Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT

plus these changes unhidden changes:
	remove now meaning --enable-discreteaci configure option
	fix ITS#451, slapd filters
	Add ber_bvecadd() to support above
	constify ldap_pvt_find_wildcard() and misc slapd routines
	renamed some slap.h macros
	likely broken something

configure.in

@@ -141,7 +141,6 @@ OL_ARG_ENABLE(phonetic,[    --enable-phonetic	enable phonetic/soundex], no)dnl
 OL_ARG_ENABLE(quipu,[    --enable-quipu	build quipu migration tools], no)dnl
 OL_ARG_ENABLE(rlookups,[    --enable-rlookups	enable reverse lookups], auto)dnl
 OL_ARG_ENABLE(aci,[    --enable-aci	enable per-object ACIs], no)dnl
-OL_ARG_ENABLE(discreteaci,[    --enable-discreteaci	enable discrete rights in ACIs], no)dnl
 OL_ARG_ENABLE(wrappers,[    --enable-wrappers	enable tcp wrapper support], no)dnl
 OL_ARG_ENABLE(dynamic,[    --enable-dynamic	enable linking built binaries with dynamic libs], no)dnl
 
@@ -242,9 +241,6 @@ if test $ol_enable_slapd = no ; then
 	if test $ol_enable_aci = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument])
 	fi
-	if test $ol_enable_discreteaci = yes ; then
-		AC_MSG_WARN([slapd disabled, ignoring --enable-discreteaci argument])
-	fi
 	if test $ol_with_ldbm_api != auto ; then
 		AC_MSG_WARN([slapd disabled, ignoring --with-ldbm-api argument])
 	fi
@@ -291,7 +287,6 @@ if test $ol_enable_slapd = no ; then
 	ol_enable_quipu=no
 	ol_enable_rlookups=no
 	ol_enable_aci=no
-	ol_enable_discreteaci=no
 	ol_enable_wrappers=no
 	ol_enable_dynamic=no
 
@@ -2206,9 +2201,6 @@ fi
 if test "$ol_enable_aci" != no ; then
 	AC_DEFINE(SLAPD_ACI_ENABLED,1,[define to support per-object ACIs])
 fi
-if test "$ol_enable_discreteaci" != no ; then
-	AC_DEFINE(SLAPD_ACI_DISCRETE_RIGHTS,1,[define to support discrete rights in ACIs])
-fi
 
 if test "$ol_link_modules" != no ; then
 	AC_DEFINE(SLAPD_MODULES,1,[define to support modules])

include/lber.h

@@ -466,6 +466,11 @@ LIBLBER_F( void )
 ber_bvecfree LDAP_P((
 	struct berval **bv ));
 
+LIBLBER_F( int )
+ber_bvecadd LDAP_P((
+	struct berval ***bvec,
+	struct berval *bv ));
+
 LIBLBER_F( struct berval * )
 ber_bvdup LDAP_P((
 	LDAP_CONST struct berval *bv ));

include/ldap_pvt.h

@@ -119,7 +119,7 @@ LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONS
 
 /* search.c */
 LIBLDAP_F( char * )
-ldap_pvt_find_wildcard LDAP_P((	char *s ));
+ldap_pvt_find_wildcard LDAP_P((	const char *s ));
 
 LIBLDAP_F( ber_slen_t )
 ldap_pvt_filter_value_unescape LDAP_P(( char *filter ));

include/portable.h.in

@@ -886,9 +886,6 @@
 /* define to support per-object ACIs */
 #undef SLAPD_ACI_ENABLED
 
-/* define to support discrete rights in ACIs */
-#undef SLAPD_ACI_DISCRETE_RIGHTS
-
 /* define to support modules */
 #undef SLAPD_MODULES
 

libraries/liblber/memory.c

@@ -270,6 +270,57 @@ ber_bvecfree( struct berval **bv )
 	LBER_FREE( (char *) bv );
 }
 
+int
+ber_bvecadd( struct berval ***bvec, struct berval *bv )
+{
+	ber_len_t i;
+	struct berval **new;
+
+	ber_int_options.lbo_valid = LBER_INITIALIZED;
+
+	if( bvec == NULL ) {
+		if( bv == NULL ) {
+			/* nothing to add */
+			return 0;
+		}
+
+		*bvec = ber_memalloc( 2 * sizeof(struct berval *) );
+
+		if( *bvec == NULL ) {
+			return -1;
+		}
+
+		(*bvec)[0] = bv;
+		(*bvec)[1] = NULL;
+
+		return 1;
+	}
+
+	BER_MEM_VALID( bvec );
+
+	/* count entries */
+	for ( i = 0; bvec[i] != NULL; i++ ) {
+		/* EMPTY */;
+	}
+
+	if( bv == NULL ) {
+		return i;
+	}
+
+	new = ber_memrealloc( *bvec, (i+2) * sizeof(struct berval *));
+
+	if( new == NULL ) {
+		return -1;
+	}
+
+	*bvec = new;
+
+	(*bvec)[i++] = bv;
+	(*bvec)[i] = NULL;
+
+	return i;
+}
+
 
 struct berval *
 ber_bvdup(

libraries/libldap/search.c

@@ -424,12 +424,12 @@ static int hex2value( int c )
 }
 
 char *
-ldap_pvt_find_wildcard( char *s )
+ldap_pvt_find_wildcard( const char *s )
 {
 	for( ; *s != '\0' ; s++ ) {
 		switch( *s ) {
 		case '*':	/* found wildcard */
-			return s;
+			return (char *) s;
 
 		case '\\':
 			s++; /* skip over escape */

servers/slapd/acl.c

@@ -18,20 +18,37 @@
 static AccessControl * acl_get(
 	AccessControl *ac, int *count,
 	Backend *be, Operation *op,
-	Entry *e, char *attr,
+	Entry *e,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType *type,
+#else
+	const char *attr,
+#endif
 	int nmatches, regmatch_t *matches );
 
 static slap_control_t acl_mask(
 	AccessControl *ac, slap_access_mask_t *mask,
 	Backend *be, Connection *conn, Operation *op,
-	Entry *e, char *attr, struct berval *val,
+	Entry *e,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType *type,
+#else
+	const char *attr,
+#endif
+	struct berval *val,
 	regmatch_t *matches );
 
 #ifdef SLAPD_ACI_ENABLED
 static int aci_mask(
 	Backend *be,
 	Operation *op,
-	Entry *e, char *attr, struct berval *val, struct berval *aci,
+	Entry *e,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType *type,
+#else
+	const char *attr,
+#endif
+	struct berval *val, struct berval *aci,
 	regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
 
 char *supportedACIMechs[] = {
@@ -41,8 +58,10 @@ char *supportedACIMechs[] = {
 };
 #endif
 
-static int	regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
-static void	string_expand(char *newbuf, int bufsiz, char *pattern,
+static int	regex_matches(
+	char *pat, char *str, char *buf, regmatch_t *matches);
+static void	string_expand(
+	char *newbuf, int bufsiz, char *pattern,
 	char *match, regmatch_t *matches);
 
 
@@ -67,10 +86,13 @@ access_allowed(
     Connection		*conn,
     Operation		*op,
     Entry		*e,
-    char		*attr,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType	*attr,
+#else
+    const char		*attr,
+#endif
     struct berval	*val,
-    slap_access_t	access
-)
+    slap_access_t	access )
 {
 	int				count;
 	AccessControl	*a;
@@ -105,7 +127,12 @@ access_allowed(
 	 * by ACL_WRITE checking as any found here are not provided
 	 * by the user
 	 */
-	if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	if ( access >= ACL_WRITE && is_at_no_user_mod( attr ) )
+#else
+	if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
+#endif
+	{
  		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
 			" %s access granted\n",
 			attr, 0, 0 );
@@ -202,10 +229,13 @@ acl_get(
     Backend		*be,
     Operation	*op,
     Entry		*e,
-    char		*attr,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType *attr,
+#else
+    const char	*attr,
+#endif
     int			nmatch,
-    regmatch_t	*matches
-)
+    regmatch_t	*matches )
 {
 	assert( e != NULL );
 	assert( count != NULL );
@@ -282,7 +312,11 @@ acl_mask(
     Connection	*conn,
     Operation	*op,
     Entry		*e,
-    char		*attr,
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	AttributeType *attr,
+#else
+    const char	*attr,
+#endif
     struct berval	*val,
 	regmatch_t	*matches
 )
@@ -398,7 +432,6 @@ acl_mask(
 		}
 
 		if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
-			char *dn_at;
 			Attribute	*at;
 			struct berval	bv;
 
@@ -408,14 +441,8 @@ acl_mask(
 			bv.bv_val = op->o_ndn;
 			bv.bv_len = strlen( bv.bv_val );
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-			dn_at = at_canonical_name( b->a_dn_at );
-#else
-			dn_at = b->a_dn_at;
-#endif
-
 			/* see if asker is listed in dnattr */ 
-			if ( (at = attr_find( e->e_attrs, dn_at )) != NULL
+			if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 				/* not yet implemented */
 #else
@@ -714,7 +741,7 @@ acl_check_modlist(
 
 #ifdef SLAPD_ACI_ENABLED
 static char *
-aci_bvstrdup (struct berval *bv)
+aci_bvstrdup( struct berval *bv )
 {
 	char *s;
 
@@ -727,7 +754,9 @@ aci_bvstrdup (struct berval *bv)
 }
 
 static int
-aci_strbvcmp (char *s, struct berval *bv)
+aci_strbvcmp(
+	const char *s,
+	struct berval *bv )
 {
 	int res, len;
 
@@ -743,7 +772,11 @@ aci_strbvcmp (char *s, struct berval *bv)
 }
 
 static int
-aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
+aci_get_part(
+	struct berval *list,
+	int ix,
+	char sep,
+	struct berval *bv )
 {
 	int len;
 	char *p;
@@ -778,8 +811,8 @@ aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
 }
 
 static int
-aci_list_map_rights (
-	struct berval *list)
+aci_list_map_rights(
+	struct berval *list )
 {
 	struct berval bv;
 	slap_access_t mask;
@@ -823,7 +856,10 @@ aci_list_map_rights (
 }
 
 static int
-aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
+aci_list_has_attr(
+	struct berval *list,
+	const char *attr,
+	struct berval *val )
 {
 	struct berval bv, left, right;
 	int i;
@@ -869,7 +905,10 @@ aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
 }
 
 static slap_access_t
-aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
+aci_list_get_attr_rights(
+	struct berval *list,
+	const char *attr,
+	struct berval *val )
 {
     struct berval bv;
     slap_access_t mask;
@@ -888,12 +927,12 @@ aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
 }
 
 static int
-aci_list_get_rights (
+aci_list_get_rights(
 	struct berval *list,
-	char *attr,
+	const char *attr,
 	struct berval *val,
 	slap_access_t *grant,
-	slap_access_t *deny)
+	slap_access_t *deny )
 {
     struct berval perm, actn;
     slap_access_t *mask;
@@ -974,11 +1013,11 @@ aci_group_member (
 }
 
 static int
-aci_mask (
+aci_mask(
     Backend			*be,
     Operation		*op,
     Entry			*e,
-    char			*attr,
+    const char		*attr,
     struct berval	*val,
     struct berval	*aci,
 	regmatch_t		*matches,
@@ -1063,8 +1102,12 @@ aci_mask (
 			bv.bv_val = op->o_ndn;
 			bv.bv_len = strlen( bv.bv_val );
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			/* not yet implemented */
+#else
 			if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
 				return(1);
+#endif
 		}
 
