[Pkg-openldap-devel] r1246 - in openldap/vendor/openldap-release: . build clients/tools contrib/ldapc++/src contrib/slapd-modules/autogroup contrib/slapd-modules/nssov contrib/slapd-modules/nssov/nss-ldapd/nss contrib/slapd-modules/smbk5pwd doc/guide doc/guide/admin doc/guide/images/src doc/man/man3 doc/man/man5 doc/man/man8 include include/ac libraries/liblber libraries/libldap libraries/liblutil servers/slapd servers/slapd/back-bdb servers/slapd/back-ldap servers/slapd/back-ldif servers/slapd/back-monitor servers/slapd/back-null servers/slapd/back-relay servers/slapd/back-sql servers/slapd/overlays servers/slapd/schema tests/data tests/data/regressions/its4448 tests/progs tests/scripts

matthijs at alioth.debian.org matthijs at alioth.debian.org
Sat Apr 10 16:14:29 UTC 2010


Author: matthijs
Date: 2010-04-10 16:14:23 +0000 (Sat, 10 Apr 2010)
New Revision: 1246

Removed:
   openldap/vendor/openldap-release/servers/slapd/schema/nadf.schema
Modified:
   openldap/vendor/openldap-release/CHANGES
   openldap/vendor/openldap-release/README
   openldap/vendor/openldap-release/build/version.var
   openldap/vendor/openldap-release/clients/tools/common.c
   openldap/vendor/openldap-release/configure
   openldap/vendor/openldap-release/configure.in
   openldap/vendor/openldap-release/contrib/ldapc++/src/LdifReader.cpp
   openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/Makefile
   openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/autogroup.c
   openldap/vendor/openldap-release/contrib/slapd-modules/nssov/ldapns.schema
   openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c
   openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nssov.h
   openldap/vendor/openldap-release/contrib/slapd-modules/nssov/pam.c
   openldap/vendor/openldap-release/contrib/slapd-modules/smbk5pwd/Makefile
   openldap/vendor/openldap-release/doc/guide/admin/allusersgroup-en.png
   openldap/vendor/openldap-release/doc/guide/admin/appendix-ldap-result-codes.sdf
   openldap/vendor/openldap-release/doc/guide/admin/guide.html
   openldap/vendor/openldap-release/doc/guide/admin/overlays.sdf
   openldap/vendor/openldap-release/doc/guide/admin/set-recursivegroup.png
   openldap/vendor/openldap-release/doc/guide/images/src/allusersgroup-en.svg
   openldap/vendor/openldap-release/doc/guide/images/src/set-recursivegroup.svg
   openldap/vendor/openldap-release/doc/guide/preamble.sdf
   openldap/vendor/openldap-release/doc/man/man3/ldap_get_dn.3
   openldap/vendor/openldap-release/doc/man/man3/ldap_result.3
   openldap/vendor/openldap-release/doc/man/man5/ldap.conf.5
   openldap/vendor/openldap-release/doc/man/man5/slapd-config.5
   openldap/vendor/openldap-release/doc/man/man5/slapd-meta.5
   openldap/vendor/openldap-release/doc/man/man5/slapd.conf.5
   openldap/vendor/openldap-release/doc/man/man5/slapo-ppolicy.5
   openldap/vendor/openldap-release/doc/man/man8/slapcat.8
   openldap/vendor/openldap-release/doc/man/man8/slaptest.8
   openldap/vendor/openldap-release/include/ac/param.h
   openldap/vendor/openldap-release/include/ac/socket.h
   openldap/vendor/openldap-release/include/ac/string.h
   openldap/vendor/openldap-release/include/lber.h
   openldap/vendor/openldap-release/include/lber_pvt.h
   openldap/vendor/openldap-release/include/ldap_log.h
   openldap/vendor/openldap-release/include/ldap_pvt.h
   openldap/vendor/openldap-release/include/lutil.h
   openldap/vendor/openldap-release/libraries/liblber/decode.c
   openldap/vendor/openldap-release/libraries/liblber/encode.c
   openldap/vendor/openldap-release/libraries/liblber/lber-int.h
   openldap/vendor/openldap-release/libraries/libldap/getdn.c
   openldap/vendor/openldap-release/libraries/libldap/init.c
   openldap/vendor/openldap-release/libraries/libldap/ldap-tls.h
   openldap/vendor/openldap-release/libraries/libldap/open.c
   openldap/vendor/openldap-release/libraries/libldap/result.c
   openldap/vendor/openldap-release/libraries/libldap/sasl.c
   openldap/vendor/openldap-release/libraries/libldap/tls2.c
   openldap/vendor/openldap-release/libraries/libldap/tls_g.c
   openldap/vendor/openldap-release/libraries/libldap/tls_m.c
   openldap/vendor/openldap-release/libraries/libldap/tls_o.c
   openldap/vendor/openldap-release/libraries/liblutil/tavl.c
   openldap/vendor/openldap-release/libraries/liblutil/utils.c
   openldap/vendor/openldap-release/servers/slapd/acl.c
   openldap/vendor/openldap-release/servers/slapd/alock.c
   openldap/vendor/openldap-release/servers/slapd/back-bdb/cache.c
   openldap/vendor/openldap-release/servers/slapd/back-bdb/idl.c
   openldap/vendor/openldap-release/servers/slapd/back-bdb/monitor.c
   openldap/vendor/openldap-release/servers/slapd/back-ldap/bind.c
   openldap/vendor/openldap-release/servers/slapd/back-ldap/config.c
   openldap/vendor/openldap-release/servers/slapd/back-ldap/extended.c
   openldap/vendor/openldap-release/servers/slapd/back-ldap/search.c
   openldap/vendor/openldap-release/servers/slapd/back-ldif/ldif.c
   openldap/vendor/openldap-release/servers/slapd/back-monitor/init.c
   openldap/vendor/openldap-release/servers/slapd/back-null/null.c
   openldap/vendor/openldap-release/servers/slapd/back-relay/back-relay.h
   openldap/vendor/openldap-release/servers/slapd/back-relay/op.c
   openldap/vendor/openldap-release/servers/slapd/back-relay/proto-back-relay.h
   openldap/vendor/openldap-release/servers/slapd/back-sql/init.c
   openldap/vendor/openldap-release/servers/slapd/backend.c
   openldap/vendor/openldap-release/servers/slapd/bconfig.c
   openldap/vendor/openldap-release/servers/slapd/config.c
   openldap/vendor/openldap-release/servers/slapd/connection.c
   openldap/vendor/openldap-release/servers/slapd/ctxcsn.c
   openldap/vendor/openldap-release/servers/slapd/daemon.c
   openldap/vendor/openldap-release/servers/slapd/dn.c
   openldap/vendor/openldap-release/servers/slapd/filterentry.c
   openldap/vendor/openldap-release/servers/slapd/main.c
   openldap/vendor/openldap-release/servers/slapd/oc.c
   openldap/vendor/openldap-release/servers/slapd/overlays/accesslog.c
   openldap/vendor/openldap-release/servers/slapd/overlays/auditlog.c
   openldap/vendor/openldap-release/servers/slapd/overlays/dds.c
   openldap/vendor/openldap-release/servers/slapd/overlays/dynlist.c
   openldap/vendor/openldap-release/servers/slapd/overlays/memberof.c
   openldap/vendor/openldap-release/servers/slapd/overlays/pcache.c
   openldap/vendor/openldap-release/servers/slapd/overlays/retcode.c
   openldap/vendor/openldap-release/servers/slapd/overlays/sssvlv.c
   openldap/vendor/openldap-release/servers/slapd/overlays/syncprov.c
   openldap/vendor/openldap-release/servers/slapd/overlays/translucent.c
   openldap/vendor/openldap-release/servers/slapd/overlays/unique.c
   openldap/vendor/openldap-release/servers/slapd/proto-slap.h
   openldap/vendor/openldap-release/servers/slapd/result.c
   openldap/vendor/openldap-release/servers/slapd/sasl.c
   openldap/vendor/openldap-release/servers/slapd/schema_init.c
   openldap/vendor/openldap-release/servers/slapd/search.c
   openldap/vendor/openldap-release/servers/slapd/sl_malloc.c
   openldap/vendor/openldap-release/servers/slapd/slap.h
   openldap/vendor/openldap-release/servers/slapd/slapadd.c
   openldap/vendor/openldap-release/servers/slapd/slapcommon.c
   openldap/vendor/openldap-release/servers/slapd/syncrepl.c
   openldap/vendor/openldap-release/tests/data/monitor1.out
   openldap/vendor/openldap-release/tests/data/regressions/its4448/its4448
   openldap/vendor/openldap-release/tests/data/regressions/its4448/slapd-meta.conf
   openldap/vendor/openldap-release/tests/progs/slapd-common.c
   openldap/vendor/openldap-release/tests/scripts/defines.sh
   openldap/vendor/openldap-release/tests/scripts/test017-syncreplication-refresh
   openldap/vendor/openldap-release/tests/scripts/test050-syncrepl-multimaster
   openldap/vendor/openldap-release/tests/scripts/test057-memberof-refint
   openldap/vendor/openldap-release/tests/scripts/test058-syncrepl-asymmetric
Log:
Load openldap-2.4.21 into openldap-release.

Modified: openldap/vendor/openldap-release/CHANGES
===================================================================
--- openldap/vendor/openldap-release/CHANGES	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/CHANGES	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,102 @@
 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.21 Release (2009/12/20)
+	Fixed liblutil for negative microsecond offsets (ITS#6405)
+	Fixed slapd global settings to work without restart (ITS#6428)
+	Fixed slapd looping with SSL/TLS connections (ITS#6412)
+	Fixed slapd syncrepl freeing tasks from queue (ITS#6413)
+	Fixed slapd syncrepl parsing of tls defaults (ITS#6419)
+	Fixed slapd syncrepl uninitialized variables (ITS#6425)
+	Fixed slapd-config Adds with Abstract classes (ITS#6408)
+	Fixed slapo-dynlist behavior with simple filters (ITS#6421)
+	Fixed slapd-ldif access outside database directory (ITS#6414)
+	Fixed slapd-null extraneous assert (ITS#6403)
+	Fixed slapo-translucent with back-null (ITS#6403)
+	Fixed slapo-unique criteria checking (ITS#6270)
+	Build Environment
+		Deleted broken LBER_INVALID macro (ITS#6402)
+		Fixed test058 kill usage (ITS#6420)
+		Fixed meta regression test (ITS#6418)
+	Documentation
+		slapd-meta(5) Note deprecated functions (ITS#6424)
+		admin24 fix set example for group of groups (ITS#6382)
+		admin24 fix dynamic group documentation (ITS#6290)
+
+OpenLDAP 2.4.20 Release (2009/11/27)
+	Fixed client tools with LDAP options (ITS#6283)
+	Fixed liblber embedded NUL values in BerValues (ITS#6353)
+	Fixed liblber inverted LBER_USE_DER test (ITS#6348)
+	Fixed liblber to return failure on certain failures (ITS#6344)
+	Fixed libldap connection initialization (ITS#6386)
+	Fixed libldap sasl buffer sizing (ITS#6327,ITS#6334)
+	Fixed libldap uninitialized return value (ITS#6355)
+	Fixed libldap unlimited timeout (ITS#6388)
+	Added slapd handling of hex server IDs (ITS#6297)
+	Added slapd syncrepl contextCSN storing in subentry (ITS#6373)
+	Fixed slapd asserts in minimal environment (ITS#6361)
+	Fixed slapd authid-rewrite parsing (ITS#6392) 
+	Fixed slapd checks of str2filter (ITS#6391)
+	Fixed slapd configArgs initialization (ITS#6363)
+	Fixed slapd debug handling of LDAP_DEBUG_ANY (ITS#6324)
+	Fixed slapd db_open with connection_fake_init (ITS#6381)
+	Fixed slapd with embedded \0 in bervals (ITS#6378,ITS#6379)
+	Fixed slapd inclusion of ac/unistd.h (ITS#6342)
+	Fixed slapd invalid dn log message (ITS#6309)
+	Fixed slapd lockup on shutdown (ITS#6372)
+	Fixed slapd onetime leak (ITS#6398)
+	Fixed slapd RID range to be decimal only (ITS#6394)
+	Fixed slapd sl_free to better reclaim memory (ITS#6380)
+	Fixed slapd syncrepl deletes in MirrorMode (ITS#6368)
+	Fixed slapd syncrepl to use correct SID (ITS#6367)
+	Fixed slapd termination for one level DNs (ITS#6338)
+	Fixed slapd tls_accept to retry in certain cases (ITS#6304)
+	Fixed slapd-bdb/hdb cache corruption (ITS#6341)
+	Fixed slapd-bdb/hdb entry cache (ITS#6360)
+	Fixed slapd-ldap leak (ITS#6326)
+	Fixed slapd-relay bind segfault (ITS#6337)
+	Fixed slapo-accesslog ensure CSNs are normalized (ITS#6400)
+	Fixed slapo-memberof operational attr updates (ITS#6329)
+	Fixed slapo-pcache entry dupe (ITS#6310)
+	Fixed slapo-syncprov checkpoint conversion (ITS#6370)
+	Fixed slapo-syncprov deadlock (ITS#6335)
+	Fixed slapo-syncprov memory leak (ITS#6376)
+	Fixed slapo-syncprov out of order changes (ITS#6346)
+	Fixed slapo-syncprov psearch with stale cookie (ITS#6397)
+	Build Environment
+		Added additional operations for ITS#6332
+		Fixed memrchr define (ITS#6351)
+		Fixed slapd MAXPATHLEN handling (ITS#6342)
+		Added test050 rapid add/mod/del sequence (ITS#6368)
+		Fixed test057 handling of memberof/refint (ITS#6343)
+		Fixed slapd test error ignoring (ITS#6345)
+		Fixed liblutil constant (ITS#5909)
+	Documentation
+		admin24 fix RFC4511 and other references (ITS#6399)
+		ldap_get_dn(3) typos (ITS#5366)
+		ldap.conf(5) clarify comment usage (ITS#6384)
+		slapd.conf(5) note hex server IDs (ITS#6297)
+		slapd-config(5) note hex server IDs (ITS#6297)
+
+OpenLDAP 2.4.19 Release (2009/10/06)
+	Fixed client tools with null timeouts (ITS#6282)
+	Fixed slapadd to warn about missing attrs for replicas (ITS#6281)
+	Fixed slapd acl cache (ITS#6287)
+	Fixed slapd tools to allow -n for conversion (ITS#6258)
+	Fixed slapd-ldap with null timeouts (ITS#6282)
+	Fixed slapd-ldap with strong binds with relay/translucent (ITS#6296)
+	Fixed slapd-ldif buffer overflow (ITS#6303)
+	Fixed slapo-auditlog comments when modifying (ITS#6286)
+	Fixed slapo-dynlist lock leak (ITS#6308)
+	Fixed slapo-pcache cache corruption (ITS#6242)
+	Fixed slapo-sssvlv sort control dereferencing (ITS#6288)
+	Fixed contrib/autogroup segfaults (ITS#6279)
+	Fixed contrib/nssov getgroupbymembers (ITS#6291)
+	Fixed contrib/smbk5pwd rpath linking (ITS#6323)
+	Build Environment
+		Fixed --enable-deref support (ITS#6311)
+		Fixed contrib/autogroup default libtool path (ITS#6284)
+		Deleted nadf.schema (ITS#6140)
+
 OpenLDAP 2.4.18 Release (2009/09/06)
 	Fixed client tools common options (ITS#6049)
 	Fixed liblber speed and other problems (ITS#6215)
@@ -51,6 +148,7 @@
 	Fixed libldap GnuTLS private key init (ITS#6053)
 	Fixed libldap openssl digest initialization (ITS#6192)
 	Fixed libldap tls NULL error messages (ITS#6079)
+	Fixed libldap_r missing stub (ITS#6188)
 	Fixed liblutil opendir/closedir on windows (ITS#6041)
 	Fixed liblutil for _GNU_SOURCE (ITS#5464,ITS#5666)
 	Added slapd sasl auxprop support (ITS#6147)

Modified: openldap/vendor/openldap-release/README
===================================================================
--- openldap/vendor/openldap-release/README	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/README	2010-04-10 16:14:23 UTC (rev 1246)
@@ -20,8 +20,8 @@
 
     SLAPD:
         BDB and HDB backends require Oracle Berkeley DB 4.4, 4.5,
-        4.6, or 4.7.  It is highly recommended to apply the patches
-        from Oracle for a given release.
+        4.6, 4.7, or 4.8.  It is highly recommended to apply the
+        patches from Oracle for a given release.
 
     CLIENTS/CONTRIB ware:
         Depends on package.  See per package README.
@@ -74,7 +74,7 @@
     <http://www.openldap.org/its/> to be considered.
 
 ---
-$OpenLDAP: pkg/ldap/README,v 1.40.2.12 2009/03/09 00:36:37 hyc Exp $
+$OpenLDAP: pkg/ldap/README,v 1.40.2.13 2009/10/13 16:52:06 quanah Exp $
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 

Modified: openldap/vendor/openldap-release/build/version.var
===================================================================
--- openldap/vendor/openldap-release/build/version.var	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/build/version.var	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.59 2009/09/06 13:22:28 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.67 2009/12/19 23:49:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=18
-ol_api_inc=20418
+ol_patch=21
+ol_api_inc=20421
 ol_api_current=7
-ol_api_revision=1
+ol_api_revision=4
 ol_api_age=5
-ol_release_date="2009/09/06"
+ol_release_date="2009/12/20"

Modified: openldap/vendor/openldap-release/clients/tools/common.c
===================================================================
--- openldap/vendor/openldap-release/clients/tools/common.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/clients/tools/common.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* common.c - common routines for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.27 2009/08/25 22:58:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.29 2009/09/29 21:47:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -1287,7 +1287,10 @@
 		if ( use_tls ) {
 			rc = ldap_start_tls_s( ld, NULL, NULL );
 			if ( rc != LDAP_SUCCESS ) {
-				tool_perror( "ldap_start_tls", rc, NULL, NULL, NULL, NULL );
+				char *msg=NULL;
+				ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
+				tool_perror( "ldap_start_tls", rc, NULL, NULL, msg, NULL );
+				ldap_memfree(msg);
 				if ( use_tls > 1 ) {
 					exit( EXIT_FAILURE );
 				}
@@ -1384,8 +1387,11 @@
 
 		lutil_sasl_freedefs( defaults );
 		if( rc != LDAP_SUCCESS ) {
+			char *msg=NULL;
+			ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
 			tool_perror( "ldap_sasl_interactive_bind_s",
-				rc, NULL, NULL, NULL, NULL );
+				rc, NULL, NULL, msg, NULL );
+			ldap_memfree(msg);
 			exit( rc );
 		}
 #else
@@ -1414,11 +1420,17 @@
 			}
 		}
 
-		if ( ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &result ) == -1 ) {
+		rc = ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &result );
+		if ( rc == -1 ) {
 			tool_perror( "ldap_result", -1, NULL, NULL, NULL, NULL );
 			exit( LDAP_LOCAL_ERROR );
 		}
 
+		if ( rc == 0 ) {
+			tool_perror( "ldap_result", LDAP_TIMEOUT, NULL, NULL, NULL, NULL );
+			exit( LDAP_LOCAL_ERROR );
+		}
+
 		rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs,
 			&ctrls, 1 );
 		if ( rc != LDAP_SUCCESS ) {

Modified: openldap/vendor/openldap-release/configure
===================================================================
--- openldap/vendor/openldap-release/configure	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/configure	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.26 2009/08/13 00:11:16 quanah Exp .
+# From configure.in OpenLDAP: pkg/ldap/configure.in,v 1.631.2.27 2009/09/30 00:24:39 hyc Exp .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -908,6 +908,7 @@
 BUILD_CONSTRAINT
 BUILD_DDS
 BUILD_DENYOP
+BUILD_DEREF
 BUILD_DYNGROUP
 BUILD_DYNLIST
 BUILD_LASTMOD
@@ -4481,6 +4482,7 @@
 BUILD_CONSTRAINT=no
 BUILD_DDS=no
 BUILD_DENYOP=no
+BUILD_DEREF=no
 BUILD_DYNGROUP=no
 BUILD_DYNLIST=no
 BUILD_LASTMOD=no
@@ -6464,7 +6466,7 @@
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 6467 "configure"' > conftest.$ac_ext
+  echo '#line 6469 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -8533,11 +8535,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8536: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8538: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8540: \$? = $ac_status" >&5
+   echo "$as_me:8542: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8795,11 +8797,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8798: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8800: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:8802: \$? = $ac_status" >&5
+   echo "$as_me:8804: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -8857,11 +8859,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8860: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8862: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:8864: \$? = $ac_status" >&5
+   echo "$as_me:8866: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -11068,7 +11070,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11071 "configure"
+#line 11073 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11166,7 +11168,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 11169 "configure"
+#line 11171 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -38328,7 +38330,7 @@
 fi
 
 if test "$ol_enable_deref" != no ; then
-	BUILD_DDS=$ol_enable_deref
+	BUILD_DEREF=$ol_enable_deref
 	if test "$ol_enable_deref" = mod ; then
 		MFLAG=SLAPD_MOD_DYNAMIC
 		SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS deref.la"
@@ -38685,6 +38687,7 @@
 
 
 
+
 # Check whether --with-xxinstall was given.
 if test "${with_xxinstall+set}" = set; then
   withval=$with_xxinstall;
@@ -39499,6 +39502,7 @@
 BUILD_CONSTRAINT!$BUILD_CONSTRAINT$ac_delim
 BUILD_DDS!$BUILD_DDS$ac_delim
 BUILD_DENYOP!$BUILD_DENYOP$ac_delim
+BUILD_DEREF!$BUILD_DEREF$ac_delim
 BUILD_DYNGROUP!$BUILD_DYNGROUP$ac_delim
 BUILD_DYNLIST!$BUILD_DYNLIST$ac_delim
 BUILD_LASTMOD!$BUILD_LASTMOD$ac_delim
@@ -39550,7 +39554,7 @@
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 91; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 92; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

Modified: openldap/vendor/openldap-release/configure.in
===================================================================
--- openldap/vendor/openldap-release/configure.in	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/configure.in	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.26 2009/08/13 00:11:16 quanah Exp $
+dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.27 2009/09/30 00:24:39 hyc Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
 dnl Copyright 1998-2009 The OpenLDAP Foundation.
@@ -25,7 +25,7 @@
 dnl Configure.in for OpenLDAP
 AC_COPYRIGHT([[Copyright 1998-2009 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.26 2009/08/13 00:11:16 quanah Exp $])
+AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.27 2009/09/30 00:24:39 hyc Exp $])
 AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
 m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
 AC_CONFIG_SRCDIR(build/version.sh)dnl
@@ -547,6 +547,7 @@
 BUILD_CONSTRAINT=no
 BUILD_DDS=no
 BUILD_DENYOP=no
+BUILD_DEREF=no
 BUILD_DYNGROUP=no
 BUILD_DYNLIST=no
 BUILD_LASTMOD=no
@@ -2821,7 +2822,7 @@
 fi
 
 if test "$ol_enable_deref" != no ; then
-	BUILD_DDS=$ol_enable_deref
+	BUILD_DEREF=$ol_enable_deref
 	if test "$ol_enable_deref" = mod ; then
 		MFLAG=SLAPD_MOD_DYNAMIC
 		SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS deref.la"
@@ -3061,6 +3062,7 @@
   AC_SUBST(BUILD_CONSTRAINT)
   AC_SUBST(BUILD_DDS)
   AC_SUBST(BUILD_DENYOP)
+  AC_SUBST(BUILD_DEREF)
   AC_SUBST(BUILD_DYNGROUP)
   AC_SUBST(BUILD_DYNLIST)
   AC_SUBST(BUILD_LASTMOD)

Modified: openldap/vendor/openldap-release/contrib/ldapc++/src/LdifReader.cpp
===================================================================
--- openldap/vendor/openldap-release/contrib/ldapc++/src/LdifReader.cpp	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/ldapc++/src/LdifReader.cpp	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifReader.cpp,v 1.4.2.4 2008/07/09 21:45:42 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LdifReader.cpp,v 1.4.2.5 2009/09/29 21:35:03 quanah Exp $
 /*
  * Copyright 2008, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -179,11 +179,12 @@
 
 LDAPEntry LdifReader::getEntryRecord()
 {
+    std::list<stringpair>::const_iterator i = m_currentRecord.begin();
     if ( m_curRecType != LDAPMsg::SEARCH_ENTRY )
     {
-        // Error
+        throw( std::runtime_error( "The LDIF record: '" + i->second +
+                                   "' is not a valid LDAP Entry" ));
     }
-    std::list<stringpair>::const_iterator i = m_currentRecord.begin();
     LDAPEntry resEntry(i->second);
     i++;
     LDAPAttribute curAttr(i->first);

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/Makefile
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/Makefile	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/Makefile	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,3 +1,5 @@
+LIBTOOL=../../../libtool
+
 CPPFLAGS+=-I../../../include -I../../../servers/slapd
 
 all: autogroup.la

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/autogroup.c
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/autogroup.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/autogroup/autogroup.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* autogroup.c - automatic group overlay */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/autogroup/autogroup.c,v 1.2.2.4 2009/08/17 21:48:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/autogroup/autogroup.c,v 1.2.2.5 2009/09/29 21:52:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2007-2009 The OpenLDAP Foundation.
@@ -1452,6 +1452,10 @@
 
 	Debug( LDAP_DEBUG_TRACE, "==> autogroup_db_open\n", 0, 0, 0);
 
+	if ( agi == NULL ) {
+		return 0;
+	}
+
 	connection_fake_init( &conn, &opbuf, thrctx );
 	op = &opbuf.ob_op;
 

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/nssov/ldapns.schema
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/nssov/ldapns.schema	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/nssov/ldapns.schema	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,5 @@
-# $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/ldapns.schema,v 1.2.2.3 2009/08/17 21:48:58 quanah Exp $
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/ldapns.schema,v 1.2.2.4 2009/10/03 19:40:03 hyc Exp $
+# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
 # LDAP Name Service Additional Schema
 # http://www.iana.org/assignments/gssapi-service-names
 
@@ -11,6 +12,13 @@
           EQUALITY caseIgnoreMatch
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
 
+attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
+          DESC 'Currently logged in sessions for a user'
+          EQUALITY caseIgnoreMatch
+          SUBSTR caseIgnoreSubstringsMatch
+          ORDERING caseIgnoreOrderingMatch
+          SYNTAX OMsDirectoryString )
+
 objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
           DESC 'Auxiliary object class for adding authorizedService attribute'
           SUP top
@@ -22,3 +30,9 @@
           SUP top
           AUXILIARY
           MAY host )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
+          DESC 'Auxiliary object class for login status attribute'
+          SUP top
+          AUXILIARY
+          MAY loginStatus )

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nss-ldapd/nss/pam.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -441,6 +441,7 @@
 		if (rc != PAM_IGNORE)
 			pam_warn(appconv, "LDAP authorization failed", PAM_ERROR_MSG, no_warn);
 	} else {
+		rc = ctx2.authz;
 		if (ctx2.authzmsg && ctx2.authzmsg[0])
 			pam_warn(appconv, ctx2.authzmsg, PAM_TEXT_INFO, no_warn);
 		if (ctx2.authz == PAM_SUCCESS) {

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nssov.h
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nssov.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/nssov/nssov.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* nssov.h - NSS overlay header file */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.h,v 1.1.2.5 2009/08/17 21:48:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.h,v 1.1.2.6 2009/09/29 18:11:40 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -323,6 +323,7 @@
     /* do the internal search */ \
 	op->o_bd->be_search( op, &rs ); \
 	filter_free_x( op, op->ors_filter, 1 ); \
+	WRITE_INT32(fp,NSLCD_RESULT_END); \
     return 0; \
   }
 

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/nssov/pam.c
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/nssov/pam.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/nssov/pam.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* pam.c - pam processing routines */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/pam.c,v 1.13.2.3 2009/08/17 21:48:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/pam.c,v 1.13.2.5 2009/10/03 19:40:03 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>. 
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -21,16 +21,6 @@
 static int ppolicy_cid;
 static AttributeDescription *ad_loginStatus;
 
-const char *at_loginStatus =
-	"( 1.3.6.1.4.1.4745.1.20.1 "
-	"NAME ( 'loginStatus' ) "
-	"DESC 'Currently logged in sessions for a user' "
-	"EQUALITY caseIgnoreMatch "
-	"SUBSTR caseIgnoreSubstringsMatch "
-	"ORDERING caseIgnoreOrderingMatch "
-	"SYNTAX OMsDirectoryString "
-	"USAGE directoryOperation )";
-
 struct paminfo {
 	struct berval uid;
 	struct berval dn;
@@ -266,7 +256,7 @@
 	char ruserc[32];
 	char rhostc[256];
 	char ttyc[256];
-	int rc = NSLCD_PAM_SUCCESS;
+	int rc;
 	Entry *e = NULL;
 	Attribute *a;
 	SlapReply rs = {REP_RESULT};
@@ -400,9 +390,10 @@
 	}
 	if ((ni->ni_pam_opts & NI_PAM_USERHOST) && nssov_pam_host_ad) {
 		a = attr_find(e->e_attrs, nssov_pam_host_ad);
-		if (!a || value_find_ex( nssov_pam_host_ad,
-			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
-			a->a_vals, &global_host_bv, op->o_tmpmemctx )) {
+		if (!a || attr_valfind( a,
+			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
+			SLAP_MR_VALUE_OF_SYNTAX,
+			&global_host_bv, NULL, op->o_tmpmemctx )) {
 			rc = NSLCD_PAM_PERM_DENIED;
 			authzmsg = hostmsg;
 			goto finish;
@@ -410,9 +401,10 @@
 	}
 	if ((ni->ni_pam_opts & NI_PAM_USERSVC) && nssov_pam_svc_ad) {
 		a = attr_find(e->e_attrs, nssov_pam_svc_ad);
-		if (!a || value_find_ex( nssov_pam_svc_ad,
-			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
-			a->a_vals, &svc, op->o_tmpmemctx )) {
+		if (!a || attr_valfind( a,
+			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
+			SLAP_MR_VALUE_OF_SYNTAX,
+			&svc, NULL, op->o_tmpmemctx )) {
 			rc = NSLCD_PAM_PERM_DENIED;
 			authzmsg = svcmsg;
 			goto finish;
@@ -425,7 +417,7 @@
 	if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
 		int id;
 		char *tmp;
-		nssov_mapinfo *mi = &ni->ni_maps[NM_host];
+		nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];
 		a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
 		if (!a) {
 			rc = NSLCD_PAM_PERM_DENIED;
@@ -453,6 +445,7 @@
 		else if (!BER_BVISEMPTY(&ni->ni_pam_template))
 			uid = ni->ni_pam_template;
 	}
+	rc = NSLCD_PAM_SUCCESS;
 
 finish:
 	WRITE_INT32(fp,NSLCD_VERSION);
@@ -664,7 +657,9 @@
 int nssov_pam_init()
 {
 	int code = 0;
+	const char *text;
 	if (!ad_loginStatus)
-		code = register_at( at_loginStatus, &ad_loginStatus, 0 );
+		code = slap_str2ad( "loginStatus", &ad_loginStatus, &text );
+
 	return code;
 }

Modified: openldap/vendor/openldap-release/contrib/slapd-modules/smbk5pwd/Makefile
===================================================================
--- openldap/vendor/openldap-release/contrib/slapd-modules/smbk5pwd/Makefile	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/contrib/slapd-modules/smbk5pwd/Makefile	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/Makefile,v 1.1.6.3 2009/09/01 22:53:30 quanah Exp $
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/Makefile,v 1.1.6.4 2009/10/02 21:16:53 quanah Exp $
 # This work is part of OpenLDAP Software <http://www.openldap.org/>.
 #
 # Copyright 1998-2009 The OpenLDAP Foundation.
@@ -45,7 +45,7 @@
 
 smbk5pwd.la:	smbk5pwd.lo
 	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
-	-rpath $(libdir) -module -o $@ $? $(LIBS)
+	-rpath $(moduledir) -module -o $@ $? $(LIBS)
 
 clean:
 	rm -f smbk5pwd.lo smbk5pwd.la

Modified: openldap/vendor/openldap-release/doc/guide/admin/allusersgroup-en.png
===================================================================
(Binary files differ)

Modified: openldap/vendor/openldap-release/doc/guide/admin/appendix-ldap-result-codes.sdf
===================================================================
--- openldap/vendor/openldap-release/doc/guide/admin/appendix-ldap-result-codes.sdf	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/admin/appendix-ldap-result-codes.sdf	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,17 +1,17 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.6 2009/01/22 00:00:47 kurt Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.7 2009/11/24 02:41:10 quanah Exp $
 # Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1:  LDAP Result Codes
 
 For the purposes of this guide, we have incorporated the standard LDAP result 
-codes from {{Appendix A.  LDAP Result Codes}} of rfc4511, a copy of which can 
+codes from {{Appendix A.  LDAP Result Codes}} of {{REF:RFC4511}}, a copy of which can 
 be found in {{F:doc/rfc}} of the OpenLDAP source code.
 
 We have expanded the description of each error in relation to the OpenLDAP 
 toolsets.
 LDAP extensions may introduce extension-specific result codes, which are not part
-of rfc4511.
+of RFC4511.
 OpenLDAP returns the result codes related to extensions it implements.
 Their meaning is documented in the extension they are related to.
 
@@ -37,23 +37,23 @@
 
 Existing LDAP result codes are described as follows:
 
-H2: {{success (0)}}
+H2: success (0)
 
 Indicates the successful completion of an operation.  
 
 Note: this code is not used with the Compare operation.  See {{SECT:compareFalse (5)}} 
 and {{SECT:compareTrue (6)}}.
 
-H2: {{operationsError (1)}}
+H2: operationsError (1)
 
 Indicates that the operation is not properly sequenced with
 relation to other operations (of same or different type).
 
 For example, this code is returned if the client attempts to
-StartTLS [RFC4346] while there are other uncompleted operations
+StartTLS ({{REF:RFC4511}} Section 4.14) while there are other uncompleted operations
 or if a TLS layer was already installed.
 
-H2: {{protocolError (2)}}
+H2: protocolError (2)
 
 Indicates the server received data that is not well-formed.
 
@@ -71,33 +71,33 @@
 of the controls as specified, or that the combination of the
 specified controls is invalid or unspecified.
 
-H2: {{timeLimitExceeded (3)}}
+H2: timeLimitExceeded (3)
 
 Indicates that the time limit specified by the client was
 exceeded before the operation could be completed.
 
-H2: {{sizeLimitExceeded (4)}}
+H2: sizeLimitExceeded (4)
 
 Indicates that the size limit specified by the client was
 exceeded before the operation could be completed.
 
-H2: {{compareFalse (5)}}
+H2: compareFalse (5)
 
 Indicates that the Compare operation has successfully
 completed and the assertion has evaluated to FALSE or
 Undefined.
 
-H2: {{compareTrue (6)}}
+H2: compareTrue (6)
 
 Indicates that the Compare operation has successfully
 completed and the assertion has evaluated to TRUE.
 
-H2: {{authMethodNotSupported (7)}}
+H2: authMethodNotSupported (7)
 
 Indicates that the authentication method or mechanism is not
 supported.
 
-H2: {{strongerAuthRequired (8)}}
+H2: strongerAuthRequired (8)
 
 Indicates the server requires strong(er) authentication in
 order to complete the operation.
@@ -107,47 +107,47 @@
 established security association between the client and
 server has unexpectedly failed or been compromised.
 
-H2: {{referral (10)}}
+H2: referral (10)
 
 Indicates that a referral needs to be chased to complete the
-operation (see Section 4.1.10).
+operation (see {{REF:RFC4511}} Section 4.1.10).
 
-H2: {{adminLimitExceeded (11)}}
+H2: adminLimitExceeded (11)
 
 Indicates that an administrative limit has been exceeded.
 
-H2: {{unavailableCriticalExtension (12)}}
+H2: unavailableCriticalExtension (12)
 
-Indicates a critical control is unrecognized (see Section
+Indicates a critical control is unrecognized (see {{REF:RFC4511}} Section
 4.1.11).
 
-H2: {{confidentialityRequired (13)}}
+H2: confidentialityRequired (13)
 
 Indicates that data confidentiality protections are required.
 
-H2: {{saslBindInProgress (14)}}
+H2: saslBindInProgress (14)
 
 Indicates the server requires the client to send a new bind
 request, with the same SASL mechanism, to continue the
-authentication process (see Section 4.2).
+authentication process (see {{REF:RFC4511}} Section 4.2).
 
-H2: {{noSuchAttribute (16)}}
+H2: noSuchAttribute (16)
 
 Indicates that the named entry does not contain the specified
 attribute or attribute value.
 
-H2: {{undefinedAttributeType (17)}}
+H2: undefinedAttributeType (17)
 
 Indicates that a request field contains an unrecognized
 attribute description.
 
-H2: {{inappropriateMatching (18)}}
+H2: inappropriateMatching (18)
 
 Indicates that an attempt was made (e.g., in an assertion) to
 use a matching rule not defined for the attribute type
 concerned.
 
-H2: {{constraintViolation (19)}}
+H2: constraintViolation (19)
 
 Indicates that the client supplied an attribute value that
 does not conform to the constraints placed upon it by the
@@ -156,28 +156,28 @@
 For example, this code is returned when multiple values are
 supplied to an attribute that has a SINGLE-VALUE constraint.
 
-H2: {{attributeOrValueExists (20)}}
+H2: attributeOrValueExists (20)
 
 Indicates that the client supplied an attribute or value to
 be added to an entry, but the attribute or value already
 exists.
 
-H2: {{invalidAttributeSyntax (21)}}
+H2: invalidAttributeSyntax (21)
 
 Indicates that a purported attribute value does not conform
 to the syntax of the attribute.
 
-H2: {{noSuchObject (32)}}
+H2: noSuchObject (32)
 
 Indicates that the object does not exist in the DIT.
 
-H2: {{aliasProblem (33)}}
+H2: aliasProblem (33)
 
 Indicates that an alias problem has occurred.  For example,
 the code may used to indicate an alias has been dereferenced
 that names no object.
 
-H2: {{invalidDNSyntax (34)}}
+H2: invalidDNSyntax (34)
 
 Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search
 base, target entry, ModifyDN newrdn, etc.) of a request does
@@ -185,73 +185,73 @@
 values that do not conform to the syntax of the attribute's
 type.
 
-H2: {{aliasDereferencingProblem (36)}}
+H2: aliasDereferencingProblem (36)
 
 Indicates that a problem occurred while dereferencing an
 alias.  Typically, an alias was encountered in a situation
 where it was not allowed or where access was denied.
 
