Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

servers/slapd/bconfig.c

@@ -535,7 +535,7 @@ static ConfigTable config_back_cf_table[] = {
 #endif
 		"( OLcfgGlAt:38 NAME 'olcPlugin' "
 			"EQUALITY caseIgnoreMatch "
-			"SYNTAX OMsDirectoryString )", NULL, NULL },
+			"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
 	{ "pluginlog", "filename", 2, 2, 0,
 #ifdef LDAP_SLAPI
 		ARG_STRING, &slapi_log_file,
@@ -1418,8 +1418,13 @@ config_generic(ConfigArgs *c) {
 		case CFG_SYNC_SUBENTRY:
 			break;
 
-		/* no-ops, requires slapd restart */
+#ifdef LDAP_SLAPI
 		case CFG_PLUGIN:
+			slapi_int_unregister_plugins(c->be, c->valx);
+			break;
+#endif
+
+		/* no-op, requires slapd restart */
 		case CFG_MODLOAD:
 			snprintf(c->log, sizeof( c->log ), "change requires slapd restart");
 			break;
@@ -2409,7 +2414,7 @@ sortval_reject:
 
 #ifdef LDAP_SLAPI
 		case CFG_PLUGIN:
-			if(slapi_int_read_config(c->be, c->fname, c->lineno, c->argc, c->argv) != LDAP_SUCCESS)
+			if(slapi_int_read_config(c->be, c->fname, c->lineno, c->argc, c->argv, c->valx) != LDAP_SUCCESS)
 				return(1);
 			slapi_plugins_used++;
 			break;
@@ -5676,6 +5681,8 @@ done:
 			overlay_destroy_one( ca->be, (slap_overinst *)ca->bi );
 		} else if ( coptr->co_type == Cft_Schema ) {
 			schema_destroy_one( ca, colst, nocs, last );
+		} else if ( ca->cleanup ) {
+			ca->cleanup( ca );
 		}
 	}
 done_noop:

servers/slapd/bind.c

@@ -60,8 +60,8 @@ do_bind(
 	if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
 		/* log authorization identity demotion */
 		Debug( LDAP_DEBUG_STATS,
-			"%s BIND anonymous mech=implicit ssf=0\n",
-			op->o_log_prefix );
+			"%s BIND anonymous mech=implicit bind_ssf=0 ssf=%d\n",
+			op->o_log_prefix, op->o_conn->c_ssf );
 	}
 	connection2anonymous( op->o_conn );
 	if ( op->o_conn->c_sasl_bind_in_progress ) {
@@ -534,9 +534,9 @@ fe_op_bind_success( Operation *op, SlapReply *rs )
 
 	/* log authorization identity */
 	Debug( LDAP_DEBUG_STATS,
-		"%s BIND dn=\"%s\" mech=%s ssf=0\n",
+		"%s BIND dn=\"%s\" mech=%s bind_ssf=0 ssf=%d\n",
 		op->o_log_prefix,
-		op->o_conn->c_dn.bv_val, op->orb_mech.bv_val );
+		op->o_conn->c_dn.bv_val, op->orb_mech.bv_val, op->o_conn->c_ssf );
 
 	Debug( LDAP_DEBUG_TRACE,
 		"do_bind: v%d bind: \"%s\" to \"%s\"\n",

servers/slapd/connection.c

@@ -1872,14 +1872,14 @@ static int connection_bind_cb( Operation *op, SlapReply *rs )
 
 			/* log authorization identity */
 			Debug( LDAP_DEBUG_STATS,
-				"%s BIND dn=\"%s\" mech=%s sasl_ssf=%d ssf=%d\n",
+				"%s BIND dn=\"%s\" mech=%s bind_ssf=%d ssf=%d\n",
 				op->o_log_prefix,
 				BER_BVISNULL( &op->o_conn->c_dn ) ? "<empty>" : op->o_conn->c_dn.bv_val,
 				op->o_conn->c_authmech.bv_val,
 				op->orb_ssf, op->o_conn->c_ssf );
 