 	} else if (aci_strbvcmp( "group", &bv ) == 0) {
@@ -1080,7 +1123,8 @@ aci_mask (
 }
 
 char *
-get_supported_acimech (int index)
+get_supported_acimech(
+	int index )
 {
 	if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
 		return(NULL);

servers/slapd/aclparse.c

@@ -1,4 +1,4 @@
-/* acl.c - routines to parse and check acl's */
+/* aclparse.c - routines to parse and check acl's */
 /* $OpenLDAP$ */
 /*
  * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
@@ -95,6 +95,12 @@ parse_acl(
 	char		*left, *right;
 	AccessControl	*a;
 	Access	*b;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	int rc;
+	char *text;
+	static AttributeDescription *member = NULL;
+	static AttributeDescription *aci = NULL;
+#endif
 
 	a = NULL;
 	for ( i = 1; i < argc; i++ ) {
@@ -321,17 +327,17 @@ parse_acl(
 					}
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-					b->a_dn_at = at_find( right );
+					rc = slap_str2ad( right, &b->a_dn_at, &text );
 
-					if( b->a_dn_at == NULL ) {
+					if( rc != LDAP_SUCCESS ) {
 						fprintf( stderr,
-							"%s: line %d: dnattr attribute type undefined.\n",
-							fname, lineno );
+							"%s: line %d: dnattr \"%s\": %s\n",
+							fname, lineno, right, text );
 						acl_usage();
 					}
 
 #ifdef SLAPD_OID_DN_SYNTAX
-					if( strcmp( b->a_dn_at->sat_syntax_oid,
+					if( strcmp( b->a_dn_at->ad_type->sat_syntax_oid,
 						SLAPD_OID_DN_SYNTAX ) != 0 )
 					{
 						fprintf( stderr,
@@ -379,7 +385,14 @@ parse_acl(
 
 					if (name && *name) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-						b->a_group_at = at_find( name );
+						rc = slap_str2ad( right, &b->a_group_at, &text );
+
+						if( rc != LDAP_SUCCESS ) {
+							fprintf( stderr,
+								"%s: line %d: group \"%s\": %s\n",
+								fname, lineno, right, text );
+							acl_usage();
+						}
 #else
 						b->a_group_at = ch_strdup(name);
 #endif
@@ -387,7 +400,7 @@ parse_acl(
 
 					} else {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-						b->a_group_at = at_find("member");
+						b->a_group_at = member;
 #else
 						b->a_group_at = ch_strdup("member");
 #endif
@@ -402,7 +415,7 @@ parse_acl(
 					}
 
 #ifdef SLAPD_OID_DN_SYNTAX
-					if( strcmp( b->a_group_at->sat_syntax_oid,
+					if( strcmp( b->a_group_at->ad_type->sat_syntax_oid,
 						SLAPD_OID_DN_SYNTAX ) != 0 )
 					{
 						fprintf( stderr,
@@ -478,9 +491,16 @@ parse_acl(
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 					if ( right != NULL && *right != '\0' ) {
-						b->a_aci_at = at_find( right );
+						rc = slap_str2ad( right, &b->a_aci_at, &text );
+
+						if( rc != LDAP_SUCCESS ) {
+							fprintf( stderr,
+								"%s: line %d: aci \"%s\": %s\n",
+								fname, lineno, right, text );
+							acl_usage();
+						}
 					} else {
-						b->a_aci_at = at_find( SLAPD_ACI_DEFAULT_ATTR );
+						b->a_aci_at = aci;
 					}
 
 					if( b->a_aci_at == NULL ) {
@@ -490,7 +510,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( strcmp( b->a_aci_at->sat_syntax_oid,
+					if( strcmp( b->a_aci_at->ad_type->sat_syntax_oid,
 						SLAPD_OID_ACI_SYNTAX ) != 0 )
 					{
 						fprintf( stderr,

servers/slapd/ad.c

@@ -20,6 +20,35 @@
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 
+static int ad_keystring(
+	struct berval *bv )
+{
+	ber_len_t i;
+
+	if( !AD_CHAR( bv->bv_val[0] ) ) {
+		return 1;
+	}
+
+	for( i=1; i<bv->bv_len; i++ ) {
+		if( !AD_CHAR( bv->bv_val[i] ) ) {
+			return 1;
+		}
+	}
+	return 0;
+}
+
+int slap_str2ad(
+	const char *str,
+	AttributeDescription **ad,
+	char **text )
+{
+	struct berval bv;
+	bv.bv_val = (char *) str;
+	bv.bv_len = strlen( str );
+
+	return slap_bv2ad( &bv, ad, text );
+}
+
 int slap_bv2ad(
 	struct berval *bv,
 	AttributeDescription **ad,
@@ -39,8 +68,8 @@ int slap_bv2ad(
 	}
 
 	/* make sure description is IA5 */
-	if( IA5StringValidate( NULL, bv ) != 0 ) {
-		*text = "attribute description contains non-IA5 characters";
+	if( ad_keystring( bv ) ) {
+		*text = "attribute description contains inappropriate characters";
 		return LDAP_UNDEFINED_TYPE;
 	}
 

servers/slapd/at.c

@@ -65,7 +65,7 @@ attr_syntax( const char *type )
  */
 
 void
-attr_syntax_config(
+at_config(
     const char	*fname,
     int		lineno,
     int		argc,
@@ -166,7 +166,7 @@ at_fake_if_needed(
 		argv[0] = (char*) name;
 		argv[1] = "cis";
 		argv[2] = NULL;
-		attr_syntax_config( "implicit", 0, 2, argv );
+		at_config( "implicit", 0, 2, argv );
 		return 0;
 	}
 }

servers/slapd/attr.c

@@ -30,7 +30,6 @@ void
 attr_free( Attribute *a )
 {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
 	ad_free( &a->a_desc, 0 );
 #else
 	free( a->a_type );
@@ -80,7 +79,6 @@ Attribute *attr_dup( Attribute *a )
 	}
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
 	tmp->a_desc = a->a_desc;
 	tmp->a_desc.ad_cname = ber_bvdup( a->a_desc.ad_cname );
 	tmp->a_desc.ad_lang = ch_strdup( a->a_desc.ad_lang );
@@ -183,8 +181,7 @@ int
 attr_merge(
     Entry		*e,
     const char		*type,
-    struct berval	**vals
-)
+    struct berval	**vals )
 {
 	Attribute	**a;
 

servers/slapd/back-ldbm/add.c

@@ -30,6 +30,13 @@ ldbm_back_add(
 	int			rootlock = 0;
 	int			rc; 
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *children = NULL;
+#else
+	static const char *children = "children";
+#endif
+
+
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
 
 	/* nobody else can add until we lock our parent */
@@ -109,7 +116,7 @@ ldbm_back_add(
 		free(pdn);
 
 		if ( ! access_allowed( be, conn, op, p,
-			"children", NULL, ACL_WRITE ) )
+			children, NULL, ACL_WRITE ) )
 		{
 			/* free parent and writer lock */
 			cache_return_entry_w( &li->li_cache, p ); 

servers/slapd/back-ldbm/alias.c

@@ -215,7 +215,14 @@ static char* get_alias_dn(
 	int *err,
 	char **errmsg )
 {	
-	Attribute *a = attr_find( e->e_attrs, "aliasedobjectname" );
+	Attribute *a;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *aliasedObjectName = NULL;
+#else
+	static const char *aliasedObjectName = NULL;
+#endif
+
+	a = attr_find( e->e_attrs, aliasedObjectName );
 
 	if( a == NULL ) {
 		/*

servers/slapd/back-ldbm/bind.c

@@ -41,6 +41,14 @@ ldbm_back_bind(
 	AUTH_DAT	ad;
 #endif
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *userPassword = NULL;
+	static AttributeDescription *entry = NULL;
+#else
+	static const char *userPassword = "userpassword";
+	static const char *entry = "entry";
+#endif
+
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
 
 	*edn = NULL;
@@ -120,7 +128,7 @@ ldbm_back_bind(
 	/* check for deleted */
 
 	if ( ! access_allowed( be, conn, op, e,
-		"entry", NULL, ACL_AUTH ) )
+		entry, NULL, ACL_AUTH ) )
 	{
 		send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
 			NULL, NULL, NULL, NULL );
@@ -184,7 +192,7 @@ ldbm_back_bind(
 		}
 
 		if ( ! access_allowed( be, conn, op, e,
-			"userpassword", NULL, ACL_AUTH ) )
+			userPassword, NULL, ACL_AUTH ) )
 		{
 			send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
 				NULL, NULL, NULL, NULL );
@@ -192,7 +200,7 @@ ldbm_back_bind(
 			goto return_results;
 		}
 
-		if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
+		if ( (a = attr_find( e->e_attrs, userPassword )) == NULL ) {
 			send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
 			    NULL, NULL, NULL, NULL );
 

servers/slapd/back-ldbm/compare.c

@@ -82,7 +82,7 @@ ldbm_back_compare(
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	if ( ! access_allowed( be, conn, op, e,
-		ava->aa_desc->ad_type->sat_cname, ava->aa_value, ACL_COMPARE ) )
+		ava->aa_desc, ava->aa_value, ACL_COMPARE ) )
 #else
 	if ( ! access_allowed( be, conn, op, e,
 		ava->ava_type, &ava->ava_value, ACL_COMPARE ) )
@@ -95,7 +95,7 @@ ldbm_back_compare(
 	}
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	if ( (a = attr_find( e->e_attrs, ava->aa_desc->ad_cname->bv_val )) == NULL )
+	if ( (a = attr_find( e->e_attrs, ava->aa_desc )) == NULL )
 #else
 	if ( (a = attr_find( e->e_attrs, ava->ava_type )) == NULL )
 #endif

servers/slapd/back-ldbm/delete.c

@@ -32,6 +32,11 @@ ldbm_back_delete(
 	int rootlock = 0;
 	int	rc = -1;
 	int		manageDSAit = get_manageDSAit( op );
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *children = NULL;
+#else
+	static const char *children = "children";
+#endif
 
