From f926e667238e9347f849eb6d9581ccc4b31bd21c Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Wed, 13 May 2020 14:14:46 +0000
Subject: [PATCH] ITS#8873 - Delete obsolete configuration options from
 back-ldap, back-meta, and back-asyncmeta

---
 doc/man/man5/slapd-ldap.5             | 129 ----------
 servers/slapd/back-asyncmeta/config.c |  94 +------
 servers/slapd/back-ldap/config.c      | 353 --------------------------
 servers/slapd/back-meta/config.c      |  99 +-------
 tests/data/slapd-idassert.conf        |   4 +-
 5 files changed, 3 insertions(+), 676 deletions(-)

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 71d25ac99e..77683aaf21 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -144,10 +144,6 @@ The
 .B idassert\-bind
 feature, instead, in some cases can be crafted to implement that behavior,
 which is \fIintrinsically unsafe and should be used with extreme care\fP.
-This directive obsoletes
-.BR acl\-authcDN ,
-and
-.BR acl\-passwd .
 
 The TLS settings default to the same as the main slapd TLS settings,
 except for
@@ -393,14 +389,6 @@ The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
 is not.  See \fBacl\-bind\fP for details.
 
-This directive obsoletes
-.BR idassert\-authcDN ,
-.BR idassert\-passwd ,
-.BR idassert\-mode ,
-and
-.BR idassert\-method .
-.RE
-
 .TP
 .B idassert-passthru <authz-regexp>
 if defined, selects what
@@ -418,7 +406,6 @@ section related to
 .BR authz\-policy ,
 for details on the syntax of this field.
 
-
 .TP
 .B idle\-timeout <time>
 This directive causes a cached connection to be dropped an recreated
@@ -621,122 +608,6 @@ when set to
 create a temporary connection whenever competing with other threads
 for a shared one; otherwise, wait until the shared connection is available.
 