 			Debug( LDAP_DEBUG_TRACE,
-				"do_bind: SASL/%s bind: dn=\"%s\" sasl_ssf=%d\n",
+				"do_bind: SASL/%s bind: dn=\"%s\" bind_ssf=%d\n",
 				op->o_conn->c_authmech.bv_val,
 				BER_BVISNULL( &op->o_conn->c_dn ) ? "<empty>" : op->o_conn->c_dn.bv_val,
 				op->orb_ssf );

servers/slapd/ldapsync.c

@@ -36,7 +36,8 @@ slap_compose_sync_cookie(
 	struct berval *cookie,
 	BerVarray csn,
 	int rid,
-	int sid )
+	int sid,
+	struct berval *delcsn )
 {
 	int len, numcsn = 0;
 
@@ -65,6 +66,8 @@ slap_compose_sync_cookie(
 		len = 0;
 		for ( i=0; i<numcsn; i++)
 			len += csn[i].bv_len + 1;
+		if ( delcsn && !BER_BVISEMPTY(delcsn) )
+			len += STRLENOF(",delcsn=") + delcsn->bv_len;
 
 		len += STRLENOF("rid=123,csn=");
 		if ( sid >= 0 )
@@ -83,6 +86,10 @@ slap_compose_sync_cookie(
 			*ptr++ = ';';
 		}
 		ptr--;
+		if ( delcsn && !BER_BVISEMPTY(delcsn) ) {
+			ptr = lutil_strcopy( ptr, ",delcsn=" );
+			ptr = lutil_strncopy( ptr, delcsn->bv_val, delcsn->bv_len );
+		}
 		*ptr = '\0';
 		cookie->bv_len = ptr - cookie->bv_val;
 	}
@@ -112,6 +119,11 @@ slap_sync_cookie_free(
 		BER_BVZERO( &cookie->octet_str );
 	}
 
+	if ( !BER_BVISNULL( &cookie->delcsn )) {
+		ch_free( cookie->delcsn.bv_val );
+		BER_BVZERO( &cookie->delcsn );
+	}
+
 	if ( free_cookie ) {
 		ch_free( cookie );
 	}
@@ -273,6 +285,7 @@ slap_parse_sync_cookie(
 	cookie->ctxcsn = NULL;
 	cookie->sids = NULL;
 	cookie->numcsns = 0;
+	BER_BVZERO( &cookie->delcsn );
 
 	end = cookie->octet_str.bv_val + cookie->octet_str.bv_len;
 
@@ -359,6 +372,49 @@ slap_parse_sync_cookie(
 			}
 			continue;
 		}
+		if ( !strncmp( next, "delcsn=", STRLENOF("delcsn=") )) {
+			struct berval stamp;
+
+			next += STRLENOF("delcsn=");
+			while ( next < end ) {
+				csn_str = next;
+				csn_ptr = strchr( csn_str, '#' );
+				if ( !csn_ptr || csn_ptr > end )
+					break;
+				/* ad will be NULL when called from main. we just
+				 * want to parse the rid then. But we still iterate
+				 * through the string to find the end.
+				 */
+				cval = strchr( csn_ptr, ';' );
+				if ( !cval )
+					cval = strchr(csn_ptr, ',' );
+				if ( cval )
+					stamp.bv_len = cval - csn_str;
+				else
+					stamp.bv_len = end - csn_str;
+				if ( ad ) {
+					struct berval bv;
+					stamp.bv_val = csn_str;
+					if ( ad->ad_type->sat_syntax->ssyn_validate(
+						ad->ad_type->sat_syntax, &stamp ) != LDAP_SUCCESS )
+						break;
+					if ( ad->ad_type->sat_equality->smr_normalize(
+						SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
+						ad->ad_type->sat_syntax,
+						ad->ad_type->sat_equality,
+						&stamp, &bv, memctx ) != LDAP_SUCCESS )
+						break;
+					cookie->delcsn = bv;
+				}
+				if ( cval ) {
+					next = cval + 1;
+				} else {
+					next = end;
+				}
+				break;
+			}
+			continue;
+		}
 		next++;
 	}
 	if ( cookie->numcsns ) {
@@ -411,6 +467,7 @@ slap_init_sync_cookie_ctxcsn(
 	value_add_one( &cookie->ctxcsn, &ctxcsn );
 	cookie->numcsns = 1;
 	cookie->sid = -1;
+	BER_BVZERO( &cookie->delcsn );
 
 	return 0;
 }
@@ -455,6 +512,10 @@ slap_dup_sync_cookie(
 			new->sids[i] = src->sids[i];
 	}
 
