Merge from HEAD

servers/slapd/Makefile.in

@@ -17,7 +17,6 @@ SLAPTOOLS=slapadd slapcat slapdn slapindex slappasswd slaptest slapauth slapacl
 PROGRAMS=slapd $(SLAPTOOLS)
 XPROGRAMS=sslapd libbackends.a .backend liboverlays.a
 XSRCS=version.c
-STRIP=-s
 
 SUBDIRS=back-* shell-backends slapi overlays
 
@@ -43,7 +42,7 @@ SRCS	= main.c globals.c bconfig.c config.c daemon.c \
 
 OBJS	= main.o globals.o bconfig.o config.o daemon.o \
 		connection.o search.o filter.o add.o cr.o \
-		attr.o entry.o backend.o result.o operation.o \
+		attr.o entry.o backend.o backends.o result.o operation.o \
 		dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o \
 		value.o ava.o bind.o unbind.o abandon.o filterentry.o \
 		phonetic.o acl.o str2filter.o aclparse.o init.o user.o \
@@ -62,7 +61,7 @@ LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/slapi -I.
 LDAP_LIBDIR= ../../libraries
 
 SLAP_DIR=
-SLAPD_STATIC_DEPENDS=@SLAPD_NO_STATIC@ libbackends.a
+SLAPD_STATIC_DEPENDS=@SLAPD_NO_STATIC@ libbackends.a liboverlays.a
 SLAPD_STATIC_BACKENDS=@SLAPD_STATIC_BACKENDS@
 SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BACKENDS@
 
@@ -71,7 +70,7 @@ SLAPI_LIBS=@LIBSLAPI@ @SLAPI_LIBS@
 XDEFS = $(MODULES_CPPFLAGS)
 XLDFLAGS = $(MODULES_LDFLAGS)
 
-XLIBS = $(SLAPD_STATIC_DEPENDS) liboverlays.a $(SLAPD_L)
+XLIBS = $(SLAPD_STATIC_DEPENDS) $(SLAPD_L)
 XXLIBS = $(SLAPD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS)
 XXXLIBS = $(LTHREAD_LIBS) $(SLAPI_LIBS) $(MODULES_LIBS)
 
@@ -81,12 +80,12 @@ BUILD_SRV = @BUILD_SLAPD@
 all-local-srv: all-cffiles
 
 NT_SLAPD_DEPENDS = slapd.exp
-NT_SLAPD_OBJECTS = slapd.exp symdummy.o $(OBJS) backends.o version.o
+NT_SLAPD_OBJECTS = slapd.exp symdummy.o $(OBJS) version.o
 
-UNIX_SLAPD_DEPENDS = $(SLAPD_STATIC_DEPENDS) backends.o version.o $(SLAPD_L)
-UNIX_SLAPD_OBJECTS = $(OBJS) backends.o version.o
+UNIX_SLAPD_DEPENDS = $(SLAPD_STATIC_DEPENDS) version.o $(SLAPD_L)
+UNIX_SLAPD_OBJECTS = $(OBJS) version.o
 
-SLAPD_DEPENDS = liboverlays.a $(@PLAT@_SLAPD_DEPENDS)
+SLAPD_DEPENDS = $(@PLAT@_SLAPD_DEPENDS)
 SLAPD_OBJECTS = $(@PLAT@_SLAPD_OBJECTS)
 
 # Notes about slapd for Windows
@@ -190,6 +189,13 @@ slapd.def: libbackends.a liboverlays.a version.o
 		    done; \
 		    test -z "$$obj" && continue; \
 		    ;; \
+		*.la) \
+		    if test -n "$LTSTATIC"; then \
+			    base=`expr "$$i" : ".*/\(.*\).la"`; \
+			    path=`expr "$$i" : "\(.*/\).*"`; \
+			    obj=$$path.libs/$$base.a; \
+		    fi; \
+		    ;; \
 		*.o | *.a) \
 		    obj=$$i; \
 	    esac; \
@@ -263,13 +269,16 @@ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
 		$(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done
 
 
-sslapd: version.o backends.o
-	$(LTLINK) -static -o $@ $(OBJS) version.o backends.o $(LIBS) $(WRAP_LIBS)
+sslapd: version.o
+	$(LTLINK) -static -o $@ $(OBJS) version.o $(LIBS) $(WRAP_LIBS)
 
 dummy $(SLAPD_DYNAMIC_BACKENDS): slapd
 	cd $@; $(MAKE) $(MFLAGS) all
 	@touch $@
 
