SLAPD_SCHEMA_NOT_COMPAT: numerous changes to syntax flags, mostly minor

added new value_normalize() code
	need LDAPsyntaxes X- field support

servers/slapd/ad.c

@@ -130,14 +130,12 @@ int slap_bv2ad(
 
 	for( i=1; tokens[i] != NULL; i++ ) {
 		if( strcasecmp( tokens[i], "binary" ) == 0 ) {
-			if( desc.ad_flags & SLAP_DESC_BINARY ) {
+			if( slap_ad_is_binary( &desc ) ) {
 				*text = "option \"binary\" specified multiple times";
 				goto done;
 			}
 
-			if(!( desc.ad_type->sat_syntax->ssyn_flags
-				& SLAP_SYNTAX_BINARY ))
-			{
+			if( !slap_syntax_is_binary( desc.ad_type->sat_syntax )) {
 				/* not stored in binary, disallow option */
 				*text = "option \"binary\" with type not supported";
 				goto done;
@@ -166,7 +164,7 @@ int slap_bv2ad(
 	desc.ad_cname = ch_malloc( sizeof( struct berval ) );
 
 	desc.ad_cname->bv_len = strlen( desc.ad_type->sat_cname );
-	if( desc.ad_flags & SLAP_DESC_BINARY ) {
+	if( slap_ad_is_binary( &desc ) ) {
 		desc.ad_cname->bv_len += sizeof("binary");
 	}
 	if( desc.ad_lang != NULL ) {
@@ -176,7 +174,7 @@ int slap_bv2ad(
 	desc.ad_cname->bv_val = ch_malloc( desc.ad_cname->bv_len + 1 );
 
 	strcpy( desc.ad_cname->bv_val, desc.ad_type->sat_cname );
-	if( desc.ad_flags & SLAP_DESC_BINARY ) {
+	if( slap_ad_is_binary( &desc ) ) {
 		strcat( desc.ad_cname->bv_val, ";binary" );
 	}
 

servers/slapd/ava.c

@@ -38,10 +38,10 @@ get_ava(
 )
 {
 	int rc;
-	struct berval type, *value;
+	struct berval type, value, *nvalue;
 	AttributeAssertion *aa;
 
-	rc = ber_scanf( ber, "{oO}", &type, &value );
+	rc = ber_scanf( ber, "{oo}", &type, &value );
 
 	if( rc == LBER_ERROR ) {
 		Debug( LDAP_DEBUG_ANY, "  get_ava ber_scanf\n", 0, 0, 0 );
@@ -56,22 +56,22 @@ get_ava(
 
 	if( rc != LDAP_SUCCESS ) {
 		ch_free( type.bv_val );
-		ber_bvfree( value );
+		ch_free( value.bv_val );
 		ch_free( aa );
 		return rc;
 	}
 
-	rc = value_normalize( aa->aa_desc, usage, value, text );
+	rc = value_normalize( aa->aa_desc, usage, &value, &nvalue, text );
+	ch_free( value.bv_val );
 
 	if( rc != LDAP_SUCCESS ) {
 		ch_free( type.bv_val );
-		ber_bvfree( value );
 		ad_free( aa->aa_desc, 1 );
 		ch_free( aa );
 		return rc;
 	}
 
-	aa->aa_value = value;
+	aa->aa_value = nvalue;
 	*ava = aa;
 
 	return LDAP_SUCCESS;

