doc/guide/COPYRIGHT

@@ -25,7 +25,7 @@ Additional information about OpenLDAP can be obtained at
 
 ---
 
-Portions Copyright 1998-2006 Kurt D. Zeilenga.
+Portions Copyright 1998-2008 Kurt D. Zeilenga.
 Portions Copyright 1998-2006 Net Boolean Incorporated.
 Portions Copyright 2001-2006 IBM Corporation.
 All rights reserved.
@@ -39,8 +39,8 @@ Public License.
 Portions Copyright 1999-2007 Howard Y.H. Chu.
 Portions Copyright 1999-2007 Symas Corporation.
 Portions Copyright 1998-2003 Hallvard B. Furuseth.
-Portions Copyright 2007-2008 Gavin Henry
-Portions Copyright 2007-2008 Suretec Systems Limited.
+Portions Copyright 2008 Gavin Henry.
+Portions Copyright 2008 Suretec Systems.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

doc/guide/admin/access-control.sdf

@@ -137,7 +137,9 @@ attribute name and also using a value selector:
 There are two special {{pseudo}} attributes {{EX:entry}} and
 {{EX:children}}.  To read (and hence return) a target entry, the
 subject must have {{EX:read}} access to the target's {{entry}}
-attribute.  To add or delete an entry, the subject must have
+attribute.  To perform a search, the subject must have
+{{EX:search}} access to the search base's {{entry}} attribute.
+To add or delete an entry, the subject must have
 {{EX:write}} access to the entry's {{EX:entry}} attribute AND must
 have {{EX:write}} access to the entry's parent's {{EX:children}}
 attribute.  To rename an entry, the subject must have {{EX:write}}
@@ -552,7 +554,9 @@ attribute name and also using a value selector:
 There are two special {{pseudo}} attributes {{EX:entry}} and
 {{EX:children}}.  To read (and hence return) a target entry, the
 subject must have {{EX:read}} access to the target's {{entry}}
-attribute.  To add or delete an entry, the subject must have
+attribute.  To perform a search, the subject must have
+{{EX:search}} access to the search base's {{entry}} attribute.
+To add or delete an entry, the subject must have
 {{EX:write}} access to the entry's {{EX:entry}} attribute AND must
 have {{EX:write}} access to the entry's parent's {{EX:children}}
 attribute.  To rename an entry, the subject must have {{EX:write}}

doc/guide/admin/appendix-upgrading.sdf

@@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file.
 
 >           olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
 
+H2: ACLs: searches require privileges on the search base
+
+Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
+base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
+bases.
+
+For example, assuming you have the following ACL:
+
+>           access to dn.sub="ou=people,dc=example,dc=com" by * search
+
+Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:
+
+>           access to dn.base="dc=example,dc=com" attrs=entry by * search
+
+Note: The {{slapd.access}}(5) man page states that this requirement was introduced
+with OpenLDAP 2.3. However, it is the default behavior only since 2.4.
 
 
 