-H2: {{inappropriateAuthentication (48)}}
+H2: inappropriateAuthentication (48)
 
 Indicates the server requires the client that had attempted
 to bind anonymously or without supplying credentials to
 provide some form of credentials.
 
-H2: {{invalidCredentials (49)}}
+H2: invalidCredentials (49)
 
 Indicates that the provided credentials (e.g., the user's name
 and password) are invalid.
 
-H2: {{insufficientAccessRights (50)}}
+H2: insufficientAccessRights (50)
 
 Indicates that the client does not have sufficient access
 rights to perform the operation.
 
-H2: {{busy (51)}}
+H2: busy (51)
 
 Indicates that the server is too busy to service the
 operation.
 
-H2: {{unavailable (52)}}
+H2: unavailable (52)
 
 Indicates that the server is shutting down or a subsystem
 necessary to complete the operation is offline.
 
-H2: {{unwillingToPerform (53)}}
+H2: unwillingToPerform (53)
 
 Indicates that the server is unwilling to perform the
 operation.
 
-H2: {{loopDetect (54)}}
+H2: loopDetect (54)
 
 Indicates that the server has detected an internal loop (e.g.,
 while dereferencing aliases or chaining an operation).
 
-H2: {{namingViolation (64)}}
+H2: namingViolation (64)
 
 Indicates that the entry's name violates naming restrictions.
 
-H2: {{objectClassViolation (65)}}
+H2: objectClassViolation (65)
 
 Indicates that the entry violates object class restrictions.
 
-H2: {{notAllowedOnNonLeaf (66)}}
+H2: notAllowedOnNonLeaf (66)
 
 Indicates that the operation is inappropriately acting upon a
 non-leaf entry.
 
-H2: {{notAllowedOnRDN (67)}}
+H2: notAllowedOnRDN (67)
 
 Indicates that the operation is inappropriately attempting to
 remove a value that forms the entry's relative distinguished
 name.
 
-H2: {{entryAlreadyExists (68)}}
+H2: entryAlreadyExists (68)
 
 Indicates that the request cannot be fulfilled (added, moved,
 or renamed) as the target entry already exists.
 
-H2: {{objectClassModsProhibited (69)}}
+H2: objectClassModsProhibited (69)
 
 Indicates that an attempt to modify the object class(es) of
 an entry's 'objectClass' attribute is prohibited.
@@ -259,11 +259,11 @@
 For example, this code is returned when a client attempts to
 modify the structural object class of an entry.
 
-H2: {{affectsMultipleDSAs (71)}}
+H2: affectsMultipleDSAs (71)
 
 Indicates that the operation cannot be performed as it would
 affect multiple servers (DSAs).
 
-H2: {{other (80)}}
+H2: other (80)
 
 Indicates the server has encountered an internal error.

Modified: openldap/vendor/openldap-release/doc/guide/admin/guide.html
===================================================================
--- openldap/vendor/openldap-release/doc/guide/admin/guide.html	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/admin/guide.html	2010-04-10 16:14:23 UTC (rev 1246)
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">6 September 2009</ADDRESS>
+<ADDRESS CLASS="doc-modified">20 December 2009</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -810,83 +810,83 @@
 <BR>
 <A HREF="#Result Codes">H.2. Result Codes</A>
 <BR>
-<A HREF="#{{success (0)}}">H.3. <EM>success (0)</EM></A>
+<A HREF="#success (0)">H.3. success (0)</A>
 <BR>
-<A HREF="#{{operationsError (1)}}">H.4. <EM>operationsError (1)</EM></A>
+<A HREF="#operationsError (1)">H.4. operationsError (1)</A>
 <BR>
-<A HREF="#{{protocolError (2)}}">H.5. <EM>protocolError (2)</EM></A>
+<A HREF="#protocolError (2)">H.5. protocolError (2)</A>
 <BR>
-<A HREF="#{{timeLimitExceeded (3)}}">H.6. <EM>timeLimitExceeded (3)</EM></A>
+<A HREF="#timeLimitExceeded (3)">H.6. timeLimitExceeded (3)</A>
 <BR>
-<A HREF="#{{sizeLimitExceeded (4)}}">H.7. <EM>sizeLimitExceeded (4)</EM></A>
+<A HREF="#sizeLimitExceeded (4)">H.7. sizeLimitExceeded (4)</A>
 <BR>
-<A HREF="#{{compareFalse (5)}}">H.8. <EM>compareFalse (5)</EM></A>
+<A HREF="#compareFalse (5)">H.8. compareFalse (5)</A>
 <BR>
-<A HREF="#{{compareTrue (6)}}">H.9. <EM>compareTrue (6)</EM></A>
+<A HREF="#compareTrue (6)">H.9. compareTrue (6)</A>
 <BR>
-<A HREF="#{{authMethodNotSupported (7)}}">H.10. <EM>authMethodNotSupported (7)</EM></A>
+<A HREF="#authMethodNotSupported (7)">H.10. authMethodNotSupported (7)</A>
 <BR>
-<A HREF="#{{strongerAuthRequired (8)}}">H.11. <EM>strongerAuthRequired (8)</EM></A>
+<A HREF="#strongerAuthRequired (8)">H.11. strongerAuthRequired (8)</A>
 <BR>
-<A HREF="#{{referral (10)}}">H.12. <EM>referral (10)</EM></A>
+<A HREF="#referral (10)">H.12. referral (10)</A>
 <BR>
-<A HREF="#{{adminLimitExceeded (11)}}">H.13. <EM>adminLimitExceeded (11)</EM></A>
+<A HREF="#adminLimitExceeded (11)">H.13. adminLimitExceeded (11)</A>
 <BR>
-<A HREF="#{{unavailableCriticalExtension (12)}}">H.14. <EM>unavailableCriticalExtension (12)</EM></A>
+<A HREF="#unavailableCriticalExtension (12)">H.14. unavailableCriticalExtension (12)</A>
 <BR>
-<A HREF="#{{confidentialityRequired (13)}}">H.15. <EM>confidentialityRequired (13)</EM></A>
+<A HREF="#confidentialityRequired (13)">H.15. confidentialityRequired (13)</A>
 <BR>
-<A HREF="#{{saslBindInProgress (14)}}">H.16. <EM>saslBindInProgress (14)</EM></A>
+<A HREF="#saslBindInProgress (14)">H.16. saslBindInProgress (14)</A>
 <BR>
-<A HREF="#{{noSuchAttribute (16)}}">H.17. <EM>noSuchAttribute (16)</EM></A>
+<A HREF="#noSuchAttribute (16)">H.17. noSuchAttribute (16)</A>
 <BR>
-<A HREF="#{{undefinedAttributeType (17)}}">H.18. <EM>undefinedAttributeType (17)</EM></A>
+<A HREF="#undefinedAttributeType (17)">H.18. undefinedAttributeType (17)</A>
 <BR>
-<A HREF="#{{inappropriateMatching (18)}}">H.19. <EM>inappropriateMatching (18)</EM></A>
+<A HREF="#inappropriateMatching (18)">H.19. inappropriateMatching (18)</A>
 <BR>
-<A HREF="#{{constraintViolation (19)}}">H.20. <EM>constraintViolation (19)</EM></A>
+<A HREF="#constraintViolation (19)">H.20. constraintViolation (19)</A>
 <BR>
-<A HREF="#{{attributeOrValueExists (20)}}">H.21. <EM>attributeOrValueExists (20)</EM></A>
+<A HREF="#attributeOrValueExists (20)">H.21. attributeOrValueExists (20)</A>
 <BR>
-<A HREF="#{{invalidAttributeSyntax (21)}}">H.22. <EM>invalidAttributeSyntax (21)</EM></A>
+<A HREF="#invalidAttributeSyntax (21)">H.22. invalidAttributeSyntax (21)</A>
 <BR>
-<A HREF="#{{noSuchObject (32)}}">H.23. <EM>noSuchObject (32)</EM></A>
+<A HREF="#noSuchObject (32)">H.23. noSuchObject (32)</A>
 <BR>
-<A HREF="#{{aliasProblem (33)}}">H.24. <EM>aliasProblem (33)</EM></A>
+<A HREF="#aliasProblem (33)">H.24. aliasProblem (33)</A>
 <BR>
-<A HREF="#{{invalidDNSyntax (34)}}">H.25. <EM>invalidDNSyntax (34)</EM></A>
+<A HREF="#invalidDNSyntax (34)">H.25. invalidDNSyntax (34)</A>
 <BR>
-<A HREF="#{{aliasDereferencingProblem (36)}}">H.26. <EM>aliasDereferencingProblem (36)</EM></A>
+<A HREF="#aliasDereferencingProblem (36)">H.26. aliasDereferencingProblem (36)</A>
 <BR>
-<A HREF="#{{inappropriateAuthentication (48)}}">H.27. <EM>inappropriateAuthentication (48)</EM></A>
+<A HREF="#inappropriateAuthentication (48)">H.27. inappropriateAuthentication (48)</A>
 <BR>
-<A HREF="#{{invalidCredentials (49)}}">H.28. <EM>invalidCredentials (49)</EM></A>
+<A HREF="#invalidCredentials (49)">H.28. invalidCredentials (49)</A>
 <BR>
-<A HREF="#{{insufficientAccessRights (50)}}">H.29. <EM>insufficientAccessRights (50)</EM></A>
+<A HREF="#insufficientAccessRights (50)">H.29. insufficientAccessRights (50)</A>
 <BR>
-<A HREF="#{{busy (51)}}">H.30. <EM>busy (51)</EM></A>
+<A HREF="#busy (51)">H.30. busy (51)</A>
 <BR>
-<A HREF="#{{unavailable (52)}}">H.31. <EM>unavailable (52)</EM></A>
+<A HREF="#unavailable (52)">H.31. unavailable (52)</A>
 <BR>
-<A HREF="#{{unwillingToPerform (53)}}">H.32. <EM>unwillingToPerform (53)</EM></A>
+<A HREF="#unwillingToPerform (53)">H.32. unwillingToPerform (53)</A>
 <BR>
-<A HREF="#{{loopDetect (54)}}">H.33. <EM>loopDetect (54)</EM></A>
+<A HREF="#loopDetect (54)">H.33. loopDetect (54)</A>
 <BR>
-<A HREF="#{{namingViolation (64)}}">H.34. <EM>namingViolation (64)</EM></A>
+<A HREF="#namingViolation (64)">H.34. namingViolation (64)</A>
 <BR>
-<A HREF="#{{objectClassViolation (65)}}">H.35. <EM>objectClassViolation (65)</EM></A>
+<A HREF="#objectClassViolation (65)">H.35. objectClassViolation (65)</A>
 <BR>
-<A HREF="#{{notAllowedOnNonLeaf (66)}}">H.36. <EM>notAllowedOnNonLeaf (66)</EM></A>
+<A HREF="#notAllowedOnNonLeaf (66)">H.36. notAllowedOnNonLeaf (66)</A>
 <BR>
-<A HREF="#{{notAllowedOnRDN (67)}}">H.37. <EM>notAllowedOnRDN (67)</EM></A>
+<A HREF="#notAllowedOnRDN (67)">H.37. notAllowedOnRDN (67)</A>
 <BR>
-<A HREF="#{{entryAlreadyExists (68)}}">H.38. <EM>entryAlreadyExists (68)</EM></A>
+<A HREF="#entryAlreadyExists (68)">H.38. entryAlreadyExists (68)</A>
 <BR>
-<A HREF="#{{objectClassModsProhibited (69)}}">H.39. <EM>objectClassModsProhibited (69)</EM></A>
+<A HREF="#objectClassModsProhibited (69)">H.39. objectClassModsProhibited (69)</A>
 <BR>
-<A HREF="#{{affectsMultipleDSAs (71)}}">H.40. <EM>affectsMultipleDSAs (71)</EM></A>
+<A HREF="#affectsMultipleDSAs (71)">H.40. affectsMultipleDSAs (71)</A>
 <BR>
-<A HREF="#{{other (80)}}">H.41. <EM>other (80)</EM></A></UL>
+<A HREF="#other (80)">H.41. other (80)</A></UL>
 <BR>
 <A HREF="#Glossary">I. Glossary</A><UL>
 <A HREF="#Terms">I.1. Terms</A>
@@ -5219,17 +5219,23 @@
 <P>The configuration for a dynamic group is similar. Let's see an example which would automatically populate an <TT>allusers</TT> group with all the user accounts in the directory.</P>
 <P>In <TT>slapd.conf</TT>(5):</P>
 <PRE>
+       include /path/to/dyngroup.schema
+       ...
        overlay dynlist
-       dynlist-attrset groupOfNames labeledURI member
+       dynlist-attrset groupOfURLs labeledURI member
 </PRE>
+<OL>
+<LI>
+<LI>Note: We must include the <TT>dyngroup.schema</TT> file that defines the
+<LI><TT>groupOfURLs</TT> objectClass used in this example.</OL>
 <P>Let's apply it to the following entry:</P>
 <PRE>
        cn=allusers,ou=group,dc=example,dc=com
        cn: all
-       objectClass: groupOfNames
+       objectClass: groupOfURLs
        labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 </PRE>
-<P>The behavior is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfNames</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
+<P>The behavior is similar to the dynamic list configuration we had before: whenever an entry with the <TT>groupOfURLs</TT> object class is retrieved, the search specified in the <TT>labeledURI</TT> attribute is performed. But this time, only the distinguished names of the results are added, and as values of the <TT>member</TT> attribute.</P>
 <P>This is what we get:</P>
 <P><CENTER><IMG SRC="allusersgroup-en.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: Dynamic Group for all users</P>
@@ -8923,8 +8929,8 @@
 <P></P>
 <HR>
 <H1><A NAME="LDAP Result Codes">H. LDAP Result Codes</A></H1>
-<P>For the purposes of this guide, we have incorporated the standard LDAP result codes from <EM>Appendix A.  LDAP Result Codes</EM> of rfc4511, a copy of which can be found in <TT>doc/rfc</TT> of the OpenLDAP source code.</P>
-<P>We have expanded the description of each error in relation to the OpenLDAP toolsets. LDAP extensions may introduce extension-specific result codes, which are not part of rfc4511. OpenLDAP returns the result codes related to extensions it implements. Their meaning is documented in the extension they are related to.</P>
+<P>For the purposes of this guide, we have incorporated the standard LDAP result codes from <EM>Appendix A.  LDAP Result Codes</EM> of <A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A>, a copy of which can be found in <TT>doc/rfc</TT> of the OpenLDAP source code.</P>
+<P>We have expanded the description of each error in relation to the OpenLDAP toolsets. LDAP extensions may introduce extension-specific result codes, which are not part of RFC4511. OpenLDAP returns the result codes related to extensions it implements. Their meaning is documented in the extension they are related to.</P>
 <H2><A NAME="Non-Error Result Codes">H.1. Non-Error Result Codes</A></H2>
 <P>These result codes (called &quot;non-error&quot; result codes) do not indicate an error condition:</P>
 <PRE>
@@ -8938,93 +8944,93 @@
 <P>The <EM>referral</EM> and <EM>saslBindInProgress</EM> result codes indicate the client needs to take additional action to complete the operation.</P>
 <H2><A NAME="Result Codes">H.2. Result Codes</A></H2>
 <P>Existing LDAP result codes are described as follows:</P>
-<H2><A NAME="{{success (0)}}">H.3. <EM>success (0)</EM></A></H2>
+<H2><A NAME="success (0)">H.3. success (0)</A></H2>
 <P>Indicates the successful completion of an operation.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>this code is not used with the Compare operation.  See <A HREF="#compareFalse (5)">compareFalse (5)</A> and <A HREF="#compareTrue (6)">compareTrue (6)</A>.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="{{operationsError (1)}}">H.4. <EM>operationsError (1)</EM></A></H2>
+<H2><A NAME="operationsError (1)">H.4. operationsError (1)</A></H2>
 <P>Indicates that the operation is not properly sequenced with relation to other operations (of same or different type).</P>
-<P>For example, this code is returned if the client attempts to StartTLS [RFC4346] while there are other uncompleted operations or if a TLS layer was already installed.</P>
-<H2><A NAME="{{protocolError (2)}}">H.5. <EM>protocolError (2)</EM></A></H2>
+<P>For example, this code is returned if the client attempts to StartTLS (<A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A> Section 4.14) while there are other uncompleted operations or if a TLS layer was already installed.</P>
+<H2><A NAME="protocolError (2)">H.5. protocolError (2)</A></H2>
 <P>Indicates the server received data that is not well-formed.</P>
 <P>For Bind operation only, this code is also used to indicate that the server does not support the requested protocol version.</P>
 <P>For Extended operations only, this code is also used to indicate that the server does not support (by design or configuration) the Extended operation associated with the <EM>requestName</EM>.</P>
 <P>For request operations specifying multiple controls, this may be used to indicate that the server cannot ignore the order of the controls as specified, or that the combination of the specified controls is invalid or unspecified.</P>
-<H2><A NAME="{{timeLimitExceeded (3)}}">H.6. <EM>timeLimitExceeded (3)</EM></A></H2>
+<H2><A NAME="timeLimitExceeded (3)">H.6. timeLimitExceeded (3)</A></H2>
 <P>Indicates that the time limit specified by the client was exceeded before the operation could be completed.</P>
-<H2><A NAME="{{sizeLimitExceeded (4)}}">H.7. <EM>sizeLimitExceeded (4)</EM></A></H2>
+<H2><A NAME="sizeLimitExceeded (4)">H.7. sizeLimitExceeded (4)</A></H2>
 <P>Indicates that the size limit specified by the client was exceeded before the operation could be completed.</P>
-<H2><A NAME="{{compareFalse (5)}}">H.8. <EM>compareFalse (5)</EM></A></H2>
+<H2><A NAME="compareFalse (5)">H.8. compareFalse (5)</A></H2>
 <P>Indicates that the Compare operation has successfully completed and the assertion has evaluated to FALSE or Undefined.</P>
-<H2><A NAME="{{compareTrue (6)}}">H.9. <EM>compareTrue (6)</EM></A></H2>
+<H2><A NAME="compareTrue (6)">H.9. compareTrue (6)</A></H2>
 <P>Indicates that the Compare operation has successfully completed and the assertion has evaluated to TRUE.</P>
-<H2><A NAME="{{authMethodNotSupported (7)}}">H.10. <EM>authMethodNotSupported (7)</EM></A></H2>
+<H2><A NAME="authMethodNotSupported (7)">H.10. authMethodNotSupported (7)</A></H2>
 <P>Indicates that the authentication method or mechanism is not supported.</P>
-<H2><A NAME="{{strongerAuthRequired (8)}}">H.11. <EM>strongerAuthRequired (8)</EM></A></H2>
+<H2><A NAME="strongerAuthRequired (8)">H.11. strongerAuthRequired (8)</A></H2>
 <P>Indicates the server requires strong(er) authentication in order to complete the operation.</P>
 <P>When used with the Notice of Disconnection operation, this code indicates that the server has detected that an established security association between the client and server has unexpectedly failed or been compromised.</P>
-<H2><A NAME="{{referral (10)}}">H.12. <EM>referral (10)</EM></A></H2>
-<P>Indicates that a referral needs to be chased to complete the operation (see Section 4.1.10).</P>
-<H2><A NAME="{{adminLimitExceeded (11)}}">H.13. <EM>adminLimitExceeded (11)</EM></A></H2>
+<H2><A NAME="referral (10)">H.12. referral (10)</A></H2>
+<P>Indicates that a referral needs to be chased to complete the operation (see <A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A> Section 4.1.10).</P>
+<H2><A NAME="adminLimitExceeded (11)">H.13. adminLimitExceeded (11)</A></H2>
 <P>Indicates that an administrative limit has been exceeded.</P>
-<H2><A NAME="{{unavailableCriticalExtension (12)}}">H.14. <EM>unavailableCriticalExtension (12)</EM></A></H2>
-<P>Indicates a critical control is unrecognized (see Section 4.1.11).</P>
-<H2><A NAME="{{confidentialityRequired (13)}}">H.15. <EM>confidentialityRequired (13)</EM></A></H2>
+<H2><A NAME="unavailableCriticalExtension (12)">H.14. unavailableCriticalExtension (12)</A></H2>
+<P>Indicates a critical control is unrecognized (see <A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A> Section 4.1.11).</P>
+<H2><A NAME="confidentialityRequired (13)">H.15. confidentialityRequired (13)</A></H2>
 <P>Indicates that data confidentiality protections are required.</P>
-<H2><A NAME="{{saslBindInProgress (14)}}">H.16. <EM>saslBindInProgress (14)</EM></A></H2>
-<P>Indicates the server requires the client to send a new bind request, with the same SASL mechanism, to continue the authentication process (see Section 4.2).</P>
-<H2><A NAME="{{noSuchAttribute (16)}}">H.17. <EM>noSuchAttribute (16)</EM></A></H2>
+<H2><A NAME="saslBindInProgress (14)">H.16. saslBindInProgress (14)</A></H2>
+<P>Indicates the server requires the client to send a new bind request, with the same SASL mechanism, to continue the authentication process (see <A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A> Section 4.2).</P>
+<H2><A NAME="noSuchAttribute (16)">H.17. noSuchAttribute (16)</A></H2>
 <P>Indicates that the named entry does not contain the specified attribute or attribute value.</P>
-<H2><A NAME="{{undefinedAttributeType (17)}}">H.18. <EM>undefinedAttributeType (17)</EM></A></H2>
+<H2><A NAME="undefinedAttributeType (17)">H.18. undefinedAttributeType (17)</A></H2>
 <P>Indicates that a request field contains an unrecognized attribute description.</P>
-<H2><A NAME="{{inappropriateMatching (18)}}">H.19. <EM>inappropriateMatching (18)</EM></A></H2>
+<H2><A NAME="inappropriateMatching (18)">H.19. inappropriateMatching (18)</A></H2>
 <P>Indicates that an attempt was made (e.g., in an assertion) to use a matching rule not defined for the attribute type concerned.</P>
-<H2><A NAME="{{constraintViolation (19)}}">H.20. <EM>constraintViolation (19)</EM></A></H2>
+<H2><A NAME="constraintViolation (19)">H.20. constraintViolation (19)</A></H2>
 <P>Indicates that the client supplied an attribute value that does not conform to the constraints placed upon it by the data model.</P>
 <P>For example, this code is returned when multiple values are supplied to an attribute that has a SINGLE-VALUE constraint.</P>
-<H2><A NAME="{{attributeOrValueExists (20)}}">H.21. <EM>attributeOrValueExists (20)</EM></A></H2>
+<H2><A NAME="attributeOrValueExists (20)">H.21. attributeOrValueExists (20)</A></H2>
 <P>Indicates that the client supplied an attribute or value to be added to an entry, but the attribute or value already exists.</P>
-<H2><A NAME="{{invalidAttributeSyntax (21)}}">H.22. <EM>invalidAttributeSyntax (21)</EM></A></H2>
+<H2><A NAME="invalidAttributeSyntax (21)">H.22. invalidAttributeSyntax (21)</A></H2>
 <P>Indicates that a purported attribute value does not conform to the syntax of the attribute.</P>
-<H2><A NAME="{{noSuchObject (32)}}">H.23. <EM>noSuchObject (32)</EM></A></H2>
+<H2><A NAME="noSuchObject (32)">H.23. noSuchObject (32)</A></H2>
 <P>Indicates that the object does not exist in the DIT.</P>
-<H2><A NAME="{{aliasProblem (33)}}">H.24. <EM>aliasProblem (33)</EM></A></H2>
+<H2><A NAME="aliasProblem (33)">H.24. aliasProblem (33)</A></H2>
 <P>Indicates that an alias problem has occurred.  For example, the code may used to indicate an alias has been dereferenced that names no object.</P>
-<H2><A NAME="{{invalidDNSyntax (34)}}">H.25. <EM>invalidDNSyntax (34)</EM></A></H2>
+<H2><A NAME="invalidDNSyntax (34)">H.25. invalidDNSyntax (34)</A></H2>
 <P>Indicates that an LDAPDN or RelativeLDAPDN field (e.g., search base, target entry, ModifyDN newrdn, etc.) of a request does not conform to the required syntax or contains attribute values that do not conform to the syntax of the attribute's type.</P>
-<H2><A NAME="{{aliasDereferencingProblem (36)}}">H.26. <EM>aliasDereferencingProblem (36)</EM></A></H2>
+<H2><A NAME="aliasDereferencingProblem (36)">H.26. aliasDereferencingProblem (36)</A></H2>
 <P>Indicates that a problem occurred while dereferencing an alias.  Typically, an alias was encountered in a situation where it was not allowed or where access was denied.</P>
-<H2><A NAME="{{inappropriateAuthentication (48)}}">H.27. <EM>inappropriateAuthentication (48)</EM></A></H2>
+<H2><A NAME="inappropriateAuthentication (48)">H.27. inappropriateAuthentication (48)</A></H2>
 <P>Indicates the server requires the client that had attempted to bind anonymously or without supplying credentials to provide some form of credentials.</P>
-<H2><A NAME="{{invalidCredentials (49)}}">H.28. <EM>invalidCredentials (49)</EM></A></H2>
+<H2><A NAME="invalidCredentials (49)">H.28. invalidCredentials (49)</A></H2>
 <P>Indicates that the provided credentials (e.g., the user's name and password) are invalid.</P>
-<H2><A NAME="{{insufficientAccessRights (50)}}">H.29. <EM>insufficientAccessRights (50)</EM></A></H2>
+<H2><A NAME="insufficientAccessRights (50)">H.29. insufficientAccessRights (50)</A></H2>
 <P>Indicates that the client does not have sufficient access rights to perform the operation.</P>
-<H2><A NAME="{{busy (51)}}">H.30. <EM>busy (51)</EM></A></H2>
+<H2><A NAME="busy (51)">H.30. busy (51)</A></H2>
 <P>Indicates that the server is too busy to service the operation.</P>
-<H2><A NAME="{{unavailable (52)}}">H.31. <EM>unavailable (52)</EM></A></H2>
+<H2><A NAME="unavailable (52)">H.31. unavailable (52)</A></H2>
 <P>Indicates that the server is shutting down or a subsystem necessary to complete the operation is offline.</P>
-<H2><A NAME="{{unwillingToPerform (53)}}">H.32. <EM>unwillingToPerform (53)</EM></A></H2>
+<H2><A NAME="unwillingToPerform (53)">H.32. unwillingToPerform (53)</A></H2>
 <P>Indicates that the server is unwilling to perform the operation.</P>
-<H2><A NAME="{{loopDetect (54)}}">H.33. <EM>loopDetect (54)</EM></A></H2>
+<H2><A NAME="loopDetect (54)">H.33. loopDetect (54)</A></H2>
 <P>Indicates that the server has detected an internal loop (e.g., while dereferencing aliases or chaining an operation).</P>
-<H2><A NAME="{{namingViolation (64)}}">H.34. <EM>namingViolation (64)</EM></A></H2>
+<H2><A NAME="namingViolation (64)">H.34. namingViolation (64)</A></H2>
 <P>Indicates that the entry's name violates naming restrictions.</P>
-<H2><A NAME="{{objectClassViolation (65)}}">H.35. <EM>objectClassViolation (65)</EM></A></H2>
+<H2><A NAME="objectClassViolation (65)">H.35. objectClassViolation (65)</A></H2>
 <P>Indicates that the entry violates object class restrictions.</P>
-<H2><A NAME="{{notAllowedOnNonLeaf (66)}}">H.36. <EM>notAllowedOnNonLeaf (66)</EM></A></H2>
+<H2><A NAME="notAllowedOnNonLeaf (66)">H.36. notAllowedOnNonLeaf (66)</A></H2>
 <P>Indicates that the operation is inappropriately acting upon a non-leaf entry.</P>
-<H2><A NAME="{{notAllowedOnRDN (67)}}">H.37. <EM>notAllowedOnRDN (67)</EM></A></H2>
+<H2><A NAME="notAllowedOnRDN (67)">H.37. notAllowedOnRDN (67)</A></H2>
 <P>Indicates that the operation is inappropriately attempting to remove a value that forms the entry's relative distinguished name.</P>
-<H2><A NAME="{{entryAlreadyExists (68)}}">H.38. <EM>entryAlreadyExists (68)</EM></A></H2>
+<H2><A NAME="entryAlreadyExists (68)">H.38. entryAlreadyExists (68)</A></H2>
 <P>Indicates that the request cannot be fulfilled (added, moved, or renamed) as the target entry already exists.</P>
-<H2><A NAME="{{objectClassModsProhibited (69)}}">H.39. <EM>objectClassModsProhibited (69)</EM></A></H2>
+<H2><A NAME="objectClassModsProhibited (69)">H.39. objectClassModsProhibited (69)</A></H2>
 <P>Indicates that an attempt to modify the object class(es) of an entry's 'objectClass' attribute is prohibited.</P>
 <P>For example, this code is returned when a client attempts to modify the structural object class of an entry.</P>
-<H2><A NAME="{{affectsMultipleDSAs (71)}}">H.40. <EM>affectsMultipleDSAs (71)</EM></A></H2>
+<H2><A NAME="affectsMultipleDSAs (71)">H.40. affectsMultipleDSAs (71)</A></H2>
 <P>Indicates that the operation cannot be performed as it would affect multiple servers (DSAs).</P>
-<H2><A NAME="{{other (80)}}">H.41. <EM>other (80)</EM></A></H2>
+<H2><A NAME="other (80)">H.41. other (80)</A></H2>
 <P>Indicates the server has encountered an internal error.</P>
 <P></P>
 <HR>
@@ -10707,7 +10713,7 @@
 </TR>
 <TR>
 <TD>
-<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4511</A>
+<A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">RFC4511</A>
 </TD>
 <TD>
 Lightweight Directory Access Protocol (LDAP): The Protocol
@@ -10716,7 +10722,7 @@
 PS
 </TD>
 <TD>
-<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">http://www.rfc-editor.org/rfc/rfc4512.txt</A>
+<A HREF="http://www.rfc-editor.org/rfc/rfc4511.txt">http://www.rfc-editor.org/rfc/rfc4511.txt</A>
 </TD>
 </TR>
 <TR>

Modified: openldap/vendor/openldap-release/doc/guide/admin/overlays.sdf
===================================================================
--- openldap/vendor/openldap-release/doc/guide/admin/overlays.sdf	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/admin/overlays.sdf	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.27 2009/08/25 23:01:58 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/overlays.sdf,v 1.8.2.28 2009/12/16 19:07:08 quanah Exp $
 # Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
@@ -551,18 +551,23 @@
 
 In {{F:slapd.conf}}(5):
 
+>       include /path/to/dyngroup.schema
+>       ...
 >       overlay dynlist
->       dynlist-attrset groupOfNames labeledURI member
+>       dynlist-attrset groupOfURLs labeledURI member
++
++Note: We must include the {{F:dyngroup.schema}} file that defines the
++{{F:groupOfURLs}} objectClass used in this example.
 
 Let's apply it to the following entry:
 
 >       cn=allusers,ou=group,dc=example,dc=com
 >       cn: all
->       objectClass: groupOfNames
+>       objectClass: groupOfURLs
 >       labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
 
 The behavior is similar to the dynamic list configuration we had before:
-whenever an entry with the {{F:groupOfNames}} object class is retrieved, the
+whenever an entry with the {{F:groupOfURLs}} object class is retrieved, the
 search specified in the {{F:labeledURI}} attribute is performed. But this time,
 only the distinguished names of the results are added, and as values of the
 {{F:member}} attribute.

Modified: openldap/vendor/openldap-release/doc/guide/admin/set-recursivegroup.png
===================================================================
(Binary files differ)

Modified: openldap/vendor/openldap-release/doc/guide/images/src/allusersgroup-en.svg
===================================================================
--- openldap/vendor/openldap-release/doc/guide/images/src/allusersgroup-en.svg	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/images/src/allusersgroup-en.svg	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
+
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:cc="http://creativecommons.org/ns#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:svg="http://www.w3.org/2000/svg"
    xmlns="http://www.w3.org/2000/svg"
@@ -12,16 +13,22 @@
    height="107.84196"
    id="svg2"
    sodipodi:version="0.32"
-   inkscape:version="0.45.1"
+   inkscape:version="0.46+devel"
    version="1.0"
-   sodipodi:docbase="/home/andreas/palestra"
    sodipodi:docname="allusersgroup-en.svg"
    inkscape:output_extension="org.inkscape.output.svg.inkscape"
-   inkscape:export-filename="/home/andreas/palestra/ppolicy.png"
-   inkscape:export-xdpi="136.2"
-   inkscape:export-ydpi="136.2">
+   inkscape:export-filename="/anything/src/openldap/ldap/doc/guide/admin/allusersgroup-en.png"
+   inkscape:export-xdpi="107.65753"
+   inkscape:export-ydpi="107.65753">
   <defs
      id="defs4">
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 53.920979 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="419.4133 : 53.920979 : 1"
+       inkscape:persp3d-origin="209.70665 : 35.947319 : 1"
+       id="perspective30" />
     <marker
        inkscape:stockid="Arrow2Lstart"
        orient="auto"
@@ -63,11 +70,12 @@
      inkscape:current-layer="layer1"
      showgrid="true"
      showguides="true"
-     inkscape:window-width="1280"
-     inkscape:window-height="953"
+     inkscape:window-width="1274"
+     inkscape:window-height="950"
      inkscape:window-x="0"
-     inkscape:window-y="24"
-     inkscape:guide-bbox="true" />
+     inkscape:window-y="25"
+     inkscape:guide-bbox="true"
+     inkscape:window-maximized="0" />
   <metadata
      id="metadata7">
     <rdf:RDF>
@@ -76,6 +84,7 @@
         <dc:format>image/svg+xml</dc:format>
         <dc:type
            rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
       </cc:Work>
     </rdf:RDF>
   </metadata>
@@ -106,7 +115,7 @@
          y="78.033184"
          id="tspan5379">objectClass: <tspan
    style="font-weight:bold"
-   id="tspan5396">groupOfNames</tspan></tspan><tspan
+   id="tspan5396">groupOfURLs</tspan></tspan><tspan
          sodipodi:role="line"
          x="116.88309"
          y="92.036435"

Modified: openldap/vendor/openldap-release/doc/guide/images/src/set-recursivegroup.svg
===================================================================
--- openldap/vendor/openldap-release/doc/guide/images/src/set-recursivegroup.svg	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/images/src/set-recursivegroup.svg	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
+
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://web.resource.org/cc/"
+   xmlns:cc="http://creativecommons.org/ns#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:svg="http://www.w3.org/2000/svg"
    xmlns="http://www.w3.org/2000/svg"
@@ -12,9 +13,8 @@
    height="212.5425"
    id="svg2"
    sodipodi:version="0.32"
-   inkscape:version="0.45.1"
+   inkscape:version="0.47pre4 r22446"
    version="1.0"
-   sodipodi:docbase="/home/andreas/cvs/openldap-guide/images/src"
    sodipodi:docname="set-recursivegroup.svg"
    inkscape:output_extension="org.inkscape.output.svg.inkscape"
    inkscape:export-filename="/home/andreas/set-recursivegroup.png"
@@ -22,6 +22,13 @@
    inkscape:export-ydpi="70.18">
   <defs
      id="defs4">
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 106.27125 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="833.63007 : 106.27125 : 1"
+       inkscape:persp3d-origin="416.81503 : 70.847499 : 1"
+       id="perspective3053" />
     <marker
        inkscape:stockid="Arrow1Lend"
        orient="auto"
@@ -95,19 +102,20 @@
      borderopacity="1.0"
      inkscape:pageopacity="0.0"
      inkscape:pageshadow="2"
-     inkscape:zoom="1.1313286"
-     inkscape:cx="471.10533"
-     inkscape:cy="166.19896"
+     inkscape:zoom="2.9689479"
+     inkscape:cx="232.40369"
+     inkscape:cy="118.87263"
      inkscape:document-units="px"
      inkscape:current-layer="layer1"
      showgrid="true"
      showguides="false"
-     inkscape:window-width="1280"
-     inkscape:window-height="953"
+     inkscape:window-width="1655"
+     inkscape:window-height="1001"
      inkscape:window-x="0"
-     inkscape:window-y="24"
+     inkscape:window-y="25"
      width="1052.3622px"
-     height="744.09449px" />
+     height="744.09449px"
+     inkscape:window-maximized="1" />
   <metadata
      id="metadata7">
     <rdf:RDF>
@@ -306,7 +314,7 @@
          id="text2170"
          y="86.335617"
          x="262.09247"
-         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
+         style="font-size:12px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;font-family:Bitstream Vera Sans"
          xml:space="preserve"><tspan
            y="86.335617"
            x="262.09247"
@@ -329,7 +337,7 @@
            id="tspan3297"
            y="146.33562"
            x="262.09247"
-           sodipodi:role="line">member: cn=accountadm,ou=people,dc=example,dc=com</tspan><tspan
+           sodipodi:role="line">member: cn=accountadm,ou=group,dc=example,dc=com</tspan><tspan
            id="tspan3411"
            y="161.33562"
            x="262.09247"
@@ -345,9 +353,9 @@
          id="rect7321"
          style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.97492063px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
       <rect
-         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none;stroke-width:0.69669151;stroke-opacity:1"
+         style="opacity:0.28915663;fill:#aa9ab2;fill-opacity:1;stroke:none"
          id="rect5582"
-         width="365.16586"
+         width="360.11356"
          height="31.950695"
          x="260.02518"
          y="120.25619"
@@ -378,7 +386,7 @@
        inkscape:export-ydpi="80.970001" />
     <path
        style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#Arrow2Lend);stroke-opacity:1"
-       d="M 407.72184,145.90577 C 440.42676,177.72675 428.93584,200.70858 374.13302,201.5925"
+       d="m 404.35364,144.89531 c 26.30535,21.71639 24.5822,55.81327 -30.22062,56.69719"
        id="path7689"
        sodipodi:nodetypes="cc"
        inkscape:export-filename="/home/andreas/set-recursivegroup.png"
@@ -406,7 +414,7 @@
          id="tspan9639"
          sodipodi:role="line">more<tspan
    id="tspan9641"
-   style="font-weight:bold"></tspan></tspan><tspan
+   style="font-weight:bold" /></tspan><tspan
          y="247.54912"
          x="473.47699"
          sodipodi:role="line"
@@ -427,7 +435,7 @@
          x="473.47699"
          y="112.54912">more<tspan
    style="font-weight:bold"
-   id="tspan9651"></tspan></tspan><tspan
+   id="tspan9651" /></tspan><tspan
          id="tspan9653"
          sodipodi:role="line"
          x="473.47699"
@@ -448,7 +456,7 @@
          id="tspan10628"
          sodipodi:role="line">more<tspan
    id="tspan10630"
-   style="font-weight:bold"></tspan></tspan><tspan
+   style="font-weight:bold" /></tspan><tspan
          y="188.85262"
          x="431.01266"
          sodipodi:role="line"

