Start of new operational attribute framework

c80d93f2 · Kurt Zeilenga · 74421a28 · c80d93f2 · c80d93f2 · c80d93f2
Commit c80d93f2 authored Jan 10, 2002 by Kurt Zeilenga
--- a/libraries/liblutil/authpasswd.c
+++ b/libraries/liblutil/authpasswd.c
@@ -15,6 +15,8 @@

 #include "portable.h"

+#ifdef SLAP_AUTHPASSWD
+
 #include <stdio.h>
 #include <ac/stdlib.h>
 #include <ac/string.h>
@@ -938,3 +940,4 @@ static struct berval *hash_crypt(
 }
 #endif
 #endif
+#endif /* SLAPD_AUTHPASSWD */
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1687,6 +1687,15 @@ read_config( const char *fname )
 				return( 1 );
 			}
 			if ( strcasecmp( cargv[1], "off" ) == 0 ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					"%s: line %d: schema checking disabled! your mileage may vary!\n",
+					fname, lineno ));
+#else
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: schema checking disabled! your mileage may vary!\n",
+				    fname, lineno, 0 );
+#endif
 				global_schemacheck = 0;
 			} else {
 				global_schemacheck = 1;

--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -363,7 +363,7 @@ int main( int argc, char **argv )
 		goto destroy;
 	}

-	if ( schema_init( ) != 0 ) {
+	if ( slap_schema_init( ) != 0 ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG(( "operation", LDAP_LEVEL_CRIT,
 			   "main: schema initialization error\n" ));
@@ -394,7 +394,7 @@ int main( int argc, char **argv )
 		goto destroy;
 	}

-	if ( schema_prep( ) != 0 ) {
+	if ( slap_schema_check( ) != 0 ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG(( "operation", LDAP_LEVEL_CRIT,
 			   "main: schema prep error\n"));

--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -833,8 +833,13 @@ LDAP_SLAPD_F( int ) mods_structural_class(
 /*
 * schema_init.c
 */
-LDAP_SLAPD_F (int) schema_init LDAP_P((void));
-LDAP_SLAPD_F (int) schema_prep LDAP_P((void));
+LDAP_SLAPD_F (int) slap_schema_init LDAP_P((void));
+
+/*
+ * schema_prep.c
+ */
+LDAP_SLAPD_F (int) slap_schema_load LDAP_P((void));
+LDAP_SLAPD_F (int) slap_schema_check LDAP_P((void));

 /*
 * schemaparse.c

--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@@ -46,12 +46,20 @@ entry_schema_check(

 	*text = textbuf;

-	/* check single-valued attrs for multiple values */
+	/* misc attribute checks */
 	for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
 		/* there should be at least one value */
 		assert( a->a_vals );
 		assert( a->a_vals[0].bv_val != NULL ); 

+		if( a->a_desc->ad_type->sat_check ) {
+			int rc = (a->a_desc->ad_type->sat_check)(
+				e, a, text, textbuf, textlen );
+			if( rc != LDAP_SUCCESS ) {
+				return rc;
+			}
+		}
+
 		/* if single value type, check for multiple values */
 		if( is_at_single_value( a->a_desc->ad_type ) &&
 			a->a_vals[1].bv_val != NULL )

--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -4252,9 +4252,11 @@ static struct syntax_defs_rec {
 		UTF8StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */,
 		NULL, NULL},

+#ifdef SLAPD_AUTHPASSWD
 	/* needs updating */
 	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )",
 		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
+#endif

 	/* OpenLDAP Void Syntax */
 	{"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
@@ -4551,6 +4553,7 @@ static struct mrule_defs_rec {
 		caseExactIA5SubstringsFilter,
 		NULL},

+#ifdef SLAPD_AUTHPASSWD
 	/* needs updating */
 	{"( 1.3.6.1.4.1.4203.666.4.1 NAME 'authPasswordMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
@@ -4558,6 +4561,7 @@ static struct mrule_defs_rec {
 		NULL, NULL,
 		authPasswordMatch, NULL, NULL,
 		NULL},
+#endif