doc/guide/admin/aspell.en.pws

-personal_ws-1.1 en 1598 
+personal_ws-1.1 en 1634 
 commonName
 bla
 Masarati
 subjectAltName
 api
 BhY
-olcSyncrepl
 olcSyncRepl
+olcSyncrepl
 adamsom
 adamson
 CER
@@ -38,8 +38,8 @@ DIB
 dev
 reqNewSuperior
 librewrite
-memberOf
 memberof
+memberOf
 BSI
 updateref
 buf
@@ -64,6 +64,7 @@ CRP
 postread
 csn
 xvfB
+checkpass
 neverDerefaliases
 dns
 DN's
@@ -87,8 +88,8 @@ dlopen
 eng
 AttributeValue
 attributevalue
-EOF
 DUA
+EOF
 inputfile
 DSP
 refreshDone
@@ -123,10 +124,10 @@ iff
 contextCSN
 auditModify
 auditSearch
-openldap
 OpenLDAP
-resultCode
+openldap
 resultcode
+resultCode
 sysconfig
 indices
 blen
@@ -137,14 +138,17 @@ directoryString
 database's
 iscritical
 gss
+qbuaQ
 ZKKuqbEKJfKSXhUbHG
 invalidAttributeSyntax
 subtree
 Kartik
 newparent
+DkMTwBl
 memcalloc
 ing
 filtertype
+XKqkdPOmY
 regcomp
 ldapmodify
 includedir
@@ -159,13 +163,13 @@ argv
 kdz
 notAllowedOnRDN
 hostport
-starttls
 StartTLS
+starttls
 ldb
 servercredp
 ldd
-ipv
 IPv
+ipv
 hyc
 joe
 bindmethods
@@ -189,16 +193,16 @@ attrstyle
 directoryOperation
 creatorsName
 mem
-oldpasswdfile
 oldPasswdFile
+oldpasswdfile
 uniqueMember
 krb
 libpath
 acknowledgements
 jts
 createTimestamp
-LLL
 MIB
+LLL
 OpenSSL
 openssl
 LOF
@@ -217,6 +221,7 @@ LDAPMatchingRule
 bool
 LRL
 CPPFLAGS
+yWpR
 schemadir
 desc
 lud
@@ -232,14 +237,15 @@ oid
 msg
 attr
 caseExactOrderingMatch
+TmkzUAb
 Subbarao
 aeeiib
 oidlen
 submatches
-olc
 PEM
-PDU
+olc
 OLF
+PDU
 LDAPSchemaExtensionItem
 auth
 Pierangelo
@@ -249,6 +255,7 @@ subdirectories
 OLP
 pwdPolicyChecker
 subst
+mux
 singleLevel
 cleartext
 numattrsets
@@ -277,9 +284,9 @@ rdn
 wZFQrDD
 OTP
 olcSizeLimit
-pos
-sbi
 PRD
+sbi
+pos
 pre
 sudoadm
 stringal
@@ -287,6 +294,7 @@ retoidp
 sdf
 efgh
 accesslog
+PSH
 sed
 cond
 qdescrs
@@ -296,9 +304,10 @@ ldapmodrdn
 sel
 bvec
 TBC
+HtZhZS
 stringbv
-Sep
 SHA
+Sep
 ptr
 conn
 pwd
@@ -315,8 +324,8 @@ myOID
 supportedSASLMechanism
 supportedSASLmechanism
 realnamingcontext
-SMD
 UCD
+SMD
 keytab
 portnumber
 uncached
@@ -329,8 +338,8 @@ sasldb
 UCS
 searchDN
 keytbl
-tgz
 UDP
+tgz
 freemods
 prepend
 errText
@@ -347,22 +356,22 @@ crit
 objectClassViolation
 ssf
 ldapfilter
-rwm
-TOC
 vec
+TOC
+rwm
 pwdChangedTime
 tls
 peernamestyle
 xpasswd
-tmp
 SRP
+tmp
 SSL
 dupbv
 CPUs
 SRV
 entrymods
-rwx
 sss
+rwx
 reqNewRDN
 nopresent
 rebindproc
@@ -372,11 +381,13 @@ syncIdSet
 cron
 accesslevel
 accessor's
+czBJdDqS
 keyval
 alloc
 saslpasswd
 README
 maxentries
+QWGWZpj
 ttl
 undefinedAttributeType
 peercred
@@ -417,10 +428,11 @@ memberURL
 sudoers
 pwdMaxFailure
 pseudorootdn
+MezRroT
 GDBM
 LIBRELEASE
-DSAs
 DSA's
+DSAs
 realloc
 booleanMatch
 compareTrue
@@ -432,6 +444,7 @@ rwxrwxrwx
 al
 realself
 cd
+aQ
 ar
 olcDatabaseConfig
 de
@@ -447,6 +460,7 @@ dn
 fG
 DS
 fi
+EO
 allmail
 du
 eq
@@ -477,8 +491,8 @@ pwdMinLength
 iZ
 ldapdelete
 xyz
-RDBMs
 rdbms
+RDBMs
 extparam
 mk
 ng
@@ -533,6 +547,7 @@ cacert
 notAllowedOnNonLeaf
 attrname
 olcTLSCipherSuite
+Xr
 x's
 xw
 octetStringMatch
@@ -541,8 +556,8 @@ ZZ
 LDVERSION
 testAttr
 backend
-backend's
 backends
+backend's
 BerValues
 Solaris
 structs
@@ -554,9 +569,9 @@ ostring
 policyDN
 testObject
 pwdMaxAge
-bindDn
-bindDN
 binddn
+bindDN
+bindDn
 distributedOperation
 schemachecking
 strvals
@@ -588,6 +603,7 @@ serverctrls
 recursivegroup
 integerMatch
 moduledir
+BlpQmtczb