Modified: openldap/vendor/openldap-release/doc/guide/preamble.sdf
===================================================================
--- openldap/vendor/openldap-release/doc/guide/preamble.sdf	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/guide/preamble.sdf	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-# $OpenLDAP: pkg/openldap-guide/preamble.sdf,v 1.70.2.9 2009/01/22 00:00:47 kurt Exp $
+# $OpenLDAP: pkg/openldap-guide/preamble.sdf,v 1.70.2.10 2009/11/24 02:41:10 quanah Exp $
 # Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
  
@@ -296,7 +296,7 @@
 RFC4346|PS|The Transport Layer Security (TLS) Protocol, Version 1.1|http://www.rfc-editor.org/rfc/rfc4346.txt
 RFC4422|PS|Simple Authentication and Security Layer (SASL)|http://www.rfc-editor.org/rfc/rfc4422.txt
 RFC4510|PS|Lightweight Directory Access Protocol (LDAP): Technical Specification Roadmap|http://www.rfc-editor.org/rfc/rfc4510.txt
-RFC4511|PS|Lightweight Directory Access Protocol (LDAP): The Protocol|http://www.rfc-editor.org/rfc/rfc4512.txt
+RFC4511|PS|Lightweight Directory Access Protocol (LDAP): The Protocol|http://www.rfc-editor.org/rfc/rfc4511.txt
 RFC4512|PS|Lightweight Directory Access Protocol (LDAP): Directory Information Models|http://www.rfc-editor.org/rfc/rfc4512.txt
 RFC4513|PS|Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms|http://www.rfc-editor.org/rfc/rfc4513.txt
 RFC4514|PS|Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names|http://www.rfc-editor.org/rfc/rfc4514.txt

Modified: openldap/vendor/openldap-release/doc/man/man3/ldap_get_dn.3
===================================================================
--- openldap/vendor/openldap-release/doc/man/man3/ldap_get_dn.3	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man3/ldap_get_dn.3	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 .TH LDAP_GET_DN 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_dn.3,v 1.28.2.6 2009/06/03 01:41:54 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_get_dn.3,v 1.28.2.7 2009/10/30 17:57:32 quanah Exp $
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
@@ -15,7 +15,7 @@
 char *ldap_get_dn( LDAP *ld, LDAPMessage *entry )
 .LP
 .ft B
-int ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
+int ldap_str2dn( const char *str, LDAPDN *dn, unsigned flags )
 .LP
 .ft B
 int ldap_dn2str( LDAPDN *dn, char **str, unsigned flags )
@@ -79,7 +79,7 @@
 } LDAPAVA;
 
 typedef LDAPAVA** LDAPRDN;
-typedef LDAPRDN** LDAPDN;
+typedef LDAPRDN* LDAPDN;
 
 .ft
 .fi

Modified: openldap/vendor/openldap-release/doc/man/man3/ldap_result.3
===================================================================
--- openldap/vendor/openldap-release/doc/man/man3/ldap_result.3	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man3/ldap_result.3	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 .TH LDAP_RESULT 3 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_result.3,v 1.20.2.7 2009/06/19 21:57:43 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man3/ldap_result.3,v 1.20.2.8 2009/11/18 17:04:31 quanah Exp $
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
@@ -48,7 +48,11 @@
 is used. With the default setting,
 the  select  blocks  indefinitely.   To
 effect  a  poll,  the  timeout argument should be a non-NULL
-pointer, pointing to a zero-valued timeval structure.  See
+pointer, pointing to a zero-valued timeval structure.
+To obtain the behavior of the default setting, bypassing any value set by 
+.BR ldap_set_option (3),
+set to -1 the \fItv_sec\fP field of the \fItimeout\fP parameter.
+See
 .BR select (2)
 for further details.
 .LP

Modified: openldap/vendor/openldap-release/doc/man/man5/ldap.conf.5
===================================================================
--- openldap/vendor/openldap-release/doc/man/man5/ldap.conf.5	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man5/ldap.conf.5	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 .TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldap.conf.5,v 1.33.2.12 2009/06/03 01:41:55 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/ldap.conf.5,v 1.33.2.13 2009/11/18 20:41:15 quanah Exp $
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .SH NAME
@@ -53,15 +53,16 @@
     user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
     system file  $LDAPCONF,
     user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
-    variables    $LDAP<option-name>.
+    variables    $LDAP<uppercase option name>.
 .fi
 Settings late in the list override earlier ones.
-.SH OPTIONS
+.SH SYNTAX
 The configuration options are case-insensitive;
 their value, on a case by case basis, may be case-sensitive.
 .LP
-Blank lines and lines beginning with a hash mark (`#')
-are ignored up to their end.
+Blank lines are ignored.
+.br
+Lines beginning with a hash mark (`#') are comments, and ignored.
 .LP
 Valid lines are made of an option's name (a sequence of non-blanks,
 conventionally written in uppercase, although not required), 
@@ -74,19 +75,27 @@
 may be incorrect, as the quotes would become part of the value.
 For example,
 
-	URI	"ldap:// ldaps://"
+.nf
+	# Wrong - erroneous quotes:
+	URI     "ldap:// ldaps://"
 
-is incorrect, while
+	# Right - space-separated list of URIs, without quotes:
+	URI     ldap:// ldaps://
 
-	URI	ldap:// ldaps://
+	# Right - DN syntax needs quoting for Example, Inc:
+	BASE    ou=IT staff,o="Example, Inc",c=US
+	# or:
+	BASE    ou=IT staff,o=Example2C Inc,c=US
 
-is correct (note the absence of the double quotes).
+	# Wrong - comment on same line as option:
+	DEREF   never           # Never follow aliases
+.fi
 .LP
 A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
 on all platforms.
 There is no mechanism to split a long line on multiple lines, either for
 beautification or to overcome the above limit.
-.LP
+.SH OPTIONS
 The different configuration options are:
 .TP
 .B URI <ldap[si]://[name[:port]] ...>

Modified: openldap/vendor/openldap-release/doc/man/man5/slapd-config.5
===================================================================
--- openldap/vendor/openldap-release/doc/man/man5/slapd-config.5	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man5/slapd-config.5	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,7 +1,7 @@
 .TH SLAPD-CONFIG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.19 2009/08/25 22:44:24 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-config.5,v 1.13.2.23 2009/11/22 20:31:59 quanah Exp $
 .SH NAME
 slapd\-config \- configuration backend to slapd
 .SH SYNOPSIS
@@ -172,6 +172,22 @@
 OpenLDAP also has the `binary' option built in, but this is a transfer
 option, not a tagging option.
 .TP
+.B olcAuthIDRewrite: <rewrite\-rule>
+Used by the authentication framework to convert simple user names
+to an LDAP DN used for authorization purposes.
+Its purpose is analogous to that of
+.BR olcAuthzRegexp
+(see below).
+The
+.B rewrite\-rule
+is a set of rules analogous to those described in
+.BR slapo\-rwm (5)
+for data rewriting (after stripping the \fIrwm\-\fP prefix).
+.B olcAuthIDRewrite
+and
+.B olcAuthzRegexp
+should not be intermixed.
+.TP
 .B olcAuthzPolicy: <policy>
 Used to specify which rules to use for Proxy Authorization.  Proxy
 authorization allows a client to authenticate to the server using one
@@ -723,7 +739,10 @@
 size allowed.  0 disables security layers.  The default is 65536.
 .TP
 .B olcServerID: <integer> [<URL>]
-Specify an integer ID from 0 to 4095 for this server. These IDs are
+Specify an integer ID from 0 to 4095 for this server (limited
+to 3 hexadecimal digits).  The ID may also be specified as a
+hexadecimal ID by prefixing the value with "0x".
+These IDs are
 required when using multimaster replication and each master must have a
 unique ID. Note that this requirement also applies to separate masters
 contributing to a glued set of databases.
@@ -1611,6 +1630,11 @@
 You may also want to glue such databases together with the
 .B olcSubordinate
 attribute.
+.TP
+.B olcSyncUseSubentry: TRUE | FALSE
+Store the syncrepl contextCSN in a subentry instead of the context entry
+of the database. The subentry's RDN will be "cn=ldapsync". The default is
+FALSE, meaning the contextCSN is stored in the context entry.
 .HP
 .hy 0
 .B olcSyncrepl: rid=<replica ID>
@@ -1668,7 +1692,7 @@
 identifies the current
 .B syncrepl
 directive within the replication consumer site.
-It is a non-negative integer having no more than three digits.
+It is a non-negative integer having no more than three decimal digits.
 
 .B provider
 specifies the replication provider site containing the master content

Modified: openldap/vendor/openldap-release/doc/man/man5/slapd-meta.5
===================================================================
--- openldap/vendor/openldap-release/doc/man/man5/slapd-meta.5	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man5/slapd-meta.5	2010-04-10 16:14:23 UTC (rev 1246)
@@ -2,7 +2,7 @@
 .\" Copyright 1998-2009 The OpenLDAP Foundation, All Rights Reserved.
 .\" Copying restrictions apply.  See the COPYRIGHT file.
 .\" Copyright 2001, Pierangelo Masarati, All rights reserved. <ando at sys-net.it>
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-meta.5,v 1.46.2.16 2009/06/03 01:41:56 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd-meta.5,v 1.46.2.17 2009/12/15 20:37:40 quanah Exp $
 .\"
 .\" Portions of this document should probably be moved to slapd-ldap(5)
 .\" and maybe manual pages for librewrite.
@@ -174,7 +174,9 @@
 This directive, when set to 
 .BR yes ,
 causes the authentication to the remote servers with the pseudo-root
-identity to be deferred until actually needed by subsequent operations.
+identity (the identity defined in each
+.B idassert-bind
+directive) to be deferred until actually needed by subsequent operations.
 Otherwise, all binds as the rootdn are propagated to the targets.
 
 .TP
@@ -539,20 +541,16 @@
 
 .TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
-This directive, if present, sets the DN that will be substituted to
-the bind DN if a bind with the backend's "rootdn" succeeds.
-The true "rootdn" of the target server ought not be used; an arbitrary
-administrative DN should used instead.
+Deprecated; use
+.B idassert\-bind
+instead.
 
 .TP
 .B pseudorootpw "<substitute password in case of rootdn bind>"
-This directive sets the credential that will be used in case a bind
-with the backend's "rootdn" succeeds, and the bind is propagated to
-the target using the "pseudorootdn" DN.
+Deprecated; use
+.B idassert\-bind
+instead.
 
-Note: cleartext credentials must be supplied here; as a consequence,
-using the pseudorootdn/pseudorootpw directives is inherently unsafe.
-
 .TP
 .B rewrite* ...
 The rewrite options are described in the "REWRITING" section.

Modified: openldap/vendor/openldap-release/doc/man/man5/slapd.conf.5
===================================================================
--- openldap/vendor/openldap-release/doc/man/man5/slapd.conf.5	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man5/slapd.conf.5	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,7 +1,7 @@
 .TH SLAPD.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.33 2009/08/25 22:44:24 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapd.conf.5,v 1.239.2.37 2009/11/22 20:31:59 quanah Exp $
 .SH NAME
 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
 .SH SYNOPSIS
@@ -162,6 +162,21 @@
 description.) 
 .RE
 .TP
+.B authid\-rewrite<cmd> <args>
+Used by the authentication framework to convert simple user names
+to an LDAP DN used for authorization purposes.
+Its purpose is analogous to that of
+.BR authz-regexp
+(see below).
+The prefix \fIauthid\-\fP is followed by a set of rules analogous
+to those described in
+.BR slapo\-rwm (5)
+for data rewriting (replace the \fIrwm\-\fP prefix with \fIauthid\-\fP).
+.B authid\-rewrite<cmd>
+and
+.B authz\-regexp
+rules should not be intermixed.
+.TP
 .B authz\-policy <policy>
 Used to specify which rules to use for Proxy Authorization.  Proxy
 authorization allows a client to authenticate to the server using one
@@ -915,7 +930,8 @@
 .TP
 .B serverID <integer> [<URL>]
 Specify an integer ID from 0 to 4095 for this server (limited
-to 3 hexadecimal digits).
+to 3 hexadecimal digits).  The ID may also be specified as a
+hexadecimal ID by prefixing the value with "0x".
 These IDs are
 required when using multimaster replication and each master must have a
 unique ID. Note that this requirement also applies to separate masters
@@ -1601,6 +1617,11 @@
 	overlay syncprov
 .fi
 .RE
+.TP
+.B sync_use_subentry 
+Store the syncrepl contextCSN in a subentry instead of the context entry
+of the database. The subentry's RDN will be "cn=ldapsync". By default
+the contextCSN is stored in the context entry.
 .HP
 .hy 0
 .B syncrepl rid=<replica ID>
@@ -1657,8 +1678,8 @@
 identifies the current
 .B syncrepl
 directive within the replication consumer site.
-It is a non-negative integer not greater than 4095 (limited
-to three hexadecimal digits).
+It is a non-negative integer not greater than 999 (limited
+to three decimal digits).
 
 .B provider
 specifies the replication provider site containing the master content

Modified: openldap/vendor/openldap-release/doc/man/man5/slapo-ppolicy.5
===================================================================
--- openldap/vendor/openldap-release/doc/man/man5/slapo-ppolicy.5	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man5/slapo-ppolicy.5	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,7 +1,7 @@
 .TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-ppolicy.5,v 1.12.2.12 2009/07/01 20:44:21 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-ppolicy.5,v 1.12.2.13 2009/10/30 18:03:16 quanah Exp $
 .SH NAME
 slapo\-ppolicy \- Password Policy overlay to slapd
 .SH SYNOPSIS
@@ -590,7 +590,10 @@
 authenticate the user to the directory.  If
 .B pwdAccountLockedTime   
 is set to 000001010000Z, the user's account has been permanently locked
-and may only be unlocked by an administrator.
+and may only be unlocked by an administrator. Note that account locking
+only takes effect when the
+.B pwdLockout
+password policy attribute is set to "TRUE".
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.17

Modified: openldap/vendor/openldap-release/doc/man/man8/slapcat.8
===================================================================
--- openldap/vendor/openldap-release/doc/man/man8/slapcat.8	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man8/slapcat.8	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,7 +1,7 @@
 .TH SLAPCAT 8C "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 1998-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapcat.8,v 1.28.2.11 2009/06/03 01:42:01 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slapcat.8,v 1.28.2.12 2009/09/29 19:05:44 quanah Exp $
 .SH NAME
 slapcat \- SLAPD database to LDIF utility
 .SH SYNOPSIS
@@ -118,6 +118,7 @@
 .BR slapd\-config (5),
 is always the first database, so use
 .B \-n 0
+to select it.
 
 The
 .B \-n

Modified: openldap/vendor/openldap-release/doc/man/man8/slaptest.8
===================================================================
--- openldap/vendor/openldap-release/doc/man/man8/slaptest.8	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/doc/man/man8/slaptest.8	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,7 +1,7 @@
 .TH SLAPTEST 8C "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/doc/man/man8/slaptest.8,v 1.7.2.10 2009/06/03 01:42:01 quanah Exp $
+.\" $OpenLDAP: pkg/ldap/doc/man/man8/slaptest.8,v 1.7.2.11 2009/09/29 19:05:44 quanah Exp $
 .SH NAME
 slaptest \- Check the suitability of the OpenLDAP slapd.conf file
 .SH SYNOPSIS
@@ -13,6 +13,8 @@
 [\c
 .BI \-F \ confdir\fR]
 [\c
+.BI \-n dbnum\fR]
+[\c
 .BI \-o \ option\fR[ = value\fR]]
 [\c
 .BR \-Q ]
@@ -62,6 +64,15 @@
 default config file is ignored. If dry-run mode is also specified,
 no conversion will occur.
 .TP
+.BI \-n \ dbnum
+Just open and test the \fIdbnum\fR-th database listed in the
+configuration file. 
+To only test the config database
+.BR slapd\-config (5),
+use 
+.B \-n 0
+as it is always the first database.
+.TP
 .BI \-o \ option\fR[ = value\fR]
 Specify an
 .I option

Modified: openldap/vendor/openldap-release/include/ac/param.h
===================================================================
--- openldap/vendor/openldap-release/include/ac/param.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/ac/param.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* Generic param.h */
-/* $OpenLDAP: pkg/ldap/include/ac/param.h,v 1.13.2.4 2009/01/22 00:00:52 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/param.h,v 1.13.2.5 2009/10/30 18:38:01 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -21,6 +21,9 @@
 #include <sys/param.h>
 #endif
 
+/* MAXPATHLEN should come from <unistd.h> */
+#include <ac/unistd.h>
+
 #ifndef MAXPATHLEN
 #	if defined(PATH_MAX)
 #		define MAXPATHLEN	PATH_MAX

Modified: openldap/vendor/openldap-release/include/ac/socket.h
===================================================================
--- openldap/vendor/openldap-release/include/ac/socket.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/ac/socket.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* Generic socket.h */
-/* $OpenLDAP: pkg/ldap/include/ac/socket.h,v 1.67.2.5 2009/01/22 00:00:52 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/socket.h,v 1.67.2.6 2009/10/31 00:00:31 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -82,14 +82,14 @@
 #undef	sock_errstr
 #define sock_errno()	errno
 #define sock_errstr(e)	STRERROR(e)
-#define sock_errset(e)	errno = (e)
+#define sock_errset(e)	((void) (errno = (e)))
 
 #ifdef HAVE_WINSOCK
 #	define tcp_read( s, buf, len )	recv( s, buf, len, 0 )
 #	define tcp_write( s, buf, len )	send( s, buf, len, 0 )
 #	define ioctl( s, c, a )		ioctlsocket( (s), (c), (a) )
 #	define ioctl_t				u_long
-#	define AC_SOCKET_INVALID	((unsigned int) ~0)
+#	define AC_SOCKET_INVALID	((unsigned int) -1)
 
 #	ifdef SD_BOTH
 #		define tcp_close( s )	(shutdown( s, SD_BOTH ), closesocket( s ))

Modified: openldap/vendor/openldap-release/include/ac/string.h
===================================================================
--- openldap/vendor/openldap-release/include/ac/string.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/ac/string.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* Generic string.h */
-/* $OpenLDAP: pkg/ldap/include/ac/string.h,v 1.51.2.4 2009/01/22 00:00:52 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ac/string.h,v 1.51.2.6 2009/11/20 22:13:43 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -94,12 +94,11 @@
 #define memcmp lutil_memcmp
 #endif
 
+void *(lutil_memrchr)(const void *b, int c, size_t n);
 /* GNU extension (glibc >= 2.1.91), only declared when defined(_GNU_SOURCE) */
-#ifndef HAVE_MEMRCHR
-#undef memrchr
-#define memrchr lutil_memrchr
+#if defined(HAVE_MEMRCHR) && defined(_GNU_SOURCE)
+#define lutil_memrchr(b, c, n) memrchr(b, c, n)
 #endif /* ! HAVE_MEMRCHR */
-void * memrchr(const void *b, int c, size_t len);
 
 #define STRLENOF(s)	(sizeof(s)-1)
 

Modified: openldap/vendor/openldap-release/include/lber.h
===================================================================
--- openldap/vendor/openldap-release/include/lber.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/lber.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/include/lber.h,v 1.99.2.8 2009/08/13 00:56:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lber.h,v 1.99.2.11 2009/12/02 16:54:36 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -31,9 +31,13 @@
 
 LDAP_BEGIN_DECL
 
-/* Overview of LBER tag construction
+/*
+ * ber_tag_t represents the identifier octets at the beginning of BER
+ * elements.  OpenLDAP treats them as mere big-endian unsigned integers.
  *
- *	Bits
+ * Actually the BER identifier octets look like this:
+ *
+ *	Bits of 1st octet:
  *	______
  *	8 7 | CLASS
  *	0 0 = UNIVERSAL
@@ -46,16 +50,20 @@
  *		  1 = CONSTRUCTED
  *			___________
  *			| 5 ... 1 | TAG-NUMBER
+ *
+ *  For ASN.1 tag numbers >= 0x1F, TAG-NUMBER above is 0x1F and the next
+ *  BER octets contain the actual ASN.1 tag number:  Big-endian, base
+ *  128, 8.bit = 1 in all but the last octet, minimum number of octets.
  */
 
-/* BER classes and mask */
+/* BER classes and mask (in 1st identifier octet) */
 #define LBER_CLASS_UNIVERSAL	((ber_tag_t) 0x00U)
 #define LBER_CLASS_APPLICATION	((ber_tag_t) 0x40U)
 #define LBER_CLASS_CONTEXT		((ber_tag_t) 0x80U)
 #define LBER_CLASS_PRIVATE		((ber_tag_t) 0xc0U)
 #define LBER_CLASS_MASK			((ber_tag_t) 0xc0U)
 
-/* BER encoding type and mask */
+/* BER encoding type and mask (in 1st identifier octet) */
 #define LBER_PRIMITIVE			((ber_tag_t) 0x00U)
 #define LBER_CONSTRUCTED		((ber_tag_t) 0x20U)
 #define LBER_ENCODING_MASK		((ber_tag_t) 0x20U)
@@ -64,13 +72,10 @@
 #define LBER_MORE_TAG_MASK		((ber_tag_t) 0x80U)
 
 /*
- * Note that LBER_ERROR and LBER_DEFAULT are values that can never appear
- * as valid BER tags, and so it is safe to use them to report errors.  In
- * fact, any tag for which the following is true is invalid:
+ * LBER_ERROR and LBER_DEFAULT are values that can never appear
+ * as valid BER tags, so it is safe to use them to report errors.
+ * Valid tags have (tag & (ber_tag_t) 0xFF) != 0xFF.
  */
-#define LBER_INVALID(t)     (((t) & (ber_tag_t) 0x080UL) \
-	&& (((t) & (ber_tag_t) ~ 0x0FF))
-
 #define LBER_ERROR			((ber_tag_t) -1)
 #define LBER_DEFAULT		((ber_tag_t) -1)
 
@@ -278,6 +283,10 @@
 
 #define	LBER_BV_ALLOC	0x01	/* allocate/copy result, otherwise in-place */
 #define	LBER_BV_NOTERM	0x02	/* omit NUL-terminator if parsing in-place */
+#define	LBER_BV_STRING	0x04	/* fail if berval contains embedded \0 */
+/* LBER_BV_STRING currently accepts a terminating \0 in the berval, because
+ * Active Directory sends that in at least the diagonsticMessage field.
+ */
 
 LBER_F( ber_tag_t )
 ber_get_stringbv LDAP_P((

Modified: openldap/vendor/openldap-release/include/lber_pvt.h
===================================================================
--- openldap/vendor/openldap-release/include/lber_pvt.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/lber_pvt.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/include/lber_pvt.h,v 1.35.2.6 2009/01/22 00:00:51 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lber_pvt.h,v 1.35.2.7 2009/11/20 22:13:43 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -173,7 +173,7 @@
 	((char *) memchr( (bv)->bv_val, (c), (bv)->bv_len ))
 
 #define ber_bvrchr(bv,c) \
-	((char *) memrchr( (bv)->bv_val, (c), (bv)->bv_len ))
+	((char *) lutil_memrchr( (bv)->bv_val, (c), (bv)->bv_len ))
 
 #define ber_bvchr_post(dst,bv,c) \
 	do { \
@@ -190,13 +190,13 @@
 
 #define ber_bvrchr_post(dst,bv,c) \
 	do { \
-		(dst)->bv_val = memrchr( (bv)->bv_val, (c), (bv)->bv_len ); \
+		(dst)->bv_val = lutil_memrchr( (bv)->bv_val, (c), (bv)->bv_len ); \
 		(dst)->bv_len = (dst)->bv_val ? (bv)->bv_len - ((dst)->bv_val - (bv)->bv_val) : 0; \
 	} while (0)
 
 #define ber_bvrchr_pre(dst,bv,c) \
 	do { \
-		(dst)->bv_val = memrchr( (bv)->bv_val, (c), (bv)->bv_len ); \
+		(dst)->bv_val = lutil_memrchr( (bv)->bv_val, (c), (bv)->bv_len ); \
 		(dst)->bv_len = (dst)->bv_val ? ((dst)->bv_val - (bv)->bv_val) : (bv)->bv_len; \
 		(dst)->bv_val = (bv)->bv_val; \
 	} while (0)

Modified: openldap/vendor/openldap-release/include/ldap_log.h
===================================================================
--- openldap/vendor/openldap-release/include/ldap_log.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/ldap_log.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_log.h,v 1.40.2.6 2009/01/22 00:00:52 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_log.h,v 1.40.2.7 2009/10/30 17:52:53 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -123,7 +123,7 @@
 #define LDAP_DEBUG_SYNC		0x4000
 
 #define LDAP_DEBUG_NONE		0x8000
-#define LDAP_DEBUG_ANY		-1
+#define LDAP_DEBUG_ANY		(-1)
 
 /* debugging stuff */
 #ifdef LDAP_DEBUG

Modified: openldap/vendor/openldap-release/include/ldap_pvt.h
===================================================================
--- openldap/vendor/openldap-release/include/ldap_pvt.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/ldap_pvt.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/include/ldap_pvt.h,v 1.91.2.10 2009/02/17 19:14:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/include/ldap_pvt.h,v 1.91.2.11 2009/10/31 00:11:22 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  * 
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -262,6 +262,8 @@
 	Sockbuf_Buf				sec_buf_in;
 	Sockbuf_Buf				buf_in;
 	Sockbuf_Buf				buf_out;
+	unsigned int				flags;
+#define LDAP_PVT_SASL_PARTIAL_WRITE	1
 };
  
 #ifndef LDAP_PVT_SASL_LOCAL_SSF

Modified: openldap/vendor/openldap-release/include/lutil.h
===================================================================
--- openldap/vendor/openldap-release/include/lutil.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/include/lutil.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/include/lutil.h,v 1.63.2.7 2009/01/22 00:00:52 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/include/lutil.h,v 1.63.2.8 2009/11/17 17:18:11 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -198,6 +198,8 @@
 LDAP_LUTIL_F( char* )
 lutil_memcopy LDAP_P(( char *dst, const char *src, size_t n ));
 
+#define lutil_strbvcopy(a, bv) lutil_memcopy((a),(bv)->bv_val,(bv)->bv_len)
+
 struct tm;
 
 /* use this macro to statically allocate buffer for lutil_gentime */

Modified: openldap/vendor/openldap-release/libraries/liblber/decode.c
===================================================================
--- openldap/vendor/openldap-release/libraries/liblber/decode.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/liblber/decode.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* decode.c - ber input decoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.105.2.8 2009/08/13 00:56:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.105.2.10 2009/11/04 16:08:50 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -345,7 +345,7 @@
  */
 typedef struct bgbvr {
 	const enum bgbvc choice;
-	const int alloc;	/* choice == BvOff ? 0 : LBER_ALLOC */
+	const int option;	/* (ALLOC unless BvOff) | (STRING if ChArray) */
 	ber_len_t siz;		/* input array element size, output count */
 	ber_len_t off;		/* BvOff offset to the struct berval */
 	void *result;
@@ -418,9 +418,9 @@
 
 	n = 0;
 	do {
-		tag = ber_get_stringbv( ber, &bv, b->alloc );
+		tag = ber_get_stringbv( ber, &bv, b->option );
 		if ( tag == LBER_DEFAULT ) {
-			goto nomem;
+			goto failed;
 		}
 
 		/* store my result */
@@ -436,7 +436,7 @@
 				ber->ber_memctx );
 			if ( !bvp ) {
 				ber_memfree_x( bv.bv_val, ber->ber_memctx );
-				goto nomem;
+				goto failed;
 			}
 			res.bv[n] = bvp;
 			*bvp = bv;
@@ -449,8 +449,8 @@
 	} while (++n < i);
 	return tag;
 
-nomem:
-	if (b->choice != BvOff) {	/* BvOff does not have b->alloc set */
+failed:
+	if (b->choice != BvOff) { /* BvOff does not have LBER_BV_ALLOC set */
 		while (--n >= 0) {
 			switch(b->choice) {
 			case ChArray:
@@ -480,9 +480,12 @@
 	char		*data;
 
 	tag = ber_skip_element( ber, bv );
-	if ( tag == LBER_DEFAULT ) {
+	if ( tag == LBER_DEFAULT ||
+		(( option & LBER_BV_STRING ) &&
+		 bv->bv_len && memchr( bv->bv_val, 0, bv->bv_len - 1 )))
+	{
 		bv->bv_val = NULL;
-		return tag;
+		return LBER_DEFAULT;
 	}
 
 	data = bv->bv_val;
@@ -516,6 +519,13 @@
 		return tag;
 	}
 
+	if (( option & LBER_BV_STRING ) &&
+		memchr( bv->bv_val, 0, bv->bv_len - 1 ))
+	{
+		bv->bv_val = NULL;
+		return LBER_DEFAULT;
+	}
+
 	data = bv->bv_val;
 	if ( option & LBER_BV_ALLOC ) {
 		bv->bv_val = (char *) ber_memalloc_x( bv->bv_len + 1,
@@ -541,7 +551,7 @@
 
 	assert( buf != NULL );
 
-	tag = ber_get_stringbv( ber, &bv, LBER_BV_ALLOC );
+	tag = ber_get_stringbv( ber, &bv, LBER_BV_ALLOC | LBER_BV_STRING );
 	*buf = bv.bv_val;
 
 	return tag;
@@ -555,7 +565,7 @@
 
 	assert( buf != NULL );
 
-	tag = ber_get_stringbv_null( ber, &bv, LBER_BV_ALLOC );
+	tag = ber_get_stringbv_null( ber, &bv, LBER_BV_ALLOC | LBER_BV_STRING );
 	*buf = bv.bv_val;
 
 	return tag;
@@ -608,6 +618,10 @@
 		goto fail;
 	}
 
+	if ( memchr( data.bv_val, 0, data.bv_len )) {
+		goto fail;
+	}
+
 	*buf = (char *) ber_memalloc_x( data.bv_len, ber->ber_memctx );
 	if ( *buf == NULL ) {
 		return LBER_DEFAULT;
@@ -811,7 +825,7 @@
 		case 'v':	/* sequence of strings */
 		{
 			bgbvr cookie = {
-				ChArray, LBER_BV_ALLOC, sizeof( char * )
+				ChArray, LBER_BV_ALLOC | LBER_BV_STRING, sizeof( char * )
 			};
 			rc = ber_get_stringbvl( ber, &cookie );
 			*(va_arg( ap, char *** )) = cookie.result;

Modified: openldap/vendor/openldap-release/libraries/liblber/encode.c
===================================================================
--- openldap/vendor/openldap-release/libraries/liblber/encode.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/liblber/encode.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* encode.c - ber output encoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/encode.c,v 1.64.2.6 2009/08/13 00:56:58 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/encode.c,v 1.64.2.8 2009/10/31 00:01:23 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -151,6 +151,7 @@
 			der[j] = tmp;
 		}
 		der += len;
+
 		if ( ptr == inend )
 			break;
 
@@ -242,10 +243,10 @@
 	rc = ber_write( ber, (char *) ptr, &header[sizeof(header)] - ptr, 0 );
 	if ( rc >= 0 && ber_write( ber, str, len, 0 ) >= 0 ) {
 		/* length(tag + length + contents) */
-		rc += (int) len;
+		return rc + (int) len;
 	}
 
-	return rc;
+	return -1;
 }
 
 int
@@ -300,10 +301,10 @@
 	rc = ber_write( ber, (char *) ptr, &header[sizeof(header)] - ptr, 0 );
 	if ( rc >= 0 && ber_write( ber, str, len, 0 ) >= 0 ) {
 		/* length(tag + length + unused bit count + bitstring) */
-		rc += (int) len;
+		return rc + (int) len;
 	}
 
-	return rc;
+	return -1;
 }
 
 int
@@ -454,7 +455,7 @@
 
 	/* Store length, and close gap of leftover reserved length octets */
 	len = xlen - SOS_LENLEN;
-	if ( ber->ber_options & LBER_USE_DER ) {
+	if ( !(ber->ber_options & LBER_USE_DER) ) {
 		int i;
 		lenptr[0] = SOS_LENLEN - 1 + 0x80; /* length(length)-1 */
 		for( i = SOS_LENLEN; --i > 0; len >>= 8 ) {

Modified: openldap/vendor/openldap-release/libraries/liblber/lber-int.h
===================================================================
--- openldap/vendor/openldap-release/libraries/liblber/lber-int.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/liblber/lber-int.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblber/lber-int.h,v 1.68.2.5 2009/08/02 21:06:34 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/lber-int.h,v 1.68.2.6 2009/10/30 18:38:27 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -97,7 +97,7 @@
 	 *   ber_sos_ptr   NULL or write cursor for incomplete sequence or set.
 	 *   ber_sos_inner offset(seq/set length octets) if ber_sos_ptr!=NULL.
 	 *   ber_tag       Default tag for next ber_printf() element.
-	 *   ber_usertag   True after a ber_printf format char set ber_tag.
+	 *   ber_usertag   Boolean set by ber_printf "!" if it sets ber_tag.
 	 *   ber_len       Reused for ber_sos_inner.
 	 * When output to a Sockbuf:
 	 *   ber_ptr       End of encoded data to write.