-.SH BACKWARD COMPATIBILITY
-The LDAP backend has been heavily reworked between releases 2.2 and 2.3,
-and subsequently between 2.3 and 2.4.
-As a side-effect, some of the traditional directives have been
-deprecated and should be no longer used, as they might disappear
-in future releases.
-
-.TP
-.B acl\-authcDN "<administrative DN for access control purposes>"
-Formerly known as the
-.BR binddn ,
-it is the DN that is used to query the target server for acl checking;
-it is supposed to have read access on the target server to attributes used
-on the proxy for acl checking.
-There is no risk of giving away such values; they are only used to
-check permissions.
-
-.B The acl\-authcDN identity is by no means implicitly used by the proxy 
-.B when the client connects anonymously.
-The
-.B idassert\-*
-feature can be used (at own risk) for that purpose instead.
-
-This directive is obsoleted by the
-.B binddn
-arg of
-.B acl\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B acl\-passwd <password>
-Formerly known as the
-.BR bindpw ,
-it is the password used with the above
-.B acl\-authcDN
-directive.
-This directive is obsoleted by the
-.B credentials
-arg of
-.B acl\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-authcDN "<administrative DN for proxyAuthz purposes>"
-DN which is used to propagate the client's identity to the target
-by means of the proxyAuthz control when the client does not
-belong to the DIT fragment that is being proxied by back-ldap.
-This directive is obsoleted by the
-.B binddn
-arg of
-.BR idassert\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-passwd <password>
-Password used with the
-.B idassert\-authcDN
-above.
-This directive is obsoleted by the
-.B credentials
-arg of
-.B idassert\-bind
-when \fIbindmethod\fP=\fBsimple\fP, and will be dismissed in the future.
-
-.TP
-.B idassert\-mode <mode> [<flags>]
-defines what type of
-.I identity assertion
-is used.
-This directive is obsoleted by the
-.B mode
-arg of 
-.BR idassert\-bind ,
-and will be dismissed in the future.
-
-.TP
-.B idassert\-method <method> [<saslargs>]
-This directive is obsoleted by the
-.B bindmethod
-arg of
-.BR idassert\-bind ,
-and will be dismissed in the future.
-
-.TP
-.B port <port>
-this directive is no longer supported.  Use the 
-.B uri
-directive as described above.
-
-.TP
-.B server <hostname[:port]>
-this directive is no longer supported.  Use the 
-.B uri
-directive as described above.
-
-.TP
-.B suffixmassage, map, rewrite*
-These directives are no longer supported by back-ldap; their 
-functionality is now delegated to the
-.B rwm
-overlay.  Essentially, add a statement
-
-.B overlay rwm
-
-first, and prefix all rewrite/map statements with
-.B rwm\-
-to obtain the original behavior.
-See
-.BR slapo\-rwm (5)
-for details.
-.\" However, to ease update from existing configurations, back-ldap still 
-.\" recognizes them and automatically instantiates the
-.\" .B rwm
-.\" overlay if available and not instantiated yet.
-.\" This behavior may change in the future.
-
 .SH ACCESS CONTROL
 The
 .B ldap
diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c
index b04b9e97d4..5873d9c0a3 100644
--- a/servers/slapd/back-asyncmeta/config.c
+++ b/servers/slapd/back-asyncmeta/config.c
@@ -86,8 +86,6 @@ enum {
 /* Target attrs */
 enum {
 	LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
-	LDAP_BACK_CFG_ACL_AUTHCDN,
-	LDAP_BACK_CFG_ACL_PASSWD,
 	LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
 	LDAP_BACK_CFG_IDASSERT_BIND,
 	LDAP_BACK_CFG_SUFFIXM,
@@ -115,32 +113,6 @@ static ConfigTable a_metacfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "acl-authcDN", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		asyncmeta_back_cf_gen, "( OLcfgDbAt:3.2 "
-			"NAME 'olcDbACLAuthcDn' "
-			"DESC 'Remote ACL administrative identity' "
-			"OBSOLETE "
-			"SYNTAX OMsDN "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-authcDN" */
-	{ "binddn", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		asyncmeta_back_cf_gen, NULL, NULL, NULL },
-	{ "acl-passwd", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		asyncmeta_back_cf_gen, "( OLcfgDbAt:3.3 "
-			"NAME 'olcDbACLPasswd' "
-			"DESC 'Remote ACL administrative identity credentials' "
-			"OBSOLETE "
-			"SYNTAX OMsDirectoryString "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-passwd" */
-	{ "bindpw", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		asyncmeta_back_cf_gen, NULL, NULL, NULL },
 	{ "idassert-bind", "args", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
 		asyncmeta_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -454,9 +426,7 @@ static ConfigOCs a_metaocs[] = {
 		"DESC 'Asyncmeta target configuration' "
 		"SUP olcConfig STRUCTURAL "
 		"MUST ( olcAsyncMetaSub $ olcDbURI ) "
-		"MAY ( olcDbACLAuthcDn "
-			"$ olcDbACLPasswd "
-			"$ olcDbIDAssertAuthzFrom "
+		"MAY ( olcDbIDAssertAuthzFrom "
 			"$ olcDbIDAssertBind "
 			"$ olcDbSuffixMassage "
 			"$ olcDbSubtreeExclude "
@@ -1296,15 +1266,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 			ber_bvarray_add( &c->rvalue_vals, &bv );
 			} break;
 
-		case LDAP_BACK_CFG_ACL_AUTHCDN:
-		case LDAP_BACK_CFG_ACL_PASSWD:
-			/* FIXME no point here, there is no code implementing
-			 * their features. Was this supposed to implement
-			 * acl-bind like back-ldap?
-			 */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
 			BerVarray	*bvp;
 			int		i;
@@ -2153,33 +2114,6 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 		mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
 		break;
 
-	case LDAP_BACK_CFG_ACL_AUTHCDN:
-	/* name to use for meta_back_group */
-		if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
-			Debug( LDAP_DEBUG_ANY, "%s: "
-				"\"binddn\" statement is deprecated; "
-				"use \"acl-authcDN\" instead\n", c->log );
-			/* FIXME: some day we'll need to throw an error */
-		}
-
-		ber_memfree_x( c->value_dn.bv_val, NULL );
-		mt->mt_binddn = c->value_ndn;
-		BER_BVZERO( &c->value_dn );
-		BER_BVZERO( &c->value_ndn );
-		break;
-
-	case LDAP_BACK_CFG_ACL_PASSWD:
-	/* password to use for meta_back_group */
-		if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
-			Debug( LDAP_DEBUG_ANY, "%s "
-				"\"bindpw\" statement is deprecated; "
-				"use \"acl-passwd\" instead\n", c->log );
-			/* FIXME: some day we'll need to throw an error */
-		}
-
-		ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
-		break;
-
 	case LDAP_BACK_CFG_REBIND:
 	/* save bind creds for referral rebinds? */
 		if ( c->argc == 1 || c->value_int ) {
@@ -2469,8 +2403,6 @@ int
 asyncmeta_back_init_cf( BackendInfo *bi )
 {
 	int			rc;
-	AttributeDescription	*ad = NULL;
-	const char		*text;
 