 dynstyle
 bindpw
 AUTHNAME
@@ -598,14 +614,14 @@ IEEE
 regex
 SIGINT
 slappasswd
-errAbsObject
 errABsObject
+errAbsObject
 ldapexop
-objectidentifier
 objectIdentifier
+objectidentifier
 deallocators
-MirrorMode
 mirrormode
+MirrorMode
 loopDetect
 SIGHUP
 authMethodNotSupported
@@ -622,8 +638,8 @@ filtercomp
 expr
 syntaxes
 memrealloc
-returnCode
 returncode
+returnCode
 OpenLDAP's
 exts
 bitstringa
@@ -638,6 +654,7 @@ ietf
 olcSchemaConfig
 bitstrings
 bvalues
+hmev
 realdnattr
 attrpair
 affectsMultipleDSAs
@@ -646,8 +663,8 @@ lastName
 lldap
 cachesize
 slapauth
-attributetype
 attributeType
+attributetype
 GSER
 olcDbNosync
 typedef
@@ -664,14 +681,16 @@ monitoredObject
 TLSVerifyClient
 noidlen
 LDAPNOINIT
-pwdGraceAuthNLimit
 pwdGraceAuthnLimit
+pwdGraceAuthNLimit
 hnPk
+userpassword
 userPassword
 noanonymous
 LIBVERSION
 symas
 dcedn
+glibc
 sublevel
 chroot
 posixGroup
@@ -682,12 +701,14 @@ frontend
 someotherdomain
 proxying
 organisations
+IMAP
 rewriteMap
 monitoredInfo
-modrdn
-ModRDN
 modrDN
+ModRDN
+modrdn
 HREF
+DQTxCYEApdUtNXGgdUac
 inline
 multiproxy
 reqSizeLimit
@@ -698,8 +719,8 @@ reqReferral
 rlookups
 siiiib
 LTSTATIC
-timeLimitExceeded
 timelimitExceeded
+timeLimitExceeded
 XKYnrjvGT
 subtrees
 unixODBC
@@ -711,8 +732,8 @@ reqDN
 dnstyle
 inet
 schemas
-pwdPolicySubEntry
 pwdPolicySubentry
+pwdPolicySubEntry
 reqId
 scanf
 olcBackend
@@ -721,6 +742,7 @@ Arial
 init
 runtime
 onelevel
+YtNFk
 impl
 Autoconf
 stderr
@@ -737,6 +759,7 @@ olcModuleList
 pwdSafeModify
 html
 multimaster
+GCmfuqEvm
 testrun
 rewriteEngine
 slapdindex
@@ -751,8 +774,8 @@ POSIX
 pathname
 noSuchObject
 proxyOld
-berelement
 BerElement
+berelement
 sbiod
 plugin
 http
@@ -762,8 +785,8 @@ ldbm
 numericStringSubstringsMatch
 internet
 storages
-whoami
 WhoAmI
+whoami
 criticality
 addBlanks
 logins
@@ -772,6 +795,7 @@ dbnum
 operationsError
 homePhone
 testTwo
+BmIwN
 ldif
 entryAlreadyExists
 plaintext
@@ -903,6 +927,7 @@ concat
 realanonymous
 invalue
 refreshOnly
+pwcheck
 filesystem
 Naur
 unwillingToPerform
@@ -924,6 +949,7 @@ negttl
 logevels
 AAQSkZJRgABAAAAAQABAAD
 strcast
+aUihad
 failover
 constraintViolation
 cacheable
@@ -968,6 +994,7 @@ basename
 groupOfUniqueNames
 DHAVE
 ludp
+oPdklp
 entryUUID
 ldapapiinfo
 SampleLDAP
@@ -1013,12 +1040,14 @@ typeB
 nelems
 subord
 namingViolation
+PCOq
 inappropriateAuthentication
 mixin
 suders
 syntaxOID
 olcTLSCACertificateFile
 IGJlZ
+userPrincipalName
 TLSCipherSuite
 auditlog
 runningslapd
@@ -1059,6 +1088,7 @@ searchResultEntry
 PIII
 olcDbShmKey
 substr
+testsaslauthd
 reqRespControls
 XXXXXXXXXX
 MANSECT
@@ -1081,6 +1111,7 @@ dcObject
 supportedControl
 addprinc
 logbase
+oMxg
 filterlist
 generalizedTimeMatch
 Google
@@ -1204,6 +1235,7 @@ lucyB
 entryUUIDs
 reqEntries
 sockbuf
+wrongpassword
 olcSaslSecprops
 olcSaslSecProps
 dnSubtreeMatch
@@ -1296,6 +1328,7 @@ SMTP
 srvtab
 ldapadd
 sprintf
+spasswd
 monitorCounterObject
 Instanstantiation
 olcDbConfig
@@ -1362,6 +1395,7 @@ argsfile
 attrvalue
 deallocate
 msgid
+ilOzQ
 modulepath
 logfile
 Supr
@@ -1513,6 +1547,7 @@ ABNF
 dnpattern
 perror
 MSSQL
+VUld
 SmVuc
 ACIs
 errmsgp
@@ -1552,8 +1587,8 @@ wBDARESEhgVG
 multi
 aaa
 ldaprc
-updatedn
 UpdateDN
+updatedn
 LDAPBASE
 LDAPAPIFeatureInfo
 authzTo
@@ -1593,7 +1628,8 @@ ber
 slimit
 ali
 attributeoptions
+BfQ
 uidNumber
-CAs
 CA's
+CAs
 namingContext