Modified: openldap/vendor/openldap-release/libraries/libldap/getdn.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/getdn.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/getdn.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/getdn.c,v 1.130.2.4 2009/01/22 00:00:54 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/getdn.c,v 1.130.2.5 2009/11/18 01:03:02 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -2131,10 +2131,8 @@
 		
 		/*
 		 * The length was checked in strval2strlen();
-		 * LDAP_UTF8_CHARLEN() should suffice
 		 */
-		cl = LDAP_UTF8_CHARLEN2( &val->bv_val[ s ], cl );
-		assert( cl > 0 );
+		cl = LDAP_UTF8_CHARLEN( &val->bv_val[ s ] );
 		
 		/* 
 		 * there might be some chars we want to escape in form

Modified: openldap/vendor/openldap-release/libraries/libldap/init.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/init.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/init.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/init.c,v 1.102.2.12 2009/08/12 23:40:55 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/init.c,v 1.102.2.13 2009/11/17 17:29:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -427,11 +427,34 @@
 		   	ldap_int_sasl_config( gopts, attrs[i].offset, value );
 #endif			 	
 		   	break;
+		case ATTR_GSSAPI:
+#ifdef HAVE_GSSAPI
+			ldap_int_gssapi_config( gopts, attrs[i].offset, value );
+#endif
+			break;
 		case ATTR_TLS:
 #ifdef HAVE_TLS
 		   	ldap_int_tls_config( NULL, attrs[i].offset, value );
 #endif			 	
 		   	break;
+		case ATTR_OPT_TV: {
+			struct timeval tv;
+			char *next;
+			tv.tv_usec = 0;
+			tv.tv_sec = strtol( value, &next, 10 );
+			if ( next != value && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
+				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
+			}
+			} break;
+		case ATTR_OPT_INT: {
+			long l;
+			char *next;
+			l = strtol( value, &next, 10 );
+			if ( next != value && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
+				int v = (int)l;
+				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
+			}
+			} break;
 		}
 	}
 }

Modified: openldap/vendor/openldap-release/libraries/libldap/ldap-tls.h
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/ldap-tls.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/ldap-tls.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /*  ldap-tls.h - TLS defines & prototypes internal to the LDAP library */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap-tls.h,v 1.3.2.1 2009/01/26 23:29:53 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ldap-tls.h,v 1.3.2.2 2009/10/30 17:48:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -37,7 +37,7 @@
 typedef int (TI_session_connect)(LDAP *ld, tls_session *s);
 typedef int (TI_session_accept)(tls_session *s);
 typedef int (TI_session_upflags)(Sockbuf *sb, tls_session *s, int rc);
-typedef char *(TI_session_errmsg)(int rc, char *buf, size_t len );
+typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len );
 typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
 typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
 typedef int (TI_session_strength)(tls_session *sess);

Modified: openldap/vendor/openldap-release/libraries/libldap/open.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/open.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/open.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/open.c,v 1.110.2.10 2009/01/22 00:00:54 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/open.c,v 1.110.2.12 2009/11/18 22:19:02 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -271,6 +271,8 @@
 		ldap_unbind_ext( ld, NULL, NULL );
 		return( LDAP_NO_MEMORY );
 	}
+	if( url )
+		conn->lconn_server = ldap_url_dup( ld->ld_options.ldo_defludp );
 	ber_sockbuf_ctrl( conn->lconn_sb, LBER_SB_OPT_SET_FD, &fd );
 	ld->ld_defconn = conn;
 	++ld->ld_defconn->lconn_refcnt;	/* so it never gets closed/freed */

Modified: openldap/vendor/openldap-release/libraries/libldap/result.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/result.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/result.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* result.c - wait for an ldap result */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.19 2009/03/05 19:07:21 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/result.c,v 1.124.2.20 2009/11/18 17:04:31 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -276,7 +276,7 @@
 	}
 #endif /* LDAP_DEBUG */
 
-	if ( timeout != NULL ) {
+	if ( timeout != NULL && timeout->tv_sec != -1 ) {
 		tv0 = *timeout;
 		tv = *timeout;
 		tvp = &tv;

Modified: openldap/vendor/openldap-release/libraries/libldap/sasl.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/sasl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/sasl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.64.2.6 2009/01/22 00:00:55 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/sasl.c,v 1.64.2.7 2009/10/31 00:11:22 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -503,6 +503,7 @@
 	p->ops = i->ops;
 	p->ops_private = i->ops_private;
 	p->sbiod = sbiod;
+	p->flags = 0;
 	ber_pvt_sb_buf_init( &p->sec_buf_in );
 	ber_pvt_sb_buf_init( &p->buf_in );
 	ber_pvt_sb_buf_init( &p->buf_out );
@@ -678,13 +679,14 @@
 {
 	struct sb_sasl_generic_data	*p;
 	int				ret;
+	ber_len_t			len2;
 
 	assert( sbiod != NULL );
 	assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
 
 	p = (struct sb_sasl_generic_data *)sbiod->sbiod_pvt;
 
-	/* Are there anything left in the buffer? */
+	/* Is there anything left in the buffer? */
 	if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
 		ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 		if ( ret < 0 ) return ret;
@@ -696,15 +698,23 @@
 		}
 	}
 
+	len2 = p->max_send - 100;	/* For safety margin */
+	len2 = len > len2 ? len2 : len;
+
+	/* If we're just retrying a partial write, tell the
+	 * caller it's done. Let them call again if there's
+	 * still more left to write.
+	 */
+	if ( p->flags & LDAP_PVT_SASL_PARTIAL_WRITE ) {
+		p->flags ^= LDAP_PVT_SASL_PARTIAL_WRITE;
+		return len2;
+	}
+
 	/* now encode the next packet. */
 	p->ops->reset_buf( p, &p->buf_out );
 
-	if ( len > p->max_send - 100 ) {
-		len = p->max_send - 100;	/* For safety margin */
-	}
+	ret = p->ops->encode( p, buf, len2, &p->buf_out );
 
-	ret = p->ops->encode( p, buf, len, &p->buf_out );
-
 	if ( ret != 0 ) {
 		ber_log_printf( LDAP_DEBUG_ANY, sbiod->sbiod_sb->sb_debug,
 			"sb_sasl_generic_write: failed to encode packet\n" );
@@ -714,10 +724,23 @@
 
 	ret = ber_pvt_sb_do_write( sbiod, &p->buf_out );
 
+	if ( ret < 0 ) {
+		/* error? */
+		int err = sock_errno();
+		/* caller can retry this */
+		if ( err == EAGAIN || err == EWOULDBLOCK || err == EINTR )
+			p->flags |= LDAP_PVT_SASL_PARTIAL_WRITE;
+		return ret;
+	} else if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
+		/* partial write? pretend nothing got written */
+		len2 = 0;
+		p->flags |= LDAP_PVT_SASL_PARTIAL_WRITE;
+	}
+
 	/* return number of bytes encoded, not written, to ensure
 	 * no byte is encoded twice (even if only sent once).
 	 */
-	return len;
+	return len2;
 }
 
 static int

Modified: openldap/vendor/openldap-release/libraries/libldap/tls2.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/tls2.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/tls2.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* tls.c - Handle tls/ssl. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls2.c,v 1.4.2.8 2009/05/01 19:39:03 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls2.c,v 1.4.2.9 2009/10/30 17:48:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -376,7 +376,7 @@
 			return 1;
 		}
 
-		msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
+		msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) );
 		if ( msg ) {
 			if ( ld->ld_error ) {
 				LDAP_FREE( ld->ld_error );
@@ -438,7 +438,7 @@
 
 		if ( DebugTest( LDAP_DEBUG_ANY ) ) {
 			char buf[256], *msg;
-			msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
+			msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) );
 			Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n",
 				msg ? msg : "(unknown)", 0, 0 );
 		}

Modified: openldap/vendor/openldap-release/libraries/libldap/tls_g.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/tls_g.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/tls_g.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* tls_g.c - Handle tls/ssl using GNUTLS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.6 2009/08/13 00:52:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.7 2009/10/30 17:48:17 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -525,7 +525,7 @@
 }
 
 static char *
-tlsg_session_errmsg( int rc, char *buf, size_t len )
+tlsg_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
 {
 	return (char *)gnutls_strerror( rc );
 }

Modified: openldap/vendor/openldap-release/libraries/libldap/tls_m.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/tls_m.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/tls_m.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* tls_m.c - Handle tls/ssl using Mozilla NSS. */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_m.c,v 1.3.2.7 2009/08/30 22:55:46 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_m.c,v 1.3.2.8 2009/10/30 17:48:17 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -2013,7 +2013,7 @@
 }
 
 static char *
-tlsm_session_errmsg( int rc, char *buf, size_t len )
+tlsm_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
 {
 	int i;
 

Modified: openldap/vendor/openldap-release/libraries/libldap/tls_o.c
===================================================================
--- openldap/vendor/openldap-release/libraries/libldap/tls_o.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/libldap/tls_o.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* tls_o.c - Handle tls/ssl using OpenSSL */
-/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_o.c,v 1.5.2.7 2009/08/25 22:58:08 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_o.c,v 1.5.2.10 2009/10/30 17:55:19 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2008-2009 The OpenLDAP Foundation.
@@ -398,11 +398,22 @@
 }
 
 static char *
-tlso_session_errmsg( int rc, char *buf, size_t len )
+tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
 {
+	char err[256] = "";
+	const char *certerr=NULL;
+	tlso_session *s = (tlso_session *)sess;
+
 	rc = ERR_peek_error();
 	if ( rc ) {
-		ERR_error_string_n( rc, buf, len );
+		ERR_error_string_n( rc, err, sizeof(err) );
+		if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) && 
+				( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
+			int certrc = SSL_get_verify_result(s);
+			certerr = (char *)X509_verify_cert_error_string(certrc);
+		}
+		snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"", 
+				certerr ? certerr : "", certerr ?  ")" : "" );
 		return buf;
 	}
 	return NULL;
@@ -1066,16 +1077,29 @@
 tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 {
 	RSA *tmp_rsa;
-
 	/* FIXME:  Pregenerate the key on startup */
 	/* FIXME:  Who frees the key? */
+#if OPENSSL_VERSION_NUMBER > 0x00908000
+	BIGNUM *bn = BN_new();
+	tmp_rsa = NULL;
+	if ( bn ) {
+		if ( BN_set_word( bn, RSA_F4 )) {
+			tmp_rsa = RSA_new();
+			if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
+				RSA_free( tmp_rsa );
+				tmp_rsa = NULL;
+			}
+		}
+		BN_free( bn );
+	}
+#else
 	tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
+#endif
 
 	if ( !tmp_rsa ) {
 		Debug( LDAP_DEBUG_ANY,
 			"TLS: Failed to generate temporary %d-bit %s RSA key\n",
 			key_length, is_export ? "export" : "domestic", 0 );
-		return NULL;
 	}
 	return tmp_rsa;
 }

Modified: openldap/vendor/openldap-release/libraries/liblutil/tavl.c
===================================================================
--- openldap/vendor/openldap-release/libraries/liblutil/tavl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/liblutil/tavl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* avl.c - routines to implement an avl tree */
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/tavl.c,v 1.12.2.6 2009/01/22 00:00:58 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/tavl.c,v 1.12.2.7 2009/10/30 18:55:04 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -21,6 +21,7 @@
 
 #include "portable.h"
 
+#include <limits.h>
 #include <stdio.h>
 #include <ac/stdlib.h>
 
@@ -35,6 +36,9 @@
 #define AVL_INTERNAL
 #include "avl.h"
 
+/* Maximum tree depth this host's address space could support */
+#define MAX_TREE_DEPTH	(sizeof(void *) * CHAR_BIT)
+
 static const int avl_bfs[] = {LH, RH};
 
 /*
@@ -189,8 +193,8 @@
 	int side, side_bf, shorter, nside = -1;
 
 	/* parent stack */
-	Avlnode *pptr[sizeof(void *)*8];
-	unsigned char pdir[sizeof(void *)*8];
+	Avlnode *pptr[MAX_TREE_DEPTH];
+	unsigned char pdir[MAX_TREE_DEPTH];
 	int depth = 0;
 
 	if ( *root == NULL )

Modified: openldap/vendor/openldap-release/libraries/liblutil/utils.c
===================================================================
--- openldap/vendor/openldap-release/libraries/liblutil/utils.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/libraries/liblutil/utils.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/libraries/liblutil/utils.c,v 1.33.2.24 2009/04/29 01:48:30 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblutil/utils.c,v 1.33.2.26 2009/12/02 18:34:37 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -379,7 +379,7 @@
 	t = tv.tv_sec;
 
 	if ( tv.tv_sec < prevTv.tv_sec
-		|| ( tv.tv_sec == prevTv.tv_sec && tv.tv_usec == prevTv.tv_usec )) {
+		|| ( tv.tv_sec == prevTv.tv_sec && tv.tv_usec <= prevTv.tv_usec )) {
 		subs++;
 	} else {
 		subs = 0;
@@ -567,7 +567,7 @@
  * Memory Reverse Search
  */
 void *
-lutil_memrchr(const void *b, int c, size_t n)
+(lutil_memrchr)(const void *b, int c, size_t n)
 {
 	if (n != 0) {
 		const unsigned char *s, *bb = b, cc = c;

Modified: openldap/vendor/openldap-release/servers/slapd/acl.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/acl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/acl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* acl.c - routines to parse and check acl's */
-/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.22 2009/01/22 00:00:59 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/acl.c,v 1.303.2.23 2009/09/29 21:55:18 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -53,6 +53,7 @@
 	AttributeDescription *desc,
 	struct berval *val,
 	AclRegexMatches *matches,
+	slap_mask_t *mask,
 	AccessControlState *state );
 
 static slap_control_t slap_acl_mask(
@@ -151,6 +152,7 @@
 	const char			*attr;
 	AclRegexMatches			matches;
 	AccessControlState		acl_state = ACL_STATE_INIT;
+	static AccessControlState	state_init = ACL_STATE_INIT;
 
 	assert( op != NULL );
 	assert( e != NULL );
@@ -216,25 +218,27 @@
 
 	if ( state == NULL )
 		state = &acl_state;
-	if ( state->as_vd_ad == desc ) {
+	if ( state->as_desc == desc &&
+		state->as_access == access &&
+		state->as_vd_acl != NULL )
+	{
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
 		if ( state->as_fe_done )
 			state->as_fe_done--;
+		ACL_PRIV_ASSIGN( mask, state->as_vd_mask );
 	} else {
-		state->as_vi_acl = NULL;
+		*state = state_init;
 
 		a = NULL;
 		count = 0;
+		ACL_PRIV_ASSIGN( mask, *maskp );
 	}
-	if ( a == NULL )
-		state->as_fe_done = 0;
 
-	ACL_PRIV_ASSIGN( mask, *maskp );
 	MATCHES_MEMSET( &matches );
 
 	while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
-		&matches, state ) ) != NULL )
+		&matches, &mask, state ) ) != NULL )
 	{
 		int i; 
 		int dnmaxcount = MATCHES_DNMAXCOUNT( &matches );
@@ -278,22 +282,6 @@
 			Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 );
 		}
 
-		if ( state ) {
-			if ( state->as_vi_acl == a &&
-				( state->as_recorded & ACL_STATE_RECORDED_NV ) )
-			{
-				Debug( LDAP_DEBUG_ACL,
-					"=> slap_access_allowed: result was in cache (%s)\n",
-					attr, 0, 0 );
-				ret = state->as_result;
-				goto done;
-			} else {
-				Debug( LDAP_DEBUG_ACL,
-					"=> slap_access_allowed: result not in cache (%s)\n",
-					attr, 0, 0 );
-			}
-		}
-
 		control = slap_acl_mask( a, &mask, op,
 			e, desc, val, &matches, count, state, access );
 
@@ -374,7 +362,6 @@
 	slap_mask_t		*maskp )
 {
 	int				ret = 1;
-	AccessControl			*a = NULL;
 	int				be_null = 0;
 
 #ifdef LDAP_DEBUG
@@ -383,7 +370,6 @@
 	slap_mask_t			mask;
 	slap_access_t			access_level;
 	const char			*attr;
-	static AccessControlState	state_init = ACL_STATE_INIT;
 
 	assert( e != NULL );
 	assert( desc != NULL );
@@ -415,16 +401,20 @@
 		}
 	}
 
-	if ( state ) {
-		if ( state->as_vd_ad == desc ) {
-			if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
-				val == NULL )
+	if ( state != NULL ) {
+		if ( state->as_desc == desc &&
+			state->as_access == access &&
+			state->as_result != -1 &&
+			state->as_vd_acl == NULL )
 			{
+			Debug( LDAP_DEBUG_ACL,
+				"=> access_allowed: result was in cache (%s)\n",
+				attr, 0, 0 );
 				return state->as_result;
-
-			}
 		} else {
-			*state = state_init;
+			Debug( LDAP_DEBUG_ACL,
+				"=> access_allowed: result not in cache (%s)\n",
+				attr, 0, 0 );
 		}
 	}
 
@@ -485,13 +475,9 @@
 
 done:
 	if ( state != NULL ) {
-		/* If not value-dependent, save ACL in case of more attrs */
-		if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
-			state->as_vi_acl = a;
+		state->as_access = access;
 			state->as_result = ret;
-		}
-		state->as_recorded |= ACL_STATE_RECORDED;
-		state->as_vd_ad = desc;
+		state->as_desc = desc;
 	}
 	if ( be_null ) op->o_bd = NULL;
 	if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask );
@@ -514,6 +500,7 @@
 	AttributeDescription *desc,
 	struct berval	*val,
 	AclRegexMatches	*matches,
+	slap_mask_t *mask,
 	AccessControlState *state )
 {
 	const char *attr;
@@ -628,10 +615,10 @@
 				continue;
 			}
 
-			if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
-				state->as_recorded |= ACL_STATE_RECORDED_VD;
+			if ( state->as_vd_acl == NULL ) {
 				state->as_vd_acl = prev;
 				state->as_vd_acl_count = *count - 1;
+				ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
 			}
 
 			if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
@@ -727,10 +714,10 @@
  * Record value-dependent access control state
  */
 #define ACL_RECORD_VALUE_STATE do { \
-		if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
-			state->as_recorded |= ACL_STATE_RECORDED_VD; \
+		if( state && state->as_vd_acl == NULL ) { \
 			state->as_vd_acl = a; \
 			state->as_vd_acl_count = count; \
+			ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
 		} \
 	} while( 0 )
 
@@ -1024,6 +1011,7 @@
 	AccessControl		*a,
 	int			count,
 	AccessControlState	*state,
+	slap_mask_t			*mask,
 	slap_dn_access		*bdn,
 	struct berval		*opndn )
 {
@@ -1504,7 +1492,7 @@
 
 		if ( b->a_dn_at != NULL ) {
 			if ( acl_mask_dnattr( op, e, val, a,
-					count, state,
+					count, state, mask,
 					&b->a_dn, &op->o_ndn ) )
 			{
 				continue;
@@ -1522,7 +1510,7 @@
 			}
 
 			if ( acl_mask_dnattr( op, e, val, a,
-					count, state,
+					count, state, mask,
 					&b->a_realdn, &ndn ) )
 			{
 				continue;
@@ -2019,7 +2007,7 @@
 				if ( ! access_allowed( op, e,
 					mlist->sml_desc, NULL,
 					( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL,
-					NULL ) )
+					&state ) )
 				{
 					ret = 0;
 					goto done;

Modified: openldap/vendor/openldap-release/servers/slapd/alock.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/alock.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/alock.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* alock.c - access lock library */
-/* $OpenLDAP: pkg/ldap/servers/slapd/alock.c,v 1.5.2.11 2009/03/09 23:16:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/alock.c,v 1.5.2.12 2009/11/18 20:49:24 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -409,7 +409,8 @@
 				++live_count;
 
 			} else if (res == ALOCK_UNIQUE
-				&& locktype == ALOCK_UNIQUE) {
+				&& (( locktype & ALOCK_SMASK ) == ALOCK_UNIQUE
+				|| nosave )) {
 				close (info->al_fd);
 				ber_memfree (slot_data.al_appname);
 				return ALOCK_BUSY;

Modified: openldap/vendor/openldap-release/servers/slapd/back-bdb/cache.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-bdb/cache.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-bdb/cache.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* cache.c - routines to maintain an in-core cache of entries */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/cache.c,v 1.120.2.32 2009/07/27 17:38:40 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/cache.c,v 1.120.2.35 2009/11/04 15:47:44 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2000-2009 The OpenLDAP Foundation.
@@ -106,10 +106,14 @@
 }
 
 #define LRU_DEL( c, e ) do { \
-	if ( e == (c)->c_lruhead ) (c)->c_lruhead = e->bei_lruprev; \
-	if ( e == (c)->c_lrutail ) (c)->c_lrutail = e->bei_lruprev; \
-	e->bei_lrunext->bei_lruprev = e->bei_lruprev; \
-	e->bei_lruprev->bei_lrunext = e->bei_lrunext; \
+	if ( e == e->bei_lruprev ) { \
+		(c)->c_lruhead = (c)->c_lrutail = NULL; \
+	} else { \
+		if ( e == (c)->c_lruhead ) (c)->c_lruhead = e->bei_lruprev; \
+		if ( e == (c)->c_lrutail ) (c)->c_lrutail = e->bei_lruprev; \
+		e->bei_lrunext->bei_lruprev = e->bei_lruprev; \
+		e->bei_lruprev->bei_lrunext = e->bei_lrunext; \
+	} \
 	e->bei_lruprev = NULL; \
 } while ( 0 )
 
@@ -968,6 +972,9 @@
 				 */
 				if ( (*eip)->bei_state & CACHE_ENTRY_NOT_CACHED ) {
 					(*eip)->bei_state &= ~CACHE_ENTRY_NOT_CACHED;
+					ldap_pvt_thread_mutex_lock( &bdb->bi_cache.c_count_mutex );
+					++bdb->bi_cache.c_cursize;
+					ldap_pvt_thread_mutex_unlock( &bdb->bi_cache.c_count_mutex );
 				}
 				flag &= ~ID_NOCACHE;
 			}
@@ -1065,20 +1072,17 @@
 	if ( rc == 0 ) {
 		int purge = 0;
 
-		if ( bdb->bi_cache.c_cursize > bdb->bi_cache.c_maxsize ||
-			( bdb->bi_cache.c_eimax && bdb->bi_cache.c_leaves > bdb->bi_cache.c_eimax )) {
+		if (( load && !( flag & ID_NOCACHE )) || bdb->bi_cache.c_eimax ) {
 			ldap_pvt_thread_mutex_lock( &bdb->bi_cache.c_count_mutex );
-			if ( !bdb->bi_cache.c_purging ) {
-				if ( load && !( flag & ID_NOCACHE )) {
-					bdb->bi_cache.c_cursize++;
-					if ( bdb->bi_cache.c_cursize > bdb->bi_cache.c_maxsize ) {
-						purge = 1;
-						bdb->bi_cache.c_purging = 1;
-					}
-				} else if ( bdb->bi_cache.c_eimax && bdb->bi_cache.c_leaves > bdb->bi_cache.c_eimax ) {
+			if ( load && !( flag & ID_NOCACHE )) {
+				bdb->bi_cache.c_cursize++;
+				if ( !bdb->bi_cache.c_purging && bdb->bi_cache.c_cursize > bdb->bi_cache.c_maxsize ) {
 					purge = 1;
 					bdb->bi_cache.c_purging = 1;
 				}
+			} else if ( !bdb->bi_cache.c_purging && bdb->bi_cache.c_eimax && bdb->bi_cache.c_leaves > bdb->bi_cache.c_eimax ) {
+				purge = 1;
+				bdb->bi_cache.c_purging = 1;
 			}
 			ldap_pvt_thread_mutex_unlock( &bdb->bi_cache.c_count_mutex );
 		}

Modified: openldap/vendor/openldap-release/servers/slapd/back-bdb/idl.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-bdb/idl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-bdb/idl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* idl.c - ldap id list handling routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.c,v 1.124.2.10 2009/07/27 17:38:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/idl.c,v 1.124.2.11 2009/12/02 19:22:09 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2000-2009 The OpenLDAP Foundation.
@@ -378,8 +378,8 @@
 
 	if ( bdb->bi_idl_cache_size >= bdb->bi_idl_cache_max_size ) {
 		int i;
-		ee = bdb->bi_idl_lru_tail;
-		for ( i = 0; ee != NULL && i < 10; i++, ee = eprev ) {
+		eprev = bdb->bi_idl_lru_tail;
+		for ( i = 0; (ee = eprev) != NULL && i < 10; i++ ) {
 			eprev = ee->idl_lru_prev;
 			if ( eprev == ee ) {
 				eprev = NULL;

Modified: openldap/vendor/openldap-release/servers/slapd/back-bdb/monitor.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-bdb/monitor.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-bdb/monitor.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* monitor.c - monitor bdb backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.13 2009/08/17 21:52:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-bdb/monitor.c,v 1.19.2.14 2009/10/30 18:07:18 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2000-2009 The OpenLDAP Foundation.
@@ -280,8 +280,9 @@
 			Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(bdb_monitor_initialize)
 				": register_at failed\n",
 				0, 0, 0 );
+		} else {
+			(*s_at[ i ].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
 		}
-		(*s_at[ i ].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
 	}
 
 	for ( i = 0; s_oc[ i ].desc != NULL; i++ ) {
@@ -290,8 +291,9 @@
 			Debug( LDAP_DEBUG_ANY, LDAP_XSTRING(bdb_monitor_initialize)
 				": register_oc failed\n",
 				0, 0, 0 );
+		} else {
+			(*s_oc[ i ].oc)->soc_flags |= SLAP_OC_HIDE;
 		}
-		(*s_oc[ i ].oc)->soc_flags |= SLAP_OC_HIDE;
 	}
 
 	return 0;

Modified: openldap/vendor/openldap-release/servers/slapd/back-ldap/bind.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-ldap/bind.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-ldap/bind.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* bind.c - ldap backend bind function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/bind.c,v 1.162.2.24 2009/09/01 22:50:21 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/bind.c,v 1.162.2.25 2009/09/30 00:29:31 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1999-2009 The OpenLDAP Foundation.
@@ -277,6 +277,8 @@
 	ldap_back_controls_free( op, rs, &ctrls );
 
 	if ( rc == LDAP_SUCCESS ) {
+		op->o_conn->c_authz_cookie = op->o_bd->be_private;
+
 		/* If defined, proxyAuthz will be used also when
 		 * back-ldap is the authorizing backend; for this
 		 * purpose, after a successful bind the connection
@@ -1523,6 +1525,7 @@
 	rc = ldap_back_op_result( lc, op, rs, msgid,
 		-1, ( sendok | LDAP_BACK_BINDING ) );
 	if ( rc == LDAP_SUCCESS ) {
+		op->o_conn->c_authz_cookie = op->o_bd->be_private;
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
 	}
 
@@ -2249,6 +2252,7 @@
 		 * so that referral chasing is attempted using the right
 		 * identity */
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
+		op->o_conn->c_authz_cookie = op->o_bd->be_private;
 		if ( !BER_BVISNULL( binddn ) ) {
 			ber_bvreplace( &lc->lc_bound_ndn, binddn );
 		}

Modified: openldap/vendor/openldap-release/servers/slapd/back-ldap/config.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-ldap/config.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-ldap/config.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* config.c - ldap backend configuration file routine */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/config.c,v 1.115.2.14 2009/01/22 00:01:06 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/config.c,v 1.115.2.15 2009/09/29 21:47:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -2086,7 +2086,10 @@
 retry:
 		rs->sr_err = ldap_whoami( lc->lc_ld, ctrls, NULL, &msgid );
 		if ( rs->sr_err == LDAP_SUCCESS ) {
-			if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
+			/* by now, make sure no timeout is used (ITS#6282) */
+			struct timeval tv;
+			tv.tv_sec = -1;
+			if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) == -1 ) {
 				ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER,
 					&rs->sr_err );
 				if ( rs->sr_err == LDAP_SERVER_DOWN && doretry ) {

Modified: openldap/vendor/openldap-release/servers/slapd/back-ldap/extended.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-ldap/extended.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-ldap/extended.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* extended.c - ldap backend extended routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/extended.c,v 1.36.2.9 2009/01/22 00:01:06 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/extended.c,v 1.36.2.10 2009/09/29 21:47:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -190,7 +190,10 @@
 
 	if ( rc == LDAP_SUCCESS ) {
 		/* TODO: set timeout? */
-		if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
+		/* by now, make sure no timeout is used (ITS#6282) */
+		struct timeval tv;
+		tv.tv_sec = -1;
+		if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) == -1 ) {
 			ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc );
 			rs->sr_err = rc;
 
@@ -316,7 +319,10 @@
 
 	if ( rc == LDAP_SUCCESS ) {
 		/* TODO: set timeout? */
-		if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) {
+		/* by now, make sure no timeout is used (ITS#6282) */
+		struct timeval tv;
+		tv.tv_sec = -1;
+		if ( ldap_result( lc->lc_ld, msgid, LDAP_MSG_ALL, &tv, &res ) == -1 ) {
 			ldap_get_option( lc->lc_ld, LDAP_OPT_ERROR_NUMBER, &rc );
 			rs->sr_err = rc;
 

Modified: openldap/vendor/openldap-release/servers/slapd/back-ldap/search.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-ldap/search.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-ldap/search.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* search.c - ldap backend search function */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.22 2009/08/25 22:58:09 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldap/search.c,v 1.201.2.23 2009/10/30 18:10:18 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1999-2009 The OpenLDAP Foundation.
@@ -759,6 +759,7 @@
 						( oc = oc_bvfind_undef( &attr->a_vals[i] ) ) != NULL )
 				{
 					ber_dupbv( &pval, &oc->soc_cname );
+					rc = LDAP_SUCCESS;
 
 				} else {
 					LBER_FREE( attr->a_vals[i].bv_val );
@@ -770,8 +771,9 @@
 					BER_BVZERO( &attr->a_vals[last] );
 					i--;
 				}
+			}
 
-			} else if ( pretty ) {
+			if ( rc == LDAP_SUCCESS && pretty ) {
 				LBER_FREE( attr->a_vals[i].bv_val );
 				attr->a_vals[i] = pval;
 			}

Modified: openldap/vendor/openldap-release/servers/slapd/back-ldif/ldif.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-ldif/ldif.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-ldif/ldif.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* ldif.c - the ldif backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/ldif.c,v 1.48.2.19 2009/02/05 19:35:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-ldif/ldif.c,v 1.48.2.21 2009/12/04 18:41:53 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -184,9 +184,10 @@
  */
 
 /* Set *res = LDIF filename path for the normalized DN */
-static void
-dn2path( BackendDB *be, struct berval *dn, struct berval *res )
+static int
+ndn2path( Operation *op, struct berval *dn, struct berval *res, int empty_ok )
 {
+	BackendDB *be = op->o_bd;
 	struct ldif_info *li = (struct ldif_info *) be->be_private;
 	struct berval *suffixdn = &be->be_nsuffix[0];
 	const char *start, *end, *next, *p;
@@ -200,6 +201,10 @@
 	assert( !BER_BVISNULL( suffixdn ) );
 	assert( dnIsSuffix( dn, suffixdn ) );
 
+	if ( dn->bv_len == 0 && !empty_ok ) {
+		return LDAP_UNWILLING_TO_PERFORM;
+	}
+
 	start = dn->bv_val;
 	end = start + dn->bv_len;
 
@@ -240,6 +245,8 @@
 	res->bv_len = ptr - res->bv_val;
 
 	assert( res->bv_len <= len );
+
+	return LDAP_SUCCESS;
 }
 
 /*
@@ -570,7 +577,11 @@
 
 	dnParent( &op->o_req_dn, &pdn );
 	dnParent( &op->o_req_ndn, &pndn );
-	dn2path( op->o_bd, &op->o_req_ndn, &path );
+	rc = ndn2path( op, &op->o_req_ndn, &path, 0 );
+	if ( rc != LDAP_SUCCESS ) {
+		goto done;
+	}
+
 	rc = ldif_read_entry( op, path.bv_val, &pdn, &pndn, entryp, text );
 
 	if ( rc == LDAP_SUCCESS && pathp != NULL ) {
@@ -578,6 +589,7 @@
 	} else {
 		SLAP_FREE( path.bv_val );
 	}
+ done:
 	return rc;
 }
 
@@ -593,9 +605,9 @@
 	char *trunc;	/* filename was truncated here */
 	int  inum;		/* num from "attr={num}" in filename, or INT_MIN */
 	char savech;	/* original char at *trunc */
-	char fname;		/* variable length array BVL_NAME(bvl) = &fname */
-#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
-#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+	/* BVL_NAME(&bvlist) is the filename, allocated after the struct: */
+#	define BVL_NAME(bvl)     ((char *) ((bvl) + 1))
+#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen) + 1)
 } bvlist;
 
 static int
@@ -736,6 +748,7 @@
 			bvl->savech = *trunc;
 			*trunc = '\0';
 
+			/* Insertion sort */
 			for ( prev = listp; (ptr = *prev) != NULL; prev = &ptr->next ) {
 				int cmp = strcmp( BVL_NAME( bvl ), BVL_NAME( ptr ));
 				if ( cmp < 0 || (cmp == 0 && bvl->inum < ptr->inum) )
@@ -872,7 +885,7 @@
 	struct berval path;
 	struct berval pdn, pndn;
 
-	dn2path( op->o_bd, &op->o_req_ndn, &path );
+	(void) ndn2path( op, &op->o_req_ndn, &path, 1 );
 	if ( !BER_BVISEMPTY( &op->o_req_ndn ) ) {
 		/* Read baseObject */
 		dnParent( &op->o_req_dn, &pdn );
@@ -906,18 +919,20 @@
 	char **need_dir,
 	const char **text )
 {
-	BackendDB *be = op->o_bd;
-	struct ldif_info *li = (struct ldif_info *) be->be_private;
+	struct ldif_info *li = (struct ldif_info *) op->o_bd->be_private;
 	struct berval *ndn = &e->e_nname;
 	struct berval ppath = BER_BVNULL;
 	struct stat st;
 	Entry *parent = NULL;
-	int rc = LDAP_SUCCESS;
+	int rc;
 
 	if ( op->o_abandon )
 		return SLAPD_ABANDON;
 
-	dn2path( be, ndn, dnpath );
+	rc = ndn2path( op, ndn, dnpath, 0 );
+	if ( rc != LDAP_SUCCESS ) {
+		return rc;
+	}
 
 	if ( stat( dnpath->bv_val, &st ) == 0 ) { /* entry .ldif file */
 		rc = LDAP_ALREADY_EXISTS;
@@ -1087,12 +1102,12 @@
 	if ( min_dnlen == 0 ) {
 		/* Catch root DSE (empty DN), it is not a referral */
 		min_dnlen = 1;
-		if ( BER_BVISEMPTY( &ndn ) )
-			return LDAP_SUCCESS;
 	}
+	if ( ndn2path( op, &ndn, &path, 0 ) != LDAP_SUCCESS ) {
+		return LDAP_SUCCESS;	/* Root DSE again */
+	}
 
 	entryp = get_manageDSAit( op ) ? NULL : &entry;
-	dn2path( op->o_bd, &ndn, &path );
 	ldap_pvt_thread_rdwr_rlock( &li->li_rdwr );
 
 	for (;;) {
@@ -1320,7 +1335,11 @@
 		goto done;
 	}
 
-	dn2path( op->o_bd, &op->o_req_ndn, &path );
+	rc = ndn2path( op, &op->o_req_ndn, &path, 0 );
+	if ( rc != LDAP_SUCCESS ) {
+		goto done;
+	}
+
 	ldif2dir_len( path );
 	ldif2dir_name( path );
 	if ( rmdir( path.bv_val ) < 0 ) {

Modified: openldap/vendor/openldap-release/servers/slapd/back-monitor/init.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-monitor/init.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-monitor/init.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* init.c - initialize monitor backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/init.c,v 1.125.2.10 2009/08/25 22:48:10 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-monitor/init.c,v 1.125.2.11 2009/11/18 01:25:49 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2001-2009 The OpenLDAP Foundation.
@@ -841,7 +841,7 @@
 	}
 
 	thrctx = ldap_pvt_thread_pool_context();
-	connection_fake_init( &conn, &opbuf, thrctx );
+	connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 	op = &opbuf.ob_op;
 
 	op->o_tag = LDAP_REQ_SEARCH;

Modified: openldap/vendor/openldap-release/servers/slapd/back-null/null.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-null/null.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-null/null.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* null.c - the null backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-null/null.c,v 1.18.2.8 2009/01/22 00:01:09 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-null/null.c,v 1.18.2.9 2009/12/16 19:09:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2002-2009 The OpenLDAP Foundation.
@@ -234,8 +234,6 @@
 	int rw,
 	Entry **ent )
 {
-	assert( *ent == NULL );
-
 	/* don't admit the object isn't there */
 	return oc || at ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_BUSY;
 }

Modified: openldap/vendor/openldap-release/servers/slapd/back-relay/back-relay.h
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-relay/back-relay.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-relay/back-relay.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* back-relay.h - relay backend header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/back-relay.h,v 1.6.2.5 2009/08/12 23:57:40 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/back-relay.h,v 1.6.2.6 2009/10/31 00:15:21 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2004-2009 The OpenLDAP Foundation.
@@ -24,8 +24,6 @@
 
 #include "proto-back-relay.h"
 
-/* String rewrite library */
-
 LDAP_BEGIN_DECL
 
 typedef enum relay_operation_e {

Modified: openldap/vendor/openldap-release/servers/slapd/back-relay/op.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-relay/op.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-relay/op.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* op.c - relay backend operations */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/op.c,v 1.15.2.11 2009/08/12 23:58:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/op.c,v 1.15.2.13 2009/11/02 18:27:43 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2004-2009 The OpenLDAP Foundation.
@@ -75,14 +75,14 @@
 	BackendDB *rcb_bd;
 } relay_callback;
 
-int
+static int
 relay_back_cleanup_cb( Operation *op, SlapReply *rs )
 {
 	op->o_bd = ((relay_callback *) op->o_callback)->rcb_bd;
 	return SLAP_CB_CONTINUE;
 }
 
-int
+static int
 relay_back_response_cb( Operation *op, SlapReply *rs )
 {
 	relay_callback	*rcb = (relay_callback *) op->o_callback;
@@ -93,15 +93,22 @@
 	return SLAP_CB_CONTINUE;
 }
 
-#define relay_back_add_cb( rcb, op, bd )			\
-	{							\
+#define relay_back_add_cb( rcb, op ) {				\
 		(rcb)->rcb_sc.sc_next = (op)->o_callback;	\
 		(rcb)->rcb_sc.sc_response = relay_back_response_cb; \
 		(rcb)->rcb_sc.sc_cleanup = 0;			\
 		(rcb)->rcb_sc.sc_private = (op)->o_bd;		\
 		(op)->o_callback = (slap_callback *) (rcb);	\
-	}
+}
 
+#define relay_back_remove_cb( rcb, op ) {			\
+		slap_callback	**sc = &(op)->o_callback;	\
+		for ( ;; sc = &(*sc)->sc_next )			\
+			if ( *sc == (slap_callback *) (rcb) ) {	\
+				*sc = (*sc)->sc_next; break;	\
+			} else if ( *sc == NULL ) break;	\
+}
+
 /*
  * Select the backend database with the operation's DN.  On failure,
  * set/send results depending on operation type <which>'s fail_modes.
@@ -199,16 +206,12 @@
 	} else if ( (func = (&bd->be_bind)[which]) != 0 ) {
 		relay_callback	rcb;
 
-		relay_back_add_cb( &rcb, op, bd );
-
+		relay_back_add_cb( &rcb, op );
 		RELAY_WRAP_OP( op, bd, which, {
 			rc = func( op, rs );
 		});
+		relay_back_remove_cb( &rcb, op );
 
-		if ( op->o_callback == (slap_callback *) &rcb ) {
-			op->o_callback = op->o_callback->sc_next;
-		}
-
 	} else if ( fail_mode & RB_OPERR ) {
 		rs->sr_err = rc;
 		if ( rc == LDAP_UNWILLING_TO_PERFORM ) {

Modified: openldap/vendor/openldap-release/servers/slapd/back-relay/proto-back-relay.h
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-relay/proto-back-relay.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-relay/proto-back-relay.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* proto-back-relay.h - relay backend header file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/proto-back-relay.h,v 1.6.2.5 2009/01/22 00:01:10 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-relay/proto-back-relay.h,v 1.6.2.6 2009/11/02 18:28:32 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2004-2009 The OpenLDAP Foundation.
@@ -34,25 +34,18 @@
 extern BI_db_destroy		relay_back_db_destroy;
 
 extern BI_op_bind		relay_back_op_bind;
-extern BI_op_unbind		relay_back_op_unbind;
 extern BI_op_search		relay_back_op_search;
 extern BI_op_compare		relay_back_op_compare;
 extern BI_op_modify		relay_back_op_modify;
 extern BI_op_modrdn		relay_back_op_modrdn;
 extern BI_op_add		relay_back_op_add;
 extern BI_op_delete		relay_back_op_delete;
-extern BI_op_abandon		relay_back_op_abandon;
-extern BI_op_cancel		relay_back_op_cancel;
 extern BI_op_extended		relay_back_op_extended;
 extern BI_entry_release_rw	relay_back_entry_release_rw;
 extern BI_entry_get_rw		relay_back_entry_get_rw;
-extern BI_chk_referrals		relay_back_chk_referrals;
 extern BI_operational		relay_back_operational;
 extern BI_has_subordinates	relay_back_has_subordinates;
 
-extern BI_connection_init	relay_back_connection_init;
-extern BI_connection_destroy	relay_back_connection_destroy;
-
 LDAP_END_DECL
 
 #endif /* PROTO_BACK_RELAY */

Modified: openldap/vendor/openldap-release/servers/slapd/back-sql/init.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/back-sql/init.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/back-sql/init.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/init.c,v 1.73.2.6 2009/06/02 22:28:46 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/back-sql/init.c,v 1.73.2.7 2009/11/18 01:25:49 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1999-2009 The OpenLDAP Foundation.
@@ -548,7 +548,7 @@
 	}
 
 	/* This should just be to force schema loading */
-	connection_fake_init( &conn, &opbuf, thrctx );
+	connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 	op = &opbuf.ob_op;
 	op->o_bd = bd;
 	if ( backsql_get_db_conn( op, &dbh ) != LDAP_SUCCESS ) {

Modified: openldap/vendor/openldap-release/servers/slapd/backend.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/backend.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/backend.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* backend.c - routines for dealing with back-end databases */
-/* $OpenLDAP: pkg/ldap/servers/slapd/backend.c,v 1.362.2.28 2009/08/25 23:10:31 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/backend.c,v 1.362.2.30 2009/11/22 16:28:23 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -759,10 +759,10 @@
 int
 be_shadow_update( Operation *op )
 {
-	/* This assumes that all internal ops (connid == -1) on a syncrepl
+	/* This assumes that all internal ops (connid <= -1000) on a syncrepl
 	 * database are syncrepl operations.
 	 */
-	return (( SLAP_SYNC_SHADOW( op->o_bd ) && op->o_connid == -1 ) ||
+	return ( ( SLAP_SYNC_SHADOW( op->o_bd ) && SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) ||
 		( SLAP_SHADOW( op->o_bd ) && be_isupdate_dn( op->o_bd, &op->o_ndn ) ) );
 }
 

Modified: openldap/vendor/openldap-release/servers/slapd/bconfig.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/bconfig.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/bconfig.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* bconfig.c - the config backend */
-/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.74 2009/08/25 22:44:24 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/bconfig.c,v 1.202.2.84 2009/12/15 20:40:12 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -25,6 +25,7 @@
 #include <ac/ctype.h>
 #include <ac/errno.h>
 #include <sys/stat.h>
+#include <ac/unistd.h>
 
 #include "slap.h"
 