servers/slapd/back-ldbm/attr.c

@@ -109,39 +109,50 @@ attr_index_config(
 		if ( argc == 1 ) {
 			a->ai_indexmask = (
 				SLAP_INDEX_PRESENCE | SLAP_INDEX_EQUALITY |
-			    SLAP_INDEX_APPROX | SLAP_INDEX_SUB);
+			    SLAP_INDEX_APPROX | SLAP_INDEX_SUBSTR);
 		} else {
 			a->ai_indexmask = 0;
 			for ( j = 0; indexes[j] != NULL; j++ ) {
-				if ( strncasecmp( indexes[j], "pres", 4 )
-				    == 0 ) {
+				if ( strncasecmp( indexes[j],
+					"pres", sizeof("pres")-1 ) == 0 )
+				{
 					a->ai_indexmask |= SLAP_INDEX_PRESENCE;
-				} else if ( strncasecmp( indexes[j], "eq", 2 )
-				    == 0 ) {
+
+				} else if ( strncasecmp( indexes[j],
+					"eq", sizeof("eq")-1 ) == 0 )
+				{
 					a->ai_indexmask |= SLAP_INDEX_EQUALITY;
-				} else if ( strncasecmp( indexes[j], "approx",
-				    6 ) == 0 ) {
+
+				} else if ( strncasecmp( indexes[j],
+					"approx", sizeof("approx")-1 ) == 0 )
+				{
 					a->ai_indexmask |= SLAP_INDEX_APPROX;
-				} else if ( strncasecmp( indexes[j], "sub", 3 )
-				    == 0 ) {
-					a->ai_indexmask |= SLAP_INDEX_SUB;
-				} else if ( strncasecmp( indexes[j], "none", 4 )
-				    == 0 ) {
+
+				} else if ( strncasecmp( indexes[j],
+					"sub", sizeof("sub")-1 ) == 0 )
+				{
+					a->ai_indexmask |= SLAP_INDEX_SUBSTR;
+
+				} else if ( strncasecmp( indexes[j],
+					"none", sizeof("none")-1 ) == 0 )
+				{
 					if ( a->ai_indexmask != 0 ) {
-						fprintf( stderr,
-"%s: line %d: index type \"none\" cannot be combined with other types\n",
+						fprintf( stderr, "%s: line %d: "
+							"index type \"none\" cannot be combined with other types\n",
 						    fname, lineno );
 					}
 					a->ai_indexmask = 0;
+
 				} else {
-					fprintf( stderr,
-			"%s: line %d: unknown index type \"%s\" (ignored)\n",
+					fprintf( stderr, "%s: line %d: "
+						"unknown index type \"%s\" (ignored)\n",
 					    fname, lineno, indexes[j] );
-					fprintf( stderr,
-	"valid index types are \"pres\", \"eq\", \"approx\", or \"sub\"\n" );
+					fprintf( stderr, "\tvalid index types are "
+						"\"pres\", \"eq\", \"approx\", or \"sub\"\n" );
 				}
 			}
 		}
+
 		if ( init ) {
 			a->ai_indexmask |= SLAP_INDEX_FROMINIT;
 		}

servers/slapd/back-ldbm/filterindex.c

@@ -333,7 +333,7 @@ substring_comp_candidates(
 		}
 		buf[SUBLEN] = '\0';
 
-		if ( (idl = index_read( be, type, SLAP_INDEX_SUB, buf )) == NULL ) {
+		if ( (idl = index_read( be, type, SLAP_INDEX_SUBSTR, buf )) == NULL ) {
 			return( NULL );
 		}
 	} else if ( prepost == '$' ) {
@@ -344,7 +344,7 @@ substring_comp_candidates(
 		buf[SUBLEN - 1] = '$';
 		buf[SUBLEN] = '\0';
 
-		if ( (idl = index_read( be, type, SLAP_INDEX_SUB, buf )) == NULL ) {
+		if ( (idl = index_read( be, type, SLAP_INDEX_SUBSTR, buf )) == NULL ) {
 			return( NULL );
 		}
 	}
@@ -355,7 +355,7 @@ substring_comp_candidates(
 		}
 		buf[SUBLEN] = '\0';
 
-		if ( (tmp = index_read( be, type, SLAP_INDEX_SUB, buf )) == NULL ) {
+		if ( (tmp = index_read( be, type, SLAP_INDEX_SUBSTR, buf )) == NULL ) {
 			idl_free( idl );
 			return( NULL );
 		}

servers/slapd/back-ldbm/index.c

@@ -371,7 +371,7 @@ index_change_values(
 		/*
 		 * substrings index entry
 		 */
-		if ( indexmask & SLAP_INDEX_SUB ) {
+		if ( indexmask & SLAP_INDEX_SUBSTR ) {
 			/* leading and trailing */
 			if ( len > SUBLEN - 2 ) {
 				buf[0] = '^';
@@ -380,7 +380,7 @@ index_change_values(
 				}
 				buf[SUBLEN] = '\0';
 