 	/* Make sure we don't exceed the bits reserved for userland */
 	config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2482,29 +2414,5 @@ asyncmeta_back_init_cf( BackendInfo *bi )
 		return rc;
 	}
 
-	/* setup olcDbAclPasswd and olcDbIDAssertPasswd
-	 * to be base64-encoded when written in LDIF form;
-	 * basically, we don't care if it fails */
-	rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbACLPasswd\" "
-			"attribute description: %d: %s\n", rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
-	ad = NULL;
-	rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbIDAssertPasswd\" "
-			"attribute description: %d: %s\n", rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
 	return 0;
 }
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 4b9fc38bac..a12bce933e 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -43,16 +43,9 @@ static ConfigDriver ldap_pbind_cf_gen;
 enum {
 	LDAP_BACK_CFG_URI = 1,
 	LDAP_BACK_CFG_TLS,
-	LDAP_BACK_CFG_ACL_AUTHCDN,
-	LDAP_BACK_CFG_ACL_PASSWD,
-	LDAP_BACK_CFG_ACL_METHOD,
 	LDAP_BACK_CFG_ACL_BIND,
-	LDAP_BACK_CFG_IDASSERT_MODE,
-	LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-	LDAP_BACK_CFG_IDASSERT_PASSWD,
 	LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
 	LDAP_BACK_CFG_IDASSERT_PASSTHRU,
-	LDAP_BACK_CFG_IDASSERT_METHOD,
 	LDAP_BACK_CFG_IDASSERT_BIND,
 	LDAP_BACK_CFG_REBIND,
 	LDAP_BACK_CFG_CHASE,
@@ -73,7 +66,6 @@ enum {
 	LDAP_BACK_CFG_NOUNDEFFILTER,
 	LDAP_BACK_CFG_ONERR,
 
