Ubuntu
openldap package

Merge ~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY into ubuntu/+source/openldap:ubuntu/jammy-devel

Proposed by Sergio Durigan Junior on 2022-06-13

Status:	Merged
Merged at revision:	c185122b7e63f18dfba2f59df2b30af3d837bc63
Proposed branch:	~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY
Merge into:	ubuntu/+source/openldap:ubuntu/jammy-devel
Diff against target:	1976 lines (+489/-393) 36 files modified CHANGES (+30/-0) build/dir.mk (+5/-5) build/version.var (+4/-4) contrib/slapd-modules/vc/vc.c (+2/-4) debian/changelog (+14/-0) debian/patches/series (+0/-1) dev/null (+0/-274) doc/guide/admin/guide.html (+1/-1) doc/man/man3/ldap_get_option.3 (+22/-1) doc/man/man5/slapd-config.5 (+2/-3) doc/man/man5/slapd.conf.5 (+2/-3) include/ldap_pvt.h (+2/-2) libraries/libldap/ldif.c (+5/-0) libraries/libldap/result.c (+10/-4) libraries/libldap/tls_o.c (+4/-0) servers/slapd/back-asyncmeta/add.c (+1/-0) servers/slapd/back-asyncmeta/config.c (+5/-3) servers/slapd/back-asyncmeta/meta_result.c (+11/-4) servers/slapd/back-asyncmeta/search.c (+1/-0) servers/slapd/back-ldap/config.c (+5/-3) servers/slapd/back-mdb/monitor.c (+2/-1) servers/slapd/back-meta/config.c (+17/-13) servers/slapd/back-sql/search.c (+105/-18) servers/slapd/bconfig.c (+24/-7) servers/slapd/connection.c (+10/-8) servers/slapd/daemon.c (+13/-1) servers/slapd/overlays/dynlist.c (+7/-4) servers/slapd/overlays/pcache.c (+3/-2) servers/slapd/overlays/ppolicy.c (+12/-8) servers/slapd/overlays/syncprov.c (+1/-0) servers/slapd/overlays/translucent.c (+23/-1) servers/slapd/proto-slap.h (+1/-0) servers/slapd/syncrepl.c (+122/-18) tests/data/dynlist.out (+4/-0) tests/scripts/test034-translucent (+8/-0) tests/scripts/test044-dynlist (+11/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Athos Ribeiro (community)	2022-06-13	Approve on 2022-06-13
Canonical Server	2022-06-13	Pending
git-ubuntu bot	2022-06-13	Pending
Canonical Server packageset reviewers	2022-06-13	Pending
Review via email: mp+424587@code.launchpad.net

This proposal supersedes a proposal from 2022-06-10.

Description of the change

This is the (first) MRE for OpenLDAP 2.5.12 targeting Jammy.

As discussed previously (see https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341), I decided to approach this MRE using the same procedure we use for the postgresql MREs. IOW: fetch the DFSG-compatible tarball from upstream and update our source package directly, without using Debian's OpenLDAP package and doing a regular merge.

This has a few benefits. The first is that the MRE is much easier to prepare, and doesn't involve any complicated rebases. The second benefit is that we will have more freedom to adopt only the packaging changes that we deem necessary from Debian, instead of adopting everything and then worrying about whether we want to have them MRE'd or not. The third is that the changelog entry becomes simpler: we just have to write about the upstream changes, always.

Just as a reminder, upstream considers the 2.5.x series to be their LTS, so every minor release contains only bugfixes and no new features. This is perfect for MREs, of course.

You can take a look at upstream's CHANGES file if you'd like to check the bugs that have been fixed by this release:

https://git.openldap.org/openldap/openldap/-/blob/2bda1fa98fbcedc6cd5995ea905427b8bef89f9d/CHANGES

It's always a somewhat subjective task to come up with good/important bugs to mention in the changelog entry for an MRE. For now, the policy I'm adopting is to mention only high priority bugs and CVE fixes in the changelog entry (thanks Athos for the suggestion). Other than that, everything else is pretty much as you would expect from an MRE.

There is a bileto ticket where you can find a PPA with the built package plus all of the dep8 results for OpenLDAP's reverse deps:

https://bileto.ubuntu.com/#/ticket/4868

Do note that currently the following packages' dep8 tests are failing:

- apache2 is failing on all architectures due to an unrelated problem when running some tests. I will report a separate bug. migration-reference/0 also fails.

- cyrus-imapd is failing on ppc64el, but that's because the package was never published on Jammy due to a FTBFS.

- sudo is failing on armhf, but that's also something that was happening before and its migration-reference/0 also fails.

- kopanocore is failing on s390x. Likewise, its migration-reference/0 is also failing.