-				change_value( be, db, at_cn, SLAP_INDEX_SUB,
+				change_value( be, db, at_cn, SLAP_INDEX_SUBSTR,
 					      buf, id, idl_funct );
 
 				p = val + len - SUBLEN + 1;
@@ -390,7 +390,7 @@ index_change_values(
 				buf[SUBLEN - 1] = '$';
 				buf[SUBLEN] = '\0';
 
-				change_value( be, db, at_cn, SLAP_INDEX_SUB,
+				change_value( be, db, at_cn, SLAP_INDEX_SUBSTR,
 					      buf, id, idl_funct );
 			}
 
@@ -401,7 +401,7 @@ index_change_values(
 				}
 				buf[SUBLEN] = '\0';
 
-				change_value( be, db, at_cn, SLAP_INDEX_SUB,
+				change_value( be, db, at_cn, SLAP_INDEX_SUBSTR,
 					      buf, id, idl_funct );
 			}
 		}
@@ -430,7 +430,7 @@ index2prefix( int indextype )
 	case SLAP_INDEX_APPROX:
 		prefix = APPROX_PREFIX;
 		break;
-	case SLAP_INDEX_SUB:
+	case SLAP_INDEX_SUBSTR:
 		prefix = SUB_PREFIX;
 		break;
 	default:

servers/slapd/compare.c

@@ -33,15 +33,15 @@ do_compare(
 	char	*dn = NULL, *ndn=NULL;
 	struct berval desc;
 	struct berval value;
-	Backend	*be;
-	int rc = LDAP_SUCCESS;
-	char *text = NULL;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+	struct berval *nvalue;
 	AttributeAssertion ava;
-	ava.aa_desc = NULL;
 #else
 	Ava	ava;
 #endif
+	Backend	*be;
+	int rc = LDAP_SUCCESS;
+	char *text = NULL;
 
 	desc.bv_val = NULL;
 	value.bv_val = NULL;
@@ -106,7 +106,7 @@ do_compare(
 		goto cleanup;
 	}
 
-	rc = value_normalize( ava.aa_desc, SLAP_MR_EQUALITY, &value, &text );
+	rc = value_normalize( ava.aa_desc, SLAP_MR_EQUALITY, &value, &nvalue, &text );
 
 	if( rc != LDAP_SUCCESS ) {
 		send_ldap_result( conn, op, rc, NULL,
@@ -114,7 +114,7 @@ do_compare(
 		goto cleanup;
 	}
 
-	ava.aa_value = &value;
+	ava.aa_value = nvalue;
 
 	Debug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s) value (%s)\n",
 	    dn, ava.aa_desc->ad_cname, ava.aa_value->bv_val );

servers/slapd/entry.c

@@ -121,6 +121,7 @@ str2entry( char *s )
 
 		bval.bv_val = value;
 		bval.bv_len = vlen;
+
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 		/* not yet implemented */
 #else

servers/slapd/filter.c

@@ -230,7 +230,7 @@ get_filter(
 		Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		err = get_ava( ber, &f->f_ava, SLAP_MR_APPROX, text );
+		err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY_APPROX, text );
 #else
 		err = get_ava( ber, &f->f_ava, text );
 #endif
@@ -374,7 +374,8 @@ get_substring_filter(
 	ber_tag_t	tag;
 	ber_len_t	len;
 	ber_tag_t	rc;
-	struct berval *val;
+	struct berval *value;
+	struct berval *nvalue;
 	char		*last;
 	struct berval type;
 #ifndef SLAPD_SCHEMA_NOT_COMPAT
@@ -431,14 +432,14 @@ get_substring_filter(
 	{
 		unsigned usage;
 