+	if ( !BER_BVISNULL( &src->delcsn )) {
+		ber_dupbv( &new->delcsn, &src->delcsn );
+	}
+
 	if ( !BER_BVISNULL( &src->octet_str )) {
 		ber_dupbv( &new->octet_str, &src->octet_str );
 	}

servers/slapd/overlays/autoca.c

@@ -724,55 +724,55 @@ static int autoca_cf( ConfigArgs *c )
 static ConfigTable autoca_cfg[] = {
 	{ "userClass", "objectclass", 2, 2, 0,
 	  ARG_STRING|ARG_MAGIC|ACA_USRCLASS, autoca_cf,
-	  "( OLcfgOvAt:22.1 NAME 'olcACAuserClass' "
+	  "( OLcfgOvAt:22.1 NAME 'olcAutoCAuserClass' "
 	  "DESC 'ObjectClass of user entries' "
 	  "EQUALITY caseIgnoreMatch "
 	  "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "serverClass", "objectclass", 2, 2, 0,
 	  ARG_STRING|ARG_MAGIC|ACA_SRVCLASS, autoca_cf,
-	  "( OLcfgOvAt:22.2 NAME 'olcACAserverClass' "
+	  "( OLcfgOvAt:22.2 NAME 'olcAutoCAserverClass' "
 	  "DESC 'ObjectClass of server entries' "
 	  "EQUALITY caseIgnoreMatch "
 	  "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "userKeybits", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_USRKEYBITS, autoca_cf,
-	  "( OLcfgOvAt:22.3 NAME 'olcACAuserKeybits' "
+	  "( OLcfgOvAt:22.3 NAME 'olcAutoCAuserKeybits' "
 	  "DESC 'Size of PrivateKey for user entries' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "serverKeybits", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_SRVKEYBITS, autoca_cf,
-	  "( OLcfgOvAt:22.4 NAME 'olcACAserverKeybits' "
+	  "( OLcfgOvAt:22.4 NAME 'olcAutoCAserverKeybits' "
 	  "DESC 'Size of PrivateKey for server entries' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "caKeybits", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_CAKEYBITS, autoca_cf,
-	  "( OLcfgOvAt:22.5 NAME 'olcACAKeybits' "
+	  "( OLcfgOvAt:22.5 NAME 'olcAutoCAKeybits' "
 	  "DESC 'Size of PrivateKey for CA certificate' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "userDays", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_USRDAYS, autoca_cf,
-	  "( OLcfgOvAt:22.6 NAME 'olcACAuserDays' "
+	  "( OLcfgOvAt:22.6 NAME 'olcAutoCAuserDays' "
 	  "DESC 'Lifetime of user certificates in days' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "serverDays", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_SRVDAYS, autoca_cf,
-	  "( OLcfgOvAt:22.7 NAME 'olcACAserverDays' "
+	  "( OLcfgOvAt:22.7 NAME 'olcAutoCAserverDays' "
 	  "DESC 'Lifetime of server certificates in days' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "caDays", "integer", 2, 2, 0,
 	  ARG_INT|ARG_MAGIC|ACA_CADAYS, autoca_cf,
-	  "( OLcfgOvAt:22.8 NAME 'olcACADays' "
+	  "( OLcfgOvAt:22.8 NAME 'olcAutoCADays' "
 	  "DESC 'Lifetime of CA certificate in days' "
 	  "EQUALITY integerMatch "
 	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
 	{ "localdn", "dn", 2, 2, 0,
 	  ARG_DN|ARG_MAGIC|ACA_LOCALDN, autoca_cf,
-	  "( OLcfgOvAt:22.9 NAME 'olcACAlocalDN' "
+	  "( OLcfgOvAt:22.9 NAME 'olcAutoCAlocalDN' "
 	  "DESC 'DN of local server cert' "
 	  "EQUALITY distinguishedNameMatch "
 	  "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
@@ -781,13 +781,13 @@ static ConfigTable autoca_cfg[] = {
 