I will post the dep8 test results for the OpenLDAP package as soon as I have them.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-06-10: Posted in a previous version of this proposal

The dep8 tests have finished on Bileto.

- As expected, apache2 is failing. That's OK, as I explained above.

- cyrus-imapd is failing on ppc64el, but that's because the package was never published on Jammy due to a FTBFS.

- sudo is failing on armhf, but that's also something that was happening before and its migration-reference/0 also fails.

- kopanocore is failing on s390x. Likewise, its migration-reference/0 is also failing.

Other than that, everything else has passed. This is good for review/upload.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-06-10: Posted in a previous version of this proposal

Something I forgot to mention: this merge was done against the pkg/import/2.5.12+dfsg-1 tag, not debian/sid. This was done because Debian's 2.5.12+dfsg-2 version includes a fix that is not necessary for Ubuntu, because Ubuntu is already carrying a fix for debconf and Debian isn't. For more details, you can check https://bugs.launchpad.net/ubuntu/+source/debhelper/+bug/1959054.

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-06-10: Posted in a previous version of this proposal

This LGTM.

There is one space in line 2 of the changelog that would be nice to remove before uploading.

As for the changelog entries, I understand you put a lot of effort into filtering what should be added. Still, I believe we could come up with some algorithm for that. For instance, only including mentions to CVEs or bugs set to high in the upstream bug tracker. All the entries are in the upstream changelog anyway and it is being referenced in the package chagelog.

I also see you decided to pick debian's 2.5.12+dfsg-1 release instead of 2.5.12+dfsg-2 as a base for the merge.
It was nice of you to reduce the amount of changes introduced in the MRE. You also explained offline that this specific change was only needed in debian since Ubuntu already has a fix in debconf. However, the next steps here would be to move this changes from Ubuntu to Debian to consolidate them there before the next MRE to avoid complications in a possible following merge.

Finally, since this was a merge from a specific Debian commit, I was wondering why you decided not to include a remaining changes section. It should be fine not to have one since this is not a traditional merge, but an MRE. Still, it would be nice to document "how developers should do things" in the MRE documentation page.

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-06-10: Posted in a previous version of this proposal

Download full text (3.5 KiB)

> This LGTM.

Thanks for the review, Athos.

> There is one space in line 2 of the changelog that would be nice to remove before uploading.

Ops, indeed. Fixed.

> As for the changelog entries, I understand you put a lot of effort
> into filtering what should be added. Still, I believe we could come up
> with some algorithm for that. For instance, only including mentions to
> CVEs or bugs set to high in the upstream bug tracker. All the entries
> are in the upstream changelog anyway and it is being referenced in the
> package chagelog.

Yes, agreed. I thought about only mentioning the CVE issue, but that's
moot since it's already been addressed by the Security team in a
previous upload. I revisited the bugs fixed in this release and the
only one marked as high priority is this:

https://bugs.openldap.org/show_bug.cgi?id=9584

I don't know if upstream worries too much about setting bug priorities
or not, so maybe we can't rely on this parameter.

I don't have a good answer for how to approach this problem right now.
For that reason, I'm going to postpone uploading this package until next
week.

> I also see you decided to pick debian's 2.5.12+dfsg-1 release instead of 2.5.12+dfsg-2 as a base for the merge.
> It was nice of you to reduce the amount of changes introduced in the
> MRE. You also explained offline that this specific change was only
> needed in debian since Ubuntu already has a fix in debconf. However,
> the next steps here would be to move this changes from Ubuntu to
> Debian to consolidate them there before the next MRE to avoid
> complications in a possible following merge.

Absolutely.

Dave Jones is already taking care of that here:

https://salsa.debian.org/pkg-debconf/debconf/-/merge_requests/10
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006147

> Finally, since this was a merge from a specific Debian commit, I was
> wondering why you decided not to include a remaining changes
> section. It should be fine not to have one since this is not a
> traditional merge, but an MRE. Still, it would be nice to document
> "how developers should do things" in the MRE documentation page.

Thanks for bringing this up. This prompted me into thinking more about
the changelog entry, and then I realized a misconception I was having
about the MRE.

Initially I thought that openldap was "special" because, aside from
doing the MRE the "standard way" (i.e., just grab the upstream tarball
and update the source package by hand with it), we could also merge the
package from Debian because they are also planning to stick with the
2.5.x series.

However, I noticed that openldap 2.5.x is actually just postgresql-14
right now: both packages get uploaded to Debian unstable as soon as
there's a new upstream microrelease. For postgresql-14, we do our MREs
*without* merging the Debian package. So I now believe that we should
do the same for openldap.

> This LGTM.

Thanks for the review, Athos.

> There is one space in line 2 of the changelog that would be nice to remove before uploading.

Ops, indeed.  Fixed.

