Emily Backes · Quanah Gibson-Mount · Kurt Zeilenga · Quanah Gibson-Mount · Sergei Trofimovich · Quanah Gibson-Mount
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -1451,7 +1451,7 @@ dnssrv_free:;
 				ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
 				tool_perror( "ldap_start_tls", rc, NULL, NULL, msg, NULL );
 				ldap_memfree(msg);
-				if ( use_tls > 1 ) {
+				if ( use_tls > 1 || rc < 0 ) {
 					tool_exit( ld, EXIT_FAILURE );
 				}
 			}

--- a/configure
+++ b/configure
 #! /bin/sh
-# From configure.in Id: c4f9dbe3dd538f85d7a57f40fe1d492df83dfb4a .
+# From configure.in Id: 815a5694862ccb9f969c0fad6b60b5c9d225f1a3 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.69.
 #
@@ -854,6 +854,7 @@ BUILD_SLAPI
 BUILD_SLAPD
 BUILD_LIBS_DYNAMIC
 BUILD_THREAD
+BUILD_REWRITE
 WITH_ACI_ENABLED
 WITH_MODULES_ENABLED
 WITH_TLS
@@ -4078,7 +4079,6 @@ Backends="dnssrv \
 	meta \
 	asyncmeta \
 	monitor \
-	ndb \
 	null \
 	passwd \
 	perl \
@@ -4256,7 +4256,7 @@ if test "${enable_ndb+set}" = set; then :
 	ol_enable_ndb="$ol_arg"
  
 else
-  	ol_enable_ndb=${ol_enable_backends:-no}
+  	ol_enable_ndb=no
 fi
  
 # end --enable-ndb
@@ -5118,6 +5118,7 @@ SLAPD_LIBS=
  
 BUILD_SLAPD=no
  
+BUILD_REWRITE=no
 BUILD_THREAD=no
  
 BUILD_SLAPI=no
@@ -6956,7 +6957,7 @@ ia64-*-hpux*)
  ;;
 *-*-irix6*)
  # Find out which ABI we are using.
-  echo '#line 6959 "configure"' > conftest.$ac_ext
+  echo '#line 6960 "configure"' > conftest.$ac_ext
  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
@@ -8636,11 +8637,11 @@ else
   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8639: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8640: $lt_compile\"" >&5)
   (eval "$lt_compile" 2>conftest.err)
   ac_status=$?
   cat conftest.err >&5
-   echo "$as_me:8643: \$? = $ac_status" >&5
+   echo "$as_me:8644: \$? = $ac_status" >&5
   if (exit $ac_status) && test -s "$ac_outfile"; then
     # The compiler can only warn and ignore the option if not recognized
     # So say no if there are warnings other than the usual output.
@@ -8898,11 +8899,11 @@ else
   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8901: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8902: $lt_compile\"" >&5)
   (eval "$lt_compile" 2>conftest.err)
   ac_status=$?
   cat conftest.err >&5
-   echo "$as_me:8905: \$? = $ac_status" >&5
+   echo "$as_me:8906: \$? = $ac_status" >&5
   if (exit $ac_status) && test -s "$ac_outfile"; then
     # The compiler can only warn and ignore the option if not recognized
     # So say no if there are warnings other than the usual output.
@@ -8960,11 +8961,11 @@ else
   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
   -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
   -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:8963: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:8964: $lt_compile\"" >&5)
   (eval "$lt_compile" 2>out/conftest.err)
   ac_status=$?
   cat out/conftest.err >&5
-   echo "$as_me:8967: \$? = $ac_status" >&5
+   echo "$as_me:8968: \$? = $ac_status" >&5
   if (exit $ac_status) && test -s out/conftest2.$ac_objext
   then
     # The compiler can only warn and ignore the option if not recognized
@@ -10832,7 +10833,7 @@ else
  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
  lt_status=$lt_dlunknown
  cat > conftest.$ac_ext <<EOF
-#line 10835 "configure"
+#line 10836 "configure"
 #include "confdefs.h"
  
 #if HAVE_DLFCN_H
@@ -10930,7 +10931,7 @@ else
  lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
  lt_status=$lt_dlunknown
  cat > conftest.$ac_ext <<EOF
-#line 10933 "configure"
+#line 10934 "configure"
 #include "confdefs.h"
  
 #if HAVE_DLFCN_H
@@ -23718,6 +23719,7 @@ fi
  
  
  
+
  
  
 # Check whether --with-xxinstall was given.

--- a/configure.in
+++ b/configure.in
@@ -528,6 +528,7 @@ SLAPD_LIBS=

 BUILD_SLAPD=no

+BUILD_REWRITE=no
 BUILD_THREAD=no

 BUILD_SLAPI=no
@@ -3042,6 +3043,7 @@ AC_SUBST(WITH_SASL)
 AC_SUBST(WITH_TLS)
 AC_SUBST(WITH_MODULES_ENABLED)
 AC_SUBST(WITH_ACI_ENABLED)
+AC_SUBST(BUILD_REWRITE)
 AC_SUBST(BUILD_THREAD)
 AC_SUBST(BUILD_LIBS_DYNAMIC)


--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
+++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
@@ -12,8 +12,11 @@ CC = gcc
 OPT = -g -O2 -Wall
 #DEFS = -DSLAPD_PBKDF2_DEBUG

-INCS = $(LDAP_INC)
-LIBS = $(LDAP_LIB) -lcrypto
+SSL_INC =
+SSL_LIB = -lcrypto
+
+INCS = $(LDAP_INC) $(SSL_INC)
+LIBS = $(LDAP_LIB) $(SSL_LIB)

