[Pkg-openldap-devel] r1198 - in openldap/trunk: . build clients clients/tools contrib contrib/ldapc++ contrib/ldapc++/src contrib/ldapc++/src/ac contrib/slapd-modules contrib/slapd-modules/acl contrib/slapd-modules/addpartial contrib/slapd-modules/allop contrib/slapd-modules/autogroup contrib/slapd-modules/comp_match contrib/slapd-modules/denyop contrib/slapd-modules/dsaschema contrib/slapd-modules/lastmod contrib/slapd-modules/nops contrib/slapd-modules/nssov contrib/slapd-modules/passwd contrib/slapd-modules/smbk5pwd contrib/slapd-modules/trace contrib/slapd-tools contrib/slapi-plugins/addrdnvalues debian doc doc/devel doc/guide doc/guide/admin doc/guide/images/src doc/guide/release doc/man doc/man/man1 doc/man/man3 doc/man/man5 doc/man/man8 include include/ac libraries libraries/liblber libraries/libldap libraries/libldap_r libraries/liblunicode libraries/liblunicode/ucdata libraries/liblunicode/ure libraries/liblunicode/utbm libraries/liblutil libraries/librewrite servers servers/slapd servers/slapd/back-bdb servers/slapd/back-dnssrv servers/slapd/back-hdb servers/slapd/back-ldap servers/slapd/back-ldif servers/slapd/back-meta servers/slapd/back-monitor servers/slapd/back-null servers/slapd/back-passwd servers/slapd/back-perl servers/slapd/back-relay servers/slapd/back-shell servers/slapd/back-sock servers/slapd/back-sql servers/slapd/back-sql/rdbms_depend/timesten/dnreverse servers/slapd/overlays servers/slapd/schema servers/slapd/shell-backends servers/slapd/slapi tests tests/data tests/data/regressions/its4184 tests/data/regressions/its4326 tests/data/regressions/its4336 tests/data/regressions/its4337 tests/data/regressions/its4448 tests/progs tests/scripts

vorlon at alioth.debian.org
Tue Feb 17 17:44:12 UTC 2009


tags 497697 pending
thanks

Author: vorlon
Date: 2009-02-17 17:44:09 +0000 (Tue, 17 Feb 2009)
New Revision: 1198

Added:
   openldap/trunk/clients/tools/ldapurl.c
   openldap/trunk/contrib/slapd-modules/cloak/
   openldap/trunk/contrib/slapd-modules/passwd/sha2/
   openldap/trunk/doc/guide/admin/limits.sdf
   openldap/trunk/doc/man/man1/ldapurl.1
   openldap/trunk/doc/man/man5/slapd-ndb.5
   openldap/trunk/doc/man/man5/slapo-collect.5
   openldap/trunk/include/lutil_meter.h
   openldap/trunk/libraries/libldap/deref.c
   openldap/trunk/libraries/libldap/gssapi.c
   openldap/trunk/libraries/libldap/ldap-tls.h
   openldap/trunk/libraries/libldap/tls2.c
   openldap/trunk/libraries/libldap/tls_g.c
   openldap/trunk/libraries/libldap/tls_m.c
   openldap/trunk/libraries/libldap/tls_o.c
   openldap/trunk/libraries/liblutil/meter.c
   openldap/trunk/servers/slapd/back-ndb/
   openldap/trunk/servers/slapd/overlays/deref.c
   openldap/trunk/servers/slapd/schema/pmi.schema
   openldap/trunk/tests/data/ndb.conf
   openldap/trunk/tests/data/slapd-valregex.conf
   openldap/trunk/tests/scripts/monitor_data.sh
   openldap/trunk/tests/scripts/test054-syncreplication-parallel-load
   openldap/trunk/tests/scripts/test055-valregex
Removed:
   openldap/trunk/build/crupdate
   openldap/trunk/build/db.4.2.52.patch
   openldap/trunk/libraries/libldap/tls.c
Modified:
   openldap/trunk/ANNOUNCEMENT
   openldap/trunk/CHANGES
   openldap/trunk/COPYRIGHT
   openldap/trunk/INSTALL
   openldap/trunk/Makefile.in
   openldap/trunk/README
   openldap/trunk/build/dir.mk
   openldap/trunk/build/info.mk
   openldap/trunk/build/lib-shared.mk
   openldap/trunk/build/lib-static.mk
   openldap/trunk/build/lib.mk
   openldap/trunk/build/man.mk
   openldap/trunk/build/missing
   openldap/trunk/build/mkdep
   openldap/trunk/build/mkdep.aix
   openldap/trunk/build/mkrelease
   openldap/trunk/build/mkvers.bat
   openldap/trunk/build/mkversion
   openldap/trunk/build/mod.mk
   openldap/trunk/build/openldap.m4
   openldap/trunk/build/rules.mk
   openldap/trunk/build/srv.mk
   openldap/trunk/build/top.mk
   openldap/trunk/build/version.h
   openldap/trunk/build/version.sh
   openldap/trunk/build/version.var
   openldap/trunk/clients/Makefile.in
   openldap/trunk/clients/tools/Makefile.in
   openldap/trunk/clients/tools/common.c
   openldap/trunk/clients/tools/common.h
   openldap/trunk/clients/tools/ldapcompare.c
   openldap/trunk/clients/tools/ldapdelete.c
   openldap/trunk/clients/tools/ldapexop.c
   openldap/trunk/clients/tools/ldapmodify.c
   openldap/trunk/clients/tools/ldapmodrdn.c
   openldap/trunk/clients/tools/ldappasswd.c
   openldap/trunk/clients/tools/ldapsearch.c
   openldap/trunk/clients/tools/ldapwhoami.c
   openldap/trunk/configure.in
   openldap/trunk/contrib/ConfigOIDs
   openldap/trunk/contrib/ldapc++/COPYRIGHT
   openldap/trunk/contrib/ldapc++/configure
   openldap/trunk/contrib/ldapc++/configure.in
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
   openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPControl.h
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
   openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
   openldap/trunk/contrib/ldapc++/src/ac/time.h
   openldap/trunk/contrib/slapd-modules/README
   openldap/trunk/contrib/slapd-modules/acl/README
   openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
   openldap/trunk/contrib/slapd-modules/addpartial/Makefile
   openldap/trunk/contrib/slapd-modules/addpartial/addpartial-overlay.c
   openldap/trunk/contrib/slapd-modules/allop/README
   openldap/trunk/contrib/slapd-modules/allop/allop.c
   openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
   openldap/trunk/contrib/slapd-modules/autogroup/autogroup.c
   openldap/trunk/contrib/slapd-modules/comp_match/Makefile
   openldap/trunk/contrib/slapd-modules/denyop/denyop.c
   openldap/trunk/contrib/slapd-modules/dsaschema/README
   openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
   openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
   openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
   openldap/trunk/contrib/slapd-modules/nops/Makefile
   openldap/trunk/contrib/slapd-modules/nssov/group.c
   openldap/trunk/contrib/slapd-modules/nssov/nssov.c
   openldap/trunk/contrib/slapd-modules/nssov/nssov.h
   openldap/trunk/contrib/slapd-modules/nssov/passwd.c
   openldap/trunk/contrib/slapd-modules/passwd/README
   openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
   openldap/trunk/contrib/slapd-modules/passwd/netscape.c
   openldap/trunk/contrib/slapd-modules/passwd/radius.c
   openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
   openldap/trunk/contrib/slapd-modules/trace/trace.c
   openldap/trunk/contrib/slapd-tools/README
   openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
   openldap/trunk/debian/changelog
   openldap/trunk/doc/Makefile.in
   openldap/trunk/doc/devel/args
   openldap/trunk/doc/guide/COPYRIGHT
   openldap/trunk/doc/guide/admin/Makefile
   openldap/trunk/doc/guide/admin/README.spellcheck
   openldap/trunk/doc/guide/admin/abstract.sdf
   openldap/trunk/doc/guide/admin/access-control.sdf
   openldap/trunk/doc/guide/admin/admin.sdf
   openldap/trunk/doc/guide/admin/appendix-changes.sdf
   openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
   openldap/trunk/doc/guide/admin/appendix-configs.sdf
   openldap/trunk/doc/guide/admin/appendix-contrib.sdf
   openldap/trunk/doc/guide/admin/appendix-deployments.sdf
   openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
   openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
   openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
   openldap/trunk/doc/guide/admin/aspell.en.pws
   openldap/trunk/doc/guide/admin/backends.sdf
   openldap/trunk/doc/guide/admin/config.sdf
   openldap/trunk/doc/guide/admin/dbtools.sdf
   openldap/trunk/doc/guide/admin/glossary.sdf
   openldap/trunk/doc/guide/admin/guide.html
   openldap/trunk/doc/guide/admin/guide.sdf
   openldap/trunk/doc/guide/admin/index.sdf
   openldap/trunk/doc/guide/admin/install.sdf
   openldap/trunk/doc/guide/admin/intro.sdf
   openldap/trunk/doc/guide/admin/maintenance.sdf
   openldap/trunk/doc/guide/admin/master.sdf
   openldap/trunk/doc/guide/admin/monitoringslapd.sdf
   openldap/trunk/doc/guide/admin/overlays.sdf
   openldap/trunk/doc/guide/admin/preface.sdf
   openldap/trunk/doc/guide/admin/quickstart.sdf
   openldap/trunk/doc/guide/admin/referrals.sdf
   openldap/trunk/doc/guide/admin/replication.sdf
   openldap/trunk/doc/guide/admin/runningslapd.sdf
   openldap/trunk/doc/guide/admin/sasl.sdf
   openldap/trunk/doc/guide/admin/schema.sdf
   openldap/trunk/doc/guide/admin/security.sdf
   openldap/trunk/doc/guide/admin/slapdconf2.sdf
   openldap/trunk/doc/guide/admin/slapdconfig.sdf
   openldap/trunk/doc/guide/admin/title.sdf
   openldap/trunk/doc/guide/admin/tls.sdf
   openldap/trunk/doc/guide/admin/troubleshooting.sdf
   openldap/trunk/doc/guide/admin/tuning.sdf
   openldap/trunk/doc/guide/images/src/README.fonts
   openldap/trunk/doc/guide/plain.sdf
   openldap/trunk/doc/guide/preamble.sdf
   openldap/trunk/doc/guide/release/copyright-plain.sdf
   openldap/trunk/doc/guide/release/copyright.sdf
   openldap/trunk/doc/guide/release/install.sdf
   openldap/trunk/doc/guide/release/license-plain.sdf
   openldap/trunk/doc/guide/release/license.sdf
   openldap/trunk/doc/man/Makefile.in
   openldap/trunk/doc/man/man1/Makefile.in
   openldap/trunk/doc/man/man1/ldapcompare.1
   openldap/trunk/doc/man/man1/ldapdelete.1
   openldap/trunk/doc/man/man1/ldapmodify.1
   openldap/trunk/doc/man/man1/ldapmodrdn.1
   openldap/trunk/doc/man/man1/ldappasswd.1
   openldap/trunk/doc/man/man1/ldapsearch.1
   openldap/trunk/doc/man/man1/ldapwhoami.1
   openldap/trunk/doc/man/man3/Makefile.in
   openldap/trunk/doc/man/man3/lber-decode.3
   openldap/trunk/doc/man/man3/lber-encode.3
   openldap/trunk/doc/man/man3/lber-memory.3
   openldap/trunk/doc/man/man3/lber-sockbuf.3
   openldap/trunk/doc/man/man3/lber-types.3
   openldap/trunk/doc/man/man3/ldap.3
   openldap/trunk/doc/man/man3/ldap_abandon.3
   openldap/trunk/doc/man/man3/ldap_add.3
   openldap/trunk/doc/man/man3/ldap_bind.3
   openldap/trunk/doc/man/man3/ldap_compare.3
   openldap/trunk/doc/man/man3/ldap_controls.3
   openldap/trunk/doc/man/man3/ldap_delete.3
   openldap/trunk/doc/man/man3/ldap_error.3
   openldap/trunk/doc/man/man3/ldap_extended_operation.3
   openldap/trunk/doc/man/man3/ldap_first_attribute.3
   openldap/trunk/doc/man/man3/ldap_first_entry.3
   openldap/trunk/doc/man/man3/ldap_first_message.3
   openldap/trunk/doc/man/man3/ldap_first_reference.3
   openldap/trunk/doc/man/man3/ldap_get_dn.3
   openldap/trunk/doc/man/man3/ldap_get_option.3
   openldap/trunk/doc/man/man3/ldap_get_values.3
   openldap/trunk/doc/man/man3/ldap_memory.3
   openldap/trunk/doc/man/man3/ldap_modify.3
   openldap/trunk/doc/man/man3/ldap_modrdn.3
   openldap/trunk/doc/man/man3/ldap_open.3
   openldap/trunk/doc/man/man3/ldap_parse_reference.3
   openldap/trunk/doc/man/man3/ldap_parse_result.3
   openldap/trunk/doc/man/man3/ldap_parse_sort_control.3
   openldap/trunk/doc/man/man3/ldap_parse_vlv_control.3
   openldap/trunk/doc/man/man3/ldap_rename.3
   openldap/trunk/doc/man/man3/ldap_result.3
   openldap/trunk/doc/man/man3/ldap_schema.3
   openldap/trunk/doc/man/man3/ldap_search.3
   openldap/trunk/doc/man/man3/ldap_sort.3
   openldap/trunk/doc/man/man3/ldap_sync.3
   openldap/trunk/doc/man/man3/ldap_tls.3
   openldap/trunk/doc/man/man3/ldap_url.3
   openldap/trunk/doc/man/man5/Makefile.in
   openldap/trunk/doc/man/man5/ldap.conf.5
   openldap/trunk/doc/man/man5/ldif.5
   openldap/trunk/doc/man/man5/slapd-bdb.5
   openldap/trunk/doc/man/man5/slapd-config.5
   openldap/trunk/doc/man/man5/slapd-dnssrv.5
   openldap/trunk/doc/man/man5/slapd-ldap.5
   openldap/trunk/doc/man/man5/slapd-ldbm.5
   openldap/trunk/doc/man/man5/slapd-ldif.5
   openldap/trunk/doc/man/man5/slapd-meta.5
   openldap/trunk/doc/man/man5/slapd-monitor.5
   openldap/trunk/doc/man/man5/slapd-null.5
   openldap/trunk/doc/man/man5/slapd-passwd.5
   openldap/trunk/doc/man/man5/slapd-relay.5
   openldap/trunk/doc/man/man5/slapd-shell.5
   openldap/trunk/doc/man/man5/slapd-sock.5
   openldap/trunk/doc/man/man5/slapd.access.5
   openldap/trunk/doc/man/man5/slapd.backends.5
   openldap/trunk/doc/man/man5/slapd.conf.5
   openldap/trunk/doc/man/man5/slapd.overlays.5
   openldap/trunk/doc/man/man5/slapd.plugin.5
   openldap/trunk/doc/man/man5/slapo-accesslog.5
   openldap/trunk/doc/man/man5/slapo-auditlog.5
   openldap/trunk/doc/man/man5/slapo-chain.5
   openldap/trunk/doc/man/man5/slapo-constraint.5
   openldap/trunk/doc/man/man5/slapo-dds.5
   openldap/trunk/doc/man/man5/slapo-dyngroup.5
   openldap/trunk/doc/man/man5/slapo-dynlist.5
   openldap/trunk/doc/man/man5/slapo-memberof.5
   openldap/trunk/doc/man/man5/slapo-pcache.5
   openldap/trunk/doc/man/man5/slapo-ppolicy.5
   openldap/trunk/doc/man/man5/slapo-refint.5
   openldap/trunk/doc/man/man5/slapo-retcode.5
   openldap/trunk/doc/man/man5/slapo-rwm.5
   openldap/trunk/doc/man/man5/slapo-syncprov.5
   openldap/trunk/doc/man/man5/slapo-translucent.5
   openldap/trunk/doc/man/man5/slapo-unique.5
   openldap/trunk/doc/man/man5/slapo-valsort.5
   openldap/trunk/doc/man/man8/Makefile.in
   openldap/trunk/doc/man/man8/slapacl.8
   openldap/trunk/doc/man/man8/slapadd.8
   openldap/trunk/doc/man/man8/slapauth.8
   openldap/trunk/doc/man/man8/slapcat.8
   openldap/trunk/doc/man/man8/slapd.8
   openldap/trunk/doc/man/man8/slapdn.8
   openldap/trunk/doc/man/man8/slapindex.8
   openldap/trunk/doc/man/man8/slappasswd.8
   openldap/trunk/doc/man/man8/slaptest.8
   openldap/trunk/include/Makefile.in
   openldap/trunk/include/ac/alloca.h
   openldap/trunk/include/ac/assert.h
   openldap/trunk/include/ac/bytes.h
   openldap/trunk/include/ac/crypt.h
   openldap/trunk/include/ac/ctype.h
   openldap/trunk/include/ac/dirent.h
   openldap/trunk/include/ac/errno.h
   openldap/trunk/include/ac/fdset.h
   openldap/trunk/include/ac/localize.h
   openldap/trunk/include/ac/param.h
   openldap/trunk/include/ac/regex.h
   openldap/trunk/include/ac/setproctitle.h
   openldap/trunk/include/ac/signal.h
   openldap/trunk/include/ac/socket.h
   openldap/trunk/include/ac/stdarg.h
   openldap/trunk/include/ac/stdlib.h
   openldap/trunk/include/ac/string.h
   openldap/trunk/include/ac/sysexits.h
   openldap/trunk/include/ac/syslog.h
   openldap/trunk/include/ac/termios.h
   openldap/trunk/include/ac/time.h
   openldap/trunk/include/ac/unistd.h
   openldap/trunk/include/ac/wait.h
   openldap/trunk/include/avl.h
   openldap/trunk/include/getopt-compat.h
   openldap/trunk/include/lber.h
   openldap/trunk/include/lber_pvt.h
   openldap/trunk/include/lber_types.hin
   openldap/trunk/include/ldap.h
   openldap/trunk/include/ldap_cdefs.h
   openldap/trunk/include/ldap_config.hin
   openldap/trunk/include/ldap_defaults.h
   openldap/trunk/include/ldap_features.hin
   openldap/trunk/include/ldap_int_thread.h
   openldap/trunk/include/ldap_log.h
   openldap/trunk/include/ldap_pvt.h
   openldap/trunk/include/ldap_pvt_thread.h
   openldap/trunk/include/ldap_pvt_uc.h
   openldap/trunk/include/ldap_queue.h
   openldap/trunk/include/ldap_rq.h
   openldap/trunk/include/ldap_schema.h
   openldap/trunk/include/ldap_utf8.h
   openldap/trunk/include/ldif.h
   openldap/trunk/include/lutil.h
   openldap/trunk/include/lutil_hash.h
   openldap/trunk/include/lutil_ldap.h
   openldap/trunk/include/lutil_lockf.h
   openldap/trunk/include/lutil_md5.h
   openldap/trunk/include/lutil_sha1.h
   openldap/trunk/include/portable.hin
   openldap/trunk/include/rewrite.h
   openldap/trunk/include/slapi-plugin.h
   openldap/trunk/include/sysexits-compat.h
   openldap/trunk/libraries/Makefile.in
   openldap/trunk/libraries/liblber/Makefile.in
   openldap/trunk/libraries/liblber/assert.c
   openldap/trunk/libraries/liblber/bprint.c
   openldap/trunk/libraries/liblber/debug.c
   openldap/trunk/libraries/liblber/decode.c
   openldap/trunk/libraries/liblber/dtest.c
   openldap/trunk/libraries/liblber/encode.c
   openldap/trunk/libraries/liblber/etest.c
   openldap/trunk/libraries/liblber/idtest.c
   openldap/trunk/libraries/liblber/io.c
   openldap/trunk/libraries/liblber/lber-int.h
   openldap/trunk/libraries/liblber/memory.c
   openldap/trunk/libraries/liblber/nt_err.c
   openldap/trunk/libraries/liblber/options.c
   openldap/trunk/libraries/liblber/sockbuf.c
   openldap/trunk/libraries/liblber/stdio.c
   openldap/trunk/libraries/libldap/Makefile.in
   openldap/trunk/libraries/libldap/abandon.c
   openldap/trunk/libraries/libldap/add.c
   openldap/trunk/libraries/libldap/addentry.c
   openldap/trunk/libraries/libldap/apitest.c
   openldap/trunk/libraries/libldap/assertion.c
   openldap/trunk/libraries/libldap/bind.c
   openldap/trunk/libraries/libldap/cancel.c
   openldap/trunk/libraries/libldap/charray.c
   openldap/trunk/libraries/libldap/compare.c
   openldap/trunk/libraries/libldap/controls.c
   openldap/trunk/libraries/libldap/cyrus.c
   openldap/trunk/libraries/libldap/dds.c
   openldap/trunk/libraries/libldap/delete.c
   openldap/trunk/libraries/libldap/dnssrv.c
   openldap/trunk/libraries/libldap/dntest.c
   openldap/trunk/libraries/libldap/error.c
   openldap/trunk/libraries/libldap/extended.c
   openldap/trunk/libraries/libldap/filter.c
   openldap/trunk/libraries/libldap/free.c
   openldap/trunk/libraries/libldap/ftest.c
   openldap/trunk/libraries/libldap/getattr.c
   openldap/trunk/libraries/libldap/getdn.c
   openldap/trunk/libraries/libldap/getentry.c
   openldap/trunk/libraries/libldap/getvalues.c
   openldap/trunk/libraries/libldap/init.c
   openldap/trunk/libraries/libldap/ldap-int.h
   openldap/trunk/libraries/libldap/ldap_sync.c
   openldap/trunk/libraries/libldap/messages.c
   openldap/trunk/libraries/libldap/modify.c
   openldap/trunk/libraries/libldap/modrdn.c
   openldap/trunk/libraries/libldap/open.c
   openldap/trunk/libraries/libldap/options.c
   openldap/trunk/libraries/libldap/os-ip.c
   openldap/trunk/libraries/libldap/os-local.c
   openldap/trunk/libraries/libldap/pagectrl.c
   openldap/trunk/libraries/libldap/passwd.c
   openldap/trunk/libraries/libldap/ppolicy.c
   openldap/trunk/libraries/libldap/print.c
   openldap/trunk/libraries/libldap/references.c
   openldap/trunk/libraries/libldap/request.c
   openldap/trunk/libraries/libldap/result.c
   openldap/trunk/libraries/libldap/sasl.c
   openldap/trunk/libraries/libldap/sbind.c
   openldap/trunk/libraries/libldap/schema.c
   openldap/trunk/libraries/libldap/search.c
   openldap/trunk/libraries/libldap/sort.c
   openldap/trunk/libraries/libldap/sortctrl.c
   openldap/trunk/libraries/libldap/stctrl.c
   openldap/trunk/libraries/libldap/string.c
   openldap/trunk/libraries/libldap/t61.c
   openldap/trunk/libraries/libldap/test.c
   openldap/trunk/libraries/libldap/turn.c
   openldap/trunk/libraries/libldap/txn.c
   openldap/trunk/libraries/libldap/unbind.c
   openldap/trunk/libraries/libldap/url.c
   openldap/trunk/libraries/libldap/urltest.c
   openldap/trunk/libraries/libldap/utf-8-conv.c
   openldap/trunk/libraries/libldap/utf-8.c
   openldap/trunk/libraries/libldap/util-int.c
   openldap/trunk/libraries/libldap/vlvctrl.c
   openldap/trunk/libraries/libldap/whoami.c
   openldap/trunk/libraries/libldap_r/Makefile.in
   openldap/trunk/libraries/libldap_r/ldap_thr_debug.h
   openldap/trunk/libraries/libldap_r/rdwr.c
   openldap/trunk/libraries/libldap_r/rmutex.c
   openldap/trunk/libraries/libldap_r/rq.c
   openldap/trunk/libraries/libldap_r/thr_cthreads.c
   openldap/trunk/libraries/libldap_r/thr_debug.c
   openldap/trunk/libraries/libldap_r/thr_lwp.c
   openldap/trunk/libraries/libldap_r/thr_nt.c
   openldap/trunk/libraries/libldap_r/thr_posix.c
   openldap/trunk/libraries/libldap_r/thr_pth.c
   openldap/trunk/libraries/libldap_r/thr_stub.c
   openldap/trunk/libraries/libldap_r/thr_thr.c
   openldap/trunk/libraries/libldap_r/threads.c
   openldap/trunk/libraries/libldap_r/tpool.c
   openldap/trunk/libraries/liblunicode/Makefile.in
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.c
   openldap/trunk/libraries/liblunicode/ucdata/ucdata.h
   openldap/trunk/libraries/liblunicode/ucdata/ucgendat.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.c
   openldap/trunk/libraries/liblunicode/ucdata/ucpgba.h
   openldap/trunk/libraries/liblunicode/ucstr.c
   openldap/trunk/libraries/liblunicode/ure/ure.c
   openldap/trunk/libraries/liblunicode/ure/ure.h
   openldap/trunk/libraries/liblunicode/ure/urestubs.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.c
   openldap/trunk/libraries/liblunicode/utbm/utbm.h
   openldap/trunk/libraries/liblunicode/utbm/utbmstub.c
   openldap/trunk/libraries/liblutil/Makefile.in
   openldap/trunk/libraries/liblutil/avl.c
   openldap/trunk/libraries/liblutil/base64.c
   openldap/trunk/libraries/liblutil/csn.c
   openldap/trunk/libraries/liblutil/detach.c
   openldap/trunk/libraries/liblutil/entropy.c
   openldap/trunk/libraries/liblutil/fetch.c
   openldap/trunk/libraries/liblutil/getopt.c
   openldap/trunk/libraries/liblutil/getpass.c
   openldap/trunk/libraries/liblutil/getpeereid.c
   openldap/trunk/libraries/liblutil/hash.c
   openldap/trunk/libraries/liblutil/ldif.c
   openldap/trunk/libraries/liblutil/lockf.c
   openldap/trunk/libraries/liblutil/md5.c
   openldap/trunk/libraries/liblutil/memcmp.c
   openldap/trunk/libraries/liblutil/ntservice.c
   openldap/trunk/libraries/liblutil/passfile.c
   openldap/trunk/libraries/liblutil/passwd.c
   openldap/trunk/libraries/liblutil/ptest.c
   openldap/trunk/libraries/liblutil/sasl.c
   openldap/trunk/libraries/liblutil/setproctitle.c
   openldap/trunk/libraries/liblutil/sha1.c
   openldap/trunk/libraries/liblutil/signal.c
   openldap/trunk/libraries/liblutil/sockpair.c
   openldap/trunk/libraries/liblutil/tavl.c
   openldap/trunk/libraries/liblutil/testavl.c
   openldap/trunk/libraries/liblutil/testtavl.c
   openldap/trunk/libraries/liblutil/utils.c
   openldap/trunk/libraries/liblutil/uuid.c
   openldap/trunk/libraries/librewrite/Makefile.in
   openldap/trunk/libraries/librewrite/config.c
   openldap/trunk/libraries/librewrite/context.c
   openldap/trunk/libraries/librewrite/info.c
   openldap/trunk/libraries/librewrite/ldapmap.c
   openldap/trunk/libraries/librewrite/map.c
   openldap/trunk/libraries/librewrite/params.c
   openldap/trunk/libraries/librewrite/parse.c
   openldap/trunk/libraries/librewrite/rewrite-int.h
   openldap/trunk/libraries/librewrite/rewrite-map.h
   openldap/trunk/libraries/librewrite/rewrite.c
   openldap/trunk/libraries/librewrite/rule.c
   openldap/trunk/libraries/librewrite/session.c
   openldap/trunk/libraries/librewrite/subst.c
   openldap/trunk/libraries/librewrite/var.c
   openldap/trunk/libraries/librewrite/xmap.c
   openldap/trunk/servers/Makefile.in
   openldap/trunk/servers/slapd/Makefile.in
   openldap/trunk/servers/slapd/abandon.c
   openldap/trunk/servers/slapd/aci.c
   openldap/trunk/servers/slapd/acl.c
   openldap/trunk/servers/slapd/aclparse.c
   openldap/trunk/servers/slapd/ad.c
   openldap/trunk/servers/slapd/add.c
   openldap/trunk/servers/slapd/alock.c
   openldap/trunk/servers/slapd/alock.h
   openldap/trunk/servers/slapd/at.c
   openldap/trunk/servers/slapd/attr.c
   openldap/trunk/servers/slapd/ava.c
   openldap/trunk/servers/slapd/back-bdb/Makefile.in
   openldap/trunk/servers/slapd/back-bdb/add.c
   openldap/trunk/servers/slapd/back-bdb/attr.c
   openldap/trunk/servers/slapd/back-bdb/back-bdb.h
   openldap/trunk/servers/slapd/back-bdb/bind.c
   openldap/trunk/servers/slapd/back-bdb/cache.c
   openldap/trunk/servers/slapd/back-bdb/compare.c
   openldap/trunk/servers/slapd/back-bdb/config.c
   openldap/trunk/servers/slapd/back-bdb/dbcache.c
   openldap/trunk/servers/slapd/back-bdb/delete.c
   openldap/trunk/servers/slapd/back-bdb/dn2entry.c
   openldap/trunk/servers/slapd/back-bdb/dn2id.c
   openldap/trunk/servers/slapd/back-bdb/error.c
   openldap/trunk/servers/slapd/back-bdb/extended.c
   openldap/trunk/servers/slapd/back-bdb/filterindex.c
   openldap/trunk/servers/slapd/back-bdb/id2entry.c
   openldap/trunk/servers/slapd/back-bdb/idl.c
   openldap/trunk/servers/slapd/back-bdb/idl.h
   openldap/trunk/servers/slapd/back-bdb/index.c
   openldap/trunk/servers/slapd/back-bdb/init.c
   openldap/trunk/servers/slapd/back-bdb/key.c
   openldap/trunk/servers/slapd/back-bdb/modify.c
   openldap/trunk/servers/slapd/back-bdb/modrdn.c
   openldap/trunk/servers/slapd/back-bdb/monitor.c
   openldap/trunk/servers/slapd/back-bdb/nextid.c
   openldap/trunk/servers/slapd/back-bdb/operational.c
   openldap/trunk/servers/slapd/back-bdb/proto-bdb.h
   openldap/trunk/servers/slapd/back-bdb/referral.c
   openldap/trunk/servers/slapd/back-bdb/search.c
   openldap/trunk/servers/slapd/back-bdb/tools.c
   openldap/trunk/servers/slapd/back-bdb/trans.c
   openldap/trunk/servers/slapd/back-dnssrv/Makefile.in
   openldap/trunk/servers/slapd/back-dnssrv/bind.c
   openldap/trunk/servers/slapd/back-dnssrv/compare.c
   openldap/trunk/servers/slapd/back-dnssrv/config.c
   openldap/trunk/servers/slapd/back-dnssrv/init.c
   openldap/trunk/servers/slapd/back-dnssrv/proto-dnssrv.h
   openldap/trunk/servers/slapd/back-dnssrv/referral.c
   openldap/trunk/servers/slapd/back-dnssrv/search.c
   openldap/trunk/servers/slapd/back-hdb/Makefile.in
   openldap/trunk/servers/slapd/back-hdb/back-bdb.h
   openldap/trunk/servers/slapd/back-ldap/Makefile.in
   openldap/trunk/servers/slapd/back-ldap/add.c
   openldap/trunk/servers/slapd/back-ldap/back-ldap.h
   openldap/trunk/servers/slapd/back-ldap/bind.c
   openldap/trunk/servers/slapd/back-ldap/chain.c
   openldap/trunk/servers/slapd/back-ldap/compare.c
   openldap/trunk/servers/slapd/back-ldap/config.c
   openldap/trunk/servers/slapd/back-ldap/delete.c
   openldap/trunk/servers/slapd/back-ldap/distproc.c
   openldap/trunk/servers/slapd/back-ldap/extended.c
   openldap/trunk/servers/slapd/back-ldap/init.c
   openldap/trunk/servers/slapd/back-ldap/modify.c
   openldap/trunk/servers/slapd/back-ldap/modrdn.c
   openldap/trunk/servers/slapd/back-ldap/monitor.c
   openldap/trunk/servers/slapd/back-ldap/proto-ldap.h
   openldap/trunk/servers/slapd/back-ldap/search.c
   openldap/trunk/servers/slapd/back-ldap/unbind.c
   openldap/trunk/servers/slapd/back-ldif/Makefile.in
   openldap/trunk/servers/slapd/back-ldif/ldif.c
   openldap/trunk/servers/slapd/back-meta/Makefile.in
   openldap/trunk/servers/slapd/back-meta/add.c
   openldap/trunk/servers/slapd/back-meta/back-meta.h
   openldap/trunk/servers/slapd/back-meta/bind.c
   openldap/trunk/servers/slapd/back-meta/candidates.c
   openldap/trunk/servers/slapd/back-meta/compare.c
   openldap/trunk/servers/slapd/back-meta/config.c
   openldap/trunk/servers/slapd/back-meta/conn.c
   openldap/trunk/servers/slapd/back-meta/delete.c
   openldap/trunk/servers/slapd/back-meta/dncache.c
   openldap/trunk/servers/slapd/back-meta/init.c
   openldap/trunk/servers/slapd/back-meta/map.c
   openldap/trunk/servers/slapd/back-meta/modify.c
   openldap/trunk/servers/slapd/back-meta/modrdn.c
   openldap/trunk/servers/slapd/back-meta/proto-meta.h
   openldap/trunk/servers/slapd/back-meta/search.c
   openldap/trunk/servers/slapd/back-meta/suffixmassage.c
   openldap/trunk/servers/slapd/back-meta/unbind.c
   openldap/trunk/servers/slapd/back-monitor/Makefile.in
   openldap/trunk/servers/slapd/back-monitor/back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/backend.c
   openldap/trunk/servers/slapd/back-monitor/bind.c
   openldap/trunk/servers/slapd/back-monitor/cache.c
   openldap/trunk/servers/slapd/back-monitor/compare.c
   openldap/trunk/servers/slapd/back-monitor/conn.c
   openldap/trunk/servers/slapd/back-monitor/database.c
   openldap/trunk/servers/slapd/back-monitor/entry.c
   openldap/trunk/servers/slapd/back-monitor/init.c
   openldap/trunk/servers/slapd/back-monitor/listener.c
   openldap/trunk/servers/slapd/back-monitor/log.c
   openldap/trunk/servers/slapd/back-monitor/modify.c
   openldap/trunk/servers/slapd/back-monitor/operation.c
   openldap/trunk/servers/slapd/back-monitor/operational.c
   openldap/trunk/servers/slapd/back-monitor/overlay.c
   openldap/trunk/servers/slapd/back-monitor/proto-back-monitor.h
   openldap/trunk/servers/slapd/back-monitor/rww.c
   openldap/trunk/servers/slapd/back-monitor/search.c
   openldap/trunk/servers/slapd/back-monitor/sent.c
   openldap/trunk/servers/slapd/back-monitor/thread.c
   openldap/trunk/servers/slapd/back-monitor/time.c
   openldap/trunk/servers/slapd/back-null/Makefile.in
   openldap/trunk/servers/slapd/back-null/null.c
   openldap/trunk/servers/slapd/back-passwd/Makefile.in
   openldap/trunk/servers/slapd/back-passwd/back-passwd.h
   openldap/trunk/servers/slapd/back-passwd/config.c
   openldap/trunk/servers/slapd/back-passwd/init.c
   openldap/trunk/servers/slapd/back-passwd/proto-passwd.h
   openldap/trunk/servers/slapd/back-passwd/search.c
   openldap/trunk/servers/slapd/back-perl/Makefile.in
   openldap/trunk/servers/slapd/back-perl/SampleLDAP.pm
   openldap/trunk/servers/slapd/back-perl/add.c
   openldap/trunk/servers/slapd/back-perl/asperl_undefs.h
   openldap/trunk/servers/slapd/back-perl/bind.c
   openldap/trunk/servers/slapd/back-perl/close.c
   openldap/trunk/servers/slapd/back-perl/compare.c
   openldap/trunk/servers/slapd/back-perl/config.c
   openldap/trunk/servers/slapd/back-perl/delete.c
   openldap/trunk/servers/slapd/back-perl/init.c
   openldap/trunk/servers/slapd/back-perl/modify.c
   openldap/trunk/servers/slapd/back-perl/modrdn.c
   openldap/trunk/servers/slapd/back-perl/perl_back.h
   openldap/trunk/servers/slapd/back-perl/proto-perl.h
   openldap/trunk/servers/slapd/back-perl/search.c
   openldap/trunk/servers/slapd/back-relay/Makefile.in
   openldap/trunk/servers/slapd/back-relay/back-relay.h
   openldap/trunk/servers/slapd/back-relay/init.c
   openldap/trunk/servers/slapd/back-relay/op.c
   openldap/trunk/servers/slapd/back-relay/proto-back-relay.h
   openldap/trunk/servers/slapd/back-shell/Makefile.in
   openldap/trunk/servers/slapd/back-shell/add.c
   openldap/trunk/servers/slapd/back-shell/bind.c
   openldap/trunk/servers/slapd/back-shell/compare.c
   openldap/trunk/servers/slapd/back-shell/config.c
   openldap/trunk/servers/slapd/back-shell/delete.c
   openldap/trunk/servers/slapd/back-shell/fork.c
   openldap/trunk/servers/slapd/back-shell/init.c
   openldap/trunk/servers/slapd/back-shell/modify.c
   openldap/trunk/servers/slapd/back-shell/modrdn.c
   openldap/trunk/servers/slapd/back-shell/proto-shell.h
   openldap/trunk/servers/slapd/back-shell/result.c
   openldap/trunk/servers/slapd/back-shell/search.c
   openldap/trunk/servers/slapd/back-shell/searchexample.conf
   openldap/trunk/servers/slapd/back-shell/searchexample.sh
   openldap/trunk/servers/slapd/back-shell/shell.h
   openldap/trunk/servers/slapd/back-shell/unbind.c
   openldap/trunk/servers/slapd/back-sock/Makefile.in
   openldap/trunk/servers/slapd/back-sock/add.c
   openldap/trunk/servers/slapd/back-sock/back-sock.h
   openldap/trunk/servers/slapd/back-sock/bind.c
   openldap/trunk/servers/slapd/back-sock/compare.c
   openldap/trunk/servers/slapd/back-sock/config.c
   openldap/trunk/servers/slapd/back-sock/delete.c
   openldap/trunk/servers/slapd/back-sock/init.c
   openldap/trunk/servers/slapd/back-sock/modify.c
   openldap/trunk/servers/slapd/back-sock/modrdn.c
   openldap/trunk/servers/slapd/back-sock/opensock.c
   openldap/trunk/servers/slapd/back-sock/proto-sock.h
   openldap/trunk/servers/slapd/back-sock/result.c
   openldap/trunk/servers/slapd/back-sock/search.c
   openldap/trunk/servers/slapd/back-sock/searchexample.conf
   openldap/trunk/servers/slapd/back-sock/searchexample.pl
   openldap/trunk/servers/slapd/back-sock/unbind.c
   openldap/trunk/servers/slapd/back-sql/Makefile.in
   openldap/trunk/servers/slapd/back-sql/add.c
   openldap/trunk/servers/slapd/back-sql/api.c
   openldap/trunk/servers/slapd/back-sql/back-sql.h
   openldap/trunk/servers/slapd/back-sql/bind.c
   openldap/trunk/servers/slapd/back-sql/compare.c
   openldap/trunk/servers/slapd/back-sql/config.c
   openldap/trunk/servers/slapd/back-sql/delete.c
   openldap/trunk/servers/slapd/back-sql/entry-id.c
   openldap/trunk/servers/slapd/back-sql/init.c
   openldap/trunk/servers/slapd/back-sql/modify.c
   openldap/trunk/servers/slapd/back-sql/modrdn.c
   openldap/trunk/servers/slapd/back-sql/operational.c
   openldap/trunk/servers/slapd/back-sql/proto-sql.h
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile
   openldap/trunk/servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp
   openldap/trunk/servers/slapd/back-sql/schema-map.c
   openldap/trunk/servers/slapd/back-sql/search.c
   openldap/trunk/servers/slapd/back-sql/sql-wrap.c
   openldap/trunk/servers/slapd/back-sql/util.c
   openldap/trunk/servers/slapd/backend.c
   openldap/trunk/servers/slapd/backglue.c
   openldap/trunk/servers/slapd/backover.c
   openldap/trunk/servers/slapd/bconfig.c
   openldap/trunk/servers/slapd/bind.c
   openldap/trunk/servers/slapd/cancel.c
   openldap/trunk/servers/slapd/ch_malloc.c
   openldap/trunk/servers/slapd/compare.c
   openldap/trunk/servers/slapd/component.c
   openldap/trunk/servers/slapd/component.h
   openldap/trunk/servers/slapd/config.c
   openldap/trunk/servers/slapd/config.h
   openldap/trunk/servers/slapd/connection.c
   openldap/trunk/servers/slapd/controls.c
   openldap/trunk/servers/slapd/cr.c
   openldap/trunk/servers/slapd/ctxcsn.c
   openldap/trunk/servers/slapd/daemon.c
   openldap/trunk/servers/slapd/delete.c
   openldap/trunk/servers/slapd/dn.c
   openldap/trunk/servers/slapd/entry.c
   openldap/trunk/servers/slapd/extended.c
   openldap/trunk/servers/slapd/filter.c
   openldap/trunk/servers/slapd/filterentry.c
   openldap/trunk/servers/slapd/frontend.c
   openldap/trunk/servers/slapd/globals.c
   openldap/trunk/servers/slapd/index.c
   openldap/trunk/servers/slapd/init.c
   openldap/trunk/servers/slapd/ldapsync.c
   openldap/trunk/servers/slapd/limits.c
   openldap/trunk/servers/slapd/lock.c
   openldap/trunk/servers/slapd/main.c
   openldap/trunk/servers/slapd/matchedValues.c
   openldap/trunk/servers/slapd/modify.c
   openldap/trunk/servers/slapd/modrdn.c
   openldap/trunk/servers/slapd/mods.c
   openldap/trunk/servers/slapd/module.c
   openldap/trunk/servers/slapd/mr.c
   openldap/trunk/servers/slapd/mra.c
   openldap/trunk/servers/slapd/nt_svc.c
   openldap/trunk/servers/slapd/oc.c
   openldap/trunk/servers/slapd/oidm.c
   openldap/trunk/servers/slapd/operation.c
   openldap/trunk/servers/slapd/operational.c
   openldap/trunk/servers/slapd/overlays/Makefile.in
   openldap/trunk/servers/slapd/overlays/accesslog.c
   openldap/trunk/servers/slapd/overlays/auditlog.c
   openldap/trunk/servers/slapd/overlays/collect.c
   openldap/trunk/servers/slapd/overlays/constraint.c
   openldap/trunk/servers/slapd/overlays/dds.c
   openldap/trunk/servers/slapd/overlays/dyngroup.c
   openldap/trunk/servers/slapd/overlays/dynlist.c
   openldap/trunk/servers/slapd/overlays/memberof.c
   openldap/trunk/servers/slapd/overlays/overlays.c
   openldap/trunk/servers/slapd/overlays/pcache.c
   openldap/trunk/servers/slapd/overlays/ppolicy.c
   openldap/trunk/servers/slapd/overlays/refint.c
   openldap/trunk/servers/slapd/overlays/retcode.c
   openldap/trunk/servers/slapd/overlays/rwm.c
   openldap/trunk/servers/slapd/overlays/rwm.h
   openldap/trunk/servers/slapd/overlays/rwmconf.c
   openldap/trunk/servers/slapd/overlays/rwmdn.c
   openldap/trunk/servers/slapd/overlays/rwmmap.c
   openldap/trunk/servers/slapd/overlays/seqmod.c
   openldap/trunk/servers/slapd/overlays/syncprov.c
   openldap/trunk/servers/slapd/overlays/translucent.c
   openldap/trunk/servers/slapd/overlays/unique.c
   openldap/trunk/servers/slapd/overlays/valsort.c
   openldap/trunk/servers/slapd/passwd.c
   openldap/trunk/servers/slapd/phonetic.c
   openldap/trunk/servers/slapd/proto-slap.h
   openldap/trunk/servers/slapd/referral.c
   openldap/trunk/servers/slapd/result.c
   openldap/trunk/servers/slapd/root_dse.c
   openldap/trunk/servers/slapd/sasl.c
   openldap/trunk/servers/slapd/saslauthz.c
   openldap/trunk/servers/slapd/schema.c
   openldap/trunk/servers/slapd/schema/README
   openldap/trunk/servers/slapd/schema/cosine.ldif
   openldap/trunk/servers/slapd/schema/duaconf.schema
   openldap/trunk/servers/slapd/schema/dyngroup.schema
   openldap/trunk/servers/slapd/schema/inetorgperson.ldif
   openldap/trunk/servers/slapd/schema/inetorgperson.schema
   openldap/trunk/servers/slapd/schema/misc.schema
   openldap/trunk/servers/slapd/schema/nadf.schema
   openldap/trunk/servers/slapd/schema/nis.ldif
   openldap/trunk/servers/slapd/schema/nis.schema
   openldap/trunk/servers/slapd/schema/openldap.ldif
   openldap/trunk/servers/slapd/schema/openldap.schema
   openldap/trunk/servers/slapd/schema_check.c
   openldap/trunk/servers/slapd/schema_init.c
   openldap/trunk/servers/slapd/schema_prep.c
   openldap/trunk/servers/slapd/schemaparse.c
   openldap/trunk/servers/slapd/search.c
   openldap/trunk/servers/slapd/sets.c
   openldap/trunk/servers/slapd/sets.h
   openldap/trunk/servers/slapd/shell-backends/Makefile.in
   openldap/trunk/servers/slapd/shell-backends/passwd-shell.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.c
   openldap/trunk/servers/slapd/shell-backends/shellutil.h
   openldap/trunk/servers/slapd/sl_malloc.c
   openldap/trunk/servers/slapd/slap.h
   openldap/trunk/servers/slapd/slapacl.c
   openldap/trunk/servers/slapd/slapadd.c
   openldap/trunk/servers/slapd/slapauth.c
   openldap/trunk/servers/slapd/slapcat.c
   openldap/trunk/servers/slapd/slapcommon.c
   openldap/trunk/servers/slapd/slapcommon.h
   openldap/trunk/servers/slapd/slapdn.c
   openldap/trunk/servers/slapd/slapi/Makefile.in
   openldap/trunk/servers/slapd/slapi/plugin.c
   openldap/trunk/servers/slapd/slapi/printmsg.c
   openldap/trunk/servers/slapd/slapi/proto-slapi.h
   openldap/trunk/servers/slapd/slapi/slapi.h
   openldap/trunk/servers/slapd/slapi/slapi_dn.c
   openldap/trunk/servers/slapd/slapi/slapi_ext.c
   openldap/trunk/servers/slapd/slapi/slapi_ops.c
   openldap/trunk/servers/slapd/slapi/slapi_overlay.c
   openldap/trunk/servers/slapd/slapi/slapi_pblock.c
   openldap/trunk/servers/slapd/slapi/slapi_utils.c
   openldap/trunk/servers/slapd/slapindex.c
   openldap/trunk/servers/slapd/slappasswd.c
   openldap/trunk/servers/slapd/slaptest.c
   openldap/trunk/servers/slapd/starttls.c
   openldap/trunk/servers/slapd/str2filter.c
   openldap/trunk/servers/slapd/syncrepl.c
   openldap/trunk/servers/slapd/syntax.c
   openldap/trunk/servers/slapd/txn.c
   openldap/trunk/servers/slapd/unbind.c
   openldap/trunk/servers/slapd/user.c
   openldap/trunk/servers/slapd/value.c
   openldap/trunk/servers/slapd/zn_malloc.c
   openldap/trunk/tests/Makefile.in
   openldap/trunk/tests/data/ditcontentrules.conf
   openldap/trunk/tests/data/dn.out
   openldap/trunk/tests/data/dynlist.out
   openldap/trunk/tests/data/memberof.out
   openldap/trunk/tests/data/meta.out
   openldap/trunk/tests/data/metaconcurrency.out
   openldap/trunk/tests/data/regressions/its4184/its4184
   openldap/trunk/tests/data/regressions/its4326/its4326
   openldap/trunk/tests/data/regressions/its4326/slapd.conf
   openldap/trunk/tests/data/regressions/its4336/its4336
   openldap/trunk/tests/data/regressions/its4336/slapd.conf
   openldap/trunk/tests/data/regressions/its4337/its4337
   openldap/trunk/tests/data/regressions/its4337/slapd.conf
   openldap/trunk/tests/data/regressions/its4448/its4448
   openldap/trunk/tests/data/regressions/its4448/slapd-meta.conf
   openldap/trunk/tests/data/retcode.conf
   openldap/trunk/tests/data/slapd-2db.conf
   openldap/trunk/tests/data/slapd-aci.conf
   openldap/trunk/tests/data/slapd-acl.conf
   openldap/trunk/tests/data/slapd-cache-master.conf
   openldap/trunk/tests/data/slapd-chain1.conf
   openldap/trunk/tests/data/slapd-chain2.conf
   openldap/trunk/tests/data/slapd-component.conf
   openldap/trunk/tests/data/slapd-config-undo.conf
   openldap/trunk/tests/data/slapd-dds.conf
   openldap/trunk/tests/data/slapd-deltasync-master.conf
   openldap/trunk/tests/data/slapd-deltasync-slave.conf
   openldap/trunk/tests/data/slapd-dn.conf
   openldap/trunk/tests/data/slapd-dnssrv.conf
   openldap/trunk/tests/data/slapd-dynlist.conf
   openldap/trunk/tests/data/slapd-emptydn.conf
   openldap/trunk/tests/data/slapd-glue-ldap.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl1.conf
   openldap/trunk/tests/data/slapd-glue-syncrepl2.conf
   openldap/trunk/tests/data/slapd-glue.conf
   openldap/trunk/tests/data/slapd-idassert.conf
   openldap/trunk/tests/data/slapd-ldapglue.conf
   openldap/trunk/tests/data/slapd-ldapgluegroups.conf
   openldap/trunk/tests/data/slapd-ldapgluepeople.conf
   openldap/trunk/tests/data/slapd-limits.conf
   openldap/trunk/tests/data/slapd-master.conf
   openldap/trunk/tests/data/slapd-meta-target1.conf
   openldap/trunk/tests/data/slapd-meta-target2.conf
   openldap/trunk/tests/data/slapd-meta.conf
   openldap/trunk/tests/data/slapd-nis-master.conf
   openldap/trunk/tests/data/slapd-passwd.conf
   openldap/trunk/tests/data/slapd-ppolicy.conf
   openldap/trunk/tests/data/slapd-proxycache.conf
   openldap/trunk/tests/data/slapd-pw.conf
   openldap/trunk/tests/data/slapd-ref-slave.conf
   openldap/trunk/tests/data/slapd-referrals.conf
   openldap/trunk/tests/data/slapd-refint.conf
   openldap/trunk/tests/data/slapd-relay.conf
   openldap/trunk/tests/data/slapd-repl-slave-remote.conf
   openldap/trunk/tests/data/slapd-retcode.conf
   openldap/trunk/tests/data/slapd-schema.conf
   openldap/trunk/tests/data/slapd-sql-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-sql.conf
   openldap/trunk/tests/data/slapd-syncrepl-master.conf
   openldap/trunk/tests/data/slapd-syncrepl-multiproxy.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist-ldap.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist2.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-persist3.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh1.conf
   openldap/trunk/tests/data/slapd-syncrepl-slave-refresh2.conf
   openldap/trunk/tests/data/slapd-translucent-local.conf
   openldap/trunk/tests/data/slapd-translucent-remote.conf
   openldap/trunk/tests/data/slapd-unique.conf
   openldap/trunk/tests/data/slapd-valsort.conf
   openldap/trunk/tests/data/slapd-whoami.conf
   openldap/trunk/tests/data/slapd.conf
   openldap/trunk/tests/data/slapd2.conf
   openldap/trunk/tests/data/test-dn.ldif
   openldap/trunk/tests/data/test-meta.ldif
   openldap/trunk/tests/data/test-ordered-nocp.ldif
   openldap/trunk/tests/data/test.schema
   openldap/trunk/tests/progs/Makefile.in
   openldap/trunk/tests/progs/slapd-addel.c
   openldap/trunk/tests/progs/slapd-bind.c
   openldap/trunk/tests/progs/slapd-common.c
   openldap/trunk/tests/progs/slapd-common.h
   openldap/trunk/tests/progs/slapd-modify.c
   openldap/trunk/tests/progs/slapd-modrdn.c
   openldap/trunk/tests/progs/slapd-read.c
   openldap/trunk/tests/progs/slapd-search.c
   openldap/trunk/tests/progs/slapd-tester.c
   openldap/trunk/tests/run.in
   openldap/trunk/tests/scripts/acfilter.sh
   openldap/trunk/tests/scripts/all
   openldap/trunk/tests/scripts/conf.sh
   openldap/trunk/tests/scripts/defines.sh
   openldap/trunk/tests/scripts/its-all
   openldap/trunk/tests/scripts/passwd-search
   openldap/trunk/tests/scripts/relay
   openldap/trunk/tests/scripts/sql-all
   openldap/trunk/tests/scripts/sql-test000-read
   openldap/trunk/tests/scripts/sql-test001-concurrency
   openldap/trunk/tests/scripts/sql-test900-write
   openldap/trunk/tests/scripts/sql-test901-syncrepl
   openldap/trunk/tests/scripts/start-server
   openldap/trunk/tests/scripts/start-server-nolog
   openldap/trunk/tests/scripts/start-server2
   openldap/trunk/tests/scripts/start-server2-nolog
   openldap/trunk/tests/scripts/startup_nis_ldap_server.sh
   openldap/trunk/tests/scripts/test000-rootdse
   openldap/trunk/tests/scripts/test001-slapadd
   openldap/trunk/tests/scripts/test002-populate
   openldap/trunk/tests/scripts/test003-search
   openldap/trunk/tests/scripts/test004-modify
   openldap/trunk/tests/scripts/test005-modrdn
   openldap/trunk/tests/scripts/test006-acls
   openldap/trunk/tests/scripts/test008-concurrency
   openldap/trunk/tests/scripts/test009-referral
   openldap/trunk/tests/scripts/test010-passwd
   openldap/trunk/tests/scripts/test011-glue-slapadd
   openldap/trunk/tests/scripts/test012-glue-populate
   openldap/trunk/tests/scripts/test013-language
   openldap/trunk/tests/scripts/test014-whoami
   openldap/trunk/tests/scripts/test015-xsearch
   openldap/trunk/tests/scripts/test016-subref
   openldap/trunk/tests/scripts/test017-syncreplication-refresh
   openldap/trunk/tests/scripts/test018-syncreplication-persist
   openldap/trunk/tests/scripts/test019-syncreplication-cascade
   openldap/trunk/tests/scripts/test020-proxycache
   openldap/trunk/tests/scripts/test021-certificate
   openldap/trunk/tests/scripts/test022-ppolicy
   openldap/trunk/tests/scripts/test023-refint
   openldap/trunk/tests/scripts/test024-unique
   openldap/trunk/tests/scripts/test025-limits
   openldap/trunk/tests/scripts/test026-dn
   openldap/trunk/tests/scripts/test027-emptydn
   openldap/trunk/tests/scripts/test028-idassert
   openldap/trunk/tests/scripts/test029-ldapglue
   openldap/trunk/tests/scripts/test030-relay
   openldap/trunk/tests/scripts/test031-component-filter
   openldap/trunk/tests/scripts/test032-chain
   openldap/trunk/tests/scripts/test033-glue-syncrepl
   openldap/trunk/tests/scripts/test034-translucent
   openldap/trunk/tests/scripts/test035-meta
   openldap/trunk/tests/scripts/test036-meta-concurrency
   openldap/trunk/tests/scripts/test037-manage
   openldap/trunk/tests/scripts/test038-retcode
   openldap/trunk/tests/scripts/test039-glue-ldap-concurrency
   openldap/trunk/tests/scripts/test040-subtree-rename
   openldap/trunk/tests/scripts/test041-aci
   openldap/trunk/tests/scripts/test042-valsort
   openldap/trunk/tests/scripts/test043-delta-syncrepl
   openldap/trunk/tests/scripts/test044-dynlist
   openldap/trunk/tests/scripts/test045-syncreplication-proxied
   openldap/trunk/tests/scripts/test046-dds
   openldap/trunk/tests/scripts/test047-ldap
   openldap/trunk/tests/scripts/test048-syncrepl-multiproxy
   openldap/trunk/tests/scripts/test049-sync-config
   openldap/trunk/tests/scripts/test050-syncrepl-multimaster
   openldap/trunk/tests/scripts/test051-config-undo
   openldap/trunk/tests/scripts/test052-memberof
Log:
* New upstream version
  - Fixes a bug with the pcache overlay not returning cached entries
    (closes: #497697)

Modified: openldap/trunk/ANNOUNCEMENT
===================================================================
--- openldap/trunk/ANNOUNCEMENT	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/ANNOUNCEMENT	2009-02-17 17:44:09 UTC (rev 1198)
@@ -106,6 +106,6 @@
 ---
 OpenLDAP is a registered trademark of the OpenLDAP Foundation.
 
-Copyright 1999-2008 The OpenLDAP Foundation, Redwood City,
+Copyright 1999-2009 The OpenLDAP Foundation, Redwood City,
 California, USA.  All Rights Reserved.  Permission to copy and
 distribute verbatim copies of this document is granted.

Modified: openldap/trunk/CHANGES
===================================================================
--- openldap/trunk/CHANGES	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/CHANGES	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,258 @@
 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.14 Release (2009/02/14)
+	Added libldap option to disable SASL host canonicalization (ITS#5812)
+	Added libldap TLS_PROTOCOL_MIN (ITS#5655)
+	Added libldap GnuTLS support for TLS_CIPHER_SUITE (ITS#5887)
+	Added libldap GnuTLS setting random file (ITS#5462)
+	Added libldap alias dereferencing in C API (ITS#5916)
+	Fixed libldap chasing multiple referrals (ITS#5853)
+	Fixed libldap deref handling (ITS#5768)
+	Fixed libldap NULL pointer deref (ITS#5934)
+	Fixed libldap peer cert memory leak (ITS#5849)
+	Fixed libldap interaction with GnuTLS CN IP-based matches (ITS#5789)
+	Fixed libldap intermediate response behavior (ITS#5896)
+	Fixed libldap IPv6 address handling (ITS#5937)
+	Fixed libldap_r deref building (ITS#5768)
+	Fixed libldap_r slapd lockup when paused during shutdown (ITS#5841)
+	Added slapd syncrepl default retry setting (ITS#5825)
+	Added slapd val.regex expansion (ITS#5804)
+	Added slapd TLS_PROTOCOL_MIN (ITS#5655)
+	Added slapd slapi_pw_find (ITS#2615,ITS#4359)
+	Added slapd compatibility with MSAD ranged values (ITS#5927)
+	Fixed slapd bconfig to return error codes (ITS#5867)
+	Fixed slapd bconfig encoding incorrectly (ITS#5897)
+	Fixed slapd bconfig dangling pointers (ITS#5924)
+	Fixed slapd behavior with superior objectClasses (ITS#5517)
+	Fixed slapd connection assert (ITS#5835)
+	Fixed slapd epoll handling (ITS#5886)
+	Fixed slapd frontend/backend options handling (ITS#5857)
+	Fixed slapd glue with MMR (ITS#5925)
+	Fixed slapd logging on Windows (ITS#5392)
+	Fixed slapd listener comparison (ITS#5613)
+	Fixed slapd manageDSAit with glue entries (ITS#5921)
+	Fixed slapd syncrepl rename handling (ITS#5809)
+	Fixed slapd syncrepl MMR when adding new server (ITS#5850)
+	Fixed slapd syncrepl MMR with deleted entries (ITS#5843)
+	Fixed slapd syncrepl replication with glued DB (ITS#5866)
+	Fixed slapd syncrepl replication with moddn (ITS#5901)
+	Fixed slapd syncrepl replication with referrals (ITS#5881)
+	Fixed slapd syncrepl replication with config tree (ITS#5935)
+	Fixed slapd wake_sds close on Windows (ITS#5855)
+	Fixed slapd-bdb/hdb dncachesize handling (ITS#5860)
+	Fixed slapd-bdb/hdb RFC4528 control support (ITS#5861)
+	Fixed slapd-bdb/hdb trickle task usage (ITS#5864)
+	Fixed slapd-hdb idlcache with empty suffix (ITS#5859)
+	Fixed slapd-ldap idassert-bind validity checking (ITS#5863)
+	Fixed slapd-ldap/meta RFC4525 increment support (ITS#5912)
+	Fixed slapd-ldap/meta search dereferencing (ITS#5916)
+	Fixed slapd-ldap/meta with intermediate response (ITS#5931)
+	Fixed slapd-ldif numerous bugs (ITS#5408)
+	Fixed slapd-ldif rename on same DN (ITS#5319)
+	Fixed slapd-ldif deadlock (ITS#5329)
+	Fixed slapd-meta double response sending (ITS#5854)
+	Fixed slapd-meta alias deref for retry (ITS#5889)
+	Fixed slapd-relay recursion detection (ITS#5943)
+	Fixed slapd-sock descriptor leak (ITS#5939)
+	Fixed slapo-accesslog on glued dbs (ITS#5907)
+	Fixed slapo-dynlist handling of flags (ITS#5898)
+	Fixed slapo-memberof multiple instantiation (ITS#5903)
+	Fixed slapo-pcache filter sorting (ITS#5756)
+	Fixed slapo-ppolicy to not be global (ITS#5858)
+	Fixed slapo-rwm double free (ITS#5923)
+	Fixed slapo-rwm with back-config (ITS#5906)
+	Fixed slapo-rwm olcRwmRewrite modification (ITS#5940)
+	Added slapo-rwm newRDN rewriting (ITS#5834)
+	Added slapadd progress meter (ITS#5922)
+	Updated contrib/addpartial module (ITS#5764)
+	Added contrib/cloak module (ITS#5872)
+	Added contrib/smbk5pwd gcrypt support (ITS#5410)
+	Added contrib/passwd sha2 support (ITS#5660)
+	Build Environment
+		Fixed test006 appending to log file (ITS#5910)
+		Fixed test036,test039 behavior on error (ITS#5893)
+		Fixed test048 sed pathname substitution (ITS#5910)
+		Fixed test049,test050 to work on windows (ITS#5842)
+		Updated test017,test018,test019 to cover more cases (ITS#5883)
+		Removed patch for BerkeleyDB 4.7.25 (Official patch available)
+		Fixed MSVC 9.0 build issues (ITS#5888)
+		Fixed gss detection on Solaris (ITS#5846)
+		Fixed uuid_create/uuid_unparse_lower detection (ITS#5905)
+		Fixed liblutil tavl_delete to macroize constants (ITS#5909)
+	Documentation
+		admin24 added limits chapter (ITS#5818)
+		admin24 access-control clarify global ACLS (ITS#5851,ITS#5852)
+		admin24 search on nested naming contexts (ITS#5788)
+		admin24 consistent loglevel documentation (ITS#5904)
+		slapd-bdb/hdb expansion on dncachesize behavior (ITS#5721)
+		slapo-constraint(5) example fix (ITS#5895)
+		slap*(8) man pages should mention slapd-config (ITS#5828)
+		slapacl(8c) fix wording (ITS#5918)
+		slapd(8) document sid (ITS#5873)
+		slapd.access(5) clarify global ACLS (ITS#5851,ITS#5852)
+		slapadd/cat/index(8) note -n 0 for slapd-config (ITS#5891)
+		Added SEE ALSO slapd-config(5) to relevant man pages (ITS#5914)
+
+OpenLDAP 2.4.13 Release (2008/11/24)
+	Added libldap dereference control support (ITS#5768)
+	Fixed libldap parameter checking (ITS#5817)
+	Fixed liblutil hex conversion (ITS#5699)
+	Fixed liblutil returning undefined data (ITS#5748)
+	Fixed libldap error code return (ITS#5762)
+	Fixed libldap interaction with GnuTLS CN IP-based matches (ITS#5789)
+	Fixed libldap MAXHOSTNAMELEN typo (ITS#5815)
+	Fixed libldap Ipv6 detection (ITS#5739)
+	Fixed libldap setuid usage with .ldaprc (ITS#4750)
+	Fixed slapacl crasher (ITS#5820)
+	Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
+	Fixed slapd acl application to newly created backends (ITS#5572)
+	Fixed slapd #if/#elif issues in thread includes (ITS#5824)
+	Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
+	Fixed slapd concurrent access to connections (ITS#5814)
+	Fixed slapd config backend olcLogFile support (ITS#5765)
+	Fixed slapd contextCSN pending list (ITS#5709)
+	Fixed slapd control criticality (ITS#5785)
+	Added slapd dn.this search limits (ITS#5734)
+	Fixed slapd error status on shutdown (ITS#5745)
+	Fixed slapd filter substring handling (ITS#5803)
+	Fixed slapd nameUIDPretty bitstring parsing (ITS#5750)
+	Fixed slapd null termination of password (ITS#5794)
+	Fixed slapd overlay/database open with real structure (ITS#5724)
+	Fixed slapd parsing of read entry control (ITS#5741)
+	Added slapd PMI schema (ITS#5695)
+	Added slapd private databases in global overlays (ITS#5735,ITS#5736)
+	Fixed slapd rdn generation when it isn't specified (ITS#5819)
+	Fixed slapd slapd.conf validation to LDIF (ITS#5755)
+	Fixed slapd startup scan for CSN (ITS#5640)
+	Fixed slapd statslog printing of released entry (ITS#5775)
+	Added slapd support for certificateListExactMatch (ITS#5700)
+	Fixed slapd syncrepl event loss (ITS#5710)
+	Fixed slapd syncrepl MOD of attrs with no EQ rule (ITS#5781)
+	Fixed slapd syncrepl rename handling (ITS#5809)
+	Fixed slapd syncrepl schema checking (ITS#5798)
+	Fixed slapd syncrepl filter leak (ITS#5826)
+	Fixed slapd undef promote (ITS#5783,ITS#5795)
+	Added slapd What failed? control (ITS#5784)
+	Fixed slapd-bdb/hdb invalid db crash (ITS#5698)
+	Added slapd-bdb/hdb dbpagesize keyword
+	Added slapd-bdb/hdb checksum keyword
+	Fixed slapd-bdb/hdb indexing of entryDN (ITS#5790)
+	Fixed slapd-bdb/hdb lookup of entryDN with equality (ITS#5791)
+	Fixed slapd-bdb/hdb uninitialized bli_flag
+	Fixed slapd-ldap snprintf buffer overflow test (ITS#4467)
+	Fixed slapd-ldap search stop on minor failure (ITS#5816)
+	Fixed slapd-ldif file rename on windows (ITS#5774)
+	Fixed slapd-null read controls support (ITS#5757)
+	Fixed slapd-sql value length with right index (ITS#5779)
+	Fixed slapo-chain/translucent back-config support (ITS#5736)
+	Fixed slapo-chain segv with search references (ITS#5742)
+	Fixed slapo-collect compile with C89 (ITS#5747)
+	Added slapo-constraint support for LDAP URI constraints (ITS#5704)
+	Added slapo-constraint support for constraining rename (ITS#5703)
+	Added slapo-constraint support for relax control (ITS#5705)
+	Added slapo-constraint "set" type (ITS#5702)
+	Fixed slapo-constraint filter parsing error (ITS#5751)
+	Added slapo-dynlist URI restriction ability (ITS#5761)
+	Fixed slapo-ppolicy unaligned BerElement (ITS#5770)
+	Fixed slapo-rwm objectClass preservation (ITS#5760)
+	Fixed slapo-rwm rewriting undefined filter (ITS#5731)
+	Fixed slapo-rwm rewritten DN-valued attrs (ITS#5772)
+	Fixed slapo-rwm reusing freed filter (ITS#5732)
+	Fixed slapo-rwm entry get (ITS#5773)
+	Fixed slapo-syncprov runqueue removal (ITS#5776)
+	Fixed slapo-syncprov unreplicatable ops (ITS#5709)
+	Fixed slapo-syncprov psearch leak (ITS#5827)
+	Added slapo-translucent try local bind when remote fails (ITS#5656)
+	Added slapo-translucent support for PasswordModify exop (ITS#5656)
+	Fixed tools simple bind without SASL (ITS#5753)
+	Fixed tools unaligned BerElement (ITS#5770)
+	Fixed contrib nssov crash on empty groups (ITS#5800)
+	Fixed contrib nssov crash with nssov-map (ITS#5801)
+	Fixed contrib nssov filter and search limits (ITS#5802)
+	Added contrib smbk5pwd honor principal expiration (ITS#5766)
+	Build Environment
+		Added ldapurl command
+		Added slapd GSSAPI refactoring (ITS#5369)
+		Added slapo-deref overlay (ITS#5768)
+	Documentation
+		admin24 added olcLimits to example (ITS#5746)
+		admin24 consolidated on whitespace (ITS#5759)
+		slapd.conf,config(5) subordinate/olcSubordinate keyword (ITS#5788)
+		slapd.conf(5) fixed disable keyword for limits (ITS#5821)
+		slapo-dds(5) manageDIT to relax (ITS#5780)
+		slapo-dds(5) rootdn requirement added (ITS#5811)
+		slapo-syncprov(5) sessionlog clarification (ITS#5806)
+
+OpenLDAP 2.4.12 Release (2008/10/12)
+	Fixed libldap ldap_utf8_strchar arguments (ITS#5720)
+	Fixed libldap TLS_CRLFILE (ITS#5677)
+	Fixed liblutil executables on Windows (ITS#5604)
+	Fixed liblutil microsecond overflows on Windows (ITS#5668)
+	Fixed librewrite memory handling (ITS#5691)
+	Fixed slapd aci performance (ITS#5636)
+	Fixed slapd aci's with sets (ITS#5627)
+	Fixed slapd attribute leak (ITS#5683)
+	Fixed slapd config backend with index greater than sibs (ITS#5684)
+	Fixed slapd custom attribute inheritance (ITS#5642)
+	Fixed slapd dynacl mask handling (ITS#5637)
+	Fixed slapd firstComponentMatch normalization (ITS#5634)
+	Added slapd caseIgnoreListMatch (ITS#5608)
+	Fixed slapd connection events enabled twice (ITS#5725)
+	Fixed slapd memory handling (ITS#5691)
+	Fixed slapd objectClass canonicalization (ITS#5681)
+	Fixed slapd objectClass termination (ITS#5682)
+	Fixed slapd overlay control registration (ITS#5649)
+	Fixed slapd runqueue checking (ITS#5726)
+	Fixed slapd spurious text output (ITS#5688)
+	Fixed slapd socket closing on Windows (ITS#5606)
+	Fixed slapd sortvals comparison (ITS#5578)
+	Added slapd substitute syntax support (ITS#5663)
+	Fixed slapd syncrepl contextCSN detection (ITS#5675)
+	Fixed slapd syncrepl error logging (ITS#5618)
+	Fixed slapd syncrepl runqueue interval (ITS#5719)
+	Fixed slapd-bdb entry return if attr not present (ITS#5650)
+	Fixed slapd-bdb olcDbMode syntax (ITS#5713)
+	Fixed slapd-bdb/hdb release search entries earlier (ITS#5728,ITS#5730)
+	Fixed slapd-bdb/hdb subtree search with empty suffix (ITS#5729)
+	Fixed slapd-dnssrv memory handling (ITS#5691)
+	Fixed slapd-ldap,slapd-meta invalid filter behavior (ITS#5614)
+	Fixed slapd-meta memory handling (ITS#5691)
+	Fixed slapd-meta objectClass filtering (ITS#5647)
+	Fixed slapd-meta quarantine behavior (ITS#5592)
+	Added slapd-ndb experimental backend
+	Fixed slapd-relay initialization (ITS#5643)
+	Fixed slapd-sql freeing of connection (ITS#5607)
+	Fixed slapd-sql fault on NULL fields (ITS#5653)
+	Fixed slapo-accesslog entryCSN generation on purge (ITS#5694)
+	Fixed slapo-constraint string termination (ITS#5609)
+	Fixed slapo-dynlist expansion with mapped attributes (ITS#5717)
+	Fixed slapo-memberof internal operations DN (ITS#5622)
+	Fixed slapo-pcache attrset crash (ITS#5665)
+	Fixed slapo-pcache caching with invalid schema (ITS#5680)
+	Fixed slapo-ppolicy control return on password modify exop (ITS#5711)
+	Fixed slapo-rwm callback cleanup (ITS#5601,ITS#5687)
+	Fixed slapo-rwm attr mapping and merging (ITS#5624)
+	Fixed slapo-rwm objectClass filtering (ITS#5647)
+	Fixed slapo-translucent back-config support (ITS#5689)
+	Fixed slapo-translucent filter usage on merged entries (ITS#5679)
+	Fixed slapo-unique filter validation (ITS#5581)
+	Fixed slapo-unique suffix testing (ITS#5641)
+	Build Environment
+		Fixed ODBC library detection (ITS#5602)
+		Removed pre-BerkeleyDB 4.4 support
+		Added BerkeleyDB 4.7 support (ITS#5523)
+		Included patch for BerkeleyDB 4.7.25 (build/db.4.7.25.patch)
+		Added slapo-collect overlay with enhancements(ITS#5659)
+	Documentation
+		Added slapd-ldap(5), slapd-meta(5) noundeffilter (ITS#5614)
+		Fixed slapd-ldap(5), slapd-meta(5), slapo-pcache(5) schema requirements (ITS#5680)
+		Added slapo-collect(5) man page (ITS#5706)
+		Added slapo-pcache(5) proxycheckcacheability option (ITS#5680)
+		Added slapo-retcode(5) retcode.conf location (ITS#5633)
+		admin24 dontusecopy control update (ITS#5718)
+		admin24 guide updates (ITS#5616)
+		admin24 octetString fix (ITS#5670)
+
 OpenLDAP 2.4.11 Release (2008/07/16)
 	Fixed liblber ber_get_next length decoding (ITS#5580)
 	Added libldap assertion control (ITS#5560)
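
Review bot: The commit log names only the pcache fix (#497697), but this hunk imports the full 2.4.12, 2.4.13 and 2.4.14 change sets, and several of the added entries are memory-safety or privilege relevant, for example "Fixed slapo-rwm double free (ITS#5923)", "Fixed libldap setuid usage with .ldaprc (ITS#4750)" and "Fixed slapd null termination of password (ITS#5794)". Please list those in the Debian changelog entry so they can be tracked against the packaged version. Two further entries change access-control or policy behaviour for existing configurations, "Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)" (with the new add_content_acl keyword) and "Fixed slapo-ppolicy to not be global (ITS#5858)", and deserve an upgrade note. Separately, ITS#5789 and ITS#5809 each appear under both the 2.4.14 and the 2.4.13 headings; worth confirming with upstream that the duplication is intended.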

Modified: openldap/trunk/COPYRIGHT
===================================================================
--- openldap/trunk/COPYRIGHT	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/COPYRIGHT	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 1998-2008 The OpenLDAP Foundation
+Copyright 1998-2009 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2008 Howard Y.H. Chu.
 Portions Copyright 1999-2008 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2008 Gavin Henry.
-Portions Copyright 2008 Suretec Systems.
+Portions Copyright 2008-2009 Gavin Henry.
+Portions Copyright 2008-2009 Suretec Systems Ltd.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
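
Review bot: The holder name changes here from "Suretec Systems" to "Suretec Systems Ltd." along with the year range, so debian/copyright needs the same update if it reproduces these lines. The Howard Y.H. Chu and Symas Corporation lines in the context stay at 1999-2008 while the Foundation line moves to 2009; that is fine if it matches the upstream tarball, but please confirm it is not a partial update.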

Modified: openldap/trunk/INSTALL
===================================================================
--- openldap/trunk/INSTALL	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/INSTALL	2009-02-17 17:44:09 UTC (rev 1198)
@@ -107,7 +107,7 @@
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2008 The OpenLDAP Foundation.
+Copyright 1998-2009 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/Makefile.in
===================================================================
--- openldap/trunk/Makefile.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/Makefile.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 # Master Makefile for OpenLDAP
-# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/Makefile.in,v 1.30.2.4 2009/01/22 00:00:34 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/README
===================================================================
--- openldap/trunk/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -19,9 +19,10 @@
         POSIX REGEX software (required)
 
     SLAPD:
-        BDB and HDB backends require Oracle Berkeley DB 4.2, 4.4,
-        4.5, or 4.6.  It is highly recommended to apply the patches
-        from Oracle for a given release.
+        BDB and HDB backends require Oracle Berkeley DB 4.4, 4.5,
+        4.6, or 4.7.  It is highly recommended to apply the patches
+        from Oracle for a given release.  In addition, for BDB 4.7,
+        it is advised to also use the supplied build/db.4.7.25.patch.
 
     CLIENTS/CONTRIB ware:
         Depends on package.  See per package README.
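
Review bot: The added sentence advising "the supplied build/db.4.7.25.patch" conflicts with the 2.4.14 CHANGES entry in this same commit, "Removed patch for BerkeleyDB 4.7.25 (Official patch available)", so the README now points at a file this release says it no longer ships. Suggest raising that upstream or correcting the text in the package so users are directed to the official Oracle patch. The minimum supported Berkeley DB also moves from 4.2 to 4.4 here, so the package's libdb build dependency should be checked against that floor.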
@@ -74,11 +75,11 @@
     <http://www.openldap.org/its/> to be considered.
 
 ---
-$OpenLDAP: pkg/ldap/README,v 1.40.2.7 2008/02/11 23:26:37 kurt Exp $
+$OpenLDAP: pkg/ldap/README,v 1.40.2.10 2009/01/22 00:00:34 kurt Exp $
 
 This work is part of OpenLDAP Software <http://www.openldap.org/>.
 
-Copyright 1998-2008 The OpenLDAP Foundation.
+Copyright 1998-2009 The OpenLDAP Foundation.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Deleted: openldap/trunk/build/crupdate
===================================================================
--- openldap/trunk/build/crupdate	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/crupdate	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,22 +0,0 @@
-#! /bin/sh
-# $OpenLDAP: pkg/ldap/build/crupdate,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2008 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-#
-# Update copyright statements
-#
-
-set -e 		# exit immediately if any errors occur
-
-find . -type f -not -name 'LICENSE*' -print -exec perl -pi -e 's/Copyright ([0-9]{4})([,\-][0-9]{2,4})*,? The OpenLDAP Foundation/Copyright $1-2008 The OpenLDAP Foundation/g;' {} \;
-

Deleted: openldap/trunk/build/db.4.2.52.patch
===================================================================
--- openldap/trunk/build/db.4.2.52.patch	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/db.4.2.52.patch	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,55 +0,0 @@
-As posted to http://www.openldap.org/lists/openldap-devel/200610/msg00027.html
-
-This is Sleepycat bug #14908. The provided patch is for 4.2.52. The
-same bug is present in all versions up to 4.5.20 where it is fixed.
-
--------- Original Message --------
-Subject: region size bug Re: [BDB-Alpha] Berkeley DB 4.5.8 ALPHA
-Date: Mon, 10 Jul 2006 13:37:33 -0700
-From: Howard Chu <hyc at symas.com>
-To: support at sleepycat.com
-CC: support at symas.com
-References: <45A742B5-7DD5-4512-A204-A10FE8FC5DFC at oracle.com>
-
-
-I just ran into this in 4.2.52 but the same calculation occurs in 4.4
-and 4.5.8 alpha:
-
-This computation gives the wrong results when the number of cache
-regions is greater than the number of gigabytes (which we encounter on
-Linux using shared memory regions, which are constrained to much smaller
-than a gigabyte each).
-
-
-in mp/mp_region.c:
-
-
-   roff_t reg_size;
-
-
-   /* Figure out how big each cache region is. */
-   reg_size = (roff_t)(dbenv->mp_gbytes / dbenv->mp_ncache) * GIGABYTE;
-   reg_size += ((roff_t)(dbenv->mp_gbytes %
-       dbenv->mp_ncache) * GIGABYTE) / dbenv->mp_ncache;
-   reg_size += dbenv->mp_bytes / dbenv->mp_ncache;
-   *reg_sizep = reg_size;
-
-
-The first reg_size calculation always goes to zero when mp_ncache >
-mp_gbytes.
-This should have been, instead:
-   reg_size = GIGABYTE / dbenv->mp_ncache * dbenv->mp_gbytes;
-
---- mp/mp_region.c.O	2003-06-30 10:20:19.000000000 -0700
-+++ mp/mp_region.c	2006-10-27 23:25:05.000000000 -0700
-@@ -43,9 +43,7 @@
- 	int htab_buckets, ret;
- 
- 	/* Figure out how big each cache region is. */
--	reg_size = (dbenv->mp_gbytes / dbenv->mp_ncache) * GIGABYTE;
--	reg_size += ((dbenv->mp_gbytes %
--	    dbenv->mp_ncache) * GIGABYTE) / dbenv->mp_ncache;
-+	reg_size = GIGABYTE / dbenv->mp_ncache * dbenv->mp_gbytes;
- 	reg_size += dbenv->mp_bytes / dbenv->mp_ncache;
- 
- 	/*
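
Review bot: Deleting this file removes the only copy of the region-size fix, yet its own header says the bug is present in all versions up to 4.5.20, and the README in this revision still lists 4.4 as supported. The removed patch is stated to be for 4.2.52 only, so it may not apply to 4.4 as is, but the miscalculation it describes (the first reg_size term going to zero when mp_ncache > mp_gbytes) would still affect a 4.4 build. Either keep a pointer to the upstream fix for 4.4 users in the README, or note there that 4.4 needs the vendor patch for Sleepycat bug #14908.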

Modified: openldap/trunk/build/dir.mk
===================================================================
--- openldap/trunk/build/dir.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/dir.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/dir.mk,v 1.17.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/info.mk
===================================================================
--- openldap/trunk/build/info.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/info.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/info.mk,v 1.12.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-shared.mk
===================================================================
--- openldap/trunk/build/lib-shared.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/lib-shared.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/lib-shared.mk,v 1.22.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib-static.mk
===================================================================
--- openldap/trunk/build/lib-static.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/lib-static.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/lib-static.mk,v 1.13.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/lib.mk
===================================================================
--- openldap/trunk/build/lib.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/lib.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/lib.mk,v 1.23.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/man.mk
===================================================================
--- openldap/trunk/build/man.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/man.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.4 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/man.mk,v 1.32.2.5 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/missing
===================================================================
--- openldap/trunk/build/missing	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/missing	2009-02-17 17:44:09 UTC (rev 1198)
@@ -29,7 +29,7 @@
 # configuration script generated by Autoconf, and is distributable
 # under the same distributions terms as OpenLDAP itself.
 
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep
===================================================================
--- openldap/trunk/build/mkdep	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mkdep	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 #! /bin/sh -
-# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/mkdep,v 1.32.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkdep.aix
===================================================================
--- openldap/trunk/build/mkdep.aix	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mkdep.aix	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
 #! /bin/sh
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkrelease
===================================================================
--- openldap/trunk/build/mkrelease	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mkrelease	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.4 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/mkrelease,v 1.23.2.5 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkvers.bat
===================================================================
--- openldap/trunk/build/mkvers.bat	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mkvers.bat	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.3 2008/02/11 23:26:37 kurt Exp $
+:: $OpenLDAP: pkg/ldap/build/mkvers.bat,v 1.7.2.4 2009/01/22 00:00:41 kurt Exp $
 :: This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ::
-:: Copyright 1998-2008 The OpenLDAP Foundation.
+:: Copyright 1998-2009 The OpenLDAP Foundation.
 :: All rights reserved.
 ::
 :: Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/mkversion
===================================================================
--- openldap/trunk/build/mkversion	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mkversion	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Create a version.c file
-# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/mkversion,v 1.14.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@
 cat << __EOF__
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68,7 +68,7 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2009 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY\n";
 
 $static $const char $SYMBOL[] =

Modified: openldap/trunk/build/mod.mk
===================================================================
--- openldap/trunk/build/mod.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/mod.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.3 2008/02/11 23:26:37 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/mod.mk,v 1.25.2.4 2009/01/22 00:00:41 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/openldap.m4
===================================================================
--- openldap/trunk/build/openldap.m4	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/openldap.m4	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 dnl OpenLDAP Autoconf Macros
-dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.5 2008/02/11 23:26:37 kurt Exp $
+dnl $OpenLDAP: pkg/ldap/build/openldap.m4,v 1.157.2.9 2009/01/22 00:00:41 kurt Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2008 The OpenLDAP Foundation.
+dnl Copyright 1998-2009 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without
@@ -120,6 +120,17 @@
 ])
 dnl
 dnl --------------------------------------------------------------------
+dnl Check for MSVC
+AC_DEFUN([OL_MSVC],
+[AC_REQUIRE_CPP()dnl
+AC_CACHE_CHECK([whether we are using MS Visual C++], ol_cv_msvc,
+[AC_PREPROC_IFELSE([AC_LANG_SOURCE([[
+#ifndef _MSC_VER
+#include <__FOO__/generate_error.h>
+#endif
+]])],[ol_cv_msvc=yes],[ol_cv_msvc=no])])])
+
+dnl --------------------------------------------------------------------
 dnl OpenLDAP version of STDC header check w/ EBCDIC support
 AC_DEFUN([OL_HEADER_STDC],
 [AC_REQUIRE_CPP()dnl
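
Review bot: OL_MSVC signals "not MSVC" by including <__FOO__/generate_error.h> and relying on that header not existing, which is an indirect way to fail the preprocessor run. A plain #error inside the #ifndef _MSC_VER branch gives the same result for AC_PREPROC_IFELSE, does not depend on the include search path, and reads as intentional. The macro also has no comment saying that ol_cv_msvc=yes is set when preprocessing succeeds, which is easy to misread given the inverted #ifndef.
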
@@ -288,24 +299,6 @@
 #define NULL ((void*)0)
 #endif
 ]], [[
-#if DB_VERSION_MAJOR > 1
-	{
-		char *version;
-		int major, minor, patch;
-
-		version = db_version( &major, &minor, &patch );
-
-		if( major != DB_VERSION_MAJOR ||
-			minor < DB_VERSION_MINOR )
-		{
-			printf("Berkeley DB version mismatch\n"
-				"\theader: %s\n\tlibrary: %s\n",
-				DB_VERSION_STRING, version);
-			return 1;
-		}
-	}
-#endif
-
 #if DB_VERSION_MAJOR > 2
 	db_env_create( NULL, 0 );
 #elif DB_VERSION_MAJOR > 1
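
Review bot: With the db_version() comparison removed, this test body no longer checks that the library being linked matches the db.h that was compiled against; it only references db_env_create. If this body was only ever linked and never run, the removed block was dead code and the removal is harmless, but the commit does not say so. Since OL_BERKELEY_DB_LINK still falls back to the unversioned names -ldb-4, -ldb4 and -ldb, a library of a different minor than the header can satisfy the link, so please confirm that OL_BERKELEY_DB_VERSION (the "library and header version match" check) runs on every path that reaches a successful link and fails configure on mismatch.
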
@@ -325,209 +318,53 @@
 ])
 dnl
 dnl --------------------------------------------------------------------
-dnl Try to locate appropriate library
-AC_DEFUN([OL_BERKELEY_DB_LINK],
-[ol_cv_lib_db=no
-
-dnl Determine major version
-AC_CACHE_CHECK([for Berkeley DB major version], [ol_cv_bdb_major],[
-	ol_cv_bdb_major=0
-	if test $ol_cv_bdb_major = 0 ; then
-		AC_EGREP_CPP(__db_version, [
+dnl Get major and minor version from <db.h>
+AC_DEFUN([OL_BDB_HEADER_VERSION],
+[AC_CACHE_CHECK([for Berkeley DB major version in db.h], [ol_cv_bdb_major],[
+	AC_LANG_CONFTEST([
 #include <db.h>
 #ifndef DB_VERSION_MAJOR
 #	define DB_VERSION_MAJOR 1
 #endif
-#if DB_VERSION_MAJOR == 4
-__db_version
-#endif
-		], [ol_cv_bdb_major=4], [:])
-	fi
-	if test $ol_cv_bdb_major = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MAJOR
-#	define DB_VERSION_MAJOR 1
-#endif
-#if DB_VERSION_MAJOR == 3
-__db_version
-#endif
-		], [ol_cv_bdb_major=3], [:])
-	fi
-	if test $ol_cv_bdb_major = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MAJOR
-#	define DB_VERSION_MAJOR 1
-#endif
-#if DB_VERSION_MAJOR == 2
-__db_version
-#endif
-		], [ol_cv_bdb_major=2], [:])
-	fi
-	if test $ol_cv_bdb_major = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MAJOR
-#	define DB_VERSION_MAJOR 1
-#endif
-#if DB_VERSION_MAJOR == 1
-__db_version
-#endif
-		], [ol_cv_bdb_major=1], [:])
-	fi
-
-	if test $ol_cv_bdb_major = 0 ; then
-		AC_MSG_ERROR([Unknown Berkeley DB major version])
-	fi
+__db_version DB_VERSION_MAJOR
 ])
+	set X `eval "$ac_cpp conftest.$ac_ext" | $EGREP __db_version` none none
+	ol_cv_bdb_major=${3}
+])
+case $ol_cv_bdb_major in [[1-9]]*) : ;; *)
+	AC_MSG_ERROR([Unknown Berkeley DB major version in db.h]) ;;
+esac
 
 dnl Determine minor version
-AC_CACHE_CHECK([for Berkeley DB minor version], [ol_cv_bdb_minor],[
-	ol_cv_bdb_minor=0
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
+AC_CACHE_CHECK([for Berkeley DB minor version in db.h], [ol_cv_bdb_minor],[
+	AC_LANG_CONFTEST([
 #include <db.h>
 #ifndef DB_VERSION_MINOR
 #	define DB_VERSION_MINOR 0
 #endif
-#if DB_VERSION_MINOR == 9
-__db_version
-#endif
-		], [ol_cv_bdb_minor=9], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 8
-__db_version
-#endif
-		], [ol_cv_bdb_minor=8], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 7
-__db_version
-#endif
-		], [ol_cv_bdb_minor=7], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 6
-__db_version
-#endif
-		], [ol_cv_bdb_minor=6], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 5
-__db_version
-#endif
-		], [ol_cv_bdb_minor=5], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 4
-__db_version
-#endif
-		], [ol_cv_bdb_minor=4], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 3
-__db_version
-#endif
-		], [ol_cv_bdb_minor=3], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 2
-__db_version
-#endif
-		], [ol_cv_bdb_minor=2], [:])
-	fi
-	if test $ol_cv_bdb_minor = 0 ; then
-		AC_EGREP_CPP(__db_version, [
-#include <db.h>
-#ifndef DB_VERSION_MINOR
-#	define DB_VERSION_MINOR 0
-#endif
-#if DB_VERSION_MINOR == 1
-__db_version
-#endif
-		], [ol_cv_bdb_minor=1], [:])
-	fi
+__db_version DB_VERSION_MINOR
 ])
+	set X `eval "$ac_cpp conftest.$ac_ext" | $EGREP __db_version` none none
+	ol_cv_bdb_minor=${3}
+])
+case $ol_cv_bdb_minor in [[0-9]]*) : ;; *)
+	AC_MSG_ERROR([Unknown Berkeley DB minor version in db.h]) ;;
+esac
+])
+dnl
+dnl --------------------------------------------------------------------
+dnl Try to locate appropriate library
+AC_DEFUN([OL_BERKELEY_DB_LINK],
+[ol_cv_lib_db=no
 
 if test $ol_cv_bdb_major = 4 ; then
-	if test $ol_cv_bdb_minor = 6 ; then
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_6,[-ldb-4.6])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db46,[-ldb46])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_46,[-ldb-46])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_6,[-ldb-4-6])
-	elif test $ol_cv_bdb_minor = 5 ; then
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_5,[-ldb-4.5])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db45,[-ldb45])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_45,[-ldb-45])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_5,[-ldb-4-5])
-	elif test $ol_cv_bdb_minor = 4 ; then
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_4,[-ldb-4.4])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db44,[-ldb44])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_44,[-ldb-44])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_4,[-ldb-4-4])
-	elif test $ol_cv_bdb_minor = 3 ; then
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_3,[-ldb-4.3])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db43,[-ldb43])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_43,[-ldb-43])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_3,[-ldb-4-3])
-	elif test $ol_cv_bdb_minor = 2 ; then
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_2,[-ldb-4.2])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db42,[-ldb42])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_42,[-ldb-42])
-		OL_BERKELEY_DB_TRY(ol_cv_db_db_4_2,[-ldb-4-2])
-	fi
+	OL_BERKELEY_DB_TRY(ol_cv_db_db_4_dot_m,[-ldb-4.$ol_cv_bdb_minor])
+	OL_BERKELEY_DB_TRY(ol_cv_db_db4m,[-ldb4$ol_cv_bdb_minor])
+	OL_BERKELEY_DB_TRY(ol_cv_db_db_4m,[-ldb-4$ol_cv_bdb_minor])
+	OL_BERKELEY_DB_TRY(ol_cv_db_db_4_m,[-ldb-4-$ol_cv_bdb_minor])
 	OL_BERKELEY_DB_TRY(ol_cv_db_db_4,[-ldb-4])
 	OL_BERKELEY_DB_TRY(ol_cv_db_db4,[-ldb4])
 	OL_BERKELEY_DB_TRY(ol_cv_db_db,[-ldb])
-
-elif test $ol_cv_bdb_major = 3 ; then
-	OL_BERKELEY_DB_TRY(ol_cv_db_db3,[-ldb3])
-	OL_BERKELEY_DB_TRY(ol_cv_db_db_3,[-ldb-3])
-
-elif test $ol_cv_bdb_major = 2 ; then
-	OL_BERKELEY_DB_TRY(ol_cv_db_db2,[-ldb2])
-	OL_BERKELEY_DB_TRY(ol_cv_db_db_2,[-ldb-2])
-
-elif test $ol_cv_bdb_major = 1 ; then
-	OL_BERKELEY_DB_TRY(ol_cv_db_db1,[-ldb1])
-	OL_BERKELEY_DB_TRY(ol_cv_db_db_1,[-ldb-1])
 fi
 OL_BERKELEY_DB_TRY(ol_cv_db_none)
 ])
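
Review bot: In OL_BDB_HEADER_VERSION the case guards ([[1-9]]* for major, [[0-9]]* for minor) accept any value that merely starts with a digit, and $ol_cv_bdb_minor is then spliced into linker flags such as -ldb-4.$ol_cv_bdb_minor. Because ol_cv_* values can also come from a cache file or the environment, the pattern should reject anything containing a non-digit before the value is used. Two smaller points in the same hunk: the conftest file written by AC_LANG_CONFTEST is not removed after the $ac_cpp run, and OL_BERKELEY_DB_LINK now probes versioned library names only when the major is 4, so any other major falls straight through to the ol_cv_db_none probe.
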
@@ -535,7 +372,7 @@
 dnl --------------------------------------------------------------------
 dnl Check if Berkeley DB version
 AC_DEFUN([OL_BERKELEY_DB_VERSION],
-[AC_CACHE_CHECK([for Berkeley DB version match], [ol_cv_berkeley_db_version], [
+[AC_CACHE_CHECK([for Berkeley DB library and header version match], [ol_cv_berkeley_db_version], [
 	ol_LIBS="$LIBS"
 	LIBS="$LTHREAD_LIBS $LIBS"
 	if test $ol_cv_lib_db != yes ; then
@@ -674,6 +511,13 @@
 [ol_cv_berkeley_db=no
 AC_CHECK_HEADERS(db.h)
 if test $ac_cv_header_db_h = yes; then
+	OL_BDB_HEADER_VERSION
+	OL_BDB_COMPAT
+
+	if test $ol_cv_bdb_compat != yes ; then
+		AC_MSG_ERROR([BerkeleyDB version incompatible with BDB/HDB backends])
+	fi
+
 	OL_BERKELEY_DB_LINK
 	if test "$ol_cv_lib_db" != no ; then
 		ol_cv_berkeley_db=yes
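
Review bot: The new AC_MSG_ERROR aborts configure as soon as db.h is present and older than 4.4, before any library probing. Please confirm OL_BERKELEY_DB is only expanded when the BDB or HDB backend was actually requested; otherwise a host that merely has an old db.h installed can no longer configure at all. The message would also be more useful if it printed the detected version, which is already available in $ol_cv_bdb_major and $ol_cv_bdb_minor from OL_BDB_HEADER_VERSION.
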
@@ -685,7 +529,7 @@
 dnl --------------------------------------------------------------------
 dnl Check for version compatility with back-bdb
 AC_DEFUN([OL_BDB_COMPAT],
-[AC_CACHE_CHECK([Berkeley DB version for BDB/HDB backends], [ol_cv_bdb_compat],[
+[AC_CACHE_CHECK([if Berkeley DB version supported by BDB/HDB backends], [ol_cv_bdb_compat],[
 	AC_EGREP_CPP(__db_version_compat,[
 #include <db.h>
 
@@ -697,44 +541,15 @@
 #	define DB_VERSION_MINOR 0
 #endif
 
-/* require 4.2 or later, but exclude 4.3 */
-#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 2) && (DB_VERSION_MINOR !=3)
+#define DB_VERSION_MM	((DB_VERSION_MAJOR<<8)|DB_VERSION_MINOR)
+
+/* require 4.4 or later */
+#if DB_VERSION_MM >= 0x0404
 	__db_version_compat
 #endif
 	], [ol_cv_bdb_compat=yes], [ol_cv_bdb_compat=no])])
 ])
 
-dnl --------------------------------------------------------------------
-dnl Find old Berkeley DB 1.85/1.86
-AC_DEFUN([OL_BERKELEY_COMPAT_DB],
-[AC_CHECK_HEADERS(db_185.h db.h)
-if test $ac_cv_header_db_185_h = yes || test $ac_cv_header_db_h = yes; then
-	AC_CACHE_CHECK([if Berkeley DB header compatibility], [ol_cv_header_db1],[
-		AC_EGREP_CPP(__db_version_1,[
-#if HAVE_DB_185_H
-#	include <db_185.h>
-#else
-#	include <db.h>
-#endif
-
- /* this check could be improved */
-#ifndef DB_VERSION_MAJOR
-#	define DB_VERSION_MAJOR 1
-#endif
-
-#if DB_VERSION_MAJOR == 1 
-	__db_version_1
-#endif
-],	[ol_cv_header_db1=yes], [ol_cv_header_db1=no])])
-
-	if test $ol_cv_header_db1 = yes ; then
-		OL_BERKELEY_DB_LINK
-		if test "$ol_cv_lib_db" != no ; then
-			ol_cv_berkeley_db=yes
-		fi
-	fi
-fi
-])
 dnl
 dnl ====================================================================
 dnl Check POSIX Thread version 
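
Review bot: The new test DB_VERSION_MM >= 0x0404 has no upper bound, while the README in this same revision lists only 4.4 through 4.7 as supported. A db.h from a later major will pass OL_BDB_COMPAT but then gets no versioned library probes, because OL_BERKELEY_DB_LINK only handles major 4. Either cap the accepted range to what has been tested or say in the comment that newer versions are accepted deliberately. Separately, this hunk deletes OL_BERKELEY_COMPAT_DB outright, so any remaining caller in configure.in would now expand to nothing; worth a grep before merging.
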
@@ -1106,7 +921,9 @@
 LIBS="-lfetch -lcom_err $LIBS"
 AC_CACHE_CHECK([fetch(3) library],ol_cv_lib_fetch,[
 	AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#ifdef HAVE_SYS_PARAM_H
 #include <sys/param.h>
+#endif
 #include <stdio.h>
 #include <fetch.h>]], [[struct url *u = fetchParseURL("file:///"); ]])],[ol_cv_lib_fetch=yes],[ol_cv_lib_fetch=no])])
 LIBS=$ol_LIBS
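
Review bot: Guarding the sys/param.h include with HAVE_SYS_PARAM_H is only correct if configure has already checked for that header before this macro expands; nothing in this hunk ensures that ordering. If the check has not run, the include is silently dropped even on systems that have the header and need it for fetch.h, and the link test reports no fetch(3) library. Adding AC_CHECK_HEADERS(sys/param.h) at the top of this macro makes it self-contained.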

Modified: openldap/trunk/build/rules.mk
===================================================================
--- openldap/trunk/build/rules.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/rules.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/rules.mk,v 1.15.2.4 2009/01/22 00:00:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/srv.mk
===================================================================
--- openldap/trunk/build/srv.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/srv.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/srv.mk,v 1.18.2.4 2009/01/22 00:00:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/top.mk
===================================================================
--- openldap/trunk/build/top.mk	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/top.mk	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.5 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/top.mk,v 1.103.2.9 2009/01/26 21:24:56 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -32,6 +32,7 @@
 ldap_subdir = @ldap_subdir@
 
 bindir = @bindir@
+datarootdir = @datarootdir@
 datadir = @datadir@$(ldap_subdir)
 includedir = @includedir@
 infodir = @infodir@
@@ -159,6 +160,7 @@
 LTHREAD_LIBS = @LTHREAD_LIBS@
 
 BDB_LIBS = @BDB_LIBS@
+SLAPD_NDB_LIBS = @SLAPD_NDB_LIBS@
 
 LDAP_LIBLBER_LA = $(LDAP_LIBDIR)/liblber/liblber.la
 LDAP_LIBLDAP_LA = $(LDAP_LIBDIR)/libldap/libldap.la
@@ -185,9 +187,10 @@
 KRB5_LIBS = @KRB5_LIBS@
 KRB_LIBS = @KRB4_LIBS@ @KRB5_LIBS@
 SASL_LIBS = @SASL_LIBS@
+GSSAPI_LIBS = @GSSAPI_LIBS@
 TLS_LIBS = @TLS_LIBS@
 AUTH_LIBS = @AUTH_LIBS@
-SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
+SECURITY_LIBS = $(SASL_LIBS) $(KRB_LIBS) $(GSSAPI_LIBS) $(TLS_LIBS) $(AUTH_LIBS)
 ICU_LIBS = @ICU_LIBS@
 
 MODULES_CPPFLAGS = @SLAPD_MODULES_CPPFLAGS@
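
Review bot: GSSAPI_LIBS = @GSSAPI_LIBS@ only works if configure substitutes that variable; if the matching AC_SUBST is missing, the literal @GSSAPI_LIBS@ ends up on every link line that uses SECURITY_LIBS. Note also that clients/tools/Makefile.in sets XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS), so after this change every client tool links the GSSAPI libraries when they are configured, not just the code that uses them. If that wider linkage is intended, a short comment here would say so; if not, GSSAPI_LIBS should be added only where it is needed.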

Modified: openldap/trunk/build/version.h
===================================================================
--- openldap/trunk/build/version.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/version.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13,6 +13,6 @@
  */
 
 static const char copyright[] =
-"Copyright 1998-2008 The OpenLDAP Foundation.  All rights reserved.\n"
+"Copyright 1998-2009 The OpenLDAP Foundation.  All rights reserved.\n"
 "COPYING RESTRICTIONS APPLY.\n";
 

Modified: openldap/trunk/build/version.sh
===================================================================
--- openldap/trunk/build/version.sh	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/version.sh	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.sh,v 1.16.2.4 2009/01/22 00:00:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/build/version.var
===================================================================
--- openldap/trunk/build/version.var	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/build/version.var	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 #! /bin/sh
-# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.37 2008/07/16 22:12:19 kurt Exp $
+# $OpenLDAP: pkg/ldap/build/version.var,v 1.9.2.47 2009/02/14 01:07:15 quanah Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=11
-ol_api_inc=20411
-ol_api_current=3
+ol_patch=14
+ol_api_inc=20414
+ol_api_current=6
 ol_api_revision=0
-ol_api_age=1
-ol_release_date="2008/07/16"
+ol_api_age=4
+ol_release_date="2009/02/14"
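
Review bot: ol_api_current goes from 3 to 6 and ol_api_age from 1 to 4, so current minus age stays at 2 and the shared library soname does not change. That is only correct if the interfaces added between 2.4.11 and 2.4.14 are purely additive; any removed or changed exported symbol would need age reset to 0 and a new soname. Since this is a packaging import, it is worth checking the exported symbol list of the built libraries against the previous package before upload.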

Modified: openldap/trunk/clients/Makefile.in
===================================================================
--- openldap/trunk/clients/Makefile.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/Makefile.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 # Clients Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/clients/Makefile.in,v 1.17.2.4 2009/01/22 00:00:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/Makefile.in
===================================================================
--- openldap/trunk/clients/tools/Makefile.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/Makefile.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 # Makefile for LDAP tools
-# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/clients/tools/Makefile.in,v 1.45.2.5 2009/01/22 00:00:42 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without
@@ -15,10 +15,10 @@
 
 SRCS	= ldapsearch.c ldapmodify.c ldapdelete.c ldapmodrdn.c \
 		ldappasswd.c ldapwhoami.c ldapcompare.c \
-		ldapexop.c common.c
+		ldapexop.c ldapurl.c common.c
 OBJS	= ldapsearch.o ldapmodify.o ldapdelete.o ldapmodrdn.o \
 		ldappasswd.o ldapwhoami.o ldapcompare.o \
-		ldapexop.o common.o
+		ldapexop.o ldapurl.o common.o
 
 LDAP_INCDIR= ../../include       
 LDAP_LIBDIR= ../../libraries
@@ -29,10 +29,10 @@
 XXLIBS	= $(SECURITY_LIBS) $(LUTIL_LIBS)
 
 XSRCS	= ldsversion.c ldmversion.c lddversion.c ldrversion.c \
-	ldpversion.c ldwversion.c ldcversion.c ldeversion.c
+	ldpversion.c ldwversion.c ldcversion.c ldeversion.c lduversion.c
 
 PROGRAMS = ldapsearch ldapmodify ldapdelete ldapmodrdn \
-	ldappasswd ldapwhoami ldapcompare ldapexop
+	ldappasswd ldapwhoami ldapcompare ldapexop ldapurl
 
 
 ldapsearch:	ldsversion.o
@@ -59,6 +59,9 @@
 ldapexop: ldeversion.o
 	$(LTLINK) -o $@ ldapexop.o common.o ldeversion.o $(LIBS)
 
+ldapurl: lduversion.o
+	$(LTLINK) -o $@ ldapurl.o lduversion.o $(LIBS)
+
 ldsversion.c: Makefile
 	@-$(RM) $@
 	$(MKVERSION) $(MKVOPTS) ldapsearch > $@
@@ -107,6 +110,12 @@
 
 ldeversion.o: ldapexop.o common.o $(XLIBS)
 
+lduversion.c: Makefile
+	@-$(RM) $@
+	$(MKVERSION) $(MKVOPTS) ldapurl > $@
+
+lduversion.o: ldapurl.o $(XLIBS)
+
 install-local:	FORCE
 	-$(MKDIR) $(DESTDIR)$(bindir)
 	@(								\

Modified: openldap/trunk/clients/tools/common.c
===================================================================
--- openldap/trunk/clients/tools/common.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/common.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* common.c - common routines for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.8 2008/07/09 00:29:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.c,v 1.78.2.19 2009/02/05 23:05:03 quanah Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 2003 Kurt D. Zeilenga.
  * Portions Copyright 2003 IBM Corporation.
  * All rights reserved.
@@ -62,6 +62,7 @@
 int		debug = 0;
 char		*infile = NULL;
 int		dont = 0;
+int		nocanon = 0;
 int		referrals = 0;
 int		verbose = 0;
 int		ldif = 0;
@@ -134,6 +135,13 @@
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int print_ppolicy( LDAP *ld, LDAPControl *ctrl );
 #endif
+static int print_sss( LDAP *ld, LDAPControl *ctrl );
+#ifdef LDAP_CONTROL_X_DEREF
+static int print_deref( LDAP *ld, LDAPControl *ctrl );
+#endif
+#ifdef LDAP_CONTROL_X_WHATFAILED
+static int print_whatfailed( LDAP *ld, LDAPControl *ctrl );
+#endif
 
 static struct tool_ctrls_t {
 	const char	*oid;
@@ -146,6 +154,13 @@
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 	{ LDAP_CONTROL_PASSWORDPOLICYRESPONSE,		TOOL_ALL,	print_ppolicy },
 #endif
+	{ LDAP_CONTROL_SORTRESPONSE,	TOOL_SEARCH,	print_sss },
+#ifdef LDAP_CONTROL_X_DEREF
+	{ LDAP_CONTROL_X_DEREF,				TOOL_SEARCH,	print_deref },
+#endif
+#ifdef LDAP_CONTROL_X_WHATFAILED
+	{ LDAP_CONTROL_X_WHATFAILED,			TOOL_ALL,	print_whatfailed },
+#endif
 	{ NULL,						0,		NULL }
 };
 
@@ -235,6 +250,14 @@
 		pr_cookie.bv_val = NULL;
 		pr_cookie.bv_len = 0;
 	}
+
+	if ( binddn != NULL ) {
+		ber_memfree( binddn );
+	}
+
+	if ( passwd.bv_val != NULL ) {
+		ber_memfree( passwd.bv_val );
+	}
 }
 
 void
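Review bot: `passwd.bv_val` is released with `ber_memfree()` without first overwriting its contents, so the bind password stays readable in freed heap memory until something reuses it; clear `passwd.bv_len` bytes before the free. Both `binddn` and `passwd.bv_val` should also be reset to NULL afterwards (and `passwd.bv_len` to 0), the way `pr_cookie` is reset just above, so a second pass through this cleanup cannot free them twice.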
@@ -245,8 +268,8 @@
 N_("  -d level   set LDAP debugging level to `level'\n"),
 N_("  -D binddn  bind DN\n"),
 N_("  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n")
-N_("             [!]assert=<filter>     (a RFC 4515 Filter string)\n")
-N_("             [!]authzid=<authzid>   (\"dn:<dn>\" or \"u:<user>\")\n")
+N_("             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)\n")
+N_("             [!]authzid=<authzid>   (RFC 4370; \"dn:<dn>\" or \"u:<user>\")\n")
 #ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
 #if 0
                  /* non-advertized support for proxyDN */
@@ -258,13 +281,13 @@
 N_("                     one of \"chainingPreferred\", \"chainingRequired\",\n")
 N_("                     \"referralsPreferred\", \"referralsRequired\"\n")
 #endif /* LDAP_CONTROL_X_CHAINING_BEHAVIOR */
-N_("             [!]manageDSAit\n")
+N_("             [!]manageDSAit         (RFC 3296)\n")
 N_("             [!]noop\n")
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 N_("             ppolicy\n")
 #endif
-N_("             [!]postread[=<attrs>]  (a comma-separated attribute list)\n")
-N_("             [!]preread[=<attrs>]   (a comma-separated attribute list)\n")
+N_("             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)\n")
+N_("             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)\n")
 N_("             [!]relax\n")
 #ifdef LDAP_CONTROL_X_SESSION_TRACKING
 N_("             [!]sessiontracking\n")
@@ -278,6 +301,7 @@
 N_("  -I         use SASL Interactive mode\n"),
 N_("  -M         enable Manage DSA IT control (-MM to make critical)\n"),
 N_("  -n         show what would be done but don't actually do it\n"),
+N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"),
 N_("  -O props   SASL security properties\n"),
 N_("  -o <opt>[=<optparam] general options\n"),
 N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
@@ -623,7 +647,7 @@
 						(unsigned char *)bv.bv_val,
 						bv.bv_len );
 
-					if ( retcode == -1 || retcode > bv.bv_len ) {
+					if ( retcode == -1 || (unsigned) retcode > bv.bv_len ) {
 						fprintf( stderr, "Unable to parse value of general control %s\n",
 							control );
 						usage();
@@ -686,6 +710,9 @@
 		case 'n':	/* print operations, don't actually do them */
 			dont++;
 			break;
+		case 'N':
+			nocanon++;
+			break;
 		case 'o':
 			control = ber_strdup( optarg );
 			if ( (cvalue = strchr( control, '=' )) != NULL ) {
@@ -979,7 +1006,11 @@
 
 	if (authmethod == -1 && protocol > LDAP_VERSION2) {
 #ifdef HAVE_CYRUS_SASL
-		authmethod = LDAP_AUTH_SASL;
+		if ( binddn != NULL ) {
+			authmethod = LDAP_AUTH_SIMPLE;
+		} else {
+			authmethod = LDAP_AUTH_SASL;
+		}
 #else
 		authmethod = LDAP_AUTH_SIMPLE;
 #endif
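Review bot: In the `HAVE_CYRUS_SASL` branch, giving `-D` now silently changes the default from `LDAP_AUTH_SASL` to `LDAP_AUTH_SIMPLE`, and nothing in this hunk or in the usage text tells the user. A simple bind sends the DN and password themselves, so this change of default should be documented next to `-D` and `-x` in the usage output and man pages, and a comment here should say why the presence of `binddn` decides the method.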
@@ -1232,6 +1263,16 @@
 			exit( EXIT_FAILURE );
 		}
 
+#ifdef HAVE_CYRUS_SASL
+		/* canon */
+		if( ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON,
+			nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+		{
+			fprintf( stderr, "Could not set LDAP_OPT_X_SASL_NOCANON %s\n",
+				nocanon ? "on" : "off" );
+			exit( EXIT_FAILURE );
+		}
+#endif
 		if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
 			!= LDAP_OPT_SUCCESS )
 		{
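Review bot: The `ldap_set_option( ld, LDAP_OPT_X_SASL_NOCANON, ... )` call runs whether or not `-N` was given and writes `LDAP_OPT_OFF` when it was not, so it overwrites whatever value the handle already carried for this option. Set the option only `if ( nocanon )`, and expand the `/* canon */` comment to say that it disables reverse-DNS canonicalization of the SASL host name.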
@@ -1308,7 +1349,7 @@
 		sctrlsp = sctrls;
 	}
 
-	assert( nsctrls < sizeof(sctrls)/sizeof(sctrls[0]) );
+	assert( nsctrls < (int) (sizeof(sctrls)/sizeof(sctrls[0])) );
 
 	if ( authmethod == LDAP_AUTH_SASL ) {
 #ifdef HAVE_CYRUS_SASL
@@ -1521,7 +1562,7 @@
 		
 		ber_init2( ber, NULL, LBER_USE_DER );
 
-		if ( ber_printf( ber, "s", proxydn ) == LBER_ERROR ) {
+		if ( ber_printf( ber, "s", proxydn ) == -1 ) {
 			exit( EXIT_FAILURE );
 		}
 
@@ -1571,8 +1612,8 @@
 #endif
 
 	if ( preread ) {
-		char berbuf[LBER_ELEMENT_SIZEOF];
-		BerElement *ber = (BerElement *)berbuf;
+		BerElementBuffer berbuf;
+		BerElement *ber = (BerElement *)&berbuf;
 		char **attrs = NULL;
 
 		if( preread_attrs ) {
@@ -1601,8 +1642,8 @@
 	}
 
 	if ( postread ) {
-		char berbuf[LBER_ELEMENT_SIZEOF];
-		BerElement *ber = (BerElement *)berbuf;
+		BerElementBuffer berbuf;
+		BerElement *ber = (BerElement *)&berbuf;
 		char **attrs = NULL;
 
 		if( postread_attrs ) {
@@ -1864,6 +1905,154 @@
 	return 0;
 }
 
+static int
+print_sss( LDAP *ld, LDAPControl *ctrl )
+{
+	int rc;
+	ber_int_t err;
+	char *attr;
+
+	rc = ldap_parse_sortresponse_control( ld, ctrl, &err, &attr );
+	if ( rc == LDAP_SUCCESS ) {
+		char buf[ BUFSIZ ];
+		rc = snprintf( buf, sizeof(buf), "(%d) %s %s",
+			err, ldap_err2string(err), attr ? attr : "" );
+
+		tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+			"sortResult", buf, rc );
+	}
+
+	return rc;
+}
+
+#ifdef LDAP_CONTROL_X_DEREF
+static int
+print_deref( LDAP *ld, LDAPControl *ctrl )
+{
+	LDAPDerefRes    *drhead = NULL, *dr;
+	int		rc;
+
+	rc = ldap_parse_derefresponse_control( ld, ctrl, &drhead );
+	if ( rc != LDAP_SUCCESS ) {
+		return rc;
+	}
+
+	for ( dr = drhead; dr != NULL; dr = dr->next ) {
+		LDAPDerefVal	*dv;
+		ber_len_t	len;
+		char		*buf, *ptr;
+
+		len = strlen( dr->derefAttr ) + STRLENOF(": ");
+
+		for ( dv = dr->attrVals; dv != NULL; dv = dv->next ) {
+			if ( dv->vals != NULL ) {
+				int j;
+				ber_len_t tlen = strlen(dv->type);
+
+				for ( j = 0; dv->vals[ j ].bv_val != NULL; j++ ) {
+					len += STRLENOF("<:=>;") + tlen + 4*((dv->vals[ j ].bv_len - 1)/3 + 1);
+				}
+			}
+		}
+		len += dr->derefVal.bv_len + STRLENOF("\n");
+		buf = ldap_memalloc( len + 1 );
+		if ( buf == NULL ) {
+			rc = LDAP_NO_MEMORY;
+			goto done;
+		}
+
+		ptr = buf;
+		ptr = lutil_strcopy( ptr, dr->derefAttr );
+		*ptr++ = ':';
+		*ptr++ = ' ';
+		for ( dv = dr->attrVals; dv != NULL; dv = dv->next ) {
+			if ( dv->vals != NULL ) {
+				int j;
+				for ( j = 0; dv->vals[ j ].bv_val != NULL; j++ ) {
+					int k;
+
+					for ( k = 0; k < dv->vals[ j ].bv_len; k++ ) {
+						if ( !isprint( dv->vals[ j ].bv_val[k] ) ) {
+							k = -1;
+							break;
+						}
+					}
+
+					*ptr++ = '<';
+					ptr = lutil_strcopy( ptr, dv->type );
+					if ( k == -1 ) {
+						*ptr++ = ':';
+					}
+					*ptr++ = '=';
+					if ( k == -1 ) {
+						k = lutil_b64_ntop( dv->vals[ j ].bv_val, dv->vals[ j ].bv_len, ptr, buf + len - ptr );
+						assert( k >= 0 );
+						ptr += k;
+						
+					} else {
+						ptr = lutil_memcopy( ptr, dv->vals[ j ].bv_val, dv->vals[ j ].bv_len );
+					}
+					*ptr++ = '>';
+					*ptr++ = ';';
+				}
+			}
+		}
+		ptr = lutil_strncopy( ptr, dr->derefVal.bv_val, dr->derefVal.bv_len );
+		*ptr++ = '\n';
+		*ptr++ = '\0';
+		assert( ptr <= buf + len );
+
+		tool_write_ldif( LDIF_PUT_COMMENT, NULL, buf, ptr - buf);
+
+		ldap_memfree( buf );
+	}
+
+	rc = LDAP_SUCCESS;
+
+done:;
+	ldap_derefresponse_free( drhead );
+
+	return rc;
+}
+#endif
+
+#ifdef LDAP_CONTROL_X_WHATFAILED
+static int
+print_whatfailed( LDAP *ld, LDAPControl *ctrl )
+{
+	BerElement *ber;
+	ber_tag_t tag;
+	ber_len_t siz;
+	BerVarray bva = NULL;
+
+	/* Create a BerElement from the berval returned in the control. */
+	ber = ber_init( &ctrl->ldctl_value );
+
+	if ( ber == NULL ) {
+		return LDAP_NO_MEMORY;
+	}
+
+	siz = sizeof(struct berval);
+	tag = ber_scanf( ber, "[M]", &bva, &siz, 0 );
+	if ( tag != LBER_ERROR ) {
+		int i;
+
+		tool_write_ldif( LDIF_PUT_COMMENT, " what failed:", NULL, 0 );
+
+		for ( i = 0; bva[i].bv_val != NULL; i++ ) {
+			tool_write_ldif( LDIF_PUT_COMMENT, NULL, bva[i].bv_val, bva[i].bv_len );
+		}
+
+		ldap_memfree( bva );
+	}
+
+        ber_free( ber, 1 );
+
+
+	return 0;
+}
+#endif
+
 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
 static int
 print_ppolicy( LDAP *ld, LDAPControl *ctrl )
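Review bot: In `print_sss()`, `rc` is reused for the `snprintf()` return value and then passed to `tool_write_ldif()` as the length of `buf`; `snprintf()` returns the length the output would have had, so a truncated result yields a length larger than `sizeof(buf)` and the write reads past the buffer. Keep the length in its own variable and clamp it to `sizeof(buf) - 1`, because the function currently also returns that byte count instead of an LDAP result code, and the `attr` string handed back by `ldap_parse_sortresponse_control()` is never freed. In `print_deref()`, `(dv->vals[ j ].bv_len - 1)/3` wraps for a zero-length value because `ber_len_t` is unsigned, the `isprint()` argument should be cast to `unsigned char`, and the two `assert()` calls are the only bounds checks on `ptr`, which vanish in an NDEBUG build.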

Modified: openldap/trunk/clients/tools/common.h
===================================================================
--- openldap/trunk/clients/tools/common.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/common.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* common.h - common definitions for the ldap client tools */
-/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/common.h,v 1.24.2.4 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/clients/tools/ldapcompare.c
===================================================================
--- openldap/trunk/clients/tools/ldapcompare.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapcompare.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapcompare.c -- LDAP compare tool */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapcompare.c,v 1.43.2.6 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * All rights reserved.
@@ -102,7 +102,7 @@
 
 
 const char options[] = "z"
-	"Cd:D:e:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"Cd:D:e:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 #ifdef LDAP_CONTROL_DONTUSECOPY
 int dontUseCopy = 0;

Modified: openldap/trunk/clients/tools/ldapdelete.c
===================================================================
--- openldap/trunk/clients/tools/ldapdelete.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapdelete.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapdelete.c - simple program to delete an entry using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.7 2008/02/12 00:32:01 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapdelete.c,v 1.118.2.9 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * All rights reserved.
  *
@@ -78,7 +78,7 @@
 
 
 const char options[] = "r"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
 
 int
 handle_private_option( int i )

Modified: openldap/trunk/clients/tools/ldapexop.c
===================================================================
--- openldap/trunk/clients/tools/ldapexop.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapexop.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapexop.c -- a tool for performing well-known extended operations */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapexop.c,v 1.9.2.5 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2008 The OpenLDAP Foundation.
+ * Copyright 2005-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@
 
 
 const char options[] = ""
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

Modified: openldap/trunk/clients/tools/ldapmodify.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodify.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapmodify.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapmodify.c - generic program to modify or add entries using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.7 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodify.c,v 1.186.2.10 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 2006 Howard Chu.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
@@ -95,8 +95,8 @@
 static struct berval BV_DELETEOLDRDN = BER_BVC("deleteoldrdn");
 static struct berval BV_NEWSUP = BER_BVC("newsuperior");
 
-#define	BVICMP(a,b)	((a)->bv_len != (b)->bv_len ? \
-	(a)->bv_len - (b)->bv_len : strcasecmp((a)->bv_val, (b)->bv_val))
+#define	BV_CASEMATCH(a, b) \
+	((a)->bv_len == (b)->bv_len && 0 == strcasecmp((a)->bv_val, (b)->bv_val))
 
 static int process_ldif_rec LDAP_P(( char *rbuf, int lineno ));
 static int parse_ldif_control LDAP_P(( struct berval *val, LDAPControl ***pctrls ));
@@ -151,7 +151,7 @@
 
 
 const char options[] = "aE:rS:"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
@@ -457,7 +457,7 @@
 		freeval[i] = freev;
 
 		if ( dn == NULL ) {
-			if ( linenum+i == 1 && !BVICMP( btype+i, &BV_VERSION )) {
+			if ( linenum+i == 1 && BV_CASEMATCH( btype+i, &BV_VERSION )) {
 				int	v;
 				if( vals[i].bv_len == 0 || lutil_atoi( &v, vals[i].bv_val) != 0 || v != 1 ) {
 					fprintf( stderr,
@@ -466,7 +466,7 @@
 				}
 				version++;
 
-			} else if ( !BVICMP( btype+i, &BV_DN )) {
+			} else if ( BV_CASEMATCH( btype+i, &BV_DN )) {
 				dn = vals[i].bv_val;
 				idn = i;
 			}
@@ -494,7 +494,7 @@
 
 	i = idn+1;
 	/* Check for "control" tag after dn and before changetype. */
-	if (!BVICMP( btype+i, &BV_CONTROL)) {
+	if ( BV_CASEMATCH( btype+i, &BV_CONTROL )) {
 		/* Parse and add it to the list of controls */
 		rc = parse_ldif_control( vals+i, &pctrls );
 		if (rc != 0) {
@@ -515,7 +515,7 @@
 	}
 
 	/* Check for changetype */
-	if ( !BVICMP( btype+i, &BV_CHANGETYPE )) {
+	if ( BV_CASEMATCH( btype+i, &BV_CHANGETYPE )) {
 #ifdef LIBERAL_CHANGETYPE_MODOP
 		/* trim trailing spaces (and log warning ...) */
 		int icnt;
@@ -533,20 +533,20 @@
 		}
 #endif /* LIBERAL_CHANGETYPE_MODOP */
 
-		if ( BVICMP( vals+i, &BV_MODIFYCT ) == 0 ) {
+		if ( BV_CASEMATCH( vals+i, &BV_MODIFYCT )) {
 			new_entry = 0;
 			expect_modop = 1;
-		} else if ( BVICMP( vals+i, &BV_ADDCT ) == 0 ) {
+		} else if ( BV_CASEMATCH( vals+i, &BV_ADDCT )) {
 			new_entry = 1;
 			modop = LDAP_MOD_ADD;
-		} else if ( BVICMP( vals+i, &BV_MODRDNCT ) == 0
-			|| BVICMP( vals+i, &BV_MODDNCT ) == 0
-			|| BVICMP( vals+i, &BV_RENAMECT ) == 0)
+		} else if ( BV_CASEMATCH( vals+i, &BV_MODRDNCT )
+			|| BV_CASEMATCH( vals+i, &BV_MODDNCT )
+			|| BV_CASEMATCH( vals+i, &BV_RENAMECT ))
 		{
 			i++;
 			if ( i >= lines )
 				goto short_input;
-			if ( BVICMP( btype+i, &BV_NEWRDN )) {
+			if ( !BV_CASEMATCH( btype+i, &BV_NEWRDN )) {
 				fprintf( stderr, _("%s: expecting \"%s:\" but saw"
 					" \"%s:\" (line %d, entry \"%s\")\n"),
 					prog, BV_NEWRDN.bv_val, btype[i].bv_val, linenum+i, dn );
@@ -557,7 +557,7 @@
 			i++;
 			if ( i >= lines )
 				goto short_input;
-			if ( BVICMP( btype+i, &BV_DELETEOLDRDN )) {
+			if ( !BV_CASEMATCH( btype+i, &BV_DELETEOLDRDN )) {
 				fprintf( stderr, _("%s: expecting \"%s:\" but saw"
 					" \"%s:\" (line %d, entry \"%s\")\n"),
 					prog, BV_DELETEOLDRDN.bv_val, btype[i].bv_val, linenum+i, dn );
@@ -567,7 +567,7 @@
 			deleteoldrdn = ( vals[i].bv_val[0] == '0' ) ? 0 : 1;
 			i++;
 			if ( i < lines ) {
-				if ( BVICMP( btype+i, &BV_NEWSUP )) {
+				if ( !BV_CASEMATCH( btype+i, &BV_NEWSUP )) {
 					fprintf( stderr, _("%s: expecting \"%s:\" but saw"
 						" \"%s:\" (line %d, entry \"%s\")\n"),
 						prog, BV_NEWSUP.bv_val, btype[i].bv_val, linenum+i, dn );
@@ -578,7 +578,7 @@
 				i++;
 			}
 			got_all = 1;
-		} else if ( BVICMP( vals+i, &BV_DELETECT ) == 0 ) {
+		} else if ( BV_CASEMATCH( vals+i, &BV_DELETECT )) {
 			got_all = delete_entry = 1;
 		} else {
 			fprintf( stderr,
@@ -615,7 +615,7 @@
 		/* Make sure all attributes with multiple values are contiguous */
 		for (; i<lines; i++) {
 			for (j=i+1; j<lines; j++) {
-				if ( !BVICMP( btype+i, btype+j )) {
+				if ( BV_CASEMATCH( btype+i, btype+j )) {
 					nmods--;
 					/* out of order, move intervening attributes down */
 					if ( j != i+1 ) {
@@ -649,13 +649,13 @@
 		k = -1;
 		BER_BVZERO(&bv);
 		for (i=idn; i<lines; i++) {
-			if ( !BVICMP( btype+i, &BV_DN )) {
+			if ( BV_CASEMATCH( btype+i, &BV_DN )) {
 				fprintf( stderr, _("%s: attributeDescription \"%s\":"
 					" (possible missing newline"
 						" after line %d, entry \"%s\"?)\n"),
 					prog, btype[i].bv_val, linenum+i - 1, dn );
 			}
-			if ( BVICMP(btype+i,&bv)) {
+			if ( !BV_CASEMATCH( btype+i, &bv )) {
 				bvl[k++] = NULL;
 				bv = btype[i];
 				lm[j].mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
@@ -694,11 +694,11 @@
 
 			expect_modop = 0;
 			expect_sep = 1;
-			if ( BVICMP( btype+i, &BV_MODOPADD ) == 0 ) {
+			if ( BV_CASEMATCH( btype+i, &BV_MODOPADD )) {
 				modop = LDAP_MOD_ADD;
 				mops[i] = M_SEP;
 				nmods--;
-			} else if ( BVICMP( btype+i, &BV_MODOPREPLACE ) == 0 ) {
+			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPREPLACE )) {
 			/* defer handling these since they might have no values.
 			 * Use the BVALUES flag to signal that these were
 			 * deferred. If values are provided later, this
@@ -707,11 +707,11 @@
 				modop = LDAP_MOD_REPLACE;
 				mops[i] = modop | LDAP_MOD_BVALUES;
 				btype[i] = vals[i];
-			} else if ( BVICMP( btype+i, &BV_MODOPDELETE ) == 0 ) {
+			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPDELETE )) {
 				modop = LDAP_MOD_DELETE;
 				mops[i] = modop | LDAP_MOD_BVALUES;
 				btype[i] = vals[i];
-			} else if ( BVICMP( btype+i, &BV_MODOPINCREMENT ) == 0 ) {
+			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPINCREMENT )) {
 				modop = LDAP_MOD_INCREMENT;
 				mops[i] = M_SEP;
 				nmods--;
@@ -729,7 +729,7 @@
 			expect_modop = 1;
 			nmods--;
 		} else {
-			if ( BVICMP( btype+i, &bv )) {
+			if ( !BV_CASEMATCH( btype+i, &bv )) {
 				fprintf( stderr, _("%s: wrong attributeType at"
 					" line %d, entry \"%s\"\n"),
 					prog, linenum+i, dn );
@@ -740,8 +740,9 @@
 			/* If prev op was deferred and matches this type,
 			 * clear the flag
 			 */
-			if ( (mops[i-1]&LDAP_MOD_BVALUES) && !BVICMP(btype+i,
-				btype+i-1)) {
+			if ( (mops[i-1] & LDAP_MOD_BVALUES)
+				&& BV_CASEMATCH( btype+i, btype+i-1 ))
+			{
 				mops[i-1] = M_SEP;
 				nmods--;
 			}
@@ -756,7 +757,7 @@
 		for (j=i+1; j<lines; j++) {
 			if ( mops[j] == M_SEP || mops[i] != mops[j] )
 				continue;
-			if ( !BVICMP( btype+i, btype+j )) {
+			if ( BV_CASEMATCH( btype+i, btype+j )) {
 				nmods--;
 				/* out of order, move intervening attributes down */
 				if ( j != i+1 ) {
@@ -802,7 +803,7 @@
 	for (i=idn; i<lines; i++) {
 		if ( mops[i] == M_SEP )
 			continue;
-		if ( mops[i] != mops[i-1] || BVICMP(btype+i,&bv)) {
+		if ( mops[i] != mops[i-1] || !BV_CASEMATCH( btype+i, &bv )) {
 			bvl[k++] = NULL;
 			bv = btype[i];
 			lm[j].mod_op = mops[i] | LDAP_MOD_BVALUES;

Modified: openldap/trunk/clients/tools/ldapmodrdn.c
===================================================================
--- openldap/trunk/clients/tools/ldapmodrdn.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapmodrdn.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapmodrdn.c - generic program to modify an entry's RDN using LDAP */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapmodrdn.c,v 1.116.2.6 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -91,7 +91,7 @@
 
 
 const char options[] = "rs:"
-	"cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

Modified: openldap/trunk/clients/tools/ldappasswd.c
===================================================================
--- openldap/trunk/clients/tools/ldappasswd.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldappasswd.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldappasswd -- a tool for change LDAP passwords */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldappasswd.c,v 1.136.2.7 2009/01/22 00:00:42 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -81,7 +81,7 @@
 
 
 const char options[] = "a:As:St:T:"
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
@@ -389,7 +389,6 @@
 			" new password expected", NULL, NULL, NULL );
 	}
 
-skip:
 	if( verbose || code != LDAP_SUCCESS ||
 		matcheddn || text || refs || ctrls )
 	{

Modified: openldap/trunk/clients/tools/ldapsearch.c
===================================================================
--- openldap/trunk/clients/tools/ldapsearch.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapsearch.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapsearch -- a tool for searching LDAP directories */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.9 2008/02/12 19:59:52 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapsearch.c,v 1.234.2.18 2009/01/22 00:00:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -126,11 +126,16 @@
 	fprintf( stderr, _("  -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)\n"));
 	fprintf( stderr, _("             [!]domainScope              (domain scope)\n"));
 	fprintf( stderr, _("             !dontUseCopy                (Don't Use Copy)\n"));
-	fprintf( stderr, _("             [!]mv=<filter>              (matched values filter)\n"));
-	fprintf( stderr, _("             [!]pr=<size>[/prompt|noprompt]   (paged results/prompt)\n"));
-	fprintf( stderr, _("             [!]subentries[=true|false]  (subentries)\n"));
-	fprintf( stderr, _("             [!]sync=ro[/<cookie>]            (LDAP Sync refreshOnly)\n"));
-	fprintf( stderr, _("                     rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)\n"));
+	fprintf( stderr, _("             [!]mv=<filter>              (RFC 3876 matched values filter)\n"));
+	fprintf( stderr, _("             [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)\n"));
+	fprintf( stderr, _("             [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]\n"));
+	fprintf( stderr, _("                                         (RFC 2891 server side sorting)\n"));
+	fprintf( stderr, _("             [!]subentries[=true|false]  (RFC 3672 subentries)\n"));
+	fprintf( stderr, _("             [!]sync=ro[/<cookie>]       (RFC 4533 LDAP Sync refreshOnly)\n"));
+	fprintf( stderr, _("                     rp[/<cookie>][/<slimit>] (refreshAndPersist)\n"));
+#ifdef LDAP_CONTROL_X_DEREF
+	fprintf( stderr, _("             [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]\n"));
+#endif
 	fprintf( stderr, _("             [!]<oid>=:<value>           (generic control; no response handling)\n"));
 	fprintf( stderr, _("  -F prefix  URL prefix for files (default: %s)\n"), def_urlpre);
 	fprintf( stderr, _("  -l limit   time limit (in seconds, or \"none\" or \"max\") for search\n"));
@@ -199,6 +204,9 @@
 
 static int domainScope = 0;
 
+static int sss = 0;
+static LDAPSortKey **sss_keys = NULL;
+
 static int ldapsync = 0;
 static struct berval sync_cookie = { 0, NULL };
 static int sync_slimit = -1;
@@ -218,6 +226,12 @@
 static int nctrls = 0;
 static int save_nctrls = 0;
 
+#ifdef LDAP_CONTROL_X_DEREF
+static int derefcrit;
+static LDAPDerefSpec *ds;
+static struct berval derefval;
+#endif
+
 static int
 ctrl_add( void )
 {
@@ -251,7 +265,7 @@
 
 
 const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:"
-	"Cd:D:e:f:h:H:IMnO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+	"Cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
@@ -395,6 +409,31 @@
 
 			domainScope = 1 + crit;
 
+		} else if ( strcasecmp( control, "sss" ) == 0 ) {
+			char *keyp;
+			if( sss ) {
+				fprintf( stderr,
+					_("server side sorting control previously specified\n"));
+				exit( EXIT_FAILURE );
+			}
+			if( cvalue == NULL ) {
+				fprintf( stderr,
+			         _("missing specification of sss control\n") );
+				exit( EXIT_FAILURE );
+			}
+			keyp = cvalue;
+			while ( ( keyp = strchr(keyp, '/') ) != NULL ) {
+				*keyp++ = ' ';
+			}
+			if ( ldap_create_sort_keylist( &sss_keys, cvalue )) {
+				fprintf( stderr,
+					_("server side sorting control value \"%s\" invalid\n"),
+					cvalue );
+				exit( EXIT_FAILURE );
+			}
+
+			sss = 1 + crit;
+
 		} else if ( strcasecmp( control, "subentries" ) == 0 ) {
 			if( subentries ) {
 				fprintf( stderr,
@@ -461,6 +500,51 @@
 			}
 			if ( crit ) ldapsync *= -1;
 
+#ifdef LDAP_CONTROL_X_DEREF
+		} else if ( strcasecmp( control, "deref" ) == 0 ) {
+			int ispecs;
+			char **specs;
+
+			/* cvalue is something like
+			 *
+			 * derefAttr:attr[,attr[...]][;derefAttr:attr[,attr[...]]]"
+			 */
+
+			specs = ldap_str2charray( cvalue, ";" );
+			if ( specs == NULL ) {
+				fprintf( stderr, _("deref specs \"%s\" invalid\n"),
+					cvalue );
+				exit( EXIT_FAILURE );
+			}
+			for ( ispecs = 0; specs[ ispecs ] != NULL; ispecs++ )
+				/* count'em */
+
+			ds = ldap_memcalloc( ispecs + 1, sizeof( LDAPDerefSpec ) );
+			if ( ds == NULL ) {
+				perror( "malloc" );
+				exit( EXIT_FAILURE );
+			}
+
+			for ( ispecs = 0; specs[ ispecs ] != NULL; ispecs++ ) {
+				char *ptr;
+
+				ptr = strchr( specs[ ispecs ], ':' );
+				if ( ptr == NULL ) {
+					fprintf( stderr, _("deref specs \"%s\" invalid\n"),
+						cvalue );
+					exit( EXIT_FAILURE );
+				}
+
+				ds[ ispecs ].derefAttr = specs[ ispecs ];
+				*ptr++ = '\0';
+				ds[ ispecs ].attributes = ldap_str2charray( ptr, "," );
+			}
+
+			derefcrit = 1 + crit;
+
+			ldap_memfree( specs );
+#endif /* LDAP_CONTROL_X_DEREF */
+
 		} else if ( tool_is_oid( control ) ) {
 			if ( ctrl_add() ) {
 				exit( EXIT_FAILURE );
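Review bot: The counting loop `for ( ispecs = 0; specs[ ispecs ] != NULL; ispecs++ )` is followed only by the `/* count'em */` comment and no `;`, so the `ds = ldap_memcalloc( ispecs + 1, ... )` statement becomes its body: it allocates once per spec, leaks every allocation but the last, and the array that survives has no zeroed terminator entry (and `ds` is never assigned if the list is empty). Add the empty statement after the comment. This branch also passes `cvalue` to `ldap_str2charray()` without the NULL check that the `sss` branch added earlier in this patch has, and it does not reject a second `deref` option.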
@@ -751,9 +835,13 @@
 #ifdef LDAP_CONTROL_DONTUSECOPY
 		|| dontUseCopy
 #endif
+#ifdef LDAP_CONTROL_X_DEREF
+		|| derefcrit
+#endif
 		|| domainScope
 		|| pagedResults
 		|| ldapsync
+		|| sss
 		|| subentries
 		|| valuesReturnFilter )
 	{
@@ -825,13 +913,13 @@
 							&sync_cookie );
 			}
 
-			if ( err == LBER_ERROR ) {
+			if ( err == -1 ) {
 				ber_free( syncber, 1 );
 				fprintf( stderr, _("ldap sync control encoding error!\n") );
 				return EXIT_FAILURE;
 			}
 
-			if ( ber_flatten( syncber, &syncbvalp ) == LBER_ERROR ) {
+			if ( ber_flatten( syncber, &syncbvalp ) == -1 ) {
 				return EXIT_FAILURE;
 			}
 
@@ -886,6 +974,52 @@
 			c[i].ldctl_iscritical = pagedResults > 1;
 			i++;
 		}
+
+		if ( sss ) {
+			if ( ctrl_add() ) {
+				return EXIT_FAILURE;
+			}
+
+			if ( ldap_create_sort_control_value( ld,
+				sss_keys, &c[i].ldctl_value ) )
+			{
+				return EXIT_FAILURE;
+			}
+
+			c[i].ldctl_oid = LDAP_CONTROL_SORTREQUEST;
+			c[i].ldctl_iscritical = sss > 1;
+			i++;
+		}
+
+#ifdef LDAP_CONTROL_X_DEREF
+		if ( derefcrit ) {
+			if ( derefval.bv_val == NULL ) {
+				int i;
+
+				assert( ds != NULL );
+
+				if ( ldap_create_deref_control_value( ld, ds, &derefval ) != LDAP_SUCCESS ) {
+					return EXIT_FAILURE;
+				}
+
+				for ( i = 0; ds[ i ].derefAttr != NULL; i++ ) {
+					ldap_memfree( ds[ i ].derefAttr );
+					ldap_charray_free( ds[ i ].attributes );
+				}
+				ldap_memfree( ds );
+				ds = NULL;
+			}
+
+			if ( ctrl_add() ) {
+				exit( EXIT_FAILURE );
+			}
+
+			c[ i ].ldctl_iscritical = derefcrit > 1;
+			c[ i ].ldctl_oid = LDAP_CONTROL_X_DEREF;
+			c[ i ].ldctl_value = derefval;
+			i++;
+		}
+#endif /* LDAP_CONTROL_X_DEREF */
 	}
 
 	tool_server_controls( ld, c, i );
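Review bot: The `int i` declared inside `if ( derefval.bv_val == NULL )` shadows the outer `i` that indexes `c[]` a few lines later; rename the inner counter. The cleanup loop `for ( i = 0; ds[ i ].derefAttr != NULL; i++ )` relies on a zeroed terminator entry in `ds`, so it is only safe if the allocation really holds one more element than the number of specs. Failure handling is also inconsistent: the `sss` block returns `EXIT_FAILURE` when `ctrl_add()` fails, while the deref block calls `exit( EXIT_FAILURE )`.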
@@ -968,6 +1102,16 @@
 				(pagedResults > 1) ? _("critical ") : "", 
 				pageSize );
 		}
+		if ( sss ) {
+			printf(_("\n# with server side sorting %scontrol"),
+				sss > 1 ? _("critical ") : "" );
+		}
+#ifdef LDAP_CONTROL_X_DEREF
+		if ( sss ) {
+			printf(_("\n# with dereference %scontrol"),
+				sss > 1 ? _("critical ") : "" );
+		}
+#endif
 
 		printf( _("\n#\n\n") );
 
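Review bot: The block under `#ifdef LDAP_CONTROL_X_DEREF` tests `sss` and prints `sss > 1`, so the "with dereference control" comment appears whenever server side sorting was requested and never for `-E deref` alone. It should test `derefcrit` and use `derefcrit > 1` for the criticality.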
@@ -1051,6 +1195,12 @@
 	if ( control != NULL ) {
 		ber_memfree( control );
 	}
+	if ( sss_keys != NULL ) {
+		ldap_free_sort_keylist( sss_keys );
+	}
+	if ( derefval.bv_val != NULL ) {
+		ldap_memfree( derefval.bv_val );
+	}
 
 	if ( c ) {
 		for ( ; save_nctrls-- > 0; ) {
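Review bot: `derefval` is declared only inside `#ifdef LDAP_CONTROL_X_DEREF` earlier in this file's diff, but the `if ( derefval.bv_val != NULL )` cleanup here is unconditional, so the file will not compile when that macro is undefined. Wrap these three lines in the same `#ifdef`.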
@@ -1092,14 +1242,15 @@
 	int			cancel_msgid = -1;
 
 	if( filtpatt != NULL ) {
-		size_t max_fsize = strlen( filtpatt ) + strlen( value ) + 1;
+		size_t max_fsize = strlen( filtpatt ) + strlen( value ) + 1, outlen;
 		filter = malloc( max_fsize );
 		if( filter == NULL ) {
 			perror( "malloc" );
 			return EXIT_FAILURE;
 		}
 
-		if( snprintf( filter, max_fsize, filtpatt, value ) >= max_fsize ) {
+		outlen = snprintf( filter, max_fsize, filtpatt, value );
+		if( outlen >= max_fsize ) {
 			fprintf( stderr, "Bad filter pattern: \"%s\"\n", filtpatt );
 			free( filter );
 			return EXIT_FAILURE;
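Review bot: outlen is a size_t but snprintf() returns int, so an error return of -1 is converted to a very large unsigned value. It still trips outlen >= max_fsize, but only through wraparound; keeping the result in an int and testing < 0 separately from the truncation case would make the check explicit. Also, max_fsize = strlen( filtpatt ) + strlen( value ) + 1 is only a valid bound when filtpatt holds at most one %s conversion, and filtpatt is passed directly as the format string, so a pattern with any other conversion consumes arguments that were never supplied. Validating the pattern before this call is worth a follow-up.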
@@ -1564,7 +1715,7 @@
 
 						tool_write_ldif( LDIF_PUT_TEXT,
 							"text", line,
-							next ? next - line : strlen( line ) );
+							next ? (size_t) (next - line) : strlen( line ));
 
 						line = next ? next + 1 : NULL;
 					}

Copied: openldap/trunk/clients/tools/ldapurl.c (from rev 1197, openldap/vendor/openldap-2.4.14/clients/tools/ldapurl.c)
===================================================================
--- openldap/trunk/clients/tools/ldapurl.c	                        (rev 0)
+++ openldap/trunk/clients/tools/ldapurl.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -0,0 +1,304 @@
+/* ldapurl -- a tool for generating LDAP URLs */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapurl.c,v 1.1.2.2 2009/01/22 00:00:43 kurt Exp $ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2008-2009 The OpenLDAP Foundation.
+ * Portions Copyright 2008 Pierangelo Masarati, SysNet
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ */
+/* Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and that due credit is given
+ * to the University of Michigan at Ann Arbor.  The name of the
+ * University may not be used to endorse or promote products derived
+ * from this software without specific prior written permission.  This
+ * software is provided ``as is'' without express or implied warranty.
+ */
+/* ACKNOWLEDGEMENTS:
+ * This work was originally developed by Pierangelo Masarati
+ * for inclusion in OpenLDAP software.
+ */
+
+#include "portable.h"
+
+#include <ac/stdlib.h>
+#include <stdio.h>
+#include <ac/unistd.h>
+
+#include "ldap.h"
+#include "ldap_pvt.h"
+#include "lutil.h"
+
+static int
+usage(void)
+{
+	fprintf( stderr, _("usage: %s [options]\n\n"), "ldapurl" );
+	fprintf( stderr, _("generates RFC 4516 LDAP URL with extensions\n\n" ) );
+	fprintf( stderr, _("URL options:\n"));
+	fprintf( stderr, _("  -a attrs   comma separated list of attributes\n" ) );
+	fprintf( stderr, _("  -b base    (RFC 4514 LDAP DN)\n" ) );
+	fprintf( stderr, _("  -E ext     (format: \"ext=value\"; multiple occurrences allowed)\n" ) );
+	fprintf( stderr, _("  -f filter  (RFC 4515 LDAP filter)\n" ) );
+	fprintf( stderr, _("  -h host    \n" ) );
+	fprintf( stderr, _("  -p port    (default: 389 for ldap, 636 for ldaps)\n" ) );
+	fprintf( stderr, _("  -s scope   (RFC 4511 searchScope and extensions)\n" ) );
+	fprintf( stderr, _("  -S scheme  (RFC 4516 LDAP URL scheme and extensions)\n" ) );
+	exit( EXIT_FAILURE );
+}
+
+static int
+do_uri_create( LDAPURLDesc *lud )
+{
+	char	*uri;
+
+	if ( lud->lud_scheme == NULL ) {
+		lud->lud_scheme = "ldap";
+	}
+
+	if ( lud->lud_port == -1 ) {
+		if ( strcasecmp( lud->lud_scheme, "ldap" ) == 0 ) {
+			lud->lud_port = LDAP_PORT;
+
+		} else if ( strcasecmp( lud->lud_scheme, "ldaps" ) == 0 ) {
+			lud->lud_port = LDAPS_PORT;
+
+		} else if ( strcasecmp( lud->lud_scheme, "ldapi" ) == 0 ) {
+			lud->lud_port = 0;
+
+		} else {
+			/* forgiving... */
+			lud->lud_port = 0;
+		}
+	}
+
+	if ( lud->lud_scope == -1 ) {
+		lud->lud_scope = LDAP_SCOPE_DEFAULT;
+	}
+
+	uri = ldap_url_desc2str( lud );
+
+	if ( lud->lud_attrs != NULL ) {
+		ldap_charray_free( lud->lud_attrs );
+		lud->lud_attrs = NULL;
+	}
+
+	if ( lud->lud_exts != NULL ) {
+		free( lud->lud_exts );
+		lud->lud_exts = NULL;
+	}
+
+	if ( uri == NULL ) {
+		fprintf( stderr, "unable to generate URI\n" );
+		exit( EXIT_FAILURE );
+	}
+
+	printf( "%s\n", uri );
+	free( uri );
+
+	return 0;
+}
+
+static int
+do_uri_explode( const char *uri )
+{
+	LDAPURLDesc	*lud;
+	int		rc;
+
+	rc = ldap_url_parse( uri, &lud );
+	if ( rc != LDAP_URL_SUCCESS ) {
+		fprintf( stderr, "unable to parse URI \"%s\"\n", uri );
+		return 1;
+	}
+
+	if ( lud->lud_scheme != NULL && lud->lud_scheme[0] != '\0' ) {
+		printf( "scheme: %s\n", lud->lud_scheme );
+	}
+
+	if ( lud->lud_host != NULL && lud->lud_host[0] != '\0' ) {
+		printf( "host: %s\n", lud->lud_host );
+	}
+
+	if ( lud->lud_port != 0 ) {
+		printf( "port: %d\n", lud->lud_port );
+	}
+
+	if ( lud->lud_dn != NULL && lud->lud_dn[0] != '\0' ) {
+		printf( "dn: %s\n", lud->lud_dn );
+	}
+
+	if ( lud->lud_attrs != NULL ) {
+		int	i;
+
+		for ( i = 0; lud->lud_attrs[i] != NULL; i++ ) {
+			printf( "selector: %s\n", lud->lud_attrs[i] );
+		}
+	}
+
+	if ( lud->lud_scope != LDAP_SCOPE_DEFAULT ) {
+		printf( "scope: %s\n", ldap_pvt_scope2str( lud->lud_scope ) );
+	}
+
+	if ( lud->lud_filter != NULL && lud->lud_filter[0] != '\0' ) {
+		printf( "filter: %s\n", lud->lud_filter );
+	}
+
+	if ( lud->lud_exts != NULL ) {
+		int	i;
+
+		for ( i = 0; lud->lud_exts[i] != NULL; i++ ) {
+			printf( "extension: %s\n", lud->lud_exts[i] );
+		}
+	}
+
+	return 0;
+}
+
+int
+main( int argc, char *argv[])
+{
+	LDAPURLDesc	lud = { 0 };
+	char		*uri = NULL;
+	int		gotlud = 0;
+	int		nexts = 0;
+
+	lud.lud_port = -1;
+	lud.lud_scope = -1;
+
+	while ( 1 ) {
+		int opt = getopt( argc, argv, "S:h:p:b:a:s:f:E:H:" );
+
+		if ( opt == EOF ) {
+			break;
+		}
+
+		if ( opt == 'H' ) {
+			if ( gotlud ) {
+				fprintf( stderr, "option -H incompatible with previous options\n" );
+				usage();
+			}
+
+			if ( uri != NULL ) {
+				fprintf( stderr, "URI already provided\n" );
+				usage();
+			}
+
+			uri = optarg;
+			continue;
+		}
+
+		switch ( opt ) {
+		case 'S':
+		case 'h':
+		case 'p':
+		case 'b':
+		case 'a':
+		case 's':
+		case 'f':
+		case 'E':
+			if ( uri != NULL ) {
+				fprintf( stderr, "option -%c incompatible with -H\n", opt );
+				usage();
+			}
+			gotlud++;
+		}
+
+		switch ( opt ) {
+		case 'S':
+			if ( lud.lud_scheme != NULL ) {
+				fprintf( stderr, "scheme already provided\n" );
+				usage();
+			}
+			lud.lud_scheme = optarg;
+			break;
+
+		case 'h':
+			if ( lud.lud_host != NULL ) {
+				fprintf( stderr, "host already provided\n" );
+				usage();
+			}
+			lud.lud_host = optarg;
+			break;
+
+		case 'p':
+			if ( lud.lud_port != -1 ) {
+				fprintf( stderr, "port already provided\n" );
+				usage();
+			}
+
+			if ( lutil_atoi( &lud.lud_port, optarg ) ) {
+				fprintf( stderr, "unable to parse port \"%s\"\n", optarg );
+				usage();
+			}
+			break;
+
+		case 'b':
+			if ( lud.lud_dn != NULL ) {
+				fprintf( stderr, "base already provided\n" );
+				usage();
+			}
+			lud.lud_dn = optarg;
+			break;
+
+		case 'a':
+			if ( lud.lud_attrs != NULL ) {
+				fprintf( stderr, "attrs already provided\n" );
+				usage();
+			}
+			lud.lud_attrs = ldap_str2charray( optarg, "," );
+			if ( lud.lud_attrs == NULL ) {
+				fprintf( stderr, "unable to parse attrs list \"%s\"\n", optarg );
+				usage();
+			}
+			break;
+
+		case 's':
+			if ( lud.lud_scope != -1 ) {
+				fprintf( stderr, "scope already provided\n" );
+				usage();
+			}
+
+			lud.lud_scope = ldap_pvt_str2scope( optarg );
+			if ( lud.lud_scope == -1 ) {
+				fprintf( stderr, "unable to parse scope \"%s\"\n", optarg );
+				usage();
+			}
+			break;
+
+		case 'f':
+			if ( lud.lud_filter != NULL ) {
+				fprintf( stderr, "filter already provided\n" );
+				usage();
+			}
+			lud.lud_filter = optarg;
+			break;
+
+		case 'E':
+			lud.lud_exts = (char **)realloc( lud.lud_exts,
+				sizeof( char * ) * ( nexts + 2 ) );
+			lud.lud_exts[ nexts++ ] = optarg;
+			lud.lud_exts[ nexts ] = NULL;
+			break;
+
+		default:
+			assert( opt != 'H' );
+			usage();
+		}
+	}
+
+	if ( uri != NULL ) {
+		return do_uri_explode( uri );
+
+	}
+
+	return do_uri_create( &lud );
+}
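Review bot: In the -E case the result of realloc() is stored straight into lud.lud_exts and indexed on the next line with no NULL check, so an allocation failure becomes a NULL dereference and the previous array is lost; assign to a temporary, check it, and exit with an error on failure. Separately, do_uri_explode() never releases the LDAPURLDesc filled in by ldap_url_parse() (ldap_free_urldesc( lud ) before the final return), usage() is declared to return int but always calls exit(), and main() uses assert() although no assert header appears among the includes in this file.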

Modified: openldap/trunk/clients/tools/ldapwhoami.c
===================================================================
--- openldap/trunk/clients/tools/ldapwhoami.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/clients/tools/ldapwhoami.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* ldapwhoami.c -- a tool for asking the directory "Who Am I?" */
-/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/clients/tools/ldapwhoami.c,v 1.42.2.5 2009/01/22 00:00:43 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * Portions Copyright 1998-2003 Kurt D. Zeilenga.
  * Portions Copyright 1998-2001 Net Boolean Incorporated.
  * Portions Copyright 2001-2003 IBM Corporation.
@@ -62,7 +62,7 @@
 
 
 const char options[] = ""
-	"d:D:e:h:H:InO:o:p:QR:U:vVw:WxX:y:Y:Z";
+	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )

Modified: openldap/trunk/configure.in
===================================================================
--- openldap/trunk/configure.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/configure.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $
+dnl $OpenLDAP: pkg/ldap/configure.in,v 1.631.2.22 2009/01/26 21:54:23 quanah Exp $
 dnl This work is part of OpenLDAP Software <http://www.openldap.org/>.
 dnl
-dnl Copyright 1998-2008 The OpenLDAP Foundation.
+dnl Copyright 1998-2009 The OpenLDAP Foundation.
 dnl All rights reserved.
 dnl
 dnl Redistribution and use in source and binary forms, with or without
@@ -23,9 +23,9 @@
 define([AC_LIBTOOL_LANG_GCJ_CONFIG], [:])dnl
 dnl ================================================================
 dnl Configure.in for OpenLDAP
-AC_COPYRIGHT([[Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
+AC_COPYRIGHT([[Copyright 1998-2009 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.9 2008/02/11 23:26:37 kurt Exp $])
+AC_REVISION([$OpenLDAP: pkg/ldap/configure.in,v 1.631.2.22 2009/01/26 21:54:23 quanah Exp $])
 AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
 m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
 AC_CONFIG_SRCDIR(build/version.sh)dnl
@@ -96,7 +96,7 @@
 /* begin of portable.h.pre */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation
+ * Copyright 1998-2009 The OpenLDAP Foundation
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -242,6 +242,8 @@
 	auto, [auto yes no] )
 OL_ARG_WITH(fetch,[  --with-fetch		  with fetch(3) URL support],
 	auto, [auto yes no] )
+OL_ARG_WITH(gssapi,[  --with-gssapi		  with GSSAPI support],
+	auto, [auto yes no] )
 OL_ARG_WITH(threads,[  --with-threads	  with threads],
 	auto, [auto nt posix mach pth lwp yes no manual] )
 OL_ARG_WITH(tls,[  --with-tls		  with TLS/SSL support auto|openssl|gnutls],
@@ -253,8 +255,8 @@
 	[  --with-mp               with multiple precision statistics auto|longlong|long|bignum|gmp],
 	auto, [auto longlong long bignum gmp yes no])
 OL_ARG_WITH(odbc,
-	[  --with-odbc             with specific ODBC support iodbc|unixodbc|auto],
-	auto, [auto iodbc unixodbc] )
+	[  --with-odbc             with specific ODBC support iodbc|unixodbc|odbc32|auto],
+	auto, [auto iodbc unixodbc odbc32] )
 
 dnl ----------------------------------------------------------------
 dnl Server options
@@ -286,6 +288,7 @@
 	ldap \
 	meta \
 	monitor \
+	ndb \
 	null \
 	passwd \
 	perl \
@@ -311,6 +314,8 @@
 	no, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(monitor,[    --enable-monitor	  enable monitor backend],
 	yes, [no yes mod], ol_enable_backends)dnl
+OL_ARG_ENABLE(ndb,[    --enable-ndb	  enable MySQL NDB Cluster backend],
+	no, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(null,[    --enable-null	  enable null backend],
 	no, [no yes mod], ol_enable_backends)dnl
 OL_ARG_ENABLE(passwd,[    --enable-passwd	  enable passwd backend],
@@ -330,8 +335,10 @@
 dnl SLAPD Overlay Options
 Overlays="accesslog \
 	auditlog \
+	collect \
 	constraint \
 	dds \
+	deref \
 	dyngroup \
 	dynlist \
 	memberof \
@@ -355,10 +362,14 @@
 	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(auditlog,[    --enable-auditlog	  Audit Logging overlay],
 	no, [no yes mod], ol_enable_overlays)
+OL_ARG_ENABLE(collect,[    --enable-collect	  Collect overlay],
+	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(constraint,[    --enable-constraint	  Attribute Constraint overlay],
 	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(dds,[    --enable-dds  	  Dynamic Directory Services overlay],
 	no, [no yes mod], ol_enable_overlays)
+OL_ARG_ENABLE(deref,[    --enable-deref	  Dereference overlay],
+	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(dyngroup,[    --enable-dyngroup	  Dynamic Group overlay],
 	no, [no yes mod], ol_enable_overlays)
 OL_ARG_ENABLE(dynlist,[    --enable-dynlist	  Dynamic List overlay],
@@ -460,6 +471,7 @@
 	test $ol_enable_ldap = no &&
 	test $ol_enable_meta = no &&
 	test $ol_enable_monitor = no &&
+	test $ol_enable_ndb = no &&
 	test $ol_enable_null = no &&
 	test $ol_enable_passwd = no &&
 	test $ol_enable_perl = no &&
@@ -500,6 +512,8 @@
 dnl Initialize vars
 LDAP_LIBS=
 BDB_LIBS=
+SLAPD_NDB_LIBS=
+SLAPD_NDB_INCS=
 LTHREAD_LIBS=
 LUTIL_LIBS=
 
@@ -518,6 +532,7 @@
 BUILD_LDAP=no
 BUILD_META=no
 BUILD_MONITOR=no
+BUILD_NDB=no
 BUILD_NULL=no
 BUILD_PASSWD=no
 BUILD_PERL=no
@@ -566,6 +581,7 @@
 KRB4_LIBS=
 KRB5_LIBS=
 SASL_LIBS=
+GSSAPI_LIBS=
 TLS_LIBS=
 MODULES_LIBS=
 SLAPI_LIBS=
@@ -675,12 +691,14 @@
 fi
 
 AC_PROG_CPP
+OL_MSVC
 
 dnl ----------------------------------------------------------------
 dnl Checks for Windows NT
 case $host_os in
   *mingw32* ) ac_cv_mingw32=yes ;;
   *cygwin* ) ac_cv_cygwin=yes ;;
+  *interix* ) ac_cv_interix=yes ;;
 esac
 
 dnl ----------------------------------------------------------------
@@ -826,7 +844,10 @@
 )
 
 dnl Only check Winsock on MinGW
-if test "$ac_cv_mingw32" = yes ; then
+if test "$ac_cv_mingw32" = yes \
+	-o "$ac_cv_interix" = yes \
+	-o "$ol_cv_msvc" = yes
+then
 	AC_CHECK_HEADERS( winsock.h winsock2.h )
 fi
 
@@ -858,37 +879,48 @@
 	AC_CHECK_LIB(V3, sigset)
 fi
 
+if test $ol_cv_msvc ; then
+   ol_cv_winsock=yes
+fi
+
 dnl The following is INTENTIONALLY scripted out because shell does not
 dnl support variable names with the '@' character, which is what
 dnl autoconf would try to generate if one merely used AC_SEARCH_LIBS
 if test "$ac_cv_header_winsock_h" = yes; then
-AC_CACHE_CHECK([for winsock], [ol_cv_winsock],
-save_LIBS="$LIBS"
-for curlib in ws2_32 wsock32; do
-	LIBS="$LIBS -l$curlib"
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <winsock.h>
+	AC_CACHE_CHECK([for winsock], [ol_cv_winsock],[
+	save_LIBS="$LIBS"
+	for curlib in none ws2_32 wsock32; do
+		if test curlib != none ; then
+	    	LIBS="$save_LIBS -l$curlib"
+		fi
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <winsock.h>
 			]], [[
 			socket(0,0,0);
 			select(0,NULL,NULL,NULL,NULL);
 			closesocket(0);
 			gethostname(NULL,0);
-			]])],[ol_cv_winsock=yes],[ol_cv_winsock=no])
+			]])],[ol_cv_winsock=$curlib],[ol_cv_winsock=no])
 
-	if test $ol_cv_winsock = yes; then
-		AC_DEFINE(HAVE_WINSOCK, 1, [define if you have winsock])
-		ac_cv_func_socket=yes
-		ac_cv_func_select=yes
-		ac_cv_func_closesocket=yes
-		ac_cv_func_gethostname=yes
-		if test $curlib = ws2_32; then
-			ol_cv_winsock=winsock2
-			AC_DEFINE(HAVE_WINSOCK2, 1,
-				  [define if you have winsock2])
+		test "$ol_cv_winsock" != no && break
+	done
+	LIBS="$save_LIBS"
+	])
+
+	if test $ol_cv_winsock != no ; then
+    	AC_DEFINE(HAVE_WINSOCK, 1, [define if you have winsock])
+    	ac_cv_func_socket=yes
+    	ac_cv_func_select=yes
+    	ac_cv_func_closesocket=yes
+    	ac_cv_func_gethostname=yes
+
+		if test $ol_cv_winsock != none -a $ol_cv_winsock != yes ; then
+        	LIBS="$LIBS -l$ol_cv_winsock"
 		fi
-		break
+
+    	if test $ol_cv_winsock = ws2_32 -o $ol_cv_winsock = yes ; then
+			AC_DEFINE(HAVE_WINSOCK2, 1, [define if you have winsock2])
+    	fi
 	fi
-	LIBS="$save_LIBS"
-done)
 fi
 
 dnl Find socket()
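Review bot: "if test curlib != none" is missing the $, so it compares the literal word curlib with none and is always true. The first pass of the loop therefore links with -lnone instead of trying no extra library, which defeats the point of adding none to the list; it should be test "$curlib" != none. The new "if test $ol_cv_msvc ; then" has a related problem: test with a single word is true for any non-empty value, so it should compare against yes and quote the variable, as the Winsock header check earlier in this patch does.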
@@ -953,7 +985,6 @@
 fi
 
 dnl ----------------------------------------------------------------
-# strerror checks
 OL_STRERROR
 
 dnl ----------------------------------------------------------------
@@ -981,12 +1012,14 @@
 
 have_uuid=no
 AC_CHECK_HEADERS(sys/uuid.h)
+dnl The HAVE_UUID_TO_STR code path also needs uuid_create
 if test $ac_cv_header_sys_uuid_h = yes ; then
 	save_LIBS="$LIBS"
 	AC_SEARCH_LIBS([uuid_to_str], [uuid], [have_uuid=yes], :)
+	AC_SEARCH_LIBS([uuid_create], [uuid], :, [have_uuid=no])
 	LIBS="$save_LIBS"
 
-	if test have_uuid = yes ; then
+	if test $have_uuid = yes ; then
 		AC_DEFINE(HAVE_UUID_TO_STR,1,
 			[define if you have uuid_to_str()])
 
@@ -996,14 +1029,16 @@
 fi
 
 dnl Look for uuid_generate
+dnl The HAVE_UUID_GENERATE code path also needs uuid_unparse_lower
 if test $have_uuid = no ; then
 	AC_CHECK_HEADERS(uuid/uuid.h)
 	if test $ac_cv_header_uuid_uuid_h = yes ; then
 		save_LIBS="$LIBS"
 		AC_SEARCH_LIBS([uuid_generate], [uuid], [have_uuid=yes], :)
+		AC_SEARCH_LIBS([uuid_unparse_lower], [uuid], :, [have_uuid=no])
 		LIBS="$save_LIBS"
 
-		if test have_uuid = yes ; then
+		if test $have_uuid = yes ; then
 			AC_DEFINE(HAVE_UUID_GENERATE,1,
 				[define if you have uuid_generate()])
 
@@ -1111,6 +1146,63 @@
 fi
 
 dnl ----------------------------------------------------------------
+dnl GSSAPI
+ol_link_gssapi=no
+
+case $ol_with_gssapi in yes | auto)
+
+	ol_header_gssapi=no
+	AC_CHECK_HEADERS(gssapi/gssapi.h)
+	if test $ac_cv_header_gssapi_gssapi_h = yes ; then
+		ol_header_gssapi=yes
+	else
+		AC_CHECK_HEADERS(gssapi.h)
+		if test $ac_cv_header_gssapi_h = yes ; then
+			ol_header_gssapi=yes
+		fi
+
+		dnl## not every gssapi has gss_oid_to_str()
+		dnl## as it's not defined in the GSSAPI V2 API
+		dnl## anymore
+		saveLIBS="$LIBS"
+		LIBS="$LIBS $GSSAPI_LIBS"
+		AC_CHECK_FUNCS(gss_oid_to_str)
+		LIBS="$saveLIBS"
+	fi
+
+	if test $ol_header_gssapi = yes ; then
+		dnl## we check for gss_wrap
+		dnl## as it's new to the GSSAPI V2 API
+		AC_CHECK_LIB(gssapi, gss_wrap,
+		             [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi"],
+		             [ol_link_gssapi=no])
+		if test $ol_link_gssapi != yes ; then
+			AC_CHECK_LIB(gssapi_krb5, gss_wrap,
+			             [ol_link_gssapi=yes;GSSAPI_LIBS="-lgssapi_krb5"],
+			             [ol_link_gssapi=no])
+		fi
+		if test $ol_link_gssapi != yes ; then
+			AC_CHECK_LIB(gss, gss_wrap,
+			             [ol_link_gssapi=yes;GSSAPI_LIBS="-lgss"],
+			             [ol_link_gssapi=no])
+		fi
+	fi
+
+	;;
+esac
+
+WITH_GSSAPI=no
+if test $ol_link_gssapi = yes; then
+	AC_DEFINE(HAVE_GSSAPI, 1, [define if you have GSSAPI])
+	WITH_GSSAPI=yes
+elif test $ol_with_gssapi = auto ; then
+	AC_MSG_WARN([Could not locate GSSAPI package])
+	AC_MSG_WARN([GSSAPI authentication not supported!])
+elif test $ol_with_gssapi = yes ; then
+	AC_MSG_ERROR([GSSAPI detection failed])
+fi
+
+dnl ----------------------------------------------------------------
 dnl TLS/SSL
 	
 if test $ol_with_tls = yes ; then
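Review bot: The AC_CHECK_FUNCS(gss_oid_to_str) probe sits inside the else branch, so it runs only when gssapi/gssapi.h is missing, and it runs before any AC_CHECK_LIB call has set GSSAPI_LIBS, which is still empty at that point (LIBS="$LIBS $GSSAPI_LIBS" adds nothing). Move the probe after the gss_wrap library checks and outside the header if/else so the result reflects the library actually selected. Minor: this block uses saveLIBS where the rest of the file uses save_LIBS.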
@@ -1840,12 +1932,6 @@
 		BDB_LIBS="$BDB_LIBS $ol_cv_lib_db"
 	fi
 
-	OL_BDB_COMPAT
-
-	if test $ol_cv_bdb_compat != yes ; then
-		AC_MSG_ERROR([BDB/HDB: BerkeleyDB version incompatible])
-	fi
-
 	SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
 
 	ol_link_bdb=yes 
@@ -1929,7 +2015,7 @@
 	LIBS="$LTHREAD_LIBS"
 
 	if test $ol_with_odbc = auto ; then
-		ol_with_odbc="iodbc unixodbc"
+		ol_with_odbc="iodbc unixodbc odbc32"
 	fi
 
 	for odbc in $ol_with_odbc ; do
@@ -1949,6 +2035,13 @@
 				fi
 				;;
 
+			odbc32)
+				AC_CHECK_LIB(odbc32, SQLDriverConnect, [have_odbc32=yes], [have_odbc32=no])
+				if test $have_odbc32 = yes ; then
+					ol_link_sql="-lodbc32"
+				fi
+				;;
+
 			*)
 				AC_MSG_ERROR([unknown ODBC library])
 				;;
@@ -1967,6 +2060,47 @@
 fi
 
 dnl ----------------------------------------------------------------
+dnl MySQL NDBapi
+dnl Note: uses C++, but we don't want to add C++ test overhead to
+dnl the rest of the libtool machinery.
+ol_link_ndb=no
+if test $ol_enable_ndb != no ; then
+	AC_CHECK_PROG(MYSQL,mysql_config,yes)
+	if test "$MYSQL" != yes ; then
+		AC_MSG_ERROR([could not locate mysql_config])
+	fi
+
+	SQL_INC=`mysql_config --include`
+	SLAPD_NDB_INCS="$SQL_INC $SQL_INC/storage/ndb $SQL_INC/storage/ndb/ndbapi"
+
+	save_CPPFLAGS="$CPPFLAGS"
+	CPPFLAGS="$SLAPD_NDB_INCS"
+	AC_MSG_CHECKING(for NdbApi.hpp)
+	AC_PREPROC_IFELSE(
+		[AC_LANG_SOURCE([[#include <NdbApi.hpp>]])],
+			AC_MSG_RESULT(yes),
+			AC_MSG_ERROR([could not locate NdbApi headers])
+	)
+	CPPFLAGS="$save_CPPFLAGS"
+
+	SQL_LIB=`mysql_config --libs_r`
+	SLAPD_NDB_LIBS="$SQL_LIB -lndbclient -lstdc++"
+
+	save_LDFLAGS="$LDFLAGS"
+	save_LIBS="$LIBS"
+	LDFLAGS="$SQL_LIB"
+	AC_CHECK_LIB(ndbclient,ndb_init,[: ok],[
+		AC_MSG_ERROR([could not locate ndbclient library])
+	],[-lstdc++])
+	LIBS="$save_LIBS"
+	LDFLAGS="$save_LDFLAGS"
+
+	if test "$ol_enable_ndb" = yes ; then
+		SLAPD_LIBS="$SLAPD_LIBS \$(SLAPD_NDB_LIBS)"
+	fi
+fi
+
+dnl ----------------------------------------------------------------
 dnl International Components for Unicode
 OL_ICU
 if test "$ol_icu" = no ; then
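Review bot: The NdbApi.hpp probe sets CPPFLAGS="$SLAPD_NDB_INCS", replacing rather than extending the caller's CPPFLAGS, so include paths or defines passed to configure are dropped for this check; use CPPFLAGS="$CPPFLAGS $SLAPD_NDB_INCS". SLAPD_NDB_INCS is also built by appending /storage/ndb to the whole output of mysql_config --include, which yields valid flags only if that output is a single -I option; if that is the assumption, a dnl comment saying so would help. The exit status of both mysql_config invocations is ignored, so an empty SQL_INC or SQL_LIB passes through silently until the header or library check fails.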
@@ -2292,9 +2426,12 @@
 	AC_DEFINE(snprintf, _snprintf, [define to snprintf routine])
 ])
 
-AC_CHECK_FUNC(_vsnprintf, [ac_cv_func_vsnprintf=yes
+AC_CHECK_FUNCS(vsnprintf _vsnprintf)
+
+if test $ac_cv_func_vsnprintf = no -a $ac_cv_func__vsnprintf = yes ; then
+	ac_cv_func_vsnprintf=yes
 	AC_DEFINE(vsnprintf, _vsnprintf, [define to vsnprintf routine])
-])
+fi
 
 AC_FUNC_VPRINTF
 
@@ -2313,6 +2450,7 @@
 	flock			\
 	fstat			\
 	getdtablesize		\
+	geteuid			\
 	getgrgid		\
 	gethostname		\
 	getpass			\
@@ -2572,6 +2710,19 @@
 	AC_DEFINE_UNQUOTED(SLAPD_META,$MFLAG,[define to support LDAP Metadirectory backend])
 fi
 
+if test "$ol_enable_ndb" != no ; then
+	BUILD_SLAPD=yes
+	BUILD_NDB=$ol_enable_ndb
+	if test "$ol_enable_ndb" = mod ; then
+		SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-ndb"
+		MFLAG=SLAPD_MOD_DYNAMIC
+	else
+		SLAPD_STATIC_BACKENDS="$SLAPD_STATIC_BACKENDS back-ndb"
+		MFLAG=SLAPD_MOD_STATIC
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_NDB,$MFLAG,[define to support NDB backend])
+fi
+
 if test "$ol_enable_null" != no ; then
 	BUILD_SLAPD=yes
 	BUILD_NULL=$ol_enable_null
@@ -2690,6 +2841,18 @@
 	AC_DEFINE_UNQUOTED(SLAPD_OVER_AUDITLOG,$MFLAG,[define for Audit Logging overlay])
 fi
 
+if test "$ol_enable_collect" != no ; then
+        BUILD_COLLECT=$ol_enable_collect
+        if test "$ol_enable_collect" = mod ; then
+                MFLAG=SLAPD_MOD_DYNAMIC
+                SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS collect.la"
+        else
+                MFLAG=SLAPD_MOD_STATIC
+                SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS collect.o"
+        fi
+        AC_DEFINE_UNQUOTED(SLAPD_OVER_COLLECT,$MFLAG,[define for Collect overlay])
+fi
+
 if test "$ol_enable_constraint" != no ; then
 	BUILD_CONSTRAINT=$ol_enable_constraint
 	if test "$ol_enable_constraint" = mod ; then
@@ -2714,6 +2877,18 @@
 	AC_DEFINE_UNQUOTED(SLAPD_OVER_DDS,$MFLAG,[define for Dynamic Directory Services overlay])
 fi
 
+if test "$ol_enable_deref" != no ; then
+	BUILD_DDS=$ol_enable_deref
+	if test "$ol_enable_deref" = mod ; then
+		MFLAG=SLAPD_MOD_DYNAMIC
+		SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS deref.la"
+	else
+		MFLAG=SLAPD_MOD_STATIC
+		SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS deref.o"
+	fi
+	AC_DEFINE_UNQUOTED(SLAPD_OVER_DEREF,$MFLAG,[define for Dynamic Directory Services overlay])
+fi
+
 if test "$ol_enable_dyngroup" != no ; then
 	BUILD_DYNGROUP=$ol_enable_dyngroup
 	if test "$ol_enable_dyngroup" = mod ; then
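Review bot: The deref block assigns BUILD_DDS=$ol_enable_deref, which overwrites the value set by the dds block directly above instead of setting BUILD_DEREF, and the AC_DEFINE_UNQUOTED description for SLAPD_OVER_DEREF still reads "define for Dynamic Directory Services overlay". Both look like leftovers from copying the dds stanza. The later AC_SUBST hunk in this patch adds BUILD_COLLECT but no BUILD_DEREF, so that would need adding as well.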
@@ -2889,7 +3064,7 @@
 dnl They hurt more than they help.
 dnl
 
-if test "$ac_cv_mingw32" = yes ; then
+if test "$ac_cv_mingw32" = yes -o $ol_cv_msvc = yes ; then
 	PLAT=NT
 	SLAPD_MODULES_LDFLAGS=
 else
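Review bot: $ol_cv_msvc is unquoted in test "$ac_cv_mingw32" = yes -o $ol_cv_msvc = yes, so when the variable is empty or unset the expression collapses to "-o = yes" and test reports a syntax error instead of evaluating to false. Quote it as "$ol_cv_msvc", as the Winsock header check earlier in this patch already does.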
@@ -2916,6 +3091,7 @@
   AC_SUBST(BUILD_LDAP)
   AC_SUBST(BUILD_META)
   AC_SUBST(BUILD_MONITOR)
+  AC_SUBST(BUILD_NDB)
   AC_SUBST(BUILD_NULL)
   AC_SUBST(BUILD_PASSWD)
   AC_SUBST(BUILD_RELAY)
@@ -2926,6 +3102,7 @@
 dnl overlays
   AC_SUBST(BUILD_ACCESSLOG)
   AC_SUBST(BUILD_AUDITLOG)
+  AC_SUBST(BUILD_COLLECT)
   AC_SUBST(BUILD_CONSTRAINT)
   AC_SUBST(BUILD_DDS)
   AC_SUBST(BUILD_DENYOP)
@@ -2947,6 +3124,8 @@
 AC_SUBST(LDAP_LIBS)
 AC_SUBST(SLAPD_LIBS)
 AC_SUBST(BDB_LIBS)
+AC_SUBST(SLAPD_NDB_LIBS)
+AC_SUBST(SLAPD_NDB_INCS)
 AC_SUBST(LTHREAD_LIBS)
 AC_SUBST(LUTIL_LIBS)
 AC_SUBST(WRAP_LIBS)
@@ -2967,6 +3146,7 @@
 AC_SUBST(KRB4_LIBS)
 AC_SUBST(KRB5_LIBS)
 AC_SUBST(SASL_LIBS)
+AC_SUBST(GSSAPI_LIBS)
 AC_SUBST(TLS_LIBS)
 AC_SUBST(MODULES_LIBS)
 AC_SUBST(SLAPI_LIBS)
@@ -3017,6 +3197,7 @@
 [servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk]
 [servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk]
 [servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk]
+[servers/slapd/back-ndb/Makefile:build/top.mk:servers/slapd/back-ndb/Makefile.in:build/mod.mk]
 [servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk]
 [servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk]
 [servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk]
@@ -3040,7 +3221,7 @@
 cat > $BACKENDSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -3091,7 +3272,7 @@
 cat > $OVERLAYSC << ENDX
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ConfigOIDs
===================================================================
--- openldap/trunk/contrib/ConfigOIDs	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ConfigOIDs	2009-02-17 17:44:09 UTC (rev 1198)
@@ -3,3 +3,4 @@
 OLcfgCt{Oc|At}:1	smbk5pwd
 OLcfgCt{Oc|At}:2	autogroup
 OLcfgCt{Oc|At}:3	nssov
+OLcfgCt{Oc|At}:4	cloak

Modified: openldap/trunk/contrib/ldapc++/COPYRIGHT
===================================================================
--- openldap/trunk/contrib/ldapc++/COPYRIGHT	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/COPYRIGHT	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 1998-2008 The OpenLDAP Foundation
+Copyright 1998-2009 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/ldapc++/configure
===================================================================
--- openldap/trunk/contrib/ldapc++/configure	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/configure	2009-02-17 17:44:09 UTC (rev 1198)
@@ -5,7 +5,7 @@
 #
 # Report bugs to <http://www.openldap.org/its/ >.
 #
-# Copyright 2000-2008 The OpenLDAP Foundation. All rights reserved.
+# Copyright 2000-2009 The OpenLDAP Foundation. All rights reserved.
 # Restrictions apply, see COPYRIGHT and LICENSE files.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1581,7 +1581,7 @@
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 
-Copyright 2000-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2000-2009 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.
 _ACEOF
   exit

Modified: openldap/trunk/contrib/ldapc++/configure.in
===================================================================
--- openldap/trunk/contrib/ldapc++/configure.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/configure.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,13 +1,13 @@
-dnl $OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.7 2008/07/09 21:59:44 quanah Exp $
+dnl $OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.8 2009/01/22 00:00:44 kurt Exp $
 
 dnl Copyright 2000-2008, OpenLDAP Foundation, All Rights Reserved.
 dnl COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 
 dnl Process this file with autoconf to produce a configure script.
 
-AC_COPYRIGHT([[Copyright 2000-2008 The OpenLDAP Foundation. All rights reserved.
+AC_COPYRIGHT([[Copyright 2000-2009 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.7 2008/07/09 21:59:44 quanah Exp $])
+AC_REVISION([$OpenLDAP: pkg/ldap/contrib/ldapc++/configure.in,v 1.8.2.8 2009/01/22 00:00:44 kurt Exp $])
 AC_INIT(ldapcpplib, [] , [http://www.openldap.org/its/] )
 AC_CONFIG_SRCDIR(src/LDAPConnection.h)
 AM_INIT_AUTOMAKE(foreign)

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.cpp	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.cpp,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.cpp,v 1.3.4.4 2008/09/02 23:58:15 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -19,7 +19,7 @@
     usage = 0;
 }
 
-LDAPAttrType::LDAPAttrType (string at_item) { 
+LDAPAttrType::LDAPAttrType (string at_item, int flags ) { 
 
     DEBUG(LDAP_DEBUG_CONSTRUCT,
             "LDAPAttrType::LDAPAttrType( )" << endl);
@@ -27,7 +27,7 @@
     LDAPAttributeType *a;
     int ret;
     const char *errp;
-    a = ldap_str2attributetype (at_item.c_str(), &ret, &errp,SCHEMA_PARSE_FLAG);
+    a = ldap_str2attributetype (at_item.c_str(), &ret, &errp, flags);
 
     if (a) {
 	this->setNames( a->at_names );

Modified: openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPAttrType.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.h,v 1.3.4.3 2008/05/01 21:28:42 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPAttrType.h,v 1.3.4.4 2008/09/02 23:58:15 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -12,9 +12,6 @@
 
 #include "StringList.h"
 
-#define SCHEMA_PARSE_FLAG    0x03
-
-
 using namespace std;
 
 /**
@@ -43,7 +40,8 @@
 	 * "( SuSE.YaST.Attr:19 NAME ( 'skelDir' ) DESC ''
 	 *    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"
          */   
-        LDAPAttrType (string at_item);
+        LDAPAttrType (string at_item, int flags = LDAP_SCHEMA_ALLOW_NO_OID | 
+                      LDAP_SCHEMA_ALLOW_QUOTED );
 
         /**
          * Destructor

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.cpp	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.cpp,v 1.4.10.1 2008/04/14 23:09:26 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.cpp,v 1.4.10.2 2008/09/03 18:03:43 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -10,13 +10,6 @@
 
 using namespace std;
 
-LDAPCtrl::LDAPCtrl(const LDAPCtrl& c){
-    DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPCtrl::LDAPCtrl(&)" << endl);
-    m_oid=c.m_oid;
-    m_data=c.m_data;
-    m_isCritical=c.m_isCritical;
-}
-
 LDAPCtrl::LDAPCtrl(const char *oid, bool critical, const char* data,
         int length){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPCtrl::LDAPCtrl()" << endl);
@@ -28,10 +21,10 @@
         m_data.assign(data,length);
     }else{
         m_data=string();
+        m_noData=true;
     }
 }
 
-
 LDAPCtrl::LDAPCtrl(const string& oid, bool critical, const string& data){
     DEBUG(LDAP_DEBUG_CONSTRUCT,"LDAPCtrl::LDAPCtrl()" << endl);
     DEBUG(LDAP_DEBUG_CONSTRUCT | LDAP_DEBUG_PARAMETER,
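Review bot: m_noData is assigned only in the else branch of the (const char *oid, bool critical, const char* data, int length) constructor; the branch ending in m_data.assign(data,length) has no matching assignment in the lines shown. Unless the member is set above the visible context, hasData() and the m_noData test added to getControlStruct() read an indeterminate bool for controls that do carry a value. Add m_noData=false; next to the assign, or initialise the member before the if.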
@@ -39,6 +32,7 @@
     m_oid=oid;
     m_isCritical=critical;
     m_data=data;
+    m_noData=false;
 }
 
 LDAPCtrl::LDAPCtrl(const LDAPControl* ctrl){
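Review bot: the LDAPCtrl(const LDAPControl* ctrl) constructor that begins on the last context line of this hunk is not touched by any hunk in this file, so the newly introduced m_noData member is never set on that path. Controls built from a C LDAPControl would then report an arbitrary hasData() and may be serialised by getControlStruct() with a NULL value. Set m_noData there as well, for example from whether ctrl->ldctl_value.bv_val is NULL.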
@@ -62,6 +56,10 @@
     return m_isCritical;
 }
 
+bool LDAPCtrl::hasData() const{
+    return !m_noData;
+}
+ 
 string LDAPCtrl::getData() const {
     DEBUG(LDAP_DEBUG_TRACE,"LDAPCtrl::getData()" << endl);
     return m_data;
@@ -73,9 +71,14 @@
     ret->ldctl_oid= new char[m_oid.size() + 1];
     m_oid.copy(ret->ldctl_oid,string::npos);
     ret->ldctl_oid[m_oid.size()]=0;
-    ret->ldctl_value.bv_len=m_data.size();
-    ret->ldctl_value.bv_val= new char[m_data.size()];
-    m_data.copy(ret->ldctl_value.bv_val,string::npos);
+    if ( m_noData ) {
+        ret->ldctl_value.bv_len = 0;
+        ret->ldctl_value.bv_val = NULL;
+    } else {
+        ret->ldctl_value.bv_len=m_data.size();
+        ret->ldctl_value.bv_val= new char[m_data.size()];
+        m_data.copy(ret->ldctl_value.bv_val,string::npos);
+    }
     ret->ldctl_iscritical = ( m_isCritical ? 1:0);
     return ret;
 }

Modified: openldap/trunk/contrib/ldapc++/src/LDAPControl.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPControl.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.h,v 1.5.10.1 2008/04/14 23:09:26 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPControl.h,v 1.5.10.2 2008/09/03 18:03:43 quanah Exp $
 /*
  * Copyright 2000, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -17,11 +17,6 @@
 class LDAPCtrl{
     public :
         /**
-         * Copy-constructor
-         */
-        LDAPCtrl(const LDAPCtrl& c);
-
-        /**
          * Constructor.
          * @param oid:  The Object Identifier of the Control
          * @param critical: "true" if the Control should be handled
@@ -29,7 +24,7 @@
          * @param data: If there is data for the control, put it here.
          * @param length: The length of the data field
          */
-        LDAPCtrl(const char *oid, bool critical, const char *data=0, 
+        LDAPCtrl(const char *oid, bool critical=false, const char *data=0, 
                 int length=0);
 
         /**
@@ -39,8 +34,8 @@
          *                  critical by the server.
          * @param data: If there is data for the control, put it here.
          */
-        LDAPCtrl(const std::string& oid, bool critical=false,
-                const std::string& data=std::string());
+        LDAPCtrl(const std::string& oid, bool critical,
+                 const std::string& data);
 
         /**
          * Creates a copy of the Control that "ctrl is pointing to
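Review bot: removing the defaults from the std::string overload breaks source compatibility for callers that construct LDAPCtrl from a std::string OID with one or two arguments, and the defaults added to the const char* overload in the previous hunk make the class implicitly constructible from a bare const char*. If the intent is that an omitted data argument means "no control value", say so in the @param data text of both constructors and consider keeping a one-argument std::string form that sets the same state.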
@@ -58,8 +53,14 @@
         std::string getOID() const;
 
         /**
-         * @return The Data of the control as a std::string-Objekt
+         * @return true if there is no "Control Value" (there is a
+         * difference between no and an empty control value)
          */
+        bool hasData() const;
+
+        /**
+         * @return The Data of the control as a std::string-Object
+         */
         std::string getData() const;
 
         /**
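Review bot: the doc comment added for hasData() states the opposite of the implementation: it says "@return true if there is no Control Value", while LDAPControl.cpp implements it as return !m_noData;, which is true when a value is present. Reword it to something like "@return true if the control carries a value (an empty value still counts as a value)".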
@@ -80,6 +81,7 @@
         std::string m_oid;
         std::string m_data;
         bool m_isCritical;
+        bool m_noData;
 };
 
 #endif //LDAP_CONTROL_H

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.cpp	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.cpp,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.cpp,v 1.3.6.3 2008/09/02 23:58:15 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -33,7 +33,7 @@
     sup = oc.sup;
 }
 
-LDAPObjClass::LDAPObjClass (string oc_item) { 
+LDAPObjClass::LDAPObjClass (string oc_item, int flags ) { 
 
     DEBUG(LDAP_DEBUG_CONSTRUCT,
             "LDAPObjClass::LDAPObjClass( )" << endl);
@@ -41,7 +41,7 @@
     LDAPObjectClass *o;
     int ret;
     const char *errp;
-    o = ldap_str2objectclass ( oc_item.c_str(), &ret, &errp, SCHEMA_PARSE_FLAG);
+    o = ldap_str2objectclass ( oc_item.c_str(), &ret, &errp, flags );
 
     if (o) {
         this->setNames (o->oc_names);

Modified: openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/LDAPObjClass.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.h,v 1.3.6.2 2008/05/01 21:28:42 quanah Exp $
+// $OpenLDAP: pkg/ldap/contrib/ldapc++/src/LDAPObjClass.h,v 1.3.6.3 2008/09/02 23:58:15 quanah Exp $
 /*
  * Copyright 2003, OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -12,9 +12,6 @@
 
 #include "StringList.h"
 
-#define SCHEMA_PARSE_FLAG    0x03
-
-
 using namespace std;
 
 /**
@@ -36,7 +33,7 @@
         /**
          * Copy constructor
 	 */   
-	LDAPObjClass (const LDAPObjClass& oc);
+	LDAPObjClass( const LDAPObjClass& oc );
 
         /**
 	 * Constructs new object and fills the data structure by parsing the
@@ -46,7 +43,8 @@
 	 * "( SuSE.YaST.OC:5 NAME 'userTemplate' SUP objectTemplate STRUCTURAL
 	 *    DESC 'User object template' MUST ( cn ) MAY ( secondaryGroup ))"
          */   
-        LDAPObjClass (string oc_item);
+        LDAPObjClass (string oc_item, int flags = LDAP_SCHEMA_ALLOW_NO_OID |
+                      LDAP_SCHEMA_ALLOW_QUOTED);
 
         /**
          * Destructor

Modified: openldap/trunk/contrib/ldapc++/src/ac/time.h
===================================================================
--- openldap/trunk/contrib/ldapc++/src/ac/time.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/ldapc++/src/ac/time.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
 /* Generic time.h */
-/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/ldapc++/src/ac/time.h,v 1.7.2.5 2009/01/22 00:00:44 kurt Exp $ */
 /*
- * Copyright 1998-2008 The OpenLDAP Foundation, Redwood City, California, USA
+ * Copyright 1998-2009 The OpenLDAP Foundation, Redwood City, California, USA
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only

Modified: openldap/trunk/contrib/slapd-modules/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2008-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP
@@ -20,6 +20,9 @@
 autogroup (overlay)
 	Automated updates of group memberships.
 
+cloak (overlay)
+	Hide specific attributes unless explicitely requested
+
 comp_match (plugin)
 	Component Matching rules (RFC 3687).
 
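Review bot: typo in the added cloak entry: "explicitely" should be "explicitly". The line also lacks the trailing period that the neighbouring descriptions use.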
@@ -52,4 +55,4 @@
 trace (overlay)
 	Trace overlay invocation.
 
-$OpenLDAP: pkg/ldap/contrib/slapd-modules/README,v 1.3.2.1 2008/07/09 00:33:24 quanah Exp $
+$OpenLDAP: pkg/ldap/contrib/slapd-modules/README,v 1.3.2.3 2009/01/22 00:00:44 kurt Exp $

Modified: openldap/trunk/contrib/slapd-modules/acl/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/acl/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2005-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2005-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/acl/posixgroup.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/acl/posixgroup.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/acl/posixgroup.c,v 1.3.2.5 2009/01/22 00:00:45 kurt Exp $ */
 /*
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/addpartial/Makefile
===================================================================
--- openldap/trunk/contrib/slapd-modules/addpartial/Makefile	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/addpartial/Makefile	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,7 @@
-OPENLDAP_SRC=/usr/local/src/openldap-2.4.6
-CPPFLAGS+=-I${OPENLDAP_SRC}/include -I${OPENLDAP_SRC}/servers/slapd
-LDFLAGS+=-L/usr/local/openldap-2.4.6
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/addpartial/Makefile,v 1.1.2.4 2009/01/21 00:18:19 quanah Exp $
+OPENLDAP_SRC=../../..
+OPENLDAP_BLD=../../..
+CPPFLAGS+=-I${OPENLDAP_SRC}/include -I${OPENLDAP_SRC}/servers/slapd -I${OPENLDAP_BLD}/include
 CC=gcc
 
 all: addpartial-overlay.so

Modified: openldap/trunk/contrib/slapd-modules/addpartial/addpartial-overlay.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/addpartial/addpartial-overlay.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/addpartial/addpartial-overlay.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -16,8 +16,8 @@
  *
  * Author:  David H. Hawes, Jr.
  * Email:   dhawes at vt.edu
- * Version: $Revision: 6588 $
- * Updated: $Date: 2007-11-07 13:29:25 -0500 (Wed, 07 Nov 2007) $
+ * Version: $Revision: 8385 $
+ * Updated: $Date: 2008-11-04 12:19:52 -0500 (Tue, 04 Nov 2008) $
  * 
  * addpartial-overlay
  *
@@ -33,7 +33,6 @@
 #include "portable.h" 
 #include "slap.h"
 
-static int addpartial_search_cb( Operation *op, SlapReply *rs);
 static int collect_error_msg_cb( Operation *op, SlapReply *rs);
 
 static slap_overinst addpartial;
@@ -46,10 +45,8 @@
 {
     Operation nop = *op;
     SlapReply nrs = { REP_RESULT };
-    Filter *filter = NULL;
     Entry *toAdd = NULL;
-    struct berval fstr = BER_BVNULL;
-    slap_callback cb = { NULL, addpartial_search_cb, NULL, NULL };
+    Entry *found = NULL;
     slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
     int rc;
 
@@ -64,61 +61,20 @@
     {
         return SLAP_CB_CONTINUE;
     }
-    
-    rs->sr_text = NULL;
 
-    nop.o_callback = &cb;
-    op->o_bd->bd_info = (BackendInfo *) on->on_info;
-    nop.o_tag = LDAP_REQ_SEARCH;
-    nop.o_ctrls = NULL;
-    
-    filter = str2filter("(objectclass=*)");
-    filter2bv(filter, &fstr);
+    rc = overlay_entry_get_ov(&nop, &nop.o_req_ndn, NULL, NULL, 0, &found, on);
 
-    nop.ors_scope = LDAP_SCOPE_BASE;
-    nop.ors_deref = LDAP_DEREF_NEVER;
-    nop.ors_slimit = -1;//SLAP_NO_LIMIT;
-    nop.ors_tlimit = -1;//SLAP_NO_LIMIT;
-    nop.ors_attrsonly = 0;
-    nop.ors_attrs = slap_anlist_no_attrs;
-    nop.ors_filter = filter;
-    nop.ors_filterstr = fstr;
-
-    memset(&nrs, 0, sizeof(nrs));
-    nrs.sr_type = REP_RESULT;
-    nrs.sr_err = LDAP_SUCCESS;
-    nrs.sr_entry = NULL;
-    nrs.sr_flags |= REP_ENTRY_MUSTBEFREED;
-    nrs.sr_text = NULL;
-
-    Debug(LDAP_DEBUG_TRACE, "%s: performing search\n", addpartial.on_bi.bi_type,
-          0,0);
-
-    if(nop.o_bd->be_search)
+    if(rc != LDAP_SUCCESS)
     {
-        rc = nop.o_bd->be_search(&nop, &nrs);
-        Debug(LDAP_DEBUG_TRACE, "%s: search performed\n",
-              addpartial.on_bi.bi_type,0,0);
+        Debug(LDAP_DEBUG_TRACE,
+              "%s: no entry found, falling through to normal add\n",
+              addpartial.on_bi.bi_type, 0, 0);
+        return SLAP_CB_CONTINUE;
     }
     else
-    {
-        Debug(LDAP_DEBUG_TRACE, "%s: backend missing search function\n",
-              addpartial.on_bi.bi_type,0,0);
-    }
-
-    if(filter)
-        filter_free(filter);
-    if(fstr.bv_val)
-        ch_free(fstr.bv_val);
-
-    if(rc != LDAP_SUCCESS)
-        return SLAP_CB_CONTINUE;
-    else
     { 
-        Entry *found = NULL;
         Debug(LDAP_DEBUG_TRACE, "%s: found the dn\n", addpartial.on_bi.bi_type,
               0,0);
-        found = (Entry *) cb.sc_private;
 
         if(found)
         {
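Review bot: every non-success return from overlay_entry_get_ov() is reported as "no entry found, falling through to normal add", so a backend or locking error while fetching the entry cannot be told apart from the entry not existing. Include rc in the Debug() line at minimum, and consider whether only the no-such-object case should fall through to the normal add.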
@@ -150,8 +106,7 @@
                     mod->sml_op &= LDAP_MOD_OP;
                     mod->sml_next = NULL;
                     mod->sml_desc = attr->a_desc;
-                    mod->sml_type.bv_val = attr->a_desc->ad_cname.bv_val;
-                    mod->sml_type.bv_len = strlen(mod->sml_type.bv_val);
+                    mod->sml_type = attr->a_desc->ad_cname;
                     mod->sml_values = attr->a_vals;
                     mod->sml_nvalues = attr->a_nvals;
                     mod->sml_numvals = attr->a_numvals;
@@ -190,8 +145,7 @@
                         mod->sml_op &= LDAP_MOD_OP;
                         mod->sml_next = NULL;
                         mod->sml_desc = attr->a_desc;
-                        mod->sml_type.bv_val = attr->a_desc->ad_cname.bv_val;
-                        mod->sml_type.bv_len = strlen(mod->sml_type.bv_val);
+                        mod->sml_type = attr->a_desc->ad_cname;
                         mod->sml_values = attr->a_vals;
                         mod->sml_nvalues = attr->a_nvals;
                         mod->sml_numvals = attr->a_numvals;
@@ -245,9 +199,7 @@
                             mod->sml_op &= LDAP_MOD_OP;
                             mod->sml_next = NULL;
                             mod->sml_desc = attr->a_desc;
-                            mod->sml_type.bv_val = 
-                                                  attr->a_desc->ad_cname.bv_val;
-                            mod->sml_type.bv_len = strlen(mod->sml_type.bv_val);
+                            mod->sml_type = attr->a_desc->ad_cname;
                             mod->sml_values = attr->a_vals;
                             mod->sml_nvalues = attr->a_nvals;
                             mod->sml_numvals = attr->a_numvals;
@@ -278,9 +230,7 @@
                     mod->sml_op = LDAP_MOD_REPLACE;
                     mod->sml_next = NULL;
                     mod->sml_desc = attr->a_desc;
-                    mod->sml_type.bv_val = 
-                                          attr->a_desc->ad_cname.bv_val;
-                    mod->sml_type.bv_len = strlen(mod->sml_type.bv_val);
+                    mod->sml_type = attr->a_desc->ad_cname;
                     mod->sml_values = NULL;
                     mod->sml_nvalues = NULL;
                     mod->sml_numvals = 0;
@@ -296,71 +246,69 @@
                 }
             }
 
+            overlay_entry_release_ov(&nop, found, 0, on);
+
             if(mods)
             {
+                Modifications *m = NULL;
+                Modifications *toDel;
+                int modcount;
+                slap_callback nullcb = { NULL, collect_error_msg_cb, 
+                                         NULL, NULL };
+
                 Debug(LDAP_DEBUG_TRACE, "%s: mods to do...\n",
                       addpartial.on_bi.bi_type, 0, 0);
-                if(nop.o_bd->be_modify)
-                {
-                    Modifications *m = NULL;
-                    int modcount;
-                    slap_callback nullcb = { NULL, collect_error_msg_cb, 
-                                             NULL, NULL };
-                    char textbuf[SLAP_TEXT_BUFLEN];
-                    size_t textlen = sizeof textbuf;
 
-                    memset(&nrs, 0, sizeof(nrs));
-                    nrs.sr_type = REP_RESULT;
-                    nrs.sr_err = LDAP_SUCCESS;
-                    nrs.sr_entry = NULL;
-                    nrs.sr_text = NULL;
+                memset(&nrs, 0, sizeof(nrs));
+                nrs.sr_type = REP_RESULT;
+                nrs.sr_err = LDAP_SUCCESS;
+                nrs.sr_entry = NULL;
+                nrs.sr_text = NULL;
 
-                    nop.o_tag = LDAP_REQ_MODIFY;
-                    nop.orm_modlist = mods;
-                    nop.o_callback = &nullcb;
-                    nop.o_bd->bd_info = (BackendInfo *) on->on_info;
+                nop.o_tag = LDAP_REQ_MODIFY;
+                nop.orm_modlist = mods;
+                nop.orm_no_opattrs = 0;
+                nop.o_callback = &nullcb;
+                nop.o_bd->bd_info = (BackendInfo *) on->on_info;
 
-                    for(m = mods, modcount = 0; m; m = m->sml_next, 
-                        modcount++)
-                    {
-                        /* count number of mods */
-                    }
+                for(m = mods, modcount = 0; m; m = m->sml_next, 
+                    modcount++)
+                {
+                    /* count number of mods */
+                }
 
-                    Debug(LDAP_DEBUG_TRACE, "%s: number of mods: %d\n",
-                          addpartial.on_bi.bi_type, modcount, 0);
+                Debug(LDAP_DEBUG_TRACE, "%s: number of mods: %d\n",
+                      addpartial.on_bi.bi_type, modcount, 0);
 
+                if(nop.o_bd->be_modify)
+                {
                     rc = (nop.o_bd->be_modify)(&nop, &nrs);
+                }
 
-                    if(rc == LDAP_SUCCESS)
+                if(rc == LDAP_SUCCESS)
+                {
+                    Debug(LDAP_DEBUG_TRACE,
+                          "%s: modify successful\n",
+                          addpartial.on_bi.bi_type, 0, 0);
+                }
+                else
+                {
+                    Debug(LDAP_DEBUG_TRACE, "%s: modify unsuccessful: %d\n",
+                          addpartial.on_bi.bi_type, rc, 0);
+                    rs->sr_err = rc;
+                    if(nullcb.sc_private)
                     {
-                        Debug(LDAP_DEBUG_TRACE,
-                              "%s: modify successful\n",
-                              addpartial.on_bi.bi_type, 0, 0);
+                        rs->sr_text = nullcb.sc_private;
                     }
-                    else
-                    {
-                        Debug(LDAP_DEBUG_TRACE, "%s: modify unsuccessful: %d\n",
-                              addpartial.on_bi.bi_type, rc, 0);
-                        rs->sr_err = rc;
-                        if(nrs.sr_text)
-                        {
-                            rs->sr_text = nullcb.sc_private;
-                        }
-                    }
+                }
 
-                    Debug(LDAP_DEBUG_TRACE, "%s: freeing mods...\n",
-                          addpartial.on_bi.bi_type, 0, 0);
+                Debug(LDAP_DEBUG_TRACE, "%s: freeing mods...\n",
+                      addpartial.on_bi.bi_type, 0, 0);
 
-                    if(mods != NULL)
-                    {
-                        Modifications *toDel;
-
-                        for(toDel = mods; toDel; toDel = mods)
-                        {
-                            mods = mods->sml_next;
-                            ch_free(toDel);
-                        }
-                    }
+                for(toDel = mods; toDel; toDel = mods)
+                {
+                    mods = mods->sml_next;
+                    ch_free(toDel);
                 }
             }
             else
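Review bot: now that the be_modify test wraps only the call, rc still holds the LDAP_SUCCESS returned by overlay_entry_get_ov() when nop.o_bd->be_modify is NULL (unless it is reassigned in lines outside these hunks), so the if(rc == LDAP_SUCCESS) branch logs "modify successful" although no modify ran. Set rc to an error in an else branch, or keep the result handling inside the be_modify block. It is also worth confirming that none of the mods built in the earlier hunks borrow a_vals or a_nvals from found, because overlay_entry_release_ov() now runs before be_modify consumes the list.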
@@ -368,9 +316,6 @@
                 Debug(LDAP_DEBUG_TRACE, "%s: no mods to process\n",
                       addpartial.on_bi.bi_type, 0, 0);
             }
-
-            if(found != NULL)
-                entry_free(found);
         }
         else
         {
@@ -387,26 +332,6 @@
     }
 }
 
-static int addpartial_search_cb( Operation *op, SlapReply *rs)
-{
-    Entry *entry = NULL;
-
-    if(rs->sr_type != REP_SEARCH) return 0;
-        
-    Debug(LDAP_DEBUG_TRACE, "%s: addpartial_search_cb\n",
-          addpartial.on_bi.bi_type, 0, 0);
-
-    if(rs->sr_entry)
-    {
-        Debug(LDAP_DEBUG_TRACE, "%s: dn found: %s\n",
-              addpartial.on_bi.bi_type, rs->sr_entry->e_nname.bv_val, 0);
-        entry = rs->sr_entry;
-        op->o_callback->sc_private = (void *) entry_dup(entry);
-    }
-
-    return 0;
-}
-
 static int collect_error_msg_cb( Operation *op, SlapReply *rs)
 {
     if(rs->sr_text)
@@ -427,5 +352,5 @@
 
 int init_module(int argc, char *argv[]) 
 {
-        return addpartial_init();
+    return addpartial_init();
 }

Modified: openldap/trunk/contrib/slapd-modules/allop/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/allop/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/allop/allop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/allop.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/allop/allop.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* allop.c - returns all operational attributes when appropriate */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/allop.c,v 1.3.2.4 2009/01/22 00:00:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2005-2008 The OpenLDAP Foundation.
+ * Copyright 2005-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/allop/slapo-allop.5	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
 .TH SLAPO-ALLOP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2008 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
-.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $
+.\" $OpenLDAP: pkg/ldap/contrib/slapd-modules/allop/slapo-allop.5,v 1.2.2.4 2009/01/22 00:00:45 kurt Exp $
 .SH NAME
 slapo-allop \- All Operational Attributes overlay
 .SH SYNOPSIS

Modified: openldap/trunk/contrib/slapd-modules/autogroup/autogroup.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/autogroup/autogroup.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/autogroup/autogroup.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
 /* autogroup.c - automatic group overlay */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/autogroup/autogroup.c,v 1.2.2.1 2008/02/08 23:00:43 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/autogroup/autogroup.c,v 1.2.2.2 2008/11/10 19:57:30 quanah Exp $ */
 /*
  * Copyright 2007 Michał Szulczyński.
  * All rights reserved.
@@ -1503,7 +1503,7 @@
 		op->o_bd->be_search( op, &rs );
 		op->o_bd->bd_info = (BackendInfo *)on;
 
-		filter_free_x( op, op->ors_filter );
+		filter_free_x( op, op->ors_filter, 1 );
 		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
 	}		
 	ldap_pvt_thread_mutex_unlock( &agi->agi_mutex );

Copied: openldap/trunk/contrib/slapd-modules/cloak (from rev 1197, openldap/vendor/openldap-2.4.14/contrib/slapd-modules/cloak)

Modified: openldap/trunk/contrib/slapd-modules/comp_match/Makefile
===================================================================
--- openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/comp_match/Makefile	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,7 +1,7 @@
-# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.3 2008/02/11 23:26:38 kurt Exp $
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/comp_match/Makefile,v 1.11.2.4 2009/01/22 00:00:45 kurt Exp $
 # This work is part of OpenLDAP Software <http://www.openldap.org/>.
 #
-# Copyright 2003-2008 The OpenLDAP Foundation.
+# Copyright 2003-2009 The OpenLDAP Foundation.
 # Portions Copyright 2004 by IBM Corporation.
 # All rights reserved.
 

Modified: openldap/trunk/contrib/slapd-modules/denyop/denyop.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/denyop/denyop.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* denyop.c - Denies operations */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/denyop/denyop.c,v 1.2.2.4 2009/01/22 00:00:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2008 The OpenLDAP Foundation.
+ * Copyright 2004-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/dsaschema/dsaschema.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/dsaschema/dsaschema.c,v 1.5.2.4 2009/01/22 00:00:45 kurt Exp $ */
 /*
- * Copyright 2004-2008 The OpenLDAP Foundation.
+ * Copyright 2004-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/lastmod/lastmod.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* lastmod.c - returns last modification info */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/lastmod/lastmod.c,v 1.2.2.4 2009/01/22 00:00:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2008 The OpenLDAP Foundation.
+ * Copyright 2004-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5
===================================================================
--- openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/lastmod/slapo-lastmod.5	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-.\" Copyright 2004-2008 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .TH SLAPO_LASTMOD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .SH NAME

Modified: openldap/trunk/contrib/slapd-modules/nops/Makefile
===================================================================
--- openldap/trunk/contrib/slapd-modules/nops/Makefile	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/nops/Makefile	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,9 +1,16 @@
-CPPFLAGS+=-I../../../include -I../../../servers/slapd
+# $OpenLDAP: pkg/ldap/contrib/slapd-modules/nops/Makefile,v 1.1.2.3 2009/02/02 18:32:58 quanah Exp $
+CPPFLAGS+=-I../../../include -I../../../servers/slapd 
+CPPFLAGS+=-DSLAPD_OVER_NOPS=SLAPD_MOD_DYNAMIC
+LIBS=-lldap_r -llber -lcrypto
 
-all: nops.so
+all: nops.la
 
-nops.so: nops.c
-	$(CC) -shared $(CPPFLAGS) -Wall -o $@ $?
+nops.lo:    nops.c
+	$(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -c $?
 
+nops.la:    nops.lo
+	$(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \
+		   -rpath $(PREFIX)/lib -module -o $@ $? $(LIBS)
+
 clean:
-	rm nops.so
+	rm nops.lo nops.la
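Review bot: the new nops.lo and nops.la rules depend on $(LIBTOOL) and $(PREFIX), neither of which is set in the lines shown, so a plain make expands both to empty strings and the compile rule fails. Give them defaults or document that they must be passed on the command line. The clean target should go through libtool as well, for example $(LIBTOOL) --mode=clean rm -f nops.lo nops.la, so that the generated objects under .libs are removed and clean does not fail when the files are absent.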

Modified: openldap/trunk/contrib/slapd-modules/nssov/group.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/nssov/group.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/nssov/group.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
 /* group.c - group lookup routines */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/group.c,v 1.1.2.1 2008/07/08 18:53:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/group.c,v 1.1.2.2 2008/11/10 22:39:09 quanah Exp $ */
 /*
  * Copyright 2008 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -191,26 +191,31 @@
 			i += a->a_numvals;
 		if ( b )
 			i += b->a_numvals;
-		if ( i )
+		if ( i ) {
 			members = cbp->op->o_tmpalloc( (i+1) * sizeof(struct berval), cbp->op->o_tmpmemctx );
 			
-		if ( a ) {
-			for (i=0; i<a->a_numvals; i++) {
-				if (isvalidusername(&a->a_vals[i])) {
-					ber_dupbv_x(&members[j],&a->a_vals[i],cbp->op->o_tmpmemctx);
-					j++;
+			if ( a ) {
+				for (i=0; i<a->a_numvals; i++) {
+					if (isvalidusername(&a->a_vals[i])) {
+						ber_dupbv_x(&members[j],&a->a_vals[i],cbp->op->o_tmpmemctx);
+						j++;
+					}
 				}
 			}
-		}
-		a = b;
-		if ( a ) {
-			for (i=0; i<a->a_numvals; i++) {
-				if (nssov_dn2uid(cbp->op,cbp->ni,&a->a_nvals[i],&members[j]))
-					j++;
+			a = b;
+			if ( a ) {
+				for (i=0; i<a->a_numvals; i++) {
+					if (nssov_dn2uid(cbp->op,cbp->ni,&a->a_nvals[i],&members[j]))
+						j++;
+				}
 			}
+			nummembers = j;
+			BER_BVZERO(&members[j]);
+		} else {
+			members=NULL;
+			nummembers = 0;
 		}
-		nummembers = j;
-		BER_BVZERO(&members[j]);
+
 	} else {
 		members=NULL;
 		nummembers = 0;
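Review bot: Inside the new `if ( i ) {` block the pointer returned by `cbp->op->o_tmpalloc(...)` is still written through without a NULL check, and `i` is reused as the loop counter right after it sized the allocation, so the capacity `(i+1)` is gone by the time `BER_BVZERO(&members[j])` runs. Moving the copy loops and the terminator under the guard does close the write through an unallocated `members` when both attributes are empty. Keep the capacity in its own variable so `j` can be checked against it, and replace the two identical `members=NULL; nummembers = 0;` else branches with one initialisation before the outer `if`.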

Modified: openldap/trunk/contrib/slapd-modules/nssov/nssov.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/nssov/nssov.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/nssov/nssov.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
 /* nssov.c - nss-ldap overlay for slapd */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.c,v 1.1.2.1 2008/07/08 18:53:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.c,v 1.1.2.2 2008/11/10 22:40:35 quanah Exp $ */
 /*
  * Copyright 2008 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -476,7 +476,6 @@
 		case NSS_MAP:
 			rc = 1;
 			for (i=NM_alias;i<NM_NONE;i++) {
-				int j;
 
 				mi = &ni->ni_maps[i];
 				for (j=0;!BER_BVISNULL(&mi->mi_attrkeys[j]);j++) {
@@ -486,10 +485,10 @@
 
 						map.bv_len = nss_svcs[i].word.bv_len +
 							mi->mi_attrkeys[j].bv_len +
-							mi->mi_attrs->an_desc->ad_cname.bv_len + 2;
+							mi->mi_attrs[j].an_desc->ad_cname.bv_len + 2;
 						map.bv_val = ch_malloc(map.bv_len + 1);
 						sprintf(map.bv_val, "%s %s %s", nss_svcs[i].word.bv_val,
-							mi->mi_attrkeys[j].bv_val, mi->mi_attrs->an_desc->ad_cname.bv_val );
+							mi->mi_attrkeys[j].bv_val, mi->mi_attrs[j].an_desc->ad_cname.bv_val );
 						ber_bvarray_add( &c->rvalue_vals, &map );
 						rc = 0;
 					}
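Review bot: The buffer size in `map.bv_len` and the `sprintf` arguments are kept in agreement by hand, and this hunk had to change both to `mi->mi_attrs[j]` together; if a later edit touches only one of them the unbounded `sprintf` overruns the `ch_malloc(map.bv_len + 1)` buffer. Use `snprintf(map.bv_val, map.bv_len + 1, ...)` or build the value from a single computed length. The loop also ends on `BER_BVISNULL(&mi->mi_attrkeys[j])` while indexing `mi_attrs[j]`, so it relies on the two arrays having the same number of entries; a comment or assertion stating that invariant would help.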

Modified: openldap/trunk/contrib/slapd-modules/nssov/nssov.h
===================================================================
--- openldap/trunk/contrib/slapd-modules/nssov/nssov.h	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/nssov/nssov.h	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* nssov.h - NSS overlay header file */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.h,v 1.1.2.1 2008/07/08 18:53:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/nssov.h,v 1.1.2.3 2009/01/22 00:00:45 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2008 The OpenLDAP Foundation.
+ * Copyright 2008-2009 The OpenLDAP Foundation.
  * Portions Copyright 2008 Howard Chu.
  */
 
@@ -277,7 +277,7 @@
 	op->ors_slimit = SLAP_NO_LIMIT; \
     /* do the internal search */ \
 	op->o_bd->be_search( op, &rs ); \
-	filter_free_x( op, op->ors_filter ); \
+	filter_free_x( op, op->ors_filter, 1 ); \
     return 0; \
   }
 

Modified: openldap/trunk/contrib/slapd-modules/nssov/passwd.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/nssov/passwd.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/nssov/passwd.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
 /* passwd.c - password lookup routines */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/passwd.c,v 1.1.2.1 2008/07/08 18:53:57 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/nssov/passwd.c,v 1.1.2.3 2008/11/10 22:41:45 quanah Exp $ */
 /*
  * Copyright 2008 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -172,7 +172,7 @@
 	if (!isvalidusername(uid))
 		return 0;
 	/* we have to look up the entry */
-	nssov_filter_byid(mi,UIDN_KEY,uid,&filter);
+	nssov_filter_byid(mi,UID_KEY,uid,&filter);
 	BER_BVZERO(dn);
 	cb.sc_private = dn;
 	cb.sc_response = uid2dn_cb;
@@ -184,8 +184,10 @@
 	op2.ors_filterstr = filter;
 	op2.ors_filter = str2filter_x( op, filter.bv_val );
 	op2.ors_attrs = slap_anlist_no_attrs;
+	op2.ors_tlimit = SLAP_NO_LIMIT;
+	op2.ors_slimit = SLAP_NO_LIMIT;
 	rc = op2.o_bd->be_search( &op2, &rs );
-	filter_free_x( op, op2.ors_filter );
+	filter_free_x( op, op2.ors_filter, 1 );
 	return rc == LDAP_SUCCESS;
 }
 
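Review bot: The result of `str2filter_x( op, filter.bv_val )` is passed to `be_search` and then to `filter_free_x` without a NULL check, so a filter that fails to parse reaches the backend as a NULL `ors_filter`. Return 0 early in that case. The new third argument in `filter_free_x( op, op2.ors_filter, 1 )` is a bare literal here and in the nssov.h macro; a short comment on what `1` selects would make the two call sites easier to audit.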

Modified: openldap/trunk/contrib/slapd-modules/passwd/README
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/passwd/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapd-modules/passwd/kerberos.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/passwd/kerberos.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/kerberos.c,v 1.5.2.4 2009/01/22 00:00:46 kurt Exp $ */
 /*
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/netscape.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/passwd/netscape.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/netscape.c,v 1.5.2.4 2009/01/22 00:00:46 kurt Exp $ */
 /*
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-modules/passwd/radius.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/passwd/radius.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/passwd/radius.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,6 +1,6 @@
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.4 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/radius.c,v 1.2.2.5 2009/01/22 00:00:46 kurt Exp $ */
 /*
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Copied: openldap/trunk/contrib/slapd-modules/passwd/sha2 (from rev 1197, openldap/vendor/openldap-2.4.14/contrib/slapd-modules/passwd/sha2)

Modified: openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/smbk5pwd/smbk5pwd.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
 /* smbk5pwd.c - Overlay for managing Samba and Heimdal passwords */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.12 2008/07/09 22:59:00 quanah Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/smbk5pwd/smbk5pwd.c,v 1.17.2.14 2009/01/26 21:05:10 quanah Exp $ */
 /*
  * Copyright 2004-2005 by Howard Chu, Symas Corp.
  * All rights reserved.
@@ -59,12 +59,18 @@
 static AttributeDescription *ad_krb5Key;
 static AttributeDescription *ad_krb5KeyVersionNumber;
 static AttributeDescription *ad_krb5PrincipalName;
+static AttributeDescription *ad_krb5ValidEnd;
 static ObjectClass *oc_krb5KDCEntry;
 #endif
 
 #ifdef DO_SAMBA
+#ifdef HAVE_GNUTLS
+#include <gcrypt.h>
+typedef unsigned char DES_cblock[8];
+#else
 #include <openssl/des.h>
 #include <openssl/md4.h>
+#endif
 #include "ldap_utf8.h"
 
 static AttributeDescription *ad_sambaLMPassword;
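Review bot: The include block is selected with `#ifdef HAVE_GNUTLS ... #else`, but the function bodies later in this diff are selected with `#ifdef HAVE_OPENSSL ... #elif defined(HAVE_GNUTLS)`, so the two disagree in two configurations. With both macros defined, the headers come from gcrypt while the bodies take the OpenSSL branch and use `DES_key_schedule` and `MD4_CTX`, which are then undeclared. With neither defined, the OpenSSL headers are included but no hashing code is compiled at all. Use one selection order everywhere and add an `#error` for the case where no crypto library is configured.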
@@ -129,7 +135,9 @@
 	k[6] = ((lpw[5]&0x3F)<<2) | (lpw[6]>>6);
 	k[7] = ((lpw[6]&0x7F)<<1);
 
+#ifdef HAVE_OPENSSL
 	des_set_odd_parity( key );
+#endif
 }
 
 #define MAX_PWLEN 256
@@ -163,21 +171,45 @@
 {
 	char UcasePassword[15];
 	DES_cblock key;
-	DES_key_schedule schedule;
 	DES_cblock StdText = "KGS!@#$%";
 	DES_cblock hbuf[2];
+#ifdef HAVE_OPENSSL
+	DES_key_schedule schedule;
+#elif defined(HAVE_GNUTLS)
+	gcry_cipher_hd_t h = NULL;
+	gcry_error_t err;
 
+	err = gcry_cipher_open( &h, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_CBC, 0 );
+	if ( err ) return;
+#endif
+
 	strncpy( UcasePassword, passwd->bv_val, 14 );
 	UcasePassword[14] = '\0';
 	ldap_pvt_str2upper( UcasePassword );
 
 	lmPasswd_to_key( UcasePassword, &key );
+#ifdef HAVE_GNUTLS
+	err = gcry_cipher_setkey( h, &key, sizeof(key) );
+	if ( err == 0 ) {
+		err = gcry_cipher_encrypt( h, &hbuf[0], sizeof(key), &StdText, sizeof(key) );
+		if ( err == 0 ) {
+			gcry_cipher_reset( h );
+			lmPasswd_to_key( &UcasePassword[7], &key );
+			err = gcry_cipher_setkey( h, &key, sizeof(key) );
+			if ( err == 0 ) {
+				err = gcry_cipher_encrypt( h, &hbuf[1], sizeof(key), &StdText, sizeof(key) );
+			}
+		}
+		gcry_cipher_close( h );
+	}
+#elif defined(HAVE_OPENSSL)
 	des_set_key_unchecked( &key, schedule );
 	des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
 
 	lmPasswd_to_key( &UcasePassword[7], &key );
 	des_set_key_unchecked( &key, schedule );
 	des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
+#endif
 
 	hexify( (char *)hbuf, hash );
 }
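Review bot: The gcrypt branch has three error-handling gaps. `if ( err ) return;` after `gcry_cipher_open` leaves `hash` unwritten with no way for the caller to tell. `gcry_cipher_close( h )` sits inside the first `if ( err == 0 )`, so the handle leaks when the first `gcry_cipher_setkey` fails. Any later failure still falls through to `hexify( (char *)hbuf, hash )` on a partly uninitialised `hbuf`, which would store stack contents as the LM hash. Close the handle on every path and skip `hexify` (or return an error) when `err` is set. Separately, the handle is opened with `GCRY_CIPHER_MODE_CBC` while the OpenSSL branch calls `des_ecb_encrypt`; the outputs only match because each call encrypts a single block after a reset, so either open in ECB mode or add a comment saying why CBC is equivalent here.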
@@ -192,14 +224,20 @@
 	 * 256 UCS2 characters, not 256 bytes...
 	 */
 	char hbuf[HASHLEN];
+#ifdef HAVE_OPENSSL
 	MD4_CTX ctx;
+#endif
 
 	if (passwd->bv_len > MAX_PWLEN*2)
 		passwd->bv_len = MAX_PWLEN*2;
-		
+
+#ifdef HAVE_OPENSSL
 	MD4_Init( &ctx );
 	MD4_Update( &ctx, passwd->bv_val, passwd->bv_len );
 	MD4_Final( (unsigned char *)hbuf, &ctx );
+#elif defined(HAVE_GNUTLS)
+	gcry_md_hash_buffer(GCRY_MD_MD4, hbuf, passwd->bv_val, passwd->bv_len );
+#endif
 
 	hexify( hbuf, hash );
 }
@@ -273,9 +311,9 @@
 	int rc;
 	Entry *e;
 	Attribute *a;
-    krb5_error_code ret;
-    krb5_keyblock key;
-    krb5_salt salt;
+	krb5_error_code ret;
+	krb5_keyblock key;
+	krb5_salt salt;
 	hdb_entry ent;
 
 	/* Find our thread context, find our Operation */
@@ -300,6 +338,19 @@
 		memset( &ent, 0, sizeof(ent) );
 		ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
 		if ( ret ) break;
+
+		a = attr_find( e->e_attrs, ad_krb5ValidEnd );
+		if (a) {
+			struct lutil_tm tm;
+			struct lutil_timet tt;
+			if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 &&
+				lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) {
+				/* Account is expired */
+				rc = LUTIL_PASSWD_ERR;
+				break;
+			}
+		}
+
 		krb5_get_pw_salt( context, ent.principal, &salt );
 		krb5_free_principal( context, ent.principal );
 
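Review bot: The expiry test compares `tt.tt_usec < op->o_time`, that is, the microseconds part of the parsed `krb5ValidEnd` against the operation time in seconds. The microseconds part is always far smaller than a current timestamp, so every entry that carries a parseable `krb5ValidEnd` is treated as expired; the comparison should use the seconds field (`tt_sec` in `struct lutil_timet`). The `break` in the expired branch also runs after `krb5_parse_name` has filled `ent.principal` and before the `krb5_free_principal( context, ent.principal )` two lines below, so the principal leaks unless code outside this hunk frees it. Finally, when `lutil_parsetime` or `lutil_tm2time` fails, the check is skipped and the bind proceeds; decide whether an unparseable expiry should fail closed, and say so in the comment.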
@@ -840,6 +891,7 @@
 		{ "krb5Key",			&ad_krb5Key },
 		{ "krb5KeyVersionNumber",	&ad_krb5KeyVersionNumber },
 		{ "krb5PrincipalName",		&ad_krb5PrincipalName },
+		{ "krb5ValidEnd",		&ad_krb5ValidEnd },
 		{ NULL }
 	},
 #endif /* DO_KRB5 */
@@ -908,7 +960,7 @@
 			char *err_str, *err_msg = "<unknown error>";
 			err_str = krb5_get_error_string( context );
 			if (!err_str)
-				err_msg = krb5_get_err_text( context, ret );
+				err_msg = (char *)krb5_get_err_text( context, ret );
 			Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
 				"unable to initialize krb5 admin context: %s (%d).\n",
 				err_str ? err_str : err_msg, ret, 0 );
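Review bot: The cast in `err_msg = (char *)krb5_get_err_text( context, ret );` silences the const warning by discarding the qualifier. Since `err_msg` is only read in the `Debug` call, declare it `const char *err_msg` instead and drop the cast.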

Modified: openldap/trunk/contrib/slapd-modules/trace/trace.c
===================================================================
--- openldap/trunk/contrib/slapd-modules/trace/trace.c	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-modules/trace/trace.c	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 /* trace.c - traces overlay invocation */
-/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.3 2008/02/11 23:26:38 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/contrib/slapd-modules/trace/trace.c,v 1.2.2.4 2009/01/22 00:00:46 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2008 The OpenLDAP Foundation.
+ * Copyright 2006-2009 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/contrib/slapd-tools/README
===================================================================
--- openldap/trunk/contrib/slapd-tools/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapd-tools/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2004-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2004-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/contrib/slapi-plugins/addrdnvalues/README
===================================================================
--- openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/contrib/slapi-plugins/addrdnvalues/README	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 2003-2008 The OpenLDAP Foundation. All rights reserved.
+Copyright 2003-2009 The OpenLDAP Foundation. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted only as authorized by the OpenLDAP

Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/debian/changelog	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,3 +1,11 @@
+openldap (2.4.11-2) UNRELEASED; urgency=low
+
+  * New upstream version
+    - Fixes a bug with the pcache overlay not returning cached entries
+      (closes: #497697)
+
+ -- Steve Langasek <vorlon at debian.org>  Tue, 17 Feb 2009 09:41:22 -0800
+
 openldap (2.4.11-1) unstable; urgency=low
 
   * New upstream version (closes: #499560).
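Review bot: The new entry is versioned `2.4.11-2` but its first item is "New upstream version", and this same commit copies files from `openldap/vendor/openldap-2.4.14/`. The Debian revision suffix is for packaging-only changes, so the version should follow the upstream release being merged (with revision `-1`). Otherwise the package version will not reflect which upstream fixes, including the pcache fix cited for #497697, are actually present.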

Modified: openldap/trunk/doc/Makefile.in
===================================================================
--- openldap/trunk/doc/Makefile.in	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/Makefile.in	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 ## doc Makefile.in for OpenLDAP
-# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.3 2008/02/11 23:26:39 kurt Exp $
+# $OpenLDAP: pkg/ldap/doc/Makefile.in,v 1.11.2.4 2009/01/22 00:00:46 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 1998-2008 The OpenLDAP Foundation.
+## Copyright 1998-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/devel/args
===================================================================
--- openldap/trunk/doc/devel/args	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/devel/args	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,11 +1,13 @@
 Tools           ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-ldapcompare      * DE**HI*K M*OPQR  UVWXYZ   de *h**k *nop*    vwxyz
-ldapdelete       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*    vwxyz
-ldapmodify       *CDE**HI*K M*OPQRS UVWXYZabcde *h**k *nop*r t vwxy
-ldapmodrdn       *CDE**HI*K M*OPQR  UVWXYZ  cdef*h**k *nop*rs  vwxy
-ldappasswd      A*CDE**HI*   *O QRS UVWXYZa  def*h**  * o * s  vwxy  
-ldapsearch      A*CDE**HI*KLM*OPQRSTUVWXYZab def*h**kl*nop* stuvwxyz
-ldapwhoami       * DE**HI*   *O QR  UVWXYZ   def*h**  *nop*    vwxy 
+ldapcompare      * DE**HI** MNOPQR  UVWXYZ   de *h*** *nop*    vwxyz
+ldapdelete       *CDE**HI** MNOPQR  UVWXYZ  cdef*h*** *nop*    vwxyz
+ldapexop         * D **HI**  NO QR  UVWXYZ   de *h*** *nop     vwxy
+ldapmodify       *CDE**HI** MNOPQRS UVWXYZabcde *h*** *nop*r t vwxy
+ldapmodrdn       *CDE**HI** MNOPQR  UVWXYZ  cdef*h*** *nop*rs  vwxy
+ldappasswd      A*CDE**HI**  NO QRS UVWXYZa  def*h*** * o * s  vwxy  
+ldapsearch      A*CDE**HI**LMNOPQRSTUVWXYZab def*h***l*nop* stuvwxyz
+ldapurl          *  E**H **       S       ab   f*h*** *  p* s
+ldapwhoami       * DE**HI**  NO QR  UVWXYZ   def*h*** *nop*    vwxy 
 
 
 * reserved
@@ -32,6 +34,8 @@
 	-x simple bind
 	-y Bind password-file
 	-w Bind password
+
+Not used
 	-4 IPv4 only
 	-6 IPv6 only
 
@@ -50,10 +54,10 @@
 	-Q SASL quiet mode (default: automatic)
 
 
-* LDAPv2+ Only (DEPRECATED)
+* LDAPv2+ Only (REMOVED)
 	-K LDAPv2 Kerberos Bind (Step 1 only)
 	-k LDAPv2 Kerberos Bind
 
 
 ---
-$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.3 2008/02/09 00:53:37 quanah Exp $
+$OpenLDAP: pkg/ldap/doc/devel/args,v 1.29.2.5 2009/01/21 00:27:40 quanah Exp $

Modified: openldap/trunk/doc/guide/COPYRIGHT
===================================================================
--- openldap/trunk/doc/guide/COPYRIGHT	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/COPYRIGHT	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-Copyright 1998-2008 The OpenLDAP Foundation
+Copyright 1998-2009 The OpenLDAP Foundation
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -39,8 +39,8 @@
 Portions Copyright 1999-2008 Howard Y.H. Chu.
 Portions Copyright 1999-2008 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2008 Gavin Henry.
-Portions Copyright 2008 Suretec Systems.
+Portions Copyright 2008-2009 Gavin Henry.
+Portions Copyright 2008-2009 Suretec Systems Ltd.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/guide/admin/Makefile
===================================================================
--- openldap/trunk/doc/guide/admin/Makefile	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/Makefile	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,8 +1,8 @@
 ## Makefile for OpenLDAP Administrator's Guide
-# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.10 2008/07/10 00:58:19 quanah Exp $
+# $OpenLDAP: pkg/openldap-guide/admin/Makefile,v 1.5.2.11 2009/01/22 00:00:47 kurt Exp $
 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 ##
-## Copyright 2005-2008 The OpenLDAP Foundation.
+## Copyright 2005-2009 The OpenLDAP Foundation.
 ## All rights reserved.
 ##
 ## Redistribution and use in source and binary forms, with or without

Modified: openldap/trunk/doc/guide/admin/README.spellcheck
===================================================================
--- openldap/trunk/doc/guide/admin/README.spellcheck	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/README.spellcheck	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.3 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/README.spellcheck,v 1.2.2.4 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # README.spellcheck 

Modified: openldap/trunk/doc/guide/admin/abstract.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/abstract.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/abstract.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.5 2008/02/11 23:26:39 kurt Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/abstract.sdf,v 1.7.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 # 
 # OpenLDAP Administrator's Guide: Abstract

Modified: openldap/trunk/doc/guide/admin/access-control.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/access-control.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/access-control.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.2 2008/05/20 00:17:58 quanah Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/access-control.sdf,v 1.3.2.5 2009/02/02 22:45:18 quanah Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Access Control
@@ -218,8 +218,15 @@
 an entry and/or attribute, slapd compares the entry and/or attribute
 to the {{EX:<what>}} selectors given in the configuration file.
 For each entry, access controls provided in the database which holds
-the entry (or the first database if not held in any database) apply
-first, followed by the global access directives.  Within this
+the entry (or the global access directives if not held in any database) apply
+first, followed by the global access directives. However, when dealing with 
+an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the 
+access list will end with an implicit {{EX:access to * by * none}} directive. 
+If there are no access directives applicable to a backend, then a default 
+read is used.
+
+Within this
 priority, access directives are examined in the order in which they
 appear in the config file.  Slapd stops with the first {{EX:<what>}}
 selector that matches the entry and/or attribute. The corresponding
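Review bot: After the substitution the sentence reads "(or the global access directives if not held in any database) apply first, followed by the global access directives", which is circular for entries held in no database such as the Root DSE. State that case separately. The last added sentence, "If there are no access directives applicable to a backend, then a default read is used", describes the one situation where the result is not deny-by-default; it deserves its own paragraph or a note, since an administrator who removes the last access directive gets read access for everyone rather than the implicit `access to * by * none`.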
@@ -304,9 +311,12 @@
 
 Also note that if no {{EX:access to}} directive matches or no {{EX:by
 <who>}} clause, {{B:access is denied}}.  That is, every {{EX:access
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:access to * by * none}}
-directive.
+to}} directive ends with an implicit {{EX:by * none}} clause. When dealing
+with an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the access 
+list will end with an implicit {{EX:access to * by * none}} directive. If
+there are no access directives applicable to a backend, then a default read is
+used.
 
 The next example again shows the importance of ordering, both of
 the access directives and the {{EX:by <who>}} clauses.  It also
@@ -422,9 +432,7 @@
 attributes.
 
 Lines 16 through 24 specify access control for entries in this
-database.  As this is the first database, the controls also apply
-to entries not held in any database (such as the Root DSE).  For
-all applicable entries, the {{EX:userPassword}} attribute is writable
+database. For all applicable entries, the {{EX:userPassword}} attribute is writable
 by the entry itself and by the "admin" entry.  It may be used for
 authentication/authorization purposes, but is otherwise not readable.
 All other attributes are writable by the entry and the "admin"
@@ -635,9 +643,16 @@
 an entry and/or attribute, slapd compares the entry and/or attribute
 to the {{EX:<what>}} selectors given in the configuration.  For
 each entry, access controls provided in the database which holds
-the entry (or the first database if not held in any database) apply
+the entry (or the global access directives if not held in any database) apply
 first, followed by the global access directives (which are held in
-the {{EX:frontend}} database definition).  Within this priority,
+the {{EX:frontend}} database definition). However, when dealing with 
+an access list, because the global access list is effectively appended 
+to each per-database list, if the resulting list is non-empty then the 
+access list will end with an implicit {{EX:access to * by * none}} directive. 
+If there are no access directives applicable to a backend, then a default 
+read is used.
+
+Within this priority,
 access directives are examined in the order in which they appear
 in the configuration attribute.  Slapd stops with the first
 {{EX:<what>}} selector that matches the entry and/or attribute. The
@@ -722,10 +737,11 @@
 are also under {{EX:dc=com}} entries.
 
 Also note that if no {{EX:olcAccess: to}} directive matches or no {{EX:by
-<who>}} clause, {{B:access is denied}}.  That is, every {{EX:olcAccess:
-to}} directive ends with an implicit {{EX:by * none}} clause and
-every access list ends with an implicit {{EX:olcAccess: to * by * none}}
-directive.
+<who>}} clause, {{B:access is denied}}.  When dealing with an access list, 
+because the global access list is effectively appended to each per-database 
+list, if the resulting list is non-empty then the access list will end with 
+an implicit {{EX:access to * by * none}} directive. If there are no access 
+directives applicable to a backend, then a default read is used.
 
 The next example again shows the importance of ordering, both of
 the access directives and the {{EX:by <who>}} clauses.  It also
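Review bot: This is the cn=config half of the chapter, but the replacement text uses the slapd.conf spelling `access to * by * none` where the removed line had `olcAccess: to * by * none`. The rewrite also drops the statement that every `olcAccess: to` directive ends with an implicit `by * none` clause, which the matching slapd.conf paragraph earlier in this file keeps. Restore that sentence and use the `olcAccess:` form so both halves describe the same default-deny behaviour.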
@@ -944,9 +960,7 @@
 attributes.
 
 Lines 33 through 41 specify access control for entries in this
-database.  As this is the first database, the controls also apply
-to entries not held in any database (such as the Root DSE).  For
-all applicable entries, the {{EX:userPassword}} attribute is writable
+database. For all applicable entries, the {{EX:userPassword}} attribute is writable
 by the entry itself and by the "admin" entry.  It may be used for
 authentication/authorization purposes, but is otherwise not readable.
 All other attributes are writable by the entry and the "admin"

Modified: openldap/trunk/doc/guide/admin/admin.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/admin.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/admin.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.5 2008/02/11 23:26:39 kurt Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/admin.sdf,v 1.2.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # guide.sdf 

Modified: openldap/trunk/doc/guide/admin/appendix-changes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-changes.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-changes.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.6 2008/04/14 22:36:18 quanah Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-changes.sdf,v 1.8.2.7 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Changes Since Previous Release

Modified: openldap/trunk/doc/guide/admin/appendix-common-errors.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-common-errors.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.3 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-common-errors.sdf,v 1.4.2.5 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Common errors encountered when using OpenLDAP Software
@@ -162,7 +162,7 @@
 
 Common causes include:
 
-* extraneous white space (especially trailing white space)
+* extraneous whitespace (especially trailing whitespace)
 * improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode)
 * empty values (few syntaxes allow empty values)
 

Modified: openldap/trunk/doc/guide/admin/appendix-configs.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-configs.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-configs.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.4 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-configs.sdf,v 1.2.2.5 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Configuration File Examples

Modified: openldap/trunk/doc/guide/admin/appendix-contrib.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-contrib.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.5 2008/07/09 00:40:40 quanah Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-contrib.sdf,v 1.1.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: OpenLDAP Software Contributions

Modified: openldap/trunk/doc/guide/admin/appendix-deployments.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-deployments.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.3 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-deployments.sdf,v 1.1.2.4 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Real World OpenLDAP Deployments and Examples

Modified: openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-ldap-result-codes.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,15 +1,19 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.4 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-ldap-result-codes.sdf,v 1.1.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1:  LDAP Result Codes
 
 For the purposes of this guide, we have incorporated the standard LDAP result 
-codes from {{Appendix A.  LDAP Result Codes}} of rfc4511. A copy of which can 
+codes from {{Appendix A.  LDAP Result Codes}} of rfc4511, a copy of which can 
 be found in {{F:doc/rfc}} of the OpenLDAP source code.
 
 We have expanded the description of each error in relation to the OpenLDAP 
 toolsets.
+LDAP extensions may introduce extension-specific result codes, which are not part
+of rfc4511.
+OpenLDAP returns the result codes related to extensions it implements.
+Their meaning is documented in the extension they are related to.
 
 H2:  Non-Error Result Codes
 
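Review bot: the four added lines beginning "LDAP extensions may introduce extension-specific result codes" follow "toolsets." with no blank line, so they read as a continuation of the paragraph about expanded error descriptions; a blank line before them would keep the two ideas apart. "Their meaning is documented in the extension they are related to" gives the reader nowhere to look, so name at least one specification or guide section where such codes are described. The reference is also written "rfc4511" both in the added text and in the reworded opening sentence; "RFC 4511" is the usual citation form.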

Modified: openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-recommended-versions.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.3 2008/02/11 23:26:39 kurt Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-recommended-versions.sdf,v 1.3.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Recommended OpenLDAP Software Dependency Versions
@@ -22,11 +22,11 @@
 |{{PRD:Heimdal}}|Version
 |{{PRD:MIT Kerberos}}|Version
 Database Software|{{PRD:Berkeley DB}}:|
-||4.2
 ||4.4
 ||4.5
 ||4.6
-||Note: It is highly recommended to apply the patches from for a given release.
+||4.7
+||Note: It is highly recommended to apply the patches from Oracle for a given release.
 Threads:
 |POSIX {{pthreads}}|Version
 |Mach {{CThreads}}|Version
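Review bot: the reworded note, "apply the patches from Oracle for a given release", still does not say where those patches are published, so a URL or a pointer to the relevant guide section would make it actionable. The same hunk drops Berkeley DB 4.2 from the list while adding 4.7, which matters to anyone still running 4.2 and deserves a line in the upgrading appendix or the release notes.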

Modified: openldap/trunk/doc/guide/admin/appendix-upgrading.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/appendix-upgrading.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.5 2008/05/20 00:17:58 quanah Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Upgrading from 2.3.x

Modified: openldap/trunk/doc/guide/admin/aspell.en.pws
===================================================================
--- openldap/trunk/doc/guide/admin/aspell.en.pws	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/aspell.en.pws	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,4 +1,4 @@
-personal_ws-1.1 en 1644 
+personal_ws-1.1 en 1687 
 commonName
 bla
 Masarati
@@ -6,8 +6,8 @@
 api
 usnCreated
 BhY
+olcSyncRepl
 olcSyncrepl
-olcSyncRepl
 adamsom
 adamson
 CER
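Review bot: the olcSyncRepl / olcSyncrepl pair in this hunk is only swapped, with no word added or removed, and the same swap-only pattern recurs in many later hunks of this file (memberof / memberOf, StartTLS / starttls, OpenLDAP / openldap). The reordering buries the real additions; keeping the word list in a stable order before committing would reduce the diff to the new entries and make them reviewable.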
@@ -25,6 +25,7 @@
 BNF
 TLSEphemeralDHParamFile
 ppolicy
+gavin
 ASN
 ava
 Chu
@@ -39,8 +40,8 @@
 dev
 reqNewSuperior
 librewrite
+memberof
 memberOf
-memberof
 BSI
 updateref
 buf
@@ -64,6 +65,7 @@
 CRP
 postread
 csn
+laura
 checkpass
 xvfB
 neverDerefaliases
@@ -82,6 +84,7 @@
 ando
 reqDeleteOldRDN
 DSA
+dontusecopy
 msgfree
 DSE
 keycol
@@ -89,14 +92,15 @@
 eng
 AttributeValue
 attributevalue
+DUA
 EOF
-DUA
 inputfile
 DSP
 refreshDone
 dst
 NOSYNC
 env
+pagedResultsControl
 dup
 hdb
 LDIFv
@@ -105,9 +109,11 @@
 subschemaSubentry
 interoperate
 gid
+testdb
 gif
 memfree
 struct
+dirsync
 IAB
 fmt
 SysNet
@@ -125,15 +131,16 @@
 contextCSN
 auditModify
 auditSearch
+OpenLDAP
 openldap
-OpenLDAP
+resultcode
 resultCode
-resultcode
 sysconfig
 indices
 blen
 APIs
 lresolv
+uidObject
 Contribware
 directoryString
 database's
@@ -141,6 +148,7 @@
 qbuaQ
 gss
 ZKKuqbEKJfKSXhUbHG
+employeeType
 invalidAttributeSyntax
 subtree
 Kartik
@@ -149,6 +157,7 @@
 memcalloc
 ing
 filtertype
+ini
 XKqkdPOmY
 regcomp
 ldapmodify
@@ -160,17 +169,18 @@
 dynlist
 args
 hardcoded
+pgsql
 argv
 kdz
 notAllowedOnRDN
 hostport
+StartTLS
 starttls
-StartTLS
 ldb
 servercredp
 ldd
+IPv
 ipv
-IPv
 hyc
 joe
 bindmethods
@@ -202,8 +212,8 @@
 acknowledgements
 jts
 createTimestamp
+MIB
 LLL
-MIB
 OpenSSL
 openssl
 LOF
@@ -243,10 +253,10 @@
 aeeiib
 oidlen
 submatches
+PEM
 olc
-PEM
+OLF
 PDU
-OLF
 LDAPSchemaExtensionItem
 auth
 Pierangelo
@@ -262,10 +272,11 @@
 numattrsets
 requestDN
 caseExactSubstringsMatch
+NSS
 PKI
-NSS
 olcSyncProvConfig
 ple
+jones
 NTP
 auditModRDN
 checkpointing
@@ -286,9 +297,9 @@
 wZFQrDD
 OTP
 olcSizeLimit
+PRD
+sbi
 pos
-sbi
-PRD
 pre
 sudoadm
 stringal
@@ -308,8 +319,8 @@
 HtZhZS
 TBC
 stringbv
+SHA
 Sep
-SHA
 ptr
 conn
 pwd
@@ -326,8 +337,8 @@
 supportedSASLMechanism
 supportedSASLmechanism
 realnamingcontext
+UCD
 SMD
-UCD
 keytab
 portnumber
 uncached
@@ -340,8 +351,8 @@
 UCS
 searchDN
 keytbl
+UDP
 tgz
-UDP
 freemods
 prepend
 nssov
@@ -359,22 +370,23 @@
 objectClassViolation
 ssf
 ldapfilter
+vec
+TOC
 rwm
-TOC
-vec
 pwdChangedTime
 tls
 peernamestyle
 xpasswd
+SRP
 tmp
-SRP
 SSL
 dupbv
 CPUs
+itsupport
 SRV
 entrymods
+sss
 rwx
-sss
 reqNewRDN
 nopresent
 rebindproc
@@ -402,6 +414,7 @@
 uri
 tty
 url
+sambaGroupMapping
 XED
 sortKey
 UTF
@@ -413,6 +426,7 @@
 txt
 UTR
 XER
+roomNumber
 olcDbIDLcacheSize
 namespace
 LDAPControl
@@ -435,8 +449,8 @@
 MezRroT
 GDBM
 LIBRELEASE
+DSA's
 DSAs
-DSA's
 realloc
 booleanMatch
 compareTrue
@@ -455,6 +469,7 @@
 derated
 auditDelete
 cn
+ee
 versa
 cp
 bv
@@ -477,6 +492,7 @@
 regexec
 IG
 msgidp
+noEstimate
 kb
 organizationalUnit
 Warper
@@ -495,8 +511,8 @@
 iZ
 ldapdelete
 xyz
+rdbms
 RDBMs
-rdbms
 extparam
 mk
 ng
@@ -505,6 +521,7 @@
 NL
 logfiles
 mr
+octetStringSubstringsMatch
 ok
 mv
 LTVERSION
@@ -560,8 +577,8 @@
 LDVERSION
 testAttr
 backend
+backends
 backend's
-backends
 BerValues
 Solaris
 structs
@@ -573,15 +590,16 @@
 policyDN
 testObject
 pwdMaxAge
+binddn
+bindDN
 bindDn
-bindDN
-binddn
 distributedOperation
 schemachecking
 strvals
 dataflow
 robert
 fqdn
+prtotal
 admittable
 Makefile
 IANA
@@ -595,6 +613,7 @@
 searchResultDone
 MAXLEN
 pwdInHistory
+realtime
 reqAttrsOnly
 sysconfdir
 searchResultReference
@@ -612,20 +631,21 @@
 bindpw
 AUTHNAME
 UniqueName
+blahblah
 saslmech
 pthreads
 IEEE
 regex
 SIGINT
 slappasswd
+errABsObject
 errAbsObject
-errABsObject
 ldapexop
+objectIdentifier
 objectidentifier
-objectIdentifier
 deallocators
+mirrormode
 MirrorMode
-mirrormode
 loopDetect
 SIGHUP
 authMethodNotSupported
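Review bot: "blahblah" is added to the accepted-word list here, so placeholder text left anywhere in the guide will no longer be flagged by the spell check; if the word only appears inside an example, excluding that example from the check is safer than whitelisting it. The hunk also carries both "errABsObject" and "errAbsObject"; if one of them is a typo in the guide sources, fix the source rather than keep both spellings accepted.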
@@ -642,8 +662,8 @@
 expr
 syntaxes
 memrealloc
+returncode
 returnCode
-returncode
 OpenLDAP's
 exts
 bitstringa
@@ -667,8 +687,8 @@
 lldap
 cachesize
 slapauth
+attributeType
 attributetype
-attributeType
 GSER
 olcDbNosync
 typedef
@@ -685,13 +705,15 @@
 TLSVerifyClient
 noidlen
 LDAPNOINIT
+henry
+pwdGraceAuthnLimit
 pwdGraceAuthNLimit
-pwdGraceAuthnLimit
 hnPk
+userpassword
 userPassword
-userpassword
 noanonymous
 LIBVERSION
+anyuser
 symas
 dcedn
 glibc
@@ -708,12 +730,14 @@
 organisations
 rewriteMap
 monitoredInfo
+modrDN
+ModRDN
 modrdn
-ModRDN
-modrDN
 HREF
 DQTxCYEApdUtNXGgdUac
 inline
+ConnSettings
+ShowSystemTables
 multiproxy
 reqSizeLimit
 kerberos
@@ -723,8 +747,8 @@
 rlookups
 siiiib
 LTSTATIC
+timelimitExceeded
 timeLimitExceeded
-timelimitExceeded
 XKYnrjvGT
 subtrees
 unixODBC
@@ -736,9 +760,10 @@
 dnstyle
 inet
 schemas
+pwdPolicySubentry
 pwdPolicySubEntry
-pwdPolicySubentry
 reqId
+backsql
 scanf
 olcBackend
 TLSCACertificatePath
@@ -765,6 +790,7 @@
 GCmfuqEvm
 multimaster
 testrun
+olcUniqueURI
 rewriteEngine
 slapdindex
 LTFINISH
@@ -798,6 +824,7 @@
 dbnum
 operationsError
 homePhone
+octetStringOrderingMatch
 testTwo
 BmIwN
 ldif
@@ -805,6 +832,7 @@
 plaintext
 someoneelse
 errDisconnect
+UserName
 username
 accessee
 LDAPURLDesc
@@ -969,11 +997,13 @@
 proxyAuthz
 config
 IDSET
-ODBC
+odbc
 searchFilter
 wholeSubtree
 SASLprep
 nisMailAlias
+libodbcpsqlS
+OxObjects
 attributeDescription
 groupnummer
 lsei
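Review bot: "ODBC" is removed and "odbc" added in this hunk, a replacement by a differently cased form rather than the reorder seen in the surrounding hunks. Elsewhere the list keeps both casings side by side (OpenLDAP / openldap, StartTLS / starttls), so confirm that the upper-case "ODBC" still passes the check after this change, or keep both entries.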
@@ -1030,6 +1060,7 @@
 attribute's
 pPasswd
 metadirectory
+Mitya
 assciated
 myObjectClass
 OIDs
@@ -1070,8 +1101,8 @@
 errObject
 XXLIBS
 reqAssertion
+nops
 PDUs
-nops
 baseObject
 bvecadd
 perl
@@ -1122,6 +1153,7 @@
 filterlist
 generalizedTimeMatch
 strongAuthRequired
+Kovalev
 Google
 sessionlog
 balancer
@@ -1184,10 +1216,13 @@
 ldapport
 octetString
 repl
+FakeOidIndex
 ERXRTc
 LxsdLy
 lastmod
 integerOrderingMatch
+sambaGroupType
+RowVersioning
 searchEntryDN
 pwdLockout
 sbin
@@ -1211,6 +1246,7 @@
 xeXBkeFxlZ
 priv
 proxyTemplates
+FileUsage
 bvals
 givenName
 givenname
@@ -1289,6 +1325,7 @@
 searchbase
 berval
 slen
+metadata
 lookup
 databasetype
 rewriteRules
@@ -1301,6 +1338,7 @@
 reloadHint
 moduleload
 hasSubordinates
+ShowOidColumn
 contextp
 LDAPModifying
 nameAndOptionalUID
@@ -1348,6 +1386,7 @@
 XLIBS
 freeit
 invalidDNSyntax
+sambaSID
 zeilenga
 addAttrDN
 syncdata
@@ -1364,13 +1403,13 @@
 mandir
 RXER
 SSFs
-octetStringOrderingStringMatch
 auditCompare
 pEntry
 strongAuthNotSupported
 endblock
 LDAPAVA
 startup
+sharedemail
 olcReplicationInterval
 TLSv
 libtool's
@@ -1435,9 +1474,11 @@
 bitstring
 objclass
 oplist
+libodbcpsql
 LDAPObjectClass
 sockurl
 somevalue
+businessCategory
 getpid
 monitorIsShadow
 confidentialityRequired
@@ -1447,6 +1488,7 @@
 TTLs
 attrdesc
 ghenry
+odbcinst
 reqType
 slapover
 BerkeleyDB's
@@ -1473,6 +1515,7 @@
 urls
 olcAuditLogConfig
 reqMod
+joebloggs
 pwdHistory
 entryTtl
 olcIdleTimeout
@@ -1504,8 +1547,8 @@
 saslargs
 OBJEXT
 LDAPAttributeType
+newpasswdfile
 newPasswdFile
-newpasswdfile
 boolean
 liblber
 ucdata
@@ -1529,6 +1572,7 @@
 abcd
 olcRootPW
 dnattr
+Servername
 AttributeTypeDescription
 strdup
 domainScope
@@ -1567,12 +1611,12 @@
 supportedSASLMechanisms
 ACLs
 reqMethod
+authzId
+authzid
 authzID
-authzid
-authzId
 hasSubordintes
+proxyCache
 proxycache
-proxyCache
 slaptest
 olcLogLevel
 LDAPDN
@@ -1597,8 +1641,8 @@
 multi
 aaa
 ldaprc
+UpdateDN
 updatedn
-UpdateDN
 LDAPBASE
 LDAPAPIFeatureInfo
 authzTo
@@ -1633,13 +1677,12 @@
 baz
 params
 generalizedTimeOrderingMatch
-octetStringSubstringsStringMatch
 ber
 slimit
 ali
 attributeoptions
 BfQ
 uidNumber
+CA's
 CAs
-CA's
 namingContext

Modified: openldap/trunk/doc/guide/admin/backends.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/backends.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/backends.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.6 2008/07/12 05:51:38 quanah Exp $
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/backends.sdf,v 1.8.2.7 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Backends

Modified: openldap/trunk/doc/guide/admin/config.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/config.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/config.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.6 2008/04/14 20:43:48 quanah Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/config.sdf,v 1.14.2.7 2009/01/22 00:00:47 kurt Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: The Big Picture - Configuration Choices
 

Modified: openldap/trunk/doc/guide/admin/dbtools.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/dbtools.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/dbtools.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.6 2008/02/11 23:26:39 kurt Exp $
-# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/dbtools.sdf,v 1.24.2.7 2009/01/22 00:00:47 kurt Exp $
+# Copyright 1999-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Database Creation and Maintenance Tools

Modified: openldap/trunk/doc/guide/admin/glossary.sdf
===================================================================
--- openldap/trunk/doc/guide/admin/glossary.sdf	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/glossary.sdf	2009-02-17 17:44:09 UTC (rev 1198)
@@ -1,5 +1,5 @@
-# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.5 2008/02/11 23:26:39 kurt Exp $
-# Copyright 2006-2008 The OpenLDAP Foundation, All Rights Reserved.
+# $OpenLDAP: pkg/openldap-guide/admin/glossary.sdf,v 1.5.2.6 2009/01/22 00:00:47 kurt Exp $
+# Copyright 2006-2009 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 H1: Glossary
 

Modified: openldap/trunk/doc/guide/admin/guide.html
===================================================================
--- openldap/trunk/doc/guide/admin/guide.html	2009-02-17 16:29:10 UTC (rev 1197)
+++ openldap/trunk/doc/guide/admin/guide.html	2009-02-17 17:44:09 UTC (rev 1198)
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">16 July 2008</ADDRESS>
+<ADDRESS CLASS="doc-modified">13 February 2009</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
@@ -114,495 +114,525 @@
 <BR>
 <A HREF="#BDB and HDB Database Directives">6.2.4. BDB and HDB Database Directives</A></UL></UL>
 <BR>
-<A HREF="#Access Control">7. Access Control</A><UL>
-<A HREF="#Introduction">7.1. Introduction</A>
+<A HREF="#Running slapd">7. Running slapd</A><UL>
+<A HREF="#Command-Line Options">7.1. Command-Line Options</A>
 <BR>
-<A HREF="#Access Control via Static Configuration">7.2. Access Control via Static Configuration</A><UL>
-<A HREF="#What to control access to">7.2.1. What to control access to</A>
+<A HREF="#Starting slapd">7.2. Starting slapd</A>
 <BR>
-<A HREF="#Who to grant access to">7.2.2. Who to grant access to</A>
+<A HREF="#Stopping slapd">7.3. Stopping slapd</A></UL>
 <BR>
-<A HREF="#The access to grant">7.2.3. The access to grant</A>
+<A HREF="#Access Control">8. Access Control</A><UL>
+<A HREF="#Introduction">8.1. Introduction</A>
 <BR>
-<A HREF="#Access Control Evaluation">7.2.4. Access Control Evaluation</A>
+<A HREF="#Access Control via Static Configuration">8.2. Access Control via Static Configuration</A><UL>
+<A HREF="#What to control access to">8.2.1. What to control access to</A>
 <BR>
-<A HREF="#Access Control Examples">7.2.5. Access Control Examples</A>
+<A HREF="#Who to grant access to">8.2.2. Who to grant access to</A>
 <BR>
-<A HREF="#Configuration File Example">7.2.6. Configuration File Example</A></UL>
+<A HREF="#The access to grant">8.2.3. The access to grant</A>
 <BR>
-<A HREF="#Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A><UL>
-<A HREF="#What to control access to">7.3.1. What to control access to</A>
+<A HREF="#Access Control Evaluation">8.2.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#Who to grant access to">7.3.2. Who to grant access to</A>
+<A HREF="#Access Control Examples">8.2.5. Access Control Examples</A>
 <BR>
-<A HREF="#The access to grant">7.3.3. The access to grant</A>
+<A HREF="#Configuration File Example">8.2.6. Configuration File Example</A></UL>
 <BR>
-<A HREF="#Access Control Evaluation">7.3.4. Access Control Evaluation</A>
+<A HREF="#Access Control via Dynamic Configuration">8.3. Access Control via Dynamic Configuration</A><UL>
+<A HREF="#What to control access to">8.3.1. What to control access to</A>
 <BR>
-<A HREF="#Access Control Examples">7.3.5. Access Control Examples</A>
+<A HREF="#Who to grant access to">8.3.2. Who to grant access to</A>
 <BR>
-<A HREF="#Access Control Ordering">7.3.6. Access Control Ordering</A>
+<A HREF="#The access to grant">8.3.3. The access to grant</A>
 <BR>
-<A HREF="#Configuration Example">7.3.7. Configuration Example</A>
+<A HREF="#Access Control Evaluation">8.3.4. Access Control Evaluation</A>
 <BR>
-<A HREF="#Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></UL>
+<A HREF="#Access Control Examples">8.3.5. Access Control Examples</A>
 <BR>
-<A HREF="#Access Control Common Examples">7.4. Access Control Common Examples</A><UL>
-<A HREF="#Basic ACLs">7.4.1. Basic ACLs</A>
+<A HREF="#Access Control Ordering">8.3.6. Access Control Ordering</A>
 <BR>
-<A HREF="#Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A>
+<A HREF="#Configuration Example">8.3.7. Configuration Example</A>
 <BR>
-<A HREF="#Controlling rootdn access">7.4.3. Controlling rootdn access</A>
+<A HREF="#Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">8.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></UL>
 <BR>
-<A HREF="#Managing access with Groups">7.4.4. Managing access with Groups</A>
+<A HREF="#Access Control Common Examples">8.4. Access Control Common Examples</A><UL>
+<A HREF="#Basic ACLs">8.4.1. Basic ACLs</A>
 <BR>
-<A HREF="#Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A>
+<A HREF="#Matching Anonymous and Authenticated users">8.4.2. Matching Anonymous and Authenticated users</A>
 <BR>
-<A HREF="#Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A>
+<A HREF="#Controlling rootdn access">8.4.3. Controlling rootdn access</A>
 <BR>
-<A HREF="#Allowing entry creation">7.4.7. Allowing entry creation</A>
+<A HREF="#Managing access with Groups">8.4.4. Managing access with Groups</A>
 <BR>
-<A HREF="#Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A>
+<A HREF="#Granting access to a subset of attributes">8.4.5. Granting access to a subset of attributes</A>
 <BR>
-<A HREF="#Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A>
+<A HREF="#Allowing a user write to all entries below theirs">8.4.6. Allowing a user write to all entries below theirs</A>
 <BR>
-<A HREF="#When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></UL>
+<A HREF="#Allowing entry creation">8.4.7. Allowing entry creation</A>
 <BR>
-<A HREF="#Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A><UL>
-<A HREF="#Groups of Groups">7.5.1. Groups of Groups</A>
+<A HREF="#Tips for using regular expressions in Access Control">8.4.8. Tips for using regular expressions in Access Control</A>
 <BR>
-<A HREF="#Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A>
+<A HREF="#Granting and Denying access based on security strength factors (ssf)">8.4.9. Granting and Denying access based on security strength factors (ssf)</A>
 <BR>
-<A HREF="#Following references">7.5.3. Following references</A></UL></UL>
+<A HREF="#When things aren\'t working as expected">8.4.10. When things aren't working as expected</A></UL>
 <BR>
-<A HREF="#Running slapd">8. Running slapd</A><UL>
-<A HREF="#Command-Line Options">8.1. Command-Line Options</A>
+<A HREF="#Sets - Granting rights based on relationships">8.5. Sets - Granting rights based on relationships</A><UL>
+<A HREF="#Groups of Groups">8.5.1. Groups of Groups</A>
 <BR>
-<A HREF="#Starting slapd">8.2. Starting slapd</A>
+<A HREF="#Group ACLs without DN syntax">8.5.2. Group ACLs without DN syntax</A>
 <BR>
-<A HREF="#Stopping slapd">8.3. Stopping slapd</A></UL>
+<A HREF="#Following references">8.5.3. Following references</A></UL></UL>
 <BR>
-<A HREF="#Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A><UL>
-<A HREF="#Creating a database over LDAP">9.1. Creating a database over LDAP</A>
+<A HREF="#Limits">9. Limits</A><UL>
+<A HREF="#Introduction">9.1. Introduction</A>
 <BR>
-<A HREF="#Creating a database off-line">9.2. Creating a database off-line</A><UL>
-<A HREF="#The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A>
+<A HREF="#Soft and Hard limits">9.2. Soft and Hard limits</A>
 <BR>
-<A HREF="#The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A>
+<A HREF="#Global Limits">9.3. Global Limits</A>
 <BR>
-<A HREF="#The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></UL>
+<A HREF="#Per-Database Limits">9.4. Per-Database Limits</A><UL>
+<A HREF="#Specify who the limits apply to">9.4.1. Specify who the limits apply to</A>
 <BR>
-<A HREF="#The LDIF text entry format">9.3. The LDIF text entry format</A></UL>
+<A HREF="#Specify time limits">9.4.2. Specify time limits</A>
 <BR>
-<A HREF="#Backends">10. Backends</A><UL>
-<A HREF="#Berkeley DB Backends">10.1. Berkeley DB Backends</A><UL>
-<A HREF="#Overview">10.1.1. Overview</A>
+<A HREF="#Specifying size limits">9.4.3. Specifying size limits</A>
 <BR>
-<A HREF="#back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A>
+<A HREF="#Size limits and Paged Results">9.4.4. Size limits and Paged Results</A></UL>
 <BR>
-<A HREF="#Further Information">10.1.3. Further Information</A></UL>
+<A HREF="#Example Limit Configurations">9.5. Example Limit Configurations</A><UL>
+<A HREF="#Simple Global Limits">9.5.1. Simple Global Limits</A>
 <BR>
-<A HREF="#LDAP">10.2. LDAP</A><UL>
-<A HREF="#Overview">10.2.1. Overview</A>
+<A HREF="#Global Hard and Soft Limits">9.5.2. Global Hard and Soft Limits</A>
 <BR>
-<A HREF="#back-ldap Configuration">10.2.2. back-ldap Configuration</A>
+<A HREF="#Giving specific users larger limits">9.5.3. Giving specific users larger limits</A>
 <BR>
-<A HREF="#Further Information">10.2.3. Further Information</A></UL>
+<A HREF="#Limiting who can do paged searches">9.5.4. Limiting who can do paged searches</A></UL>
 <BR>
-<A HREF="#LDIF">10.3. LDIF</A><UL>
-<A HREF="#Overview">10.3.1. Overview</A>
+<A HREF="#Further Information">9.6. Further Information</A></UL>
 <BR>
-<A HREF="#back-ldif Configuration">10.3.2. back-ldif Configuration</A>
+<A HREF="#Database Creation and Maintenance Tools">10. Database Creation and Maintenance Tools</A><UL>
+<A HREF="#Creating a database over LDAP">10.1. Creating a database over LDAP</A>
 <BR>
-<A HREF="#Further Information">10.3.3. Further Information</A></UL>
+<A HREF="#Creating a database off-line">10.2. Creating a database off-line</A><UL>
+<A HREF="#The {{EX:slapadd}} program">10.2.1. The <TT>slapadd</TT> program</A>
 <BR>
-<A HREF="#Metadirectory">10.4. Metadirectory</A><UL>
-<A HREF="#Overview">10.4.1. Overview</A>
+<A HREF="#The {{EX:slapindex}} program">10.2.2. The <TT>slapindex</TT> program</A>
 <BR>
-<A HREF="#back-meta Configuration">10.4.2. back-meta Configuration</A>
+<A HREF="#The {{EX:slapcat}} program">10.2.3. The <TT>slapcat</TT> program</A></UL>
 <BR>
-<A HREF="#Further Information">10.4.3. Further Information</A></UL>
+<A HREF="#The LDIF text entry format">10.3. The LDIF text entry format</A></UL>
 <BR>
-<A HREF="#Monitor">10.5. Monitor</A><UL>
-<A HREF="#Overview">10.5.1. Overview</A>
+<A HREF="#Backends">11. Backends</A><UL>
+<A HREF="#Berkeley DB Backends">11.1. Berkeley DB Backends</A><UL>
+<A HREF="#Overview">11.1.1. Overview</A>
 <BR>
-<A HREF="#back-monitor Configuration">10.5.2. back-monitor Configuration</A>
+<A HREF="#back-bdb/back-hdb Configuration">11.1.2. back-bdb/back-hdb Configuration</A>
 <BR>
-<A HREF="#Further Information">10.5.3. Further Information</A></UL>
+<A HREF="#Further Information">11.1.3. Further Information</A></UL>
 <BR>
-<A HREF="#Null">10.6. Null</A><UL>
-<A HREF="#Overview">10.6.1. Overview</A>
+<A HREF="#LDAP">11.2. LDAP</A><UL>
+<A HREF="#Overview">11.2.1. Overview</A>
 <BR>
-<A HREF="#back-null Configuration">10.6.2. back-null Configuration</A>
+<A HREF="#back-ldap Configuration">11.2.2. back-ldap Configuration</A>
 <BR>
-<A HREF="#Further Information">10.6.3. Further Information</A></UL>
+<A HREF="#Further Information">11.2.3. Further Information</A></UL>
 <BR>
-<A HREF="#Passwd">10.7. Passwd</A><UL>
-<A HREF="#Overview">10.7.1. Overview</A>
+<A HREF="#LDIF">11.3. LDIF</A><UL>
+<A HREF="#Overview">11.3.1. Overview</A>
 <BR>
-<A HREF="#back-passwd Configuration">10.7.2. back-passwd Configuration</A>
+<A HREF="#back-ldif Configuration">11.3.2. back-ldif Configuration</A>
 <BR>
-<A HREF="#Further Information">10.7.3. Further Information</A></UL>
+<A HREF="#Further Information">11.3.3. Further Information</A></UL>
 <BR>
-<A HREF="#Perl/Shell">10.8. Perl/Shell</A><UL>
-<A HREF="#Overview">10.8.1. Overview</A>
+<A HREF="#Metadirectory">11.4. Metadirectory</A><UL>
+<A HREF="#Overview">11.4.1. Overview</A>
 <BR>
-<A HREF="#back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A>
+<A HREF="#back-meta Configuration">11.4.2. back-meta Configuration</A>
 <BR>
-<A HREF="#Further Information">10.8.3. Further Information</A></UL>
+<A HREF="#Further Information">11.4.3. Further Information</A></UL>
 <BR>
-<A HREF="#Relay">10.9. Relay</A><UL>
-<A HREF="#Overview">10.9.1. Overview</A>
+<A HREF="#Monitor">11.5. Monitor</A><UL>
+<A HREF="#Overview">11.5.1. Overview</A>
 <BR>
-<A HREF="#back-relay Configuration">10.9.2. back-relay Configuration</A>
+<A HREF="#back-monitor Configuration">11.5.2. back-monitor Configuration</A>
 <BR>
-<A HREF="#Further Information">10.9.3. Further Information</A></UL>
+<A HREF="#Further Information">11.5.3. Further Information</A></UL>
 <BR>
-<A HREF="#SQL">10.10. SQL</A><UL>
-<A HREF="#Overview">10.10.1. Overview</A>
+<A HREF="#Null">11.6. Null</A><UL>
+<A HREF="#Overview">11.6.1. Overview</A>
 <BR>
-<A HREF="#back-sql Configuration">10.10.2. back-sql Configuration</A>
+<A HREF="#back-null Configuration">11.6.2. back-null Configuration</A>
 <BR>
-<A HREF="#Further Information">10.10.3. Further Information</A></UL></UL>
+<A HREF="#Further Information">11.6.3. Further Information</A></UL>
 <BR>
-<A HREF="#Overlays">11. Overlays</A><UL>
-<A HREF="#Access Logging">11.1. Access Logging</A><UL>
-<A HREF="#Overview">11.1.1. Overview</A>
+<A HREF="#Passwd">11.7. Passwd</A><UL>
+<A HREF="#Overview">11.7.1. Overview</A>
 <BR>
-<A HREF="#Access Logging Configuration">11.1.2. Access Logging Configuration</A>
+<A HREF="#back-passwd Configuration">11.7.2. back-passwd Configuration</A>
 <BR>
-<A HREF="#Further Information">11.1.3. Further Information</A></UL>
+<A HREF="#Further Information">11.7.3. Further Information</A></UL>
 <BR>
-<A HREF="#Audit Logging">11.2. Audit Logging</A><UL>
-<A HREF="#Overview">11.2.1. Overview</A>
+<A HREF="#Perl/Shell">11.8. Perl/Shell</A><UL>
+<A HREF="#Overview">11.8.1. Overview</A>
 <BR>
-<A HREF="#Audit Logging Configuration">11.2.2. Audit Logging Configuration</A>
+<A HREF="#back-perl/back-shell Configuration">11.8.2. back-perl/back-shell Configuration</A>
 <BR>
-<A HREF="#Further Information">11.2.3. Further Information</A></UL>
+<A HREF="#Further Information">11.8.3. Further Information</A></UL>
 <BR>
-<A HREF="#Chaining">11.3. Chaining</A><UL>
-<A HREF="#Overview">11.3.1. Overview</A>
+<A HREF="#Relay">11.9. Relay</A><UL>
+<A HREF="#Overview">11.9.1. Overview</A>
 <BR>
-<A HREF="#Chaining Configuration">11.3.2. Chaining Configuration</A>
+<A HREF="#back-relay Configuration">11.9.2. back-relay Configuration</A>
 <BR>
-<A HREF="#Handling Chaining Errors">11.3.3. Handling Chaining Errors</A>
+<A HREF="#Further Information">11.9.3. Further Information</A></UL>
 <BR>
-<A HREF="#Further Information">11.3.4. Further Information</A></UL>
+<A HREF="#SQL">11.10. SQL</A><UL>
+<A HREF="#Overview">11.10.1. Overview</A>
 <BR>
-<A HREF="#Constraints">11.4. Constraints</A><UL>
-<A HREF="#Overview">11.4.1. Overview</A>
+<A HREF="#back-sql Configuration">11.10.2. back-sql Configuration</A>
 <BR>
-<A HREF="#Constraint Configuration">11.4.2. Constraint Configuration</A>
+<A HREF="#Further Information">11.10.3. Further Information</A></UL></UL>
 <BR>
-<A HREF="#Further Information">11.4.3. Further Information</A></UL>
+<A HREF="#Overlays">12. Overlays</A><UL>
+<A HREF="#Access Logging">12.1. Access Logging</A><UL>
+<A HREF="#Overview">12.1.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Directory Services">11.5. Dynamic Directory Services</A><UL>
-<A HREF="#Overview">11.5.1. Overview</A>
+<A HREF="#Access Logging Configuration">12.1.2. Access Logging Configuration</A>
 <BR>
-<A HREF="#Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A>
+<A HREF="#Further Information">12.1.3. Further Information</A></UL>
 <BR>
-<A HREF="#Further Information">11.5.3. Further Information</A></UL>
+<A HREF="#Audit Logging">12.2. Audit Logging</A><UL>
+<A HREF="#Overview">12.2.1. Overview</A>
 <BR>
-<A HREF="#Dynamic Groups">11.6. Dynamic Groups</A><UL>
-<A HREF="#Overview">11.6.1. Overview</A>
+<A HREF="#Audit Logging Configuration">12.2.2. Audit Logging Configuration</A>
 <BR>
-<A HREF="#Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></UL>
+<A HREF="#Further Information">12.2.3. Further Information</A></UL>
 <BR>
-<A HREF="#Dynamic Lists">11.7. Dynamic Lists</A><UL>
-<A HREF="#Overview">11.7.1. Overview</A>
+<A HREF="#Chaining">12.3. Chaining</A><UL>
+<A HREF="#Overview">12.3.1. Overview</A>
 <BR>
-<A HREF="#Dynamic List Configuration">11.7.2. Dynamic List Configuration</A>
+<A HREF="#Chaining Configuration">12.3.2. Chaining Configuration</A>
 <BR>
-<A HREF="#Further Information">11.7.3. Further Information</A></UL>
+<A HREF="#Handling Chaining Errors">12.3.3. Handling Chaining Errors</A>
 <BR>
-<A HREF="#Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A><UL>
-<A HREF="#Overview">11.8.1. Overview</A>
+<A HREF="#Read-Back of Chained Modifications">12.3.4. Read-Back of Chained Modifications</A>
 <BR>
-<A HREF="#Member Of Configuration">11.8.2. Member Of Configuration</A>
+<A HREF="#Further Information">12.3.5. Further Information</A></UL>
 <BR>
-<A HREF="#Further Information">11.8.3. Further Information</A></UL>
+<A HREF="#Constraints">12.4. Constraints</A><UL>
+<A HREF="#Overview">12.4.1. Overview</A>
 <BR>
-<A HREF="#The Proxy Cache Engine">11.9. The Proxy Cache Engine</A><UL>
-<A HREF="#Overview">11.9.1. Overview</A>
+<A HREF="#Constraint Configuration">12.4.2. Constraint Configuration</A>
 <BR>
-<A HREF="#Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A>
+<A HREF="#Further Information">12.4.3. Further Information</A></UL>
 <BR>
-<A HREF="#Further Information">11.9.3. Further Information</A></UL>
+<A HREF="#Dynamic Directory Services">12.5. Dynamic Directory Services</A><UL>
+<A HREF="#Overview">12.5.1. Overview</A>
 <BR>
-<A HREF="#Password Policies">11.10. Password Policies</A><UL>
-<A HREF="#Overview">11.10.1. Overview</A>
+<A HREF="#Dynamic Directory Service Configuration">12.5.2. Dynamic Directory Service Configuration</A>
 <BR>
-<A HREF="#Password Policy Configuration">11.10.2. Password Policy Configuration</A>
+<A HREF="#Further Information">12.5.3. Further Information</A></UL>
 <BR>
-<A HREF="#Further Information">11.10.3. Further Information</A></UL>
+<A HREF="#Dynamic Groups">12.6. Dynamic Groups</A><UL>
+<A HREF="#Overview">12.6.1. Overview</A>
 <BR>
-<A HREF="#Referential Integrity">11.11. Referential Integrity</A><UL>
-<A HREF="#Overview">11.11.1. Overview</A>
+<A HREF="#Dynamic Group Configuration">12.6.2. Dynamic Group Configuration</A></UL>
 <BR>
-<A HREF="#Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A>
+<A HREF="#Dynamic Lists">12.7. Dynamic Lists</A><UL>
+<A HREF="#Overview">12.7.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.11.3. Further Information</A></UL>
+<A HREF="#Dynamic List Configuration">12.7.2. Dynamic List Configuration</A>
 <BR>
-<A HREF="#Return Code">11.12. Return Code</A><UL>
-<A HREF="#Overview">11.12.1. Overview</A>
+<A HREF="#Further Information">12.7.3. Further Information</A></UL>
 <BR>
-<A HREF="#Return Code Configuration">11.12.2. Return Code Configuration</A>
+<A HREF="#Reverse Group Membership Maintenance">12.8. Reverse Group Membership Maintenance</A><UL>
+<A HREF="#Overview">12.8.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.12.3. Further Information</A></UL>
+<A HREF="#Member Of Configuration">12.8.2. Member Of Configuration</A>
 <BR>
-<A HREF="#Rewrite/Remap">11.13. Rewrite/Remap</A><UL>
-<A HREF="#Overview">11.13.1. Overview</A>
+<A HREF="#Further Information">12.8.3. Further Information</A></UL>
 <BR>
-<A HREF="#Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A>
+<A HREF="#The Proxy Cache Engine">12.9. The Proxy Cache Engine</A><UL>
+<A HREF="#Overview">12.9.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.13.3. Further Information</A></UL>
+<A HREF="#Proxy Cache Configuration">12.9.2. Proxy Cache Configuration</A>
 <BR>
-<A HREF="#Sync Provider">11.14. Sync Provider</A><UL>
-<A HREF="#Overview">11.14.1. Overview</A>
+<A HREF="#Further Information">12.9.3. Further Information</A></UL>
 <BR>
-<A HREF="#Sync Provider Configuration">11.14.2. Sync Provider Configuration</A>
+<A HREF="#Password Policies">12.10. Password Policies</A><UL>
+<A HREF="#Overview">12.10.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.14.3. Further Information</A></UL>
+<A HREF="#Password Policy Configuration">12.10.2. Password Policy Configuration</A>
 <BR>
-<A HREF="#Translucent Proxy">11.15. Translucent Proxy</A><UL>
-<A HREF="#Overview">11.15.1. Overview</A>
+<A HREF="#Further Information">12.10.3. Further Information</A></UL>
 <BR>
-<A HREF="#Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A>
+<A HREF="#Referential Integrity">12.11. Referential Integrity</A><UL>
+<A HREF="#Overview">12.11.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.15.3. Further Information</A></UL>
+<A HREF="#Referential Integrity Configuration">12.11.2. Referential Integrity Configuration</A>
 <BR>
-<A HREF="#Attribute Uniqueness">11.16. Attribute Uniqueness</A><UL>
-<A HREF="#Overview">11.16.1. Overview</A>
+<A HREF="#Further Information">12.11.3. Further Information</A></UL>
 <BR>
-<A HREF="#Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A>
+<A HREF="#Return Code">12.12. Return Code</A><UL>
+<A HREF="#Overview">12.12.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.16.3. Further Information</A></UL>
+<A HREF="#Return Code Configuration">12.12.2. Return Code Configuration</A>
 <BR>
-<A HREF="#Value Sorting">11.17. Value Sorting</A><UL>
-<A HREF="#Overview">11.17.1. Overview</A>
+<A HREF="#Further Information">12.12.3. Further Information</A></UL>
 <BR>
-<A HREF="#Value Sorting Configuration">11.17.2. Value Sorting Configuration</A>
+<A HREF="#Rewrite/Remap">12.13. Rewrite/Remap</A><UL>
+<A HREF="#Overview">12.13.1. Overview</A>
 <BR>
-<A HREF="#Further Information">11.17.3. Further Information</A></UL>
+<A HREF="#Rewrite/Remap Configuration">12.13.2. Rewrite/Remap Configuration</A>
 <BR>
-<A HREF="#Overlay Stacking">11.18. Overlay Stacking</A><UL>
-<A HREF="#Overview">11.18.1. Overview</A>
+<A HREF="#Further Information">12.13.3. Further Information</A></UL>
 <BR>
-<A HREF="#Example Scenarios">11.18.2. Example Scenarios</A></UL></UL>
+<A HREF="#Sync Provider">12.14. Sync Provider</A><UL>
+<A HREF="#Overview">12.14.1. Overview</A>
 <BR>
-<A HREF="#Schema Specification">12. Schema Specification</A><UL>
-<A HREF="#Distributed Schema Files">12.1. Distributed Schema Files</A>
+<A HREF="#Sync Provider Configuration">12.14.2. Sync Provider Configuration</A>
 <BR>
-<A HREF="#Extending Schema">12.2. Extending Schema</A><UL>
-<A HREF="#Object Identifiers">12.2.1. Object Identifiers</A>
+<A HREF="#Further Information">12.14.3. Further Information</A></UL>
 <BR>
-<A HREF="#Naming Elements">12.2.2. Naming Elements</A>
+<A HREF="#Translucent Proxy">12.15. Translucent Proxy</A><UL>
+<A HREF="#Overview">12.15.1. Overview</A>
 <BR>
-<A HREF="#Local schema file">12.2.3. Local schema file</A>
+<A HREF="#Translucent Proxy Configuration">12.15.2. Translucent Proxy Configuration</A>
 <BR>
-<A HREF="#Attribute Type Specification">12.2.4. Attribute Type Specification</A>
+<A HREF="#Further Information">12.15.3. Further Information</A></UL>
 <BR>
-<A HREF="#Object Class Specification">12.2.5. Object Class Specification</A>
+<A HREF="#Attribute Uniqueness">12.16. Attribute Uniqueness</A><UL>
+<A HREF="#Overview">12.16.1. Overview</A>
 <BR>
-<A HREF="#OID Macros">12.2.6. OID Macros</A></UL></UL>
+<A HREF="#Attribute Uniqueness Configuration">12.16.2. Attribute Uniqueness Configuration</A>
 <BR>
-<A HREF="#Security Considerations">13. Security Considerations</A><UL>
-<A HREF="#Network Security">13.1. Network Security</A><UL>
-<A HREF="#Selective Listening">13.1.1. Selective Listening</A>
+<A HREF="#Further Information">12.16.3. Further Information</A></UL>
 <BR>
-<A HREF="#IP Firewall">13.1.2. IP Firewall</A>
+<A HREF="#Value Sorting">12.17. Value Sorting</A><UL>
+<A HREF="#Overview">12.17.1. Overview</A>
 <BR>
-<A HREF="#TCP Wrappers">13.1.3. TCP Wrappers</A></UL>
+<A HREF="#Value Sorting Configuration">12.17.2. Value Sorting Configuration</A>
 <BR>
-<A HREF="#Data Integrity and Confidentiality Protection">13.2. Data Integrity and Confidentiality Protection</A><UL>
-<A HREF="#Security Strength Factors">13.2.1. Security Strength Factors</A></UL>
+<A HREF="#Further Information">12.17.3. Further Information</A></UL>
 <BR>
-<A HREF="#Authentication Methods">13.3. Authentication Methods</A><UL>
-<A HREF="#&quot;simple&quot; method">13.3.1. &quot;simple&quot; method</A>
+<A HREF="#Overlay Stacking">12.18. Overlay Stacking</A><UL>
+<A HREF="#Overview">12.18.1. Overview</A>
 <BR>
-<A HREF="#SASL method">13.3.2. SASL method</A></UL>
+<A HREF="#Example Scenarios">12.18.2. Example Scenarios</A></UL></UL>
 <BR>
-<A HREF="#Password Storage">13.4. Password Storage</A><UL>
-<A HREF="#SSHA password storage scheme">13.4.1. SSHA password storage scheme</A>
+<A HREF="#Schema Specification">13. Schema Specification</A><UL>
+<A HREF="#Distributed Schema Files">13.1. Distributed Schema Files</A>
 <BR>
-<A HREF="#CRYPT password storage scheme">13.4.2. CRYPT password storage scheme</A>
+<A HREF="#Extending Schema">13.2. Extending Schema</A><UL>
+<A HREF="#Object Identifiers">13.2.1. Object Identifiers</A>
 <BR>
-<A HREF="#MD5 password storage scheme">13.4.3. MD5 password storage scheme</A>
+<A HREF="#Naming Elements">13.2.2. Naming Elements</A>
 <BR>
-<A HREF="#SMD5 password storage scheme">13.4.4. SMD5 password storage scheme</A>
+<A HREF="#Local schema file">13.2.3. Local schema file</A>
 <BR>
-<A HREF="#SHA password storage scheme">13.4.5. SHA password storage scheme</A>
+<A HREF="#Attribute Type Specification">13.2.4. Attribute Type Specification</A>
 <BR>
-<A HREF="#SASL password storage scheme">13.4.6. SASL password storage scheme</A>
+<A HREF="#Object Class Specification">13.2.5. Object Class Specification</A>
 <BR>
-<A HREF="#KERBEROS password storage scheme">13.4.7. KERBEROS password storage scheme</A></UL>
+<A HREF="#OID Macros">13.2.6. OID Macros</A></UL></UL>
 <BR>
-<A HREF="#Pass-Through authentication">13.5. Pass-Through authentication</A><UL>
-<A HREF="#Configuring slapd to use an authentication provider">13.5.1. Configuring slapd to use an authentication provider</A>
+<A HREF="#Security Considerations">14. Security Considerations</A><UL>
+<A HREF="#Network Security">14.1. Network Security</A><UL>
+<A HREF="#Selective Listening">14.1.1. Selective Listening</A>
 <BR>
-<A HREF="#Configuring saslauthd">13.5.2. Configuring saslauthd</A>
+<A HREF="#IP Firewall">14.1.2. IP Firewall</A>
 <BR>
-<A HREF="#Testing pass-through authentication">13.5.3. Testing pass-through authentication</A></UL></UL>
+<A HREF="#TCP Wrappers">14.1.3. TCP Wrappers</A></UL>
 <BR>
-<A HREF="#Using SASL">14. Using SASL</A><UL>
-<A HREF="#SASL Security Considerations">14.1. SASL Security Considerations</A>
+<A HREF="#Data Integrity and Confidentiality Protection">14.2. Data Integrity and Confidentiality Protection</A><UL>
+<A HREF="#Security Strength Factors">14.2.1. Security Strength Factors</A></UL>
 <BR>
-<A HREF="#SASL Authentication">14.2. SASL Authentication</A><UL>
-<A HREF="#GSSAPI">14.2.1. GSSAPI</A>
+<A HREF="#Authentication Methods">14.3. Authentication Methods</A><UL>
+<A HREF="#&quot;simple&quot; method">14.3.1. &quot;simple&quot; method</A>
 <BR>
-<A HREF="#KERBEROS_V4">14.2.2. KERBEROS_V4</A>
+<A HREF="#SASL method">14.3.2. SASL method</A></UL>
 <BR>
-<A HREF="#DIGEST-MD5">14.2.3. DIGEST-MD5</A>
+<A HREF="#Password Storage">14.4. Password Storage</A><UL>
+<A HREF="#SSHA password storage scheme">14.4.1. SSHA password storage scheme</A>
 <BR>
-<A HREF="#Mapping Authentication Identities">14.2.4. Mapping Authentication Identities</A>
+<A HREF="#CRYPT password storage scheme">14.4.2. CRYPT password storage scheme</A>
 <BR>
-<A HREF="#Direct Mapping">14.2.5. Direct Mapping</A>
+<A HREF="#MD5 password storage scheme">14.4.3. MD5 password storage scheme</A>
 <BR>
-<A HREF="#Search-based mappings">14.2.6. Search-based mappings</A></UL>
+<A HREF="#SMD5 password storage scheme">14.4.4. SMD5 password storage scheme</A>
 <BR>
-<A HREF="#SASL Proxy Authorization">14.3. SASL Proxy Authorization</A><UL>
-<A HREF="#Uses of Proxy Authorization">14.3.1. Uses of Proxy Authorization</A>
+<A HREF="#SHA password storage scheme">14.4.5. SHA password storage scheme</A>
 <BR>
-<A HREF="#SASL Authorization Identities">14.3.2. SASL Authorization Identities</A>
+<A HREF="#SASL password storage scheme">14.4.6. SASL password storage scheme</A>
 <BR>
-<A HREF="#Proxy Authorization Rules">14.3.3. Proxy Authorization Rules</A></UL></UL>
+<A HREF="#KERBEROS password storage scheme">14.4.7. KERBEROS password storage scheme</A></UL>
 <BR>
-<A HREF="#Using TLS">15. Using TLS</A><UL>
-<A HREF="#TLS Certificates">15.1. TLS Certificates</A><UL>
-<A HREF="#Server Certificates">15.1.1. Server Certificates</A>
+<A HREF="#Pass-Through authentication">14.5. Pass-Through authentication</A><UL>
+<A HREF="#Configuring slapd to use an authentication provider">14.5.1. Configuring slapd to use an authentication provider</A>
 <BR>
-<A HREF="#Client Certificates">15.1.2. Client Certificates</A></UL>
+<A HREF="#Configuring saslauthd">14.5.2. Configuring saslauthd</A>
 <BR>
-<A HREF="#TLS Configuration">15.2. TLS Configuration</A><UL>
-<A HREF="#Server Configuration">15.2.1. Server Configuration</A>
+<A HREF="#Testing pass-through authentication">14.5.3. Testing pass-through authentication</A></UL></UL>
 <BR>
-<A HREF="#Client Configuration">15.2.2. Client Configuration</A></UL></UL>
+<A HREF="#Using SASL">15. Using SASL</A><UL>
+<A HREF="#SASL Security Considerations">15.1. SASL Security Considerations</A>
 <BR>
-<A HREF="#Constructing a Distributed Directory Service">16. Constructing a Distributed Directory Service</A><UL>
-<A HREF="#Subordinate Knowledge Information">16.1. Subordinate Knowledge Information</A>
+<A HREF="#SASL Authentication">15.2. SASL Authentication</A><UL>
+<A HREF="#GSSAPI">15.2.1. GSSAPI</A>
 <BR>
-<A HREF="#Superior Knowledge Information">16.2. Superior Knowledge Information</A>
+<A HREF="#KERBEROS_V4">15.2.2. KERBEROS_V4</A>
 <BR>
-<A HREF="#The ManageDsaIT Control">16.3. The ManageDsaIT Control</A></UL>
+<A HREF="#DIGEST-MD5">15.2.3. DIGEST-MD5</A>
 <BR>
-<A HREF="#Replication">17. Replication</A><UL>
-<A HREF="#Push Based">17.1. Push Based</A><UL>
-<A HREF="#Replacing Slurpd">17.1.1. Replacing Slurpd</A></UL>
+<A HREF="#Mapping Authentication Identities">15.2.4. Mapping Authentication Identities</A>
 <BR>
-<A HREF="#Pull Based">17.2. Pull Based</A><UL>
-<A HREF="#LDAP Sync Replication">17.2.1. LDAP Sync Replication</A>
+<A HREF="#Direct Mapping">15.2.5. Direct Mapping</A>
 <BR>
-<A HREF="#Delta-syncrepl replication">17.2.2. Delta-syncrepl replication</A></UL>
+<A HREF="#Search-based mappings">15.2.6. Search-based mappings</A></UL>
 <BR>
-<A HREF="#Mixture of both Pull and Push based">17.3. Mixture of both Pull and Push based</A><UL>
-<A HREF="#N-Way Multi-Master replication">17.3.1. N-Way Multi-Master replication</A>
+<A HREF="#SASL Proxy Authorization">15.3. SASL Proxy Authorization</A><UL>
+<A HREF="#Uses of Proxy Authorization">15.3.1. Uses of Proxy Authorization</A>
 <BR>
-<A HREF="#MirrorMode replication">17.3.2. MirrorMode replication</A></UL>
+<A HREF="#SASL Authorization Identities">15.3.2. SASL Authorization Identities</A>
 <BR>
-<A HREF="#Configuring the different replication types">17.4. Configuring the different replication types</A><UL>
-<A HREF="#Syncrepl">17.4.1. Syncrepl</A>
+<A HREF="#Proxy Authorization Rules">15.3.3. Proxy Authorization Rules</A></UL></UL>
 <BR>
-<A HREF="#Delta-syncrepl">17.4.2. Delta-syncrepl</A>
+<A HREF="#Using TLS">16. Using TLS</A><UL>
+<A HREF="#TLS Certificates">16.1. TLS Certificates</A><UL>
+<A HREF="#Server Certificates">16.1.1. Server Certificates</A>
 <BR>
-<A HREF="#N-Way Multi-Master">17.4.3. N-Way Multi-Master</A>
+<A HREF="#Client Certificates">16.1.2. Client Certificates</A></UL>
 <BR>
-<A HREF="#MirrorMode">17.4.4. MirrorMode</A></UL></UL>
+<A HREF="#TLS Configuration">16.2. TLS Configuration</A><UL>
+<A HREF="#Server Configuration">16.2.1. Server Configuration</A>
 <BR>
-<A HREF="#Maintenance">18. Maintenance</A><UL>
-<A HREF="#Directory Backups">18.1. Directory Backups</A>
+<A HREF="#Client Configuration">16.2.2. Client Configuration</A></UL></UL>
 <BR>
-<A HREF="#Berkeley DB Logs">18.2. Berkeley DB Logs</A>
+<A HREF="#Constructing a Distributed Directory Service">17. Constructing a Distributed Directory Service</A><UL>
+<A HREF="#Subordinate Knowledge Information">17.1. Subordinate Knowledge Information</A>
 <BR>
-<A HREF="#Checkpointing">18.3. Checkpointing</A>
+<A HREF="#Superior Knowledge Information">17.2. Superior Knowledge Information</A>
 <BR>
-<A HREF="#Migration">18.4. Migration</A></UL>
+<A HREF="#The ManageDsaIT Control">17.3. The ManageDsaIT Control</A></UL>
 <BR>
-<A HREF="#Monitoring">19. Monitoring</A><UL>
-<A HREF="#Monitor configuration via cn=config(5)">19.1. Monitor configuration via cn=config(5)</A>
+<A HREF="#Replication">18. Replication</A><UL>
+<A HREF="#Replication Technology">18.1. Replication Technology</A><UL>
+<A HREF="#LDAP Sync Replication">18.1.1. LDAP Sync Replication</A></UL>
 <BR>
-<A HREF="#Monitor configuration via slapd.conf(5)">19.2. Monitor configuration via slapd.conf(5)</A>
+<A HREF="#Deployment Alternatives">18.2. Deployment Alternatives</A><UL>
+<A HREF="#Delta-syncrepl replication">18.2.1. Delta-syncrepl replication</A>
 <BR>
-<A HREF="#Accessing Monitoring Information">19.3. Accessing Monitoring Information</A>
+<A HREF="#N-Way Multi-Master replication">18.2.2. N-Way Multi-Master replication</A>
 <BR>
-<A HREF="#Monitor Information">19.4. Monitor Information</A><UL>
-<A HREF="#Backends">19.4.1. Backends</A>
+<A HREF="#MirrorMode replication">18.2.3. MirrorMode replication</A>
 <BR>
-<A HREF="#Connections">19.4.2. Connections</A>
+<A HREF="#Syncrepl Proxy Mode">18.2.4. Syncrepl Proxy Mode</A></UL>
 <BR>
-<A HREF="#Databases">19.4.3. Databases</A>
+<A HREF="#Configuring the different replication types">18.3. Configuring the different replication types</A><UL>
+<A HREF="#Syncrepl">18.3.1. Syncrepl</A>
 <BR>
-<A HREF="#Listener">19.4.4. Listener</A>
+<A HREF="#Delta-syncrepl">18.3.2. Delta-syncrepl</A>
 <BR>
-<A HREF="#Log">19.4.5. Log</A>
+<A HREF="#N-Way Multi-Master">18.3.3. N-Way Multi-Master</A>
 <BR>
-<A HREF="#Operations">19.4.6. Operations</A>
+<A HREF="#MirrorMode">18.3.4. MirrorMode</A>
 <BR>
-<A HREF="#Overlays">19.4.7. Overlays</A>
+<A HREF="#Syncrepl Proxy">18.3.5. Syncrepl Proxy</A></UL></UL>
 <BR>
-<A HREF="#SASL">19.4.8. SASL</A>
+<A HREF="#Maintenance">19. Maintenance</A><UL>
+<A HREF="#Directory Backups">19.1. Directory Backups</A>
 <BR>
-<A HREF="#Statistics">19.4.9. Statistics</A>
+<A HREF="#Berkeley DB Logs">19.2. Berkeley DB Logs</A>
 <BR>
-<A HREF="#Threads">19.4.10. Threads</A>
+<A HREF="#Checkpointing">19.3. Checkpointing</A>
 <BR>
-<A HREF="#Time">19.4.11. Time</A>
+<A HREF="#Migration">19.4. Migration</A></UL>
 <BR>
-<A HREF="#TLS">19.4.12. TLS</A>
+<A HREF="#Monitoring">20. Monitoring</A><UL>
+<A HREF="#Monitor configuration via cn=config(5)">20.1. Monitor configuration via cn=config(5)</A>
 <BR>
-<A HREF="#Waiters">19.4.13. Waiters</A></UL></UL>
+<A HREF="#Monitor configuration via slapd.conf(5)">20.2. Monitor configuration via slapd.conf(5)</A>
 <BR>
-<A HREF="#Tuning">20. Tuning</A><UL>
-<A HREF="#Performance Factors">20.1. Performance Factors</A><UL>
-<A HREF="#Memory">20.1.1. Memory</A>
+<A HREF="#Accessing Monitoring Information">20.3. Accessing Monitoring Information</A>
 <BR>
-<A HREF="#Disks">20.1.2. Disks</A>
+<A HREF="#Monitor Information">20.4. Monitor Information</A><UL>
+<A HREF="#Backends">20.4.1. Backends</A>
 <BR>
-<A HREF="#Network Topology">20.1.3. Network Topology</A>
+<A HREF="#Connections">20.4.2. Connections</A>
 <BR>
-<A HREF="#Directory Layout Design">20.1.4. Directory Layout Design</A>
+<A HREF="#Databases">20.4.3. Databases</A>
 <BR>
-<A HREF="#Expected Usage">20.1.5. Expected Usage</A></UL>
+<A HREF="#Listener">20.4.4. Listener</A>
 <BR>
-<A HREF="#Indexes">20.2. Indexes</A><UL>
-<A HREF="#Understanding how a search works">20.2.1. Understanding how a search works</A>
+<A HREF="#Log">20.4.5. Log</A>
 <BR>
-<A HREF="#What to index">20.2.2. What to index</A>
+<A HREF="#Operations">20.4.6. Operations</A>
 <BR>
-<A HREF="#Presence indexing">20.2.3. Presence indexing</A></UL>
+<A HREF="#Overlays">20.4.7. Overlays</A>
 <BR>
-<A HREF="#Logging">20.3. Logging</A><UL>
-<A HREF="#What log level to use">20.3.1. What log level to use</A>
+<A HREF="#SASL">20.4.8. SASL</A>
 <BR>
-<A HREF="#What to watch out for">20.3.2. What to watch out for</A>
+<A HREF="#Statistics">20.4.9. Statistics</A>
 <BR>
-<A HREF="#Improving throughput">20.3.3. Improving throughput</A></UL>
+<A HREF="#Threads">20.4.10. Threads</A>
 <BR>
-<A HREF="#Caching">20.4. Caching</A><UL>
-<A HREF="#Berkeley DB Cache">20.4.1. Berkeley DB Cache</A>
+<A HREF="#Time">20.4.11. Time</A>
 <BR>
-<A HREF="#{{slapd}}(8) Entry Cache (cachesize)">20.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A>
+<A HREF="#TLS">20.4.12. TLS</A>
 <BR>
-<A HREF="#{{TERM:IDL}} Cache (idlcachesize)">20.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A>
+<A HREF="#Waiters">20.4.13. Waiters</A></UL></UL>
 <BR>
-<A HREF="#{{slapd}}(8) Threads">20.4.4. <EM>slapd</EM>(8) Threads</A></UL></UL>
+<A HREF="#Tuning">21. Tuning</A><UL>
+<A HREF="#Performance Factors">21.1. Performance Factors</A><UL>
+<A HREF="#Memory">21.1.1. Memory</A>
 <BR>
-<A HREF="#Troubleshooting">21. Troubleshooting</A><UL>
-<A HREF="#User or Software errors">21.1. User or Software errors?</A>
+<A HREF="#Disks">21.1.2. Disks</A>
 <BR>
-<A HREF="#Checklist">21.2. Checklist</A>
+<A HREF="#Network Topology">21.1.3. Network Topology</A>
 <BR>
-<A HREF="#OpenLDAP Bugs">21.3. OpenLDAP Bugs</A>
+<A HREF="#Directory Layout Design">21.1.4. Directory Layout Design</A>
 <BR>
-<A HREF="#3rd party software error">21.4. 3rd party software error</A>
+<A HREF="#Expected Usage">21.1.5. Expected Usage</A></UL>
 <BR>
-<A HREF="#How to contact the OpenLDAP Project">21.5. How to contact the OpenLDAP Project</A>
+<A HREF="#Indexes">21.2. Indexes</A><UL>
+<A HREF="#Understanding how a search works">21.2.1. Understanding how a search works</A>
 <BR>
-<A HREF="#How to present your problem">21.6. How to present your problem</A>
+<A HREF="#What to index">21.2.2. What to index</A>
 <BR>
-<A HREF="#Debugging {{slapd}}(8)">21.7. Debugging <EM>slapd</EM>(8)</A>
+<A HREF="#Presence indexing">21.2.3. Presence indexing</A></UL>
 <BR>
-<A HREF="#Commercial Support">21.8. Commercial Support</A></UL>
+<A HREF="#Logging">21.3. Logging</A><UL>
+<A HREF="#What log level to use">21.3.1. What log level to use</A>
 <BR>
+<A HREF="#What to watch out for">21.3.2. What to watch out for</A>
+<BR>
+<A HREF="#Improving throughput">21.3.3. Improving throughput</A></UL>
+<BR>
+<A HREF="#Caching">21.4. Caching</A><UL>
+<A HREF="#Berkeley DB Cache">21.4.1. Berkeley DB Cache</A>
+<BR>
+<A HREF="#{{slapd}}(8) Entry Cache (cachesize)">21.4.2. <EM>slapd</EM>(8) Entry Cache (cachesize)</A>
+<BR>
+<A HREF="#{{TERM:IDL}} Cache (idlcachesize)">21.4.3. <TERM>IDL</TERM> Cache (idlcachesize)</A>
+<BR>
+<A HREF="#{{slapd}}(8) Threads">21.4.4. <EM>slapd</EM>(8) Threads</A></UL></UL>
+<BR>
+<A HREF="#Troubleshooting">22. Troubleshooting</A><UL>
+<A HREF="#User or Software errors">22.1. User or Software errors?</A>
+<BR>
+<A HREF="#Checklist">22.2. Checklist</A>
+<BR>
+<A HREF="#OpenLDAP Bugs">22.3. OpenLDAP Bugs</A>
+<BR>
+<A HREF="#3rd party software error">22.4. 3rd party software error</A>
+<BR>
+<A HREF="#How to contact the OpenLDAP Project">22.5. How to contact the OpenLDAP Project</A>
+<BR>
+<A HREF="#How to present your problem">22.6. How to present your problem</A>
+<BR>
+<A HREF="#Debugging {{slapd}}(8)">22.7. Debugging <EM>slapd</EM>(8)</A>
+<BR>
+<A HREF="#Commercial Support">22.8. Commercial Support</A></UL>
+<BR>
 <A HREF="#Changes Since Previous Release">A. Changes Since Previous Release</A><UL>
 <A HREF="#New Guide Sections">A.1. New Guide Sections</A>
 <BR>
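Review bot: the added chapter 12 TOC entries all reuse the same two fragments, `HREF="#Overview"` and `HREF="#Further Information"` (12.3.1, 12.4.1, 12.5.1 and so on), so none of these links can address its own subsection; identical fragments resolve to the same target. Make the fragments unique per section, for example by prefixing the parent section title. In the same hunk the 21.4.x entries carry unexpanded source markup in the fragment (`#{{slapd}}(8) Entry Cache (cachesize)`) and a `<TERM>` element in the link text, which is not an HTML tag. The removed lines show both problems predate the renumbering, so if this file is generated output the fix belongs in the generator or its source rather than in this file.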
@@ -1063,7 +1093,7 @@
 <P><B>Internationalization</B>: <EM>slapd</EM> supports Unicode and language tags.</P>
 <P><B>Choice of database backends</B>: <EM>slapd</EM> comes with a variety of different database backends you can choose from. They include <TERM>BDB</TERM>, a high-performance transactional database backend; <TERM>HDB</TERM>, a hierarchical high-performance transactional backend; <EM>SHELL</EM>, a backend interface to arbitrary shell scripts; and PASSWD, a simple backend interface to the <EM>passwd</EM>(5) file. The BDB and HDB backends utilize <A HREF="http://www.oracle.com/">Oracle</A> <A HREF="http://www.oracle.com/database/berkeley-db/db/index.html">Berkeley DB</A>.</P>
 <P><B>Multiple database instances</B>: <EM>slapd</EM> can be configured to serve multiple databases at the same time. This means that a single <EM>slapd</EM> server can respond to requests for many logically different portions of the LDAP tree, using the same or different database backends.</P>
-<P><B>Generic modules API</B>:  If you require even more customization, <EM>slapd</EM> lets you write your own modules easily. <EM>slapd</EM> consists of two distinct parts: a front end that handles protocol communication with LDAP clients; and modules which handle specific tasks such as database operations.  Because these two pieces communicate via a well-defined <TERM>C</TERM> <TERM>API</TERM>, you can write your own customized modules which extend <EM>slapd</EM> in numerous ways.  Also, a number of <EM>programmable database</EM> modules are provided.  These allow you to expose external data sources to <EM>slapd</EM> using popular programming languages (<A HREF="http://www.perl.org/">Perl</A>, <EM>shell</EM>, and <TERM>SQL</TERM>.</P>
+<P><B>Generic modules API</B>:  If you require even more customization, <EM>slapd</EM> lets you write your own modules easily. <EM>slapd</EM> consists of two distinct parts: a front end that handles protocol communication with LDAP clients; and modules which handle specific tasks such as database operations.  Because these two pieces communicate via a well-defined <TERM>C</TERM> <TERM>API</TERM>, you can write your own customized modules which extend <EM>slapd</EM> in numerous ways.  Also, a number of <EM>programmable database</EM> modules are provided.  These allow you to expose external data sources to <EM>slapd</EM> using popular programming languages (<A HREF="http://www.perl.org/">Perl</A>, <EM>shell</EM>, and <TERM>SQL</TERM>).</P>
 <P><B>Threads</B>: <EM>slapd</EM> is threaded for high performance.  A single multi-threaded <EM>slapd</EM> process handles all incoming requests using a pool of threads.  This reduces the amount of system overhead required while providing high performance.</P>
 <P><B>Replication</B>: <EM>slapd</EM> can be configured to maintain shadow copies of directory information.  This <EM>single-master/multiple-slave</EM> replication scheme is vital in high-volume environments where a single <EM>slapd</EM> installation just doesn't provide the necessary availability or reliability.  For extremely demanding environments where a single point of failure is not acceptable, <EM>multi-master</EM> replication is also available.  <EM>slapd</EM> includes support for <EM>LDAP Sync</EM>-based replication.</P>
 <P><B>Proxy Cache</B>: <EM>slapd</EM> can be configured as a caching LDAP proxy service.</P>
@@ -1258,7 +1288,7 @@
 <BR>
 This command will search for and retrieve every entry in the database.</OL>
 <P>You are now ready to add more entries using <EM>ldapadd</EM>(1) or another LDAP client, experiment with various configuration options, backend arrangements, etc..</P>
-<P>Note that by default, the <EM>slapd</EM>(8) database grants <EM>read access to everybody</EM> excepting the <EM>super-user</EM> (as specified by the <TT>rootdn</TT> configuration directive).  It is highly recommended that you establish controls to restrict access to authorized users. Access controls are discussed in the <A HREF="#The access Configuration Directive">The access Configuration Directive</A> section of <A HREF="#The slapd Configuration File">The slapd Configuration File</A> chapter. You are also encouraged to read the <A HREF="#Security Considerations">Security Considerations</A>, <A HREF="#Using SASL">Using SASL</A> and <A HREF="#Using TLS">Using TLS</A> sections.</P>
+<P>Note that by default, the <EM>slapd</EM>(8) database grants <EM>read access to everybody</EM> excepting the <EM>super-user</EM> (as specified by the <TT>rootdn</TT> configuration directive).  It is highly recommended that you establish controls to restrict access to authorized users. Access controls are discussed in the <A HREF="#Access Control">Access Control</A> chapter. You are also encouraged to read the <A HREF="#Security Considerations">Security Considerations</A>, <A HREF="#Using SASL">Using SASL</A> and <A HREF="#Using TLS">Using TLS</A> sections.</P>
 <P>The following chapters provide more detailed information on making, installing, and running <EM>slapd</EM>(8).</P>
 <P></P>
 <HR>
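Review bot: the `+` line repoints the reference to `#Access Control`, but the sentence it sits in still says the default grants "read access to everybody excepting the super-user", which can be read as the rootdn being excluded from read access. Since the line is being touched anyway, reword it so that the default (everyone may read) and the position of the `rootdn` are stated separately. Also confirm that an anchor named `Access Control` exists in the regenerated guide so the new link does not dangle. The unchanged context line above ends in "etc.." with a doubled period.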
@@ -1311,7 +1341,7 @@
 <P>Heimdal Kerberos is available from <A HREF="http://www.pdc.kth.se/heimdal/">http://www.pdc.kth.se/heimdal/</A>. MIT Kerberos is available from <A HREF="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</A>.</P>
 <P>Use of strong authentication services, such as those provided by Kerberos, is highly recommended.</P>
 <H3><A NAME="Database Software">4.2.4. Database Software</A></H3>
-<P>OpenLDAP's <EM>slapd</EM>(8) <TERM>BDB</TERM> and <TERM>HDB</TERM> primary database backends require <A HREF="http://www.oracle.com/">Oracle Corporation</A> <A HREF="http://www.oracle.com/database/berkeley-db/db/index.html">Berkeley DB</A>. If not available at configure time, you will not be able build <EM>slapd</EM>(8) with these primary database backends.</P>
+<P>OpenLDAP's <EM>slapd</EM>(8) <TERM>BDB</TERM> and <TERM>HDB</TERM> primary database backends require <A HREF="http://www.oracle.com/">Oracle Corporation</A> <A HREF="http://www.oracle.com/database/berkeley-db/db/index.html">Berkeley DB</A>. If not available at configure time, you will not be able to build <EM>slapd</EM>(8) with these primary database backends.</P>
 <P>Your operating system may provide a supported version of <A HREF="http://www.oracle.com/database/berkeley-db/db/index.html">Berkeley DB</A> in the base system or as an optional software component.  If not, you'll have to obtain and install it yourself.</P>
 <P><A HREF="http://www.oracle.com/database/berkeley-db/db/index.html">Berkeley DB</A> is available from <A HREF="http://www.oracle.com/">Oracle Corporation</A>'s Berkeley DB download page <A HREF="http://www.oracle.com/technology/software/products/berkeley-db/index.html">http://www.oracle.com/technology/software/products/berkeley-db/index.html</A>.</P>
 <P>There are several versions available. Generally, the most recent release (with published patches) is recommended. This package is required if you wish to use the <TERM>BDB</TERM> or <TERM>HDB</TERM> database backends.</P>
@@ -1492,7 +1522,7 @@
 </PRE>
 <P>Some of the entries listed above have a numeric index <TT>&quot;{X}&quot;</TT> in their names. While most configuration settings have an inherent ordering dependency (i.e., one setting must take effect before a subsequent one may be set), LDAP databases are inherently unordered. The numeric index is used to enforce a consistent ordering in the configuration database, so that all ordering dependencies are preserved. In most cases the index does not have to be provided; it will be automatically generated based on the order in which entries are created.</P>
 <P>Configuration directives are specified as values of individual attributes. Most of the attributes and objectClasses used in the slapd configuration have a prefix of <TT>&quot;olc&quot;</TT> (OpenLDAP Configuration) in their names. Generally there is a one-to-one correspondence between the attributes and the old-style <TT>slapd.conf</TT> configuration keywords, using the keyword as the attribute name, with the &quot;olc&quot; prefix attached.</P>
-<P>A configuration directive may take arguments.  If so, the arguments are separated by white space.  If an argument contains white space, the argument should be enclosed in double quotes <TT>&quot;like this&quot;</TT>. In the descriptions that follow, arguments that should be replaced by actual text are shown in brackets <TT>&lt;&gt;</TT>.</P>
+<P>A configuration directive may take arguments.  If so, the arguments are separated by whitespace.  If an argument contains whitespace, the argument should be enclosed in double quotes <TT>&quot;like this&quot;</TT>. In the descriptions that follow, arguments that should be replaced by actual text are shown in brackets <TT>&lt;&gt;</TT>.</P>
 <P>The distribution contains an example configuration file that will be installed in the <TT>/usr/local/etc/openldap</TT> directory. A number of files containing schema definitions (attribute types and object classes) are also provided in the <TT>/usr/local/etc/openldap/schema</TT> directory.</P>
 <H2><A NAME="Configuration Directives">5.2. Configuration Directives</A></H2>
 <P>This section details commonly used configuration directives.  For a complete list, see the <EM>slapd-config</EM>(5) manual page.  This section will treat the configuration directives in a top-down order, starting with the global directives in the <TT>cn=config</TT> entry. Each directive will be described along with its default value (if any) and an example of its use.</P>
@@ -1501,7 +1531,7 @@
 <H4><A NAME="olcIdleTimeout: &lt;integer&gt;">5.2.1.1. olcIdleTimeout: &lt;integer&gt;</A></H4>
 <P>Specify the number of seconds to wait before forcibly closing an idle client connection.  A value of 0, the default, disables this feature.</P>
 <H4><A NAME="olcLogLevel: &lt;level&gt;">5.2.1.2. olcLogLevel: &lt;level&gt;</A></H4>
-<P>This directive specifies the level at which debugging statements and operation statistics should be syslogged (currently logged to the <EM>syslogd</EM>(8) <TT>LOG_LOCAL4</TT> facility). You must have configured OpenLDAP <TT>--enable-debug</TT> (the default) for this to work (except for the two statistics levels, which are always enabled). Log levels may be specified as integers or by keyword. Multiple log levels may be used and the levels are additive. To display what levels correspond to what kind of debugging, invoke slapd with <TT>-?</TT> or consult the table below. The possible values for &lt;level&gt; are:</P>
+<P>This directive specifies the level at which debugging statements and operation statistics should be syslogged (currently logged to the <EM>syslogd</EM>(8) <TT>LOG_LOCAL4</TT> facility). You must have configured OpenLDAP <TT>--enable-debug</TT> (the default) for this to work (except for the two statistics levels, which are always enabled). Log levels may be specified as integers or by keyword. Multiple log levels may be used and the levels are additive. To display what levels correspond to what kind of debugging, invoke slapd with <TT>-d?</TT> or consult the table below. The possible values for &lt;level&gt; are:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 5.1: Debugging Levels</CAPTION>
 <TR CLASS="heading">
@@ -1520,7 +1550,7 @@
 -1
 </TD>
 <TD ALIGN='Left'>
-Any
+any
 </TD>
 <TD>
 enable all debugging
@@ -1542,10 +1572,10 @@
 1
 </TD>
 <TD ALIGN='Left'>
-Trace
+(0x1 trace)
 </TD>
 <TD>
-trace function calls
+trace function callss
 </TD>
 </TR>
 <TR>
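Review bot: the added description line in the trace row reads "trace function callss", with a doubled "s" that the removed line ("trace function calls") did not have. The same row in Table 6.1 later in this patch still reads "trace function calls", so this looks like a typo introduced here; restore "calls".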
@@ -1553,7 +1583,7 @@
 2
 </TD>
 <TD ALIGN='Left'>
-Packets
+(0x2 packets)
 </TD>
 <TD>
 debug packet handling
@@ -1564,7 +1594,7 @@
 4
 </TD>
 <TD ALIGN='Left'>
-Args
+(0x4 args)
 </TD>
 <TD>
 heavy trace debugging
@@ -1575,7 +1605,7 @@
 8
 </TD>
 <TD ALIGN='Left'>
-Conns
+(0x8 conns)
 </TD>
 <TD>
 connection management
@@ -1586,7 +1616,7 @@
 16
 </TD>
 <TD ALIGN='Left'>
-BER
+(0x10 BER)
 </TD>
 <TD>
 print out packets sent and received
@@ -1597,7 +1627,7 @@
 32
 </TD>
 <TD ALIGN='Left'>
-Filter
+(0x20 filter)
 </TD>
 <TD>
 search filter processing
@@ -1608,7 +1638,7 @@
 64
 </TD>
 <TD ALIGN='Left'>
-Config
+(0x40 config)
 </TD>
 <TD>
 configuration processing
@@ -1619,7 +1649,7 @@
 128
 </TD>
 <TD ALIGN='Left'>
-ACL
+(0x80 ACL)
 </TD>
 <TD>
 access control list processing
@@ -1630,7 +1660,7 @@
 256
 </TD>
 <TD ALIGN='Left'>
-Stats
+(0x100 stats)
 </TD>
 <TD>
 stats log connections/operations/results
@@ -1641,7 +1671,7 @@
 512
 </TD>
 <TD ALIGN='Left'>
-Stats2
+(0x200 stats2)
 </TD>
 <TD>
 stats log entries sent
@@ -1652,7 +1682,7 @@
 1024
 </TD>
 <TD ALIGN='Left'>
-Shell
+(0x400 shell)
 </TD>
 <TD>
 print communication with shell backends
@@ -1663,7 +1693,7 @@
 2048
 </TD>
 <TD ALIGN='Left'>
-Parse
+(0x800 parse)
 </TD>
 <TD>
 print entry parsing debugging
@@ -1671,52 +1701,55 @@
 </TR>
 <TR>
 <TD ALIGN='Right'>
-4096
+16384
 </TD>
 <TD ALIGN='Left'>
-Cache
+(0x4000 sync)
 </TD>
 <TD>
-database cache processing
+syncrepl consumer processing
 </TD>
 </TR>
 <TR>
 <TD ALIGN='Right'>
-8192
+32768
 </TD>
 <TD ALIGN='Left'>
-Index
+(0x8000 none)
 </TD>
 <TD>
-database indexing
+only messages that get logged whatever log level is set
 </TD>
 </TR>
-<TR>
-<TD ALIGN='Right'>
-16384
-</TD>
-<TD ALIGN='Left'>
-Sync
-</TD>
-<TD>
-syncrepl consumer processing
-</TD>
-</TR>
 </TABLE>
 
-<P>Example:</P>
+<P>The desired log level can be input as a single integer that combines the (ORed) desired levels, both in decimal or in hexadecimal notation, as a list of integers (that are ORed internally), or as a list of the names that are shown between brackets, such that</P>
 <PRE>
- olcLogLevel: -1
+                olcLogLevel 129
+                olcLogLevel 0x81
+                olcLogLevel 128 1
+                olcLogLevel 0x80 0x1
+                olcLogLevel acl trace
 </PRE>
+<P>are equivalent.</P>
+<P>Examples:</P>
+<PRE>
+ olcLogLevel -1
+</PRE>
 <P>This will cause lots and lots of debugging information to be logged.</P>
 <PRE>
- olcLogLevel: Conns Filter
+ olcLogLevel conns filter
 </PRE>
 <P>Just log the connection and search filter processing.</P>
+<PRE>
+ olcLogLevel none
+</PRE>
+<P>Log those messages that are logged regardless of the configured loglevel. This differs from setting the log level to 0, when no logging occurs. At least the <TT>None</TT> level is required to have high priority messages logged.</P>
 <P>Default:</P>
 <PRE>
- olcLogLevel: Stats
+ olcLogLevel stats
 </PRE>
+<P>Basic stats logging is configured by default. However, if no olcLogLevel is defined, no logging occurs (equivalent to a 0 level).</P>
 <H4><A NAME="olcReferral &lt;URI&gt;">5.2.1.3. olcReferral &lt;URI&gt;</A></H4>
 <P>This directive specifies the referral to pass back when slapd cannot find a local database to handle a request.</P>
 <P>Example:</P>
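Review bot: every new example in this hunk drops the colon after the attribute name ("olcLogLevel 129", "olcLogLevel -1", "olcLogLevel stats"), while the lines they replace used "olcLogLevel: -1" and "olcLogLevel: Stats" and the section heading is still "olcLogLevel: &lt;level&gt;". Other cn=config examples in this file keep the colon ("olcSizeLimit: 500", "olcDbMode: 0600"), so these look like they were copied from the slapd.conf "loglevel" text without adapting the syntax; please restore the colon. Also, "the names that are shown between brackets" refers to table cells that are written with parentheses, e.g. "(0x80 ACL)".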
@@ -1954,6 +1987,7 @@
 <PRE>
         olcSizeLimit: 500
 </PRE>
+<P>See the <A HREF="#Limits">Limits</A> section of this guide and slapd-config(5) for more details.</P>
 <H4><A NAME="olcSuffix: &lt;dn suffix&gt;">5.2.5.7. olcSuffix: &lt;dn suffix&gt;</A></H4>
 <P>This directive specifies the DN suffix of queries that will be passed to this backend database. Multiple suffix lines can be given, and usually at least one is required for each database definition. (Some backend types, such as <TT>frontend</TT> and <TT>monitor</TT> use a hard-coded suffix which may not be overridden in the configuration.)</P>
 <P>Example:</P>
@@ -2021,6 +2055,7 @@
 <PRE>
         olcTimeLimit: 3600
 </PRE>
+<P>See the <A HREF="#Limits">Limits</A> section of this guide and slapd-config(5) for more details.</P>
 <H4><A NAME="olcUpdateref: &lt;URL&gt;">5.2.5.10. olcUpdateref: &lt;URL&gt;</A></H4>
 <P>This directive is only applicable in a slave slapd. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each <TERM>URL</TERM> is provided.</P>
 <P>Example:</P>
@@ -2104,8 +2139,8 @@
 <P>If this setting is changed while slapd is running, an internal task will be run to generate the changed index data. All server operations can continue as normal while the indexer does its work.  If slapd is stopped before the index task completes, indexing will have to be manually completed using the slapindex tool.</P>
 <H4><A NAME="olcDbLinearIndex: { TRUE | FALSE }">5.2.6.8. olcDbLinearIndex: { TRUE | FALSE }</A></H4>
 <P>If this setting is <TT>TRUE</TT> slapindex will index one attribute at a time. The default settings is <TT>FALSE</TT> in which case all indexed attributes of an entry are processed at the same time. When enabled, each indexed attribute is processed individually, using multiple passes through the entire database. This option improves slapindex performance when the database size exceeds the BDB cache size. When the BDB cache is large enough, this option is not needed and will decrease performance. Also by default, slapadd performs full indexing and so a separate slapindex run is not needed. With this option, slapadd does no indexing and slapindex must be used.</P>
-<H4><A NAME="olcDbMode: &lt;integer&gt;">5.2.6.9. olcDbMode: &lt;integer&gt;</A></H4>
-<P>This directive specifies the file protection mode that newly created database index files should have.</P>
+<H4><A NAME="olcDbMode: { &lt;octal&gt; | &lt;symbolic&gt; }">5.2.6.9. olcDbMode: { &lt;octal&gt; | &lt;symbolic&gt; }</A></H4>
+<P>This directive specifies the file protection mode that newly created database index files should have. This can be in the form <TT>0600</TT> or <TT>-rw-------</TT></P>
 <P>Default:</P>
 <PRE>
         olcDbMode: 0600
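Review bot: the added sentence "This can be in the form 0600 or -rw-------" ends without a full stop and does not say that the two forms shown denote the same mode. Since the heading now advertises { &lt;octal&gt; | &lt;symbolic&gt; }, state explicitly that the symbolic example is the equivalent of the octal default shown below, so a reader does not take them for two different settings.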
@@ -2146,7 +2181,7 @@
 <P>An alternate configuration file location can be specified via a command-line option to <EM>slapd</EM>(8). This chapter describes the general format of the <EM>slapd.conf</EM>(5) configuration file, followed by a detailed description of commonly used config file directives.</P>
 <H2><A NAME="Configuration File Format">6.1. Configuration File Format</A></H2>
 <P>The <EM>slapd.conf</EM>(5) file consists of three types of configuration information: global, backend specific, and database specific.  Global information is specified first, followed by information associated with a particular backend type, which is then followed by information associated with a particular database instance.  Global directives can be overridden in backend and/or database directives, and backend directives can be overridden by database directives.</P>
-<P>Blank lines and comment lines beginning with a '<TT>#</TT>' character are ignored.  If a line begins with white space, it is considered a continuation of the previous line (even if the previous line is a comment).</P>
+<P>Blank lines and comment lines beginning with a '<TT>#</TT>' character are ignored.  If a line begins with whitespace, it is considered a continuation of the previous line (even if the previous line is a comment).</P>
 <P>The general format of slapd.conf is as follows:</P>
 <PRE>
         # global configuration directives
@@ -2171,7 +2206,7 @@
         # subsequent backend &amp; database definitions &amp; config directives
         ...
 </PRE>
-<P>A configuration directive may take arguments.  If so, they are separated by white space.  If an argument contains white space, the argument should be enclosed in double quotes <TT>&quot;like this&quot;</TT>. If an argument contains a double quote or a backslash character `<TT>\</TT>', the character should be preceded by a backslash character `<TT>\</TT>'.</P>
+<P>A configuration directive may take arguments.  If so, they are separated by whitespace.  If an argument contains whitespace, the argument should be enclosed in double quotes <TT>&quot;like this&quot;</TT>. If an argument contains a double quote or a backslash character `<TT>\</TT>', the character should be preceded by a backslash character `<TT>\</TT>'.</P>
 <P>The distribution contains an example configuration file that will be installed in the <TT>/usr/local/etc/openldap</TT> directory. A number of files containing schema definitions (attribute types and object classes) are also provided in the <TT>/usr/local/etc/openldap/schema</TT> directory.</P>
 <H2><A NAME="Configuration File Directives">6.2. Configuration File Directives</A></H2>
 <P>This section details commonly used configuration directives.  For a complete list, see the <EM>slapd.conf</EM>(5) manual page.  This section separates the configuration file directives into global, backend-specific and data-specific categories, describing each directive and its default value (if any), and giving an example of its use.</P>
@@ -2192,7 +2227,7 @@
 <STRONG>Note: </STRONG>You should be careful when using this directive - there is no small limit on the number of nested include directives, and no loop detection is done.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <H4><A NAME="loglevel &lt;integer&gt;">6.2.1.5. loglevel &lt;integer&gt;</A></H4>
-<P>This directive specifies the level at which debugging statements and operation statistics should be syslogged (currently logged to the <EM>syslogd</EM>(8) <TT>LOG_LOCAL4</TT> facility). You must have configured OpenLDAP <TT>--enable-debug</TT> (the default) for this to work (except for the two statistics levels, which are always enabled).  Log levels are additive. To display what numbers correspond to what kind of debugging, invoke slapd with <TT>-?</TT> or consult the table below. The possible values for &lt;integer&gt; are:</P>
+<P>This directive specifies the level at which debugging statements and operation statistics should be syslogged (currently logged to the <EM>syslogd</EM>(8) <TT>LOG_LOCAL4</TT> facility). You must have configured OpenLDAP <TT>--enable-debug</TT> (the default) for this to work (except for the two statistics levels, which are always enabled). Log levels may be specified as integers or by keyword. Multiple log levels may be used and the levels are additive. To display what numbers correspond to what kind of debugging, invoke slapd with <TT>-d?</TT> or consult the table below. The possible values for &lt;integer&gt; are:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.1: Debugging Levels</CAPTION>
 <TR CLASS="heading">
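Review bot: the rewritten paragraph now says "Log levels may be specified as integers or by keyword", but the heading in the context line above is still "loglevel &lt;integer&gt;" and the paragraph itself ends with "The possible values for &lt;integer&gt; are:". The cn=config counterpart in section 5.2.1.2 uses &lt;level&gt; for both; the heading, its anchor name and the closing sentence here should be changed to match.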
@@ -2200,6 +2235,9 @@
 <STRONG>Level</STRONG>
 </TD>
 <TD ALIGN='Left'>
+<STRONG>Keyword</STRONG>
+</TD>
+<TD>
 <STRONG>Description</STRONG>
 </TD>
 </TR>
@@ -2208,6 +2246,9 @@
 -1
 </TD>
 <TD ALIGN='Left'>
+any
+</TD>
+<TD>
 enable all debugging
 </TD>
 </TR>
@@ -2216,6 +2257,9 @@
 0
 </TD>
 <TD ALIGN='Left'>
+&nbsp;
+</TD>
+<TD>
 no debugging
 </TD>
 </TR>
@@ -2224,6 +2268,9 @@
 1
 </TD>
 <TD ALIGN='Left'>
+(0x1 trace)
+</TD>
+<TD>
 trace function calls
 </TD>
 </TR>
@@ -2232,6 +2279,9 @@
 2
 </TD>
 <TD ALIGN='Left'>
+(0x2 packets)
+</TD>
+<TD>
 debug packet handling
 </TD>
 </TR>
@@ -2240,6 +2290,9 @@
 4
 </TD>
 <TD ALIGN='Left'>
+(0x4 args)
+</TD>
+<TD>
 heavy trace debugging
 </TD>
 </TR>
@@ -2248,6 +2301,9 @@
 8
 </TD>
 <TD ALIGN='Left'>
+(0x8 conns)
+</TD>
+<TD>
 connection management
 </TD>
 </TR>
@@ -2256,6 +2312,9 @@
 16
 </TD>
 <TD ALIGN='Left'>
+(0x10 BER)
+</TD>
+<TD>
 print out packets sent and received
 </TD>
 </TR>
@@ -2264,6 +2323,9 @@
 32
 </TD>
 <TD ALIGN='Left'>
+(0x20 filter)
+</TD>
+<TD>
 search filter processing
 </TD>
 </TR>
@@ -2272,14 +2334,20 @@
 64
 </TD>
 <TD ALIGN='Left'>
-configuration file processing
+(0x40 config)
 </TD>
+<TD>
+configuration processing
+</TD>
 </TR>
 <TR>
 <TD ALIGN='Right'>
 128
 </TD>
 <TD ALIGN='Left'>
+(0x80 ACL)
+</TD>
+<TD>
 access control list processing
 </TD>
 </TR>
@@ -2288,6 +2356,9 @@
 256
 </TD>
 <TD ALIGN='Left'>
+(0x100 stats)
+</TD>
+<TD>
 stats log connections/operations/results
 </TD>
 </TR>
@@ -2296,6 +2367,9 @@
 512
 </TD>
 <TD ALIGN='Left'>
+(0x200 stats2)
+</TD>
+<TD>
 stats log entries sent
 </TD>
 </TR>
@@ -2304,6 +2378,9 @@
 1024
 </TD>
 <TD ALIGN='Left'>
+(0x400 shell)
+</TD>
+<TD>
 print communication with shell backends
 </TD>
 </TR>
@@ -2312,20 +2389,63 @@
 2048
 </TD>
 <TD ALIGN='Left'>
+(0x800 parse)
+</TD>
+<TD>
 print entry parsing debugging
 </TD>
 </TR>
+<TR>
+<TD ALIGN='Right'>
+16384
+</TD>
+<TD ALIGN='Left'>
+(0x4000 sync)
+</TD>
+<TD>
+syncrepl consumer processing
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+32768
+</TD>
+<TD ALIGN='Left'>
+(0x8000 none)
+</TD>
+<TD>
+only messages that get logged whatever log level is set
+</TD>
+</TR>
 </TABLE>
 
-<P>Example:</P>
+<P>The desired log level can be input as a single integer that combines the (ORed) desired levels, both in decimal or in hexadecimal notation, as a list of integers (that are ORed internally), or as a list of the names that are shown between brackets, such that</P>
 <PRE>
+                loglevel 129
+                loglevel 0x81
+                loglevel 128 1
+                loglevel 0x80 0x1
+                loglevel acl trace
+</PRE>
+<P>are equivalent.</P>
+<P>Examples:</P>
+<PRE>
  loglevel -1
 </PRE>
 <P>This will cause lots and lots of debugging information to be logged.</P>
+<PRE>
+ loglevel conns filter
+</PRE>
+<P>Just log the connection and search filter processing.</P>
+<PRE>
+ loglevel none
+</PRE>
+<P>Log those messages that are logged regardless of the configured loglevel. This differs from setting the log level to 0, when no logging occurs. At least the <TT>None</TT> level is required to have high priority messages logged.</P>
 <P>Default:</P>
 <PRE>
- loglevel 256
+ loglevel stats
 </PRE>
+<P>Basic stats logging is configured by default. However, if no loglevel is defined, no logging occurs (equivalent to a 0 level).</P>
 <H4><A NAME="objectclass &lt;{{REF:RFC4512}} Object Class Description&gt;"> </A>6.2.1.6. objectclass &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Object Class Description&gt;</H4>
 <P>This directive defines an object class. Please see the <A HREF="#Schema Specification">Schema Specification</A> chapter for information regarding how to use this directive.</P>
 <H4><A NAME="referral &lt;URI&gt;">6.2.1.7. referral &lt;URI&gt;</A></H4>
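Review bot: under "Default:" the example is changed to "loglevel stats", yet the sentence added right after it says "if no loglevel is defined, no logging occurs (equivalent to a 0 level)". Those two statements read as contradictory: a reader cannot tell whether an unconfigured server logs at stats or at 0. Please reword so it is clear which of the two is the effective default. Minor points in the same hunk: the keyword is written "none" in the table and in the example but "None" in the explanatory paragraph, and "the names that are shown between brackets" refers to cells that use parentheses.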
@@ -2341,12 +2461,14 @@
 <PRE>
         sizelimit 500
 </PRE>
+<P>See the <A HREF="#Limits">Limits</A> section of this guide and slapd.conf(5) for more details.</P>
 <H4><A NAME="timelimit &lt;integer&gt;">6.2.1.9. timelimit &lt;integer&gt;</A></H4>
 <P>This directive specifies the maximum number of seconds (in real time) slapd will spend answering a search request. If a request is not finished in this time, a result indicating an exceeded timelimit will be returned.</P>
 <P>Default:</P>
 <PRE>
         timelimit 3600
 </PRE>
+<P>See the <A HREF="#Limits">Limits</A> section of this guide and slapd.conf(5) for more details.</P>
 <H3><A NAME="General Backend Directives">6.2.2. General Backend Directives</A></H3>
 <P>Directives in this section apply only to the backend in which they are defined. They are supported by every type of backend. Backend directives apply to all databases instances of the same type and, depending on the directive, may be overridden by database directives.</P>
 <H4><A NAME="backend &lt;type&gt;">6.2.2.1. backend &lt;type&gt;</A></H4>
@@ -2457,13 +2579,16 @@
         database bdb
 </PRE>
 <P>This marks the beginning of a new <TERM>BDB</TERM> database instance declaration.</P>
-<H4><A NAME="readonly { on | off }">6.2.3.2. readonly { on | off }</A></H4>
+<H4><A NAME="limits &lt;who&gt; &lt;limit&gt; [&lt;limit&gt; [...]]">6.2.3.2. limits &lt;who&gt; &lt;limit&gt; [&lt;limit&gt; [...]]</A></H4>
+<P>Specify time and size limits based on who initiated an operation.</P>
+<P>See the <A HREF="#Limits">Limits</A> section of this guide and slapd.conf(5) for more details.</P>
+<H4><A NAME="readonly { on | off }">6.2.3.3. readonly { on | off }</A></H4>
 <P>This directive puts the database into &quot;read-only&quot; mode. Any attempts to modify the database will return an &quot;unwilling to perform&quot; error.</P>
 <P>Default:</P>
 <PRE>
         readonly off
 </PRE>
-<H4><A NAME="rootdn &lt;DN&gt;">6.2.3.3. rootdn &lt;DN&gt;</A></H4>
+<H4><A NAME="rootdn &lt;DN&gt;">6.2.3.4. rootdn &lt;DN&gt;</A></H4>
 <P>This directive specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database.  The DN need not refer to an entry in this database or even in the directory. The DN may refer to a SASL identity.</P>
 <P>Entry-based Example:</P>
 <PRE>
@@ -2474,7 +2599,7 @@
         rootdn &quot;uid=root,cn=example.com,cn=digest-md5,cn=auth&quot;
 </PRE>
 <P>See the <A HREF="#SASL Authentication">SASL Authentication</A> section for information on SASL authentication identities.</P>
-<H4><A NAME="rootpw &lt;password&gt;">6.2.3.4. rootpw &lt;password&gt;</A></H4>
+<H4><A NAME="rootpw &lt;password&gt;">6.2.3.5. rootpw &lt;password&gt;</A></H4>
 <P>This directive can be used to specifies a password for the DN for the rootdn (when the rootdn is set to a DN within the database).</P>
 <P>Example:</P>
 <PRE>
@@ -2486,7 +2611,7 @@
         rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QN
 </PRE>
 <P>The hash was generated using the command <TT>slappasswd -s secret</TT>.</P>
-<H4><A NAME="suffix &lt;dn suffix&gt;">6.2.3.5. suffix &lt;dn suffix&gt;</A></H4>
+<H4><A NAME="suffix &lt;dn suffix&gt;">6.2.3.6. suffix &lt;dn suffix&gt;</A></H4>
 <P>This directive specifies the DN suffix of queries that will be passed to this backend database. Multiple suffix lines can be given, and at least one is required for each database definition.</P>
 <P>Example:</P>
 <PRE>
@@ -2496,7 +2621,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>When the backend to pass a query to is selected, slapd looks at the suffix line(s) in each database definition in the order they appear in the file. Thus, if one database suffix is a prefix of another, it must appear after it in the config file.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H4><A NAME="syncrepl">6.2.3.6. syncrepl</A></H4>
+<H4><A NAME="syncrepl">6.2.3.7. syncrepl</A></H4>
 <PRE>
         syncrepl rid=&lt;replica ID&gt;
                 provider=ldap[s]://&lt;hostname&gt;[:port]
@@ -2547,7 +2672,7 @@
 <P>Rather than replicating whole entries, the consumer can query logs of data modifications.  This mode of operation is referred to as <EM>delta syncrepl</EM>.  In addition to the above parameters, the <TT>logbase</TT> and <TT>logfilter</TT> parameters must be set appropriately for the log that will be used. The <TT>syncdata</TT> parameter must be set to either <TT>&quot;accesslog&quot;</TT> if the log conforms to the <EM>slapo-accesslog</EM>(5) log format, or <TT>&quot;changelog&quot;</TT> if the log conforms to the obsolete <EM>changelog</EM> format. If the <TT>syncdata</TT> parameter is omitted or set to <TT>&quot;default&quot;</TT> then the log parameters are ignored.</P>
 <P>The <EM>syncrepl</EM> replication mechanism is supported by the <EM>bdb</EM> and <EM>hdb</EM> backends.</P>
 <P>See the <A HREF="#LDAP Sync Replication">LDAP Sync Replication</A> chapter of this guide for more information on how to use this directive.</P>
-<H4><A NAME="updateref &lt;URL&gt;">6.2.3.7. updateref &lt;URL&gt;</A></H4>
+<H4><A NAME="updateref &lt;URL&gt;">6.2.3.8. updateref &lt;URL&gt;</A></H4>
 <P>This directive is only applicable in a <EM>slave</EM> (or <EM>shadow</EM>) <EM>slapd</EM>(8) instance. It specifies the URL to return to clients which submit update requests upon the replica. If specified multiple times, each <TERM>URL</TERM> is provided.</P>
 <P>Example:</P>
 <PRE>
@@ -2563,14 +2688,263 @@
 </PRE>
 <P></P>
 <HR>
-<H1><A NAME="Access Control">7. Access Control</A></H1>
-<H2><A NAME="Introduction">7.1. Introduction</A></H2>
+<H1><A NAME="Running slapd">7. Running slapd</A></H1>
+<P><EM>slapd</EM>(8) is designed to be run as a standalone service.  This allows the server to take advantage of caching, manage concurrency issues with underlying databases, and conserve system resources. Running from <EM>inetd</EM>(8) is <EM>NOT</EM> an option.</P>
+<H2><A NAME="Command-Line Options">7.1. Command-Line Options</A></H2>
+<P><EM>slapd</EM>(8) supports a number of command-line options as detailed in the manual page.  This section details a few commonly used options.</P>
+<PRE>
+        -f &lt;filename&gt;
+</PRE>
+<P>This option specifies an alternate configuration file for slapd. The default is normally <TT>/usr/local/etc/openldap/slapd.conf</TT>.</P>
+<PRE>
+        -F &lt;slapd-config-directory&gt;
+</PRE>
+<P>Specifies the slapd configuration directory. The default is <TT>/usr/local/etc/openldap/slapd.d</TT>.</P>
+<P>If both <TT>-f</TT> and <TT>-F</TT> are specified, the config file will be read and converted to config directory format and written to the specified directory. If neither option is specified, slapd will attempt to read the default config directory before trying to use the default config file. If a valid config directory exists then the default config file is ignored. All of the slap tools that use the config options observe this same behavior.</P>
+<PRE>
+        -h &lt;URLs&gt;
+</PRE>
+<P>This option specifies alternative listener configurations.  The default is <TT>ldap:///</TT> which implies <TERM>LDAP</TERM> over <TERM>TCP</TERM> on all interfaces on the default LDAP port 389.  You can specify specific host-port pairs or other protocol schemes (such as <TT>ldaps://</TT> or <TT>ldapi://</TT>).  For example, <TT>-h &quot;ldaps:// ldap://127.0.0.1:666&quot;</TT> will create two listeners: one for the (non-standard) <TT>ldaps://</TT> scheme on all interfaces on the default <TT>ldaps://</TT> port 636, and one for the standard <TT>ldap://</TT> scheme on the <TT>localhost</TT> (<EM>loopback</EM>) interface on port 666.  Hosts may be specified using using hostnames or <TERM>IPv4</TERM> or <TERM>IPv6</TERM> addresses.  Port values must be numeric.</P>
+<PRE>
+        -n &lt;service-name&gt;
+</PRE>
+<P>This option specifies the service name used for logging and other purposes. The default service name is <TT>slapd</TT>.</P>
+<PRE>
+        -l &lt;syslog-local-user&gt;
+</PRE>
+<P>This option specifies the local user for the <EM>syslog</EM>(8) facility.  Values can be <TT>LOCAL0</TT>, <TT>LOCAL1</TT>, <TT>LOCAL2</TT>, ..., and <TT>LOCAL7</TT>.  The default is <TT>LOCAL4</TT>.  This option may not be supported on all systems.</P>
+<PRE>
+        -u user -g group
+</PRE>
+<P>These options specify the user and group, respectively, to run as.  <TT>user</TT> can be either a user name or uid.  <TT>group</TT> can be either a group name or gid.</P>
+<PRE>
+        -r directory
+</PRE>
+<P>This option specifies a run-time directory.  slapd will <EM>chroot</EM>(2) to this directory after opening listeners but before reading any configuration files or initializing any backends.</P>
+<UL>
+</UL>
+<PRE>
+        -d &lt;level&gt; | ?
+</PRE>
+<P>This option sets the slapd debug level to &lt;level&gt;. When level is a `?' character, the various debugging levels are printed and slapd exits, regardless of any other options you give it. Current debugging levels are</P>
+<TABLE CLASS="columns" BORDER ALIGN='Center'>
+<CAPTION ALIGN=top>Table 7.1: Debugging Levels</CAPTION>
+<TR CLASS="heading">
+<TD ALIGN='Right'>
+<STRONG>Level</STRONG>
+</TD>
+<TD ALIGN='Left'>
+<STRONG>Keyword</STRONG>
+</TD>
+<TD>
+<STRONG>Description</STRONG>
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+-1
+</TD>
+<TD ALIGN='Left'>
+any
+</TD>
+<TD>
+enable all debugging
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+0
+</TD>
+<TD ALIGN='Left'>
+&nbsp;
+</TD>
+<TD>
+no debugging
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+1
+</TD>
+<TD ALIGN='Left'>
+(0x1 trace)
+</TD>
+<TD>
+trace function calls
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+2
+</TD>
+<TD ALIGN='Left'>
+(0x2 packets)
+</TD>
+<TD>
+debug packet handling
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+4
+</TD>
+<TD ALIGN='Left'>
+(0x4 args)
+</TD>
+<TD>
+heavy trace debugging
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+8
+</TD>
+<TD ALIGN='Left'>
+(0x8 conns)
+</TD>
+<TD>
+connection management
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+16
+</TD>
+<TD ALIGN='Left'>
+(0x10 BER)
+</TD>
+<TD>
+print out packets sent and received
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+32
+</TD>
+<TD ALIGN='Left'>
+(0x20 filter)
+</TD>
+<TD>
+search filter processing
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+64
+</TD>
+<TD ALIGN='Left'>
+(0x40 config)
+</TD>
+<TD>
+configuration processing
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+128
+</TD>
+<TD ALIGN='Left'>
+(0x80 ACL)
+</TD>
+<TD>
+access control list processing
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+256
+</TD>
+<TD ALIGN='Left'>
+(0x100 stats)
+</TD>
+<TD>
+stats log connections/operations/results
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+512
+</TD>
+<TD ALIGN='Left'>
+(0x200 stats2)
+</TD>
+<TD>
+stats log entries sent
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+1024
+</TD>
+<TD ALIGN='Left'>
+(0x400 shell)
+</TD>
+<TD>
+print communication with shell backends
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+2048
+</TD>
+<TD ALIGN='Left'>
+(0x800 parse)
+</TD>
+<TD>
+print entry parsing debugging
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+16384
+</TD>
+<TD ALIGN='Left'>
+(0x4000 sync)
+</TD>
+<TD>
+syncrepl consumer processing
+</TD>
+</TR>
+<TR>
+<TD ALIGN='Right'>
+32768
+</TD>
+<TD ALIGN='Left'>
+(0x8000 none)
+</TD>
+<TD>
+only messages that get logged whatever log level is set
+</TD>
+</TR>
+</TABLE>
+
+<P>You may enable multiple levels by specifying the debug option once for each desired level.  Or, since debugging levels are additive, you can do the math yourself. That is, if you want to trace function calls and watch the config file being processed, you could set level to the sum of those two levels (in this case, <TT> -d 65</TT>).  Or, you can let slapd do the math, (e.g. <TT> -d 1 -d 64</TT>).  Consult <TT>&lt;ldap_log.h&gt;</TT> for more details.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>slapd must have been compiled with <TT>--enable-debug</TT> defined for any debugging information beyond the two stats levels to be available (the default).
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H2><A NAME="Starting slapd">7.2. Starting slapd</A></H2>
+<P>In general, slapd is run like this:</P>
+<PRE>
+        /usr/local/libexec/slapd [&lt;option&gt;]*
+</PRE>
+<P>where <TT>/usr/local/libexec</TT> is determined by <TT>configure</TT> and &lt;option&gt; is one of the options described above (or in <EM>slapd</EM>(8)). Unless you have specified a debugging level (including level <TT>0</TT>), slapd will automatically fork and detach itself from its controlling terminal and run in the background.</P>
+<H2><A NAME="Stopping slapd">7.3. Stopping slapd</A></H2>
+<P>To kill off <EM>slapd</EM>(8) safely, you should give a command like this</P>
+<PRE>
+        kill -INT `cat /usr/local/var/slapd.pid`
+</PRE>
+<P>where <TT>/usr/local/var</TT> is determined by <TT>configure</TT>.</P>
+<P>Killing slapd by a more drastic method may cause information loss or database corruption.</P>
+<P></P>
+<HR>
+<H1><A NAME="Access Control">8. Access Control</A></H1>
+<H2><A NAME="Introduction">8.1. Introduction</A></H2>
 <P>As the directory gets populated with more and more data of varying sensitivity, controlling the kinds of access granted to the directory becomes more and more critical. For instance, the directory may contain data of a confidential nature that you may need to protect by contract or by law. Or, if using the directory to control access to other services, inappropriate access to the directory may create avenues of attack to your sites security that result in devastating damage to your assets.</P>
 <P>Access to your directory can be configured via two methods, the first using <A HREF="#The slapd Configuration File">The slapd Configuration File</A> and the second using the <EM>slapd-config</EM>(5) format (<A HREF="#Configuring slapd">Configuring slapd</A>).</P>
 <P>The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the <EM>rootdn</EM> is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.</P>
 <P>As a consequence, it's useless (and results in a performance penalty) to explicitly list the <EM>rootdn</EM> among the <EM>&lt;by&gt;</EM> clauses.</P>
 <P>The following sections will describe Access Control Lists in more details and follow with some examples and recommendations.</P>
-<H2><A NAME="Access Control via Static Configuration">7.2. Access Control via Static Configuration</A></H2>
+<H2><A NAME="Access Control via Static Configuration">8.2. Access Control via Static Configuration</A></H2>
 <P>Access to entries and attributes is controlled by the access configuration file directive. The general form of an access line is:</P>
 <PRE>
     &lt;access directive&gt; ::= access to &lt;what&gt;
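Review bot: in the new "Command-Line Options" section, the "-r directory" paragraph says slapd will chroot(2) "before reading any configuration files or initializing any backends", but the "-f" and "-F" paragraphs above it give absolute default paths without saying how they relate to the new root. Add a sentence stating that the configuration file or directory must therefore be reachable inside the run-time directory, and consider cross-referencing "-u user -g group", since the three options are normally used together. Two smaller items in the same hunk: the "-h" paragraph contains "Hosts may be specified using using hostnames", and there is an empty "&lt;UL&gt;" / "&lt;/UL&gt;" pair directly after the "-r" paragraph that should either be filled or removed.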
@@ -2598,7 +2972,7 @@
     &lt;control&gt; ::= [stop | continue | break]
 </PRE>
 <P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">7.2.1. What to control access to</A></H3>
+<H3><A NAME="What to control access to">8.2.1. What to control access to</A></H3>
 <P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
 <PRE>
     to *
@@ -2647,7 +3021,7 @@
 </PRE>
 <P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To perform a search, the subject must have <TT>search</TT> access to the search base's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
 <P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">7.2.2. Who to grant access to</A></H3>
+<H3><A NAME="Who to grant access to">8.2.2. Who to grant access to</A></H3>
 <P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.3: Access Entity Specifiers</CAPTION>
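Review bot: the caption in the context still reads "Table 6.3" although the enclosing section is renumbered to 8.2.2 in this hunk, so the table numbering no longer follows the chapter. If the caption number is hard-coded in the guide source rather than generated, update it in the same commit as the heading renumbering.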
@@ -2716,7 +3090,7 @@
 </PRE>
 <P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
 <P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">7.2.3. The access to grant</A></H3>
+<H3><A NAME="The access to grant">8.2.3. The access to grant</A></H3>
 <P>The kind of &lt;access&gt; granted can be one of the following:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 6.4: Access Levels</CAPTION>
@@ -2822,12 +3196,13 @@
 </TABLE>
 
 <P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">7.2.4. Access Control Evaluation</A></H3>
-<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration file. For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives.  Within this priority, access directives are examined in the order in which they appear in the config file.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
+<H3><A NAME="Access Control Evaluation">8.2.4. Access Control Evaluation</A></H3>
+<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration file. For each entry, access controls provided in the database which holds the entry (or the global access directives if not held in any database) apply first, followed by the global access directives. However, when dealing with an access list, because the global access list is effectively appended to each per-database list, if the resulting list is non-empty then the access list will end with an implicit <TT>access to * by * none</TT> directive. If there are no access directives applicable to a backend, then a default read is used.</P>
+<P>Within this priority, access directives are examined in the order in which they appear in the config file.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
 <P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
 <P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
 <P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the config file. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">7.2.5. Access Control Examples</A></H3>
+<H3><A NAME="Access Control Examples">8.2.5. Access Control Examples</A></H3>
 <P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
 <P>A simple example:</P>
 <PRE>
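Review bot: the rewritten first paragraph of 8.2.4 names the global list twice for entries not held in any database: "(or the global access directives if not held in any database) apply first, followed by the global access directives". Suggest saying that such entries are governed by the global directives alone. The closing sentence, "If there are no access directives applicable to a backend, then a default read is used", is the security-relevant part of this change, because that case falls back to read rather than deny; it deserves its own Note block instead of the tail of a paragraph that opens with "However".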
@@ -2857,7 +3232,7 @@
          by * read
 </PRE>
 <P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
-<P>Also note that if no <TT>access to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>access to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>access to * by * none</TT> directive.</P>
+<P>Also note that if no <TT>access to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>access to</TT> directive ends with an implicit <TT>by * none</TT> clause. When dealing with an access list, because the global access list is effectively appended to each per-database list, if the resulting list is non-empty then the access list will end with an implicit <TT>access to * by * none</TT> directive. If there are no access directives applicable to a backend, then a default read is used.</P>
 <P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
 <PRE>
     access to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
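Review bot: the added text leaves the bold "access is denied" unqualified and then states, two sentences later, that a backend with no applicable access directives gets a default read; a reader who stops at the bold text will assume deny-by-default in every case. Suggest scoping the bold statement to a non-empty access list. The two added sentences are also a verbatim copy of the ones added to 8.2.4, so a cross-reference to that section would keep the two copies from drifting apart.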
@@ -2876,7 +3251,7 @@
          by dnattr=member selfwrite
 </PRE>
 <P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H3><A NAME="Configuration File Example">7.2.6. Configuration File Example</A></H3>
+<H3><A NAME="Configuration File Example">8.2.6. Configuration File Example</A></H3>
 <P>The following is an example configuration file, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
 <PRE>
   1.    # example config file - global configuration section
@@ -2912,7 +3287,7 @@
 <P>Line 5 is a comment. The start of the database definition is marked by the database keyword on line 6. Line 7 specifies the DN suffix for queries to pass to this database. Line 8 specifies the directory in which the database files will live.</P>
 <P>Lines 9 and 10 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
 <P>Lines 12 through 14 indicate the indices to maintain for various attributes.</P>
-<P>Lines 16 through 24 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
+<P>Lines 16 through 24 specify access control for entries in this database. For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
 <P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 39, the read access would be allowed due to the global access rule at line 4.</P>
 <PRE>
  33.    # BDB definition for example.net
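Review bot: with "As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE)" removed from the description of lines 16 through 24, the walkthrough no longer says which rules cover the Root DSE. Per the revised 8.2.4 text that is the global access directives, so a short pointer to the global access rule at line 4 (already mentioned in the following paragraph) would close the gap.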
@@ -2923,7 +3298,7 @@
  38.    index objectClass eq
  39.    access to * by users read
 </PRE>
-<H2><A NAME="Access Control via Dynamic Configuration">7.3. Access Control via Dynamic Configuration</A></H2>
+<H2><A NAME="Access Control via Dynamic Configuration">8.3. Access Control via Dynamic Configuration</A></H2>
 <P>Access to slapd entries and attributes is controlled by the olcAccess attribute, whose values are a sequence of access directives. The general form of the olcAccess configuration is:</P>
 <PRE>
     olcAccess: &lt;access directive&gt;
@@ -2952,7 +3327,7 @@
     &lt;control&gt; ::= [stop | continue | break]
 </PRE>
 <P>where the &lt;what&gt; part selects the entries and/or attributes to which the access applies, the <TT>&lt;who&gt;</TT> part specifies which entities are granted access, and the <TT>&lt;access&gt;</TT> part specifies the access granted. Multiple <TT>&lt;who&gt; &lt;access&gt; &lt;control&gt;</TT> triplets are supported, allowing many entities to be granted different access to the same set of entries and attributes. Not all of these access control options are described here; for more details see the <EM>slapd.access</EM>(5) man page.</P>
-<H3><A NAME="What to control access to">7.3.1. What to control access to</A></H3>
+<H3><A NAME="What to control access to">8.3.1. What to control access to</A></H3>
 <P>The &lt;what&gt; part of an access specification determines the entries and attributes to which the access control applies.  Entries are commonly selected in two ways: by DN and by filter.  The following qualifiers select entries by DN:</P>
 <PRE>
     to *
@@ -3001,7 +3376,7 @@
 </PRE>
 <P>There are two special <EM>pseudo</EM> attributes <TT>entry</TT> and <TT>children</TT>.  To read (and hence return) a target entry, the subject must have <TT>read</TT> access to the target's <EM>entry</EM> attribute.  To perform a search, the subject must have <TT>search</TT> access to the search base's <EM>entry</EM> attribute. To add or delete an entry, the subject must have <TT>write</TT> access to the entry's <TT>entry</TT> attribute AND must have <TT>write</TT> access to the entry's parent's <TT>children</TT> attribute.  To rename an entry, the subject must have <TT>write</TT> access to entry's <TT>entry</TT> attribute AND have <TT>write</TT> access to both the old parent's and new parent's <TT>children</TT> attributes.  The complete examples at the end of this section should help clear things up.</P>
 <P>Lastly, there is a special entry selector <TT>&quot;*&quot;</TT> that is used to select any entry.  It is used when no other <TT>&lt;what&gt;</TT> selector has been provided.  It's equivalent to &quot;<TT>dn=.*</TT>&quot;</P>
-<H3><A NAME="Who to grant access to">7.3.2. Who to grant access to</A></H3>
+<H3><A NAME="Who to grant access to">8.3.2. Who to grant access to</A></H3>
 <P>The &lt;who&gt; part identifies the entity or entities being granted access. Note that access is granted to &quot;entities&quot; not &quot;entries.&quot; The following table summarizes entity specifiers:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 5.3: Access Entity Specifiers</CAPTION>
@@ -3070,7 +3445,7 @@
 </PRE>
 <P>The dnattr specification is used to give access to an entry whose DN is listed in an attribute of the entry (e.g., give access to a group entry to whoever is listed as the owner of the group entry).</P>
 <P>Some factors may not be appropriate in all environments (or any). For example, the domain factor relies on IP to domain name lookups. As these can easily be spoofed, the domain factor should be avoided.</P>
-<H3><A NAME="The access to grant">7.3.3. The access to grant</A></H3>
+<H3><A NAME="The access to grant">8.3.3. The access to grant</A></H3>
 <P>The kind of &lt;access&gt; granted can be one of the following:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 5.4: Access Levels</CAPTION>
@@ -3176,12 +3551,13 @@
 </TABLE>
 
 <P>Each level implies all lower levels of access. So, for example, granting someone <TT>write</TT> access to an entry also grants them <TT>read</TT>, <TT>search</TT>, <TT>compare</TT>, <TT>auth</TT> and <TT>disclose</TT> access.  However, one may use the privileges specifier to grant specific permissions.</P>
-<H3><A NAME="Access Control Evaluation">7.3.4. Access Control Evaluation</A></H3>
-<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition).  Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
+<H3><A NAME="Access Control Evaluation">8.3.4. Access Control Evaluation</A></H3>
+<P>When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute to the <TT>&lt;what&gt;</TT> selectors given in the configuration.  For each entry, access controls provided in the database which holds the entry (or the global access directives if not held in any database) apply first, followed by the global access directives (which are held in the <TT>frontend</TT> database definition). However, when dealing with an access list, because the global access list is effectively appended to each per-database list, if the resulting list is non-empty then the access list will end with an implicit <TT>access to * by * none</TT> directive. If there are no access directives applicable to a backend, then a default read is used.</P>
+<P>Within this priority, access directives are examined in the order in which they appear in the configuration attribute.  Slapd stops with the first <TT>&lt;what&gt;</TT> selector that matches the entry and/or attribute. The corresponding access directive is the one slapd will use to evaluate access.</P>
 <P>Next, slapd compares the entity requesting access to the <TT>&lt;who&gt;</TT> selectors within the access directive selected above in the order in which they appear. It stops with the first <TT>&lt;who&gt;</TT> selector that matches the requester. This determines the access the entity requesting access has to the entry and/or attribute.</P>
 <P>Finally, slapd compares the access granted in the selected <TT>&lt;access&gt;</TT> clause to the access requested by the client. If it allows greater or equal access, access is granted. Otherwise, access is denied.</P>
 <P>The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the configuration. Similarly, if one <TT>&lt;who&gt;</TT> selector is more specific than another it should come first in the access directive. The access control examples given below should help make this clear.</P>
-<H3><A NAME="Access Control Examples">7.3.5. Access Control Examples</A></H3>
+<H3><A NAME="Access Control Examples">8.3.5. Access Control Examples</A></H3>
 <P>The access control facility described above is quite powerful.  This section shows some examples of its use for descriptive purposes.</P>
 <P>A simple example:</P>
 <PRE>
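Review bot: in this cn=config section the added sentence in 8.3.4 writes the implicit final directive in slapd.conf syntax, "access to * by * none", while the directives in 8.3 are otherwise given in the "olcAccess: to ..." form; use "olcAccess: to * by * none" here. The context paragraph that follows still says "placement in the configuration file", which also reads as slapd.conf wording next to "should appear first in the configuration" in the same paragraph.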
@@ -3211,7 +3587,7 @@
          by * read
 </PRE>
 <P>Read access is granted to entries under the <TT>dc=com</TT> subtree, except for those entries under the <TT>dc=example,dc=com</TT> subtree, to which search access is granted.  No access is granted to <TT>dc=com</TT> as neither access directive matches this DN.  If the order of these access directives was reversed, the trailing directive would never be reached, since all entries under <TT>dc=example,dc=com</TT> are also under <TT>dc=com</TT> entries.</P>
-<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  That is, every <TT>olcAccess: to</TT> directive ends with an implicit <TT>by * none</TT> clause and every access list ends with an implicit <TT>olcAccess: to * by * none</TT> directive.</P>
+<P>Also note that if no <TT>olcAccess: to</TT> directive matches or no <TT>by &lt;who&gt;</TT> clause, <B>access is denied</B>.  When dealing with an access list, because the global access list is effectively appended to each per-database list, if the resulting list is non-empty then the access list will end with an implicit <TT>access to * by * none</TT> directive. If there are no access directives applicable to a backend, then a default read is used.</P>
 <P>The next example again shows the importance of ordering, both of the access directives and the <TT>by &lt;who&gt;</TT> clauses.  It also shows the use of an attribute selector to grant access to a specific attribute and various <TT>&lt;who&gt;</TT> selectors.</P>
 <PRE>
     olcAccess: to dn.subtree=&quot;dc=example,dc=com&quot; attrs=homePhone
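Review bot: the replacement for the 8.3.5 paragraph drops the sentence stating that every "olcAccess: to" directive ends with an implicit "by * none" clause, whereas the matching slapd.conf paragraph in 8.2.5 keeps it ("That is, every access to directive ends with an implicit by * none clause."). Without it the bold "access is denied" for an unmatched by &lt;who&gt; clause is left unexplained; restore the sentence here. The implicit final directive is also now written as "access to * by * none" where the removed line had "olcAccess: to * by * none".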
@@ -3230,7 +3606,7 @@
          by dnattr=member selfwrite
 </PRE>
 <P>The dnattr <TT>&lt;who&gt;</TT> selector says that the access applies to entries listed in the <TT>member</TT> attribute. The <TT>selfwrite</TT> access selector says that such members can only add or delete their own DN from the attribute, not other values. The addition of the entry attribute is required because access to the entry is required to access any of the entry's attributes.</P>
-<H3><A NAME="Access Control Ordering">7.3.6. Access Control Ordering</A></H3>
+<H3><A NAME="Access Control Ordering">8.3.6. Access Control Ordering</A></H3>
 <P>Since the ordering of <TT>olcAccess</TT> directives is essential to their proper evaluation, but LDAP attributes normally do not preserve the ordering of their values, OpenLDAP uses a custom schema extension to maintain a fixed ordering of these values. This ordering is maintained by prepending a <TT>&quot;{X}&quot;</TT> numeric index to each value, similarly to the approach used for ordering the configuration entries. These index tags are maintained automatically by slapd and do not need to be specified when originally defining the values. For example, when you create the settings</P>
 <PRE>
     olcAccess: to attrs=member,entry
@@ -3280,7 +3656,7 @@
          by * read
 </PRE>
 <P>which is exactly what was intended.</P>
-<H3><A NAME="Configuration Example">7.3.7. Configuration Example</A></H3>
+<H3><A NAME="Configuration Example">8.3.7. Configuration Example</A></H3>
 <P>The following is an example configuration, interspersed with explanatory text. It defines two databases to handle different parts of the <TERM>X.500</TERM> tree; both are <TERM>BDB</TERM> database instances. The line numbers shown are provided for reference only and are not included in the actual file. First, the global configuration section:</P>
 <PRE>
   1.    # example config file - global configuration entry
@@ -3343,7 +3719,7 @@
 <P>Line 21 is a comment. Lines 22-25 identify this entry as a BDB database configuration entry.  Line 26 specifies the DN suffix for queries to pass to this database. Line 27 specifies the directory in which the database files will live.</P>
 <P>Lines 28 and 29 identify the database <EM>super-user</EM> entry and associated password. This entry is not subject to access control or size or time limit restrictions.</P>
 <P>Lines 30 through 32 indicate the indices to maintain for various attributes.</P>
-<P>Lines 33 through 41 specify access control for entries in this database.  As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE).  For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
+<P>Lines 33 through 41 specify access control for entries in this database. For all applicable entries, the <TT>userPassword</TT> attribute is writable by the entry itself and by the &quot;admin&quot; entry.  It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the &quot;admin&quot; entry, but may be read by all users (authenticated or not).</P>
 <P>Line 42 is a blank line, indicating the end of this entry.</P>
 <P>The next section of the example configuration file defines another BDB database. This one handles queries involving the <TT>dc=example,dc=net</TT> subtree but is managed by the same entity as the first database.  Note that without line 52, the read access would be allowed due to the global access rule at line 19.</P>
 <PRE>
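Review bot: the removal of the Root DSE sentence from the description of lines 33 through 41 leaves this walkthrough silent on entries not held in any database. In this format the global directives are held in the frontend database definition (as 8.3.4 states), so name that entry and the global access rule at line 19 as what applies to them.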
@@ -3358,10 +3734,10 @@
  51.    olcDbIndex: objectClass eq
  52.    olcAccess: to * by users read
 </PRE>
-<H3><A NAME="Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">7.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></H3>
+<H3><A NAME="Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format">8.3.8. Converting from <EM>slapd.conf</EM>(5) to a <B>cn=config</B> directory format</A></H3>
 <P>Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)</P>
-<H2><A NAME="Access Control Common Examples">7.4. Access Control Common Examples</A></H2>
-<H3><A NAME="Basic ACLs">7.4.1. Basic ACLs</A></H3>
+<H2><A NAME="Access Control Common Examples">8.4. Access Control Common Examples</A></H2>
+<H3><A NAME="Basic ACLs">8.4.1. Basic ACLs</A></H3>
 <P>Generally one should start with some basic ACLs such as:</P>
 <PRE>
     access to attr=userPassword
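Review bot: the anchor for 8.3.8 is NAME="Converting from {{slapd.conf}}(5) to a {{B:cn=config}} directory format", which carries the unrendered {{...}} source markup into the link target, and the section body is still the stub "Discuss slap* -f slapd.conf -F slapd.d/  (man slapd-config)". Either give the heading a plain anchor name and write the section, or keep it out of the published guide. The Basic ACLs example that follows also uses "attr=userPassword" where the examples in 8.2.5 and 8.3.6 use "attrs=".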
@@ -3377,7 +3753,7 @@
 </PRE>
 <P>The first ACL allows users to update (but not read) their passwords, anonymous users to authenticate against this attribute, and (implicitly) denying all access to others.</P>
 <P>The second ACL allows users full access to their entry, authenticated users read access to anything, and (implicitly) denying all access to others (in this case, anonymous users).</P>
-<H3><A NAME="Matching Anonymous and Authenticated users">7.4.2. Matching Anonymous and Authenticated users</A></H3>
+<H3><A NAME="Matching Anonymous and Authenticated users">8.4.2. Matching Anonymous and Authenticated users</A></H3>
 <P>An anonymous user has a empty DN. While the <EM>dn.exact=&quot;&quot;</EM> or <EM>dn.regex=&quot;^$&quot;</EM> could be used, <EM>slapd</EM>(8)) offers an anonymous shorthand which should be used instead.</P>
 <PRE>
     access to *
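Review bot: the context paragraph under 8.4.2 has two typos worth fixing while the heading is being touched: "a empty DN" should be "an empty DN", and "&lt;EM&gt;slapd&lt;/EM&gt;(8)) offers" has a stray closing parenthesis.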
@@ -3392,7 +3768,7 @@
       by * none
 </PRE>
 <P>This ACL grants read permissions to authenticated users while denying others (i.e.: anonymous users).</P>
-<H3><A NAME="Controlling rootdn access">7.4.3. Controlling rootdn access</A></H3>
+<H3><A NAME="Controlling rootdn access">8.4.3. Controlling rootdn access</A></H3>
 <P>You could specify the <EM>rootdn</EM> in <EM>slapd.conf</EM>(5) or {[slapd.d}} without specifying a <EM>rootpw</EM>. Then you have to add an actual directory entry with the same dn, e.g.:</P>
 <PRE>
     dn: cn=Manager,o=MyOrganization
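Review bot: in the first paragraph of 8.4.3 the markup "{[slapd.d}}" is malformed (it opens with "{[" instead of "{{"), so it is emitted literally instead of being rendered like the neighbouring slapd.conf(5) reference. Fix the source markup so the directory name renders.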
@@ -3411,7 +3787,7 @@
       by * none
 </PRE>
 <P>The ACLs above will only allow binding using rootdn from localhost and 192.168.0.0/24.</P>
-<H3><A NAME="Managing access with Groups">7.4.4. Managing access with Groups</A></H3>
+<H3><A NAME="Managing access with Groups">8.4.4. Managing access with Groups</A></H3>
 <P>There are a few ways to do this. One approach is illustrated here. Consider the following DIT layout:</P>
 <PRE>
     +-dc=example,dc=com
@@ -3462,7 +3838,7 @@
 <STRONG>Note: </STRONG>the specified member attribute type MUST be of DN or <EM>NameAndOptionalUID</EM> syntax, and the specified object class SHOULD allow the attribute type.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>Dynamic Groups are also supported in Access Control. Please see <EM>slapo-dynlist</EM>(5) and the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay section.</P>
-<H3><A NAME="Granting access to a subset of attributes">7.4.5. Granting access to a subset of attributes</A></H3>
+<H3><A NAME="Granting access to a subset of attributes">8.4.5. Granting access to a subset of attributes</A></H3>
 <P>You can grant access to a set of attributes by specifying a list of attribute names in the ACL <EM>to</EM> clause. To be useful, you also need to grant access to the <EM>entry</EM> itself. Also note how <EM>children</EM> controls the ability to add, delete, and rename entries.</P>
 <PRE>
     # mail: self may write, authenticated users may read
@@ -3491,7 +3867,7 @@
       by * none
 </PRE>
 <P>ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that <EM>objectClass</EM>. Actually, names in <EM>attrlist</EM> that are prefixed by <EM>@</EM> are directly treated as objectClass names. A name prefixed by <EM>!</EM> is also treated as an objectClass, but in this case the access rule affects the attributes that are not required nor allowed by that <EM>objectClass</EM>.</P>
-<H3><A NAME="Allowing a user write to all entries below theirs">7.4.6. Allowing a user write to all entries below theirs</A></H3>
+<H3><A NAME="Allowing a user write to all entries below theirs">8.4.6. Allowing a user write to all entries below theirs</A></H3>
 <P>For a setup where a user can write to its own record and to all of its children:</P>
 <PRE>
     access to dn.regex=&quot;(.+,)?(uid=[^,]+,o=Company)$&quot;
@@ -3499,7 +3875,7 @@
        by anonymous auth
 </PRE>
 <P>(Add more examples for above)</P>
-<H3><A NAME="Allowing entry creation">7.4.7. Allowing entry creation</A></H3>
+<H3><A NAME="Allowing entry creation">8.4.7. Allowing entry creation</A></H3>
 <P>Let's say, you have it like this:</P>
 <PRE>
         o=&lt;basedn&gt;
@@ -3561,7 +3937,7 @@
     # submatches from the &quot;what&quot; clause, so a &quot;regex&quot; compilation and evaluation
     # is no longer required.
 </PRE>
-<H3><A NAME="Tips for using regular expressions in Access Control">7.4.8. Tips for using regular expressions in Access Control</A></H3>
+<H3><A NAME="Tips for using regular expressions in Access Control">8.4.8. Tips for using regular expressions in Access Control</A></H3>
 <P>Always use <EM>dn.regex=&lt;pattern&gt;</EM> when you intend to use regular expression matching. <EM>dn=&lt;pattern&gt;</EM> alone defaults to <EM>dn.exact&lt;pattern&gt;</EM>.</P>
 <P>Use <EM>(.+)</EM> instead of <EM>(.*)</EM> when you want at least one char to be matched. <EM>(.*)</EM> matches the empty string as well.</P>
 <P>Don't use regular expressions for matches that can be done otherwise in a safer and cheaper manner. Examples:</P>
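Review bot: the first tip under 8.4.8 reads "dn=&lt;pattern&gt; alone defaults to dn.exact&lt;pattern&gt;", with the "=" missing after dn.exact. Since this tip is about which matching style a bare dn= selects, the form should be spelled exactly: dn.exact=&lt;pattern&gt;.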
@@ -3601,7 +3977,7 @@
       by dn.onelevel,expand=&quot;ou=Admin,$1&quot; write
 </PRE>
 <P>where the regex in the <EM>&lt;what&gt;</EM> clause is more compact, and the one in the <EM>&lt;by&gt;</EM> clause is replaced by a much more efficient scoping style of onelevel with substring expansion.</P>
-<H3><A NAME="Granting and Denying access based on security strength factors (ssf)">7.4.9. Granting and Denying access based on security strength factors (ssf)</A></H3>
+<H3><A NAME="Granting and Denying access based on security strength factors (ssf)">8.4.9. Granting and Denying access based on security strength factors (ssf)</A></H3>
 <P>You can restrict access based on the security strength factor (SSF)</P>
 <PRE>
     access to dn=&quot;cn=example,cn=edu&quot;
@@ -3616,7 +3992,7 @@
 </PRE>
 <P>256 is recommended.</P>
 <P>See <EM>slapd.conf</EM>(5) for information on <EM>ssf</EM>.</P>
-<H3><A NAME="When things aren\'t working as expected">7.4.10. When things aren't working as expected</A></H3>
+<H3><A NAME="When things aren\'t working as expected">8.4.10. When things aren't working as expected</A></H3>
 <P>Consider this example:</P>
 <PRE>
     access to *
@@ -3638,13 +4014,13 @@
 </PRE>
 <P>The general rule is: &quot;special access rules first, generic access rules last&quot;</P>
 <P>See also <EM>slapd.access</EM>(8), loglevel 128 and <EM>slapacl</EM>(8) for debugging information.</P>
-<H2><A NAME="Sets - Granting rights based on relationships">7.5. Sets - Granting rights based on relationships</A></H2>
+<H2><A NAME="Sets - Granting rights based on relationships">8.5. Sets - Granting rights based on relationships</A></H2>
 <P>Sets are best illustrated via examples. The following sections will present a few set ACL examples in order to facilitate their understanding.</P>
 <P>(Sets in Access Controls FAQ Entry: <A HREF="http://www.openldap.org/faq/data/cache/1133.html">http://www.openldap.org/faq/data/cache/1133.html</A>)</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>Sets are considered experimental.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Groups of Groups">7.5.1. Groups of Groups</A></H3>
+<H3><A NAME="Groups of Groups">8.5.1. Groups of Groups</A></H3>
 <P>The OpenLDAP ACL for groups doesn't expand groups within groups, which are groups that have another group as a member. For example:</P>
 <PRE>
  dn: cn=sudoadm,ou=group,dc=example,dc=com
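Review bot: the debugging pointer at the end of 8.4.10 cites slapd.access(8), while the access directive overview earlier in the guide refers to the slapd.access(5) man page. Use section 5 here as well so the reference resolves to the same page.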
@@ -3679,7 +4055,7 @@
  {&quot;uid=john,ou=people,dc=example,dc=com&quot;,&quot;uid=mary,ou=people,dc=example,dc=com&quot;} &amp; user
 </PRE>
 <P>If the authenticated user's DN is any one of those two, write access is granted. So this set will include <TT>mary</TT> in the <TT>sudoadm</TT> group and she will be allowed the write access.</P>
-<H3><A NAME="Group ACLs without DN syntax">7.5.2. Group ACLs without DN syntax</A></H3>
+<H3><A NAME="Group ACLs without DN syntax">8.5.2. Group ACLs without DN syntax</A></H3>
 <P>The traditional group ACLs, and even the previous example about recursive groups, require that the members are specified as DNs instead of just usernames.</P>
 <P>With sets, however, it's also possible to use simple names in group ACLs, as this example will show.</P>
 <P>Let's say we want to allow members of the <TT>sudoadm</TT> group to write to the <TT>ou=suders</TT> branch of our tree. But our group definition now is using <TT>memberUid</TT> for the group members:</P>
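Review bot: The last context line of this hunk names the target branch as `ou=suders`, but the paragraph after the figure in the next hunk refers to `ou=sudoers`. Correct the spelling here so the branch the ACL protects is named consistently.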
@@ -3701,7 +4077,7 @@
 <P><CENTER><IMG SRC="set-memberUid.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: Sets with <TT>memberUid</TT></P>
 <P>In this case, it's a match. If it were <TT>mary</TT> authenticating, however, she would be denied write access to <TT>ou=sudoers</TT> because her <TT>uid</TT> attribute is not listed in the group's <TT>memberUid</TT>.</P>
-<H3><A NAME="Following references">7.5.3. Following references</A></H3>
+<H3><A NAME="Following references">8.5.3. Following references</A></H3>
 <P>We will now show a quite powerful example of what can be done with sets. This example tends to make OpenLDAP administrators smile after they have understood it and its implications.</P>
 <P>Let's start with an user entry:</P>
 <PRE>
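Review bot: The figure caption in the context above the 8.5.3 heading still reads `Figure X.Y: Sets with memberUid`, an unresolved number left in place while the surrounding sections are renumbered from 7.5.x to 8.5.x; give the figure a real number in the source document. `Let's start with an user entry` should also read `a user entry`.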
@@ -3757,192 +4133,189 @@
 <P>It's almost the same ACL as before, but we now also require that the connecting user be a member of the (possibly nested) <TT>cn=executive</TT> group.</P>
 <P></P>
 <HR>
-<H1><A NAME="Running slapd">8. Running slapd</A></H1>
-<P><EM>slapd</EM>(8) is designed to be run as a standalone service.  This allows the server to take advantage of caching, manage concurrency issues with underlying databases, and conserve system resources. Running from <EM>inetd</EM>(8) is <EM>NOT</EM> an option.</P>
-<H2><A NAME="Command-Line Options">8.1. Command-Line Options</A></H2>
-<P><EM>slapd</EM>(8) supports a number of command-line options as detailed in the manual page.  This section details a few commonly used options.</P>
+<H1><A NAME="Limits">9. Limits</A></H1>
+<H2><A NAME="Introduction">9.1. Introduction</A></H2>
+<P>It is usually desirable to limit the server resources that can be consumed by each LDAP client. OpenLDAP provides two sets of limits: a size limit, which can restrict the <EM>number</EM> of entries that a client can retrieve in a single operation, and a time limit which restricts the length of time that an operation may continue. Both types of limit can be given different values depending on who initiated the operation.</P>
+<H2><A NAME="Soft and Hard limits">9.2. Soft and Hard limits</A></H2>
+<P>The server administrator can specify both <EM>soft limits</EM> and <EM>hard limits</EM>. Soft limits can be thought of as being the default limit value. Hard limits cannot be exceeded by ordinary LDAP users.</P>
+<P>LDAP clients can specify their own size and time limits when issuing search operations. This feature has been present since the earliest version of X.500.</P>
+<P>If the client specifies a limit then the lower of the requested value and the <EM>hard limit</EM> will become the limit for the operation.</P>
+<P>If the client does not specify a limit then the server applies the <EM>soft limit</EM>.</P>
+<P>Soft and Hard limits are often referred to together as <EM>administrative limits</EM>. Thus, if an LDAP client requests a search that would return more results than the limits allow it will get an <EM>adminLimitExceeded</EM> error. Note that the server will usually return some results even if the limit has been exceeded: this feature is useful to clients that just want to check for the existence of some entries without needing to see them all.</P>
+<P>The <EM>rootdn</EM> is not subject to any limits.</P>
+<H2><A NAME="Global Limits">9.3. Global Limits</A></H2>
+<P>Limits specified in the global part of the server configuration act as defaults which are used if no database has more specific limits set.</P>
+<P>In a <EM>slapd.conf</EM>(5) configuration the keywords are <TT>sizelimit</TT> and <TT>timelimit</TT>. When using the <EM>slapd config</EM> backend, the corresponding attributes are <TT>olcSizeLimit</TT> and <TT>olcTimeLimit</TT>. The syntax of these values are the same in both cases.</P>
+<P>The simple form sets both soft and hard limits to the same value:</P>
 <PRE>
-        -f &lt;filename&gt;
+   sizelimit {&lt;integer&gt;|unlimited}
+   timelimit {&lt;integer&gt;|unlimited}
 </PRE>
-<P>This option specifies an alternate configuration file for slapd. The default is normally <TT>/usr/local/etc/openldap/slapd.conf</TT>.</P>
+<P>The default sizelimit is 500 entries and the default timelimit is 3600 seconds.</P>
+<P>An extended form allows soft and hard limits to be set separately:</P>
 <PRE>
-        -F &lt;slapd-config-directory&gt;
+   sizelimit size[.{soft|hard|unchecked}]=&lt;integer&gt; [...]
+   timelimit time[.{soft|hard}]=&lt;integer&gt; [...]
 </PRE>
-<P>Specifies the slapd configuration directory. The default is <TT>/usr/local/etc/openldap/slapd.d</TT></P>
-<P>If both <TT>-f</TT> and <TT>-F</TT> are specified, the config file will be read and converted to config directory format and written to the specified directory. If neither option is specified, slapd will attempt to read the default config directory before trying to use the default config file. If a valid config directory exists then the default config file is ignored. All of the slap tools that use the config options observe this same behavior.</P>
+<P>Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries:</P>
 <PRE>
-        -h &lt;URLs&gt;
+  sizelimit size.soft=10 size.hard=75
 </PRE>
-<P>This option specifies alternative listener configurations.  The default is <TT>ldap:///</TT> which implies <TERM>LDAP</TERM> over <TERM>TCP</TERM> on all interfaces on the default LDAP port 389.  You can specify specific host-port pairs or other protocol schemes (such as <TT>ldaps://</TT> or <TT>ldapi://</TT>).  For example, <TT>-h &quot;ldaps:// ldap://127.0.0.1:666&quot;</TT> will create two listeners: one for the (non-standard) <TT>ldaps://</TT> scheme on all interfaces on the default <TT>ldaps://</TT> port 636, and one for the standard <TT>ldap://</TT> scheme on the <TT>localhost</TT> (<EM>loopback</EM>) interface on port 666.  Hosts may be specified using using hostnames or <TERM>IPv4</TERM> or <TERM>IPv6</TERM> addresses.  Port values must be numeric.</P>
+<P>The <EM>unchecked</EM> keyword sets a limit on how many entries the server will examine once it has created an initial set of candidate results by using indices. This can be very important in a large directory, as a search that cannot be satisfied from an index might cause the server to examine millions of entries, therefore always make sure the correct indexes are configured.</P>
+<H2><A NAME="Per-Database Limits">9.4. Per-Database Limits</A></H2>
+<P>Each database can have its own set of limits that override the global ones. The syntax is more flexible, and it allows different limits to be applied to different entities. Note that an <EM>entity</EM> is different from an <EM>entry</EM>: the term <EM>entity</EM> is used here to indicate the ID of the person or process that has initiated the LDAP operation.</P>
+<P>In a <EM>slapd.conf</EM>(5) configuration the keyword is <TT>limits</TT>. When using the <EM>slapd config</EM> backend, the corresponding attribute is <TT>olcLimits</TT>. The syntax of the values is the same in both cases.</P>
 <PRE>
-        -n &lt;service-name&gt;
+   limits &lt;who&gt; &lt;limit&gt; [&lt;limit&gt; [...]]
 </PRE>
-<P>This option specifies the service name used for logging and other purposes. The default service name is <TT>slapd</TT>.</P>
-<PRE>
-        -l &lt;syslog-local-user&gt;
-</PRE>
-<P>This option specifies the local user for the <EM>syslog</EM>(8) facility.  Values can be <TT>LOCAL0</TT>, <TT>LOCAL1</TT>, <TT>LOCAL2</TT>, ..., and <TT>LOCAL7</TT>.  The default is <TT>LOCAL4</TT>.  This option may not be supported on all systems.</P>
-<PRE>
-        -u user -g group
-</PRE>
-<P>These options specify the user and group, respectively, to run as.  <TT>user</TT> can be either a user name or uid.  <TT>group</TT> can be either a group name or gid.</P>
-<PRE>
-        -r directory
-</PRE>
-<P>This option specifies a run-time directory.  slapd will <EM>chroot</EM>(2) to this directory after opening listeners but before reading any configuration files or initializing any backends.</P>
-<UL>
-</UL>
-<PRE>
-        -d &lt;level&gt; | ?
-</PRE>
-<P>This option sets the slapd debug level to &lt;level&gt;. When level is a `?' character, the various debugging levels are printed and slapd exits, regardless of any other options you give it. Current debugging levels are</P>
+<P>The <EM>limits</EM> clause can be specified multiple times to apply different limits to different initiators. The server examines each clause in turn until it finds one that matches the ID that requested the operation. If no match is found, the global limits will be used.</P>
+<H3><A NAME="Specify who the limits apply to">9.4.1. Specify who the limits apply to</A></H3>
+<P>The <TT>&lt;who&gt;</TT> part of the <EM>limits</EM> clause can take any of these values:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
-<CAPTION ALIGN=top>Table 7.1: Debugging Levels</CAPTION>
+<CAPTION ALIGN=top>Table ZZZ.ZZZ: Entity Specifiers</CAPTION>
 <TR CLASS="heading">
-<TD ALIGN='Right'>
-<STRONG>Level</STRONG>
+<TD>
+<STRONG>Specifier</STRONG>
 </TD>
-<TD ALIGN='Left'>
-<STRONG>Description</STRONG>
+<TD>
+<STRONG>Entities</STRONG>
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
--1
+<TD>
+<TT>*</TT>
 </TD>
-<TD ALIGN='Left'>
-enable all debugging
+<TD>
+All, including anonymous and authenticated users
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-0
+<TD>
+<TT>anonymous</TT>
 </TD>
-<TD ALIGN='Left'>
-no debugging
+<TD>
+Anonymous (non-authenticated) users
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-1
+<TD>
+<TT>users</TT>
 </TD>
-<TD ALIGN='Left'>
-trace function calls
+<TD>
+Authenticated users
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-2
+<TD>
+<TT>self</TT>
 </TD>
-<TD ALIGN='Left'>
-debug packet handling
+<TD>
+User associated with target entry
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-4
+<TD>
+<TT>dn[.&lt;basic-style&gt;]=&lt;regex&gt;</TT>
 </TD>
-<TD ALIGN='Left'>
-heavy trace debugging
+<TD>
+Users matching a regular expression
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-8
+<TD>
+<TT>dn.&lt;scope-style&gt;=&lt;DN&gt;</TT>
 </TD>
-<TD ALIGN='Left'>
-connection management
+<TD>
+Users within scope of a DN
 </TD>
 </TR>
 <TR>
-<TD ALIGN='Right'>
-16
+<TD>
+<TT>group[/oc[/at]]=&lt;pattern&gt;</TT>
 </TD>
-<TD ALIGN='Left'>
-print out packets sent and received
+<TD>
+Members of a group
 </TD>
 </TR>
-<TR>
-<TD ALIGN='Right'>
-32
-</TD>
-<TD ALIGN='Left'>
-search filter processing
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-64
-</TD>
-<TD ALIGN='Left'>
-configuration file processing
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-128
-</TD>
-<TD ALIGN='Left'>
-access control list processing
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-256
-</TD>
-<TD ALIGN='Left'>
-stats log connections/operations/results
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-512
-</TD>
-<TD ALIGN='Left'>
-stats log entries sent
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-1024
-</TD>
-<TD ALIGN='Left'>
-print communication with shell backends
-</TD>
-</TR>
-<TR>
-<TD ALIGN='Right'>
-2048
-</TD>
-<TD ALIGN='Left'>
-print entry parsing debugging
-</TD>
-</TR>
 </TABLE>
 
-<P>You may enable multiple levels by specifying the debug option once for each desired level.  Or, since debugging levels are additive, you can do the math yourself. That is, if you want to trace function calls and watch the config file being processed, you could set level to the sum of those two levels (in this case, <TT> -d 65</TT>).  Or, you can let slapd do the math, (e.g. <TT> -d 1 -d 64</TT>).  Consult <TT>&lt;ldap_log.h&gt;</TT> for more details.</P>
-<P><HR WIDTH="80%" ALIGN="Left">
-<STRONG>Note: </STRONG>slapd must have been compiled with <TT>-DLDAP_DEBUG</TT> defined for any debugging information beyond the two stats levels to be available.
-<HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Starting slapd">8.2. Starting slapd</A></H2>
-<P>In general, slapd is run like this:</P>
+<P>The rules for specifying <TT>&lt;who&gt;</TT> are the same as those used in access-control rules.</P>
+<H3><A NAME="Specify time limits">9.4.2. Specify time limits</A></H3>
+<P>The syntax for time limits is</P>
 <PRE>
-        /usr/local/libexec/slapd [&lt;option&gt;]*
+   time[.{soft|hard}]=&lt;integer&gt;
 </PRE>
-<P>where <TT>/usr/local/libexec</TT> is determined by <TT>configure</TT> and &lt;option&gt; is one of the options described above (or in <EM>slapd</EM>(8)). Unless you have specified a debugging level (including level <TT>0</TT>), slapd will automatically fork and detach itself from its controlling terminal and run in the background.</P>
-<H2><A NAME="Stopping slapd">8.3. Stopping slapd</A></H2>
-<P>To kill off <EM>slapd</EM>(8) safely, you should give a command like this</P>
+<P>where integer is the number of seconds slapd will spend answering a search request.</P>
+<P>If neither <EM>soft</EM> nor <EM>hard</EM> is specified, the value is used for both, e.g.:</P>
 <PRE>
-        kill -INT `cat /usr/local/var/slapd.pid`
+   limits anonymous time=27
 </PRE>
-<P>where <TT>/usr/local/var</TT> is determined by <TT>configure</TT>.</P>
-<P>Killing slapd by a more drastic method may cause information loss or database corruption.</P>
+<P>The value <EM>unlimited</EM> may be used to remove the hard time limit entirely, e.g.:</P>
+<PRE>
+   limits dn.exact=&quot;cn=anyuser,dc=example,dc=org&quot; time.hard=unlimited
+</PRE>
+<H3><A NAME="Specifying size limits">9.4.3. Specifying size limits</A></H3>
+<P>The syntax for size limit is</P>
+<PRE>
+   size[.{soft|hard|unchecked}]=&lt;integer&gt;
+</PRE>
+<P>where <TT>&lt;integer&gt;</TT> is the maximum number of entries slapd will return when answering a search request.</P>
+<P>Soft, hard, and &quot;unchecked&quot; limits are available, with the same meanings described for the global limits configuration above.</P>
+<H3><A NAME="Size limits and Paged Results">9.4.4. Size limits and Paged Results</A></H3>
+<P>If the LDAP client adds the <EM>pagedResultsControl</EM> to the search operation, the hard size limit is used by default, because the request for a specific page size is considered an explicit request for a limitation on the number of entries to be returned. However, the size limit applies to the total count of entries returned within the search, and not to a single page.</P>
+<P>Additional size limits may be enforced for paged searches.</P>
+<P>The <TT>size.pr</TT> limit controls the maximum page size:</P>
+<PRE>
+   size.pr={&lt;integer&gt;|noEstimate|unlimited}
+</PRE>
+<P><TT>&lt;integer&gt;</TT> is the maximum page size if no explicit size is set. <TT>noEstimate</TT> has no effect in the current implementation as the server does not return an estimate of the result size anyway. <TT>unlimited</TT> indicates that no limit is applied to the maximum page size.</P>
+<P>The <TT>size.prtotal</TT> limit controls the total number of entries that can be returned by a paged search. By default the limit is the same as the normal <TT>size.hard</TT> limit.</P>
+<PRE>
+   size.prtotal={&lt;integer&gt;|unlimited|disabled}
+</PRE>
+<P><TT>unlimited</TT> removes the limit on the number of entries that can be returned by a paged search. <TT>disabled</TT> can be used to selectively disable paged result searches.</P>
+<H2><A NAME="Example Limit Configurations">9.5. Example Limit Configurations</A></H2>
+<H3><A NAME="Simple Global Limits">9.5.1. Simple Global Limits</A></H3>
+<P>This simple global configuration fragment applies size and time limits to all searches by all users except <EM>rootdn</EM>. It limits searches to 50 results and sets an overall time limit of 10 seconds.</P>
+<PRE>
+   sizelimit 50
+   timelimit 10
+</PRE>
+<H3><A NAME="Global Hard and Soft Limits">9.5.2. Global Hard and Soft Limits</A></H3>
+<P>It is sometimes useful to limit the size of result sets but to allow clients to request a higher limit where needed. This can be achieved by setting separate hard and soft limits.</P>
+<PRE>
+   sizelimit size.soft=5 size.hard=100
+</PRE>
+<P>To prevent clients from doing very inefficient non-indexed searches, add the <EM>unchecked</EM> limit:</P>
+<PRE>
+   sizelimit size.soft=5 size.hard=100 size.unchecked=100
+</PRE>
+<H3><A NAME="Giving specific users larger limits">9.5.3. Giving specific users larger limits</A></H3>
+<P>Having set appropriate default limits in the global configuration, you may want to give certain users the ability to retrieve larger result sets. Here is a way to do that in the per-database configuration:</P>
+<PRE>
+   limits dn.exact=&quot;cn=anyuser,dc=example,dc=org&quot; size=100000
+   limits dn.exact=&quot;cn=personnel,dc=example,dc=org&quot; size=100000
+   limits dn.exact=&quot;cn=dirsync,dc=example,dc=org&quot; size=100000
+</PRE>
+<P>It is generally best to avoid mentioning specific users in the server configuration. A better way is to give the higher limits to a group:</P>
+<PRE>
+   limits group/groupOfNames/member=&quot;cn=bigwigs,dc=example,dc=org&quot; size=100000
+</PRE>
+<H3><A NAME="Limiting who can do paged searches">9.5.4. Limiting who can do paged searches</A></H3>
+<P>It may be required that certain applications need very large result sets that they retrieve using paged searches, but that you do not want ordinary LDAP users to use the pagedResults control. The <EM>pr</EM> and <EM>prtotal</EM> limits can help:</P>
+<PRE>
+   limits group/groupOfNames/member=&quot;cn=dirsync,dc=example,dc=org&quot; size.prtotal=unlimited
+   limits users size.soft=5 size.hard=100 size.prtotal=disabled
+   limits anonymous size.soft=2 size.hard=5 size.prtotal=disabled
+</PRE>
+<H2><A NAME="Further Information">9.6. Further Information</A></H2>
+<P>For further information please see <EM>slapd.conf</EM>(5), <EM>ldapsearch</EM>(1) and <EM>slapd.access</EM>(5)</P>
 <P></P>
 <HR>
-<H1><A NAME="Database Creation and Maintenance Tools">9. Database Creation and Maintenance Tools</A></H1>
+<H1><A NAME="Database Creation and Maintenance Tools">10. Database Creation and Maintenance Tools</A></H1>
 <P>This section tells you how to create a slapd database from scratch, and how to do trouble shooting if you run into problems. There are two ways to create a database. First, you can create the database on-line using <TERM>LDAP</TERM>. With this method, you simply start up slapd and add entries using the LDAP client of your choice. This method is fine for relatively small databases (a few hundred or thousand entries, depending on your requirements). This method works for database types which support updates.</P>
 <P>The second method of database creation is to do it off-line using special utilities provided with <EM>slapd</EM>(8). This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method, or if you want to ensure the database is not accessed while it is being created. Note that not all database types support these utilities.</P>
-<H2><A NAME="Creating a database over LDAP">9.1. Creating a database over LDAP</A></H2>
+<H2><A NAME="Creating a database over LDAP">10.1. Creating a database over LDAP</A></H2>
 <P>With this method, you use the LDAP client of your choice (e.g., the <EM>ldapadd</EM>(1)) to add entries, just like you would once the database is created.  You should be sure to set the following options in the configuration file before starting <EM>slapd</EM>(8).</P>
 <PRE>
         suffix &lt;dn&gt;
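Review bot: Section 9.4 says the server examines each `limits` clause in turn and stops at the first match, but the 9.5.4 example never says that its order is load-bearing. Members of `cn=dirsync` are also authenticated users, so if the `limits users ... size.prtotal=disabled` line came first, the `size.prtotal=unlimited` grant would never apply. Add a sentence to 9.5.4 stating that the most specific clause must come first. Also in this hunk: the caption `Table ZZZ.ZZZ: Entity Specifiers` is an unresolved placeholder, and `The syntax of these values are the same` in 9.3 should read `is the same`, as 9.4 already does. The chapter shows `time.hard=unlimited` and states that the rootdn is not subject to any limits without saying that such identities can run unbounded searches; one sentence on that would fit a chapter that introduces limits as a resource control. Finally, the whole Running slapd chapter (listeners, `-u`/`-g`, `-r` chroot, the debug level table) is deleted here; confirm it reappears elsewhere in the regenerated file, since the ACL section still points readers at `loglevel 128`.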
@@ -4002,7 +4375,7 @@
         ldapadd -f entries.ldif -x -D &quot;cn=Manager,dc=example,dc=com&quot; -w secret
 </PRE>
 <P>The above command assumes settings provided in the above examples.</P>
-<H2><A NAME="Creating a database off-line">9.2. Creating a database off-line</A></H2>
+<H2><A NAME="Creating a database off-line">10.2. Creating a database off-line</A></H2>
 <P>The second method of database creation is to do it off-line, using the slapd database tools described below. This method is best if you have many thousands of entries to create, which would take an unacceptably long time to add using the LDAP method described above. These tools read the slapd configuration file and an input file containing a text representation of the entries to add. For database types which support the tools, they produce the database files directly (otherwise you must use the on-line method above). There are several important configuration options you will want to be sure and set in the config file database definition first:</P>
 <PRE>
         suffix &lt;dn&gt;
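Review bot: The `ldapadd` example in the context at the top of this hunk passes the bind password on the command line with `-w secret`, which leaves it in shell history and visible to other local users through the process list. The guide should show `-W` (prompt for the password) or `-y` with a password file instead, or say so next to the example.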
@@ -4029,7 +4402,7 @@
         index objectClass eq
 </PRE>
 <P>This would create presence, equality, approximate, and substring indices for the <TT>cn</TT>, <TT>sn</TT>, and <TT>uid</TT> attributes and an equality index for the <TT>objectClass</TT> attribute.  Note that not all index types are available with all attribute types.  See <A HREF="#The slapd Configuration File">The slapd Configuration File</A> section for more information on this option.</P>
-<H3><A NAME="The {{EX:slapadd}} program">9.2.1. The <TT>slapadd</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapadd}} program">10.2.1. The <TT>slapadd</TT> program</A></H3>
 <P>Once you've configured things to your liking, you create the primary database and associated indices by running the <EM>slapadd</EM>(8) program:</P>
 <PRE>
         slapadd -l &lt;inputfile&gt; -f &lt;slapdconfigfile&gt;
@@ -4060,21 +4433,21 @@
         -b &lt;suffix&gt;
 </PRE>
 <P>An optional argument that specifies which database to modify.  The provided suffix is matched against a database <TT>suffix</TT> directive to determine the database number. Should not be used in conjunction with <TT>-n</TT>.</P>
-<H3><A NAME="The {{EX:slapindex}} program">9.2.2. The <TT>slapindex</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapindex}} program">10.2.2. The <TT>slapindex</TT> program</A></H3>
 <P>Sometimes it may be necessary to regenerate indices (such as after modifying <EM>slapd.conf</EM>(5)). This is possible using the <EM>slapindex</EM>(8) program.  <EM>slapindex</EM> is invoked like this</P>
 <PRE>
         slapindex -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>Where the <TT>-f</TT>, <TT>-d</TT>, <TT>-n</TT> and <TT>-b</TT> options are the same as for the <EM>slapadd</EM>(1) program.  <EM>slapindex</EM> rebuilds all indices based upon the current database contents.</P>
-<H3><A NAME="The {{EX:slapcat}} program">9.2.3. The <TT>slapcat</TT> program</A></H3>
+<H3><A NAME="The {{EX:slapcat}} program">10.2.3. The <TT>slapcat</TT> program</A></H3>
 <P>The <TT>slapcat</TT> program is used to dump the database to an <TERM>LDIF</TERM> file.  This can be useful when you want to make a human-readable backup of your database or when you want to edit your database off-line.  The program is invoked like this:</P>
 <PRE>
         slapcat -l &lt;filename&gt; -f &lt;slapdconfigfile&gt;
                 [-d &lt;debuglevel&gt;] [-n &lt;databasenumber&gt;|-b &lt;suffix&gt;]
 </PRE>
 <P>where <TT>-n</TT> or <TT>-b</TT> is used to select the database in the <EM>slapd.conf</EM>(5) specified using <TT>-f</TT>.  The corresponding <TERM>LDIF</TERM> output is written to standard output or to the file specified using the <TT>-l</TT> option.</P>
-<H2><A NAME="The LDIF text entry format">9.3. The LDIF text entry format</A></H2>
+<H2><A NAME="The LDIF text entry format">10.3. The LDIF text entry format</A></H2>
 <P>The <TERM>LDAP Data Interchange Format</TERM> (LDIF) is used to represent LDAP entries in a simple text format.  This section provides a brief description of the LDIF entry format which complements <EM>ldif</EM>(5) and the technical specification <A HREF="http://www.rfc-editor.org/rfc/rfc2849.txt">RFC2849</A>.</P>
 <P>The basic form of an entry is:</P>
 <PRE>
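Review bot: The renumbered slapindex and slapcat headings keep anchor names of the form `The {{EX:slapindex}} program`, so unexpanded `{{EX:...}}` markup is baked into the link targets (the slapadd heading in the previous hunk has the same problem). Generate the anchor from the rendered title instead. The context line `the same as for the slapadd(1) program` should cite `slapadd(8)`, as section 10.2.1 does.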
@@ -4146,25 +4519,25 @@
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P></P>
 <HR>
-<H1><A NAME="Backends">10. Backends</A></H1>
-<H2><A NAME="Berkeley DB Backends">10.1. Berkeley DB Backends</A></H2>
-<H3><A NAME="Overview">10.1.1. Overview</A></H3>
+<H1><A NAME="Backends">11. Backends</A></H1>
+<H2><A NAME="Berkeley DB Backends">11.1. Berkeley DB Backends</A></H2>
+<H3><A NAME="Overview">11.1.1. Overview</A></H3>
 <P>The <EM>bdb</EM> backend to <EM>slapd</EM>(8) is the recommended primary backend for a normal <EM>slapd</EM> database.  It uses the Oracle Berkeley DB (<TERM>BDB</TERM>) package to store data. It makes extensive use of indexing and caching (see the <A HREF="#Tuning">Tuning</A> section) to speed data access.</P>
 <P><EM>hdb</EM> is a variant of the <EM>bdb</EM> backend that uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the <EM>bdb</EM> behavior, and all the same configuration options apply.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>An <EM>hdb</EM> database needs a large <EM>idlcachesize</EM> for good search performance, typically three times the <EM>cachesize</EM> (entry cache size) or larger.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="back-bdb/back-hdb Configuration">10.1.2. back-bdb/back-hdb Configuration</A></H3>
+<H3><A NAME="back-bdb/back-hdb Configuration">11.1.2. back-bdb/back-hdb Configuration</A></H3>
 <P>MORE LATER</P>
-<H3><A NAME="Further Information">10.1.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.1.3. Further Information</A></H3>
 <P><EM>slapd-bdb</EM>(5)</P>
-<H2><A NAME="LDAP">10.2. LDAP</A></H2>
-<H3><A NAME="Overview">10.2.1. Overview</A></H3>
+<H2><A NAME="LDAP">11.2. LDAP</A></H2>
+<H3><A NAME="Overview">11.2.1. Overview</A></H3>
 <P>The LDAP backend to <EM>slapd</EM>(8) is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server. While processing requests it will also chase referrals, so that referrals are fully processed instead of being returned to the <EM>slapd</EM> client.</P>
 <P>Sessions that explicitly <EM>Bind</EM> to the <EM>back-ldap</EM> database always create their own private connection to the remote LDAP server. Anonymous sessions will share a single anonymous connection to the remote server. For sessions bound through other mechanisms, all sessions with the same DN will share the same connection. This connection pooling strategy can enhance the proxy's efficiency by reducing the overhead of repeatedly making/breaking multiple connections.</P>
 <P>The ldap database can also act as an information service, i.e. the identity of locally authenticated clients is asserted to the remote server, possibly in some modified form. For this purpose, the proxy binds to the remote server with some administrative identity, and, if required, authorizes the asserted identity.</P>
 <P>It is heavily used by a lot of other <A HREF="#Backends">Backends</A> and <A HREF="#Overlays">Overlays</A>.</P>
-<H3><A NAME="back-ldap Configuration">10.2.2. back-ldap Configuration</A></H3>
+<H3><A NAME="back-ldap Configuration">11.2.2. back-ldap Configuration</A></H3>
 <P>As previously mentioned, <EM>slapd-ldap(5)</EM> is used behind the scenes by many other <A HREF="#Backends">Backends</A> and <A HREF="#Overlays">Overlays</A>. Some of them merely provide a few configuration directive themselves, but have available to the administrator the whole of the <EM>slapd-ldap(5)</EM> options.</P>
 <P>For example, the <A HREF="#Translucent Proxy">Translucent Proxy</A>, which retrieves entries from a remote LDAP server that can be partially overridden by the defined database, has only four specific <EM>translucent-</EM> directives, but can be configured using any of the normal <EM>slapd-ldap(5)</EM> options. See {[slapo-translucent(5)}} for details.</P>
 <P>Other <A HREF="#Overlays">Overlays</A> allow you to tag directives in front of a normal <EM>slapd-ldap(5)</EM> directive. For example, the <EM>slapo-chain(5)</EM> overlay does this:</P>
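Review bot: The renumbered Backends headings reuse the anchor names `Overview` and `Further Information` for every backend (11.1.1 and 11.2.1, 11.1.3 and the sections after it), and the new Limits chapter adds one more `Further Information`, so a link to either name can only reach the first occurrence in the file. Make the generated names unique, for example by prefixing the section number. The context line in 11.2.2 also contains the malformed markup `{[slapo-translucent(5)}}`.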
@@ -4180,13 +4553,13 @@
 </PRE>
 <P>The URI list is space or comma-separated. Whenever the server that responds is not the first one in the list, the list is rearranged and the responsive server is moved to the head, so that it will be first contacted the next time a connection needs be created.</P>
 <P>This feature can be used to provide a form of load balancing when using <A HREF="#MirrorMode replication">MirrorMode replication</A>.</P>
-<H3><A NAME="Further Information">10.2.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.2.3. Further Information</A></H3>
 <P><EM>slapd-ldap</EM>(5)</P>
-<H2><A NAME="LDIF">10.3. LDIF</A></H2>
-<H3><A NAME="Overview">10.3.1. Overview</A></H3>
+<H2><A NAME="LDIF">11.3. LDIF</A></H2>
+<H3><A NAME="Overview">11.3.1. Overview</A></H3>
 <P>The LDIF backend to <EM>slapd</EM>(8) is a basic storage backend that stores entries in text files in LDIF format, and exploits the filesystem to create the tree structure of the database. It is intended as a cheap, low performance easy to use backend.</P>
 <P>When using the <EM>cn=config</EM> dynamic configuration database with persistent storage, the configuration data is stored using this backend. See <EM>slapd-config</EM>(5) for more information</P>
-<H3><A NAME="back-ldif Configuration">10.3.2. back-ldif Configuration</A></H3>
+<H3><A NAME="back-ldif Configuration">11.3.2. back-ldif Configuration</A></H3>
 <P>Like many other backends, the LDIF backend can be instantiated with very few configuration lines:</P>
 <PRE>
         include ./schema/core.schema
@@ -4238,23 +4611,23 @@
    modifyTimestamp: 20080711142643Z
 </PRE>
 <P>This is the complete format you would get when exporting your directory using <TT>slapcat</TT> etc.</P>
-<H3><A NAME="Further Information">10.3.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.3.3. Further Information</A></H3>
 <P><EM>slapd-ldif</EM>(5)</P>
-<H2><A NAME="Metadirectory">10.4. Metadirectory</A></H2>
-<H3><A NAME="Overview">10.4.1. Overview</A></H3>
+<H2><A NAME="Metadirectory">11.4. Metadirectory</A></H2>
+<H3><A NAME="Overview">11.4.1. Overview</A></H3>
 <P>The meta backend to <EM>slapd</EM>(8) performs basic LDAP proxying with respect to a set of remote LDAP servers, called &quot;targets&quot;. The information contained in these servers can be presented as belonging to a single Directory Information Tree (<TERM>DIT</TERM>).</P>
 <P>A basic knowledge of the functionality of the <EM>slapd-ldap</EM>(5) backend is recommended. This backend has been designed as an enhancement of the ldap backend. The two backends share many features (actually they also share portions of code). While the ldap backend is intended to proxy operations directed to a single server, the meta backend is mainly intended for proxying of multiple servers and possibly naming context  masquerading.</P>
 <P>These features, although useful in many scenarios, may result in excessive overhead for some applications, so its use should be carefully considered.</P>
-<H3><A NAME="back-meta Configuration">10.4.2. back-meta Configuration</A></H3>
+<H3><A NAME="back-meta Configuration">11.4.2. back-meta Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">10.4.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.4.3. Further Information</A></H3>
 <P><EM>slapd-meta</EM>(5)</P>
-<H2><A NAME="Monitor">10.5. Monitor</A></H2>
-<H3><A NAME="Overview">10.5.1. Overview</A></H3>
+<H2><A NAME="Monitor">11.5. Monitor</A></H2>
+<H3><A NAME="Overview">11.5.1. Overview</A></H3>
 <P>The monitor backend to <EM>slapd</EM>(8) is not an actual database; if enabled, it is automatically generated and dynamically maintained by slapd with information about the running status of the daemon.</P>
 <P>To inspect all monitor information, issue a subtree search with base <EM>cn=Monitor</EM>, requesting that attributes &quot;+&quot; and &quot;*&quot; are returned. The monitor backend produces mostly operational attributes, and LDAP only returns operational attributes that are explicitly requested.  Requesting attribute &quot;+&quot; is an extension which requests all operational attributes.</P>
 <P>See the <A HREF="#Monitoring">Monitoring</A> section.</P>
-<H3><A NAME="back-monitor Configuration">10.5.2. back-monitor Configuration</A></H3>
+<H3><A NAME="back-monitor Configuration">11.5.2. back-monitor Configuration</A></H3>
 <P>The monitor database can be instantiated only once, i.e. only one occurrence of &quot;database monitor&quot; can occur in the <EM>slapd.conf(5)</EM> file.  Also the suffix is automatically set to <EM>&quot;cn=Monitor&quot;</EM>.</P>
 <P>You can however set a <EM>rootdn</EM> and <EM>rootpw</EM>. The following is all that is needed to instantiate a monitor backend:</P>
 <PRE>
@@ -4304,10 +4677,10 @@
         description: This subsystem contains information about available backends.
 </PRE>
 <P>Please see the <A HREF="#Monitoring">Monitoring</A> section for complete examples of information available via this backend.</P>
-<H3><A NAME="Further Information">10.5.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.5.3. Further Information</A></H3>
 <P><EM>slapd-monitor</EM>(5)</P>
-<H2><A NAME="Null">10.6. Null</A></H2>
-<H3><A NAME="Overview">10.6.1. Overview</A></H3>
+<H2><A NAME="Null">11.6. Null</A></H2>
+<H3><A NAME="Overview">11.6.1. Overview</A></H3>
 <P>The Null backend to <EM>slapd</EM>(8) is surely the most useful part of slapd:</P>
 <UL>
 <LI>Searches return success but no entries.
@@ -4316,7 +4689,7 @@
 <LI>Binds other than as the rootdn fail unless the database option &quot;bind on&quot; is given.
 <LI>The slapadd(8) and slapcat(8) tools are equally exciting.</UL>
 <P>Inspired by the <TT>/dev/null</TT> device.</P>
-<H3><A NAME="back-null Configuration">10.6.2. back-null Configuration</A></H3>
+<H3><A NAME="back-null Configuration">11.6.2. back-null Configuration</A></H3>
 <P>This has to be one of the shortest configurations you'll ever do. In order to test this, your <TT>slapd.conf</TT> file would look like:</P>
 <PRE>
         modulepath  /usr/local/libexec/openldap
@@ -4345,13 +4718,13 @@
 
         # numResponses: 1
 </PRE>
-<H3><A NAME="Further Information">10.6.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.6.3. Further Information</A></H3>
 <P><EM>slapd-null</EM>(5)</P>
-<H2><A NAME="Passwd">10.7. Passwd</A></H2>
-<H3><A NAME="Overview">10.7.1. Overview</A></H3>
+<H2><A NAME="Passwd">11.7. Passwd</A></H2>
+<H3><A NAME="Overview">11.7.1. Overview</A></H3>
 <P>The PASSWD backend to <EM>slapd</EM>(8) serves up the user account information listed in the system <EM>passwd</EM>(5) file (defaulting to <TT>/etc/passwd</TT>).</P>
 <P>This backend is provided for demonstration purposes only. The DN of each entry is &quot;uid=&lt;username&gt;,&lt;suffix&gt;&quot;.</P>
-<H3><A NAME="back-passwd Configuration">10.7.2. back-passwd Configuration</A></H3>
+<H3><A NAME="back-passwd Configuration">11.7.2. back-passwd Configuration</A></H3>
 <P>The configuration using <TT>slapd.conf</TT> a slightly longer, but not much. For example:</P>
 <PRE>
         include ./schema/core.schema
@@ -4387,33 +4760,33 @@
         sn: root
         description: root
 </PRE>
-<H3><A NAME="Further Information">10.7.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.7.3. Further Information</A></H3>
 <P><EM>slapd-passwd</EM>(5)</P>
-<H2><A NAME="Perl/Shell">10.8. Perl/Shell</A></H2>
-<H3><A NAME="Overview">10.8.1. Overview</A></H3>
+<H2><A NAME="Perl/Shell">11.8. Perl/Shell</A></H2>
+<H3><A NAME="Overview">11.8.1. Overview</A></H3>
 <P>The Perl backend to <EM>slapd</EM>(8) works by embedding a <EM>perl</EM>(1) interpreter into <EM>slapd</EM>(8). Any perl database section of the configuration file <EM>slapd.conf</EM>(5) must then specify what Perl module to use. Slapd then creates a new Perl object that handles all the requests for that particular instance of the backend.</P>
 <P>The Shell backend to <EM>slapd</EM>(8) executes external programs to implement operations, and is designed to make it easy to tie an existing database to the slapd front-end. This backend is is primarily intended to be used in prototypes.</P>
-<H3><A NAME="back-perl/back-shell Configuration">10.8.2. back-perl/back-shell Configuration</A></H3>
+<H3><A NAME="back-perl/back-shell Configuration">11.8.2. back-perl/back-shell Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">10.8.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.8.3. Further Information</A></H3>
 <P><EM>slapd-shell</EM>(5) and <EM>slapd-perl</EM>(5)</P>
-<H2><A NAME="Relay">10.9. Relay</A></H2>
-<H3><A NAME="Overview">10.9.1. Overview</A></H3>
+<H2><A NAME="Relay">11.9. Relay</A></H2>
+<H3><A NAME="Overview">11.9.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to map a naming context defined in a database running in the same <EM>slapd</EM>(8) instance into a virtual naming context, with attributeType and objectClass manipulation, if required. It requires the rwm overlay.</P>
 <P>This backend and the above mentioned overlay are experimental.</P>
-<H3><A NAME="back-relay Configuration">10.9.2. back-relay Configuration</A></H3>
+<H3><A NAME="back-relay Configuration">11.9.2. back-relay Configuration</A></H3>
 <P>LATER</P>
-<H3><A NAME="Further Information">10.9.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.9.3. Further Information</A></H3>
 <P><EM>slapd-relay</EM>(5)</P>
-<H2><A NAME="SQL">10.10. SQL</A></H2>
-<H3><A NAME="Overview">10.10.1. Overview</A></H3>
+<H2><A NAME="SQL">11.10. SQL</A></H2>
+<H3><A NAME="Overview">11.10.1. Overview</A></H3>
 <P>The primary purpose of this <EM>slapd</EM>(8) backend is to PRESENT information stored in some RDBMS as an LDAP subtree without any programming (some SQL and maybe stored procedures can't be considered programming, anyway ;).</P>
 <P>That is, for example, when you (some ISP) have account information you use in an RDBMS, and want to use modern solutions that expect such information in LDAP (to authenticate users, make email lookups etc.). Or you want to synchronize or distribute information between different sites/applications that use RDBMSes and/or LDAP. Or whatever else...</P>
 <P>It is <B>NOT</B> designed as a general-purpose backend that uses RDBMS instead of BerkeleyDB (as the standard BDB backend does), though it can be used as such with several limitations. Please see <A HREF="#LDAP vs RDBMS">LDAP vs RDBMS</A> for discussion.</P>
 <P>The idea is to use some meta-information to translate LDAP queries to SQL queries, leaving relational schema untouched, so that old applications can continue using it without any modifications. This allows SQL and LDAP applications to interoperate without replication, and exchange data as needed.</P>
 <P>The SQL backend is designed to be tunable to virtually any relational schema without having to change source (through that meta-information mentioned). Also, it uses ODBC to connect to RDBMSes, and is highly configurable for SQL dialects RDBMSes may use, so it may be used for integration and distribution of data on different RDBMSes, OSes, hosts etc., in other words, in highly heterogeneous environments.</P>
 <P>This backend is experimental.</P>
-<H3><A NAME="back-sql Configuration">10.10.2. back-sql Configuration</A></H3>
+<H3><A NAME="back-sql Configuration">11.10.2. back-sql Configuration</A></H3>
 <P>This backend has to be one of the most abused and complex backends there is. Therefore, we will go through a simple, small example that comes with the OpenLDAP source and can be found in <TT>servers/slapd/back-sql/rdbms_depend/README</TT></P>
 <P>For this example we will be using PostgreSQL.</P>
 <P>First, we add to <TT>/etc/odbc.ini</TT> a block of the form:</P>
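Review bot: the anchors on the renumbered headings in this hunk are not unique. NAME="Further Information" is used for 11.7.3, 11.8.3 and 11.9.3, and NAME="Overview" for 11.8.1, 11.9.1 and 11.10.1, so a link to #Overview or #Further Information cannot address any particular one of them. Since every heading line is being rewritten here anyway, consider deriving the anchor from the section as well, for example "Relay Overview", so that each heading can be linked individually.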
@@ -4476,11 +4849,11 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>This backend is experimental.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Further Information">10.10.3. Further Information</A></H3>
+<H3><A NAME="Further Information">11.10.3. Further Information</A></H3>
 <P><EM>slapd-sql</EM>(5) and <TT>servers/slapd/back-sql/rdbms_depend/README</TT></P>
 <P></P>
 <HR>
-<H1><A NAME="Overlays">11. Overlays</A></H1>
+<H1><A NAME="Overlays">12. Overlays</A></H1>
 <P>Overlays are software components that provide hooks to functions analogous to those provided by backends, which can be stacked on top of the backend calls and as callbacks on top of backend responses to alter their behavior.</P>
 <P>Overlays may be compiled statically into <EM>slapd</EM>, or when module support is enabled, they may be dynamically loaded. Most of the overlays are only allowed to be configured on individual databases.</P>
 <P>Some can be stacked on the <TT>frontend</TT> as well, for global use. This means that they can be executed after a request is parsed and validated, but right before the appropriate database is selected. The main purpose is to affect operations regardless of the database they will be handled by, and, in some cases, to influence the selection of the database by massaging the request DN.</P>
@@ -4509,12 +4882,12 @@
 </PRE>
 <P>along with other types of run-time loadable components; they are officially distributed, but not maintained by the project.</P>
 <P>All the current overlays in OpenLDAP are listed and described in detail in the following sections.</P>
-<H2><A NAME="Access Logging">11.1. Access Logging</A></H2>
-<H3><A NAME="Overview">11.1.1. Overview</A></H3>
+<H2><A NAME="Access Logging">12.1. Access Logging</A></H2>
+<H3><A NAME="Overview">12.1.1. Overview</A></H3>
 <P>This overlay can record accesses to a given backend database on another database.</P>
 <P>This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files. Configuration options are available for selecting a subset of operation types to log, and to automatically prune older log records from the logging database. Log records are stored with audit schema to assure their readability whether viewed as LDIF or in raw form.</P>
 <P>It is also used for <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A></P>
-<H3><A NAME="Access Logging Configuration">11.1.2. Access Logging Configuration</A></H3>
+<H3><A NAME="Access Logging Configuration">12.1.2. Access Logging Configuration</A></H3>
 <P>The following is a basic example that implements Access Logging:</P>
 <PRE>
         database bdb
@@ -4596,13 +4969,13 @@
         # numResponses: 3
         # numEntries: 2
 </PRE>
-<H3><A NAME="Further Information">11.1.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.1.3. Further Information</A></H3>
 <P><EM>slapo-accesslog(5)</EM> and the <A HREF="#delta-syncrepl replication">delta-syncrepl replication</A> section.</P>
-<H2><A NAME="Audit Logging">11.2. Audit Logging</A></H2>
+<H2><A NAME="Audit Logging">12.2. Audit Logging</A></H2>
 <P>The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.</P>
-<H3><A NAME="Overview">11.2.1. Overview</A></H3>
+<H3><A NAME="Overview">12.2.1. Overview</A></H3>
 <P>If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay <B>slapo-auditlog (5)</B> can be used. Full examples are available in the man page <B>slapo-auditlog (5)</B></P>
-<H3><A NAME="Audit Logging Configuration">11.2.2. Audit Logging Configuration</A></H3>
+<H3><A NAME="Audit Logging Configuration">12.2.2. Audit Logging Configuration</A></H3>
 <P>If the directory is running vi <TT>slapd.d</TT>, then the following LDIF could be used to add the overlay to the overlay list in <B>cn=config</B> and set what file the <TERM>LDIF</TERM> gets logged to (adjust to suit)</P>
 <PRE>
        dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
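Review bot: the Audit Logging text says all changes on the database are written as LDIF to a log file, but nothing in the visible paragraphs says how that file should be protected. Changed attribute values land in it, so a sentence recommending restrictive ownership and permissions on the log file belongs next to "adjust to suit". In the same paragraph, "running vi slapd.d" should read "running via slapd.d".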
@@ -4647,14 +5020,14 @@
        entryCSN: 20051123130912.000000Z#000002#000#000000
        # end add 1196797577
 </PRE>
-<H3><A NAME="Further Information">11.2.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.2.3. Further Information</A></H3>
 <P><EM>slapo-auditlog(5)</EM></P>
-<H2><A NAME="Chaining">11.3. Chaining</A></H2>
-<H3><A NAME="Overview">11.3.1. Overview</A></H3>
+<H2><A NAME="Chaining">12.3. Chaining</A></H2>
+<H3><A NAME="Overview">12.3.1. Overview</A></H3>
 <P>The chain overlay provides basic chaining capability to the underlying database.</P>
 <P>What is chaining? It indicates the capability of a DSA to follow referrals on behalf of the client, so that distributed systems are viewed as a single virtual DSA by clients that are otherwise unable to &quot;chase&quot; (i.e. follow) referrals by themselves.</P>
 <P>The chain overlay is built on top of the ldap backend; it is compiled by default when <B>--enable-ldap</B>.</P>
-<H3><A NAME="Chaining Configuration">11.3.2. Chaining Configuration</A></H3>
+<H3><A NAME="Chaining Configuration">12.3.2. Chaining Configuration</A></H3>
 <P>In order to demonstrate how this overlay works, we shall discuss a typical scenario which might be one master server and three Syncrepl slaves.</P>
 <P>On each replica, add this near the top of the <EM>slapd.conf</EM>(5) file (global), before any database definitions:</P>
 <PRE>
@@ -4702,22 +5075,25 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You can clearly see the PROXYAUTHZ line on the master, indicating the proper identity assertion for the update on the master. Also note the slave immediately receiving the Syncrepl update from the master.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H3><A NAME="Handling Chaining Errors">11.3.3. Handling Chaining Errors</A></H3>
+<H3><A NAME="Handling Chaining Errors">12.3.3. Handling Chaining Errors</A></H3>
 <P>By default, if chaining fails, the original referral is returned to the client under the assumption that the client might want to try and follow the referral.</P>
 <P>With the following directive however, if the chaining fails at the provider side, the actual error is returned to the client.</P>
 <PRE>
         chain-return-error TRUE
 </PRE>
-<H3><A NAME="Further Information">11.3.4. Further Information</A></H3>
+<H3><A NAME="Read-Back of Chained Modifications">12.3.4. Read-Back of Chained Modifications</A></H3>
+<P>Occasionally, applications want to read back the data that they just wrote. If a modification requested to a shadow server was silently chained to its producer, an immediate read could result in receiving data not yet synchronized. In those cases, clients should use the <B>dontusecopy</B> control to ensure they are directed to the authoritative source for that piece of data.</P>
+<P>This control usually causes a referral to the actual source of the data to be returned.  However, when the <EM>slapo-chain(5)</EM> overlay is used, it intercepts the referral being returned in response to the <B>dontusecopy</B> control, and tries to fetch the requested data.</P>
+<H3><A NAME="Further Information">12.3.5. Further Information</A></H3>
 <P><EM>slapo-chain(5)</EM></P>
-<H2><A NAME="Constraints">11.4. Constraints</A></H2>
-<H3><A NAME="Overview">11.4.1. Overview</A></H3>
+<H2><A NAME="Constraints">12.4. Constraints</A></H2>
+<H3><A NAME="Overview">12.4.1. Overview</A></H3>
 <P>This overlay enforces a regular expression constraint on all values of specified attributes during an LDAP modify request that contains add or modify commands. It is used to enforce a more rigorous syntax when the underlying attribute syntax is too general.</P>
-<H3><A NAME="Constraint Configuration">11.4.2. Constraint Configuration</A></H3>
+<H3><A NAME="Constraint Configuration">12.4.2. Constraint Configuration</A></H3>
 <P>Configuration via <EM>slapd.conf</EM>(5) would look like:</P>
 <PRE>
         overlay constraint
-        constraint_attribute mail regex ^[:alnum:]+ at mydomain.com$
+        constraint_attribute mail regex ^[[:alnum:]]+ at mydomain.com$
         constraint_attribute title uri
         ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
 </PRE>
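Review bot: in the corrected constraint_attribute mail line the character class is now right, but the "." in "mydomain.com$" is still unescaped, so it matches any character and a value ending in "mydomainXcom" satisfies the constraint; write it as "mydomain\.com$". In the new Read-Back of Chained Modifications paragraph, "chained to its producer" should probably read "provider", which is the term the Handling Chaining Errors text just above it uses.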
@@ -4730,16 +5106,16 @@
        objectClass: olcOverlayConfig
        objectClass: olcConstraintConfig
        olcOverlay: constraint
-       olcConstraintAttribute: mail regex ^[:alnum:]+ at mydomain.com$
+       olcConstraintAttribute: mail regex ^[[:alnum:]]+ at mydomain.com$
        olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
 </PRE>
-<H3><A NAME="Further Information">11.4.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.4.3. Further Information</A></H3>
 <P><EM>slapo-constraint(5)</EM></P>
-<H2><A NAME="Dynamic Directory Services">11.5. Dynamic Directory Services</A></H2>
-<H3><A NAME="Overview">11.5.1. Overview</A></H3>
+<H2><A NAME="Dynamic Directory Services">12.5. Dynamic Directory Services</A></H2>
+<H3><A NAME="Overview">12.5.1. Overview</A></H3>
 <P>The <EM>dds</EM> overlay to <EM>slapd</EM>(8) implements dynamic objects as per <A HREF="http://www.rfc-editor.org/rfc/rfc2589.txt">RFC2589</A>. The name <EM>dds</EM> stands for Dynamic Directory Services. It allows to define dynamic objects, characterized by the <EM>dynamicObject</EM> objectClass.</P>
 <P>Dynamic objects have a limited lifetime, determined by a time-to-live (TTL) that can be refreshed by means of a specific refresh extended operation. This operation allows to set the Client Refresh Period (CRP), namely the period between refreshes that is required to preserve the dynamic object from expiration. The expiration time is computed by adding the requested TTL to the current time. When dynamic objects reach the end of their lifetime without being further refreshed, they are automatically <EM>deleted</EM>. There is no guarantee of immediate deletion, so clients should not count on it.</P>
-<H3><A NAME="Dynamic Directory Service Configuration">11.5.2. Dynamic Directory Service Configuration</A></H3>
+<H3><A NAME="Dynamic Directory Service Configuration">12.5.2. Dynamic Directory Service Configuration</A></H3>
 <P>A usage of dynamic objects might be to implement dynamic meetings; in this case, all the participants to the meeting are allowed to refresh the meeting object, but only the creator can delete it (otherwise it will be deleted when the TTL expires).</P>
 <P>If we add the overlay to an example database, specifying a Max TTL of 1 day, a min of 10 seconds, with a default TTL of 1 hour. We'll also specify an interval of 120 (less than 60s might be too small) seconds between expiration checks and a tolerance of 5 second (lifetime of a dynamic object will be <EM>entryTtl + tolerance</EM>).</P>
 <PRE>
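Review bot: with "[[:alnum:]]+" in the olcConstraintAttribute mail regex, the part before the domain may contain only letters and digits, so an address with a dot, hyphen or underscore in it is rejected by this constraint. If that is not what the example intends, widen the bracket expression, or add a sentence saying the pattern is deliberately strict so readers do not copy it as a general mail check.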
@@ -4763,7 +5139,7 @@
        member: uid=ghenry,ou=People,dc=example,dc=com
        member: uid=hyc,ou=People,dc=example,dc=com
 </PRE>
-<H4><A NAME="Dynamic Directory Service ACLs">11.5.2.1. Dynamic Directory Service ACLs</A></H4>
+<H4><A NAME="Dynamic Directory Service ACLs">12.5.2.1. Dynamic Directory Service ACLs</A></H4>
 <P>Allow users to start a meeting and to join it; restrict refresh to the <EM>member</EM>; restrict delete to the creator:</P>
 <PRE>
        access to attrs=userPassword
@@ -4795,16 +5171,16 @@
        ldapexop -x -H ldap://ldaphost &quot;refresh&quot; &quot;cn=OpenLDAP Documentation Meeting,ou=Meetings,dc=example,dc=com&quot; &quot;120&quot; -D &quot;uid=ghenry,ou=People,dc=example,dc=com&quot; -W
 </PRE>
 <P>Any user can join the meeting, but not add another attendee, but they can refresh the meeting. The ACLs above are quite straight forward to understand.</P>
-<H3><A NAME="Further Information">11.5.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.5.3. Further Information</A></H3>
 <P><EM>slapo-dds(5)</EM></P>
-<H2><A NAME="Dynamic Groups">11.6. Dynamic Groups</A></H2>
-<H3><A NAME="Overview">11.6.1. Overview</A></H3>
+<H2><A NAME="Dynamic Groups">12.6. Dynamic Groups</A></H2>
+<H3><A NAME="Overview">12.6.1. Overview</A></H3>
 <P>This overlay extends the Compare operation to detect members of a dynamic group. This overlay is now deprecated as all of its functions are available using the <A HREF="#Dynamic Lists">Dynamic Lists</A> overlay.</P>
-<H3><A NAME="Dynamic Group Configuration">11.6.2. Dynamic Group Configuration</A></H3>
-<H2><A NAME="Dynamic Lists">11.7. Dynamic Lists</A></H2>
-<H3><A NAME="Overview">11.7.1. Overview</A></H3>
+<H3><A NAME="Dynamic Group Configuration">12.6.2. Dynamic Group Configuration</A></H3>
+<H2><A NAME="Dynamic Lists">12.7. Dynamic Lists</A></H2>
+<H3><A NAME="Overview">12.7.1. Overview</A></H3>
 <P>This overlay allows expansion of dynamic groups and lists. Instead of having the group members or list attributes hard coded, this overlay allows us to define an LDAP search whose results will make up the group or list.</P>
-<H3><A NAME="Dynamic List Configuration">11.7.2. Dynamic List Configuration</A></H3>
+<H3><A NAME="Dynamic List Configuration">12.7.2. Dynamic List Configuration</A></H3>
 <P>This module can behave both as a dynamic list and dynamic group, depending on the configuration. The syntax is as follows:</P>
 <PRE>
        overlay dynlist
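Review bot: the renumbered "12.6.2. Dynamic Group Configuration" heading has no body; the line after it is already the 12.7 Dynamic Lists heading. Since the overview calls this overlay deprecated in favour of Dynamic Lists, either drop the empty heading or put a one-line pointer to the Dynamic List Configuration section under it.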
@@ -4851,14 +5227,14 @@
 <P><CENTER><IMG SRC="allusersgroup-en.png" ALIGN="center"></CENTER></P>
 <P ALIGN="Center">Figure X.Y: Dynamic Group for all users</P>
 <P>Note that a side effect of this scheme of dynamic groups is that the members need to be specified as full DNs. So, if you are planning in using this for <TT>posixGroup</TT>s, be sure to use RFC2307bis and some attribute which can hold distinguished names. The <TT>memberUid</TT> attribute used in the <TT>posixGroup</TT> object class can hold only names, not DNs, and is therefore not suitable for dynamic groups.</P>
-<H3><A NAME="Further Information">11.7.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.7.3. Further Information</A></H3>
 <P><EM>slapo-dynlist(5)</EM></P>
-<H2><A NAME="Reverse Group Membership Maintenance">11.8. Reverse Group Membership Maintenance</A></H2>
-<H3><A NAME="Overview">11.8.1. Overview</A></H3>
+<H2><A NAME="Reverse Group Membership Maintenance">12.8. Reverse Group Membership Maintenance</A></H2>
+<H3><A NAME="Overview">12.8.1. Overview</A></H3>
 <P>In some scenarios, it may be desirable for a client to be able to determine which groups an entry is a member of, without performing an additional search. Examples of this are applications using the <TERM>DIT</TERM> for access control based on group authorization.</P>
 <P>The <B>memberof</B> overlay updates an attribute (by default <B>memberOf</B>) whenever changes occur to the membership attribute (by default <B>member</B>) of entries of the objectclass (by default <B>groupOfNames</B>) configured to trigger updates.</P>
 <P>Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.</P>
-<H3><A NAME="Member Of Configuration">11.8.2. Member Of Configuration</A></H3>
+<H3><A NAME="Member Of Configuration">12.8.2. Member Of Configuration</A></H3>
 <P>The typical use of this overlay requires just enabling the overlay for a specific database. For example, with the following minimal slapd.conf:</P>
 <PRE>
         include /usr/share/openldap/schema/core.schema
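Review bot: the caption "Figure X.Y: Dynamic Group for all users" in the context lines still carries a placeholder figure number. It should be given a real number consistent with the new chapter numbering, or the numbering should be dropped from the caption.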
@@ -4914,35 +5290,35 @@
  memberOf: cn=testgroup,ou=Group,dc=example,dc=com
 </PRE>
 <P>Note that the <B>memberOf</B> attribute is an operational attribute, so it must be requested explicitly.</P>
-<H3><A NAME="Further Information">11.8.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.8.3. Further Information</A></H3>
 <P><EM>slapo-memberof(5)</EM></P>
-<H2><A NAME="The Proxy Cache Engine">11.9. The Proxy Cache Engine</A></H2>
+<H2><A NAME="The Proxy Cache Engine">12.9. The Proxy Cache Engine</A></H2>
 <P><TERM>LDAP</TERM> servers typically hold one or more subtrees of a <TERM>DIT</TERM>. Replica (or shadow) servers hold shadow copies of entries held by one or more master servers.  Changes are propagated from the master server to replica (slave) servers using LDAP Sync replication.  An LDAP cache is a special type of replica which holds entries corresponding to search filters instead of subtrees.</P>
-<H3><A NAME="Overview">11.9.1. Overview</A></H3>
+<H3><A NAME="Overview">12.9.1. Overview</A></H3>
 <P>The proxy cache extension of slapd is designed to improve the responsiveness of the ldap and meta backends. It handles a search request (query) by first determining whether it is contained in any cached search filter. Contained requests are answered from the proxy cache's local database. Other requests are passed on to the underlying ldap or meta backend and processed as usual.</P>
 <P>E.g. <TT>(shoesize&gt;=9)</TT> is contained in <TT>(shoesize&gt;=8)</TT> and <TT>(sn=Richardson)</TT> is contained in <TT>(sn=Richards*)</TT></P>
 <P>Correct matching rules and syntaxes are used while comparing assertions for query containment. To simplify the query containment problem, a list of cacheable &quot;templates&quot; (defined below) is specified at configuration time. A query is cached or answered only if it belongs to one of these templates. The entries corresponding to cached queries are stored in the proxy cache local database while its associated meta information (filter, scope, base, attributes) is stored in main memory.</P>
 <P>A template is a prototype for generating LDAP search requests. Templates are described by a prototype search filter and a list of attributes which are required in queries generated from the template. The representation for prototype filter is similar to <A HREF="http://www.rfc-editor.org/rfc/rfc4515.txt">RFC4515</A>, except that the assertion values are missing. Examples of prototype filters are: (sn=),(&amp;(sn=)(givenname=)) which are instantiated by search filters (sn=Doe) and (&amp;(sn=Doe)(givenname=John)) respectively.</P>
 <P>The cache replacement policy removes the least recently used (LRU) query and entries belonging to only that query. Queries are allowed a maximum time to live (TTL) in the cache thus providing weak consistency. A background task periodically checks the cache for expired queries and removes them.</P>
 <P>The Proxy Cache paper (<A HREF="http://www.openldap.org/pub/kapurva/proxycaching.pdf">http://www.openldap.org/pub/kapurva/proxycaching.pdf</A>) provides design and implementation details.</P>
-<H3><A NAME="Proxy Cache Configuration">11.9.2. Proxy Cache Configuration</A></H3>
+<H3><A NAME="Proxy Cache Configuration">12.9.2. Proxy Cache Configuration</A></H3>
 <P>The cache configuration specific directives described below must appear after a <TT>overlay proxycache</TT> directive within a <TT>&quot;database meta&quot;</TT> or <TT>database ldap</TT> section of the server's <EM>slapd.conf</EM>(5) file.</P>
-<H4><A NAME="Setting cache parameters">11.9.2.1. Setting cache parameters</A></H4>
+<H4><A NAME="Setting cache parameters">12.9.2.1. Setting cache parameters</A></H4>
 <PRE>
  proxyCache &lt;DB&gt; &lt;maxentries&gt; &lt;nattrsets&gt; &lt;entrylimit&gt; &lt;period&gt;
 </PRE>
 <P>This directive enables proxy caching and sets general cache parameters.  The &lt;DB&gt; parameter specifies which underlying database is to be used to hold cached entries.  It should be set to <TT>bdb</TT> or <TT>hdb</TT>.  The &lt;maxentries&gt; parameter specifies the total number of entries which may be held in the cache.  The &lt;nattrsets&gt; parameter specifies the total number of attribute sets (as specified by the <TT>proxyAttrSet</TT> directive) that may be defined.  The &lt;entrylimit&gt; parameter specifies the maximum number of entries in a cacheable query.  The &lt;period&gt; specifies the consistency check period (in seconds).  In each period, queries with expired TTLs are removed.</P>
-<H4><A NAME="Defining attribute sets">11.9.2.2. Defining attribute sets</A></H4>
+<H4><A NAME="Defining attribute sets">12.9.2.2. Defining attribute sets</A></H4>
 <PRE>
  proxyAttrset &lt;index&gt; &lt;attrs...&gt;
 </PRE>
 <P>Used to associate a set of attributes to an index. Each attribute set is associated with an index number from 0 to &lt;numattrsets&gt;-1. These indices are used by the proxyTemplate directive to define cacheable templates.</P>
-<H4><A NAME="Specifying cacheable templates">11.9.2.3. Specifying cacheable templates</A></H4>
+<H4><A NAME="Specifying cacheable templates">12.9.2.3. Specifying cacheable templates</A></H4>
 <PRE>
  proxyTemplate &lt;prototype_string&gt; &lt;attrset_index&gt; &lt;TTL&gt;
 </PRE>
 <P>Specifies a cacheable template and the &quot;time to live&quot; (in sec) &lt;TTL&gt; for queries belonging to the template. A template is described by its prototype filter string and set of required attributes identified by &lt;attrset_index&gt;.</P>
-<H4><A NAME="Example">11.9.2.4. Example</A></H4>
+<H4><A NAME="Example">12.9.2.4. Example</A></H4>
 <P>An example <EM>slapd.conf</EM>(5) database section for a caching server which proxies for the <TT>&quot;dc=example,dc=com&quot;</TT> subtree held at server <TT>ldap.example.com</TT>.</P>
 <PRE>
         database        ldap
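Review bot: the placeholder names in the proxy cache directives do not agree with each other. The proxyCache synopsis calls the parameter <nattrsets>, while the proxyAttrset description gives the index range as 0 to <numattrsets>-1, and the directive is spelled proxyAttrSet in the proxyCache paragraph but proxyAttrset in its own synopsis. Pick one spelling for each so the prose can be matched against the synopsis lines.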
@@ -4961,9 +5337,9 @@
         index       objectClass eq
         index       cn,sn,uid,mail  pres,eq,sub
 </PRE>
-<H5><A NAME="Cacheable Queries">11.9.2.4.1. Cacheable Queries</A></H5>
+<H5><A NAME="Cacheable Queries">12.9.2.4.1. Cacheable Queries</A></H5>
 <P>A LDAP search query is cacheable when its filter matches one of the templates as defined in the &quot;proxyTemplate&quot; statements and when it references only the attributes specified in the corresponding attribute set. In the example above the attribute set number 0 defines that only the attributes: <TT>mail postaladdress telephonenumber</TT> are cached for the following proxyTemplates.</P>
-<H5><A NAME="Examples:">11.9.2.4.2. Examples:</A></H5>
+<H5><A NAME="Examples:">12.9.2.4.2. Examples:</A></H5>
 <PRE>
         Filter: (&amp;(sn=Richard*)(givenName=jack))
         Attrs: mail telephoneNumber
@@ -4979,10 +5355,10 @@
         Attrs: mail telephoneNumber
 </PRE>
 <P>is not cacheable, because the filter does not match the template ( logical OR &quot;|&quot; condition instead of logical AND &quot;&amp;&quot; )</P>
-<H3><A NAME="Further Information">11.9.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.9.3. Further Information</A></H3>
 <P><EM>slapo-pcache(5)</EM></P>
-<H2><A NAME="Password Policies">11.10. Password Policies</A></H2>
-<H3><A NAME="Overview">11.10.1. Overview</A></H3>
+<H2><A NAME="Password Policies">12.10. Password Policies</A></H2>
+<H3><A NAME="Overview">12.10.1. Overview</A></H3>
 <P>This overlay follows the specifications contained in the draft RFC titled draft-behera-ldap-password-policy-09. While the draft itself is expired, it has been implemented in several directory servers, including slapd. Nonetheless, it is important to note that it is a draft, meaning that it is subject to change and is a work-in-progress.</P>
 <P>The key abilities of the password policy overlay are as follows:</P>
 <UL>
@@ -4995,7 +5371,7 @@
 <LI>Set an administrative lock on an account
 <LI>Support multiple password policies on a default or a per-object basis.
 <LI>Perform arbitrary quality checks using an external loadable module. This is a non-standard extension of the draft RFC.</UL>
-<H3><A NAME="Password Policy Configuration">11.10.2. Password Policy Configuration</A></H3>
+<H3><A NAME="Password Policy Configuration">12.10.2. Password Policy Configuration</A></H3>
 <P>Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module. The following example shows the ppolicy module being added to the database that handles the naming context &quot;dc=example,dc=com&quot;. In this example we are also specifying the DN of a policy object to use if none other is specified in a user's object.</P>
 <PRE>
        database bdb
@@ -5058,14 +5434,14 @@
 <P>1. The pwdPolicySubentry in a user's object - If a user's object has a pwdPolicySubEntry attribute specifying the DN of a policy object, then the policy defined by that object is applied.</P>
 <P>2. Default password policy - If there is no specific pwdPolicySubentry set for an object, and the password policy module was configured with the DN of a default policy object and if that object exists, then the policy defined in that object is applied.</P>
 <P>Please see <EM>slapo-ppolicy(5)</EM> for complete explanations of features and discussion of &quot;Password Management Issues&quot; at <A HREF="http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25">http://www.connexitor.com/forums/viewtopic.php?f=6&amp;t=25</A></P>
-<H3><A NAME="Further Information">11.10.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.10.3. Further Information</A></H3>
 <P><EM>slapo-ppolicy(5)</EM></P>
-<H2><A NAME="Referential Integrity">11.11. Referential Integrity</A></H2>
-<H3><A NAME="Overview">11.11.1. Overview</A></H3>
+<H2><A NAME="Referential Integrity">12.11. Referential Integrity</A></H2>
+<H3><A NAME="Overview">12.11.1. Overview</A></H3>
 <P>This overlay can be used with a backend database such as slapd-bdb(5) to maintain the cohesiveness of a schema which utilizes reference attributes.</P>
 <P>Whenever a <EM>modrdn</EM> or <EM>delete</EM> is performed, that is, when an entry's DN is renamed or an entry is removed, the server will search the directory for references to this DN (in selected attributes: see below) and update them accordingly. If it was a <EM>delete</EM> operation, the reference is deleted. If it was a <EM>modrdn</EM> operation, then the reference is updated with the new DN.</P>
 <P>For example, a very common administration task is to maintain group membership lists, specially when users are removed from the directory. When an user account is deleted or renamed, all groups this user is a member of have to be updated. LDAP administrators usually have scripts for that. But we can use the <TT>refint</TT> overlay to automate this task. In this example, if the user is removed from the directory, the overlay will take care to remove the user from all the groups he/she was a member of. No more scripting for this.</P>
-<H3><A NAME="Referential Integrity Configuration">11.11.2. Referential Integrity Configuration</A></H3>
+<H3><A NAME="Referential Integrity Configuration">12.11.2. Referential Integrity Configuration</A></H3>
 <P>The configuration for this overlay is as follows:</P>
 <PRE>
        overlay refint
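Review bot: The anchors `<A NAME="Further Information">` and `<A NAME="Overview">` on the renumbered headings are reused for every overlay section (12.9.3, 12.10.3, 12.11.1 and so on), so a fragment link to either name can only ever land on one of them. Since this change already rewrites each of these heading lines, consider making the anchor names unique per section, for example by including the section title in the name.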
@@ -5088,14 +5464,14 @@
 <P ALIGN="Center">Figure X.Y: Maintaining referential integrity in groups</P>
 <P>Notice that if we rename (<TT>modrdn</TT>) the <TT>john</TT> entry to, say, <TT>jsmith</TT>, the refint overlay will also rename the reference in the <TT>member</TT> attribute, so the group membership stays correct.</P>
 <P>If we removed all users from the directory who are a member of this group, then the end result would be a single member in the group: <TT>cn=admin,dc=example,dc=com</TT>. This is the <TT>refint_nothing</TT> parameter kicking into action so that the schema is not violated.</P>
-<H3><A NAME="Further Information">11.11.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.11.3. Further Information</A></H3>
 <P><EM>slapo-refint(5)</EM></P>
-<H2><A NAME="Return Code">11.12. Return Code</A></H2>
-<H3><A NAME="Overview">11.12.1. Overview</A></H3>
+<H2><A NAME="Return Code">12.12. Return Code</A></H2>
+<H3><A NAME="Overview">12.12.1. Overview</A></H3>
 <P>This overlay is useful to test the behavior of clients when server-generated erroneous and/or unusual responses occur, for example; error codes, referrals, excessive response times and so on.</P>
 <P>This would be classed as a debugging tool whilst developing client software or additional Overlays.</P>
 <P>For detailed information, please see the <EM>slapo-retcode(5)</EM> man page.</P>
-<H3><A NAME="Return Code Configuration">11.12.2. Return Code Configuration</A></H3>
+<H3><A NAME="Return Code Configuration">12.12.2. Return Code Configuration</A></H3>
 <P>The retcode overlay utilizes the &quot;return code&quot; schema described in the man page. This schema is specifically designed for use with this overlay and is not intended to be used otherwise.</P>
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>The necessary schema is loaded automatically by the overlay.
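Review bot: The caption "Figure X.Y: Maintaining referential integrity in groups" in the context of this hunk is still a placeholder. The surrounding headings are being renumbered to 12.11.x, so the figure should get a real number in the same pass.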
@@ -5132,52 +5508,250 @@
        retcode-item    &quot;cn=strongerAuthRequired&quot;               0x08    text=&quot;same as strongAuthRequired&quot;
 </PRE>
 <P>Please see <TT>tests/data/retcode.conf</TT> for a complete <TT>retcode.conf</TT></P>
-<H3><A NAME="Further Information">11.12.3. Further Information</A></H3>
+<H3><A NAME="Further Information">12.12.3. Further Information</A></H3>
 <P><EM>slapo-retcode(5)</EM></P>
-<H2><A NAME="Rewrite/Remap">11.13. Rewrite/Remap</A></H2>
-<H3><A NAME="Overview">11.13.1. Overview</A></H3>
+<H2><A NAME="Rewrite/Remap">12.13. Rewrite/Remap</A></H2>
+<H3><A NAME="Overview">12.13.1. Overview</A></H3>
 <P>It performs basic DN/data rewrite and objectClass/attributeType mapping. Its usage is mostly intended to provide virtual views of existing data either remotely, in conjunction with the proxy backend described in <EM>slapd-ldap(5)</EM>, or locally, in conjunction with the relay backend described in <EM>slapd-relay(5)</EM>.</P>
 <P>This overlay is extremely configurable and advanced, therefore recommended reading is the <EM>slapo-rwm(5)</EM> man page.</P>
-<H3><A NAME="Rewrite/Remap Configuration">11.13.2. Rewrite/Remap Configuration</A></H3>
-<H3><A NAME="Further Information">11.13.3. Further Information</A></H3>
+<H3><A NAME="Rewrite/Remap Configuration">12.13.2. Rewrite/Remap Configuration</A></H3>
+<H3><A NAME="Further Information">12.13.3. Further Information</A></H3>
 <P><EM>slapo-rwm(5)</EM></P>
-<H2><A NAME="Sync Provider">11.14. Sync Provider</A></H2>
-<H3><A NAME="Overview">11.14.1. Overview</A></H3>
-<P>This overlay implements the provider-side support for syncrepl replication, including persistent search functionality</P>
-<H3><A NAME="Sync Provider Configuration">11.14.2. Sync Provider Configuration</A></H3>
-<H3><A NAME="Further Information">11.14.3. Further Information</A></H3>
-<P><EM>slapo-syncprov(5)</EM></P>
-<H2><A NAME="Translucent Proxy">11.15. Translucent Proxy</A></H2>
-<H3><A NAME="Overview">11.15.1. Overview</A></H3>
-<P>This overlay can be used with a backend database such as slapd-bdb (5) to create a &quot;translucent proxy&quot;.</P>
-<P>Content of entries retrieved from a remote LDAP server can be partially overridden by the database.</P>
-<H3><A NAME="Translucent Proxy Configuration">11.15.2. Translucent Proxy Configuration</A></H3>
-<H3><A NAME="Further Information">11.15.3. Further Information</A></H3>
+<H2><A NAME="Sync Provider">12.14. Sync Provider</A></H2>
+<H3><A NAME="Overview">12.14.1. Overview</A></H3>
+<P>This overlay implements the provider-side support for the LDAP Content Synchronization (<A HREF="http://www.rfc-editor.org/rfc/rfc4533.txt">RFC4533</A>) as well as syncrepl replication support, including persistent search functionality.</P>
+<H3><A NAME="Sync Provider Configuration">12.14.2. Sync Provider Configuration</A></H3>
+<P>There is very little configuration needed for this overlay, in fact for many situations merely loading the overlay will suffice.</P>
+<P>However, because the overlay creates a contextCSN attribute in the root entry of the database which is updated for every write operation performed against the database and only updated in memory, it is recommended to configure a checkpoint so that the contextCSN is written into the underlying database to minimize recovery time after an unclean shutdown:</P>
+<PRE>
+       overlay syncprov
+       syncprov-checkpoint 100 10
+</PRE>
+<P>For every 100 operations or 10 minutes, which ever is sooner, the contextCSN will be checkpointed.</P>
+<P>The four configuration directives available are <B>syncprov-checkpoint</B>, <B>syncprov-sessionlog</B>, <B>syncprov-nopresent</B> and <B>syncprov-reloadhint</B> which are covered in the man page discussing various other scenarios where this overlay can be used.</P>
+<H3><A NAME="Further Information">12.14.3. Further Information</A></H3>
+<P>The <EM>slapo-syncprov(5)</EM> man page and the <A HREF="#Configuring the different replication types">Configuring the different replication types</A> section</P>
+<H2><A NAME="Translucent Proxy">12.15. Translucent Proxy</A></H2>
+<H3><A NAME="Overview">12.15.1. Overview</A></H3>
+<P>This overlay can be used with a backend database such as <EM>slapd-bdb</EM>(5) to create a &quot;translucent proxy&quot;.</P>
+<P>Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client.</P>
+<P>A search operation is first populated with entries from the remote LDAP server, the attributes of which are then overridden with any attributes defined in the local database. Local overrides may be populated with the add, modify, and modrdn operations, the use of which is restricted to the root user of the translucent local database.</P>
+<P>A compare operation will perform a comparison with attributes defined in the local database record (if any) before any comparison is made with data in the remote database.</P>
+<H3><A NAME="Translucent Proxy Configuration">12.15.2. Translucent Proxy Configuration</A></H3>
+<P>There are various options available with this overlay, but for this example we will demonstrate adding new attributes to a remote entry and also searching against these newly added local attributes. For more information about overriding remote entries and search configuration, please see <EM>slapo-translucent(5)</EM></P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>The Translucent Proxy overlay will disable schema checking in the local database, so that an entry consisting of overlay attributes need not adhere to the complete schema.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>First we configure the overlay in the normal manner:</P>
+<PRE>
+       include     /usr/local/etc/openldap/schema/core.schema
+       include     /usr/local/etc/openldap/schema/cosine.schema
+       include     /usr/local/etc/openldap/schema/nis.schema
+       include     /usr/local/etc/openldap/schema/inetorgperson.schema
+
+       pidfile     ./slapd.pid
+       argsfile    ./slapd.args
+
+       modulepath  /usr/local/libexec/openldap
+       moduleload  back_bdb.la
+       moduleload  back_ldap.la
+       moduleload  translucent.la
+
+       database    bdb
+       suffix      &quot;dc=suretecsystems,dc=com&quot;
+       rootdn      &quot;cn=trans,dc=suretecsystems,dc=com&quot;
+       rootpw      secret
+       directory   ./openldap-data
+
+       index       objectClass eq
+
+       overlay     translucent
+       translucent_local carLicense
+
+       uri         ldap://192.168.X.X:389
+       lastmod     off
+       acl-bind    binddn=&quot;cn=admin,dc=suretecsystems,dc=com&quot; credentials=&quot;blahblah&quot;
+</PRE>
+<P>You will notice the overlay directive and a directive to say what attribute we want to be able to search against in the local database. We must also load the ldap backend which will connect to the remote directory server.</P>
+<P>Now we take an example LDAP group:</P>
+<PRE>
+       # itsupport, Groups, suretecsystems.com
+       dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+       objectClass: posixGroup
+       objectClass: sambaGroupMapping
+       cn: itsupport
+       gidNumber: 1000
+       sambaSID: S-1-5-21-XXX
+       sambaGroupType: 2
+       displayName: itsupport
+       memberUid: ghenry
+       memberUid: joebloggs
+</PRE>
+<P>and create an LDIF file we can use to add our data to the local database, using some pretty strange choices of new attributes for demonstration purposes:</P>
+<PRE>
+       [ghenry at suretec test_configs]$ cat test-translucent-add.ldif
+       dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+       businessCategory: frontend-override
+       carLicense: LIVID
+       employeeType: special
+       departmentNumber: 9999999
+       roomNumber: 41L-535
+</PRE>
+<P>Searching against the proxy gives:</P>
+<PRE>
+       [ghenry at suretec test_configs]$ ldapsearch -x -H ldap://127.0.0.1:9001 &quot;(cn=itsupport)&quot;
+       # itsupport, Groups, OxObjects, suretecsystems.com
+       dn: cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com
+       objectClass: posixGroup
+       objectClass: sambaGroupMapping
+       cn: itsupport
+       gidNumber: 1003
+       SAMBASID: S-1-5-21-XXX
+       SAMBAGROUPTYPE: 2
+       displayName: itsupport
+       memberUid: ghenry
+       memberUid: joebloggs
+       roomNumber: 41L-535
+       departmentNumber: 9999999
+       employeeType: special
+       carLicense: LIVID
+       businessCategory: frontend-override
+</PRE>
+<P>Here we can see that the 5 new attributes are added to the remote entry before being returned to the our client.</P>
+<P>Because we have configured a local attribute to search against:</P>
+<PRE>
+       overlay     translucent
+       translucent_local carLicense
+</PRE>
+<P>we can also search for that to return the completely fabricated entry:</P>
+<PRE>
+       ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)
+</PRE>
+<P>This is an extremely feature because you can then extend a remote directory server locally and also search against the local entries.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>Because the translucent overlay does not perform any DN rewrites, the local and remote database instances must have the same suffix. Other configurations will probably fail with No Such Object and other errors
+<HR WIDTH="80%" ALIGN="Left"></P>
+<H3><A NAME="Further Information">12.15.3. Further Information</A></H3>
 <P><EM>slapo-translucent(5)</EM></P>
-<H2><A NAME="Attribute Uniqueness">11.16. Attribute Uniqueness</A></H2>
-<H3><A NAME="Overview">11.16.1. Overview</A></H3>
-<P>This overlay can be used with a backend database such as slapd-bdb (5) to enforce the uniqueness of some or all attributes within a subtree.</P>
-<H3><A NAME="Attribute Uniqueness Configuration">11.16.2. Attribute Uniqueness Configuration</A></H3>
-<H3><A NAME="Further Information">11.16.3. Further Information</A></H3>
+<H2><A NAME="Attribute Uniqueness">12.16. Attribute Uniqueness</A></H2>
+<H3><A NAME="Overview">12.16.1. Overview</A></H3>
+<P>This overlay can be used with a backend database such as <EM>slapd-bdb(5)</EM> to enforce the uniqueness of some or all attributes within a subtree.</P>
+<H3><A NAME="Attribute Uniqueness Configuration">12.16.2. Attribute Uniqueness Configuration</A></H3>
+<P>This overlay is only effective on new data from the point the overlay is enabled. To check uniqueness for existing data, you can export and import your data again via the LDAP Add operation, which will not be suitable for large amounts of data, unlike <B>slapcat</B>.</P>
+<P>For the following example, if uniqueness were enforced for the <B>mail</B> attribute, the subtree would be searched for any other records which also have a <B>mail</B> attribute containing the same value presented with an <B>add</B>, <B>modify</B> or <B>modrdn</B> operation which are unique within the configured scope. If any are found, the request is rejected.</P>
+<P><HR WIDTH="80%" ALIGN="Left">
+<STRONG>Note: </STRONG>If no attributes are specified, for example <B>ldap:///??sub?</B>, then the URI applies to all non-operational attributes. However, the keyword <B>ignore</B> can be specified to exclude certain non-operational attributes.
+<HR WIDTH="80%" ALIGN="Left"></P>
+<P>To search at the base dn of the current backend database ensuring uniqueness of the <B>mail</B> attribute, we simply add the following configuration:</P>
+<PRE>
+       overlay unique
+       unique_uri ldap:///?mail?sub?
+</PRE>
+<P>For an existing entry of:</P>
+<PRE>
+       dn: cn=gavin,dc=suretecsystems,dc=com
+       objectClass: top
+       objectClass: inetorgperson
+       cn: gavin
+       sn: henry
+       mail: ghenry at suretecsystems.com
+</PRE>
+<P>and we then try to add a new entry of:</P>
+<PRE>
+       dn: cn=robert,dc=suretecsystems,dc=com
+       objectClass: top
+       objectClass: inetorgperson
+       cn: robert
+       sn: jones
+       mail: ghenry at suretecsystems.com
+</PRE>
+<P>would result in an error like so:</P>
+<PRE>
+       adding new entry &quot;cn=robert,dc=example,dc=com&quot;
+       ldap_add: Constraint violation (19)
+               additional info: some attributes not unique
+</PRE>
+<P>The overlay can have multiple URIs specified within a domain, allowing complex selections of objects and also have multiple <B>unique_uri</B> statements or <B>olcUniqueURI</B> attributes which will create independent domains.</P>
+<P>For more information and details about the <B>strict</B> and <B>ignore</B> keywords, please see the <EM>slapo-unique(5)</EM> man page.</P>
+<H3><A NAME="Further Information">12.16.3. Further Information</A></H3>
 <P><EM>slapo-unique(5)</EM></P>
-<H2><A NAME="Value Sorting">11.17. Value Sorting</A></H2>
-<H3><A NAME="Overview">11.17.1. Overview</A></H3>
-<P>This overlay can be used to enforce a specific order for the values of an attribute when it is returned in a search.</P>
-<H3><A NAME="Value Sorting Configuration">11.17.2. Value Sorting Configuration</A></H3>
-<H3><A NAME="Further Information">11.17.3. Further Information</A></H3>
+<H2><A NAME="Value Sorting">12.17. Value Sorting</A></H2>
+<H3><A NAME="Overview">12.17.1. Overview</A></H3>
+<P>The Value Sorting overlay can be used with a backend database to sort the values of specific multi-valued attributes within a subtree. The sorting occurs whenever the attributes are returned in a search response.</P>
+<H3><A NAME="Value Sorting Configuration">12.17.2. Value Sorting Configuration</A></H3>
+<P>Sorting can be specified in ascending or descending order, using either numeric or alphanumeric sort methods. Additionally, a &quot;weighted&quot; sort can be specified, which uses a numeric weight prepended to the attribute values.</P>
+<P>The weighted sort is always performed in ascending order, but may be combined with the other methods for values that all have equal weights. The weight is specified by prepending an integer weight {&lt;weight&gt;} in front of each value of the attribute for which weighted sorting is desired. This weighting factor is stripped off and never returned in search results.</P>
+<P>Here are a few examples:</P>
+<PRE>
+       loglevel    sync stats
+
+       database    hdb
+       suffix      &quot;dc=suretecsystems,dc=com&quot;
+       directory   /usr/local/var/openldap-data
+
+       ......
+
+       overlay valsort
+       valsort-attr memberUid ou=Groups,dc=suretecsystems,dc=com alpha-ascend
+</PRE>
+<P>For example, ascend:</P>
+<PRE>
+       # sharedemail, Groups, suretecsystems.com
+       dn: cn=sharedemail,ou=Groups,dc=suretecsystems,dc=com
+       objectClass: posixGroup
+       objectClass: top
+       cn: sharedemail
+       gidNumber: 517
+       memberUid: admin
+       memberUid: dovecot
+       memberUid: laura
+       memberUid: suretec
+</PRE>
+<P>For weighted, we change our data to:</P>
+<PRE>
+       # sharedemail, Groups, suretecsystems.com
+       dn: cn=sharedemail,ou=Groups,dc=suretecsystems,dc=com
+       objectClass: posixGroup
+       objectClass: top
+       cn: sharedemail
+       gidNumber: 517
+       memberUid: {4}admin
+       memberUid: {2}dovecot
+       memberUid: {1}laura
+       memberUid: {3}suretec
+</PRE>
+<P>and change the config to:</P>
+<PRE>
+       overlay valsort
+       valsort-attr memberUid ou=Groups,dc=suretecsystems,dc=com weighted
+</PRE>
+<P>Searching now results in:</P>
+<PRE>
+       # sharedemail, Groups, OxObjects, suretecsystems.com
+       dn: cn=sharedemail,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com
+       objectClass: posixGroup
+       objectClass: top
+       cn: sharedemail
+       gidNumber: 517
+       memberUid: laura
+       memberUid: dovecot
+       memberUid: suretec
+       memberUid: admin
+</PRE>
+<H3><A NAME="Further Information">12.17.3. Further Information</A></H3>
 <P><EM>slapo-valsort(5)</EM></P>
-<H2><A NAME="Overlay Stacking">11.18. Overlay Stacking</A></H2>
-<H3><A NAME="Overview">11.18.1. Overview</A></H3>
+<H2><A NAME="Overlay Stacking">12.18. Overlay Stacking</A></H2>
+<H3><A NAME="Overview">12.18.1. Overview</A></H3>
 <P>Overlays can be stacked, which means that more than one overlay can be instantiated for each database, or for the <TT>frontend</TT>. As a consequence, each overlays function is called, if defined, when overlay execution is invoked. Multiple overlays are executed in reverse order (as a stack) with respect to their definition in slapd.conf (5), or with respect to their ordering in the config database, as documented in slapd-config (5).</P>
-<H3><A NAME="Example Scenarios">11.18.2. Example Scenarios</A></H3>
-<H4><A NAME="Samba">11.18.2.1. Samba</A></H4>
+<H3><A NAME="Example Scenarios">12.18.2. Example Scenarios</A></H3>
+<H4><A NAME="Samba">12.18.2.1. Samba</A></H4>
 <P></P>
 <HR>
-<H1><A NAME="Schema Specification">12. Schema Specification</A></H1>
+<H1><A NAME="Schema Specification">13. Schema Specification</A></H1>
 <P>This chapter describes how to extend the user schema used by <EM>slapd</EM>(8).  The chapter assumes the reader is familiar with the <TERM>LDAP</TERM>/<TERM>X.500</TERM> information model.</P>
 <P>The first section, <A HREF="#Distributed Schema Files">Distributed Schema Files</A> details optional schema definitions provided in the distribution and where to obtain other definitions. The second section, <A HREF="#Extending Schema">Extending Schema</A>, details how to define new schema items.</P>
 <P>This chapter does not discuss how to extend system schema used by <EM>slapd</EM>(8) as this requires source code modification.  System schema includes all operational attribute types or any object class which allows or requires an operational attribute (directly or indirectly).</P>
-<H2><A NAME="Distributed Schema Files">12.1. Distributed Schema Files</A></H2>
+<H2><A NAME="Distributed Schema Files">13.1. Distributed Schema Files</A></H2>
 <P>OpenLDAP Software is distributed with a set of schema specifications for your use.  Each set is defined in a file suitable for inclusion (using the <TT>include</TT> directive) in your <EM>slapd.conf</EM>(5) file.  These schema files are normally installed in the <TT>/usr/local/etc/openldap/schema</TT> directory.</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.1: Provided Schema Specifications</CAPTION>
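Review bot: Several of the examples added in this hunk would not work or do not match each other as printed. In the translucent section the second search, `ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)`, leaves the filter unquoted, so a shell will try to interpret the parentheses; quote it the way the first search quotes "(cn=itsupport)". The sample data is inconsistent: the LDIF overrides `cn=itsupport,ou=Groups,dc=suretecsystems,dc=com` and the group is shown with gidNumber 1000, while the proxy output shows an extra `ou=OxObjects` in the DN and gidNumber 1003 (the valsort search output has the same extra `ou=OxObjects`), and the uniqueness error reports `cn=robert,dc=example,dc=com` for an entry that was added under `dc=suretecsystems,dc=com`. The translucent slapd.conf also shows `rootpw secret` and `credentials="blahblah"` in clear text; because the text says only the root user of the local database may add overrides, a sentence marking these as placeholders and pointing to a hashed rootpw would help. Wording: "returned to the our client" and "This is an extremely feature" both need fixing.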
@@ -5250,7 +5824,7 @@
 <P><HR WIDTH="80%" ALIGN="Left">
 <STRONG>Note: </STRONG>You should not modify any of the schema items defined in provided files.
 <HR WIDTH="80%" ALIGN="Left"></P>
-<H2><A NAME="Extending Schema">12.2. Extending Schema</A></H2>
+<H2><A NAME="Extending Schema">13.2. Extending Schema</A></H2>
 <P>Schema used by <EM>slapd</EM>(8) may be extended to support additional syntaxes, matching rules, attribute types, and object classes.  This chapter details how to add user application attribute types and object classes using the syntaxes and matching rules already supported by slapd.  slapd can also be extended to support additional syntaxes, matching rules and system schema, but this requires some programming and hence is not discussed here.</P>
 <P>There are five steps to defining new schema:</P>
 <OL>
@@ -5259,7 +5833,7 @@
 <LI>create local schema file
 <LI>define custom attribute types (if necessary)
 <LI>define custom object classes</OL>
-<H3><A NAME="Object Identifiers">12.2.1. Object Identifiers</A></H3>
+<H3><A NAME="Object Identifiers">13.2.1. Object Identifiers</A></H3>
 <P>Each schema element is identified by a globally unique <TERM>Object Identifier</TERM> (OID).  OIDs are also used to identify other objects.  They are commonly found in protocols described by <TERM>ASN.1</TERM>.  In particular, they are heavily used by the <TERM>Simple Network Management Protocol</TERM> (SNMP). As OIDs are hierarchical, your organization can obtain one OID and branch it as needed.  For example, if your organization were assigned OID <TT>1.1</TT>, you could branch the tree as follows:</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.2: Example OID hierarchy</CAPTION>
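Review bot: The caption in the trailing context still reads "Table 8.2: Example OID hierarchy" although this chapter is renumbered from 12 to 13 (the same applies to Table 8.1 and Table 8.3 in this chapter). If table numbers are meant to follow the chapter number, they need to be regenerated together with the headings.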
@@ -5338,12 +5912,12 @@
 <STRONG>Note: </STRONG>PENs obtained using this form may be used for any purpose including identifying LDAP schema elements.
 <HR WIDTH="80%" ALIGN="Left"></P>
 <P>Alternatively, OID name space may be available from a national authority (e.g., <A HREF="http://www.ansi.org/">ANSI</A>, <A HREF="http://www.bsi-global.com/">BSI</A>).</P>
-<H3><A NAME="Naming Elements">12.2.2. Naming Elements</A></H3>
-<P>In addition to assigning a unique object identifier to each schema element, you should provide a least one textual name for each element.  Names should be registered with the <A HREF="http://www.iana.org/">IANA</A> or prefixed with &quot;x-&quot; to place in the &quot;private use&quot; name space.</P>
+<H3><A NAME="Naming Elements">13.2.2. Naming Elements</A></H3>
+<P>In addition to assigning a unique object identifier to each schema element, you should provide at least one textual name for each element.  Names should be registered with the <A HREF="http://www.iana.org/">IANA</A> or prefixed with &quot;x-&quot; to place in the &quot;private use&quot; name space.</P>
 <P>The name should be both descriptive and not likely to clash with names of other schema elements.  In particular, any name you choose should not clash with present or future Standard Track names (this is assured if you registered names or use names beginning with &quot;x-&quot;).</P>
 <P>It is noted that you can obtain your own registered name prefix so as to avoid having to register your names individually. See <A HREF="http://www.rfc-editor.org/rfc/rfc4520.txt">RFC4520</A> for details.</P>
 <P>In the examples below, we have used a short prefix '<TT>x-my-</TT>'. Such a short prefix would only be suitable for a very large, global organization.  In general, we recommend something like '<TT>x-de-Firm-</TT>' (German company) or '<TT>x-com-Example</TT>' (elements associated with organization associated with <TT>example.com</TT>).</P>
-<H3><A NAME="Local schema file">12.2.3. Local schema file</A></H3>
+<H3><A NAME="Local schema file">13.2.3. Local schema file</A></H3>
 <P>The <TT>objectclass</TT> and <TT>attributeTypes</TT> configuration file directives can be used to define schema rules on entries in the directory.  It is customary to create a file to contain definitions of your custom schema items.  We recommend you create a file <TT>local.schema</TT> in <TT>/usr/local/etc/openldap/schema/local.schema</TT> and then include this file in your <EM>slapd.conf</EM>(5) file immediately after other schema <TT>include</TT> directives.</P>
 <PRE>
         # include schema
@@ -5353,7 +5927,7 @@
         # include local schema
         include /usr/local/etc/openldap/schema/local.schema
 </PRE>
-<H3><A NAME="Attribute Type Specification">12.2.4. Attribute Type Specification</A></H3>
+<H3><A NAME="Attribute Type Specification">13.2.4. Attribute Type Specification</A></H3>
 <P>The <EM>attributetype</EM> directive is used to define a new attribute type.  The directive uses the same Attribute Type Description (as defined in <A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A>) used by the attributeTypes attribute found in the subschema subentry, e.g.:</P>
 <PRE>
         attributetype &lt;<A HREF="http://www.rfc-editor.org/rfc/rfc4512.txt">RFC4512</A> Attribute Type Description&gt;
@@ -5397,7 +5971,7 @@
                 SUP name )
 </PRE>
 <P>Notice that each defines the attribute's OID, provides a short name, and a brief description.  Each name is an alias for the OID. <EM>slapd</EM>(8) returns the first listed name when returning results.</P>
-<P>The first attribute, <TT>name</TT>, holds values of <TT>directoryString</TT> (<TERM>UTF-8</TERM> encoded Unicode) syntax.  The syntax is specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString syntax).  A length recommendation of 32768 is specified.  Servers should support values of this length, but may support longer values The field does NOT specify a size constraint, so is ignored on servers (such as slapd) which don't impose such size limits.  In addition, the equality and substring matching uses case ignore rules.  Below are tables listing commonly used syntax and matching rules (<EM>slapd</EM>(8) supports these and many more).</P>
+<P>The first attribute, <TT>name</TT>, holds values of <TT>directoryString</TT> (<TERM>UTF-8</TERM> encoded Unicode) syntax.  The syntax is specified by OID (1.3.6.1.4.1.1466.115.121.1.15 identifies the directoryString syntax).  A length recommendation of 32768 is specified.  Servers should support values of this length, but may support longer values. The field does NOT specify a size constraint, so is ignored on servers (such as slapd) which don't impose such size limits.  In addition, the equality and substring matching uses case ignore rules.  Below are tables listing commonly used syntax and matching rules (<EM>slapd</EM>(8) supports these and many more).</P>
 <TABLE CLASS="columns" BORDER ALIGN='Center'>
 <CAPTION ALIGN=top>Table 8.3: Commonly Used Syntaxes</CAPTION>
 <TR CLASS="heading">
@@ -5662,7 +6236,7 @@
 </TR>
 <TR>
 <TD>
-<TT>octetStringOrderingStringMatch</TT>
+<TT>octetStringOrderingMatch</TT>
 </TD>
 <TD>
 ordering
@@ -5673,13 +6247,13 @@
 </TR>
 <TR>
 <TD>
-<TT>octetStringSubstringsStringMatch</TT>
+<TT>octetStringSubstringsMatch      ordering</TT>
 </TD>
 <TD>
-ordering
+octet st
 </TD>
 <TD>
-octet string
+ring
 </TD>
 </TR>
 <TR>
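Review bot: The octetStringSubstringsMatch row is broken by this change: the first cell now reads `octetStringSubstringsMatch      ordering` and the next two cells contain "octet st" and "ring", so the type and syntax text has been cut at the wrong column. The rule name should sit alone in the first cell, as it does for octetStringOrderingMatch in the previous hunk, with "octet string" whole in the third. While fixing the row, check whether "ordering" is the right type for a rule named Substrings.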
@@ -5698,7 +6272,7 @@
 <P>The second attribute, <TT>cn</TT>, is a subtype of <TT>name</TT> hence it inherits the syntax, matching rules, and usage of <TT>name</TT>. <TT>commonName</TT> is an alternative name.</P>
 <P>Neither attribute is restricted to a single value.  Both are meant for usage by user applications.  Neither is obsolete nor collective.</P>
 <P>The following subsections provide a couple of examples.</P>
-<H4><A NAME="x-my-UniqueName">12.2.4.1. x-my-UniqueName</A></H4>
+<H4><A NAME="x-my-UniqueName">13.2.4.1. x-my-UniqueName</A></H4>
 <P>Many organizations maintain a single unique name for each user. Though one could use <TT>displayName</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>), this attribute is really meant to be controlled by the user, not the organization.  We could just copy the definition of <TT>displayName</TT> from <TT>inetorgperson.schema</TT> and replace the OID, name, and description, e.g:</P>
 <PRE>
         attributetype ( 1.1.2.1.1 NAME 'x-my-UniqueName'
@@ -5714,7 +6288,7 @@
                 DESC 'unique name with my organization'
                 SUP name )
 </PRE>
-<H4><A NAME="x-my-Photo">12.2.4.2. x-my-Photo</A></H4>
+<H4><A NAME="x-my-Photo">13.2.4.2. x-my-Photo</A></H4>
 <P>Many organizations maintain a photo of each each user.  A <TT>x-my-Photo</TT> attribute type could be defined to hold a photo. Of course, one could use just use <TT>jpegPhoto</TT> (<A HREF="http://www.rfc-editor.org/rfc/rfc2798.txt">RFC2798</A>) (or a subtype) to hold the photo.  However, you can only do this if the photo is in <EM>JPEG File Interchange Format</EM>. Alternatively, an attribute type which uses the <EM>Octet String</EM> syntax can be defined, e.g.:</P>
 <PRE>
         attributetype ( 1.1.2.1.2 NAME 'x-my-Photo'
@@ -5730,7 +6304,7 @@
                 DESC 'URI and optional labe