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_delete: %s\n", dn, 0, 0);
 
@@ -117,7 +122,7 @@ ldbm_back_delete(
 
 		/* check parent for "children" acl */
 		if ( ! access_allowed( be, conn, op, p,
-			"children", NULL, ACL_WRITE ) )
+			children, NULL, ACL_WRITE ) )
 		{
 			Debug( LDAP_DEBUG_TRACE,
 				"<=- ldbm_back_delete: no access to parent\n", 0,

servers/slapd/back-ldbm/external.h

@@ -76,7 +76,8 @@ extern int	ldbm_back_abandon LDAP_P(( BackendDB *bd,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 extern int	ldbm_back_group LDAP_P(( BackendDB *bd,
 	Entry *target, const char* gr_ndn, const char* op_ndn,
-	const char* objectclassValue, AttributeType* group_at));
+	const char* objectclassValue,
+	AttributeDescription* group_at));
 #else
 extern int	ldbm_back_group LDAP_P(( BackendDB *bd,
 	Entry *target, const char* gr_ndn, const char* op_ndn,

servers/slapd/back-ldbm/group.c

@@ -29,21 +29,24 @@ ldbm_back_group(
 	const char	*op_ndn,
 	const char	*objectclassValue,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeType *group_at
+	AttributeDescription *group_at
 #else
-	const char	*groupattrName
+	const char	*group_at
 #endif
 )
 {
 	struct ldbminfo *li = (struct ldbminfo *) be->be_private;    
 	Entry        *e;
 	int          rc = 1;
-
 	Attribute   *attr;
-	struct berval bv;
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	char *groupattrName = at_canonical_name( group_at );
+	static AttributeDescription *objectClass = NULL;
+	const char *groupattrName = group_at->ad_cname->bv_val;
+#else
+	struct berval bv;
+	const char *objectClass = "objectclass";
+	const char *groupattrName = group_at;
 #endif
 
 	Debug( LDAP_DEBUG_ARGS,
@@ -88,16 +91,16 @@ ldbm_back_group(
         
 	rc = 1;
         
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
-#else
-
-	if ((attr = attr_find(e->e_attrs, "objectclass")) == NULL)  {
+	if ((attr = attr_find(e->e_attrs, objectClass)) == NULL)  {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
 		goto return_results;
 	}
 	
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	/* not yet implemented */
+#else
+
 	bv.bv_val = "ALIAS";
 	bv.bv_len = sizeof("ALIAS")-1;
 
@@ -127,7 +130,7 @@ ldbm_back_group(
 		goto return_results;
 	}
 
-	if ((attr = attr_find(e->e_attrs, groupattrName)) == NULL) {
+	if ((attr = attr_find(e->e_attrs, group_at)) == NULL) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: failed to find %s\n",
 			groupattrName, 0, 0 ); 
@@ -148,13 +151,13 @@ ldbm_back_group(
 			op_ndn, gr_ndn, groupattrName ); 
 		goto return_results;
 	}
+#endif
 
 	Debug( LDAP_DEBUG_ACL,
 		"<= ldbm_back_group: \"%s\" is in \"%s\": %s\n", 
 		op_ndn, gr_ndn, groupattrName ); 
 
 	rc = 0;
-#endif
 
 return_results:
 	if( target != e ) {

servers/slapd/back-ldbm/modify.c

@@ -17,6 +17,10 @@
 #include "back-ldbm.h"
 #include "proto-back-ldbm.h"
 
+static int add_values LDAP_P(( Entry *e, Modification *mod, char *dn ));
+static int delete_values LDAP_P(( Entry *e, Modification *mod, char *dn ));
+static int replace_values LDAP_P(( Entry *e, Modification *mod, char *dn ));
+
 /* We need this function because of LDAP modrdn. If we do not 
  * add this there would be a bunch of code replication here 
  * and there and of course the likelihood of bugs increases.
@@ -33,9 +37,8 @@ int ldbm_modify_internal(
 )
 {
 	int err;
-	LDAPMod		*mod;
+	Modification	*mod;
 	Modifications	*ml;
-	Attribute	*a;
 	Attribute	*save_attrs;
 
 	if ( !acl_check_modlist( be, conn, op, e, modlist )) {
@@ -48,7 +51,12 @@ int ldbm_modify_internal(
 	for ( ml = modlist; ml != NULL; ml = ml->ml_next ) {
 		mod = &ml->ml_mod;
 
-		switch ( mod->mod_op ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		switch ( mod->sm_op )
+#else
+		switch ( mod->mod_op )
+#endif
+		{
 		case LDAP_MOD_ADD:
 			err = add_values( e, mod, op->o_ndn );
 			break;
@@ -65,12 +73,19 @@ int ldbm_modify_internal(
  			/* Avoid problems in index_add_mods()
  			 * We need to add index if necessary.
  			 */
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+ 			mod->sm_op = LDAP_MOD_ADD;
+#else
  			mod->mod_op = LDAP_MOD_ADD;
- 			if ( (err = add_values( e, mod, op->o_ndn ))
- 				==  LDAP_TYPE_OR_VALUE_EXISTS ) {
- 
+#endif
+			err = add_values( e, mod, op->o_ndn );
+ 			if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
  				err = LDAP_SUCCESS;
- 				mod->mod_op = SLAP_MOD_SOFTADD;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+				mod->sm_op = SLAP_MOD_SOFTADD;
+#else
+				mod->mod_op = SLAP_MOD_SOFTADD;
+#endif
  
  			}
  			break;
@@ -116,9 +131,17 @@ int ldbm_modify_internal(
 	if( save_attrs != NULL ) {
 		for ( ml = modlist; ml != NULL; ml = ml->ml_next ) {
 			mod = &ml->ml_mod;
-			if ( mod->mod_op == LDAP_MOD_REPLACE ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			if ( mod->sm_op == LDAP_MOD_REPLACE )
+#else
+			if ( mod->mod_op == LDAP_MOD_REPLACE )
+#endif
+			{
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+				/* not yet implemented */
+#else
 				/* Need to remove all values from indexes */
-				a = attr_find( save_attrs, mod->mod_type );
+				Attribute *a = attr_find( save_attrs, mod->mod_type );
 
 				if( a != NULL ) {
 					(void) index_change_values( be,
@@ -127,6 +150,7 @@ int ldbm_modify_internal(
 						e->e_id,
 						SLAP_INDEX_DELETE_OP);
 				}
+#endif
 			}
 		}
 		attrs_free( save_attrs );
@@ -233,27 +257,26 @@ error_return:;
 	return( -1 );
 }
 
-int
+static int
 add_values(
     Entry	*e,
-    LDAPMod	*mod,
+    Modification	*mod,
     char	*dn
 )
 {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	/* not yet implemented */
+#else
 	int		i;
 	Attribute	*a;
 
 	/* check if the values we're adding already exist */
 	if ( (a = attr_find( e->e_attrs, mod->mod_type )) != NULL ) {
 		for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) {
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
-#else
 			if ( value_find( a->a_vals, mod->mod_bvalues[i],
 			    a->a_syntax, 3 ) == 0 ) {
 				return( LDAP_TYPE_OR_VALUE_EXISTS );
 			}
-#endif
 		}
 	}
 
@@ -261,17 +284,21 @@ add_values(
 	if( attr_merge( e, mod->mod_type, mod->mod_bvalues ) != 0 ) {
 		return( LDAP_CONSTRAINT_VIOLATION );
 	}
+#endif
 
 	return( LDAP_SUCCESS );
 }
 
-int
+static int
 delete_values(
     Entry	*e,
-    LDAPMod	*mod,
+    Modification	*mod,
     char	*dn
 )
 {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	/* not yet implemented */
+#else
 	int		i, j, k, found;
 	Attribute	*a;
 
@@ -294,14 +321,10 @@ delete_values(
 	for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) {
 		found = 0;
 		for ( j = 0; a->a_vals[j] != NULL; j++ ) {
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
-#else
 			if ( value_cmp( mod->mod_bvalues[i], a->a_vals[j],
 			    a->a_syntax, 3 ) != 0 ) {
 				continue;
 			}
-#endif
 			found = 1;
 
 			/* found a matching value - delete it */
@@ -332,17 +355,21 @@ delete_values(
 			return( LDAP_NO_SUCH_ATTRIBUTE );
 		}
 	}
+#endif
 
 	return( LDAP_SUCCESS );
 }
 
-int
+static int
 replace_values(
     Entry	*e,
-    LDAPMod	*mod,
+    Modification	*mod,
     char	*dn
 )
 {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	/* not yet implemented */
+#else
 	(void) attr_delete( &e->e_attrs, mod->mod_type );
 
 	if ( mod->mod_bvalues != NULL &&
@@ -350,6 +377,7 @@ replace_values(
 	{
 		return( LDAP_CONSTRAINT_VIOLATION );
 	}
+#endif
 
 	return( LDAP_SUCCESS );
 }

servers/slapd/back-ldbm/modrdn.c

@@ -44,6 +44,11 @@ ldbm_back_modrdn(
     char	*newSuperior
 )
 {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *children = NULL;
+#else
+	static const char *children = "children";
+#endif
 	struct ldbminfo	*li = (struct ldbminfo *) be->be_private;
 	char		*p_dn = NULL, *p_ndn = NULL;
 	char		*new_dn = NULL, *new_ndn = NULL;
@@ -145,7 +150,7 @@ ldbm_back_modrdn(
 
 		/* check parent for "children" acl */
 		if ( ! access_allowed( be, conn, op, p,
-			"children", NULL, ACL_WRITE ) )
+			children, NULL, ACL_WRITE ) )
 		{
 			Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
 				0, 0 );
@@ -211,7 +216,7 @@ ldbm_back_modrdn(
 		       np, np->e_id, 0 );
 	    
 		/* check newSuperior for "children" acl */
-		if ( !access_allowed( be, conn, op, np, "children", NULL,
+		if ( !access_allowed( be, conn, op, np, children, NULL,
 				      ACL_WRITE ) )
 		{
 			Debug( LDAP_DEBUG_TRACE,

servers/slapd/back-ldbm/passwd.c

@@ -40,6 +40,12 @@ ldbm_back_exop_passwd(
 
 	char *dn;
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *entry = NULL;
+#else
+	static const char *entry = "entry";
+#endif
+
 	assert( reqoid != NULL );
 	assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, reqoid ) == 0 );
 
@@ -92,7 +98,7 @@ ldbm_back_exop_passwd(
 		goto done;
 	}
 
-	if( ! access_allowed( be, conn, op, e, "entry", NULL, ACL_WRITE ) ) {
+	if( ! access_allowed( be, conn, op, e, entry, NULL, ACL_WRITE ) ) {
 		*text = ch_strdup("access to authorization entry denied");
 		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto done;

servers/slapd/back-ldbm/proto-back-ldbm.h

@@ -168,10 +168,6 @@ extern int ldbm_back_exop_passwd LDAP_P(( BackendDB *bd,
  * 
  */
 