@@ -189,6 +190,7 @@
 	CFG_IX_INTLEN,
 	CFG_SYNTAX,
 	CFG_ACL_ADD,
+	CFG_SYNC_SUBENTRY,
 
 	CFG_LAST
 };
@@ -603,6 +605,10 @@
 		&config_suffix, "( OLcfgDbAt:0.10 NAME 'olcSuffix' "
 			"EQUALITY distinguishedNameMatch "
 			"SYNTAX OMsDN )", NULL, NULL },
+	{ "sync_use_subentry", NULL, 0, 0, 0, ARG_ON_OFF|ARG_DB|ARG_MAGIC|CFG_SYNC_SUBENTRY,
+		&config_generic, "( OLcfgDbAt:0.19 NAME 'olcSyncUseSubentry' "
+			"DESC 'Store sync context in a subentry' "
+			"SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
 	{ "syncrepl", NULL, 0, 0, 0, ARG_DB|ARG_MAGIC,
 		&syncrepl_config, "( OLcfgDbAt:0.11 NAME 'olcSyncrepl' "
 			"EQUALITY caseIgnoreMatch "
@@ -814,7 +820,7 @@
 		 "olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ "
 		 "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ "
 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
-		 "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ "
+		 "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ "
 		 "olcTimeLimit $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ "
 		 "olcMonitoring ) )",
 		 	Cft_Database, NULL, cfAddDatabase },
@@ -1084,6 +1090,9 @@
 		case CFG_LASTMOD:
 			c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
 			break;
+		case CFG_SYNC_SUBENTRY:
+			c->value_int = (SLAP_SYNC_SUBENTRY(c->be) != 0);
+			break;
 		case CFG_MIRRORMODE:
 			if ( SLAP_SHADOW(c->be))
 				c->value_int = (SLAP_SINGLE_SHADOW(c->be) == 0);
@@ -1196,6 +1205,7 @@
 		case CFG_SSTR_IF_MAX:
 		case CFG_SSTR_IF_MIN:
 		case CFG_ACL_ADD:
+		case CFG_SYNC_SUBENTRY:
 			break;
 
 		/* no-ops, requires slapd restart */
@@ -1783,7 +1793,8 @@
 				ServerID *si, **sip;
 				LDAPURLDesc *lud;
 				int num;
-				if ( lutil_atoi( &num, c->argv[1] ) ||
+				if (( lutil_atoi( &num, c->argv[1] ) &&	
+					lutil_atoix( &num, c->argv[1], 16 )) ||
 					num < 0 || num > SLAP_SYNC_SID_MAX )
 				{
 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
@@ -1828,7 +1839,7 @@
 					BER_BVZERO( &si->si_url );
 					slap_serverID = num;
 					Debug( LDAP_DEBUG_CONFIG,
-						"%s: SID=%d\n",
+						"%s: SID=0x%03x\n",
 						c->log, slap_serverID, 0 );
 				}
 				si->si_next = NULL;
@@ -1841,7 +1852,7 @@
 					if ( l ) {
 						slap_serverID = si->si_num;
 						Debug( LDAP_DEBUG_CONFIG,
-							"%s: SID=%d (listener=%s)\n",
+							"%s: SID=0x%03x (listener=%s)\n",
 							c->log, slap_serverID,
 							l->sl_url.bv_val );
 					}
@@ -1899,6 +1910,13 @@
 				SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_HIDDEN;
 			break;
 
+		case CFG_SYNC_SUBENTRY:
+			if (c->value_int)
+				SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_SYNC_SUBENTRY;
+			else
+				SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_SYNC_SUBENTRY;
+			break;
+
 		case CFG_SSTR_IF_MAX:
 			if (c->value_uint < index_substr_if_minlen) {
 				snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> invalid value", c->argv[0] );
@@ -1992,29 +2010,40 @@
 		case CFG_REWRITE: {
 			struct berval bv;
 			char *line;
-			
+			int rc = 0;
+
+			if ( c->op == LDAP_MOD_ADD ) {
+				c->argv++;
+				c->argc--;
+			}
 			if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
-				return(1);
+				rc = 1;
+			if ( rc == 0 ) {
 
-			if ( c->argc > 1 ) {
-				char	*s;
+				if ( c->argc > 1 ) {
+					char	*s;
 
-				/* quote all args but the first */
-				line = ldap_charray2str( c->argv, "\" \"" );
-				ber_str2bv( line, 0, 0, &bv );
-				s = ber_bvchr( &bv, '"' );
-				assert( s != NULL );
-				/* move the trailing quote of argv[0] to the end */
-				AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
-				bv.bv_val[ bv.bv_len - 1 ] = '"';
+					/* quote all args but the first */
+					line = ldap_charray2str( c->argv, "\" \"" );
+					ber_str2bv( line, 0, 0, &bv );
+					s = ber_bvchr( &bv, '"' );
+					assert( s != NULL );
+					/* move the trailing quote of argv[0] to the end */
+					AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
+					bv.bv_val[ bv.bv_len - 1 ] = '"';
 
-			} else {
-				ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
+				} else {
+					ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
+				}
+
+				ber_bvarray_add( &authz_rewrites, &bv );
 			}
-			
-			ber_bvarray_add( &authz_rewrites, &bv );
+			if ( c->op == LDAP_MOD_ADD ) {
+				c->argv--;
+				c->argc++;
 			}
-			break;
+			return rc;
+			}
 #endif
 
 
@@ -2179,14 +2208,23 @@
 			rc = 1;
 		return rc;
 	} else if ( c->op == LDAP_MOD_DELETE ) {
-		/* Reset to defaults */
-		lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT;
-		lim->lms_s_hard = 0;
-		lim->lms_s_unchecked = -1;
-		lim->lms_s_pr = 0;
-		lim->lms_s_pr_hide = 0;
-		lim->lms_s_pr_total = 0;
-		return 0;
+		/* Reset to defaults or values from frontend */
+		if ( c->be == frontendDB ) {
+			lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT;
+			lim->lms_s_hard = 0;
+			lim->lms_s_unchecked = -1;
+			lim->lms_s_pr = 0;
+			lim->lms_s_pr_hide = 0;
+			lim->lms_s_pr_total = 0;
+		} else {
+			lim->lms_s_soft = frontendDB->be_def_limit.lms_s_soft;
+			lim->lms_s_hard = frontendDB->be_def_limit.lms_s_hard;
+			lim->lms_s_unchecked = frontendDB->be_def_limit.lms_s_unchecked;
+			lim->lms_s_pr = frontendDB->be_def_limit.lms_s_pr;
+			lim->lms_s_pr_hide = frontendDB->be_def_limit.lms_s_pr_hide;
+			lim->lms_s_pr_total = frontendDB->be_def_limit.lms_s_pr_total;
+		}
+		goto ok;
 	}
 	for(i = 1; i < c->argc; i++) {
 		if(!strncasecmp(c->argv[i], "size", 4)) {
@@ -2211,6 +2249,35 @@
 			lim->lms_s_hard = 0;
 		}
 	}
+
+ok:
+	if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) {
+		/* This is a modification to the global limits apply it to
+		 * the other databases as needed */
+		AttributeDescription *ad=NULL;
+		const char *text = NULL;
+		CfEntryInfo *ce = c->ca_entry->e_private;
+
+		slap_str2ad(c->argv[0], &ad, &text);
+		/* if we got here... */
+		assert( ad != NULL );
+
+		if ( ce->ce_type == Cft_Global ){
+			ce = ce->ce_kids;
+		}
+		for (; ce; ce=ce->ce_sibs) {
+			Entry *dbe = ce->ce_entry;
+			if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB)
+					&& (!attr_find(dbe->e_attrs, ad)) ) {
+				ce->ce_be->be_def_limit.lms_s_soft = lim->lms_s_soft;
+				ce->ce_be->be_def_limit.lms_s_hard = lim->lms_s_hard;
+				ce->ce_be->be_def_limit.lms_s_unchecked =lim->lms_s_unchecked;
+				ce->ce_be->be_def_limit.lms_s_pr =lim->lms_s_pr;
+				ce->ce_be->be_def_limit.lms_s_pr_hide =lim->lms_s_pr_hide;
+				ce->ce_be->be_def_limit.lms_s_pr_total =lim->lms_s_pr_total;
+			}
+		}
+	}
 	return(0);
 }
 
@@ -2230,10 +2297,15 @@
 			rc = 1;
 		return rc;
 	} else if ( c->op == LDAP_MOD_DELETE ) {
-		/* Reset to defaults */
-		lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT;
-		lim->lms_t_hard = 0;
-		return 0;
+		/* Reset to defaults or values from frontend */
+		if ( c->be == frontendDB ) {
+			lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT;
+			lim->lms_t_hard = 0;
+		} else {
+			lim->lms_t_soft = frontendDB->be_def_limit.lms_t_soft;
+			lim->lms_t_hard = frontendDB->be_def_limit.lms_t_hard;
+		}
+		goto ok;
 	}
 	for(i = 1; i < c->argc; i++) {
 		if(!strncasecmp(c->argv[i], "time", 4)) {
@@ -2258,6 +2330,31 @@
 			lim->lms_t_hard = 0;
 		}
 	}
+
+ok:
+	if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) {
+		/* This is a modification to the global limits apply it to
+		 * the other databases as needed */
+		AttributeDescription *ad=NULL;
+		const char *text = NULL;
+		CfEntryInfo *ce = c->ca_entry->e_private;
+
+		slap_str2ad(c->argv[0], &ad, &text);
+		/* if we got here... */
+		assert( ad != NULL );
+
+		if ( ce->ce_type == Cft_Global ){
+			ce = ce->ce_kids;
+		}
+		for (; ce; ce=ce->ce_sibs) {
+			Entry *dbe = ce->ce_entry;
+			if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB)
+					&& (!attr_find(dbe->e_attrs, ad)) ) {
+				ce->ce_be->be_def_limit.lms_t_soft = lim->lms_t_soft;
+				ce->ce_be->be_def_limit.lms_t_hard = lim->lms_t_hard;
+			}
+		}
+	}
 	return(0);
 }
 
@@ -2481,7 +2578,7 @@
 }
 
 static int
-tcp_buffer_unparse( int idx, int size, int rw, Listener *l, struct berval *val )
+tcp_buffer_unparse( int size, int rw, Listener *l, struct berval *val )
 {
 	char buf[sizeof("2147483648")], *ptr;
 
@@ -2526,7 +2623,7 @@
 }
 
 static int
-tcp_buffer_add_one( int argc, char **argv, int idx )
+tcp_buffer_add_one( int argc, char **argv )
 {
 	int rc = 0;
 	int size = -1, rw = 0;
@@ -2541,7 +2638,7 @@
 	}
 
 	/* unparse for later use */
-	rc = tcp_buffer_unparse( idx, size, rw, l, &val );
+	rc = tcp_buffer_unparse( size, rw, l, &val );
 	if ( rc != LDAP_SUCCESS ) {
 		return rc;
 	}
@@ -2579,8 +2676,7 @@
 
 	tcp_buffer = SLAP_REALLOC( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
 	/* append */
-	idx = tcp_buffer_num;
-	tcp_buffer[ idx ] = val;
+	tcp_buffer[ tcp_buffer_num ] = val;
 
 	tcp_buffer_num++;
 	BER_BVZERO( &tcp_buffer[ tcp_buffer_num ] );
@@ -2625,7 +2721,7 @@
 			}
 
 			/* unparse for later use */
-			rc = tcp_buffer_unparse( tcp_buffer_num, size, rw, l, &val );
+			rc = tcp_buffer_unparse( size, rw, l, &val );
 			if ( rc != LDAP_SUCCESS ) {
 				return 1;
 			}
@@ -2658,13 +2754,12 @@
 
 	} else {
 		int rc;
-		int idx;
 
-		rc = tcp_buffer_add_one( c->argc - 1, &c->argv[ 1 ], idx );
+		rc = tcp_buffer_add_one( c->argc - 1, &c->argv[ 1 ] );
 		if ( rc ) {
 			snprintf( c->cr_msg, sizeof( c->cr_msg ),
 				"<%s> unable to add value #%d",
-				c->argv[0], idx );
+				c->argv[0], tcp_buffer_num );
 			Debug( LDAP_DEBUG_ANY, "%s: %s\n",
 				c->log, c->cr_msg, 0 );
 			return 1;
@@ -3050,7 +3145,7 @@
 loglevel_init( void )
 {
 	slap_verbmasks	lo[] = {
-		{ BER_BVC("Any"),	-1 },
+		{ BER_BVC("Any"),	(slap_mask_t) LDAP_DEBUG_ANY },
 		{ BER_BVC("Trace"),	LDAP_DEBUG_TRACE },
 		{ BER_BVC("Packets"),	LDAP_DEBUG_PACKETS },
 		{ BER_BVC("Args"),	LDAP_DEBUG_ARGS },
@@ -3202,9 +3297,11 @@
 
 	fprintf( out, "Installed log subsystems:\n\n" );
 	for ( i = 0; !BER_BVISNULL( &loglevel_ops[ i ].word ); i++ ) {
-		fprintf( out, "\t%-30s (%lu)\n",
-			loglevel_ops[ i ].word.bv_val,
-			loglevel_ops[ i ].mask );
+		unsigned mask = loglevel_ops[ i ].mask & 0xffffffffUL;
+		fprintf( out,
+			(mask == ((slap_mask_t) -1 & 0xffffffffUL)
+			 ? "\t%-30s (-1, 0xffffffff)\n" : "\t%-30s (%u, 0x%x)\n"),
+			loglevel_ops[ i ].word.bv_val, mask, mask );
 	}
 
 	fprintf( out, "\nNOTE: custom log subsystems may be later installed "
@@ -4576,6 +4673,7 @@
 
 	ca->valx = -1;
 	ca->line = NULL;
+	ca->argc = 1;
 	if ( cfn->c_cr_head ) {
 		struct berval bv = BER_BVC("olcDitContentRules");
 		ad = NULL;
@@ -4675,6 +4773,9 @@
 			Debug( LDAP_DEBUG_TRACE, "%s: config_add_internal: "
 				"DN=\"%s\" already exists\n",
 				log_prefix, e->e_name.bv_val, 0 );
+			/* global schema ignores all writes */
+			if ( ce->ce_type == Cft_Schema && ce->ce_parent->ce_type == Cft_Global )
+				return LDAP_COMPARE_TRUE;
 			return LDAP_ALREADY_EXISTS;
 		}
 	}
@@ -4899,10 +5000,10 @@
 ok:
 	/* Newly added databases and overlays need to be started up */
 	if ( CONFIG_ONLINE_ADD( ca )) {
-		if ( colst[0]->co_type == Cft_Database ) {
+		if ( coptr->co_type == Cft_Database ) {
 			rc = backend_startup_one( ca->be, &ca->reply );
 
-		} else if ( colst[0]->co_type == Cft_Overlay ) {
+		} else if ( coptr->co_type == Cft_Overlay ) {
 			if ( ca->bi->bi_db_open ) {
 				BackendInfo *bi_orig = ca->be->bd_info;
 				ca->be->bd_info = ca->bi;
@@ -4928,7 +5029,7 @@
 	ce->ce_parent = last;
 	ce->ce_entry = entry_dup( e );
 	ce->ce_entry->e_private = ce;
-	ce->ce_type = colst[0]->co_type;
+	ce->ce_type = coptr->co_type;
 	ce->ce_be = ca->be;
 	ce->ce_bi = ca->bi;
 	ce->ce_private = ca->ca_private;
@@ -4973,12 +5074,12 @@
 
 done:
 	if ( rc ) {
-		if ( (colst[0]->co_type == Cft_Database) && ca->be ) {
+		if ( (coptr->co_type == Cft_Database) && ca->be ) {
 			if ( ca->be != frontendDB )
 				backend_destroy_one( ca->be, 1 );
-		} else if ( (colst[0]->co_type == Cft_Overlay) && ca->bi ) {
+		} else if ( (coptr->co_type == Cft_Overlay) && ca->bi ) {
 			overlay_destroy_one( ca->be, (slap_overinst *)ca->bi );
-		} else if ( colst[0]->co_type == Cft_Schema ) {
+		} else if ( coptr->co_type == Cft_Schema ) {
 			schema_destroy_one( ca, colst, nocs, last );
 		}
 	}
@@ -5160,7 +5261,14 @@
 	ldap_pvt_thread_pool_resume( &connection_pool );
 
 out:;
-	send_ldap_result( op, rs );
+	{	int repl = op->o_dont_replicate;
+		if ( rs->sr_err == LDAP_COMPARE_TRUE ) {
+			rs->sr_err = LDAP_SUCCESS;
+			op->o_dont_replicate = 1;
+		}
+		send_ldap_result( op, rs );
+		op->o_dont_replicate = repl;
+	}
 	slap_graduate_commit_csn( op );
 	return rs->sr_err;
 }
@@ -5391,6 +5499,7 @@
 					}
 					ca->line = bv.bv_val;
 					ca->valx = d->idx[i];
+					config_parse_vals(ct, ca, d->idx[i] );
 					rc = config_del_vals( ct, ca );
 					if ( rc != LDAP_SUCCESS ) break;
 					if ( s )
@@ -5402,6 +5511,7 @@
 			} else {
 				ca->valx = -1;
 				ca->line = NULL;
+				ca->argc = 1;
 				rc = config_del_vals( ct, ca );
 				if ( rc ) rc = LDAP_OTHER;
 				if ( s )
@@ -5448,6 +5558,7 @@
 					a->a_flags &= ~(SLAP_ATTR_IXDEL|SLAP_ATTR_IXADD);
 					ca->valx = -1;
 					ca->line = NULL;
+					ca->argc = 1;
 					config_del_vals( ct, ca );
 				}
 				for ( i=0; !BER_BVISNULL( &s->a_vals[i] ); i++ ) {
@@ -5462,6 +5573,7 @@
 				ct = config_find_table( colst, nocs, a->a_desc, ca );
 				ca->valx = -1;
 				ca->line = NULL;
+				ca->argc = 1;
 				config_del_vals( ct, ca );
 				s = attr_find( save_attrs, a->a_desc );
 				if ( s ) {

Modified: openldap/vendor/openldap-release/servers/slapd/config.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/config.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/config.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* config.c - configuration file handling routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/config.c,v 1.441.2.26 2009/08/02 21:26:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/config.c,v 1.441.2.31 2009/12/12 06:18:52 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -33,6 +33,7 @@
 #include <ac/signal.h>
 #include <ac/socket.h>
 #include <ac/errno.h>
+#include <ac/unistd.h>
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -41,10 +42,6 @@
 #define	S_ISREG(m)	(((m) & _S_IFMT) == _S_IFREG)
 #endif
 
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
 #include "slap.h"
 #ifdef LDAP_SLAPI
 #include "slapi/slapi.h"
@@ -417,6 +414,7 @@
 
 	/* If there is no handler, just ignore it */
 	if ( cf->arg_type & ARG_MAGIC ) {
+		c->argv[0] = cf->ad->ad_cname.bv_val;
 		c->op = LDAP_MOD_DELETE;
 		c->type = cf->arg_type & ARGS_USERLAND;
 		rc = (*((ConfigDriver*)cf->arg_item))(c);
@@ -1212,8 +1210,32 @@
 	{ BER_BVNULL, 0 }
 };
 
+static int
+slap_sb_uri(
+	struct berval *val,
+	void *bcp,
+	slap_cf_aux_table *tab0,
+	const char *tabmsg,
+	int unparse )
+{
+	slap_bindconf *bc = bcp;
+	if ( unparse ) {
+		if ( bc->sb_uri.bv_len >= val->bv_len )
+			return -1;
+		val->bv_len = bc->sb_uri.bv_len;
+		AC_MEMCPY( val->bv_val, bc->sb_uri.bv_val, val->bv_len );
+	} else {
+		bc->sb_uri = *val;
+#ifdef HAVE_TLS
+		if ( ldap_is_ldaps_url( val->bv_val ))
+			bc->sb_tls_do_init = 1;
+#endif
+	}
+	return 0;
+}
+
 static slap_cf_aux_table bindkey[] = {
-	{ BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL },
+	{ BER_BVC("uri="), 0, 'x', 1, slap_sb_uri },
 	{ BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'i', 0, versionkey },
 	{ BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'i', 0, methkey },
 	{ BER_BVC("timeout="), offsetof(slap_bindconf, sb_timeout_api), 'i', 0, NULL },
@@ -1226,21 +1248,20 @@
 	{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL },
 	{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, (slap_verbmasks *)authzNormalize },
 #ifdef HAVE_TLS
-	{ BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
-
-	/* NOTE: replace "13" with the actual index
+	/* NOTE: replace "12" with the actual index
 	 * of the first TLS-related line */
-#define aux_TLS (bindkey+13)	/* beginning of TLS keywords */
+#define aux_TLS (bindkey+12)	/* beginning of TLS keywords */
 
+	{ BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
 	{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
 	{ BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL },
 	{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
 	{ BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
-	{ BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 1, NULL },
-	{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 1, NULL },
-	{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 1, NULL },
+	{ BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+	{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
+	{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
 #ifdef HAVE_OPENSSL_CRL
-	{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 1, NULL },
+	{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
 #endif
 	{ BER_BVNULL, 0, 0, 0, NULL }
@@ -1332,6 +1353,20 @@
 
 				rc = lutil_atoulx( ulptr, val, 0 );
 				break;
+
+			case 'x':
+				if ( tab->aux != NULL ) {
+					struct berval value;
+					slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+
+					ber_str2bv( val, 0, 1, &value );
+
+					rc = func( &value, (void *)((char *)dst + tab->off), tab, tabmsg, 0 );
+
+				} else {
+					rc = 1;
+				}
+				break;
 			}
 
 			if ( rc ) {
@@ -1422,6 +1457,26 @@
 			ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ), "%lu", *ulptr );
 			break;
 
+		case 'x':
+			*ptr++ = ' ';
+			ptr = lutil_strcopy( ptr, tab->key.bv_val );
+			if ( tab->quote ) *ptr++ = '"';
+			if ( tab->aux != NULL ) {
+				struct berval value;
+				slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+				int rc;
+
+				value.bv_val = ptr;
+				value.bv_len = buf + sizeof( buf ) - ptr;
+
+				rc = func( &value, (void *)((char *)src + tab->off), tab, "(unparse)", 1 );
+				if ( rc == 0 ) {
+					ptr += value.bv_len;
+				}
+			}
+			if ( tab->quote ) *ptr++ = '"';
+			break;
+
 		default:
 			assert( 0 );
 		}

Modified: openldap/vendor/openldap-release/servers/slapd/connection.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/connection.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/connection.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/connection.c,v 1.358.2.34 2009/08/28 22:39:45 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/connection.c,v 1.358.2.39 2009/12/04 15:44:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -48,28 +48,10 @@
 static Connection *connections = NULL;
 
 static ldap_pvt_thread_mutex_t conn_nextid_mutex;
-static unsigned long conn_nextid = 0;
+static unsigned long conn_nextid = SLAPD_SYNC_SYNCCONN_OFFSET;
 
 static const char conn_lost_str[] = "connection lost";
 
-/* structure state (protected by connections_mutex) */
-enum sc_struct_state {
-	SLAP_C_UNINITIALIZED = 0,	/* MUST BE ZERO (0) */
-	SLAP_C_UNUSED,
-	SLAP_C_USED,
-	SLAP_C_PENDING
-};
-
-/* connection state (protected by c_mutex ) */
-enum sc_conn_state {
-	SLAP_C_INVALID = 0,		/* MUST BE ZERO (0) */
-	SLAP_C_INACTIVE,		/* zero threads */
-	SLAP_C_CLOSING,			/* closing */
-	SLAP_C_ACTIVE,			/* one or more threads */
-	SLAP_C_BINDING,			/* binding */
-	SLAP_C_CLIENT			/* outbound client conn */
-};
-
 const char *
 connection_state2str( int state )
 {
@@ -783,7 +765,9 @@
 {
 	assert( connections != NULL );
 	assert( c != NULL );
-	assert( c->c_struct_state == SLAP_C_USED );
+
+	if ( c->c_struct_state != SLAP_C_USED ) return;
+
 	assert( c->c_conn_state != SLAP_C_INVALID );
 
 	/* c_mutex must be locked by caller */
@@ -816,7 +800,9 @@
 {
 	assert( connections != NULL );
 	assert( c != NULL );
-	assert( c->c_struct_state == SLAP_C_USED );
+
+	if ( c->c_struct_state != SLAP_C_USED ) return;
+
 	assert( c->c_conn_state == SLAP_C_CLOSING );
 
 	/* NOTE: c_mutex should be locked by caller */
@@ -1376,6 +1362,11 @@
 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
 			slap_sasl_external( c, c->c_tls_ssf, &authid );
 			if ( authid.bv_val ) free( authid.bv_val );
+		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
+			slapd_set_write( s, 1 );
+			connection_return( c );
+			return 0;
 		}
 
 		/* if success and data is ready, fall thru to data input loop */
@@ -1875,6 +1866,14 @@
 		return -1;
 	}
 
+#ifdef HAVE_TLS
+	if ( c->c_is_tls && c->c_needs_tls_accept ) {
+		connection_return( c );
+		connection_read_activate( s );
+		return 0;
+	}
+#endif
+
 	c->c_n_write++;
 
 	Debug( LDAP_DEBUG_TRACE,

Modified: openldap/vendor/openldap-release/servers/slapd/ctxcsn.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/ctxcsn.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/ctxcsn.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* ctxcsn.c -- Context CSN Management Routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/ctxcsn.c,v 1.40.2.14 2009/03/13 19:53:40 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/ctxcsn.c,v 1.40.2.15 2009/11/18 01:16:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -26,6 +26,8 @@
 #include "slap.h"
 #include "lutil_ldap.h"
 
+const struct berval slap_ldapsync_bv = BER_BVC("ldapsync");
+const struct berval slap_ldapsync_cn_bv = BER_BVC("cn=ldapsync");
 int slap_serverID;
 
 /* maxcsn->bv_val must point to a char buf[LDAP_LUTIL_CSNSTR_BUFSIZE] */
@@ -133,6 +135,46 @@
 	return;
 }
 
+static struct berval ocbva[] = {
+	BER_BVC("top"),
+	BER_BVC("subentry"),
+	BER_BVC("syncProviderSubentry"),
+	BER_BVNULL
+};
+
+Entry *
+slap_create_context_csn_entry(
+	Backend *be,
+	struct berval *context_csn )
+{
+	Entry* e;
+
+	struct berval bv;
+
+	e = entry_alloc();
+
+	attr_merge( e, slap_schema.si_ad_objectClass,
+		ocbva, NULL );
+	attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
+		&ocbva[1], NULL );
+	attr_merge_one( e, slap_schema.si_ad_cn,
+		(struct berval *)&slap_ldapsync_bv, NULL );
+
+	if ( context_csn ) {
+		attr_merge_one( e, slap_schema.si_ad_contextCSN,
+			context_csn, NULL );
+	}
+
+	BER_BVSTR( &bv, "{}" );
+	attr_merge_one( e, slap_schema.si_ad_subtreeSpecification, &bv, NULL );
+
+	build_new_dn( &e->e_name, &be->be_nsuffix[0],
+		(struct berval *)&slap_ldapsync_cn_bv, NULL );
+	ber_dupbv( &e->e_nname, &e->e_name );
+
+	return e;
+}
+
 void
 slap_queue_csn(
 	Operation *op,

Modified: openldap/vendor/openldap-release/servers/slapd/daemon.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/daemon.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/daemon.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.31 2009/08/25 22:44:25 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/daemon.c,v 1.380.2.33 2009/11/17 17:08:41 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -989,13 +989,17 @@
 void
 slapd_set_read( ber_socket_t s, int wake )
 {
+	int do_wake = 1;
 	ldap_pvt_thread_mutex_lock( &slap_daemon.sd_mutex );
 
-	assert( SLAP_SOCK_IS_ACTIVE( s ));
-	if (!SLAP_SOCK_IS_READ( s )) SLAP_SOCK_SET_READ( s );
-
+	if( SLAP_SOCK_IS_ACTIVE( s ) && !SLAP_SOCK_IS_READ( s )) {
+		SLAP_SOCK_SET_READ( s );
+	} else {
+		do_wake = 0;
+	}
 	ldap_pvt_thread_mutex_unlock( &slap_daemon.sd_mutex );
-	WAKE_LISTENER(wake);
+	if ( do_wake )
+		WAKE_LISTENER(wake);
 }
 
 time_t
@@ -1620,6 +1624,7 @@
 			"daemon: lutil_pair() failed rc=%d\n", rc, 0, 0 );
 		return rc;
 	}
+	ber_pvt_socket_set_nonblock( wake_sds[1], 1 );
 
 	SLAP_SOCK_INIT;
 

Modified: openldap/vendor/openldap-release/servers/slapd/dn.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/dn.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/dn.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* dn.c - routines for dealing with distinguished names */
-/* $OpenLDAP: pkg/ldap/servers/slapd/dn.c,v 1.182.2.13 2009/08/12 23:38:56 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/dn.c,v 1.182.2.14 2009/10/30 18:33:08 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -964,8 +964,8 @@
 
 	/* one-level dn */
 	if ( p == NULL ) {
+		pdn->bv_val = dn->bv_val + dn->bv_len;
 		pdn->bv_len = 0;
-		pdn->bv_val = dn->bv_val + dn->bv_len;
 		return;
 	}
 

Modified: openldap/vendor/openldap-release/servers/slapd/filterentry.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/filterentry.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/filterentry.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* filterentry.c - apply a filter to an entry */
-/* $OpenLDAP: pkg/ldap/servers/slapd/filterentry.c,v 1.104.2.7 2009/06/02 23:09:42 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/filterentry.c,v 1.104.2.8 2009/11/18 01:26:53 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -169,7 +169,7 @@
 
 	if ( op == NULL ) {
 		memctx = NULL;
-		memfree = slap_sl_free;
+		memfree = slap_sl_mfuncs.bmf_free;
 	} else {
 		memctx = op->o_tmpmemctx;
 		memfree = op->o_tmpfree;

Modified: openldap/vendor/openldap-release/servers/slapd/main.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/main.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/main.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.19 2009/06/02 23:39:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/main.c,v 1.239.2.20 2009/10/30 17:52:53 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -270,7 +270,18 @@
 		ldap_charray_free( levels );
 
 	} else {
-		if ( lutil_atoix( &level, arg, 0 ) != 0 ) {
+		int rc;
+
+		if ( arg[0] == '-' ) {
+			rc = lutil_atoix( &level, arg, 0 );
+		} else {
+			unsigned ulevel;
+
+			rc = lutil_atoux( &ulevel, arg, 0 );
+			level = (int)ulevel;
+		}
+
+		if ( rc ) {
 			fprintf( stderr,
 				"unrecognized log level "
 				"\"%s\"\n", arg );

Modified: openldap/vendor/openldap-release/servers/slapd/oc.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/oc.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/oc.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* oc.c - object class routines */
-/* $OpenLDAP: pkg/ldap/servers/slapd/oc.c,v 1.77.2.10 2009/01/22 00:01:02 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/oc.c,v 1.77.2.11 2009/10/30 18:06:26 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -807,6 +807,10 @@
 			ch_free( soc->soc_allowed );
 		}
 
+		if ( soc->soc_oidmacro ) {
+			ch_free( soc->soc_oidmacro );
+		}
+
 		ch_free( soc );
 
 	} else if ( rsoc ) {

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/accesslog.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/accesslog.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/accesslog.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* accesslog.c - log operations for audit/history purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/accesslog.c,v 1.37.2.23 2009/03/05 18:26:47 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/accesslog.c,v 1.37.2.25 2009/11/24 05:50:11 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -580,11 +580,12 @@
 	a = attr_find( rs->sr_entry->e_attrs,
 		slap_schema.si_ad_entryCSN );
 	if ( a ) {
-		ber_len_t len = a->a_vals[0].bv_len;
-		if ( len > pd->csn.bv_len )
-			len = pd->csn.bv_len;
-		if ( memcmp( a->a_vals[0].bv_val, pd->csn.bv_val, len ) > 0 ) {
-			AC_MEMCPY( pd->csn.bv_val, a->a_vals[0].bv_val, len );
+		ber_len_t len = a->a_nvals[0].bv_len;
+		/* Paranoid len check, normalized CSNs are always the same length */
+		if ( len > LDAP_LUTIL_CSNSTR_BUFSIZE )
+			len = LDAP_LUTIL_CSNSTR_BUFSIZE;
+		if ( memcmp( a->a_nvals[0].bv_val, pd->csn.bv_val, len ) > 0 ) {
+			AC_MEMCPY( pd->csn.bv_val, a->a_nvals[0].bv_val, len );
 			pd->csn.bv_len = len;
 		}
 	}

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/auditlog.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/auditlog.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/auditlog.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* auditlog.c - log modifications for audit/history purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/auditlog.c,v 1.7.2.8 2009/01/22 00:01:12 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/auditlog.c,v 1.7.2.9 2009/09/29 21:43:53 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -73,7 +73,7 @@
 	Attribute *a;
 	Modifications *m;
 	struct berval *b, *who = NULL;
-	char *what, *suffix;
+	char *what, *whatm, *suffix;
 	time_t stamp;
 	int i;
 
@@ -147,15 +147,15 @@
 	  case LDAP_REQ_MODIFY:
 		for(m = op->orm_modlist; m; m = m->sml_next) {
 			switch(m->sml_op & LDAP_MOD_OP) {
-				case LDAP_MOD_ADD:	 what = "add";		break;
-				case LDAP_MOD_REPLACE:	 what = "replace";	break;
-				case LDAP_MOD_DELETE:	 what = "delete";	break;
-				case LDAP_MOD_INCREMENT: what = "increment";	break;
+				case LDAP_MOD_ADD:	 whatm = "add";		break;
+				case LDAP_MOD_REPLACE:	 whatm = "replace";	break;
+				case LDAP_MOD_DELETE:	 whatm = "delete";	break;
+				case LDAP_MOD_INCREMENT: whatm = "increment";	break;
 				default:
 					fprintf(f, "# MOD_TYPE_UNKNOWN:%02x\n", m->sml_op & LDAP_MOD_OP);
 					continue;
 			}
-			fprintf(f, "%s: %s\n", what, m->sml_desc->ad_cname.bv_val);
+			fprintf(f, "%s: %s\n", whatm, m->sml_desc->ad_cname.bv_val);
 			if((b = m->sml_values) != NULL)
 			  for(i = 0; b[i].bv_val; i++)
 				fprint_ldif(f, m->sml_desc->ad_cname.bv_val, b[i].bv_val, b[i].bv_len);

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/dds.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/dds.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/dds.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dds.c,v 1.7.2.13 2009/08/13 00:47:41 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dds.c,v 1.7.2.14 2009/11/18 01:25:49 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -137,7 +137,7 @@
 	int		rc;
 	char		*extra = "";
 
-	connection_fake_init( &conn, &opbuf, ctx );
+	connection_fake_init2( &conn, &opbuf, ctx, 0 );
 	op = &opbuf.ob_op;
 
 	op->o_tag = LDAP_REQ_SEARCH;
@@ -1627,7 +1627,7 @@
 	int		rc;
 	char		*extra = "";
 
-	connection_fake_init( &conn, &opbuf, ctx );
+	connection_fake_init2( &conn, &opbuf, ctx, 0 );
 	op = &opbuf.ob_op;
 
 	op->o_tag = LDAP_REQ_SEARCH;

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/dynlist.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/dynlist.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/dynlist.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* dynlist.c - dynamic list overlay */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dynlist.c,v 1.20.2.28 2009/08/25 23:13:42 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/dynlist.c,v 1.20.2.30 2009/12/08 22:55:13 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -170,20 +170,27 @@
 }
 
 static int
-dynlist_make_filter( Operation *op, struct berval *oldf, struct berval *newf )
+dynlist_make_filter( Operation *op, Entry *e, const char *url, struct berval *oldf, struct berval *newf )
 {
 	slap_overinst	*on = (slap_overinst *)op->o_bd->bd_info;
 	dynlist_info_t	*dli = (dynlist_info_t *)on->on_bi.bi_private;
 
 	char		*ptr;
+	int		needBrackets = 0;
 
 	assert( oldf != NULL );
 	assert( newf != NULL );
 	assert( !BER_BVISNULL( oldf ) );
 	assert( !BER_BVISEMPTY( oldf ) );
 
+	if ( oldf->bv_val[0] != '(' ) {
+		Debug( LDAP_DEBUG_ANY, "%s: dynlist, DN=\"%s\": missing brackets in URI=\"%s\" filter\n",
+			op->o_log_prefix, e->e_name.bv_val, url );
+		needBrackets = 2;
+	}
+
 	newf->bv_len = STRLENOF( "(&(!(objectClass=" "))" ")" )
-		+ dli->dli_oc->soc_cname.bv_len + oldf->bv_len;
+		+ dli->dli_oc->soc_cname.bv_len + oldf->bv_len + needBrackets;
 	newf->bv_val = op->o_tmpalloc( newf->bv_len + 1, op->o_tmpmemctx );
 	if ( newf->bv_val == NULL ) {
 		return -1;
@@ -191,7 +198,9 @@
 	ptr = lutil_strcopy( newf->bv_val, "(&(!(objectClass=" );
 	ptr = lutil_strcopy( ptr, dli->dli_oc->soc_cname.bv_val );
 	ptr = lutil_strcopy( ptr, "))" );
+	if ( needBrackets ) *ptr++ = '(';
 	ptr = lutil_strcopy( ptr, oldf->bv_val );
+	if ( needBrackets ) *ptr++ = ')';
 	ptr = lutil_strcopy( ptr, ")" );
 	newf->bv_len = ptr - newf->bv_val;
 
@@ -611,7 +620,7 @@
 		} else {
 			struct berval	flt;
 			ber_str2bv( lud->lud_filter, 0, 0, &flt );
-			if ( dynlist_make_filter( op, &flt, &o.ors_filterstr ) ) {
+			if ( dynlist_make_filter( op, rs->sr_entry, url->bv_val, &flt, &o.ors_filterstr ) ) {
 				/* error */
 				goto cleanup;
 			}
@@ -863,7 +872,7 @@
 
 release:;
 	if ( e != NULL ) {
-		overlay_entry_release_ov( op, e, 0, on );
+		overlay_entry_release_ov( &o, e, 0, on );
 	}
 
 	return SLAP_CB_CONTINUE;

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/memberof.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/memberof.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/memberof.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* memberof.c - back-reference for group membership */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/memberof.c,v 1.2.2.18 2009/02/03 19:06:20 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/memberof.c,v 1.2.2.20 2009/11/17 17:37:39 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2007 Pierangelo Masarati <ando at sys-net.it>
@@ -224,16 +224,8 @@
 		a = attr_find( rs->sr_entry->e_attrs, mc->ad );
 		if ( a != NULL ) {
 			ber_bvarray_dup_x( &mc->vals, a->a_nvals, op->o_tmpmemctx );
-		}
 