 PROGRAMS = pw-pbkdf2.la
 MANPAGES = slapd-pw-pbkdf2.5

--- a/contrib/slapd-modules/passwd/pbkdf2/slapo-pw-pbkdf2.5
+++ b/contrib/slapd-modules/passwd/pbkdf2/slapo-pw-pbkdf2.5
-.TH SLAPO-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.TH SLAPD-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
 .\" Copyright 2015-2020 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
-slapo-pw-pbkdf2 \- PBKDF2 password module to slapd
+slapd-pw-pbkdf2 \- PBKDF2 password module to slapd
 .SH SYNOPSIS
 ETCDIR/slapd.conf
 .RS

--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -203,14 +203,16 @@ if defined, selects what
 identities are authorized to exploit the identity assertion feature.
 The string
 .B <authz-regexp>
-follows the rules defined for the
+mostly follows the rules defined for the
 .I authzFrom
 attribute.
 See 
 .BR slapd.conf (5),
 section related to
 .BR authz\-policy ,
-for details on the syntax of this field.
+for details on the syntax of this field.  This parameter differs from
+the documented behavior in relation to the meaning of *, which in this
+case allows anonymous rather than denies.

 .HP
 .hy 0

--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -149,9 +149,17 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf )
 {
 	int rc = -1, fd;
 	struct stat st;
+	char ebuf[128];

 	fd = open( path, O_RDONLY );
-	if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
+	if ( fd < 0 ) {
+		Debug2( LDAP_DEBUG_ANY,
+			"TLS: opening `%s' failed: %s\n",
+			path,
+			AC_STRERROR_R( errno, ebuf, sizeof ebuf ));
+		return -1;
+	}
+	if ( fstat( fd, &st ) == 0 ) {
 		buf->size = st.st_size;
 		buf->data = LDAP_MALLOC( st.st_size + 1 );
 		if ( buf->data ) {
@@ -196,8 +204,21 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			ctx->cred,
 			lt->lt_cacertfile,
 			GNUTLS_X509_FMT_PEM );
-		if ( rc < 0 ) return -1;
+		if ( rc < 0 ) {
+			Debug3( LDAP_DEBUG_ANY,
+				"TLS: could not use CA certificate file `%s': %s (%d)\n",
+				lo->ldo_tls_cacertfile,
+				gnutls_strerror( rc ),
+				rc );
+			return -1;
+		} else if ( rc == 0 ) {
+			Debug1( LDAP_DEBUG_ANY,
+				"TLS: warning: no certificate loaded from CA certificate file `%s'.\n",
+				lo->ldo_tls_cacertfile );
+			/* only warn, no return */
+		}
 	}
+
 	if (lo->ldo_tls_cacert.bv_val != NULL ) {
 		gnutls_datum_t buf;
 		buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
@@ -206,7 +227,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			ctx->cred,
 			&buf,
 			GNUTLS_X509_FMT_DER );
-		if ( rc < 0 ) return -1;
+		if ( rc < 0 ) {
+			Debug2( LDAP_DEBUG_ANY,
+				"TLS: could not use CA certificate: %s (%d)\n",
+				gnutls_strerror( rc ),
+				rc );
+			return -1;
+		}
 	}

 	if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
@@ -231,12 +258,23 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 				GNUTLS_X509_FMT_DER );
 		} else {
 			rc = tlsg_getfile( lt->lt_keyfile, &buf );
-			if ( rc ) return -1;
+			if ( rc ) {
+				Debug1( LDAP_DEBUG_ANY,
+					"TLS: could not use private key file `%s`.\n",
+					lt->lt_keyfile);
+				return -1;
+			}
 			rc = gnutls_x509_privkey_import( key, &buf,
 				GNUTLS_X509_FMT_PEM );
 			LDAP_FREE( buf.data );
 		}
-		if ( rc < 0 ) return rc;
+		if ( rc < 0 ) {
+			Debug2( LDAP_DEBUG_ANY,
+				"TLS: could not use private key: %s (%d)\n",
+				gnutls_strerror( rc ),
+				rc );
+			return rc;
+		}

 		if ( lo->ldo_tls_cert.bv_val ) {
 			buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
@@ -245,12 +283,23 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 				GNUTLS_X509_FMT_DER, 0 );
 		} else {
 			rc = tlsg_getfile( lt->lt_certfile, &buf );
-			if ( rc ) return -1;
+			if ( rc ) {
+				Debug1( LDAP_DEBUG_ANY,
+					"TLS: could not use certificate file `%s`.\n",
+					lt->lt_certfile);
+				return -1;
+			}
 			rc = gnutls_x509_crt_list_import( certs, &max, &buf,
 				GNUTLS_X509_FMT_PEM, 0 );
 			LDAP_FREE( buf.data );
 		}
-		if ( rc < 0 ) return rc;
+		if ( rc < 0 ) {
+			Debug2( LDAP_DEBUG_ANY,
+				"TLS: could not use certificate: %s (%d)\n",
+				gnutls_strerror( rc ),
+				rc );
+			return rc;
+		}

 		/* If there's only one cert and it's not self-signed,
 		 * then we have to build the cert chain.
@@ -267,7 +316,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 			}
 		}
 		rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
-		if ( rc ) return -1;
+		if ( rc ) {
+			Debug2( LDAP_DEBUG_ANY,
+				"TLS: could not use certificate with key: %s (%d)\n",
+				gnutls_strerror( rc ),
+				rc );
+			return -1;
+		}
 	} else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
 		Debug0( LDAP_DEBUG_ANY,
 		       "TLS: only one of certfile and keyfile specified\n" );

--- a/libraries/libldap_r/thr_posix.c
+++ b/libraries/libldap_r/thr_posix.c
@@ -14,6 +14,8 @@
 * <http://www.OpenLDAP.org/license.html>.
 */

+#define _XOPEN_SOURCE 500	 /* For pthread_setconcurrency() on glibc */
+
 #include "portable.h"

 #if defined( HAVE_PTHREADS )

