diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index bae64808f036cd0d4b120d0e0e5382825ab61f8c..699b0696d79dd85ad7a2734629e1177fff6acd0e 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -133,6 +133,10 @@ recommended that directives be used instead. .RE .TP +.B defaultsearchbase <dn> +Specify a default search base to use when client submits a +non-base search request with an empty base DN. +.TP .B disallow <features> Specify a set of features (separated by white space) to disallow (default none). diff --git a/servers/slapd/config.c b/servers/slapd/config.c index b364a3066eca8ba6e2dd84bda481a3de0f470a25..ef8fe5e0f2630841913eaf78861b32a06588f443 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -38,6 +38,8 @@ char *global_realm = NULL; char *global_ucdata_path = NULL; char *ldap_srvtab = ""; char *default_passwd_hash; +char *default_search_base = NULL; +char *default_search_nbase = NULL; char *slapd_pid_file = NULL; char *slapd_args_file = NULL; 
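Review bot: The two globals added to config.c carry an unstated invariant that the rest of the commit depends on: the do_search hunk tests only `default_search_nbase` and then duplicates `default_search_base`, so both must be NULL or both set. A comment on the declarations would record that, for example `/* set together by read_config() via ch_strdup(); both NULL when defaultSearchBase is not configured */`. It would also tell a later maintainer that the strings are heap-owned and must be released as a pair.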
@@ -167,6 +169,47 @@ read_config( const char *fname ) ldap_pvt_thread_set_concurrency( c ); + /* default search base */ + } else if ( strcasecmp( cargv[0], "defaultSearchBase" ) == 0 ) { + if ( cargc < 2 ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "missing dn in \"defaultSearchBase <dn>\" line\n", + fname, lineno, 0 ); + return 1; + + } else if ( cargc > 2 ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "extra cruft after <dn> in \"defaultSearchBase %s\", " + "line (ignored)\n", + fname, lineno, cargv[1] ); + } + + if ( bi != NULL || be != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "defaultSearchBaase line must appear prior to " + "any backend or database definition\n", + fname, lineno, 0 ); + return 1; + } + + if ( default_search_base != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "default search base \"%s\" already defined " + "(discarding old)\n", + fname, lineno, default_search_base ); + free( default_search_base ); + } + + default_search_base = ch_strdup( cargv[1] ); + default_search_nbase = ch_strdup( cargv[1] ); + + if( dn_normalize( default_search_nbase ) == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "invalid default search base \"%s\"" + "(discarding old)\n", + fname, lineno, default_search_base ); + } + /* set maximum threads in thread pool */ } else if ( strcasecmp( cargv[0], "threads" ) == 0 ) { int c; 
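Review bot: A DN that fails `dn_normalize()` is only logged in the last added branch; the code then falls through with both globals still set, so the server keeps running and the do_search hunk would later substitute the unnormalized string for every empty search base. That branch should `return 1` like the other error branches, and its message should drop the copy-pasted "(discarding old)" text. The redefinition branch frees `default_search_base` but not `default_search_nbase`, and it calls `free()` where search.c releases `ch_strdup()` memory with `ch_free()`. The "must appear prior to" message also misspells the directive as `defaultSearchBaase`. read_config starts and ends outside the hunk.

```c
		if ( default_search_base != NULL ) {
			/* … unchanged: "already defined (discarding old)" Debug call … */
			ch_free( default_search_base );
			ch_free( default_search_nbase );
		}

		/* … unchanged: ch_strdup of cargv[1] into both globals … */

		if( dn_normalize( default_search_nbase ) == NULL ) {
			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
				"invalid default search base \"%s\"\n",
				fname, lineno, default_search_base );
			return 1;
		}
```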
@@ -359,7 +402,18 @@ read_config( const char *fname ) fname, lineno, tmp_be->be_suffix[0] ); } else { char *dn = ch_strdup( cargv[1] ); - (void) dn_validate( dn ); + if( dn_validate( dn ) == NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "suffix DN invalid \"%s\"\n", + fname, lineno, cargv[1] ); + return 1; + + } else if( *dn == '\0' && default_search_nbase != NULL ) { + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "suffix DN empty and default " + "search base provided \"%s\" (assuming okay)\n", + fname, lineno, default_search_base ); + } charray_add( &be->be_suffix, dn ); (void) ldap_pvt_str2upper( dn ); charray_add( &be->be_nsuffix, dn ); diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 11721406076c4a5360ffe757b9e2c3475aea2110..fbcb5e2510a3d079616f8db7ec587ec12de1b28f 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -776,6 +776,8 @@ LDAP_SLAPD_F (char) *global_ucdata_path; LDAP_SLAPD_F (char) *default_passwd_hash; LDAP_SLAPD_F (int) lber_debug; LDAP_SLAPD_F (int) ldap_syslog; +LDAP_SLAPD_F (char *) default_search_base; +LDAP_SLAPD_F (char *) default_search_nbase; LDAP_SLAPD_F (ldap_pvt_thread_mutex_t) num_sent_mutex; LDAP_SLAPD_F (long) num_bytes_sent; diff --git a/servers/slapd/search.c b/servers/slapd/search.c index 92e36b0ab8b7cb6919b18c4fcb61c7b36235d89e..1749dede2778a7e9418b0abac8ee0c62706a8fd7 100644 --- a/servers/slapd/search.c +++ b/servers/slapd/search.c @@ -202,6 +202,13 @@ do_search( } } + if( nbase[0] == '\0' && default_search_nbase != NULL ) { + ch_free( base ); + ch_free( nbase ); + base = ch_strdup( default_search_base ); + nbase = ch_strdup( default_search_nbase ); + } + /* * We could be serving multiple database backends. Select the * appropriate one, or send a referral to our "referral server"
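Review bot: The new `return 1` for an invalid suffix leaves the `ch_strdup()` copy in `dn` unreleased; adding `ch_free( dn );` before the return keeps the error path clean, although it probably matters little if a failed read_config aborts startup. The second added branch only logs "assuming okay" when an empty suffix coexists with a default search base. A comment there would explain the interaction, for example `/* with defaultSearchBase set, empty-base searches are rewritten in do_search() before backend selection */`. The enclosing suffix handling starts outside the hunk.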
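Review bot: The two new declarations in proto-slap.h put the pointer inside the macro argument, `LDAP_SLAPD_F (char *) default_search_base;`, while the neighbouring lines write `LDAP_SLAPD_F (char) *default_passwd_hash;`. Matching the existing form, `LDAP_SLAPD_F (char) *default_search_base;` and `LDAP_SLAPD_F (char) *default_search_nbase;`, and placing them next to `default_passwd_hash` would keep the block uniform.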
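Review bot: The substitution added to do_search tests only `nbase[0] == '\0'`, while the man page text added in this commit promises the rewrite for non-base searches only. Whether base-scope requests with an empty DN are already handled and excluded depends on code above the hunk that is not visible here. Making the condition self-contained would remove that dependency, e.g. `if( scope != LDAP_SCOPE_BASE && nbase[0] == '\0' && default_search_nbase != NULL ) {`, assuming the function's scope local is usable at this point. A short comment such as `/* rewrite an empty base before backend selection so the lookup below uses the configured default */` would record why the block sits ahead of the backend lookup. do_search starts and ends outside the hunk.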