-		if ( a && attr_find( a->a_next, mc->ad ) != NULL ) {
-			Debug( LDAP_DEBUG_ANY,
-				"%s: memberof_saveMember_cb(\"%s\"): "
-				"more than one occurrence of \"%s\" "
-				"attribute.\n",
-				op->o_log_prefix,
-				rs->sr_entry->e_name.bv_val,
-				mc->ad->ad_cname.bv_val );
+			assert( attr_find( a->a_next, mc->ad ) == NULL );
 		}
 	}
 
@@ -393,6 +385,7 @@
 	ml->sml_flags = SLAP_MOD_INTERNAL;
 	ml->sml_next = op2.orm_modlist;
 	op2.orm_modlist = ml;
+	op2.orm_no_opattrs = 0;
 
 	if ( new_ndn != NULL ) {
 		assert( !BER_BVISNULL( new_dn ) );

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/pcache.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/pcache.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/pcache.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/pcache.c,v 1.88.2.40 2009/08/25 21:24:47 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/pcache.c,v 1.88.2.47 2009/11/23 16:24:55 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -768,6 +768,10 @@
 		}
 		query.scope = lud->lud_scope;
 		query.filter = str2filter( lud->lud_filter );
+		if ( query.filter == NULL ) {
+			rc = -1;
+			goto error;
+		}
 
 		tempstr.bv_val = ch_malloc( strlen( lud->lud_filter ) + 1 );
 		tempstr.bv_len = 0;
@@ -823,6 +827,7 @@
 merge_entry(
 	Operation		*op,
 	Entry			*e,
+	int			dup,
 	struct berval*		query_uuid )
 {
 	int		rc;
@@ -836,6 +841,8 @@
 
 	slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
 
+	if ( dup )
+		e = entry_dup( e );
 	attr = e->e_attrs;
 	e->e_attrs = NULL;
 
@@ -862,6 +869,7 @@
 			modlist->sml_op = LDAP_MOD_ADD;
 			op->o_tag = LDAP_REQ_MODIFY;
 			op->orm_modlist = modlist;
+			op->o_managedsait = SLAP_CONTROL_CRITICAL;
 			op->o_bd->be_modify( op, &sreply );
 			slap_mods_free( modlist, 1 );
 		} else if ( rc == LDAP_REFERRAL ||
@@ -876,7 +884,7 @@
 		}
 	} else {
 		if ( op->ora_e == e )
-			be_entry_release_w( op, e );
+			entry_free( e );
 		rc = 1;
 	}
 
@@ -2284,7 +2292,7 @@
 			remove_query_and_data( op_tmp, rs, cm, &crp_uuid );
 		}
 
-		return_val = merge_entry(op_tmp, e, query_uuid);
+		return_val = merge_entry(op_tmp, e, 0, query_uuid);
 		ldap_pvt_thread_mutex_lock(&cm->cache_mutex);
 		cm->cur_entries += return_val;
 		Debug( pcache_debug,
@@ -2470,7 +2478,14 @@
 			} else if ( rs->sr_err == LDAP_SIZELIMIT_EXCEEDED
 				&& si->qtemp->limitttl )
 			{
+				Entry *e;
+
 				si->caching_reason = PC_SIZELIMIT;
+				for (;si->head; si->head=e) {
+					e = si->head->e_private;
+					si->head->e_private = NULL;
+					entry_free(si->head);
+				}
 			}
 
 		} else if ( si->qtemp->negttl && !si->count && !si->over &&
@@ -2629,7 +2644,14 @@
 	}
 	*p2 = '\0';
 	op->o_tmpfree( vals, op->o_tmpmemctx );
-	return str2filter_x( op, fbv->bv_val );
+
+	/* FIXME: are we sure str2filter_x can't fail?
+	 * caller needs to check */
+	{
+		Filter *f = str2filter_x( op, fbv->bv_val );
+		assert( f != NULL );
+		return f;
+	}
 }
 
 /* Check if the requested entry is from the cache and has a valid
@@ -3189,7 +3211,7 @@
 			/* No local entry, just add it. FIXME: we are not checking
 			 * the cache entry limit here
 			 */
-			 merge_entry( op, rs->sr_entry, &ri->ri_q->q_uuid );
+			 merge_entry( op, rs->sr_entry, 1, &ri->ri_q->q_uuid );
 		} else {
 			/* Entry exists, update it */
 			Entry ne;
@@ -4376,9 +4398,13 @@
 	cm->check_cacheability = 0;
 	cm->response_cb = PCACHE_RESPONSE_CB_TAIL;
 	cm->defer_db_open = 1;
+	cm->cache_binds = 0;
 	cm->cc_period = 1000;
 	cm->cc_paused = 0;
 	cm->cc_arg = NULL;
+#ifdef PCACHE_MONITOR
+	cm->monitor_cb = NULL;
+#endif /* PCACHE_MONITOR */
 
 	qm->attr_sets = NULL;
 	qm->templates = NULL;
@@ -4484,7 +4510,7 @@
 			AttributeAssertion	ava = ATTRIBUTEASSERTION_INIT;
 			AttributeName	attrs[ 2 ] = {{{ 0 }}};
 
-			connection_fake_init( &conn, &opbuf, thrctx );
+			connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 			op = &opbuf.ob_op;
 
 			op->o_bd = &cm->db;
@@ -4670,7 +4696,7 @@
 
 		thrctx = ldap_pvt_thread_pool_context();
 
-		connection_fake_init( &conn, &opbuf, thrctx );
+		connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 		op = &opbuf.ob_op;
 
 		if ( qm->templates != NULL ) {

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/retcode.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/retcode.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/retcode.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* retcode.c - customizable response for client testing purposes */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/retcode.c,v 1.18.2.10 2009/01/22 00:01:13 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/retcode.c,v 1.18.2.11 2009/11/22 19:39:43 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2005-2009 The OpenLDAP Foundation.
@@ -257,6 +257,9 @@
 		1, &op2.ors_filterstr, op2.o_tmpmemctx );
 	op2.ors_filter = str2filter_x( &op2, op2.ors_filterstr.bv_val );
 
+	/* errAbsObject is defined by this overlay! */
+	assert( op2.ors_filter != NULL );
+
 	db.bd_info = on->on_info->oi_orig;
 	op2.o_bd = &db;
 

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/sssvlv.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/sssvlv.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/sssvlv.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* sssvlv.c - server side sort / virtual list view */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/sssvlv.c,v 1.9.2.3 2009/07/27 17:30:42 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/sssvlv.c,v 1.9.2.4 2009/09/29 19:07:07 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2009 The OpenLDAP Foundation.
@@ -696,7 +696,7 @@
 	int						rc			= SLAP_CB_CONTINUE;
 	int	ok;
 	sort_op *so, so2;
-	sort_ctrl *sc = op->o_controls[sss_cid];
+	sort_ctrl *sc;
 	PagedResultsState *ps;
 	vlv_ctrl *vc;
 
@@ -725,6 +725,7 @@
 		op->o_req_dn.bv_val, op->ors_filterstr.bv_val,
 		op->o_ctrlflag[sss_cid]);
 
+	sc = op->o_controls[sss_cid];
 	if ( sc->sc_nkeys > si->svi_max_keys ) {
 		rs->sr_text = "Too many sort keys";
 		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/syncprov.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/syncprov.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/syncprov.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.58 2009/04/05 01:29:48 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/syncprov.c,v 1.147.2.70 2009/11/24 00:53:26 quanah Exp $ */
 /* syncprov.c - syncrepl provider */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
@@ -48,6 +48,7 @@
 /* A queued result of a persistent search */
 typedef struct syncres {
 	struct syncres *s_next;
+	Entry *s_e;
 	struct berval s_dn;
 	struct berval s_ndn;
 	struct berval s_uuid;
@@ -124,6 +125,7 @@
 typedef struct syncprov_info_t {
 	syncops		*si_ops;
 	BerVarray	si_ctxcsn;	/* ldapsync context */
+	struct berval	si_contextdn;
 	int		*si_sids;
 	int		si_numcsns;
 	int		si_chkops;	/* checkpointing info */
@@ -137,12 +139,14 @@
 	ldap_pvt_thread_rdwr_t	si_csn_rwlock;
 	ldap_pvt_thread_mutex_t	si_ops_mutex;
 	ldap_pvt_thread_mutex_t	si_mods_mutex;
+	ldap_pvt_thread_mutex_t	si_resp_mutex;
 } syncprov_info_t;
 
 typedef struct opcookie {
 	slap_overinst *son;
 	syncmatches *smatches;
 	modtarget *smt;
+	Entry *se;
 	struct berval sdn;	/* DN of entry, for deletes */
 	struct berval sndn;
 	struct berval suuid;	/* UUID of entry */
@@ -152,6 +156,11 @@
 	short sreference;	/* Is the entry a reference? */
 } opcookie;
 
+typedef struct mutexint {
+	ldap_pvt_thread_mutex_t mi_mutex;
+	int mi_int;
+} mutexint;
+
 typedef struct fbase_cookie {
 	struct berval *fdn;	/* DN of a modified entry, for scope testing */
 	syncops *fss;	/* persistent search we're testing against */
@@ -737,6 +746,36 @@
 	return rc;
 }
 
+/* Should find a place to cache these */
+static mutexint *get_mutexint()
+{
+	mutexint *mi = ch_malloc( sizeof( mutexint ));
+	ldap_pvt_thread_mutex_init( &mi->mi_mutex );
+	mi->mi_int = 1;
+	return mi;
+}
+
+static void inc_mutexint( mutexint *mi )
+{
+	ldap_pvt_thread_mutex_lock( &mi->mi_mutex );
+	mi->mi_int++;
+	ldap_pvt_thread_mutex_unlock( &mi->mi_mutex );
+}
+
+/* return resulting counter */
+static int dec_mutexint( mutexint *mi )
+{
+	int i;
+	ldap_pvt_thread_mutex_lock( &mi->mi_mutex );
+	i = --mi->mi_int;
+	ldap_pvt_thread_mutex_unlock( &mi->mi_mutex );
+	if ( !i ) {
+		ldap_pvt_thread_mutex_destroy( &mi->mi_mutex );
+		ch_free( mi );
+	}
+	return i;
+}
+
 static void
 syncprov_free_syncop( syncops *so )
 {
@@ -760,6 +799,12 @@
 	ch_free( so->s_base.bv_val );
 	for ( sr=so->s_res; sr; sr=srnext ) {
 		srnext = sr->s_next;
+		if ( sr->s_e ) {
+			if ( !dec_mutexint( sr->s_e->e_private )) {
+				sr->s_e->e_private = NULL;
+				entry_free( sr->s_e );
+			}
+		}
 		ch_free( sr );
 	}
 	ldap_pvt_thread_mutex_destroy( &so->s_mutex );
@@ -768,8 +813,7 @@
 
 /* Send a persistent search response */
 static int
-syncprov_sendresp( Operation *op, opcookie *opc, syncops *so,
-	Entry **e, int mode )
+syncprov_sendresp( Operation *op, opcookie *opc, syncops *so, int mode )
 {
 	slap_overinst *on = opc->son;
 
@@ -790,15 +834,13 @@
 	}
 
 #ifdef LDAP_DEBUG
-	if ( !BER_BVISNULL( &cookie )) {
-		if ( so->s_sid > 0 ) {
-			Debug( LDAP_DEBUG_SYNC, "syncprov_sendresp: to=%03x, cookie=%s\n",
-				so->s_sid, cookie.bv_val , 0 );
-		} else {
-			Debug( LDAP_DEBUG_SYNC, "syncprov_sendresp: cookie=%s\n",
-				cookie.bv_val, 0, 0 );
-		}
-	}		
+	if ( so->s_sid > 0 ) {
+		Debug( LDAP_DEBUG_SYNC, "syncprov_sendresp: to=%03x, cookie=%s\n",
+			so->s_sid, cookie.bv_val ? cookie.bv_val : "", 0 );
+	} else {
+		Debug( LDAP_DEBUG_SYNC, "syncprov_sendresp: cookie=%s\n",
+			cookie.bv_val ? cookie.bv_val : "", 0, 0 );
+	}
 #endif
 
 	e_uuid.e_attrs = &a_uuid;
@@ -811,35 +853,29 @@
 	}
 
 	rs.sr_ctrls = ctrls;
-	op->o_bd->bd_info = (BackendInfo *)on->on_info;
+	rs.sr_entry = &e_uuid;
+	if ( mode == LDAP_SYNC_ADD || mode == LDAP_SYNC_MODIFY ) {
+		e_uuid = *opc->se;
+		e_uuid.e_private = NULL;
+	}
+
 	switch( mode ) {
 	case LDAP_SYNC_ADD:
-		rs.sr_entry = *e;
-		if ( rs.sr_entry->e_private )
-			rs.sr_flags = REP_ENTRY_MUSTRELEASE;
 		if ( opc->sreference && so->s_op->o_managedsait <= SLAP_CONTROL_IGNORED ) {
 			rs.sr_ref = get_entry_referrals( op, rs.sr_entry );
 			rs.sr_err = send_search_reference( op, &rs );
 			ber_bvarray_free( rs.sr_ref );
-			if ( !rs.sr_entry )
-				*e = NULL;
 			break;
 		}
 		/* fallthru */
 	case LDAP_SYNC_MODIFY:
-		rs.sr_entry = *e;
-		if ( rs.sr_entry->e_private )
-			rs.sr_flags = REP_ENTRY_MUSTRELEASE;
 		rs.sr_attrs = op->ors_attrs;
 		rs.sr_err = send_search_entry( op, &rs );
-		if ( !rs.sr_entry )
-			*e = NULL;
 		break;
 	case LDAP_SYNC_DELETE:
 		e_uuid.e_attrs = NULL;
 		e_uuid.e_name = opc->sdn;
 		e_uuid.e_nname = opc->sndn;
-		rs.sr_entry = &e_uuid;
 		if ( opc->sreference && so->s_op->o_managedsait <= SLAP_CONTROL_IGNORED ) {
 			struct berval bv = BER_BVNULL;
 			rs.sr_ref = &bv;
@@ -853,7 +889,14 @@
 	}
 	/* In case someone else freed it already? */
 	if ( rs.sr_ctrls ) {
-		op->o_tmpfree( rs.sr_ctrls[0], op->o_tmpmemctx );
+		int i;
+		for ( i=0; rs.sr_ctrls[i]; i++ ) {
+			if ( rs.sr_ctrls[i] == ctrls[0] ) {
+				op->o_tmpfree( ctrls[0]->ldctl_value.bv_val, op->o_tmpmemctx );
+				ctrls[0]->ldctl_value.bv_val = NULL;
+				break;
+			}
+		}
 		rs.sr_ctrls = NULL;
 	}
 
@@ -898,23 +941,16 @@
 			opc.suuid = sr->s_uuid;
 			opc.sctxcsn = sr->s_csn;
 			opc.sreference = sr->s_isreference;
-			e = NULL;
+			opc.se = sr->s_e;
 
-			if ( sr->s_mode != LDAP_SYNC_DELETE ) {
-				rc = overlay_entry_get_ov( op, &opc.sndn, NULL, NULL, 0, &e, on );
-				if ( rc ) {
-					Debug( LDAP_DEBUG_SYNC, "syncprov_qplay: failed to get %s, "
-						"error (%d), ignoring...\n", opc.sndn.bv_val, rc, 0 );
-					ch_free( sr );
-					rc = 0;
-					continue;
+			rc = syncprov_sendresp( op, &opc, so, sr->s_mode );
+
+			if ( opc.se ) {
+				if ( !dec_mutexint( opc.se->e_private )) {
+					opc.se->e_private = NULL;
+					entry_free ( opc.se );
 				}
 			}
-			rc = syncprov_sendresp( op, &opc, so, &e, sr->s_mode );
-
-			if ( e ) {
-				overlay_entry_release_ov( op, e, 0, on );
-			}
 		}
 
 		ch_free( sr );
@@ -1007,6 +1043,10 @@
 		srsize += cookie.bv_len + 1;
 	sr = ch_malloc( srsize );
 	sr->s_next = NULL;
+	sr->s_e = opc->se;
+	/* bump refcount on this entry */
+	if ( opc->se )
+		inc_mutexint( opc->se->e_private );
 	sr->s_dn.bv_val = (char *)(sr + 1);
 	sr->s_dn.bv_len = opc->sdn.bv_len;
 	sr->s_mode = mode;
@@ -1150,9 +1190,12 @@
 		rc = overlay_entry_get_ov( op, fc.fdn, NULL, NULL, 0, &e, on );
 		/* If we're sending responses now, make a copy and unlock the DB */
 		if ( e && !saveit ) {
-			Entry *e2 = entry_dup( e );
+			if ( !opc->se ) {
+				opc->se = entry_dup( e );
+				opc->se->e_private = get_mutexint();
+			}
 			overlay_entry_release_ov( op, e, 0, on );
-			e = e2;
+			e = opc->se;
 		}
 		if ( rc ) {
 			op->o_bd = b0;
@@ -1160,6 +1203,13 @@
 		}
 	} else {
 		e = op->ora_e;
+		if ( !saveit ) {
+			if ( !opc->se ) {
+				opc->se = entry_dup( e );
+				opc->se->e_private = get_mutexint();
+			}
+			e = opc->se;
+		}
 	}
 
 	if ( saveit || op->o_tag == LDAP_REQ_ADD ) {
@@ -1189,22 +1239,18 @@
 		if ( ss->s_op->o_abandon )
 			continue;
 
-		/* First time thru, check for possible skips */
-		if ( saveit || op->o_tag == LDAP_REQ_ADD ) {
+		/* Don't send ops back to the originator */
+		if ( opc->osid > 0 && opc->osid == ss->s_sid ) {
+			Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping original sid %03x\n",
+				opc->osid, 0, 0 );
+			continue;
+		}
 
-			/* Don't send ops back to the originator */
-			if ( opc->osid > 0 && opc->osid == ss->s_sid ) {
-				Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping original sid %03x\n",
-					opc->osid, 0, 0 );
-				continue;
-			}
-
-			/* Don't send ops back to the messenger */
-			if ( opc->rsid > 0 && opc->rsid == ss->s_sid ) {
-				Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping relayed sid %03x\n",
-					opc->rsid, 0, 0 );
-				continue;
-			}
+		/* Don't send ops back to the messenger */
+		if ( opc->rsid > 0 && opc->rsid == ss->s_sid ) {
+			Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping relayed sid %03x\n",
+				opc->rsid, 0, 0 );
+			continue;
 		}
 
 		/* validate base */
@@ -1224,7 +1270,6 @@
 			continue;
 		}
 
-
 		/* If we're sending results now, look for this op in old matches */
 		if ( !saveit ) {
 			syncmatches *old;
@@ -1296,9 +1341,17 @@
 		if ( !SLAP_ISOVERLAY( op->o_bd )) {
 			op->o_bd = &db;
 		}
-		overlay_entry_release_ov( op, e, 0, on );
+		if ( saveit )
+			overlay_entry_release_ov( op, e, 0, on );
 		op->o_bd = b0;
 	}
+	if ( opc->se && !saveit ) {
+		if ( !dec_mutexint( opc->se->e_private )) {
+			opc->se->e_private = NULL;
+			entry_free( opc->se );
+			opc->se = NULL;
+		}
+	}
 	if ( freefdn ) {
 		op->o_tmpfree( fc.fdn->bv_val, op->o_tmpmemctx );
 	}
@@ -1324,15 +1377,14 @@
 	/* Remove op from lock table */
 	mt = opc->smt;
 	if ( mt ) {
-		modinst *mi = mt->mt_mods;
-
+		ldap_pvt_thread_mutex_lock( &mt->mt_mutex );
+		mt->mt_mods = mt->mt_mods->mi_next;
 		/* If there are more, promote the next one */
-		if ( mi->mi_next ) {
-			ldap_pvt_thread_mutex_lock( &mt->mt_mutex );
-			mt->mt_mods = mi->mi_next;
+		if ( mt->mt_mods ) {
 			mt->mt_op = mt->mt_mods->mi_op;
 			ldap_pvt_thread_mutex_unlock( &mt->mt_mutex );
 		} else {
+			ldap_pvt_thread_mutex_unlock( &mt->mt_mutex );
 			ldap_pvt_thread_mutex_lock( &si->si_mods_mutex );
 			avl_delete( &si->si_mods, mt, sp_avl_cmp );
 			ldap_pvt_thread_mutex_unlock( &si->si_mods_mutex );
@@ -1361,6 +1413,7 @@
 	SlapReply rsm = { 0 };
 	slap_callback cb = {0};
 	BackendDB be;
+
 #ifdef CHECK_CSN
 	Syntax *syn = slap_schema.si_ad_contextCSN->ad_type->sat_syntax;
 
@@ -1387,12 +1440,26 @@
 		be = *on->on_info->oi_origdb;
 		opm.o_bd = &be;
 	}
-	opm.o_req_dn = opm.o_bd->be_suffix[0];
-	opm.o_req_ndn = opm.o_bd->be_nsuffix[0];
+	opm.o_req_dn = si->si_contextdn;
+	opm.o_req_ndn = si->si_contextdn;
 	opm.o_bd->bd_info = on->on_info->oi_orig;
 	opm.o_managedsait = SLAP_CONTROL_NONCRITICAL;
 	opm.o_no_schema_check = 1;
 	opm.o_bd->be_modify( &opm, &rsm );
+
+	if ( rsm.sr_err == LDAP_NO_SUCH_OBJECT &&
+		SLAP_SYNC_SUBENTRY( opm.o_bd )) {
+		const char	*text;
+		char txtbuf[SLAP_TEXT_BUFLEN];
+		size_t textlen = sizeof txtbuf;
+		Entry *e = slap_create_context_csn_entry( opm.o_bd, NULL );
+		slap_mods2entry( &mod, &e, 0, 1, &text, txtbuf, textlen);
+		opm.ora_e = e;
+		opm.o_bd->be_add( &opm, &rsm );
+		if ( e == opm.ora_e )
+			be_entry_release_w( &opm, opm.ora_e );
+	}
+
 	if ( mod.sml_next != NULL ) {
 		slap_mods_free( mod.sml_next, 1 );
 	}
@@ -1646,13 +1713,58 @@
 		char cbuf[LDAP_LUTIL_CSNSTR_BUFSIZE];
 		int do_check = 0, have_psearches, foundit, csn_changed = 0;
 
+		ldap_pvt_thread_mutex_lock( &si->si_resp_mutex );
+
 		/* Update our context CSN */
 		cbuf[0] = '\0';
 		maxcsn.bv_val = cbuf;
 		maxcsn.bv_len = sizeof(cbuf);
 		ldap_pvt_thread_rdwr_wlock( &si->si_csn_rwlock );
 
-		if ( op->o_dont_replicate && op->o_tag == LDAP_REQ_MODIFY &&
+		slap_get_commit_csn( op, &maxcsn, &foundit );
+		if ( BER_BVISEMPTY( &maxcsn ) && SLAP_GLUE_SUBORDINATE( op->o_bd )) {
+			/* syncrepl queues the CSN values in the db where
+			 * it is configured , not where the changes are made.
+			 * So look for a value in the glue db if we didn't
+			 * find any in this db.
+			 */
+			BackendDB *be = op->o_bd;
+			op->o_bd = select_backend( &be->be_nsuffix[0], 1);
+			maxcsn.bv_val = cbuf;
+			maxcsn.bv_len = sizeof(cbuf);
+			slap_get_commit_csn( op, &maxcsn, &foundit );
+			op->o_bd = be;
+		}
+		if ( !BER_BVISEMPTY( &maxcsn ) ) {
+			int i, sid;
+#ifdef CHECK_CSN
+			Syntax *syn = slap_schema.si_ad_contextCSN->ad_type->sat_syntax;
+			assert( !syn->ssyn_validate( syn, &maxcsn ));
+#endif
+			sid = slap_parse_csn_sid( &maxcsn );
+			for ( i=0; i<si->si_numcsns; i++ ) {
+				if ( sid == si->si_sids[i] ) {
+					if ( ber_bvcmp( &maxcsn, &si->si_ctxcsn[i] ) > 0 ) {
+						ber_bvreplace( &si->si_ctxcsn[i], &maxcsn );
+						csn_changed = 1;
+					}
+					break;
+				}
+			}
+			/* It's a new SID for us */
+			if ( i == si->si_numcsns ) {
+				value_add_one( &si->si_ctxcsn, &maxcsn );
+				csn_changed = 1;
+				si->si_numcsns++;
+				si->si_sids = ch_realloc( si->si_sids, si->si_numcsns *
+					sizeof(int));
+				si->si_sids[i] = sid;
+			}
+		}
+
+		/* Don't do any processing for consumer contextCSN updates */
+		if ( op->o_dont_replicate ) {
+			if ( op->o_tag == LDAP_REQ_MODIFY &&
 				op->orm_modlist->sml_op == LDAP_MOD_REPLACE &&
 				op->orm_modlist->sml_desc == slap_schema.si_ad_contextCSN ) {
 			/* Catch contextCSN updates from syncrepl. We have to look at
@@ -1664,7 +1776,6 @@
 
 			for ( i=0; i<mod->sml_numvals; i++ ) {
 				sid = slap_parse_csn_sid( &mod->sml_values[i] );
-
 				for ( j=0; j<si->si_numcsns; j++ ) {
 					if ( sid == si->si_sids[j] ) {
 						if ( ber_bvcmp( &mod->sml_values[i], &si->si_ctxcsn[j] ) > 0 ) {
@@ -1699,69 +1810,19 @@
 					}
 				}
 			}
-			return SLAP_CB_CONTINUE;
-		}
-
-		slap_get_commit_csn( op, &maxcsn, &foundit );
-		if ( BER_BVISEMPTY( &maxcsn ) && SLAP_GLUE_SUBORDINATE( op->o_bd )) {
-			/* syncrepl queues the CSN values in the db where
-			 * it is configured , not where the changes are made.
-			 * So look for a value in the glue db if we didn't
-			 * find any in this db.
-			 */
-			BackendDB *be = op->o_bd;
-			op->o_bd = select_backend( &be->be_nsuffix[0], 1);
-			maxcsn.bv_val = cbuf;
-			maxcsn.bv_len = sizeof(cbuf);
-			slap_get_commit_csn( op, &maxcsn, &foundit );
-			op->o_bd = be;
-		}
-		if ( !BER_BVISEMPTY( &maxcsn ) ) {
-			int i, sid;
-#ifdef CHECK_CSN
-			Syntax *syn = slap_schema.si_ad_contextCSN->ad_type->sat_syntax;
-			assert( !syn->ssyn_validate( syn, &maxcsn ));
-#endif
-			sid = slap_parse_csn_sid( &maxcsn );
-			for ( i=0; i<si->si_numcsns; i++ ) {
-				if ( sid == si->si_sids[i] ) {
-					if ( ber_bvcmp( &maxcsn, &si->si_ctxcsn[i] ) > 0 ) {
-						ber_bvreplace( &si->si_ctxcsn[i], &maxcsn );
-						csn_changed = 1;
-					}
-					break;
-				}
+			} else {
+			ldap_pvt_thread_rdwr_wunlock( &si->si_csn_rwlock );
 			}
-			/* It's a new SID for us */
-			if ( i == si->si_numcsns ) {
-				value_add_one( &si->si_ctxcsn, &maxcsn );
-				csn_changed = 1;
-				si->si_numcsns++;
-				si->si_sids = ch_realloc( si->si_sids, si->si_numcsns *
-					sizeof(int));
-				si->si_sids[i] = sid;
-			}
-#if 0
-		} else if ( !foundit ) {
-			/* internal ops that aren't meant to be replicated */
-			ldap_pvt_thread_rdwr_wunlock( &si->si_csn_rwlock );
-			return SLAP_CB_CONTINUE;
-#endif
+			goto leave;
 		}
 
-		/* Don't do any processing for consumer contextCSN updates */
-		if ( op->o_dont_replicate ) {
-			ldap_pvt_thread_rdwr_wunlock( &si->si_csn_rwlock );
-			return SLAP_CB_CONTINUE;
-		}
-
 		si->si_numops++;
 		if ( si->si_chkops || si->si_chktime ) {
 			/* Never checkpoint adding the context entry,
 			 * it will deadlock
 			 */
 			if ( op->o_tag != LDAP_REQ_ADD ||
-				!dn_match( &op->o_req_ndn, &op->o_bd->be_nsuffix[0] )) {
+				!dn_match( &op->o_req_ndn, &si->si_contextdn )) {
 				if ( si->si_chkops && si->si_numops >= si->si_chkops ) {
 					do_check = 1;
 					si->si_numops = 0;
@@ -1819,7 +1880,7 @@
 		if ( si->si_logs && op->o_tag != LDAP_REQ_ADD ) {
 			syncprov_add_slog( op );
 		}
-
+leave:		ldap_pvt_thread_mutex_unlock( &si->si_resp_mutex );
 	}
 	return SLAP_CB_CONTINUE;
 }
@@ -1835,14 +1896,14 @@
 	syncprov_info_t		*si = on->on_bi.bi_private;
 	int rc = SLAP_CB_CONTINUE;
 
-	if ( dn_match( &op->o_req_ndn, op->o_bd->be_nsuffix ) &&
+	if ( dn_match( &op->o_req_ndn, &si->si_contextdn ) &&
 		op->oq_compare.rs_ava->aa_desc == slap_schema.si_ad_contextCSN )
 	{
 		Entry e = {0};
 		Attribute a = {0};
 
-		e.e_name = op->o_bd->be_suffix[0];
-		e.e_nname = op->o_bd->be_nsuffix[0];
+		e.e_name = si->si_contextdn;
+		e.e_nname = si->si_contextdn;
 		e.e_attrs = &a;
 
 		a.a_desc = slap_schema.si_ad_contextCSN;
@@ -1946,6 +2007,15 @@
 		mt = avl_find( si->si_mods, &mtdummy, sp_avl_cmp );
 		if ( mt ) {
 			ldap_pvt_thread_mutex_lock( &mt->mt_mutex );
+			if ( mt->mt_mods == NULL ) {
+				/* Cannot reuse this mt, as another thread is about
+				 * to release it in syncprov_op_cleanup.
+				 */
+				ldap_pvt_thread_mutex_unlock( &mt->mt_mutex );
+				mt = NULL;
+			}
+		}
+		if ( mt ) {
 			ldap_pvt_thread_mutex_unlock( &si->si_mods_mutex );
 			mt->mt_tail->mi_next = mi;
 			mt->mt_tail = mi;
@@ -2403,6 +2473,8 @@
 						changed = SS_CHANGED;
 					else if ( newer > 0 ) {
 					/* our state is older, tell consumer nothing */
+						rs->sr_err = LDAP_SUCCESS;
+bailout:
 						if ( sop ) {
 							syncops **sp = &si->si_ops;
 							
@@ -2413,7 +2485,6 @@
 							ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
 							ch_free( sop );
 						}
-						rs->sr_err = LDAP_SUCCESS;
 						rs->sr_ctrls = NULL;
 						send_ldap_result( op, rs );
 						return rs->sr_err;
@@ -2468,8 +2539,9 @@
 					ber_bvarray_free_x( ctxcsn, op->o_tmpmemctx );
 				if ( sids )
 					op->o_tmpfree( sids, op->o_tmpmemctx );
-				send_ldap_error( op, rs, LDAP_SYNC_REFRESH_REQUIRED, "sync cookie is stale" );
-				return rs->sr_err;
+				rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
+				rs->sr_text = "sync cookie is stale";
+				goto bailout;
 			}
 			if ( srs->sr_state.ctxcsn ) {
 				ber_bvarray_free_x( srs->sr_state.ctxcsn, op->o_tmpmemctx );
@@ -2489,8 +2561,7 @@
 					ber_bvarray_free_x( ctxcsn, op->o_tmpmemctx );
 				if ( sids )
 					op->o_tmpfree( sids, op->o_tmpmemctx );
-				send_ldap_result( op, rs );
-				return rs->sr_err;
+				goto bailout;
 			}
 		}
 	} else {
@@ -2572,7 +2643,7 @@
 		return SLAP_CB_CONTINUE;
 
 	if ( rs->sr_entry &&
-		dn_match( &rs->sr_entry->e_nname, op->o_bd->be_nsuffix )) {
+		dn_match( &rs->sr_entry->e_nname, &si->si_contextdn )) {
 
 		if ( SLAP_OPATTRS( rs->sr_attr_flags ) ||
 			ad_inlist( slap_schema.si_ad_contextCSN, rs->sr_attrs )) {
@@ -2679,8 +2750,11 @@
 		case SP_CHKPT:
 			if ( si->si_chkops || si->si_chktime ) {
 				struct berval bv;
+				/* we assume si_chktime is a multiple of 60
+				 * because the parsed value was originally
+				 * multiplied by 60 */
 				bv.bv_len = snprintf( c->cr_msg, sizeof( c->cr_msg ),
-					"%d %d", si->si_chkops, si->si_chktime );
+					"%d %d", si->si_chkops, si->si_chktime/60 );
 				if ( bv.bv_len >= sizeof( c->cr_msg ) ) {
 					rc = 1;
 				} else {
@@ -2856,13 +2930,19 @@
 	}
 
 	thrctx = ldap_pvt_thread_pool_context();
-	connection_fake_init( &conn, &opbuf, thrctx );
+	connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 	op = &opbuf.ob_op;
 	op->o_bd = be;
 	op->o_dn = be->be_rootdn;
 	op->o_ndn = be->be_rootndn;
 
-	rc = overlay_entry_get_ov( op, be->be_nsuffix, NULL,
+	if ( SLAP_SYNC_SUBENTRY( be )) {
+		build_new_dn( &si->si_contextdn, be->be_nsuffix,
+			(struct berval *)&slap_ldapsync_cn_bv, NULL );
+	} else {
+		si->si_contextdn = be->be_nsuffix[0];
+	}
+	rc = overlay_entry_get_ov( op, &si->si_contextdn, NULL,
 		slap_schema.si_ad_contextCSN, 0, &e, on );
 
 	if ( e ) {
@@ -2935,7 +3015,7 @@
 		void *thrctx;
 
 		thrctx = ldap_pvt_thread_pool_context();
-		connection_fake_init( &conn, &opbuf, thrctx );
+		connection_fake_init2( &conn, &opbuf, thrctx, 0 );
 		op = &opbuf.ob_op;
 		op->o_bd = be;
 		op->o_dn = be->be_rootdn;
@@ -2967,6 +3047,7 @@
 	ldap_pvt_thread_rdwr_init( &si->si_csn_rwlock );
 	ldap_pvt_thread_mutex_init( &si->si_ops_mutex );
 	ldap_pvt_thread_mutex_init( &si->si_mods_mutex );
+	ldap_pvt_thread_mutex_init( &si->si_resp_mutex );
 
 	csn_anlist[0].an_desc = slap_schema.si_ad_entryCSN;
 	csn_anlist[0].an_name = slap_schema.si_ad_entryCSN->ad_cname;
@@ -3004,6 +3085,7 @@
 			ber_bvarray_free( si->si_ctxcsn );
 		if ( si->si_sids )
 			ch_free( si->si_sids );
+		ldap_pvt_thread_mutex_destroy( &si->si_resp_mutex );
 		ldap_pvt_thread_mutex_destroy( &si->si_mods_mutex );
 		ldap_pvt_thread_mutex_destroy( &si->si_ops_mutex );
 		ldap_pvt_thread_rdwr_destroy( &si->si_csn_rwlock );

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/translucent.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/translucent.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/translucent.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* translucent.c - translucent proxy module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/translucent.c,v 1.13.2.32 2009/08/25 23:05:25 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/translucent.c,v 1.13.2.33 2009/12/02 19:32:38 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2004-2009 The OpenLDAP Foundation.
@@ -585,7 +585,7 @@
 	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
 	translucent_info *ov = on->on_bi.bi_private;
 	AttributeAssertion *ava = op->orc_ava;
-	Entry *e;
+	Entry *e = NULL;
 	BackendDB *db;
 	int rc;
 
@@ -852,6 +852,7 @@
 	} else {
 	/* Else we have remote, get local */
 		op->o_bd = tc->db;
+		le = NULL;
 		rc = overlay_entry_get_ov(op, &rs->sr_entry->e_nname, NULL, NULL, 0, &le, on);
 		if ( rc == LDAP_SUCCESS && le ) {
 			re = entry_dup( rs->sr_entry );

Modified: openldap/vendor/openldap-release/servers/slapd/overlays/unique.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/overlays/unique.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/overlays/unique.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* unique.c - attribute uniqueness module */
-/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.16 2009/08/02 18:44:04 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/overlays/unique.c,v 1.20.2.17 2009/12/02 16:52:10 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2004-2009 The OpenLDAP Foundation.
@@ -1074,13 +1074,13 @@
 	      domain = domain->next )
 	{
 		unique_domain_uri *uri;
-		int ks = STRLENOF("(|)");
 
 		for ( uri = domain->uri;
 		      uri;
 		      uri = uri->next )
 		{
 			int len;
+			int ks = 0;
 
 			if ( uri->ndn.bv_val
 			     && !dnIsSuffix( &op->o_req_ndn, &uri->ndn ))
@@ -1117,7 +1117,7 @@
 			if ( !ks ) continue;
 
 			/* terminating NUL */
-			ks++;
+			ks += sizeof("(|)");
 
 			if ( uri->filter.bv_val && uri->filter.bv_len )
 				ks += uri->filter.bv_len + STRLENOF ("(&)");
@@ -1195,13 +1195,13 @@
 	      domain = domain->next )
 	{
 		unique_domain_uri *uri;
-		int ks = STRLENOF("(|)");
 
 		for ( uri = domain->uri;
 		      uri;
 		      uri = uri->next )
 		{
 			int len;
+			int ks = 0;
 
 			if ( uri->ndn.bv_val
 			     && !dnIsSuffix( &op->o_req_ndn, &uri->ndn ))
@@ -1228,7 +1228,7 @@
 			if ( !ks ) continue;
 
 			/* terminating NUL */
-			ks++;
+			ks += sizeof("(|)");
 
 			if ( uri->filter.bv_val && uri->filter.bv_len )
 				ks += uri->filter.bv_len + STRLENOF ("(&)");
@@ -1309,13 +1309,13 @@
 	      domain = domain->next )
 	{
 		unique_domain_uri *uri;
-		int ks = STRLENOF("(|)");
 
 		for ( uri = domain->uri;
 		      uri;
 		      uri = uri->next )
 		{
 			int i, len;
+			int ks = 0;
 
 			if ( uri->ndn.bv_val
 			     && !dnIsSuffix( &op->o_req_ndn, &uri->ndn )
@@ -1364,7 +1364,7 @@
 			if ( !ks ) continue;
 
 			/* terminating NUL */
-			ks++;
+			ks += sizeof("(|)");
 
 			if ( uri->filter.bv_val && uri->filter.bv_len )
 				ks += uri->filter.bv_len + STRLENOF ("(&)");

