SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify

servers/slapd/acl.c

@@ -448,38 +448,34 @@ acl_mask(
 			bv.bv_val = op->o_ndn;
 			bv.bv_len = strlen( bv.bv_val );
 
-			/* see if asker is listed in dnattr */ 
-			if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL
+			/* see if asker is listed in dnattr */
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-				/* not yet implemented */
-#else
-				&& value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0
-#endif
-			)
+			for( at = attrs_find( e->e_attrs, b->a_dn_at );
+				at == NULL;
+				at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
 			{
-				if ( b->a_dn_self && 
-					(val == NULL
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-					/* not yet implemented */
+				if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
+				}
+			}
+
 #else
-					|| value_cmp( &bv, val, at->a_syntax, 2 )
-#endif
-					) )
+			/* see if asker is listed in dnattr */
+			if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&
+				value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
+			{
+				if ( b->a_dn_self && (val == NULL
+					|| value_cmp( &bv, val, at->a_syntax, 2 ) ) )
 				{
 					continue;
 				}
 
 			/* asker not listed in dnattr - check for self access */
 			} else if ( ! b->a_dn_self || val == NULL
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-					/* not yet implemented */
-#else
-				|| value_cmp( &bv, val, at->a_syntax, 2 ) != 0
-#endif
-			)
+				|| value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
 			{
 				continue;
 			}
+#endif
 		}
 
 		if ( b->a_group_pat != NULL && op->o_ndn != NULL ) {
@@ -695,10 +691,15 @@ acl_check_modlist(
 		 * by the user
 		 */
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		/* not yet implemented */
+		if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) ) {
+ 			Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:"
+				" modify access granted\n",
+				mlist->sml_desc->ad_cname->bv_val, 0, 0 );
+			continue;
+		}
 #else
 		if ( oc_check_op_no_usermod_attr( mlist->sml_type ) ) {
- 			Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
+ 			Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:"
 				" modify access granted\n",
 				mlist->sml_type, 0, 0 );
 			continue;
@@ -984,10 +985,12 @@ aci_group_member (
 	char *grpoc;
 	char *grpat;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeDescription *grpad = NULL;
+	ObjectClass *grp_oc = NULL;
+	AttributeDescription *grp_ad = NULL;
 	char *text;
 #else
-	char *grpad;
+	char *grp_oc;
+	char *grp_ad;
 #endif
 	int rc;
 
@@ -1014,28 +1017,28 @@ aci_group_member (
 	}
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	rc = slap_str2ad( grpat, &grpad, &text );
+	rc = slap_str2ad( grpat, &grp_ad, &text );
 	if( rc != LDAP_SUCCESS ) {
 		rc = 0;
 		goto done;
 	}
 #else
-	grpad = grpat;
+	grp_ad = grpat;
 #endif
 	rc = 0;
 
 	grpdn = (char *)ch_malloc(1024);
 
-	if (grpoc != NULL && grpad != NULL && grpdn != NULL) {
+	if (grp_oc != NULL && grp_ad != NULL && grpdn != NULL) {
 		string_expand(grpdn, 1024, subjdn, e->e_ndn, matches);
 		if ( dn_normalize(grpdn) != NULL ) {
-			rc = (backend_group(be, e, grpdn, op->o_ndn, grpoc, grpad) == 0);
+			rc = (backend_group(be, e, grpdn, op->o_ndn, grp_oc, grp_ad) == 0);
 		}
 	}
 
-done:
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	if( grpad != NULL ) ad_free( grpad, 1 );
+done:
+	if( grp_ad != NULL ) ad_free( grp_ad, 1 );
 #endif
 	ch_free(grpdn);
 	ch_free(grpat);
@@ -1130,41 +1133,51 @@ aci_mask(
 			return(1);
 
 	} else if (aci_strbvcmp( "dnattr", &bv ) == 0) {
-		Attribute *at;
 		char *dnattr = aci_bvstrdup(&sdn);
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		AttributeDescription *dnad = NULL;
-		char *text;
-		rc = slap_str2ad( dnattr, &dnad, &text );
+		Attribute *at;
+		AttributeDescription *ad = NULL;
+		const char *text;
+
+		rc = slap_str2ad( dnattr, &ad, &text );
 		ch_free( dnattr );
 