-int add_values LDAP_P(( Entry *e, LDAPMod *mod, char *dn ));
-int delete_values LDAP_P(( Entry *e, LDAPMod *mod, char *dn ));
-int replace_values LDAP_P(( Entry *e, LDAPMod *mod, char *dn ));
-
 /* returns LDAP error code indicating error OR SLAPD_ABANDON */
 int ldbm_modify_internal LDAP_P((Backend *be,
 	Connection *conn, Operation *op,

servers/slapd/back-ldbm/search.c

@@ -282,8 +282,9 @@ ldbm_back_search(
 				}
 
 				if (e) {
-					/* Tack on subordinates attr */
 					int result;
+#ifdef BROKEN_NUM_SUBORDINATES
+					/* Tack on subordinates attr */
 					ID_BLOCK *idl = NULL;
 					char CATTR_SUBS[] = "numsubordinates";
 
@@ -311,6 +312,7 @@ ldbm_back_search(
 							   vals);
 					    }
 					}
+#endif
 
 					result = send_search_entry(be,
 								   conn,
@@ -319,12 +321,15 @@ ldbm_back_search(
 								   attrs,
 								   attrsonly,
 								   NULL);
+
+#ifdef BROKEN_NUM_SUBORDINATES
 					if (idl)
 					{
 					    idl_free(idl);
 					    attr_delete(&e->e_attrs,
 							CATTR_SUBS);
 					}
+#endif
 
 					switch (result)
 					{
@@ -400,104 +405,97 @@ search_candidates(
 )
 {
 	ID_BLOCK		*candidates;
-	Filter		*f, *rf, *af, *lf;
+	Filter		rf, rf_or, af, af_or, lf, lf_and;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	struct berval rf_or_bv, af_or_bv;
+	static AttributeDescription *objectClass = NULL;
+#endif
 
 	Debug(LDAP_DEBUG_TRACE, "search_candidates: base=\"%s\" s=%d d=%d\n",
 		e->e_ndn, scope, deref );
 
-	f = NULL;
-
 	if( !manageDSAit ) {
 		/* match referrals */
-		rf = (Filter *) ch_malloc( sizeof(Filter) );
-		rf->f_next = NULL;
-		rf->f_choice = LDAP_FILTER_OR;
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		rf->f_or = (Filter *) ch_malloc( sizeof(Filter) );
-		rf->f_or->f_choice = LDAP_FILTER_EQUALITY;
-		rf->f_or->f_avtype = ch_strdup( "objectclass" );
-		rf->f_or->f_avvalue.bv_val = ch_strdup( "REFERRAL" );
-		rf->f_or->f_avvalue.bv_len = sizeof("REFERRAL")-1;
-		rf->f_or->f_next = filter;
+		rf.f_next = NULL;
+		rf.f_choice = LDAP_FILTER_OR;
+		rf.f_or = &rf_or;
+		rf.f_or->f_choice = LDAP_FILTER_EQUALITY;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		rf.f_or->f_av_desc = objectClass;
+		rf.f_or->f_av_value = &rf_or_bv;
+		rf.f_or->f_av_value->bv_val = ch_strdup( "REFERRAL" );
+		rf.f_or->f_av_value->bv_len = sizeof("REFERRAL")-1;
+#else
+		rf.f_or->f_avtype = ch_strdup( "objectclass" );
+		rf.f_or->f_avvalue.bv_val = ch_strdup( "REFERRAL" );
+		rf.f_or->f_avvalue.bv_len = sizeof("REFERRAL")-1;
 #endif
-		f = rf;
+		rf.f_or->f_next = filter;
+		filter = &rf;
 	} else {
-		rf = NULL;
-		f = filter;
+		rf.f_or = NULL;
 	}
 
 	if( deref & LDAP_DEREF_SEARCHING ) {
 		/* match aliases */
-		af = (Filter *) ch_malloc( sizeof(Filter) );
-		af->f_next = NULL;
-		af->f_choice = LDAP_FILTER_OR;
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		af->f_or = (Filter *) ch_malloc( sizeof(Filter) );
-		af->f_or->f_choice = LDAP_FILTER_EQUALITY;
-		af->f_or->f_avtype = ch_strdup( "objectclass" );
-		af->f_or->f_avvalue.bv_val = ch_strdup( "ALIAS" );
-		af->f_or->f_avvalue.bv_len = sizeof("ALIAS")-1;
-		af->f_or->f_next = f;
+		af.f_next = NULL;
+		af.f_choice = LDAP_FILTER_OR;
+		af.f_or = &af_or;
+		af.f_or->f_choice = LDAP_FILTER_EQUALITY;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		af.f_or->f_av_desc = objectClass;
+		af.f_or->f_av_value = &af_or_bv;
+		af.f_or->f_av_value->bv_val = ch_strdup( "ALIAS" );
+		af.f_or->f_av_value->bv_len = sizeof("ALIAS")-1;
+#else
+		af.f_or->f_avtype = ch_strdup( "objectclass" );
+		af.f_or->f_avvalue.bv_val = ch_strdup( "ALIAS" );
+		af.f_or->f_avvalue.bv_len = sizeof("ALIAS")-1;
 #endif
-		f = af;
+		af.f_or->f_next = filter;
+		filter = ⁡
 	} else {
-		af = NULL;
+		af.f_or = NULL;
 	}
 
 	if ( scope == LDAP_SCOPE_SUBTREE ) {
-		lf = (Filter *) ch_malloc( sizeof(Filter) );
-		lf->f_next = NULL;
-		lf->f_choice = LDAP_FILTER_AND;
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		lf->f_and = (Filter *) ch_malloc( sizeof(Filter) );
-
-		lf->f_and->f_choice = SLAPD_FILTER_DN_SUBTREE;
-		lf->f_and->f_dn = e->e_ndn;
-
-		lf->f_and->f_next = f;
-#endif
-		f = lf;
+		lf.f_next = NULL;
+		lf.f_choice = LDAP_FILTER_AND;
+		lf.f_and = &lf_and;
+		lf.f_and->f_choice = SLAPD_FILTER_DN_SUBTREE;
+		lf.f_and->f_dn = e->e_ndn;
+		lf.f_and->f_next = filter;
+		filter = &lf;
 
 	} else if ( scope == LDAP_SCOPE_ONELEVEL ) {
-		lf = (Filter *) ch_malloc( sizeof(Filter) );
-		lf->f_next = NULL;
-		lf->f_choice = LDAP_FILTER_AND;
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		lf->f_and = (Filter *) ch_malloc( sizeof(Filter) );
-
-		lf->f_and->f_choice = SLAPD_FILTER_DN_ONE;
-		lf->f_and->f_dn = e->e_ndn;
-
-		lf->f_and->f_next = f;
-#endif
-		f = lf;
-
-	} else {
-		lf = NULL;
+		lf.f_next = NULL;
+		lf.f_choice = LDAP_FILTER_AND;
+		lf.f_and = &lf_and;
+		lf.f_and->f_choice = SLAPD_FILTER_DN_ONE;
+		lf.f_and->f_dn = e->e_ndn;
+		lf.f_and->f_next = filter;
+		filter = &lf;
 	}
 
-	candidates = filter_candidates( be, f );
+	candidates = filter_candidates( be, filter );
 
-	/* free up filter additions we allocated above */
-	if( lf != NULL ) {
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		free( lf->f_and );
+	/* free dynamically allocated bits */
+	if( af.f_or != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		free( af.f_or->f_av_value->bv_val );
+#else
+		free( af.f_or->f_avtype );
+		free( af.f_or->f_avvalue.bv_val );
 #endif
-		free( lf );
 	}
 
-	if( af != NULL ) {
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		af->f_or->f_next = NULL;
+	if( rf.f_or != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		free( rf.f_or->f_av_value->bv_val );
+#else
+		free( rf.f_or->f_avtype );
+		free( rf.f_or->f_avvalue.bv_val );
 #endif
-		filter_free( af );
-	}
-
-	if( rf != NULL ) {
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
-		rf->f_or->f_next = NULL;
-#endif
-		filter_free( rf );
 	}
 
 	return( candidates );

servers/slapd/backend.c

@@ -648,7 +648,7 @@ Attribute *backend_operational(
 	/* Should be backend specific */
 	a->a_vals = ch_malloc( 2 * sizeof( struct berval * ) );
 	a->a_vals[0] = ch_malloc( sizeof( struct berval ) );
-	a->a_vals[0]->bv_val = strdup( SLAPD_SCHEMA_DN );
+	a->a_vals[0]->bv_val = ch_strdup( SLAPD_SCHEMA_DN );
 	a->a_vals[0]->bv_len = sizeof( SLAPD_SCHEMA_DN ) - 1;
 	a->a_vals[1] = NULL;
 

servers/slapd/config.c

@@ -485,7 +485,7 @@ read_config( const char *fname )
     "%s: line %d: old attribute type format not supported.\n",
 				    fname, lineno, 0 );
 #else
-				attr_syntax_config( fname, lineno, cargc - 1,
+				at_config( fname, lineno, cargc - 1,
 				    &cargv[1] );
 #endif
 			}

servers/slapd/dn.c

@@ -45,13 +45,13 @@ dn_validate( char *dn )
 		switch ( state ) {
 		case B4LEADTYPE:
 		case B4TYPE:
-			if ( LEADOIDCHAR(*s) ) {
+			if ( OID_LEADCHAR(*s) ) {
 				state = INOIDTYPE;
 				*d++ = *s;
-			} else if ( LEADKEYCHAR(*s) ) {
+			} else if ( ATTR_LEADCHAR(*s) ) {
 				state = INKEYTYPE;
 				*d++ = *s;
-			} else if ( ! SPACE( *s ) ) {
+			} else if ( ! ASCII_SPACE( *s ) ) {
 				dn = NULL;
 				state = INKEYTYPE;
 				*d++ = *s;
@@ -59,12 +59,12 @@ dn_validate( char *dn )
 			break;
 
 		case INOIDTYPE:
-			if ( OIDCHAR(*s) ) {
+			if ( OID_CHAR(*s) ) {
 				*d++ = *s;
 			} else if ( *s == '=' ) {
 				state = B4VALUE;
 				*d++ = *s;
-			} else if ( SPACE( *s ) ) {
+			} else if ( ASCII_SPACE( *s ) ) {
 				state = B4EQUAL;
 			} else {
 				dn = NULL;
@@ -73,12 +73,12 @@ dn_validate( char *dn )
 			break;
 