-	LDAP_BACK_CFG_REWRITE,
 	LDAP_BACK_CFG_KEEPALIVE,
 
 	LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
@@ -100,37 +92,6 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "acl-authcDN", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		ldap_back_cf_gen, "( OLcfgDbAt:3.2 "
-			"NAME 'olcDbACLAuthcDn' "
-			"DESC 'Remote ACL administrative identity' "
-			"EQUALITY distinguishedNameMatch "
-			"OBSOLETE "
-			"SYNTAX OMsDN "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-authcDN" */
-	{ "binddn", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	{ "acl-passwd", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		ldap_back_cf_gen, "( OLcfgDbAt:3.3 "
-			"NAME 'olcDbACLPasswd' "
-			"DESC 'Remote ACL administrative identity credentials' "
-			"OBSOLETE "
-			"SYNTAX OMsDirectoryString "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-passwd" */
-	{ "bindpw", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-bind" */
-	{ "acl-method", "args", 2, 0, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_METHOD,
-		ldap_back_cf_gen, NULL, NULL, NULL },
 	{ "acl-bind", "args", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_ACL_BIND,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.4 "
@@ -140,33 +101,6 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "idassert-authcDN", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-		ldap_back_cf_gen, "( OLcfgDbAt:3.5 "
-			"NAME 'olcDbIDAssertAuthcDn' "
-			"DESC 'Remote Identity Assertion administrative identity' "
-			"EQUALITY distinguishedNameMatch "
-			"OBSOLETE "
-			"SYNTAX OMsDN "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; partially aliases "idassert-authcDN" */
-	{ "proxyauthzdn", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHCDN,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	{ "idassert-passwd", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
-		ldap_back_cf_gen, "( OLcfgDbAt:3.6 "
-			"NAME 'olcDbIDAssertPasswd' "
-			"DESC 'Remote Identity Assertion administrative identity credentials' "
-			"OBSOLETE "
-			"SYNTAX OMsDirectoryString "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; partially aliases "idassert-passwd" */
-	{ "proxyauthzpw", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_PASSWD,
-		ldap_back_cf_gen, NULL, NULL, NULL },
 	{ "idassert-bind", "args", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -176,18 +110,6 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "idassert-method", "args", 2, 0, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_METHOD,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	{ "idassert-mode", "mode>|u:<user>|[dn:]<DN", 2, 0, 0,
-		ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_MODE,
-		ldap_back_cf_gen, "( OLcfgDbAt:3.8 "
-			"NAME 'olcDbIDAssertMode' "
-			"DESC 'Remote Identity Assertion mode' "
-			"OBSOLETE "
-			"SYNTAX OMsDirectoryString "
-			"SINGLE-VALUE)",
-		NULL, NULL },
 	{ "idassert-authzFrom", "authzRule", 2, 2, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.9 "
@@ -370,16 +292,6 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"X-ORDERED 'VALUES' )",
 		NULL, NULL },
-
-	{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
-		ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	{ "map", "attribute|objectClass> [*|<local>] *|<remote", 3, 4, 0,
-		ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-		ldap_back_cf_gen, NULL, NULL, NULL },
-	{ "rewrite", "<arglist>", 2, 4, STRLENOF( "rewrite" ),
-		ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
-		ldap_back_cf_gen, NULL, NULL, NULL },
 	{ "omit-unknown-schema", "true|FALSE", 2, 2, 0,
 		ARG_MAGIC|ARG_ON_OFF|LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.28 "
@@ -409,13 +321,8 @@ static ConfigOCs ldapocs[] = {
 		"SUP olcDatabaseConfig "
 		"MAY ( olcDbURI "
 			"$ olcDbStartTLS "
-			"$ olcDbACLAuthcDn "
-			"$ olcDbACLPasswd "
 			"$ olcDbACLBind "
-			"$ olcDbIDAssertAuthcDn "
-			"$ olcDbIDAssertPasswd "
 			"$ olcDbIDAssertBind "
-			"$ olcDbIDAssertMode "
 			"$ olcDbIDAssertAuthzFrom "
 			"$ olcDbIDAssertPassThru "
 			"$ olcDbRebindAsUser "
@@ -1068,13 +975,6 @@ ldap_back_cf_gen( ConfigArgs *c )
 			}
 			break;
 
-		case LDAP_BACK_CFG_ACL_AUTHCDN:
-		case LDAP_BACK_CFG_ACL_PASSWD:
-		case LDAP_BACK_CFG_ACL_METHOD:
-			/* handled by LDAP_BACK_CFG_ACL_BIND */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_ACL_BIND: {
 			int	i;
 
@@ -1097,14 +997,6 @@ ldap_back_cf_gen( ConfigArgs *c )
 			break;
 		}
 
-		case LDAP_BACK_CFG_IDASSERT_MODE:
-		case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-		case LDAP_BACK_CFG_IDASSERT_PASSWD:
-		case LDAP_BACK_CFG_IDASSERT_METHOD:
-			/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
 		case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
 			BerVarray	*bvp;
@@ -1502,25 +1394,10 @@ ldap_back_cf_gen( ConfigArgs *c )
 			rc = 1;
 			break;
 
-		case LDAP_BACK_CFG_ACL_AUTHCDN:
-		case LDAP_BACK_CFG_ACL_PASSWD:
-		case LDAP_BACK_CFG_ACL_METHOD:
-			/* handled by LDAP_BACK_CFG_ACL_BIND */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_ACL_BIND:
 			bindconf_free( &li->li_acl );
 			break;
 
-		case LDAP_BACK_CFG_IDASSERT_MODE:
-		case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-		case LDAP_BACK_CFG_IDASSERT_PASSWD:
-		case LDAP_BACK_CFG_IDASSERT_METHOD:
-			/* handled by LDAP_BACK_CFG_IDASSERT_BIND */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
 		case LDAP_BACK_CFG_IDASSERT_PASSTHRU: {
 			BerVarray *bvp;
@@ -1822,56 +1699,6 @@ done_url:;
 #endif
 		break;
 
