suck in changes from devel

Fixed -lldap TLS issues (ITS#733)
Fixed -lldap_r NT threads (ITS#732)
Fixed slapd/ldbm DB_PRIVATE not set bug (ITS#725)
Fixed slapd/ldbm nextid reporting bug
Fixed slapd syntaxes/mr routines (ITS#739)
Fixed slurpd -r buffer overflow (ITS#722)
Added slapd syntax/mr routines
Added slapd allow/disallow options
Added slapd defaultSearchBase and DN verify (ITS#723)
Build Environment
  Added Corba & Java Schema
  Updated MSVC projects for BDB 3.1

CHANGES

@@ -3,19 +3,30 @@ OpenLDAP 2.0 Change Log
 OpenLDAP 2.0.X Engineering
 	Fixed KBIND (ITS#717)
 	Fixed clients/tools -R handling (ITS#726)
+	Fixed -lldap TLS issues (ITS#733)
+	Fixed -lldap_r NT threads (ITS#732)
 	Fixed ldappasswd -A -S crash (ITS#714)
 	Fixed ldappasswd user argument usage
 	Fixed slapd disallow bind_anon (ITS#721)
 	Fixed slapd IPv6 issues (ITS#716)
 	Fixed slapd MIT KPASSWD Compatibility (ITS#715)
 	Fixed slapd time syntax routines (ITS#713)
-	Updated slapd root DSE inappropriate op handling
+	Fixed slapd/ldbm DB_PRIVATE not set bug (ITS#725)
+	Fixed slapd/ldbm nextid reporting bug
+	Fixed slapd syntaxes/mr routines (ITS#739)
+	Fixed slurpd -r buffer overflow (ITS#722)
+	Updated slapd rootDSE inappropriate op handling
+	Added slapd syntax/mr routines
+	Added slapd allow/disallow options
+	Added slapd defaultSearchBase and DN verify (ITS#723)
 	Build Environment
 		Added test000-rootdse
+		Added Corba & Java Schema
+		Updated MSVC projects for BDB 3.1
 		Fixed Kerberos detection (ITS#717)
 		Remove incompatible contribWare
 	Documentation
-		Fixed ldappasswd(1) user argument usage
+		Fixed ldappasswd(1) usage
 		Fixed ldapmodify(1) (ITS#719)
 		Updated release documents (ITS#720)
 

configure

@@ -37,7 +37,7 @@ ac_help="$ac_help
 ac_help="$ac_help
   --enable-referrals	  enable V2 Referrals extension (yes)"
 ac_help="$ac_help
-  --enable-kbind	  enable V2 Kerberos IV bind (auto)"
+  --enable-kbind	  enable V2 Kerberos IV bind (no)"
 ac_help="$ac_help
   --enable-ipv6 	  enable IPv6 support (auto)"
 ac_help="$ac_help
@@ -1284,7 +1284,7 @@ if test "${enable_kbind+set}" = set; then
 	ol_enable_kbind="$ol_arg"
 
 else
-  	ol_enable_kbind="auto"
+  	ol_enable_kbind="no"
 fi
 # end --enable-kbind
 # OpenLDAP --enable-ipv6
@@ -2263,7 +2263,7 @@ if test $ol_enable_kbind = yes -o $ol_enable_kpasswd = yes ; then
 	fi
 	ol_with_kerberos=yes
 elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then
-	if test $ol_with_kerberos != no -a $ol_with_kerberos != no ; then
+	if test $ol_with_kerberos != no -a $ol_with_kerberos != auto ; then
 		echo "configure: warning: Kerberos detection enabled unnecessarily" 1>&2;
 	fi
 	ol_with_kerberos=no

configure.in

@@ -105,7 +105,7 @@ OL_ARG_ENABLE(syslog,[  --enable-syslog	  enable syslog support], auto)dnl
 OL_ARG_ENABLE(proctitle,[  --enable-proctitle	  enable proctitle support], yes)dnl
 OL_ARG_ENABLE(cache,[  --enable-cache	  enable caching], yes)dnl
 OL_ARG_ENABLE(referrals,[  --enable-referrals	  enable V2 Referrals extension], yes)dnl
-OL_ARG_ENABLE(kbind,[  --enable-kbind	  enable V2 Kerberos IV bind], auto)dnl
+OL_ARG_ENABLE(kbind,[  --enable-kbind	  enable V2 Kerberos IV bind], no)dnl
 OL_ARG_ENABLE(ipv6,[  --enable-ipv6 	  enable IPv6 support], auto)dnl
 OL_ARG_ENABLE(local,[  --enable-local	  enable AF_LOCAL (AF_UNIX) socket support], auto)dnl
 OL_ARG_ENABLE(x_compile,[  --enable-x-compile	  enable cross compiling],
@@ -340,7 +340,7 @@ if test $ol_enable_kbind = yes -o $ol_enable_kpasswd = yes ; then
 	fi
 	ol_with_kerberos=yes
 elif test $ol_enable_kbind = no -o $ol_enable_kpasswd = no ; then
-	if test $ol_with_kerberos != no -a $ol_with_kerberos != no ; then
+	if test $ol_with_kerberos != no -a $ol_with_kerberos != auto ; then
 		AC_MSG_WARN([Kerberos detection enabled unnecessarily]);
 	fi
 	ol_with_kerberos=no

doc/man/man5/slapd.conf.5

@@ -72,6 +72,14 @@ attributes (specified by <what>) by one or more requestors (specified
 by <who>).
 See the "OpenLDAP's Administrator's Guide" for details.
 .TP
+.B allow <features>
+Specify a set of features (separated by white space) to
+allow (default none).
+.B tls_2_anon
+allows Start TLS to force session to anonymous status (see also
+.B disallow
+.BR tls_authc ).
+.TP
 .B argsfile <filename>
 The ( absolute ) name of a file that will hold the 
 .B slapd
@@ -125,17 +133,30 @@ recommended that
 directives be used instead.
 .RE
 .TP
+.B defaultsearchbase <dn>
+Specify a default search base to use when client submits a
+non-base search request with an empty base DN.
+.TP
 .B disallow <features>
-Specify a set of features (separated by white space) to disallow.
+Specify a set of features (separated by white space) to
+disallow (default none).
 .B bind_v2
 disables acceptance of LDAPv2 bind requests.
 .B bind_anon
 disables acceptance of anonymous bind requests.
 .B bind_anon_cred
-disables anonymous bind creditials are not empty (e.g. when
-DN is empty).
+disables anonymous bind creditials are not empty (e.g.
+when DN is empty).
 .B bind_anon_dn
 disables anonymous bind when DN is not empty.
+.B bind_simple
+disables simple (bind) authentication.
+.B bind_krbv4
+disables Kerberos V4 (bind) authentication.
+.B tls_authc
+disables StartTLS if authenticated (see also
+.B allow
+.BR tls_2_anon ).
 .TP
 .B idletimeout <integer>
 Specify the number of seconds to wait before forcibly closing
@@ -242,7 +263,8 @@ cannot find a local database to handle a request.
 If specified multiple times, each url is provided.
 .TP
 .B require <conditions>
-Specify a set of conditions (separated by white space) to require.
+Specify a set of conditions (separated by white space) to
+require (default none).
 The directive may be specified globally and/or per-database.
 .B bind
 requires bind operation prior to directory operations.
@@ -478,7 +500,9 @@ for more information.
 Specify the distinguished name that is not subject to access control 
 or administrative limit restrictions for operations on this database.
 This DN may or may not be associated with an entry.  An empty root
-DN, the default, specifies no root access is to be granted.
+DN (the default) specifies no root access is to be granted.  It is
+recommended that the rootdn only be specified when needed (such as
+when initially populating a database).
 .TP
 .B rootpw <password>
 Specify a password (or hash of the password) for the rootdn.
@@ -488,8 +512,8 @@ the server (see
 desription) as well as cleartext.
 .BR slappasswd (8) 
 may be used to generate a hash of a password.  Cleartext
-and \fB{CRYPT}\fP passwords are not recommended.  The default
-is empty imply authentication of the root DN is by other means
+and \fB{CRYPT}\fP passwords are not recommended.  If empty
+(the default), authentication of the root DN is by other means
 (e.g. SASL).  Use of SASL is encouraged.
 .TP
 .B suffix <dn suffix>

include/ldbm.h

@@ -236,7 +236,7 @@ LDAP_END_DECL
 
 LDAP_BEGIN_DECL
 
-LDAP_LDBM_F (int) ldbm_initialize( void );
+LDAP_LDBM_F (int) ldbm_initialize( const char * );
 LDAP_LDBM_F (int) ldbm_shutdown( void );
 
