First round of imports from HEAD

configure.in

@@ -632,7 +632,7 @@ AC_LIBTOOL_DLOPEN
 AC_PROG_LIBTOOL
 
 LTSTATIC=""
-if test -z "$LTDYNAMIC" -a "${OPENLDAP_CVS}"; then
+if test -z "$LTDYNAMIC"; then
 	LTSTATIC="-static"
 fi
 AC_SUBST(LTSTATIC)dnl

doc/man/man5/slapd.access.5

@@ -266,6 +266,12 @@ pattern, or its trailing part, after a
 exactly matches the 
 .BR domain
 pattern.
+The
+.B domain
+of the contacting host is determined by performing a DNS reverse lookup.
+As this lookup can easily be spoofed, use of the
+.B domain
+statement is strongly discouraged.  By default, reverse lookups are disabled.
 .LP
 The statement
 .B set=<pattern>

doc/man/man5/slapd.conf.5

@@ -520,8 +520,8 @@ may be used to require no conditions (useful for clearly globally
 set conditions within a particular database).
 .TP
 .B reverse-lookup on | off
-Enable/disable client name reverse lookup (default is 
-.BR on 
+Enable/disable client name unverified reverse lookup (default is 
+.BR off 
 if compiled with --enable-rlookups).
 .TP
 .B rootDSE <file>

include/portable.h.in

@@ -164,6 +164,9 @@
 /* Define if you have the getpassphrase function.  */
 #undef HAVE_GETPASSPHRASE
 
+/* Define if you have the getpeereid function.  */
+#undef HAVE_GETPEEREID
+
 /* Define if you have the getpwnam function.  */
 #undef HAVE_GETPWNAM
 
@@ -233,6 +236,9 @@
 /* Define if you have the send function.  */
 #undef HAVE_SEND
 
+/* Define if you have the sendmsg function.  */
+#undef HAVE_SENDMSG
+
 /* Define if you have the sendto function.  */
 #undef HAVE_SENDTO
 
@@ -542,6 +548,9 @@
 /* Define if you have the <sys/types.h> header file.  */
 #undef HAVE_SYS_TYPES_H
 
+/* Define if you have the <sys/ucred.h> header file.  */
+#undef HAVE_SYS_UCRED_H
+
 /* Define if you have the <sys/un.h> header file.  */
 #undef HAVE_SYS_UN_H
 
@@ -695,15 +704,6 @@
 /* define to support LAN Manager passwords */
 #undef SLAPD_LMHASH
 
-/* set to the number of arguments ctime_r() expects */
-#undef CTIME_R_NARGS
-
-/* set to the number of arguments gethostbyname_r() expects */
-#undef GETHOSTBYNAME_R_NARGS
-
-/* set to the number of arguments gethostbyaddr_r() expects */
-#undef GETHOSTBYADDR_R_NARGS
-
 /* if you have NT Threads */
 #undef HAVE_NT_THREADS
 
@@ -746,6 +746,15 @@
 /* define if you have (or want) no threads */
 #undef NO_THREADS
 
+/* set to the number of arguments ctime_r() expects */
+#undef CTIME_R_NARGS
+
+/* set to the number of arguments gethostbyname_r() expects */
+#undef GETHOSTBYNAME_R_NARGS
+
+/* set to the number of arguments gethostbyaddr_r() expects */
+#undef GETHOSTBYADDR_R_NARGS
+
 /* define if Berkeley DB has DB_THREAD support */
 #undef HAVE_BERKELEY_DB_THREAD
 
@@ -887,9 +896,6 @@
 /* define this to add syslog code */
 #undef LDAP_SYSLOG
 
-/* define this to remove -lldap cache support */
-#undef LDAP_NOCACHE
-
 /* define this for LDAP process title support */
 #undef LDAP_PROCTITLE
 

servers/slapd/Makefile.in

@@ -19,7 +19,7 @@ SRCS	= main.c daemon.c connection.c search.c filter.c add.c cr.c \
 		schemaparse.c ad.c at.c mr.c syntax.c oc.c saslauthz.c \
 		oidm.c starttls.c index.c sets.c referral.c \
 		root_dse.c sasl.c module.c suffixalias.c mra.c mods.c \
-		limits.c backglue.c operational.c matchedValues.c \
+		limits.c backglue.c operational.c matchedValues.c cancel.c \
 		$(@PLAT@_SRCS)
 