--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -1282,7 +1282,7 @@ static ConfigOCs chainocs[] = {
 		"NAME 'olcChainDatabase' "
 		"DESC 'Chain remote server configuration' "
 		"AUXILIARY )",
-		Cft_Misc, olcDatabaseDummy, chain_ldadd
+		Cft_Misc, NULL, chain_ldadd
 #ifdef SLAP_CONFIG_DELETE
 		, NULL, chain_lddel
 #endif
@@ -2318,6 +2318,12 @@ chain_initialize( void )
 	/* Make sure we don't exceed the bits reserved for userland */
 	config_check_userland( CH_LAST );

+	/* olcDatabaseDummy is defined in slapd, and Windows
+	   will not let us initialize a struct element with a data pointer
+	   from another library, so we have to initialize this element
+	   "by hand".  */
+	chainocs[1].co_table = olcDatabaseDummy;
+
 #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
 	rc = register_supported_control( LDAP_CONTROL_X_CHAINING_BEHAVIOR,
 			/* SLAP_CTRL_GLOBAL| */ SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, NULL,

--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -696,47 +696,6 @@ meta_suffixm_config(
 	return rc;
 }

-static int
-slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
-{
-	int		i;
-	BerVarray	bva = NULL;
-	char		ibuf[32], *ptr;
-	struct berval	idx;
-
-	assert( in != NULL );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
-		/* count'em */ ;
-
-	if ( i == 0 ) {
-		return 1;
-	}
-
-	idx.bv_val = ibuf;
-
-	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
-	BER_BVZERO( &bva[ 0 ] );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
-		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
-		if ( idx.bv_len >= sizeof( ibuf ) ) {
-			ber_bvarray_free( bva );
-			return 1;
-		}
-
-		bva[i].bv_len = idx.bv_len + in[i].bv_len;
-		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
-		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
-		ptr = lutil_strcopy( ptr, in[i].bv_val );
-		*ptr = '\0';
-		BER_BVZERO( &bva[ i + 1 ] );
-	}
-
-	*out = bva;
-	return 0;
-}
-
 int
 meta_subtree_free( metasubtree_t *ms )
 {

--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -81,9 +81,6 @@ static CfBackInfo cfBackInfo;
 static char	*passwd_salt;
 static FILE *logfile;
 static char	*logfileName;
-#ifdef SLAP_AUTH_REWRITE
-static BerVarray authz_rewrites;
-#endif
 static AccessControl *defacl_parsed = NULL;

 static struct berval cfdir;
@@ -333,9 +330,9 @@ static ConfigTable config_back_cf_table[] = {
 			"SUBSTR caseIgnoreSubstringsMatch "
 			"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
 				NULL, NULL },
-	{ "authid-rewrite", NULL, 2, 0, STRLENOF( "authid-rewrite" ),
+	{ "authid-rewrite", "rewrite", 2, 0, STRLENOF( "authid-rewrite" ),
 #ifdef SLAP_AUTH_REWRITE
-		ARG_MAGIC|CFG_REWRITE|ARG_NO_INSERT, &config_generic,
+		ARG_MAGIC|CFG_REWRITE, &config_generic,
 #else
 		ARG_IGNORED, NULL,
 #endif
@@ -346,7 +343,7 @@ static ConfigTable config_back_cf_table[] = {
 		&config_generic, "( OLcfgGlAt:7 NAME 'olcAuthzPolicy' "
 			"EQUALITY caseIgnoreMatch "
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-	{ "authz-regexp", "regexp> <DN", 3, 3, 0, ARG_MAGIC|CFG_AZREGEXP|ARG_NO_INSERT,
+	{ "authz-regexp", "regexp> <DN", 3, 3, 0, ARG_MAGIC|CFG_AZREGEXP,
 		&config_generic, "( OLcfgGlAt:8 NAME 'olcAuthzRegexp' "
 			"EQUALITY caseIgnoreMatch "
 			"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
@@ -1401,29 +1398,7 @@ config_generic(ConfigArgs *c) {
 #endif
 #ifdef SLAP_AUTH_REWRITE
 		case CFG_REWRITE:
-			if ( authz_rewrites ) {
-				struct berval bv, idx;
-				char ibuf[32];
-				int i;
-
-				idx.bv_val = ibuf;
-				for ( i=0; !BER_BVISNULL( &authz_rewrites[i] ); i++ ) {
-					idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
-					if ( idx.bv_len >= sizeof( ibuf ) ) {
-						ber_bvarray_free_x( c->rvalue_vals, NULL );
-						c->rvalue_vals = NULL;
-						break;
-					}
-					bv.bv_len = idx.bv_len + authz_rewrites[i].bv_len;
-					bv.bv_val = ch_malloc( bv.bv_len + 1 );
-					AC_MEMCPY( bv.bv_val, idx.bv_val, idx.bv_len );
-					AC_MEMCPY( &bv.bv_val[ idx.bv_len ],
-						authz_rewrites[i].bv_val,
-						authz_rewrites[i].bv_len + 1 );
-					ber_bvarray_add( &c->rvalue_vals, &bv );
-				}
-			}
-			if ( !c->rvalue_vals ) rc = 1;
+			rc = slap_sasl_rewrite_unparse( &c->rvalue_vals );
 			break;
 #endif
 		default:
@@ -1455,8 +1430,6 @@ config_generic(ConfigArgs *c) {
 		/* no-ops, requires slapd restart */
 		case CFG_PLUGIN:
 		case CFG_MODLOAD:
-		case CFG_AZREGEXP:
-		case CFG_REWRITE:
 			snprintf(c->log, sizeof( c->log ), "change requires slapd restart");
 			break;