-		if ( rc == LDAP_SUCCESS ) {
-#else
-			char *dnad = dnattr;
-#endif
-			at = attr_find( e->e_attrs, dnad );
-#ifdef SLAPD_SCHEMA_NOT_COMAT
-			ad_free( dnad, 1 );
-#else
-			ch_free( dnad );
-#endif
-			if (at != NULL) {
-				bv.bv_val = op->o_ndn;
-				bv.bv_len = strlen( bv.bv_val );
-
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-				/* not yet implemented */
-#else
-				if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
-					return(1);
-#endif
-			}
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-		} else {
-			ad_free( dnad, 1 );
-#endif
+		if( rc != LDAP_SUCCESS ) {
+			return 0;
 		}
 
+		rc = 0;
+
+		bv.bv_val = op->o_ndn;
+		bv.bv_len = strlen( bv.bv_val );
+
+		for(at = attrs_find( e->e_attrs, ad );
+			at != NULL;
+			at = attrs_find( at->a_next, ad ) )
+		{
+			if (value_find( ad, at->a_vals, &bv) == 0 ) {
+				rc = 1;
+				break;
+			}
+		}
+
+		ad_free( ad, 1 );
+		return rc;
+
+#else
+		Attribute *at;
+		at = attr_find( e->e_attrs, dnattr );
+		ch_free( dnattr );
+
+		if (at != NULL) {
+			bv.bv_val = op->o_ndn;
+			bv.bv_len = strlen( bv.bv_val );
+
+			if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
+				return(1);
+		}
+#endif
+
 	} else if (aci_strbvcmp( "group", &bv ) == 0) {
 		if (aci_group_member(&sdn, "groupOfNames", "member", be, e, op, matches))
 			return(1);

servers/slapd/aclparse.c

@@ -384,12 +384,49 @@ parse_acl(
 					b->a_group_pat = ch_strdup( right );
 
 					if (value && *value) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+						b->a_group_oc = oc_find( value );
+#else
 						b->a_group_oc = ch_strdup(value);
+#endif
+						if( b->a_group_oc == NULL ) {
+							fprintf( stderr,
+								"%s: line %d: group objectclass \"%s\" unknown\n",
+								fname, lineno, value );
+							acl_usage();
+						}
+
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+						if( is_object_subclass( b->a_group_oc,
+							slap_schema.si_oc_referral ) )
+						{
+							fprintf( stderr,
+								"%s: line %d: group objectclass \"%s\" is subclass of referral\n",
+								fname, lineno, value );
+							acl_usage();
+						}
+
+						if( is_object_subclass( b->a_group_oc,
+							slap_schema.si_oc_alias ) )
+						{
+							fprintf( stderr,
+								"%s: line %d: group objectclass \"%s\" is subclass of alias\n",
+								fname, lineno, value );
+							acl_usage();
+						}
+#endif
+
 						*--value = '/';
+
 					} else {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+						b->a_group_oc = slap_schema.si_oc_groupOfNames;
+#else
 						b->a_group_oc = ch_strdup("groupOfNames");
+#endif
 					}
 
+
 					if (name && *name) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 						rc = slap_str2ad( right, &b->a_group_at, &text );
@@ -430,6 +467,31 @@ parse_acl(
 							fname, lineno );
 						acl_usage();
 					}
+
+
+					{
+						int rc;
+						struct berval val;
+						struct berval *vals[2];
+
+						val.bv_val = b->a_group_oc->soc_oid;
+						val.bv_len = strlen(val.bv_val);
+						vals[0] = &val;
+						vals[1] = NULL;
+
+
+						rc = oc_check_allowed( b->a_group_at->ad_type, vals );
+
+						if( rc != 0 ) {
+							fprintf( stderr,
+								"%s: line %d: group: \"%s\" not allowed by \"%s\"\n",
+								fname, lineno,
+								b->a_group_at->ad_type,
+								b->a_group_oc->soc_oid );
+							acl_usage();
+						}
+					}
+
 #endif /* SLAPD_SCHEMA_NOT_COMPAT */
 					continue;
 				}