 OBJS	= main.o daemon.o connection.o search.o filter.o add.o cr.o \
@@ -32,7 +32,7 @@ OBJS	= main.o daemon.o connection.o search.o filter.o add.o cr.o \
 		schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o \
 		oidm.o starttls.o index.o sets.o referral.o \
 		root_dse.o sasl.o module.o suffixalias.o mra.o mods.o \
-		limits.o backglue.o operational.o matchedValues.o \
+		limits.o backglue.o operational.o matchedValues.o cancel.o \
 		$(@PLAT@_OBJS)
 
 LDAP_INCDIR= ../../include

servers/slapd/abandon.c

 /* abandon.c - decode and handle an ldap abandon operation */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -109,7 +109,7 @@ do_abandon(
 
 done:
 
-#if LDAP_CLIENT_UPDATE
+#ifdef LDAP_CLIENT_UPDATE
 	for ( i = 0; i < nbackends; i++ ) {
 		if ( strncmp( backends[i].be_type, "bdb", 3 ) ) continue;
 		if ( bdb_abandon( &backends[i], conn, id ) == LDAP_SUCCESS ) {

servers/slapd/acl.c

 /* acl.c - routines to parse and check acl's */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -130,6 +130,9 @@ access_allowed(
 	slap_control_t control;
 	const char *attr;
 	regmatch_t matches[MAXREMATCHES];
+	int        st_same_attr = 0;
+	int        st_initialized = 0;
+	static AccessControlState state_init = ACL_STATE_INIT;
 
 	assert( e != NULL );
 	assert( desc != NULL );
@@ -139,7 +142,7 @@ access_allowed(
 
 	assert( attr != NULL );
 
-	if( state && state->as_recorded ) { 
+	if( state && state->as_recorded && state->as_vd_ad==desc) { 
 		if( state->as_recorded & ACL_STATE_RECORDED_NV &&
 			val == NULL )
 		{
@@ -150,6 +153,9 @@ access_allowed(
 		{
 			return state->as_result;
 		}
+		st_same_attr = 1;
+	} if (state) {
+		state->as_vd_ad=desc;
 	}
 
 #ifdef NEW_LOGGING
@@ -246,7 +252,7 @@ access_allowed(
 	ret = 0;
 	control = ACL_BREAK;
 
-	if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+	if( st_same_attr ) {
 		assert( state->as_vd_acl != NULL );
 
 		a = state->as_vd_acl;
@@ -290,6 +296,18 @@ access_allowed(
 #endif
 		}
 
+		if (state) {
+			if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) {
+				Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 );
+				return state->as_result;
+			} else if (!st_initialized) {
+				Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0);
+			    *state = state_init;
+				state->as_vd_ad=desc;
+				st_initialized=1;
+			}
+		}
+
 vd_access:
 		control = acl_mask( a, &mask, be, conn, op,
 			e, desc, val, matches, count, state );
@@ -342,6 +360,9 @@ vd_access:
 
 done:
 	if( state != NULL ) {
+		/* If not value-dependent, save ACL in case of more attrs */
+		if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) )
+			state->as_vi_acl = a;
 		state->as_recorded |= ACL_STATE_RECORDED;
 		state->as_result = ret;
 	}
@@ -961,7 +982,16 @@ dn_match_cleanup:;
 		}
 
 		if ( b->a_set_pat.bv_len != 0 ) {
-			if (aci_match_set( &b->a_set_pat, be, e, conn, op, 0 ) == 0) {
+			struct berval bv;
+			char buf[ACL_BUF_SIZE];
+			if( b->a_set_style == ACL_STYLE_REGEX ){
+				bv.bv_len = sizeof(buf) - 1;
+				bv.bv_val = buf;
+				string_expand( &bv, &b->a_set_pat, e->e_ndn, matches );
+			}else{
+				bv = b->a_set_pat;
+			}
+			if (aci_match_set( &bv, be, e, conn, op, 0 ) == 0) {
 				continue;
 			}
 		}
@@ -1201,6 +1231,7 @@ acl_check_modlist(
 )
 {
 	struct berval *bv;
+	AccessControlState state = ACL_STATE_INIT;
 
 	assert( be != NULL );
 
