fix "require" inheritance and handling of "none" (ITS#4574)

doc/man/man5/slapd.conf.5

@@ -754,7 +754,9 @@ instance that handles that replication log.
 .B require <conditions>
 Specify a set of conditions (separated by white space) to
 require (default none).
-The directive may be specified globally and/or per-database.
+The directive may be specified globally and/or per-database;
+databases inherit global conditions, so per-database specifications
+are additive.
 .B bind
 requires bind operation prior to directory operations.
 .B LDAPv3
@@ -768,8 +770,9 @@ requires strong authentication prior to directory operations.
 The strong keyword allows protected "simple" authentication
 as well as SASL authentication.
 .B none
-may be used to require no conditions (useful for clearly globally
-set conditions within a particular database).
+may be used to require no conditions (useful to clear out globally
+set conditions within a particular database); it must occur first
+in the list of conditions.
 .TP
 .B reverse-lookup on | off
 Enable/disable client name unverified reverse lookup (default is 

servers/slapd/bconfig.c

@@ -2145,8 +2145,10 @@ config_disallows(ConfigArgs *c) {
 
 static int
 config_requires(ConfigArgs *c) {
-	slap_mask_t requires = 0;
-	int i;
+	slap_mask_t requires = frontendDB->be_requires;
+	int i, argc = c->argc;
+	char **argv = c->argv;
+
 	slap_verbmasks requires_ops[] = {
 		{ BER_BVC("bind"),		SLAP_REQUIRE_BIND },
 		{ BER_BVC("LDAPv3"),		SLAP_REQUIRE_LDAP_V3 },
@@ -2166,7 +2168,13 @@ config_requires(ConfigArgs *c) {
 		}
 		return 0;
 	}
-	i = verbs_to_mask(c->argc, c->argv, requires_ops, &requires);
+	/* "none" can only be first, to wipe out default/global values */
+	if ( strcasecmp( c->argv[ 1 ], "none" ) == 0 ) {
+		argv++;
+		argc--;
+		requires = 0;
+	}
+	i = verbs_to_mask(argc, argv, requires_ops, &requires);
 	if ( i ) {
 		snprintf( c->msg, sizeof( c->msg ), "<%s> unknown feature", c->argv[0] );
 		Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",