 LDAP_LDBM_F (int) ldbm_errno( LDBM ldbm );

libraries/libldap/init.c

@@ -86,8 +86,8 @@ static const struct ol_attribute {
 	{1, ATTR_TLS,		"TLS_KEY",		NULL,	LDAP_OPT_X_TLS_KEYFILE},
   	{0, ATTR_TLS,		"TLS_CACERT",	NULL,	LDAP_OPT_X_TLS_CACERTFILE},
   	{0, ATTR_TLS,		"TLS_CACERTDIR",NULL,	LDAP_OPT_X_TLS_CACERTDIR},
-  	{1, ATTR_TLS,		"TLS_REQCERT",	NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
-	{1, ATTR_TLS,		"TLS_RANDFILE",	NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
+  	{0, ATTR_TLS,		"TLS_REQCERT",	NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
+	{0, ATTR_TLS,		"TLS_RANDFILE",	NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
 #endif
 
 	{0, ATTR_NONE,		NULL,		NULL,	0}
@@ -443,12 +443,6 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
 
 	ldap_int_utils_init();
 
-#ifdef HAVE_TLS
-   	ldap_pvt_tls_init();
-#endif
-
-	ldap_int_sasl_init();
-
 	if ( ldap_int_tblsize == 0 )
 		ldap_int_ip_init();
 
@@ -503,4 +497,6 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
 	}
 
 	openldap_ldap_init_w_env(gopts, NULL);
+
+	ldap_int_sasl_init();
 }

libraries/libldap/tls.c

@@ -97,7 +97,7 @@ static void tls_init_threads( void )
 #endif /* LDAP_R_COMPILE */
 
 /*
- * Initialize tls system. Should be called only once.
+ * Initialize TLS subsystem. Should be called only once.
  */
 int
 ldap_pvt_tls_init( void )
@@ -105,15 +105,17 @@ ldap_pvt_tls_init( void )
 	static int tls_initialized = 0;
 
 	if ( tls_initialized ) return 0;
+	tls_initialized = 1;
 
 	(void) tls_seed_PRNG( tls_opt_randfile );
 
-	tls_initialized = 1;
 #ifdef LDAP_R_COMPILE
 	tls_init_threads();
 #endif
+
 	SSL_load_error_strings();
 	SSLeay_add_ssl_algorithms();
+
 	/* FIXME: mod_ssl does this */
 	X509V3_add_standard_extensions();
 	return 0;
@@ -651,7 +653,8 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb )
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&p );
 		return p;
 	}
-		return NULL;
+
+	return NULL;
 }
 
 void *
@@ -858,7 +861,6 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 int
 ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 {
-	/* Make sure tls is initialized, including PRNG properly seeded. */
 	ldap_pvt_tls_init();
 
 	/*
@@ -990,9 +992,7 @@ tls_seed_PRNG( const char *randfile )
 {
 #ifndef URANDOM_DEVICE
 	/* no /dev/urandom (or equiv) */
-
-	char buffer[1024];
-	static int egdsocket = 0;
+	char buffer[MAXPATHLEN];
 
 	if (randfile == NULL) {
 		/* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd.
@@ -1000,17 +1000,16 @@ tls_seed_PRNG( const char *randfile )
 		 * an error occurs.    - From RAND_file_name() man page.
 		 * The fact is that when $HOME is NULL, .rnd is used.
 		 */
-		randfile = RAND_file_name(buffer, sizeof( buffer ));
+		randfile = RAND_file_name( buffer, sizeof( buffer ) );
 
 	} else if (RAND_egd(randfile) > 0) {
 		/* EGD socket */
-		egdsocket = 1;
 		return 0;
 	}
 
 	if (randfile == NULL) {
 		Debug( LDAP_DEBUG_ANY,
-			"TLS: Use configuration file or $RANDFILE to define seed file",
+			"TLS: Use configuration file or $RANDFILE to define seed PRNG",
 			0, 0, 0);
 		return -1;
 	}
@@ -1019,7 +1018,7 @@ tls_seed_PRNG( const char *randfile )
 
 	if (RAND_status() == 0) {
 		Debug( LDAP_DEBUG_ANY,
-			"TLS: PRNG has not been seeded with enough data",
+			"TLS: PRNG not been seeded with enough data",
 			0, 0, 0);
 		return -1;
 	}
@@ -1039,40 +1038,36 @@ tls_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
 
 int
 ldap_start_tls_s ( LDAP *ld,
-				LDAPControl **serverctrls,
-				LDAPControl **clientctrls )
+	LDAPControl **serverctrls,
+	LDAPControl **clientctrls )
 {
 #ifdef HAVE_TLS
-	LDAPConn *lc;
 	int rc;
 	char *rspoid = NULL;
 	struct berval *rspdata = NULL;
 
-	if (ld->ld_conns == NULL) {
-		rc = ldap_open_defconn( ld );
-		if (rc != LDAP_SUCCESS)
-			return(rc);
+	/* XXYYZ: this initiates operaton only on default connection! */
+
+	if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
+		return LDAP_LOCAL_ERROR;
 	}
 
-	for (lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next) {
-		if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
-			return LDAP_OPERATIONS_ERROR;
-
-		/* XXYYZ: this initiates operaton only on default connection! */
-		rc = ldap_extended_operation_s(ld, LDAP_EXOP_START_TLS,
-			NULL, serverctrls, clientctrls, &rspoid, &rspdata);
-
-		if (rc != LDAP_SUCCESS)
-			return rc;
-		if (rspoid != NULL)
-			LDAP_FREE(rspoid);
-		if (rspdata != NULL)
-			ber_bvfree(rspdata);
-		rc = ldap_pvt_tls_start( ld, lc->lconn_sb, ld->ld_options.ldo_tls_ctx );
-		if (rc != LDAP_SUCCESS)
-			return rc;
+	rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS,
+		NULL, serverctrls, clientctrls, &rspoid, &rspdata );
+	if ( rc != LDAP_SUCCESS ) {
+		return rc;
 	}
-	return LDAP_SUCCESS;
+
+	if ( rspoid != NULL ) {
+		LDAP_FREE(rspoid);
+	}
+
+	if ( rspdata != NULL ) {
+		ber_bvfree( rspdata );
+	}
+
+	rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx );
+	return rc;
 #else
 	return LDAP_NOT_SUPPORTED;
 #endif

libraries/libldap_r/thr_nt.c

@@ -51,10 +51,7 @@ ldap_pvt_thread_join( ldap_pvt_thread_t thread, void **thread_return )
 {
 	DWORD status;
 	status = WaitForSingleObject( (HANDLE) thread, INFINITE );
-	if (status == WAIT_FAILED) {
-		return -1;
-	}
-	return 0;
+	return status == WAIT_FAILED ? -1 : 0;
 }
 
 int 
@@ -95,7 +92,6 @@ int
 ldap_pvt_thread_cond_wait( ldap_pvt_thread_cond_t *cond, 
 	ldap_pvt_thread_mutex_t *mutex )
 {
-	ReleaseMutex( *mutex );
 	SignalObjectAndWait( *mutex, *cond, INFINITE, FALSE );
 	WaitForSingleObject( *mutex, INFINITE );
 	return( 0 );
@@ -125,8 +121,9 @@ ldap_pvt_thread_mutex_destroy( ldap_pvt_thread_mutex_t *mutex )
 int 
 ldap_pvt_thread_mutex_lock( ldap_pvt_thread_mutex_t *mutex )
 {
-	WaitForSingleObject( *mutex, INFINITE );
-	return ( 0 );
+	DWORD status;
+	status = WaitForSingleObject( *mutex, INFINITE );
+	return status == WAIT_FAILED ? -1 : 0;
 }
 
 int 
@@ -140,12 +137,9 @@ int
 ldap_pvt_thread_mutex_trylock( ldap_pvt_thread_mutex_t *mp )
 {
 	DWORD status;
-
 	status = WaitForSingleObject( *mp, 0 );
-	if ( (status == WAIT_FAILED) || (status == WAIT_TIMEOUT) )
-		return 0;
-	else
-		return 1;
+	return status == WAIT_FAILED || status == WAIT_TIMEOUT
+		? -1 : 0;
 }
 