@@ -1495,6 +1468,17 @@ config_generic(ConfigArgs *c) {
 			}
 			break;
 #endif /* SLAP_AUXPROP_DONTUSECOPY */
+
+		case CFG_AZREGEXP:
+			rc = slap_sasl_regexp_delete( c->valx );
+			break;
+
+#ifdef SLAP_AUTH_REWRITE
+		case CFG_REWRITE:
+			rc = slap_sasl_rewrite_delete( c->valx );
+			break;
+#endif /* SLAP_AUTH_REWRITE */
+
 		case CFG_SALT:
 			ch_free( passwd_salt );
 			passwd_salt = NULL;
@@ -1884,7 +1868,7 @@ config_generic(ConfigArgs *c) {
 			break;
 		
 		case CFG_AZREGEXP:
-			if (slap_sasl_regexp_config( c->argv[1], c->argv[2] ))
+			if (slap_sasl_regexp_config( c->argv[1], c->argv[2], c->valx ))
 				return(1);
 			break;
 				
@@ -2444,36 +2428,13 @@ sortval_reject:

 #ifdef SLAP_AUTH_REWRITE
 		case CFG_REWRITE: {
-			struct berval bv;
-			char *line;
-			int rc = 0;
+			int rc;

 			if ( c->op == LDAP_MOD_ADD ) {
 				c->argv++;
 				c->argc--;
 			}
-			if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
-				rc = 1;
-			if ( rc == 0 ) {
-
-				if ( c->argc > 1 ) {
-					char	*s;
-
-					/* quote all args but the first */
-					line = ldap_charray2str( c->argv, "\" \"" );
-					ber_str2bv( line, 0, 0, &bv );
-					s = ber_bvchr( &bv, '"' );
-					assert( s != NULL );
-					/* move the trailing quote of argv[0] to the end */
-					AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
-					bv.bv_val[ bv.bv_len - 1 ] = '"';
-
-				} else {
-					ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
-				}
-
-				ber_bvarray_add( &authz_rewrites, &bv );
-			}
+			rc = slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv, c->valx);
 			if ( c->op == LDAP_MOD_ADD ) {
 				c->argv--;
 				c->argc++;
@@ -3988,6 +3949,47 @@ anlist_unparse( AttributeName *an, char *ptr, ber_len_t buflen ) {
 	return ptr;
 }

+int
+slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
+{
+	int		i;
+	BerVarray	bva = NULL;
+	char		ibuf[32], *ptr;
+	struct berval	idx;
+
+	assert( in != NULL );
+
+	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
+		/* count'em */ ;
+
+	if ( i == 0 ) {
+		return 1;
+	}
+
+	idx.bv_val = ibuf;
+
+	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
+	BER_BVZERO( &bva[ 0 ] );
+
+	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
+		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
+		if ( idx.bv_len >= sizeof( ibuf ) ) {
+			ber_bvarray_free( bva );
+			return 1;
+		}
+
+		bva[i].bv_len = idx.bv_len + in[i].bv_len;
+		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
+		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
+		ptr = lutil_strcopy( ptr, in[i].bv_val );
+		*ptr = '\0';
+		BER_BVZERO( &bva[ i + 1 ] );
+	}
+
+	*out = bva;
+	return 0;
+}
+
 static int
 config_updatedn(ConfigArgs *c) {
 	if (c->op == SLAP_CONFIG_EMIT) {

--- a/servers/slapd/overlays/pcache.c
+++ b/servers/slapd/overlays/pcache.c
@@ -3752,7 +3752,8 @@ static ConfigOCs pcocs[] = {
 	{ "( OLcfgOvOc:2.2 "
 		"NAME 'olcPcacheDatabase' "
 		"DESC 'Cache database configuration' "
-		"AUXILIARY )", Cft_Misc, olcDatabaseDummy, pc_ldadd },
+		/* co_table is initialized in pcache_initialize */
+		"AUXILIARY )", Cft_Misc, NULL, pc_ldadd },
 	{ NULL, 0, NULL }
 };

@@ -5669,6 +5670,13 @@ pcache_initialize()
 	ConfigArgs c;
 	char *argv[ 4 ];

+        /* olcDatabaseDummy is defined in slapd, and Windows
+           will not let us initialize a struct element with a data pointer
+           from another library, so we have to initialize this element
+           "by hand".  */
+        pcocs[1].co_table = olcDatabaseDummy;
+
+
 	code = slap_loglevel_get( &debugbv, &pcache_debug );
 	if ( code ) {
 		return code;

--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@@ -1968,46 +1968,6 @@ static ConfigOCs rwmocs[] = {
 	{ NULL, 0, NULL }
 };

-static void
-slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
-{
-	int		i;
-	BerVarray	bva = NULL;
-	char		ibuf[32], *ptr;
-	struct berval	idx;
-
-	assert( in != NULL );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
-		/* count'em */ ;
-
-	if ( i == 0 ) {
-		return;
-	}
-
-	idx.bv_val = ibuf;
-
-	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
-	BER_BVZERO( &bva[ 0 ] );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
-		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), "{%d}", i );
-		if ( idx.bv_len >= sizeof( ibuf ) ) {
-			ber_bvarray_free( bva );
-			return;
-		}
-
-		bva[i].bv_len = idx.bv_len + in[i].bv_len;
-		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
-		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
-		ptr = lutil_strcopy( ptr, in[i].bv_val );
-		*ptr = '\0';
-		BER_BVZERO( &bva[ i + 1 ] );
-	}
-
-	*out = bva;
-}
-
 static int
 rwm_bva_add(
 	BerVarray		*bva,
@@ -2108,10 +2068,7 @@ rwm_cf_gen( ConfigArgs *c )
 				rc = 1;

 			} else {
-				slap_bv_x_ordered_unparse( rwmap->rwm_bva_rewrite, &c->rvalue_vals );
-				if ( !c->rvalue_vals ) {
-					rc = 1;
-				}
+				rc = slap_bv_x_ordered_unparse( rwmap->rwm_bva_rewrite, &c->rvalue_vals );
 			}
 			break;