 	{"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' "
 		"SYNTAX 1.3.6.1.4.1.4203.666.2.1 )",
@@ -4584,7 +4588,7 @@ static struct mrule_defs_rec {
 };

 int
-schema_init( void )
+slap_schema_init( void )
 {
 	int		res;
 	int		i;
@@ -4606,7 +4610,7 @@ schema_init( void )
 		);

 		if ( res ) {
-			fprintf( stderr, "schema_init: Error registering syntax %s\n",
+			fprintf( stderr, "slap_schema_init: Error registering syntax %s\n",
 				 syntax_defs[i].sd_desc );
 			return LDAP_OTHER;
 		}
@@ -4615,7 +4619,7 @@ schema_init( void )
 	for ( i=0; mrule_defs[i].mrd_desc != NULL; i++ ) {
 		if( mrule_defs[i].mrd_usage == SLAP_MR_NONE ) {
 			fprintf( stderr,
-				"schema_init: Ingoring unusable matching rule %s\n",
+				"slap_schema_init: Ingoring unusable matching rule %s\n",
 				 mrule_defs[i].mrd_desc );
 			continue;
 		}
@@ -4632,13 +4636,15 @@ schema_init( void )

 		if ( res ) {
 			fprintf( stderr,
-				"schema_init: Error registering matching rule %s\n",
+				"slap_schema_init: Error registering matching rule %s\n",
 				 mrule_defs[i].mrd_desc );
 			return LDAP_OTHER;
 		}
 	}
+
+	res = slap_schema_load();
 	schema_init_done = 1;
-	return LDAP_SUCCESS;
+	return res;
 }

 void

--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -117,100 +117,255 @@ structuralObjectClassMatch(

 static struct slap_schema_oc_map {
 	char *ssom_name;
+	char *ssom_defn;
+	ObjectClassSchemaCheckFN *ssom_check;
 	size_t ssom_offset;
 } oc_map[] = {
-	{ "top", offsetof(struct slap_internal_schema, si_oc_top) },
-	{ "extensibleObject", offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
-	{ "alias", offsetof(struct slap_internal_schema, si_oc_alias) },
-	{ "referral", offsetof(struct slap_internal_schema, si_oc_referral) },
-	{ "LDAProotDSE", offsetof(struct slap_internal_schema, si_oc_rootdse) },
-	{ "subentry", offsetof(struct slap_internal_schema, si_oc_subentry) },
-	{ "subschema", offsetof(struct slap_internal_schema, si_oc_subschema) },
+	{ "top", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_top) },
+	{ "extensibleObject", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_extensibleObject) },
+	{ "alias", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_alias) },
+	{ "referral", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_referral) },
+	{ "LDAProotDSE", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_rootdse) },
+	{ "subentry", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_subentry) },
+	{ "subschema", NULL, 0,
+		offsetof(struct slap_internal_schema, si_oc_subschema) },
 	{ NULL, 0 }
 };

 static struct slap_schema_ad_map {
 	char *ssam_name;
+	char *ssam_defn;
+	AttributeTypeSchemaCheckFN *ssam_check;
 	slap_mr_match_func *ssam_match;
 	slap_mr_indexer_func *ssam_indexer;
 	slap_mr_filter_func *ssam_filter;
 	size_t ssam_offset;
 } ad_map[] = {
-	{ "objectClass",
+	{ "objectClass", "( 2.5.4.0 NAME 'objectClass' "
+			"DESC 'RFC2256: object classes of the entity' "
+			"EQUALITY objectIdentifierMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
+			NULL,
 		objectClassMatch, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_objectClass) },
-	{ "structuralObjectClass",
+	{ "structuralObjectClass", "( 2.5.21.9 NAME 'structuralObjectClass' "
+			"DESC 'X.500(93): structural object class of entry' "
+			"EQUALITY objectIdentifierMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
+			"NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation )",
+		NULL,
 		structuralObjectClassMatch, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_structuralObjectClass) },

 	/* user entry operational attributes */
-	{ "entryUUID", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_entryUUID) },
-	{ "entryCSN", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_entryCSN) },
-	{ "creatorsName", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_creatorsName) },
-	{ "createTimestamp", NULL, NULL, NULL,
+	{ "createTimestamp", "( 2.5.18.1 NAME 'createTimestamp' "
+			"DESC 'RFC2252: time which object was created' "
+			"EQUALITY generalizedTimeMatch "
+			"ORDERING generalizedTimeOrderingMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_createTimestamp) },
-	{ "modifiersName", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_modifiersName) },
-	{ "modifyTimestamp", NULL, NULL, NULL,
+	{ "modifyTimestamp", "( 2.5.18.2 NAME 'modifyTimestamp' "
+			"DESC 'RFC2252: time which object was last modified' "
+			"EQUALITY generalizedTimeMatch "
+			"ORDERING generalizedTimeOrderingMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
-	{ "hasSubordinates", NULL, NULL, NULL,
+	{ "creatorsName", "( 2.5.18.3 NAME 'creatorsName' "
+			"DESC 'RFC2252: name of creator' "
+			"EQUALITY distinguishedNameMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_creatorsName) },
+	{ "modifiersName", "( 2.5.18.4 NAME 'modifiersName' "
+			"DESC 'RFC2252: name of last modifier' "
+			"EQUALITY distinguishedNameMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_modifiersName) },
+	{ "hasSubordinates", "( 2.5.18.9 NAME 'hasSubordinates' "
+			"DESC 'X.501: entry has children' "
+			"EQUALITY booleanMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_hasSubordinates) },
-	{ "subschemaSubentry", NULL, NULL, NULL,
+	{ "subschemaSubentry", "( 2.5.18.10 NAME 'subschemaSubentry' "
+			"DESC 'RFC2252: name of controlling subschema entry' "
+			"EQUALITY distinguishedNameMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION "
+			"SINGLE-VALUE USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_subschemaSubentry) },