+dynamic_overlays: slapd
+	cd overlays; $(MAKE) $(MFLAGS) dynamic
+
 #
 # In Windows, dynamic backends have to be built after slapd. For this
 # reason, we only build static backends now and dynamic backends later.
@@ -312,7 +321,7 @@ libbackends.a: .backend
 	@ls -l libbackends.a; echo ""
 
 liboverlays.a: FORCE
-	@cd overlays; $(MAKE) $(MFLAGS) all
+	cd overlays; $(MAKE) $(MFLAGS) static
 
 version.c: Makefile
 	@-$(RM) $@
@@ -372,7 +381,7 @@ install-slapd: FORCE
 	    fi; \
 	done
 
-all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS)
+all-cffiles: slapd $(SLAPD_DYNAMIC_BACKENDS) dynamic_overlays
 	@if test $(PLAT) = NT; then \
 	    sysconfdir=`cygpath -w $(sysconfdir) | \
 		$(SED) -e 's/\\\\/\\\\\\\\\\\\\\\\/g'`; \

servers/slapd/aclparse.c

@@ -438,8 +438,9 @@ parse_acl(
 						acl_usage();
 					}
 
-				} else if ( strcasecmp( left, "attr" ) == 0
-						|| strcasecmp( left, "attrs" ) == 0 ) {
+				} else if ( strcasecmp( left, "attr" ) == 0		/* TOLERATED */
+						|| strcasecmp( left, "attrs" ) == 0 )	/* DOCUMENTED */
+				{
 					a->acl_attrs = str2anlist( a->acl_attrs,
 						right, "," );
 					if ( a->acl_attrs == NULL ) {
@@ -464,58 +465,63 @@ parse_acl(
 						acl_usage();
 					}
 					ber_str2bv( right, 0, 1, &a->acl_attrval );
-					if ( style && strcasecmp( style, "regex" ) == 0 ) {
-						int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
-							REG_EXTENDED | REG_ICASE | REG_NOSUB );
-						if ( e ) {
-							char buf[512];
-							regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
-							fprintf( stderr, "%s: line %d: "
-								"regular expression \"%s\" bad because of %s\n",
-								fname, lineno, right, buf );
-							acl_usage();
-						}
-						a->acl_attrval_style = ACL_STYLE_REGEX;
-					} else {
-						/* FIXME: if the attribute has DN syntax, we might
-						 * allow one, subtree and children styles as well */
-						if ( !strcasecmp( style, "exact" ) ) {
-							a->acl_attrval_style = ACL_STYLE_BASE;
+					a->acl_attrval_style = ACL_STYLE_BASE;
+					if ( style != NULL ) {
+						if ( strcasecmp( style, "regex" ) == 0 ) {
+							int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+								REG_EXTENDED | REG_ICASE | REG_NOSUB );
+							if ( e ) {
+								char buf[512];
+								regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
+								fprintf( stderr, "%s: line %d: "
+									"regular expression \"%s\" bad because of %s\n",
+									fname, lineno, right, buf );
+								acl_usage();
+							}
+							a->acl_attrval_style = ACL_STYLE_REGEX;
 
-						} else if ( a->acl_attrs[0].an_desc->ad_type->
-							sat_syntax == slap_schema.si_syn_distinguishedName )
-						{
-							if ( !strcasecmp( style, "baseObject" ) ||
-								!strcasecmp( style, "base" ) )
-							{
+						} else {
+							/* FIXME: if the attribute has DN syntax, we might
+							 * allow one, subtree and children styles as well */
+							if ( !strcasecmp( style, "base" ) ||
+								!strcasecmp( style, "exact" ) ) {
 								a->acl_attrval_style = ACL_STYLE_BASE;
-							} else if ( !strcasecmp( style, "onelevel" ) ||
-								!strcasecmp( style, "one" ) )
-							{
-								a->acl_attrval_style = ACL_STYLE_ONE;
-							} else if ( !strcasecmp( style, "subtree" ) ||
-								!strcasecmp( style, "sub" ) )
+
+							} else if ( a->acl_attrs[0].an_desc->ad_type->
+								sat_syntax == slap_schema.si_syn_distinguishedName )
 							{
-								a->acl_attrval_style = ACL_STYLE_SUBTREE;
-							} else if ( !strcasecmp( style, "children" ) ) {
-								a->acl_attrval_style = ACL_STYLE_CHILDREN;
+								if ( !strcasecmp( style, "baseObject" ) ||
+									!strcasecmp( style, "base" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_BASE;
+								} else if ( !strcasecmp( style, "onelevel" ) ||
+									!strcasecmp( style, "one" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_ONE;
+								} else if ( !strcasecmp( style, "subtree" ) ||
+									!strcasecmp( style, "sub" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_SUBTREE;
+								} else if ( !strcasecmp( style, "children" ) ) {
+									a->acl_attrval_style = ACL_STYLE_CHILDREN;
+								} else {
+									fprintf( stderr, 
+										"%s: line %d: unknown val.<style> \"%s\" "
+										"for attributeType \"%s\" with DN syntax; "
+										"using \"base\"\n",
+										fname, lineno, style,
+										a->acl_attrs[0].an_desc->ad_cname.bv_val );
+									a->acl_attrval_style = ACL_STYLE_BASE;
+								}
+
 							} else {
 								fprintf( stderr, 
 									"%s: line %d: unknown val.<style> \"%s\" "
-									"for attributeType \"%s\" with DN syntax; "
-									"using \"base\"\n",
+									"for attributeType \"%s\"; using \"exact\"\n",
 									fname, lineno, style,
 									a->acl_attrs[0].an_desc->ad_cname.bv_val );
 								a->acl_attrval_style = ACL_STYLE_BASE;
 							}
-
-						} else {
-							fprintf( stderr, 
-								"%s: line %d: unknown val.<style> \"%s\" "
-								"for attributeType \"%s\"; using \"exact\"\n",
-								fname, lineno, style,
-								a->acl_attrs[0].an_desc->ad_cname.bv_val );
-							a->acl_attrval_style = ACL_STYLE_BASE;
 						}
 					}
 					
@@ -690,8 +696,12 @@ parse_acl(
 					case ACL_STYLE_REGEX:
 						fprintf( stderr, "%s: line %d: "
 							"\"regex\" style implies "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier" 
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 						break;
 
 					case ACL_STYLE_EXPAND:
@@ -700,8 +710,12 @@ parse_acl(
 						fprintf( stderr, "%s: line %d: "
 							"\"expand\" style used "
 							"in conjunction with "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier"
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 #endif
 						break;
 
@@ -847,7 +861,34 @@ parse_acl(
 						bdn->a_pat = bv;
 					}
 					bdn->a_style = sty;
-					bdn->a_expand = expand;
+					if ( expand ) {
+						char	*exp;
+						int	gotit = 0;
+
+						for ( exp = strchr( bdn->a_pat.bv_val, '$' );
+								exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
+								exp = strchr( exp, '$' ) )
+						{
+							if ( isdigit( exp[ 1 ] ) ) {
+								gotit = 1;
+								break;
+							}
+						}
+
+						if ( gotit == 1 ) {
+							bdn->a_expand = expand;
+
+						} else {
+							fprintf( stderr,
+								"%s: line %d: \"expand\" used "
+								"with no expansions in \"pattern\""
+								SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+								fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+							acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+						} 
+					}
 					if ( sty == ACL_STYLE_SELF ) {
 						bdn->a_self_level = level;
 

servers/slapd/back-bdb/attr.c

@@ -258,7 +258,7 @@ bdb_attr_index_config(
 				continue;
 			}
 			fprintf( stderr, "%s: line %d: duplicate index definition "
-				"for attr \"%s\" (ignored)\n",
+				"for attr \"%s\"" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 				fname, lineno, attrs[i] );
 
 			return LDAP_PARAM_ERROR;

servers/slapd/back-bdb/config.c

@@ -68,7 +68,7 @@ static ConfigTable bdbcfg[] = {
 		bdb_cf_gen, "( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' "
 			"DESC 'Database checkpoint interval in kbytes and minutes' "
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )",NULL, NULL },
-	{ "dbconfig", "DB_CONFIG setting", 3, 0, 0, ARG_MAGIC|BDB_CONFIG,
+	{ "dbconfig", "DB_CONFIG setting", 1, 0, 0, ARG_MAGIC|BDB_CONFIG,
 		bdb_cf_gen, "( OLcfgDbAt:1.3 NAME 'olcDbConfig' "
 			"DESC 'BerkeleyDB DB_CONFIG configuration directives' "
 			"SYNTAX OMsDirectoryString )",NULL, NULL },

servers/slapd/back-bdb/init.c

@@ -582,8 +582,10 @@ bdb_db_close( BackendDB *be )
 
 	/* close db environment */
 	if( bdb->bi_dbenv ) {
-		/* force a checkpoint */
-		if ( !( slapMode & SLAP_TOOL_QUICK )) {
+		/* force a checkpoint, but not if we were ReadOnly,
+		 * and not in Quick mode since there are no transactions there.
+		 */
+		if ( !( slapMode & ( SLAP_TOOL_QUICK|SLAP_TOOL_READONLY ))) {
 			rc = TXN_CHECKPOINT( bdb->bi_dbenv, 0, 0, DB_FORCE );
 			if( rc != 0 ) {
 				Debug( LDAP_DEBUG_ANY,

servers/slapd/back-ldap/back-ldap.h

@@ -93,14 +93,20 @@ struct ldapinfo {
 #define LDAP_BACK_F_USE_TLS		0x02U
 #define LDAP_BACK_F_PROPAGATE_TLS	0x04U
 #define LDAP_BACK_F_TLS_CRITICAL	0x08U
+#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_USE_TLS|LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
 #define LDAP_BACK_F_CHASE_REFERRALS	0x10U
 
+#define	LDAP_BACK_F_SUPPORT_T_F			0x80U
+#define	LDAP_BACK_F_SUPPORT_T_F_DISCOVER	0x40U
+
 #define LDAP_BACK_SAVECRED(li)		( (li)->flags & LDAP_BACK_F_SAVECRED )
 #define LDAP_BACK_USE_TLS(li)		( (li)->flags & LDAP_BACK_F_USE_TLS )
 #define LDAP_BACK_PROPAGATE_TLS(li)	( (li)->flags & LDAP_BACK_F_PROPAGATE_TLS )
 #define LDAP_BACK_TLS_CRITICAL(li)	( (li)->flags & LDAP_BACK_F_TLS_CRITICAL )
 #define LDAP_BACK_CHASE_REFERRALS(li)	( (li)->flags & LDAP_BACK_F_CHASE_REFERRALS )
 
+	int		version;
+
 	Avlnode		*conntree;
 
 	int		rwm_started;

servers/slapd/back-ldap/config.c

@@ -217,49 +217,37 @@ ldap_back_db_config(
 		li->url = ch_strdup( argv[ 1 ] );
 #endif
 
-	} else if ( strncasecmp( argv[0], "tls-", STRLENOF( "tls-" ) ) == 0 ) {
+	} else if ( strcasecmp( argv[0], "tls" ) == 0 ) {
+		if ( argc != 2 ) {
+			fprintf( stderr,
+		"%s: line %d: \"tls <what>\" needs 1 argument.\n",
+					fname, lineno );
+			return( 1 );
+		}
 
-		/* start tls */
-		if ( strcasecmp( argv[0], "tls-start" ) == 0 ) {
-			if ( argc != 1 ) {
-				fprintf( stderr,
-		"%s: line %d: tls-start takes no arguments\n",
-						fname, lineno );
-				return( 1 );
-			}
+		/* start */
+		if ( strcasecmp( argv[1], "start" ) == 0 ) {
 			li->flags |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
 	
 		/* try start tls */
-		} else if ( strcasecmp( argv[0], "tls-try-start" ) == 0 ) {
-			if ( argc != 1 ) {
-				fprintf( stderr,
-		"%s: line %d: tls-try-start takes no arguments\n",
-						fname, lineno );
-				return( 1 );
-			}
+		} else if ( strcasecmp( argv[1], "try-start" ) == 0 ) {
 			li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
 			li->flags |= LDAP_BACK_F_USE_TLS;
 	
 		/* propagate start tls */
-		} else if ( strcasecmp( argv[0], "tls-propagate" ) == 0 ) {
-			if ( argc != 1 ) {
-				fprintf( stderr,
-		"%s: line %d: tls-propagate takes no arguments\n",
-						fname, lineno );
-				return( 1 );
-			}
+		} else if ( strcasecmp( argv[1], "propagate" ) == 0 ) {
 			li->flags |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
 		
 		/* try start tls */
-		} else if ( strcasecmp( argv[0], "tls-try-propagate" ) == 0 ) {
-			if ( argc != 1 ) {
-				fprintf( stderr,
-		"%s: line %d: tls-try-propagate takes no arguments\n",
-						fname, lineno );
-				return( 1 );
-			}
+		} else if ( strcasecmp( argv[1], "try-propagate" ) == 0 ) {
 			li->flags &= ~LDAP_BACK_F_TLS_CRITICAL;
 			li->flags |= LDAP_BACK_F_PROPAGATE_TLS;
+
+		} else {
+			fprintf( stderr,
+		"%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
+					fname, lineno, argv[1] );
+			return( 1 );
 		}
 	
 	/* remote ACL stuff... */
@@ -291,24 +279,50 @@ ldap_back_db_config(
 		li->flags |= LDAP_BACK_F_SAVECRED;
 
 	} else if ( strcasecmp( argv[0], "chase-referrals" ) == 0 ) {
-		if ( argc != 1 ) {
+		if ( argc != 2 ) {
 			fprintf( stderr,
-	"%s: line %d: \"chase-referrals\" takes no arguments\n",
+	"%s: line %d: \"chase-referrals\" needs 1 argument.\n",
 					fname, lineno );
 			return( 1 );
 		}
 
-		li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
+		/* this is the default; we add it because the default might change... */
+		if ( strcasecmp( argv[1], "yes" ) == 0 ) {
+			li->flags |= LDAP_BACK_F_CHASE_REFERRALS;
 
-	} else if ( strcasecmp( argv[0], "dont-chase-referrals" ) == 0 ) {
-		if ( argc != 1 ) {
+		} else if ( strcasecmp( argv[1], "no" ) == 0 ) {
+			li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+
+		} else {
+			fprintf( stderr,
+		"%s: line %d: \"chase-referrals {yes|no}\": unknown argument \"%s\".\n",
+					fname, lineno, argv[1] );
+			return( 1 );
+		}
+	
+	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
+		if ( argc != 2 ) {
 			fprintf( stderr,
-	"%s: line %d: \"dont-chase-referrals\" takes no arguments\n",
+		"%s: line %d: \"t-f-support {no|yes|discover}\" needs 1 argument.\n",
 					fname, lineno );
 			return( 1 );
 		}
 
-		li->flags &= ~LDAP_BACK_F_CHASE_REFERRALS;
+		if ( strcasecmp( argv[ 1 ], "no" ) == 0 ) {
+			li->flags &= ~(LDAP_BACK_F_SUPPORT_T_F|LDAP_BACK_F_SUPPORT_T_F_DISCOVER);
+
+		} else if ( strcasecmp( argv[ 1 ], "yes" ) == 0 ) {
+			li->flags |= LDAP_BACK_F_SUPPORT_T_F;
+
+		} else if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
+			li->flags |= LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
+
+		} else {
+			fprintf( stderr,
+	"%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
+				fname, lineno, argv[ 1 ] );
+			return 1;
+		}
 
 	/* intercept exop_who_am_i? */
 	} else if ( strcasecmp( argv[0], "proxy-whoami" ) == 0 ) {
@@ -352,6 +366,7 @@ ldap_back_db_config(
 				"triggered by \"%s\" directive.\n",
 				fname, lineno, argv[ 0 ] );
 
+		/* this is the default; we add it because the default might change... */
 			li->rwm_started = 1;
 
 			return ( *be->bd_info->bi_db_config )( be, fname, lineno, argc, argv );
@@ -606,6 +621,8 @@ parse_idassert(
 		ber_bvarray_add( &li->idassert_authz, &rule );
 
 	} else if ( strcasecmp( argv[0], "idassert-method" ) == 0 ) {
+		char	*argv1;
+
 		if ( argc < 2 ) {
 			fprintf( stderr,
 	"%s: line %d: missing method in \"%s <method>\" line\n",
@@ -613,7 +630,12 @@ parse_idassert(
 			return( 1 );
 		}
 
-		if ( strcasecmp( argv[1], "none" ) == 0 ) {
+		argv1 = argv[1];
+		if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+			argv1 += STRLENOF( "bindmethod=" );
+		}
+
+		if ( strcasecmp( argv1, "none" ) == 0 ) {
 			/* FIXME: is this at all useful? */
 			li->idassert_authmethod = LDAP_AUTH_NONE;
 
@@ -623,7 +645,7 @@ parse_idassert(
 					fname, lineno, argv[0], argv[1] );
 			}
 
-		} else if ( strcasecmp( argv[1], "simple" ) == 0 ) {
+		} else if ( strcasecmp( argv1, "simple" ) == 0 ) {
 			li->idassert_authmethod = LDAP_AUTH_SIMPLE;
 
 			if ( argc != 2 ) {
@@ -632,7 +654,7 @@ parse_idassert(
 					fname, lineno, argv[0], argv[1] );
 			}
 