Modified: openldap/vendor/openldap-release/servers/slapd/proto-slap.h
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/proto-slap.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/proto-slap.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.54 2009/08/25 22:44:25 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/proto-slap.h,v 1.670.2.55 2009/11/18 01:16:16 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -814,10 +814,13 @@
  */
 
 LDAP_SLAPD_V( int ) slap_serverID;
+LDAP_SLAPD_V( const struct berval ) slap_ldapsync_bv;
+LDAP_SLAPD_V( const struct berval ) slap_ldapsync_cn_bv;
 LDAP_SLAPD_F (void) slap_get_commit_csn LDAP_P((
 	Operation *, struct berval *maxcsn, int *foundit ));
 LDAP_SLAPD_F (void) slap_rewind_commit_csn LDAP_P(( Operation * ));
 LDAP_SLAPD_F (void) slap_graduate_commit_csn LDAP_P(( Operation * ));
+LDAP_SLAPD_F (Entry *) slap_create_context_csn_entry LDAP_P(( Backend *, struct berval *));
 LDAP_SLAPD_F (int) slap_get_csn LDAP_P(( Operation *, struct berval *, int ));
 LDAP_SLAPD_F (void) slap_queue_csn LDAP_P(( Operation *, struct berval * ));
 

Modified: openldap/vendor/openldap-release/servers/slapd/result.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/result.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/result.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* result.c - routines to send ldap results, errors, and referrals */
-/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.30 2009/08/13 00:02:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/result.c,v 1.289.2.31 2009/11/22 16:29:34 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -927,7 +927,7 @@
 			if( e_flags == NULL ) {
 		    	Debug( LDAP_DEBUG_ANY, 
 					"send_search_entry: conn %lu slap_sl_calloc failed\n",
-					op->o_connid ? op->o_connid : 0, 0, 0 );
+					op->o_connid, 0, 0 );
 				ber_free( ber, 1 );
 	
 				send_ldap_error( op, rs, LDAP_OTHER, "out of memory" );
@@ -945,7 +945,7 @@
 			if ( rc == -1 ) {
 			    	Debug( LDAP_DEBUG_ANY, "send_search_entry: "
 					"conn %lu matched values filtering failed\n",
-					op->o_connid ? op->o_connid : 0, 0, 0 );
+					op->o_connid, 0, 0 );
 				if ( op->o_res_ber == NULL ) ber_free_buf( ber );
 				send_ldap_error( op, rs, LDAP_OTHER,
 					"matched values filtering error" );
@@ -1112,7 +1112,7 @@
 			    	Debug( LDAP_DEBUG_ANY,
 					"send_search_entry: conn %lu "
 					"matched values filtering failed\n", 
-					op->o_connid ? op->o_connid : 0, 0, 0);
+					op->o_connid, 0, 0);
 				if ( op->o_res_ber == NULL ) ber_free_buf( ber );
 				send_ldap_error( op, rs, LDAP_OTHER,
 					"matched values filtering error" );

Modified: openldap/vendor/openldap-release/servers/slapd/sasl.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/sasl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/sasl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/sasl.c,v 1.239.2.18 2009/08/13 00:02:37 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sasl.c,v 1.239.2.20 2009/12/02 16:57:37 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -266,7 +266,8 @@
 	const char *user,
 	unsigned ulen)
 {
-	Operation op = {0};
+	OperationBuffer opbuf = {{ NULL }};
+	Operation *op = (Operation *)&opbuf;
 	int i, doit = 0;
 	Connection *conn = NULL;
 	lookup_info sl;
@@ -286,22 +287,22 @@
 			if ( flags & SASL_AUXPROP_AUTHZID ) {
 				if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZLEN] )) {
 					if ( sl.list[i].values && sl.list[i].values[0] )
-						AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
-							sizeof( op.o_req_ndn.bv_len ) );
+						AC_MEMCPY( &op->o_req_ndn.bv_len, sl.list[i].values[0],
+							sizeof( op->o_req_ndn.bv_len ) );
 				} else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] )) {
 					if ( sl.list[i].values )
-						op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
+						op->o_req_ndn.bv_val = (char *)sl.list[i].values[0];
 					break;
 				}
 			}
 
 			if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
 				if ( sl.list[i].values && sl.list[i].values[0] )
-					AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
-						sizeof( op.o_req_ndn.bv_len ) );
+					AC_MEMCPY( &op->o_req_ndn.bv_len, sl.list[i].values[0],
+						sizeof( op->o_req_ndn.bv_len ) );
 			} else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
 				if ( sl.list[i].values ) {
-					op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
+					op->o_req_ndn.bv_val = (char *)sl.list[i].values[0];
 					if ( !(flags & SASL_AUXPROP_AUTHZID) )
 						break;
 				}
@@ -336,30 +337,30 @@
 
 		cb.sc_private = &sl;
 
-		op.o_bd = select_backend( &op.o_req_ndn, 1 );
+		op->o_bd = select_backend( &op->o_req_ndn, 1 );
 
-		if ( op.o_bd ) {
+		if ( op->o_bd ) {
 			/* For rootdn, see if we can use the rootpw */
-			if ( be_isroot_dn( op.o_bd, &op.o_req_ndn ) &&
-				!BER_BVISEMPTY( &op.o_bd->be_rootpw )) {
+			if ( be_isroot_dn( op->o_bd, &op->o_req_ndn ) &&
+				!BER_BVISEMPTY( &op->o_bd->be_rootpw )) {
 				struct berval cbv = BER_BVNULL;
 
 				/* If there's a recognized scheme, see if it's CLEARTEXT */
-				if ( lutil_passwd_scheme( op.o_bd->be_rootpw.bv_val )) {
-					if ( !strncasecmp( op.o_bd->be_rootpw.bv_val,
+				if ( lutil_passwd_scheme( op->o_bd->be_rootpw.bv_val )) {
+					if ( !strncasecmp( op->o_bd->be_rootpw.bv_val,
 						sc_cleartext.bv_val, sc_cleartext.bv_len )) {
 
 						/* If it's CLEARTEXT, skip past scheme spec */
-						cbv.bv_len = op.o_bd->be_rootpw.bv_len -
+						cbv.bv_len = op->o_bd->be_rootpw.bv_len -
 							sc_cleartext.bv_len;
 						if ( cbv.bv_len ) {
-							cbv.bv_val = op.o_bd->be_rootpw.bv_val +
+							cbv.bv_val = op->o_bd->be_rootpw.bv_val +
 								sc_cleartext.bv_len;
 						}
 					}
 				/* No scheme, use the whole value */
 				} else {
-					cbv = op.o_bd->be_rootpw;
+					cbv = op->o_bd->be_rootpw;
 				}
 				if ( !BER_BVISEMPTY( &cbv )) {
 					for( i = 0; sl.list[i].name; i++ ) {
@@ -380,27 +381,28 @@
 				}
 			}
 
-			if ( op.o_bd->be_search ) {
+			if ( op->o_bd->be_search ) {
 				SlapReply rs = {REP_RESULT};
-				op.o_hdr = conn->c_sasl_bindop->o_hdr;
-				op.o_tag = LDAP_REQ_SEARCH;
-				op.o_dn = conn->c_ndn;
-				op.o_ndn = conn->c_ndn;
-				op.o_callback = &cb;
-				slap_op_time( &op.o_time, &op.o_tincr );
-				op.o_do_not_cache = 1;
-				op.o_is_auth_check = 1;
-				op.o_req_dn = op.o_req_ndn;
-				op.ors_scope = LDAP_SCOPE_BASE;
-				op.ors_deref = LDAP_DEREF_NEVER;
-				op.ors_tlimit = SLAP_NO_LIMIT;
-				op.ors_slimit = 1;
-				op.ors_filter = &generic_filter;
-				op.ors_filterstr = generic_filterstr;
+				op->o_hdr = conn->c_sasl_bindop->o_hdr;
+				op->o_controls = opbuf.ob_controls;
+				op->o_tag = LDAP_REQ_SEARCH;
+				op->o_dn = conn->c_ndn;
+				op->o_ndn = conn->c_ndn;
+				op->o_callback = &cb;
+				slap_op_time( &op->o_time, &op->o_tincr );
+				op->o_do_not_cache = 1;
+				op->o_is_auth_check = 1;
+				op->o_req_dn = op->o_req_ndn;
+				op->ors_scope = LDAP_SCOPE_BASE;
+				op->ors_deref = LDAP_DEREF_NEVER;
+				op->ors_tlimit = SLAP_NO_LIMIT;
+				op->ors_slimit = 1;
+				op->ors_filter = &generic_filter;
+				op->ors_filterstr = generic_filterstr;
 				/* FIXME: we want all attributes, right? */
-				op.ors_attrs = NULL;
+				op->ors_attrs = NULL;
 
-				op.o_bd->be_search( &op, &rs );
+				op->o_bd->be_search( op, &rs );
 			}
 		}
 	}

Deleted: openldap/vendor/openldap-release/servers/slapd/schema/nadf.schema
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/schema/nadf.schema	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/schema/nadf.schema	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,182 +0,0 @@
-# nadf.schema -- NADF-defined schema
-# $OpenLDAP: pkg/ldap/servers/slapd/schema/nadf.schema,v 1.13.2.4 2009/01/22 00:01:14 kurt Exp $
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2009 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-# These are definitions from the North American Directory Forum
-# They are intended to be used with QUIPU/X.500 not LDAPv3.
-# Your mileage may vary.
-
-# They were acquired from ftp://ftp.gte.com/pub/nadf/nadf-docs/sd-04.ps
-# Our thanks to Harald T. Alvestrand that provided the pointer.
-
-# This is a preliminary version and is likely to be incorrect in
-# a number of areas.  Use with exterme caution.
-
-# The root for OIDs is joint-iso-ccitt mhs-motis(6) group(6) grimstad(5)
-# nadf(2).  In othor words, barring any error, 2.6.6.5.2.  Then,
-# nadfOink ::= 2.6.6.5.2.0
-# nadfModule ::= 2.6.6.5.2.1
-# nadfAttributeType ::= 2.6.6.5.2.4
-# nadfObjectClass ::= 2.6.6.5.2.6
-
-# Attribute Type Definition
-
-attributetype ( 2.6.6.5.2.4.1 NAME 'fipsStateNumericCode'
-	EQUALITY numericStringMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{2} )
-
-# It is probably inconvenient to give this attribute that syntax
-# (Printable String) instead of Directory String.
-
-attributetype ( 2.6.6.5.2.4.2 NAME 'fipsStateAlphaCode'
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{2} )
-
-attributetype ( 2.6.6.5.2.4.3 NAME 'fipsCountyNumericCode'
-	EQUALITY numericStringMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{5} )
-
-# It seems that fips55 is fipsPlaceNumericCode, is this so?
-
-attributetype ( 2.6.6.5.2.4.4 NAME ( 'fipsPlaceNumericCode' 'fips55' )
-	EQUALITY numericStringMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{5} )
-
-attributetype ( 2.6.6.5.2.4.5 NAME 'ansiOrgNumericCode'
-	EQUALITY integerMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-# Apparently, 'ad' is an alias for 'addmdName'
-
-attributetype ( 2.6.6.5.2.4.6 NAME ( 'addmdName' 'ad' )
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-# I don't know what syntax to give this.  I will use binary for the
-# time being.
-
-attributetype ( 2.6.6.5.2.4.7 NAME 'nadfSearchGuide'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
-
-attributetype ( 2.6.6.5.2.4.8 NAME 'supplementaryInformation'
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{76} )
-
-attributetype ( 2.6.6.5.2.4.9 NAME 'namingLink'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype ( 2.6.6.5.2.4.10 NAME 'reciprocalNamingLink'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
-	SINGLE-VALUE )
-
-# Numbers 11 to 14 are obsolete
-
-# Next one is unused.  BTW, this attribute is supposed to be
-# case-exact match, but we cannot make that match unless we
-# define the string with IA5 syntax and we don't have a
-# clear base for this.
-
-attributetype ( 2.6.6.5.2.4.15 NAME 'logicalDSAReference'
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
-attributetype ( 2.6.6.5.2.4.16 NAME 'multiMediaInformation'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
-
-# Number 17, 18 and 19 are EDI-related attributes for the nadfEDIUser
-# class that we did not have and has been left out below.
-
-# Object classes
-
-# According to the intended use described in section 3.3.1 in the spec,
-# this can only be ABSTRACT.
-# We had lastModifiedTime as 'allows', but sd-04 has it as MUST.
-# We did not have multiMediaInformation neither on this class nor
-# on any of its derived classes.
-
-objectclass ( 2.6.6.5.2.6.7 NAME 'nadfObject' SUP top ABSTRACT
-	MUST lastModifiedTime
-	MAY ( multiMediaInformation $ nadfSearchGuide $
-	supplementaryInformation ) )
-
-# I think all classes derived from locality should be considered
-# STRUCTURAL, since locality is.
-
-objectclass ( 2.6.6.5.2.6.1 NAME 'usStateOrEquivalent'
-	SUP ( locality $ nadfObject ) STRUCTURAL
-	MUST ( l $ fipsStateNumericCode $ fipsStateAlphaCode $ st ) )
-
-objectclass ( 2.6.6.5.2.6.2 NAME 'usPlace'
-	SUP ( locality $ nadfObject ) STRUCTURAL
-	MUST ( l $ fipsPlaceNumericCode ) )
-
-objectclass ( 2.6.6.5.2.6.3 NAME 'usCountyOrEquivalent' SUP usPlace STRUCTURAL
-	MUST fipsCountyNumericCode )
-
-# applicationEntity is STRUCTURAL, so we will declare this one the same
-
-objectclass ( 2.6.6.5.2.6.5 NAME 'nadfApplicationEntity'
-	SUP applicationEntity STRUCTURAL
-	MUST supportedApplicationContext )
-
-# Following our heuristic, this one will be STRUCTURAL since organization
-# is too.  We did not have 'o' as 'requires', but if this is really a
-# subclass of organization, then 'o' becomes MUST by inheritance
-
-objectclass ( 2.6.6.5.2.6.6 NAME 'nadfADDMD'
-	SUP ( organization $ nadfObject ) STRUCTURAL
-	MUST addmdName )
-
-# Number 7 is nadfObject described above.
-
-# This one quacks like an AUXILIARY object class
-
-objectclass ( 2.6.6.5.2.6.8 NAME 'publicObject' SUP top AUXILIARY
-	MUST namingLink )
-
-# And so does this one
-
-objectclass ( 2.6.6.5.2.6.9 NAME 'providerObject' SUP top AUXILIARY
-	MUST reciprocalNamingLink )
-
-# The spec says number 10 is obsolete
-
-# This one also strongly smells like AUXILIARY
-
-objectclass ( 2.6.6.5.2.6.11 NAME 'fips55Object' SUP top AUXILIARY
-	MUST fipsPlaceNumericCode
-	MAY st )
-
-# The spec says numbers 12 to 18 are obsolete
-
-# Another obviously AUXILIARY class
-
-objectclass ( 2.6.6.5.2.6.19 NAME 'nationalObject' SUP top AUXILIARY
-	MUST c )
-
-# So is this one
-
-objectclass ( 2.6.6.5.2.6.20 NAME 'ansiOrgObject' SUP top AUXILIARY
-	MUST ansiOrgNumericCode )
-
-# We did not have the next one, but it is innocuous
-
-objectclass ( 2.6.6.5.2.6.21 NAME 'caProvinceOrTerritory'
-	SUP ( locality $ nadfObject ) STRUCTURAL
-	MUST st )
-
-# According to the spec, numbers 22, 23 and 24 are obsolete
-
-# Number 25 was nadfEDIuser as a subclass of edi-user.  Sorry we cannot
-# deal with this one and we did not have it anyway.

Modified: openldap/vendor/openldap-release/servers/slapd/schema_init.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/schema_init.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/schema_init.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* schema_init.c - init builtin schema */
-/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.36 2009/08/13 00:35:54 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.37 2009/11/17 17:18:11 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -2265,8 +2265,7 @@
 
 	p = normalized->bv_val;
 	for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
-		p = lutil_strncopy( p, nlines[l].bv_val, nlines[l].bv_len );
-
+		p = lutil_strbvcopy( p, &nlines[l] );
 		*p++ = '$';
 	}
 	*--p = '\0';
@@ -3329,9 +3328,9 @@
 
 	p = out->bv_val;
 	p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
-	p = lutil_strncopy( p, sn.bv_val, sn.bv_len );
+	p = lutil_strbvcopy( p, &sn );
 	p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -3491,9 +3490,9 @@
 	p = out->bv_val;
 
 	p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
-	p = lutil_strncopy( p, sn3.bv_val, sn3.bv_len );
+	p = lutil_strbvcopy( p, &sn3 );
 	p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -3588,9 +3587,9 @@
 	p = normalized->bv_val;
 
 	p = lutil_strcopy( p, "{ serialNumber " /*}*/ );
-	p = lutil_strncopy( p, sn2.bv_val, sn2.bv_len );
+	p = lutil_strbvcopy( p, &sn2 );
 	p = lutil_strcopy( p, ", issuer rdnSequence:\"" );
-	p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
+	p = lutil_strbvcopy( p, &issuer_dn );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	rc = LDAP_SUCCESS;
@@ -3920,9 +3919,9 @@
 
 	p = out->bv_val;
 	p = lutil_strcopy( p, "{ issuer rdnSequence:\"" /*}*/ );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, "\", thisUpdate \"" );
-	p = lutil_strncopy( p, tu.bv_val, tu.bv_len );
+	p = lutil_strbvcopy( p, &tu );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -3986,9 +3985,9 @@
 	p = out->bv_val;
 
 	p = lutil_strcopy( p, "{ issuer rdnSequence:\"" /*}*/ );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, "\", thisUpdate \"" );
-	p = lutil_strncopy( p, tu2.bv_val, tu2.bv_len );
+	p = lutil_strbvcopy( p, &tu2 );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -4081,9 +4080,9 @@
 	p = normalized->bv_val;
 
 	p = lutil_strcopy( p, "{ issuer rdnSequence:\"" );
-	p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
+	p = lutil_strbvcopy( p, &issuer_dn );
 	p = lutil_strcopy( p, "\", thisUpdate \"" );
-	p = lutil_strncopy( p, thisUpdate.bv_val, thisUpdate.bv_len );
+	p = lutil_strbvcopy( p, &thisUpdate );
 	p = lutil_strcopy( p, /*{*/ "\" }" );
 
 	rc = LDAP_SUCCESS;
@@ -4516,11 +4515,11 @@
 
 	p = out->bv_val;
 	p = lutil_strcopy( p, "{ serialNumber " );
-	p = lutil_strncopy( p, sn.bv_val, sn.bv_len );
+	p = lutil_strbvcopy( p, &sn );
 	p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, "\" }, serial " );
-	p = lutil_strncopy( p, i_sn.bv_val, i_sn.bv_len );
+	p = lutil_strbvcopy( p, &i_sn );
 	p = lutil_strcopy( p, " } } }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -4630,11 +4629,11 @@
 	p = out->bv_val;
 
 	p = lutil_strcopy( p, "{ serialNumber " );
-	p = lutil_strncopy( p, sn3.bv_val, sn3.bv_len );
+	p = lutil_strbvcopy( p, &sn3 );
 	p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
-	p = lutil_strncopy( p, ni.bv_val, ni.bv_len );
+	p = lutil_strbvcopy( p, &ni );
 	p = lutil_strcopy( p, "\" }, serial " );
-	p = lutil_strncopy( p, i_sn3.bv_val, i_sn3.bv_len );
+	p = lutil_strbvcopy( p, &i_sn3 );
 	p = lutil_strcopy( p, " } } }" );
 
 	assert( p == &out->bv_val[out->bv_len] );
@@ -4763,11 +4762,11 @@
 	p = normalized->bv_val;
 
 	p = lutil_strcopy( p, "{ serialNumber " );
-	p = lutil_strncopy( p, sn2.bv_val, sn2.bv_len );
+	p = lutil_strbvcopy( p, &sn2 );
 	p = lutil_strcopy( p, ", issuer { baseCertificateID { issuer { directoryName:rdnSequence:\"" );
-	p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len );
+	p = lutil_strbvcopy( p, &issuer_dn );
 	p = lutil_strcopy( p, "\" }, serial " );
-	p = lutil_strncopy( p, i_sn2.bv_val, i_sn2.bv_len );
+	p = lutil_strbvcopy( p, &i_sn2 );
 	p = lutil_strcopy( p, " } } }" );
 
 	Debug( LDAP_DEBUG_TRACE, "attributeCertificateExactNormalize: %s\n",
@@ -5108,7 +5107,7 @@
 	ptr = lutil_strncopy( ptr, &gt.bv_val[ STRLENOF( "YYYYmmddHH:MM:" ) ],
 		STRLENOF( "SS" ) );
 	ptr = lutil_strcopy( ptr, ".000000Z#00" );
-	ptr = lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len );
+	ptr = lutil_strbvcopy( ptr, &cnt );
 	*ptr++ = '#';
 	*ptr++ = '0';
 	*ptr++ = '0';
@@ -5201,7 +5200,7 @@
 	ptr = bv.bv_val;
 	ptr = lutil_strncopy( ptr, gt.bv_val, gt.bv_len - 1 );
 	ptr = lutil_strcopy( ptr, ".000000Z#" );
-	ptr = lutil_strncopy( ptr, cnt.bv_val, cnt.bv_len );
+	ptr = lutil_strbvcopy( ptr, &cnt );
 	*ptr++ = '#';
 	*ptr++ = '0';
 	for ( i = 0; i < sid.bv_len; i++ ) {

Modified: openldap/vendor/openldap-release/servers/slapd/search.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/search.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/search.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/search.c,v 1.181.2.9 2009/07/27 20:19:18 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/search.c,v 1.181.2.10 2009/11/17 16:28:25 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -112,7 +112,7 @@
 
 	rs->sr_err = dnPrettyNormal( NULL, &base, &op->o_req_dn, &op->o_req_ndn, op->o_tmpmemctx );
 	if( rs->sr_err != LDAP_SUCCESS ) {
-		Debug( LDAP_DEBUG_ANY, "%s do_search: invalid dn (%s)\n",
+		Debug( LDAP_DEBUG_ANY, "%s do_search: invalid dn: \"%s\"\n",
 			op->o_log_prefix, base.bv_val, 0 );
 		send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
 		goto return_results;

Modified: openldap/vendor/openldap-release/servers/slapd/sl_malloc.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/sl_malloc.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/sl_malloc.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* sl_malloc.c - malloc routines using a per-thread slab */
-/* $OpenLDAP: pkg/ldap/servers/slapd/sl_malloc.c,v 1.39.2.9 2009/04/29 01:22:17 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/sl_malloc.c,v 1.39.2.10 2009/11/18 01:22:22 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -90,6 +90,14 @@
 static struct slab_heap *slheap;
 #endif
 
+/* This allocator always returns memory aligned on a 2-int boundary.
+ *
+ * The stack-based allocator stores the size as a ber_len_t at both
+ * the head and tail of the allocated block. When freeing a block, the
+ * tail length is ORed with 1 to mark it as free. Freed space can only
+ * be reclaimed from the tail forward. If the tail block is never freed,
+ * nothing else will be reclaimed until the slab is reset...
+ */
 void *
 slap_sl_mem_create(
 	ber_len_t size,
@@ -114,7 +122,7 @@
 	sh = sh_tmp;
 #endif
 
-	if ( !new )
+	if ( sh && !new )
 		return sh;
 
 	/* round up to doubleword boundary */
@@ -138,7 +146,12 @@
 			if ( newptr == NULL ) return NULL;
 			sh->sh_base = newptr;
 		}
-		sh->sh_last = sh->sh_base;
+		/* insert dummy len */
+		{
+			ber_len_t *i = sh->sh_base;
+			*i++ = 0;
+			sh->sh_last = i;
+		}
 		sh->sh_end = (char *) sh->sh_base + size;
 		sh->sh_stack = stack;
 		return sh;
@@ -258,13 +271,8 @@
 )
 {
 	struct slab_heap *sh = ctx;
-	ber_len_t size_shift;
 	int pad = 2*sizeof(int)-1, pad_shift;
-	int order = -1, order_start = -1;
-	struct slab_object *so_new, *so_left, *so_right;
 	ber_len_t *ptr, *newptr;
-	unsigned long diff;
-	int i, j;
 
 #ifdef SLAP_NO_SL_MALLOC
 	newptr = ber_memalloc_x( size, NULL );
@@ -281,8 +289,8 @@
 		exit( EXIT_FAILURE );
 	}
 
-	/* round up to doubleword boundary */
-	size += sizeof(ber_len_t) + pad;
+	/* round up to doubleword boundary, plus space for len at head and tail */
+	size += 2*sizeof(ber_len_t) + pad;
 	size &= ~pad;
 
 	if (sh->sh_stack) {
@@ -293,10 +301,18 @@
 			return ch_malloc(size);
 		}
 		newptr = sh->sh_last;
-		*newptr++ = size - sizeof(ber_len_t);
 		sh->sh_last = (char *) sh->sh_last + size;
+		size -= sizeof(ber_len_t);
+		*newptr++ = size;
+		*(ber_len_t *)((char *)sh->sh_last - sizeof(ber_len_t)) = size;
 		return( (void *)newptr );
 	} else {
+		struct slab_object *so_new, *so_left, *so_right;
+		ber_len_t size_shift;
+		int order = -1, order_start = -1;
+		unsigned long diff;
+		int i, j;
+
 		size_shift = size - 1;
 		do {
 			order++;
@@ -412,21 +428,26 @@
 		size += pad + sizeof( ber_len_t );
 		size &= ~pad;
 
+		p--;
+
 		/* Never shrink blocks */
-		if (size <= p[-1]) {
-			newptr = p;
+		if (size <= p[0]) {
+			newptr = ptr;
 	
 		/* If reallocing the last block, we can grow it */
-		} else if ((char *)ptr + p[-1] == sh->sh_last &&
+		} else if ((char *)ptr + p[0] == sh->sh_last &&
 			(char *)ptr + size < (char *)sh->sh_end ) {
-			newptr = p;
-			sh->sh_last = (char *)sh->sh_last + size - p[-1];
-			p[-1] = size;
-	
+			newptr = ptr;
+			sh->sh_last = (char *)ptr + size;
+			p[0] = size;
+			p[size/sizeof(ber_len_t)] = size;
+
 		/* Nowhere to grow, need to alloc and copy */
 		} else {
-			newptr = slap_sl_malloc(size, ctx);
-			AC_MEMCPY(newptr, ptr, p[-1]);
+			newptr = slap_sl_malloc(size-sizeof(ber_len_t), ctx);
+			AC_MEMCPY(newptr, ptr, p[0]-sizeof(ber_len_t));
+			/* mark old region as free */
+			p[p[0]/sizeof(ber_len_t)] |= 1;
 		}
 		return newptr;
 	} else {
@@ -447,13 +468,8 @@
 slap_sl_free(void *ptr, void *ctx)
 {
 	struct slab_heap *sh = ctx;
-	int size, size_shift, order_size;
-	int pad = 2*sizeof(int)-1, pad_shift;
+	ber_len_t size;
 	ber_len_t *p = (ber_len_t *)ptr, *tmpp;
-	int order_start = -1, order = -1;
-	struct slab_object *so;
-	unsigned long diff;
-	int i, inserted = 0;
 
 	if (!ptr)
 		return;
@@ -465,10 +481,31 @@
 
 	if (!sh || ptr < sh->sh_base || ptr >= sh->sh_end) {
 		ber_memfree_x(ptr, NULL);
-	} else if (sh->sh_stack && (char *)ptr + p[-1] == sh->sh_last) {
-		p--;
-		sh->sh_last = p;
-	} else if (!sh->sh_stack) {
+	} else if (sh->sh_stack) {
+		tmpp = (ber_len_t *)((char *)ptr + p[-1]);
+		/* mark it free */
+		tmpp[-1] |= 1;
+		/* reclaim free space off tail */
+		while ( tmpp == sh->sh_last ) {
+			if ( tmpp[-1] & 1 ) {
+				size = tmpp[-1] ^ 1;
+				ptr = (char *)tmpp - size;
+				p = (ber_len_t *)ptr;
+				p--;
+				sh->sh_last = p;
+				tmpp = sh->sh_last;
+			} else {
+				break;
+			}
+		}
+	} else {
+		int size_shift, order_size;
+		int pad = 2*sizeof(int)-1, pad_shift;
+		int order_start = -1, order = -1;
+		struct slab_object *so;
+		unsigned long diff;
+		int i, inserted = 0;
+
 		size = *(--p);
 		size_shift = size + sizeof(ber_len_t) - 1;
 		do {

Modified: openldap/vendor/openldap-release/servers/slapd/slap.h
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/slap.h	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/slap.h	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* slap.h - stand alone ldap server include file */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.54 2009/08/25 22:44:25 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slap.h,v 1.764.2.59 2009/12/12 06:18:53 hyc Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -1527,27 +1527,27 @@
 	struct AccessControl	*acl_next;
 } AccessControl;
 
-typedef enum {
-	ACL_STATE_NOT_RECORDED			= 0x0,
-	ACL_STATE_RECORDED_VD			= 0x1,
-	ACL_STATE_RECORDED_NV			= 0x2,
-	ACL_STATE_RECORDED			= ( ACL_STATE_RECORDED_VD | ACL_STATE_RECORDED_NV )
-} slap_acl_state_t;
-
 typedef struct AccessControlState {
 	/* Access state */
-	AccessControl *as_vi_acl;
-	AccessControl *as_vd_acl;
-	AttributeDescription *as_vd_ad;
 
+	/* The stored state is valid when requesting as_access access
+	 * to the as_desc attributes.	 */
+	AttributeDescription *as_desc;
+	slap_access_t	as_access;
 
-	slap_acl_state_t as_recorded;
+	/* Value dependent acl where processing can restart */
+	AccessControl  *as_vd_acl;
 	int as_vd_acl_count;
+	slap_mask_t		as_vd_mask;
+
+	/* The cached result after evaluating a value independent attr.
+	 * Only valid when != -1 and as_vd_acl == NULL */
 	int as_result;
+
+	/* True if started to process frontend ACLs */
 	int as_fe_done;
 } AccessControlState;
-#define ACL_STATE_INIT { NULL, NULL, NULL, \
-	ACL_STATE_NOT_RECORDED, 0, 0, 0 }
+#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, ACL_PRIV_NONE, -1, 0 }
 
 typedef struct AclRegexMatches {        
 	int dn_count;
@@ -1630,6 +1630,14 @@
 	void *aux;
 } slap_cf_aux_table;
 
+typedef int 
+slap_cf_aux_table_parse_x LDAP_P((
+	struct berval *val,
+	void *bc,
+	slap_cf_aux_table *tab0,
+	const char *tabmsg,
+	int unparse ));
+
 #define SLAP_LIMIT_TIME	1
 #define SLAP_LIMIT_SIZE	2
 
@@ -1703,6 +1711,13 @@
 
 #define SLAP_SYNC_RID_MAX	999
 #define SLAP_SYNC_SID_MAX	4095	/* based on liblutil/csn.c field width */
+
+/* fake conn connid constructed as rid; real connids start
+ * at SLAPD_SYNC_CONN_OFFSET */
+#define SLAPD_SYNC_SYNCCONN_OFFSET (SLAP_SYNC_RID_MAX + 1)
+#define SLAPD_SYNC_IS_SYNCCONN(connid) ((connid) < SLAPD_SYNC_SYNCCONN_OFFSET)
+#define SLAPD_SYNC_RID2SYNCCONN(rid) (rid)
+
 #define SLAP_SYNCUUID_SET_SIZE 256
 
 struct sync_cookie {
@@ -1804,6 +1819,7 @@
 #define SLAP_DBFLAG_SHADOW_MASK		(SLAP_DBFLAG_SHADOW|SLAP_DBFLAG_SINGLE_SHADOW|SLAP_DBFLAG_SYNC_SHADOW|SLAP_DBFLAG_SLURP_SHADOW)
 #define SLAP_DBFLAG_CLEAN		0x10000U /* was cleanly shutdown */
 #define SLAP_DBFLAG_ACL_ADD		0x20000U /* check attr ACLs on adds */
+#define SLAP_DBFLAG_SYNC_SUBENTRY	0x40000U /* use subentry for context */
 	slap_mask_t	be_flags;
 #define SLAP_DBFLAGS(be)			((be)->be_flags)
 #define SLAP_NOLASTMOD(be)			(SLAP_DBFLAGS(be) & SLAP_DBFLAG_NOLASTMOD)
@@ -1830,6 +1846,7 @@
 #define SLAP_MULTIMASTER(be)			(!SLAP_SINGLE_SHADOW(be))
 #define SLAP_DBCLEAN(be)			(SLAP_DBFLAGS(be) & SLAP_DBFLAG_CLEAN)
 #define SLAP_DBACL_ADD(be)			(SLAP_DBFLAGS(be) & SLAP_DBFLAG_ACL_ADD)
+#define SLAP_SYNC_SUBENTRY(be)			(SLAP_DBFLAGS(be) & SLAP_DBFLAG_SYNC_SUBENTRY)
 
 	slap_mask_t	be_restrictops;		/* restriction operations */
 #define SLAP_RESTRICT_OP_ADD		0x0001U
@@ -2760,9 +2777,26 @@
 /*
  * represents a connection from an ldap client
  */
+/* structure state (protected by connections_mutex) */
+enum sc_struct_state {
+	SLAP_C_UNINITIALIZED = 0,	/* MUST BE ZERO (0) */
+	SLAP_C_UNUSED,
+	SLAP_C_USED,
+	SLAP_C_PENDING
+};
+
+/* connection state (protected by c_mutex ) */
+enum sc_conn_state {
+	SLAP_C_INVALID = 0,		/* MUST BE ZERO (0) */
+	SLAP_C_INACTIVE,		/* zero threads */
+	SLAP_C_CLOSING,			/* closing */
+	SLAP_C_ACTIVE,			/* one or more threads */
+	SLAP_C_BINDING,			/* binding */
+	SLAP_C_CLIENT			/* outbound client conn */
+};
 struct Connection {
-	int			c_struct_state; /* structure management state */
-	int			c_conn_state;	/* connection state */
+	enum sc_struct_state	c_struct_state; /* structure management state */
+	enum sc_conn_state	c_conn_state;	/* connection state */
 	int			c_conn_idx;		/* slot in connections array */
 	ber_socket_t	c_sd;
 	const char	*c_close_reason; /* why connection is closing */

Modified: openldap/vendor/openldap-release/servers/slapd/slapadd.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/slapadd.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/slapadd.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapadd.c,v 1.36.2.13 2009/07/08 00:28:21 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapadd.c,v 1.36.2.15 2009/11/18 01:16:17 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -280,6 +280,13 @@
 			struct berval nname;
 			char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
 
+			enum {
+				GOT_NONE = 0x0,
+				GOT_CSN = 0x1,
+				GOT_UUID = 0x2,
+				GOT_ALL = (GOT_CSN|GOT_UUID)
+			} got = GOT_ALL;
+
 			vals[1].bv_len = 0;
 			vals[1].bv_val = NULL;
 
@@ -305,6 +312,7 @@
 			if( attr_find( e->e_attrs, slap_schema.si_ad_entryUUID )
 				== NULL )
 			{
+				got &= ~GOT_UUID;
 				vals[0].bv_len = lutil_uuidstr( uuidbuf, sizeof( uuidbuf ) );
 				vals[0].bv_val = uuidbuf;
 				attr_merge_normalize_one( e, slap_schema.si_ad_entryUUID, vals, NULL );
@@ -328,6 +336,7 @@
 			if( attr_find( e->e_attrs, slap_schema.si_ad_entryCSN )
 				== NULL )
 			{
+				got &= ~GOT_CSN;
 				vals[0] = csn;
 				attr_merge( e, slap_schema.si_ad_entryCSN, vals, NULL );
 			}
@@ -347,6 +356,19 @@
 				attr_merge( e, slap_schema.si_ad_modifyTimestamp, vals, NULL );
 			}
 
+			if ( SLAP_SINGLE_SHADOW(be) && got != GOT_ALL ) {
+				char buf[SLAP_TEXT_BUFLEN];
+
+				snprintf( buf, sizeof(buf),
+					"%s%s%s",
+					( !(got & GOT_UUID) ? slap_schema.si_ad_entryUUID->ad_cname.bv_val : "" ),
+					( !(got & GOT_CSN) ? "," : "" ),
+					( !(got & GOT_CSN) ? slap_schema.si_ad_entryCSN->ad_cname.bv_val : "" ) );
+
+				Debug( LDAP_DEBUG_ANY, "%s: warning, missing attrs %s from entry dn=\"%s\"\n",
+					progname, buf, e->e_name.bv_val );
+			}
+
 			if ( update_ctxcsn ) {
 				int rc_sid;
 
@@ -356,8 +378,8 @@
 				rc_sid = slap_parse_csn_sid( &attr->a_nvals[ 0 ] );
 				if ( rc_sid < 0 ) {
 					Debug( LDAP_DEBUG_ANY, "%s: could not "
-						"extract SID from entryCSN=%s\n",
-						progname, attr->a_nvals[ 0 ].bv_val, 0 );
+						"extract SID from entryCSN=%s, entry dn=\"%s\"\n",
+						progname, attr->a_nvals[ 0 ].bv_val, e->e_name.bv_val );
 
 				} else {
 					assert( rc_sid <= SLAP_SYNC_SID_MAX );
@@ -416,10 +438,32 @@
 	}
 
 	if ( rc == EXIT_SUCCESS && update_ctxcsn && !dryrun && sid != SLAP_SYNC_SID_MAX + 1 ) {
-		ctxcsn_id = be->be_dn2id_get( be, be->be_nsuffix );
+		struct berval ctxdn;
+		if ( SLAP_SYNC_SUBENTRY( be )) {
+			build_new_dn( &ctxdn, &be->be_nsuffix[0],
+				(struct berval *)&slap_ldapsync_cn_bv, NULL );
+		} else {
+			ctxdn = be->be_nsuffix[0];
+		}
+		ctxcsn_id = be->be_dn2id_get( be, &ctxdn );
 		if ( ctxcsn_id == NOID ) {
-			fprintf( stderr, "%s: context entry is missing\n", progname );
-			rc = EXIT_FAILURE;
+			if ( SLAP_SYNC_SUBENTRY( be )) {
+				ctxcsn_e = slap_create_context_csn_entry( be, NULL );
+				for ( sid = 0; sid <= SLAP_SYNC_SID_MAX; sid++ ) {
+					if ( maxcsn[ sid ].bv_len ) {
+						attr_merge_one( ctxcsn_e, slap_schema.si_ad_contextCSN,
+							&maxcsn[ sid ], NULL );
+					}
+				}
+				ctxcsn_id = be->be_entry_put( be, ctxcsn_e, &bvtext );
+				if ( ctxcsn_id == NOID ) {
+					fprintf( stderr, "%s: couldn't create context entry\n", progname );
+					rc = EXIT_FAILURE;
+				}
+			} else {
+				fprintf( stderr, "%s: context entry is missing\n", progname );
+				rc = EXIT_FAILURE;
+			}
 		} else {
 			ctxcsn_e = be->be_entry_get( be, ctxcsn_id );
 			if ( ctxcsn_e != NULL ) {