@@ -1255,9 +1286,6 @@ acl_check_modlist(
 	}
 
 	for ( ; mlist != NULL; mlist = mlist->sml_next ) {
-		static AccessControlState state_init = ACL_STATE_INIT;
-		AccessControlState state;
-
 		/*
 		 * no-user-modification operational attributes are ignored
 		 * by ACL_WRITE checking as any found here are not provided
@@ -1276,8 +1304,6 @@ acl_check_modlist(
 			continue;
 		}
 
-		state = state_init;
-
 		switch ( mlist->sml_op ) {
 		case LDAP_MOD_REPLACE:
 			/*

servers/slapd/aclparse.c

 /* aclparse.c - routines to parse and check acl's */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -185,7 +185,7 @@ parse_acl(
 					} else if ( strcasecmp( style, "one" ) == 0 ) {
 						a->acl_dn_style = ACL_STYLE_ONE;
 						ber_str2bv( right, 0, 1, &a->acl_dn_pat );
-					} else if ( strcasecmp( style, "subtree" ) == 0 ) {
+					} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
 						a->acl_dn_style = ACL_STYLE_SUBTREE;
 						ber_str2bv( right, 0, 1, &a->acl_dn_pat );
 					} else if ( strcasecmp( style, "children" ) == 0 ) {
@@ -307,7 +307,7 @@ parse_acl(
 					sty = ACL_STYLE_BASE;
 				} else if ( strcasecmp( style, "one" ) == 0 ) {
 					sty = ACL_STYLE_ONE;
-				} else if ( strcasecmp( style, "subtree" ) == 0 ) {
+				} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
 					sty = ACL_STYLE_SUBTREE;
 				} else if ( strcasecmp( style, "children" ) == 0 ) {
 					sty = ACL_STYLE_CHILDREN;
@@ -1282,7 +1282,7 @@ acl_usage( void )
 			"\t[aci=<attrname>]\n"
 #endif
 			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
-		"<dnstyle> ::= regex | base | exact (alias of base) | one | sub | children\n"
+		"<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | children\n"
 		"<style> ::= regex | base | exact (alias of base)\n"
 		"<groupflags> ::= R\n"
 		"<access> ::= [self]{<level>|<priv>}\n"

servers/slapd/ad.c

 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 /* ad.c - routines for dealing with attribute descriptions */
@@ -18,6 +18,19 @@
 #include "ldap_pvt.h"
 #include "slap.h"
 
+typedef struct Attr_option {
+	struct berval name;	/* option name or prefix */
+	int           prefix;	/* NAME is a tag and range prefix */
+} Attr_option;
+
+static Attr_option lang_option = { { sizeof("lang-")-1, "lang-" }, 1 };
+
+/* Options sorted by name, and number of options */
+static Attr_option *options = &lang_option;
+static int option_count = 1;
+
+static Attr_option *ad_find_option_definition( const char *opt, int optlen );
+
 static int ad_keystring(
 	struct berval *bv )
 {
@@ -45,18 +58,18 @@ void ad_destroy( AttributeDescription *ad )
 	}
 }
 