doc/guide/admin/preface.sdf

@@ -19,6 +19,9 @@ Software Copyright Notices}} and the {{SECT:OpenLDAP Public License}}.
 Complete copies of the notices and associated license can be found
 in Appendix K and L, respectively.
 
+Portions of OpenLDAP Software and this document may be copyright
+by other parties and/or subject to additional restrictions.  Individual
+source files should be consulted for additional copyright notices.
 
 P2[notoc] Scope of this Document
 

doc/guide/admin/security.sdf

 # $OpenLDAP$
 # Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
+# Portions Copyright 2008 Andrew Findlay.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Security Considerations
@@ -58,7 +59,8 @@ to the server.  For example, the {{host_options}}(5) rule:
 
 allows only incoming connections from the private network {{F:10.0.0.0}}
 and localhost ({{F:127.0.0.1}}) to access the directory service.
-Note that IP addresses are used as {{slapd}}(8) is not normally
+
+Note: IP addresses are used as {{slapd}}(8) is not normally
 configured to perform reverse lookups.
 
 It is noted that TCP wrappers require the connection to be accepted.
@@ -127,10 +129,11 @@ requested by providing a valid name and password.
 An anonymous bind results in an {{anonymous}} authorization
 association.  Anonymous bind mechanism is enabled by default, but
 can be disabled by specifying "{{EX:disallow bind_anon}}" in
-{{slapd.conf}}(5).  Note that disabling the anonymous bind mechanism
-does not prevent anonymous access to the directory.  To require
-authentication to access the directory, one should instead
-specify "{{EX:require authc}}".
+{{slapd.conf}}(5).  
+
+Note: Disabling the anonymous bind mechanism does not prevent 
+anonymous access to the directory. To require authentication to 
+access the directory, one should instead specify "{{EX:require authc}}".
 
 An unauthenticated bind also results in an {{anonymous}} authorization
 association.  Unauthenticated bind mechanism is disabled by default,
@@ -158,12 +161,250 @@ binds to use encryption of DES equivalent or better.
 The user/password authenticated bind mechanism can be completely
 disabled by setting "{{EX:disallow bind_simple}}".
 
-Note:  An unsuccessful bind always results in the session having
+Note: An unsuccessful bind always results in the session having
 an {{anonymous}} authorization association.
 