+	{ "entryUUID", "( 1.3.6.1.4.1.4203.666.1.6 NAME 'entryUUID' "   
+			"DESC 'LCUP/LDUP: universally unique identifier' "
+			"EQUALITY octetStringMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_entryUUID) },
+	{ "entryCSN", "( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' "
+			"DESC 'LCUP/LDUP: change sequence number' "
+			"EQUALITY octetStringMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{64} "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_entryCSN) },
+
 	/* root DSE attributes */
-	{ "namingContexts", NULL, NULL, NULL,
+	{ "namingContexts", "( 1.3.6.1.4.1.1466.101.120.5 "
+			"NAME 'namingContexts' "
+			"DESC 'RFC2252: naming contexts' "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_namingContexts) },
-	{ "supportedControl", NULL, NULL, NULL,
+	{ "supportedControl", "( 1.3.6.1.4.1.1466.101.120.13 "
+			"NAME 'supportedControl' "
+		   "DESC 'RFC2252: supported controls' "
+		   "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedControl) },
-	{ "supportedExtension", NULL, NULL, NULL,
+	{ "supportedExtension", "( 1.3.6.1.4.1.1466.101.120.7 "
+			"NAME 'supportedExtension' "
+			"DESC 'RFC2252: supported extended operations' "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedExtension) },
-	{ "supportedLDAPVersion", NULL, NULL, NULL,
+	{ "supportedLDAPVersion", "( 1.3.6.1.4.1.1466.101.120.15 "
+			"NAME 'supportedLDAPVersion' "
+			"DESC 'RFC2252: supported LDAP versions' "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedLDAPVersion) },
-	{ "supportedSASLMechanisms", NULL, NULL, NULL,
+	{ "supportedSASLMechanisms", "( 1.3.6.1.4.1.1466.101.120.14 "
+			"NAME 'supportedSASLMechanisms' "
+			"DESC 'RFC2252: supported SASL mechanisms'"
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedSASLMechanisms) },
-	{ "supportedFeatures", NULL, NULL, NULL,
+	{ "supportedFeatures", "( 1.3.6.1.4.1.4203.1.3.5 "
+			"NAME 'supportedFeatures' "
+			"DESC 'features supported by the server' "
+			"EQUALITY objectIdentifierMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
+			"USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedFeatures) },

 	/* subschema subentry attributes */
-	{ "attributeTypes", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_attributeTypes) },
-	{ "ldapSyntaxes", NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_ldapSyntaxes) },
-	{ "matchingRules", NULL, NULL, NULL,
+	{ "matchingRules", "( 2.5.21.4 NAME 'matchingRules' "
+			"DESC 'RFC2252: matching rules' "
+			"EQUALITY objectIdentifierFirstComponentMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.30 USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_matchingRules) },
-	{ "objectClasses", NULL, NULL, NULL,
+	{ "attributeTypes", "( 2.5.21.5 NAME 'attributeTypes' "
+			"DESC 'RFC2252: attribute types' "
+			"EQUALITY objectIdentifierFirstComponentMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_attributeTypes) },
+	{ "objectClasses", "( 2.5.21.6 NAME 'objectClasses' "
+			"DESC 'RFC2252: object classes' "
+			"EQUALITY objectIdentifierFirstComponentMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_objectClasses) },

+	{ "ldapSyntaxes", "( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' "
+			"DESC 'RFC2252: LDAP syntaxes' "
+			"EQUALITY objectIdentifierFirstComponentMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.54 USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_ldapSyntaxes) },
+
 	/* knowledge information */
-	{ "aliasedObjectName", NULL, NULL, NULL,
+	{ "aliasedObjectName", "( 2.5.4.1 "
+			"NAME ( 'aliasedObjectName' 'aliasedEntryName' ) "
+			"DESC 'RFC2256: name of aliased object' "
+			"EQUALITY distinguishedNameMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_aliasedObjectName) },
-	{ "ref", NULL, NULL, NULL,
+	{ "ref", "( 2.16.840.1.113730.3.1.34 NAME 'ref' "
+			"DESC 'namedref: subordinate referral URL' "
+			"EQUALITY caseExactMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
+			"USAGE distributedOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_ref) },