 #endif

libraries/libldbm/ldbm.c

@@ -80,7 +80,6 @@ static ldap_pvt_thread_mutex_t ldbm_big_mutex;
  *******************************************************************/
 #if defined( HAVE_BERKELEY_DB ) && (DB_VERSION_MAJOR >= 2)
 
-
 void *
 ldbm_malloc( size_t size )
 {
@@ -102,7 +101,7 @@ ldbm_db_errcall( const char *prefix, char *message )
 /*  a dbEnv for BERKELEYv2  */
 DB_ENV           *ldbm_Env = NULL;
 
-int ldbm_initialize( void )
+int ldbm_initialize( const char* home )
 {
 	int     err;
 	u_int32_t	envFlags;
@@ -121,6 +120,9 @@ int ldbm_initialize( void )
 #endif
 
 	envFlags = 
+#if defined( DB_PRIVATE )
+		DB_PRIVATE |
+#endif
 #if defined( HAVE_BERKELEY_DB_THREAD )
 		DB_THREAD |
 #endif
@@ -128,8 +130,9 @@ int ldbm_initialize( void )
 
 #if DB_VERSION_MAJOR >= 3
 	err = db_env_create( &ldbm_Env, 0 );
-#elif DB_VERSION_MAJOR >= 2
-	err = db_appinit( NULL, NULL, ldbm_Env, envFlags );
+#else
+	envFlags |= DB_USE_ENVIRON;
+	err = db_appinit( home, NULL, ldbm_Env, envFlags );
 #endif
 
 	if ( err ) {
@@ -139,7 +142,11 @@ int ldbm_initialize( void )
 
 #ifdef LDAP_SYSLOG
 		syslog( LOG_INFO,
+#if DB_VERSION_MAJOR >= 3
+			"ldbm_initialize(): FATAL error in db_env_create() : %s\n",
+#else
 			"ldbm_initialize(): FATAL error in db_appinit() : %s\n",
+#endif
 			error );
 #endif
 	 	return( 1 );
@@ -149,12 +156,12 @@ int ldbm_initialize( void )
 	ldbm_Env->set_errcall( ldbm_Env, ldbm_db_errcall );
 	ldbm_Env->set_errpfx( ldbm_Env, "==>" );
 
-        envFlags |= DB_INIT_MPOOL;
+	envFlags |= DB_INIT_MPOOL | DB_USE_ENVIRON;
 
 #if (DB_VERSION_MAJOR > 3) || (DB_VERSION_MINOR >= 1)
-        err = ldbm_Env->open( ldbm_Env, NULL, envFlags, 0 );
+        err = ldbm_Env->open( ldbm_Env, home, envFlags, 0 );
 #else
-        err = ldbm_Env->open( ldbm_Env, NULL, NULL, envFlags, 0 );
+        err = ldbm_Env->open( ldbm_Env, home, NULL, envFlags, 0 );
 #endif
         if ( err != 0 )
         {
@@ -164,7 +171,7 @@ int ldbm_initialize( void )
 
 #ifdef LDAP_SYSLOG
             syslog( LOG_INFO,
-                    "ldbm_initialize(): FATAL error in db_appinit() : %s\n",
+                    "ldbm_initialize(): FATAL error in dbEnv->open() : %s\n",
                     error );
 #endif
 		    ldbm_Env->close( ldbm_Env, 0 );
@@ -190,7 +197,7 @@ int ldbm_shutdown( void )
 
 #else  /* some DB other than Berkeley V2 or greater */
 
-int ldbm_initialize( void )
+int ldbm_initialize( const char * home )
 {
 	if(ldbm_initialized++) return 1;
 
@@ -208,7 +215,7 @@ int ldbm_shutdown( void )
 	return 0;
 }
 
-#endif /* ifdef HAVE_BERKELEY_DB */
+#endif /* HAVE_BERKELEY_DB */
 
 
 #if defined( LDBM_USE_DBHASH ) || defined( LDBM_USE_DBBTREE )

servers/slapd/back-ldbm/add.c

@@ -191,6 +191,26 @@ ldbm_back_add(
 
 	e->e_id = next_id( be );
 
+	if( e->e_id == NOID ) {
+		if( p != NULL) {
+			/* free parent and writer lock */
+			cache_return_entry_w( &li->li_cache, p ); 
+		}
+
+		if ( rootlock ) {
+			/* release root lock */
+			ldap_pvt_thread_mutex_unlock(&li->li_root_mutex);
+		}
+
+		Debug( LDAP_DEBUG_ANY, "ldbm_add: next_id failed\n",
+			0, 0, 0 );
+
+		send_ldap_result( conn, op, LDAP_OTHER,
+			NULL, "next_id add failed", NULL, NULL );
+
+		return( -1 );
+	}
+
 	/*
 	 * Try to add the entry to the cache, assign it a new dnid.
 	 */

servers/slapd/back-ldbm/init.c

@@ -104,7 +104,7 @@ ldbm_back_open(
 	int rc;
 
 	/* initialize the underlying database system */
-	rc = ldbm_initialize();
+	rc = ldbm_initialize( NULL );
 
 	return rc;
 }

servers/slapd/back-ldbm/nextid.c

@@ -123,5 +123,4 @@ next_id( Backend *be )
 
 	ldap_pvt_thread_mutex_unlock( &li->li_nextid_mutex );
 	return id;
-
 }

servers/slapd/bind.c

@@ -53,30 +53,11 @@ do_bind(
 	mech = NULL;
 	cred.bv_val = NULL;
 
-	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
-
 	/*
 	 * Force to connection to "anonymous" until bind succeeds.
 	 */
-
-	if ( conn->c_authmech != NULL ) {
-		free( conn->c_authmech );
-		conn->c_authmech = NULL;
-	}
-
-	if ( conn->c_cdn != NULL ) {
-		free( conn->c_cdn );
-		conn->c_cdn = NULL;
-	}
-
-	if ( conn->c_dn != NULL ) {
-		free( conn->c_dn );
-		conn->c_dn = NULL;
-	}
-
-	conn->c_authc_backend = NULL;
-	conn->c_authz_backend = NULL;
-
+	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+	connection2anonymous( conn );
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
 	if ( op->o_dn != NULL ) {
@@ -283,38 +264,78 @@ do_bind(
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 	}
 
-	/* accept "anonymous" binds */
-	if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
-		rc = LDAP_SUCCESS;
-		text = NULL;
+	if ( method == LDAP_AUTH_SIMPLE ) {
+		/* accept "anonymous" binds */
+		if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) {
+			rc = LDAP_SUCCESS;
+			text = NULL;
 
-		if( cred.bv_len &&
-			( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
-		{
-			/* cred is not empty, disallow */
-			rc = LDAP_INVALID_CREDENTIALS;
+			if( cred.bv_len &&
+				( global_disallows & SLAP_DISALLOW_BIND_ANON_CRED ))
+			{
+				/* cred is not empty, disallow */
+				rc = LDAP_INVALID_CREDENTIALS;
 
-		} else if ( ndn != NULL && *ndn != '\0' &&
-			( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
-		{
-			/* DN is not empty, disallow */
+			} else if ( ndn != NULL && *ndn != '\0' &&
+				( global_disallows & SLAP_DISALLOW_BIND_ANON_DN ))
+			{
+				/* DN is not empty, disallow */
+				rc = LDAP_UNWILLING_TO_PERFORM;
+				text = "unwilling to allow anonymous bind with non-empty DN";
+
+			} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
+				/* disallow */
+				rc = LDAP_INAPPROPRIATE_AUTH;
+				text = "anonymous bind disallowed";
+			}
+
+			/*
+			 * we already forced connection to "anonymous",
+			 * just need to send success
+			 */
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
+		   		version, 0, 0 );
+			goto cleanup;
+
+		} else if ( global_disallows & SLAP_DISALLOW_BIND_SIMPLE ) {
+			/* disallow simple authentication */
 			rc = LDAP_UNWILLING_TO_PERFORM;
-			text = "unwilling to allow anonymous bind with non-empty DN";
+			text = "unwilling to perform simple authentication";
 
-		} else if ( global_disallows & SLAP_DISALLOW_BIND_ANON ) {
-			/* disallow */
-			rc = LDAP_UNWILLING_TO_PERFORM;
-			text = "anonymous bind disallowed";
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			Debug( LDAP_DEBUG_TRACE,
+				"do_bind: v%d simple bind(%s) disallowed\n",
+		   		version, ndn, 0 );
+			goto cleanup;
 		}
 