 		case INKEYTYPE:
-			if ( KEYCHAR(*s) ) {
+			if ( ATTR_CHAR(*s) ) {
 				*d++ = *s;
 			} else if ( *s == '=' ) {
 				state = B4VALUE;
 				*d++ = *s;
-			} else if ( SPACE( *s ) ) {
+			} else if ( ASCII_SPACE( *s ) ) {
 				state = B4EQUAL;
 			} else {
 				dn = NULL;
@@ -90,7 +90,7 @@ dn_validate( char *dn )
 			if ( *s == '=' ) {
 				state = B4VALUE;
 				*d++ = *s;
-			} else if ( ! SPACE( *s ) ) {
+			} else if ( ! ASCII_SPACE( *s ) ) {
 				/* not a valid dn - but what can we do here? */
 				*d++ = *s;
 				dn = NULL;
@@ -101,15 +101,15 @@ dn_validate( char *dn )
 			if ( *s == '"' ) {
 				state = INQUOTEDVALUE;
 				*d++ = *s;
-			} else if ( ! SPACE( *s ) ) { 
+			} else if ( ! ASCII_SPACE( *s ) ) { 
 				state = INVALUE;
 				*d++ = *s;
 			}
 			break;
 
 		case INVALUE:
-			if ( !gotesc && SEPARATOR( *s ) ) {
-				while ( SPACE( *(d - 1) ) )
+			if ( !gotesc && RDN_SEPARATOR( *s ) ) {
+				while ( ASCII_SPACE( *(d - 1) ) )
 					d--;
 				state = B4TYPE;
 				if ( *s == '+' ) {
@@ -117,8 +117,8 @@ dn_validate( char *dn )
 				} else {
 					*d++ = ',';
 				}
-			} else if ( gotesc && !NEEDSESCAPE( *s ) &&
-			    !SEPARATOR( *s ) ) {
+			} else if ( gotesc && !RDN_NEEDSESCAPE( *s ) &&
+			    !RDN_SEPARATOR( *s ) ) {
 				*--d = *s;
 				d++;
 			} else {
@@ -130,7 +130,7 @@ dn_validate( char *dn )
 			if ( !gotesc && *s == '"' ) {
 				state = B4SEPARATOR;
 				*d++ = *s;
-			} else if ( gotesc && !NEEDSESCAPE( *s ) ) {
+			} else if ( gotesc && !RDN_NEEDSESCAPE( *s ) ) {
 				*--d = *s;
 				d++;
 			} else {
@@ -138,7 +138,7 @@ dn_validate( char *dn )
 			}
 			break;
 		case B4SEPARATOR:
-			if ( SEPARATOR( *s ) ) {
+			if ( RDN_SEPARATOR( *s ) ) {
 				state = B4TYPE;
 				*d++ = *s;
 			}
@@ -210,7 +210,7 @@ dn_parent(
 		return NULL;
 	}
 
-	while(*dn && SPACE(*dn)) {
+	while(*dn != '\0' && ASCII_SPACE(*dn)) {
 		dn++;
 	}
 
@@ -223,7 +223,7 @@ dn_parent(
 	}
 
 	/*
-	 * else assume it is an X.500-style name, which looks like
+	 * assume it is an X.500-style name, which looks like
 	 * foo=bar,sha=baz,...
 	 */
 
@@ -242,7 +242,7 @@ dn_parent(
 		} else {
 			if ( *s == '"' ) {
 				inquote = 1;
-			} else if ( DNSEPARATOR( *s ) ) {
+			} else if ( DN_SEPARATOR( *s ) ) {
 				return( ch_strdup( &s[1] ) );
 			}
 		}
@@ -262,7 +262,7 @@ char * dn_rdn(
 		return NULL;
 	}
 
-	while(*dn && SPACE(*dn)) {
+	while(*dn && ASCII_SPACE(*dn)) {
 		dn++;
 	}
 
@@ -292,7 +292,7 @@ char * dn_rdn(
 		} else {
 			if ( *s == '"' ) {
 				inquote = 1;
-			} else if ( DNSEPARATOR( *s ) ) {
+			} else if ( DN_SEPARATOR( *s ) ) {
 				*s = '\0';
 				return( dn );
 			}
@@ -387,7 +387,7 @@ get_next_substring( char * s, char d )
 
 	/* Skip leading spaces */
 	
-	while ( *s && SPACE(*s) ) {
+	while ( *s && ASCII_SPACE(*s) ) {
 	    
 		s++;
 	    

servers/slapd/filter.c

@@ -290,10 +290,9 @@ get_substring_filter(
 #else
 		/* we should call a substring syntax normalization routine */
 		value_normalize( val->bv_val, syntax );
-#endif
-
 		/* this is bogus, value_normalize should take a berval */
 		val->bv_len = strlen( val->bv_val );
+#endif
 
 		switch ( tag ) {
 		case LDAP_SUBSTRING_INITIAL:
@@ -313,7 +312,10 @@ get_substring_filter(
 
 		case LDAP_SUBSTRING_ANY:
 			Debug( LDAP_DEBUG_FILTER, "  ANY\n", 0, 0, 0 );
-			charray_add( (char ***) &f->f_sub_any, (char *) val );
+			if( ber_bvecadd( &f->f_sub_any, val ) < 0 ) {
+				ber_bvfree( val );
+				goto return_error;
+			}
 
 			if( fstr ) {
 				*fstr = ch_realloc( *fstr,

servers/slapd/filterentry.c

@@ -199,7 +199,6 @@ test_ava_filter(
 	if ( be != NULL && ! access_allowed( be, conn, op, e,
 		ava->aa_desc->ad_type->sat_cname, ava->aa_value, ACL_SEARCH ) )
 #else
-	int rc;
 
 	if ( be != NULL && ! access_allowed( be, conn, op, e,
 		ava->ava_type, &ava->ava_value, ACL_SEARCH ) )
@@ -227,12 +226,23 @@ test_ava_filter(
 
 	for ( i = 0; a->a_vals[i] != NULL; i++ ) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		/* not yet implemented */
-		int rc;
+		int rc = -1;
+
+		switch ( type ) {
+		case LDAP_FILTER_EQUALITY:
+			break;
+		case LDAP_FILTER_APPROX:
+			break;
+
+		case LDAP_FILTER_GE:
+		case LDAP_FILTER_LE:
+			break;
+		}
+
+		if( rc == LDAP_COMPARE_TRUE ) return LDAP_COMPARE_TRUE;
 #else
 		int rc = value_cmp( a->a_vals[i], &ava->ava_value, a->a_syntax,
 		    3 );
-#endif
 
 		switch ( type ) {
 		case LDAP_FILTER_EQUALITY:
@@ -254,6 +264,7 @@ test_ava_filter(
 			}
 			break;
 		}
+#endif
 	}
 
 	return( LDAP_COMPARE_FALSE );
@@ -472,9 +483,7 @@ test_substring_filter(
     Filter	*f
 )
 {
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
-#else
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
 	Attribute	*a;
 	int		i, rc;
 	char		*p, *end, *realval, *tmp;

servers/slapd/mr.c

@@ -110,6 +110,7 @@ mr_insert(
 int
 mr_add(
     LDAP_MATCHING_RULE		*mr,
+	unsigned usage,
 	slap_mr_convert_func *convert,
 	slap_mr_normalize_func *normalize,
     slap_mr_match_func	*match,
@@ -125,6 +126,7 @@ mr_add(
 	smr = (MatchingRule *) ch_calloc( 1, sizeof(MatchingRule) );
 	memcpy( &smr->smr_mrule, mr, sizeof(LDAP_MATCHING_RULE));
 
+	smr->smr_usage = usage;
 	smr->smr_convert = convert;
 	smr->smr_normalize = normalize;
 	smr->smr_match = match;
@@ -150,6 +152,7 @@ mr_add(
 int
 register_matching_rule(
 	char * desc,
+	unsigned usage,
 	slap_mr_convert_func *convert,
 	slap_mr_normalize_func *normalize,
 	slap_mr_match_func *match,
@@ -160,6 +163,12 @@ register_matching_rule(
 	int		code;
 	const char	*err;
 
+	if( usage == SLAP_MR_NONE ) {
+		Debug( LDAP_DEBUG_ANY, "register_matching_rule: not usable %s\n",
+		    desc, 0, 0 );
+		return -1;
+	}
+
 	mr = ldap_str2matchingrule( desc, &code, &err);
 	if ( !mr ) {
 		Debug( LDAP_DEBUG_ANY, "Error in register_matching_rule: %s before %s in %s\n",
@@ -167,7 +176,7 @@ register_matching_rule(
 		return( -1 );
 	}
 
-	code = mr_add( mr, convert, normalize, match, indexer, filter, &err );
+	code = mr_add( mr, usage, convert, normalize, match, indexer, filter, &err );
 	if ( code ) {
 		Debug( LDAP_DEBUG_ANY, "Error in register_syntax: %s for %s in %s\n",
 		    scherr2str(code), err, desc );

servers/slapd/oc.c

@@ -22,6 +22,11 @@ int is_entry_objectclass(
 {
 	Attribute *attr;
 	struct berval bv;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *objectClass = NULL;
+#else
+	static const char *objectClass = "objectclass";
+#endif
 
 	if( e == NULL || oc == NULL || *oc == '\0' )
 		return 0;
@@ -29,7 +34,7 @@ int is_entry_objectclass(
 	/*
 	 * find objectClass attribute
 	 */
-	attr = attr_find(e->e_attrs, "objectclass");
+	attr = attr_find(e->e_attrs, objectClass);
 
 	if( attr == NULL ) {
 		/* no objectClass attribute */

servers/slapd/proto-slap.h

@@ -11,6 +11,11 @@
 LDAP_BEGIN_DECL
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+LIBSLAPD_F (int) slap_str2ad LDAP_P((
+	const char *,
+	AttributeDescription **ad,
+	char **text ));
+
 LIBSLAPD_F (int) slap_bv2ad LDAP_P((
 	struct berval *bv,
 	AttributeDescription **ad,
@@ -19,21 +24,32 @@ LIBSLAPD_F (int) slap_bv2ad LDAP_P((
 LIBSLAPD_F (void) ad_free LDAP_P((
 	AttributeDescription *desc,
 	int freeit ));
+
+LIBSLAPD_F (int) ad_inlist LDAP_P((
+	AttributeDescription *desc,
+	char **attrs ));
+#else
+#define ad_inlist(d,a) charray_inlist(a,d)
 #endif
 