 static ConfigOCs autoca_ocs[] = {
 	{ "( OLcfgOvOc:22.1 "
-	  "NAME 'olcACAConfig' "
+	  "NAME 'olcAutoCAConfig' "
 	  "DESC 'AutoCA configuration' "
 	  "SUP olcOverlayConfig "
-	  "MAY ( olcACAuserClass $ olcACAserverClass $ "
-	   "olcACAuserKeybits $ olcACAserverKeybits $ olcACAKeyBits $ "
-	   "olcACAuserDays $ olcACAserverDays $ olcACADays $ "
-	   "olcACAlocalDN ) )",
+	  "MAY ( olcAutoCAuserClass $ olcAutoCAserverClass $ "
+	   "olcAutoCAuserKeybits $ olcAutoCAserverKeybits $ olcAutoCAKeyBits $ "
+	   "olcAutoCAuserDays $ olcAutoCAserverDays $ olcAutoCADays $ "
+	   "olcAutoCAlocalDN ) )",
 	  Cft_Overlay, autoca_cfg },
 	{ NULL, 0, NULL }
 };

servers/slapd/overlays/dyngroup.c

@@ -123,7 +123,7 @@ static int dgroup_cf( ConfigArgs *c )
 static ConfigTable dgroupcfg[] = {
 	{ "attrpair", "member-attribute> <URL-attribute", 3, 3, 0,
 	  ARG_MAGIC, dgroup_cf,
-	  "( OLcfgOvAt:17.1 NAME 'olcDGAttrPair' "
+	  "( OLcfgOvAt:17.1 NAME ( 'olcDynGroupAttrPair' 'olcDGAttrPair' ) "
 	  "EQUALITY caseIgnoreMatch "
 	  "DESC 'Member and MemberURL attribute pair' "
 	  "SYNTAX OMsDirectoryString )", NULL, NULL },
@@ -132,10 +132,10 @@ static ConfigTable dgroupcfg[] = {
 
 static ConfigOCs dgroupocs[] = {
 	{ "( OLcfgOvOc:17.1 "
-	  "NAME 'olcDGConfig' "
+	  "NAME ( 'olcDynGroupConfig' 'olcDGConfig' ) "
 	  "DESC 'Dynamic Group configuration' "
 	  "SUP olcOverlayConfig "
-	  "MAY olcDGAttrPair )",
+	  "MAY olcDynGroupAttrPair)",
 	  Cft_Overlay, dgroupcfg },
 	{ NULL, 0, NULL }
 };

servers/slapd/overlays/dynlist.c

@@ -1398,7 +1398,7 @@ static ConfigDriver	dl_cfgen;
 static ConfigTable dlcfg[] = {
 	{ "dynlist-attrset", "group-oc> [uri] <URL-ad> <[mapped:]member-ad> [...]",
 		3, 0, 0, ARG_MAGIC|DL_ATTRSET, dl_cfgen,
-		"( OLcfgOvAt:8.1 NAME 'olcDlAttrSet' "
+		"( OLcfgOvAt:8.1 NAME ( 'olcDynListAttrSet' 'olcDlAttrSet' ) "
 			"DESC 'Dynamic list: <group objectClass>, <URL attributeDescription>, <member attributeDescription>' "
 			"EQUALITY caseIgnoreMatch "
 			"SYNTAX OMsDirectoryString "
@@ -1417,10 +1417,10 @@ static ConfigTable dlcfg[] = {
 
 static ConfigOCs dlocs[] = {
 	{ "( OLcfgOvOc:8.1 "
-		"NAME 'olcDynamicList' "
+		"NAME ( 'olcDynListConfig' 'olcDynamicList' ) "
 		"DESC 'Dynamic list configuration' "
 		"SUP olcOverlayConfig "
-		"MAY olcDLattrSet )",
+		"MAY olcDynListAttrSet )",
 		Cft_Overlay, dlcfg, NULL, NULL },
 	{ NULL, 0, NULL }
 };

servers/slapd/overlays/memberof.c

@@ -1759,7 +1759,7 @@ static ConfigTable mo_cfg[] = {
 
 static ConfigOCs mo_ocs[] = {
 	{ "( OLcfgOvOc:18.1 "
-		"NAME 'olcMemberOf' "
+		"NAME ( 'olcMemberOfConfig' 'olcMemberOf' ) "
 		"DESC 'Member-of configuration' "
 		"SUP olcOverlayConfig "
 		"MAY ( "

servers/slapd/overlays/ppolicy.c

@@ -55,6 +55,7 @@ typedef struct pp_info {
 	int use_lockout;		/* send AccountLocked result? */
 	int hash_passwords;		/* transparently hash cleartext pwds */
 	int forward_updates;	/* use frontend for policy state updates */
+	int disable_write;
 } pp_info;
 