Modified: openldap/vendor/openldap-release/servers/slapd/slapcommon.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/slapcommon.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/slapcommon.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* slapcommon.c - common routine for the slap tools */
-/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.c,v 1.73.2.16 2009/07/08 00:28:21 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/slapcommon.c,v 1.73.2.18 2009/11/24 00:51:40 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -92,7 +92,7 @@
 		break;
 
 	case SLAPTEST:
-		options = " [-u]\n";
+		options = " [-n databasenumber] [-u]\n";
 		break;
 
 	case SLAPSCHEMA:
@@ -268,7 +268,7 @@
 		break;
 
 	case SLAPTEST:
-		options = "d:f:F:o:Quv";
+		options = "d:f:F:n:o:Quv";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;
 
@@ -608,8 +608,11 @@
 	}
 
 	switch ( tool ) {
+	case SLAPTEST:
+		if ( dbnum >= 0 )
+			goto get_db;
+		/* FALLTHRU */
 	case SLAPDN:
-	case SLAPTEST:
 	case SLAPAUTH:
 		be = NULL;
 		goto startup;
@@ -733,6 +736,7 @@
 		exit( EXIT_FAILURE );
 
 	} else {
+get_db:
 		LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
 			if ( dbnum == 0 ) break;
 			dbnum--;
@@ -759,6 +763,11 @@
 		conffile = NULL;
 	}
 
+	if ( confdir != NULL ) {
+		ch_free( confdir );
+		confdir = NULL;
+	}
+
 	if ( ldiffile != NULL ) {
 		ch_free( ldiffile );
 		ldiffile = NULL;

Modified: openldap/vendor/openldap-release/servers/slapd/syncrepl.c
===================================================================
--- openldap/vendor/openldap-release/servers/slapd/syncrepl.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/servers/slapd/syncrepl.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 /* syncrepl.c -- Replication Engine which uses the LDAP Sync protocol */
-/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.85 2009/08/25 23:43:35 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/syncrepl.c,v 1.254.2.102 2009/12/08 23:15:42 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 2003-2009 The OpenLDAP Foundation.
@@ -44,8 +44,14 @@
 	int cs_ref;
 	struct berval *cs_vals;
 	int *cs_sids;
+	
+	/* pending changes, not yet committed */
+	ldap_pvt_thread_mutex_t	cs_pmutex;
+	int	cs_pnum;
+	struct berval *cs_pvals;
+	int *cs_psids;
 } cookie_state;
-	
+
 #define	SYNCDATA_DEFAULT	0	/* entries are plain LDAP entries */
 #define	SYNCDATA_ACCESSLOG	1	/* entries are accesslog format */
 #define	SYNCDATA_CHANGELOG	2	/* entries are changelog format */
@@ -69,7 +75,9 @@
 	struct berval		si_base;
 	struct berval		si_logbase;
 	struct berval		si_filterstr;
+	Filter			*si_filter;
 	struct berval		si_logfilterstr;
+	struct berval		si_contextdn;
 	int			si_scope;
 	int			si_attrsonly;
 	char			*si_anfile;
@@ -119,7 +127,7 @@
 					Modifications**,int, struct berval*,
 					struct berval *cookieCSN );
 static int syncrepl_updateCookie(
-					syncinfo_t *, Operation *, struct berval *,
+					syncinfo_t *, Operation *,
 					struct sync_cookie * );
 static struct berval * slap_uuidstr_from_normalized(
 					struct berval *, struct berval *, void * );
@@ -458,8 +466,8 @@
 	 */
 	a.a_desc = slap_schema.si_ad_contextCSN;
 	e.e_attrs = &a;
-	e.e_name = op->o_bd->be_suffix[0];
-	e.e_nname = op->o_bd->be_nsuffix[0];
+	e.e_name = si->si_contextdn;
+	e.e_nname = si->si_contextdn;
 	at[0].an_name = a.a_desc->ad_cname;
 	at[0].an_desc = a.a_desc;
 	BER_BVZERO( &at[1].an_name );
@@ -578,8 +586,9 @@
 	{
 		ber_len_t ssf; /* ITS#5403, 3864 LDAP_OPT_X_SASL_SSF probably ought
 						  to use sasl_ssf_t but currently uses ber_len_t */
-		ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &ssf );
-		op->o_sasl_ssf = ssf;
+		if ( ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &ssf )
+			== LDAP_SUCCESS )
+			op->o_sasl_ssf = ssf;
 	}
 	op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf )
 		?  op->o_sasl_ssf : op->o_tls_ssf;
@@ -627,7 +636,7 @@
 				BerVarray csn = NULL;
 				void *ctx = op->o_tmpmemctx;
 
-				op->o_req_ndn = op->o_bd->be_nsuffix[0];
+				op->o_req_ndn = si->si_contextdn;
 				op->o_req_dn = op->o_req_ndn;
 
 				/* try to read stored contextCSN */
@@ -663,6 +672,11 @@
 			si->si_syncCookie.ctxcsn, si->si_syncCookie.rid,
 			si->si_syncCookie.sid );
 	} else {
+		/* ITS#6367: recreate the cookie so it has our SID, not our peer's */
+		ch_free( si->si_syncCookie.octet_str.bv_val );
+		slap_compose_sync_cookie( NULL, &si->si_syncCookie.octet_str,
+			si->si_syncCookie.ctxcsn, si->si_syncCookie.rid,
+			si->si_syncCookie.sid );
 		/* Look for contextCSN from syncprov overlay. */
 		check_syncprov( op, si );
 	}
@@ -753,10 +767,9 @@
 			err = LDAP_SUCCESS;
 	ber_len_t	len;
 
-	struct berval	*psub;
 	Modifications	*modlist = NULL;
 
-	int				match, m;
+	int				match, m, punlock = -1;
 
 	struct timeval *tout_p = NULL;
 	struct timeval tout = { 0, 0 };
@@ -775,8 +788,6 @@
 
 	Debug( LDAP_DEBUG_TRACE, "=>do_syncrep2 %s\n", si->si_ridtxt, 0, 0 );
 
-	psub = &si->si_be->be_nsuffix[0];
-
 	slap_dup_sync_cookie( &syncCookie_req, &si->si_syncCookie );
 
 	if ( abs(si->si_type) == LDAP_SYNC_REFRESH_AND_PERSIST ) {
@@ -799,7 +810,7 @@
 			ldap_get_entry_controls( si->si_ld, msg, &rctrls );
 			/* we can't work without the control */
 			if ( rctrls ) {
-				LDAPControl **next;
+				LDAPControl **next = NULL;
 				/* NOTE: make sure we use the right one;
 				 * a better approach would be to run thru
 				 * the whole list and take care of all */
@@ -841,8 +852,9 @@
 			if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
 				ber_scanf( ber, /*"{"*/ "m}", &cookie );
 
-				Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-					BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+				Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s cookie=%s\n",
+					si->si_ridtxt,
+					BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0 );
 
 				if ( !BER_BVISNULL( &cookie ) ) {
 					ch_free( syncCookie.octet_str.bv_val );
@@ -853,16 +865,51 @@
 					slap_parse_sync_cookie( &syncCookie, NULL );
 					if ( syncCookie.ctxcsn ) {
 						int i, sid = slap_parse_csn_sid( syncCookie.ctxcsn );
+						check_syncprov( op, si );
 						for ( i =0; i<si->si_cookieState->cs_num; i++ ) {
-							if ( si->si_cookieState->cs_sids[i] == sid && 
-								ber_bvcmp( syncCookie.ctxcsn, &si->si_cookieState->cs_vals[i] ) <= 0 ) {
-								Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s CSN too old, ignoring %s\n",
-									si->si_ridtxt, syncCookie.ctxcsn->bv_val, 0 );
-								ldap_controls_free( rctrls );
-								rc = 0;
+							if ( si->si_cookieState->cs_sids[i] == sid ) {
+								if ( ber_bvcmp( syncCookie.ctxcsn, &si->si_cookieState->cs_vals[i] ) <= 0 ) {
+									Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s CSN too old, ignoring %s\n",
+										si->si_ridtxt, syncCookie.ctxcsn->bv_val, 0 );
+									ldap_controls_free( rctrls );
+									rc = 0;
+									goto done;
+								}
+								break;
+							}
+						}
+						/* check pending CSNs too */
+						while ( ldap_pvt_thread_mutex_trylock( &si->si_cookieState->cs_pmutex )) {
+							if ( slapd_shutdown ) {
+								rc = -2;
 								goto done;
 							}
+							if ( !ldap_pvt_thread_pool_pausecheck( &connection_pool ))
+								ldap_pvt_thread_yield();
 						}
+						for ( i =0; i<si->si_cookieState->cs_pnum; i++ ) {
+							if ( si->si_cookieState->cs_psids[i] == sid ) {
+								if ( ber_bvcmp( syncCookie.ctxcsn, &si->si_cookieState->cs_pvals[i] ) <= 0 ) {
+									Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s CSN pending, ignoring %s\n",
+										si->si_ridtxt, syncCookie.ctxcsn->bv_val, 0 );
+									ldap_controls_free( rctrls );
+									rc = 0;
+									ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_pmutex );
+									goto done;
+								}
+								ber_bvreplace( &si->si_cookieState->cs_pvals[i],
+									syncCookie.ctxcsn );
+								break;
+							}
+						}
+						/* new SID, add it */
+						if ( i == si->si_cookieState->cs_pnum ) {
+							value_add( &si->si_cookieState->cs_pvals, syncCookie.ctxcsn );
+							si->si_cookieState->cs_pnum++;
+							si->si_cookieState->cs_psids = ch_realloc( si->si_cookieState->cs_psids, si->si_cookieState->cs_pnum * sizeof(int));
+							si->si_cookieState->cs_psids[i] = sid;
+						}
+						punlock = i;
 					}
 					op->o_controls[slap_cids.sc_LDAPsync] = &syncCookie;
 				}
@@ -873,7 +920,7 @@
 				if ( ( rc = syncrepl_message_to_op( si, op, msg ) ) == LDAP_SUCCESS &&
 					syncCookie.ctxcsn )
 				{
-					rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+					rc = syncrepl_updateCookie( si, op, &syncCookie );
 				} else switch ( rc ) {
 					case LDAP_ALREADY_EXISTS:
 					case LDAP_NO_SUCH_OBJECT:
@@ -893,9 +940,25 @@
 					syncstate, &syncUUID, syncCookie.ctxcsn ) ) == LDAP_SUCCESS &&
 					syncCookie.ctxcsn )
 				{
-					rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+					rc = syncrepl_updateCookie( si, op, &syncCookie );
 				}
 			}
+			if ( punlock >= 0 ) {
+				/* on failure, revert pending CSN */
+				if ( rc != LDAP_SUCCESS ) {
+					int i;
+					for ( i = 0; i<si->si_cookieState->cs_num; i++ ) {
+						if ( si->si_cookieState->cs_sids[i] == si->si_cookieState->cs_psids[punlock] ) {
+							ber_bvreplace( &si->si_cookieState->cs_pvals[punlock],
+								&si->si_cookieState->cs_vals[i] );
+							break;
+						}
+					}
+					if ( i == si->si_cookieState->cs_num )
+						si->si_cookieState->cs_pvals[punlock].bv_val[0] = '\0';
+				}
+				ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_pmutex );
+			}
 			ldap_controls_free( rctrls );
 			if ( modlist ) {
 				slap_mods_free( modlist, 1 );
@@ -935,7 +998,7 @@
 					si->si_ridtxt, err, ldap_err2string( err ) );
 			}
 			if ( rctrls ) {
-				LDAPControl **next;
+				LDAPControl **next = NULL;
 				/* NOTE: make sure we use the right one;
 				 * a better approach would be to run thru
 				 * the whole list and take care of all */
@@ -961,8 +1024,9 @@
 				if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
 					ber_scanf( ber, "m", &cookie );
 
-					Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-						BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+					Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s cookie=%s\n",
+						si->si_ridtxt, 
+						BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0 );
 
 					if ( !BER_BVISNULL( &cookie ) ) {
 						ch_free( syncCookie.octet_str.bv_val );
@@ -1013,7 +1077,7 @@
 			}
 			if ( syncCookie.ctxcsn && match < 0 && err == LDAP_SUCCESS )
 			{
-				rc = syncrepl_updateCookie( si, op, psub, &syncCookie );
+				rc = syncrepl_updateCookie( si, op, &syncCookie );
 			}
 			if ( err == LDAP_SUCCESS
 				&& si->si_logstate == SYNCLOG_FALLBACK ) {
@@ -1071,8 +1135,9 @@
 					{
 						ber_scanf( ber, "m", &cookie );
 
-						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-							BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s cookie=%s\n",
+							si->si_ridtxt, 
+							BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0 );
 
 						if ( !BER_BVISNULL( &cookie ) ) {
 							ch_free( syncCookie.octet_str.bv_val );
@@ -1107,8 +1172,9 @@
 					{
 						ber_scanf( ber, "m", &cookie );
 
-						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: cookie=%s\n",
-							BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0, 0 );
+						Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s cookie=%s\n",
+							si->si_ridtxt,
+							BER_BVISNULL( &cookie ) ? "" : cookie.bv_val, 0 );
 
 						if ( !BER_BVISNULL( &cookie ) ) {
 							ch_free( syncCookie.octet_str.bv_val );
@@ -1174,7 +1240,7 @@
 
 					if ( syncCookie.ctxcsn )
 					{
-						rc = syncrepl_updateCookie( si, op, psub, &syncCookie);
+						rc = syncrepl_updateCookie( si, op, &syncCookie);
 					}
 				} 
 
@@ -1302,6 +1368,8 @@
 
 	connection_fake_init( &conn, &opbuf, ctx );
 	op = &opbuf.ob_op;
+	/* o_connids must be unique for slap_graduate_commit_csn */
+	op->o_connid = SLAPD_SYNC_RID2SYNCCONN(si->si_rid);
 
 	op->o_managedsait = SLAP_CONTROL_NONCRITICAL;
 	be = si->si_be;
@@ -1324,12 +1392,18 @@
 		if ( SLAP_GLUE_SUBORDINATE( be ) && !overlay_is_inst( be, "syncprov" )) {
 			BackendDB * top_be = select_backend( &be->be_nsuffix[0], 1 );
 			if ( overlay_is_inst( top_be, "syncprov" ))
-				si->si_wbe = select_backend( &be->be_nsuffix[0], 1 );
+				si->si_wbe = top_be;
 			else
 				si->si_wbe = be;
 		} else {
 			si->si_wbe = be;
 		}
+		if ( SLAP_SYNC_SUBENTRY( si->si_wbe )) {
+			build_new_dn( &si->si_contextdn, &si->si_wbe->be_nsuffix[0],
+				(struct berval *)&slap_ldapsync_cn_bv, NULL );
+		} else {
+			si->si_contextdn = si->si_wbe->be_nsuffix[0];
+		}
 	}
 	if ( !si->si_schemachecking )
 		op->o_no_schema_check = 1;
@@ -2665,7 +2739,7 @@
 		op->ors_tlimit = SLAP_NO_LIMIT;
 		op->ors_limit = NULL;
 		op->ors_attrsonly = 0;
-		op->ors_filter = str2filter_x( op, si->si_filterstr.bv_val );
+		op->ors_filter = filter_dup( si->si_filter, op->o_tmpmemctx );
 		/* In multimaster, updates can continue to arrive while
 		 * we're searching. Limit the search result to entries
 		 * older than our newest cookie CSN.
@@ -2957,7 +3031,6 @@
 syncrepl_updateCookie(
 	syncinfo_t *si,
 	Operation *op,
-	struct berval *pdn,
 	struct sync_cookie *syncCookie )
 {
 	Backend *be = op->o_bd;
@@ -2967,7 +3040,7 @@
 	Syntax *syn = slap_schema.si_ad_contextCSN->ad_type->sat_syntax;
 #endif
 
-	int rc, i, j;
+	int rc, i, j, changed = 0;
 	ber_len_t len;
 
 	slap_callback cb = { NULL };
@@ -3009,6 +3082,7 @@
 			if ( memcmp( syncCookie->ctxcsn[i].bv_val,
 				si->si_cookieState->cs_vals[j].bv_val, len ) > 0 ) {
 				mod.sml_values[j] = syncCookie->ctxcsn[i];
+				changed = 1;
 				if ( BER_BVISNULL( &first ) ) {
 					first = syncCookie->ctxcsn[i];
 
@@ -3031,10 +3105,11 @@
 			{
 				first = syncCookie->ctxcsn[i];
 			}
+			changed = 1;
 		}
 	}
 	/* Should never happen, ITS#5065 */
-	if ( BER_BVISNULL( &first )) {
+	if ( BER_BVISNULL( &first ) || !changed ) {
 		ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
 		op->o_tmpfree( mod.sml_values, op->o_tmpmemctx );
 		return 0;
@@ -3048,8 +3123,8 @@
 	cb.sc_private = si;
 
 	op->o_callback = &cb;
-	op->o_req_dn = op->o_bd->be_suffix[0];
-	op->o_req_ndn = op->o_bd->be_nsuffix[0];
+	op->o_req_dn = si->si_contextdn;
+	op->o_req_ndn = si->si_contextdn;
 
 	/* update contextCSN */
 	op->o_dont_replicate = 1;
@@ -3057,6 +3132,20 @@
 	op->orm_modlist = &mod;
 	op->orm_no_opattrs = 1;
 	rc = op->o_bd->be_modify( op, &rs_modify );
+
+	if ( rs_modify.sr_err == LDAP_NO_SUCH_OBJECT &&
+		SLAP_SYNC_SUBENTRY( op->o_bd )) {
+		const char	*text;
+		char txtbuf[SLAP_TEXT_BUFLEN];
+		size_t textlen = sizeof txtbuf;
+		Entry *e = slap_create_context_csn_entry( op->o_bd, NULL );
+		rc = slap_mods2entry( &mod, &e, 0, 1, &text, txtbuf, textlen);
+		op->ora_e = e;
+		rc = op->o_bd->be_add( op, &rs_modify );
+		if ( e == op->ora_e )
+			be_entry_release_w( op, op->ora_e );
+	}
+
 	op->orm_no_opattrs = 0;
 	op->o_dont_replicate = 0;
 
@@ -3686,6 +3775,9 @@
 		if ( sie->si_filterstr.bv_val ) {
 			ch_free( sie->si_filterstr.bv_val );
 		}
+		if ( sie->si_filter ) {
+			filter_free( sie->si_filter );
+		}
 		if ( sie->si_logfilterstr.bv_val ) {
 			ch_free( sie->si_logfilterstr.bv_val );
 		}
@@ -3695,6 +3787,9 @@
 		if ( sie->si_logbase.bv_val ) {
 			ch_free( sie->si_logbase.bv_val );
 		}
+		if ( sie->si_be && SLAP_SYNC_SUBENTRY( sie->si_be )) {
+			ch_free( sie->si_contextdn.bv_val );
+		}
 		if ( sie->si_attrs ) {
 			int i = 0;
 			while ( sie->si_attrs[i] != NULL ) {
@@ -3764,6 +3859,9 @@
 				ch_free( sie->si_cookieState->cs_sids );
 				ber_bvarray_free( sie->si_cookieState->cs_vals );
 				ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_mutex );
+				ch_free( sie->si_cookieState->cs_psids );
+				ber_bvarray_free( sie->si_cookieState->cs_pvals );
+				ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_pmutex );
 				ch_free( sie->si_cookieState );
 			}
 		}
@@ -3904,6 +4002,12 @@
 			}
 		}
 	}
+	if ( j < 1 || si->si_retrynum_init[j-1] != RETRYNUM_FOREVER ) {
+		Debug( LDAP_DEBUG_CONFIG,
+			"%s: syncrepl will eventually stop retrying; the \"retry\" parameter should end with a '+'.\n",
+			c->log, 0, 0 );
+	}
+
 	si->si_retrynum_init[j] = RETRYNUM_TAIL;
 	si->si_retrynum[j] = RETRYNUM_TAIL;
 	si->si_retryinterval[j] = 0;
@@ -3941,10 +4045,10 @@
 				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 				return -1;
 			}
-			if ( tmp > SLAP_SYNC_SID_MAX || tmp < 0 ) {
+			if ( tmp > SLAP_SYNC_RID_MAX || tmp < 0 ) {
 				snprintf( c->cr_msg, sizeof( c->cr_msg ),
 					"Error: parse_syncrepl_line: "
-					"syncrepl id %d is out of range [0..4095]", tmp );
+					"syncrepl id %d is out of range [0..%d]", tmp, SLAP_SYNC_RID_MAX );
 				Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 				return -1;
 			}
@@ -3956,6 +4060,10 @@
 		{
 			val = c->argv[ i ] + STRLENOF( PROVIDERSTR "=" );
 			ber_str2bv( val, 0, 1, &si->si_bindconf.sb_uri );
+#ifdef HAVE_TLS
+			if ( ldap_is_ldaps_url( val ))
+				si->si_bindconf.sb_tls_do_init = 1;
+#endif
 			si->si_got |= GOT_PROVIDER;
 		} else if ( !strncasecmp( c->argv[ i ], SCHEMASTR "=",
 					STRLENOF( SCHEMASTR "=" ) ) )
@@ -4286,6 +4394,13 @@
 		}
 	}
 
+	si->si_filter = str2filter( si->si_filterstr.bv_val );
+	if ( si->si_filter == NULL ) {
+		Debug( LDAP_DEBUG_ANY, "syncrepl %s " SEARCHBASESTR "=\"%s\": unable to parse filter=\"%s\"\n", 
+			si->si_ridtxt, c->be->be_suffix ? c->be->be_suffix[ 0 ].bv_val : "(null)", si->si_filterstr.bv_val );
+		return 1;
+	}
+
 	return 0;
 }
 
@@ -4437,6 +4552,7 @@
 		} else {
 			si->si_cookieState = ch_calloc( 1, sizeof( cookie_state ));
 			ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_mutex );
+			ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_pmutex );
 
 			c->be->be_syncinfo = si;
 		}
@@ -4468,7 +4584,7 @@
 	si->si_bindconf.sb_version = LDAP_VERSION3;
 
 	ptr = buf;
-	assert( si->si_rid >= 0 && si->si_rid <= SLAP_SYNC_SID_MAX );
+	assert( si->si_rid >= 0 && si->si_rid <= SLAP_SYNC_RID_MAX );
 	len = snprintf( ptr, WHATSLEFT, IDSTR "=%03d " PROVIDERSTR "=%s",
 		si->si_rid, si->si_bindconf.sb_uri.bv_val );
 	if ( len >= sizeof( buf ) ) return;
@@ -4645,6 +4761,8 @@
 				si = *sip;
 				if ( c->valx == -1 || i == c->valx ) {
 					*sip = si->si_next;
+					si->si_ctype = -1;
+					si->si_next = NULL;
 					/* If the task is currently active, we have to leave
 					 * it running. It will exit on its own. This will only
 					 * happen when running on the cn=config DB.
@@ -4653,22 +4771,34 @@
 						if ( ldap_pvt_thread_mutex_trylock( &si->si_mutex )) {
 							isrunning = 1;
 						} else {
+							/* There is no active thread, but we must still
+							 * ensure that no thread is (or will be) queued
+							 * while we removes the task.
+							 */
+							struct re_s *re = si->si_re;
+							si->si_re = NULL;
+
 							if ( si->si_conn ) {
-								/* If there's a persistent connection, it may
-								 * already have a thread queued. We know it's
-								 * not active, so it must be pending and we
-								 * can simply cancel it now.
-								 */
-								ldap_pvt_thread_pool_retract( &connection_pool,
-									si->si_re->routine, si->si_re );
+								connection_client_stop( si->si_conn );
+								si->si_conn = NULL;
 							}
+
+							ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+							if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ) ) {
+								ldap_pvt_runqueue_stoptask( &slapd_rq, re );
+								isrunning = 1;
+							}
+							ldap_pvt_runqueue_remove( &slapd_rq, re );
+							ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
+
+							if ( ldap_pvt_thread_pool_retract( &connection_pool,
+									re->routine, re ) > 0 )
+								isrunning = 0;
+
 							ldap_pvt_thread_mutex_unlock( &si->si_mutex );
 						}
 					}
-					if ( isrunning ) {
-						si->si_ctype = -1;
-						si->si_next = NULL;
-					} else {
+					if ( !isrunning ) {
 						syncinfo_free( si, 0 );
 					}
 					if ( i == c->valx )

Modified: openldap/vendor/openldap-release/tests/data/monitor1.out
===================================================================
--- openldap/vendor/openldap-release/tests/data/monitor1.out	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/data/monitor1.out	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-dn: cn=Connection 1,cn=Connections,cn=Monitor
+dn: cn=Connection 1001,cn=Connections,cn=Monitor
 structuralObjectClass: monitorConnection
 monitorConnectionProtocol: 3
 monitorConnectionOpsReceived: 2
@@ -11,7 +11,7 @@
 monitorConnectionMask: rx
 monitorConnectionListener: ldap://localhost:@PORT1@/
 monitorConnectionLocalAddress: IP=127.0.0.1:@PORT1@
-entryDN: cn=Connection 1,cn=Connections,cn=Monitor
+entryDN: cn=Connection 1001,cn=Connections,cn=Monitor
 
 dn: cn=Connections,cn=Monitor
 structuralObjectClass: monitorContainer

Modified: openldap/vendor/openldap-release/tests/data/regressions/its4448/its4448
===================================================================
--- openldap/vendor/openldap-release/tests/data/regressions/its4448/its4448	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/data/regressions/its4448/its4448	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/its4448,v 1.1.2.4 2009/01/22 00:01:17 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/its4448,v 1.1.2.5 2009/12/15 20:37:40 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -297,7 +297,7 @@
 
 echo "Using ldapsearch to retrieve all the entries..."
 $LDAPSEARCH -S "" -b "$METABASEDN" -h $LOCALHOST -p $PORT3 \
-			'objectClass=*' > $SEARCHOUT 2>&1
+			'(objectClass=*)' > $SEARCHOUT 2>&1
 RC=$?
 
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
@@ -312,7 +312,7 @@
 echo "Filtering original ldif used to create database..."
 . $LDIFFILTER < $METACONCURRENCYOUT > $LDIFFLT
 echo "Comparing filter output..."
-$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
+$BCMP $SEARCHFLT $LDIFFLT > $CMPOUT
 
 if test $? != 0 ; then
 	echo "comparison failed - slapd-meta search/modification didn't succeed"

Modified: openldap/vendor/openldap-release/tests/data/regressions/its4448/slapd-meta.conf
===================================================================
--- openldap/vendor/openldap-release/tests/data/regressions/its4448/slapd-meta.conf	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/data/regressions/its4448/slapd-meta.conf	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 # master slapd config -- for testing
-# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/slapd-meta.conf,v 1.1.2.4 2009/01/22 00:01:17 kurt Exp $
+# $OpenLDAP: pkg/ldap/tests/data/regressions/its4448/slapd-meta.conf,v 1.1.2.5 2009/12/15 20:37:40 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -52,7 +52,10 @@
 
 uri		"@URI1 at o=Example,c=US"
 suffixmassage	"o=Example,c=US" "dc=example,dc=com"
-pseudorootdn	"cn=manager,dc=example,dc=com"
-pseudorootpw	secret
+idassert-bind	bindmethod=simple
+		binddn="cn=manager,dc=example,dc=com"
+		credentials=secret
+		mode=none
+idassert-authzFrom "*"
 
 #monitor#database	monitor

Modified: openldap/vendor/openldap-release/tests/progs/slapd-common.c
===================================================================
--- openldap/vendor/openldap-release/tests/progs/slapd-common.c	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/progs/slapd-common.c	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.c,v 1.4.2.8 2009/02/10 17:13:05 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/tests/progs/slapd-common.c,v 1.4.2.9 2009/10/30 23:59:29 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1999-2009 The OpenLDAP Foundation.
@@ -38,13 +38,17 @@
 static char progname[ BUFSIZ ];
 tester_t progtype;
 
-#define	TESTER_SERVER_LAST	(LDAP_OTHER + 1)
-#define TESTER_CLIENT_LAST	(- LDAP_REFERRAL_LIMIT_EXCEEDED + 1)
-static int ignore_server[ TESTER_SERVER_LAST ];
-static int ignore_client[ TESTER_CLIENT_LAST ];
+/*
+ * ignore_count[] is indexed by result code:
+ * negative for OpenLDAP client-side errors, positive for protocol codes.
+ */
+#define	TESTER_CLIENT_FIRST	LDAP_REFERRAL_LIMIT_EXCEEDED /* negative */
+#define	TESTER_SERVER_LAST	LDAP_OTHER
+static int ignore_base	[ -TESTER_CLIENT_FIRST + TESTER_SERVER_LAST + 1 ];
+#define    ignore_count	(ignore_base - TESTER_CLIENT_FIRST)
 
-static struct {
-	char	*name;
+static const struct {
+	const char *name;
 	int	err;
 } ignore_str2err[] = {
 	{ "OPERATIONS_ERROR",		LDAP_OPERATIONS_ERROR },
@@ -130,15 +134,9 @@
 
 	if ( strcmp( err, "ALL" ) == 0 ) {
 		for ( i = 0; ignore_str2err[ i ].name != NULL; i++ ) {
-			int	err = ignore_str2err[ i ].err;
-
-			if ( err > 0 ) {
-				ignore_server[ err ] = 1;
-
-			} else if ( err < 0 ) {
-				ignore_client[ -err ] = 1;
-			}
+			ignore_count[ ignore_str2err[ i ].err ] = 1;
 		}
+		ignore_count[ LDAP_SUCCESS ] = 0;
 
 		return 0;
 	}
@@ -156,11 +154,8 @@
 		if ( strcmp( err, ignore_str2err[ i ].name ) == 0 ) {
 			int	err = ignore_str2err[ i ].err;
 
-			if ( err > 0 ) {
-				ignore_server[ err ] = ignore;
-
-			} else if ( err < 0 ) {
-				ignore_client[ -err ] = ignore;
+			if ( err != LDAP_SUCCESS ) {
+				ignore_count[ err ] = ignore;
 			}
 
 			return err;
@@ -191,27 +186,11 @@
 {
 	int rc = 1;
 
-	if ( err > 0 ) {
-		if ( err < TESTER_SERVER_LAST ) {
-			rc = ignore_server[ err ];
-			if ( rc > 0 ) {
-				ignore_server[ err ]++;
-
-			} else if ( rc < 0 ) {
-				ignore_server[ err ]--;
-			}
+	if ( err && TESTER_CLIENT_FIRST <= err && err <= TESTER_SERVER_LAST ) {
+		rc = ignore_count[ err ];
+		if ( rc != 0 ) {
+			ignore_count[ err ] = rc + (rc > 0 ? 1 : -1);
 		}
-
-	} else if ( err < 0 ) {
-		if ( -err < TESTER_CLIENT_LAST ) {
-			rc = ignore_client[ -err ];
-			if ( rc > 0 ) {
-				ignore_client[ -err ]++;
-
-			} else if ( rc < 0 ) {
-				ignore_server[ err ]--;
-			}
-		}
 	}
 
 	/* SUCCESS is always "ignored" */
@@ -319,4 +298,3 @@
 {
 	fprintf( stderr, "%s: %s\n", progname, msg );
 }
-

Modified: openldap/vendor/openldap-release/tests/scripts/defines.sh
===================================================================
--- openldap/vendor/openldap-release/tests/scripts/defines.sh	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/scripts/defines.sh	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/defines.sh,v 1.141.2.22 2009/04/28 00:48:08 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/defines.sh,v 1.141.2.23 2009/12/04 18:38:02 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -192,7 +192,7 @@
 LDAPCOMPARE="$CLIENTDIR/ldapcompare $TOOLARGS"
 LDAPEXOP="$CLIENTDIR/ldapexop $TOOLARGS"
 SLAPDTESTER=$PROGDIR/slapd-tester
-LVL=${SLAPD_DEBUG-261}
+LVL=${SLAPD_DEBUG-0x4105}
 LOCALHOST=localhost
 BASEPORT=${SLAPD_BASEPORT-9010}
 PORT1=`expr $BASEPORT + 1`

Modified: openldap/vendor/openldap-release/tests/scripts/test017-syncreplication-refresh
===================================================================
--- openldap/vendor/openldap-release/tests/scripts/test017-syncreplication-refresh	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/scripts/test017-syncreplication-refresh	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test017-syncreplication-refresh,v 1.33.2.8 2009/03/05 23:32:21 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test017-syncreplication-refresh,v 1.33.2.9 2009/11/18 01:29:50 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -255,6 +255,41 @@
 echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
 sleep $SLEEP1
 
+echo "Performing larger modify on the producer..."
+$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD > \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+replace: objectClass
+objectClass: groupOfNames
+-
+replace: cn
+cn: Alumni Assoc Staff
+-
+replace: description
+description: blablabla
+-
+replace: member
+member: cn=Manager,dc=example,dc=com
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+
+EOMODS
+
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
+sleep $SLEEP1
+
 echo "Try updating the consumer slapd..."
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT2 -w $PASSWD > \
 	$TESTOUT 2>&1 << EOMODS

Modified: openldap/vendor/openldap-release/tests/scripts/test050-syncrepl-multimaster
===================================================================
--- openldap/vendor/openldap-release/tests/scripts/test050-syncrepl-multimaster	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/scripts/test050-syncrepl-multimaster	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test050-syncrepl-multimaster,v 1.3.2.16 2009/03/09 23:09:06 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test050-syncrepl-multimaster,v 1.3.2.19 2009/11/20 23:19:45 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -637,7 +637,40 @@
 
 echo "Restarting servers..."
 KILLPIDS=""
-n=1
+
+echo "Starting server 1 on TCP/IP port $PORT1..."
+echo "======================= RESTART =======================" >> $LOG1
+cd ${XDIR}1
+$SLAPD -F slapd.d -h $URI1 -d $LVL $TIMING >> $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+cd $TESTWD
+
+sleep 1
+
+echo "Using ldapsearch to check that server 1 is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+n=2
 while [ $n -le $MMR ]; do
 PORT=`expr $BASEPORT + $n`
 URI="ldap://${LOCALHOST}:$PORT/"
@@ -653,6 +686,13 @@
 fi
 KILLPIDS="$KILLPIDS $PID"
 cd $TESTWD
+n=`expr $n + 1`
+done
+
+n=2
+while [ $n -le $MMR ]; do
+PORT=`expr $BASEPORT + $n`
+URI="ldap://${LOCALHOST}:$PORT/"
 echo "Using ldapsearch to check that server $n is running..."
 for i in 0 1 2 3 4 5; do
 	$LDAPSEARCH -s base -b "" -H $URI \
@@ -677,6 +717,68 @@
 echo "Waiting $SLEEP1 seconds for servers to resync..."
 sleep $SLEEP1
 
+echo "Using ldapmodify to add/modify/delete entries from server 1..."
+for i in 1 2 3 4 5 6 7 8 9 10; do
+echo "  iteration $i"
+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+	>> $TESTOUT 2>&1 << EOMODS
+dn: cn=Add-Mod-Del,dc=example,dc=com
+changetype: add
+cn: Add-Mod-Del
+objectclass: organizationalRole
+
+dn: cn=Add-Mod-Del,dc=example,dc=com
+changetype: modify
+replace: description
+description: guinea pig
+-
+
+dn: cn=Add-Mod-Del,dc=example,dc=com
+changetype: delete
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed for server 1 database ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+done
+
+echo "Waiting $SLEEP1 seconds for servers to resync..."
+sleep $SLEEP1
+
+n=1
+while [ $n -le $MMR ]; do
+PORT=`expr $BASEPORT + $n`
+URI="ldap://${LOCALHOST}:$PORT/"
+
+echo "Using ldapsearch to read all the entries from server $n..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD  \
+	'objectclass=*' > $TESTDIR/server$n.out 2>&1
+RC=$?
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed at server $n ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+. $LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt
+n=`expr $n + 1`
+done
+
+n=2
+while [ $n -le $MMR ]; do
+echo "Comparing retrieved entries from server 1 and server $n..."
+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+
+if test $? != 0 ; then
+	echo "test failed - server 1 and server $n databases differ"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+n=`expr $n + 1`
+done
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"

Modified: openldap/vendor/openldap-release/tests/scripts/test057-memberof-refint
===================================================================
--- openldap/vendor/openldap-release/tests/scripts/test057-memberof-refint	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/scripts/test057-memberof-refint	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test057-memberof-refint,v 1.3.2.3 2009/06/30 00:34:05 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test057-memberof-refint,v 1.3.2.4 2009/10/30 23:56:26 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -22,6 +22,11 @@
 	exit 0
 fi 
 
+if test $REFINT = refintno; then 
+	echo "Referential Integrity overlay not available, test skipped"
+	exit 0
+fi 
+
 if test "$BACKEND" != "hdb" ; then
 	echo "Test does not support $BACKEND"
 	exit 0

Modified: openldap/vendor/openldap-release/tests/scripts/test058-syncrepl-asymmetric
===================================================================
--- openldap/vendor/openldap-release/tests/scripts/test058-syncrepl-asymmetric	2010-04-10 16:01:24 UTC (rev 1245)
+++ openldap/vendor/openldap-release/tests/scripts/test058-syncrepl-asymmetric	2010-04-10 16:14:23 UTC (rev 1246)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/tests/scripts/test058-syncrepl-asymmetric,v 1.1.2.3 2009/08/13 00:50:43 quanah Exp $
+# $OpenLDAP: pkg/ldap/tests/scripts/test058-syncrepl-asymmetric,v 1.1.2.4 2009/12/07 19:22:32 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
 ## Copyright 1998-2009 The OpenLDAP Foundation.
@@ -1643,7 +1643,7 @@
 		"(description=Modify$NMUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to site1 search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1656,7 +1656,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to central search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1731,7 +1731,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to central search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1744,7 +1744,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to central search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1801,7 +1801,7 @@
 		"(description=Modify$NMUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to site2 search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1877,7 +1877,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to site2 search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1890,7 +1890,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to site2 search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1
@@ -1947,7 +1947,7 @@
 		"(description=Modify$MNUM)" 2>&1 | awk '/^dn:/ {print "NOK"}'`
 	if test "x$RESULT" = "xNOK" ; then
 		echo "Change was replicated to central search!"
-		test $KILLSERVERS != no && KILL -HUP $KILLPIDS
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	fi
 	sleep 1




More information about the Pkg-openldap-devel mailing list