 
 H3: SASL method
 
-The LDAP {{TERM:SASL}} method allows use of any SASL authentication
-mechanism.  The {{SECT:Using SASL}} discusses use of SASL.
+The LDAP {{TERM:SASL}} method allows the use of any SASL authentication
+mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
+
+H2: Password Storage
+
+LDAP passwords are normally stored in the {{userPassword}} attribute.
+{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
+but this can create an unwanted security exposure so {{slapd}} provides
+several options for the administrator to choose from.
+
+The {{userPassword}} attribute is allowed to have more than one value,
+and it is possible for each value to be stored in a different form.
+During authentication, {{slapd}} will iterate through the values
+until it finds one that matches the offered password or until it
+runs out of values to inspect. The storage scheme is stored as a prefix
+on the value, so a Unix {{crypt}}-style password might look like this:
+
+> userPassword: {CRYPT}.7D8U/PCF00Hw
+
+In general, it is safest to store passwords in a salted hashed format
+like SSHA. This makes it very hard for an attacker to derive passwords
+from stolen backups or by obtaining access to the on-disk {{slapd}}
+database.
+
+The disadvantage of hashed storage is that it prevents the use of some
+authentication mechanisms such as {{EX:DIGEST-MD5}}.
+
+H3: CLEARTEXT password storage scheme
+
+Cleartext passwords can be stored directly in the {{userPassword}}
+attribute, or can have the '{CLEARTEXT}' prefix. These two values are
+equivalent:
+
+> userPassword: secret
+> userPassword: {CLEARTEXT}secret
+
+H3: CRYPT password storage scheme
+
+This scheme uses the operating system's {{crypt(3)}} hash function.
+It normally produces the traditional Unix-style 13 character hash, but
+on systems with {{EX:glibc2}} it can also generate the more secure
+34-byte MD5 hash.
+
+> userPassword: {CRYPT}aUihad99hmev6
+> userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
+
+The advantage of the CRYPT scheme is that passwords can be
+transferred to or from an existing Unix password file without having
+to know the cleartext form. Both forms of {{crypt}} include salt so
+they have some resistance to dictionary attacks.
+
+
+Note: Since this scheme uses the operation system's {{crypt(3)}} hash function, 
+it is therefore operation system specific.
+
+H3: MD5 password storage scheme
+
+This scheme simply takes the MD5 hash of the password and stores it in
+base64 encoded form:
+
+> userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
+
+Although safer than cleartext storage, this is not a very secure
+scheme. The MD5 algorithm is fast, and because there is no salt the
+scheme is vulnerable to a dictionary attack.
+
+H3: SMD5 password storage scheme
+
+This improves on the basic MD5 scheme by adding salt (random data
+which means that there are many possible representations of a given
+plaintext password). For example, both of these values represent the
+same password:
+
+> userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=
+> userPassword: {SMD5}g2/J/7D5EO6+oPdklp5p8YtNFk4=
+
+H3: SHA password storage scheme
+
+Like the MD5 scheme, this simply feeds the password through an SHA
+hash process. SHA is thought to be more secure than MD5, but the lack
+of salt leaves the scheme exposed to dictionary attacks.
+
+> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
+
+H3: SSHA password storage scheme
+
+This is the salted version of the SHA scheme. It is believed to be the
+most secure password storage scheme supported by {{slapd}}.
+
+These values represent the same password:
+
+> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
+> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
+
+H3: SASL password storage scheme
+
+This is not really a password storage scheme at all. It uses the
+value of the {{userPassword}} attribute to delegate password
+verification to another process. See below for more information.
+
+Note: This is not the same as using SASL to authenticate the LDAP
+session.
+
+H3: KERBEROS password storage scheme
+
+This is not really a password storage scheme at all. It uses the
+value of the {{userPassword}} attribute to delegate password
+verification to Kerberos. 
+
+Note: This is not the same as using Kerberos authentication of 
+the LDAP session.
+
+This scheme could be said to defeat the advantages of Kerberos by 
+causing the Kerberos password to be exposed to the {{slapd}} server 
+(and possibly on the network as well).
+
+H2: Pass-Through authentication
+
+Since OpenLDAP 2.0 {{slapd}} has had the ability to delegate password
+verification to a separate process. This uses the {{sasl_checkpass(3)}}
+function so it can use any back-end server that Cyrus SASL supports for
+checking passwords. The choice is very wide, as one option is to use
+{{saslauthd(8)}} which in turn can use local files, Kerberos, an IMAP
+server, another LDAP server, or anything supported by the PAM mechanism.
+
+The server must be built with the {{EX:--enable-spasswd}}
+configuration option to enable pass-through authentication.
+
+Note: This is not the same as using a SASL mechanism to
+authenticate the LDAP session.
+
+Pass-Through authentication works only with plaintext passwords, as 
+used in the "simple bind" and "SASL PLAIN" authentication mechanisms.}}
+
+Pass-Through authentication is selective: it only affects users whose
+{{userPassword}} attribute has a value marked with the "{SASL}"
+scheme. The format of the attribute is:
+
+> userPassword: {SASL}username@realm
+
+The {{username}} and {{realm}} are passed to the SASL authentication
+mechanism and are used to identify the account whose password is to be
+verified. This allows arbitrary mapping between entries in OpenLDAP
+and accounts known to the backend authentication service.
+
+Note: There is no support for changing passwords in the backend
+via {{slapd}}.
+
+It would be wise to use access control to prevent users from changing 
+their passwords through LDAP where they have pass-through authentication 
+enabled.
+
+
+H3: Configuring slapd to use an authentication provider
+
+Where an entry has a "{SASL}" password value, OpenLDAP delegates the
+whole process of validating that entry's password to Cyrus SASL. All
+the configuration is therefore done in SASL config files.
+
+The first
+file to be considered is confusingly named {{slapd.conf}} and is
+typically found in the SASL library directory, often
+{{EX:/usr/lib/sasl2/slapd.conf}} This file governs the use of SASL
+when talking LDAP to {{slapd}} as well as the use of SASL backends for
+pass-through authentication. See {{EX:options.html}} in the {{PRD:Cyrus SASL}}
+docs for full details. Here is a simple example for a server that will
+use {{saslauthd}} to verify passwords:
+
+> mech_list: plain
+> pwcheck_method: saslauthd
+> saslauthd_path: /var/run/sasl2/mux
+
+H3: Configuring saslauthd
+
+{{saslauthd}} is capable of using many different authentication
+services: see {{saslauthd(8)}} for details. A common requirement is to
+delegate some or all authentication to another LDAP server. Here is a
+sample {{EX:saslauthd.conf}} that uses Microsoft Active Directory (AD):
+
+> ldap_servers: ldap://dc1.example.com/ ldap://dc2.example.com/
+> 
+> ldap_search_base: cn=Users,DC=ad,DC=example,DC=com
+> ldap_filter: (userPrincipalName=%u)
+> 
+> ldap_bind_dn: cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com
+> ldap_password: secret
+
+In this case, {{saslauthd}} is run with the {{EX:ldap}} authentication
+mechanism and is set to combine the SASL realm with the login name:
+
+> saslauthd -a ldap -r
+
+This means that the "username@realm" string from the {{userPassword}}
+attribute ends up being used to search AD for
+"userPrincipalName=username@realm" - the password is then verified by
+attempting to bind to AD using the entry found by the search and the
+password supplied by the LDAP client.
+
+H3: Testing pass-through authentication
+
+It is usually best to start with the back-end authentication provider
+and work through {{saslauthd}} and {{slapd}} towards the LDAP client.
+
+In the AD example above, first check that the DN and password that
+{{saslauthd}} will use when it connects to AD are valid:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+>      -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+>      -w secret \
+>      -b '' \
+>      -s base
+
+Next check that a sample AD user can be found:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+>      -D cn=saslauthd,cn=Users,DC=ad,DC=example,DC=com \
+>      -w secret \
+>      -b cn=Users,DC=ad,DC=example,DC=com \
+>      "(userPrincipalName=user@ad.example.com)"
+
+Check that the user can bind to AD:
+
+> ldapsearch -x -H ldap://dc1.example.com/ \
+>      -D cn=user,cn=Users,DC=ad,DC=example,DC=com \
+>      -w userpassword \
+>      -b cn=user,cn=Users,DC=ad,DC=example,DC=com \
+>      -s base \
+>	"(objectclass=*)"
+
+If all that works then {{saslauthd}} should be able to do the same:
+
+> testsaslauthd -u user@ad.example.com -p userpassword
+> testsaslauthd -u user@ad.example.com -p wrongpassword
+
+Now put the magic token into an entry in OpenLDAP:
+
+> userPassword: {SASL}user@ad.example.com
+
+It should now be possible to bind to OpenLDAP using the DN of that
+entry and the password of the AD user.
 

doc/guide/images/src/README.fonts

 # $OpenLDAP$
-# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 2007 The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 #
 # README.fonts 

doc/guide/release/copyright.sdf

@@ -40,7 +40,7 @@ Additional information about OpenLDAP software can be obtained at
 <{{URL:http://www.OpenLDAP.org/}}>.
 