 /* Our per-connection info - note, it is not per-instance, it is 
@@ -415,7 +416,8 @@ static ldap_pvt_thread_mutex_t chk_syntax_mutex;
 enum {
 	PPOLICY_DEFAULT = 1,
 	PPOLICY_HASH_CLEARTEXT,
-	PPOLICY_USE_LOCKOUT
+	PPOLICY_USE_LOCKOUT,
+	PPOLICY_DISABLE_WRITE,
 };
 
 static ConfigDriver ppolicy_cf_default;
@@ -448,6 +450,12 @@ static ConfigTable ppolicycfg[] = {
 	  "DESC 'Warn clients with AccountLocked' "
 	  "EQUALITY booleanMatch "
 	  "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+	{ "ppolicy_disable_write", "on|off", 1, 2, 0,
+	  ARG_ON_OFF|ARG_OFFSET|PPOLICY_DISABLE_WRITE,
+	  (void *)offsetof(pp_info,disable_write),
+	  "( OLcfgOvAt:12.5 NAME 'olcPPolicyDisableWrite' "
+	  "DESC 'Prevent all policy overlay writes' "
+	  "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
 };
 
@@ -1571,7 +1579,7 @@ done:
 	be_entry_release_r( op, e );
 
 locked:
-	if ( mod ) {
+	if ( mod && !pi->disable_write ) {
 		Operation op2 = *op;
 		SlapReply r2 = { REP_RESULT };
 		slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
@@ -1610,6 +1618,8 @@ locked:
 			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
 		}
 		rc = op2.o_bd->be_modify( &op2, &r2 );
+	}
+	if ( mod ) {
 		slap_mods_free( mod, 1 );
 	}
 
@@ -1984,6 +1994,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 	op->o_bd->bd_info = (BackendInfo *)on;
 
 	if ( rc != LDAP_SUCCESS ) return SLAP_CB_CONTINUE;
+	if ( pi->disable_write ) return SLAP_CB_CONTINUE;
 
 	/* If this is a replica, we may need to tweak some of the
 	 * master's modifications. Otherwise, just pass it through.

servers/slapd/overlays/syncprov.c

@@ -887,7 +887,8 @@ syncprov_sendresp( Operation *op, resinfo *ri, syncops *so, int mode )
 	rs.sr_flags = REP_CTRLS_MUSTBEFREED;
 	csns[0] = ri->ri_csn;
 	BER_BVZERO( &csns[1] );
-	slap_compose_sync_cookie( op, &cookie, csns, so->s_rid, slap_serverID ? slap_serverID : -1 );
+	slap_compose_sync_cookie( op, &cookie, csns, so->s_rid,
+				 slap_serverID ? slap_serverID : -1, NULL );
 
 #ifdef LDAP_DEBUG
 	if ( so->s_sid > 0 ) {
@@ -1139,7 +1140,7 @@ syncprov_qresp( opcookie *opc, syncops *so, int mode )
 		syncprov_info_t	*si = opc->son->on_bi.bi_private;
 
 		slap_compose_sync_cookie( NULL, &ri->ri_cookie, si->si_ctxcsn,
-			so->s_rid, slap_serverID ? slap_serverID : -1);
+			so->s_rid, slap_serverID ? slap_serverID : -1, NULL );
 	}
 	Debug( LDAP_DEBUG_SYNC, "%s syncprov_qresp: "
 		"set up a new syncres mode=%d csn=%s\n",
@@ -1317,15 +1318,17 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
 
 		/* Don't send ops back to the originator */
 		if ( opc->osid > 0 && opc->osid == ss->s_sid ) {
-			Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping original sid %03x\n",
-				opc->osid );
+			Debug( LDAP_DEBUG_SYNC, "%s syncprov_matchops: "
+				"skipping original sid %03x\n",
+				ss->s_op->o_log_prefix, opc->osid );
 			continue;
 		}
 
 		/* Don't send ops back to the messenger */
 		if ( opc->rsid > 0 && opc->rsid == ss->s_sid ) {
-			Debug( LDAP_DEBUG_SYNC, "syncprov_matchops: skipping relayed sid %03x\n",
-				opc->rsid );
+			Debug( LDAP_DEBUG_SYNC, "%s syncprov_matchops: "
+				"skipping relayed sid %03x\n",
+				ss->s_op->o_log_prefix, opc->rsid );
 			continue;
 		}
 
@@ -1389,8 +1392,9 @@ syncprov_matchops( Operation *op, opcookie *opc, int saveit )
 			ldap_pvt_thread_mutex_unlock( &ss->s_mutex );
 		}
 
-		Debug( LDAP_DEBUG_TRACE, "syncprov_matchops: sid %03x fscope %d rc %d\n",
-			ss->s_sid, fc.fscope, rc );
+		Debug( LDAP_DEBUG_TRACE, "%s syncprov_matchops: "
+			"sid %03x fscope %d rc %d\n",
+			ss->s_op->o_log_prefix, ss->s_sid, fc.fscope, rc );
 
 		/* check if current o_req_dn is in scope and matches filter */
 		if ( fc.fscope && rc == LDAP_COMPARE_TRUE ) {
@@ -1710,21 +1714,114 @@ playlog_cb( Operation *op, SlapReply *rs )
 	return rs->sr_err;
 }
 
-/* enter with sl->sl_mutex locked, release before returning */
-static void
-syncprov_playlog( Operation *op, SlapReply *rs, sessionlog *sl,
-	sync_control *srs, BerVarray ctxcsn, int numcsns, int *sids )
+/*
+ * Check whether the last nmods UUIDs in the uuids list exist in the database
+ * and (still) match the op filter, zero out the bv_len of any that still exist
+ * and return the number of UUIDs we have confirmed are gone now.
+ */
+static int
+check_uuidlist_presence(
+		Operation *op,
+		struct berval *uuids,
+		int len,
+		int nmods )
+{
+	slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
+	Operation fop = *op;
+	SlapReply frs = { REP_RESULT };
+	Filter mf, af;
+	AttributeAssertion eq = ATTRIBUTEASSERTION_INIT;
+	slap_callback cb = {0};
+	int i, mods = nmods;
+
+	fop.o_sync_mode = 0;
+	fop.o_callback = &cb;
+	fop.ors_limit = NULL;
+	fop.ors_tlimit = SLAP_NO_LIMIT;
+	fop.ors_attrs = slap_anlist_all_attributes;
+	fop.ors_attrsonly = 0;
+	fop.o_managedsait = SLAP_CONTROL_CRITICAL;
+
+	af.f_choice = LDAP_FILTER_AND;
+	af.f_next = NULL;
+	af.f_and = &mf;
+	mf.f_choice = LDAP_FILTER_EQUALITY;
+	mf.f_ava = &eq;
+	mf.f_av_desc = slap_schema.si_ad_entryUUID;
+	mf.f_next = fop.ors_filter;
+
+	fop.ors_filter = ⁡
+
+	cb.sc_response = playlog_cb;
+
+	fop.o_bd->bd_info = (BackendInfo *)on->on_info;
+	for ( i=0; i<nmods; i++ ) {
+		mf.f_av_value = uuids[ len - 1 - i ];
+		cb.sc_private = NULL;
+		fop.ors_slimit = 1;
+
+		if ( BER_BVISEMPTY( &mf.f_av_value ) ) {
+			mods--;
+			continue;
+		}
+
+		rs_reinit( &frs, REP_RESULT );
+		fop.o_bd->be_search( &fop, &frs );
+		if ( cb.sc_private ) {
+			uuids[ len - 1 - i ].bv_len = 0;
+			mods--;
+		}
+	}
+	fop.o_bd->bd_info = (BackendInfo *)on;
+
+	return mods;
+}
+
+static int
+syncprov_play_sessionlog( Operation *op, SlapReply *rs, sync_control *srs,
+		BerVarray ctxcsn, int numcsns, int *sids,
+		struct berval *mincsn, int minsid )
 {
 	slap_overinst		*on = (slap_overinst *)op->o_bd->bd_info;
+	syncprov_info_t *si = (syncprov_info_t *)on->on_bi.bi_private;
+	sessionlog *sl = si->si_logs;
+	int i, j, ndel, num, nmods, mmods, do_play = 0, rc = -1;
+	BerVarray uuids, csns;
+	struct berval uuid[2] = {}, csn[2] = {};
 	slog_entry *se;
-	int i, j, ndel, num, nmods, mmods;
-	char cbuf[LDAP_PVT_CSNSTR_BUFSIZE];
-	BerVarray uuids;
-	struct berval delcsn[2];
+	TAvlnode *entry;
 