--- a/servers/slapd/overlays/translucent.c
+++ b/servers/slapd/overlays/translucent.c
@@ -113,7 +113,8 @@ static ConfigOCs translucentocs[] = {
 	{ "( OLcfgOvOc:14.2 "
 	  "NAME 'olcTranslucentDatabase' "
 	  "DESC 'Translucent target database configuration' "
-	  "AUXILIARY )", Cft_Misc, olcDatabaseDummy, translucent_ldadd },
+	/* co_table is initialized in translucent_initialize() */
+	  "AUXILIARY )", Cft_Misc, NULL, translucent_ldadd },
 	{ NULL, 0, NULL }
 };
 /* for translucent_init() */
@@ -1388,6 +1389,12 @@ int translucent_initialize() {

 	int rc;

+	/* olcDatabaseDummy is defined in slapd, and Windows
+	   will not let us initialize a struct element with a data pointer
+	   from another library, so we have to initialize this element
+	   "by hand".  */
+	translucentocs[1].co_table = olcDatabaseDummy;
+
 	Debug(LDAP_DEBUG_TRACE, "==> translucent_initialize\n" );

 	translucent.on_bi.bi_type	= "translucent";

--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -760,6 +760,7 @@ LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ))
 LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
 	const char *fname, int lineno, int argc, char **argv ));
 LDAP_SLAPD_F (char *) anlist_unparse LDAP_P(( AttributeName *, char *, ber_len_t buflen ));
+LDAP_SLAPD_F (int) slap_bv_x_ordered_unparse LDAP_P(( BerVarray in, BerVarray *out ));
 LDAP_SLAPD_F (int) slap_keepalive_parse( struct berval *val, void *bc,
 	slap_cf_aux_table *tab0, const char *tabmsg, int unparse );

@@ -1714,7 +1715,7 @@ LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
 	struct berval *authcid,
 	struct berval *authzid ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
-	const char *match, const char *replace ));
+	const char *match, const char *replace, int valx ));
 LDAP_SLAPD_F (void) slap_sasl_regexp_unparse LDAP_P(( BerVarray *bva ));
 LDAP_SLAPD_F (int) slap_sasl_setpolicy LDAP_P(( const char * ));
 LDAP_SLAPD_F (const char *) slap_sasl_getpolicy LDAP_P(( void ));
@@ -1723,9 +1724,13 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
 	const char *fname,
 	int lineno,
 	int argc, 
-	char **argv ));
-LDAP_SLAPD_F (void) slap_sasl_regexp_destroy LDAP_P(( void ));
+	char **argv,
+	int valx ));
+LDAP_SLAPD_F (int) slap_sasl_rewrite_delete LDAP_P(( int valx ));
+LDAP_SLAPD_F (int) slap_sasl_rewrite_unparse LDAP_P(( BerVarray *bva ));
 #endif /* SLAP_AUTH_REWRITE */
+LDAP_SLAPD_F (void) slap_sasl_regexp_destroy LDAP_P(( void ));
+LDAP_SLAPD_F (int) slap_sasl_regexp_delete LDAP_P(( int valx ));
 LDAP_SLAPD_F (int) authzValidate LDAP_P((
 	Syntax *syn, struct berval *in ));
 #if 0

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -28,6 +28,7 @@
 #include "slap.h"

 #include "lutil.h"
+#include "config.h"

 #define SASLREGEX_REPLACE 10

@@ -68,9 +69,11 @@

 typedef struct sasl_regexp {
  char *sr_match;						/* regexp match pattern */
-  char *sr_replace; 					/* regexp replace pattern */
+  char *sr_replace;					/* regexp replace pattern */
+#ifndef SLAP_AUTH_REWRITE
  regex_t sr_workspace;					/* workspace for regexp engine */
  int sr_offset[SASLREGEX_REPLACE+2];	/* offsets of $1,$2... in *replace */
+#endif
 } SaslRegexp_t;

 static int nSaslRegexp = 0;
@@ -80,6 +83,7 @@ static SaslRegexp_t *SaslRegexp = NULL;
 #include "rewrite.h"
 struct rewrite_info	*sasl_rwinfo = NULL;
 #define AUTHID_CONTEXT	"authid"
+static BerVarray	authz_rewrites = NULL;
 #endif /* SLAP_AUTH_REWRITE */

 /* What SASL proxy authorization policies are allowed? */
@@ -1279,7 +1283,7 @@ static int slap_sasl_rx_off(char *rep, int *off)
 #endif /* ! SLAP_AUTH_REWRITE */

 #ifdef SLAP_AUTH_REWRITE
-int slap_sasl_rewrite_config( 
+static int slap_sasl_rewrite_config_argv(
 		const char	*fname,
 		int		lineno,
 		int		argc,
@@ -1287,22 +1291,80 @@ int slap_sasl_rewrite_config(
 )
 {
 	int	rc;
-	char	*savearg0;
+	char	*argv0 = NULL;
+
+	if ( strncasecmp( argv[0], "authid-", STRLENOF( "authid-" ) ) == 0 ) {
+		/* strip "authid-" prefix for parsing */
+		argv0 = argv[0];
+		argv[0] = &argv0[ STRLENOF( "authid-" ) ];
+	}

 	/* init at first call */
 	if ( sasl_rwinfo == NULL ) {
- 		sasl_rwinfo = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
+		sasl_rwinfo = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
 	}

