[Pkg-openldap-devel] r1128 - in openldap/trunk: . build clients clients/tools contrib contrib/ldapc++ contrib/ldapc++/examples contrib/ldapc++/src contrib/ldapc++/src/ac contrib/slapd-modules contrib/slapd-modules/acl contrib/slapd-modules/allop contrib/slapd-modules/comp_match contrib/slapd-modules/denyop contrib/slapd-modules/dsaschema contrib/slapd-modules/lastmod contrib/slapd-modules/passwd contrib/slapd-modules/smbk5pwd contrib/slapd-modules/trace contrib/slapd-tools contrib/slapi-plugins/addrdnvalues debian doc doc/devel doc/guide doc/guide/admin doc/guide/images/src doc/guide/release doc/man doc/man/man1 doc/man/man3 doc/man/man5 doc/man/man8 include include/ac libraries libraries/liblber libraries/libldap libraries/libldap_r libraries/liblunicode libraries/liblunicode/ucdata libraries/liblunicode/ure libraries/liblunicode/utbm libraries/liblutil libraries/librewrite servers servers/slapd servers/slapd/back-bdb servers/slapd/back-dnssrv servers/slapd/back-hdb servers/slapd/back-ldap servers/slapd/back-ldif servers/slapd/back-meta servers/slapd/back-monitor servers/slapd/back-null servers/slapd/back-passwd servers/slapd/back-perl servers/slapd/back-relay servers/slapd/back-shell servers/slapd/back-sql servers/slapd/back-sql/rdbms_depend/timesten/dnreverse servers/slapd/overlays servers/slapd/schema servers/slapd/shell-backends servers/slapd/slapi tests tests/data tests/data/regressions/its4184 tests/data/regressions/its4326 tests/data/regressions/its4336 tests/data/regressions/its4337 tests/data/regressions/its4448 tests/progs tests/scripts

matthijs at alioth.debian.org matthijs at alioth.debian.org
Sun May 25 14:29:34 UTC 2008


Author: matthijs
Date: 2008-05-25 14:29:31 +0000 (Sun, 25 May 2008)
New Revision: 1128

Added:
   openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h
   openldap/trunk/contrib/ldapc++/src/LdifReader.cpp
   openldap/trunk/contrib/ldapc++/src/LdifReader.h
   openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp
   openldap/trunk/contrib/ldapc++/src/LdifWriter.h
   openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp
   openldap/trunk/contrib/ldapc++/src/SaslInteraction.h
   openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp
   openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h
   openldap/trunk/contrib/slapd-modules/autogroup/
   openldap/trunk/doc/guide/admin/access-control.sdf
   openldap/trunk/doc/guide/admin/config_repl.png
   openldap/trunk/doc/guide/admin/set-following-references.png
   openldap/trunk/doc/guide/admin/set-memberUid.png
   openldap/trunk/doc/guide/admin/set-recursivegroup.png
   openldap/trunk/doc/guide/images/src/README.fonts
   openldap/trunk/doc/guide/images/src/config_dit.dia
   openldap/trunk/doc/guide/images/src/config_local.dia
   openldap/trunk/doc/guide/images/src/config_ref.dia
   openldap/trunk/doc/guide/images/src/config_repl.dia
   openldap/trunk/doc/guide/images/src/delta-syncrepl.dia
   openldap/trunk/doc/guide/images/src/intro_dctree.dia
   openldap/trunk/doc/guide/images/src/intro_tree.dia
   openldap/trunk/doc/guide/images/src/mirrormode.dia
   openldap/trunk/doc/guide/images/src/n-way-multi-master.dia
   openldap/trunk/doc/guide/images/src/set-following-references.svg
   openldap/trunk/doc/guide/images/src/set-memberUid.svg
   openldap/trunk/doc/guide/images/src/set-recursivegroup.svg
   openldap/trunk/doc/guide/images/src/syncrepl-firewalls.dia
   openldap/trunk/doc/guide/images/src/syncrepl-pull.dia
   openldap/trunk/doc/guide/images/src/syncrepl-push.dia
   openldap/trunk/doc/guide/images/src/syncrepl.dia
   openldap/trunk/doc/man/man5/slapd-sock.5
   openldap/trunk/servers/slapd/back-sock/
   openldap/trunk/tests/data/slapd-2db.conf
Removed:
   openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h
   openldap/trunk/doc/guide/admin/config_repl.gif
Modified:
   openldap/trunk/ANNOUNCEMENT
   openldap/trunk/CHANGES
   openldap/trunk/COPYRIGHT
   openldap/trunk/INSTALL
   openldap/trunk/Makefile.in
   openldap/trunk/README
   openldap/trunk/build/config.guess
   openldap/trunk/build/config.sub
   openldap/trunk/build/crupdate
   openldap/trunk/build/dir.mk
   openldap/trunk/build/info.mk
   openldap/trunk/build/lib-shared.mk
   openldap/trunk/build/lib-static.mk
   openldap/trunk/build/lib.mk
   openldap/trunk/build/ltmain.sh
   openldap/trunk/build/man.mk
   openldap/trunk/build/missing
   openldap/trunk/build/mkdep
   openldap/trunk/build/mkdep.aix
   openldap/trunk/build/mkrelease
   openldap/trunk/build/mkvers.bat
   openldap/trunk/build/mkversion
   openldap/trunk/build/mod.mk
   openldap/trunk/build/openldap.m4
   openldap/trunk/build/rules.mk
   openldap/trunk/build/srv.mk
   openldap/trunk/build/top.mk
   openldap/trunk/build/version.h
   openldap/trunk/build/version.sh
   openldap/trunk/build/version.var
   openldap/trunk/clients/Makefile.in
   openldap/trunk/clients/tools/Makefile.in
   openldap/trunk/clients/tools/common.c
   openldap/trunk/clients/tools/common.h
   openldap/trunk/clients/tools/ldapcompare.c
   openldap/trunk/clients/tools/ldapdelete.c
   openldap/trunk/clients/tools/ldapexop.c
   openldap/trunk/clients/tools/ldapmodify.c
   openldap/trunk/clients/tools/ldapmodrdn.c
   openldap/trunk/clients/tools/ldappasswd.c
   openldap/trunk/clients/tools/ldapsearch.c
   openldap/trunk/clients/tools/ldapwhoami.c
   openldap/trunk/configure
   openldap/trunk/configure.in
   openldap/trunk/contrib/ConfigOIDs
   openldap/trunk/contrib/ldapc++/COPYRIGHT
   openldap/trunk/contrib/ldapc++/Makefile.am
   openldap/trunk/contrib/ldapc++/Makefile.in
   openldap/trunk/contrib/ldapc++/configure
   openldap/trunk/contrib/ldapc++/configure.in
   openldap/trunk/contrib/ldapc++/doxygen.rc
   openldap/trunk/contrib/ldapc++/examples/Makefile.am
   openldap/trunk/contrib/ldapc++/examples/Makefile.in
   openldap/trunk/contrib/ldapc++/examples/main.cpp
   openldap/trunk/contrib/ldapc++/examples/readSchema.cpp
   openldap/trunk/contrib/ldapc++/examples/urlTest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h
   openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h
   openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPConnection.h
   openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h
   openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPControl.h
   openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h
   openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPEntry.h
   openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h
   openldap/trunk/contrib/ldapc++/src/LDAPException.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPException.h
   openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPMessage.h
   openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h
   openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModList.h
   openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModification.h
   openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
   openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRebind.h
   openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h
   openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h
   openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSchema.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h
   openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPUrl.h
   openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h
   openldap/trunk/contrib/ldapc++/src/Makefile.am
   openldap/trunk/contrib/ldapc++/src/Makefile.in
   openldap/trunk/contrib/ldapc++/src/StringList.cpp
   openldap/trunk/contrib/ldapc++/src/StringList.h
   openldap/trunk/contrib/ldapc++/src/ac/time.h
   openldap/trunk/contrib/ldapc++/src/config.h.in
   openldap/trunk/contrib/ldapc++/src/debug.h
   openldap/trunk/contrib/slapd-modules/acl/README
   openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
   openldap/trunk/contrib/slapd-modules/allop/README
   openldap/trunk/contrib/slapd-modules/allop/allop.c
   openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
   openldap/trunk/contrib/slapd-modules/comp_match/Makefile
   openldap/trunk/contrib/slapd-modules/denyop/denyop.c
   openldap/trunk/contrib/slapd-modules/dsaschema/README
   openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
   openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
   openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
   openldap/trunk/contrib/slapd-modules/passwd/README
   openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
   openldap/trunk/contrib/slapd-modules/passwd/netscape.c
   openldap/trunk/contrib/slapd-modules/passwd/radius.c
   openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
   openldap/trunk/contrib/slapd-modules/trace/trace.c
   openldap/trunk/contrib/slapd-tools/README
   openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
   openldap/trunk/debian/changelog
   openldap/trunk/debian/rules
   openldap/trunk/doc/Makefile.in
   openldap/trunk/doc/devel/args
   openldap/trunk/doc/guide/COPYRIGHT
   openldap/trunk/doc/guide/admin/Makefile
   openldap/trunk/doc/guide/admin/README.spellcheck
   openldap/trunk/doc/guide/admin/abstract.sdf
   openldap/trunk/doc/guide/admin/admin.sdf
   openldap/trunk/doc/guide/admin/appendix-changes.sdf
   openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
   openldap/trunk/doc/guide/admin/appendix-configs.sdf
   openldap/trunk/doc/guide/admin/appendix-contrib.sdf
   openldap/trunk/doc/guide/admin/appendix-deployments.sdf
   openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
   openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
   openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
   openldap/trunk/doc/guide/admin/aspell.en.pws
   openldap/trunk/doc/guide/admin/backends.sdf
   openldap/trunk/doc/guide/admin/config.sdf
   openldap/trunk/doc/guide/admin/dbtools.sdf
   openldap/trunk/doc/guide/admin/glossary.sdf
   openldap/trunk/doc/guide/admin/guide.html
   openldap/trunk/doc/guide/admin/guide.sdf
   openldap/trunk/doc/guide/admin/index.sdf
   openldap/trunk/doc/guide/admin/install.sdf
   openldap/trunk/doc/guide/admin/intro.sdf
   openldap/trunk/doc/guide/admin/maintenance.sdf
   openldap/trunk/doc/guide/admin/master.sdf
   openldap/trunk/doc/guide/admin/monitoringslapd.sdf
   openldap/trunk/doc/guide/admin/overlays.sdf
   openldap/trunk/doc/guide/admin/preface.sdf
   openldap/trunk/doc/guide/admin/quickstart.sdf
   openldap/trunk/doc/guide/admin/referrals.sdf
   openldap/trunk/doc/guide/admin/replication.sdf
   openldap/trunk/doc/guide/admin/runningslapd.sdf
   openldap/trunk/doc/guide/admin/sasl.sdf
   openldap/trunk/doc/guide/admin/schema.sdf
   openldap/trunk/doc/guide/admin/security.sdf
   openldap/trunk/doc/guide/admin/slapdconf2.sdf
   openldap/trunk/doc/guide/admin/slapdconfig.sdf
   openldap/trunk/doc/guide/admin/title.sdf
   openldap/trunk/doc/guide/admin/tls.sdf
   openldap/trunk/doc/guide/admin/troubleshooting.sdf
   openldap/trunk/doc/guide/admin/tuning.sdf
   openldap/trunk/doc/guide/plain.sdf
   openldap/trunk/doc/guide/preamble.sdf
   openldap/trunk/doc/guide/release/copyright-plain.sdf
   openldap/trunk/doc/guide/release/copyright.sdf
   openldap/trunk/doc/guide/release/install.sdf
   openldap/trunk/doc/guide/release/license-plain.sdf
   openldap/trunk/doc/guide/release/license.sdf
   openldap/trunk/doc/man/Makefile.in
   openldap/trunk/doc/man/man1/Makefile.in
   openldap/trunk/doc/man/man1/ldapcompare.1
   openldap/trunk/doc/man/man1/ldapdelete.1
   openldap/trunk/doc/man/man1/ldapmodify.1
   openldap/trunk/doc/man/man1/ldapmodrdn.1
   openldap/trunk/doc/man/man1/ldappasswd.1
   openldap/trunk/doc/man/man1/ldapsearch.1
   openldap/trunk/doc/man/man1/ldapwhoami.1
   openldap/trunk/doc/man/man3/Makefile.in
   openldap/trunk/doc/man/man3/lber-decode.3
   openldap/trunk/doc/man/man3/lber-encode.3
   openldap/trunk/doc/man/man3/lber-memory.3
   openldap/trunk/doc/man/man3/lber-sockbuf.3
   openldap/trunk/doc/man/man3/lber-types.3
   openldap/trunk/doc/man/man3/ldap.3
   openldap/trunk/doc/man/man3/ldap_abandon.3
   openldap/trunk/doc/man/man3/ldap_add.3
   openldap/trunk/doc/man/man3/ldap_bind.3
   openldap/trunk/doc/man/man3/ldap_compare.3
   openldap/trunk/doc/man/man3/ldap_controls.3
   openldap/trunk/doc/man/man3/ldap_delete.3
   openldap/trunk/doc/man/man3/ldap_error.3
   openldap/trunk/doc/man/man3/ldap_extended_operation.3
   openldap/trunk/doc/man/man3/ldap_first_attribute.3
   openldap/trunk/doc/man/man3/ldap_first_entry.3
   openldap/trunk/doc/man/man3/ldap_first_message.3
   openldap/trunk/doc/man/man3/ldap_first_reference.3
   openldap/trunk/doc/man/man3/ldap_get_dn.3
   openldap/trunk/doc/man/man3/ldap_get_option.3
   openldap/trunk/doc/man/man3/ldap_get_values.3
   openldap/trunk/doc/man/man3/ldap_memory.3
   openldap/trunk/doc/man/man3/ldap_modify.3
   openldap/trunk/doc/man/man3/ldap_modrdn.3
   openldap/trunk/doc/man/man3/ldap_open.3
   openldap/trunk/doc/man/man3/ldap_parse_reference.3
   openldap/trunk/doc/man/man3/ldap_parse_result.3
   openldap/trunk/doc/man/man3/ldap_parse_sort_control.3
   openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3
   openldap/trunk/doc/man/man3/ldap_rename.3
   openldap/trunk/doc/man/man3/ldap_result.3
   openldap/trunk/doc/man/man3/ldap_schema.3
   openldap/trunk/doc/man/man3/ldap_search.3
   openldap/trunk/doc/man/man3/ldap_sort.3
   openldap/trunk/doc/man/man3/ldap_sync.3
   openldap/trunk/doc/man/man3/ldap_tls.3
   openldap/trunk/doc/man/man3/ldap_url.3
   openldap/trunk/doc/man/man5/Makefile.in
   openldap/trunk/doc/man/man5/ldap.conf.5
   openldap/trunk/doc/man/man5/ldif.5
   openldap/trunk/doc/man/man5/slapd-bdb.5
   openldap/trunk/doc/man/man5/slapd-config.5
   openldap/trunk/doc/man/man5/slapd-dnssrv.5
   openldap/trunk/doc/man/man5/slapd-ldap.5
   openldap/trunk/doc/man/man5/slapd-ldbm.5
   openldap/trunk/doc/man/man5/slapd-ldif.5
   openldap/trunk/doc/man/man5/slapd-meta.5
   openldap/trunk/doc/man/man5/slapd-monitor.5
   openldap/trunk/doc/man/man5/slapd-null.5
   openldap/trunk/doc/man/man5/slapd-passwd.5
   openldap/trunk/doc/man/man5/slapd-shell.5
   openldap/trunk/doc/man/man5/slapd.access.5
   openldap/trunk/doc/man/man5/slapd.backends.5
   openldap/trunk/doc/man/man5/slapd.conf.5
   openldap/trunk/doc/man/man5/slapd.overlays.5
   openldap/trunk/doc/man/man5/slapd.plugin.5
   openldap/trunk/doc/man/man5/slapo-accesslog.5
   openldap/trunk/doc/man/man5/slapo-auditlog.5
   openldap/trunk/doc/man/man5/slapo-chain.5
   openldap/trunk/doc/man/man5/slapo-constraint.5
   openldap/trunk/doc/man/man5/slapo-dds.5
   openldap/trunk/doc/man/man5/slapo-dyngroup.5
   openldap/trunk/doc/man/man5/slapo-dynlist.5
   openldap/trunk/doc/man/man5/slapo-memberof.5
   openldap/trunk/doc/man/man5/slapo-pcache.5
   openldap/trunk/doc/man/man5/slapo-ppolicy.5
   openldap/trunk/doc/man/man5/slapo-refint.5
   openldap/trunk/doc/man/man5/slapo-retcode.5
   openldap/trunk/doc/man/man5/slapo-rwm.5
   openldap/trunk/doc/man/man5/slapo-syncprov.5
   openldap/trunk/doc/man/man5/slapo-translucent.5
   openldap/trunk/doc/man/man5/slapo-unique.5
   openldap/trunk/doc/man/man5/slapo-valsort.5
   openldap/trunk/doc/man/man8/Makefile.in
   openldap/trunk/doc/man/man8/slapacl.8
   openldap/trunk/doc/man/man8/slapadd.8
   openldap/trunk/doc/man/man8/slapauth.8
   openldap/trunk/doc/man/man8/slapcat.8
   openldap/trunk/doc/man/man8/slapd.8
   openldap/trunk/doc/man/man8/slapdn.8
   openldap/trunk/doc/man/man8/slapindex.8
   openldap/trunk/doc/man/man8/slappasswd.8
   openldap/trunk/doc/man/man8/slaptest.8
   openldap/trunk/include/Makefile.in
   openldap/trunk/include/ac/alloca.h
   openldap/trunk/include/ac/assert.h
   openldap/trunk/include/ac/bytes.h
   openldap/trunk/include/ac/crypt.h
   openldap/trunk/include/ac/ctype.h
   openldap/trunk/include/ac/dirent.h
   openldap/trunk/include/ac/errno.h
   openldap/trunk/include/ac/fdset.h
   openldap/trunk/include/ac/localize.h
   openldap/trunk/include/ac/param.h
   openldap/trunk/include/ac/regex.h
   openldap/trunk/include/ac/setproctitle.h
   openldap/trunk/include/ac/signal.h
   openldap/trunk/include/ac/socket.h
   openldap/trunk/include/ac/stdarg.h
   openldap/trunk/include/ac/stdlib.h
   openldap/trunk/include/ac/string.h
   openldap/trunk/include/ac/sysexits.h
   openldap/trunk/include/ac/syslog.h
   openldap/trunk/include/ac/termios.h
   openldap/trunk/include/ac/time.h
   openldap/trunk/include/ac/unistd.h
   openldap/trunk/include/ac/wait.h
   openldap/trunk/include/avl.h
   openldap/trunk/include/getopt-compat.h
   openldap/trunk/include/lber.h
   openldap/trunk/include/lber_pvt.h
   openldap/trunk/include/lber_types.hin
   openldap/trunk/include/ldap.h
   openldap/trunk/include/ldap_cdefs.h
   openldap/trunk/include/ldap_config.hin
   openldap/trunk/include/ldap_defaults.h
   openldap/trunk/include/ldap_features.hin
   openldap/trunk/include/ldap_int_thread.h
   openldap/trunk/include/ldap_log.h
   openldap/trunk/include/ldap_pvt.h
   openldap/trunk/include/ldap_pvt_thread.h
   openldap/trunk/include/ldap_pvt_uc.h
   openldap/trunk/include/ldap_queue.h
   openldap/trunk/include/ldap_rq.h
   openldap/trunk/include/ldap_schema.h
   openldap/trunk/include/ldap_utf8.h
   openldap/trunk/include/ldif.h
   openldap/trunk/include/lutil.h
   openldap/trunk/include/lutil_hash.h
   openldap/trunk/include/lutil_ldap.h
   openldap/trunk/include/lutil_lockf.h
   openldap/trunk/include/lutil_md5.h
   openldap/trunk/include/lutil_sha1.h
   openldap/trunk/include/portable.hin
   openldap/trunk/include/rewrite.h
   openldap/trunk/include/slapi-plugin.h
   openldap/trunk/include/sysexits-compat.h
   openldap/trunk/libraries/Makefile.in
   openldap/trunk/libraries/liblber/Makefile.in
   openldap/trunk/libraries/liblber/assert.c
   openldap/trunk/libraries/liblber/bprint.c
   openldap/trunk/libraries/liblber/debug.c
   openldap/trunk/libraries/liblber/decode.c
   openldap/trunk/libraries/liblber/dtest.c
   openldap/trunk/libraries/liblber/encode.c
   openldap/trunk/libraries/liblber/etest.c
   openldap/trunk/libraries/liblber/idtest.c
   openldap/trunk/libraries/liblber/io.c
   openldap/trunk/libraries/liblber/lber-int.h
   openldap/trunk/libraries/liblber/memory.c
   openldap/trunk/libraries/liblber/nt_err.c
   openldap/trunk/libraries/liblber/options.c
   openldap/trunk/libraries/liblber/sockbuf.c
   openldap/trunk/libraries/liblber/stdio.c
   openldap/trunk/libraries/libldap/Makefile.in
   openldap/trunk/libraries/libldap/abandon.c
   openldap/trunk/libraries/libldap/add.c
   openldap/trunk/libraries/libldap/addentry.c
   openldap/trunk/libraries/libldap/apitest.c
   openldap/trunk/libraries/libldap/bind.c
   openldap/trunk/libraries/libldap/cancel.c
   openldap/trunk/libraries/libldap/charray.c
   openldap/trunk/libraries/libldap/compare.c
   openldap/trunk/libraries/libldap/controls.c
   openldap/trunk/libraries/libldap/cyrus.c
   openldap/trunk/libraries/libldap/dds.c
   openldap/trunk/libraries/libldap/delete.c
   openldap/trunk/libraries/libldap/dnssrv.c
   openldap/trunk/libraries/libldap/dntest.c
   openldap/trunk/libraries/libldap/error.c
   openldap/trunk/libraries/libldap/extended.c
   openldap/trunk/libraries/libldap/filter.c
   openldap/trunk/libraries/libldap/free.c
   openldap/trunk/libraries/libldap/ftest.c
   openldap/trunk/libraries/libldap/getattr.c
   openldap/trunk/libraries/libldap/getdn.c
   openldap/trunk/libraries/libldap/getentry.c
   openldap/trunk/libraries/libldap/getvalues.c
   openldap/trunk/libraries/libldap/init.c
   openldap/trunk/libraries/libldap/ldap-int.h
   openldap/trunk/libraries/libldap/ldap_sync.c
   openldap/trunk/libraries/libldap/messages.c
   openldap/trunk/libraries/libldap/modify.c
   openldap/trunk/libraries/libldap/modrdn.c
   openldap/trunk/libraries/libldap/open.c
   openldap/trunk/libraries/libldap/options.c
   openldap/trunk/libraries/libldap/os-ip.c
   openldap/trunk/libraries/libldap/os-local.c
   openldap/trunk/libraries/libldap/pagectrl.c
   openldap/trunk/libraries/libldap/passwd.c
   openldap/trunk/libraries/libldap/ppolicy.c
   openldap/trunk/libraries/libldap/print.c
   openldap/trunk/libraries/libldap/references.c
   openldap/trunk/libraries/libldap/request.c
   openldap/trunk/libraries/libldap/result.c
   openldap/trunk/libraries/libldap/sasl.c
   openldap/trunk/libraries/libldap/sbind.c
   openldap/trunk/libraries/libldap/schema.c
   openldap/trunk/libraries/libldap/search.c
   openldap/trunk/libraries/libldap/sort.c
   openldap/trunk/libraries/libldap/sortctrl.c
   openldap/trunk/libraries/libldap/stctrl.c
   openldap/trunk/libraries/libldap/string.c
   openldap/trunk/libraries/libldap/t61.c
   openldap/trunk/libraries/libldap/test.c
   openldap/trunk/libraries/libldap/tls.c
   openldap/trunk/libraries/libldap/turn.c
   openldap/trunk/libraries/libldap/txn.c
   openldap/trunk/libraries/libldap/unbind.c
   openldap/trunk/libraries/libldap/url.c
   openldap/trunk/libraries/libldap/urltest.c
   openldap/trunk/libraries/libldap/utf-8-conv.c
   openldap/trunk/libraries/libldap/utf-8.c
   openldap/trunk/libraries/libldap/util-int.c
   openldap/trunk/libraries/libldap/vlvctrl.c
   openldap/trunk/libraries/libldap/whoami.c
   openldap/trunk/libraries/libldap_r/Makefile.in
   openldap/trunk/libraries/libldap_r/ldap_thr_debug.h
   openldap/trunk/libraries/libldap_r/rdwr.c
   openldap/trunk/libraries/libldap_r/rmutex.c
   openldap/trunk/libraries/libldap_r/rq.c
   openldap/trunk/libraries/libldap_r/thr_cthreads.c
   openldap/trunk/libraries/libldap_r/thr_debug.c
   openldap/trunk/libraries/libldap_r/thr_lwp.c
   openldap/trunk/libraries/libldap_r/thr_nt.c
   openldap/trunk/libraries/libldap_r/thr_posix.c
   openldap/trunk/libraries/libldap_r/thr_pth.c
   openldap/trunk/libraries/libldap_r/thr_stub.c
   openldap/trunk/libraries/libldap_r/thr_thr.c
   openldap/trunk/libraries/libldap_r/threads.c
   openldap/trunk/libraries/libldap_r/tpool.c
   openldap/trunk/libraries/liblunicode/Makefile.in
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.c
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.h
   openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h
   openldap/trunk/libraries/liblunicode/ucstr.c
   openldap/trunk/libraries/liblunicode/ure/ure.c
   openldap/trunk/libraries/liblunicode/ure/ure.h
   openldap/trunk/libraries/liblunicode/ure/urestubs.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.h
   openldap/trunk/libraries/liblunicode/utbm/utbmstub.c
   openldap/trunk/libraries/liblutil/Makefile.in
   openldap/trunk/libraries/liblutil/avl.c
   openldap/trunk/libraries/liblutil/base64.c
   openldap/trunk/libraries/liblutil/csn.c
   openldap/trunk/libraries/liblutil/detach.c
   openldap/trunk/libraries/liblutil/entropy.c
   openldap/trunk/libraries/liblutil/fetch.c
   openldap/trunk/libraries/liblutil/getopt.c
   openldap/trunk/libraries/liblutil/getpass.c
   openldap/trunk/libraries/liblutil/getpeereid.c
   openldap/trunk/libraries/liblutil/hash.c
   openldap/trunk/libraries/liblutil/ldif.c
   openldap/trunk/libraries/liblutil/lockf.c
   openldap/trunk/libraries/liblutil/md5.c
   openldap/trunk/libraries/liblutil/memcmp.c
   openldap/trunk/libraries/liblutil/ntservice.c
   openldap/trunk/libraries/liblutil/passfile.c
   openldap/trunk/libraries/liblutil/passwd.c
   openldap/trunk/libraries/liblutil/ptest.c
   openldap/trunk/libraries/liblutil/sasl.c
   openldap/trunk/libraries/liblutil/setproctitle.c
   openldap/trunk/libraries/liblutil/sha1.c
   openldap/trunk/libraries/liblutil/signal.c
   openldap/trunk/libraries/liblutil/sockpair.c
   openldap/trunk/libraries/liblutil/tavl.c
   openldap/trunk/libraries/liblutil/testavl.c
   openldap/trunk/libraries/liblutil/testtavl.c
   openldap/trunk/libraries/liblutil/utils.c
   openldap/trunk/libraries/liblutil/uuid.c
   openldap/trunk/libraries/librewrite/Makefile.in
   openldap/trunk/libraries/librewrite/config.c
   openldap/trunk/libraries/librewrite/context.c
   openldap/trunk/libraries/librewrite/info.c
   openldap/trunk/libraries/librewrite/ldapmap.c
   openldap/trunk/libraries/librewrite/map.c
   openldap/trunk/libraries/librewrite/params.c
   openldap/trunk/libraries/librewrite/parse.c
   openldap/trunk/libraries/librewrite/rewrite-int.h
   openldap/trunk/libraries/librewrite/rewrite-map.h
   openldap/trunk/libraries/librewrite/rewrite.c
   openldap/trunk/libraries/librewrite/rule.c
   openldap/trunk/libraries/librewrite/session.c
   openldap/trunk/libraries/librewrite/subst.c
   openldap/trunk/libraries/librewrite/var.c
   openldap/trunk/libraries/librewrite/xmap.c
   openldap/trunk/servers/Makefile.in
   openldap/trunk/servers/slapd/DB_CONFIG
   openldap/trunk/servers/slapd/Makefile.in
   openldap/trunk/servers/slapd/abandon.c
   openldap/trunk/servers/slapd/aci.c
   openldap/trunk/servers/slapd/acl.c
   openldap/trunk/servers/slapd/aclparse.c
   openldap/trunk/servers/slapd/ad.c
   openldap/trunk/servers/slapd/add.c
   openldap/trunk/servers/slapd/alock.c
   openldap/trunk/servers/slapd/alock.h
   openldap/trunk/servers/slapd/at.c
   openldap/trunk/servers/slapd/attr.c
   openldap/trunk/servers/slapd/ava.c
   openldap/trunk/servers/slapd/back-bdb/Makefile.in
   openldap/trunk/servers/slapd/back-bdb/add.c
   openldap/trunk/servers/slapd/back-bdb/attr.c
   openldap/trunk/servers/slapd/back-bdb/back-bdb.h
   openldap/trunk/servers/slapd/back-bdb/bind.c
   openldap/trunk/servers/slapd/back-bdb/cache.c
   openldap/trunk/servers/slapd/back-bdb/compare.c
   openldap/trunk/servers/slapd/back-bdb/config.c
   openldap/trunk/servers/slapd/back-bdb/dbcache.c
   openldap/trunk/servers/slapd/back-bdb/delete.c
   openldap/trunk/servers/slapd/back-bdb/dn2entry.c
   openldap/trunk/servers/slapd/back-bdb/dn2id.c
   openldap/trunk/servers/slapd/back-bdb/error.c
   openldap/trunk/servers/slapd/back-bdb/extended.c
   openldap/trunk/servers/slapd/back-bdb/filterindex.c
   openldap/trunk/servers/slapd/back-bdb/id2entry.c
   openldap/trunk/servers/slapd/back-bdb/idl.c
   openldap/trunk/servers/slapd/back-bdb/idl.h
   openldap/trunk/servers/slapd/back-bdb/index.c
   openldap/trunk/servers/slapd/back-bdb/init.c
   openldap/trunk/servers/slapd/back-bdb/key.c
   openldap/trunk/servers/slapd/back-bdb/modify.c
   openldap/trunk/servers/slapd/back-bdb/modrdn.c
   openldap/trunk/servers/slapd/back-bdb/monitor.c
   openldap/trunk/servers/slapd/back-bdb/nextid.c
   openldap/trunk/servers/slapd/back-bdb/operational.c
   openldap/trunk/servers/slapd/back-bdb/proto-bdb.h
   openldap/trunk/servers/slapd/back-bdb/referral.c
   openldap/trunk/servers/slapd/back-bdb/search.c
   openldap/trunk/servers/slapd/back-bdb/tools.c
   openldap/trunk/servers/slapd/back-bdb/trans.c
   openldap/trunk/servers/slapd/back-dnssrv/Makefile.in
   openldap/trunk/servers/slapd/back-dnssrv/bind.c
   openldap/trunk/servers/slapd/back-dnssrv/compare.c
   openldap/trunk/servers/slapd/back-dnssrv/config.c
   openldap/trunk/servers/slapd/back-dnssrv/init.c
   openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h
   openldap/trunk/servers/slapd/back-dnssrv/referral.c
   openldap/trunk/servers/slapd/back-dnssrv/search.c
   openldap/trunk/servers/slapd/back-hdb/Makefile.in
   openldap/trunk/servers/slapd/back-hdb/back-bdb.h
   openldap/trunk/servers/slapd/back-ldap/Makefile.in
   openldap/trunk/servers/slapd/back-ldap/add.c
   openldap/trunk/servers/slapd/back-ldap/back-ldap.h
   openldap/trunk/servers/slapd/back-ldap/bind.c
   openldap/trunk/servers/slapd/back-ldap/chain.c
   openldap/trunk/servers/slapd/back-ldap/compare.c
   openldap/trunk/servers/slapd/back-ldap/config.c
   openldap/trunk/servers/slapd/back-ldap/delete.c
   openldap/trunk/servers/slapd/back-ldap/distproc.c
   openldap/trunk/servers/slapd/back-ldap/extended.c
   openldap/trunk/servers/slapd/back-ldap/init.c
   openldap/trunk/servers/slapd/back-ldap/modify.c
   openldap/trunk/servers/slapd/back-ldap/modrdn.c
   openldap/trunk/servers/slapd/back-ldap/monitor.c
   openldap/trunk/servers/slapd/back-ldap/proto-ldap.h
   openldap/trunk/servers/slapd/back-ldap/search.c
   openldap/trunk/servers/slapd/back-ldap/unbind.c
   openldap/trunk/servers/slapd/back-ldif/Makefile.in
   openldap/trunk/servers/slapd/back-ldif/ldif.c
   openldap/trunk/servers/slapd/back-meta/Makefile.in
   openldap/trunk/servers/slapd/back-meta/add.c
   openldap/trunk/servers/slapd/back-meta/back-meta.h
   openldap/trunk/servers/slapd/back-meta/bind.c
   openldap/trunk/servers/slapd/back-meta/candidates.c
   openldap/trunk/servers/slapd/back-meta/compare.c
   openldap/trunk/servers/slapd/back-meta/config.c
   openldap/trunk/servers/slapd/back-meta/conn.c
   openldap/trunk/servers/slapd/back-meta/delete.c
   openldap/trunk/servers/slapd/back-meta/dncache.c
   openldap/trunk/servers/slapd/back-meta/init.c
   openldap/trunk/servers/slapd/back-meta/map.c
   openldap/trunk/servers/slapd/back-meta/modify.c
   openldap/trunk/servers/slapd/back-meta/modrdn.c
   openldap/trunk/servers/slapd/back-meta/proto-meta.h
   openldap/trunk/servers/slapd/back-meta/search.c
   openldap/trunk/servers/slapd/back-meta/suffixmassage.c
   openldap/trunk/servers/slapd/back-meta/unbind.c
   openldap/trunk/servers/slapd/back-monitor/Makefile.in
   openldap/trunk/servers/slapd/back-monitor/back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/backend.c
   openldap/trunk/servers/slapd/back-monitor/bind.c
   openldap/trunk/servers/slapd/back-monitor/cache.c
   openldap/trunk/servers/slapd/back-monitor/compare.c
   openldap/trunk/servers/slapd/back-monitor/conn.c
   openldap/trunk/servers/slapd/back-monitor/database.c
   openldap/trunk/servers/slapd/back-monitor/entry.c
   openldap/trunk/servers/slapd/back-monitor/init.c
   openldap/trunk/servers/slapd/back-monitor/listener.c
   openldap/trunk/servers/slapd/back-monitor/log.c
   openldap/trunk/servers/slapd/back-monitor/modify.c
   openldap/trunk/servers/slapd/back-monitor/operation.c
   openldap/trunk/servers/slapd/back-monitor/operational.c
   openldap/trunk/servers/slapd/back-monitor/overlay.c
   openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/rww.c
   openldap/trunk/servers/slapd/back-monitor/search.c
   openldap/trunk/servers/slapd/back-monitor/sent.c
   openldap/trunk/servers/slapd/back-monitor/thread.c
   openldap/trunk/servers/slapd/back-monitor/time.c
   openldap/trunk/servers/slapd/back-null/Makefile.in
   openldap/trunk/servers/slapd/back-null/null.c
   openldap/trunk/servers/slapd/back-passwd/Makefile.in
   openldap/trunk/servers/slapd/back-passwd/back-passwd.h
   openldap/trunk/servers/slapd/back-passwd/config.c
   openldap/trunk/servers/slapd/back-passwd/init.c
   openldap/trunk/servers/slapd/back-passwd/proto-passwd.h
   openldap/trunk/servers/slapd/back-passwd/search.c
   openldap/trunk/servers/slapd/back-perl/Makefile.in
   openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm
   openldap/trunk/servers/slapd/back-perl/add.c
   openldap/trunk/servers/slapd/back-perl/asperl_undefs.h
   openldap/trunk/servers/slapd/back-perl/bind.c
   openldap/trunk/servers/slapd/back-perl/close.c
   openldap/trunk/servers/slapd/back-perl/compare.c
   openldap/trunk/servers/slapd/back-perl/config.c
   openldap/trunk/servers/slapd/back-perl/delete.c
   openldap/trunk/servers/slapd/back-perl/init.c
   openldap/trunk/servers/slapd/back-perl/modify.c
   openldap/trunk/servers/slapd/back-perl/modrdn.c
   openldap/trunk/servers/slapd/back-perl/perl_back.h
   openldap/trunk/servers/slapd/back-perl/proto-perl.h
   openldap/trunk/servers/slapd/back-perl/search.c
   openldap/trunk/servers/slapd/back-relay/Makefile.in
   openldap/trunk/servers/slapd/back-relay/back-relay.h
   openldap/trunk/servers/slapd/back-relay/init.c
   openldap/trunk/servers/slapd/back-relay/op.c
   openldap/trunk/servers/slapd/back-relay/proto-back-relay.h
   openldap/trunk/servers/slapd/back-shell/Makefile.in
   openldap/trunk/servers/slapd/back-shell/add.c
   openldap/trunk/servers/slapd/back-shell/bind.c
   openldap/trunk/servers/slapd/back-shell/compare.c
   openldap/trunk/servers/slapd/back-shell/config.c
   openldap/trunk/servers/slapd/back-shell/delete.c
   openldap/trunk/servers/slapd/back-shell/fork.c
   openldap/trunk/servers/slapd/back-shell/init.c
   openldap/trunk/servers/slapd/back-shell/modify.c
   openldap/trunk/servers/slapd/back-shell/modrdn.c
   openldap/trunk/servers/slapd/back-shell/proto-shell.h
   openldap/trunk/servers/slapd/back-shell/result.c
   openldap/trunk/servers/slapd/back-shell/search.c
   openldap/trunk/servers/slapd/back-shell/searchexample.conf
   openldap/trunk/servers/slapd/back-shell/searchexample.sh
   openldap/trunk/servers/slapd/back-shell/shell.h
   openldap/trunk/servers/slapd/back-shell/unbind.c
   openldap/trunk/servers/slapd/back-sql/Makefile.in
   openldap/trunk/servers/slapd/back-sql/add.c
   openldap/trunk/servers/slapd/back-sql/api.c
   openldap/trunk/servers/slapd/back-sql/back-sql.h
   openldap/trunk/servers/slapd/back-sql/bind.c
   openldap/trunk/servers/slapd/back-sql/compare.c
   openldap/trunk/servers/slapd/back-sql/config.c
   openldap/trunk/servers/slapd/back-sql/delete.c
   openldap/trunk/servers/slapd/back-sql/entry-id.c
   openldap/trunk/servers/slapd/back-sql/init.c
   openldap/trunk/servers/slapd/back-sql/modify.c
   openldap/trunk/servers/slapd/back-sql/modrdn.c
   openldap/trunk/servers/slapd/back-sql/operational.c
   openldap/trunk/servers/slapd/back-sql/proto-sql.h
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp
   openldap/trunk/servers/slapd/back-sql/schema-map.c
   openldap/trunk/servers/slapd/back-sql/search.c
   openldap/trunk/servers/slapd/back-sql/sql-wrap.c
   openldap/trunk/servers/slapd/back-sql/util.c
   openldap/trunk/servers/slapd/backend.c
   openldap/trunk/servers/slapd/backglue.c
   openldap/trunk/servers/slapd/backover.c
   openldap/trunk/servers/slapd/bconfig.c
   openldap/trunk/servers/slapd/bind.c
   openldap/trunk/servers/slapd/cancel.c
   openldap/trunk/servers/slapd/ch_malloc.c
   openldap/trunk/servers/slapd/compare.c
   openldap/trunk/servers/slapd/component.c
   openldap/trunk/servers/slapd/component.h
   openldap/trunk/servers/slapd/config.c
   openldap/trunk/servers/slapd/config.h
   openldap/trunk/servers/slapd/connection.c
   openldap/trunk/servers/slapd/controls.c
   openldap/trunk/servers/slapd/cr.c
   openldap/trunk/servers/slapd/ctxcsn.c
   openldap/trunk/servers/slapd/daemon.c
   openldap/trunk/servers/slapd/delete.c
   openldap/trunk/servers/slapd/dn.c
   openldap/trunk/servers/slapd/entry.c
   openldap/trunk/servers/slapd/extended.c
   openldap/trunk/servers/slapd/filter.c
   openldap/trunk/servers/slapd/filterentry.c
   openldap/trunk/servers/slapd/frontend.c
   openldap/trunk/servers/slapd/globals.c
   openldap/trunk/servers/slapd/index.c
   openldap/trunk/servers/slapd/init.c
   openldap/trunk/servers/slapd/ldapsync.c
   openldap/trunk/servers/slapd/limits.c
   openldap/trunk/servers/slapd/lock.c
   openldap/trunk/servers/slapd/main.c
   openldap/trunk/servers/slapd/matchedValues.c
   openldap/trunk/servers/slapd/modify.c
   openldap/trunk/servers/slapd/modrdn.c
   openldap/trunk/servers/slapd/mods.c
   openldap/trunk/servers/slapd/module.c
   openldap/trunk/servers/slapd/mr.c
   openldap/trunk/servers/slapd/mra.c
   openldap/trunk/servers/slapd/nt_svc.c
   openldap/trunk/servers/slapd/oc.c
   openldap/trunk/servers/slapd/oidm.c
   openldap/trunk/servers/slapd/operation.c
   openldap/trunk/servers/slapd/operational.c
   openldap/trunk/servers/slapd/overlays/Makefile.in
   openldap/trunk/servers/slapd/overlays/accesslog.c
   openldap/trunk/servers/slapd/overlays/auditlog.c
   openldap/trunk/servers/slapd/overlays/collect.c
   openldap/trunk/servers/slapd/overlays/constraint.c
   openldap/trunk/servers/slapd/overlays/dds.c
   openldap/trunk/servers/slapd/overlays/dyngroup.c
   openldap/trunk/servers/slapd/overlays/dynlist.c
   openldap/trunk/servers/slapd/overlays/memberof.c
   openldap/trunk/servers/slapd/overlays/overlays.c
   openldap/trunk/servers/slapd/overlays/pcache.c
   openldap/trunk/servers/slapd/overlays/ppolicy.c
   openldap/trunk/servers/slapd/overlays/refint.c
   openldap/trunk/servers/slapd/overlays/retcode.c
   openldap/trunk/servers/slapd/overlays/rwm.c
   openldap/trunk/servers/slapd/overlays/rwm.h
   openldap/trunk/servers/slapd/overlays/rwmconf.c
   openldap/trunk/servers/slapd/overlays/rwmdn.c
   openldap/trunk/servers/slapd/overlays/rwmmap.c
   openldap/trunk/servers/slapd/overlays/seqmod.c
   openldap/trunk/servers/slapd/overlays/syncprov.c
   openldap/trunk/servers/slapd/overlays/translucent.c
   openldap/trunk/servers/slapd/overlays/unique.c
   openldap/trunk/servers/slapd/overlays/valsort.c
   openldap/trunk/servers/slapd/passwd.c
   openldap/trunk/servers/slapd/phonetic.c
   openldap/trunk/servers/slapd/proto-slap.h
   openldap/trunk/servers/slapd/referral.c
   openldap/trunk/servers/slapd/result.c
   openldap/trunk/servers/slapd/root_dse.c
   openldap/trunk/servers/slapd/sasl.c
   openldap/trunk/servers/slapd/saslauthz.c
   openldap/trunk/servers/slapd/schema.c
   openldap/trunk/servers/slapd/schema/README
   openldap/trunk/servers/slapd/schema/cosine.ldif
   openldap/trunk/servers/slapd/schema/duaconf.schema
   openldap/trunk/servers/slapd/schema/dyngroup.schema
   openldap/trunk/servers/slapd/schema/inetorgperson.ldif
   openldap/trunk/servers/slapd/schema/inetorgperson.schema
   openldap/trunk/servers/slapd/schema/misc.schema
   openldap/trunk/servers/slapd/schema/nadf.schema
   openldap/trunk/servers/slapd/schema/nis.ldif
   openldap/trunk/servers/slapd/schema/nis.schema
   openldap/trunk/servers/slapd/schema/openldap.ldif
   openldap/trunk/servers/slapd/schema/openldap.schema
   openldap/trunk/servers/slapd/schema_check.c
   openldap/trunk/servers/slapd/schema_init.c
   openldap/trunk/servers/slapd/schema_prep.c
   openldap/trunk/servers/slapd/schemaparse.c
   openldap/trunk/servers/slapd/search.c
   openldap/trunk/servers/slapd/sets.c
   openldap/trunk/servers/slapd/sets.h
   openldap/trunk/servers/slapd/shell-backends/Makefile.in
   openldap/trunk/servers/slapd/shell-backends/passwd-shell.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.h
   openldap/trunk/servers/slapd/sl_malloc.c
   openldap/trunk/servers/slapd/slap.h
   openldap/trunk/servers/slapd/slapacl.c
   openldap/trunk/servers/slapd/slapadd.c
   openldap/trunk/servers/slapd/slapauth.c
   openldap/trunk/servers/slapd/slapcat.c
   openldap/trunk/servers/slapd/slapcommon.c
   openldap/trunk/servers/slapd/slapcommon.h
   openldap/trunk/servers/slapd/slapdn.c
   openldap/trunk/servers/slapd/slapi/Makefile.in
   openldap/trunk/servers/slapd/slapi/plugin.c
   openldap/trunk/servers/slapd/slapi/printmsg.c
   openldap/trunk/servers/slapd/slapi/proto-slapi.h
   openldap/trunk/servers/slapd/slapi/slapi.h
   openldap/trunk/servers/slapd/slapi/slapi_dn.c
   openldap/trunk/servers/slapd/slapi/slapi_ext.c
   openldap/trunk/servers/slapd/slapi/slapi_ops.c
   openldap/trunk/servers/slapd/slapi/slapi_overlay.c
   openldap/trunk/servers/slapd/slapi/slapi_pblock.c
   openldap/trunk/servers/slapd/slapi/slapi_utils.c
   openldap/trunk/servers/slapd/slapindex.c
   openldap/trunk/servers/slapd/slappasswd.c
   openldap/trunk/servers/slapd/slaptest.c
   openldap/trunk/servers/slapd/starttls.c
   openldap/trunk/servers/slapd/str2filter.c
   openldap/trunk/servers/slapd/syncrepl.c
   openldap/trunk/servers/slapd/syntax.c
   openldap/trunk/servers/slapd/txn.c
   openldap/trunk/servers/slapd/unbind.c
   openldap/trunk/servers/slapd/user.c
   openldap/trunk/servers/slapd/value.c
   openldap/trunk/servers/slapd/zn_malloc.c
   openldap/trunk/tests/Makefile.in
   openldap/trunk/tests/data/ditcontentrules.conf
   openldap/trunk/tests/data/dn.out
   openldap/trunk/tests/data/do_add.1
   openldap/trunk/tests/data/do_add.2
   openldap/trunk/tests/data/do_add.3
   openldap/trunk/tests/data/do_add.4
   openldap/trunk/tests/data/dynlist.out
   openldap/trunk/tests/data/emptydn.out
   openldap/trunk/tests/data/emptydn.out.slapadd
   openldap/trunk/tests/data/regressions/its4184/its4184
   openldap/trunk/tests/data/regressions/its4326/its4326
   openldap/trunk/tests/data/regressions/its4326/slapd.conf
   openldap/trunk/tests/data/regressions/its4336/its4336
   openldap/trunk/tests/data/regressions/its4336/slapd.conf
   openldap/trunk/tests/data/regressions/its4337/its4337
   openldap/trunk/tests/data/regressions/its4337/slapd.conf
   openldap/trunk/tests/data/regressions/its4448/its4448
   openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf
   openldap/trunk/tests/data/relay.out
   openldap/trunk/tests/data/retcode.conf
   openldap/trunk/tests/data/slapd-aci.conf
   openldap/trunk/tests/data/slapd-acl.conf
   openldap/trunk/tests/data/slapd-cache-master.conf
   openldap/trunk/tests/data/slapd-chain1.conf
   openldap/trunk/tests/data/slapd-chain2.conf
   openldap/trunk/tests/data/slapd-component.conf
   openldap/trunk/tests/data/slapd-dds.conf
   openldap/trunk/tests/data/slapd-deltasync-master.conf
   openldap/trunk/tests/data/slapd-deltasync-slave.conf
   openldap/trunk/tests/data/slapd-dn.conf
   openldap/trunk/tests/data/slapd-dnssrv.conf
   openldap/trunk/tests/data/slapd-dynlist.conf
   openldap/trunk/tests/data/slapd-emptydn.conf
   openldap/trunk/tests/data/slapd-glue-ldap.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl1.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl2.conf
   openldap/trunk/tests/data/slapd-glue.conf
   openldap/trunk/tests/data/slapd-idassert.conf
   openldap/trunk/tests/data/slapd-ldapglue.conf
   openldap/trunk/tests/data/slapd-ldapgluegroups.conf
   openldap/trunk/tests/data/slapd-ldapgluepeople.conf
   openldap/trunk/tests/data/slapd-limits.conf
   openldap/trunk/tests/data/slapd-master.conf
   openldap/trunk/tests/data/slapd-meta-target1.conf
   openldap/trunk/tests/data/slapd-meta-target2.conf
   openldap/trunk/tests/data/slapd-meta.conf
   openldap/trunk/tests/data/slapd-nis-master.conf
   openldap/trunk/tests/data/slapd-passwd.conf
   openldap/trunk/tests/data/slapd-ppolicy.conf
   openldap/trunk/tests/data/slapd-proxycache.conf
   openldap/trunk/tests/data/slapd-pw.conf
   openldap/trunk/tests/data/slapd-ref-slave.conf
   openldap/trunk/tests/data/slapd-referrals.conf
   openldap/trunk/tests/data/slapd-refint.conf
   openldap/trunk/tests/data/slapd-relay.conf
   openldap/trunk/tests/data/slapd-repl-slave-remote.conf
   openldap/trunk/tests/data/slapd-retcode.conf
   openldap/trunk/tests/data/slapd-schema.conf
   openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-sql.conf
   openldap/trunk/tests/data/slapd-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf
   openldap/trunk/tests/data/slapd-translucent-local.conf
   openldap/trunk/tests/data/slapd-translucent-remote.conf
   openldap/trunk/tests/data/slapd-unique.conf
   openldap/trunk/tests/data/slapd-valsort.conf
   openldap/trunk/tests/data/slapd-whoami.conf
   openldap/trunk/tests/data/slapd.conf
   openldap/trunk/tests/data/slapd2.conf
   openldap/trunk/tests/data/test.schema
   openldap/trunk/tests/progs/Makefile.in
   openldap/trunk/tests/progs/slapd-addel.c
   openldap/trunk/tests/progs/slapd-bind.c
   openldap/trunk/tests/progs/slapd-common.c
   openldap/trunk/tests/progs/slapd-common.h
   openldap/trunk/tests/progs/slapd-modify.c
   openldap/trunk/tests/progs/slapd-modrdn.c
   openldap/trunk/tests/progs/slapd-read.c
   openldap/trunk/tests/progs/slapd-search.c
   openldap/trunk/tests/progs/slapd-tester.c
   openldap/trunk/tests/run.in
   openldap/trunk/tests/scripts/acfilter.sh
   openldap/trunk/tests/scripts/all
   openldap/trunk/tests/scripts/conf.sh
   openldap/trunk/tests/scripts/defines.sh
   openldap/trunk/tests/scripts/its-all
   openldap/trunk/tests/scripts/passwd-search
   openldap/trunk/tests/scripts/relay
   openldap/trunk/tests/scripts/sql-all
   openldap/trunk/tests/scripts/sql-test000-read
   openldap/trunk/tests/scripts/sql-test001-concurrency
   openldap/trunk/tests/scripts/sql-test900-write
   openldap/trunk/tests/scripts/sql-test901-syncrepl
   openldap/trunk/tests/scripts/start-server
   openldap/trunk/tests/scripts/start-server-nolog
   openldap/trunk/tests/scripts/start-server2
   openldap/trunk/tests/scripts/start-server2-nolog
   openldap/trunk/tests/scripts/startup_nis_ldap_server.sh
   openldap/trunk/tests/scripts/test000-rootdse
   openldap/trunk/tests/scripts/test001-slapadd
   openldap/trunk/tests/scripts/test002-populate
   openldap/trunk/tests/scripts/test003-search
   openldap/trunk/tests/scripts/test004-modify
   openldap/trunk/tests/scripts/test005-modrdn
   openldap/trunk/tests/scripts/test006-acls
   openldap/trunk/tests/scripts/test008-concurrency
   openldap/trunk/tests/scripts/test009-referral
   openldap/trunk/tests/scripts/test010-passwd
   openldap/trunk/tests/scripts/test011-glue-slapadd
   openldap/trunk/tests/scripts/test012-glue-populate
   openldap/trunk/tests/scripts/test013-language
   openldap/trunk/tests/scripts/test014-whoami
   openldap/trunk/tests/scripts/test015-xsearch
   openldap/trunk/tests/scripts/test016-subref
   openldap/trunk/tests/scripts/test017-syncreplication-refresh
   openldap/trunk/tests/scripts/test018-syncreplication-persist
   openldap/trunk/tests/scripts/test019-syncreplication-cascade
   openldap/trunk/tests/scripts/test020-proxycache
   openldap/trunk/tests/scripts/test021-certificate
   openldap/trunk/tests/scripts/test022-ppolicy
   openldap/trunk/tests/scripts/test023-refint
   openldap/trunk/tests/scripts/test024-unique
   openldap/trunk/tests/scripts/test025-limits
   openldap/trunk/tests/scripts/test026-dn
   openldap/trunk/tests/scripts/test027-emptydn
   openldap/trunk/tests/scripts/test028-idassert
   openldap/trunk/tests/scripts/test029-ldapglue
   openldap/trunk/tests/scripts/test030-relay
   openldap/trunk/tests/scripts/test031-component-filter
   openldap/trunk/tests/scripts/test032-chain
   openldap/trunk/tests/scripts/test033-glue-syncrepl
   openldap/trunk/tests/scripts/test034-translucent
   openldap/trunk/tests/scripts/test035-meta
   openldap/trunk/tests/scripts/test036-meta-concurrency
   openldap/trunk/tests/scripts/test037-manage
   openldap/trunk/tests/scripts/test038-retcode
   openldap/trunk/tests/scripts/test039-glue-ldap-concurrency
   openldap/trunk/tests/scripts/test040-subtree-rename
   openldap/trunk/tests/scripts/test041-aci
   openldap/trunk/tests/scripts/test042-valsort
   openldap/trunk/tests/scripts/test043-delta-syncrepl
   openldap/trunk/tests/scripts/test044-dynlist
   openldap/trunk/tests/scripts/test045-syncreplication-proxied
   openldap/trunk/tests/scripts/test046-dds
   openldap/trunk/tests/scripts/test047-ldap
   openldap/trunk/tests/scripts/test048-syncrepl-multiproxy
   openldap/trunk/tests/scripts/test049-sync-config
   openldap/trunk/tests/scripts/test050-syncrepl-multimaster
   openldap/trunk/tests/scripts/test051-config-undo
   openldap/trunk/tests/scripts/test052-memberof
Log:
 * Update to 2.4.9.


Modified: openldap/trunk/ANNOUNCEMENT
===================================================================
--- openldap/trunk/ANNOUNCEMENT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/ANNOUNCEMENT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -106,6 +106,6 @@
 ---
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
-Copyright 1999-2007 The OpenLDAP Foundation, Redwood City,
+Copyright 1999-2008 The OpenLDAP Foundation, Redwood City,
 California, USA.  All Rights Reserved.  Permission to copy and
 distribute verbatim copies of this document is granted.

Modified: openldap/trunk/CHANGES
===================================================================
--- openldap/trunk/CHANGES	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/CHANGES	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,127 @@
 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.9 Release (2008/05/07)
+	Fixed libldap to use unsigned port (ITS#5436)
+	Fixed libldap error message for missing close paren (ITS#5458)
+	Fixed libldap_r tpool pause checks (ITS#5364, #5407)
+	Fixed slapcat error checking (ITS#5387)
+	Fixed slapd abstract objectClass inheritance check (ITS#5474)
+	Fixed slapd add operations requiring naming attrs (ITS#5412)
+	Fixed slapd connection handling (ITS#5469)
+	Fixed slapd delta-syncrepl resync (ITS#5378)
+	Fixed slapd frontendDB backend selection (ITS#5419)
+	Fixed slapd pagedresults stale state (ITS#5409)
+	Fixed slapd pointer dereference (ITS#5388)
+	Fixed slapd null argument dereference (ITS#5435)
+	Fixed slapd REP_ENTRY flags (ITS#5340)
+	Fixed slapd sets attribute description parsing (ITS#5402)
+	Fixed slapd syncrepl hang on back-config (ITS#5407)
+	Fixed slapd syncrepl compare_csns crash (ITS#5413)
+	Fixed slapd syncrepl contextCSN update clash (ITS#5426)
+	Fixed slapd syncrepl/glue failure (ITS#5430)
+	Fixed slapd syncrepl crash on empty CSN (ITS#5432)
+	Fixed slapd syncrepl refreshAndPersist (ITS#5454)
+	Fixed slapd syncrepl modrdn processing (ITS#5397)
+	Fixed slapd syncrepl MMR partial refresh (ITS#5470)
+	Fixed slapd value list termination (ITS#5450)
+	Fixed slapd/slapo-accesslog rq mutex usage (ITS#5442)
+	Fixed slapd-bdb ID_NOCACHE handling (ITS#5439)
+	Fixed slapd-bdb entryinfo state if db_lock fails (ITS#5455)
+	Fixed slapd-bdb referral rewrite (ITS#5339)
+	Fixed slapd-config overlay stacking (ITS#5346)
+	Fixed slapd-config attribute publishing (ITS#5383)
+	Fixed slapd-ldap connection handler (ITS#5404)
+	Fixed slapd-ldif file name handling & multi-suffix/dir catch (ITS#5408)
+	Fixed slapd-meta connections on error (ITS#5440)
+	Fixed slapd-meta crash on search (ITS#5481)
+	Fixed slapo-accesslog null callback stack crash (ITS#5490)
+	Fixed slapo-auditlog unnecessary syscall (ITS#5441)
+	Added slapo-dynlist mapping to dynamic attrs generation (ITS#5466)
+	Fixed slapo-refint dnSubtreeMatch (ITS#5427)
+	Fixed slapo-refint global referential integrity (ITS#5428)
+	Fixed slapo-syncprov psearch on closed connection (ITS#5401)
+	Fixed slapo-syncprov psearch task delay (ITS#5405)
+	Fixed slapo-syncprov psearch filter identity (ITS#5418, #5486)
+	Fixed slapo-syncprov/glue contextCSN update (ITS#5433)
+	Fixed slapo-syncprov/glue search ops (ITS#5434)
+	Fixed slapo-syncprov null cookie (ITS#5437,#5444)
+	Fixed slapo-syncprov double-free (ITS#5445)
+	Fixed slapo-syncprov free syncop correctly (ITS#5484)
+	Fixed slapo-syncprov glue deadlock (ITS#5451)
+	Build Environment
+		Fixed leave function naming for OSF1 (ITS#5411)
+	Documentation
+		Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
+		Fixed slapd.meta(5) idassert-* documentation (ITS#5406)
+		admin24 delta-syncrepl documentation (ITS#5476)
+		admin24 set documentation (ITS#5278,ITS#5279,ITS#5281)
+		admin24 slapo-ppolicy documentation (ITS#5479)
+		admin24 syncrepl directives update (ITS#5425)
+
+OpenLDAP 2.4.8 Release (2008/02/19)
+	Fixed ldapmodify verbose logging (ITS#5247)
+	Fixed ldapdelete with sizelimit (ITS#5294)
+	Fixed ldapdelete with subentries control (ITS#5293)
+	Fixed ldapsearch exit code init (ITS#5317)
+	Fixed libldap extended decoding (ITS#5304)
+	Fixed libldap filter abort (ITS#5300)
+	Fixed libldap ldap_parse_sasl_bind_result (ITS#5263)
+	Fixed libldap result codes for open (ITS#5338)
+	Fixed libldap search timeout crash (ITS#5291)
+	Fixed libldap paged results crash (ITS#5315)
+	Fixed libldap cipher suite with GnuTLS (ITS#5341)
+	Fixed slapd support for 2.1 CSN (ITS#5348)
+	Fixed slapd include handling (ITS#5276)
+	Fixed slapd modrdn check for valid new DN (ITS#5344)
+	Fixed slapd multi-step SASL binds (ITS#5298)
+	Fixed slapd non-atomic signal variables (ITS#5248)
+	Fixed slapd overlay ordering when moving to slapd.d (ITS#5284)
+	Fixed slapd NULL printf (ITS#5264)	
+	Fixed slapd NULL set values (ITS#5286)
+	Fixed slapd segv with SASL/OTP (ITS#5259)
+	Fixed slapd timestamp race condition (ITS#5370)
+	Fixed slapd cn=config crash on delete (ITS#5343)
+	Fixed slapd cn=config global acls (ITS#5352)
+	Fixed slapd truncated cookie (ITS#5362)
+	Fixed slapd sasl with CLEARTEXT (ITS#5368)
+	Fixed slapd str2entry with no attrs (ITS#5308)
+	Fixed slapd TLSVerifyClient default (ITS#5360)
+	Fixed slapd HAVE_TLS dependency (ITS#5379)
+	Fixed slapd delta-syncrepl refresh mode (ITS#5376)
+	Fixed slapd ACL sets URI attrs (ITS#5384)
+	Fixed slapd invalid entryUUID filter (ITS#5386)
+	Fixed slapd-bdb idlcache on adds (ITS#5086)
+	Fixed slapd-bdb crash with modrdn (ITS#5358)
+	Fixed slapd-bdb segv with bdb4.6 (ITS#5322)
+	Fixed slapd-bdb modrdn to same dn (ITS#5319)
+	Fixed slapd-bdb MMR (ITS#5332)
+	Added slapd-bdb/slapd-hdb DB encryption (ITS#5359)
+	Fixed slapd-ldif delete (ITS#5265)
+	Fixed slapd-meta link to slapd-ldap (ITS#5355)
+	Fixed slapd-meta setting of sm_nvalues (ITS#5375)
+	Fixed slapd-monitor crash (ITS#5311)
+	Fixed slapd-relay compare (ITS#4937)
+	Added slapd-sock (ITS#4094)
+	Fixed slapo-accesslog cleanup on successful response (ITS#5374)
+	Added slapo-autogroup contrib module (ITS#5145)
+	Added slapo-constraint cross-attribute constraints (ITS#4987)
+	Fixed slapo-memberof objectClass inheritance (ITS#5299)
+	Added slapo-memberof global overlay support (ITS#5301)
+	Fixed slapo-memberof leak (ITS#5302)
+	Fixed slapo-ppolicy only password check with policy (ITS#5285)
+	Fixed slapo-ppolicy del/replace password without new one (ITS#5373)
+	Fixed slapo-syncprov hang on checkpoint (ITS#5261)
+	Added slapo-translucent local searching (ITS#5283)
+	Removed lint
+	Build Environment
+		Fixed libldap_r threaded library linking (ITS#4982)
+		Fixed libldap use of %n (ITS#5324)
+		Fixed test047 to skip if rwm is not available (ITS#5292)
+	Documentation
+		DB_CONFIG.example URL wrong in comments (ITS#5288)
+		Add cn=config example for auditlog (ITS#5245)
+		ldapmodify(1) clarification for RFC2849 (ITS#5312)
+
 OpenLDAP 2.4.7 Release (2007/12/14)
 	Added slapd ordered indexing of integer attributes (ITS#5239)
 	Fixed slapd paged results control handling (ITS#5191)

Modified: openldap/trunk/COPYRIGHT
===================================================================
--- openldap/trunk/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -25,7 +25,7 @@
 
 ---
 
-Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2008 Kurt D. Zeilenga.
 Portions Copyright 1998-2006 Net Boolean Incorporated.
 Portions Copyright 2001-2006 IBM Corporation.
 All rights reserved.
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2007 Howard Y.H. Chu.
 Portions Copyright 1999-2007 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007 Gavin Henry
-Portions Copyright 2007 Suretec Systems
+Portions Copyright 2008 Gavin Henry
+Portions Copyright 2008 Suretec Systems
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/INSTALL
===================================================================
--- openldap/trunk/INSTALL	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/INSTALL	2008-05-25 14:29:31 UTC (rev 1128)
@@ -107,7 +107,7 @@
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2007 The OpenLDAP Foundation.
+Copyright 1998-2008 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/Makefile.in
===================================================================
--- openldap/trunk/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Master Makefile for OpenLDAP
-# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.2 2007/08/31 23:13:44 quanah Exp $
+# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/README
===================================================================
--- openldap/trunk/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -74,11 +74,11 @@
     <http://www.openldap.org/its/> to be considered.
 
 ---
-$OpenLDAP: pkg/ldap/README,v 1.40.2.6 2007/10/11 18:55:56 quanah Exp $
+$OpenLDAP: pkg/ldap/README,v 1.40.2.7 2008/02/11 23:26:37 kurt Exp $
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2007 The OpenLDAP Foundation.
+Copyright 1998-2008 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/config.guess
===================================================================
--- openldap/trunk/build/config.guess	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/config.guess	2008-05-25 14:29:31 UTC (rev 1128)
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
 timestamp='2003-07-02-OpenLDAP'
-# $OpenLDAP: pkg/ldap/build/config.guess,v 1.19.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/config.guess,v 1.19.2.3 2008/02/11 23:26:37 kurt Exp $
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -29,7 +29,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/config.sub
===================================================================
--- openldap/trunk/build/config.sub	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/config.sub	2008-05-25 14:29:31 UTC (rev 1128)
@@ -4,7 +4,7 @@
 #   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
 
 timestamp='2003-07-04-OpenLDAP'
-# $OpenLDAP: pkg/ldap/build/config.sub,v 1.19.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/config.sub,v 1.19.2.3 2008/02/11 23:26:37 kurt Exp $
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -34,7 +34,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/crupdate
===================================================================
--- openldap/trunk/build/crupdate	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/crupdate	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/crupdate,v 1.7.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/crupdate,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -18,5 +18,5 @@
 
 set -e 		# exit immediately if any errors occur
 
-find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2007 The OpenLDAP Foundation/g;' {} \;
+find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2008 The OpenLDAP Foundation/g;' {} \;
 
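Review bot: The target year is still hard-coded in the perl substitution on the changed `find` line, so the script has to be patched by hand each year, as this hunk does for 2007 to 2008. It could be derived at run time instead, for example `YEAR=$(date +%Y); export YEAR` before the `find`, with `Copyright $1-$ENV{YEAR} The OpenLDAP Foundation` as the replacement text. Separately, `-not` is not a POSIX `find` operator and the script runs under `#! /bin/sh`; `! -name 'LICENSE*'` is the portable spelling. The walk also starts at `.` with nothing pruned, so `perl -pi` appears to rewrite in place every regular file containing the pattern, which would include version-control metadata if the script is run inside a working copy; whether such directories should be excluded is worth confirming.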

Modified: openldap/trunk/build/dir.mk
===================================================================
--- openldap/trunk/build/dir.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/dir.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/info.mk
===================================================================
--- openldap/trunk/build/info.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/info.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-shared.mk
===================================================================
--- openldap/trunk/build/lib-shared.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib-shared.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-static.mk
===================================================================
--- openldap/trunk/build/lib-static.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib-static.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib.mk
===================================================================
--- openldap/trunk/build/lib.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/lib.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/ltmain.sh
===================================================================
--- openldap/trunk/build/ltmain.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/ltmain.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -28,7 +28,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Portions Copyright 1998-2007 The OpenLDAP Foundation.
+## Portions Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/man.mk
===================================================================
--- openldap/trunk/build/man.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/man.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.3 2007/11/09 02:55:50 hyc Exp $
+# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.4 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/missing
===================================================================
--- openldap/trunk/build/missing	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/missing	2008-05-25 14:29:31 UTC (rev 1128)
@@ -29,7 +29,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep
===================================================================
--- openldap/trunk/build/mkdep	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkdep	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh -
-# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep.aix
===================================================================
--- openldap/trunk/build/mkdep.aix	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkdep.aix	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkrelease
===================================================================
--- openldap/trunk/build/mkrelease	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkrelease	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.3 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.4 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkvers.bat
===================================================================
--- openldap/trunk/build/mkvers.bat	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkvers.bat	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.2 2007/08/31 23:13:50 quanah Exp $
+:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
 :: This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ::
-:: Copyright 1998-2007 The OpenLDAP Foundation.
+:: Copyright 1998-2008 The OpenLDAP Foundation.
 :: All rights reserved.
 ::
 :: Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkversion
===================================================================
--- openldap/trunk/build/mkversion	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mkversion	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Create a version.c file
-# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@
 cat << __EOF__
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68,7 +68,7 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2007 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY\n";
 
 $static $const char $SYMBOL[] =

Modified: openldap/trunk/build/mod.mk
===================================================================
--- openldap/trunk/build/mod.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/mod.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.3 2008/02/11 23:26:37 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/openldap.m4
===================================================================
--- openldap/trunk/build/openldap.m4	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/openldap.m4	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 dnl OpenLDAP Autoconf Macros
-dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.4 2007/09/01 00:38:35 hyc Exp $
+dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.5 2008/02/11 23:26:37 kurt Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2007 The OpenLDAP Foundation.
+dnl Copyright 1998-2008 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/rules.mk
===================================================================
--- openldap/trunk/build/rules.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/rules.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/srv.mk
===================================================================
--- openldap/trunk/build/srv.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/srv.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/top.mk
===================================================================
--- openldap/trunk/build/top.mk	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/top.mk	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.4 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.5 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/version.h
===================================================================
--- openldap/trunk/build/version.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13,6 +13,6 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2007 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY.\n";
 

Modified: openldap/trunk/build/version.sh
===================================================================
--- openldap/trunk/build/version.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/version.var
===================================================================
--- openldap/trunk/build/version.var	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/build/version.var	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.19 2007/12/13 20:56:24 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.26 2008/05/07 19:26:02 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=7
-ol_api_inc=20407
+ol_patch=9
+ol_api_inc=20409
 ol_api_current=2
-ol_api_revision=3
+ol_api_revision=5
 ol_api_age=0
-ol_release_date="2007/12/14"
+ol_release_date="2008/05/07"

Modified: openldap/trunk/clients/Makefile.in
===================================================================
--- openldap/trunk/clients/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Clients Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/Makefile.in
===================================================================
--- openldap/trunk/clients/tools/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile for LDAP tools
-# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.2 2007/08/31 23:13:50 quanah Exp $
+# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.3 2008/02/11 23:26:38 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/common.c
===================================================================
--- openldap/trunk/clients/tools/common.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/common.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* common.c - common routines for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.4 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.7 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -149,8 +149,8 @@
 };
 
 /* "features" */
-static int	gotintr;
-static int	abcan;
+enum { Intr_None = 0, Intr_Abandon, Intr_Cancel, Intr_Ignore }; 
+static volatile sig_atomic_t	gotintr, abcan;
 
 
 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
@@ -223,6 +223,17 @@
 #ifdef HAVE_TLS
 	ldap_pvt_tls_destroy();
 #endif
+
+	if ( ldapuri != NULL ) {
+		ber_memfree( ldapuri );
+		ldapuri = NULL;
+	}
+
+	if ( pr_cookie.bv_val != NULL ) {
+		ber_memfree( pr_cookie.bv_val );
+		pr_cookie.bv_val = NULL;
+		pr_cookie.bv_len = 0;
+	}
 }
 
 void
@@ -558,19 +569,19 @@
 
 			/* this shouldn't go here, really; but it's a feature... */
 			} else if ( strcasecmp( control, "abandon" ) == 0 ) {
-				abcan = LDAP_REQ_ABANDON;
+				abcan = Intr_Abandon;
 				if ( crit ) {
 					gotintr = abcan;
 				}
 
 			} else if ( strcasecmp( control, "cancel" ) == 0 ) {
-				abcan = LDAP_REQ_EXTENDED;
+				abcan = Intr_Cancel;
 				if ( crit ) {
 					gotintr = abcan;
 				}
 
 			} else if ( strcasecmp( control, "ignore" ) == 0 ) {
-				abcan = -1;
+				abcan = Intr_Ignore;
 				if ( crit ) {
 					gotintr = abcan;
 				}
@@ -746,7 +757,7 @@
 		case 'P':
 			ival = strtol( optarg, &next, 10 );
 			if ( next == NULL || next[0] != '\0' ) {
-				fprintf( stderr, "%s: unabel to parse protocol version \"%s\"\n", prog, optarg );
+				fprintf( stderr, "%s: unable to parse protocol version \"%s\"\n", prog, optarg );
 				exit( EXIT_FAILURE );
 			}
 			switch( ival ) {
@@ -1720,19 +1731,19 @@
 	int	rc;
 
 	switch ( gotintr ) {
-	case LDAP_REQ_EXTENDED:
+	case Intr_Cancel:
 		rc = ldap_cancel_s( ld, msgid, NULL, NULL );
 		fprintf( stderr, "got interrupt, cancel got %d: %s\n",
 				rc, ldap_err2string( rc ) );
 		return -1;
 
-	case LDAP_REQ_ABANDON:
+	case Intr_Abandon:
 		rc = ldap_abandon_ext( ld, msgid, NULL, NULL );
 		fprintf( stderr, "got interrupt, abandon got %d: %s\n",
 				rc, ldap_err2string( rc ) );
 		return -1;
 
-	case -1:
+	case Intr_Ignore:
 		/* just unbind, ignoring the request */
 		return -1;
 	}

Modified: openldap/trunk/clients/tools/common.h
===================================================================
--- openldap/trunk/clients/tools/common.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/common.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* common.h - common definitions for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.2 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/ldapcompare.c
===================================================================
--- openldap/trunk/clients/tools/ldapcompare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapcompare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapcompare.c -- LDAP compare tool */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.3 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * All rights reserved.

Modified: openldap/trunk/clients/tools/ldapdelete.c
===================================================================
--- openldap/trunk/clients/tools/ldapdelete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapdelete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapdelete.c - simple program to delete an entry using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.4 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.7 2008/02/12 00:32:01 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *
@@ -51,6 +51,7 @@
 
 
 static int	prune = 0;
+static int sizelimit = -1;
 
 
 static int dodelete LDAP_P((
@@ -59,7 +60,8 @@
 
 static int deletechildren LDAP_P((
 	LDAP *ld,
-	const char *dn ));
+	const char *dn,
+	int subentries ));
 
 void
 usage( void )
@@ -76,11 +78,13 @@
 
 
 const char options[] = "r"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
 
 int
 handle_private_option( int i )
 {
+	int ival;
+	char *next;
 	switch ( i ) {
 #if 0
 		int crit;
@@ -115,6 +119,29 @@
 		prune = 1;
 		break;
 
+	case 'z':	/* size limit */
+		if ( strcasecmp( optarg, "none" ) == 0 ) {
+			sizelimit = 0;
+
+		} else if ( strcasecmp( optarg, "max" ) == 0 ) {
+			sizelimit = LDAP_MAXINT;
+
+		} else {
+			ival = strtol( optarg, &next, 10 );
+			if ( next == NULL || next[0] != '\0' ) {
+				fprintf( stderr,
+					_("Unable to parse size limit \"%s\"\n"), optarg );
+				exit( EXIT_FAILURE );
+			}
+			sizelimit = ival;
+		}
+		if( sizelimit < 0 || sizelimit > LDAP_MAXINT ) {
+			fprintf( stderr, _("%s: invalid sizelimit (%d) specified\n"),
+				prog, sizelimit );
+			exit( EXIT_FAILURE );
+		}
+		break;
+
 	default:
 		return 0;
 	}
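Review bot: The `-z` parser in the `else` branch stores the `long` result of `strtol()` in `int ival`, so on LP64 platforms an oversized value is truncated before the range test and may be accepted as a different limit. The later `sizelimit > LDAP_MAXINT` comparison can never be true for an `int` if `LDAP_MAXINT` equals `INT_MAX`, as it appears to. An empty argument also passes: `next == NULL` is never true after `strtol()`, and with `-z ""` `next[0]` is already `'\0'`, which yields 0, the same as `none` (no limit). I would declare `ival` as `long` (the declaration is in the earlier hunk) and reject `next == optarg` and out-of-range values before the assignment, as sketched below. The `-P` parsing in common.c uses the same `next == NULL` test.

```c
	} else {
		/* ival is declared long so the range test sees the untruncated value */
		ival = strtol( optarg, &next, 10 );
		if ( next == optarg || next[0] != '\0' ||
			ival < 0 || ival > LDAP_MAXINT )
		{
			fprintf( stderr,
				_("Unable to parse size limit \"%s\"\n"), optarg );
			exit( EXIT_FAILURE );
		}
		sizelimit = (int) ival;
	}
```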
@@ -212,6 +239,7 @@
 	char *matcheddn = NULL, *text = NULL, **refs = NULL;
 	LDAPControl **ctrls = NULL;
 	LDAPMessage *res;
+	int subentries = 0;
 
 	if ( verbose ) {
 		printf( _("%sdeleting entry \"%s\"\n"),
@@ -225,7 +253,10 @@
 	/* If prune is on, remove a whole subtree.  Delete the children of the
 	 * DN recursively, then the DN requested.
 	 */
-	if ( prune ) deletechildren( ld, dn );
+	if ( prune ) {
+retry:;
+		deletechildren( ld, dn, subentries );
+	}
 
 	rc = ldap_delete_ext( ld, dn, NULL, NULL, &id );
 	if ( rc != LDAP_SUCCESS ) {
@@ -257,7 +288,18 @@
 
 	rc = ldap_parse_result( ld, res, &code, &matcheddn, &text, &refs, &ctrls, 1 );
 
-	if( rc != LDAP_SUCCESS ) {
+	switch ( rc ) {
+	case LDAP_SUCCESS:
+		break;
+
+	case LDAP_NOT_ALLOWED_ON_NONLEAF:
+		if ( prune && !subentries ) {
+			subentries = 1;
+			goto retry;
+		}
+		/* fallthru */
+
+	default:
 		fprintf( stderr, "%s: ldap_parse_result: %s (%d)\n",
 			prog, ldap_err2string( rc ), rc );
 		return rc;
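Review bot: The new `switch ( rc )` tests the return value of `ldap_parse_result()`, which as far as I know reports only whether the response could be parsed; the server's result code is stored in `code`. If that is right, `case LDAP_NOT_ALLOWED_ON_NONLEAF:` is never reached and the subentries retry never runs. The retry test probably belongs where `code` is examined, e.g. `if ( code == LDAP_NOT_ALLOWED_ON_NONLEAF && prune && !subentries ) { subentries = 1; goto retry; }`, after freeing `matcheddn`, `text`, `refs` and `ctrls` from the first pass. The function starts and ends outside this hunk, so the handling of `code` is not visible here.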
@@ -290,7 +332,7 @@
 	if (ctrls) {
 		tool_print_ctrls( ld, ctrls );
 		ldap_controls_free( ctrls );
-    }
+	}
 
 	ber_memfree( text );
 	ber_memfree( matcheddn );
@@ -304,27 +346,55 @@
  */
 static int deletechildren(
 	LDAP *ld,
-	const char *dn )
+	const char *base,
+	int subentries )
 {
 	LDAPMessage *res, *e;
 	int entries;
-	int rc;
+	int rc = LDAP_SUCCESS, srch_rc;
 	static char *attrs[] = { LDAP_NO_ATTRS, NULL };
-	LDAPControl c, *ctrls[2];
+	LDAPControl c, *ctrls[2], **ctrlsp = NULL;
 	BerElement *ber = NULL;
-	LDAPMessage *res_se;
 
-	if ( verbose ) printf ( _("deleting children of: %s\n"), dn );
+	if ( verbose ) printf ( _("deleting children of: %s\n"), base );
 
+	if ( subentries ) {
+		/*
+		 * Do a one level search at base for subentry children.
+		 */
+
+		if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) {
+			return EXIT_FAILURE;
+		}
+		rc = ber_printf( ber, "b", 1 );
+		if ( rc == -1 ) {
+			ber_free( ber, 1 );
+			fprintf( stderr, _("Subentries control encoding error!\n"));
+			return EXIT_FAILURE;
+		}
+		if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) {
+			return EXIT_FAILURE;
+		}
+		c.ldctl_oid = LDAP_CONTROL_SUBENTRIES;
+		c.ldctl_iscritical = 1;
+		ctrls[0] = &c;
+		ctrls[1] = NULL;
+		ctrlsp = ctrls;
+	}
+
 	/*
-	 * Do a one level search at dn for children.  For each, delete its children.
+	 * Do a one level search at base for children.  For each, delete its children.
 	 */
-
-	rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
-		NULL, NULL, NULL, -1, &res );
-	if ( rc != LDAP_SUCCESS ) {
-		tool_perror( "ldap_search", rc, NULL, NULL, NULL, NULL );
-		return( rc );
+more:;
+	srch_rc = ldap_search_ext_s( ld, base, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
+		ctrlsp, NULL, NULL, sizelimit, &res );
+	switch ( srch_rc ) {
+	case LDAP_SUCCESS:
+	case LDAP_SIZELIMIT_EXCEEDED:
+		break;
+	default:
+		tool_perror( "ldap_search", srch_rc, NULL, NULL, NULL, NULL );
+		return( srch_rc );
 	}
 
 	entries = ldap_count_entries( ld, res );
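Review bot: In the `subentries` branch the `ber_flatten2()` failure path returns without `ber_free( ber, 1 )`, although the `ber_printf()` failure path just above does free it. The `ber_free( ber, 1 )` that used to follow the second search is deleted in a later hunk with no replacement visible, so the element appears to leak on the success path too. Because `ber_flatten2( ..., 0 )` leaves `c.ldctl_value` pointing into `ber`, the free has to come after the last search, e.g. `if ( ber != NULL ) ber_free( ber, 1 );` before the final `return rc;`. These paths also return `EXIT_FAILURE` from a function whose other returns are LDAP result codes, which callers comparing against `LDAP_SUCCESS` will read as an unrelated LDAP error. Part of the function body lies between hunks and is not shown.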
@@ -344,8 +414,8 @@
 				return rc;
 			}
 
-			rc = deletechildren( ld, dn );
-			if ( rc == -1 ) {
+			rc = deletechildren( ld, dn, 0 );
+			if ( rc != LDAP_SUCCESS ) {
 				tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
 				ber_memfree( dn );
 				return rc;
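Review bot: The error returns inside the entry loop free `dn` but not `res`, which is only released by the `ldap_msgfree( res )` after the loop. Now that the checks are `rc != LDAP_SUCCESS` rather than `rc == -1`, these paths are taken on every real failure, so the leak is reached far more often and grows across the recursion. Adding `ldap_msgfree( res );` before each `return rc;` here and in the following `ldap_delete_ext_s` hunk would close it. The loop itself starts outside this hunk.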
@@ -356,7 +426,7 @@
 			}
 
 			rc = ldap_delete_ext_s( ld, dn, NULL, NULL );
-			if ( rc == -1 ) {
+			if ( rc != LDAP_SUCCESS ) {
 				tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
 				ber_memfree( dn );
 				return rc;
@@ -373,72 +443,9 @@
 
 	ldap_msgfree( res );
 
-	/*
-	 * Do a one level search at dn for subentry children.
-	 */
-
-	if ((ber = ber_alloc_t(LBER_USE_DER)) == NULL) {
-		return EXIT_FAILURE;
+	if ( srch_rc == LDAP_SIZELIMIT_EXCEEDED ) {
+		goto more;
 	}
-	rc = ber_printf( ber, "b", 1 );
-	if ( rc == -1 ) {
-		ber_free( ber, 1 );
-		fprintf( stderr, _("Subentries control encoding error!\n"));
-		return EXIT_FAILURE;
-	}
-	if ( ber_flatten2( ber, &c.ldctl_value, 0 ) == -1 ) {
-		return EXIT_FAILURE;
-	}
-	c.ldctl_oid = LDAP_CONTROL_SUBENTRIES;
-	c.ldctl_iscritical = 1;
-	ctrls[0] = &c;
-	ctrls[1] = NULL;
 
-	rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
-		ctrls, NULL, NULL, -1, &res_se );
-	if ( rc != LDAP_SUCCESS ) {
-		tool_perror( "ldap_search", rc, NULL, NULL, NULL, NULL );
-		return( rc );
-	}
-	ber_free( ber, 1 );
-
-	entries = ldap_count_entries( ld, res_se );
-
-	if ( entries > 0 ) {
-		int i;
-
-		for (e = ldap_first_entry( ld, res_se ), i = 0; e != NULL;
-			e = ldap_next_entry( ld, e ), i++ )
-		{
-			char *dn = ldap_get_dn( ld, e );
-
-			if( dn == NULL ) {
-				ldap_get_option( ld, LDAP_OPT_RESULT_CODE, &rc );
-				tool_perror( "ldap_prune", rc, NULL, NULL, NULL, NULL );
-				ber_memfree( dn );
-				return rc;
-			}
-
-			if ( verbose ) {
-				printf( _("\tremoving %s\n"), dn );
-			}
-
-			rc = ldap_delete_ext_s( ld, dn, NULL, NULL );
-			if ( rc == -1 ) {
-				tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
-				ber_memfree( dn );
-				return rc;
-
-			}
-			
-			if ( verbose ) {
-				printf( _("\t%s removed\n"), dn );
-			}
-
-			ber_memfree( dn );
-		}
-	}
-
-	ldap_msgfree( res_se );
 	return rc;
 }
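Review bot: The `goto more` on `LDAP_SIZELIMIT_EXCEEDED` has no progress check, so a server that returns that code with zero entries would make `deletechildren` loop forever. Progress is only guaranteed when the pass saw entries, since each one is either deleted or causes a return. I would write `if ( srch_rc == LDAP_SIZELIMIT_EXCEEDED && entries > 0 ) {` and otherwise report the search result through `tool_perror` and return it. A short comment at the `more:` label saying that the search is repeated until the server stops truncating would also help the next reader.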

Modified: openldap/trunk/clients/tools/ldapexop.c
===================================================================
--- openldap/trunk/clients/tools/ldapexop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapexop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapexop.c -- a tool for performing well-known extended operations */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.2 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/ldapmodify.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapmodify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapmodify.c - generic program to modify or add entries using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.3 2007/08/31 23:13:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.7 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2006 Howard Chu.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
@@ -70,15 +70,14 @@
 
 #include "common.h"
 
-static int	ldapadd, force = 0;
+static int	ldapadd;
 static char *rejfile = NULL;
 static LDAP	*ld = NULL;
 
 #define	M_SEP	0x7f
 
-/* strings found in replog/LDIF entries (mostly lifted from slurpd/slurp.h) */
+/* strings found in LDIF entries */
 static struct berval BV_VERSION = BER_BVC("version");
-static struct berval BV_REPLICA = BER_BVC("replica");
 static struct berval BV_DN = BER_BVC("dn");
 static struct berval BV_CONTROL = BER_BVC("control");
 static struct berval BV_CHANGETYPE = BER_BVC("changetype");
@@ -144,7 +143,6 @@
  	fprintf( stderr,
 		_("             [!]txn=<commit|abort>         (transaction)\n"));
 #endif
-	fprintf( stderr, _("  -F         force all changes records to be used\n"));
 	fprintf( stderr, _("  -S file    write skipped modifications to `file'\n"));
 
 	tool_common_usage();
@@ -152,7 +150,7 @@
 }
 
 
-const char options[] = "aE:FrS:"
+const char options[] = "aE:rS:"
 	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -217,10 +215,6 @@
 		ldapadd = 1;
 		break;
 
-	case 'F':	/* force all changes records to be used */
-		force = 1;
-		break;
-
 	case 'r':	/* replace (obsolete) */
 		break;
 
@@ -408,10 +402,10 @@
 process_ldif_rec( char *rbuf, int linenum )
 {
 	char	*line, *dn, *newrdn, *newsup;
-	int		rc, modop, replicaport;
+	int		rc, modop;
 	int		expect_modop, expect_sep;
 	int		deleteoldrdn;
-	int		saw_replica, use_record, new_entry, delete_entry, got_all;
+	int		new_entry, delete_entry, got_all;
 	LDAPMod	**pmods, *lm = NULL;
 	int version;
 	LDAPControl **pctrls;
@@ -422,11 +416,10 @@
 
 	new_entry = ldapadd;
 
-	rc = got_all = saw_replica = delete_entry = modop = expect_modop = 0;
+	rc = got_all = delete_entry = modop = expect_modop = 0;
 	expect_sep = 0;
 	version = 0;
 	deleteoldrdn = 1;
-	use_record = force;
 	pmods = NULL;
 	pctrls = NULL;
 	dn = newrdn = newsup = NULL;
@@ -464,27 +457,7 @@
 		freeval[i] = freev;
 
 		if ( dn == NULL ) {
-			if ( !use_record && !BVICMP( btype+i, &BV_REPLICA )) {
-				char *p;
-				++saw_replica;
-				if (( p = strchr( vals[i].bv_val, ':' )) == NULL ) {
-					replicaport = 0;
-				} else {
-					*p++ = '\0';
-					if ( lutil_atoi( &replicaport, p ) != 0 ) {
-						fprintf( stderr, _("%s: unable to parse replica port \"%s\" (line %d) entry: \"%s\"\n"),
-							prog, p, linenum+i, dn == NULL ? "" : dn );
-						rc = LDAP_PARAM_ERROR;
-						break;
-					}
-				}
-				if ( ldaphost != NULL &&
-					strcasecmp( vals[i].bv_val, ldaphost ) == 0 &&
-					replicaport == ldapport )
-				{
-					use_record = 1;
-				}
-			} else if ( linenum+i == 1 && !BVICMP( btype+i, &BV_VERSION )) {
+			if ( linenum+i == 1 && !BVICMP( btype+i, &BV_VERSION )) {
 				int	v;
 				if( vals[i].bv_len == 0 || lutil_atoi( &v, vals[i].bv_val) != 0 || v != 1 ) {
 					fprintf( stderr,
@@ -496,13 +469,6 @@
 			} else if ( !BVICMP( btype+i, &BV_DN )) {
 				dn = vals[i].bv_val;
 				idn = i;
-				if ( !use_record && saw_replica ) {
-					printf(_("%s: skipping change record for entry: %s at line %d\n"),
-						prog, dn, linenum+i);
-					printf(_("\t(LDAP host/port does not match replica: lines)\n"));
-					rc = 0;
-					goto leave;
-				}
 			}
 			/* skip all lines until we see "dn:" */
 		}
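Review bot: Records that carry leading `replica:` lines are now applied unconditionally. With the host/port comparison removed here and in the hunk above, those lines fall into the `skip all lines until we see "dn:"` path, so a replog-style file is replayed against whatever server the tool is bound to. Previously such a record was skipped unless the replica matched or -F was given. The comment should state the new behaviour, for example `/* skip all lines until we see "dn:"; replica: lines are ignored and every record is applied */`, and the manual page probably needs the same caveat. process_ldif_rec starts and ends outside this hunk.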
@@ -1136,13 +1102,14 @@
 			tool_perror( newentry ? "ldap_add" : "ldap_modify",
 				rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else if ( verbose ) {
-			printf( _("modify complete\n") );
 		}
-
 		rc = process_response( ld, msgid,
 			newentry ? LDAP_RES_ADD : LDAP_RES_MODIFY, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("modify complete\n") );
+		}
+
 	} else {
 		rc = LDAP_SUCCESS;
 	}
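Review bot: The success message printed after `process_response()` still reads `modify complete` when `newentry` is set, although the same block reports failures as `ldap_add` and waits for `LDAP_RES_ADD` in that case. Choosing the text the same way, `fputs( newentry ? _("add complete\n") : _("modify complete\n"), stdout );`, keeps the verbose output consistent with the operation that was performed. The enclosing function starts and ends outside the hunk.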
@@ -1168,12 +1135,12 @@
 			fprintf( stderr, _("%s: delete failed: %s\n"), prog, dn );
 			tool_perror( "ldap_delete", rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else if ( verbose ) {
-			printf( _("delete complete") );
 		}
-
 		rc = process_response( ld, msgid, LDAP_RES_DELETE, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("delete complete\n") );
+		}
 	} else {
 		rc = LDAP_SUCCESS;
 	}
@@ -1207,12 +1174,12 @@
 			fprintf( stderr, _("%s: rename failed: %s\n"), prog, dn );
 			tool_perror( "ldap_rename", rc, NULL, NULL, NULL, NULL );
 			goto done;
-		} else {
-			printf( _("rename completed\n") );
 		}
-
 		rc = process_response( ld, msgid, LDAP_RES_RENAME, dn );
 
+		if ( verbose && rc == LDAP_SUCCESS ) {
+			printf( _("rename complete\n") );
+		}
 	} else {
 		rc = LDAP_SUCCESS;
 	}

Modified: openldap/trunk/clients/tools/ldapmodrdn.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapmodrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapmodrdn.c - generic program to modify an entry's RDN using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/clients/tools/ldappasswd.c
===================================================================
--- openldap/trunk/clients/tools/ldappasswd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldappasswd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldappasswd -- a tool for change LDAP passwords */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/clients/tools/ldapsearch.c
===================================================================
--- openldap/trunk/clients/tools/ldapsearch.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapsearch.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapsearch -- a tool for searching LDAP directories */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.5 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.9 2008/02/12 19:59:52 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -95,6 +95,8 @@
 static int timelimit = -1;
 static int sizelimit = -1;
 
+static char *control;
+
 static char *def_tmpdir;
 static char *def_urlpre;
 
@@ -255,7 +257,7 @@
 handle_private_option( int i )
 {
 	int crit, ival;
-	char *control, *cvalue, *next;
+	char *cvalue, *next;
 	switch ( i ) {
 	case 'a':	/* set alias deref option */
 		if ( strcasecmp( optarg, "never" ) == 0 ) {
@@ -623,7 +625,7 @@
 {
 	char		*filtpattern, **attrs = NULL, line[BUFSIZ];
 	FILE		*fp = NULL;
-	int		rc, i, first;
+	int			rc, rc1, i, first;
 	LDAP		*ld = NULL;
 	BerElement	*seber = NULL, *vrber = NULL;
 
@@ -979,6 +981,7 @@
 			attrs, attrsonly, NULL, NULL, NULL, -1 );
 
 	} else {
+		rc = 0;
 		first = 1;
 		while ( fgets( line, sizeof( line ), fp ) != NULL ) { 
 			line[ strlen( line ) - 1 ] = '\0';
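Review bot: The context line `line[ strlen( line ) - 1 ] = '\0';` writes one byte before the buffer when `fgets` returns an empty string, which can happen if a line of the filter file starts with a NUL byte. It also cuts off the last real character of a final line that has no trailing newline, or of a line longer than `BUFSIZ`. Only a trailing newline should be stripped: `size_t len = strlen( line );` followed by `if ( len > 0 && line[len - 1] == '\n' ) line[len - 1] = '\0';`. The loop body continues outside this hunk.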
@@ -987,11 +990,13 @@
 			} else {
 				first = 0;
 			}
-			rc = dosearch( ld, base, scope, filtpattern, line,
+			rc1 = dosearch( ld, base, scope, filtpattern, line,
 				attrs, attrsonly, NULL, NULL, NULL, -1 );
 
-			if ( rc != 0 && !contoper ) {
-				break;
+			if ( rc1 != 0 ) {
+				rc = rc1;
+				if ( !contoper )
+					break;
 			}
 		}
 		if ( fp != stdin ) {
@@ -1040,6 +1045,12 @@
 
 	tool_unbind( ld );
 	tool_destroy();
+	if ( base != NULL ) {
+		ber_memfree( base );
+	}
+	if ( control != NULL ) {
+		ber_memfree( control );
+	}
 
 	if ( c ) {
 		for ( ; save_nctrls-- > 0; ) {
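Review bot: The new `ber_memfree( base )` and `ber_memfree( control )` calls are only safe if every assignment to those pointers stores memory from the liblber allocator, and none of those assignments is visible in this hunk. `control` in particular became a file-scope variable earlier in this file's diff so that it can be freed here. If `handle_private_option` assigns it on every -E occurrence, only the last allocation is released and the earlier ones leak. A comment on the declaration would record the ownership rule, for example `static char *control; /* liblber-allocated copy of the -E argument, freed in main() */`, and the assignment site should free any previous value first. main() starts and ends outside the hunk.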

Modified: openldap/trunk/clients/tools/ldapwhoami.c
===================================================================
--- openldap/trunk/clients/tools/ldapwhoami.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/clients/tools/ldapwhoami.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapwhoami.c -- a tool for asking the directory "Who Am I?" */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.

Modified: openldap/trunk/configure
===================================================================
--- openldap/trunk/configure	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/configure	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,9 @@
 #! /bin/sh
-# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp .
+# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.59.
 #
-# Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+# Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 # Restrictions apply, see COPYRIGHT and LICENSE files.
 #
 # Copyright (C) 2003 Free Software Foundation, Inc.
@@ -465,7 +465,7 @@
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar OPENLDAP_LIBRELEASE OPENLDAP_LIBVERSION OPENLDAP_RELEASE_DATE top_builddir ldap_subdir CC AR CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO ac_ct_AR RANLIB ac_ct_RANLIB DLLTOOL ac_ct_DLLTOOL AS ac_ct_AS OBJDUMP ac_ct_OBJDUMP CPP LIBTOOL PERLBIN OL_MKDEP OL_MKDEP_FLAGS LTSTATIC LIBOBJS LIBSRCS PLAT WITH_SASL WITH_TLS WITH_MODULES_ENABLED WITH_ACI_ENABLED BUILD_THREAD BUILD_LIBS_DYNAMIC BUILD_SLAPD BUILD_SLAPI SLAPD_SLAPI_DEPEND BUILD_BDB BUILD_DNSSRV BUILD_HDB BUILD_LDAP BUILD_META BUILD_MONITOR BUILD_NULL BUILD_PASSWD BUILD_RELAY BUILD_PERL BUILD_SHELL BUILD_SQL BUILD_ACCESSLOG BUILD_AUDITLOG BUILD_CONSTRAINT BUILD_DDS BUILD_DENYOP BUILD_DYNGROUP BUILD_DYNLIST BUILD_LASTMOD BUILD_MEMBEROF BUILD_PPOLICY BUILD_PROXYCACHE BUILD_REFINT BUILD_RETCODE BUILD_RWM BUILD_SEQMOD BUILD_SYNCPROV BUILD_TRANSLUCENT BUILD_UNIQUE BUILD_VALSORT LDAP_LIBS SLAPD_LIBS BDB_LIBS LTHREAD_LIBS LUTIL_LIBS WRAP_LIBS SLAPD_MODULES_CPPFLAGS SLAPD_MODULES_LDFLAGS SLAPD_NO_STATIC SLAPD_STATIC_BACKENDS SLAPD_DYNAMIC_BACKENDS SLAPD_STATIC_OVERLAYS SLAPD_DYNAMIC_OVERLAYS PERL_CPPFLAGS SLAPD_PERL_LDFLAGS MOD_PERL_LDFLAGS KRB4_LIBS KRB5_LIBS SASL_LIBS TLS_LIBS MODULES_LIBS SLAPI_LIBS LIBSLAPI 
LIBSLAPITOOLS AUTH_LIBS ICU_LIBS SLAPD_SLP_LIBS SLAPD_GMP_LIBS SLAPD_SQL_LDFLAGS SLAPD_SQL_LIBS SLAPD_SQL_INCLUDES LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os target target_cpu target_vendor target_os INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar OPENLDAP_LIBRELEASE OPENLDAP_LIBVERSION OPENLDAP_RELEASE_DATE top_builddir ldap_subdir CC AR CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO ac_ct_AR RANLIB ac_ct_RANLIB DLLTOOL ac_ct_DLLTOOL AS ac_ct_AS OBJDUMP ac_ct_OBJDUMP CPP LIBTOOL PERLBIN OL_MKDEP OL_MKDEP_FLAGS LTSTATIC LIBOBJS LIBSRCS PLAT WITH_SASL WITH_TLS WITH_MODULES_ENABLED WITH_ACI_ENABLED BUILD_THREAD BUILD_LIBS_DYNAMIC BUILD_SLAPD BUILD_SLAPI SLAPD_SLAPI_DEPEND BUILD_BDB BUILD_DNSSRV BUILD_HDB BUILD_LDAP BUILD_META BUILD_MONITOR BUILD_NULL BUILD_PASSWD BUILD_RELAY BUILD_PERL BUILD_SHELL BUILD_SOCK BUILD_SQL BUILD_ACCESSLOG BUILD_AUDITLOG BUILD_CONSTRAINT BUILD_DDS BUILD_DENYOP BUILD_DYNGROUP BUILD_DYNLIST BUILD_LASTMOD BUILD_MEMBEROF BUILD_PPOLICY BUILD_PROXYCACHE BUILD_REFINT BUILD_RETCODE BUILD_RWM BUILD_SEQMOD BUILD_SYNCPROV BUILD_TRANSLUCENT BUILD_UNIQUE BUILD_VALSORT LDAP_LIBS SLAPD_LIBS BDB_LIBS LTHREAD_LIBS LUTIL_LIBS WRAP_LIBS SLAPD_MODULES_CPPFLAGS SLAPD_MODULES_LDFLAGS SLAPD_NO_STATIC SLAPD_STATIC_BACKENDS SLAPD_DYNAMIC_BACKENDS SLAPD_STATIC_OVERLAYS SLAPD_DYNAMIC_OVERLAYS PERL_CPPFLAGS SLAPD_PERL_LDFLAGS MOD_PERL_LDFLAGS KRB4_LIBS KRB5_LIBS SASL_LIBS TLS_LIBS MODULES_LIBS SLAPI_LIBS 
LIBSLAPI LIBSLAPITOOLS AUTH_LIBS ICU_LIBS SLAPD_SLP_LIBS SLAPD_GMP_LIBS SLAPD_SQL_LDFLAGS SLAPD_SQL_LIBS SLAPD_SQL_INCLUDES LTLIBOBJS'
 ac_subst_files=''
 
 # Initialize some variables set by options.
@@ -1041,6 +1041,7 @@
     --enable-perl	  enable perl backend no|yes|mod [no]
     --enable-relay  	  enable relay backend no|yes|mod [yes]
     --enable-shell	  enable shell backend no|yes|mod [no]
+    --enable-sock	  enable sock backend no|yes|mod [no]
     --enable-sql	  enable sql backend no|yes|mod [no]
 
 SLAPD Overlay Options:
@@ -1205,7 +1206,7 @@
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 
-Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.
 _ACEOF
   exit 0
@@ -2788,6 +2789,7 @@
 	perl \
 	relay \
 	shell \
+	sock \
 	sql"
 
 # Check whether --enable-xxslapbackends or --disable-xxslapbackends was given.
@@ -3070,6 +3072,29 @@
   	ol_enable_shell=${ol_enable_backends:-no}
 fi;
 # end --enable-shell
+# OpenLDAP --enable-sock
+
+	# Check whether --enable-sock or --disable-sock was given.
+if test "${enable_sock+set}" = set; then
+  enableval="$enable_sock"
+
+	ol_arg=invalid
+	for ol_val in no yes mod ; do
+		if test "$enableval" = "$ol_val" ; then
+			ol_arg="$ol_val"
+		fi
+	done
+	if test "$ol_arg" = "invalid" ; then
+		{ { echo "$as_me:$LINENO: error: bad value $enableval for --enable-sock" >&5
+echo "$as_me: error: bad value $enableval for --enable-sock" >&2;}
+   { (exit 1); exit 1; }; }
+	fi
+	ol_enable_sock="$ol_arg"
+
+else
+  	ol_enable_sock=${ol_enable_backends:-no}
+fi;
+# end --enable-sock
 # OpenLDAP --enable-sql
 
 	# Check whether --enable-sql or --disable-sql was given.
@@ -3683,6 +3708,7 @@
 	test $ol_enable_perl = no &&
 	test $ol_enable_relay = no &&
 	test $ol_enable_shell = no &&
+	test $ol_enable_sock = no &&
 	test $ol_enable_sql = no ; then
 
 	if test $ol_enable_slapd = yes ; then
@@ -3747,6 +3773,7 @@
 BUILD_PERL=no
 BUILD_RELAY=no
 BUILD_SHELL=no
+BUILD_SOCK=no
 BUILD_SQL=no
 
 BUILD_ACCESSLOG=no
@@ -5594,7 +5621,7 @@
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 5597 "configure"' > conftest.$ac_ext
+  echo '#line 5624 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -7574,11 +7601,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7577: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7604: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7581: \$? = $ac_status" >&5
+   echo "$as_me:7608: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7836,11 +7863,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7839: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7866: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7843: \$? = $ac_status" >&5
+   echo "$as_me:7870: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7898,11 +7925,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7901: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7928: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7905: \$? = $ac_status" >&5
+   echo "$as_me:7932: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -10146,7 +10173,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10149 "configure"
+#line 10176 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -10244,7 +10271,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 10247 "configure"
+#line 10274 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -40474,6 +40501,23 @@
 
 fi
 
+if test "$ol_enable_sock" != no ; then
+	BUILD_SLAPD=yes
+	BUILD_SOCK=$ol_enable_sock
+	if test "$ol_enable_sock" = mod ; then
+		SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_DYNAMIC
+	else
+		SLAPD_STATIC_BACKENDS="$SLAPD_STATIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_STATIC
+	fi
+
+cat >>confdefs.h <<_ACEOF
+#define SLAPD_SOCK $MFLAG
+_ACEOF
+
+fi
+
 if test "$ol_link_sql" != no ; then
 	BUILD_SLAPD=yes
 	BUILD_SQL=$ol_enable_sql
@@ -40875,6 +40919,7 @@
 
 
 
+
 # Check whether --with-xxinstall or --without-xxinstall was given.
 if test "${with_xxinstall+set}" = set; then
   withval="$with_xxinstall"
@@ -40882,7 +40927,7 @@
 fi;
 
 
-                                                                                                                                                                                                                                                                                                                                                                                            ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk servers/slapd/back-bdb/Makefile:build/top.mk:servers/slapd/back-bdb/Makefile.in:build/mod.mk 
servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-hdb/Makefile:build/top.mk:servers/slapd/back-hdb/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk"
+                                                                                                                                                                                                                                                                                                                                                                                                      ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap_r/Makefile:build/top.mk:libraries/libldap_r/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk 
servers/slapd/back-bdb/Makefile:build/top.mk:servers/slapd/back-bdb/Makefile.in:build/mod.mk servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-hdb/Makefile:build/top.mk:servers/slapd/back-hdb/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk"
 
 
           ac_config_commands="$ac_config_commands default"
@@ -41425,6 +41470,7 @@
   "servers/slapd/back-perl/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-relay/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-shell/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk" ;;
+  "servers/slapd/back-sock/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk" ;;
   "servers/slapd/back-sql/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk" ;;
   "servers/slapd/shell-backends/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk" ;;
   "servers/slapd/slapi/Makefile" ) CONFIG_FILES="$CONFIG_FILES servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk" ;;
@@ -41619,6 +41665,7 @@
 s, at BUILD_RELAY@,$BUILD_RELAY,;t t
 s, at BUILD_PERL@,$BUILD_PERL,;t t
 s, at BUILD_SHELL@,$BUILD_SHELL,;t t
+s, at BUILD_SOCK@,$BUILD_SOCK,;t t
 s, at BUILD_SQL@,$BUILD_SQL,;t t
 s, at BUILD_ACCESSLOG@,$BUILD_ACCESSLOG,;t t
 s, at BUILD_AUDITLOG@,$BUILD_AUDITLOG,;t t
@@ -42362,7 +42409,7 @@
 cat > $BACKENDSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42413,7 +42460,7 @@
 cat > $OVERLAYSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/configure.in
===================================================================
--- openldap/trunk/configure.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/configure.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp $
+dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2007 The OpenLDAP Foundation.
+dnl Copyright 1998-2008 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without
@@ -23,9 +23,9 @@
 define([AC_LIBTOOL_LANG_GCJ_CONFIG], [:])dnl
 dnl ================================================================
 dnl Configure.in for OpenLDAP
-AC_COPYRIGHT([[Copyright 1998-2007 The OpenLDAP Foundation. All rights reserved.
+AC_COPYRIGHT([[Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.7 2007/10/16 23:43:09 quanah Exp $])
+AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $])
 AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
 m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
 AC_CONFIG_SRCDIR(build/version.sh)dnl
@@ -96,7 +96,7 @@
 /* begin of portable.h.pre */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation
+ * Copyright 1998-2008 The OpenLDAP Foundation
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -291,6 +291,7 @@
 	perl \
 	relay \
 	shell \
+	sock \
 	sql"
 
 AC_ARG_ENABLE(xxslapbackends,[
@@ -320,6 +321,8 @@
 	yes, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(shell,[    --enable-shell	  enable shell backend],
 	no, [no yes mod], ol_enable_backends)dnl
+OL_ARG_ENABLE(sock,[    --enable-sock	  enable sock backend],
+	no, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(sql,[    --enable-sql	  enable sql backend],
 	no, [no yes mod], ol_enable_backends)dnl
 
@@ -462,6 +465,7 @@
 	test $ol_enable_perl = no &&
 	test $ol_enable_relay = no &&
 	test $ol_enable_shell = no &&
+	test $ol_enable_sock = no &&
 	test $ol_enable_sql = no ; then
 	dnl no slapd backend
 
@@ -519,6 +523,7 @@
 BUILD_PERL=no
 BUILD_RELAY=no
 BUILD_SHELL=no
+BUILD_SOCK=no
 BUILD_SQL=no
 
 BUILD_ACCESSLOG=no
@@ -2635,6 +2640,19 @@
 	AC_DEFINE_UNQUOTED(SLAPD_SHELL,$MFLAG,[define to support SHELL backend])
 fi
 
+if test "$ol_enable_sock" != no ; then
+	BUILD_SLAPD=yes
+	BUILD_SOCK=$ol_enable_sock
+	if test "$ol_enable_sock" = mod ; then
+		SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_DYNAMIC
+	else
+		SLAPD_STATIC_BACKENDS="$SLAPD_STATIC_BACKENDS back-sock"
+		MFLAG=SLAPD_MOD_STATIC
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_SOCK,$MFLAG,[define to support SOCK backend])
+fi
+
 if test "$ol_link_sql" != no ; then
 	BUILD_SLAPD=yes
 	BUILD_SQL=$ol_enable_sql
@@ -2903,6 +2921,7 @@
   AC_SUBST(BUILD_RELAY)
   AC_SUBST(BUILD_PERL)
   AC_SUBST(BUILD_SHELL)
+  AC_SUBST(BUILD_SOCK)
   AC_SUBST(BUILD_SQL)
 dnl overlays
   AC_SUBST(BUILD_ACCESSLOG)
@@ -3003,6 +3022,7 @@
 [servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk]
 [servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk]
 [servers/slapd/back-shell/Makefile:build/top.mk:servers/slapd/back-shell/Makefile.in:build/mod.mk]
+[servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk]
 [servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk]
 [servers/slapd/shell-backends/Makefile:build/top.mk:servers/slapd/shell-backends/Makefile.in:build/srv.mk]
 [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk]
@@ -3020,7 +3040,7 @@
 cat > $BACKENDSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -3071,7 +3091,7 @@
 cat > $OVERLAYSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ConfigOIDs
===================================================================
--- openldap/trunk/contrib/ConfigOIDs	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ConfigOIDs	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
 List of OpenLDAP Configuration OIDs allocated to contrib modules
 
 OLcfgCt{Oc|At}:1	smbk5pwd
+OLcfgCt{Oc|At}:2	autogroup

Modified: openldap/trunk/contrib/ldapc++/COPYRIGHT
===================================================================
--- openldap/trunk/contrib/ldapc++/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ldapc++/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,5 @@
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/Makefile.am,v 1.2.6.1 2008/04/14 23:20:12 quanah Exp $
+
 ##
 # Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,8 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/Makefile.in,v 1.11.2.3 2008/04/14 23:20:12 quanah Exp $
+
 # Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 VPATH = @srcdir@

Modified: openldap/trunk/contrib/ldapc++/configure
===================================================================
--- openldap/trunk/contrib/ldapc++/configure	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/configure	2008-05-25 14:29:31 UTC (rev 1128)
@@ -19719,18 +19719,24 @@
 
 fi
 
-if test "${ac_cv_header_ldap_h+set}" = set; then
-  { echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
+
+
+for ac_header in termios.h ldap.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
-echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -19738,7 +19744,7 @@
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
-#include <ldap.h>
+#include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
 if { (ac_try="$ac_compile"
@@ -19770,15 +19776,15 @@
 echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
-echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <ldap.h>
+#include <$ac_header>
 _ACEOF
 if { (ac_try="$ac_cpp conftest.$ac_ext"
 case "(($ac_try" in
@@ -19811,41 +19817,49 @@
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: ldap.h:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: ldap.h:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ echo "$as_me:$LINENO: checking for ldap.h" >&5
-echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
-if test "${ac_cv_header_ldap_h+set}" = set; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_header_ldap_h=$ac_header_preproc
+  eval "$as_ac_Header=\$ac_header_preproc"
 fi
-{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
-echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
 
+fi
 
+done
+
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF

Modified: openldap/trunk/contrib/ldapc++/configure.in
===================================================================
--- openldap/trunk/contrib/ldapc++/configure.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/configure.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
+dnl $OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.5 2008/04/14 23:20:12 quanah Exp $
+
 dnl Copyright 2000-2003, OpenLDAP Foundation, All Rights Reserved.
 dnl COPYING RESTRICTIONS APPLY, see COPYRIGHT file
-  
-  
+
 dnl Process this file with autoconf to produce a configure script.
 
 dnl disable config.cache
@@ -67,7 +68,7 @@
     ])
 dnl Checks for header files.
 AC_HEADER_TIME
-AC_CHECK_HEADER(ldap.h)
+AC_CHECK_HEADERS(termios.h ldap.h)
 AC_EGREP_HEADER(ldap_add_ext,ldap.h,[
 dnl NOOP
         :
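Review bot: The new `termios.h` probe in `AC_CHECK_HEADERS(termios.h ldap.h)` defines `HAVE_TERMIOS_H`, but nothing in the hunk says who consumes it or what the fallback is when the header is missing. If it is used to turn off terminal echo while a bind password is read (an inference; the consumer is not in this hunk), a build without it should not silently fall back to echoing credentials. I would add a comment above the line, e.g. `dnl termios.h is optional; code guarded by HAVE_TERMIOS_H must define its no-termios fallback`. The `AC_EGREP_HEADER` call that follows continues outside the hunk, so how a missing `ldap.h` is handled cannot be judged from here.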

Modified: openldap/trunk/contrib/ldapc++/doxygen.rc
===================================================================
--- openldap/trunk/contrib/ldapc++/doxygen.rc	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/doxygen.rc	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,173 +1,492 @@
-# Doxyfile 1.0.0
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/doxygen.rc,v 1.2.10.2 2008/04/14 23:20:12 quanah Exp $
 
-# This file describes the settings to be used by doxygen for a project
+# Doxyfile 1.5.4
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
 #
 # All text after a hash (#) is considered a comment and will be ignored
 # The format is:
 #       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
 # Values that contain spaces should be placed between quotes (" ")
 
 #---------------------------------------------------------------------------
-# General configuration options
+# Project related configuration options
 #---------------------------------------------------------------------------
 
-# The PROJECT_NAME tag is a single word (or a sequence of word surrounded
-# by quotes) that should identify the project. 
+# This tag specifies the encoding used for all characters in the config file that 
+# follow. The default is UTF-8 which is also the encoding used for all text before 
+# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into 
+# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of 
+# possible encodings.
 
-PROJECT_NAME         = ldapsdk
+DOXYFILE_ENCODING      = UTF-8
 
-# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = ldapsdk
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
 # This could be handy for archiving the generated documentation or 
 # if some version control system is used.
 
-PROJECT_NUMBER       = 0.0.1
+PROJECT_NUMBER         = 0.0.1
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
 # base path where the generated documentation will be put. 
 # If a relative path is entered, it will be relative to the location 
 # where doxygen was started. If left blank the current directory will be used.
 
-OUTPUT_DIRECTORY     = srcdoc
+OUTPUT_DIRECTORY       = srcdoc
 
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all
-# documentation generated by doxygen is written. Doxygen will use this
-# information to generate all constant output in the proper language.
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
 # The default language is English, other supported languages are: 
-# Dutch, French, Italian, Czech, Swedish, German and Japanese
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, 
+# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, 
+# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, 
+# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
 
-OUTPUT_LANGUAGE      = English
+OUTPUT_LANGUAGE        = English
 
-# The QUIET tag can be used to turn on/off the messages that are generated
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
 
-QUIET                = NO
+BRIEF_MEMBER_DESC      = YES
 
-# The WARNINGS tag can be used to turn on/off the warning messages that are
-# generated by doxygen. Possible values are YES and NO. If left blank
-# NO is used.
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
 
-WARNINGS             = YES
+REPEAT_BRIEF           = yes
 
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
-# top of each HTML page. The value NO (the default) enables the index and
-# the value YES disables it.
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
 
-DISABLE_INDEX        = NO
+ABBREVIATE_BRIEF       = 
 
-# If the EXTRACT_ALL tag is set to YES all classes and functions will be
-# included in the documentation, even if no documentation was available.
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
 
-EXTRACT_ALL          = YES
+ALWAYS_DETAILED_SEC    = yes
 
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = 
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = YES
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for Java. 
+# For instance, namespaces will be presented as packages, qualified scopes 
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
+# include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct (or union) is 
+# documented as struct with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code where the coding convention is that all structs are 
+# typedef'ed and only the typedef is referenced never the struct's name.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
 # will be included in the documentation.
 
-EXTRACT_PRIVATE      = YES
+EXTRACT_PRIVATE        = YES
 
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
-# undocumented members inside documented classes or files.
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
 
-HIDE_UNDOC_MEMBERS   = NO
+EXTRACT_STATIC         = NO
 
-# If the HIDE_UNDOC_CLASSESS tag is set to YES, Doxygen will hide all
-# undocumented classes.
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
 
-HIDE_UNDOC_CLASSES   = NO
+EXTRACT_LOCAL_CLASSES  = YES
 
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
-# include brief member descriptions after the members that are listed in 
-# the file and class documentation (similar to JavaDoc).
-# Set to NO to disable this.
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
 
-BRIEF_MEMBER_DESC    = YES
+EXTRACT_LOCAL_METHODS  = NO
 
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
-# the brief description of a member or function before the detailed description.
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
-# brief descriptions will be completely suppressed.
+# If this flag is set to YES, the members of anonymous namespaces will be extracted 
+# and appear in the documentation as a namespace called 'anonymous_namespace{file}', 
+# where file will be replaced with the base name of the file that contains the anonymous 
+# namespace. By default anonymous namespace are hidden.
 
-REPEAT_BRIEF         = yes
+EXTRACT_ANON_NSPACES   = NO
 
-# If the ALWAYS_DETAILS_SEC and REPEAT_BRIEF tags are both set to YES then
-# Doxygen will generate a detailed section even if there is only a brief
-# description.
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
 
-ALWAYS_DETAILED_SEC  = yes
+HIDE_UNDOC_MEMBERS     = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
-# path before files name in the file list and in the header files. If set
-# to NO the shortest path that makes the file name unique will be used.
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
 
-FULL_PATH_NAMES      = NO
+HIDE_UNDOC_CLASSES     = NO
 
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
-# can be used to strip a user defined part of the path. Stripping is
-# only done if one of the specified strings matches the left-hand part of
-# the path.
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
 
-STRIP_FROM_PATH      =
+HIDE_FRIEND_COMPOUNDS  = NO
 
-# The INTERNAL_DOCS tag determines if documentation
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
 # that is typed after a \internal command is included. If the tag is set 
-# to NO (the default) then the documentation will be excluded.
+# to NO (the default) then the documentation will be excluded. 
 # Set it to YES to include the internal documentation.
 
-INTERNAL_DOCS        = NO
+INTERNAL_DOCS          = NO
 
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
-# generate a class diagram (in Html and LaTeX) for classes with base or
-# super classes. Setting the tag to NO turns the diagrams off.
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
 
-CLASS_DIAGRAMS       = YES
+CASE_SENSE_NAMES       = NO
 
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will
-# be generated. Documented entities will be cross-referenced with these sources.
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
 
-SOURCE_BROWSER       = no
+HIDE_SCOPE_NAMES       = NO
 
-# Setting the INLINE_SOURCES tag to YES will include the body
-# of functions and classes directly in the documentation.
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
 
-INLINE_SOURCES       = NO
+SHOW_INCLUDE_FILES     = YES
 
-# If the CASE_SENSE_NAMES tag is set to NO (the default) then Doxygen
-# will only generate file names in lower case letters. If set to
-# YES upper case letters are also allowed. This is useful if you have
-# classes or files whose names only differ in case and if your file system
-# supports case sensitive file names.
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
 
-CASE_SENSE_NAMES     = NO
+INLINE_INFO            = YES
 
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
-# will generate a verbatim copy of the header file for each class for
-# which an include is specified. Set to NO to disable this.
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
 
-VERBATIM_HEADERS     = YES
+SORT_MEMBER_DOCS       = YES
 
-# If the JAVADOC_AUTOBRIEF tag is set to YES (the default) then Doxygen
-# will interpret the first line (until the first dot) of a JavaDoc-style
-# comment as the brief description. If set to NO, the Javadoc-style will
-# behave just like the Qt-style comments.
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
 
-JAVADOC_AUTOBRIEF    = YES
+SORT_BRIEF_DOCS        = NO
 
-# if the INHERIT_DOCS tag is set to YES (the default) then an undocumented
-# member inherits the documentation from any documented member that it
-# reimplements.
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
 
-INHERIT_DOCS         = YES
+SORT_BY_SCOPE_NAME     = NO
 
-# if the INLINE_INFO tag is set to YES (the default) then a tag [inline]
-# is inserted in the documentation for inline members.
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
 
-INLINE_INFO          = YES
+GENERATE_TODOLIST      = YES
 
-# the TAB_SIZE tag can be used to set the number of spaces in a tab.
-# Doxygen uses this value to replace tabs by spaces in code fragments.
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
 
-TAB_SIZE             = 4
+GENERATE_TESTLIST      = YES
 
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = NO
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from the 
+# version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
 #---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text "
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the input files
 #---------------------------------------------------------------------------
 
@@ -176,291 +495,819 @@
 # directories like "/usr/src/myproject". Separate the files or directories 
 # with spaces.
 
-INPUT                = ./src
+INPUT                  = ./src
 
+# This tag can be used to specify the character encoding of the source files that 
+# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default 
+# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding. 
+# See http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
 # If the value of the INPUT tag contains directories, you can use the 
 # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
 # and *.h) to filter out the source-files in the directories. If left 
-# blank all files are included.
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
 
-FILE_PATTERNS        = *.cpp *.h
+FILE_PATTERNS          = *.cpp \
+                         *.h
 
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories
-# should be searched for input files as well. Possible values are YES and NO.
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
 # If left blank NO is used.
 
-RECURSIVE            = yes
+RECURSIVE              = yes
 
-# The EXCLUDE tag can be used to specify files and/or directories that should
+# The EXCLUDE tag can be used to specify files and/or directories that should 
 # excluded from the INPUT source files. This way you can easily exclude a 
 # subdirectory from a directory tree whose root is specified with the INPUT tag.
 
-EXCLUDE              =
+EXCLUDE                = 
 
-# If the value of the INPUT tag contains directories, you can use the
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
-# certain files from those directories.
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
 
-EXCLUDE_PATTERNS     =
+EXCLUDE_SYMLINKS       = NO
 
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = 
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the output. 
+# The symbol name can be a fully qualified name, a word, or if the wildcard * is used, 
+# a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
 # The EXAMPLE_PATH tag can be used to specify one or more files or 
 # directories that contain example code fragments that are included (see 
 # the \include command).
 
-EXAMPLE_PATH         =
+EXAMPLE_PATH           = 
 
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
 # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
 # and *.h) to filter out the source-files in the directories. If left 
 # blank all files are included.
 
-EXAMPLE_PATTERNS     =
+EXAMPLE_PATTERNS       = 
 
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
 # The IMAGE_PATH tag can be used to specify one or more files or 
 # directories that contain image that are included in the documentation (see 
 # the \image command).
 
-IMAGE_PATH           =
+IMAGE_PATH             = 
 
-# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
 # invoke to filter for each input file. Doxygen will invoke the filter program 
-# by executing (via popen()) the command <filter> <input-file>, where <filter>
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
-# input file. Doxygen will then use the output that the filter program writes
-# to standard output.
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
 
-INPUT_FILTER         =
+INPUT_FILTER           = 
 
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
 #---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO. If you have enabled CALL_GRAPH or CALLER_GRAPH 
+# then you must also enable this option. If you don't then doxygen will produce 
+# a warning and turn it on anyway
+
+SOURCE_BROWSER         = no
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default) 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the HTML output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
-# generate HTML output
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
 
-GENERATE_HTML        = YES
+GENERATE_HTML          = YES
 
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `html' will be used as the default path.
 
-HTML_OUTPUT          =
+HTML_OUTPUT            = 
 
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
 # The HTML_HEADER tag can be used to specify a personal HTML header for 
 # each generated HTML page. If it is left blank doxygen will generate a 
 # standard header.
 
-HTML_HEADER          =
+HTML_HEADER            = 
 
 # The HTML_FOOTER tag can be used to specify a personal HTML footer for 
 # each generated HTML page. If it is left blank doxygen will generate a 
 # standard footer.
 
-HTML_FOOTER          = 
+HTML_FOOTER            = 
 
-# The HTML_STYLESHEET tag can be used to specify a user defined cascading
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
 # style sheet that is used by each HTML page. It can be used to 
-# fine-tune the look of the HTML output. If the tag is left blank doxygen
-# will generate a default style sheet
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
 
-HTML_STYLESHEET      =
+HTML_STYLESHEET        = 
 
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
-# files or namespaces will be aligned in HTML using tables. If set to
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
 # NO a bullet list will be used.
 
-HTML_ALIGN_MEMBERS   = YES
+HTML_ALIGN_MEMBERS     = YES
 
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files
-# will be generated that can be used as input for tools like the
-# Microsoft HTML help workshop to generate a compressed HTML help file (.chm)
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
 # of the generated HTML documentation.
 
-GENERATE_HTMLHELP    = NO
+GENERATE_HTMLHELP      = NO
 
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
-# of all compounds will be generated. Enable this if the project
-# contains a lot of classes, structs, unions or interfaces.
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
 
-ALPHABETICAL_INDEX   = NO
+HTML_DYNAMIC_SECTIONS  = NO
 
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
-# in which this list will be split (can be a number in the range [1..20])
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
 
-COLS_IN_ALPHA_INDEX  = 5
+CHM_FILE               = 
 
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW      = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
 #---------------------------------------------------------------------------
 # configuration options related to the LaTeX output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
 # generate Latex output.
 
-GENERATE_LATEX       = no
+GENERATE_LATEX         = no
 
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `latex' will be used as the default path.
 
-LATEX_OUTPUT         =
+LATEX_OUTPUT           = 
 
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
-# LaTeX documents. This may be useful for small projects and may help to
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
 # save some trees in general.
 
-COMPACT_LATEX        = NO
+COMPACT_LATEX          = NO
 
-# The PAPER_TYPE tag can be used to set the paper type that is used
+# The PAPER_TYPE tag can be used to set the paper type that is used 
 # by the printer. Possible values are: a4, a4wide, letter, legal and 
 # executive. If left blank a4wide will be used.
 
-PAPER_TYPE           = a4wide
+PAPER_TYPE             = a4wide
 
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
 # packages that should be included in the LaTeX output.
 
-EXTRA_PACKAGES       =
+EXTRA_PACKAGES         = 
 
 # The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
-# the generated latex document. The header should contain everything until
+# the generated latex document. The header should contain everything until 
 # the first chapter. If it is left blank doxygen will generate a 
 # standard header. Notice: only use this tag if you know what you are doing!
 
-LATEX_HEADER         =
+LATEX_HEADER           = 
 
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will
-# contain links (just like the HTML output) instead of page references
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
 # This makes the output suitable for online browsing using a pdf viewer.
 
-PDF_HYPERLINKS       = NO
+PDF_HYPERLINKS         = NO
 
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = NO
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
 #---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
 # configuration options related to the man page output
 #---------------------------------------------------------------------------
 
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
 # generate man pages
 
-GENERATE_MAN         = no
+GENERATE_MAN           = no
 
-# The MAN_OUTPUT tag is used to specify where the man pages will be put.
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
 # put in front of it. If left blank `man' will be used as the default path.
 
-MAN_OUTPUT           =
+MAN_OUTPUT             = 
 
-# The MAN_EXTENSION tag determines the extension that is added to
+# The MAN_EXTENSION tag determines the extension that is added to 
 # the generated man pages (default is the subroutine's section .3)
 
-MAN_EXTENSION        = .3
+MAN_EXTENSION          = .3
 
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
 #---------------------------------------------------------------------------
-# Configuration options related to the preprocessor 
+# configuration options related to the XML output
 #---------------------------------------------------------------------------
 
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
-# evaluate all C-preprocessor directives found in the sources and include
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
 # files.
 
-ENABLE_PREPROCESSING = YES
+ENABLE_PREPROCESSING   = YES
 
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
 # names in the source code. If set to NO (the default) only conditional 
-# compilation will be performed.
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
 
-MACRO_EXPANSION      = NO
+MACRO_EXPANSION        = NO
 
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
 # in the INCLUDE_PATH (see below) will be search if a #include is found.
 
-SEARCH_INCLUDES      = YES
+SEARCH_INCLUDES        = YES
 
-# The INCLUDE_PATH tag can be used to specify one or more directories that
-# contain include files that are not input files but should be processed by
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
 # the preprocessor.
 
-INCLUDE_PATH         =
+INCLUDE_PATH           = 
 
-# The PREDEFINED tag can be used to specify one or more macro names that
-# are defined before the preprocessor is started (similar to the -D option of
-# gcc). The argument of the tag is a list of macros of the form: name
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
 # or name=definition (no spaces). If the definition and the = are 
-# omitted =1 is assumed.
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
 
-PREDEFINED           =
+PREDEFINED             = 
 
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
-# then the macro expansion is limited to the macros specified with the
-# PREDEFINED tag.
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
 
-EXPAND_ONLY_PREDEF   = NO
+EXPAND_AS_DEFINED      = 
 
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
 #---------------------------------------------------------------------------
-# Configuration options related to external references 
+# Configuration::additions related to external references   
 #---------------------------------------------------------------------------
 
-# The TAGFILES tag can be used to specify one or more tagfiles. 
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
 
-TAGFILES             =
+TAGFILES               = 
 
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
 # a tag file that is based on the input files it reads.
 
-GENERATE_TAGFILE     =
+GENERATE_TAGFILE       = 
 
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed
-# in the class index. If set to NO only the inherited external classes
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
 # will be listed.
 
-ALLEXTERNALS         = NO
+ALLEXTERNALS           = NO
 
-# The PERL_PATH should be the absolute path and name of the perl script
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
 # interpreter (i.e. the result of `which perl').
 
-PERL_PATH            = /usr/bin/perl
+PERL_PATH              = /usr/bin/perl
 
 #---------------------------------------------------------------------------
-# Configuration options related to the search engine 
+# Configuration options related to the dot tool   
 #---------------------------------------------------------------------------
 
-# The SEARCHENGINE tag specifies whether or not a search engine should be 
-# used. If set to NO the values of all tags below this one will be ignored.
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
 
-SEARCHENGINE         = NO
+CLASS_DIAGRAMS         = YES
 
-# The CGI_NAME tag should be the name of the CGI script that
-# starts the search engine (doxysearch) with the correct parameters.
-# A script with this name will be generated by doxygen.
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to 
+# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to 
+# specify the directory where the mscgen tool resides. If left empty the tool is assumed to 
+# be found in the default search path.
 
-CGI_NAME             = search.cgi
+MSCGEN_PATH            = 
 
-# The CGI_URL tag should be the absolute URL to the directory where the
-# cgi binaries are located. See the documentation of your http daemon for 
-# details.
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
 
-CGI_URL              =
+HIDE_UNDOC_RELATIONS   = YES
 
-# The DOC_URL tag should be the absolute URL to the directory where the
-# documentation is located. If left blank the absolute path to the 
-# documentation, with file:// prepended to it, will be used.
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
 
-DOC_URL              =
+HAVE_DOT               = NO
 
-# The DOC_ABSPATH tag should be the absolute path to the directory where the
-# documentation is located. If left blank the directory on the local machine
-# will be used.
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
 
-DOC_ABSPATH          =
+CLASS_GRAPH            = YES
 
-# The BIN_ABSPATH tag must point to the directory where the doxysearch binary
-# is installed.
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
 
-BIN_ABSPATH          = /usr/local/bin/
+COLLABORATION_GRAPH    = YES
 
-# The EXT_DOC_PATHS tag can be used to specify one or more paths to 
-# documentation generated for other projects. This allows doxysearch to search
-# the documentation for these projects as well.
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
 
-EXT_DOC_PATHS        =
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a call dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable call graphs for selected 
+# functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will 
+# generate a caller dependency graph for every global function or class method. 
+# Note that enabling this option will significantly increase the time of a run. 
+# So in most cases it will be better to enable caller graphs for selected 
+# functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the number 
+# of direct children of the root node in a graph is already larger than 
+# MAX_DOT_GRAPH_NOTES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is disabled by default, which results in a white background. 
+# Warning: Depending on the platform used, enabling this option may lead to 
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
+# read).
+
+DOT_TRANSPARENT        = YES
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO

Modified: openldap/trunk/contrib/ldapc++/examples/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,5 @@
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/Makefile.am,v 1.2.4.3 2008/04/14 23:18:59 quanah Exp $
+
 ##
 # Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/examples/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,8 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/Makefile.in,v 1.3.2.3 2008/04/14 23:18:59 quanah Exp $
+
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@

Modified: openldap/trunk/contrib/ldapc++/examples/main.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/main.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/main.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/main.cpp,v 1.1.8.3 2008/04/14 23:18:59 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,6 +4,6 @@
  */
 
-#include<iostream>
-#include<sstream>
+#include <iostream>
+#include <sstream>
 #include "LDAPConnection.h"
 #include "LDAPConstraints.h"
@@ -14,9 +15,8 @@
 #include "LDAPEntry.h"
 #include "LDAPException.h"
 #include "LDAPModification.h"
-#include "LDAPReferralException.h"
 
-#include"debug.h"
+#include "debug.h"
 
 int main(){
     LDAPConstraints* cons=new LDAPConstraints;
@@ -69,7 +69,7 @@
         
         lc->unbind();
         delete lc;
-   }catch (LDAPException e){
+   }catch (LDAPException &e){
         std::cout << "-------------- caught Exception ---------"<< std::endl;
         std::cout << e << std::endl;
     }

Modified: openldap/trunk/contrib/ldapc++/examples/readSchema.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/readSchema.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/readSchema.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,11 @@
-#include<iostream>
-#include<sstream>
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/readSchema.cpp,v 1.1.6.3 2008/04/14 23:18:59 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <iostream>
+#include <sstream>
 #include "LDAPConnection.h"
 #include "LDAPConstraints.h"
 #include "LDAPSearchReference.h"
@@ -9,10 +15,9 @@
 #include "LDAPEntry.h"
 #include "LDAPException.h"
 #include "LDAPModification.h"
-#include "LDAPReferralException.h"
 #include "LDAPSchema.h"
 
-#include"debug.h"
+#include "debug.h"
 
 int main(){
     LDAPConnection *lc=new LDAPConnection("192.168.3.128",389);

Modified: openldap/trunk/contrib/ldapc++/examples/urlTest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/examples/urlTest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/examples/urlTest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,9 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/examples/urlTest.cpp,v 1.1.2.3 2008/04/14 23:18:59 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
 #include <LDAPUrl.h>
 #include <LDAPException.h>
 #include <cstdlib>

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAddRequest.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAddRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAddRequest.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAsynConnection.cpp,v 1.13.2.6 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -24,15 +25,20 @@
 
 using namespace std;
 
-LDAPAsynConnection::LDAPAsynConnection(const string& hostname, int port,
+LDAPAsynConnection::LDAPAsynConnection(const string& url, int port,
                                LDAPConstraints *cons ){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPAsynConnection::LDAPAsynConnection()"
             << endl);
     DEBUG(LDAP_DEBUG_CONSTRUCT | LDAP_DEBUG_PARAMETER,
-            "   host:" << hostname << endl << "   port:" << port << endl);
+            "   URL:" << url << endl << "   port:" << port << endl);
     cur_session=0;
     m_constr = 0;
-    this->init(hostname, port);
+    // Is this an LDAP URI?
+    if ( url.find("://") == std::string::npos ) {
+    	this->init(url, port);
+    } else {
+    	this->initialize(url);
+    }
     this->setConstraints(cons);
 }
 
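Review bot: When `url` contains `://` the constructor takes the `initialize(url)` branch and silently drops the `port` argument, so a caller who passes a URI plus an explicit port gets whatever port the URI implies. That branch also lets the URI scheme decide whether the session is TLS-protected, which matters because the bind methods of this class send credentials over it. I would add a comment on the else branch, `// URI form: scheme and port come from the URI; the port argument is ignored`. The `@param hostname` text in LDAPAsynConnection.h should be updated too, since this commit renames the parameter to `url` but still documents it as a host name. How `initialize()` validates the scheme is outside this hunk.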
@@ -95,6 +101,41 @@
     }
 }
 
+LDAPMessageQueue* LDAPAsynConnection::saslBind(const std::string &mech,
+		const std::string &cred,
+		const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPAsynConnection::saslBind()" <<  endl);
+    LDAPSaslBindRequest *req = new LDAPSaslBindRequest(mech, cred, this, cons);
+    try{
+        LDAPMessageQueue *ret = req->sendRequest();
+        return ret;
+    }catch(LDAPException e){
+        delete req;
+        throw;
+    }
+
+}
+
+LDAPMessageQueue* LDAPAsynConnection::saslInteractiveBind(
+                        const std::string &mech,
+                        int flags,
+                        SaslInteractionHandler *sih,
+                        const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPAsynConnection::saslInteractiveBind" 
+            << std::endl);
+    LDAPSaslInteractiveBind *req = 
+            new LDAPSaslInteractiveBind(mech, flags, sih, this, cons);
+    try {
+        LDAPMessageQueue *ret = req->sendRequest();
+        return ret;
+    }catch(LDAPException e){
+        delete req;
+        throw;
+    } 
+}
+
 LDAPMessageQueue* LDAPAsynConnection::search(const string& base,int scope, 
                                          const string& filter, 
                                          const StringList& attrs, 
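Review bot: Both `saslBind` and `saslInteractiveBind` use `catch(LDAPException e)`, which copies the exception and frees `req` only when that one type is thrown. Anything else escaping `sendRequest()` (for instance `std::bad_alloc`) would leak the request object. The same commit already switches examples/main.cpp to catching by reference. Because the handler only cleans up and rethrows and never uses `e`, `}catch(...){ delete req; throw; }` is the simplest form that covers every exception; at minimum use `catch(LDAPException &e)`.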

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAsynConnection.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAsynConnection.h,v 1.11.2.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -21,6 +22,7 @@
 #include <LDAPModList.h>
 #include <LDAPUrl.h>
 #include <LDAPUrlList.h>
+#include <SaslInteractionHandler.h>
 
 //* Main class for an asynchronous LDAP connection 
 /**
@@ -59,9 +61,6 @@
          * Search
          */
         static const int SEARCH_SUB=2;
-//        static const int SEARCH_SUB=LDAP_SCOPE_SUBTREE;
-//        static const int SEARCH_ONE=LDAP_SCOPE_ONELEVEL;
-//        static const int SEARCH_SUB=LDAP_SCOPE_SUBTREE;
 
         /** Construtor that initializes a connection to a server
          * @param hostname Name (or IP-Adress) of the destination host
@@ -69,7 +68,7 @@
          * @param cons Default constraints to use with operations over 
          *      this connection
          */
-        LDAPAsynConnection(const std::string& hostname=std::string("localhost"),
+        LDAPAsynConnection(const std::string& url=std::string("localhost"),
                 int port=0, LDAPConstraints *cons=new LDAPConstraints() );
 
         //* Destructor
@@ -116,9 +115,19 @@
          * @param dn the distiguished name to bind as
          * @param passwd cleartext password to use
          */
-        LDAPMessageQueue* bind(const std::string& dn="", const std::string& passwd="",
+        LDAPMessageQueue* bind(const std::string& dn="", 
+                const std::string& passwd="",
                 const LDAPConstraints *cons=0);
 
+        LDAPMessageQueue* saslBind(const std::string& mech, 
+                const std::string& cred, 
+                const LDAPConstraints *cons=0);
+
+        LDAPMessageQueue* saslInteractiveBind(const std::string& mech,
+                int flags=0,
+                SaslInteractionHandler *sih=0,
+                const LDAPConstraints *cons=0);
+
         /** Performing a search on a directory tree.
          *
          * Use the search method to perform a search on the LDAP-Directory
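Review bot: `saslBind` and `saslInteractiveBind` are declared without the Doxygen block that `bind` and `search` carry right next to them, so the header gives no contract for an authentication entry point. The missing block should say what `mech` and `cred` contain, what `flags` means, and whether `sih` may be null (its default is 0) and who owns it. It should also say whether the caller must delete the returned `LDAPMessageQueue`. A short `/** ... @param mech ... @param cred ... @param cons ... */` block per method, in the style of the `bind` comment above, would be enough.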

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.cpp,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -18,17 +19,6 @@
     usage = 0;
 }
 
-LDAPAttrType::LDAPAttrType (const LDAPAttrType &at){
-    DEBUG(LDAP_DEBUG_CONSTRUCT,
-            "LDAPAttrType::LDAPAttrType( )" << endl);
-
-    oid = at.oid;
-    desc = at.desc;
-    names = at.names;
-    single = at.single;
-    usage = at.usage;
-}
-
 LDAPAttrType::LDAPAttrType (string at_item) { 
 
     DEBUG(LDAP_DEBUG_CONSTRUCT,
@@ -45,6 +35,11 @@
 	this->setOid( a->at_oid );
 	this->setSingle( a->at_single_value );
 	this->setUsage( a->at_usage );
+        this->setSuperiorOid( a->at_sup_oid );
+        this->setEqualityOid( a->at_equality_oid );
+        this->setOrderingOid( a->at_ordering_oid );
+        this->setSubstringOid( a->at_substr_oid );
+        this->setSyntaxOid( a->at_syntax_oid );
     }
     // else? -> error
 }
@@ -57,17 +52,17 @@
     single = (at_single == 1);
 }
     
-void LDAPAttrType::setNames (char **at_names) {
-    names = StringList (at_names);
+void LDAPAttrType::setNames ( char **at_names ) {
+    names = StringList(at_names);
 }
 
-void LDAPAttrType::setDesc (char *at_desc) {
+void LDAPAttrType::setDesc (const char *at_desc) {
     desc = string ();
     if (at_desc)
 	desc = at_desc;
 }
 
-void LDAPAttrType::setOid (char *at_oid) {
+void LDAPAttrType::setOid (const char *at_oid) {
     oid = string ();
     if (at_oid)
 	oid = at_oid;
@@ -77,23 +72,48 @@
     usage = at_usage;
 }
 
-bool LDAPAttrType::isSingle () {
-    return single;
+void LDAPAttrType::setSuperiorOid( const char *oid ){
+    if ( oid )
+        superiorOid = oid;
 }
 
-string LDAPAttrType::getOid () {
+void LDAPAttrType::setEqualityOid( const char *oid ){
+    if ( oid )
+        equalityOid = oid;
+}
+
+void LDAPAttrType::setOrderingOid( const char *oid ){
+    if ( oid )
+        orderingOid = oid;
+}
+
+void LDAPAttrType::setSubstringOid( const char *oid ){
+    if ( oid )
+        substringOid = oid;
+}
+
+void LDAPAttrType::setSyntaxOid( const char *oid ){
+    if ( oid )
+        syntaxOid = oid;
+}
+
+bool LDAPAttrType::isSingle() const {
+    return single;
+} 
+
+string LDAPAttrType::getOid() const {
     return oid;
 }
 
-string LDAPAttrType::getDesc () {
+string LDAPAttrType::getDesc() const {
     return desc;
 }
 
-StringList LDAPAttrType::getNames () {
+StringList LDAPAttrType::getNames() const {
     return names;
 }
 
-string LDAPAttrType::getName () {
+string LDAPAttrType::getName() const {
 
     if (names.empty())
 	return "";
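Review bot: The five new setters (`setSuperiorOid`, `setEqualityOid`, `setOrderingOid`, `setSubstringOid`, `setSyntaxOid`) assign only when the pointer is non-null, so a NULL argument leaves a previously stored OID in place. `setDesc` and `setOid` just above reset the member to an empty string first, so the new setters behave differently on an object that is reused. To match them, each body can become a single line such as `superiorOid = oid ? oid : "";`. If keeping the old value on NULL is intended, a comment on the setters should say so.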
@@ -101,6 +121,28 @@
 	return *(names.begin());
 }
 
-int LDAPAttrType::getUsage () {
+int LDAPAttrType::getUsage() const {
     return usage;
 }
+
+std::string LDAPAttrType::getSuperiorOid() const {
+    return superiorOid;
+}
+
+std::string LDAPAttrType::getEqualityOid() const {
+    return equalityOid;
+}
+
+std::string LDAPAttrType::getOrderingOid() const {
+    return orderingOid;
+}
+
+std::string LDAPAttrType::getSubstringOid() const {
+    return substringOid;
+}
+
+std::string LDAPAttrType::getSyntaxOid() const {
+    return syntaxOid;
+}
+
+

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.h,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -22,10 +23,11 @@
 class LDAPAttrType{
     private :
 	StringList names;
-	string desc, oid;
+	std::string desc, oid, superiorOid, equalityOid;
+        std::string orderingOid, substringOid, syntaxOid;
 	bool single;
 	int usage;
-	
+
     public :
 
         /**
@@ -34,11 +36,6 @@
         LDAPAttrType();
 
         /**
-         * Copy constructor
-         */   
-	LDAPAttrType (const LDAPAttrType& oc);
-
-        /**
 	 * Constructs new object and fills the data structure by parsing the
 	 * argument.
 	 * @param at_item description of attribute type is string returned
@@ -57,40 +54,50 @@
 	/**
 	 * Returns attribute description
 	 */
-	string getDesc ();
+	string getDesc() const;
 	
 	/**
 	 * Returns attribute oid
 	 */
-	string getOid ();
+	string getOid() const;
 
 	/**
 	 * Returns attribute name (first one if there are more of them)
 	 */
-	string getName ();
+	string getName() const;
 
 	/**
 	 * Returns all attribute names
 	 */
-	StringList getNames();
+	StringList getNames() const;
 	
 	/**
 	 * Returns true if attribute type allows only single value
 	 */
-	bool isSingle();
+	bool isSingle() const;
 	
 	/**
  	 * Return the 'usage' value:
  	 * (0=userApplications, 1=directoryOperation, 2=distributedOperation, 
 	 *  3=dSAOperation)
  	 */
- 	int getUsage ();
+ 	int getUsage () const;
+        std::string getSuperiorOid() const;
+        std::string getEqualityOid() const;
+        std::string getOrderingOid() const;
+        std::string getSubstringOid() const;
+        std::string getSyntaxOid() const;
 
-	void setNames (char **at_names);
-	void setDesc (char *at_desc);
-	void setOid (char *at_oid);
-	void setSingle (int at_single_value);
-	void setUsage (int at_usage );
+	void setNames( char **at_names);
+	void setDesc(const char *at_desc);
+	void setOid(const char *at_oid);
+	void setSingle(int at_single_value);
+	void setUsage(int at_usage );
+        void setSuperiorOid( const char *oid );
+        void setEqualityOid( const char *oid );
+        void setOrderingOid( const char *oid );
+        void setSubstringOid( const char *oid );
+        void setSyntaxOid( const char *oid );
 };
 
 #endif // LDAP_ATTRTYPE_H
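Review bot: The new accessors `getSuperiorOid()` through `getSyntaxOid()` and the matching setters are added without doc comments, while every older getter in this class has one. Each getter deserves a one-line comment in the existing style, for example `/** Returns the OID of the equality matching rule, empty if none was set */`. The setters should note that they accept a null pointer. The new declarations also spell the type `std::string` while the older ones use bare `string`; using the qualified name throughout would stop the header depending on a using-directive.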

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttribute.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttribute.cpp,v 1.6.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttribute.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttribute.h,v 1.6.8.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttributeList.cpp,v 1.7.6.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -139,6 +140,24 @@
     }
 }
 
+void LDAPAttributeList::replaceAttribute(const LDAPAttribute& attr)
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::replaceAttribute()" << endl);
+    DEBUG(LDAP_DEBUG_TRACE | LDAP_DEBUG_PARAMETER,
+            "   attr:" << attr << endl);
+    
+    LDAPAttributeList::iterator i;
+    for( i = m_attrs.begin(); i != m_attrs.end(); i++){
+	if(attr.getName().size() == i->getName().size()){
+	    if(equal(attr.getName().begin(), attr.getName().end(), i->getName().begin(),
+		    nocase_compare)){
+                m_attrs.erase(i);
+                break;
+            }
+        }
+    }
+    m_attrs.push_back(attr);
+}
 
 LDAPMod** LDAPAttributeList::toLDAPModArray() const{
     DEBUG(LDAP_DEBUG_TRACE,"LDAPAttribute::toLDAPModArray()" << endl);
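Review bot: `replaceAttribute` erases the matching element before it copies `attr`, so a caller that passes a reference to an attribute already stored in this list (for example the object behind the pointer returned by `getAttributeByName`) has `attr` destroyed by `m_attrs.erase(i)` and then read by `m_attrs.push_back(attr)`. Taking the copy first avoids that: `LDAPAttribute copy(attr);` at the top of the function, then `m_attrs.push_back(copy);` at the end. The trace string also says `LDAPAttribute::replaceAttribute()` where the class is `LDAPAttributeList`. The container type of `m_attrs` is not visible in this hunk, so the exact invalidation behaviour should be confirmed against the header.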

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttributeList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttributeList.h,v 1.9.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -84,7 +85,6 @@
 	 */
 	const LDAPAttribute* getAttributeByName(const std::string& name) const;
 
-
         /**
          * Adds one element to the end of the list.
          * @param attr The attribute to add to the list.
@@ -92,6 +92,12 @@
         void addAttribute(const LDAPAttribute& attr);
 
         /**
+         * Replace an Attribute in the List
+         * @param attr The attribute to add to the list.
+         */
+        void replaceAttribute(const LDAPAttribute& attr);
+
+        /**
          * Translates the list of Attributes to a 0-terminated array of
          * LDAPMod-structures as needed by the C-API
          */
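Review bot: The doc comment for `replaceAttribute` repeats the `addAttribute` wording and does not say how the attribute to replace is chosen. From the implementation in LDAPAttributeList.cpp, the first attribute whose name matches case-insensitively is removed and `attr` is appended at the end, also when nothing matched. I would say so, e.g. `@param attr The new attribute; replaces the first attribute with the same name (compared case-insensitively), or is appended if there is none.` The same copied `@param` text appears on `LDAPEntry::replaceAttribute` in LDAPEntry.h.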

Modified: openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPBindRequest.cpp,v 1.6.8.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -9,8 +10,11 @@
 
 #include "LDAPBindRequest.h"
 #include "LDAPException.h"
+#include "SaslInteractionHandler.h"
+#include "SaslInteraction.h"
 
 #include <cstdlib>
+#include <sasl/sasl.h>
 
 using namespace std;
 
@@ -73,10 +77,97 @@
     }
 }
 
-LDAPRequest* LDAPBindRequest::followReferral(LDAPMsg* /*urls*/){
-    DEBUG(LDAP_DEBUG_TRACE,"LDAPBindRequest::followReferral()" << endl);
-    DEBUG(LDAP_DEBUG_TRACE,
-            "ReferralChasing for bind-operation not implemented yet" << endl);
-    return 0;
+LDAPSaslBindRequest::LDAPSaslBindRequest(const std::string& mech,
+        const std::string& cred, 
+        LDAPAsynConnection *connect,
+        const LDAPConstraints *cons, 
+        bool isReferral) : LDAPRequest(connect, cons, isReferral),m_mech(mech), m_cred(cred) {}
+
+LDAPMessageQueue* LDAPSaslBindRequest::sendRequest()
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPSaslBindRequest::sendRequest()" << endl);
+    int msgID=0;
+    
+    BerValue tmpcred;
+    tmpcred.bv_val = (char*) malloc( m_cred.size() * sizeof(char));
+    m_cred.copy(tmpcred.bv_val,string::npos);
+    tmpcred.bv_len = m_cred.size();
+    
+    LDAPControl** tmpSrvCtrls=m_cons->getSrvCtrlsArray();
+    LDAPControl** tmpClCtrls=m_cons->getClCtrlsArray();
+    int err=ldap_sasl_bind(m_connection->getSessionHandle(), "", m_mech.c_str(), 
+            &tmpcred, tmpSrvCtrls, tmpClCtrls, &msgID);
+    LDAPControlSet::freeLDAPControlArray(tmpSrvCtrls);
+    LDAPControlSet::freeLDAPControlArray(tmpClCtrls);
+    free(tmpcred.bv_val);
+
+    if(err != LDAP_SUCCESS){
+        throw LDAPException(err);
+    }else{
+        m_msgID=msgID;
+        return new LDAPMessageQueue(this);
+    }
 }
 
+LDAPSaslBindRequest::~LDAPSaslBindRequest()
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslBindRequest::~LDAPSaslBindRequest()" << endl);
+}
+
+LDAPSaslInteractiveBind::LDAPSaslInteractiveBind( const std::string& mech, 
+        int flags, SaslInteractionHandler *sih, LDAPAsynConnection *connect,
+        const LDAPConstraints *cons, bool isReferral) : 
+            LDAPRequest(connect, cons, isReferral),
+            m_mech(mech), m_flags(flags), m_sih(sih), m_res(0)
+{
+}
+
+static int my_sasl_interact(LDAP *l, unsigned flags, void *cbh, void *interact)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPSaslInteractiveBind::my_sasl_interact()" 
+            << std::endl );
+    std::list<SaslInteraction*> interactions;
+
+    sasl_interact_t *iter = (sasl_interact_t*) interact;
+    while ( iter->id != SASL_CB_LIST_END ) {
+        SaslInteraction *si = new SaslInteraction(iter);
+        interactions.push_back( si );
+        iter++;
+    }
+    ((SaslInteractionHandler*)cbh)->handleInteractions(interactions);
+    return LDAP_SUCCESS;
+}
+
+/* This kind of fakes an asynchronous operation, ldap_sasl_interactive_bind_s
+ * is synchronous */
+LDAPMessageQueue *LDAPSaslInteractiveBind::sendRequest()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "LDAPSaslInteractiveBind::sendRequest()" <<
+            m_mech << std::endl);
+
+    LDAPControl** tmpSrvCtrls=m_cons->getSrvCtrlsArray();
+    LDAPControl** tmpClCtrls=m_cons->getClCtrlsArray();
+    int res = ldap_sasl_interactive_bind_s( m_connection->getSessionHandle(),
+            "", m_mech.c_str(), tmpSrvCtrls, tmpClCtrls, m_flags, 
+            my_sasl_interact, m_sih );
+
+    DEBUG(LDAP_DEBUG_TRACE, "ldap_sasl_interactive_bind_s returned: " 
+            << res << std::endl);
+    if(res != LDAP_SUCCESS){
+        throw LDAPException(res);
+    } else {
+        m_res = new LDAPResult(LDAPMsg::BIND_RESPONSE, res, ""); 
+    }
+    return new LDAPMessageQueue(this);
+}
+
+LDAPMsg* LDAPSaslInteractiveBind::getNextMessage() const 
+{
+    return m_res;
+}
+
+LDAPSaslInteractiveBind::~LDAPSaslInteractiveBind()
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslInteractiveBind::~LDAPSaslInteractiveBind()" << endl);
+}
+
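Review bot: `my_sasl_interact` calls `handleInteractions` through `cbh` without checking it, while `LDAPConnection::saslInteractiveBind` in LDAPConnection.h defaults `sih` to 0, so a bind that needs any interaction dereferences a null handler. A guard such as `if (cbh == 0 || interact == 0) return LDAP_PARAM_ERROR;` before the loop makes the bind fail cleanly instead. In `LDAPSaslBindRequest::sendRequest` the `malloc` result is used unchecked and the credential copy is freed without being cleared; a `BerValue` that points at the buffer of `m_cred` itself would avoid the extra copy of the secret. `LDAPSaslInteractiveBind::sendRequest` never calls `LDAPControlSet::freeLDAPControlArray` on `tmpSrvCtrls` and `tmpClCtrls`, unlike the SASL bind request above it, and the `SaslInteraction` objects created in the callback are not deleted here, so either their ownership by the handler should be documented or they should be freed after the call.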

Modified: openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPBindRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPBindRequest.h,v 1.4.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,6 +8,8 @@
 #define LDAP_BIND_REQUEST_H
 
 #include <LDAPRequest.h>
+#include <LDAPResult.h>
+#include <SaslInteractionHandler.h>
 
 class LDAPBindRequest : LDAPRequest {
     private:
@@ -15,14 +18,44 @@
         std::string m_mech;
 
     public:
-        LDAPBindRequest(const LDAPBindRequest& req);
+        LDAPBindRequest( const LDAPBindRequest& req);
         //just for simple authentication
         LDAPBindRequest(const std::string&, const std::string& passwd, 
                 LDAPAsynConnection *connect, const LDAPConstraints *cons, 
                 bool isReferral=false);
         virtual ~LDAPBindRequest();
         virtual LDAPMessageQueue *sendRequest();
-        virtual LDAPRequest* followReferral(LDAPMsg* urls);
 };
+
+class LDAPSaslBindRequest : LDAPRequest
+{
+    public:
+        LDAPSaslBindRequest( const std::string& mech, const std::string& cred, 
+        LDAPAsynConnection *connect, const LDAPConstraints *cons, 
+                bool isReferral=false);
+        virtual LDAPMessageQueue *sendRequest();
+        virtual ~LDAPSaslBindRequest();
+
+    private:
+        std::string m_mech;
+        std::string m_cred;
+};
+
+class LDAPSaslInteractiveBind : LDAPRequest
+{
+    public:
+        LDAPSaslInteractiveBind( const std::string& mech, int flags,
+                SaslInteractionHandler *sih, LDAPAsynConnection *connect, 
+                const LDAPConstraints *cons, bool isReferral=false);
+        virtual LDAPMessageQueue *sendRequest();
+        virtual LDAPMsg* getNextMessage() const;
+        virtual ~LDAPSaslInteractiveBind();
+
+    private:
+        std::string m_mech;
+        int m_flags;
+        SaslInteractionHandler *m_sih;
+        LDAPResult *m_res;
+};
 #endif //LDAP_BIND_REQUEST_H
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPCompareRequest.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPCompareRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPCompareRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConnection.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConnection.cpp,v 1.10.4.3 2008/04/14 23:28:11 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,7 +8,6 @@
 
 #include "LDAPResult.h"
 #include "LDAPException.h"
-#include "LDAPReferralException.h"
 #include "LDAPUrlList.h"
 
 #include "LDAPConnection.h"
@@ -60,6 +60,40 @@
     delete msg;   // memcheck
 }
 
+void LDAPConnection::saslInteractiveBind( const std::string &mech,
+                        int flags,
+                        SaslInteractionHandler *sih,
+                        const LDAPConstraints *cons)
+{
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPConnection::bind" << endl);
+    LDAPMessageQueue* msg=0;
+    LDAPResult* res=0;
+    try{
+        msg = LDAPAsynConnection::saslInteractiveBind(mech, flags, sih, cons);
+        res = (LDAPResult*)msg->getNext();
+    }catch(LDAPException e){
+        delete msg;
+        delete res;
+        throw;
+    }
+    int resCode=res->getResultCode();
+    if(resCode != LDAPResult::SUCCESS) {
+        if(resCode == LDAPResult::REFERRAL){
+            LDAPUrlList urls = res->getReferralUrls();
+            delete res;
+            delete msg;
+            throw LDAPReferralException(urls);
+        }else{
+            string srvMsg = res->getErrMsg();
+            delete res;
+            delete msg;
+            throw LDAPException(resCode, srvMsg);
+        }
+    }
+    delete res;
+    delete msg;
+}
+
 void LDAPConnection::unbind(){
     LDAPAsynConnection::unbind();
 }
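Review bot: The handler `catch(LDAPException e)` catches by value, which copies the exception and handles nothing else, so any other exception from `msg->getNext()` leaves `msg` allocated. `catch(const LDAPException&)` avoids the copy, and holding `msg` and `res` in a small owning wrapper would cover the remaining paths and remove the repeated `delete res; delete msg;` pairs. The trace line prints `LDAPConnection::bind` and should read `LDAPConnection::saslInteractiveBind`. `res` comes from a C-style cast of `msg->getNext()` and is dereferenced without a null check; whether the queue can return 0 here cannot be confirmed from this hunk.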

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConnection.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConnection.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConnection.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConnection.h,v 1.8.4.2 2008/04/14 23:28:11 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -88,6 +89,10 @@
          */
         void bind(const std::string& dn="", const std::string& passwd="",
                 LDAPConstraints* cons=0);
+        void saslInteractiveBind(const std::string& mech,
+                int flags=0,
+                SaslInteractionHandler *sih=0,
+                const LDAPConstraints *cons=0);
         
         /**
          * Performs the UNBIND-operation on the destination server
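Review bot: `saslInteractiveBind` is declared without the doc comment that `bind` and `unbind` around it carry. I would add a block that names each parameter: `mech` as the SASL mechanism name, `flags` as the value handed to `ldap_sasl_interactive_bind_s`, `sih` as the handler that receives the SASL prompts, and `cons` as the constraints used for the operation, plus the exceptions thrown (`LDAPException`, `LDAPReferralException`). It should also state who owns `sih` and whether 0 is an accepted value, since the default here is 0. The comment that follows this declaration continues outside the hunk.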

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConstraints.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConstraints.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPConstraints.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPConstraints.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.h,v 1.5.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControlSet.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControlSet.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControlSet.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControlSet.h,v 1.6.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPDeleteRequest.cpp,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPDeleteRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPDeleteRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntry.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntry.cpp,v 1.5.8.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -22,8 +23,11 @@
 LDAPEntry::LDAPEntry(const string& dn, const LDAPAttributeList *attrs){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPEntry::LDAPEntry()" << endl);
     DEBUG(LDAP_DEBUG_CONSTRUCT | LDAP_DEBUG_PARAMETER,
-            "   dn:" << dn << endl << " attrs:" << *attrs << endl);
-    m_attrs=new LDAPAttributeList(*attrs);
+            "   dn:" << dn << endl);
+    if ( attrs )
+        m_attrs=new LDAPAttributeList(*attrs);
+    else
+        m_attrs=new LDAPAttributeList();
     m_dn=dn;
 }
 
@@ -40,6 +44,13 @@
     delete m_attrs;
 }
 
+LDAPEntry& LDAPEntry::operator=(const LDAPEntry& from){
+    m_dn = from.m_dn;
+    delete m_attrs;
+    m_attrs = new LDAPAttributeList( *(from.m_attrs));
+    return *this;
+}
+
 void LDAPEntry::setDN(const string& dn){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPEntry::setDN()" << endl);
     DEBUG(LDAP_DEBUG_TRACE | LDAP_DEBUG_PARAMETER,
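Review bot: `LDAPEntry::operator=` deletes `m_attrs` before copying from `from.m_attrs`, so self-assignment (`e = e`) reads the list it has just freed. Copying first fixes that and also keeps the entry intact if the copy throws: `LDAPAttributeList *tmp = new LDAPAttributeList(*from.m_attrs);` followed by `delete m_attrs; m_attrs = tmp;`, with `m_dn = from.m_dn;` moved after the copy. The body of `setDN` that follows continues outside the hunk.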
@@ -67,6 +78,21 @@
     return m_attrs;
 }
 
+const LDAPAttribute* LDAPEntry::getAttributeByName(const std::string& name) const 
+{
+    return m_attrs->getAttributeByName(name);
+}
+
+void LDAPEntry::addAttribute(const LDAPAttribute& attr)
+{
+    m_attrs->addAttribute(attr);
+}
+
+void LDAPEntry::replaceAttribute(const LDAPAttribute& attr)
+{
+    m_attrs->replaceAttribute(attr); 
+}
+
 ostream& operator << (ostream& s, const LDAPEntry& le){
     s << "DN: " << le.m_dn << ": " << *(le.m_attrs); 
     return s;

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntry.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntry.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntry.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntry.h,v 1.6.8.5 2008/04/14 23:30:47 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -17,11 +18,11 @@
  */
 class LDAPEntry{
 
-	public :
+    public :
         /**
          * Copy-constructor
          */
-		LDAPEntry(const LDAPEntry& entry);
+        LDAPEntry(const LDAPEntry& entry);
 
         /**
          * Constructs a new entry (also used as standard constructor).
@@ -29,8 +30,8 @@
          * @param dn    The Distinguished Name for the new entry.
          * @param attrs The attributes for the new entry.
          */
-		LDAPEntry(const std::string& dn=std::string(), 
-                const LDAPAttributeList *attrs=new LDAPAttributeList());
+        LDAPEntry(const std::string& dn=std::string(), 
+                const LDAPAttributeList *attrs=0);
 
         /**
          * Used internally only.
@@ -38,44 +39,71 @@
          * The constructor is used internally to create a LDAPEntry from
          * the C-API's data structurs.
          */ 
-		LDAPEntry(const LDAPAsynConnection *ld, LDAPMessage *msg);
+        LDAPEntry(const LDAPAsynConnection *ld, LDAPMessage *msg);
 
         /**
          * Destructor
          */
-		~LDAPEntry();
-        
+        ~LDAPEntry();
+
         /**
+         * Assignment operator
+         */
+        LDAPEntry& operator=(const LDAPEntry& from);
+
+        /**
          * Sets the DN-attribute.
          * @param dn: The new DN for the entry.
          */
-		void setDN(const std::string& dn);
+        void setDN(const std::string& dn);
 
         /**
          * Sets the attributes of the entry.
          * @param attr: A pointer to a std::list of the new attributes.
          */
-		void setAttributes(LDAPAttributeList *attrs);
+        void setAttributes(LDAPAttributeList *attrs);
 
+	/**
+	 * Get an Attribute by its AttributeType (simple wrapper around
+         * LDAPAttributeList::getAttributeByName() )
+	 * @param name The name of the Attribute to look for
+	 * @return a pointer to the LDAPAttribute with the AttributeType 
+	 *	"name" or 0, if there is no Attribute of that Type
+	 */
+	const LDAPAttribute* getAttributeByName(const std::string& name) const;
+
         /**
+         * Adds one Attribute to the List of Attributes (simple wrapper around
+         * LDAPAttributeList::addAttribute() ).
+         * @param attr The attribute to add to the list.
+         */
+        void addAttribute(const LDAPAttribute& attr);
+
+        /**
+         * Replace an Attribute in the List of Attributes (simple wrapper
+         * around LDAPAttributeList::replaceAttribute() ).
+         * @param attr The attribute to add to the list.
+         */
+        void replaceAttribute(const LDAPAttribute& attr);
+
+        /**
          * @returns The current DN of the entry.
          */
-		const std::string& getDN() const ;
+        const std::string& getDN() const ;
 
         /**
          * @returns A const pointer to the attributes of the entry.  
          */
-		const LDAPAttributeList* getAttributes() const;
+        const LDAPAttributeList* getAttributes() const;
 
         /**
          * This method can be used to dump the data of a LDAPResult-Object.
          * It is only useful for debugging purposes at the moment
          */
-		friend std::ostream& operator << (std::ostream& s, const LDAPEntry& le);
+        friend std::ostream& operator << (std::ostream& s, const LDAPEntry& le);
 	
     private :
-
-		LDAPAttributeList *m_attrs;
-		std::string m_dn;
+        LDAPAttributeList *m_attrs;
+        std::string m_dn;
 };
 #endif  //LDAP_ENTRY_H

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntryList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntryList.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPEntryList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPEntryList.h,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPException.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPException.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPException.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPException.cpp,v 1.8.2.5 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,22 +4,24 @@
  */
 
-
-
 #include <ldap.h>
 #include "config.h"
 #include "LDAPException.h"
-#include "LDAPReferralException.h"
 
 #include "LDAPAsynConnection.h"
+#include "LDAPResult.h"
 
 using namespace std;
 
-LDAPException::LDAPException(int res_code, const string& err_string){
+LDAPException::LDAPException(int res_code, const string& err_string) throw()
+    : std::runtime_error(err_string)
+{
 	m_res_code=res_code;
 	m_res_string=string(ldap_err2string(res_code));
     m_err_string=err_string;
 }
 
-LDAPException::LDAPException(const LDAPAsynConnection *lc){
+LDAPException::LDAPException(const LDAPAsynConnection *lc) throw()
+    : std::runtime_error("")
+{
     LDAP *l = lc->getSessionHandle();
     ldap_get_option(l,LDAP_OPT_RESULT_CODE,&m_res_code);
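Review bot: Both constructors are now declared `throw()` but still build `std::string` members (`m_res_string=string(ldap_err2string(res_code))`, `m_err_string=err_string`) and a `std::runtime_error` base, all of which can throw `std::bad_alloc`; with an empty exception specification that ends in `std::unexpected()` and normally terminates the process. The same applies to `operator <<` in the next hunk, which is marked `throw()` although stream insertion can throw when the stream has exceptions enabled, and which still takes `LDAPException` by value. I would drop `throw()` from the constructors and from `operator <<`, keeping it on the destructor and `what()` where the base class requires it. The connection-based constructor continues outside the hunk.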
@@ -43,22 +46,32 @@
     }
 }
 
-LDAPException::~LDAPException(){
+LDAPException::~LDAPException() throw()
+{
 }
 
-int LDAPException::getResultCode() const{
+int LDAPException::getResultCode() const throw()
+{
 	return m_res_code;
 }
 
-const string& LDAPException::getResultMsg() const{
+const string& LDAPException::getResultMsg() const throw()
+{
 	return m_res_string;
 }
 
-const string& LDAPException::getServerMsg() const{
+const string& LDAPException::getServerMsg() const throw()
+{
     return m_err_string;
 }
 
-ostream& operator << (ostream& s, LDAPException e){
+const char* LDAPException::what() const throw()
+{
+    return this->m_res_string.c_str(); 
+}
+
+ostream& operator << (ostream& s, LDAPException e) throw()
+{
 	s << "Error " << e.m_res_code << ": " << e.m_res_string;
 	if (!e.m_err_string.empty()) {
 		s << endl <<  "additional info: " << e.m_err_string ;
@@ -66,3 +79,18 @@
 	return s;
 }
 
+
+LDAPReferralException::LDAPReferralException(const LDAPUrlList& urls) throw() 
+        : LDAPException(LDAPResult::REFERRAL) , m_urlList(urls)
+{
+}
+
+LDAPReferralException::~LDAPReferralException() throw()
+{
+}
+
+const LDAPUrlList& LDAPReferralException::getUrls() throw()
+{
+    return m_urlList;
+}
+

Modified: openldap/trunk/contrib/ldapc++/src/LDAPException.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPException.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPException.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPException.h,v 1.5.8.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -9,14 +10,18 @@
 
 #include <iostream>
 #include <string>
+#include <stdexcept>
 
+#include <LDAPUrlList.h>
+
 class LDAPAsynConnection;
 
 /**
  * This class is only thrown as an Exception and used to signalize error
  * conditions during LDAP-operations
  */
-class LDAPException{
+class LDAPException : public std::runtime_error
+{
 		
     public :
         /**
@@ -26,7 +31,7 @@
          *                      that happend (optional)
          */
         LDAPException(int res_code, 
-                const std::string& err_string=std::string());
+                const std::string& err_string=std::string()) throw();
 		
         /**
          * Constructs a LDAPException-object from the error state of a
@@ -34,38 +39,69 @@
          * @param lc A LDAP-Connection for that an error has happend. The
          *          Constructor tries to read its error state.
          */
-        LDAPException(const LDAPAsynConnection *lc);
+        LDAPException(const LDAPAsynConnection *lc) throw();
 
         /**
          * Destructor
          */
-        virtual ~LDAPException();
+        virtual ~LDAPException() throw();
 
         /**
          * @return The Result code of the object
          */
-        int getResultCode() const;
+        int getResultCode() const throw();
 
         /**
          * @return The error message that is corresponding to the result
          *          code .
          */
-        const std::string& getResultMsg() const;
+        const std::string& getResultMsg() const throw();
         
         /**
          * @return The addional error message of the error (if it was set)
          */
-        const std::string& getServerMsg() const;
+        const std::string& getServerMsg() const throw();
 
+        
+        virtual const char* what() const throw();
+
         /**
          * This method can be used to dump the data of a LDAPResult-Object.
          * It is only useful for debugging purposes at the moment
          */
-        friend std::ostream& operator << (std::ostream &s, LDAPException e);
+        friend std::ostream& operator << (std::ostream &s, LDAPException e) throw();
 
     private :
         int m_res_code;
         std::string m_res_string;
         std::string m_err_string;
 };
+
+/**
+ * This class extends LDAPException and is used to signalize Referrals
+ * there were received during synchronous LDAP-operations
+ */
+class LDAPReferralException : public LDAPException
+{
+
+    public :
+        /**
+         * Creates an object that is initialized with a list of URLs
+         */
+        LDAPReferralException(const LDAPUrlList& urls) throw();
+
+        /**
+         * Destructor
+         */
+        ~LDAPReferralException() throw();
+
+        /**
+         * @return The List of URLs of the Referral/Search Reference
+         */
+        const LDAPUrlList& getUrls() throw();
+
+    private :
+        LDAPUrlList m_urlList;
+};
+
 #endif //LDAP_EXCEPTION_H
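Review bot: `LDAPReferralException::getUrls()` is not `const`, so it cannot be called on an exception caught as `const LDAPReferralException&`; since it only returns the member, `const LDAPUrlList& getUrls() const throw();` is the natural signature, and the definition in LDAPException.cpp needs the same change. `what()` is also the only public member of `LDAPException` without a doc comment. Per the .cpp it returns the result-code text rather than the server message, which is worth stating as `/** @return The error text for the result code (same as getResultMsg()) */`.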

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtResult.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPExtResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPExtResult.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessage.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessage.cpp,v 1.4.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -8,6 +9,7 @@
 
 #include "LDAPResult.h"
 #include "LDAPExtResult.h"
+#include "LDAPSaslBindResult.h"
 #include "LDAPRequest.h"
 #include "LDAPSearchResult.h"
 #include "LDAPSearchReference.h"
@@ -22,6 +24,13 @@
     m_hasControls=false;
 }
 
+LDAPMsg::LDAPMsg(int type, int id=0){
+    DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPMsg::LDAPMsg()" << endl);
+    msgType = type;
+    msgID = id;
+    m_hasControls=false;
+}
+
 LDAPMsg* LDAPMsg::create(const LDAPRequest *req, LDAPMessage *msg){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPMsg::create()" << endl);
     switch(ldap_msgtype(msg)){
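Review bot: The default argument in `LDAPMsg::LDAPMsg(int type, int id=0)` sits on the out-of-class definition, so it is only usable by code that follows it in LDAPMessage.cpp. The declaration added to LDAPMessage.h in this commit is `LDAPMsg(int msgType, int msgID);` with no default, and LDAPResult.cpp passes the `0` explicitly. Either move the default to the header as `LDAPMsg(int msgType, int msgID=0);` and drop it here, or remove it. The parameter names also differ between the declaration and the definition. A one-line comment saying this constructor builds a message without an underlying LDAPMessage would help, if that is the intent.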
@@ -34,6 +43,8 @@
         case EXTENDED_RESPONSE :
             return new LDAPExtResult(req,msg);
         break;
+        case BIND_RESPONSE :
+            return new LDAPSaslBindResult(req,msg);
         default :
             return new LDAPResult(req, msg);
     }
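Review bot: The new `case BIND_RESPONSE` routes every bind response through `LDAPSaslBindResult`, whose constructor (added in this commit) throws unless `ldap_parse_sasl_bind_result` returns `LDAP_SUCCESS` or `LDAP_SASL_BIND_IN_PROGRESS`. If that return value carries the server's result code rather than only the parse status, which is worth confirming against libldap, a rejected bind would leave create() as an exception instead of an LDAPResult the caller can inspect. A comment on the case should state the intent, for example `// all bind responses, simple or SASL; the ctor is expected to throw only on decode errors`. The case also omits the `break;` that its siblings carry after `return`, which is harmless but inconsistent. create() continues outside the hunk.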

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessage.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessage.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessage.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessage.h,v 1.4.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -21,7 +22,7 @@
  */
 class LDAPMsg{
     public:
-        //public Constants defining the Message types
+        //public Constants defining the response message types
         static const int BIND_RESPONSE=LDAP_RES_BIND;
         static const int SEARCH_ENTRY=LDAP_RES_SEARCH_ENTRY;
         static const int SEARCH_DONE=LDAP_RES_SEARCH_RESULT;
@@ -32,6 +33,17 @@
         static const int MODDN_RESPONSE=LDAP_RES_MODDN;
         static const int COMPARE_RESPONSE=LDAP_RES_COMPARE;
         static const int EXTENDED_RESPONSE=LDAP_RES_EXTENDED;
+        //public Constants defining the request message types
+        static const int BIND_REQUEST=LDAP_REQ_BIND;
+        static const int UNBIND_REQUEST=LDAP_REQ_UNBIND;
+        static const int SEARCH_REQUEST=LDAP_REQ_SEARCH;
+        static const int MODIFY_REQUEST=LDAP_REQ_MODIFY;
+        static const int ADD_REQUEST=LDAP_REQ_ADD;
+        static const int DELETE_REQUEST=LDAP_REQ_DELETE;
+        static const int MODRDN_REQUEST=LDAP_REQ_MODRDN;
+        static const int COMPARE_REQUEST=LDAP_REQ_COMPARE;
+        static const int ABANDON_REQUEST=LDAP_REQ_ABANDON;
+        static const int EXTENDED_REQUEST=LDAP_REQ_EXTENDED;
        
         /**
          * The destructor has no implemenation, because this is an abstract
@@ -98,6 +110,7 @@
          * Only for internal use.
          */
         LDAPMsg(LDAPMessage *msg);
+        LDAPMsg(int msgType, int msgID);
        
         /**
          * This attribute stores Server-Control that were returned with the

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessageQueue.cpp,v 1.6.10.6 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,10 +7,8 @@
 
 #include "config.h"
 #include "debug.h"
-#include <ldap.h>
 #include "LDAPMessageQueue.h"
 #include "LDAPRequest.h"
-#include "LDAPAsynConnection.h"
 #include "LDAPResult.h"
 #include "LDAPSearchReference.h"
 #include "LDAPSearchRequest.h"
@@ -40,110 +39,102 @@
 
 LDAPMsg *LDAPMessageQueue::getNext(){
     DEBUG(LDAP_DEBUG_TRACE,"LDAPMessageQueue::getNext()" << endl);
-    LDAPMessage *msg;
+
+    if ( m_activeReq.empty() ) {
+        return 0;
+    }
+
     LDAPRequest *req=m_activeReq.top();
-    int msg_id = req->getMsgID();
-    int res;
-    const  LDAPAsynConnection *con=req->getConnection();
-    res=ldap_result(con->getSessionHandle(),msg_id,0,0,&msg);
-    if (res <= 0){
-        if(msg != 0){
-            ldap_msgfree(msg);
-        }
-	throw  LDAPException(con);
-    }else{	
-        const LDAPConstraints *constr=req->getConstraints();
-        LDAPMsg *ret=0;
-        //this can  throw an exception (Decoding Error)
-        try{
-            ret = LDAPMsg::create(req,msg);
-            ldap_msgfree(msg);
-        }catch(LDAPException e){
-            //do some clean up
-            delete req;
-            m_activeReq.top();
-            throw;   
-        }
-        switch (ret->getMessageType()) {
-            case LDAPMsg::SEARCH_REFERENCE : 
-                if (constr->getReferralChase() ){
-                    //throws Exception (limit Exceeded)
-                    LDAPRequest *refReq=chaseReferral(ret);
-                    if(refReq != 0){
-                        m_activeReq.push(refReq);
-                        m_issuedReq.push_back(refReq);
-                        delete ret;
-                        return getNext();
-                    }
+    LDAPMsg *ret=0;
+
+    try{
+        ret = req->getNextMessage();
+    }catch(LDAPException e){
+        //do some clean up
+        m_activeReq.pop();
+        throw;   
+    }
+
+    const LDAPConstraints *constr=req->getConstraints();
+    switch (ret->getMessageType()) {
+        case LDAPMsg::SEARCH_REFERENCE : 
+            if (constr->getReferralChase() ){
+                //throws Exception (limit Exceeded)
+                LDAPRequest *refReq=chaseReferral(ret);
+                if(refReq != 0){
+                    m_activeReq.push(refReq);
+                    m_issuedReq.push_back(refReq);
+                    delete ret;
+                    return getNext();
                 }
-                return ret;
-            break;
-            case LDAPMsg::SEARCH_ENTRY :
-                return ret;
-            break;
-            case LDAPMsg::SEARCH_DONE :
-                if(req->isReferral()){
-                    req->unbind();
-                }
-                switch ( ((LDAPResult*)ret)->getResultCode()) {
-                    case LDAPResult::REFERRAL :
-                        if(constr->getReferralChase()){
-                            //throws Exception (limit Exceeded)
-                            LDAPRequest *refReq=chaseReferral(ret);
-                            if(refReq != 0){
-                                m_activeReq.pop();
-                                m_activeReq.push(refReq);
-                                m_issuedReq.push_back(refReq);
-                                delete ret;
-                                return getNext();
-                            }
-                        }    
-                        return ret;
-                    break;
-                    case LDAPResult::SUCCESS :
-                        if(req->isReferral()){
-                            delete ret;
+            }
+            return ret;
+        break;
+        case LDAPMsg::SEARCH_ENTRY :
+            return ret;
+        break;
+        case LDAPMsg::SEARCH_DONE :
+            if(req->isReferral()){
+                req->unbind();
+            }
+            switch ( ((LDAPResult*)ret)->getResultCode()) {
+                case LDAPResult::REFERRAL :
+                    if(constr->getReferralChase()){
+                        //throws Exception (limit Exceeded)
+                        LDAPRequest *refReq=chaseReferral(ret);
+                        if(refReq != 0){
                             m_activeReq.pop();
+                            m_activeReq.push(refReq);
+                            m_issuedReq.push_back(refReq);
+                            delete ret;
                             return getNext();
-                        }else{
-                            m_activeReq.pop();
-                            return ret;
                         }
-                    break;
-                    default:
+                    }    
+                    return ret;
+                break;
+                case LDAPResult::SUCCESS :
+                    if(req->isReferral()){
+                        delete ret;
                         m_activeReq.pop();
-                        return ret;
-                    break;
-                }
-            break;
-            //must be some kind of LDAPResultMessage
-            default:
-                if(req->isReferral()){
-                    req->unbind();
-                }
-                LDAPResult* res_p=(LDAPResult*)ret;
-                switch (res_p->getResultCode()) {
-                    case LDAPResult::REFERRAL :
-                        if(constr->getReferralChase()){
-                            //throws Exception (limit Exceeded)
-                            LDAPRequest *refReq=chaseReferral(ret);
-                            if(refReq != 0){
-                                m_activeReq.pop();
-                                m_activeReq.push(refReq);
-                                m_issuedReq.push_back(refReq);
-                                delete ret;
-                                return getNext();
-                            }
-                        }    
-                        return ret;
-                    break;
-                    default:
+                        return getNext();
+                    }else{
                         m_activeReq.pop();
                         return ret;
-                }
-            break;
-        }
-    }	
+                    }
+                break;
+                default:
+                    m_activeReq.pop();
+                    return ret;
+                break;
+            }
+        break;
+        //must be some kind of LDAPResultMessage
+        default:
+            if(req->isReferral()){
+                req->unbind();
+            }
+            LDAPResult* res_p=(LDAPResult*)ret;
+            switch (res_p->getResultCode()) {
+                case LDAPResult::REFERRAL :
+                    if(constr->getReferralChase()){
+                        //throws Exception (limit Exceeded)
+                        LDAPRequest *refReq=chaseReferral(ret);
+                        if(refReq != 0){
+                            m_activeReq.pop();
+                            m_activeReq.push(refReq);
+                            m_issuedReq.push_back(refReq);
+                            delete ret;
+                            return getNext();
+                        }
+                    }    
+                    return ret;
+                break;
+                default:
+                    m_activeReq.pop();
+                    return ret;
+            }
+        break;
+    }
 }
 
 // TODO Maybe moved to LDAPRequest::followReferral seems more reasonable
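Review bot: `ret` leaks whenever `chaseReferral(ret)` throws, which the comments at all three call sites say it can (limit exceeded), because the message is a raw owning pointer that is deleted only on the success path. The failed request also stays on top of `m_activeReq`, so the next getNext() call would poll it again; whether that is intended is not visible here. Assuming chaseReferral does not keep the pointer, each call site can free the message before rethrowing, as sketched below for the SEARCH_REFERENCE case. Separately, `catch(LDAPException e)` copies the exception where `catch(const LDAPException&)` would not, and the new `return 0` for an empty queue should be documented in the header since callers now have to check for it.
```cpp
        case LDAPMsg::SEARCH_REFERENCE :
            if (constr->getReferralChase() ){
                LDAPRequest *refReq=0;
                try{
                    refReq=chaseReferral(ret);
                }catch(...){
                    delete ret;   // still owned here; nothing else frees it
                    throw;
                }
                // … unchanged: push refReq, delete ret, return getNext() …
            }
            return ret;
```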

Modified: openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPMessageQueue.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPMessageQueue.h,v 1.5.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModDNRequest.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModDNRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModDNRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModList.cpp,v 1.5.6.3 2008/04/14 23:29:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -37,3 +38,11 @@
     }
     return ret;
 }
+
+bool LDAPModList::empty() const {
+    return m_modList.empty();
+}
+
+unsigned int LDAPModList::size() const {
+    return m_modList.size();
+}
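Review bot: `LDAPModList::size()` returns `unsigned int` while `m_modList.size()` yields the list's `size_type`, so the value is narrowed implicitly on platforms where the two widths differ. Declaring it as `size_t size() const;` keeps the type exact and avoids a conversion warning. The same change applies to the declaration in the LDAPModList.h hunk of this commit.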

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModList.h,v 1.7.6.2 2008/04/14 23:29:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -15,9 +16,9 @@
  * This container class is used to store multiple LDAPModification-objects.
  */
 class LDAPModList{
-        typedef std::list<LDAPModification> ListType;
+    typedef std::list<LDAPModification> ListType;
 
-	public : 
+    public : 
         /**
          * Constructs an empty list.
          */   
@@ -40,7 +41,17 @@
          */
         LDAPMod** toLDAPModArray();
 
-	private : 
+        /**
+         * @returns true, if the ModList contains no Operations
+         */
+        bool empty() const;
+        
+        /**
+         * @returns number of Modifications in the ModList
+         */
+        unsigned int size() const;
+
+    private : 
         ListType m_modList;
 };
 #endif //LDAP_MOD_LIST_H

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModification.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModification.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModification.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModification.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModification.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModification.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModifyRequest.cpp,v 1.8.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPModifyRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPModifyRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.cpp,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -90,31 +91,31 @@
 	oid = oc_oid;
 }
 
-string LDAPObjClass::getOid () {
+string LDAPObjClass::getOid() const {
     return oid;
 }
 
-string LDAPObjClass::getDesc () {
+string LDAPObjClass::getDesc() const {
     return desc;
 }
 
-StringList LDAPObjClass::getNames () {
+StringList LDAPObjClass::getNames() const {
     return names;
 }
 
-StringList LDAPObjClass::getMust () {
+StringList LDAPObjClass::getMust() const {
     return must;
 }
 
-StringList LDAPObjClass::getMay () {
+StringList LDAPObjClass::getMay() const {
     return may;
 }
 
-StringList LDAPObjClass::getSup () {
+StringList LDAPObjClass::getSup() const {
     return sup;
 }
 
-string LDAPObjClass::getName () {
+string LDAPObjClass::getName() const {
 
     if (names.empty())
 	return "";
@@ -122,7 +123,7 @@
 	return *(names.begin());
 }
 
-int LDAPObjClass::getKind () {
+int LDAPObjClass::getKind() const {
      return kind;
 }
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.h,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -55,42 +56,42 @@
 	/**
 	 * Returns object class description
 	 */
-	string getDesc ();
+	string getDesc() const;
 	
 	/**
 	 * Returns object class oid
 	 */
-	string getOid ();
+	string getOid() const;
 
 	/**
 	 * Returns object class name (first one if there are more of them)
 	 */
-	string getName ();
+	string getName() const;
 
 	/**
 	 * Returns object class kind: 0=ABSTRACT, 1=STRUCTURAL, 2=AUXILIARY
 	 */
-	int getKind ();
+	int getKind() const;
 
 	/**
 	 * Returns all object class names
 	 */
-	StringList getNames();
+	StringList getNames() const;
 	
 	/**
 	 * Returns list of required attributes
 	 */
-	StringList getMust();
+	StringList getMust() const;
 	
 	/**
 	 * Returns list of allowed (and not required) attributes
 	 */
-	StringList getMay();
+	StringList getMay() const;
 	
         /**
 	 * Returns list of the OIDs of the superior ObjectClasses
 	 */
-	StringList getSup();
+	StringList getSup() const;
 
 	void setNames (char **oc_names);
 	void setMay (char **oc_may);

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebind.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebind.cpp,v 1.1.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebind.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebind.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebind.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebind.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebindAuth.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRebindAuth.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRebindAuth.h,v 1.3.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPReferenceList.cpp,v 1.2.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferenceList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPReferenceList.h,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Deleted: openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferralException.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,24 +0,0 @@
-/*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-
-
-#include <iostream>
-#include "LDAPException.h"
-#include "LDAPReferralException.h"
-#include "LDAPResult.h"
-#include "LDAPRequest.h"
-#include "LDAPUrl.h"
-
-LDAPReferralException::LDAPReferralException(const LDAPUrlList& urls) : 
-        LDAPException(LDAPResult::REFERRAL) , m_urlList(urls){
-}
-
-LDAPReferralException::~LDAPReferralException(){
-}
-
-const LDAPUrlList& LDAPReferralException::getUrls(){
-    return m_urlList;
-}
-

Deleted: openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPReferralException.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,42 +0,0 @@
-/*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-
-
-#ifndef LDAP_REFERRAL_EXCEPTION_H
-#define LDAP_REFERRAL_EXCEPTION_H
-
-#include <list>
-#include <LDAPMessage.h>
-#include <LDAPUrlList.h>
-
-class LDAPUrlList;
-
-/**
- * This class extends LDAPException and is used to signalize Referrals
- * there were received during synchronous LDAP-operations
- */
-class LDAPReferralException : public LDAPException{
-
-    public :
-        /**
-         * Creates an object that is initialized with a list of URLs
-         */
-        LDAPReferralException(const LDAPUrlList& urls);
-
-        /**
-         * Destructor
-         */
-        ~LDAPReferralException();
-
-        /**
-         * @return The List of URLs of the Referral/Search Reference
-         */
-        const LDAPUrlList& getUrls();
-
-    private :
-        LDAPUrlList m_urlList;
-};
-
-#endif //LDAP_REFERRAL_EXCEPTION_H

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRequest.cpp,v 1.3.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -47,6 +48,36 @@
     delete m_cons;
 }
 
+LDAPMsg* LDAPRequest::getNextMessage() const 
+{
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPRequest::getNextMessage()" << endl);
+    int res;
+    LDAPMessage *msg;
+
+    res=ldap_result(this->m_connection->getSessionHandle(),
+            this->m_msgID,0,0,&msg);
+
+    if (res <= 0){
+        if(msg != 0){
+            ldap_msgfree(msg);
+        }
+        throw  LDAPException(this->m_connection);
+    }else{	
+        LDAPMsg *ret=0;
+        //this can  throw an exception (Decoding Error)
+        ret = LDAPMsg::create(this,msg);
+        ldap_msgfree(msg);
+        return ret;
+    }
+}
+
+LDAPRequest* LDAPRequest::followReferral(LDAPMsg* /*urls*/){
+    DEBUG(LDAP_DEBUG_TRACE,"LDAPBindRequest::followReferral()" << endl);
+    DEBUG(LDAP_DEBUG_TRACE,
+            "ReferralChasing not implemented for this operation" << endl);
+    return 0;
+}
+
 const LDAPConstraints* LDAPRequest::getConstraints() const{
     DEBUG(LDAP_DEBUG_TRACE,"LDAPRequest::getConstraints()" << endl);
     return m_cons;
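Review bot: In `LDAPRequest::getNextMessage()` the raw `msg` is never freed if `LDAPMsg::create(this,msg)` throws, which the comment above the call says it can, because `ldap_msgfree(msg)` only runs on the following line. `msg` is also declared without an initial value and then tested with `if(msg != 0)` on the error path, which reads an indeterminate pointer unless ldap_result() always stores into it; initialising it to 0 removes the doubt. Two smaller things: the trace line uses `LDAP_DEBUG_DESTROY` where the neighbouring functions use `LDAP_DEBUG_TRACE`, and followReferral() logs itself as `LDAPBindRequest::followReferral()`.
```cpp
    LDAPMessage *msg = 0;
    // … unchanged: ldap_result() call and the res <= 0 branch …
        LDAPMsg *ret=0;
        try{
            ret = LDAPMsg::create(this,msg);
        }catch(...){
            ldap_msgfree(msg);   // the caller frees msg; create() does not
            throw;
        }
        ldap_msgfree(msg);
        return ret;
```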

Modified: openldap/trunk/contrib/ldapc++/src/LDAPRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPRequest.h,v 1.4.10.3 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -40,6 +41,7 @@
         
         const LDAPConstraints* getConstraints() const;
         const LDAPAsynConnection* getConnection() const;
+        virtual LDAPMsg *getNextMessage() const;
         int getType()const;
         int getMsgID() const;
         int getHopCount() const;
@@ -63,7 +65,7 @@
          * functions of the C-API to send the Request to a LDAP-Server
          */
         virtual LDAPMessageQueue* sendRequest()=0;
-        virtual LDAPRequest* followReferral(LDAPMsg* ref)=0;
+        virtual LDAPRequest* followReferral(LDAPMsg* ref);
 
         /**
          * Compare this request with another on. And returns true if they

Modified: openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPResult.cpp,v 1.5.2.3 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -53,6 +54,11 @@
     }
 }
 
+LDAPResult::LDAPResult(int type, int resultCode, const std::string &msg) : 
+        LDAPMsg(type,0), m_resCode(resultCode), m_errMsg(msg)
+{}
+
+
 LDAPResult::~LDAPResult(){
     DEBUG(LDAP_DEBUG_DESTROY,"LDAPResult::~LDAPResult()" << endl);
 }

Modified: openldap/trunk/contrib/ldapc++/src/LDAPResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPResult.h,v 1.5.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -103,6 +104,7 @@
          *              Message.
          */
         LDAPResult(const LDAPRequest *req, LDAPMessage *msg);
+        LDAPResult(int type, int resultCode, const std::string &msg); 
         
         /**
          * The destructor.
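Review bot: The constructor added here, `LDAPResult(int type, int resultCode, const std::string &msg);`, has no documentation and sits directly under the comment block that describes the (req, msg) constructor. A short doc comment would separate the two, for example `/** Builds a result from a message type, result code and error text; the message ID is set to 0. */`, which matches the `LDAPMsg(type,0)` initialiser in LDAPResult.cpp. The added line also carries trailing whitespace. The class definition starts and ends outside this hunk.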

Copied: openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LDAPSaslBindResult.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,45 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSaslBindResult.cpp,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "debug.h"
+#include <lber.h>
+#include "LDAPRequest.h"
+#include "LDAPException.h"
+
+#include "LDAPResult.h"
+#include "LDAPSaslBindResult.h"
+
+using namespace std;
+
+LDAPSaslBindResult::LDAPSaslBindResult(const LDAPRequest* req, LDAPMessage* msg) :
+        LDAPResult(req, msg){
+    DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPSaslBindResult::LDAPSaslBindResult()" 
+            << std::endl);
+    BerValue* data = 0;
+    LDAP* lc = req->getConnection()->getSessionHandle();
+    int err = ldap_parse_sasl_bind_result(lc, msg, &data, 0);
+    if( err != LDAP_SUCCESS && err != LDAP_SASL_BIND_IN_PROGRESS ){
+        ber_bvfree(data);
+        throw LDAPException(err);
+    }else{
+        if(data){
+            DEBUG(LDAP_DEBUG_TRACE, "   creds present" << std::endl);
+            m_creds=string(data->bv_val, data->bv_len);
+            ber_bvfree(data);
+        } else {
+            DEBUG(LDAP_DEBUG_TRACE, "   no creds present" << std::endl);
+        }
+    }
+}
+
+LDAPSaslBindResult::~LDAPSaslBindResult(){
+    DEBUG(LDAP_DEBUG_DESTROY,"LDAPSaslBindResult::~LDAPSaslBindResult()" << endl);
+}
+
+const string& LDAPSaslBindResult::getServerCreds() const{
+    return m_creds;
+}
+

Copied: openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LDAPSaslBindResult.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSaslBindResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,43 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSaslBindResult.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDAP_SASL_BIND_RESULT_H
+#define LDAP_SASL_BIND_RESULT_H
+
+#include <ldap.h>
+
+#include <LDAPResult.h>
+
+class LDAPRequest;
+
+/**
+ * Object of this class are created by the LDAPMsg::create method if
+ * results for an Extended Operation were returned by a LDAP server.
+ */
+class LDAPSaslBindResult : public LDAPResult {
+    public :
+        /**
+         * Constructor that creates an LDAPExtResult-object from the C-API
+         * structures
+         */
+        LDAPSaslBindResult(const LDAPRequest* req, LDAPMessage* msg);
+
+        /**
+         * The Destructor
+         */
+        virtual ~LDAPSaslBindResult();
+
+        /**
+         * @returns If the result contained data this method will return
+         *          the data to the caller as a std::string.
+         */
+        const std::string& getServerCreds() const;
+
+    private:
+        std::string m_creds;
+};
+
+#endif // LDAP_SASL_BIND_RESULT_H
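Review bot: The class comment and the constructor comment are carried over from the extended-operation result class: they speak of "results for an Extended Operation" and "creates an LDAPExtResult-object", but this class wraps a SASL bind response. Suggested wording: `Objects of this class hold the result of a SASL bind operation, including any credentials the server returned.` and `Constructor that creates an LDAPSaslBindResult-object from the C-API structures`. The header also uses std::string for m_creds and getServerCreds() without including `<string>` itself; it presumably arrives through LDAPResult.h, but adding `#include <string>` would make the header self-contained.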

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSchema.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSchema.cpp,v 1.2.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -3,10 +4,13 @@
  */
 
-#include "debug.h"
-#include "StringList.h"
 #include "LDAPSchema.h"
 
 #include <ctype.h>
+#include <ldap.h>
 
+#include "debug.h"
+#include "StringList.h"
+
+
 using namespace std;
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSchema.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSchema.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSchema.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSchema.h,v 1.1.8.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,7 +7,6 @@
 #ifndef LDAP_SCHEMA_H
 #define LDAP_SCHEMA_H
 
-#include <ldap.h>
 #include <string>
 #include <map>
 
@@ -44,8 +44,8 @@
          * Fill the object_classes map
 	 * @param oc description of one objectclass (string returned by search
 	 * command), in form:
-	 * "( SuSE.YaST.OC:5 NAME 'userTemplate' SUP objectTemplate STRUCTURAL
-	 *    DESC 'User object template' MUST ( cn ) MAY ( secondaryGroup ))"
+	 * "( 1.2.3.4.5 NAME '<name>' SUP <supname> STRUCTURAL
+	 *    DESC '<description>' MUST ( <attrtype> ) MAY ( <attrtype> ))"
          */
 	void setObjectClasses (const StringList &oc);
 
@@ -53,7 +53,7 @@
          * Fill the attr_types map
 	 * @param at description of one attribute type
 	 *  (string returned by search command), in form:
-	 * "( SuSE.YaST.Attr:19 NAME ( 'skelDir' ) DESC ''
+	 * "( 1.2.3.4.6 NAME ( '<name>' ) DESC '<desc>'
 	 *    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"
          */
 	void setAttributeTypes (const StringList &at);

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchReference.cpp,v 1.4.2.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchReference.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchReference.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchRequest.cpp,v 1.7.2.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchRequest.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchRequest.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResult.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResult.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResult.h,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResults.cpp,v 1.1.10.2 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -7,7 +8,6 @@
 #include "LDAPException.h"
 #include "LDAPSearchResult.h"
 #include "LDAPResult.h"
-#include "LDAPReferralException.h"
 
 #include "LDAPSearchResults.h"
 

Modified: openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPSearchResults.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPSearchResults.h,v 1.3.10.2 2008/04/14 23:30:47 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -28,14 +29,14 @@
         /**
          * For internal use only.
          *
-         * This method read Search result entries from a
+         * This method reads Search result entries from a
          * LDAPMessageQueue-object.
          * @param msg The message queue to read
          */
         LDAPResult* readMessageQueue(LDAPMessageQueue* msg);
 
         /**
-         * The methode is used by the client-application to read the
+         * The method is used by the client-application to read the
          * result entries of the  SEARCH-Operation. Every call of this
          * method returns one entry. If all entries were read it return 0.
          * @throws LDAPReferralException  If a Search Reference was

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrl.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrl.cpp,v 1.3.10.5 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -6,6 +7,7 @@
 
 #include "LDAPUrl.h"
 #include <sstream>
+#include <iomanip>
 #include "debug.h"
 
 using namespace std;
@@ -163,7 +165,7 @@
     DEBUG(LDAP_DEBUG_TRACE, "LDAPUrl::parseUrl()" << std::endl);
     // reading Scheme
     std::string::size_type pos = m_urlString.find(':');
-    std::string::size_type startpos = m_urlString.find(':');
+    std::string::size_type startpos = pos;
     if (pos == std::string::npos) {
         throw LDAPUrlException(LDAPUrlException::INVALID_URL,
                 "No colon found in URL");
@@ -190,28 +192,42 @@
         startpos = pos + 3;
     }
     if ( m_urlString[startpos] == '/' ) {
+        // no hostname and port
         startpos++;
     } else {
+        std::string::size_type hostend;
+        std::string::size_type portstart;
         pos = m_urlString.find('/', startpos);
-        std::string hostport = m_urlString.substr(startpos, 
-                pos - startpos);
-        DEBUG(LDAP_DEBUG_TRACE, "    hostport: <" << hostport << ">" 
-                << std::endl);
-        std::string::size_type portstart = m_urlString.find(':', startpos);
-        if (portstart == std::string::npos || portstart > pos ) {
-            percentDecode(hostport, m_Host);
+
+        // IPv6 Address?
+        if ( m_urlString[startpos] == '[' ) {
+            // skip
+            startpos++;
+            hostend =  m_urlString.find(']', startpos);
+            if ( hostend == std::string::npos ){
+                throw LDAPUrlException(LDAPUrlException::INVALID_URL);
+            }
+            portstart = hostend + 1;
+        } else {
+            hostend = m_urlString.find(':', startpos);
+            if ( hostend == std::string::npos || portstart > pos ) {
+                hostend = pos;
+            }
+            portstart = hostend;
+        }
+        std::string host = m_urlString.substr(startpos, hostend - startpos);
+        DEBUG(LDAP_DEBUG_TRACE, "    host: <" << host << ">" << std::endl);
+        percentDecode(host, m_Host);
+
+        if (portstart >= m_urlString.length() || portstart >= pos ) {
             if ( m_Scheme == "ldap" || m_Scheme == "cldap" ) {
                 m_Port = LDAP_DEFAULT_PORT;
             } else if ( m_Scheme == "ldaps" ) {
                 m_Port = LDAPS_DEFAULT_PORT;
             }
         } else {
-            std::string tmp = m_urlString.substr(startpos, 
-                        portstart - startpos);
-            percentDecode(tmp, m_Host);
-            DEBUG(LDAP_DEBUG_TRACE, "Host: <" << m_Host << ">" << std::endl);
             std::string port = m_urlString.substr(portstart+1, 
-                    pos-portstart-1);
+                    (pos == std::string::npos ? pos : pos-portstart-1) );
             if ( port.length() > 0 ) {
                 std::istringstream i(port);
                 i >> m_Port;
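Review bot: In the non-bracket branch the test `if ( hostend == std::string::npos || portstart > pos )` reads `portstart` before anything has been assigned to it, so the comparison uses an indeterminate value; the variable meant there looks like `hostend`, i.e. `if ( hostend == std::string::npos || hostend > pos ) {`. As written, a ':' that appears after the first '/' (for example in the DN or filter part) can be taken as the host/port separator, depending on what the uninitialised value happens to be. In the bracketed branch `hostend` is likewise not compared with `pos`, and the character at `portstart` is skipped by `substr(portstart+1, …)` without checking that it is ':'; rejecting both cases with `LDAPUrlException::INVALID_URL` would keep malformed URLs from being half-parsed. parseUrl's body starts and ends outside this hunk.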
@@ -222,8 +238,8 @@
             DEBUG(LDAP_DEBUG_TRACE, "    Port: <" << m_Port << ">" 
                     << std::endl);
         }
+        startpos = pos + 1;
     }
-    startpos = pos + 1;
     int parserMode = base;
     while ( pos != std::string::npos ) {
         pos = m_urlString.find('?', startpos);
@@ -327,8 +343,15 @@
 {
     std::ostringstream url; 
     std::string encoded = "";
-    this->percentEncode(m_Host, encoded, PCT_ENCFLAG_SLASH);
-    url << m_Scheme << "://" << encoded;
+    
+    url << m_Scheme << "://";
+    // IPv6 ?
+    if ( m_Host.find( ':', 0 ) != std::string::npos ) {
+        url <<  "[" << this->percentEncode(m_Host, encoded) <<  "]";
+    } else {
+        url << this->percentEncode(m_Host, encoded, PCT_ENCFLAG_SLASH);
+    }
+
     if ( m_Port != 0 ) {
         url << ":" << m_Port;
     }
@@ -393,7 +416,7 @@
 }
 
 
-void LDAPUrl::percentEncode( const std::string &src, 
+std::string& LDAPUrl::percentEncode( const std::string &src, 
         std::string &dest, 
         int flags) const
 {
@@ -453,12 +476,13 @@
             break;
         }
         if ( escape ) {
-            o << "%" << (int)(unsigned char)*i ;
+            o << "%" << std::setw(2) << std::setfill('0') << (int)(unsigned char)*i ;
         } else {
             o.put(*i);
         }
     }
     dest = o.str();
+    return dest;
 }
 
 const code2string_s LDAPUrlException::code2string[] = {

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrl.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrl.h,v 1.6.8.4 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2006, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -138,7 +139,7 @@
          * @param dest The encoded result string
          * @param flags
          */
-        void percentEncode( const std::string& src, 
+        std::string& percentEncode( const std::string& src, 
                     std::string& dest, 
                     int flags=0 ) const;
    

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrlList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrlList.cpp,v 1.6.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000-2002 OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/LDAPUrlList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPUrlList.h,v 1.8.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Copied: openldap/trunk/contrib/ldapc++/src/LdifReader.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifReader.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifReader.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifReader.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,348 @@
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "LdifReader.h"
+#include "LDAPMessage.h"
+#include "LDAPEntry.h"
+#include "LDAPAttributeList.h"
+#include "LDAPAttribute.h"
+#include "LDAPUrl.h"
+#include "debug.h"
+
+#include <string>
+#include <sstream>
+#include <stdexcept>
+
+#include <sasl/saslutil.h> // For base64 routines
+
+typedef std::pair<std::string, std::string> stringpair;
+
+LdifReader::LdifReader( std::istream &input ) 
+        : m_ldifstream(input), m_lineNumber(0)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "<> LdifReader::LdifReader()" << std::endl);
+    this->m_version = 0;
+    // read the first record to find out version and type of the LDIF
+    this->readNextRecord(true);
+    this->m_currentIsFirst = true;
+}
+
+int LdifReader::readNextRecord( bool first )
+{
+    DEBUG(LDAP_DEBUG_TRACE, "-> LdifReader::readRecord()" << std::endl);
+    std::string line;
+    std::string type;
+    std::string value;
+    int numLine = 0;
+    int recordType = 0;
+
+    if ( (! first) && this->m_currentIsFirst == true )
+    {
+        this->m_currentIsFirst = false;
+        return m_curRecType;
+    }
+
+    m_currentRecord.clear();
+
+    while ( !this->getLdifLine(line) )
+    {
+        DEBUG(LDAP_DEBUG_TRACE, "  Line: " << line << std::endl );
+
+        // skip comments and empty lines between entries
+        if ( line[0] == '#' || ( numLine == 0 && line.size() == 0 ) )
+        {
+            DEBUG(LDAP_DEBUG_TRACE, "skipping empty line or comment" << std::endl );
+            continue;
+        }
+        if ( line.size() == 0 ) 
+        {
+            // End of Entry
+            break;
+        }
+
+        this->splitLine(line, type, value);
+
+        if ( numLine == 0 )
+        {
+            if ( type == "version" )
+            {
+                std::istringstream valuestream(value);
+                valuestream >> this->m_version;
+                if ( this->m_version != 1 ) // there is no other Version than LDIFv1 
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Unsuported LDIF Version";
+                    throw( std::runtime_error(err.str()) );
+                }
+                continue;
+            }
+            if ( type == "dn" ) // Record should start with the DN ...
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Record DN:" << value << std::endl);
+            }
+            else if ( type == "include" ) // ... or it might be an "include" line
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Include directive: " << value << std::endl);
+                if ( this->m_version == 1 )
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": \"include\" not allowed in LDIF version 1.";
+                    throw( std::runtime_error(err.str()) );
+                }
+                else
+                {
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": \"include\" not yet suppported.";
+                    throw( std::runtime_error(err.str()) );
+                }
+            }
+            else
+            {
+                DEBUG(LDAP_DEBUG_TRACE, " Record doesn't start with a DN" 
+                            << std::endl);
+                std::ostringstream err;
+                err << "Line " << this->m_lineNumber 
+                    << ": LDIF record does not start with a DN.";
+                throw( std::runtime_error(err.str()) );
+            }
+        }
+        if ( numLine == 1 ) // might contain "changtype" to indicate a change request
+        {
+            if ( type == "changetype" ) 
+            {
+                if ( first ) 
+                {
+                    this->m_ldifTypeRequest = true;
+                }
+                else if (! this->m_ldifTypeRequest )
+                {
+                    // Change Request in Entry record LDIF, should we accept it?
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Change Request in an entry-only LDIF.";
+                    throw( std::runtime_error(err.str()) );
+                }
+                if ( value == "modify" )
+                {
+                    recordType = LDAPMsg::MODIFY_REQUEST;
+                }
+                else if ( value == "add" )
+                {
+                    recordType = LDAPMsg::ADD_REQUEST;
+                }
+                else if ( value == "delete" )
+                {
+                    recordType = LDAPMsg::DELETE_REQUEST;
+                }
+                else if ( value == "modrdn" )
+                {   
+                    recordType = LDAPMsg::MODRDN_REQUEST;
+                }
+                else
+                {
+                    DEBUG(LDAP_DEBUG_TRACE, " Unknown change request <" 
+                            << value << ">" << std::endl);
+                    std::ostringstream err;
+                    err << "Line " << this->m_lineNumber 
+                        << ": Unknown changetype: \"" << value << "\".";
+                    throw( std::runtime_error(err.str()) );
+                }
+            }
+            else
+            {
+                if ( first ) 
+                {
+                    this->m_ldifTypeRequest = false;
+                }
+                else if (this->m_ldifTypeRequest )
+                {
+                    // Entry record in Change record LDIF, should we accept 
+                    // it (e.g. as AddRequest)?
+                }
+                recordType = LDAPMsg::SEARCH_ENTRY;
+            }
+        }
+        m_currentRecord.push_back( stringpair(type, value) );
+        numLine++;
+    }
+    DEBUG(LDAP_DEBUG_TRACE, "<- LdifReader::readRecord() return: " 
+            << recordType << std::endl);
+    m_curRecType = recordType;
+    return recordType;
+}
+
+LDAPEntry LdifReader::getEntryRecord()
+{
+    if ( m_curRecType != LDAPMsg::SEARCH_ENTRY )
+    {
+        // Error
+    }
+    std::list<stringpair>::const_iterator i = m_currentRecord.begin();
+    LDAPEntry resEntry(i->second);
+    i++;
+    LDAPAttribute curAttr(i->first);
+    LDAPAttributeList *curAl = new LDAPAttributeList();
+    for ( ; i != m_currentRecord.end(); i++ )
+    {
+        if ( i->first == curAttr.getName() )
+        {
+            curAttr.addValue(i->second);
+        }
+        else
+        {
+            if ( curAl->getAttributeByName( i->first ) )
+            {
+                // Attribute exists already -> Syntax Error
+                std::ostringstream err;
+                err << "Line " << this->m_lineNumber 
+                    << ": Attribute \"" << i->first 
+                    << "\" specified multiple times.";
+                throw( std::runtime_error(err.str()) );
+            }
+            else
+            {
+                curAl->addAttribute( curAttr );
+                curAttr = LDAPAttribute( i->first, i->second );
+            }
+        }
+    }
+    curAl->addAttribute( curAttr );
+    resEntry.setAttributes( curAl );
+    return resEntry;
+}
+
+int LdifReader::getLdifLine(std::string &ldifline)
+{
+    DEBUG(LDAP_DEBUG_TRACE, "-> LdifReader::getLdifLine()" << std::endl);
+
+    this->m_lineNumber++;
+    if ( ! getline(m_ldifstream, ldifline) )
+    {
+        return -1;
+    }
+    while ( m_ldifstream &&
+        (m_ldifstream.peek() == ' ' || m_ldifstream.peek() == '\t'))
+    {
+        std::string cat;
+        m_ldifstream.ignore();
+        getline(m_ldifstream, cat);
+        ldifline += cat;
+        this->m_lineNumber++;
+    }
+
+    DEBUG(LDAP_DEBUG_TRACE, "<- LdifReader::getLdifLine()" << std::endl);
+    return 0;
+}
+
+void LdifReader::splitLine(
+            const std::string& line, 
+            std::string &type,
+            std::string &value) const
+{
+    std::string::size_type pos = line.find(':');
+    if ( pos == std::string::npos )
+    {
+        DEBUG(LDAP_DEBUG_ANY, "Invalid LDIF line. No `:` separator" 
+                << std::endl );
+        std::ostringstream err;
+        err << "Line " << this->m_lineNumber << ": Invalid LDIF line. No `:` separator";
+        throw( std::runtime_error( err.str() ));
+    }
+
+    type = line.substr(0, pos);
+    if ( pos == line.size() )
+    {
+        // empty value
+        value = "";
+        return;
+    }
+
+    pos++;
+    char delim = line[pos];
+    if ( delim == ':' || delim == '<' )
+    {
+        pos++;
+    }
+
+    for( ; pos < line.size() && isspace(line[pos]); pos++ )
+    { /* empty */ }
+
+    value = line.substr(pos);
+
+    if ( delim == ':' )
+    {
+        // Base64 encoded value
+        DEBUG(LDAP_DEBUG_TRACE, "  base64 encoded value" << std::endl );
+        char outbuf[value.size()];
+        int rc = sasl_decode64(value.c_str(), value.size(), 
+                outbuf, value.size(), NULL);
+        if( rc == SASL_OK )
+        {
+            value = std::string(outbuf);
+        }
+        else if ( rc == SASL_BADPROT )
+        {
+            value = "";
+            DEBUG( LDAP_DEBUG_TRACE, " invalid base64 content" << std::endl );
+            std::ostringstream err;
+            err << "Line " << this->m_lineNumber << ": Can't decode Base64 data";
+            throw( std::runtime_error( err.str() ));
+        }
+        else if ( rc == SASL_BUFOVER )
+        {
+            value = "";
+            DEBUG( LDAP_DEBUG_TRACE, " not enough space in output buffer" 
+                    << std::endl );
+            std::ostringstream err;
+            err << "Line " << this->m_lineNumber 
+                << ": Can't decode Base64 data. Buffer too small";
+            throw( std::runtime_error( err.str() ));
+        }
+    }
+    else if ( delim == '<' )
+    {
+        // URL value
+        DEBUG(LDAP_DEBUG_TRACE, "  url value" << std::endl );
+        std::ostringstream err;
+        err << "Line " << this->m_lineNumber 
+            << ": URLs are currently not supported";
+        throw( std::runtime_error( err.str() ));
+    }
+    else 
+    {
+        // "normal" value
+        DEBUG(LDAP_DEBUG_TRACE, "  string value" << std::endl );
+    }
+    DEBUG(LDAP_DEBUG_TRACE, "  Type: <" << type << ">" << std::endl );
+    DEBUG(LDAP_DEBUG_TRACE, "  Value: <" << value << ">" << std::endl );
+    return;
+}
+
+std::string LdifReader::readIncludeLine( const std::string& line ) const
+{
+    std::string::size_type pos = sizeof("file:") - 1;
+    std::string scheme = line.substr( 0, pos );
+    std::string file;
+
+    // only file:// URLs supported currently
+    if ( scheme != "file:" )
+    {
+        DEBUG( LDAP_DEBUG_TRACE, "unsupported scheme: " << scheme 
+                << std::endl);
+    }
+    else if ( line[pos] == '/' )
+    {
+        if ( line[pos+1] == '/' )
+        {
+            pos += 2;
+        }
+        file = line.substr(pos, std::string::npos);
+        DEBUG( LDAP_DEBUG_TRACE, "target file: " << file << std::endl);
+    }
+    return file;
+}
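Review bot: In splitLine the Base64 branch decodes into `char outbuf[value.size()]`, a variable-length array (a compiler extension in C++) sized from the input line, passes NULL for the output length, and then builds the value with `std::string(outbuf)`; a very long line puts an arbitrarily large buffer on the stack, and a decoded value containing a NUL byte is cut off at that byte. Decoding into a heap buffer and using the length reported by sasl_decode64 avoids both; the sketch below needs `<vector>` added to the file's includes. Return codes other than the three handled leave `value` holding the still-encoded text, so a final `else` that throws would be safer. Separately, getEntryRecord dereferences `i->second` and, after `i++`, `i->first` without checking that `m_currentRecord` has at least two elements, and its `m_curRecType` check has an empty body.

```cpp
    if ( delim == ':' )
    {
        // … unchanged: DEBUG trace for the base64 case …
        std::vector<char> outbuf(value.size() + 1);
        unsigned int outlen = 0;
        int rc = sasl_decode64(value.c_str(), value.size(),
                &outbuf[0], outbuf.size(), &outlen);
        if( rc == SASL_OK )
        {
            // keep the full decoded length so embedded NUL bytes survive
            value.assign(&outbuf[0], outlen);
        }
        // … unchanged: SASL_BADPROT and SASL_BUFOVER branches …
```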

Copied: openldap/trunk/contrib/ldapc++/src/LdifReader.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifReader.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifReader.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifReader.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDIF_READER_H
+#define LDIF_READER_H
+
+#include <LDAPEntry.h>
+#include <iosfwd>
+#include <list>
+
+typedef std::list< std::pair<std::string, std::string> > LdifRecord;
+class LdifReader
+{
+    public:
+        LdifReader( std::istream &input );
+
+        inline bool isEntryRecords() const
+        {
+            return !m_ldifTypeRequest;
+        }
+
+        inline bool isChangeRecords() const
+        {
+            return m_ldifTypeRequest;
+        }
+
+        inline int getVersion() const
+        {
+            return m_version;
+        }
+
+        LDAPEntry getEntryRecord();
+        int readNextRecord( bool first=false );
+        //LDAPRequest getChangeRecord();
+
+    private:
+        int getLdifLine(std::string &line);
+
+        void splitLine(const std::string& line, 
+                    std::string &type,
+                    std::string &value ) const;
+
+        std::string readIncludeLine( const std::string &line) const;
+
+        std::istream &m_ldifstream;
+        LdifRecord m_currentRecord;
+        int m_version;
+        int m_curRecType;
+        int m_lineNumber;
+        bool m_ldifTypeRequest;
+        bool m_currentIsFirst;
+};
+
+#endif /* LDIF_READER_H */
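Review bot: `m_ldifTypeRequest` is returned by isEntryRecords() and isChangeRecords(), but the constructor in LdifReader.cpp does not initialise it and readNextRecord assigns it only when the first record reaches a second line, so for an empty stream or a one-line first record these accessors read an indeterminate bool. Adding `m_ldifTypeRequest(false)` to the constructor's initialiser list would give it a defined value. The public methods also have no doc comments; readNextRecord in particular deserves one saying that it returns the LDAPMsg type of the record it read and that the value stays 0 when the record had fewer than two lines.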

Copied: openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifWriter.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifWriter.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,116 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifWriter.cpp,v 1.2.2.1 2008/04/14 22:58:58 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "LdifWriter.h"
+#include "StringList.h"
+#include "LDAPAttribute.h"
+#include "debug.h"
+#include <sstream>
+#include <stdexcept>
+
+LdifWriter::LdifWriter( std::ostream& output, int version ) :
+        m_ldifstream(output), m_version(version), m_addSeparator(false)
+{
+    if ( version )
+    {
+        if ( version == 1 )
+        {
+            m_ldifstream << "version: " << version << std::endl;
+            m_addSeparator = true;
+        } else {
+            std::ostringstream err;
+            err << "Unsuported LDIF Version";
+            throw( std::runtime_error(err.str()) );
+        }
+    }
+    
+}
+
+void LdifWriter::writeRecord(const LDAPEntry& le)
+{
+    std::ostringstream line;
+
+    if ( m_addSeparator )
+    {
+        m_ldifstream << std::endl;
+    } else {
+        m_addSeparator = true;
+    }
+
+    line << "dn: " << le.getDN();
+    this->breakline( line.str(), m_ldifstream );
+
+    const LDAPAttributeList *al = le.getAttributes();
+    LDAPAttributeList::const_iterator i = al->begin();
+    for ( ; i != al->end(); i++ )
+    {
+        StringList values = i->getValues();
+        StringList::const_iterator j = values.begin();
+        for( ; j != values.end(); j++)
+        {
+            // clear output stream
+            line.str("");
+            line << i->getName() << ": " << *j;
+            this->breakline( line.str(), m_ldifstream );
+        }
+    }
+}
+
+void LdifWriter::writeIncludeRecord( const std::string& target )
+{
+    DEBUG(LDAP_DEBUG_TRACE, "writeIncludeRecord: " << target << std::endl);
+    std::string scheme = target.substr( 0, sizeof("file:")-1 );
+    
+    if ( m_version == 1 )
+    {
+        std::ostringstream err;
+        err << "\"include\" not allowed in LDIF version 1.";
+        throw( std::runtime_error(err.str()) );
+    }
+    
+    if ( m_addSeparator )
+    {
+        m_ldifstream << std::endl;
+    } else {
+        m_addSeparator = true;
+    }
+
+    m_ldifstream << "include: ";
+    if ( scheme != "file:" )
+    {
+        m_ldifstream << "file://";
+    }
+
+    m_ldifstream << target << std::endl;
+}
+
+void LdifWriter::breakline( const std::string &line, std::ostream &out )
+{
+    std::string::size_type pos = 0;
+    std::string::size_type linelength = 76;
+    bool first = true;
+    
+    if ( line.length() >= linelength )
+    {
+        while ( pos < line.length() )
+        {
+            if (! first )
+            {
+                out << " ";
+            }
+            out << line.substr(pos, linelength) << std::endl;
+            pos += linelength;
+            if ( first )
+            {
+                first = false;
+                linelength--; //account for the leading space
+            }
+        }
+    } else {
+        out << line << std::endl;
+    }
+}
+
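Review bot: In writeRecord the DN and every attribute value are written verbatim (`line << i->getName() << ": " << *j;`), so a value that contains a line break, starts with a space, `:` or `<`, or holds non-ASCII or binary bytes yields LDIF that a reader parses differently from what was stored. An embedded newline in directory data can surface as extra attribute lines or a new record in the exported file. RFC 2849 requires such values to be written in the base64 `attr:: ` form. The sketch below adds the safe-string test and the branch, assuming the values are `std::string`; `encodeBase64` is a placeholder for whichever base64 encoder the library has available, and the `dn:` line needs the same treatment.

```cpp
// RFC 2849 SAFE-STRING test, plus the "no trailing space" recommendation.
static bool isSafeLdifValue( const std::string &v )
{
    if ( v.empty() ) return true;
    if ( v[0] == ' ' || v[0] == ':' || v[0] == '<' ) return false;
    if ( v[v.size() - 1] == ' ' ) return false;
    for ( std::string::size_type k = 0; k < v.size(); k++ )
    {
        unsigned char c = static_cast<unsigned char>( v[k] );
        if ( c == 0 || c == '\n' || c == '\r' || c > 127 ) return false;
    }
    return true;
}

// … unchanged: separator handling and attribute iteration in writeRecord …
            line.str("");
            if ( isSafeLdifValue( *j ) )
            {
                line << i->getName() << ": " << *j;
            } else {
                // encodeBase64() is a placeholder, not an existing helper
                line << i->getName() << ":: " << encodeBase64( *j );
            }
            this->breakline( line.str(), m_ldifstream );
```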

Copied: openldap/trunk/contrib/ldapc++/src/LdifWriter.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/LdifWriter.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LdifWriter.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/LdifWriter.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,31 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifWriter.h,v 1.2.2.1 2008/04/14 22:58:58 quanah Exp $
+/*
+ * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef LDIF_WRITER_H
+#define LDIF_WRITER_H
+
+#include <LDAPEntry.h>
+#include <iosfwd>
+#include <list>
+
+class LdifWriter
+{
+    public:
+        LdifWriter( std::ostream& output, int version = 0 );
+        void writeRecord(const LDAPEntry& le);
+        void writeIncludeRecord(const std::string& target);
+
+    private:
+        void breakline( const std::string &line, std::ostream &out );
+
+        std::ostream& m_ldifstream;
+        int m_version;
+        bool m_addSeparator;
+
+};
+
+#endif /* LDIF_WRITER_H */
+
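Review bot: The header gives no hint that the constructor and writeIncludeRecord both throw. Per LdifWriter.cpp the constructor throws `std::runtime_error` for any `version` other than 0 or 1, and writeIncludeRecord throws when the writer was created with version 1. A short comment on each declaration, e.g. `// version: 0 = no version line, 1 = LDIF v1; any other value throws std::runtime_error`, would spare callers from reading the implementation. Since `m_ldifstream` is a reference member, the comment should also say that the output stream must outlive the writer.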

Modified: openldap/trunk/contrib/ldapc++/src/Makefile.am
===================================================================
--- openldap/trunk/contrib/ldapc++/src/Makefile.am	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/Makefile.am	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,6 @@
-##
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/src/Makefile.am,v 1.10.2.5 2008/04/14 23:02:35 quanah Exp $
+
+###
 # Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 ##
@@ -6,73 +8,81 @@
 lib_LTLIBRARIES = libldapcpp.la
 
 libldapcpp_la_SOURCES = LDAPAddRequest.cpp \
-                        LDAPAsynConnection.cpp \
-                        LDAPAttribute.cpp \
-                        LDAPAttributeList.cpp \
-                        LDAPAttrType.cpp \
-                        LDAPBindRequest.cpp \
-                        LDAPCompareRequest.cpp \
-                        LDAPConnection.cpp \
-                        LDAPConstraints.cpp \
-                        LDAPControl.cpp \
-                        LDAPControlSet.cpp \
-                        LDAPDeleteRequest.cpp \
-                        LDAPEntry.cpp \
-                        LDAPEntryList.cpp \
-                        LDAPException.cpp \
-                        LDAPExtRequest.cpp \
-                        LDAPExtResult.cpp \
-                        LDAPMessage.cpp \
-                        LDAPMessageQueue.cpp \
-                        LDAPModDNRequest.cpp \
-                        LDAPModification.cpp \
-                        LDAPModifyRequest.cpp \
-                        LDAPModList.cpp \
-                        LDAPObjClass.cpp \
-                        LDAPRebind.cpp \
-                        LDAPRebindAuth.cpp \
-                        LDAPReferralException.cpp \
-                        LDAPReferenceList.cpp \
-                        LDAPRequest.cpp \
-                        LDAPResult.cpp \
-                        LDAPSchema.cpp \
-                        LDAPSearchReference.cpp \
-                        LDAPSearchRequest.cpp \
-                        LDAPSearchResult.cpp \
-                        LDAPSearchResults.cpp \
-                        LDAPUrl.cpp \
-                        LDAPUrlList.cpp \
-                        StringList.cpp 
+			LDAPAsynConnection.cpp \
+			LDAPAttribute.cpp \
+			LDAPAttributeList.cpp \
+			LDAPAttrType.cpp \
+			LDAPBindRequest.cpp \
+			LDAPCompareRequest.cpp \
+			LDAPConnection.cpp \
+			LDAPConstraints.cpp \
+			LDAPControl.cpp \
+			LDAPControlSet.cpp \
+			LDAPDeleteRequest.cpp \
+			LDAPEntry.cpp \
+			LDAPEntryList.cpp \
+			LDAPException.cpp \
+			LDAPExtRequest.cpp \
+			LDAPExtResult.cpp \
+			LDAPMessage.cpp \
+			LDAPMessageQueue.cpp \
+			LDAPModDNRequest.cpp \
+			LDAPModification.cpp \
+			LDAPModifyRequest.cpp \
+			LDAPModList.cpp \
+			LDAPObjClass.cpp \
+			LDAPRebind.cpp \
+			LDAPRebindAuth.cpp \
+			LDAPReferenceList.cpp \
+			LDAPRequest.cpp \
+			LDAPResult.cpp \
+			LDAPSaslBindResult.cpp \
+			LDAPSchema.cpp \
+			LDAPSearchReference.cpp \
+			LDAPSearchRequest.cpp \
+			LDAPSearchResult.cpp \
+			LDAPSearchResults.cpp \
+			LDAPUrl.cpp \
+			LDAPUrlList.cpp \
+			LdifReader.cpp \
+			LdifWriter.cpp \
+			SaslInteraction.cpp \
+			SaslInteractionHandler.cpp \
+			StringList.cpp 
 
 include_HEADERS = LDAPAsynConnection.h \
-                        LDAPAttribute.h \
-                        LDAPAttributeList.h \
-                        LDAPAttrType.h \
-                        LDAPConnection.h \
-                        LDAPConstraints.h \
-                        LDAPControl.h \
-                        LDAPControlSet.h \
-                        LDAPEntry.h \
-                        LDAPEntryList.h \
-                        LDAPException.h \
-                        LDAPExtResult.h \
-                        LDAPMessage.h \
-                        LDAPMessageQueue.h \
-                        LDAPModification.h \
-                        LDAPModList.h \
-                        LDAPObjClass.h \
-                        LDAPRebind.h \
-                        LDAPRebindAuth.h \
-                        LDAPReferralException.h \
-                        LDAPReferenceList.h \
-                        LDAPResult.h \
-                        LDAPSchema.h \
-                        LDAPSearchReference.h \
-                        LDAPSearchResult.h \
-                        LDAPSearchResults.h \
-                        LDAPUrl.h \
-                        LDAPUrlList.h \
-                        StringList.h 
+			LDAPAttribute.h \
+			LDAPAttributeList.h \
+			LDAPAttrType.h \
+			LDAPConnection.h \
+			LDAPConstraints.h \
+			LDAPControl.h \
+			LDAPControlSet.h \
+			LDAPEntry.h \
+			LDAPEntryList.h \
+			LDAPException.h \
+			LDAPExtResult.h \
+			LDAPMessage.h \
+			LDAPMessageQueue.h \
+			LDAPModification.h \
+			LDAPModList.h \
+			LDAPObjClass.h \
+			LDAPRebind.h \
+			LDAPRebindAuth.h \
+			LDAPReferenceList.h \
+			LDAPResult.h \
+			LDAPSaslBindResult.h \
+			LDAPSchema.h \
+			LDAPSearchReference.h \
+			LDAPSearchResult.h \
+			LDAPSearchResults.h \
+			LDAPUrl.h \
+			LDAPUrlList.h \
+			LdifReader.h \
+			LdifWriter.h \
+			SaslInteraction.h \
+			SaslInteractionHandler.h \
+			StringList.h 
 
 noinst_HEADERS = LDAPAddRequest.h \
                 LDAPBindRequest.h \
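Review bot: `LDAPReferralException.h` is dropped from `include_HEADERS` (and `LDAPReferralException.cpp` from `libldapcpp_la_SOURCES`) in this hunk, which removes an installed public header from libldapcpp. If the class was folded into another header upstream, the library itself is fine, but anything built against the installed headers that includes `LDAPReferralException.h` will stop compiling, so this is worth confirming and recording in the packaging changelog. The generated Makefile.in carries the same change.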

Modified: openldap/trunk/contrib/ldapc++/src/Makefile.in
===================================================================
--- openldap/trunk/contrib/ldapc++/src/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -14,6 +14,9 @@
 
 @SET_MAKE@
 
+# $OpenLDAP: pkg/ldap/contrib/ldapc++/src/Makefile.in,v 1.9.2.7 2008/04/14 23:02:35 quanah Exp $
+
+###
 # Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 
@@ -66,10 +69,11 @@
 	LDAPMessage.lo LDAPMessageQueue.lo LDAPModDNRequest.lo \
 	LDAPModification.lo LDAPModifyRequest.lo LDAPModList.lo \
 	LDAPObjClass.lo LDAPRebind.lo LDAPRebindAuth.lo \
-	LDAPReferralException.lo LDAPReferenceList.lo LDAPRequest.lo \
-	LDAPResult.lo LDAPSchema.lo LDAPSearchReference.lo \
+	LDAPReferenceList.lo LDAPRequest.lo LDAPResult.lo \
+	LDAPSaslBindResult.lo LDAPSchema.lo LDAPSearchReference.lo \
 	LDAPSearchRequest.lo LDAPSearchResult.lo LDAPSearchResults.lo \
-	LDAPUrl.lo LDAPUrlList.lo StringList.lo
+	LDAPUrl.lo LDAPUrlList.lo LdifReader.lo LdifWriter.lo \
+	SaslInteraction.lo SaslInteractionHandler.lo StringList.lo
 libldapcpp_la_OBJECTS = $(am_libldapcpp_la_OBJECTS)
 libldapcpp_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CXXLD) $(AM_CXXFLAGS) \
@@ -201,73 +205,81 @@
 top_srcdir = @top_srcdir@
 lib_LTLIBRARIES = libldapcpp.la
 libldapcpp_la_SOURCES = LDAPAddRequest.cpp \
-                        LDAPAsynConnection.cpp \
-                        LDAPAttribute.cpp \
-                        LDAPAttributeList.cpp \
-                        LDAPAttrType.cpp \
-                        LDAPBindRequest.cpp \
-                        LDAPCompareRequest.cpp \
-                        LDAPConnection.cpp \
-                        LDAPConstraints.cpp \
-                        LDAPControl.cpp \
-                        LDAPControlSet.cpp \
-                        LDAPDeleteRequest.cpp \
-                        LDAPEntry.cpp \
-                        LDAPEntryList.cpp \
-                        LDAPException.cpp \
-                        LDAPExtRequest.cpp \
-                        LDAPExtResult.cpp \
-                        LDAPMessage.cpp \
-                        LDAPMessageQueue.cpp \
-                        LDAPModDNRequest.cpp \
-                        LDAPModification.cpp \
-                        LDAPModifyRequest.cpp \
-                        LDAPModList.cpp \
-                        LDAPObjClass.cpp \
-                        LDAPRebind.cpp \
-                        LDAPRebindAuth.cpp \
-                        LDAPReferralException.cpp \
-                        LDAPReferenceList.cpp \
-                        LDAPRequest.cpp \
-                        LDAPResult.cpp \
-                        LDAPSchema.cpp \
-                        LDAPSearchReference.cpp \
-                        LDAPSearchRequest.cpp \
-                        LDAPSearchResult.cpp \
-                        LDAPSearchResults.cpp \
-                        LDAPUrl.cpp \
-                        LDAPUrlList.cpp \
-                        StringList.cpp 
+			LDAPAsynConnection.cpp \
+			LDAPAttribute.cpp \
+			LDAPAttributeList.cpp \
+			LDAPAttrType.cpp \
+			LDAPBindRequest.cpp \
+			LDAPCompareRequest.cpp \
+			LDAPConnection.cpp \
+			LDAPConstraints.cpp \
+			LDAPControl.cpp \
+			LDAPControlSet.cpp \
+			LDAPDeleteRequest.cpp \
+			LDAPEntry.cpp \
+			LDAPEntryList.cpp \
+			LDAPException.cpp \
+			LDAPExtRequest.cpp \
+			LDAPExtResult.cpp \
+			LDAPMessage.cpp \
+			LDAPMessageQueue.cpp \
+			LDAPModDNRequest.cpp \
+			LDAPModification.cpp \
+			LDAPModifyRequest.cpp \
+			LDAPModList.cpp \
+			LDAPObjClass.cpp \
+			LDAPRebind.cpp \
+			LDAPRebindAuth.cpp \
+			LDAPReferenceList.cpp \
+			LDAPRequest.cpp \
+			LDAPResult.cpp \
+			LDAPSaslBindResult.cpp \
+			LDAPSchema.cpp \
+			LDAPSearchReference.cpp \
+			LDAPSearchRequest.cpp \
+			LDAPSearchResult.cpp \
+			LDAPSearchResults.cpp \
+			LDAPUrl.cpp \
+			LDAPUrlList.cpp \
+			LdifReader.cpp \
+			LdifWriter.cpp \
+			SaslInteraction.cpp \
+			SaslInteractionHandler.cpp \
+			StringList.cpp 
 
 include_HEADERS = LDAPAsynConnection.h \
-                        LDAPAttribute.h \
-                        LDAPAttributeList.h \
-                        LDAPAttrType.h \
-                        LDAPConnection.h \
-                        LDAPConstraints.h \
-                        LDAPControl.h \
-                        LDAPControlSet.h \
-                        LDAPEntry.h \
-                        LDAPEntryList.h \
-                        LDAPException.h \
-                        LDAPExtResult.h \
-                        LDAPMessage.h \
-                        LDAPMessageQueue.h \
-                        LDAPModification.h \
-                        LDAPModList.h \
-                        LDAPObjClass.h \
-                        LDAPRebind.h \
-                        LDAPRebindAuth.h \
-                        LDAPReferralException.h \
-                        LDAPReferenceList.h \
-                        LDAPResult.h \
-                        LDAPSchema.h \
-                        LDAPSearchReference.h \
-                        LDAPSearchResult.h \
-                        LDAPSearchResults.h \
-                        LDAPUrl.h \
-                        LDAPUrlList.h \
-                        StringList.h 
+			LDAPAttribute.h \
+			LDAPAttributeList.h \
+			LDAPAttrType.h \
+			LDAPConnection.h \
+			LDAPConstraints.h \
+			LDAPControl.h \
+			LDAPControlSet.h \
+			LDAPEntry.h \
+			LDAPEntryList.h \
+			LDAPException.h \
+			LDAPExtResult.h \
+			LDAPMessage.h \
+			LDAPMessageQueue.h \
+			LDAPModification.h \
+			LDAPModList.h \
+			LDAPObjClass.h \
+			LDAPRebind.h \
+			LDAPRebindAuth.h \
+			LDAPReferenceList.h \
+			LDAPResult.h \
+			LDAPSaslBindResult.h \
+			LDAPSchema.h \
+			LDAPSearchReference.h \
+			LDAPSearchResult.h \
+			LDAPSearchResults.h \
+			LDAPUrl.h \
+			LDAPUrlList.h \
+			LdifReader.h \
+			LdifWriter.h \
+			SaslInteraction.h \
+			SaslInteractionHandler.h \
+			StringList.h 
 
 noinst_HEADERS = LDAPAddRequest.h \
                 LDAPBindRequest.h \
@@ -395,9 +407,9 @@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRebind.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRebindAuth.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPReferenceList.Plo at am__quote@
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPReferralException.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPRequest.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPResult.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSaslBindResult.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSchema.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchReference.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchRequest.Plo at am__quote@
@@ -405,6 +417,10 @@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPSearchResults.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPUrl.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LDAPUrlList.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LdifReader.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/LdifWriter.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/SaslInteraction.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/SaslInteractionHandler.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/StringList.Plo at am__quote@
 
 .cpp.o:

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteraction.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteraction.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,44 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteraction.cpp,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <SaslInteraction.h>
+#include <iostream>
+#include "debug.h"
+
+SaslInteraction::SaslInteraction( sasl_interact_t *interact ) :
+        m_interact(interact) {}
+
+SaslInteraction::~SaslInteraction()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "SaslInteraction::~SaslInteraction()" << std::endl);
+}
+
+unsigned long SaslInteraction::getId() const
+{
+    return m_interact->id;
+}
+
+const std::string SaslInteraction::getPrompt() const
+{
+    return std::string(m_interact->prompt);
+}
+
+const std::string SaslInteraction::getChallenge() const
+{
+    return std::string(m_interact->challenge);
+}
+
+const std::string SaslInteraction::getDefaultResult() const
+{
+    return std::string(m_interact->defresult);
+}
+
+void SaslInteraction::setResult(const std::string &res)
+{
+    m_result = res;
+    m_interact->result = m_result.data();
+    m_interact->len = m_result.size();
+}
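Review bot: getPrompt, getChallenge and getDefaultResult build a `std::string` straight from `m_interact->prompt`, `->challenge` and `->defresult`, and constructing a std::string from a null `const char *` is undefined behaviour. An interaction that carries no challenge or no default would crash here, and DefaultSaslInteractionHandler calls getDefaultResult() for every prompt. Each getter should guard the pointer, e.g. `return std::string(m_interact->defresult ? m_interact->defresult : "");`. setResult also leaves `m_interact->result` pointing into `m_result`, so the object has to stay alive until the SASL library has consumed the answer; a comment saying so would help, since the answer may be a password.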

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteraction.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteraction.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteraction.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteraction.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,29 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteraction.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef SASL_INTERACTION_H
+#define SASL_INTERACTION_H
+
+#include <string>
+#include <sasl/sasl.h>
+
+class SaslInteraction {
+    public:
+        SaslInteraction( sasl_interact_t *interact );
+        ~SaslInteraction();
+        unsigned long getId() const;
+        const std::string getPrompt() const;
+        const std::string getChallenge() const;
+        const std::string getDefaultResult() const;
+
+        void setResult(const std::string &res);
+
+    private:
+        sasl_interact_t *m_interact;
+        std::string m_result;
+
+};
+#endif /* SASL_INTERACTION_H */
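Review bot: SaslInteraction is implicitly copyable, yet after setResult the wrapped `sasl_interact_t` points into this particular object's `m_result` (see SaslInteraction.cpp). A copy followed by destruction of the original therefore leaves `m_interact->result` dangling. Declaring the copy constructor and assignment operator private and unimplemented, `SaslInteraction(const SaslInteraction&);` and `SaslInteraction& operator=(const SaslInteraction&);`, rules that out. The single-argument constructor would also be safer as `explicit`.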

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteractionHandler.cpp)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,99 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteractionHandler.cpp,v 1.3.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include <iostream>
+#include <iomanip>
+#include <limits>
+#include "config.h"
+
+#ifdef HAVE_TERMIOS_H
+#include <termios.h>
+#endif
+
+#include <string.h>
+#include "SaslInteractionHandler.h"
+#include "SaslInteraction.h"
+#include "debug.h"
+
+void DefaultSaslInteractionHandler::handleInteractions( 
+        const std::list<SaslInteraction*> &cb ) 
+{
+    DEBUG(LDAP_DEBUG_TRACE, "DefaultSaslInteractionHandler::handleCallbacks()" 
+            << std::endl );
+    std::list<SaslInteraction*>::const_iterator i;
+
+    for (i = cb.begin(); i != cb.end(); i++ ) {
+        bool noecho;
+
+        cleanupList.push_back(*i);
+
+        std::cout << (*i)->getPrompt();
+        if (! (*i)->getDefaultResult().empty() ) {
+            std::cout << "(" << (*i)->getDefaultResult() << ")" ;
+        }
+        std:: cout << ": ";
+
+        switch ( (*i)->getId() ) {
+            case SASL_CB_PASS:
+            case SASL_CB_ECHOPROMPT:
+                noecho = true;
+                noecho = true;
+            break;
+            default:
+                noecho = false;
+            break;
+        }
+#ifdef HAVE_TERMIOS_H
+        /* turn off terminal echo if needed */
+        struct termios old_attr;
+        if ( noecho ) {
+            struct termios attr;
+            if (tcgetattr(STDIN_FILENO, &attr) < 0) {
+                perror("tcgetattr");
+            }
+
+            /* save terminal attributes */
+            memcpy(&old_attr, &attr, sizeof(attr));
+
+            /* disable echo */
+            attr.c_lflag &= ~(ECHO);
+
+            /* write attributes to terminal */
+            if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &attr) < 0) {
+                perror("tcsetattr");
+            }
+        }
+#endif /* HAVE_TERMIOS_H */
+        std::string input;
+        std::cin >> std::noskipws >> input;
+        std::cin >> std::skipws;
+        (*i)->setResult(input);
+        if( std::cin.fail() ) {
+            std::cin.clear();
+        }
+        /* ignore the rest of the input line */
+        std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
+
+#ifdef HAVE_TERMIOS_H
+        /* restore terminal settings */
+        if ( noecho ) {
+            tcsetattr(STDIN_FILENO, TCSANOW, &old_attr);
+            std::cout << std::endl;
+        }
+#endif /* HAVE_TERMIOS_H */
+    }
+}
+
+DefaultSaslInteractionHandler::~DefaultSaslInteractionHandler()
+{
+    DEBUG(LDAP_DEBUG_TRACE, "DefaultSaslInteractionHandler::~DefaultSaslInteractionHandler()"
+            << std::endl );
+
+    std::list<SaslInteraction*>::const_iterator i;
+    for (i = cleanupList.begin(); i != cleanupList.end(); i++ ) {
+        delete(*i);
+    }
+}
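Review bot: The switch in handleInteractions turns echo off for `SASL_CB_ECHOPROMPT` and leaves it on for `SASL_CB_NOECHOPROMPT`, which looks inverted. A response the mechanism asked to keep hidden is shown on the terminal as it is typed, and the duplicated `noecho = true;` suggests a copy-paste slip. In the termios block a failed `tcgetattr` is only reported, after which the uninitialised `attr` is copied into `old_attr` and written back with `tcsetattr`; the terminal should be changed, and later restored, only when its attributes were read successfully. `setResult(input)` also runs before the `std::cin.fail()` check, so pressing Enter stores an empty answer rather than the default shown in the prompt. The fence covers the first two points.

```cpp
        switch ( (*i)->getId() ) {
            case SASL_CB_PASS:
            case SASL_CB_NOECHOPROMPT:
                noecho = true;
            break;
            default:
                noecho = false;
            break;
        }
#ifdef HAVE_TERMIOS_H
        /* turn off terminal echo if needed */
        struct termios old_attr;
        bool echoDisabled = false;
        if ( noecho ) {
            if (tcgetattr(STDIN_FILENO, &old_attr) < 0) {
                perror("tcgetattr");
            } else {
                struct termios attr = old_attr;
                attr.c_lflag &= ~(ECHO);
                if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &attr) < 0) {
                    perror("tcsetattr");
                } else {
                    echoDisabled = true;
                }
            }
        }
#endif /* HAVE_TERMIOS_H */
        // … unchanged: reading the reply from std::cin and setResult() …
#ifdef HAVE_TERMIOS_H
        /* restore terminal settings only if they were changed */
        if ( echoDisabled ) {
            tcsetattr(STDIN_FILENO, TCSANOW, &old_attr);
            std::cout << std::endl;
        }
#endif /* HAVE_TERMIOS_H */
```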

Copied: openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/ldapc++/src/SaslInteractionHandler.h)
===================================================================
--- openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h	                        (rev 0)
+++ openldap/trunk/contrib/ldapc++/src/SaslInteractionHandler.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,27 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/SaslInteractionHandler.h,v 1.1.2.2 2008/04/14 23:09:26 quanah Exp $
+/*
+ * Copyright 2007, OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#ifndef SASL_INTERACTION_HANDLER_H
+#define SASL_INTERACTION_HANDLER_H
+#include <list>
+
+class SaslInteraction;
+
+class SaslInteractionHandler {
+    public:
+        virtual void handleInteractions( const std::list<SaslInteraction*> &cb )=0;
+        virtual ~SaslInteractionHandler() {}
+};
+
+class DefaultSaslInteractionHandler {
+    public:
+        virtual void handleInteractions( const std::list<SaslInteraction*> &cb );
+        virtual ~DefaultSaslInteractionHandler();
+
+    private:
+        std::list<SaslInteraction*> cleanupList;
+};
+#endif /* SASL_INTERACTION_HANDLER_H */
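Review bot: `DefaultSaslInteractionHandler` is declared as a free-standing class rather than as a subclass of `SaslInteractionHandler`, so it cannot be passed wherever the library takes a `SaslInteractionHandler*`, which is presumably its purpose. The declaration should read `class DefaultSaslInteractionHandler : public SaslInteractionHandler {`. Per SaslInteractionHandler.cpp the class also `delete`s every pointer it has been handed (`cleanupList`) in its destructor. That ownership transfer deserves a comment on handleInteractions, and the class should not be copyable, otherwise two copies delete the same objects.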

Modified: openldap/trunk/contrib/ldapc++/src/StringList.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/StringList.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/StringList.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,6 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/StringList.cpp,v 1.6.6.2 2008/04/14 23:09:26 quanah Exp $
 /*
- * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 2000-2007, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 

Modified: openldap/trunk/contrib/ldapc++/src/StringList.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/StringList.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/StringList.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/StringList.h,v 1.7.6.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/ldapc++/src/ac/time.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/ac/time.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/ac/time.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 /* Generic time.h */
-/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.3 2007/10/02 02:24:57 ralf Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation, Redwood City, California, USA
+ * Copyright 1998-2008 The OpenLDAP Foundation, Redwood City, California, USA
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only

Modified: openldap/trunk/contrib/ldapc++/src/config.h.in
===================================================================
--- openldap/trunk/contrib/ldapc++/src/config.h.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/config.h.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -6,6 +6,9 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* Define to 1 if you have the <ldap.h> header file. */
+#undef HAVE_LDAP_H
+
 /* Define to 1 if you have the `resolv' library (-lresolv). */
 #undef HAVE_LIBRESOLV
 
@@ -30,6 +33,9 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the <termios.h> header file. */
+#undef HAVE_TERMIOS_H
+
 /* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
 

Modified: openldap/trunk/contrib/ldapc++/src/debug.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/debug.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/ldapc++/src/debug.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/debug.h,v 1.5.10.1 2008/04/14 23:09:26 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file

Modified: openldap/trunk/contrib/slapd-modules/acl/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/acl/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2005-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2005-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.3 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/allop/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/allop/allop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/allop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/allop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* allop.c - returns all operational attributes when appropriate */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-ALLOP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $
 .SH NAME
 slapo-allop \- All Operational Attributes overlay
 .SH SYNOPSIS

Copied: openldap/trunk/contrib/slapd-modules/autogroup (from rev 1127, openldap/vendor/openldap-2.4.9/contrib/slapd-modules/autogroup)

Modified: openldap/trunk/contrib/slapd-modules/comp_match/Makefile
===================================================================
--- openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.2 2007/08/31 23:13:51 quanah Exp $
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.3 2008/02/11 23:26:38 kurt Exp $
 # This work is part of OpenLDAP Software <http://www.openldap.org/>.
 #
-# Copyright 2003-2007 The OpenLDAP Foundation.
+# Copyright 2003-2008 The OpenLDAP Foundation.
 # Portions Copyright 2004 by IBM Corporation.
 # All rights reserved.
 

Modified: openldap/trunk/contrib/slapd-modules/denyop/denyop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* denyop.c - Denies operations */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* lastmod.c - returns last modification info */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.2 2007/08/31 23:13:51 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .TH SLAPO_LASTMOD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .SH NAME

Modified: openldap/trunk/contrib/slapd-modules/passwd/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/netscape.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/radius.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/radius.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/passwd/radius.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.3 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.4 2008/02/11 23:26:38 kurt Exp $ */
 /*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.5 2007/10/09 00:18:47 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.10 2008/04/14 21:58:37 quanah Exp $ */
 /*
  * Copyright 2004-2005 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -91,8 +91,8 @@
 #ifdef DO_SAMBA
 	/* How many seconds before forcing a password change? */
 	time_t	smb_must_change;
-        /* How many seconds after allowing a password change? */
-        time_t  smb_can_change;
+	/* How many seconds after allowing a password change? */
+	time_t  smb_can_change;
 #endif
 } smbk5pwd_t;
 
@@ -215,7 +215,7 @@
 
 	/* clear out the current key */
 	ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup,
-		NULL, NULL );
+		NULL, 0, NULL, NULL );
 
 	/* free the callback */
 	cb = op->o_callback;
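Review bot: The bare `0` added as the fourth argument here, and again in the bind hunk that follows, gives no hint of what it stands for. Assuming the new parameter is the key-free callback of the 2.4 thread-pool API (the prototype is not in the hunk), `NULL` would read better than `0`, and a short comment would record why no destructor is registered, e.g. `/* no kfree: the Operation is owned by the caller, not by the thread key */`. The enclosing function starts and ends outside the hunk.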
@@ -234,8 +234,8 @@
 	 */
 	if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE ) {
 		slap_callback *cb;
-		ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op,
-			NULL );
+		ldap_pvt_thread_pool_setkey( op->o_threadctx,
+			smbk5pwd_op_cleanup, op, 0, NULL, NULL );
 		cb = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
 		cb->sc_cleanup = smbk5pwd_op_cleanup;
 		cb->sc_next = op->o_callback;
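Review bot: The result of the widened `ldap_pvt_thread_pool_setkey()` call is still discarded before the cleanup callback is installed. If the call can fail (for instance when the per-thread key table is full; the implementation is not visible here), the only symptom would be a later password check returning an error with no diagnostic. Checking the result would make that visible, e.g. `if ( ldap_pvt_thread_pool_setkey( op->o_threadctx, smbk5pwd_op_cleanup, op, 0, NULL, NULL ) ) return SLAP_CB_CONTINUE;`, assuming that is how this handler normally returns, preceded by a debug log line. The function body continues outside the hunk.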
@@ -268,7 +268,7 @@
 	const struct berval *cred,
 	const char **text )
 {
-	void *ctx;
+	void *ctx, *op_tmp;
 	Operation *op;
 	int rc;
 	Entry *e;
@@ -281,9 +281,10 @@
 	/* Find our thread context, find our Operation */
 	ctx = ldap_pvt_thread_pool_context();
 
-	if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, (void **)&op, NULL ) ||
-		!op )
+	if ( ldap_pvt_thread_pool_getkey( ctx, smbk5pwd_op_cleanup, &op_tmp, NULL )
+		 || !op_tmp )
 		return LUTIL_PASSWD_ERR;
+	op = op_tmp;
 
 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
 	if ( rc != LDAP_SUCCESS ) return LUTIL_PASSWD_ERR;
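Review bot: `op_tmp` is read in `|| !op_tmp` without ever being initialised, so the test is safe only because the `||` short-circuits when `ldap_pvt_thread_pool_getkey()` fails. Initialising it where it is declared in the previous hunk, `void *ctx, *op_tmp = NULL;`, removes that dependency on evaluation order and on the callee always writing the out-parameter on success. A one-line comment such as `/* fetch via a void * temp: &op must not be cast to void ** */` would also keep the temporary from being "simplified" back to the cast. The function starts before and continues past this hunk.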
@@ -532,9 +533,9 @@
 		qpw->rs_mods = ml;
 
 		keys = ch_malloc( 2 * sizeof(struct berval) );
-		keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+		keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
 		keys[0].bv_len = snprintf(keys[0].bv_val,
-			STRLENOF( "9223372036854775807L" ) + 1,
+			LDAP_PVT_INTTYPE_CHARS(long),
 			"%ld", slap_get_time());
 		BER_BVZERO( &keys[1] );
 		
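Review bot: The buffer is now sized for a `long` with `LDAP_PVT_INTTYPE_CHARS(long)`, but the value formatted with `"%ld"` is `slap_get_time()`, presumably a `time_t`, passed without a cast. In the `smb_must_change` and `smb_can_change` hunks below, the `time_t` fields of `smbk5pwd_t` are added to it in the same way. Where `time_t` is not `long` the argument does not match the format, and `bv_len` takes whatever `snprintf` returns, so the recorded length could disagree with the allocated buffer. Casting makes the size, format and argument agree: `"%ld", (long) slap_get_time());`, and likewise `(long)(slap_get_time() + pi->smb_must_change)` and `(long)(slap_get_time() + pi->smb_can_change)`. The enclosing function lies outside these hunks.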
@@ -554,9 +555,9 @@
 			qpw->rs_mods = ml;
 
 			keys = ch_malloc( 2 * sizeof(struct berval) );
-			keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
+			keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
 			keys[0].bv_len = snprintf(keys[0].bv_val,
-					STRLENOF( "9223372036854775807L" ) + 1,
+					LDAP_PVT_INTTYPE_CHARS(long),
 					"%ld", slap_get_time() + pi->smb_must_change);
 			BER_BVZERO( &keys[1] );
 
@@ -570,28 +571,28 @@
 			ml->sml_nvalues = NULL;
 		}
 
-                if (pi->smb_can_change)
-                {
-                        ml = ch_malloc(sizeof(Modifications));
-                        ml->sml_next = qpw->rs_mods;
-                        qpw->rs_mods = ml;
+		if (pi->smb_can_change)
+		{
+			ml = ch_malloc(sizeof(Modifications));
+			ml->sml_next = qpw->rs_mods;
+			qpw->rs_mods = ml;
 
-                        keys = ch_malloc( 2 * sizeof(struct berval) );
-                        keys[0].bv_val = ch_malloc( STRLENOF( "9223372036854775807L" ) + 1 );
-                        keys[0].bv_len = snprintf(keys[0].bv_val,
-                                        STRLENOF( "9223372036854775807L" ) + 1,
-                                        "%ld", slap_get_time() + pi->smb_can_change);
-                        BER_BVZERO( &keys[1] );
+			keys = ch_malloc( 2 * sizeof(struct berval) );
+			keys[0].bv_val = ch_malloc( LDAP_PVT_INTTYPE_CHARS(long) );
+			keys[0].bv_len = snprintf(keys[0].bv_val,
+					LDAP_PVT_INTTYPE_CHARS(long),
+					"%ld", slap_get_time() + pi->smb_can_change);
+			BER_BVZERO( &keys[1] );
 
-                        ml->sml_desc = ad_sambaPwdCanChange;
-                        ml->sml_op = LDAP_MOD_REPLACE;
+			ml->sml_desc = ad_sambaPwdCanChange;
+			ml->sml_op = LDAP_MOD_REPLACE;
 #ifdef SLAP_MOD_INTERNAL
-                        ml->sml_flags = SLAP_MOD_INTERNAL;
+			ml->sml_flags = SLAP_MOD_INTERNAL;
 #endif
-						ml->sml_numvals = 1;
-                        ml->sml_values = keys;
-                        ml->sml_nvalues = NULL;
-                }
+			ml->sml_numvals = 1;
+			ml->sml_values = keys;
+			ml->sml_nvalues = NULL;
+		}
 	}
 #endif /* DO_SAMBA */
 	be_entry_release_r( op, e );
@@ -625,11 +626,11 @@
 		"( OLcfgCtAt:1.2 NAME 'olcSmbK5PwdMustChange' "
 		"DESC 'Credentials validity interval' "
 		"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
-        { "smbk5pwd-can-change", "time",
-                2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
-                "( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
-                "DESC 'Credentials minimum validity interval' "
-                "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+	{ "smbk5pwd-can-change", "time",
+		2, 2, 0, ARG_MAGIC|ARG_INT|PC_SMB_CAN_CHANGE, smbk5pwd_cf_func,
+		"( OLcfgCtAt:1.3 NAME 'olcSmbK5PwdCanChange' "
+		"DESC 'Credentials minimum validity interval' "
+		"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
@@ -676,13 +677,13 @@
 #endif /* ! DO_SAMBA */
 			break;
 
-                case PC_SMB_CAN_CHANGE:
+		case PC_SMB_CAN_CHANGE:
 #ifdef DO_SAMBA
-                        c->value_int = pi->smb_can_change;
+			c->value_int = pi->smb_can_change;
 #else /* ! DO_SAMBA */
-                        c->value_int = 0;
+			c->value_int = 0;
 #endif /* ! DO_SAMBA */
-                        break;
+			break;
 
 		case PC_SMB_ENABLE:
 			c->rvalue_vals = NULL;
@@ -843,7 +844,7 @@
 		{ "sambaNTPassword",		&ad_sambaNTPassword },
 		{ "sambaPwdLastSet",		&ad_sambaPwdLastSet },
 		{ "sambaPwdMustChange",		&ad_sambaPwdMustChange },
-                { "sambaPwdCanChange",          &ad_sambaPwdCanChange },
+		{ "sambaPwdCanChange",		&ad_sambaPwdCanChange },
 		{ NULL }
 	},
 #endif /* DO_SAMBA */

Modified: openldap/trunk/contrib/slapd-modules/trace/trace.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/trace/trace.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-modules/trace/trace.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* trace.c - traces overlay invocation */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.2 2007/08/31 23:13:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2007 The OpenLDAP Foundation.
+ * Copyright 2006-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-tools/README
===================================================================
--- openldap/trunk/contrib/slapd-tools/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapd-tools/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2004-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
===================================================================
--- openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 2003-2007 The OpenLDAP Foundation. All rights reserved.
+Copyright 2003-2008 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/debian/changelog	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-openldap2.3 (2.4.7-7) UNRELEASED; urgency=low
+openldap2.3 (2.4.9-1) unstable; urgency=low
 
   [ Updated debconf translations ]
   * French, thanks to Christian Perrier <bubulle at debian.org>.
@@ -13,7 +13,7 @@
   * Galician, thanks to Jacobo Tarrio <jtarrio at trasno.net>.  Closes: #480218.
   * Japanese, thanks to Kenshi Muto <kmuto at debian.org>.  Closes: #480247.
 
- -- Steve Langasek <vorlon at debian.org>  Thu, 28 Feb 2008 22:32:44 -0800
+ -- Matthijs Mohlmann <matthijs at cacholong.nl>  Sun, 25 May 2008 11:58:39 +0200
 
 openldap2.3 (2.4.7-6) unstable; urgency=low
 

Modified: openldap/trunk/debian/rules
===================================================================
--- openldap/trunk/debian/rules	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/debian/rules	2008-05-25 14:29:31 UTC (rev 1128)
@@ -41,7 +41,7 @@
 
 # These variables are used only by get-orig-source, which will normally only
 # be run by maintainers.
-VERSION = 2.4.7
+VERSION = 2.4.9
 URL     = http://www.openldap.org/software/download/OpenLDAP/openldap-release/
 
 # Download the upstream source and make changes as required for DFSG reasons.

Modified: openldap/trunk/doc/Makefile.in
===================================================================
--- openldap/trunk/doc/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## doc Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/devel/args
===================================================================
--- openldap/trunk/doc/devel/args	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/devel/args	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 Tools           ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
 ldapcompare      * DE**HI*K M*OPQR  UVWXYZ   de *h**k *nop*    vwxyz
-ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxy
+ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxyz
 ldapmodify       *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *nop*r t vwxy
 ldapmodrdn       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*rs  vwxy
 ldappasswd      A*CDE**HI*   *O QRS UVWXYZa  def*h**  * o * s  vwxy  
@@ -56,4 +56,4 @@
 
 
 ---
-$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.2 2007/08/31 23:13:52 quanah Exp $
+$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.3 2008/02/09 00:53:37 quanah Exp $

Modified: openldap/trunk/doc/guide/COPYRIGHT
===================================================================
--- openldap/trunk/doc/guide/COPYRIGHT	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/COPYRIGHT	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-Copyright 1998-2007 The OpenLDAP Foundation
+Copyright 1998-2008 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -12,11 +12,11 @@
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
 Individual files and/or contributed packages may be copyright by
-other parties and subject to additional restrictions.
+other parties and/or subject to additional restrictions.
 
 This work is derived from the University of Michigan LDAP v3.3
 distribution.  Information concerning this software is available
-at <http://www.umich.edu/~dirsvcs/ldap/>.
+at <http://www.umich.edu/~dirsvcs/ldap/ldap.html>.
 
 This work also contains materials derived from public sources.
 
@@ -25,9 +25,9 @@
 
 ---
 
-Portions Copyright 1998-2005 Kurt D. Zeilenga.
-Portions Copyright 1998-2005 Net Boolean Incorporated.
-Portions Copyright 2001-2005 IBM Corporation.
+Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2006 Net Boolean Incorporated.
+Portions Copyright 2001-2006 IBM Corporation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2007 Howard Y.H. Chu.
 Portions Copyright 1999-2007 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007 Gavin Henry
-Portions Copyright 2007 Suretec Systems
+Portions Copyright 2007-2008 Gavin Henry
+Portions Copyright 2007-2008 Suretec Systems Limited.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/guide/admin/Makefile
===================================================================
--- openldap/trunk/doc/guide/admin/Makefile	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/Makefile	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## Makefile for OpenLDAP Administrator's Guide
-# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.6 2007/11/29 22:51:25 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.9 2008/04/14 20:43:48 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2007 The OpenLDAP Foundation.
+## Copyright 2005-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -21,6 +21,7 @@
 	../plain.sdf \
 	../preamble.sdf \
 	abstract.sdf \
+	access-control.sdf \
 	appendix-changes.sdf \
 	appendix-common-errors.sdf \
 	appendix-configs.sdf \
@@ -61,11 +62,14 @@
 	config_dit.png \
 	config_local.png \
 	config_ref.png \
-	config_repl.gif \
+	config_repl.png \
 	dual_dc.png \
 	intro_dctree.png \
 	intro_tree.png \
-	refint.png 
+	refint.png \
+	set-following-references.png \
+	set-memberUid.png \
+	set-recursivegroup.png 
 
 guide.html: guide.sdf sdf-src sdf-img
 	sdf -2html guide.sdf

Modified: openldap/trunk/doc/guide/admin/README.spellcheck
===================================================================
--- openldap/trunk/doc/guide/admin/README.spellcheck	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/README.spellcheck	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.2 2007/10/23 19:06:09 quanah Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # README.spellcheck 

Modified: openldap/trunk/doc/guide/admin/abstract.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/abstract.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/abstract.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 # 
 # OpenLDAP Administrator's Guide: Abstract

Copied: openldap/trunk/doc/guide/admin/access-control.sdf (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/access-control.sdf)
===================================================================
--- openldap/trunk/doc/guide/admin/access-control.sdf	                        (rev 0)
+++ openldap/trunk/doc/guide/admin/access-control.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,1539 @@
+# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.1 2008/04/14 20:35:10 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+
+H1: Access Control
+
+H2: Introduction
+
+As the directory gets populated with more and more data of varying sensitivity, 
+controlling the kinds of access granted to the directory becomes more and more
+critical. For instance, the directory may contain data of a confidential nature 
+that you may need to protect by contract or by law. Or, if using the directory 
+to control access to other services, inappropriate access to the directory may 
+create avenues of attack to your sites security that result in devastating 
+damage to your assets.
+
+Access to your directory can be configured via two methods, the first using
+{{SECT:The slapd Configuration File}} and the second using the {{slapd-config}}(5) 
+format ({{SECT:Configuring slapd}}).
+
+The default access control policy is allow read by all clients. Regardless of 
+what access control policy is defined, the {{rootdn}} is always allowed full 
+rights (i.e. auth, search, compare, read and write) on everything and anything.
+
+As a consequence, it's useless (and results in a performance penalty) to explicitly 
+list the {{rootdn}} among the {{<by>}} clauses.
+
+The following sections will describe Access Control Lists in more details and 
+follow with some examples and recommendations. 
+
+H2: Access Control via Static Configuration
+
+Access to entries and attributes is controlled by the
+access configuration file directive. The general form of an
+access line is:
+
+>    <access directive> ::= access to <what>
+>        [by <who> [<access>] [<control>] ]+
+>    <what> ::= * |
+>        [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
+>        [filter=<ldapfilter>] [attrs=<attrlist>]
+>    <basic-style> ::= regex | exact
+>    <scope-style> ::= base | one | subtree | children
+>    <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
+>    <attr> ::= <attrname> | entry | children
+>    <who> ::= * | [anonymous | users | self
+>            | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
+>        [dnattr=<attrname>]
+>        [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
+>        [peername[.<basic-style>]=<regex>]
+>        [sockname[.<basic-style>]=<regex>]
+>        [domain[.<basic-style>]=<regex>]
+>        [sockurl[.<basic-style>]=<regex>]
+>        [set=<setspec>]
+>        [aci=<attrname>]
+>    <access> ::= [self]{<level>|<priv>}
+>    <level> ::= none | disclose | auth | compare | search | read | write | manage
+>    <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+>    <control> ::= [stop | continue | break]
+
+where the <what> part selects the entries and/or attributes to which
+the access applies, the {{EX:<who>}} part specifies which entities
+are granted access, and the {{EX:<access>}} part specifies the
+access granted. Multiple {{EX:<who> <access> <control>}} triplets
+are supported, allowing many entities to be granted different access
+to the same set of entries and attributes. Not all of these access
+control options are described here; for more details see the
+{{slapd.access}}(5) man page.
+
+
+H3: What to control access to
+
+The <what> part of an access specification determines the entries
+and attributes to which the access control applies.  Entries are
+commonly selected in two ways: by DN and by filter.  The following
+qualifiers select entries by DN:
+
+>    to *
+>    to dn[.<basic-style>]=<regex>
+>    to dn.<scope-style>=<DN>
+
+The first form is used to select all entries.  The second form may
+be used to select entries by matching a regular expression against
+the target entry's {{normalized DN}}.   (The second form is not
+discussed further in this document.)  The third form is used to
+select entries which are within the requested scope of DN.  The
+<DN> is a string representation of the Distinguished Name, as
+described in {{REF:RFC4514}}.
+
+The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
+or {{EX:children}}.  Where {{EX:base}} matches only the entry with
+provided DN, {{EX:one}} matches the entries whose parent is the
+provided DN, {{EX:subtree}} matches all entries in the subtree whose
+root is the provided DN, and {{EX:children}} matches all entries
+under the DN (but not the entry named by the DN).
+
+For example, if the directory contained entries named:
+
+>    0: o=suffix
+>    1: cn=Manager,o=suffix
+>    2: ou=people,o=suffix
+>    3: uid=kdz,ou=people,o=suffix
+>    4: cn=addresses,uid=kdz,ou=people,o=suffix
+>    5: uid=hyc,ou=people,o=suffix
+
+\Then:
+. {{EX:dn.base="ou=people,o=suffix"}} match 2;
+. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
+. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
+. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
+
+
+Entries may also be selected using a filter:
+
+>    to filter=<ldap filter>
+
+where <ldap filter> is a string representation of an LDAP
+search filter, as described in {{REF:RFC4515}}.  For example:
+
+>    to filter=(objectClass=person)
+
+Note that entries may be selected by both DN and filter by
+including both qualifiers in the <what> clause.
+
+>    to dn.one="ou=people,o=suffix" filter=(objectClass=person)
+
+Attributes within an entry are selected by including a comma-separated
+list of attribute names in the <what> selector:
+
+>    attrs=<attribute list>
+
+A specific value of an attribute is selected by using a single
+attribute name and also using a value selector:
+
+>    attrs=<attribute> val[.<style>]=<regex>
+
+There are two special {{pseudo}} attributes {{EX:entry}} and
+{{EX:children}}.  To read (and hence return) a target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute.  To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
+have {{EX:write}} access to the entry's parent's {{EX:children}}
+attribute.  To rename an entry, the subject must have {{EX:write}}
+access to entry's {{EX:entry}} attribute AND have {{EX:write}}
+access to both the old parent's and new parent's {{EX:children}}
+attributes.  The complete examples at the end of this section should
+help clear things up.
+
+Lastly, there is a special entry selector {{EX:"*"}} that is used to
+select any entry.  It is used when no other {{EX:<what>}}
+selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
+
+
+H3: Who to grant access to
+
+The <who> part identifies the entity or entities being granted
+access. Note that access is granted to "entities" not "entries."
+The following table summarizes entity specifiers:
+
+!block table; align=Center; coltags="EX,N"; \
+    title="Table 6.3: Access Entity Specifiers"
+Specifier|Entities
+*|All, including anonymous and authenticated users
+anonymous|Anonymous (non-authenticated) users
+users|Authenticated users
+self|User associated with target entry
+dn[.<basic-style>]=<regex>|Users matching a regular expression
+dn.<scope-style>=<DN>|Users within scope of a DN
+!endblock
+
+The DN specifier behaves much like <what> clause DN specifiers.
+
+Other control factors are also supported.  For example, a {{EX:<who>}}
+can be restricted by an entry listed in a DN-valued attribute in
+the entry to which the access applies:
+
+>    dnattr=<dn-valued attribute name>
+
+The dnattr specification is used to give access to an entry
+whose DN is listed in an attribute of the entry (e.g., give
+access to a group entry to whoever is listed as the owner of
+the group entry).
+
+Some factors may not be appropriate in all environments (or any).
+For example, the domain factor relies on IP to domain name lookups.
+As these can easily be spoofed, the domain factor should be avoided.
+
+
+H3: The access to grant
+
+The kind of <access> granted can be one of the following:
+
+!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
+    title="Table 6.4: Access Levels"
+Level        Privileges    Description
+none        =0             no access
+disclose    =d             needed for information disclosure on error
+auth        =dx            needed to authenticate (bind)
+compare     =cdx           needed to compare
+search      =scdx          needed to apply search filters
+read        =rscdx         needed to read search results
+write       =wrscdx        needed to modify/rename
+manage      =mwrscdx       needed to manage
+!endblock
+
+Each level implies all lower levels of access. So, for example,
+granting someone {{EX:write}} access to an entry also grants them
+{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
+{{EX:disclose}} access.  However, one may use the privileges specifier
+to grant specific permissions.
+
+
+H3: Access Control Evaluation
+
+When evaluating whether some requester should be given access to
+an entry and/or attribute, slapd compares the entry and/or attribute
+to the {{EX:<what>}} selectors given in the configuration file.
+For each entry, access controls provided in the database which holds
+the entry (or the first database if not held in any database) apply
+first, followed by the global access directives.  Within this
+priority, access directives are examined in the order in which they
+appear in the config file.  Slapd stops with the first {{EX:<what>}}
+selector that matches the entry and/or attribute. The corresponding
+access directive is the one slapd will use to evaluate access.
+
+Next, slapd compares the entity requesting access to the {{EX:<who>}}
+selectors within the access directive selected above in the order
+in which they appear. It stops with the first {{EX:<who>}} selector
+that matches the requester. This determines the access the entity
+requesting access has to the entry and/or attribute.
+
+Finally, slapd compares the access granted in the selected
+{{EX:<access>}} clause to the access requested by the client. If
+it allows greater or equal access, access is granted. Otherwise,
+access is denied.
+
+The order of evaluation of access directives makes their placement
+in the configuration file important. If one access directive is
+more specific than another in terms of the entries it selects, it
+should appear first in the config file. Similarly, if one {{EX:<who>}}
+selector is more specific than another it should come first in the
+access directive. The access control examples given below should
+help make this clear.
+
+
+
+H3: Access Control Examples
+
+The access control facility described above is quite powerful.  This
+section shows some examples of its use for descriptive purposes.
+
+A simple example:
+
+>    access to * by * read
+
+This access directive grants read access to everyone.
+
+>    access to *
+>        by self write
+>        by anonymous auth
+>        by * read
+
+This directive allows the user to modify their entry, allows anonymous
+to authentication against these entries, and allows all others to
+read these entries.  Note that only the first {{EX:by <who>}} clause
+which matches applies.  Hence, the anonymous users are granted
+{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
+have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place.  The following shows how security strength
+factors (SSF) can be used.
+
+>    access to *
+>        by ssf=128 self write
+>        by ssf=64 anonymous auth
+>        by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections have of strength 128 or better have been established,
+allows authentication access to anonymous users, and read access
+when 64 or better security protections have been established.  If
+client has not establish sufficient security protections, the
+implicit {{EX:by * none}} clause would be applied.
+
+The following example shows the use of a style specifiers to select
+the entries by DN in two access directives where ordering is
+significant.
+
+>    access to dn.children="dc=example,dc=com"
+>         by * search
+>    access to dn.children="dc=com"
+>         by * read
+
+Read access is granted to entries under the {{EX:dc=com}} subtree,
+except for those entries under the {{EX:dc=example,dc=com}} subtree,
+to which search access is granted.  No access is granted to
+{{EX:dc=com}} as neither access directive matches this DN.  If the
+order of these access directives was reversed, the trailing directive
+would never be reached, since all entries under {{EX:dc=example,dc=com}}
+are also under {{EX:dc=com}} entries.
+
+Also note that if no {{EX:access to}} directive matches or no {{EX:by
+<who>}} clause, {{B:access is denied}}.  That is, every {{EX:access
+to}} directive ends with an implicit {{EX:by * none}} clause and
+every access list ends with an implicit {{EX:access to * by * none}}
+directive.
+
+The next example again shows the importance of ordering, both of
+the access directives and the {{EX:by <who>}} clauses.  It also
+shows the use of an attribute selector to grant access to a specific
+attribute and various {{EX:<who>}} selectors.
+
+>    access to dn.subtree="dc=example,dc=com" attrs=homePhone
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by peername.regex=IP:10\..+ read
+>    access to dn.subtree="dc=example,dc=com"
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by anonymous auth
+
+This example applies to entries in the "{{EX:dc=example,dc=com}}"
+subtree. To all attributes except {{EX:homePhone}}, an entry can
+write to itself, entries under {{EX:example.com}} entries can search
+by them, anybody else has no access (implicit {{EX:by * none}})
+excepting for authentication/authorization (which is always done
+anonymously).  The {{EX:homePhone}} attribute is writable by the
+entry, searchable by entries under {{EX:example.com}}, readable by
+clients connecting from network 10, and otherwise not readable
+(implicit {{EX:by * none}}).  All other access is denied by the
+implicit {{EX:access to * by * none}}.
+
+Sometimes it is useful to permit a particular DN to add or
+remove itself from an attribute. For example, if you would like to
+create a group and allow people to add and remove only
+their own DN from the member attribute, you could accomplish
+it with an access directive like this:
+
+>    access to attrs=member,entry
+>         by dnattr=member selfwrite
+
+The dnattr {{EX:<who>}} selector says that the access applies to
+entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
+selector says that such members can only add or delete their
+own DN from the attribute, not other values. The addition of
+the entry attribute is required because access to the entry is
+required to access any of the entry's attributes.
+
+!if 0
+For more details on how to use the {{EX:access}} directive,
+consult the {{Advanced Access Control}} chapter.
+!endif
+
+
+H3: Configuration File Example
+
+The following is an example configuration file, interspersed
+with explanatory text. It defines two databases to handle
+different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
+database instances. The line numbers shown are provided for
+reference only and are not included in the actual file. First, the
+global configuration section:
+
+E:  1.    # example config file - global configuration section
+E:  2.    include /usr/local/etc/schema/core.schema
+E:  3.    referral ldap://root.openldap.org
+E:  4.    access to * by * read
+ 
+Line 1 is a comment. Line 2 includes another config file
+which contains {{core}} schema definitions.
+The {{EX:referral}} directive on line 3
+means that queries not local to one of the databases defined
+below will be referred to the LDAP server running on the
+standard port (389) at the host {{EX:root.openldap.org}}.
+
+Line 4 is a global access control.  It applies to all
+entries (after any applicable database-specific access
+controls).
+
+The next section of the configuration file defines a BDB
+backend that will handle queries for things in the
+"dc=example,dc=com" portion of the tree. The
+database is to be replicated to two slave slapds, one on
+truelies, the other on judgmentday. Indices are to be
+maintained for several attributes, and the {{EX:userPassword}}
+attribute is to be protected from unauthorized access.
+
+E:  5.    # BDB definition for the example.com
+E:  6.    database bdb
+E:  7.    suffix "dc=example,dc=com"
+E:  8.    directory /usr/local/var/openldap-data
+E:  9.    rootdn "cn=Manager,dc=example,dc=com"
+E: 10.    rootpw secret
+E: 11.    # indexed attribute definitions
+E: 12.    index uid pres,eq
+E: 13.    index cn,sn,uid pres,eq,approx,sub
+E: 14.    index objectClass eq
+E: 15.    # database access control definitions
+E: 16.    access to attrs=userPassword
+E: 17.        by self write
+E: 18.        by anonymous auth
+E: 19.        by dn.base="cn=Admin,dc=example,dc=com" write
+E: 20.        by * none
+E: 21.    access to *
+E: 22.        by self write
+E: 23.        by dn.base="cn=Admin,dc=example,dc=com" write
+E: 24.        by * read
+
+Line 5 is a comment. The start of the database definition is marked
+by the database keyword on line 6. Line 7 specifies the DN suffix
+for queries to pass to this database. Line 8 specifies the directory
+in which the database files will live.
+
+Lines 9 and 10 identify the database {{super-user}} entry and associated
+password. This entry is not subject to access control or size or
+time limit restrictions.
+
+Lines 12 through 14 indicate the indices to maintain for various
+attributes.
+
+Lines 16 through 24 specify access control for entries in this
+database.  As this is the first database, the controls also apply
+to entries not held in any database (such as the Root DSE).  For
+all applicable entries, the {{EX:userPassword}} attribute is writable
+by the entry itself and by the "admin" entry.  It may be used for
+authentication/authorization purposes, but is otherwise not readable.
+All other attributes are writable by the entry and the "admin"
+entry, but may be read by all users (authenticated or not).
+
+The next section of the example configuration file defines another
+BDB database. This one handles queries involving the
+{{EX:dc=example,dc=net}} subtree but is managed by the same entity
+as the first database.  Note that without line 39, the read access
+would be allowed due to the global access rule at line 4.
+
+E: 33.    # BDB definition for example.net
+E: 34.    database bdb
+E: 35.    suffix "dc=example,dc=net"
+E: 36.    directory /usr/local/var/openldap-data-net
+E: 37.    rootdn "cn=Manager,dc=example,dc=com"
+E: 38.    index objectClass eq
+E: 39.    access to * by users read
+
+H2: Access Control via Dynamic Configuration
+
+Access to slapd entries and attributes is controlled by the
+olcAccess attribute, whose values are a sequence of access directives.
+The general form of the olcAccess configuration is:
+
+>    olcAccess: <access directive>
+>    <access directive> ::= to <what>
+>        [by <who> [<access>] [<control>] ]+
+>    <what> ::= * |
+>        [dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
+>        [filter=<ldapfilter>] [attrs=<attrlist>]
+>    <basic-style> ::= regex | exact
+>    <scope-style> ::= base | one | subtree | children
+>    <attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
+>    <attr> ::= <attrname> | entry | children
+>    <who> ::= * | [anonymous | users | self
+>            | dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
+>        [dnattr=<attrname>]
+>        [group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
+>        [peername[.<basic-style>]=<regex>]
+>        [sockname[.<basic-style>]=<regex>]
+>        [domain[.<basic-style>]=<regex>]
+>        [sockurl[.<basic-style>]=<regex>]
+>        [set=<setspec>]
+>        [aci=<attrname>]
+>    <access> ::= [self]{<level>|<priv>}
+>    <level> ::= none | disclose | auth | compare | search | read | write | manage
+>    <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+>    <control> ::= [stop | continue | break]
+
+where the <what> part selects the entries and/or attributes to which
+the access applies, the {{EX:<who>}} part specifies which entities
+are granted access, and the {{EX:<access>}} part specifies the
+access granted. Multiple {{EX:<who> <access> <control>}} triplets
+are supported, allowing many entities to be granted different access
+to the same set of entries and attributes. Not all of these access
+control options are described here; for more details see the
+{{slapd.access}}(5) man page.
+
+
+H3: What to control access to
+
+The <what> part of an access specification determines the entries
+and attributes to which the access control applies.  Entries are
+commonly selected in two ways: by DN and by filter.  The following
+qualifiers select entries by DN:
+
+>    to *
+>    to dn[.<basic-style>]=<regex>
+>    to dn.<scope-style>=<DN>
+
+The first form is used to select all entries.  The second form may
+be used to select entries by matching a regular expression against
+the target entry's {{normalized DN}}.   (The second form is not
+discussed further in this document.)  The third form is used to
+select entries which are within the requested scope of DN.  The
+<DN> is a string representation of the Distinguished Name, as
+described in {{REF:RFC4514}}.
+
+The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
+or {{EX:children}}.  Where {{EX:base}} matches only the entry with
+provided DN, {{EX:one}} matches the entries whose parent is the
+provided DN, {{EX:subtree}} matches all entries in the subtree whose
+root is the provided DN, and {{EX:children}} matches all entries
+under the DN (but not the entry named by the DN).
+
+For example, if the directory contained entries named:
+
+>    0: o=suffix
+>    1: cn=Manager,o=suffix
+>    2: ou=people,o=suffix
+>    3: uid=kdz,ou=people,o=suffix
+>    4: cn=addresses,uid=kdz,ou=people,o=suffix
+>    5: uid=hyc,ou=people,o=suffix
+
+\Then:
+. {{EX:dn.base="ou=people,o=suffix"}} match 2;
+. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
+. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
+. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
+
+
+Entries may also be selected using a filter:
+
+>    to filter=<ldap filter>
+
+where <ldap filter> is a string representation of an LDAP
+search filter, as described in {{REF:RFC4515}}.  For example:
+
+>    to filter=(objectClass=person)
+
+Note that entries may be selected by both DN and filter by
+including both qualifiers in the <what> clause.
+
+>    to dn.one="ou=people,o=suffix" filter=(objectClass=person)
+
+Attributes within an entry are selected by including a comma-separated
+list of attribute names in the <what> selector:
+
+>    attrs=<attribute list>
+
+A specific value of an attribute is selected by using a single
+attribute name and also using a value selector:
+
+>    attrs=<attribute> val[.<style>]=<regex>
+
+There are two special {{pseudo}} attributes {{EX:entry}} and
+{{EX:children}}.  To read (and hence return) a target entry, the
+subject must have {{EX:read}} access to the target's {{entry}}
+attribute.  To add or delete an entry, the subject must have
+{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
+have {{EX:write}} access to the entry's parent's {{EX:children}}
+attribute.  To rename an entry, the subject must have {{EX:write}}
+access to entry's {{EX:entry}} attribute AND have {{EX:write}}
+access to both the old parent's and new parent's {{EX:children}}
+attributes.  The complete examples at the end of this section should
+help clear things up.
+
+Lastly, there is a special entry selector {{EX:"*"}} that is used to
+select any entry.  It is used when no other {{EX:<what>}}
+selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
+
+
+H3: Who to grant access to
+
+The <who> part identifies the entity or entities being granted
+access. Note that access is granted to "entities" not "entries."
+The following table summarizes entity specifiers:
+
+!block table; align=Center; coltags="EX,N"; \
+    title="Table 5.3: Access Entity Specifiers"
+Specifier|Entities
+*|All, including anonymous and authenticated users
+anonymous|Anonymous (non-authenticated) users
+users|Authenticated users
+self|User associated with target entry
+dn[.<basic-style>]=<regex>|Users matching a regular expression
+dn.<scope-style>=<DN>|Users within scope of a DN
+!endblock
+
+The DN specifier behaves much like <what> clause DN specifiers.
+
+Other control factors are also supported.  For example, a {{EX:<who>}}
+can be restricted by an entry listed in a DN-valued attribute in
+the entry to which the access applies:
+
+>    dnattr=<dn-valued attribute name>
+
+The dnattr specification is used to give access to an entry
+whose DN is listed in an attribute of the entry (e.g., give
+access to a group entry to whoever is listed as the owner of
+the group entry).
+
+Some factors may not be appropriate in all environments (or any).
+For example, the domain factor relies on IP to domain name lookups.
+As these can easily be spoofed, the domain factor should be avoided.
+
+
+H3: The access to grant
+
+The kind of <access> granted can be one of the following:
+
+!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
+    title="Table 5.4: Access Levels"
+Level        Privileges    Description
+none         =0            no access
+disclose     =d            needed for information disclosure on error
+auth         =dx           needed to authenticate (bind)
+compare      =cdx          needed to compare
+search       =scdx         needed to apply search filters
+read         =rscdx        needed to read search results
+write        =wrscdx       needed to modify/rename
+manage       =mwrscdx      needed to manage
+!endblock
+
+Each level implies all lower levels of access. So, for example,
+granting someone {{EX:write}} access to an entry also grants them
+{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
+{{EX:disclose}} access.  However, one may use the privileges specifier
+to grant specific permissions.
+
+
+H3: Access Control Evaluation
+
+When evaluating whether some requester should be given access to
+an entry and/or attribute, slapd compares the entry and/or attribute
+to the {{EX:<what>}} selectors given in the configuration.  For
+each entry, access controls provided in the database which holds
+the entry (or the first database if not held in any database) apply
+first, followed by the global access directives (which are held in
+the {{EX:frontend}} database definition).  Within this priority,
+access directives are examined in the order in which they appear
+in the configuration attribute.  Slapd stops with the first
+{{EX:<what>}} selector that matches the entry and/or attribute. The
+corresponding access directive is the one slapd will use to evaluate
+access.
+
+Next, slapd compares the entity requesting access to the {{EX:<who>}}
+selectors within the access directive selected above in the order
+in which they appear. It stops with the first {{EX:<who>}} selector
+that matches the requester. This determines the access the entity
+requesting access has to the entry and/or attribute.
+
+Finally, slapd compares the access granted in the selected
+{{EX:<access>}} clause to the access requested by the client. If
+it allows greater or equal access, access is granted. Otherwise,
+access is denied.
+
+The order of evaluation of access directives makes their placement
+in the configuration file important. If one access directive is
+more specific than another in terms of the entries it selects, it
+should appear first in the configuration. Similarly, if one {{EX:<who>}}
+selector is more specific than another it should come first in the
+access directive. The access control examples given below should
+help make this clear.
+
+
+
+H3: Access Control Examples
+
+The access control facility described above is quite powerful.  This
+section shows some examples of its use for descriptive purposes.
+
+A simple example:
+
+>    olcAccess: to * by * read
+
+This access directive grants read access to everyone.
+
+>    olcAccess: to *
+>        by self write
+>        by anonymous auth
+>        by * read
+
+This directive allows the user to modify their entry, allows anonymous
+to authenticate against these entries, and allows all others to
+read these entries.  Note that only the first {{EX:by <who>}} clause
+which matches applies.  Hence, the anonymous users are granted
+{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
+have been "{{EX:by users read}}".
+
+It is often desirable to restrict operations based upon the level
+of protection in place.  The following shows how security strength
+factors (SSF) can be used.
+
+>    olcAccess: to *
+>        by ssf=128 self write
+>        by ssf=64 anonymous auth
+>        by ssf=64 users read
+
+This directive allows users to modify their own entries if security
+protections of strength 128 or better have been established,
+allows authentication access to anonymous users, and read access
+when strength 64 or better security protections have been established.  If
+the client has not establish sufficient security protections, the
+implicit {{EX:by * none}} clause would be applied.
+
+The following example shows the use of style specifiers to select
+the entries by DN in two access directives where ordering is
+significant.
+
+>    olcAccess: to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: to dn.children="dc=com"
+>         by * read
+
+Read access is granted to entries under the {{EX:dc=com}} subtree,
+except for those entries under the {{EX:dc=example,dc=com}} subtree,
+to which search access is granted.  No access is granted to
+{{EX:dc=com}} as neither access directive matches this DN.  If the
+order of these access directives was reversed, the trailing directive
+would never be reached, since all entries under {{EX:dc=example,dc=com}}
+are also under {{EX:dc=com}} entries.
+
+Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
+<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
+to}} directive ends with an implicit {{EX:by * none}} clause and
+every access list ends with an implicit {{EX:olcAccess: to * by * none}}
+directive.
+
+The next example again shows the importance of ordering, both of
+the access directives and the {{EX:by <who>}} clauses.  It also
+shows the use of an attribute selector to grant access to a specific
+attribute and various {{EX:<who>}} selectors.
+
+>    olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
+>        by self write
+>        by dn.children=dc=example,dc=com" search
+>        by peername.regex=IP:10\..+ read
+>    olcAccess: to dn.subtree="dc=example,dc=com"
+>        by self write
+>        by dn.children="dc=example,dc=com" search
+>        by anonymous auth
+
+This example applies to entries in the "{{EX:dc=example,dc=com}}"
+subtree. To all attributes except {{EX:homePhone}}, an entry can
+write to itself, entries under {{EX:example.com}} entries can search
+by them, anybody else has no access (implicit {{EX:by * none}})
+excepting for authentication/authorization (which is always done
+anonymously).  The {{EX:homePhone}} attribute is writable by the
+entry, searchable by entries under {{EX:example.com}}, readable by
+clients connecting from network 10, and otherwise not readable
+(implicit {{EX:by * none}}).  All other access is denied by the
+implicit {{EX:access to * by * none}}.
+
+Sometimes it is useful to permit a particular DN to add or
+remove itself from an attribute. For example, if you would like to
+create a group and allow people to add and remove only
+their own DN from the member attribute, you could accomplish
+it with an access directive like this:
+
+>    olcAccess: to attrs=member,entry
+>         by dnattr=member selfwrite
+
+The dnattr {{EX:<who>}} selector says that the access applies to
+entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
+selector says that such members can only add or delete their
+own DN from the attribute, not other values. The addition of
+the entry attribute is required because access to the entry is
+required to access any of the entry's attributes.
+
+
+
+H3: Access Control Ordering
+
+Since the ordering of {{EX:olcAccess}} directives is essential to their
+proper evaluation, but LDAP attributes normally do not preserve the
+ordering of their values, OpenLDAP uses a custom schema extension to
+maintain a fixed ordering of these values. This ordering is maintained
+by prepending a {{EX:"{X}"}} numeric index to each value, similarly to
+the approach used for ordering the configuration entries. These index
+tags are maintained automatically by slapd and do not need to be specified
+when originally defining the values. For example, when you create the
+settings
+
+>    olcAccess: to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: to dn.children="dc=com"
+>         by * read
+
+when you read them back using slapcat or ldapsearch they will contain
+
+>    olcAccess: {0}to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: {1}to dn.children="dc=example,dc=com"
+>         by * search
+>    olcAccess: {2}to dn.children="dc=com"
+>         by * read
+
+The numeric index may be used to specify a particular value to change
+when using ldapmodify to edit the access rules. This index can be used
+instead of (or in addition to) the actual access value. Using this 
+numeric index is very helpful when multiple access rules are being managed.
+
+For example, if we needed to change the second rule above to grant
+write access instead of search, we could try this LDIF:
+
+>    changetype: modify
+>    delete: olcAccess
+>    olcAccess: to dn.children="dc=example,dc=com" by * search
+>    -
+>    add: olcAccess
+>    olcAccess: to dn.children="dc=example,dc=com" by * write
+>    -
+
+But this example {{B:will not}} guarantee that the existing values remain in
+their original order, so it will most likely yield a broken security
+configuration. Instead, the numeric index should be used:
+
+>    changetype: modify
+>    delete: olcAccess
+>    olcAccess: {1}
+>    -
+>    add: olcAccess
+>    olcAccess: {1}to dn.children="dc=example,dc=com" by * write
+>    -
+
+This example deletes whatever rule is in value #1 of the {{EX:olcAccess}}
+attribute (regardless of its value) and adds a new value that is
+explicitly inserted as value #1. The result will be
+
+>    olcAccess: {0}to attrs=member,entry
+>         by dnattr=member selfwrite
+>    olcAccess: {1}to dn.children="dc=example,dc=com"
+>         by * write
+>    olcAccess: {2}to dn.children="dc=com"
+>         by * read
+
+which is exactly what was intended.
+
+!if 0
+For more details on how to use the {{EX:access}} directive,
+consult the {{Advanced Access Control}} chapter.
+!endif
+
+
+H3: Configuration Example
+
+The following is an example configuration, interspersed
+with explanatory text. It defines two databases to handle
+different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
+database instances. The line numbers shown are provided for
+reference only and are not included in the actual file. First, the
+global configuration section:
+
+E:  1.    # example config file - global configuration entry
+E:  2.    dn: cn=config
+E:  3.    objectClass: olcGlobal
+E:  4.    cn: config
+E:  5.    olcReferral: ldap://root.openldap.org
+E:  6.    
+
+Line 1 is a comment. Lines 2-4 identify this as the global
+configuration entry.
+The {{EX:olcReferral:}} directive on line 5
+means that queries not local to one of the databases defined
+below will be referred to the LDAP server running on the
+standard port (389) at the host {{EX:root.openldap.org}}.
+Line 6 is a blank line, indicating the end of this entry.
+
+E:  7.    # internal schema
+E:  8.    dn: cn=schema,cn=config
+E:  9.    objectClass: olcSchemaConfig
+E: 10.    cn: schema
+E: 11.    
+
+Line 7 is a comment. Lines 8-10 identify this as the root of
+the schema subtree. The actual schema definitions in this entry
+are hardcoded into slapd so no additional attributes are specified here.
+Line 11 is a blank line, indicating the end of this entry.
+
+E: 12.    # include the core schema
+E: 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
+E: 14.    
+
+Line 12 is a comment. Line 13 is an LDIF include directive which
+accesses the {{core}} schema definitions in LDIF format. Line 14
+is a blank line.
+
+Next comes the database definitions. The first database is the
+special {{EX:frontend}} database whose settings are applied globally
+to all the other databases.
+
+E: 15.    # global database parameters
+E: 16.    dn: olcDatabase=frontend,cn=config
+E: 17.    objectClass: olcDatabaseConfig
+E: 18.    olcDatabase: frontend
+E: 19.    olcAccess: to * by * read
+E: 20.    
+
+Line 15 is a comment. Lines 16-18 identify this entry as the global
+database entry. Line 19 is a global access control. It applies to all
+entries (after any applicable database-specific access controls).
+
+The next entry defines a BDB backend that will handle queries for things
+in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
+for several attributes, and the {{EX:userPassword}} attribute is to be
+protected from unauthorized access.
+
+E: 21.    # BDB definition for example.com
+E: 22.    dn: olcDatabase=bdb,cn=config
+E: 23.    objectClass: olcDatabaseConfig
+E: 24.    objectClass: olcBdbConfig
+E: 25.    olcDatabase: bdb
+E: 26.    olcSuffix: "dc=example,dc=com"
+E: 27.    olcDbDirectory: /usr/local/var/openldap-data
+E: 28.    olcRootDN: "cn=Manager,dc=example,dc=com"
+E: 29.    olcRootPW: secret
+E: 30.    olcDbIndex: uid pres,eq
+E: 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
+E: 32.    olcDbIndex: objectClass eq
+E: 33.    olcAccess: to attrs=userPassword
+E: 34.      by self write
+E: 35.      by anonymous auth
+E: 36.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 37.      by * none
+E: 38.    olcAccess: to *
+E: 39.      by self write
+E: 40.      by dn.base="cn=Admin,dc=example,dc=com" write
+E: 41.      by * read
+E: 42.    
+
+Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
+configuration entry.  Line 26 specifies the DN suffix
+for queries to pass to this database. Line 27 specifies the directory
+in which the database files will live.
+
+Lines 28 and 29 identify the database {{super-user}} entry and associated
+password. This entry is not subject to access control or size or
+time limit restrictions.
+
+Lines 30 through 32 indicate the indices to maintain for various
+attributes.
+
+Lines 33 through 41 specify access control for entries in this
+database.  As this is the first database, the controls also apply
+to entries not held in any database (such as the Root DSE).  For
+all applicable entries, the {{EX:userPassword}} attribute is writable
+by the entry itself and by the "admin" entry.  It may be used for
+authentication/authorization purposes, but is otherwise not readable.
+All other attributes are writable by the entry and the "admin"
+entry, but may be read by all users (authenticated or not).
+
+Line 42 is a blank line, indicating the end of this entry.
+
+The next section of the example configuration file defines another
+BDB database. This one handles queries involving the
+{{EX:dc=example,dc=net}} subtree but is managed by the same entity
+as the first database.  Note that without line 52, the read access
+would be allowed due to the global access rule at line 19.
+
+E: 43.    # BDB definition for example.net
+E: 44.    dn: olcDatabase=bdb,cn=config
+E: 45.    objectClass: olcDatabaseConfig
+E: 46.    objectClass: olcBdbConfig
+E: 47.    olcDatabase: bdb
+E: 48.    olcSuffix: "dc=example,dc=net"
+E: 49.    olcDbDirectory: /usr/local/var/openldap-data-net
+E: 50.    olcRootDN: "cn=Manager,dc=example,dc=com"
+E: 51.    olcDbIndex: objectClass eq
+E: 52.    olcAccess: to * by users read
+
+
+H3: Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format
+
+Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)
+
+
+H2: Access Control Common Examples
+
+H3: Basic ACLs
+
+Generally one should start with some basic ACLs such as:
+
+>    access to attr=userPassword
+>        by self =xw
+>        by anonymous auth
+>        by * none
+>
+>
+>      access to *
+>        by self write
+>        by users read
+>        by * none
+
+The first ACL allows users to update (but not read) their passwords, anonymous 
+users to authenticate against this attribute, and (implicitly) denying all 
+access to others.
+
+The second ACL allows users full access to their entry, authenticated users read 
+access to anything, and (implicitly) denying all access to others (in this case, 
+anonymous users). 
+
+
+H3: Matching Anonymous and Authenticated users
+
+An anonymous user has a empty DN. While the {{dn.exact=""}} or {{dn.regex="^$"}}
+ could be used, {{slapd}}(8)) offers an anonymous shorthand which should be 
+used instead.
+
+>    access to *
+>      by anonymous none
+>      by * read
+
+denies all access to anonymous users while granting others read. 
+
+Authenticated users have a subject DN. While {{dn.regex=".+"}} will match any 
+authenticated user, OpenLDAP provides the users short hand which should be used 
+instead.
+
+>    access to *
+>      by users read
+>      by * none
+
+This ACL grants read permissions to authenticated users while denying others 
+(i.e.: anonymous users).
+
+
+H3: Controlling rootdn access
+
+You could specify the {{rootdn}} in {{slapd.conf}}(5) or {[slapd.d}} without 
+specifying a {{rootpw}}. Then you have to add an actual directory entry with 
+the same dn, e.g.:
+
+>    dn: cn=Manager,o=MyOrganization
+>    cn: Manager
+>    sn: Manager
+>    objectClass: person
+>    objectClass: top
+>    userPassword: {SSHA}someSSHAdata
+
+Then binding as the {{rootdn}} will require a regular bind to that DN, which 
+in turn requires auth access to that entry's DN and {{userPassword}}, and this 
+can be restricted via ACLs. E.g.:
+
+>    access to dn.base="cn=Manager,o=MyOrganization"
+>      by peername.regex=127\.0\.0\.1 auth
+>      by peername.regex=192\.168\.0\..* auth
+>      by users none
+>      by * none
+
+The ACLs above will only allow binding using rootdn from localhost and 
+192.168.0.0/24.
+
+
+H3: Managing access with Groups
+
+There are a few ways to do this. One approach is illustrated here. Consider the 
+following DIT layout:
+
+>    +-dc=example,dc=com
+>    +---cn=administrators,dc=example,dc=com
+>    +---cn=fred blogs,dc=example,dc=com 
+
+and the following group object (in LDIF format):
+
+>    dn: cn=administrators,dc=example,dc=com
+>    cn: administrators of this region
+>    objectclass: groupOfNames  (important for the group acl feature)
+>    member: cn=fred blogs,dc=example,dc=com 
+>    member: cn=somebody else,dc=example,dc=com
+
+One can then grant access to the members of this this group by adding appropriate 
+{{by group}} clause to an access directive in {{slapd.conf}}(5). For instance,
+
+>    access to dn.children="dc=example,dc=com" 
+>        by self write 
+>        by group.exact="cn=Administrators,dc=example,dc=com" write  
+>        by * auth
+
+Like by {[dn}} clauses, one can also use {{expand}} to expand the group name 
+based upon the regular expression matching of the target, that is, the to {{dn.regex}}). 
+For instance,
+
+>    access to dn.regex="(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
+>             attrs=children,entry,uid
+>        by group.expand="cn=Managers,$2" write
+>        by users read
+>        by * auth
+
+
+The above illustration assumed that the group members are to be found in the 
+{{member}} attribute type of the {{groupOfNames}} object class. If you need to 
+use a different group object and/or a different attribute type then use the 
+following {{slapd.conf}}(5) (abbreviated) syntax:
+
+>    access to <what>
+>            by group/<objectclass>/<attributename>=<DN> <access>
+
+For example:
+
+>    access to *
+>      by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
+
+In this case, we have an ObjectClass {{organizationalRole}} which contains the 
+administrator DN's in the {{roleOccupant}} attribute. For instance:
+
+>    dn: cn=Administrator,dc=example,dc=com
+>    cn: Administrator
+>    objectclass: organizationalRole
+>    roleOccupant: cn=Jane Doe,dc=example,dc=com 
+
+Note: the specified member attribute type MUST be of DN or {{NameAndOptionalUID}} syntax, 
+and the specified object class SHOULD allow the attribute type.
+
+Dynamic Groups are also supported in Access Control. Please see {{slapo-dynlist}}(5)
+and the {{SECT:Dynamic Lists}} overlay section.
+
+
+H3:  Granting access to a subset of attributes
+
+You can grant access to a set of attributes by specifying a list of attribute names 
+in the ACL {{to}} clause. To be useful, you also need to grant access to the 
+{{entry}} itself. Also note how {{children}} controls the ability to add, delete, 
+and rename entries.
+
+>    # mail: self may write, authenticated users may read
+>    access to attrs=mail
+>      by self write
+>      by users read
+>      by * none
+>    
+>    # cn, sn: self my write, all may read
+>    access to attrs=cn,sn
+>      by self write
+>      by * read
+>    
+>    # immediate children: only self can add/delete entries under this entry
+>    access to attrs=children
+>      by self write
+>    
+>    # entry itself: self may write, all may read
+>    access to attrs=entry
+>      by self write
+>      by * read
+>    
+>    # other attributes: self may write, others have no access
+>    access to *
+>      by self write
+>      by * none
+
+ObjectClass names may also be specified in this list, which will affect 
+all the attributes that are required and/or allowed by that {{objectClass}}. 
+Actually, names in {{attrlist}} that are prefixed by {{@}} are directly treated 
+as objectClass names. A name prefixed by {{!}} is also treated as an objectClass, 
+but in this case the access rule affects the attributes that are not required 
+nor allowed by that {{objectClass}}. 
+
+
+H3: Allowing a user write to all entries below theirs
+
+For a setup where a user can write to its own record and to all of its children:
+
+>    access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
+>       by dn.exact,expand="$2" write
+>       by anonymous auth
+
+(Add more examples for above)
+
+
+H3: Allowing entry creation
+
+Let's say, you have it like this:
+
+>        o=<basedn>
+>            ou=domains
+>                associatedDomain=<somedomain>
+>                    ou=users
+>                        uid=<someuserid>            
+>                        uid=<someotheruserid>
+>                    ou=addressbooks
+>                        uid=<someuserid>
+>                            cn=<someone>
+>                            cn=<someoneelse>
+
+and, for another domain <someotherdomain>:
+
+>        o=<basedn>
+>            ou=domains
+>                associatedDomain=<someotherdomain>
+>                    ou=users
+>                        uid=<someuserid>            
+>                        uid=<someotheruserid>
+>                    ou=addressbooks
+>                        uid=<someotheruserid>
+>                            cn=<someone>
+>                            cn=<someoneelse>
+
+then, if you wanted user {{uid=<someuserid>}} to {{B:ONLY}} create an entry 
+for its own thing, you could write an ACL like this:
+
+>    # this rule lets users of "associatedDomain=<matcheddomain>"
+>    # write under "ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>",
+>    # i.e. a user can write ANY entry below its domain's address book;
+>    # this permission is necessary, but not sufficient, the next 
+>    # will restrict this permission further
+>    
+>    
+>    access to dn.regex="^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$" attrs=children
+>            by dn.regex="^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=<basedn>$$" write
+>            by * none
+>    
+>    
+>    # Note that above the "by" clause needs a "regex" style to make sure
+>    # it expands to a DN that starts with a "uid=<someuserid>" pattern
+>    # while substituting the associatedDomain submatch from the "what" clause.
+>    
+>    
+>    # This rule lets a user with "uid=<matcheduid>" of "<associatedDomain=matcheddomain>"
+>    # write (i.e. add, modify, delete) the entry whose DN is exactly
+>    # "uid=<matcheduid>,ou=addressbook,associatedDomain=<matcheddomain>,ou=domains,o=<basedn>"
+>    # and ANY entry as subtree of it
+>    
+>    
+>    access to dn.regex="^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=<basedn>$"
+>            by dn.exact,expand="uid=$2,ou=users,associatedDomain=$3,ou=domains,o=<basedn>" write
+>            by * none 
+>    
+>    
+>    # Note that above the "by" clause uses the "exact" style with the "expand"
+>    # modifier because now the whole pattern can be rebuilt by means of the
+>    # submatches from the "what" clause, so a "regex" compilation and evaluation
+>    # is no longer required.
+
+
+H3: Tips for using regular expressions in Access Control 
+
+Always use {{dn.regex=<pattern>}} when you intend to use regular expression 
+matching. {{dn=<pattern>}} alone defaults to {{dn.exact<pattern>}}.
+
+Use {{(.+)}} instead of {{(.*)}} when you want at least one char to be matched. 
+{{(.*)}} matches the empty string as well.
+
+Don't use regular expressions for matches that can be done otherwise in a safer 
+and cheaper manner. Examples:
+
+>    dn.regex=".*dc=example,dc=com"
+
+is unsafe and expensive:
+
+    * unsafe because any string containing {{dc=example,dc=com }}will match, 
+not only those that end with the desired pattern; use {{.*dc=example,dc=com$}} instead.
+    * unsafe also because it would allow any {{attributeType}} ending with {{dc}}
+ as naming attribute for the first RDN in the string, e.g. a custom attributeType 
+{{mydc}} would match as well. If you really need a regular expression that allows 
+just {{dc=example,dc=com}} or any of its subtrees, use {{^(.+,)?dc=example,dc=com$}}, 
+which means: anything to the left of dc=..., if any (the question mark after the 
+pattern within brackets), must end with a comma;
+    * expensive because if you don't need submatches, you could use scoping styles, e.g.
+
+>    dn.subtree="dc=example,dc=com"
+
+to include {{dc=example,dc=com}} in the matching patterns,
+
+>    dn.children="dc=example,dc=com"
+
+to exclude {{dc=example,dc=com}} from the matching patterns, or
+
+>    dn.onelevel="dc=example,dc=com"
+
+to allow exactly one sublevel matches only. 
+
+Always use {{^}} and {{$}} in regexes, whenever appropriate, because 
+{{ou=(.+),ou=(.+),ou=addressbooks,o=basedn}} will match 
+{{something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org}}
+
+Always use {{([^,]+)}} to indicate exactly one RDN, because {{(.+)}} can 
+include any number of RDNs; e.g. {{ou=(.+),dc=example,dc=com}} will match 
+{{ou=My,o=Org,dc=example,dc=com}}, which might not be what you want.
+
+Never add the rootdn to the by clauses. ACLs are not even processed for operations 
+performed with rootdn identity (otherwise there would be no reason to define a 
+rootdn at all).
+
+Use shorthands. The user directive matches authenticated users and the anonymous
+directive matches anonymous users.
+
+Don't use the {{dn.regex}} form for <by> clauses if all you need is scoping 
+and/or substring replacement; use scoping styles (e.g. {{exact}}, {{onelevel}}, 
+{{children}} or {{subtree}}) and the style modifier expand to cause substring expansion.
+
+For instance,
+
+>    access to dn.regex=".+,dc=([^,]+),dc=([^,]+)$"
+>      by dn.regex="^[^,],ou=Admin,dc=$1,dc=$2$$" write
+
+although correct, can be safely and efficiently replaced by
+
+>    access to dn.regex=".+,(dc=[^,]+,dc=[^,]+)$"
+>      by dn.onelevel,expand="ou=Admin,$1" write
+
+where the regex in the {{<what>}} clause is more compact, and the one in the {{<by>}} 
+clause is replaced by a much more efficient scoping style of onelevel with substring expansion. 
+
+
+H3: Granting and Denying access based on security strength factors (ssf)
+
+You can restrict access based on the security strength factor (SSF)
+
+>    access to dn="cn=example,cn=edu"
+>          by * ssf=256 read
+
+0 (zero) implies no protection,
+1 implies integrity protection only,
+56 DES or other weak ciphers,
+112 triple DES and other strong ciphers,
+128 RC4, Blowfish and other modern strong ciphers.
+
+Other possibilities:
+
+>    transport_ssf=<n>
+>    tls_ssf=<n>
+>    sasl_ssf=<n>
+
+256 is recommended.
+
+See {{slapd.conf}}(5) for information on {{ssf}}.
+
+
+H3: When things aren't working as expected
+
+Consider this example:
+
+>    access to *
+>      by anonymous auth
+>    
+>    access to *
+>      by self write
+>    
+>    access to *
+>      by users read 
+
+You may think this will allow any user to login, to read everything and change 
+his own data if he is logged in. But in this example only the login works and 
+an ldapsearch returns no data. The Problem is that SLAPD goes through its access 
+config line by line and stops as soon as it finds a match in the part of the 
+access rule.(here: {{to *}})
+
+To get what we wanted the file has to read:
+
+>    access to *
+>      by anonymous auth
+>      by self write
+>      by users read 
+
+The general rule is: "special access rules first, generic access rules last"
+
+See also {{slapd.access}}(8), loglevel 128 and {{slapacl}}(8) for debugging
+information.
+
+
+H2: Sets - Granting rights based on relationships
+
+Sets are best illustrated via examples. The following sections will present 
+a few set ACL examples in order to facilitate their understanding.
+
+(Sets in Access Controls FAQ Entry: {{URL:http://www.openldap.org/faq/data/cache/1133.html}})
+
+Note: Sets are considered experimental. 
+
+
+H3: Groups of Groups
+
+The OpenLDAP ACL for groups doesn't expand groups within groups, which are
+groups that have another group as a member. For example:
+
+> dn: cn=sudoadm,ou=group,dc=example,dc=com
+> cn: sudoadm
+> objectClass: groupOfNames
+> member: uid=john,ou=people,dc=example,dc=com
+> member: cn=accountadm,ou=group,dc=example,dc=com
+>
+> dn: cn=accountadm,ou=group,dc=example,dc=com
+> cn: accountadm
+> objectClass: groupOfNames
+> member: uid=mary,ou=people,dc=example,dc=com
+
+If we use standard group ACLs with the above entries and allow members of the
+{{F:sudoadm}} group to write somewhere, {{F:mary}} won't be included:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>         by group.exact="cn=sudoadm,ou=group,dc=example,dc=com" write
+>         by * read
+
+With sets we can make the ACL be recursive and consider group within groups. So
+for each member that is a group, it is further expanded:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>       by set="[cn=sudoadm,ou=group,dc=example,dc=com]/member* & user" write
+>       by * read
+
+This set ACL means: take the {{F:cn=sudoadm}} DN, check its {{F:member}}
+attribute(s) (where the "{{F:*}}" means recursively) and intersect the result
+with the authenticated user's DN. If the result is non-empty, the ACL is
+considered a match and write access is granted.
+
+The following drawing explains how this set is built:
+!import "set-recursivegroup.png"; align="center"; title="Building a recursive group"
+FT[align="Center"] Figure X.Y: Populating a recursive group set
+
+First we get the {{F:uid=john}} DN. This entry doesn't have a {{F:member}}
+attribute, so the expansion stops here.  Now we get to {{F:cn=accountadm}}.
+This one does have a {{F:member}} attribute, which is {{F:uid=mary}}. The
+{{F:uid=mary}} entry, however, doesn't have member, so we stop here again. The
+end comparison is:
+
+> {"uid=john,ou=people,dc=example,dc=com","uid=mary,ou=people,dc=example,dc=com"} & user
+
+If the authenticated user's DN is any one of those two, write access is
+granted. So this set will include {{F:mary}} in the {{F:sudoadm}} group and she
+will be allowed the write access.
+
+H3: Group ACLs without DN syntax
+
+The traditional group ACLs, and even the previous example about recursive groups, require
+that the members are specified as DNs instead of just usernames.
+
+With sets, however, it's also possible to use simple names in group ACLs, as this example will
+show.
+
+Let's say we want to allow members of the {{F:sudoadm}} group to write to the
+{{F:ou=suders}} branch of our tree. But our group definition now is using {{F:memberUid}} for
+the group members:
+
+> dn: cn=sudoadm,ou=group,dc=example,dc=com
+> cn: sudoadm
+> objectClass: posixGroup
+> gidNumber: 1000
+> memberUid: john
+
+With this type of group, we can't use group ACLs. But with a set ACL we can
+grant the desired access:
+
+> access to dn.subtree="ou=sudoers,dc=example,dc=com"
+>       by set="[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid & user/uid" write
+>       by * read
+
+We use a simple intersection where we compare the {{F:uid}} attribute
+of the connecting (and authenticated) user with the {{F:memberUid}} attributes
+of the group. If they match, the intersection is non-empty and the ACL will
+grant write access.
+
+This drawing illustrates this set when the connecting user is authenticated as
+{{F:uid=john,ou=people,dc=example,dc=com}}:
+!import "set-memberUid.png"; align="center"; title="Sets with memberUid"
+FT[align="Center"] Figure X.Y: Sets with {{F:memberUid}}
+
+In this case, it's a match. If it were {{F:mary}} authenticating, however, she
+would be denied write access to {{F:ou=sudoers}} because her {{F:uid}}
+attribute is not listed in the group's {{F:memberUid}}.
+
+H3: Following references
+
+We will now show a quite powerful example of what can be done with sets. This
+example tends to make OpenLDAP administrators smile after they have understood
+it and its implications.
+
+Let's start with an user entry:
+
+> dn: uid=john,ou=people,dc=example,dc=com
+> uid: john
+> objectClass: inetOrgPerson
+> givenName: John
+> sn: Smith
+> cn: john
+> manager: uid=mary,ou=people,dc=example,dc=com
+
+Writing an ACL to allow the manager to update some attributes is quite simple
+using sets:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>    by self write
+>    by set="this/manager & user" write
+>    by * read
+
+In that set, {{F:this}} expands to the entry being accessed, so that
+{{F:this/manager}} expands to {{F:uid=mary,ou=people,dc=example,dc=com}} when
+john's entry is accessed.  If the manager herself is accessing John's entry,
+the ACL will match and write access to those attributes will be granted.
+
+So far, this same behavior can be obtained with the {{F:dnattr}} keyword. With
+sets, however, we can further enhance this ACL. Let's say we want to allow the
+secretary of the manager to also update these attributes. This is how we do it:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>    by self write
+>    by set="this/manager & user" write
+>    by set="this/manager/secretary & user" write
+>    by * read
+
+Now we need a picture to help explain what is happening here (entries shortened
+for clarity):
+
+!import "set-following-references.png"; align="center"; title="Sets jumping through entries"
+FT[align="Center"] Figure X.Y: Sets jumping through entries
+
+In this example, Jane is the secretary of Mary, which is the manager of John.
+This whole relationship is defined with the {{F:manager}} and {{F:secretary}}
+attributes, which are both of the distinguishedName syntax (i.e., full DNs).
+So, when the {{F:uid=john}} entry is being accessed, the
+{{F:this/manager/secretary}} set becomes
+{{F:{"uid=jane,ou=people,dc=example,dc=com"}}} (follow the references in the
+picture):
+
+> this = [uid=john,ou=people,dc=example,dc=com]
+> this/manager = \
+>   [uid=john,ou=people,dc=example,dc=com]/manager = uid=mary,ou=people,dc=example,dc=com
+> this/manager/secretary = \
+>   [uid=mary,ou=people,dc=example,dc=com]/secretary = uid=jane,ou=people,dc=example,dc=com
+
+The end result is that when Jane accesses John's entry, she will be granted
+write access to the specified attributes. Better yet, this will happen to any
+entry she accesses which has Mary as the manager.
+
+This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further
+restrict it. For example, let's only allow executive secretaries to have this power:
+
+> access to dn.exact="uid=john,ou=people,dc=example,dc=com"
+>   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+>   by self write
+>   by set="this/manager & user" write
+>   by set="this/manager/secretary & 
+>           [cn=executive,ou=group,dc=example,dc=com]/member* & 
+>           user" write
+>   by * read
+
+It's almost the same ACL as before, but we now also require that the connecting user be a member
+of the (possibly nested) {{F:cn=executive}} group.
+
+

Modified: openldap/trunk/doc/guide/admin/admin.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/admin.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/admin.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # guide.sdf 

Modified: openldap/trunk/doc/guide/admin/appendix-changes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-changes.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-changes.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.6 2008/04/14 22:36:18 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Changes Since Previous Release
@@ -15,6 +15,7 @@
 * {{SECT:When should I use LDAP?}}
 * {{SECT:When should I not use LDAP?}}
 * {{SECT:LDAP vs RDBMS}}
+* {{SECT:Access Control}}
 * {{SECT:Backends}}
 * {{SECT:Overlays}}
 * {{SECT:Replication}}
@@ -178,7 +179,11 @@
 * monitoring of back-{b,h}db: cache fill-in, non-indexed searches,
 * session tracking control (draft-wahl-ldap-session)
 * subtree delete in back-sql (draft-armijo-ldap-treedelete)
+* sorted values in multivalued attributes for faster matching 
+* lightweight dispatcher for greater throughput under heavy load and on
+multiprocessor machines. (33% faster than 2.3 on AMD quad-socket dual-core server.)
 
+
 H3: New features in libldap
 
 * ldap_sync client API (LDAP Content Sync Operation, RFC 4533)

Modified: openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Common errors encountered when using OpenLDAP Software

Modified: openldap/trunk/doc/guide/admin/appendix-configs.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-configs.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-configs.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Configuration File Examples

Modified: openldap/trunk/doc/guide/admin/appendix-contrib.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: OpenLDAP Software Contributions

Modified: openldap/trunk/doc/guide/admin/appendix-deployments.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Real World OpenLDAP Deployments and Examples

Modified: openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1:  LDAP Result Codes

Modified: openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.2 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Recommended OpenLDAP Software Dependency Versions

Modified: openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Upgrading from 2.3.x

Modified: openldap/trunk/doc/guide/admin/aspell.en.pws
===================================================================
--- openldap/trunk/doc/guide/admin/aspell.en.pws	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/aspell.en.pws	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,1492 +1,1599 @@
-personal_ws-1.1 en 1491 
-nattrsets
-inappropriateAuthentication
+personal_ws-1.1 en 1598 
+commonName
+bla
+Masarati
+subjectAltName
 api
-olcAttributeTypes
 BhY
-reqEnd
-olcOverlayConfig
-shoesize
-olcTLSCACertificateFile
+olcSyncrepl
+olcSyncRepl
+adamsom
+adamson
+CER
+intermediateResponse
+bjensen
+cdx
 CGI
-cdx
 DCE
 DAP
-attributename
-lsei
-dbconfig
+chainingRequired
 arg
-kurt
-authzID
-authzid
-authzId
+ddd
 DAs
-ddd
-userApplications
+TLSCACertificateFile
 BNF
-attrs
-mixin
-wholeSubtree
-chainingRequired
-ldapport
-hallvard
+TLSEphemeralDHParamFile
+ppolicy
 ASN
-acknowledgements
+ava
 Chu
-ava
-monitorCounter
 del
+libexecdir
 DDR
-testObject
-OrgPerson
-IGJlZ
-olcUpdateref
+numericoid
+dsaschema
 ECC
-deleteDN
 cli
-ltdl
-CAPI
+DIB
 dev
-serverctrls
-olcDbDirectory
-xvfB
+reqNewSuperior
+librewrite
+memberOf
+memberof
 BSI
-modv
-nonleaf
-errCode
-PhotoURI
+updateref
 buf
-cdef
-monitorConnectionLocalAddress
+changetype
 dir
 EGD
+pwdMustChange
+Debian
 dit
-retoidp
-ando
+AlmostASearchRequest
+EXEEXT
 edu
-caseExactSubstringsMatch
-bvstrdup
-AUTHNAME
-memrealloc
-auditExtended
-replog
-ludp
-metainformation
+Heimdal
+organizationalPerson
+olcTimeLimit
+CAPI
+tokenization
+INSTALLFLAGS
 CRL
+reqcert
 CRP
-olcReferral
-XLDFLAGS
-metadirectory
+postread
 csn
-siiiib
-stateful
-olcModulePath
-maxentries
-authc
-seeAlso
-searchbase
-searchBase
-realnamingcontext
+xvfB
+neverDerefaliases
+dns
+DN's
+DNs
 dn's
-DNs
-DN's
-dns
-dereference
-sortKey
-authzTo
-lossy
+cdef
+Helvetica
+DOP
+requestdata
 gcc
+gecos
+reqData
 CWD
-lssl
-organizationalRole
+ando
+reqDeleteOldRDN
 DSA
-derefInSearching
-pwdGraceUseTime
+msgfree
 DSE
-groupOfURLs
-modrdn
-ModRDN
-modrDN
-pwdFailureCountInterval
-homePhone
+keycol
+dlopen
 eng
-paramName
-errUnsolicitedData
-Heimdal
+AttributeValue
+attributevalue
 EOF
-authz
-XINCPATH
-LTFINISH
-plaintext
-indices
-reqAssertion
-olcDbUri
+DUA
+inputfile
+DSP
+refreshDone
 dst
+NOSYNC
 env
-oplist
-MirrorMode
-mirrormode
-objclass
-Bint
 dup
 hdb
+LDIFv
+syslog
+monitorTimestamp
+subschemaSubentry
+interoperate
 gid
-stderr
-caseIgnoreOrderingMatch
-moduledir
 gif
-jpegPhoto
-lsasl
-judgmentday
-prepend
-subentry
-dbcache
-mkversion
-objectClasses
-objectclasses
-adminLimitExceeded
-searchResultReference
+memfree
+struct
+IAB
 fmt
-qdescrs
-olcSuffix
-objectClassModsProhibited
-unavailableCriticalExtension
-supportedControl
+SysNet
+olcConstraintAttribute
 GHz
-libpath
-INADDR
-compareDN
-sizelimit
-unixODBC
-notAllowedOnNonLeaf
-APIs
-blen
-attrsOnly
-attrsonly
-slappasswd
-referralsPreferred
-oids
-OIDs
-wBDARESEhgVG
-syncIdSet
-olcTLSCipherSuite
-username
-aliasProblem
-sizeLimitExceeded
-subst
+Bint
+memalloc
+FSF
+usernames
+strtol
 idl
-chroot
+IDN
+DESTDIR
 iff
-auditDelete
-numbits
+contextCSN
+auditModify
+auditSearch
+openldap
+OpenLDAP
+resultCode
+resultcode
+sysconfig
+indices
+blen
+APIs
+lresolv
+Contribware
+directoryString
+database's
+iscritical
+gss
 ZKKuqbEKJfKSXhUbHG
-reqRespControls
-TLSCertificateKeyFile
-olcAccess
-aliasDereferencingProblem
-proxyTemplates
-neverDerefaliases
-RootDN
-rootdn
-loglevel
+invalidAttributeSyntax
+subtree
+Kartik
+newparent
+memcalloc
+ing
+filtertype
+regcomp
+ldapmodify
+includedir
+IPC
+resync
+ldapsearch
+reqAttr
+dynlist
 args
-caseExactOrderingMatch
-olcDbQuarantine
-RELEASEDATE
-baseDN
-basedn
+hardcoded
 argv
-gss
-schemachecking
-whoami
-WhoAmI
-syslogd
-dataflow
-subentries
-attrpair
-balancer
-entryAlreadyExists
-BerkeleyDB's
+kdz
 notAllowedOnRDN
-singleLevel
-entryDN
-dSAOperation
-includedir
-inplace
-LDAPAPIFeatureInfo
-logbase
-ldapmaster
-ing
-moduleload
-IPC
-Makefile
-getpid
-GETREALM
-numericString
-MANSECT
-XXXX
-domainstyle
-bvarray
-Choi
-iscritical
-subschema
-slapindex
-plugin
-distinguishedNameMatch
-derefAliases
-baseObject
-kdz
-reqMod
+hostport
+starttls
+StartTLS
 ldb
-srcdir
-pwdExpireWarning
+servercredp
 ldd
-localstatedir
-sockbuf
-PENs
 ipv
 IPv
-ghenry
 hyc
-multimaster
-noop
-DEFS
 joe
-testAttr
-syncrepl
-pwdFailureTime
-timestamp
-whitespaces
+bindmethods
+armijo
+ldp
 ISP
-ldp
-monitorInfo
-PDUs
-bjensen
-newPasswd
-irresponsive
 len
-perl
-dynlist
-browseable
-posixGroup
-attrvalue
-pers
-retcode
-rootpw
-matchedDN
-auditReadObject
-idletimeout
-intermediateResponse
-myOID
-structuralObjectClass
-integerMatch
-openldap
-OpenLDAP
-moddn
-rewriteEngine
-AVAs
-accesslog
-searchDN
-reqOld
+carLicense
+Choi
+Clatworthy
+scherr
+virtualnamingcontext
+ITU
+XXXX
+Stringprep
+Apurva
+labeledURI
+DEFS
 MDn
-aspell
-TLSCACertificateFile
+attrstyle
+directoryOperation
+creatorsName
 mem
-peername
-syncUUIDs
-database's
+oldpasswdfile
+oldPasswdFile
+uniqueMember
 krb
-bool
-logins
+libpath
+acknowledgements
 jts
-memberAttr
-newpasswdfile
-newPasswdFile
-ucdata
+createTimestamp
 LLL
-confdir
-invalidCredentials
-BerValues
-olcDbLinearIndex
-Elfrink
-AUTOREMOVE
-countp
-realloc
-bsize
-CThreads
-structs
+MIB
+OpenSSL
+openssl
+LOF
+AVAs
+associatedDomain
+organizationalRole
+initgroups
+olcDbCachesize
+olcDbCacheSize
+ETCDIR
+colaligns
+olcReadOnly
+olcReadonly
+reqResult
+LDAPMatchingRule
+bool
+LRL
+CPPFLAGS
+schemadir
 desc
-LTCOMPILE
-bindmethod
-olcDbCheckpoint
-addprinc
-modme
-refreshOnly
-PIII
-pwdPolicySubentry
-supportedSASLmechanism
-supportedSASLMechanism
-FIXME
-realanonymous
-caseExactMatch
-olcSizeLimit
-Bourne
-attr
-objectidentifier
-objectIdentifier
-refint
-msgtype
-OBJEXT
-LRL
-subtrees
-realdnattr
-entrymods
-admittable
-libtool's
-dupbv
-searchResultEntry
 lud
-modifyTimestamp
-TLSEphemeralDHParamFile
+newrdn
 LRU
-syncprov
-strvals
-preread
-auth
+memvfree
+dbtools
 nis
-regexec
-adamsom
-objclasses
-deallocation
-strdup
-gsMatch
-adamson
-UniqueName
+rewriteRule
+postoperation
 LVL
-ppErrStr
-DESTDIR
 oid
-saslpasswd
-interoperate
-bindwhen
-Solaris
-oOjM
 msg
-submatch
-refreshAndPersist
-monitorServer
-attributeUsage
-soelim
-objectIdentiferMatch
+attr
+caseExactOrderingMatch
+Subbarao
+aeeiib
+oidlen
+submatches
 olc
 PEM
-Autoconf
-alloc
 PDU
 OLF
-inetorgperson
-inetOrgPerson
-deleteoldrdn
-monitorCounterObject
+LDAPSchemaExtensionItem
+auth
+Pierangelo
+authzFrom
 pid
-CPAN
-sharedstatedir
+subdirectories
 OLP
-LDFLAGS
-dereferencing
-allop
-errcodep
-xeXBkeFxlZ
-accessor's
-extendedop
+pwdPolicyChecker
+subst
+singleLevel
+cleartext
+numattrsets
+requestDN
+caseExactSubstringsMatch
+PKI
+olcSyncProvConfig
 ple
 NTP
-reqSizeLimit
-ORed
+auditModRDN
+checkpointing
 NUL
-namingContexts
 num
-reqAttrsOnly
-ldappasswd
-online
-libdir
-unindexed
-ObjectClassDescription
-attrdesc
-jsmith
-efgh
-exopPasswdDN
-ranlib
-olcAttributeOptions
-lineno
-storages
-nameAndOptionalUID
+objectIdentifierMatch
+sharedstatedir
 png
-INCPATH
-organizationalPerson
-integerOrderingMatch
+CPAN
 OSI
-subschemaSubentry
-cond
-conf
+extendedop
+distinguishedName
+distinguishedname
+preinstalled
 rfc
-bvec
+LDAPCONF
 rdn
-ECHOPROMPT
-RDBM
-subany
-runningslapd
-configs
-datagram
-crlcheck
-conn
-builddir
+wZFQrDD
 OTP
-entrylimit
-attrdescN
-logold
+olcSizeLimit
 pos
 sbi
 PRD
-reqEntries
 pre
-bvals
-unixusers
-olcReadonly
-olcReadOnly
-pwdChangedTime
-mySQL
-DITs
+sudoadm
+stringal
+retoidp
 sdf
-suffixmassage
-referralDN
+efgh
+accesslog
 sed
-statslog
-perror
-ldapexop
-bvecadd
-distributedOperation
+cond
+qdescrs
+modifyDN
+conf
+ldapmodrdn
 sel
-versa
+bvec
 TBC
-telephonenumber
-telephoneNumber
-DLDAP
-peernamestyle
+stringbv
 Sep
 SHA
-filename
-rpath
-argsfile
 ptr
-INCDIR
+conn
 pwd
-dctree
+DISP
+newsup
 rnd
-quanah
-lastmod
 TCL
-sprintf
 shm
-logops
-dnattr
-subdir
-searchAttrDN
-cctrls
+DITs
 tcp
-kadmin
-undefinedAttributeType
-strlen
-spellcheck
-ludpp
-typedef
-olcDbIDLcacheSize
-ostring
-toolsets
-mwrscdx
+INCPATH
+RPC
+myOID
+supportedSASLMechanism
+supportedSASLmechanism
+realnamingcontext
 SMD
 UCD
-cancelled
-crit
-organizationalUnit
-lucyB
+keytab
+portnumber
+uncached
 slp
-rdns
-CPUs
+derefInSearching
+UMich's
 TGT
-modulepath
-quickstart
-mySNMP
+numbits
+sasldb
+UCS
+searchDN
+keytbl
 tgz
 UDP
-RDBMs
-rdbms
-Matic
-qdstring
-gunzip
-librewrite
+freemods
+prepend
+errText
+groupnaam
 UFl
 src
-lastName
+matchedDN
 ufn
-cron
-RelativeLDAPDN
+allusersgroup
+FIXME
 sql
-pwdPolicyChecker
 uid
-olcDbConfig
-refreshDone
+crit
+objectClassViolation
 ssf
-replogfile
+ldapfilter
 rwm
 TOC
 vec
-LDAPDN
-compareAttrDN
-endmacro
+pwdChangedTime
 tls
-repl
-monitoringslapd
-referralsp
+peernamestyle
+xpasswd
 tmp
 SRP
-olcDbNosync
-conns
 SSL
-PDkzODdASFxOQ
+dupbv
+CPUs
 SRV
+entrymods
 rwx
 sss
-deallocators
-Contribware
-URLlist
+reqNewRDN
+nopresent
+rebindproc
+olcOverlayConfig
 str
-subinitial
-CSNs
-sbin
-dbtools
-datasource
-sbio
-posp
-errText
-prepended
-labeledURI
-scdx
-startup
-const
-wBDABALD
-octetStringSubstringsStringMatch
+syncIdSet
+cron
+accesslevel
+accessor's
+keyval
+alloc
+saslpasswd
+README
+maxentries
 ttl
-bvalue
-bvdup
-stringa
-stringb
-hasSubordinates
-oldPasswd
+undefinedAttributeType
+peercred
 sys
-pwdPolicy
-slapd
-affectsMultipleDSAs
-sasl
-slapauth
-MANCOMPRESS
-octetStringOrderingStringMatch
-updatedn
-UpdateDN
-slapdindex
-searchFilter
+allop
+memberUid
+CSNs
+wildcards
 uri
-slapi
 tty
-liblunicode
 url
-entryExpireTimestamp
-priv
-slapo
+XED
+sortKey
 UTF
 vlv
-ctrl
 TXN
-virtualnamingcontext
-eatBlanks
-slimit
-ldaprc
+auditExtended
 usr
 txt
-proc
-generalizedTime
-loopback
-unmassaged
-mechs
-freemods
-initgroups
-auditCompare
+UTR
+XER
+olcDbIDLcacheSize
+namespace
+LDAPControl
+dbconfig
+olcAttributeOptions
+dsaparam
+searchResult
+ctrl
+ldapwhoami
+extensibleObject
+clientctrls
+monitorServer
+MANCOMPRESSSUFFIX
+memberAttr
+multiclassing
+memberURL
+sudoers
+pwdMaxFailure
+pseudorootdn
 GDBM
+LIBRELEASE
 DSAs
 DSA's
-dsaschema
-compareFalse
-resultCode
-resultcode
-noSuchObject
-params
-groupnummer
-searchEntryDN
-negttl
-chainingPreferred
-TABs
-retdatap
-errAuxObject
-postoperation
+realloc
+booleanMatch
+compareTrue
+mySQL
+passwd
+printf
+idassert
+rwxrwxrwx
+al
 realself
-olcPasswordHash
-concat
-debuglevel
-addAttrDN
-credp
-ldaphost
-pwdMaxFailure
-octetStringMatch
-extparam
-auditWriteObject
-colaligns
-Diffie
-offsite
-attributevalue
-AttributeValue
-SIGTERM
-MyCompany
-al
-AAQSkZJRgABAAAAAQABAAD
 cd
-contextCSN
 ar
-pthreads
-monitorTimestamp
+olcDatabaseConfig
 de
-reqAuthzID
-backend's
-backends
-requestName
+derated
+auditDelete
 cn
-lcrypto
-infodir
-groupstyle
-ldapsearch
+versa
 cp
-displayName
+bv
 eg
-bv
-olcBackendConfig
+fd
 dn
-fd
-LDAPSync
-olcReplicationInterval
 fG
-gidNumber
+DS
 fi
-Instanstantiation
+allmail
+du
 eq
-FIPS
+pwdAllowUserChange
 dx
 et
 eu
+syncUUIDs
 hh
-olcLogLevel
-slurpd
-logevels
+regexec
 IG
-addDN
-tbls
-ldapmodify
+msgidp
 kb
-syslog
+organizationalUnit
+Warper
+logfilter
 io
 ip
-dynacl
-aXRoIGEgc
-enum
-slapdconf
-reqFilter
+referralsRequired
 ld
-xyz
-TLSCertificateFile
-idassert
-failover
-kerberos
-lookups
+Matic
+regexes
+subfinal
+pseudorootpw
 md
+preread
+pwdMinLength
 iZ
-SysNet
-BerValue
-idlcachesize
-struct
-UCASE
-errno
-syslogged
+ldapdelete
+xyz
+RDBMs
+rdbms
+extparam
 mk
 ng
 oc
-invalidAttributeSyntax
-errOp
-pwdMaxAge
-insufficientAccessRights
-truelies
+FIPS
 NL
+logfiles
 mr
-reindex
-newentry
 ok
 mv
-preinstalled
-regex
-saslmech
+LTVERSION
+someotheruserid
 rc
-config
+realdn
 ou
-policyDN
+yyy
 sb
-olcSyncrepl
+enum
+auditContext
 QN
-strtol
-runtime
-NOSYNC
-slapover
+contrib
 RL
-sockname
-noSuchAttribute
-MANCOMPRESSSUFFIX
-makeinfo
-coltags
+errMatchedDN
+auditContainer
 ro
 rp
-EXEEXT
-sockurl
 th
 sn
 ru
 UG
 ss
+behera
+TP
 su
-TP
-reqMethod
-XLIBS
-PhotoObject
+invalidCredentials
 tt
-keycol
-namingContext
-rlookups
-searchstack
-NOECHOPROMPT
-sldb
+wildcard
 wi
-AlmostASearchRequest
+syslogd
+newPasswd
 xf
-param
-MChAODQ
-caseExactIA
+deallocation
+whitespaces
+retdatap
+attrlist
+Vu
 Za
-Vu
-idlecachesize
-objectClassViolation
-allusers
+PDkzODdASFxOQ
+MyOrganization
 ws
-errSleepTime
-INSTALLFLAGS
-pthread
-pwdHistory
+cacert
+notAllowedOnNonLeaf
+attrname
+olcTLSCipherSuite
 x's
-Debian
-slen
-errUnsolicitedOID
-dyngroup
-filtertype
-rewriteRules
-criticality
-preoperation
-smbk
-subord
-reqVersion
+xw
+octetStringMatch
+mechs
+ZZ
+LDVERSION
+testAttr
+backend
+backend's
+backends
+BerValues
+Solaris
+structs
+reqTimeLimit
+judgmentday
+reqAuthzID
 errp
-ZZ
-entryCSNs
-dlopen
-continuated
-newsuperior
-newSuperior
-Preprocessor
-XXLIBS
-deallocate
-reqScope
-llber
-bitstringa
-sbindir
-apache's
-noidlen
-monitorContext
-testrun
-resync
+ostring
+policyDN
+testObject
+pwdMaxAge
+bindDn
+bindDN
+binddn
+distributedOperation
+schemachecking
+strvals
+dataflow
+robert
 fqdn
-authPassword
-LDAPMatchingRule
-olcIdleTimeout
-treedelete
-auditAdd
-reqSession
-derated
-LDVERSION
+admittable
+Makefile
 IANA
-olcDbSearchStack
-bitstrings
-rscdx
-schemas
-minssf
-ldapadd
-pseudorootdn
-lldap
-gssapi
-applicatio
-nelems
-liblutil
-wrscdx
-scherr
-internet
-logfilter
-lutil
-themself
-libexec
-dnpattern
-proxying
-reqType
-Kartik
-libexecdir
-inetd
-pwdSafeModify
-contrib
-FQDNs
-bjorn
-myldap
-myLDAP
-peercred
-SNMP
-myObjectClass
-thru
-olcLastMod
-commonName
-testTwo
-olcFrontendConfig
-LDAPObjectClass
-attributeTypes
-LTINSTALL
-hostname
-Symas
-numattrsets
-msgid
-ldapmodrdn
-ldapbis
-attributeoptions
-serverID
-memberOf
-memberof
-pseudorootpw
-allmail
-CFLAGS
-operationsError
-substr
-pwdAllowUserChange
-rewriteRule
-XXXXXXXXXX
-credlen
-departmentNumber
-rewriteMap
-logfile
-vals
-LDAPAVA
-modifyAttrDN
-dcedn
-olcOverlay
+localhost
+offsite
+bindir
+fred
+olcUpdateref
+bindwhen
+UMLDAP
+searchResultDone
+MAXLEN
+pwdInHistory
+reqAttrsOnly
+sysconfdir
+searchResultReference
+olcAttributeTypes
+everytime
+protocolError
+errno
+errOp
+serverctrls
+recursivegroup
+integerMatch
+moduledir
+dynstyle
+bindpw
+AUTHNAME
+UniqueName
+saslmech
+pthreads
+IEEE
+regex
+SIGINT
+slappasswd
+errAbsObject
+errABsObject
+ldapexop
+objectidentifier
+objectIdentifier
+deallocators
+MirrorMode
+mirrormode
+loopDetect
+SIGHUP
+authMethodNotSupported
+IDNA
+bvecfree
+pwdLockoutDuration
+attrset
+displayName
+subentry
+reqScope
+oldPasswd
 exop
-berelement
-BerElement
-olcRootDN
-octetString
-SampleLDAP
+filtercomp
 expr
-allusersgroup
-PostgreSQL
-bvstr
-filesystem
-pathtest
-objectClass
-objectclass
-submatches
-newrdn
-armijo
-addBlanks
-reqMessage
+syntaxes
+memrealloc
+returnCode
+returncode
+OpenLDAP's
 exts
-SSHA
+bitstringa
+caseIgnoreOrderingMatch
+searchFilterAttrDN
 func
-filterlist
-modifyDN
 jane
-syncuser
-Masarati
-LDAPSyntax
-oldpasswdfile
-oldPasswdFile
-reqDN
-SSFs
+IESG
+llber
+attrval
 ietf
-unwillingToPerform
-oidlen
-searchFilterAttrDN
-CPPFLAGS
-slapadd
-Clatworthy
-urldesc
-substrings
-Apurva
-slapacl
-multiclassing
-monitoredInfo
-LTLINK
-addrdnvalues
-KTNAME
-ETCDIR
-reqId
-setspec
-scanf
-TLSv
-distinguishedname
-distinguishedName
-BerVarray
-caseIgnoreSubstrin
-ldapwhoami
-URLattr
-generalizedTimeOrderingMatch
-requestdata
-timelimit
-subr
+olcSchemaConfig
+bitstrings
+bvalues
+realdnattr
+attrpair
+affectsMultipleDSAs
+Preprocessor
+lastName
+lldap
 cachesize
-olcRootPW
-SSLv
-proxyOld
-domainScope
-LDAPMessage
-LTVERSION
-memalloc
-refreshDeletes
-BerkeleyDB
-pathspec
-uint
-Poitou
-whitespace
-dynstyle
-slaptest
-zeilenga
-WebUpdate
-numericoid
-changelog
-ChangeLog
-creatorsName
-ascii
-wahl
-uniqueMember
-slapcat
-lwrap
-ldapfilter
-errDisconnect
-sermersheim
-rootdns
-searchResult
-libtool
-servercredp
-AttributeTypeDescription
-LTFLAGS
-simplebinddn
-authcDN
-TLSCipherSuite
-supportedSASLMechanisms
-rootdse
-rootDSE
-dsaparam
-cachefree
-UMich's
-uidNumber
-schemadir
-attribute's
-extern
-varchar
-olcDbCacheSize
-olcDbCachesize
-authcid
-authcID
-POSIX
+slapauth
+attributetype
+attributeType
+GSER
+olcDbNosync
+typedef
+bjorn
+datagram
+strcasecmp
+selfstyle
+preoperation
+FQDNs
+exopPasswdDN
+userid
+subentries
+monitoredObject
+TLSVerifyClient
+noidlen
+LDAPNOINIT
+pwdGraceAuthNLimit
+pwdGraceAuthnLimit
 hnPk
-ldapext
-authzFrom
-Google
-olcSchemaConfig
-newsup
-sbiod
-XXXLIBS
-LDAPBASE
-Supr
-olcDatabaseConfig
-rwxrwxrwx
-aeeiib
-SUPs
-reqStart
-sasldb
-somevalue
-LIBRELEASE
-randkey
-starttls
-StartTLS
-LDAPSchemaExtensionItem
+userPassword
+noanonymous
+LIBVERSION
+symas
+dcedn
+sublevel
+chroot
+posixGroup
+nretries
+testgroup
+ldaphost
+frontend
+someotherdomain
+proxying
+organisations
+rewriteMap
+monitoredInfo
+modrdn
+ModRDN
+modrDN
+HREF
+inline
+multiproxy
+reqSizeLimit
+kerberos
+loglevel
+bvstrdup
 reqReferral
-shtool
-Pierangelo
-attrstyle
-backend
-portnumber
-subjectAltName
-errObject
-gsskrb
-valsort
-bervals
-berval's
-derefFindingBaseObj
-checkpointed
-keytab
-groupnaam
-frontend
-sctrls
-dbnum
-olcLdapConfig
-sessionlog
-attrset
-organizationPerson
-entryCSN
-strcast
-kbyte
-modifiersName
-keytbl
-olcHdbConfig
-constraintViolation
-README
-memcalloc
+rlookups
+siiiib
+LTSTATIC
+timeLimitExceeded
+timelimitExceeded
+XKYnrjvGT
+subtrees
+unixODBC
+hostnames
+AutoConfig
+libtool
+submatch
+reqDN
+dnstyle
 inet
-saslargs
-givenname
-givenName
-olcDbMode
-pidfile
-olcLimits
-memvfree
-tuple
-superset
-directoryString
-ktadd
-proxyTemplate
-proxytemplate
-wildcards
-monitoredObject
-TTLs
-LxsdLy
-olcTimeLimit
-stringal
+schemas
+pwdPolicySubEntry
+pwdPolicySubentry
+reqId
+scanf
+olcBackend
+TLSCACertificatePath
+Arial
 init
-Locators
-bvalues
-reqResult
+runtime
+onelevel
 impl
-strongerAuthRequired
-outvalue
-returnCode
-returncode
-attributeDescription
-attrval
-dnssrv
-ciphersuite
-auditlog
-reqControls
-protocolError
-notypes
-myAttributeType
-stringbv
-keyval
-calloc
-chmod
-Subbarao
-setstyle
-subdirectories
-errlist
-addpartial
-slapdn
-uncached
-ldapapiinfo
-groupOfUniqueNames
-dhparam
-slapd's
-slapds
-inputfile
-RDBMSes
-wildcard
-Locator
-errAbsObject
-errABsObject
-SASL's
+Autoconf
+stderr
+ascii
+MANCOMPRESS
+authPassword
+attrdescN
+aspell
+allusers
+statslog
+alwaysDerefAliases
+RELEASEDATE
+olcModuleList
+pwdSafeModify
 html
-searchResultDone
-olcBdbConfig
-ldapmod
-LDAPMod
-olcHidden
-userPassword
-TLSRandFile
-use'd
-auditBind
-requestDN
-lockdetect
-selfstyle
-liblber
-ERXRTc
-printf
-AutoConfig
-localhost
+multimaster
+testrun
+rewriteEngine
+slapdindex
+LTFINISH
+olcOverlay
 lber
-noprompt
-databasenumber
-hasSubordintes
-URIs
-denyop
+serverID
+blogs
+numResponses
 lang
-auditSearch
-ldapdelete
-reqTimeLimit
-cacertdir
-queryid
-Warper
-XDEFS
-urls
-URL's
-postalAddress
-postaladdress
-passwd
-plugins
-george
+POSIX
+pathname
+noSuchObject
+proxyOld
+berelement
+BerElement
+sbiod
+plugin
 http
-uppercased
-Poobah
-libldap
-invalidDNSyntax
+olcModuleLoad
 ldap
 ldbm
-ursula
-LDAPModifying
+numericStringSubstringsMatch
+internet
+storages
+whoami
+WhoAmI
+criticality
+addBlanks
+logins
+syncrepl
+dbnum
+operationsError
+homePhone
+testTwo
+ldif
+entryAlreadyExists
+plaintext
+someoneelse
+errDisconnect
+username
+accessee
+LDAPURLDesc
+ISOC
+IRTF
+jpeg
+ktadd
+tuple
+refint
+makeinfo
+chmod
+auditWriteObject
+Jong
+addressbooks
+setspec
+syncprov
+dctree
+hallvard
+cctrls
+debuglevel
+dSAOperation
+datadir
+slapadd
+reqFilter
+matcheddomain
+CThreads
+slapacl
+requestName
+randkey
+Cryptosystem
+groupOfNames
+themself
+jsmith
+filesystems
+lineno
+SASL's
+lockdetect
+addrdnvalues
+Hyuk
+rewriteContext
+soelim
 slapdconfig
-sysconfig
-dnSubtreeMatch
-olcSaslSecProps
-olcSaslSecprops
-auditModify
-groupOfNames
-jensen
-reloadHint
-prepending
-olcGlobal
-matchingRule
-matchingrule
-SmVuc
-MSSQL
-nisMailAlias
-hostnames
-ctrlp
+entrylimit
+departmentNumber
+immSupr
+addressbook
+pidfile
+online
+logold
+proxyattrset
+proxyAttrSet
+proxyAttrset
+mary
+crlcheck
+olcBdbConfig
+kadmin
+mech
+slapcat
+insufficientAccessRights
+XDEFS
+olcDbLinearIndex
+MKDEPFLAG
+rootdns
+caseExactIA
+notypes
+numericStringMatch
+octothorpe
 lltdl
-ctrls
+rootDSE
+rootdse
+logops
 rewriter
-secprops
-namespace
-whsp
-realusers
-dnstyle
-suffixalias
-proxyAttrset
-proxyAttrSet
-proxyattrset
-pwdMustChange
-ldif
-bvfree
-sleeptime
-pwdCheckQuality
-msgidp
-confidentialityRequired
-pwdAttribute
-authMethodNotSupported
 chown
+attributeUsage
+slapdconf
+olcDbUri
+subany
+Authorizaiton
+bvalue
+manpage
+olcLimits
 PRNGD
-LDAPRDN
-entryUUIDs
-proxycache
-proxyCache
-SERATGCgaGBYWGDEjJR
-noanonymous
-accessee
-createTimestamp
-nretries
-auditAbandon
-LDAPAttributeType
+BerVarray
+abcdefgh
+matchingrule
+matchingRule
+modifiersName
+inetOrgPerson
+inetorgperson
+secprops
 logdb
+postaladdress
+postalAddress
+quanah
+ManageDsaIT
+manageDSAit
+subinitial
 procs
-realdn
-alwaysDerefAliases
-ppolicy
-jpeg
-functionalities
-pcache
-caseIgnoreMatch
-sysconfdir
-checkpointing
-rebindproc
-dryrun
-noplain
-exattrs
-Jong
-ldaptcl
-proxied
-firstName
-accesslevel
+varchar
+RDBMSes
+XLDFLAGS
+caseExactMatch
+urldesc
+liblutil
+olcObjectIdentifier
+subdir
+suffixmassage
+auditAdd
+pwdMinAge
+olcModulePath
+URLattr
+reqSession
 login
-rewriteContext
-dcObject
-newparent
-numericStringMatch
-TLSVerifyClient
-subtree
-multi
-immSupr
-manpage
-assciated
-wZFQrDD
-serverctrlsp
-onelevel
-abcd
-reqcert
-referralsRequired
-Hyuk
-olcServerID
-reqDerefAliases
+RetCodes
+userApplications
+NDBM
 newSuperiorDN
-passwdfile
-errMatchedDN
-everytime
+browseable
+auditBind
+setstyle
+newSuperior
+newsuperior
+concat
+realanonymous
+invalue
+refreshOnly
+filesystem
+Naur
+unwillingToPerform
+PhotoURI
+MyCompany
 mkdep
-olcDbindex
-olcDbIndex
-syntaxOID
-reqData
-databasetype
-woid
-numericStringOrderingMatch
-clientctrls
-inappropriateMatching
-RetCodes
-ldapc
-pwdAccountLockedTime
-attrtype
-LIBVERSION
+idlcachesize
+irresponsive
+readOnly
+readonly
+CLDAP
 proto
-endif
-logfiles
-reqNewRDN
-ldapi
-notoc
-matcheddnp
 mkdir
-mech
-pwdMinAge
-ldaps
-userCertificate
-LDAPv
-IPsec
-tokenization
-olcModuleList
-robert
-generalizedTimeMatch
-UMLDAP
-OpenLDAP's
-lookup
-ABNF
-olcDbShmKey
-pwdLockoutDuration
-TLSCACertificatePath
-ldapuri
-ldapurl
-ACIs
-behera
-olcObjectIdentifier
-endblock
+peername
+pwdFailureTime
+compareDN
+reqVersion
+negttl
+logevels
+AAQSkZJRgABAAAAAQABAAD
+strcast
+failover
+constraintViolation
+cacheable
+sambaPwdCanChange
+errCode
+queryid
+olcReferral
+dynacl
+mkln
+structuralObjectClass
 proxyAuthz
-pagedResults
-saslBindInProgress
-bitstring
-ACLs
-berptr
-olcModuleLoad
-namingViolation
-attributetype
-attributeType
-auditModRDN
-cacert
-memberUid
-freebuf
+config
 IDSET
-pwdGraceAuthnLimit
-invalue
-XKYnrjvGT
-srvtab
-referralAttrDN
-requestoid
+ODBC
+searchFilter
+wholeSubtree
+SASLprep
+nisMailAlias
+attributeDescription
+groupnummer
+lsei
+kurt
+OrgPerson
+generalizedTime
+filename
+pwdCheckQuality
+methodp
+Verdana
+deref
+proxied
+endmacro
+backload
+ECHOPROMPT
+bvarray
+ltdl
+slapdconfigfile
+modv
+ObjectClassDescription
+truelies
+slurpd
 basename
-substring
-booleanMatch
-babs
+groupOfUniqueNames
+DHAVE
+ludp
+entryUUID
+ldapapiinfo
+SampleLDAP
+compareAttrDN
+lssl
+newentry
+applicatio
+addpartial
+confdir
+entryDN
+pwdFailureCountInterval
+XXXLIBS
+Kumar
+LTHREAD
+distinguishedNameMatch
+timestamp
+UUIDs
+olcDbCheckpoint
+LTINSTALL
+gssapi
+continuated
+localstatedir
+devel
+errcodep
+Elfrink
+olcPidFile
+attribute's
 pPasswd
-msgfree
-slapdconfigfile
+metadirectory
+assciated
+myObjectClass
+OIDs
+oids
+sermersheim
+chainingPreferred
+CFLAGS
+minssf
+ModName
+attrs
+typeA
+objclasses
+typeB
+nelems
+subord
+namingViolation
+inappropriateAuthentication
+mixin
+suders
+syntaxOID
+olcTLSCACertificateFile
+IGJlZ
+TLSCipherSuite
+auditlog
+runningslapd
+myLDAP
+myldap
+configs
+datasource
+refreshAndPersist
+authc
+PENs
+referralDN
+MANAGERDN
+noop
+errObject
+XXLIBS
+reqAssertion
+PDUs
+baseObject
+bvecadd
+perl
+inplace
+lossy
+pers
+authz
+pwdReset
+wrscdx
+adminLimitExceeded
+LDAPMessage
+serverctrlsp
+simplebinddn
+nonleaf
+compareFalse
+lsasl
+caseIgnoreSubstringsMatch
+AUTOREMOVE
+mydc
+searchResultEntry
+PIII
+olcDbShmKey
+substr
+reqRespControls
+XXXXXXXXXX
+MANSECT
+bindmethod
+KTNAME
+referralsp
+pwdExpireWarning
+suretecsystems
+timeval
+LTLINK
+gsMatch
+attributeTypes
+pwdCheckModule
 olcDatabase
-builtin
-hardcoded
-SIGINT
-MAXLEN
-xpasswd
-cleartext
-extensibleObject
+PKCS
+syncuser
+oOjM
+extern
+dcObject
+supportedControl
+addprinc
+logbase
+filterlist
+generalizedTimeMatch
+Google
+sessionlog
+balancer
+NSSR
+PKIX
+urandom
+derefFindingBaseObj
+Poitou
+dereferencing
+dereferenced
+ORed
+caseIgnoreSubstrin
+superset
+Locators
+qdstring
+olcAccess
+dereferences
+shoesize
+monitorContext
+RDBM
+PostgreSQL
+ppErrStr
+olcFrontendConfig
+aliasDereferencingProblem
+gsskrb
+unindexed
+whitespace
+seeAlso
+monitorRuntimeConfig
+olcAuditlogFile
+namingContexts
+referralAttrDN
+idlecachesize
+moddn
+calloc
+LDFLAGS
+attributeOrValueExists
+olcHdbConfig
+bsize
+auditObject
+dnssrv
+dynamicObject
+objectclass
+objectClass
+sizeLimitExceeded
+accountadm
+reqControls
+modme
+shtool
+aXRoIGEgc
+RDNs
+rdns
+modifyTimestamp
+objectIdentiferMatch
+sleeptime
+derefAliases
+pagedResults
+denyop
+sctrls
+ldapport
+octetString
+repl
+ERXRTc
+LxsdLy
+lastmod
+integerOrderingMatch
+searchEntryDN
 pwdLockout
-SIGHUP
-reqDeleteOldRDN
-reqAttr
-subfinal
+sbin
+olcSuffix
+sbio
+posp
+TLSCertificateKeyFile
+george
+LDAPSyntax
+apache's
+scdx
+someuserid
+attrtype
+msgtype
+pathtest
+ldapcompare
+coltags
+sasl
+unixusers
+bvfree
+xeXBkeFxlZ
+priv
+proxyTemplates
+bvals
+givenName
+givenname
+jensen
+auditReadObject
+proc
+unavailableCriticalExtension
+slapdn
+noSuchAttribute
+retcode
+slapds
+slapd's
+DLDAP
+TABs
+dyngroup
+pathspec
+domainstyle
+requestoid
+rpath
+Blowfish
+dryrun
+Poobah
+searchable
+SDSE
+olcDbDirectory
+ludpp
+spellcheck
+logsuccess
+lucyB
+entryUUIDs
+reqEntries
+sockbuf
+olcSaslSecprops
+olcSaslSecProps
+dnSubtreeMatch
+conns
+pcache
+ChangeLog
+changelog
+ursula
+monitorConnectionLocalAddress
+requestor's
+requestors
+TLSCertificateFile
+pwdPolicy
+infodir
+suretec
+tbls
+const
+bvdup
+mkversion
+olcDbSearchStack
+numericStringOrderingMatch
+checkpointed
+strongerAuthRequired
+treedelete
+olcObjectClasses
+berptr
+errSleepTime
+substrings
+slapd
+sambaNTPassword
+slapi
+lcrypto
+slapo
+mwrscdx
+credlen
+deleteDN
+substring
+prepending
+sldb
+credp
+numEntries
+searchBase
+searchbase
 berval
-octothorpe
+slen
+lookup
+databasetype
+rewriteRules
+smbk
+userCertificate
+entryCSN
+errAuxObject
+replogfile
+reloadhint
+reloadHint
+moduleload
+hasSubordinates
+contextp
+LDAPModifying
+nameAndOptionalUID
+addDN
+berval's
+bervals
+passwdfile
+reqDerefAliases
+authcDN
+groupstyle
+cancelled
+stateful
+proxytemplate
+proxyTemplate
+entryExpireTimestamp
+referralsPreferred
+authcID
+authcid
+AuthcId
+MChAODQ
+lookups
+GnuTLS
+GNUtls
+gnutls
 LTONLY
-filesystems
-urandom
-NDBM
-abcdefgh
-olcBackend
-errmsgp
-boolean
-updateref
-regcomp
-contextp
-filtercomp
-LDAPNOINIT
-deref
-preallocated
-syntaxes
-memberURL
-monitorRuntimeConfig
-bindDn
-bindDN
-binddn
-methodp
-timeLimitExceeded
-timelimitExceeded
-pwdInHistory
-LTSTATIC
-requestors
-requestor's
-LDAPCONF
+SNMP
+timelimit
+UCASE
+thru
 saslauthd
-MKDEPFLAG
-gecos
-entryUUID
-gnutls
-GNUtls
-GnuTLS
-postread
-timeval
-DHAVE
-loopDetect
-caseIgnoreSubstringsMatch
+logpurge
+SMTP
+srvtab
+ldapadd
+sprintf
+monitorCounterObject
+Instanstantiation
+olcDbConfig
+olcLastMod
+vals
+param
+matcheddnp
+malloc
+XLIBS
+freeit
+invalidDNSyntax
+zeilenga
+addAttrDN
+syncdata
+somedomain
+attrsonly
+attrsOnly
+numericString
+libexec
+entryCSNs
+noprompt
+LTCOMPILE
+ldapbis
+SSHA
+mandir
+RXER
+SSFs
+octetStringOrderingStringMatch
+auditCompare
+pEntry
+endblock
+LDAPAVA
+startup
+olcReplicationInterval
+TLSv
+libtool's
+slapindex
+rscdx
+dhparam
+subr
+SSLv
+SIGTERM
+liblunicode
+uint
+stringa
+reindex
+stringb
+lutil
+inetd
+SERATGCgaGBYWGDEjJR
+wahl
+olcDbQuarantine
+reqEnd
+modifyAttrDN
+monitorContainer
+searchstack
+cachefree
+errUnsolicitedOID
+WebUpdate
+RelativeLDAPDN
+URLlist
+monitorInfo
+argsfile
+attrvalue
+deallocate
+msgid
+modulepath
+logfile
+Supr
+inappropriateMatching
+SUPs
+myAttributeType
+BerValue
+basedn
+baseDN
+bvstr
+replog
+adressbooks
+databasenumber
+subschema
+PhotoObject
+INADDR
+pthread
+errlist
+olcDbIndex
+olcDbindex
+ldapext
+caseIgnoreMatch
+suffixalias
+sbindir
+gidNumber
+LDAPSync
+bitstring
+objclass
+oplist
+LDAPObjectClass
+sockurl
+somevalue
+getpid
 monitorIsShadow
-syncdata
-BDB's
-olcPidFile
-hostport
-backload
-bindir
-olcObjectClasses
-auditObject
-LDIFv
-strcasecmp
-LTHREAD
-dereferenced
+confidentialityRequired
+groupOfURLs
+preallocated
+hostname
+TTLs
+attrdesc
+ghenry
+reqType
+slapover
+BerkeleyDB's
+attributename
+lwrap
+reqStart
+errUnsolicitedData
+objectclasses
+objectClasses
+countp
+dereference
+sizelimit
+use'd
+rootdn
+RootDN
+LTFLAGS
+Bourne
+URIs
+pwdAttribute
+uppercased
+cacertdir
+ciphersuite
+URL's
+urls
+olcAuditLogConfig
+reqMod
+pwdHistory
 entryTtl
-LDAPControl
-pwdMinLength
-ldapcompare
-readonly
-readOnly
+olcIdleTimeout
+TLSRandFile
+unmassaged
+LDAPMod
+ldapmod
+srcdir
+someSSHAdata
+whsp
+exattrs
+reqOld
+kbyte
+monitorCounter
+quickstart
+UUID
+olcConstraintConfig
+roleOccupant
+rootpw
+veryclean
+syslogged
+olcRootDN
+idletimeout
+sockname
+telephoneNumber
+telephonenumber
+objectClassModsProhibited
+nattrsets
+saslargs
+OBJEXT
+LDAPAttributeType
+newPasswdFile
+newpasswdfile
+boolean
+liblber
+ucdata
+toolsets
+builddir
+builtin
+matcheduid
+Locator
+ldapmaster
+olcMirrorMode
+libldap
+refreshDeletes
+aliasProblem
+eMail
+outvalue
+LDAPRDN
+olcBackendConfig
+wBDABALD
+libdir
+deleteoldrdn
+abcd
+olcRootPW
+dnattr
+AttributeTypeDescription
+strdup
+domainScope
+prepended
+saslBindInProgress
+olcDbMode
+selfwrite
+olcLdapConfig
+pwdGraceUseTime
+titleCatalog
+woid
+organizationPerson
+ldaptcl
+INCDIR
+ACDF
+realusers
+ranlib
+eatBlanks
+reqMessage
+paramName
+ctrlp
+freebuf
+ctrls
+firstName
+ABNF
+dnpattern
+perror
+MSSQL
+SmVuc
+ACIs
+errmsgp
+authzDN
+gunzip
+jpegPhoto
+supportedSASLMechanisms
+ACLs
+reqMethod
+authzId
+authzid
+authzID
+hasSubordintes
+proxyCache
+proxycache
+slaptest
+olcLogLevel
+LDAPDN
+XINCPATH
+monitoringslapd
+babs
+DSAIT
+olcHidden
+mySNMP
+metainformation
+BerkeleyDB
+ldapuri
+auditAbandon
 RANDFILE
-attrlist
+ldapurl
+strlen
+pwdAccountLockedTime
+searchAttrDN
+dbcache
+sambaPwdLastSet
+wBDARESEhgVG
+multi
+aaa
+ldaprc
+updatedn
+UpdateDN
+LDAPBASE
+LDAPAPIFeatureInfo
+authzTo
+valsort
+plugins
+Diffie
+ldappasswd
+olcGlobal
+ABI
 aci
-directoryOperation
-compareTrue
-selfwrite
-pwdReset
+endif
+unescaped
 acl
-attrname
 ADH
-searchable
-bindmethods
-logpurge
-reqNewSuperior
-multiproxy
-dereferences
-datadir
-malloc
-UUIDs
-veryclean
-userid
-Kumar
+olcPasswordHash
+ldapc
+loopback
+ldapi
+BDB's
+GETREALM
+functionalities
+noplain
+NOECHOPROMPT
 AES
+ldaps
+notoc
 bdb
-attributeOrValueExists
-manageDSAit
-ManageDsaIT
-bindpw
-monitorContainer
-pEntry
+LDAPv
+IPsec
+olcServerID
+BCP
 baz
-memfree
-lresolv
-objectIdentifierMatch
-Blowfish
-mkln
-numericStringSubstringsMatch
-testgroup
-openssl
-OpenSSL
-ModName
-cacheable
-freeit
-pathname
+params
+generalizedTimeOrderingMatch
+octetStringSubstringsStringMatch
 ber
+slimit
 ali
-mandir
-changetype
+attributeoptions
+uidNumber
 CAs
 CA's
-typeA
-bvecfree
-ODBC
-typeB
-unescaped
-devel
-pwdCheckModule
-LDAPURLDesc
-authzDN
+namingContext

Modified: openldap/trunk/doc/guide/admin/backends.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/backends.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/backends.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.5 2008/04/14 19:00:49 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Backends
@@ -44,7 +44,7 @@
 their own private connection to the remote LDAP server. Anonymous sessions 
 will share a single anonymous connection to the remote server. For sessions 
 bound through other mechanisms, all sessions with the same DN will share the 
-same connection. This connection pooling strategy can enhance the proxy’s 
+same connection. This connection pooling strategy can enhance the proxy's 
 efficiency by reducing the overhead of repeatedly making/breaking multiple 
 connections.
 

Modified: openldap/trunk/doc/guide/admin/config.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/config.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/config.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.6 2008/04/14 20:43:48 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: The Big Picture - Configuration Choices
 
@@ -47,9 +47,10 @@
 information on multiple directory servers.   In its most basic
 configuration, the {{master}} is a syncrepl provider and one or more
 {{slave}} (or {{shadow}}) are syncrepl consumers.  An example
-master-slave configuration is shown in figure 3.3.
+master-slave configuration is shown in figure 3.3. Multi-Master 
+configurations are also supported.
 
-!import "config_repl.gif"; align="center"; title="Replicated Directory Services"
+!import "config_repl.png"; align="center"; title="Replicated Directory Services"
 FT[align="Center"] Figure 3.3: Replicated Directory Services
 
 This configuration can be used in conjunction with either of the

Deleted: openldap/trunk/doc/guide/admin/config_repl.gif
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/config_repl.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/config_repl.png)
===================================================================
(Binary files differ)

Modified: openldap/trunk/doc/guide/admin/dbtools.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/dbtools.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/dbtools.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Database Creation and Maintenance Tools

Modified: openldap/trunk/doc/guide/admin/glossary.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/glossary.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/glossary.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2006-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2006-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Glossary
 

Modified: openldap/trunk/doc/guide/admin/guide.html
===================================================================
--- openldap/trunk/doc/guide/admin/guide.html	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/guide.html	2008-05-25 14:29:31 UTC (rev 1128)
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">13 December 2007</ADDRESS>
+<ADDRESS CLASS="doc-modified">7 May 2008</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -100,25 +100,8 @@
 <BR>
 <A HREF="#Database-specific Directives">5.2.5. Database-specific Directives</A>
 <BR>
-<A HREF="#BDB and HDB Database Directives">5.2.6. BDB and HDB Database Directives</A></UL>
+<A HREF="#BDB and HDB Database Directives">5.2.6. BDB and HDB Database Directives</A></UL></UL>
 <BR>
-<A HREF="#Access Control">5.3. Access Control</A><UL>
-<A HREF="#What to control access to">5.3.1. What to control access to</A>
-<BR>
-<A HREF="#Who to grant access to">5.3.2. Who to grant access to</A>
-<BR>
-<A HREF="#The access to grant">5.3.3. The access to grant</A>
-<BR>
-<A HREF="#Access Control Evaluation">5.3.4. Access Control Evaluation</A>
-<BR>
-<A HREF="#Access Control Examples">5.3.5. Access Control Examples</A>
-<BR>
-<A HREF="#Access Control Ordering">5.3.6. Access Control Ordering</A></UL>
-<BR>
-<A HREF="#Configuration Example">5.4. Configuration Example</A>
-<BR>
-<A HREF="#Converting from slapd.conf(8) to a {{B:cn=config}} directory format">5.5. Converting from slapd.conf(8) to a <B>cn=config</B> directory format</A></UL>
-<BR>
 <A HREF="#The slapd Configuration File">6. The slapd Configuration File</A><UL>
 <A HREF="#Configuration File Format">6.1. Configuration File Format</A>
 <BR>
@@ -129,403 +112,443 @@
 <BR>
 <A HREF="#General Database Directives">6.2.3. General Database Directives</A>
 <BR>
-<A HREF="#BDB and HDB Database Directives">6.2.4. BDB and HDB Database Directives</A></UL>
+<A HREF="#BDB and HDB Database Directives">6.2.4. BDB and HDB Database Directives</A></UL></UL>
 <BR>
-<A HREF="#The access Configuration Directive">6.3. The access Configuration Directive</A><UL>
-<A HREF="#What to control access to">6.3.1. What to control access to</A>
+<A HREF="#Access Control">7. Access Control</A><UL>
+<A HREF="#Introduction">7.1. Introduction</A>
 <BR>
-<A HREF="#Who to grant access to">6.3.2. Who to grant access to</A>
+<A HREF="#Access Control via Static Configuration">7.2. Access Control via Static Configuration</A><UL>
+<A HREF="#What to control access to">7.2.1. What to control access to</A>
 <BR>
-<A HREF="#The access to grant">6.3.3. The access to grant</A>
+<A HREF="#Who to grant access to">7.2.2. Who to grant access to</A>
 <BR>
-<A HREF="#Access Control Evaluation">6.3.4. Access Control Evaluation</A>
+<A HREF="#The access to grant">7.2.3. The access to grant</A>
 <BR>
-<A HREF="#Access Control Examples">6.3.5. Access Control Examples</A></UL>
+<A HREF="#Access Control Evaluation">7.2.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#Configuration File Example">6.4. Configuration File Example</A></UL>
+<A HREF="#Access Control Examples">7.2.5. Access Control Examples</A>
 <BR>
-<A HREF="#Running slapd">7. Running slapd</A><UL>
-<A HREF="#Command-Line Options">7.1. Command-Line Options</A>
+<A HREF="#Configuration File Example">7.2.6. Configuration File Example</A></UL>
 <BR>
-<A HREF="#Starting slapd">7.2. Starting slapd</A>
+<A HREF="#Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A><UL>
+<A HREF="#What to control access to">7.3.1. What to control access to</A>
 <BR>
-<A HREF="#Stopping slapd">7.3. Stopping slapd</A></UL>
+<A HREF="#Who to grant access to">7.3.2. Who to grant access to</A>
 <BR>
-<A HREF="#Database Creation and Maintenance Tools">8. Database Creation and Maintenance Tools</A><UL>
-<A HREF="#Creating a database over LDAP">8.1. Creating a database over LDAP</A>
+<A HREF="#The access to grant">7.3.3. The access to grant</A>
 <BR>
-<A HREF="#Creating a database off-line">8.2. Creating a database off-line</A><UL>
-<A HREF="#The {{EX:slapadd}} program">8.2.1. The <TT>slapadd</TT> program</A>
+<A HREF="#Access Control Evaluation">7.3.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#The {{EX:slapindex}} program">8.2.2. The <TT>slapindex</TT> program</A>
+<A HREF="#Access Control Examples">7.3.5. Access Control Examples</A>
 <BR>
-<A HREF="#The {{EX:slapcat}} program">8.2.3. The <TT>slapcat</TT> program</A></UL>
+<A HREF="#Access Control Ordering">7.3.6. Access Control Ordering</A>
 <BR>
-<A HREF="#The LDIF text entry format">8.3. The LDIF text entry format</A></UL>
+<A HREF="#Configuration Example">7.3.7. Configuration Example</A>
 <BR>
-<A HREF="#Backends">9. Backends</A><UL>
-<A HREF="#Berkeley DB Backends">9.1. Berkeley DB Backends</A><UL>
-<A HREF="#Overview">9.1.1. Overview</A>
+<A HREF="#Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></UL>
 <BR>
-<A HREF="#back-bdb/back-hdb Configuration">9.1.2. back-bdb/back-hdb Configuration</A>
+<A HREF="#Access Control Common Examples">7.4. Access Control Common Examples</A><UL>
+<A HREF="#Basic ACLs">7.4.1. Basic ACLs</A>
 <BR>
-<A HREF="#Further Information">9.1.3. Further Information</A></UL>
+<A HREF="#Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A>
 <BR>
-<A HREF="#LDAP">9.2. LDAP</A><UL>
-<A HREF="#Overview">9.2.1. Overview</A>
+<A HREF="#Controlling rootdn access">7.4.3. Controlling rootdn access</A>
 <BR>
-<A HREF="#back-ldap Configuration">9.2.2. back-ldap Configuration</A>
+<A HREF="#Managing access with Groups">7.4.4. Managing access with Groups</A>
 <BR>
-<A HREF="#Further Information">9.2.3. Further Information</A></UL>
+<A HREF="#Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A>
 <BR>
-<A HREF="#LDIF">9.3. LDIF</A><UL>
-<A HREF="#Overview">9.3.1. Overview</A>
+<A HREF="#Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A>
 <BR>
-<A HREF="#back-ldif Configuration">9.3.2. back-ldif Configuration</A>
+<A HREF="#Allowing entry creation">7.4.7. Allowing entry creation</A>
 <BR>
-<A HREF="#Further Information">9.3.3. Further Information</A></UL>
+<A HREF="#Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A>
 <BR>
-<A HREF="#Metadirectory">9.4. Metadirectory</A><UL>
-<A HREF="#Overview">9.4.1. Overview</A>
+<A HREF="#Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A>
 <BR>
-<A HREF="#back-meta Configuration">9.4.2. back-meta Configuration</A>
+<A HREF="#When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></UL>
 <BR>
-<A HREF="#Further Information">9.4.3. Further Information</A></UL>
+<A HREF="#Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A><UL>
+<A HREF="#Groups of Groups">7.5.1. Groups of Groups</A>
 <BR>
-<A HREF="#Monitor">9.5. Monitor</A><UL>
-<A HREF="#Overview">9.5.1. Overview</A>
+<A HREF="#Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A>
 <BR>
-<A HREF="#back-monitor Configuration">9.5.2. back-monitor Configuration</A>
+<A HREF="#Following references">7.5.3. Following references</A></UL></UL>
 <BR>
-<A HREF="#Further Information">9.5.3. Further Information</A></UL>
+<A HREF="#Running slapd">8. Running slapd</A><UL>
+<A HREF="#Command-Line Options">8.1. Command-Line Options</A>
 <BR>
-<A HREF="#Null">9.6. Null</A><UL>
-<A HREF="#Overview">9.6.1. Overview</A>
+<A HREF="#Starting slapd">8.2. Starting slapd</A>
 <BR>
-<A HREF="#back-null Configuration">9.6.2. back-null Configuration</A>
+<A HREF="#Stopping slapd">8.3. Stopping slapd</A></UL>
 <BR>
-<A HREF="#Further Information">9.6.3. Further Information</A></UL>
+<A HREF="#Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A><UL>
+<A HREF="#Creating a database over LDAP">9.1. Creating a database over LDAP</A>
 <BR>
-<A HREF="#Passwd">9.7. Passwd</A><UL>
-<A HREF="#Overview">9.7.1. Overview</A>
+<A HREF="#Creating a database off-line">9.2. Creating a database off-line</A><UL>
+<A HREF="#The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A>
 <BR>
-<A HREF="#back-passwd Configuration">9.7.2. back-passwd Configuration</A>
+<A HREF="#The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A>
 <BR>
-<A HREF="#Further Information">9.7.3. Further Information</A></UL>
+<A HREF="#The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></UL>
 <BR>
-<A HREF="#Perl/Shell">9.8. Perl/Shell</A><UL>
-<A HREF="#Overview">9.8.1. Overview</A>
+<A HREF="#The LDIF text entry format">9.3. The LDIF text entry format</A></UL>
 <BR>
-<A HREF="#back-perl/back-shell Configuration">9.8.2. back-perl/back-shell Configuration</A>
+<A HREF="#Backends">10. Backends</A><UL>
+<A HREF="#Berkeley DB Backends">10.1. Berkeley DB Backends</A><UL>
+<A HREF="#Overview">10.1.1. Overview</A>
 <BR>
-<A HREF="#Further Information">9.8.3. Further Information</A></UL>
+<A HREF="#back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A>
 <BR>
-<A HREF="#Relay">9.9. Relay</A><UL>
-<A HREF="#Overview">9.9.1. Overview</A>
+<A HREF="#Further Information">10.1.3. Further Information</A></UL>
 <BR>
-<A HREF="#back-relay Configuration">9.9.2. back-relay Configuration</A>
+<A HREF="#LDAP">10.2. LDAP</A><UL>
+<A HREF="#Overview">10.2.1. Overview</A>
 <BR>
-<A HREF="#Further Information">9.9.3. Further Information</A></UL>
+<A HREF="#back-ldap Configuration">10.2.2. back-ldap Configuration</A>
 <BR>
-<A HREF="#SQL">9.10. SQL</A><UL>
-<A HREF="#Overview">9.10.1. Overview</A>
+<A HREF="#Further Information">10.2.3. Further Information</A></UL>
 <BR>
-<A HREF="#back-sql Configuration">9.10.2. back-sql Configuration</A>
-<BR>
-<A HREF="#Further Information">9.10.3. Further Information</A></UL></UL>
-<BR>
-<A HREF="#Overlays">10. Overlays</A><UL>
-<A HREF="#Access Logging">10.1. Access Logging</A><UL>
-<A HREF="#Overview">10.1.1. Overview</A>
-<BR>
-<A HREF="#Access Logging Configuration">10.1.2. Access Logging Configuration</A></UL>
-<BR>
-<A HREF="#Audit Logging">10.2. Audit Logging</A><UL>
-<A HREF="#Overview">10.2.1. Overview</A>
-<BR>
-<A HREF="#Audit Logging Configuration">10.2.2. Audit Logging Configuration</A></UL>
-<BR>
-<A HREF="#Chaining">10.3. Chaining</A><UL>
+<A HREF="#LDIF">10.3. LDIF</A><UL>
 <A HREF="#Overview">10.3.1. Overview</A>
 <BR>
-<A HREF="#Chaining Configuration">10.3.2. Chaining Configuration</A>
+<A HREF="#back-ldif Configuration">10.3.2. back-ldif Configuration</A>
 <BR>
-<A HREF="#Handling Chaining Errors">10.3.3. Handling Chaining Errors</A></UL>
+<A HREF="#Further Information">10.3.3. Further Information</A></UL>
 <BR>
-<A HREF="#Constraints">10.4. Constraints</A><UL>
+<A HREF="#Metadirectory">10.4. Metadirectory</A><UL>
 <A HREF="#Overview">10.4.1. Overview</A>
 <BR>
-<A HREF="#Constraint Configuration">10.4.2. Constraint Configuration</A></UL>
+<A HREF="#back-meta Configuration">10.4.2. back-meta Configuration</A>
 <BR>
-<A HREF="#Dynamic Directory Services">10.5. Dynamic Directory Services</A><UL>
+<A HREF="#Further Information">10.4.3. Further Information</A></UL>
+<BR>
+<A HREF="#Monitor">10.5. Monitor</A><UL>
 <A HREF="#Overview">10.5.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Directory Service Configuration">10.5.2. Dynamic Directory Service Configuration</A></UL>
+<A HREF="#back-monitor Configuration">10.5.2. back-monitor Configuration</A>
 <BR>
-<A HREF="#Dynamic Groups">10.6. Dynamic Groups</A><UL>
+<A HREF="#Further Information">10.5.3. Further Information</A></UL>
+<BR>
+<A HREF="#Null">10.6. Null</A><UL>
 <A HREF="#Overview">10.6.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Group Configuration">10.6.2. Dynamic Group Configuration</A></UL>
+<A HREF="#back-null Configuration">10.6.2. back-null Configuration</A>
 <BR>
-<A HREF="#Dynamic Lists">10.7. Dynamic Lists</A><UL>
+<A HREF="#Further Information">10.6.3. Further Information</A></UL>
+<BR>
+<A HREF="#Passwd">10.7. Passwd</A><UL>
 <A HREF="#Overview">10.7.1. Overview</A>
 <BR>
-<A HREF="#Dynamic List Configuration">10.7.2. Dynamic List Configuration</A></UL>
+<A HREF="#back-passwd Configuration">10.7.2. back-passwd Configuration</A>
 <BR>
-<A HREF="#Reverse Group Membership Maintenance">10.8. Reverse Group Membership Maintenance</A><UL>
+<A HREF="#Further Information">10.7.3. Further Information</A></UL>
+<BR>
+<A HREF="#Perl/Shell">10.8. Perl/Shell</A><UL>
 <A HREF="#Overview">10.8.1. Overview</A>
 <BR>
-<A HREF="#Member Of Configuration">10.8.2. Member Of Configuration</A></UL>
+<A HREF="#back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A>
 <BR>
-<A HREF="#The Proxy Cache Engine">10.9. The Proxy Cache Engine</A><UL>
+<A HREF="#Further Information">10.8.3. Further Information</A></UL>
+<BR>
+<A HREF="#Relay">10.9. Relay</A><UL>
 <A HREF="#Overview">10.9.1. Overview</A>
 <BR>
-<A HREF="#Proxy Cache Configuration">10.9.2. Proxy Cache Configuration</A></UL>
+<A HREF="#back-relay Configuration">10.9.2. back-relay Configuration</A>
 <BR>
-<A HREF="#Password Policies">10.10. Password Policies</A><UL>
+<A HREF="#Further Information">10.9.3. Further Information</A></UL>
+<BR>
+<A HREF="#SQL">10.10. SQL</A><UL>
 <A HREF="#Overview">10.10.1. Overview</A>
 <BR>
-<A HREF="#Password Policy Configuration">10.10.2. Password Policy Configuration</A></UL>
+<A HREF="#back-sql Configuration">10.10.2. back-sql Configuration</A>
 <BR>
-<A HREF="#Referential Integrity">10.11. Referential Integrity</A><UL>
-<A HREF="#Overview">10.11.1. Overview</A>
+<A HREF="#Further Information">10.10.3. Further Information</A></UL></UL>
 <BR>
-<A HREF="#Referential Integrity Configuration">10.11.2. Referential Integrity Configuration</A></UL>
+<A HREF="#Overlays">11. Overlays</A><UL>
+<A HREF="#Access Logging">11.1. Access Logging</A><UL>
+<A HREF="#Overview">11.1.1. Overview</A>
 <BR>
-<A HREF="#Return Code">10.12. Return Code</A><UL>
-<A HREF="#Overview">10.12.1. Overview</A>
+<A HREF="#Access Logging Configuration">11.1.2. Access Logging Configuration</A></UL>
 <BR>
-<A HREF="#Return Code Configuration">10.12.2. Return Code Configuration</A></UL>
+<A HREF="#Audit Logging">11.2. Audit Logging</A><UL>
+<A HREF="#Overview">11.2.1. Overview</A>
 <BR>
-<A HREF="#Rewrite/Remap">10.13. Rewrite/Remap</A><UL>
-<A HREF="#Overview">10.13.1. Overview</A>
+<A HREF="#Audit Logging Configuration">11.2.2. Audit Logging Configuration</A></UL>
 <BR>
-<A HREF="#Rewrite/Remap Configuration">10.13.2. Rewrite/Remap Configuration</A></UL>
+<A HREF="#Chaining">11.3. Chaining</A><UL>
+<A HREF="#Overview">11.3.1. Overview</A>
 <BR>
-<A HREF="#Sync Provider">10.14. Sync Provider</A><UL>
-<A HREF="#Overview">10.14.1. Overview</A>
+<A HREF="#Chaining Configuration">11.3.2. Chaining Configuration</A>
 <BR>
-<A HREF="#Sync Provider Configuration">10.14.2. Sync Provider Configuration</A></UL>
+<A HREF="#Handling Chaining Errors">11.3.3. Handling Chaining Errors</A></UL>
 <BR>
-<A HREF="#Translucent Proxy">10.15. Translucent Proxy</A><UL>
-<A HREF="#Overview">10.15.1. Overview</A>
+<A HREF="#Constraints">11.4. Constraints</A><UL>
+<A HREF="#Overview">11.4.1. Overview</A>
 <BR>
-<A HREF="#Translucent Proxy Configuration">10.15.2. Translucent Proxy Configuration</A></UL>
+<A HREF="#Constraint Configuration">11.4.2. Constraint Configuration</A></UL>
 <BR>
-<A HREF="#Attribute Uniqueness">10.16. Attribute Uniqueness</A><UL>
-<A HREF="#Overview">10.16.1. Overview</A>
+<A HREF="#Dynamic Directory Services">11.5. Dynamic Directory Services</A><UL>
+<A HREF="#Overview">11.5.1. Overview</A>
 <BR>
-<A HREF="#Attribute Uniqueness Configuration">10.16.2. Attribute Uniqueness Configuration</A></UL>
+<A HREF="#Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A></UL>
 <BR>
-<A HREF="#Value Sorting">10.17. Value Sorting</A><UL>
-<A HREF="#Overview">10.17.1. Overview</A>
+<A HREF="#Dynamic Groups">11.6. Dynamic Groups</A><UL>
+<A HREF="#Overview">11.6.1. Overview</A>
 <BR>
-<A HREF="#Value Sorting Configuration">10.17.2. Value Sorting Configuration</A></UL>
+<A HREF="#Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></UL>
 <BR>
-<A HREF="#Overlay Stacking">10.18. Overlay Stacking</A><UL>
-<A HREF="#Overview">10.18.1. Overview</A>
+<A HREF="#Dynamic Lists">11.7. Dynamic Lists</A><UL>
+<A HREF="#Overview">11.7.1. Overview</A>
 <BR>
-<A HREF="#Example Scenarios">10.18.2. Example Scenarios</A></UL></UL>
+<A HREF="#Dynamic List Configuration">11.7.2. Dynamic List Configuration</A></UL>
 <BR>
-<A HREF="#Schema Specification">11. Schema Specification</A><UL>
-<A HREF="#Distributed Schema Files">11.1. Distributed Schema Files</A>
+<A HREF="#Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A><UL>
+<A HREF="#Overview">11.8.1. Overview</A>
 <BR>
-<A HREF="#Extending Schema">11.2. Extending Schema</A><UL>
-<A HREF="#Object Identifiers">11.2.1. Object Identifiers</A>
+<A HREF="#Member Of Configuration">11.8.2. Member Of Configuration</A></UL>
 <BR>
-<A HREF="#Naming Elements">11.2.2. Naming Elements</A>
+<A HREF="#The Proxy Cache Engine">11.9. The Proxy Cache Engine</A><UL>
+<A HREF="#Overview">11.9.1. Overview</A>
 <BR>
-<A HREF="#Local schema file">11.2.3. Local schema file</A>
+<A HREF="#Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A></UL>
 <BR>
-<A HREF="#Attribute Type Specification">11.2.4. Attribute Type Specification</A>
+<A HREF="#Password Policies">11.10. Password Policies</A><UL>
+<A HREF="#Overview">11.10.1. Overview</A>
 <BR>
-<A HREF="#Object Class Specification">11.2.5. Object Class Specification</A>
+<A HREF="#Password Policy Configuration">11.10.2. Password Policy Configuration</A></UL>
 <BR>
-<A HREF="#OID Macros">11.2.6. OID Macros</A></UL></UL>
+<A HREF="#Referential Integrity">11.11. Referential Integrity</A><UL>
+<A HREF="#Overview">11.11.1. Overview</A>
 <BR>
-<A HREF="#Security Considerations">12. Security Considerations</A><UL>
-<A HREF="#Network Security">12.1. Network Security</A><UL>
-<A HREF="#Selective Listening">12.1.1. Selective Listening</A>
+<A HREF="#Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A></UL>
 <BR>
-<A HREF="#IP Firewall">12.1.2. IP Firewall</A>
+<A HREF="#Return Code">11.12. Return Code</A><UL>
+<A HREF="#Overview">11.12.1. Overview</A>
 <BR>
-<A HREF="#TCP Wrappers">12.1.3. TCP Wrappers</A></UL>
+<A HREF="#Return Code Configuration">11.12.2. Return Code Configuration</A></UL>
 <BR>
-<A HREF="#Data Integrity and Confidentiality Protection">12.2. Data Integrity and Confidentiality Protection</A><UL>
-<A HREF="#Security Strength Factors">12.2.1. Security Strength Factors</A></UL>
+<A HREF="#Rewrite/Remap">11.13. Rewrite/Remap</A><UL>
+<A HREF="#Overview">11.13.1. Overview</A>
 <BR>
-<A HREF="#Authentication Methods">12.3. Authentication Methods</A><UL>
-<A HREF="#&quot;simple&quot; method">12.3.1. &quot;simple&quot; method</A>
+<A HREF="#Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A></UL>
 <BR>
-<A HREF="#SASL method">12.3.2. SASL method</A></UL></UL>
+<A HREF="#Sync Provider">11.14. Sync Provider</A><UL>
+<A HREF="#Overview">11.14.1. Overview</A>
 <BR>
-<A HREF="#Using SASL">13. Using SASL</A><UL>
-<A HREF="#SASL Security Considerations">13.1. SASL Security Considerations</A>
+<A HREF="#Sync Provider Configuration">11.14.2. Sync Provider Configuration</A></UL>
 <BR>
-<A HREF="#SASL Authentication">13.2. SASL Authentication</A><UL>
-<A HREF="#GSSAPI">13.2.1. GSSAPI</A>
+<A HREF="#Translucent Proxy">11.15. Translucent Proxy</A><UL>
+<A HREF="#Overview">11.15.1. Overview</A>
 <BR>
-<A HREF="#KERBEROS_V4">13.2.2. KERBEROS_V4</A>
+<A HREF="#Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A></UL>
 <BR>
-<A HREF="#DIGEST-MD5">13.2.3. DIGEST-MD5</A>
+<A HREF="#Attribute Uniqueness">11.16. Attribute Uniqueness</A><UL>
+<A HREF="#Overview">11.16.1. Overview</A>
 <BR>
-<A HREF="#Mapping Authentication Identities">13.2.4. Mapping Authentication Identities</A>
+<A HREF="#Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A></UL>
 <BR>
-<A HREF="#Direct Mapping">13.2.5. Direct Mapping</A>
+<A HREF="#Value Sorting">11.17. Value Sorting</A><UL>
+<A HREF="#Overview">11.17.1. Overview</A>
 <BR>
-<A HREF="#Search-based mappings">13.2.6. Search-based mappings</A></UL>
+<A HREF="#Value Sorting Configuration">11.17.2. Value Sorting Configuration</A></UL>
 <BR>
-<A HREF="#SASL Proxy Authorization">13.3. SASL Proxy Authorization</A><UL>
-<A HREF="#Uses of Proxy Authorization">13.3.1. Uses of Proxy Authorization</A>
+<A HREF="#Overlay Stacking">11.18. Overlay Stacking</A><UL>
+<A HREF="#Overview">11.18.1. Overview</A>
 <BR>
-<A HREF="#SASL Authorization Identities">13.3.2. SASL Authorization Identities</A>
+<A HREF="#Example Scenarios">11.18.2. Example Scenarios</A></UL></UL>
 <BR>
-<A HREF="#Proxy Authorization Rules">13.3.3. Proxy Authorization Rules</A></UL></UL>
+<A HREF="#Schema Specification">12. Schema Specification</A><UL>
+<A HREF="#Distributed Schema Files">12.1. Distributed Schema Files</A>
 <BR>
-<A HREF="#Using TLS">14. Using TLS</A><UL>
-<A HREF="#TLS Certificates">14.1. TLS Certificates</A><UL>
-<A HREF="#Server Certificates">14.1.1. Server Certificates</A>
+<A HREF="#Extending Schema">12.2. Extending Schema</A><UL>
+<A HREF="#Object Identifiers">12.2.1. Object Identifiers</A>
 <BR>
-<A HREF="#Client Certificates">14.1.2. Client Certificates</A></UL>
+<A HREF="#Naming Elements">12.2.2. Naming Elements</A>
 <BR>
-<A HREF="#TLS Configuration">14.2. TLS Configuration</A><UL>
-<A HREF="#Server Configuration">14.2.1. Server Configuration</A>
+<A HREF="#Local schema file">12.2.3. Local schema file</A>
 <BR>
-<A HREF="#Client Configuration">14.2.2. Client Configuration</A></UL></UL>
+<A HREF="#Attribute Type Specification">12.2.4. Attribute Type Specification</A>
 <BR>
-<A HREF="#Constructing a Distributed Directory Service">15. Constructing a Distributed Directory Service</A><UL>
-<A HREF="#Subordinate Knowledge Information">15.1. Subordinate Knowledge Information</A>
+<A HREF="#Object Class Specification">12.2.5. Object Class Specification</A>
 <BR>
-<A HREF="#Superior Knowledge Information">15.2. Superior Knowledge Information</A>
+<A HREF="#OID Macros">12.2.6. OID Macros</A></UL></UL>
 <BR>
-<A HREF="#The ManageDsaIT Control">15.3. The ManageDsaIT Control</A></UL>
+<A HREF="#Security Considerations">13. Security Considerations</A><UL>
+<A HREF="#Network Security">13.1. Network Security</A><UL>
+<A HREF="#Selective Listening">13.1.1. Selective Listening</A>
 <BR>
-<A HREF="#Replication">16. Replication</A><UL>
-<A HREF="#Replication Strategies">16.1. Replication Strategies</A><UL>
-<A HREF="#Push Based">16.1.1. Push Based</A>
+<A HREF="#IP Firewall">13.1.2. IP Firewall</A>
 <BR>
-<A HREF="#Pull Based">16.1.2. Pull Based</A></UL>
+<A HREF="#TCP Wrappers">13.1.3. TCP Wrappers</A></UL>
 <BR>
-<A HREF="#Replication Types">16.2. Replication Types</A><UL>
-<A HREF="#syncrepl replication">16.2.1. syncrepl replication</A>
+<A HREF="#Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A><UL>
+<A HREF="#Security Strength Factors">13.2.1. Security Strength Factors</A></UL>
 <BR>
-<A HREF="#delta-syncrepl replication">16.2.2. delta-syncrepl replication</A>
+<A HREF="#Authentication Methods">13.3. Authentication Methods</A><UL>
+<A HREF="#&quot;simple&quot; method">13.3.1. &quot;simple&quot; method</A>
 <BR>
-<A HREF="#N-Way Multi-Master replication">16.2.3. N-Way Multi-Master replication</A>
+<A HREF="#SASL method">13.3.2. SASL method</A></UL></UL>
 <BR>
-<A HREF="#MirrorMode replication">16.2.4. MirrorMode replication</A></UL>
+<A HREF="#Using SASL">14. Using SASL</A><UL>
+<A HREF="#SASL Security Considerations">14.1. SASL Security Considerations</A>
 <BR>
-<A HREF="#LDAP Sync Replication">16.3. LDAP Sync Replication</A><UL>
-<A HREF="#The LDAP Content Synchronization Protocol">16.3.1. The LDAP Content Synchronization Protocol</A>
+<A HREF="#SASL Authentication">14.2. SASL Authentication</A><UL>
+<A HREF="#GSSAPI">14.2.1. GSSAPI</A>
 <BR>
-<A HREF="#Syncrepl Details">16.3.2. Syncrepl Details</A>
+<A HREF="#KERBEROS_V4">14.2.2. KERBEROS_V4</A>
 <BR>
-<A HREF="#Configuring Syncrepl">16.3.3. Configuring Syncrepl</A></UL>
+<A HREF="#DIGEST-MD5">14.2.3. DIGEST-MD5</A>
 <BR>
-<A HREF="#N-Way Multi-Master">16.4. N-Way Multi-Master</A>
+<A HREF="#Mapping Authentication Identities">14.2.4. Mapping Authentication Identities</A>
 <BR>
-<A HREF="#MirrorMode">16.5. MirrorMode</A><UL>
-<A HREF="#Arguments for MirrorMode">16.5.1. Arguments for MirrorMode</A>
+<A HREF="#Direct Mapping">14.2.5. Direct Mapping</A>
 <BR>
-<A HREF="#Arguments against MirrorMode">16.5.2. Arguments against MirrorMode</A>
+<A HREF="#Search-based mappings">14.2.6. Search-based mappings</A></UL>
 <BR>
-<A HREF="#MirrorMode Configuration">16.5.3. MirrorMode Configuration</A>
+<A HREF="#SASL Proxy Authorization">14.3. SASL Proxy Authorization</A><UL>
+<A HREF="#Uses of Proxy Authorization">14.3.1. Uses of Proxy Authorization</A>
 <BR>
-<A HREF="#MirrorMode Summary">16.5.4. MirrorMode Summary</A></UL></UL>
+<A HREF="#SASL Authorization Identities">14.3.2. SASL Authorization Identities</A>
 <BR>
-<A HREF="#Maintenance">17. Maintenance</A><UL>
-<A HREF="#Directory Backups">17.1. Directory Backups</A>
+<A HREF="#Proxy Authorization Rules">14.3.3. Proxy Authorization Rules</A></UL></UL>
 <BR>
-<A HREF="#Berkeley DB Logs">17.2. Berkeley DB Logs</A>
+<A HREF="#Using TLS">15. Using TLS</A><UL>
+<A HREF="#TLS Certificates">15.1. TLS Certificates</A><UL>
+<A HREF="#Server Certificates">15.1.1. Server Certificates</A>
 <BR>
-<A HREF="#Checkpointing">17.3. Checkpointing</A>
+<A HREF="#Client Certificates">15.1.2. Client Certificates</A></UL>
 <BR>
-<A HREF="#Migration">17.4. Migration</A></UL>
+<A HREF="#TLS Configuration">15.2. TLS Configuration</A><UL>
+<A HREF="#Server Configuration">15.2.1. Server Configuration</A>
 <BR>
-<A HREF="#Monitoring">18. Monitoring</A><UL>
-<A HREF="#Monitor configuration via cn=config(5)">18.1. Monitor configuration via cn=config(5)</A>
+<A HREF="#Client Configuration">15.2.2. Client Configuration</A></UL></UL>
 <BR>
-<A HREF="#Monitor configuration via slapd.conf(5)">18.2. Monitor configuration via slapd.conf(5)</A>
+<A HREF="#Constructing a Distributed Directory Service">16. Constructing a Distributed Directory Service</A><UL>
+<A HREF="#Subordinate Knowledge Information">16.1. Subordinate Knowledge Information</A>
 <BR>
-<A HREF="#Accessing Monitoring Information">18.3. Accessing Monitoring Information</A>
+<A HREF="#Superior Knowledge Information">16.2. Superior Knowledge Information</A>
 <BR>
-<A HREF="#Monitor Information">18.4. Monitor Information</A><UL>
-<A HREF="#Backends">18.4.1. Backends</A>
+<A HREF="#The ManageDsaIT Control">16.3. The ManageDsaIT Control</A></UL>
 <BR>
-<A HREF="#Connections">18.4.2. Connections</A>
+<A HREF="#Replication">17. Replication</A><UL>
+<A HREF="#Push Based">17.1. Push Based</A><UL>
+<A HREF="#Replacing Slurpd">17.1.1. Replacing Slurpd</A></UL>
 <BR>
-<A HREF="#Databases">18.4.3. Databases</A>
+<A HREF="#Pull Based">17.2. Pull Based</A><UL>
+<A HREF="#LDAP Sync Replication">17.2.1. LDAP Sync Replication</A>
 <BR>
-<A HREF="#Listener">18.4.4. Listener</A>
+<A HREF="#Delta-syncrepl replication">17.2.2. Delta-syncrepl replication</A></UL>
 <BR>
-<A HREF="#Log">18.4.5. Log</A>
+<A HREF="#Mixture of both Pull and Push based">17.3. Mixture of both Pull and Push based</A><UL>
+<A HREF="#N-Way Multi-Master replication">17.3.1. N-Way Multi-Master replication</A>
 <BR>
-<A HREF="#Operations">18.4.6. Operations</A>
+<A HREF="#MirrorMode replication">17.3.2. MirrorMode replication</A></UL>
 <BR>
-<A HREF="#Overlays">18.4.7. Overlays</A>
+<A HREF="#Configuring the different replication types">17.4. Configuring the different replication types</A><UL>
+<A HREF="#Syncrepl">17.4.1. Syncrepl</A>
 <BR>
-<A HREF="#SASL">18.4.8. SASL</A>
+<A HREF="#Delta-syncrepl">17.4.2. Delta-syncrepl</A>
 <BR>
-<A HREF="#Statistics">18.4.9. Statistics</A>
+<A HREF="#N-Way Multi-Master">17.4.3. N-Way Multi-Master</A>
 <BR>
-<A HREF="#Threads">18.4.10. Threads</A>
+<A HREF="#MirrorMode">17.4.4. MirrorMode</A></UL></UL>
 <BR>
-<A HREF="#Time">18.4.11. Time</A>
+<A HREF="#Maintenance">18. Maintenance</A><UL>
+<A HREF="#Directory Backups">18.1. Directory Backups</A>
 <BR>
-<A HREF="#TLS">18.4.12. TLS</A>
+<A HREF="#Berkeley DB Logs">18.2. Berkeley DB Logs</A>
 <BR>
-<A HREF="#Waiters">18.4.13. Waiters</A></UL></UL>
+<A HREF="#Checkpointing">18.3. Checkpointing</A>
 <BR>
-<A HREF="#Tuning">19. Tuning</A><UL>
-<A HREF="#Performance Factors">19.1. Performance Factors</A><UL>
-<A HREF="#Memory">19.1.1. Memory</A>
+<A HREF="#Migration">18.4. Migration</A></UL>
 <BR>
-<A HREF="#Disks">19.1.2. Disks</A>
+<A HREF="#Monitoring">19. Monitoring</A><UL>
+<A HREF="#Monitor configuration via cn=config(5)">19.1. Monitor configuration via cn=config(5)</A>
 <BR>
-<A HREF="#Network Topology">19.1.3. Network Topology</A>
+<A HREF="#Monitor configuration via slapd.conf(5)">19.2. Monitor configuration via slapd.conf(5)</A>
 <BR>
-<A HREF="#Directory Layout Design">19.1.4. Directory Layout Design</A>
+<A HREF="#Accessing Monitoring Information">19.3. Accessing Monitoring Information</A>
 <BR>
-<A HREF="#Expected Usage">19.1.5. Expected Usage</A></UL>
+<A HREF="#Monitor Information">19.4. Monitor Information</A><UL>
+<A HREF="#Backends">19.4.1. Backends</A>
 <BR>
-<A HREF="#Indexes">19.2. Indexes</A><UL>
-<A HREF="#Understanding how a search works">19.2.1. Understanding how a search works</A>
+<A HREF="#Connections">19.4.2. Connections</A>
 <BR>
-<A HREF="#What to index">19.2.2. What to index</A>
+<A HREF="#Databases">19.4.3. Databases</A>
 <BR>
-<A HREF="#Presence indexing">19.2.3. Presence indexing</A></UL>
+<A HREF="#Listener">19.4.4. Listener</A>
 <BR>
-<A HREF="#Logging">19.3. Logging</A><UL>
-<A HREF="#What log level to use">19.3.1. What log level to use</A>
+<A HREF="#Log">19.4.5. Log</A>
 <BR>
-<A HREF="#What to watch out for">19.3.2. What to watch out for</A>
+<A HREF="#Operations">19.4.6. Operations</A>
 <BR>
-<A HREF="#Improving throughput">19.3.3. Improving throughput</A></UL>
+<A HREF="#Overlays">19.4.7. Overlays</A>
 <BR>
-<A HREF="#BDB/HDB Database Caching">19.4. BDB/HDB Database Caching</A><UL>
-<A HREF="#Berkeley DB Cache">19.4.1. Berkeley DB Cache</A>
+<A HREF="#SASL">19.4.8. SASL</A>
 <BR>
-<A HREF="#{{slapd}}(8) Entry Cache">19.4.2. <EM>slapd</EM>(8) Entry Cache</A>
+<A HREF="#Statistics">19.4.9. Statistics</A>
 <BR>
-<A HREF="#{{TERM:IDL}} Cache">19.4.3. <TERM>IDL</TERM> Cache</A></UL></UL>
+<A HREF="#Threads">19.4.10. Threads</A>
 <BR>
-<A HREF="#Troubleshooting">20. Troubleshooting</A><UL>
-<A HREF="#User or Software errors">20.1. User or Software errors?</A>
+<A HREF="#Time">19.4.11. Time</A>
 <BR>
-<A HREF="#Checklist">20.2. Checklist</A>
+<A HREF="#TLS">19.4.12. TLS</A>
 <BR>
-<A HREF="#OpenLDAP Bugs">20.3. OpenLDAP Bugs</A>
+<A HREF="#Waiters">19.4.13. Waiters</A></UL></UL>
 <BR>
-<A HREF="#3rd party software error">20.4. 3rd party software error</A>
+<A HREF="#Tuning">20. Tuning</A><UL>
+<A HREF="#Performance Factors">20.1. Performance Factors</A><UL>
+<A HREF="#Memory">20.1.1. Memory</A>
 <BR>
-<A HREF="#How to contact the OpenLDAP Project">20.5. How to contact the OpenLDAP Project</A>
+<A HREF="#Disks">20.1.2. Disks</A>
 <BR>
-<A HREF="#How to present your problem">20.6. How to present your problem</A>
+<A HREF="#Network Topology">20.1.3. Network Topology</A>
 <BR>
-<A HREF="#Debugging {{slapd}}(8)">20.7. Debugging <EM>slapd</EM>(8)</A>
+<A HREF="#Directory Layout Design">20.1.4. Directory Layout Design</A>
 <BR>
-<A HREF="#Commercial Support">20.8. Commercial Support</A></UL>
+<A HREF="#Expected Usage">20.1.5. Expected Usage</A></UL>
 <BR>
+<A HREF="#Indexes">20.2. Indexes</A><UL>
+<A HREF="#Understanding how a search works">20.2.1. Understanding how a search works</A>
+<BR>
+<A HREF="#What to index">20.2.2. What to index</A>
+<BR>
+<A HREF="#Presence indexing">20.2.3. Presence indexing</A></UL>
+<BR>
+<A HREF="#Logging">20.3. Logging</A><UL>
+<A HREF="#What log level to use">20.3.1. What log level to use</A>
+<BR>
+<A HREF="#What to watch out for">20.3.2. What to watch out for</A>
+<BR>
+<A HREF="#Improving throughput">20.3.3. Improving throughput</A></UL>
+<BR>
+<A HREF="#Caching">20.4. Caching</A><UL>
+<A HREF="#Berkeley DB Cache">20.4.1. Berkeley DB Cache</A>
+<BR>
+<A HREF="#{{slapd}}(8) Entry Cache (cachesize)">20.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A>
+<BR>
+<A HREF="#{{TERM:IDL}} Cache (idlcachesize)">20.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A>
+<BR>
+<A HREF="#{{slapd}}(8) Threads">20.4.4. <EM>slapd</EM>(8) Threads</A></UL></UL>
+<BR>
+<A HREF="#Troubleshooting">21. Troubleshooting</A><UL>
+<A HREF="#User or Software errors">21.1. User or Software errors?</A>
+<BR>
+<A HREF="#Checklist">21.2. Checklist</A>
+<BR>
+<A HREF="#OpenLDAP Bugs">21.3. OpenLDAP Bugs</A>
+<BR>
+<A HREF="#3rd party software error">21.4. 3rd party software error</A>
+<BR>
+<A HREF="#How to contact the OpenLDAP Project">21.5. How to contact the OpenLDAP Project</A>
+<BR>
+<A HREF="#How to present your problem">21.6. How to present your problem</A>
+<BR>
+<A HREF="#Debugging {{slapd}}(8)">21.7. Debugging <EM>slapd</EM>(8)</A>
+<BR>
+<A HREF="#Commercial Support">21.8. Commercial Support</A></UL>
+<BR>
 <A HREF="#Changes Since Previous Release">A. Changes Since Previous Release</A><UL>
 <A HREF="#New Guide Sections">A.1. New Guide Sections</A>
 <BR>
@@ -1187,8 +1210,8 @@
 <P ALIGN="Center">Figure 3.2: Local service with referrals</P>
 <P>Use this configuration if you want to provide local service and participate in the Global Directory,  or you want to delegate responsibility for <EM>subordinate</EM> entries to another server.</P>
 <H2><A NAME="Replicated Directory Service">3.3. Replicated Directory Service</A></H2>
-<P>slapd(8) includes support for <EM>LDAP Sync</EM>-based replication, called <EM>syncrepl</EM>, which may be used to maintain shadow copies of directory information on multiple directory servers.   In its most basic configuration, the <EM>master</EM> is a syncrepl provider and one or more <EM>slave</EM> (or <EM>shadow</EM>) are syncrepl consumers.  An example master-slave configuration is shown in figure 3.3.</P>
-<P><CENTER><IMG SRC="config_repl.gif" ALIGN="center"></CENTER></P>
+<P>slapd(8) includes support for <EM>LDAP Sync</EM>-based replication, called <EM>syncrepl</EM>, which may be used to maintain shadow copies of directory information on multiple directory servers.   In its most basic configuration, the <EM>master</EM> is a syncrepl provider and one or more <EM>slave</EM> (or <EM>shadow</EM>) are syncrepl consumers.  An example master-slave configuration is shown in figure 3.3. Multi-Master configurations are also supported.</P>
+<P><CENTER><IMG SRC="config_repl.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure 3.3: Replicated Directory Services</P>
 <P>This configuration can be used in conjunction with either of the first two configurations in situations where a single <EM>slapd</EM>(8) instance does not provide the required reliability or availability.</P>
 <H2><A NAME="Distributed Local Directory Service">3.4. Distributed Local Directory Service</A></H2>
@@ -1824,7 +1847,7 @@
 </PRE>
 <P>This marks the beginning of a new <TERM>BDB</TERM> database instance.</P>
 <H4><A NAME="olcAccess: to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+">5.2.5.2. olcAccess: to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+</A></H4>
-<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;). See the <A HREF="#Access Control">Access Control</A> section of this chapter for a summary of basic usage.</P>
+<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;). See the <A HREF="#Access Control">Access Control</A> section of this guide for basic usage.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>If no <TT>olcAccess</TT> directives are specified, the default access control policy, <TT>to * by * read</TT>, allows all users (both authenticated and anonymous) read access.
 <HR WIDTH="80%" ALIGN="Left"></P>
@@ -1915,7 +1938,7 @@
 <P>The <TT>rid</TT> parameter is used for identification of the current <TT>syncrepl</TT> directive within the replication consumer server, where <TT>&lt;replica ID&gt;</TT> uniquely identifies the syncrepl specification described by the current <TT>syncrepl</TT> directive. <TT>&lt;replica ID&gt;</TT> is non-negative and is no more than three decimal digits in length.</P>
 <P>The <TT>provider</TT> parameter specifies the replication provider site containing the master content as an LDAP URI. The <TT>provider</TT> parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for &lt;hostname&gt;. Examples are <TT>ldap://provider.example.com:389</TT> or <TT>ldaps://192.168.1.1:636</TT>. If &lt;port&gt; is not given, the standard LDAP port number (389 or 636) is used. Note that the syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the <TT>replica</TT> specification is located at the provider site. <TT>syncrepl</TT> and <TT>replica</TT> directives define two independent replication mechanisms. They do not represent the replication peers of each other.</P>
 <P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only positive integers or &quot;unlimited&quot; may be specified.</P>
-<P>The <TERM>LDAP Content Sychronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
+<P>The <TERM>LDAP Content Synchronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
 <P>If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the &lt;retry interval&gt; and &lt;# of retries&gt; pairs. For example, retry=&quot;60 10 300 3&quot; lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before stop retrying. + in &lt;#  of retries&gt; means indefinite number of retries until success.</P>
 <P>The schema checking can be enforced at the LDAP Sync consumer site by turning on the <TT>schemachecking</TT> parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.</P>
 <P>The <TT>binddn</TT> parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database.</P>
@@ -1982,7 +2005,7 @@
         olcDbConfig: set_lg_dir /var/tmp/bdb-log
         olcDbConfig: set_flags DB_LOG_AUTOREMOVE
 </PRE>
-<P>In this example, the BDB cache is set to 10MB, the BDB transaction log buffer size is set to 2MB, and the transaction log files are to be stored in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to delete transaction log files as soon as their contents have been checkpointed and they are no longer needed. Without this setting the transaction log files will continue to accumulate until some other cleanup procedure removes them. See the Berkeley DB documentation for the <TT>db_archive</TT> command for details.</P>
+<P>In this example, the BDB cache is set to 10MB, the BDB transaction log buffer size is set to 2MB, and the transaction log files are to be stored in the /var/tmp/bdb-log directory. Also a flag is set to tell BDB to delete transaction log files as soon as their contents have been checkpointed and they are no longer needed. Without this setting the transaction log files will continue to accumulate until some other cleanup procedure removes them. See the Berkeley DB documentation for the <TT>db_archive</TT> command for details. For a complete list of Berkeley DB flags please see - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html">http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html</A></P>
 <P>Ideally the BDB cache must be at least as large as the working set of the database, the log buffer size should be large enough to accommodate most transactions without overflowing, and the log directory must be on a separate physical disk from the main database files. And both the database directory and the log directory should be separate from disks used for regular system activities such as the root, boot, or swap filesystems. See the FAQ-o-Matic and the Berkeley DB documentation for more details.</P>
 <H4><A NAME="olcDbNosync: { TRUE | FALSE }">5.2.6.5. olcDbNosync: { TRUE | FALSE }</A></H4>
 <P>This option causes on-disk database contents to not be immediately synchronized with in memory changes upon change.  Setting this option to <TT>TRUE</TT> may improve performance at the expense of data integrity. This directive has the same effect as using</P>
@@ -2051,443 +2074,6 @@
 olcDbIDLcacheSize: 3000
 olcDbIndex: objectClass eq
 </PRE>
-<H2><A NAME="Access Control">5.3. Access Control</A></H2>
-<P>Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:</P>
-<PRE>
-        olcAccess: &lt;access directive&gt;
-        &lt;access directive&gt; ::= to &lt;what&gt;
-                [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
-        &lt;what&gt; ::= * |
-                [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
-        &lt;basic-style&gt; ::= regex | exact
-        &lt;scope-style&gt; ::= base | one | subtree | children
-        &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
-        &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
-        &lt;who&gt; ::= * | [anonymous | users | self
-                        | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [dnattr=&lt;attrname&gt;]
-                [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
-                [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [set=&lt;setspec&gt;]
-                [aci=&lt;attrname&gt;]
-        &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
-        &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
-        &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
-        &lt;control&gt; ::= [stop | continue | break]
-</PRE>
-<P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">5.3.1. What to control access to</A></H3>
-<P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
-<PRE>
-        to *
-        to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
-        to dn.&lt;scope-style&gt;=&lt;DN&gt;
-</PRE>
-<P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
-<P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
-<P>For example, if the directory contained entries named:</P>
-<PRE>
-        0: o=suffix
-        1: cn=Manager,o=suffix
-        2: ou=people,o=suffix
-        3: uid=kdz,ou=people,o=suffix
-        4: cn=addresses,uid=kdz,ou=people,o=suffix
-        5: uid=hyc,ou=people,o=suffix
-</PRE>
-<P>Then:</P>
-<UL>
-<TT>dn.base=&quot;ou=people,o=suffix&quot;</TT> match 2;
-<BR>
-<TT>dn.one=&quot;ou=people,o=suffix&quot;</TT> match 3, and 5;
-<BR>
-<TT>dn.subtree=&quot;ou=people,o=suffix&quot;</TT> match 2, 3, 4, and 5; and
-<BR>
-<TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
-<P>Entries may also be selected using a filter:</P>
-<PRE>
-        to filter=&lt;ldap filter&gt;
-</PRE>
-<P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
-<PRE>
-        to filter=(objectClass=person)
-</PRE>
-<P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
-<PRE>
-        to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
-</PRE>
-<P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
-<PRE>
-        attrs=&lt;attribute list&gt;
-</PRE>
-<P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
-<PRE>
-        attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
-</PRE>
-<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
-<P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">5.3.2. Who to grant access to</A></H3>
-<P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
-<TABLE CLASS="columns" BORDER ALIGN='Center'>
-<CAPTION ALIGN=top>Table 5.3: Access Entity Specifiers</CAPTION>
-<TR CLASS="heading">
-<TD>
-<STRONG>Specifier</STRONG>
-</TD>
-<TD>
-<STRONG>Entities</STRONG>
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>*</TT>
-</TD>
-<TD>
-All, including anonymous and authenticated users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>anonymous</TT>
-</TD>
-<TD>
-Anonymous (non-authenticated) users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>users</TT>
-</TD>
-<TD>
-Authenticated users
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>self</TT>
-</TD>
-<TD>
-User associated with target entry
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>dn[.&lt;basic-style&gt;]=&lt;regex&gt;</TT>
-</TD>
-<TD>
-Users matching a regular expression
-</TD>
-</TR>
-<TR>
-<TD>
-<TT>dn.&lt;scope-style&gt;=&lt;DN&gt;</TT>
-</TD>
-<TD>
-Users within scope of a DN
-</TD>
-</TR>
-</TABLE>
-
-<P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
-<P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
-<PRE>
-        dnattr=&lt;dn-valued attribute name&gt;
-</PRE>
-<P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
-<P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">5.3.3. The access to grant</A></H3>
-<P>The kind of &lt;access&gt; granted can be one of the following:</P>
-<TABLE CLASS="columns" BORDER ALIGN='Center'>
-<CAPTION ALIGN=top>Table 5.4: Access Levels</CAPTION>
-<TR CLASS="heading">
-<TD ALIGN='Left'>
-<STRONG>Level</STRONG>
-</TD>
-<TD ALIGN='Right'>
-<STRONG>Privileges</STRONG>
-</TD>
-<TD ALIGN='Left'>
-<STRONG>Description</STRONG>
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>none</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=0</TT>
-</TD>
-<TD ALIGN='Left'>
-no access
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>disclose</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=d</TT>
-</TD>
-<TD ALIGN='Left'>
-needed for information disclosure on error
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>auth</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=dx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to authenticate (bind)
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>compare</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=cdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to compare
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>search</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=scdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to apply search filters
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>read</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=rscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to read search results
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>write</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=wrscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to modify/rename
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Left'>
-<TT>manage</TT>
-</TD>
-<TD ALIGN='Right'>
-<TT>=mwrscdx</TT>
-</TD>
-<TD ALIGN='Left'>
-needed to manage
-</TD>
-</TR>
-</TABLE>
-
-<P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">5.3.4. Access Control Evaluation</A></H3>
-<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition).  Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
-<P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
-<P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
-<P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">5.3.5. Access Control Examples</A></H3>
-<P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
-<P>A simple example:</P>
-<PRE>
-        olcAccess: to * by * read
-</PRE>
-<P>This access directive grants read access to everyone.</P>
-<PRE>
-        olcAccess: to *
-                by self write
-                by anonymous auth
-                by * read
-</PRE>
-<P>This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
-<P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
-<PRE>
-        olcAccess: to *
-                by ssf=128 self write
-                by ssf=64 anonymous auth
-                by ssf=64 users read
-</PRE>
-<P>This directive allows users to modify their own entries if security protections of strength 128 or better have been established, allows authentication access to anonymous users, and read access when strength 64 or better security protections have been established.  If the client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
-<P>The following example shows the use of style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
-<PRE>
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
-<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>olcAccess: to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>olcAccess: to * by * none</TT> directive.</P>
-<P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
-<PRE>
-        olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
-                by self write
-                by dn.children=dc=example,dc=com&quot; search
-                by peername.regex=IP:10\..+ read
-        olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot;
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by anonymous auth
-</PRE>
-<P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
-<P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
-<PRE>
-        olcAccess: to attrs=member,entry
-                by dnattr=member selfwrite
-</PRE>
-<P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H3><A NAME="Access Control Ordering">5.3.6. Access Control Ordering</A></H3>
-<P>Since the ordering of <TT>olcAccess</TT> directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a <TT>&quot;{X}&quot;</TT> numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings</P>
-<PRE>
-        olcAccess: to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>when you read them back using slapcat or ldapsearch they will contain</P>
-<PRE>
-        olcAccess: {0}to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        olcAccess: {2}to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>The numeric index may be used to specify a particular value to change when using ldapmodify to edit the access rules. This index can be used instead of (or in addition to) the actual access value. Using this numeric index is very helpful when multiple access rules are being managed.</P>
-<P>For example, if we needed to change the second rule above to grant write access instead of search, we could try this LDIF:</P>
-<PRE>
-        changetype: modify
-        delete: olcAccess
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * search
-        -
-        add: olcAccess
-        olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * write
-        -
-</PRE>
-<P>But this example <B>will not</B> guarantee that the existing values remain in their original order, so it will most likely yield a broken security configuration. Instead, the numeric index should be used:</P>
-<PRE>
-        changetype: modify
-        delete: olcAccess
-        olcAccess: {1}
-        -
-        add: olcAccess
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot; by * write
-        -
-</PRE>
-<P>This example deletes whatever rule is in value #1 of the <TT>olcAccess</TT> attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be</P>
-<PRE>
-        olcAccess: {0}to attrs=member,entry
-                by dnattr=member selfwrite
-        olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
-                by * write
-        olcAccess: {2}to dn.children=&quot;dc=com&quot;
-                by * read
-</PRE>
-<P>which is exactly what was intended.</P>
-<H2><A NAME="Configuration Example">5.4. Configuration Example</A></H2>
-<P>The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
-<PRE>
-  1.    # example config file - global configuration entry
-  2.    dn: cn=config
-  3.    objectClass: olcGlobal
-  4.    cn: config
-  5.    olcReferral: ldap://root.openldap.org
-  6.
-</PRE>
-<P>Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The <TT>olcReferral:</TT> directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host <TT>root.openldap.org</TT>. Line 6 is a blank line, indicating the end of this entry.</P>
-<PRE>
-  7.    # internal schema
-  8.    dn: cn=schema,cn=config
-  9.    objectClass: olcSchemaConfig
- 10.    cn: schema
- 11.
-</PRE>
-<P>Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.</P>
-<PRE>
- 12.    # include the core schema
- 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
- 14.
-</PRE>
-<P>Line 12 is a comment. Line 13 is an LDIF include directive which accesses the <EM>core</EM> schema definitions in LDIF format. Line 14 is a blank line.</P>
-<P>Next comes the database definitions. The first database is the special <TT>frontend</TT> database whose settings are applied globally to all the other databases.</P>
-<PRE>
- 15.    # global database parameters
- 16.    dn: olcDatabase=frontend,cn=config
- 17.    objectClass: olcDatabaseConfig
- 18.    olcDatabase: frontend
- 19.    olcAccess: to * by * read
- 20.
-</PRE>
-<P>Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).</P>
-<P>The next entry defines a BDB backend that will handle queries for things in the &quot;dc=example,dc=com&quot; portion of the tree. Indices are to be maintained for several attributes, and the <TT>userPassword</TT> attribute is to be protected from unauthorized access.</P>
-<PRE>
- 21.    # BDB definition for example.com
- 22.    dn: olcDatabase=bdb,cn=config
- 23.    objectClass: olcDatabaseConfig
- 24.    objectClass: olcBdbConfig
- 25.    olcDatabase: bdb
- 26.    olcSuffix: &quot;dc=example,dc=com&quot;
- 27.    olcDbDirectory: /usr/local/var/openldap-data
- 28.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
- 29.    olcRootPW: secret
- 30.    olcDbIndex: uid pres,eq
- 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
- 32.    olcDbIndex: objectClass eq
- 33.    olcAccess: to attrs=userPassword
- 34.      by self write
- 35.      by anonymous auth
- 36.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 37.      by * none
- 38.    olcAccess: to *
- 39.      by self write
- 40.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 41.      by * read
- 42.
-</PRE>
-<P>Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry.  Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.</P>
-<P>Lines 28 and 29 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
-<P>Lines 30 through 32 indicate the indices to maintain for various attributes.</P>
-<P>Lines 33 through 41 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
-<P>Line 42 is a blank line, indicating the end of this entry.</P>
-<P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 52, the read access would be allowed due to the global access rule at line 19.</P>
-<PRE>
- 43.    # BDB definition for example.net
- 44.    dn: olcDatabase=bdb,cn=config
- 45.    objectClass: olcDatabaseConfig
- 46.    objectClass: olcBdbConfig
- 47.    olcDatabase: bdb
- 48.    olcSuffix: &quot;dc=example,dc=net&quot;
- 49.    olcDbDirectory: /usr/local/var/openldap-data-net
- 50.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
- 51.    olcDbIndex: objectClass eq
- 52.    olcAccess: to * by users read
-</PRE>
-<H2><A NAME="Converting from slapd.conf(8) to a {{B:cn=config}} directory format">5.5. Converting from slapd.conf(8) to a <B>cn=config</B> directory format</A></H2>
-<P>Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)</P>
 <P></P>
 <HR>
 <H1><A NAME="The slapd Configuration File">6. The slapd Configuration File</A></H1>
@@ -2527,7 +2113,7 @@
 <H3><A NAME="Global Directives">6.2.1. Global Directives</A></H3>
 <P>Directives described in this section apply to all backends and databases unless specifically overridden in a backend or database definition.  Arguments that should be replaced by actual text are shown in brackets <TT>&lt;&gt;</TT>.</P>
 <H4><A NAME="access to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+">6.2.1.1. access to &lt;what&gt; [ by &lt;who&gt; [&lt;accesslevel&gt;] [&lt;control&gt;] ]+</A></H4>
-<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;).  See the <A HREF="#The access Configuration Directive">The access Configuration Directive</A> section of this chapter for a summary of basic usage.</P>
+<P>This directive grants access (specified by &lt;accesslevel&gt;) to a set of entries and/or attributes (specified by &lt;what&gt;) by one or more requestors (specified by &lt;who&gt;).  See the <A HREF="#Access Control">Access Control</A> section of this guide for basic usage.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>If no <TT>access</TT> directives are specified, the default access control policy, <TT>access to * by * read</TT>, allows all both authenticated and anonymous users read access.
 <HR WIDTH="80%" ALIGN="Left"></P>
@@ -2868,21 +2454,34 @@
                 [credentials=&lt;passwd&gt;]
                 [realm=&lt;realm&gt;]
                 [secprops=&lt;properties&gt;]
+                [starttls=yes|critical]
+                [tls_cert=&lt;file&gt;]
+                [tls_key=&lt;file&gt;]
+                [tls_cacert=&lt;file&gt;]
+                [tls_cacertdir=&lt;path&gt;]
+                [tls_reqcert=never|allow|try|demand]
+                [tls_ciphersuite=&lt;ciphers&gt;]
+                [tls_crlcheck=none|peer|all]
+                [logbase=&lt;base DN&gt;]
+                [logfilter=&lt;filter str&gt;]
+                [syncdata=default|accesslog|changelog]
 </PRE>
 <P>This directive specifies the current database as a replica of the master content by establishing the current <EM>slapd</EM>(8) as a replication consumer site running a syncrepl replication engine. The master database is located at the replication provider site specified by the <TT>provider</TT> parameter. The replica database is kept up-to-date with the master content using the LDAP Content Synchronization protocol. See <A HREF="http://www.rfc-editor.org/rfc/rfc4533.txt">RFC4533</A> for more information on the protocol.</P>
 <P>The <TT>rid</TT> parameter is used for identification of the current <TT>syncrepl</TT> directive within the replication consumer server, where <TT>&lt;replica ID&gt;</TT> uniquely identifies the syncrepl specification described by the current <TT>syncrepl</TT> directive. <TT>&lt;replica ID&gt;</TT> is non-negative and is no more than three decimal digits in length.</P>
 <P>The <TT>provider</TT> parameter specifies the replication provider site containing the master content as an LDAP URI. The <TT>provider</TT> parameter specifies a scheme, a host and optionally a port where the provider slapd instance can be found. Either a domain name or IP address may be used for &lt;hostname&gt;. Examples are <TT>ldap://provider.example.com:389</TT> or <TT>ldaps://192.168.1.1:636</TT>. If &lt;port&gt; is not given, the standard LDAP port number (389 or 636) is used. Note that the syncrepl uses a consumer-initiated protocol, and hence its specification is located at the consumer site, whereas the <TT>replica</TT> specification is located at the provider site. <TT>syncrepl</TT> and <TT>replica</TT> directives define two independent replication mechanisms. They do not represent the replication peers of each other.</P>
-<P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only integers or &quot;unlimited&quot; may be specified.</P>
-<P>The LDAP Content Synchronization protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider slapd. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
+<P>The content of the syncrepl replica is defined using a search specification as its result set. The consumer slapd will send search requests to the provider slapd according to the search specification. The search specification includes <TT>searchbase</TT>, <TT>scope</TT>, <TT>filter</TT>, <TT>attrs</TT>, <TT>attrsonly</TT>, <TT>sizelimit</TT>, and <TT>timelimit</TT> parameters as in the normal search specification. The <TT>searchbase</TT> parameter has no default value and must always be specified. The <TT>scope</TT> defaults to <TT>sub</TT>, the <TT>filter</TT> defaults to <TT>(objectclass=*)</TT>, <TT>attrs</TT> defaults to <TT>&quot;*,+&quot;</TT> to replicate all user and operational attributes, and <TT>attrsonly</TT> is unset by default. Both <TT>sizelimit</TT> and <TT>timelimit</TT> default to &quot;unlimited&quot;, and only positive integers or &quot;unlimited&quot; may be specified.</P>
+<P>The <TERM>LDAP Content Synchronization</TERM> protocol has two operation types: <TT>refreshOnly</TT> and <TT>refreshAndPersist</TT>. The operation type is specified by the <TT>type</TT> parameter. In the <TT>refreshOnly</TT> operation, the next synchronization search operation is periodically rescheduled at an interval time after each synchronization operation finishes. The interval is specified by the <TT>interval</TT> parameter. It is set to one day by default. In the <TT>refreshAndPersist</TT> operation, a synchronization search remains persistent in the provider <EM>slapd</EM> instance. Further updates to the master replica will generate <TT>searchResultEntry</TT> to the consumer slapd as the search responses to the persistent synchronization search.</P>
 <P>If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the &lt;retry interval&gt; and &lt;# of retries&gt; pairs. For example, retry=&quot;60 10 300 3&quot; lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next three times before stop retrying. + in &lt;#  of retries&gt; means indefinite number of retries until success.</P>
 <P>The schema checking can be enforced at the LDAP Sync consumer site by turning on the <TT>schemachecking</TT> parameter. If it is turned on, every replicated entry will be checked for its schema as the entry is stored into the replica content. Every entry in the replica should contain those attributes required by the schema definition. If it is turned off, entries will be stored without checking schema conformance. The default is off.</P>
 <P>The <TT>binddn</TT> parameter gives the DN to bind as for the syncrepl searches to the provider slapd. It should be a DN which has read access to the replication content in the master database.</P>
-<P>The <TT>bindmethod</TT> is <TT>simple</TT> or <TT>sasl</TT>, depending on whether simple password-based authentication or <TERM>SASL</TERM> authentication is to be used when connecting to the provider slapd.</P>
+<P>The <TT>bindmethod</TT> is <TT>simple</TT> or <TT>sasl</TT>, depending on whether simple password-based authentication or <TERM>SASL</TERM> authentication is to be used when connecting to the provider <EM>slapd</EM> instance.</P>
 <P>Simple authentication should not be used unless adequate data integrity and confidentiality protections are in place (e.g. TLS or IPsec). Simple authentication requires specification of <TT>binddn</TT> and <TT>credentials</TT> parameters.</P>
 <P>SASL authentication is generally recommended.  SASL authentication requires specification of a mechanism using the <TT>saslmech</TT> parameter. Depending on the mechanism, an authentication identity and/or credentials can be specified using <TT>authcid</TT> and <TT>credentials</TT>, respectively.  The <TT>authzid</TT> parameter may be used to specify an authorization identity.</P>
 <P>The <TT>realm</TT> parameter specifies a realm which a certain mechanisms authenticate the identity within. The <TT>secprops</TT> parameter specifies Cyrus SASL security properties.</P>
-<P>The syncrepl replication mechanism is supported by the two primary database backends: back-bdb and back-hdb.</P>
-<P>See the <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> chapter of the admin guide for more information on how to use this directive.</P>
+<P>The <TT>starttls</TT> parameter specifies use of the StartTLS extended operation to establish a TLS session before authenticating to the provider. If the <TT>critical</TT> argument is supplied, the session will be aborted if the StartTLS request fails.  Otherwise the syncrepl session continues without TLS.  Note that the main slapd TLS settings are not used by the syncrepl engine; by default the TLS parameters from a <EM>ldap.conf</EM>(5) configuration file will be used.  TLS settings may be specified here, in which case any <EM>ldap.conf</EM>(5) settings will be completely ignored.</P>
+<P>Rather than replicating whole entries, the consumer can query logs of data modifications.  This mode of operation is referred to as <EM>delta syncrepl</EM>.  In addition to the above parameters, the <TT>logbase</TT> and <TT>logfilter</TT> parameters must be set appropriately for the log that will be used. The <TT>syncdata</TT> parameter must be set to either <TT>&quot;accesslog&quot;</TT> if the log conforms to the <EM>slapo-accesslog</EM>(5) log format, or <TT>&quot;changelog&quot;</TT> if the log conforms to the obsolete <EM>changelog</EM> format. If the <TT>syncdata</TT> parameter is omitted or set to <TT>&quot;default&quot;</TT> then the log parameters are ignored.</P>
+<P>The <EM>syncrepl</EM> replication mechanism is supported by the <EM>bdb</EM> and <EM>hdb</EM> backends.</P>
+<P>See the <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> chapter of this guide for more information on how to use this directive.</P>
 <H4><A NAME="updateref &lt;URL&gt;">6.2.3.7. updateref &lt;URL&gt;</A></H4>
 <P>This directive is only applicable in a <EM>slave</EM> (or <EM>shadow</EM>) <EM>slapd</EM>(8) instance. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each <TERM>URL</TERM> is provided.</P>
 <P>Example:</P>
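Review bot: The added `starttls` paragraph says that without `critical` a failed StartTLS request lets the syncrepl session continue without TLS, but it does not tie this to the simple-bind warning earlier in the same hunk. With `bindmethod=simple`, the `binddn` and `credentials` values would then be sent over the unprotected connection. I would add a sentence to that paragraph such as `Use starttls=critical whenever bindmethod=simple is configured, so that the bind is never attempted without TLS.` The synopsis also lists `tls_reqcert=never|allow|try|demand` without describing the values. A short line saying that only `demand` makes a valid provider certificate mandatory would help, since replicated content may include `userPassword`. The `syncrepl` synopsis begins outside this hunk.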
@@ -2897,51 +2496,60 @@
 <PRE>
         directory /usr/local/var/openldap-data
 </PRE>
-<H2><A NAME="The access Configuration Directive">6.3. The access Configuration Directive</A></H2>
+<P></P>
+<HR>
+<H1><A NAME="Access Control">7. Access Control</A></H1>
+<H2><A NAME="Introduction">7.1. Introduction</A></H2>
+<P>As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you may need to protect by contract or by law. Or, if using the directory to control access to other services, inappropriate access to the directory may create avenues of attack to your sites security that result in devastating damage to your assets.</P>
+<P>Access to your directory can be configured via two methods, the first using <A HREF="#The slapd Configuration File">The slapd Configuration File</A> and the second using the <EM>slapd-config</EM>(5) format (<A HREF="#Configuring slapd">Configuring slapd</A>).</P>
+<P>The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the <EM>rootdn</EM> is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.</P>
+<P>As a consequence, it's useless (and results in a performance penalty) to explicitly list the <EM>rootdn</EM> among the <EM>&lt;by&gt;</EM> clauses.</P>
+<P>The following sections will describe Access Control Lists in more details and follow with some examples and recommendations.</P>
+<H2><A NAME="Access Control via Static Configuration">7.2. Access Control via Static Configuration</A></H2>
 <P>Access to entries and attributes is controlled by the access configuration file directive. The general form of an access line is:</P>
 <PRE>
-        &lt;access directive&gt; ::= access to &lt;what&gt;
-                [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
-        &lt;what&gt; ::= * |
-                [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
-        &lt;basic-style&gt; ::= regex | exact
-        &lt;scope-style&gt; ::= base | one | subtree | children
-        &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
-        &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
-        &lt;who&gt; ::= * | [anonymous | users | self
-                        | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
-                [dnattr=&lt;attrname&gt;]
-                [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
-                [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
-                [set=&lt;setspec&gt;]
-                [aci=&lt;attrname&gt;]
-        &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
-        &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
-        &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
-        &lt;control&gt; ::= [stop | continue | break]
+    &lt;access directive&gt; ::= access to &lt;what&gt;
+        [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
+    &lt;what&gt; ::= * |
+        [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
+    &lt;basic-style&gt; ::= regex | exact
+    &lt;scope-style&gt; ::= base | one | subtree | children
+    &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
+    &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
+    &lt;who&gt; ::= * | [anonymous | users | self
+            | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [dnattr=&lt;attrname&gt;]
+        [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
+        [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [set=&lt;setspec&gt;]
+        [aci=&lt;attrname&gt;]
+    &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
+    &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
+    &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+    &lt;control&gt; ::= [stop | continue | break]
 </PRE>
 <P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">6.3.1. What to control access to</A></H3>
+<H3><A NAME="What to control access to">7.2.1. What to control access to</A></H3>
 <P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
 <PRE>
-        to *
-        to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
-        to dn.&lt;scope-style&gt;=&lt;DN&gt;
+    to *
+    to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
+    to dn.&lt;scope-style&gt;=&lt;DN&gt;
 </PRE>
 <P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
 <P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
 <P>For example, if the directory contained entries named:</P>
 <PRE>
-        0: o=suffix
-        1: cn=Manager,o=suffix
-        2: ou=people,o=suffix
-        3: uid=kdz,ou=people,o=suffix
-        4: cn=addresses,uid=kdz,ou=people,o=suffix
-        5: uid=hyc,ou=people,o=suffix
+    0: o=suffix
+    1: cn=Manager,o=suffix
+    2: ou=people,o=suffix
+    3: uid=kdz,ou=people,o=suffix
+    4: cn=addresses,uid=kdz,ou=people,o=suffix
+    5: uid=hyc,ou=people,o=suffix
 </PRE>
 <P>Then:</P>
 <UL>
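Review bot: The added introduction sentence `The default access control policy is allow read by all clients` omits two conditions an administrator needs. First, "all clients" includes anonymous ones. Second, the default applies only when no access directives are configured at all. The Global Directives note in this guide states both, and the guide also says that an access list, once present, ends with an implicit `access to * by * none`. I would word it as `If no access directives are configured, the default policy allows read access to all clients, authenticated or anonymous.` so that a reader does not assume a partial ACL still falls back to read. The list opened by the trailing `<UL>` continues outside the hunk.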
@@ -2954,27 +2562,27 @@
 <TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
 <P>Entries may also be selected using a filter:</P>
 <PRE>
-        to filter=&lt;ldap filter&gt;
+    to filter=&lt;ldap filter&gt;
 </PRE>
 <P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
 <PRE>
-        to filter=(objectClass=person)
+    to filter=(objectClass=person)
 </PRE>
 <P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
 <PRE>
-        to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
+    to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
 </PRE>
 <P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
 <PRE>
-        attrs=&lt;attribute list&gt;
+    attrs=&lt;attribute list&gt;
 </PRE>
 <P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
 <PRE>
-        attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
+    attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
 </PRE>
 <P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
 <P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">6.3.2. Who to grant access to</A></H3>
+<H3><A NAME="Who to grant access to">7.2.2. Who to grant access to</A></H3>
 <P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.3: Access Entity Specifiers</CAPTION>
@@ -3039,11 +2647,11 @@
 <P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
 <P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
 <PRE>
-        dnattr=&lt;dn-valued attribute name&gt;
+    dnattr=&lt;dn-valued attribute name&gt;
 </PRE>
 <P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
 <P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">6.3.3. The access to grant</A></H3>
+<H3><A NAME="The access to grant">7.2.3. The access to grant</A></H3>
 <P>The kind of &lt;access&gt; granted can be one of the following:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.4: Access Levels</CAPTION>
@@ -3060,10 +2668,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>none</TT>
+<TT>none        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=0</TT>
+<TT>0</TT>
 </TD>
 <TD ALIGN='Left'>
 no access
@@ -3071,10 +2679,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>disclose</TT>
+<TT>disclose    =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=d</TT>
+<TT>d</TT>
 </TD>
 <TD ALIGN='Left'>
 needed for information disclosure on error
@@ -3082,10 +2690,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>auth</TT>
+<TT>auth        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=dx</TT>
+<TT>dx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to authenticate (bind)
@@ -3093,10 +2701,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>compare</TT>
+<TT>compare     =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=cdx</TT>
+<TT>cdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to compare
@@ -3104,10 +2712,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>search</TT>
+<TT>search      =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=scdx</TT>
+<TT>scdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to apply search filters
@@ -3115,10 +2723,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>read</TT>
+<TT>read        =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=rscdx</TT>
+<TT>rscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to read search results
@@ -3126,10 +2734,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>write</TT>
+<TT>write       =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=wrscdx</TT>
+<TT>wrscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to modify/rename
@@ -3137,10 +2745,10 @@
 </TR>
 <TR>
 <TD ALIGN='Left'>
-<TT>manage</TT>
+<TT>manage      =</TT>
 </TD>
 <TD ALIGN='Right'>
-<TT>=mwrscdx</TT>
+<TT>mwrscdx</TT>
 </TD>
 <TD ALIGN='Left'>
 needed to manage
@@ -3149,61 +2757,61 @@
 </TABLE>
 
 <P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">6.3.4. Access Control Evaluation</A></H3>
+<H3><A NAME="Access Control Evaluation">7.2.4. Access Control Evaluation</A></H3>
 <P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration file. For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives.  Within this priority, access directives are examined in the order in which they appear in the config file.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
 <P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
 <P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
 <P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the config file. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">6.3.5. Access Control Examples</A></H3>
+<H3><A NAME="Access Control Examples">7.2.5. Access Control Examples</A></H3>
 <P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
 <P>A simple example:</P>
 <PRE>
-        access to * by * read
+    access to * by * read
 </PRE>
 <P>This access directive grants read access to everyone.</P>
 <PRE>
-        access to *
-                by self write
-                by anonymous auth
-                by * read
+    access to *
+        by self write
+        by anonymous auth
+        by * read
 </PRE>
 <P>This directive allows the user to modify their entry, allows anonymous to authentication against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
 <P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
 <PRE>
-        access to *
-                by ssf=128 self write
-                by ssf=64 anonymous auth
-                by ssf=64 users read
+    access to *
+        by ssf=128 self write
+        by ssf=64 anonymous auth
+        by ssf=64 users read
 </PRE>
 <P>This directive allows users to modify their own entries if security protections have of strength 128 or better have been established, allows authentication access to anonymous users, and read access when 64 or better security protections have been established.  If client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
 <P>The following example shows the use of a style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
 <PRE>
-        access to dn.children=&quot;dc=example,dc=com&quot;
-                by * search
-        access to dn.children=&quot;dc=com&quot;
-                by * read
+    access to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    access to dn.children=&quot;dc=com&quot;
+         by * read
 </PRE>
 <P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
 <P>Also note that if no <TT>access to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>access to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>access to * by * none</TT> directive.</P>
 <P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
 <PRE>
-        access to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by peername.regex=IP:10\..+ read
-        access to dn.subtree=&quot;dc=example,dc=com&quot;
-                by self write
-                by dn.children=&quot;dc=example,dc=com&quot; search
-                by anonymous auth
+    access to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by peername.regex=IP:10\..+ read
+    access to dn.subtree=&quot;dc=example,dc=com&quot;
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by anonymous auth
 </PRE>
 <P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
 <P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
 <PRE>
-        access to attrs=member,entry
-                by dnattr=member selfwrite
+    access to attrs=member,entry
+         by dnattr=member selfwrite
 </PRE>
 <P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H2><A NAME="Configuration File Example">6.4. Configuration File Example</A></H2>
+<H3><A NAME="Configuration File Example">7.2.6. Configuration File Example</A></H3>
 <P>The following is an example configuration file, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
 <PRE>
   1.    # example config file - global configuration section
@@ -3227,14 +2835,14 @@
  14.    index objectClass eq
  15.    # database access control definitions
  16.    access to attrs=userPassword
- 17.            by self write
- 18.            by anonymous auth
- 19.            by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 20.            by * none
+ 17.        by self write
+ 18.        by anonymous auth
+ 19.        by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 20.        by * none
  21.    access to *
- 22.            by self write
- 23.            by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
- 24.            by * read
+ 22.        by self write
+ 23.        by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 24.        by * read
 </PRE>
 <P>Line 5 is a comment. The start of the database definition is marked by the database keyword on line 6. Line 7 specifies the DN suffix for queries to pass to this database. Line 8 specifies the directory in which the database files will live.</P>
 <P>Lines 9 and 10 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
@@ -3250,11 +2858,843 @@
  38.    index objectClass eq
  39.    access to * by users read
 </PRE>
+<H2><A NAME="Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A></H2>
+<P>Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:</P>
+<PRE>
+    olcAccess: &lt;access directive&gt;
+    &lt;access directive&gt; ::= to &lt;what&gt;
+        [by &lt;who&gt; [&lt;access&gt;] [&lt;control&gt;] ]+
+    &lt;what&gt; ::= * |
+        [dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [filter=&lt;ldapfilter&gt;] [attrs=&lt;attrlist&gt;]
+    &lt;basic-style&gt; ::= regex | exact
+    &lt;scope-style&gt; ::= base | one | subtree | children
+    &lt;attrlist&gt; ::= &lt;attr&gt; [val[.&lt;basic-style&gt;]=&lt;regex&gt;] | &lt;attr&gt; , &lt;attrlist&gt;
+    &lt;attr&gt; ::= &lt;attrname&gt; | entry | children
+    &lt;who&gt; ::= * | [anonymous | users | self
+            | dn[.&lt;basic-style&gt;]=&lt;regex&gt; | dn.&lt;scope-style&gt;=&lt;DN&gt;]
+        [dnattr=&lt;attrname&gt;]
+        [group[/&lt;objectclass&gt;[/&lt;attrname&gt;][.&lt;basic-style&gt;]]=&lt;regex&gt;]
+        [peername[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockname[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [domain[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [sockurl[.&lt;basic-style&gt;]=&lt;regex&gt;]
+        [set=&lt;setspec&gt;]
+        [aci=&lt;attrname&gt;]
+    &lt;access&gt; ::= [self]{&lt;level&gt;|&lt;priv&gt;}
+    &lt;level&gt; ::= none | disclose | auth | compare | search | read | write | manage
+    &lt;priv&gt; ::= {=|+|-}{m|w|r|s|c|x|d|0}+
+    &lt;control&gt; ::= [stop | continue | break]
+</PRE>
+<P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
+<H3><A NAME="What to control access to">7.3.1. What to control access to</A></H3>
+<P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
+<PRE>
+    to *
+    to dn[.&lt;basic-style&gt;]=&lt;regex&gt;
+    to dn.&lt;scope-style&gt;=&lt;DN&gt;
+</PRE>
+<P>The first form is used to select all entries.  The second form may be used to select entries by matching a regular expression against the target entry's <EM>normalized DN</EM>.   (The second form is not discussed further in this document.)  The third form is used to select entries which are within the requested scope of DN.  The &lt;DN&gt; is a string representation of the Distinguished Name, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4514.txt">RFC4514</A>.</P>
+<P>The scope can be either <TT>base</TT>, <TT>one</TT>, <TT>subtree</TT>, or <TT>children</TT>.  Where <TT>base</TT> matches only the entry with provided DN, <TT>one</TT> matches the entries whose parent is the provided DN, <TT>subtree</TT> matches all entries in the subtree whose root is the provided DN, and <TT>children</TT> matches all entries under the DN (but not the entry named by the DN).</P>
+<P>For example, if the directory contained entries named:</P>
+<PRE>
+    0: o=suffix
+    1: cn=Manager,o=suffix
+    2: ou=people,o=suffix
+    3: uid=kdz,ou=people,o=suffix
+    4: cn=addresses,uid=kdz,ou=people,o=suffix
+    5: uid=hyc,ou=people,o=suffix
+</PRE>
+<P>Then:</P>
+<UL>
+<TT>dn.base=&quot;ou=people,o=suffix&quot;</TT> match 2;
+<BR>
+<TT>dn.one=&quot;ou=people,o=suffix&quot;</TT> match 3, and 5;
+<BR>
+<TT>dn.subtree=&quot;ou=people,o=suffix&quot;</TT> match 2, 3, 4, and 5; and
+<BR>
+<TT>dn.children=&quot;ou=people,o=suffix&quot;</TT> match 3, 4, and 5.</UL>
+<P>Entries may also be selected using a filter:</P>
+<PRE>
+    to filter=&lt;ldap filter&gt;
+</PRE>
+<P>where &lt;ldap filter&gt; is a string representation of an LDAP search filter, as described in <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>.  For example:</P>
+<PRE>
+    to filter=(objectClass=person)
+</PRE>
+<P>Note that entries may be selected by both DN and filter by including both qualifiers in the &lt;what&gt; clause.</P>
+<PRE>
+    to dn.one=&quot;ou=people,o=suffix&quot; filter=(objectClass=person)
+</PRE>
+<P>Attributes within an entry are selected by including a comma-separated list of attribute names in the &lt;what&gt; selector:</P>
+<PRE>
+    attrs=&lt;attribute list&gt;
+</PRE>
+<P>A specific value of an attribute is selected by using a single attribute name and also using a value selector:</P>
+<PRE>
+    attrs=&lt;attribute&gt; val[.&lt;style&gt;]=&lt;regex&gt;
+</PRE>
+<P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
+<P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
+<H3><A NAME="Who to grant access to">7.3.2. Who to grant access to</A></H3>
+<P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
+<TABLE CLASS="columns" BORDER ALIGN='Center'>
+<CAPTION ALIGN=top>Table 5.3: Access Entity Specifiers</CAPTION>
+<TR CLASS="heading">
+<TD>
+<STRONG>Specifier</STRONG>
+</TD>
+<TD>
+<STRONG>Entities</STRONG>
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>*</TT>
+</TD>
+<TD>
+All, including anonymous and authenticated users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>anonymous</TT>
+</TD>
+<TD>
+Anonymous (non-authenticated) users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>users</TT>
+</TD>
+<TD>
+Authenticated users
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>self</TT>
+</TD>
+<TD>
+User associated with target entry
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>dn[.&lt;basic-style&gt;]=&lt;regex&gt;</TT>
+</TD>
+<TD>
+Users matching a regular expression
+</TD>
+</TR>
+<TR>
+<TD>
+<TT>dn.&lt;scope-style&gt;=&lt;DN&gt;</TT>
+</TD>
+<TD>
+Users within scope of a DN
+</TD>
+</TR>
+</TABLE>
+
+<P>The DN specifier behaves much like &lt;what&gt; clause DN specifiers.</P>
+<P>Other control factors are also supported.  For example, a <TT>&lt;who&gt;</TT> can be restricted by an entry listed in a DN-valued attribute in the entry to which the access applies:</P>
+<PRE>
+    dnattr=&lt;dn-valued attribute name&gt;
+</PRE>
+<P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
+<P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
+<H3><A NAME="The access to grant">7.3.3. The access to grant</A></H3>
+<P>The kind of &lt;access&gt; granted can be one of the following:</P>
+<TABLE CLASS="columns" BORDER ALIGN='Center'>
+<CAPTION ALIGN=top>Table 5.4: Access Levels</CAPTION>
+<TR CLASS="heading">
+<TD ALIGN='Left'>
+<STRONG>Level</STRONG>
+</TD>
+<TD ALIGN='Right'>
+<STRONG>Privileges</STRONG>
+</TD>
+<TD ALIGN='Left'>
+<STRONG>Description</STRONG>
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>none</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=0</TT>
+</TD>
+<TD ALIGN='Left'>
+no access
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>disclose</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=d</TT>
+</TD>
+<TD ALIGN='Left'>
+needed for information disclosure on error
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>auth</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=dx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to authenticate (bind)
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>compare</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=cdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to compare
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>search</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=scdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to apply search filters
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>read</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=rscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to read search results
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>write</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=wrscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to modify/rename
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Left'>
+<TT>manage</TT>
+</TD>
+<TD ALIGN='Right'>
+<TT>=mwrscdx</TT>
+</TD>
+<TD ALIGN='Left'>
+needed to manage
+</TD>
+</TR>
+</TABLE>
+
+<P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
+<H3><A NAME="Access Control Evaluation">7.3.4. Access Control Evaluation</A></H3>
+<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition).  Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
+<P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
+<P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
+<P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
+<H3><A NAME="Access Control Examples">7.3.5. Access Control Examples</A></H3>
+<P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
+<P>A simple example:</P>
+<PRE>
+    olcAccess: to * by * read
+</PRE>
+<P>This access directive grants read access to everyone.</P>
+<PRE>
+    olcAccess: to *
+        by self write
+        by anonymous auth
+        by * read
+</PRE>
+<P>This directive allows the user to modify their entry, allows anonymous to authenticate against these entries, and allows all others to read these entries.  Note that only the first <TT>by &lt;who&gt;</TT> clause which matches applies.  Hence, the anonymous users are granted <TT>auth</TT>, not <TT>read</TT>.  The last clause could just as well have been &quot;<TT>by users read</TT>&quot;.</P>
+<P>It is often desirable to restrict operations based upon the level of protection in place.  The following shows how security strength factors (SSF) can be used.</P>
+<PRE>
+    olcAccess: to *
+        by ssf=128 self write
+        by ssf=64 anonymous auth
+        by ssf=64 users read
+</PRE>
+<P>This directive allows users to modify their own entries if security protections of strength 128 or better have been established, allows authentication access to anonymous users, and read access when strength 64 or better security protections have been established.  If the client has not establish sufficient security protections, the implicit <TT>by * none</TT> clause would be applied.</P>
+<P>The following example shows the use of style specifiers to select the entries by DN in two access directives where ordering is significant.</P>
+<PRE>
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
+<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>olcAccess: to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>olcAccess: to * by * none</TT> directive.</P>
+<P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
+<PRE>
+    olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
+        by self write
+        by dn.children=dc=example,dc=com&quot; search
+        by peername.regex=IP:10\..+ read
+    olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot;
+        by self write
+        by dn.children=&quot;dc=example,dc=com&quot; search
+        by anonymous auth
+</PRE>
+<P>This example applies to entries in the &quot;<TT>dc=example,dc=com</TT>&quot; subtree. To all attributes except <TT>homePhone</TT>, an entry can write to itself, entries under <TT>example.com</TT> entries can search by them, anybody else has no access (implicit <TT>by * none</TT>) excepting for authentication/authorization (which is always done anonymously).  The <TT>homePhone</TT> attribute is writable by the entry, searchable by entries under <TT>example.com</TT>, readable by clients connecting from network 10, and otherwise not readable (implicit <TT>by * none</TT>).  All other access is denied by the implicit <TT>access to * by * none</TT>.</P>
+<P>Sometimes it is useful to permit a particular DN to add or remove itself from an attribute. For example, if you would like to create a group and allow people to add and remove only their own DN from the member attribute, you could accomplish it with an access directive like this:</P>
+<PRE>
+    olcAccess: to attrs=member,entry
+         by dnattr=member selfwrite
+</PRE>
+<P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
+<H3><A NAME="Access Control Ordering">7.3.6. Access Control Ordering</A></H3>
+<P>Since the ordering of <TT>olcAccess</TT> directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a <TT>&quot;{X}&quot;</TT> numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings</P>
+<PRE>
+    olcAccess: to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>when you read them back using slapcat or ldapsearch they will contain</P>
+<PRE>
+    olcAccess: {0}to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
+         by * search
+    olcAccess: {2}to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>The numeric index may be used to specify a particular value to change when using ldapmodify to edit the access rules. This index can be used instead of (or in addition to) the actual access value. Using this numeric index is very helpful when multiple access rules are being managed.</P>
+<P>For example, if we needed to change the second rule above to grant write access instead of search, we could try this LDIF:</P>
+<PRE>
+    changetype: modify
+    delete: olcAccess
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * search
+    -
+    add: olcAccess
+    olcAccess: to dn.children=&quot;dc=example,dc=com&quot; by * write
+    -
+</PRE>
+<P>But this example <B>will not</B> guarantee that the existing values remain in their original order, so it will most likely yield a broken security configuration. Instead, the numeric index should be used:</P>
+<PRE>
+    changetype: modify
+    delete: olcAccess
+    olcAccess: {1}
+    -
+    add: olcAccess
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot; by * write
+    -
+</PRE>
+<P>This example deletes whatever rule is in value #1 of the <TT>olcAccess</TT> attribute (regardless of its value) and adds a new value that is explicitly inserted as value #1. The result will be</P>
+<PRE>
+    olcAccess: {0}to attrs=member,entry
+         by dnattr=member selfwrite
+    olcAccess: {1}to dn.children=&quot;dc=example,dc=com&quot;
+         by * write
+    olcAccess: {2}to dn.children=&quot;dc=com&quot;
+         by * read
+</PRE>
+<P>which is exactly what was intended.</P>
+<H3><A NAME="Configuration Example">7.3.7. Configuration Example</A></H3>
+<P>The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
+<PRE>
+  1.    # example config file - global configuration entry
+  2.    dn: cn=config
+  3.    objectClass: olcGlobal
+  4.    cn: config
+  5.    olcReferral: ldap://root.openldap.org
+  6.
+</PRE>
+<P>Line 1 is a comment. Lines 2-4 identify this as the global configuration entry. The <TT>olcReferral:</TT> directive on line 5 means that queries not local to one of the databases defined below will be referred to the LDAP server running on the standard port (389) at the host <TT>root.openldap.org</TT>. Line 6 is a blank line, indicating the end of this entry.</P>
+<PRE>
+  7.    # internal schema
+  8.    dn: cn=schema,cn=config
+  9.    objectClass: olcSchemaConfig
+ 10.    cn: schema
+ 11.
+</PRE>
+<P>Line 7 is a comment. Lines 8-10 identify this as the root of the schema subtree. The actual schema definitions in this entry are hardcoded into slapd so no additional attributes are specified here. Line 11 is a blank line, indicating the end of this entry.</P>
+<PRE>
+ 12.    # include the core schema
+ 13.    include: file:///usr/local/etc/openldap/schema/core.ldif
+ 14.
+</PRE>
+<P>Line 12 is a comment. Line 13 is an LDIF include directive which accesses the <EM>core</EM> schema definitions in LDIF format. Line 14 is a blank line.</P>
+<P>Next comes the database definitions. The first database is the special <TT>frontend</TT> database whose settings are applied globally to all the other databases.</P>
+<PRE>
+ 15.    # global database parameters
+ 16.    dn: olcDatabase=frontend,cn=config
+ 17.    objectClass: olcDatabaseConfig
+ 18.    olcDatabase: frontend
+ 19.    olcAccess: to * by * read
+ 20.
+</PRE>
+<P>Line 15 is a comment. Lines 16-18 identify this entry as the global database entry. Line 19 is a global access control. It applies to all entries (after any applicable database-specific access controls).</P>
+<P>The next entry defines a BDB backend that will handle queries for things in the &quot;dc=example,dc=com&quot; portion of the tree. Indices are to be maintained for several attributes, and the <TT>userPassword</TT> attribute is to be protected from unauthorized access.</P>
+<PRE>
+ 21.    # BDB definition for example.com
+ 22.    dn: olcDatabase=bdb,cn=config
+ 23.    objectClass: olcDatabaseConfig
+ 24.    objectClass: olcBdbConfig
+ 25.    olcDatabase: bdb
+ 26.    olcSuffix: &quot;dc=example,dc=com&quot;
+ 27.    olcDbDirectory: /usr/local/var/openldap-data
+ 28.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
+ 29.    olcRootPW: secret
+ 30.    olcDbIndex: uid pres,eq
+ 31.    olcDbIndex: cn,sn,uid pres,eq,approx,sub
+ 32.    olcDbIndex: objectClass eq
+ 33.    olcAccess: to attrs=userPassword
+ 34.      by self write
+ 35.      by anonymous auth
+ 36.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 37.      by * none
+ 38.    olcAccess: to *
+ 39.      by self write
+ 40.      by dn.base=&quot;cn=Admin,dc=example,dc=com&quot; write
+ 41.      by * read
+ 42.
+</PRE>
+<P>Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry.  Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.</P>
+<P>Lines 28 and 29 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
+<P>Lines 30 through 32 indicate the indices to maintain for various attributes.</P>
+<P>Lines 33 through 41 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
+<P>Line 42 is a blank line, indicating the end of this entry.</P>
+<P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 52, the read access would be allowed due to the global access rule at line 19.</P>
+<PRE>
+ 43.    # BDB definition for example.net
+ 44.    dn: olcDatabase=bdb,cn=config
+ 45.    objectClass: olcDatabaseConfig
+ 46.    objectClass: olcBdbConfig
+ 47.    olcDatabase: bdb
+ 48.    olcSuffix: &quot;dc=example,dc=net&quot;
+ 49.    olcDbDirectory: /usr/local/var/openldap-data-net
+ 50.    olcRootDN: &quot;cn=Manager,dc=example,dc=com&quot;
+ 51.    olcDbIndex: objectClass eq
+ 52.    olcAccess: to * by users read
+</PRE>
+<H3><A NAME="Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></H3>
+<P>Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)</P>
+<H2><A NAME="Access Control Common Examples">7.4. Access Control Common Examples</A></H2>
+<H3><A NAME="Basic ACLs">7.4.1. Basic ACLs</A></H3>
+<P>Generally one should start with some basic ACLs such as:</P>
+<PRE>
+    access to attr=userPassword
+        by self =xw
+        by anonymous auth
+        by * none
+
+
+      access to *
+        by self write
+        by users read
+        by * none
+</PRE>
+<P>The first ACL allows users to update (but not read) their passwords, anonymous users to authenticate against this attribute, and (implicitly) denying all access to others.</P>
+<P>The second ACL allows users full access to their entry, authenticated users read access to anything, and (implicitly) denying all access to others (in this case, anonymous users).</P>
+<H3><A NAME="Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A></H3>
+<P>An anonymous user has a empty DN. While the <EM>dn.exact=&quot;&quot;</EM> or <EM>dn.regex=&quot;^$&quot;</EM> could be used, <EM>slapd</EM>(8)) offers an anonymous shorthand which should be used instead.</P>
+<PRE>
+    access to *
+      by anonymous none
+      by * read
+</PRE>
+<P>denies all access to anonymous users while granting others read.</P>
+<P>Authenticated users have a subject DN. While <EM>dn.regex=&quot;.+&quot;</EM> will match any authenticated user, OpenLDAP provides the users short hand which should be used instead.</P>
+<PRE>
+    access to *
+      by users read
+      by * none
+</PRE>
+<P>This ACL grants read permissions to authenticated users while denying others (i.e.: anonymous users).</P>
+<H3><A NAME="Controlling rootdn access">7.4.3. Controlling rootdn access</A></H3>
+<P>You could specify the <EM>rootdn</EM> in <EM>slapd.conf</EM>(5) or {[slapd.d}} without specifying a <EM>rootpw</EM>. Then you have to add an actual directory entry with the same dn, e.g.:</P>
+<PRE>
+    dn: cn=Manager,o=MyOrganization
+    cn: Manager
+    sn: Manager
+    objectClass: person
+    objectClass: top
+    userPassword: {SSHA}someSSHAdata
+</PRE>
+<P>Then binding as the <EM>rootdn</EM> will require a regular bind to that DN, which in turn requires auth access to that entry's DN and <EM>userPassword</EM>, and this can be restricted via ACLs. E.g.:</P>
+<PRE>
+    access to dn.base=&quot;cn=Manager,o=MyOrganization&quot;
+      by peername.regex=127\.0\.0\.1 auth
+      by peername.regex=192\.168\.0\..* auth
+      by users none
+      by * none
+</PRE>
+<P>The ACLs above will only allow binding using rootdn from localhost and 192.168.0.0/24.</P>
+<H3><A NAME="Managing access with Groups">7.4.4. Managing access with Groups</A></H3>
+<P>There are a few ways to do this. One approach is illustrated here. Consider the following DIT layout:</P>
+<PRE>
+    +-dc=example,dc=com
+    +---cn=administrators,dc=example,dc=com
+    +---cn=fred blogs,dc=example,dc=com
+</PRE>
+<P>and the following group object (in LDIF format):</P>
+<PRE>
+    dn: cn=administrators,dc=example,dc=com
+    cn: administrators of this region
+    objectclass: groupOfNames  (important for the group acl feature)
+    member: cn=fred blogs,dc=example,dc=com
+    member: cn=somebody else,dc=example,dc=com
+</PRE>
+<P>One can then grant access to the members of this this group by adding appropriate <EM>by group</EM> clause to an access directive in <EM>slapd.conf</EM>(5). For instance,</P>
+<PRE>
+    access to dn.children=&quot;dc=example,dc=com&quot;
+        by self write
+        by group.exact=&quot;cn=Administrators,dc=example,dc=com&quot; write
+        by * auth
+</PRE>
+<P>Like by {[dn}} clauses, one can also use <EM>expand</EM> to expand the group name based upon the regular expression matching of the target, that is, the to <EM>dn.regex</EM>). For instance,</P>
+<PRE>
+    access to dn.regex=&quot;(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$&quot;
+             attrs=children,entry,uid
+        by group.expand=&quot;cn=Managers,$2&quot; write
+        by users read
+        by * auth
+</PRE>
+<P>The above illustration assumed that the group members are to be found in the <EM>member</EM> attribute type of the <EM>groupOfNames</EM> object class. If you need to use a different group object and/or a different attribute type then use the following <EM>slapd.conf</EM>(5) (abbreviated) syntax:</P>
+<PRE>
+    access to &lt;what&gt;
+            by group/&lt;objectclass&gt;/&lt;attributename&gt;=&lt;DN&gt; &lt;access&gt;
+</PRE>
+<P>For example:</P>
+<PRE>
+    access to *
+      by group/organizationalRole/roleOccupant=&quot;cn=Administrator,dc=example,dc=com&quot; write
+</PRE>
+<P>In this case, we have an ObjectClass <EM>organizationalRole</EM> which contains the administrator DN's in the <EM>roleOccupant</EM> attribute. For instance:</P>
+<PRE>
+    dn: cn=Administrator,dc=example,dc=com
+    cn: Administrator
+    objectclass: organizationalRole
+    roleOccupant: cn=Jane Doe,dc=example,dc=com
+</PRE>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>the specified member attribute type MUST be of DN or <EM>NameAndOptionalUID</EM> syntax, and the specified object class SHOULD allow the attribute type.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>Dynamic Groups are also supported in Access Control. Please see <EM>slapo-dynlist</EM>(5) and the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay section.</P>
+<H3><A NAME="Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A></H3>
+<P>You can grant access to a set of attributes by specifying a list of attribute names in the ACL <EM>to</EM> clause. To be useful, you also need to grant access to the <EM>entry</EM> itself. Also note how <EM>children</EM> controls the ability to add, delete, and rename entries.</P>
+<PRE>
+    # mail: self may write, authenticated users may read
+    access to attrs=mail
+      by self write
+      by users read
+      by * none
+
+    # cn, sn: self my write, all may read
+    access to attrs=cn,sn
+      by self write
+      by * read
+
+    # immediate children: only self can add/delete entries under this entry
+    access to attrs=children
+      by self write
+
+    # entry itself: self may write, all may read
+    access to attrs=entry
+      by self write
+      by * read
+
+    # other attributes: self may write, others have no access
+    access to *
+      by self write
+      by * none
+</PRE>
+<P>ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that <EM>objectClass</EM>. Actually, names in <EM>attrlist</EM> that are prefixed by <EM>@</EM> are directly treated as objectClass names. A name prefixed by <EM>!</EM> is also treated as an objectClass, but in this case the access rule affects the attributes that are not required nor allowed by that <EM>objectClass</EM>.</P>
+<H3><A NAME="Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A></H3>
+<P>For a setup where a user can write to its own record and to all of its children:</P>
+<PRE>
+    access to dn.regex=&quot;(.+,)?(uid=[^,]+,o=Company)$&quot;
+       by dn.exact,expand=&quot;$2&quot; write
+       by anonymous auth
+</PRE>
+<P>(Add more examples for above)</P>
+<H3><A NAME="Allowing entry creation">7.4.7. Allowing entry creation</A></H3>
+<P>Let's say, you have it like this:</P>
+<PRE>
+        o=&lt;basedn&gt;
+            ou=domains
+                associatedDomain=&lt;somedomain&gt;
+                    ou=users
+                        uid=&lt;someuserid&gt;
+                        uid=&lt;someotheruserid&gt;
+                    ou=addressbooks
+                        uid=&lt;someuserid&gt;
+                            cn=&lt;someone&gt;
+                            cn=&lt;someoneelse&gt;
+</PRE>
+<P>and, for another domain &lt;someotherdomain&gt;:</P>
+<PRE>
+        o=&lt;basedn&gt;
+            ou=domains
+                associatedDomain=&lt;someotherdomain&gt;
+                    ou=users
+                        uid=&lt;someuserid&gt;
+                        uid=&lt;someotheruserid&gt;
+                    ou=addressbooks
+                        uid=&lt;someotheruserid&gt;
+                            cn=&lt;someone&gt;
+                            cn=&lt;someoneelse&gt;
+</PRE>
+<P>then, if you wanted user <EM>uid=&lt;someuserid&gt;</EM> to <B>ONLY</B> create an entry for its own thing, you could write an ACL like this:</P>
+<PRE>
+    # this rule lets users of &quot;associatedDomain=&lt;matcheddomain&gt;&quot;
+    # write under &quot;ou=addressbook,associatedDomain=&lt;matcheddomain&gt;,ou=domains,o=&lt;basedn&gt;&quot;,
+    # i.e. a user can write ANY entry below its domain's address book;
+    # this permission is necessary, but not sufficient, the next
+    # will restrict this permission further
+
+
+    access to dn.regex=&quot;^ou=addressbook,associatedDomain=([^,]+),ou=domains,o=&lt;basedn&gt;$&quot; attrs=children
+            by dn.regex=&quot;^uid=([^,]+),ou=users,associatedDomain=$1,ou=domains,o=&lt;basedn&gt;$$&quot; write
+            by * none
+
+
+    # Note that above the &quot;by&quot; clause needs a &quot;regex&quot; style to make sure
+    # it expands to a DN that starts with a &quot;uid=&lt;someuserid&gt;&quot; pattern
+    # while substituting the associatedDomain submatch from the &quot;what&quot; clause.
+
+
+    # This rule lets a user with &quot;uid=&lt;matcheduid&gt;&quot; of &quot;&lt;associatedDomain=matcheddomain&gt;&quot;
+    # write (i.e. add, modify, delete) the entry whose DN is exactly
+    # &quot;uid=&lt;matcheduid&gt;,ou=addressbook,associatedDomain=&lt;matcheddomain&gt;,ou=domains,o=&lt;basedn&gt;&quot;
+    # and ANY entry as subtree of it
+
+
+    access to dn.regex=&quot;^(.+,)?uid=([^,]+),ou=addressbook,associatedDomain=([^,]+),ou=domains,o=&lt;basedn&gt;$&quot;
+            by dn.exact,expand=&quot;uid=$2,ou=users,associatedDomain=$3,ou=domains,o=&lt;basedn&gt;&quot; write
+            by * none
+
+
+    # Note that above the &quot;by&quot; clause uses the &quot;exact&quot; style with the &quot;expand&quot;
+    # modifier because now the whole pattern can be rebuilt by means of the
+    # submatches from the &quot;what&quot; clause, so a &quot;regex&quot; compilation and evaluation
+    # is no longer required.
+</PRE>
+<H3><A NAME="Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A></H3>
+<P>Always use <EM>dn.regex=&lt;pattern&gt;</EM> when you intend to use regular expression matching. <EM>dn=&lt;pattern&gt;</EM> alone defaults to <EM>dn.exact&lt;pattern&gt;</EM>.</P>
+<P>Use <EM>(.+)</EM> instead of <EM>(.*)</EM> when you want at least one char to be matched. <EM>(.*)</EM> matches the empty string as well.</P>
+<P>Don't use regular expressions for matches that can be done otherwise in a safer and cheaper manner. Examples:</P>
+<PRE>
+    dn.regex=&quot;.*dc=example,dc=com&quot;
+</PRE>
+<P>is unsafe and expensive:</P>
+<UL>
+<LI>unsafe because any string containing <EM>dc=example,dc=com </EM>will match, not only those that end with the desired pattern; use <EM>.*dc=example,dc=com$</EM> instead.
+<LI>unsafe also because it would allow any <EM>attributeType</EM> ending with <EM>dc</EM> as naming attribute for the first RDN in the string, e.g. a custom attributeType <EM>mydc</EM> would match as well. If you really need a regular expression that allows just <EM>dc=example,dc=com</EM> or any of its subtrees, use <EM>^(.+,)?dc=example,dc=com$</EM>, which means: anything to the left of dc=..., if any (the question mark after the pattern within brackets), must end with a comma;
+<LI>expensive because if you don't need submatches, you could use scoping styles, e.g.</UL>
+<PRE>
+    dn.subtree=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to include <EM>dc=example,dc=com</EM> in the matching patterns,</P>
+<PRE>
+    dn.children=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to exclude <EM>dc=example,dc=com</EM> from the matching patterns, or</P>
+<PRE>
+    dn.onelevel=&quot;dc=example,dc=com&quot;
+</PRE>
+<P>to allow exactly one sublevel matches only.</P>
+<P>Always use <EM>^</EM> and <EM>$</EM> in regexes, whenever appropriate, because <EM>ou=(.+),ou=(.+),ou=addressbooks,o=basedn</EM> will match <EM>something=bla,ou=xxx,ou=yyy,ou=addressbooks,o=basedn,ou=addressbooks,o=basedn,dc=some,dc=org</EM></P>
+<P>Always use <EM>([^,]+)</EM> to indicate exactly one RDN, because <EM>(.+)</EM> can include any number of RDNs; e.g. <EM>ou=(.+),dc=example,dc=com</EM> will match <EM>ou=My,o=Org,dc=example,dc=com</EM>, which might not be what you want.</P>
+<P>Never add the rootdn to the by clauses. ACLs are not even processed for operations performed with rootdn identity (otherwise there would be no reason to define a rootdn at all).</P>
+<P>Use shorthands. The user directive matches authenticated users and the anonymous directive matches anonymous users.</P>
+<P>Don't use the <EM>dn.regex</EM> form for &lt;by&gt; clauses if all you need is scoping and/or substring replacement; use scoping styles (e.g. <EM>exact</EM>, <EM>onelevel</EM>, <EM>children</EM> or <EM>subtree</EM>) and the style modifier expand to cause substring expansion.</P>
+<P>For instance,</P>
+<PRE>
+    access to dn.regex=&quot;.+,dc=([^,]+),dc=([^,]+)$&quot;
+      by dn.regex=&quot;^[^,],ou=Admin,dc=$1,dc=$2$$&quot; write
+</PRE>
+<P>although correct, can be safely and efficiently replaced by</P>
+<PRE>
+    access to dn.regex=&quot;.+,(dc=[^,]+,dc=[^,]+)$&quot;
+      by dn.onelevel,expand=&quot;ou=Admin,$1&quot; write
+</PRE>
+<P>where the regex in the <EM>&lt;what&gt;</EM> clause is more compact, and the one in the <EM>&lt;by&gt;</EM> clause is replaced by a much more efficient scoping style of onelevel with substring expansion.</P>
+<H3><A NAME="Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A></H3>
+<P>You can restrict access based on the security strength factor (SSF)</P>
+<PRE>
+    access to dn=&quot;cn=example,cn=edu&quot;
+          by * ssf=256 read
+</PRE>
+<P>0 (zero) implies no protection, 1 implies integrity protection only, 56 DES or other weak ciphers, 112 triple DES and other strong ciphers, 128 RC4, Blowfish and other modern strong ciphers.</P>
+<P>Other possibilities:</P>
+<PRE>
+    transport_ssf=&lt;n&gt;
+    tls_ssf=&lt;n&gt;
+    sasl_ssf=&lt;n&gt;
+</PRE>
+<P>256 is recommended.</P>
+<P>See <EM>slapd.conf</EM>(5) for information on <EM>ssf</EM>.</P>
+<H3><A NAME="When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></H3>
+<P>Consider this example:</P>
+<PRE>
+    access to *
+      by anonymous auth
+
+    access to *
+      by self write
+
+    access to *
+      by users read
+</PRE>
+<P>You may think this will allow any user to login, to read everything and change his own data if he is logged in. But in this example only the login works and an ldapsearch returns no data. The Problem is that SLAPD goes through its access config line by line and stops as soon as it finds a match in the part of the access rule.(here: <EM>to *</EM>)</P>
+<P>To get what we wanted the file has to read:</P>
+<PRE>
+    access to *
+      by anonymous auth
+      by self write
+      by users read
+</PRE>
+<P>The general rule is: &quot;special access rules first, generic access rules last&quot;</P>
+<P>See also <EM>slapd.access</EM>(8), loglevel 128 and <EM>slapacl</EM>(8) for debugging information.</P>
+<H2><A NAME="Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A></H2>
+<P>Sets are best illustrated via examples. The following sections will present a few set ACL examples in order to facilitate their understanding.</P>
+<P>(Sets in Access Controls FAQ Entry: <A HREF="http://www.openldap.org/faq/data/cache/1133.html">http://www.openldap.org/faq/data/cache/1133.html</A>)</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Sets are considered experimental.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="Groups of Groups">7.5.1. Groups of Groups</A></H3>
+<P>The OpenLDAP ACL for groups doesn't expand groups within groups, which are groups that have another group as a member. For example:</P>
+<PRE>
+ dn: cn=sudoadm,ou=group,dc=example,dc=com
+ cn: sudoadm
+ objectClass: groupOfNames
+ member: uid=john,ou=people,dc=example,dc=com
+ member: cn=accountadm,ou=group,dc=example,dc=com
+
+ dn: cn=accountadm,ou=group,dc=example,dc=com
+ cn: accountadm
+ objectClass: groupOfNames
+ member: uid=mary,ou=people,dc=example,dc=com
+</PRE>
+<P>If we use standard group ACLs with the above entries and allow members of the <TT>sudoadm</TT> group to write somewhere, <TT>mary</TT> won't be included:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+         by group.exact=&quot;cn=sudoadm,ou=group,dc=example,dc=com&quot; write
+         by * read
+</PRE>
+<P>With sets we can make the ACL be recursive and consider group within groups. So for each member that is a group, it is further expanded:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+       by set=&quot;[cn=sudoadm,ou=group,dc=example,dc=com]/member* &amp; user&quot; write
+       by * read
+</PRE>
+<P>This set ACL means: take the <TT>cn=sudoadm</TT> DN, check its <TT>member</TT> attribute(s) (where the &quot;<TT>*</TT>&quot; means recursively) and intersect the result with the authenticated user's DN. If the result is non-empty, the ACL is considered a match and write access is granted.</P>
+<P>The following drawing explains how this set is built:</P>
+<P><CENTER><IMG SRC="set-recursivegroup.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Populating a recursive group set</P>
+<P>First we get the <TT>uid=john</TT> DN. This entry doesn't have a <TT>member</TT> attribute, so the expansion stops here.  Now we get to <TT>cn=accountadm</TT>. This one does have a <TT>member</TT> attribute, which is <TT>uid=mary</TT>. The <TT>uid=mary</TT> entry, however, doesn't have member, so we stop here again. The end comparison is:</P>
+<PRE>
+ {&quot;uid=john,ou=people,dc=example,dc=com&quot;,&quot;uid=mary,ou=people,dc=example,dc=com&quot;} &amp; user
+</PRE>
+<P>If the authenticated user's DN is any one of those two, write access is granted. So this set will include <TT>mary</TT> in the <TT>sudoadm</TT> group and she will be allowed the write access.</P>
+<H3><A NAME="Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A></H3>
+<P>The traditional group ACLs, and even the previous example about recursive groups, require that the members are specified as DNs instead of just usernames.</P>
+<P>With sets, however, it's also possible to use simple names in group ACLs, as this example will show.</P>
+<P>Let's say we want to allow members of the <TT>sudoadm</TT> group to write to the <TT>ou=suders</TT> branch of our tree. But our group definition now is using <TT>memberUid</TT> for the group members:</P>
+<PRE>
+ dn: cn=sudoadm,ou=group,dc=example,dc=com
+ cn: sudoadm
+ objectClass: posixGroup
+ gidNumber: 1000
+ memberUid: john
+</PRE>
+<P>With this type of group, we can't use group ACLs. But with a set ACL we can grant the desired access:</P>
+<PRE>
+ access to dn.subtree=&quot;ou=sudoers,dc=example,dc=com&quot;
+       by set=&quot;[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid &amp; user/uid&quot; write
+       by * read
+</PRE>
+<P>We use a simple intersection where we compare the <TT>uid</TT> attribute of the connecting (and authenticated) user with the <TT>memberUid</TT> attributes of the group. If they match, the intersection is non-empty and the ACL will grant write access.</P>
+<P>This drawing illustrates this set when the connecting user is authenticated as <TT>uid=john,ou=people,dc=example,dc=com</TT>:</P>
+<P><CENTER><IMG SRC="set-memberUid.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Sets with <TT>memberUid</TT></P>
+<P>In this case, it's a match. If it were <TT>mary</TT> authenticating, however, she would be denied write access to <TT>ou=sudoers</TT> because her <TT>uid</TT> attribute is not listed in the group's <TT>memberUid</TT>.</P>
+<H3><A NAME="Following references">7.5.3. Following references</A></H3>
+<P>We will now show a quite powerful example of what can be done with sets. This example tends to make OpenLDAP administrators smile after they have understood it and its implications.</P>
+<P>Let's start with an user entry:</P>
+<PRE>
+ dn: uid=john,ou=people,dc=example,dc=com
+ uid: john
+ objectClass: inetOrgPerson
+ givenName: John
+ sn: Smith
+ cn: john
+ manager: uid=mary,ou=people,dc=example,dc=com
+</PRE>
+<P>Writing an ACL to allow the manager to update some attributes is quite simple using sets:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+    by self write
+    by set=&quot;this/manager &amp; user&quot; write
+    by * read
+</PRE>
+<P>In that set, <TT>this</TT> expands to the entry being accessed, so that <TT>this/manager</TT> expands to <TT>uid=mary,ou=people,dc=example,dc=com</TT> when john's entry is accessed.  If the manager herself is accessing John's entry, the ACL will match and write access to those attributes will be granted.</P>
+<P>So far, this same behavior can be obtained with the <TT>dnattr</TT> keyword. With sets, however, we can further enhance this ACL. Let's say we want to allow the secretary of the manager to also update these attributes. This is how we do it:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+    attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+    by self write
+    by set=&quot;this/manager &amp; user&quot; write
+    by set=&quot;this/manager/secretary &amp; user&quot; write
+    by * read
+</PRE>
+<P>Now we need a picture to help explain what is happening here (entries shortened for clarity):</P>
+<P><CENTER><IMG SRC="set-following-references.png" ALIGN="center"></CENTER></P>
+<P ALIGN="Center">Figure X.Y: Sets jumping through entries</P>
+<P>In this example, Jane is the secretary of Mary, which is the manager of John. This whole relationship is defined with the <TT>manager</TT> and <TT>secretary</TT> attributes, which are both of the distinguishedName syntax (i.e., full DNs). So, when the <TT>uid=john</TT> entry is being accessed, the <TT>this/manager/secretary</TT> set becomes <TT>{&quot;uid=jane,ou=people,dc=example,dc=com&quot;</TT>} (follow the references in the picture):</P>
+<PRE>
+ this = [uid=john,ou=people,dc=example,dc=com]
+ this/manager = \
+   [uid=john,ou=people,dc=example,dc=com]/manager = uid=mary,ou=people,dc=example,dc=com
+ this/manager/secretary = \
+   [uid=mary,ou=people,dc=example,dc=com]/secretary = uid=jane,ou=people,dc=example,dc=com
+</PRE>
+<P>The end result is that when Jane accesses John's entry, she will be granted write access to the specified attributes. Better yet, this will happen to any entry she accesses which has Mary as the manager.</P>
+<P>This is all cool and nice, but perhaps gives to much power to secretaries. Maybe we need to further restrict it. For example, let's only allow executive secretaries to have this power:</P>
+<PRE>
+ access to dn.exact=&quot;uid=john,ou=people,dc=example,dc=com&quot;
+   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
+   by self write
+   by set=&quot;this/manager &amp; user&quot; write
+   by set=&quot;this/manager/secretary &amp;
+           [cn=executive,ou=group,dc=example,dc=com]/member* &amp;
+           user&quot; write
+   by * read
+</PRE>
+<P>It's almost the same ACL as before, but we now also require that the connecting user be a member of the (possibly nested) <TT>cn=executive</TT> group.</P>
 <P></P>
 <HR>
-<H1><A NAME="Running slapd">7. Running slapd</A></H1>
+<H1><A NAME="Running slapd">8. Running slapd</A></H1>
 <P><EM>slapd</EM>(8) is designed to be run as a standalone service.  This allows the server to take advantage of caching, manage concurrency issues with underlying databases, and conserve system resources. Running from <EM>inetd</EM>(8) is <EM>NOT</EM> an option.</P>
-<H2><A NAME="Command-Line Options">7.1. Command-Line Options</A></H2>
+<H2><A NAME="Command-Line Options">8.1. Command-Line Options</A></H2>
 <P><EM>slapd</EM>(8) supports a number of command-line options as detailed in the manual page.  This section details a few commonly used options.</P>
 <PRE>
         -f &lt;filename&gt;
@@ -3419,13 +3859,13 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>slapd must have been compiled with <TT>-DLDAP_DEBUG</TT> defined for any debugging information beyond the two stats levels to be available.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Starting slapd">7.2. Starting slapd</A></H2>
+<H2><A NAME="Starting slapd">8.2. Starting slapd</A></H2>
 <P>In general, slapd is run like this:</P>
 <PRE>
         /usr/local/libexec/slapd [&lt;option&gt;]*
 </PRE>
 <P>where <TT>/usr/local/libexec</TT> is determined by <TT>configure</TT> and &lt;option&gt; is one of the options described above (or in <EM>slapd</EM>(8)). Unless you have specified a debugging level (including level <TT>0</TT>), slapd will automatically fork and detach itself from its controlling terminal and run in the background.</P>
-<H2><A NAME="Stopping slapd">7.3. Stopping slapd</A></H2>
+<H2><A NAME="Stopping slapd">8.3. Stopping slapd</A></H2>
 <P>To kill off <EM>slapd</EM>(8) safely, you should give a command like this</P>
 <PRE>
         kill -INT `cat /usr/local/var/slapd.pid`
@@ -3434,10 +3874,10 @@
 <P>Killing slapd by a more drastic method may cause information loss or database corruption.</P>
 <P></P>
 <HR>
-<H1><A NAME="Database Creation and Maintenance Tools">8. Database Creation and Maintenance Tools</A></H1>
+<H1><A NAME="Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A></H1>
 <P>This section tells you how to create a slapd database from scratch, and how to do trouble shooting if you run into problems. There are two ways to create a database. First, you can create the database on-line using <TERM>LDAP</TERM>. With this method, you simply start up slapd and add entries using the LDAP client of your choice. This method is fine for relatively small databases (a few hundred or thousand entries, depending on your requirements). This method works for database types which support updates.</P>
 <P>The second method of database creation is to do it off-line using special utilities provided with <EM>slapd</EM>(8). This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note that not all database types support these utilities.</P>
-<H2><A NAME="Creating a database over LDAP">8.1. Creating a database over LDAP</A></H2>
+<H2><A NAME="Creating a database over LDAP">9.1. Creating a database over LDAP</A></H2>
 <P>With this method, you use the LDAP client of your choice (e.g., the <EM>ldapadd</EM>(1)) to add entries, just like you would once the database is created.  You should be sure to set the following options in the configuration file before starting <EM>slapd</EM>(8).</P>
 <PRE>
         suffix &lt;dn&gt;
@@ -3497,7 +3937,7 @@
         ldapadd -f entries.ldif -x -D &quot;cn=Manager,dc=example,dc=com&quot; -w secret
 </PRE>
 <P>The above command assumes settings provided in the above examples.</P>
-<H2><A NAME="Creating a database off-line">8.2. Creating a database off-line</A></H2>
+<H2><A NAME="Creating a database off-line">9.2. Creating a database off-line</A></H2>
 <P>The second method of database creation is to do it off-line, using the slapd database tools described below. This method is best if you have many thousands of entries to create, which would take an unacceptably long time to add using the LDAP method described above. These tools read the slapd configuration file and an input file containing a text representation of the entries to add. For database types which support the tools, they produce the database files directly (otherwise you must use the on-line method above). There are several important configuration options you will want to be sure and set in the config file database definition first:</P>
 <PRE>
         suffix &lt;dn&gt;
@@ -3524,7 +3964,7 @@
         index objectClass eq
 </PRE>
 <P>This would create presence, equality, approximate, and substring indices for the <TT>cn</TT>, <TT>sn</TT>, and <TT>uid</TT> attributes and an equality index for the <TT>objectClass</TT> attribute.  Note that not all index types are available with all attribute types.  See <A HREF="#The slapd Configuration File">The slapd Configuration File</A> section for more information on this option.</P>
-<H3><A NAME="The {{EX:slapadd}} program">8.2.1. The <TT>slapadd</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A></H3>
 <P>Once you've configured things to your liking, you create the primary database and associated indices by running the <EM>slapadd</EM>(8) program:</P>
 <PRE>
         slapadd -l &lt;inputfile&gt; -f &lt;slapdconfigfile&gt;
@@ -3555,21 +3995,21 @@
         -b &lt;suffix&gt;
 </PRE>
 <P>An optional argument that specifies which database to modify.  The provided suffix is matched against a database <TT>suffix</TT> directive to determine the database number. Should not be used in conjunction with <TT>-n</TT>.</P>
-<H3><A NAME="The {{EX:slapindex}} program">8.2.2. The <TT>slapindex</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A></H3>
 <P>Sometimes it may be necessary to regenerate indices (such as after modifying <EM>slapd.conf</EM>(5)). This is possible using the <EM>slapindex</EM>(8) program.  <EM>slapindex</EM> is invoked like this</P>
 <PRE>
         slapindex -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>Where the <TT>-f</TT>, <TT>-d</TT>, <TT>-n</TT> and <TT>-b</TT> options are the same as for the <EM>slapadd</EM>(1) program.  <EM>slapindex</EM> rebuilds all indices based upon the current database contents.</P>
-<H3><A NAME="The {{EX:slapcat}} program">8.2.3. The <TT>slapcat</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></H3>
 <P>The <TT>slapcat</TT> program is used to dump the database to an <TERM>LDIF</TERM> file.  This can be useful when you want to make a human-readable backup of your database or when you want to edit your database off-line.  The program is invoked like this:</P>
 <PRE>
         slapcat -l &lt;filename&gt; -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>where <TT>-n</TT> or <TT>-b</TT> is used to select the database in the <EM>slapd.conf</EM>(5) specified using <TT>-f</TT>.  The corresponding <TERM>LDIF</TERM> output is written to standard output or to the file specified using the <TT>-l</TT> option.</P>
-<H2><A NAME="The LDIF text entry format">8.3. The LDIF text entry format</A></H2>
+<H2><A NAME="The LDIF text entry format">9.3. The LDIF text entry format</A></H2>
 <P>The <TERM>LDAP Data Interchange Format</TERM> (LDIF) is used to represent LDAP entries in a simple text format.  This section provides a brief description of the LDIF entry format which complements <EM>ldif</EM>(5) and the technical specification <A HREF="http://www.rfc-editor.org/rfc/rfc2849.txt">RFC2849</A>.</P>
 <P>The basic form of an entry is:</P>
 <PRE>
@@ -3641,55 +4081,55 @@
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P></P>
 <HR>
-<H1><A NAME="Backends">9. Backends</A></H1>
-<H2><A NAME="Berkeley DB Backends">9.1. Berkeley DB Backends</A></H2>
-<H3><A NAME="Overview">9.1.1. Overview</A></H3>
+<H1><A NAME="Backends">10. Backends</A></H1>
+<H2><A NAME="Berkeley DB Backends">10.1. Berkeley DB Backends</A></H2>
+<H3><A NAME="Overview">10.1.1. Overview</A></H3>
 <P>The <EM>bdb</EM> backend to <EM>slapd</EM>(8) is the recommended primary backend for a normal <EM>slapd</EM> database.  It uses the Oracle Berkeley DB (<TERM>BDB</TERM>) package to store data. It makes extensive use of indexing and caching (see the <A HREF="#Tuning">Tuning</A> section) to speed data access.</P>
 <P><EM>hdb</EM> is a variant of the <EM>bdb</EM> backend that uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the <EM>bdb</EM> behavior, and all the same configuration options apply.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>An <EM>hdb</EM> database needs a large <EM>idlcachesize</EM> for good search performance, typically three times the <EM>cachesize</EM> (entry cache size) or larger.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="back-bdb/back-hdb Configuration">9.1.2. back-bdb/back-hdb Configuration</A></H3>
+<H3><A NAME="back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A></H3>
 <P>MORE LATER</P>
-<H3><A NAME="Further Information">9.1.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.1.3. Further Information</A></H3>
 <P><EM>slapd-bdb</EM>(5)</P>
-<H2><A NAME="LDAP">9.2. LDAP</A></H2>
-<H3><A NAME="Overview">9.2.1. Overview</A></H3>
+<H2><A NAME="LDAP">10.2. LDAP</A></H2>
+<H3><A NAME="Overview">10.2.1. Overview</A></H3>
 <P>The LDAP backend to <EM>slapd</EM>(8) is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server. While processing requests it will also chase referrals, so that referrals are fully processed instead of being returned to the <EM>slapd</EM> client.</P>
-<P>Sessions that explicitly <EM>Bind</EM> to the <EM>back-ldap</EM> database always create their own private connection to the remote LDAP server. Anonymous sessions will share a single anonymous connection to the remote server. For sessions bound through other mechanisms, all sessions with the same DN will share the same connection. This connection pooling strategy can enhance the proxy’s efficiency by reducing the overhead of repeatedly making/breaking multiple connections.</P>
+<P>Sessions that explicitly <EM>Bind</EM> to the <EM>back-ldap</EM> database always create their own private connection to the remote LDAP server. Anonymous sessions will share a single anonymous connection to the remote server. For sessions bound through other mechanisms, all sessions with the same DN will share the same connection. This connection pooling strategy can enhance the proxy's efficiency by reducing the overhead of repeatedly making/breaking multiple connections.</P>
 <P>The ldap database can also act as an information service, i.e. the identity of locally authenticated clients is asserted to the remote server, possibly in some modified form. For this purpose, the proxy binds to the remote server with some administrative identity, and, if required, authorizes the asserted identity.</P>
-<H3><A NAME="back-ldap Configuration">9.2.2. back-ldap Configuration</A></H3>
+<H3><A NAME="back-ldap Configuration">10.2.2. back-ldap Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.2.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.2.3. Further Information</A></H3>
 <P><EM>slapd-ldap</EM>(5)</P>
-<H2><A NAME="LDIF">9.3. LDIF</A></H2>
-<H3><A NAME="Overview">9.3.1. Overview</A></H3>
+<H2><A NAME="LDIF">10.3. LDIF</A></H2>
+<H3><A NAME="Overview">10.3.1. Overview</A></H3>
 <P>The LDIF backend to <EM>slapd</EM>(8) is a basic storage backend that stores entries in text files in LDIF format, and exploits the filesystem to create the tree structure of the database. It is intended as a cheap, low performance easy to use backend.</P>
 <P>When using the <EM>cn=config</EM> dynamic configuration database with persistent storage, the configuration data is stored using this backend. See <EM>slapd-config</EM>(5) for more information</P>
-<H3><A NAME="back-ldif Configuration">9.3.2. back-ldif Configuration</A></H3>
+<H3><A NAME="back-ldif Configuration">10.3.2. back-ldif Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.3.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.3.3. Further Information</A></H3>
 <P><EM>slapd-ldif</EM>(5)</P>
-<H2><A NAME="Metadirectory">9.4. Metadirectory</A></H2>
-<H3><A NAME="Overview">9.4.1. Overview</A></H3>
+<H2><A NAME="Metadirectory">10.4. Metadirectory</A></H2>
+<H3><A NAME="Overview">10.4.1. Overview</A></H3>
 <P>The meta backend to <EM>slapd</EM>(8) performs basic LDAP proxying with respect to a set of remote LDAP servers, called &quot;targets&quot;. The information contained in these servers can be presented as belonging to a single Directory Information Tree (<TERM>DIT</TERM>).</P>
 <P>A basic knowledge of the functionality of the <EM>slapd-ldap</EM>(5) backend is recommended. This backend has been designed as an enhancement of the ldap backend. The two backends share many features (actually they also share portions of code). While the ldap backend is intended to proxy operations directed to a single server, the meta backend is mainly intended for proxying of multiple servers and possibly naming context  masquerading.</P>
 <P>These features, although useful in many scenarios, may result in excessive overhead for some applications, so its use should be carefully considered.</P>
-<H3><A NAME="back-meta Configuration">9.4.2. back-meta Configuration</A></H3>
+<H3><A NAME="back-meta Configuration">10.4.2. back-meta Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.4.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.4.3. Further Information</A></H3>
 <P><EM>slapd-meta</EM>(5)</P>
-<H2><A NAME="Monitor">9.5. Monitor</A></H2>
-<H3><A NAME="Overview">9.5.1. Overview</A></H3>
+<H2><A NAME="Monitor">10.5. Monitor</A></H2>
+<H3><A NAME="Overview">10.5.1. Overview</A></H3>
 <P>The monitor backend to <EM>slapd</EM>(8) is not an actual database; if enabled, it is automatically generated and dynamically maintained by slapd with information about the running status of the daemon.</P>
 <P>To inspect all monitor information, issue a subtree search with base <EM>cn=Monitor</EM>, requesting that attributes &quot;+&quot; and &quot;*&quot; are returned. The monitor backend produces mostly operational attributes, and LDAP only returns operational attributes that are explicitly requested.  Requesting attribute &quot;+&quot; is an extension which requests all operational attributes.</P>
 <P>See the <A HREF="#Monitoring">Monitoring</A> section.</P>
-<H3><A NAME="back-monitor Configuration">9.5.2. back-monitor Configuration</A></H3>
+<H3><A NAME="back-monitor Configuration">10.5.2. back-monitor Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.5.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.5.3. Further Information</A></H3>
 <P><EM>slapd-monitor</EM>(5)</P>
-<H2><A NAME="Null">9.6. Null</A></H2>
-<H3><A NAME="Overview">9.6.1. Overview</A></H3>
+<H2><A NAME="Null">10.6. Null</A></H2>
+<H3><A NAME="Overview">10.6.1. Overview</A></H3>
 <P>The Null backend to <EM>slapd</EM>(8) is surely the most useful part of slapd:</P>
 <UL>
 <LI>Searches return success but no entries.
@@ -3698,88 +4138,222 @@
 <LI>Binds other than as the rootdn fail unless the database option &quot;bind on&quot; is given.
 <LI>The slapadd(8) and slapcat(8) tools are equally exciting.</UL>
 <P>Inspired by the <TT>/dev/null</TT> device.</P>
-<H3><A NAME="back-null Configuration">9.6.2. back-null Configuration</A></H3>
+<H3><A NAME="back-null Configuration">10.6.2. back-null Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.6.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.6.3. Further Information</A></H3>
 <P><EM>slapd-null</EM>(5)</P>
-<H2><A NAME="Passwd">9.7. Passwd</A></H2>
-<H3><A NAME="Overview">9.7.1. Overview</A></H3>
+<H2><A NAME="Passwd">10.7. Passwd</A></H2>
+<H3><A NAME="Overview">10.7.1. Overview</A></H3>
 <P>The PASSWD backend to <EM>slapd</EM>(8) serves up the user account information listed in the system <EM>passwd</EM>(5) file.</P>
 <P>This backend is provided for demonstration purposes only. The DN of each entry is &quot;uid=&lt;username&gt;,&lt;suffix&gt;&quot;.</P>
-<H3><A NAME="back-passwd Configuration">9.7.2. back-passwd Configuration</A></H3>
+<H3><A NAME="back-passwd Configuration">10.7.2. back-passwd Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.7.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.7.3. Further Information</A></H3>
 <P><EM>slapd-passwd</EM>(5)</P>
-<H2><A NAME="Perl/Shell">9.8. Perl/Shell</A></H2>
-<H3><A NAME="Overview">9.8.1. Overview</A></H3>
+<H2><A NAME="Perl/Shell">10.8. Perl/Shell</A></H2>
+<H3><A NAME="Overview">10.8.1. Overview</A></H3>
 <P>The Perl backend to <EM>slapd</EM>(8) works by embedding a <EM>perl</EM>(1) interpreter into <EM>slapd</EM>(8). Any perl database section of the configuration file <EM>slapd.conf</EM>(5) must then specify what Perl module to use. Slapd then creates a new Perl object that handles all the requests for that particular instance of the backend.</P>
 <P>The Shell backend to <EM>slapd</EM>(8) executes external programs to implement operations, and is designed to make it easy to tie an existing database to the slapd front-end. This backend is is primarily intended to be used in prototypes.</P>
-<H3><A NAME="back-perl/back-shell Configuration">9.8.2. back-perl/back-shell Configuration</A></H3>
+<H3><A NAME="back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.8.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.8.3. Further Information</A></H3>
 <P><EM>slapd-shell</EM>(5) and <EM>slapd-perl</EM>(5)</P>
-<H2><A NAME="Relay">9.9. Relay</A></H2>
-<H3><A NAME="Overview">9.9.1. Overview</A></H3>
+<H2><A NAME="Relay">10.9. Relay</A></H2>
+<H3><A NAME="Overview">10.9.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to map a naming context defined in a database running in the same <EM>slapd</EM>(8) instance into a virtual naming context, with attributeType and objectClass manipulation, if required. It requires the rwm overlay.</P>
 <P>This backend and the above mentioned overlay are experimental.</P>
-<H3><A NAME="back-relay Configuration">9.9.2. back-relay Configuration</A></H3>
+<H3><A NAME="back-relay Configuration">10.9.2. back-relay Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.9.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.9.3. Further Information</A></H3>
 <P><EM>slapd-relay</EM>(5)</P>
-<H2><A NAME="SQL">9.10. SQL</A></H2>
-<H3><A NAME="Overview">9.10.1. Overview</A></H3>
+<H2><A NAME="SQL">10.10. SQL</A></H2>
+<H3><A NAME="Overview">10.10.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to PRESENT information stored in some RDBMS as an LDAP subtree without any programming (some SQL and maybe stored procedures can’t be considered programming, anyway ;).</P>
 <P>That is, for example, when you (some ISP) have account information you use in an RDBMS, and want to use modern solutions that expect such information in LDAP (to authenticate users, make email lookups etc.). Or you want to synchronize or distribute information between different sites/applications that use RDBMSes and/or LDAP. Or whatever else...</P>
 <P>It is <B>NOT</B> designed as a general-purpose backend that uses RDBMS instead of BerkeleyDB (as the standard BDB backend does), though it can be used as such with several limitations. Please see <A HREF="#LDAP vs RDBMS">LDAP vs RDBMS</A> for discussion.</P>
 <P>The idea is to use some meta-information to translate LDAP queries to SQL queries, leaving relational schema untouched, so that old applications can continue using it without any modifications. This allows SQL and LDAP applications to interoperate without replication, and exchange data as needed.</P>
 <P>The SQL backend is designed to be tunable to virtually any relational schema without having to change source (through that meta-information mentioned). Also, it uses ODBC to connect to RDBMSes, and is highly configurable for SQL dialects RDBMSes may use, so it may be used for integration and distribution of data on different RDBMSes, OSes, hosts etc., in other words, in highly heterogeneous environment.</P>
 <P>This backend is experimental.</P>
-<H3><A NAME="back-sql Configuration">9.10.2. back-sql Configuration</A></H3>
+<H3><A NAME="back-sql Configuration">10.10.2. back-sql Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">9.10.3. Further Information</A></H3>
+<H3><A NAME="Further Information">10.10.3. Further Information</A></H3>
 <P><EM>slapd-sql</EM>(5)</P>
 <P></P>
 <HR>
-<H1><A NAME="Overlays">10. Overlays</A></H1>
+<H1><A NAME="Overlays">11. Overlays</A></H1>
 <P>Overlays are software components that provide hooks to functions analogous to those provided by backends, which can be stacked on top of the backend calls and as callbacks on top of backend responses to alter their behavior.</P>
-<P>Overlays may be compiled statically into slapd, or when module support is enabled, they may be dynamically loaded. Most of the overlays are only allowed to be configured on individual databases, but some may also be configured globally.</P>
-<P>Essentially they represent a means to:</P>
+<P>Overlays may be compiled statically into <EM>slapd</EM>, or when module support is enabled, they may be dynamically loaded. Most of the overlays are only allowed to be configured on individual databases.</P>
+<P>Some can be stacked on the <TT>frontend</TT> as well, for global use. This means that they can be executed after a request is parsed and validated, but right before the appropriate database is selected. The main purpose is to affect operations regardless of the database they will be handled by, and, in some cases, to influence the selection of the database by massaging the request DN.</P>
+<P>Essentially, overlays represent a means to:</P>
 <UL>
 <LI>customize the behavior of existing backends without changing the backend code and without requiring one to write a new custom backend with complete functionality
 <LI>write functionality of general usefulness that can be applied to different backend types</UL>
+<P>When using <EM>slapd.conf</EM>(5), overlays that are configured before any other databases are considered global, as mentioned above. In fact they are implicitly stacked on top of the <TT>frontend</TT> database. They can also be explicitly configured as such:</P>
+<PRE>
+        database frontend
+        overlay &lt;overlay name&gt;
+</PRE>
 <P>Overlays are usually documented by separate specific man pages in section 5; the naming convention is</P>
 <PRE>
         slapo-&lt;overlay name&gt;
 </PRE>
-<P>Not all distributed overlays have a man page yet. Feel free to contribute one, if you think you well understood the behavior of the component and the implications of all the related configuration directives.</P>
+<P>All distributed core overlays have a man page. Feel free to contribute to any, if you think there is anything missing in describing the behavior of the component and the implications of all the related configuration directives.</P>
 <P>Official overlays are located in</P>
 <PRE>
         servers/slapd/overlays/
 </PRE>
-<P>That directory also contains the file slapover.txt, which describes the rationale of the overlay implementation, and may serve as guideline for the development of custom overlays.</P>
+<P>That directory also contains the file slapover.txt, which describes the rationale of the overlay implementation, and may serve as a guideline for the development of custom overlays.</P>
 <P>Contribware overlays are located in</P>
 <PRE>
         contrib/slapd-modules/&lt;overlay name&gt;/
 </PRE>
 <P>along with other types of run-time loadable components; they are officially distributed, but not maintained by the project.</P>
-<P>They can be stacked on the frontend as well; this means that they can be executed after a request is parsed and validated, but right before the appropriate database is selected. The main purpose is to affect operations regardless of the database they will be handled by, and, in some cases, to influence the selection of the database by massaging the request DN.</P>
-<P>All the current overlays in 2.4 are listed and described in detail in the following sections.</P>
-<H2><A NAME="Access Logging">10.1. Access Logging</A></H2>
-<H3><A NAME="Overview">10.1.1. Overview</A></H3>
+<P>All the current overlays in OpenLDAP are listed and described in detail in the following sections.</P>
+<H2><A NAME="Access Logging">11.1. Access Logging</A></H2>
+<H3><A NAME="Overview">11.1.1. Overview</A></H3>
 <P>This overlay can record accesses to a given backend database on another database.</P>
-<H3><A NAME="Access Logging Configuration">10.1.2. Access Logging Configuration</A></H3>
-<H2><A NAME="Audit Logging">10.2. Audit Logging</A></H2>
-<P>This overlay records changes on a given backend database to an LDIF log file.</P>
-<H3><A NAME="Overview">10.2.1. Overview</A></H3>
-<H3><A NAME="Audit Logging Configuration">10.2.2. Audit Logging Configuration</A></H3>
-<H2><A NAME="Chaining">10.3. Chaining</A></H2>
-<H3><A NAME="Overview">10.3.1. Overview</A></H3>
+<P>This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files. Configuration options are available for selecting a subset of operation types to log, and to automatically prune older log records from the logging database. Log records are stored with audit schema to assure their readability whether viewed as LDIF or in raw form.</P>
+<P>It is also used for <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A></P>
+<H3><A NAME="Access Logging Configuration">11.1.2. Access Logging Configuration</A></H3>
+<P>The following is a basic example that implements Access Logging:</P>
+<PRE>
+        database bdb
+        suffix dc=example,dc=com
+        ...
+        overlay accesslog
+        logdb cn=log
+        logops writes reads
+        logold (objectclass=person)
+
+        database bdb
+        suffix cn=log
+        ...
+        index reqStart eq
+        access to *
+          by dn.base=&quot;cn=admin,dc=example,dc=com&quot; read
+</PRE>
+<P>The following is an example used for <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A>:</P>
+<PRE>
+        database hdb
+        suffix cn=accesslog
+        directory /usr/local/var/openldap-accesslog
+        rootdn cn=accesslog
+        index default eq
+        index entryCSN,objectClass,reqEnd,reqResult,reqStart
+</PRE>
+<P>Accesslog overlay definitions for the primary db</P>
+<PRE>
+        database bdb
+        suffix dc=example,dc=com
+        ...
+        overlay accesslog
+        logdb cn=accesslog
+        logops writes
+        logsuccess TRUE
+        # scan the accesslog DB every day, and purge entries older than 7 days
+        logpurge 07+00:00 01+00:00
+</PRE>
+<P>An example search result against <B>cn=accesslog</B> might look like:</P>
+<PRE>
+        [ghenry at suretec ghenry]# ldapsearch -x -b cn=accesslog
+        # extended LDIF
+        #
+        # LDAPv3
+        # base &lt;cn=accesslog&gt; with scope subtree
+        # filter: (objectclass=*)
+        # requesting: ALL
+        #
+
+        # accesslog
+        dn: cn=accesslog
+        objectClass: auditContainer
+        cn: accesslog
+
+        # 20080110163829.000004Z, accesslog
+        dn: reqStart=20080110163829.000004Z,cn=accesslog
+        objectClass: auditModify
+        reqStart: 20080110163829.000004Z
+        reqEnd: 20080110163829.000005Z
+        reqType: modify
+        reqSession: 196696
+        reqAuthzID: cn=admin,dc=suretecsystems,dc=com
+        reqDN: uid=suretec-46022f8$,ou=Users,dc=suretecsystems,dc=com
+        reqResult: 0
+        reqMod: sambaPwdCanChange:- ###CENSORED###
+        reqMod: sambaPwdCanChange:+ ###CENSORED###
+        reqMod: sambaNTPassword:- ###CENSORED###
+        reqMod: sambaNTPassword:+ ###CENSORED###
+        reqMod: sambaPwdLastSet:- ###CENSORED###
+        reqMod: sambaPwdLastSet:+ ###CENSORED###
+        reqMod: entryCSN:= 20080110163829.095157Z#000000#000#000000
+        reqMod: modifiersName:= cn=admin,dc=suretecsystems,dc=com
+        reqMod: modifyTimestamp:= 20080110163829Z
+
+        # search result
+        search: 2
+        result: 0 Success
+
+        # numResponses: 3
+        # numEntries: 2
+</PRE>
+<P>For more information, please see <EM>slapo-accesslog(5)</EM> and the <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> section.</P>
+<H2><A NAME="Audit Logging">11.2. Audit Logging</A></H2>
+<P>The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.</P>
+<H3><A NAME="Overview">11.2.1. Overview</A></H3>
+<P>If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay <B>slapo-auditlog (5)</B> can be used. Full examples are available in the man page <B>slapo-auditlog (5)</B></P>
+<H3><A NAME="Audit Logging Configuration">11.2.2. Audit Logging Configuration</A></H3>
+<P>If the directory is running vi <TT>slapd.d</TT>, then the following LDIF could be used to add the overlay to the overlay list in <B>cn=config</B> and set what file the <TERM>LDIF</TERM> gets logged to (adjust to suit)</P>
+<PRE>
+       dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
+       changetype: add
+       objectClass: olcOverlayConfig
+       objectClass: olcAuditLogConfig
+       olcOverlay: auditlog
+       olcAuditlogFile: /tmp/auditlog.ldif
+</PRE>
+<P>In this example for testing, we are logging changes to <TT>/tmp/auditlog.ldif</TT></P>
+<P>A typical <TERM>LDIF</TERM> file created by <B>slapo-auditlog (5)</B> would look like:</P>
+<PRE>
+       # add 1196797576 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+       dn: dc=suretecsystems,dc=com
+       changetype: add
+       objectClass: dcObject
+       objectClass: organization
+       dc: suretecsystems
+       o: Suretec Systems Ltd.
+       structuralObjectClass: organization
+       entryUUID: 1606f8f8-f06e-1029-8289-f0cc9d81e81a
+       creatorsName: cn=admin,dc=suretecsystems,dc=com
+       modifiersName: cn=admin,dc=suretecsystems,dc=com
+       createTimestamp: 20051123130912Z
+       modifyTimestamp: 20051123130912Z
+       entryCSN: 20051123130912.000000Z#000001#000#000000
+       auditContext: cn=accesslog
+       # end add 1196797576
+
+       # add 1196797577 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+       dn: ou=Groups,dc=suretecsystems,dc=com
+       changetype: add
+       objectClass: top
+       objectClass: organizationalUnit
+       ou: Groups
+       structuralObjectClass: organizationalUnit
+       entryUUID: 160aaa2a-f06e-1029-828a-f0cc9d81e81a
+       creatorsName: cn=admin,dc=suretecsystems,dc=com
+       modifiersName: cn=admin,dc=suretecsystems,dc=com
+       createTimestamp: 20051123130912Z
+       modifyTimestamp: 20051123130912Z
+       entryCSN: 20051123130912.000000Z#000002#000#000000
+       # end add 1196797577
+</PRE>
+<H2><A NAME="Chaining">11.3. Chaining</A></H2>
+<H3><A NAME="Overview">11.3.1. Overview</A></H3>
 <P>The chain overlay provides basic chaining capability to the underlying database.</P>
 <P>What is chaining? It indicates the capability of a DSA to follow referrals on behalf of the client, so that distributed systems are viewed as a single virtual DSA by clients that are otherwise unable to &quot;chase&quot; (i.e. follow) referrals by themselves.</P>
-<P>The chain overlay is built on top of the ldap backend; it is compiled by default when --enable-ldap.</P>
-<H3><A NAME="Chaining Configuration">10.3.2. Chaining Configuration</A></H3>
+<P>The chain overlay is built on top of the ldap backend; it is compiled by default when <B>--enable-ldap</B>.</P>
+<H3><A NAME="Chaining Configuration">11.3.2. Chaining Configuration</A></H3>
 <P>In order to demonstrate how this overlay works, we shall discuss a typical scenario which might be one master server and three Syncrepl slaves.</P>
-<P>On each replica, add this near the top of the file (global), before any database definitions:</P>
+<P>On each replica, add this near the top of the <EM>slapd.conf</EM>(5) file (global), before any database definitions:</P>
 <PRE>
         overlay                    chain
         chain-uri                  &quot;ldap://ldapmaster.example.com&quot;
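Review bot: The audit log example sets `olcAuditlogFile: /tmp/auditlog.ldif`, a predictable name in a world-writable directory, and the file it produces holds every change as full LDIF, including any password attributes that are modified. The text calls it a test setting, but this is the line readers will copy, so I would point it at a directory that only the slapd account can read and write, e.g. `olcAuditlogFile: <PRIVATE_LOG_DIR>/auditlog.ldif` (placeholder path), and add a sentence saying the file needs restrictive permissions. The delta-syncrepl `cn=accesslog` database earlier in this hunk has the same exposure: it is shown with no `access` directive, and the sample `ldapsearch -x -b cn=accesslog` is run without a bind DN, although the output has to censor `sambaNTPassword` values. Unless a global rule outside the excerpt covers it, that listing should carry the same kind of restriction the first accesslog example has (`access to * by dn.base="cn=admin,dc=example,dc=com" read`).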
@@ -3795,7 +4369,7 @@
         updateref                  &quot;ldap://ldapmaster.example.com/&quot;
 </PRE>
 <P>The <B>chain-tls</B> statement enables TLS from the slave to the ldap master. The DITs are exactly the same between these machines, therefore whatever user bound to the slave will also exist on the master. If that DN does not have update privileges on the master, nothing will happen.</P>
-<P>You will need to restart the slave after these changes. Then, if you are using <EM>loglevel 256</EM>, you can monitor an <EM>ldapmodify</EM> on the slave and the master.</P>
+<P>You will need to restart the slave after these <EM>slapd.conf</EM> changes. Then, if you are using <EM>loglevel stats</EM> (256), you can monitor an <EM>ldapmodify</EM> on the slave and the master. (If you're using <EM>cn=config</EM> no restart is required.)</P>
 <P>Now start an <EM>ldapmodify</EM> on the slave and watch the logs. You should expect something like:</P>
 <PRE>
         Sep  6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
@@ -3825,28 +4399,103 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You can clearly see the PROXYAUTHZ line on the master, indicating the proper identity assertion for the update on the master. Also note the slave immediately receiving the Syncrepl update from the master.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Handling Chaining Errors">10.3.3. Handling Chaining Errors</A></H3>
+<H3><A NAME="Handling Chaining Errors">11.3.3. Handling Chaining Errors</A></H3>
 <P>By default, if chaining fails, the original referral is returned to the client under the assumption that the client might want to try and follow the referral.</P>
 <P>With the following directive however, if the chaining fails at the provider side, the actual error is returned to the client.</P>
 <PRE>
         chain-return-error TRUE
 </PRE>
-<H2><A NAME="Constraints">10.4. Constraints</A></H2>
-<H3><A NAME="Overview">10.4.1. Overview</A></H3>
-<P>This overlay enforces a regular expression constraint on all values of specified attributes. It is used to enforce a more rigorous syntax when the underlying attribute syntax is too general.</P>
-<H3><A NAME="Constraint Configuration">10.4.2. Constraint Configuration</A></H3>
-<H2><A NAME="Dynamic Directory Services">10.5. Dynamic Directory Services</A></H2>
-<H3><A NAME="Overview">10.5.1. Overview</A></H3>
-<P>This overlay supports dynamic objects, which have a limited life after which they expire and are automatically deleted.</P>
-<H3><A NAME="Dynamic Directory Service Configuration">10.5.2. Dynamic Directory Service Configuration</A></H3>
-<H2><A NAME="Dynamic Groups">10.6. Dynamic Groups</A></H2>
-<H3><A NAME="Overview">10.6.1. Overview</A></H3>
+<H2><A NAME="Constraints">11.4. Constraints</A></H2>
+<H3><A NAME="Overview">11.4.1. Overview</A></H3>
+<P>This overlay enforces a regular expression constraint on all values of specified attributes during an LDAP modify request that contains add or modify commands. It is used to enforce a more rigorous syntax when the underlying attribute syntax is too general.</P>
+<H3><A NAME="Constraint Configuration">11.4.2. Constraint Configuration</A></H3>
+<P>Configuration via <EM>slapd.conf</EM>(5) would look like:</P>
+<PRE>
+        overlay constraint
+        constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+        constraint_attribute title uri
+        ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+</PRE>
+<P>A specification like the above would reject any <EM>mail</EM> attribute which did not look like <EM>&lt;alpha-numeric string&gt;@mydomain.com</EM>.</P>
+<P>It would also reject any title attribute whose values were not listed in the title attribute of any <EM>titleCatalog</EM> entries in the given scope.</P>
+<P>An example for use with <EM>cn=config</EM>:</P>
+<PRE>
+       dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
+       changetype: add
+       objectClass: olcOverlayConfig
+       objectClass: olcConstraintConfig
+       olcOverlay: constraint
+       olcConstraintAttribute: mail regex ^[:alnum:]+ at mydomain.com$
+       olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+</PRE>
+<H2><A NAME="Dynamic Directory Services">11.5. Dynamic Directory Services</A></H2>
+<H3><A NAME="Overview">11.5.1. Overview</A></H3>
+<P>The <EM>dds</EM> overlay to <EM>slapd</EM>(8) implements dynamic objects as per <A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">RFC2589</A>. The name <EM>dds</EM> stands for Dynamic Directory Services. It allows to define dynamic objects, characterized by the <EM>dynamicObject</EM> objectClass.</P>
+<P>Dynamic objects have a limited lifetime, determined by a time-to-live (TTL) that can be refreshed by means of a specific refresh extended operation. This operation allows to set the Client Refresh Period (CRP), namely the period between refreshes that is required to preserve the dynamic object from expiration. The expiration time is computed by adding the requested TTL to the current time. When dynamic objects reach the end of their lifetime without being further refreshed, they are automatically <EM>deleted</EM>. There is no guarantee of immediate deletion, so clients should not count on it.</P>
+<H3><A NAME="Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A></H3>
+<P>A usage of dynamic objects might be to implement dynamic meetings; in this case, all the participants to the meeting are allowed to refresh the meeting object, but only the creator can delete it (otherwise it will be deleted when the TTL expires).</P>
+<P>If we add the overlay to an example database, specifying a Max TTL of 1 day, a min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval of 120 (less than 60s might be too small) seconds between expiration checks and a tolerance of 5 second (lifetime of a dynamic object will be <EM>entryTtl + tolerance</EM>).</P>
+<PRE>
+       overlay dds
+       dds-max-ttl     1d
+       dds-min-ttl     10s
+       dds-default-ttl 1h
+       dds-interval    120s
+       dds-tolerance   5s
+</PRE>
+<P>and add an index:</P>
+<PRE>
+       entryExpireTimestamp
+</PRE>
+<P>Creating a meeting is as simple as adding the following:</P>
+<PRE>
+       dn: cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com
+       objectClass: groupOfNames
+       objectClass: dynamicObject
+       cn: OpenLDAP Documentation Meeting
+       member: uid=ghenry,ou=People,dc=example,dc=com
+       member: uid=hyc,ou=People,dc=example,dc=com
+</PRE>
+<H4><A NAME="Dynamic Directory Service ACLs">11.5.2.1. Dynamic Directory Service ACLs</A></H4>
+<P>Allow users to start a meeting and to join it; restrict refresh to the <EM>member</EM>; restrict delete to the creator:</P>
+<PRE>
+       access to attrs=userPassword
+          by self write
+          by * read
+
+       access to dn.base=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=children
+            by users write
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=entry
+            by dnattr=creatorsName write
+            by * read
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=participant
+            by dnattr=creatorsName write
+            by users selfwrite
+            by * read
+
+       access to dn.onelevel=&quot;ou=Meetings,dc=example,dc=com&quot;
+                 attrs=entryTtl
+            by dnattr=member manage
+            by * read
+</PRE>
+<P>In simple terms, the user who created the <EM>OpenLDAP Documentation Meeting</EM> can add new attendees, refresh the meeting using (basically complete control):</P>
+<PRE>
+       ldapexop -x -H ldap://ldaphost &quot;refresh&quot; &quot;cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com&quot; &quot;120&quot; -D &quot;uid=ghenry,ou=People,dc=example,dc=com&quot; -W
+</PRE>
+<P>Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.</P>
+<H2><A NAME="Dynamic Groups">11.6. Dynamic Groups</A></H2>
+<H3><A NAME="Overview">11.6.1. Overview</A></H3>
 <P>This overlay extends the Compare operation to detect members of a dynamic group. This overlay is now deprecated as all of its functions are available using the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay.</P>
-<H3><A NAME="Dynamic Group Configuration">10.6.2. Dynamic Group Configuration</A></H3>
-<H2><A NAME="Dynamic Lists">10.7. Dynamic Lists</A></H2>
-<H3><A NAME="Overview">10.7.1. Overview</A></H3>
+<H3><A NAME="Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></H3>
+<H2><A NAME="Dynamic Lists">11.7. Dynamic Lists</A></H2>
+<H3><A NAME="Overview">11.7.1. Overview</A></H3>
 <P>This overlay allows expansion of dynamic groups and lists. Instead of having the group members or list attributes hard coded, this overlay allows us to define an LDAP search whose results will make up the group or list.</P>
-<H3><A NAME="Dynamic List Configuration">10.7.2. Dynamic List Configuration</A></H3>
+<H3><A NAME="Dynamic List Configuration">11.7.2. Dynamic List Configuration</A></H3>
 <P>This module can behave both as a dynamic list and dynamic group, depending on the configuration. The syntax is as follows:</P>
 <PRE>
        overlay dynlist
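Review bot: The first rule in the Dynamic Directory Service ACLs listing, `access to attrs=userPassword by self write by * read`, gives every client, anonymous ones included, read access to stored password values. It is unrelated to meetings and readers will paste the block as a whole, so I would write its `by` clauses as `by self write`, `by anonymous auth`, `by * none`. In the same block the rule on `attrs=participant` does not match the sample entry, which is a `groupOfNames` holding `member` values, so the "join" permission probably never applies as written and one of the two should change. Separately, both constraint listings use `^[:alnum:]+ at mydomain.com$`: outside a bracket expression `[:alnum:]` is only the character set `:`, `a`, `l`, `n`, `u`, `m`, so the class should be `[[:alnum:]]+`, and the dot in the domain should be escaped (the ` at ` may just be the list archive's address munging of `@`).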
@@ -3856,7 +4505,7 @@
 <UL>
 <LI><TT>&lt;group-oc&gt;</TT>: specifies which object class triggers the subsequent LDAP search. Whenever an entry with this object class is retrieved, the search is performed.
 <LI><TT>&lt;URL-ad&gt;</TT>: is the name of the attribute which holds the search URI. It has to be a subtype of <TT>labeledURI</TT>. The attributes and values present in the search result are added to the entry unless <TT>member-ad</TT> is used (see below).
-<LI><TT>member-ad</TT>: if present, changes the overlay behaviour into a dynamic group. Instead of inserting the results of the search in the entry, the distinguished name of the results are added as values of this attribute.</UL>
+<LI><TT>member-ad</TT>: if present, changes the overlay behavior into a dynamic group. Instead of inserting the results of the search in the entry, the distinguished name of the results are added as values of this attribute.</UL>
 <P>Here is an example which will allow us to have an email alias which automatically expands to all user's emails according to our LDAP filter:</P>
 <P>In <EM>slapd.conf</EM>(5):</P>
 <PRE>
@@ -3888,17 +4537,17 @@
        objectClass: groupOfNames
        labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 </PRE>
-<P>The behaviour is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfNames</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
+<P>The behavior is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfNames</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
 <P>This is what we get:</P>
 <P><CENTER><IMG SRC="allusersgroup-en.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: Dynamic Group for all users</P>
-<P>Note that a side effect of this scheme of dymamic groups is that the members need to be specified as full DNs. So, if you are planning in using this for <TT>posixGroup</TT>s, be sure to use RFC2307bis and some attribute which can hold distinguished names. The <TT>memberUid</TT> attribute used in the <TT>posixGroup</TT> object class can hold only names, not DNs, and is therefore not suitable for dynamic groups.</P>
-<H2><A NAME="Reverse Group Membership Maintenance">10.8. Reverse Group Membership Maintenance</A></H2>
-<H3><A NAME="Overview">10.8.1. Overview</A></H3>
+<P>Note that a side effect of this scheme of dynamic groups is that the members need to be specified as full DNs. So, if you are planning in using this for <TT>posixGroup</TT>s, be sure to use RFC2307bis and some attribute which can hold distinguished names. The <TT>memberUid</TT> attribute used in the <TT>posixGroup</TT> object class can hold only names, not DNs, and is therefore not suitable for dynamic groups.</P>
+<H2><A NAME="Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A></H2>
+<H3><A NAME="Overview">11.8.1. Overview</A></H3>
 <P>In some scenarios, it may be desirable for a client to be able to determine which groups an entry is a member of, without performing an additional search. Examples of this are applications using the <TERM>DIT</TERM> for access control based on group authorization.</P>
 <P>The <B>memberof</B> overlay updates an attribute (by default <B>memberOf</B>) whenever changes occur to the membership attribute (by default <B>member</B>) of entries of the objectclass (by default <B>groupOfNames</B>) configured to trigger updates.</P>
 <P>Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.</P>
-<H3><A NAME="Member Of Configuration">10.8.2. Member Of Configuration</A></H3>
+<H3><A NAME="Member Of Configuration">11.8.2. Member Of Configuration</A></H3>
 <P>The typical use of this overlay requires just enabling the overlay for a specific database. For example, with the following minimal slapd.conf:</P>
 <PRE>
         include /usr/share/openldap/schema/core.schema
@@ -3954,33 +4603,33 @@
  memberOf: cn=testgroup,ou=Group,dc=example,dc=com
 </PRE>
 <P>Note that the <B>memberOf</B> attribute is an operational attribute, so it must be requested explicitly.</P>
-<H2><A NAME="The Proxy Cache Engine">10.9. The Proxy Cache Engine</A></H2>
+<H2><A NAME="The Proxy Cache Engine">11.9. The Proxy Cache Engine</A></H2>
 <P><TERM>LDAP</TERM> servers typically hold one or more subtrees of a <TERM>DIT</TERM>. Replica (or shadow) servers hold shadow copies of entries held by one or more master servers.  Changes are propagated from the master server to replica (slave) servers using LDAP Sync replication.  An LDAP cache is a special type of replica which holds entries corresponding to search filters instead of subtrees.</P>
-<H3><A NAME="Overview">10.9.1. Overview</A></H3>
+<H3><A NAME="Overview">11.9.1. Overview</A></H3>
 <P>The proxy cache extension of slapd is designed to improve the responsiveness of the ldap and meta backends. It handles a search request (query) by first determining whether it is contained in any cached search filter. Contained requests are answered from the proxy cache's local database. Other requests are passed on to the underlying ldap or meta backend and processed as usual.</P>
 <P>E.g. <TT>(shoesize&gt;=9)</TT> is contained in <TT>(shoesize&gt;=8)</TT> and <TT>(sn=Richardson)</TT> is contained in <TT>(sn=Richards*)</TT></P>
 <P>Correct matching rules and syntaxes are used while comparing assertions for query containment. To simplify the query containment problem, a list of cacheable &quot;templates&quot; (defined below) is specified at configuration time. A query is cached or answered only if it belongs to one of these templates. The entries corresponding to cached queries are stored in the proxy cache local database while its associated meta information (filter, scope, base, attributes) is stored in main memory.</P>
 <P>A template is a prototype for generating LDAP search requests. Templates are described by a prototype search filter and a list of attributes which are required in queries generated from the template. The representation for prototype filter is similar to <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>, except that the assertion values are missing. Examples of prototype filters are: (sn=),(&amp;(sn=)(givenname=)) which are instantiated by search filters (sn=Doe) and (&amp;(sn=Doe)(givenname=John)) respectively.</P>
 <P>The cache replacement policy removes the least recently used (LRU) query and entries belonging to only that query. Queries are allowed a maximum time to live (TTL) in the cache thus providing weak consistency. A background task periodically checks the cache for expired queries and removes them.</P>
 <P>The Proxy Cache paper (<A HREF="http://www.openldap.org/pub/kapurva/proxycaching.pdf">http://www.openldap.org/pub/kapurva/proxycaching.pdf</A>) provides design and implementation details.</P>
-<H3><A NAME="Proxy Cache Configuration">10.9.2. Proxy Cache Configuration</A></H3>
+<H3><A NAME="Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A></H3>
 <P>The cache configuration specific directives described below must appear after a <TT>overlay proxycache</TT> directive within a <TT>&quot;database meta&quot;</TT> or <TT>database ldap</TT> section of the server's <EM>slapd.conf</EM>(5) file.</P>
-<H4><A NAME="Setting cache parameters">10.9.2.1. Setting cache parameters</A></H4>
+<H4><A NAME="Setting cache parameters">11.9.2.1. Setting cache parameters</A></H4>
 <PRE>
  proxyCache &lt;DB&gt; &lt;maxentries&gt; &lt;nattrsets&gt; &lt;entrylimit&gt; &lt;period&gt;
 </PRE>
 <P>This directive enables proxy caching and sets general cache parameters.  The &lt;DB&gt; parameter specifies which underlying database is to be used to hold cached entries.  It should be set to <TT>bdb</TT> or <TT>hdb</TT>.  The &lt;maxentries&gt; parameter specifies the total number of entries which may be held in the cache.  The &lt;nattrsets&gt; parameter specifies the total number of attribute sets (as specified by the <TT>proxyAttrSet</TT> directive) that may be defined.  The &lt;entrylimit&gt; parameter specifies the maximum number of entries in a cacheable query.  The &lt;period&gt; specifies the consistency check period (in seconds).  In each period, queries with expired TTLs are removed.</P>
-<H4><A NAME="Defining attribute sets">10.9.2.2. Defining attribute sets</A></H4>
+<H4><A NAME="Defining attribute sets">11.9.2.2. Defining attribute sets</A></H4>
 <PRE>
  proxyAttrset &lt;index&gt; &lt;attrs...&gt;
 </PRE>
 <P>Used to associate a set of attributes to an index. Each attribute set is associated with an index number from 0 to &lt;numattrsets&gt;-1. These indices are used by the proxyTemplate directive to define cacheable templates.</P>
-<H4><A NAME="Specifying cacheable templates">10.9.2.3. Specifying cacheable templates</A></H4>
+<H4><A NAME="Specifying cacheable templates">11.9.2.3. Specifying cacheable templates</A></H4>
 <PRE>
  proxyTemplate &lt;prototype_string&gt; &lt;attrset_index&gt; &lt;TTL&gt;
 </PRE>
 <P>Specifies a cacheable template and the &quot;time to live&quot; (in sec) &lt;TTL&gt; for queries belonging to the template. A template is described by its prototype filter string and set of required attributes identified by &lt;attrset_index&gt;.</P>
-<H4><A NAME="Example">10.9.2.4. Example</A></H4>
+<H4><A NAME="Example">11.9.2.4. Example</A></H4>
 <P>An example <EM>slapd.conf</EM>(5) database section for a caching server which proxies for the <TT>&quot;dc=example,dc=com&quot;</TT> subtree held at server <TT>ldap.example.com</TT>.</P>
 <PRE>
         database        ldap
@@ -3999,9 +4648,9 @@
         index       objectClass eq
         index       cn,sn,uid,mail  pres,eq,sub
 </PRE>
-<H5><A NAME="Cacheable Queries">10.9.2.4.1. Cacheable Queries</A></H5>
+<H5><A NAME="Cacheable Queries">11.9.2.4.1. Cacheable Queries</A></H5>
 <P>A LDAP search query is cacheable when its filter matches one of the templates as defined in the &quot;proxyTemplate&quot; statements and when it references only the attributes specified in the corresponding attribute set. In the example above the attribute set number 0 defines that only the attributes: <TT>mail postaladdress telephonenumber</TT> are cached for the following proxyTemplates.</P>
-<H5><A NAME="Examples:">10.9.2.4.2. Examples:</A></H5>
+<H5><A NAME="Examples:">11.9.2.4.2. Examples:</A></H5>
 <PRE>
         Filter: (&amp;(sn=Richard*)(givenName=jack))
         Attrs: mail telephoneNumber
@@ -4017,16 +4666,89 @@
         Attrs: mail telephoneNumber
 </PRE>
 <P>is not cacheable, because the filter does not match the template ( logical OR &quot;|&quot; condition instead of logical AND &quot;&amp;&quot; )</P>
-<H2><A NAME="Password Policies">10.10. Password Policies</A></H2>
-<H3><A NAME="Overview">10.10.1. Overview</A></H3>
-<P>This overlay provides a variety of password control mechanisms, e.g. password aging, password reuse and duplication control, mandatory password resets, etc.</P>
-<H3><A NAME="Password Policy Configuration">10.10.2. Password Policy Configuration</A></H3>
-<H2><A NAME="Referential Integrity">10.11. Referential Integrity</A></H2>
-<H3><A NAME="Overview">10.11.1. Overview</A></H3>
+<H2><A NAME="Password Policies">11.10. Password Policies</A></H2>
+<H3><A NAME="Overview">11.10.1. Overview</A></H3>
+<P>This overlay follows the specifications contained in the draft RFC titled draft-behera-ldap-password-policy-09. While the draft itself is expired, it has been implemented in several directory servers, including slapd. Nonetheless, it is important to note that it is a draft, meaning that it is subject to change and is a work-in-progress.</P>
+<P>The key abilities of the password policy overlay are as follows:</P>
+<UL>
+<LI>Enforce a minimum length for new passwords
+<LI>Make sure passwords are not changed too frequently
+<LI>Cause passwords to expire, provide warnings before they need to be changed, and allow a fixed number of 'grace' logins to allow them to be changed after they have expired
+<LI>Maintain a history of passwords to prevent password re-use
+<LI>Prevent password guessing by locking a password for a specified period of time after repeated authentication failures
+<LI>Force a password to be changed at the next authentication
+<LI>Set an administrative lock on an account
+<LI>Support multiple password policies on a default or a per-object basis.
+<LI>Perform arbitrary quality checks using an external loadable module. This is a non-standard extension of the draft RFC.</UL>
+<H3><A NAME="Password Policy Configuration">11.10.2. Password Policy Configuration</A></H3>
+<P>Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module. The following example shows the ppolicy module being added to the database that handles the naming context &quot;dc=example,dc=com&quot;. In this example we are also specifying the DN of a policy object to use if none other is specified in a user's object.</P>
+<PRE>
+       database bdb
+       suffix &quot;dc=example,dc=com&quot;
+       [...additional database configuration directives go here...]
+
+       overlay ppolicy
+       ppolicy_default &quot;cn=default,ou=policies,dc=example,dc=com&quot;
+</PRE>
+<P>Now we need a container for the policy objects. In our example the password policy objects are going to be placed in a section of the tree called &quot;ou=policies,dc=example,dc=com&quot;:</P>
+<PRE>
+       dn: ou=policies,dc=example,dc=com
+       objectClass: organizationalUnit
+       objectClass: top
+       ou: policies
+</PRE>
+<P>The default policy object that we are creating defines the following policies:</P>
+<UL>
+<LI>The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).
+<LI>The name of the password attribute is &quot;userPassword&quot; (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.
+<LI>The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).
+<LI>When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.
+<LI>When the password for a DN has expired, the server will allow five additional &quot;grace&quot; logins (pwdGraceAuthNLimit: 5).
+<LI>The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).
+<LI>The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).
+<LI>When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0)
+<LI>The server will reset its failed bind count after a period of 30 seconds.
+<LI>Passwords will not expire (pwdMaxAge: 0).
+<LI>Passwords can be changed as often as desired (pwdMinAge: 0).
+<LI>Passwords must be at least 5 characters in length (pwdMinLength: 5).
+<LI>The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
+<LI>The current password does not need to be included with password change requests (pwdSafeModify: FALSE)
+<LI>The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).</UL>
+<P>The actual policy would be:</P>
+<PRE>
+       dn: cn=default,ou=policies,dc=example,dc=com
+       cn: default
+       objectClass: pwdPolicy
+       objectClass: person
+       objectClass: top
+       pwdAllowUserChange: TRUE
+       pwdAttribute: userPassword
+       pwdCheckQuality: 2
+       pwdExpireWarning: 600
+       pwdFailureCountInterval: 30
+       pwdGraceAuthNLimit: 5
+       pwdInHistory: 5
+       pwdLockout: TRUE
+       pwdLockoutDuration: 0
+       pwdMaxAge: 0
+       pwdMaxFailure: 5
+       pwdMinAge: 0
+       pwdMinLength: 5
+       pwdMustChange: FALSE
+       pwdSafeModify: FALSE
+       sn: dummy value
+</PRE>
+<P>You can create additional policy objects as needed.</P>
+<P>There are two ways password policy can be applied to individual objects:</P>
+<P>1. The pwdPolicySubentry in a user's object - If a user's object has a pwdPolicySubEntry attribute specifying the DN of a policy object, then the policy defined by that object is applied.</P>
+<P>2. Default password policy - If there is no specific pwdPolicySubentry set for an object, and the password policy module was configured with the DN of a default policy object and if that object exists, then the policy defined in that object is applied.</P>
+<P>Please see <EM>slapo-ppolicy(5)</EM> for complete explanations of features and discussion of &quot;Password Management Issues&quot; at <A HREF="http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25">http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25</A></P>
+<H2><A NAME="Referential Integrity">11.11. Referential Integrity</A></H2>
+<H3><A NAME="Overview">11.11.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb(5) to maintain the cohesiveness of a schema which utilizes reference attributes.</P>
 <P>Whenever a <EM>modrdn</EM> or <EM>delete</EM> is performed, that is, when an entry's DN is renamed or an entry is removed, the server will search the directory for references to this DN (in selected attributes: see below) and update them accordingly. If it was a <EM>delete</EM> operation, the reference is deleted. If it was a <EM>modrdn</EM> operation, then the reference is updated with the new DN.</P>
 <P>For example, a very common administration task is to maintain group membership lists, specially when users are removed from the directory. When an user account is deleted or renamed, all groups this user is a member of have to be updated. LDAP administrators usually have scripts for that. But we can use the <TT>refint</TT> overlay to automate this task. In this example, if the user is removed from the directory, the overlay will take care to remove the user from all the groups he/she was a member of. No more scripting for this.</P>
-<H3><A NAME="Referential Integrity Configuration">10.11.2. Referential Integrity Configuration</A></H3>
+<H3><A NAME="Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A></H3>
 <P>The configuration for this overlay is as follows:</P>
 <PRE>
        overlay refint
@@ -4049,42 +4771,43 @@
 <P ALIGN="Center">Figure X.Y: Maintaining referential integrity in groups</P>
 <P>Notice that if we rename (<TT>modrdn</TT>) the <TT>john</TT> entry to, say, <TT>jsmith</TT>, the refint overlay will also rename the reference in the <TT>member</TT> attribute, so the group membership stays correct.</P>
 <P>If we removed all users from the directory who are a member of this group, then the end result would be a single member in the group: <TT>cn=admin,dc=example,dc=com</TT>. This is the <TT>refint_nothing</TT> parameter kicking into action so that the schema is not violated.</P>
-<H2><A NAME="Return Code">10.12. Return Code</A></H2>
-<H3><A NAME="Overview">10.12.1. Overview</A></H3>
+<H2><A NAME="Return Code">11.12. Return Code</A></H2>
+<H3><A NAME="Overview">11.12.1. Overview</A></H3>
 <P>This overlay is useful to test the behavior of clients when server-generated erroneous and/or unusual responses occur.</P>
-<H3><A NAME="Return Code Configuration">10.12.2. Return Code Configuration</A></H3>
-<H2><A NAME="Rewrite/Remap">10.13. Rewrite/Remap</A></H2>
-<H3><A NAME="Overview">10.13.1. Overview</A></H3>
+<H3><A NAME="Return Code Configuration">11.12.2. Return Code Configuration</A></H3>
+<H2><A NAME="Rewrite/Remap">11.13. Rewrite/Remap</A></H2>
+<H3><A NAME="Overview">11.13.1. Overview</A></H3>
 <P>It performs basic DN/data rewrite and objectClass/attributeType mapping.</P>
-<H3><A NAME="Rewrite/Remap Configuration">10.13.2. Rewrite/Remap Configuration</A></H3>
-<H2><A NAME="Sync Provider">10.14. Sync Provider</A></H2>
-<H3><A NAME="Overview">10.14.1. Overview</A></H3>
+<H3><A NAME="Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A></H3>
+<H2><A NAME="Sync Provider">11.14. Sync Provider</A></H2>
+<H3><A NAME="Overview">11.14.1. Overview</A></H3>
 <P>This overlay implements the provider-side support for syncrepl replication, including persistent search functionality</P>
-<H3><A NAME="Sync Provider Configuration">10.14.2. Sync Provider Configuration</A></H3>
-<H2><A NAME="Translucent Proxy">10.15. Translucent Proxy</A></H2>
-<H3><A NAME="Overview">10.15.1. Overview</A></H3>
+<H3><A NAME="Sync Provider Configuration">11.14.2. Sync Provider Configuration</A></H3>
+<H2><A NAME="Translucent Proxy">11.15. Translucent Proxy</A></H2>
+<H3><A NAME="Overview">11.15.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb (5) to create a &quot;translucent proxy&quot;.</P>
 <P>Content of entries retrieved from a remote LDAP server can be partially overridden by the database.</P>
-<H3><A NAME="Translucent Proxy Configuration">10.15.2. Translucent Proxy Configuration</A></H3>
-<H2><A NAME="Attribute Uniqueness">10.16. Attribute Uniqueness</A></H2>
-<H3><A NAME="Overview">10.16.1. Overview</A></H3>
+<H3><A NAME="Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A></H3>
+<H2><A NAME="Attribute Uniqueness">11.16. Attribute Uniqueness</A></H2>
+<H3><A NAME="Overview">11.16.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb (5) to enforce the uniqueness of some or all attributes within a subtree.</P>
-<H3><A NAME="Attribute Uniqueness Configuration">10.16.2. Attribute Uniqueness Configuration</A></H3>
-<H2><A NAME="Value Sorting">10.17. Value Sorting</A></H2>
-<H3><A NAME="Overview">10.17.1. Overview</A></H3>
+<H3><A NAME="Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A></H3>
+<H2><A NAME="Value Sorting">11.17. Value Sorting</A></H2>
+<H3><A NAME="Overview">11.17.1. Overview</A></H3>
 <P>This overlay can be used to enforce a specific order for the values of an attribute when it is returned in a search.</P>
-<H3><A NAME="Value Sorting Configuration">10.17.2. Value Sorting Configuration</A></H3>
-<H2><A NAME="Overlay Stacking">10.18. Overlay Stacking</A></H2>
-<H3><A NAME="Overview">10.18.1. Overview</A></H3>
-<H3><A NAME="Example Scenarios">10.18.2. Example Scenarios</A></H3>
-<H4><A NAME="Samba">10.18.2.1. Samba</A></H4>
+<H3><A NAME="Value Sorting Configuration">11.17.2. Value Sorting Configuration</A></H3>
+<H2><A NAME="Overlay Stacking">11.18. Overlay Stacking</A></H2>
+<H3><A NAME="Overview">11.18.1. Overview</A></H3>
+<P>Overlays can be stacked, which means that more than one overlay can be instantiated for each database, or for the <TT>frontend</TT>. As a consequence, each overlays function is called, if defined, when overlay execution is invoked. Multiple overlays are executed in reverse order (as a stack) with respect to their definition in slapd.conf (5), or with respect to their ordering in the config database, as documented in slapd-config (5).</P>
+<H3><A NAME="Example Scenarios">11.18.2. Example Scenarios</A></H3>
+<H4><A NAME="Samba">11.18.2.1. Samba</A></H4>
 <P></P>
 <HR>
-<H1><A NAME="Schema Specification">11. Schema Specification</A></H1>
+<H1><A NAME="Schema Specification">12. Schema Specification</A></H1>
 <P>This chapter describes how to extend the user schema used by <EM>slapd</EM>(8).  The chapter assumes the reader is familiar with the <TERM>LDAP</TERM>/<TERM>X.500</TERM> information model.</P>
 <P>The first section, <A HREF="#Distributed Schema Files">Distributed Schema Files</A> details optional schema definitions provided in the distribution and where to obtain other definitions. The second section, <A HREF="#Extending Schema">Extending Schema</A>, details how to define new schema items.</P>
 <P>This chapter does not discuss how to extend system schema used by <EM>slapd</EM>(8) as this requires source code modification.  System schema includes all operational attribute types or any object class which allows or requires an operational attribute (directly or indirectly).</P>
-<H2><A NAME="Distributed Schema Files">11.1. Distributed Schema Files</A></H2>
+<H2><A NAME="Distributed Schema Files">12.1. Distributed Schema Files</A></H2>
 <P>OpenLDAP Software is distributed with a set of schema specifications for your use.  Each set is defined in a file suitable for inclusion (using the <TT>include</TT> directive) in your <EM>slapd.conf</EM>(5) file.  These schema files are normally installed in the <TT>/usr/local/etc/openldap/schema</TT> directory.</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.1: Provided Schema Specifications</CAPTION>
@@ -4157,7 +4880,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You should not modify any of the schema items defined in provided files.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Extending Schema">11.2. Extending Schema</A></H2>
+<H2><A NAME="Extending Schema">12.2. Extending Schema</A></H2>
 <P>Schema used by <EM>slapd</EM>(8) may be extended to support additional syntaxes, matching rules, attribute types, and object classes.  This chapter details how to add user application attribute types and object classes using the syntaxes and matching rules already supported by slapd.  slapd can also be extended to support additional syntaxes, matching rules and system schema, but this requires some programming and hence is not discussed here.</P>
 <P>There are five steps to defining new schema:</P>
 <OL>
@@ -4166,7 +4889,7 @@
 <LI>create local schema file
 <LI>define custom attribute types (if necessary)
 <LI>define custom object classes</OL>
-<H3><A NAME="Object Identifiers">11.2.1. Object Identifiers</A></H3>
+<H3><A NAME="Object Identifiers">12.2.1. Object Identifiers</A></H3>
 <P>Each schema element is identified by a globally unique <TERM>Object Identifier</TERM> (OID).  OIDs are also used to identify other objects.  They are commonly found in protocols described by <TERM>ASN.1</TERM>.  In particular, they are heavily used by the <TERM>Simple Network Management Protocol</TERM> (SNMP). As OIDs are hierarchical, your organization can obtain one OID and branch it as needed.  For example, if your organization were assigned OID <TT>1.1</TT>, you could branch the tree as follows:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.2: Example OID hierarchy</CAPTION>
@@ -4245,12 +4968,12 @@
 <STRONG>Note: </STRONG>PENs obtained using this form may be used for any purpose including identifying LDAP schema elements.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>Alternatively, OID name space may be available from a national authority (e.g., <A HREF="http://www.ansi.org/">ANSI</A>, <A HREF="http://www.bsi-global.com/">BSI</A>).</P>
-<H3><A NAME="Naming Elements">11.2.2. Naming Elements</A></H3>
+<H3><A NAME="Naming Elements">12.2.2. Naming Elements</A></H3>
 <P>In addition to assigning a unique object identifier to each schema element, you should provide a least one textual name for each element.  Names should be registered with the <A HREF="http://www.iana.org/">IANA</A> or prefixed with &quot;x-&quot; to place in the &quot;private use&quot; name space.</P>
 <P>The name should be both descriptive and not likely to clash with names of other schema elements.  In particular, any name you choose should not clash with present or future Standard Track names (this is assured if you registered names or use names beginning with &quot;x-&quot;).</P>
 <P>It is noted that you can obtain your own registered name prefix so as to avoid having to register your names individually. See <A HREF="http://www.rfc-editor.org/rfc/rfc4520.txt">RFC4520</A> for details.</P>
 <P>In the examples below, we have used a short prefix '<TT>x-my-</TT>'. Such a short prefix would only be suitable for a very large, global organization.  In general, we recommend something like '<TT>x-de-Firm-</TT>' (German company) or '<TT>x-com-Example</TT>' (elements associated with organization associated with <TT>example.com</TT>).</P>
-<H3><A NAME="Local schema file">11.2.3. Local schema file</A></H3>
+<H3><A NAME="Local schema file">12.2.3. Local schema file</A></H3>
 <P>The <TT>objectclass</TT> and <TT>attributeTypes</TT> configuration file directives can be used to define schema rules on entries in the directory.  It is customary to create a file to contain definitions of your custom schema items.  We recommend you create a file <TT>local.schema</TT> in <TT>/usr/local/etc/openldap/schema/local.schema</TT> and then include this file in your <EM>slapd.conf</EM>(5) file immediately after other schema <TT>include</TT> directives.</P>
 <PRE>
         # include schema
@@ -4260,7 +4983,7 @@
         # include local schema
         include /usr/local/etc/openldap/schema/local.schema
 </PRE>
-<H3><A NAME="Attribute Type Specification">11.2.4. Attribute Type Specification</A></H3>
+<H3><A NAME="Attribute Type Specification">12.2.4. Attribute Type Specification</A></H3>
 <P>The <EM>attributetype</EM> directive is used to define a new attribute type.  The directive uses the same Attribute Type Description (as defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A>) used by the attributeTypes attribute found in the subschema subentry, e.g.:</P>
 <PRE>
         attributetype &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Attribute Type Description&gt;
@@ -4605,7 +5328,7 @@
 <P>The second attribute, <TT>cn</TT>, is a subtype of <TT>name</TT> hence it inherits the syntax, matching rules, and usage of <TT>name</TT>. <TT>commonName</TT> is an alternative name.</P>
 <P>Neither attribute is restricted to a single value.  Both are meant for usage by user applications.  Neither is obsolete nor collective.</P>
 <P>The following subsections provide a couple of examples.</P>
-<H4><A NAME="x-my-UniqueName">11.2.4.1. x-my-UniqueName</A></H4>
+<H4><A NAME="x-my-UniqueName">12.2.4.1. x-my-UniqueName</A></H4>
 <P>Many organizations maintain a single unique name for each user. Though one could use <TT>displayName</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>), this attribute is really meant to be controlled by the user, not the organization.  We could just copy the definition of <TT>displayName</TT> from <TT>inetorgperson.schema</TT> and replace the OID, name, and description, e.g:</P>
 <PRE>
         attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
@@ -4621,7 +5344,7 @@
                 DESC 'unique name with my organization'
                 SUP name )
 </PRE>
-<H4><A NAME="x-my-Photo">11.2.4.2. x-my-Photo</A></H4>
+<H4><A NAME="x-my-Photo">12.2.4.2. x-my-Photo</A></H4>
 <P>Many organizations maintain a photo of each each user.  A <TT>x-my-Photo</TT> attribute type could be defined to hold a photo. Of course, one could use just use <TT>jpegPhoto</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>) (or a subtype) to hold the photo.  However, you can only do this if the photo is in <EM>JPEG File Interchange Format</EM>. Alternatively, an attribute type which uses the <EM>Octet String</EM> syntax can be defined, e.g.:</P>
 <PRE>
         attributetype ( 1.1.2.1.2 NAME 'x-my-Photo'
@@ -4637,7 +5360,7 @@
                 DESC 'URI and optional label referring to a photo'
                 SUP labeledURI )
 </PRE>
-<H3><A NAME="Object Class Specification">11.2.5. Object Class Specification</A></H3>
+<H3><A NAME="Object Class Specification">12.2.5. Object Class Specification</A></H3>
 <P>The <EM>objectclasses</EM> directive is used to define a new object class.  The directive uses the same Object Class Description (as defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A>) used by the objectClasses attribute found in the subschema subentry, e.g.:</P>
 <PRE>
         objectclass &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Object Class Description&gt;
@@ -4657,7 +5380,7 @@
                 whsp &quot;)&quot;
 </PRE>
 <P>where whsp is a space ('<TT> </TT>'), numericoid is a globally unique OID in dotted-decimal form (e.g. <TT>1.1.0</TT>), qdescrs is one or more names, and oids is one or more names and/or OIDs.</P>
-<H4><A NAME="x-my-PhotoObject">11.2.5.1. x-my-PhotoObject</A></H4>
+<H4><A NAME="x-my-PhotoObject">12.2.5.1. x-my-PhotoObject</A></H4>
 <P>To define an <EM>auxiliary</EM> object class which allows x-my-Photo to be added to any existing entry.</P>
 <PRE>
         objectclass ( 1.1.2.2.1 NAME 'x-my-PhotoObject'
@@ -4665,7 +5388,7 @@
                 AUXILIARY
                 MAY x-my-Photo )
 </PRE>
-<H4><A NAME="x-my-Person">11.2.5.2. x-my-Person</A></H4>
+<H4><A NAME="x-my-Person">12.2.5.2. x-my-Person</A></H4>
 <P>If your organization would like have a private <EM>structural</EM> object class to instantiate users, you can subclass one of the existing person classes, such as <TT>inetOrgPerson</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>), and add any additional attributes which you desire.</P>
 <PRE>
         objectclass ( 1.1.2.2.2 NAME 'x-my-Person'
@@ -4675,7 +5398,7 @@
                 MAY x-my-Photo )
 </PRE>
 <P>The object class inherits the required/allowed attribute types of <TT>inetOrgPerson</TT> but requires <TT>x-my-UniqueName</TT> and <TT>givenName</TT> and allows <TT>x-my-Photo</TT>.</P>
-<H3><A NAME="OID Macros">11.2.6. OID Macros</A></H3>
+<H3><A NAME="OID Macros">12.2.6. OID Macros</A></H3>
 <P>To ease the management and use of OIDs, <EM>slapd</EM>(8) supports <EM>Object Identifier</EM> macros.  The <TT>objectIdentifier</TT> directive is used to equate a macro (name) with a OID.  The OID may possibly be derived from a previously defined OID macro.   The <EM>slapd.conf</EM>(5) syntax is:</P>
 <PRE>
         objectIdentifier &lt;name&gt; { &lt;oid&gt; | &lt;name&gt;[:&lt;suffix&gt;] }
@@ -4697,21 +5420,21 @@
 </PRE>
 <P></P>
 <HR>
-<H1><A NAME="Security Considerations">12. Security Considerations</A></H1>
+<H1><A NAME="Security Considerations">13. Security Considerations</A></H1>
 <P>OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet.  Hence, OpenLDAP Software supports many different security mechanisms.  This chapter describes these mechanisms and discusses security considerations for using OpenLDAP Software.</P>
-<H2><A NAME="Network Security">12.1. Network Security</A></H2>
-<H3><A NAME="Selective Listening">12.1.1. Selective Listening</A></H3>
+<H2><A NAME="Network Security">13.1. Network Security</A></H2>
+<H3><A NAME="Selective Listening">13.1.1. Selective Listening</A></H3>
 <P>By default, <EM>slapd</EM>(8) will listen on both the IPv4 and IPv6 &quot;any&quot; addresses.  It is often desirable to have <EM>slapd</EM> listen on select address/port pairs.  For example, listening only on the IPv4 address <TT>127.0.0.1</TT> will disallow remote access to the directory server. E.g.:</P>
 <PRE>
         slapd -h ldap://127.0.0.1
 </PRE>
 <P>While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface.   To selective restrict remote access, it is recommend that an <A HREF="#IP Firewall">IP Firewall</A> be used to restrict access.</P>
 <P>See <A HREF="#Command-line Options">Command-line Options</A> and <EM>slapd</EM>(8) for more information.</P>
-<H3><A NAME="IP Firewall">12.1.2. IP Firewall</A></H3>
+<H3><A NAME="IP Firewall">13.1.2. IP Firewall</A></H3>
 <P><TERM>IP</TERM> firewall capabilities of the server system can be used to restrict access based upon the client's IP address and/or network interface used to communicate with the client.</P>
 <P>Generally, <EM>slapd</EM>(8) listens on port 389/tcp for <A HREF="ldap://">ldap://</A> sessions and port 636/tcp for <A HREF="ldaps://">ldaps://</A>) sessions.  <EM>slapd</EM>(8) may be configured to listen on other ports.</P>
 <P>As specifics of how to configure IP firewall are dependent on the particular kind of IP firewall used, no examples are provided here. See the document associated with your IP firewall.</P>
-<H3><A NAME="TCP Wrappers">12.1.3. TCP Wrappers</A></H3>
+<H3><A NAME="TCP Wrappers">13.1.3. TCP Wrappers</A></H3>
 <P><EM>slapd</EM>(8) supports <TERM>TCP</TERM> Wrappers.  TCP Wrappers provide a rule-based access control system for controlling TCP/IP access to the server.  For example, the <EM>host_options</EM>(5) rule:</P>
 <PRE>
         slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
@@ -4720,10 +5443,10 @@
 <P>allows only incoming connections from the private network <TT>10.0.0.0</TT> and localhost (<TT>127.0.0.1</TT>) to access the directory service. Note that IP addresses are used as <EM>slapd</EM>(8) is not normally configured to perform reverse lookups.</P>
 <P>It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers.</P>
 <P>See <EM>hosts_access</EM>(5) for more information on TCP wrapper rules.</P>
-<H2><A NAME="Data Integrity and Confidentiality Protection">12.2. Data Integrity and Confidentiality Protection</A></H2>
+<H2><A NAME="Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A></H2>
 <P><TERM>Transport Layer Security</TERM> (TLS) can be used to provide data integrity and confidentiality protection.  OpenLDAP supports negotiation of <TERM>TLS</TERM> (<TERM>SSL</TERM>) via both StartTLS and <A HREF="ldaps://">ldaps://</A>. See the <A HREF="#Using TLS">Using TLS</A> chapter for more information.  StartTLS is the standard track mechanism.</P>
 <P>A number of <TERM>Simple Authentication and Security Layer</TERM> (SASL) mechanisms, such as <TERM>DIGEST-MD5</TERM> and <TERM>GSSAPI</TERM>, also provide data integrity and confidentiality protection.  See the <A HREF="#Using SASL">Using SASL</A> chapter for more information.</P>
-<H3><A NAME="Security Strength Factors">12.2.1. Security Strength Factors</A></H3>
+<H3><A NAME="Security Strength Factors">13.2.1. Security Strength Factors</A></H3>
 <P>The server uses <TERM>Security Strength Factor</TERM>s (SSF) to indicate the relative strength of protection.  A SSF of zero (0) indicates no protections are in place.  A SSF of one (1) indicates integrity protection are in place.  A SSF greater than one (&gt;1) roughly correlates to the effective encryption key length.  For example, <TERM>DES</TERM> is 56, <TERM>3DES</TERM> is 112, and <TERM>AES</TERM> 128, 192, or 256.</P>
 <P>A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.</P>
 <P><TT>security</TT> controls disallow operations when appropriate protections are not in place.  For example:</P>
@@ -4732,8 +5455,8 @@
 </PRE>
 <P>requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.).  See <EM>slapd.conf</EM>(5) for details.</P>
 <P>For fine-grained control, SSFs may be used in access controls. See <A HREF="#The access Configuration Directive">The access Configuration Directive</A> section of the <A HREF="#The slapd Configuration File">The slapd Configuration File</A> for more information.</P>
-<H2><A NAME="Authentication Methods">12.3. Authentication Methods</A></H2>
-<H3><A NAME="&quot;simple&quot; method">12.3.1. &quot;simple&quot; method</A></H3>
+<H2><A NAME="Authentication Methods">13.3. Authentication Methods</A></H2>
+<H3><A NAME="&quot;simple&quot; method">13.3.1. &quot;simple&quot; method</A></H3>
 <P>The LDAP &quot;simple&quot; method has three modes of operation:</P>
 <UL>
 <LI>anonymous,
@@ -4747,26 +5470,26 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>An unsuccessful bind always results in the session having an <EM>anonymous</EM> authorization association.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="SASL method">12.3.2. SASL method</A></H3>
+<H3><A NAME="SASL method">13.3.2. SASL method</A></H3>
 <P>The LDAP <TERM>SASL</TERM> method allows use of any SASL authentication mechanism.  The <A HREF="#Using SASL">Using SASL</A> discusses use of SASL.</P>
 <P></P>
 <HR>
-<H1><A NAME="Using SASL">13. Using SASL</A></H1>
+<H1><A NAME="Using SASL">14. Using SASL</A></H1>
 <P>OpenLDAP clients and servers are capable of authenticating via the <TERM>Simple Authentication and Security Layer</TERM> (<TERM>SASL</TERM>) framework, which is detailed in <A HREF="http://www.rfc-editor.org/rfc/rfc4422.txt">RFC4422</A>.   This chapter describes how to make use of SASL in OpenLDAP.</P>
 <P>There are several industry standard authentication mechanisms that can be used with SASL, including <TERM>GSSAPI</TERM> for <TERM>Kerberos</TERM> V, <TERM>DIGEST-MD5</TERM>, and <TERM>PLAIN</TERM> and <TERM>EXTERNAL</TERM> for use with <TERM>Transport Layer Security</TERM> (TLS).</P>
 <P>The standard client tools provided with OpenLDAP Software, such as <EM>ldapsearch</EM>(1) and <EM>ldapmodify</EM>(1), will by default attempt to authenticate the user to the <TERM>LDAP</TERM> directory server using SASL.  Basic authentication service can be set up by the LDAP administrator with a few steps, allowing users to be authenticated to the slapd server as their LDAP entry.  With a few extra steps, some users and services can be allowed to exploit SASL's proxy authorization feature, allowing them to authenticate themselves and then switch their identity to that of another user or service.</P>
 <P>This chapter assumes you have read <EM>Cyrus SASL for System Administrators</EM>, provided with the <A HREF="http://asg.web.cmu.edu/sasl/sasl-library.html">Cyrus SASL</A> package (in <TT>doc/sysadmin.html</TT>) and have a working Cyrus SASL installation.  You should use the Cyrus SASL <TT>sample_client</TT> and <TT>sample_server</TT> to test your SASL installation before attempting to make use of it with OpenLDAP Software.</P>
 <P>Note that in the following text the term <EM>user</EM> is used to describe a person or application entity who is connecting to the LDAP server via an LDAP client, such as <EM>ldapsearch</EM>(1).  That is, the term <EM>user</EM> not only applies to both an individual using an LDAP client, but to an application entity which issues LDAP client operations without direct user control.  For example, an e-mail server which uses LDAP operations to access information held in an LDAP server is an application entity.</P>
-<H2><A NAME="SASL Security Considerations">13.1. SASL Security Considerations</A></H2>
+<H2><A NAME="SASL Security Considerations">14.1. SASL Security Considerations</A></H2>
 <P>SASL offers many different authentication mechanisms.  This section briefly outlines security considerations.</P>
 <P>Some mechanisms, such as PLAIN and LOGIN, offer no greater security over LDAP <EM>simple</EM> authentication.  Like LDAP <EM>simple</EM> authentication, such mechanisms should not be used unless you have adequate security protections in place.  It is recommended that these mechanisms be used only in conjunction with <TERM>Transport Layer Security</TERM> (TLS).  Use of PLAIN and LOGIN are not discussed further in this document.</P>
 <P>The DIGEST-MD5 mechanism is the mandatory-to-implement authentication mechanism for LDAPv3.  Though DIGEST-MD5 is not a strong authentication mechanism in comparison with trusted third party authentication systems (such as <TERM>Kerberos</TERM> or public key systems), it does offer significant protections against a number of attacks.  Unlike the <TERM>CRAM-MD5</TERM> mechanism, it prevents chosen plaintext attacks.  DIGEST-MD5 is favored over the use of plaintext password mechanisms.  The CRAM-MD5 mechanism is deprecated in favor of DIGEST-MD5.  Use of <A HREF="#DIGEST-MD5">DIGEST-MD5</A> is discussed below.</P>
 <P>The GSSAPI mechanism utilizes <TERM>GSS-API</TERM> <TERM>Kerberos</TERM> V to provide secure authentication services.  The KERBEROS_V4 mechanism is available for those using Kerberos IV.  Kerberos is viewed as a secure, distributed authentication system suitable for both small and large enterprises.  Use of <A HREF="#GSSAPI">GSSAPI</A> and <A HREF="#KERBEROS_V4">KERBEROS_V4</A> are discussed below.</P>
 <P>The EXTERNAL mechanism utilizes authentication services provided by lower level network services such as <TERM>TLS</TERM> (TLS).  When used in conjunction with <TERM>TLS</TERM> <TERM>X.509</TERM>-based public key technology, EXTERNAL offers strong authentication.  Use of EXTERNAL is discussed in the <A HREF="#Using TLS">Using TLS</A> chapter.</P>
 <P>There are other strong authentication mechanisms to choose from, including <TERM>OTP</TERM> (one time passwords) and <TERM>SRP</TERM> (secure remote passwords).  These mechanisms are not discussed in this document.</P>
-<H2><A NAME="SASL Authentication">13.2. SASL Authentication</A></H2>
+<H2><A NAME="SASL Authentication">14.2. SASL Authentication</A></H2>
 <P>Getting basic SASL authentication running involves a few steps. The first step configures your slapd server environment so that it can communicate with client programs using the security system in place at your site. This usually involves setting up a service key, a public key, or other form of secret. The second step concerns mapping authentication identities to LDAP <TERM>DN</TERM>'s, which depends on how entries are laid out in your directory. An explanation of the first step will be given in the next section using Kerberos V4 as an example mechanism. The steps necessary for your site's authentication mechanism will be similar, but a guide to every mechanism available under SASL is beyond the scope of this chapter. The second step is described in the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A>.</P>
-<H3><A NAME="GSSAPI">13.2.1. GSSAPI</A></H3>
+<H3><A NAME="GSSAPI">14.2.1. GSSAPI</A></H3>
 <P>This section describes the use of the SASL GSSAPI mechanism and Kerberos V with OpenLDAP.  It will be assumed that you have Kerberos V deployed, you are familiar with the operation of the system, and that your users are trained in its use.  This section also assumes you have familiarized yourself with the use of the GSSAPI mechanism by reading <EM>Configuring GSSAPI and Cyrus SASL</EM> (provided with Cyrus SASL in the <TT>doc/gssapi</TT> file) and successfully experimented with the Cyrus provided <TT>sample_server</TT> and <TT>sample_client</TT> applications.  General information about Kerberos is available at <A HREF="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</A>.</P>
 <P>To use the GSSAPI mechanism with <EM>slapd</EM>(8) one must create a service key with a principal for <EM>ldap</EM> service within the realm for the host on which the service runs.  For example, if you run <EM>slapd</EM> on <TT>directory.example.com</TT> and your realm is <TT>EXAMPLE.COM</TT>, you need to create a service key with the principal:</P>
 <PRE>
@@ -4787,7 +5510,7 @@
         uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
 </PRE>
 <P>The authentication request DN can be used directly ACLs and <TT>groupOfNames</TT> &quot;member&quot; attributes, since it is of legitimate LDAP DN format.  Or alternatively, the authentication DN could be mapped before use.  See the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> for details.</P>
-<H3><A NAME="KERBEROS_V4">13.2.2. KERBEROS_V4</A></H3>
+<H3><A NAME="KERBEROS_V4">14.2.2. KERBEROS_V4</A></H3>
 <P>This section describes the use of the SASL KERBEROS_V4 mechanism with OpenLDAP.  It will be assumed that you are familiar with the workings of the Kerberos IV security system, and that your site has Kerberos IV deployed.  Your users should be familiar with authentication policy, how to receive credentials in a Kerberos ticket cache, and how to refresh expired credentials.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>KERBEROS_V4 and Kerberos IV are deprecated in favor of GSSAPI and Kerberos V.
@@ -4810,7 +5533,7 @@
         uid=adamsom,cn=example.com,cn=kerberos_v4,cn=auth
 </PRE>
 <P>This authentication request DN can be used directly ACLs or, alternatively, mapped prior to use.  See the section <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> for details.</P>
-<H3><A NAME="DIGEST-MD5">13.2.3. DIGEST-MD5</A></H3>
+<H3><A NAME="DIGEST-MD5">14.2.3. DIGEST-MD5</A></H3>
 <P>This section describes the use of the SASL DIGEST-MD5 mechanism using secrets stored either in the directory itself or in Cyrus SASL's own database. DIGEST-MD5 relies on the client and the server sharing a &quot;secret&quot;, usually a password. The server generates a challenge and the client a response proving that it knows the shared secret. This is much more secure than simply sending the secret over the wire.</P>
 <P>Cyrus SASL supports several shared-secret mechanisms. To do this, it needs access to the plaintext password (unlike mechanisms which pass plaintext passwords over the wire, where the server can store a hashed version of the password).</P>
 <P>The server's copy of the shared-secret may be stored in Cyrus SASL's own <EM>sasldb</EM> database, in an external system accessed via <EM>saslauthd</EM>, or in LDAP database itself.  In either case it is very important to apply file access controls and LDAP access controls to prevent exposure of the passwords.  The configuration and commands discussed in this section assume the use of Cyrus SASL 2.1.</P>
@@ -4849,7 +5572,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>in each of the above cases, no authorization identity (e.g. <TT>-X</TT>) was provided.   Unless you are attempting <A HREF="#SASL Proxy Authorization">SASL Proxy Authorization</A>, no authorization identity should be specified. The server will infer an authorization identity from authentication identity (as described below).
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Mapping Authentication Identities">13.2.4. Mapping Authentication Identities</A></H3>
+<H3><A NAME="Mapping Authentication Identities">14.2.4. Mapping Authentication Identities</A></H3>
 <P>The authentication mechanism in the slapd server will use SASL library calls to obtain the authenticated user's &quot;username&quot;, based on whatever underlying authentication mechanism was used.  This username is in the namespace of the authentication mechanism, and not in the normal LDAP namespace. As stated in the sections above, that username is reformatted into an authentication request DN of the form</P>
 <PRE>
         uid=&lt;username&gt;,cn=&lt;realm&gt;,cn=&lt;mechanism&gt;,cn=auth
@@ -4871,7 +5594,7 @@
 <P>The authentication request DN is compared to the search pattern using the regular expression functions <EM>regcomp</EM>() and <EM>regexec</EM>(), and if it matches, it is rewritten as the replacement pattern. If there are multiple <TT>authz-regexp</TT> directives, only the first whose search pattern matches the authentication identity is used. The string that is output from the replacement pattern should be the authentication DN of the user or an LDAP URL.  If replacement string produces a DN, the entry named by this DN need not be held by this server.  If the replace string produces an LDAP URL, that LDAP URL must evaluate to one and only one entry held by this server.</P>
 <P>The search pattern can contain any of the regular expression characters listed in <EM>regexec</EM>(3C). The main characters of note are dot &quot;.&quot;, asterisk &quot;*&quot;, and the open and close parenthesis &quot;(&quot; and &quot;)&quot;.  Essentially, the dot matches any character, the asterisk allows zero or more repeats of the immediately preceding character or pattern, and terms in parenthesis are remembered for the replacement pattern.</P>
 <P>The replacement pattern will produce either a DN or URL referring to the user.  Anything from the authentication request DN that matched a string in parenthesis in the search pattern is stored in the variable &quot;$1&quot;. That variable &quot;$1&quot; can appear in the replacement pattern, and will be replaced by the string from the authentication request DN. If there were multiple sets of parentheses in the search pattern, the variables $2, $3, etc are used.</P>
-<H3><A NAME="Direct Mapping">13.2.5. Direct Mapping</A></H3>
+<H3><A NAME="Direct Mapping">14.2.5. Direct Mapping</A></H3>
 <P>Where possible, direct mapping of the authentication request DN to the user's DN is generally recommended.  Aside from avoiding the expense of searching for the user's DN, it allows mapping to DNs which refer to entries not held by this server.</P>
 <P>Suppose the authentication request DN is written as:</P>
 <PRE>
@@ -4895,7 +5618,7 @@
 </PRE>
 <P>Be careful about setting the search pattern too leniently, however, since it may mistakenly allow persons to become authenticated as a DN to which they should not have access.  It is better to write several strict directives than one lenient directive which has security holes.  If there is only one authentication mechanism in place at your site, and zero or one realms in use, you might be able to map between authentication identities and LDAP DN's with a single <TT>authz-regexp</TT> directive.</P>
 <P>Don't forget to allow for the case where the realm is omitted as well as the case with an explicitly specified realm. This may well require a separate <TT>authz-regexp</TT> directive for each case, with the explicit-realm entry being listed first.</P>
-<H3><A NAME="Search-based mappings">13.2.6. Search-based mappings</A></H3>
+<H3><A NAME="Search-based mappings">14.2.6. Search-based mappings</A></H3>
 <P>There are a number of cases where mapping to a LDAP URL may be appropriate.  For instance, some sites may have person objects located in multiple areas of the LDAP tree, such as if there were an <TT>ou=accounting</TT> tree and an <TT>ou=engineering</TT> tree, with persons interspersed between them.  Or, maybe the desired mapping must be based upon information in the user's information. Consider the need to map the above authentication request DN to user whose entry is as follows:</P>
 <PRE>
         dn: cn=Mark Adamson,ou=People,dc=Example,dc=COM
@@ -4937,10 +5660,10 @@
 <P>Note that the explicitly-named realms are handled first, to avoid the realm name becoming part of the UID.  Also note the use of scope and filters to limit matching to desirable entries.</P>
 <P>Note as well that <TT>authz-regexp</TT> internal search are subject to access controls.  Specifically, the authentication identity must have <TT>auth</TT> access.</P>
 <P>See <EM>slapd.conf</EM>(5) for more detailed information.</P>
-<H2><A NAME="SASL Proxy Authorization">13.3. SASL Proxy Authorization</A></H2>
+<H2><A NAME="SASL Proxy Authorization">14.3. SASL Proxy Authorization</A></H2>
 <P>The SASL offers a feature known as <EM>proxy authorization</EM>, which allows an authenticated user to request that they act on the behalf of another user.  This step occurs after the user has obtained an authentication DN, and involves sending an authorization identity to the server. The server will then make a decision on whether or not to allow the authorization to occur. If it is allowed, the user's LDAP connection is switched to have a binding DN derived from the authorization identity, and the LDAP session proceeds with the access of the new authorization DN.</P>
 <P>The decision to allow an authorization to proceed depends on the rules and policies of the site where LDAP is running, and thus cannot be made by SASL alone. The SASL library leaves it up to the server to make the decision. The LDAP administrator sets the guidelines of who can authorize to what identity by adding information into the LDAP database entries. By default, the authorization features are disabled, and must be explicitly configured by the LDAP administrator before use.</P>
-<H3><A NAME="Uses of Proxy Authorization">13.3.1. Uses of Proxy Authorization</A></H3>
+<H3><A NAME="Uses of Proxy Authorization">14.3.1. Uses of Proxy Authorization</A></H3>
 <P>This sort of service is useful when one entity needs to act on the behalf of many other users. For example, users may be directed to a web page to make changes to their personal information in their LDAP entry. The users authenticate to the web server to establish their identity, but the web server CGI cannot authenticate to the LDAP server as that user to make changes for them. Instead, the web server authenticates itself to the LDAP server as a service identity, say,</P>
 <PRE>
         cn=WebUpdate,dc=example,dc=com
@@ -4948,7 +5671,7 @@
 <P>and then it will SASL authorize to the DN of the user. Once so authorized, the CGI makes changes to the LDAP entry of the user, and as far as the slapd server can tell for its ACLs, it is the user themself on the other end of the connection. The user could have connected to the LDAP server directly and authenticated as themself, but that would require the user to have more knowledge of LDAP clients, knowledge which the web page provides in an easier format.</P>
 <P>Proxy authorization can also be used to limit access to an account that has greater access to the database. Such an account, perhaps even the root DN specified in <EM>slapd.conf</EM>(5), can have a strict list of people who can authorize to that DN. Changes to the LDAP database could then be only allowed by that DN, and in order to become that DN, users must first authenticate as one of the persons on the list. This allows for better auditing of who made changes to the LDAP database.  If people were allowed to authenticate directly to the privileged account, possibly through the <TT>rootpw</TT> <EM>slapd.conf</EM>(5) directive or through a <TT>userPassword</TT> attribute, then auditing becomes more difficult.</P>
 <P>Note that after a successful proxy authorization, the original authentication DN of the LDAP connection is overwritten by the new DN from the authorization request. If a service program is able to authenticate itself as its own authentication DN and then authorize to other DN's, and it is planning on switching to several different identities during one LDAP session, it will need to authenticate itself each time before authorizing to another DN (or use a different proxy authorization mechanism).  The slapd server does not keep record of the service program's ability to switch to other DN's. On authentication mechanisms like Kerberos this will not require multiple connections being made to the Kerberos server, since the user's TGT and &quot;ldap&quot; session key are valid for multiple uses for the several hours of the ticket lifetime.</P>
-<H3><A NAME="SASL Authorization Identities">13.3.2. SASL Authorization Identities</A></H3>
+<H3><A NAME="SASL Authorization Identities">14.3.2. SASL Authorization Identities</A></H3>
 <P>The SASL authorization identity is sent to the LDAP server via the <TT>-X</TT> switch for <EM>ldapsearch</EM>(1) and other tools, or in the <TT>*authzid</TT> parameter to the <EM>lutil_sasl_defaults</EM>() call. The identity can be in one of two forms, either</P>
 <PRE>
         u:&lt;username&gt;
@@ -4963,7 +5686,7 @@
 </PRE>
 <P>That authorization request DN is then run through the same <TT>authz-regexp</TT> process to convert it into a legitimate authorization DN from the database. If it cannot be converted due to a failed search from an LDAP URL, the authorization request fails with &quot;inappropriate access&quot;.  Otherwise, the DN string is now a legitimate authorization DN ready to undergo approval.</P>
 <P>If the authorization identity was provided in the second form, with a <TT>&quot;dn:&quot;</TT> prefix, the string after the prefix is already in authorization DN form, ready to undergo approval.</P>
-<H3><A NAME="Proxy Authorization Rules">13.3.3. Proxy Authorization Rules</A></H3>
+<H3><A NAME="Proxy Authorization Rules">14.3.3. Proxy Authorization Rules</A></H3>
 <P>Once slapd has the authorization DN, the actual approval process begins. There are two attributes that the LDAP administrator can put into LDAP entries to allow authorization:</P>
 <PRE>
         authzTo
@@ -4977,7 +5700,7 @@
         authzTo: ldap:///dc=example,dc=com??sub?(objectclass=person)
 </PRE>
 <P>then any user who authenticated as <TT>cn=WebUpdate,dc=example,dc=com</TT> could authorize to any other LDAP entry under the search base <TT>dc=example,dc=com</TT> which has an objectClass of <TT>Person</TT>.</P>
-<H4><A NAME="Notes on Proxy Authorization Rules">13.3.3.1. Notes on Proxy Authorization Rules</A></H4>
+<H4><A NAME="Notes on Proxy Authorization Rules">14.3.3.1. Notes on Proxy Authorization Rules</A></H4>
 <P>An LDAP URL in a <TT>authzTo</TT> or <TT>authzFrom</TT> attribute will return a set of DNs.  Each DN returned will be checked.  Searches which return a large set can cause the authorization process to take an uncomfortably long time. Also, searches should be performed on attributes that have been indexed by slapd.</P>
 <P>To help produce more sweeping rules for <TT>authzFrom</TT> and <TT>authzTo</TT>, the values of these attributes are allowed to be DNs with regular expression characters in them. This means a source rule like</P>
 <PRE>
@@ -4985,76 +5708,76 @@
 </PRE>
 <P>would allow that authenticated user to authorize to any DN that matches the regular expression pattern given. This regular expression comparison can be evaluated much faster than an LDAP search for <TT>(uid=*)</TT>.</P>
 <P>Also note that the values in an authorization rule must be one of the two forms: an LDAP URL or a DN (with or without regular expression characters). Anything that does not begin with &quot;<TT>ldap://</TT>&quot; is taken as a DN. It is not permissible to enter another authorization identity of the form &quot;<TT>u:&lt;username&gt;</TT>&quot; as an authorization rule.</P>
-<H4><A NAME="Policy Configuration">13.3.3.2. Policy Configuration</A></H4>
+<H4><A NAME="Policy Configuration">14.3.3.2. Policy Configuration</A></H4>
 <P>The decision of which type of rules to use, <TT>authzFrom</TT> or <TT>authzTo</TT>, will depend on the site's situation. For example, if the set of people who may become a given identity can easily be written as a search filter, then a single destination rule could be written. If the set of people is not easily defined by a search filter, and the set of people is small, it may be better to write a source rule in the entries of each of those people who should be allowed to perform the proxy authorization.</P>
 <P>By default, processing of proxy authorization rules is disabled. The <TT>authz-policy</TT> directive must be set in the <EM>slapd.conf</EM>(5) file to enable authorization. This directive can be set to <TT>none</TT> for no rules (the default), <TT>to</TT> for source rules, <TT>from</TT> for destination rules, or <TT>both</TT> for both source and destination rules.</P>
 <P>Source rules are extremely powerful. If ordinary users have access to write the <TT>authzTo</TT> attribute in their own entries, then they can write rules that would allow them to authorize as anyone else.  As such, when using source rules, the <TT>authzTo</TT> attribute should be protected with an ACL that only allows privileged users to set its values.</P>
 <P></P>
 <HR>
-<H1><A NAME="Using TLS">14. Using TLS</A></H1>
+<H1><A NAME="Using TLS">15. Using TLS</A></H1>
 <P>OpenLDAP clients and servers are capable of using the <TERM>Transport Layer Security</TERM> (<TERM>TLS</TERM>) framework to provide integrity and confidentiality protections and to support LDAP authentication using the <TERM>SASL</TERM> <TERM>EXTERNAL</TERM> mechanism. TLS is defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4346.txt">RFC4346</A>.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>For generating certifcates, please reference <A HREF="http://www.openldap.org/faq/data/cache/185.html">http://www.openldap.org/faq/data/cache/185.html</A>
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="TLS Certificates">14.1. TLS Certificates</A></H2>
+<H2><A NAME="TLS Certificates">15.1. TLS Certificates</A></H2>
 <P>TLS uses <TERM>X.509</TERM> certificates to carry client and server identities.  All servers are required to have valid certificates, whereas client certificates are optional.  Clients must have a valid certificate in order to authenticate via SASL EXTERNAL. For more information on creating and managing certificates, see the <A HREF="http://www.openssl.org/">OpenSSL</A> documentation.</P>
-<H3><A NAME="Server Certificates">14.1.1. Server Certificates</A></H3>
+<H3><A NAME="Server Certificates">15.1.1. Server Certificates</A></H3>
 <P>The <TERM>DN</TERM> of a server certificate must use the <TT>CN</TT> attribute to name the server, and the <TT>CN</TT> must carry the server's fully qualified domain name. Additional alias names and wildcards may be present in the <TT>subjectAltName</TT> certificate extension.  More details on server certificate names are in <A HREF="http://www.rfc-editor.org/rfc/rfc4513.txt">RFC4513</A>.</P>
-<H3><A NAME="Client Certificates">14.1.2. Client Certificates</A></H3>
+<H3><A NAME="Client Certificates">15.1.2. Client Certificates</A></H3>
 <P>The DN of a client certificate can be used directly as an authentication DN. Since X.509 is a part of the <TERM>X.500</TERM> standard and LDAP is also based on X.500, both use the same DN formats and generally the DN in a user's X.509 certificate should be identical to the DN of their LDAP entry. However, sometimes the DNs may not be exactly the same, and so the mapping facility described in <A HREF="#Mapping Authentication Identities">Mapping Authentication Identities</A> can be applied to these DNs as well.</P>
-<H2><A NAME="TLS Configuration">14.2. TLS Configuration</A></H2>
+<H2><A NAME="TLS Configuration">15.2. TLS Configuration</A></H2>
 <P>After obtaining the required certificates, a number of options must be configured on both the client and the server to enable TLS and make use of the certificates.  At a minimum, the clients must be configured with the name of the file containing all of the <TERM>Certificate Authority</TERM> (CA) certificates it will trust. The server must be configured with the <TERM>CA</TERM> certificates and also its own server certificate and private key.</P>
 <P>Typically a single CA will have issued the server certificate and all of the trusted client certificates, so the server only needs to trust that one signing CA. However, a client may wish to connect to a variety of secure servers managed by different organizations, with server certificates generated by many different CAs. As such, a client is likely to need a list of many different trusted CAs in its configuration.</P>
-<H3><A NAME="Server Configuration">14.2.1. Server Configuration</A></H3>
+<H3><A NAME="Server Configuration">15.2.1. Server Configuration</A></H3>
 <P>The configuration directives for slapd belong in the global directives section of <EM>slapd.conf</EM>(5).</P>
-<H4><A NAME="TLSCACertificateFile &lt;filename&gt;">14.2.1.1. TLSCACertificateFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCACertificateFile &lt;filename&gt;">15.2.1.1. TLSCACertificateFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the <TERM>PEM</TERM>-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.</P>
-<H4><A NAME="TLSCACertificatePath &lt;path&gt;">14.2.1.2. TLSCACertificatePath &lt;path&gt;</A></H4>
+<H4><A NAME="TLSCACertificatePath &lt;path&gt;">15.2.1.2. TLSCACertificatePath &lt;path&gt;</A></H4>
 <P>This directive specifies the path of a directory that contains individual <TERM>CA</TERM> certificates in separate files.  In addition, this directory must be specially managed using the OpenSSL <EM>c_rehash</EM> utility. When using this feature, the OpenSSL library will attempt to locate certificate files based on a hash of their name and serial number. The <EM>c_rehash</EM> utility is used to generate symbolic links with the hashed names that point to the actual certificate files. As such, this option can only be used with a filesystem that actually supports symbolic links. In general, it is simpler to use the <TT>TLSCACertificateFile</TT> directive instead.</P>
-<H4><A NAME="TLSCertificateFile &lt;filename&gt;">14.2.1.3. TLSCertificateFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCertificateFile &lt;filename&gt;">15.2.1.3. TLSCertificateFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the slapd server certificate. Certificates are generally public information and require no special protection.</P>
-<H4><A NAME="TLSCertificateKeyFile &lt;filename&gt;">14.2.1.4. TLSCertificateKeyFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSCertificateKeyFile &lt;filename&gt;">15.2.1.4. TLSCertificateKeyFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the private key that matches the certificate stored in the <TT>TLSCertificateFile</TT> file. Private keys themselves are sensitive data and are usually password encrypted for protection. However, the current implementation doesn't support encrypted keys so the key must not be encrypted and the file itself must be protected carefully.</P>
-<H4><A NAME="TLSCipherSuite &lt;cipher-suite-spec&gt;">14.2.1.5. TLSCipherSuite &lt;cipher-suite-spec&gt;</A></H4>
+<H4><A NAME="TLSCipherSuite &lt;cipher-suite-spec&gt;">15.2.1.5. TLSCipherSuite &lt;cipher-suite-spec&gt;</A></H4>
 <P>This directive configures what ciphers will be accepted and the preference order. <TT>&lt;cipher-suite-spec&gt;</TT> should be a cipher specification for OpenSSL. You can use the command</P>
 <PRE>
         openssl ciphers -v ALL
 </PRE>
 <P>to obtain a verbose list of available cipher specifications. Besides the individual cipher names, the specifiers <TT>HIGH</TT>, <TT>MEDIUM</TT>, <TT>LOW</TT>, <TT>EXPORT</TT>, and <TT>EXPORT40</TT> may be helpful, along with <TT>TLSv1</TT>, <TT>SSLv3</TT>, and <TT>SSLv2</TT>.</P>
-<H4><A NAME="TLSRandFile &lt;filename&gt;">14.2.1.6. TLSRandFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSRandFile &lt;filename&gt;">15.2.1.6. TLSRandFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file to obtain random bits from when <TT>/dev/urandom</TT> is not available. If the system provides <TT>/dev/urandom</TT> then this option is not needed, otherwise a source of random data must be configured.  Some systems (e.g. Linux) provide <TT>/dev/urandom</TT> by default, while others (e.g. Solaris) require the installation of a patch to provide it, and others may not support it at all. In the latter case, EGD or PRNGD should be installed, and this directive should specify the name of the EGD/PRNGD socket. The environment variable <TT>RANDFILE</TT> can also be used to specify the filename. Also, in the absence of these options, the <TT>.rnd</TT> file in the slapd user's home directory may be used if it exists. To use the <TT>.rnd</TT> file, just create the file and copy a few hundred bytes of arbitrary data into the file. The file is only used to provide a seed for the pseudo-random number generator, and it doesn't need very much data to work.</P>
-<H4><A NAME="TLSEphemeralDHParamFile &lt;filename&gt;">14.2.1.7. TLSEphemeralDHParamFile &lt;filename&gt;</A></H4>
+<H4><A NAME="TLSEphemeralDHParamFile &lt;filename&gt;">15.2.1.7. TLSEphemeralDHParamFile &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange.  This is required in order to use a DSA certificate on the server side (i.e. <TT>TLSCertificateKeyFile</TT> points to a DSA key).  Multiple sets of parameters can be included in the file; all of them will be processed.  Parameters can be generated using the following command</P>
 <PRE>
         openssl dhparam [-dsaparam] -out &lt;filename&gt; &lt;numbits&gt;
 </PRE>
-<H4><A NAME="TLSVerifyClient { never | allow | try | demand }">14.2.1.8. TLSVerifyClient { never | allow | try | demand }</A></H4>
+<H4><A NAME="TLSVerifyClient { never | allow | try | demand }">15.2.1.8. TLSVerifyClient { never | allow | try | demand }</A></H4>
 <P>This directive specifies what checks to perform on client certificates in an incoming TLS session, if any. This option is set to <TT>never</TT> by default, in which case the server never asks the client for a certificate. With a setting of <TT>allow</TT> the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of <TT>try</TT> the certificate is requested, and if none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of <TT>demand</TT> the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>The server must request a client certificate in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default <TT>TLSVerifyClient</TT> setting must be configured before SASL EXTERNAL authentication may be attempted, and the SASL EXTERNAL mechanism will only be offered to the client if a valid client certificate was received.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Client Configuration">14.2.2. Client Configuration</A></H3>
+<H3><A NAME="Client Configuration">15.2.2. Client Configuration</A></H3>
 <P>Most of the client configuration directives parallel the server directives. The names of the directives are different, and they go into <EM>ldap.conf</EM>(5) instead of <EM>slapd.conf</EM>(5), but their functionality is mostly the same. Also, while most of these options may be configured on a system-wide basis, they may all be overridden by individual users in their <EM>.ldaprc</EM> files.</P>
 <P>The LDAP Start TLS operation is used in LDAP to initiate TLS negotiation.  All OpenLDAP command line tools support a <TT>-Z</TT> and <TT>-ZZ</TT> flag to indicate whether a Start TLS operation is to be issued.  The latter flag indicates that the tool is to cease processing if TLS cannot be started while the former allows the command to continue.</P>
 <P>In LDAPv2 environments, TLS is normally started using the LDAP Secure URI scheme (<TT>ldaps://</TT>) instead of the normal LDAP URI scheme (<TT>ldap://</TT>).  OpenLDAP command line tools allow either scheme to used with the <TT>-H</TT> flag and with the <TT>URI</TT> <EM>ldap.conf</EM>(5) option.</P>
-<H4><A NAME="TLS_CACERT &lt;filename&gt;">14.2.2.1. TLS_CACERT &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_CACERT &lt;filename&gt;">15.2.2.1. TLS_CACERT &lt;filename&gt;</A></H4>
 <P>This is equivalent to the server's <TT>TLSCACertificateFile</TT> option. As noted in the <A HREF="#TLS Configuration">TLS Configuration</A> section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.</P>
-<H4><A NAME="TLS_CACERTDIR &lt;path&gt;">14.2.2.2. TLS_CACERTDIR &lt;path&gt;</A></H4>
+<H4><A NAME="TLS_CACERTDIR &lt;path&gt;">15.2.2.2. TLS_CACERTDIR &lt;path&gt;</A></H4>
 <P>This is equivalent to the server's <TT>TLSCACertificatePath</TT> option. The specified directory must be managed with the OpenSSL <EM>c_rehash</EM> utility as well.</P>
-<H4><A NAME="TLS_CERT &lt;filename&gt;">14.2.2.3. TLS_CERT &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_CERT &lt;filename&gt;">15.2.2.3. TLS_CERT &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the client certificate. This is a user-only directive and can only be specified in a user's <EM>.ldaprc</EM> file.</P>
-<H4><A NAME="TLS_KEY &lt;filename&gt;">14.2.2.4. TLS_KEY &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_KEY &lt;filename&gt;">15.2.2.4. TLS_KEY &lt;filename&gt;</A></H4>
 <P>This directive specifies the file that contains the private key that matches the certificate stored in the <TT>TLS_CERT</TT> file. The same constraints mentioned for <TT>TLSCertificateKeyFile</TT> apply here. This is also a user-only directive.</P>
-<H4><A NAME="TLS_RANDFILE &lt;filename&gt;">14.2.2.5. TLS_RANDFILE &lt;filename&gt;</A></H4>
+<H4><A NAME="TLS_RANDFILE &lt;filename&gt;">15.2.2.5. TLS_RANDFILE &lt;filename&gt;</A></H4>
 <P>This directive is the same as the server's <TT>TLSRandFile</TT> option.</P>
-<H4><A NAME="TLS_REQCERT { never | allow | try | demand }">14.2.2.6. TLS_REQCERT { never | allow | try | demand }</A></H4>
+<H4><A NAME="TLS_REQCERT { never | allow | try | demand }">15.2.2.6. TLS_REQCERT { never | allow | try | demand }</A></H4>
 <P>This directive is equivalent to the server's <TT>TLSVerifyClient</TT> option. However, for clients the default value is <TT>demand</TT> and there generally is no good reason to change this setting.</P>
 <P></P>
 <HR>
-<H1><A NAME="Constructing a Distributed Directory Service">15. Constructing a Distributed Directory Service</A></H1>
+<H1><A NAME="Constructing a Distributed Directory Service">16. Constructing a Distributed Directory Service</A></H1>
 <P>For many sites, running one or more <EM>slapd</EM>(8) that hold an entire subtree of data is sufficient. But often it is desirable to have one <EM>slapd</EM> refer to other directory services for a certain part of the tree (which may or may not be running <EM>slapd</EM>).</P>
 <P><EM>slapd</EM> supports <EM>subordinate</EM> and <EM>superior</EM> knowledge information. Subordinate knowledge information is held in <TT>referral</TT> objects (<A HREF="http://www.rfc-editor.org/rfc/rfc3296.txt">RFC3296</A>).</P>
-<H2><A NAME="Subordinate Knowledge Information">15.1. Subordinate Knowledge Information</A></H2>
+<H2><A NAME="Subordinate Knowledge Information">16.1. Subordinate Knowledge Information</A></H2>
 <P>Subordinate knowledge information may be provided to delegate a subtree. Subordinate knowledge information is maintained in the directory as a special <EM>referral</EM> object at the delegate point. The referral object acts as a delegation point, gluing two services together. This mechanism allows for hierarchical directory services to be constructed.</P>
 <P>A referral object has a structural object class of <TT>referral</TT> and has the same <TERM>Distinguished Name</TERM> as the delegated subtree.  Generally, the referral object will also provide the auxiliary object class <TT>extensibleObject</TT>. This allows the entry to contain appropriate <TERM>Relative Distinguished Name</TERM> values.  This is best demonstrated by example.</P>
 <P>If the server <TT>a.example.net</TT> holds <TT>dc=example,dc=net</TT> and wished to delegate the subtree <TT>ou=subtree,dc=example,dc=net</TT> to another server <TT>b.example.net</TT>, the following named referral object would be added to <TT>a.example.net</TT>:</P>
@@ -5067,7 +5790,7 @@
 </PRE>
 <P>The server uses this information to generate referrals and search continuations to subordinate servers.</P>
 <P>For those familiar with <TERM>X.500</TERM>, a <EM>named referral</EM> object is similar to an X.500 knowledge reference held in a <EM>subr</EM> <TERM>DSE</TERM>.</P>
-<H2><A NAME="Superior Knowledge Information">15.2. Superior Knowledge Information</A></H2>
+<H2><A NAME="Superior Knowledge Information">16.2. Superior Knowledge Information</A></H2>
 <P>Superior knowledge information may be specified using the <TT>referral</TT> directive.  The value is a list of <TERM>URI</TERM>s referring to superior directory services.  For servers without immediate superiors, such as for <TT>a.example.net</TT> in the example above, the server can be configured to use a directory service with <EM>global knowledge</EM>, such as the <EM>OpenLDAP Root Service</EM> (<A HREF="http://www.openldap.org/faq/index.cgi?file=393">http://www.openldap.org/faq/index.cgi?file=393</A>).</P>
 <PRE>
         referral        ldap://root.openldap.org/
@@ -5078,7 +5801,7 @@
 </PRE>
 <P>The server uses this information to generate referrals for operations acting upon entries not within or subordinate to any of the naming contexts held by the server.</P>
 <P>For those familiar with <TERM>X.500</TERM>, this use of the <TT>ref</TT> attribute is similar to an X.500 knowledge reference held in a <EM>Supr</EM> <TERM>DSE</TERM>.</P>
-<H2><A NAME="The ManageDsaIT Control">15.3. The ManageDsaIT Control</A></H2>
+<H2><A NAME="The ManageDsaIT Control">16.3. The ManageDsaIT Control</A></H2>
 <P>Adding, modifying, and deleting referral objects is generally done using <EM>ldapmodify</EM>(1) or similar tools which support the ManageDsaIT control.  The ManageDsaIT control informs the server that you intend to manage the referral object as a regular entry.  This keeps the server from sending a referral result for requests which interrogate or update referral objects.</P>
 <P>The ManageDsaIT control should not be specified when managing regular entries.</P>
 <P>The <TT>-M</TT> option of <EM>ldapmodify</EM>(1) (and other tools) enables ManageDsaIT.  For example:</P>
@@ -5097,12 +5820,11 @@
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P></P>
 <HR>
-<H1><A NAME="Replication">16. Replication</A></H1>
+<H1><A NAME="Replication">17. Replication</A></H1>
 <P>Replicated directories are a fundamental requirement for delivering a resilient enterprise deployment.</P>
 <P><A HREF="http://www.openldap.org/">OpenLDAP</A> has various configuration options for creating a replicated directory. The following sections will discuss these.</P>
-<H2><A NAME="Replication Strategies">16.1. Replication Strategies</A></H2>
-<H3><A NAME="Push Based">16.1.1. Push Based</A></H3>
-<H5><A NAME="Replacing Slurpd">16.1.1..1. Replacing Slurpd</A></H5>
+<H2><A NAME="Push Based">17.1. Push Based</A></H2>
+<H3><A NAME="Replacing Slurpd">17.1.1. Replacing Slurpd</A></H3>
 <P><EM>Slurpd</EM> replication has been deprecated in favor of Syncrepl replication and has been completely removed from OpenLDAP 2.4.</P>
 <P><EM>Why was it replaced?</EM></P>
 <P>The <EM>slurpd</EM> daemon was the original replication mechanism inherited from UMich's LDAP and operates in push mode: the master pushes changes to the slaves. It has been replaced for many reasons, in brief:</P>
@@ -5186,39 +5908,15 @@
 <P>DETAILED EXPLANATION OF ABOVE LIKE IN OTHER SECTIONS (line numbers?)</P>
 <P>ANOTHER DIAGRAM HERE</P>
 <P>As you can see, you can let your imagination go wild using Syncrepl and <EM>slapd-ldap(8)</EM> tailoring your replication to fit your specific network topology.</P>
-<H3><A NAME="Pull Based">16.1.2. Pull Based</A></H3>
-<H4><A NAME="syncrepl replication">16.1.2.1. syncrepl replication</A></H4>
-<H4><A NAME="delta-syncrepl replication">16.1.2.2. delta-syncrepl replication</A></H4>
-<H2><A NAME="Replication Types">16.2. Replication Types</A></H2>
-<H3><A NAME="syncrepl replication">16.2.1. syncrepl replication</A></H3>
-<H3><A NAME="delta-syncrepl replication">16.2.2. delta-syncrepl replication</A></H3>
-<H3><A NAME="N-Way Multi-Master replication">16.2.3. N-Way Multi-Master replication</A></H3>
-<P>Multi-Master replication is a replication technique using Syncrepl to replicate data to multiple Master Directory servers.</P>
-<UL>
-<LI>Advantages of Multi-Master replication:<UL>
-<LI>If any master fails, other masters will continue to accept updates
-<LI>Avoids a single point of failure
-<LI>Masters can be located in several physical sites i.e. distributed across the network/globe.
-<LI>Good for Automatic failover/High Availability</UL>
-<LI>Disadvantages of Multi-Master replication:<UL>
-<LI>It has <B>NOTHING</B> to do with load balancing
-<LI><A HREF="http://www.openldap.org/faq/data/cache/1240.html">http://www.openldap.org/faq/data/cache/1240.html</A>
-<LI>If connectivity with a master is lost because of a network partition, then &quot;automatic failover&quot; can just compound the problem
-<LI>Typically, a particular machine cannot distinguish between losing contact with a peer because that peer crashed, or because the network link has failed
-<LI>If a network is partitioned and multiple clients start writing to each of the &quot;masters&quot; then reconciliation will be a pain; it may be best to simply deny writes to the clients that are partitioned from the single master
-<LI>Masters <B>must</B> propagate writes to <B>all</B> the other servers, which means the network traffic and write load is constant and spreads across all of the servers</UL></UL>
-<P>This is discussed in full in the <A HREF="#N-Way Multi-Master">N-Way Multi-Master</A> section below</P>
-<H3><A NAME="MirrorMode replication">16.2.4. MirrorMode replication</A></H3>
-<P>MirrorMode is a hybrid configuration that provides all of the consistency guarantees of single-master replication, while also providing the high availability of multi-master. In MirrorMode two masters are set up to replicate from each other (as a multi-master configuration) but an external frontend is employed to direct all writes to only one of the two servers. The second master will only be used for writes if the first master crashes, at which point the frontend will switch to directing all writes to the second master. When a crashed master is repaired and restarted it will automatically catch up to any changes on the running master and resync.</P>
-<P>This is discussed in full in the <A HREF="#MirrorMode">MirrorMode</A> section below</P>
-<H2><A NAME="LDAP Sync Replication">16.3. LDAP Sync Replication</A></H2>
+<H2><A NAME="Pull Based">17.2. Pull Based</A></H2>
+<H3><A NAME="LDAP Sync Replication">17.2.1. LDAP Sync Replication</A></H3>
 <P>The <TERM>LDAP Sync</TERM> Replication engine, <TERM>syncrepl</TERM> for short, is a consumer-side replication engine that enables the consumer <TERM>LDAP</TERM> server to maintain a shadow copy of a <TERM>DIT</TERM> fragment. A syncrepl engine resides at the consumer-side as one of the <EM>slapd</EM>(8) threads. It creates and maintains a consumer replica by connecting to the replication provider to perform the initial DIT content load followed either by periodic content polling or by timely updates upon content changes.</P>
 <P>Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for short) protocol as the replica synchronization protocol.  It provides a stateful replication which supports both pull-based and push-based synchronization and does not mandate the use of a history store.</P>
 <P>Syncrepl keeps track of the status of the replication content by maintaining and exchanging synchronization cookies. Because the syncrepl consumer and provider maintain their content status, the consumer can poll the provider content to perform incremental synchronization by asking for the entries required to make the consumer replica up-to-date with the provider content. Syncrepl also enables convenient management of replicas by maintaining replica status.  The consumer replica can be constructed from a consumer-side or a provider-side backup at any synchronization status. Syncrepl can automatically resynchronize the consumer replica up-to-date with the current provider content.</P>
 <P>Syncrepl supports both pull-based and push-based synchronization. In its basic refreshOnly synchronization mode, the provider uses pull-based synchronization where the consumer servers need not be tracked and no history information is maintained.  The information required for the provider to process periodic polling requests is contained in the synchronization cookie of the request itself.  To optimize the pull-based synchronization, syncrepl utilizes the present phase of the LDAP Sync protocol as well as its delete phase, instead of falling back on frequent full reloads. To further optimize the pull-based synchronization, the provider can maintain a per-scope session log as a history store. In its refreshAndPersist mode of synchronization, the provider uses a push-based synchronization. The provider keeps track of the consumer servers that have requested a persistent search and sends them necessary updates as the provider replication content gets modified.</P>
 <P>With syncrepl, a consumer server can create a replica without changing the provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart.</P>
 <P>Syncrepl supports both partial and sparse replications.  The shadow DIT fragment is defined by a general search criteria consisting of base, scope, filter, and attribute list.  The replica content is also subject to the access privileges of the bind identity of the syncrepl replication connection.</P>
-<H3><A NAME="The LDAP Content Synchronization Protocol">16.3.1. The LDAP Content Synchronization Protocol</A></H3>
+<H4><A NAME="The LDAP Content Synchronization Protocol">17.2.1.1. The LDAP Content Synchronization Protocol</A></H4>
 <P>The LDAP Sync protocol allows a client to maintain a synchronized copy of a DIT fragment. The LDAP Sync operation is defined as a set of controls and other protocol elements which extend the LDAP search operation. This section introduces the LDAP Content Sync protocol only briefly.  For more information, refer to <A HREF="http://www.rfc-editor.org/rfc/rfc4533.txt">RFC4533</A>.</P>
 <P>The LDAP Sync protocol supports both polling and listening for changes by defining two respective synchronization operations: <EM>refreshOnly</EM> and <EM>refreshAndPersist</EM>.  Polling is implemented by the <EM>refreshOnly</EM> operation.  The client copy is synchronized to the server copy at the time of polling.  The server finishes the search operation by returning <EM>SearchResultDone</EM> at the end of the search operation as in the normal search.  The listening is implemented by the <EM>refreshAndPersist</EM> operation.  Instead of finishing the search after returning all entries currently matching the search criteria, the synchronization search remains persistent in the server. Subsequent updates to the synchronization content in the server cause additional entry updates to be sent to the client.</P>
 <P>The <EM>refreshOnly</EM> operation and the refresh stage of the <EM>refreshAndPersist</EM> operation can be performed with a present phase or a delete phase.</P>
@@ -5228,7 +5926,7 @@
 <P>At the end of the <EM>refreshOnly</EM> synchronization, the server sends a synchronization cookie to the client as a state indicator of the client copy after the synchronization is completed.  The client will present the received cookie when it requests the next incremental synchronization to the server.</P>
 <P>When <EM>refreshAndPersist</EM> synchronization is used, the server sends a synchronization cookie at the end of the refresh stage by sending a Sync Info message with TRUE refreshDone.  It also sends a synchronization cookie by attaching it to <EM>SearchResultEntry</EM> generated in the persist stage of the synchronization search. During the persist stage, the server can also send a Sync Info message containing the synchronization cookie at any time the server wants to update the client-side state indicator.  The server also updates a synchronization indicator of the client at the end of the persist stage.</P>
 <P>In the LDAP Sync protocol, entries are uniquely identified by the <TT>entryUUID</TT> attribute value. It can function as a reliable identifier of the entry. The DN of the entry, on the other hand, can be changed over time and hence cannot be considered as the reliable identifier.  The <TT>entryUUID</TT> is attached to each <EM>SearchResultEntry</EM> or <EM>SearchResultReference</EM> as a part of the synchronization control.</P>
-<H3><A NAME="Syncrepl Details">16.3.2. Syncrepl Details</A></H3>
+<H4><A NAME="Syncrepl Details">17.2.1.2. Syncrepl Details</A></H4>
 <P>The syncrepl engine utilizes both the <EM>refreshOnly</EM> and the <EM>refreshAndPersist</EM> operations of the LDAP Sync protocol.  If a syncrepl specification is included in a database definition, <EM>slapd</EM>(8) launches a syncrepl engine as a <EM>slapd</EM>(8) thread and schedules its execution. If the <EM>refreshOnly</EM> operation is specified, the syncrepl engine will be rescheduled at the interval time after a synchronization operation is completed.  If the <EM>refreshAndPersist</EM> operation is specified, the engine will remain active and process the persistent synchronization messages from the provider.</P>
 <P>The syncrepl engine utilizes both the present phase and the delete phase of the refresh synchronization. It is possible to configure a per-scope session log in the provider server which stores the <TT>entryUUID</TT>s of a finite number of entries deleted from a replication content.  Multiple replicas of single provider content share the same per-scope session log. The syncrepl engine uses the delete phase if the session log is present and the state of the consumer server is recent enough that no session log entries are truncated after the last synchronization of the client.  The syncrepl engine uses the present phase if no session log is configured for the replication content or if the consumer replica is too outdated to be covered by the session log.  The current design of the session log store is memory based, so the information contained in the session log is not persistent over multiple provider invocations. It is not currently supported to access the session log store by using LDAP operations. It is also not currently supported to impose access control to the session log.</P>
 <P>As a further optimization, even in the case the synchronization search is not associated with any session log, no entries will be transmitted to the consumer server when there has been no update in the replication context.</P>
@@ -5240,11 +5938,61 @@
 <P>The consumer also stores its replica state, which is the provider's <TT>contextCSN</TT> received as a synchronization cookie, in the <TT>contextCSN</TT> attribute of the suffix entry.  The replica state maintained by a consumer server is used as the synchronization state indicator when it performs subsequent incremental synchronization with the provider server. It is also used as a provider-side synchronization state indicator when it functions as a secondary provider server in a cascading replication configuration.  Since the consumer and provider state information are maintained in the same location within their respective databases, any consumer can be promoted to a provider (and vice versa) without any special actions.</P>
 <P>Because a general search filter can be used in the syncrepl specification, some entries in the context may be omitted from the synchronization content.  The syncrepl engine creates a glue entry to fill in the holes in the replica context if any part of the replica content is subordinate to the holes. The glue entries will not be returned in the search result unless <EM>ManageDsaIT</EM> control is provided.</P>
 <P>Also as a consequence of the search filter used in the syncrepl specification, it is possible for a modification to remove an entry from the replication scope even though the entry has not been deleted on the provider. Logically the entry must be deleted on the consumer but in <EM>refreshOnly</EM> mode the provider cannot detect and propagate this change without the use of the session log.</P>
-<H3><A NAME="Configuring Syncrepl">16.3.3. Configuring Syncrepl</A></H3>
+<P>For configuration, please see the <A HREF="#Syncrepl">Syncrepl</A> section.</P>
+<H3><A NAME="Delta-syncrepl replication">17.2.2. Delta-syncrepl replication</A></H3>
+<UL>
+<LI>Disadvantages of Syncrepl replication:</UL>
+<P>OpenLDAP's syncrepl replication is an object-based replication mechanism. When any attribute value in a replicated object is changed on the provider, each consumer fetches and processes the complete changed object {B:both changed and unchanged attribute values} during replication. This works well, but has drawbacks in some situations.</P>
+<P>For example, suppose you have a database consisting of 100,000 objects of 1 KB each. Further, suppose you routinely run a batch job to change the value of a single two-byte attribute value that appears in each of the 100,000 objects on the master. Not counting LDAP and TCP/IP protocol overhead, each time you run this job each consumer will transfer and process {B:1 GB} of data to process {B:200KB of changes! }</P>
+<P>99.98% of the data that is transmitted and processed in a case like this will be redundant, since it represents values that did not change. This is a waste of valuable transmission and processing bandwidth and can cause an unacceptable replication backlog to develop. While this situation is extreme, it serves to demonstrate a very real problem that is encountered in some LDAP deployments.</P>
+<UL>
+<LI>Where Delta-syncrepl comes in:</UL>
+<P>Delta-syncrepl, a changelog-based variant of syncrepl, is designed to address situations like the one described above. Delta-syncrepl works by maintaining a changelog of a selectable depth on the provider. The replication consumer on each consumer checks the changelog for the changes it needs and, as long as the changelog contains the needed changes, the delta-syncrepl consumer fetches them from the changelog and applies them to its database. If, however, a replica is too far out of sync (or completely empty), conventional syncrepl is used to bring it up to date and replication then switches to the delta-syncrepl mode.</P>
+<P>For configuration, please see the <A HREF="#Delta-syncrepl">Delta-syncrepl</A> section.</P>
+<H2><A NAME="Mixture of both Pull and Push based">17.3. Mixture of both Pull and Push based</A></H2>
+<H3><A NAME="N-Way Multi-Master replication">17.3.1. N-Way Multi-Master replication</A></H3>
+<P>Multi-Master replication is a replication technique using Syncrepl to replicate data to multiple Master Directory servers.</P>
+<UL>
+<LI>Advantages of Multi-Master replication:<UL>
+<LI>If any master fails, other masters will continue to accept updates
+<LI>Avoids a single point of failure
+<LI>Masters can be located in several physical sites i.e. distributed across the network/globe.
+<LI>Good for Automatic failover/High Availability</UL>
+<LI>Disadvantages of Multi-Master replication:<UL>
+<LI>It has <B>NOTHING</B> to do with load balancing
+<LI><A HREF="http://www.openldap.org/faq/data/cache/1240.html">http://www.openldap.org/faq/data/cache/1240.html</A>
+<LI>If connectivity with a master is lost because of a network partition, then &quot;automatic failover&quot; can just compound the problem
+<LI>Typically, a particular machine cannot distinguish between losing contact with a peer because that peer crashed, or because the network link has failed
+<LI>If a network is partitioned and multiple clients start writing to each of the &quot;masters&quot; then reconciliation will be a pain; it may be best to simply deny writes to the clients that are partitioned from the single master
+<LI>Masters <B>must</B> propagate writes to <B>all</B> the other servers, which means the network traffic and write load is constant and spreads across all of the servers</UL></UL>
+<P>For configuration, please see the <A HREF="#N-Way Multi-Master">N-Way Multi-Master</A> section below</P>
+<H3><A NAME="MirrorMode replication">17.3.2. MirrorMode replication</A></H3>
+<P>MirrorMode is a hybrid configuration that provides all of the consistency guarantees of single-master replication, while also providing the high availability of multi-master. In MirrorMode two masters are set up to replicate from each other (as a multi-master configuration) but an external frontend is employed to direct all writes to only one of the two servers. The second master will only be used for writes if the first master crashes, at which point the frontend will switch to directing all writes to the second master. When a crashed master is repaired and restarted it will automatically catch up to any changes on the running master and resync.</P>
+<H4><A NAME="Arguments for MirrorMode">17.3.2.1. Arguments for MirrorMode</A></H4>
+<UL>
+<LI>Provides a high-availability (HA) solution for directory writes (replicas handle reads)
+<LI>As long as one Master is operational, writes can safely be accepted
+<LI>Master nodes replicate from each other, so they are always up to date and can be ready to take over (hot standby)
+<LI>Syncrepl also allows the master nodes to re-synchronize after any downtime
+<LI>Delta-Syncrepl can be used</UL>
+<H4><A NAME="Arguments against MirrorMode">17.3.2.2. Arguments against MirrorMode</A></H4>
+<UL>
+<LI>MirrorMode is not what is termed as a Multi-Master solution. This is because writes have to go to one of the mirror nodes at a time
+<LI>MirrorMode can be termed as Active-Active Hot-Standby, therefor an external server (slapd in proxy mode) or device (hardware load balancer) to manage which master is currently active
+<LI>While syncrepl can recover from a completely empty database, slapadd is much faster
+<LI>Does not provide faster or more scalable write performance (neither could any Multi-Master solution)
+<LI>Backups are managed slightly differently<UL>
+<LI>If backing up the Berkeley database itself and periodically backing up the transaction log files, then the same member of the mirror pair needs to be used to collect logfiles until the next database backup is taken
+<LI>To ensure that both databases are consistent, each database might have to be put in read-only mode while performing a slapcat.
+<LI>When using slapcat, the generated LDIF files can be rather large. This can happen with a non-MirrorMode deployment also.</UL></UL>
+<P>For configuration, please see the <A HREF="#MirrorMode">MirrorMode</A> section below</P>
+<H2><A NAME="Configuring the different replication types">17.4. Configuring the different replication types</A></H2>
+<H3><A NAME="Syncrepl">17.4.1. Syncrepl</A></H3>
+<H4><A NAME="Syncrepl configuration">17.4.1.1. Syncrepl configuration</A></H4>
 <P>Because syncrepl is a consumer-side replication engine, the syncrepl specification is defined in <EM>slapd.conf</EM>(5) of the consumer server, not in the provider server's configuration file.  The initial loading of the replica content can be performed either by starting the syncrepl engine with no synchronization cookie or by populating the consumer replica by adding an <TERM>LDIF</TERM> file dumped as a backup at the provider.</P>
 <P>When loading from a backup, it is not required to perform the initial loading from the up-to-date backup of the provider content. The syncrepl engine will automatically synchronize the initial consumer replica to the current provider content. As a result, it is not required to stop the provider server in order to avoid the replica inconsistency caused by the updates to the provider content during the content backup and loading process.</P>
 <P>When replicating a large scale directory, especially in a bandwidth constrained environment, it is advised to load the consumer replica from a backup instead of performing a full initial load using syncrepl.</P>
-<H4><A NAME="Set up the provider slapd">16.3.3.1. Set up the provider slapd</A></H4>
+<H4><A NAME="Set up the provider slapd">17.4.1.2. Set up the provider slapd</A></H4>
 <P>The provider is implemented as an overlay, so the overlay itself must first be configured in <EM>slapd.conf</EM>(5) before it can be used. The provider has only two configuration directives, for setting checkpoints on the <TT>contextCSN</TT> and for configuring the session log.  Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated content.</P>
 <P>The <TT>contextCSN</TT> checkpoint is configured by the</P>
 <PRE>
@@ -5269,7 +6017,7 @@
         syncprov-checkpoint 100 10
         syncprov-sessionlog 100
 </PRE>
-<H4><A NAME="Set up the consumer slapd">16.3.3.2. Set up the consumer slapd</A></H4>
+<H4><A NAME="Set up the consumer slapd">17.4.1.3. Set up the consumer slapd</A></H4>
 <P>The syncrepl replication is specified in the database section of <EM>slapd.conf</EM>(5) for the replica context.  The syncrepl engine is backend independent and the directive can be defined with any database type.</P>
 <PRE>
         database hdb
@@ -5294,46 +6042,234 @@
 <P>In this example, the consumer will connect to the provider <EM>slapd</EM>(8) at port 389 of <A HREF="ldap://provider.example.com">ldap://provider.example.com</A> to perform a polling (<EM>refreshOnly</EM>) mode of synchronization once a day.  It will bind as <TT>cn=syncuser,dc=example,dc=com</TT> using simple authentication with password &quot;secret&quot;.  Note that the access control privilege of <TT>cn=syncuser,dc=example,dc=com</TT> should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content.  The consumer uses the rootdn to write to its database so it always has full permissions to write all content.</P>
 <P>The synchronization search in the above example will search for the entries whose objectClass is organizationalPerson in the entire subtree rooted at <TT>dc=example,dc=com</TT>. The requested attributes are <TT>cn</TT>, <TT>sn</TT>, <TT>ou</TT>, <TT>telephoneNumber</TT>, <TT>title</TT>, and <TT>l</TT>. The schema checking is turned off, so that the consumer <EM>slapd</EM>(8) will not enforce entry schema checking when it process updates from the provider <EM>slapd</EM>(8).</P>
 <P>For more detailed information on the syncrepl directive, see the <A HREF="#syncrepl">syncrepl</A> section of <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapter of this admin guide.</P>
-<H4><A NAME="Start the provider and the consumer slapd">16.3.3.3. Start the provider and the consumer slapd</A></H4>
+<H4><A NAME="Start the provider and the consumer slapd">17.4.1.4. Start the provider and the consumer slapd</A></H4>
 <P>The provider <EM>slapd</EM>(8) is not required to be restarted. <EM>contextCSN</EM> is automatically generated as needed: it might be originally contained in the <TERM>LDIF</TERM> file, generated by <EM>slapadd</EM> (8), generated upon changes in the context, or generated when the first LDAP Sync search arrives at the provider.  If an LDIF file is being loaded which did not previously contain the <EM>contextCSN</EM>, the <EM>-w</EM> option should be used with <EM>slapadd</EM> (8) to cause it to be generated. This will allow the server to startup a little quicker the first time it runs.</P>
 <P>When starting a consumer <EM>slapd</EM>(8), it is possible to provide a synchronization cookie as the <EM>-c cookie</EM> command line option in order to start the synchronization from a specific state.  The cookie is a comma separated list of name=value pairs. Currently supported syncrepl cookie fields are <EM>csn=&lt;csn&gt;</EM> and <EM>rid=&lt;rid&gt;</EM>. <EM>&lt;csn&gt;</EM> represents the current synchronization state of the consumer replica.  <EM>&lt;rid&gt;</EM> identifies a consumer replica locally within the consumer server. It is used to relate the cookie to the syncrepl definition in <EM>slapd.conf</EM>(5) which has the matching replica identifier.  The <EM>&lt;rid&gt;</EM> must have no more than 3 decimal digits.  The command line cookie overrides the synchronization cookie stored in the consumer replica database.</P>
-<H2><A NAME="N-Way Multi-Master">16.4. N-Way Multi-Master</A></H2>
-<P>Import and expand from link:</P>
-<P><A HREF="http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended">http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended</A></P>
-<H2><A NAME="MirrorMode">16.5. MirrorMode</A></H2>
-<H3><A NAME="Arguments for MirrorMode">16.5.1. Arguments for MirrorMode</A></H3>
-<UL>
-<LI>Provides a high-availability (HA) solution for directory writes (replicas handle reads)
-<LI>As long as one Master is operational, writes can safely be accepted
-<LI>Master nodes replicate from each other, so they are always up to date and can be ready to take over (hot standby)
-<LI>Syncrepl also allows the master nodes to re-synchronize after any downtime
-<LI>Delta-Syncrepl can be used</UL>
-<H3><A NAME="Arguments against MirrorMode">16.5.2. Arguments against MirrorMode</A></H3>
-<UL>
-<LI>MirrorMode is not what is termed as a Multi-Master solution. This is because writes have to go to one of the mirror nodes at a time
-<LI>MirrorMode can be termed as Active-Active Hot-Standby, therefor an external server (slapd in proxy mode) or device (hardware load balancer) to manage which master is currently active
-<LI>While syncrepl can recover from a completely empty database, slapadd is much faster
-<LI>Does not provide faster or more scalable write performance (neither could any Multi-Master solution)
-<LI>Backups are managed slightly differently<UL>
-<LI>If backing up the Berkeley database itself and periodically backing up the transaction log files, then the same member of the mirror pair needs to be used to collect logfiles until the next database backup is taken
-<LI>To ensure that both databases are consistent, each database might have to be put in read-only mode while performing a slapcat.
-<LI>When using slapcat, the generated LDIF files can be rather large. This can happen with a non-MirrorMode deployment also.</UL></UL>
-<H3><A NAME="MirrorMode Configuration">16.5.3. MirrorMode Configuration</A></H3>
+<H3><A NAME="Delta-syncrepl">17.4.2. Delta-syncrepl</A></H3>
+<H4><A NAME="Delta-syncrepl Master configuration">17.4.2.1. Delta-syncrepl Master configuration</A></H4>
+<P>Setting up delta-syncrepl requires configuration changes on both the master and replica servers:</P>
+<PRE>
+     # Give the replica DN unlimited read access.  This ACL may need to be
+     # merged with other ACL statements.
+
+     access to *
+        by dn.base=&quot;cn=replicator,dc=symas,dc=com&quot; read
+        by * break
+
+     # Set the module path location
+     modulepath /opt/symas/lib/openldap
+
+     # Load the hdb backend
+     moduleload back_hdb.la
+
+     # Load the accesslog overlay
+     moduleload accesslog.la
+
+     #Load the syncprov overlay
+     moduleload syncprov.la
+
+     # Accesslog database definitions
+     database hdb
+     suffix cn=accesslog
+     directory /db/accesslog
+     rootdn cn=accesslog
+     index default eq
+     index entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+     overlay syncprov
+     syncprov-nopresent TRUE
+     syncprov-reloadhint TRUE
+
+     # Let the replica DN have limitless searches
+     limits dn.exact=&quot;cn=replicator,dc=symas,dc=com&quot; time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+
+     # Primary database definitions
+     database hdb
+     suffix &quot;dc=symas,dc=com&quot;
+     rootdn &quot;cn=manager,dc=symas,dc=com&quot;
+
+     ## Whatever other configuration options are desired
+
+     # syncprov specific indexing
+     index entryCSN eq
+     index entryUUID eq
+
+     # syncrepl Provider for primary db
+     overlay syncprov
+     syncprov-checkpoint 1000 60
+
+     # accesslog overlay definitions for primary db
+     overlay accesslog
+     logdb cn=accesslog
+     logops writes
+     logsuccess TRUE
+     # scan the accesslog DB every day, and purge entries older than 7 days
+     logpurge 07+00:00 01+00:00
+
+     # Let the replica DN have limitless searches
+     limits dn.exact=&quot;cn=replicator,dc=symas,dc=com&quot; time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+</PRE>
+<P>For more information, always consult the relevant man pages (slapo-accesslog and slapd.conf)</P>
+<H4><A NAME="Delta-syncrepl Replica configuration">17.4.2.2. Delta-syncrepl Replica configuration</A></H4>
+<PRE>
+     # Primary replica database configuration
+     database hdb
+     suffix &quot;dc=symas,dc=com&quot;
+     rootdn &quot;cn=manager,dc=symas,dc=com&quot;
+
+     ## Whatever other configuration bits for the replica, like indexing
+     ## that you want
+
+     # syncrepl specific indices
+     index entryUUID eq
+
+     # syncrepl directives
+     syncrepl  rid=0
+               provider=ldap://ldapmaster.symas.com:389
+               bindmethod=simple
+               binddn=&quot;cn=replicator,dc=symas,dc=com&quot;
+               credentials=secret
+               searchbase=&quot;dc=symas,dc=com&quot;
+               logbase=&quot;cn=accesslog&quot;
+               logfilter=&quot;(&amp;(objectClass=auditWriteObject)(reqResult=0))&quot;
+               schemachecking=on
+               type=refreshAndPersist
+               retry=&quot;60 +&quot;
+               syncdata=accesslog
+
+     # Refer updates to the master
+     updateref               ldap://ldapmaster.symas.com
+</PRE>
+<P>The above configuration assumes that you have a replicator identity defined in your database that can be used to bind to the master with. In addition, all of the databases (primary master, primary replica, and the accesslog storage database) should also have properly tuned <EM>DB_CONFIG</EM> files that meet your needs.</P>
+<H3><A NAME="N-Way Multi-Master">17.4.3. N-Way Multi-Master</A></H3>
+<P>For the following example we will be using 3 Master nodes. Keeping in line with <B>test050-syncrepl-multimaster</B> of the OpenLDAP test suite, we will be configuring <EM>slapd(8)</EM> via <B>cn=config</B></P>
+<P>This sets up the config database:</P>
+<PRE>
+     dn: cn=config
+     objectClass: olcGlobal
+     cn: config
+     olcServerID: 1
+
+     dn: olcDatabase={0}config,cn=config
+     objectClass: olcDatabaseConfig
+     olcDatabase: {0}config
+     olcRootPW: secret
+</PRE>
+<P>second and third servers will have a different olcServerID obviously:</P>
+<PRE>
+     dn: cn=config
+     objectClass: olcGlobal
+     cn: config
+     olcServerID: 2
+
+     dn: olcDatabase={0}config,cn=config
+     objectClass: olcDatabaseConfig
+     olcDatabase: {0}config
+     olcRootPW: secret
+</PRE>
+<P>This sets up syncrepl as a provider (since these are all masters):</P>
+<PRE>
+     dn: cn=module,cn=config
+     objectClass: olcModuleList
+     cn: module
+     olcModulePath: /usr/local/libexec/openldap
+     olcModuleLoad: syncprov.la
+</PRE>
+<P>Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):</P>
+<PRE>
+     dn: cn=config
+     changetype: modify
+     replace: olcServerID
+     olcServerID: 1 $URI1
+     olcServerID: 2 $URI2
+     olcServerID: 3 $URI3
+
+     dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+     changetype: add
+     objectClass: olcOverlayConfig
+     objectClass: olcSyncProvConfig
+     olcOverlay: syncprov
+
+     dn: olcDatabase={0}config,cn=config
+     changetype: modify
+     add: olcSyncRepl
+     olcSyncRepl: rid=001 provider=$URI1 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=002 provider=$URI2 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=003 provider=$URI3 binddn=&quot;cn=config&quot; bindmethod=simple
+       credentials=secret searchbase=&quot;cn=config&quot; type=refreshAndPersist
+       retry=&quot;5 5 300 5&quot; timeout=1
+     -
+     add: olcMirrorMode
+     olcMirrorMode: TRUE
+</PRE>
+<P>Now start up the Master and a consumer/s, also add the above LDIF to the first consumer, second consumer etc. It will then replicate <B>cn=config</B>. You now have N-Way Multimaster on the config database.</P>
+<P>We still have to replicate the actual data, not just the config, so add to the master (all active and configured consumers/masters will pull down this config, as they are all syncing). Also, replace all <EM>${</EM>} variables with whatever is applicable to your setup:</P>
+<PRE>
+     dn: olcDatabase={1}$BACKEND,cn=config
+     objectClass: olcDatabaseConfig
+     objectClass: olc${BACKEND}Config
+     olcDatabase: {1}$BACKEND
+     olcSuffix: $BASEDN
+     olcDbDirectory: ./db
+     olcRootDN: $MANAGERDN
+     olcRootPW: $PASSWD
+     olcSyncRepl: rid=004 provider=$URI1 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=005 provider=$URI2 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcSyncRepl: rid=006 provider=$URI3 binddn=&quot;$MANAGERDN&quot; bindmethod=simple
+       credentials=$PASSWD searchbase=&quot;$BASEDN&quot; type=refreshOnly
+       interval=00:00:00:10 retry=&quot;5 5 300 5&quot; timeout=1
+     olcMirrorMode: TRUE
+
+     dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
+     changetype: add
+     objectClass: olcOverlayConfig
+     objectClass: olcSyncProvConfig
+     olcOverlay: syncprov
+</PRE>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>You must have all your server set to the same time via <A HREF="http://www.ntp.org/">http://www.ntp.org/</A>
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="MirrorMode">17.4.4. MirrorMode</A></H3>
 <P>MirrorMode configuration is actually very easy. If you have ever setup a normal slapd syncrepl provider, then the only change is the following two directives:</P>
 <PRE>
        mirrormode  on
        serverID    1
 </PRE>
 <P><HR WIDTH="80%" ALIGN="Left">
-<STRONG>Note: </STRONG>You need to make sure that the <EM>serverID</EM> of each mirror node pair is different and that the <EM>provider</EM> syncrepl directive points to the opposite mirror node.
+<STRONG>Note: </STRONG>You need to make sure that the <EM>serverID</EM> of each mirror node pair is different and add it as a global configuration option.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H4><A NAME="Mirror Node Configuration">16.5.3.1. Mirror Node Configuration</A></H4>
-<P>This is the same as the <A HREF="#Set up the provider slapd">Set up the provider slapd</A> section, reference <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> if using <EM>delta-syncrepl</EM>.</P>
-<P>Here's a specific cut down example using <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> in <EM>refreshAndPersist</EM> mode (<EM>delta-syncrepl</EM> can be used also):</P>
+<H4><A NAME="Mirror Node Configuration">17.4.4.1. Mirror Node Configuration</A></H4>
+<P>This is the same as the <A HREF="#Set up the provider slapd">Set up the provider slapd</A> section.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Delta-syncrepl is not yet supported with MirrorMode.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>Here's a specific cut down example using <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> in <EM>refreshAndPersist</EM> mode:</P>
 <P>MirrorMode node 1:</P>
 <PRE>
+       # Global section
+       serverID    1
+       # database section
+
        # syncrepl directives
-       syncrepl      rid=1
+       syncrepl      rid=001
+                     provider=ldap://ldap-ridr1.example.com
+                     bindmethod=simple
+                     binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
+                     credentials=mirrormode
+                     searchbase=&quot;dc=example,dc=com&quot;
+                     schemachecking=on
+                     type=refreshAndPersist
+                     retry=&quot;60 +&quot;
+
+       syncrepl      rid=002
                      provider=ldap://ldap-rid2.example.com
                      bindmethod=simple
                      binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
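Review bot: The replication examples added in this hunk all authenticate with `bindmethod=simple` to plain `ldap://` providers, so the bind password crosses the network unprotected. In the N-Way Multi-Master example the bind identity is the `cn=config` rootdn itself and the replicated content is `cn=config`, which carries `olcRootPW: secret` in clear. The examples would be safer to copy with a short note after the `<PRE>` blocks, for instance `<P><STRONG>Note: </STRONG>Passwords are shown in clear for brevity; protect the replication bind with ldaps:// or starttls=critical and store a hashed olcRootPW generated with slappasswd(8).</P>`. The delta-syncrepl master example also gives `cn=replicator` read access to `*` with unlimited size and time limits, so the text should say that this account needs a strong credential and should be used for replication only.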
@@ -5344,13 +6280,16 @@
                      retry=&quot;60 +&quot;
 
        mirrormode on
-       serverID    1
 </PRE>
 <P>MirrorMode node 2:</P>
 <PRE>
+       # Global section
+       serverID    2
+       # database section
+
        # syncrepl directives
-       syncrepl      rid=1
-                     provider=ldap://ldap-rid1.example.com
+       syncrepl      rid=001
+                     provider=ldap://ldap-ridr1.example.com
                      bindmethod=simple
                      binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
                      credentials=mirrormode
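Review bot: The provider for `rid=001` is now `ldap://ldap-ridr1.example.com` in the node 2 example, and the same host name is added for node 1 in the previous hunk. The line it replaces used `ldap-rid1.example.com` and the second provider is still `ldap-rid2.example.com`, so this looks like a typo. A reader copying the example would get a consumer that keeps retrying against a name that presumably does not resolve; the line should probably read `provider=ldap://ldap-rid1.example.com` in both places. The `<PRE>` block for node 2 continues past the end of this hunk.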
@@ -5359,24 +6298,33 @@
                      type=refreshAndPersist
                      retry=&quot;60 +&quot;
 
+       syncrepl      rid=002
+                     provider=ldap://ldap-rid2.example.com
+                     bindmethod=simple
+                     binddn=&quot;cn=mirrormode,dc=example,dc=com&quot;
+                     credentials=mirrormode
+                     searchbase=&quot;dc=example,dc=com&quot;
+                     schemachecking=on
+                     type=refreshAndPersist
+                     retry=&quot;60 +&quot;
+
        mirrormode on
-       serverID    2
 </PRE>
-<P>It's simple really; each MirrorMode node is setup <B>exactly</B> the same, except that the <B>provider</B> directive is set to point to the other MirrorMode node and the <EM>serverID</EM> is unique.</P>
-<H4><A NAME="Failover Configuration">16.5.3.2. Failover Configuration</A></H4>
+<P>It's simple really; each MirrorMode node is setup <B>exactly</B> the same, except that the <EM>serverID</EM> is unique.</P>
+<H5><A NAME="Failover Configuration">17.4.4.1.1. Failover Configuration</A></H5>
 <P>There are generally 2 choices for this; 1.  Hardware proxies/load-balancing or dedicated proxy software, 2. using a Back-LDAP proxy as a syncrepl provider</P>
 <P>A typical enterprise example might be:</P>
 <P><CENTER><IMG SRC="dual_dc.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: MirrorMode in a Dual Data Center Configuration</P>
-<H4><A NAME="Normal Consumer Configuration">16.5.3.3. Normal Consumer Configuration</A></H4>
+<H5><A NAME="Normal Consumer Configuration">17.4.4.1.2. Normal Consumer Configuration</A></H5>
 <P>This is exactly the same as the <A HREF="#Set up the consumer slapd">Set up the consumer slapd</A> section. It can either setup in normal <A HREF="#syncrepl replication">syncrepl replication</A> mode, or in <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> mode.</P>
-<H3><A NAME="MirrorMode Summary">16.5.4. MirrorMode Summary</A></H3>
+<H4><A NAME="MirrorMode Summary">17.4.4.2. MirrorMode Summary</A></H4>
 <P>Hopefully you will now have a directory architecture that provides all of the consistency guarantees of single-master replication, whilst also providing the high availability of multi-master replication.</P>
 <P></P>
 <HR>
-<H1><A NAME="Maintenance">17. Maintenance</A></H1>
+<H1><A NAME="Maintenance">18. Maintenance</A></H1>
 <P>System Administration is all about maintenance, so it is only fair that we discuss how to correctly maintain an OpenLDAP deployment.</P>
-<H2><A NAME="Directory Backups">17.1. Directory Backups</A></H2>
+<H2><A NAME="Directory Backups">18.1. Directory Backups</A></H2>
 <P>Backup strategies largely depend on the amount of change in the database and how much of that change an administrator might be willing to lose in a catastrophic failure. There are two basic methods that can be used:</P>
 <P>1. Backup the Berkeley database itself and periodically back up the transaction log files:</P>
 <P>Berkeley DB produces transaction logs that can be used to reconstruct changes from a given point in time. For example, if an administrator were willing to only lose one hour's worth of changes, they could take down the server in the middle of the night, copy the Berkeley database files offsite, and bring the server back online. Then, on an hourly basis, they could force a database checkpoint, capture the log files that have been generated in the past hour, and copy them offsite. The accumulated log files, in combination with the previous database backup, could be used with db_recover to reconstruct the database up to the time the last collection of log files was copied offsite. This method affords good protection, with minimal space overhead.</P>
@@ -5388,7 +6336,7 @@
 </PRE>
 <P>For back-bdb and back-hdb, this command may be ran while slapd(8) is running.</P>
 <P>MORE on actual Berkeley DB backups later covering db_recover etc.</P>
-<H2><A NAME="Berkeley DB Logs">17.2. Berkeley DB Logs</A></H2>
+<H2><A NAME="Berkeley DB Logs">18.2. Berkeley DB Logs</A></H2>
 <P>Berkeley DB log files grow, and the administrator has to deal with it. The procedure is known as log file archival or log file rotation.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>The actual log file rotation is handled by the Berkeley DB engine.
@@ -5401,10 +6349,11 @@
 <P>The files with names <TT>__db.001</TT>, <TT>__db.002</TT>, etc are just shared memory regions (or whatever). These ARE NOT 'logs', they must be left alone. Don't be afraid of them, they do not grow like logs do.</P>
 <P>To understand the <TT>db_archive</TT> interface, the reader should refer to chapter 9 of the Berkeley DB guide. In particular, the following chapters are recommended:</P>
 <UL>
-<LI>Database and log file archival
-<LI>Log file removal
-<LI>Recovery procedures
-<LI>Hot failover</UL>
+<LI>Database and log file archival - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html</A>
+<LI>Log file removal - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html</A>
+<LI>Recovery procedures - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html</A>
+<LI>Hot failover - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html</A>
+<LI>Complete list of Berkeley DB flags - <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html">http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html</A></UL>
 <P>Advanced installations can use special environment settings to fine-tune some Berkeley DB options (change the log file limit, etc). This can be done by using the <TT>DB_CONFIG</TT> file. This magic file can be created in BDB backend directory set up by <EM>slapd.conf</EM>(5). More information on this file can be found in File naming chapter. Specific directives can be found in C Interface, look for <EM>DB_ENV-&gt;set_XXXX</EM> calls.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>options set in <TT>DB_CONFIG</TT> file override options set by OpenLDAP. Use them with extreme caution. Do not use them unless You know what You are doing.
@@ -5415,24 +6364,24 @@
 <LI>to fine-tune some specific options (such as shared memory region sizes);
 <LI>to set the log file limit (please read Log file limits before doing this).</UL>
 <P>To figure out the best-practice BDB backup scenario, the reader is highly recommended to read the whole Chapter 9: Berkeley DB Transactional Data Store Applications. This chapter is a set of small pages with examples in C language. Non-programming people can skip this examples without loss of knowledge.</P>
-<H2><A NAME="Checkpointing">17.3. Checkpointing</A></H2>
+<H2><A NAME="Checkpointing">18.3. Checkpointing</A></H2>
 <P>MORE/TIDY</P>
 <P>If you put &quot;checkpoint 1024 5&quot; in slapd.conf (to checkpoint after 1024kb or 5 minutes, for example), this does not checkpoint every 5 minutes as you may think. The explanation from Howard is:</P>
 <P>'In OpenLDAP 2.1 and 2.2 the checkpoint directive acts as follows - *when there is a write operation*, and more than &lt;check&gt; minutes have occurred since the last checkpoint, perform the checkpoint. If more than &lt;check&gt; minutes pass after a write without any other write operations occurring, no checkpoint is performed, so it's possible to lose the last write that occurred.''</P>
 <P>In other words, a write operation occurring less than &quot;check&quot; minutes after the last checkpoint will not be checkpointed until the next write occurs after &quot;check&quot; minutes have passed since the checkpoint.</P>
 <P>This has been modified in 2.3 to indeed checkpoint every so often; in the meantime a workaround is to invoke &quot;db_checkpoint&quot; from a cron script every so often, say 5 minutes.</P>
-<H2><A NAME="Migration">17.4. Migration</A></H2>
+<H2><A NAME="Migration">18.4. Migration</A></H2>
 <P>Exporting to a new system......</P>
 <P></P>
 <HR>
-<H1><A NAME="Monitoring">18. Monitoring</A></H1>
+<H1><A NAME="Monitoring">19. Monitoring</A></H1>
 <P><EM>slapd</EM>(8) supports an optional <TERM>LDAP</TERM> monitoring interface you can use to obtain information regarding the current state of your <EM>slapd</EM> instance.  For instance, the interface allows you to determine how many clients are connected to the server currently. The monitoring information is provided by a specialized backend, the <EM>monitor</EM> backend.  A manual page, <EM>slapd-monitor</EM>(5) is available.</P>
 <P>When the monitoring interface is enabled, LDAP clients may be used to access information provided by the <EM>monitor</EM> backend, subject to access and other controls.</P>
 <P>When enabled, the <EM>monitor</EM> backend dynamically generates and returns objects in response to search requests in the <EM>cn=Monitor</EM> subtree.  Each object contains information about a particular aspect of the server.  The information is held in a combination of user applications and operational attributes.   This information can be access with <EM>ldapsearch(1)</EM>, with any general-purpose LDAP browser, or with specialized monitoring tools.  The <A HREF="#Accessing Monitoring Information">Accessing Monitoring Information</A> section provides a brief tutorial on how to use <EM>ldapsearch</EM>(1) to access monitoring information, while the <A HREF="#Monitor information">Monitor information</A> section details monitoring information base and its organization.</P>
 <P>While support for the monitor backend is included in default builds of slapd(8), this support requires some configuration to become active.  This may be done using either <TT>cn=config</TT> or <EM>slapd.conf</EM>(5).  The former is discussed in the <A HREF="#Monitor configuration via cn=config">Monitor configuration via cn=config</A> section of this of this chapter.  The latter is discussed in the <A HREF="#Monitor configuration via slapd.conf(5)">Monitor configuration via slapd.conf(5)</A> section of this chapter.  These sections assume monitor backend is built into <EM>slapd</EM> (e.g., <TT>--enable-monitor=yes</TT>, the default).  If the monitor backend was built as a module (e.g., <TT>--enable-monitor=mod</TT>, this module must loaded.  Loading of modules is discussed in the <A HREF="#Configuring slapd">Configuring slapd</A> and <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapters.</P>
-<H2><A NAME="Monitor configuration via cn=config(5)">18.1. Monitor configuration via cn=config(5)</A></H2>
+<H2><A NAME="Monitor configuration via cn=config(5)">19.1. Monitor configuration via cn=config(5)</A></H2>
 <P><EM>This section has yet to be written.</EM></P>
-<H2><A NAME="Monitor configuration via slapd.conf(5)">18.2. Monitor configuration via slapd.conf(5)</A></H2>
+<H2><A NAME="Monitor configuration via slapd.conf(5)">19.2. Monitor configuration via slapd.conf(5)</A></H2>
 <P>Configuration of the slapd.conf(5) to support LDAP monitoring is quite simple.</P>
 <P>First, ensure <EM>core.schema</EM> schema configuration file is included by your <EM>slapd.conf</EM>(5) file.  The <EM>monitor</EM> backend requires it.</P>
 <P>Second, instantiate the <EM>monitor backend</EM> by adding a <EM>database monitor</EM> directive below your existing database sections.  For instance:</P>
@@ -5454,7 +6403,7 @@
                 -b 'cn=Monitor' -s base 1.1
 </PRE>
 <P>Note that unlike general purpose database backends, the database suffix is hardcoded.  It's always <TT>cn=Monitor</TT>.  So no <EM>suffix</EM> directive should be provided.  Also note that general purpose database backends, the monitor backend cannot be instantiated multiple times.  That is, there can only be one (or zero) occurrences of <TT>database monitor</TT> in the server's configuration.</P>
-<H2><A NAME="Accessing Monitoring Information">18.3. Accessing Monitoring Information</A></H2>
+<H2><A NAME="Accessing Monitoring Information">19.3. Accessing Monitoring Information</A></H2>
 <P>As previously discussed, when enabled, the <EM>monitor</EM> backend dynamically generates and returns objects in response to search requests in the <EM>cn=Monitor</EM> subtree.  Each object contains information about a particular aspect of the server.  The information is held in a combination of user applications and operational attributes.  This information can be access with <EM>ldapsearch(1)</EM>, with any general-purpose LDAP browser, or with specialized monitoring tools.</P>
 <P>This section provides a provides a brief tutorial on how to use <EM>ldapsearch</EM>(1) to access monitoring information.</P>
 <P>To inspect any particular monitor object, one performs search operation on the object with a baseObject scope and a <TT>(objectClass=*)</TT> filter.  As the monitoring information is contained in a combination of user applications and operational attributes, the return all user applications attributes (e.g., <TT>'*'</TT>) and all operational attributes (e.g., <TT>'+'</TT>) should be requested.   For instance, to read the <TT>cn=Monitor</TT> object itself, the <EM>ldapsearch</EM>(1) command (modified to fit your configuration) can be used:</P>
@@ -5502,7 +6451,7 @@
         ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'cn=Monitor' -s sub 1.1
 </PRE>
 <P>If you run this command you will discover that there are many objects in the <EM>cn=Monitor</EM> subtree.  The following section describes some of the commonly available monitoring objects.</P>
-<H2><A NAME="Monitor Information">18.4. Monitor Information</A></H2>
+<H2><A NAME="Monitor Information">19.4. Monitor Information</A></H2>
 <P>The <EM>monitor</EM> backend provides a wealth of information useful for monitoring the slapd(8) contained in set of monitor objects. Each object contains information about a particular aspect of the server, such as a backends, a connection, or a thread. Some objects serve as containers for other objects and used to construct a hierarchy of objects.</P>
 <P>In this hierarchy, the most superior object is {cn=Monitor}. While this object primarily serves as a container for other objects, most of which are containers, this object provides information about this server.  In particular, it provides the slapd(8) version string.  Example:</P>
 <PRE>
@@ -5512,7 +6461,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>Examples in this section (and its subsections) have been trimmed to show only key information.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Backends">18.4.1. Backends</A></H3>
+<H3><A NAME="Backends">19.4.1. Backends</A></H3>
 <P>The <TT>cn=Backends,cn=Monitor</TT> object, itself, provides a list of available backends.  The list of available backends all builtin backends, as well as backends loaded by modules.  For example:</P>
 <PRE>
         dn: cn=Backends,cn=Monitor
@@ -5605,7 +6554,7 @@
 </TR>
 </TABLE>
 
-<H3><A NAME="Connections">18.4.2. Connections</A></H3>
+<H3><A NAME="Connections">19.4.2. Connections</A></H3>
 <P>The main entry is empty; it should contain some statistics on the number of connections.</P>
 <P>Dynamic child entries are created for each open connection, with stats on the activity on that connection (the format will be detailed later). There are two special child entries that show the number of total and current connections respectively.</P>
 <P>For example:</P>
@@ -5627,7 +6576,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Databases">18.4.3. Databases</A></H3>
+<H3><A NAME="Databases">19.4.3. Databases</A></H3>
 <P>The main entry contains the naming context of each configured database; the child entries contain, for each database, the type and the naming context.</P>
 <P>For example:</P>
 <PRE>
@@ -5641,7 +6590,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Listener">18.4.4. Listener</A></H3>
+<H3><A NAME="Listener">19.4.4. Listener</A></H3>
 <P>It contains the description of the devices the server is currently listening on:</P>
 <PRE>
    dn: cn=Listener 0,cn=Listeners,cn=Monitor
@@ -5651,7 +6600,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Log">18.4.5. Log</A></H3>
+<H3><A NAME="Log">19.4.5. Log</A></H3>
 <P>It contains the currently active log items.  The <EM>Log</EM> subsystem allows user modify operations on the <EM>description</EM> attribute, whose values <EM>MUST</EM> be in the list of admittable log switches:</P>
 <PRE>
    Trace
@@ -5669,7 +6618,7 @@
    Sync
 </PRE>
 <P>These values can be added, replaced or deleted; they affect what messages are sent to the syslog device. Custom values could be added by custom modules.</P>
-<H3><A NAME="Operations">18.4.6. Operations</A></H3>
+<H3><A NAME="Operations">19.4.6. Operations</A></H3>
 <P>It shows some statistics on the operations performed by the server:</P>
 <PRE>
    Initiated
@@ -5689,7 +6638,7 @@
    Extended
 </PRE>
 <P>There are too many types to list example here, so please try for yourself using <A HREF="#Monitor search example">Monitor search example</A></P>
-<H3><A NAME="Overlays">18.4.7. Overlays</A></H3>
+<H3><A NAME="Overlays">19.4.7. Overlays</A></H3>
 <P>The main entry contains the type of overlays available at run-time; the child entries, for each overlay, contain the type of the overlay.</P>
 <P>It should also contain the modules that have been loaded if dynamic overlays are enabled:</P>
 <PRE>
@@ -5703,9 +6652,9 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: TRUE
 </PRE>
-<H3><A NAME="SASL">18.4.8. SASL</A></H3>
+<H3><A NAME="SASL">19.4.8. SASL</A></H3>
 <P>Currently empty.</P>
-<H3><A NAME="Statistics">18.4.9. Statistics</A></H3>
+<H3><A NAME="Statistics">19.4.9. Statistics</A></H3>
 <P>It shows some statistics on the data sent by the server:</P>
 <PRE>
    Bytes
@@ -5723,7 +6672,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Threads">18.4.10. Threads</A></H3>
+<H3><A NAME="Threads">19.4.10. Threads</A></H3>
 <P>It contains the maximum number of threads enabled at startup and the current backload.</P>
 <P>e.g.</P>
 <PRE>
@@ -5735,7 +6684,7 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="Time">18.4.11. Time</A></H3>
+<H3><A NAME="Time">19.4.11. Time</A></H3>
 <P>It contains two child entries with the start time and the current time of the server.</P>
 <P>e.g.</P>
 <P>Start time:</P>
@@ -5756,9 +6705,9 @@
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
 </PRE>
-<H3><A NAME="TLS">18.4.12. TLS</A></H3>
+<H3><A NAME="TLS">19.4.12. TLS</A></H3>
 <P>Currently empty.</P>
-<H3><A NAME="Waiters">18.4.13. Waiters</A></H3>
+<H3><A NAME="Waiters">19.4.13. Waiters</A></H3>
 <P>It contains the number of current read waiters.</P>
 <P>e.g.</P>
 <P>Read waiters:</P>
@@ -5782,29 +6731,35 @@
 <P>Add new monitored things here and discuss, referencing man pages and present examples</P>
 <P></P>
 <HR>
-<H1><A NAME="Tuning">19. Tuning</A></H1>
+<H1><A NAME="Tuning">20. Tuning</A></H1>
 <P>This is perhaps one of the most important chapters in the guide, because if you have not tuned <EM>slapd</EM>(8) correctly or grasped how to design your directory and environment, you can expect very poor performance.</P>
 <P>Reading, understanding and experimenting using the instructions and information in the following sections, will enable you to fully understand how to tailor your directory server to your specific requirements.</P>
 <P>It should be noted that the following information has been collected over time from our community based FAQ. So obviously the benefit of this real world experience and advice should be of great value to the reader.</P>
-<H2><A NAME="Performance Factors">19.1. Performance Factors</A></H2>
+<H2><A NAME="Performance Factors">20.1. Performance Factors</A></H2>
 <P>Various factors can play a part in how your directory performs on your chosen hardware and environment. We will attempt to discuss these here.</P>
-<H3><A NAME="Memory">19.1.1. Memory</A></H3>
+<H3><A NAME="Memory">20.1.1. Memory</A></H3>
 <P>Scale your cache to use available memory and increase system memory if you can.</P>
-<P>More info here.</P>
-<H3><A NAME="Disks">19.1.2. Disks</A></H3>
-<P>Use fast subsystems. Put each database and logs on separate disks.</P>
-<P>Example showing config settings</P>
-<H3><A NAME="Network Topology">19.1.3. Network Topology</A></H3>
+<P>See <A HREF="#Caching">Caching</A></P>
+<H3><A NAME="Disks">20.1.2. Disks</A></H3>
+<P>Use fast subsystems. Put each database and logs on separate disks configurable via <EM>DB_CONFIG</EM>:</P>
+<PRE>
+       # Data Directory
+       set_data_dir /data/db
+
+       # Transaction Log settings
+       set_lg_dir /logs
+</PRE>
+<H3><A NAME="Network Topology">20.1.3. Network Topology</A></H3>
 <P>http://www.openldap.org/faq/data/cache/363.html</P>
 <P>Drawing here.</P>
-<H3><A NAME="Directory Layout Design">19.1.4. Directory Layout Design</A></H3>
+<H3><A NAME="Directory Layout Design">20.1.4. Directory Layout Design</A></H3>
 <P>Reference to other sections and good/bad drawing here.</P>
-<H3><A NAME="Expected Usage">19.1.5. Expected Usage</A></H3>
+<H3><A NAME="Expected Usage">20.1.5. Expected Usage</A></H3>
 <P>Discussion.</P>
-<H2><A NAME="Indexes">19.2. Indexes</A></H2>
-<H3><A NAME="Understanding how a search works">19.2.1. Understanding how a search works</A></H3>
+<H2><A NAME="Indexes">20.2. Indexes</A></H2>
+<H3><A NAME="Understanding how a search works">20.2.1. Understanding how a search works</A></H3>
 <P>If you're searching on a filter that has been indexed, then the search reads the index and pulls exactly the entries that are referenced by the index. If the filter term has not been indexed, then the search must read every single entry in the target scope and test to see if each entry matches the filter. Obviously indexing can save a lot of work when it's used correctly.</P>
-<H3><A NAME="What to index">19.2.2. What to index</A></H3>
+<H3><A NAME="What to index">20.2.2. What to index</A></H3>
 <P>You should create indices to match the actual filter terms used in search queries.</P>
 <PRE>
         index cn,sn,givenname,mail eq
@@ -5812,58 +6767,67 @@
 <P>Each attribute index can be tuned further by selecting the set of index types to generate. For example, substring and approximate search for organizations (o) may make little sense (and isn't like done very often). And searching for <EM>userPassword</EM> likely makes no sense what so ever.</P>
 <P>General rule: don't go overboard with indexes. Unused indexes must be maintained and hence can only slow things down.</P>
 <P>See <EM>slapd.conf</EM>(8) and <EM>slapdindex</EM>(8) for more information</P>
-<H3><A NAME="Presence indexing">19.2.3. Presence indexing</A></H3>
+<H3><A NAME="Presence indexing">20.2.3. Presence indexing</A></H3>
 <P>If your client application uses presence filters and if the target attribute exists on the majority of entries in your target scope, then all of those entries are going to be read anyway, because they are valid members of the result set. In a subtree where 100% of the entries are going to contain the same attributes, the presence index does absolutely NOTHING to benefit the search, because 100% of the entries match that presence filter.</P>
 <P>So the resource cost of generating the index is a complete waste of CPU time, disk, and memory. Don't do it unless you know that it will be used, and that the attribute in question occurs very infrequently in the target data.</P>
 <P>Almost no applications use presence filters in their search queries. Presence indexing is pointless when the target attribute exists on the majority of entries in the database. In most LDAP deployments, presence indexing should not be done, it's just wasted overhead.</P>
 <P>See the <EM>Logging</EM> section below on what to watch our for if you have a frequently searched for attribute that is unindexed.</P>
-<H2><A NAME="Logging">19.3. Logging</A></H2>
-<H3><A NAME="What log level to use">19.3.1. What log level to use</A></H3>
-<P>The default of <EM>loglevel 256</EM> is really the best bet. There's a corollary to this when problems *do* arise, don't try to trace them using syslog. Use the debug flag instead, and capture slapd's stderr output. syslog is too slow for debug tracing, and it's inherently lossy - it will throw away messages when it can't keep up.</P>
+<H2><A NAME="Logging">20.3. Logging</A></H2>
+<H3><A NAME="What log level to use">20.3.1. What log level to use</A></H3>
+<P>The default of <EM>loglevel stats</EM> (256) is really the best bet. There's a corollary to this when problems *do* arise, don't try to trace them using syslog. Use the debug flag instead, and capture slapd's stderr output. syslog is too slow for debug tracing, and it's inherently lossy - it will throw away messages when it can't keep up.</P>
 <P>Contrary to popular belief, <EM>loglevel 0</EM> is not ideal for production as you won't be able to track when problems first arise.</P>
-<H3><A NAME="What to watch out for">19.3.2. What to watch out for</A></H3>
+<H3><A NAME="What to watch out for">20.3.2. What to watch out for</A></H3>
 <P>The most common message you'll see that you should pay attention to is:</P>
 <PRE>
-  &quot;&lt;= bdb_equality_candidates: (foo) index_param failed (18)&quot;
+       &quot;&lt;= bdb_equality_candidates: (foo) index_param failed (18)&quot;
 </PRE>
 <P>That means that some application tried to use an equality filter (<EM>foo=&lt;somevalue&gt;</EM>) and attribute <EM>foo</EM> does not have an equality index. If you see a lot of these messages, you should add the index. If you see one every month or so, it may be acceptable to ignore it.</P>
-<P>The default syslog level is 256 which logs the basic parameters of each request; it usually produces 1-3 lines of output. On Solaris and systems that only provide synchronous syslog, you may want to turn it off completely, but usually you want to leave it enabled so that you'll be able to see index messages whenever they arise. On Linux you can configure syslogd to run asynchronously, in which case the performance hit for moderate syslog traffic pretty much disappears.</P>
-<H3><A NAME="Improving throughput">19.3.3. Improving throughput</A></H3>
+<P>The default syslog level is stats (256) which logs the basic parameters of each request; it usually produces 1-3 lines of output. On Solaris and systems that only provide synchronous syslog, you may want to turn it off completely, but usually you want to leave it enabled so that you'll be able to see index messages whenever they arise. On Linux you can configure syslogd to run asynchronously, in which case the performance hit for moderate syslog traffic pretty much disappears.</P>
+<H3><A NAME="Improving throughput">20.3.3. Improving throughput</A></H3>
 <P>You can improve logging performance on some systems by configuring syslog not to sync the file system with every write (<EM>man syslogd/syslog.conf</EM>). In Linux, you can prepend the log file name with a &quot;-&quot; in <EM>syslog.conf</EM>. For example, if you are using the default LOCAL4 logging you could try:</P>
 <PRE>
-   # LDAP logs
-   LOCAL4.*         -/var/log/ldap
+       # LDAP logs
+       LOCAL4.*         -/var/log/ldap
 </PRE>
 <P>For syslog-ng, add or modify the following line in <EM>syslog-ng.conf</EM>:</P>
 <PRE>
-   options { sync(n); };
+       options { sync(n); };
 </PRE>
 <P>where n is the number of lines which will be buffered before a write.</P>
-<H2><A NAME="BDB/HDB Database Caching">19.4. BDB/HDB Database Caching</A></H2>
+<H2><A NAME="Caching">20.4. Caching</A></H2>
 <P>We all know what caching is, don't we?</P>
 <P>In brief, &quot;A cache is a block of memory for temporary storage of data likely to be used again&quot; - <A HREF="http://en.wikipedia.org/wiki/Cache">http://en.wikipedia.org/wiki/Cache</A></P>
 <P>There are 3 types of caches, BerkeleyDB's own cache, <EM>slapd</EM>(8) entry cache and <TERM>IDL</TERM> (IDL) cache.</P>
-<H3><A NAME="Berkeley DB Cache">19.4.1. Berkeley DB Cache</A></H3>
-<P>BerkeleyDB's own data cache operates on page-sized blocks of raw data.</P>
+<H3><A NAME="Berkeley DB Cache">20.4.1. Berkeley DB Cache</A></H3>
+<P>There are two ways to tune for the BDB cachesize:</P>
+<P>(a) BDB cache size necessary to load the database via slapadd in optimal time</P>
+<P>(b) BDB cache size necessary to have a high performing running slapd once the data is loaded</P>
+<P>For (a), the optimal cachesize is the size of the entire database.  If you already have the database loaded, this is simply a</P>
+<PRE>
+       du -c -h *.bdb
+</PRE>
+<P>in the directory containing the OpenLDAP (<EM>/usr/local/var/openldap-data</EM>) data.</P>
+<P>For (b), the optimal cachesize is just the size of the <EM>id2entry.bdb</EM> file, plus about 10% for growth.</P>
+<P>The tuning of <EM>DB_CONFIG</EM> should be done for each BDB type database instantiated (back-bdb, back-hdb).</P>
 <P>Note that while the <TERM>BDB</TERM> cache is just raw chunks of memory and configured as a memory size, the <EM>slapd</EM>(8) entry cache holds parsed entries, and the size of each entry is variable.</P>
 <P>There is also an IDL cache which is used for Index Data Lookups. If you can fit all of your database into slapd's entry cache, and all of your index lookups fit in the IDL cache, that will provide the maximum throughput.</P>
 <P>If not, but you can fit the entire database into the BDB cache, then you should do that and shrink the slapd entry cache as appropriate.</P>
 <P>Failing that, you should balance the BDB cache against the entry cache.</P>
 <P>It is worth noting that it is not absolutely necessary to configure a BerkeleyDB cache equal in size to your entire database. All that you need is a cache that's large enough for your &quot;working set.&quot;</P>
 <P>That means, large enough to hold all of the most frequently accessed data, plus a few less-frequently accessed items.</P>
-<P>ORACLE LINKS HERE</P>
-<H4><A NAME="Calculating Cachesize">19.4.1.1. Calculating Cachesize</A></H4>
+<P>For more information, please see: <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html">http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html</A></P>
+<H4><A NAME="Calculating Cachesize">20.4.1.1. Calculating Cachesize</A></H4>
 <P>The back-bdb database lives in two main files, <TT>dn2id.bdb</TT> and <TT>id2entry.bdb</TT>. These are B-tree databases. We have never documented the back-bdb internal layout before, because it didn't seem like something anyone should have to worry about, nor was it necessarily cast in stone. But here's how it works today, in OpenLDAP 2.4.</P>
 <P>A B-tree is a balanced tree; it stores data in its leaf nodes and bookkeeping data in its interior nodes (If you don't know what tree data structures look like in general, Google for some references, because that's getting far too elementary for the purposes of this discussion).</P>
 <P>For decent performance, you need enough cache memory to contain all the nodes along the path from the root of the tree down to the particular data item you're accessing. That's enough cache for a single search. For the general case, you want enough cache to contain all the internal nodes in the database.</P>
 <PRE>
-   db_stat -d
+       db_stat -d
 </PRE>
 <P>will tell you how many internal pages are present in a database. You should check this number for both dn2id and id2entry.</P>
 <P>Also note that <EM>id2entry</EM> always uses 16KB per &quot;page&quot;, while <EM>dn2id</EM> uses whatever the underlying filesystem uses, typically 4 or 8KB. To avoid thrashing the, your cache must be at least as large as the number of internal pages in both the <EM>dn2id</EM> and <EM>id2entry</EM> databases, plus some extra space to accommodate the actual leaf data pages.</P>
 <P>For example, in my OpenLDAP 2.4 test database, I have an input LDIF file that's about 360MB. With the back-hdb backend this creates a <EM>dn2id.bdb</EM> that's 68MB, and an <EM>id2entry</EM> that's 800MB. db_stat tells me that <EM>dn2id</EM> uses 4KB pages, has 433 internal pages, and 6378 leaf pages. The id2entry uses 16KB pages, has 52 internal pages, and 45912 leaf pages. In order to efficiently retrieve any single entry in this database, the cache should be at least</P>
 <PRE>
-   (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
+       (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
 </PRE>
 <P>This doesn't take into account other library overhead, so this is even lower than the barest minimum. The default cache size, when nothing is configured, is only 256KB.</P>
 <P>This 2.5MB number also doesn't take indexing into account. Each indexed attribute uses another database file of its own, using a Hash structure.</P>
@@ -5878,49 +6842,33 @@
 <P>With only this index enabled, I'd figure at least a 4MB cache for this backend. (Of course you're using a single cache shared among all of the database files, so the cache pages will most likely get used for something other than what you accounted for, but this gives you a fighting chance.)</P>
 <P>With this 4MB cache I can slapcat this entire database on my 1.3GHz PIII in 1 minute, 40 seconds. With the cache doubled to 8MB, it still takes the same 1:40s. Once you've got enough cache to fit the B-tree internal pages, increasing it further won't have any effect until the cache really is large enough to hold 100% of the data pages. I don't have enough free RAM to hold all the 800MB id2entry data, so 4MB is good enough.</P>
 <P>With back-bdb and back-hdb you can use &quot;db_stat -m&quot; to check how well the database cache is performing.</P>
-<H3><A NAME="{{slapd}}(8) Entry Cache">19.4.2. <EM>slapd</EM>(8) Entry Cache</A></H3>
+<P>For more information on <EM>db_stat</EM>: <A HREF="http://www.oracle.com/technology/documentation/berkeley-db/db/utility/db_stat.html">http://www.oracle.com/technology/documentation/berkeley-db/db/utility/db_stat.html</A></P>
+<H3><A NAME="{{slapd}}(8) Entry Cache (cachesize)">20.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A></H3>
 <P>The <EM>slapd</EM>(8) entry cache operates on decoded entries. The rationale - entries in the entry cache can be used directly, giving the fastest response. If an entry isn't in the entry cache but can be extracted from the BDB page cache, that will avoid an I/O but it will still require parsing, so this will be slower.</P>
 <P>If the entry is in neither cache then BDB will have to flush some of its current cached pages and bring in the needed pages, resulting in a couple of expensive I/Os as well as parsing.</P>
+<P>The most optimal value is of course, the entire number of entries in the database. However, most directory servers don't consistently serve out their entire database, so setting this to a lesser number that more closely matches the believed working set of data is sufficient. This is the second most important parameter for the DB.</P>
 <P>As far as balancing the entry cache vs the BDB cache - parsed entries in memory are generally about twice as large as they are on disk.</P>
 <P>As we have already mentioned, not having a proper database cache size will cause performance issues. These issues are not an indication of corruption occurring in the database. It is merely the fact that the cache is thrashing itself that causes performance/response time to slowdown.</P>
-<P>MOVE BELOW AROUND:</P>
-<P>If you want to setup the cache size, please read:</P>
-<P>(Xref) How do I configure the BDB backend? (Xref) What are the DB_CONFIG configuration directives? http://www.sleepycat.com/docs/utility/db_recover.html</P>
-<P>A default config can be found in the answer:</P>
-<P>(Xref) What are the DB_CONFIG configuration directives?</P>
-<P>just change the set_lg_dir to point to your .log directory or comment that line.</P>
-<P>Quick guide:</P>
-<UL>
-<LI>Create a DB_CONFIG file in your ldap home directory (/var/lib/ldap/DB_CONFIG) with the correct &quot;set_cachesize&quot; value
-<LI>stop your ldap server and run db_recover -h /var/lib/ldap
-<LI>start your ldap server and check the new cache size with:</UL>
-<P>db_stat -h /var/lib/ldap -m | head -n 2</P>
-<UL>
-<LI>this procedure is only needed if you use OpenLDAP 2.2 with the BDB or HDB backends; In OpenLDAP 2.3 DB recovery is performed automatically whenever the DB_CONFIG file is changed or when an unclean shutdown is detected.<UL><UL>
-<LI>On Tuesday, February 22, 2005 12:15 PM -0500 Dusty Doris &lt;openldap at mail.doris.cc&gt; wrote:</UL></UL></UL>
-<P>Few questions, if you change the cachesize and idlecachesize entries, do you have to do anything special aside from restarting slapd, such as run slapindex or db_recover?</P>
-<P>Also, is there any way to tell how much memory these caches are taking up to make sure they are not set too large?  What happens if you set your cachesize too large and you don't have enough available memory to store these?  Will that cause an issue with openldap, or will it just not cache those entries that would make it exceed its available memory.  Will it just use some sort of FIFO on those caches?</P>
-<P>It will consume the memory resources of your system, and likely cause issues.</P>
-<P>Finally, what do most people try to achieve with these values?  Would the goal be to make these as big as the directory?  So, if I have 400,000 dn's in my directory, would it be safe to set these at 400000 or would something like 20,000 be good enough to get a nice performance increase?</P>
-<P>I try to cache the most actively used entries. Unless you expect all 400,000 entries of your DB to be accessed regularly, there is no need to cache that many entries. My entry cache is set to 20,000 (out of a little over 400,000 entries).</P>
-<P>The idlcache has to do with how many unique result sets of searches you want to store in memory. Setting up this cache will allow your most frequently placed searches to get results much faster, but I doubt you want to try and cache the results of every search that hits your system. ;)</P>
-<UL><UL><UL>
-<LI>Quanah</UL></UL></UL>
-<H3><A NAME="{{TERM:IDL}} Cache">19.4.3. <TERM>IDL</TERM> Cache</A></H3>
-<P>http://www.openldap.org/faq/data/cache/1076.html</P>
+<H3><A NAME="{{TERM:IDL}} Cache (idlcachesize)">20.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A></H3>
+<P>Each IDL holds the search results from a given query, so the IDL cache will end up holding the most frequently requested search results.  For back-bdb, it is generally recommended to match the &quot;cachesize&quot; setting.  For back-hdb, it is generally recommended to be 3x&quot;cachesize&quot;.</P>
+<P>{NOTE: The idlcachesize setting directly affects search performance}</P>
+<H3><A NAME="{{slapd}}(8) Threads">20.4.4. <EM>slapd</EM>(8) Threads</A></H3>
+<P><EM>slapd</EM>(8) can process requests via a configurable number of thread, which in turn affects the in/out rate of connections.</P>
+<P>This value should generally be a function of the number of &quot;real&quot; cores on the system, for example on a server with 2 CPUs with one core each, set this to 8, or 4 threads per real core.  This is a &quot;read&quot; maximized value. The more threads that are configured per core, the slower <EM>slapd</EM>(8) responds for &quot;read&quot; operations.  On the flip side, it appears to handle write operations faster in a heavy write/low read scenario.</P>
+<P>The upper bound for good read performance appears to be 16 threads (which also happens to be the default setting).</P>
 <P></P>
 <HR>
-<H1><A NAME="Troubleshooting">20. Troubleshooting</A></H1>
+<H1><A NAME="Troubleshooting">21. Troubleshooting</A></H1>
 <P>If you're having trouble using OpenLDAP, get onto the OpenLDAP-Software mailing list, or:</P>
 <UL>
 <LI>Browse the list archives at <A HREF="http://www.openldap.org/lists/#archives">http://www.openldap.org/lists/#archives</A>
 <LI>Search the FAQ at <A HREF="http://www.openldap.org/faq/">http://www.openldap.org/faq/</A>
 <LI>Search the Issue Tracking System at <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A></UL>
 <P>Chances are the problem has been solved and explained in detail many times before.</P>
-<H2><A NAME="User or Software errors">20.1. User or Software errors?</A></H2>
+<H2><A NAME="User or Software errors">21.1. User or Software errors?</A></H2>
 <P>More often than not, an error is caused by a configuration problem or a misunderstanding of what you are trying to implement and/or achieve.</P>
 <P>We will now attempt to discuss common user errors.</P>
-<H2><A NAME="Checklist">20.2. Checklist</A></H2>
+<H2><A NAME="Checklist">21.2. Checklist</A></H2>
 <P>The following checklist can help track down your problem. Please try to use if <B>before</B> posting to the list, or in the rare circumstances of reporting a bug.</P>
 <UL>
 &nbsp;</UL><OL>
@@ -5943,7 +6891,7 @@
 <BR>
 &nbsp;
 <LI><B>Have your certificates expired?</B></OL>
-<H2><A NAME="OpenLDAP Bugs">20.3. OpenLDAP Bugs</A></H2>
+<H2><A NAME="OpenLDAP Bugs">21.3. OpenLDAP Bugs</A></H2>
 <P>Sometimes you may encounter an actual OpenLDAP bug, in which case please visit our Issue Tracking system <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A> and report it. However, make sure it's not already a known bug or a common user problem.</P>
 <UL>
 <LI>bugs in historic versions of OpenLDAP will not be considered;
@@ -5953,22 +6901,22 @@
 <STRONG>Note: </STRONG>Our Issue Tracking system is <B>NOT</B> for OpenLDAP <B>Support</B>, please join our mailing Lists: <A HREF="http://www.openldap.org/lists/">http://www.openldap.org/lists/</A> for that.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>The information you should provide in your bug report is discussed in our FAQ-O-MATIC at <A HREF="http://www.openldap.org/faq/data/cache/59.html">http://www.openldap.org/faq/data/cache/59.html</A></P>
-<H2><A NAME="3rd party software error">20.4. 3rd party software error</A></H2>
+<H2><A NAME="3rd party software error">21.4. 3rd party software error</A></H2>
 <P>The OpenLDAP Project only supports OpenLDAP software.</P>
 <P>You may however seek commercial support (<A HREF="http://www.openldap.org/support/">http://www.openldap.org/support/</A>) or join the general LDAP forum for non-commercial discussions and information relating to LDAP at: <A HREF="http://www.umich.edu/~dirsvcs/ldap/mailinglist.html">http://www.umich.edu/~dirsvcs/ldap/mailinglist.html</A></P>
-<H2><A NAME="How to contact the OpenLDAP Project">20.5. How to contact the OpenLDAP Project</A></H2>
+<H2><A NAME="How to contact the OpenLDAP Project">21.5. How to contact the OpenLDAP Project</A></H2>
 <UL>
 <LI>Mailing Lists: <A HREF="http://www.openldap.org/lists/">http://www.openldap.org/lists/</A>
 <LI>Project: <A HREF="http://www.openldap.org/project/">http://www.openldap.org/project/</A>
 <LI>Issue Tracking: <A HREF="http://www.openldap.org/its/">http://www.openldap.org/its/</A></UL>
-<H2><A NAME="How to present your problem">20.6. How to present your problem</A></H2>
-<H2><A NAME="Debugging {{slapd}}(8)">20.7. Debugging <EM>slapd</EM>(8)</A></H2>
+<H2><A NAME="How to present your problem">21.6. How to present your problem</A></H2>
+<H2><A NAME="Debugging {{slapd}}(8)">21.7. Debugging <EM>slapd</EM>(8)</A></H2>
 <P>After reading through the above sections and before e-mailing the OpenLDAP lists, you might want to try out some of the following to track down the cause of your problems:</P>
 <UL>
-<LI>Loglevel 256 is generally a good first loglevel to try for getting information useful to list members on issues
+<LI>Loglevel stats (256) is generally a good first loglevel to try for getting information useful to list members on issues
 <LI>Running <EM>slapd -d -1</EM> can often track down fairly simple issues, such as missing schemas and incorrect file permissions for the <EM>slapd</EM> user to things like certs
 <LI>Check your logs for errors, as discussed at <A HREF="http://www.openldap.org/faq/data/cache/358.html">http://www.openldap.org/faq/data/cache/358.html</A></UL>
-<H2><A NAME="Commercial Support">20.8. Commercial Support</A></H2>
+<H2><A NAME="Commercial Support">21.8. Commercial Support</A></H2>
 <P>The firms listed at <A HREF="http://www.openldap.org/support/">http://www.openldap.org/support/</A> offer technical support services catering to OpenLDAP community.</P>
 <P>The listing of any given firm should not be viewed as an endorsement or recommendation of any kind, nor as otherwise indicating there exists a business relationship or an affiliation between any listed firm and the OpenLDAP Foundation or the OpenLDAP Project or its contributors.</P>
 <P></P>
@@ -5981,6 +6929,7 @@
 <LI><A HREF="#When should I use LDAP">When should I use LDAP?</A>
 <LI><A HREF="#When should I not use LDAP">When should I not use LDAP?</A>
 <LI><A HREF="#LDAP vs RDBMS">LDAP vs RDBMS</A>
+<LI><A HREF="#Access Control">Access Control</A>
 <LI><A HREF="#Backends">Backends</A>
 <LI><A HREF="#Overlays">Overlays</A>
 <LI><A HREF="#Replication">Replication</A>
@@ -6054,7 +7003,9 @@
 <UL>
 <LI>monitoring of back-{b,h}db: cache fill-in, non-indexed searches,
 <LI>session tracking control (draft-wahl-ldap-session)
-<LI>subtree delete in back-sql (draft-armijo-ldap-treedelete)</UL>
+<LI>subtree delete in back-sql (draft-armijo-ldap-treedelete)
+<LI>sorted values in multivalued attributes for faster matching
+<LI>lightweight dispatcher for greater throughput under heavy load and on multiprocessor machines. (33% faster than 2.3 on AMD quad-socket dual-core server.)</UL>
 <H3><A NAME="New features in libldap">A.2.12. New features in libldap</A></H3>
 <UL>
 <LI>ldap_sync client API (LDAP Content Sync Operation, RFC 4533)</UL>
@@ -7022,7 +7973,7 @@
 CRAM-MD5
 </TD>
 <TD>
-SASL MD5 Challedge/Response Authentication Mechanism
+SASL MD5 Challenge/Response Authentication Mechanism
 </TD>
 </TR>
 <TR>
@@ -7366,7 +8317,7 @@
 LDAP Sync
 </TD>
 <TD>
-LDAP Content Sychronization
+LDAP Content Synchronization
 </TD>
 </TR>
 <TR>
@@ -8309,6 +9260,20 @@
 </TR>
 <TR>
 <TD>
+<A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">RFC2589</A>
+</TD>
+<TD>
+Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services
+</TD>
+<TD>
+PS
+</TD>
+<TD>
+<A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">http://www.rfc-editor.org/rfc/rfc2589.txt</A>
+</TD>
+</TR>
+<TR>
+<TD>
 <A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>
 </TD>
 <TD>
@@ -8452,7 +9417,7 @@
 <A HREF="http://www.rfc-editor.org/rfc/rfc4510.txt">RFC4510</A>
 </TD>
 <TD>
-Lightweight Directory Access Protocol (LDAP) Technical Specification Roadmap
+Lightweight Directory Access Protocol (LDAP): Technical Specification Roadmap
 </TD>
 <TD>
 PS
@@ -8809,7 +9774,7 @@
 <HR>
 <H1><A NAME="OpenLDAP Software Copyright Notices">K. OpenLDAP Software Copyright Notices</A></H1>
 <H2><A NAME="OpenLDAP Copyright Notice">K.1. OpenLDAP Copyright Notice</A></H2>
-<P>Copyright 1998-2007 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
+<P>Copyright 1998-2008 The OpenLDAP Foundation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted <EM>only as authorized</EM> by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
 <P>A copy of this license is available in file <TT>LICENSE</TT> in the top-level directory of the distribution or, alternatively, at &lt;<A HREF="http://www.OpenLDAP.org/license.html">http://www.OpenLDAP.org/license.html</A>&gt;.</P>
 <P>OpenLDAP is a registered trademark of the OpenLDAP Foundation.</P>
@@ -8818,9 +9783,9 @@
 <P>This work also contains materials derived from public sources.</P>
 <P>Additional information about OpenLDAP software can be obtained at &lt;<A HREF="http://www.OpenLDAP.org/">http://www.OpenLDAP.org/</A>&gt;.</P>
 <H2><A NAME="Additional Copyright Notice">K.2. Additional Copyright Notice</A></H2>
-<P>Portions Copyright 1998-2006 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2006 Net Boolean Incorporated.<BR>Portions Copyright 2001-2006 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1998-2008 Kurt D. Zeilenga.<BR>Portions Copyright 1998-2006 Net Boolean Incorporated.<BR>Portions Copyright 2001-2006 IBM Corporation.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the <A HREF="#OpenLDAP Public License">OpenLDAP Public License</A>.</P>
-<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007 Gavin Henry<BR>Portions Copyright 2007 Suretec Systems<BR><EM>All rights reserved.</EM></P>
+<P>Portions Copyright 1999-2007 Howard Y.H. Chu.<BR>Portions Copyright 1999-2007 Symas Corporation.<BR>Portions Copyright 1998-2003 Hallvard B. Furuseth.<BR>Portions Copyright 2007-2008 Gavin Henry<BR>Portions Copyright 2007-2008 Suretec Systems Limited.<BR><EM>All rights reserved.</EM></P>
 <P>Redistribution and use in source and binary forms, with or without modification, are permitted provided that this notice is preserved. The names of the copyright holders may not be used to endorse or promote products derived from this software without their specific prior written permission.  This software is provided ``as is'' without express or implied warranty.</P>
 <H2><A NAME="University of Michigan Copyright Notice">K.3. University of Michigan Copyright Notice</A></H2>
 <P>Portions Copyright 1992-1996 Regents of the University of Michigan.<BR><EM>All rights reserved.</EM></P>
@@ -8886,7 +9851,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>&copy; Copyright 2007, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>&copy; Copyright 2008, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
 
 </DIV>
 

Modified: openldap/trunk/doc/guide/admin/guide.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/guide.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/guide.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/guide.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/guide.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # guide.sdf 

Modified: openldap/trunk/doc/guide/admin/index.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/index.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/index.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/index.sdf,v 1.7.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/index.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # index.sdf 

Modified: openldap/trunk/doc/guide/admin/install.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/install.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/install.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/install.sdf,v 1.38.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/install.sdf,v 1.38.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Building and Installing OpenLDAP Software

Modified: openldap/trunk/doc/guide/admin/intro.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/intro.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/intro.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/intro.sdf,v 1.45.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/intro.sdf,v 1.45.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Introduction to OpenLDAP Directory Services
 

Modified: openldap/trunk/doc/guide/admin/maintenance.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/maintenance.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/maintenance.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/maintenance.sdf,v 1.7.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/maintenance.sdf,v 1.7.2.6 2008/04/14 22:37:01 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Maintenance
@@ -86,10 +86,11 @@
 chapter 9 of the Berkeley DB guide. In particular, the following chapters are 
 recommended:
 
-* Database and log file archival
-* Log file removal
-* Recovery procedures
-* Hot failover
+* Database and log file archival - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html}}
+* Log file removal - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html}}
+* Recovery procedures - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/recovery.html}}
+* Hot failover - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/hotfail.html}}
+* Complete list of Berkeley DB flags - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}
 
 Advanced installations can use special environment settings to fine-tune some 
 Berkeley DB options (change the log file limit, etc). This can be done by using 

Modified: openldap/trunk/doc/guide/admin/master.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/master.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/master.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/master.sdf,v 1.18.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/master.sdf,v 1.18.2.7 2008/04/14 20:35:10 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # master file for the OpenLDAP Administrator's Guide
@@ -42,6 +42,9 @@
 !include "slapdconfig.sdf"; chapter
 PB:
 
+!include "access-control.sdf"; chapter
+PB:
+
 !include "runningslapd.sdf"; chapter
 PB:
 

Modified: openldap/trunk/doc/guide/admin/monitoringslapd.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/monitoringslapd.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/monitoringslapd.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/monitoringslapd.sdf,v 1.9.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/monitoringslapd.sdf,v 1.9.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Monitoring
 

Modified: openldap/trunk/doc/guide/admin/overlays.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/overlays.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/overlays.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.5 2007/11/27 19:06:07 quanah Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.19 2008/04/21 21:35:19 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Overlays
@@ -8,34 +8,47 @@
 those provided by backends, which can be stacked on top of the backend calls 
 and as callbacks on top of backend responses to alter their behavior. 
 
-Overlays may be compiled statically into slapd, or when module support
+Overlays may be compiled statically into {{slapd}}, or when module support
 is enabled, they may be dynamically loaded. Most of the overlays
-are only allowed to be configured on individual databases, but some
-may also be configured globally.
+are only allowed to be configured on individual databases.
 
-Essentially they represent a means to:
+Some can be stacked on the {{EX:frontend}} as well, for global use. This means that
+they can be executed after a request is parsed and validated, but right before the 
+appropriate database is selected. The main purpose is to affect operations 
+regardless of the database they will be handled by, and, in some cases, 
+to influence the selection of the database by massaging the request DN. 
 
+Essentially, overlays represent a means to:
+
     * customize the behavior of existing backends without changing the backend 
       code and without requiring one to write a new custom backend with 
       complete functionality
     * write functionality of general usefulness that can be applied to 
       different backend types
 
+When using {{slapd.conf}}(5), overlays that are configured before any other
+databases are considered global, as mentioned above. In fact they are implicitly
+stacked on top of the {{EX:frontend}} database. They can also be explicitly
+configured as such:
+
+>        database frontend
+>        overlay <overlay name>
+
 Overlays are usually documented by separate specific man pages in section 5; 
 the naming convention is
 
 >        slapo-<overlay name>
 
-Not all distributed overlays have a man page yet. Feel free to contribute one, 
-if you think you well understood the behavior of the component and the 
-implications of all the related configuration directives.
+All distributed core overlays have a man page. Feel free to contribute to any, 
+if you think there is anything missing in describing the behavior of the component 
+and the implications of all the related configuration directives.
 
 Official overlays are located in
 
 >        servers/slapd/overlays/
 
 That directory also contains the file slapover.txt, which describes the 
-rationale of the overlay implementation, and may serve as guideline for the 
+rationale of the overlay implementation, and may serve as a guideline for the 
 development of custom overlays.
 
 Contribware overlays are located in
@@ -45,13 +58,7 @@
 along with other types of run-time loadable components; they are officially 
 distributed, but not maintained by the project.
 
-They can be stacked on the frontend as well; this means that they can be 
-executed after a request is parsed and validated, but right before the 
-appropriate database is selected. The main purpose is to affect operations 
-regardless of the database they will be handled by, and, in some cases, 
-to influence the selection of the database by massaging the request DN. 
-
-All the current overlays in 2.4 are listed and described in detail in the 
+All the current overlays in OpenLDAP are listed and described in detail in the 
 following sections.
 
 
@@ -63,22 +70,160 @@
 This overlay can record accesses to a given backend database on another
 database.
 
+This allows all of the activity on a given database to be reviewed using arbitrary 
+LDAP queries, instead of just logging to local flat text files. Configuration 
+options are available for selecting a subset of operation types to log, and to 
+automatically prune older log records from the logging database. Log records 
+are stored with audit schema to assure their readability whether viewed as LDIF 
+or in raw form.
 
+It is also used for {{SECT:delta-syncrepl replication}}
+
 H3: Access Logging Configuration
 
+The following is a basic example that implements Access Logging:
 
+>        database bdb
+>        suffix dc=example,dc=com
+>        ...
+>        overlay accesslog
+>        logdb cn=log
+>        logops writes reads
+>        logold (objectclass=person)
+>        
+>        database bdb
+>        suffix cn=log
+>        ...
+>        index reqStart eq
+>        access to *
+>          by dn.base="cn=admin,dc=example,dc=com" read
+
+The following is an example used for {{SECT:delta-syncrepl replication}}:
+
+>        database hdb
+>        suffix cn=accesslog
+>        directory /usr/local/var/openldap-accesslog
+>        rootdn cn=accesslog
+>        index default eq
+>        index entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+Accesslog overlay definitions for the primary db
+
+>        database bdb
+>        suffix dc=example,dc=com
+>        ...
+>        overlay accesslog
+>        logdb cn=accesslog
+>        logops writes
+>        logsuccess TRUE
+>        # scan the accesslog DB every day, and purge entries older than 7 days
+>        logpurge 07+00:00 01+00:00
+
+An example search result against {{B:cn=accesslog}} might look like:
+
+>        [ghenry at suretec ghenry]# ldapsearch -x -b cn=accesslog
+>        # extended LDIF
+>        #
+>        # LDAPv3
+>        # base <cn=accesslog> with scope subtree
+>        # filter: (objectclass=*)
+>        # requesting: ALL
+>        #
+>        
+>        # accesslog
+>        dn: cn=accesslog
+>        objectClass: auditContainer
+>        cn: accesslog
+>        
+>        # 20080110163829.000004Z, accesslog
+>        dn: reqStart=20080110163829.000004Z,cn=accesslog
+>        objectClass: auditModify
+>        reqStart: 20080110163829.000004Z
+>        reqEnd: 20080110163829.000005Z
+>        reqType: modify
+>        reqSession: 196696
+>        reqAuthzID: cn=admin,dc=suretecsystems,dc=com
+>        reqDN: uid=suretec-46022f8$,ou=Users,dc=suretecsystems,dc=com
+>        reqResult: 0
+>        reqMod: sambaPwdCanChange:- ###CENSORED###
+>        reqMod: sambaPwdCanChange:+ ###CENSORED###
+>        reqMod: sambaNTPassword:- ###CENSORED###
+>        reqMod: sambaNTPassword:+ ###CENSORED###
+>        reqMod: sambaPwdLastSet:- ###CENSORED###
+>        reqMod: sambaPwdLastSet:+ ###CENSORED###
+>        reqMod: entryCSN:= 20080110163829.095157Z#000000#000#000000
+>        reqMod: modifiersName:= cn=admin,dc=suretecsystems,dc=com
+>        reqMod: modifyTimestamp:= 20080110163829Z
+>        
+>        # search result
+>        search: 2
+>        result: 0 Success
+>        
+>        # numResponses: 3
+>        # numEntries: 2
+
+For more information, please see {{slapo-accesslog(5)}} and the {{SECT:delta-syncrepl replication}} section.
+
+
 H2: Audit Logging
 
-This overlay records changes on a given backend database to an LDIF log
-file.
-   
-   
+The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.
+
 H3: Overview
 
+If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay {{B:slapo-auditlog (5)}}
+can be used. Full examples are available in the man page {{B:slapo-auditlog (5)}}
 
 H3: Audit Logging Configuration
 
+If the directory is running vi {{F:slapd.d}}, then the following LDIF could be used to add the overlay to the overlay list 
+in {{B:cn=config}} and set what file the {{TERM:LDIF}} gets logged to (adjust to suit)
 
+>       dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
+>       changetype: add
+>       objectClass: olcOverlayConfig
+>       objectClass: olcAuditLogConfig
+>       olcOverlay: auditlog
+>       olcAuditlogFile: /tmp/auditlog.ldif
+
+
+In this example for testing, we are logging changes to {{F:/tmp/auditlog.ldif}}
+
+A typical {{TERM:LDIF}} file created by {{B:slapo-auditlog (5)}} would look like:
+
+>       # add 1196797576 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+>       dn: dc=suretecsystems,dc=com
+>       changetype: add
+>       objectClass: dcObject
+>       objectClass: organization
+>       dc: suretecsystems
+>       o: Suretec Systems Ltd.
+>       structuralObjectClass: organization
+>       entryUUID: 1606f8f8-f06e-1029-8289-f0cc9d81e81a
+>       creatorsName: cn=admin,dc=suretecsystems,dc=com
+>       modifiersName: cn=admin,dc=suretecsystems,dc=com
+>       createTimestamp: 20051123130912Z
+>       modifyTimestamp: 20051123130912Z
+>       entryCSN: 20051123130912.000000Z#000001#000#000000
+>       auditContext: cn=accesslog
+>       # end add 1196797576
+>       
+>       # add 1196797577 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
+>       dn: ou=Groups,dc=suretecsystems,dc=com
+>       changetype: add
+>       objectClass: top
+>       objectClass: organizationalUnit
+>       ou: Groups
+>       structuralObjectClass: organizationalUnit
+>       entryUUID: 160aaa2a-f06e-1029-828a-f0cc9d81e81a
+>       creatorsName: cn=admin,dc=suretecsystems,dc=com
+>       modifiersName: cn=admin,dc=suretecsystems,dc=com
+>       createTimestamp: 20051123130912Z
+>       modifyTimestamp: 20051123130912Z
+>       entryCSN: 20051123130912.000000Z#000002#000#000000
+>       # end add 1196797577
+
+
 H2: Chaining
 
 
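Review bot: The delta-syncrepl `cn=accesslog` database added in this hunk has no `access` rule, unlike the first example, and the sample query against it is an unauthenticated `ldapsearch -x`. The log stores `reqMod` values (the sample output shows `sambaNTPassword` changes, censored by hand), and as far as I know slapd falls back to read access for everyone when a database has no access directives, so a copied config could expose credential material to any client. I would add a rule to that block in the form the first example already uses, `access to *` followed by `by dn.base="<replica bind DN>" read`, and show the search with an authenticated bind. The auditlog example has a related problem: `olcAuditlogFile: /tmp/auditlog.ldif` puts full change records in a world-writable directory, so even "for testing" a path in a directory owned by the slapd user is the safer thing to print. Minor: "running vi {{F:slapd.d}}" should read "via".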
@@ -93,7 +238,7 @@
 referrals by themselves.
 
 The chain overlay is built on top of the ldap backend; it is compiled by 
-default when --enable-ldap.
+default when {{B:--enable-ldap}}.
 
 
 H3: Chaining Configuration
@@ -101,8 +246,8 @@
 In order to demonstrate how this overlay works, we shall discuss a typical 
 scenario which might be one master server and three Syncrepl slaves. 
 
-On each replica, add this near the top of the file (global), before any database 
-definitions:
+On each replica, add this near the top of the {{slapd.conf}}(5) file
+(global), before any database definitions:
 
 >        overlay                    chain
 >        chain-uri                  "ldap://ldapmaster.example.com"
@@ -122,8 +267,10 @@
 bound to the slave will also exist on the master. If that DN does not have 
 update privileges on the master, nothing will happen.
 
-You will need to restart the slave after these changes. Then, if you are using 
-{{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
+You will need to restart the slave after these {{slapd.conf}} changes.
+Then, if you are using {{loglevel stats}} (256), you can monitor an
+{{ldapmodify}} on the slave and the master. (If you're using {{cn=config}}
+no restart is required.)
 
 Now start an {{ldapmodify}} on the slave and watch the logs. You should expect 
 something like:
@@ -173,25 +320,122 @@
 H3: Overview
 
 This overlay enforces a regular expression constraint on all values
-of specified attributes. It is used to enforce a more rigorous
-syntax when the underlying attribute syntax is too general.
+of specified attributes during an LDAP modify request that contains add or modify
+commands. It is used to enforce a more rigorous syntax when the underlying attribute 
+syntax is too general.
 
 
 H3: Constraint Configuration
+
+Configuration via {{slapd.conf}}(5) would look like:
+
+>        overlay constraint
+>        constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+>        constraint_attribute title uri
+>        ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+
+A specification like the above would reject any {{mail}} attribute which did not
+look like {{<alpha-numeric string>@mydomain.com}}.
+
+It would also reject any title attribute whose values were not listed in the 
+title attribute of any {{titleCatalog}} entries in the given scope.   
+
+An example for use with {{cn=config}}:
+
+>       dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
+>       changetype: add
+>       objectClass: olcOverlayConfig
+>       objectClass: olcConstraintConfig
+>       olcOverlay: constraint
+>       olcConstraintAttribute: mail regex ^[:alnum:]+ at mydomain.com$
+>       olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+
    
-   
 H2: Dynamic Directory Services
 
 
 H3: Overview
 
-This overlay supports dynamic objects, which have a limited life after
-which they expire and are automatically deleted.
-   
-   
+The {{dds}} overlay to {{slapd}}(8) implements dynamic objects as per {{REF:RFC2589}}.
+The name {{dds}} stands for Dynamic Directory Services. It allows to define 
+dynamic objects, characterized by the {{dynamicObject}} objectClass.
+
+Dynamic objects have a limited lifetime, determined by a time-to-live (TTL) 
+that can be refreshed by means of a specific refresh extended operation. This 
+operation allows to set the Client Refresh Period (CRP), namely the period 
+between refreshes that is required to preserve the dynamic object from expiration. 
+The expiration time is computed by adding the requested TTL to the current time.
+When dynamic objects reach the end of their lifetime without being further 
+refreshed, they are automatically {{deleted}}. There is no guarantee of immediate 
+deletion, so clients should not count on it.
+
 H3: Dynamic Directory Service Configuration
 
+A usage of dynamic objects might be to implement dynamic meetings; in this case, 
+all the participants to the meeting are allowed to refresh the meeting object, 
+but only the creator can delete it (otherwise it will be deleted when the TTL expires).
 
+If we add the overlay to an example database, specifying a Max TTL of 1 day, a 
+min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval
+of 120 (less than 60s might be too small) seconds between expiration checks and a 
+tolerance of 5 second (lifetime of a dynamic object will be {{entryTtl + tolerance}}).
+
+>       overlay dds
+>       dds-max-ttl     1d
+>       dds-min-ttl     10s
+>       dds-default-ttl 1h
+>       dds-interval    120s
+>       dds-tolerance   5s
+
+and add an index:
+
+>       entryExpireTimestamp
+
+Creating a meeting is as simple as adding the following:
+
+>       dn: cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com
+>       objectClass: groupOfNames
+>       objectClass: dynamicObject
+>       cn: OpenLDAP Documentation Meeting
+>       member: uid=ghenry,ou=People,dc=example,dc=com
+>       member: uid=hyc,ou=People,dc=example,dc=com
+
+H4: Dynamic Directory Service ACLs
+
+Allow users to start a meeting and to join it; restrict refresh to the {{member}}; 
+restrict delete to the creator:
+
+>       access to attrs=userPassword
+>          by self write
+>          by * read
+>       
+>       access to dn.base="ou=Meetings,dc=example,dc=com"
+>                 attrs=children
+>            by users write
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=entry
+>            by dnattr=creatorsName write
+>            by * read
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=participant
+>            by dnattr=creatorsName write
+>            by users selfwrite
+>            by * read
+>       
+>       access to dn.onelevel="ou=Meetings,dc=example,dc=com"
+>                 attrs=entryTtl
+>            by dnattr=member manage
+>            by * read
+
+In simple terms, the user who created the {{OpenLDAP Documentation Meeting}} can add new attendees, 
+refresh the meeting using (basically complete control):
+
+>       ldapexop -x -H ldap://ldaphost "refresh" "cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com" "120" -D "uid=ghenry,ou=People,dc=example,dc=com" -W
+
+Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.
+
 H2: Dynamic Groups
 
 
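Review bot: The first rule in the DDS ACL example, `access to attrs=userPassword` with `by * read`, lets every client, anonymous ones included, read password values; it is unrelated to dynamic objects and will be copied verbatim from the guide. The usual form is `by self write`, `by anonymous auth`, `by * none`. The rule on `attrs=participant` also does not match the `member` attribute used by the sample meeting entry and by the `entryTtl` rule, so joining a meeting appears not to be governed by it as written. In the constraint examples, `^[:alnum:]+` is a bracket expression matching the literal characters `:alnum`, not the POSIX class; it should be `[[:alnum:]]+` with the dot escaped as `\.`, otherwise the overlay accepts and rejects the wrong values (the " at " in the pattern looks like archive address obfuscation rather than the author's text).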
@@ -230,7 +474,7 @@
 has to be a subtype of {{F:labeledURI}}. The attributes and values present in
 the search result are added to the entry unless {{F:member-ad}} is used (see
 below).
-* {{F:member-ad}}: if present, changes the overlay behaviour into a dynamic group.
+* {{F:member-ad}}: if present, changes the overlay behavior into a dynamic group.
 Instead of inserting the results of the search in the entry, the distinguished name
 of the results are added as values of this attribute.
 
@@ -275,7 +519,7 @@
 >       objectClass: groupOfNames
 >       labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 
-The behaviour is similar to the dynamic list configuration we had before:
+The behavior is similar to the dynamic list configuration we had before:
 whenever an entry with the {{F:groupOfNames}} object class is retrieved, the
 search specified in the {{F:labeledURI}} attribute is performed. But this time,
 only the distinguished names of the results are added, and as values of the
@@ -285,7 +529,7 @@
 !import "allusersgroup-en.png"; align="center"; title="Dynamic group for all users"
 FT[align="Center"] Figure X.Y: Dynamic Group for all users
 
-Note that a side effect of this scheme of dymamic groups is that the members
+Note that a side effect of this scheme of dynamic groups is that the members
 need to be specified as full DNs. So, if you are planning in using this for
 {{F:posixGroup}}s, be sure to use RFC2307bis and some attribute which can hold
 distinguished names. The {{F:memberUid}} attribute used in the {{F:posixGroup}}
@@ -520,14 +764,113 @@
 
 H3: Overview
 
-This overlay provides a variety of password control mechanisms,
-e.g. password aging, password reuse and duplication control, mandatory
-password resets, etc.
+This overlay follows the specifications contained in the draft RFC titled 
+draft-behera-ldap-password-policy-09. While the draft itself is expired, it has 
+been implemented in several directory servers, including slapd. Nonetheless, 
+it is important to note that it is a draft, meaning that it is subject to change 
+and is a work-in-progress.
 
+The key abilities of the password policy overlay are as follows:
 
+* Enforce a minimum length for new passwords
+* Make sure passwords are not changed too frequently
+* Cause passwords to expire, provide warnings before they need to be changed, and allow a fixed number of 'grace' logins to allow them to be changed after they have expired
+* Maintain a history of passwords to prevent password re-use
+* Prevent password guessing by locking a password for a specified period of time after repeated authentication failures
+* Force a password to be changed at the next authentication
+* Set an administrative lock on an account
+* Support multiple password policies on a default or a per-object basis.
+* Perform arbitrary quality checks using an external loadable module. This is a non-standard extension of the draft RFC.
+
+
 H3: Password Policy Configuration
 
+Instantiate the module in the database where it will be used, after adding the 
+new ppolicy schema and loading the ppolicy module. The following example shows 
+the ppolicy module being added to the database that handles the naming 
+context "dc=example,dc=com". In this example we are also specifying the DN of 
+a policy object to use if none other is specified in a user's object.
 
+>       database bdb
+>       suffix "dc=example,dc=com"
+>       [...additional database configuration directives go here...]
+>       
+>       overlay ppolicy
+>       ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
+
+
+Now we need a container for the policy objects. In our example the password 
+policy objects are going to be placed in a section of the tree called 
+"ou=policies,dc=example,dc=com":
+
+>       dn: ou=policies,dc=example,dc=com
+>       objectClass: organizationalUnit
+>       objectClass: top
+>       ou: policies
+
+
+The default policy object that we are creating defines the following policies:
+
+* The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).
+* The name of the password attribute is "userPassword" (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.
+* The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).
+* When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.
+* When the password for a DN has expired, the server will allow five additional "grace" logins (pwdGraceAuthNLimit: 5).
+* The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).
+* The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).
+* When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0)
+* The server will reset its failed bind count after a period of 30 seconds.
+* Passwords will not expire (pwdMaxAge: 0).
+* Passwords can be changed as often as desired (pwdMinAge: 0).
+* Passwords must be at least 5 characters in length (pwdMinLength: 5).
+* The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE)
+* The current password does not need to be included with password change requests (pwdSafeModify: FALSE)
+* The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).
+
+
+The actual policy would be:
+
+>       dn: cn=default,ou=policies,dc=example,dc=com
+>       cn: default
+>       objectClass: pwdPolicy
+>       objectClass: person
+>       objectClass: top
+>       pwdAllowUserChange: TRUE
+>       pwdAttribute: userPassword
+>       pwdCheckQuality: 2
+>       pwdExpireWarning: 600
+>       pwdFailureCountInterval: 30
+>       pwdGraceAuthNLimit: 5
+>       pwdInHistory: 5
+>       pwdLockout: TRUE
+>       pwdLockoutDuration: 0
+>       pwdMaxAge: 0
+>       pwdMaxFailure: 5
+>       pwdMinAge: 0
+>       pwdMinLength: 5
+>       pwdMustChange: FALSE
+>       pwdSafeModify: FALSE
+>       sn: dummy value
+
+You can create additional policy objects as needed. 
+
+
+There are two ways password policy can be applied to individual objects:
+
+1. The pwdPolicySubentry in a user's object - If a user's object has a
+pwdPolicySubEntry attribute specifying the DN of a policy object, then 
+the policy defined by that object is applied.
+
+2. Default password policy - If there is no specific pwdPolicySubentry set
+for an object, and the password policy module was configured with the DN of a
+default policy object and if that object exists, then the policy defined in
+that object is applied.
+
+Please see {{slapo-ppolicy(5)}} for complete explanations of features and discussion of
+ "Password Management Issues" at {{URL:http://www.connexitor.com/forums/viewtopic.php?f=6&t=25}}
+
+
+
 H2: Referential Integrity
 
 
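Review bot: The sample default policy pairs `pwdFailureCountInterval: 30` with `pwdMaxFailure: 5` and `pwdLockoutDuration: 0`, and the bullet list presents these values without any caveat. As the bullets themselves describe it, the failure count resets after 30 seconds while a lock stays until an administrator clears it, so the lockout only triggers on five failures inside a half-minute window, yet once triggered it keeps a legitimate user out indefinitely. I would add a sentence after "The actual policy would be:" saying the values are illustrative and that the failure interval, lockout duration and `pwdMinLength: 5` should be set to the site's own policy. The bullet "The server will reset its failed bind count after a period of 30 seconds." is also the only one that omits its attribute; append `(pwdFailureCountInterval: 30)`.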
@@ -678,7 +1021,15 @@
 
 H3: Overview
 
+Overlays can be stacked, which means that more than one overlay
+can be instantiated for each database, or for the {{EX:frontend}}.
+As a consequence, each overlays function is called, if defined,
+when overlay execution is invoked.
+Multiple overlays are executed in reverse order (as a stack)
+with respect to their definition in slapd.conf (5), or with respect
+to their ordering in the config database, as documented in slapd-config (5).
 
+
 H3: Example Scenarios
 
 

Modified: openldap/trunk/doc/guide/admin/preface.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/preface.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/preface.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/preface.sdf,v 1.25.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 # 
 

Modified: openldap/trunk/doc/guide/admin/quickstart.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/quickstart.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/quickstart.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/quickstart.sdf,v 1.44.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/quickstart.sdf,v 1.44.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: A Quick-Start Guide

Modified: openldap/trunk/doc/guide/admin/referrals.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/referrals.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/referrals.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/referrals.sdf,v 1.25.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/referrals.sdf,v 1.25.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Constructing a Distributed Directory Service

Modified: openldap/trunk/doc/guide/admin/replication.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/replication.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/replication.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/replication.sdf,v 1.32.2.9 2007/12/10 15:31:27 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/replication.sdf,v 1.32.2.15 2008/04/21 17:10:13 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Replication
@@ -10,14 +10,11 @@
 {{PRD:OpenLDAP}} has various configuration options for creating a replicated 
 directory. The following sections will discuss these.
 
-H2: Replication Strategies
+H2: Push Based
 
 
-H3: Push Based
+H3: Replacing Slurpd
 
-
-H5: Replacing Slurpd
-
 {{Slurpd}} replication has been deprecated in favor of Syncrepl replication and 
 has been completely removed from OpenLDAP 2.4.
 
@@ -131,72 +128,10 @@
 {{slapd-ldap(8)}} tailoring your replication to fit your specific network 
 topology.
 
-H3: Pull Based
+H2: Pull Based
 
+H3: LDAP Sync Replication
 
-H4: syncrepl replication
-
-
-H4: delta-syncrepl replication
-
-
-H2: Replication Types
-
-
-H3: syncrepl replication
-
-
-H3: delta-syncrepl replication
-
-
-H3: N-Way Multi-Master replication
-
-Multi-Master replication is a replication technique using Syncrepl to replicate 
-data to multiple Master Directory servers. 
-
-* Advantages of Multi-Master replication:
-
-- If any master fails, other masters will continue to accept updates
-- Avoids a single point of failure
-- Masters can be located in several physical sites i.e. distributed across the 
-network/globe.
-- Good for Automatic failover/High Availability
-
-* Disadvantages of Multi-Master replication:
-
-- It has {{B:NOTHING}} to do with load balancing
-- {{URL:http://www.openldap.org/faq/data/cache/1240.html}}
-- If connectivity with a master is lost because of a network partition, then 
-"automatic failover" can just compound the problem
-- Typically, a particular machine cannot distinguish between losing contact
- with a peer because that peer crashed, or because the network link has failed
-- If a network is partitioned and multiple clients start writing to each of the 
-"masters" then reconciliation will be a pain; it may be best to simply deny 
-writes to the clients that are partitioned from the single master
-- Masters {{B:must}} propagate writes to {{B:all}} the other servers, which 
-means the network traffic and write load is constant and spreads across all 
-of the servers
-
-
-This is discussed in full in the {{SECT:N-Way Multi-Master}} section below
-
-H3: MirrorMode replication
-
-MirrorMode is a hybrid configuration that provides all of the consistency
-guarantees of single-master replication, while also providing the high
-availability of multi-master. In MirrorMode two masters are set up to
-replicate from each other (as a multi-master configuration) but an
-external frontend is employed to direct all writes to only one of
-the two servers. The second master will only be used for writes if
-the first master crashes, at which point the frontend will switch to
-directing all writes to the second master. When a crashed master is
-repaired and restarted it will automatically catch up to any changes
-on the running master and resync.
-
-This is discussed in full in the {{SECT:MirrorMode}} section below
-
-H2: LDAP Sync Replication
-
 The {{TERM:LDAP Sync}} Replication engine, {{TERM:syncrepl}} for
 short, is a consumer-side replication engine that enables the
 consumer {{TERM:LDAP}} server to maintain a shadow copy of a
@@ -253,7 +188,7 @@
 syncrepl replication connection.
 
 
-H3: The LDAP Content Synchronization Protocol
+H4: The LDAP Content Synchronization Protocol
 
 The LDAP Sync protocol allows a client to maintain a synchronized
 copy of a DIT fragment. The LDAP Sync operation is defined as a set
@@ -344,7 +279,7 @@
 synchronization control.
 
 
-H3: Syncrepl Details
+H4: Syncrepl Details
 
 The syncrepl engine utilizes both the {{refreshOnly}} and the
 {{refreshAndPersist}} operations of the LDAP Sync protocol.  If a
@@ -450,9 +385,131 @@
 but in {{refreshOnly}} mode the provider cannot detect and propagate
 this change without the use of the session log.
 
+For configuration, please see the {{SECT:Syncrepl}} section.
 
-H3: Configuring Syncrepl
 
+H3: Delta-syncrepl replication
+
+* Disadvantages of Syncrepl replication:
+
+OpenLDAP's syncrepl replication is an object-based replication mechanism. 
+When any attribute value in a replicated object is changed on the provider, 
+each consumer fetches and processes the complete changed object {B:both changed and unchanged attribute values}
+ during replication. This works well, but has drawbacks in some situations. 
+
+For example, suppose you have a database consisting of 100,000 objects of 1 KB 
+each. Further, suppose you routinely run a batch job to change the value of 
+a single two-byte attribute value that appears in each of the 100,000 objects 
+on the master. Not counting LDAP and TCP/IP protocol overhead, each time you 
+run this job each consumer will transfer and process {B:1 GB} of data to process 
+{B:200KB of changes! }
+
+99.98% of the data that is transmitted and processed in a case like this will 
+be redundant, since it represents values that did not change. This is a waste 
+of valuable transmission and processing bandwidth and can cause an unacceptable 
+replication backlog to develop. While this situation is extreme, it serves to 
+demonstrate a very real problem that is encountered in some LDAP deployments.
+
+
+* Where Delta-syncrepl comes in:
+
+Delta-syncrepl, a changelog-based variant of syncrepl, is designed to address 
+situations like the one described above. Delta-syncrepl works by maintaining a 
+changelog of a selectable depth on the provider. The replication consumer on 
+each consumer checks the changelog for the changes it needs and, as long as 
+the changelog contains the needed changes, the delta-syncrepl consumer fetches 
+them from the changelog and applies them to its database. If, however, a replica 
+is too far out of sync (or completely empty), conventional syncrepl is used to 
+bring it up to date and replication then switches to the delta-syncrepl mode.
+
+For configuration, please see the {{SECT:Delta-syncrepl}} section.
+
+
+H2: Mixture of both Pull and Push based
+
+H3: N-Way Multi-Master replication
+
+Multi-Master replication is a replication technique using Syncrepl to replicate 
+data to multiple Master Directory servers. 
+
+* Advantages of Multi-Master replication:
+
+- If any master fails, other masters will continue to accept updates
+- Avoids a single point of failure
+- Masters can be located in several physical sites i.e. distributed across the 
+network/globe.
+- Good for Automatic failover/High Availability
+
+* Disadvantages of Multi-Master replication:
+
+- It has {{B:NOTHING}} to do with load balancing
+- {{URL:http://www.openldap.org/faq/data/cache/1240.html}}
+- If connectivity with a master is lost because of a network partition, then 
+"automatic failover" can just compound the problem
+- Typically, a particular machine cannot distinguish between losing contact
+ with a peer because that peer crashed, or because the network link has failed
+- If a network is partitioned and multiple clients start writing to each of the 
+"masters" then reconciliation will be a pain; it may be best to simply deny 
+writes to the clients that are partitioned from the single master
+- Masters {{B:must}} propagate writes to {{B:all}} the other servers, which 
+means the network traffic and write load is constant and spreads across all 
+of the servers
+
+
+For configuration, please see the {{SECT:N-Way Multi-Master}} section below
+
+H3: MirrorMode replication
+
+MirrorMode is a hybrid configuration that provides all of the consistency
+guarantees of single-master replication, while also providing the high
+availability of multi-master. In MirrorMode two masters are set up to
+replicate from each other (as a multi-master configuration) but an
+external frontend is employed to direct all writes to only one of
+the two servers. The second master will only be used for writes if
+the first master crashes, at which point the frontend will switch to
+directing all writes to the second master. When a crashed master is
+repaired and restarted it will automatically catch up to any changes
+on the running master and resync.
+
+H4: Arguments for MirrorMode
+
+* Provides a high-availability (HA) solution for directory writes (replicas handle reads)
+* As long as one Master is operational, writes can safely be accepted
+* Master nodes replicate from each other, so they are always up to date and
+can be ready to take over (hot standby)
+* Syncrepl also allows the master nodes to re-synchronize after any downtime
+* Delta-Syncrepl can be used
+
+
+H4: Arguments against MirrorMode
+
+* MirrorMode is not what is termed as a Multi-Master solution. This is because 
+writes have to go to one of the mirror nodes at a time
+* MirrorMode can be termed as Active-Active Hot-Standby, therefor an external 
+server (slapd in proxy mode) or device (hardware load balancer) to manage which 
+master is currently active
+* While syncrepl can recover from a completely empty database, slapadd is much 
+faster
+* Does not provide faster or more scalable write performance (neither could 
+  any Multi-Master solution)
+* Backups are managed slightly differently
+- If backing up the Berkeley database itself and periodically backing up the 
+transaction log files, then the same member of the mirror pair needs to be 
+used to collect logfiles until the next database backup is taken 
+- To ensure that both databases are consistent, each database might have to be 
+put in read-only mode while performing a slapcat. 
+- When using slapcat, the generated LDIF files can be rather large. This can 
+happen with a non-MirrorMode deployment also.
+
+For configuration, please see the {{SECT:MirrorMode}} section below
+
+
+H2: Configuring the different replication types
+
+H3: Syncrepl
+
+H4: Syncrepl configuration
+
 Because syncrepl is a consumer-side replication engine, the syncrepl
 specification is defined in {{slapd.conf}}(5) of the consumer
 server, not in the provider server's configuration file.  The initial
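Review bot: The worked example in the added Delta-syncrepl text does not add up: 100,000 objects of 1 KB each is roughly 100 MB, not the `1 GB` stated, and 200 KB of changes against 100 MB makes about 99.8% of the transfer redundant rather than `99.98%`. Either change the object size to 10 KB or correct the two figures so they agree. The bold markers in the same paragraphs are written `{B:...}` with single braces, whereas the rest of the file uses `{{B:...}}` (for example `{{B:NOTHING}}`), so they will probably not render as intended.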
@@ -597,46 +654,216 @@
 cookie stored in the consumer replica database.
 
 
-H2: N-Way Multi-Master
+H3: Delta-syncrepl
 
-Import and expand from link:
+H4: Delta-syncrepl Master configuration
 
-{{URL:http://blog.suretecsystems.com/archives/40-OpenLDAP-Weekly-News-Issue-5.html#extended}}
+Setting up delta-syncrepl requires configuration changes on both the master and 
+replica servers:
 
-H2: MirrorMode
+>     # Give the replica DN unlimited read access.  This ACL may need to be
+>     # merged with other ACL statements.
+>     
+>     access to *
+>        by dn.base="cn=replicator,dc=symas,dc=com" read
+>        by * break
+>     
+>     # Set the module path location
+>     modulepath /opt/symas/lib/openldap
+>     
+>     # Load the hdb backend
+>     moduleload back_hdb.la
+>     
+>     # Load the accesslog overlay
+>     moduleload accesslog.la
+>     
+>     #Load the syncprov overlay
+>     moduleload syncprov.la
+>     
+>     # Accesslog database definitions
+>     database hdb
+>     suffix cn=accesslog
+>     directory /db/accesslog
+>     rootdn cn=accesslog
+>     index default eq
+>     index entryCSN,objectClass,reqEnd,reqResult,reqStart
+>     
+>     overlay syncprov
+>     syncprov-nopresent TRUE
+>     syncprov-reloadhint TRUE
+>     
+>     # Let the replica DN have limitless searches
+>     limits dn.exact="cn=replicator,dc=symas,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+>     
+>     # Primary database definitions
+>     database hdb
+>     suffix "dc=symas,dc=com"
+>     rootdn "cn=manager,dc=symas,dc=com"
+>     
+>     ## Whatever other configuration options are desired
+>     
+>     # syncprov specific indexing
+>     index entryCSN eq
+>     index entryUUID eq
+>     
+>     # syncrepl Provider for primary db
+>     overlay syncprov
+>     syncprov-checkpoint 1000 60
+>     
+>     # accesslog overlay definitions for primary db
+>     overlay accesslog
+>     logdb cn=accesslog
+>     logops writes
+>     logsuccess TRUE
+>     # scan the accesslog DB every day, and purge entries older than 7 days
+>     logpurge 07+00:00 01+00:00
+>     
+>     # Let the replica DN have limitless searches
+>     limits dn.exact="cn=replicator,dc=symas,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
 
-H3: Arguments for MirrorMode
+For more information, always consult the relevant man pages (slapo-accesslog and slapd.conf)
 
-* Provides a high-availability (HA) solution for directory writes (replicas handle reads)
-* As long as one Master is operational, writes can safely be accepted
-* Master nodes replicate from each other, so they are always up to date and
-can be ready to take over (hot standby)
-* Syncrepl also allows the master nodes to re-synchronize after any downtime
-* Delta-Syncrepl can be used
 
+H4: Delta-syncrepl Replica configuration
 
-H3: Arguments against MirrorMode
+>     # Primary replica database configuration
+>     database hdb
+>     suffix "dc=symas,dc=com"
+>     rootdn "cn=manager,dc=symas,dc=com"
+>     
+>     ## Whatever other configuration bits for the replica, like indexing
+>     ## that you want
+>     
+>     # syncrepl specific indices
+>     index entryUUID eq
+>     
+>     # syncrepl directives
+>     syncrepl  rid=0
+>               provider=ldap://ldapmaster.symas.com:389
+>               bindmethod=simple
+>               binddn="cn=replicator,dc=symas,dc=com"
+>               credentials=secret
+>               searchbase="dc=symas,dc=com"
+>               logbase="cn=accesslog"
+>               logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
+>               schemachecking=on
+>               type=refreshAndPersist
+>               retry="60 +"
+>               syncdata=accesslog
+>     
+>     # Refer updates to the master
+>     updateref               ldap://ldapmaster.symas.com
 
-* MirrorMode is not what is termed as a Multi-Master solution. This is because 
-writes have to go to one of the mirror nodes at a time
-* MirrorMode can be termed as Active-Active Hot-Standby, therefor an external 
-server (slapd in proxy mode) or device (hardware load balancer) to manage which 
-master is currently active
-* While syncrepl can recover from a completely empty database, slapadd is much 
-faster
-* Does not provide faster or more scalable write performance (neither could 
-  any Multi-Master solution)
-* Backups are managed slightly differently
-- If backing up the Berkeley database itself and periodically backing up the 
-transaction log files, then the same member of the mirror pair needs to be 
-used to collect logfiles until the next database backup is taken 
-- To ensure that both databases are consistent, each database might have to be 
-put in read-only mode while performing a slapcat. 
-- When using slapcat, the generated LDIF files can be rather large. This can 
-happen with a non-MirrorMode deployment also.
 
-H3: MirrorMode Configuration
+The above configuration assumes that you have a replicator identity defined 
+in your database that can be used to bind to the master with. In addition, 
+all of the databases (primary master, primary replica, and the accesslog 
+storage database) should also have properly tuned {{DB_CONFIG}} files that meet 
+your needs.
 
+
+H3: N-Way Multi-Master
+
+For the following example we will be using 3 Master nodes. Keeping in line with
+{{B:test050-syncrepl-multimaster}} of the OpenLDAP test suite, we will be configuring
+{{slapd(8)}} via {{B:cn=config}}
+
+This sets up the config database:
+
+>     dn: cn=config
+>     objectClass: olcGlobal
+>     cn: config
+>     olcServerID: 1
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     objectClass: olcDatabaseConfig
+>     olcDatabase: {0}config
+>     olcRootPW: secret
+
+second and third servers will have a different olcServerID obviously:
+
+>     dn: cn=config
+>     objectClass: olcGlobal
+>     cn: config
+>     olcServerID: 2
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     objectClass: olcDatabaseConfig
+>     olcDatabase: {0}config
+>     olcRootPW: secret
+
+This sets up syncrepl as a provider (since these are all masters):
+
+>     dn: cn=module,cn=config
+>     objectClass: olcModuleList
+>     cn: module
+>     olcModulePath: /usr/local/libexec/openldap
+>     olcModuleLoad: syncprov.la
+
+Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
+
+>     dn: cn=config
+>     changetype: modify
+>     replace: olcServerID
+>     olcServerID: 1 $URI1
+>     olcServerID: 2 $URI2
+>     olcServerID: 3 $URI3
+>     
+>     dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+>     changetype: add
+>     objectClass: olcOverlayConfig
+>     objectClass: olcSyncProvConfig
+>     olcOverlay: syncprov
+>     
+>     dn: olcDatabase={0}config,cn=config
+>     changetype: modify
+>     add: olcSyncRepl
+>     olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
+>       credentials=secret searchbase="cn=config" type=refreshAndPersist
+>       retry="5 5 300 5" timeout=1
+>     -
+>     add: olcMirrorMode
+>     olcMirrorMode: TRUE
+
+Now start up the Master and a consumer/s, also add the above LDIF to the first consumer, second consumer etc. It will then replicate {{B:cn=config}}. You now have N-Way Multimaster on the config database.
+
+We still have to replicate the actual data, not just the config, so add to the master (all active and configured consumers/masters will pull down this config, as they are all syncing). Also, replace all {{${}}} variables with whatever is applicable to your setup:
+
+>     dn: olcDatabase={1}$BACKEND,cn=config
+>     objectClass: olcDatabaseConfig
+>     objectClass: olc${BACKEND}Config
+>     olcDatabase: {1}$BACKEND
+>     olcSuffix: $BASEDN
+>     olcDbDirectory: ./db
+>     olcRootDN: $MANAGERDN
+>     olcRootPW: $PASSWD
+>     olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
+>       credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+>       interval=00:00:00:10 retry="5 5 300 5" timeout=1
+>     olcMirrorMode: TRUE
+>     
+>     dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
+>     changetype: add
+>     objectClass: olcOverlayConfig
+>     objectClass: olcSyncProvConfig
+>     olcOverlay: syncprov
+
+Note: You must have all your server set to the same time via {{http://www.ntp.org/}}
+
+H3: MirrorMode
+
 MirrorMode configuration is actually very easy. If you have ever setup a normal
 slapd syncrepl provider, then the only change is the following two directives:
 
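Review bot: Every syncrepl example added in this hunk binds with `bindmethod=simple` and a literal `credentials=` value to a plain `ldap://` provider (for instance `provider=ldap://ldapmaster.symas.com:389` in the replica configuration, and the `olcSyncRepl` values in the N-Way section), and the text never mentions transport protection. A simple bind over `ldap://` carries the replication password and the replicated entries unencrypted, so the section should say that production setups use an `ldaps://` provider or add `starttls=critical` to the syncrepl directive. The N-Way examples also store `olcRootPW: secret` in clear and replicate by binding as `cn=config`; a sentence noting that `secret` is a placeholder and that the stored value should be a hash produced by `slappasswd` would help readers who copy the LDIF.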
@@ -644,21 +871,35 @@
 >       serverID    1
 
 Note: You need to make sure that the {{serverID}} of each mirror node pair is 
-different and that the {{provider}} syncrepl directive points to the opposite 
-mirror node.
+different and add it as a global configuration option.
 
 H4: Mirror Node Configuration
 
-This is the same as the {{SECT:Set up the provider slapd}} section, reference
-{{SECT:delta-syncrepl replication}} if using {{delta-syncrepl}}.
+This is the same as the {{SECT:Set up the provider slapd}} section.
 
+Note: Delta-syncrepl is not yet supported with MirrorMode.
+
 Here's a specific cut down example using {{SECT:LDAP Sync Replication}} in
-{{refreshAndPersist}} mode ({{delta-syncrepl}} can be used also):
+{{refreshAndPersist}} mode:
 
 MirrorMode node 1:
 
+>       # Global section
+>       serverID    1
+>       # database section
+>       
 >       # syncrepl directives    
->       syncrepl      rid=1
+>       syncrepl      rid=001
+>                     provider=ldap://ldap-ridr1.example.com
+>                     bindmethod=simple
+>                     binddn="cn=mirrormode,dc=example,dc=com"
+>                     credentials=mirrormode
+>                     searchbase="dc=example,dc=com"
+>                     schemachecking=on
+>                     type=refreshAndPersist
+>                     retry="60 +"
+>
+>       syncrepl      rid=002
 >                     provider=ldap://ldap-rid2.example.com
 >                     bindmethod=simple
 >                     binddn="cn=mirrormode,dc=example,dc=com"
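Review bot: The added `provider=ldap://ldap-ridr1.example.com` in the `rid=001` stanza looks like a typo for `ldap-rid1.example.com`: the second stanza uses `ldap-rid2.example.com`, and the line this commit removes from the node 2 example read `provider=ldap://ldap-rid1.example.com`. The same spelling is added again in the node 2 example in the next hunk. A reader who copies the host pattern would point one mirror at a name that does not match its peer, so I would change both lines to `provider=ldap://ldap-rid1.example.com`. The node 1 example continues past the end of this hunk.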
@@ -669,13 +910,16 @@
 >                     retry="60 +"
 >       
 >       mirrormode on
->       serverID    1
 
 MirrorMode node 2:
 
+>       # Global section
+>       serverID    2
+>       # database section
+>       
 >       # syncrepl directives
->       syncrepl      rid=1
->                     provider=ldap://ldap-rid1.example.com
+>       syncrepl      rid=001
+>                     provider=ldap://ldap-ridr1.example.com
 >                     bindmethod=simple
 >                     binddn="cn=mirrormode,dc=example,dc=com"
 >                     credentials=mirrormode
@@ -683,15 +927,23 @@
 >                     schemachecking=on
 >                     type=refreshAndPersist
 >                     retry="60 +"
+>
+>       syncrepl      rid=002
+>                     provider=ldap://ldap-rid2.example.com
+>                     bindmethod=simple
+>                     binddn="cn=mirrormode,dc=example,dc=com"
+>                     credentials=mirrormode
+>                     searchbase="dc=example,dc=com"
+>                     schemachecking=on
+>                     type=refreshAndPersist
+>                     retry="60 +"
 >       
 >       mirrormode on
->       serverID    2
 
 It's simple really; each MirrorMode node is setup {{B:exactly}} the same, except
-that the {{B:provider}} directive is set to point to the other MirrorMode node
-and the {{serverID}} is unique.
+that the {{serverID}} is unique.
 
-H4: Failover Configuration
+H5: Failover Configuration
 
 There are generally 2 choices for this; 1.  Hardware proxies/load-balancing or 
 dedicated proxy software, 2. using a Back-LDAP proxy as a syncrepl provider
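Review bot: The `rid=002` stanza added here for node 2 binds with `bindmethod=simple` and a literal `credentials=` value to an `ldap://` provider with no `starttls` setting, so a reader who copies the example would send the replication password unprotected. The same applies to the other syncrepl stanzas of this example in the preceding hunks, where the node 2 block also starts. This revision documents `starttls=yes|critical` in slapdconfig.sdf, so adding `>                     starttls=critical` to each stanza would keep the example in line with the guide's own advice on simple authentication. Separately, `ldap-ridr1.example.com` in the `rid=001` provider lines looks like a typo for `ldap-rid1.example.com`, the name used by the line it replaces.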
@@ -701,13 +953,13 @@
 !import "dual_dc.png"; align="center"; title="MirrorMode Enterprise Configuration"
 FT[align="Center"] Figure X.Y: MirrorMode in a Dual Data Center Configuration
 
-H4: Normal Consumer Configuration
+H5: Normal Consumer Configuration
 
 This is exactly the same as the {{SECT:Set up the consumer slapd}} section. It
 can either setup in normal {{SECT:syncrepl replication}} mode, or in 
 {{SECT:delta-syncrepl replication}} mode.
 
-H3: MirrorMode Summary
+H4: MirrorMode Summary
 
 Hopefully you will now have a directory architecture that provides all of the 
 consistency guarantees of single-master replication, whilst also providing the 

Modified: openldap/trunk/doc/guide/admin/runningslapd.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/runningslapd.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/runningslapd.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/runningslapd.sdf,v 1.16.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/runningslapd.sdf,v 1.16.2.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Running slapd
 

Modified: openldap/trunk/doc/guide/admin/sasl.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/sasl.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/sasl.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.6 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.7 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Using SASL

Modified: openldap/trunk/doc/guide/admin/schema.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/schema.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/schema.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/schema.sdf,v 1.41.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/schema.sdf,v 1.41.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Schema Specification

Modified: openldap/trunk/doc/guide/admin/security.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/security.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/security.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.5 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/security.sdf,v 1.16.2.6 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Security Considerations

Copied: openldap/trunk/doc/guide/admin/set-following-references.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-following-references.png)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/set-memberUid.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-memberUid.png)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/admin/set-recursivegroup.png (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/admin/set-recursivegroup.png)
===================================================================
(Binary files differ)

Modified: openldap/trunk/doc/guide/admin/slapdconf2.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/slapdconf2.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/slapdconf2.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/slapdconf2.sdf,v 1.20.2.9 2007/11/27 20:31:23 quanah Exp $
-# Copyright 2005-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/slapdconf2.sdf,v 1.20.2.12 2008/04/14 22:37:01 quanah Exp $
+# Copyright 2005-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Configuring slapd
@@ -399,8 +399,7 @@
 This directive grants access (specified by <accesslevel>) to a
 set of entries and/or attributes (specified by <what>) by one or
 more requestors (specified by <who>).
-See the {{SECT:Access Control}} section of this chapter for a
-summary of basic usage.
+See the {{SECT:Access Control}} section of this guide for basic usage.
 
 !if 0
 More detailed discussion of this directive can be found in the
@@ -777,7 +776,8 @@
 checkpointed and they are no longer needed. Without this setting the
 transaction log files will continue to accumulate until some other
 cleanup procedure removes them. See the Berkeley DB documentation for the
-{{EX:db_archive}} command for details.
+{{EX:db_archive}} command for details. For a complete list of Berkeley DB 
+flags please see - {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set_flags.html}}
 
 Ideally the BDB cache must be
 at least as large as the working set of the database, the log buffer size
@@ -946,534 +946,3 @@
 >olcDbConfig: set_flags DB_LOG_AUTOREMOVE
 >olcDbIDLcacheSize: 3000
 >olcDbIndex: objectClass eq
-
-
-H2: Access Control
-
-Access to slapd entries and attributes is controlled by the
-olcAccess attribute, whose values are a sequence of access directives.
-The general form of the olcAccess configuration is:
-
->	olcAccess: <access directive>
->	<access directive> ::= to <what>
->		[by <who> [<access>] [<control>] ]+
->	<what> ::= * |
->		[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
->		[filter=<ldapfilter>] [attrs=<attrlist>]
->	<basic-style> ::= regex | exact
->	<scope-style> ::= base | one | subtree | children
->	<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
->	<attr> ::= <attrname> | entry | children
->	<who> ::= * | [anonymous | users | self
->			| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
->		[dnattr=<attrname>]
->		[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
->		[peername[.<basic-style>]=<regex>]
->		[sockname[.<basic-style>]=<regex>]
->		[domain[.<basic-style>]=<regex>]
->		[sockurl[.<basic-style>]=<regex>]
->		[set=<setspec>]
->		[aci=<attrname>]
->	<access> ::= [self]{<level>|<priv>}
->	<level> ::= none | disclose | auth | compare | search | read | write | manage
->	<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
->	<control> ::= [stop | continue | break]
-
-where the <what> part selects the entries and/or attributes to which
-the access applies, the {{EX:<who>}} part specifies which entities
-are granted access, and the {{EX:<access>}} part specifies the
-access granted. Multiple {{EX:<who> <access> <control>}} triplets
-are supported, allowing many entities to be granted different access
-to the same set of entries and attributes. Not all of these access
-control options are described here; for more details see the
-{{slapd.access}}(5) man page.
-
-
-H3: What to control access to
-
-The <what> part of an access specification determines the entries
-and attributes to which the access control applies.  Entries are
-commonly selected in two ways: by DN and by filter.  The following
-qualifiers select entries by DN:
-
->	to *
->	to dn[.<basic-style>]=<regex>
->	to dn.<scope-style>=<DN>
-
-The first form is used to select all entries.  The second form may
-be used to select entries by matching a regular expression against
-the target entry's {{normalized DN}}.   (The second form is not
-discussed further in this document.)  The third form is used to
-select entries which are within the requested scope of DN.  The
-<DN> is a string representation of the Distinguished Name, as
-described in {{REF:RFC4514}}.
-
-The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
-or {{EX:children}}.  Where {{EX:base}} matches only the entry with
-provided DN, {{EX:one}} matches the entries whose parent is the
-provided DN, {{EX:subtree}} matches all entries in the subtree whose
-root is the provided DN, and {{EX:children}} matches all entries
-under the DN (but not the entry named by the DN).
-
-For example, if the directory contained entries named:
-
->	0: o=suffix
->	1: cn=Manager,o=suffix
->	2: ou=people,o=suffix
->	3: uid=kdz,ou=people,o=suffix
->	4: cn=addresses,uid=kdz,ou=people,o=suffix
->	5: uid=hyc,ou=people,o=suffix
-
-\Then:
-. {{EX:dn.base="ou=people,o=suffix"}} match 2;
-. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
-. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
-. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
-
-
-Entries may also be selected using a filter:
-
->	to filter=<ldap filter>
-
-where <ldap filter> is a string representation of an LDAP
-search filter, as described in {{REF:RFC4515}}.  For example:
-
->	to filter=(objectClass=person)
-
-Note that entries may be selected by both DN and filter by
-including both qualifiers in the <what> clause.
-
->	to dn.one="ou=people,o=suffix" filter=(objectClass=person)
-
-Attributes within an entry are selected by including a comma-separated
-list of attribute names in the <what> selector:
-
->	attrs=<attribute list>
-
-A specific value of an attribute is selected by using a single
-attribute name and also using a value selector:
-
->	attrs=<attribute> val[.<style>]=<regex>
-
-There are two special {{pseudo}} attributes {{EX:entry}} and
-{{EX:children}}.  To read (and hence return) a target entry, the
-subject must have {{EX:read}} access to the target's {{entry}}
-attribute.  To add or delete an entry, the subject must have
-{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
-have {{EX:write}} access to the entry's parent's {{EX:children}}
-attribute.  To rename an entry, the subject must have {{EX:write}}
-access to entry's {{EX:entry}} attribute AND have {{EX:write}}
-access to both the old parent's and new parent's {{EX:children}}
-attributes.  The complete examples at the end of this section should
-help clear things up.
-
-Lastly, there is a special entry selector {{EX:"*"}} that is used to
-select any entry.  It is used when no other {{EX:<what>}}
-selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
-
-
-H3: Who to grant access to
-
-The <who> part identifies the entity or entities being granted
-access. Note that access is granted to "entities" not "entries."
-The following table summarizes entity specifiers:
-
-!block table; align=Center; coltags="EX,N"; \
-	title="Table 5.3: Access Entity Specifiers"
-Specifier|Entities
-*|All, including anonymous and authenticated users
-anonymous|Anonymous (non-authenticated) users
-users|Authenticated users
-self|User associated with target entry
-dn[.<basic-style>]=<regex>|Users matching a regular expression
-dn.<scope-style>=<DN>|Users within scope of a DN
-!endblock
-
-The DN specifier behaves much like <what> clause DN specifiers.
-
-Other control factors are also supported.  For example, a {{EX:<who>}}
-can be restricted by an entry listed in a DN-valued attribute in
-the entry to which the access applies:
-
->	dnattr=<dn-valued attribute name>
-
-The dnattr specification is used to give access to an entry
-whose DN is listed in an attribute of the entry (e.g., give
-access to a group entry to whoever is listed as the owner of
-the group entry).
-
-Some factors may not be appropriate in all environments (or any).
-For example, the domain factor relies on IP to domain name lookups.
-As these can easily be spoofed, the domain factor should be avoided.
-
-
-H3: The access to grant
-
-The kind of <access> granted can be one of the following:
-
-!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
-	title="Table 5.4: Access Levels"
-Level		Privileges	Description
-none		=0			no access
-disclose	=d			needed for information disclosure on error
-auth		=dx			needed to authenticate (bind)
-compare		=cdx		needed to compare
-search		=scdx		needed to apply search filters
-read		=rscdx		needed to read search results
-write		=wrscdx		needed to modify/rename
-manage		=mwrscdx	needed to manage
-!endblock
-
-Each level implies all lower levels of access. So, for example,
-granting someone {{EX:write}} access to an entry also grants them
-{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
-{{EX:disclose}} access.  However, one may use the privileges specifier
-to grant specific permissions.
-
-
-H3: Access Control Evaluation
-
-When evaluating whether some requester should be given access to
-an entry and/or attribute, slapd compares the entry and/or attribute
-to the {{EX:<what>}} selectors given in the configuration.  For
-each entry, access controls provided in the database which holds
-the entry (or the first database if not held in any database) apply
-first, followed by the global access directives (which are held in
-the {{EX:frontend}} database definition).  Within this priority,
-access directives are examined in the order in which they appear
-in the configuration attribute.  Slapd stops with the first
-{{EX:<what>}} selector that matches the entry and/or attribute. The
-corresponding access directive is the one slapd will use to evaluate
-access.
-
-Next, slapd compares the entity requesting access to the {{EX:<who>}}
-selectors within the access directive selected above in the order
-in which they appear. It stops with the first {{EX:<who>}} selector
-that matches the requester. This determines the access the entity
-requesting access has to the entry and/or attribute.
-
-Finally, slapd compares the access granted in the selected
-{{EX:<access>}} clause to the access requested by the client. If
-it allows greater or equal access, access is granted. Otherwise,
-access is denied.
-
-The order of evaluation of access directives makes their placement
-in the configuration file important. If one access directive is
-more specific than another in terms of the entries it selects, it
-should appear first in the configuration. Similarly, if one {{EX:<who>}}
-selector is more specific than another it should come first in the
-access directive. The access control examples given below should
-help make this clear.
-
-
-
-H3: Access Control Examples
-
-The access control facility described above is quite powerful.  This
-section shows some examples of its use for descriptive purposes.
-
-A simple example:
-
->	olcAccess: to * by * read
-
-This access directive grants read access to everyone.
-
->	olcAccess: to *
->		by self write
->		by anonymous auth
->		by * read
-
-This directive allows the user to modify their entry, allows anonymous
-to authenticate against these entries, and allows all others to
-read these entries.  Note that only the first {{EX:by <who>}} clause
-which matches applies.  Hence, the anonymous users are granted
-{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
-have been "{{EX:by users read}}".
-
-It is often desirable to restrict operations based upon the level
-of protection in place.  The following shows how security strength
-factors (SSF) can be used.
-
->	olcAccess: to *
->		by ssf=128 self write
->		by ssf=64 anonymous auth
->		by ssf=64 users read
-
-This directive allows users to modify their own entries if security
-protections of strength 128 or better have been established,
-allows authentication access to anonymous users, and read access
-when strength 64 or better security protections have been established.  If
-the client has not establish sufficient security protections, the
-implicit {{EX:by * none}} clause would be applied.
-
-The following example shows the use of style specifiers to select
-the entries by DN in two access directives where ordering is
-significant.
-
->	olcAccess: to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: to dn.children="dc=com"
-> 		by * read
-
-Read access is granted to entries under the {{EX:dc=com}} subtree,
-except for those entries under the {{EX:dc=example,dc=com}} subtree,
-to which search access is granted.  No access is granted to
-{{EX:dc=com}} as neither access directive matches this DN.  If the
-order of these access directives was reversed, the trailing directive
-would never be reached, since all entries under {{EX:dc=example,dc=com}}
-are also under {{EX:dc=com}} entries.
-
-Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
-<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:olcAccess: to * by * none}}
-directive.
-
-The next example again shows the importance of ordering, both of
-the access directives and the {{EX:by <who>}} clauses.  It also
-shows the use of an attribute selector to grant access to a specific
-attribute and various {{EX:<who>}} selectors.
-
->	olcAccess: to dn.subtree="dc=example,dc=com" attrs=homePhone
->		by self write
->		by dn.children=dc=example,dc=com" search
->		by peername.regex=IP:10\..+ read
->	olcAccess: to dn.subtree="dc=example,dc=com"
->		by self write
->		by dn.children="dc=example,dc=com" search
->		by anonymous auth
-
-This example applies to entries in the "{{EX:dc=example,dc=com}}"
-subtree. To all attributes except {{EX:homePhone}}, an entry can
-write to itself, entries under {{EX:example.com}} entries can search
-by them, anybody else has no access (implicit {{EX:by * none}})
-excepting for authentication/authorization (which is always done
-anonymously).  The {{EX:homePhone}} attribute is writable by the
-entry, searchable by entries under {{EX:example.com}}, readable by
-clients connecting from network 10, and otherwise not readable
-(implicit {{EX:by * none}}).  All other access is denied by the
-implicit {{EX:access to * by * none}}.
-
-Sometimes it is useful to permit a particular DN to add or
-remove itself from an attribute. For example, if you would like to
-create a group and allow people to add and remove only
-their own DN from the member attribute, you could accomplish
-it with an access directive like this:
-
->	olcAccess: to attrs=member,entry
-> 		by dnattr=member selfwrite
-
-The dnattr {{EX:<who>}} selector says that the access applies to
-entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
-selector says that such members can only add or delete their
-own DN from the attribute, not other values. The addition of
-the entry attribute is required because access to the entry is
-required to access any of the entry's attributes.
-
-
-
-H3: Access Control Ordering
-
-Since the ordering of {{EX:olcAccess}} directives is essential to their
-proper evaluation, but LDAP attributes normally do not preserve the
-ordering of their values, OpenLDAP uses a custom schema extension to
-maintain a fixed ordering of these values. This ordering is maintained
-by prepending a {{EX:"{X}"}} numeric index to each value, similarly to
-the approach used for ordering the configuration entries. These index
-tags are maintained automatically by slapd and do not need to be specified
-when originally defining the values. For example, when you create the
-settings
-
->	olcAccess: to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: to dn.children="dc=com"
-> 		by * read
-
-when you read them back using slapcat or ldapsearch they will contain
-
->	olcAccess: {0}to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: {1}to dn.children="dc=example,dc=com"
-> 		by * search
->	olcAccess: {2}to dn.children="dc=com"
-> 		by * read
-
-The numeric index may be used to specify a particular value to change
-when using ldapmodify to edit the access rules. This index can be used
-instead of (or in addition to) the actual access value. Using this 
-numeric index is very helpful when multiple access rules are being managed.
-
-For example, if we needed to change the second rule above to grant
-write access instead of search, we could try this LDIF:
-
->	changetype: modify
->	delete: olcAccess
->	olcAccess: to dn.children="dc=example,dc=com" by * search
->	-
->	add: olcAccess
->	olcAccess: to dn.children="dc=example,dc=com" by * write
->	-
-
-But this example {{B:will not}} guarantee that the existing values remain in
-their original order, so it will most likely yield a broken security
-configuration. Instead, the numeric index should be used:
-
->	changetype: modify
->	delete: olcAccess
->	olcAccess: {1}
->	-
->	add: olcAccess
->	olcAccess: {1}to dn.children="dc=example,dc=com" by * write
->	-
-
-This example deletes whatever rule is in value #1 of the {{EX:olcAccess}}
-attribute (regardless of its value) and adds a new value that is
-explicitly inserted as value #1. The result will be
-
->	olcAccess: {0}to attrs=member,entry
-> 		by dnattr=member selfwrite
->	olcAccess: {1}to dn.children="dc=example,dc=com"
-> 		by * write
->	olcAccess: {2}to dn.children="dc=com"
-> 		by * read
-
-which is exactly what was intended.
-
-!if 0
-For more details on how to use the {{EX:access}} directive,
-consult the {{Advanced Access Control}} chapter.
-!endif
-
-
-H2: Configuration Example
-
-The following is an example configuration, interspersed
-with explanatory text. It defines two databases to handle
-different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
-database instances. The line numbers shown are provided for
-reference only and are not included in the actual file. First, the
-global configuration section:
-
-E:  1.	# example config file - global configuration entry
-E:  2.	dn: cn=config
-E:  3.	objectClass: olcGlobal
-E:  4.	cn: config
-E:  5.	olcReferral: ldap://root.openldap.org
-E:  6.	
-
-Line 1 is a comment. Lines 2-4 identify this as the global
-configuration entry.
-The {{EX:olcReferral:}} directive on line 5
-means that queries not local to one of the databases defined
-below will be referred to the LDAP server running on the
-standard port (389) at the host {{EX:root.openldap.org}}.
-Line 6 is a blank line, indicating the end of this entry.
-
-E:  7.	# internal schema
-E:  8.	dn: cn=schema,cn=config
-E:  9.	objectClass: olcSchemaConfig
-E: 10.	cn: schema
-E: 11.	
-
-Line 7 is a comment. Lines 8-10 identify this as the root of
-the schema subtree. The actual schema definitions in this entry
-are hardcoded into slapd so no additional attributes are specified here.
-Line 11 is a blank line, indicating the end of this entry.
-
-E: 12.	# include the core schema
-E: 13.	include: file:///usr/local/etc/openldap/schema/core.ldif
-E: 14.	
-
-Line 12 is a comment. Line 13 is an LDIF include directive which
-accesses the {{core}} schema definitions in LDIF format. Line 14
-is a blank line.
-
-Next comes the database definitions. The first database is the
-special {{EX:frontend}} database whose settings are applied globally
-to all the other databases.
-
-E: 15.	# global database parameters
-E: 16.	dn: olcDatabase=frontend,cn=config
-E: 17.	objectClass: olcDatabaseConfig
-E: 18.	olcDatabase: frontend
-E: 19.	olcAccess: to * by * read
-E: 20.	
-
-Line 15 is a comment. Lines 16-18 identify this entry as the global
-database entry. Line 19 is a global access control. It applies to all
-entries (after any applicable database-specific access controls).
-
-The next entry defines a BDB backend that will handle queries for things
-in the "dc=example,dc=com" portion of the tree. Indices are to be maintained
-for several attributes, and the {{EX:userPassword}} attribute is to be
-protected from unauthorized access.
-
-E: 21.	# BDB definition for example.com
-E: 22.	dn: olcDatabase=bdb,cn=config
-E: 23.	objectClass: olcDatabaseConfig
-E: 24.	objectClass: olcBdbConfig
-E: 25.	olcDatabase: bdb
-E: 26.	olcSuffix: "dc=example,dc=com"
-E: 27.	olcDbDirectory: /usr/local/var/openldap-data
-E: 28.	olcRootDN: "cn=Manager,dc=example,dc=com"
-E: 29.	olcRootPW: secret
-E: 30.	olcDbIndex: uid pres,eq
-E: 31.	olcDbIndex: cn,sn,uid pres,eq,approx,sub
-E: 32.	olcDbIndex: objectClass eq
-E: 33.	olcAccess: to attrs=userPassword
-E: 34.	  by self write
-E: 35.	  by anonymous auth
-E: 36.	  by dn.base="cn=Admin,dc=example,dc=com" write
-E: 37.	  by * none
-E: 38.	olcAccess: to *
-E: 39.	  by self write
-E: 40.	  by dn.base="cn=Admin,dc=example,dc=com" write
-E: 41.	  by * read
-E: 42.	
-
-Line 21 is a comment. Lines 22-25 identify this entry as a BDB database
-configuration entry.  Line 26 specifies the DN suffix
-for queries to pass to this database. Line 27 specifies the directory
-in which the database files will live.
-
-Lines 28 and 29 identify the database {{super-user}} entry and associated
-password. This entry is not subject to access control or size or
-time limit restrictions.
-
-Lines 30 through 32 indicate the indices to maintain for various
-attributes.
-
-Lines 33 through 41 specify access control for entries in this
-database.  As this is the first database, the controls also apply
-to entries not held in any database (such as the Root DSE).  For
-all applicable entries, the {{EX:userPassword}} attribute is writable
-by the entry itself and by the "admin" entry.  It may be used for
-authentication/authorization purposes, but is otherwise not readable.
-All other attributes are writable by the entry and the "admin"
-entry, but may be read by all users (authenticated or not).
-
-Line 42 is a blank line, indicating the end of this entry.
-
-The next section of the example configuration file defines another
-BDB database. This one handles queries involving the
-{{EX:dc=example,dc=net}} subtree but is managed by the same entity
-as the first database.  Note that without line 52, the read access
-would be allowed due to the global access rule at line 19.
-
-E: 43.	# BDB definition for example.net
-E: 44.	dn: olcDatabase=bdb,cn=config
-E: 45.	objectClass: olcDatabaseConfig
-E: 46.	objectClass: olcBdbConfig
-E: 47.	olcDatabase: bdb
-E: 48.	olcSuffix: "dc=example,dc=net"
-E: 49.	olcDbDirectory: /usr/local/var/openldap-data-net
-E: 50.	olcRootDN: "cn=Manager,dc=example,dc=com"
-E: 51.	olcDbIndex: objectClass eq
-E: 52.	olcAccess: to * by users read
-
-
-H2: Converting from slapd.conf(8) to a {{B:cn=config}} directory format
-
-Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)

Modified: openldap/trunk/doc/guide/admin/slapdconfig.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/slapdconfig.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/slapdconfig.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/slapdconfig.sdf,v 1.87.2.11 2007/11/27 20:31:23 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/slapdconfig.sdf,v 1.87.2.14 2008/04/14 20:48:16 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: The slapd Configuration File
@@ -91,9 +91,8 @@
 
 This directive grants access (specified by <accesslevel>) to a set
 of entries and/or attributes (specified by <what>) by one or more
-requestors (specified by <who>).  See the {{SECT:The access
-Configuration Directive}} section of this chapter for a summary of
-basic usage.
+requestors (specified by <who>).  See the {{SECT:Access Control}} section of 
+this guide for basic usage.
 
 !if 0
 More details discussion of this directive can be found in the
@@ -367,6 +366,17 @@
 >		[credentials=<passwd>]
 >		[realm=<realm>]
 >		[secprops=<properties>]
+>		[starttls=yes|critical]
+>		[tls_cert=<file>]
+>		[tls_key=<file>]
+>		[tls_cacert=<file>]
+>		[tls_cacertdir=<path>]
+>		[tls_reqcert=never|allow|try|demand]
+>		[tls_ciphersuite=<ciphers>]
+>		[tls_crlcheck=none|peer|all]
+>		[logbase=<base DN>]
+>		[logfilter=<filter str>]
+>		[syncdata=default|accesslog|changelog]
 
 
 This directive specifies the current database as a replica of the
@@ -408,10 +418,10 @@
 to {{EX:sub}}, the {{EX:filter}} defaults to {{EX:(objectclass=*)}},
 {{EX:attrs}} defaults to {{EX:"*,+"}} to replicate all user and operational
 attributes, and {{EX:attrsonly}} is unset by default. Both {{EX:sizelimit}}
-and {{EX:timelimit}} default to "unlimited", and only integers
+and {{EX:timelimit}} default to "unlimited", and only positive integers
 or "unlimited" may be specified.
 
-The LDAP Content Synchronization protocol has two operation
+The {{TERM[expand]LDAP Sync}} protocol has two operation
 types: {{EX:refreshOnly}} and {{EX:refreshAndPersist}}.
 The operation type is specified by the {{EX:type}} parameter.
 In the {{EX:refreshOnly}} operation, the next synchronization search operation
@@ -419,7 +429,7 @@
 synchronization operation finishes. The interval is specified
 by the {{EX:interval}} parameter. It is set to one day by default.
 In the {{EX:refreshAndPersist}} operation, a synchronization search
-remains persistent in the provider slapd. Further updates to the
+remains persistent in the provider {{slapd}} instance. Further updates to the
 master replica will generate {{EX:searchResultEntry}} to the consumer slapd
 as the search responses to the persistent synchronization search.
 
@@ -447,7 +457,7 @@
 The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
 depending on whether simple password-based authentication or
 {{TERM:SASL}} authentication is to be used when connecting
-to the provider slapd.
+to the provider {{slapd}} instance.
 
 Simple authentication should not be used unless adequate data
 integrity and confidentiality protections are in place (e.g. TLS
@@ -465,13 +475,33 @@
 mechanisms authenticate the identity within. The {{EX:secprops}}
 parameter specifies Cyrus SASL security properties.
 
-The syncrepl replication mechanism is supported by the two primary
-database backends: back-bdb and back-hdb.
+The {{EX:starttls}} parameter specifies use of the StartTLS extended
+operation to establish a TLS session before authenticating to the provider.
+If the {{EX:critical}} argument is supplied, the session will be aborted
+if the StartTLS request fails.  Otherwise the syncrepl session continues
+without TLS.  Note that the main slapd TLS settings are not used by the
+syncrepl engine; by default the TLS parameters from a {{ldap.conf}}(5)
+configuration file will be used.  TLS settings may be specified here,
+in which case any {{ldap.conf}}(5) settings will be completely ignored.
 
-See the {{SECT:LDAP Sync Replication}} chapter of the admin guide
-for more information on how to use this directive.
+Rather than replicating whole entries, the consumer can query logs
+of data modifications.  This mode of operation is referred to as
+{{delta syncrepl}}.  In addition to the above parameters, the
+{{EX:logbase}} and {{EX:logfilter}} parameters must be set appropriately
+for the log that will be used. The {{EX:syncdata}} parameter must
+be set to either {{EX:"accesslog"}} if the log conforms to the
+{{slapo-accesslog}}(5) log format, or {{EX:"changelog"}} if the log
+conforms to the obsolete {{changelog}} format. If the {{EX:syncdata}}
+parameter is omitted or set to {{EX:"default"}} then the log
+parameters are ignored.
 
+The {{syncrepl}} replication mechanism is supported by the {{bdb}} and
+{{hdb}} backends.
 
+See the {{SECT:LDAP Sync Replication}} chapter of this guide for
+more information on how to use this directive.
+
+
 H4: updateref <URL>
 
 This directive is only applicable in a {{slave}} (or {{shadow}})
@@ -503,418 +533,3 @@
 \Default:
 
 >	directory /usr/local/var/openldap-data
-
-
-H2: The access Configuration Directive
-
-Access to entries and attributes is controlled by the
-access configuration file directive. The general form of an
-access line is:
-
->	<access directive> ::= access to <what>
->		[by <who> [<access>] [<control>] ]+
->	<what> ::= * |
->		[dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>]
->		[filter=<ldapfilter>] [attrs=<attrlist>]
->	<basic-style> ::= regex | exact
->	<scope-style> ::= base | one | subtree | children
->	<attrlist> ::= <attr> [val[.<basic-style>]=<regex>] | <attr> , <attrlist>
->	<attr> ::= <attrname> | entry | children
->	<who> ::= * | [anonymous | users | self
->			| dn[.<basic-style>]=<regex> | dn.<scope-style>=<DN>] 
->		[dnattr=<attrname>]
->		[group[/<objectclass>[/<attrname>][.<basic-style>]]=<regex>]
->		[peername[.<basic-style>]=<regex>]
->		[sockname[.<basic-style>]=<regex>]
->		[domain[.<basic-style>]=<regex>]
->		[sockurl[.<basic-style>]=<regex>]
->		[set=<setspec>]
->		[aci=<attrname>]
->	<access> ::= [self]{<level>|<priv>}
->	<level> ::= none | disclose | auth | compare | search | read | write | manage
->	<priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
->	<control> ::= [stop | continue | break]
-
-where the <what> part selects the entries and/or attributes to which
-the access applies, the {{EX:<who>}} part specifies which entities
-are granted access, and the {{EX:<access>}} part specifies the
-access granted. Multiple {{EX:<who> <access> <control>}} triplets
-are supported, allowing many entities to be granted different access
-to the same set of entries and attributes. Not all of these access
-control options are described here; for more details see the
-{{slapd.access}}(5) man page.
-
-
-H3: What to control access to
-
-The <what> part of an access specification determines the entries
-and attributes to which the access control applies.  Entries are
-commonly selected in two ways: by DN and by filter.  The following
-qualifiers select entries by DN:
-
->	to *
->	to dn[.<basic-style>]=<regex>
->	to dn.<scope-style>=<DN>
-
-The first form is used to select all entries.  The second form may
-be used to select entries by matching a regular expression against
-the target entry's {{normalized DN}}.   (The second form is not
-discussed further in this document.)  The third form is used to
-select entries which are within the requested scope of DN.  The
-<DN> is a string representation of the Distinguished Name, as
-described in {{REF:RFC4514}}.
-
-The scope can be either {{EX:base}}, {{EX:one}}, {{EX:subtree}},
-or {{EX:children}}.  Where {{EX:base}} matches only the entry with
-provided DN, {{EX:one}} matches the entries whose parent is the
-provided DN, {{EX:subtree}} matches all entries in the subtree whose
-root is the provided DN, and {{EX:children}} matches all entries
-under the DN (but not the entry named by the DN).
-
-For example, if the directory contained entries named:
-
->	0: o=suffix
->	1: cn=Manager,o=suffix
->	2: ou=people,o=suffix
->	3: uid=kdz,ou=people,o=suffix
->	4: cn=addresses,uid=kdz,ou=people,o=suffix
->	5: uid=hyc,ou=people,o=suffix
-
-\Then:
-. {{EX:dn.base="ou=people,o=suffix"}} match 2;
-. {{EX:dn.one="ou=people,o=suffix"}} match 3, and 5;
-. {{EX:dn.subtree="ou=people,o=suffix"}} match 2, 3, 4, and 5; and
-. {{EX:dn.children="ou=people,o=suffix"}} match 3, 4, and 5.
-
-
-Entries may also be selected using a filter:
-
->	to filter=<ldap filter>
-
-where <ldap filter> is a string representation of an LDAP
-search filter, as described in {{REF:RFC4515}}.  For example:
-
->	to filter=(objectClass=person)
-
-Note that entries may be selected by both DN and filter by
-including both qualifiers in the <what> clause.
-
->	to dn.one="ou=people,o=suffix" filter=(objectClass=person)
-
-Attributes within an entry are selected by including a comma-separated
-list of attribute names in the <what> selector:
-
->	attrs=<attribute list>
-
-A specific value of an attribute is selected by using a single
-attribute name and also using a value selector:
-
->	attrs=<attribute> val[.<style>]=<regex>
-
-There are two special {{pseudo}} attributes {{EX:entry}} and
-{{EX:children}}.  To read (and hence return) a target entry, the
-subject must have {{EX:read}} access to the target's {{entry}}
-attribute.  To add or delete an entry, the subject must have
-{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
-have {{EX:write}} access to the entry's parent's {{EX:children}}
-attribute.  To rename an entry, the subject must have {{EX:write}}
-access to entry's {{EX:entry}} attribute AND have {{EX:write}}
-access to both the old parent's and new parent's {{EX:children}}
-attributes.  The complete examples at the end of this section should
-help clear things up.
-
-Lastly, there is a special entry selector {{EX:"*"}} that is used to
-select any entry.  It is used when no other {{EX:<what>}}
-selector has been provided.  It's equivalent to "{{EX:dn=.*}}"
-
-
-H3: Who to grant access to
-
-The <who> part identifies the entity or entities being granted
-access. Note that access is granted to "entities" not "entries."
-The following table summarizes entity specifiers:
-
-!block table; align=Center; coltags="EX,N"; \
-	title="Table 6.3: Access Entity Specifiers"
-Specifier|Entities
-*|All, including anonymous and authenticated users
-anonymous|Anonymous (non-authenticated) users
-users|Authenticated users
-self|User associated with target entry
-dn[.<basic-style>]=<regex>|Users matching a regular expression
-dn.<scope-style>=<DN>|Users within scope of a DN
-!endblock
-
-The DN specifier behaves much like <what> clause DN specifiers.
-
-Other control factors are also supported.  For example, a {{EX:<who>}}
-can be restricted by an entry listed in a DN-valued attribute in
-the entry to which the access applies:
-
->	dnattr=<dn-valued attribute name>
-
-The dnattr specification is used to give access to an entry
-whose DN is listed in an attribute of the entry (e.g., give
-access to a group entry to whoever is listed as the owner of
-the group entry).
-
-Some factors may not be appropriate in all environments (or any).
-For example, the domain factor relies on IP to domain name lookups.
-As these can easily be spoofed, the domain factor should be avoided.
-
-
-H3: The access to grant
-
-The kind of <access> granted can be one of the following:
-
-!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
-	title="Table 6.4: Access Levels"
-Level		Privileges	Description
-none		=0			no access
-disclose	=d			needed for information disclosure on error
-auth		=dx			needed to authenticate (bind)
-compare		=cdx		needed to compare
-search		=scdx		needed to apply search filters
-read		=rscdx		needed to read search results
-write		=wrscdx		needed to modify/rename
-manage		=mwrscdx	needed to manage
-!endblock
-
-Each level implies all lower levels of access. So, for example,
-granting someone {{EX:write}} access to an entry also grants them
-{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
-{{EX:disclose}} access.  However, one may use the privileges specifier
-to grant specific permissions.
-
-
-H3: Access Control Evaluation
-
-When evaluating whether some requester should be given access to
-an entry and/or attribute, slapd compares the entry and/or attribute
-to the {{EX:<what>}} selectors given in the configuration file.
-For each entry, access controls provided in the database which holds
-the entry (or the first database if not held in any database) apply
-first, followed by the global access directives.  Within this
-priority, access directives are examined in the order in which they
-appear in the config file.  Slapd stops with the first {{EX:<what>}}
-selector that matches the entry and/or attribute. The corresponding
-access directive is the one slapd will use to evaluate access.
-
-Next, slapd compares the entity requesting access to the {{EX:<who>}}
-selectors within the access directive selected above in the order
-in which they appear. It stops with the first {{EX:<who>}} selector
-that matches the requester. This determines the access the entity
-requesting access has to the entry and/or attribute.
-
-Finally, slapd compares the access granted in the selected
-{{EX:<access>}} clause to the access requested by the client. If
-it allows greater or equal access, access is granted. Otherwise,
-access is denied.
-
-The order of evaluation of access directives makes their placement
-in the configuration file important. If one access directive is
-more specific than another in terms of the entries it selects, it
-should appear first in the config file. Similarly, if one {{EX:<who>}}
-selector is more specific than another it should come first in the
-access directive. The access control examples given below should
-help make this clear.
-
-
-
-H3: Access Control Examples
-
-The access control facility described above is quite powerful.  This
-section shows some examples of its use for descriptive purposes.
-
-A simple example:
-
->	access to * by * read
-
-This access directive grants read access to everyone.
-
->	access to *
->		by self write
->		by anonymous auth
->		by * read
-
-This directive allows the user to modify their entry, allows anonymous
-to authentication against these entries, and allows all others to
-read these entries.  Note that only the first {{EX:by <who>}} clause
-which matches applies.  Hence, the anonymous users are granted
-{{EX:auth}}, not {{EX:read}}.  The last clause could just as well
-have been "{{EX:by users read}}".
-
-It is often desirable to restrict operations based upon the level
-of protection in place.  The following shows how security strength
-factors (SSF) can be used.
-
->	access to *
->		by ssf=128 self write
->		by ssf=64 anonymous auth
->		by ssf=64 users read
-
-This directive allows users to modify their own entries if security
-protections have of strength 128 or better have been established,
-allows authentication access to anonymous users, and read access
-when 64 or better security protections have been established.  If
-client has not establish sufficient security protections, the
-implicit {{EX:by * none}} clause would be applied.
-
-The following example shows the use of a style specifiers to select
-the entries by DN in two access directives where ordering is
-significant.
-
->	access to dn.children="dc=example,dc=com"
-> 		by * search
->	access to dn.children="dc=com"
-> 		by * read
-
-Read access is granted to entries under the {{EX:dc=com}} subtree,
-except for those entries under the {{EX:dc=example,dc=com}} subtree,
-to which search access is granted.  No access is granted to
-{{EX:dc=com}} as neither access directive matches this DN.  If the
-order of these access directives was reversed, the trailing directive
-would never be reached, since all entries under {{EX:dc=example,dc=com}}
-are also under {{EX:dc=com}} entries.
-
-Also note that if no {{EX:access to}} directive matches or no {{EX:by
-<who>}} clause, {{B:access is denied}}.  That is, every {{EX:access
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:access to * by * none}}
-directive.
-
-The next example again shows the importance of ordering, both of
-the access directives and the {{EX:by <who>}} clauses.  It also
-shows the use of an attribute selector to grant access to a specific
-attribute and various {{EX:<who>}} selectors.
-
->	access to dn.subtree="dc=example,dc=com" attrs=homePhone
->		by self write
->		by dn.children="dc=example,dc=com" search
->		by peername.regex=IP:10\..+ read
->	access to dn.subtree="dc=example,dc=com"
->		by self write
->		by dn.children="dc=example,dc=com" search
->		by anonymous auth
-
-This example applies to entries in the "{{EX:dc=example,dc=com}}"
-subtree. To all attributes except {{EX:homePhone}}, an entry can
-write to itself, entries under {{EX:example.com}} entries can search
-by them, anybody else has no access (implicit {{EX:by * none}})
-excepting for authentication/authorization (which is always done
-anonymously).  The {{EX:homePhone}} attribute is writable by the
-entry, searchable by entries under {{EX:example.com}}, readable by
-clients connecting from network 10, and otherwise not readable
-(implicit {{EX:by * none}}).  All other access is denied by the
-implicit {{EX:access to * by * none}}.
-
-Sometimes it is useful to permit a particular DN to add or
-remove itself from an attribute. For example, if you would like to
-create a group and allow people to add and remove only
-their own DN from the member attribute, you could accomplish
-it with an access directive like this:
-
->	access to attrs=member,entry
-> 		by dnattr=member selfwrite
-
-The dnattr {{EX:<who>}} selector says that the access applies to
-entries listed in the {{EX:member}} attribute. The {{EX:selfwrite}} access
-selector says that such members can only add or delete their
-own DN from the attribute, not other values. The addition of
-the entry attribute is required because access to the entry is
-required to access any of the entry's attributes.
-
-!if 0
-For more details on how to use the {{EX:access}} directive,
-consult the {{Advanced Access Control}} chapter.
-!endif
-
-
-H2: Configuration File Example
-
-The following is an example configuration file, interspersed
-with explanatory text. It defines two databases to handle
-different parts of the {{TERM:X.500}} tree; both are {{TERM:BDB}}
-database instances. The line numbers shown are provided for
-reference only and are not included in the actual file. First, the
-global configuration section:
-
-E:  1.	# example config file - global configuration section
-E:  2.	include /usr/local/etc/schema/core.schema
-E:  3.	referral ldap://root.openldap.org
-E:  4.	access to * by * read
- 
-Line 1 is a comment. Line 2 includes another config file
-which contains {{core}} schema definitions.
-The {{EX:referral}} directive on line 3
-means that queries not local to one of the databases defined
-below will be referred to the LDAP server running on the
-standard port (389) at the host {{EX:root.openldap.org}}.
-
-Line 4 is a global access control.  It applies to all
-entries (after any applicable database-specific access
-controls).
-
-The next section of the configuration file defines a BDB
-backend that will handle queries for things in the
-"dc=example,dc=com" portion of the tree. The
-database is to be replicated to two slave slapds, one on
-truelies, the other on judgmentday. Indices are to be
-maintained for several attributes, and the {{EX:userPassword}}
-attribute is to be protected from unauthorized access.
-
-E:  5.	# BDB definition for the example.com
-E:  6.	database bdb
-E:  7.	suffix "dc=example,dc=com"
-E:  8.	directory /usr/local/var/openldap-data
-E:  9.	rootdn "cn=Manager,dc=example,dc=com"
-E: 10.	rootpw secret
-E: 11.	# indexed attribute definitions
-E: 12.	index uid pres,eq
-E: 13.	index cn,sn,uid pres,eq,approx,sub
-E: 14.	index objectClass eq
-E: 15.	# database access control definitions
-E: 16.	access to attrs=userPassword
-E: 17.		by self write
-E: 18.		by anonymous auth
-E: 19.		by dn.base="cn=Admin,dc=example,dc=com" write
-E: 20.		by * none
-E: 21.	access to *
-E: 22.		by self write
-E: 23.		by dn.base="cn=Admin,dc=example,dc=com" write
-E: 24.		by * read
-
-Line 5 is a comment. The start of the database definition is marked
-by the database keyword on line 6. Line 7 specifies the DN suffix
-for queries to pass to this database. Line 8 specifies the directory
-in which the database files will live.
-
-Lines 9 and 10 identify the database {{super-user}} entry and associated
-password. This entry is not subject to access control or size or
-time limit restrictions.
-
-Lines 12 through 14 indicate the indices to maintain for various
-attributes.
-
-Lines 16 through 24 specify access control for entries in this
-database.  As this is the first database, the controls also apply
-to entries not held in any database (such as the Root DSE).  For
-all applicable entries, the {{EX:userPassword}} attribute is writable
-by the entry itself and by the "admin" entry.  It may be used for
-authentication/authorization purposes, but is otherwise not readable.
-All other attributes are writable by the entry and the "admin"
-entry, but may be read by all users (authenticated or not).
-
-The next section of the example configuration file defines another
-BDB database. This one handles queries involving the
-{{EX:dc=example,dc=net}} subtree but is managed by the same entity
-as the first database.  Note that without line 39, the read access
-would be allowed due to the global access rule at line 4.
-
-E: 33.	# BDB definition for example.net
-E: 34.	database bdb
-E: 35.	suffix "dc=example,dc=net"
-E: 36.	directory /usr/local/var/openldap-data-net
-E: 37.	rootdn "cn=Manager,dc=example,dc=com"
-E: 38.	index objectClass eq
-E: 39.	access to * by users read

Modified: openldap/trunk/doc/guide/admin/title.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/title.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/title.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/title.sdf,v 1.9.6.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007, The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/title.sdf,v 1.9.6.5 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # Document: OpenLDAP Administrator's Guide

Modified: openldap/trunk/doc/guide/admin/tls.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/tls.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/tls.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/tls.sdf,v 1.13.2.6 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/tls.sdf,v 1.13.2.7 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Using TLS

Modified: openldap/trunk/doc/guide/admin/troubleshooting.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/troubleshooting.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/troubleshooting.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/troubleshooting.sdf,v 1.10.2.3 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/troubleshooting.sdf,v 1.10.2.5 2008/04/14 18:22:18 quanah Exp $
+# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Troubleshooting
@@ -90,7 +90,7 @@
 After reading through the above sections and before e-mailing the OpenLDAP lists, you
 might want to try out some of the following to track down the cause of your problems:
 
-* Loglevel 256 is generally a good first loglevel to try for getting 
+* Loglevel stats (256) is generally a good first loglevel to try for getting 
   information useful to list members on issues
 * Running {{slapd -d -1}} can often track down fairly simple issues, such as 
   missing schemas and incorrect file permissions for the {{slapd}} user to things like certs

Modified: openldap/trunk/doc/guide/admin/tuning.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/tuning.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/admin/tuning.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/tuning.sdf,v 1.9.2.4 2007/11/07 23:01:35 ghenry Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/tuning.sdf,v 1.9.2.7 2008/04/14 18:22:18 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Tuning
@@ -27,14 +27,19 @@
 
 Scale your cache to use available memory and increase system memory if you can.
 
-More info here.
+See {{SECT:Caching}}
 
 
 H3: Disks
 
-Use fast subsystems. Put each database and logs on separate disks.
+Use fast subsystems. Put each database and logs on separate disks configurable
+via {{DB_CONFIG}}:
 
-Example showing config settings
+>       # Data Directory
+>       set_data_dir /data/db
+>       
+>       # Transaction Log settings
+>       set_lg_dir /logs
 
 
 H3: Network Topology
@@ -106,7 +111,7 @@
 
 H3: What log level to use
 
-The default of {{loglevel 256}} is really the best bet. There's a corollary to 
+The default of {{loglevel stats}} (256) is really the best bet. There's a corollary to 
 this when problems *do* arise, don't try to trace them using syslog. 
 Use the debug flag instead, and capture slapd's stderr output. syslog is too 
 slow for debug tracing, and it's inherently lossy - it will throw away messages when it
@@ -119,14 +124,14 @@
 
 The most common message you'll see that you should pay attention to is:
 
->  "<= bdb_equality_candidates: (foo) index_param failed (18)"
+>       "<= bdb_equality_candidates: (foo) index_param failed (18)"
 
 That means that some application tried to use an equality filter ({{foo=<somevalue>}}) 
 and attribute {{foo}} does not have an equality index. If you see a lot of these
 messages, you should add the index. If you see one every month or so, it may
 be acceptable to ignore it.
 
-The default syslog level is 256 which logs the basic parameters of each
+The default syslog level is stats (256) which logs the basic parameters of each
 request; it usually produces 1-3 lines of output. On Solaris and systems that
 only provide synchronous syslog, you may want to turn it off completely, but
 usually you want to leave it enabled so that you'll be able to see index
@@ -141,17 +146,17 @@
 you can prepend the log file name with a "-" in {{syslog.conf}}. For example, 
 if you are using the default LOCAL4 logging you could try:
 
->   # LDAP logs
->   LOCAL4.*         -/var/log/ldap
+>       # LDAP logs
+>       LOCAL4.*         -/var/log/ldap
 
 For syslog-ng, add or modify the following line in {{syslog-ng.conf}}:
 
->   options { sync(n); };
+>       options { sync(n); };
 
 where n is the number of lines which will be buffered before a write.
 
 
-H2: BDB/HDB Database Caching
+H2: Caching
 
 We all know what caching is, don't we? 
 
@@ -164,8 +169,25 @@
 
 H3: Berkeley DB Cache
 
-BerkeleyDB's own data cache operates on page-sized blocks of raw data.
+There are two ways to tune for the BDB cachesize:
 
+(a) BDB cache size necessary to load the database via slapadd in optimal time
+
+(b) BDB cache size necessary to have a high performing running slapd once the data is loaded
+
+For (a), the optimal cachesize is the size of the entire database.  If you 
+already have the database loaded, this is simply a 
+
+>       du -c -h *.bdb 
+
+in the directory containing the OpenLDAP ({{/usr/local/var/openldap-data}}) data.
+
+For (b), the optimal cachesize is just the size of the {{id2entry.bdb}} file, 
+plus about 10% for growth.
+
+The tuning of {{DB_CONFIG}} should be done for each BDB type database 
+instantiated (back-bdb, back-hdb).
+
 Note that while the {{TERM:BDB}} cache is just raw chunks of memory and 
 configured as a memory size, the {{slapd}}(8) entry cache holds parsed entries, 
 and the size of each entry is variable. 
@@ -186,7 +208,7 @@
 That means, large enough to hold all of the most frequently accessed data, 
 plus a few less-frequently accessed items.
 
-ORACLE LINKS HERE
+For more information, please see: {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/ref/am_conf/cachesize.html}}
 
 H4: Calculating Cachesize
 
@@ -206,7 +228,7 @@
 you're accessing. That's enough cache for a single search. For the general case, 
 you want enough cache to contain all the internal nodes in the database. 
 
->   db_stat -d
+>       db_stat -d
 
 will tell you how many internal pages are present in a database. You should 
 check this number for both dn2id and id2entry.
@@ -224,7 +246,7 @@
 internal pages, and 45912 leaf pages. In order to efficiently retrieve any 
 single entry in this database, the cache should be at least
 
->   (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
+>       (433+1) * 4KB + (52+1) * 16KB in size: 1736KB + 848KB =~ 2.5MB.
 
 This doesn't take into account other library overhead, so this is even lower 
 than the barest minimum. The default cache size, when nothing is configured, 
@@ -263,8 +285,9 @@
 With back-bdb and back-hdb you can use "db_stat -m" to check how well the 
 database cache is performing. 
 
+For more information on {{db_stat}}: {{URL:http://www.oracle.com/technology/documentation/berkeley-db/db/utility/db_stat.html}}
 
-H3: {{slapd}}(8) Entry Cache
+H3: {{slapd}}(8) Entry Cache (cachesize)
 
 The {{slapd}}(8) entry cache operates on decoded entries. The rationale - entries 
 in the entry cache can be used directly, giving the fastest response. If an entry 
@@ -275,6 +298,10 @@
 cached pages and bring in the needed pages, resulting in a couple of expensive 
 I/Os as well as parsing.
 
+The most optimal value is of course, the entire number of entries in the database.  
+However, most directory servers don't consistently serve out their entire database, so setting this to a lesser number that more closely matches the believed working set of data is 
+sufficient. This is the second most important parameter for the DB.
+
 As far as balancing the entry cache vs the BDB cache - parsed entries in memory 
 are generally about twice as large as they are on disk. 
 
@@ -284,62 +311,27 @@
 itself that causes performance/response time to slowdown. 
 
 
-MOVE BELOW AROUND:
+H3: {{TERM:IDL}} Cache (idlcachesize)
 
+Each IDL holds the search results from a given query, so the IDL cache will 
+end up holding the most frequently requested search results.  For back-bdb, 
+it is generally recommended to match the "cachesize" setting.  For back-hdb, 
+it is generally recommended to be 3x"cachesize".
 
-If you want to setup the cache size, please read:
+{NOTE: The idlcachesize setting directly affects search performance}
 
- (Xref) How do I configure the BDB backend?
- (Xref) What are the DB_CONFIG configuration directives?
- http://www.sleepycat.com/docs/utility/db_recover.html
 
-A default config can be found in the answer:
+H3: {{slapd}}(8) Threads
 
- (Xref) What are the DB_CONFIG configuration directives?
+{{slapd}}(8) can process requests via a configurable number of thread, which 
+in turn affects the in/out rate of connections.
 
-just change the set_lg_dir to point to your .log directory or comment that line.
+This value should generally be a function of the number of "real" cores on 
+the system, for example on a server with 2 CPUs with one core each, set this 
+to 8, or 4 threads per real core.  This is a "read" maximized value. The more 
+threads that are configured per core, the slower {{slapd}}(8) responds for 
+"read" operations.  On the flip side, it appears to handle write operations 
+faster in a heavy write/low read scenario.
 
-Quick guide:
-* Create a DB_CONFIG file in your ldap home directory (/var/lib/ldap/DB_CONFIG) with the correct "set_cachesize" value
-* stop your ldap server and run db_recover -h /var/lib/ldap
-* start your ldap server and check the new cache size with:
-
-  db_stat -h /var/lib/ldap -m | head -n 2
-
-* this procedure is only needed if you use OpenLDAP 2.2 with the BDB or HDB backends; In OpenLDAP 2.3 DB recovery is performed automatically whenever the DB_CONFIG file is changed or when an unclean shutdown is detected.
-
-
---On Tuesday, February 22, 2005 12:15 PM -0500 Dusty Doris <openldap at mail.doris.cc> wrote:
-
-    Few questions, if you change the cachesize and idlecachesize entries, do
-    you have to do anything special aside from restarting slapd, such as run
-    slapindex or db_recover?
-
-
-    Also, is there any way to tell how much memory these caches are taking up
-    to make sure they are not set too large?  What happens if you set your
-    cachesize too large and you don't have enough available memory to store
-    these?  Will that cause an issue with openldap, or will it just not cache
-    those entries that would make it exceed its available memory.  Will it
-    just use some sort of FIFO on those caches?
-
-
-It will consume the memory resources of your system, and likely cause issues.
-
-    Finally, what do most people try to achieve with these values?  Would the
-    goal be to make these as big as the directory?  So, if I have 400,000 dn's
-    in my directory, would it be safe to set these at 400000 or would
-    something like 20,000 be good enough to get a nice performance increase?
-
-
-I try to cache the most actively used entries. Unless you expect all 400,000 entries of your DB to be accessed regularly, there is no need to cache that many entries. My entry cache is set to 20,000 (out of a little over 400,000 entries).
-
-The idlcache has to do with how many unique result sets of searches you want to store in memory. Setting up this cache will allow your most frequently placed searches to get results much faster, but I doubt you want to try and cache the results of every search that hits your system. ;)
-
---Quanah
-
-
-H3: {{TERM:IDL}} Cache
-
-
-http://www.openldap.org/faq/data/cache/1076.html
+The upper bound for good read performance appears to be 16 threads (which
+also happens to be the default setting).

Copied: openldap/trunk/doc/guide/images/src/README.fonts (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/README.fonts)
===================================================================
--- openldap/trunk/doc/guide/images/src/README.fonts	                        (rev 0)
+++ openldap/trunk/doc/guide/images/src/README.fonts	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,10 @@
+# $OpenLDAP: pkg/openldap-guide/images/src/README.fonts,v 1.2.2.1 2008/02/12 05:47:53 quanah Exp $
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
+# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
+#
+# README.fonts 
+#
+
+In dia we use:
+
+sans Normal 1.00 #000000

Copied: openldap/trunk/doc/guide/images/src/config_dit.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/config_dit.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/config_local.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/config_local.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/config_ref.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/config_ref.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/config_repl.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/config_repl.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/delta-syncrepl.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/delta-syncrepl.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/intro_dctree.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/intro_dctree.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/intro_tree.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/intro_tree.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/mirrormode.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/mirrormode.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/n-way-multi-master.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/n-way-multi-master.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/set-following-references.svg (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/set-following-references.svg)
===================================================================
--- openldap/trunk/doc/guide/images/src/set-following-references.svg	                        (rev 0)
+++ openldap/trunk/doc/guide/images/src/set-following-references.svg	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="383.93671"
+   height="174.87033"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/cvs/openldap-guide/images/src"
+   sodipodi:docname="set-managersecretary.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape"
+   inkscape:export-filename="/home/andreas/palestra/managersecretary.png"
+   inkscape:export-xdpi="187.53"
+   inkscape:export-ydpi="187.53">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lend"
+       style="overflow:visible">
+      <path
+         id="path3186"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lstart"
+       style="overflow:visible">
+      <path
+         id="path3183"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(0.8,0,0,0.8,10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Send"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Send"
+       style="overflow:visible">
+      <path
+         id="path3198"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.2,0,0,-0.2,-1.2,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lstart"
+       style="overflow:visible">
+      <path
+         id="path3201"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(1.1,0,0,1.1,1.1,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="3.1307244"
+     inkscape:cx="191.96835"
+     inkscape:cy="87.435165"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="false"
+     inkscape:window-width="1280"
+     inkscape:window-height="953"
+     inkscape:window-x="0"
+     inkscape:window-y="24"
+     width="1052.3622px"
+     height="744.09449px" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-241.56641,-98.789978)">
+    <g
+       id="g3270"
+       transform="translate(0,-9.9371414e-6)">
+      <text
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         id="text2170"
+         y="112.12766"
+         x="267.92389"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         xml:space="preserve"><tspan
+           y="112.12766"
+           x="267.92389"
+           id="tspan2172"
+           sodipodi:role="line">DN: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+           id="tspan2174"
+           y="127.12766"
+           x="267.92389"
+           sodipodi:role="line">uid: john</tspan><tspan
+           id="tspan5373"
+           y="142.12766"
+           x="267.92389"
+           sodipodi:role="line">manager: uid=mary,ou=people,dc=example,dc=com</tspan><tspan
+           id="tspan3411"
+           y="157.12766"
+           x="267.92389"
+           sodipodi:role="line" /></text>
+      <rect
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         y="99.161621"
+         x="263.56467"
+         height="53.761242"
+         width="331.86697"
+         id="rect7321"
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.74326539px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
+      <rect
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         y="130.60817"
+         x="265.52121"
+         height="17.286547"
+         width="327.07599"
+         id="rect7323"
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1" />
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="299.92389"
+       y="250.12769"
+       id="text2235"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         id="tspan2237"
+         x="299.92389"
+         y="250.12769">DN: uid=jane,ou=people,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="299.92389"
+         y="265.12769"
+         id="tspan2239">uid: jane</tspan><tspan
+         sodipodi:role="line"
+         x="299.92389"
+         y="280.12769"
+         id="tspan2241" /><tspan
+         sodipodi:role="line"
+         x="299.92389"
+         y="295.12769"
+         id="tspan2243" /></text>
+    <rect
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.60843331px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="rect2245"
+       width="329.70166"
+       height="36.261875"
+       x="295.49725"
+       y="237.09422"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <g
+       id="g3279"
+       transform="translate(0,-1.3751839e-5)">
+      <text
+         xml:space="preserve"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         x="283.92386"
+         y="181.12766"
+         id="text2223"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2"><tspan
+           sodipodi:role="line"
+           id="tspan2225"
+           x="283.92386"
+           y="181.12766">DN: uid=mary,ou=people,dc=example,dc=com</tspan><tspan
+           sodipodi:role="line"
+           x="283.92386"
+           y="196.12766"
+           id="tspan2227">uid: mary</tspan><tspan
+           sodipodi:role="line"
+           x="283.92386"
+           y="211.12766"
+           id="tspan2229">secretary: uid=jane,ou=people,dc=example,dc=com</tspan><tspan
+           sodipodi:role="line"
+           x="283.92386"
+           y="226.12766"
+           id="tspan2231" /></text>
+      <rect
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.74326539px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+         id="rect2233"
+         width="331.86697"
+         height="53.761246"
+         x="279.56464"
+         y="168.16162"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2" />
+      <rect
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+         id="rect2247"
+         width="327.07599"
+         height="17.286547"
+         x="281.52118"
+         y="197.60815"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2" />
+    </g>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 147.97396,105.42967 C 100.43828,122.29717 161.77464,141.46478 161.77464,141.46478"
+       id="path2275"
+       transform="translate(112.15223,34.695502)"
+       sodipodi:nodetypes="cc" />
+    <path
+       sodipodi:nodetypes="cc"
+       id="path3248"
+       d="M 276.12619,208.12517 C 228.59051,224.99267 289.92687,244.16028 289.92687,244.16028"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1" />
+  </g>
+</svg>
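Review bot: The root `<svg>` element and most `<text>`/`<rect>` elements in this file carry the author's absolute local paths as editor metadata, e.g. `sodipodi:docbase="/home/andreas/cvs/openldap-guide/images/src"` and `inkscape:export-filename="/home/andreas/palestra/allmail.png"`, which publishes a username and home-directory layout in the shipped sources. The `sodipodi:docbase` and `inkscape:export-filename` attributes look like editor bookkeeping and can presumably be removed, or the file saved as plain SVG, without changing the figure. The same attributes appear in the set-memberUid.svg and set-recursivegroup.svg sections further down. The stale `sodipodi:docname="set-managersecretary.svg"` also no longer matches this file's name. Since the file is copied from the vendor branch, the cleanup presumably belongs upstream rather than in this import.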

Copied: openldap/trunk/doc/guide/images/src/set-memberUid.svg (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/set-memberUid.svg)
===================================================================
--- openldap/trunk/doc/guide/images/src/set-memberUid.svg	                        (rev 0)
+++ openldap/trunk/doc/guide/images/src/set-memberUid.svg	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="746.3288"
+   height="127.80122"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/cvs/openldap-guide/images/src"
+   sodipodi:docname="set-memberUid.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape"
+   inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+   inkscape:export-xdpi="70.18"
+   inkscape:export-ydpi="70.18">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lend"
+       style="overflow:visible">
+      <path
+         id="path3186"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lstart"
+       style="overflow:visible">
+      <path
+         id="path3183"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(0.8,0,0,0.8,10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Send"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Send"
+       style="overflow:visible">
+      <path
+         id="path3198"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.2,0,0,-0.2,-1.2,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lstart"
+       style="overflow:visible">
+      <path
+         id="path3201"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(1.1,0,0,1.1,1.1,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.6105502"
+     inkscape:cx="373.1644"
+     inkscape:cy="63.900612"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="false"
+     inkscape:window-width="1280"
+     inkscape:window-height="953"
+     inkscape:window-x="0"
+     inkscape:window-y="24"
+     width="1052.3622px"
+     height="744.09449px" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-164.76663,-192.97633)">
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="177.73021"
+       y="206.31401"
+       id="text2170"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2"><tspan
+         sodipodi:role="line"
+         id="tspan2172"
+         x="177.73021"
+         y="206.31401">DN: cn=sudoadm,ou=group,dc=example,dc=com</tspan><tspan
+         sodipodi:role="line"
+         x="177.73021"
+         y="221.31401"
+         id="tspan2174">cn: sudoadm</tspan><tspan
+         sodipodi:role="line"
+         x="177.73021"
+         y="236.31401"
+         id="tspan5373">objectClass: posixGroup</tspan><tspan
+         sodipodi:role="line"
+         x="177.73021"
+         y="251.31401"
+         id="tspan2336">gidNumber: 1000</tspan><tspan
+         sodipodi:role="line"
+         x="177.73021"
+         y="266.31401"
+         id="tspan3411">memberUid: john</tspan></text>
+    <rect
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.98517001px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="rect7321"
+       width="316.56842"
+       height="99.014832"
+       x="173.49196"
+       y="193.46892"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-ydpi="136.2" />
+    <rect
+       inkscape:export-ydpi="136.2"
+       inkscape:export-xdpi="136.2"
+       inkscape:export-filename="/home/andreas/palestra/allmail.png"
+       y="255.51881"
+       x="175.66292"
+       height="16.666452"
+       width="107.33646"
+       id="rect5582"
+       style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1" />
+    <path
+       style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-start:url(#Arrow2Lstart);marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 288.18971,264.67045 C 388.9562,262.34006 478.83987,220.53502 612.19092,219.08835"
+       id="path7687"
+       sodipodi:nodetypes="cc"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001" />
+    <g
+       id="g3381"
+       transform="translate(86,0)">
+      <text
+         xml:space="preserve"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         x="534.08191"
+         y="208.5367"
+         id="text3318"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2"><tspan
+           sodipodi:role="line"
+           id="tspan3320"
+           x="534.08191"
+           y="208.5367">DN: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+           sodipodi:role="line"
+           x="534.08191"
+           y="223.5367"
+           id="tspan3322">uid: john</tspan><tspan
+           sodipodi:role="line"
+           x="534.08191"
+           y="238.5367"
+           id="tspan3324">objectClass: person</tspan><tspan
+           sodipodi:role="line"
+           x="534.08191"
+           y="253.5367"
+           id="tspan3326">cn: john</tspan><tspan
+           id="tspan3334"
+           sodipodi:role="line"
+           x="534.08191"
+           y="268.5367">givenName: John</tspan><tspan
+           sodipodi:role="line"
+           x="534.08191"
+           y="283.5367"
+           id="tspan3330">sn: Smith</tspan></text>
+      <rect
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.94494522px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+         id="rect3336"
+         width="294.23233"
+         height="98.00956"
+         x="530.39062"
+         y="194.49431"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2" />
+      <rect
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         y="211.30989"
+         x="533.61841"
+         height="16.666452"
+         width="57.336445"
+         id="rect2372"
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1" />
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="164.28616"
+       y="318.28146"
+       id="text3369"><tspan
+         sodipodi:role="line"
+         id="tspan3371"
+         x="164.28616"
+         y="318.28146">[cn=sudoadm,ou=group,dc=example,dc=com]/memberUid</tspan></text>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="646.18683"
+       y="318.97287"
+       id="text3373"><tspan
+         sodipodi:role="line"
+         id="tspan3375"
+         x="646.18683"
+         y="318.97287">user/uid</tspan></text>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="581.57733"
+       y="319.33908"
+       id="text3377"><tspan
+         sodipodi:role="line"
+         id="tspan3379"
+         x="581.57733"
+         y="319.33908">&amp;</tspan></text>
+  </g>
+</svg>

Copied: openldap/trunk/doc/guide/images/src/set-recursivegroup.svg (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/set-recursivegroup.svg)
===================================================================
--- openldap/trunk/doc/guide/images/src/set-recursivegroup.svg	                        (rev 0)
+++ openldap/trunk/doc/guide/images/src/set-recursivegroup.svg	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,497 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="833.63007"
+   height="212.5425"
+   id="svg2"
+   sodipodi:version="0.32"
+   inkscape:version="0.45.1"
+   version="1.0"
+   sodipodi:docbase="/home/andreas/cvs/openldap-guide/images/src"
+   sodipodi:docname="set-recursivegroup.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape"
+   inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+   inkscape:export-xdpi="70.18"
+   inkscape:export-ydpi="70.18">
+  <defs
+     id="defs4">
+    <marker
+       inkscape:stockid="Arrow1Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lend"
+       style="overflow:visible">
+      <path
+         id="path3186"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Lstart"
+       style="overflow:visible">
+      <path
+         id="path3183"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(0.8,0,0,0.8,10,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow1Send"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow1Send"
+       style="overflow:visible">
+      <path
+         id="path3198"
+         d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z "
+         style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+         transform="matrix(-0.2,0,0,-0.2,-1.2,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lstart"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lstart"
+       style="overflow:visible">
+      <path
+         id="path3201"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(1.1,0,0,1.1,1.1,0)" />
+    </marker>
+    <marker
+       inkscape:stockid="Arrow2Lend"
+       orient="auto"
+       refY="0"
+       refX="0"
+       id="Arrow2Lend"
+       style="overflow:visible">
+      <path
+         id="path8347"
+         style="font-size:12px;fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+         d="M 8.7185878,4.0337352 L -2.2072895,0.016013256 L 8.7185884,-4.0017078 C 6.97309,-1.6296469 6.9831476,1.6157441 8.7185878,4.0337352 z "
+         transform="matrix(-1.1,0,0,-1.1,-1.1,0)" />
+    </marker>
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1.1313286"
+     inkscape:cx="471.10533"
+     inkscape:cy="166.19896"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     showguides="false"
+     inkscape:window-width="1280"
+     inkscape:window-height="953"
+     inkscape:window-x="0"
+     inkscape:window-y="24"
+     width="1052.3622px"
+     height="744.09449px" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Camada 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-39.91817,-73.881854)">
+    <g
+       id="g3462"
+       transform="translate(30.553822,-0.6080081)"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001">
+      <text
+         xml:space="preserve"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         x="523.97247"
+         y="89.280624"
+         id="text3318"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2"><tspan
+           sodipodi:role="line"
+           id="tspan3320"
+           x="523.97247"
+           y="89.280624">DN: <tspan
+   style="font-weight:bold"
+   id="tspan7581">uid=john,ou=people,dc=example,dc=com</tspan></tspan><tspan
+           sodipodi:role="line"
+           x="523.97247"
+           y="104.28062"
+           id="tspan3322">uid: john</tspan><tspan
+           sodipodi:role="line"
+           x="523.97247"
+           y="119.28062"
+           id="tspan3324">objectClass: person</tspan><tspan
+           sodipodi:role="line"
+           x="523.97247"
+           y="134.28062"
+           id="tspan3326">cn: john</tspan><tspan
+           id="tspan3334"
+           sodipodi:role="line"
+           x="523.97247"
+           y="149.28062">givenName: John</tspan><tspan
+           sodipodi:role="line"
+           x="523.97247"
+           y="164.28062"
+           id="tspan3330">sn: Smith</tspan></text>
+      <rect
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.97567958px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+         id="rect3336"
+         width="318.06735"
+         height="96.658691"
+         x="520.29657"
+         y="75.253609"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2" />
+    </g>
+    <g
+       id="g3474"
+       transform="translate(30.276908,4.0242246)"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001">
+      <g
+         id="g7676">
+        <text
+           xml:space="preserve"
+           style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+           x="523.97247"
+           y="199.28062"
+           id="text3416"
+           inkscape:export-filename="/home/andreas/palestra/allmail.png"
+           inkscape:export-xdpi="136.2"
+           inkscape:export-ydpi="136.2"><tspan
+             sodipodi:role="line"
+             id="tspan3418"
+             x="523.97247"
+             y="199.28062">DN: <tspan
+   id="tspan7674"
+   style="font-weight:bold">uid=mary,ou=people,dc=example,dc=com</tspan></tspan><tspan
+             sodipodi:role="line"
+             x="523.97247"
+             y="214.28062"
+             id="tspan3420">uid: mary</tspan><tspan
+             sodipodi:role="line"
+             x="523.97247"
+             y="229.28062"
+             id="tspan3422">objectClass: person</tspan><tspan
+             sodipodi:role="line"
+             x="523.97247"
+             y="244.28062"
+             id="tspan3424">cn: mary</tspan><tspan
+             id="tspan3426"
+             sodipodi:role="line"
+             x="523.97247"
+             y="259.28062">givenName: Mary</tspan><tspan
+             sodipodi:role="line"
+             x="523.97247"
+             y="274.28062"
+             id="tspan3432">sn: Smith</tspan></text>
+        <rect
+           style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.98239046px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+           id="rect3460"
+           width="322.48019"
+           height="96.651978"
+           x="520.29993"
+           y="185.25696"
+           inkscape:export-filename="/home/andreas/palestra/allmail.png"
+           inkscape:export-xdpi="136.2"
+           inkscape:export-ydpi="136.2" />
+      </g>
+    </g>
+    <g
+       id="g7550"
+       transform="translate(-109.4887,-12.321663)"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001">
+      <g
+         id="g7614"
+         transform="translate(-103.41823,-0.8839165)">
+        <text
+           inkscape:export-ydpi="136.2"
+           inkscape:export-xdpi="136.2"
+           inkscape:export-filename="/home/andreas/palestra/allmail.png"
+           id="text3350"
+           y="216.91795"
+           x="258.37482"
+           style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+           xml:space="preserve"><tspan
+             y="216.91795"
+             x="258.37482"
+             id="tspan3352"
+             sodipodi:role="line">DN: cn=accountadm,ou=group,dc=example,dc=com</tspan><tspan
+             id="tspan3354"
+             y="231.91795"
+             x="258.37482"
+             sodipodi:role="line">cn: accountadm</tspan><tspan
+             id="tspan3356"
+             y="246.91795"
+             x="258.37482"
+             sodipodi:role="line">objectClass: groupOfNames</tspan><tspan
+             id="tspan3360"
+             y="261.91795"
+             x="258.37482"
+             sodipodi:role="line">member: <tspan
+   id="tspan7612"
+   style="font-weight:bold">uid=mary,ou=people,dc=example,dc=com</tspan></tspan><tspan
+             id="tspan3362"
+             y="276.91795"
+             x="258.37482"
+             sodipodi:role="line" /></text>
+        <rect
+           inkscape:export-ydpi="136.2"
+           inkscape:export-xdpi="136.2"
+           inkscape:export-filename="/home/andreas/palestra/allmail.png"
+           y="203.48654"
+           x="254.13257"
+           height="83.046989"
+           width="371.37915"
+           id="rect3402"
+           style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.97723264px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
+        <rect
+           inkscape:export-ydpi="136.2"
+           inkscape:export-xdpi="136.2"
+           inkscape:export-filename="/home/andreas/palestra/allmail.png"
+           y="249.90959"
+           x="256.3075"
+           height="16.297295"
+           width="351.43427"
+           id="rect5542"
+           style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1" />
+      </g>
+    </g>
+    <g
+       id="g7662"
+       transform="translate(-217.44346,0.8839165)"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001">
+      <text
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         id="text2170"
+         y="86.335617"
+         x="262.09247"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         xml:space="preserve"><tspan
+           y="86.335617"
+           x="262.09247"
+           id="tspan2172"
+           sodipodi:role="line">DN: <tspan
+   style="font-weight:bold"
+   id="tspan7595">cn=sudoadm,ou=group,dc=example,dc=com</tspan></tspan><tspan
+           id="tspan2174"
+           y="101.33562"
+           x="262.09247"
+           sodipodi:role="line">cn: sudoadm</tspan><tspan
+           id="tspan5373"
+           y="116.33562"
+           x="262.09247"
+           sodipodi:role="line">objectClass: groupOfNames</tspan><tspan
+           id="tspan3295"
+           y="131.33562"
+           x="262.09247"
+           sodipodi:role="line">member: uid=john,ou=people,dc=example,dc=com</tspan><tspan
+           id="tspan3297"
+           y="146.33562"
+           x="262.09247"
+           sodipodi:role="line">member: cn=accountadm,ou=people,dc=example,dc=com</tspan><tspan
+           id="tspan3411"
+           y="161.33562"
+           x="262.09247"
+           sodipodi:role="line" /></text>
+      <rect
+         inkscape:export-ydpi="136.2"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         y="73.485397"
+         x="257.84909"
+         height="83.049301"
+         width="369.61365"
+         id="rect7321"
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.97492063px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
+      <rect
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+         id="rect5582"
+         width="365.16586"
+         height="31.950695"
+         x="260.02518"
+         y="120.25619"
+         inkscape:export-filename="/home/andreas/palestra/allmail.png"
+         inkscape:export-xdpi="136.2"
+         inkscape:export-ydpi="136.2" />
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="364.2525"
+       y="224.56728"
+       id="text7528"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         sodipodi:role="line"
+         id="tspan7530"
+         x="364.2525"
+         y="224.56728">yes!</tspan></text>
+    <path
+       style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 365.29385,128.78999 C 466.06034,130.87918 457.22118,89.335108 547.38066,84.915525"
+       id="path7687"
+       sodipodi:nodetypes="cc"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001" />
+    <path
+       style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       d="M 407.72184,145.90577 C 440.42676,177.72675 428.93584,200.70858 374.13302,201.5925"
+       id="path7689"
+       sodipodi:nodetypes="cc"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001" />
+    <path
+       sodipodi:nodetypes="cc"
+       id="path7691"
+       d="M 396.23093,243.6739 C 484.62258,241.34352 479.3191,199.79944 547.38066,198.91553"
+       style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001" />
+    <text
+       id="text9637"
+       y="232.54912"
+       x="473.47699"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       xml:space="preserve"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         y="232.54912"
+         x="473.47699"
+         id="tspan9639"
+         sodipodi:role="line">more<tspan
+   id="tspan9641"
+   style="font-weight:bold"></tspan></tspan><tspan
+         y="247.54912"
+         x="473.47699"
+         sodipodi:role="line"
+         id="tspan9643"><tspan
+   style="font-weight:bold"
+   id="tspan9645">member</tspan>?</tspan></text>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="473.47699"
+       y="112.54912"
+       id="text9647"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         sodipodi:role="line"
+         id="tspan9649"
+         x="473.47699"
+         y="112.54912">more<tspan
+   style="font-weight:bold"
+   id="tspan9651"></tspan></tspan><tspan
+         id="tspan9653"
+         sodipodi:role="line"
+         x="473.47699"
+         y="127.54912"><tspan
+   id="tspan9655"
+   style="font-weight:bold">member</tspan>?</tspan></text>
+    <text
+       id="text10626"
+       y="173.85262"
+       x="431.01266"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       xml:space="preserve"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         y="173.85262"
+         x="431.01266"
+         id="tspan10628"
+         sodipodi:role="line">more<tspan
+   id="tspan10630"
+   style="font-weight:bold"></tspan></tspan><tspan
+         y="188.85262"
+         x="431.01266"
+         sodipodi:role="line"
+         id="tspan10632"><tspan
+   style="font-weight:bold"
+   id="tspan10634">member</tspan>?</tspan></text>
+    <text
+       xml:space="preserve"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       x="742.7262"
+       y="130.87918"
+       id="text10640"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         sodipodi:role="line"
+         id="tspan10642"
+         x="742.7262"
+         y="130.87918">no <tspan
+   style="font-weight:bold"
+   id="tspan10648">member</tspan></tspan><tspan
+         sodipodi:role="line"
+         x="742.7262"
+         y="145.87918"
+         id="tspan10644">here!</tspan></text>
+    <text
+       id="text10650"
+       y="244.87918"
+       x="742.7262"
+       style="font-size:12px;font-style:italic;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+       xml:space="preserve"
+       inkscape:export-filename="/home/andreas/set-recursivegroup.png"
+       inkscape:export-xdpi="80.970001"
+       inkscape:export-ydpi="80.970001"><tspan
+         y="244.87918"
+         x="742.7262"
+         id="tspan10652"
+         sodipodi:role="line">no <tspan
+   id="tspan10654"
+   style="font-weight:bold">member</tspan></tspan><tspan
+         id="tspan10656"
+         y="259.87918"
+         x="742.7262"
+         sodipodi:role="line">here!</tspan></text>
+  </g>
+</svg>

Copied: openldap/trunk/doc/guide/images/src/syncrepl-firewalls.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/syncrepl-firewalls.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/syncrepl-pull.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/syncrepl-pull.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/syncrepl-push.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/syncrepl-push.dia)
===================================================================
(Binary files differ)

Copied: openldap/trunk/doc/guide/images/src/syncrepl.dia (from rev 1127, openldap/vendor/openldap-2.4.9/doc/guide/images/src/syncrepl.dia)
===================================================================
(Binary files differ)

Modified: openldap/trunk/doc/guide/plain.sdf
===================================================================
--- openldap/trunk/doc/guide/plain.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/plain.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/plain.sdf,v 1.11.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/plain.sdf,v 1.11.2.4 2008/02/13 06:40:32 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 # template for plain documents
@@ -13,7 +13,7 @@
 !macro HTML_FOOTER
 {{INLINE:<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1">}}
 {{INLINE:<B>________________<BR><SMALL>}}
-[[c]]  Copyright 2007,
+[[c]]  Copyright 2008,
 {{INLINE:<A HREF="/foundation/">OpenLDAP Foundation</A>}},
 {{EMAIL: info at OpenLDAP.org}}
 {{INLINE:</SMALL><BR></B></FONT>}}

Modified: openldap/trunk/doc/guide/preamble.sdf
===================================================================
--- openldap/trunk/doc/guide/preamble.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/preamble.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/preamble.sdf,v 1.70.2.4 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/preamble.sdf,v 1.70.2.7 2008/04/14 19:18:48 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
  
 #
@@ -55,7 +55,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>&copy; Copyright 2007, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>&copy; Copyright 2008, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
 
 	!endblock
 !endmacro
@@ -91,7 +91,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>&copy; Copyright 2007, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>&copy; Copyright 2008, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info at OpenLDAP.org">info at OpenLDAP.org</A></SMALL></B></FONT>
 
 	!endblock
 !endmacro
@@ -175,7 +175,7 @@
 CER|Canonical Encoding Rules
 CLDAP|Connection-less LDAP
 CN|Common Name
-CRAM-MD5|SASL MD5 Challedge/Response Authentication Mechanism
+CRAM-MD5|SASL MD5 Challenge/Response Authentication Mechanism
 CRL|Certificate Revocation List
 DAP|Directory Access Protocol
 DC|Domain Component
@@ -219,7 +219,7 @@
 Kerberos|Kerberos Authentication Service
 LBER|Lightweight BER
 LDAP|Lightweight Directory Access Protocol
-LDAP Sync|LDAP Content Sychronization
+LDAP Sync|LDAP Content Synchronization
 LDAPv3|LDAP, version 3
 LDIF|LDAP Data Interchange Format
 MD5|Message Digest 5
@@ -284,6 +284,7 @@
 RFC2079|PS|Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifers|http://www.rfc-editor.org/rfc/rfc2079.txt
 RFC2296|PS|Use of Language Codes in LDAP|http://www.rfc-editor.org/rfc/rfc2296.txt
 RFC2307|X|An Approach for Using LDAP as a Network Information Service|http://www.rfc-editor.org/rfc/rfc2307.txt
+RFC2589|PS|Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services|http://www.rfc-editor.org/rfc/rfc2589.txt
 RFC2798|I|Definition of the inetOrgPerson LDAP Object Class|http://www.rfc-editor.org/rfc/rfc2798.txt
 RFC2831|PS|Using Digest Authentication as a SASL Mechanism|http://www.rfc-editor.org/rfc/rfc2831.txt
 RFC2849|PS|The LDAP Data Interchange Format|http://www.rfc-editor.org/rfc/rfc2849.txt
@@ -294,7 +295,7 @@
 RFC4013|PS|SASLprep: Stringprep Profile for User Names and Passwords|http://www.rfc-editor.org/rfc/rfc4013.txt
 RFC4346|PS|The Transport Layer Security (TLS) Protocol, Version 1.1|http://www.rfc-editor.org/rfc/rfc4346.txt
 RFC4422|PS|Simple Authentication and Security Layer (SASL)|http://www.rfc-editor.org/rfc/rfc4422.txt
-RFC4510|PS|Lightweight Directory Access Protocol (LDAP) Technical Specification Roadmap|http://www.rfc-editor.org/rfc/rfc4510.txt
+RFC4510|PS|Lightweight Directory Access Protocol (LDAP): Technical Specification Roadmap|http://www.rfc-editor.org/rfc/rfc4510.txt
 RFC4511|PS|Lightweight Directory Access Protocol (LDAP): The Protocol|http://www.rfc-editor.org/rfc/rfc4512.txt
 RFC4512|PS|Lightweight Directory Access Protocol (LDAP): Directory Information Models|http://www.rfc-editor.org/rfc/rfc4512.txt
 RFC4513|PS|Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms|http://www.rfc-editor.org/rfc/rfc4513.txt

Modified: openldap/trunk/doc/guide/release/copyright-plain.sdf
===================================================================
--- openldap/trunk/doc/guide/release/copyright-plain.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/release/copyright-plain.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/release/copyright-plain.sdf,v 1.10.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/release/copyright-plain.sdf,v 1.10.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 #

Modified: openldap/trunk/doc/guide/release/copyright.sdf
===================================================================
--- openldap/trunk/doc/guide/release/copyright.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/release/copyright.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/release/copyright.sdf,v 1.22.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/release/copyright.sdf,v 1.22.2.6 2008/04/14 20:51:25 quanah Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 !if OPT_PP_HTML
@@ -13,7 +13,7 @@
 H2: OpenLDAP Copyright Notice
 
 !block nofill
-[[copyright]] 1998-2007 The OpenLDAP Foundation.
+[[copyright]] 1998-2008 The OpenLDAP Foundation.
 {{All rights reserved.}}
 !endblock
 
@@ -43,7 +43,7 @@
 H2: Additional Copyright Notice
 
 !block nofill
-Portions [[copyright]] 1998-2006 Kurt D. Zeilenga.
+Portions [[copyright]] 1998-2008 Kurt D. Zeilenga.
 Portions [[copyright]] 1998-2006 Net Boolean Incorporated.
 Portions [[copyright]] 2001-2006 IBM Corporation.
 {{All rights reserved.}}
@@ -58,8 +58,8 @@
 Portions [[copyright]] 1999-2007 Howard Y.H. Chu.
 Portions [[copyright]] 1999-2007 Symas Corporation.
 Portions [[copyright]] 1998-2003 Hallvard B. Furuseth.
-Portions [[copyright]] 2007 Gavin Henry
-Portions [[copyright]] 2007 Suretec Systems
+Portions [[copyright]] 2007-2008 Gavin Henry
+Portions [[copyright]] 2007-2008 Suretec Systems Limited.
 {{All rights reserved.}}
 !endblock
 

Modified: openldap/trunk/doc/guide/release/install.sdf
===================================================================
--- openldap/trunk/doc/guide/release/install.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/release/install.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/release/install.sdf,v 1.23.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/release/install.sdf,v 1.23.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 P1: Making and Installing the OpenLDAP Distribution

Modified: openldap/trunk/doc/guide/release/license-plain.sdf
===================================================================
--- openldap/trunk/doc/guide/release/license-plain.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/release/license-plain.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/release/license-plain.sdf,v 1.10.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 1999-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/release/license-plain.sdf,v 1.10.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 #

Modified: openldap/trunk/doc/guide/release/license.sdf
===================================================================
--- openldap/trunk/doc/guide/release/license.sdf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/guide/release/license.sdf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/release/license.sdf,v 1.12.2.2 2007/08/31 23:48:46 quanah Exp $
-# Copyright 2000-2007 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/release/license.sdf,v 1.12.2.3 2008/02/11 23:26:39 kurt Exp $
+# Copyright 2000-2008 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: OpenLDAP Public License

Modified: openldap/trunk/doc/man/Makefile.in
===================================================================
--- openldap/trunk/doc/man/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # man Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/man/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/man/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/man/man1/Makefile.in
===================================================================
--- openldap/trunk/doc/man/man1/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # man1 Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/man/man1/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/man/man1/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/man/man1/ldapcompare.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapcompare.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapcompare.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPCOMPARE 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapcompare.1,v 1.12.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapcompare.1,v 1.12.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapcompare \- LDAP compare tool

Modified: openldap/trunk/doc/man/man1/ldapdelete.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapdelete.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapdelete.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPDELETE 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapdelete.1,v 1.42.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapdelete.1,v 1.42.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapdelete \- LDAP delete entry tool
@@ -53,6 +53,8 @@
 [\c
 .BI \-Y \ mech\fR]
 [\c
+.BI \-z \ sizelimit\fR]
+[\c
 .BR \-Z[Z] ]
 [\c
 .IR dn ]...
@@ -138,6 +140,11 @@
 verification is done, so if you add this switch, ldapdelete will
 happily delete large portions of your tree.  Use with care.
 .TP
+.BI \-z \ sizelimit
+Use \fIsizelimit\fP when searching for children DN to delete,
+to circumvent any server-side size limit.  Only useful in conjunction
+with \-r.
+.TP
 .BI \-O \ security-properties
 Specify SASL security properties.
 .TP

Modified: openldap/trunk/doc/man/man1/ldapmodify.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapmodify.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapmodify.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPMODIFY 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapmodify.1,v 1.49.2.5 2007/12/10 18:19:13 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapmodify.1,v 1.49.2.7 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
@@ -151,13 +151,6 @@
 .B \-v
 Use verbose mode, with many diagnostics written to standard output.
 .TP
-.B \-F
-Force application of all changes regardless of the contents of input
-lines that begin with
-.I replica:
-(by default, replica: lines are compared against the LDAP server host
-and port in use to decide if a replog record should actually be applied).
-.TP
 .B \-M[M]
 Enable manage DSA IT control.
 .B \-MM
@@ -243,40 +236,9 @@
 , the command will require the operation to be successful.
 .SH INPUT FORMAT
 The contents of \fIfile\fP (or standard input if no \-f flag is given on
-the command line) should conform to the format defined in
-.BR ldif (1)
-(LDIF as defined RFC 2849), or
-.BR slapd.replog (5)
-(an extended form of LDIF)
-with the exceptions noted below.
-.LP
-Lines that begin with "replica:" are matched against the LDAP server host
-and port in use to decide if a particular replog record should be applied.
-Any other lines that precede the "dn:" line are ignored.
-The -F flag can be used to force
-.I ldapmodify
-to apply all of the replog changes, regardless of the presence or
-absence of any "replica:" lines.
-.LP
-If no "changetype:" line is present, the default is "add" if the -a
-flag is set (or if the program was invoked as
-.I ldapadd)
-and "modify" otherwise.
-.LP
-If changetype is "modify" and no "add:", "replace:", or "delete:" lines
-appear, the default is "replace" for
-.BR ldapmodify (1)
-and "add" for
-.BR ldapadd (1).
-.LP
-Note that the above exceptions to the
-.BR slapd.replog (5)
-format allow
+the command line) must conform to the format defined in
 .BR ldif (5)
-entries to be used as input to
-.I ldapmodify
-or
-.I ldapadd.
+(LDIF as defined in RFC 2849).
 .SH EXAMPLES
 Assuming that the file
 .B /tmp/entrymods

Modified: openldap/trunk/doc/man/man1/ldapmodrdn.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapmodrdn.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapmodrdn.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPMODRDN 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapmodrdn.1,v 1.38.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapmodrdn.1,v 1.38.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapmodrdn \- LDAP rename entry tool

Modified: openldap/trunk/doc/man/man1/ldappasswd.1
===================================================================
--- openldap/trunk/doc/man/man1/ldappasswd.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldappasswd.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPPASSWD 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldappasswd.1,v 1.39.2.4 2007/12/10 18:19:13 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldappasswd.1,v 1.39.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldappasswd \- change the password of an LDAP entry

Modified: openldap/trunk/doc/man/man1/ldapsearch.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapsearch.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapsearch.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPSEARCH 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapsearch.1,v 1.59.2.4 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapsearch.1,v 1.59.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapsearch \- LDAP search tool

Modified: openldap/trunk/doc/man/man1/ldapwhoami.1
===================================================================
--- openldap/trunk/doc/man/man1/ldapwhoami.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man1/ldapwhoami.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAPWHOAMI 1 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapwhoami.1,v 1.10.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man1/ldapwhoami.1,v 1.10.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldapwhoami \- LDAP who am i? tool

Modified: openldap/trunk/doc/man/man3/Makefile.in
===================================================================
--- openldap/trunk/doc/man/man3/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # man3 Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/man/man3/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/man/man3/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/man/man3/lber-decode.3
===================================================================
--- openldap/trunk/doc/man/man3/lber-decode.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/lber-decode.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LBER_DECODE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-decode.3,v 1.23.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-decode.3,v 1.23.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ber_get_next, ber_skip_tag, ber_peek_tag, ber_scanf, ber_get_int, ber_get_enum, ber_get_stringb, ber_get_stringa, ber_get_stringal, ber_get_stringbv, ber_get_null, ber_get_boolean, ber_get_bitstring, ber_first_element, ber_next_element \- OpenLDAP LBER simplified Basic Encoding Rules library routines for decoding

Modified: openldap/trunk/doc/man/man3/lber-encode.3
===================================================================
--- openldap/trunk/doc/man/man3/lber-encode.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/lber-encode.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LBER_ENCODE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-encode.3,v 1.21.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-encode.3,v 1.21.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ber_alloc_t, ber_flush, ber_flush2, ber_printf, ber_put_int, ber_put_enum, ber_put_ostring, ber_put_string, ber_put_null, ber_put_boolean, ber_put_bitstring, ber_start_seq, ber_start_set, ber_put_seq, ber_put_set \- OpenLDAP LBER simplified Basic Encoding Rules library routines for encoding

Modified: openldap/trunk/doc/man/man3/lber-memory.3
===================================================================
--- openldap/trunk/doc/man/man3/lber-memory.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/lber-memory.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LBER_MEMORY 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-memory.3,v 1.14.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-memory.3,v 1.14.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ber_memalloc, ber_memcalloc, ber_memrealloc, ber_memfree, ber_memvfree \- OpenLDAP LBER memory allocators

Modified: openldap/trunk/doc/man/man3/lber-sockbuf.3
===================================================================
--- openldap/trunk/doc/man/man3/lber-sockbuf.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/lber-sockbuf.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LBER_SOCKBUF 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-sockbuf.3,v 1.2.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-sockbuf.3,v 1.2.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ber_sockbuf_alloc, ber_sockbuf_free, ber_sockbuf_ctrl, ber_sockbuf_add_io, ber_sockbuf_remove_io, Sockbuf_IO \- OpenLDAP LBER I/O infrastructure

Modified: openldap/trunk/doc/man/man3/lber-types.3
===================================================================
--- openldap/trunk/doc/man/man3/lber-types.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/lber-types.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LBER_TYPES 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-types.3,v 1.19.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/lber-types.3,v 1.19.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ber_int_t, ber_uint_t, ber_len_t, ber_slen_t, ber_tag_t, struct berval, BerValue, BerVarray, BerElement, ber_bvfree, ber_bvecfree, ber_bvecadd, ber_bvarray_free, ber_bvarray_add, ber_bvdup, ber_dupbv, ber_bvstr, ber_bvstrdup, ber_str2bv, ber_alloc_t, ber_init, ber_init2, ber_free \- OpenLDAP LBER types and allocation functions

Modified: openldap/trunk/doc/man/man3/ldap.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap.3,v 1.40.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap.3,v 1.40.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap \- OpenLDAP Lightweight Directory Access Protocol API

Modified: openldap/trunk/doc/man/man3/ldap_abandon.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_abandon.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_abandon.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_ABANDON 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_abandon.3,v 1.17.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_abandon.3,v 1.17.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_abandon_ext \- Abandon an LDAP operation in progress

Modified: openldap/trunk/doc/man/man3/ldap_add.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_add.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_add.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_ADD 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_add.3,v 1.17.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_add.3,v 1.17.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_add_ext, ldap_add_ext_s \- Perform an LDAP add operation

Modified: openldap/trunk/doc/man/man3/ldap_bind.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_bind.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_bind.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_BIND 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_bind.3,v 1.20.2.4 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_bind.3,v 1.20.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_bind, ldap_bind_s, ldap_simple_bind, ldap_simple_bind_s, ldap_sasl_bind, ldap_sasl_bind_s, ldap_sasl_interactive_bind_s, ldap_parse_sasl_bind_result, ldap_unbind, ldap_unbind_s, ldap_unbind_ext, ldap_unbind_ext_s, ldap_set_rebind_proc \- LDAP bind routines

Modified: openldap/trunk/doc/man/man3/ldap_compare.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_compare.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_compare.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_COMPARE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_compare.3,v 1.16.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_compare.3,v 1.16.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_compare, ldap_compare_s, ldap_compare_ext, ldap_compare_ext_s \- Perform an LDAP compare operation.

Modified: openldap/trunk/doc/man/man3/ldap_controls.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_controls.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_controls.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_CONTROLS 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_controls.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_controls.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_control_create, ldap_control_find, ldap_control_dup,

Modified: openldap/trunk/doc/man/man3/ldap_delete.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_delete.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_delete.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_DELETE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_delete.3,v 1.16.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_delete.3,v 1.16.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_delete, ldap_delete_s, ldap_delete_ext, ldap_delete_ext_s \- Perform an LDAP delete operation.

Modified: openldap/trunk/doc/man/man3/ldap_error.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_error.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_error.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_ERROR 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_error.3,v 1.21.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_error.3,v 1.21.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_perror, ld_errno, ldap_result2error, ldap_errlist, ldap_err2string \- LDAP protocol error handling routines

Modified: openldap/trunk/doc/man/man3/ldap_extended_operation.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_extended_operation.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_extended_operation.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_EXTENDED_OPERATION 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_extended_operation.3,v 1.1.2.5 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_extended_operation.3,v 1.1.2.6 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_extended_operation, ldap_extended_operation_s \- Extends the LDAP operations to the LDAP server.

Modified: openldap/trunk/doc/man/man3/ldap_first_attribute.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_first_attribute.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_first_attribute.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_FIRST_ATTRIBUTE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_attribute.3,v 1.21.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_attribute.3,v 1.21.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_first_attribute, ldap_next_attribute \- step through LDAP entry attributes

Modified: openldap/trunk/doc/man/man3/ldap_first_entry.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_first_entry.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_first_entry.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_FIRST_ENTRY 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_entry.3,v 1.16.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_entry.3,v 1.16.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_first_entry, ldap_next_entry, ldap_count_entries \- LDAP result entry parsing and counting routines

Modified: openldap/trunk/doc/man/man3/ldap_first_message.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_first_message.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_first_message.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_FIRST_MESSAGE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_message.3,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_message.3,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_first_message, ldap_next_message, ldap_count_messages \- Stepping through messages in a result chain

Modified: openldap/trunk/doc/man/man3/ldap_first_reference.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_first_reference.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_first_reference.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_FIRST_REFERENCE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_reference.3,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_first_reference.3,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_first_reference, ldap_next_reference, ldap_count_references \- Stepping through continuation references in a result chain

Modified: openldap/trunk/doc/man/man3/ldap_get_dn.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_get_dn.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_get_dn.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_GET_DN 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_dn.3,v 1.28.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_dn.3,v 1.28.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_get_dn, ldap_explode_dn, ldap_explode_rdn, ldap_dn2ufn \- LDAP DN handling routines

Modified: openldap/trunk/doc/man/man3/ldap_get_option.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_get_option.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_get_option.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_GET_OPTION 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_option.3,v 1.3.2.4 2007/10/17 14:34:48 ando Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_option.3,v 1.3.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_get_option, ldap_set_option \- LDAP option handling routines

Modified: openldap/trunk/doc/man/man3/ldap_get_values.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_get_values.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_get_values.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_GET_VALUES 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_values.3,v 1.17.2.3 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_values.3,v 1.17.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_get_values, ldap_get_values_len, ldap_count_values \- LDAP attribute value handling routines

Modified: openldap/trunk/doc/man/man3/ldap_memory.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_memory.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_memory.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_MEMORY 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_memory.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_memory.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_memfree, ldap_memvfree, ldap_memalloc, ldap_memcalloc, ldap_memrealloc, ldap_strdup \- LDAP memory allocation routines

Modified: openldap/trunk/doc/man/man3/ldap_modify.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_modify.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_modify.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_MODIFY 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_modify.3,v 1.14.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_modify.3,v 1.14.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_modify_ext, ldap_modify_ext_s \- Perform an LDAP modify operation

Modified: openldap/trunk/doc/man/man3/ldap_modrdn.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_modrdn.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_modrdn.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_MODRDN 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_modrdn.3,v 1.14.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_modrdn.3,v 1.14.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_modrdn, ldap_modrdn_s, ldap_modrdn2, ldap_modrdn2_s \- Perform an LDAP modify RDN operation

Modified: openldap/trunk/doc/man/man3/ldap_open.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_open.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_open.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_OPEN 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_open.3,v 1.16.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_open.3,v 1.16.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_init, ldap_initialize, ldap_open \- Initialize the LDAP library and open a connection to an LDAP server

Modified: openldap/trunk/doc/man/man3/ldap_parse_reference.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_parse_reference.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_parse_reference.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_PARSE_REFERENCE 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_reference.3,v 1.12.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_reference.3,v 1.12.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_parse_reference \- Extract referrals and controls from a reference message

Modified: openldap/trunk/doc/man/man3/ldap_parse_result.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_parse_result.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_parse_result.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_PARSE_RESULT 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_result.3,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_result.3,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_parse_result \- Parsing results

Modified: openldap/trunk/doc/man/man3/ldap_parse_sort_control.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_parse_sort_control.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_parse_sort_control.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_PARSE_SORT-CONTROL 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_sort_control.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_sort_control.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_parse_sort_control \- Decode the information returned from a search operation that used a server-side sort control

Modified: openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_PARSE_VLV_CONTROL 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_vlv_control.3,v 1.1.2.3 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_parse_vlv_control.3,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_parse_vlv_control \- Decode the information returned from a search operation that used a VLV (virtual list view) control

Modified: openldap/trunk/doc/man/man3/ldap_rename.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_rename.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_rename.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_RENAME 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_rename.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_rename.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_rename, ldap_rename_s \- Renames the specified entry.

Modified: openldap/trunk/doc/man/man3/ldap_result.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_result.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_result.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_RESULT 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_result.3,v 1.20.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_result.3,v 1.20.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_result \- Wait for the result of an LDAP operation

Modified: openldap/trunk/doc/man/man3/ldap_schema.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_schema.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_schema.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_SCHEMA 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_schema.3,v 1.15.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 2000-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_schema.3,v 1.15.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 2000-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_str2syntax, ldap_syntax2str, ldap_syntax2name, ldap_syntax_free, ldap_str2matchingrule, ldap_matchingrule2str, ldap_matchingrule2name, ldap_matchingrule_free, ldap_str2attributetype, ldap_attributetype2str, ldap_attributetype2name, ldap_attributetype_free, ldap_str2objectclass, ldap_objectclass2str, ldap_objectclass2name, ldap_objectclass_free, ldap_scherr2str \- Schema definition handling routines

Modified: openldap/trunk/doc/man/man3/ldap_search.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_search.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_search.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_SEARCH 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_search.3,v 1.22.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_search.3,v 1.22.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_search, ldap_search_s, ldap_search_st, ldap_search_ext, ldap_search_ext_s \- Perform an LDAP search operation

Modified: openldap/trunk/doc/man/man3/ldap_sort.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_sort.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_sort.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_SORT 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_sort.3,v 1.15.2.3 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_sort.3,v 1.15.2.4 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_sort_entries, ldap_sort_values, ldap_sort_strcasecmp \- LDAP sorting routines (deprecated)

Modified: openldap/trunk/doc/man/man3/ldap_sync.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_sync.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_sync.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_SYNC 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_sync.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 2006 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_sync.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 2006-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_sync_init, ldap_sync_init_refresh_only, ldap_sync_init_refresh_and_persist, ldap_sync_poll \- LDAP sync routines

Modified: openldap/trunk/doc/man/man3/ldap_tls.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_tls.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_tls.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_TLS 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_tls.3,v 1.1.2.2 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_tls.3,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_start_tls, ldap_start_tls_s, ldap_tls_inplace, ldap_install_tls \- LDAP TLS initialization routines

Modified: openldap/trunk/doc/man/man3/ldap_url.3
===================================================================
--- openldap/trunk/doc/man/man3/ldap_url.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man3/ldap_url.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP_URL 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_url.3,v 1.18.2.4 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_url.3,v 1.18.2.5 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap_is_ldap_url, ldap_url_parse, ldap_free_urldesc \- LDAP Uniform Resource Locator routines

Modified: openldap/trunk/doc/man/man5/Makefile.in
===================================================================
--- openldap/trunk/doc/man/man5/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # man5 Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/man/man5/Makefile.in,v 1.11.2.2 2007/08/31 23:13:52 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/man/man5/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/man/man5/ldap.conf.5
===================================================================
--- openldap/trunk/doc/man/man5/ldap.conf.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/ldap.conf.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldap.conf.5,v 1.33.2.5 2007/08/31 23:13:52 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldap.conf.5,v 1.33.2.6 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldap.conf, .ldaprc \- ldap configuration file

Modified: openldap/trunk/doc/man/man5/ldif.5
===================================================================
--- openldap/trunk/doc/man/man5/ldif.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/ldif.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH LDIF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldif.5,v 1.22.2.2 2007/08/31 23:13:53 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldif.5,v 1.22.2.3 2008/02/11 23:26:39 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 ldif \- LDAP Data Interchange Format

Modified: openldap/trunk/doc/man/man5/slapd-bdb.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-bdb.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-bdb.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-BDB 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-bdb.5,v 1.31.2.3 2007/09/26 15:54:28 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-bdb.5,v 1.31.2.5 2008/02/11 23:26:39 kurt Exp $
 .SH NAME
 slapd-bdb, slapd-hdb \- Berkeley DB backends to slapd
 .SH SYNOPSIS
@@ -60,6 +60,25 @@
 \fI<min>\fP minutes to perform the checkpoint.
 See the Berkeley DB reference guide for more details.
 .TP
+.BI cryptfile \ <file>
+Specify the pathname of a file containing an encryption key to use for
+encrypting the database. Encryption is performed using Berkeley DB's
+implementation of AES. Note that encryption can only be configured before
+any database files are created, and changing the key can only be done
+after destroying the current database and recreating it. Encryption is
+not enabled by default, and some distributions of Berkeley DB do not
+support encryption.
+.TP
+.BI cryptkey \ <key>
+Specify an encryption key to use for encrypting the database. This option
+may be used when a separate
+.I cryptfile
+is not desired. Only one of
+.B cryptkey
+or
+.B cryptfile
+may be configured.
+.TP
 .BI dbconfig \ <Berkeley\-DB\-setting>
 Specify a configuration directive to be placed in the
 .B DB_CONFIG
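Review bot: The new `cryptkey` entry does not say that the key then sits in clear text in the slapd configuration, so any account that can read that file can also decrypt the database files. I would add a sentence to the `cryptkey` paragraph such as `The key is stored in clear text; restrict read access to the configuration file to the account slapd runs as.`, with the matching remark for the file named by `cryptfile`. Neither entry gives a format or length for the key, which an administrator needs in order to generate one; a pointer to the Berkeley DB documentation would be enough.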

Modified: openldap/trunk/doc/man/man5/slapd-config.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-config.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-config.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.6 2007/12/03 17:47:41 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.7 2008/02/11 23:26:39 kurt Exp $
 .SH NAME
 slapd-config \- configuration backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-dnssrv.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-dnssrv.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-dnssrv.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-DNSSRV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-dnssrv.5,v 1.11.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-dnssrv.5,v 1.11.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-dnssrv \- DNS SRV referral backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-ldap.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-ldap.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-ldap.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-LDAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldap.5,v 1.41.2.6 2007/09/26 15:36:40 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldap.5,v 1.41.2.7 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-ldap \- LDAP backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-ldbm.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-ldbm.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-ldbm.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-LDBM 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldbm.5,v 1.14.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldbm.5,v 1.14.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-ldbm \- Discontinued LDBM backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-ldif.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-ldif.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-ldif.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-LDIF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldif.5,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-ldif.5,v 1.3.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-ldif \- LDIF backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-meta.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-meta.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-meta.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 .TH SLAPD-META 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
 .\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-meta.5,v 1.46.2.7 2007/09/13 19:17:15 ando Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-meta.5,v 1.46.2.10 2008/04/14 22:46:48 quanah Exp $
 .\"
 .\" Portions of this document should probably be moved to slapd-ldap(5)
 .\" and maybe manual pages for librewrite.
@@ -139,11 +139,12 @@
 overridden by any per-target directive.
 
 .TP
-.B pseudoroot-bind-defer {NO|yes}
+.B pseudoroot-bind-defer {YES|no}
 This directive, when set to 
 .BR yes ,
 causes the authentication to the remote servers with the pseudo-root
 identity to be deferred until actually needed by subsequent operations.
+Otherwise, all binds as the rootdn are propagated to the targets.
 
 .TP
 .B quarantine <interval>,<num>[;<interval>,<num>[...]]
@@ -286,6 +287,183 @@
 Target <target> must be defined.
 
 .TP
+.B idassert-authzFrom <authz-regexp>
+if defined, selects what
+.I local
+identities are authorized to exploit the identity assertion feature.
+The string
+.B <authz-regexp>
+follows the rules defined for the
+.I authzFrom
+attribute.
+See 
+.BR slapd.conf (5),
+section related to
+.BR authz-policy ,
+for details on the syntax of this field.
+
+.HP
+.hy 0
+.B idassert-bind
+.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
+.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
+.B [authcId=<authentication ID>] [authzId=<authorization ID>]
+.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
+.B [tls_cert=<file>]
+.B [tls_key=<file>]
+.B [tls_cacert=<file>]
+.B [tls_cacertdir=<path>]
+.B [tls_reqcert=never|allow|try|demand]
+.B [tls_ciphersuite=<ciphers>]
+.B [tls_crlcheck=none|peer|all]
+.RS
+Allows to define the parameters of the authentication method that is 
+internally used by the proxy to authorize connections that are 
+authenticated by other databases.
+The identity defined by this directive, according to the properties
+associated to the authentication method, is supposed to have auth access 
+on the target server to attributes used on the proxy for authentication
+and authorization, and to be allowed to authorize the users.
+This requires to have
+.B proxyAuthz
+privileges on a wide set of DNs, e.g.
+.BR authzTo=dn.subtree:"" ,
+and the remote server to have
+.B authz-policy
+set to
+.B to
+or
+.BR both .
+See
+.BR slapd.conf (5)
+for details on these statements and for remarks and drawbacks about
+their usage.
+The supported bindmethods are
+
+\fBnone|simple|sasl\fP
+
+where
+.B none
+is the default, i.e. no \fIidentity assertion\fP is performed.
+
+The authz parameter is used to instruct the SASL bind to exploit 
+.B native 
+SASL authorization, if available; since connections are cached,
+this should only be used when authorizing with a fixed identity
+(e.g. by means of the 
+.B authzDN
+or
+.B authzID
+parameters).
+Otherwise, the default
+.B proxyauthz
+is used, i.e. the proxyAuthz control (Proxied Authorization, RFC 4370)
+is added to all operations.
+
+The supported modes are:
+
+\fB<mode> := {legacy|anonymous|none|self}\fP
+
+If 
+.B <mode>
+is not present, and 
+.B authzId
+is given, the proxy always authorizes that identity.
+.B <authorization ID>
+can be 
+
+\fBu:<user>\fP
+
+\fB[dn:]<DN>\fP
+
+The former is supposed to be expanded by the remote server according 
+to the authz rules; see
+.BR slapd.conf (5)
+for details.
+In the latter case, whether or not the 
+.B dn:
+prefix is present, the string must pass DN validation and normalization.
+
+The default mode is 
+.BR legacy ,
+which implies that the proxy will either perform a simple bind as the
+.I authcDN
+or a SASL bind as the
+.I authcID
+and assert the client's identity when it is not anonymous.
+Direct binds are always proxied.
+The other modes imply that the proxy will always either perform a simple bind 
+as the
+.IR authcDN
+or a SASL bind as the
+.IR authcID ,
+unless restricted by
+.BR idassert-authzFrom
+rules (see below), in which case the operation will fail;
+eventually, it will assert some other identity according to
+.BR <mode> .
+Other identity assertion modes are
+.BR anonymous
+and
+.BR self ,
+which respectively mean that the 
+.I empty 
+or the 
+.IR client 's 
+identity
+will be asserted;
+.BR none ,
+which means that no proxyAuthz control will be used, so the
+.I authcDN
+or the
+.I authcID
+identity will be asserted.
+For all modes that require the use of the
+.I proxyAuthz 
+control, on the remote server the proxy identity must have appropriate 
+.I authzTo
+permissions, or the asserted identities must have appropriate
+.I authzFrom 
+permissions.  Note, however, that the ID assertion feature is mostly 
+useful when the asserted identities do not exist on the remote server.
+
+Flags can be
+
+\fBoverride,[non-]prescriptive\fP
+
+When the 
+.B override
+flag is used, identity assertion takes place even when the database
+is authorizing for the identity of the client, i.e. after binding
+with the provided identity, and thus authenticating it, the proxy
+performs the identity assertion using the configured identity and
+authentication method.
+
+When the
+.B prescriptive
+flag is used (the default), operations fail with
+\fIinappropriateAuthentication\fP
+for those identities whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+If the 
+.B non-prescriptive
+flag is used, operations are performed anonymously for those identities 
+whose assertion is not allowed by the
+.B idassert-authzFrom
+patterns.
+
+The TLS settings default to the same as the main slapd TLS settings,
+except for
+.B tls_reqcert
+which defaults to "demand".
+
+The identity associated to this directive is also used for privileged
+operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
+is not.  See \fBacl-bind\fP for details.
+.RE
+
+.TP
 .B idle-timeout <time>
 This directive causes a cached connection to be dropped an recreated
 after it has been idle for the specified time.
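Review bot: The `idassert-bind` text suggests granting the proxy identity `authzTo=dn.subtree:""` but leaves the consequence to slapd.conf(5): that identity is then allowed to authorize as any DN on the target, and its `credentials=` value is kept in clear text in the proxy's configuration. I would state this next to the example, e.g. `Restrict authzTo to the subtrees that are actually proxied and protect the configuration file, since these credentials can be used to assume any identity they cover.` Two smaller points in the same hunk: `(see below)` after `idassert-authzFrom` should read `(see above)`, because that directive is documented before `idassert-bind`, and the `authz` paragraph names an `authzDN` parameter that the synopsis does not list.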

Modified: openldap/trunk/doc/man/man5/slapd-monitor.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-monitor.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-monitor.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-MONITOR 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-monitor.5,v 1.9.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-monitor.5,v 1.9.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-monitor \- Monitor backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-null.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-null.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-null.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-NULL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2002-2007 The OpenLDAP Foundation.  All Rights Reserved.
+.\" Copyright 2002-2008 The OpenLDAP Foundation.  All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-null.5,v 1.10.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-null.5,v 1.10.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-null \- Null backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-passwd.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-passwd.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-passwd.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-PASSWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-passwd.5,v 1.11.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-passwd.5,v 1.11.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd-passwd \- /etc/passwd backend to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd-shell.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd-shell.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd-shell.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD-SHELL 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-shell.5,v 1.16.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-shell.5,v 1.16.2.5 2008/02/11 23:49:02 quanah Exp $
 .SH NAME
 slapd-shell \- Shell backend to slapd
 .SH SYNOPSIS
@@ -14,7 +14,7 @@
 .B slapd
 front-end.
 .LP
-This backend is is primarily intended to be used in prototypes.
+This backend is primarily intended to be used in prototypes.
 .SH WARNING
 The
 .B abandon

Copied: openldap/trunk/doc/man/man5/slapd-sock.5 (from rev 1127, openldap/vendor/openldap-2.4.9/doc/man/man5/slapd-sock.5)
===================================================================
--- openldap/trunk/doc/man/man5/slapd-sock.5	                        (rev 0)
+++ openldap/trunk/doc/man/man5/slapd-sock.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,248 @@
+.TH SLAPD-SOCK 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2007-2008 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-sock.5,v 1.3.2.1 2008/02/09 00:46:08 quanah Exp $
+.SH NAME
+slapd-sock \- Socket backend to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The Socket backend to
+.BR slapd (8)
+uses an external program to handle queries, similarly to
+.BR slapd-shell (5).
+However, in this case the external program listens on a Unix domain socket.
+This makes it possible to have a pool of processes, which persist between
+requests. This allows multithreaded operation and a higher level of
+efficiency. The external program must have been started independently;
+.BR slapd (8)
+itself will not start it.
+.SH CONFIGURATION
+These
+.B slapd.conf
+options apply to the SOCK backend database.
+That is, they must follow a "database sock" line and come before any
+subsequent "backend" or "database" lines.
+Other database options are described in the
+.BR slapd.conf (5)
+manual page.
+.TP
+.B extensions      [ binddn | peername | ssf ]*
+Enables the sending of additional meta-attributes with each request.
+.nf
+binddn: <bound DN>
+peername: IP=<address>:<port>
+ssf: <SSF value>
+.fi
+.TP
+.B socketpath      <pathname>
+Gives the path to a Unix domain socket to which the commands will
+be sent and from which replies are received.
+.SH PROTOCOL
+The protocol is essentially the same as
+.BR slapd-shell (5)
+with the addition of a newline to terminate the command parameters. The
+following commands are sent:
+.RS
+.nf
+ADD
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+<entry in LDIF format>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+BIND
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+method: <method number>
+credlen: <length of <credentials>>
+cred: <credentials>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+COMPARE
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+<attribute>: <value>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+DELETE
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+MODIFY
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+<repeat {
+    <"add"/"delete"/"replace">: <attribute>
+    <repeat { <attribute>: <value> }>
+    -
+}>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+MODRDN
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+dn: <DN>
+newrdn: <new RDN>
+deleteoldrdn: <0 or 1>
+<if new superior is specified: "newSuperior: <DN>">
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+SEARCH
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+base: <base DN>
+scope: <0-2, see ldap.h>
+deref: <0-3, see ldap.h>
+sizelimit: <size limit>
+timelimit: <time limit>
+filter: <filter>
+attrsonly: <0 or 1>
+attrs: <"all" or space-separated attribute list>
+<blank line>
+.fi
+.RE
+.PP
+.RS
+.nf
+UNBIND
+msgid: <message id>
+<repeat { "suffix:" <database suffix DN> }>
+<blank line>
+.fi
+.RE
+.LP
+The commands - except \fBunbind\fP - should output:
+.RS
+.nf
+RESULT
+code: <integer>
+matched: <matched DN>
+info: <text>
+.fi
+.RE
+where only RESULT is mandatory, and then close the socket.
+The \fBsearch\fP RESULT should be preceded by the entries in LDIF
+format, each entry followed by a blank line.
+Lines starting with `#' or `DEBUG:' are ignored.
+.SH ACCESS CONTROL
+The
+.B sock
+backend does not honor all ACL semantics as described in
+.BR slapd.access (5).
+In general, access to objects is checked by using a dummy object
+that contains only the DN, so access rules that rely on the contents
+of the object are not honored.
+In detail:
+.LP
+The
+.B add
+operation does not require
+.B write (=w)
+access to the 
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B bind
+operation requires 
+.B auth (=x)
+access to the 
+.B entry
+pseudo-attribute of the entry whose identity is being assessed;
+.B auth (=x)
+access to the credentials is not checked, but rather delegated 
+to the underlying program.
+.LP
+The
+.B compare
+operation requires 
+.B compare (=c)
+access to the 
+.B entry
+pseudo-attribute
+of the object whose value is being asserted;
+.B compare (=c)
+access to the attribute whose value is being asserted is not checked.
+.LP
+The
+.B delete
+operation does not require
+.B write (=w)
+access to the 
+.B children
+pseudo-attribute of the parent entry.
+.LP
+The
+.B modify
+operation requires
+.B write (=w)
+access to the 
+.B entry 
+pseudo-attribute;
+.B write (=w)
+access to the specific attributes that are modified is not checked.
+.LP
+The
+.B modrdn
+operation does not require
+.B write (=w)
+access to the 
+.B children
+pseudo-attribute of the parent entry, nor to that of the new parent,
+if different;
+.B write (=w)
+access to the distinguished values of the naming attributes
+is not checked.
+.LP
+The
+.B search 
+operation does not require
+.B search (=s)
+access to the 
+.B entry
+pseudo_attribute of the searchBase;
+.B search (=s)
+access to the attributes and values used in the filter is not checked.
+
+.SH EXAMPLE
+There is an example script in the slapd/back-sock/ directory
+in the OpenLDAP source tree.
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd (8).
+.SH AUTHOR
+Brian Candler
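Review bot: The page never says who may access the socket named by `socketpath`, although the BIND request carries `cred: <credentials>` in clear text and the ACCESS CONTROL section lists several ACL checks that slapd does not perform for this backend. I would add to the `socketpath` entry: `The socket and its directory should be accessible only to the slapd account and the backend program; slapd does not authenticate the program listening on it.` The last clause is inferred from the page, which only states that slapd will not start the program, so confirm it against back-sock before committing the wording. Also, `pseudo_attribute` in the search paragraph should be `pseudo-attribute`, as in the other paragraphs.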

Modified: openldap/trunk/doc/man/man5/slapd.access.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.access.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd.access.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPD.ACCESS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapd.access \- access configuration for slapd, the stand-alone LDAP daemon
@@ -595,7 +595,8 @@
 part, and it is compared against the
 .B <ip>
 portion of the pattern after masking with
-.BR <mask> .
+.BR <mask> :
+\fI((peername & <mask>) == <ip>)\fP.
 As an example, 
 .B peername.ip=127.0.0.1
 and
@@ -951,7 +952,8 @@
 .B search (=s)
 privileges on the 
 .B entry
-pseudo-attribute of the searchBase (NOTE: this was introduced with 2.3).
+pseudo-attribute of the searchBase
+(NOTE: this was introduced with OpenLDAP 2.4).
 Then, for each entry, it requires
 .B search (=s)
 privileges on the attributes that are defined in the filter.
@@ -997,6 +999,10 @@
 attribute of the authorizing identity and/or on the 
 .B authzFrom
 attribute of the authorized identity.
+In general, when an internal lookup is performed for authentication
+or authorization purposes, search-specific privileges (see the access
+requirements for the search operation illustrated above) are relaxed to
+.BR auth .
 
 .LP
 Access control to search entries is checked by the frontend,

Modified: openldap/trunk/doc/man/man5/slapd.backends.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.backends.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd.backends.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD.BACKENDS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2006-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2006-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.backends.5,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.backends.5,v 1.3.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd.backends \- backends for slapd, the stand-alone LDAP daemon
 .SH DESCRIPTION

Modified: openldap/trunk/doc/man/man5/slapd.conf.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.conf.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd.conf.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.14 2007/12/03 17:47:41 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.15 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapd.overlays.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.overlays.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd.overlays.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPD.OVERLAYS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2006-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2006-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.overlays.5,v 1.4.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.overlays.5,v 1.4.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapd.overlays \- overlays for slapd, the stand-alone LDAP daemon
 .SH DESCRIPTION

Modified: openldap/trunk/doc/man/man5/slapd.plugin.5
===================================================================
--- openldap/trunk/doc/man/man5/slapd.plugin.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapd.plugin.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPD.PLUGIN 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2002-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2002-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapd.plugin \- plugin configuration for slapd, the stand-alone LDAP daemon

Modified: openldap/trunk/doc/man/man5/slapo-accesslog.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-accesslog.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-accesslog.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-accesslog.5,v 1.9.2.4 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-accesslog.5,v 1.9.2.5 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-accesslog \- Access Logging overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-auditlog.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-auditlog.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-auditlog.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,11 +1,13 @@
 .TH SLAPO-AUDITLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-auditlog.5,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-auditlog.5,v 1.3.2.5 2008/02/12 00:29:21 quanah Exp $
 .SH NAME
 slapo-auditlog \- Audit Logging overlay to slapd
 .SH SYNOPSIS
 ETCDIR/slapd.conf
+.TP
+ETCDIR/slapd.d
 .SH DESCRIPTION
 The Audit Logging overlay can be used to record all changes on a given
 backend database to a specified log file. Changes are logged as standard
@@ -26,10 +28,33 @@
 .B auditlog <filename>
 Specify the fully qualified path for the log file.
 .TP
-.B
+.B olcAuditlogFile <filename>
+For use with 
+.B cn=config
+.SH EXAMPLE
+The following LDIF could be used to add this overlay to
+.B cn=config 
+(adjust to suit)
+.LP
+.RS
+.nf
+dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config 
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcAuditLogConfig
+olcOverlay: auditlog
+olcAuditlogFile: /tmp/auditlog.ldif
+.fi
+.RE
+.LP
+.LP
 .SH FILES
 .TP
 ETCDIR/slapd.conf
 default slapd configuration file
+.TP
+ETCDIR/slapd.d
+default slapd configuration directory
 .SH SEE ALSO
-.BR slapd.conf (5).
+.BR slapd.conf (5),
+.BR slapd-config(5).
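Review bot: The added EXAMPLE section points `olcAuditlogFile` at `/tmp/auditlog.ldif`, a fixed name in a world-writable directory, for a file that by this page's own description receives every change to the database as LDIF. Any local account can pre-create or link that name before slapd opens it, and the logged changes may well include credential attributes, so administrators who copy the example inherit both problems. I would show a path in a directory owned by the slapd account and closed to other users, for instance `olcAuditlogFile: /var/log/slapd/auditlog.ldif` (a constructed path, adjust per site), and say so in the sentence that introduces the LDIF. Separately, the last added line should read `.BR slapd\-config (5).` so the section number is set in roman like the line above it.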

Modified: openldap/trunk/doc/man/man5/slapo-chain.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-chain.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-chain.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-CHAIN 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-chain.5,v 1.10.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-chain.5,v 1.10.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-chain \- chain overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-constraint.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-constraint.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-constraint.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,19 +1,24 @@
 .TH SLAPO-CONSTRAINT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 2005-2006 Hewlett-Packard Company
+.\" Copyright 2006-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-constraint.5,v 1.2.2.4 2008/02/12 00:20:58 quanah Exp $
 .SH NAME
 slapo-constraint \- Attribute Constraint Overlay to slapd
 .SH SYNOPSIS
 ETCDIR/slapd.conf
 .SH DESCRIPTION
-The constraint overlay is used to enforce a regular expression
-constraint on all values of specified attributes. Attributes can
+The constraint overlay is used to ensure that attribute values match
+some constraints beyond basic LDAP syntax.  Attributes can
 have multiple constraints placed upon them, and all must be satisfied
 when modifying an attribute value under constraint.
 .LP
 This overlay is intended to be used to force syntactic regularity upon
 certain string represented data which have well known canonical forms,
 like telephone numbers, post codes, FQDNs, etc.
+.LP
+It constrains only LDAP adds and modify commands and only seeks to
+control the add and modify value of a modify request.
 .SH CONFIGURATION
 This
 .B slapd.conf
@@ -25,33 +30,55 @@
 .B constraint_attribute <attribute_name> <type> <value>
 Specifies the constraint which should apply to the attribute named as
 the first parameter.
-At the moment only one type of constraint is supported -
-.B
-regex.
+Two types of constraint are currently supported -
+.B regex
+and
+.BR uri .
+
 The parameter following the
-.B
-regex
+.B regex
 type is a Unix style regular expression (See
-.B
-regex(7))
+.BR regex (7)
+). The parameter following the
+.B uri
+type is an LDAP URI. The URI will be evaluated using an internal search.
+It must not include a hostname, and it must include a list of attributes
+to evaluate.
 
 Any attempt to add or modify an attribute named as part of the
-constraint overlay specification which does not fit the regular
-expression constraint listed will fail with a
+constraint overlay specification which does not fit the 
+constraint listed will fail with a
 LDAP_CONSTRAINT_VIOLATION error.
 .SH EXAMPLES
-.B
+.LP
+.RS
+.nf
+overlay constraint
 constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+constraint_attribute title uri
+  ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+.fi
 
 A specification like the above would reject any
-.B
-mail
+.B mail
 attribute which did not look like
 .B
 <alpha-numeric string>@mydomain.com
+It would also reject any
+.B title
+attribute whose values were not listed in the
+.B title
+attribute of any
+.B titleCatalog
+entries in the given scope.
+.RE
 .SH FILES
 .TP
 ETCDIR/slapd.conf
 default slapd configuration file
 .SH SEE ALSO
 .BR slapd.conf (5).
+.SH ACKNOWLEDGEMENTS
+This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently
+extended by Howard Chu and Emmanuel Dreyfus.
+.so ../Project
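Review bot: The `constraint_attribute mail regex` line kept in the reworked EXAMPLES block does not enforce what the following paragraph claims: `[:alnum:]` outside a bracket expression is read as a set of the literal characters `:`, `a`, `l`, `n`, `u`, `m`, and the unescaped `.` matches any character. Since this hunk already reformats the example, it is the place to correct it to `constraint_attribute mail regex ^[[:alnum:]]+@mydomain[.]com$`; the ` at ` shown on this page is presumably the list archive's address masking rather than part of the man page. A constraint that is looser than documented gives a false sense of input validation, so the example should match its description exactly.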

Modified: openldap/trunk/doc/man/man5/slapo-dds.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-dds.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-dds.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-DDS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dds.5,v 1.1.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dds.5,v 1.1.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-dds \- Dynamic Directory Services overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-dyngroup.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-dyngroup.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-dyngroup.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-DYNGROUP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dyngroup.5,v 1.2.2.1 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dyngroup.5,v 1.2.2.2 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-dyngroup \- Dynamic Group overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-dynlist.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-dynlist.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-dynlist.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-DYNLIST 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dynlist.5,v 1.7.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-dynlist.5,v 1.7.2.4 2008/05/01 21:19:41 quanah Exp $
 .SH NAME
 slapo-dynlist \- Dynamic List overlay to slapd
 .SH SYNOPSIS
@@ -50,7 +50,7 @@
 .B overlay
 directive.
 .TP
-.B dynlist-attrset <group-oc> <URL-ad> [<member-ad>]
+.B dynlist-attrset <group-oc> <URL-ad> [[<mapped-ad>:]<member-ad> ...]
 The value 
 .B <group-oc> 
 is the name of the objectClass that triggers the dynamic expansion of the
@@ -82,6 +82,15 @@
 entry as values of the
 .B <member-ad>
 attribute.
+
+Alternatively, 
+.B <mapped-ad>:<member-ad>
+can be used to remap attributes obtained through expansion. 
+.B <member-ad>
+attributes are not filled by expanded DN, but are remapped as
+.B <mapped-ad> 
+attributes. Multiple mapping statements can be used.
+
 .LP
 The dynlist overlay may be used with any backend, but it is mainly 
 intended for use with local storage backends.
@@ -173,3 +182,5 @@
 .SH ACKNOWLEDGEMENTS
 .P
 This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
+.P
+Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.

Modified: openldap/trunk/doc/man/man5/slapo-memberof.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-memberof.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-memberof.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-MEMBEROF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-memberof.5,v 1.1.2.1 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-memberof.5,v 1.1.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-memberof \- Reverse Group Membership overlay to slapd
 .SH SYNOPSIS
@@ -36,59 +36,69 @@
 configuration options are defined for the memberofoverlay.
 
 .TP
-.B memberof-group-oc <group-oc>
+.BI memberof-group-oc \ <group-oc>
 The value 
-.B <group-oc> 
+.I <group-oc> 
 is the name of the objectClass that triggers the reverse group membership
 update.
 It defaults to \fIgroupOfNames\fP.
 
 .TP
-.B memberof-member-ad <member-ad>
+.BI memberof-member-ad \ <member-ad>
 The value 
-.B <member-ad> 
+.I <member-ad> 
 is the name of the attribute that contains the names of the members
 in the group objects; it must be DN-valued.
 It defaults to \fImember\fP.
 
 .TP
-.B memberof-memberof-ad <memberof-ad>
+.BI memberof-memberof-ad \ <memberof-ad>
 The value 
-.B <memberof-ad> 
+.I <memberof-ad> 
 is the name of the attribute that contains the names of the groups
 an entry is member of; it must be DN-valued.  Its contents are 
 automatically updated by the overlay.
 It defaults to \fImemberOf\fP.
 
 .TP
-.B memberof-dn <dn>
+.BI memberof-dn \ <dn>
 The value 
-.B <dn> 
+.I <dn> 
 contains the DN that is used as \fImodifiersName\fP for internal 
 modifications performed to update the reverse group membership.
 It defaults to the \fIrootdn\fP of the underlying database.
 
 .TP
-.B memberof-dangling {ignore, drop, error}
+.BI "memberof-dangling {" ignore ", " drop ", " error "}"
 This option determines the behavior of the overlay when, during 
 a modification, it encounters dangling references.
 The default is
-.BR ignore ,
+.IR ignore ,
 which may leave dangling references.
 Other options are
-.BR drop ,
+.IR drop ,
 which discards those modifications that would result in dangling
 references, and
-.BR error ,
+.IR error ,
 which causes modifications that would result in dangling references
 to fail.
 
 .TP
-.B memberof-refint {true|FALSE}
+.BI memberof-dangling-error \ <error-code>
+If
+.BR memberof-dangling
+is set to
+.IR error ,
+this configuration parameter can be used to modify the response code
+returned in case of violation.  It defaults to "constraint violation",
+but other implementations are known to return "no such object" instead.
+
+.TP
+.BI "memberof-refint {" true "|" FALSE "}"
 This option determines whether the overlay will try to preserve
 referential integrity or not.
 If set to
-.BR TRUE ,
+.IR TRUE ,
 when an entry containing values of the "is member of" attribute is modified,
 the corresponding groups are modified as well.
 

Modified: openldap/trunk/doc/man/man5/slapo-pcache.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-pcache.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-pcache.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 .TH SLAPO-PCACHE 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
 .\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-pcache.5,v 1.14.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-pcache.5,v 1.14.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-pcache \- proxycache overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-ppolicy.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-ppolicy.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-ppolicy.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-ppolicy.5,v 1.12.2.5 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-ppolicy.5,v 1.12.2.7 2008/04/24 08:15:34 hyc Exp $
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .SH NAME
@@ -491,7 +491,7 @@
 .SH OPERATIONAL ATTRIBUTES
 .P
 The operational attributes used by the
-.B passwd_policy
+.B ppolicy
 module are stored in the user's entry.  Most of these attributes
 are not intended to be changed directly by users; they are there
 to track user activity.  They have been detailed here so that
@@ -500,6 +500,19 @@
 .B ppolicy
 module.
 
+.P
+Note that the current IETF Password Policy proposal does not define
+how these operational attributes are expected to behave in a
+replication environment. In general, authentication attempts on
+a slave server only affect the copy of the operational attributes
+on that slave and will not affect any attributes for
+a user's entry on the master server. Operational attribute changes
+resulting from authentication attempts on a master server
+will usually replicate to the slaves (and also overwrite
+any changes that originated on the slave). 
+These behaviors are not guaranteed and are subject to change
+when a formal specification emerges.
+
 .B userPassword
 .P
 The

Modified: openldap/trunk/doc/man/man5/slapo-refint.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-refint.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-refint.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-REFINT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-refint.5,v 1.5.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-refint.5,v 1.5.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-refint \- Referential Integrity overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-retcode.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-retcode.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-retcode.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 .TH SLAPO-RETCODE 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
 .\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-retcode.5,v 1.9.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-retcode.5,v 1.9.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-retcode \- return code overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-rwm.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-rwm.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-rwm.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 .TH SLAPO-RWM 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 1998-2008 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
 .\" Copyright 2004, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-rwm.5,v 1.14.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-rwm.5,v 1.14.2.4 2008/02/11 23:26:40 kurt Exp $
 .\"
 .\" Portions of this document should probably be moved to slapd-ldap(5)
 .\" and maybe manual pages for librewrite.

Modified: openldap/trunk/doc/man/man5/slapo-syncprov.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-syncprov.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-syncprov.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-SYNCPROV 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-syncprov.5,v 1.9.2.3 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-syncprov.5,v 1.9.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-syncprov \- Sync Provider overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-translucent.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-translucent.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-translucent.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-TRANSLUCENT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-translucent.5,v 1.4.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-translucent.5,v 1.4.2.4 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-translucent \- Translucent Proxy overlay to slapd
 .SH SYNOPSIS
@@ -36,7 +36,7 @@
 .BR slapd-ldap (5).
 These
 .B slapd.conf
-options are specific to the Translucent Proxy overlay; they should appear 
+options are specific to the Translucent Proxy overlay; they must appear 
 after the
 .B overlay
 directive.
@@ -57,6 +57,32 @@
 must be created by hand. Glue records are always created for a
 .B modify
 operation.
+.TP
+.B translucent_local <attr[,attr...]>
+Specify a list of attributes that should be searched for in the local database
+when used in a search filter. By default, search filters are only handled by
+the remote database. With this directive, search filters will be split into a
+local and remote portion, and local attributes will be searched locally.
+.TP
+.B translucent_remote <attr[,attr...]>
+Specify a list of attributes that should be searched for in the remote database
+when used in a search filter. This directive complements the
+.B translucent_local
+directive. Attributes may be specified as both local and remote if desired.
+.LP
+If neither
+.B translucent_local
+nor
+.B translucent_remote
+are specified, the default behavior is to search the remote database with the
+complete search filter. If only
+.B translucent_local
+is specified, searches will only be run on the local database. Likewise, if only
+.B translucent_remote
+is specified, searches will only be run on the remote database. In any case, both
+the local and remote entries corresponding to a search result will be merged
+before being returned to the client.
+
 .SH CAVEATS
 .LP
 The Translucent Proxy overlay will disable schema checking in the local database,

Modified: openldap/trunk/doc/man/man5/slapo-unique.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-unique.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-unique.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-UNIQUE 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-unique.5,v 1.6.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-unique.5,v 1.6.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-unique \- Attribute Uniqueness overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man5/slapo-valsort.5
===================================================================
--- openldap/trunk/doc/man/man5/slapo-valsort.5	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man5/slapo-valsort.5	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 .TH SLAPO-VALSORT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-valsort.5,v 1.4.2.2 2007/08/31 23:13:53 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-valsort.5,v 1.4.2.3 2008/02/11 23:26:40 kurt Exp $
 .SH NAME
 slapo-valsort \- Value Sorting overlay to slapd
 .SH SYNOPSIS

Modified: openldap/trunk/doc/man/man8/Makefile.in
===================================================================
--- openldap/trunk/doc/man/man8/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # man8 Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/man/man8/Makefile.in,v 1.11.2.2 2007/08/31 23:13:53 quanah Exp $
+# $OpenLDAP: pkg/ldap/doc/man/man8/Makefile.in,v 1.11.2.3 2008/02/11 23:26:40 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/man/man8/slapacl.8
===================================================================
--- openldap/trunk/doc/man/man8/slapacl.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapacl.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPACL 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapacl \- Check access to a list of attributes.

Modified: openldap/trunk/doc/man/man8/slapadd.8
===================================================================
--- openldap/trunk/doc/man/man8/slapadd.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapadd.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH SLAPADD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapadd.8,v 1.34.2.7 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapadd.8,v 1.34.2.8 2008/02/11 23:26:40 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapadd \- Add entries to a SLAPD database

Modified: openldap/trunk/doc/man/man8/slapauth.8
===================================================================
--- openldap/trunk/doc/man/man8/slapauth.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapauth.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPAUTH 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapauth \- Check a list of string-represented IDs for LDAP authc/authz

Modified: openldap/trunk/doc/man/man8/slapcat.8
===================================================================
--- openldap/trunk/doc/man/man8/slapcat.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapcat.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH SLAPCAT 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapcat.8,v 1.28.2.6 2007/11/14 09:04:34 ghenry Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapcat.8,v 1.28.2.7 2008/02/11 23:26:40 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapcat \- SLAPD database to LDIF utility

Modified: openldap/trunk/doc/man/man8/slapd.8
===================================================================
--- openldap/trunk/doc/man/man8/slapd.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapd.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapd.8,v 1.64.2.5 2007/08/31 23:13:53 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapd.8,v 1.64.2.6 2008/02/11 23:26:40 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .TH SLAPD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
 .SH NAME

Modified: openldap/trunk/doc/man/man8/slapdn.8
===================================================================
--- openldap/trunk/doc/man/man8/slapdn.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapdn.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPDN 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slapdn \- Check a list of string-represented LDAP DNs based on schema syntax

Modified: openldap/trunk/doc/man/man8/slapindex.8
===================================================================
--- openldap/trunk/doc/man/man8/slapindex.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slapindex.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,9 @@
 .TH SLAPINDEX 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapindex.8,v 1.19.2.8 2007/11/27 19:29:13 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapindex.8,v 1.19.2.10 2008/02/11 23:26:40 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
-slapindex \- SLAPD index to LDIF utility
+slapindex \- Reindex entries in a SLAPD database
 .SH SYNOPSIS
 .B SBINDIR/slapindex
 .B [\-b suffix]
@@ -28,7 +28,9 @@
 indices based upon the current contents of a database.
 It opens the given database determined by the database number or
 suffix and updates the indices for all values of all attributes
-of all entries.
+of all entries. If a list of specific attributes is provided
+on the command line, only the indices for those attributes will
+be regenerated.
 Databases configured as
 .B subordinate
 of this one are also re-indexed, unless \fB-g\fP is specified.

Modified: openldap/trunk/doc/man/man8/slappasswd.8
===================================================================
--- openldap/trunk/doc/man/man8/slappasswd.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slappasswd.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 .TH SLAPPASSWD 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slappasswd.8,v 1.21.2.4 2007/08/31 23:13:53 quanah Exp $
-.\" Copyright 1998-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slappasswd.8,v 1.21.2.5 2008/02/11 23:26:40 kurt Exp $
+.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slappasswd \- OpenLDAP password utility

Modified: openldap/trunk/doc/man/man8/slaptest.8
===================================================================
--- openldap/trunk/doc/man/man8/slaptest.8	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/doc/man/man8/slaptest.8	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 .TH SLAPTEST 8C "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
 slaptest \- Check the suitability of the OpenLDAP slapd.conf file

Modified: openldap/trunk/include/Makefile.in
===================================================================
--- openldap/trunk/include/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # include Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/include/Makefile.in,v 1.33.2.2 2007/08/31 23:13:53 quanah Exp $
+# $OpenLDAP: pkg/ldap/include/Makefile.in,v 1.33.2.3 2008/02/11 23:26:40 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/alloca.h
===================================================================
--- openldap/trunk/include/ac/alloca.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/alloca.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic alloca.h */
-/* $OpenLDAP: pkg/ldap/include/ac/alloca.h,v 1.18.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/alloca.h,v 1.18.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/assert.h
===================================================================
--- openldap/trunk/include/ac/assert.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/assert.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic assert.h */
-/* $OpenLDAP: pkg/ldap/include/ac/assert.h,v 1.21.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/assert.h,v 1.21.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/bytes.h
===================================================================
--- openldap/trunk/include/ac/bytes.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/bytes.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic bytes.h */
-/* $OpenLDAP: pkg/ldap/include/ac/bytes.h,v 1.20.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/bytes.h,v 1.20.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/crypt.h
===================================================================
--- openldap/trunk/include/ac/crypt.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/crypt.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic crypt.h */
-/* $OpenLDAP: pkg/ldap/include/ac/crypt.h,v 1.10.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/crypt.h,v 1.10.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/ctype.h
===================================================================
--- openldap/trunk/include/ac/ctype.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/ctype.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic ctype.h */
-/* $OpenLDAP: pkg/ldap/include/ac/ctype.h,v 1.16.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/ctype.h,v 1.16.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/dirent.h
===================================================================
--- openldap/trunk/include/ac/dirent.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/dirent.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic dirent.h */
-/* $OpenLDAP: pkg/ldap/include/ac/dirent.h,v 1.14.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/dirent.h,v 1.14.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/errno.h
===================================================================
--- openldap/trunk/include/ac/errno.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/errno.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic errno.h */
-/* $OpenLDAP: pkg/ldap/include/ac/errno.h,v 1.30.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/errno.h,v 1.30.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/fdset.h
===================================================================
--- openldap/trunk/include/ac/fdset.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/fdset.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* redefine FD_SET */
-/* $OpenLDAP: pkg/ldap/include/ac/fdset.h,v 1.5.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/fdset.h,v 1.5.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/localize.h
===================================================================
--- openldap/trunk/include/ac/localize.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/localize.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* localize.h (i18n/l10n) */
-/* $OpenLDAP: pkg/ldap/include/ac/localize.h,v 1.7.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/localize.h,v 1.7.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/param.h
===================================================================
--- openldap/trunk/include/ac/param.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/param.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic param.h */
-/* $OpenLDAP: pkg/ldap/include/ac/param.h,v 1.13.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/param.h,v 1.13.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/regex.h
===================================================================
--- openldap/trunk/include/ac/regex.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/regex.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic Regex */
-/* $OpenLDAP: pkg/ldap/include/ac/regex.h,v 1.17.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/regex.h,v 1.17.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/setproctitle.h
===================================================================
--- openldap/trunk/include/ac/setproctitle.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/setproctitle.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic setproctitle.h */
-/* $OpenLDAP: pkg/ldap/include/ac/setproctitle.h,v 1.21.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/setproctitle.h,v 1.21.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/signal.h
===================================================================
--- openldap/trunk/include/ac/signal.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/signal.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic signal.h */
-/* $OpenLDAP: pkg/ldap/include/ac/signal.h,v 1.25.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/signal.h,v 1.25.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/socket.h
===================================================================
--- openldap/trunk/include/ac/socket.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/socket.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic socket.h */
-/* $OpenLDAP: pkg/ldap/include/ac/socket.h,v 1.67.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/socket.h,v 1.67.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/stdarg.h
===================================================================
--- openldap/trunk/include/ac/stdarg.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/stdarg.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic stdarg.h */
-/* $OpenLDAP: pkg/ldap/include/ac/stdarg.h,v 1.19.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/stdarg.h,v 1.19.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/stdlib.h
===================================================================
--- openldap/trunk/include/ac/stdlib.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/stdlib.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic stdlib.h */
-/* $OpenLDAP: pkg/ldap/include/ac/stdlib.h,v 1.19.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/stdlib.h,v 1.19.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/string.h
===================================================================
--- openldap/trunk/include/ac/string.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/string.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic string.h */
-/* $OpenLDAP: pkg/ldap/include/ac/string.h,v 1.51.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/string.h,v 1.51.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/sysexits.h
===================================================================
--- openldap/trunk/include/ac/sysexits.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/sysexits.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic sysexits */
-/* $OpenLDAP: pkg/ldap/include/ac/sysexits.h,v 1.12.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/sysexits.h,v 1.12.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/syslog.h
===================================================================
--- openldap/trunk/include/ac/syslog.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/syslog.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic syslog.h */
-/* $OpenLDAP: pkg/ldap/include/ac/syslog.h,v 1.17.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/syslog.h,v 1.17.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/termios.h
===================================================================
--- openldap/trunk/include/ac/termios.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/termios.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic termios.h */
-/* $OpenLDAP: pkg/ldap/include/ac/termios.h,v 1.18.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/termios.h,v 1.18.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/time.h
===================================================================
--- openldap/trunk/include/ac/time.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/time.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic time.h */
-/* $OpenLDAP: pkg/ldap/include/ac/time.h,v 1.18.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/time.h,v 1.18.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/unistd.h
===================================================================
--- openldap/trunk/include/ac/unistd.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/unistd.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic unistd.h */
-/* $OpenLDAP: pkg/ldap/include/ac/unistd.h,v 1.37.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/unistd.h,v 1.37.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ac/wait.h
===================================================================
--- openldap/trunk/include/ac/wait.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ac/wait.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* Generic wait.h */
-/* $OpenLDAP: pkg/ldap/include/ac/wait.h,v 1.16.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/wait.h,v 1.16.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/avl.h
===================================================================
--- openldap/trunk/include/avl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/avl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* avl.h - avl tree definitions */
-/* $OpenLDAP: pkg/ldap/include/avl.h,v 1.29.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/avl.h,v 1.29.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/getopt-compat.h
===================================================================
--- openldap/trunk/include/getopt-compat.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/getopt-compat.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* getopt-compat.h -- getopt(3) compatibility header */
-/* $OpenLDAP: pkg/ldap/include/getopt-compat.h,v 1.19.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/getopt-compat.h,v 1.19.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lber.h
===================================================================
--- openldap/trunk/include/lber.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lber.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lber.h,v 1.99.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lber.h,v 1.99.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lber_pvt.h
===================================================================
--- openldap/trunk/include/lber_pvt.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lber_pvt.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lber_pvt.h,v 1.35.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lber_pvt.h,v 1.35.2.5 2008/03/21 00:43:00 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -201,7 +201,7 @@
 		(dst)->bv_val = (bv)->bv_val; \
 	} while (0)
 
-#define BER_BVC(s)		{ STRLENOF(s), (s) }
+#define BER_BVC(s)		{ STRLENOF(s), (char *)(s) }
 #define BER_BVNULL		{ 0L, NULL }
 #define BER_BVZERO(bv) \
 	do { \
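Review bot: The `(char *)(s)` cast added to `BER_BVC` strips the const qualification from its argument, so a berval built from a string literal now carries a writable-looking `bv_val` that points at read-only storage. Because the cast also silences the compiler diagnostic, an accidental write through such a berval is no longer caught at build time and is undefined behaviour at run time. I would document the constraint next to the macro, for example `/* BER_BVC(s): s must be a string literal; the resulting bv_val must never be modified or freed */`. The macro block continues outside the hunk, so other initialisers there may want the same note.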

Modified: openldap/trunk/include/lber_types.hin
===================================================================
--- openldap/trunk/include/lber_types.hin	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lber_types.hin	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lber_types.hin,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lber_types.hin,v 1.3.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap.h
===================================================================
--- openldap/trunk/include/ldap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap.h,v 1.312.2.8 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap.h,v 1.312.2.9 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_cdefs.h
===================================================================
--- openldap/trunk/include/ldap_cdefs.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_cdefs.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_cdefs.h,v 1.29.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_cdefs.h,v 1.29.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_config.hin
===================================================================
--- openldap/trunk/include/ldap_config.hin	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_config.hin	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_config.hin,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_config.hin,v 1.3.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_defaults.h
===================================================================
--- openldap/trunk/include/ldap_defaults.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_defaults.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_defaults.h,v 1.33.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_defaults.h,v 1.33.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_features.hin
===================================================================
--- openldap/trunk/include/ldap_features.hin	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_features.hin	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_features.hin,v 1.3.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_features.hin,v 1.3.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_int_thread.h
===================================================================
--- openldap/trunk/include/ldap_int_thread.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_int_thread.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldap_int_thread.h - ldap internal thread wrappers header file */
-/* $OpenLDAP: pkg/ldap/include/ldap_int_thread.h,v 1.20.2.4 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_int_thread.h,v 1.20.2.5 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_log.h
===================================================================
--- openldap/trunk/include/ldap_log.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_log.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_log.h,v 1.40.2.4 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_log.h,v 1.40.2.5 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_pvt.h
===================================================================
--- openldap/trunk/include/ldap_pvt.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_pvt.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_pvt.h,v 1.91.2.4 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_pvt.h,v 1.91.2.6 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -169,7 +169,7 @@
 	struct berval *, LDAPRDN *, char **, unsigned flags, void *ctx ));
 LDAP_F( int ) ldap_rdn2bv_x LDAP_P(( 
 	LDAPRDN rdn, struct berval *bv, unsigned flags, void *ctx ));
-#endif
+#endif /* LDAP_AVA_NULL */
 
 /* url.c */
 LDAP_F (void) ldap_pvt_hex_unescape LDAP_P(( char *s ));
@@ -225,7 +225,7 @@
 
 #ifndef LDAP_PVT_SASL_LOCAL_SSF
 #define LDAP_PVT_SASL_LOCAL_SSF	71	/* SSF for Unix Domain Sockets */
-#endif
+#endif /* ! LDAP_PVT_SASL_LOCAL_SSF */
 
 struct ldap;
 struct ldapmsg;
@@ -316,6 +316,8 @@
  * If none is available, unsigned long data is used.
  */
 
+LDAP_BEGIN_DECL
+
 #ifdef USE_MP_BIGNUM
 /*
  * Use OpenSSL's BIGNUM
@@ -404,4 +406,15 @@
 
 #include "ldap_pvt_uc.h"
 
+LDAP_END_DECL
+
+LDAP_BEGIN_DECL
+
+#include <limits.h>				/* get CHAR_BIT */
+
+/* Buffer space for sign, decimal digits and \0. Note: log10(2) < 146/485. */
+#define LDAP_PVT_INTTYPE_CHARS(type) (((sizeof(type)*CHAR_BIT-1)*146)/485 + 3)
+
+LDAP_END_DECL
+
 #endif /* _LDAP_PVT_H */
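Review bot: `LDAP_PVT_INTTYPE_CHARS` sizes buffers, but its comment does not state the limits of the bound. It covers a plain base-10 rendering of an integer `type` (sign, digits, terminating NUL), not field widths, padding or other output formats. An undersized buffer is the failure mode here, so I would extend the comment, e.g. `/* Valid for unpadded base-10 output of an integer type only; still format with snprintf and sizeof(buf). */`. Separately, `#include <limits.h>` sits between `LDAP_BEGIN_DECL` and `LDAP_END_DECL`; if those expand to an `extern "C"` block for C++ consumers (not visible in this hunk), the system header is better included before the block opens.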

Modified: openldap/trunk/include/ldap_pvt_thread.h
===================================================================
--- openldap/trunk/include/ldap_pvt_thread.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_pvt_thread.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldap_pvt_thread.h - ldap threads header file */
-/* $OpenLDAP: pkg/ldap/include/ldap_pvt_thread.h,v 1.51.2.6 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_pvt_thread.h,v 1.51.2.10 2008/03/21 00:46:03 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -244,10 +244,18 @@
 	ldap_pvt_thread_pool_param_t param, void *value ));
 
 LDAP_F( int )
+ldap_pvt_thread_pool_pausing LDAP_P((
+	ldap_pvt_thread_pool_t *pool ));
+
+LDAP_F( int )
 ldap_pvt_thread_pool_backload LDAP_P((
 	ldap_pvt_thread_pool_t *pool ));
 
 LDAP_F( int )
+ldap_pvt_thread_pool_pausecheck LDAP_P((
+	ldap_pvt_thread_pool_t *pool ));
+
+LDAP_F( int )
 ldap_pvt_thread_pool_pause LDAP_P((
 	ldap_pvt_thread_pool_t *pool ));
 
@@ -272,7 +280,9 @@
 	void *ctx,
 	void *key,
 	void *data,
-	ldap_pvt_thread_pool_keyfree_t *kfree ));
+	ldap_pvt_thread_pool_keyfree_t *kfree,
+	void **olddatap,
+	ldap_pvt_thread_pool_keyfree_t **oldkfreep ));
 
 LDAP_F( void )
 ldap_pvt_thread_pool_purgekey LDAP_P(( void *key ));
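Review bot: The new out-parameters `olddatap` and `oldkfreep` are declared without any statement of ownership. The header does not say who releases the previous data, whether either pointer may be NULL, or what they contain when the key had no earlier value. That ambiguity tends to produce double frees or leaks in callers, so I would add a comment above the declaration, e.g. `/* olddatap/oldkfreep: receive the previous data and free callback for key; state who frees them and whether NULL is accepted */`. The declaration's name and first lines are outside this hunk. The longer parameter list is also source-incompatible, so every existing caller must be updated in the same revision.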

Modified: openldap/trunk/include/ldap_pvt_uc.h
===================================================================
--- openldap/trunk/include/ldap_pvt_uc.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_pvt_uc.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_pvt_uc.h,v 1.31.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_pvt_uc.h,v 1.31.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_queue.h
===================================================================
--- openldap/trunk/include/ldap_queue.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_queue.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldap_queue.h -- queue macros */
-/* $OpenLDAP: pkg/ldap/include/ldap_queue.h,v 1.13.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_queue.h,v 1.13.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_rq.h
===================================================================
--- openldap/trunk/include/ldap_rq.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_rq.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_rq.h,v 1.14.2.3 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_rq.h,v 1.14.2.4 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_schema.h
===================================================================
--- openldap/trunk/include/ldap_schema.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_schema.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_schema.h,v 1.36.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_schema.h,v 1.36.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldap_utf8.h
===================================================================
--- openldap/trunk/include/ldap_utf8.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldap_utf8.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_utf8.h,v 1.13.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_utf8.h,v 1.13.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/ldif.h
===================================================================
--- openldap/trunk/include/ldif.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/ldif.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/ldif.h,v 1.31.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldif.h,v 1.31.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil.h
===================================================================
--- openldap/trunk/include/lutil.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil.h,v 1.63.2.4 2007/12/03 15:04:30 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil.h,v 1.63.2.5 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil_hash.h
===================================================================
--- openldap/trunk/include/lutil_hash.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil_hash.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil_hash.h,v 1.8.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil_hash.h,v 1.8.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil_ldap.h
===================================================================
--- openldap/trunk/include/lutil_ldap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil_ldap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil_ldap.h,v 1.11.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil_ldap.h,v 1.11.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil_lockf.h
===================================================================
--- openldap/trunk/include/lutil_lockf.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil_lockf.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil_lockf.h,v 1.17.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil_lockf.h,v 1.17.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil_md5.h
===================================================================
--- openldap/trunk/include/lutil_md5.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil_md5.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil_md5.h,v 1.24.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil_md5.h,v 1.24.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/lutil_sha1.h
===================================================================
--- openldap/trunk/include/lutil_sha1.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/lutil_sha1.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/lutil_sha1.h,v 1.28.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil_sha1.h,v 1.28.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/include/portable.hin
===================================================================
--- openldap/trunk/include/portable.hin	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/portable.hin	2008-05-25 14:29:31 UTC (rev 1128)
@@ -4,7 +4,7 @@
 /* begin of portable.h.pre */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation
+ * Copyright 1998-2008 The OpenLDAP Foundation
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1014,6 +1014,9 @@
 /* define to support SHELL backend */
 #undef SLAPD_SHELL
 
+/* define to support SOCK backend */
+#undef SLAPD_SOCK
+
 /* define to support SASL passwords */
 #undef SLAPD_SPASSWD
 

Modified: openldap/trunk/include/rewrite.h
===================================================================
--- openldap/trunk/include/rewrite.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/rewrite.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
-/* $OpenLDAP: pkg/ldap/include/rewrite.h,v 1.15.2.2 2007/08/31 23:13:53 quanah Exp $
+/* $OpenLDAP: pkg/ldap/include/rewrite.h,v 1.15.2.3 2008/02/11 23:26:40 kurt Exp $
  */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/include/slapi-plugin.h
===================================================================
--- openldap/trunk/include/slapi-plugin.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/slapi-plugin.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/slapi-plugin.h,v 1.52.2.4 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/slapi-plugin.h,v 1.52.2.5 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002,2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/include/sysexits-compat.h
===================================================================
--- openldap/trunk/include/sysexits-compat.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/include/sysexits-compat.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/include/sysexits-compat.h,v 1.11.2.2 2007/08/31 23:13:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/sysexits-compat.h,v 1.11.2.3 2008/02/11 23:26:40 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/Makefile.in
===================================================================
--- openldap/trunk/libraries/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Libraries Makefile for OpenLDAP
-# $OpenLDAP: pkg/ldap/libraries/Makefile.in,v 1.26.2.2 2007/08/31 23:13:54 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/Makefile.in,v 1.26.2.3 2008/02/11 23:26:40 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/Makefile.in
===================================================================
--- openldap/trunk/libraries/liblber/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # LIBLBER
-# $OpenLDAP: pkg/ldap/libraries/liblber/Makefile.in,v 1.37.2.3 2007/11/15 00:31:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/liblber/Makefile.in,v 1.37.2.4 2008/02/11 23:26:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/assert.c
===================================================================
--- openldap/trunk/libraries/liblber/assert.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/assert.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/assert.c,v 1.13.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/assert.c,v 1.13.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/bprint.c
===================================================================
--- openldap/trunk/libraries/liblber/bprint.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/bprint.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/bprint.c,v 1.57.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/bprint.c,v 1.57.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/debug.c
===================================================================
--- openldap/trunk/libraries/liblber/debug.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/debug.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/debug.c,v 1.21.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/debug.c,v 1.21.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/decode.c
===================================================================
--- openldap/trunk/libraries/liblber/decode.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/decode.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* decode.c - ber input decoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.105.2.3 2007/10/18 01:37:30 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.105.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/dtest.c
===================================================================
--- openldap/trunk/libraries/liblber/dtest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/dtest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dtest.c - lber decoding test program */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/dtest.c,v 1.37.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/dtest.c,v 1.37.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/encode.c
===================================================================
--- openldap/trunk/libraries/liblber/encode.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/encode.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* encode.c - ber output encoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/encode.c,v 1.64.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/encode.c,v 1.64.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/etest.c
===================================================================
--- openldap/trunk/libraries/liblber/etest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/etest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* etest.c - lber encoding test program */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/etest.c,v 1.35.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/etest.c,v 1.35.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/idtest.c
===================================================================
--- openldap/trunk/libraries/liblber/idtest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/idtest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* idtest.c - ber decoding test program using isode libraries */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/idtest.c,v 1.18.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/idtest.c,v 1.18.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/io.c
===================================================================
--- openldap/trunk/libraries/liblber/io.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/io.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* io.c - ber general i/o routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/io.c,v 1.111.2.6 2007/10/18 01:37:30 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/io.c,v 1.111.2.7 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/lber-int.h
===================================================================
--- openldap/trunk/libraries/liblber/lber-int.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/lber-int.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/lber-int.h,v 1.68.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/lber-int.h,v 1.68.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/memory.c
===================================================================
--- openldap/trunk/libraries/liblber/memory.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/memory.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/memory.c,v 1.64.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/memory.c,v 1.64.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/nt_err.c
===================================================================
--- openldap/trunk/libraries/liblber/nt_err.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/nt_err.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/nt_err.c,v 1.15.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/nt_err.c,v 1.15.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/options.c
===================================================================
--- openldap/trunk/libraries/liblber/options.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/options.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/options.c,v 1.43.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/options.c,v 1.43.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/sockbuf.c
===================================================================
--- openldap/trunk/libraries/liblber/sockbuf.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/sockbuf.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* sockbuf.c - i/o routines with support for adding i/o layers. */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/sockbuf.c,v 1.65.2.3 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/sockbuf.c,v 1.65.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblber/stdio.c
===================================================================
--- openldap/trunk/libraries/liblber/stdio.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblber/stdio.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/stdio.c,v 1.11.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/stdio.c,v 1.11.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/Makefile.in
===================================================================
--- openldap/trunk/libraries/libldap/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for LDAP -lldap
-# $OpenLDAP: pkg/ldap/libraries/libldap/Makefile.in,v 1.79.2.3 2007/08/31 23:13:54 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/libldap/Makefile.in,v 1.79.2.4 2008/02/11 23:26:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/abandon.c
===================================================================
--- openldap/trunk/libraries/libldap/abandon.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/abandon.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* abandon.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/abandon.c,v 1.41.2.5 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/abandon.c,v 1.41.2.7 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -355,8 +355,7 @@
 	begin = 0;
 	end = n - 1;
 
-	if ( n > 0 ) {
-		if ( id < v[ begin ] ) {
+		if ( n <= 0 || id < v[ begin ] ) {
 			*idxp = 0;
 
 		} else if ( id > v[ end ] ) {
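Review bot: The rewritten condition `if ( n <= 0 || id < v[ begin ] )` is still indented two tabs under the one-tab `end = n - 1;`, a leftover from the removed `if ( n > 0 ) {` wrapper, so the chain reads as if an enclosing block were missing; it should be re-indented one level. The operand order is also load-bearing: testing `n <= 0` first is what keeps `v[ begin ]` from being read when the array is empty. A short comment such as `/* test n first: v[] has no elements when n <= 0 */` would protect that from a later reordering. The function starts before this hunk and continues past it.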
@@ -366,7 +365,7 @@
 			int		pos;
 			ber_int_t	curid;
 	
-			while ( end >= begin ) {
+			do {
 				pos = (begin + end)/2;
 				curid = v[ pos ];
 	
@@ -374,25 +373,18 @@
 					end = pos - 1;
 	
 				} else if ( id > curid ) {
-					begin = pos + 1;
+					begin = ++pos;
 	
 				} else {
 					/* already abandoned? */
-					*idxp = pos;
 					rc = 1;
 					break;
 				}
-			}
+			} while ( end >= begin );
 	
-			if ( rc == 0 ) {
-				*idxp = pos + ( id > curid ? 1 : 0 );
-			}
+			*idxp = pos;
 		}
 
-	} else {
-		*idxp = 0;
-	}
-
 	return rc;
 }
 
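Review bot: The single `*idxp = pos;` after the loop is only correct because `begin = ++pos;` in the `id > curid` branch now advances `pos` as a side effect, and nothing in the code says so. When the id is not found, `pos` must end up as the insertion index (left alone when `id < curid`, stepped past the probed element when `id > curid`), while on a match it stays on the matching element. A comment at the assignment, for example `/* pos: index of id if rc == 1, else the slot where id would be inserted */`, would make that contract explicit. The `do { ... } while ( end >= begin );` form in the previous hunk likewise relies on the two range checks before the loop guaranteeing `begin <= end` on entry, which deserves a one-line comment as well. The function begins outside this hunk.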

Modified: openldap/trunk/libraries/libldap/add.c
===================================================================
--- openldap/trunk/libraries/libldap/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* add.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/add.c,v 1.27.2.2 2007/08/31 23:13:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/add.c,v 1.27.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/addentry.c
===================================================================
--- openldap/trunk/libraries/libldap/addentry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/addentry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* addentry.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/addentry.c,v 1.16.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/addentry.c,v 1.16.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/apitest.c
===================================================================
--- openldap/trunk/libraries/libldap/apitest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/apitest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* apitest.c -- OpenLDAP API Test Program */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/apitest.c,v 1.25.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/apitest.c,v 1.25.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/libldap/bind.c
===================================================================
--- openldap/trunk/libraries/libldap/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/bind.c,v 1.24.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/bind.c,v 1.24.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/cancel.c
===================================================================
--- openldap/trunk/libraries/libldap/cancel.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/cancel.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/cancel.c,v 1.10.2.3 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/cancel.c,v 1.10.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/charray.c
===================================================================
--- openldap/trunk/libraries/libldap/charray.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/charray.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* charray.c - routines for dealing with char * arrays */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/charray.c,v 1.16.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/charray.c,v 1.16.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/compare.c
===================================================================
--- openldap/trunk/libraries/libldap/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/compare.c,v 1.29.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/compare.c,v 1.29.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/controls.c
===================================================================
--- openldap/trunk/libraries/libldap/controls.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/controls.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/controls.c,v 1.48.2.4 2007/10/17 02:03:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/controls.c,v 1.48.2.5 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/cyrus.c
===================================================================
--- openldap/trunk/libraries/libldap/cyrus.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/cyrus.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/cyrus.c,v 1.133.2.6 2007/10/08 09:52:25 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/cyrus.c,v 1.133.2.8 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -670,9 +670,9 @@
 	{
 		char authid[sizeof("gidNumber=4294967295+uidNumber=4294967295,"
 			"cn=peercred,cn=external,cn=auth")];
-		sprintf( authid, "gidNumber=%d+uidNumber=%d,"
+		sprintf( authid, "gidNumber=%u+uidNumber=%u,"
 			"cn=peercred,cn=external,cn=auth",
-			(int) getegid(), (int) geteuid() );
+			getegid(), geteuid() );
 		(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid,
 			LDAP_PVT_SASL_LOCAL_SSF );
 	}
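Review bot: The new `sprintf` passes `getegid()` and `geteuid()` uncast to a `%u` conversion, which is only well defined where `gid_t` and `uid_t` are exactly `unsigned int`; the removed code at least cast its arguments to match its format. `authid` is sized for two 10-digit values, so on a platform with wider id types the mismatch could misformat or, at worst, overrun the buffer that becomes the SASL EXTERNAL identity. Keeping the casts, `(unsigned) getegid(), (unsigned) geteuid() );`, would keep the format and the arguments in agreement. Bounding the write with `snprintf( authid, sizeof(authid), ...`, if the tree's portability layer provides it, would also tie the write to the buffer size. The enclosing function starts and ends outside this hunk.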

Modified: openldap/trunk/libraries/libldap/dds.c
===================================================================
--- openldap/trunk/libraries/libldap/dds.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/dds.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/dds.c,v 1.2.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/dds.c,v 1.2.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2005-2006 SysNet s.n.c.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/libldap/delete.c
===================================================================
--- openldap/trunk/libraries/libldap/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/delete.c,v 1.26.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/delete.c,v 1.26.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/dnssrv.c
===================================================================
--- openldap/trunk/libraries/libldap/dnssrv.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/dnssrv.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/dnssrv.c,v 1.39.2.3 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/dnssrv.c,v 1.39.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/dntest.c
===================================================================
--- openldap/trunk/libraries/libldap/dntest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/dntest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dntest.c -- OpenLDAP DN API Test Program */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/dntest.c,v 1.27.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/dntest.c,v 1.27.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/error.c
===================================================================
--- openldap/trunk/libraries/libldap/error.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/error.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/error.c,v 1.76.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/error.c,v 1.76.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/extended.c
===================================================================
--- openldap/trunk/libraries/libldap/extended.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/extended.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/extended.c,v 1.39.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/extended.c,v 1.39.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -291,7 +291,6 @@
 	int				freeit )
 {
 	BerElement *ber;
-	ber_tag_t rc;
 	ber_tag_t tag;
 	ber_len_t len;
 	struct berval *resdata;
@@ -324,9 +323,9 @@
 		return ld->ld_errno;
 	}
 
-	rc = ber_scanf( ber, "{" /*}*/ );
+	tag = ber_scanf( ber, "{" /*}*/ );
 
-	if( rc == LBER_ERROR ) {
+	if( tag == LBER_ERROR ) {
 		ld->ld_errno = LDAP_DECODING_ERROR;
 		ber_free( ber, 0 );
 		return ld->ld_errno;
@@ -367,16 +366,16 @@
 	}
 
 	if ( serverctrls == NULL ) {
-		rc = LDAP_SUCCESS;
+		ld->ld_errno = LDAP_SUCCESS;
 		goto free_and_return;
 	}
 
 	if ( ber_scanf( ber, /*{*/ "}" ) == LBER_ERROR ) {
-		rc = LDAP_DECODING_ERROR;
+		ld->ld_errno = LDAP_DECODING_ERROR;
 		goto free_and_return;
 	}
 
-	rc = ldap_pvt_get_controls( ber, serverctrls );
+	ld->ld_errno = ldap_pvt_get_controls( ber, serverctrls );
 
 free_and_return:
 	ber_free( ber, 0 );
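Review bot: The status is now accumulated directly in `ld->ld_errno` and read back by `return ld->ld_errno;` in the next hunk, so the returned value depends on nothing else writing that handle field in between. A local status variable published once at the end, `ld->ld_errno = rc; return rc;`, would keep the fix (decoding and control-parsing failures are no longer reported as `LDAP_SUCCESS`) without relying on shared handle state. That matters most if the handle can be used from more than one thread, which is not visible here. The code between `free_and_return:` and the final return lies outside these hunks and should be checked for anything that can overwrite `ld_errno`.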
@@ -397,6 +396,6 @@
 		ldap_msgfree( res );
 	}
 
-	return LDAP_SUCCESS;
+	return ld->ld_errno;
 }
 

Modified: openldap/trunk/libraries/libldap/filter.c
===================================================================
--- openldap/trunk/libraries/libldap/filter.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/filter.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/filter.c,v 1.29.2.3 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/filter.c,v 1.29.2.6 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -50,7 +50,8 @@
 static int put_substring_filter LDAP_P((
 	BerElement *ber,
 	char *type,
-	char *str ));
+	char *str,
+	char *nextstar ));
 
 static int put_filter_list LDAP_P((
 	BerElement *ber,
@@ -693,7 +694,7 @@
 				ftype = LDAP_FILTER_PRESENT;
 
 			} else {
-				rc = put_substring_filter( ber, str, value );
+				rc = put_substring_filter( ber, str, value, nextstar );
 				goto done;
 			}
 		} break;
@@ -720,9 +721,8 @@
 }
 
 static int
-put_substring_filter( BerElement *ber, char *type, char *val )
+put_substring_filter( BerElement *ber, char *type, char *val, char *nextstar )
 {
-	char *nextstar;
 	int gotstar = 0;
 	ber_tag_t	ftype = LDAP_FILTER_SUBSTRINGS;
 
@@ -734,12 +734,13 @@
 	}
 
 	for( ; *val; val=nextstar ) {
-		nextstar = ldap_pvt_find_wildcard( val );
+		if ( gotstar )
+			nextstar = ldap_pvt_find_wildcard( val );
 
 		if ( nextstar == NULL ) {
 			return -1;
 		}
-		
+
 		if ( *nextstar == '\0' ) {
 			ftype = LDAP_SUBSTRING_FINAL;
 		} else {
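Review bot: `put_substring_filter` now relies on an undocumented precondition: on the first pass of the loop `nextstar` is whatever the caller passed in, and `ldap_pvt_find_wildcard( val )` is only called again once `gotstar` is set. The definition should carry a comment such as `/* nextstar: first wildcard in val, already located by the caller; must point into val */`. The `nextstar == NULL` test covers a NULL argument, but nothing visible here checks that the pointer lies inside `val`, and `val=nextstar` would otherwise step outside the filter string. The function body continues outside the hunk.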
@@ -754,7 +755,7 @@
 		if ( *val != '\0' || ftype == LDAP_SUBSTRING_ANY ) {
 			ber_slen_t len = ldap_pvt_filter_value_unescape( val );
 
-			if ( len < 0  ) {
+			if ( len <= 0  ) {
 				return -1;
 			}
 
@@ -1097,7 +1098,7 @@
 				ftype = LDAP_FILTER_PRESENT;
 
 			} else {
-				rc = put_substring_filter( ber, str, value );
+				rc = put_substring_filter( ber, str, value, nextstar );
 				goto done;
 			}
 		} break;

Modified: openldap/trunk/libraries/libldap/free.c
===================================================================
--- openldap/trunk/libraries/libldap/free.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/free.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* free.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/free.c,v 1.22.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/free.c,v 1.22.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/ftest.c
===================================================================
--- openldap/trunk/libraries/libldap/ftest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/ftest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ftest.c -- OpenLDAP Filter API Test */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/ftest.c,v 1.15.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ftest.c,v 1.15.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/getattr.c
===================================================================
--- openldap/trunk/libraries/libldap/getattr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/getattr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/getattr.c,v 1.35.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/getattr.c,v 1.35.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/getdn.c
===================================================================
--- openldap/trunk/libraries/libldap/getdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/getdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/getdn.c,v 1.130.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/getdn.c,v 1.130.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/getentry.c
===================================================================
--- openldap/trunk/libraries/libldap/getentry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/getentry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/getentry.c,v 1.28.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/getentry.c,v 1.28.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/getvalues.c
===================================================================
--- openldap/trunk/libraries/libldap/getvalues.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/getvalues.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/getvalues.c,v 1.26.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/getvalues.c,v 1.26.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/init.c
===================================================================
--- openldap/trunk/libraries/libldap/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/init.c,v 1.102.2.4 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/init.c,v 1.102.2.5 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/ldap-int.h
===================================================================
--- openldap/trunk/libraries/libldap/ldap-int.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/ldap-int.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /*  ldap-int.h - defines & prototypes internal to the LDAP library */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap-int.h,v 1.168.2.6 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap-int.h,v 1.168.2.7 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/ldap_sync.c
===================================================================
--- openldap/trunk/libraries/libldap/ldap_sync.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/ldap_sync.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap_sync.c,v 1.2.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap_sync.c,v 1.2.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2007 The OpenLDAP Foundation.
+ * Copyright 2006-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/messages.c
===================================================================
--- openldap/trunk/libraries/libldap/messages.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/messages.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* messages.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/messages.c,v 1.17.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/messages.c,v 1.17.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/modify.c
===================================================================
--- openldap/trunk/libraries/libldap/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/modify.c,v 1.25.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/modify.c,v 1.25.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/modrdn.c
===================================================================
--- openldap/trunk/libraries/libldap/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/modrdn.c,v 1.30.2.2 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/modrdn.c,v 1.30.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/open.c
===================================================================
--- openldap/trunk/libraries/libldap/open.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/open.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/open.c,v 1.110.2.5 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/open.c,v 1.110.2.7 2008/02/11 23:56:32 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -82,7 +82,7 @@
 	}
 
 	Debug( LDAP_DEBUG_TRACE, "ldap_open: %s\n",
-		ld == NULL ? "succeeded" : "failed", 0, 0 );
+		ld != NULL ? "succeeded" : "failed", 0, 0 );
 
 	return ld;
 }

Modified: openldap/trunk/libraries/libldap/options.c
===================================================================
--- openldap/trunk/libraries/libldap/options.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/options.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/options.c,v 1.75.2.5 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/options.c,v 1.75.2.6 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/os-ip.c
===================================================================
--- openldap/trunk/libraries/libldap/os-ip.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/os-ip.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* os-ip.c -- platform-specific TCP & UDP related code */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/os-ip.c,v 1.118.2.3 2007/08/31 23:13:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/os-ip.c,v 1.118.2.7 2008/04/15 00:00:36 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Lars Uffmann.
  * All rights reserved.
  *
@@ -575,7 +575,7 @@
 
 		(void)memset((char *)&sin, '\0', sizeof sin);
 		sin.sin_family = AF_INET;
-		sin.sin_port = htons((short) port);
+		sin.sin_port = htons((unsigned short) port);
 
 		if( use_hp ) {
 			AC_MEMCPY( &sin.sin_addr, hp->h_addr_list[i],
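Review bot: The cast to `unsigned short` still truncates silently: a `port` outside 0..65535 is reduced modulo 65536 before `htons`, so the socket would be set up for a different port than the one requested. If `port` can arrive from a URL or configuration value without earlier validation (its declaration and the callers are outside the hunk), a range test ahead of this assignment, `if ( port < 0 || port > 65535 )` with the function's normal error return, would turn that into a reported error. If validation already happens upstream, a one-line comment saying so would document the assumption the cast relies on.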

Modified: openldap/trunk/libraries/libldap/os-local.c
===================================================================
--- openldap/trunk/libraries/libldap/os-local.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/os-local.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* os-local.c -- platform-specific domain socket code */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/os-local.c,v 1.44.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/os-local.c,v 1.44.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/pagectrl.c
===================================================================
--- openldap/trunk/libraries/libldap/pagectrl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/pagectrl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Copyright 2006 Hans Leidekker
  * All rights reserved.
  *
@@ -256,7 +256,7 @@
 
 	ld->ld_errno = ldap_parse_pageresponse_control( ld, c, countp, &cookie );
 	if ( ld->ld_errno == LDAP_SUCCESS ) {
-		*cookiep = LDAP_MALLOC( sizeof( struct berval * ) );
+		*cookiep = LDAP_MALLOC( sizeof( struct berval ) );
 		if ( *cookiep == NULL ) {
 			ld->ld_errno = LDAP_NO_MEMORY;
 		} else {
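Review bot: The allocation size is still spelled as a type name, which is how the pointer-sized allocation being corrected here could be written without the compiler noticing. Taking the size from the object being assigned keeps the two in step if the type ever changes: `*cookiep = LDAP_MALLOC( sizeof( **cookiep ) );`. The `else` branch that fills in the new `struct berval` continues outside the hunk, so it is worth confirming there that every field written fits the corrected size.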

Modified: openldap/trunk/libraries/libldap/passwd.c
===================================================================
--- openldap/trunk/libraries/libldap/passwd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/passwd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/passwd.c,v 1.18.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/passwd.c,v 1.18.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/ppolicy.c
===================================================================
--- openldap/trunk/libraries/libldap/ppolicy.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/ppolicy.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/ppolicy.c,v 1.11.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ppolicy.c,v 1.11.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Hewlett-Packard Company.
  * Portions Copyright 2004 Howard Chu, Symas Corp.
  * All rights reserved.

Modified: openldap/trunk/libraries/libldap/print.c
===================================================================
--- openldap/trunk/libraries/libldap/print.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/print.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/print.c,v 1.16.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/print.c,v 1.16.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/references.c
===================================================================
--- openldap/trunk/libraries/libldap/references.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/references.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* references.c */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/references.c,v 1.24.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/references.c,v 1.24.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/request.c
===================================================================
--- openldap/trunk/libraries/libldap/request.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/request.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/request.c,v 1.125.2.6 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/request.c,v 1.125.2.7 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/result.c
===================================================================
--- openldap/trunk/libraries/libldap/result.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/result.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* result.c - wait for an ldap result */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.8 2007/10/17 20:14:11 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.10 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -322,7 +322,7 @@
 		}
 #endif /* LDAP_DEBUG */
 
-        	if ( ( *result = chkResponseList( ld, msgid, all ) ) != NULL ) {
+		if ( ( *result = chkResponseList( ld, msgid, all ) ) != NULL ) {
 			rc = (*result)->lm_msgtype;
 
 		} else {
@@ -350,7 +350,7 @@
 			ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
 #endif
 
-		    	if ( !lc_ready ) {
+			if ( !lc_ready ) {
 				rc = ldap_int_select( ld, tvp );
 #ifdef LDAP_DEBUG
 				if ( rc == -1 ) {

Modified: openldap/trunk/libraries/libldap/sasl.c
===================================================================
--- openldap/trunk/libraries/libldap/sasl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/sasl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.64.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.64.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -201,7 +201,7 @@
 		rc = ldap_parse_sasl_bind_result( ld, result, &scredp, 0 );
 	}
 
-	if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
+	if ( rc != LDAP_SUCCESS ) {
 		ldap_msgfree( result );
 		return( rc );
 	}
@@ -347,7 +347,7 @@
 		ldap_msgfree( res );
 	}
 
-	return( ld->ld_errno );
+	return( LDAP_SUCCESS );
 }
 
 int
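Review bot: After `return( LDAP_SUCCESS );` the return value no longer carries the server's bind result, so a caller that tests only the return value would treat a rejected bind as success unless it also reads `ld->ld_errno`. The first hunk in this file depends on the same split: `rc` there is now only the parse status, and `LDAP_SASL_BIND_IN_PROGRESS` is presumably handled through a path not visible here. The function's header comment should state the contract, for example `/* returns LDAP_SUCCESS when the response was parsed; the server's result code is left in ld->ld_errno */`. The function body starts outside the hunk, so whether `ld_errno` is always set from the response before this return needs to be confirmed.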

Modified: openldap/trunk/libraries/libldap/sbind.c
===================================================================
--- openldap/trunk/libraries/libldap/sbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/sbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sbind.c,v 1.25.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sbind.c,v 1.25.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/schema.c
===================================================================
--- openldap/trunk/libraries/libldap/schema.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/schema.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/schema.c,v 1.77.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/schema.c,v 1.77.2.4 2008/04/14 22:32:48 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,8 @@
 
 #include <ldap_schema.h>
 
+static const char EndOfInput[] = "end of input";
+
 static const char *
 choose_name( char *names[], const char *fallback )
 {
@@ -1514,7 +1516,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_syntax_free(syn);
 			return NULL;
 		case TK_RIGHTPAREN:
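Review bot: In this `TK_EOS` branch `*errp` no longer points into the caller's input (`ss`) but at the static `EndOfInput` string, so a caller that computes an offset from `*errp` or assumes it lies inside its own buffer gets a meaningless result. The same assignment is repeated in the seven later hunks of this file. A comment at the `EndOfInput` definition, such as `/* returned through *errp on premature end of input; not a pointer into the parsed string */`, would make the changed contract visible to callers. Whether `ss` was still a usable pointer at end of input before this change cannot be told from these hunks.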
@@ -1679,7 +1681,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_matchingrule_free(mr);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -1878,7 +1880,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_matchingruleuse_free(mru);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -2110,7 +2112,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_attributetype_free(at);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -2483,7 +2485,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_objectclass_free(oc);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -2762,7 +2764,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_contentrule_free(cr);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -2987,7 +2989,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_structurerule_free(sr);
 			return NULL;
 		case TK_RIGHTPAREN:
@@ -3176,7 +3178,7 @@
 		switch (kind) {
 		case TK_EOS:
 			*code = LDAP_SCHERR_NORIGHTPAREN;
-			*errp = ss;
+			*errp = EndOfInput;
 			ldap_nameform_free(nf);
 			return NULL;
 		case TK_RIGHTPAREN:

Modified: openldap/trunk/libraries/libldap/search.c
===================================================================
--- openldap/trunk/libraries/libldap/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/search.c,v 1.76.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/search.c,v 1.76.2.5 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -358,7 +358,7 @@
 	    == -1 )
 		return( ld->ld_errno );
 
-	if ( ldap_result( ld, msgid, LDAP_MSG_ALL, timeout, res ) == -1 )
+	if ( ldap_result( ld, msgid, LDAP_MSG_ALL, timeout, res ) == -1 || !*res )
 		return( ld->ld_errno );
 
 	if ( ld->ld_errno == LDAP_TIMEOUT ) {
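Review bot: The added `|| !*res` test runs before the `ld->ld_errno == LDAP_TIMEOUT` branch that follows it, so if `ldap_result` leaves `*res` NULL on a timeout (its behaviour is not visible here), the function returns early and never reaches that branch. Anything the timeout branch does beyond returning, such as cleaning up the outstanding request, would then be skipped. Moving the NULL test after the timeout branch keeps both behaviours: `if ( !*res ) return( ld->ld_errno );`. The body of the timeout branch lies outside the hunk.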
@@ -386,7 +386,7 @@
 	    == -1 )
 		return( ld->ld_errno );
 
-	if ( ldap_result( ld, msgid, LDAP_MSG_ALL, (struct timeval *) NULL, res ) == -1 || !res )
+	if ( ldap_result( ld, msgid, LDAP_MSG_ALL, (struct timeval *) NULL, res ) == -1 || !*res )
 		return( ld->ld_errno );
 
 	return( ldap_result2error( ld, *res, 0 ) );

Modified: openldap/trunk/libraries/libldap/sort.c
===================================================================
--- openldap/trunk/libraries/libldap/sort.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/sort.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* sort.c -- LDAP library entry and value sort routines */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sort.c,v 1.27.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sort.c,v 1.27.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/sortctrl.c
===================================================================
--- openldap/trunk/libraries/libldap/sortctrl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/sortctrl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sortctrl.c,v 1.19.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sortctrl.c,v 1.19.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/stctrl.c
===================================================================
--- openldap/trunk/libraries/libldap/stctrl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/stctrl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/stctrl.c,v 1.3.2.1 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/stctrl.c,v 1.3.2.2 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2007 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/libldap/string.c
===================================================================
--- openldap/trunk/libraries/libldap/string.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/string.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/string.c,v 1.23.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/string.c,v 1.23.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/t61.c
===================================================================
--- openldap/trunk/libraries/libldap/t61.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/t61.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/t61.c,v 1.9.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/t61.c,v 1.9.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/test.c
===================================================================
--- openldap/trunk/libraries/libldap/test.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/test.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/test.c,v 1.55.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/test.c,v 1.55.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/tls.c
===================================================================
--- openldap/trunk/libraries/libldap/tls.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/tls.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* tls.c - Handle tls/ssl using SSLeay, OpenSSL or GNUTLS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls.c,v 1.133.2.7 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls.c,v 1.133.2.9 2008/02/12 00:48:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -307,6 +307,7 @@
 			/* unrecognized cipher suite */
 			return -1;
 		}
+		ptr += len + 1;
 	} while (end);
 
 	/* Space for all 3 lists */
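Review bot: The added `ptr += len + 1;` also runs for the final token, so when `end` is NULL the pointer finishes one byte past the string terminator before `while (end)` exits. That is harmless only while nothing reads `ptr` after the loop; both the code after the loop and the computation of `len` are outside the hunk, so this needs confirming. If `end` points at the separator that was found, `if ( end ) ptr = end + 1;` advances without leaving the string and without depending on `len`. The same line is added to the second loop in the @@ -348 hunk, and a test that parses a cipher-suite string with more than one entry would pin the fix for both loops.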
@@ -348,6 +349,7 @@
 				break;
 			}
 		}
+		ptr += len + 1;
 	} while (end);
 	kx[nkx] = 0;
 	cipher[ncipher] = 0;

Modified: openldap/trunk/libraries/libldap/turn.c
===================================================================
--- openldap/trunk/libraries/libldap/turn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/turn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/turn.c,v 1.3.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/turn.c,v 1.3.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/txn.c
===================================================================
--- openldap/trunk/libraries/libldap/txn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/txn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/txn.c,v 1.8.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/txn.c,v 1.8.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2007 The OpenLDAP Foundation.
+ * Copyright 2006-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/unbind.c
===================================================================
--- openldap/trunk/libraries/libldap/unbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/unbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/unbind.c,v 1.56.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/unbind.c,v 1.56.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/url.c
===================================================================
--- openldap/trunk/libraries/libldap/url.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/url.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* LIBLDAP url.c -- LDAP URL (RFC 4516) related routines */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/url.c,v 1.94.2.4 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/url.c,v 1.94.2.8 2008/02/11 23:41:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -582,19 +582,17 @@
 	len += sep;
 
 	if ( u->lud_port ) {
-		char	buf[] = ":65535";
+		unsigned p = u->lud_port;
+		if ( p > 65535 )
+			return -1;
 
-		len += snprintf( buf, sizeof( buf ), ":%d", u->lud_port );
-		if ( u->lud_host && u->lud_host[0] ) {
-			len += strlen( u->lud_host );
-		}
+		len += (p > 999 ? 5 + (p > 9999) : p > 99 ? 4 : 2 + (p > 9));
+	}
 
-	} else {
-		if ( u->lud_host && u->lud_host[0] ) {
-			len += hex_escape_len( u->lud_host, URLESC_SLASH );
-			if ( !is_ipc && strchr( u->lud_host, ':' )) {
-				len += 2;	/* IPv6, [] */
-			}
+	if ( u->lud_host && u->lud_host[0] ) {
+		len += hex_escape_len( u->lud_host, URLESC_SLASH );
+		if ( !is_ipc && strchr( u->lud_host, ':' )) {
+			len += 2;	/* IPv6, [] */
 		}
 	}
 
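Review bot: The new `return -1` for a port above 65535 only protects anything if every caller of this length routine treats a negative result as failure before using it as an allocation size; the callers are outside the hunk, so that needs confirming. If `lud_port` is a signed int, as the `%d` in the removed line suggests, assigning it to `unsigned p` also makes a negative port fail the same range check, which is worth a comment because `p > 65535` does not show it. The digit-count expression is correct for 1..65535 but hard to audit, so I would add `/* ':' plus 1 to 5 decimal digits */` above it. The enclosing function starts and ends outside the hunk.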
@@ -644,14 +642,16 @@
 	}
 
 	if ( u->lud_port ) {
-		len -= sprintf( s, "%s://%s%s%s:%d%n", u->lud_scheme,
+		sofar = sprintf( s, "%s://%s%s%s:%d", u->lud_scheme,
 				is_v6 ? "[" : "",
 				u->lud_host ? u->lud_host : "",
 				is_v6 ? "]" : "",
-				u->lud_port, &sofar );
+				u->lud_port );
+		len -= sofar;
 
 	} else {
-		len -= sprintf( s, "%s://%n", u->lud_scheme, &sofar );
+		sofar = sprintf( s, "%s://", u->lud_scheme );
+		len -= sofar;
 		if ( u->lud_host && u->lud_host[0] ) {
 			if ( is_v6 ) {
 				s[sofar++] = '[';
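Review bot: In the port branch the host is still written verbatim through `%s`, while the @@ -582 hunk now sizes the buffer with `hex_escape_len( u->lud_host, URLESC_SLASH )`; the buffer is large enough, but a host containing characters that need escaping is emitted unescaped whenever a port is set. The no-port branch continues past the end of this hunk and appears to write the host separately after the scheme, so the two paths may produce different URLs for the same host. Writing the scheme once and sharing the host-writing code between both branches, with the `:port` suffix appended afterwards, would keep them consistent. Replacing `%n` with the `sprintf` return value is sound, but the call stays unbounded; `snprintf` with the remaining `len` would make the bound explicit if `len` is the space left in `s` at this point, which the hunk does not show.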

Modified: openldap/trunk/libraries/libldap/urltest.c
===================================================================
--- openldap/trunk/libraries/libldap/urltest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/urltest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* urltest.c -- OpenLDAP URL API Test Program */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/urltest.c,v 1.1.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/urltest.c,v 1.1.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/utf-8-conv.c
===================================================================
--- openldap/trunk/libraries/libldap/utf-8-conv.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/utf-8-conv.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/utf-8-conv.c,v 1.16.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/utf-8-conv.c,v 1.16.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/utf-8.c
===================================================================
--- openldap/trunk/libraries/libldap/utf-8.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/utf-8.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* utf-8.c -- Basic UTF-8 routines */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/utf-8.c,v 1.36.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/utf-8.c,v 1.36.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/util-int.c
===================================================================
--- openldap/trunk/libraries/libldap/util-int.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/util-int.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/util-int.c,v 1.57.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/util-int.c,v 1.57.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998 A. Hartgers.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/libldap/vlvctrl.c
===================================================================
--- openldap/trunk/libraries/libldap/vlvctrl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/vlvctrl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/vlvctrl.c,v 1.21.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/vlvctrl.c,v 1.21.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap/whoami.c
===================================================================
--- openldap/trunk/libraries/libldap/whoami.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap/whoami.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/whoami.c,v 1.10.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/whoami.c,v 1.10.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/Makefile.in
===================================================================
--- openldap/trunk/libraries/libldap_r/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for LDAP -lldap
-# $OpenLDAP: pkg/ldap/libraries/libldap_r/Makefile.in,v 1.79.2.3 2007/08/31 23:13:56 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/libldap_r/Makefile.in,v 1.79.2.5 2008/02/11 23:26:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -56,7 +56,7 @@
 XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
 XXXLIBS = $(LTHREAD_LIBS)
 NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
-UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
 
 .links : Makefile
 	@for i in $(XXSRCS); do \

Modified: openldap/trunk/libraries/libldap_r/ldap_thr_debug.h
===================================================================
--- openldap/trunk/libraries/libldap_r/ldap_thr_debug.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/ldap_thr_debug.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldap_thr_debug.h - preprocessor magic for LDAP_THREAD_DEBUG */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/ldap_thr_debug.h,v 1.3.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/ldap_thr_debug.h,v 1.3.2.5 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -119,7 +119,7 @@
 #define	ldap_pvt_thread_pool_resume		ldap_int_thread_pool_resume
 #define	ldap_pvt_thread_pool_destroy	ldap_int_thread_pool_destroy
 #define	ldap_pvt_thread_pool_getkey		ldap_int_thread_pool_getkey
-#define	ldap_pvt_thread_pool_setkey		ldap_int_thread_pool_setkey
+#define	ldap_pvt_thread_pool_setkey	ldap_int_thread_pool_setkey
 #define	ldap_pvt_thread_pool_purgekey	ldap_int_thread_pool_purgekey
 #define	ldap_pvt_thread_pool_context	ldap_int_thread_pool_context
 #define	ldap_pvt_thread_pool_context_reset ldap_int_thread_pool_context_reset

Modified: openldap/trunk/libraries/libldap_r/rdwr.c
===================================================================
--- openldap/trunk/libraries/libldap_r/rdwr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/rdwr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rdwr.c,v 1.28.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rdwr.c,v 1.28.2.3 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/rmutex.c
===================================================================
--- openldap/trunk/libraries/libldap_r/rmutex.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/rmutex.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rmutex.c,v 1.2.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rmutex.c,v 1.2.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2007 The OpenLDAP Foundation.
+ * Copyright 2006-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/rq.c
===================================================================
--- openldap/trunk/libraries/libldap_r/rq.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/rq.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rq.c,v 1.23.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/rq.c,v 1.23.2.4 2008/02/11 23:26:41 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/libldap_r/thr_cthreads.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_cthreads.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_cthreads.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_cthreads.c - wrapper for mach cthreads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_cthreads.c,v 1.20.2.3 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_cthreads.c,v 1.20.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/thr_debug.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_debug.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_debug.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_debug.c - wrapper around the chosen thread wrapper, for debugging. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_debug.c,v 1.5.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_debug.c,v 1.5.2.6 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1246,11 +1246,14 @@
 	void *xctx,
 	void *key,
 	void *data,
-	ldap_pvt_thread_pool_keyfree_t *kfree )
+	ldap_pvt_thread_pool_keyfree_t *kfree,
+	void **olddatap,
+	ldap_pvt_thread_pool_keyfree_t **oldkfreep )
 {
 	int rc;
 	ERROR_IF( !threading_enabled, "ldap_pvt_thread_pool_setkey" );
-	rc = ldap_int_thread_pool_setkey( xctx, key, data, kfree );
+	rc = ldap_int_thread_pool_setkey(
+		xctx, key, data, kfree, olddatap, oldkfreep );
 	ERROR_IF( rc, "ldap_pvt_thread_pool_setkey" );
 	return rc;
 }
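Review bot: The two new out-parameters `olddatap` and `oldkfreep` are undocumented, and nothing here states whether a caller may pass NULL for them. The stub in thr_stub.c (@@ -201 hunk) tolerates NULL and clears both outputs, so the contract should be written down once, e.g. `/* olddatap, oldkfreep: if non-NULL, set to the key's previous data and free function */`, with the wording confirmed against the real implementation in tpool.c. The function's signature starts outside this hunk. Because the parameter list grew, a caller still passing four arguments is caught at compile time only if the prototype in the header changed as well; that header is not in this part of the diff. In the stub, `*oldkfreep = 0;` would read better as `NULL`, matching the line above it.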

Modified: openldap/trunk/libraries/libldap_r/thr_lwp.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_lwp.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_lwp.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_lwp.c - wrappers around SunOS LWP threads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_lwp.c,v 1.20.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_lwp.c,v 1.20.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/thr_nt.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_nt.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_nt.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_nt.c - wrapper around NT threads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_nt.c,v 1.32.2.4 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_nt.c,v 1.32.2.5 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/thr_posix.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_posix.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_posix.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_posix.c - wrapper around posix and posixish thread implementations.  */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_posix.c,v 1.46.2.3 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_posix.c,v 1.46.2.5 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,6 +31,7 @@
 #define LDAP_THREAD_IMPLEMENTATION
 #define LDAP_THREAD_RDWR_IMPLEMENTATION
 #include "ldap_thr_debug.h"	 /* May rename the symbols defined below */
+#include <signal.h>			 /* For pthread_kill() */
 
 #if HAVE_PTHREADS < 6
 #  define LDAP_INT_THREAD_ATTR_DEFAULT		pthread_attr_default

Modified: openldap/trunk/libraries/libldap_r/thr_pth.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_pth.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_pth.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_pth.c - wrappers around GNU Pth */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_pth.c,v 1.16.2.3 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_pth.c,v 1.16.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/thr_stub.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_stub.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_stub.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_stub.c - stubs for the threads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_stub.c,v 1.27.2.4 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_stub.c,v 1.27.2.7 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -201,8 +201,12 @@
 }
 
 int ldap_pvt_thread_pool_setkey (
-	void *ctx, void *key, void *data, ldap_pvt_thread_pool_keyfree_t *kfree )
+	void *ctx, void *key,
+	void *data, ldap_pvt_thread_pool_keyfree_t *kfree,
+	void **olddatap, ldap_pvt_thread_pool_keyfree_t **oldkfreep )
 {
+	if ( olddatap ) *olddatap = NULL;
+	if ( oldkfreep ) *oldkfreep = 0;
 	return(0);
 }
 

Modified: openldap/trunk/libraries/libldap_r/thr_thr.c
===================================================================
--- openldap/trunk/libraries/libldap_r/thr_thr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/thr_thr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thr_thr.c - wrappers around solaris threads */
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_thr.c,v 1.18.2.3 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/thr_thr.c,v 1.18.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/threads.c
===================================================================
--- openldap/trunk/libraries/libldap_r/threads.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/threads.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/threads.c,v 1.18.2.3 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/threads.c,v 1.18.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/libldap_r/tpool.c
===================================================================
--- openldap/trunk/libraries/libldap_r/tpool.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/libldap_r/tpool.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap_r/tpool.c,v 1.52.2.8 2007/11/07 20:58:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap_r/tpool.c,v 1.52.2.13 2008/03/21 00:46:03 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -17,6 +17,7 @@
 
 #include <stdio.h>
 
+#include <ac/signal.h>
 #include <ac/stdarg.h>
 #include <ac/stdlib.h>
 #include <ac/string.h>
@@ -31,12 +32,6 @@
 
 #ifndef LDAP_THREAD_HAVE_TPOOL
 
-typedef enum ldap_int_thread_pool_state_e {
-	LDAP_INT_THREAD_POOL_RUNNING,
-	LDAP_INT_THREAD_POOL_FINISHING,
-	LDAP_INT_THREAD_POOL_STOPPING
-} ldap_int_thread_pool_state_t;
-
 /* Thread-specific key with data and optional free function */
 typedef struct ldap_int_tpool_key_s {
 	void *ltk_key;
@@ -52,6 +47,9 @@
 /* Max number of threads */
 #define	LDAP_MAXTHR	1024	/* must be a power of 2 */
 
+/* (Theoretical) max number of pending requests */
+#define MAX_PENDING (INT_MAX/2)	/* INT_MAX - (room to avoid overflow) */
+
 /* Context: thread ID and thread-specific key/data pairs */
 typedef struct ldap_int_thread_userctx_s {
 	ldap_pvt_thread_t ltu_id;
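Review bot: `MAX_PENDING` expands to `INT_MAX/2`, which needs `<limits.h>`, yet the include hunk above adds only `<ac/signal.h>`. The rest of the include list is outside the hunk, so confirm that `INT_MAX` is declared deliberately on every supported platform and does not arrive by accident through another header. The comment `INT_MAX - (room to avoid overflow)` would be clearer if it named the arithmetic that must not overflow, for instance `/* headroom so pending-count arithmetic and negating ltp_max_pending stay within int */`, subject to the author's confirmation.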
@@ -88,6 +86,8 @@
 	void *ltt_arg;
 } ldap_int_thread_task_t;
 
+typedef LDAP_STAILQ_HEAD(tcq, ldap_int_thread_task_s) ldap_int_tpool_plist_t;
+
 struct ldap_int_thread_pool_s {
 	LDAP_STAILQ_ENTRY(ldap_int_thread_pool_s) ltp_next;
 
@@ -100,23 +100,56 @@
 	/* ltp_active_count <= 1 && ltp_pause */
 	ldap_pvt_thread_cond_t ltp_pcond;
 
+	/* ltp_pause == 0 ? &ltp_pending_list : &empty_pending_list,
+	 * maintaned to reduce work for pool_wrapper()
+	 */
+	ldap_int_tpool_plist_t *ltp_work_list;
+
 	/* pending tasks, and unused task objects */
-	LDAP_STAILQ_HEAD(tcq, ldap_int_thread_task_s) ltp_pending_list;
+	ldap_int_tpool_plist_t ltp_pending_list;
 	LDAP_SLIST_HEAD(tcl, ldap_int_thread_task_s) ltp_free_list;
 
-	ldap_int_thread_pool_state_t ltp_state;
+	/* The pool is finishing, waiting for its threads to close.
+	 * They close when ltp_pending_list is done.  pool_submit()
+	 * rejects new tasks.  ltp_max_pending = -(its old value).
+	 */
+	int ltp_finishing;
 
-	/* some active request needs to be the sole active request */
-	int ltp_pause;
+	/* Some active task needs to be the sole active task.
+	 * Atomic variable so ldap_pvt_thread_pool_pausing() can read it.
+	 * Note: Pauses adjust ltp_<open_count/vary_open_count/work_list>,
+	 * so pool_<submit/wrapper>() mostly can avoid testing ltp_pause.
+	 */
+	volatile sig_atomic_t ltp_pause;
 
-	long ltp_max_count;			/* max number of threads in pool, or 0 */
-	long ltp_max_pending;		/* max pending or paused requests, or 0 */
-	long ltp_pending_count;		/* pending or paused requests */
-	long ltp_active_count;		/* active, not paused requests */
-	long ltp_open_count;		/* number of threads */
-	long ltp_starting;			/* currenlty starting threads */
+	/* Max number of threads in pool, or 0 for default (LDAP_MAXTHR) */
+	int ltp_max_count;
+
+	/* Max number of pending + paused requests, negated when ltp_finishing */
+	int ltp_max_pending;
+
+	int ltp_pending_count;		/* Pending or paused requests */
+	int ltp_active_count;		/* Active, not paused requests */
+	int ltp_open_count;			/* Number of threads, negated when ltp_pause */
+	int ltp_starting;			/* Currenlty starting threads */
+
+	/* >0 if paused or we may open a thread, <0 if we should close a thread.
+	 * Updated when ltp_<finishing/pause/max_count/open_count> change.
+	 * Maintained to reduce the time ltp_mutex must be locked in
+	 * ldap_pvt_thread_pool_<submit/wrapper>().
+	 */
+	int ltp_vary_open_count;
+#	define SET_VARY_OPEN_COUNT(pool)	\
+		((pool)->ltp_vary_open_count =	\
+		 (pool)->ltp_pause      ?  1 :	\
+		 (pool)->ltp_finishing  ? -1 :	\
+		 ((pool)->ltp_max_count ? (pool)->ltp_max_count : LDAP_MAXTHR) \
+		 - (pool)->ltp_open_count)
 };
 
+static ldap_int_tpool_plist_t empty_pending_list =
+	LDAP_STAILQ_HEAD_INITIALIZER(empty_pending_list);
+
 static int ldap_int_has_thread_pool = 0;
 static LDAP_STAILQ_HEAD(tpq, ldap_int_thread_pool_s)
 	ldap_int_thread_pool_list =
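Review bot: `volatile sig_atomic_t ltp_pause` is described as an atomic variable so that `ldap_pvt_thread_pool_pausing()` can read it, but `sig_atomic_t` only guarantees indivisible access with respect to a signal handler; it gives no ordering or visibility guarantee between threads. If that function reads the field without holding `ltp_mutex` (it is not in this hunk), the comment should say the value is a hint that may be stale, e.g. `/* unlocked readers get a hint only; decisions are made under ltp_mutex */`. Several fields now encode state by sign (`ltp_max_pending` negated when finishing, `ltp_open_count` negated when paused), so every reader has to know the pool state before interpreting them; an assertion or accessor macro next to `SET_VARY_OPEN_COUNT` would make that invariant checkable. The new comments also carry two typos, `maintaned` and `Currenlty`.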
@@ -168,8 +201,8 @@
 
 	if (! (0 <= max_threads && max_threads <= LDAP_MAXTHR))
 		max_threads = 0;
-	if (max_pending < 0)
-		max_pending = 0;
+	if (! (1 <= max_pending && max_pending <= MAX_PENDING))
+		max_pending = MAX_PENDING;
 
 	*tpool = NULL;
 	pool = (ldap_pvt_thread_pool_t) LDAP_CALLOC(1,
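Review bot: The new clamp on `max_pending` changes what 0 means, and nothing at this spot says so. The removed lines stored 0 and the old submit test treated it as "no limit"; now 0, negative and oversized values are all replaced by `MAX_PENDING`, which the query hunk at `@@ -387,10 +429,16 @@` reports back as 0. I would add a comment above the test, e.g. `/* 0 or out of range: use the hard cap MAX_PENDING, which pool_query reports as 0 */`, so it is clear the queue is now always bounded. `MAX_PENDING` is defined outside this hunk, and the function starts and ends outside it.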
@@ -188,11 +221,15 @@
 		return(rc);
 
 	ldap_int_has_thread_pool = 1;
-	pool->ltp_state = LDAP_INT_THREAD_POOL_RUNNING;
+
 	pool->ltp_max_count = max_threads;
+	SET_VARY_OPEN_COUNT(pool);
 	pool->ltp_max_pending = max_pending;
+
 	LDAP_STAILQ_INIT(&pool->ltp_pending_list);
+	pool->ltp_work_list = &pool->ltp_pending_list;
 	LDAP_SLIST_INIT(&pool->ltp_free_list);
+
 	ldap_pvt_thread_mutex_lock(&ldap_pvt_thread_pool_mutex);
 	LDAP_STAILQ_INSERT_TAIL(&ldap_int_thread_pool_list, pool, ltp_next);
 	ldap_pvt_thread_mutex_unlock(&ldap_pvt_thread_pool_mutex);
@@ -213,6 +250,7 @@
 	 * lock the mutex right now, since no threads are running.
 	 */
 	pool->ltp_open_count++;
+	SET_VARY_OPEN_COUNT(pool);
 
 	ldap_pvt_thread_t thr;
 	rc = ldap_pvt_thread_create( &thr, 1, ldap_int_thread_pool_wrapper, pool );
@@ -256,23 +294,17 @@
 		return(-1);
 
 	ldap_pvt_thread_mutex_lock(&pool->ltp_mutex);
-	if (pool->ltp_state != LDAP_INT_THREAD_POOL_RUNNING
-		|| (pool->ltp_max_pending
-			&& pool->ltp_pending_count >= pool->ltp_max_pending))
-	{
-		ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
-		return(-1);
-	}
 
+	if (pool->ltp_pending_count >= pool->ltp_max_pending)
+		goto failed;
+
 	task = LDAP_SLIST_FIRST(&pool->ltp_free_list);
 	if (task) {
 		LDAP_SLIST_REMOVE_HEAD(&pool->ltp_free_list, ltt_next.l);
 	} else {
 		task = (ldap_int_thread_task_t *) LDAP_MALLOC(sizeof(*task));
-		if (task == NULL) {
-			ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
-			return(-1);
-		}
+		if (task == NULL)
+			goto failed;
 	}
 
 	task->ltt_start_routine = start_routine;
@@ -280,17 +312,18 @@
 
 	pool->ltp_pending_count++;
 	LDAP_STAILQ_INSERT_TAIL(&pool->ltp_pending_list, task, ltt_next.q);
-	if (pool->ltp_pause) {
-		ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
-		return(0);
-	}
-	ldap_pvt_thread_cond_signal(&pool->ltp_cond);
-	if (pool->ltp_open_count < pool->ltp_active_count + pool->ltp_pending_count
-		&& (pool->ltp_open_count <
-			(pool->ltp_max_count ? pool->ltp_max_count : LDAP_MAXTHR)))
+
+	/* true if ltp_pause != 0 or we should open (create) a thread */
+	if (pool->ltp_vary_open_count > 0 &&
+		pool->ltp_open_count < pool->ltp_active_count+pool->ltp_pending_count)
 	{
+		if (pool->ltp_pause)
+			goto done;
+
+		pool->ltp_starting++;
 		pool->ltp_open_count++;
-		pool->ltp_starting++;
+		SET_VARY_OPEN_COUNT(pool);
+
 		if (0 != ldap_pvt_thread_create(
 			&thr, 1, ldap_int_thread_pool_wrapper, pool))
 		{
@@ -299,6 +332,8 @@
 			 */
 			pool->ltp_starting--;
 			pool->ltp_open_count--;
+			SET_VARY_OPEN_COUNT(pool);
+
 			if (pool->ltp_open_count == 0) {
 				/* no open threads at all?!?
 				 */
@@ -314,24 +349,28 @@
 					 * back out of ltp_pending_count, free the task,
 					 * report the error.
 					 */
+					pool->ltp_pending_count--;
 					LDAP_STAILQ_REMOVE(&pool->ltp_pending_list, task,
 						ldap_int_thread_task_s, ltt_next.q);
-					pool->ltp_pending_count--;
-					ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
-					LDAP_FREE(task);
-					return(-1);
+					LDAP_SLIST_INSERT_HEAD(&pool->ltp_free_list, task,
+						ltt_next.l);
+					goto failed;
 				}
 			}
 			/* there is another open thread, so this
 			 * task will be handled eventually.
-			 * continue on, we have signalled that
-			 * the task is waiting.
 			 */
 		}
 	}
+	ldap_pvt_thread_cond_signal(&pool->ltp_cond);
 
+ done:
 	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
 	return(0);
+
+ failed:
+	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
+	return(-1);
 }
 
 /* Set max #threads.  value <= 0 means max supported #threads (LDAP_MAXTHR) */
@@ -354,7 +393,10 @@
 		return(-1);
 
 	ldap_pvt_thread_mutex_lock(&pool->ltp_mutex);
+
 	pool->ltp_max_count = max_threads;
+	SET_VARY_OPEN_COUNT(pool);
+
 	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
 	return(0);
 }
@@ -387,10 +429,16 @@
 
 	case LDAP_PVT_THREAD_POOL_PARAM_MAX_PENDING:
 		count = pool->ltp_max_pending;
+		if (count < 0)
+			count = -count;
+		if (count == MAX_PENDING)
+			count = 0;
 		break;
 
 	case LDAP_PVT_THREAD_POOL_PARAM_OPEN:
 		count = pool->ltp_open_count;
+		if (count < 0)
+			count = -count;
 		break;
 
 	case LDAP_PVT_THREAD_POOL_PARAM_STARTING:
@@ -422,33 +470,13 @@
 	case LDAP_PVT_THREAD_POOL_PARAM_BACKLOAD_MAX:
 		break;
 
-	case LDAP_PVT_THREAD_POOL_PARAM_STATE: {
-		static struct {
-			char				*name;
-			ldap_int_thread_pool_state_t	state;
-		}		str2state[] = {
-			{ "running",	LDAP_INT_THREAD_POOL_RUNNING },
-			{ "finishing",	LDAP_INT_THREAD_POOL_FINISHING },
-			{ "stopping",	LDAP_INT_THREAD_POOL_STOPPING },
-			{ NULL }
-		};
-		int		i;
+	case LDAP_PVT_THREAD_POOL_PARAM_STATE:
+		*((char **)value) =
+			pool->ltp_pause ? "pausing" :
+			!pool->ltp_finishing ? "running" :
+			pool->ltp_pending_count ? "finishing" : "stopping";
+		break;
 
-		if ( pool->ltp_pause ) {
-			*((char **)value) = "pausing";
-		} else {
-			for ( i = 0; str2state[ i ].name != NULL; i++ ) {
-				if ( str2state[ i ].state == pool->ltp_state ) {
-					break;
-				}
-			}
-			*((char **)value) = str2state[ i ].name;
-		}
-		if ( *((char **)value) != NULL ) {
-			count = -2;
-		}
-		} break;
-
 	case LDAP_PVT_THREAD_POOL_PARAM_UNKNOWN:
 		break;
 	}
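Review bot: The rewritten `LDAP_PVT_THREAD_POOL_PARAM_STATE` case no longer assigns `count`, whereas the removed code set `count = -2` once the state string had been stored. If the code after the switch (outside this hunk) still derives the return value from `count`, a successful state query may now be reported with the initial value, possibly as an error. Either keep `count = -2;` before the `break`, or confirm that the tail of the function treats this case as success.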
@@ -462,6 +490,23 @@
 }
 
 /*
+ * true if pool is pausing; does not lock any mutex to check.
+ * 0 if not pause, 1 if pause, -1 if error or no pool.
+ */
+int
+ldap_pvt_thread_pool_pausing( ldap_pvt_thread_pool_t *tpool )
+{
+	int rc = -1;
+	struct ldap_int_thread_pool_s *pool;
+
+	if ( tpool != NULL && (pool = *tpool) != NULL ) {
+		rc = pool->ltp_pause;
+	}
+
+	return rc;
+}
+
+/*
  * wrapper for ldap_pvt_thread_pool_query(), left around
  * for backwards compatibility
  */
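Review bot: The comment on `ldap_pvt_thread_pool_pausing()` should say that the result is only a snapshot. The function reads `ltp_pause` without taking `ltp_mutex`; declaring the field `volatile sig_atomic_t` makes the read itself well defined but gives no ordering with the rest of the pool state, so the value can be stale by the time the caller acts on it. I would extend the header comment with something like `Advisory only: a pause may begin or end right after this returns; use ldap_pvt_thread_pool_pausecheck() to synchronise.`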
@@ -505,29 +550,33 @@
 	if (pool != pptr) return(-1);
 
 	ldap_pvt_thread_mutex_lock(&pool->ltp_mutex);
-	pool->ltp_state = run_pending
-		? LDAP_INT_THREAD_POOL_FINISHING
-		: LDAP_INT_THREAD_POOL_STOPPING;
 
+	pool->ltp_finishing = 1;
+	SET_VARY_OPEN_COUNT(pool);
+	if (pool->ltp_max_pending > 0)
+		pool->ltp_max_pending = -pool->ltp_max_pending;
+
+	if (!run_pending) {
+		while ((task = LDAP_STAILQ_FIRST(&pool->ltp_pending_list)) != NULL) {
+			LDAP_STAILQ_REMOVE_HEAD(&pool->ltp_pending_list, ltt_next.q);
+			LDAP_FREE(task);
+		}
+		pool->ltp_pending_count = 0;
+	}
+
 	while (pool->ltp_open_count) {
 		if (!pool->ltp_pause)
 			ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
 		ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
 	}
-	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
 
-	while ((task = LDAP_STAILQ_FIRST(&pool->ltp_pending_list)) != NULL)
-	{
-		LDAP_STAILQ_REMOVE_HEAD(&pool->ltp_pending_list, ltt_next.q);
-		LDAP_FREE(task);
-	}
-
 	while ((task = LDAP_SLIST_FIRST(&pool->ltp_free_list)) != NULL)
 	{
 		LDAP_SLIST_REMOVE_HEAD(&pool->ltp_free_list, ltt_next.l);
 		LDAP_FREE(task);
 	}
 
+	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
 	ldap_pvt_thread_cond_destroy(&pool->ltp_pcond);
 	ldap_pvt_thread_cond_destroy(&pool->ltp_cond);
 	ldap_pvt_thread_mutex_destroy(&pool->ltp_mutex);
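Review bot: With `run_pending` set, nothing frees or checks `ltp_pending_list` any more before the mutex and condition variables are destroyed. The drain loop now runs only under `!run_pending`, so the code relies on the worker threads having emptied the list by the time `ltp_open_count` reaches zero; a task left behind would leak. An `assert(pool->ltp_pending_count == 0);` after the wait loop would state that assumption. The function begins and ends outside this hunk.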
@@ -544,6 +593,7 @@
 {
 	struct ldap_int_thread_pool_s *pool = xpool;
 	ldap_int_thread_task_t *task;
+	ldap_int_tpool_plist_t *work_list;
 	ldap_int_thread_userctx_t ctx, *kctx;
 	unsigned i, keyslot, hash;
 
@@ -578,24 +628,13 @@
 	pool->ltp_starting--;
 
 	for (;;) {
-		while (pool->ltp_pause)
-			ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
-
-		if (pool->ltp_state == LDAP_INT_THREAD_POOL_STOPPING)
-			break;
-
-		task = LDAP_STAILQ_FIRST(&pool->ltp_pending_list);
-		if (task == NULL) {
-			if (pool->ltp_state == LDAP_INT_THREAD_POOL_FINISHING)
-				break;
-
-			if (pool->ltp_open_count >
-				(pool->ltp_max_count ? pool->ltp_max_count : LDAP_MAXTHR))
-			{
-				/* too many threads running (can happen if the
-				 * maximum threads value is set during ongoing
-				 * operation using ldap_pvt_thread_pool_maxthreads)
-				 * so let this thread die.
+		work_list = pool->ltp_work_list; /* help the compiler a bit */
+		task = LDAP_STAILQ_FIRST(work_list);
+		if (task == NULL) {	/* paused or no pending tasks */
+			if (pool->ltp_vary_open_count < 0) {
+				/* not paused, and either finishing or too many
+				 * threads running (can happen if ltp_max_count
+				 * was reduced) so let this thread die.
 				 */
 				break;
 			}
@@ -612,12 +651,11 @@
 			 * check idle time.
 			 */
 
-			assert(pool->ltp_state == LDAP_INT_THREAD_POOL_RUNNING);
 			ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex);
 			continue;
 		}
 
-		LDAP_STAILQ_REMOVE_HEAD(&pool->ltp_pending_list, ltt_next.q);
+		LDAP_STAILQ_REMOVE_HEAD(work_list, ltt_next.q);
 		pool->ltp_pending_count--;
 		pool->ltp_active_count++;
 		ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
@@ -632,6 +670,8 @@
 			ldap_pvt_thread_cond_signal(&pool->ltp_pcond);
 	}
 
+	assert(!pool->ltp_pause); /* thread_keys writable, ltp_open_count >= 0 */
+
 	/* The ltp_mutex lock protects ctx->ltu_key from pool_purgekey()
 	 * during this call, since it prevents new pauses. */
 	ldap_pvt_thread_pool_context_reset(&ctx);
@@ -641,8 +681,9 @@
 	ldap_pvt_thread_mutex_unlock(&ldap_pvt_thread_pool_mutex);
 
 	pool->ltp_open_count--;
+	SET_VARY_OPEN_COUNT(pool);
 	/* let pool_destroy know we're all done */
-	if (pool->ltp_open_count < 1)
+	if (pool->ltp_open_count == 0)
 		ldap_pvt_thread_cond_signal(&pool->ltp_cond);
 
 	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
@@ -651,10 +692,8 @@
 	return(NULL);
 }
 
-/* Pause the pool.  Return when all other threads are paused. */
-int
-ldap_pvt_thread_pool_pause ( 
-	ldap_pvt_thread_pool_t *tpool )
+static int
+handle_pause( ldap_pvt_thread_pool_t *tpool, int do_pause )
 {
 	struct ldap_int_thread_pool_s *pool;
 
@@ -666,6 +705,9 @@
 	if (pool == NULL)
 		return(0);
 
+	if (! (do_pause || pool->ltp_pause))
+		return(0);
+
 	ldap_pvt_thread_mutex_lock(&pool->ltp_mutex);
 
 	/* If someone else has already requested a pause, we have to wait */
@@ -682,16 +724,43 @@
 		pool->ltp_active_count++;
 	}
 
-	/* Wait for everyone else to pause or finish */
-	pool->ltp_pause = 1;
-	while (pool->ltp_active_count > 1) {
-		ldap_pvt_thread_cond_wait(&pool->ltp_pcond, &pool->ltp_mutex);
+	if (do_pause) {
+		/* Wait for everyone else to pause or finish */
+		pool->ltp_pause = 1;
+		/* Let ldap_pvt_thread_pool_submit() through to its ltp_pause test,
+		 * and do not finish threads in ldap_pvt_thread_pool_wrapper() */
+		pool->ltp_open_count = -pool->ltp_open_count;
+		SET_VARY_OPEN_COUNT(pool);
+		/* Hide pending tasks from ldap_pvt_thread_pool_wrapper() */
+		pool->ltp_work_list = &empty_pending_list;
+
+		while (pool->ltp_active_count > 1) {
+			ldap_pvt_thread_cond_wait(&pool->ltp_pcond, &pool->ltp_mutex);
+		}
 	}
 
 	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
-	return(0);
+	return(!do_pause);
 }
 
+/*
+ * If a pause was requested, wait for it.  If several threads
+ * are waiting to pause, let through one or more pauses.
+ * Return 1 if we waited, 0 if not, -1 at parameter error.
+ */
+int
+ldap_pvt_thread_pool_pausecheck( ldap_pvt_thread_pool_t *tpool )
+{
+	return handle_pause( tpool, 0 );
+}
+
+/* Pause the pool.  Return when all other threads are paused. */
+int
+ldap_pvt_thread_pool_pause( ldap_pvt_thread_pool_t *tpool )
+{
+	return handle_pause( tpool, 1 );
+}
+
 /* End a pause */
 int
 ldap_pvt_thread_pool_resume ( 
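Review bot: `return(!do_pause)` makes `ldap_pvt_thread_pool_pausecheck()` return 1 whenever it gets past the unlocked `ltp_pause` test, even if the pause has already ended by the time `ltp_mutex` is taken. The header comment promises "Return 1 if we waited, 0 if not", and the early test in the `@@ -666,6 +705,9 @@` hunk is made without the lock, so the two can disagree. The wait block lies between the hunks and is not visible here, so this is inferred. If it holds, either record in a local flag whether the wait loop actually ran and return that, or reword the comment to `Return 1 if a pause was seen`.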
@@ -708,9 +777,17 @@
 		return(0);
 
 	ldap_pvt_thread_mutex_lock(&pool->ltp_mutex);
+
+	assert(pool->ltp_pause);
 	pool->ltp_pause = 0;
-	if (pool->ltp_state == LDAP_INT_THREAD_POOL_RUNNING)
+	if (pool->ltp_open_count <= 0) /* true when paused, but be paranoid */
+		pool->ltp_open_count = -pool->ltp_open_count;
+	SET_VARY_OPEN_COUNT(pool);
+	pool->ltp_work_list = &pool->ltp_pending_list;
+
+	if (!pool->ltp_finishing)
 		ldap_pvt_thread_cond_broadcast(&pool->ltp_cond);
+
 	ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex);
 	return(0);
 }
@@ -760,7 +837,9 @@
 	void *xctx,
 	void *key,
 	void *data,
-	ldap_pvt_thread_pool_keyfree_t *kfree )
+	ldap_pvt_thread_pool_keyfree_t *kfree,
+	void **olddatap,
+	ldap_pvt_thread_pool_keyfree_t **oldkfreep )
 {
 	ldap_int_thread_userctx_t *ctx = xctx;
 	int i, found;
@@ -776,6 +855,22 @@
 		}
 	}
 
+	if ( olddatap ) {
+		if ( found ) {
+			*olddatap = ctx->ltu_key[i].ltk_data;
+		} else {
+			*olddatap = NULL;
+		}
+	}
+
+	if ( oldkfreep ) {
+		if ( found ) {
+			*oldkfreep = ctx->ltu_key[i].ltk_free;
+		} else {
+			*oldkfreep = 0;
+		}
+	}
+
 	if ( data || kfree ) {
 		if ( i>=MAXKEYS )
 			return ENOMEM;
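Review bot: The two new out-parameter blocks can be written more compactly and should use the same null constant. `*oldkfreep = 0;` stores a null function pointer as a bare `0` while `*olddatap` gets `NULL` a few lines above; `*olddatap = found ? ctx->ltu_key[i].ltk_data : NULL;` and `*oldkfreep = found ? ctx->ltu_key[i].ltk_free : NULL;` say the same in two lines. The signature change in the previous hunk also deserves a sentence in the function's header comment stating that both pointers may be NULL. The function starts and ends outside this hunk.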
@@ -828,7 +923,7 @@
 	void *ctx = NULL;
 
 	ldap_pvt_thread_key_getdata( ldap_tpool_key, &ctx );
-	return ctx ? ctx : &ldap_int_main_thrctx;
+	return ctx ? ctx : (void *) &ldap_int_main_thrctx;
 }
 
 /*

Modified: openldap/trunk/libraries/liblunicode/Makefile.in
===================================================================
--- openldap/trunk/libraries/liblunicode/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for LDAP -llunicode
-# $OpenLDAP: pkg/ldap/libraries/liblunicode/Makefile.in,v 1.31.2.4 2007/10/19 02:54:28 hyc Exp $
+# $OpenLDAP: pkg/ldap/libraries/liblunicode/Makefile.in,v 1.31.2.5 2008/02/11 23:26:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucdata/ucdata.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ucdata/ucdata.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucdata/ucdata.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucdata.c,v 1.32.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucdata.c,v 1.32.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucdata/ucdata.h
===================================================================
--- openldap/trunk/libraries/liblunicode/ucdata/ucdata.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucdata/ucdata.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucdata.h,v 1.19.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucdata.h,v 1.19.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucgendat.c,v 1.39.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucgendat.c,v 1.39.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucpgba.c,v 1.7.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucpgba.c,v 1.7.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h
===================================================================
--- openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucpgba.h,v 1.8.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucdata/ucpgba.h,v 1.8.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ucstr.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ucstr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ucstr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucstr.c,v 1.37.2.2 2007/08/31 23:13:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ucstr.c,v 1.37.2.4 2008/04/14 19:12:11 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -128,7 +128,12 @@
 	if ( len == 0 ) {
 		return ber_dupbv_x( newbv, bv, ctx );
 	}
-	
+
+	if ( !newbv ) {
+		newbv = ber_memalloc_x( sizeof(struct berval), ctx );
+		if ( !newbv ) return NULL;
+	}
+
 	/* Should first check to see if string is already in proper
 	 * normalized form. This is almost as time consuming as
 	 * the normalization though.
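Review bot: When the caller passes `newbv == NULL`, the berval allocated here appears to be leaked on every later failure path. The `return NULL` exits after the failed `ber_memalloc_x`/`ber_memrealloc_x` calls and after the invalid-UTF-8 checks (hunks `@@ -138,7 +143,7 @@` through `@@ -264,10 +271,10 @@`) release `out`, `ucs` and `ucsout` but never the new struct. If this routine is reached with client-supplied strings, the malformed-input exits can be hit repeatedly. I would remember the allocation in a new local flag set in this block and release it on those exits, e.g. `if ( bvalloc ) ber_memfree_x( newbv, ctx );` before each `return NULL`. The function begins and ends outside this hunk.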
@@ -138,7 +143,7 @@
 	if ( LDAP_UTF8_ISASCII( s ) ) {
 		if ( casefold ) {
 			outsize = len + 7;
-			out = (char *) malloc( outsize );
+			out = (char *) ber_memalloc_x( outsize, ctx );
 			if ( out == NULL ) {
 				return NULL;
 			}
@@ -150,7 +155,9 @@
 			if ( i == len ) {
 				out[outpos++] = TOLOWER( s[len-1] );
 				out[outpos] = '\0';
-				return ber_str2bv( out, outpos, 0, newbv);
+				newbv->bv_val = out;
+				newbv->bv_len = outpos;
+				return newbv;
 			}
 		} else {
 			for ( i = 1; (i < len) && LDAP_UTF8_ISASCII(s + i); i++ ) {
@@ -162,7 +169,7 @@
 			}
 				
 			outsize = len + 7;
-			out = (char *) malloc( outsize );
+			out = (char *) ber_memalloc_x( outsize, ctx );
 			if ( out == NULL ) {
 				return NULL;
 			}
@@ -171,7 +178,7 @@
 		}
 	} else {
 		outsize = len + 7;
-		out = (char *) malloc( outsize );
+		out = (char *) ber_memalloc_x( outsize, ctx );
 		if ( out == NULL ) {
 			return NULL;
 		}
@@ -179,9 +186,9 @@
 		i = 0;
 	}
 
-	p = ucs = malloc( len * sizeof(*ucs) );
+	p = ucs = ber_memalloc_x( len * sizeof(*ucs), ctx );
 	if ( ucs == NULL ) {
-		free(out);
+		ber_memfree_x(out, ctx);
 		return NULL;
 	}
 
@@ -198,8 +205,8 @@
 		while ( i < len ) {
 			clen = LDAP_UTF8_CHARLEN2( s + i, clen );
 			if ( clen == 0 ) {
-				free( ucs );
-				free( out );
+				ber_memfree_x( ucs, ctx );
+				ber_memfree_x( out, ctx );
 				return NULL;
 			}
 			if ( clen == 1 ) {
@@ -210,8 +217,8 @@
 			i++;
 			for( j = 1; j < clen; j++ ) {
 				if ( (s[i] & 0xc0) != 0x80 ) {
-					free( ucs );
-					free( out );
+					ber_memfree_x( ucs, ctx );
+					ber_memfree_x( out, ctx );
 					return NULL;
 				}
 				*p <<= 6;
@@ -239,11 +246,11 @@
 				   6 bytes and terminator */
 				if ( outsize - outpos < 7 ) {
 					outsize = ucsoutlen - j + outpos + 6;
-					outtmp = (char *) realloc( out, outsize );
+					outtmp = (char *) ber_memrealloc_x( out, outsize, ctx );
 					if ( outtmp == NULL ) {
-						free( out );
-						free( ucs );
-						free( ucsout );
+						ber_memfree_x( ucsout, ctx );
+						ber_memfree_x( ucs, ctx );
+						ber_memfree_x( out, ctx );
 						return NULL;
 					}
 					out = outtmp;
@@ -252,7 +259,7 @@
 			}
 		}
 
-		free( ucsout );
+		ber_memfree_x( ucsout, ctx );
 		ucsout = NULL;
 		
 		if ( i == len ) {
@@ -264,10 +271,10 @@
 		/* Allocate more space in out if necessary */
 		if (len - i >= outsize - outpos) {
 			outsize += 1 + ((len - i) - (outsize - outpos));
-			outtmp = (char *) realloc(out, outsize);
+			outtmp = (char *) ber_memrealloc_x(out, outsize, ctx);
 			if (outtmp == NULL) {
-				free(out);
-				free(ucs);
+				ber_memfree_x( ucs, ctx );
+				ber_memfree_x( out, ctx );
 				return NULL;
 			}
 			out = outtmp;
@@ -288,9 +295,11 @@
 		p = ucs + 1;
 	}
 
-	free( ucs );
+	ber_memfree_x( ucs, ctx );
 	out[outpos] = '\0';
-	return ber_str2bv( out, outpos, 0, newbv );
+	newbv->bv_val = out;
+	newbv->bv_len = outpos;
+	return newbv;
 }
 
 /* compare UTF8-strings, optionally ignore casing */
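Review bot: The function's header comment should now state the ownership rule this change introduces. `newbv->bv_val`, and `newbv` itself when the caller passed NULL, now come from `ber_memalloc_x( ..., ctx )` instead of `malloc`, so a caller that still releases the result with plain `free()` or with a different context would mix allocators. A line such as `/* result is allocated from ctx; release with ber_memfree_x( ..., ctx ) */` above the function would make that explicit. The header is outside this hunk.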

Modified: openldap/trunk/libraries/liblunicode/ure/ure.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ure/ure.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ure/ure.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/ure.c,v 1.17.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/ure.c,v 1.17.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ure/ure.h
===================================================================
--- openldap/trunk/libraries/liblunicode/ure/ure.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ure/ure.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/ure.h,v 1.13.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/ure.h,v 1.13.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/ure/urestubs.c
===================================================================
--- openldap/trunk/libraries/liblunicode/ure/urestubs.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/ure/urestubs.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/urestubs.c,v 1.14.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/ure/urestubs.c,v 1.14.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/utbm/utbm.c
===================================================================
--- openldap/trunk/libraries/liblunicode/utbm/utbm.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/utbm/utbm.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbm.c,v 1.7.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbm.c,v 1.7.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/utbm/utbm.h
===================================================================
--- openldap/trunk/libraries/liblunicode/utbm/utbm.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/utbm/utbm.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbm.h,v 1.8.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbm.h,v 1.8.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblunicode/utbm/utbmstub.c
===================================================================
--- openldap/trunk/libraries/liblunicode/utbm/utbmstub.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblunicode/utbm/utbmstub.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbmstub.c,v 1.6.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblunicode/utbm/utbmstub.c,v 1.6.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/Makefile.in
===================================================================
--- openldap/trunk/libraries/liblutil/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile for -llutil
-# $OpenLDAP: pkg/ldap/libraries/liblutil/Makefile.in,v 1.38.2.2 2007/08/31 23:13:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/liblutil/Makefile.in,v 1.38.2.3 2008/02/11 23:26:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ## 
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/avl.c
===================================================================
--- openldap/trunk/libraries/liblutil/avl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/avl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* avl.c - routines to implement an avl tree */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/avl.c,v 1.9.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/avl.c,v 1.9.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/base64.c
===================================================================
--- openldap/trunk/libraries/liblutil/base64.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/base64.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* base64.c -- routines to encode/decode base64 data */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/base64.c,v 1.15.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/base64.c,v 1.15.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1995 IBM Corporation.
  * All rights reserved.

Modified: openldap/trunk/libraries/liblutil/csn.c
===================================================================
--- openldap/trunk/libraries/liblutil/csn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/csn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* csn.c - Change Sequence Number routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/csn.c,v 1.14.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/csn.c,v 1.14.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/detach.c
===================================================================
--- openldap/trunk/libraries/liblutil/detach.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/detach.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* detach.c -- routines to daemonize a process */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/detach.c,v 1.18.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/detach.c,v 1.18.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/entropy.c
===================================================================
--- openldap/trunk/libraries/liblutil/entropy.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/entropy.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* entropy.c -- routines for providing pseudo-random data */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/entropy.c,v 1.29.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/entropy.c,v 1.29.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/fetch.c
===================================================================
--- openldap/trunk/libraries/liblutil/fetch.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/fetch.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* fetch.c - routines for fetching data at URLs */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/fetch.c,v 1.10.2.4 2007/12/02 01:54:33 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/fetch.c,v 1.10.2.5 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/getopt.c
===================================================================
--- openldap/trunk/libraries/liblutil/getopt.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/getopt.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* getopt.c -- replacement getopt(3) routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/getopt.c,v 1.16.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/getopt.c,v 1.16.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/getpass.c
===================================================================
--- openldap/trunk/libraries/liblutil/getpass.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/getpass.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* getpass.c -- get password from user */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/getpass.c,v 1.17.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/getpass.c,v 1.17.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/getpeereid.c
===================================================================
--- openldap/trunk/libraries/liblutil/getpeereid.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/getpeereid.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* getpeereid.c */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/getpeereid.c,v 1.24.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/getpeereid.c,v 1.24.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/hash.c
===================================================================
--- openldap/trunk/libraries/liblutil/hash.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/hash.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/hash.c,v 1.8.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/hash.c,v 1.8.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/ldif.c
===================================================================
--- openldap/trunk/libraries/liblutil/ldif.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/ldif.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldif.c - routines for dealing with LDIF files */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/ldif.c,v 1.15.2.5 2007/09/03 21:53:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/ldif.c,v 1.15.2.6 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/lockf.c
===================================================================
--- openldap/trunk/libraries/liblutil/lockf.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/lockf.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/lockf.c,v 1.15.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/lockf.c,v 1.15.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/md5.c
===================================================================
--- openldap/trunk/libraries/liblutil/md5.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/md5.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* md5.c -- MD5 message-digest algorithm */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/md5.c,v 1.19.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/md5.c,v 1.19.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/memcmp.c
===================================================================
--- openldap/trunk/libraries/liblutil/memcmp.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/memcmp.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/memcmp.c,v 1.9.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/memcmp.c,v 1.9.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/ntservice.c
===================================================================
--- openldap/trunk/libraries/liblutil/ntservice.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/ntservice.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/ntservice.c,v 1.31.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/ntservice.c,v 1.31.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/passfile.c
===================================================================
--- openldap/trunk/libraries/liblutil/passfile.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/passfile.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/passfile.c,v 1.8.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/passfile.c,v 1.8.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/passwd.c
===================================================================
--- openldap/trunk/libraries/liblutil/passwd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/passwd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/passwd.c,v 1.104.2.3 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/passwd.c,v 1.104.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/ptest.c
===================================================================
--- openldap/trunk/libraries/liblutil/ptest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/ptest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/ptest.c,v 1.12.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/ptest.c,v 1.12.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/sasl.c
===================================================================
--- openldap/trunk/libraries/liblutil/sasl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/sasl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/sasl.c,v 1.22.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/sasl.c,v 1.22.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/setproctitle.c
===================================================================
--- openldap/trunk/libraries/liblutil/setproctitle.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/setproctitle.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/setproctitle.c,v 1.15.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/setproctitle.c,v 1.15.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/sha1.c
===================================================================
--- openldap/trunk/libraries/liblutil/sha1.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/sha1.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/sha1.c,v 1.26.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/sha1.c,v 1.26.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/signal.c
===================================================================
--- openldap/trunk/libraries/liblutil/signal.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/signal.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/signal.c,v 1.10.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/signal.c,v 1.10.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/sockpair.c
===================================================================
--- openldap/trunk/libraries/liblutil/sockpair.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/sockpair.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/sockpair.c,v 1.17.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/sockpair.c,v 1.17.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/tavl.c
===================================================================
--- openldap/trunk/libraries/liblutil/tavl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/tavl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* avl.c - routines to implement an avl tree */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/tavl.c,v 1.12.2.3 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/tavl.c,v 1.12.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright (c) 2005 by Howard Chu, Symas Corp.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/liblutil/testavl.c
===================================================================
--- openldap/trunk/libraries/liblutil/testavl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/testavl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* testavl.c - Test Tim Howes AVL code */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/testavl.c,v 1.4.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/testavl.c,v 1.4.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/testtavl.c
===================================================================
--- openldap/trunk/libraries/liblutil/testtavl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/testtavl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* testavl.c - Test Tim Howes AVL code */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/testtavl.c,v 1.2.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/testtavl.c,v 1.2.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/liblutil/utils.c
===================================================================
--- openldap/trunk/libraries/liblutil/utils.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/utils.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/utils.c,v 1.33.2.15 2007/12/10 18:00:18 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/utils.c,v 1.33.2.17 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -17,6 +17,7 @@
 
 #include <stdio.h>
 #include <ac/stdlib.h>
+#include <ac/stdarg.h>
 #include <ac/string.h>
 #include <ac/ctype.h>
 #include <ac/unistd.h>
@@ -885,3 +886,53 @@
 	return 0;
 }
 
+/*
+ * formatted print to string
+ *
+ * - if return code < 0, the error code returned by vsnprintf(3) is returned
+ *
+ * - if return code > 0, the buffer was not long enough;
+ *	- if next is not NULL, *next will be set to buf + bufsize - 1
+ *	- if len is not NULL, *len will contain the required buffer length
+ *
+ * - if return code == 0, the buffer was long enough;
+ *	- if next is not NULL, *next will point to the end of the string printed so far
+ *	- if len is not NULL, *len will contain the length of the string printed so far 
+ */
+int
+lutil_snprintf( char *buf, ber_len_t bufsize, char **next, ber_len_t *len, LDAP_CONST char *fmt, ... )
+{
+	va_list		ap;
+	int		ret;
+
+	assert( buf != NULL );
+	assert( bufsize > 0 );
+	assert( fmt != NULL );
+
+	va_start( ap, fmt );
+	ret = vsnprintf( buf, bufsize, fmt, ap );
+	va_end( ap );
+
+	if ( ret < 0 ) {
+		return ret;
+	}
+
+	if ( len ) {
+		*len = ret;
+	}
+
+	if ( ret >= bufsize ) {
+		if ( next ) {
+			*next = &buf[ bufsize - 1 ];
+		}
+
+		return 1;
+	}
+
+	if ( next ) {
+		*next = &buf[ ret ];
+	}
+
+	return 0;
+}
+
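Review bot: The header comment of `lutil_snprintf` says that on truncation `*len` holds "the required buffer length", but the code stores vsnprintf's return value, which does not count the terminating NUL, so a caller that resizes to `*len` bytes and retries is truncated again by one byte. I would reword that line to `*len will contain the length of the full string, not counting the terminating NUL (a buffer of *len + 1 bytes is required)`. The argument checks are `assert()` only, so in a build with NDEBUG a `bufsize` of 0 would reach `*next = &buf[ bufsize - 1 ];` and hand back a pointer outside the buffer; an explicit `if ( bufsize == 0 ) return -1;` would keep that case on the error path. The comparison `ret >= bufsize` also mixes `int` with `ber_len_t`, and `(ber_len_t) ret >= bufsize` would make the conversion explicit. The comment could also say that a vsnprintf which reports truncation as a negative value (as some pre-C99 implementations do) takes the `ret < 0` path, leaving `*next` and `*len` unset.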

Modified: openldap/trunk/libraries/liblutil/uuid.c
===================================================================
--- openldap/trunk/libraries/liblutil/uuid.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/liblutil/uuid.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* uuid.c -- Universally Unique Identifier routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/uuid.c,v 1.28.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/uuid.c,v 1.28.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/libraries/librewrite/Makefile.in
===================================================================
--- openldap/trunk/libraries/librewrite/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # LIBREWRITE
-# $OpenLDAP: pkg/ldap/libraries/librewrite/Makefile.in,v 1.14.2.2 2007/08/31 23:13:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/libraries/librewrite/Makefile.in,v 1.14.2.3 2008/02/11 23:26:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/config.c
===================================================================
--- openldap/trunk/libraries/librewrite/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/config.c,v 1.14.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/config.c,v 1.14.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/context.c
===================================================================
--- openldap/trunk/libraries/librewrite/context.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/context.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/context.c,v 1.15.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/context.c,v 1.15.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/info.c
===================================================================
--- openldap/trunk/libraries/librewrite/info.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/info.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/info.c,v 1.15.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/info.c,v 1.15.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/ldapmap.c
===================================================================
--- openldap/trunk/libraries/librewrite/ldapmap.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/ldapmap.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/ldapmap.c,v 1.12.2.3 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/ldapmap.c,v 1.12.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/map.c
===================================================================
--- openldap/trunk/libraries/librewrite/map.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/map.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/map.c,v 1.21.2.3 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/map.c,v 1.21.2.4 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/params.c
===================================================================
--- openldap/trunk/libraries/librewrite/params.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/params.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/params.c,v 1.9.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/params.c,v 1.9.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/parse.c
===================================================================
--- openldap/trunk/libraries/librewrite/parse.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/parse.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/parse.c,v 1.9.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/parse.c,v 1.9.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/rewrite-int.h
===================================================================
--- openldap/trunk/libraries/librewrite/rewrite-int.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/rewrite-int.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite-int.h,v 1.20.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite-int.h,v 1.20.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/rewrite-map.h
===================================================================
--- openldap/trunk/libraries/librewrite/rewrite-map.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/rewrite-map.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite-map.h,v 1.7.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite-map.h,v 1.7.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/rewrite.c
===================================================================
--- openldap/trunk/libraries/librewrite/rewrite.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/rewrite.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite.c,v 1.16.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/rewrite.c,v 1.16.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/rule.c
===================================================================
--- openldap/trunk/libraries/librewrite/rule.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/rule.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/rule.c,v 1.23.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/rule.c,v 1.23.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/session.c
===================================================================
--- openldap/trunk/libraries/librewrite/session.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/session.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/session.c,v 1.19.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/session.c,v 1.19.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/subst.c
===================================================================
--- openldap/trunk/libraries/librewrite/subst.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/subst.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/subst.c,v 1.22.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/subst.c,v 1.22.2.3 2008/02/11 23:26:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/var.c
===================================================================
--- openldap/trunk/libraries/librewrite/var.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/var.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/var.c,v 1.13.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/var.c,v 1.13.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/libraries/librewrite/xmap.c
===================================================================
--- openldap/trunk/libraries/librewrite/xmap.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/libraries/librewrite/xmap.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/libraries/librewrite/xmap.c,v 1.12.2.2 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/librewrite/xmap.c,v 1.12.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/Makefile.in
===================================================================
--- openldap/trunk/servers/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # servers Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/servers/Makefile.in,v 1.12.2.2 2007/08/31 23:13:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/Makefile.in,v 1.12.2.3 2008/02/11 23:26:43 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/DB_CONFIG
===================================================================
--- openldap/trunk/servers/slapd/DB_CONFIG	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/DB_CONFIG	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.3 2007/08/31 23:13:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/12/18 11:53:27 ghenry Exp $
 # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
 #
-# See Sleepycat Berkeley DB documentation
-#   <http://www.sleepycat.com/docs/ref/env/db_config.html>
+# See the Oracle Berkeley DB documentation
+#   <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
 # for detail description of DB_CONFIG syntax and semantics.
 #
 # Hints can also be found in the OpenLDAP Software FAQ

Modified: openldap/trunk/servers/slapd/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## Makefile.in for slapd
-# $OpenLDAP: pkg/ldap/servers/slapd/Makefile.in,v 1.186.2.5 2007/11/20 18:54:55 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/Makefile.in,v 1.186.2.6 2008/02/11 23:26:43 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/abandon.c
===================================================================
--- openldap/trunk/servers/slapd/abandon.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/abandon.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* abandon.c - decode and handle an ldap abandon operation */
-/* $OpenLDAP: pkg/ldap/servers/slapd/abandon.c,v 1.52.2.3 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/abandon.c,v 1.52.2.4 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/aci.c
===================================================================
--- openldap/trunk/servers/slapd/aci.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/aci.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* aci.c - routines to parse and check acl's */
-/* $OpenLDAP: pkg/ldap/servers/slapd/aci.c,v 1.14.2.5 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/aci.c,v 1.14.2.6 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/acl.c
===================================================================
--- openldap/trunk/servers/slapd/acl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/acl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* acl.c - routines to parse and check acl's */
-/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.11 2007/11/27 18:25:33 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.15 2008/05/01 21:40:09 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1280,7 +1280,7 @@
 					/* extract IP and try exact match */
 					} else if ( b->a_peername_style == ACL_STYLE_IP ) {
 						char		*port;
-						char		buf[] = "255.255.255.255";
+						char		buf[STRLENOF("255.255.255.255") + 1];
 						struct berval	ip;
 						unsigned long	addr;
 						int		port_number = -1;
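Review bot: `buf` is no longer initialised and is sized for exactly the longest dotted quad plus the terminator, so the copy that fills it (outside this hunk) must reject `ip.bv_len >= sizeof(buf)` and write the NUL itself. Nothing at the declaration records that invariant, and this value comes from the peer name used for ACL matching. I would add a comment at the declaration such as `/* longest textual IPv4 address + NUL; ip.bv_len must be checked against sizeof(buf) before the copy */`. The same applies to the IPv6 buffer in the hunk at -1325. The enclosing function starts and ends outside both hunks.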
@@ -1325,7 +1325,7 @@
 					/* extract IPv6 and try exact match */
 					} else if ( b->a_peername_style == ACL_STYLE_IPV6 ) {
 						char		*port;
-						char		buf[] = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+						char		buf[STRLENOF("FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF") + 1];
 						struct berval	ip;
 						struct in6_addr	addr;
 						int		port_number = -1;
@@ -2031,6 +2031,10 @@
 
 		for ( j = 0; !BER_BVISNULL( &rs->sr_attrs[ j ].an_name ); j++ ) {
 			AttributeDescription	*desc = rs->sr_attrs[ j ].an_desc;
+
+			if ( desc == NULL ) {
+				continue;
+			}
 			
 			if ( desc == slap_schema.si_ad_entryDN ) {
 				bvalsp = bvals;
@@ -2071,7 +2075,6 @@
 	int			nattrs = 0;
 	slap_callback		cb = { NULL, acl_set_cb_gather, NULL, NULL };
 	acl_set_gather_t	p = { 0 };
-	const char		*text = NULL;
 
 	/* this routine needs to return the bervals instead of
 	 * plain strings, since syntax is not known.  It should
@@ -2083,6 +2086,10 @@
 
 	rc = ldap_url_parse( name->bv_val, &ludp );
 	if ( rc != LDAP_URL_SUCCESS ) {
+		Debug( LDAP_DEBUG_TRACE,
+			"%s acl_set_gather: unable to parse URL=\"%s\"\n",
+			cp->asc_op->o_log_prefix, name->bv_val, 0 );
+
 		rc = LDAP_PROTOCOL_ERROR;
 		goto url_done;
 	}
@@ -2091,6 +2098,10 @@
 	{
 		/* host part must be empty */
 		/* extensions parts must be empty */
+		Debug( LDAP_DEBUG_TRACE,
+			"%s acl_set_gather: host/exts must be absent in URL=\"%s\"\n",
+			cp->asc_op->o_log_prefix, name->bv_val, 0 );
+
 		rc = LDAP_PROTOCOL_ERROR;
 		goto url_done;
 	}
@@ -2101,11 +2112,19 @@
 			&op2.o_req_ndn, cp->asc_op->o_tmpmemctx );
 	BER_BVZERO( &op2.o_req_dn );
 	if ( rc != LDAP_SUCCESS ) {
+		Debug( LDAP_DEBUG_TRACE,
+			"%s acl_set_gather: DN=\"%s\" normalize failed\n",
+			cp->asc_op->o_log_prefix, op2.o_req_dn.bv_val, 0 );
+
 		goto url_done;
 	}
 
 	op2.o_bd = select_backend( &op2.o_req_ndn, 1 );
 	if ( ( op2.o_bd == NULL ) || ( op2.o_bd->be_search == NULL ) ) {
+		Debug( LDAP_DEBUG_TRACE,
+			"%s acl_set_gather: no database could be selected for DN=\"%s\"\n",
+			cp->asc_op->o_log_prefix, op2.o_req_ndn.bv_val, 0 );
+
 		rc = LDAP_NO_SUCH_OBJECT;
 		goto url_done;
 	}
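Review bot: The new trace for the failed dnNormalize() prints `op2.o_req_dn.bv_val`, but `BER_BVZERO( &op2.o_req_dn )` on the line just above the `if` has already cleared that berval. The `%s` therefore receives a NULL pointer, and the DN that failed to normalize never reaches the log. The un-normalized DN is still available from the parsed URL, so the argument line should read `cp->asc_op->o_log_prefix, ludp->lud_dn, 0 );`. The second trace in this hunk uses `op2.o_req_ndn.bv_val`, which is set at that point. acl_set_gather's body continues outside the hunk.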
@@ -2116,6 +2135,10 @@
 				cp->asc_op->o_tmpmemctx );
 		op2.ors_filter = str2filter_x( cp->asc_op, op2.ors_filterstr.bv_val );
 		if ( op2.ors_filter == NULL ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"%s acl_set_gather: unable to parse filter=\"%s\"\n",
+				cp->asc_op->o_log_prefix, op2.ors_filterstr.bv_val, 0 );
+
 			rc = LDAP_PROTOCOL_ERROR;
 			goto url_done;
 		}
@@ -2131,19 +2154,25 @@
 
 	/* Grap the attributes */
 	if ( ludp->lud_attrs ) {
+		int i;
+
 		for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ )
 			;
 
-		anlistp = slap_sl_malloc( sizeof( AttributeName ) * ( nattrs + 2 ),
+		anlistp = slap_sl_calloc( sizeof( AttributeName ), nattrs + 2,
 				cp->asc_op->o_tmpmemctx );
 
-		for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) {
-			ber_str2bv( ludp->lud_attrs[ nattrs ], 0, 0, &anlistp[ nattrs ].an_name );
-			anlistp[ nattrs ].an_desc = NULL;
-			rc = slap_bv2ad( &anlistp[ nattrs ].an_name,
-					&anlistp[ nattrs ].an_desc, &text );
-			if ( rc != LDAP_SUCCESS ) {
-				goto url_done;
+		for ( i = 0, nattrs = 0; ludp->lud_attrs[ i ]; i++ ) {
+			struct berval		name;
+			AttributeDescription	*desc = NULL;
+			const char		*text = NULL;
+
+			ber_str2bv( ludp->lud_attrs[ i ], 0, 0, &name );
+			rc = slap_bv2ad( &name, &desc, &text );
+			if ( rc == LDAP_SUCCESS ) {
+				anlistp[ nattrs ].an_name = name;
+				anlistp[ nattrs ].an_desc = desc;
+				nattrs++;
 			}
 		}
 
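Review bot: An attribute name that slap_bv2ad() rejects is now dropped from the list without any trace, while every other failure path touched by this commit gained a Debug() line. `rc` also keeps the error from the last rejected name when the loop ends; whether it is reset before use is outside the hunk. Because this list decides what an ACL set gathers, a silently ignored name is worth logging, e.g. an `else` branch with `Debug( LDAP_DEBUG_TRACE, "%s acl_set_gather: attribute \"%s\" not recognized, skipped\n", cp->asc_op->o_log_prefix, ludp->lud_attrs[ i ], 0 );`. The loop-local `struct berval name` also shadows the function's `name` parameter, which the earlier hunks dereference as `name->bv_val`; renaming the local (for instance `an`) avoids that confusion.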
@@ -2171,6 +2200,7 @@
 	op2.ors_attrs = anlistp;
 	op2.ors_attrsonly = 0;
 	op2.o_private = cp->asc_op->o_private;
+	op2.o_extra = cp->asc_op->o_extra;
 
 	cb.sc_private = &p;
 

Modified: openldap/trunk/servers/slapd/aclparse.c
===================================================================
--- openldap/trunk/servers/slapd/aclparse.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/aclparse.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* aclparse.c - routines to parse and check acl's */
-/* $OpenLDAP: pkg/ldap/servers/slapd/aclparse.c,v 1.198.2.4 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/aclparse.c,v 1.198.2.6 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,7 +39,7 @@
 #include "lutil.h"
 
 static const char style_base[] = "base";
-char *style_strings[] = {
+const char *style_strings[] = {
 	"regex",
 	"expand",
 	"exact",

Modified: openldap/trunk/servers/slapd/ad.c
===================================================================
--- openldap/trunk/servers/slapd/ad.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/ad.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ad.c - routines for dealing with attribute descriptions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ad.c,v 1.95.2.3 2007/08/31 23:13:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ad.c,v 1.95.2.4 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/add.c
===================================================================
--- openldap/trunk/servers/slapd/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/add.c,v 1.244.2.4 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/add.c,v 1.244.2.6 2008/03/21 01:01:07 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48,6 +48,7 @@
 	size_t		textlen = sizeof( textbuf );
 	int		rc = 0;
 	int		freevals = 1;
+	OpExtraDB oex;
 
 	Debug( LDAP_DEBUG_TRACE, "%s do_add\n",
 		op->o_log_prefix, 0, 0 );
@@ -185,8 +186,13 @@
 
 	freevals = 0;
 
+	oex.oe.oe_key = (void *)do_add;
+	oex.oe_db = NULL;
+	LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
+
 	op->o_bd = frontendDB;
 	rc = frontendDB->be_add( op, rs );
+	LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
 
 #ifdef LDAP_X_TXN
 	if ( rc == LDAP_X_TXN_SPECIFY_OKAY ) {
@@ -195,17 +201,15 @@
 	} else
 #endif
 	if ( rc == 0 ) {
-		if ( op->ora_e != NULL && op->o_private != NULL ) {
+		if ( op->ora_e != NULL && oex.oe_db != NULL ) {
 			BackendDB	*bd = op->o_bd;
 
-			op->o_bd = (BackendDB *)op->o_private;
-			op->o_private = NULL;
+			op->o_bd = oex.oe_db;
 
 			be_entry_release_w( op, op->ora_e );
 
 			op->ora_e = NULL;
 			op->o_bd = bd;
-			op->o_private = NULL;
 		}
 	}
 
@@ -329,11 +333,17 @@
 
 			rc = op->o_bd->be_add( op, rs );
 			if ( rc == LDAP_SUCCESS ) {
+				OpExtra *oex;
 				/* NOTE: be_entry_release_w() is
 				 * called by do_add(), so that global
 				 * overlays on the way back can
 				 * at least read the entry */
-				op->o_private = op->o_bd;
+				LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
+					if ( oex->oe_key == (void *)do_add ) {
+						((OpExtraDB *)oex)->oe_db = op->o_bd;
+						break;
+					}
+				}
 			}
 
 		} else {
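Review bot: The `LDAP_SLIST_FOREACH` lookup records the backend only when an OpExtra keyed on `do_add` is on `op->o_extra`; when none is found the loop falls through silently. The NOTE comment directly above still states without condition that do_add() calls be_entry_release_w(). A caller that reaches this be_add path without do_add's marker (if any exists; callers are outside the hunk) would get no release and no indication. I would extend the comment to say so, e.g. `/* only do_add() registers this marker; other callers keep ownership of op->ora_e and must release it themselves */`. The enclosing function starts and ends outside the hunk.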

Modified: openldap/trunk/servers/slapd/alock.c
===================================================================
--- openldap/trunk/servers/slapd/alock.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/alock.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* alock.c - access lock library */
-/* $OpenLDAP: pkg/ldap/servers/slapd/alock.c,v 1.5.2.6 2007/09/26 15:46:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/alock.c,v 1.5.2.7 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Symas Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/alock.h
===================================================================
--- openldap/trunk/servers/slapd/alock.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/alock.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* alock.h - access lock header */
-/* $OpenLDAP: pkg/ldap/servers/slapd/alock.h,v 1.3.2.3 2007/09/26 15:46:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/alock.h,v 1.3.2.4 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Symas Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/at.c
===================================================================
--- openldap/trunk/servers/slapd/at.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/at.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* at.c - routines for dealing with attribute types */
-/* $OpenLDAP: pkg/ldap/servers/slapd/at.c,v 1.84.2.3 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/at.c,v 1.84.2.5 2008/04/14 22:08:32 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1031,7 +1031,7 @@
 }
 
 int
-register_at( char *def, AttributeDescription **rad, int dupok )
+register_at( const char *def, AttributeDescription **rad, int dupok )
 {
 	LDAPAttributeType *at;
 	int code, freeit = 0;

Modified: openldap/trunk/servers/slapd/attr.c
===================================================================
--- openldap/trunk/servers/slapd/attr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/attr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* attr.c - routines for dealing with attributes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/attr.c,v 1.112.2.6 2007/11/27 19:52:32 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/attr.c,v 1.112.2.7 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/ava.c
===================================================================
--- openldap/trunk/servers/slapd/ava.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/ava.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ava.c - routines for dealing with attribute value assertions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ava.c,v 1.45.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ava.c,v 1.45.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-bdb
-# $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/Makefile.in,v 1.34.2.4 2007/08/31 23:14:01 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/Makefile.in,v 1.34.2.5 2008/02/11 23:26:45 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* add.c - ldap BerkeleyDB back-end add routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/add.c,v 1.152.2.6 2007/11/11 19:33:12 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/add.c,v 1.152.2.10 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33,6 +33,7 @@
 	AttributeDescription *children = slap_schema.si_ad_children;
 	AttributeDescription *entry = slap_schema.si_ad_entry;
 	DB_TXN		*ltid = NULL, *lt2;
+	ID eid = NOID;
 	struct bdb_op_info opinfo = {0};
 	int subentry;
 	BDB_LOCKER	locker = 0, rlocker = 0;
@@ -92,7 +93,6 @@
 
 	ctrls[num_ctrls] = 0;
 
-
 	/* check entry's schema */
 	rs->sr_err = entry_schema_check( op, op->oq_add.rs_e, NULL,
 		get_relax(op), 1, &rs->sr_text, textbuf, textlen );
@@ -115,20 +115,6 @@
 
 	subentry = is_entry_subentry( op->oq_add.rs_e );
 
-	/*
-	 * acquire an ID outside of the operation transaction
-	 * to avoid serializing adds.
-	 */
-	rs->sr_err = bdb_next_id( op->o_bd, NULL, &op->oq_add.rs_e->e_id );
-	if( rs->sr_err != 0 ) {
-		Debug( LDAP_DEBUG_TRACE,
-			LDAP_XSTRING(bdb_add) ": next_id failed (%d)\n",
-			rs->sr_err, 0, 0 );
-		rs->sr_err = LDAP_OTHER;
-		rs->sr_text = "internal error";
-		goto return_results;
-	}
-
 	/* Get our thread locker ID */
 	rs->sr_err = LOCK_ID( bdb->bi_dbenv, &rlocker );
 
@@ -143,7 +129,8 @@
 		}
 		rs->sr_err = TXN_ABORT( ltid );
 		ltid = NULL;
-		op->o_private = NULL;
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+		opinfo.boi_oe.oe_key = NULL;
 		op->o_do_not_cache = opinfo.boi_acl_cache;
 		if( rs->sr_err != 0 ) {
 			rs->sr_err = LDAP_OTHER;
@@ -172,13 +159,12 @@
 
 	locker = TXN_ID ( ltid );
 
-	opinfo.boi_bdb = op->o_bd;
+	opinfo.boi_oe.oe_key = bdb;
 	opinfo.boi_txn = ltid;
-	opinfo.boi_locker = locker;
 	opinfo.boi_err = 0;
 	opinfo.boi_acl_cache = op->o_do_not_cache;
-	op->o_private = &opinfo;
-	
+	LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
+
 	/*
 	 * Get the parent dn and see if the corresponding entry exists.
 	 */
@@ -316,6 +302,19 @@
 		goto return_results;;
 	}
 
+	if ( eid == NOID ) {
+		rs->sr_err = bdb_next_id( op->o_bd, &eid );
+		if( rs->sr_err != 0 ) {
+			Debug( LDAP_DEBUG_TRACE,
+				LDAP_XSTRING(bdb_add) ": next_id failed (%d)\n",
+				rs->sr_err, 0, 0 );
+			rs->sr_err = LDAP_OTHER;
+			rs->sr_text = "internal error";
+			goto return_results;
+		}
+		op->oq_add.rs_e->e_id = eid;
+	}
+
 	/* nested transaction */
 	rs->sr_err = TXN_BEGIN( bdb->bi_dbenv, ltid, &lt2, 
 		bdb->bi_db_opflags );
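Review bot: The guard `if ( eid == NOID )` has no comment, and the only explanation of where the ID is allocated ("acquire an ID outside of the operation transaction to avoid serializing adds") is removed by the hunk at -115. Presumably the guard keeps a retried add from consuming a second ID, and the call sits before the nested transaction on purpose, but a reader has to infer both. I would add something like `/* allocate the entry ID once; a retry after deadlock re-enters above this point and reuses eid */` above the `if`. bdb_add's body starts and ends outside the hunk, so the retry label is not visible here.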
@@ -440,7 +439,8 @@
 	}
 
 	ltid = NULL;
-	op->o_private = NULL;
+	LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	opinfo.boi_oe.oe_key = NULL;
 
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_TRACE,
@@ -466,7 +466,9 @@
 	if( ltid != NULL ) {
 		TXN_ABORT( ltid );
 	}
-	op->o_private = NULL;
+	if ( opinfo.boi_oe.oe_key ) {
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	}
 
 	if( success == LDAP_SUCCESS ) {
 		/* We own the entry now, and it can be purged at will

Modified: openldap/trunk/servers/slapd/back-bdb/attr.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/attr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/attr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* attr.c - backend routines for dealing with attributes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/attr.c,v 1.36.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/attr.c,v 1.36.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/back-bdb.h
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/back-bdb.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/back-bdb.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* back-bdb.h - bdb back-end header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/back-bdb.h,v 1.141.2.10 2007/12/06 17:29:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/back-bdb.h,v 1.141.2.14 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -235,6 +235,8 @@
 	alock_info_t	bi_alock_info;
 	char		*bi_db_config_path;
 	BerVarray	bi_db_config;
+	char		*bi_db_crypt_file;
+	struct berval	bi_db_crypt_key;
 	bdb_monitor_t	bi_monitor;
 
 #ifdef BDB_MONITOR_IDX
@@ -265,9 +267,8 @@
 };
 
 struct bdb_op_info {
-	BackendDB*	boi_bdb;
+	OpExtra boi_oe;
 	DB_TXN*		boi_txn;
-	BDB_LOCKER	boi_locker;
 	u_int32_t	boi_err;
 	int		boi_acl_cache;
 	struct bdb_lock_info *boi_locks;	/* used when no txn */

Modified: openldap/trunk/servers/slapd/back-bdb/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - bdb backend bind routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/bind.c,v 1.45.2.3 2007/09/07 10:34:18 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/bind.c,v 1.45.2.4 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/cache.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/cache.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/cache.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* cache.c - routines to maintain an in-core cache of entries */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/cache.c,v 1.120.2.7 2007/12/06 05:43:27 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/cache.c,v 1.120.2.15 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -251,15 +251,28 @@
 	EntryInfo *ei;
 	int free = 0;
 
-	bdb_cache_entry_db_unlock( bdb, lock );
 	ei = e->e_private;
-	bdb_cache_entryinfo_lock( ei );
-	if ( ei->bei_state & CACHE_ENTRY_NOT_CACHED ) {
-		ei->bei_e = NULL;
-		ei->bei_state ^= CACHE_ENTRY_NOT_CACHED;
-		free = 1;
+	if ( ei &&
+		( ei->bei_state & CACHE_ENTRY_NOT_CACHED ) &&
+		( bdb_cache_entryinfo_trylock( ei ) == 0 )) {
+		if ( ei->bei_state & CACHE_ENTRY_NOT_CACHED ) {
+			/* Releasing the entry can only be done when
+			 * we know that nobody else is using it, i.e we
+			 * should have an entry_db writelock.  But the
+			 * flag is only set by the thread that loads the
+			 * entry, and only if no other threads has found
+			 * it while it was working.  All other threads
+			 * clear the flag, which mean that we should be
+			 * the only thread using the entry if the flag
+			 * is set here.
+			 */
+			ei->bei_e = NULL;
+			ei->bei_state ^= CACHE_ENTRY_NOT_CACHED;
+			free = 1;
+		}
+		bdb_cache_entryinfo_unlock( ei );
 	}
-	bdb_cache_entryinfo_unlock( ei );
+	bdb_cache_entry_db_unlock( bdb, lock );
 	if ( free ) {
 		e->e_private = NULL;
 		bdb_entry_return( e );
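Review bot: When `bdb_cache_entryinfo_trylock( ei )` fails while CACHE_ENTRY_NOT_CACHED is set, this path leaves the flag set and does not free the entry. The block comment does not cover that outcome; it only explains why the flag implies exclusive use once the lock is held. The first test of `ei->bei_state` in the `if` condition also reads the field without the entryinfo lock; the re-test inside makes that safe only as a hint. Please document both points, for example `/* unlocked peek; re-checked under the lock. If trylock fails the entry stays attached and is reclaimed by <whoever holds ei> */`, naming the actual path. If no other path reclaims it, a blocking lock is needed here instead. The function's signature and tail are outside the hunk.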
@@ -852,6 +865,11 @@
 
 	/* Ok, we found the info, do we have the entry? */
 	if ( rc == 0 ) {
+		if ( !( flag & ID_LOCKED )) {
+			bdb_cache_entryinfo_lock( *eip );
+			flag |= ID_LOCKED;
+		}
+
 		if ( (*eip)->bei_state & CACHE_ENTRY_DELETED ) {
 			rc = DB_NOTFOUND;
 		} else {
@@ -871,13 +889,13 @@
 				(*eip)->bei_state |= CACHE_ENTRY_LOADING;
 			}
 
-			/* If the entry was loaded before but uncached, and we need
-			 * it again, clear the uncached state
-			 */
-			if ( (*eip)->bei_state & CACHE_ENTRY_NOT_CACHED ) {
-				(*eip)->bei_state ^= CACHE_ENTRY_NOT_CACHED;
-				if ( flag & ID_NOCACHE )
-					flag ^= ID_NOCACHE;
+			if ( !load ) {
+				/* Clear the uncached state if we are not
+				 * loading it, i.e it is already cached or
+				 * another thread is currently loading it.
+				 */
+				(*eip)->bei_state &= ~CACHE_ENTRY_NOT_CACHED;
+				flag &= ~ID_NOCACHE;
 			}
 
 			if ( flag & ID_LOCKED ) {
@@ -904,9 +922,13 @@
 #endif
 						ep = NULL;
 						bdb_cache_lru_link( bdb, *eip );
-						if ( flag & ID_NOCACHE ) {
-							bdb_cache_entryinfo_lock( *eip );
-							(*eip)->bei_state |= CACHE_ENTRY_NOT_CACHED;
+						if (( flag & ID_NOCACHE ) &&
+							( bdb_cache_entryinfo_trylock( *eip ) == 0 )) {
+							/* Set the cached state only if no other thread
+							 * found the info while we were loading the entry.
+							 */
+							if ( (*eip)->bei_finders == 1 )
+								(*eip)->bei_state |= CACHE_ENTRY_NOT_CACHED;
 							bdb_cache_entryinfo_unlock( *eip );
 						}
 					}
@@ -942,12 +964,12 @@
 					}
 #endif
 				}
-				bdb_cache_entryinfo_lock( *eip );
-				(*eip)->bei_finders--;
-				if ( load )
-					(*eip)->bei_state ^= CACHE_ENTRY_LOADING;
-				bdb_cache_entryinfo_unlock( *eip );
 			}
+			bdb_cache_entryinfo_lock( *eip );
+			(*eip)->bei_finders--;
+			if ( load )
+				(*eip)->bei_state ^= CACHE_ENTRY_LOADING;
+			bdb_cache_entryinfo_unlock( *eip );
 		}
 	}
 	if ( flag & ID_LOCKED ) {
@@ -1235,18 +1257,19 @@
 
 	assert( e->e_private != NULL );
 
+	/* Lock the entry's info */
+	bdb_cache_entryinfo_lock( ei );
+
 	/* Set this early, warn off any queriers */
 	ei->bei_state |= CACHE_ENTRY_DELETED;
 
-	/* Lock the entry's info */
-	bdb_cache_entryinfo_lock( ei );
+	bdb_cache_entryinfo_unlock( ei );
 
 	/* Get write lock on the data */
 	rc = bdb_cache_entry_db_relock( bdb, locker, ei, 1, 0, lock );
 	if ( rc ) {
 		/* couldn't lock, undo and give up */
 		ei->bei_state ^= CACHE_ENTRY_DELETED;
-		bdb_cache_entryinfo_unlock( ei );
 		return rc;
 	}
 
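Review bot: The undo in the `if ( rc )` branch, `ei->bei_state ^= CACHE_ENTRY_DELETED;`, now runs without the entryinfo lock, because this hunk moves the unlock ahead of bdb_cache_entry_db_relock() and drops the unlock from the error path. That is an unsynchronised read-modify-write on a field the rest of this commit takes care to update under the lock. The XOR would also set the flag again if anything cleared it in between. I would take the lock for the undo and clear the bit explicitly: `bdb_cache_entryinfo_lock( ei ); ei->bei_state &= ~CACHE_ENTRY_DELETED; bdb_cache_entryinfo_unlock( ei );`. The function begins outside the hunk.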
@@ -1261,8 +1284,6 @@
 	/* free lru mutex */
 	ldap_pvt_thread_mutex_unlock( &bdb->bi_cache.c_lru_mutex );
 
-	/* Leave entry info locked */
-
 	return( rc );
 }
 
@@ -1271,6 +1292,8 @@
 	Cache *cache,
 	EntryInfo *ei )
 {
+	/* Enter with ei locked */
+
 	if ( ei->bei_e ) {
 		ei->bei_e->e_private = NULL;
 #ifdef SLAP_ZONE_ALLOC
@@ -1449,7 +1472,7 @@
 	void *ctx = ldap_pvt_thread_pool_context();
 
 	if ( !ldap_pvt_thread_pool_getkey( ctx, env, &data, NULL ) ) {
-		ldap_pvt_thread_pool_setkey( ctx, env, NULL, NULL );
+		ldap_pvt_thread_pool_setkey( ctx, env, NULL, 0, NULL, NULL );
 		bdb_locker_id_free( env, data );
 	}
 }
@@ -1494,7 +1517,7 @@
 		data = (void *)((long)lockid);
 #endif
 		if ( ( rc = ldap_pvt_thread_pool_setkey( ctx, env,
-			data, bdb_locker_id_free ) ) ) {
+			data, bdb_locker_id_free, NULL, NULL ) ) ) {
 			XLOCK_ID_FREE( env, lockid );
 			Debug( LDAP_DEBUG_ANY, "bdb_locker_id: err %s(%d)\n",
 				db_strerror(rc), rc, 0 );

Modified: openldap/trunk/servers/slapd/back-bdb/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* compare.c - bdb backend compare routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/compare.c,v 1.51.2.4 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/compare.c,v 1.51.2.5 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - bdb backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/config.c,v 1.91.2.7 2007/10/18 01:03:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/config.c,v 1.91.2.11 2008/04/14 21:28:42 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42,6 +42,8 @@
 enum {
 	BDB_CHKPT = 1,
 	BDB_CONFIG,
+	BDB_CRYPTFILE,
+	BDB_CRYPTKEY,
 	BDB_DIRECTORY,
 	BDB_NOSYNC,
 	BDB_DIRTYR,
@@ -70,6 +72,14 @@
 		bdb_cf_gen, "( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' "
 			"DESC 'Database checkpoint interval in kbytes and minutes' "
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )",NULL, NULL },
+	{ "cryptfile", "file", 2, 2, 0, ARG_STRING|ARG_MAGIC|BDB_CRYPTFILE,
+		bdb_cf_gen, "( OLcfgDbAt:1.13 NAME 'olcDbCryptFile' "
+			"DESC 'Pathname of file containing the DB encryption key' "
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )",NULL, NULL },
+	{ "cryptkey", "key", 2, 2, 0, ARG_BERVAL|ARG_MAGIC|BDB_CRYPTKEY,
+		bdb_cf_gen, "( OLcfgDbAt:1.14 NAME 'olcDbCryptKey' "
+			"DESC 'DB encryption key' "
+			"SYNTAX OMsOctetString SINGLE-VALUE )",NULL, NULL },
 	{ "dbconfig", "DB_CONFIG setting", 1, 0, 0, ARG_MAGIC|BDB_CONFIG,
 		bdb_cf_gen, "( OLcfgDbAt:1.3 NAME 'olcDbConfig' "
 			"DESC 'BerkeleyDB DB_CONFIG configuration directives' "
@@ -143,6 +153,7 @@
 		"SUP olcDatabaseConfig "
 		"MUST olcDbDirectory "
 		"MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ "
+		"olcDbCryptFile $ olcDbCryptKey $ "
 		"olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ "
 		"olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ "
 		"olcDbMode $ olcDbSearchStack $ olcDbShmKey $ "
@@ -326,9 +337,9 @@
 	
 	if ( bdb->bi_flags & BDB_RE_OPEN ) {
 		bdb->bi_flags ^= BDB_RE_OPEN;
-		rc = c->be->bd_info->bi_db_close( c->be, NULL );
+		rc = c->be->bd_info->bi_db_close( c->be, &c->reply );
 		if ( rc == 0 )
-			rc = c->be->bd_info->bi_db_open( c->be, NULL );
+			rc = c->be->bd_info->bi_db_open( c->be, &c->reply );
 		/* If this fails, we need to restart */
 		if ( rc ) {
 			slapd_shutdown = 2;
@@ -364,6 +375,25 @@
 			}
 			break;
 
+		case BDB_CRYPTFILE:
+			if ( bdb->bi_db_crypt_file ) {
+				c->value_string = ch_strdup( bdb->bi_db_crypt_file );
+			} else {
+				rc = 1;
+			}
+			break;
+
+		/* If a crypt file has been set, its contents are copied here.
+		 * But we don't want the key to be incorporated here.
+		 */
+		case BDB_CRYPTKEY:
+			if ( !bdb->bi_db_crypt_file && !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+				value_add_one( &c->rvalue_vals, &bdb->bi_db_crypt_key );
+			} else {
+				rc = 1;
+			}
+			break;
+
 		case BDB_DIRECTORY:
 			if ( bdb->bi_dbenv_home ) {
 				c->value_string = ch_strdup( bdb->bi_dbenv_home );
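Review bot: The `BDB_CRYPTKEY` emit case hands the raw database encryption key back as the value of `olcDbCryptKey`, so anyone who can read this database's config entry (or a dump of it) can read the key. The comment above the case does not make that clear. I would reword it to something like `/* Emit the key only when it was given inline; a key loaded via olcDbCryptFile must never be written back into the config. */`. The `DESC` string of `olcDbCryptKey` in the table hunk could also say that `olcDbCryptFile` is the preferred form. The enclosing switch starts and ends outside this hunk.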
@@ -453,9 +483,11 @@
 			if ( bdb->bi_txn_cp_task ) {
 				struct re_s *re = bdb->bi_txn_cp_task;
 				bdb->bi_txn_cp_task = NULL;
+				ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 				if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ) )
 					ldap_pvt_runqueue_stoptask( &slapd_rq, re );
 				ldap_pvt_runqueue_remove( &slapd_rq, re );
+				ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 			}
 			bdb->bi_txn_cp = 0;
 			break;
@@ -472,6 +504,21 @@
 			bdb->bi_flags |= BDB_UPD_CONFIG;
 			c->cleanup = bdb_cf_cleanup;
 			break;
+		/* Doesn't really make sense to change these on the fly;
+		 * the entire DB must be dumped and reloaded
+		 */
+		case BDB_CRYPTFILE:
+			if ( bdb->bi_db_crypt_file ) {
+				ch_free( bdb->bi_db_crypt_file );
+				bdb->bi_db_crypt_file = NULL;
+			}
+			/* FALLTHRU */
+		case BDB_CRYPTKEY:
+			if ( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+				ch_free( bdb->bi_db_crypt_key.bv_val );
+				BER_BVZERO( &bdb->bi_db_crypt_key );
+			}
+			break;
 		case BDB_DIRECTORY:
 			bdb->bi_flags |= BDB_RE_OPEN;
 			bdb->bi_flags ^= BDB_HAS_CONFIG;
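Review bot: The new `BDB_CRYPTKEY` delete case releases the key buffer with `ch_free()` without wiping it first, so the encryption key stays readable in freed heap memory. The `BDB_CRYPTFILE` case falls through into it and has the same problem. I would clear it before the free, e.g. `memset( bdb->bi_db_crypt_key.bv_val, 0, bdb->bi_db_crypt_key.bv_len );`. If the tree has a wipe helper the compiler cannot elide, use that instead, since a plain memset directly before a free may be optimised away. The enclosing switch continues outside this hunk.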
@@ -575,9 +622,11 @@
 						c->log );
 					return 1;
 				}
+				ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 				bdb->bi_txn_cp_task = ldap_pvt_runqueue_insert( &slapd_rq,
 					bdb->bi_txn_cp_min * 60, bdb_checkpoint, bdb,
 					LDAP_XSTRING(bdb_checkpoint), c->be->be_suffix[0].bv_val );
+				ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 			}
 		}
 		} break;
@@ -616,6 +665,22 @@
 		}
 		break;
 
+	case BDB_CRYPTFILE:
+		rc = lutil_get_filed_password( c->value_string, &bdb->bi_db_crypt_key );
+		if ( rc == 0 ) {
+			bdb->bi_db_crypt_file = c->value_string;
+		}
+		break;
+
+	/* Cannot set key if file was already set */
+	case BDB_CRYPTKEY:
+		if ( bdb->bi_db_crypt_file ) {
+			rc = 1;
+		} else {
+			bdb->bi_db_crypt_key = c->value_bv;
+		}
+		break;
+
 	case BDB_DIRECTORY: {
 		FILE *f;
 		char *ptr, *testpath;
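Review bot: The `BDB_CRYPTKEY` set case accepts any octet string, but the init.c hunk of this commit passes `bi_db_crypt_key.bv_val` to `set_encrypt()` with no length. A key containing a NUL byte would therefore presumably be cut short there, and an empty key is not rejected here either. I would validate at this point, e.g. `if ( bdb->bi_db_crypt_file || c->value_bv.bv_len == 0 || memchr( c->value_bv.bv_val, '\0', c->value_bv.bv_len )) rc = 1;`, and fill in the config error message so the admin sees why the value was refused. Both cases also overwrite `bi_db_crypt_key` without freeing a previously stored key, which matters if `cryptkey` is followed by `cryptfile`.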
@@ -686,9 +751,11 @@
 					c->log );
 				return 1;
 			}
+			ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 			bdb->bi_index_task = ldap_pvt_runqueue_insert( &slapd_rq, 36000,
 				bdb_online_index, c->be,
 				LDAP_XSTRING(bdb_online_index), c->be->be_suffix[0].bv_val );
+			ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 		}
 		break;
 

Modified: openldap/trunk/servers/slapd/back-bdb/dbcache.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/dbcache.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/dbcache.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dbcache.c - manage cache of open databases */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dbcache.c,v 1.43.2.4 2007/11/26 04:08:37 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dbcache.c,v 1.43.2.6 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -104,9 +104,23 @@
 			"bdb_db_cache: db_create(%s) failed: %s (%d)\n",
 			bdb->bi_dbenv_home, db_strerror(rc), rc );
 		ldap_pvt_thread_mutex_unlock( &bdb->bi_database_mutex );
+		ch_free( db );
 		return rc;
 	}
 
+	if( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+		rc = db->bdi_db->set_flags( db->bdi_db, DB_ENCRYPT );
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"bdb_db_cache: db set_flags(DB_ENCRYPT)(%s) failed: %s (%d)\n",
+				bdb->bi_dbenv_home, db_strerror(rc), rc );
+			ldap_pvt_thread_mutex_unlock( &bdb->bi_database_mutex );
+			db->bdi_db->close( db->bdi_db, 0 );
+			ch_free( db );
+			return rc;
+		}
+	}
+
 	rc = db->bdi_db->set_pagesize( db->bdi_db, BDB_PAGESIZE );
 #ifdef BDB_INDEX_USE_HASH
 	rc = db->bdi_db->set_h_hash( db->bdi_db, bdb_db_hash );

Modified: openldap/trunk/servers/slapd/back-bdb/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* delete.c - bdb backend delete routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/delete.c,v 1.155.2.5 2007/12/06 05:43:27 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/delete.c,v 1.155.2.8 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -124,7 +124,8 @@
 			0, 0, 0 );
 		rs->sr_err = TXN_ABORT( ltid );
 		ltid = NULL;
-		op->o_private = NULL;
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+		opinfo.boi_oe.oe_key = NULL;
 		op->o_do_not_cache = opinfo.boi_acl_cache;
 		if( rs->sr_err != 0 ) {
 			rs->sr_err = LDAP_OTHER;
@@ -155,12 +156,11 @@
 
 	locker = TXN_ID ( ltid );
 
-	opinfo.boi_bdb = op->o_bd;
+	opinfo.boi_oe.oe_key = bdb;
 	opinfo.boi_txn = ltid;
-	opinfo.boi_locker = locker;
 	opinfo.boi_err = 0;
 	opinfo.boi_acl_cache = op->o_do_not_cache;
-	op->o_private = &opinfo;
+	LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
 
 	if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) ) {
 		dnParent( &op->o_req_ndn, &pdn );
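Review bot: `opinfo` appears to be a local of this function, so `LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next )` links a stack object into a list that outlives the call unless every exit path unlinks it. The cleanup hunk near the end of the function guards the removal with `if ( opinfo.boi_oe.oe_key )`, which is only safe if `opinfo` is zero-initialised before the first `goto return_results`; its declaration is outside the hunk, so please confirm. A comment at the insert such as `/* opinfo is on our stack: must be unlinked from o_extra before returning */` would help. The same pattern is introduced in the modify.c and modrdn.c hunks of this commit.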
@@ -537,7 +537,8 @@
 		rs->sr_err = TXN_COMMIT( ltid, 0 );
 	}
 	ltid = NULL;
-	op->o_private = NULL;
+	LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	opinfo.boi_oe.oe_key = NULL;
 
 	BDB_LOG_PRINTF( bdb->bi_dbenv, NULL, "slapd Committed delete %s(%d)",
 		e->e_nname.bv_val, e->e_id );
@@ -573,6 +574,7 @@
 	if( e != NULL ) {
 		if ( rs->sr_err == LDAP_SUCCESS ) {
 			/* Free the EntryInfo and the Entry */
+			bdb_cache_entryinfo_lock( BEI(e) );
 			bdb_cache_delete_cleanup( &bdb->bi_cache, BEI(e) );
 		} else {
 			bdb_unlocked_cache_return_entry_w(&bdb->bi_cache, e);
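Review bot: The added `bdb_cache_entryinfo_lock( BEI(e) )` has no matching unlock anywhere in this hunk, so a reader cannot tell who releases the lock. If `bdb_cache_delete_cleanup()` expects the entryinfo locked on entry and releases it itself, say so in the existing comment, e.g. `/* Free the EntryInfo and the Entry; delete_cleanup expects the entryinfo locked and releases it */`. If it does not release the lock, this path leaks it.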
@@ -582,7 +584,9 @@
 	if( ltid != NULL ) {
 		TXN_ABORT( ltid );
 	}
-	op->o_private = NULL;
+	if ( opinfo.boi_oe.oe_key ) {
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	}
 
 	send_ldap_result( op, rs );
 	slap_graduate_commit_csn( op );

Modified: openldap/trunk/servers/slapd/back-bdb/dn2entry.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/dn2entry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/dn2entry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dn2entry.c - routines to deal with the dn2id / id2entry glue */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2entry.c,v 1.28.2.6 2007/12/06 05:43:27 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2entry.c,v 1.28.2.7 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/dn2id.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/dn2id.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/dn2id.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dn2id.c - routines to deal with the dn2id index */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2id.c,v 1.137.2.6 2007/12/13 07:05:24 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/dn2id.c,v 1.137.2.9 2008/04/14 19:37:25 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -302,7 +302,7 @@
 	data.flags = DB_DBT_USERMEM;
 
 	rc = db->cursor( db, NULL, &cursor, bdb->bi_db_opflags );
-	if ( rc ) goto leave;
+	if ( rc ) goto func_leave;
 
 	rc = bdb_dn2id_lock( bdb, dn, 0, locker, lock );
 	if ( rc ) goto nolock;
@@ -316,7 +316,7 @@
 
 nolock:
 	cursor->c_close( cursor );
-leave:
+func_leave:
 
 	if( rc != 0 ) {
 		Debug( LDAP_DEBUG_TRACE, "<= bdb_dn2id: get failed: %s (%d)\n",
@@ -465,7 +465,7 @@
 )
 {
 	diskNode *un, *cn;
-	int rc, ul, cl;
+	int rc;
 
 	un = (diskNode *)usrkey->data;
 	cn = (diskNode *)curkey->data;
@@ -624,7 +624,7 @@
 		}
 	}
 
-leave:
+func_leave:
 	op->o_tmpfree( d, op->o_tmpmemctx );
 	Debug( LDAP_DEBUG_TRACE, "<= hdb_dn2id_add 0x%lx: %d\n", e->e_id, rc, 0 );
 
@@ -674,7 +674,7 @@
 	data.data = d;
 
 	rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags );
-	if ( rc ) goto leave;
+	if ( rc ) goto func_leave;
 
 	/* We hold this lock until the TXN completes */
 	rc = bdb_dn2id_lock( bdb, &e->e_nname, 1, TXN_ID( txn ), &lock );
@@ -703,7 +703,7 @@
 
 nolock:
 	cursor->c_close( cursor );
-leave:
+func_leave:
 	op->o_tmpfree( d, op->o_tmpmemctx );
 
 	/* Delete IDL cache entries */
@@ -779,7 +779,7 @@
 	data.data = d;
 
 	rc = bdb_dn2id_lock( bdb, in, 0, locker, lock );
-	if ( rc ) goto leave;
+	if ( rc ) goto func_leave;
 
 	rc = cursor->c_get( cursor, &key, &data, DB_GET_BOTH_RANGE );
 	if ( rc == 0 && (dlen[1] != d->nrdnlen[1] || dlen[0] != d->nrdnlen[0] ||
@@ -803,7 +803,7 @@
 		}
 	}
 
-leave:
+func_leave:
 	cursor->c_close( cursor );
 	op->o_tmpfree( d, op->o_tmpmemctx );
 	if( rc != 0 ) {

Modified: openldap/trunk/servers/slapd/back-bdb/error.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/error.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/error.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* error.c - BDB errcall routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/error.c,v 1.18.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/error.c,v 1.18.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/extended.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/extended.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/extended.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* extended.c - bdb backend extended routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/extended.c,v 1.18.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/extended.c,v 1.18.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/filterindex.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/filterindex.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/filterindex.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* filterindex.c - generate the list of candidate entries from a filter */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/filterindex.c,v 1.64.2.4 2007/12/06 05:43:27 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/filterindex.c,v 1.64.2.5 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/id2entry.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/id2entry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/id2entry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* id2entry.c - routines to deal with the id2entry database */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/id2entry.c,v 1.72.2.3 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/id2entry.c,v 1.72.2.6 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -242,7 +242,8 @@
 	int rw )
 {
 	struct bdb_info *bdb = (struct bdb_info *) op->o_bd->be_private;
-	struct bdb_op_info *boi = NULL;
+	struct bdb_op_info *boi;
+	OpExtra *oex;
  
 	/* slapMode : SLAP_SERVER_MODE, SLAP_TOOL_MODE,
 			SLAP_TRUNCATE_MODE, SLAP_UNDEFINED_MODE */
@@ -257,7 +258,10 @@
 #endif
 		}
 		/* free entry and reader or writer lock */
-		boi = (struct bdb_op_info *)op->o_private;
+		LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
+			if ( oex->oe_key == bdb ) break;
+		}
+		boi = (struct bdb_op_info *)oex;
 
 		/* lock is freed with txn */
 		if ( !boi || boi->boi_txn ) {
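Review bot: The cast `boi = (struct bdb_op_info *)oex;` is only valid if `boi_oe` is the first member of `struct bdb_op_info`, and the `!boi` test on the next line depends on `LDAP_SLIST_FOREACH` leaving `oex` NULL when nothing matches. Neither assumption is visible or documented here. The same lookup loop is repeated in the `bdb_entry_get` hunk below, so a small static helper that returns the matching `bdb_op_info` or NULL would keep both in one place. At minimum add `/* boi_oe must stay the first member of bdb_op_info */` next to the cast.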
@@ -274,8 +278,8 @@
 				}
 			}
 			if ( !boi->boi_locks ) {
+				LDAP_SLIST_REMOVE( &op->o_extra, &boi->boi_oe, OpExtra, oe_next );
 				op->o_tmpfree( boi, op->o_tmpmemctx );
-				op->o_private = NULL;
 			}
 		}
 	} else {
@@ -328,15 +332,19 @@
 		"=> bdb_entry_get: oc: \"%s\", at: \"%s\"\n",
 		oc ? oc->soc_cname.bv_val : "(null)", at_name, 0);
 
-	if( op ) boi = (struct bdb_op_info *) op->o_private;
-	if( boi != NULL && op->o_bd->be_private == boi->boi_bdb->be_private ) {
-		txn = boi->boi_txn;
-		locker = boi->boi_locker;
+	if( op ) {
+		OpExtra *oex;
+		LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
+			if ( oex->oe_key == bdb ) break;
+		}
+		boi = (struct bdb_op_info *)oex;
+		if ( boi )
+			txn = boi->boi_txn;
 	}
 
 	if ( txn != NULL ) {
 		locker = TXN_ID ( txn );
-	} else if ( !locker ) {
+	} else {
 		rc = LOCK_ID ( bdb->bi_dbenv, &locker );
 		free_lock_id = 1;
 		switch(rc) {
@@ -408,8 +416,8 @@
 			if ( op ) {
 				if ( !boi ) {
 					boi = op->o_tmpcalloc(1,sizeof(struct bdb_op_info),op->o_tmpmemctx);
-					boi->boi_bdb = op->o_bd;
-					op->o_private = boi;
+					boi->boi_oe.oe_key = bdb;
+					LDAP_SLIST_INSERT_HEAD( &op->o_extra, &boi->boi_oe, oe_next );
 				}
 				if ( !boi->boi_txn ) {
 					struct bdb_lock_info *bli;

Modified: openldap/trunk/servers/slapd/back-bdb/idl.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/idl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/idl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* idl.c - ldap id list handling routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.c,v 1.124.2.5 2007/09/26 20:41:38 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.c,v 1.124.2.7 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -715,10 +715,6 @@
 
 	assert( id != NOID );
 
-	if ( bdb->bi_idl_cache_size ) {
-		bdb_idl_cache_del( bdb, db, key );
-	}
-
 	DBTzero( &data );
 	data.size = sizeof( ID );
 	data.ulen = data.size;
@@ -891,6 +887,12 @@
 		cursor->c_close( cursor );
 		return rc;
 	}
+	/* If key was added (didn't already exist) and using IDL cache,
+	 * update key in IDL cache.
+	 */
+	if ( !rc && bdb->bi_idl_cache_max_size ) {
+		bdb_idl_cache_add_id( bdb, db, key, id );
+	}
 	rc = cursor->c_close( cursor );
 	if( rc != 0 ) {
 		Debug( LDAP_DEBUG_ANY, "=> bdb_idl_insert_key: "
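Review bot: `bdb_idl_cache_add_id()` runs before the result of `cursor->c_close()` is known, so on a close failure the function reports an error while the IDL cache already holds the new id. Consider updating the cache only after a successful close, or calling `bdb_idl_cache_del( bdb, db, key );` on the failure branch. After this commit the insert path is gated on `bi_idl_cache_max_size` and the delete path on `bi_idl_cache_size`. A one-line comment on each saying why the gates differ would stop someone from "fixing" them back to match.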
@@ -923,7 +925,7 @@
 	}
 	assert( id != NOID );
 
-	if ( bdb->bi_idl_cache_max_size ) {
+	if ( bdb->bi_idl_cache_size ) {
 		bdb_idl_cache_del( bdb, db, key );
 	}
 

Modified: openldap/trunk/servers/slapd/back-bdb/idl.h
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/idl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/idl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* idl.h - ldap bdb back-end ID list header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.h,v 1.19.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.h,v 1.19.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/index.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/index.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/index.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* index.c - routines for dealing with attribute indexes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/index.c,v 1.61.2.4 2007/12/01 18:10:47 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/index.c,v 1.61.2.7 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -477,7 +477,7 @@
 {
 	int rc;
 	Attribute *ap = e->e_attrs;
-#ifdef LDAP_COMP_MATCH
+#if 0 /* ifdef LDAP_COMP_MATCH */
 	ComponentReference *cr_list = NULL;
 	ComponentReference *cr = NULL, *dupped_cr = NULL;
 	void* decoded_comp;
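Review bot: The switch from `#ifdef LDAP_COMP_MATCH` to `#if 0` compiles out the component-matching declarations with no explanation, and the next hunk does the same inside the attribute loop. Please add a comment giving the reason and the condition for re-enabling, e.g. `#if 0 /* ifdef LDAP_COMP_MATCH -- disabled: <reason / ITS number> */`. Any later `#ifdef LDAP_COMP_MATCH` sections of this function that use `cr_list` are outside the hunk and would need the same guard to stay consistent.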
@@ -499,7 +499,7 @@
 
 	/* add each attribute to the indexes */
 	for ( ; ap != NULL; ap = ap->a_next ) {
-#ifdef LDAP_COMP_MATCH
+#if 0 /* ifdef LDAP_COMP_MATCH */
 		AttrInfo *ai;
 		/* see if attribute has components to be indexed */
 		ai = bdb_attr_mask( op->o_bd->be_private, ap->a_desc->ad_type->sat_ad );

Modified: openldap/trunk/servers/slapd/back-bdb/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize bdb backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/init.c,v 1.247.2.8 2007/12/06 15:13:57 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/init.c,v 1.247.2.11 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -279,6 +279,18 @@
 
 	bdb->bi_dbenv->set_lk_detect( bdb->bi_dbenv, bdb->bi_lock_detect );
 
+	if ( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+		rc = bdb->bi_dbenv->set_encrypt( bdb->bi_dbenv, bdb->bi_db_crypt_key.bv_val,
+			DB_ENCRYPT_AES );
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				LDAP_XSTRING(bdb_db_open) ": database \"%s\": "
+				"dbenv set_encrypt failed: %s (%d).\n",
+				be->be_suffix[0].bv_val, db_strerror(rc), rc );
+			goto fail;
+		}
+	}
+
 	/* One long-lived TXN per thread, two TXNs per write op */
 	bdb->bi_dbenv->set_tx_max( bdb->bi_dbenv, connection_pool_max * 3 );
 
@@ -390,6 +402,20 @@
 			goto fail;
 		}
 
+		if( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+			rc = db->bdi_db->set_flags( db->bdi_db, DB_ENCRYPT );
+			if ( rc ) {
+				snprintf(cr->msg, sizeof(cr->msg),
+					"database \"%s\": db set_flags(DB_ENCRYPT)(%s) failed: %s (%d).",
+					be->be_suffix[0].bv_val, 
+					bdb->bi_dbenv_home, db_strerror(rc), rc );
+				Debug( LDAP_DEBUG_ANY,
+					LDAP_XSTRING(bdb_db_open) ": %s\n",
+					cr->msg, 0, 0 );
+				goto fail;
+			}
+		}
+
 		if( i == BDB_ID2ENTRY ) {
 			if ( slapMode & SLAP_TOOL_MODE )
 				db->bdi_db->mpf->set_priority( db->bdi_db->mpf,
@@ -574,7 +600,7 @@
 	/* close db environment */
 	if( bdb->bi_dbenv ) {
 		/* Free cache locker if we enabled locking */
-		if ( !( slapMode & SLAP_TOOL_QUICK )) {
+		if ( !( slapMode & SLAP_TOOL_QUICK ) && bdb->bi_cache.c_locker ) {
 #if DB_VERSION_FULL >= 0x04060012
 			XLOCK_ID_FREE(bdb->bi_dbenv, bdb->bi_cache.c_locker->id);
 #else

Modified: openldap/trunk/servers/slapd/back-bdb/key.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/key.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/key.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* index.c - routines for dealing with attribute indexes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/key.c,v 1.20.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/key.c,v 1.20.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modify.c - bdb backend modify routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/modify.c,v 1.156.2.6 2007/12/10 17:54:46 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/modify.c,v 1.156.2.11 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -283,7 +283,7 @@
 				/* attribute was completely deleted */
 				vals = ap->a_nvals;
 			}
-			if ( !BER_BVISEMPTY( vals )) {
+			if ( !BER_BVISNULL( vals )) {
 				rc = bdb_index_values( op, tid, ap->a_desc,
 					vals, e->e_id, SLAP_INDEX_DELETE_OP );
 				if ( rc != LDAP_SUCCESS ) {
@@ -410,7 +410,8 @@
 
 		rs->sr_err = TXN_ABORT( ltid );
 		ltid = NULL;
-		op->o_private = NULL;
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+		opinfo.boi_oe.oe_key = NULL;
 		op->o_do_not_cache = opinfo.boi_acl_cache;
 		if( rs->sr_err != 0 ) {
 			rs->sr_err = LDAP_OTHER;
@@ -439,12 +440,11 @@
 
 	locker = TXN_ID ( ltid );
 
-	opinfo.boi_bdb = op->o_bd;
+	opinfo.boi_oe.oe_key = bdb;
 	opinfo.boi_txn = ltid;
-	opinfo.boi_locker = locker;
 	opinfo.boi_err = 0;
 	opinfo.boi_acl_cache = op->o_do_not_cache;
-	op->o_private = &opinfo;
+	LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
 
 	/* get entry or ancestor */
 	rs->sr_err = bdb_dn2entry( op, ltid, &op->o_req_ndn, &ei, 1,
@@ -667,7 +667,8 @@
 		rs->sr_err = TXN_COMMIT( ltid, 0 );
 	}
 	ltid = NULL;
-	op->o_private = NULL;
+	LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	opinfo.boi_oe.oe_key = NULL;
 
 	if( rs->sr_err != 0 ) {
 		Debug( LDAP_DEBUG_TRACE,
@@ -706,7 +707,9 @@
 	if( ltid != NULL ) {
 		TXN_ABORT( ltid );
 	}
-	op->o_private = NULL;
+	if ( opinfo.boi_oe.oe_key ) {
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	}
 
 	if( e != NULL ) {
 		bdb_unlocked_cache_return_entry_w (&bdb->bi_cache, e);
@@ -720,5 +723,8 @@
 		slap_sl_free( (*postread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx );
 		slap_sl_free( *postread_ctrl, op->o_tmpmemctx );
 	}
+
+	rs->sr_text = NULL;
+
 	return rs->sr_err;
 }

Modified: openldap/trunk/servers/slapd/back-bdb/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modrdn.c - bdb backend modrdn routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/modrdn.c,v 1.185.2.6 2007/12/06 05:43:27 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/modrdn.c,v 1.185.2.11 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -134,7 +134,8 @@
 
 		rs->sr_err = TXN_ABORT( ltid );
 		ltid = NULL;
-		op->o_private = NULL;
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+		opinfo.boi_oe.oe_key = NULL;
 		op->o_do_not_cache = opinfo.boi_acl_cache;
 		if( rs->sr_err != 0 ) {
 			rs->sr_err = LDAP_OTHER;
@@ -165,12 +166,11 @@
 
 	locker = TXN_ID ( ltid );
 
-	opinfo.boi_bdb = op->o_bd;
+	opinfo.boi_oe.oe_key = bdb;
 	opinfo.boi_txn = ltid;
-	opinfo.boi_locker = locker;
 	opinfo.boi_err = 0;
 	opinfo.boi_acl_cache = op->o_do_not_cache;
-	op->o_private = &opinfo;
+	LDAP_SLIST_INSERT_HEAD( &op->o_extra, &opinfo.boi_oe, oe_next );
 
 	/* get entry */
 	rs->sr_err = bdb_dn2entry( op, ltid, &op->o_req_ndn, &ei, 1,
@@ -560,6 +560,9 @@
 	case DB_NOTFOUND:
 		break;
 	case 0:
+		/* Allow rename to same DN */
+		if ( nei == ei )
+			break;
 		rs->sr_err = LDAP_ALREADY_EXISTS;
 		goto return_results;
 	default:
@@ -737,6 +740,8 @@
 		} else {
 			rs->sr_err = LDAP_X_NO_OPERATION;
 			ltid = NULL;
+			/* Only free attrs if they were dup'd.  */
+			if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs = NULL;
 			goto return_results;
 		}
 
@@ -760,7 +765,8 @@
 	}
  
 	ltid = NULL;
-	op->o_private = NULL;
+	LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	opinfo.boi_oe.oe_key = NULL;
  
 	if( rs->sr_err != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_TRACE,
@@ -819,7 +825,9 @@
 	if( ltid != NULL ) {
 		TXN_ABORT( ltid );
 	}
-	op->o_private = NULL;
+	if ( opinfo.boi_oe.oe_key ) {
+		LDAP_SLIST_REMOVE( &op->o_extra, &opinfo.boi_oe, OpExtra, oe_next );
+	}
 
 	if( preread_ctrl != NULL && (*preread_ctrl) != NULL ) {
 		slap_sl_free( (*preread_ctrl)->ldctl_value.bv_val, op->o_tmpmemctx );

Modified: openldap/trunk/servers/slapd/back-bdb/monitor.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/monitor.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/monitor.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* monitor.c - monitor bdb backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.7 2007/11/15 00:59:10 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.8 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/nextid.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/nextid.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/nextid.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize bdb backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/nextid.c,v 1.26.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/nextid.c,v 1.26.2.4 2008/02/12 00:34:58 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -21,7 +21,7 @@
 
 #include "back-bdb.h"
 
-int bdb_next_id( BackendDB *be, DB_TXN *tid, ID *out )
+int bdb_next_id( BackendDB *be, ID *out )
 {
 	struct bdb_info *bdb = (struct bdb_info *) be->be_private;
 

Modified: openldap/trunk/servers/slapd/back-bdb/operational.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/operational.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/operational.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* operational.c - bdb backend operational attributes function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/operational.c,v 1.29.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/operational.c,v 1.29.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-bdb/proto-bdb.h
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/proto-bdb.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/proto-bdb.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/proto-bdb.h,v 1.137.2.7 2007/12/06 15:13:57 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/proto-bdb.h,v 1.137.2.9 2008/02/12 00:34:58 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -419,7 +419,7 @@
 #define bdb_next_id					BDB_SYMBOL(next_id)
 #define bdb_last_id					BDB_SYMBOL(last_id)
 
-int bdb_next_id( BackendDB *be, DB_TXN *tid, ID *id );
+int bdb_next_id( BackendDB *be, ID *id );
 int bdb_last_id( BackendDB *be, DB_TXN *tid );
 
 /*

Modified: openldap/trunk/servers/slapd/back-bdb/referral.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/referral.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/referral.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* referral.c - BDB backend referral handler */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/referral.c,v 1.42.2.3 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/referral.c,v 1.42.2.6 2008/04/16 16:41:17 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -65,8 +65,8 @@
 	case 0:
 		break;
 	case LDAP_BUSY:
-		send_ldap_error( op, rs, LDAP_BUSY, "ldap server busy" );
 		LOCK_ID_FREE ( bdb->bi_dbenv, locker );
+		rs->sr_text = "ldap server busy";
 		return LDAP_BUSY;
 	case DB_LOCK_DEADLOCK:
 	case DB_LOCK_NOTGRANTED:
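Review bot: The `LDAP_BUSY` branch now only sets `rs->sr_text` and returns the code, so `rs->sr_err` keeps whatever value it held before the call. The same applies to the later hunks at -76, -117 and -148, where `send_ldap_error`/`send_ldap_result` and the `rs->sr_err = rc` assignment are removed. This is fine only if every caller treats the return value as the result code and sends the reply itself; that contract is not visible here, and the function starts and ends outside the hunk. I would document it at the function header, e.g. `/* errors are returned with rs->sr_text set and are NOT sent here; the caller must send the result */`, so a future caller does not silently drop an error reply.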
@@ -76,13 +76,13 @@
 			LDAP_XSTRING(bdb_referrals)
 			": dn2entry failed: %s (%d)\n",
 			db_strerror(rc), rc, 0 ); 
-		send_ldap_error( op, rs, LDAP_OTHER, "internal error" );
 		LOCK_ID_FREE ( bdb->bi_dbenv, locker );
-		return rs->sr_err;
+		rs->sr_text = "internal error";
+		return LDAP_OTHER;
 	}
 
 	if ( rc == DB_NOTFOUND ) {
-		rc = 0;
+		rc = LDAP_SUCCESS;
 		rs->sr_matched = NULL;
 		if ( e != NULL ) {
 			Debug( LDAP_DEBUG_TRACE,
@@ -93,7 +93,7 @@
 			if( is_entry_referral( e ) ) {
 				BerVarray ref = get_entry_referrals( op, e );
 				rc = LDAP_OTHER;
-				rs->sr_ref = referral_rewrite( ref, NULL,
+				rs->sr_ref = referral_rewrite( ref, &e->e_name,
 					&op->o_req_dn, LDAP_SCOPE_DEFAULT );
 				ber_bvarray_free( ref );
 				if ( rs->sr_ref ) {
@@ -104,10 +104,6 @@
 
 			bdb_cache_return_entry_r (bdb, e, &lock);
 			e = NULL;
-		} else if ( !be_issuffix( op->o_bd, &op->o_req_ndn ) && default_referral != NULL ) {
-			rc = LDAP_OTHER;
-			rs->sr_ref = referral_rewrite( default_referral,
-				NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
 		}
 
 		if( rs->sr_ref != NULL ) {
@@ -117,9 +113,7 @@
 			ber_bvarray_free( rs->sr_ref );
 			rs->sr_ref = NULL;
 		} else if ( rc != LDAP_SUCCESS ) {
-			rs->sr_err = rc;
 			rs->sr_text = rs->sr_matched ? "bad referral object" : NULL;
-			send_ldap_result( op, rs );
 		}
 
 		LOCK_ID_FREE ( bdb->bi_dbenv, locker );
@@ -148,8 +142,8 @@
 			ber_bvarray_free( rs->sr_ref );
 			rs->sr_ref = NULL;
 		} else {
-			send_ldap_error( op, rs, LDAP_OTHER, "bad referral object" );
-			rc = rs->sr_err;
+			rc = LDAP_OTHER;
+			rs->sr_text = "bad referral object";
 		}
 
 		rs->sr_matched = NULL;

Modified: openldap/trunk/servers/slapd/back-bdb/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - search operation */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/search.c,v 1.246.2.9 2007/11/20 18:46:34 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/search.c,v 1.246.2.14 2008/05/01 21:39:35 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -322,11 +322,16 @@
 	DB_LOCK		lock;
 	struct	bdb_op_info	*opinfo = NULL;
 	DB_TXN			*ltid = NULL;
+	OpExtra *oex;
 
 	Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(bdb_search) "\n", 0, 0, 0);
 	attrs = op->oq_search.rs_attrs;
 
-	opinfo = (struct bdb_op_info *) op->o_private;
+	LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
+		if ( oex->oe_key == bdb )
+			break;
+	}
+	opinfo = (struct bdb_op_info *) oex;
 
 	manageDSAit = get_manageDSAit( op );
 
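Review bot: The cast `opinfo = (struct bdb_op_info *) oex;` after the `LDAP_SLIST_FOREACH` loop is only valid if the `OpExtra` is the first member of `struct bdb_op_info`, and that layout is not visible in this hunk. If the struct is ever reordered, this becomes a silent type confusion rather than a compile error. When no entry with `oe_key == bdb` is found, the loop presumably leaves `oex` NULL, so `opinfo` is NULL too and every later use has to keep testing it. I would put both facts next to the cast, e.g. `/* OpExtra must stay the first member of bdb_op_info; opinfo is NULL if this backend attached none */`. The function body starts and ends outside the hunk.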
@@ -998,7 +1003,7 @@
 	void *ret = NULL;
 
 	if ( op->o_threadctx ) {
-		ldap_pvt_thread_pool_getkey( op->o_threadctx, search_stack,
+		ldap_pvt_thread_pool_getkey( op->o_threadctx, (void *)search_stack,
 			&ret, NULL );
 	} else {
 		ret = bdb->bi_search_stack;
@@ -1008,8 +1013,8 @@
 		ret = ch_malloc( bdb->bi_search_stack_depth * BDB_IDL_UM_SIZE
 			* sizeof( ID ) );
 		if ( op->o_threadctx ) {
-			ldap_pvt_thread_pool_setkey( op->o_threadctx, search_stack,
-				ret, search_stack_free );
+			ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)search_stack,
+				ret, search_stack_free, NULL, NULL );
 		} else {
 			bdb->bi_search_stack = ret;
 		}
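Review bot: The return value of `ldap_pvt_thread_pool_setkey()` is still ignored after the call was updated to the new six-argument form. If the call can fail (for instance when the per-thread key table is full), the buffer from `ch_malloc` is handed back to the caller but never registered with `search_stack_free`, so it would presumably leak on every search run by that thread. At minimum the result should be tested and a failure logged, e.g. `if ( ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)search_stack, ret, search_stack_free, NULL, NULL ) != 0 ) { /* log: search stack not cached */ }`. The function starts and ends outside the hunk, so the right recovery path cannot be judged from here.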
@@ -1160,10 +1165,6 @@
 			goto done;
 		}
 
-	} else {
-		/* Initial request.  Initialize state. */
-		ps->ps_cookie = 0;
-		ps->ps_count = 0;
 	}
 
 done:;

Modified: openldap/trunk/servers/slapd/back-bdb/tools.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/tools.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/tools.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* tools.c - tools for slap tools */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/tools.c,v 1.105.2.8 2007/12/13 07:05:24 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/tools.c,v 1.105.2.10 2008/02/12 00:34:58 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -364,7 +364,7 @@
 				ei = &eidummy;
 			}
 		}
-		rc = bdb_next_id( op->o_bd, tid, &e->e_id );
+		rc = bdb_next_id( op->o_bd, &e->e_id );
 		if ( rc ) {
 			snprintf( text->bv_val, text->bv_len,
 				"next_id failed: %s (%d)",

Modified: openldap/trunk/servers/slapd/back-bdb/trans.c
===================================================================
--- openldap/trunk/servers/slapd/back-bdb/trans.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-bdb/trans.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* trans.c - bdb backend transaction routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/trans.c,v 1.8.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/trans.c,v 1.8.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-dnssrv/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-dnssrv
-# $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/Makefile.in,v 1.14.2.2 2007/08/31 23:14:01 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/Makefile.in,v 1.14.2.3 2008/02/11 23:26:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## Portions Copyright 1998-2003 Kurt D. Zeilenga.
 ## All rights reserved.
 ##

Modified: openldap/trunk/servers/slapd/back-dnssrv/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - DNS SRV backend bind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/bind.c,v 1.22.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/bind.c,v 1.22.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-dnssrv/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* compare.c - DNS SRV backend compare function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/compare.c,v 1.18.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/compare.c,v 1.18.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-dnssrv/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - DNS SRV backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/config.c,v 1.16.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/config.c,v 1.16.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-dnssrv/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize ldap backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/init.c,v 1.29.2.3 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/init.c,v 1.29.2.4 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/proto-dnssrv.h,v 1.5.2.2 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/proto-dnssrv.h,v 1.5.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-dnssrv/referral.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/referral.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/referral.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* referral.c - DNS SRV backend referral handler */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/referral.c,v 1.26.2.3 2007/08/31 23:14:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/referral.c,v 1.26.2.4 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-dnssrv/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-dnssrv/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-dnssrv/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - DNS SRV backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/search.c,v 1.44.2.3 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-dnssrv/search.c,v 1.44.2.4 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-hdb/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-hdb/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-hdb/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile for back-hdb
-# $OpenLDAP: pkg/ldap/servers/slapd/back-hdb/Makefile.in,v 1.14.2.5 2007/10/23 21:25:37 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-hdb/Makefile.in,v 1.14.2.6 2008/02/11 23:26:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-hdb/back-bdb.h
===================================================================
--- openldap/trunk/servers/slapd/back-hdb/back-bdb.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-hdb/back-bdb.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* back-bdb.h - hdb back-end header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-hdb/back-bdb.h,v 1.5.2.2 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-hdb/back-bdb.h,v 1.5.2.3 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Howard Chu @ Symas Corp.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-ldap/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-ldap
-# $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/Makefile.in,v 1.30.2.3 2007/08/31 23:14:02 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/Makefile.in,v 1.30.2.4 2008/02/11 23:26:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-ldap/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* add.c - ldap backend add function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/add.c,v 1.61.2.4 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/add.c,v 1.61.2.5 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/back-ldap.h
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/back-ldap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/back-ldap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* back-ldap.h - ldap backend header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/back-ldap.h,v 1.88.2.6 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/back-ldap.h,v 1.88.2.8 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -424,6 +424,12 @@
 #define LDAP_BACK_PRINT_CONNTREE 0
 #endif /* !LDAP_BACK_PRINT_CONNTREE */
 
+typedef struct ldap_extra_t {
+	int (*proxy_authz_ctrl)( Operation *op, SlapReply *rs, struct berval *bound_ndn,
+		int version, slap_idassert_t *si, LDAPControl	*ctrl );
+	int (*controls_free)( Operation *op, SlapReply *rs, LDAPControl ***pctrls );
+} ldap_extra_t;
+
 LDAP_END_DECL
 
 #include "proto-ldap.h"
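Review bot: The new `ldap_extra_t` has no comment saying who consumes it or what the two callbacks require of their arguments. The `init.c` hunk in this commit publishes it through `bi->bi_extra`, so code outside back-ldap will presumably call `proxy_authz_ctrl` and `controls_free` through this table. Since `proxy_authz_ctrl` takes a `slap_idassert_t` and a bound DN, its contract deserves a line: who owns `ctrl`, and what `bound_ndn` and `si` must hold. I would add something like `/* callbacks exported via bi_extra to other backends/overlays; keep member order, init.c initialises the table positionally */` above the typedef.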

Modified: openldap/trunk/servers/slapd/back-ldap/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - ldap backend bind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/bind.c,v 1.162.2.14 2007/10/17 00:45:15 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/bind.c,v 1.162.2.17 2008/04/14 20:02:21 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -1228,6 +1228,8 @@
 {
 	ber_tag_t *tptr = op->o_callback->sc_private;
 	op->o_tag = *tptr;
+	rs->sr_tag = slap_req2res( op->o_tag );
+
 	return SLAP_CB_CONTINUE;
 }
 
@@ -1390,15 +1392,26 @@
 
 		lutil_sasl_freedefs( defaults );
 
-		rs->sr_err = slap_map_api2result( rs );
-		if ( rs->sr_err != LDAP_SUCCESS ) {
+		switch ( rs->sr_err ) {
+		case LDAP_SUCCESS:
+			LDAP_BACK_CONN_ISBOUND_SET( lc );
+			break;
+
+		case LDAP_LOCAL_ERROR:
+			/* list client API error codes that require
+			 * to taint the connection */
+			/* FIXME: should actually retry? */
+			LDAP_BACK_CONN_TAINTED_SET( lc );
+
+			/* fallthru */
+
+		default:
 			LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+			rs->sr_err = slap_map_api2result( rs );
 			if ( sendok & LDAP_BACK_SENDERR ) {
 				send_ldap_result( op, rs );
 			}
-
-		} else {
-			LDAP_BACK_CONN_ISBOUND_SET( lc );
+			break;
 		}
 
 		if ( LDAP_BACK_QUARANTINE( li ) ) {
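Review bot: The `switch ( rs->sr_err )` block is repeated verbatim in the hunk at -2134, so the rules for marking a connection bound, unbound or tainted now live in two places and must be kept in sync by hand. A small static helper taking `lc`, `op`, `rs` and `sendok` would avoid that. The comment `list client API error codes that require to taint the connection` reads like an instruction rather than a description, and only `LDAP_LOCAL_ERROR` is listed, so every other client-side error falls to `default` and clears the bound flag without tainting the connection. If that is intended, I would say so explicitly, e.g. `/* client API errors after which the connection must not be reused; only LDAP_LOCAL_ERROR for now */`. Both enclosing functions start and end outside the hunks.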
@@ -1467,7 +1480,7 @@
 		}
 
 		rc = 0;
-		goto leave;
+		goto func_leave;
 	}
 
 	rc = ldap_back_op_result( lc, op, rs, msgid,
@@ -1486,7 +1499,7 @@
 		ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc );
 	}
 
-leave:;
+func_leave:;
 	if ( op->o_callback == &cb )
 		op->o_callback = cb.sc_next;
 	op->o_tag = o_tag;
@@ -2134,15 +2147,26 @@
 				LDAP_SASL_QUIET, lutil_sasl_interact,
 				defaults );
 
-		rs->sr_err = slap_map_api2result( rs );
-		if ( rs->sr_err != LDAP_SUCCESS ) {
+		switch ( rs->sr_err ) {
+		case LDAP_SUCCESS:
+			LDAP_BACK_CONN_ISBOUND_SET( lc );
+			break;
+
+		case LDAP_LOCAL_ERROR:
+			/* list client API error codes that require
+			 * to taint the connection */
+			/* FIXME: should actually retry? */
+			LDAP_BACK_CONN_TAINTED_SET( lc );
+
+			/* fallthru */
+
+		default:
 			LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+			rs->sr_err = slap_map_api2result( rs );
 			if ( sendok & LDAP_BACK_SENDERR ) {
 				send_ldap_result( op, rs );
 			}
-
-		} else {
-			LDAP_BACK_CONN_ISBOUND_SET( lc );
+			break;
 		}
 
 		lutil_sasl_freedefs( defaults );

Modified: openldap/trunk/servers/slapd/back-ldap/chain.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/chain.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/chain.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* chain.c - chain LDAP operations */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/chain.c,v 1.52.2.6 2007/09/14 21:59:28 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/chain.c,v 1.52.2.7 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Howard Chu.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-ldap/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* compare.c - ldap backend compare function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/compare.c,v 1.60.2.4 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/compare.c,v 1.60.2.5 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - ldap backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/config.c,v 1.115.2.7 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/config.c,v 1.115.2.8 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* delete.c - ldap backend delete function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/delete.c,v 1.46.2.4 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/delete.c,v 1.46.2.5 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/distproc.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/distproc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/distproc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* distproc.c - implement distributed procedures */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/distproc.c,v 1.3.2.5 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/distproc.c,v 1.3.2.7 2008/02/12 00:58:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Howard Chu.
  * All rights reserved.
  *
@@ -298,7 +298,7 @@
 	 * database.  This fix is likely to intercept also entries
 	 * generated by back-perl and so. */
 	if ( rs->sr_entry->e_private == NULL ) {
-		return 0;
+		return LDAP_SUCCESS;
 	}
 
 	return SLAP_CB_CONTINUE;

Modified: openldap/trunk/servers/slapd/back-ldap/extended.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/extended.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/extended.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* extended.c - ldap backend extended routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/extended.c,v 1.36.2.7 2007/09/29 08:30:58 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/extended.c,v 1.36.2.8 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-ldap/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize ldap backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/init.c,v 1.99.2.5 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/init.c,v 1.99.2.7 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.
@@ -32,6 +32,11 @@
 #include "config.h"
 #include "back-ldap.h"
 
+static const ldap_extra_t ldap_extra = {
+	ldap_back_proxy_authz_ctrl,
+	ldap_back_controls_free
+};
+
 int
 ldap_back_open( BackendInfo	*bi )
 {
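Review bot: `ldap_extra` is initialised positionally, so it depends on the member order of `ldap_extra_t` in `back-ldap.h`; inserting or reordering a member there would at best produce a pointer-type diagnostic and at worst wire a slot to the wrong function. If the project's C dialect allows it, designated initialisers (`.proxy_authz_ctrl = ldap_back_proxy_authz_ctrl,` / `.controls_free = ldap_back_controls_free`) remove that coupling; otherwise a comment naming each slot would do. The next hunk stores the table with `bi->bi_extra = (void *)&ldap_extra;`, which drops the `const`. Consumers should cast back to `const ldap_extra_t *` so the function-pointer table is never written through; a short comment at the assignment saying so would help.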
@@ -83,6 +88,8 @@
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = ldap_back_conn_destroy;
 
+	bi->bi_extra = (void *)&ldap_extra;
+
 	rc = chain_initialize();
 	if ( rc ) {
 		return rc;

Modified: openldap/trunk/servers/slapd/back-ldap/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modify.c - ldap backend modify function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/modify.c,v 1.69.2.4 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/modify.c,v 1.69.2.5 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modrdn.c - ldap backend modrdn function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/modrdn.c,v 1.47.2.5 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/modrdn.c,v 1.47.2.7 2008/04/14 18:57:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.
@@ -44,6 +44,7 @@
 	ldap_back_send_t	retrying = LDAP_BACK_RETRYING;
 	int			rc = LDAP_SUCCESS;
 	char			*newSup = NULL;
+	struct berval		newrdn = BER_BVNULL;
 
 	if ( !ldap_back_dobind( &lc, op, rs, LDAP_BACK_SENDERR ) ) {
 		return rs->sr_err;
@@ -72,6 +73,13 @@
 		newSup = op->orr_newSup->bv_val;
 	}
 
+	/* NOTE: we need to copy the newRDN in case it was formed
+	 * from a DN by simply changing the length (ITS#5397) */
+	newrdn = op->orr_newrdn;
+	if ( newrdn.bv_val[ newrdn.bv_len ] != '\0' ) {
+		ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx );
+	}
+
 retry:
 	ctrls = op->o_ctrls;
 	rc = ldap_back_controls_add( op, rs, lc, &ctrls );
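Review bot: The result of `ber_dupbv_x()` is not checked. If the copy fails, `newrdn.bv_val` presumably ends up NULL, is passed to `ldap_rename()` in the next hunk, and then reaches `op->o_tmpfree` in the cleanup hunk because it differs from `op->orr_newrdn.bv_val`. I would test it with `if ( ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx ) == NULL )`, set an error in `rs->sr_err` and skip the rename. Separately, the test `newrdn.bv_val[ newrdn.bv_len ] != '\0'` reads the byte just past the value, which assumes `bv_val` is non-NULL and the buffer holds at least `bv_len + 1` bytes; the ITS#5397 comment covers the DN-derived case, but a word on why that byte is always readable would help. The function starts and ends outside the hunk.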
@@ -82,7 +90,7 @@
 	}
 
 	rs->sr_err = ldap_rename( lc->lc_ld, op->o_req_dn.bv_val,
-			op->orr_newrdn.bv_val, newSup,
+			newrdn.bv_val, newSup,
 			op->orr_deleteoldrdn, ctrls, NULL, &msgid );
 	rc = ldap_back_op_result( lc, op, rs, msgid,
 		li->li_timeout[ SLAP_OP_MODRDN ],
@@ -99,6 +107,10 @@
 cleanup:
 	(void)ldap_back_controls_free( op, rs, &ctrls );
 
+	if ( newrdn.bv_val != op->orr_newrdn.bv_val ) {
+		op->o_tmpfree( newrdn.bv_val, op->o_tmpmemctx );
+	}
+
 	if ( lc != NULL ) {
 		ldap_back_release_conn( li, lc );
 	}

Modified: openldap/trunk/servers/slapd/back-ldap/monitor.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/monitor.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/monitor.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* monitor.c - monitor ldap backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/monitor.c,v 1.2.2.3 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/monitor.c,v 1.2.2.4 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/proto-ldap.h
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/proto-ldap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/proto-ldap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/proto-ldap.h,v 1.15.2.5 2007/08/31 23:14:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/proto-ldap.h,v 1.15.2.6 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-ldap/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - ldap backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.8 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.9 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldap/unbind.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldap/unbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldap/unbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* unbind.c - ldap backend unbind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/unbind.c,v 1.33.2.3 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/unbind.c,v 1.33.2.4 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-ldif/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-ldif/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldif/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-ldif
-# $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/Makefile.in,v 1.2.2.2 2007/08/31 23:14:03 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/Makefile.in,v 1.2.2.3 2008/02/11 23:26:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2007 The OpenLDAP Foundation.
+## Copyright 2005-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-ldif/ldif.c
===================================================================
--- openldap/trunk/servers/slapd/back-ldif/ldif.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-ldif/ldif.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldif.c - the ldif backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/ldif.c,v 1.48.2.9 2007/11/27 20:27:31 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/ldif.c,v 1.48.2.14 2008/04/21 18:53:52 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -50,8 +50,55 @@
 #define mkdir(a,b)	mkdir(a)
 #endif
 
+
 #define LDIF	".ldif"
+#define LDIF_FILETYPE_SEP	'.'			/* LDIF[0] */
 
+/*
+ * Unsafe/translated characters in the filesystem.
+ *
+ * LDIF_UNSAFE_CHAR(c) returns true if the character c is not to be used
+ * in relative filenames, except it should accept '\\' even if unsafe and
+ * need not reject '{' and '}'.  The value should be a constant expression.
+ *
+ * If '\\' is unsafe, #define LDIF_ESCAPE_CHAR as a safe character.
+ *
+ * If '{' and '}' are unsafe, #define IX_FSL/IX_FSR as safe characters.
+ * (Not digits, '-' or '+'.  IX_FSL == IX_FSR is allowed.)
+ *
+ * Characters are escaped as LDIF_ESCAPE_CHAR followed by two hex digits,
+ * except '\\' is replaced with LDIF_ESCAPE_CHAR and {} with IX_FS[LR].
+ * Also some LDIF special chars are hex-escaped.
+ *
+ * Thus an LDIF filename is a valid normalized RDN (or suffix DN)
+ * followed by ".ldif", except with '\\' replaced with LDIF_ESCAPE_CHAR.
+ */
+
+#ifndef _WIN32
+
+/*
+ * Unix/MacOSX version.  ':' vs '/' can cause confusion on MacOSX so we
+ * escape both.  We escape them on Unix so both OS variants get the same
+ * filenames.
+ */
+#define LDIF_ESCAPE_CHAR	'\\'
+#define LDIF_UNSAFE_CHAR(c)	((c) == '/' || (c) == ':')
+
+#else /* _WIN32 */
+
+/* Windows version - Microsoft's list of unsafe characters, except '\\' */
+#define LDIF_ESCAPE_CHAR	'^'
+#define LDIF_UNSAFE_CHAR(c)	\
+	((c) == '/' || (c) == ':' || \
+	 (c) == '<' || (c) == '>' || (c) == '"' || \
+	 (c) == '|' || (c) == '?' || (c) == '*')
+
+#endif /* !_WIN32 */
+
+/*
+ * Left and Right "{num}" prefix to ordered RDNs ("olcDatabase={1}bdb").
+ * IX_DN* are for LDAP RDNs, IX_FS* for their .ldif filenames.
+ */
 #define IX_DNL	'{'
 #define	IX_DNR	'}'
 #ifndef IX_FSL
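Review bot: The Windows `LDIF_UNSAFE_CHAR` is described as Microsoft's list of unsafe characters, but it omits the control characters 1–31, which Microsoft's file-naming rules also reject. Whether a normalized DN can still carry such a byte unescaped is not visible here; if it can, the resulting name would be refused by the filesystem instead of being hex-escaped. Either add `|| (unsigned char)(c) < ' '` to the Windows macro, or extend the comment to say that normalization is relied on to keep control bytes out of the DN.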
@@ -59,6 +106,33 @@
 #define IX_FSR	IX_DNR
 #endif
 
+/*
+ * Test for unsafe chars, as well as chars handled specially by back-ldif:
+ * - If the escape char is not '\\', it must itself be escaped.  Otherwise
+ *   '\\' and the escape char would map to the same character.
+ * - Escape the '.' in ".ldif", so the directory for an RDN that actually
+ *   ends with ".ldif" can not conflict with a file of the same name.  And
+ *   since some OSes/programs choke on multiple '.'s, escape all of them.
+ * - If '{' and '}' are translated to some other characters, those
+ *   characters must in turn be escaped when they occur in an RDN.
+ */
+#ifndef LDIF_NEED_ESCAPE
+#define	LDIF_NEED_ESCAPE(c) \
+	((LDIF_UNSAFE_CHAR(c)) || \
+	 LDIF_MAYBE_UNSAFE(c, LDIF_ESCAPE_CHAR) || \
+	 LDIF_MAYBE_UNSAFE(c, LDIF_FILETYPE_SEP) || \
+	 LDIF_MAYBE_UNSAFE(c, IX_FSL) || \
+	 (IX_FSR != IX_FSL && LDIF_MAYBE_UNSAFE(c, IX_FSR)))
+#endif
+/*
+ * Helper macro for LDIF_NEED_ESCAPE(): Treat character x as unsafe if
+ * back-ldif does not already treat is specially.
+ */
+#define LDIF_MAYBE_UNSAFE(c, x) \
+	(!(LDIF_UNSAFE_CHAR(x) || (x) == '\\' || (x) == IX_DNL || (x) == IX_DNR) \
+	 && (c) == (x))
+
+
 #define ENTRY_BUFF_INCREMENT 500
 
 static ConfigTable ldifcfg[] = {
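Review bot: The comment on `LDIF_MAYBE_UNSAFE` has a typo: "does not already treat is specially" should read `back-ldif does not already treat it specially`. The helper is also defined after `LDIF_NEED_ESCAPE`, which uses it; that is valid for macros, but defining it first would read more naturally. The block comment could add one sentence noting that escaping every '.' also prevents `.` or `..` from appearing as a path component built from DN text, since that is the property a reader auditing path construction will look for.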
@@ -67,7 +141,7 @@
 		"( OLcfgDbAt:0.1 NAME 'olcDbDirectory' "
 			"DESC 'Directory for database content' "
 			"EQUALITY caseIgnoreMatch "
-			"SYNTAX OMsDirectoryString )", NULL, NULL },
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED,
 		NULL, NULL, NULL, NULL }
 };
@@ -81,86 +155,64 @@
 	{ NULL, 0, NULL }
 };
 
+
+/* Set *res = LDIF filename path for the normalized DN */
 static void
-dn2path(struct berval * orig_dn, struct berval * suffixdn, struct berval * base_path,
-	struct berval *res)
+dn2path( BackendDB *be, struct berval *dn, struct berval *res )
 {
-	char *ptr, *sep, *end;
-	int nsep = 0;
-	struct berval dn;
+	struct ldif_info *li = (struct ldif_info *) be->be_private;
+	struct berval *suffixdn = &be->be_nsuffix[0];
+	const char *start, *end, *next, *p;
+	char ch, *ptr;
+	ber_len_t len;
+	static const char hex[] = "0123456789ABCDEF";
 
-	assert( orig_dn != NULL );
-	assert( !BER_BVISNULL( orig_dn ) );
+	assert( dn != NULL );
+	assert( !BER_BVISNULL( dn ) );
 	assert( suffixdn != NULL );
 	assert( !BER_BVISNULL( suffixdn ) );
-	assert( dnIsSuffix( orig_dn, suffixdn ) );
+	assert( dnIsSuffix( dn, suffixdn ) );
 
-	dn = *orig_dn;
+	start = dn->bv_val;
+	end = start + dn->bv_len;
 
-	/* escape dirsep's
-	 * use "\" + hexpair, so the escaped DN remains formally valid */
-	for ( ptr = dn.bv_val, end = &dn.bv_val[dn.bv_len]; ptr < end; ptr++ ) {
-		if ( ptr[0] == LDAP_DIRSEP[0] ) {
-			nsep++;
-		}
+	/* Room for dir, dirsep, dn, LDIF, "\hexpair"-escaping of unsafe chars */
+	len = li->li_base_path.bv_len + dn->bv_len + (1 + STRLENOF( LDIF ));
+	for ( p = start; p < end; ) {
+		ch = *p++;
+		if ( LDIF_NEED_ESCAPE( ch ) )
+			len += 2;
 	}
+	res->bv_val = ch_malloc( len + 1 );
 
-	if ( nsep ) {
-		char	*p;
-
-		dn.bv_len += 2*nsep;
-		dn.bv_val = ch_malloc( dn.bv_len + 1 );
-
-		for ( ptr = orig_dn->bv_val, end = &orig_dn->bv_val[orig_dn->bv_len], p = dn.bv_val;
-			ptr < end; ptr++, p++)
-		{
-			static const char hex[] = "0123456789ABCDEF";
-			if ( ptr[0] == LDAP_DIRSEP[0] ) {
-				*p++ = '\\';
-				*p++ = hex[(LDAP_DIRSEP[0] & 0xF0U) >> 4];
-				*p = hex[LDAP_DIRSEP[0] & 0x0FU];
-			} else {
-				p[0] = ptr[0];
+	ptr = lutil_strcopy( res->bv_val, li->li_base_path.bv_val );
+	for ( next = end - suffixdn->bv_len; end > start; end = next ) {
+		/* Set p = start of DN component, next = &',' or start of DN */
+		while ( (p = next) > start ) {
+			--next;
+			if ( DN_SEPARATOR( *next ) )
+				break;
+		}
+		/* Append <dirsep> <p..end-1: RDN or database-suffix> */
+		for ( *ptr++ = LDAP_DIRSEP[0]; p < end; *ptr++ = ch ) {
+			ch = *p++;
+			if ( LDIF_ESCAPE_CHAR != '\\' && ch == '\\' ) {
+				ch = LDIF_ESCAPE_CHAR;
+			} else if ( IX_FSL != IX_DNL && ch == IX_DNL ) {
+				ch = IX_FSL;
+			} else if ( IX_FSR != IX_DNR && ch == IX_DNR ) {
+				ch = IX_FSR;
+			} else if ( LDIF_NEED_ESCAPE( ch ) ) {
+				*ptr++ = LDIF_ESCAPE_CHAR;
+				*ptr++ = hex[(ch & 0xFFU) >> 4];
+				ch = hex[ch & 0x0FU];
 			}
 		}
-		p[0] = '\0';
 	}
+	ptr = lutil_strcopy( ptr, LDIF );
+	res->bv_len = ptr - res->bv_val;
 
-	res->bv_len = dn.bv_len + base_path->bv_len + 1 + STRLENOF( LDIF );
-	res->bv_val = ch_malloc( res->bv_len + 1 );
-	ptr = lutil_strcopy( res->bv_val, base_path->bv_val );
-	*ptr++ = LDAP_DIRSEP[0];
-	ptr = lutil_strcopy( ptr, suffixdn->bv_val );
-	end = dn.bv_val + dn.bv_len - suffixdn->bv_len - 1;
-	while ( end > dn.bv_val ) {
-		for (sep = end-1; sep >= dn.bv_val && !DN_SEPARATOR( *sep ); sep--);
-		*ptr++ = LDAP_DIRSEP[0];
-		ptr = lutil_strncopy( ptr, sep+1, end-sep-1 );
-		end = sep;
-	}
-	strcpy(ptr, LDIF);
-#if IX_FSL != IX_DNL
-	{
-		struct berval bv;
-		bv = *res;
-		while ( ptr = ber_bvchr( &bv, IX_DNL ) ) {
-			*ptr++ = IX_FSL;
-			assert( ( ptr - bv.bv_val ) <= bv.bv_len );
-			bv.bv_len -= ( ptr - bv.bv_val );
-			bv.bv_val = ptr;
-			ptr = ber_bvchr( &bv, IX_DNR );
-			if ( !ptr )
-				break;
-			*ptr++ = IX_FSR;
-			assert( ( ptr - bv.bv_val ) <= bv.bv_len );
-			bv.bv_len -= ( ptr - bv.bv_val );
-			bv.bv_val = ptr;
-		}
-	}
-#endif
-	if ( dn.bv_val != orig_dn->bv_val ) {
-		ch_free( dn.bv_val );
-	}
+	assert( res->bv_len <= len );
 }
 
 static char * slurp_file(int fd) {
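Review bot: dn2path's two safety conditions are enforced only by `assert`, which disappears under NDEBUG. `assert( dnIsSuffix( dn, suffixdn ) )` is what keeps `next = end - suffixdn->bv_len` from pointing before `start`, and `assert( res->bv_len <= len )` runs only after the copy loop has already written through `ptr`. The header comment should therefore state the contract, e.g. `/* dn must be normalized and under be->be_nsuffix[0]; caller frees res->bv_val */`. It should also say why `len` is an upper bound: one dirsep per DN separator plus one, and two extra bytes per escaped character. The backward scan for `DN_SEPARATOR` also appears to assume that normalization never leaves a literal separator inside an RDN value, which is worth confirming and noting.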
@@ -195,7 +247,7 @@
 }
 
 /*
- * return number of bytes written, or -1 in case of error
+ * return nonnegative for success or -1 for error
  * do not return numbers less than -1
  */
 static int spew_file(int fd, char * spew, int len) {
@@ -350,28 +402,34 @@
 	return ldentry;
 }
 
-static Entry * get_entry(Operation *op, struct berval *base_path) {
+static int
+get_entry(
+	Operation *op,
+	Entry **entryp,
+	struct berval *pathp )
+{
+	int rc;
 	struct berval path, pdn, pndn;
 	int fd;
 
 	dnParent(&op->o_req_dn, &pdn);
 	dnParent(&op->o_req_ndn, &pndn);
-	dn2path(&op->o_req_ndn, op->o_bd->be_nsuffix, base_path, &path);
+	dn2path( op->o_bd, &op->o_req_ndn, &path );
 	fd = open(path.bv_val, O_RDONLY);
 	/* error opening file (mebbe should log error) */
 	if ( fd == -1 && ( errno != ENOENT || op->o_tag != LDAP_REQ_ADD ) ) {
 		Debug( LDAP_DEBUG_ANY, "failed to open file \"%s\": %s\n",
 			path.bv_val, STRERROR(errno), 0 );
 	}
+	*entryp = fd < 0 ? NULL : get_entry_for_fd( fd, &pdn, &pndn );
+	rc = *entryp ? LDAP_SUCCESS : LDAP_NO_SUCH_OBJECT;
 
-	if(path.bv_val != NULL)
+	if ( rc == LDAP_SUCCESS && pathp != NULL ) {
+		*pathp = path;
+	} else {
 		SLAP_FREE(path.bv_val);
-
-	if ( fd != -1 ) {
-		return get_entry_for_fd(fd, &pdn, &pndn);
 	}
-
-	return NULL;
+	return rc;
 }
 
 static void fullpath(struct berval *base, struct berval *name, struct berval *res) {
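Review bot: get_entry now reports every failure as `LDAP_NO_SUCH_OBJECT`, because all failure paths reach `rc = *entryp ? LDAP_SUCCESS : LDAP_NO_SUCH_OBJECT;`. That includes an open() error other than ENOENT, such as a permission problem, and a file that opens but for which `get_entry_for_fd` returns NULL. Callers such as ldif_back_modify and the modrdn handler pass that code to the client, so an unreadable or damaged store is indistinguishable from a missing entry. Consider saving `errno` immediately after open(), before `Debug` can change it, and returning `LDAP_OTHER` unless the cause was ENOENT. The header comment should also say that on success with a non-NULL `pathp` the caller owns `pathp->bv_val` and must free it.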
@@ -393,81 +451,83 @@
 } bvlist;
 
 
-static int r_enum_tree(enumCookie *ck, struct berval *path,
+static int r_enum_tree(enumCookie *ck, struct berval *path, int base,
 	struct berval *pdn, struct berval *pndn)
 {
-	Entry *e;
-	int fd, rc = LDAP_SUCCESS;
+	Entry *e = NULL;
+	int fd = 0, rc = LDAP_SUCCESS;
 
-	fd = open( path->bv_val, O_RDONLY );
-	if ( fd < 0 ) {
-		Debug( LDAP_DEBUG_TRACE,
-			"=> ldif_enum_tree: failed to open %s: %s\n",
-			path->bv_val, STRERROR(errno), 0 );
-		return LDAP_NO_SUCH_OBJECT;
-	}
+	if ( !base ) {
+		fd = open( path->bv_val, O_RDONLY );
+		if ( fd < 0 ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"=> ldif_enum_tree: failed to open %s: %s\n",
+				path->bv_val, STRERROR(errno), 0 );
+			return LDAP_NO_SUCH_OBJECT;
+		}
 
-	e = get_entry_for_fd(fd, pdn, pndn);
-	if ( !e ) {
-		Debug( LDAP_DEBUG_ANY,
-			"=> ldif_enum_tree: failed to read entry for %s\n",
-			path->bv_val, 0, 0 );
-		return LDAP_BUSY;
-	}
+		e = get_entry_for_fd(fd, pdn, pndn);
+		if ( !e ) {
+			Debug( LDAP_DEBUG_ANY,
+				"=> ldif_enum_tree: failed to read entry for %s\n",
+				path->bv_val, 0, 0 );
+			return LDAP_BUSY;
+		}
 
-	if ( ck->op->ors_scope == LDAP_SCOPE_BASE ||
-		ck->op->ors_scope == LDAP_SCOPE_SUBTREE ) {
-		/* Send right away? */
-		if ( ck->rs ) {
-			/*
-			 * if it's a referral, add it to the list of referrals. only do
-			 * this for non-base searches, and don't check the filter
-			 * explicitly here since it's only a candidate anyway.
-			 */
-			if ( !get_manageDSAit( ck->op )
-					&& ck->op->ors_scope != LDAP_SCOPE_BASE
-					&& is_entry_referral( e ) )
-			{
-				BerVarray erefs = get_entry_referrals( ck->op, e );
-				ck->rs->sr_ref = referral_rewrite( erefs,
-						&e->e_name, NULL,
-						ck->op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL
-							? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE );
-
-				ck->rs->sr_entry = e;
-				rc = send_search_reference( ck->op, ck->rs );
-				ber_bvarray_free( ck->rs->sr_ref );
-				ber_bvarray_free( erefs );
-				ck->rs->sr_ref = NULL;
-				ck->rs->sr_entry = NULL;
-
-			} else if ( test_filter( ck->op, e, ck->op->ors_filter ) == LDAP_COMPARE_TRUE )
-			{
-				ck->rs->sr_entry = e;
-				ck->rs->sr_attrs = ck->op->ors_attrs;
-				ck->rs->sr_flags = REP_ENTRY_MODIFIABLE;
-				rc = send_search_entry(ck->op, ck->rs);
-				ck->rs->sr_entry = NULL;
+		if ( ck->op->ors_scope == LDAP_SCOPE_BASE ||
+			ck->op->ors_scope == LDAP_SCOPE_SUBTREE ) {
+			/* Send right away? */
+			if ( ck->rs ) {
+				/*
+				 * if it's a referral, add it to the list of referrals. only do
+				 * this for non-base searches, and don't check the filter
+				 * explicitly here since it's only a candidate anyway.
+				 */
+				if ( !get_manageDSAit( ck->op )
+						&& ck->op->ors_scope != LDAP_SCOPE_BASE
+						&& is_entry_referral( e ) )
+				{
+					BerVarray erefs = get_entry_referrals( ck->op, e );
+					ck->rs->sr_ref = referral_rewrite( erefs,
+							&e->e_name, NULL,
+							ck->op->oq_search.rs_scope == LDAP_SCOPE_ONELEVEL
+								? LDAP_SCOPE_BASE : LDAP_SCOPE_SUBTREE );
+	
+					ck->rs->sr_entry = e;
+					rc = send_search_reference( ck->op, ck->rs );
+					ber_bvarray_free( ck->rs->sr_ref );
+					ber_bvarray_free( erefs );
+					ck->rs->sr_ref = NULL;
+					ck->rs->sr_entry = NULL;
+	
+				} else if ( test_filter( ck->op, e, ck->op->ors_filter ) == LDAP_COMPARE_TRUE )
+				{
+					ck->rs->sr_entry = e;
+					ck->rs->sr_attrs = ck->op->ors_attrs;
+					ck->rs->sr_flags = REP_ENTRY_MODIFIABLE;
+					rc = send_search_entry(ck->op, ck->rs);
+					ck->rs->sr_entry = NULL;
+				}
+				fd = 1;
+				if ( rc )
+					goto done;
+			} else {
+			/* Queueing up for tool mode */
+				if(ck->entries == NULL) {
+					ck->entries = (Entry **) ch_malloc(sizeof(Entry *) * ENTRY_BUFF_INCREMENT);
+					ck->elen = ENTRY_BUFF_INCREMENT;
+				}
+				if(ck->eind >= ck->elen) { /* grow entries if necessary */	
+					ck->entries = (Entry **) ch_realloc(ck->entries, sizeof(Entry *) * (ck->elen) * 2);
+					ck->elen *= 2;
+				}
+	
+				ck->entries[ck->eind++] = e;
+				fd = 0;
 			}
+		} else {
 			fd = 1;
-			if ( rc )
-				goto done;
-		} else {
-		/* Queueing up for tool mode */
-			if(ck->entries == NULL) {
-				ck->entries = (Entry **) ch_malloc(sizeof(Entry *) * ENTRY_BUFF_INCREMENT);
-				ck->elen = ENTRY_BUFF_INCREMENT;
-			}
-			if(ck->eind >= ck->elen) { /* grow entries if necessary */	
-				ck->entries = (Entry **) ch_realloc(ck->entries, sizeof(Entry *) * (ck->elen) * 2);
-				ck->elen *= 2;
-			}
-
-			ck->entries[ck->eind++] = e;
-			fd = 0;
 		}
-	} else {
-		fd = 1;
 	}
 
 	if ( ck->op->ors_scope != LDAP_SCOPE_BASE ) {
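Review bot: `fd` serves two purposes in r_enum_tree: it holds the descriptor from open(), and afterwards a 0/1 flag (`fd = 1;` after sending, `fd = 0;` after storing `e` in `ck->entries`). The new `int fd = 0` initialiser exists only so the `base` path, which skips the block and leaves `e` NULL, starts with that flag cleared. The code that reads the flag is outside this hunk, presumably deciding whether `e` is freed. A separate local such as `int free_entry = 0;` would make the ownership rule explicit. The new `base` parameter also deserves a comment; judging from the `BER_BVISEMPTY( &ck->op->o_req_ndn )` call site it means something like `/* base: path is the database root, there is no entry file to read */`.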
@@ -551,7 +611,9 @@
 					AC_MEMCPY( ptr->bv.bv_val + ptr->off, ptr->num.bv_val,
 						ptr->num.bv_len );
 				fullpath( path, &ptr->bv, &fpath );
-				rc = r_enum_tree(ck, &fpath, &e->e_name, &e->e_nname );
+				rc = r_enum_tree(ck, &fpath, 0,
+					e != NULL ? &e->e_name : pdn,
+					e != NULL ? &e->e_nname : pndn );
 				free(fpath.bv_val);
 			}
 			if ( ptr->num.bv_val )
@@ -570,21 +632,23 @@
 	enumCookie *ck
 )
 {
-	struct ldif_info *li = (struct ldif_info *) ck->op->o_bd->be_private;
 	struct berval path;
 	struct berval pdn, pndn;
 	int rc;
 
 	dnParent( &ck->op->o_req_dn, &pdn );
 	dnParent( &ck->op->o_req_ndn, &pndn );
-	dn2path( &ck->op->o_req_ndn, &ck->op->o_bd->be_nsuffix[0], &li->li_base_path, &path);
-	rc = r_enum_tree(ck, &path, &pdn, &pndn);
+	dn2path( ck->op->o_bd, &ck->op->o_req_ndn, &path );
+	rc = r_enum_tree(ck, &path, BER_BVISEMPTY( &ck->op->o_req_ndn ) ? 1 : 0, &pdn, &pndn);
 	ch_free( path.bv_val );
 	return rc;
 }
 
-/* Get the parent path plus the LDIF suffix */
-static void get_parent_path(struct berval * dnpath, struct berval *res) {
+
+/* Get the parent directory path, plus the LDIF suffix overwritten by a \0 */
+static void
+get_parent_path( struct berval *dnpath, struct berval *res )
+{
 	int dnpathlen = dnpath->bv_len;
 	int i;
 	
@@ -606,7 +670,7 @@
 	char textbuf[SLAP_TEXT_BUFLEN];
 	int rc = modlist ? LDAP_UNWILLING_TO_PERFORM : LDAP_SUCCESS;
 	int is_oc = 0;
-	Modification *mods = NULL;
+	Modification *mods;
 
 	if (!acl_check_modlist(op, entry, modlist)) {
 		return LDAP_INSUFFICIENT_ACCESS;
@@ -647,8 +711,6 @@
 				sizeof( textbuf ) );
 			break;
 
-			break;
-
 		case SLAP_MOD_SOFTADD:
 			mods->sm_op = LDAP_MOD_ADD;
 			rc = modify_add_values(entry, mods,
@@ -660,12 +722,10 @@
 				rc = LDAP_SUCCESS;
 			}
 			break;
-		default:
-			break;
 		}
 		if(rc != LDAP_SUCCESS) break;
 	}
-	
+
 	if(rc == LDAP_SUCCESS) {
 		if ( is_oc ) {
 			entry->e_ocflags = 0;
@@ -697,28 +757,35 @@
 		return rc;
 	}
 
+	if ( BER_BVISEMPTY( &op->o_req_ndn ) ) {
+		/* the empty DN cannot be a referral */
+		return rc;
+	}
+
 	li = (struct ldif_info *)op->o_bd->be_private;
 	ldap_pvt_thread_rdwr_rlock( &li->li_rdwr );
-	entry = get_entry( op, &li->li_base_path );
+	get_entry( op, &entry, NULL );
 
 	/* no object is found for them */
 	if ( entry == NULL ) {
 		struct berval	odn = op->o_req_dn;
 		struct berval	ondn = op->o_req_ndn;
+		struct berval	pndn = ondn;
+		ber_len_t		min_dnlen = op->o_bd->be_nsuffix[0].bv_len;
 
-		struct berval	pndn = op->o_req_ndn;
+		if ( min_dnlen == 0 )
+			min_dnlen = 1;	   /* catch empty DN */
 
 		for ( ; entry == NULL; ) {
 			dnParent( &pndn, &pndn );
-			
-			if ( !dnIsSuffix( &pndn, &op->o_bd->be_nsuffix[0] ) ) {
+			if ( pndn.bv_len < min_dnlen ) {
 				break;
 			}
 
 			op->o_req_dn = pndn;
 			op->o_req_ndn = pndn;
 
-			entry = get_entry( op, &li->li_base_path );
+			get_entry( op, &entry, NULL );
 		}
 
 		ldap_pvt_thread_rdwr_runlock( &li->li_rdwr );
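Review bot: The parent walk now stops on `pndn.bv_len < min_dnlen` instead of calling `dnIsSuffix()`, and that is only equivalent because `pndn` starts as `op->o_req_ndn` and each step takes a parent. A comment should record the assumption that the request DN is under the suffix, because dn2path (reached through get_entry) only asserts it. For example: `/* pndn is an ancestor of o_req_ndn: shorter than the suffix means we have left this database */`. The return value of `get_entry( op, &entry, NULL )` is discarded in both calls; a `(void)` cast would show that testing `entry` instead is deliberate. The function begins and ends outside this hunk.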
@@ -758,9 +825,7 @@
 			rs->sr_ref = NULL;
 
 		} else if ( rc != LDAP_SUCCESS ) {
-			rs->sr_err = rc;
 			rs->sr_text = rs->sr_matched ? "bad referral object" : NULL;
-			send_ldap_result( op, rs );
 		}
 
 		if ( rs->sr_matched ) {
@@ -791,8 +856,8 @@
 			rs->sr_ref = NULL;
 
 		} else {
-			send_ldap_error( op, rs, LDAP_OTHER, "bad referral object" );
-			rc = rs->sr_err;
+			rc = LDAP_OTHER;
+			rs->sr_text = "bad referral object";
 		}
 
 		rs->sr_matched = NULL;
@@ -804,14 +869,17 @@
 	return rc;
 }
 
+
+/* LDAP operations */
+
 static int
 ldif_back_bind( Operation *op, SlapReply *rs )
 {
-	struct ldif_info *li = NULL;
-	Attribute * a = NULL;
+	struct ldif_info *li;
+	Attribute *a;
 	AttributeDescription *password = slap_schema.si_ad_userPassword;
-	int return_val = 0;
-	Entry * entry = NULL;
+	int return_val;
+	Entry *entry;
 
 	switch ( be_rootdn_bind( op, rs ) ) {
 	case SLAP_CB_CONTINUE:
@@ -825,10 +893,10 @@
 
 	li = (struct ldif_info *) op->o_bd->be_private;
 	ldap_pvt_thread_rdwr_rlock(&li->li_rdwr);
-	entry = get_entry(op, &li->li_base_path);
+	return_val = get_entry(op, &entry, NULL);
 
 	/* no object is found for them */
-	if(entry == NULL) {
+	if(return_val != LDAP_SUCCESS) {
 		rs->sr_err = return_val = LDAP_INVALID_CREDENTIALS;
 		goto return_result;
 	}
@@ -897,7 +965,7 @@
 
 	ldap_pvt_thread_rdwr_wlock(&li->li_rdwr);
 
-	dn2path(&dn, &op->o_bd->be_nsuffix[0], &li->li_base_path, &leaf_path);
+	dn2path( op->o_bd, &dn, &leaf_path );
 
 	if(leaf_path.bv_val != NULL) {
 		struct berval base = BER_BVNULL;
@@ -906,7 +974,7 @@
 
 		statres = stat(base.bv_val, &stats); /* check if container exists */
 		if(statres == -1 && errno == ENOENT) { /* container missing */
-			base.bv_val[base.bv_len] = '.';
+			base.bv_val[base.bv_len] = LDIF_FILETYPE_SEP;
 			statres = stat(base.bv_val, &stats); /* check for leaf node */
 			base.bv_val[base.bv_len] = '\0';
 			if(statres == -1 && errno == ENOENT) {
@@ -956,17 +1024,15 @@
 static int ldif_back_modify(Operation *op, SlapReply *rs) {
 	struct ldif_info *li = (struct ldif_info *) op->o_bd->be_private;
 	Modifications * modlst = op->orm_modlist;
-	struct berval path = BER_BVNULL;
-	Entry * entry = NULL;
+	struct berval path;
+	Entry *entry;
 	int spew_res;
 
 	slap_mods_opattrs( op, &op->orm_modlist, 1 );
 
 	ldap_pvt_thread_rdwr_wlock(&li->li_rdwr);
-	dn2path(&op->o_req_ndn, &op->o_bd->be_nsuffix[0], &li->li_base_path,
-		&path);
-	entry = get_entry(op, &li->li_base_path);
 
+	rs->sr_err = get_entry( op, &entry, &path );
 	if(entry != NULL) {
 		rs->sr_err = apply_modify_to_entry(entry, modlst, op, rs);
 		if(rs->sr_err == LDAP_SUCCESS) {
@@ -979,15 +1045,11 @@
 				rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
 			}
 		}
+
+		entry_free( entry );
+		SLAP_FREE( path.bv_val );
 	}
-	else {
-		rs->sr_err = LDAP_NO_SUCH_OBJECT;
-	}
-	
-	if(entry != NULL)
-		entry_free(entry);
-	if(path.bv_val != NULL)
-		SLAP_FREE(path.bv_val);
+
 	rs->sr_text = NULL;
 	ldap_pvt_thread_rdwr_wunlock(&li->li_rdwr);
 	send_ldap_result(op, rs);
@@ -997,7 +1059,7 @@
 
 static int ldif_back_delete(Operation *op, SlapReply *rs) {
 	struct ldif_info *li = (struct ldif_info *) op->o_bd->be_private;
-	struct berval path = BER_BVNULL;
+	struct berval path;
 	int res = 0;
 
 	if ( BER_BVISEMPTY( &op->o_csn )) {
@@ -1010,11 +1072,11 @@
 	}
 
 	ldap_pvt_thread_rdwr_wlock(&li->li_rdwr);
-	dn2path(&op->o_req_ndn, &op->o_bd->be_nsuffix[0], &li->li_base_path, &path);
 
+	dn2path( op->o_bd, &op->o_req_ndn, &path );
 	path.bv_val[path.bv_len - STRLENOF(LDIF)] = '\0';
 	res = rmdir(path.bv_val);
-	path.bv_val[path.bv_len - STRLENOF(LDIF)] = '.';
+	path.bv_val[path.bv_len - STRLENOF(LDIF)] = LDIF_FILETYPE_SEP;
 	rs->sr_err = LDAP_SUCCESS;
 	if ( res ) {
 		switch ( errno ) {
@@ -1023,15 +1085,17 @@
 			break;
 
 		case ENOENT:
-			rs->sr_err = LDAP_NO_SUCH_OBJECT;
+			/* is leaf, go on */
+			res = 0;
 			break;
 
 		default:
 			rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
 			break;
 		}
+	}
 
-	} else {
+	if ( !res ) {
 		res = unlink(path.bv_val);
 		if ( res == -1 ) {
 			switch ( errno ) {
@@ -1054,18 +1118,19 @@
 }
 
 
-static int move_entry(Entry * entry, struct berval * ndn,
-			   struct berval * newndn, struct berval * suffixdn,
-			   struct berval * base_path) {
+static int
+ldif_move_entry(
+	Operation *op,
+	Entry *entry,
+	struct berval *oldpath )
+{
 	int res;
 	int exists_res;
-	struct berval path;
 	struct berval newpath;
 
-	dn2path(ndn, suffixdn, base_path, &path);
-	dn2path(newndn, suffixdn, base_path, &newpath);
+	dn2path( op->o_bd, &entry->e_nname, &newpath );
 
-	if((entry == NULL || path.bv_val == NULL) || newpath.bv_val == NULL) {
+	if((entry == NULL || oldpath->bv_val == NULL) || newpath.bv_val == NULL) {
 		/* some object doesn't exist */
 		res = LDAP_NO_SUCH_OBJECT;
 	}
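Review bot: `entry` is dereferenced in `dn2path( op->o_bd, &entry->e_nname, &newpath )` before the `entry == NULL` test two lines later, so that test no longer protects anything. The one caller visible in this diff passes a non-NULL entry, so this is dead code rather than a reachable crash. Either drop the check and document that `entry` and `oldpath` must be non-NULL, or move it ahead of the dn2path call: `if ( entry == NULL || oldpath->bv_val == NULL ) return LDAP_NO_SUCH_OBJECT;`. The rest of ldif_move_entry lies outside this hunk.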
@@ -1076,10 +1141,10 @@
 			res = spew_entry(entry, &newpath, 0, NULL);
 			if(res != -1) {
 				/* if this fails we should log something bad */
-				res = unlink(path.bv_val);
-				path.bv_val[path.bv_len - STRLENOF(".ldif")] = '\0';
+				res = unlink( oldpath->bv_val );
+				oldpath->bv_val[oldpath->bv_len - STRLENOF(".ldif")] = '\0';
 				newpath.bv_val[newpath.bv_len - STRLENOF(".ldif")] = '\0';
-				res = rename(path.bv_val, newpath.bv_val);
+				res = rename( oldpath->bv_val, newpath.bv_val );
 				res = LDAP_SUCCESS;
 			}
 			else {
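Review bot: The results of `unlink( oldpath->bv_val )` and `rename( oldpath->bv_val, newpath.bv_val )` are both overwritten by `res = LDAP_SUCCESS;`, so the operation reports success even when the old file or the subtree directory was not moved. The existing comment already says a failure should be logged. A rename that fails with ENOENT is presumably normal for a leaf entry with no directory, but any other errno should at least be logged with `Debug` and reflected in the result, e.g. `if ( rename( ... ) != 0 && errno != ENOENT ) res = LDAP_OTHER;`. This code also now truncates the caller's `oldpath` buffer in place by writing `'\0'` over the ".ldif" suffix, which the function comment should mention. The enclosing function starts and ends outside the hunk.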
@@ -1105,8 +1170,6 @@
 
 	if(newpath.bv_val != NULL)
 		SLAP_FREE(newpath.bv_val);
-	if(path.bv_val != NULL)
-		SLAP_FREE(path.bv_val);
 	return res;
 }
 
@@ -1115,17 +1178,16 @@
 {
 	struct ldif_info *li = (struct ldif_info *) op->o_bd->be_private;
 	struct berval new_dn = BER_BVNULL, new_ndn = BER_BVNULL;
-	struct berval p_dn;
-	Entry * entry = NULL;
-	int res;
+	struct berval p_dn, old_path;
+	Entry *entry;
+	int rc;
 
 	slap_mods_opattrs( op, &op->orr_modlist, 1 );
 
 	ldap_pvt_thread_rdwr_wlock( &li->li_rdwr );
-	entry = get_entry( op, &li->li_base_path );
 
-	/* build the mods to the entry */
-	if ( entry != NULL ) {
+	rc = get_entry( op, &entry, &old_path );
+	if ( rc == LDAP_SUCCESS ) {
 		/* build new dn, and new ndn for the entry */
 		if ( op->oq_modrdn.rs_newSup != NULL ) {
 			struct berval	op_dn = op->o_req_dn,
@@ -1136,10 +1198,10 @@
 			p_dn = *op->oq_modrdn.rs_newSup;
 			op->o_req_dn = *op->oq_modrdn.rs_newSup;
 			op->o_req_ndn = *op->oq_modrdn.rs_nnewSup;
-			np = get_entry( op, &li->li_base_path );
+			rc = get_entry( op, &np, NULL );
 			op->o_req_dn = op_dn;
 			op->o_req_ndn = op_ndn;
-			if ( np == NULL ) {
+			if ( rc != LDAP_SUCCESS ) {
 				goto no_such_object;
 			}
 			entry_free( np );
@@ -1154,43 +1216,37 @@
 		entry->e_nname = new_ndn;
 
 		/* perform the modifications */
-		res = apply_modify_to_entry( entry, op->orr_modlist, op, rs );
-		if ( res == LDAP_SUCCESS ) {
-			rs->sr_err = move_entry( entry, &op->o_req_ndn,
-						&new_ndn,
-						&op->o_bd->be_nsuffix[0],
-						&li->li_base_path );
-		} else {
-			rs->sr_err = res;
-		}
-	} else {
+		rc = apply_modify_to_entry( entry, op->orr_modlist, op, rs );
+		if ( rc == LDAP_SUCCESS )
+			rc = ldif_move_entry( op, entry, &old_path );
+
 no_such_object:;
-		/* entry was null */
-		rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		entry_free( entry );
+		SLAP_FREE( old_path.bv_val );
 	}
 
-	if ( entry != NULL ) {
-		entry_free( entry );
-	}
 	rs->sr_text = "";
 	ldap_pvt_thread_rdwr_wunlock( &li->li_rdwr );
+	rs->sr_err = rc;
 	send_ldap_result( op, rs );
 	slap_graduate_commit_csn( op );
 	return rs->sr_err;
 }
 
-/* return LDAP_SUCCESS IFF we can retrieve the specified entry.
- */
-int ldif_back_entry_get(
+
+/* Return LDAP_SUCCESS IFF we retrieve the specified entry. */
+static int
+ldif_back_entry_get(
 	Operation *op,
 	struct berval *ndn,
 	ObjectClass *oc,
 	AttributeDescription *at,
 	int rw,
-	Entry **ent )
+	Entry **e )
 {
 	struct ldif_info *li = (struct ldif_info *) op->o_bd->be_private;
 	struct berval op_dn = op->o_req_dn, op_ndn = op->o_req_ndn;
+	int rc;
 
 	assert( ndn != NULL );
 	assert( !BER_BVISNULL( ndn ) );
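Review bot: The label `no_such_object:` is now the common exit of the success branch. It is reached by falling through after `ldif_move_entry()` as well as by the `goto` taken when the new superior cannot be read, and in both cases it runs `entry_free( entry )` and `SLAP_FREE( old_path.bv_val )`. The name therefore no longer matches what the code does. Renaming it to something like `cleanup:` or adding `/* also reached on success: release entry and old_path */` would prevent a later edit from treating it as an error-only path.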
@@ -1198,19 +1254,23 @@
 	ldap_pvt_thread_rdwr_rlock( &li->li_rdwr );
 	op->o_req_dn = *ndn;
 	op->o_req_ndn = *ndn;
-	*ent = get_entry( op, &li->li_base_path );
+	rc = get_entry( op, e, NULL );
 	op->o_req_dn = op_dn;
 	op->o_req_ndn = op_ndn;
 	ldap_pvt_thread_rdwr_runlock( &li->li_rdwr );
 
-	if ( *ent && oc && !is_entry_objectclass_or_sub( *ent, oc ) ) {
-		entry_free( *ent );
-		*ent = NULL;
+	if ( rc == LDAP_SUCCESS && oc && !is_entry_objectclass_or_sub( *e, oc ) ) {
+		rc = LDAP_NO_SUCH_ATTRIBUTE;
+		entry_free( *e );
+		*e = NULL;
 	}
 
-	return ( *ent == NULL ? 1 : 0 );
+	return rc;
 }
 
+
+/* Slap tools */
+
 static int ldif_tool_entry_open(BackendDB *be, int mode) {
 	struct ldif_info *li = (struct ldif_info *) be->be_private;
 	li->li_tool_current = 0;
@@ -1266,14 +1326,12 @@
 }
 
 static ID ldif_tool_entry_put(BackendDB * be, Entry * e, struct berval *text) {
-	struct ldif_info *li = (struct ldif_info *) be->be_private;
-	struct berval dn = e->e_nname;
 	struct berval leaf_path = BER_BVNULL;
 	struct stat stats;
 	int statres;
 	int res = LDAP_SUCCESS;
 
-	dn2path(&dn, &be->be_nsuffix[0], &li->li_base_path, &leaf_path);
+	dn2path( be, &e->e_nname, &leaf_path );
 
 	if(leaf_path.bv_val != NULL) {
 		struct berval base = BER_BVNULL;
@@ -1282,7 +1340,7 @@
 
 		statres = stat(base.bv_val, &stats); /* check if container exists */
 		if(statres == -1 && errno == ENOENT) { /* container missing */
-			base.bv_val[base.bv_len] = '.';
+			base.bv_val[base.bv_len] = LDIF_FILETYPE_SEP;
 			statres = stat(base.bv_val, &stats); /* check for leaf node */
 			base.bv_val[base.bv_len] = '\0';
 			if(statres == -1 && errno == ENOENT) {
@@ -1316,6 +1374,9 @@
 		return NOID;
 }
 
+
+/* Setup */
+
 static int
 ldif_back_db_init( BackendDB *be, ConfigReply *cr )
 {
@@ -1325,6 +1386,7 @@
 	be->be_private = li;
 	be->be_cf_ocs = ldifocs;
 	ldap_pvt_thread_rdwr_init(&li->li_rdwr);
+	SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_ONE_SUFFIX;
 	return 0;
 }
 

Modified: openldap/trunk/servers/slapd/back-meta/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-meta/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-meta
-# $OpenLDAP: pkg/ldap/servers/slapd/back-meta/Makefile.in,v 1.16.2.2 2007/08/31 23:14:03 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-meta/Makefile.in,v 1.16.2.3 2008/02/11 23:26:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-meta/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/add.c,v 1.51.2.5 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/add.c,v 1.51.2.7 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -183,13 +183,13 @@
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 	}
 
 cleanup:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	for ( --i; i >= 0; --i ) {
 		free( attrs[ i ]->mod_bvalues );
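Review bot: The indirect call `mi->mi_ldap_extra->controls_free( op, rs, &ctrls )`, on the retry path and under `cleanup:`, goes through a function pointer that nothing visible in this commit checks for NULL. `meta_back_db_open` in init.c verifies `bi` and `bi->bi_extra` before storing the table, but not its members, so an unset slot would be called through a NULL pointer on the first operation instead of failing at startup. Extending the startup check, e.g. `if ( !bi || !bi->bi_extra || !((ldap_extra_t *)bi->bi_extra)->controls_free ) {`, and likewise for `proxy_authz_ctrl`, keeps the failure at configuration time. The same call pattern appears in the bind.c, compare.c, delete.c, modify.c, modrdn.c and search.c hunks of this commit. The enclosing function starts and ends outside the hunk, so the declaration of `mi` is not visible here.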

Modified: openldap/trunk/servers/slapd/back-meta/back-meta.h
===================================================================
--- openldap/trunk/servers/slapd/back-meta/back-meta.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/back-meta.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/back-meta.h,v 1.64.2.7 2007/10/17 00:49:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/back-meta.h,v 1.64.2.9 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -397,6 +397,9 @@
 	time_t			mi_idle_timeout;
 	struct timeval		mi_bind_timeout;
 	time_t			mi_timeout[ SLAP_OP_LAST ];
+
+	ldap_extra_t	*mi_ldap_extra;
+
 } metainfo_t;
 
 typedef enum meta_op_type {
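Review bot: The new `mi_ldap_extra` member of `metainfo_t` has no comment describing who sets it or who owns it. In this commit init.c assigns it from `bi->bi_extra` of the "ldap" backend inside `meta_back_db_open`, so it is borrowed from back-ldap and presumably unset until the database has been opened. A one-line comment would record that, for example `ldap_extra_t	*mi_ldap_extra;	/* back-ldap helper table, set in meta_back_db_open(); not owned */`. The header that declares `ldap_extra_t` is not visible in this hunk.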

Modified: openldap/trunk/servers/slapd/back-meta/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/bind.c,v 1.95.2.12 2007/10/18 00:20:07 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/bind.c,v 1.95.2.15 2008/04/14 21:24:34 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -145,7 +145,7 @@
 			rc = LDAP_SUCCESS;
 			gotit = 1;
 
-		} else if ( isroot == 0 ) {
+		} else if ( !isroot ) {
 			/*
 			 * A bind operation is expected to have
 			 * ONE CANDIDATE ONLY!
@@ -249,10 +249,15 @@
 			meta_back_print_conntree( mi, "<<< meta_back_bind" );
 #endif /* META_BACK_PRINT_CONNTREE */
 			if ( lerr == 0 ) {
+#if 0
+				/* NOTE: a connection cannot be privileged
+				 * and be in the avl tree at the same time
+				 */
 				if ( isroot ) {
 					LDAP_BACK_CONN_ISPRIV_SET( mc );
 					LDAP_BACK_PCONN_SET( mc, op );
 				}
+#endif
 				LDAP_BACK_CONN_CACHED_SET( mc );
 
 			} else {
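Review bot: The `#if 0` block leaves the `isroot` branch in the file as dead code, and the NOTE explains why the flags are no longer set but not how a connection bound as root is treated once `LDAP_BACK_CONN_CACHED_SET( mc )` marks it. If the invariant in the NOTE is permanent, deleting the disabled lines and keeping a comment such as `/* root binds are not flagged privileged here: a privileged connection cannot be in the avl tree */` reads better than a preprocessor guard. It is also worth confirming, from code outside this hunk, that a cached connection established by a root bind cannot be handed to a different identity. The enclosing function starts and ends outside the hunk.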
@@ -509,7 +514,7 @@
 		ldap_pvt_thread_yield();
 	}
 
-	ldap_back_controls_free( op, rs, &ctrls );
+	mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	meta_back_bind_op_result( op, rs, mc, candidate, msgid, LDAP_BACK_DONTSEND );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
@@ -1553,7 +1558,7 @@
  *
  * if any needs to be added, it is prepended to existing ones,
  * in a newly allocated array.  The companion function
- * ldap_back_controls_free() must be used to restore the original
+ * mi->mi_ldap_extra->controls_free() must be used to restore the original
  * status of op->o_ctrls.
  */
 int
@@ -1595,7 +1600,7 @@
 	/* put controls that go __before__ existing ones here */
 
 	/* proxyAuthz for identity assertion */
-	switch ( ldap_back_proxy_authz_ctrl( op, rs, &msc->msc_bound_ndn,
+	switch ( mi->mi_ldap_extra->proxy_authz_ctrl( op, rs, &msc->msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, &c[ j1 ] ) )
 	{
 	case SLAP_CB_CONTINUE:

Modified: openldap/trunk/servers/slapd/back-meta/candidates.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/candidates.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/candidates.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/candidates.c,v 1.28.2.4 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/candidates.c,v 1.28.2.5 2008/02/11 23:26:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-meta/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/compare.c,v 1.50.2.5 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/compare.c,v 1.50.2.7 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -129,13 +129,13 @@
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 	}
 
 cleanup:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	if ( mdn.bv_val != op->o_req_dn.bv_val ) {
 		free( mdn.bv_val );

Modified: openldap/trunk/servers/slapd/back-meta/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/config.c,v 1.74.2.8 2007/11/27 19:49:13 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/config.c,v 1.74.2.10 2008/04/14 22:46:48 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -802,7 +802,7 @@
 	{
 		if ( argc != 2 ) {
 			Debug( LDAP_DEBUG_ANY,
-	"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\" takes 1 argument\n",
+	"%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\" takes 1 argument\n",
 				fname, lineno, 0 );
 			return( 1 );
 		}
@@ -818,7 +818,7 @@
 
 		default:
 			Debug( LDAP_DEBUG_ANY,
-	"%s: line %d: \"[pseudo]root-bind-defer {FALSE|true}\": invalid arg \"%s\".\n",
+	"%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\": invalid arg \"%s\".\n",
 				fname, lineno, argv[ 1 ] );
 			return 1;
 		}

Modified: openldap/trunk/servers/slapd/back-meta/conn.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/conn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/conn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/conn.c,v 1.86.2.12 2007/11/27 19:49:13 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/conn.c,v 1.86.2.15 2008/04/14 21:19:57 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -140,11 +140,30 @@
  */
 #if META_BACK_PRINT_CONNTREE > 0
 static void
+meta_back_print( metaconn_t *mc, char *avlstr )
+{
+	int	i;
+
+	fputs( "targets=[", stderr );
+	for ( i = 0; i < mc->mc_info->mi_ntargets; i++ ) {
+		fputc( mc->mc_conns[ i ].msc_ld ? '*' : 'o', stderr);
+	}
+	fputc( ']', stderr );
+
+	fprintf( stderr, " mc=%p local=\"%s\" conn=%p refcnt=%d%s %s\n",
+		(void *)mc,
+		mc->mc_local_ndn.bv_val ? mc->mc_local_ndn.bv_val : "",
+		(void *)mc->mc_conn,
+		mc->mc_refcnt,
+		LDAP_BACK_CONN_TAINTED( mc ) ? " tainted" : "",
+		avlstr );
+}
+
+static void
 meta_back_ravl_print( Avlnode *root, int depth )
 {
 	int     	i;
-	metaconn_t	*mc;
-	
+
 	if ( root == 0 ) {
 		return;
 	}
@@ -154,15 +173,11 @@
 	for ( i = 0; i < depth; i++ ) {
 		fprintf( stderr, "-" );
 	}
+	fputc( ' ', stderr );
 
-	mc = (metaconn_t *)root->avl_data;
-	fprintf( stderr, "mc=%p local=\"%s\" conn=%p %s refcnt=%d%s\n",
-		(void *)mc,
-		mc->mc_local_ndn.bv_val ? mc->mc_local_ndn.bv_val : "",
-		(void *)mc->mc_conn,
-		avl_bf2str( root->avl_bf ), mc->mc_refcnt,
-		LDAP_BACK_CONN_TAINTED( mc ) ? " tainted" : "" );
-	
+	meta_back_print( (metaconn_t *)root->avl_data,
+		avl_bf2str( root->avl_bf ) );
+
 	meta_back_ravl_print( root->avl_left, depth + 1 );
 }
 
@@ -192,11 +207,8 @@
 
 		LDAP_TAILQ_FOREACH( mc, &mi->mi_conn_priv[ c ].mic_priv, mc_q )
 		{
-			fprintf( stderr, "    [%d] mc=%p local=\"%s\" conn=%p refcnt=%d flags=0x%08x\n",
-				i,
-				(void *)mc,
-				mc->mc_local_ndn.bv_val ? mc->mc_local_ndn.bv_val : "",
-				(void *)mc->mc_conn, mc->mc_refcnt, mc->msc_mscflags );
+			fprintf( stderr, "    [%d] ", i );
+			meta_back_print( mc, "" );
 			i++;
 		}
 	}
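Review bot: The privileged-connection dump loses its `flags=0x%08x` column: the removed `fprintf` printed `mc->msc_mscflags`, while the `meta_back_print( mc, "" )` call that replaces it reports only the tainted bit. For diagnosing connection-state problems the full flag word is the more useful value, so consider adding it to the helper's format string in the first conn.c hunk, e.g. `" mc=%p local=\"%s\" conn=%p refcnt=%d flags=0x%08x%s %s\n"`. The helper also declares its second parameter as `char *avlstr` but receives the literal `""` here; `const char *avlstr` would match that use. The helper is defined under `#if META_BACK_PRINT_CONNTREE > 0`, so this affects debug builds only.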
@@ -948,7 +960,8 @@
 			data = (void *)mc;
 			ldap_pvt_thread_pool_setkey( op->o_threadctx,
 					&meta_back_candidates_dummy, data,
-					meta_back_candidates_keyfree );
+					meta_back_candidates_keyfree,
+					NULL, NULL );
 
 		} else {
 			mi->mi_candidates = mc;
@@ -1611,7 +1624,7 @@
 		}
 
 #if META_BACK_PRINT_CONNTREE > 0
-		meta_back_print_conntree( mi, ">>> meta_back_getconn" );
+		meta_back_print_conntree( mi, "<<< meta_back_getconn" );
 #endif /* META_BACK_PRINT_CONNTREE */
 		ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
 

Modified: openldap/trunk/servers/slapd/back-meta/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/delete.c,v 1.37.2.5 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/delete.c,v 1.37.2.7 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -81,13 +81,13 @@
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 	}
 
 cleanup:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	if ( mdn.bv_val != op->o_req_dn.bv_val ) {
 		free( mdn.bv_val );

Modified: openldap/trunk/servers/slapd/back-meta/dncache.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/dncache.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/dncache.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/dncache.c,v 1.16.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/dncache.c,v 1.16.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-meta/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/init.c,v 1.58.2.5 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/init.c,v 1.58.2.8 2008/04/14 22:46:48 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -99,6 +99,10 @@
  		return -1;
  	}
 
+	/* set default flags */
+	mi->mi_flags =
+		META_BACK_F_DEFER_ROOTDN_BIND;
+
 	/*
 	 * At present the default is no default target;
 	 * this may change
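Review bot: Assigning `mi->mi_flags = META_BACK_F_DEFER_ROOTDN_BIND;` changes the default for every back-meta configuration that does not set root-bind-defer explicitly, and the hunk gives no reason for the change. The config.c hunks in this commit update the usage strings to `{TRUE|false}` to match, but an operator upgrading gets different rootdn bind behaviour with nothing in the code to say so; a comment such as `/* rootdn binds are deferred by default; see [pseudo]root-bind-defer */`, together with a manual-page entry, would record it. The plain `=` also discards any flag set earlier in the function; if that is not intended, `|=` is the safer form. The function body starts and ends outside the hunk, so what precedes the assignment is not visible.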
@@ -134,6 +138,7 @@
 	ConfigReply	*cr )
 {
 	metainfo_t	*mi = (metainfo_t *)be->be_private;
+	BackendInfo *bi;
 
 	int		i,
 			not_always = 0,
@@ -148,6 +153,15 @@
 		return 1;
 	}
 
+	bi = backend_info( "ldap" );
+	if ( !bi || !bi->bi_extra ) {
+		Debug( LDAP_DEBUG_ANY,
+			"meta_back_db_open: needs back-ldap\n",
+			0, 0, 0 );
+		return 1;
+	}
+	mi->mi_ldap_extra = (ldap_extra_t *)bi->bi_extra;
+
 	for ( i = 0; i < mi->mi_ntargets; i++ ) {
 		slap_bindconf	sb = { BER_BVNULL };
 		metatarget_t	*mt = mi->mi_targets[ i ];

Modified: openldap/trunk/servers/slapd/back-meta/map.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/map.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/map.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* map.c - ldap backend mapping routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/map.c,v 1.15.2.6 2007/10/18 01:35:12 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/map.c,v 1.15.2.7 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-meta/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/modify.c,v 1.52.2.5 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/modify.c,v 1.52.2.7 2008/02/12 00:25:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -192,13 +192,13 @@
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 	}
 
 cleanup:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	if ( mdn.bv_val != op->o_req_dn.bv_val ) {
 		free( mdn.bv_val );

Modified: openldap/trunk/servers/slapd/back-meta/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/modrdn.c,v 1.39.2.6 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/modrdn.c,v 1.39.2.9 2008/04/14 18:57:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -44,6 +44,7 @@
 	int		msgid;
 	int		do_retry = 1;
 	LDAPControl	**ctrls = NULL;
+	struct berval	newrdn = BER_BVNULL;
 
 	mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );
 	if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {
@@ -118,6 +119,13 @@
 		goto cleanup;
 	}
 
+	/* NOTE: we need to copy the newRDN in case it was formed
+	 * from a DN by simply changing the length (ITS#5397) */
+	newrdn = op->orr_newrdn;
+	if ( newrdn.bv_val[ newrdn.bv_len ] != '\0' ) {
+		ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx );
+	}
+
 retry:;
 	ctrls = op->o_ctrls;
 	if ( meta_back_controls_add( op, rs, mc, candidate, &ctrls ) != LDAP_SUCCESS )
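Review bot: The result of `ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx )` is not checked, so after an allocation failure the later `ldap_rename` call would receive whatever `newrdn.bv_val` was left as. A guard such as `if ( ber_dupbv_x( &newrdn, &op->orr_newrdn, op->o_tmpmemctx ) == NULL ) { rs->sr_err = LDAP_OTHER; goto cleanup; }` makes the failure explicit; how `cleanup` reports the result is outside the hunk, so the error path should follow the function's existing convention. The test `newrdn.bv_val[ newrdn.bv_len ] != '\0'` also reads one byte past the RDN length, which is safe only if, as the NOTE describes, the value is a prefix of a longer NUL-terminated DN buffer; that assumption deserves to be stated as a requirement on `orr_newrdn`. The function starts and ends outside the hunk.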
@@ -127,7 +135,7 @@
 	}
 
 	rs->sr_err = ldap_rename( mc->mc_conns[ candidate ].msc_ld,
-			mdn.bv_val, op->orr_newrdn.bv_val,
+			mdn.bv_val, newrdn.bv_val,
 			mnewSuperior.bv_val, op->orr_deleteoldrdn,
 			ctrls, NULL, &msgid );
 	rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
@@ -136,13 +144,13 @@
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 	}
 
 cleanup:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	if ( mdn.bv_val != op->o_req_dn.bv_val ) {
 		free( mdn.bv_val );
@@ -156,6 +164,10 @@
 		BER_BVZERO( &mnewSuperior );
 	}
 
+	if ( newrdn.bv_val != op->orr_newrdn.bv_val ) {
+		op->o_tmpfree( newrdn.bv_val, op->o_tmpmemctx );
+	}
+
 	if ( mc ) {
 		meta_back_release_conn( mi, mc );
 	}
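Review bot: The new cleanup test `newrdn.bv_val != op->orr_newrdn.bv_val` is also true when `newrdn` was never assigned. It is initialised to `BER_BVNULL`, and the `goto cleanup` visible just before the copy in the earlier modrdn.c hunk reaches this point with `newrdn.bv_val == NULL`. In that case `op->o_tmpfree( NULL, op->o_tmpmemctx )` is called, which relies on the allocator tolerating a NULL pointer. Making the condition `if ( !BER_BVISNULL( &newrdn ) && newrdn.bv_val != op->orr_newrdn.bv_val ) {` removes that dependency. The function starts and ends outside the hunk.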

Modified: openldap/trunk/servers/slapd/back-meta/proto-meta.h
===================================================================
--- openldap/trunk/servers/slapd/back-meta/proto-meta.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/proto-meta.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/proto-meta.h,v 1.5.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/proto-meta.h,v 1.5.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-meta/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/search.c,v 1.146.2.7 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/search.c,v 1.146.2.11 2008/04/21 17:03:23 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.
@@ -624,7 +624,7 @@
 		if ( nretries && meta_back_retry( op, rs, mcp, candidate, LDAP_BACK_DONTSEND ) ) {
 			nretries = 0;
 			/* if the identity changed, there might be need to re-authz */
-			(void)ldap_back_controls_free( op, rs, &ctrls );
+			(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 			goto retry;
 		}
 
@@ -641,7 +641,7 @@
 	}
 
 done:;
-	(void)ldap_back_controls_free( op, rs, &ctrls );
+	(void)mi->mi_ldap_extra->controls_free( op, rs, &ctrls );
 
 	if ( mapped_attrs ) {
 		free( mapped_attrs );
@@ -2041,8 +2041,11 @@
 					mod.sm_op = LDAP_MOD_ADD;
 					mod.sm_desc = (*ap)->a_desc;
 					mod.sm_type = mod.sm_desc->ad_cname;
+					mod.sm_numvals = (*ap)->a_numvals;
 					mod.sm_values = (*tap)->a_vals;
-					mod.sm_nvalues = (*tap)->a_nvals;
+					if ( (*tap)->a_nvals != (*tap)->a_vals ) {
+						mod.sm_nvalues = (*tap)->a_nvals;
+					}
 
 					(void)modify_add_values( &e, &mod,
 						/* permissive */ 1,
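Review bot: `mod.sm_numvals` is taken from `(*ap)->a_numvals` while `mod.sm_values` and `mod.sm_nvalues` come from `(*tap)`, so the count and the arrays describe different attributes. If the two can hold different numbers of values, `modify_add_values` receives a count that may not match the array it is given; `mod.sm_numvals = (*tap)->a_numvals;` would keep them consistent. The new `if` also leaves `mod.sm_nvalues` untouched when `a_nvals == a_vals`, which is only correct if `mod` was zeroed earlier; otherwise an `else` setting `mod.sm_nvalues = NULL;` is needed. The declaration of `mod` is outside the hunk, so this has to be checked there.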

Modified: openldap/trunk/servers/slapd/back-meta/suffixmassage.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/suffixmassage.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/suffixmassage.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* suffixmassage.c - massages ldap backend dns */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/suffixmassage.c,v 1.7.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/suffixmassage.c,v 1.7.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-meta/unbind.c
===================================================================
--- openldap/trunk/servers/slapd/back-meta/unbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-meta/unbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/unbind.c,v 1.30.2.4 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/unbind.c,v 1.30.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * Portions Copyright 1999-2003 Howard Chu.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-monitor/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-monitor
-# $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/Makefile.in,v 1.20.2.2 2007/08/31 23:14:03 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/Makefile.in,v 1.20.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-monitor/back-monitor.h
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/back-monitor.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/back-monitor.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* back-monitor.h - ldap monitor back-end header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/back-monitor.h,v 1.52.2.4 2007/09/29 09:27:01 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/back-monitor.h,v 1.52.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/backend.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/backend.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/backend.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* backend.c - deals with backend subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/backend.c,v 1.41.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/backend.c,v 1.41.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - monitor backend bind routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/bind.c,v 1.17.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/bind.c,v 1.17.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/cache.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/cache.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/cache.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* cache.c - routines to maintain an in-core cache of entries */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/cache.c,v 1.27.2.3 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/cache.c,v 1.27.2.5 2008/05/01 21:25:42 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -154,13 +154,18 @@
 	*ep = NULL;
 
 	tmp_mc.mc_ndn = *ndn;
+retry:;
 	ldap_pvt_thread_mutex_lock( &mi->mi_cache_mutex );
 	mc = ( monitor_cache_t * )avl_find( mi->mi_cache,
 			( caddr_t )&tmp_mc, monitor_cache_cmp );
 
 	if ( mc != NULL ) {
 		/* entry is returned with mutex locked */
-		monitor_cache_lock( mc->mc_e );
+		if ( monitor_cache_trylock( mc->mc_e ) ) {
+			ldap_pvt_thread_mutex_unlock( &mi->mi_cache_mutex );
+			ldap_pvt_thread_yield();
+			goto retry;
+		}
 		*ep = mc->mc_e;
 	}
 

Modified: openldap/trunk/servers/slapd/back-monitor/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* compare.c - monitor backend compare routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/compare.c,v 1.24.2.4 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/compare.c,v 1.24.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/conn.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/conn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/conn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* conn.c - deal with connection subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/conn.c,v 1.72.2.5 2007/10/08 09:48:15 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/conn.c,v 1.72.2.7 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -236,7 +236,7 @@
 
 	if ( n != -1 ) {
 		Attribute	*a;
-		char		buf[] = "+9223372036854775807L";
+		char		buf[LDAP_PVT_INTTYPE_CHARS(long)];
 		ber_len_t	len;
 
 		a = attr_find( e->e_attrs, mi->mi_ad_monitorCounter );
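Review bot: `char buf[LDAP_PVT_INTTYPE_CHARS(long)]` sizes the buffer for a `long`, whereas the literal it replaces reserved room for a 64-bit value on every platform. The code that formats into `buf` is below the hunk; if it prints a counter type wider than `long` (on a platform where `long` is 32 bits) or uses an unbounded `sprintf`, the smaller buffer can overflow. The formatting call should be bounded with `sizeof( buf )`, and its argument type should match the type named in the macro. The buffer is also no longer initialised, so nothing may read it before it is written.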

Modified: openldap/trunk/servers/slapd/back-monitor/database.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/database.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/database.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* database.c - deals with database subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/database.c,v 1.80.2.7 2007/10/08 09:48:15 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/database.c,v 1.80.2.9 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -835,6 +835,7 @@
 	
 							BER_BVZERO( &a->a_vals[ k - 1 ] );
 							BER_BVZERO( &a->a_nvals[ k - 1 ] );
+							a->a_numvals--;
 						}
 					}
 				}
@@ -860,9 +861,16 @@
 	
 							BER_BVZERO( &a->a_vals[ k - 1 ] );
 							BER_BVZERO( &a->a_nvals[ k - 1 ] );
+							a->a_numvals--;
 						}
 					}
 				}
+
+				if ( a->a_vals == NULL ) {
+					assert( a->a_numvals == 0 );
+
+					attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation );
+				}
 			}
 		}
 

Modified: openldap/trunk/servers/slapd/back-monitor/entry.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/entry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/entry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* entry.c - monitor backend entry handling routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/entry.c,v 1.21.2.4 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/entry.c,v 1.21.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize monitor backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/init.c,v 1.125.2.4 2007/09/29 09:27:01 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/init.c,v 1.125.2.6 2008/04/24 08:13:39 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -356,7 +356,7 @@
 
 	el.el_type = LIMBO_DATABASE;
 
-	el.el_be = be;
+	el.el_be = be->bd_self;
 	el.el_ndn = ndn;
 	
 	for ( elpp = &mi->mi_entry_limbo;
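Review bot: `el.el_be = be->bd_self;` carries no comment saying why the limbo entry must hold `bd_self` rather than the `be` it was handed, and the reason cannot be recovered from the hunk. The entry is linked into `mi->mi_entry_limbo` and so appears to outlive this call; presumably `be` can be a caller-local or overlay-adjusted copy, in which case storing it would leave a dangling pointer. Once confirmed, a line such as `/* be may be a temporary copy; keep the database's own BackendDB */` would record that. The dereference also assumes `be` is non-NULL, which is decided outside the visible lines.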

Modified: openldap/trunk/servers/slapd/back-monitor/listener.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/listener.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/listener.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* listener.c - deals with listener subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/listener.c,v 1.31.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/listener.c,v 1.31.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/log.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/log.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/log.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* log.c - deal with log subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/log.c,v 1.56.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/log.c,v 1.56.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -395,6 +395,7 @@
 				a->a_vals[ k - 1 ] = a->a_vals[ k ];
 			}
 			BER_BVZERO( &a->a_vals[ k - 1 ] );
+			a->a_numvals--;
 
 			break;
 		}
@@ -409,6 +410,8 @@
 
 	/* if no values remain, delete the entire attribute */
 	if ( BER_BVISNULL( &a->a_vals[ 0 ] ) ) {
+		assert( a->a_numvals == 0 );
+
 		/* should already be zero */
 		*newlevel = 0;
 		

Modified: openldap/trunk/servers/slapd/back-monitor/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modify.c - monitor backend modify routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/modify.c,v 1.24.2.3 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/modify.c,v 1.24.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/operation.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/operation.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/operation.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* operation.c - deal with operation subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/operation.c,v 1.46.2.3 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/operation.c,v 1.46.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/operational.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/operational.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/operational.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* operational.c - monitor backend operational attributes function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/operational.c,v 1.17.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/operational.c,v 1.17.2.4 2008/02/12 00:58:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -62,6 +62,6 @@
 		ap = &(*ap)->a_next;
 	}
 	
-	return 0;
+	return LDAP_SUCCESS;
 }
 

Modified: openldap/trunk/servers/slapd/back-monitor/overlay.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/overlay.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/overlay.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 /* overlay.c - deals with overlay subsystem */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/proto-back-monitor.h,v 1.33.2.4 2007/09/29 09:27:01 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/proto-back-monitor.h,v 1.33.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/rww.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/rww.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/rww.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* readw.c - deal with read waiters subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/rww.c,v 1.36.2.2 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/rww.c,v 1.36.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -162,7 +162,7 @@
 	struct berval	nrdn;
 
 	Attribute	*a;
-	char 		buf[] = "+9223372036854775807L";
+	char 		buf[LDAP_PVT_INTTYPE_CHARS(long)];
 	long		num = 0;
 	ber_len_t	len;
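Review bot: `buf` loses its initializer with this change, so its contents are indeterminate and not NUL-terminated until something writes to it. The old string literal both sized and filled the array; with `char buf[LDAP_PVT_INTTYPE_CHARS(long)];` every path has to format into `buf` before it is read, and that write should be bounded, e.g. `snprintf( buf, sizeof( buf ), "%ld", num )` with the result checked against `sizeof( buf )`. The code that fills and reads `buf` lies outside the hunk, so this is a request to verify rather than a confirmed defect.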
 

Modified: openldap/trunk/servers/slapd/back-monitor/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - monitor backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/search.c,v 1.39.2.4 2007/08/31 23:14:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/search.c,v 1.39.2.5 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/sent.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/sent.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/sent.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* sent.c - deal with data sent subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/sent.c,v 1.42.2.3 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/sent.c,v 1.42.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-monitor/thread.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/thread.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/thread.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* thread.c - deal with thread subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/thread.c,v 1.38.2.5 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/thread.c,v 1.38.2.7 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -260,6 +260,7 @@
 				ber_bvarray_free( a->a_vals );
 				a->a_vals = NULL;
 				a->a_nvals = NULL;
+				a->a_numvals = 0;
 			}
 
 			i = 0;
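Review bot: The reset that the new `a->a_numvals = 0;` completes sets `a->a_nvals = NULL` after `ber_bvarray_free( a->a_vals )` without freeing `a_nvals` separately. That is leak-free only if `a_nvals` aliases `a_vals` for this attribute, which the hunk does not show. If it does, a comment such as `/* a_nvals aliases a_vals here, so one free releases both */` would make the three-field reset auditable. The identical reset is repeated in the following hunk (`@@ -292,6 +293,7 @@`), so the same comment applies there.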
@@ -292,6 +293,7 @@
 				ber_bvarray_free( a->a_vals );
 				a->a_vals = NULL;
 				a->a_nvals = NULL;
+				a->a_numvals = 0;
 			}
 	
 			i = 0;

Modified: openldap/trunk/servers/slapd/back-monitor/time.c
===================================================================
--- openldap/trunk/servers/slapd/back-monitor/time.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-monitor/time.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* time.c - deal with time subsystem */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/time.c,v 1.37.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/time.c,v 1.37.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * Portions Copyright 2001-2003 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-null/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-null/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-null/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-null
-# $OpenLDAP: pkg/ldap/servers/slapd/back-null/Makefile.in,v 1.9.2.2 2007/08/31 23:14:04 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-null/Makefile.in,v 1.9.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-null/null.c
===================================================================
--- openldap/trunk/servers/slapd/back-null/null.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-null/null.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* null.c - the null backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-null/null.c,v 1.18.2.3 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-null/null.c,v 1.18.2.5 2008/02/12 00:58:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -70,7 +70,8 @@
 
 
 /* for overlays */
-int null_back_entry_get(
+static int
+null_back_entry_get(
 	Operation *op,
 	struct berval *ndn,
 	ObjectClass *oc,
@@ -78,8 +79,10 @@
 	int rw,
 	Entry **ent )
 {
-	*ent = NULL;
-	return 1;
+	assert( *ent == NULL );
+
+	/* don't admit the object isn't there */
+	return oc || at ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_BUSY;
 }
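Review bot: Replacing `*ent = NULL;` with `assert( *ent == NULL );` means a build with `NDEBUG` no longer guarantees that the out-parameter is NULL on return. A caller that passes an uninitialised `Entry *` and does not check the return code would then carry a stray pointer; keeping the store next to the assertion, `assert( *ent == NULL ); *ent = NULL;`, costs nothing. The return expression relies on `||` binding tighter than `?:`, so `return ( oc || at ) ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_BUSY;` would be easier to read. The function's signature begins in the previous hunk.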
 
 

Modified: openldap/trunk/servers/slapd/back-passwd/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-passwd
-# $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/Makefile.in,v 1.20.2.2 2007/08/31 23:14:04 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/Makefile.in,v 1.20.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-passwd/back-passwd.h
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/back-passwd.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/back-passwd.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/back-passwd.h,v 1.7.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/back-passwd.h,v 1.7.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-passwd/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - passwd backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/config.c,v 1.14.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/config.c,v 1.14.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-passwd/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize passwd backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/init.c,v 1.32.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/init.c,v 1.32.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-passwd/proto-passwd.h
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/proto-passwd.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/proto-passwd.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/proto-passwd.h,v 1.5.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/proto-passwd.h,v 1.5.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-passwd/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-passwd/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-passwd/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - /etc/passwd backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/search.c,v 1.79.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-passwd/search.c,v 1.79.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-perl/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-perl/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-perl
-# $OpenLDAP: pkg/ldap/servers/slapd/back-perl/Makefile.in,v 1.20.2.2 2007/08/31 23:14:04 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-perl/Makefile.in,v 1.20.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## Portions Copyright 1999 John C. Quillan.
 ## All rights reserved.
 ##

Modified: openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm
===================================================================
--- openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # This is a sample Perl module for the OpenLDAP server slapd.
-# $OpenLDAP: pkg/ldap/servers/slapd/back-perl/SampleLDAP.pm,v 1.10.2.2 2007/08/31 23:14:04 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-perl/SampleLDAP.pm,v 1.10.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## Portions Copyright 1999 John C. Quillan.
 ## All rights reserved.
 ##

Modified: openldap/trunk/servers/slapd/back-perl/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/add.c,v 1.20.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/add.c,v 1.20.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/asperl_undefs.h
===================================================================
--- openldap/trunk/servers/slapd/back-perl/asperl_undefs.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/asperl_undefs.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/asperl_undefs.h,v 1.7.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/asperl_undefs.h,v 1.7.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-perl/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/bind.c,v 1.24.2.3 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/bind.c,v 1.24.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/close.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/close.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/close.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/close.c,v 1.17.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/close.c,v 1.17.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/compare.c,v 1.26.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/compare.c,v 1.26.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/config.c,v 1.22.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/config.c,v 1.22.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/delete.c,v 1.20.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/delete.c,v 1.20.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/init.c,v 1.44.2.3 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/init.c,v 1.44.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/modify.c,v 1.23.2.3 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/modify.c,v 1.23.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/modrdn.c,v 1.22.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/modrdn.c,v 1.22.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/perl_back.h
===================================================================
--- openldap/trunk/servers/slapd/back-perl/perl_back.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/perl_back.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/perl_back.h,v 1.15.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/perl_back.h,v 1.15.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/proto-perl.h
===================================================================
--- openldap/trunk/servers/slapd/back-perl/proto-perl.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/proto-perl.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/proto-perl.h,v 1.5.2.3 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/proto-perl.h,v 1.5.2.4 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-perl/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-perl/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-perl/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/search.c,v 1.31.2.2 2007/08/31 23:14:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-perl/search.c,v 1.31.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 John C. Quillan.
  * Portions Copyright 2002 myinternet Limited.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-relay/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-relay/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-relay/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-relay
-# $OpenLDAP: pkg/ldap/servers/slapd/back-relay/Makefile.in,v 1.5.2.2 2007/08/31 23:14:04 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-relay/Makefile.in,v 1.5.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-relay/back-relay.h
===================================================================
--- openldap/trunk/servers/slapd/back-relay/back-relay.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-relay/back-relay.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
 /* back-relay.h - relay backend header file */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/back-relay.h,v 1.6.2.3 2008/02/12 01:03:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-relay/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-relay/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-relay/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
 /* init.c - initialize relay backend */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/init.c,v 1.19.2.4 2008/02/12 01:03:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-relay/op.c
===================================================================
--- openldap/trunk/servers/slapd/back-relay/op.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-relay/op.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
 /* op.c - relay backend operations */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/op.c,v 1.15.2.6 2008/02/12 01:03:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -25,6 +26,17 @@
 #include "slap.h"
 #include "back-relay.h"
 
+#define	RB_ERR_MASK		(0x0000FFFFU)
+#define RB_ERR			(0x10000000U)
+#define RB_UNSUPPORTED_FLAG	(0x20000000U)
+#define RB_REFERRAL		(0x40000000U)
+#define RB_SEND			(0x80000000U)
+#define RB_UNSUPPORTED		(LDAP_UNWILLING_TO_PERFORM|RB_ERR|RB_UNSUPPORTED_FLAG)
+#define	RB_UNSUPPORTED_SEND	(RB_UNSUPPORTED|RB_SEND)
+#define	RB_REFERRAL_SEND	(RB_REFERRAL|RB_SEND)
+#define	RB_ERR_SEND		(RB_ERR|RB_SEND)
+#define	RB_ERR_REFERRAL_SEND	(RB_ERR|RB_REFERRAL|RB_SEND)
+
 static int
 relay_back_swap_bd( Operation *op, SlapReply *rs )
 {
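Review bot: The RB_* constants added here have no comment explaining how a `fail_mode` value is laid out, although every caller further down depends on it. Going by the definitions, the low 16 bits (`RB_ERR_MASK`) hold the LDAP result code and the four top bits are behaviour flags. I would state that above the block, e.g. `/* fail_mode = LDAP result code in the low 16 bits (RB_ERR_MASK) | RB_* behaviour flags in the top bits */`. `RB_REFERRAL_SEND` is not used in any hunk shown here, so it may be dead unless code outside the diff refers to it. The `#define` lines also mix a tab and a space after the keyword.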
@@ -37,451 +49,302 @@
 	return SLAP_CB_CONTINUE;
 }
 
-static void
-relay_back_add_cb( slap_callback *cb, Operation *op )
-{
-	cb->sc_next = op->o_callback;
-	cb->sc_response = relay_back_swap_bd;
-	cb->sc_cleanup = relay_back_swap_bd;
-	cb->sc_private = op->o_bd;
-	op->o_callback = cb;
-}
+#define relay_back_add_cb( cb, op ) \
+	{						\
+		(cb)->sc_next = (op)->o_callback;	\
+		(cb)->sc_response = relay_back_swap_bd;	\
+		(cb)->sc_cleanup = relay_back_swap_bd;	\
+		(cb)->sc_private = (op)->o_bd;		\
+		(op)->o_callback = (cb);		\
+	}
 
 /*
  * selects the backend if not enforced at config;
  * in case of failure, behaves based on err:
  *	-1			don't send result
- *	LDAP_SUCCESS		don't send result; may send referral
- *	any valid error 	send as error result
+ *	LDAP_SUCCESS		don't send result; may send referral if dosend
+ *	any valid error 	send as error result if dosend
  */
 static BackendDB *
-relay_back_select_backend( Operation *op, SlapReply *rs, int err, int dosend )
+relay_back_select_backend( Operation *op, SlapReply *rs, slap_mask_t fail_mode )
 {
 	relay_back_info		*ri = (relay_back_info *)op->o_bd->be_private;
 	BackendDB		*bd = ri->ri_bd;
+	int			rc = ( fail_mode & RB_ERR_MASK );
 
 	if ( bd == NULL && !BER_BVISNULL( &op->o_req_ndn ) ) {
 		bd = select_backend( &op->o_req_ndn, 1 );
 		if ( bd == op->o_bd ) {
-			if ( err > LDAP_SUCCESS && dosend ) {
-				send_ldap_error( op, rs,
-						LDAP_UNWILLING_TO_PERFORM, 
-						"back-relay would call self" );
+			Debug( LDAP_DEBUG_ANY,
+				"%s: back-relay for DN=\"%s\" would call self.\n",
+				op->o_log_prefix, op->o_req_dn.bv_val, 0 );
+			if ( fail_mode & RB_ERR ) {
+				rs->sr_err = rc;
+				if ( fail_mode & RB_SEND ) {
+					send_ldap_result( op, rs );
+				}
 			}
+
 			return NULL;
 		}
 	}
 
-	if ( bd == NULL && err > -1 ) {
-		if ( default_referral ) {
+	if ( bd == NULL ) {
+		if ( ( fail_mode & RB_REFERRAL )
+			&& ( fail_mode & RB_SEND )
+			&& !BER_BVISNULL( &op->o_req_ndn )
+			&& default_referral )
+		{
 			rs->sr_err = LDAP_REFERRAL;
-			if ( dosend ) {
-				rs->sr_ref = referral_rewrite(
-					default_referral,
-					NULL, &op->o_req_dn,
-					LDAP_SCOPE_DEFAULT );
-				if ( !rs->sr_ref ) {
-					rs->sr_ref = default_referral;
-				}
 
-				send_ldap_result( op, rs );
-
-				if ( rs->sr_ref != default_referral ) {
-					ber_bvarray_free( rs->sr_ref );
-				}
+			/* if we set sr_err to LDAP_REFERRAL,
+			 * we must provide one */
+			rs->sr_ref = referral_rewrite(
+				default_referral,
+				NULL, &op->o_req_dn,
+				LDAP_SCOPE_DEFAULT );
+			if ( !rs->sr_ref ) {
+				rs->sr_ref = default_referral;
 			}
 
-		} else {
-			/* NOTE: err is LDAP_INVALID_CREDENTIALS for bind,
-			 * LDAP_NO_SUCH_OBJECT for other operations.
-			 * noSuchObject cannot be returned by bind */
-			rs->sr_err = err;
-			if ( dosend ) {
-				send_ldap_result( op, rs );
+			send_ldap_result( op, rs );
+
+			if ( rs->sr_ref != default_referral ) {
+				ber_bvarray_free( rs->sr_ref );
 			}
+
+			return NULL;
 		}
+
+		/* NOTE: err is LDAP_INVALID_CREDENTIALS for bind,
+		 * LDAP_NO_SUCH_OBJECT for other operations.
+		 * noSuchObject cannot be returned by bind */
+		rs->sr_err = rc;
+		if ( fail_mode & RB_SEND ) {
+			send_ldap_result( op, rs );
+		}
 	}
 
 	return bd;
 }
 
-int
-relay_back_op_bind( Operation *op, SlapReply *rs )
+static int
+relay_back_op(
+	Operation	*op,
+	SlapReply	*rs,
+	BackendDB	*bd,
+	BI_op_func	*func,
+	slap_mask_t	fail_mode )
 {
-	BackendDB		*bd;
-	int			rc = 1;
+	int			rc = ( fail_mode & RB_ERR_MASK );
 
-	/* allow rootdn as a means to auth without the need to actually
- 	 * contact the proxied DSA */
-	switch ( be_rootdn_bind( op, rs ) ) {
-	case SLAP_CB_CONTINUE:
-		break;
-
-	default:
-		return rs->sr_err;
-	}
-
-	bd = relay_back_select_backend( op, rs, LDAP_INVALID_CREDENTIALS, 1 );
-	if ( bd == NULL ) {
-		return rc;
-	}
-
-	if ( bd->be_bind ) {
+	if ( func ) {
 		BackendDB	*be = op->o_bd;
 		slap_callback	cb;
 
 		relay_back_add_cb( &cb, op );
 
 		op->o_bd = bd;
-		rc = bd->be_bind( op, rs );
+		rc = func( op, rs );
 		op->o_bd = be;
 
 		if ( op->o_callback == &cb ) {
 			op->o_callback = op->o_callback->sc_next;
 		}
 
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
+	} else if ( fail_mode & RB_ERR ) {
+		rs->sr_err = rc;
+		if ( fail_mode & RB_UNSUPPORTED_FLAG ) {
+			rs->sr_text = "operation not supported within naming context";
+		}
+
+		if ( fail_mode & RB_SEND ) {
+			send_ldap_result( op, rs );
+		}
 	}
 
 	return rc;
 }
 
 int
-relay_back_op_unbind( Operation *op, SlapReply *rs )
+relay_back_op_bind( Operation *op, SlapReply *rs )
 {
-	BackendDB		*bd;
-	int			rc = 1;
+	BackendDB	*bd;
 
-	bd = relay_back_select_backend( op, rs, LDAP_SUCCESS, 0 );
+	/* allow rootdn as a means to auth without the need to actually
+ 	 * contact the proxied DSA */
+	switch ( be_rootdn_bind( op, rs ) ) {
+	case SLAP_CB_CONTINUE:
+		break;
+
+	default:
+		return rs->sr_err;
+	}
+
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_INVALID_CREDENTIALS | RB_ERR_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd && bd->be_unbind ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
+	return relay_back_op( op, rs, bd, bd->be_bind,
+		( LDAP_INVALID_CREDENTIALS | RB_ERR_SEND ) );
+}
 
-		relay_back_add_cb( &cb, op );
+int
+relay_back_op_unbind( Operation *op, SlapReply *rs )
+{
+	BackendDB		*bd;
 
-		op->o_bd = bd;
-		rc = bd->be_unbind( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
+	bd = relay_back_select_backend( op, rs, 0 );
+	if ( bd != NULL ) {
+		(void)relay_back_op( op, rs, bd, bd->be_unbind, 0 );
 	}
 
 	return 0;
-
 }
 
 int
 relay_back_op_search( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_search ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_search( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_search,
+		RB_UNSUPPORTED_SEND );
 }
 
 int
 relay_back_op_compare( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_compare ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_compare( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_compare,
+		( SLAP_CB_CONTINUE | RB_ERR ) );
 }
 
 int
 relay_back_op_modify( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_modify ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_modify( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_modify,
+		RB_UNSUPPORTED_SEND );
 }
 
 int
 relay_back_op_modrdn( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_modrdn ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_modrdn( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_modrdn,
+		RB_UNSUPPORTED_SEND );
 }
 
 int
 relay_back_op_add( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_add ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_add( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_add,
+		RB_UNSUPPORTED_SEND );
 }
 
 int
 relay_back_op_delete( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR_REFERRAL_SEND ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_delete ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_delete( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_delete,
+		RB_UNSUPPORTED_SEND );
 }
 
 int
 relay_back_op_abandon( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_SUCCESS, 0 );
+	bd = relay_back_select_backend( op, rs, 0 );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_abandon ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_abandon( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_abandon, 0 );
 }
 
 int
 relay_back_op_cancel( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
+	int			rc;
 
-	bd = relay_back_select_backend( op, rs, LDAP_CANNOT_CANCEL, 0 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_CANNOT_CANCEL | RB_ERR ) );
 	if ( bd == NULL ) {
-		return 1;
+		if ( op->o_cancel == SLAP_CANCEL_REQ ) {
+			op->o_cancel = LDAP_CANNOT_CANCEL;
+		}
+		return rs->sr_err;
 	}
 
-	if ( bd->be_cancel ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_cancel( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
+	rc = relay_back_op( op, rs, bd, bd->be_cancel,
+		( LDAP_CANNOT_CANCEL | RB_ERR ) );
+	if ( rc == LDAP_CANNOT_CANCEL && op->o_cancel == SLAP_CANCEL_REQ )
+	{
+		op->o_cancel = LDAP_CANNOT_CANCEL;
 	}
 
 	return rc;
-
 }
 
 int
 relay_back_op_extended( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_NO_SUCH_OBJECT, 0 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_NO_SUCH_OBJECT | RB_ERR | RB_REFERRAL ) );
 	if ( bd == NULL ) {
-		return 1;
+		return rs->sr_err;
 	}
 
-	if ( bd->be_extended ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_extended( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
-	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-				"operation not supported "
-				"within naming context" );
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_extended,
+		RB_UNSUPPORTED );
 }
 
 int
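Review bot: In relay_back_select_backend the "would call self" branch assigns `rs->sr_err` only when `fail_mode & RB_ERR` is set, yet relay_back_op_abandon calls it with `0` and then does `return rs->sr_err;` on NULL, so it returns whatever was left in the reply. The `bd == NULL` path further down assigns `rs->sr_err = rc;` unconditionally; moving `rs->sr_err = rc;` above `if ( fail_mode & RB_ERR )` in the self-call branch would make the two failure paths agree. The header comment still lists `-1 don't send result` and `dosend`, neither of which exists now that the parameter is `slap_mask_t fail_mode`. Separately, `relay_back_add_cb` is now a bare `{ ... }` macro; wrapping it in `do { ... } while ( 0 )` keeps `relay_back_add_cb( &cb, op );` safe inside an unbraced if/else.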
@@ -550,9 +413,9 @@
 relay_back_chk_referrals( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 0;
 
-	bd = relay_back_select_backend( op, rs, LDAP_SUCCESS, 1 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_SUCCESS | RB_ERR_REFERRAL_SEND ) );
 	/* FIXME: this test only works if there are no overlays, so
 	 * it is nearly useless; if made stricter, no nested back-relays
 	 * can be instantiated... too bad. */
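Review bot: Passing `LDAP_SUCCESS | RB_ERR_REFERRAL_SEND` sets both RB_ERR and RB_SEND. In relay_back_select_backend, shown earlier in this diff, the "would call self" branch then stores `rs->sr_err = LDAP_SUCCESS` and calls send_ldap_result(), where the removed code skipped the send unless `err > LDAP_SUCCESS`. That also disagrees with the function's header comment (`LDAP_SUCCESS  don't send result`). If a success result from the referral check is not intended, `( LDAP_SUCCESS | RB_REFERRAL_SEND )` would avoid the send in that branch. Please confirm against the rest of relay_back_chk_referrals, which continues outside this hunk.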
@@ -569,32 +432,16 @@
 		}
 	}
 
-	if ( bd->be_chk_referrals ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_chk_referrals( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_chk_referrals, LDAP_SUCCESS );
 }
 
 int
 relay_back_operational( Operation *op, SlapReply *rs )
 {
 	BackendDB		*bd;
-	int			rc = 1;
 
-	bd = relay_back_select_backend( op, rs, LDAP_SUCCESS, 0 );
+	bd = relay_back_select_backend( op, rs,
+		( LDAP_SUCCESS | RB_ERR ) );
 	/* FIXME: this test only works if there are no overlays, so
 	 * it is nearly useless; if made stricter, no nested back-relays
 	 * can be instantiated... too bad. */
@@ -602,23 +449,7 @@
 		return 0;
 	}
 
-	if ( bd->be_operational ) {
-		BackendDB	*be = op->o_bd;
-		slap_callback	cb;
-
-		relay_back_add_cb( &cb, op );
-
-		op->o_bd = bd;
-		rc = bd->be_operational( op, rs );
-		op->o_bd = be;
-
-		if ( op->o_callback == &cb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-	}
-
-	return rc;
-
+	return relay_back_op( op, rs, bd, bd->be_operational, 0 );
 }
 
 int
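Review bot: With a `fail_mode` of `0`, relay_back_op returns `fail_mode & RB_ERR_MASK`, i.e. 0, when `bd->be_operational` is NULL, whereas the removed code returned its initial `rc = 1` in that case. If the new return value is deliberate, a short comment on the call would record it, e.g. `/* no be_operational hook: nothing to add, report 0 */`. The call in relay_back_chk_referrals spells the same value `LDAP_SUCCESS`; using one spelling in both places would read more consistently.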
@@ -628,7 +459,8 @@
 	BackendDB		*bd;
 	int			rc = 1;
 
-	bd = relay_back_select_backend( op, &rs, LDAP_SUCCESS, 0 );
+	bd = relay_back_select_backend( op, &rs,
+		( LDAP_SUCCESS | RB_ERR ) );
 	/* FIXME: this test only works if there are no overlays, so
 	 * it is nearly useless; if made stricter, no nested back-relays
 	 * can be instantiated... too bad. */

Modified: openldap/trunk/servers/slapd/back-relay/proto-back-relay.h
===================================================================
--- openldap/trunk/servers/slapd/back-relay/proto-back-relay.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-relay/proto-back-relay.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,8 @@
+/* proto-back-relay.h - relay backend header file */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/proto-back-relay.h,v 1.6.2.4 2008/02/12 01:03:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/back-shell/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-shell/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-shell
-# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/Makefile.in,v 1.22.2.2 2007/08/31 23:14:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/Makefile.in,v 1.22.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* add.c - shell backend add function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/add.c,v 1.27.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/add.c,v 1.27.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - shell backend bind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/bind.c,v 1.27.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/bind.c,v 1.27.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* compare.c - shell backend compare function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/compare.c,v 1.28.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/compare.c,v 1.28.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - shell backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/config.c,v 1.18.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/config.c,v 1.18.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* delete.c - shell backend delete function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/delete.c,v 1.26.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/delete.c,v 1.26.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/fork.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/fork.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/fork.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* fork.c - fork and exec a process, connecting stdin/out w/pipes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/fork.c,v 1.18.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/fork.c,v 1.18.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize shell backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/init.c,v 1.37.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/init.c,v 1.37.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modify.c - shell backend modify function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/modify.c,v 1.33.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/modify.c,v 1.33.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* modrdn.c - shell backend modrdn function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/modrdn.c,v 1.28.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/modrdn.c,v 1.28.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/proto-shell.h
===================================================================
--- openldap/trunk/servers/slapd/back-shell/proto-shell.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/proto-shell.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/proto-shell.h,v 1.4.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/proto-shell.h,v 1.4.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/result.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/result.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/result.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* result.c - shell backend result reading function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/result.c,v 1.23.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/result.c,v 1.23.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* search.c - shell backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/search.c,v 1.29.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/search.c,v 1.29.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/searchexample.conf
===================================================================
--- openldap/trunk/servers/slapd/back-shell/searchexample.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/searchexample.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/searchexample.conf,v 1.10.2.2 2007/08/31 23:14:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/searchexample.conf,v 1.10.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/searchexample.sh
===================================================================
--- openldap/trunk/servers/slapd/back-shell/searchexample.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/searchexample.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/searchexample.sh,v 1.9.2.2 2007/08/31 23:14:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-shell/searchexample.sh,v 1.9.2.3 2008/02/11 23:26:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/shell.h
===================================================================
--- openldap/trunk/servers/slapd/back-shell/shell.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/shell.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* shell.h - shell backend header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/shell.h,v 1.24.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/shell.h,v 1.24.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-shell/unbind.c
===================================================================
--- openldap/trunk/servers/slapd/back-shell/unbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-shell/unbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* unbind.c - shell backend unbind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/unbind.c,v 1.23.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-shell/unbind.c,v 1.23.2.3 2008/02/11 23:26:47 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Copied: openldap/trunk/servers/slapd/back-sock (from rev 1127, openldap/vendor/openldap-2.4.9/servers/slapd/back-sock)

Modified: openldap/trunk/servers/slapd/back-sql/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/back-sql/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for back-sql
-# $OpenLDAP: pkg/ldap/servers/slapd/back-sql/Makefile.in,v 1.16.2.2 2007/08/31 23:14:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/back-sql/Makefile.in,v 1.16.2.3 2008/02/11 23:26:48 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/back-sql/add.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/add.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/add.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/add.c,v 1.50.2.4 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/add.c,v 1.50.2.6 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.
@@ -794,7 +794,7 @@
 		int		prc = LDAP_SUCCESS;
 		/* first parameter #, parameter order */
 		SQLUSMALLINT	pno, po;
-		char		logbuf[] = "val[18446744073709551615UL], id=18446744073709551615UL";
+		char		logbuf[ STRLENOF("val[], id=") + 2*LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 		
 		/*
 		 * Do not deal with the objectClass that is used
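Review bot: `logbuf` is now sized as `STRLENOF("val[], id=")` plus two `LDAP_PVT_INTTYPE_CHARS(unsigned long)`, which is only large enough if that macro covers the decimal digits and leaves room for the terminator. The macro is defined outside this page, and the code that fills `logbuf` is outside the hunk. The old initializer made the worst case visible and the new bound does not, so a comment is worth adding: `/* "val[N], id=N" with two unsigned longs; the NUL fits in the macro's slack */`. The write itself should be bounded as `snprintf( logbuf, sizeof( logbuf ), ... )` if it is not already. The same applies to `s[]` in schema-map.c and `keyvalbuf[]` in search.c.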

Modified: openldap/trunk/servers/slapd/back-sql/api.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/api.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/api.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/back-sql.h
===================================================================
--- openldap/trunk/servers/slapd/back-sql/back-sql.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/back-sql.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/back-sql.h,v 1.49.2.3 2007/11/27 19:45:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/back-sql.h,v 1.49.2.4 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Mararati.
  * Portions Copyright 2004 Mark Adamson.

Modified: openldap/trunk/servers/slapd/back-sql/bind.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/bind.c,v 1.41.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/bind.c,v 1.41.2.3 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/compare.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/compare.c,v 1.24.2.4 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/compare.c,v 1.24.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/config.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/config.c,v 1.32.2.3 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/config.c,v 1.32.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.
@@ -540,8 +540,8 @@
 			0, 0 );
 
 	} else if ( !strcasecmp( argv[ 0 ], "fetch_attrs" ) ) {
-		char	*str, *s, *next;
-		char	delimstr[] = ",";
+		char		*str, *s, *next;
+		const char	*delimstr = ",";
 
 		if ( argc < 2 ) {
 			Debug( LDAP_DEBUG_TRACE,
@@ -761,10 +761,10 @@
 			"objectClass: extensibleObject\n"
 			"description: builtin baseObject for back-sql\n"
 			"description: all entries mapped "
-			"in the \"ldap_entries\" table\n"
-			"description: must have "
-			"\"" BACKSQL_BASEOBJECT_IDSTR "\" "
-			"in the \"parent\" column",
+				"in table \"ldap_entries\" "
+				"must have "
+				"\"" BACKSQL_BASEOBJECT_IDSTR "\" "
+				"in the \"parent\" column",
 			be->be_suffix[0].bv_val );
 
 	bi->sql_baseObject = str2entry( buf );

Modified: openldap/trunk/servers/slapd/back-sql/delete.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/delete.c,v 1.35.2.7 2007/11/27 19:45:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/delete.c,v 1.35.2.8 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/entry-id.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/entry-id.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/entry-id.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/entry-id.c,v 1.67.2.5 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/entry-id.c,v 1.67.2.6 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.

Modified: openldap/trunk/servers/slapd/back-sql/init.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/init.c,v 1.73.2.3 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/init.c,v 1.73.2.4 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/modify.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/modify.c,v 1.53.2.4 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/modify.c,v 1.53.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/modrdn.c,v 1.39.2.4 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/modrdn.c,v 1.39.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/operational.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/operational.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/operational.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/operational.c,v 1.21.2.4 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/operational.c,v 1.21.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/proto-sql.h
===================================================================
--- openldap/trunk/servers/slapd/back-sql/proto-sql.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/proto-sql.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Mararati.
  * All rights reserved.
@@ -235,7 +235,7 @@
  * util.c
  */
 
-extern char 
+extern const char 
 	backsql_def_oc_query[],
 	backsql_def_needs_select_oc_query[],
 	backsql_def_at_query[],
@@ -246,8 +246,7 @@
 	backsql_def_subtree_cond[],
 	backsql_def_upper_subtree_cond[],
 	backsql_id_query[],
-	backsql_def_concat_func[];
-extern char 
+	backsql_def_concat_func[],
 	backsql_check_dn_ru_query[];
 
 struct berbuf * backsql_strcat_x( struct berbuf *dest, void *memctx, ... );

Modified: openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile
===================================================================
--- openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-## Copyright 1997-2007 The OpenLDAP Foundation, All Rights Reserved.
+## Copyright 1997-2008 The OpenLDAP Foundation, All Rights Reserved.
 ##  COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 
 #

Modified: openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp
===================================================================
--- openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-// Copyright 1997-2007 The OpenLDAP Foundation, All Rights Reserved.
+// Copyright 1997-2008 The OpenLDAP Foundation, All Rights Reserved.
 //  COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 
 // (c) Copyright 1999-2001 TimesTen Performance Software. All rights reserved.

Modified: openldap/trunk/servers/slapd/back-sql/schema-map.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/schema-map.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/schema-map.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/schema-map.c,v 1.59.2.4 2007/11/15 22:13:38 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/schema-map.c,v 1.59.2.6 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.
@@ -189,7 +189,7 @@
 backsql_add_sysmaps( backsql_info *bi, backsql_oc_map_rec *oc_map )
 {
 	backsql_at_map_rec	*at_map;
-	char			s[] = "+9223372036854775807L";
+	char			s[LDAP_PVT_INTTYPE_CHARS(long)];
 	struct berval		sbv;
 	struct berbuf		bb;
 	
@@ -228,13 +228,11 @@
 
 	at_map->bam_add_proc = NULL;
 	{
-		char	tmp[] =
-			"INSERT INTO ldap_entry_objclasses "
+		char	tmp[STRLENOF("INSERT INTO ldap_entry_objclasses "
 			"(entry_id,oc_name) VALUES "
 			"((SELECT id FROM ldap_entries "
-			"WHERE oc_map_id="
-			"18446744073709551615UL "	/* 64 bit ULONG */
-			"AND keyval=?),?)";
+			"WHERE oc_map_id= "
+			"AND keyval=?),?)") + LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 		snprintf( tmp, sizeof(tmp), 
 			"INSERT INTO ldap_entry_objclasses "
 			"(entry_id,oc_name) VALUES "
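Review bot: The array bound for `tmp` repeats the statement text by hand, with `"WHERE oc_map_id= "` standing in for the formatted id, while the real format string is passed separately to `snprintf` just below, so the two copies can drift apart. Because the call is bounded by `sizeof(tmp)`, a mismatch would not overflow but would silently truncate the SQL text, and the visible lines do not test the return value. Defining the format once in a `#define` used both inside `STRLENOF(...)` and in the call, plus a check that the result is below `sizeof(tmp)`, would close that gap. The DELETE statement in the next hunk (`@@ -246,12 +244,10 @@`) has the same shape. Both `snprintf` calls continue outside their hunks.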
@@ -246,12 +244,10 @@
 
 	at_map->bam_delete_proc = NULL;
 	{
-		char	tmp[] =
-			"DELETE FROM ldap_entry_objclasses "
+		char	tmp[STRLENOF("DELETE FROM ldap_entry_objclasses "
 			"WHERE entry_id=(SELECT id FROM ldap_entries "
-			"WHERE oc_map_id="
-			"18446744073709551615UL "	/* 64 bit ULONG */
-			"AND keyval=?) AND oc_name=?";
+			"WHERE oc_map_id= "
+			"AND keyval=?) AND oc_name=?") + LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 		snprintf( tmp, sizeof(tmp), 
 			"DELETE FROM ldap_entry_objclasses "
 			"WHERE entry_id=(SELECT id FROM ldap_entries "

Modified: openldap/trunk/servers/slapd/back-sql/search.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/search.c,v 1.117.2.6 2007/11/08 19:16:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/search.c,v 1.117.2.8 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.
@@ -864,7 +864,7 @@
 		struct berval	keyval;
 #else /* ! BACKSQL_ARBITRARY_KEY */
 		unsigned long	keyval;
-		char		keyvalbuf[] = "18446744073709551615";
+		char		keyvalbuf[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 #endif /* ! BACKSQL_ARBITRARY_KEY */
 
 		switch ( f->f_choice ) {

Modified: openldap/trunk/servers/slapd/back-sql/sql-wrap.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/sql-wrap.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/sql-wrap.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/sql-wrap.c,v 1.43.2.3 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/sql-wrap.c,v 1.43.2.5 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * Portions Copyright 2004 Mark Adamson.
@@ -519,7 +519,7 @@
 			data = (void *)dbh;
 			ldap_pvt_thread_pool_setkey( op->o_threadctx,
 					&backsql_db_conn_dummy, data,
-					backsql_db_conn_keyfree );
+					backsql_db_conn_keyfree, NULL, NULL );
 
 		} else {
 			bi->sql_dbh = dbh;

Modified: openldap/trunk/servers/slapd/back-sql/util.c
===================================================================
--- openldap/trunk/servers/slapd/back-sql/util.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/back-sql/util.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/util.c,v 1.45.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/util.c,v 1.45.2.4 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 Dmitry Kovalev.
  * Portions Copyright 2002 Pierangelo Masarati.
  * All rights reserved.
@@ -37,32 +37,32 @@
 
 #define BACKSQL_STR_GROW 256
 
-char backsql_def_oc_query[] = 
+const char backsql_def_oc_query[] = 
 	"SELECT id,name,keytbl,keycol,create_proc,delete_proc,expect_return "
 	"FROM ldap_oc_mappings";
-char backsql_def_needs_select_oc_query[] = 
+const char backsql_def_needs_select_oc_query[] = 
 	"SELECT id,name,keytbl,keycol,create_proc,create_keyval,delete_proc,"
 	"expect_return FROM ldap_oc_mappings";
-char backsql_def_at_query[] = 
+const char backsql_def_at_query[] = 
 	"SELECT name,sel_expr,from_tbls,join_where,add_proc,delete_proc,"
 	"param_order,expect_return,sel_expr_u FROM ldap_attr_mappings "
 	"WHERE oc_map_id=?";
-char backsql_def_delentry_stmt[] = "DELETE FROM ldap_entries WHERE id=?";
-char backsql_def_renentry_stmt[] =
+const char backsql_def_delentry_stmt[] = "DELETE FROM ldap_entries WHERE id=?";
+const char backsql_def_renentry_stmt[] =
 	"UPDATE ldap_entries SET dn=?,parent=?,keyval=? WHERE id=?";
-char backsql_def_insentry_stmt[] = 
+const char backsql_def_insentry_stmt[] = 
 	"INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) "
 	"VALUES (?,?,?,?)";
-char backsql_def_delobjclasses_stmt[] = "DELETE FROM ldap_entry_objclasses "
+const char backsql_def_delobjclasses_stmt[] = "DELETE FROM ldap_entry_objclasses "
 	"WHERE entry_id=?";
-char backsql_def_subtree_cond[] = "ldap_entries.dn LIKE CONCAT('%',?)";
-char backsql_def_upper_subtree_cond[] = "(ldap_entries.dn) LIKE CONCAT('%',?)";
-char backsql_id_query[] = "SELECT id,keyval,oc_map_id,dn FROM ldap_entries WHERE ";
+const char backsql_def_subtree_cond[] = "ldap_entries.dn LIKE CONCAT('%',?)";
+const char backsql_def_upper_subtree_cond[] = "(ldap_entries.dn) LIKE CONCAT('%',?)";
+const char backsql_id_query[] = "SELECT id,keyval,oc_map_id,dn FROM ldap_entries WHERE ";
 /* better ?||? or cast(?||? as varchar) */ 
-char backsql_def_concat_func[] = "CONCAT(?,?)";
+const char backsql_def_concat_func[] = "CONCAT(?,?)";
 
 /* TimesTen */
-char backsql_check_dn_ru_query[] = "SELECT dn_ru FROM ldap_entries";
+const char backsql_check_dn_ru_query[] = "SELECT dn_ru FROM ldap_entries";
 
 struct berbuf *
 backsql_strcat_x( struct berbuf *dest, void *memctx, ... )

Modified: openldap/trunk/servers/slapd/backend.c
===================================================================
--- openldap/trunk/servers/slapd/backend.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/backend.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* backend.c - routines for dealing with back-end databases */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backend.c,v 1.362.2.7 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backend.c,v 1.362.2.17 2008/04/24 08:13:39 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -269,7 +269,7 @@
 
 	/* open frontend, if required */
 	if ( frontendDB->bd_info->bi_db_open ) {
-		rc = frontendDB->bd_info->bi_db_open( frontendDB, NULL );
+		rc = frontendDB->bd_info->bi_db_open( frontendDB, &cr );
 		if ( rc != 0 ) {
 			Debug( LDAP_DEBUG_ANY,
 				"backend_startup: bi_db_open(frontend) failed! (%d)\n",
@@ -585,6 +585,7 @@
 	}
 
 	be->bd_info = bi;
+	be->bd_self = be;
 
 	be->be_def_limit = frontendDB->be_def_limit;
 	be->be_dfltaccess = frontendDB->be_dfltaccess;
@@ -783,7 +784,7 @@
  * checks if binding as rootdn
  *
  * return value:
- *	SLAP_CB_CONTINUE		if not the rootdn
+ *	SLAP_CB_CONTINUE		if not the rootdn, or if rootpw is null
  *	LDAP_SUCCESS			if rootdn & rootpw
  *	LDAP_INVALID_CREDENTIALS	if rootdn & !rootpw
  *
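Review bot: After this edit the return-value table contradicts itself. The new first line says `SLAP_CB_CONTINUE` is returned "if rootpw is null", while the unchanged third line still gives `LDAP_INVALID_CREDENTIALS` for `rootdn & !rootpw`, which reads as "rootdn and no rootpw". Judging by the `lutil_passwd()` result mapping further down, the third line presumably means a password mismatch, so `LDAP_INVALID_CREDENTIALS	if rootdn & rootpw does not match` would remove the ambiguity. This table is the only visible statement of when a rootdn bind is handed on rather than decided here, so it should be exact. The comment block starts and ends outside the hunk.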
@@ -795,6 +796,9 @@
 be_rootdn_bind( Operation *op, SlapReply *rs )
 {
 	int		rc;
+#ifdef SLAPD_SPASSWD
+	void	*old_authctx = NULL;
+#endif
 
 	assert( op->o_tag == LDAP_REQ_BIND );
 	assert( op->orb_method == LDAP_AUTH_SIMPLE );
@@ -819,14 +823,15 @@
 	}
 
 #ifdef SLAPD_SPASSWD
-	ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
-		op->o_conn->c_sasl_authctx, NULL );
+	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
+		op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
 #endif
 
 	rc = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
 
 #ifdef SLAPD_SPASSWD
-	ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind, NULL, NULL );
+	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
+		old_authctx, 0, NULL, NULL );
 #endif
 
 	rc = ( rc == 0 ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS );
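Review bot: Both `ldap_pvt_thread_pool_setkey()` calls around `lutil_passwd()` discard their result, and the last line maps any non-zero `rc` to `LDAP_INVALID_CREDENTIALS`. If installing the key can fail, a rootdn bind whose stored password needs the SASL context would presumably be rejected as bad credentials with nothing logged. Checking the first call and emitting a `Debug()` line on failure would make that case diagnosable. The save and restore also deserves a comment above the first call, e.g. `/* lend this connection's SASL context to the password check, then put the previous value back */`.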
@@ -1345,9 +1350,19 @@
 	int rc;
 	GroupAssertion *g;
 	Backend *be = op->o_bd;
+	OpExtra		*oex;
 
-	op->o_bd = select_backend( gr_ndn, 0 );
+	LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
+		if ( oex->oe_key == (void *)backend_group )
+			break;
+	}
 
+	if ( oex && ((OpExtraDB *)oex)->oe_db )
+		op->o_bd = ((OpExtraDB *)oex)->oe_db;
+
+	if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
+		op->o_bd = select_backend( gr_ndn, 0 );
+
 	for ( g = op->o_groups; g; g = g->ga_next ) {
 		if ( g->ga_be != op->o_bd || g->ga_oc != group_oc ||
 			g->ga_at != group_at || g->ga_len != gr_ndn->bv_len )
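Review bot: The `LDAP_SLIST_FOREACH` lookup followed by the `(OpExtraDB *)oex` downcast is written out three times with only the key changed: here, in the hunk keyed on `backend_attribute` (`@@ -1582,9 +1603,19 @@`), and in the two hunks keyed on `backend_operational`. One static helper would keep the copies from diverging. The downcast is valid only while `oe` is the first member of `OpExtraDB`, which this page does not show, so the helper is also the natural place to state that. Each caller then becomes `db = op_extra_db( op, (void *)backend_group ); if ( db ) op->o_bd = db;`. The enclosing function starts and ends outside the hunk.

```c
/* Return the database a wrapper recorded in op->o_extra under `key`,
 * or NULL when no such record exists. */
static BackendDB *
op_extra_db( Operation *op, void *key )
{
	OpExtra	*oex;

	LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) {
		if ( oex->oe_key == key )
			/* relies on oe being the first member of OpExtraDB */
			return ((OpExtraDB *)oex)->oe_db;
	}
	return NULL;
}
```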
@@ -1552,17 +1567,23 @@
 	AttributeDescription *group_at )
 {
 	int			rc;
-	BackendDB		*be_orig;
+	BackendDB *be_orig;
+	OpExtraDB	oex;
 
 	if ( op->o_abandon ) {
 		return SLAPD_ABANDON;
 	}
 
+	oex.oe_db = op->o_bd;
+	oex.oe.oe_key = (void *)backend_group;
+	LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
+
 	be_orig = op->o_bd;
 	op->o_bd = frontendDB;
 	rc = frontendDB->be_group( op, target, gr_ndn,
 		op_ndn, group_oc, group_at );
 	op->o_bd = be_orig;
+	LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
 
 	return rc;
 }
@@ -1582,9 +1603,19 @@
 	int			freeattr = 0, i, j, rc = LDAP_SUCCESS;
 	AccessControlState	acl_state = ACL_STATE_INIT;
 	Backend			*be = op->o_bd;
+	OpExtra		*oex;
 
-	op->o_bd = select_backend( edn, 0 );
+	LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
+		if ( oex->oe_key == (void *)backend_attribute )
+			break;
+	}
 
+	if ( oex && ((OpExtraDB *)oex)->oe_db )
+		op->o_bd = ((OpExtraDB *)oex)->oe_db;
+
+	if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
+		op->o_bd = select_backend( edn, 0 );
+
 	if ( target && dn_match( &target->e_nname, edn ) ) {
 		e = target;
 
@@ -1702,13 +1733,19 @@
 	slap_access_t access )
 {
 	int			rc;
-	BackendDB		*be_orig;
+	BackendDB *be_orig;
+	OpExtraDB	oex;
 
+	oex.oe_db = op->o_bd;
+	oex.oe.oe_key = (void *)backend_attribute;
+	LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
+
 	be_orig = op->o_bd;
 	op->o_bd = frontendDB;
 	rc = frontendDB->be_attribute( op, target, edn,
 		entry_at, vals, access );
 	op->o_bd = be_orig;
+	LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
 
 	return rc;
 }
@@ -1734,7 +1771,9 @@
 	assert( edn != NULL );
 	assert( access > ACL_NONE );
 
-	op->o_bd = select_backend( edn, 0 );
+	if ( !op->o_bd ) {
+		op->o_bd = select_backend( edn, 0 );
+	}
 
 	if ( target && dn_match( &target->e_nname, edn ) ) {
 		e = target;
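Review bot: The guard added here is only `if ( !op->o_bd )`, whereas the sibling lookups changed in this commit re-select with `select_backend()` whenever the current database is not `SLAP_DBHIDDEN`. With this version the access evaluation for `edn` runs against whatever database the caller left in `op->o_bd`, even if `edn` belongs to another suffix. If that is intended, say so in a comment, e.g. `/* keep the caller's database; fall back to a suffix lookup only when none is set */`. Otherwise the condition should match the others: `if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))`. Whether `op->o_bd` is restored on return cannot be seen, because the function starts and ends outside the hunk.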
@@ -1826,8 +1865,15 @@
 	SlapReply *rs )
 {
 	Attribute		**ap;
-	int			rc = 0;
+	int			rc = LDAP_SUCCESS;
+	BackendDB		*be_orig = op->o_bd;
+	OpExtra		*oex;
 
+	LDAP_SLIST_FOREACH(oex, &op->o_extra, oe_next) {
+		if ( oex->oe_key == (void *)backend_operational )
+			break;
+	}
+
 	for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
 		/* just count them */ ;
 
@@ -1852,19 +1898,20 @@
 		ap = &(*ap)->a_next;
 	}
 
-	if ( op->o_bd != NULL ) {
-		BackendDB		*be_orig = op->o_bd;
+	/* Let the overlays have a chance at this */
+	if ( oex && ((OpExtraDB *)oex)->oe_db )
+		op->o_bd = ((OpExtraDB *)oex)->oe_db;
 
-		/* Let the overlays have a chance at this */
+	if ( !op->o_bd || !SLAP_DBHIDDEN( op->o_bd ))
 		op->o_bd = select_backend( &op->o_req_ndn, 0 );
-		if ( op->o_bd != NULL && !be_match( op->o_bd, frontendDB ) &&
-			( SLAP_OPATTRS( rs->sr_attr_flags ) || rs->sr_attrs ) &&
-			op->o_bd->be_operational != NULL )
-		{
-			rc = op->o_bd->be_operational( op, rs );
-		}
-		op->o_bd = be_orig;
+
+	if ( op->o_bd != NULL && !be_match( op->o_bd, frontendDB ) &&
+		( SLAP_OPATTRS( rs->sr_attr_flags ) || rs->sr_attrs ) &&
+		op->o_bd->be_operational != NULL )
+	{
+		rc = op->o_bd->be_operational( op, rs );
 	}
+	op->o_bd = be_orig;
 
 	return rc;
 }
@@ -1873,13 +1920,19 @@
 {
 	int rc;
 	BackendDB *be_orig;
+	OpExtraDB	oex;
 
+	oex.oe_db = op->o_bd;
+	oex.oe.oe_key = (void *)backend_operational;
+	LDAP_SLIST_INSERT_HEAD(&op->o_extra, &oex.oe, oe_next);
+
 	/* Moved this into the frontend so global overlays are called */
 
 	be_orig = op->o_bd;
 	op->o_bd = frontendDB;
 	rc = frontendDB->be_operational( op, rs );
 	op->o_bd = be_orig;
+	LDAP_SLIST_REMOVE(&op->o_extra, &oex.oe, OpExtra, oe_next);
 
 	return rc;
 }

Modified: openldap/trunk/servers/slapd/backglue.c
===================================================================
--- openldap/trunk/servers/slapd/backglue.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/backglue.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* backglue.c - backend glue */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backglue.c,v 1.112.2.8 2007/11/15 00:34:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backglue.c,v 1.112.2.11 2008/04/14 21:15:02 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -620,6 +620,7 @@
 	glueinfo		*gi = on->on_bi.bi_private;
 	static int glueOpened = 0;
 	int i, j, same, bsame = 0, rc = 0;
+	ConfigReply cr = {0};
 
 	if (glueOpened) return 0;
 
@@ -650,7 +651,7 @@
 					gi->gi_n[i].gn_be->bd_info );
 			/* Let backend.c take care of the rest of startup */
 			if ( !rc )
-				rc = backend_startup_one( gi->gi_n[i].gn_be, NULL );
+				rc = backend_startup_one( gi->gi_n[i].gn_be, &cr );
 			if ( rc ) break;
 		}
 		if ( !rc && !bsame && on->on_info->oi_orig->bi_open )
@@ -791,6 +792,49 @@
 	return rc;
 }
 
+static ID
+glue_tool_dn2id_get (
+	BackendDB *b0,
+	struct berval *dn
+)
+{
+	BackendDB *be, b2;
+	int rc = -1;
+
+	b2 = *b0;
+	b2.bd_info = (BackendInfo *)glue_tool_inst( b0->bd_info );
+	be = glue_back_select (&b2, dn);
+	if ( be == &b2 ) be = &toolDB;
+
+	if (!be->be_dn2id_get)
+		return NOID;
+
+	if (!glueBack) {
+		if ( be->be_entry_open ) {
+			rc = be->be_entry_open (be, glueMode);
+		}
+		if (rc != 0) {
+			return NOID;
+		}
+	} else if (be != glueBack) {
+		/* If this entry belongs in a different branch than the
+		 * previous one, close the current database and open the
+		 * new one.
+		 */
+		if ( glueBack->be_entry_close ) {
+			glueBack->be_entry_close (glueBack);
+		}
+		if ( be->be_entry_open ) {
+			rc = be->be_entry_open (be, glueMode);
+		}
+		if (rc != 0) {
+			return NOID;
+		}
+	}
+	glueBack = be;
+	return be->be_dn2id_get (be, dn);
+}
+
 static Entry *
 glue_tool_entry_get (
 	BackendDB *b0,
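Review bot: In the `else if (be != glueBack)` branch of `glue_tool_dn2id_get`, the previous database is closed before the new one is opened. When `be_entry_open` then fails, the function returns `NOID` with `glueBack` still pointing at the database it just closed. A later call that selects that same database sees `be == glueBack`, skips the open, and calls `be_dn2id_get` on it. Clearing the pointer right after the close with `glueBack = NULL;` would force the next call to reopen. Separately, `rc` starts at -1, so a backend without a `be_entry_open` hook always yields `NOID`; if that is intended it deserves a one-line comment.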
@@ -847,6 +891,19 @@
 	return be->be_entry_put (be, e, text);
 }
 
+static ID
+glue_tool_entry_modify (
+	BackendDB *b0,
+	Entry *e,
+	struct berval *text
+)
+{
+	if (!glueBack || !glueBack->be_entry_modify)
+		return NOID;
+
+	return glueBack->be_entry_modify (glueBack, e, text);
+}
+
 static int
 glue_tool_entry_reindex (
 	BackendDB *b0,
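Review bot: `glue_tool_entry_modify` ignores its `b0` argument and acts on the shared `glueBack`, so it only works after an earlier tool call has selected and opened a database, and that contract is not written down. A header comment would cover it, e.g. `/* Modifies e in the database opened by the preceding lookup such as glue_tool_dn2id_get(); returns NOID when none is open or the backend lacks be_entry_modify. */`. Nothing here checks that `e` belongs to the subtree served by `glueBack`, which presumably relies on the caller's call order and is worth stating in the same comment.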
@@ -920,17 +977,17 @@
 		oi->oi_bi.bi_tool_entry_next = glue_tool_entry_next;
 	if ( bi->bi_tool_entry_get )
 		oi->oi_bi.bi_tool_entry_get = glue_tool_entry_get;
+	if ( bi->bi_tool_dn2id_get )
+		oi->oi_bi.bi_tool_dn2id_get = glue_tool_dn2id_get;
 	if ( bi->bi_tool_entry_put )
 		oi->oi_bi.bi_tool_entry_put = glue_tool_entry_put;
 	if ( bi->bi_tool_entry_reindex )
 		oi->oi_bi.bi_tool_entry_reindex = glue_tool_entry_reindex;
+	if ( bi->bi_tool_entry_modify )
+		oi->oi_bi.bi_tool_entry_modify = glue_tool_entry_modify;
 	if ( bi->bi_tool_sync )
 		oi->oi_bi.bi_tool_sync = glue_tool_sync;
 
-	/*FIXME : need to add support */
-	oi->oi_bi.bi_tool_dn2id_get = 0;
-	oi->oi_bi.bi_tool_entry_modify = 0;
-
 	SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_GLUE_INSTANCE;
 
 	return 0;

Modified: openldap/trunk/servers/slapd/backover.c
===================================================================
--- openldap/trunk/servers/slapd/backover.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/backover.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* backover.c - backend overlay routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backover.c,v 1.71.2.5 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backover.c,v 1.71.2.8 2008/04/24 08:13:39 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29,43 +29,7 @@
 
 static slap_overinst *overlays;
 
-enum db_which {
-	db_open = 0,
-	db_close,
-	db_destroy,
-	db_last
-};
-
 static int
-over_db_func(
-	BackendDB *be,
-	enum db_which which
-)
-{
-	slap_overinfo *oi = be->bd_info->bi_private;
-	slap_overinst *on = oi->oi_list;
-	BackendInfo *bi_orig = be->bd_info;
-	BI_db_open **func;
-	int rc = 0;
-
-	func = &oi->oi_orig->bi_db_open;
-	if ( func[which] ) {
-		be->bd_info = oi->oi_orig;
-		rc = func[which]( be, NULL );
-	}
-
-	for (; on && rc == 0; on=on->on_next) {
-		be->bd_info = &on->on_bi;
-		func = &on->on_bi.bi_db_open;
-		if (func[which]) {
-			rc = func[which]( be, NULL );
-		}
-	}
-	be->bd_info = bi_orig;
-	return rc;
-}
-
-static int
 over_db_config(
 	BackendDB *be,
 	const char *fname,
@@ -172,7 +136,25 @@
 	ConfigReply *cr
 )
 {
-	return over_db_func( be, db_open );
+	slap_overinfo *oi = be->bd_info->bi_private;
+	slap_overinst *on = oi->oi_list;
+	BackendDB db = *be;
+	int rc = 0;
+
+	db.be_flags |= SLAP_DBFLAG_OVERLAY;
+	db.bd_info = oi->oi_orig;
+	if ( db.bd_info->bi_db_open ) {
+		rc = db.bd_info->bi_db_open( &db, cr );
+	}
+
+	for (; on && rc == 0; on=on->on_next) {
+		db.bd_info = &on->on_bi;
+		if ( db.bd_info->bi_db_open ) {
+			rc = db.bd_info->bi_db_open( &db, cr );
+		}
+	}
+
+	return rc;
 }
 
 static int
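Review bot: over_db_open now runs every `bi_db_open` handler on the stack copy `db`, so anything a handler writes into the BackendDB it is given is dropped when the function returns, while over_db_close in the next hunk still passes `be` itself. Whether any backend or overlay stores state in the structure during open is not visible here, so the copy may be entirely intentional, but it deserves a comment. Something like `/* open on a copy so bd_info and SLAP_DBFLAG_OVERLAY never leak into *be; handlers must not keep &db or store state in it */` above `BackendDB db = *be;` would make the constraint explicit.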
@@ -189,13 +171,13 @@
 	for (; on && rc == 0; on=on->on_next) {
 		be->bd_info = &on->on_bi;
 		if ( be->bd_info->bi_db_close ) {
-			rc = be->bd_info->bi_db_close( be, NULL );
+			rc = be->bd_info->bi_db_close( be, cr );
 		}
 	}
 
 	if ( oi->oi_orig->bi_db_close ) {
 		be->bd_info = oi->oi_orig;
-		rc = be->bd_info->bi_db_close( be, NULL );
+		rc = be->bd_info->bi_db_close( be, cr );
 	}
 
 	be->bd_info = bi_orig;
@@ -210,17 +192,29 @@
 {
 	slap_overinfo *oi = be->bd_info->bi_private;
 	slap_overinst *on = oi->oi_list, *next;
+	BackendInfo *bi_orig = be->bd_info;
 	int rc;
 
-	rc = over_db_func( be, db_destroy );
+	be->bd_info = oi->oi_orig;
+	if ( be->bd_info->bi_db_destroy ) {
+		rc = be->bd_info->bi_db_destroy( be, cr );
+	}
 
+	for (; on && rc == 0; on=on->on_next) {
+		be->bd_info = &on->on_bi;
+		if ( be->bd_info->bi_db_destroy ) {
+			rc = be->bd_info->bi_db_destroy( be, cr );
+		}
+	}
+
+	on = oi->oi_list;
 	if ( on ) {
 		for (next = on->on_next; on; on=next) {
 			next = on->on_next;
 			free( on );
 		}
 	}
-
+	be->bd_info = bi_orig;
 	free( oi );
 	return rc;
 }
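Review bot: `rc` is declared without an initialiser and is now only assigned inside `if ( be->bd_info->bi_db_destroy )`, so when the original backend has no destroy hook the following `for (; on && rc == 0; ...)` and the final `return rc;` read an indeterminate value. The removed `rc = over_db_func( be, db_destroy );` always assigned it. Declaring it as `int rc = 0;` restores the previous behaviour. The function's signature lies above the hunk.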
@@ -1248,10 +1242,10 @@
 
 	} else {
 		if ( overlay_is_inst( be, ov ) ) {
-			Debug( LDAP_DEBUG_ANY, "overlay_config(): "
-				"overlay \"%s\" already in list\n",
-				ov, 0, 0 );
 			if ( SLAPO_SINGLE( be ) ) {
+				Debug( LDAP_DEBUG_ANY, "overlay_config(): "
+					"overlay \"%s\" already in list\n",
+					ov, 0, 0 );
 				return 1;
 			}
 		}

Modified: openldap/trunk/servers/slapd/bconfig.c
===================================================================
--- openldap/trunk/servers/slapd/bconfig.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/bconfig.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bconfig.c - the config backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.22 2007/12/03 15:04:31 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.30 2008/04/14 22:20:28 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -189,8 +189,8 @@
 } OidRec;
 
 static OidRec OidMacros[] = {
-	/* OpenLDAProot:666.11.1 */
-	{ "OLcfg", "1.3.6.1.4.1.4203.666.11.1" },
+	/* OpenLDAProot:1.12.2 */
+	{ "OLcfg", "1.3.6.1.4.1.4203.1.12.2" },
 	{ "OLcfgAt", "OLcfg:3" },
 	{ "OLcfgGlAt", "OLcfgAt:0" },
 	{ "OLcfgBkAt", "OLcfgAt:1" },
@@ -230,6 +230,7 @@
  * OLcfg{Bk|Db}{Oc|At}:4		-> back-monitor
  * OLcfg{Bk|Db}{Oc|At}:5		-> back-relay
  * OLcfg{Bk|Db}{Oc|At}:6		-> back-sql
+ * OLcfg{Bk|Db}{Oc|At}:7		-> back-sock
  */
 
 /*
@@ -797,6 +798,11 @@
 
 static ServerID *sid_list;
 
+typedef struct voidList {
+	struct voidList *vl_next;
+	void *vl_ptr;
+} voidList;
+
 typedef struct ADlist {
 	struct ADlist *al_next;
 	AttributeDescription *al_desc;
@@ -883,7 +889,7 @@
 			}
 			break;
 		case CFG_OID: {
-			ConfigFile *cf = c->private;
+			ConfigFile *cf = c->ca_private;
 			if ( !cf )
 				oidm_unparse( &c->rvalue_vals, NULL, NULL, 1 );
 			else if ( cf->c_om_head )
@@ -897,7 +903,7 @@
 			ad_unparse_options( &c->rvalue_vals );
 			break;
 		case CFG_OC: {
-			ConfigFile *cf = c->private;
+			ConfigFile *cf = c->ca_private;
 			if ( !cf )
 				oc_unparse( &c->rvalue_vals, NULL, NULL, 1 );
 			else if ( cf->c_oc_head )
@@ -908,7 +914,7 @@
 			}
 			break;
 		case CFG_ATTR: {
-			ConfigFile *cf = c->private;
+			ConfigFile *cf = c->ca_private;
 			if ( !cf )
 				at_unparse( &c->rvalue_vals, NULL, NULL, 1 );
 			else if ( cf->c_at_head )
@@ -919,7 +925,7 @@
 			}
 			break;
 		case CFG_DIT: {
-			ConfigFile *cf = c->private;
+			ConfigFile *cf = c->ca_private;
 			if ( !cf )
 				cr_unparse( &c->rvalue_vals, NULL, NULL, 1 );
 			else if ( cf->c_cr_head )
@@ -934,7 +940,12 @@
 			AccessControl *a;
 			char *src, *dst, ibuf[11];
 			struct berval bv, abv;
-			for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) {
+			AccessControl *end;
+			if ( c->be == frontendDB )
+				end = NULL;
+			else
+				end = frontendDB->be_acl;
+			for (i=0, a=c->be->be_acl; a && a != end; i++,a=a->acl_next) {
 				abv.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
 				if ( abv.bv_len >= sizeof( ibuf ) ) {
 					ber_bvarray_free_x( c->rvalue_vals, NULL );
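Review bot: The new `a != end` test stops emitting ACLs at the first node that is pointer-identical to `frontendDB->be_acl`, which is only meaningful if each database's `be_acl` chain shares its tail with the frontend list; that relationship is not visible in this hunk and is not commented. Because this decides which access rules show up in the emitted configuration, I would state it next to the declaration, e.g. `/* frontend ACLs are chained after the database's own; stop there so a database entry lists only its own rules */`. Anyone auditing the emitted values should know that the frontend rules still apply to the database even though they are no longer listed under it. The enclosing case block continues outside the hunk.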
@@ -962,7 +973,7 @@
 			break;
 		}
 		case CFG_ROOTDSE: {
-			ConfigFile *cf = c->private;
+			ConfigFile *cf = c->ca_private;
 			if ( cf->c_dseFiles ) {
 				value_add( &c->rvalue_vals, cf->c_dseFiles );
 			} else {
@@ -1031,7 +1042,7 @@
 			} break;
 #ifdef SLAPD_MODULES
 		case CFG_MODLOAD: {
-			ModPaths *mp = c->private;
+			ModPaths *mp = c->ca_private;
 			if (mp->mp_loads) {
 				int i;
 				for (i=0; !BER_BVISNULL(&mp->mp_loads[i]); i++) {
@@ -1053,7 +1064,7 @@
 			}
 			break;
 		case CFG_MODPATH: {
-			ModPaths *mp = c->private;
+			ModPaths *mp = c->ca_private;
 			if ( !BER_BVISNULL( &mp->mp_path ))
 				value_add_one( &c->rvalue_vals, &mp->mp_path );
 
@@ -1198,7 +1209,7 @@
 					return 1;
 				}
 			}
-			cfn = c->private;
+			cfn = c->ca_private;
 			if ( c->valx < 0 ) {
 				ObjectClass *oc;
 
@@ -1236,7 +1247,7 @@
 					return 1;
 				}
 			}
-			cfn = c->private;
+			cfn = c->ca_private;
 			if ( c->valx < 0 ) {
 				AttributeType *at;
 
@@ -1416,8 +1427,8 @@
 		case CFG_OID: {
 			OidMacro *om;
 
-			if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private )
-				cfn = c->private;
+			if ( c->op == LDAP_MOD_ADD && c->ca_private && cfn != c->ca_private )
+				cfn = c->ca_private;
 			if(parse_oidm(c, 1, &om))
 				return(1);
 			if (!cfn->c_om_head) cfn->c_om_head = om;
@@ -1428,8 +1439,8 @@
 		case CFG_OC: {
 			ObjectClass *oc, *prev;
 
-			if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private )
-				cfn = c->private;
+			if ( c->op == LDAP_MOD_ADD && c->ca_private && cfn != c->ca_private )
+				cfn = c->ca_private;
 			if ( c->valx < 0 ) {
 				prev = cfn->c_oc_tail;
 			} else {
@@ -1460,8 +1471,8 @@
 		case CFG_ATTR: {
 			AttributeType *at, *prev;
 
-			if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private )
-				cfn = c->private;
+			if ( c->op == LDAP_MOD_ADD && c->ca_private && cfn != c->ca_private )
+				cfn = c->ca_private;
 			if ( c->valx < 0 ) {
 				prev = cfn->c_at_tail;
 			} else {
@@ -1492,8 +1503,8 @@
 		case CFG_DIT: {
 			ContentRule *cr;
 
-			if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private )
-				cfn = c->private;
+			if ( c->op == LDAP_MOD_ADD && c->ca_private && cfn != c->ca_private )
+				cfn = c->ca_private;
 			if(parse_cr(c, &cr)) return(1);
 			if (!cfn->c_cr_head) cfn->c_cr_head = cr;
 			cfn->c_cr_tail = cr;
@@ -1589,8 +1600,8 @@
 			{
 				struct berval bv;
 				ber_str2bv( c->argv[1], 0, 1, &bv );
-				if ( c->op == LDAP_MOD_ADD && c->private && cfn != c->private )
-					cfn = c->private;
+				if ( c->op == LDAP_MOD_ADD && c->ca_private && cfn != c->ca_private )
+					cfn = c->ca_private;
 				ber_bvarray_add( &cfn->c_dseFiles, &bv );
 			}
 			break;
@@ -1784,8 +1795,8 @@
 			/* If we're just adding a module on an existing modpath,
 			 * make sure we've selected the current path.
 			 */
-			if ( c->op == LDAP_MOD_ADD && c->private && modcur != c->private ) {
-				modcur = c->private;
+			if ( c->op == LDAP_MOD_ADD && c->ca_private && modcur != c->ca_private ) {
+				modcur = c->ca_private;
 				/* This should never fail */
 				if ( module_path( modcur->mp_path.bv_val )) {
 					snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> module path no longer valid",
@@ -1833,7 +1844,7 @@
 				mp->mp_next = NULL;
 				mp->mp_loads = NULL;
 				modlast = mp;
-				c->private = mp;
+				c->ca_private = mp;
 				modcur = mp;
 			}
 			
@@ -1892,8 +1903,8 @@
 static int
 config_fname(ConfigArgs *c) {
 	if(c->op == SLAP_CONFIG_EMIT) {
-		if (c->private) {
-			ConfigFile *cf = c->private;
+		if (c->ca_private) {
+			ConfigFile *cf = c->ca_private;
 			value_add_one( &c->rvalue_vals, &cf->c_file );
 			return 0;
 		}
@@ -3034,7 +3045,7 @@
 		ch_free( cf->c_file.bv_val );
 		ch_free( cf );
 	} else {
-		c->private = cf;
+		c->ca_private = cf;
 	}
 	return(rc);
 }
@@ -3959,14 +3970,14 @@
 	/* This entry is hardcoded, don't re-parse it */
 	if ( p->ce_type == Cft_Global ) {
 		cfn = p->ce_private;
-		ca->private = cfn;
+		ca->ca_private = cfn;
 		return LDAP_COMPARE_TRUE;
 	}
 	if ( p->ce_type != Cft_Schema )
 		return LDAP_CONSTRAINT_VIOLATION;
 
 	cfn = ch_calloc( 1, sizeof(ConfigFile) );
-	ca->private = cfn;
+	ca->ca_private = cfn;
 	cfo = p->ce_private;
 	cfn->c_sibs = cfo->c_kids;
 	cfo->c_kids = cfn;
@@ -4218,7 +4229,7 @@
 	rc = LDAP_CONSTRAINT_VIOLATION;
 	if ( coptr->co_type == Cft_Global && !last ) {
 		cfn = cfb->cb_config;
-		ca->private = cfn;
+		ca->ca_private = cfn;
 		ca->be = frontendDB;	/* just to get past check_vals */
 		rc = LDAP_SUCCESS;
 	}
@@ -4371,7 +4382,7 @@
 	ce->ce_type = colst[0]->co_type;
 	ce->ce_be = ca->be;
 	ce->ce_bi = ca->bi;
-	ce->ce_private = ca->private;
+	ce->ce_private = ca->ca_private;
 	ca->ca_entry = ce->ce_entry;
 	if ( !last ) {
 		cfb->cb_root = ce;
@@ -4654,7 +4665,7 @@
 	init_config_argv( ca );
 	ca->be = ce->ce_be;
 	ca->bi = ce->ce_bi;
-	ca->private = ce->ce_private;
+	ca->ca_private = ce->ce_private;
 	ca->ca_entry = e;
 	ca->fname = "slapd";
 	ca->ca_op = op;
@@ -4769,8 +4780,9 @@
 		/* check that the entry still obeys the schema */
 		rc = entry_schema_check(op, e, NULL, 0, 0,
 			&rs->sr_text, ca->cr_msg, sizeof(ca->cr_msg) );
-		if ( rc ) goto out_noop;
 	}
+	if ( rc ) goto out_noop;
+
 	/* Basic syntax checks are OK. Do the actual settings. */
 	for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
 		ct = config_find_table( colst, nocs, ml->sml_desc, ca );
@@ -5286,18 +5298,23 @@
 {
 	CfBackInfo *cfb;
 	CfEntryInfo *ce, *last;
+	int rc = LDAP_NO_SUCH_OBJECT;
 
 	cfb = (CfBackInfo *)op->o_bd->be_private;
 
 	ce = config_find_base( cfb->cb_root, ndn, &last );
 	if ( ce ) {
 		*ent = ce->ce_entry;
-		if ( *ent && oc && !is_entry_objectclass_or_sub( *ent, oc ) ) {
-			*ent = NULL;
+		if ( *ent ) {
+			rc = LDAP_SUCCESS;
+			if ( oc && !is_entry_objectclass_or_sub( *ent, oc ) ) {
+				rc = LDAP_NO_SUCH_ATTRIBUTE;
+				*ent = NULL;
+			}
 		}
 	}
 
-	return ( *ent == NULL ? 1 : 0 );
+	return rc;
 }
 
 static void
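Review bot: When `config_find_base` returns NULL the function now returns `LDAP_NO_SUCH_OBJECT` without ever writing `*ent`, so a caller that looks at the entry pointer rather than the return code sees whatever it passed in. The old `return ( *ent == NULL ? 1 : 0 )` had the same dependency on the caller's initial value, but with distinct error codes now being returned it is worth making the output well defined by adding `*ent = NULL;` before the lookup. Whether existing callers pre-initialise the pointer is not visible here; the function's signature is above the hunk.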
@@ -5363,7 +5380,7 @@
 		BER_BVZERO( &pdn );
 	}
 
-	ce->ce_private = c->private;
+	ce->ce_private = c->ca_private;
 	ce->ce_be = c->be;
 	ce->ce_bi = c->bi;
 
@@ -5408,13 +5425,16 @@
 	rc = structural_class(oc_at->a_vals, &oc, NULL, &text, c->cr_msg,
 		sizeof(c->cr_msg), op ? op->o_tmpmemctx : NULL );
 	attr_merge_normalize_one(e, slap_schema.si_ad_structuralObjectClass, &oc->soc_cname, NULL );
-	if ( op && !op->o_noop ) {
+	if ( op ) {
 		op->ora_e = e;
 		op->ora_modlist = NULL;
-		op->o_bd->be_add( op, rs );
-		if ( ( rs->sr_err != LDAP_SUCCESS ) 
-				&& (rs->sr_err != LDAP_ALREADY_EXISTS) ) {
-			return NULL;
+		slap_add_opattrs( op, NULL, NULL, 0, 0 );
+		if ( !op->o_noop ) {
+			op->o_bd->be_add( op, rs );
+			if ( ( rs->sr_err != LDAP_SUCCESS ) 
+					&& (rs->sr_err != LDAP_ALREADY_EXISTS) ) {
+				return NULL;
+			}
 		}
 	}
 	if ( ceprev ) {
@@ -5433,7 +5453,7 @@
 	Operation *op, SlapReply *rs )
 {
 	Entry *e;
-	ConfigFile *cf = c->private;
+	ConfigFile *cf = c->ca_private;
 	char *ptr;
 	struct berval bv;
 
@@ -5462,13 +5482,13 @@
 		c->value_dn.bv_len += bv.bv_len;
 		c->value_dn.bv_val[c->value_dn.bv_len] ='\0';
 
-		c->private = cf;
+		c->ca_private = cf;
 		e = config_build_entry( op, rs, ceparent, c, &c->value_dn,
 			&CFOC_SCHEMA, NULL );
 		if ( !e ) {
 			return -1;
 		} else if ( e && cf->c_kids ) {
-			c->private = cf->c_kids;
+			c->ca_private = cf->c_kids;
 			config_build_schema_inc( c, e->e_private, op, rs );
 		}
 	}
@@ -5493,7 +5513,7 @@
 			/* FIXME: how can indicate error? */
 			return -1;
 		}
-		c->private = mp;
+		c->ca_private = mp;
 		if ( ! config_build_entry( op, rs, ceparent, c, &c->value_dn, &CFOC_MODULE, NULL )) {
 			return -1;
 		}
@@ -5570,7 +5590,7 @@
 		}
 	} else {
 		SlapReply rs = {REP_RESULT};
-		c.private = NULL;
+		c.ca_private = NULL;
 		e = config_build_entry( op, &rs, cfb->cb_root, &c, &schema_rdn,
 			&CFOC_SCHEMA, NULL );
 		if ( !e ) {
@@ -5636,7 +5656,7 @@
 
 	/* create root of tree */
 	rdn = config_rdn;
-	c.private = cfb->cb_config;
+	c.ca_private = cfb->cb_config;
 	c.be = frontendDB;
 	e = config_build_entry( op, &rs, NULL, &c, &rdn, &CFOC_GLOBAL, NULL );
 	if ( !e ) {
@@ -5662,7 +5682,7 @@
 	 * files.
 	 */
 	rdn = schema_rdn;
-	c.private = NULL;
+	c.ca_private = NULL;
 	e = config_build_entry( op, &rs, ceparent, &c, &rdn, &CFOC_SCHEMA, NULL );
 	if ( !e ) {
 		return -1;
@@ -5676,7 +5696,7 @@
 	/* Create schema nodes for included schema... */
 	if ( cfb->cb_config->c_kids ) {
 		c.depth = 0;
-		c.private = cfb->cb_config->c_kids;
+		c.ca_private = cfb->cb_config->c_kids;
 		if (config_build_schema_inc( &c, ce, op, &rs )) {
 			return -1;
 		}
@@ -5759,8 +5779,19 @@
 			slap_overinst *on;
 			Entry *oe;
 			int j;
+			voidList *vl, *v0 = NULL;
 
-			for (j=0,on=oi->oi_list; on; j++,on=on->on_next) {
+			/* overlays are in LIFO order, must reverse stack */
+			for (on=oi->oi_list; on; on=on->on_next) {
+				vl = ch_malloc( sizeof( voidList ));
+				vl->vl_next = v0;
+				v0 = vl;
+				vl->vl_ptr = on;
+			}
+			for (j=0; vl; j++,vl=v0) {
+				on = vl->vl_ptr;
+				v0 = vl->vl_next;
+				ch_free( vl );
 				if ( on->on_bi.bi_db_config && !on->on_bi.bi_cf_ocs ) {
 					Debug( LDAP_DEBUG_ANY,
 						"WARNING: No dynamic config support for overlay %s.\n",
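Review bot: `vl` is declared without an initialiser and is only assigned inside the first loop, so if `oi->oi_list` is empty the second loop's condition `vl` reads an indeterminate pointer and may then dereference and `ch_free` it. When the list is non-empty, `vl` happens to equal `v0` after the first loop, which is what the second loop relies on. Starting the second loop from the list head explicitly removes the dependency: `for (j=0, vl=v0; vl; j++, vl=v0) {`. Whether an overlay-enabled database can reach this point with an empty list is not visible in the hunk, and the loop body continues past it.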

Modified: openldap/trunk/servers/slapd/bind.c
===================================================================
--- openldap/trunk/servers/slapd/bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* bind.c - decode an ldap bind operation and pass it to a backend db */
-/* $OpenLDAP: pkg/ldap/servers/slapd/bind.c,v 1.201.2.3 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/bind.c,v 1.201.2.4 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/cancel.c
===================================================================
--- openldap/trunk/servers/slapd/cancel.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/cancel.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* cancel.c - LDAP cancel extended operation */
-/* $OpenLDAP: pkg/ldap/servers/slapd/cancel.c,v 1.23.2.3 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/cancel.c,v 1.23.2.4 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/ch_malloc.c
===================================================================
--- openldap/trunk/servers/slapd/ch_malloc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/ch_malloc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ch_malloc.c - malloc routines that test returns from malloc and friends */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ch_malloc.c,v 1.28.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ch_malloc.c,v 1.28.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/compare.c
===================================================================
--- openldap/trunk/servers/slapd/compare.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/compare.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/compare.c,v 1.136.2.7 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/compare.c,v 1.136.2.8 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/component.c
===================================================================
--- openldap/trunk/servers/slapd/component.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/component.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* component.c -- Component Filter Match Routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/component.c,v 1.31.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/component.c,v 1.31.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 by IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/component.h
===================================================================
--- openldap/trunk/servers/slapd/component.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/component.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* component.h */
-/* $OpenLDAP: pkg/ldap/servers/slapd/component.h,v 1.4.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/component.h,v 1.4.2.3 2008/02/11 23:26:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 by IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/config.c
===================================================================
--- openldap/trunk/servers/slapd/config.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/config.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.c - configuration file handling routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/config.c,v 1.441.2.10 2007/11/08 19:30:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/config.c,v 1.441.2.16 2008/04/14 22:20:28 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -496,9 +496,6 @@
 			fprintf( stderr, "init_config_attrs: register_at failed\n" );
 			return code;
 		}
-#ifndef LDAP_DEVEL
-		ct[i].ad->ad_type->sat_flags |= SLAP_AT_HIDE;
-#endif
 	}
 
 	return 0;
@@ -514,9 +511,6 @@
 			fprintf( stderr, "init_config_ocs: register_oc failed\n" );
 			return code;
 		}
-#ifndef LDAP_DEVEL
-		ocs[i].co_oc->soc_flags |= SLAP_OC_HIDE;
-#endif
 	}
 	return 0;
 }
@@ -843,6 +837,10 @@
 	rc = 0;
 
 done:
+	if ( cf ) {
+		cf->be = c->be;
+		cf->bi = c->bi;
+	}
 	ch_free(c->tline);
 	fclose(fp);
 	ch_free(c->argv);
@@ -1003,6 +1001,140 @@
 	return -1;
 }
 
+/* register a new verbmask */
+static int
+slap_verbmask_register( slap_verbmasks *vm_, slap_verbmasks **vmp, struct berval *bv, int mask )
+{
+	slap_verbmasks	*vm = *vmp;
+	int		i;
+
+	/* check for duplicate word */
+	/* NOTE: we accept duplicate codes; the first occurrence will be used
+	 * when mapping from mask to verb */
+	i = verb_to_mask( bv->bv_val, vm );
+	if ( !BER_BVISNULL( &vm[ i ].word ) ) {
+		return -1;
+	}
+
+	for ( i = 0; !BER_BVISNULL( &vm[ i ].word ); i++ )
+		;
+
+	if ( vm == vm_ ) {
+		/* first time: duplicate array */
+		vm = ch_calloc( i + 2, sizeof( slap_verbmasks ) );
+		for ( i = 0; !BER_BVISNULL( &vm_[ i ].word ); i++ )
+		{
+			ber_dupbv( &vm[ i ].word, &vm_[ i ].word );
+			*((slap_mask_t*)&vm[ i ].mask) = vm_[ i ].mask;
+		}
+
+	} else {
+		vm = ch_realloc( vm, (i + 2) * sizeof( slap_verbmasks ) );
+	}
+
+	ber_dupbv( &vm[ i ].word, bv );
+	*((slap_mask_t*)&vm[ i ].mask) = mask;
+
+	BER_BVZERO( &vm[ i+1 ].word );
+
+	*vmp = vm;
+
+	return i;
+}
+
+static slap_verbmasks slap_ldap_response_code_[] = {
+	{ BER_BVC("success"),				LDAP_SUCCESS },
+
+	{ BER_BVC("operationsError"),			LDAP_OPERATIONS_ERROR },
+	{ BER_BVC("protocolError"),			LDAP_PROTOCOL_ERROR },
+	{ BER_BVC("timelimitExceeded"),			LDAP_TIMELIMIT_EXCEEDED },
+	{ BER_BVC("sizelimitExceeded"),			LDAP_SIZELIMIT_EXCEEDED },
+	{ BER_BVC("compareFalse"),			LDAP_COMPARE_FALSE },
+	{ BER_BVC("compareTrue"),			LDAP_COMPARE_TRUE },
+
+	{ BER_BVC("authMethodNotSupported"),		LDAP_AUTH_METHOD_NOT_SUPPORTED },
+	{ BER_BVC("strongAuthNotSupported"),		LDAP_STRONG_AUTH_NOT_SUPPORTED },
+	{ BER_BVC("strongAuthRequired"),		LDAP_STRONG_AUTH_REQUIRED },
+	{ BER_BVC("strongerAuthRequired"),		LDAP_STRONGER_AUTH_REQUIRED },
+#if 0 /* not LDAPv3 */
+	{ BER_BVC("partialResults"),			LDAP_PARTIAL_RESULTS },
+#endif
+
+	{ BER_BVC("referral"),				LDAP_REFERRAL },
+	{ BER_BVC("adminlimitExceeded"),		LDAP_ADMINLIMIT_EXCEEDED },
+	{ BER_BVC("unavailableCriticalExtension"),	LDAP_UNAVAILABLE_CRITICAL_EXTENSION },
+	{ BER_BVC("confidentialityRequired"),		LDAP_CONFIDENTIALITY_REQUIRED },
+	{ BER_BVC("saslBindInProgress"),		LDAP_SASL_BIND_IN_PROGRESS },
+
+	{ BER_BVC("noSuchAttribute"),			LDAP_NO_SUCH_ATTRIBUTE },
+	{ BER_BVC("undefinedType"),			LDAP_UNDEFINED_TYPE },
+	{ BER_BVC("inappropriateMatching"),		LDAP_INAPPROPRIATE_MATCHING },
+	{ BER_BVC("constraintViolation"),		LDAP_CONSTRAINT_VIOLATION },
+	{ BER_BVC("typeOrValueExists"),			LDAP_TYPE_OR_VALUE_EXISTS },
+	{ BER_BVC("invalidSyntax"),			LDAP_INVALID_SYNTAX },
+
+	{ BER_BVC("noSuchObject"),			LDAP_NO_SUCH_OBJECT },
+	{ BER_BVC("aliasProblem"),			LDAP_ALIAS_PROBLEM },
+	{ BER_BVC("invalidDnSyntax"),			LDAP_INVALID_DN_SYNTAX },
+#if 0 /* not LDAPv3 */
+	{ BER_BVC("isLeaf"),				LDAP_IS_LEAF },
+#endif
+	{ BER_BVC("aliasDerefProblem"),			LDAP_ALIAS_DEREF_PROBLEM },
+
+	{ BER_BVC("proxyAuthzFailure"),			LDAP_X_PROXY_AUTHZ_FAILURE },
+	{ BER_BVC("inappropriateAuth"),			LDAP_INAPPROPRIATE_AUTH },
+	{ BER_BVC("invalidCredentials"),		LDAP_INVALID_CREDENTIALS },
+	{ BER_BVC("insufficientAccess"),		LDAP_INSUFFICIENT_ACCESS },
+
+	{ BER_BVC("busy"),				LDAP_BUSY },
+	{ BER_BVC("unavailable"),			LDAP_UNAVAILABLE },
+	{ BER_BVC("unwillingToPerform"),		LDAP_UNWILLING_TO_PERFORM },
+	{ BER_BVC("loopDetect"),			LDAP_LOOP_DETECT },
+
+	{ BER_BVC("namingViolation"),			LDAP_NAMING_VIOLATION },
+	{ BER_BVC("objectClassViolation"),		LDAP_OBJECT_CLASS_VIOLATION },
+	{ BER_BVC("notAllowedOnNonleaf"),		LDAP_NOT_ALLOWED_ON_NONLEAF },
+	{ BER_BVC("notAllowedOnRdn"),			LDAP_NOT_ALLOWED_ON_RDN },
+	{ BER_BVC("alreadyExists"),			LDAP_ALREADY_EXISTS },
+	{ BER_BVC("noObjectClassMods"),			LDAP_NO_OBJECT_CLASS_MODS },
+	{ BER_BVC("resultsTooLarge"),			LDAP_RESULTS_TOO_LARGE },
+	{ BER_BVC("affectsMultipleDsas"),		LDAP_AFFECTS_MULTIPLE_DSAS },
+
+	{ BER_BVC("other"),				LDAP_OTHER },
+
+	/* extension-specific */
+
+	{ BER_BVC("cupResourcesExhausted"),		LDAP_CUP_RESOURCES_EXHAUSTED },
+	{ BER_BVC("cupSecurityViolation"),		LDAP_CUP_SECURITY_VIOLATION },
+	{ BER_BVC("cupInvalidData"),			LDAP_CUP_INVALID_DATA },
+	{ BER_BVC("cupUnsupportedScheme"),		LDAP_CUP_UNSUPPORTED_SCHEME },
+	{ BER_BVC("cupReloadRequired"),			LDAP_CUP_RELOAD_REQUIRED },
+
+	{ BER_BVC("cancelled"),				LDAP_CANCELLED },
+	{ BER_BVC("noSuchOperation"),			LDAP_NO_SUCH_OPERATION },
+	{ BER_BVC("tooLate"),				LDAP_TOO_LATE },
+	{ BER_BVC("cannotCancel"),			LDAP_CANNOT_CANCEL },
+
+	{ BER_BVC("assertionFailed"),			LDAP_ASSERTION_FAILED },
+
+	{ BER_BVC("proxiedAuthorizationDenied"),	LDAP_PROXIED_AUTHORIZATION_DENIED },
+
+	{ BER_BVC("syncRefreshRequired"),		LDAP_SYNC_REFRESH_REQUIRED },
+
+	{ BER_BVC("noOperation"),			LDAP_X_NO_OPERATION },
+
+	{ BER_BVNULL,				0 }
+};
+
+slap_verbmasks *slap_ldap_response_code = slap_ldap_response_code_;
+
+int
+slap_ldap_response_code_register( struct berval *bv, int err )
+{
+	return slap_verbmask_register( slap_ldap_response_code_,
+		&slap_ldap_response_code, bv, err );
+}
+
 #ifdef HAVE_TLS
 static slap_verbmasks tlskey[] = {
 	{ BER_BVC("no"),	SB_TLS_OFF },
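Review bot: slap_verbmask_register republishes the table through `*vmp` after `ch_calloc`/`ch_realloc` with no locking in view, so any code still walking a previously read `slap_ldap_response_code` pointer would be left with a stale or freed array if registration can run after startup. The one-line comment also leaves out the contract: it returns the new index, or -1 when the word already exists, and it relies on `vm == vm_` to detect the first call on the static table. I would expand it to something like `/* register a new verbmask: returns its index, or -1 if the word is already present; may reallocate *vmp, so call only during single-threaded initialisation */`, assuming that is the intended usage. The write through `*((slap_mask_t*)&vm[ i ].mask)` casts away what looks like a const member and would benefit from a short why-comment as well.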
@@ -1264,19 +1396,18 @@
 int
 slap_tls_get_config( LDAP *ld, int opt, char **val )
 {
+#ifdef HAVE_TLS
 	slap_verbmasks *keys;
 	int i, ival;
 
 	*val = NULL;
 	switch( opt ) {
-#ifdef HAVE_TLS
 	case LDAP_OPT_X_TLS_CRLCHECK:
 		keys = crlkeys;
 		break;
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		keys = vfykeys;
 		break;
-#endif
 	default:
 		return -1;
 	}
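Review bot: Moving `#ifdef HAVE_TLS` to the top of slap_tls_get_config also compiles out `*val = NULL;`, so in a build without TLS the function returns -1 and leaves the caller's pointer untouched, where it previously cleared it. If any caller frees or prints `*val` after a failed call, that is a read of an uninitialised pointer; the callers are not visible here. Replacing the closing `#endif` added in the next hunk (`@@ -1287,6 +1418,7 @@`) with `#else` / `*val = NULL;` / `#endif` keeps the output defined in both configurations. The function body spans both hunks and is not fully shown.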
@@ -1287,6 +1418,7 @@
 			return 0;
 		}
 	}
+#endif
 	return -1;
 }
 

Modified: openldap/trunk/servers/slapd/config.h
===================================================================
--- openldap/trunk/servers/slapd/config.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/config.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* config.h - configuration abstraction structure */
-/* $OpenLDAP: pkg/ldap/servers/slapd/config.h,v 1.34.2.4 2007/09/29 08:01:42 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/config.h,v 1.34.2.11 2008/04/14 18:25:54 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -19,15 +19,17 @@
 
 #include<ac/string.h>
 
+LDAP_BEGIN_DECL
+
 typedef struct ConfigTable {
-	char *name;
-	char *what;
+	const char *name;
+	const char *what;
 	int min_args;
 	int max_args;
 	int length;
 	unsigned int arg_type;
 	void *arg_item;
-	char *attribute;
+	const char *attribute;
 	AttributeDescription *ad;
 	void *notify;
 } ConfigTable;
@@ -97,7 +99,7 @@
 	Operation *op, SlapReply *rs, Entry *parent, struct config_args_s *ca );
 
 typedef struct ConfigOCs {
-	char *co_def;
+	const char *co_def;
 	ConfigType co_type;
 	ConfigTable *co_table;
 	ConfigLDAPadd *co_ldadd;
@@ -108,10 +110,10 @@
 
 typedef int (ConfigDriver)(struct config_args_s *c);
 
-typedef struct config_reply_s {
+struct config_reply_s {
 	int err;
 	char msg[SLAP_TEXT_BUFLEN];
-} ConfigReply;
+};
 
 typedef struct config_args_s {
 	int argc;
@@ -121,7 +123,7 @@
 	char *tline;
 	const char *fname;
 	int lineno;
-	char log[MAXPATHLEN + STRLENOF(": line 18446744073709551615") + 1];
+	char log[MAXPATHLEN + STRLENOF(": line ") + LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 #define cr_msg reply.msg
 	ConfigReply reply;
 	int depth;
@@ -150,7 +152,7 @@
 	BackendDB *be;
 	BackendInfo *bi;
 	Entry *ca_entry;	/* entry being modified */
-	void *private;	/* anything */
+	void *ca_private;	/* anything */
 	ConfigDriver *cleanup;
 	ConfigType table;	/* which config table did we come from */
 } ConfigArgs;
@@ -196,4 +198,9 @@
 
 #define	SLAP_X_ORDERED_FMT	"{%d}"
 
+extern slap_verbmasks *slap_ldap_response_code;
+extern int slap_ldap_response_code_register( struct berval *bv, int err );
+
+LDAP_END_DECL
+
 #endif /* CONFIG_H */

Modified: openldap/trunk/servers/slapd/connection.c
===================================================================
--- openldap/trunk/servers/slapd/connection.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/connection.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/connection.c,v 1.358.2.11 2007/11/27 20:11:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/connection.c,v 1.358.2.16 2008/04/21 18:51:10 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -971,12 +971,13 @@
 	slap_counters_t *sc;
 	void *vsc = NULL;
 
-	if ( ldap_pvt_thread_pool_getkey( ctx, conn_counter_init, &vsc, NULL ) || !vsc ) {
+	if ( ldap_pvt_thread_pool_getkey(
+			ctx, (void *)conn_counter_init, &vsc, NULL ) || !vsc ) {
 		vsc = ch_malloc( sizeof( slap_counters_t ));
 		sc = vsc;
 		slap_counters_init( sc );
-		ldap_pvt_thread_pool_setkey( ctx, conn_counter_init, vsc,
-			conn_counter_destroy );
+		ldap_pvt_thread_pool_setkey( ctx, (void*)conn_counter_init, vsc,
+			conn_counter_destroy, NULL, NULL );
 
 		ldap_pvt_thread_mutex_lock( &slap_counters.sc_mutex );
 		sc->sc_next = slap_counters.sc_next;
@@ -1620,6 +1621,9 @@
 {
 	Operation *op;
 
+	if( conn->c_writewaiter )
+		return 0;
+
 	if( conn->c_conn_state == SLAP_C_CLOSING ) {
 		Debug( LDAP_DEBUG_TRACE, "connection_resched: "
 			"attempting closing conn=%lu sd=%d\n",
@@ -1628,7 +1632,7 @@
 		return 0;
 	}
 
-	if( conn->c_conn_state != SLAP_C_ACTIVE || conn->c_writewaiter ) {
+	if( conn->c_conn_state != SLAP_C_ACTIVE ) {
 		/* other states need different handling */
 		return 0;
 	}
@@ -1896,6 +1900,27 @@
 }
 
 void
+operation_fake_init(
+	Connection *conn,
+	Operation *op,
+	void *ctx,
+	int newmem )
+{
+	/* set memory context */
+	op->o_tmpmemctx = slap_sl_mem_create(SLAP_SLAB_SIZE, SLAP_SLAB_STACK, ctx,
+		newmem );
+	op->o_tmpmfuncs = &slap_sl_mfuncs;
+	op->o_threadctx = ctx;
+	op->o_tid = ldap_pvt_thread_pool_tid( ctx );
+
+	op->o_counters = &slap_counters;
+	op->o_conn = conn;
+	op->o_connid = op->o_conn->c_connid;
+	connection_init_log_prefix( op );
+}
+
+
+void
 connection_fake_init2(
 	Connection *conn,
 	OperationBuffer *opbuf,
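Review bot: operation_fake_init is a new non-static entry point with no header comment, and it dereferences `conn` unconditionally in `op->o_connid = op->o_conn->c_connid;`. Since it is split out of connection_fake_init2 presumably so other code can call it, the preconditions should be written down, e.g. `/* Set up the per-operation parts of a fake Operation: slab memory context, thread context and id, counters, and the link to conn. conn and op must be non-NULL; op->o_hdr must already be set by the caller. */`. The `o_hdr` requirement is inferred from connection_fake_init2 assigning it before the call in the next hunk, so confirm it before adopting the wording.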
@@ -1917,33 +1942,23 @@
 	op->o_hdr = &opbuf->ob_hdr;
 	op->o_controls = opbuf->ob_controls;
 
-	/* set memory context */
-	op->o_tmpmemctx = slap_sl_mem_create(SLAP_SLAB_SIZE, SLAP_SLAB_STACK, ctx,
-		newmem );
-	op->o_tmpmfuncs = &slap_sl_mfuncs;
-	op->o_threadctx = ctx;
-	op->o_tid = ldap_pvt_thread_pool_tid( ctx );
+	operation_fake_init( conn, op, ctx, newmem );
 
-	op->o_counters = &slap_counters;
-	op->o_conn = conn;
-	op->o_connid = op->o_conn->c_connid;
-	connection_init_log_prefix( op );
-
 #ifdef LDAP_SLAPI
 	if ( slapi_plugins_used ) {
 		conn_fake_extblock *eb;
 		void *ebx = NULL;
 
 		/* Use thread keys to make sure these eventually get cleaned up */
-		if ( ldap_pvt_thread_pool_getkey( ctx, connection_fake_init, &ebx,
-			NULL )) {
+		if ( ldap_pvt_thread_pool_getkey( ctx, (void *)connection_fake_init,
+				&ebx, NULL )) {
 			eb = ch_malloc( sizeof( *eb ));
 			slapi_int_create_object_extensions( SLAPI_X_EXT_CONNECTION, conn );
 			slapi_int_create_object_extensions( SLAPI_X_EXT_OPERATION, op );
 			eb->eb_conn = conn->c_extensions;
 			eb->eb_op = op->o_hdr->oh_extensions;
-			ldap_pvt_thread_pool_setkey( ctx, connection_fake_init, eb,
-				connection_fake_destroy );
+			ldap_pvt_thread_pool_setkey( ctx, (void *)connection_fake_init,
+				eb, connection_fake_destroy, NULL, NULL );
 		} else {
 			eb = ebx;
 			conn->c_extensions = eb->eb_conn;

Modified: openldap/trunk/servers/slapd/controls.c
===================================================================
--- openldap/trunk/servers/slapd/controls.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/controls.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/controls.c,v 1.174.2.8 2007/11/08 19:16:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/controls.c,v 1.174.2.10 2008/04/14 22:15:21 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1102,6 +1102,10 @@
 	ps->ps_size = size;
 	ps->ps_cookieval = cookie;
 	op->o_pagedresults_state = ps;
+	if ( !cookie.bv_len ) {
+		ps->ps_count = 0;
+		ps->ps_cookie = 0;
+	}
 
 	/* NOTE: according to RFC 2696 3.:
 

Modified: openldap/trunk/servers/slapd/cr.c
===================================================================
--- openldap/trunk/servers/slapd/cr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/cr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* cr.c - content rule routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/cr.c,v 1.22.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/cr.c,v 1.22.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/ctxcsn.c
===================================================================
--- openldap/trunk/servers/slapd/ctxcsn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/ctxcsn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ctxcsn.c -- Context CSN Management Routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ctxcsn.c,v 1.40.2.4 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ctxcsn.c,v 1.40.2.6 2008/02/12 00:44:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
  *
@@ -99,6 +99,8 @@
 		if ( csne->ce_opid == op->o_opid && csne->ce_connid == op->o_connid ) {
 			LDAP_TAILQ_REMOVE( op->o_bd->be_pending_csn_list,
 				csne, ce_csn_link );
+			Debug( LDAP_DEBUG_SYNC, "slap_graduate_commit_csn: removing %p %s\n",
+				csne->ce_csn.bv_val, csne->ce_csn.bv_val, 0 );
 			if ( op->o_csn.bv_val == csne->ce_csn.bv_val ) {
 				BER_BVZERO( &op->o_csn );
 			}
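Review bot: The new `Debug` call passes `csne->ce_csn.bv_val`, a `char *`, for the `%p` conversion, which expects a `void *`; the first argument should be `(void *)csne->ce_csn.bv_val`. The same applies to `csn->bv_val` in the slap_queue_csn hunk below, whose message also misspells "queueing" as `queing`, which makes the line harder to find when searching sync logs. Both functions start and end outside their hunks.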
@@ -162,6 +164,9 @@
 
 	pending = (struct slap_csn_entry *) ch_calloc( 1,
 			sizeof( struct slap_csn_entry ));
+
+	Debug( LDAP_DEBUG_SYNC, "slap_queue_csn: queing %p %s\n", csn->bv_val, csn->bv_val, 0 );
+
 	ldap_pvt_thread_mutex_lock( op->o_bd->be_pcl_mutexp );
 
 	ber_dupbv( &pending->ce_csn, csn );

Modified: openldap/trunk/servers/slapd/daemon.c
===================================================================
--- openldap/trunk/servers/slapd/daemon.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/daemon.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.8 2007/11/27 20:11:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.10 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2007 by Howard Chu, Symas Corporation.
  * All rights reserved.
  *
@@ -1058,7 +1058,7 @@
 						S_IRGRP, S_IWGRP, S_IXGRP,
 						S_IROTH, S_IWOTH, S_IXOTH
 					};
-					static char	c[] = "-rwxrwxrwx"; 
+					static const char	c[] = "-rwxrwxrwx"; 
 
 					if ( value[ j ] == c[ j ] ) {
 						p |= m[ j ];

Modified: openldap/trunk/servers/slapd/delete.c
===================================================================
--- openldap/trunk/servers/slapd/delete.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/delete.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/delete.c,v 1.138.2.2 2007/08/31 23:13:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/delete.c,v 1.138.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/dn.c
===================================================================
--- openldap/trunk/servers/slapd/dn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/dn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dn.c - routines for dealing with distinguished names */
-/* $OpenLDAP: pkg/ldap/servers/slapd/dn.c,v 1.182.2.7 2007/09/01 11:40:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/dn.c,v 1.182.2.8 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/entry.c
===================================================================
--- openldap/trunk/servers/slapd/entry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/entry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* entry.c - routines for dealing with entries */
-/* $OpenLDAP: pkg/ldap/servers/slapd/entry.c,v 1.148.2.5 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/entry.c,v 1.148.2.7 2008/02/11 23:43:39 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -241,155 +241,157 @@
 		}
 	}
 
-	for ( i=0; i<=lines; i++ ) {
-		ad_prev = ad;
-		if ( !ad || ( i<lines && !bvcasematch( type+i, &ad->ad_cname ))) {
-			ad = NULL;
-			rc = slap_bv2ad( type+i, &ad, &text );
-
-			if( rc != LDAP_SUCCESS ) {
-				Debug( slapMode & SLAP_TOOL_MODE
-					? LDAP_DEBUG_ANY : LDAP_DEBUG_TRACE,
-					"<= str2entry: str2ad(%s): %s\n", type[i].bv_val, text, 0 );
-				if( slapMode & SLAP_TOOL_MODE ) {
-					goto fail;
+	if ( lines > 0 ) {
+		for ( i=0; i<=lines; i++ ) {
+			ad_prev = ad;
+			if ( !ad || ( i<lines && !bvcasematch( type+i, &ad->ad_cname ))) {
+				ad = NULL;
+				rc = slap_bv2ad( type+i, &ad, &text );
+	
+				if( rc != LDAP_SUCCESS ) {
+					Debug( slapMode & SLAP_TOOL_MODE
+						? LDAP_DEBUG_ANY : LDAP_DEBUG_TRACE,
+						"<= str2entry: str2ad(%s): %s\n", type[i].bv_val, text, 0 );
+					if( slapMode & SLAP_TOOL_MODE ) {
+						goto fail;
+					}
+	
+					rc = slap_bv2undef_ad( type+i, &ad, &text, 0 );
+					if( rc != LDAP_SUCCESS ) {
+						Debug( LDAP_DEBUG_ANY,
+							"<= str2entry: slap_str2undef_ad(%s): %s\n",
+								type[i].bv_val, text, 0 );
+						goto fail;
+					}
 				}
-
-				rc = slap_bv2undef_ad( type+i, &ad, &text, 0 );
-				if( rc != LDAP_SUCCESS ) {
+	
+				/* require ';binary' when appropriate (ITS#5071) */
+				if ( slap_syntax_is_binary( ad->ad_type->sat_syntax ) && !slap_ad_is_binary( ad ) ) {
 					Debug( LDAP_DEBUG_ANY,
-						"<= str2entry: slap_str2undef_ad(%s): %s\n",
-							type[i].bv_val, text, 0 );
+						"str2entry: attributeType %s #%d: "
+						"needs ';binary' transfer as per syntax %s\n", 
+						ad->ad_cname.bv_val, 0,
+						ad->ad_type->sat_syntax->ssyn_oid );
 					goto fail;
 				}
 			}
-
-			/* require ';binary' when appropriate (ITS#5071) */
-			if ( slap_syntax_is_binary( ad->ad_type->sat_syntax ) && !slap_ad_is_binary( ad ) ) {
-				Debug( LDAP_DEBUG_ANY,
-					"str2entry: attributeType %s #%d: "
-					"needs ';binary' transfer as per syntax %s\n", 
-					ad->ad_cname.bv_val, 0,
-					ad->ad_type->sat_syntax->ssyn_oid );
-				goto fail;
-			}
-		}
-
-		if (( ad_prev && ad != ad_prev ) || ( i == lines )) {
-			int j, k;
-			/* FIXME: we only need this when migrating from an unsorted DB */
-			if ( atail != &ahead && atail->a_desc->ad_type->sat_flags & SLAP_AT_SORTED_VAL ) {
-				rc = slap_sort_vals( (Modifications *)atail, &text, &j, NULL );
-				if ( rc == LDAP_SUCCESS ) {
-					atail->a_flags |= SLAP_ATTR_SORTED_VALS;
-				} else if ( rc == LDAP_TYPE_OR_VALUE_EXISTS ) {
-					Debug( LDAP_DEBUG_ANY,
-						"str2entry: attributeType %s value #%d provided more than once\n",
-						atail->a_desc->ad_cname.bv_val, j, 0 );
-					goto fail;
+	
+			if (( ad_prev && ad != ad_prev ) || ( i == lines )) {
+				int j, k;
+				/* FIXME: we only need this when migrating from an unsorted DB */
+				if ( atail != &ahead && atail->a_desc->ad_type->sat_flags & SLAP_AT_SORTED_VAL ) {
+					rc = slap_sort_vals( (Modifications *)atail, &text, &j, NULL );
+					if ( rc == LDAP_SUCCESS ) {
+						atail->a_flags |= SLAP_ATTR_SORTED_VALS;
+					} else if ( rc == LDAP_TYPE_OR_VALUE_EXISTS ) {
+						Debug( LDAP_DEBUG_ANY,
+							"str2entry: attributeType %s value #%d provided more than once\n",
+							atail->a_desc->ad_cname.bv_val, j, 0 );
+						goto fail;
+					}
 				}
-			}
-			atail->a_next = attr_alloc( NULL );
-			atail = atail->a_next;
-			atail->a_flags = 0;
-			atail->a_numvals = attr_cnt;
-			atail->a_desc = ad_prev;
-			atail->a_vals = ch_malloc( (attr_cnt + 1) * sizeof(struct berval));
-			if( ad_prev->ad_type->sat_equality &&
-				ad_prev->ad_type->sat_equality->smr_normalize )
-				atail->a_nvals = ch_malloc( (attr_cnt + 1) * sizeof(struct berval));
-			else
-				atail->a_nvals = NULL;
-			k = i - attr_cnt;
-			for ( j=0; j<attr_cnt; j++ ) {
-				if ( freeval[k] )
-					atail->a_vals[j] = vals[k];
+				atail->a_next = attr_alloc( NULL );
+				atail = atail->a_next;
+				atail->a_flags = 0;
+				atail->a_numvals = attr_cnt;
+				atail->a_desc = ad_prev;
+				atail->a_vals = ch_malloc( (attr_cnt + 1) * sizeof(struct berval));
+				if( ad_prev->ad_type->sat_equality &&
+					ad_prev->ad_type->sat_equality->smr_normalize )
+					atail->a_nvals = ch_malloc( (attr_cnt + 1) * sizeof(struct berval));
 				else
-					ber_dupbv( atail->a_vals+j, &vals[k] );
-				vals[k].bv_val = NULL;
+					atail->a_nvals = NULL;
+				k = i - attr_cnt;
+				for ( j=0; j<attr_cnt; j++ ) {
+					if ( freeval[k] )
+						atail->a_vals[j] = vals[k];
+					else
+						ber_dupbv( atail->a_vals+j, &vals[k] );
+					vals[k].bv_val = NULL;
+					if ( atail->a_nvals ) {
+						atail->a_nvals[j] = nvals[k];
+						nvals[k].bv_val = NULL;
+					}
+					k++;
+				}
+				BER_BVZERO( &atail->a_vals[j] );
 				if ( atail->a_nvals ) {
-					atail->a_nvals[j] = nvals[k];
-					nvals[k].bv_val = NULL;
+					BER_BVZERO( &atail->a_nvals[j] );
+				} else {
+					atail->a_nvals = atail->a_vals;
 				}
-				k++;
+				attr_cnt = 0;
+				if ( i == lines ) break;
 			}
-			BER_BVZERO( &atail->a_vals[j] );
-			if ( atail->a_nvals ) {
-				BER_BVZERO( &atail->a_nvals[j] );
-			} else {
-				atail->a_nvals = atail->a_vals;
-			}
-			attr_cnt = 0;
-			if ( i == lines ) break;
-		}
-
-		if ( BER_BVISNULL( &vals[i] ) ) {
-			Debug( LDAP_DEBUG_ANY,
-				"str2entry: attributeType %s #%d: "
-				"no value\n", 
-				ad->ad_cname.bv_val, attr_cnt, 0 );
-			goto fail;
-		}
-
-		if( slapMode & SLAP_TOOL_MODE ) {
-			struct berval pval;
-			slap_syntax_validate_func *validate =
-				ad->ad_type->sat_syntax->ssyn_validate;
-			slap_syntax_transform_func *pretty =
-				ad->ad_type->sat_syntax->ssyn_pretty;
-
-			if ( pretty ) {
-				rc = ordered_value_pretty( ad,
-					&vals[i], &pval, NULL );
-
-			} else if ( validate ) {
-				/*
-			 	 * validate value per syntax
-			 	 */
-				rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD );
-
-			} else {
+	
+			if ( BER_BVISNULL( &vals[i] ) ) {
 				Debug( LDAP_DEBUG_ANY,
 					"str2entry: attributeType %s #%d: "
-					"no validator for syntax %s\n", 
-					ad->ad_cname.bv_val, attr_cnt,
-					ad->ad_type->sat_syntax->ssyn_oid );
+					"no value\n", 
+					ad->ad_cname.bv_val, attr_cnt, 0 );
 				goto fail;
 			}
-
-			if( rc != 0 ) {
-				Debug( LDAP_DEBUG_ANY,
-					"str2entry: invalid value "
-					"for attributeType %s #%d (syntax %s)\n",
-					ad->ad_cname.bv_val, attr_cnt,
-					ad->ad_type->sat_syntax->ssyn_oid );
-				goto fail;
+	
+			if( slapMode & SLAP_TOOL_MODE ) {
+				struct berval pval;
+				slap_syntax_validate_func *validate =
+					ad->ad_type->sat_syntax->ssyn_validate;
+				slap_syntax_transform_func *pretty =
+					ad->ad_type->sat_syntax->ssyn_pretty;
+	
+				if ( pretty ) {
+					rc = ordered_value_pretty( ad,
+						&vals[i], &pval, NULL );
+	
+				} else if ( validate ) {
+					/*
+				 	 * validate value per syntax
+				 	 */
+					rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD );
+	
+				} else {
+					Debug( LDAP_DEBUG_ANY,
+						"str2entry: attributeType %s #%d: "
+						"no validator for syntax %s\n", 
+						ad->ad_cname.bv_val, attr_cnt,
+						ad->ad_type->sat_syntax->ssyn_oid );
+					goto fail;
+				}
+	
+				if( rc != 0 ) {
+					Debug( LDAP_DEBUG_ANY,
+						"str2entry: invalid value "
+						"for attributeType %s #%d (syntax %s)\n",
+						ad->ad_cname.bv_val, attr_cnt,
+						ad->ad_type->sat_syntax->ssyn_oid );
+					goto fail;
+				}
+	
+				if( pretty ) {
+					if ( freeval[i] ) free( vals[i].bv_val );
+					vals[i] = pval;
+					freeval[i] = 1;
+				}
 			}
-
-			if( pretty ) {
-				if ( freeval[i] ) free( vals[i].bv_val );
-				vals[i] = pval;
-				freeval[i] = 1;
+	
+			if ( ad->ad_type->sat_equality &&
+				ad->ad_type->sat_equality->smr_normalize )
+			{
+				rc = ordered_value_normalize(
+					SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
+					ad,
+					ad->ad_type->sat_equality,
+					&vals[i], &nvals[i], NULL );
+	
+				if ( rc ) {
+					Debug( LDAP_DEBUG_ANY,
+				   		"<= str2entry NULL (smr_normalize %s %d)\n", ad->ad_cname.bv_val, rc, 0 );
+					goto fail;
+				}
 			}
+	
+			attr_cnt++;
 		}
-
-		if ( ad->ad_type->sat_equality &&
-			ad->ad_type->sat_equality->smr_normalize )
-		{
-			rc = ordered_value_normalize(
-				SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
-				ad,
-				ad->ad_type->sat_equality,
-				&vals[i], &nvals[i], NULL );
-
-			if ( rc ) {
-				Debug( LDAP_DEBUG_ANY,
-			   		"<= str2entry NULL (smr_normalize %s %d)\n", ad->ad_cname.bv_val, rc, 0 );
-				goto fail;
-			}
-		}
-
-		attr_cnt++;
 	}
 
 	free( type );
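Review bot: The new `if ( lines > 0 )` wrapper carries no comment saying what it protects against. Judging from the loop body, the first iteration reads `type+i` and `vals[i]` even when `lines` is 0, which is presumably the case being excluded. I would add `/* no attribute lines were parsed: nothing to convert */` above the test. Wrapping the loop also re-indents about 150 lines and leaves tab-only blank lines (for example after `rc = slap_bv2ad( type+i, &ad, &text );`), which makes the one-line behavioural change hard to audit. The function starts and ends outside the hunk.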

Modified: openldap/trunk/servers/slapd/extended.c
===================================================================
--- openldap/trunk/servers/slapd/extended.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/extended.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/extended.c,v 1.92.2.4 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/extended.c,v 1.92.2.5 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/filter.c
===================================================================
--- openldap/trunk/servers/slapd/filter.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/filter.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* filter.c - routines for parsing and dealing with filters */
-/* $OpenLDAP: pkg/ldap/servers/slapd/filter.c,v 1.134.2.10 2007/11/09 15:15:17 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/filter.c,v 1.134.2.12 2008/02/18 22:25:47 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -608,7 +608,9 @@
 simple:
 		value = f->f_av_value;
 		if ( f->f_av_desc->ad_type->sat_equality &&
-			( f->f_av_desc->ad_type->sat_equality->smr_usage & SLAP_MR_MUTATION_NORMALIZER )) {
+			!undef &&
+			( f->f_av_desc->ad_type->sat_equality->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))
+		{
 			f->f_av_desc->ad_type->sat_equality->smr_normalize(
 				(SLAP_MR_DENORMALIZE|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX),
 				NULL, NULL, &f->f_av_value, &value, op->o_tmpmemctx );

Modified: openldap/trunk/servers/slapd/filterentry.c
===================================================================
--- openldap/trunk/servers/slapd/filterentry.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/filterentry.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* filterentry.c - apply a filter to an entry */
-/* $OpenLDAP: pkg/ldap/servers/slapd/filterentry.c,v 1.104.2.3 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/filterentry.c,v 1.104.2.4 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/frontend.c
===================================================================
--- openldap/trunk/servers/slapd/frontend.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/frontend.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
 /* frontend.c - routines for dealing with frontend */
+/* $OpenLDAP: pkg/ldap/servers/slapd/frontend.c,v 1.19.2.6 2008/04/24 08:13:39 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42,11 +43,57 @@
 static BackendDB	slap_frontendDB;
 BackendDB	*frontendDB;
 
+static int
+fe_entry_get_rw(
+	Operation *op,
+	struct berval *ndn,
+	ObjectClass *oc,
+	AttributeDescription *at,
+	int rw,
+	Entry **e )
+{
+	BackendDB	*bd;
+	int		rc = LDAP_NO_SUCH_OBJECT;
+
+	bd = op->o_bd;
+	op->o_bd = select_backend( ndn, 0 );
+	if ( op->o_bd != NULL ) {
+		if ( op->o_bd->be_fetch ) {
+			rc = op->o_bd->be_fetch( op, ndn, oc, at, rw, e );
+		}
+	}
+	op->o_bd = bd;
+
+	return rc;
+}
+
+static int
+fe_entry_release_rw(
+	Operation *op,
+	Entry *e,
+	int rw )
+{
+	BackendDB	*bd;
+	int		rc = LDAP_NO_SUCH_OBJECT;
+
+	bd = op->o_bd;
+	op->o_bd = select_backend( &e->e_nname, 0 );
+	if ( op->o_bd != NULL ) {
+		if ( op->o_bd->be_release ) {
+			rc = op->o_bd->be_release( op, e, rw );
+		}
+	}
+	op->o_bd = bd;
+
+	return rc;
+}
+
 int
 frontend_init( void )
 {
 	/* data */
 	frontendDB = &slap_frontendDB;
+	frontendDB->bd_self = frontendDB;
 
 	/* ACLs */
 	frontendDB->be_dfltaccess = ACL_READ;
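Review bot: fe_entry_release_rw returns `LDAP_NO_SUCH_OBJECT` when `select_backend` finds nothing or the backend has no `be_release` hook, and in both cases `e` is left untouched. Unless the caller frees the entry on a non-zero result (not visible here), it leaks. The function also re-selects the backend from `e->e_nname` instead of using the one that fetched the entry, which presumably can differ if the DN was rewritten in between. Both new functions need a header comment stating this return contract and that `op->o_bd` is swapped only for the duration of the call and then restored.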
@@ -115,10 +162,8 @@
 	frontendDB->bd_info->bi_op_search = fe_op_search;
 	frontendDB->bd_info->bi_extended = fe_extended;
 	frontendDB->bd_info->bi_operational = fe_aux_operational;
-#if 0
 	frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw;
 	frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw;
-#endif
 	frontendDB->bd_info->bi_access_allowed = fe_access_allowed;
 	frontendDB->bd_info->bi_acl_group = fe_acl_group;
 	frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute;

Modified: openldap/trunk/servers/slapd/globals.c
===================================================================
--- openldap/trunk/servers/slapd/globals.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/globals.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* globals.c - various global variables */
-/* $OpenLDAP: pkg/ldap/servers/slapd/globals.c,v 1.15.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/globals.c,v 1.15.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/index.c
===================================================================
--- openldap/trunk/servers/slapd/index.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/index.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* index.c - index utilities */
-/* $OpenLDAP: pkg/ldap/servers/slapd/index.c,v 1.17.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/index.c,v 1.17.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/init.c
===================================================================
--- openldap/trunk/servers/slapd/init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* init.c - initialize various things */
-/* $OpenLDAP: pkg/ldap/servers/slapd/init.c,v 1.97.2.7 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/init.c,v 1.97.2.9 2008/02/12 00:46:46 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -179,16 +179,6 @@
 		return 1;
 	}
 
-#ifdef HAVE_TLS
-	/* Library defaults to full certificate checking. This is correct when
-	 * a client is verifying a server because all servers should have a
-	 * valid cert. But few clients have valid certs, so we want our default
-	 * to be no checking. The config file can override this as usual.
-	 */
-	rc = 0;
-	(void) ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
-#endif
-
 	if ( frontend_init() ) {
 		slap_debug |= LDAP_DEBUG_NONE;
 		Debug( LDAP_DEBUG_ANY,

Modified: openldap/trunk/servers/slapd/ldapsync.c
===================================================================
--- openldap/trunk/servers/slapd/ldapsync.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/ldapsync.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* ldapsync.c -- LDAP Content Sync Routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ldapsync.c,v 1.32.2.6 2007/10/18 01:35:12 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ldapsync.c,v 1.32.2.7 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/limits.c
===================================================================
--- openldap/trunk/servers/slapd/limits.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/limits.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* limits.c - routines to handle regex-based size and time limits */
-/* $OpenLDAP: pkg/ldap/servers/slapd/limits.c,v 1.73.2.5 2007/11/15 00:37:15 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/limits.c,v 1.73.2.6 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/lock.c
===================================================================
--- openldap/trunk/servers/slapd/lock.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/lock.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* lock.c - routines to open and apply an advisory lock to a file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/lock.c,v 1.32.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/lock.c,v 1.32.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/main.c
===================================================================
--- openldap/trunk/servers/slapd/main.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/main.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.10 2007/11/08 19:30:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.12 2008/02/12 00:46:46 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -736,6 +736,13 @@
 		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
 		goto destroy;
 	}
+	/* Library defaults to full certificate checking. This is correct when
+	 * a client is verifying a server because all servers should have a
+	 * valid cert. But few clients have valid certs, so we want our default
+	 * to be no checking. The config file can override this as usual.
+	 */
+	rc = LDAP_OPT_X_TLS_NEVER;
+	(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
 #endif
 
 	rc = slap_init( serverMode, serverName );
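Review bot: The result of `ldap_pvt_tls_set_option` is cast to `(void)`, so if setting `LDAP_OPT_X_TLS_REQUIRE_CERT` on `slap_tls_ld` fails, the server starts with a different client-certificate policy than the comment promises and nothing is logged. `rc` is also borrowed as the option value just before `slap_init` overwrites it; a dedicated local such as `int opt = LDAP_OPT_X_TLS_NEVER;` would read better. Since the default is now explicitly "never verify client certificates", the comment should add that deployments relying on client certificates (e.g. SASL EXTERNAL) must set `TLSVerifyClient` in the configuration. The enclosing `#ifdef HAVE_TLS` block and the function start outside the hunk.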

Modified: openldap/trunk/servers/slapd/matchedValues.c
===================================================================
--- openldap/trunk/servers/slapd/matchedValues.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/matchedValues.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/matchedValues.c,v 1.28.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/matchedValues.c,v 1.28.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/modify.c
===================================================================
--- openldap/trunk/servers/slapd/modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/modify.c,v 1.276.2.6 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/modify.c,v 1.276.2.9 2008/04/14 22:05:06 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -383,6 +383,10 @@
 			continue;
 		}
 
+		if ( ml->sml_flags & SLAP_MOD_INTERNAL ) {
+			continue;
+		}
+
 		if ( get_relax( op ) ) {
 			if ( ml->sml_desc->ad_type->sat_flags & SLAP_AT_MANAGEABLE ) {
 				ml->sml_flags |= SLAP_MOD_MANAGING;
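Review bot: The new `SLAP_MOD_INTERNAL` test skips the rest of the loop body, including the `get_relax` / `SLAP_AT_MANAGEABLE` handling visible below it, without a comment saying why internally generated modifications are exempt. This looks like a permission-style check, so the exemption is only safe if `SLAP_MOD_INTERNAL` can never be set on a modification taken from a client request; that is not visible in this hunk and should be stated. Suggested comment: `/* internally generated mod, never set from client input: not subject to the checks below */`. The loop and its function start and end outside the hunk.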
@@ -585,6 +589,7 @@
 					ml->sml_values[nvals] = pval;
 				}
 			}
+			ml->sml_values[nvals].bv_len = 0;
 			ml->sml_numvals = nvals;
 
 			/*
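Review bot: `ml->sml_values[nvals].bv_len = 0;` clears only the length of the terminating element. If `bv_val` is not already NULL at that index (the loop that establishes `nvals` is outside the hunk), the array is left with a half-cleared terminator. `BER_BVZERO( &ml->sml_values[nvals] );`, as used in the entry.c hunk of this same commit, clears both fields and states the intent.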

Modified: openldap/trunk/servers/slapd/modrdn.c
===================================================================
--- openldap/trunk/servers/slapd/modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/modrdn.c,v 1.170.2.3 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/modrdn.c,v 1.170.2.5 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -214,9 +214,9 @@
 int
 fe_op_modrdn( Operation *op, SlapReply *rs )
 {
-	Backend		*newSuperior_be = NULL;
-	struct berval	pdn = BER_BVNULL;
+	struct berval	dest_ndn = BER_BVNULL, dest_pndn, pdn = BER_BVNULL;
 	BackendDB	*op_be, *bd = op->o_bd;
+	ber_slen_t	diff;
 	
 	if( op->o_req_ndn.bv_len == 0 ) {
 		Debug( LDAP_DEBUG_ANY, "%s do_modrdn: root dse!\n",
@@ -234,6 +234,23 @@
 		goto cleanup;
 	}
 
+	if( op->orr_nnewSup ) {
+		dest_pndn = *op->orr_nnewSup;
+	} else {
+		dnParent( &op->o_req_ndn, &dest_pndn );
+	}
+	build_new_dn( &dest_ndn, &dest_pndn, &op->orr_nnewrdn, op->o_tmpmemctx );
+
+	diff = (ber_slen_t) dest_ndn.bv_len - (ber_slen_t) op->o_req_ndn.bv_len;
+	if ( diff > 0 ? dnIsSuffix( &dest_ndn, &op->o_req_ndn )
+		: diff < 0 && dnIsSuffix( &op->o_req_ndn, &dest_ndn ) )
+	{
+		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
+			diff > 0 ? "cannot place an entry below itself"
+			: "cannot place an entry above itself" );
+		goto cleanup;
+	}
+
 	/*
 	 * We could be serving multiple database backends.  Select the
 	 * appropriate one, or send a referral to our "referral server"
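Review bot: The self-containment test packs both cases into one conditional expression, `diff > 0 ? dnIsSuffix( &dest_ndn, ... ) : diff < 0 && dnIsSuffix( &op->o_req_ndn, ... )`, and then repeats `diff > 0 ?` to pick the error text. That is hard to verify at a glance for a check that decides whether a rename is refused. Two separate `if` blocks would be clearer, or at least a comment such as `/* refuse if dest lies below the source entry (dest ends in source DN) or above it (source ends in dest DN) */`. fe_op_modrdn continues outside the hunk.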
@@ -275,19 +292,11 @@
 		goto cleanup;
 	}
 
-	/* Make sure that the entry being changed and the newSuperior are in 
-	 * the same backend, otherwise we return an error.
-	 */
-	if( op->orr_newSup ) {
-		newSuperior_be = select_backend( op->orr_nnewSup, 0 );
-
-		if ( newSuperior_be != op->o_bd ) {
-			/* newSuperior is in different backend */
+	/* check that destination DN is in the same backend as source DN */
+	if ( select_backend( &dest_ndn, 0 ) != op->o_bd ) {
 			send_ldap_error( op, rs, LDAP_AFFECTS_MULTIPLE_DSAS,
 				"cannot rename between DSAs" );
-
 			goto cleanup;
-		}
 	}
 
 	/*
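Review bot: The statements kept under the new `if ( select_backend( &dest_ndn, 0 ) != op->o_bd ) {` still have the three-tab indentation of the removed nested block. As a result `send_ldap_error( op, rs, LDAP_AFFECTS_MULTIPLE_DSAS,` and `goto cleanup;` read as if they sat one block deeper than they do. Re-indent them to two tabs so the rejection path is visibly the body of the single test.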
@@ -367,6 +376,8 @@
 	}
 
 cleanup:;
+	if ( dest_ndn.bv_val != NULL )
+		ber_memfree_x( dest_ndn.bv_val, op->o_tmpmemctx );
 	op->o_bd = bd;
 	return rs->sr_err;
 }

Modified: openldap/trunk/servers/slapd/mods.c
===================================================================
--- openldap/trunk/servers/slapd/mods.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/mods.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/mods.c,v 1.59.2.4 2007/11/27 19:52:32 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/mods.c,v 1.59.2.5 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/module.c
===================================================================
--- openldap/trunk/servers/slapd/module.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/module.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/module.c,v 1.29.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/module.c,v 1.29.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/mr.c
===================================================================
--- openldap/trunk/servers/slapd/mr.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/mr.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* mr.c - routines to manage matching rule definitions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/mr.c,v 1.64.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/mr.c,v 1.64.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/mra.c
===================================================================
--- openldap/trunk/servers/slapd/mra.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/mra.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* mra.c - routines for dealing with extensible matching rule assertions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/mra.c,v 1.45.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/mra.c,v 1.45.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/nt_svc.c
===================================================================
--- openldap/trunk/servers/slapd/nt_svc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/nt_svc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/nt_svc.c,v 1.27.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/nt_svc.c,v 1.27.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/oc.c
===================================================================
--- openldap/trunk/servers/slapd/oc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/oc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* oc.c - object class routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/oc.c,v 1.77.2.3 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/oc.c,v 1.77.2.6 2008/04/14 22:08:32 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -502,6 +502,10 @@
 	}
 #endif
 
+	if ( *oc == NULL ) {
+		return 0;
+	}
+
 	*oc = LDAP_STAILQ_NEXT(*oc,soc_next);
 
 	return (*oc != NULL);
@@ -892,7 +896,7 @@
 }
 
 int
-register_oc( char *def, ObjectClass **soc, int dupok )
+register_oc( const char *def, ObjectClass **soc, int dupok )
 {
 	LDAPObjectClass *oc;
 	int code;

Modified: openldap/trunk/servers/slapd/oidm.c
===================================================================
--- openldap/trunk/servers/slapd/oidm.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/oidm.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* oidm.c - object identifier macro routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/oidm.c,v 1.21.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/oidm.c,v 1.21.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/operation.c
===================================================================
--- openldap/trunk/servers/slapd/operation.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/operation.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* operation.c - routines to deal with pending ldap operations */
-/* $OpenLDAP: pkg/ldap/servers/slapd/operation.c,v 1.75.2.4 2007/11/07 20:58:38 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/operation.c,v 1.75.2.8 2008/02/12 20:48:44 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -117,13 +117,10 @@
 	op->o_controls = opbuf->ob_controls;
 
 	if ( ctx ) {
-		Operation *op2;
-		void *otmp = NULL;
-		ldap_pvt_thread_pool_getkey( ctx, (void *)slap_op_free, &otmp, NULL );
-		op2 = otmp;
+		void *op2 = NULL;
+		ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free,
+			op, slap_op_q_destroy, &op2, NULL );
 		LDAP_STAILQ_NEXT( op, o_next ) = op2;
-		ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free, (void *)op,
-			slap_op_q_destroy );
 	} else {
 		ber_memfree_x( op, NULL );
 	}
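Review bot: The result of `ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free, op, slap_op_q_destroy, &op2, NULL )` is discarded in the `if ( ctx )` branch. If that call can fail to store the key, `op` ends up neither on the per-thread free list nor released through `ber_memfree_x`, and `op2` stays NULL. Checking the return value and falling back to the `else` path would close that gap: `if ( ldap_pvt_thread_pool_setkey( ... ) != 0 ) { ber_memfree_x( op, NULL ); return; }` placed before the `LDAP_STAILQ_NEXT( op, o_next ) = op2;` assignment. The enclosing function starts outside this hunk, so whether an early return is safe there should be confirmed.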
@@ -132,8 +129,8 @@
 void
 slap_op_time(time_t *t, int *nop)
 {
-	*t = slap_get_time();
 	ldap_pvt_thread_mutex_lock( &slap_op_mutex );
+	*t = slap_get_time();
 	if ( *t == last_time ) {
 		*nop = ++last_incr;
 	} else {
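Review bot: Nothing at the moved `*t = slap_get_time();` records why the clock has to be read after `ldap_pvt_thread_mutex_lock( &slap_op_mutex )`, so a later cleanup could hoist it back out of the critical section. Presumably the point is that the timestamp and the `last_incr` counter must be taken together so two threads cannot interleave them. A one-line comment would pin that down: `/* read the clock under slap_op_mutex so (time, counter) pairs are issued in order */`. The body of slap_op_time continues past the end of this hunk.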
@@ -160,8 +157,8 @@
 		if ( otmp ) {
 			op = otmp;
 			otmp = LDAP_STAILQ_NEXT( op, o_next );
-			ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free, otmp,
-				slap_op_q_destroy );
+			ldap_pvt_thread_pool_setkey( ctx, (void *)slap_op_free,
+				otmp, slap_op_q_destroy, NULL, NULL );
 		}
 	}
 	if (!op) {

Modified: openldap/trunk/servers/slapd/operational.c
===================================================================
--- openldap/trunk/servers/slapd/operational.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/operational.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 /* operational.c - routines to deal with on-the-fly operational attrs */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/overlays/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/overlays/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for overlays
-# $OpenLDAP: pkg/ldap/servers/slapd/overlays/Makefile.in,v 1.41.2.4 2007/10/23 21:25:37 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/overlays/Makefile.in,v 1.41.2.5 2008/02/11 23:26:48 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2003-2007 The OpenLDAP Foundation.
+## Copyright 2003-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/overlays/accesslog.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/accesslog.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/accesslog.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* accesslog.c - log operations for audit/history purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/accesslog.c,v 1.37.2.13 2007/12/10 18:03:30 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/accesslog.c,v 1.37.2.17 2008/05/01 20:37:48 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions copyright 2004-2005 Symas Corporation.
  * All rights reserved.
  *
@@ -67,7 +67,6 @@
 	Entry *li_old;
 	log_attr *li_oldattrs;
 	int li_success;
-	int li_unlock;
 	ldap_pvt_thread_rmutex_t li_op_rmutex;
 	ldap_pvt_thread_mutex_t li_log_mutex;
 } log_info;
@@ -770,9 +769,11 @@
 			if ( li->li_task ) {
 				struct re_s *re = li->li_task;
 				li->li_task = NULL;
+				ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 				if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
 					ldap_pvt_runqueue_stoptask( &slapd_rq, re );
 				ldap_pvt_runqueue_remove( &slapd_rq, re );
+				ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 			}
 			li->li_age = 0;
 			li->li_cycle = 0;
@@ -844,12 +845,15 @@
 					struct re_s *re = li->li_task;
 					if ( re )
 						re->interval.tv_sec = li->li_cycle;
-					else
+					else {
+						ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 						li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
 							li->li_cycle, accesslog_purge, li,
 							"accesslog_purge", li->li_db ?
 								li->li_db->be_suffix[0].bv_val :
 								c->be->be_suffix[0].bv_val );
+						ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+					}
 				}
 			}
 			break;
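Review bot: Only the `else` branch is covered by the new `slapd_rq.rq_mutex` lock; the `if ( re )` branch still writes `re->interval.tv_sec = li->li_cycle;` on an already queued task without holding it. If the run queue reads `interval` when it reschedules tasks, which this hunk does not show, that write can race with it. Taking the lock before `if ( re )` and releasing it after the `else` block would cover both paths with the same two calls. The surrounding `case` starts outside the hunk.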
@@ -1339,10 +1343,17 @@
 		return SLAP_CB_CONTINUE;
 
 	if ( lo->mask & LOG_OP_WRITES ) {
+		slap_callback *cb;
 		ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
 		old = li->li_old;
 		li->li_old = NULL;
-		li->li_unlock = 0;
+		/* Disarm mod_cleanup */
+		for ( cb = op->o_callback; cb; cb = cb->sc_next ) {
+			if ( cb->sc_private == (void *)on ) {
+				cb->sc_private = NULL;
+				break;
+			}
+		}
 		ldap_pvt_thread_rmutex_unlock( &li->li_op_rmutex, op->o_tid );
 	}
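Review bot: The disarm loop identifies the callback only by `cb->sc_private == (void *)on`, so any other callback on `op->o_callback` that stores the same overlay pointer as its private data would have it cleared instead. Matching on the cleanup handler as well makes the intent exact: `if ( cb->sc_cleanup == accesslog_mod_cleanup && cb->sc_private == (void *)on ) {`. That handler is defined further down the file, so a forward declaration may be needed. The function this loop belongs to starts outside the hunk.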
 
@@ -1693,12 +1704,11 @@
 {
 	slap_callback *sc = op->o_callback;
 	slap_overinst *on = sc->sc_private;
-	log_info *li = on->on_bi.bi_private;
 	op->o_callback = sc->sc_next;
 
 	op->o_tmpfree( sc, op->o_tmpmemctx );
 
-	if ( li->li_unlock ) {
+	if ( on ) {
 		BackendInfo *bi = op->o_bd->bd_info;
 		op->o_bd->bd_info = (BackendInfo *)on;
 		accesslog_response( op, rs );
@@ -1714,15 +1724,15 @@
 	log_info *li = on->on_bi.bi_private;
 
 	if ( li->li_ops & LOG_OP_WRITES ) {
-		slap_callback *cb = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx );
+		slap_callback *cb = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx ), *cb2;
 		cb->sc_cleanup = accesslog_mod_cleanup;
 		cb->sc_response = NULL;
 		cb->sc_private = on;
-		cb->sc_next = op->o_callback;
-		op->o_callback = cb;
+		cb->sc_next = NULL;
+		for ( cb2 = op->o_callback; cb2->sc_next; cb2 = cb2->sc_next );
+		cb2->sc_next = cb;
 
 		ldap_pvt_thread_rmutex_lock( &li->li_op_rmutex, op->o_tid );
-		li->li_unlock = 1;
 		if ( li->li_oldf && ( op->o_tag == LDAP_REQ_DELETE ||
 			op->o_tag == LDAP_REQ_MODIFY ||
 			( op->o_tag == LDAP_REQ_MODRDN && li->li_oldattrs ))) {
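Review bot: The tail-append loop `for ( cb2 = op->o_callback; cb2->sc_next; cb2 = cb2->sc_next );` dereferences `op->o_callback` without checking it. The removed prepend (`cb->sc_next = op->o_callback; op->o_callback = cb;`) worked with an empty list, whereas the new code would dereference NULL unless every caller guarantees at least one callback is installed. Walking a pointer-to-pointer handles both cases: `slap_callback **cbp;`, then `for ( cbp = &op->o_callback; *cbp; cbp = &(*cbp)->sc_next );` and `*cbp = cb;`. If the non-empty list is an invariant of the overlay framework, an `assert( op->o_callback != NULL );` with a comment would document it. The function starts and ends outside this hunk.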
@@ -2017,8 +2027,10 @@
 		ber_dupbv( &li->li_db->be_rootndn, li->li_db->be_nsuffix );
 	}
 
+	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 	ldap_pvt_runqueue_insert( &slapd_rq, 3600, accesslog_db_root, on,
 		"accesslog_db_root", li->li_db->be_suffix[0].bv_val );
+	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 
 	return 0;
 }

Modified: openldap/trunk/servers/slapd/overlays/auditlog.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/auditlog.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/auditlog.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* auditlog.c - log modifications for audit/history purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/auditlog.c,v 1.7.2.5 2007/11/27 19:59:20 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/auditlog.c,v 1.7.2.7 2008/04/14 21:18:48 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions copyright 2004-2005 Symas Corporation.
  * All rights reserved.
  *
@@ -74,7 +74,7 @@
 	Modifications *m;
 	struct berval *b, *who = NULL;
 	char *what, *suffix;
-	long stamp = slap_get_time();
+	time_t stamp;
 	int i;
 
 	if ( rs->sr_err != LDAP_SUCCESS ) return SLAP_CB_CONTINUE;
@@ -125,8 +125,9 @@
 		return SLAP_CB_CONTINUE;
 	}
 
+	stamp = slap_get_time();
 	fprintf(f, "# %s %ld %s%s%s\n",
-		what, stamp, suffix, who ? " " : "", who ? who->bv_val : "");
+		what, (long)stamp, suffix, who ? " " : "", who ? who->bv_val : "");
 
 	if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) &&
 		(!who || !dn_match( who, &op->o_conn->c_dn )))
@@ -173,7 +174,7 @@
 		break;
 	}
 
-	fprintf(f, "# end %s %ld\n\n", what, stamp);
+	fprintf(f, "# end %s %ld\n\n", what, (long)stamp);
 
 	fclose(f);
 	ldap_pvt_thread_mutex_unlock(&ad->ad_mutex);

Modified: openldap/trunk/servers/slapd/overlays/collect.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/collect.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/collect.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* collect.c - Demonstration of overlay code */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/collect.c,v 1.5.2.3 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/collect.c,v 1.5.2.4 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Howard Chu.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/overlays/constraint.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/constraint.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/constraint.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,8 @@
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/constraint.c,v 1.2.2.7 2008/02/11 23:46:12 quanah Exp $ */
 /* constraint.c - Overlay to constrain attributes to certain values */
 /* 
- *
  * Copyright 2003-2004 Hewlett-Packard Company
+ * Copyright 2007 Emmanuel Dreyfus
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13,7 +14,8 @@
  * <http://www.OpenLDAP.org/license.html>.
  */
 /*
- * Author: Neil Dunbar <neil.dunbar at hp.com>
+ * Authors: Neil Dunbar <neil.dunbar at hp.com>
+ *			Emmannuel Dreyfus <manu at netbsd.org>
  */
 #include "portable.h"
 
@@ -25,6 +27,7 @@
 #include <ac/socket.h>
 #include <ac/regex.h>
 
+#include "lutil.h"
 #include "slap.h"
 #include "config.h"
 
@@ -37,6 +40,7 @@
  */
 
 #define REGEX_STR "regex"
+#define URI_STR "uri"
 
 /*
  * Linked list of attribute constraints which we should enforce.
@@ -47,298 +51,488 @@
  */
 
 typedef struct constraint {
-    struct constraint *ap_next;
-    AttributeDescription *ap;
-    regex_t *re;
-    char *re_str; /* string representation of regex */
+	struct constraint *ap_next;
+	AttributeDescription *ap;
+	regex_t *re;
+	LDAPURLDesc *lud;
+	AttributeDescription **attrs;
+	struct berval val; /* constraint value */
+	struct berval dn;
+	struct berval filter;
 } constraint;
 
 enum {
-    CONSTRAINT_ATTRIBUTE = 1
+	CONSTRAINT_ATTRIBUTE = 1
 };
 
 static ConfigDriver constraint_cf_gen;
 
 static ConfigTable constraintcfg[] = {
-    { "constraint_attribute", "attribute regex <regular expression>",
-      4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
-      "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
-      "DESC 'regular expression constraint for attribute' "
+	{ "constraint_attribute", "attribute> (regex|uri) <value",
+	  4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
+	  "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
+	  "DESC 'regular expression constraint for attribute' "
 	  "EQUALITY caseIgnoreMatch "
-      "SYNTAX OMsDirectoryString )", NULL, NULL },
-    { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+	  "SYNTAX OMsDirectoryString )", NULL, NULL },
+	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
 
 static ConfigOCs constraintocs[] = {
-    { "( OLcfgOvOc:13.1 "
-      "NAME 'olcConstraintConfig' "
-      "DESC 'Constraint overlay configuration' "
-      "SUP olcOverlayConfig "
-      "MAY ( olcConstraintAttribute ) )",
-      Cft_Overlay, constraintcfg },
-    { NULL, 0, NULL }
+	{ "( OLcfgOvOc:13.1 "
+	  "NAME 'olcConstraintConfig' "
+	  "DESC 'Constraint overlay configuration' "
+	  "SUP olcOverlayConfig "
+	  "MAY ( olcConstraintAttribute ) )",
+	  Cft_Overlay, constraintcfg },
+	{ NULL, 0, NULL }
 };
 
+static void
+constraint_free( constraint *cp )
+{
+	if (cp->re) {
+		regfree(cp->re);
+		ch_free(cp->re);
+	}
+	if (!BER_BVISNULL(&cp->val))
+		ch_free(cp->val.bv_val);
+	if (cp->lud)
+		ldap_free_urldesc(cp->lud);
+	if (cp->attrs)
+		ch_free(cp->attrs);
+	ch_free(cp);
+}
+
 static int
 constraint_cf_gen( ConfigArgs *c )
 {
-    slap_overinst *on = (slap_overinst *)(c->bi);
-    constraint *cn = on->on_bi.bi_private, *cp;
-    struct berval bv;
-    int i, rc = 0;
-    constraint ap = { NULL, NULL, NULL  }, *a2 = NULL;
-    const char *text = NULL;
-    
-    switch ( c->op ) {
-        case SLAP_CONFIG_EMIT:
-            switch (c->type) {
-                case CONSTRAINT_ATTRIBUTE:
-                    for (cp=cn; cp; cp=cp->ap_next) {
-                        int len;
-                        char *s;
-                        
-                        len = cp->ap->ad_cname.bv_len +
-                            strlen( REGEX_STR ) + strlen( cp->re_str) + 3;
-                        s = ch_malloc(len);
-                        if (!s) continue;
-                        snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
-                                 REGEX_STR, cp->re_str);
-                        bv.bv_val = s;
-                        bv.bv_len = strlen(s);
-                        rc = value_add_one( &c->rvalue_vals, &bv );
-                        if (rc) return rc;
-                        rc = value_add_one( &c->rvalue_nvals, &bv );
-                        if (rc) return rc;
-                        ch_free(s);
-                    }
-                    break;
-                default:
-                    abort();
-                    break;
-            }
-            break;
-        case LDAP_MOD_DELETE:
-            switch (c->type) {
-                case CONSTRAINT_ATTRIBUTE:
-                    if (!cn) break; /* nothing to do */
-                    
-                    if (c->valx < 0) {
-                            /* zap all constraints */
-                        while (cn) {
-                            cp = cn->ap_next;
-                            if (cn->re) {
-                                regfree(cn->re);
-                                ch_free(cn->re);
-                            }
-                            if (cn->re_str) ch_free(cn->re_str);
-                            ch_free(cn);
-                            cn = cp;
-                        }
-                        
-                        on->on_bi.bi_private = NULL;
-                    } else {
-                        constraint **cpp;
-                        
-                            /* zap constraint numbered 'valx' */
-                        for(i=0, cp = cn, cpp = &cn;
-                            (cp) && (i<c->valx);
-                            i++, cpp = &cp->ap_next, cp = *cpp);
+	slap_overinst *on = (slap_overinst *)(c->bi);
+	constraint *cn = on->on_bi.bi_private, *cp;
+	struct berval bv;
+	int i, rc = 0;
+	constraint ap = { NULL, NULL, NULL	}, *a2 = NULL;
+	const char *text = NULL;
+	
+	switch ( c->op ) {
+	case SLAP_CONFIG_EMIT:
+		switch (c->type) {
+		case CONSTRAINT_ATTRIBUTE:
+			for (cp=cn; cp; cp=cp->ap_next) {
+				int len;
+				char *s;
+				char *tstr = NULL;
 
-                        if (cp) {
-                                /* zap cp, and join cpp to cp->ap_next */
-                            *cpp = cp->ap_next;
-                            if (cp->re) {
-                                regfree(cp->re);
-                                ch_free(cp->re);
-                            }
-                            if (cp->re_str) ch_free(cp->re_str);
-                            ch_free(cp);
-                        }
-                        on->on_bi.bi_private = cn;
-                    }
-                    
-                    break;
-                default:
-                    abort();
-                    break;
-            }
-            break;
-        case SLAP_CONFIG_ADD:
-        case LDAP_MOD_ADD:
-            switch (c->type) {
-                case CONSTRAINT_ATTRIBUTE:
-                    if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
-						snprintf( c->cr_msg, sizeof( c->cr_msg ),
-							"%s <%s>: %s\n", c->argv[0], c->argv[1], text );
-                        Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
-                               "%s: %s\n", c->log, c->cr_msg, 0 );
-                        return( ARG_BAD_CONF );
-                    }
+				len = cp->ap->ad_cname.bv_len + 3;
+				if (cp->re) {
+					len += STRLENOF(REGEX_STR);
+					tstr = REGEX_STR;
+				} else if (cp->lud) {
+					len += STRLENOF(URI_STR);
+					tstr = URI_STR;
+				}
+				len += cp->val.bv_len;
 
-                    if ( strcasecmp( c->argv[2], "regex" ) == 0) {
-                        int err;
-            
-                        ap.re = ch_malloc( sizeof(regex_t) );
-                        if ((err = regcomp( ap.re,
-                                            c->argv[3], REG_EXTENDED )) != 0) {
-                            char errmsg[1024];
-                            
-                            regerror( err, ap.re, errmsg, sizeof(errmsg) );
-                            ch_free(ap.re);
+				s = ch_malloc(len);
+
+				bv.bv_len = snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
+						 tstr, cp->val.bv_val);
+				bv.bv_val = s;
+				rc = value_add_one( &c->rvalue_vals, &bv );
+				if (rc) return rc;
+				rc = value_add_one( &c->rvalue_nvals, &bv );
+				if (rc) return rc;
+				ch_free(s);
+			}
+			break;
+		default:
+			abort();
+			break;
+		}
+		break;
+	case LDAP_MOD_DELETE:
+		switch (c->type) {
+		case CONSTRAINT_ATTRIBUTE:
+			if (!cn) break; /* nothing to do */
+					
+			if (c->valx < 0) {
+				/* zap all constraints */
+				while (cn) {
+					cp = cn->ap_next;
+					constraint_free( cn );
+					cn = cp;
+				}
+						
+				on->on_bi.bi_private = NULL;
+			} else {
+				constraint **cpp;
+						
+				/* zap constraint numbered 'valx' */
+				for(i=0, cp = cn, cpp = &cn;
+					(cp) && (i<c->valx);
+					i++, cpp = &cp->ap_next, cp = *cpp);
+
+				if (cp) {
+					/* zap cp, and join cpp to cp->ap_next */
+					*cpp = cp->ap_next;
+					constraint_free( cp );
+				}
+				on->on_bi.bi_private = cn;
+			}
+			break;
+
+		default:
+			abort();
+			break;
+		}
+		break;
+	case SLAP_CONFIG_ADD:
+	case LDAP_MOD_ADD:
+		switch (c->type) {
+		case CONSTRAINT_ATTRIBUTE:
+			if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
+				snprintf( c->cr_msg, sizeof( c->cr_msg ),
+					"%s <%s>: %s\n", c->argv[0], c->argv[1], text );
+				Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+					   "%s: %s\n", c->log, c->cr_msg, 0 );
+				return( ARG_BAD_CONF );
+			}
+
+			if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
+				int err;
+			
+				ap.re = ch_malloc( sizeof(regex_t) );
+				if ((err = regcomp( ap.re,
+					c->argv[3], REG_EXTENDED )) != 0) {
+					char errmsg[1024];
+							
+					regerror( err, ap.re, errmsg, sizeof(errmsg) );
+					ch_free(ap.re);
+					snprintf( c->cr_msg, sizeof( c->cr_msg ),
+					   "%s %s: Illegal regular expression \"%s\": Error %s",
+					   c->argv[0], c->argv[1], c->argv[3], errmsg);
+					Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+						"%s: %s\n", c->log, c->cr_msg, 0 );
+					ap.re = NULL;
+					return( ARG_BAD_CONF );
+				}
+				ber_str2bv( c->argv[3], 0, 1, &ap.val );
+			} else if ( strcasecmp( c->argv[2], URI_STR ) == 0) {
+				int err;
+			
+				err = ldap_url_parse(c->argv[3], &ap.lud);
+				if ( err != LDAP_URL_SUCCESS ) {
+					snprintf( c->cr_msg, sizeof( c->cr_msg ),
+						"%s %s: Invalid URI \"%s\"",
+						c->argv[0], c->argv[1], c->argv[3]);
+					Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+						"%s: %s\n", c->log, c->cr_msg, 0 );
+					return( ARG_BAD_CONF );
+				}
+
+				if (ap.lud->lud_host != NULL) {
+					snprintf( c->cr_msg, sizeof( c->cr_msg ),
+						"%s %s: unsupported hostname in URI \"%s\"",
+						c->argv[0], c->argv[1], c->argv[3]);
+					Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+						"%s: %s\n", c->log, c->cr_msg, 0 );
+
+					ldap_free_urldesc(ap.lud);
+
+					return( ARG_BAD_CONF );
+				}
+
+				for ( i=0; ap.lud->lud_attrs[i]; i++);
+				/* FIXME: This is worthless without at least one attr */
+				if ( i ) {
+					ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
+					for ( i=0; ap.lud->lud_attrs[i]; i++) {
+						ap.attrs[i] = NULL;
+						if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
+							ch_free( ap.attrs );
 							snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                                   "%s %s: Illegal regular expression \"%s\": Error %s",
-                                   c->argv[0], c->argv[1], c->argv[3], errmsg);
-                            Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
-									"%s: %s\n", c->log, c->cr_msg, 0 );
-                            ap.re = NULL;
-                            return( ARG_BAD_CONF );
-                        }
-                        ap.re_str = ch_strdup( c->argv[3] );
-                    } else {
-						snprintf( c->cr_msg, sizeof( c->cr_msg ),
-                               "%s %s: Unknown constraint type: %s",
-                               c->argv[0], c->argv[1], c->argv[2] );
-                        Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
-                               "%s: %s\n", c->log, c->cr_msg, 0 );
-                        return ( ARG_BAD_CONF );
-                    }
-                    
+								"%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
+							Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+								   "%s: %s\n", c->log, c->cr_msg, 0 );
+							return( ARG_BAD_CONF );
+						}
+					}
+					ap.attrs[i] = NULL;
+				}
 
-                    a2 = ch_malloc( sizeof(constraint) );
-                    a2->ap_next = on->on_bi.bi_private;
-                    a2->ap = ap.ap;
-                    a2->re = ap.re;
-                    a2->re_str = ap.re_str;
-                    on->on_bi.bi_private = a2;
-                    break;
-                default:
-                    abort();
-                    break;
-            }
-            break;
-        default:
-            abort();
-    }
+				if (ap.lud->lud_dn == NULL)
+					ap.lud->lud_dn = ch_strdup("");
 
-    return rc;
+				if (ap.lud->lud_filter == NULL)
+					ap.lud->lud_filter = ch_strdup("objectClass=*");
+
+				ber_str2bv( c->argv[3], 0, 1, &ap.val );
+			} else {
+				snprintf( c->cr_msg, sizeof( c->cr_msg ),
+				   "%s %s: Unknown constraint type: %s",
+				   c->argv[0], c->argv[1], c->argv[2] );
+				Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+				   "%s: %s\n", c->log, c->cr_msg, 0 );
+				return ( ARG_BAD_CONF );
+			}
+
+			a2 = ch_calloc( sizeof(constraint), 1 );
+			a2->ap_next = on->on_bi.bi_private;
+			a2->ap = ap.ap;
+			a2->re = ap.re;
+			a2->val = ap.val;
+			a2->lud = ap.lud;
+			if ( a2->lud ) {
+				ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
+				ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
+			}
+			a2->attrs = ap.attrs;
+			on->on_bi.bi_private = a2;
+			break;
+		default:
+			abort();
+			break;
+		}
+		break;
+	default:
+		abort();
+	}
+
+	return rc;
 }
 
 static int
-constraint_violation( constraint *c, struct berval *bv )
+constraint_uri_cb( Operation *op, SlapReply *rs ) 
 {
-    if ((!c) || (!bv)) return 0;
-    
-    if ((c->re) &&
-        (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
-        
-        return 1; /* regular expression violation */
-    
-    return 0;
+	if(rs->sr_type == REP_SEARCH) {
+		int *foundp = op->o_callback->sc_private;
+
+		*foundp = 1;
+
+		Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
+			rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
+	}
+	return 0;
 }
 
+static int
+constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply *rs)
+{
+	if ((!c) || (!bv)) return 0;
+	
+	if ((c->re) &&
+		(regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
+		return 1; /* regular expression violation */
+
+	if (c->lud) {
+		Operation nop = *op;
+		slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+		slap_callback cb;
+		SlapReply nrs = { REP_RESULT };
+		int i;
+		int found;
+		int rc;
+		size_t len;
+		struct berval filterstr;
+		char *ptr;
+
+		found = 0;
+
+		nrs.sr_entry = NULL;
+		nrs.sr_nentries = 0;
+
+		cb.sc_next = NULL;
+		cb.sc_response = constraint_uri_cb;
+		cb.sc_cleanup = NULL;
+		cb.sc_private = &found;
+
+		nop.o_protocol = LDAP_VERSION3;
+		nop.o_tag = LDAP_REQ_SEARCH;
+		nop.o_time = slap_get_time();
+		if (c->lud->lud_dn) {
+			struct berval dn;
+
+			ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
+			nop.o_req_dn = dn;
+			nop.o_req_ndn = dn;
+			nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
+			if (!nop.o_bd || !nop.o_bd->be_search) {
+				return 1; /* unexpected error */
+			}
+		} else {
+			nop.o_req_dn = nop.o_bd->be_nsuffix[0];
+			nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
+			nop.o_bd = on->on_info->oi_origdb;
+		}
+		nop.o_do_not_cache = 1;
+		nop.o_callback = &cb;
+
+		nop.ors_scope = c->lud->lud_scope;
+		nop.ors_deref = LDAP_DEREF_NEVER;
+		nop.ors_slimit = SLAP_NO_LIMIT;
+		nop.ors_tlimit = SLAP_NO_LIMIT;
+		nop.ors_limit = NULL;
+
+		nop.ors_attrsonly = 0;
+		nop.ors_attrs = slap_anlist_no_attrs;
+
+		len = STRLENOF("(&(") + 
+			  c->filter.bv_len +
+			  STRLENOF(")(|");
+
+		for (i = 0; c->attrs[i]; i++) {
+			len += STRLENOF("(") +
+				   c->attrs[i]->ad_cname.bv_len +
+				   STRLENOF("=") + 
+				   bv->bv_len +
+				   STRLENOF(")");
+		}
+
+		len += STRLENOF("))");
+		filterstr.bv_len = len;
+		filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
+
+		ptr = filterstr.bv_val +
+			snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
+		for (i = 0; c->attrs[i]; i++) {
+			*ptr++ = '(';
+			ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
+			*ptr++ = '=';
+			ptr = lutil_strcopy( ptr, bv->bv_val );
+			*ptr++ = ')';
+		}
+		*ptr++ = ')';
+		*ptr++ = ')';
+
+		Debug(LDAP_DEBUG_TRACE, 
+			"==> constraint_violation uri filter = %s\n",
+			filterstr.bv_val, 0, 0);
+
+		nop.ors_filterstr = filterstr;
+		nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
+
+		rc = nop.o_bd->be_search( &nop, &nrs );
+		
+		op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
+		Debug(LDAP_DEBUG_TRACE, 
+			"==> constraint_violation uri rc = %d, found = %d\n",
+			rc, found, 0);
+
+		if((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
+			send_ldap_error(op, rs, rc, 
+				"constraint_violation uri search failed");
+			return 1; /* unexpected error */
+		}
+
+		if (!found)
+			return 1; /* constraint violation */
+			
+	}
+	
+	return 0;
+}
+
 static char *
-print_message( const char *errtext, AttributeDescription *a )
+print_message( struct berval *errtext, AttributeDescription *a )
 {
-    char *ret;
-    int sz;
-    
-    sz = strlen(errtext) + sizeof(" on ") + a->ad_cname.bv_len;
-    ret = ch_malloc(sz);
-    snprintf( ret, sz, "%s on %s", errtext, a->ad_cname.bv_val );
-    return ret;
+	char *ret;
+	int sz;
+	
+	sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
+	ret = ch_malloc(sz);
+	snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
+	return ret;
 }
 
 static int
 constraint_add( Operation *op, SlapReply *rs )
 {
-    slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
-    Attribute *a;
-    constraint *c = on->on_bi.bi_private, *cp;
-    BerVarray b = NULL;
-    int i;
-    const char *rsv = "add breaks regular expression constraint";
-    char *msg;
-    
-    if ((a = op->ora_e->e_attrs) == NULL) {
-        op->o_bd->bd_info = (BackendInfo *)(on->on_info);
-        send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
-                        "constraint_add() got null op.ora_e.e_attrs");
-        return(rs->sr_err);
-    }
+	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+	Attribute *a;
+	constraint *c = on->on_bi.bi_private, *cp;
+	BerVarray b = NULL;
+	int i;
+	struct berval rsv = BER_BVC("add breaks constraint");
+	char *msg;
 
-    for(; a; a = a->a_next ) {
-            /* we don't constrain operational attributes */
-    
-        if (is_at_operational(a->a_desc->ad_type)) continue;
-        
-        for(cp = c; cp; cp = cp->ap_next) {
-            if (cp->ap != a->a_desc) continue;
-            if ((b = a->a_vals) == NULL) continue;
-                
-            for(i=0; b[i].bv_val; i++) {
-                int cv = constraint_violation( cp, &b[i]);
-                    
-                if (cv) {
-                        /* regex violation */
-                    op->o_bd->bd_info = (BackendInfo *)(on->on_info);
-                    msg = print_message( rsv, a->a_desc );
-                    send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
-                    ch_free(msg);
-                    return (rs->sr_err);
-                }
-            }
-        }
-    }
+	if ((a = op->ora_e->e_attrs) == NULL) {
+		op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+		send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
+			"constraint_add() got null op.ora_e.e_attrs");
+		return(rs->sr_err);
+	}
+
+	for(; a; a = a->a_next ) {
+		/* we don't constrain operational attributes */
+		if (is_at_operational(a->a_desc->ad_type)) continue;
+
+		for(cp = c; cp; cp = cp->ap_next) {
+			if (cp->ap != a->a_desc) continue;
+			if ((b = a->a_vals) == NULL) continue;
+				
+			for(i=0; b[i].bv_val; i++) {
+				int cv = constraint_violation( cp, &b[i], op, rs);
+					
+				if (cv) {
+					/* violation */
+					op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+					msg = print_message( &rsv, a->a_desc );
+					send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
+					ch_free(msg);
+					return (rs->sr_err);
+				}
+			}
+		}
+	}
 	/* Default is to just fall through to the normal processing */
-    return SLAP_CB_CONTINUE;
+	return SLAP_CB_CONTINUE;
 }
 
 static int
 constraint_modify( Operation *op, SlapReply *rs )
 {
-    slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
-    constraint *c = on->on_bi.bi_private, *cp;
-    Modifications *m;
-    BerVarray b = NULL;
-    int i;
-    const char *rsv = "modify breaks regular expression constraint";
-    char *msg;
-    
-    if ((m = op->orm_modlist) == NULL) {
-        op->o_bd->bd_info = (BackendInfo *)(on->on_info);
-        send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
-                        "constraint_modify() got null orm_modlist");
-        return(rs->sr_err);
-    }
+	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
+	constraint *c = on->on_bi.bi_private, *cp;
+	Modifications *m;
+	BerVarray b = NULL;
+	int i;
+	struct berval rsv = BER_BVC("modify breaks constraint");
+	char *msg;
+	
+	if ((m = op->orm_modlist) == NULL) {
+		op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+		send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
+						"constraint_modify() got null orm_modlist");
+		return(rs->sr_err);
+	}
 
-    for(;m; m = m->sml_next) {
-        if (is_at_operational( m->sml_desc->ad_type )) continue;
-        if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
-            (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
-            continue;
-            /* we only care about ADD and REPLACE modifications */
-        if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
-            continue;
+	for(;m; m = m->sml_next) {
+		if (is_at_operational( m->sml_desc->ad_type )) continue;
+		if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
+			(( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
+			continue;
+		/* we only care about ADD and REPLACE modifications */
+		if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
+			continue;
 
-        for(cp = c; cp; cp = cp->ap_next) {
-            if (cp->ap != m->sml_desc) continue;
-            
-            for(i=0; b[i].bv_val; i++) {
-                int cv = constraint_violation( cp, &b[i]);
-                
-                if (cv) {
-                        /* regex violation */
-                    op->o_bd->bd_info = (BackendInfo *)(on->on_info);
-                    msg = print_message( rsv, m->sml_desc );
-                    send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
-                    ch_free(msg);
-                    return (rs->sr_err);
-                }
-            }
-        }
-    }
-    
-    return SLAP_CB_CONTINUE;
+		for(cp = c; cp; cp = cp->ap_next) {
+			if (cp->ap != m->sml_desc) continue;
+			
+			for(i=0; b[i].bv_val; i++) {
+				int cv = constraint_violation( cp, &b[i], op, rs);
+				
+				if (cv) {
+					/* violation */
+					op->o_bd->bd_info = (BackendInfo *)(on->on_info);
+					msg = print_message( &rsv, m->sml_desc );
+					send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
+					ch_free(msg);
+					return (rs->sr_err);
+				}
+			}
+		}
+	}
+	
+	return SLAP_CB_CONTINUE;
 }
 
 static int
@@ -346,54 +540,43 @@
 	BackendDB *be,
 	ConfigReply *cr )
 {
-    slap_overinst *on = (slap_overinst *) be->bd_info;
-    constraint *ap, *a2;
+	slap_overinst *on = (slap_overinst *) be->bd_info;
+	constraint *ap, *a2;
 
-    for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
-        a2 = ap->ap_next;
-        if (ap->re_str) ch_free(ap->re_str);
-        if (ap->re) {
-            regfree( ap->re );
-            ch_free( ap->re );
-        }
-        
-        ch_free( ap );
-    }
+	for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
+		a2 = ap->ap_next;
+		constraint_free( ap );
+	}
 
-    return 0;
+	return 0;
 }
 
 static slap_overinst constraint_ovl;
 
-/* This overlay is set up for dynamic loading via moduleload. For static
- * configuration, you'll need to arrange for the slap_overinst to be
- * initialized and registered by some other function inside slapd.
- */
-
 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
 static
 #endif
 int
 constraint_initialize( void ) {
-    int rc;
+	int rc;
 
-    constraint_ovl.on_bi.bi_type = "constraint";
-    constraint_ovl.on_bi.bi_db_close = constraint_close;
-    constraint_ovl.on_bi.bi_op_add = constraint_add;
-    constraint_ovl.on_bi.bi_op_modify = constraint_modify;
+	constraint_ovl.on_bi.bi_type = "constraint";
+	constraint_ovl.on_bi.bi_db_close = constraint_close;
+	constraint_ovl.on_bi.bi_op_add = constraint_add;
+	constraint_ovl.on_bi.bi_op_modify = constraint_modify;
 
-    constraint_ovl.on_bi.bi_private = NULL;
-    
-    constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
-    rc = config_register_schema( constraintcfg, constraintocs );
-    if (rc) return rc;
-    
-    return overlay_register( &constraint_ovl );
+	constraint_ovl.on_bi.bi_private = NULL;
+	
+	constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
+	rc = config_register_schema( constraintcfg, constraintocs );
+	if (rc) return rc;
+	
+	return overlay_register( &constraint_ovl );
 }
 
 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
 int init_module(int argc, char *argv[]) {
-    return constraint_initialize();
+	return constraint_initialize();
 }
 #endif
 

Modified: openldap/trunk/servers/slapd/overlays/dds.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/dds.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/dds.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dds.c,v 1.7.2.7 2007/12/10 17:51:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dds.c,v 1.7.2.9 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2005-2006 SysNet s.n.c.
  * All rights reserved.
  *
@@ -395,7 +395,7 @@
 	/* handle dynamic object operational attr(s) */
 	if ( is_dynamicObject ) {
 		time_t		ttl, expire;
-		char		ttlbuf[] = "31557600";
+		char		ttlbuf[STRLENOF("31557600") + 1];
 		char		tsbuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
 		struct berval	bv;
 
@@ -414,10 +414,12 @@
 
 		ttl = DDS_DEFAULT_TTL( di );
 
+		/* assert because should be checked at configure */
 		assert( ttl <= DDS_RF2589_MAX_TTL );
 
 		bv.bv_val = ttlbuf;
 		bv.bv_len = snprintf( ttlbuf, sizeof( ttlbuf ), "%ld", ttl );
+		assert( bv.bv_len < sizeof( ttlbuf ) );
 
 		/* FIXME: apparently, values in op->ora_e are malloc'ed
 		 * on the thread's slab; works fine by chance,
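Review bot: The added `assert( bv.bv_len < sizeof( ttlbuf ) )` is the only guard against a truncated `snprintf`, and it disappears in builds compiled with NDEBUG. If `ttl` ever formats to more than eight digits, `bv.bv_len` would describe more bytes than `ttlbuf` holds, and later readers of `bv` would run past the buffer. A runtime test such as `if ( bv.bv_len >= sizeof( ttlbuf ) )`, followed by this function's usual error return, removes the dependency on build mode; the function starts and ends outside the hunk, so that return path is not visible here. `%ld` also assumes `time_t` is `long`, which a `(long)ttl` cast would make explicit.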
@@ -1004,7 +1006,7 @@
 		slap_callback	sc = { 0 };
 		Modifications	ttlmod = { { 0 } };
 		struct berval	ttlvalues[ 2 ];
-		char		ttlbuf[] = "31557600";
+		char		ttlbuf[STRLENOF("31557600") + 1];
 
 		rs->sr_err = slap_parse_refresh( op->ore_reqdata, NULL, &ttl,
 			&rs->sr_text, NULL );

Modified: openldap/trunk/servers/slapd/overlays/dyngroup.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/dyngroup.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/dyngroup.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* dyngroup.c - Demonstration of overlay code */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dyngroup.c,v 1.10.2.2 2007/08/31 23:14:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dyngroup.c,v 1.10.2.3 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Copyright 2003 by Howard Chu.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/overlays/dynlist.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/dynlist.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/dynlist.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,10 @@
 /* dynlist.c - dynamic list overlay */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dynlist.c,v 1.20.2.11 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dynlist.c,v 1.20.2.14 2008/05/01 21:19:41 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Pierangelo Masarati.
+ * Portions Copyright 2008 Emmanuel Dreyfus.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -58,16 +59,25 @@
 static AttributeName *slap_anlist_no_attrs = anlist_no_attrs;
 #endif
 
-static AttributeDescription *ad_dgIdentity;
+static AttributeDescription *ad_dgIdentity, *ad_dgAuthz;
 
+typedef struct dynlist_map_t {
+	AttributeDescription *dlm_member_ad;
+	AttributeDescription *dlm_mapped_ad;
+	struct dynlist_map_t *dlm_next;
+} dynlist_map_t;
+
 typedef struct dynlist_info_t {
 	ObjectClass		*dli_oc;
 	AttributeDescription	*dli_ad;
-	AttributeDescription	*dli_member_ad;
+	struct dynlist_map_t	*dli_dlm;
 	struct berval		dli_default_filter;
 	struct dynlist_info_t	*dli_next;
 } dynlist_info_t;
 
+#define DYNLIST_USAGE \
+	"\"dynlist-attrset <oc> <URL-ad> [[<mapped-ad>:]<member-ad> ...]\": "
+
 static dynlist_info_t *
 dynlist_is_dynlist_next( Operation *op, SlapReply *rs, dynlist_info_t *old_dli )
 {
@@ -149,6 +159,7 @@
 	AccessControlState	acl_state = ACL_STATE_INIT;
 
 	dynlist_sc_t		*dlc;
+	dynlist_map_t		*dlm;
 
 	if ( rs->sr_type != REP_SEARCH ) {
 		return 0;
@@ -167,7 +178,9 @@
 		goto done;
 	}
 
-	if ( dlc->dlc_dli->dli_member_ad ) {
+	for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
+		if (dlm->dlm_mapped_ad != NULL)
+			continue;
 
 		/* if access allowed, try to add values, emulating permissive
 		 * control to silently ignore duplicates */
@@ -185,8 +198,8 @@
 			BER_BVZERO( &nvals[ 1 ] );
 
 			mod.sm_op = LDAP_MOD_ADD;
-			mod.sm_desc = dlc->dlc_dli->dli_member_ad;
-			mod.sm_type = dlc->dlc_dli->dli_member_ad->ad_cname;
+			mod.sm_desc = dlm->dlm_member_ad;
+			mod.sm_type = dlm->dlm_member_ad->ad_cname;
 			mod.sm_values = vals;
 			mod.sm_nvalues = nvals;
 			mod.sm_numvals = 1;
@@ -282,15 +295,25 @@
 			Modification	mod;
 			const char	*text = NULL;
 			char		textbuf[1024];
+			dynlist_map_t	*dlm;
+			AttributeDescription *ad;
 
 			BER_BVZERO( &vals[j] );
 			if ( nvals ) {
 				BER_BVZERO( &nvals[j] );
 			}
 
+			ad = a->a_desc;
+			for ( dlm = dlc->dlc_dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
+				if ( dlm->dlm_member_ad == a->a_desc ) {
+					ad = dlm->dlm_mapped_ad;
+					break;
+				}
+			}
+
 			mod.sm_op = LDAP_MOD_ADD;
-			mod.sm_desc = a->a_desc;
-			mod.sm_type = a->a_desc->ad_cname;
+			mod.sm_desc = ad;
+			mod.sm_type = ad->ad_cname;
 			mod.sm_values = vals;
 			mod.sm_nvalues = nvals;
 			mod.sm_numvals = j;
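Review bot: `ad = dlm->dlm_mapped_ad;` in the new lookup loop can set `ad` to NULL, because map entries written without a `<mapped-ad>:` prefix are stored with `dlm_mapped_ad = NULL` (the dynlist-attrpair path does this explicitly). The next added line, `mod.sm_type = ad->ad_cname;`, would then dereference NULL while a search result is being expanded, which would bring the server down on an ordinary search. Keep the `a->a_desc` default unless a mapping exists: `if ( dlm->dlm_mapped_ad ) ad = dlm->dlm_mapped_ad;` followed by the `break`. Whether an attribute matching an unmapped member-ad can reach this branch depends on code outside the hunk, so reachability is inferred.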
@@ -328,6 +351,7 @@
 	int		opattrs,
 			userattrs;
 	dynlist_sc_t	dlc = { 0 };
+	dynlist_map_t	*dlm;
 
 	a = attrs_find( rs->sr_entry->e_attrs, dli->dli_ad );
 	if ( a == NULL ) {
@@ -344,8 +368,32 @@
 #endif /* SLAP_OPATTRS */
 
 	/* Don't generate member list if it wasn't requested */
-	if ( dli->dli_member_ad && !userattrs && !ad_inlist( dli->dli_member_ad, rs->sr_attrs ) ) {
+	for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
+		if ( userattrs ||
+		     ad_inlist( dlm->dlm_member_ad, rs->sr_attrs ) ) 
+			break;
+	}
+	if ( dli->dli_dlm && !dlm )
 		return SLAP_CB_CONTINUE;
+
+	if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) {
+		Attribute *authz = NULL;
+
+		/* if not rootdn and dgAuthz is present,
+		 * check if user can be authorized as dgIdentity */
+		if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
+			&& ( authz = attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz ) ) )
+		{
+			if ( slap_sasl_matches( op, authz->a_nvals,
+				&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
+			{
+				return SLAP_CB_CONTINUE;
+			}
+		}
+
+		o.o_dn = id->a_vals[0];
+		o.o_ndn = id->a_nvals[0];
+		o.o_groups = NULL;
 	}
 
 	if ( !( rs->sr_flags & REP_ENTRY_MODIFIABLE ) ) {
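Review bot: An entry that has dgIdentity but no dgAuthz value still gets the identity switch with no check, because the new test only runs when `attrs_find( rs->sr_entry->e_attrs, ad_dgAuthz )` returns an attribute. If that allow-by-default is intended for compatibility, the comment should say so, for example `/* entries without dgAuthz keep the old behaviour: the list is expanded as dgIdentity for any requester */`. Administrators then know dgAuthz must be populated to restrict use. The same test is written out twice more in the compare path (hunks at `@@ -550,23 +599,45 @@` and `@@ -593,17 +665,34 @@`); a small static helper taking the operation, the identity and the authz values would keep the three copies from drifting apart.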
@@ -355,12 +403,6 @@
 	}
 	e_flags = rs->sr_flags | ( REP_ENTRY_MODIFIABLE | REP_ENTRY_MUSTBEFREED );
 
-	if ( ad_dgIdentity && ( id = attrs_find( e->e_attrs, ad_dgIdentity ))) {
-		o.o_dn = id->a_vals[0];
-		o.o_ndn = id->a_nvals[0];
-		o.o_groups = NULL;
-	}
-
 	dlc.dlc_e = e;
 	dlc.dlc_dli = dli;
 	cb.sc_private = &dlc;
@@ -379,6 +421,7 @@
 		int		i, j;
 		struct berval	dn;
 		int		rc;
+		dynlist_map_t	*dlm;
 
 		BER_BVZERO( &o.o_req_dn );
 		BER_BVZERO( &o.o_req_ndn );
@@ -417,7 +460,13 @@
 		}
 		o.ors_scope = lud->lud_scope;
 
-		if ( dli->dli_member_ad != NULL ) {
+		for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
+			if ( dlm->dlm_mapped_ad != NULL ) {
+				break;
+			}
+		}
+
+		if ( dli->dli_dlm && !dlm ) {
 			/* if ( lud->lud_attrs != NULL ),
 			 * the URL should be ignored */
 			o.ors_attrs = slap_anlist_no_attrs;
@@ -550,23 +599,45 @@
 	dynlist_info_t	*dli = (dynlist_info_t *)on->on_bi.bi_private;
 	Operation o = *op;
 	Entry *e = NULL;
+	dynlist_map_t *dlm;
 
 	for ( ; dli != NULL; dli = dli->dli_next ) {
-		if ( op->oq_compare.rs_ava->aa_desc == dli->dli_member_ad ) {
+		for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next )
+			if ( op->oq_compare.rs_ava->aa_desc == dlm->dlm_member_ad )
+				break;
+
+		if ( dli->dli_dlm && dlm ) {
 			/* This compare is for one of the attributes we're
 			 * interested in. We'll use slapd's existing dyngroup
 			 * evaluator to get the answer we want.
 			 */
-			struct berval *id = NULL;
+			BerVarray id = NULL, authz = NULL;
 
 			o.o_do_not_cache = 1;
 
 			if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
-				ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS ) {
+				ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
+			{
+				/* if not rootdn and dgAuthz is present,
+				 * check if user can be authorized as dgIdentity */
+				if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
+					&& backend_attribute( &o, NULL, &o.o_req_ndn,
+						ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
+				{
+					
+					rs->sr_err = slap_sasl_matches( op, authz,
+						&o.o_ndn, &o.o_ndn );
+					ber_bvarray_free_x( authz, op->o_tmpmemctx );
+					if ( rs->sr_err != LDAP_SUCCESS ) {
+						goto done;
+					}
+				}
+
 				o.o_dn = *id;
 				o.o_ndn = *id;
 				o.o_groups = NULL; /* authz changed, invalidate cached groups */
 			}
+
 			rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
 				&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
 			switch ( rs->sr_err ) {
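Review bot: The dgAuthz check in this compare path is skipped whenever `backend_attribute( ..., ad_dgAuthz, &authz, ACL_READ )` returns anything other than LDAP_SUCCESS, because the call sits inside the `&&` chain. A lookup failure is therefore treated like "attribute absent"; if the call evaluates ACLs as the requester (backend_attribute is not shown here, so this is inferred), a requester who may not read dgAuthz would skip the check and be evaluated as dgIdentity. Capturing the result and denying on anything but success or absence would close that gap, e.g. `rc = backend_attribute( ... ); if ( rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_ATTRIBUTE ) goto done;`. On denial `rs->sr_err` keeps the `slap_sasl_matches` result and the code still returns SLAP_CB_CONTINUE at `done:`, which lies in the next hunk; it is worth confirming that this is the result the client should see.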
@@ -586,6 +657,7 @@
 				break;
 			}
 
+done:;
 			if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
 
 			return SLAP_CB_CONTINUE;
@@ -593,17 +665,34 @@
 	}
 
 	if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
-		LDAP_SUCCESS || e == NULL ) {
+		LDAP_SUCCESS || e == NULL )
+	{
 		return SLAP_CB_CONTINUE;
 	}
+
 	if ( ad_dgIdentity ) {
 		Attribute *id = attrs_find( e->e_attrs, ad_dgIdentity );
 		if ( id ) {
+			Attribute *authz;
+
+			/* if not rootdn and dgAuthz is present,
+			 * check if user can be authorized as dgIdentity */
+			if ( ad_dgAuthz && !BER_BVISEMPTY( &id->a_nvals[0] ) && !be_isroot( op )
+				&& ( authz = attrs_find( e->e_attrs, ad_dgAuthz ) ) )
+			{
+				if ( slap_sasl_matches( op, authz->a_nvals,
+					&o.o_ndn, &o.o_ndn ) != LDAP_SUCCESS )
+				{
+					goto release;
+				}
+			}
+
 			o.o_dn = id->a_vals[0];
 			o.o_ndn = id->a_nvals[0];
 			o.o_groups = NULL;
 		}
 	}
+
 	dli = (dynlist_info_t *)on->on_bi.bi_private;
 	for ( ; dli != NULL && rs->sr_err != LDAP_COMPARE_TRUE; dli = dli->dli_next ) {
 		Attribute	*a;
@@ -785,11 +874,11 @@
 		ObjectClass		*oc;
 		AttributeDescription	*ad = NULL,
 					*member_ad = NULL;
+		dynlist_map_t		*dlm = NULL;
 		const char		*text;
 
-		if ( argc < 3 || argc > 4 ) {
-			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+		if ( argc < 3 ) {
+			Debug( LDAP_DEBUG_ANY, "%s: line %d: " DYNLIST_USAGE
 				"invalid arg number #%d.\n",
 				fname, lineno, argc );
 			return 1;
@@ -797,8 +886,7 @@
 
 		oc = oc_find( argv[1] );
 		if ( oc == NULL ) {
-			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			Debug( LDAP_DEBUG_ANY, "%s: line %d: " DYNLIST_USAGE
 				"unable to find ObjectClass \"%s\"\n",
 				fname, lineno, argv[ 1 ] );
 			return 1;
@@ -806,41 +894,90 @@
 
 		rc = slap_str2ad( argv[2], &ad, &text );
 		if ( rc != LDAP_SUCCESS ) {
-			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			Debug( LDAP_DEBUG_ANY, "%s: line %d: " DYNLIST_USAGE
 				"unable to find AttributeDescription \"%s\"\n",
 				fname, lineno, argv[2] );
 			return 1;
 		}
 
 		if ( !is_at_subtype( ad->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) {
-			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			Debug( LDAP_DEBUG_ANY, "%s: line %d: " DYNLIST_USAGE
 				"AttributeDescription \"%s\" "
 				"must be a subtype of \"labeledURI\"\n",
 				fname, lineno, argv[2] );
 			return 1;
 		}
 
-		if ( argc == 4 ) {
-			rc = slap_str2ad( argv[3], &member_ad, &text );
+		for ( i = 3; i < argc; i++ ) {
+			char *arg; 
+			char *cp;
+			AttributeDescription *member_ad = NULL;
+			AttributeDescription *mapped_ad = NULL;
+			dynlist_map_t *dlmp;
+			dynlist_map_t *dlml;
+
+
+			/*
+			 * If no mapped attribute is given, dn is used 
+			 * for backward compatibility.
+			 */
+			arg = argv[i];
+			if ( cp = strchr( arg, (int)':' ) != NULL ) {
+				struct berval bv;
+				ber_str2bv( arg, cp - arg, 0, &bv );
+				rc = slap_bv2ad( &bv, &mapped_ad, &text );
+				if ( rc != LDAP_SUCCESS ) {
+					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+						DYNLIST_USAGE
+						"unable to find mapped AttributeDescription \"%s\"\n",
+						fname, lineno, arg );
+					return 1;
+				}
+				
+				arg = cp + 1;
+			}
+
+			rc = slap_str2ad( arg, &member_ad, &text );
 			if ( rc != LDAP_SUCCESS ) {
 				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-					"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+					DYNLIST_USAGE
 					"unable to find AttributeDescription \"%s\"\n",
-					fname, lineno, argv[3] );
+					fname, lineno, arg );
 				return 1;
 			}
+
+			dlmp = (dynlist_map_t *)ch_calloc( 1, sizeof( dynlist_map_t ) );
+			if ( dlm == NULL ) {
+				dlm = dlmp;
+				dlml = NULL;
+			}
+			dlmp->dlm_member_ad = member_ad;
+			dlmp->dlm_mapped_ad = mapped_ad;
+			dlmp->dlm_next = NULL;
+		
+			if ( dlml != NULL )
+				dlml->dlm_next = dlmp;
+			dlml = dlmp;
 		}
 
 		for ( dlip = (dynlist_info_t **)&on->on_bi.bi_private;
 			*dlip; dlip = &(*dlip)->dli_next )
 		{
-			/* The same URL attribute / member attribute pair
-			 * cannot be repeated */
-			if ( (*dlip)->dli_ad == ad && (*dlip)->dli_member_ad == member_ad ) {
+			/* 
+			 * The same URL attribute / member attribute pair
+			 * cannot be repeated, but we enforce this only 
+			 * when the member attribute is unique. Performing
+			 * the check for multiple values would require
+			 * sorting and comparing the lists, which is left
+			 * as a future improvement
+			 */
+			if ( (*dlip)->dli_ad == ad &&
+			     (*dlip)->dli_dlm->dlm_next == NULL &&
+			     dlm->dlm_next == NULL &&
+			     dlm->dlm_member_ad == (*dlip)->dli_dlm->dlm_member_ad &&
+			     dlm->dlm_mapped_ad == (*dlip)->dli_dlm->dlm_mapped_ad ) {
 				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-					"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+					DYNLIST_USAGE
 					"URL attributeDescription \"%s\" already mapped.\n",
 					fname, lineno, ad->ad_cname.bv_val );
 #if 0
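Review bot: `if ( cp = strchr( arg, (int)':' ) != NULL )` binds as `cp = ( strchr(...) != NULL )`, so `cp` receives 0 or 1 instead of the colon's position, and `cp - arg` and `arg = cp + 1` then work on a bogus pointer. The second copy of this loop (hunk at `@@ -1126,36 +1306,59 @@`) has the parentheses right. `dlml` is declared inside the loop body and assigned only on the first iteration, so from the second member-ad on `dlml->dlm_next = dlmp` uses an indeterminate pointer; this applies to both copies of the loop. The reworked duplicate check reads `dlm->dlm_next` and `(*dlip)->dli_dlm->dlm_next` without a NULL test, although `argc == 3` is still accepted and leaves `dlm` NULL; the dynlist-attrpair checks in the hunks at `@@ -916,9 +1062,17 @@` and `@@ -1254,9 +1457,17 @@` dereference `(*dlip)->dli_dlm` the same way. The fence shows the three changes; the enclosing function starts and ends outside the hunk.

```c
		/* declare with the other locals of this block, next to dlm:
		 * tail of the map list being built, must survive across iterations */
		dynlist_map_t *dlml = NULL;

		for ( i = 3; i < argc; i++ ) {
			/* … unchanged: arg, cp, member_ad, mapped_ad, dlmp declarations … */
			if ( ( cp = strchr( arg, ':' ) ) != NULL ) {
				/* … unchanged: mapped-ad lookup, arg = cp + 1 … */
			}
			/* … unchanged: member-ad lookup, dlmp allocation … */
			if ( dlm == NULL ) {
				dlm = dlmp;
			}
			/* … unchanged: dlmp field assignments, append through dlml … */
		}

		/* … unchanged: dlip loop header and comment … */
			if ( (*dlip)->dli_ad == ad &&
			     dlm != NULL && (*dlip)->dli_dlm != NULL &&
			     (*dlip)->dli_dlm->dlm_next == NULL &&
			     dlm->dlm_next == NULL &&
			/* … unchanged: member-ad / mapped-ad comparisons … */
```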
@@ -853,9 +990,18 @@
 		*dlip = (dynlist_info_t *)ch_calloc( 1, sizeof( dynlist_info_t ) );
 		(*dlip)->dli_oc = oc;
 		(*dlip)->dli_ad = ad;
-		(*dlip)->dli_member_ad = member_ad;
+		(*dlip)->dli_dlm = dlm;
 
 		if ( dynlist_build_def_filter( *dlip ) ) {
+			dynlist_map_t *dlm = (*dlip)->ldi_dlm;
+			dynlist_map_t *dlm_next;
+
+			while ( dlm != NULL ) {
+				dlm_next = dlm->dlm_next;
+				ch_free( dlm );
+				dlm = dlm_next;
+			}
+
 			ch_free( *dlip );
 			*dlip = NULL;
 			return 1;
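Review bot: `(*dlip)->ldi_dlm` names a field that does not exist; the struct added in this commit calls it `dli_dlm`, so this cleanup branch will not compile as written. The line should read `dynlist_map_t *dlm = (*dlip)->dli_dlm;`. The new local also shadows the `dlm` already declared for the enclosing block and assigned to `(*dlip)->dli_dlm` just above, so a distinct name would read more clearly. The same free-the-list walk is repeated in the two deletion paths (hunks at `@@ -1042,9 +1207,18 @@` and `@@ -1065,6 +1241,13 @@`); one static helper would serve all three.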
@@ -916,9 +1062,17 @@
 		for ( dlip = (dynlist_info_t **)&on->on_bi.bi_private;
 			*dlip; dlip = &(*dlip)->dli_next )
 		{
-			/* The same URL attribute / member attribute pair
-			 * cannot be repeated */
-			if ( (*dlip)->dli_ad == ad && (*dlip)->dli_member_ad == member_ad ) {
+			/* 
+			 * The same URL attribute / member attribute pair
+			 * cannot be repeated, but we enforce this only 
+			 * when the member attribute is unique. Performing
+			 * the check for multiple values would require
+			 * sorting and comparing the lists, which is left
+			 * as a future improvement
+			 */
+			if ( (*dlip)->dli_ad == ad &&
+			     (*dlip)->dli_dlm->dlm_next == NULL &&
+			     member_ad == (*dlip)->dli_dlm->dlm_member_ad ) {
 				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 					"\"dynlist-attrpair <member-ad> <URL-ad>\": "
 					"URL attributeDescription \"%s\" already mapped.\n",
@@ -933,9 +1087,12 @@
 		*dlip = (dynlist_info_t *)ch_calloc( 1, sizeof( dynlist_info_t ) );
 		(*dlip)->dli_oc = oc;
 		(*dlip)->dli_ad = ad;
-		(*dlip)->dli_member_ad = member_ad;
+		(*dlip)->dli_dlm = (dynlist_map_t *)ch_calloc( 1, sizeof( dynlist_map_t ) );
+		(*dlip)->dli_dlm->dlm_member_ad = member_ad;
+		(*dlip)->dli_dlm->dlm_mapped_ad = NULL;
 
 		if ( dynlist_build_def_filter( *dlip ) ) {
+			ch_free( (*dlip)->dli_dlm );
 			ch_free( *dlip );
 			*dlip = NULL;
 			return 1;
@@ -958,9 +1115,10 @@
 
 static ConfigDriver	dl_cfgen;
 
+/* XXXmanu 255 is the maximum arguments we allow. Can we go beyond? */
 static ConfigTable dlcfg[] = {
 	{ "dynlist-attrset", "group-oc> <URL-ad> <member-ad",
-		3, 4, 0, ARG_MAGIC|DL_ATTRSET, dl_cfgen,
+		3, 255, 0, ARG_MAGIC|DL_ATTRSET, dl_cfgen,
 		"( OLcfgOvAt:8.1 NAME 'olcDLattrSet' "
 			"DESC 'Dynamic list: <group objectClass>, <URL attributeDescription>, <member attributeDescription>' "
 			"EQUALITY caseIgnoreMatch "
@@ -1002,6 +1160,7 @@
 			for ( i = 0; dli; i++, dli = dli->dli_next ) {
 				struct berval	bv;
 				char		*ptr = c->cr_msg;
+				dynlist_map_t	*dlm;
 
 				assert( dli->dli_oc != NULL );
 				assert( dli->dli_ad != NULL );
@@ -1011,10 +1170,16 @@
 					dli->dli_oc->soc_cname.bv_val,
 					dli->dli_ad->ad_cname.bv_val );
 
-				if ( dli->dli_member_ad != NULL ) {
+				for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
 					ptr[ 0 ] = ' ';
 					ptr++;
-					ptr = lutil_strcopy( ptr, dli->dli_member_ad->ad_cname.bv_val );
+					if ( dlm->dlm_mapped_ad ) {
+						ptr = lutil_strcopy( ptr, dlm->dlm_mapped_ad->ad_cname.bv_val );
+						ptr[ 0 ] = ':';
+						ptr++;
+					}
+						
+					ptr = lutil_strcopy( ptr, dlm->dlm_member_ad->ad_cname.bv_val );
 				}
 
 				bv.bv_val = c->cr_msg;
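Review bot: The emit loop appends every mapping to `c->cr_msg` with `lutil_strcopy` and no length check, while this commit raises the dynlist-attrset argument limit to 255. `cr_msg` is a fixed-size array (other code in this file passes `sizeof( c->cr_msg )` to snprintf), so a long attribute list can carry `ptr` past its end when the configuration is read back. Before each copy, compare the space left with the name length, for example `if ( (size_t)( ptr - c->cr_msg ) + dlm->dlm_member_ad->ad_cname.bv_len + 2 >= sizeof( c->cr_msg ) )`, and fail the emit. The mapped name and its ':' separator need a matching test. The enclosing function and the first write into `cr_msg` start outside the hunk.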
@@ -1042,9 +1207,18 @@
 				dynlist_info_t	*dli_next;
 
 				for ( dli_next = dli; dli_next; dli = dli_next ) {
+					dynlist_map_t *dlm = dli->dli_dlm;
+					dynlist_map_t *dlm_next;
+
 					dli_next = dli->dli_next;
 
 					ch_free( dli->dli_default_filter.bv_val );
+
+					while ( dlm != NULL ) {
+						dlm_next = dlm->dlm_next;
+						ch_free( dlm );
+						dlm = dlm_next;
+					}
 					ch_free( dli );
 				}
 
@@ -1052,6 +1226,8 @@
 
 			} else {
 				dynlist_info_t	**dlip;
+				dynlist_map_t *dlm;
+				dynlist_map_t *dlm_next;
 
 				for ( i = 0, dlip = (dynlist_info_t **)&on->on_bi.bi_private;
 					i < c->valx; i++ )
@@ -1065,6 +1241,13 @@
 				dli = *dlip;
 				*dlip = dli->dli_next;
 				ch_free( dli->dli_default_filter.bv_val );
+
+				dlm = dli->dli_dlm;
+				while ( dlm != NULL ) {
+					dlm_next = dlm->dlm_next;
+					ch_free( dlm );
+					dlm = dlm_next;
+				}
 				ch_free( dli );
 
 				dli = (dynlist_info_t *)on->on_bi.bi_private;
@@ -1089,14 +1272,13 @@
 		dynlist_info_t		**dlip,
 					*dli_next = NULL;
 		ObjectClass		*oc = NULL;
-		AttributeDescription	*ad = NULL,
-					*member_ad = NULL;
+		AttributeDescription	*ad = NULL;
+		dynlist_map_t           *dlm = NULL;
 		const char		*text;
 
 		oc = oc_find( c->argv[ 1 ] );
 		if ( oc == NULL ) {
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			snprintf( c->cr_msg, sizeof( c->cr_msg ), DYNLIST_USAGE
 				"unable to find ObjectClass \"%s\"",
 				c->argv[ 1 ] );
 			Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
@@ -1106,8 +1288,7 @@
 
 		rc = slap_str2ad( c->argv[ 2 ], &ad, &text );
 		if ( rc != LDAP_SUCCESS ) {
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			snprintf( c->cr_msg, sizeof( c->cr_msg ), DYNLIST_USAGE
 				"unable to find AttributeDescription \"%s\"",
 				c->argv[ 2 ] );
 			Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
@@ -1116,8 +1297,7 @@
 		}
 
 		if ( !is_at_subtype( ad->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) {
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+			snprintf( c->cr_msg, sizeof( c->cr_msg ), DYNLIST_USAGE
 				"AttributeDescription \"%s\" "
 				"must be a subtype of \"labeledURI\"",
 				c->argv[ 2 ] );
@@ -1126,36 +1306,59 @@
 			return 1;
 		}
 
-		if ( c->argc == 4 ) {
-			rc = slap_str2ad( c->argv[ 3 ], &member_ad, &text );
+		for ( i = 3; i < c->argc; i++ ) {
+			char *arg; 
+			char *cp;
+			AttributeDescription *member_ad = NULL;
+			AttributeDescription *mapped_ad = NULL;
+			dynlist_map_t *dlmp;
+			dynlist_map_t *dlml;
+
+
+			/*
+			 * If no mapped attribute is given, dn is used 
+			 * for backward compatibility.
+			 */
+			arg = c->argv[i];
+			if ( ( cp = strchr( arg, ':' ) ) != NULL ) {
+				struct berval bv;
+				ber_str2bv( arg, cp - arg, 0, &bv );
+				rc = slap_bv2ad( &bv, &mapped_ad, &text );
+				if ( rc != LDAP_SUCCESS ) {
+					snprintf( c->cr_msg, sizeof( c->cr_msg ),
+						DYNLIST_USAGE
+						"unable to find mapped AttributeDescription #%d \"%s\"\n",
+						i - 3, c->argv[ i ] );
+					Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
+						c->log, c->cr_msg, 0 );
+					return 1;
+				}
+				arg = cp + 1;
+			}
+
+			rc = slap_str2ad( arg, &member_ad, &text );
 			if ( rc != LDAP_SUCCESS ) {
 				snprintf( c->cr_msg, sizeof( c->cr_msg ),
-					"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
-					"unable to find AttributeDescription \"%s\"\n",
-					c->argv[ 3 ] );
+					DYNLIST_USAGE
+					"unable to find AttributeDescription #%d \"%s\"\n",
+					i - 3, c->argv[ i ] );
 				Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
 					c->log, c->cr_msg, 0 );
 				return 1;
 			}
-		}
 
-		for ( dlip = (dynlist_info_t **)&on->on_bi.bi_private;
-			*dlip; dlip = &(*dlip)->dli_next )
-		{
-			/* The same URL attribute / member attribute pair
-			 * cannot be repeated */
-			if ( (*dlip)->dli_ad == ad && (*dlip)->dli_member_ad == member_ad ) {
-				snprintf( c->cr_msg, sizeof( c->cr_msg ),
-					"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
-					"URL attributeDescription \"%s\" already mapped.\n",
-					ad->ad_cname.bv_val );
-				Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
-					c->log, c->cr_msg, 0 );
-#if 0
-				/* make it a warning... */
-				return 1;
-#endif
+			dlmp = (dynlist_map_t *)ch_calloc( 1, sizeof( dynlist_map_t ) );
+			if ( dlm == NULL ) {
+				dlm = dlmp;
+				dlml = NULL;
 			}
+			dlmp->dlm_member_ad = member_ad;
+			dlmp->dlm_mapped_ad = mapped_ad;
+			dlmp->dlm_next = NULL;
+		
+			if ( dlml != NULL ) 
+				dlml->dlm_next = dlmp;
+			dlml = dlmp;
 		}
 
 		if ( c->valx > 0 ) {
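Review bot: Both `return 1` paths inside the new loop leave the `dynlist_map_t` nodes allocated in earlier iterations unreachable, since `dlm` is a local and nothing frees the list before returning. Walking the partial list with the same `while ( dlm != NULL )` free loop the deletion paths use, before each error return, closes the leak. The first copy of this loop (hunk at `@@ -806,41 +894,90 @@`) has the same gap. This hunk also drops the "already mapped" duplicate check for dynlist-attrset without a replacement, while the other copy keeps a reduced form of it. If the removal is deliberate, a comment such as `/* duplicates are not detected on this path */` would record that.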
@@ -1166,7 +1369,7 @@
 			{
 				if ( *dlip == NULL ) {
 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
-						"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+						DYNLIST_USAGE
 						"invalid index {%d}\n",
 						c->valx );
 					Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
@@ -1187,7 +1390,7 @@
 
 		(*dlip)->dli_oc = oc;
 		(*dlip)->dli_ad = ad;
-		(*dlip)->dli_member_ad = member_ad;
+		(*dlip)->dli_dlm = dlm;
 		(*dlip)->dli_next = dli_next;
 
 		rc = dynlist_build_def_filter( *dlip );
@@ -1242,7 +1445,7 @@
 
 		if ( !is_at_subtype( ad->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) {
 			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"dynlist-attrset <oc> <URL-ad> [<member-ad>]\": "
+				DYNLIST_USAGE
 				"AttributeDescription \"%s\" "
 				"must be a subtype of \"labeledURI\"",
 				c->argv[ 2 ] );
@@ -1254,9 +1457,17 @@
 		for ( dlip = (dynlist_info_t **)&on->on_bi.bi_private;
 			*dlip; dlip = &(*dlip)->dli_next )
 		{
-			/* The same URL attribute / member attribute pair
-			 * cannot be repeated */
-			if ( (*dlip)->dli_ad == ad && (*dlip)->dli_member_ad == member_ad ) {
+			/* 
+			 * The same URL attribute / member attribute pair
+			 * cannot be repeated, but we enforce this only 
+			 * when the member attribute is unique. Performing
+			 * the check for multiple values would require
+			 * sorting and comparing the lists, which is left
+			 * as a future improvement
+			 */
+			if ( (*dlip)->dli_ad == ad &&
+			     (*dlip)->dli_dlm->dlm_next == NULL &&
+			     member_ad == (*dlip)->dli_dlm->dlm_member_ad ) {
 				snprintf( c->cr_msg, sizeof( c->cr_msg ),
 					"\"dynlist-attrpair <member-ad> <URL-ad>\": "
 					"URL attributeDescription \"%s\" already mapped.\n",
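Review bot: The rewritten duplicate check dereferences `(*dlip)->dli_dlm` without testing it for NULL. The dynlist-attrset path in this commit stores `dlm` into `dli_dlm`, and `dlm` appears to stay NULL when no `<member-ad>` argument follows the URL attribute. If so, an earlier attrset entry without a member attribute would make this loop read through a null pointer while the configuration is parsed. Adding `(*dlip)->dli_dlm != NULL &&` ahead of the `dlm_next` test keeps the comparison safe. The initialisation of `dlm` is outside the visible hunks and should be confirmed there.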
@@ -1274,7 +1485,9 @@
 
 		(*dlip)->dli_oc = oc;
 		(*dlip)->dli_ad = ad;
-		(*dlip)->dli_member_ad = member_ad;
+		(*dlip)->dli_dlm = (dynlist_map_t *)ch_calloc( 1, sizeof( dynlist_map_t ) );
+		(*dlip)->dli_dlm->dlm_member_ad = member_ad;
+		(*dlip)->dli_dlm->dlm_mapped_ad = NULL;
 
 		rc = dynlist_build_def_filter( *dlip );
 
@@ -1353,6 +1566,15 @@
 		/* Just a warning */
 	}
 
+	rc = slap_str2ad( "dgAuthz", &ad_dgAuthz, &text );
+	if ( rc != LDAP_SUCCESS ) {
+		snprintf( cr->msg, sizeof( cr->msg),
+			"unable to fetch attributeDescription \"dgAuthz\": %d (%s)",
+			rc, text );
+		Debug( LDAP_DEBUG_ANY, "dynlist_db_open: %s\n", cr->msg, 0, 0 );
+		/* Just a warning */
+	}
+
 	return 0;
 }
 
@@ -1368,9 +1590,18 @@
 				*dli_next;
 
 		for ( dli_next = dli; dli_next; dli = dli_next ) {
+			dynlist_map_t *dlm;
+			dynlist_map_t *dlm_next;
+
 			dli_next = dli->dli_next;
 
 			ch_free( dli->dli_default_filter.bv_val );
+			dlm = dli->dli_dlm;
+			while ( dlm != NULL ) {
+				dlm_next = dlm->dlm_next;
+				ch_free( dlm );
+				dlm = dlm_next;
+			}
 			ch_free( dli );
 		}
 	}

Modified: openldap/trunk/servers/slapd/overlays/memberof.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/memberof.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/memberof.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,5 +1,5 @@
 /* memberof.c - back-reference for group membership */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/memberof.c,v 1.2.2.5 2007/12/10 17:47:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/memberof.c,v 1.2.2.14 2008/02/11 23:34:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2007 Pierangelo Masarati <ando at sys-net.it>
@@ -155,6 +155,8 @@
 #define	MEMBEROF_FREFINT	0x04U
 #define	MEMBEROF_FREVERSE	0x08U
 
+	ber_int_t		mo_dangling_err;
+
 #define MEMBEROF_CHK(mo,f) \
 	(((mo)->mo_flags & (f)) == (f))
 #define MEMBEROF_DANGLING_CHECK(mo) \
@@ -192,7 +194,7 @@
 static BerVarray
 memberof_saved_member_get( Operation *op, void *keyp )
 {
-	BerVarray	vals;
+	void		*vals;
 	BerVarray	*key = (BerVarray *)keyp;
 
 	assert( op != NULL );
@@ -202,10 +204,8 @@
 		*key = NULL;
 
 	} else {
-		ldap_pvt_thread_pool_getkey( op->o_threadctx,
-				key, (void **)&vals, NULL );
 		ldap_pvt_thread_pool_setkey( op->o_threadctx,
-				key, NULL, NULL );
+				key, NULL, 0, &vals, NULL );
 	}
 
 	return vals;
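Review bot: `vals` is declared in the previous hunk as `void *vals;` with no initialiser, and the result of `ldap_pvt_thread_pool_setkey()` is ignored here. If that call can fail without writing through `&vals`, the function returns an indeterminate pointer, which callers later hand to `ber_bvarray_free()`. Declaring it as `void *vals = NULL;` matches what `memberof_saved_member_set` does with `old_vals` in the next hunk. Passing `NULL` rather than `0` for the free-function argument would also read more clearly.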
@@ -230,8 +230,13 @@
 		*key = saved_vals;
 
 	} else {
+		void	*old_vals = NULL;
+
 		ldap_pvt_thread_pool_setkey( op->o_threadctx, key,
-				saved_vals, memberof_saved_member_free );
+				saved_vals, memberof_saved_member_free, &old_vals, NULL );
+		if ( old_vals != NULL ) {
+			ber_bvarray_free( old_vals );
+		}
 	}
 }
 
@@ -264,6 +269,7 @@
 	if ( rs->sr_type == REP_SEARCH ) {
 		memberof_cookie_t	*mc;
 		Attribute		*a;
+		BerVarray		vals = NULL;
 
 		mc = (memberof_cookie_t *)op->o_callback->sc_private;
 		mc->foundit = 1;
@@ -272,12 +278,13 @@
 		assert( rs->sr_entry->e_attrs != NULL );
 
 		a = attr_find( rs->sr_entry->e_attrs, mc->ad );
+		if ( a != NULL ) {
+			vals = a->a_nvals;
+		}
 
-		assert( a != NULL );
+		memberof_saved_member_set( op, mc->key, vals );
 
-		memberof_saved_member_set( op, mc->key, a->a_nvals );
-
-		if ( attr_find( a->a_next, mc->ad ) != NULL ) {
+		if ( a && attr_find( a->a_next, mc->ad ) != NULL ) {
 			Debug( LDAP_DEBUG_ANY,
 				"%s: memberof_saveMember_cb(\"%s\"): "
 				"more than one occurrence of \"%s\" "
@@ -403,6 +410,7 @@
 	slap_callback	cb = { NULL, slap_null_cb, NULL, NULL };
 	Modifications	mod[ 2 ] = { { { 0 } } }, *ml;
 	struct berval	values[ 4 ], nvalues[ 4 ];
+	int		mcnt = 0;
 
 	op2.o_tag = LDAP_REQ_MODIFY;
 
@@ -414,23 +422,28 @@
 	op2.o_callback = &cb;
 	op2.o_dn = op->o_bd->be_rootdn;
 	op2.o_ndn = op->o_bd->be_rootndn;
+	op2.orm_modlist = NULL;
 
-	ml = &mod[ 0 ];
-	ml->sml_numvals = 1;
-	ml->sml_values = &values[ 0 ];
-	ml->sml_values[ 0 ] = mo->mo_dn;
-	BER_BVZERO( &ml->sml_values[ 1 ] );
-	ml->sml_nvalues = &nvalues[ 0 ];
-	ml->sml_nvalues[ 0 ] = mo->mo_ndn;
-	BER_BVZERO( &ml->sml_nvalues[ 1 ] );
-	ml->sml_desc = slap_schema.si_ad_modifiersName;
-	ml->sml_type = ml->sml_desc->ad_cname;
-	ml->sml_op = LDAP_MOD_REPLACE;
-	ml->sml_flags = SLAP_MOD_INTERNAL;
-	ml->sml_next = NULL;
-	op2.orm_modlist = ml;
+	if ( !BER_BVISNULL( &mo->mo_ndn ) ) {
+		ml = &mod[ mcnt ];
+		ml->sml_numvals = 1;
+		ml->sml_values = &values[ 0 ];
+		ml->sml_values[ 0 ] = mo->mo_dn;
+		BER_BVZERO( &ml->sml_values[ 1 ] );
+		ml->sml_nvalues = &nvalues[ 0 ];
+		ml->sml_nvalues[ 0 ] = mo->mo_ndn;
+		BER_BVZERO( &ml->sml_nvalues[ 1 ] );
+		ml->sml_desc = slap_schema.si_ad_modifiersName;
+		ml->sml_type = ml->sml_desc->ad_cname;
+		ml->sml_op = LDAP_MOD_REPLACE;
+		ml->sml_flags = SLAP_MOD_INTERNAL;
+		ml->sml_next = op2.orm_modlist;
+		op2.orm_modlist = ml;
 
-	ml = &mod[ 1 ];
+		mcnt++;
+	}
+
+	ml = &mod[ mcnt ];
 	ml->sml_numvals = 1;
 	ml->sml_values = &values[ 2 ];
 	BER_BVZERO( &ml->sml_values[ 1 ] );
@@ -439,44 +452,71 @@
 	ml->sml_desc = ad;
 	ml->sml_type = ml->sml_desc->ad_cname;
 	ml->sml_flags = SLAP_MOD_INTERNAL;
-	ml->sml_next = NULL;
-	op2.orm_modlist->sml_next = ml;
+	ml->sml_next = op2.orm_modlist;
+	op2.orm_modlist = ml;
 
 	if ( new_ndn != NULL ) {
 		assert( !BER_BVISNULL( new_dn ) );
 		assert( !BER_BVISNULL( new_ndn ) );
 
-		ml = &mod[ 1 ];
+		ml = &mod[ mcnt ];
 		ml->sml_op = LDAP_MOD_ADD;
 
 		ml->sml_values[ 0 ] = *new_dn;
 		ml->sml_nvalues[ 0 ] = *new_ndn;
 
 		(void)op->o_bd->be_modify( &op2, &rs2 );
+		if ( rs2.sr_err != LDAP_SUCCESS ) {
+			char buf[ SLAP_TEXT_BUFLEN ];
+			snprintf( buf, sizeof( buf ),
+				"memberof_value_modify %s=\"%s\" failed err=%d text=%s",
+				ad->ad_cname.bv_val, new_dn->bv_val, rs2.sr_err,
+				rs2.sr_text ? rs2.sr_text : "" );
+			Debug( LDAP_DEBUG_ANY, "%s: %s\n",
+				op->o_log_prefix, buf, 0 );
+		}
 
-		assert( op2.orm_modlist == &mod[ 0 ] );
-		assert( op2.orm_modlist->sml_next == &mod[ 1 ] );
-		ml = op2.orm_modlist->sml_next->sml_next;
+		assert( op2.orm_modlist == &mod[ mcnt ] );
+		assert( mcnt == 0 || op2.orm_modlist->sml_next == &mod[ 0 ] );
+		ml = op2.orm_modlist->sml_next;
+		if ( mcnt == 1 ) {
+			assert( ml == &mod[ 0 ] );
+			ml = ml->sml_next;
+		}
 		if ( ml != NULL ) {
 			slap_mods_free( ml, 1 );
 		}
+
+		mod[ 0 ].sml_next = NULL;
 	}
 
 	if ( old_ndn != NULL ) {
 		assert( !BER_BVISNULL( old_dn ) );
 		assert( !BER_BVISNULL( old_ndn ) );
 
-		ml = &mod[ 1 ];
+		ml = &mod[ mcnt ];
 		ml->sml_op = LDAP_MOD_DELETE;
 
 		ml->sml_values[ 0 ] = *old_dn;
 		ml->sml_nvalues[ 0 ] = *old_ndn;
 
 		(void)op->o_bd->be_modify( &op2, &rs2 );
+		if ( rs2.sr_err != LDAP_SUCCESS ) {
+			char buf[ SLAP_TEXT_BUFLEN ];
+			snprintf( buf, sizeof( buf ),
+				"memberof_value_modify %s=\"%s\" failed err=%d text=%s",
+				ad->ad_cname.bv_val, old_dn->bv_val, rs2.sr_err,
+				rs2.sr_text ? rs2.sr_text : "" );
+			Debug( LDAP_DEBUG_ANY, "%s: %s\n",
+				op->o_log_prefix, buf, 0 );
+		}
 
-		assert( op2.orm_modlist == &mod[ 0 ] );
-		assert( op2.orm_modlist->sml_next == &mod[ 1 ] );
-		ml = op2.orm_modlist->sml_next->sml_next;
+		assert( op2.orm_modlist == &mod[ mcnt ] );
+		ml = op2.orm_modlist->sml_next;
+		if ( mcnt == 1 ) {
+			assert( ml == &mod[ 0 ] );
+			ml = ml->sml_next;
+		}
 		if ( ml != NULL ) {
 			slap_mods_free( ml, 1 );
 		}
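Review bot: Both new logging blocks read `rs2.sr_err` after a `be_modify()` call whose return value is still discarded, and the same `rs2` is used for the ADD and then the DELETE. If a backend returns without overwriting `sr_err` or `sr_text`, the DELETE branch can report the outcome of the ADD. Resetting with `rs2.sr_err = LDAP_SUCCESS; rs2.sr_text = NULL;` before the second call, or testing the return value directly, avoids that. The declaration of `rs2` is outside the hunk. A failure is only written at debug level, so a `member`/`memberOf` pair that has gone out of sync is never reported to the caller; a comment saying this is deliberate would help the next reader.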
@@ -528,7 +568,7 @@
 
 	if ( MEMBEROF_DANGLING_CHECK( mo )
 			&& !get_relax( op )
-			&& is_entry_objectclass( op->ora_e, mo->mo_oc_group, 0 ) )
+			&& is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) )
 	{
 		op->o_dn = op->o_bd->be_rootdn;
 		op->o_dn = op->o_bd->be_rootndn;
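Review bot: The two context lines at the end of this hunk both assign `op->o_dn`, so `op->o_ndn` keeps the requester's normalized DN while `o_dn` ends up holding `be_rootndn`. The dangling-member lookup that follows therefore runs with a mismatched identity instead of as the rootdn, which matters wherever access is evaluated on `o_ndn`. The second line should read `op->o_ndn = op->o_bd->be_rootndn;`. The commit leaves these lines untouched, and the code that restores the original DNs is outside the hunk.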
@@ -545,12 +585,8 @@
 			assert( a->a_nvals != NULL );
 
 			for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
-				Entry		*e;
+				Entry		*e = NULL;
 
-				/* FIXME: entry_get_rw does not pass
-				 * thru overlays yet; when it does, we
-				 * might need to make a copy of the DN */
-
 				rc = be_entry_get_rw( op, &a->a_nvals[ i ],
 						NULL, NULL, 0, &e );
 				if ( rc == LDAP_SUCCESS ) {
@@ -559,7 +595,7 @@
 				}
 
 				if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
-					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+					rc = rs->sr_err = mo->mo_dangling_err;
 					rs->sr_text = "adding non-existing object "
 						"as group member";
 					send_ldap_result( op, rs );
@@ -637,7 +673,7 @@
 				}
 
 				if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
-					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+					rc = rs->sr_err = mo->mo_dangling_err;
 					rs->sr_text = "adding non-existing object "
 						"as memberof";
 					send_ldap_result( op, rs );
@@ -824,7 +860,7 @@
 						}
 		
 						if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
-							rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+							rc = rs->sr_err = mo->mo_dangling_err;
 							rs->sr_text = "adding non-existing object "
 								"as group member";
 							send_ldap_result( op, rs );
@@ -921,7 +957,7 @@
 						}
 
 						if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
-							rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+							rc = rs->sr_err = mo->mo_dangling_err;
 							rs->sr_text = "deleting non-existing object "
 								"as memberof";
 							send_ldap_result( op, rs );
@@ -1032,7 +1068,7 @@
 				op->o_bd->bd_info = (BackendInfo *)on;
 				if ( rc != LDAP_SUCCESS ) {
 					if ( MEMBEROF_DANGLING_ERROR( mo ) ) {
-						rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+						rc = rs->sr_err = mo->mo_dangling_err;
 						rs->sr_text = "adding non-existing object "
 							"as memberof";
 						send_ldap_result( op, rs );
@@ -1149,7 +1185,7 @@
 		}
 	}
 
-	if ( is_entry_objectclass( op->ora_e, mo->mo_oc_group, 0 ) ) {
+	if ( is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) ) {
 		Attribute	*a;
 
 		for ( a = attrs_find( op->ora_e->e_attrs, mo->mo_ad_member );
@@ -1191,6 +1227,7 @@
 					NULL, NULL );
 		}
 
+		memberof_saved_member_set( op, &saved_memberof_vals, NULL );
  		ber_bvarray_free( vals );
 	}
 
@@ -1204,6 +1241,7 @@
 						NULL, NULL );
 			}
 
+			memberof_saved_member_set( op, &saved_member_vals, NULL );
 	 		ber_bvarray_free( vals );
 		}
 	}
@@ -1475,9 +1513,13 @@
 	ConfigReply	*cr )
 {
 	slap_overinst	*on = (slap_overinst *)be->bd_info;
-	memberof_t	tmp_mo = { 0 }, *mo;
+	memberof_t		*mo;
 
 	mo = (memberof_t *)ch_calloc( 1, sizeof( memberof_t ) );
+
+	/* safe default */
+	mo->mo_dangling_err = LDAP_CONSTRAINT_VIOLATION;
+
 	on->on_bi.bi_private = (void *)mo;
 
 	return 0;
@@ -1487,12 +1529,16 @@
 	MO_DN = 1,
 	MO_DANGLING,
 	MO_REFINT,
+	MO_GROUP_OC,
+	MO_MEMBER_AD,
+	MO_MEMBER_OF_AD,
 #if 0
 	MO_REVERSE,
 #endif
-	MO_GROUP_OC,
-	MO_MEMBER_AD,
-	MO_MEMBER_OF_AD
+
+	MO_DANGLING_ERROR,
+
+	MO_LAST
 };
 
 static ConfigDriver mo_cf_gen;
@@ -1558,6 +1604,13 @@
 		NULL, NULL },
 #endif
 
+	{ "memberof-dangling-error", "error code",
+		2, 2, 0, ARG_MAGIC|MO_DANGLING_ERROR, mo_cf_gen,
+		"( OLcfgOvAt:18.7 NAME 'olcMemberOfDanglingError' "
+			"DESC 'Error code returned in case of dangling back reference' "
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )",
+		NULL, NULL },
+
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
 
@@ -1569,6 +1622,7 @@
 		"MAY ( "
 			"olcMemberOfDN "
 			"$ olcMemberOfDangling "
+			"$ olcMemberOfDanglingError"
 			"$ olcMemberOfRefInt "
 			"$ olcMemberOfGroupOC "
 			"$ olcMemberOfMemberAD "
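Review bot: The added literal `"$ olcMemberOfDanglingError"` has no trailing space, unlike every neighbouring entry, so after string concatenation the name runs straight into the next `$`. The definition then only parses if the schema tokenizer treats `$` as a delimiter without surrounding whitespace. Writing it as `"$ olcMemberOfDanglingError "` keeps the object class definition consistent and independent of that behaviour.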
@@ -1671,6 +1725,25 @@
 			}
 			break;
 
+		case MO_DANGLING_ERROR:
+			if ( mo->mo_flags & MEMBEROF_FDANGLING_ERROR ) {
+				char buf[ SLAP_TEXT_BUFLEN ];
+				enum_to_verb( slap_ldap_response_code, mo->mo_dangling_err, &bv );
+				if ( BER_BVISNULL( &bv ) ) {
+					bv.bv_len = snprintf( buf, sizeof( buf ), "0x%x", mo->mo_dangling_err );
+					if ( bv.bv_len < sizeof( buf ) ) {
+						bv.bv_val = buf;
+					} else {
+						rc = 1;
+						break;
+					}
+				}
+				value_add_one( &c->rvalue_vals, &bv );
+			} else {
+				rc = 1;
+			}
+			break;
+
 		case MO_REFINT:
 			c->value_int = MEMBEROF_REFINT( mo );
 			break;
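Review bot: The emit case returns a value only when `MEMBEROF_FDANGLING_ERROR` is set, whereas the `MO_DANGLING_ERROR` setter added later in this commit stores `mo_dangling_err` whatever the dangling mode is. An error code configured while the mode is not "error" is therefore accepted but never written back, and is lost when the configuration is regenerated. Either reject the directive in the setter when the flag is not set, or document the dependency here, for example `/* emitted only when memberof-dangling is "error" */`. The declaration of `bv` is outside the hunk.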
@@ -1730,6 +1803,15 @@
 			mo->mo_flags |= dangling_mode[ i ].mask;
 			break;
 
+		case MO_DANGLING_ERROR:
+			i = verb_to_mask( c->argv[ 1 ], slap_ldap_response_code );
+			if ( !BER_BVISNULL( &slap_ldap_response_code[ i ].word ) ) {
+				mo->mo_dangling_err = slap_ldap_response_code[ i ].mask;
+			} else if ( lutil_atoix( &mo->mo_dangling_err, c->argv[ 1 ], 0 ) ) {
+				return 1;
+			}
+			break;
+
 		case MO_REFINT:
 			if ( c->value_int ) {
 				mo->mo_flags |= MEMBEROF_FREFINT;
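Review bot: The numeric fallback `lutil_atoix( &mo->mo_dangling_err, c->argv[ 1 ], 0 )` accepts any integer, including 0 and negative values, and writes straight into the live setting. The dangling-reference paths changed elsewhere in this commit do `rc = rs->sr_err = mo->mo_dangling_err` before `send_ldap_result()`. A configured 0 would therefore report LDAP_SUCCESS for an operation the overlay has just refused. Parsing into a temporary and rejecting it with `if ( err == LDAP_SUCCESS || err < 0 ) return 1;` keeps the "safe default" set in `db_init` meaningful. The same check is worth applying to the verb branch if the response-code table contains a success entry.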
@@ -1868,7 +1950,7 @@
 		}
 	}
 
-    if( ! mo->mo_oc_group ){
+	if( ! mo->mo_oc_group ){
 		mo->mo_oc_group = oc_find( SLAPD_GROUP_CLASS );
 		if ( mo->mo_oc_group == NULL ) {
 			Debug( LDAP_DEBUG_ANY,
@@ -1879,7 +1961,7 @@
 		}
 	}
 
-	if ( BER_BVISNULL( &mo->mo_dn ) ) {
+	if ( BER_BVISNULL( &mo->mo_dn ) && !BER_BVISNULL( &be->be_rootdn ) ) {
 		ber_dupbv( &mo->mo_dn, &be->be_rootdn );
 		ber_dupbv( &mo->mo_ndn, &be->be_rootndn );
 	}

Modified: openldap/trunk/servers/slapd/overlays/overlays.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/overlays.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/overlays.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* overlays.c - Static overlay framework */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/overlays.c,v 1.24.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/overlays.c,v 1.24.2.3 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Copyright 2003 by Howard Chu.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/overlays/pcache.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/pcache.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/pcache.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/pcache.c,v 1.88.2.13 2007/11/27 19:56:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/pcache.c,v 1.88.2.16 2008/04/14 21:13:44 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 IBM Corporation.
  * Portions Copyright 2003 Symas Corporation.
  * All rights reserved.
@@ -2663,7 +2663,7 @@
 static int
 pc_ldadd_cleanup( ConfigArgs *c )
 {
-	slap_overinst *on = c->private;
+	slap_overinst *on = c->ca_private;
 	return pcache_db_open2( on, &c->reply );
 }
 
@@ -2685,7 +2685,7 @@
 		ca->cleanup = pc_ldadd_cleanup;
 	else
 		cm->defer_db_open = 0;
-	ca->private = on;
+	ca->ca_private = on;
 	return LDAP_SUCCESS;
 }
 
@@ -3209,7 +3209,7 @@
 	query_manager*  qm = cm->qm;
 	int rc;
 
-	rc = backend_startup_one( &cm->db, NULL );
+	rc = backend_startup_one( &cm->db, cr );
 	if ( rc == 0 ) {
 		cm->defer_db_open = 0;
 	}

Modified: openldap/trunk/servers/slapd/overlays/ppolicy.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/ppolicy.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/ppolicy.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/ppolicy.c,v 1.75.2.8 2007/11/21 17:43:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/ppolicy.c,v 1.75.2.11 2008/02/13 01:58:56 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Howard Chu, Symas Corporation.
  * Portions Copyright 2004 Hewlett-Packard Company.
  * All rights reserved.
@@ -1550,35 +1550,35 @@
 				delmod = ml;
 			}
 
-			if ((deladd == 1) && ((ml->sml_op == LDAP_MOD_ADD) ||
-				  (ml->sml_op == LDAP_MOD_REPLACE)))
-			{
-				deladd = 2;
-			}
-
 			if ((ml->sml_op == LDAP_MOD_ADD) ||
 				(ml->sml_op == LDAP_MOD_REPLACE))
 			{
-				/* FIXME: there's no easy way to ensure
-				 * that add does not cause multiple
-				 * userPassword values; one way (that 
-				 * would be consistent with the single
-				 * password constraint) would be to turn
-				 * add into replace); another would be
-				 * to disallow add.
-				 *
-				 * Let's check at least that a single value
-				 * is being added
-				 */
-				assert( ml->sml_values != NULL );
-				assert( !BER_BVISNULL( &ml->sml_values[ 0 ] ) );
-				if ( addmod || !BER_BVISNULL( &ml->sml_values[ 1 ] ) ) {
-					rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 
-					rs->sr_text = "Password policy only allows one password value";
-					goto return_results;
-				}
+				if ( ml->sml_values && !BER_BVISNULL( &ml->sml_values[0] )) {
+					if ( deladd == 1 )
+						deladd = 2;
 
-				addmod = ml;
+					/* FIXME: there's no easy way to ensure
+					 * that add does not cause multiple
+					 * userPassword values; one way (that 
+					 * would be consistent with the single
+					 * password constraint) would be to turn
+					 * add into replace); another would be
+					 * to disallow add.
+					 *
+					 * Let's check at least that a single value
+					 * is being added
+					 */
+					if ( addmod || !BER_BVISNULL( &ml->sml_values[ 1 ] ) ) {
+						rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 
+						rs->sr_text = "Password policy only allows one password value";
+						goto return_results;
+					}
+
+					addmod = ml;
+				} else {
+					/* replace can have no values, add cannot */
+					assert( ml->sml_op == LDAP_MOD_REPLACE );
+				}
 			}
 
 		} else if ( !is_at_operational( ml->sml_desc->ad_type ) ) {
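Review bot: The new `else` branch uses `assert( ml->sml_op == LDAP_MOD_REPLACE )` to rule out an add with no values, but that is a property of the incoming request rather than an internal invariant. With assertions enabled a violation stops the server, and with NDEBUG the valueless add passes through unchecked. Unless earlier request processing already rejects it (not visible in this hunk), it is safer to fail the operation, for example `rs->sr_err = LDAP_PROTOCOL_ERROR; goto return_results;`. The enclosing loop and function start outside the hunk.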
@@ -1622,30 +1622,18 @@
 	 * if we have a "safe password modify policy", then we need to check if we're doing
 	 * a delete (with the old password), followed by an add (with the new password).
 	 *
-	 * If we don't have this, then we fail with an error. We also skip all the checks if
+	 * If we got just a delete with nothing else, just let it go. We also skip all the checks if
 	 * the root user is bound. Root can do anything, including avoid the policies.
 	 */
 
 	if (!pwmod) goto do_modify;
 
 	/*
-	 * Did we get a valid add mod?
-	 */
-
-	if (!addmod) {
-		rs->sr_err = LDAP_OTHER;
-		rs->sr_text = "Internal Error";
-		Debug( LDAP_DEBUG_TRACE,
-			"cannot locate modification supplying new password\n", 0, 0, 0 );
-		goto return_results;
-	}
-
-	/*
 	 * Build the password history list in ascending time order
 	 * We need this, even if the user is root, in order to maintain
 	 * the pwdHistory operational attributes properly.
 	 */
-	if (pp.pwdInHistory > 0 && (ha = attr_find( e->e_attrs, ad_pwdHistory ))) {
+	if (addmod && pp.pwdInHistory > 0 && (ha = attr_find( e->e_attrs, ad_pwdHistory ))) {
 		struct berval oldpw;
 		time_t oldtime;
 
@@ -1667,6 +1655,20 @@
 
 	if (be_isroot( op )) goto do_modify;
 
+	if (!pp.pwdAllowUserChange) {
+		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		rs->sr_text = "User alteration of password is not allowed";
+		pErr = PP_passwordModNotAllowed;
+		goto return_results;
+	}
+
+	/* Just deleting? */
+	if (!addmod) {
+		/* skip everything else */
+		pwmod = 0;
+		goto do_modify;
+	}
+
 	/* This is a pwdModify exop that provided the old pw.
 	 * We need to create a Delete mod for this old pw and 
 	 * let the matching value get found later
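Review bot: The `/* skip everything else */` comment in the new delete-only branch does not say which checks are bypassed. The branch jumps to `do_modify` with `pwmod = 0` ahead of the safe-modify and password-age checks that appear later in the function. A non-root user can therefore remove the password without supplying the old value, whatever those policy settings are. That matches the updated block comment in the previous hunk, but it is a policy decision worth stating at the branch itself, e.g. `/* delete-only: pwdSafeModify, pwdMinAge and quality checks do not apply; pwdAllowUserChange was checked above */`. What `do_modify` does when `pwmod` is 0 is outside the hunk.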
@@ -1697,13 +1699,6 @@
 		goto return_results;
 	}
 
-	if (!pp.pwdAllowUserChange) {
-		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-		rs->sr_text = "User alteration of password is not allowed";
-		pErr = PP_passwordModNotAllowed;
-		goto return_results;
-	}
-
 	/* Check age, but only if pwdReset is not TRUE */
 	pa = attr_find( e->e_attrs, ad_pwdReset );
 	if ((!pa || !bvmatch( &pa->a_nvals[0], &slap_true_bv )) &&
@@ -1771,7 +1766,8 @@
 		}
 	}
 
-	if (pa) {
+	/* If pwdInHistory is zero, passwords may be reused */
+	if (pa && pp.pwdInHistory > 0) {
 		/*
 		 * Last check - the password history.
 		 */
@@ -1787,8 +1783,6 @@
 			goto return_results;
 		}
 	
-		if (pp.pwdInHistory < 1) goto do_modify;
-	
 		/*
 		 * Iterate through the password history, and fail on any
 		 * password matches.

Modified: openldap/trunk/servers/slapd/overlays/refint.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/refint.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/refint.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* refint.c - referential integrity module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/refint.c,v 1.19.2.5 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/refint.c,v 1.19.2.8 2008/04/14 20:13:41 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Symas Corporation.
  * All rights reserved.
  *
@@ -492,6 +492,195 @@
 	return(0);
 }
 
+static int
+refint_repair(
+	Operation	*op,
+	SlapReply	*rs,
+	refint_data	*id,
+	refint_q	*rq )
+{
+	dependent_data	*dp, *dp_next;
+	int		rc;
+
+	op->o_callback->sc_response = refint_search_cb;
+	op->o_req_dn = op->o_bd->be_suffix[ 0 ];
+	op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ];
+	op->o_dn = op->o_bd->be_rootdn;
+	op->o_ndn = op->o_bd->be_rootndn;
+
+	/* search */
+	rc = op->o_bd->be_search( op, rs );
+
+	if ( rc != LDAP_SUCCESS ) {
+		Debug( LDAP_DEBUG_TRACE,
+			"refint_repair: search failed: %d\n",
+			rc, 0, 0 );
+		return 0;
+	}
+
+	/* safety? paranoid just in case */
+	if ( op->o_callback->sc_private == NULL ) {
+		Debug( LDAP_DEBUG_TRACE,
+			"refint_repair: callback wiped out sc_private?!\n",
+			0, 0, 0 );
+		return 0;
+	}
+
+	/* Set up the Modify requests */
+	op->o_callback->sc_response = &slap_null_cb;
+
+	/*
+	 * [our search callback builds a list of attrs]
+	 * foreach attr:
+	 *	make sure its dn has a backend;
+	 *	build Modification* chain;
+	 *	call the backend modify function;
+	 *
+	 */
+
+	for ( dp = rq->attrs; dp; dp = dp_next ) {
+		Operation	op2 = *op;
+		SlapReply	rs2 = { 0 };
+		refint_attrs	*ra;
+		Modifications	*m, *first = NULL;
+
+		dp_next = dp->next;
+
+		op2.o_tag = LDAP_REQ_MODIFY;
+		op2.orm_modlist = NULL;
+		op2.o_req_dn	= dp->dn;
+		op2.o_req_ndn	= dp->ndn;
+		op2.o_bd = select_backend( &dp->ndn, 1 );
+		if ( !op2.o_bd ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"refint_repair: no backend for DN %s!\n",
+				dp->dn.bv_val, 0, 0 );
+			return 0;
+		}
+
+		rs2.sr_type = REP_RESULT;
+		for ( ra = dp->attrs; ra; ra = dp->attrs ) {
+			size_t	len;
+
+			dp->attrs = ra->next;
+			/* Set our ModifiersName */
+			if ( SLAP_LASTMOD( op->o_bd ) ) {
+				m = op2.o_tmpalloc( sizeof(Modifications) +
+					4*sizeof(BerValue), op2.o_tmpmemctx );
+				m->sml_next = op2.orm_modlist;
+				if ( !first )
+					first = m;
+				op2.orm_modlist = m;
+				m->sml_op = LDAP_MOD_REPLACE;
+				m->sml_flags = SLAP_MOD_INTERNAL;
+				m->sml_desc = slap_schema.si_ad_modifiersName;
+				m->sml_type = m->sml_desc->ad_cname;
+				m->sml_numvals = 1;
+				m->sml_values = (BerVarray)(m+1);
+				m->sml_nvalues = m->sml_values+2;
+				BER_BVZERO( &m->sml_values[1] );
+				BER_BVZERO( &m->sml_nvalues[1] );
+				m->sml_values[0] = refint_dn;
+				m->sml_nvalues[0] = refint_ndn;
+			}
+			if ( !BER_BVISEMPTY( &rq->newdn ) || ( ra->next &&
+				ra->attr == ra->next->attr ) )
+			{
+				len = sizeof(Modifications);
+
+				if ( ra->new_vals == NULL ) {
+					len += 4*sizeof(BerValue);
+				}
+
+				m = op2.o_tmpalloc( len, op2.o_tmpmemctx );
+				m->sml_next = op2.orm_modlist;
+				if ( !first )
+					first = m;
+				op2.orm_modlist = m;
+				m->sml_op = LDAP_MOD_ADD;
+				m->sml_flags = 0;
+				m->sml_desc = ra->attr;
+				m->sml_type = ra->attr->ad_cname;
+				if ( ra->new_vals == NULL ) {
+					m->sml_values = (BerVarray)(m+1);
+					m->sml_nvalues = m->sml_values+2;
+					BER_BVZERO( &m->sml_values[1] );
+					BER_BVZERO( &m->sml_nvalues[1] );
+					m->sml_numvals = 1;
+					if ( BER_BVISEMPTY( &rq->newdn ) ) {
+						op2.o_tmpfree( ra, op2.o_tmpmemctx );
+						ra = dp->attrs;
+						dp->attrs = ra->next;
+						m->sml_values[0] = id->nothing;
+						m->sml_nvalues[0] = id->nnothing;
+					} else {
+						m->sml_values[0] = rq->newdn;
+						m->sml_nvalues[0] = rq->newndn;
+					}
+				} else {
+					m->sml_values = ra->new_vals;
+					m->sml_nvalues = ra->new_nvals;
+					m->sml_numvals = ra->ra_numvals;
+				}
+			}
+
+			len = sizeof(Modifications);
+			if ( ra->old_vals == NULL ) {
+				len += 4*sizeof(BerValue);
+			}
+
+			m = op2.o_tmpalloc( len, op2.o_tmpmemctx );
+			m->sml_next = op2.orm_modlist;
+			op2.orm_modlist = m;
+			if ( !first )
+				first = m;
+			m->sml_op = LDAP_MOD_DELETE;
+			m->sml_flags = 0;
+			m->sml_desc = ra->attr;
+			m->sml_type = ra->attr->ad_cname;
+			if ( ra->old_vals == NULL ) {
+				m->sml_numvals = 1;
+				m->sml_values = (BerVarray)(m+1);
+				m->sml_nvalues = m->sml_values+2;
+				m->sml_values[0] = rq->olddn;
+				m->sml_nvalues[0] = rq->oldndn;
+				BER_BVZERO( &m->sml_values[1] );
+				BER_BVZERO( &m->sml_nvalues[1] );
+			} else {
+				m->sml_values = ra->old_vals;
+				m->sml_nvalues = ra->old_nvals;
+				m->sml_numvals = ra->ra_numvals;
+			}
+			op2.o_tmpfree( ra, op2.o_tmpmemctx );
+		}
+
+		op2.o_dn = op2.o_bd->be_rootdn;
+		op2.o_ndn = op2.o_bd->be_rootndn;
+		slap_op_time( &op2.o_time, &op2.o_tincr );
+		if ( ( rc = op2.o_bd->be_modify( &op2, &rs2 ) ) != LDAP_SUCCESS ) {
+			Debug( LDAP_DEBUG_TRACE,
+				"refint_repair: dependent modify failed: %d\n",
+				rs2.sr_err, 0, 0 );
+		}
+
+		while ( ( m = op2.orm_modlist ) ) {
+			op2.orm_modlist = m->sml_next;
+			if ( m->sml_values && m->sml_values != (BerVarray)(m+1) ) {
+				ber_bvarray_free_x( m->sml_values, op2.o_tmpmemctx );
+				ber_bvarray_free_x( m->sml_nvalues, op2.o_tmpmemctx );
+			}
+			op2.o_tmpfree( m, op2.o_tmpmemctx );
+			if ( m == first ) break;
+		}
+		slap_mods_free( op2.orm_modlist, 1 );
+		op2.o_tmpfree( dp->ndn.bv_val, op2.o_tmpmemctx );
+		op2.o_tmpfree( dp->dn.bv_val, op2.o_tmpmemctx );
+		op2.o_tmpfree( dp, op2.o_tmpmemctx );
+	}
+
+	return 0;
+}
+
 static void *
 refint_qtask( void *ctx, void *arg )
 {
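Review bot: The repair loop in `refint_repair` frees every `dependent_data` node reached from `rq->attrs` but never resets `rq->attrs`, and the early `return 0` paths leave the list partly consumed. The `refint_qtask` hunk below calls this function once per backend with the same `rq` when `rq->db` is NULL. From the second call on, `for ( dp = rq->attrs; ...` starts from a pointer to freed memory unless the search callback (not visible here) replaces it first. Setting `rq->attrs = NULL;` after the loop and before each early return makes the function safe to call repeatedly. Only the signature of `refint_qtask` falls inside this hunk.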
@@ -504,9 +693,7 @@
 	slap_callback cb = { NULL, NULL, NULL, NULL };
 	Filter ftop, *fptr;
 	refint_q *rq;
-	dependent_data *dp, *dp_next;
-	refint_attrs *ra, *ip;
-	int rc;
+	refint_attrs *ip;
 
 	connection_fake_init( &conn, &opbuf, ctx );
 	op = &opbuf.ob_op;
@@ -533,7 +720,7 @@
 		fptr->f_choice = LDAP_FILTER_EXT;
 		fptr->f_mra = (MatchingRuleAssertion *)(fptr+1);
 		fptr->f_mr_rule = mr_dnSubtreeMatch;
-		fptr->f_mr_rule_text = mr_dnSubtreeMatch->smr_str;
+		fptr->f_mr_rule_text = mr_dnSubtreeMatch->smr_bvoid;
 		fptr->f_mr_desc = ip->attr;
 		fptr->f_mr_dnattrs = 0;
 		fptr->f_next = ftop.f_or;
@@ -553,7 +740,7 @@
 		if ( !rq )
 			break;
 
-		for (fptr = ftop.f_or; fptr; fptr=fptr->f_next )
+		for (fptr = ftop.f_or; fptr; fptr = fptr->f_next )
 			fptr->f_mr_value = rq->oldndn;
 
 		filter2bv_x( op, op->ors_filter, &op->ors_filterstr );
@@ -572,182 +759,28 @@
 		/* no attrs! */
 		op->ors_attrs = slap_anlist_no_attrs;
 
-		op->o_req_ndn = id->dn;
-		op->o_req_dn = id->dn;
-		op->o_bd = rq->db;
-		op->o_dn = op->o_bd->be_rootdn;
-		op->o_ndn = op->o_bd->be_rootndn;
 		slap_op_time( &op->o_time, &op->o_tincr );
 
-		/* search */
-		rc = op->o_bd->be_search(op, &rs);
+		if ( rq->db != NULL ) {
+			op->o_bd = rq->db;
+			refint_repair( op, &rs, id, rq );
 
-		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+		} else {
+			BackendDB	*be;
 
-		if(rc != LDAP_SUCCESS) {
-			Debug( LDAP_DEBUG_TRACE,
-				"refint_response: search failed: %d\n",
-				rc, 0, 0 );
-			continue;
-		}
-
-		/* safety? paranoid just in case */
-		if(!cb.sc_private) {
-			Debug( LDAP_DEBUG_TRACE,
-				"refint_response: callback wiped out sc_private?!\n",
-				0, 0, 0 );
-			continue;
-		}
-
-		/* Set up the Modify requests */
-		cb.sc_response	= &slap_null_cb;
-		op->o_tag	= LDAP_REQ_MODIFY;
-
-		/*
-		** [our search callback builds a list of attrs]
-		** foreach attr:
-		**	make sure its dn has a backend;
-		**	build Modification* chain;
-		**	call the backend modify function;
-		**
-		*/
-
-		for(dp = rq->attrs; dp; dp = dp_next) {
-			Modifications *m, *first = NULL;
-
-			dp_next = dp->next;
-
-			op->orm_modlist = NULL;
-
-			op->o_req_dn	= dp->dn;
-			op->o_req_ndn	= dp->ndn;
-			op->o_bd = select_backend(&dp->ndn, 1);
-			if(!op->o_bd) {
-				Debug( LDAP_DEBUG_TRACE,
-					"refint_response: no backend for DN %s!\n",
-					dp->dn.bv_val, 0, 0 );
-				goto done;
-			}
-			rs.sr_type	= REP_RESULT;
-			for (ra = dp->attrs; ra; ra = dp->attrs) {
-				size_t	len;
-
-				dp->attrs = ra->next;
-				/* Set our ModifiersName */
-				if ( SLAP_LASTMOD( op->o_bd )) {
-					m = op->o_tmpalloc( sizeof(Modifications) +
-						4*sizeof(BerValue), op->o_tmpmemctx );
-					m->sml_next = op->orm_modlist;
-					if ( !first )
-						first = m;
-					op->orm_modlist = m;
-					m->sml_op = LDAP_MOD_REPLACE;
-					m->sml_flags = SLAP_MOD_INTERNAL;
-					m->sml_desc = slap_schema.si_ad_modifiersName;
-					m->sml_type = m->sml_desc->ad_cname;
-					m->sml_numvals = 1;
-					m->sml_values = (BerVarray)(m+1);
-					m->sml_nvalues = m->sml_values+2;
-					BER_BVZERO( &m->sml_values[1] );
-					BER_BVZERO( &m->sml_nvalues[1] );
-					m->sml_values[0] = refint_dn;
-					m->sml_nvalues[0] = refint_ndn;
+			LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
+				/* we may want to skip cn=config */
+				if ( be == LDAP_STAILQ_FIRST(&backendDB) ) {
+					continue;
 				}
-				if ( !BER_BVISEMPTY( &rq->newdn ) || ( ra->next &&
-					ra->attr == ra->next->attr ))
-				{
-					len = sizeof(Modifications);
 
-					if ( ra->new_vals == NULL ) {
-						len += 4*sizeof(BerValue);
-					}
-
-					m = op->o_tmpalloc( len, op->o_tmpmemctx );
-					m->sml_next = op->orm_modlist;
-					if ( !first )
-						first = m;
-					op->orm_modlist = m;
-					m->sml_op = LDAP_MOD_ADD;
-					m->sml_flags = 0;
-					m->sml_desc = ra->attr;
-					m->sml_type = ra->attr->ad_cname;
-					if ( ra->new_vals == NULL ) {
-						m->sml_values = (BerVarray)(m+1);
-						m->sml_nvalues = m->sml_values+2;
-						BER_BVZERO( &m->sml_values[1] );
-						BER_BVZERO( &m->sml_nvalues[1] );
-						m->sml_numvals = 1;
-						if ( BER_BVISEMPTY( &rq->newdn )) {
-							op->o_tmpfree( ra, op->o_tmpmemctx );
-							ra = dp->attrs;
-							dp->attrs = ra->next;
-							m->sml_values[0] = id->nothing;
-							m->sml_nvalues[0] = id->nnothing;
-						} else {
-							m->sml_values[0] = rq->newdn;
-							m->sml_nvalues[0] = rq->newndn;
-						}
-					} else {
-						m->sml_values = ra->new_vals;
-						m->sml_nvalues = ra->new_nvals;
-						m->sml_numvals = ra->ra_numvals;
-					}
+				if ( be->be_search && be->be_modify ) {
+					op->o_bd = be;
+					refint_repair( op, &rs, id, rq );
 				}
-
-				len = sizeof(Modifications);
-				if ( ra->old_vals == NULL ) {
-					len += 4*sizeof(BerValue);
-				}
-
-				m = op->o_tmpalloc( len, op->o_tmpmemctx );
-				m->sml_next = op->orm_modlist;
-				op->orm_modlist = m;
-				if ( !first )
-					first = m;
-				m->sml_op = LDAP_MOD_DELETE;
-				m->sml_flags = 0;
-				m->sml_desc = ra->attr;
-				m->sml_type = ra->attr->ad_cname;
-				if ( ra->old_vals == NULL ) {
-					m->sml_numvals = 1;
-					m->sml_values = (BerVarray)(m+1);
-					m->sml_nvalues = m->sml_values+2;
-					m->sml_values[0] = rq->olddn;
-					m->sml_nvalues[0] = rq->oldndn;
-					BER_BVZERO( &m->sml_values[1] );
-					BER_BVZERO( &m->sml_nvalues[1] );
-				} else {
-					m->sml_values = ra->old_vals;
-					m->sml_nvalues = ra->old_nvals;
-					m->sml_numvals = ra->ra_numvals;
-				}
-				op->o_tmpfree( ra, op->o_tmpmemctx );
 			}
+		}
 
-			op->o_dn = op->o_bd->be_rootdn;
-			op->o_ndn = op->o_bd->be_rootndn;
-			slap_op_time( &op->o_time, &op->o_tincr );
-			if((rc = op->o_bd->be_modify(op, &rs)) != LDAP_SUCCESS) {
-				Debug( LDAP_DEBUG_TRACE,
-					"refint_response: dependent modify failed: %d\n",
-					rs.sr_err, 0, 0 );
-			}
-
-			while (( m = op->orm_modlist )) {
-				op->orm_modlist = m->sml_next;
-				if ( m->sml_values && m->sml_values != (BerVarray)(m+1) ) {
-					ber_bvarray_free_x( m->sml_values, op->o_tmpmemctx );
-					ber_bvarray_free_x( m->sml_nvalues, op->o_tmpmemctx );
-				}
-				op->o_tmpfree( m, op->o_tmpmemctx );
-				if ( m == first ) break;
-			}
-			slap_mods_free( op->orm_modlist, 1 );
-			op->o_tmpfree( dp->ndn.bv_val, op->o_tmpmemctx );
-			op->o_tmpfree( dp->dn.bv_val, op->o_tmpmemctx );
-			op->o_tmpfree( dp, op->o_tmpmemctx );
-		}
-done:
 		if ( !BER_BVISNULL( &rq->newndn )) {
 			ch_free( rq->newndn.bv_val );
 			ch_free( rq->newdn.bv_val );
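Review bot: This hunk removes `op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );` and nothing visible replaces it, neither here nor in the new `refint_repair`. The filter string built by `filter2bv_x()` on each pass of the queue loop therefore appears to stay allocated for as long as the task runs. Restoring the free after the `if ( rq->db != NULL ) ... else ...` block would cover both the single-backend and the all-backends path. The return value of `refint_repair()` is also ignored in both calls, so a failed repair on one backend goes unnoticed; since it currently always returns 0, either make it `void` or return the error and log it here.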
@@ -789,7 +822,7 @@
 	BerValue pdn;
 	int ac;
 	refint_q *rq;
-	BackendDB *db;
+	BackendDB *db = NULL;
 	refint_attrs *ip;
 
 	id->message = "_refint_response";
@@ -817,20 +850,22 @@
 	**
 	*/
 
-	db = select_backend(&id->dn, 1);
+	if ( on->on_info->oi_origdb != frontendDB ) {
+		db = select_backend(&id->dn, 1);
 
-	if(db) {
-		if (!db->be_search || !db->be_modify) {
+		if ( db ) {
+			if ( !db->be_search || !db->be_modify ) {
+				Debug( LDAP_DEBUG_TRACE,
+					"refint_response: backend missing search and/or modify\n",
+					0, 0, 0 );
+				return SLAP_CB_CONTINUE;
+			}
+		} else {
 			Debug( LDAP_DEBUG_TRACE,
-				"refint_response: backend missing search and/or modify\n",
-				0, 0, 0 );
+				"refint_response: no backend for our baseDN %s??\n",
+				id->dn.bv_val, 0, 0 );
 			return SLAP_CB_CONTINUE;
 		}
-	} else {
-		Debug( LDAP_DEBUG_TRACE,
-			"refint_response: no backend for our baseDN %s??\n",
-			id->dn.bv_val, 0, 0 );
-		return SLAP_CB_CONTINUE;
 	}
 
 	rq = ch_calloc( 1, sizeof( refint_q ));
@@ -839,7 +874,7 @@
 	rq->db = db;
 	rq->rdata = id;
 
-	if(op->o_tag == LDAP_REQ_MODRDN) {
+	if ( op->o_tag == LDAP_REQ_MODRDN ) {
 		if ( op->oq_modrdn.rs_newSup ) {
 			pdn = *op->oq_modrdn.rs_newSup;
 		} else {

Modified: openldap/trunk/servers/slapd/overlays/retcode.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/retcode.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/retcode.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* retcode.c - customizable response for client testing purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/retcode.c,v 1.18.2.6 2007/09/01 13:59:14 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/retcode.c,v 1.18.2.7 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions Copyright 2005 Pierangelo Masarati <ando at sys-net.it>
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/overlays/rwm.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/rwm.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/rwm.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* rwm.c - rewrite/remap operations */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwm.c,v 1.70.2.8 2007/09/29 09:55:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwm.c,v 1.70.2.10 2008/02/15 18:11:46 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 Pierangelo Masarati.
  * All rights reserved.
  *
@@ -1227,7 +1227,9 @@
 					mod.sm_type = mod.sm_desc->ad_cname;
 					mod.sm_numvals = (*tap)->a_numvals;
 					mod.sm_values = (*tap)->a_vals;
-					mod.sm_nvalues = (*tap)->a_nvals;
+					if ( (*tap)->a_nvals != (*tap)->a_vals ) {
+						mod.sm_nvalues = (*tap)->a_nvals;
+					}
 
 					(void)modify_add_values( &e, &mod,
 						/* permissive */ 1,
@@ -1614,6 +1616,7 @@
 				fname, lineno, argv[ 1 ] );
 			return 1;
 		}
+
 	} else if ( strcasecmp( argv[0], "normalize-mapped-attrs" ) ==  0 ) {
 		if ( argc !=2 ) { 
 			fprintf( stderr,

Modified: openldap/trunk/servers/slapd/overlays/rwm.h
===================================================================
--- openldap/trunk/servers/slapd/overlays/rwm.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/rwm.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* rwm.h - dn rewrite/attribute mapping header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwm.h,v 1.15.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwm.h,v 1.15.2.3 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/overlays/rwmconf.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/rwmconf.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/rwmconf.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* rwmconf.c - rewrite/map configuration file routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmconf.c,v 1.25.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmconf.c,v 1.25.2.3 2008/02/11 23:26:48 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/overlays/rwmdn.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/rwmdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/rwmdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* rwmdn.c - massages dns */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmdn.c,v 1.18.2.3 2007/09/01 11:40:22 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmdn.c,v 1.18.2.4 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/overlays/rwmmap.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/rwmmap.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/rwmmap.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* rwmmap.c - rewrite/mapping routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmmap.c,v 1.31.2.5 2007/10/18 01:35:12 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/rwmmap.c,v 1.31.2.6 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999-2003 Howard Chu.
  * Portions Copyright 2000-2003 Pierangelo Masarati.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/overlays/seqmod.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/seqmod.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/seqmod.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 /* seqmod.c - sequenced modifies */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/overlays/syncprov.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/syncprov.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/syncprov.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.14 2007/12/10 18:10:39 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.22 2008/05/06 01:05:41 hyc Exp $ */
 /* syncprov.c - syncrepl provider */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -696,7 +696,7 @@
 		break;
 	}
 
-	fop.o_bd->bd_info = on->on_info->oi_orig;
+	fop.o_bd->bd_info = (BackendInfo *)on->on_info;
 	fop.o_bd->be_search( &fop, &frs );
 	fop.o_bd->bd_info = (BackendInfo *)on;
 
@@ -737,6 +737,13 @@
 		ldap_pvt_thread_mutex_unlock( &so->s_mutex );
 		return;
 	}
+	if ( so->s_qtask ) {
+		ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+		if ( ldap_pvt_runqueue_isrunning( &slapd_rq, so->s_qtask ) )
+			ldap_pvt_runqueue_stoptask( &slapd_rq, so->s_qtask );
+		ldap_pvt_runqueue_remove( &slapd_rq, so->s_qtask );
+		ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+	}
 	ldap_pvt_thread_mutex_unlock( &so->s_mutex );
 	if ( so->s_flags & PS_IS_DETACHED ) {
 		filter_free( so->s_op->ors_filter );
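Review bot: The added block calls `ldap_pvt_runqueue_isrunning`, `ldap_pvt_runqueue_stoptask` and `ldap_pvt_runqueue_remove` on `so->s_qtask`, but the bail-out branch added to syncprov_qplay later in this file already removes its `rtask` from the queue and never clears `so->s_qtask`. syncprov_qtask calls `syncprov_free_syncop( so )` right after syncprov_qplay returns, so on that error path this block can run against an entry that was already removed, assuming `s_qtask` is that same task (the assignment is not visible here). In the qplay error branch, follow the remove with `if ( so->s_qtask == rtask ) so->s_qtask = NULL;` so the check at the top of this block skips it. The enclosing function starts and ends outside this hunk.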
@@ -837,8 +844,10 @@
 
 /* Play back queued responses */
 static int
-syncprov_qplay( Operation *op, slap_overinst *on, syncops *so )
+syncprov_qplay( Operation *op, struct re_s *rtask )
 {
+	syncops *so = rtask->arg;
+	slap_overinst *on = LDAP_SLIST_FIRST(&so->s_op->o_extra)->oe_key;
 	syncres *sr;
 	Entry *e;
 	opcookie opc;
@@ -853,10 +862,10 @@
 			so->s_res = sr->s_next;
 		if ( !so->s_res )
 			so->s_restail = NULL;
-		ldap_pvt_thread_mutex_unlock( &so->s_mutex );
-
+		/* Exit loop with mutex held */
 		if ( !sr || so->s_op->o_abandon )
 			break;
+		ldap_pvt_thread_mutex_unlock( &so->s_mutex );
 
 		opc.sdn = sr->s_dn;
 		opc.sndn = sr->s_ndn;
@@ -883,9 +892,24 @@
 
 		ch_free( sr );
 
-		if ( rc )
+		if ( rc ) {
+			/* Exit loop with mutex held */
+			ldap_pvt_thread_mutex_lock( &so->s_mutex );
 			break;
+		}
 	}
+
+	/* wait until we get explicitly scheduled again */
+	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+	ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
+	if ( rc == 0 ) {
+		ldap_pvt_runqueue_resched( &slapd_rq, rtask, 1 );
+	} else {
+		/* bail out on any error */
+		ldap_pvt_runqueue_remove( &slapd_rq, rtask );
+	}
+	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+	ldap_pvt_thread_mutex_unlock( &so->s_mutex );
 	return rc;
 }
 
@@ -895,7 +919,6 @@
 {
 	struct re_s *rtask = arg;
 	syncops *so = rtask->arg;
-	slap_overinst *on = so->s_op->o_private;
 	OperationBuffer opbuf;
 	Operation *op;
 	BackendDB be;
@@ -917,25 +940,14 @@
 	be = *so->s_op->o_bd;
 	be.be_flags |= SLAP_DBFLAG_OVERLAY;
 	op->o_bd = &be;
-	op->o_private = NULL;
+	LDAP_SLIST_FIRST(&op->o_extra) = NULL;
 	op->o_callback = NULL;
 
-	rc = syncprov_qplay( op, on, so );
+	rc = syncprov_qplay( op, rtask );
 
 	/* decrement use count... */
 	syncprov_free_syncop( so );
 
-	/* wait until we get explicitly scheduled again */
-	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
-	ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
-	if ( rc == 0 ) {
-		ldap_pvt_runqueue_resched( &slapd_rq, rtask, 1 );
-	} else {
-		/* bail out on any error */
-		ldap_pvt_runqueue_remove( &slapd_rq, rtask );
-	}
-	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
-
 #if 0	/* FIXME: connection_close isn't exported from slapd.
 		 * should it be?
 		 */
@@ -1164,10 +1176,14 @@
 	for (ss = si->si_ops, sprev = (syncops *)&si->si_ops; ss;
 		sprev = ss, ss=snext)
 	{
+		Operation op2;
 		syncmatches *sm;
 		int found = 0;
 
 		snext = ss->s_next;
+		if ( ss->s_op->o_abandon )
+			continue;
+
 		/* validate base */
 		fc.fss = ss;
 		fc.fbase = 0;
@@ -1208,8 +1224,11 @@
 			}
 		}
 
+		if ( fc.fscope )
+			op2 = *ss->s_op;
+
 		/* check if current o_req_dn is in scope and matches filter */
-		if ( fc.fscope && test_filter( op, e, ss->s_op->ors_filter ) ==
+		if ( fc.fscope && test_filter( &op2, e, ss->s_op->ors_filter ) ==
 			LDAP_COMPARE_TRUE ) {
 			if ( saveit ) {
 				sm = op->o_tmpalloc( sizeof(syncmatches), op->o_tmpmemctx );
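Review bot: `op2 = *ss->s_op;` is a shallow copy, so `op2.o_hdr` still points at the persistent search's own header. `test_filter( &op2, ... )` therefore runs in the current thread with whatever per-operation state lives in that header (in slapd this includes the temporary memory context) instead of `op`'s. The copy is also taken without `ss->s_mutex`, although another hunk in this commit modifies the same syncops under that lock. Consider giving `op2` a private header copied from `*op->o_hdr`, with only the connection identity taken from `ss->s_op`, and making the copy under `ss->s_mutex`. The loop body continues outside the hunk.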
@@ -1301,6 +1320,7 @@
 	Operation opm;
 	SlapReply rsm = { 0 };
 	slap_callback cb = {0};
+	BackendDB be;
 
 	mod.sml_numvals = si->si_numcsns;
 	mod.sml_values = si->si_ctxcsn;
@@ -1316,8 +1336,12 @@
 	opm.o_callback = &cb;
 	opm.orm_modlist = &mod;
 	opm.orm_no_opattrs = 1;
-	opm.o_req_dn = op->o_bd->be_suffix[0];
-	opm.o_req_ndn = op->o_bd->be_nsuffix[0];
+	if ( SLAP_GLUE_SUBORDINATE( op->o_bd )) {
+		be = *on->on_info->oi_origdb;
+		opm.o_bd = &be;
+	}
+	opm.o_req_dn = opm.o_bd->be_suffix[0];
+	opm.o_req_ndn = opm.o_bd->be_nsuffix[0];
 	opm.o_bd->bd_info = on->on_info->oi_orig;
 	opm.o_managedsait = SLAP_CONTROL_NONCRITICAL;
 	opm.o_no_schema_check = 1;
@@ -1325,7 +1349,6 @@
 	if ( mod.sml_next != NULL ) {
 		slap_mods_free( mod.sml_next, 1 );
 	}
-	opm.orm_no_opattrs = 0;
 }
 
 static void
@@ -1519,7 +1542,7 @@
 		fop.ors_filter = &af;
 
 		cb.sc_response = playlog_cb;
-		fop.o_bd->bd_info = on->on_info->oi_orig;
+		fop.o_bd->bd_info = (BackendInfo *)on->on_info;
 
 		for ( i=ndel; i<num; i++ ) {
 			if ( uuids[i].bv_len == 0 ) continue;
@@ -1540,13 +1563,16 @@
 	if ( ndel ) {
 		struct berval cookie;
 
-		slap_compose_sync_cookie( op, &cookie, delcsn, srs->sr_state.rid,
-			srs->sr_state.sid );
+		if ( delcsn[0].bv_len ) {
+			slap_compose_sync_cookie( op, &cookie, delcsn, srs->sr_state.rid,
+				srs->sr_state.sid );
+		}
 
 		Debug( LDAP_DEBUG_SYNC, "syncprov_playlog: cookie=%s\n", cookie.bv_val, 0, 0 );
 
 		uuids[ndel].bv_val = NULL;
-		syncprov_sendinfo( op, rs, LDAP_TAG_SYNC_ID_SET, &cookie, 0, uuids, 1 );
+		syncprov_sendinfo( op, rs, LDAP_TAG_SYNC_ID_SET,
+			delcsn[0].bv_len ? &cookie : NULL, 0, uuids, 1 );
 		op->o_tmpfree( cookie.bv_val, op->o_tmpmemctx );
 	}
 	op->o_tmpfree( uuids, op->o_tmpmemctx );
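Review bot: `cookie` is left uninitialised when `delcsn[0].bv_len` is zero, yet the `Debug` line still prints `cookie.bv_val` and `op->o_tmpfree( cookie.bv_val, op->o_tmpmemctx )` still frees it. Only the compose call and the `syncprov_sendinfo` argument were made conditional. Declare it as `struct berval cookie = BER_BVNULL;`, move the `Debug` call inside the new `if`, and guard the free with `if ( !BER_BVISNULL( &cookie ) )`.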
@@ -1607,8 +1633,12 @@
 			}
 			if ( si->si_chktime &&
 				(op->o_time - si->si_chklast >= si->si_chktime )) {
-				do_check = 1;
-				si->si_chklast = op->o_time;
+				if ( si->si_chklast ) {
+					do_check = 1;
+					si->si_chklast = op->o_time;
+				} else {
+					si->si_chklast = 1;
+				}
 			}
 		}
 		ldap_pvt_thread_rdwr_wunlock( &si->si_csn_rwlock );
@@ -1771,7 +1801,13 @@
 			/* wait for this op to get to head of list */
 			while ( mt->mt_mods != mi ) {
 				ldap_pvt_thread_mutex_unlock( &mt->mt_mutex );
-				ldap_pvt_thread_yield();
+				/* FIXME: if dynamic config can delete overlays or
+				 * databases we'll have to check for cleanup here.
+				 * Currently it's not an issue because there are
+				 * no dynamic config deletes...
+				 */
+				if ( !ldap_pvt_thread_pool_pausecheck( &connection_pool ))
+					ldap_pvt_thread_yield();
 				ldap_pvt_thread_mutex_lock( &mt->mt_mutex );
 
 				/* clean up if the caller is giving up */
@@ -1839,6 +1875,7 @@
 typedef struct SyncOperationBuffer {
 	Operation		sob_op;
 	Opheader		sob_hdr;
+	OpExtra			sob_oe;
 	AttributeName	sob_extra;	/* not always present */
 	/* Further data allocated here */
 } SyncOperationBuffer;
@@ -1867,6 +1904,7 @@
 	sopbuf2 = ch_calloc( 1, size );
 	op2 = &sopbuf2->sob_op;
 	op2->o_hdr = &sopbuf2->sob_hdr;
+	LDAP_SLIST_FIRST(&op2->o_extra) = &sopbuf2->sob_oe;
 
 	/* Copy the fields we care about explicitly, leave the rest alone */
 	*op2->o_hdr = *op->o_hdr;
@@ -1874,7 +1912,8 @@
 	op2->o_time = op->o_time;
 	op2->o_bd = on->on_info->oi_origdb;
 	op2->o_request = op->o_request;
-	op2->o_private = on;
+	LDAP_SLIST_FIRST(&op2->o_extra)->oe_key = on;
+	LDAP_SLIST_NEXT(LDAP_SLIST_FIRST(&op2->o_extra), oe_next) = NULL;
 
 	ptr = (char *) sopbuf2 + offsetof( SyncOperationBuffer, sob_extra );
 	if ( i ) {
@@ -1925,12 +1964,10 @@
 	op2->o_do_not_cache = 1;
 
 	/* Add op2 to conn so abandon will find us */
-	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 	op->o_conn->c_n_ops_executing++;
 	op->o_conn->c_n_ops_completed--;
 	LDAP_STAILQ_INSERT_TAIL( &op->o_conn->c_ops, op2, o_next );
 	so->s_flags |= PS_IS_DETACHED;
-	ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
 
 	/* Prevent anyone else from trying to send a result for this op */
 	op->o_abandon = 1;
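Review bot: With the lock and unlock removed, syncprov_detach_op updates `c_n_ops_executing`, `c_n_ops_completed` and `c_ops` without taking `op->o_conn->c_mutex` itself, so it is only safe when the caller already holds that lock. The one caller visible in this commit does, but nothing at the function states the requirement. Add a precondition comment above the list insertion, for example `/* caller must hold op->o_conn->c_mutex */`. The function starts outside this hunk.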
@@ -2040,15 +2077,27 @@
 
 			/* Detach this Op from frontend control */
 			ldap_pvt_thread_mutex_lock( &ss->ss_so->s_mutex );
+			ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 
-			/* Turn off the refreshing flag */
-			ss->ss_so->s_flags ^= PS_IS_REFRESHING;
+			/* But not if this connection was closed along the way */
+			if ( op->o_abandon ) {
+				ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
+				ldap_pvt_thread_mutex_unlock( &ss->ss_so->s_mutex );
+				syncprov_free_syncop( ss->ss_so );
+				return SLAPD_ABANDON;
 
-			syncprov_detach_op( op, ss->ss_so, on );
+			} else {
+				/* Turn off the refreshing flag */
+				ss->ss_so->s_flags ^= PS_IS_REFRESHING;
 
-			/* If there are queued responses, fire them off */
-			if ( ss->ss_so->s_res )
-				syncprov_qstart( ss->ss_so );
+				syncprov_detach_op( op, ss->ss_so, on );
+
+				ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
+
+				/* If there are queued responses, fire them off */
+				if ( ss->ss_so->s_res )
+					syncprov_qstart( ss->ss_so );
+			}
 			ldap_pvt_thread_mutex_unlock( &ss->ss_so->s_mutex );
 
 			return LDAP_SUCCESS;
@@ -2208,6 +2257,9 @@
 				}
 				goto shortcut;
 			}
+		} else {
+			/* consumer doesn't have the right number of CSNs */
+			changed = SS_CHANGED;
 		}
 		/* Do we have a sessionlog for this search? */
 		sl=si->si_logs;
@@ -2350,8 +2402,15 @@
 				}
 
 				if ( !ap ) {
-					if ( !rs->sr_flags & REP_ENTRY_MODIFIABLE ) {
-						rs->sr_entry = entry_dup( rs->sr_entry );
+					if ( !(rs->sr_flags & REP_ENTRY_MODIFIABLE) ) {
+						Entry *e = entry_dup( rs->sr_entry );
+						if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
+							overlay_entry_release_ov( op, rs->sr_entry, 0, on );
+							rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
+						} else if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
+							entry_free( rs->sr_entry );
+						}
+						rs->sr_entry = e;
 						rs->sr_flags |=
 							REP_ENTRY_MODIFIABLE|REP_ENTRY_MUSTBEFREED;
 						a = attr_find( rs->sr_entry->e_attrs,

Modified: openldap/trunk/servers/slapd/overlays/translucent.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/translucent.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/translucent.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* translucent.c - translucent proxy module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/translucent.c,v 1.13.2.11 2007/11/29 22:53:50 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/translucent.c,v 1.13.2.16 2008/04/14 21:13:44 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2005 Symas Corporation.
  * All rights reserved.
  *
@@ -36,6 +36,8 @@
 /* config block */
 typedef struct translucent_info {
 	BackendDB db;			/* captive backend */
+	AttributeName *local;	/* valid attrs for local filters */
+	AttributeName *remote;	/* valid attrs for remote filters */
 	int strict;
 	int no_glue;
 	int defer_db_open;
@@ -44,6 +46,13 @@
 static ConfigLDAPadd translucent_ldadd;
 static ConfigCfAdd translucent_cfadd;
 
+static ConfigDriver translucent_cf_gen;
+
+enum {
+	TRANS_LOCAL = 1,
+	TRANS_REMOTE
+};
+
 static ConfigTable translucentcfg[] = {
 	{ "translucent_strict", "on|off", 1, 2, 0,
 	  ARG_ON_OFF|ARG_OFFSET,
@@ -57,6 +66,18 @@
 	  "( OLcfgOvAt:14.2 NAME 'olcTranslucentNoGlue' "
 	  "DESC 'Disable automatic glue records for ADD and MODRDN' "
 	  "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+	{ "translucent_local", "attr[,attr...]", 1, 2, 0,
+	  ARG_STRING|ARG_MAGIC|TRANS_LOCAL,
+	  translucent_cf_gen,
+	  "( OLcfgOvAt:14.3 NAME 'olcTranslucentLocal' "
+	  "DESC 'Attributes to use in local search filter' "
+	  "SYNTAX OMsDirectoryString )", NULL, NULL },
+	{ "translucent_remote", "attr[,attr...]", 1, 2, 0,
+	  ARG_STRING|ARG_MAGIC|TRANS_REMOTE,
+	  translucent_cf_gen,
+	  "( OLcfgOvAt:14.4 NAME 'olcTranslucentRemote' "
+	  "DESC 'Attributes to use in remote search filter' "
+	  "SYNTAX OMsDirectoryString )", NULL, NULL },
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
 
@@ -73,7 +94,8 @@
 	  "NAME 'olcTranslucentConfig' "
 	  "DESC 'Translucent configuration' "
 	  "SUP olcOverlayConfig "
-	  "MAY ( olcTranslucentStrict $ olcTranslucentNoGlue ) )",
+	  "MAY ( olcTranslucentStrict $ olcTranslucentNoGlue $"
+	  " olcTranslucentLocal $ olcTranslucentRemote ) )",
 	  Cft_Overlay, translucentcfg, NULL, translucent_cfadd },
 	{ "( OLcfgOvOc:14.2 "
 	  "NAME 'olcTranslucentDatabase' "
@@ -86,7 +108,7 @@
 static int
 translucent_ldadd_cleanup( ConfigArgs *ca )
 {
-	slap_overinst *on = ca->private;
+	slap_overinst *on = ca->ca_private;
 	translucent_info *ov = on->on_bi.bi_private;
 
 	ov->defer_db_open = 0;
@@ -108,7 +130,7 @@
 	on = (slap_overinst *)cei->ce_bi;
 	ov = on->on_bi.bi_private;
 	ca->be = &ov->db;
-	ca->private = on;
+	ca->ca_private = on;
 	if ( CONFIG_ONLINE_ADD( ca ))
 		ca->cleanup = translucent_ldadd_cleanup;
 	else
@@ -147,6 +169,51 @@
 	return 0;
 }
 
+static int
+translucent_cf_gen( ConfigArgs *c )
+{
+	slap_overinst	*on = (slap_overinst *)c->bi;
+	translucent_info *ov = on->on_bi.bi_private;
+	AttributeName **an, *a2;
+	int i;
+
+	if ( c->type == TRANS_LOCAL )
+		an = &ov->local;
+	else
+		an = &ov->remote;
+
+	if ( c->op == SLAP_CONFIG_EMIT ) {
+		if ( !*an )
+			return 1;
+		for ( i = 0; !BER_BVISNULL(&(*an)[i].an_name); i++ ) {
+			value_add_one( &c->rvalue_vals, &(*an)[i].an_name );
+		}
+		return ( i < 1 );
+	} else if ( c->op == LDAP_MOD_DELETE ) {
+		if ( c->valx < 0 ) {
+			anlist_free( *an, 1, NULL );
+			*an = NULL;
+		} else {
+			i = c->valx;
+			ch_free( (*an)[i].an_name.bv_val );
+			do {
+				(*an)[i] = (*an)[i+1];
+			} while ( !BER_BVISNULL( &(*an)[i].an_name ));
+		}
+		return 0;
+	}
+	a2 = str2anlist( *an, c->argv[1], "," );
+	if ( !a2 ) {
+		snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s unable to parse attribute %s",
+			c->argv[0], c->argv[1] );
+		Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+			"%s: %s\n", c->log, c->cr_msg, 0 );
+		return ARG_BAD_CONF;
+	}
+	*an = a2;
+	return 0;
+}
+
 static slap_overinst translucent;
 
 /*
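Review bot: In the `LDAP_MOD_DELETE` branch of translucent_cf_gen, the shift loop `do { (*an)[i] = (*an)[i+1]; } while ( !BER_BVISNULL( &(*an)[i].an_name ));` never advances `i`. Deleting any value other than the last one therefore copies the same element forever and does not terminate. Add `i++;` after the assignment so the loop walks forward to the terminator.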
@@ -538,7 +605,7 @@
 **
 */
 	rc = overlay_entry_get_ov(op, &op->o_req_ndn, NULL, ava->aa_desc, 0, &e, on);
-	if(e && rc == LDAP_SUCCESS) {
+	if(rc == LDAP_SUCCESS && e) {
 		overlay_entry_release_ov(op, e, 0, on);
 		return(SLAP_CB_CONTINUE);
 	}
@@ -563,46 +630,123 @@
 
 /*
 ** translucent_search_cb()
-**	merge local data with the search result
+**	merge local data with remote data
 **
+** Four cases:
+** 1: remote search, no local filter
+**	merge data and send immediately
+** 2: remote search, with local filter
+**	merge data and save
+** 3: local search, no remote filter
+**	merge data and send immediately
+** 4: local search, with remote filter
+**	check list, merge, send, delete
 */
 
+#define	RMT_SIDE	0
+#define	LCL_SIDE	1
+#define	USE_LIST	2
+
+typedef struct trans_ctx {
+	BackendDB *db;
+	slap_overinst *on;
+	Filter *orig;
+	Avlnode *list;
+	int step;
+} trans_ctx;
+
 static int translucent_search_cb(Operation *op, SlapReply *rs) {
+	trans_ctx *tc;
 	BackendDB *db;
 	slap_overinst *on;
-	Entry *e, *re = NULL;
+	translucent_info *ov;
+	Entry *le, *re;
 	Attribute *a, *ax, *an, *as = NULL;
 	int rc;
 
+	tc = op->o_callback->sc_private;
+
+	/* Don't let the op complete while we're gathering data */
+	if ( rs->sr_type == REP_RESULT && ( tc->step & USE_LIST ))
+		return 0;
+
 	if(!op || !rs || rs->sr_type != REP_SEARCH || !rs->sr_entry)
 		return(SLAP_CB_CONTINUE);
 
 	Debug(LDAP_DEBUG_TRACE, "==> translucent_search_cb: %s\n",
 		rs->sr_entry->e_name.bv_val, 0, 0);
 
+	on = tc->on;
+	ov = on->on_bi.bi_private;
+
 	db = op->o_bd;
-	op->o_bd = op->o_callback->sc_private;
-	on = (slap_overinst *) op->o_bd->bd_info;
+	re = NULL;
 
-	rc = overlay_entry_get_ov(op, &rs->sr_entry->e_nname, NULL, NULL, 0, &e, on);
+	/* If we have local, get remote */
+	if ( tc->step & LCL_SIDE ) {
+		le = rs->sr_entry;
+		/* If entry is already on list, use it */
+		if ( tc->step & USE_LIST ) {
+			re = tavl_delete( &tc->list, le, entry_dn_cmp );
+			if ( re ) {
+				if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
+					rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
+					be_entry_release_r( op, rs->sr_entry );
+				}
+				if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
+					rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
+					entry_free( rs->sr_entry );
+				}
+				rc = test_filter( op, re, tc->orig );
+				if ( rc == LDAP_COMPARE_TRUE ) {
+					rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
+					rs->sr_entry = re;
+					return SLAP_CB_CONTINUE;
+				} else {
+					entry_free( re );
+					rs->sr_entry = NULL;
+					return 0;
+				}
+			}
+		}
+		op->o_bd = &ov->db;
+		rc = be_entry_get_rw( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &re );
+		if ( rc == LDAP_SUCCESS && re ) {
+			Entry *tmp = entry_dup( re );
+			be_entry_release_r( op, re );
+			re = tmp;
+		}
+	} else {
+	/* Else we have remote, get local */
+		op->o_bd = tc->db;
+		rc = overlay_entry_get_ov(op, &rs->sr_entry->e_nname, NULL, NULL, 0, &le, on);
+		if ( rc == LDAP_SUCCESS && le ) {
+			re = entry_dup( rs->sr_entry );
+			if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
+				rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
+				be_entry_release_r( op, rs->sr_entry );
+			}
+			if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
+				rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
+				entry_free( rs->sr_entry );
+			}
+		} else {
+			le = NULL;
+		}
+	}
 
 /*
-** if we got an entry from local backend:
-**	make a copy of this search result;
+** if we got remote and local entry:
 **	foreach local attr:
-**		foreach search result attr:
-**			if match, result attr with local attr;
+**		foreach remote attr:
+**			if match, remote attr with local attr;
 **			if new local, add to list;
-**	append new local attrs to search result;
+**	append new local attrs to remote;
 **
 */
 
-	if(e && rc == LDAP_SUCCESS) {
-		re = entry_dup(rs->sr_entry);
-		for(ax = e->e_attrs; ax; ax = ax->a_next) {
-#if 0
-			if(is_at_operational(ax->a_desc->ad_type)) continue;
-#endif
+	if ( re && le ) {
+		for(ax = le->e_attrs; ax; ax = ax->a_next) {
 			for(a = re->e_attrs; a; a = a->a_next) {
 				if(a->a_desc == ax->a_desc) {
 					if(a->a_vals != a->a_nvals)
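Review bot: `tc = op->o_callback->sc_private;` and the new `rs->sr_type == REP_RESULT` test both run before the existing `if(!op || !rs || ...)` guard, so the NULL tests on `op` and `rs` no longer protect anything. Either place `if ( !op || !rs ) return SLAP_CB_CONTINUE;` ahead of the `tc` assignment, or drop the two NULL tests so the guard does not suggest a protection it cannot give. The function continues past the end of this hunk.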
@@ -619,7 +763,19 @@
 			an->a_next = as;
 			as = an;
 		}
-		overlay_entry_release_ov(op, e, 0, on);
+		/* Dispose of local entry */
+		if ( tc->step & LCL_SIDE ) {
+			if ( rs->sr_flags & REP_ENTRY_MUSTRELEASE ) {
+				rs->sr_flags ^= REP_ENTRY_MUSTRELEASE;
+				be_entry_release_r( op, rs->sr_entry );
+			}
+			if ( rs->sr_flags & REP_ENTRY_MUSTBEFREED ) {
+				rs->sr_flags ^= REP_ENTRY_MUSTBEFREED;
+				entry_free( rs->sr_entry );
+			}
+		} else {
+			overlay_entry_release_ov(op, le, 0, on);
+		}
 
 		/* literally append, so locals are always last */
 		if(as) {
@@ -630,14 +786,145 @@
 				re->e_attrs = as;
 			}
 		}
-		rs->sr_entry = re;
-		rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
+		/* If both filters, save entry for later */
+		if ( tc->step == (USE_LIST|RMT_SIDE) ) {
+			tavl_insert( &tc->list, re, entry_dn_cmp, avl_dup_error );
+			rs->sr_entry = NULL;
+			rc = 0;
+		} else {
+		/* send it now */
+			rs->sr_entry = re;
+			rs->sr_flags |= REP_ENTRY_MUSTBEFREED;
+			rc = SLAP_CB_CONTINUE;
+		}
+	} else if ( le ) {
+	/* Only a local entry: remote was deleted
+	 * Ought to delete the local too...
+	 */
+	 	rc = 0;
+	} else if ( tc->step & USE_LIST ) {
+	/* Only a remote entry, but both filters:
+	 * Test the complete filter
+	 */
+		rc = test_filter( op, rs->sr_entry, tc->orig );
+		if ( rc == LDAP_COMPARE_TRUE ) {
+			rc = SLAP_CB_CONTINUE;
+		} else {
+			rc = 0;
+		}
+	} else {
+	/* Only a remote entry, only remote filter:
+	 * just pass thru
+	 */
+		rc = SLAP_CB_CONTINUE;
 	}
 
 	op->o_bd = db;
-	return(SLAP_CB_CONTINUE);
+	return rc;
 }
 
+/* Dup the filter, excluding invalid elements */
+static Filter *
+trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
+{
+	Filter *n = NULL;
+
+	if ( !f )
+		return NULL;
+
+	switch( f->f_choice & SLAPD_FILTER_MASK ) {
+	case SLAPD_FILTER_COMPUTED:
+		n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
+		n->f_choice = f->f_choice;
+		n->f_result = f->f_result;
+		n->f_next = NULL;
+		break;
+
+	case LDAP_FILTER_PRESENT:
+		if ( ad_inlist( f->f_desc, an )) {
+			n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
+			n->f_choice = f->f_choice;
+			n->f_desc = f->f_desc;
+			n->f_next = NULL;
+		}
+		break;
+
+	case LDAP_FILTER_EQUALITY:
+	case LDAP_FILTER_GE:
+	case LDAP_FILTER_LE:
+	case LDAP_FILTER_APPROX:
+	case LDAP_FILTER_SUBSTRINGS:
+	case LDAP_FILTER_EXT:
+		if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
+			n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
+			n->f_choice = f->f_choice;
+			n->f_ava = f->f_ava;
+			n->f_next = NULL;
+		}
+		break;
+
+	case LDAP_FILTER_AND:
+	case LDAP_FILTER_OR:
+	case LDAP_FILTER_NOT: {
+		Filter **p;
+
+		n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
+		n->f_choice = f->f_choice;
+		n->f_next = NULL;
+
+		for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) {
+			*p = trans_filter_dup( op, f, an );
+			if ( !*p )
+				continue;
+			p = &(*p)->f_next;
+		}
+		/* nothing valid in this list */
+		if ( !n->f_list ) {
+			op->o_tmpfree( n, op->o_tmpmemctx );
+			return NULL;
+		}
+		/* Only 1 element in this list */
+		if ((n->f_choice & SLAPD_FILTER_MASK) != LDAP_FILTER_NOT &&
+			!n->f_list->f_next ) {
+			f = n->f_list;
+			*n = *f;
+			op->o_tmpfree( f, op->o_tmpmemctx );
+		}
+		break;
+	}
+	}
+	return n;
+}
+
+static void
+trans_filter_free( Operation *op, Filter *f )
+{
+	Filter *n, *p, *next;
+
+	f->f_choice &= SLAPD_FILTER_MASK;
+
+	switch( f->f_choice ) {
+	case LDAP_FILTER_AND:
+	case LDAP_FILTER_OR:
+	case LDAP_FILTER_NOT:
+		/* Free in reverse order */
+		n = NULL;
+		for ( p = f->f_list; p; p = next ) {
+			next = p->f_next;
+			p->f_next = n;
+			n = p;
+		}
+		for ( p = n; p; p = next ) {
+			next = p->f_next;
+			trans_filter_free( op, p );
+		}
+		break;
+	default:
+		break;
+	}
+	op->o_tmpfree( f, op->o_tmpmemctx );
+}
+
 /*
 ** translucent_search()
 **	search via captive backend;
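Review bot: The "send it now" branch returns the merged entry with `SLAP_CB_CONTINUE` without testing it against `tc->orig`, although translucent_search may have run this pass with a reduced filter from trans_filter_dup, which drops elements naming attributes outside the list. Only the list paths re-test the client's filter, so a merged entry that matches the reduced filter but not the original one appears to reach the client. Consider running `rc = test_filter( op, re, tc->orig );` before sending whenever `op->ors_filter != tc->orig`. On any result other than `LDAP_COMPARE_TRUE`, free `re` and return 0, as the list lookup earlier in the function does.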
@@ -649,7 +936,10 @@
 	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
 	translucent_info *ov = on->on_bi.bi_private;
 	slap_callback cb = { NULL, NULL, NULL, NULL };
-	int rc;
+	trans_ctx tc;
+	Filter *fl, *fr;
+	struct berval fbv;
+	int rc = 0;
 
 	Debug(LDAP_DEBUG_TRACE, "==> translucent_search: <%s> %s\n",
 		op->o_req_dn.bv_val, op->ors_filterstr.bv_val, 0);
@@ -659,15 +949,76 @@
 			"remote DB not available");
 		return(rs->sr_err);
 	}
+
+	fr = ov->remote ? trans_filter_dup( op, op->ors_filter, ov->remote ) : NULL;
+	fl = ov->local ? trans_filter_dup( op, op->ors_filter, ov->local ) : NULL;
 	cb.sc_response = (slap_response *) translucent_search_cb;
-	cb.sc_private = op->o_bd;
+	cb.sc_private = &tc;
 	cb.sc_next = op->o_callback;
 
+	tc.db = op->o_bd;
+	tc.on = on;
+	tc.orig = op->ors_filter;
+	tc.list = NULL;
+	tc.step = 0;
+	fbv = op->ors_filterstr;
+
 	op->o_callback = &cb;
-	op->o_bd = &ov->db;
-	rc = ov->db.bd_info->bi_op_search(op, rs);
-	op->o_bd = cb.sc_private;
 
+	if ( fr || !fl ) {
+		op->o_bd = &ov->db;
+		tc.step |= RMT_SIDE;
+		if ( fl ) {
+			tc.step |= USE_LIST;
+			op->ors_filter = fr;
+			filter2bv_x( op, fr, &op->ors_filterstr );
+		}
+		rc = ov->db.bd_info->bi_op_search(op, rs);
+		op->o_bd = tc.db;
+		if ( fl ) {
+			op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+		}
+	}
+	if ( fl && !rc ) {
+		tc.step |= LCL_SIDE;
+		op->ors_filter = fl;
+		filter2bv_x( op, fl, &op->ors_filterstr );
+		rc = overlay_op_walk( op, rs, op_search, on->on_info, on->on_next );
+		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+	}
+	op->ors_filterstr = fbv;
+	op->ors_filter = tc.orig;
+	op->o_callback = cb.sc_next;
+	/* Send out anything remaining on the list and finish */
+	if ( tc.step & USE_LIST ) {
+		if ( tc.list ) {
+			Avlnode *av;
+
+			av = tavl_end( tc.list, TAVL_DIR_LEFT );
+			while ( av ) {
+				rs->sr_entry = av->avl_data;
+				rc = test_filter( op, rs->sr_entry, op->ors_filter );
+				if ( rc == LDAP_COMPARE_TRUE ) {
+					rs->sr_flags = REP_ENTRY_MUSTBEFREED;
+					rc = send_search_entry( op, rs );
+					if ( rc ) break;
+				} else {
+					entry_free( rs->sr_entry );
+				}
+				av = tavl_next( av, TAVL_DIR_RIGHT );
+			}
+			tavl_free( tc.list, NULL );
+			rs->sr_entry = NULL;
+		}
+		send_ldap_result( op, rs );
+	}
+
+	/* Free in reverse order */
+	if ( fl )
+		trans_filter_free( op, fl );
+	if ( fr )
+		trans_filter_free( op, fr );
+
 	return rc;
 }
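Review bot: The flush loop over `tc.list` breaks at the first `send_search_entry` failure, and `tavl_free( tc.list, NULL )` is then called with no free routine, so the saved entries not yet visited appear to be leaked. `rc` is also overwritten with each `test_filter` result, so translucent_search can return `LDAP_COMPARE_FALSE` when the last saved entry does not match. Walk the whole list instead: replace the `rc = test_filter(...)` / `if ( rc == LDAP_COMPARE_TRUE )` pair with `if ( rc == LDAP_SUCCESS && test_filter( op, rs->sr_entry, op->ors_filter ) == LDAP_COMPARE_TRUE ) {` and delete `if ( rc ) break;`. Every entry that is not sent then reaches the existing `entry_free`.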
 
@@ -796,7 +1147,7 @@
 	if ( ov->defer_db_open )
 		return 0;
 
-	rc = backend_startup_one( &ov->db, NULL );
+	rc = backend_startup_one( &ov->db, cr );
 
 	if(rc) Debug(LDAP_DEBUG_TRACE,
 		"translucent: bi_db_open() returned error %d\n", rc, 0, 0);
@@ -806,8 +1157,7 @@
 
 /*
 ** translucent_db_close()
-**	if the captive backend has a close() method, call it;
-**	free any config data;
+**	if the captive backend has a close() method, call it
 **
 */
 
@@ -829,7 +1179,8 @@
 
 /*
 ** translucent_db_destroy()
-**	if the captive backend has a db_destroy() method, call it
+**	if the captive backend has a db_destroy() method, call it;
+**	free any config data
 **
 */
 
@@ -843,6 +1194,10 @@
 	Debug(LDAP_DEBUG_TRACE, "==> translucent_db_destroy\n", 0, 0, 0);
 
 	if ( ov ) {
+		if ( ov->remote )
+			anlist_free( ov->remote, 1, NULL );
+		if ( ov->local )
+			anlist_free( ov->local, 1, NULL );
 		if ( ov->db.be_private != NULL ) {
 			backend_stopdown_one( &ov->db );
 		}

Modified: openldap/trunk/servers/slapd/overlays/unique.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/unique.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/unique.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* unique.c - attribute uniqueness module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.4 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.5 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004,2006-2007 Symas Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/overlays/valsort.c
===================================================================
--- openldap/trunk/servers/slapd/overlays/valsort.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/overlays/valsort.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* valsort.c - sort attribute values */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/valsort.c,v 1.17.2.4 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/valsort.c,v 1.17.2.5 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * Portions copyright 2005 Symas Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/passwd.c
===================================================================
--- openldap/trunk/servers/slapd/passwd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/passwd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* passwd.c - password extended operation routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/passwd.c,v 1.128.2.6 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/passwd.c,v 1.128.2.10 2008/02/11 23:34:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -505,8 +505,10 @@
 	AccessControlState	acl_state = ACL_STATE_INIT;
 
 #ifdef SLAPD_SPASSWD
-	ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
-		op->o_conn->c_sasl_authctx, NULL );
+	void		*old_authctx = NULL;
+
+	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
+		op->o_conn->c_sasl_authctx, 0, &old_authctx, NULL );
 #endif
 
 	for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
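Review bot: Nothing in this hunk says why the previous key value is now captured in `old_authctx` instead of being cleared as before. A comment such as `/* save any SASL context already bound to this thread; the matching setkey after the loop restores it */` would tie this call to the restore in the next hunk (@@ -524,8 +526,8 @@). The result of ldap_pvt_thread_pool_setkey() is also ignored at both call sites; if it can fail, the password check presumably runs without the intended context, so logging the failure would help diagnosis. The enclosing function starts and ends outside the hunk.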
@@ -524,8 +526,8 @@
 	}
 
 #ifdef SLAPD_SPASSWD
-	ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
-		NULL, NULL );
+	ldap_pvt_thread_pool_setkey( op->o_threadctx, (void *)slap_sasl_bind,
+		old_authctx, 0, NULL, NULL );
 #endif
 
 	return result;

Modified: openldap/trunk/servers/slapd/phonetic.c
===================================================================
--- openldap/trunk/servers/slapd/phonetic.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/phonetic.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* phonetic.c - routines to do phonetic matching */
-/* $OpenLDAP: pkg/ldap/servers/slapd/phonetic.c,v 1.22.2.2 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/phonetic.c,v 1.22.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/proto-slap.h
===================================================================
--- openldap/trunk/servers/slapd/proto-slap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/proto-slap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.17 2007/12/03 15:04:31 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.24 2008/04/14 22:08:32 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -98,7 +98,7 @@
 /*
  * aclparse.c
  */
-LDAP_SLAPD_V (char *) style_strings[];
+LDAP_SLAPD_V (LDAP_CONST char *) style_strings[];
 
 LDAP_SLAPD_F (int) parse_acl LDAP_P(( Backend *be,
 	const char *fname, int lineno,
@@ -248,7 +248,7 @@
 	BerVarray *bva, AttributeType *start, AttributeType *end, int system ));
 
 LDAP_SLAPD_F (int) register_at LDAP_P((
-	char *at,
+	const char *at,
 	AttributeDescription **ad,
 	int dupok ));
 
@@ -756,6 +756,11 @@
 	OperationBuffer *opbuf,
 	void *threadctx,
 	int newmem ));
+LDAP_SLAPD_F (void) operation_fake_init LDAP_P((
+	Connection *conn,
+	Operation *op,
+	void *threadctx,
+	int newmem ));
 LDAP_SLAPD_F (void) connection_assign_nextid LDAP_P((Connection *));
 
 /*
@@ -1363,7 +1368,7 @@
 	BerVarray *bva, ObjectClass *start, ObjectClass *end, int system ));
 
 LDAP_SLAPD_F (int) register_oc LDAP_P((
-	char *desc,
+	const char *desc,
 	ObjectClass **oc,
 	int dupok ));
 
@@ -1389,9 +1394,6 @@
 	BerElement *ber, ber_int_t msgid,
 	ber_tag_t tag, ber_int_t id, void *ctx ));
 
-LDAP_SLAPD_F (int) slap_op_add LDAP_P(( Operation **olist, Operation *op ));
-LDAP_SLAPD_F (int) slap_op_remove LDAP_P(( Operation **olist, Operation *op ));
-LDAP_SLAPD_F (Operation *) slap_op_pop LDAP_P(( Operation **olist ));
 LDAP_SLAPD_F (slap_op_t) slap_req2op LDAP_P(( ber_tag_t tag ));
 
 /*
@@ -1629,7 +1631,7 @@
 	Entry *e,
 	Attribute *attrs,
 	int manage,
-	int add_soc,
+	int add,
 	const char** text,
 	char *textbuf, size_t textlen );
 
@@ -1716,7 +1718,7 @@
 
 LDAP_SLAPD_F (void) slap_sl_mem_init LDAP_P(( void ));
 LDAP_SLAPD_F (void *) slap_sl_mem_create LDAP_P((
-						ber_len_t size, int stack, void *ctx, int new ));
+						ber_len_t size, int stack, void *ctx, int flag ));
 LDAP_SLAPD_F (void) slap_sl_mem_detach LDAP_P(( void *ctx, void *memctx ));
 LDAP_SLAPD_F (void) slap_sl_mem_destroy LDAP_P(( void *key, void *data ));
 LDAP_SLAPD_F (void *) slap_sl_context LDAP_P(( void *ptr ));
@@ -2039,7 +2041,7 @@
 
 # define UI2BVX(bv,ui,ctx) \
 	do { \
-		char		buf[] = "+9223372036854775807L"; \
+		char		buf[LDAP_PVT_INTTYPE_CHARS(long)]; \
 		ber_len_t	len; \
 		len = snprintf( buf, sizeof( buf ), UI2BV_FORMAT, (ui) ); \
 		if ( len > (bv)->bv_len ) { \
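Review bot: `buf` is now sized from `long`, while the value is printed with `UI2BV_FORMAT`, which is defined outside this hunk. If that format can be wider than `long` on some build, snprintf() truncates the text but still returns the untruncated length, and `len` is then compared and presumably used for the copy further down the macro. A guard right after the call would make a mismatch visible, for example `assert( len < sizeof( buf ) ); \`, or the buffer could be sized from the type that matches the format. The macro body continues past the end of the hunk, so how `len` is consumed cannot be confirmed from here.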

Modified: openldap/trunk/servers/slapd/referral.c
===================================================================
--- openldap/trunk/servers/slapd/referral.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/referral.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* referral.c - muck with referrals */
-/* $OpenLDAP: pkg/ldap/servers/slapd/referral.c,v 1.28.2.4 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/referral.c,v 1.28.2.5 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/result.c
===================================================================
--- openldap/trunk/servers/slapd/result.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/result.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* result.c - routines to send ldap results, errors, and referrals */
-/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.10 2007/12/10 18:10:39 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.13 2008/04/14 23:43:59 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -522,14 +522,20 @@
 		(void)slap_cleanup_play( op, rs );
 	}
 
-	if ( rs->sr_matched && rs->sr_flags & REP_MATCHED_MUSTBEFREED ) {
-		free( (char *)rs->sr_matched );
-		rs->sr_matched = NULL;
+	if ( rs->sr_flags & REP_MATCHED_MUSTBEFREED ) {
+		rs->sr_flags ^= REP_MATCHED_MUSTBEFREED; /* paranoia */
+		if ( rs->sr_matched ) {
+			free( (char *)rs->sr_matched );
+			rs->sr_matched = NULL;
+		}
 	}
 
-	if ( rs->sr_ref && rs->sr_flags & REP_REF_MUSTBEFREED ) {
-		ber_bvarray_free( rs->sr_ref );
-		rs->sr_ref = NULL;
+	if ( rs->sr_flags & REP_REF_MUSTBEFREED ) {
+		rs->sr_flags ^= REP_REF_MUSTBEFREED; /* paranoia */
+		if ( rs->sr_ref ) {
+			ber_bvarray_free( rs->sr_ref );
+			rs->sr_ref = NULL;
+		}
 	}
 
 	return rc;
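Review bot: Clearing the flag with `rs->sr_flags ^= REP_MATCHED_MUSTBEFREED;` only works because the enclosing `if` has just tested that bit. `rs->sr_flags &= ~REP_MATCHED_MUSTBEFREED;` states the intent and stays correct if the line is ever moved out of the guard. The same applies to the two `REP_REF_MUSTBEFREED` toggles, here and in the `abandon:` hunk (@@ -625,6 +631,14 @@). The `/* paranoia */` comment could also say what it protects against, presumably a second free when the reply structure is reused.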
@@ -625,6 +631,14 @@
 	rs->sr_msgid = (rs->sr_tag != LBER_SEQUENCE) ? op->o_msgid : 0;
 
 abandon:
+	if ( rs->sr_flags & REP_REF_MUSTBEFREED ) {
+		if ( rs->sr_ref == NULL ) {
+			rs->sr_flags ^= REP_REF_MUSTBEFREED;
+			ber_bvarray_free( oref );
+		}
+		oref = NULL; /* send_ldap_response() will free rs->sr_ref if != NULL */
+	}
+
 	if ( send_ldap_response( op, rs ) == SLAP_CB_CONTINUE ) {
 		if ( op->o_tag == LDAP_REQ_SEARCH ) {
 			char nbuf[64];
@@ -743,8 +757,7 @@
 
 	/* Every 64 entries, check for thread pool pause */
 	if ( ( ( rs->sr_nentries & 0x3f ) == 0x3f ) &&
-		ldap_pvt_thread_pool_query( &connection_pool,
-			LDAP_PVT_THREAD_POOL_PARAM_PAUSING, &i ) == 0 && i )
+		ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 )
 	{
 		return LDAP_BUSY;
 	}

Modified: openldap/trunk/servers/slapd/root_dse.c
===================================================================
--- openldap/trunk/servers/slapd/root_dse.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/root_dse.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* root_dse.c - Provides the Root DSA-Specific Entry */
-/* $OpenLDAP: pkg/ldap/servers/slapd/root_dse.c,v 1.113.2.7 2007/08/31 23:13:59 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/root_dse.c,v 1.113.2.8 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/sasl.c
===================================================================
--- openldap/trunk/servers/slapd/sasl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/sasl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/sasl.c,v 1.239.2.6 2007/11/08 19:30:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sasl.c,v 1.239.2.12 2008/02/12 00:54:34 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,21 +35,14 @@
 #ifdef HAVE_CYRUS_SASL
 # ifdef HAVE_SASL_SASL_H
 #  include <sasl/sasl.h>
-# else
-#  include <sasl.h>
-# endif
-
-# if SASL_VERSION_MAJOR >= 2
-# ifdef HAVE_SASL_SASL_H
 #  include <sasl/saslplug.h>
 # else
+#  include <sasl.h>
 #  include <saslplug.h>
 # endif
-#  define	SASL_CONST const
-# else
-#  define	SASL_CONST
-# endif
 
+# define	SASL_CONST const
+
 #define SASL_VERSION_FULL	((SASL_VERSION_MAJOR << 16) |\
 	(SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP)
 
@@ -87,7 +80,6 @@
 	}
 
 	switch (priority) {
-#if SASL_VERSION_MAJOR >= 2
 	case SASL_LOG_NONE:
 		level = LDAP_DEBUG_NONE;
 		label = "None";
@@ -120,20 +112,6 @@
 		level = LDAP_DEBUG_TRACE;
 		label = "Password Trace";
 		break;
-#else
-	case SASL_LOG_ERR:
-		level = LDAP_DEBUG_ANY;
-		label = "Error";
-		break;
-	case SASL_LOG_WARNING:
-		level = LDAP_DEBUG_TRACE;
-		label = "Warning";
-		break;
-	case SASL_LOG_INFO:
-		level = LDAP_DEBUG_TRACE;
-		label = "Info";
-		break;
-#endif
 	default:
 		return SASL_BADPARAM;
 	}
@@ -146,18 +124,19 @@
 	return SASL_OK;
 }
 
-
-#if SASL_VERSION_MAJOR >= 2
 static const char *slap_propnames[] = {
-	"*slapConn", "*slapAuthcDN", "*slapAuthzDN", NULL };
+	"*slapConn", "*slapAuthcDNlen", "*slapAuthcDN",
+	"*slapAuthzDNlen", "*slapAuthzDN", NULL };
 
 static Filter generic_filter = { LDAP_FILTER_PRESENT, { 0 }, NULL };
 static struct berval generic_filterstr = BER_BVC("(objectclass=*)");
 
 #define	SLAP_SASL_PROP_CONN	0
-#define	SLAP_SASL_PROP_AUTHC	1
-#define	SLAP_SASL_PROP_AUTHZ	2
-#define	SLAP_SASL_PROP_COUNT	3	/* Number of properties we used */
+#define	SLAP_SASL_PROP_AUTHCLEN	1
+#define	SLAP_SASL_PROP_AUTHC	2
+#define	SLAP_SASL_PROP_AUTHZLEN	3
+#define	SLAP_SASL_PROP_AUTHZ	4
+#define	SLAP_SASL_PROP_COUNT	5	/* Number of properties we used */
 
 typedef struct lookup_info {
 	int flags;
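Review bot: The new layout carries an ordering rule that is not written down: each `*...len` name has to sit immediately before its DN name. The canonicalize hunk (@@ -630,13 +629,20 @@) moves from one to the other with `which++`, and the authorize hunk indexes the returned values as 0 to 3. A comment above the array such as `/* each length property must directly precede its DN property; callers step between them by index */` would keep a later reorder from silently pairing the wrong length with a DN.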
@@ -237,7 +216,8 @@
 					 * past the scheme name, skip this value.
 					 */
 #ifdef SLAPD_CLEARTEXT
-					if ( !ber_bvstrcasecmp( bv, &sc_cleartext ) ) {
+					if ( !strncasecmp( bv->bv_val, sc_cleartext.bv_val,
+						sc_cleartext.bv_len )) {
 						struct berval cbv;
 						cbv.bv_len = bv->bv_len - sc_cleartext.bv_len;
 						if ( cbv.bv_len > 0 ) {
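Review bot: The prefix comparison does not check that the stored value is at least as long as the scheme name, so the subtraction `bv->bv_len - sc_cleartext.bv_len` below it depends on `bv->bv_val` being NUL-terminated to stop strncasecmp() early. If `bv_len` is an unsigned type, as it appears to be, a shorter value would wrap rather than go negative, and the `> 0` test would not catch it. Adding the length to the condition removes that dependency: `if ( bv->bv_len >= sc_cleartext.bv_len && !strncasecmp( bv->bv_val, sc_cleartext.bv_val, sc_cleartext.bv_len )) {`. The enclosing loop and function start and end outside the hunk.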
@@ -282,16 +262,25 @@
 					AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) );
 				continue;
 			}
-			if ( (flags & SASL_AUXPROP_AUTHZID) &&
-				!strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] ) ) {
+			if ( flags & SASL_AUXPROP_AUTHZID ) {
+				if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZLEN] )) {
+					if ( sl.list[i].values && sl.list[i].values[0] )
+						AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
+							sizeof( op.o_req_ndn.bv_len ) );
+				} else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] )) {
+					if ( sl.list[i].values )
+						op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
+					break;
+				}
+			}
 
+			if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
 				if ( sl.list[i].values && sl.list[i].values[0] )
-					AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) );
-				break;
-			}
-			if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
-				if ( sl.list[i].values && sl.list[i].values[0] ) {
-					AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) );
+					AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
+						sizeof( op.o_req_ndn.bv_len ) );
+			} else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
+				if ( sl.list[i].values ) {
+					op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
 					if ( !(flags & SASL_AUXPROP_AUTHZID) )
 						break;
 				}
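Review bot: `op.o_req_ndn` is now assembled from two independent properties, and nothing in the hunk verifies that both arrived. A length with no DN, or a DN whose `values[0]` is NULL, leaves `bv_len` and `bv_val` inconsistent, and the `break` on the DN name assumes the length property was seen earlier in the list. The same split is read in the hunk at @@ -431,10 +421,13 @@. Normalising the pair once the loop is done, e.g. `if ( !op.o_req_ndn.bv_val ) op.o_req_ndn.bv_len = 0;`, would make a half-filled value look absent; the code that consumes `o_req_ndn` is outside the hunk and may already cope.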
@@ -406,6 +395,7 @@
 	unsigned ulen)
 {
 	Operation op = {0};
+	Opheader oph;
 	SlapReply rs = {REP_RESULT};
 	int rc, i, j;
 	Connection *conn = NULL;
@@ -431,10 +421,13 @@
 					AC_MEMCPY( &conn, pr[i].values[0], sizeof( conn ) );
 				continue;
 			}
-			if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
-				if ( pr[i].values && pr[i].values[0] ) {
-					AC_MEMCPY( &op.o_req_ndn, pr[i].values[0], sizeof( struct berval ) );
-				}
+			if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
+				if ( pr[i].values && pr[i].values[0] )
+					AC_MEMCPY( &op.o_req_ndn.bv_len, pr[i].values[0],
+						sizeof( op.o_req_ndn.bv_len ) );
+			} else if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
+				if ( pr[i].values )
+					op.o_req_ndn.bv_val = (char *)pr[i].values[0];
 			}
 		}
 	}
@@ -476,7 +469,13 @@
 			&text, textbuf, textlen );
 
 		if ( rc == LDAP_SUCCESS ) {
-			op.o_hdr = conn->c_sasl_bindop->o_hdr;
+			if ( conn->c_sasl_bindop ) {
+				op.o_hdr = conn->c_sasl_bindop->o_hdr;
+			} else {
+				op.o_hdr = &oph;
+				memset( &oph, 0, sizeof(oph) );
+				operation_fake_init( conn, &op, ldap_pvt_thread_pool_context(), 0 );
+			}
 			op.o_tag = LDAP_REQ_MODIFY;
 			op.o_ndn = op.o_req_ndn;
 			op.o_callback = &cb;
@@ -579,9 +578,9 @@
 		prop_request( props, slap_propnames );
 
 	if ( flags & SASL_CU_AUTHID )
-		which = SLAP_SASL_PROP_AUTHC;
+		which = SLAP_SASL_PROP_AUTHCLEN;
 	else
-		which = SLAP_SASL_PROP_AUTHZ;
+		which = SLAP_SASL_PROP_AUTHZLEN;
 
 	/* Need to store the Connection for auxprop_lookup */
 	if ( !auxvals[SLAP_SASL_PROP_CONN].values ) {
@@ -630,13 +629,20 @@
 
 	names[0] = slap_propnames[which];
 	names[1] = NULL;
+	prop_set( props, names[0], (char *)&dn.bv_len, sizeof( dn.bv_len ) );
 
-	prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
+	which++;
+	names[0] = slap_propnames[which];
+	prop_set( props, names[0], dn.bv_val, dn.bv_len );
 
 	Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n",
 		conn ? conn->c_connid : -1, names[0]+1,
 		dn.bv_val ? dn.bv_val : "<EMPTY>" );
 
+	/* Not needed any more, SASL has copied it */
+	if ( conn && conn->c_sasl_bindop )
+		conn->c_sasl_bindop->o_tmpfree( dn.bv_val, conn->c_sasl_bindop->o_tmpmemctx );
+
 done:
 	AC_MEMCPY( out, in, inlen );
 	out[inlen] = '\0';
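Review bot: Both `prop_set()` calls discard their result, so if the second one fails the length property is stored without its DN, and the readers in the lookup and authorize hunks would pair that length with a missing pointer. Checking each call, for instance `if ( prop_set( props, names[0], dn.bv_val, dn.bv_len ) != SASL_OK )` followed by the function's error return, keeps the pair all-or-nothing; the error path itself is outside the hunk. The Debug line already allows for `dn.bv_val` being NULL, so it is worth confirming that passing NULL as the value is intended. Freeing `dn.bv_val` only when `c_sasl_bindop` is set also deserves a comment saying who owns the buffer in the other case.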
@@ -675,7 +681,6 @@
 		"authcid=\"%s\" authzid=\"%s\"\n",
 		conn ? conn->c_connid : -1, auth_identity, requested_user );
 	if ( conn->c_sasl_dn.bv_val ) {
-		ch_free( conn->c_sasl_dn.bv_val );
 		BER_BVZERO( &conn->c_sasl_dn );
 	}
 
@@ -688,15 +693,17 @@
 		return SASL_NOAUTHZ;
 	}
 
-	AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+	AC_MEMCPY( &authcDN.bv_len, auxvals[0].values[0], sizeof(authcDN.bv_len) );
+	authcDN.bv_val = auxvals[1].values ? (char *)auxvals[1].values[0] : NULL;
 	conn->c_sasl_dn = authcDN;
 
 	/* Nothing to do if no authzID was given */
-	if ( !auxvals[1].name || !auxvals[1].values ) {
+	if ( !auxvals[2].name || !auxvals[2].values ) {
 		goto ok;
 	}
 	
-	AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
+	AC_MEMCPY( &authzDN.bv_len, auxvals[2].values[0], sizeof(authzDN.bv_len) );
+	authzDN.bv_val = auxvals[3].values ? (char *)auxvals[3].values[0] : NULL;
 
 	rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
 	if ( rc != LDAP_SUCCESS ) {
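Review bot: `auxvals[2].values[0]` is handed to AC_MEMCPY after checking only `auxvals[2].name` and `auxvals[2].values`, whereas the lookup hunk tests `values && values[0]` before copying a length. The guard here should match: `if ( !auxvals[2].name || !auxvals[2].values || !auxvals[2].values[0] ) {`. The literal indexes 0 to 3 also depend on the order in which the properties were requested, which happens outside the hunk, so a short comment naming what each slot holds would help. After this change `authcDN.bv_val` can be NULL with a non-zero `bv_len`, and `conn->c_sasl_dn` holds a pointer into the property values rather than an owned copy.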
@@ -705,21 +712,13 @@
 			(long) (conn ? conn->c_connid : -1), rc, 0 );
 
 		sasl_seterror( sconn, 0, "not authorized" );
-		ch_free( authzDN.bv_val );
 		return SASL_NOAUTHZ;
 	}
 
 	/* FIXME: we need yet another dup because slap_sasl_getdn()
 	 * is using the bind operation slab */
-	if ( conn->c_sasl_bindop ) {
-		ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
-		slap_sl_free( authzDN.bv_val,
-				conn->c_sasl_bindop->o_tmpmemctx );
+	ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
 
-	} else {
-		conn->c_sasl_authz_dn = authzDN;
-	}
-
 ok:
 	if (conn->c_sasl_bindop) {
 		Statslog( LDAP_DEBUG_STATS,
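Review bot: The FIXME kept above the now unconditional `ber_dupbv()` still explains the copy by slap_sasl_getdn() using the bind operation slab, but after this commit `authzDN.bv_val` is taken from the auxprop values in the previous hunk. Rewording it, e.g. `/* copy: authzDN.bv_val points into the SASL property values and is not owned by the connection */`, would match the code. The lifetime of those values is not visible from here, so the wording should be confirmed against the SASL context handling.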
@@ -734,109 +733,7 @@
 		authzDN.bv_val ? authzDN.bv_val : "", 0 );
 	return SASL_OK;
 } 
-#else
-static int
-slap_sasl_authorize(
-	void *context,
-	char *authcid,
-	char *authzid,
-	const char **user,
-	const char **errstr)
-{
-	struct berval authcDN, authzDN = BER_BVNULL;
-	int rc;
-	Connection *conn = context;
-	char *realm;
-	struct berval	bvauthcid, bvauthzid;
 
-	*user = NULL;
-	if ( conn->c_sasl_dn.bv_val ) {
-		ch_free( conn->c_sasl_dn.bv_val );
-		BER_BVZERO( &conn->c_sasl_dn );
-	}
-
-	Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
-		"authcid=\"%s\" authzid=\"%s\"\n",
-		(long) (conn ? conn->c_connid : -1),
-		authcid ? authcid : "<empty>",
-		authzid ? authzid : "<empty>" );
-
-	/* Figure out how much data we have for the dn */
-	rc = sasl_getprop( conn->c_sasl_authctx, SASL_REALM, (void **)&realm );
-	if( rc != SASL_OK && rc != SASL_NOTDONE ) {
-		Debug(LDAP_DEBUG_TRACE,
-			"authorize: getprop(REALM) failed!\n", 0,0,0);
-		*errstr = "Could not extract realm";
-		return SASL_NOAUTHZ;
-	}
-
-	/* Convert the identities to DN's. If no authzid was given, client will
-	   be bound as the DN matching their username */
-	bvauthcid.bv_val = authcid;
-	bvauthcid.bv_len = authcid ? strlen( authcid ) : 0;
-	rc = slap_sasl_getdn( conn, NULL, &bvauthcid, realm,
-		&authcDN, SLAP_GETDN_AUTHCID );
-	if( rc != LDAP_SUCCESS ) {
-		*errstr = ldap_err2string( rc );
-		return SASL_NOAUTHZ;
-	}
-	conn->c_sasl_dn = authcDN;
-	if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) {
-		Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
-		 "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
-
-		goto ok;
-	}
-
-	bvauthzid.bv_val = authzid;
-	bvauthzid.bv_len = authzid ? strlen( authzid ) : 0;
-	rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm,
-		&authzDN, SLAP_GETDN_AUTHZID );
-	if( rc != LDAP_SUCCESS ) {
-		*errstr = ldap_err2string( rc );
-		return SASL_NOAUTHZ;
-	}
-
-	rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
-	if( rc ) {
-		Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
-			"proxy authorization disallowed (%d)\n",
-			(long) (conn ? conn->c_connid : -1), rc, 0 );
-
-		*errstr = "not authorized";
-		ch_free( authzDN.bv_val );
-		return SASL_NOAUTHZ;
-	}
-
-	/* FIXME: we need yet another dup because slap_sasl_getdn()
-	 * is using the bind operation slab */
-	if ( conn->c_sasl_bindop ) {
-		ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
-		slap_sl_free( authzDN.bv_val,
-				conn->c_sasl_bindop->o_tmpmemctx );
-
-	} else {
-		conn->c_sasl_authz_dn = authzDN;
-	}
-
-ok:
-	Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
-		" authorization allowed authzDN=\"%s\"\n",
-		(long) (conn ? conn->c_connid : -1),
-		authzDN.bv_val ? authzDN.bv_val : "", 0 );
-
-	if ( conn->c_sasl_bindop ) {
-		Statslog( LDAP_DEBUG_STATS,
-			"%s BIND authcid=\"%s\" authzid=\"%s\"\n",
-			conn->c_sasl_bindop->o_log_prefix, 
-			authcid, authzid ? authzid : "", 0, 0 );
-	}
-
-	*errstr = NULL;
-	return SASL_OK;
-}
-#endif /* SASL_VERSION_MAJOR >= 2 */
-
 static int
 slap_sasl_err2ldap( int saslerr )
 {
@@ -933,20 +830,13 @@
 	rtn = LUTIL_PASSWD_ERR;
 
 	ctx = ldap_pvt_thread_pool_context();
-	ldap_pvt_thread_pool_getkey( ctx, slap_sasl_bind, &sconn, NULL );
+	ldap_pvt_thread_pool_getkey( ctx, (void *)slap_sasl_bind, &sconn, NULL );
 
 	if( sconn != NULL ) {
 		int sc;
-# if SASL_VERSION_MAJOR < 2
 		sc = sasl_checkpass( sconn,
 			passwd->bv_val, passwd->bv_len,
-			cred->bv_val, cred->bv_len,
-			text );
-# else
-		sc = sasl_checkpass( sconn,
-			passwd->bv_val, passwd->bv_len,
 			cred->bv_val, cred->bv_len );
-# endif
 		rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
 	}
 
@@ -1217,22 +1107,12 @@
 	}
 #endif
 
-	/* SASL 2 does its own memory management internally */
-#if SASL_VERSION_MAJOR < 2
-	sasl_set_alloc(
-		ber_memalloc,
-		ber_memcalloc,
-		ber_memrealloc,
-		ber_memfree ); 
-#endif
-
 	sasl_set_mutex(
 		ldap_pvt_sasl_mutex_new,
 		ldap_pvt_sasl_mutex_lock,
 		ldap_pvt_sasl_mutex_unlock,
 		ldap_pvt_sasl_mutex_dispose );
 
-#if SASL_VERSION_MAJOR >= 2
 	generic_filter.f_desc = slap_schema.si_ad_objectClass;
 
 	rc = sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
@@ -1241,7 +1121,7 @@
 			0, 0, 0 );
 		return -1;
 	}
-#endif
+
 	/* should provide callbacks for logging */
 	/* server name should be configurable */
 	rc = sasl_server_init( server_callbacks, "slapd" );
@@ -1249,10 +1129,6 @@
 	if( rc != SASL_OK ) {
 		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: server init failed\n",
 			0, 0, 0 );
-#if SASL_VERSION_MAJOR < 2
-		/* A no-op used to make sure we linked with Cyrus 1.5 */
-		sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL );
-#endif
 
 		return -1;
 	}
@@ -1285,7 +1161,6 @@
 	return 0;
 }
 
-#if SASL_VERSION_MAJOR >= 2
 static char *
 slap_sasl_peer2ipport( struct berval *peer )
 {
@@ -1319,7 +1194,6 @@
 
 	return ipport;
 }
-#endif
 
 int slap_sasl_open( Connection *conn, int reopen )
 {
@@ -1329,10 +1203,7 @@
 
 	sasl_conn_t *ctx = NULL;
 	sasl_callback_t *session_callbacks;
-
-#if SASL_VERSION_MAJOR >= 2
 	char *ipremoteport = NULL, *iplocalport = NULL;
-#endif
 
 	assert( conn->c_sasl_authctx == NULL );
 
@@ -1340,11 +1211,7 @@
 		assert( conn->c_sasl_extra == NULL );
 
 		session_callbacks =
-#if SASL_VERSION_MAJOR >= 2
 			SLAP_CALLOC( 5, sizeof(sasl_callback_t));
-#else
-			SLAP_CALLOC( 3, sizeof(sasl_callback_t));
-#endif
 		if( session_callbacks == NULL ) {
 			Debug( LDAP_DEBUG_ANY, 
 				"slap_sasl_open: SLAP_MALLOC failed", 0, 0, 0 );
@@ -1360,11 +1227,9 @@
 		session_callbacks[cb].proc = &slap_sasl_authorize;
 		session_callbacks[cb++].context = conn;
 
-#if SASL_VERSION_MAJOR >= 2
 		session_callbacks[cb].id = SASL_CB_CANON_USER;
 		session_callbacks[cb].proc = &slap_sasl_canonicalize;
 		session_callbacks[cb++].context = conn;
-#endif
 
 		session_callbacks[cb].id = SASL_CB_LIST_END;
 		session_callbacks[cb].proc = NULL;
@@ -1376,7 +1241,6 @@
 	conn->c_sasl_layers = 0;
 
 	/* create new SASL context */
-#if SASL_VERSION_MAJOR >= 2
 	if ( conn->c_sock_name.bv_len != 0 &&
 		strncmp( conn->c_sock_name.bv_val, "IP=", STRLENOF( "IP=" ) ) == 0 )
 	{
@@ -1397,10 +1261,6 @@
 	if ( ipremoteport != NULL ) {
 		ch_free( ipremoteport );
 	}
-#else
-	sc = sasl_server_new( "ldap", sasl_host, global_realm,
-		session_callbacks, SASL_SECURITY_LAYER, &ctx );
-#endif
 
 	if( sc != SASL_OK ) {
 		Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
@@ -1445,7 +1305,7 @@
 	slap_ssf_t ssf,
 	struct berval *auth_id )
 {
-#if SASL_VERSION_MAJOR >= 2
+#ifdef HAVE_CYRUS_SASL
 	int sc;
 	sasl_conn_t *ctx = conn->c_sasl_authctx;
 	sasl_ssf_t sasl_ssf = ssf;
@@ -1466,26 +1326,6 @@
 	if ( sc != SASL_OK ) {
 		return LDAP_OTHER;
 	}
-
-#elif defined(HAVE_CYRUS_SASL)
-	int sc;
-	sasl_conn_t *ctx = conn->c_sasl_authctx;
-	sasl_external_properties_t extprops;
-
-	if ( ctx == NULL ) {
-		return LDAP_UNAVAILABLE;
-	}
-
-	memset( &extprops, '\0', sizeof(extprops) );
-	extprops.ssf = ssf;
-	extprops.auth_id = auth_id ? auth_id->bv_val : NULL;
-
-	sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
-		(void *) &extprops );
-
-	if ( sc != SASL_OK ) {
-		return LDAP_OTHER;
-	}
 #elif defined(SLAP_BUILTIN_SASL)
 	/* built-in SASL implementation */
 	SASL_CTX *ctx = conn->c_sasl_authctx;
@@ -1533,10 +1373,6 @@
 		}
 
 		mechs = ldap_str2charray( mechstr, "," );
-
-#if SASL_VERSION_MAJOR < 2
-		ch_free( mechstr );
-#endif
 	}
 #elif defined(SLAP_BUILTIN_SASL)
 	/* builtin SASL implementation */
@@ -1608,28 +1444,19 @@
 		return rs->sr_err;
 	}
 
-#if SASL_VERSION_MAJOR >= 2
 #define	START( ctx, mech, cred, clen, resp, rlen, err ) \
 	sasl_server_start( ctx, mech, cred, clen, resp, rlen )
 #define	STEP( ctx, cred, clen, resp, rlen, err ) \
 	sasl_server_step( ctx, cred, clen, resp, rlen )
-#else
-#define	START( ctx, mech, cred, clen, resp, rlen, err ) \
-	sasl_server_start( ctx, mech, cred, clen, resp, rlen, err )
-#define	STEP( ctx, cred, clen, resp, rlen, err ) \
-	sasl_server_step( ctx, cred, clen, resp, rlen, err )
-#endif
 
 	if ( !op->o_conn->c_sasl_bind_in_progress ) {
 		/* If we already authenticated once, must use a new context */
 		if ( op->o_conn->c_sasl_done ) {
 			sasl_ssf_t ssf = 0;
 			const char *authid = NULL;
-#if SASL_VERSION_MAJOR >= 2
 			sasl_getprop( ctx, SASL_SSF_EXTERNAL, (void *)&ssf );
 			sasl_getprop( ctx, SASL_AUTH_EXTERNAL, (void *)&authid );
 			if ( authid ) authid = ch_strdup( authid );
-#endif
 			if ( ctx != op->o_conn->c_sasl_sockctx ) {
 				sasl_dispose( &ctx );
 			}
@@ -1637,13 +1464,11 @@
 				
 			slap_sasl_open( op->o_conn, 1 );
 			ctx = op->o_conn->c_sasl_authctx;
-#if SASL_VERSION_MAJOR >= 2
 			if ( authid ) {
 				sasl_setprop( ctx, SASL_SSF_EXTERNAL, &ssf );
 				sasl_setprop( ctx, SASL_AUTH_EXTERNAL, authid );
 				ch_free( (char *)authid );
 			}
-#endif
 		}
 		sc = START( ctx,
 			op->o_conn->c_sasl_bind_mech.bv_val,
@@ -1661,7 +1486,7 @@
 	if ( sc == SASL_OK ) {
 		sasl_ssf_t *ssf = NULL;
 
-		op->orb_edn = op->o_conn->c_sasl_dn;
+		ber_dupbv_x( &op->orb_edn, &op->o_conn->c_sasl_dn, op->o_tmpmemctx );
 		BER_BVZERO( &op->o_conn->c_sasl_dn );
 		op->o_conn->c_sasl_done = 1;
 
@@ -1706,27 +1531,17 @@
 		}
 	} else if ( sc == SASL_CONTINUE ) {
 		rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS,
-#if SASL_VERSION_MAJOR >= 2
 		rs->sr_text = sasl_errdetail( ctx );
-#endif
 		rs->sr_sasldata = &response;
 		send_ldap_sasl( op, rs );
 
 	} else {
-		if ( op->o_conn->c_sasl_dn.bv_len )
-			ch_free( op->o_conn->c_sasl_dn.bv_val );
 		BER_BVZERO( &op->o_conn->c_sasl_dn );
-#if SASL_VERSION_MAJOR >= 2
 		rs->sr_text = sasl_errdetail( ctx );
-#endif
 		rs->sr_err = slap_sasl_err2ldap( sc ),
 		send_ldap_result( op, rs );
 	}
 
-#if SASL_VERSION_MAJOR < 2
-	if( response.bv_len ) ch_free( response.bv_val );
-#endif
-
 	Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0);
 
 #elif defined(SLAP_BUILTIN_SASL)
@@ -1823,16 +1638,11 @@
 		rs->sr_rspdata = slap_passwd_return( &new );
 	}
 
-#if SASL_VERSION_MAJOR < 2
-	rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx,
-		id.bv_val, new.bv_val, new.bv_len, 0, &rs->sr_text );
-#else
 	rs->sr_err = sasl_setpass( op->o_conn->c_sasl_authctx, id.bv_val,
 		new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 );
 	if( rs->sr_err != SASL_OK ) {
 		rs->sr_text = sasl_errdetail( op->o_conn->c_sasl_authctx );
 	}
-#endif
 	switch(rs->sr_err) {
 		case SASL_OK:
 			rs->sr_err = LDAP_SUCCESS;

Modified: openldap/trunk/servers/slapd/saslauthz.c
===================================================================
--- openldap/trunk/servers/slapd/saslauthz.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/saslauthz.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/saslauthz.c,v 1.163.2.6 2007/09/04 00:39:45 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/saslauthz.c,v 1.163.2.8 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -1665,7 +1665,7 @@
 
 	Debug( LDAP_DEBUG_TRACE,
 	   "===>slap_sasl_match: comparing DN %s to rule %s\n",
-		assertDN->bv_val, rule->bv_val, 0 );
+		assertDN->bv_len ? assertDN->bv_val : "(null)", rule->bv_val, 0 );
 
 	/* NOTE: don't normalize rule if authz syntax is enabled */
 	rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
@@ -2038,11 +2038,16 @@
 	int rc = LDAP_INAPPROPRIATE_AUTH;
 
 	/* User binding as anonymous */
-	if ( authzDN == NULL ) {
+	if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
 		rc = LDAP_SUCCESS;
 		goto DONE;
 	}
 
+	/* User is anonymous */
+	if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
+		goto DONE;
+	}
+
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_authorized: can %s become %s?\n",
 		authcDN->bv_len ? authcDN->bv_val : "(null)",
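Review bot: The two comments do not describe the branches they sit on: the first test succeeds when no authorization identity is supplied (NULL or empty `authzDN`), and the second refuses an empty `authcDN` by leaving `rc` at its initial `LDAP_INAPPROPRIATE_AUTH`. Something like `/* no authzid requested: nothing to authorize */` and `/* anonymous authcDN may not assume another identity */` would make the allow and deny outcomes explicit. The denial also jumps to DONE before the trace line below, so unless the code at DONE (outside the hunk) logs `rc`, a refused anonymous proxy attempt leaves no trace entry.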

Modified: openldap/trunk/servers/slapd/schema/README
===================================================================
--- openldap/trunk/servers/slapd/schema/README	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/README	2008-05-25 14:29:31 UTC (rev 1128)
@@ -34,7 +34,7 @@
 
 This notice applies to all files in this directory.
 
-Copyright 1998-2007 The OpenLDAP Foundation, Redwood City, California, USA
+Copyright 1998-2008 The OpenLDAP Foundation, Redwood City, California, USA
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -77,4 +77,4 @@
 
 
 ---
-$OpenLDAP: pkg/ldap/servers/slapd/schema/README,v 1.29.2.2 2007/08/31 23:14:06 quanah Exp $
+$OpenLDAP: pkg/ldap/servers/slapd/schema/README,v 1.29.2.3 2008/02/11 23:26:49 kurt Exp $

Modified: openldap/trunk/servers/slapd/schema/cosine.ldif
===================================================================
--- openldap/trunk/servers/slapd/schema/cosine.ldif	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/cosine.ldif	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # RFC1274: Cosine and Internet X.500 schema
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/cosine.ldif,v 1.1.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/duaconf.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/duaconf.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/duaconf.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/duaconf.schema,v 1.5.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/duaconf.schema,v 1.5.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/dyngroup.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/dyngroup.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/dyngroup.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # dyngroup.schema -- Dynamic Group schema
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/dyngroup.schema,v 1.6.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/dyngroup.schema,v 1.6.2.4 2008/02/12 05:17:43 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -67,6 +67,13 @@
 	DESC 'Identity to use when processing the memberURL'
 	SUP distinguishedName SINGLE-VALUE )
 
+attributeType ( DynGroupAttr:2
+	NAME 'dgAuthz'
+	DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
+	EQUALITY authzMatch
+	SYNTAX 1.3.6.1.4.1.4203.666.2.7
+	X-ORDERED 'VALUES' )
+
 objectClass ( NetscapeLDAPobjectClass:33
 	NAME 'groupOfURLs'
 	SUP top STRUCTURAL
@@ -79,4 +86,6 @@
 objectClass ( DynGroupOC:1
 	NAME 'dgIdentityAux'
 	SUP top AUXILIARY
-	MAY dgIdentity )
+	MAY ( dgIdentity $ dgAuthz ) )
+
+

Modified: openldap/trunk/servers/slapd/schema/inetorgperson.ldif
===================================================================
--- openldap/trunk/servers/slapd/schema/inetorgperson.ldif	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/inetorgperson.ldif	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # InetOrgPerson (RFC2798)
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.ldif,v 1.1.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/inetorgperson.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/inetorgperson.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/inetorgperson.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # inetorgperson.schema -- InetOrgPerson (RFC2798)
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.schema,v 1.18.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/inetorgperson.schema,v 1.18.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/misc.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/misc.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/misc.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # misc.schema -- assorted schema definitions
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/misc.schema,v 1.30.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/misc.schema,v 1.30.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/nadf.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/nadf.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/nadf.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # nadf.schema -- NADF-defined schema
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/nadf.schema,v 1.13.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/nadf.schema,v 1.13.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/nis.ldif
===================================================================
--- openldap/trunk/servers/slapd/schema/nis.ldif	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/nis.ldif	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # NIS (RFC2307)
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/nis.ldif,v 1.1.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/nis.ldif,v 1.1.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/nis.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/nis.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/nis.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/nis.schema,v 1.15.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/nis.schema,v 1.15.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/openldap.ldif
===================================================================
--- openldap/trunk/servers/slapd/schema/openldap.ldif	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/openldap.ldif	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/openldap.ldif,v 1.2.2.3 2007/10/08 08:39:33 ando Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/openldap.ldif,v 1.2.2.4 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema/openldap.schema
===================================================================
--- openldap/trunk/servers/slapd/schema/openldap.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema/openldap.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/openldap.schema,v 1.24.2.3 2007/10/08 08:39:33 ando Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/schema/openldap.schema,v 1.24.2.4 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema.c
===================================================================
--- openldap/trunk/servers/slapd/schema.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* schema.c - routines to manage schema definitions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema.c,v 1.105.2.3 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema.c,v 1.105.2.4 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schema_check.c
===================================================================
--- openldap/trunk/servers/slapd/schema_check.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema_check.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* schema_check.c - routines to enforce schema definitions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema_check.c,v 1.103.2.3 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema_check.c,v 1.103.2.6 2008/04/18 22:33:55 ando Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,6 +32,7 @@
 static int entry_naming_check(
 	Entry *e,
 	int manage,
+	int add_naming,
 	const char** text,
 	char *textbuf, size_t textlen );
 /*
@@ -47,7 +48,7 @@
 	Entry *e,
 	Attribute *oldattrs,
 	int manage,
-	int add_soc,
+	int add,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@@ -135,7 +136,7 @@
 	assert( aoc->a_vals[0].bv_val != NULL );
 
 	/* check the structural object class attribute */
-	if ( asc == NULL && !add_soc ) {
+	if ( asc == NULL && !add ) {
 		Debug( LDAP_DEBUG_ANY,
 			"No structuralObjectClass for entry (%s)\n",
 		    e->e_dn, 0, 0 );
@@ -150,7 +151,7 @@
 		return rc;
 	}
 
-	if ( asc == NULL && add_soc ) {
+	if ( asc == NULL && add ) {
 		attr_merge_one( e, ad_structuralObjectClass, &oc->soc_cname, NULL );
 		asc = attr_find( e->e_attrs, ad_structuralObjectClass );
 		sc = oc;
@@ -224,7 +225,7 @@
 
 	/* naming check */
 	if ( !is_entry_glue ( e ) ) {
-		rc = entry_naming_check( e, manage, text, textbuf, textlen );
+		rc = entry_naming_check( e, manage, add, text, textbuf, textlen );
 		if( rc != LDAP_SUCCESS ) {
 			goto done;
 		}
@@ -355,8 +356,8 @@
 					}
 				}
 
-				if( xc == NULL ) {
-					snprintf( textbuf, textlen, "instanstantiation of "
+				if( xc != NULL ) {
+					snprintf( textbuf, textlen, "instantiation of "
 						"abstract objectClass '%s' not allowed",
 						aoc->a_vals[i].bv_val );
 
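Review bot: The flipped test `if( xc != NULL )` depends on how the loop above leaves `xc`, and the start of that loop is outside the hunk, so a reader cannot tell from here which value means "nothing in the entry permits this abstract class". A one-line comment at the test, for example `/* xc still set: no other class of the entry justifies this abstract class */`, would record the convention once it is confirmed against the loop. That would make an inversion like the one corrected here harder to reintroduce in schema enforcement.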
@@ -762,6 +763,7 @@
 entry_naming_check(
 	Entry *e,
 	int manage,
+	int add_naming,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@@ -792,6 +794,7 @@
 		AttributeDescription *desc = NULL;
 		Attribute *attr;
 		const char *errtext;
+		int add = 0;
 
 		if( ava->la_flags & LDAP_AVA_BINARY ) {
 			snprintf( textbuf, textlen, 
@@ -852,37 +855,51 @@
 			snprintf( textbuf, textlen, 
 				"naming attribute '%s' is not present in entry",
 				ava->la_attr.bv_val );
-			rc = LDAP_NAMING_VIOLATION;
-			break;
+			if ( add_naming ) {
+				add = 1;
+
+			} else {
+				rc = LDAP_NAMING_VIOLATION;
+			}
+
+		} else {
+			rc = attr_valfind( attr, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
+				SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
+				&ava->la_value, NULL, NULL );
+
+			if( rc != 0 ) {
+				switch( rc ) {
+				case LDAP_INAPPROPRIATE_MATCHING:
+					snprintf( textbuf, textlen, 
+						"inappropriate matching for naming attribute '%s'",
+						ava->la_attr.bv_val );
+					break;
+				case LDAP_INVALID_SYNTAX:
+					snprintf( textbuf, textlen, 
+						"value of naming attribute '%s' is invalid",
+						ava->la_attr.bv_val );
+					break;
+				case LDAP_NO_SUCH_ATTRIBUTE:
+					snprintf( textbuf, textlen, 
+						"value of naming attribute '%s' is not present in entry",
+						ava->la_attr.bv_val );
+					if ( add_naming ) {
+						add = 1;
+					}
+					break;
+				default:
+					snprintf( textbuf, textlen, 
+						"naming attribute '%s' is inappropriate",
+						ava->la_attr.bv_val );
+				}
+				rc = LDAP_NAMING_VIOLATION;
+			}
 		}
 
-		rc = attr_valfind( attr, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
-			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
-			&ava->la_value, NULL, NULL );
+		if ( add ) {
+			attr_merge_normalize_one( e, desc, &ava->la_value, NULL );
 
-		if( rc != 0 ) {
-			switch( rc ) {
-			case LDAP_INAPPROPRIATE_MATCHING:
-				snprintf( textbuf, textlen, 
-					"inappropriate matching for naming attribute '%s'",
-					ava->la_attr.bv_val );
-				break;
-			case LDAP_INVALID_SYNTAX:
-				snprintf( textbuf, textlen, 
-					"value of naming attribute '%s' is invalid",
-					ava->la_attr.bv_val );
-				break;
-			case LDAP_NO_SUCH_ATTRIBUTE:
-				snprintf( textbuf, textlen, 
-					"value of naming attribute '%s' is not present in entry",
-					ava->la_attr.bv_val );
-				break;
-			default:
-				snprintf( textbuf, textlen, 
-					"naming attribute '%s' is inappropriate",
-					ava->la_attr.bv_val );
-			}
-			rc = LDAP_NAMING_VIOLATION;
+		} else if ( rc != LDAP_SUCCESS ) {
 			break;
 		}
 	}
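Review bot: In the `LDAP_NO_SUCH_ATTRIBUTE` case the code sets `add = 1` when `add_naming` is true, but the unconditional `rc = LDAP_NAMING_VIOLATION;` after the switch still runs. The value is then merged into the entry while `rc` and `textbuf` still describe a violation. Unless a later statement resets `rc` (the end of the loop and the return are outside the hunk), an auto-add on the last RDN component would be reported to the caller as a naming violation; `rc = add ? LDAP_SUCCESS : LDAP_NAMING_VIOLATION;` keeps the two outcomes apart. The result of `attr_merge_normalize_one( e, desc, &ava->la_value, NULL )` is also discarded, so a failed merge is indistinguishable from success; assigning it to `rc` and breaking on a non-success value would cover that.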

Modified: openldap/trunk/servers/slapd/schema_init.c
===================================================================
--- openldap/trunk/servers/slapd/schema_init.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema_init.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* schema_init.c - init builtin schema */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.17 2007/12/03 15:04:31 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.20 2008/04/14 20:01:31 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2239,10 +2239,10 @@
 		}
 		rc = integerVal2Key( &values[i], &keys[i], &itmp, ctx );
 		if ( rc )
-			goto leave;
+			goto func_leave;
 	}
 	*keysp = keys;
-leave:
+func_leave:
 	if ( itmp.bv_val != ibuf ) {
 		slap_sl_free( itmp.bv_val, ctx );
 	}
@@ -3142,7 +3142,7 @@
 	sn2.bv_len = sn.bv_len;
 	if ( lutil_str2bin( &sn, &sn2, ctx )) {
 		rc = LDAP_INVALID_SYNTAX;
-		goto leave;
+		goto func_leave;
 	}
 
 	/* make room for sn + "$" */
@@ -3154,7 +3154,7 @@
 		out->bv_len = 0;
 		slap_sl_free( ni.bv_val, ctx );
 		rc = LDAP_OTHER;
-		goto leave;
+		goto func_leave;
 	}
 
 	n = 0;
@@ -3192,7 +3192,7 @@
 	Debug( LDAP_DEBUG_TRACE, "<<< serialNumberAndIssuerNormalize: <%s>\n",
 		out->bv_val, 0, 0 );
 
-leave:
+func_leave:
 	if ( stmp != sbuf )
 		slap_sl_free( stmp, ctx );
 	slap_sl_free( ni.bv_val, ctx );
@@ -3561,6 +3561,114 @@
 	return hexValidate( NULL, &bv );
 }
 
+/* Normalize a CSN in OpenLDAP 2.1 format */
+static int
+csnNormalize21(
+	slap_mask_t usage,
+	Syntax *syntax,
+	MatchingRule *mr,
+	struct berval *val,
+	struct berval *normalized,
+	void *ctx )
+{
+	struct berval	gt, cnt, sid, mod;
+	struct berval	bv;
+	char		buf[ STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" ) + 1 ];
+	char		*ptr;
+	int		i;
+
+	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
+	assert( !BER_BVISEMPTY( val ) );
+
+	gt = *val;
+
+	ptr = ber_bvchr( &gt, '#' );
+	if ( ptr == NULL || ptr - gt.bv_val == gt.bv_len ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	gt.bv_len = ptr - gt.bv_val;
+	if ( gt.bv_len != STRLENOF( "YYYYmmddHH:MM:SSZ" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	if ( gt.bv_val[ 10 ] != ':' || gt.bv_val[ 13 ] != ':' ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	cnt.bv_val = ptr + 1;
+	cnt.bv_len = val->bv_len - ( cnt.bv_val - val->bv_val );
+
+	ptr = ber_bvchr( &cnt, '#' );
+	if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	cnt.bv_len = ptr - cnt.bv_val;
+	if ( cnt.bv_len != STRLENOF( "0x0000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	if ( strncmp( cnt.bv_val, "0x", STRLENOF( "0x" ) ) != 0 ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	cnt.bv_val += STRLENOF( "0x" );
+	cnt.bv_len -= STRLENOF( "0x" );
+
+	sid.bv_val = ptr + 1;
+	sid.bv_len = val->bv_len - ( sid.bv_val - val->bv_val );
+		
+	ptr = ber_bvchr( &sid, '#' );
+	if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	sid.bv_len = ptr - sid.bv_val;
+	if ( sid.bv_len != STRLENOF( "0" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	mod.bv_val = ptr + 1;
+	mod.bv_len = val->bv_len - ( mod.bv_val - val->bv_val );
+	if ( mod.bv_len != STRLENOF( "0000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	bv.bv_len = STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" );
+	bv.bv_val = buf;
+
+	ptr = bv.bv_val;
+	ptr = lutil_strncopy( ptr, gt.bv_val, STRLENOF( "YYYYmmddHH" ) );
+	ptr = lutil_strncopy( ptr, &gt.bv_val[ STRLENOF( "YYYYmmddHH:" ) ],
+		STRLENOF( "MM" ) );
+	ptr = lutil_strncopy( ptr, &gt.bv_val[ STRLENOF( "YYYYmmddHH:MM:" ) ],
+		STRLENOF( "SS" ) );
+	ptr = lutil_strcopy( ptr, ".000000Z#00" );
+	ptr = lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len );
+	*ptr++ = '#';
+	*ptr++ = '0';
+	*ptr++ = '0';
+	*ptr++ = sid.bv_val[ 0 ];
+	*ptr++ = '#';
+	*ptr++ = '0';
+	*ptr++ = '0';
+	for ( i = 0; i < mod.bv_len; i++ ) {
+		*ptr++ = TOLOWER( mod.bv_val[ i ] );
+	}
+	*ptr = '\0';
+
+	assert( ptr - bv.bv_val == bv.bv_len );
+
+	if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
+	ber_dupbv_x( normalized, &bv, ctx );
+
+	return LDAP_SUCCESS;
+}
+
 /* Normalize a CSN in OpenLDAP 2.3 format */
 static int
 csnNormalize23(
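Review bot: csnNormalize21 lower-cases the `mod` field with `TOLOWER` but copies the hexadecimal `cnt` digits verbatim via `lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len )`. Two 2.1 CSNs that differ only in the case of the `0xSSSS` count would therefore normalize to different strings if `csnValidate` accepts both cases (its body is not shown here). Copying `cnt` through the same kind of loop, `for ( i = 0; i < cnt.bv_len; i++ ) *ptr++ = TOLOWER( cnt.bv_val[ i ] );`, would make the output canonical; the csnNormalize23 hunk further down copies `cnt` the same way. The return value of `ber_dupbv_x( normalized, &bv, ctx )` is also ignored here and in csnNormalize23, so an allocation failure would be returned as `LDAP_SUCCESS`; `if ( ber_dupbv_x( normalized, &bv, ctx ) == NULL ) return LDAP_OTHER;` closes that. The header comment could also state the accepted input layout, `YYYYmmddHH:MM:SSZ#0xSSSS#I#ssss`, which at present appears only in the caller.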
@@ -3572,6 +3680,8 @@
 	void *ctx )
 {
 	struct berval	gt, cnt, sid, mod;
+	struct berval	bv;
+	char		buf[ STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" ) + 1 ];
 	char		*ptr;
 	int		i;
 
@@ -3586,7 +3696,9 @@
 	}
 
 	gt.bv_len = ptr - gt.bv_val;
-	assert( gt.bv_len == STRLENOF( "YYYYmmddHHMMSSZ" ) );
+	if ( gt.bv_len != STRLENOF( "YYYYmmddHHMMSSZ" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	cnt.bv_val = ptr + 1;
 	cnt.bv_len = val->bv_len - ( cnt.bv_val - val->bv_val );
@@ -3597,7 +3709,9 @@
 	}
 
 	cnt.bv_len = ptr - cnt.bv_val;
-	assert( cnt.bv_len == STRLENOF( "000000" ) );
+	if ( cnt.bv_len != STRLENOF( "000000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	sid.bv_val = ptr + 1;
 	sid.bv_len = val->bv_len - ( sid.bv_val - val->bv_val );
@@ -3608,16 +3722,20 @@
 	}
 
 	sid.bv_len = ptr - sid.bv_val;
-	assert( sid.bv_len == STRLENOF( "00" ) );
+	if ( sid.bv_len != STRLENOF( "00" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	mod.bv_val = ptr + 1;
 	mod.bv_len = val->bv_len - ( mod.bv_val - val->bv_val );
-	assert( mod.bv_len == STRLENOF( "000000" ) );
+	if ( mod.bv_len != STRLENOF( "000000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
-	normalized->bv_len = STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" );
-	normalized->bv_val = ber_memalloc_x( normalized->bv_len + 1, ctx );
+	bv.bv_len = STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" );
+	bv.bv_val = buf;
 
-	ptr = normalized->bv_val;
+	ptr = bv.bv_val;
 	ptr = lutil_strncopy( ptr, gt.bv_val, gt.bv_len - 1 );
 	ptr = lutil_strcopy( ptr, ".000000Z#" );
 	ptr = lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len );
@@ -3632,8 +3750,13 @@
 	}
 	*ptr = '\0';
 
-	assert( ptr - normalized->bv_val == normalized->bv_len );
+	assert( ptr - bv.bv_val == bv.bv_len );
+	if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
+	ber_dupbv_x( normalized, &bv, ctx );
+
 	return LDAP_SUCCESS;
 }
 
@@ -3666,14 +3789,24 @@
 		return csnNormalize23( usage, syntax, mr, val, normalized, ctx );
 	}
 
-	assert( val->bv_len == STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" ) );
+	if ( val->bv_len == STRLENOF( "YYYYmmddHH:MM:SSZ#0xSSSS#I#ssss" ) ) {
+		/* Openldap 2.1 */
 
+		return csnNormalize21( usage, syntax, mr, val, normalized, ctx );
+	}
+
+	if ( val->bv_len != STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ#SSSSSS#SID#ssssss" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
+
 	ptr = ber_bvchr( val, '#' );
 	if ( ptr == NULL || ptr - val->bv_val == val->bv_len ) {
 		return LDAP_INVALID_SYNTAX;
 	}
 
-	assert( ptr - val->bv_val == STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ" ) );
+	if ( ptr - val->bv_val != STRLENOF( "YYYYmmddHHMMSS.uuuuuuZ" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	cnt.bv_val = ptr + 1;
 	cnt.bv_len = val->bv_len - ( cnt.bv_val - val->bv_val );
@@ -3683,7 +3816,9 @@
 		return LDAP_INVALID_SYNTAX;
 	}
 
-	assert( ptr - cnt.bv_val == STRLENOF( "000000" ) );
+	if ( ptr - cnt.bv_val != STRLENOF( "000000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	sid.bv_val = ptr + 1;
 	sid.bv_len = val->bv_len - ( sid.bv_val - val->bv_val );
@@ -3694,12 +3829,16 @@
 	}
 
 	sid.bv_len = ptr - sid.bv_val;
-	assert( sid.bv_len == STRLENOF( "000" ) );
+	if ( sid.bv_len != STRLENOF( "000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	mod.bv_val = ptr + 1;
 	mod.bv_len = val->bv_len - ( mod.bv_val - val->bv_val );
 
-	assert( mod.bv_len == STRLENOF( "000000" ) );
+	if ( mod.bv_len != STRLENOF( "000000" ) ) {
+		return LDAP_INVALID_SYNTAX;
+	}
 
 	ber_dupbv_x( normalized, val, ctx );
 

Modified: openldap/trunk/servers/slapd/schema_prep.c
===================================================================
--- openldap/trunk/servers/slapd/schema_prep.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schema_prep.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* schema_prep.c - load builtin schema */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema_prep.c,v 1.169.2.5 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema_prep.c,v 1.169.2.6 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/schemaparse.c
===================================================================
--- openldap/trunk/servers/slapd/schemaparse.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/schemaparse.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* schemaparse.c - routines to parse config file objectclass definitions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schemaparse.c,v 1.80.2.3 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schemaparse.c,v 1.80.2.4 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/search.c
===================================================================
--- openldap/trunk/servers/slapd/search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/search.c,v 1.181.2.3 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/search.c,v 1.181.2.5 2008/04/14 22:16:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -241,8 +241,7 @@
 {
 	BackendDB		*bd = op->o_bd;
 
-	/* fake while loop to allow breaking out */
-	while ( op->ors_scope == LDAP_SCOPE_BASE ) {
+	if ( op->ors_scope == LDAP_SCOPE_BASE ) {
 		Entry *entry = NULL;
 
 		if ( BER_BVISEMPTY( &op->o_req_ndn ) ) {
@@ -299,7 +298,6 @@
 			send_ldap_result( op, rs );
 			goto return_results;
 		}
-		break;
 	}
 
 	if( BER_BVISEMPTY( &op->o_req_ndn ) && !BER_BVISEMPTY( &default_search_nbase ) ) {

Modified: openldap/trunk/servers/slapd/sets.c
===================================================================
--- openldap/trunk/servers/slapd/sets.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/sets.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/sets.c,v 1.28.2.5 2007/10/24 15:03:23 ando Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sets.c,v 1.28.2.9 2008/04/14 19:20:45 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2000-2007 The OpenLDAP Foundation.
+ * Copyright 2000-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -151,16 +151,19 @@
 							sizeof( struct berval ),
 							cp->set_op->o_tmpmemctx );
 					BER_BVZERO( &set[ 0 ] );
-					return set;
+					goto done2;
 				}
-				return set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
+				set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
+				goto done2;
 			}
 			slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
-			return set_dup( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
+			set = set_dup( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
+			goto done2;
 		}
 		if ( rset == NULL || BER_BVISNULL( &rset[ 0 ] ) ) {
 			slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
-			return set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
+			set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
+			goto done2;
 		}
 
 		/* worst scenario: no duplicates */
@@ -277,25 +280,13 @@
 		j = slap_set_size( lset );
 
 		/* handle empty set cases */
-		if ( i == 0 ) {
-			if ( j == 0 ) {
-				set = cp->set_op->o_tmpcalloc( i * j + 1, sizeof( struct berval ),
-						cp->set_op->o_tmpmemctx );
-				if ( set == NULL ) {
-					break;
-				}
-				BER_BVZERO( &set[ 0 ] );
+		if ( i == 0 || j == 0 ) {
+			set = cp->set_op->o_tmpcalloc( 1, sizeof( struct berval ),
+					cp->set_op->o_tmpmemctx );
+			if ( set == NULL ) {
 				break;
-
-			} else {
-				set = set_dup( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
-				lset = NULL;
-				break;
 			}
-
-		} else if ( j == 0 ) {
-			set = set_dup( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
-			rset = NULL;
+			BER_BVZERO( &set[ 0 ] );
 			break;
 		}
 
@@ -364,6 +355,18 @@
 	if ( lset ) slap_set_dispose( cp, lset, SLAP_SET_LREF2REF( op_flags ) );
 	if ( rset ) slap_set_dispose( cp, rset, SLAP_SET_RREF2REF( op_flags ) );
 
+done2:;
+	if ( LogTest( LDAP_DEBUG_ACL ) ) {
+		if ( BER_BVISNULL( set ) ) {
+			Debug( LDAP_DEBUG_ACL, "  ACL set: empty\n", 0, 0, 0 );
+
+		} else {
+			for ( i = 0; !BER_BVISNULL( &set[ i ] ); i++ ) {
+				Debug( LDAP_DEBUG_ACL, "  ACL set[%ld]=%s\n", i, set[i].bv_val, 0 );
+			}
+		}
+	}
+
 	return set;
 }
 
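Review bot: The new trace block at `done2:` evaluates `BER_BVISNULL( set )` without first checking `set` itself. The empty-set hunk above leaves the switch with `set == NULL` when `o_tmpcalloc` fails (`if ( set == NULL ) break;`), and the `set_dup` results are sent straight to `goto done2` unchecked. If those paths reach this label, as they appear to, then with `LDAP_DEBUG_ACL` logging enabled a failed allocation becomes a null-pointer dereference during ACL evaluation. Testing the pointer first, `if ( set == NULL || BER_BVISNULL( set ) )`, avoids that. The `%ld` conversion is only correct if `i` is declared `long`, which is outside the hunk.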
@@ -706,20 +709,19 @@
 			break;
 
 		default:
-			if ( ( c != '_' )
-					&& ( c < 'A' || c > 'Z' )
-					&& ( c < 'a' || c > 'z' ) )
-			{
+			if ( !AD_LEADCHAR( c ) ) {
 				SF_ERROR( syntax );
 			}
 			filter--;
 			for ( len = 1;
-					( c = filter[ len ] )
-						&& ( ( c >= '0' && c <= '9' )
-							|| ( c >= 'A' && c <= 'Z' )
-							|| ( c >= 'a' && c <= 'z' ) );
-					len++ )
-				/* count */ ;
+				( c = filter[ len ] ) && AD_CHAR( c );
+				len++ )
+			{
+				/* count */
+				if ( c == '-' && !AD_CHAR( filter[ len + 1 ] ) ) {
+					break;
+				}
+			}
 			if ( len == 4
 				&& memcmp( "this", filter, len ) == 0 )
 			{
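Review bot: The `c == '-'` lookahead inside the counting loop is unexplained, and the surviving `/* count */` comment no longer describes a body that can break out early. A comment such as `/* a '-' not followed by a name character ends the identifier */`, once confirmed against the set grammar, would say why the dash is special. Replacing the hand-written test with `AD_LEADCHAR( c )` may also change which leading characters are accepted: the removed code allowed `_`, and the macro definitions are not shown here. If that change is intended, it should be stated next to the check. The enclosing function starts and ends outside the hunk.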

Modified: openldap/trunk/servers/slapd/sets.h
===================================================================
--- openldap/trunk/servers/slapd/sets.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/sets.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/sets.h,v 1.21.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sets.h,v 1.21.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/shell-backends/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/shell-backends/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/shell-backends/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for shell-backends
-# $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/Makefile.in,v 1.14.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/Makefile.in,v 1.14.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/shell-backends/passwd-shell.c
===================================================================
--- openldap/trunk/servers/slapd/shell-backends/passwd-shell.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/shell-backends/passwd-shell.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* passwd-shell.c - passwd(5) shell-based backend for slapd(8) */
-/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/passwd-shell.c,v 1.14.2.3 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/passwd-shell.c,v 1.14.2.4 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/shell-backends/shellutil.c
===================================================================
--- openldap/trunk/servers/slapd/shell-backends/shellutil.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/shell-backends/shellutil.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* shellutil.c - common routines useful when building shell-based backends */
-/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/shellutil.c,v 1.17.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/shellutil.c,v 1.17.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/shell-backends/shellutil.h
===================================================================
--- openldap/trunk/servers/slapd/shell-backends/shellutil.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/shell-backends/shellutil.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* shellutil.h */
-/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/shellutil.h,v 1.11.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/shell-backends/shellutil.h,v 1.11.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/sl_malloc.c
===================================================================
--- openldap/trunk/servers/slapd/sl_malloc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/sl_malloc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* sl_malloc.c - malloc routines using a per-thread slab */
-/* $OpenLDAP: pkg/ldap/servers/slapd/sl_malloc.c,v 1.39.2.3 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sl_malloc.c,v 1.39.2.6 2008/02/11 23:34:15 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -129,7 +129,7 @@
 			slheap = sh;
 #else
 			ldap_pvt_thread_pool_setkey(ctx, (void *)slap_sl_mem_init,
-				(void *)sh, slap_sl_mem_destroy);
+				(void *)sh, slap_sl_mem_destroy, NULL, NULL);
 #endif
 		} else if ( size > (char *)sh->sh_end - (char *)sh->sh_base ) {
 			void	*newptr;
@@ -162,7 +162,7 @@
 			slheap = sh;
 #else
 			ldap_pvt_thread_pool_setkey(ctx, (void *)slap_sl_mem_init,
-				(void *)sh, slap_sl_mem_destroy);
+				(void *)sh, slap_sl_mem_destroy, NULL, NULL);
 #endif
 		} else {
 			for (i = 0; i <= sh->sh_maxorder - order_start; i++) {
@@ -246,7 +246,8 @@
 	slheap = NULL;
 #else
 	/* separate from context */
-	ldap_pvt_thread_pool_setkey( ctx, (void *)slap_sl_mem_init, NULL, NULL );
+	ldap_pvt_thread_pool_setkey( ctx, (void *)slap_sl_mem_init,
+		NULL, 0, NULL, NULL );
 #endif
 }
 
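Review bot: The detach call passes `0` in the argument slot where the two other updated call sites in this file pass `slap_sl_mem_destroy`, so it stands in for a callback pointer. Writing it as `NULL` matches the neighbouring arguments and makes it obvious that no free routine is registered: `NULL, NULL, NULL, NULL );`. The enclosing function starts outside the hunk.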

Modified: openldap/trunk/servers/slapd/slap.h
===================================================================
--- openldap/trunk/servers/slapd/slap.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slap.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* slap.h - stand alone ldap server include file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.19 2007/11/27 20:19:14 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.26 2008/04/24 08:13:39 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1006,11 +1006,11 @@
 };
 
 struct MatchingRuleAssertion {
+	AttributeDescription	*ma_desc;	/* optional */
+	struct berval		ma_value;	/* required */
 	MatchingRule		*ma_rule;	/* optional */
 	struct berval		ma_rule_text;	/* optional */
-	AttributeDescription	*ma_desc;	/* optional */
 	int			ma_dnattrs;	/* boolean */
-	struct berval		ma_value;	/* required */
 #ifdef LDAP_COMP_MATCH
 	ComponentFilter		*ma_cf;	/* component filter */
 #endif
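Review bot: Moving `ma_desc` and `ma_value` to the top of `struct MatchingRuleAssertion` changes every field offset, and nothing in the hunk records why the order now matters. If the intent is a common leading layout with another assertion struct (an inference, since only this struct is visible), that should be stated next to the fields, e.g. `/* ma_desc and ma_value must stay first: <reason> */`, so a later tidy-up does not undo it silently. Any module or overlay compiled against the previous slap.h will read the wrong members and has to be rebuilt with this revision. The struct's closing brace is outside the hunk.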
@@ -1707,6 +1707,7 @@
 
 struct BackendDB {
 	BackendInfo	*bd_info;	/* pointer to shared backend info */
+	BackendDB	*bd_self;	/* pointer to this struct */
 
 	/* fields in this structure (and routines acting on this structure)
 	   should be renamed from be_ to bd_ */
@@ -1903,8 +1904,8 @@
 	const char *fname, int lineno,
 	int argc, char **argv));
 
-struct config_reply_s ; /* config.h */
-typedef int (BI_db_func) LDAP_P((Backend *bd, struct config_reply_s *c));
+typedef struct config_reply_s ConfigReply; /* config.h */
+typedef int (BI_db_func) LDAP_P((Backend *bd, ConfigReply *cr));
 typedef BI_db_func BI_db_init;
 typedef BI_db_func BI_db_open;
 typedef BI_db_func BI_db_close;
@@ -2446,7 +2447,7 @@
 
 	slap_counters_t	*oh_counters;
 
-	char		oh_log_prefix[ /* sizeof("conn=18446744073709551615 op=18446744073709551615") */ SLAP_TEXT_BUFLEN ];
+	char		oh_log_prefix[ /* sizeof("conn= op=") + 2*LDAP_PVT_INTTYPE_CHARS(unsigned long) */ SLAP_TEXT_BUFLEN ];
 
 #ifdef LDAP_SLAPI
 	void	*oh_extensions;		/* NS-SLAPI plugin */
@@ -2466,6 +2467,20 @@
 	req_pwdexop_s oq_pwdexop;
 } OpRequest;
 
+/* This is only a header. Actual users should define their own
+ * structs with the oe_next / oe_key fields at the top and
+ * whatever else they need following.
+ */
+typedef struct OpExtra {
+	LDAP_SLIST_ENTRY(OpExtra) oe_next;
+	void *oe_key;
+} OpExtra;
+
+typedef struct OpExtraDB {
+	OpExtra oe;
+	BackendDB *oe_db;
+} OpExtraDB;
+
 struct Operation {
 	Opheader *o_hdr;
 
@@ -2657,7 +2672,9 @@
 	LDAPControl	**o_ctrls;	 /* controls */
 	struct berval o_csn;
 
+	/* DEPRECATE o_private - use o_extra instead */
 	void	*o_private;	/* anything the backend needs */
+	LDAP_SLIST_HEAD(o_e, OpExtra) o_extra;	/* anything the backend needs */
 
 	LDAP_STAILQ_ENTRY(Operation)	o_next;	/* next operation in list */
 };
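Review bot: The new `o_extra` list head reuses the comment of the field it deprecates, `/* anything the backend needs */`, and the hunk does not show where the head is initialised. A head that is neither set up with `LDAP_SLIST_INIT` nor zeroed with the rest of the Operation leaves `LDAP_SLIST_INSERT_HEAD` chaining onto an indeterminate pointer, so every place that allocates or recycles an Operation needs checking; that code is outside this hunk. I would also reword the comment to describe the new contract, e.g. `/* per-operation extras, looked up by oe_key; entries belong to whoever inserted them */`, assuming that matches the intended ownership.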

Modified: openldap/trunk/servers/slapd/slapacl.c
===================================================================
--- openldap/trunk/servers/slapd/slapacl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapacl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapadd.c
===================================================================
--- openldap/trunk/servers/slapd/slapadd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapadd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapadd.c,v 1.36.2.4 2007/11/15 00:27:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapadd.c,v 1.36.2.7 2008/04/14 21:15:47 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -203,6 +203,7 @@
 					if( continuemode ) continue;
 					break;
 				}
+				textbuf[ 0 ] = '\0';
 			}
 		}
 
@@ -255,33 +256,33 @@
 				attr_merge( e, slap_schema.si_ad_creatorsName, vals, nvals );
 			}
 
-			if( attr_find( e->e_attrs, slap_schema.si_ad_modifiersName )
+			if( attr_find( e->e_attrs, slap_schema.si_ad_createTimestamp )
 				== NULL )
 			{
-				vals[0] = name;
-				nvals[0] = nname;
-				attr_merge( e, slap_schema.si_ad_modifiersName, vals, nvals );
+				vals[0] = timestamp;
+				attr_merge( e, slap_schema.si_ad_createTimestamp, vals, NULL );
 			}
 
-			if( attr_find( e->e_attrs, slap_schema.si_ad_createTimestamp )
+			if( attr_find( e->e_attrs, slap_schema.si_ad_entryCSN )
 				== NULL )
 			{
-				vals[0] = timestamp;
-				attr_merge( e, slap_schema.si_ad_createTimestamp, vals, NULL );
+				vals[0] = csn;
+				attr_merge( e, slap_schema.si_ad_entryCSN, vals, NULL );
 			}
 
-			if( attr_find( e->e_attrs, slap_schema.si_ad_modifyTimestamp )
+			if( attr_find( e->e_attrs, slap_schema.si_ad_modifiersName )
 				== NULL )
 			{
-				vals[0] = timestamp;
-				attr_merge( e, slap_schema.si_ad_modifyTimestamp, vals, NULL );
+				vals[0] = name;
+				nvals[0] = nname;
+				attr_merge( e, slap_schema.si_ad_modifiersName, vals, nvals );
 			}
 
-			if( attr_find( e->e_attrs, slap_schema.si_ad_entryCSN )
+			if( attr_find( e->e_attrs, slap_schema.si_ad_modifyTimestamp )
 				== NULL )
 			{
-				vals[0] = csn;
-				attr_merge( e, slap_schema.si_ad_entryCSN, vals, NULL );
+				vals[0] = timestamp;
+				attr_merge( e, slap_schema.si_ad_modifyTimestamp, vals, NULL );
 			}
 
 			if ( update_ctxcsn ) {

Modified: openldap/trunk/servers/slapd/slapauth.c
===================================================================
--- openldap/trunk/servers/slapd/slapauth.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapauth.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapcat.c
===================================================================
--- openldap/trunk/servers/slapd/slapcat.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapcat.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapcat.c,v 1.7.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapcat.c,v 1.7.2.6 2008/04/14 18:45:07 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -32,7 +32,7 @@
 #include "slapcommon.h"
 #include "ldif.h"
 
-static int gotsig;
+static volatile sig_atomic_t gotsig;
 
 static RETSIGTYPE
 slapcat_sig( int sig )
@@ -123,8 +123,13 @@
 			break;
 		}
 
-		fputs( data, ldiffp->fp );
-		fputs( "\n", ldiffp->fp );
+		if ( fputs( data, ldiffp->fp ) == EOF ||
+			fputs( "\n", ldiffp->fp ) == EOF ) {
+			fprintf(stderr, "%s: error writing output.\n",
+				progname);
+			rc = EXIT_FAILURE;
+			break;
+		}
 	}
 
 	be->be_entry_close( be );
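Review bot: The added check catches a failing `fputs()`, but with buffered stdio a write error such as a full disk often surfaces only when the buffer is flushed, so the last entries can be lost while `rc` still reports success. The stream should be flushed and tested after the loop as well, e.g. `if ( fflush( ldiffp->fp ) == EOF ) rc = EXIT_FAILURE;`, unless the close path outside this hunk already checks its result. Adding `strerror( errno )` to the message would tell an operator why an export came out truncated. The loop and the rest of the function begin and end outside the hunk.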

Modified: openldap/trunk/servers/slapd/slapcommon.c
===================================================================
--- openldap/trunk/servers/slapd/slapcommon.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapcommon.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* slapcommon.c - common routine for the slap tools */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.c,v 1.73.2.6 2007/11/27 19:27:10 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.c,v 1.73.2.7 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.

Modified: openldap/trunk/servers/slapd/slapcommon.h
===================================================================
--- openldap/trunk/servers/slapd/slapcommon.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapcommon.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* slapcommon.h - common definitions for the slap tools */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.h,v 1.14.2.3 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.h,v 1.14.2.4 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/slapdn.c
===================================================================
--- openldap/trunk/servers/slapd/slapdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/Makefile.in
===================================================================
--- openldap/trunk/servers/slapd/slapi/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for SLAPI
-# $OpenLDAP: pkg/ldap/servers/slapd/slapi/Makefile.in,v 1.18.2.2 2007/08/31 23:14:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/servers/slapd/slapi/Makefile.in,v 1.18.2.3 2008/02/11 23:26:49 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## Portions Copyright IBM Corp. 1997,2002,2003
 ## All rights reserved.
 ##

Modified: openldap/trunk/servers/slapd/slapi/plugin.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/plugin.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/plugin.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/plugin.c,v 1.43.2.4 2007/11/27 18:11:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/plugin.c,v 1.43.2.5 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/printmsg.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/printmsg.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/printmsg.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/printmsg.c,v 1.15.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/printmsg.c,v 1.15.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/proto-slapi.h
===================================================================
--- openldap/trunk/servers/slapd/slapi/proto-slapi.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/proto-slapi.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/proto-slapi.h,v 1.47.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/proto-slapi.h,v 1.47.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/slapi.h
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi.h,v 1.56.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi.h,v 1.56.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/slapi_dn.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_dn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_dn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_dn.c,v 1.5.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_dn.c,v 1.5.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2007 The OpenLDAP Foundation.
+ * Copyright 2005-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/slapi/slapi_ext.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_ext.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_ext.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_ext.c,v 1.16.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_ext.c,v 1.16.2.3 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/slapi/slapi_ops.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_ops.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_ops.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_ops.c,v 1.111.2.2 2007/08/31 23:14:06 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_ops.c,v 1.111.2.4 2008/03/21 01:01:07 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *
@@ -419,6 +419,8 @@
 {
 	SlapReply		*rs;
 	Slapi_Entry		*entry_orig = NULL;
+	OpExtraDB oex;
+	int rc;
 
 	if ( pb == NULL ) {
 		return -1;
@@ -478,16 +480,20 @@
 		goto cleanup;
 	}
 
-	if ( slapi_int_func_internal_pb( pb, op_add ) == 0 ) {
-		if ( pb->pb_op->ora_e != NULL && pb->pb_op->o_private != NULL ) {
+	oex.oe.oe_key = (void *)do_add;
+	oex.oe_db = NULL;
+	LDAP_SLIST_INSERT_HEAD(&pb->pb_op->o_extra, &oex.oe, oe_next);
+	rc = slapi_int_func_internal_pb( pb, op_add );
+	LDAP_SLIST_REMOVE(&pb->pb_op->o_extra, &oex.oe, OpExtra, oe_next);
+
+	if ( !rc ) {
+		if ( pb->pb_op->ora_e != NULL && oex.oe_db != NULL ) {
 			BackendDB	*bd = pb->pb_op->o_bd;
 
-			pb->pb_op->o_bd = (BackendDB *)pb->pb_op->o_private;
-			pb->pb_op->o_private = NULL;
+			pb->pb_op->o_bd = oex.oe_db;
 			be_entry_release_w( pb->pb_op, pb->pb_op->ora_e );
 			pb->pb_op->ora_e = NULL;
 			pb->pb_op->o_bd = bd;
-			pb->pb_op->o_private = NULL;
 		}
 	}
 
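Review bot: `oex` is a stack object that stays linked into `pb->pb_op->o_extra` for the duration of `slapi_int_func_internal_pb()`, and nothing at the insert says so. If a later edit adds an exit path between `LDAP_SLIST_INSERT_HEAD` and `LDAP_SLIST_REMOVE`, the operation keeps a pointer into a dead stack frame. A comment above the insert would pin that down, e.g. `/* oex lives on this stack frame: unlink it from o_extra before any return */`. It would also help to state which code is expected to fill `oex.oe_db`, since the hunk only shows it being cleared before the call and read back afterwards. The enclosing function starts and ends outside the hunk.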

Modified: openldap/trunk/servers/slapd/slapi/slapi_overlay.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_overlay.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_overlay.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* slapi_overlay.c - SLAPI overlay */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_overlay.c,v 1.40.2.5 2007/08/31 23:14:07 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_overlay.c,v 1.40.2.6 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2001-2007 The OpenLDAP Foundation.
+ * Copyright 2001-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/slapi/slapi_pblock.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_pblock.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_pblock.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_pblock.c,v 1.63.2.6 2007/10/08 10:18:11 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_pblock.c,v 1.63.2.7 2008/02/11 23:26:49 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapi/slapi_utils.c
===================================================================
--- openldap/trunk/servers/slapd/slapi/slapi_utils.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapi/slapi_utils.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_utils.c,v 1.189.2.8 2007/11/27 20:00:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapi/slapi_utils.c,v 1.189.2.9 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2002-2007 The OpenLDAP Foundation.
+ * Copyright 2002-2008 The OpenLDAP Foundation.
  * Portions Copyright 1997,2002-2003 IBM Corporation.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slapindex.c
===================================================================
--- openldap/trunk/servers/slapd/slapindex.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slapindex.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapindex.c,v 1.3.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapindex.c,v 1.3.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slappasswd.c
===================================================================
--- openldap/trunk/servers/slapd/slappasswd.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slappasswd.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slappasswd.c,v 1.5.2.4 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slappasswd.c,v 1.5.2.5 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/slaptest.c
===================================================================
--- openldap/trunk/servers/slapd/slaptest.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/slaptest.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2007 The OpenLDAP Foundation.
+ * Copyright 2004-2008 The OpenLDAP Foundation.
  * Portions Copyright 2004 Pierangelo Masarati.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/starttls.c
===================================================================
--- openldap/trunk/servers/slapd/starttls.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/starttls.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/starttls.c,v 1.41.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/starttls.c,v 1.41.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/str2filter.c
===================================================================
--- openldap/trunk/servers/slapd/str2filter.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/str2filter.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* str2filter.c - parse an RFC 4515 string filter */
-/* $OpenLDAP: pkg/ldap/servers/slapd/str2filter.c,v 1.43.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/str2filter.c,v 1.43.2.3 2008/02/11 23:26:44 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/syncrepl.c
===================================================================
--- openldap/trunk/servers/slapd/syncrepl.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/syncrepl.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* syncrepl.c -- Replication Engine which uses the LDAP Sync protocol */
-/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.21 2007/11/27 20:11:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.32 2008/05/01 22:01:03 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * Portions Copyright 2003 by IBM Corporation.
  * Portions Copyright 2003 by Howard Chu, Symas Corporation.
  * All rights reserved.
@@ -96,6 +96,7 @@
 	int			si_refreshDone;
 	int			si_syncdata;
 	int			si_logstate;
+	ber_int_t	si_msgid;
 	Avlnode			*si_presentlist;
 	LDAP			*si_ld;
 	Connection		*si_conn;
@@ -105,7 +106,7 @@
 
 static int syncuuid_cmp( const void *, const void * );
 static int avl_presentlist_insert( syncinfo_t* si, struct berval *syncUUID );
-static void syncrepl_del_nonpresent( Operation *, syncinfo_t *, BerVarray, struct berval * );
+static void syncrepl_del_nonpresent( Operation *, syncinfo_t *, BerVarray, struct sync_cookie *, int );
 static int syncrepl_message_to_op(
 					syncinfo_t *, Operation *, LDAPMessage * );
 static int syncrepl_message_to_entry(
@@ -342,7 +343,6 @@
 	BerElementBuffer berbuf;
 	BerElement *ber = (BerElement *)&berbuf;
 	LDAPControl c[2], *ctrls[3];
-	ber_int_t	msgid;
 	int rc;
 	int rhint;
 	char *base;
@@ -427,12 +427,118 @@
 	}
 
 	rc = ldap_search_ext( si->si_ld, base, scope, filter, attrs, attrsonly,
-		ctrls, NULL, NULL, si->si_slimit, &msgid );
+		ctrls, NULL, NULL, si->si_slimit, &si->si_msgid );
 	ber_free_buf( ber );
 	return rc;
 }
 
 static int
+check_syncprov(
+	Operation *op,
+	syncinfo_t *si )
+{
+	AttributeName at[2];
+	Attribute a = {0};
+	Entry e = {0};
+	SlapReply rs = {0};
+	int i, j, changed = 0;
+
+	/* Look for contextCSN from syncprov overlay. If
+	 * there's no overlay, this will be a no-op. That means
+	 * this is a pure consumer, so local changes will not be
+	 * allowed, and all changes will already be reflected in
+	 * the cookieState.
+	 */
+	a.a_desc = slap_schema.si_ad_contextCSN;
+	e.e_attrs = &a;
+	e.e_name = op->o_bd->be_suffix[0];
+	e.e_nname = op->o_bd->be_nsuffix[0];
+	at[0].an_name = a.a_desc->ad_cname;
+	at[0].an_desc = a.a_desc;
+	BER_BVZERO( &at[1].an_name );
+	rs.sr_entry = &e;
+	rs.sr_flags = REP_ENTRY_MODIFIABLE;
+	rs.sr_attrs = at;
+	op->o_req_dn = e.e_name;
+	op->o_req_ndn = e.e_nname;
+
+	ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_mutex );
+	i = backend_operational( op, &rs );
+	if ( i == LDAP_SUCCESS && a.a_nvals ) {
+		int num = a.a_numvals;
+		/* check for differences */
+		if ( num != si->si_cookieState->cs_num ) {
+			changed = 1;
+		} else {
+			for ( i=0; i<num; i++ ) {
+				if ( ber_bvcmp( &a.a_nvals[i],
+					&si->si_cookieState->cs_vals[i] )) {
+					changed =1;
+					break;
+				}
+			}
+		}
+		if ( changed ) {
+			ber_bvarray_free( si->si_cookieState->cs_vals );
+			ch_free( si->si_cookieState->cs_sids );
+			si->si_cookieState->cs_num = num;
+			si->si_cookieState->cs_vals = a.a_nvals;
+			si->si_cookieState->cs_sids = slap_parse_csn_sids( a.a_nvals,
+				num, NULL );
+			si->si_cookieState->cs_age++;
+		} else {
+			ber_bvarray_free( a.a_nvals );
+		}
+		ber_bvarray_free( a.a_vals );
+	}
+	/* See if the cookieState has changed due to anything outside
+	 * this particular consumer. That includes other consumers in
+	 * the same context, or local changes detected above.
+	 */
+	if ( si->si_cookieState->cs_num > 0 && si->si_cookieAge !=
+		si->si_cookieState->cs_age ) {
+		if ( !si->si_syncCookie.numcsns ) {
+			ber_bvarray_free( si->si_syncCookie.ctxcsn );
+			ber_bvarray_dup_x( &si->si_syncCookie.ctxcsn,
+				si->si_cookieState->cs_vals, NULL );
+			changed = 1;
+		} else {
+			for (i=0; !BER_BVISNULL( &si->si_syncCookie.ctxcsn[i] ); i++) {
+				/* bogus, just dup everything */
+				if ( si->si_syncCookie.sids[i] == -1 ) {
+					ber_bvarray_free( si->si_syncCookie.ctxcsn );
+					ber_bvarray_dup_x( &si->si_syncCookie.ctxcsn,
+						si->si_cookieState->cs_vals, NULL );
+					changed = 1;
+					break;
+				}
+				for (j=0; j<si->si_cookieState->cs_num; j++) {
+					if ( si->si_syncCookie.sids[i] !=
+						si->si_cookieState->cs_sids[j] )
+						continue;
+					if ( bvmatch( &si->si_syncCookie.ctxcsn[i],
+						&si->si_cookieState->cs_vals[j] ))
+						break;
+					ber_bvreplace( &si->si_syncCookie.ctxcsn[i],
+						&si->si_cookieState->cs_vals[j] );
+					changed = 1;
+					break;
+				}
+			}
+		}
+	}
+	if ( changed ) {
+		si->si_cookieAge = si->si_cookieState->cs_age;
+		ch_free( si->si_syncCookie.octet_str.bv_val );
+		slap_compose_sync_cookie( NULL, &si->si_syncCookie.octet_str,
+			si->si_syncCookie.ctxcsn, si->si_syncCookie.rid,
+			si->si_syncCookie.sid );
+	}
+	ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
+	return changed;
+}
+
+static int
 do_syncrep1(
 	Operation *op,
 	syncinfo_t *si )
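Review bot: In `check_syncprov`, `a.a_vals` is freed unconditionally after `a.a_nvals` has either been handed to `si->si_cookieState->cs_vals` or freed, which is safe only if the two arrays are always distinct. slapd lets an attribute's `a_nvals` alias `a_vals` when there is no separate normalized form. If `backend_operational()` ever returns contextCSN that way, the changed branch leaves `cs_vals` pointing at freed memory and the other branch frees the array twice. Guarding the last free makes the ownership explicit: `if ( a.a_vals != a.a_nvals ) ber_bvarray_free( a.a_vals );`. A header comment saying that the function takes `cs_mutex` and returns nonzero when the cookie was recomposed would also help; `do_syncrep1`, whose signature closes the hunk, continues outside it.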
@@ -468,16 +574,16 @@
 
 	ldap_set_option( si->si_ld, LDAP_OPT_TIMELIMIT, &si->si_tlimit );
 
+	si->si_syncCookie.rid = si->si_rid;
+	si->si_syncCookie.sid = SLAP_SINGLE_SHADOW( si->si_be ) ? -1 :
+		slap_serverID;
+
 	/* We've just started up, or the remote server hasn't sent us
 	 * any meaningful state.
 	 */
 	if ( BER_BVISNULL( &si->si_syncCookie.octet_str ) ) {
 		int i;
 
-		si->si_syncCookie.rid = si->si_rid;
-		si->si_syncCookie.sid = SLAP_SINGLE_SHADOW( si->si_be ) ? -1 :
-			slap_serverID;
-
 		LDAP_STAILQ_FOREACH( sc, &slap_sync_cookie, sc_next ) {
 			if ( si->si_rid == sc->rid ) {
 				cmdline_cookie_found = 1;
@@ -538,96 +644,8 @@
 			si->si_syncCookie.ctxcsn, si->si_syncCookie.rid,
 			si->si_syncCookie.sid );
 	} else {
-		AttributeName at[2];
-		Attribute a = {0};
-		Entry e = {0};
-		SlapReply rs = {0};
-		int i, j, changed = 0;
-
-		/* Look for contextCSN from syncprov overlay. If
-		 * there's no overlay, this will be a no-op. That means
-		 * this is a pure consumer, so local changes will not be
-		 * allowed, and all changes will already be reflected in
-		 * the cookieState.
-		 */
-		a.a_desc = slap_schema.si_ad_contextCSN;
-		e.e_attrs = &a;
-		e.e_name = si->si_wbe->be_suffix[0];
-		e.e_nname = si->si_wbe->be_nsuffix[0];
-		rs.sr_entry = &e;
-		rs.sr_flags = REP_ENTRY_MODIFIABLE;
-		at[0].an_name = a.a_desc->ad_cname;
-		at[0].an_desc = a.a_desc;
-		BER_BVZERO( &at[1].an_name );
-		op->o_req_dn = e.e_name;
-		op->o_req_ndn = e.e_nname;
-
-		ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_mutex );
-		rc = backend_operational( op, &rs );
-		if ( rc == LDAP_SUCCESS && a.a_vals ) {
-			int num = a.a_numvals;
-			/* check for differences */
-			if ( num != si->si_cookieState->cs_num ) {
-				changed = 1;
-			} else {
-				for ( i=0; i<num; i++ ) {
-					if ( ber_bvcmp( &a.a_vals[i],
-						&si->si_cookieState->cs_vals[i] )) {
-						changed =1;
-						break;
-					}
-				}
-			}
-			if ( changed ) {
-				ber_bvarray_free( si->si_cookieState->cs_vals );
-				ch_free( si->si_cookieState->cs_sids );
-				si->si_cookieState->cs_num = num;
-				si->si_cookieState->cs_vals = a.a_vals;
-				si->si_cookieState->cs_sids = slap_parse_csn_sids( a.a_vals,
-					num, NULL );
-				si->si_cookieState->cs_age++;
-			} else {
-				ber_bvarray_free( a.a_vals );
-			}
-			changed = 0;
-		}
-		/* See if the cookieState has changed due to anything outside
-		 * this particular consumer. That includes other consumers in
-		 * the same context, or local changes detected above.
-		 */
-		if ( si->si_cookieState->cs_num > 1 && si->si_cookieAge !=
-			si->si_cookieState->cs_age ) {
-
-			for (i=0; !BER_BVISNULL( &si->si_syncCookie.ctxcsn[i] ); i++) {
-				/* bogus, just dup everything */
-				if ( si->si_syncCookie.sids[i] == -1 ) {
-					ber_bvarray_free( si->si_syncCookie.ctxcsn );
-					ber_bvarray_dup_x( &si->si_syncCookie.ctxcsn,
-						si->si_cookieState->cs_vals, NULL );
-					changed = 1;
-					break;
-				}
-				for (j=0; j<si->si_cookieState->cs_num; j++) {
-					if ( si->si_syncCookie.sids[i] !=
-						si->si_cookieState->cs_sids[j] )
-						continue;
-					if ( bvmatch( &si->si_syncCookie.ctxcsn[i],
-						&si->si_cookieState->cs_vals[j] ))
-						break;
-					ber_bvreplace( &si->si_syncCookie.ctxcsn[i],
-						&si->si_cookieState->cs_vals[j] );
-					changed = 1;
-					break;
-				}
-			}
-			if ( changed ) {
-				ch_free( si->si_syncCookie.octet_str.bv_val );
-				slap_compose_sync_cookie( NULL, &si->si_syncCookie.octet_str,
-					si->si_syncCookie.ctxcsn, si->si_syncCookie.rid,
-					SLAP_SINGLE_SHADOW( si->si_be ) ? -1 : slap_serverID );
-			}
-		}
-		ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
+		/* Look for contextCSN from syncprov overlay. */
+		check_syncprov( op, si );
 	}
 
 	si->si_refreshDone = 0;
@@ -664,14 +682,14 @@
 		return -1;
 	}
 
-	for (i=0; !BER_BVISNULL( &sc1->ctxcsn[i] ); i++) {
-		for (j=0; !BER_BVISNULL( &sc2->ctxcsn[j] ); j++) {
+	for (i=0; i<sc1->numcsns; i++) {
+		for (j=0; j<sc2->numcsns; j++) {
 			if ( sc1->sids[i] != sc2->sids[j] )
 				continue;
 			value_match( &match, slap_schema.si_ad_entryCSN,
 				slap_schema.si_ad_entryCSN->ad_type->sat_ordering,
 				SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
-				&sc1->ctxcsn[i], &sc2->ctxcsn[i], &text );
+				&sc1->ctxcsn[i], &sc2->ctxcsn[j], &text );
 			if ( match < 0 ) {
 				*which = j;
 				return match;
@@ -682,6 +700,8 @@
 	return match;
 }
 
+#define	SYNC_PAUSED	-3
+
 static int
 do_syncrep2(
 	Operation *op,
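Review bot: `SYNC_PAUSED` is defined as a bare `-3`; a negative macro value is safer parenthesised, `#define SYNC_PAUSED (-3)`, so it cannot bind to a neighbouring operator when it is used inside an expression. It also joins the `-1` and `-2` that do_syncrep2 already returns alongside LDAP result codes, so a one-line comment such as `/* private do_syncrep2 rc: thread pool is pausing, reschedule at once; must not collide with -1, -2 or an LDAP result code */` would record that constraint. do_syncrep2's body continues outside this hunk.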
@@ -693,7 +713,6 @@
 	BerElementBuffer berbuf;
 	BerElement	*ber = (BerElement *)&berbuf;
 
-	LDAPMessage	*res = NULL;
 	LDAPMessage	*msg = NULL;
 
 	char		*retoid = NULL;
@@ -743,133 +762,281 @@
 		tout_p = NULL;
 	}
 
-	while ( ( rc = ldap_result( si->si_ld, LDAP_RES_ANY, LDAP_MSG_ONE,
-		tout_p, &res ) ) > 0 )
+	while ( ( rc = ldap_result( si->si_ld, si->si_msgid, LDAP_MSG_ONE,
+		tout_p, &msg ) ) > 0 )
 	{
 		if ( slapd_shutdown ) {
 			rc = -2;
 			goto done;
 		}
-		for( msg = ldap_first_message( si->si_ld, res );
-			msg != NULL;
-			msg = ldap_next_message( si->si_ld, msg ) )
-		{
-			if ( slapd_shutdown ) {
-				rc = -2;
-				goto done;
-			}
-			switch( ldap_msgtype( msg ) ) {
-			case LDAP_RES_SEARCH_ENTRY:
-				ldap_get_entry_controls( si->si_ld, msg, &rctrls );
-				/* we can't work without the control */
-				rctrlp = NULL;
-				if ( rctrls ) {
-					LDAPControl **next;
-					/* NOTE: make sure we use the right one;
-					 * a better approach would be to run thru
-					 * the whole list and take care of all */
-					rctrlp = ldap_control_find( LDAP_CONTROL_SYNC_STATE, rctrls, &next );
-					if ( next && ldap_control_find( LDAP_CONTROL_SYNC_STATE, next, NULL ) )
-					{
-						Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
-							"got search entry with multiple "
-							"Sync State control\n", si->si_ridtxt, 0, 0 );
-						rc = -1;
-						goto done;
-					}
-				}
-				if ( rctrlp == NULL ) {
+		switch( ldap_msgtype( msg ) ) {
+		case LDAP_RES_SEARCH_ENTRY:
+			ldap_get_entry_controls( si->si_ld, msg, &rctrls );
+			/* we can't work without the control */
+			rctrlp = NULL;
+			if ( rctrls ) {
+				LDAPControl **next;
+				/* NOTE: make sure we use the right one;
+				 * a better approach would be to run thru
+				 * the whole list and take care of all */
+				rctrlp = ldap_control_find( LDAP_CONTROL_SYNC_STATE, rctrls, &next );
+				if ( next && ldap_control_find( LDAP_CONTROL_SYNC_STATE, next, NULL ) )
+				{
 					Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
-						"got search entry without "
+						"got search entry with multiple "
 						"Sync State control\n", si->si_ridtxt, 0, 0 );
 					rc = -1;
 					goto done;
 				}
+			}
+			if ( rctrlp == NULL ) {
+				Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
+					"got search entry without "
+					"Sync State control\n", si->si_ridtxt, 0, 0 );
+				rc = -1;
+				goto done;
+			}
+			ber_init2( ber, &rctrlp->ldctl_value, LBER_USE_DER );
+			ber_scanf( ber, "{em" /*"}"*/, &syncstate, &syncUUID );
+			/* FIXME: what if syncUUID is NULL or empty?
+			 * (happens with back-sql...) */
+			if ( BER_BVISEMPTY( &syncUUID ) ) {
+				Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
+					"got empty syncUUID with LDAP_SYNC_%s\n",
+					si->si_ridtxt,
+					syncrepl_state2str( syncstate ), 0 );
+				ldap_controls_free( rctrls );
+				rc = -1;
+				goto done;
+			}
+			if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
+				ber_scanf( ber, /*"{"*/ "m}", &cookie );
+
+				Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
+					BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+
+				if ( !BER_BVISNULL( &cookie ) ) {
+					ch_free( syncCookie.octet_str.bv_val );
+					ber_dupbv( &syncCookie.octet_str, &cookie );
+				}
+				if ( !BER_BVISNULL( &syncCookie.octet_str ) )
+				{
+					slap_parse_sync_cookie( &syncCookie, NULL );
+					if ( syncCookie.ctxcsn ) {
+						int i, sid = slap_parse_csn_sid( syncCookie.ctxcsn );
+						for ( i =0; i<si->si_cookieState->cs_num; i++ ) {
+							if ( si->si_cookieState->cs_sids[i] == sid && 
+								ber_bvcmp( syncCookie.ctxcsn, &si->si_cookieState->cs_vals[i] ) <= 0 ) {
+								Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s CSN too old, ignoring %s\n",
+									si->si_ridtxt, syncCookie.ctxcsn->bv_val, 0 );
+								ldap_controls_free( rctrls );
+								rc = 0;
+								goto done;
+							}
+						}
+					}
+				}
+			}
+			rc = 0;
+			if ( si->si_syncdata && si->si_logstate == SYNCLOG_LOGGING ) {
+				modlist = NULL;
+				if ( ( rc = syncrepl_message_to_op( si, op, msg ) ) == LDAP_SUCCESS &&
+					syncCookie.ctxcsn )
+				{
+					rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+				} else switch ( rc ) {
+					case LDAP_ALREADY_EXISTS:
+					case LDAP_NO_SUCH_OBJECT:
+					case LDAP_NO_SUCH_ATTRIBUTE:
+					case LDAP_TYPE_OR_VALUE_EXISTS:
+						rc = LDAP_SYNC_REFRESH_REQUIRED;
+						si->si_logstate = SYNCLOG_FALLBACK;
+						ldap_abandon_ext( si->si_ld, si->si_msgid, NULL, NULL );
+						break;
+					default:
+						break;
+				}
+			} else if ( ( rc = syncrepl_message_to_entry( si, op, msg,
+				&modlist, &entry, syncstate ) ) == LDAP_SUCCESS )
+			{
+				if ( ( rc = syncrepl_entry( si, op, entry, &modlist,
+					syncstate, &syncUUID, syncCookie.ctxcsn ) ) == LDAP_SUCCESS &&
+					syncCookie.ctxcsn )
+				{
+					rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+				}
+			}
+			ldap_controls_free( rctrls );
+			if ( modlist ) {
+				slap_mods_free( modlist, 1 );
+			}
+			if ( rc )
+				goto done;
+			break;
+
+		case LDAP_RES_SEARCH_REFERENCE:
+			Debug( LDAP_DEBUG_ANY,
+				"do_syncrep2: %s reference received error\n",
+				si->si_ridtxt, 0, 0 );
+			break;
+
+		case LDAP_RES_SEARCH_RESULT:
+			Debug( LDAP_DEBUG_SYNC,
+				"do_syncrep2: %s LDAP_RES_SEARCH_RESULT\n",
+				si->si_ridtxt, 0, 0 );
+			ldap_parse_result( si->si_ld, msg, &err, NULL, NULL, NULL,
+				&rctrls, 0 );
+#ifdef LDAP_X_SYNC_REFRESH_REQUIRED
+			if ( err == LDAP_X_SYNC_REFRESH_REQUIRED ) {
+				/* map old result code to registered code */
+				err = LDAP_SYNC_REFRESH_REQUIRED;
+			}
+#endif
+			if ( err == LDAP_SYNC_REFRESH_REQUIRED ) {
+				if ( si->si_logstate == SYNCLOG_LOGGING ) {
+					si->si_logstate = SYNCLOG_FALLBACK;
+				}
+				rc = err;
+				goto done;
+			}
+			if ( rctrls ) {
+				rctrlp = *rctrls;
 				ber_init2( ber, &rctrlp->ldctl_value, LBER_USE_DER );
-				ber_scanf( ber, "{em" /*"}"*/, &syncstate, &syncUUID );
-				/* FIXME: what if syncUUID is NULL or empty?
-				 * (happens with back-sql...) */
-				if ( BER_BVISEMPTY( &syncUUID ) ) {
-					Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
-						"got empty syncUUID with LDAP_SYNC_%s\n",
-						si->si_ridtxt,
-						syncrepl_state2str( syncstate ), 0 );
-					ldap_controls_free( rctrls );
-					rc = -1;
-					goto done;
-				}
+
+				ber_scanf( ber, "{" /*"}"*/);
 				if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
-					ber_scanf( ber, /*"{"*/ "m}", &cookie );
+					ber_scanf( ber, "m", &cookie );
 
 					Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
 						BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
 
 					if ( !BER_BVISNULL( &cookie ) ) {
 						ch_free( syncCookie.octet_str.bv_val );
-						ber_dupbv( &syncCookie.octet_str, &cookie );
+						ber_dupbv( &syncCookie.octet_str, &cookie);
 					}
 					if ( !BER_BVISNULL( &syncCookie.octet_str ) )
 					{
 						slap_parse_sync_cookie( &syncCookie, NULL );
 					}
 				}
-				rc = 0;
-				if ( si->si_syncdata && si->si_logstate == SYNCLOG_LOGGING ) {
-					modlist = NULL;
-					if ( ( rc = syncrepl_message_to_op( si, op, msg ) ) == LDAP_SUCCESS &&
-						syncCookie.ctxcsn )
-					{
-						rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
-					}
-				} else if ( ( rc = syncrepl_message_to_entry( si, op, msg,
-					&modlist, &entry, syncstate ) ) == LDAP_SUCCESS )
+				if ( ber_peek_tag( ber, &len ) == LDAP_TAG_REFRESHDELETES )
 				{
-					if ( ( rc = syncrepl_entry( si, op, entry, &modlist,
-						syncstate, &syncUUID, syncCookie.ctxcsn ) ) == LDAP_SUCCESS &&
-						syncCookie.ctxcsn )
-					{
-						rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
-					}
+					ber_scanf( ber, "b", &refreshDeletes );
 				}
+				ber_scanf( ber, /*"{"*/ "}" );
+			}
+			if ( SLAP_MULTIMASTER( op->o_bd ) && check_syncprov( op, si )) {
+				slap_sync_cookie_free( &syncCookie_req, 0 );
+				slap_dup_sync_cookie( &syncCookie_req, &si->si_syncCookie );
+			}
+			if ( !syncCookie.ctxcsn ) {
+				match = 1;
+			} else if ( !syncCookie_req.ctxcsn ) {
+				match = -1;
+				m = 0;
+			} else {
+				match = compare_csns( &syncCookie_req, &syncCookie, &m );
+			}
+			if ( rctrls ) {
 				ldap_controls_free( rctrls );
-				if ( modlist ) {
-					slap_mods_free( modlist, 1 );
+			}
+			if (si->si_type != LDAP_SYNC_REFRESH_AND_PERSIST) {
+				/* FIXME : different error behaviors according to
+				 *	1) err code : LDAP_BUSY ...
+				 *	2) on err policy : stop service, stop sync, retry
+				 */
+				if ( refreshDeletes == 0 && match < 0 &&
+					err == LDAP_SUCCESS &&
+					syncCookie_req.numcsns == syncCookie.numcsns )
+				{
+					syncrepl_del_nonpresent( op, si, NULL,
+						&syncCookie, m );
+				} else {
+					avl_free( si->si_presentlist, ch_free );
+					si->si_presentlist = NULL;
 				}
-				if ( rc )
-					goto done;
-				break;
+			}
+			if ( syncCookie.ctxcsn && match < 0 && err == LDAP_SUCCESS )
+			{
+				rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+			}
+			if ( err == LDAP_SUCCESS
+				&& si->si_logstate == SYNCLOG_FALLBACK ) {
+				si->si_logstate = SYNCLOG_LOGGING;
+				rc = LDAP_SYNC_REFRESH_REQUIRED;
+			} else {
+				rc = -2;
+			}
+			goto done;
+			break;
 
-			case LDAP_RES_SEARCH_REFERENCE:
-				Debug( LDAP_DEBUG_ANY,
-					"do_syncrep2: %s reference received error\n",
-					si->si_ridtxt, 0, 0 );
-				break;
+		case LDAP_RES_INTERMEDIATE:
+			rc = ldap_parse_intermediate( si->si_ld, msg,
+				&retoid, &retdata, NULL, 0 );
+			if ( !rc && !strcmp( retoid, LDAP_SYNC_INFO ) ) {
+				ber_init2( ber, retdata, LBER_USE_DER );
 
-			case LDAP_RES_SEARCH_RESULT:
-				Debug( LDAP_DEBUG_SYNC,
-					"do_syncrep2: %s LDAP_RES_SEARCH_RESULT\n",
-					si->si_ridtxt, 0, 0 );
-				ldap_parse_result( si->si_ld, msg, &err, NULL, NULL, NULL,
-					&rctrls, 0 );
-#ifdef LDAP_X_SYNC_REFRESH_REQUIRED
-				if ( err == LDAP_X_SYNC_REFRESH_REQUIRED ) {
-					/* map old result code to registered code */
-					err = LDAP_SYNC_REFRESH_REQUIRED;
-				}
-#endif
-				if ( err == LDAP_SYNC_REFRESH_REQUIRED ) {
-					if ( si->si_logstate == SYNCLOG_LOGGING ) {
-						si->si_logstate = SYNCLOG_FALLBACK;
+				switch ( si_tag = ber_peek_tag( ber, &len ) ) {
+				ber_tag_t tag;
+				case LDAP_TAG_SYNC_NEW_COOKIE:
+					Debug( LDAP_DEBUG_SYNC,
+						"do_syncrep2: %s %s - %s\n", 
+						si->si_ridtxt,
+						"LDAP_RES_INTERMEDIATE", 
+						"NEW_COOKIE" );
+					ber_scanf( ber, "tm", &tag, &cookie );
+					break;
+				case LDAP_TAG_SYNC_REFRESH_DELETE:
+				case LDAP_TAG_SYNC_REFRESH_PRESENT:
+					Debug( LDAP_DEBUG_SYNC,
+						"do_syncrep2: %s %s - %s\n", 
+						si->si_ridtxt,
+						"LDAP_RES_INTERMEDIATE", 
+						si_tag == LDAP_TAG_SYNC_REFRESH_PRESENT ?
+						"REFRESH_PRESENT" : "REFRESH_DELETE" );
+					if ( si_tag == LDAP_TAG_SYNC_REFRESH_DELETE ) {
+						si->si_refreshDelete = 1;
+					} else {
+						si->si_refreshPresent = 1;
 					}
-					rc = err;
-					goto done;
-				}
-				if ( rctrls ) {
-					rctrlp = *rctrls;
-					ber_init2( ber, &rctrlp->ldctl_value, LBER_USE_DER );
+					ber_scanf( ber, "t{" /*"}"*/, &tag );
+					if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE )
+					{
+						ber_scanf( ber, "m", &cookie );
 
-					ber_scanf( ber, "{" /*"}"*/);
-					if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
+						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
+							BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+
+						if ( !BER_BVISNULL( &cookie ) ) {
+							ch_free( syncCookie.octet_str.bv_val );
+							ber_dupbv( &syncCookie.octet_str, &cookie );
+						}
+						if ( !BER_BVISNULL( &syncCookie.octet_str ) )
+						{
+							slap_parse_sync_cookie( &syncCookie, NULL );
+						}
+					}
+					/* Defaults to TRUE */
+					if ( ber_peek_tag( ber, &len ) ==
+						LDAP_TAG_REFRESHDONE )
+					{
+						ber_scanf( ber, "b", &si->si_refreshDone );
+					} else
+					{
+						si->si_refreshDone = 1;
+					}
+					ber_scanf( ber, /*"{"*/ "}" );
+					break;
+				case LDAP_TAG_SYNC_ID_SET:
+					Debug( LDAP_DEBUG_SYNC,
+						"do_syncrep2: %s %s - %s\n", 
+						si->si_ridtxt,
+						"LDAP_RES_INTERMEDIATE", 
+						"SYNC_ID_SET" );
+					ber_scanf( ber, "t{" /*"}"*/, &tag );
+					if ( ber_peek_tag( ber, &len ) ==
+						LDAP_TAG_SYNC_COOKIE )
+					{
 						ber_scanf( ber, "m", &cookie );
 
 						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
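Review bot: The result of `ber_scanf( ber, "{em" /*"}"*/, &syncstate, &syncUUID )` in the LDAP_RES_SEARCH_ENTRY case is discarded, so a Sync State control value that fails to decode leaves `syncstate` and `syncUUID` holding whatever they held before, and only the empty-UUID test stands between provider-supplied bytes and `syncrepl_entry`. Folding the decode result into that test, `if ( ber_scanf( ber, "{em" /*"}"*/, &syncstate, &syncUUID ) == LBER_ERROR || BER_BVISEMPTY( &syncUUID ) ) {`, rejects such a message on the error path that already exists. The same case leaves through `goto done` on the multiple-control and missing-control branches without the `ldap_controls_free( rctrls )` that the empty-syncUUID branch performs; whether `done:` releases them is outside this hunk. In the LDAP_RES_INTERMEDIATE case, `strcmp( retoid, LDAP_SYNC_INFO )` assumes the response carried an OID, so a `retoid != NULL` test ahead of it is worth adding if ldap_parse_intermediate can succeed without one. do_syncrep2 begins before this hunk and continues after it.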
@@ -877,19 +1044,48 @@
 
 						if ( !BER_BVISNULL( &cookie ) ) {
 							ch_free( syncCookie.octet_str.bv_val );
-							ber_dupbv( &syncCookie.octet_str, &cookie);
+							ber_dupbv( &syncCookie.octet_str, &cookie );
 						}
 						if ( !BER_BVISNULL( &syncCookie.octet_str ) )
 						{
 							slap_parse_sync_cookie( &syncCookie, NULL );
+							compare_csns( &syncCookie_req, &syncCookie, &m );
 						}
 					}
-					if ( ber_peek_tag( ber, &len ) == LDAP_TAG_REFRESHDELETES )
+					if ( ber_peek_tag( ber, &len ) ==
+						LDAP_TAG_REFRESHDELETES )
 					{
 						ber_scanf( ber, "b", &refreshDeletes );
 					}
+					ber_scanf( ber, "[W]", &syncUUIDs );
 					ber_scanf( ber, /*"{"*/ "}" );
+					if ( refreshDeletes ) {
+						syncrepl_del_nonpresent( op, si, syncUUIDs,
+							&syncCookie, m );
+						ber_bvarray_free_x( syncUUIDs, op->o_tmpmemctx );
+					} else {
+						int i;
+						for ( i = 0; !BER_BVISNULL( &syncUUIDs[i] ); i++ ) {
+							(void)avl_presentlist_insert( si, &syncUUIDs[i] );
+							slap_sl_free( syncUUIDs[i].bv_val, op->o_tmpmemctx );
+						}
+						slap_sl_free( syncUUIDs, op->o_tmpmemctx );
+					}
+					slap_sync_cookie_free( &syncCookie, 0 );
+					break;
+				default:
+					Debug( LDAP_DEBUG_ANY,
+						"do_syncrep2: %s unknown syncinfo tag (%ld)\n",
+						si->si_ridtxt, (long) si_tag, 0 );
+					ldap_memfree( retoid );
+					ber_bvfree( retdata );
+					continue;
 				}
+
+				if ( SLAP_MULTIMASTER( op->o_bd ) && check_syncprov( op, si )) {
+					slap_sync_cookie_free( &syncCookie_req, 0 );
+					slap_dup_sync_cookie( &syncCookie_req, &si->si_syncCookie );
+				}
 				if ( !syncCookie.ctxcsn ) {
 					match = 1;
 				} else if ( !syncCookie_req.ctxcsn ) {
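Review bot: In the SYNC_ID_SET branch the result of `ber_scanf( ber, "[W]", &syncUUIDs )` is not checked, and the `else` arm then evaluates `syncUUIDs[i]` straight away, so a UUID set that fails to decode (or decodes to nothing, if that leaves the pointer NULL) is dereferenced unguarded. Keeping the return value and running the two arms only under something like `if ( syncUUIDs != NULL ) {` after a successful decode would close that while still reaching the `slap_sync_cookie_free` and `break` below. `m` is also handed to `syncrepl_del_nonpresent` here, yet `compare_csns` as shown earlier in this diff stores through `which` only when it finds an older CSN, so `m` may still carry a value from a previous message; its declaration and initial value are outside the hunk.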
@@ -898,201 +1094,54 @@
 				} else {
 					match = compare_csns( &syncCookie_req, &syncCookie, &m );
 				}
-				if ( rctrls ) {
-					ldap_controls_free( rctrls );
-				}
-				if (si->si_type != LDAP_SYNC_REFRESH_AND_PERSIST) {
-					/* FIXME : different error behaviors according to
-					 *	1) err code : LDAP_BUSY ...
-					 *	2) on err policy : stop service, stop sync, retry
-					 */
-					if ( refreshDeletes == 0 && match < 0 &&
-						err == LDAP_SUCCESS )
-					{
+
+				if ( match < 0 ) {
+					if ( si->si_refreshPresent == 1 &&
+						syncCookie_req.numcsns == syncCookie.numcsns ) {
 						syncrepl_del_nonpresent( op, si, NULL,
-							&syncCookie.ctxcsn[m] );
-					} else {
-						avl_free( si->si_presentlist, ch_free );
-						si->si_presentlist = NULL;
+							&syncCookie, m );
 					}
-				}
-				if ( syncCookie.ctxcsn && match < 0 && err == LDAP_SUCCESS )
-				{
-					rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
-				}
-				if ( err == LDAP_SUCCESS
-					&& si->si_logstate == SYNCLOG_FALLBACK ) {
-					si->si_logstate = SYNCLOG_LOGGING;
-					rc = LDAP_SYNC_REFRESH_REQUIRED;
-				} else {
-					rc = -2;
-				}
-				goto done;
-				break;
 
-			case LDAP_RES_INTERMEDIATE:
-				rc = ldap_parse_intermediate( si->si_ld, msg,
-					&retoid, &retdata, NULL, 0 );
-				if ( !rc && !strcmp( retoid, LDAP_SYNC_INFO ) ) {
-					ber_init2( ber, retdata, LBER_USE_DER );
-
-					switch ( si_tag = ber_peek_tag( ber, &len ) ) {
-					ber_tag_t tag;
-					case LDAP_TAG_SYNC_NEW_COOKIE:
-						Debug( LDAP_DEBUG_SYNC,
-							"do_syncrep2: %s %s - %s\n", 
-							si->si_ridtxt,
-							"LDAP_RES_INTERMEDIATE", 
-							"NEW_COOKIE" );
-						ber_scanf( ber, "tm", &tag, &cookie );
-						break;
-					case LDAP_TAG_SYNC_REFRESH_DELETE:
-					case LDAP_TAG_SYNC_REFRESH_PRESENT:
-						Debug( LDAP_DEBUG_SYNC,
-							"do_syncrep2: %s %s - %s\n", 
-							si->si_ridtxt,
-							"LDAP_RES_INTERMEDIATE", 
-							si_tag == LDAP_TAG_SYNC_REFRESH_PRESENT ?
-							"REFRESH_PRESENT" : "REFRESH_DELETE" );
-						if ( si_tag == LDAP_TAG_SYNC_REFRESH_DELETE ) {
-							si->si_refreshDelete = 1;
-						} else {
-							si->si_refreshPresent = 1;
-						}
-						ber_scanf( ber, "t{" /*"}"*/, &tag );
-						if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE )
-						{
-							ber_scanf( ber, "m", &cookie );
-
-							Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-								BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
-
-							if ( !BER_BVISNULL( &cookie ) ) {
-								ch_free( syncCookie.octet_str.bv_val );
-								ber_dupbv( &syncCookie.octet_str, &cookie );
-							}
-							if ( !BER_BVISNULL( &syncCookie.octet_str ) )
-							{
-								slap_parse_sync_cookie( &syncCookie, NULL );
-							}
-						}
-						/* Defaults to TRUE */
-						if ( ber_peek_tag( ber, &len ) ==
-							LDAP_TAG_REFRESHDONE )
-						{
-							ber_scanf( ber, "b", &si->si_refreshDone );
-						} else
-						{
-							si->si_refreshDone = 1;
-						}
-						ber_scanf( ber, /*"{"*/ "}" );
-						break;
-					case LDAP_TAG_SYNC_ID_SET:
-						Debug( LDAP_DEBUG_SYNC,
-							"do_syncrep2: %s %s - %s\n", 
-							si->si_ridtxt,
-							"LDAP_RES_INTERMEDIATE", 
-							"SYNC_ID_SET" );
-						ber_scanf( ber, "t{" /*"}"*/, &tag );
-						if ( ber_peek_tag( ber, &len ) ==
-							LDAP_TAG_SYNC_COOKIE )
-						{
-							ber_scanf( ber, "m", &cookie );
-
-							Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-								BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
-
-							if ( !BER_BVISNULL( &cookie ) ) {
-								ch_free( syncCookie.octet_str.bv_val );
-								ber_dupbv( &syncCookie.octet_str, &cookie );
-							}
-							if ( !BER_BVISNULL( &syncCookie.octet_str ) )
-							{
-								slap_parse_sync_cookie( &syncCookie, NULL );
-								compare_csns( &syncCookie_req, &syncCookie, &m );
-							}
-						}
-						if ( ber_peek_tag( ber, &len ) ==
-							LDAP_TAG_REFRESHDELETES )
-						{
-							ber_scanf( ber, "b", &refreshDeletes );
-						}
-						ber_scanf( ber, "[W]", &syncUUIDs );
-						ber_scanf( ber, /*"{"*/ "}" );
-						if ( refreshDeletes ) {
-							syncrepl_del_nonpresent( op, si, syncUUIDs,
-								&syncCookie.ctxcsn[m] );
-							ber_bvarray_free_x( syncUUIDs, op->o_tmpmemctx );
-						} else {
-							int i;
-							for ( i = 0; !BER_BVISNULL( &syncUUIDs[i] ); i++ ) {
-								(void)avl_presentlist_insert( si, &syncUUIDs[i] );
-								slap_sl_free( syncUUIDs[i].bv_val, op->o_tmpmemctx );
-							}
-							slap_sl_free( syncUUIDs, op->o_tmpmemctx );
-						}
-						slap_sync_cookie_free( &syncCookie, 0 );
-						break;
-					default:
-						Debug( LDAP_DEBUG_ANY,
-							"do_syncrep2: %s unknown syncinfo tag (%ld)\n",
-							si->si_ridtxt, (long) si_tag, 0 );
-						ldap_memfree( retoid );
-						ber_bvfree( retdata );
-						continue;
+					if ( syncCookie.ctxcsn )
+					{
+						rc = syncrepl_updateCookie( si, op, psub, &syncCookie);
 					}
+				} 
 
-					if ( !syncCookie.ctxcsn ) {
-						match = 1;
-					} else if ( !syncCookie_req.ctxcsn ) {
-						match = -1;
-						m = 0;
-					} else {
-						match = compare_csns( &syncCookie_req, &syncCookie, &m );
-					}
-
-					if ( match < 0 ) {
-						if ( si->si_refreshPresent == 1 ) {
-							syncrepl_del_nonpresent( op, si, NULL,
-								&syncCookie.ctxcsn[m] );
-						}
-
-						if ( syncCookie.ctxcsn )
-						{
-							rc = syncrepl_updateCookie( si, op, psub, &syncCookie);
-						}
-					} 
-
-					ldap_memfree( retoid );
-					ber_bvfree( retdata );
-					break;
-
-				} else {
-					Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
-						"unknown intermediate response (%d)\n",
-						si->si_ridtxt, rc, 0 );
-					ldap_memfree( retoid );
-					ber_bvfree( retdata );
-					break;
-				}
+				ldap_memfree( retoid );
+				ber_bvfree( retdata );
 				break;
 
-			default:
+			} else {
 				Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
-					"unknown message (0x%02lx)\n",
-					si->si_ridtxt,
-					(unsigned long)ldap_msgtype( msg ), 0 );
+					"unknown intermediate response (%d)\n",
+					si->si_ridtxt, rc, 0 );
+				ldap_memfree( retoid );
+				ber_bvfree( retdata );
 				break;
+			}
+			break;
 
-			}
-			if ( !BER_BVISNULL( &syncCookie.octet_str ) ) {
-				slap_sync_cookie_free( &syncCookie_req, 0 );
-				slap_dup_sync_cookie( &syncCookie_req, &syncCookie );
-				slap_sync_cookie_free( &syncCookie, 0 );
-			}
+		default:
+			Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
+				"unknown message (0x%02lx)\n",
+				si->si_ridtxt,
+				(unsigned long)ldap_msgtype( msg ), 0 );
+			break;
+
 		}
-		ldap_msgfree( res );
-		res = NULL;
+		if ( !BER_BVISNULL( &syncCookie.octet_str ) ) {
+			slap_sync_cookie_free( &syncCookie_req, 0 );
+			slap_dup_sync_cookie( &syncCookie_req, &syncCookie );
+			slap_sync_cookie_free( &syncCookie, 0 );
+		}
+		ldap_msgfree( msg );
+		msg = NULL;
+		if ( ldap_pvt_thread_pool_pausing( &connection_pool )) {
+			slap_sync_cookie_free( &syncCookie, 0 );
+			slap_sync_cookie_free( &syncCookie_req, 0 );
+			return SYNC_PAUSED;
+		}
 	}
 
 	if ( rc == -1 ) {
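Review bot: The per-message `ldap_msgfree( msg ); msg = NULL;` now sits at the bottom of the `while` body, but the `continue` in the unknown-syncinfo-tag `default:` branch (added in the preceding hunk) jumps back to `ldap_result()` without reaching it, so each such message appears to be leaked when `msg` is overwritten. Under the old nested loop that `continue` only advanced to the next message inside `res`, which was freed after the inner loop. Placing `ldap_msgfree( msg ); msg = NULL;` ahead of that `continue` keeps the branch's behaviour and releases the message. The new `return SYNC_PAUSED` also leaves without passing `done:`; a short comment stating that the two cookies freed by hand are the only cleanup needed on that path would help, since the label itself is outside this hunk.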
@@ -1110,7 +1159,7 @@
 	slap_sync_cookie_free( &syncCookie, 0 );
 	slap_sync_cookie_free( &syncCookie_req, 0 );
 
-	if ( res ) ldap_msgfree( res );
+	if ( msg ) ldap_msgfree( msg );
 
 	if ( rc && rc != LDAP_SYNC_REFRESH_REQUIRED && si->si_ld ) {
 		if ( si->si_conn ) {
@@ -1135,7 +1184,7 @@
 	OperationBuffer opbuf;
 	Operation *op;
 	int rc = LDAP_SUCCESS;
-	int dostop = 0;
+	int dostop = 0, do_setup = 0;
 	ber_socket_t s;
 	int i, defer = 1, fail = 0;
 	Backend *be;
@@ -1145,6 +1194,7 @@
 	if ( si == NULL )
 		return NULL;
 
+	/* There will never be more than one instance active */
 	ldap_pvt_thread_mutex_lock( &si->si_mutex );
 
 	switch( abs( si->si_type ) ) {
@@ -1177,25 +1227,40 @@
 	op->o_tmpmfuncs = &ch_mfuncs;
 
 	op->o_managedsait = SLAP_CONTROL_NONCRITICAL;
-	op->o_bd = be = si->si_be;
-	op->o_dn = op->o_bd->be_rootdn;
-	op->o_ndn = op->o_bd->be_rootndn;
-	if ( !si->si_schemachecking )
-		op->o_no_schema_check = 1;
+	be = si->si_be;
 
-	/* If we're glued, send writes through the glue parent */
+	/* Coordinate contextCSN updates with any syncprov overlays
+	 * in use. This may be complicated by the use of the glue
+	 * overlay.
+	 *
+	 * Typically there is a single syncprov mastering the entire
+	 * glued tree. In that case, our contextCSN updates should
+	 * go to the master DB.
+	 *
+	 * Alternatively, there may be individual syncprov overlays
+	 * on each glued branch. In that case, each syncprov only
+	 * knows about changes within its own branch. And so our
+	 * contextCSN updates should only go to the local DB.
+	 */
 	if ( !si->si_wbe ) {
-		if ( SLAP_GLUE_SUBORDINATE( be )) {
+		if ( SLAP_GLUE_SUBORDINATE( be ) && !overlay_is_inst( be, "syncprov" )) {
 			si->si_wbe = select_backend( &be->be_nsuffix[0], 1 );
 		} else {
 			si->si_wbe = be;
 		}
 	}
+	if ( !si->si_schemachecking )
+		op->o_no_schema_check = 1;
 
 	/* Establish session, do search */
 	if ( !si->si_ld ) {
 		si->si_refreshDelete = 0;
 		si->si_refreshPresent = 0;
+
+		/* use main DB when retrieving contextCSN */
+		op->o_bd = si->si_wbe;
+		op->o_dn = op->o_bd->be_rootdn;
+		op->o_ndn = op->o_bd->be_rootndn;
 		rc = do_syncrep1( op, si );
 	}
 
@@ -1204,6 +1269,10 @@
 	if ( rc == LDAP_SUCCESS ) {
 		ldap_get_option( si->si_ld, LDAP_OPT_DESC, &s );
 
+		/* use current DB */
+		op->o_bd = be;
+		op->o_dn = op->o_bd->be_rootdn;
+		op->o_ndn = op->o_bd->be_rootndn;
 		rc = do_syncrep2( op, si );
 		if ( rc == LDAP_SYNC_REFRESH_REQUIRED )	{
 			rc = ldap_sync_search( si, op->o_tmpmemctx );
@@ -1217,29 +1286,33 @@
 			rc = -1;
 		}
 
-		if ( abs(si->si_type) == LDAP_SYNC_REFRESH_AND_PERSIST ) {
-			/* If we succeeded, enable the connection for further listening.
-			 * If we failed, tear down the connection and reschedule.
-			 */
-			if ( rc == LDAP_SUCCESS ) {
-				if ( si->si_conn ) {
-					connection_client_enable( si->si_conn );
-				} else {
-					si->si_conn = connection_client_setup( s, do_syncrepl, arg );
-				} 
-			} else if ( si->si_conn ) {
-				dostop = 1;
+		if ( rc != SYNC_PAUSED ) {
+			if ( abs(si->si_type) == LDAP_SYNC_REFRESH_AND_PERSIST ) {
+				/* If we succeeded, enable the connection for further listening.
+				 * If we failed, tear down the connection and reschedule.
+				 */
+				if ( rc == LDAP_SUCCESS ) {
+					if ( si->si_conn ) {
+						connection_client_enable( si->si_conn );
+						goto success;
+					} else {
+						do_setup = 1;
+					} 
+				} else if ( si->si_conn ) {
+					dostop = 1;
+				}
+			} else {
+				if ( rc == -2 ) rc = 0;
 			}
-		} else {
-			if ( rc == -2 ) rc = 0;
 		}
 	}
 
-	/* At this point, we have 4 cases:
+	/* At this point, we have 5 cases:
 	 * 1) for any hard failure, give up and remove this task
-	 * 2) for ServerDown, reschedule this task to run
-	 * 3) for Refresh and Success, reschedule to run
-	 * 4) for Persist and Success, reschedule to defer
+	 * 2) for ServerDown, reschedule this task to run later
+	 * 3) for threadpool pause, reschedule to run immediately
+	 * 4) for Refresh and Success, reschedule to run
+	 * 5) for Persist and Success, reschedule to defer
 	 */
 	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 
@@ -1252,7 +1325,11 @@
 		si->si_conn = NULL;
 	}
 
-	if ( rc == LDAP_SUCCESS ) {
+	if ( rc == SYNC_PAUSED ) {
+		rtask->interval.tv_sec = 0;
+		ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
+		rc = 0;
+	} else if ( rc == LDAP_SUCCESS ) {
 		if ( si->si_type == LDAP_SYNC_REFRESH_ONLY ) {
 			defer = 0;
 		}
@@ -1285,6 +1362,11 @@
 	}
 
 	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+
+	if ( do_setup )
+		si->si_conn = connection_client_setup( s, do_syncrepl, arg );
+
+success:
 	ldap_pvt_thread_mutex_unlock( &si->si_mutex );
 
 	if ( rc ) {
@@ -2270,7 +2352,8 @@
 	Operation *op,
 	syncinfo_t *si,
 	BerVarray uuids,
-	struct berval *cookiecsn )
+	struct sync_cookie *sc,
+	int m )
 {
 	Backend* be = op->o_bd;
 	slap_callback	cb = { NULL };
@@ -2323,6 +2406,8 @@
 		}
 		si->si_refreshDelete ^= NP_DELETE_ONE;
 	} else {
+		Filter *cf, *of;
+
 		memset( &an[0], 0, 2 * sizeof( AttributeName ) );
 		an[0].an_name = slap_schema.si_ad_entryUUID->ad_cname;
 		an[0].an_desc = slap_schema.si_ad_entryUUID;
@@ -2330,21 +2415,56 @@
 		op->ors_slimit = SLAP_NO_LIMIT;
 		op->ors_attrsonly = 0;
 		op->ors_filter = str2filter_x( op, si->si_filterstr.bv_val );
-		op->ors_filterstr = si->si_filterstr;
+		/* In multimaster, updates can continue to arrive while
+		 * we're searching. Limit the search result to entries
+		 * older than all of our cookie CSNs.
+		 */
+		if ( SLAP_MULTIMASTER( op->o_bd )) {
+			Filter *f;
+			int i;
+			cf = op->o_tmpalloc( (sc->numcsns+1) * sizeof(Filter) +
+				sc->numcsns * sizeof(AttributeAssertion), op->o_tmpmemctx );
+			f = cf;
+			f->f_choice = LDAP_FILTER_AND;
+			f->f_next = NULL;
+			f->f_and = f+1;
+			of = f->f_and;
+			for ( i=0; i<sc->numcsns; i++ ) {
+				f = of;
+				f->f_choice = LDAP_FILTER_LE;
+				f->f_ava = (AttributeAssertion *)(f+1);
+				f->f_av_desc = slap_schema.si_ad_entryCSN;
+				f->f_av_value = sc->ctxcsn[i];
+				f->f_next = (Filter *)(f->f_ava+1);
+				of = f->f_next;
+			}
+			f->f_next = op->ors_filter;
+			of = op->ors_filter;
+			op->ors_filter = cf;
+			filter2bv_x( op, op->ors_filter, &op->ors_filterstr );
+		} else {
+			cf = NULL;
+			op->ors_filterstr = si->si_filterstr;
+		}
 		op->o_nocaching = 1;
 
 		if ( limits_check( op, &rs_search ) == 0 ) {
 			rc = be->be_search( op, &rs_search );
 		}
+		if ( SLAP_MULTIMASTER( op->o_bd )) {
+			op->o_tmpfree( cf, op->o_tmpmemctx );
+			op->ors_filter = of;
+		}
 		if ( op->ors_filter ) filter_free_x( op, op->ors_filter );
+
 	}
 
 	op->o_nocaching = 0;
 
 	if ( !LDAP_LIST_EMPTY( &si->si_nonpresentlist ) ) {
 
-		if ( cookiecsn && !BER_BVISNULL( cookiecsn ) ) {
-			csn = *cookiecsn;
+		if ( sc->ctxcsn && !BER_BVISNULL( &sc->ctxcsn[m] ) ) {
+			csn = sc->ctxcsn[m];
 		} else {
 			csn = si->si_syncCookie.ctxcsn[0];
 		}
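Review bot: The multimaster filter build assumes `sc->numcsns` is at least 1: with zero CSNs the allocation holds a single `Filter`, yet `f->f_and = f+1` already points past it and `filter2bv_x` is then handed that filter. The tail of the same function still tests `sc->ctxcsn` for NULL, so a cookie without CSNs is evidently considered possible here. Guarding the build with `if ( SLAP_MULTIMASTER( op->o_bd ) && sc->numcsns > 0 ) {` and the restore after the search with `if ( cf ) {` (the `else` arm already sets `cf = NULL`) keeps the plain-filter path for that case. `sc->ctxcsn[m]` at the end likewise relies on the caller passing `m < sc->numcsns`, which nothing in the hunk checks. The function begins and ends outside this hunk.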
@@ -2590,7 +2710,7 @@
 	struct sync_cookie *syncCookie )
 {
 	Backend *be = op->o_bd;
-	Modifications mod[2];
+	Modifications mod;
 	struct berval first = BER_BVNULL;
 
 	int rc, i, j, len;
@@ -2598,24 +2718,22 @@
 	slap_callback cb = { NULL };
 	SlapReply	rs_modify = {REP_RESULT};
 
-	mod[0].sml_op = LDAP_MOD_DELETE;
-	mod[0].sml_desc = slap_schema.si_ad_contextCSN;
-	mod[0].sml_type = mod[0].sml_desc->ad_cname;
-	mod[0].sml_values = NULL;
-	mod[0].sml_nvalues = NULL;
-	mod[0].sml_numvals = 0;
-	mod[0].sml_next = &mod[1];
+	mod.sml_op = LDAP_MOD_REPLACE;
+	mod.sml_desc = slap_schema.si_ad_contextCSN;
+	mod.sml_type = mod.sml_desc->ad_cname;
+	mod.sml_nvalues = NULL;
+	mod.sml_next = NULL;
 
-	mod[1].sml_op = LDAP_MOD_ADD;
-	mod[1].sml_desc = slap_schema.si_ad_contextCSN;
-	mod[1].sml_type = mod[0].sml_desc->ad_cname;
-	mod[1].sml_values = NULL;
-	mod[1].sml_nvalues = NULL;
-	mod[1].sml_numvals = 0;
-	mod[1].sml_next = NULL;
-
 	ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_mutex );
 
+	/* clone the cookieState CSNs so we can Replace the whole thing */
+	mod.sml_numvals = si->si_cookieState->cs_num;
+	mod.sml_values = op->o_tmpalloc(( mod.sml_numvals+1 )*sizeof(struct berval), op->o_tmpmemctx );
+	for ( i=0; i<mod.sml_numvals; i++ )
+		mod.sml_values[i] = si->si_cookieState->cs_vals[i];
+	BER_BVZERO( &mod.sml_values[i] );
+
+	/* find any CSNs in the syncCookie that are newer than the cookieState */
 	for ( i=0; i<syncCookie->numcsns; i++ ) {
 		for ( j=0; j<si->si_cookieState->cs_num; j++ ) {
 			if ( syncCookie->sids[i] != si->si_cookieState->cs_sids[j] )
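Review bot: `mod` is now a single uninitialised stack `Modifications`, and `sml_flags` is never assigned before `be_modify` is called. The assignments here and in the previous hunk set `sml_op`, `sml_desc`, `sml_type`, `sml_nvalues`, `sml_next`, `sml_numvals` and `sml_values` only, so the backend may read an indeterminate flags value unless it is set in lines the hunks do not show. Adding `mod.sml_flags = 0;` next to the other field assignments makes the record fully defined. The function begins and ends outside this hunk.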
@@ -2625,12 +2743,7 @@
 				len = si->si_cookieState->cs_vals[j].bv_len;
 			if ( memcmp( syncCookie->ctxcsn[i].bv_val,
 				si->si_cookieState->cs_vals[j].bv_val, len ) > 0 ) {
-				ber_bvarray_add_x( &mod[0].sml_values,
-					&si->si_cookieState->cs_vals[j], op->o_tmpmemctx );
-				mod[0].sml_numvals++;
-				ber_bvarray_add_x( &mod[1].sml_values,
-					&syncCookie->ctxcsn[i], op->o_tmpmemctx );
-				mod[1].sml_numvals++;
+				mod.sml_values[j] = syncCookie->ctxcsn[i];
 				if ( BER_BVISNULL( &first ))
 					first = syncCookie->ctxcsn[i];
 			}
@@ -2638,9 +2751,10 @@
 		}
 		/* there was no match for this SID, it's a new CSN */
 		if ( j == si->si_cookieState->cs_num ) {
-			ber_bvarray_add_x( &mod[1].sml_values,
-				&syncCookie->ctxcsn[i], op->o_tmpmemctx );
-			mod[1].sml_numvals++;
+			mod.sml_values = op->o_tmprealloc( mod.sml_values,
+				( mod.sml_numvals+2 )*sizeof(struct berval), op->o_tmpmemctx );
+			mod.sml_values[mod.sml_numvals++] = syncCookie->ctxcsn[i];
+			BER_BVZERO( &mod.sml_values[mod.sml_numvals] );
 			if ( BER_BVISNULL( &first ))
 				first = syncCookie->ctxcsn[i];
 		}
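Review bot: The "no match for this SID" branch appends to `mod.sml_values` after searching only `si->si_cookieState->cs_sids[0..cs_num)`, so entries appended earlier in this same loop are never checked. The cookie comes from the peer; if it carries two CSNs with the same new SID, both are appended and the REPLACE would write two contextCSN values for one SID. Whether the cookie parser already rules that out is not visible here. If it does, record the assumption next to the branch, for example `/* syncCookie holds at most one CSN per SID, so no need to rescan appended values */`; otherwise the search should also cover the values appended in this call.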
@@ -2648,6 +2762,7 @@
 	/* Should never happen, ITS#5065 */
 	if ( BER_BVISNULL( &first )) {
 		ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
+		op->o_tmpfree( mod.sml_values, op->o_tmpmemctx );
 		return 0;
 	}
 	op->o_bd = si->si_wbe;
@@ -2665,11 +2780,7 @@
 	/* update contextCSN */
 	op->o_msgid = SLAP_SYNC_UPDATE_MSGID;
 
-	if ( mod[0].sml_values )
-		op->orm_modlist = mod;
-	else
-		op->orm_modlist = &mod[1];
-
+	op->orm_modlist = &mod;
 	op->orm_no_opattrs = 1;
 	rc = op->o_bd->be_modify( op, &rs_modify );
 	op->orm_no_opattrs = 0;
@@ -2679,21 +2790,15 @@
 		slap_sync_cookie_free( &si->si_syncCookie, 0 );
 		slap_dup_sync_cookie( &si->si_syncCookie, syncCookie );
 		/* If we replaced any old values */
-		if ( mod[0].sml_values ) {
-			for ( i=0; !BER_BVISNULL( &mod[0].sml_values[i] ); i++ ) {
-				for ( j=0; j<si->si_cookieState->cs_num; j++ ) {
-					if ( mod[0].sml_values[i].bv_val !=
-						si->si_cookieState->cs_vals[j].bv_val )
-						continue;
-					ber_bvreplace( &si->si_cookieState->cs_vals[j],
-						&mod[1].sml_values[i] );
-					break;
-				}
-			}
-		} else {
-			/* Else we just added */
-			si->si_cookieState->cs_num += syncCookie->numcsns;
-			value_add( &si->si_cookieState->cs_vals, syncCookie->ctxcsn );
+		for ( i=0; i<si->si_cookieState->cs_num; i++ ) {
+			if ( mod.sml_values[i].bv_val != si->si_cookieState->cs_vals[i].bv_val )
+					ber_bvreplace( &si->si_cookieState->cs_vals[i],
+						&mod.sml_values[i] );
+		}
+		/* Handle any added values */
+		if ( i < mod.sml_numvals ) {
+			si->si_cookieState->cs_num = mod.sml_numvals;
+			value_add( &si->si_cookieState->cs_vals, &mod.sml_values[i] );
 			free( si->si_cookieState->cs_sids );
 			si->si_cookieState->cs_sids = slap_parse_csn_sids(
 				si->si_cookieState->cs_vals, si->si_cookieState->cs_num, NULL );
@@ -2708,13 +2813,11 @@
 	}
 	ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
 
-	slap_graduate_commit_csn( op );
 	op->o_bd = be;
 	op->o_tmpfree( op->o_csn.bv_val, op->o_tmpmemctx );
 	BER_BVZERO( &op->o_csn );
-	if ( mod[1].sml_next ) slap_mods_free( mod[1].sml_next, 1 );
-	op->o_tmpfree( mod[1].sml_values, op->o_tmpmemctx );
-	op->o_tmpfree( mod[0].sml_values, op->o_tmpmemctx );
+	if ( mod.sml_next ) slap_mods_free( mod.sml_next, 1 );
+	op->o_tmpfree( mod.sml_values, op->o_tmpmemctx );
 
 	return rc;
 }
@@ -2931,10 +3034,9 @@
 					} else if ( rc == 0 ) {
 						Debug( LDAP_DEBUG_SYNC,
 							"dn_callback : entries have identical CSN "
-							"%s ours %s, new %s\n",
+							"%s %s\n",
 							rs->sr_entry->e_name.bv_val,
-							old->a_vals[0].bv_val,
-							new->a_vals[0].bv_val );
+							old->a_vals[0].bv_val, 0 );
 						return LDAP_SUCCESS;
 					}
 				}
@@ -3228,6 +3330,7 @@
 		}
 	
 		/* re-fetch it, in case it was already removed */
+		ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 		sie->si_re = ldap_pvt_runqueue_find( &slapd_rq, do_syncrepl, sie );
 		if ( sie->si_re ) {
 			if ( ldap_pvt_runqueue_isrunning( &slapd_rq, sie->si_re ) )
@@ -3235,6 +3338,7 @@
 			ldap_pvt_runqueue_remove( &slapd_rq, sie->si_re );
 		}
 	
+		ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 	 	ldap_pvt_thread_mutex_destroy( &sie->si_mutex );
 	
 		bindconf_free( &sie->si_bindconf );
@@ -3522,7 +3626,7 @@
 				si->si_anfile = attr_fname;
 			} else {
 				char *str, *s, *next;
-				char delimstr[] = " ,\t";
+				const char *delimstr = " ,\t";
 				str = ch_strdup( val );
 				for ( s = ldap_pvt_strtok( str, delimstr, &next );
 						s != NULL;
@@ -3885,9 +3989,11 @@
 
 			if ( !isMe ) {
 				init_syncrepl( si );
+				ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 				si->si_re = ldap_pvt_runqueue_insert( &slapd_rq,
 					si->si_interval, do_syncrepl, si, "do_syncrepl",
 					si->si_ridtxt );
+				ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 				if ( si->si_re )
 					rc = config_sync_shadow( c ) ? -1 : 0;
 				else
@@ -4116,13 +4222,18 @@
 			for ( sip = &c->be->be_syncinfo, i=0; *sip; i++ ) {
 				si = *sip;
 				if ( c->valx == -1 || i == c->valx ) {
+					int isrunning = 0;
 					*sip = si->si_next;
 					/* If the task is currently active, we have to leave
 					 * it running. It will exit on its own. This will only
 					 * happen when running on the cn=config DB.
 					 */
-					if ( si->si_re &&
-						ldap_pvt_runqueue_isrunning( &slapd_rq, si->si_re ) ) {
+					if ( si->si_re ) {
+						ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+						isrunning = ldap_pvt_runqueue_isrunning( &slapd_rq, si->si_re );
+						ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+					}
+					if ( si->si_re && isrunning ) {
 						si->si_ctype = 0;
 					} else {
 						syncinfo_free( si, 0 );
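Review bot: `isrunning` is sampled under `slapd_rq.rq_mutex`, but the decision between `si->si_ctype = 0` and `syncinfo_free( si, 0 )` is taken after the mutex is released, so the task state can change in between. The re-fetch hunk earlier in this file appears to re-check `ldap_pvt_runqueue_isrunning` under the lock before removing the task, which probably covers the free path. A short comment here saying the snapshot is advisory and the callee re-checks would make that dependency explicit. Separately, `isrunning` is only set when `si->si_re` is non-NULL, so the test can be reduced to `if ( isrunning ) {`.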

Modified: openldap/trunk/servers/slapd/syntax.c
===================================================================
--- openldap/trunk/servers/slapd/syntax.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/syntax.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* syntax.c - routines to manage syntax definitions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/syntax.c,v 1.43.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/syntax.c,v 1.43.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/txn.c
===================================================================
--- openldap/trunk/servers/slapd/txn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/txn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* txn.c - LDAP Transactions */
-/* $OpenLDAP: pkg/ldap/servers/slapd/txn.c,v 1.6.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/txn.c,v 1.6.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/unbind.c
===================================================================
--- openldap/trunk/servers/slapd/unbind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/unbind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* unbind.c - decode an ldap unbind operation and pass it to a backend db */
-/* $OpenLDAP: pkg/ldap/servers/slapd/unbind.c,v 1.26.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/unbind.c,v 1.26.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/user.c
===================================================================
--- openldap/trunk/servers/slapd/user.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/user.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* user.c - set user id, group id and group access list */
-/* $OpenLDAP: pkg/ldap/servers/slapd/user.c,v 1.25.2.2 2007/08/31 23:14:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/user.c,v 1.25.2.3 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * Portions Copyright 1999 PM Lashley.
  * All rights reserved.
  *

Modified: openldap/trunk/servers/slapd/value.c
===================================================================
--- openldap/trunk/servers/slapd/value.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/value.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* value.c - routines for dealing with values */
-/* $OpenLDAP: pkg/ldap/servers/slapd/value.c,v 1.96.2.5 2007/09/29 09:55:21 hyc Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/value.c,v 1.96.2.6 2008/02/11 23:26:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/servers/slapd/zn_malloc.c
===================================================================
--- openldap/trunk/servers/slapd/zn_malloc.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/servers/slapd/zn_malloc.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 /* zn_malloc.c - zone-based malloc routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/zn_malloc.c,v 1.11.2.2 2007/08/31 23:14:00 quanah Exp $*/
+/* $OpenLDAP: pkg/ldap/servers/slapd/zn_malloc.c,v 1.11.2.3 2008/02/11 23:26:45 kurt Exp $*/
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2003-2007 The OpenLDAP Foundation.
+ * Copyright 2003-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/Makefile.in
===================================================================
--- openldap/trunk/tests/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # Makefile.in for tests
-# $OpenLDAP: pkg/ldap/tests/Makefile.in,v 1.60.2.3 2007/08/31 23:14:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/Makefile.in,v 1.60.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/ditcontentrules.conf
===================================================================
--- openldap/trunk/tests/data/ditcontentrules.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/ditcontentrules.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/tests/data/ditcontentrules.conf,v 1.6.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/ditcontentrules.conf,v 1.6.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/dn.out
===================================================================
--- openldap/trunk/tests/data/dn.out	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/dn.out	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,3 +1,4 @@
+# Searching database...
 dn: dc=example,dc=com
 objectClass: domain
 objectClass: domainRelatedObject
@@ -4,11 +5,40 @@
 dc: example
 associatedDomain: example.com
 
+dn: ou=LDAPv2,dc=example,dc=com
+objectClass: organizationalUnit
+ou: LDAPv2
+description: RFC 1779 compliant DN string representation
+
 dn: ou=LDAPv3,dc=example,dc=com
 objectClass: organizationalUnit
 ou: LDAPv3
 description: RFC 2253 compliant DN string representation
 
+dn: cn=May Succeed 1,ou=LDAPv2,dc=example,dc=com
+objectClass: groupOfNames
+cn: May Succeed 1
+member:
+description: " " // space, quote characters (") are not part of the string
+
+dn: cn=May Succeed 3,ou=LDAPv2,dc=example,dc=com
+objectClass: groupOfNames
+cn: May Succeed 3
+member: uid=jsmith,o=example,c=US
+description: UID=jsmith, O=example, C=US // spaces
+
+dn: cn=May Succeed 4,ou=LDAPv2,dc=example,dc=com
+objectClass: groupOfNames
+cn: May Succeed 4
+member: uid=jsmith,o=example,c=US
+description: UID=jsmith;O=example;C=US // semi-colons
+
+dn: cn=May Succeed 6,ou=LDAPv2,dc=example,dc=com
+objectClass: groupOfNames
+cn: May Succeed 6
+member: cn=John Smith,o=example,c=US
+description: CN="John Smith",O=example,C=US // quotes
+
 dn: cn=Must Succeed,ou=LDAPv3,dc=example,dc=com
 objectClass: groupOfNames
 cn: Must Succeed
@@ -43,47 +73,6 @@
 description: CN=Lu\C4\8Di\C4\87
 description: testUUID=597ae2f6-16a6-1027-98f4-abcdefABCDEF,DC=Example
 
-dn: cn=Unescaped Equals,ou=LDAPv3,dc=example,dc=com
-objectClass: groupOfNames
-cn: Unescaped Equals
-member: cn=Unescaped Equals,ou=LDAPv3,dc=example,dc=com
-member: cn=A*x\3Db is a linear algebra problem,ou=LDAPv3,dc=example,dc=com
-description: cn=A*x=b is a linear algebra problem,ou=LDAPv3,dc=example,dc=com 
- // unescaped EQUALS
-
-dn: ou=LDAPv2,dc=example,dc=com
-objectClass: organizationalUnit
-ou: LDAPv2
-description: RFC 1779 compliant DN string representation
-
-dn: cn=May Succeed 1,ou=LDAPv2,dc=example,dc=com
-objectClass: groupOfNames
-cn: May Succeed 1
-member:
-description: " " // space, quote characters (") are not part of the string
-
-dn: cn=May Succeed 3,ou=LDAPv2,dc=example,dc=com
-objectClass: groupOfNames
-cn: May Succeed 3
-member: uid=jsmith,o=example,c=US
-description: UID=jsmith, O=example, C=US // spaces
-
-dn: cn=May Succeed 4,ou=LDAPv2,dc=example,dc=com
-objectClass: groupOfNames
-cn: May Succeed 4
-member: uid=jsmith,o=example,c=US
-description: UID=jsmith;O=example;C=US // semi-colons
-
-dn: cn=May Succeed 6,ou=LDAPv2,dc=example,dc=com
-objectClass: groupOfNames
-cn: May Succeed 6
-member: cn=John Smith,o=example,c=US
-description: CN="John Smith",O=example,C=US // quotes
-
-dn: ou=Related Syntaxes,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Related Syntaxes
-
 dn: cn=Name and Optional UID,ou=Related Syntaxes,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: Name and Optional UID
@@ -99,6 +88,10 @@
 description: dc=example,dc=com#'1000'B // with DN portion
 description: dc=example,dc=com#'0'B // with DN portion and just one '0'
 
+dn: ou=Related Syntaxes,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Related Syntaxes
+
 dn: cn=Should Parse as DN,cn=Name and Optional UID,ou=Related Syntaxes,dc=exam
  ple,dc=com
 objectClass: groupOfUniqueNames
@@ -110,6 +103,15 @@
 description: dc=example,dc=com#'0B // malformed UID?
 description: dc=example,dc=com '0'B // malformed UID?
 
+dn: cn=Unescaped Equals,ou=LDAPv3,dc=example,dc=com
+objectClass: groupOfNames
+cn: Unescaped Equals
+member: cn=Unescaped Equals,ou=LDAPv3,dc=example,dc=com
+member: cn=A*x\3Db is a linear algebra problem,ou=LDAPv3,dc=example,dc=com
+description: cn=A*x=b is a linear algebra problem,ou=LDAPv3,dc=example,dc=com 
+ // unescaped EQUALS
+
+# Searching database for DN="OU=Sales+CN=J. Smith,DC=example,DC=net"...
 dn: cn=Must Succeed,ou=LDAPv3,dc=example,dc=com
 objectClass: groupOfNames
 cn: Must Succeed
@@ -144,6 +146,7 @@
 description: CN=Lu\C4\8Di\C4\87
 description: testUUID=597ae2f6-16a6-1027-98f4-abcdefABCDEF,DC=Example
 
+# Searching database for entryUUID-named DN="testUUID=597ae2f6-16a6-1027-98f4-ABCDEFabcdef,DC=Example"...
 dn: cn=Must Succeed,ou=LDAPv3,dc=example,dc=com
 objectClass: groupOfNames
 cn: Must Succeed
@@ -178,6 +181,8 @@
 description: CN=Lu\C4\8Di\C4\87
 description: testUUID=597ae2f6-16a6-1027-98f4-abcdefABCDEF,DC=Example
 
+# Searching database for nameAndOptionalUID="dc=example,dc=com"...
+# Searching database for nameAndOptionalUID="dc=example,dc=com#'001000'B"...
 dn: cn=Name and Optional UID,ou=Related Syntaxes,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: Name and Optional UID
@@ -193,6 +198,7 @@
 description: dc=example,dc=com#'1000'B // with DN portion
 description: dc=example,dc=com#'0'B // with DN portion and just one '0'
 
+# Searching database for uniqueMember~="dc=example,dc=com" (approx)...
 dn: cn=Name and Optional UID,ou=Related Syntaxes,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: Name and Optional UID
@@ -208,6 +214,7 @@
 description: dc=example,dc=com#'1000'B // with DN portion
 description: dc=example,dc=com#'0'B // with DN portion and just one '0'
 
+# Searching database for uniqueMember~="dc=example,dc=com#'001000'B" (approx)...
 dn: cn=Name and Optional UID,ou=Related Syntaxes,dc=example,dc=com
 objectClass: groupOfUniqueNames
 cn: Name and Optional UID

Modified: openldap/trunk/tests/data/do_add.1
===================================================================
--- openldap/trunk/tests/data/do_add.1	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/do_add.1	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com
+dn: cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: James A Jones 2
 cn: James Jones

Modified: openldap/trunk/tests/data/do_add.2
===================================================================
--- openldap/trunk/tests/data/do_add.2	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/do_add.2	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-cn=James A Jones 3,ou=Alumni Association,ou=People,dc=example,dc=com
+dn: cn=James A Jones 3,ou=Alumni Association,ou=People,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: James A Jones 3
 cn: James Jones

Modified: openldap/trunk/tests/data/do_add.3
===================================================================
--- openldap/trunk/tests/data/do_add.3	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/do_add.3	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-cn=James A Jones 4,ou=People,dc=example,dc=com
+dn: cn=James A Jones 4,ou=People,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: James A Jones 4
 cn: James Jones

Modified: openldap/trunk/tests/data/do_add.4
===================================================================
--- openldap/trunk/tests/data/do_add.4	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/do_add.4	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,4 @@
-cn=James A Jones 5,dc=example,dc=com
+dn: cn=James A Jones 5,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: James A Jones 5
 cn: James Jones

Modified: openldap/trunk/tests/data/dynlist.out
===================================================================
--- openldap/trunk/tests/data/dynlist.out	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/dynlist.out	2008-05-25 14:29:31 UTC (rev 1128)
@@ -139,7 +139,7 @@
 objectClass: dgIdentityAux
 cn: Dynamic List of Members
 memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
-dgIdentity: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=ex
+dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
  ample,dc=com
 member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
  ple,dc=com
@@ -156,3 +156,39 @@
 member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
 member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
 
+# Testing list search with dgIdentity and dgAuthz anonymously...
+dn: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com
+objectClass: groupOfURLs
+objectClass: dgIdentityAux
+cn: Dynamic List of Members
+memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
+dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
+ ample,dc=com
+dgAuthz: {0}dn:cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,
+ dc=example,dc=com
+
+# Testing list search with dgIdentity and dgAuthz as the authorized identity...
+dn: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com
+objectClass: groupOfURLs
+objectClass: dgIdentityAux
+cn: Dynamic List of Members
+memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
+dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex
+ ample,dc=com
+dgAuthz: {0}dn:cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People,
+ dc=example,dc=com
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
+ ple,dc=com
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl
+ e,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
+ mple,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+

Modified: openldap/trunk/tests/data/emptydn.out
===================================================================
--- openldap/trunk/tests/data/emptydn.out	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/emptydn.out	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,28 +1,28 @@
-dn: c=US
-objectClass: country
-c: US
-
-dn: o=Example,c=US
+dn: o=Esempio,c=IT
 objectClass: organization
+o: Esempio
+o: Esempio S.p.A.
 o: Example
-o: Example, Inc.
 
-dn: c=UK
-objectClass: country
-c: UK
-
 dn: o=Example,c=UK
 objectClass: organization
 o: Example
 o: Example, Ltd.
 
+dn: o=Example,c=US
+objectClass: organization
+o: Example
+o: Example, Inc.
+
 dn: c=IT
 objectClass: country
 c: IT
 
-dn: o=Esempio,c=IT
-objectClass: organization
-o: Esempio
-o: Esempio S.p.A.
-o: Example
+dn: c=UK
+objectClass: country
+c: UK
 
+dn: c=US
+objectClass: country
+c: US
+

Modified: openldap/trunk/tests/data/emptydn.out.slapadd
===================================================================
--- openldap/trunk/tests/data/emptydn.out.slapadd	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/emptydn.out.slapadd	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,38 +1,38 @@
-dn: c=US
+dn: o=Beispiel,c=DE
+objectClass: organization
+o: Beispiel
+o: Beispiel GmbH
+o: Example
+
+dn: c=DE
 objectClass: country
-c: US
+c: DE
 
-dn: o=Example,c=US
+dn: o=Esempio,c=IT
 objectClass: organization
+o: Esempio
+o: Esempio S.p.A.
 o: Example
-o: Example, Inc.
 
-dn: c=UK
-objectClass: country
-c: UK
-
 dn: o=Example,c=UK
 objectClass: organization
 o: Example
 o: Example, Ltd.
 
+dn: o=Example,c=US
+objectClass: organization
+o: Example
+o: Example, Inc.
+
 dn: c=IT
 objectClass: country
 c: IT
 
-dn: o=Esempio,c=IT
-objectClass: organization
-o: Esempio
-o: Esempio S.p.A.
-o: Example
+dn: c=UK
+objectClass: country
+c: UK
 
-dn: c=DE
+dn: c=US
 objectClass: country
-c: DE
+c: US
 
-dn: o=Beispiel,c=DE
-objectClass: organization
-o: Beispiel
-o: Beispiel GmbH
-o: Example
-

Modified: openldap/trunk/tests/data/regressions/its4184/its4184
===================================================================
--- openldap/trunk/tests/data/regressions/its4184/its4184	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4184/its4184	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4184/its4184,v 1.4.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4184/its4184,v 1.4.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4326/its4326
===================================================================
--- openldap/trunk/tests/data/regressions/its4326/its4326	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4326/its4326	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4326/its4326,v 1.2.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4326/its4326,v 1.2.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4326/slapd.conf
===================================================================
--- openldap/trunk/tests/data/regressions/its4326/slapd.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4326/slapd.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # proxy slapd config -- for regression of back-ldap server unavailable issue
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4326/slapd.conf,v 1.2.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4326/slapd.conf,v 1.2.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4336/its4336
===================================================================
--- openldap/trunk/tests/data/regressions/its4336/its4336	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4336/its4336	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4336/its4336,v 1.2.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4336/its4336,v 1.2.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4336/slapd.conf
===================================================================
--- openldap/trunk/tests/data/regressions/its4336/slapd.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4336/slapd.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4336/slapd.conf,v 1.2.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4336/slapd.conf,v 1.2.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4337/its4337
===================================================================
--- openldap/trunk/tests/data/regressions/its4337/its4337	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4337/its4337	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4337/its4337,v 1.1.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4337/its4337,v 1.1.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4337/slapd.conf
===================================================================
--- openldap/trunk/tests/data/regressions/its4337/slapd.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4337/slapd.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4337/slapd.conf,v 1.1.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4337/slapd.conf,v 1.1.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4448/its4448
===================================================================
--- openldap/trunk/tests/data/regressions/its4448/its4448	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4448/its4448	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/its4448,v 1.1.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/its4448,v 1.1.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf
===================================================================
--- openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/slapd-meta.conf,v 1.1.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/slapd-meta.conf,v 1.1.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/relay.out
===================================================================
--- openldap/trunk/tests/data/relay.out	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/relay.out	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,4 +1,100 @@
 # searching base="dc=example,dc=com"...
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+member: cn=Manager,dc=example,dc=com
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
+ ple,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
+ mple,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl
+ e,dc=com
+owner: cn=Manager,dc=example,dc=com
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com
+member: cn=Manager,dc=example,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+owner: cn=Manager,dc=example,dc=com
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+
+dn: ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
+ dc=com
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc
+ =com
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: dc=example,dc=com
 objectClass: top
 objectClass: organization
@@ -15,21 +111,10 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,dc=example,dc=com
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
-
 dn: ou=Groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,dc=example,dc=com
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -173,98 +258,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,dc=example,dc=com
-member: cn=Manager,dc=example,dc=com
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam
- ple,dc=com
-member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc
- =com
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa
- mple,dc=com
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl
- e,dc=com
-owner: cn=Manager,dc=example,dc=com
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com
-member: cn=Manager,dc=example,dc=com
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
-owner: cn=Manager,dc=example,dc=com
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
- dc=com
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc
- =com
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,dc=example,dc=com
 owner: cn=Manager,dc=example,dc=com
 description: All ITD Staff
@@ -394,6 +387,13 @@
 facsimileTelephoneNumber: +1 313 555 7762
 telephoneNumber: +1 313 555 4177
 
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -410,6 +410,102 @@
 telephoneNumber: +1 313 555 5331
 
 # searching base="o=Example,c=US"...
+dn: cn=All Staff,ou=Groups,o=Example,c=US
+member: cn=Manager,o=Example,c=US
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Examp
+ le,c=US
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=Example,c=U
+ S
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Exam
+ ple,c=US
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example
+ ,c=US
+owner: cn=Manager,o=Example,c=US
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,o=Example,c=US
+member: cn=Manager,o=Example,c=US
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
+owner: cn=Manager,o=Example,c=US
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+
+dn: ou=Alumni Association,ou=People,o=Example,c=US
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Example,c
+ =US
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=U
+ S
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: o=Example,c=US
 objectClass: top
 objectClass: organization
@@ -426,21 +522,10 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,o=Example,c=US
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
-
 dn: ou=Groups,o=Example,c=US
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,o=Example,c=US
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,o=Example,c=US
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -584,98 +669,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,o=Example,c=US
-member: cn=Manager,o=Example,c=US
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Examp
- le,c=US
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=John Doe,ou=Information Technology Division,ou=People,o=Example,c=U
- S
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Exam
- ple,c=US
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example
- ,c=US
-owner: cn=Manager,o=Example,c=US
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,o=Example,c=US
-member: cn=Manager,o=Example,c=US
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
-owner: cn=Manager,o=Example,c=US
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Example,c
- =US
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=U
- S
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,o=Example,c=US
 owner: cn=Manager,o=Example,c=US
 description: All ITD Staff
@@ -805,6 +798,13 @@
 facsimileTelephoneNumber: +1 313 555 7762
 telephoneNumber: +1 313 555 4177
 
+dn: ou=People,o=Example,c=US
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -821,6 +821,102 @@
 telephoneNumber: +1 313 555 5331
 
 # searching base="o=Esempio,c=IT"...
+dn: cn=All Staff,ou=Groups,o=Esempio,c=IT
+member: cn=Manager,o=Esempio,c=IT
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esemp
+ io,c=IT
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=Esempio,c=I
+ T
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Esem
+ pio,c=IT
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio
+ ,c=IT
+owner: cn=Manager,o=Esempio,c=IT
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,o=Esempio,c=IT
+member: cn=Manager,o=Esempio,c=IT
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
+owner: cn=Manager,o=Esempio,c=IT
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+
+dn: ou=Alumni Association,ou=People,o=Esempio,c=IT
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esempio,c
+ =IT
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio,c=I
+ T
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: o=Esempio,c=IT
 objectClass: top
 objectClass: organization
@@ -837,21 +933,10 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,o=Esempio,c=IT
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
-
 dn: ou=Groups,o=Esempio,c=IT
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,o=Esempio,c=IT
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,o=Esempio,c=IT
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -995,98 +1080,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,o=Esempio,c=IT
-member: cn=Manager,o=Esempio,c=IT
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esemp
- io,c=IT
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=John Doe,ou=Information Technology Division,ou=People,o=Esempio,c=I
- T
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Esem
- pio,c=IT
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio
- ,c=IT
-owner: cn=Manager,o=Esempio,c=IT
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,o=Esempio,c=IT
-member: cn=Manager,o=Esempio,c=IT
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
-owner: cn=Manager,o=Esempio,c=IT
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esempio,c
- =IT
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio,c=I
- T
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,o=Esempio,c=IT
 owner: cn=Manager,o=Esempio,c=IT
 description: All ITD Staff
@@ -1216,6 +1209,13 @@
 facsimileTelephoneNumber: +1 313 555 7762
 telephoneNumber: +1 313 555 4177
 
+dn: ou=People,o=Esempio,c=IT
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -1232,6 +1232,65 @@
 telephoneNumber: +1 313 555 5331
 
 # searching base="o=Beispiel,c=DE"...
+dn: cn=All Staff,ou=Groups,o=Beispiel,c=DE
+member: cn=Manager,o=Beispiel,c=DE
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Beisp
+ iel,c=DE
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=Beispiel,c=
+ DE
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Beis
+ piel,c=DE
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Beispie
+ l,c=DE
+owner: cn=Manager,o=Beispiel,c=DE
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,o=Beispiel,c=DE
+member: cn=Manager,o=Beispiel,c=DE
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+owner: cn=Manager,o=Beispiel,c=DE
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+
+dn: ou=Alumni Association,ou=People,o=Beispiel,c=DE
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Beispiel,
+ c=DE
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
 dn: o=Beispiel,c=DE
 objectClass: top
 objectClass: organization
@@ -1248,21 +1307,47 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,o=Beispiel,c=DE
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Beispiel,c=
+ DE
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
 
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: ou=Groups,o=Beispiel,c=DE
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,o=Beispiel,c=DE
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,o=Beispiel,c=DE
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -1406,98 +1491,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,o=Beispiel,c=DE
-member: cn=Manager,o=Beispiel,c=DE
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Beisp
- iel,c=DE
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=John Doe,ou=Information Technology Division,ou=People,o=Beispiel,c=
- DE
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Beis
- piel,c=DE
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Beispie
- l,c=DE
-owner: cn=Manager,o=Beispiel,c=DE
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,o=Beispiel,c=DE
-member: cn=Manager,o=Beispiel,c=DE
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-owner: cn=Manager,o=Beispiel,c=DE
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Beispiel,
- c=DE
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Beispiel,c=
- DE
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Beispiel,c=DE
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,o=Beispiel,c=DE
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,o=Beispiel,c=DE
 owner: cn=Manager,o=Beispiel,c=DE
 description: All ITD Staff
@@ -1627,6 +1620,13 @@
 facsimileTelephoneNumber: +1 313 555 7762
 telephoneNumber: +1 313 555 4177
 
+dn: ou=People,o=Beispiel,c=DE
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Beispiel,c=DE
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -1643,6 +1643,127 @@
 telephoneNumber: +1 313 555 5331
 
 # searching base="o=Example,c=US"...
+dn: cn=Added Group,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+cn: Added Group
+member: cn=Added Group,ou=Groups,o=Example,c=US
+
+dn: cn=Added User,ou=Alumni Association,ou=People,o=Example,c=US
+objectClass: OpenLDAPperson
+cn: Added User
+sn: User
+uid: auser
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+homePhone: +49 1234567890
+drink: Beer
+mail: auser at mail.alumni.example.com
+telephoneNumber: +49 1234-567-890
+description: Just added in o=Beispiel,c=DE naming context
+
+dn: cn=All Staff,ou=Groups,o=Example,c=US
+member: cn=Manager,o=Example,c=US
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Examp
+ le,c=US
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=Example,c=U
+ S
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Exam
+ ple,c=US
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example
+ ,c=US
+owner: cn=Manager,o=Example,c=US
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,o=Example,c=US
+member: cn=Manager,o=Example,c=US
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
+owner: cn=Manager,o=Example,c=US
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectClass: groupOfNames
+
+dn: ou=Alumni Association,ou=People,o=Example,c=US
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Another Added Group,ou=Groups,o=Example,c=US
+objectClass: groupOfNames
+objectClass: uidObject
+cn: Another Added Group
+member: cn=Added Group,ou=Groups,o=Example,c=US
+member: cn=Another Added Group,ou=Groups,o=Example,c=US
+uid: added
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Example,c
+ =US
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=U
+ S
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: o=Example,c=US
 objectClass: top
 objectClass: organization
@@ -1659,21 +1780,10 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,o=Example,c=US
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
-
 dn: ou=Groups,o=Example,c=US
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,o=Example,c=US
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,o=Example,c=US
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -1817,98 +1927,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,o=Example,c=US
-member: cn=Manager,o=Example,c=US
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Examp
- le,c=US
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=John Doe,ou=Information Technology Division,ou=People,o=Example,c=U
- S
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Exam
- ple,c=US
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example
- ,c=US
-owner: cn=Manager,o=Example,c=US
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,o=Example,c=US
-member: cn=Manager,o=Example,c=US
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Example,c=US
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
-owner: cn=Manager,o=Example,c=US
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Example,c
- =US
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Example,c=U
- S
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Example,c=US
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,o=Example,c=US
 owner: cn=Manager,o=Example,c=US
 description: All ITD Staff
@@ -2022,6 +2040,13 @@
 description: Manager of the directory
 userPassword:: c2VjcmV0
 
+dn: ou=People,o=Example,c=US
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -2040,34 +2065,130 @@
 description: Just added self to seeAlso in o=Beispiel,c=DE virtual naming cont
  ext
 
-dn: cn=Added User,ou=Alumni Association,ou=People,o=Example,c=US
+# refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
+
+# searching base="o=Esempio,c=IT"...
+dn: cn=Added Group,ou=Groups,o=Esempio,c=IT
+objectClass: groupOfUniqueNames
+cn: Added Group
+uniqueMember: cn=Added Group,ou=Groups,dc=example,dc=com
+
+dn: cn=Added User,ou=Alumni Association,ou=People,o=Esempio,c=IT
 objectClass: OpenLDAPperson
 cn: Added User
 sn: User
 uid: auser
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
 homePhone: +49 1234567890
 drink: Beer
 mail: auser at mail.alumni.example.com
 telephoneNumber: +49 1234-567-890
 description: Just added in o=Beispiel,c=DE naming context
 
-# refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
+dn: cn=All Staff,ou=Groups,o=Esempio,c=IT
+member: cn=Manager,o=Esempio,c=IT
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esemp
+ io,c=IT
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=Esempio,c=I
+ T
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Esem
+ pio,c=IT
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio
+ ,c=IT
+owner: cn=Manager,o=Esempio,c=IT
+cn: All Staff
+description: Everyone in the sample data
+objectClass: groupOfNames
 
-dn: cn=Added Group,ou=Groups,o=Example,c=US
+dn: cn=Alumni Assoc Staff,ou=Groups,o=Esempio,c=IT
+member: cn=Manager,o=Esempio,c=IT
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
+owner: cn=Manager,o=Esempio,c=IT
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
 objectClass: groupOfNames
-cn: Added Group
-member: cn=Added Group,ou=Groups,o=Example,c=US
 
-dn: cn=Another Added Group,ou=Groups,o=Example,c=US
-objectClass: groupOfNames
-objectClass: uidObject
+dn: ou=Alumni Association,ou=People,o=Esempio,c=IT
+objectClass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Another Added Group,ou=Groups,o=Esempio,c=IT
+objectClass: groupOfUniqueNames
+objectClass: dcObject
 cn: Another Added Group
-member: cn=Added Group,ou=Groups,o=Example,c=US
-member: cn=Another Added Group,ou=Groups,o=Example,c=US
-uid: added
+uniqueMember: cn=Added Group,ou=Groups,dc=example,dc=com
+uniqueMember: cn=Another Added Group,ou=Groups,dc=example,dc=com
+dc: added
 
-# searching base="o=Esempio,c=IT"...
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esempio,c
+ =IT
+objectClass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid: bjensen
+title: Mythical Manager, Research Systems
+postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
+ own, MI 48103-4943
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+userPassword:: YmplbnNlbg==
+mail: bjensen at mailgw.example.com
+homePostalAddress: 123 Wesley $ Anytown, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homePhone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimileTelephoneNumber: +1 313 555 2274
+telephoneNumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio,c=I
+ T
+objectClass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+userPassword:: Ympvcm4=
+homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
+mail: bjorn at mailgw.example.com
+homePhone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimileTelephoneNumber: +1 313 555 2177
+telephoneNumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
+objectClass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
+seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
+drink: Lemonade
+homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
+description: Very tall
+facsimileTelephoneNumber: +1 313 555 3223
+telephoneNumber: +1 313 555 3664
+mail: dots at mail.alumni.example.com
+homePhone: +1 313 555 0454
+
 dn: o=Esempio,c=IT
 objectClass: top
 objectClass: organization
@@ -2084,21 +2205,10 @@
 telephoneNumber: +1 313 555 1817
 associatedDomain: example.com
 
-dn: ou=People,o=Esempio,c=IT
-objectClass: organizationalUnit
-objectClass: extensibleObject
-ou: People
-uidNumber: 0
-gidNumber: 0
-
 dn: ou=Groups,o=Esempio,c=IT
 objectClass: organizationalUnit
 ou: Groups
 
-dn: ou=Alumni Association,ou=People,o=Esempio,c=IT
-objectClass: organizationalUnit
-ou: Alumni Association
-
 dn: ou=Information Technology Division,ou=People,o=Esempio,c=IT
 objectClass: organizationalUnit
 ou: Information Technology Division
@@ -2242,98 +2352,6 @@
  8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
  ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
 
-dn: cn=All Staff,ou=Groups,o=Esempio,c=IT
-member: cn=Manager,o=Esempio,c=IT
-member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esemp
- io,c=IT
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=John Doe,ou=Information Technology Division,ou=People,o=Esempio,c=I
- T
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Esem
- pio,c=IT
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio
- ,c=IT
-owner: cn=Manager,o=Esempio,c=IT
-cn: All Staff
-description: Everyone in the sample data
-objectClass: groupOfNames
-
-dn: cn=Alumni Assoc Staff,ou=Groups,o=Esempio,c=IT
-member: cn=Manager,o=Esempio,c=IT
-member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Jane Doe,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=Esempio,c=IT
-member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
-owner: cn=Manager,o=Esempio,c=IT
-description: All Alumni Assoc Staff
-cn: Alumni Assoc Staff
-objectClass: groupOfNames
-
-dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Esempio,c
- =IT
-objectClass: OpenLDAPperson
-cn: Barbara Jensen
-cn: Babs Jensen
-sn:: IEplbnNlbiA=
-uid: bjensen
-title: Mythical Manager, Research Systems
-postalAddress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Anyt
- own, MI 48103-4943
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-userPassword:: YmplbnNlbg==
-mail: bjensen at mailgw.example.com
-homePostalAddress: 123 Wesley $ Anytown, MI 48103
-description: Mythical manager of the rsdd unix project
-drink: water
-homePhone: +1 313 555 2333
-pager: +1 313 555 3233
-facsimileTelephoneNumber: +1 313 555 2274
-telephoneNumber: +1 313 555 9022
-
-dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Esempio,c=I
- T
-objectClass: OpenLDAPperson
-cn: Bjorn Jensen
-cn: Biiff Jensen
-sn: Jensen
-uid: bjorn
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-userPassword:: Ympvcm4=
-homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
-drink: Iced Tea
-description: Hiker, biker
-title: Director, Embedded Systems
-postalAddress: Info Tech Division $ 535 W. William St. $ Anytown, MI 48103
-mail: bjorn at mailgw.example.com
-homePhone: +1 313 555 5444
-pager: +1 313 555 4474
-facsimileTelephoneNumber: +1 313 555 2177
-telephoneNumber: +1 313 555 0355
-
-dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=Esempio,c=IT
-objectClass: OpenLDAPperson
-cn: Dorothy Stevens
-cn: Dot Stevens
-sn: Stevens
-uid: dots
-title: Secretary, UM Alumni Association
-postalAddress: Alumni Association $ 111 Maple St $ Anytown, MI 48109
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-drink: Lemonade
-homePostalAddress: 377 White St. Apt. 3 $ Anytown, MI 48104
-description: Very tall
-facsimileTelephoneNumber: +1 313 555 3223
-telephoneNumber: +1 313 555 3664
-mail: dots at mail.alumni.example.com
-homePhone: +1 313 555 0454
-
 dn: cn=ITD Staff,ou=Groups,o=Esempio,c=IT
 owner: cn=Manager,o=Esempio,c=IT
 description: All ITD Staff
@@ -2447,6 +2465,13 @@
 description: Manager of the directory
 userPassword:: c2VjcmV0
 
+dn: ou=People,o=Esempio,c=IT
+objectClass: organizationalUnit
+objectClass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
 dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Esempio,c=IT
 objectClass: OpenLDAPperson
 cn: Ursula Hampster
@@ -2465,33 +2490,8 @@
 description: Just added self to seeAlso in o=Beispiel,c=DE virtual naming cont
  ext
 
-dn: cn=Added User,ou=Alumni Association,ou=People,o=Esempio,c=IT
-objectClass: OpenLDAPperson
-cn: Added User
-sn: User
-uid: auser
-seeAlso: cn=All Staff,ou=Groups,o=Esempio,c=IT
-homePhone: +49 1234567890
-drink: Beer
-mail: auser at mail.alumni.example.com
-telephoneNumber: +49 1234-567-890
-description: Just added in o=Beispiel,c=DE naming context
-
 # refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
 
-dn: cn=Added Group,ou=Groups,o=Esempio,c=IT
-objectClass: groupOfUniqueNames
-cn: Added Group
-uniqueMember: cn=Added Group,ou=Groups,dc=example,dc=com
-
-dn: cn=Another Added Group,ou=Groups,o=Esempio,c=IT
-objectClass: groupOfUniqueNames
-objectClass: dcObject
-cn: Another Added Group
-uniqueMember: cn=Added Group,ou=Groups,dc=example,dc=com
-uniqueMember: cn=Another Added Group,ou=Groups,dc=example,dc=com
-dc: added
-
 # searching filter="(objectClass=referral)"
 # 	attrs="'*' ref"
 # 	base="dc=example,dc=com"...
@@ -2530,6 +2530,9 @@
 # searching filter="(seeAlso=cn=all staff,ou=Groups,o=Example,c=US)"
 # 	attrs="seeAlso"
 # 	base="o=Example,c=US"...
+dn: cn=Added User,ou=Alumni Association,ou=People,o=Example,c=US
+seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
+
 dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Example,c
  =US
 seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
@@ -2561,9 +2564,6 @@
 seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
 seeAlso: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=Example,c=US
 
-dn: cn=Added User,ou=Alumni Association,ou=People,o=Example,c=US
-seeAlso: cn=All Staff,ou=Groups,o=Example,c=US
-
 # refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
 
 # searching filter="(uid=example)"
@@ -2577,9 +2577,9 @@
 # searching filter="(member=cn=Another Added Group,ou=Groups,o=Example,c=US)"
 # 	attrs="member"
 # 	base="o=Example,c=US"...
-# refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
-
 dn: cn=Another Added Group,ou=Groups,o=Example,c=US
 member: cn=Added Group,ou=Groups,o=Example,c=US
 member: cn=Another Added Group,ou=Groups,o=Example,c=US
 
+# refldap://localhost:9012/ou=Referrals,o=Beispiel,c=DE??sub
+

Modified: openldap/trunk/tests/data/retcode.conf
===================================================================
--- openldap/trunk/tests/data/retcode.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/retcode.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # slapo-retcode standard track response codes configuration example
-# $Header$
+# $OpenLDAP: pkg/ldap/tests/data/retcode.conf,v 1.5.2.3 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Copied: openldap/trunk/tests/data/slapd-2db.conf (from rev 1127, openldap/vendor/openldap-2.4.9/tests/data/slapd-2db.conf)
===================================================================
--- openldap/trunk/tests/data/slapd-2db.conf	                        (rev 0)
+++ openldap/trunk/tests/data/slapd-2db.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -0,0 +1,52 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP: pkg/ldap/tests/data/slapd-2db.conf,v 1.1.2.1 2008/02/11 17:47:04 hallvard Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+#
+pidfile		@TESTDIR@/slapd.1.pid
+argsfile	@TESTDIR@/slapd.1.args
+
+#mod#modulepath	../servers/slapd/back- at BACKEND@/
+#mod#moduleload	back_ at BACKEND@.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database	@BACKEND@
+suffix          "cn=Everyone,ou=Groups,dc=example,dc=com"
+directory	@TESTDIR@/db.1.a
+subordinate
+#bdb#index		objectClass	eq
+#bdb#index		cn,sn,uid	pres,eq,sub
+#hdb#index		objectClass	eq
+#hdb#index		cn,sn,uid	pres,eq,sub
+
+database	@BACKEND@
+suffix		"dc=example,dc=com"
+directory	@TESTDIR@/db.1.b
+rootdn		"cn=Manager,dc=example,dc=com"
+rootpw		secret
+#bdb#index		objectClass	eq
+#bdb#index		cn,sn,uid	pres,eq,sub
+#hdb#index		objectClass	eq
+#hdb#index		cn,sn,uid	pres,eq,sub
+
+#monitor#database	monitor
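Review bot: The second database sets `rootpw secret` in cleartext and the file has no `access` directives, so whatever slapd applies by default governs both databases, including the `subordinate` one under `cn=Everyone,ou=Groups,dc=example,dc=com`. For a fixture under `@TESTDIR@` that is workable, but nothing in the file says so; a line above `rootdn` such as `# test fixture only: cleartext rootpw and default ACLs -- do not reuse as a deployment template` would make the limit explicit. The header on the first added line, `# stand-alone slapd config -- for testing (with indexing)`, is the same text slapd-aci.conf and slapd-dds.conf carry and does not describe what is distinctive here. I would reword it to `# slapd config with a subordinate database under dc=example,dc=com -- for testing`.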

Modified: openldap/trunk/tests/data/slapd-aci.conf
===================================================================
--- openldap/trunk/tests/data/slapd-aci.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-aci.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-aci.conf,v 1.4.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-aci.conf,v 1.4.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-acl.conf
===================================================================
--- openldap/trunk/tests/data/slapd-acl.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-acl.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-acl.conf,v 1.46.2.4 2003/12/15 22:05:29
-  kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-acl.conf,v 1.71.2.5 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-cache-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-cache-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-cache-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for proxy cache testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-cache-master.conf,v 1.2.2.4 2003/12/15 
- 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-cache-master.conf,v 1.14.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-chain1.conf
===================================================================
--- openldap/trunk/tests/data/slapd-chain1.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-chain1.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-chain1.conf,v 1.9.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-chain2.conf
===================================================================
--- openldap/trunk/tests/data/slapd-chain2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-chain2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-chain2.conf,v 1.9.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-component.conf
===================================================================
--- openldap/trunk/tests/data/slapd-component.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-component.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-master.conf,v 1.33.2.4 2003/12/15 22:05
- :29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-component.conf,v 1.13.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-dds.conf
===================================================================
--- openldap/trunk/tests/data/slapd-dds.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-dds.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-dds.conf,v 1.2.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-dds.conf,v 1.2.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2007 The OpenLDAP Foundation.
+## Copyright 2005-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-deltasync-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-deltasync-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-deltasync-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing of Delta SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-master.conf,v 1.1.2.4 2003/12/
- 15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-deltasync-master.conf,v 1.3.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-deltasync-slave.conf
===================================================================
--- openldap/trunk/tests/data/slapd-deltasync-slave.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-deltasync-slave.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for testing of Delta SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist1.conf,v 1.4.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-deltasync-slave.conf,v 1.2.2.4 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-dn.conf
===================================================================
--- openldap/trunk/tests/data/slapd-dn.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-dn.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with refint overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-dn.conf,v 1.10.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-dn.conf,v 1.10.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-dnssrv.conf
===================================================================
--- openldap/trunk/tests/data/slapd-dnssrv.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-dnssrv.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # DNS SRV slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-dnssrv.conf,v 1.10.2.2 2003/12/15 22:05
- :29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-dnssrv.conf,v 1.19.2.3 2008/02/12 01:07:39 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-dynlist.conf
===================================================================
--- openldap/trunk/tests/data/slapd-dynlist.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-dynlist.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 # stand-alone slapd config -- for testing (with indexing)
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-emptydn.conf
===================================================================
--- openldap/trunk/tests/data/slapd-emptydn.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-emptydn.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with refint overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-emptydn.conf,v 1.8.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-emptydn.conf,v 1.8.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-glue-ldap.conf
===================================================================
--- openldap/trunk/tests/data/slapd-glue-ldap.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-glue-ldap.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-glue-ldap.conf,v 1.6.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-glue-ldap.conf,v 1.6.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-glue-syncrepl1.conf
===================================================================
--- openldap/trunk/tests/data/slapd-glue-syncrepl1.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-glue-syncrepl1.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # stand-alone slapd config -- for backglue testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-glue.conf,v 1.5.2.4 2003/12/15 22:05:29
-  kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-glue-syncrepl1.conf,v 1.9.2.4 2008/02/12 01:10:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-glue-syncrepl2.conf
===================================================================
--- openldap/trunk/tests/data/slapd-glue-syncrepl2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-glue-syncrepl2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # stand-alone slapd config -- for backglue testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-glue.conf,v 1.5.2.4 2003/12/15 22:05:29
-  kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-glue-syncrepl2.conf,v 1.9.2.4 2008/02/12 01:10:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-glue.conf
===================================================================
--- openldap/trunk/tests/data/slapd-glue.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-glue.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # stand-alone slapd config -- for backglue testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-glue.conf,v 1.5.2.4 2003/12/15 22:05:29
-  kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-glue.conf,v 1.21.2.4 2008/02/12 01:10:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-idassert.conf
===================================================================
--- openldap/trunk/tests/data/slapd-idassert.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-idassert.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-idassert.conf,v 1.16.2.5 2008/04/15 00:05:16 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-ldapglue.conf
===================================================================
--- openldap/trunk/tests/data/slapd-ldapglue.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-ldapglue.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-ldapglue.conf,v 1.12.2.5 2008/04/15 00:05:16 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-ldapgluegroups.conf
===================================================================
--- openldap/trunk/tests/data/slapd-ldapgluegroups.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-ldapgluegroups.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-ldapgluegroups.conf,v 1.8.2.5 2008/02/12 01:10:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-ldapgluepeople.conf
===================================================================
--- openldap/trunk/tests/data/slapd-ldapgluepeople.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-ldapgluepeople.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-ldapgluepeople.conf,v 1.10.2.5 2008/02/12 01:10:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-limits.conf
===================================================================
--- openldap/trunk/tests/data/slapd-limits.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-limits.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-limits.conf,v 1.13.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-limits.conf,v 1.13.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-master.conf,v 1.33.2.4 2003/12/15 22:05
- :29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-master.conf,v 1.47.2.4 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-meta-target1.conf
===================================================================
--- openldap/trunk/tests/data/slapd-meta-target1.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-meta-target1.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-meta-target1.conf,v 1.1.2.1 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-meta-target1.conf,v 1.1.2.2 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-meta-target2.conf
===================================================================
--- openldap/trunk/tests/data/slapd-meta-target2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-meta-target2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-meta-target2.conf,v 1.1.2.1 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-meta-target2.conf,v 1.1.2.2 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-meta.conf
===================================================================
--- openldap/trunk/tests/data/slapd-meta.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-meta.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-meta.conf,v 1.12.2.3 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-meta.conf,v 1.12.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-nis-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-nis-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-nis-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing (needs updating)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-nis-master.conf,v 1.10.2.2 2003/12/15 2
- 2:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-nis-master.conf,v 1.20.2.4 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-passwd.conf
===================================================================
--- openldap/trunk/tests/data/slapd-passwd.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-passwd.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-passwd.conf,v 1.10.2.4 2003/12/15 22:05
- :29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-passwd.conf,v 1.21.2.3 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-ppolicy.conf
===================================================================
--- openldap/trunk/tests/data/slapd-ppolicy.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-ppolicy.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-ppolicy.conf,v 1.11.2.3 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-ppolicy.conf,v 1.11.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-proxycache.conf
===================================================================
--- openldap/trunk/tests/data/slapd-proxycache.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-proxycache.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # proxy cache slapd config 
-# $OpenLDAP: pkg/ldap/tests/data/slapd-proxycache.conf,v 1.6.2.4 2003/12/15 22
- :05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-proxycache.conf,v 1.24.2.6 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-pw.conf
===================================================================
--- openldap/trunk/tests/data/slapd-pw.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-pw.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.34.2.5 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-ref-slave.conf
===================================================================
--- openldap/trunk/tests/data/slapd-ref-slave.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-ref-slave.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for default referral testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-ref-slave.conf,v 1.25.2.4 2003/12/15 22
- :05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-ref-slave.conf,v 1.40.2.4 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-referrals.conf
===================================================================
--- openldap/trunk/tests/data/slapd-referrals.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-referrals.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # referral slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-referrals.conf,v 1.2.2.4 2003/12/15 22:
- 05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-referrals.conf,v 1.15.2.4 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-refint.conf
===================================================================
--- openldap/trunk/tests/data/slapd-refint.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-refint.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with refint overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-refint.conf,v 1.9.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-refint.conf,v 1.9.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-relay.conf
===================================================================
--- openldap/trunk/tests/data/slapd-relay.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-relay.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-relay.conf,v 1.13.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-relay.conf,v 1.13.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-repl-slave-remote.conf
===================================================================
--- openldap/trunk/tests/data/slapd-repl-slave-remote.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-repl-slave-remote.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # slave slapd config -- for testing of replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-repl-slave-remote.conf,v 1.2.2.4 2007/09/26 16:04:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-repl-slave-remote.conf,v 1.2.2.5 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-retcode.conf
===================================================================
--- openldap/trunk/tests/data/slapd-retcode.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-retcode.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $Header$
+# $OpenLDAP: pkg/ldap/tests/data/slapd-retcode.conf,v 1.4.2.4 2008/02/12 01:13:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-schema.conf
===================================================================
--- openldap/trunk/tests/data/slapd-schema.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-schema.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-schema.conf,v 1.20.2.4 2003/12/15 22:05
- :29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-schema.conf,v 1.35.2.5 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-sql-syncrepl-master.conf,v 1.6.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-sql-syncrepl-master.conf,v 1.6.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-sql.conf
===================================================================
--- openldap/trunk/tests/data/slapd-sql.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-sql.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-sql.conf,v 1.15.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-sql.conf,v 1.15.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-master.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-master.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-master.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-master.conf,v 1.1.2.4 2003/12/
- 15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-master.conf,v 1.17.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # slave slapd config -- for testing of SYNC replication with intermediate proxy
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-multiproxy.conf,v 1.2.2.3 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-multiproxy.conf,v 1.2.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # slave slapd config -- for testing of SYNC replication with intermediate proxy
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist-ldap.conf,v 1.5.2.4 2007/09/26 16:04:57 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist-ldap.conf,v 1.5.2.5 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist1.conf,v 1.4.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist1.conf,v 1.23.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,6 +1,5 @@
 # slave slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist2.conf,v 1.4.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist2.conf,v 1.15.2.2 2008/02/12 01:17:14 quanah Exp $
 
 include		@SCHEMADIR@/core.schema
 include		@SCHEMADIR@/cosine.schema

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist3.conf,v 1.4.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-persist3.conf,v 1.18.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-refresh1.conf,v 1.5.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-refresh1.conf,v 1.28.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf
===================================================================
--- openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # slave slapd config -- for testing of SYNC replication
-# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-refresh2.conf,v 1.5.2.4 
- 2003/12/15 22:05:29 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-syncrepl-slave-refresh2.conf,v 1.20.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-translucent-local.conf
===================================================================
--- openldap/trunk/tests/data/slapd-translucent-local.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-translucent-local.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with translucent overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-translucent-local.conf,v 1.9.2.3 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-translucent-local.conf,v 1.9.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-translucent-remote.conf
===================================================================
--- openldap/trunk/tests/data/slapd-translucent-remote.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-translucent-remote.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with translucent overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-translucent-remote.conf,v 1.6.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-translucent-remote.conf,v 1.6.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-unique.conf
===================================================================
--- openldap/trunk/tests/data/slapd-unique.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-unique.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with unique overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-unique.conf,v 1.11.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-unique.conf,v 1.11.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-valsort.conf
===================================================================
--- openldap/trunk/tests/data/slapd-valsort.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-valsort.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with unique overlay)
-# $OpenLDAP: pkg/ldap/tests/data/slapd-valsort.conf,v 1.3.2.4 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-valsort.conf,v 1.3.2.5 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd-whoami.conf
===================================================================
--- openldap/trunk/tests/data/slapd-whoami.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd-whoami.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
- kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd-whoami.conf,v 1.10.2.5 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd.conf
===================================================================
--- openldap/trunk/tests/data/slapd.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd.conf,v 1.39.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd.conf,v 1.39.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/slapd2.conf
===================================================================
--- openldap/trunk/tests/data/slapd2.conf	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/slapd2.conf	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,9 +1,8 @@
 # stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP: pkg/ldap/tests/data/slapd2.conf,v 1.2.2.3 2003/12/15 22:05:29 kur
- t Exp $
+# $OpenLDAP: pkg/ldap/tests/data/slapd2.conf,v 1.11.2.4 2008/02/12 01:17:14 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/data/test.schema
===================================================================
--- openldap/trunk/tests/data/test.schema	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/data/test.schema	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 # OpenLDAP Test schema
-# $OpenLDAP: pkg/ldap/tests/data/test.schema,v 1.9.2.3 2007/09/26 15:31:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/data/test.schema,v 1.9.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/Makefile.in
===================================================================
--- openldap/trunk/tests/progs/Makefile.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/Makefile.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 ## Makefile.in for test programs
-# $OpenLDAP: pkg/ldap/tests/progs/Makefile.in,v 1.22.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/progs/Makefile.in,v 1.22.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-addel.c
===================================================================
--- openldap/trunk/tests/progs/slapd-addel.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-addel.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-addel.c,v 1.41.2.4 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-addel.c,v 1.41.2.6 2008/04/14 21:43:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -278,7 +278,10 @@
 
 			if (( nl = strchr( line, '\r' )) || ( nl = strchr( line, '\n' )))
 				*nl = '\0';
-			entry = strdup( line );
+			nl = line;
+			if ( !strncasecmp( nl, "dn: ", 4 ))
+				nl += 4;
+			entry = strdup( nl );
 
 		}
 
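Review bot: The prefix test on the added lines matches only the exact form `dn: ` (one space), so a line written as `dn:` with no space, with several spaces, or as base64 `dn:: ` is copied into `entry` with its prefix still attached. If the input files can contain those forms, skip the attribute name and then any run of spaces, e.g. `if ( !strncasecmp( nl, "dn:", 3 )) { nl += 3; while ( *nl == ' ' ) nl++; }`, and handle `dn::` explicitly. Reusing `nl` (the newline pointer) as the start of the DN also obscures intent; a separate local would read better. The enclosing loop starts and ends outside the hunk, so whether the `strdup()` result is checked cannot be seen here.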

Modified: openldap/trunk/tests/progs/slapd-bind.c
===================================================================
--- openldap/trunk/tests/progs/slapd-bind.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-bind.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-bind.c,v 1.18.2.6 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-bind.c,v 1.18.2.7 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-common.c
===================================================================
--- openldap/trunk/tests/progs/slapd-common.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-common.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.c,v 1.4.2.5 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.c,v 1.4.2.6 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-common.h
===================================================================
--- openldap/trunk/tests/progs/slapd-common.h	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-common.h	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.h,v 1.2.2.4 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.h,v 1.2.2.5 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-modify.c
===================================================================
--- openldap/trunk/tests/progs/slapd-modify.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-modify.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-modify.c,v 1.19.2.4 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-modify.c,v 1.19.2.5 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-modrdn.c
===================================================================
--- openldap/trunk/tests/progs/slapd-modrdn.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-modrdn.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-modrdn.c,v 1.22.2.4 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-modrdn.c,v 1.22.2.5 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-read.c
===================================================================
--- openldap/trunk/tests/progs/slapd-read.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-read.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-read.c,v 1.37.2.5 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-read.c,v 1.37.2.6 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-search.c
===================================================================
--- openldap/trunk/tests/progs/slapd-search.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-search.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-search.c,v 1.41.2.6 2007/08/31 23:14:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-search.c,v 1.41.2.7 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/progs/slapd-tester.c
===================================================================
--- openldap/trunk/tests/progs/slapd-tester.c	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/progs/slapd-tester.c	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-tester.c,v 1.46.2.6 2007/10/17 01:09:02 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-tester.c,v 1.46.2.8 2008/02/11 23:26:50 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1999-2007 The OpenLDAP Foundation.
+ * Copyright 1999-2008 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -140,7 +140,7 @@
 	int		sextra_args = 0;
 	char		scmd[MAXPATHLEN];
 	/* static so that its address can be used in initializer below. */
-	static char	sloops[] = "18446744073709551615UL";
+	static char	sloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	/* read */
 	char		*rfile = NULL;
 	char		*rreqs[MAXREQS];
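Review bot: The `sloops` buffer here, and `rloops`, `aloops`, `nloops`, `mloops` and `bloops` in the following hunks, are no longer pre-filled with a maximum-width literal, so their capacity now rests entirely on `LDAP_PVT_INTTYPE_CHARS(unsigned long)` being large enough for whatever is later formatted into them. The code that writes to these arrays is outside the hunks, so it is worth confirming that each write is bounded by the array size, in the style of `snprintf( sloops, sizeof( sloops ), ... )`, and that no suffix such as the old `UL` is appended to the digits. A short comment on the first declaration, e.g. `/* sized for the decimal form of an unsigned long */`, would keep the intent that the old literal conveyed by example.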
@@ -150,14 +150,14 @@
 	int		ranum;
 	int		rextra_args = 0;
 	char		rcmd[MAXPATHLEN];
-	static char	rloops[] = "18446744073709551615UL";
+	static char	rloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	/* addel */
 	char		*afiles[MAXREQS];
 	int		anum = 0;
 	char		*aargs[MAXARGS];
 	int		aanum;
 	char		acmd[MAXPATHLEN];
-	static char	aloops[] = "18446744073709551615UL";
+	static char	aloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	/* modrdn */
 	char		*nfile = NULL;
 	char		*nreqs[MAXREQS];
@@ -165,7 +165,7 @@
 	char		*nargs[MAXARGS];
 	int		nanum;
 	char		ncmd[MAXPATHLEN];
-	static char	nloops[] = "18446744073709551615UL";
+	static char	nloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	/* modify */
 	char		*mfile = NULL;
 	char		*mreqs[MAXREQS];
@@ -174,7 +174,7 @@
 	char		*margs[MAXARGS];
 	int		manum;
 	char		mcmd[MAXPATHLEN];
-	static char	mloops[] = "18446744073709551615UL";
+	static char	mloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	/* bind */
 	char		*bfile = NULL;
 	char		*breqs[MAXREQS];
@@ -184,7 +184,7 @@
 	char		*bargs[MAXARGS];
 	int		banum;
 	char		bcmd[MAXPATHLEN];
-	static char	bloops[] = "18446744073709551615UL";
+	static char	bloops[LDAP_PVT_INTTYPE_CHARS(unsigned long)];
 	char		**bargs_extra = NULL;
 
 	char		*friendlyOpt = NULL;

Modified: openldap/trunk/tests/run.in
===================================================================
--- openldap/trunk/tests/run.in	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/run.in	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #!/bin/sh
-# $OpenLDAP: pkg/ldap/tests/run.in,v 1.47.2.5 2007/10/16 23:43:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/run.in,v 1.47.2.6 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/acfilter.sh
===================================================================
--- openldap/trunk/tests/scripts/acfilter.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/acfilter.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/acfilter.sh,v 1.11.2.2 2007/08/31 23:14:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/acfilter.sh,v 1.11.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/all
===================================================================
--- openldap/trunk/tests/scripts/all	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/all	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/all,v 1.26.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/all,v 1.26.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/conf.sh
===================================================================
--- openldap/trunk/tests/scripts/conf.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/conf.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/conf.sh,v 1.49.2.7 2007/11/27 20:21:56 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/conf.sh,v 1.49.2.8 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/defines.sh
===================================================================
--- openldap/trunk/tests/scripts/defines.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/defines.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/defines.sh,v 1.141.2.9 2007/11/20 19:11:27 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/defines.sh,v 1.141.2.12 2008/04/14 21:51:34 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -77,6 +77,7 @@
 # conf
 CONF=$DATADIR/slapd.conf
 CONFTWO=$DATADIR/slapd2.conf
+CONF2DB=$DATADIR/slapd-2db.conf
 MCONF=$DATADIR/slapd-master.conf
 COMPCONF=$DATADIR/slapd-component.conf
 PWCONF=$DATADIR/slapd-pw.conf
@@ -204,6 +205,7 @@
 
 # LDIF
 LDIF=$DATADIR/test.ldif
+LDIFADD1=$DATADIR/do_add.1
 LDIFGLUED=$DATADIR/test-glued.ldif
 LDIFORDERED=$DATADIR/test-ordered.ldif
 LDIFORDEREDCP=$DATADIR/test-ordered-cp.ldif

Modified: openldap/trunk/tests/scripts/its-all
===================================================================
--- openldap/trunk/tests/scripts/its-all	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/its-all	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/its-all,v 1.4.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/its-all,v 1.4.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/passwd-search
===================================================================
--- openldap/trunk/tests/scripts/passwd-search	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/passwd-search	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/passwd-search,v 1.12.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/passwd-search,v 1.12.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/relay
===================================================================
--- openldap/trunk/tests/scripts/relay	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/relay	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/relay,v 1.13.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/relay,v 1.13.2.5 2008/02/11 23:52:49 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -61,7 +61,7 @@
 BASEDN="dc=example,dc=com"
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
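Review bot: The `-S ''` added to this `$LDAPSEARCH` call has no comment explaining it, and the same flag is repeated in every search changed by the later hunks of this file (old lines 72, 83, 94, 233, 244, 261, 273, 285, 302, 318 and 334). With ldapsearch an empty `-S` argument sorts the returned entries by DN, presumably so that `$SEARCHOUT` compares stably against the expected output regardless of backend ordering. A comment before the first call, such as `# -S '': sort entries by DN so the output order is deterministic`, would record that for the next maintainer. The rest of the script is outside these hunks, so whether other `$LDAPSEARCH` calls in the file need the same flag cannot be checked from here.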
@@ -72,7 +72,7 @@
 BASEDN="o=Example,c=US"
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
@@ -83,7 +83,7 @@
 BASEDN="o=Esempio,c=IT"
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
@@ -94,7 +94,7 @@
 BASEDN="o=Beispiel,c=DE"
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
@@ -233,7 +233,7 @@
 
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
@@ -244,7 +244,7 @@
 BASEDN="o=Esempio,c=IT"
 echo "Searching base=\"$BASEDN\"..."
 echo "# searching base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" >> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
 	echo "Search failed ($RC)!"
@@ -261,7 +261,7 @@
 BASEDN="dc=example,dc=com"
 echo "	base=\"$BASEDN\"..."
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
@@ -273,7 +273,7 @@
 BASEDN="o=Example,c=US"
 echo "	base=\"$BASEDN\"..."
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
@@ -285,7 +285,7 @@
 BASEDN="o=Esempio,c=IT"
 echo "	base=\"$BASEDN\"..."
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" -M "$FILTER" '*' ref \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
@@ -302,7 +302,7 @@
 echo "# searching filter=\"$FILTER\"" >> $SEARCHOUT
 echo "# 	attrs=\"seeAlso\"" >> $SEARCHOUT
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" seeAlso \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" seeAlso \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
@@ -318,7 +318,7 @@
 echo "# searching filter=\"$FILTER\"" >> $SEARCHOUT
 echo "# 	attrs=\"uid\"" >> $SEARCHOUT
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" uid \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" uid \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
@@ -334,7 +334,7 @@
 echo "# searching filter=\"$FILTER\"" >> $SEARCHOUT
 echo "# 	attrs=\"member\"" >> $SEARCHOUT
 echo "# 	base=\"$BASEDN\"..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" member \
+$LDAPSEARCH -S '' -h $LOCALHOST -p $PORT1 -b "$BASEDN" "$FILTER" member \
 	>> $SEARCHOUT 2>&1
 RC=$?
 if test $RC != 0 ; then

Modified: openldap/trunk/tests/scripts/sql-all
===================================================================
--- openldap/trunk/tests/scripts/sql-all	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/sql-all	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/sql-all,v 1.5.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/sql-all,v 1.5.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/sql-test000-read
===================================================================
--- openldap/trunk/tests/scripts/sql-test000-read	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/sql-test000-read	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/sql-test000-read,v 1.11.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/sql-test000-read,v 1.11.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/sql-test001-concurrency
===================================================================
--- openldap/trunk/tests/scripts/sql-test001-concurrency	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/sql-test001-concurrency	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/sql-test001-concurrency,v 1.4.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/sql-test001-concurrency,v 1.4.2.4 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/sql-test900-write
===================================================================
--- openldap/trunk/tests/scripts/sql-test900-write	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/sql-test900-write	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/sql-test900-write,v 1.12.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/sql-test900-write,v 1.12.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/sql-test901-syncrepl
===================================================================
--- openldap/trunk/tests/scripts/sql-test901-syncrepl	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/sql-test901-syncrepl	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/sql-test901-syncrepl,v 1.4.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/sql-test901-syncrepl,v 1.4.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/start-server
===================================================================
--- openldap/trunk/tests/scripts/start-server	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/start-server	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/start-server,v 1.5.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/start-server,v 1.5.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/start-server-nolog
===================================================================
--- openldap/trunk/tests/scripts/start-server-nolog	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/start-server-nolog	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/start-server-nolog,v 1.5.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/start-server-nolog,v 1.5.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/start-server2
===================================================================
--- openldap/trunk/tests/scripts/start-server2	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/start-server2	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/start-server2,v 1.5.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/start-server2,v 1.5.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/start-server2-nolog
===================================================================
--- openldap/trunk/tests/scripts/start-server2-nolog	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/start-server2-nolog	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/start-server2-nolog,v 1.5.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/start-server2-nolog,v 1.5.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/startup_nis_ldap_server.sh
===================================================================
--- openldap/trunk/tests/scripts/startup_nis_ldap_server.sh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/startup_nis_ldap_server.sh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/startup_nis_ldap_server.sh,v 1.14.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/startup_nis_ldap_server.sh,v 1.14.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test000-rootdse
===================================================================
--- openldap/trunk/tests/scripts/test000-rootdse	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test000-rootdse	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test000-rootdse,v 1.29.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test000-rootdse,v 1.29.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test001-slapadd
===================================================================
--- openldap/trunk/tests/scripts/test001-slapadd	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test001-slapadd	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test001-slapadd,v 1.44.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test001-slapadd,v 1.44.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test002-populate
===================================================================
--- openldap/trunk/tests/scripts/test002-populate	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test002-populate	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test002-populate,v 1.41.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test002-populate,v 1.41.2.3 2008/02/11 23:26:50 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test003-search
===================================================================
--- openldap/trunk/tests/scripts/test003-search	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test003-search	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test003-search,v 1.61.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test003-search,v 1.61.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test004-modify
===================================================================
--- openldap/trunk/tests/scripts/test004-modify	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test004-modify	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test004-modify,v 1.60.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test004-modify,v 1.60.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test005-modrdn
===================================================================
--- openldap/trunk/tests/scripts/test005-modrdn	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test005-modrdn	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test005-modrdn,v 1.49.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test005-modrdn,v 1.49.2.6 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -16,11 +16,11 @@
 echo "running defines.sh"
 . $SRCDIR/scripts/defines.sh
 
-mkdir -p $TESTDIR $DBDIR1
+mkdir -p $TESTDIR $DBDIR1A $DBDIR1B
 
 echo "Running slapadd to build slapd database..."
-. $CONFFILTER $BACKEND $MONITORDB < $CONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+. $CONFFILTER $BACKEND $MONITORDB < $CONF2DB > $CONF1
+$SLAPADD -f $CONF1 -b "$BASEDN" -l $LDIFORDERED
 RC=$?
 if test $RC != 0 ; then
 	echo "slapadd failed ($RC)!"
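Review bot: The switch to `$CONF2DB` and the new `-b "$BASEDN"` on the slapadd line are unexplained, and without the reason a later cleanup could drop `-b` and break the load. A comment above the slapadd call would help, for example `# $CONF2DB configures two databases; -b picks the one that receives $LDIFORDERED`. That reading is inferred from the variable names and from `mkdir -p $TESTDIR $DBDIR1A $DBDIR1B`, so confirm it against the config template before adding the comment. The `if test $RC` block continues outside the hunk.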
@@ -221,9 +221,28 @@
 	exit -1
 fi
 
-echo "Testing modrdn with newSuperior as child of target "
+echo "Testing modrdn to another database (should fail with affectsMultipleDSAs)"
 $LDAPMODRDN -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
-	$TESTOUT 2>&1  -s 'cn=Sub1, ou=FooBar, cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com' \
+	$TESTOUT 2>&1 'cn=All Staff,ou=Groups,dc=example,dc=com' 'cn=Everyone'
+RC=$?
+case $RC in
+0)
+	echo "ldapmodrdn succeeded, should have failed!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit -1
+	;;
+71)
+	;;
+*)
+	echo "ldapmodrdn failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+	;;
+esac
+
+echo "Testing modrdn with newSuperior = target (should fail with unwillingToPerform)"
+$LDAPMODRDN -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1  -s 'cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com' \
 	'cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com' 'cn=James A Jones 1'
 
 RC=$?
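Review bot: The added `0)` arm ends with `exit -1`, which is not a portable status under this script's `#! /bin/sh`. POSIX defines `exit` only for an unsigned decimal argument, and some shells (dash, for one) reject a negative value with an error; `exit 1` states the intent. The context lines already use `exit -1`, so this follows the file's habit rather than starting it. The bare `71)` arm here and the `53)` arm in the following hunk would also be easier to audit with the result name next to the number, e.g. `71) # affectsMultipleDSAs: expected`. The `case` statement of the second test begins after the end of this hunk.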
@@ -233,8 +252,7 @@
 	test $KILLSERVERS != no && kill -HUP $KILLPIDS
 	exit -1
 	;;
-32)
-	echo "ldapmodrdn failed (noSuchObject)"
+53)
 	;;
 *)
 	echo "ldapmodrdn failed ($RC)!"
@@ -243,6 +261,36 @@
 	;;
 esac
 
+echo "Testing modrdn with newRdn exact same as target..."
+$LDAPMODRDN -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 'cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com' 'cn=James A Jones 1'
+
+RC=$?
+case $RC in
+0)
+	;;
+*)
+	echo "ldapmodrdn failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+	;;
+esac
+
+echo "Testing modrdn with newRdn same as target, changed case..."
+$LDAPMODRDN -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 'cn=James A Jones 1, ou=Alumni Association, ou=People, dc=example, dc=com' 'cn=James A JONES 1'
+
+RC=$?
+case $RC in
+0)
+	;;
+*)
+	echo "ldapmodrdn failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+	;;
+esac
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"
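Review bot: Both added tests treat exit status 0 as proof and never read the entry back, so the "changed case" rename passes equally well if the server accepts the request as a no-op and leaves the stored RDN value untouched. Nothing between the second `esac` and `echo ">>>>> Test succeeded"` inspects the result. Reading the entry back after each rename and comparing it with the expected value would pin the behaviour the echo lines describe. The two `case` blocks are identical and could be folded into one helper, though that is secondary.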

Modified: openldap/trunk/tests/scripts/test006-acls
===================================================================
--- openldap/trunk/tests/scripts/test006-acls	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test006-acls	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test006-acls,v 1.59.2.4 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test006-acls,v 1.59.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test008-concurrency
===================================================================
--- openldap/trunk/tests/scripts/test008-concurrency	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test008-concurrency	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test008-concurrency,v 1.40.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test008-concurrency,v 1.40.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test009-referral
===================================================================
--- openldap/trunk/tests/scripts/test009-referral	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test009-referral	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test009-referral,v 1.38.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test009-referral,v 1.38.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test010-passwd
===================================================================
--- openldap/trunk/tests/scripts/test010-passwd	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test010-passwd	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test010-passwd,v 1.26.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test010-passwd,v 1.26.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test011-glue-slapadd
===================================================================
--- openldap/trunk/tests/scripts/test011-glue-slapadd	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test011-glue-slapadd	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test011-glue-slapadd,v 1.11.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test011-glue-slapadd,v 1.11.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test012-glue-populate
===================================================================
--- openldap/trunk/tests/scripts/test012-glue-populate	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test012-glue-populate	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test012-glue-populate,v 1.9.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test012-glue-populate,v 1.9.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test013-language
===================================================================
--- openldap/trunk/tests/scripts/test013-language	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test013-language	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test013-language,v 1.16.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test013-language,v 1.16.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test014-whoami
===================================================================
--- openldap/trunk/tests/scripts/test014-whoami	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test014-whoami	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test014-whoami,v 1.23.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test014-whoami,v 1.23.2.4 2008/02/11 23:44:27 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -428,7 +428,7 @@
 
 BINDDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
 BINDPW=bjorn
-AUTHZID="dn:"
+AUTHZID="dn:cn=don't!"
 echo "Testing ldapwhoami as ${BINDDN} for ${AUTHZID} (no authzTo; should fail)..."
 $LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$BINDDN" -w $BINDPW \
 	-e \!authzid="$AUTHZID"
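Review bot: The new value `dn:cn=don't!` has no comment explaining why it replaced the empty `dn:`, so a later reader may take it for a typo and "fix" it. A line above the assignment such as `# arbitrary DN for which $BINDDN holds no authzTo permission` would record the intent. The apostrophe and `!` are safe inside double quotes in a non-interactive sh, and the later use as `"$AUTHZID"` is quoted. The check that the command fails lies outside the hunk, so it cannot be judged here whether it tells an authorization denial apart from any other error.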

Modified: openldap/trunk/tests/scripts/test015-xsearch
===================================================================
--- openldap/trunk/tests/scripts/test015-xsearch	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test015-xsearch	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test015-xsearch,v 1.23.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test015-xsearch,v 1.23.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test016-subref
===================================================================
--- openldap/trunk/tests/scripts/test016-subref	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test016-subref	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test016-subref,v 1.12.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test016-subref,v 1.12.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test017-syncreplication-refresh
===================================================================
--- openldap/trunk/tests/scripts/test017-syncreplication-refresh	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test017-syncreplication-refresh	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test017-syncreplication-refresh,v 1.33.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test017-syncreplication-refresh,v 1.33.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test018-syncreplication-persist
===================================================================
--- openldap/trunk/tests/scripts/test018-syncreplication-persist	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test018-syncreplication-persist	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test018-syncreplication-persist,v 1.38.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test018-syncreplication-persist,v 1.38.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test019-syncreplication-cascade
===================================================================
--- openldap/trunk/tests/scripts/test019-syncreplication-cascade	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test019-syncreplication-cascade	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test019-syncreplication-cascade,v 1.19.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test019-syncreplication-cascade,v 1.19.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test020-proxycache
===================================================================
--- openldap/trunk/tests/scripts/test020-proxycache	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test020-proxycache	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test020-proxycache,v 1.26.2.8 2007/11/29 12:46:24 hyc Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test020-proxycache,v 1.26.2.9 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test021-certificate
===================================================================
--- openldap/trunk/tests/scripts/test021-certificate	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test021-certificate	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test021-certificate,v 1.19.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test021-certificate,v 1.19.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test022-ppolicy
===================================================================
--- openldap/trunk/tests/scripts/test022-ppolicy	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test022-ppolicy	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test022-ppolicy,v 1.17.2.4 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test022-ppolicy,v 1.17.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test023-refint
===================================================================
--- openldap/trunk/tests/scripts/test023-refint	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test023-refint	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test023-refint,v 1.10.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test023-refint,v 1.10.2.5 2008/04/14 19:58:09 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -158,6 +158,7 @@
 	$TESTOUT 2>&1 << ETEST
 dn: uid=special,ou=users,o=refint
 objectClass: inetOrgPerson
+objectClass: extensibleObject
 uid: special
 sn: special
 cn: special
@@ -171,6 +172,13 @@
 member: uid=alice,ou=users,o=refint
 ETEST
 
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
 echo "Testing delete when referential attribute is a MUST..."
 $LDAPMODIFY -v -D "$REFINTDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
 	$TESTOUT 2>&1 << EDEL
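Review bot: The added failure branch prints only the exit code, while ldapadd's own diagnostics went into `$TESTOUT` through the `$TESTOUT 2>&1 << ETEST` redirection shown in the previous hunk. Someone reading a failed run therefore sees a number and nothing else. Pointing at the file, `echo "ldapadd failed ($RC)! See $TESTOUT"`, would make the failure actionable without changing the control flow. The ldapadd command line itself starts before this hunk.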

Modified: openldap/trunk/tests/scripts/test024-unique
===================================================================
--- openldap/trunk/tests/scripts/test024-unique	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test024-unique	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test024-unique,v 1.8.2.3 2007/11/28 22:34:19 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test024-unique,v 1.8.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -36,8 +36,8 @@
 fi
 
 echo "Starting slapd on TCP/IP port $PORT1..."
-mkdir testrun/confdir
-$SLAPD -f $CONF1 -F testrun/confdir -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+mkdir $TESTDIR/confdir
+$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
 PID=$!
 if test $WAIT != 0 ; then
     echo PID $PID
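Review bot: `mkdir $TESTDIR/confdir` is unquoted and its status is ignored, so slapd is started either way. If the directory cannot be created, or already exists from an earlier run, `-F` then points at a missing or stale configuration directory. `mkdir "$TESTDIR/confdir" || exit 1` together with `-F "$TESTDIR/confdir"` closes that gap. The same unquoted `$TESTDIR/...` substitution recurs in the redirections and `diff` arguments of the remaining hunks of this file. The `if test $WAIT` block continues outside the hunk.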
@@ -114,8 +114,8 @@
 fi
 
 echo Dynamically retrieving initial configuration...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/initial-config.ldif
-cat <<EOF >testrun/initial-reference.ldif
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/initial-config.ldif
+cat <<EOF >$TESTDIR/initial-reference.ldif
 dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcUniqueConfig
@@ -125,7 +125,7 @@
 olcUniqueAttribute: displayName
 
 EOF
-diff testrun/initial-config.ldif testrun/initial-reference.ldif > /dev/null 2>&1
+diff $TESTDIR/initial-config.ldif $TESTDIR/initial-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Initial configuration is not reported correctly."
@@ -164,8 +164,8 @@
 fi
 
 echo Verifying initial configuration intact...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/initial-config-recheck.ldif
-diff testrun/initial-config-recheck.ldif testrun/initial-reference.ldif > /dev/null 2>&1
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/initial-config-recheck.ldif
+diff $TESTDIR/initial-config-recheck.ldif $TESTDIR/initial-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Initial configuration damaged by unsuccessful modifies."
@@ -188,8 +188,8 @@
 fi
 
 echo Verifying base removal...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/baseremoval-config.ldif
-cat >testrun/baseremoval-reference.ldif <<EOF
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/baseremoval-config.ldif
+cat >$TESTDIR/baseremoval-reference.ldif <<EOF
 dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcUniqueConfig
@@ -198,7 +198,7 @@
 olcUniqueAttribute: displayName
 
 EOF
-diff testrun/baseremoval-config.ldif testrun/baseremoval-reference.ldif > /dev/null 2>&1
+diff $TESTDIR/baseremoval-config.ldif $TESTDIR/baseremoval-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Configuration damaged by base removal"
@@ -305,8 +305,8 @@
 fi
 
 echo Dynamically retrieving second configuration...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/second-config.ldif
-cat >testrun/second-reference.ldif <<EOF
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/second-config.ldif
+cat >$TESTDIR/second-reference.ldif <<EOF
 dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcUniqueConfig
@@ -315,7 +315,7 @@
 olcUniqueURI: ldap:///?description?one
 
 EOF
-diff testrun/second-config.ldif testrun/second-reference.ldif > /dev/null 2>&1
+diff $TESTDIR/second-config.ldif $TESTDIR/second-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Second configuration is not reported correctly."
@@ -408,8 +408,8 @@
 fi
 
 echo Verifying second configuration intact...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/second-config-recheck.ldif
-diff testrun/second-config-recheck.ldif testrun/second-reference.ldif > /dev/null 2>&1
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/second-config-recheck.ldif
+diff $TESTDIR/second-config-recheck.ldif $TESTDIR/second-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Second configuration damaged by rejected modifies."
@@ -437,8 +437,8 @@
 fi
 
 echo Dynamically retrieving third configuration...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/third-config.ldif
-cat >testrun/third-reference.ldif <<EOF
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/third-config.ldif
+cat >$TESTDIR/third-reference.ldif <<EOF
 dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcUniqueConfig
@@ -447,7 +447,7 @@
 olcUniqueURI: ldap:///?sn?sub?(cn=e*)
 
 EOF
-diff testrun/third-config.ldif testrun/third-reference.ldif > /dev/null 2>&1
+diff $TESTDIR/third-config.ldif $TESTDIR/third-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Third configuration is not reported correctly."
@@ -508,8 +508,8 @@
 fi
 
 echo Dynamically retrieving fourth configuration...
-$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >testrun/fourth-config.ldif
-cat >testrun/fourth-reference.ldif <<EOF
+$LDAPSEARCH -S "" -b olcOverlay='{0}'unique,olcDatabase='{1}'$BACKEND,cn=config -D cn=config -y $CONFIGPWF -h $LOCALHOST -p $PORT1 -LLL | tr -d \\r >$TESTDIR/fourth-config.ldif
+cat >$TESTDIR/fourth-reference.ldif <<EOF
 dn: olcOverlay={0}unique,olcDatabase={1}$BACKEND,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcUniqueConfig
@@ -517,7 +517,7 @@
 olcUniqueURI: ignore ldap:///?objectClass,uid,cn,sn?sub
 
 EOF
-diff testrun/fourth-config.ldif testrun/fourth-reference.ldif > /dev/null 2>&1
+diff $TESTDIR/fourth-config.ldif $TESTDIR/fourth-reference.ldif > /dev/null 2>&1
 RC=$?
 if test $RC != 0 ; then
     echo "Fourth configuration is not reported correctly."

Modified: openldap/trunk/tests/scripts/test025-limits
===================================================================
--- openldap/trunk/tests/scripts/test025-limits	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test025-limits	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test025-limits,v 1.19.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test025-limits,v 1.19.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -496,6 +496,8 @@
 	;;
 esac
 
+case $BACKEND in bdb | hdb)
+
 echo "Testing higher than unchecked limit requested for unchecked limited ID..."
 $LDAPRSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 -w secret \
 	-D 'cn=Unchecked Limited User,ou=People,dc=example,dc=com' \
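Review bot: The `case $BACKEND in bdb | hdb)` opened here wraps the whole unchecked-limit section, which stays at column 0 and is only closed by the `;;`, `*)` and `esac` lines added in the following hunk (@@ -547,6 +549,9 @@), so a reader in the middle of the section cannot tell that it is conditional. A comment above the `case`, for example `# unchecked-limit tests run only with the bdb and hdb backends`, and a trailing `# end of unchecked-limit tests` on the closing `esac` would make the pairing visible. The diff does not say why other backends are skipped, so the author should confirm the wording and add the reason. The guarded section itself lies outside both hunks.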
@@ -547,6 +549,9 @@
 		exit $RC
 	;;
 esac
+;;
+*)	echo "Skipping test for unchecked limit with $BACKEND backend." ;;
+esac
 
 echo "Testing no limits requested for limited regex..."
 $LDAPRSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 -w secret \

Modified: openldap/trunk/tests/scripts/test026-dn
===================================================================
--- openldap/trunk/tests/scripts/test026-dn	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test026-dn	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@
 
 echo "Searching database..."
 echo "# Searching database..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 >> $SEARCHOUT 2>&1
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 >> $SEARCHOUT 2>&1
 
 RC=$?
 if test $RC != 0 ; then
@@ -67,7 +67,7 @@
 DN="OU=Sales+CN=J. Smith,DC=example,DC=net"
 echo "Searching database for DN=\"$DN\"..."
 echo "# Searching database for DN=\"$DN\"..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(member=$DN)" >> $SEARCHOUT 2>&1
 
 RC=$?
@@ -80,7 +80,7 @@
 DN="testUUID=597ae2f6-16a6-1027-98f4-ABCDEFabcdef,DC=Example"
 echo "Searching database for entryUUID-named DN=\"$DN\"..."
 echo "# Searching database for entryUUID-named DN=\"$DN\"..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(member=$DN)" \
 	>> $SEARCHOUT 2>&1
 
@@ -94,7 +94,7 @@
 DN="dc=example,dc=com"
 echo "Searching database for nameAndOptionalUID=\"$DN\"..."
 echo "# Searching database for nameAndOptionalUID=\"$DN\"..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(uniqueMember=$DN)" >> $SEARCHOUT 2>&1
 
 RC=$?
@@ -107,7 +107,7 @@
 DN="dc=example,dc=com#'001000'B"
 echo "Searching database for nameAndOptionalUID=\"$DN\"..."
 echo "# Searching database for nameAndOptionalUID=\"$DN\"..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(uniqueMember=$DN)" >> $SEARCHOUT 2>&1
 
 RC=$?
@@ -120,7 +120,7 @@
 DN="dc=example,dc=com"
 echo "Searching database for uniqueMember~=\"$DN\" (approx)..."
 echo "# Searching database for uniqueMember~=\"$DN\" (approx)..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(uniqueMember~=)" >> $SEARCHOUT 2>&1
 
 RC=$?
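Review bot: The filter on the continuation line is `"(uniqueMember~=)"`, with no assertion value, although the two `echo` lines above announce a search for `uniqueMember~="$DN"` and the parallel search in the next hunk uses `"(uniqueMember~=$DN)"`. If the empty value is deliberate, a comment such as `# empty assertion value is intentional` would keep it from being "corrected" later; if it is not, the filter should read `"(uniqueMember~=$DN)"` and the expected output would need regenerating. The filter line is context that this commit leaves untouched, so the reference data may already depend on the current behaviour.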
@@ -133,7 +133,7 @@
 DN="dc=example,dc=com#'001000'B"
 echo "Searching database for uniqueMember~=\"$DN\" (approx)..."
 echo "# Searching database for uniqueMember~=\"$DN\" (approx)..." >> $SEARCHOUT
-$LDAPSEARCH -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	"(uniqueMember~=$DN)" >> $SEARCHOUT 2>&1
 
 RC=$?

Modified: openldap/trunk/tests/scripts/test027-emptydn
===================================================================
--- openldap/trunk/tests/scripts/test027-emptydn	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test027-emptydn	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -66,7 +66,7 @@
 
 echo "Searching database..."
 
-$LDAPSEARCH -b "" -h $LOCALHOST -p $PORT1 > $SEARCHOUT 2>&1
+$LDAPSEARCH -S "" -b "" -h $LOCALHOST -p $PORT1 > $SEARCHOUT 2>&1
 
 RC=$?
 if test $RC != 0 ; then
@@ -143,7 +143,7 @@
 
 echo "Searching database..."
 
-$LDAPSEARCH -b "" -h $LOCALHOST -p $PORT1 > $SEARCHOUT 2>&1
+$LDAPSEARCH -S "" -b "" -h $LOCALHOST -p $PORT1 > $SEARCHOUT 2>&1
 
 RC=$?
 if test $RC != 0 ; then

Modified: openldap/trunk/tests/scripts/test028-idassert
===================================================================
--- openldap/trunk/tests/scripts/test028-idassert	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test028-idassert	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test028-idassert,v 1.12.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test028-idassert,v 1.12.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test029-ldapglue
===================================================================
--- openldap/trunk/tests/scripts/test029-ldapglue	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test029-ldapglue	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test029-ldapglue,v 1.8.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test029-ldapglue,v 1.8.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test030-relay
===================================================================
--- openldap/trunk/tests/scripts/test030-relay	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test030-relay	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test030-relay,v 1.21.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test030-relay,v 1.21.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test031-component-filter
===================================================================
--- openldap/trunk/tests/scripts/test031-component-filter	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test031-component-filter	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test031-component-filter,v 1.17.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test031-component-filter,v 1.17.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test032-chain
===================================================================
--- openldap/trunk/tests/scripts/test032-chain	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test032-chain	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test032-chain,v 1.11.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test032-chain,v 1.11.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test033-glue-syncrepl
===================================================================
--- openldap/trunk/tests/scripts/test033-glue-syncrepl	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test033-glue-syncrepl	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test034-translucent
===================================================================
--- openldap/trunk/tests/scripts/test034-translucent	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test034-translucent	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test034-translucent,v 1.8.2.4 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test034-translucent,v 1.8.2.6 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -723,6 +723,76 @@
 	exit 1
 fi
 
+echo "Testing search: unconfigured local filter..."
+$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consultant)" > $SEARCHOUT 2>&1
+
+ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
+if test -n "$ATTR" ; then
+	echo "got result $ATTR, should have been no result"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Dynamically configuring local slapd with translucent_local..."
+
+$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF
+dn: olcOverlay={0}translucent,olcDatabase={$DBIX}$BACKEND,cn=config
+changetype: modify
+add: olcTranslucentLocal
+olcTranslucentLocal: employeeType
+EOF
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify of dynamic config failed ($RC)"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+echo "Testing search: configured local filter..."
+$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consultant)" > $SEARCHOUT 2>&1
+
+ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
+if test -z "$ATTR" ; then
+	echo "got no result, should have found entry"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Testing search: unconfigured remote filter..."
+$LDAPSEARCH -H $URI2 -b "o=translucent" "(|(employeeType=foo)(carlicense=right))" > $SEARCHOUT 2>&1
+
+ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
+if test -n "$ATTR" ; then
+	echo "got result $ATTR, should have been no result"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Dynamically configuring local slapd with translucent_remote..."
+
+$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF
+dn: olcOverlay={0}translucent,olcDatabase={$DBIX}$BACKEND,cn=config
+changetype: modify
+add: olcTranslucentRemote
+olcTranslucentRemote: carLicense
+EOF
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify of dynamic config failed ($RC)"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+echo "Testing search: configured remote filter..."
+$LDAPSEARCH -H $URI2 -b "o=translucent" "(|(employeeType=foo)(carlicense=right))" > $SEARCHOUT 2>&1
+
+ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
+if test -z "$ATTR" ; then
+	echo "got no result, should have found entry"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"
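Review bot: Neither "should have been no result" case (unconfigured local filter, unconfigured remote filter) checks the exit status of `$LDAPSEARCH`, so a search that fails outright leaves no `dn:` line in `$SEARCHOUT` and the negative check passes without having exercised the overlay. Capturing `RC=$?` right after each search and failing on a non-zero value, as the `$LDAPMODIFY` steps in the same block already do, closes that gap; if a specific non-zero code is the expected outcome here, compare against that code instead. The `> $NOWHERE 2>&1` that follows each `ATTR=` assignment applies to the assignment rather than to the `grep` inside the backquotes, so it has no effect and can be dropped.

```shell
$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consultant)" > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
# … unchanged: ATTR=`grep dn: $SEARCHOUT` check; repeat the same guard after the remote-filter search …
```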

Modified: openldap/trunk/tests/scripts/test035-meta
===================================================================
--- openldap/trunk/tests/scripts/test035-meta	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test035-meta	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test035-meta,v 1.14.2.3 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test035-meta,v 1.14.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test036-meta-concurrency
===================================================================
--- openldap/trunk/tests/scripts/test036-meta-concurrency	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test036-meta-concurrency	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test036-meta-concurrency,v 1.17.2.4 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test036-meta-concurrency,v 1.17.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test037-manage
===================================================================
--- openldap/trunk/tests/scripts/test037-manage	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test037-manage	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test037-manage,v 1.12.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test037-manage,v 1.12.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -16,6 +16,11 @@
 echo "running defines.sh"
 . $SRCDIR/scripts/defines.sh
 
+if test $BACKEND = "ldif" ; then 
+	echo "LDIF backend does not support manageDIT control, test skipped"
+	exit 0
+fi 
+
 mkdir -p $TESTDIR $DBDIR1
 
 echo "Running slapadd to build slapd database..."
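Review bot: `$BACKEND` is expanded unquoted in `if test $BACKEND = "ldif" ; then`, so if defines.sh ever leaves it empty the `test` call becomes a syntax error, the condition is false, and the test runs instead of being skipped. `if test "$BACKEND" = "ldif" ; then` compares cleanly in that case. The same applies to `if test $RWM = rwmno ; then`, which this commit adds to test047-ldap. Both added blocks also carry trailing whitespace after `then` and `fi`.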

Modified: openldap/trunk/tests/scripts/test038-retcode
===================================================================
--- openldap/trunk/tests/scripts/test038-retcode	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test038-retcode	2008-05-25 14:29:31 UTC (rev 1128)
@@ -2,7 +2,7 @@
 # $Header$
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test039-glue-ldap-concurrency
===================================================================
--- openldap/trunk/tests/scripts/test039-glue-ldap-concurrency	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test039-glue-ldap-concurrency	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test039-glue-ldap-concurrency,v 1.10.2.3 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test039-glue-ldap-concurrency,v 1.10.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test040-subtree-rename
===================================================================
--- openldap/trunk/tests/scripts/test040-subtree-rename	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test040-subtree-rename	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test040-subtree-rename,v 1.4.2.2 2007/08/31 23:14:09 quanah Exp $ */
+# $OpenLDAP: pkg/ldap/tests/scripts/test040-subtree-rename,v 1.4.2.3 2008/02/11 23:26:51 kurt Exp $ */
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test041-aci
===================================================================
--- openldap/trunk/tests/scripts/test041-aci	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test041-aci	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test041-aci,v 1.9.2.3 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test041-aci,v 1.9.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test042-valsort
===================================================================
--- openldap/trunk/tests/scripts/test042-valsort	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test042-valsort	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test042-valsort,v 1.4.2.4 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test042-valsort,v 1.4.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2004-2007 The OpenLDAP Foundation.
+## Copyright 2004-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test043-delta-syncrepl
===================================================================
--- openldap/trunk/tests/scripts/test043-delta-syncrepl	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test043-delta-syncrepl	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test043-delta-syncrepl,v 1.4.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test043-delta-syncrepl,v 1.4.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test044-dynlist
===================================================================
--- openldap/trunk/tests/scripts/test044-dynlist	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test044-dynlist	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -316,7 +316,7 @@
 	exit $RC
 fi
 
-CMPDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN"
+CMPDN="$BJORNSDN"
 echo "Testing list compare..."
 echo "# Testing list compare..." >> $SEARCHOUT
 $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
@@ -451,6 +451,42 @@
 	exit $RC
 fi
 
+echo "Testing dgAuthz..."
+
+CMPDN="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,$BASEDN"
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD \
+	> $TESTOUT 2>&1 << EOMODS
+dn: cn=Dynamic List of Members,$LISTDN
+changetype: modify
+add: dgAuthz
+dgAuthz: dn:$BABSDN
+EOMODS
+
+echo "Testing list search with dgIdentity and dgAuthz anonymously..."
+echo "# Testing list search with dgIdentity and dgAuthz anonymously..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -b "$LISTDN" -h $LOCALHOST -p $PORT1 \
+	'(cn=Dynamic List of Members)' '*' \
+	>> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing list search with dgIdentity and dgAuthz as the authorized identity..."
+echo "# Testing list search with dgIdentity and dgAuthz as the authorized identity..." >> $SEARCHOUT
+$LDAPSEARCH -S "" -b "$LISTDN" -h $LOCALHOST -p $PORT1 \
+	-D "$BABSDN" -w bjensen \
+	'(cn=Dynamic List of Members)' '*' \
+	>> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 LDIF=$DYNLISTOUT
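Review bot: The `$LDAPMODIFY` that adds `dgAuthz` is the only command in this added block whose exit status is not checked. If the modify is rejected, both searches still run against a list that carries no authorization restriction, and the script fails, if at all, only at a later comparison outside the hunk. Because the block exists to test an access restriction, a failed setup step should stop the test at once with its own message. `CMPDN` is also reassigned at the top of the block but is not read within the added lines; it may be used further down, outside the hunk.

```shell
dgAuthz: dn:$BABSDN
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi
# … unchanged: the two ldapsearch checks …
```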

Modified: openldap/trunk/tests/scripts/test045-syncreplication-proxied
===================================================================
--- openldap/trunk/tests/scripts/test045-syncreplication-proxied	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test045-syncreplication-proxied	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test045-syncreplication-proxied,v 1.14.2.5 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test045-syncreplication-proxied,v 1.14.2.6 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test046-dds
===================================================================
--- openldap/trunk/tests/scripts/test046-dds	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test046-dds	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test046-dds,v 1.4.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test046-dds,v 1.4.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2007 The OpenLDAP Foundation.
+## Copyright 2005-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test047-ldap
===================================================================
--- openldap/trunk/tests/scripts/test047-ldap	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test047-ldap	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test047-ldap,v 1.1.2.3 2007/10/18 00:20:07 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test047-ldap,v 1.1.2.5 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -23,6 +23,11 @@
 	exit 0
 fi
 
+if test $RWM = rwmno ; then 
+	echo "rwm (rewrite/remap) overlay not available, test skipped"
+	exit 0
+fi 
+
 rm -rf $TESTDIR
 
 mkdir -p $TESTDIR $DBDIR1 $DBDIR2

Modified: openldap/trunk/tests/scripts/test048-syncrepl-multiproxy
===================================================================
--- openldap/trunk/tests/scripts/test048-syncrepl-multiproxy	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test048-syncrepl-multiproxy	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test048-syncrepl-multiproxy,v 1.1.2.5 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test048-syncrepl-multiproxy,v 1.1.2.6 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test049-sync-config
===================================================================
--- openldap/trunk/tests/scripts/test049-sync-config	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test049-sync-config	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test049-sync-config,v 1.4.2.3 2007/09/02 00:02:15 hyc Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test049-sync-config,v 1.4.2.4 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test050-syncrepl-multimaster
===================================================================
--- openldap/trunk/tests/scripts/test050-syncrepl-multimaster	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test050-syncrepl-multimaster	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test050-syncrepl-multimaster,v 1.3.2.4 2007/11/20 19:11:27 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test050-syncrepl-multimaster,v 1.3.2.8 2008/05/05 21:42:54 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -157,13 +157,13 @@
 add: olcSyncRepl
 olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE
@@ -213,13 +213,13 @@
 add: olcSyncRepl
 olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE
@@ -263,13 +263,13 @@
 add: olcSyncRepl
 olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
   credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
-  retry="5 5 300 5" timeout=1
+  retry="5 5 300 5" timeout=3
 -
 add: olcMirrorMode
 olcMirrorMode: TRUE
@@ -321,13 +321,13 @@
 olcRootPW: $PASSWD
 olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
   credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
-  interval=00:00:00:10 retry="5 5 300 5" timeout=1
+  interval=00:00:00:10 retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
   credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
-  interval=00:00:00:10 retry="5 5 300 5" timeout=1
+  interval=00:00:00:10 retry="5 5 300 5" timeout=3
 olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
   credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
-  interval=00:00:00:10 retry="5 5 300 5" timeout=1
+  interval=00:00:00:10 retry="5 5 300 5" timeout=3
 olcMirrorMode: TRUE
 
 dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
@@ -348,7 +348,7 @@
 	>> $TESTOUT 2>&1
 RC=$?
 if test $RC != 0 ; then
-	echo "ldapadd failed for database config ($RC)!"
+	echo "ldapadd failed for producer database ($RC)!"
 	test $KILLSERVERS != no && kill -HUP $KILLPIDS
 	exit $RC
 fi
@@ -357,6 +357,20 @@
 echo "Waiting $SLEEP seconds for syncrepl to receive changes..."
 sleep $SLEEP
 
+echo "Using ldapadd to populate consumer..."
+$LDAPADD -D "$MANAGERDN" -H $URI2 -w $PASSWD -f $LDIFADD1 \
+	>> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed for consumer database ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+SLEEP=20
+echo "Waiting $SLEEP seconds for syncrepl to receive changes..."
+sleep $SLEEP
+
 echo "Using ldapsearch to check that syncrepl received database changes..."
 RC=32
 for i in 0 1 2 3 4 5; do
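Review bot: The added ldapadd call against the consumer leaves `$URI2`, `$PASSWD` and `$LDIFADD1` unquoted, so an empty or space-containing value would shift the remaining options; `$LDAPADD -D "$MANAGERDN" -H "$URI2" -w "$PASSWD" -f "$LDIFADD1" \` avoids that. Passing the bind password with `-w` also places it in the process arguments while the command runs, which is acceptable for a fixed test password but worth a comment; `-y` with a password file keeps it off the command line if the value is ever overridden with a real credential. In the new failure branch `test $KILLSERVERS != no` fails with a syntax error when the variable is empty, and `test "$KILLSERVERS" != no` does not. The hard-coded `SLEEP=20` replaces whatever value was set earlier in the script, presumably on purpose, so a short comment saying why would help. The for loop that closes the hunk continues outside it.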

Modified: openldap/trunk/tests/scripts/test051-config-undo
===================================================================
--- openldap/trunk/tests/scripts/test051-config-undo	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test051-config-undo	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test051-config-undo,v 1.2.2.2 2007/08/31 23:14:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test051-config-undo,v 1.2.2.3 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2006 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/tests/scripts/test052-memberof
===================================================================
--- openldap/trunk/tests/scripts/test052-memberof	2008-05-25 14:24:14 UTC (rev 1127)
+++ openldap/trunk/tests/scripts/test052-memberof	2008-05-25 14:29:31 UTC (rev 1128)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test052-memberof,v 1.4.2.1 2007/10/16 23:43:09 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test052-memberof,v 1.4.2.2 2008/02/11 23:26:51 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2007 The OpenLDAP Foundation.
+## Copyright 1998-2008 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without