-/* Is there an AttributeDescription for this type that uses this language? */
-AttributeDescription * ad_find_lang(
+/* Is there an AttributeDescription for this type that uses these tags? */
+AttributeDescription * ad_find_tags(
 	AttributeType *type,
-	struct berval *lang )
+	struct berval *tags )
 {
 	AttributeDescription *ad;
 
 	ldap_pvt_thread_mutex_lock( &type->sat_ad_mutex );
 	for (ad = type->sat_ad; ad; ad=ad->ad_next)
 	{
-		if (ad->ad_lang.bv_len == lang->bv_len &&
-			!strcasecmp(ad->ad_lang.bv_val, lang->bv_val))
+		if (ad->ad_tags.bv_len == tags->bv_len &&
+			!strcasecmp(ad->ad_tags.bv_val, tags->bv_val))
 			break;
 	}
 	ldap_pvt_thread_mutex_unlock( &type->sat_ad_mutex );
@@ -102,14 +115,14 @@ int slap_bv2ad(
 	AttributeDescription desc, *d2;
 	char *name, *options;
 	char *opt, *next;
-	int nlang;
-	int langlen;
+	int ntags;
+	int tagslen;
 
 	/* hardcoded limits for speed */
-#define MAX_LANG_OPTIONS 128
-	struct berval langs[MAX_LANG_OPTIONS+1];
-#define MAX_LANG_LEN 1024
-	char langbuf[MAX_LANG_LEN];
+#define MAX_TAGGING_OPTIONS 128
+	struct berval tags[MAX_TAGGING_OPTIONS+1];
+#define MAX_TAGS_LEN 1024
+	char tagbuf[MAX_TAGS_LEN];
 
 	assert( ad != NULL );
 	assert( *ad == NULL ); /* temporary */
@@ -147,9 +160,9 @@ int slap_bv2ad(
 	/*
 	 * parse options in place
 	 */
-	nlang = 0;
-	memset( langs, 0, sizeof( langs ));
-	langlen = 0;
+	ntags = 0;
+	memset( tags, 0, sizeof( tags ));
+	tagslen = 0;
 
 	for( opt=options; opt != NULL; opt=next ) {
 		int optlen;
@@ -178,17 +191,16 @@ int slap_bv2ad(
 			desc.ad_flags |= SLAP_DESC_BINARY;
 			continue;
 
-		} else if ( optlen >= sizeof("lang-")-1 &&
-			strncasecmp( opt, "lang-", sizeof("lang-")-1 ) == 0 )
+		} else if ( ad_find_option_definition( opt, optlen ) )
 		{
 			int i;
 
 			if( opt[optlen-1] == '-' ) {
-				desc.ad_flags |= SLAP_DESC_LANG_RANGE;
+				desc.ad_flags |= SLAP_DESC_TAG_RANGE;
 			}
 
-			if( nlang >= MAX_LANG_OPTIONS ) {
-				*text = "too many language options";
+			if( ntags >= MAX_TAGGING_OPTIONS ) {
+				*text = "too many tagging options";
 				return rtn;
 			}
 
@@ -196,38 +208,38 @@ int slap_bv2ad(
 			 * tags should be presented in sorted order,
 			 * so run the array in reverse.
 			 */
-			for( i=nlang-1; i>=0; i-- ) {
+			for( i=ntags-1; i>=0; i-- ) {
 				int rc;
 
-				rc = strncasecmp( opt, langs[i].bv_val,
-					(unsigned) optlen < langs[i].bv_len
-						? optlen : langs[i].bv_len );
+				rc = strncasecmp( opt, tags[i].bv_val,
+					(unsigned) optlen < tags[i].bv_len
+						? optlen : tags[i].bv_len );
 
-				if( rc == 0 && (unsigned)optlen == langs[i].bv_len ) {
+				if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
 					/* duplicate (ignore) */
 					goto done;
 
 				} else if ( rc > 0 ||
-					( rc == 0 && (unsigned)optlen > langs[i].bv_len ))
+					( rc == 0 && (unsigned)optlen > tags[i].bv_len ))
 				{
-					AC_MEMCPY( &langs[i+1], &langs[i],
-						(nlang-i)*sizeof(struct berval) );
-					langs[i].bv_val = opt;
-					langs[i].bv_len = optlen;
+					AC_MEMCPY( &tags[i+1], &tags[i],
+						(ntags-i)*sizeof(struct berval) );
+					tags[i].bv_val = opt;
+					tags[i].bv_len = optlen;
 					goto done;
 				}
 			}
 