-		rc = ber_scanf( ber, "O", &val );
+		rc = ber_scanf( ber, "O", &value );
 		if ( rc == LBER_ERROR ) {
 			rc = SLAPD_DISCONNECT;
 			goto return_error;
 		}
 
-		if ( val == NULL || val->bv_len == 0 ) {
-			ber_bvfree( val );
+		if ( value == NULL || value->bv_len == 0 ) {
+			ber_bvfree( value );
 			rc = LDAP_INVALID_SYNTAX;
 			goto return_error;
 		} 
@@ -464,22 +465,24 @@ get_substring_filter(
 				"  unknown substring choice=%ld\n",
 				(long) tag, 0, 0 );
 
-			ber_bvfree( val );
+			ber_bvfree( value );
 			goto return_error;
 		}
 
-		rc = value_normalize( f->f_sub_desc, usage, val, text );
+		rc = value_normalize( f->f_sub_desc, usage, value, &nvalue, text );
+		ber_bvfree( value );
 
 		if( rc != LDAP_SUCCESS ) {
-			ber_bvfree( val );
 			goto return_error;
 		}
+
+		value = nvalue;
 #else
 
 		/* we should call a substring syntax normalization routine */
-		value_normalize( val->bv_val, syntax );
+		value_normalize( value->bv_val, syntax );
 		/* this is bogus, value_normalize should take a berval */
-		val->bv_len = strlen( val->bv_val );
+		value->bv_len = strlen( value->bv_val );
 #endif
 
 		rc = LDAP_PROTOCOL_ERROR;
@@ -488,48 +491,47 @@ get_substring_filter(
 		case LDAP_SUBSTRING_INITIAL:
 			Debug( LDAP_DEBUG_FILTER, "  INITIAL\n", 0, 0, 0 );
 			if ( f->f_sub_initial != NULL ) {
-				ber_bvfree( val );
+				ber_bvfree( value );
 				goto return_error;
 			}
 
-
-			f->f_sub_initial = val;
+			f->f_sub_initial = value;
 
 			if( fstr ) {
 				*fstr = ch_realloc( *fstr,
-					strlen( *fstr ) + val->bv_len + 1 );
-				strcat( *fstr, val->bv_val );
+					strlen( *fstr ) + value->bv_len + 1 );
+				strcat( *fstr, value->bv_val );
 			}
 			break;
 
 		case LDAP_SUBSTRING_ANY:
 			Debug( LDAP_DEBUG_FILTER, "  ANY\n", 0, 0, 0 );
-			if( ber_bvecadd( &f->f_sub_any, val ) < 0 ) {
-				ber_bvfree( val );
+			if( ber_bvecadd( &f->f_sub_any, value ) < 0 ) {
+				ber_bvfree( value );
 				goto return_error;
 			}
 
 			if( fstr ) {
 				*fstr = ch_realloc( *fstr,
-					strlen( *fstr ) + val->bv_len + 2 );
+					strlen( *fstr ) + value->bv_len + 2 );
 				strcat( *fstr, "*" );
-				strcat( *fstr, val->bv_val );
+				strcat( *fstr, value->bv_val );
 			}
 			break;
 
 		case LDAP_SUBSTRING_FINAL:
 			Debug( LDAP_DEBUG_FILTER, "  FINAL\n", 0, 0, 0 );
 			if ( f->f_sub_final != NULL ) {
-				ber_bvfree( val );
+				ber_bvfree( value );
 				goto return_error;
 			}
-			f->f_sub_final = val;
+			f->f_sub_final = value;
 
 			if( fstr ) {
 				*fstr = ch_realloc( *fstr,
-					strlen( *fstr ) + val->bv_len + 2 );
+					strlen( *fstr ) + value->bv_len + 2 );
 				strcat( *fstr, "*" );
-				strcat( *fstr, val->bv_val );
+				strcat( *fstr, value->bv_val );
 			}
 			break;
 
@@ -538,7 +540,7 @@ get_substring_filter(
 				"  unknown substring type=%ld\n",
 				(long) tag, 0, 0 );
 