 /*
  * acl.c
  */
 
-LIBSLAPD_F (int) access_allowed LDAP_P(( Backend *be, Connection *conn,
-	Operation *op, Entry *e,
-	char *attr, struct berval *val, slap_access_t access ));
-
-LIBSLAPD_F (int) acl_check_modlist LDAP_P(( Backend *be,
-	Connection *conn,
-	Operation *op,
-	Entry *e,
-	Modifications *ml ));
+#if SLAPD_SCHEMA_NOT_COMPAT
+LIBSLAPD_F (int) access_allowed LDAP_P((
+	Backend *be, Connection *conn, Operation *op,
+	Entry *e, AttributeDescription *type, struct berval *val,
+	slap_access_t access ));
+#else
+LIBSLAPD_F (int) access_allowed LDAP_P((
+	Backend *be, Connection *conn, Operation *op,
+	Entry *e, const char *attr, struct berval *val,
+	slap_access_t access ));
+#endif
+LIBSLAPD_F (int) acl_check_modlist LDAP_P((
+	Backend *be, Connection *conn, Operation *op,
+	Entry *e, Modifications *ml ));
 
 LIBSLAPD_F (void) acl_append( AccessControl **l, AccessControl *a );
 
@@ -44,8 +60,7 @@ LIBSLAPD_F (char *) get_supported_acimech LDAP_P((int index));
  */
 
 LIBSLAPD_F (void) parse_acl LDAP_P(( Backend *be,
-	const char *fname,
-	int lineno,
+	const char *fname, int lineno,
 	int argc, char **argv ));
 
 LIBSLAPD_F (char *) access2str LDAP_P(( slap_access_t access ));
@@ -68,11 +83,17 @@ LIBSLAPD_F (int) attr_merge_fast LDAP_P(( Entry *e, const char *type,
 LIBSLAPD_F (int) attr_merge LDAP_P(( Entry *e, const char *type,
 	struct berval **vals ));
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+LIBSLAPD_F (Attribute *) attr_find LDAP_P(( Attribute *a, AttributeDescription *desc ));
+LIBSLAPD_F (int) attr_delete LDAP_P(( Attribute **attrs, AttributeDescription *desc ));
+#else
 LIBSLAPD_F (Attribute *) attr_find LDAP_P(( Attribute *a, const char *type ));
 LIBSLAPD_F (int) attr_delete LDAP_P(( Attribute **attrs, const char *type ));
 LIBSLAPD_F (int) attr_syntax LDAP_P(( const char *type ));
+#endif
 
-LIBSLAPD_F (void) attr_syntax_config LDAP_P(( const char *fname, int lineno, int argc, char **argv ));
+
+LIBSLAPD_F (void) at_config LDAP_P(( const char *fname, int lineno, int argc, char **argv ));
 LIBSLAPD_F (AttributeType *) at_find LDAP_P(( const char *name ));
 LIBSLAPD_F (int) at_find_in_list LDAP_P(( AttributeType *sat, AttributeType **list ));
 LIBSLAPD_F (int) at_append_to_list LDAP_P(( AttributeType *sat, AttributeType ***listp ));
@@ -146,7 +167,7 @@ LIBSLAPD_F (int) backend_group LDAP_P((Backend *be,
 	const char *gr_ndn,
 	const char *op_ndn,
 	const char *objectclassValue,
-	AttributeType *groupAttrType
+	AttributeDescription *groupAttrType
 ));
 #else
 LIBSLAPD_F (int) backend_group LDAP_P((Backend *be,
@@ -502,6 +523,7 @@ LIBSLAPD_F (int) syn_add LDAP_P((LDAP_SYNTAX *syn, int flags,
 
 LIBSLAPD_F (MatchingRule *) mr_find LDAP_P((const char *mrname));
 LIBSLAPD_F (int) mr_add LDAP_P((LDAP_MATCHING_RULE *mr,
+	unsigned usage,
 	slap_mr_convert_func *convert,
 	slap_mr_normalize_func *normalize,
 	slap_mr_match_func *match,
@@ -515,6 +537,7 @@ LIBSLAPD_F (int) register_syntax LDAP_P((char *desc, int flags,
 	slap_syntax_transform_func *str2ber ));
 
 LIBSLAPD_F (int) register_matching_rule LDAP_P((char * desc,
+	unsigned usage,
 	slap_mr_convert_func *convert,
 	slap_mr_normalize_func *normalize,
 	slap_mr_match_func *match,
@@ -573,7 +596,7 @@ LIBSLAPD_F (int) starttls_extop LDAP_P((
  * str2filter.c
  */
 
-LIBSLAPD_F (Filter *) str2filter LDAP_P(( char *str ));
+LIBSLAPD_F (Filter *) str2filter LDAP_P(( const char *str ));
 
 /*
  * suffixalias.c

servers/slapd/result.c

@@ -128,7 +128,13 @@ struct berval **get_entry_referrals(
 	struct berval **refs;
 	unsigned i, j;
 
-	attr = attr_find( e->e_attrs, "ref" );
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *ref = NULL;
+#else
+	static const char *ref = "ref";
+#endif
+
+	attr = attr_find( e->e_attrs, ref );
 
 	if( attr == NULL ) return NULL;
 
@@ -622,10 +628,16 @@ send_search_entry(
 	int		userattrs;
 	int		opattrs;
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *entry = NULL;
+#else
+	static const char *entry = "entry";
+#endif
+
 	Debug( LDAP_DEBUG_TRACE, "=> send_search_entry: \"%s\"\n", e->e_dn, 0, 0 );
 
 	if ( ! access_allowed( be, conn, op, e,
-		"entry", NULL, ACL_READ ) )
+		entry, NULL, ACL_READ ) )
 	{
 		Debug( LDAP_DEBUG_ACL, "acl: access to entry not allowed\n",
 		    0, 0, 0 );
@@ -663,28 +675,36 @@ send_search_entry(
 		: charray_inlist( attrs, LDAP_ALL_OPERATIONAL_ATTRIBUTES );
 
 	for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
-		char *desc;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		desc = a->a_desc.ad_type->sat_cname;
+		AttributeDescription *desc = &a->a_desc;
 #else
-		desc = a->a_type;
+		char *desc = a->a_type;
 #endif
 
 		if ( attrs == NULL ) {
 			/* all addrs request, skip operational attributes */
-			if( !opattrs && oc_check_op_attr( desc ) ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			if( is_at_operational( desc->ad_type ) )
+#else
+			if( oc_check_op_attr( desc ) )
+#endif
+			{
 				continue;
 			}
 
 		} else {
 			/* specific addrs requested */
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			if ( is_at_operational( desc->ad_type ) )
+#else
 			if ( oc_check_op_attr( desc ) )
+#endif
 			{
-				if( !opattrs && !charray_inlist( attrs, desc ) ) {
+				if( !opattrs && !ad_inlist( desc, attrs ) ) {
 					continue;
 				}
 			} else {
-				if (!userattrs && !charray_inlist( attrs, desc ) ) {
+				if (!userattrs && !ad_inlist( desc, attrs ) ) {
 					continue;
 				}
 			}
@@ -740,28 +760,37 @@ send_search_entry(
 	aa = backend_operational( be, e );
 	
 	for (a = aa ; a == NULL; a = a->a_next ) {
-		char *desc;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		desc = a->a_desc.ad_type->sat_cname;
+		AttributeDescription *desc = &a->a_desc;
 #else
-		desc = a->a_type;
+		char *desc = a->a_type;
 #endif
 
 		if ( attrs == NULL ) {
 			/* all addrs request, skip operational attributes */
-			if( !opattrs && oc_check_op_attr( desc ) ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			if( is_at_operational( desc->ad_type ) )
+#else
+			if( oc_check_op_attr( desc ) )
+#endif
+			{
 				continue;
 			}
 
 		} else {
 			/* specific addrs requested */
-			if (  oc_check_op_attr( desc ) ) {
-				if( !opattrs && !charray_inlist( attrs, desc ) )
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			if( is_at_operational( desc->ad_type ) )
+#else
+			if( oc_check_op_attr( desc ) )
+#endif
+			{
+				if( !opattrs && !ad_inlist( desc, attrs ) )
 				{
 					continue;
 				}
 			} else {
-				if (!userattrs && !charray_inlist( attrs, desc ) )
+				if (!userattrs && !ad_inlist( desc, attrs ) )
 				{
 					continue;
 				}
@@ -869,10 +898,18 @@ send_search_reference(
 	int rc;
 	int bytes;
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *ref = NULL;
+	static AttributeDescription *entry = NULL;
+#else
+	static const char *ref = "ref";
+	static const char *entry = "entry";
+#endif
+
 	Debug( LDAP_DEBUG_TRACE, "=> send_search_reference (%s)\n", e->e_dn, 0, 0 );
 
 	if ( ! access_allowed( be, conn, op, e,
-		"entry", NULL, ACL_READ ) )
+		entry, NULL, ACL_READ ) )
 	{
 		Debug( LDAP_DEBUG_ACL,
 			"send_search_reference: access to entry not allowed\n",
@@ -881,7 +918,7 @@ send_search_reference(
 	}
 
 	if ( ! access_allowed( be, conn, op, e,
-		"ref", NULL, ACL_READ ) )
+		ref, NULL, ACL_READ ) )
 	{
 		Debug( LDAP_DEBUG_ACL,
 			"send_search_reference: access to reference not allowed\n",

servers/slapd/root_dse.c

@@ -45,6 +45,9 @@ root_dse_info( Connection *conn, Operation *op, char **attrs, int attrsonly )
 		}
 	}
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	/* we shouldn't publish subentries as naming contexts */
+#else
 #if defined( SLAPD_MONITOR_DN )
 	val.bv_val = SLAPD_MONITOR_DN;
 	val.bv_len = strlen( val.bv_val );
@@ -62,6 +65,7 @@ root_dse_info( Connection *conn, Operation *op, char **attrs, int attrsonly )
 	val.bv_val = SLAPD_SCHEMA_DN;
 	val.bv_len = strlen( val.bv_val );
 	attr_merge( e, "namingContexts", vals );
+#endif
 #endif
 
 	/* altServer unsupported */

servers/slapd/schema_check.c

@@ -39,11 +39,17 @@ schema_check_entry( Entry *e )
 	ObjectClass *oc;
 	int		i;
 	int		ret = 0;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	static AttributeDescription *objectClass = NULL;
+#else
+	static const char *objectClass = "objectclass";
+#endif
+
 
 	if( !global_schemacheck ) return 0;
 
 	/* find the object class attribute - could error out here */
-	if ( (aoc = attr_find( e->e_attrs, "objectclass" )) == NULL ) {
+	if ( (aoc = attr_find( e->e_attrs, objectClass )) == NULL ) {
 		Debug( LDAP_DEBUG_ANY, "No object class for entry (%s)\n",
 		    e->e_dn, 0, 0 );
 		return( 1 );

servers/slapd/schema_init.c

@@ -53,6 +53,7 @@ UTF8StringValidate(
 
 static int
 UTF8StringNormalize(
+	int use,
 	Syntax *syntax,
 	MatchingRule *mr,
 	struct berval *val,
@@ -129,7 +130,7 @@ UTF8StringNormalize(
 	return 0;
 }
 