 	/* access control internals */
-	{ "entry", NULL, NULL, NULL,
+	{ "entry", "( 1.3.6.1.4.1.4203.1.3.1 "
+			"NAME 'entry' "
+			"DESC 'OpenLDAP ACL entry pseudo-attribute' "
+			"SYNTAX 1.3.6.1.4.1.4203.1.1.1 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_entry) },
-	{ "children", NULL, NULL, NULL,
+	{ "children", "( 1.3.6.1.4.1.4203.1.3.2 "
+			"NAME 'children' "
+			"DESC 'OpenLDAP ACL children pseudo-attribute' "
+			"SYNTAX 1.3.6.1.4.1.4203.1.1.1 "
+			"SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_children) },
 #ifdef SLAPD_ACI_ENABLED
-	{ "OpenLDAPaci", NULL, NULL, NULL,
+	{ "OpenLDAPaci", "( 1.3.6.1.4.1.4203.666.1.5 "
+			"NAME 'OpenLDAPaci' "
+			"DESC 'OpenLDAP access control information (experimental)' "
+			"EQUALITY OpenLDAPaciMatch "
+			"SYNTAX 1.3.6.1.4.1.4203.666.2.1 "
+			"USAGE directoryOperation )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_aci) },
 #endif

-	{ "userPassword", NULL, NULL, NULL,
+	/* userApplication attributes */
+	{ "name", "( 2.5.4.41 NAME 'name' "
+			"DESC 'RFC2256: common supertype of name attributes' "
+			"EQUALITY caseIgnoreMatch "
+			"SUBSTR caseIgnoreSubstringsMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_name) },
+	{ "cn", "( 2.5.4.3 NAME ( 'cn' 'commonName' ) "
+			"DESC 'RFC2256: common name(s) for which the entity is known by' "
+			"SUP name )",
+		NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_cn) },
+
+	{ "userPassword", "( 2.5.4.35 NAME 'userPassword' "
+			"DESC 'RFC2256/2307: password of user' "
+			"EQUALITY octetStringMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )",
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_userPassword) },
-	{ "authPassword", NULL, NULL, NULL,
+
+#ifdef SLAPD_AUTHPASSWD
+	{ "authPassword", NULL,
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_authPassword) },
+#endif
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	{ "krbName", NULL, NULL, NULL,
+	{ "krbName", NULL,
+		NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_krbName) },
 #endif

-	{ NULL, NULL, NULL, NULL, 0 }
+	{ NULL, NULL, NULL, NULL, NULL, NULL, 0 }
 };

 static AttributeType slap_at_undefined = {
@@ -222,6 +377,7 @@ static AttributeType slap_at_undefined = {
 	NULL, /* subtypes */
 	NULL, NULL, NULL, NULL,	/* matching rules */
 	NULL, /* syntax (this may need to be defined) */
+	(AttributeTypeSchemaCheckFN *) 0, /* schema check function */
 	NULL, /* attribute description */
 	NULL  /* next */
 	/* mutex (don't know how to initialize it :) */
@@ -250,26 +406,54 @@ static struct slap_schema_syn_map {
 };

 int
-schema_prep( void )
+slap_schema_load( void )
+{
+	return LDAP_SUCCESS;
+}
+
+int
+slap_schema_check( void )
 {
 	int i;
 	/* we should only be called once after schema_init() was called */
 	assert( schema_init_done == 1 );

-	for( i=0; oc_map[i].ssom_name; i++ ) {
-		ObjectClass ** ocp = (ObjectClass **)
-			&(((char *) &slap_schema)[oc_map[i].ssom_offset]);
+	for( i=0; syn_map[i].sssm_name; i++ ) {
+		Syntax ** synp = (Syntax **)
+			&(((char *) &slap_schema)[syn_map[i].sssm_offset]);

-		*ocp = oc_find( oc_map[i].ssom_name );
+		*synp = syn_find( syn_map[i].sssm_name );

-		if( *ocp == NULL ) {
-			fprintf( stderr,
-				"No objectClass \"%s\" defined in schema\n",
-				oc_map[i].ssom_name );
-			return LDAP_OBJECT_CLASS_VIOLATION;
+		if( *synp == NULL ) {
+			fprintf( stderr, "slap_schema_check: "
+				"No syntax \"%s\" defined in schema\n",
+				syn_map[i].sssm_name );
+			return LDAP_INVALID_SYNTAX;
 		}
 	}