-	case LDAP_BACK_CFG_ACL_AUTHCDN:
-		switch ( li->li_acl_authmethod ) {
-		case LDAP_AUTH_NONE:
-			li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
-			break;
-
-		case LDAP_AUTH_SIMPLE:
-			break;
-
-		default:
-			snprintf( c->cr_msg, sizeof( c->cr_msg),
-				"\"acl-authcDN <DN>\" incompatible "
-				"with auth method %d",
-				li->li_acl_authmethod );
-			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-			return 1;
-		}
-		if ( !BER_BVISNULL( &li->li_acl_authcDN ) ) {
-			free( li->li_acl_authcDN.bv_val );
-		}
-		ber_memfree_x( c->value_dn.bv_val, NULL );
-		li->li_acl_authcDN = c->value_ndn;
-		BER_BVZERO( &c->value_dn );
-		BER_BVZERO( &c->value_ndn );
-		break;
-
-	case LDAP_BACK_CFG_ACL_PASSWD:
-		switch ( li->li_acl_authmethod ) {
-		case LDAP_AUTH_NONE:
-			li->li_acl_authmethod = LDAP_AUTH_SIMPLE;
-			break;
-
-		case LDAP_AUTH_SIMPLE:
-			break;
-
-		default:
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"acl-passwd <cred>\" incompatible "
-				"with auth method %d",
-				li->li_acl_authmethod );
-			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-			return 1;
-		}
-		if ( !BER_BVISNULL( &li->li_acl_passwd ) ) {
-			free( li->li_acl_passwd.bv_val );
-		}
-		ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_acl_passwd );
-		break;
-
-	case LDAP_BACK_CFG_ACL_METHOD:
 	case LDAP_BACK_CFG_ACL_BIND:
 		for ( i = 1; i < c->argc; i++ ) {
 			if ( bindconf_parse( c->argv[ i ], &li->li_acl ) ) {
@@ -1887,141 +1714,6 @@ done_url:;
 #endif
 		break;
 