-int
+static int
 IA5StringValidate(
 	Syntax *syntax,
 	struct berval *val )
@@ -168,6 +169,7 @@ IA5StringConvert(
 
 static int
 IA5StringNormalize(
+	int use,
 	Syntax *syntax,
 	MatchingRule *mr,
 	struct berval *val,
@@ -237,22 +239,26 @@ IA5StringNormalize(
 
 static int
 caseExactIA5Match(
+	int use,
 	Syntax *syntax,
 	MatchingRule *mr,
 	struct berval *value,
-	struct berval *assertedValue )
+	void *assertedValue )
 {
-	return strcmp( value->bv_val, assertedValue->bv_val );
+	return strcmp( value->bv_val,
+		((struct berval *) assertedValue)->bv_val );
 }
 
 static int
 caseIgnoreIA5Match(
+	int use,
 	Syntax *syntax,
 	MatchingRule *mr,
 	struct berval *value,
-	struct berval *assertedValue )
+	void *assertedValue )
 {
-	return strcasecmp( value->bv_val, assertedValue->bv_val );
+	return strcasecmp( value->bv_val,
+		((struct berval *) assertedValue)->bv_val );
 }
 
 struct syntax_defs_rec {
@@ -360,6 +366,7 @@ struct syntax_defs_rec syntax_defs[] = {
 
 struct mrule_defs_rec {
 	char *						mrd_desc;
+	unsigned					mrd_usage;
 	slap_mr_convert_func *		mrd_convert;
 	slap_mr_normalize_func *	mrd_normalize;
 	slap_mr_match_func *		mrd_match;
@@ -425,110 +432,136 @@ struct mrule_defs_rec {
 struct mrule_defs_rec mrule_defs[] = {
 	{"( 2.5.13.0 NAME 'objectIdentifierMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, objectIdentifierMatch, NULL, NULL},
 
 	{"( 2.5.13.1 NAME 'distinguishedNameMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, distinguishedNameMatch, NULL, NULL},
 
 	{"( 2.5.13.2 NAME 'caseIgnoreMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, UTF8StringNormalize, caseIgnoreMatch, NULL, NULL},
 
 	{"( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
+		SLAP_MR_ORDERING,
 		NULL, UTF8StringNormalize, caseIgnoreOrderingMatch, NULL, NULL},
 
 	{"( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
+		SLAP_MR_SUBSTR | SLAP_MR_EXT,
 		NULL, UTF8StringNormalize, caseIgnoreSubstringsMatch, NULL, NULL},
 
 	/* Next three are not in the RFC's, but are needed for compatibility */
 	{"( 2.5.13.5 NAME 'caseExactMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, UTF8StringNormalize, caseExactMatch, NULL, NULL},
 
 	{"( 2.5.13.6 NAME 'caseExactOrderingMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
+		SLAP_MR_ORDERING,
 		NULL, UTF8StringNormalize, caseExactOrderingMatch, NULL, NULL},
 
 	{"( 2.5.13.7 NAME 'caseExactSubstringsMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
+		SLAP_MR_SUBSTR | SLAP_MR_EXT,
 		NULL, UTF8StringNormalize, caseExactSubstringsMatch, NULL, NULL},
 
 	{"( 2.5.13.8 NAME 'numericStringMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, numericStringMatch, NULL, NULL},
 
 	{"( 2.5.13.10 NAME 'numericStringSubstringsMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
+		SLAP_MR_SUBSTR | SLAP_MR_EXT,
 		NULL, NULL, numericStringSubstringsMatch, NULL, NULL},
 
 	{"( 2.5.13.11 NAME 'caseIgnoreListMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, caseIgnoreListMatch, NULL, NULL},
 
 	{"( 2.5.13.14 NAME 'integerMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
+		SLAP_MR_NONE | SLAP_MR_EXT,
 		NULL, NULL, integerMatch, NULL, NULL},
 
 	{"( 2.5.13.16 NAME 'bitStringMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )",
+		SLAP_MR_NONE | SLAP_MR_EXT,
 		NULL, NULL, bitStringMatch, NULL, NULL},
 
 	{"( 2.5.13.17 NAME 'octetStringMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, octetStringMatch, NULL, NULL},
 
 	{"( 2.5.13.20 NAME 'telephoneNumberMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, telephoneNumberMatch, NULL, NULL},
 
 	{"( 2.5.13.21 NAME 'telephoneNumberSubstringsMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )",
+		SLAP_MR_SUBSTR | SLAP_MR_EXT,
 		NULL, NULL, telephoneNumberSubstringsMatch, NULL, NULL},
 
 	{"( 2.5.13.22 NAME 'presentationAddressMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 )",
+		SLAP_MR_NONE | SLAP_MR_EXT,
 		NULL, NULL, presentationAddressMatch, NULL, NULL},
 
 	{"( 2.5.13.23 NAME 'uniqueMemberMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )",
+		SLAP_MR_NONE | SLAP_MR_EXT,
 		NULL, NULL, uniqueMemberMatch, NULL, NULL},
 
 	{"( 2.5.13.24 NAME 'protocolInformationMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )",
+		SLAP_MR_NONE | SLAP_MR_EXT,
 		NULL, NULL, protocolInformationMatch, NULL, NULL},
 
 	{"( 2.5.13.27 NAME 'generalizedTimeMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, generalizedTimeMatch, NULL, NULL},
 
 	{"( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )",
+		SLAP_MR_ORDERING,
 		NULL, NULL, generalizedTimeOrderingMatch, NULL, NULL},
 
 	{"( 2.5.13.29 NAME 'integerFirstComponentMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, integerFirstComponentMatch, NULL, NULL},
 
 	{"( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, NULL, objectIdentifierFirstComponentMatch, NULL, NULL},
 
 	{"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, IA5StringNormalize, caseExactIA5Match, NULL, NULL},
 
 	{"( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
+		SLAP_MR_EQUALITY | SLAP_MR_EXT,
 		NULL, IA5StringNormalize, caseIgnoreIA5Match, NULL, NULL},
 
 	{"( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )",
+		SLAP_MR_SUBSTR,
 		NULL, IA5StringNormalize, caseIgnoreIA5SubstringsMatch, NULL, NULL},
 
-	{NULL, NULL, NULL, NULL}
+	{NULL, SLAP_MR_NONE, NULL, NULL, NULL}
 };
 
 int
@@ -557,8 +590,16 @@ schema_init( void )
 	}
 
 	for ( i=0; mrule_defs[i].mrd_desc != NULL; i++ ) {
+		if( mrule_defs[i].mrd_usage == SLAP_MR_NONE ) {
+			fprintf( stderr,
+				"schema_init: Ingoring unusable matching rule %s\n",
+				 mrule_defs[i].mrd_desc );
+			continue;
+		}
+
 		res = register_matching_rule(
 			mrule_defs[i].mrd_desc,
+			mrule_defs[i].mrd_usage,
 			mrule_defs[i].mrd_convert,
 			mrule_defs[i].mrd_normalize,
 		    mrule_defs[i].mrd_match,

servers/slapd/schemaparse.c

@@ -178,31 +178,38 @@ static char *
 find_oidm(char *oid)
 {
 	OidMacro *om;
-	char *new;
-	int pos, suflen;
 
 	/* OID macros must start alpha */
-	if ( !isdigit( *oid ) )
-	{
-	    for (om = om_list; om; om=om->som_next)
-	    {
-		if ((pos = dscompare(om->som_name, oid, ':')))
-		{
-			suflen = strlen(oid + pos);
-			new = ch_calloc(1, om->som_oid.bv_len + suflen + 1);
-			strcpy(new, om->som_oid.bv_val);
-			if (suflen)
-			{
-				suflen = om->som_oid.bv_len;
-				new[suflen++] = '.';
-				strcpy(new+suflen, oid+pos+1);
-			}
-			return new;
-		}
-	    }
-	    return NULL;
+	if ( isdigit( *oid ) )	{
+		return oid;
 	}
-	return oid;
+
+    for (om = om_list; om; om=om->som_next) {
+		char **names = om->som_names;
+
+		if( names == NULL ) {
+			continue;
+		}
+
+		for( ; *names != NULL ; names++ ) {
+			int pos = dscompare(*names, oid, ':');
+
+			if( pos ) {
+				int suflen = strlen(oid + pos);
+				char *new = ch_calloc(1,
+					om->som_oid.bv_len + suflen + 1);
+				strcpy(new, om->som_oid.bv_val);
+
+				if( suflen ) {
+					suflen = om->som_oid.bv_len;
+					new[suflen++] = '.';
+					strcpy(new+suflen, oid+pos+1);
+				}
+				return new;
+			}
+		}
+	}
+	return NULL;
 }
 
 void
@@ -213,15 +220,29 @@ parse_oidm(
     char 	**argv
 )
 {
+	char *oid;
 	OidMacro *om;
 
 	if (argc != 3) {
-usage:	fprintf( stderr, "ObjectIdentifier <name> <oid>\n");
+		fprintf( stderr, "%s: line %d: too many arguments\n",
+			fname, lineno );
+usage:	fprintf( stderr, "\tObjectIdentifier <name> <oid>\n");
+		exit( EXIT_FAILURE );
+	}
+
+	oid = find_oidm( argv[1] );
+	if( oid != NULL ) {
+		fprintf( stderr,
+			"%s: line %d: "
+			"ObjectIdentifier \"%s\" previously defined \"%s\"",
+			fname, lineno, argv[1], oid );
 		exit( EXIT_FAILURE );
 	}
 
 	om = (OidMacro *) ch_malloc( sizeof(OidMacro) );
-	om->som_name = ch_strdup( argv[1] );
+
+	om->som_names = NULL;
+	charray_add( &om->som_names, argv[1] );
 	om->som_oid.bv_val = find_oidm( argv[2] );
 
 	if (!om->som_oid.bv_val) {

servers/slapd/slap.h

@@ -54,7 +54,7 @@ LDAP_BEGIN_DECL
  * JCG 05/1999 (gomez@engr.sgi.com)
  */
 #define SLAP_MOD_SOFTADD	0x1000
-#undef LDAP_MOD_BVALUES
+#undef LDAP_MOD_BVALUES /* we always use BVALUES */
 
 #define ON	1
 #define OFF	(-1)
@@ -65,26 +65,28 @@ LDAP_BEGIN_DECL
 /* psuedo error code to indicating abandoned operation */
 #define SLAPD_ABANDON -1
 