-	/* strip "authid-" prefix for parsing */
-	savearg0 = argv[0];
-	argv[0] += STRLENOF( "authid-" );
- 	rc = rewrite_parse( sasl_rwinfo, fname, lineno, argc, argv );
-	argv[0] = savearg0;
+	rc = rewrite_parse( sasl_rwinfo, fname, lineno, argc, argv );
+
+	if ( argv0 )
+		argv[0] = argv0;
+
+	return rc;
+}
+
+static int slap_sasl_rewrite_config_bv(
+		const char	*fname,
+		int		lineno,
+		struct berval	bv
+)
+{
+	int rc;
+	ConfigArgs ca = { 0 };
+
+	ca.line = bv.bv_val;
+	ca.argc = 0;
+	config_fp_parse_line( &ca );
+
+	rc = slap_sasl_rewrite_config_argv( fname, lineno, ca.argc, ca.argv );
+
+	ch_free( ca.tline );
+	ch_free( ca.argv );

 	return rc;
 }

+static void
+slap_sasl_rewrite_bva_add(
+		BerVarray	*bva,
+		int		idx,
+		int		argc,
+		char		**argv
+)
+{
+	char		*line, *s;
+	struct berval	bv;
+
+	if ( argc > 1 ) {
+		/* quote all args but the first */
+		line = ldap_charray2str( argv, "\" \"" );
+		ber_str2bv( line, 0, 0, &bv );
+		s = ber_bvchr( &bv, '"' );
+		assert( s != NULL );
+
+		/* move the trailing quote of argv[0] to the end */
+		AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
+		bv.bv_val[ bv.bv_len - 1 ] = '"';
+	} else {
+		ber_str2bv( argv[ 0 ], 0, 1, &bv );
+	}
+
+	if ( idx == -1 ) {
+		ber_bvarray_add( bva, &bv );
+	} else {
+		(*bva)[ idx ] = bv;
+	}
+}
+
 static int
 slap_sasl_rewrite_destroy( void )
 {
@@ -1314,89 +1376,238 @@ slap_sasl_rewrite_destroy( void )
 	return 0;
 }

-int slap_sasl_regexp_rewrite_config(
+int slap_sasl_rewrite_config(
 		const char	*fname,
 		int		lineno,
-		const char	*match,
-		const char	*replace,
-		const char	*context )
+		int		argc,
+		char		**argv,
+		int		valx
+)
+{
+	int	rc, i, last;
+	char	*line;
+	struct berval bv;
+	struct rewrite_info *rw = sasl_rwinfo;
+
+	for ( last = 0; authz_rewrites && !BER_BVISNULL( &authz_rewrites[ last ] ); last++ )
+		/* count'em */ ;
+
+	if ( valx == -1 || valx >= last ) {
+		valx = -1;
+		rc = slap_sasl_rewrite_config_argv( fname, lineno, argc, argv );
+		if ( rc == 0 ) {
+			slap_sasl_rewrite_bva_add( &authz_rewrites, valx, argc, argv );
+		}
+		return rc;
+	}
+
+	sasl_rwinfo = NULL;
+
+	for ( i = 0; i < valx; i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( fname, lineno, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	rc = slap_sasl_rewrite_config_argv( fname, lineno, argc, argv );
+	if ( rc != 0 ) {
+		slap_sasl_rewrite_destroy();
+		sasl_rwinfo = rw;
+		return 1;
+	}
+
+	for ( i = valx; authz_rewrites && !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( fname, lineno, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	authz_rewrites = ch_realloc( authz_rewrites,
+			( last + 2 )*sizeof( struct berval ) );
+	BER_BVZERO( &authz_rewrites[ last + 1 ] );
+
+	for ( i = last - 1; i >= valx; i-- )
+	{
+		authz_rewrites[ i + 1 ] = authz_rewrites[ i ];
+	}
+
+	slap_sasl_rewrite_bva_add( &authz_rewrites, valx, argc, argv );
+
+	if ( rw )
+		rewrite_info_delete( &rw );
+
+	return rc;
+}
+
+int slap_sasl_rewrite_delete( int valx ) {
+	int rc, i;
+
+	if ( valx == -1 ) {
+		slap_sasl_rewrite_destroy();
+		if ( authz_rewrites ) {
+			ber_bvarray_free( authz_rewrites );
+			authz_rewrites = NULL;
+		}
+		return 0;
+	}
+
+	for ( i = 0; !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+		/* count'em */ ;
+
+	if ( valx >= i ) {
+		return 1;
+	}
+
+	ber_memfree( authz_rewrites[ i ].bv_val );
+	for ( i = valx; !BER_BVISNULL( &authz_rewrites[ i + 1 ] ); i++ )
+	{
+		authz_rewrites[ i ] = authz_rewrites[ i + 1 ];
+	}
+	BER_BVZERO( &authz_rewrites[ i ] );
+
+	slap_sasl_rewrite_destroy();
+
+	for ( i = 0; !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( "slapd", 0, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	return rc;
+}
+
+int slap_sasl_rewrite_unparse( BerVarray *bva ) {
+	if ( authz_rewrites ) {
+		return slap_bv_x_ordered_unparse( authz_rewrites, bva );
+	}
+	return 0;
+}
+
+static int
+slap_sasl_regexp_rewrite_config(
+		struct rewrite_info	**rwinfo,
+		const char		*fname,
+		int			lineno,
+		const char		*match,
+		const char		*replace,
+		const char		*context )
 {
 	int	rc;
 	char	*argvRule[] = { "rewriteRule", NULL, NULL, ":@", NULL };
+	struct rewrite_info *rw = *rwinfo;

 	/* init at first call */
-	if ( sasl_rwinfo == NULL ) {
+	if ( rw == NULL ) {
 		char *argvEngine[] = { "rewriteEngine", "on", NULL };
 		char *argvContext[] = { "rewriteContext", NULL, NULL };

 		/* initialize rewrite engine */
- 		sasl_rwinfo = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
+		rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );

 		/* switch on rewrite engine */
- 		rc = rewrite_parse( sasl_rwinfo, fname, lineno, 2, argvEngine );
- 		if (rc != LDAP_SUCCESS) {
-			return rc;
+		rc = rewrite_parse( rw, fname, lineno, 2, argvEngine );
+		if (rc != LDAP_SUCCESS) {
+			goto out;
 		}