servers/slapd/back-ldbm/compare.c

@@ -107,7 +107,7 @@ ldbm_back_compare(
 		rc = LDAP_COMPARE_FALSE;
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		/* not yet implemented */
+		if ( value_find( ava->aa_desc, a->a_vals, ava->aa_value ) == 0 )
 #else
 		if ( value_find( a->a_vals, &ava->ava_value, a->a_syntax, 1 ) == 0 )
 #endif

servers/slapd/back-ldbm/external.h

@@ -83,14 +83,15 @@ extern int	ldbm_back_abandon LDAP_P(( BackendDB *bd,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 extern int	ldbm_back_group LDAP_P(( BackendDB *bd,
 	Entry *target,
-	const char* gr_ndn, const char* op_ndn,
-	const char* objectclassValue,
+	const char* gr_ndn,
+	const char* op_ndn,
+	ObjectClass* group_oc,
 	AttributeDescription* group_at));
 #else
 extern int	ldbm_back_group LDAP_P(( BackendDB *bd,
 	Entry *target,
 	const char* gr_ndn, const char* op_ndn,
-	const char* objectclassValue,
+	const char* group_oc,
 	const char* group_at));
 #endif
 

servers/slapd/back-ldbm/group.c

@@ -27,10 +27,11 @@ ldbm_back_group(
 	Entry	*target,
 	const char	*gr_ndn,
 	const char	*op_ndn,
-	const char	*objectclassValue,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+	ObjectClass *group_oc,
 	AttributeDescription *group_at
 #else
+	const char	*group_oc,
 	const char	*group_at
 #endif
 )
@@ -41,12 +42,20 @@ ldbm_back_group(
 	Attribute   *attr;
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeDescription *objectClass = slap_schema.si_ad_objectClass;
-	const char *groupattrName = group_at->ad_cname->bv_val;
+	AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass;
+	const char *group_oc_name = NULL;
+	const char *group_at_name = group_at->ad_cname->bv_val;
+
+	if( group_oc->soc_names && group_oc->soc_names[0] ) {
+		group_oc_name = group_oc->soc_names[0];
+	} else {
+		group_oc_name = group_oc->soc_oid;
+	}
 #else
 	struct berval bv;
-	const char *objectClass = "objectclass";
-	const char *groupattrName = group_at;
+	const char *ad_objectClass = "objectclass";
+	const char *group_oc_name = group_oc;
+	const char *group_at_name = group_at;
 #endif
 
 	Debug( LDAP_DEBUG_ARGS,
@@ -56,8 +65,8 @@ ldbm_back_group(
 		"=> ldbm_back_group: op dn: \"%s\"\n",
 		op_ndn, 0, 0 ); 
 	Debug( LDAP_DEBUG_ARGS,
-		"=> ldbm_back_group: objectClass: \"%s\" attrName: \"%s\"\n", 
-		objectclassValue, groupattrName, 0 ); 
+		"=> ldbm_back_group: oc: \"%s\" at: \"%s\"\n", 
+		group_oc_name, group_at_name, 0 ); 
 
 	Debug( LDAP_DEBUG_ARGS,
 		"=> ldbm_back_group: tr dn: \"%s\"\n",
@@ -91,7 +100,7 @@ ldbm_back_group(
         
 	rc = 1;
         
-	if ((attr = attr_find(e->e_attrs, objectClass)) == NULL)  {
+	if ((attr = attr_find(e->e_attrs, ad_objectClass)) == NULL)  {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
 		goto return_results;
@@ -120,26 +129,26 @@ ldbm_back_group(
 		goto return_results;
 	}
 