-			ber_bvfree( val );
+			ber_bvfree( value );
 
 return_error:
 			Debug( LDAP_DEBUG_FILTER, "  error=%ld\n",

servers/slapd/modify.c

@@ -313,8 +313,8 @@ int slap_modlist2mods(
 			return rc;
 		}
 
-		if((ad->ad_type->sat_syntax->ssyn_flags & SLAP_SYNTAX_BINARY)
-			&& !( ad->ad_flags & SLAP_DESC_BINARY ))
+		if( slap_syntax_is_binary( ad->ad_type->sat_syntax )
+			&& !slap_ad_is_binary( ad ))
 		{
 			/* attribute requires binary transfer */
 			slap_mods_free( mod );
@@ -322,6 +322,15 @@ int slap_modlist2mods(
 			return LDAP_UNDEFINED_TYPE;
 		}
 
+		if( !slap_syntax_is_binary( ad->ad_type->sat_syntax )
+			&& slap_ad_is_binary( ad ))
+		{
+			/* attribute requires binary transfer */
+			slap_mods_free( mod );
+			*text = "attribute disallows ;binary transfer";
+			return LDAP_UNDEFINED_TYPE;
+		}
+
 		if (!update && is_at_no_user_mod( ad->ad_type )) {
 			/* user modification disallowed */
 			slap_mods_free( mod );
@@ -378,7 +387,6 @@ int slap_mods_opattrs(
 	Modifications **modtail,
 	char **text )
 {
-	int rc;
 	struct berval name, timestamp;
 	time_t now = slap_get_time();
 	char timebuf[22];

servers/slapd/proto-slap.h

@@ -569,7 +569,9 @@ LIBSLAPD_F (int) oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err));
 
 LIBSLAPD_F (Syntax *) syn_find LDAP_P((const char *synname));
 LIBSLAPD_F (Syntax *) syn_find_desc LDAP_P((const char *syndesc, int *slen));
-LIBSLAPD_F (int) syn_add LDAP_P((LDAP_SYNTAX *syn, int flags,
+LIBSLAPD_F (int) syn_add LDAP_P((
+	LDAP_SYNTAX *syn,
+	unsigned flags,
 	slap_syntax_validate_func *validate,
 	slap_syntax_transform_func *ber2str,
 	slap_syntax_transform_func *str2ber,
@@ -585,12 +587,15 @@ LIBSLAPD_F (int) mr_add LDAP_P((LDAP_MATCHING_RULE *mr,
 	slap_mr_filter_func *filter,
 	const char **err));
 
-LIBSLAPD_F (int) register_syntax LDAP_P((char *desc, int flags,
+LIBSLAPD_F (int) register_syntax LDAP_P((
+	char *desc,
+	unsigned flags,
 	slap_syntax_validate_func *validate,
 	slap_syntax_transform_func *ber2str,
 	slap_syntax_transform_func *str2ber ));
 
-LIBSLAPD_F (int) register_matching_rule LDAP_P((char * desc,
+LIBSLAPD_F (int) register_matching_rule LDAP_P((
+	char * desc,
 	unsigned usage,
 	slap_mr_convert_func *convert,
 	slap_mr_normalize_func *normalize,
@@ -667,15 +672,16 @@ LIBSLAPD_F (char *) suffix_alias LDAP_P(( Backend *be, char *ndn ));
 LIBSLAPD_F (int) value_normalize LDAP_P((
 	AttributeDescription *ad,
 	unsigned usage,
-	struct berval *val,
+	struct berval *in,
+	struct berval **out,
 	char ** text ));
 #else
 LIBSLAPD_F (int) value_add_fast LDAP_P(( struct berval ***vals, struct berval **addvals, int nvals, int naddvals, int *maxvals ));
-LIBSLAPD_F (int) value_add LDAP_P(( struct berval ***vals, struct berval **addvals ));
 LIBSLAPD_F (void) value_normalize LDAP_P(( char *s, int syntax ));
 LIBSLAPD_F (int) value_cmp LDAP_P(( struct berval *v1, struct berval *v2, int syntax, int normalize ));
 LIBSLAPD_F (int) value_find LDAP_P(( struct berval **vals, struct berval *v, int syntax, int normalize ));
 #endif
+LIBSLAPD_F (int) value_add LDAP_P(( struct berval ***vals, struct berval **addvals ));
 