 
-H2: Additional Copyright Notice
+H2: Additional Copyright Notices
 
 !block nofill
 Portions [[copyright]] 1998-2008 Kurt D. Zeilenga.
@@ -58,7 +58,7 @@ Public License}}.
 Portions [[copyright]] 1999-2007 Howard Y.H. Chu.
 Portions [[copyright]] 1999-2007 Symas Corporation.
 Portions [[copyright]] 1998-2003 Hallvard B. Furuseth.
-Portions [[copyright]] 2007-2008 Gavin Henry
+Portions [[copyright]] 2007-2008 Gavin Henry.
 Portions [[copyright]] 2007-2008 Suretec Systems Limited.
 {{All rights reserved.}}
 !endblock

doc/man/man5/slapd-config.5

@@ -1585,6 +1585,8 @@ with the inner suffix must come first in the configuration file.
 .B [sizelimit=<limit>]
 .B [timelimit=<limit>]
 .B [schemachecking=on|off]
+.B [network-timeout=<seconds>]
+.B [timeout=<seconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -1687,6 +1689,17 @@ consumer site by turning on the
 .B schemachecking
 parameter. The default is off.
 
+The
+.B network-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from 
+.BR ldap.conf (5).
+
 A
 .B bindmethod
 of 

doc/man/man5/slapd.conf.5

@@ -1397,67 +1397,6 @@ regular settings should be configured before any overlay settings.
 This option puts the database into "read-only" mode.  Any attempts to 
 modify the database will return an "unwilling to perform" error.  By
 default, readonly is off.
-.HP
-.hy 0
-.B replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port] 
-.B [starttls=yes|critical]
-.B [suffix=<suffix> [...]]
-.B bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
-.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
-.B [authcId=<authentication ID>] [authzId=<authorization ID>]
-.B [attrs[!]=<attr list>]
-.RS
-Specify a replication site for this database.  Refer to the "OpenLDAP 
-Administrator's Guide" for detailed information on setting up a replicated
-.B slapd
-directory service. Zero or more
-.B suffix
-instances can be used to select the subtrees that will be replicated
-(defaults to all the database). 
-.B host
-is deprecated in favor of the
-.B uri
-option.
-.B uri
-allows the replica LDAP server to be specified as an LDAP URI. 
-A
-.B bindmethod
-of
-.B simple
-requires the options
-.B binddn 
-and
-.B credentials  
-and should only be used when adequate security services 
-(e.g TLS or IPSEC) are in place. A
-.B bindmethod 
-of
-.B sasl 
-requires the option
-.B saslmech. 
-Specific security properties (as with the
-.B sasl-secprops
-keyword above) for a SASL bind can be set with the
-.B secprops
-option. A non-default SASL realm can be set with the
-.B realm
-option.
-If the 
-.B mechanism
-will use Kerberos, a kerberos instance should be given in 
-.B authcId.
-An
-.B attr list
-can be given after the 
-.B attrs
-keyword to allow the selective replication of the listed attributes only;
-if the optional 
-.B !
-mark is used, the list is considered exclusive, i.e. the listed attributes
-are not replicated.
-If an objectClass is listed, all the related attributes
-are (are not) replicated.
-.RE
 .TP
 .B restrict <oplist>
 Specify a whitespace separated list of operations that are restricted.
@@ -1583,6 +1522,8 @@ in order to work over all of the glued databases. E.g.
 .B [sizelimit=<limit>]
 .B [timelimit=<limit>]
 .B [schemachecking=on|off]
+.B [network-timeout=<seconds>]
+.B [timeout=<seconds>]
 .B [bindmethod=simple|sasl]
 .B [binddn=<dn>]
 .B [saslmech=<mech>]
@@ -1694,6 +1635,17 @@ and distinguished values must be present.
 As a consequence, schema checking should be \fBoff\fP when partial
 replication is used.
 
+The
+.B network-timeout
+parameter sets how long the consumer will wait to establish a
+network connection to the provider. Once a connection is
+established, the
+.B timeout
+parameter determines how long the consumer will wait for the initial
+Bind request to complete. The defaults for these parameters come
+from 
+.BR ldap.conf (5).
+
 A
 .B bindmethod
 of 

doc/man/man5/slapo-constraint.5

@@ -31,7 +31,9 @@ directive.
 Specifies the constraint which should apply to the attribute named as
 the first parameter.
 Two types of constraint are currently supported -
-.B regex
+.B regex ,
+.B size ,
+.B count ,
 and
 .BR uri .
 
@@ -45,6 +47,12 @@ type is an LDAP URI. The URI will be evaluated using an internal search.
 It must not include a hostname, and it must include a list of attributes
 to evaluate.
 