-	bv.bv_val = (char *) objectclassValue;
+	bv.bv_val = (char *) group_oc_name;
 	bv.bv_len = strlen( bv.bv_val );         
 
 	if (value_find(attr->a_vals, &bv, attr->a_syntax, 1) != 0) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: failed to find %s in objectClass\n", 
-				objectclassValue, 0, 0 ); 
+				group_oc_name, 0, 0 ); 
 		goto return_results;
 	}
 
 	if ((attr = attr_find(e->e_attrs, group_at)) == NULL) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: failed to find %s\n",
-			groupattrName, 0, 0 ); 
+			group_at_name, 0, 0 ); 
 		goto return_results;
 	}
 
 	Debug( LDAP_DEBUG_ACL,
 		"<= ldbm_back_group: found objectClass %s and %s\n",
-		objectclassValue, groupattrName, 0 ); 
+		group_oc_name, group_at_name, 0 ); 
 
 	bv.bv_val = (char *) op_ndn;
 	bv.bv_len = strlen( op_ndn );         
@@ -148,14 +157,14 @@ ldbm_back_group(
 	{
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_group: \"%s\" not in \"%s\": %s\n", 
-			op_ndn, gr_ndn, groupattrName ); 
+			op_ndn, gr_ndn, group_at_name ); 
 		goto return_results;
 	}
 #endif
 
 	Debug( LDAP_DEBUG_ACL,
 		"<= ldbm_back_group: \"%s\" is in \"%s\": %s\n", 
-		op_ndn, gr_ndn, groupattrName ); 
+		op_ndn, gr_ndn, group_at_name ); 
 
 	rc = 0;
 

servers/slapd/back-ldbm/modify.c

@@ -123,13 +123,13 @@ int ldbm_modify_internal(
 		switch ( mod->sm_op ) {
 		case LDAP_MOD_REPLACE: {
 			/* Need to remove all values from indexes */
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			/* not yet implemented */
+#else
 			Attribute *a = save_attrs
 				? attr_find( save_attrs, mod->sm_desc )
 				: NULL;
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
-#else
 			if( a != NULL ) {
 				(void) index_change_values( be,
 					mod->mod_type,
@@ -177,13 +177,13 @@ int ldbm_modify_internal(
 
 		case LDAP_MOD_DELETE: {
 			/* Need to add all remaining values */
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			/* not yet implemented */
+#else
 			Attribute *a = e->e_attrs
 				? attr_find( e->e_attrs, mod->sm_desc )
 				: NULL;
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
-#else
 			if( a != NULL ) {
 				(void) index_change_values( be,
 					mod->mod_type,
@@ -313,14 +313,14 @@ add_values(
 	if ( a != NULL ) {
 		for ( i = 0; mod->sm_bvalues[i] != NULL; i++ ) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
+			if ( value_find( desc, a->a_vals, mod->sm_bvalues[i] ) == 0 )
 #else
 			if ( value_find( a->a_vals, mod->sm_bvalues[i],
 			    a->a_syntax, 3 ) == 0 )
+#endif
 			{
 				return( LDAP_TYPE_OR_VALUE_EXISTS );
 			}
-#endif
 		}
 	}
 
@@ -339,33 +339,45 @@ delete_values(
     char	*dn
 )
 {
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-	/* not yet implemented */
-#else
 	int		i, j, k, found;
 	Attribute	*a;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	char *desc = mod->sm_desc->ad_cname->bv_val;
+#else
+	char *desc = mod->mod_type;
+#endif
 
 	/* delete the entire attribute */
-	if ( mod->mod_bvalues == NULL ) {
+	if ( mod->sm_bvalues == NULL ) {
 		Debug( LDAP_DEBUG_ARGS, "removing entire attribute %s\n",
-		    mod->mod_type, 0, 0 );
-		return( attr_delete( &e->e_attrs, mod->mod_type ) ?
+		    desc, 0, 0 );
+		return( attr_delete( &e->e_attrs, mod->sm_desc ) ?
 		    LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS );
 	}
 