 		/* create generic authid context */
 		argvContext[1] = AUTHID_CONTEXT;
- 		rc = rewrite_parse( sasl_rwinfo, fname, lineno, 2, argvContext );
- 		if (rc != LDAP_SUCCESS) {
-			return rc;
+		rc = rewrite_parse( rw, fname, lineno, 2, argvContext );
+		if (rc != LDAP_SUCCESS) {
+			goto out;
 		}
 	}

 	argvRule[1] = (char *)match;
 	argvRule[2] = (char *)replace;
- 	rc = rewrite_parse( sasl_rwinfo, fname, lineno, 4, argvRule );
+	rc = rewrite_parse( rw, fname, lineno, 4, argvRule );
+out:
+	if (rc == LDAP_SUCCESS) {
+		*rwinfo = rw;
+	} else {
+		rewrite_info_delete( &rw );
+	}

 	return rc;
 }
 #endif /* SLAP_AUTH_REWRITE */

-int slap_sasl_regexp_config( const char *match, const char *replace )
+int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
 {
-	int rc;
-	SaslRegexp_t *reg;
-
-	SaslRegexp = (SaslRegexp_t *) ch_realloc( (char *) SaslRegexp,
-	  (nSaslRegexp + 1) * sizeof(SaslRegexp_t) );
+	int i, rc;
+	SaslRegexp_t sr;
+	struct rewrite_info *rw = NULL;

-	reg = &SaslRegexp[nSaslRegexp];
+	if ( valx < 0 || valx > nSaslRegexp )
+		valx = nSaslRegexp;

 #ifdef SLAP_AUTH_REWRITE
-	rc = slap_sasl_regexp_rewrite_config( "sasl-regexp", 0,
+	for ( i = 0; i < valx; i++) {
+		rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
+				SaslRegexp[i].sr_match,
+				SaslRegexp[i].sr_replace,
+				AUTHID_CONTEXT);
+		assert( rc == 0 );
+	}
+
+	rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
 			match, replace, AUTHID_CONTEXT );
 #else /* ! SLAP_AUTH_REWRITE */
-
 	/* Precompile matching pattern */
-	rc = regcomp( &reg->sr_workspace, match, REG_EXTENDED|REG_ICASE );
+	rc = regcomp( &sr.sr_workspace, match, REG_EXTENDED|REG_ICASE );
 	if ( rc ) {
 		Debug( LDAP_DEBUG_ANY,
 			"SASL match pattern %s could not be compiled by regexp engine\n",
 			match );
-
-#ifdef ENABLE_REWRITE
-		/* Dummy block to force symbol references in librewrite */
-		if ( slapMode == ( SLAP_SERVER_MODE|SLAP_TOOL_MODE )) {
-			rewrite_info_init( 0 );
-		}
-#endif
 		return( LDAP_OTHER );
 	}

-	rc = slap_sasl_rx_off( replace, reg->sr_offset );
+	rc = slap_sasl_rx_off( replace, sr.sr_offset );
 #endif /* ! SLAP_AUTH_REWRITE */
+
 	if ( rc == LDAP_SUCCESS ) {
-		reg->sr_match = ch_strdup( match );
-		reg->sr_replace = ch_strdup( replace );
+		SaslRegexp = (SaslRegexp_t *) ch_realloc( (char *) SaslRegexp,
+				(nSaslRegexp + 1) * sizeof(SaslRegexp_t) );
+
+		for ( i = nSaslRegexp; i > valx; i-- ) {
+			SaslRegexp[i] = SaslRegexp[i - 1];
+		}
+
+		SaslRegexp[i] = sr;
+		SaslRegexp[i].sr_match = ch_strdup( match );
+		SaslRegexp[i].sr_replace = ch_strdup( replace );

 		nSaslRegexp++;
+
+#ifdef SLAP_AUTH_REWRITE
+		for ( i = valx + 1; i < nSaslRegexp; i++ ) {
+			rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
+					SaslRegexp[i].sr_match,
+					SaslRegexp[i].sr_replace,
+					AUTHID_CONTEXT);
+			assert( rc == 0 );
+		}
+
+		slap_sasl_rewrite_destroy();
+		sasl_rwinfo = rw;
+	} else {
+		rewrite_info_delete( &rw );
+#endif
 	}

 	return rc;
 }

+static void
+slap_sasl_regexp_destroy_one( int n )
+{
+	ch_free( SaslRegexp[ n ].sr_match );
+	ch_free( SaslRegexp[ n ].sr_replace );
+#ifndef SLAP_AUTH_REWRITE
+	regfree( &SaslRegexp[ n ].sr_workspace );
+#endif /* ! SLAP_AUTH_REWRITE */
+}
+
 void
 slap_sasl_regexp_destroy( void )
 {
@@ -1404,14 +1615,12 @@ slap_sasl_regexp_destroy( void )
 		int	n;

 		for ( n = 0; n < nSaslRegexp; n++ ) {
-			ch_free( SaslRegexp[ n ].sr_match );
-			ch_free( SaslRegexp[ n ].sr_replace );
-#ifndef SLAP_AUTH_REWRITE
-			regfree( &SaslRegexp[ n ].sr_workspace );
-#endif /* SLAP_AUTH_REWRITE */
+			slap_sasl_regexp_destroy_one( n );
 		}

 		ch_free( SaslRegexp );
+		SaslRegexp = NULL;
+		nSaslRegexp = 0;
 	}

 #ifdef SLAP_AUTH_REWRITE
@@ -1419,6 +1628,39 @@ slap_sasl_regexp_destroy( void )
 #endif /* SLAP_AUTH_REWRITE */
 }