-/* XXYYZ: these macros assume 'x' is an ASCII x */
-#define DNSEPARATOR(c)	((c) == ',' || (c) == ';')
-#define SEPARATOR(c)	((c) == ',' || (c) == ';' || (c) == '+')
-#define SPACE(c)	((c) == ' ' || (c) == '\n')
-
+/* We assume "C" locale, that is US-ASCII */
+#define ASCII_SPACE(c)	( (c) == ' ' )
 #define ASCII_LOWER(c)	( (c) >= 'a' && (c) <= 'z' )
 #define ASCII_UPPER(c)	( (c) >= 'A' && (c) <= 'Z' )
 #define ASCII_ALPHA(c)	( ASCII_LOWER(c) || ASCII_UPPER(c) )
 #define ASCII_DIGIT(c)	( (c) >= '0' && (c) <= '9' )
 #define ASCII_ALNUM(c)	( ASCII_ALPHA(c) || ASCII_DIGIT(c) )
 
-#define LEADKEYCHAR(c)	( ASCII_ALPHA(c) )
-#define KEYCHAR(c)	( ASCII_ALNUM(c) || (c) == '-' )
-#define LEADOIDCHAR(c)	( ASCII_DIGIT(c) )
-#define OIDCHAR(c)	( ASCII_DIGIT(c) || (c) == '.' )
+#define DN_SEPARATOR(c)	((c) == ',' || (c) == ';')
+#define RDN_SEPARATOR(c)	((c) == ',' || (c) == ';' || (c) == '+')
+#define RDN_NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')
 
-#define LEADATTRCHAR(c)	( LEADKEYCHAR(c) || LEADOIDCHAR(c) )
-#define ATTRCHAR(c)	( KEYCHAR((c)) || (c) == '.' )
+#define DESC_LEADCHAR(c)	( ASCII_ALPHA(c) )
+#define DESC_CHAR(c)	( ASCII_ALNUM(c) || (c) == '-' )
+#define OID_LEADCHAR(c)	( ASCII_DIGIT(c) )
+#define OID_CHAR(c)	( ASCII_DIGIT(c) || (c) == '.' )
 
-#define NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')
+#define ATTR_LEADCHAR(c)	( DESC_LEADCHAR(c) || OID_LEADCHAR(c) )
+#define ATTR_CHAR(c)	( DESC_CHAR((c)) || (c) == '.' )
+
+#define AD_LEADCHAR(c)	( ATTR_CHAR(c) )
+#define AD_CHAR(c)		( ATTR_CHAR(c) || (c) == ';' )
 
 #define SLAPD_ACI_DEFAULT_ATTR		"aci"
 
@@ -122,8 +124,8 @@ LIBSLAPD_F (int) slap_debug;
 #define SLAP_SCHERR_MR_INCOMPLETE	12
 
 typedef struct slap_oid_macro {
-	char *som_name;
 	struct berval som_oid;
+	char **som_names;
 	struct slap_oid_macro *som_next;
 } OidMacro;
 
@@ -131,7 +133,6 @@ typedef struct slap_oid_macro {
 struct slap_syntax;
 struct slap_matching_rule;
 
-
 typedef int slap_syntax_validate_func LDAP_P((
 	struct slap_syntax *syntax,
 	struct berval * in));
@@ -166,6 +167,7 @@ typedef int slap_mr_convert_func LDAP_P((
 
 /* Normalizer */
 typedef int slap_mr_normalize_func LDAP_P((
+	unsigned use,
 	struct slap_syntax *syntax, /* NULL if in is asserted value */
 	struct slap_matching_rule *mr,
 	struct berval * in,
@@ -173,13 +175,15 @@ typedef int slap_mr_normalize_func LDAP_P((
 
 /* Match (compare) function */
 typedef int slap_mr_match_func LDAP_P((
+	unsigned use,
 	struct slap_syntax *syntax,	/* syntax of stored value */
 	struct slap_matching_rule *mr,
 	struct berval * value,
-	struct berval * assertValue ));
+	void * assertValue ));
 
 /* Index generation function */
 typedef int slap_mr_indexer_func LDAP_P((
+	unsigned use,
 	struct slap_syntax *syntax,	/* syntax of stored value */
 	struct slap_matching_rule *mr,
 	struct berval **values,
@@ -188,6 +192,7 @@ typedef int slap_mr_indexer_func LDAP_P((
 struct slap_filter; 	/* forward declaration */
 /* Filter index function */
 typedef int slap_mr_filter_func LDAP_P((
+	unsigned use,
 	struct slap_syntax *syntax,	/* syntax of stored value */
 	struct slap_matching_rule *mr,
 	struct slap_filter *filter,
@@ -195,6 +200,13 @@ typedef int slap_mr_filter_func LDAP_P((
 
 typedef struct slap_matching_rule {
 	LDAP_MATCHING_RULE		smr_mrule;
+	unsigned				smr_usage;
+#define SLAP_MR_NONE		0x00U
+#define SLAP_MR_EQUALITY	0x01U
+#define SLAP_MR_APPROX		0x02U
+#define SLAP_MR_ORDERING	0x04U
+#define SLAP_MR_SUBSTR		0x08U
+#define SLAP_MR_EXT			0x10U
 	Syntax					*smr_syntax;
 	slap_mr_convert_func	*smr_convert;
 	slap_mr_normalize_func	*smr_normalize;
@@ -571,7 +583,7 @@ typedef struct slap_access {
 
 	char		*a_dn_pat;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeType	*a_dn_at;
+	AttributeDescription	*a_dn_at;
 #else
 	char		*a_dn_at;
 #endif
@@ -585,7 +597,7 @@ typedef struct slap_access {
 
 #ifdef SLAPD_ACI_ENABLED
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeType	*a_aci_at;
+	AttributeDescription	*a_aci_at;
 #else
 	char		*a_aci_at;
 #endif
@@ -595,7 +607,7 @@ typedef struct slap_access {
 	char		*a_group_pat;
 	char		*a_group_oc;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeType	*a_group_at;
+	AttributeDescription	*a_group_at;
 #else
 	char		*a_group_at;
 #endif
@@ -846,7 +858,7 @@ struct slap_backend_info {
 	int	(*bi_acl_group)  LDAP_P((Backend *bd,
 		Entry *e, const char *bdn, const char *edn,
 		const char *objectclassValue,
-		AttributeType *group_at ));
+		AttributeDescription *group_at ));
 #else
 	int	(*bi_acl_group)  LDAP_P((Backend *bd,
 		Entry *e, const char *bdn, const char *edn,

servers/slapd/str2filter.c

@@ -16,18 +16,14 @@
 #include "slap.h"
 #include <ldap_pvt.h>
 
-static char	*find_matching_paren(char *s);
-static Filter	*str2list(char *str, long unsigned int ftype);
-static Filter	*str2simple(char *str);
-static int	str2subvals(char *val, Filter *f);
+static char	*find_matching_paren( const char *s );
+static Filter	*str2list( const char *str, long unsigned int ftype);
+static Filter	*str2simple( const char *str);
+static int	str2subvals( const char *val, Filter *f);
 
 Filter *
-str2filter( char *str )
+str2filter( const char *str )
 {
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
-	return NULL;
-#else
 	Filter	*f = NULL;
 	char	*end, *freeme;
 
@@ -94,16 +90,14 @@ str2filter( char *str )
 
 	free( freeme );
 	return( f );
-#endif
 }
 
-#ifndef SLAPD_SCHEMA_NOT_COMPAT
 /*
  * Put a list of filters like this "(filter1)(filter2)..."
  */
 
 static Filter *
-str2list( char *str, unsigned long ftype )
+str2list( const char *str, unsigned long ftype )
 {
 	Filter	*f;
 	Filter	**fp;
@@ -146,7 +140,7 @@ str2list( char *str, unsigned long ftype )
 }
 
 static Filter *
-str2simple( char *str )
+str2simple( const char *str )
 {
 	Filter		*f;
 	char		*s;
@@ -157,7 +151,7 @@ str2simple( char *str )
 	if ( (s = strchr( str, '=' )) == NULL ) {
 		return( NULL );
 	}
-	value = s + 1;
+	value = &s[1];
 	*s-- = '\0';
 	savechar = *s;
 
@@ -176,6 +170,11 @@ str2simple( char *str )
 		f->f_choice = LDAP_FILTER_APPROX;
 		*s = '\0';
 		break;
+	case ':':
+		f->f_choice = LDAP_FILTER_EXT;
+		*s = '\0';
+		break;
+
 	default:
 		if ( ldap_pvt_find_wildcard( value ) == NULL ) {
 			f->f_choice = LDAP_FILTER_EQUALITY;
@@ -183,6 +182,7 @@ str2simple( char *str )
 			f->f_choice = LDAP_FILTER_PRESENT;
 		} else {
 			f->f_choice = LDAP_FILTER_SUBSTRINGS;
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
 			f->f_sub_type = ch_strdup( str );
 			if ( str2subvals( value, f ) != 0 ) {
 				filter_free( f );
@@ -191,10 +191,12 @@ str2simple( char *str )
 			}
 			*(value-1) = '=';
 			return( f );
+#endif
 		}
 		break;
 	}
 
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
 	if ( f->f_choice == LDAP_FILTER_PRESENT ) {
 		f->f_type = ch_strdup( str );
 	} else {
@@ -206,20 +208,21 @@ str2simple( char *str )
 
 	*s = savechar;
 	*(value-1) = '=';
+#endif
 	return( f );
 }
 
 static int
-str2subvals( char *val, Filter *f )
+str2subvals( const char *in, Filter *f )
 {
-	char	*nextstar, *freeme;
+	char	*nextstar, *val, *freeme;
 	int	gotstar;
 
-	Debug( LDAP_DEBUG_FILTER, "str2subvals \"%s\"\n", val, 0, 0 );
+	Debug( LDAP_DEBUG_FILTER, "str2subvals \"%s\"\n", in, 0, 0 );
 
-	if( val == NULL ) return 0;
+	if( in == NULL ) return 0;
 
-	val = freeme = ch_strdup( val );
+	val = freeme = ch_strdup( in );
 	gotstar = 0;
 
 	while ( *val ) {
@@ -252,7 +255,7 @@ str2subvals( char *val, Filter *f )
  */
 
 static char *
-find_matching_paren( char *s )
+find_matching_paren( const char *s )
 {
 	int	balance, escape;
 
@@ -266,7 +269,7 @@ find_matching_paren( char *s )
 				balance--;
 		}
 		if ( balance == 0 ) {
-			return( s );
+			return (char *) s;
 		}
 		if ( *s == '\\' && ! escape )
 			escape = 1;
@@ -274,7 +277,5 @@ find_matching_paren( char *s )
 			escape = 0;
 	}
 
-	return( NULL );
+	return NULL;
 }
-
-#endif

servers/slapd/suffixalias.c

@@ -50,7 +50,7 @@ char *suffix_alias(
 			/* alias is longer than dn */
 			continue;
 		} else if ( diff > 0 ) {
-			if ( ! DNSEPARATOR(dn[diff-1]) ) {
+			if ( ! DN_SEPARATOR(dn[diff-1]) ) {
 				/* boundary is not at a DN separator */
 				continue;
 			}