 	/* delete specific values - find the attribute first */
-	if ( (a = attr_find( e->e_attrs, mod->mod_type )) == NULL ) {
+	if ( (a = attr_find( e->e_attrs, mod->sm_desc )) == NULL ) {
 		Debug( LDAP_DEBUG_ARGS, "could not find attribute %s\n",
-		    mod->mod_type, 0, 0 );
+		    desc, 0, 0 );
 		return( LDAP_NO_SUCH_ATTRIBUTE );
 	}
 
 	/* find each value to delete */
-	for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) {
+	for ( i = 0; mod->sm_bvalues[i] != NULL; i++ ) {
 		found = 0;
 		for ( j = 0; a->a_vals[j] != NULL; j++ ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			int match;
+			const char *text;
+			int rc = value_match( &match, mod->sm_desc, NULL,
+				mod->sm_bvalues[i], a->a_vals[j], &text );
+
+			if( rc == LDAP_SUCCESS && match == 0 )
+#else
 			if ( value_cmp( mod->mod_bvalues[i], a->a_vals[j],
-			    a->a_syntax, 3 ) != 0 ) {
+			    a->a_syntax, 3 ) != 0 )
+#endif
+			{
 				continue;
 			}
 			found = 1;
@@ -381,8 +393,8 @@ delete_values(
 			if ( a->a_vals[0] == NULL) {
 				Debug( LDAP_DEBUG_ARGS,
 					"removing entire attribute %s\n",
-					mod->mod_type, 0, 0 );
-				if ( attr_delete( &e->e_attrs, mod->mod_type ) ) {
+					desc, 0, 0 );
+				if ( attr_delete( &e->e_attrs, mod->sm_desc ) ) {
 					return LDAP_NO_SUCH_ATTRIBUTE;
 				}
 			}
@@ -394,11 +406,10 @@ delete_values(
 		if ( ! found ) {
 			Debug( LDAP_DEBUG_ARGS,
 			    "could not find value for attr %s\n",
-			    mod->mod_type, 0, 0 );
+			    desc, 0, 0 );
 			return LDAP_NO_SUCH_ATTRIBUTE;
 		}
 	}
-#endif
 
 	return( LDAP_SUCCESS );
 }

servers/slapd/back-ldbm/modrdn.c

@@ -320,34 +320,28 @@ ldbm_back_modrdn(
 	/* Retrieve the old rdn from the entry's dn */
 
 	if ( (old_rdn = dn_rdn( be, dn )) == NULL ) {
-
 		Debug( LDAP_DEBUG_TRACE,
 		       "ldbm_back_modrdn: can't figure out old_rdn from dn\n",
 		       0, 0, 0 );
 		send_ldap_result( conn, op, LDAP_OTHER,
 			NULL, "could not parse old DN", NULL, NULL );
 		goto return_results;		
-
 	}
 
 	if ( (old_rdn_type = rdn_attr_type( old_rdn )) == NULL ) {
-	    
 		Debug( LDAP_DEBUG_TRACE,
 		       "ldbm_back_modrdn: can't figure out the old_rdn type\n",
 		       0, 0, 0 );
 		send_ldap_result( conn, op, LDAP_OTHER,
 			NULL, "count parse RDN from old DN", NULL, NULL );
 		goto return_results;		
-		
 	}
 	
 	if ( strcasecmp( old_rdn_type, new_rdn_type ) != 0 ) {
-
 	    /* Not a big deal but we may say something */
 	    Debug( LDAP_DEBUG_TRACE,
 		   "ldbm_back_modrdn: old_rdn_type=%s, new_rdn_type=%s!\n",
 		   old_rdn_type, new_rdn_type, 0 );
-	    
 	}		
 
 		Debug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: DN_X500\n",
@@ -363,13 +357,28 @@ ldbm_back_modrdn(
 		add_bv.bv_len = strlen(new_rdn_val);
 		