 /*
  * user.c

servers/slapd/schema/core.schema

@@ -82,14 +82,6 @@ attributetype ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms'
 attributetype ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 USAGE dSAOperation )
 
-attributetype ( supportedACIMechanismsOID NAME 'supportedACIMechanisms'
-     DESC 'list of access control mechanisms supported by this directory server'
-     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
-
-attributetype ( aCIMechanismOID NAME 'aCIMechanism'
-     DESC 'list of access control mechanism supported in this subtree'
-     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
-
 # LDAP Subschema Atrribute from RFC2252
 
 attributetype ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes'
@@ -588,3 +580,20 @@ objectclass ( 1.3.6.1.4.1.4203.666.3.2
 	NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' )
 	DESC 'OpenLDAP Root DSE object'
 	SUP top STRUCTURAL MAY cn )
+
+#
+# IETF LDAPext WG Access Control Model
+#	likely to change!
+attributetype ( supportedACIMechanismsOID NAME 'supportedACIMechanisms'
+     DESC 'list of access control mechanisms supported by this directory server'
+     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
+
+attributetype ( aCIMechanismOID NAME 'aCIMechanism'
+     DESC 'list of access control mechanism supported in this subtree'
+     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
+
+attributetype ( ldapACIOID NAME 'ldapACI'
+	DESC 'LDAP access control information'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	USAGE directoryOperation )

servers/slapd/schema_init.c

@@ -16,8 +16,9 @@
 #include "slap.h"
 #include "ldap_pvt.h"
 
+#define berValidate blobValidate
 static int
-octetStringValidate(
+blobValidate(
 	Syntax *syntax,
 	struct berval *in )
 {
@@ -150,18 +151,21 @@ IA5StringConvert(
 	struct berval *in,
 	struct berval **out )
 {
-	ber_len_t i;
+	ldap_unicode_t *u;
+	ber_len_t i, len = in->bv_len;
 	struct berval *bv = ch_malloc( sizeof(struct berval) );
-	bv->bv_len = (in->bv_len+1) * sizeof( ldap_unicode_t );
-	bv->bv_val = ch_malloc( bv->bv_len );
 
-	for(i=0; i < in->bv_len; i++ ) {
+	bv->bv_len = len * sizeof( ldap_unicode_t );
+	bv->bv_val = (char *) u = ch_malloc( bv->bv_len + sizeof( ldap_unicode_t ) );;
+
+	for(i=0; i < len; i++ ) {
 		/*
 		 * IA5StringValidate should have been called to ensure
 		 * input is limited to IA5.
 		 */
-		bv->bv_val[i] = in->bv_val[i];
+		u[i] = in->bv_val[i];
 	}
+	u[i] = 0;
 
 	*out = bv;
 	return 0;
@@ -269,27 +273,33 @@ struct syntax_defs_rec {
 	slap_syntax_transform_func *sd_str2ber;
 };
 
+#define X_BINARY ""
+#define X_NOT_H_R ""
+
 struct syntax_defs_rec syntax_defs[] = {
-	{"( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' " X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' " X_NOT_H_R ")",
+		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' " X_NOT_H_R ")",
+		SLAP_SYNTAX_BLOB, blobValidate, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' " X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BER, berValidate, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' "
+		X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' "
+		X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair'
+		" X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )",
@@ -312,8 +322,8 @@ struct syntax_defs_rec syntax_defs[] = {
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' " X_NOT_H_R ")",
+		SLAP_SYNTAX_BLOB, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )",
@@ -322,8 +332,8 @@ struct syntax_defs_rec syntax_defs[] = {
 		0, IA5StringValidate, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'Integer' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' " X_NOT_H_R ")",
+		SLAP_SYNTAX_BLOB, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.29 DESC 'Master And Shadow Access Points' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Description' )",
@@ -347,7 +357,7 @@ struct syntax_defs_rec syntax_defs[] = {
 	{"( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )",
-		0, octetStringValidate, NULL, NULL},
+		NULL, blobValidate, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.42 DESC 'Protocol Information' )",
@@ -356,8 +366,9 @@ struct syntax_defs_rec syntax_defs[] = {
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' )",
-		SLAP_SYNTAX_BINARY, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' "
+		X_BINARY X_NOT_H_R ")",
+		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )",
 		0, NULL, NULL, NULL},
 	{"( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )",