-		/*
-		 * we already forced connection to "anonymous",
-		 * just need to send success
-		 */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+	} else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
+		if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
+			/* disallow simple authentication */
+			rc = LDAP_UNWILLING_TO_PERFORM;
+			text = "unwilling to perform Kerberos V4 bind";
+
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+			Debug( LDAP_DEBUG_TRACE, "do_bind: v%d Kerberos V4 bind\n",
+				version, 0, 0 );
+			goto cleanup;
+		}
+#endif
+
+	} else {
+		rc = LDAP_AUTH_UNKNOWN;
+		text = "unknown authentication method";
+
 		send_ldap_result( conn, op, rc,
 			NULL, text, NULL, NULL );
-		Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n",
-	   		version, 0, 0 );
+		Debug( LDAP_DEBUG_TRACE,
+			"do_bind: v%d unknown authentication method (%d)\n",
+			version, method, 0 );
 		goto cleanup;
 	}
 

servers/slapd/config.c

@@ -26,6 +26,7 @@ int		deftime = SLAPD_DEFAULT_TIMELIMIT;
 AccessControl	*global_acl = NULL;
 slap_access_t		global_default_access = ACL_READ;
 slap_mask_t		global_restrictops = 0;
+slap_mask_t		global_allows = 0;
 slap_mask_t		global_disallows = 0;
 slap_mask_t		global_requires = 0;
 slap_ssf_set_t	global_ssf_set;
@@ -36,6 +37,8 @@ char	*global_host = NULL;
 char	*global_realm = NULL;
 char		*ldap_srvtab = "";
 char		*default_passwd_hash;
+char		*default_search_base = NULL;
+char		*default_search_nbase = NULL;
 
 char   *slapd_pid_file  = NULL;
 char   *slapd_args_file = NULL;
@@ -165,6 +168,48 @@ read_config( const char *fname )
 
 			ldap_pvt_thread_set_concurrency( c );
 
+		/* default search base */
+		} else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) {
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+					"missing dn in \"defaultSearchBase <dn>\" line\n",
+					fname, lineno, 0 );
+				return 1;
+
+			} else if ( cargc > 2 ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+					"extra cruft after <dn> in \"defaultSearchBase %s\", "
+					"line (ignored)\n",
+					fname, lineno, cargv[1] );
+			}
+
+			if ( bi != NULL || be != NULL ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+					"defaultSearchBaase line must appear prior to "
+					"any backend or database definition\n",
+				    fname, lineno, 0 );
+				return 1;
+			}
+
+			if ( default_search_nbase != NULL ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+					"default search base \"%s\" already defined "
+					"(discarding old)\n",
+					fname, lineno, default_search_base );
+				free( default_search_base );
+				free( default_search_nbase );
+			}
+
+			default_search_base = ch_strdup( cargv[1] );
+			default_search_nbase = ch_strdup( cargv[1] );
+
+			if( dn_normalize( default_search_nbase ) == NULL ) {
+				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+					"invalid default search base \"%s\"\n",
+					fname, lineno, default_search_base );
+				return 1;
+			}
+	       
 		/* set maximum threads in thread pool */
 		} else if ( strcasecmp( cargv[0], "threads" ) == 0 ) {
 			int c;
@@ -338,7 +383,18 @@ read_config( const char *fname )
 				    fname, lineno, tmp_be->be_suffix[0] );
 			} else {
 				char *dn = ch_strdup( cargv[1] );
-				(void) dn_validate( dn );
+				if( dn_validate( dn ) == NULL ) {
+					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+						"suffix DN invalid \"%s\"\n",
+				    	fname, lineno, cargv[1] );
+					return 1;
+
+				} else if( *dn == '\0' && default_search_nbase != NULL ) {
+					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+						"suffix DN empty and default "
+						"search base provided \"%s\" (assuming okay)\n",
+			    		fname, lineno, default_search_base );
+				}
 				charray_add( &be->be_suffix, dn );
 				(void) ldap_pvt_str2upper( dn );
 				charray_add( &be->be_nsuffix, dn );
@@ -486,6 +542,41 @@ read_config( const char *fname )
 			}
 
 
+		/* allow these features */
+		} else if ( strcasecmp( cargv[0], "allows" ) == 0 ||
+			strcasecmp( cargv[0], "allow" ) == 0 )
+		{
+			slap_mask_t	allows;
+
+			if ( be != NULL ) {
+				Debug( LDAP_DEBUG_ANY,
+"%s: line %d: allow line must appear prior to database definitions\n",
+				    fname, lineno, 0 );
+			}
+
+			if ( cargc < 2 ) {
+				Debug( LDAP_DEBUG_ANY,
+	    "%s: line %d: missing feature(s) in \"allow <features>\" line\n",
+				    fname, lineno, 0 );
+				return( 1 );
+			}
+
+			allows = 0;
+
+			for( i=1; i < cargc; i++ ) {
+				if( strcasecmp( cargv[i], "tls_2_anon" ) == 0 ) {
+					allows |= SLAP_ALLOW_TLS_2_ANON;
+
+				} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
+					Debug( LDAP_DEBUG_ANY,
+		    "%s: line %d: unknown feature %s in \"allow <features>\" line\n",
+					    fname, lineno, cargv[i] );
+					return( 1 );
+				}
+			}
+
+			global_allows = allows;
+
 		/* disallow these features */
 		} else if ( strcasecmp( cargv[0], "disallows" ) == 0 ||
 			strcasecmp( cargv[0], "disallow" ) == 0 )
@@ -500,7 +591,7 @@ read_config( const char *fname )
 
 			if ( cargc < 2 ) {
 				Debug( LDAP_DEBUG_ANY,
-	    "%s: line %d: missing feature(s) in \"disallows <features>\" line\n",
+	    "%s: line %d: missing feature(s) in \"disallow <features>\" line\n",
 				    fname, lineno, 0 );
 				return( 1 );
 			}
@@ -520,6 +611,15 @@ read_config( const char *fname )
 				} else if( strcasecmp( cargv[i], "bind_anon_dn" ) == 0 ) {
 					disallows |= SLAP_DISALLOW_BIND_ANON_DN;
 
+				} else if( strcasecmp( cargv[i], "bind_simple" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_BIND_SIMPLE;
+
+				} else if( strcasecmp( cargv[i], "bind_krbv4" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_BIND_KRBV4;
+
+				} else if( strcasecmp( cargv[i], "tls_authc" ) == 0 ) {
+					disallows |= SLAP_DISALLOW_TLS_AUTHC;
+
 				} else if( strcasecmp( cargv[i], "none" ) != 0 ) {
 					Debug( LDAP_DEBUG_ANY,
 		    "%s: line %d: unknown feature %s in \"disallow <features>\" line\n",

servers/slapd/connection.c

@@ -473,6 +473,30 @@ long connection_init(
     return id;
 }
 
+void connection2anonymous( Connection *c )
+{
+    assert( connections != NULL );
+    assert( c != NULL );
+
+	if(c->c_authmech != NULL ) {
+		free(c->c_authmech);
+		c->c_authmech = NULL;
+	}
+
+    if(c->c_dn != NULL) {
+        free(c->c_dn);
+        c->c_dn = NULL;
+    }
+
+	if(c->c_cdn != NULL) {
+		free(c->c_cdn);
+		c->c_cdn = NULL;
+	}
+
+	c->c_authc_backend = NULL;
+	c->c_authz_backend = NULL;
+}
+
 static void
 connection_destroy( Connection *c )
 {
@@ -492,22 +516,13 @@ connection_destroy( Connection *c )
 
     c->c_activitytime = c->c_starttime = 0;
 
-	if(c->c_authmech != NULL ) {
-		free(c->c_authmech);
-		c->c_authmech = NULL;
-	}
-    if(c->c_dn != NULL) {
-        free(c->c_dn);
-        c->c_dn = NULL;
-    }
-	if(c->c_cdn != NULL) {
-		free(c->c_cdn);
-		c->c_cdn = NULL;
-	}
+	connection2anonymous( c );
+
 	if(c->c_listener_url != NULL) {
 		free(c->c_listener_url);
 		c->c_listener_url = NULL;
 	}
+
 	if(c->c_peer_domain != NULL) {
 		free(c->c_peer_domain);
 		c->c_peer_domain = NULL;
@@ -991,12 +1006,19 @@ int connection_read(ber_socket_t s)
 		/* connections_mutex and c_mutex are locked */
 		connection_closing( c );
 		connection_close( c );
+		connection_return( c );
+		ldap_pvt_thread_mutex_unlock( &connections_mutex );
+		return 0;
 	}
 