-	case LDAP_BACK_CFG_IDASSERT_MODE:
-		i = verb_to_mask( c->argv[1], idassert_mode );
-		if ( BER_BVISNULL( &idassert_mode[i].word ) ) {
-			if ( strncasecmp( c->argv[1], "u:", STRLENOF( "u:" ) ) == 0 ) {
-				li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERID;
-				ber_str2bv( c->argv[1], 0, 1, &li->li_idassert_authzID );
-				li->li_idassert_authzID.bv_val[ 0 ] = 'u';
-				
-			} else {
-				struct berval	id, ndn;
-
-				ber_str2bv( c->argv[1], 0, 0, &id );
-
-				if ( strncasecmp( c->argv[1], "dn:", STRLENOF( "dn:" ) ) == 0 ) {
-					id.bv_val += STRLENOF( "dn:" );
-					id.bv_len -= STRLENOF( "dn:" );
-				}
-
-				rc = dnNormalize( 0, NULL, NULL, &id, &ndn, NULL );
-                                if ( rc != LDAP_SUCCESS ) {
-                                        Debug( LDAP_DEBUG_ANY,
-                                                "%s: line %d: idassert ID \"%s\" is not a valid DN\n",
-                                                c->fname, c->lineno, c->argv[1] );
-                                        return 1;
-                                }
-
-                                li->li_idassert_authzID.bv_len = STRLENOF( "dn:" ) + ndn.bv_len;
-                                li->li_idassert_authzID.bv_val = ch_malloc( li->li_idassert_authzID.bv_len + 1 );
-                                AC_MEMCPY( li->li_idassert_authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
-                                AC_MEMCPY( &li->li_idassert_authzID.bv_val[ STRLENOF( "dn:" ) ], ndn.bv_val, ndn.bv_len + 1 );
-                                ch_free( ndn.bv_val );
-
-                                li->li_idassert_mode = LDAP_BACK_IDASSERT_OTHERDN;
-			}
-
-		} else {
-			li->li_idassert_mode = idassert_mode[i].mask;
-		}
-
-		if ( c->argc > 2 ) {
-			int	i;
-
-			for ( i = 2; i < c->argc; i++ ) {
-				if ( strcasecmp( c->argv[ i ], "override" ) == 0 ) {
-					li->li_idassert_flags |= LDAP_BACK_AUTH_OVERRIDE;
-
-				} else if ( strcasecmp( c->argv[ i ], "prescriptive" ) == 0 ) {
-					li->li_idassert_flags |= LDAP_BACK_AUTH_PRESCRIPTIVE;
-
-				} else if ( strcasecmp( c->argv[ i ], "non-prescriptive" ) == 0 ) {
-					li->li_idassert_flags &= ( ~LDAP_BACK_AUTH_PRESCRIPTIVE );
-
-				} else if ( strcasecmp( c->argv[ i ], "obsolete-proxy-authz" ) == 0 ) {
-					if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND ) {
-						Debug( LDAP_DEBUG_ANY,
-                                       	 		"%s: line %d: \"obsolete-proxy-authz\" flag "
-                                        		"in \"idassert-mode <args>\" "
-                                        		"incompatible with previously issued \"obsolete-encoding-workaround\" flag.\n",
-												c->fname, c->lineno );
-                                		return 1;
-					}
-					li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ;
-
-				} else if ( strcasecmp( c->argv[ i ], "obsolete-encoding-workaround" ) == 0 ) {
-					if ( li->li_idassert_flags & LDAP_BACK_AUTH_OBSOLETE_PROXY_AUTHZ ) {
-						Debug( LDAP_DEBUG_ANY,
-                                       	 		"%s: line %d: \"obsolete-encoding-workaround\" flag "
-                                        		"in \"idassert-mode <args>\" "
-                                        		"incompatible with previously issued \"obsolete-proxy-authz\" flag.\n",
-												c->fname, c->lineno );
-                                		return 1;
-					}
-					li->li_idassert_flags |= LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND;
-
-				} else {
-					Debug( LDAP_DEBUG_ANY,
-                                        	"%s: line %d: unknown flag #%d "
-                                        	"in \"idassert-mode <args> "
-                                        	"[<flags>]\" line.\n",
-                                        	c->fname, c->lineno, i - 2 );
-                                	return 1;
-				}
-                        }
-                }
-		break;
-
-	case LDAP_BACK_CFG_IDASSERT_AUTHCDN:
-		switch ( li->li_idassert_authmethod ) {
-		case LDAP_AUTH_NONE:
-			li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
-			break;
-
-		case LDAP_AUTH_SIMPLE:
-			break;
-
-		default:
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"idassert-authcDN <DN>\" incompatible "
-				"with auth method %d",
-				li->li_idassert_authmethod );
-			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-			return 1;
-		}
-		if ( !BER_BVISNULL( &li->li_idassert_authcDN ) ) {
-			free( li->li_idassert_authcDN.bv_val );
-		}
-		ber_memfree_x( c->value_dn.bv_val, NULL );
-		li->li_idassert_authcDN = c->value_ndn;
-		BER_BVZERO( &c->value_dn );
-		BER_BVZERO( &c->value_ndn );
-		break;
-
-	case LDAP_BACK_CFG_IDASSERT_PASSWD:
-		switch ( li->li_idassert_authmethod ) {
-		case LDAP_AUTH_NONE:
-			li->li_idassert_authmethod = LDAP_AUTH_SIMPLE;
-			break;
-
-		case LDAP_AUTH_SIMPLE:
-			break;
-
-		default:
-			snprintf( c->cr_msg, sizeof( c->cr_msg ),
-				"\"idassert-passwd <cred>\" incompatible "
-				"with auth method %d",
-				li->li_idassert_authmethod );
-			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-			return 1;
-		}
-		if ( !BER_BVISNULL( &li->li_idassert_passwd ) ) {
-			free( li->li_idassert_passwd.bv_val );
-		}
-		ber_str2bv( c->argv[ 1 ], 0, 1, &li->li_idassert_passwd );
-		break;
-
 	case LDAP_BACK_CFG_IDASSERT_AUTHZFROM:
 		rc = slap_idassert_authzfrom_parse( c, &li->li_idassert );
 		break;
@@ -2030,14 +1722,6 @@ done_url:;
 		rc = slap_idassert_passthru_parse( c, &li->li_idassert );
 		break;
 