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		/* not yet implemented */
+		{
+			int rc;
+			const char *text;
+
+			mod[0].sml_desc = NULL;
+			rc = slap_str2ad( new_rdn_type, &mod[0].sml_desc, &text );
+
+			if( rc != LDAP_SUCCESS ) {
+				Debug( LDAP_DEBUG_TRACE,
+					"ldbm_back_modrdn: %s: %s (new)\n",
+					text, new_rdn_type, 0 );
+				send_ldap_result( conn, op, rc,
+					NULL, text, NULL, NULL );
+				goto return_results;		
+			}
+		}
 #else
-		mod[0].ml_type = new_rdn_type;	
-		mod[0].ml_bvalues = add_bvals;
-		mod[0].ml_op = SLAP_MOD_SOFTADD;
-		mod[0].ml_next = NULL;
+		mod[0].sml_type = new_rdn_type;	
 #endif
+		mod[0].sml_bvalues = add_bvals;
+		mod[0].sml_op = SLAP_MOD_SOFTADD;
+		mod[0].sml_next = NULL;
 
 		/* Remove old rdn value if required */
 
@@ -383,7 +392,7 @@ ldbm_back_modrdn(
 				       "ldbm_back_modrdn: can't figure out old_rdn_val from old_rdn\n",
 				       0, 0, 0 );
 				send_ldap_result( conn, op, LDAP_OTHER,
-					NULL, "cound not parse value from old RDN", NULL, NULL );
+					NULL, "could not parse value from old RDN", NULL, NULL );
 				goto return_results;		
 			}
 
@@ -396,17 +405,29 @@ ldbm_back_modrdn(
 			del_bv.bv_len = strlen(old_rdn_val);
 
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-			/* not yet implemented */
+			{
+				int rc;
+				const char *text;
+
+				mod[1].sml_desc = NULL;
+				rc = slap_str2ad( old_rdn_type, &mod[0].sml_desc, &text );
+
+				if( rc != LDAP_SUCCESS ) {
+					Debug( LDAP_DEBUG_TRACE,
+						"ldbm_back_modrdn: %s: %s (old)\n",
+						text, old_rdn_type, 0 );
+					send_ldap_result( conn, op, rc,
+						NULL, text, NULL, NULL );
+					goto return_results;		
+				}
+			}
 #else
-			/* No need to normalize old_rdn_type, delete_values()
-			 * does that for us
-			 */
-			mod[0].ml_next = &mod[1];
-			mod[1].ml_type = old_rdn_type;	
-			mod[1].ml_bvalues = del_bvals;
-			mod[1].ml_op = LDAP_MOD_DELETE;
-			mod[1].ml_next = NULL;
+			mod[1].sml_type = old_rdn_type;	
 #endif
+			mod[0].sml_next = &mod[1];
+			mod[1].sml_bvalues = del_bvals;
+			mod[1].sml_op = LDAP_MOD_DELETE;
+			mod[1].sml_next = NULL;
 
 			Debug( LDAP_DEBUG_TRACE,
 			       "ldbm_back_modrdn: removing old_rdn_val=%s\n",

servers/slapd/backend.c

@@ -635,19 +635,20 @@ backend_group(
 	Entry	*target,
 	const char	*gr_ndn,
 	const char	*op_ndn,
-	const char	*objectclassValue,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+	ObjectClass *group_oc,
 	AttributeDescription *group_at
 #else
+	const char	*group_oc,
 	const char	*group_at
 #endif
 )
 {
 	if (be->be_group)
 		return( be->be_group(be, target, gr_ndn, op_ndn,
-			objectclassValue, group_at) );
+			group_oc, group_at) );
 	else
-		return(1);
+		return LDAP_UNWILLING_TO_PERFORM;
 }
 
 #ifdef SLAPD_SCHEMA_DN

servers/slapd/modify.c

@@ -453,7 +453,7 @@ int slap_mods_opattrs(
 
 	mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) );
 	mod->sml_op = mop;
-	mod->sml_desc = slap_schema.si_ad_modifiersName;
+	mod->sml_desc = ad_dup( slap_schema.si_ad_modifiersName );
 	mod->sml_bvalues = (struct berval **) malloc( 2 * sizeof( struct berval * ) );
 	mod->sml_bvalues[0] = ber_bvdup( &name );
 	mod->sml_bvalues[1] = NULL;
@@ -462,7 +462,7 @@ int slap_mods_opattrs(
 