+The 
+.B size
+type can be used to enfore a limit on an attribute length, and the
+.B count
+type limits the count of an attribute.
+
 Any attempt to add or modify an attribute named as part of the
 constraint overlay specification which does not fit the 
 constraint listed will fail with a
@@ -54,6 +62,8 @@ LDAP_CONSTRAINT_VIOLATION error.
 .RS
 .nf
 overlay constraint
+constraint_attribute jpegPhoto size 131072
+constraint_attribute userPassword count 3
 constraint_attribute mail regex ^[:alnum:]+@mydomain.com$
 constraint_attribute title uri
   ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)

doc/man/man5/slapo-dynlist.5

@@ -50,7 +50,7 @@ occurrences, and it must appear after the
 .B overlay
 directive.
 .TP
-.B dynlist-attrset <group-oc> <URL-ad> [<member-ad>]
+.B dynlist-attrset <group-oc> <URL-ad> [[<mapped-ad>:]<member-ad> ...]
 The value 
 .B <group-oc> 
 is the name of the objectClass that triggers the dynamic expansion of the
@@ -82,6 +82,15 @@ of the URI were present in the
 entry as values of the
 .B <member-ad>
 attribute.
+
+Alternatively, 
+.B <mapped-ad>:<member-ad>
+can be used to remap attributes obtained through expansion. 
+.B <member-ad>
+attributes are not filled by expanded DN, but are remapped as
+.B <mapped-ad> 
+attributes. Multiple mapping statements can be used.
+
 .LP
 The dynlist overlay may be used with any backend, but it is mainly 
 intended for use with local storage backends.
@@ -173,3 +182,5 @@ overlay supports dynamic configuration via
 .SH ACKNOWLEDGEMENTS
 .P
 This module was written in 2004 by Pierangelo Masarati for SysNet s.n.c.
+.P
+Attribute remapping was contributed in 2008 by Emmanuel Dreyfus.

doc/man/man5/slapo-refint.5

@@ -39,7 +39,7 @@ They should appear after the
 .B overlay
 directive.
 .TP
-.B refint_attributes <attribute...>
+.B refint_attributes <attribute> [...]
 Specify one or more attributes for which integrity will be maintained
 as described above.
 .TP
@@ -49,6 +49,12 @@ would otherwise be deleted from an attribute. This can be useful in cases
 where the schema requires the existence of an attribute for which referential
 integrity is enforced. The attempted deletion of a required attribute will
 otherwise result in an Object Class Violation, causing the request to fail.
+The string must be a valid DN.
+.TP
+.B refint_modifiersname <DN>
+Specify the DN to be used as the modifiersName of the internal modifications
+performed by the overlay.
+It defaults to "\fIcn=Referential Integrity Overlay\fP".
 .B
 .SH FILES
 .TP

doc/man/man5/slapo-rwm.5

@@ -427,8 +427,8 @@ This limit is overridden by setting specific per-rule limits
 with the `M{n}' flag.
 
 .SH "MAPS"
-Currently, few maps are builtin and there are no provisions for developers
-to register new map types at runtime.
+Currently, few maps are builtin but additional map types may be
+registered at runtime.
 
 Supported maps are:
 .TP
@@ -470,6 +470,20 @@ The parameter
 can be 2 or 3 to indicate the protocol version that must be used.
 The default is 3.
 
+.TP
+.B slapd <URI>
+The
+.B slapd
+map expands a value by performing an internal LDAP search.
+Its configuration is based on a mandatory URI, which must begin with
+.B "ldap:///"
+(i.e., it must be an LDAP URI and it must not specify a host).
+As with the
+LDAP map, the
+.B attrs
+portion must contain exactly one attribute, and if
+a multi-valued attribute is used, only the first value is considered.
+
 .SH "REWRITE CONFIGURATION EXAMPLES"
 .nf
 # set to `off' to disable rewriting

libraries/libldap/os-ip.c

@@ -36,6 +36,9 @@
 #ifdef HAVE_IO_H
 #include <io.h>
 #endif /* HAVE_IO_H */
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
 
 #include "ldap-int.h"
 
@@ -110,6 +113,9 @@ ldap_int_socket(LDAP *ld, int family, int type )
 {
 	ber_socket_t s = socket(family, type, 0);
 	osip_debug(ld, "ldap_new_socket: %d\n",s,0,0);
+#ifdef FD_CLOEXEC
+	fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
 	return ( s );
 }
 

libraries/libldap/os-local.c

@@ -47,6 +47,9 @@
 #ifdef HAVE_IO_H
 #include <io.h>
 #endif /* HAVE_IO_H */
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
 
 #include "ldap-int.h"
 #include "ldap_defaults.h"
@@ -89,6 +92,9 @@ ldap_pvt_socket(LDAP *ld)
 {
 	ber_socket_t s = socket(PF_LOCAL, SOCK_STREAM, 0);
 	oslocal_debug(ld, "ldap_new_socket: %d\n",s,0,0);
+#ifdef FD_CLOEXEC
+	fcntl(s, F_SETFD, FD_CLOEXEC);
+#endif
 	return ( s );
 }
 

libraries/libldap/request.c

@@ -631,6 +631,9 @@ ldap_free_connection( LDAP *ld, LDAPConn *lc, int force, int unbind )
 				} else {
 				    prevlc->lconn_next = tmplc->lconn_next;
 				}
+				if ( ld->ld_defconn == lc ) {
+					ld->ld_defconn = NULL;
+				}
 				break;
 			}
 			prevlc = tmplc;
@@ -675,6 +678,8 @@ ldap_free_connection( LDAP *ld, LDAPConn *lc, int force, int unbind )
 
 		if ( lc->lconn_sb != ld->ld_sb ) {
 			ber_sockbuf_free( lc->lconn_sb );
+		} else {
+			ber_int_sb_close( lc->lconn_sb );
 		}
 
 		if ( lc->lconn_rebind_queue != NULL) {

libraries/libldap/result.c

@@ -582,6 +582,11 @@ nextresp3:
 