servers/slapd/slap.h

@@ -105,7 +105,7 @@ LIBSLAPD_F (int) slap_debug;
 #define SLAP_INDEX_PRESENCE      0x0001U
 #define SLAP_INDEX_EQUALITY      0x0002U
 #define SLAP_INDEX_APPROX        0x0004U
-#define SLAP_INDEX_SUB           0x0008U
+#define SLAP_INDEX_SUBSTR        0x0008U
 #define SLAP_INDEX_EXTENDED		 0x0010U
 #define SLAP_INDEX_UNDEFINED     0x1000U
 #define SLAP_INDEX_FROMINIT      0x8000U	/* psuedo type */
@@ -147,22 +147,32 @@ typedef int slap_syntax_transform_func LDAP_P((
 
 typedef struct slap_syntax {
 	LDAP_SYNTAX			ssyn_syn;
+#define ssyn_oid		ssyn_syn.syn_oid
+#define ssyn_desc		ssyn_syn.syn_desc
+
 	unsigned	ssyn_flags;
 
 #define SLAP_SYNTAX_NONE	0x0U
-#define SLAP_SYNTAX_BINARY	0x1U
+#define SLAP_SYNTAX_BLOB	0x1U /* syntax treated as blob (audio) */
+#define SLAP_SYNTAX_BINARY	0x2U /* binary transfer required (certificate) */
+#define SLAP_SYNTAX_BER		0x4U /* stored using BER encoding (binary,certificate) */
 
 	slap_syntax_validate_func	*ssyn_validate;
 
+#ifdef SLAPD_BINARY_CONVERSION
 	/* convert to and from binary */
 	slap_syntax_transform_func	*ssyn_ber2str;
 	slap_syntax_transform_func	*ssyn_str2ber;
+#endif
 
 	struct slap_syntax		*ssyn_next;
-#define ssyn_oid			ssyn_syn.syn_oid
-#define ssyn_desc			ssyn_syn.syn_desc
 } Syntax;
 
+#define slap_syntax_is_flag(s,flag) ((int)((s)->ssyn_flags & (flag)) ? 1 : 0)
+#define slap_syntax_is_blob(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BLOB)
+#define slap_syntax_is_binary(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_BINARY)
+#define slap_syntax_is_ber(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
+
 /* XXX -> UCS-2 Converter */
 typedef int slap_mr_convert_func LDAP_P((
 	struct berval * in,
@@ -211,14 +221,15 @@ typedef struct slap_matching_rule {
 
 #define SLAP_MR_NONE			0x0000U
 #define SLAP_MR_EQUALITY		0x0100U
-#define SLAP_MR_APPROX			0x0200U
-#define SLAP_MR_ORDERING		0x0400U
-#define SLAP_MR_SUBSTR			0x0800U
-#define SLAP_MR_EXT				0x1000U
+#define SLAP_MR_ORDERING		0x0200U
+#define SLAP_MR_SUBSTR			0x0400U
+#define SLAP_MR_EXT				0x0800U
 
-#define SLAP_MR_SUBSTR_INITIAL	(SLAP_MR_SUBSTR | 0x0001U )
-#define SLAP_MR_SUBSTR_ANY		(SLAP_MR_SUBSTR | 0x0002U )
-#define SLAP_MR_SUBSTR_FINAL	(SLAP_MR_SUBSTR | 0x0004U )
+#define SLAP_MR_EQUALITY_APPROX	( SLAP_MR_EQUALITY | 0x0001U )
+
+#define SLAP_MR_SUBSTR_INITIAL	( SLAP_MR_SUBSTR | 0x0001U )
+#define SLAP_MR_SUBSTR_ANY		( SLAP_MR_SUBSTR | 0x0002U )
+#define SLAP_MR_SUBSTR_FINAL	( SLAP_MR_SUBSTR | 0x0004U )
 