 	mod = (Modifications *) ch_calloc( 1, sizeof( Modifications ) );
 	mod->sml_op = mop;
-	mod->sml_desc = slap_schema.si_ad_modifyTimestamp;
+	mod->sml_desc = ad_dup( slap_schema.si_ad_modifyTimestamp );
 	mod->sml_bvalues = (struct berval **) malloc( 2 * sizeof( struct berval * ) );
 	mod->sml_bvalues[0] = ber_bvdup( &timestamp );
 	mod->sml_bvalues[1] = NULL;

servers/slapd/oc.c

@@ -16,6 +16,29 @@
 #include "slap.h"
 #include "ldap_pvt.h"
 
+int is_object_subclass(
+	ObjectClass *sub,
+	ObjectClass *sup )
+{
+	int i;
+
+	if( sup == sub ) {
+		return 1;
+	}
+
+	if( sup->soc_sups == NULL ) {
+		return 0;
+	}
+
+	for( i=0; sup->soc_sups[i] != NULL; i++ ) {
+		if( is_object_subclass( sup->soc_sups[i], sup ) ) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 int is_entry_objectclass(
 	Entry*	e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT

servers/slapd/proto-slap.h

@@ -197,16 +197,16 @@ LIBSLAPD_F (int) backend_group LDAP_P((Backend *be,
 	Entry *target,
 	const char *gr_ndn,
 	const char *op_ndn,
-	const char *objectclassValue,
-	AttributeDescription *groupAttrType
+	ObjectClass *group_oc,
+	AttributeDescription *group_at
 ));
 #else
 LIBSLAPD_F (int) backend_group LDAP_P((Backend *be,
 	Entry *target,
 	const char *gr_ndn,
 	const char *op_ndn,
-	const char *objectclassValue,
-	const char *groupattrName
+	const char *group_oc,
+	const char *group_at
 ));
 #endif
 
@@ -568,8 +568,17 @@ LIBSLAPD_F (int) oc_check_op_attr LDAP_P(( const char *type ));
 LIBSLAPD_F (int) oc_check_op_usermod_attr LDAP_P(( const char *type ));
 LIBSLAPD_F (int) oc_check_op_no_usermod_attr LDAP_P(( const char *type ));
 #endif
-LIBSLAPD_F (ObjectClass *) oc_find LDAP_P((const char *ocname));
-LIBSLAPD_F (int) oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err));
+LIBSLAPD_F (ObjectClass *) oc_find LDAP_P((
+	const char *ocname));
+
+LIBSLAPD_F (int) oc_add LDAP_P((
+	LDAP_OBJECT_CLASS *oc,
+	const char **err));
+
+LIBSLAPD_F (int) is_object_subclass LDAP_P((
+	ObjectClass *sub,
+	ObjectClass *sup ));
+
 
 LIBSLAPD_F (Syntax *) syn_find LDAP_P((const char *synname));
 LIBSLAPD_F (Syntax *) syn_find_desc LDAP_P((const char *syndesc, int *slen));
@@ -637,6 +646,11 @@ LIBSLAPD_F (int) is_entry_objectclass LDAP_P((
 /*
  * schema_check.c
  */
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+int oc_check_allowed(
+	AttributeType *type,
+	struct berval **oclist );
+#endif
 LIBSLAPD_F (int) entry_schema_check LDAP_P((
 	Entry *e, Attribute *attrs,
 	const char** text ));
@@ -707,10 +721,8 @@ LIBSLAPD_F (int) value_match LDAP_P((
 	const char ** text ));
 LIBSLAPD_F (int) value_find LDAP_P((
 	AttributeDescription *ad,
-	MatchingRule *mr,
 	struct berval **values,
-	struct berval *value,
-	const char ** text ));
+	struct berval *value ));
 #else
 LIBSLAPD_F (int) value_add_fast LDAP_P(( struct berval ***vals, struct berval **addvals, int nvals, int naddvals, int *maxvals ));
 LIBSLAPD_F (void) value_normalize LDAP_P(( char *s, int syntax ));

servers/slapd/schema_check.c

@@ -16,11 +16,7 @@
 #include "slap.h"
 #include "ldap_pvt.h"
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-static int oc_check_allowed(
-	AttributeType *type,
-	struct berval **oclist );
-#else
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
 static int		oc_check_allowed(char *type, struct berval **oclist);
 #endif
 static char *	oc_check_required(Entry *e, struct berval *ocname);
@@ -181,8 +177,10 @@ oc_check_required( Entry *e, struct berval *ocname )
 	return( NULL );
 }
 