-			if( nlang ) {
-				AC_MEMCPY( &langs[1], &langs[0],
-					nlang*sizeof(struct berval) );
+			if( ntags ) {
+				AC_MEMCPY( &tags[1], &tags[0],
+					ntags*sizeof(struct berval) );
 			}
-			langs[0].bv_val = opt;
-			langs[0].bv_len = optlen;
+			tags[0].bv_val = opt;
+			tags[0].bv_len = optlen;
 
 done:;
-			langlen += optlen + 1;
-			nlang++;
+			tagslen += optlen + 1;
+			ntags++;
 
 		} else {
 			*text = "unrecognized option";
@@ -235,27 +247,27 @@ done:;
 		}
 	}
 
-	if( nlang > 0 ) {
+	if( ntags > 0 ) {
 		int i;
 
-		if( langlen > MAX_LANG_LEN ) {
-			*text = "language options too long";
+		if( tagslen > MAX_TAGS_LEN ) {
+			*text = "tagging options too long";
 			return rtn;
 		}
 
-		desc.ad_lang.bv_val = langbuf;
-		langlen = 0;
+		desc.ad_tags.bv_val = tagbuf;
+		tagslen = 0;
 
-		for( i=0; i<nlang; i++ ) {
-			AC_MEMCPY( &desc.ad_lang.bv_val[langlen],
-				langs[i].bv_val, langs[i].bv_len );
+		for( i=0; i<ntags; i++ ) {
+			AC_MEMCPY( &desc.ad_tags.bv_val[tagslen],
+				tags[i].bv_val, tags[i].bv_len );
 
-			langlen += langs[i].bv_len;
-			desc.ad_lang.bv_val[langlen++] = ';';
+			tagslen += tags[i].bv_len;
+			desc.ad_tags.bv_val[tagslen++] = ';';
 		}
 
-		desc.ad_lang.bv_val[--langlen] = '\0';
-		desc.ad_lang.bv_len = langlen;
+		desc.ad_tags.bv_val[--tagslen] = '\0';
+		desc.ad_tags.bv_len = tagslen;
 	}
 
 	/* see if a matching description is already cached */
@@ -263,14 +275,14 @@ done:;
 		if( d2->ad_flags != desc.ad_flags ) {
 			continue;
 		}
-		if( d2->ad_lang.bv_len != desc.ad_lang.bv_len ) {
+		if( d2->ad_tags.bv_len != desc.ad_tags.bv_len ) {
 			continue;
 		}
-		if( d2->ad_lang.bv_len == 0 ) {
+		if( d2->ad_tags.bv_len == 0 ) {
 			break;
 		}
-		if( strncasecmp( d2->ad_lang.bv_val, desc.ad_lang.bv_val,
-			desc.ad_lang.bv_len ) == 0 )
+		if( strncasecmp( d2->ad_tags.bv_val, desc.ad_tags.bv_val,
+			desc.ad_tags.bv_len ) == 0 )
 		{
 			break;
 		}
@@ -284,12 +296,12 @@ done:;
 		for (d2 = desc.ad_type->sat_ad; d2; d2=d2->ad_next) {
 			if (d2->ad_flags != desc.ad_flags)
 				continue;
-			if (d2->ad_lang.bv_len != desc.ad_lang.bv_len)
+			if (d2->ad_tags.bv_len != desc.ad_tags.bv_len)
 				continue;
-			if (d2->ad_lang.bv_len == 0)
+			if (d2->ad_tags.bv_len == 0)
 				break;
-			if (strncasecmp(d2->ad_lang.bv_val, desc.ad_lang.bv_val,
-				desc.ad_lang.bv_len) == 0)
+			if (strncasecmp(d2->ad_tags.bv_val, desc.ad_tags.bv_val,
+				desc.ad_tags.bv_len) == 0)
 				break;
 		}
 		if (d2) {
@@ -300,44 +312,73 @@ done:;
 		/* Allocate a single contiguous block. If there are no
 		 * options, we just need space for the AttrDesc structure.
 		 * Otherwise, we need to tack on the full name length +
-		 * options length.
+		 * options length, + maybe tagging options length again.
 		 */
-		if (desc.ad_lang.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
-			dlen = desc.ad_type->sat_cname.bv_len;
-			if (desc.ad_lang.bv_len) {
-				dlen += 1+desc.ad_lang.bv_len;
+		if (desc.ad_tags.bv_len || desc.ad_flags != SLAP_DESC_NONE) {
+			dlen = desc.ad_type->sat_cname.bv_len + 1;
+			if (desc.ad_tags.bv_len) {
+				dlen += 1+desc.ad_tags.bv_len;
 			}
 			if( slap_ad_is_binary( &desc ) ) {
-				dlen += sizeof(";binary")-1;
+				dlen += sizeof(";binary")+desc.ad_tags.bv_len;
 			}
 		}
 