+	ldap_pvt_thread_mutex_lock( &sl->sl_mutex );
+	/* Are there any log entries, and is the consumer state
+	 * present in the session log?
+	 */
 	if ( !sl->sl_num ) {
 		ldap_pvt_thread_mutex_unlock( &sl->sl_mutex );
-		return;
+		return rc;
+	}
+	assert( sl->sl_num > 0 );
+
+	for ( i=0; i<sl->sl_numcsns; i++ ) {
+		/* SID not present == new enough */
+		if ( minsid < sl->sl_sids[i] ) {
+			do_play = 1;
+			break;
+		}
+		/* SID present */
+		if ( minsid == sl->sl_sids[i] ) {
+			/* new enough? */
+			if ( ber_bvcmp( mincsn, &sl->sl_mincsn[i] ) >= 0 )
+				do_play = 1;
+			break;
+		}
+	}
+	/* SID not present == new enough */
+	if ( i == sl->sl_numcsns )
+		do_play = 1;
+
+	if ( !do_play ) {
+		ldap_pvt_thread_mutex_unlock( &sl->sl_mutex );
+		return rc;
 	}
 
 	num = sl->sl_num;
@@ -1733,20 +1830,20 @@ syncprov_playlog( Operation *op, SlapReply *rs, sessionlog *sl,
 	sl->sl_playing++;
 	ldap_pvt_thread_mutex_unlock( &sl->sl_mutex );
 
-	uuids = op->o_tmpalloc( (num+1) * sizeof( struct berval ) +
-		num * UUID_LEN, op->o_tmpmemctx );
-	uuids[0].bv_val = (char *)(uuids + num + 1);
-
-	delcsn[0].bv_len = 0;
-	delcsn[0].bv_val = cbuf;
-	BER_BVZERO(&delcsn[1]);
+	uuids = op->o_tmpalloc( (num) * sizeof( struct berval ) +
+			num * UUID_LEN, op->o_tmpmemctx );
+	uuids[0].bv_val = (char *)(uuids + num);
+	csns = op->o_tmpalloc( (num) * sizeof( struct berval ) +
+			num * LDAP_PVT_CSNSTR_BUFSIZE, op->o_tmpmemctx );
+	csns[0].bv_val = (char *)(csns + num);
 
 	/* Make a copy of the relevant UUIDs. Put the Deletes up front
 	 * and everything else at the end. Do this first so we can
 	 * unlock the list mutex.
 	 */
-	Debug( LDAP_DEBUG_SYNC, "srs csn %s\n",
-		srs->sr_state.ctxcsn[0].bv_val );
+	Debug( LDAP_DEBUG_SYNC, "%s syncprov_play_sessionlog: "
+		"sync control csn %s\n",
+		op->o_log_prefix, srs->sr_state.ctxcsn[0].bv_val );
 	for ( se=sl->sl_head; se; se=se->se_next ) {
 		int k;
 
@@ -1754,10 +1851,11 @@ syncprov_playlog( Operation *op, SlapReply *rs, sessionlog *sl,
 			char uuidstr[40];
 			lutil_uuidstr_from_normalized( se->se_uuid.bv_val, se->se_uuid.bv_len,
 				uuidstr, 40 );
-			Debug( LDAP_DEBUG_SYNC, "%s syncprov_playlog: "
+			Debug( LDAP_DEBUG_SYNC, "%s syncprov_play_sessionlog: "
 				"log entry tag=%lu uuid=%s cookie=%s\n",
 				op->o_log_prefix, se->se_tag, uuidstr, se->se_csn.bv_val );