-	if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_READ, NULL ) )
+	if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_READ, NULL ) ) {
 		slapd_set_read( s, 1 );
-	if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_WRITE, NULL ) )
+	}
+
+	if ( ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_WRITE, NULL ) ) {
 		slapd_set_write( s, 1 );
+	}
+
 	connection_return( c );
 	ldap_pvt_thread_mutex_unlock( &connections_mutex );
 	return 0;

servers/slapd/proto-slap.h

@@ -286,6 +286,8 @@ LDAP_SLAPD_F (Connection *) connection_first LDAP_P((ber_socket_t *));
 LDAP_SLAPD_F (Connection *) connection_next LDAP_P((Connection *, ber_socket_t *));
 LDAP_SLAPD_F (void) connection_done LDAP_P((Connection *));
 
+LDAP_SLAPD_F (void) connection2anonymous LDAP_P((Connection *));
+
 /*
  * dn.c
  */
@@ -312,8 +314,11 @@ LDAP_SLAPD_F (int) entry_destroy LDAP_P((void));
 
 LDAP_SLAPD_F (Entry *) str2entry LDAP_P(( char	*s ));
 LDAP_SLAPD_F (char *) entry2str LDAP_P(( Entry *e, int *len ));
-LDAP_SLAPD_F (void) entry_free LDAP_P(( Entry *e ));
 
+LDAP_SLAPD_F (int) entry_decode LDAP_P(( struct berval *bv, Entry **e ));
+LDAP_SLAPD_F (int) entry_encode LDAP_P(( Entry *e, struct berval **bv ));
+
+LDAP_SLAPD_F (void) entry_free LDAP_P(( Entry *e ));
 LDAP_SLAPD_F (int) entry_cmp LDAP_P(( Entry *a, Entry *b ));
 LDAP_SLAPD_F (int) entry_dn_cmp LDAP_P(( Entry *a, Entry *b ));
 LDAP_SLAPD_F (int) entry_id_cmp LDAP_P(( Entry *a, Entry *b ));
@@ -753,6 +758,7 @@ LDAP_SLAPD_F (int)	krbv4_ldap_auth();
  */
 
 LDAP_SLAPD_F (slap_mask_t)	global_restrictops;
+LDAP_SLAPD_F (slap_mask_t)	global_allows;
 LDAP_SLAPD_F (slap_mask_t)	global_disallows;
 LDAP_SLAPD_F (slap_mask_t)	global_requires;
 LDAP_SLAPD_F (slap_ssf_set_t)	global_ssf_set;
@@ -772,6 +778,8 @@ LDAP_SLAPD_F (char)		*global_realm;
 LDAP_SLAPD_F (char)		*default_passwd_hash;
 LDAP_SLAPD_F (int)		lber_debug;
 LDAP_SLAPD_F (int)		ldap_syslog;
+LDAP_SLAPD_F (char *)	default_search_base;
+LDAP_SLAPD_F (char *)	default_search_nbase;
 
 LDAP_SLAPD_F (ldap_pvt_thread_mutex_t)	num_sent_mutex;
 LDAP_SLAPD_F (long)		num_bytes_sent;

servers/slapd/schema/README

@@ -2,9 +2,11 @@ This directory contains schema definitions for use with slapd(5).
 
 File                    Description
 ----                    -----------
+corba.schema            Corba Object (RFC 2714) schema
 core.schema             OpenLDAP "core"
 cosine.schema           COSINE Pilot schema
 inetorgperson.schema    InetOrgPerson schema
+java.schema             Java Object (RFC 2713) schema
 krb5-kdc.schema         Kerberos V KDC schema
 microsoft.ext.schema    Microsoft schema
 microsoft.schema        Microsoft schema

servers/slapd/schema/corba.schema

@@ -0,0 +1,222 @@
+# Corba Object Schema
+# $OpenLDAP$
+# depends upon core.schema
+
+# Network Working Group                                            V. Ryan
+# Request for Comments: 2714                                        R. Lee
+# Category: Informational                                      S. Seligman
+#                                                   Sun Microsystems, Inc.
+#                                                             October 1999
+# 
+# 
+#   Schema for Representing CORBA Object References in an LDAP Directory
+# 
+# Status of this Memo
+# 
+#    This memo provides information for the Internet community.  It does
+#    not specify an Internet standard of any kind.  Distribution of this
+#    memo is unlimited.
+# 
+# Copyright Notice
+# 
+#    Copyright (C) The Internet Society (1999).  All Rights Reserved.
+# 
+# Abstract
+# 
+#    CORBA [CORBA] is the Common Object Request Broker Architecture
+#    defined by the Object Management Group. This document defines the
+#    schema for representing CORBA object references in an LDAP directory
+#    [LDAPv3].
+# 
+# [trimmed]
+
+# 3. Attribute Type Definitions
+# 
+#    The following attribute types are defined in this document:
+# 
+#        corbaIor
+#        corbaRepositoryId
+# 
+# 3.1 corbaIor
+# 
+#    This attribute stores the string representation of the interoperable
+#    object reference (IOR) for a CORBA object. An IOR is an opaque handle
+#    for the object which contains the information necessary to locate the
+#    object, even if the object is in another ORB.
+# 
+#    This attribute's syntax is 'IA5 String' and its case is
+#    insignificant.
+# 
+#    ( 1.3.6.1.4.1.42.2.27.4.1.14
+#     NAME 'corbaIor'
+#     DESC 'Stringified interoperable object reference of a CORBA object'
+#     EQUALITY caseIgnoreIA5Match
+#     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+#     SINGLE-VALUE
+#    )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.14
+	NAME 'corbaIor'
+	DESC 'Stringified interoperable object reference of a CORBA object'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	SINGLE-VALUE )
+
+# 3.2 corbaRepositoryId
+# 
+#    Each CORBA interface has a unique "repository id" (also called "type
+#    id") that identifies the interface.  A CORBA object has one or more
+#    repository ids, one for each interface that it implements.
+# 
+#    The format of a repository id can be any string, but the OMG
+#    specifies four standard formats:
+# 
+#       a. IDL-style
+# 
+#        IDL:Prefix/ModuleName/InterfaceName:VersionNumber
+# 
+#    For example, the repository id for the "NamingContext" in OMG's COS
+#    Naming module is:  "IDL:omg.org/CosNaming/NamingContext:1.0".
+# 
+#       b. RMI-style
+# 
+#        RMI:ClassName:HashCode[:SUID]
+# 
+#    This format is used by RMI-IIOP remote objects [RMI-IIOP].
+#    "ClassName" is the fully qualified name of the class (for example,
+#    "java.lang.String"). "HashCode" is the object's hash code (that is,
+#    that obtained by invoking the "hashCode()" method).  "SUID" is the
+#    "stream unique identifier", which is a 64-bit number that uniquely
+#    identifies the serialization version of the class; SUID is optional
+#    in the repository id.
+# 
+#       c. DCE-style
+# 
+#        DCE:UUID
+# 
+#    This format is used for DCE/CORBA interoperability [CORBA-DCE].
+#    "UUID" represents a DCE UUID.
+# 
+#       d. "local"
+# 
+#    This format is defined by the local Object Request Broker (ORB).
+# 
+#    The corbaRepositoryId attribute is a multivalued attribute; each
+#    value records a single repository id of an interface implemented by
+#    the CORBA object.  This attribute need not contain a complete list of
+#    the interfaces implemented by the CORBA object.
+# 
+#    This attribute's syntax is 'Directory String' and its case is
+#    significant.  The values of this attribute are encoded using UTF-8.
+#    Some values may require translation from their native representation
+#    in order to be correctly encoded using UTF-8.
+# 
+#    ( 1.3.6.1.4.1.42.2.27.4.1.15
+#     NAME 'corbaRepositoryId'
+#     DESC 'Repository ids of interfaces implemented by a CORBA object'
+#     EQUALITY caseExactMatch
+#     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+#    )
+# 
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.15
+	NAME 'corbaRepositoryId'
+	DESC 'Repository ids of interfaces implemented by a CORBA object'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 4. Object Class Definitions
+# 
+#    The following object classes are defined in this document:
+# 
+#        corbaContainer
+#        corbaObject
+#        corbaObjectReference
+# 
+# 4.1 corbaContainer
+# 
+#    This structural object class represents a container for a CORBA
+#    object.
+# 
+#    ( 1.3.6.1.4.1.42.2.27.4.2.10
+#     NAME 'corbaContainer'
+#     DESC 'Container for a CORBA object'
+#     SUP top
+#     STRUCTURAL
+#     MUST ( cn )
+#    )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.10
+	NAME 'corbaContainer'
+	DESC 'Container for a CORBA object'
+	SUP top
+	STRUCTURAL
+	MUST cn )
+
+# 4.2 corbaObject
+# 
+#    This abstract object class is the root class for representing a CORBA
+#    object.
+# 
+#    ( 1.3.6.1.4.1.42.2.27.4.2.9
+#     NAME 'corbaObject'
+#     DESC 'CORBA object representation'
+#     SUP top
+#     ABSTRACT
+#     MAY ( corbaRepositoryId $ description )
+#    )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.9
+	NAME 'corbaObject'
+	DESC 'CORBA object representation'
+	SUP top
+	ABSTRACT
+	MAY ( corbaRepositoryId $ description ) )
+
+# 4.3 corbaObjectReference
+# 
+#    This auxiliary object class represents a CORBA object reference.  It
+#    must be mixed in with a structural object class.
+# 
+#    ( 1.3.6.1.4.1.42.2.27.4.2.11
+#     NAME 'corbaObjectReference'
+#     DESC 'CORBA interoperable object reference'
+#     SUP corbaObject
+#     AUXILIARY
+#     MUST ( corbaIor )
+#    )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.11
+	NAME 'corbaObjectReference'
+	DESC 'CORBA interoperable object reference'
+	SUP corbaObject
+	AUXILIARY
+	MUST corbaIor )
+ 
+# 10.  Full Copyright Statement
+# 
+#    Copyright (C) The Internet Society (1999).  All Rights Reserved.
+# 
+#    This document and translations of it may be copied and furnished to
+#    others, and derivative works that comment on or otherwise explain it
+#    or assist in its implementation may be prepared, copied, published
+#    and distributed, in whole or in part, without restriction of any
+#    kind, provided that the above copyright notice and this paragraph are
+#    included on all such copies and derivative works.  However, this
+#    document itself may not be modified in any way, such as by removing
+#    the copyright notice or references to the Internet Society or other
+#    Internet organizations, except as needed for the purpose of
+#    developing Internet standards in which case the procedures for
+#    copyrights defined in the Internet Standards process must be
+#    followed, or as required to translate it into languages other than
+#    English.
+# 
+#    The limited permissions granted above are perpetual and will not be
+#    revoked by the Internet Society or its successors or assigns.
+# 
+#    This document and the information contained herein is provided on an
+#    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+#    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+#    BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+#    HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+#    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