+int slap_sasl_regexp_delete( int valx )
+{
+	int rc = 0;
+
+	if ( valx >= nSaslRegexp ) {
+		rc = 1;
+	} else if ( valx < 0 || nSaslRegexp == 1 ) {
+		slap_sasl_regexp_destroy();
+	} else {
+		int i;
+
+		slap_sasl_regexp_destroy_one( valx );
+		nSaslRegexp--;
+
+		for ( i = valx; i < nSaslRegexp; i++ ) {
+			SaslRegexp[ i ] = SaslRegexp[ i + 1 ];
+		}
+
+#ifdef SLAP_AUTH_REWRITE
+		slap_sasl_rewrite_destroy();
+		for ( i = 0; i < nSaslRegexp; i++ ) {
+			rc = slap_sasl_regexp_rewrite_config( &sasl_rwinfo, "sasl-regexp", 0,
+					SaslRegexp[ i ].sr_match,
+					SaslRegexp[ i ].sr_replace,
+					AUTHID_CONTEXT );
+			assert( rc == 0 );
+		}
+#endif /* SLAP_AUTH_REWRITE */
+	}
+
+	return rc;
+}
+
 void slap_sasl_regexp_unparse( BerVarray *out )
 {
 	int i;
@@ -1534,8 +1776,8 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
 			"[rw] %s: \"%s\" -> \"%s\"\n",
 			context, in->bv_val, out->bv_val );		
 		return 1;
- 		
- 	case REWRITE_REGEXEC_UNWILLING:
+
+	case REWRITE_REGEXEC_UNWILLING:
 	case REWRITE_REGEXEC_ERR:
 	default:
 		return 0;
@@ -1544,7 +1786,7 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
 #else /* ! SLAP_AUTH_REWRITE */
 	char *saslname = in->bv_val;
 	SaslRegexp_t *reg;
-  	regmatch_t sr_strings[SASLREGEX_REPLACE];	/* strings matching $1,$2 ... */
+	regmatch_t sr_strings[SASLREGEX_REPLACE];	/* strings matching $1,$2 ... */
 	int i;

 	memset( out, 0, sizeof( *out ) );

--- a/tests/run.in
+++ b/tests/run.in
@@ -59,6 +59,7 @@ AC_WITH_TLS=@WITH_TLS@
 AC_TLS_TYPE=@WITH_TLS_TYPE@
 AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@
 AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@
+AC_REWRITE=@BUILD_REWRITE@
 AC_THREADS=threads@BUILD_THREAD@
 AC_LIBS_DYNAMIC=lib@BUILD_LIBS_DYNAMIC@

@@ -77,7 +78,7 @@ export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_relay AC_sql \
 	AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
 	AC_valsort \
 	AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
-	AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE
+	AC_REWRITE AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE

 if test ! -x ../servers/slapd/slapd ; then
 	echo "Could not locate slapd(8)"

--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -51,6 +51,7 @@ WITH_TLS=${AC_WITH_TLS-no}
 WITH_TLS_TYPE=${AC_TLS_TYPE-no}

 ACI=${AC_ACI_ENABLED-acino}
+REWRITE=${AC_REWRITE-no}
 THREADS=${AC_THREADS-threadsno}
 SLEEP0=${SLEEP0-1}
 SLEEP1=${SLEEP1-7}

--- a/tests/scripts/test076-authid-rewrite
+++ b/tests/scripts/test076-authid-rewrite
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_SASL = no; then
+	echo "SASL authentication not available, test skipped"
+	exit 0
+fi
+
+CONFDIR=$TESTDIR/slapd.d
+
+mkdir -p $TESTDIR $CONFDIR $DBDIR1
+
+$SLAPPASSWD -g -n >$CONFIGPWF
+
+echo "Starting slapd on TCP/IP port $PORT1... $PWD"
+. $CONFFILTER $BACKEND $MONITORDB < $DYNAMICCONF > $CONFLDIF
+$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
+cd $TESTDIR
+$SLAPD -F ./slapd.d -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+cd $TESTWD
+
+sleep 1
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Adding schema and database..."
+$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+include: file://$ABS_SCHEMADIR/core.ldif
+
+include: file://$ABS_SCHEMADIR/cosine.ldif
+
+include: file://$ABS_SCHEMADIR/inetorgperson.ldif
+
+include: file://$ABS_SCHEMADIR/openldap.ldif
+
+include: file://$ABS_SCHEMADIR/nis.ldif
+EOF
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed for schema config ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+if [ "$BACKENDTYPE" = mod ]; then
+	$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
+olcModuleLoad: back_$BACKEND.la
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapadd failed for backend config ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+
+$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: olcDatabase={1}$BACKEND,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olc${BACKEND}Config
+olcDatabase: {1}$BACKEND
+olcSuffix: $BASEDN
+olcDbDirectory: $DBDIR1
+olcRootDN: $MANAGERDN
+olcRootPW: $PASSWD
+EOF
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed for database config ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+if test $INDEXDB = indexdb ; then
+	$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: objectClass,entryUUID,entryCSN eq
+olcDbIndex: cn,uid pres,eq,sub
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapmodify failed for index config ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+
+echo "Using ldapadd to populate the database..."
+$LDAPADD -H $URI1 -D "$MANAGERDN" -w $PASSWD < $LDIFORDERED >>$TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapadd failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo
+
+echo "Adding olcAuthzRegexp rule for static mapping..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=manager,cn=[^,]+,cn=auth $MANAGERDN
+EOF
+RC=$?
+if test $RC != 0; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo
+
+echo "Adding olcAuthzRegexp rule to search by uid..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1)
+EOF
+RC=$?
+if test $RC != 0; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 0; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo
+
+echo "Inserting olcAuthzRegexp rule before the last..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: {1}uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen)
+EOF
+RC=$?
+if test $RC != 0; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+ID=babs
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+RC=$?
+if test $RC != 0; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS