diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 495eca4b70b100ca944f8cd5936f41f577b17087..52ea2fecd911bac1cfd18c3fc19d5c0f2d575188 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -11,10 +11,6 @@
 
 #include "slap.h"
 
-#define DNSEPARATOR(c)	(c == ',' || c == ';')
-#define SEPARATOR(c)	(c == ',' || c == ';' || c == '+')
-#define SPACE(c)	(c == ' ' || c == '\n')
-#define NEEDSESCAPE(c)	(c == '\\' || c == '"')
 #define B4TYPE		0
 #define INTYPE		1
 #define B4EQUAL		2
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index e0049038dc863b6379fe57cd14a69d61dcd67564..721c214dabf44c3e1d72aaff65ba8dc71109a88b 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -43,6 +43,11 @@
 
 #define MAXREMATCHES 10
 
+#define DNSEPARATOR(c)	((c) == ',' || (c) == ';')
+#define SEPARATOR(c)	((c) == ',' || (c) == ';' || (c) == '+')
+#define SPACE(c)	((c) == ' ' || (c) == '\n')
+#define NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')
+
 LDAP_BEGIN_DECL
 
 extern int slap_debug;
diff --git a/servers/slapd/suffixalias.c b/servers/slapd/suffixalias.c
index 06d182928142dfe925f78d787e569b44aaa11065..7fff1f617004afca743bbd51c4903c7b12d44cb6 100644
--- a/servers/slapd/suffixalias.c
+++ b/servers/slapd/suffixalias.c
@@ -1,4 +1,10 @@
 /*
+ * Copyright 1999 The OpenLDAP Foundation, All Rights Reserved.
+ *
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file in the top level
+ * directory of this package.
+ */
+/* Portions
  * Copyright (c) 1998 Will Ballantyne, ITSD, Government of BC
  * All rights reserved.
  *
@@ -18,7 +24,7 @@
 #include "slap.h"
 
 /* 
- * given a dn (or root part), return an aliased dn if any of the 
+ * given a normalized uppercased dn (or root part), return an aliased dn if any of the 
  * alias suffixes match
  */
 char *suffixAlias (char *dn, Operation *op, Backend *be)
@@ -32,18 +38,27 @@ char *suffixAlias (char *dn, Operation *op, Backend *be)
               be->be_suffixAlias != NULL && be->be_suffixAlias[i] != NULL;
               i += 2) {
                 int aliasLength = strlen (be->be_suffixAlias[i]);
-                if (aliasLength > dnLength) {
-                        continue;
-                }
+		int diff = dnLength - aliasLength;
+
+		if ( diff < 0 ) {
+			/* alias is longer than dn */
+			continue;
+		} else if ( diff > 0 ) {
+			if ( ! DNSEPARATOR(dn[diff-1]) ) {
+				/* boundary is not at a DN separator */
+				continue;
+			}
+			/* At a DN Separator */
+			/* XXX or an escaped separator... oh well */
+		}
 
-                if (!strcasecmp(be->be_suffixAlias[i], 
-				dn + (dnLength - aliasLength))) {
+		if (!strcmp(be->be_suffixAlias[i], &dn[diff])) {
                         char *oldDN = dn;
-                        dn = ch_malloc ( (dnLength - aliasLength) +
-                                          strlen (be->be_suffixAlias[ i+1 ]) + 1);
-                        strncpy (dn, oldDN, dnLength - aliasLength);
-                        strcpy  (dn + (dnLength - aliasLength), be->be_suffixAlias[ i+1 ]);
-                        Debug( LDAP_DEBUG_ARGS, "ALIAS: converted %s to %s", oldDN, dn, 0);
+			dn = ch_malloc( diff + strlen(be->be_suffixAlias[i+1]) + 1 );
+			strncpy( dn, oldDN, diff );
+			strcpy( &dn[diff], be->be_suffixAlias[i+1] );
+			Debug( LDAP_DEBUG_ARGS, "SuffixAlias: converted \"%s\" to \"%s\"",
+				oldDN, dn, 0);
                         free (oldDN);
 			break;
 		}