servers/slapd/schema/java.schema

@@ -0,0 +1,388 @@
+# Java Object Schema
+# $OpenLDAP$
+# depends upon core.schema
+
+# Network Working Group                                            V. Ryan
+# Request for Comments: 2713                                   S. Seligman
+# Category: Informational                                           R. Lee
+#                                                   Sun Microsystems, Inc.
+#                                                             October 1999
+# 
+# 
+#      Schema for Representing Java(tm) Objects in an LDAP Directory
+# 
+# Status of this Memo
+# 
+#    This memo provides information for the Internet community.  It does
+#    not specify an Internet standard of any kind.  Distribution of this
+#    memo is unlimited.
+# 
+# Copyright Notice
+# 
+#    Copyright (C) The Internet Society (1999).  All Rights Reserved.
+# 
+# Abstract
+# 
+#    This document defines the schema for representing Java(tm) objects in
+#    an LDAP directory [LDAPv3].  It defines schema elements to represent
+#    a Java serialized object [Serial], a Java marshalled object [RMI], a
+#    Java remote object [RMI], and a JNDI reference [JNDI].
+# 
+
+# [trimmed]
+
+# 3 Attribute Type Definitions
+# 
+#    The following attribute types are defined in this document:
+# 
+#        javaClassName
+#        javaClassNames
+#        javaCodebase
+#        javaSerializedData
+#        javaFactory
+#        javaReferenceAddress
+#        javaDoc
+# 
+# 3.1 javaClassName
+# 
+#    This attribute stores the fully qualified name of the Java object's
+#    "distinguished" class or interface (for example, "java.lang.String").
+#    It is a single-valued attribute. This attribute's syntax is '
+#    Directory String' and its case is significant.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.6
+#          NAME 'javaClassName'
+#          DESC 'Fully qualified name of distinguished Java class or
+#                interface'
+#          EQUALITY caseExactMatch
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+#          SINGLE-VALUE
+#        )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
+	NAME 'javaClassName'
+	DESC 'Fully qualified name of distinguished Java class or interface'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	SINGLE-VALUE )
+ 
+# 3.2 javaCodebase
+# 
+#    This attribute stores the Java class definition's locations.  It
+#    specifies the locations from which to load the class definition for
+#    the class specified by the javaClassName attribute.  Each value of
+#    the attribute contains an ordered list of URLs, separated by spaces.
+#    For example, a value of "url1 url2 url3" means that the three
+#    (possibly interdependent) URLs (url1, url2, and url3) form the
+#    codebase for loading in the Java class definition.
+# 
+#    If the javaCodebase attribute contains more than one value, each
+#    value is an independent codebase. That is, there is no relationship
+#    between the URLs in one value and those in another; each value can be
+#    viewed as an alternate source for loading the Java class definition.
+#    See [Java] for information regarding class loading.
+# 
+#    This attribute's syntax is 'IA5 String' and its case is significant.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.7
+#          NAME 'javaCodebase'
+#          DESC 'URL(s) specifying the location of class definition'
+#          EQUALITY caseExactIA5Match
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+#        )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.7
+	NAME 'javaCodebase'
+	DESC 'URL(s) specifying the location of class definition'
+	EQUALITY caseExactIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 3.3 javaClassNames
+# 
+#    This attribute stores the Java object's fully qualified class or
+#    interface names (for example, "java.lang.String").  It is a
+#    multivalued attribute. When more than one value is present, each is
+#    the name of a class or interface, or ancestor class or interface, of
+#    this object.
+# 
+#    This attribute's syntax is 'Directory String' and its case is
+#    significant.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.13
+#          NAME 'javaClassNames'
+#          DESC 'Fully qualified Java class or interface name'
+#          EQUALITY caseExactMatch
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+#        )
+# 
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.13
+	NAME 'javaClassNames'
+	DESC 'Fully qualified Java class or interface name'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+# 3.4 javaSerializedData
+# 
+#    This attribute stores the serialized form of a Java object.  The
+#    serialized form is described in [Serial].
+# 
+#    This attribute's syntax is 'Octet String'.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.8
+#          NAME 'javaSerializedData
+#          DESC 'Serialized form of a Java object'
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+#          SINGLE-VALUE
+#        )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.8
+	NAME 'javaSerializedData
+	DESC 'Serialized form of a Java object'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+	SINGLE-VALUE )
+
+# 3.5 javaFactory
+# 
+#    This attribute stores the fully qualified class name of the object
+#    factory (for example, "com.wiz.jndi.WizObjectFactory") that can be
+#    used to create an instance of the object identified by the
+#    javaClassName attribute.
+# 
+#    This attribute's syntax is 'Directory String' and its case is
+#    significant.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.10
+#          NAME 'javaFactory'
+#          DESC 'Fully qualified Java class name of a JNDI object factory'
+#          EQUALITY caseExactMatch
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+#          SINGLE-VALUE
+#        )
+# 
+atttributetype ( 1.3.6.1.4.1.42.2.27.4.1.10
+	NAME 'javaFactory'
+	DESC 'Fully qualified Java class name of a JNDI object factory'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	SINGLE-VALUE )
+
+# 3.6 javaReferenceAddress
+# 
+#    This attribute represents the sequence of addresses of a JNDI
+#    reference.  Each of its values represents one address, a Java object
+#    of type javax.naming.RefAddr.  Its value is a concatenation of the
+#    address type and address contents, preceded by a sequence number (the
+#    order of addresses in a JNDI reference is significant).  For example:
+# 
+#        #0#TypeA#ValA
+#        #1#TypeB#ValB
+#        #2#TypeC##rO0ABXNyABpq...
+# 
+#    In more detail, the value is encoded as follows:
+# 
+#    The delimiter is the first character of the value.  For readability
+#    the character '#' is recommended when it is not otherwise used
+#    anywhere in the value, but any character may be used subject to
+#    restrictions given below.
+# 
+#    The first delimiter is followed by the sequence number.  The sequence
+#    number of an address is its position in the JNDI reference, with the
+#    first address being numbered 0.  It is represented by its shortest
+#    string form, in decimal notation.
+# 
+#    The sequence number is followed by a delimiter, then by the address
+#    type, and then by another delimiter.  If the address is of Java class
+#    javax.naming.StringRefAddr, then this delimiter is followed by the
+#    value of the address contents (which is a string).  Otherwise, this
+#    delimiter is followed immediately by another delimiter, and then by
+#    the Base64 encoding of the serialized form of the entire address.
+# 
+#    The delimiter may be any character other than a digit or a character