 	Syntax					*smr_syntax;
 	slap_mr_convert_func	*smr_convert;
@@ -300,6 +311,8 @@ typedef struct slap_attr_desc {
 #define SLAP_DESC_BINARY	0x1U
 } AttributeDescription;
 
+#define slap_ad_is_binary(ad)	( (int)((ad)->ad_flags & SLAP_DESC_BINARY) ? 1 : 0 )
+
 /*
  * pointers to schema elements used internally
  */

servers/slapd/syntax.c

@@ -102,7 +102,7 @@ syn_insert(
 int
 syn_add(
     LDAP_SYNTAX		*syn,
-	int flags,
+	unsigned flags,
     slap_syntax_validate_func	*validate,
     slap_syntax_transform_func	*ber2str,
     slap_syntax_transform_func	*str2ber,
@@ -113,20 +113,27 @@ syn_add(
 	int		code;
 
 	ssyn = (Syntax *) ch_calloc( 1, sizeof(Syntax) );
-	memcpy( &ssyn->ssyn_syn, syn, sizeof(LDAP_SYNTAX));
+
+	memcpy( &ssyn->ssyn_syn, syn, sizeof(LDAP_SYNTAX) );
+
+	ssyn->ssyn_next = NULL;
 
 	ssyn->ssyn_flags = flags;
 	ssyn->ssyn_validate = validate;
+
+#ifdef SLAPD_BINARY_CONVERSION
 	ssyn->ssyn_ber2str = ber2str;
 	ssyn->ssyn_str2ber = str2ber;
+#endif
 
-	code = syn_insert(ssyn,err);
+	code = syn_insert(ssyn, err);
 	return code;
 }
 
 int
 register_syntax(
-	char * desc, int flags,
+	char * desc,
+	unsigned flags,
 	slap_syntax_validate_func *validate,
 	slap_syntax_transform_func *ber2str,
 	slap_syntax_transform_func *str2ber )

servers/slapd/value.c

@@ -92,10 +92,51 @@ int
 value_normalize(
 	AttributeDescription *ad,
 	unsigned usage,
-	struct berval *val,
+	struct berval *in,
+	struct berval **out,
 	char **text )
 {
-	/* not yet implemented */
+	int rc;
+	MatchingRule *mr;
+
+	switch( usage & SLAP_MR_TYPE_MASK ) {
+	case SLAP_MR_NONE:
+	case SLAP_MR_EQUALITY:
+		mr = ad->ad_type->sat_equality;
+		break;
+	case SLAP_MR_ORDERING:
+		mr = ad->ad_type->sat_ordering;
+		break;
+	case SLAP_MR_SUBSTR:
+		mr = ad->ad_type->sat_substr;
+		break;
+	case SLAP_MR_EXT:
+	default:
+		assert( 0 );
+		*text = "internal error";
+		return LDAP_OTHER;
+	}
+
+	if( mr == NULL ) {
+		*text = "inappropriate matching request";
+		return LDAP_INAPPROPRIATE_MATCHING;
+	}
+
+	/* we only support equality matching of binary attributes */
+	if( slap_ad_is_binary( ad ) && usage != SLAP_MR_EQUALITY ) {
+		*text = "inappropriate binary matching";
+		return LDAP_INAPPROPRIATE_MATCHING;
+	}
+
+	rc = (mr->smr_normalize)( usage,
+		ad->ad_type->sat_syntax,
+		mr, in, out );
+
+	if( rc != LDAP_SUCCESS ) {
+		*text = "unable to normalize value";
+		return LDAP_INVALID_SYNTAX;
+	}
+
 	return LDAP_SUCCESS;
 }