-	case LDAP_BACK_CFG_IDASSERT_METHOD:
-		/* no longer supported */
-		snprintf( c->cr_msg, sizeof( c->cr_msg ),
-			"\"idassert-method <args>\": "
-			"no longer supported; use \"idassert-bind\"" );
-		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-		return 1;
-
 	case LDAP_BACK_CFG_IDASSERT_BIND:
 		rc = slap_idassert_parse( c, &li->li_idassert );
 		break;
@@ -2338,15 +2022,6 @@ done_url:;
 		li->li_flags |= onerr_mode[i].mask;
 		break;
 
-	case LDAP_BACK_CFG_REWRITE:
-		snprintf( c->cr_msg, sizeof( c->cr_msg ),
-			"rewrite/remap capabilities have been moved "
-			"to the \"rwm\" overlay; see slapo-rwm(5) "
-			"for details (hint: add \"overlay rwm\" "
-			"and prefix all directives with \"rwm-\")" );
-		Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg );
-		return 1;
-
 	case LDAP_BACK_CFG_OMIT_UNKNOWN_SCHEMA:
 		if ( c->value_int ) {
 			li->li_flags |= LDAP_BACK_F_OMIT_UNKNOWN_SCHEMA;
@@ -2374,8 +2049,6 @@ int
 ldap_back_init_cf( BackendInfo *bi )
 {
 	int			rc;
-	AttributeDescription	*ad = NULL;
-	const char		*text;
 
 	/* Make sure we don't exceed the bits reserved for userland */
 	config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2387,32 +2060,6 @@ ldap_back_init_cf( BackendInfo *bi )
 		return rc;
 	}
 
-	/* setup olcDbAclPasswd and olcDbIDAssertPasswd 
-	 * to be base64-encoded when written in LDIF form;
-	 * basically, we don't care if it fails */
-	rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbACLPasswd\" "
-			"attribute description: %d: %s\n",
-			rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
-	ad = NULL;
-	rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbIDAssertPasswd\" "
-			"attribute description: %d: %s\n",
-			rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
 	return 0;
 }
 
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index 32970c68ef..73926611ba 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -91,8 +91,6 @@ enum {
 /* Target attrs */
 enum {
 	LDAP_BACK_CFG_URI = LDAP_BACK_CFG_LAST_BOTH,
-	LDAP_BACK_CFG_ACL_AUTHCDN,
-	LDAP_BACK_CFG_ACL_PASSWD,
 	LDAP_BACK_CFG_IDASSERT_AUTHZFROM,
 	LDAP_BACK_CFG_IDASSERT_BIND,
 	LDAP_BACK_CFG_REWRITE,
@@ -127,33 +125,6 @@ static ConfigTable metacfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "acl-authcDN", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		meta_back_cf_gen, "( OLcfgDbAt:3.2 "
-			"NAME 'olcDbACLAuthcDn' "
-			"DESC 'Remote ACL administrative identity' "
-			"EQUALITY distinguishedNameMatch "
-			"OBSOLETE "
-			"SYNTAX OMsDN "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-authcDN" */
-	{ "binddn", "DN", 2, 2, 0,
-		ARG_DN|ARG_MAGIC|LDAP_BACK_CFG_ACL_AUTHCDN,
-		meta_back_cf_gen, NULL, NULL, NULL },
-	{ "acl-passwd", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		meta_back_cf_gen, "( OLcfgDbAt:3.3 "
-			"NAME 'olcDbACLPasswd' "
-			"DESC 'Remote ACL administrative identity credentials' "
-			"OBSOLETE "
-			"SYNTAX OMsDirectoryString "
-			"SINGLE-VALUE )",
-		NULL, NULL },
-	/* deprecated, will be removed; aliases "acl-passwd" */
-	{ "bindpw", "cred", 2, 2, 0,
-		ARG_MAGIC|LDAP_BACK_CFG_ACL_PASSWD,
-		meta_back_cf_gen, NULL, NULL, NULL },
 	{ "idassert-bind", "args", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_IDASSERT_BIND,
 		meta_back_cf_gen, "( OLcfgDbAt:3.7 "
@@ -506,9 +477,7 @@ static ConfigOCs metaocs[] = {
 		"DESC 'Meta target configuration' "
 		"SUP olcConfig STRUCTURAL "
 		"MUST ( olcMetaSub $ olcDbURI ) "
-		"MAY ( olcDbACLAuthcDn "
-			"$ olcDbACLPasswd "
-			"$ olcDbIDAssertAuthzFrom "
+		"MAY ( olcDbIDAssertAuthzFrom "
 			"$ olcDbIDAssertBind "
 			"$ olcDbMap "
 			"$ olcDbRewrite "
@@ -1408,15 +1377,6 @@ meta_back_cf_gen( ConfigArgs *c )
 			ber_bvarray_add( &c->rvalue_vals, &bv );
 			} break;
 