+	for( i=0; mr_map[i].ssmm_name; i++ ) {
+		MatchingRule ** mrp = (MatchingRule **)
+			&(((char *) &slap_schema)[mr_map[i].ssmm_offset]);
+
+		*mrp = mr_find( mr_map[i].ssmm_name );
+
+		if( *mrp == NULL ) {
+			fprintf( stderr, "slap_schema_check: "
+				"No matching rule \"%s\" defined in schema\n",
+				mr_map[i].ssmm_name );
+			return LDAP_INAPPROPRIATE_MATCHING;
+		}
+	}
+
+	slap_at_undefined.sat_syntax = syn_find( SLAPD_OCTETSTRING_SYNTAX );
+	if( slap_at_undefined.sat_syntax == NULL ) {
+		fprintf( stderr, "slap_schema_check: "
+			"No octetString syntax \"" SLAPD_OCTETSTRING_SYNTAX "\"\n" );
+		return LDAP_INVALID_SYNTAX;
+	}
+	slap_schema.si_at_undefined = &slap_at_undefined;
+
 	for( i=0; ad_map[i].ssam_name; i++ ) {
 		int rc;
 		const char *text;
@@ -282,7 +466,7 @@ schema_prep( void )
 		rc = slap_str2ad( ad_map[i].ssam_name, adp, &text );

 		if( rc != LDAP_SUCCESS ) {
-			fprintf( stderr,
+			fprintf( stderr, "slap_schema_check: "
 				"No attribute \"%s\" defined in schema\n",
 				ad_map[i].ssam_name );
 			return rc;
@@ -294,39 +478,17 @@ schema_prep( void )
 		}
 	}

-	slap_at_undefined.sat_syntax = syn_find( SLAPD_OCTETSTRING_SYNTAX );
-	if( slap_at_undefined.sat_syntax == NULL ) {
-		fprintf( stderr,
-			"No octetString syntax \"" SLAPD_OCTETSTRING_SYNTAX "\"\n" );
-		return LDAP_INVALID_SYNTAX;
-	}
-	slap_schema.si_at_undefined = &slap_at_undefined;
-
-	for( i=0; mr_map[i].ssmm_name; i++ ) {
-		MatchingRule ** mrp = (MatchingRule **)
-			&(((char *) &slap_schema)[mr_map[i].ssmm_offset]);
-
-		*mrp = mr_find( mr_map[i].ssmm_name );
-
-		if( *mrp == NULL ) {
-			fprintf( stderr,
-				"No matching rule \"%s\" defined in schema\n",
-				mr_map[i].ssmm_name );
-			return LDAP_INAPPROPRIATE_MATCHING;
-		}
-	}
-
-	for( i=0; syn_map[i].sssm_name; i++ ) {
-		Syntax ** synp = (Syntax **)
-			&(((char *) &slap_schema)[syn_map[i].sssm_offset]);
+	for( i=0; oc_map[i].ssom_name; i++ ) {
+		ObjectClass ** ocp = (ObjectClass **)
+			&(((char *) &slap_schema)[oc_map[i].ssom_offset]);

-		*synp = syn_find( syn_map[i].sssm_name );
+		*ocp = oc_find( oc_map[i].ssom_name );

-		if( *synp == NULL ) {
-			fprintf( stderr,
-				"No syntax \"%s\" defined in schema\n",
-				syn_map[i].sssm_name );
-			return LDAP_INVALID_SYNTAX;
+		if( *ocp == NULL ) {
+			fprintf( stderr, "slap_schema_check: "
+				"No objectClass \"%s\" defined in schema\n",
+				oc_map[i].ssom_name );
+			return LDAP_OBJECT_CLASS_VIOLATION;
 		}
 	}


--- a/servers/slapd/schemaparse.c
+++ b/servers/slapd/schemaparse.c
@@ -16,7 +16,7 @@
 #include "slap.h"
 #include "ldap_schema.h"

-int	global_schemacheck = 1; /* schemacheck on is default */
+int	global_schemacheck = 1; /* schemacheck ON is default */

 static void		oc_usage(void); 
 static void		at_usage(void);

--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -409,6 +409,12 @@ typedef struct slap_matching_rule {

 struct slap_attr_desc;

+typedef int (AttributeTypeSchemaCheckFN)(
+	struct slap_entry *e,
+	struct slap_attr *attr,
+	const char** text,
+	char *textbuf, size_t textlen );
+
 typedef struct slap_attribute_type {
 	LDAPAttributeType		sat_atype;