-		} else if ( strcasecmp( argv[1], "sasl" ) == 0 ) {
+		} else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
 #ifdef HAVE_CYRUS_SASL
 			int	arg;
 
@@ -823,6 +845,8 @@ parse_acl_auth(
 		ber_str2bv( argv[1], 0, 1, &li->acl_passwd );
 
 	} else if ( strcasecmp( argv[0], "acl-method" ) == 0 ) {
+		char	*argv1;
+
 		if ( argc < 2 ) {
 			fprintf( stderr,
 	"%s: line %d: missing method in \"%s <method>\" line\n",
@@ -830,7 +854,12 @@ parse_acl_auth(
 			return( 1 );
 		}
 
-		if ( strcasecmp( argv[1], "none" ) == 0 ) {
+		argv1 = argv[1];
+		if ( strncasecmp( argv1, "bindmethod=", STRLENOF( "bindmethod=" ) ) == 0 ) {
+			argv1 += STRLENOF( "bindmethod=" );
+		}
+
+		if ( strcasecmp( argv1, "none" ) == 0 ) {
 			/* FIXME: is this at all useful? */
 			li->acl_authmethod = LDAP_AUTH_NONE;
 
@@ -840,7 +869,7 @@ parse_acl_auth(
 					fname, lineno, argv[0], argv[1] );
 			}
 
-		} else if ( strcasecmp( argv[1], "simple" ) == 0 ) {
+		} else if ( strcasecmp( argv1, "simple" ) == 0 ) {
 			li->acl_authmethod = LDAP_AUTH_SIMPLE;
 
 			if ( argc != 2 ) {
@@ -849,7 +878,7 @@ parse_acl_auth(
 					fname, lineno, argv[0], argv[1] );
 			}
 
-		} else if ( strcasecmp( argv[1], "sasl" ) == 0 ) {
+		} else if ( strcasecmp( argv1, "sasl" ) == 0 ) {
 #ifdef HAVE_CYRUS_SASL
 			int	arg;
 

servers/slapd/back-ldap/init.c

@@ -113,6 +113,9 @@ ldap_back_db_init( Backend *be )
 	/* initialize flags */
 	li->flags = LDAP_BACK_F_CHASE_REFERRALS;
 
+	/* initialize version */
+	li->version = LDAP_VERSION3;
+
 	ldap_pvt_thread_mutex_init( &li->conn_mutex );
 
 	be->be_private = li;
@@ -175,6 +178,19 @@ ldap_back_db_open( BackendDB *be )
 	}
 #endif /* SLAPD_MONITOR */
 
+	if ( li->flags & LDAP_BACK_F_SUPPORT_T_F_DISCOVER ) {
+		int		rc;
+
+		li->flags &= ~LDAP_BACK_F_SUPPORT_T_F_DISCOVER;
+
+		rc = slap_discover_feature( li->url, li->version,
+				slap_schema.si_ad_supportedFeatures->ad_cname.bv_val,
+				LDAP_FEATURE_ABSOLUTE_FILTERS );
+		if ( rc == LDAP_COMPARE_TRUE ) {
+			li->flags |= LDAP_BACK_F_SUPPORT_T_F;
+		}
+	}
+
 	return 0;
 }
 

servers/slapd/back-ldap/search.c

@@ -41,6 +41,96 @@ ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent,
 	 struct berval *bdn, int flags );
 #define LDAP_BUILD_ENTRY_PRIVATE	0x01
 
+/*
+ * Quick'n'dirty rewrite of filter in case of error, to deal with
+ * <draft-zeilenga-ldap-t-f>.
+ */
+static int
+ldap_back_munge_filter(
+	Operation	*op,
+	struct berval	*filter )
+{
+	struct ldapinfo	*li = (struct ldapinfo *) op->o_bd->be_private;
+
+	char		*ptr;
+	int		gotit = 0;
+
+	Debug( LDAP_DEBUG_ARGS, "=> ldap_back_munge_filter \"%s\"\n",
+			filter->bv_val, 0, 0 );
+
+	for ( ptr = strstr( filter->bv_val, "(?=" ); 
+			ptr;
+			ptr = strstr( ptr, "(?=" ) )
+	{
+		static struct berval
+			bv_true = BER_BVC( "(?=true)" ),
+			bv_false = BER_BVC( "(?=false)" ),
+			bv_t = BER_BVC( "(&)" ),
+			bv_f = BER_BVC( "(|)" ),
+			bv_T = BER_BVC( "(objectClass=*)" ),