-static int
-oc_check_allowed(
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
+static
+#endif
+int oc_check_allowed(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	AttributeType *at,
 #else

servers/slapd/schema_prep.c

@@ -47,9 +47,7 @@ struct slap_schema_oc_map {
 	{ "LDAProotDSE", offsetof(struct slap_internal_schema, si_oc_rootdse) },
 	{ "LDAPsubentry", offsetof(struct slap_internal_schema, si_oc_subentry) },
 	{ "subschema", offsetof(struct slap_internal_schema, si_oc_subschema) },
-#ifdef SLAPD_ACI_ENABLED
 	{ "groupOfNames", offsetof(struct slap_internal_schema, si_oc_groupOfNames) },
-#endif
 	{ NULL, 0 }
 };
 

servers/slapd/slap.h

@@ -336,9 +336,7 @@ struct slap_internal_schema {
 	ObjectClass *si_oc_subentry;
 	ObjectClass *si_oc_subschema;
 	ObjectClass *si_oc_rootdse;
-#ifdef SLAPD_ACI_ENABLED
 	ObjectClass *si_oc_groupOfNames;
-#endif
 
 	/* objectClass attribute */
 	AttributeDescription *si_ad_objectClass;
@@ -734,10 +732,11 @@ typedef struct slap_access {
 
 	/* ACL Groups */
 	char		*a_group_pat;
-	char		*a_group_oc;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+	ObjectClass				*a_group_oc;
 	AttributeDescription	*a_group_at;
 #else
+	char		*a_group_oc;
 	char		*a_group_at;
 #endif
 
@@ -989,12 +988,12 @@ struct slap_backend_info {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	int	(*bi_acl_group)  LDAP_P((Backend *bd,
 		Entry *e, const char *bdn, const char *edn,
-		const char *objectclassValue,
+		ObjectClass *group_oc,
 		AttributeDescription *group_at ));
 #else
 	int	(*bi_acl_group)  LDAP_P((Backend *bd,
 		Entry *e, const char *bdn, const char *edn,
-		const char *objectclassValue,
+		const char *group_oc,
 		const char *group_at ));
 #endif
 

servers/slapd/slapd.conf

@@ -39,4 +39,6 @@ rootdn		"cn=Manager, dc=my-domain, dc=com"
 # cleartext passwords, especially for the rootdn, should
 # be avoid.  See slapd.conf(5) for details.
 rootpw		secret
+# this directory MUST exist and be writable by the slapd/tools
+# process before running slapd and/or tools.
 directory	%LOCALSTATEDIR%/openldap-ldbm

servers/slapd/value.c

@@ -274,10 +274,8 @@ value_cmp(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 int value_find(
 	AttributeDescription *ad,
-	MatchingRule *mr,
 	struct berval **vals,
-	struct berval *val,
-	const char ** text )
+	struct berval *val )
 #else
 int
 value_find(
@@ -288,12 +286,20 @@ value_find(
 #endif
 {
 	int	i;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	MatchingRule *mr = ad->ad_type->sat_equality;
+
+	if( mr == NULL ) {
+		return LDAP_INAPPROPRIATE_MATCHING;
+	}
+#endif
 
 	for ( i = 0; vals[i] != NULL; i++ ) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 		int rc;
 		int match;
-		rc = value_match( &match, ad, mr, vals[i], val, text );
+		const char *text;
+		rc = value_match( &match, ad, mr, vals[i], val, &text );
 
 		if( rc == LDAP_SUCCESS && match == 0 )
 #else