+#    contained in the address type.  In addition, if the address contents
+#    is a string, the delimiter may not be the first character of that
+#    string.
+# 
+#    This attribute's syntax is 'Directory String' and its case is
+#    significant.  It can contain multiple values.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.11
+#          NAME 'javaReferenceAddress'
+#          DESC 'Addresses associated with a JNDI Reference'
+#          EQUALITY caseExactMatch
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+#        )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.11
+	NAME 'javaReferenceAddress'
+	DESC 'Addresses associated with a JNDI Reference'
+	EQUALITY caseExactMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# 3.7 javaDoc
+# 
+#    This attribute stores a pointer to the Java documentation for the
+#    class.  It's value is a URL. For example, the following URL points to
+#    the specification of the java.lang.String class:
+#    http://java.sun.com/products/jdk/1.2/docs/api/java/lang/String.html
+# 
+#    This attribute's syntax is 'IA5 String' and its case is significant.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.1.12
+#          NAME 'javaDoc'
+#          DESC 'The Java documentation for the class'
+#          EQUALITY caseExactIA5Match
+#          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+#        )
+# 
+attributetype ( 1.3.6.1.4.1.42.2.27.4.1.12
+	NAME 'javaDoc'
+	DESC 'The Java documentation for the class'
+	EQUALITY caseExactIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+# 4 Object Class Definitions
+# 
+#    The following object classes are defined in this document:
+# 
+#        javaContainer
+#        javaObject
+#        javaSerializedObject
+#        javaMarshalledObject
+#        javaNamingReference
+# 
+# 4.1 javaContainer
+# 
+#    This structural object class represents a container for a Java
+#    object.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.2.1
+#          NAME 'javaContainer'
+#          DESC 'Container for a Java object'
+#          SUP top
+#          STRUCTURAL
+#          MUST ( cn )
+#        )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
+	NAME 'javaContainer'
+	DESC 'Container for a Java object'
+	SUP top
+	STRUCTURAL
+	MUST cn )
+
+# 4.2 javaObject
+# 
+#    This abstract object class represents a Java object.  A javaObject
+#    cannot exist in the directory; only auxiliary or structural
+#    subclasses of it can exist in the directory.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.2.4
+#          NAME 'javaObject'
+#          DESC 'Java object representation'
+#          SUP top
+#          ABSTRACT
+#          MUST ( javaClassName )
+#          MAY ( javaClassNames $
+#                javaCodebase $
+#                javaDoc $
+#                description )
+#        )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.4
+	NAME 'javaObject'
+	DESC 'Java object representation'
+	SUP top
+	ABSTRACT
+	MUST javaClassName
+	MAY ( javaClassNames $ javaCodebase $
+		javaDoc $ description ) )
+
+# 4.3 javaSerializedObject
+# 
+#    This auxiliary object class represents a Java serialized object.  It
+#    must be mixed in with a structural object class.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.2.5
+#          NAME 'javaSerializedObject'
+#          DESC 'Java serialized object'
+#          SUP javaObject
+#          AUXILIARY
+#          MUST ( javaSerializedData )
+#        )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.5
+	NAME 'javaSerializedObject'
+	DESC 'Java serialized object'
+	SUP javaObject
+	AUXILIARY
+	MUST javaSerializedData )
+ 
+# 4.4 javaMarshalledObject
+# 
+#    This auxiliary object class represents a Java marshalled object.  It
+#    must be mixed in with a structural object class.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.2.8
+#          NAME 'javaMarshalledObject'
+#          DESC 'Java marshalled object'
+#          SUP javaObject
+#          AUXILIARY
+#          MUST ( javaSerializedData )
+#        )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.8
+	NAME 'javaMarshalledObject'
+	DESC 'Java marshalled object'
+	SUP javaObject
+	AUXILIARY
+	MUST javaSerializedData )
+
+# 4.5 javaNamingReference
+# 
+#    This auxiliary object class represents a JNDI reference.  It must be
+#    mixed in with a structural object class.
+# 
+#        ( 1.3.6.1.4.1.42.2.27.4.2.7
+#          NAME 'javaNamingReference'
+#          DESC 'JNDI reference'
+#          SUP javaObject
+#          AUXILIARY
+#          MAY ( javaReferenceAddress $
+#                javaFactory )
+#        )
+# 
+objectclass ( 1.3.6.1.4.1.42.2.27.4.2.7
+	NAME 'javaNamingReference'
+	DESC 'JNDI reference'
+	SUP javaObject
+	AUXILIARY
+	MAY ( javaReferenceAddress $ javaFactory ) )
+ 
+# Full Copyright Statement
+# 
+#    Copyright (C) The Internet Society (1999).  All Rights Reserved.
+# 
+#    This document and translations of it may be copied and furnished to
+#    others, and derivative works that comment on or otherwise explain it
+#    or assist in its implementation may be prepared, copied, published
+#    and distributed, in whole or in part, without restriction of any
+#    kind, provided that the above copyright notice and this paragraph are
+#    included on all such copies and derivative works.  However, this
+#    document itself may not be modified in any way, such as by removing
+#    the copyright notice or references to the Internet Society or other
+#    Internet organizations, except as needed for the purpose of
+#    developing Internet standards in which case the procedures for
+#    copyrights defined in the Internet Standards process must be
+#    followed, or as required to translate it into languages other than
+#    English.
+# 
+#    The limited permissions granted above are perpetual and will not be
+#    revoked by the Internet Society or its successors or assigns.
+# 
+#    This document and the information contained herein is provided on an
+#    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+#    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+#    BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+#    HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+#    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

servers/slapd/search.c

@@ -202,6 +202,13 @@ do_search(
 		}
 	}
 
+	if( nbase[0] == '\0' && default_search_nbase != NULL ) {
+		ch_free( base );
+		ch_free( nbase );
+		base = ch_strdup( default_search_base );
+		nbase = ch_strdup( default_search_nbase );
+	}
+
 	/*
 	 * We could be serving multiple database backends.  Select the
 	 * appropriate one, or send a referral to our "referral server"

servers/slapd/sets.c

@@ -4,16 +4,17 @@
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
-#include "portable.h"
+#include "portable.h"
 
-#include <stdio.h>
+#include <stdio.h>
 #include <ac/string.h>
-
+
 #include "slap.h"
 #include "sets.h"
 
 static char **set_join (char **lset, int op, char **rset);
-static char **set_chase (SET_GATHER gatherer, void *cookie, char **set, char *attr, int attrlen, int closure);
+static char **set_chase (SET_GATHER gatherer,
+	void *cookie, char **set, char *attr, int attrlen, int closure);
 static int set_samedn (char *dn1, char *dn2);
 
 long
@@ -119,7 +120,8 @@ set_join (char **lset, int op, char **rset)
 }
 
 static char **
-set_chase (SET_GATHER gatherer, void *cookie, char **set, char *attr, int attrlen, int closure)
+set_chase (SET_GATHER gatherer,
+	void *cookie, char **set, char *attr, int attrlen, int closure)
 {
 	char **vals, **nset;
 	char attrstr[32];
@@ -195,14 +197,19 @@ set_samedn (char *dn1, char *dn2)
 }
 