-		d2 = ch_malloc(sizeof(AttributeDescription) + dlen + 1);
+		d2 = ch_malloc(sizeof(AttributeDescription) + dlen);
 		d2->ad_type = desc.ad_type;
 		d2->ad_flags = desc.ad_flags;
 		d2->ad_cname.bv_len = desc.ad_type->sat_cname.bv_len;
-		d2->ad_lang.bv_len = desc.ad_lang.bv_len;
+		d2->ad_tags.bv_len = desc.ad_tags.bv_len;
 
 		if (dlen == 0) {
 			d2->ad_cname.bv_val = d2->ad_type->sat_cname.bv_val;
-			d2->ad_lang.bv_val = NULL;
+			d2->ad_tags.bv_val = NULL;
 		} else {
+			char *cp, *op, *lp;
+			int j;
 			d2->ad_cname.bv_val = (char *)(d2+1);
 			strcpy(d2->ad_cname.bv_val, d2->ad_type->sat_cname.bv_val);
+			cp = d2->ad_cname.bv_val + d2->ad_cname.bv_len;
 			if( slap_ad_is_binary( &desc ) ) {
-				strcpy(d2->ad_cname.bv_val+d2->ad_cname.bv_len,
-					";binary");
-				d2->ad_cname.bv_len += sizeof(";binary")-1;
+				op = cp;
+				lp = NULL;
+				if( desc.ad_tags.bv_len ) {
+					lp = desc.ad_tags.bv_val;
+					while( strncasecmp(lp, "binary", sizeof("binary")-1) < 0
+					       && (lp = strchr( lp, ';' )) != NULL )
+						++lp;
+					if( lp != desc.ad_tags.bv_val ) {
+						*cp++ = ';';
+						j = (lp
+						     ? lp - desc.ad_tags.bv_val - 1
+						     : strlen( desc.ad_tags.bv_val ));
+						strncpy(cp, desc.ad_tags.bv_val, j);
+						cp += j;
+					}
+				}
+				strcpy(cp, ";binary");
+				cp += sizeof(";binary")-1;
+				if( lp != NULL ) {
+					*cp++ = ';';
+					strcpy(cp, lp);
+					cp += strlen( cp );
+				}
+				d2->ad_cname.bv_len = cp - d2->ad_cname.bv_val;
+				if( desc.ad_tags.bv_len )
+					ldap_pvt_str2lower(op);
+				j = 1;
+			} else {
+				j = 0;
 			}
-			if( d2->ad_lang.bv_len ) {
-				d2->ad_cname.bv_val[d2->ad_cname.bv_len++]=';';
-				d2->ad_lang.bv_val = d2->ad_cname.bv_val+
-					d2->ad_cname.bv_len;
-				strncpy(d2->ad_lang.bv_val,desc.ad_lang.bv_val,
-					d2->ad_lang.bv_len);
-				d2->ad_lang.bv_val[d2->ad_lang.bv_len] = '\0';
-				ldap_pvt_str2lower(d2->ad_lang.bv_val);
-				d2->ad_cname.bv_len += d2->ad_lang.bv_len;
+			if( desc.ad_tags.bv_len ) {
+				lp = d2->ad_cname.bv_val + d2->ad_cname.bv_len + j;
+				if ( j == 0 )