-		case LDAP_BACK_CFG_ACL_AUTHCDN:
-		case LDAP_BACK_CFG_ACL_PASSWD:
-			/* FIXME no point here, there is no code implementing
-			 * their features. Was this supposed to implement
-			 * acl-bind like back-ldap?
-			 */
-			rc = 1;
-			break;
-
 		case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
 			BerVarray	*bvp;
 			int		i;
@@ -2308,35 +2268,6 @@ meta_back_cf_gen( ConfigArgs *c )
 		mc->mc_bind_timeout.tv_usec = c->value_ulong%1000000;
 		break;
 
-	case LDAP_BACK_CFG_ACL_AUTHCDN:
-	/* name to use for meta_back_group */
-		if ( strcasecmp( c->argv[ 0 ], "binddn" ) == 0 ) {
-			Debug( LDAP_DEBUG_ANY, "%s: "
-				"\"binddn\" statement is deprecated; "
-				"use \"acl-authcDN\" instead\n",
-				c->log );
-			/* FIXME: some day we'll need to throw an error */
-		}
-
-		ber_memfree_x( c->value_dn.bv_val, NULL );
-		mt->mt_binddn = c->value_ndn;
-		BER_BVZERO( &c->value_dn );
-		BER_BVZERO( &c->value_ndn );
-		break;
-
-	case LDAP_BACK_CFG_ACL_PASSWD:
-	/* password to use for meta_back_group */
-		if ( strcasecmp( c->argv[ 0 ], "bindpw" ) == 0 ) {
-			Debug( LDAP_DEBUG_ANY, "%s "
-				"\"bindpw\" statement is deprecated; "
-				"use \"acl-passwd\" instead\n",
-				c->log );
-			/* FIXME: some day we'll need to throw an error */
-		}
-
-		ber_str2bv( c->argv[ 1 ], 0L, 1, &mt->mt_bindpw );
-		break;
-
 	case LDAP_BACK_CFG_REBIND:
 	/* save bind creds for referral rebinds? */
 		if ( c->argc == 1 || c->value_int ) {
@@ -2979,8 +2910,6 @@ int
 meta_back_init_cf( BackendInfo *bi )
 {
 	int			rc;
-	AttributeDescription	*ad = NULL;
-	const char		*text;
 
 	/* Make sure we don't exceed the bits reserved for userland */
 	config_check_userland( LDAP_BACK_CFG_LAST );
@@ -2992,32 +2921,6 @@ meta_back_init_cf( BackendInfo *bi )
 		return rc;
 	}
 
-	/* setup olcDbAclPasswd and olcDbIDAssertPasswd
-	 * to be base64-encoded when written in LDIF form;
-	 * basically, we don't care if it fails */
-	rc = slap_str2ad( "olcDbACLPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbACLPasswd\" "
-			"attribute description: %d: %s\n",
-			rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
-	ad = NULL;
-	rc = slap_str2ad( "olcDbIDAssertPasswd", &ad, &text );
-	if ( rc ) {
-		Debug( LDAP_DEBUG_ANY, "config_back_initialize: "
-			"warning, unable to get \"olcDbIDAssertPasswd\" "
-			"attribute description: %d: %s\n",
-			rc, text );
-	} else {
-		(void)ldif_must_b64_encode_register( ad->ad_cname.bv_val,
-			ad->ad_type->sat_oid );
-	}
-
 	return 0;
 }
 
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 5d13f218fc..6a329e483f 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -102,9 +102,7 @@ database	ldap
 suffix		"o=Esempio,c=IT"
 uri		"@URI1@"
 
-acl-authcDN	"cn=Proxy IT,ou=Admin,dc=example,dc=com"
-acl-passwd	proxy
-
+acl-bind	bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy"
 idassert-bind	bindmethod=simple binddn="cn=Proxy IT,ou=Admin,dc=example,dc=com" credentials="proxy" authzId="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
 
 # authorizes database