 int
-set_filter (SET_GATHER gatherer, void *cookie, char *filter, char *user, char *this, char ***results)
+set_filter (SET_GATHER gatherer,
+	void *cookie, char *filter, char *user, char *this, char ***results)
 {
-#	define IS_SET(x)	( (long)(x) >= 256 )
-#	define IS_OP(x)	( (long)(x) < 256 )
-#	define SF_ERROR(x)	{ rc = -1; goto _error; }
-#	define SF_TOP()	(char **)( (stp < 0) ? 0 : stack[stp] )
-#	define SF_POP()	(char **)( (stp < 0) ? 0 : stack[stp--] )
-#	define SF_PUSH(x)	{ if (stp >= 63) SF_ERROR(overflow); stack[++stp] = (char **)(long)(x); }
+#define IS_SET(x)	( (long)(x) >= 256 )
+#define IS_OP(x)	( (long)(x) < 256 )
+#define SF_ERROR(x)	do { rc = -1; goto _error; } while (0)
+#define SF_TOP()	( (char **)( (stp < 0) ? 0 : stack[stp] ) )
+#define SF_POP()	( (char **)( (stp < 0) ? 0 : stack[stp--] ) )
+#define SF_PUSH(x)	do { \
+		if (stp >= 63) SF_ERROR(overflow); \
+		stack[++stp] = (char **)(long)(x); \
+	} while (0)
+
 	char c;
 	char **set, **lset;
 	int len, op, rc, stp;
@@ -345,7 +352,8 @@ set_filter (SET_GATHER gatherer, void *cookie, char *filter, char *user, char *t
 				SF_ERROR(syntax);
 			} else {
 				SF_POP();
-				set = set_chase(gatherer, cookie, SF_POP(), filter, len, c == '*');
+				set = set_chase(gatherer,
+					cookie, SF_POP(), filter, len, c == '*');
 				if (set == NULL)
 					SF_ERROR(memory);
 				if (c == '*')

servers/slapd/slap.h

@@ -256,7 +256,7 @@ typedef struct slap_syntax {
 #define slap_syntax_is_ber(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
 #define slap_syntax_is_hidden(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE)
 
-/* XXX -> UCS-2 Converter */
+/* X -> Y Converter */
 typedef int slap_mr_convert_func LDAP_P((
 	struct berval * in,
 	struct berval ** out ));
@@ -455,6 +455,7 @@ struct slap_internal_schema {
 
 	/* Other attributes descriptions */
 	AttributeDescription *si_ad_userPassword;
+	AttributeDescription *si_ad_authPassword;
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 	AttributeDescription *si_ad_krbName;
 #endif
@@ -853,6 +854,8 @@ struct slap_backend_db {
 	| SLAP_RESTRICT_OP_MODIFY \
 	| SLAP_RESTRICT_OP_RENAME )
 
+#define SLAP_ALLOW_TLS_2_ANON	0x0001U /* StartTLS -> Anonymous */
+
 #define SLAP_DISALLOW_BIND_V2	0x0001U	/* LDAPv2 bind */
 #define SLAP_DISALLOW_BIND_ANON 0x0002U /* no anonymous */
 #define SLAP_DISALLOW_BIND_ANON_CRED \
@@ -860,6 +863,11 @@ struct slap_backend_db {
 #define SLAP_DISALLOW_BIND_ANON_DN \
 								0x0008U /* dn should be empty */
 
+#define SLAP_DISALLOW_BIND_SIMPLE	0x0010U	/* simple authentication */
+#define SLAP_DISALLOW_BIND_KRBV4	0x0020U /* Kerberos V4 authentication */
+
+#define SLAP_DISALLOW_TLS_AUTHC	0x0100U	/* TLS while authenticated */
+
 	slap_mask_t	be_requires;	/* pre-operation requirements */
 #define SLAP_REQUIRE_BIND		0x0001U	/* bind before op */
 #define SLAP_REQUIRE_LDAP_V3	0x0002U	/* LDAPv3 before op */
@@ -867,7 +875,6 @@ struct slap_backend_db {
 #define SLAP_REQUIRE_SASL		0x0008U	/* SASL before op  */
 #define SLAP_REQUIRE_STRONG		0x0010U	/* strong authentication before op */
 
-
 	/* Required Security Strength Factor */
 	slap_ssf_set_t be_ssf_set;
 

servers/slapd/slapd.dsp

@@ -53,7 +53,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 advapi32.lib sasl.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\Release"
+# ADD LINK32 advapi32.lib libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\Release"
 
 !ELSEIF  "$(CFG)" == "slapd - Win32 Debug"
 
@@ -77,7 +77,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 advapi32.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\Debug"
+# ADD LINK32 advapi32.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\Debug"
 
 !ELSEIF  "$(CFG)" == "slapd - Win32 Single Debug"
 
@@ -102,7 +102,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 hs_regexd.lib libdbs.lib wsock32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\SDebug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\SDebug"
 
 !ELSEIF  "$(CFG)" == "slapd - Win32 Single Release"
 
@@ -127,7 +127,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 hs_regex.lib libdb.lib wsock32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 sasl.lib hs_regex.lib libdb.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease"
+# ADD LINK32 libdb.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease"
 
 !ENDIF 
 

servers/slapd/starttls.c

@@ -59,6 +59,21 @@ starttls_extop (
 		goto done;
 	}
 
+	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+		( conn->c_dn != NULL ) )
+	{
+		*text = "cannot start TLS after authentication";
+		rc = LDAP_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+		( conn->c_dn != NULL ) )
+	{
+		/* force to anonymous */
+		connection2anonymous( conn );
+	}
+
 	/* fail if TLS could not be initialized */
 	if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
 		|| ctx == NULL)

servers/slapd/tools/mimic.c

@@ -152,3 +152,7 @@ char * slap_sasl_secprops( const char *in )
 	return NULL;
 }
 
+void connection2anonymous( Connection *c )
+{
+	assert(0);
+}

servers/slapd/tools/slapadd.dsp

@@ -53,7 +53,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
+# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
 
 !ELSEIF  "$(CFG)" == "slapadd - Win32 Debug"
 
@@ -77,7 +77,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
 
 !ELSEIF  "$(CFG)" == "slapadd - Win32 Single Debug"
 
@@ -102,7 +102,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib hs_regexd.lib libdbs.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
 
 !ELSEIF  "$(CFG)" == "slapadd - Win32 Single Release"
 
@@ -127,7 +127,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 hs_regex.lib libdb.lib ws2_32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease"
+# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease"
 
 !ENDIF 
 

servers/slapd/tools/slapcat.dsp

@@ -53,7 +53,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
+# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
 
 !ELSEIF  "$(CFG)" == "slapcat - Win32 Debug"
 
@@ -77,7 +77,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
 
 !ELSEIF  "$(CFG)" == "slapcat - Win32 Single Debug"
 
@@ -102,7 +102,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 oldbm32.lib libdb.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\libraries\Debug"
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
 
 !ELSEIF  "$(CFG)" == "slapcat - Win32 Single Release"
 
@@ -126,7 +126,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib libdb.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\libraries\Release"
-# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease"
+# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\SRelease"
 
 !ENDIF 
 

servers/slapd/tools/slapindex.dsp

@@ -54,7 +54,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 libdb.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
+# ADD LINK32 libdb31.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\..\Release"
 
 !ELSEIF  "$(CFG)" == "slapindex - Win32 Debug"
 
@@ -78,7 +78,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\Debug"
 
 !ELSEIF  "$(CFG)" == "slapindex - Win32 Single Debug"
 
@@ -103,7 +103,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib shell32.lib hs_regexd.lib libdbs.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 libdb.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
+# ADD LINK32 libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept /libpath:"..\..\..\SDebug"
 
 !ELSEIF  "$(CFG)" == "slapindex - Win32 Single Release"
 
@@ -128,7 +128,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 hs_regex.lib libdb.lib ws2_32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 libdbs.lib sasl.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease"
+# ADD LINK32 libdbs.lib libdb31.lib hs_regex.lib libsasl.lib ws2_32.lib /nologo /subsystem:console /machine:I386 /libpath:"..\..\SRelease"
 
 !ENDIF 
 

servers/slurpd/args.c

@@ -106,7 +106,9 @@ doargs(
 	    g->slapd_configfile = strdup( optarg );
 	    break;
 	case 'r':	/* slapd replog file */
-	    strcpy( g->slapd_replogfile, optarg );
+	    strncpy( g->slapd_replogfile, optarg,
+			sizeof(g->slapd_replogfile)-1 );
+		g->slapd_replogfile[sizeof(g->slapd_replogfile)-1] = '\0';
 	    rflag++;
 	    break;
 	case 't':	/* dir to use for our copies of replogs */
@@ -150,7 +152,4 @@ doargs(
 #endif
 
     return 0;
-
 }
-
-

tests/scripts/test000-rootdse

@@ -41,7 +41,11 @@ cat $SEARCHOUT
 if test $RC != 0 ; then
 	echo ">>>>> Test failed"
 else
-	echo ">>>>> Test succeeded"
+	if grep "TLS:" $SEARCHOUT; then
+		RC=-1
+	else
+	    echo ">>>>> Test succeeded"
+	fi
 fi