 	/* id == 0 iff unsolicited notification message (RFC 4511) */
 
+	/* id < 0 is invalid, just toss it. FIXME: should we disconnect? */
+	if ( id < 0 ) {
+		goto retry_ber;
+	}
+	
 	/* if it's been abandoned, toss it */
 	if ( id > 0 ) {
 		if ( ldap_abandoned( ld, id, &idx ) ) {
@@ -602,8 +607,8 @@ nextresp3:
 			}
 
 			Debug( LDAP_DEBUG_ANY,
-				"abandoned/discarded ld %p msgid %ld message type %s\n",
-				(void *)ld, (long)id, ldap_int_msgtype2str( tag ) );
+				"abandoned/discarded ld %p msgid %d message type %s\n",
+				(void *)ld, id, ldap_int_msgtype2str( tag ) );
 
 retry_ber:
 			ber_free( ber, 1 );
@@ -629,8 +634,8 @@ retry_ber:
 			}
 
 			Debug( LDAP_DEBUG_ANY,
-				"no request for response on ld %p msgid %ld message type %s (tossing)\n",
-				(void *)ld, (long)id, msg );
+				"no request for response on ld %p msgid %d message type %s (tossing)\n",
+				(void *)ld, id, msg );
 
 			goto retry_ber;
 		}
@@ -652,8 +657,8 @@ nextresp2:
 	}
 
 	Debug( LDAP_DEBUG_TRACE,
-		"read1msg: ld %p msgid %ld message type %s\n",
-		(void *)ld, (long)lr->lr_msgid, ldap_int_msgtype2str( tag ) );
+		"read1msg: ld %p msgid %d message type %s\n",
+		(void *)ld, id, ldap_int_msgtype2str( tag ) );
 
 	if ( id == 0 ) {
 		/* unsolicited notification message (RFC 4511) */
@@ -900,8 +905,8 @@ nextresp2:
 			{
 				id = lr->lr_msgid;
 				tag = lr->lr_res_msgtype;
-				Debug( LDAP_DEBUG_TRACE, "request done: ld %p msgid %ld\n",
-					(void *)ld, (long) id, 0 );
+				Debug( LDAP_DEBUG_TRACE, "request done: ld %p msgid %d\n",
+					(void *)ld, id, 0 );
 				Debug( LDAP_DEBUG_TRACE,
 					"res_errno: %d, res_error: <%s>, "
 					"res_matched: <%s>\n",
@@ -1156,8 +1161,8 @@ nextresp2:
 		goto exit;
 	}
 
-	Debug( LDAP_DEBUG_TRACE, "adding response ld %p msgid %ld type %ld:\n",
-		(void *)ld, (long) newmsg->lm_msgid, (long) newmsg->lm_msgtype );
+	Debug( LDAP_DEBUG_TRACE, "adding response ld %p msgid %d type %ld:\n",
+		(void *)ld, newmsg->lm_msgid, (long) newmsg->lm_msgtype );
 
 	/* part of a search response - add to end of list of entries */
 	l->lm_chain_tail->lm_chain = newmsg;

libraries/libldap_r/thr_stub.c

@@ -226,6 +226,16 @@ int ldap_pvt_thread_pool_resume (
 	return(0);
 }
 
+int ldap_pvt_thread_pool_pausing( ldap_pvt_thread_pool_t *tpool )
+{
+	return(0);
+}
+
+ldap_pvt_thread_pool_pausecheck( ldap_pvt_thread_pool_t *tpool )
+{
+	return(0);
+}
+	
 void *ldap_pvt_thread_pool_context( )
 {
 	return(NULL);

servers/slapd/acl.c

@@ -2049,11 +2049,11 @@ acl_set_cb_gather( Operation *op, SlapReply *rs )
 					bvalsp = a->a_nvals;
 				}
 			}
-		}
 
-		if ( bvalsp ) {
-			p->bvals = slap_set_join( p->cookie, p->bvals,
-					( '|' | SLAP_SET_RREF ), bvalsp );
+			if ( bvalsp ) {
+				p->bvals = slap_set_join( p->cookie, p->bvals,
+						( '|' | SLAP_SET_RREF ), bvalsp );
+			}
 		}
 
 	} else {
@@ -2200,6 +2200,7 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de
 	op2.ors_attrs = anlistp;
 	op2.ors_attrsonly = 0;
 	op2.o_private = cp->asc_op->o_private;
+	op2.o_extra = cp->asc_op->o_extra;
 
 	cb.sc_private = &p;