diff --git a/servers/slapd/add.c b/servers/slapd/add.c
index 190070feebf3dde5a64ad014b18e701bd279fec7..8f3b3082ff4b687efeb8a403984113d198ced380 100644
--- a/servers/slapd/add.c
+++ b/servers/slapd/add.c
@@ -146,8 +146,18 @@ do_add( Connection *conn, Operation *op )
 	if( e->e_ndn == NULL || *e->e_ndn == '\0' ) {
 		/* protocolError may be a more appropriate error */
 		send_ldap_result( conn, op, rc = LDAP_ALREADY_EXISTS,
-			NULL, "root DSE exists", NULL, NULL );
+			NULL, "root DSE already exists",
+			NULL, NULL );
 		goto done;
+
+#if defined( SLAPD_SCHEMA_DN )
+	} else if ( strcasecmp( ndn, SLAPD_SCHEMA_DN ) == 0 ) {
+		/* protocolError may be a more appropriate error */
+		send_ldap_result( conn, op, rc = LDAP_ALREADY_EXISTS,
+			NULL, "subschema subentry already exists",
+			NULL, NULL );
+		goto done;
+#endif
 	}
 
 	manageDSAit = get_manageDSAit( op );
diff --git a/servers/slapd/delete.c b/servers/slapd/delete.c
index 4b6caecdfcde24b453fb889e24ecdebc05d75c67..3696769962d001b1546b070755d04069e3273510 100644
--- a/servers/slapd/delete.c
+++ b/servers/slapd/delete.c
@@ -72,6 +72,16 @@ do_delete(
 		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 			NULL, "cannot delete the root DSE", NULL, NULL );
 		goto cleanup;
+
+#ifdef SLAPD_SCHEMA_DN
+	} else if ( strcasecmp( ndn, SLAPD_SCHEMA_DN ) == 0 ) {
+		Debug( LDAP_DEBUG_ANY, "do_delete: subschema subentry!\n", 0, 0, 0 );
+		/* protocolError would likely be a more appropriate error */
+		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
+			NULL, "cannot delete the root DSE", NULL, NULL );
+		goto cleanup;
+
+#endif
 	}
 
 	Statslog( LDAP_DEBUG_STATS, "conn=%ld op=%d DEL dn=\"%s\"\n",
diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c
index f2b31234b55538d5b9387c7854c1ae30b65d6508..8c4957543c4dde1894c3dff1fe093bddef28603c 100644
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@@ -158,6 +158,16 @@ do_modify(
 		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 			NULL, "modify upon the root DSE not supported", NULL, NULL );
 		goto cleanup;
+
+#if defined( SLAPD_SCHEMA_DN )
+	} else if ( strcasecmp( ndn, SLAPD_SCHEMA_DN ) == 0 ) {
+		Debug( LDAP_DEBUG_ANY, "do_modify: subschema subentry!\n", 0, 0, 0 );
+
+		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
+			NULL, "modification of subschema subentry not supported",
+			NULL, NULL );
+		goto cleanup;
+#endif
 	}
 
 #ifdef LDAP_DEBUG
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index c4fffbbf84f5eeba6dac806682d45803bbb9d130..fc8d3964eb1cd95a8d3907ccedabed01e17c5bbf 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -156,6 +156,15 @@ do_modrdn(
 		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 			NULL, "cannot rename the root DSE", NULL, NULL );
 		goto cleanup;
+
+#ifdef SLAPD_SCHEMA_DN
+	} else if ( strcasecmp( ndn, SLAPD_SCHEMA_DN ) == 0 ) {
+		Debug( LDAP_DEBUG_ANY, "do_modrdn: subschema subentry!\n", 0, 0, 0 );
+
+		send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
+			NULL, "cannot rename subschema subentry", NULL, NULL );
+		goto cleanup;
+#endif
 	}
 
 	Statslog( LDAP_DEBUG_STATS, "conn=%ld op=%d MODRDN dn=\"%s\"\n",
diff --git a/servers/slapd/result.c b/servers/slapd/result.c
index 2164ec08d672f7905a732ab16003ec014fd0f94f..64f04464f09359010f8befd673a4071f06eeff17 100644
--- a/servers/slapd/result.c
+++ b/servers/slapd/result.c
@@ -730,6 +730,7 @@ send_search_entry(
 			ber_free( ber, 1 );
 			send_ldap_result( conn, op, LDAP_OTHER,
 			    NULL, "encoding description error", NULL, NULL );
+			attrs_free( aa );
 			goto error_return;
 		}
 
@@ -751,6 +752,7 @@ send_search_entry(
 					ber_free( ber, 1 );
 					send_ldap_result( conn, op, LDAP_OTHER,
 						NULL, "encoding values error", NULL, NULL );
+					attrs_free( aa );
 					goto error_return;
 				}
 			}
@@ -761,6 +763,7 @@ send_search_entry(
 			ber_free( ber, 1 );
 			send_ldap_result( conn, op, LDAP_OTHER,
 			    NULL, "encode end error", NULL, NULL );
+			attrs_free( aa );
 			goto error_return;
 		}
 	}