Yes, agreed.  I thought about only mentioning the CVE issue, but that's
moot since it's already been addressed by the Security team in a
previous upload.  I revisited the bugs fixed in this release and the
only one marked as high priority is this:

https://bugs.openldap.org/show_bug.cgi?id=9584

I don't know if upstream worries too much about setting bug priorities
or not, so maybe we can't rely on this parameter.

I don't have a good answer for how to approach this problem right now.
For that reason, I'm going to postpone uploading this package until next
week.

Absolutely.

Dave Jones is already taking care of that here:

https://salsa.debian.org/pkg-debconf/debconf/-/merge_requests/10
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006147

Thanks for bringing this up.  This prompted me into thinking more about
the changelog entry, and then I realized a misconception I was having
about the MRE.

However, I noticed that openldap 2.5.x is actually just postgresql-14
right now: both packages get uploaded to Debian unstable as soon as
there's a new upstream microrelease.  For postgresql-14, we do our MREs
*without* merging the Debian package.  So I now believe that we should
do the same for openldap.

This would actually have a few benefits.  The first is that the MRE is
much easier: we really just need to grab the tarball and explode it on
top of the current version of the source package, then update the
patches and write a changelog entry for it.  The second benefit is that
we won't need to worry about changes that are made in the Debian package
and whether we want to have them MRE'd or not.  The third is that the
changelog entry becomes simpler: we just have to write about the
upstream changes, always.

We talked in private about this but I wanted to leave a record of my
thoughts.  I will likely abandon this MP and file a new one following
the regular MRE procedure.

Thanks again.

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-06-10: Posted in a previous version of this proposal

Ack!

Thanks for the thorough reply :)

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2022-06-13: Posted in a previous version of this proposal

Approvers: sergiodj, athos-ribeiro
Uploaders: sergiodj, athos-ribeiro
MP auto-approved

review: Approve

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2022-06-13:

Given the previous review and exchanges, this got simpler to review.

The changelog looks nicer, BTW.

LGTM! Thanks, Sergio :)

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-06-13:

Thanks, Athos.

Uploaded:

$ dput openldap_2.5.12+dfsg-0ubuntu0.22.04.1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/openldap/openldap_2.5.12+dfsg-0ubuntu0.22.04.1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/openldap/openldap_2.5.12+dfsg-0ubuntu0.22.04.1.dsc: Valid signature from 106DA1C8C3CBBF14
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.5.12+dfsg-0ubuntu0.22.04.1.dsc: done.
  Uploading openldap_2.5.12+dfsg.orig.tar.gz: done.
  Uploading openldap_2.5.12+dfsg-0ubuntu0.22.04.1.debian.tar.xz: done.
  Uploading openldap_2.5.12+dfsg-0ubuntu0.22.04.1_source.buildinfo: done.
  Uploading openldap_2.5.12+dfsg-0ubuntu0.22.04.1_source.changes: done.
Successfully uploaded packages.

I'll also keep an eye on the dep8 results from bileto, since they're an important part of the MRE.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/CHANGES b/CHANGES
 index c9ce92c..d8092be 100644
 --- a/CHANGES
 +++ b/CHANGES
@@ -1,5 +1,35 @@
  OpenLDAP 2.5 Change Log
++OpenLDAP 2.5.12 Release (2022/05/04)
++	Fixed libldap to drop connection when non-LDAP data is received (ITS#9803)
++	Fixed libldap to allow newlines at end of included file (ITS#9811)
++	Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
++	Fixed slapd usage of thread local counters (ITS#9789)
++	Fixed slapd to clear runqueue task correctly (ITS#9785)
++	Fixed slapd idletimeout handling (ITS#9820)
++	Fixed slapd bconfig locking for cn=config replication (ITS#9584)
++	Fixed slapd syncrepl handling of new sessions (ITS#9584)
++	Fixed slapd to clear connections on bind (ITS#9799)
++	Fixed slapd to correctly advance connections index (ITS#9831)
++	Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
++	Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
++	Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
++	Fixed slapd-meta SEGV on config rewrite (ITS#9802)
++	Fixed slapd-meta ordering on config rewrite (ITS#9802)
++	Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
++	Fixed slapd-monitor SEGV on shutdown (ITS#9809)
++	Fixed slapd-sql to properly escape filter value (ITS#9815)
++	Fixed slapo-dynlist dynamic group regression (ITS#9825)
++	Fixed slapo-pcache SEGV on shutdown (ITS#9809)
++	Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
++	Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818)
++	Build Environment
++		Fix compilation with openssl exclusions (ITS#9791)
++		Fix warnings from make jobserver (ITS#9788)
++		Fix compiliation with certain versions of gcc (ITS#9790)
++	Documentation
++		Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804)
++
  OpenLDAP 2.5.11 Release (2022/01/20)
  	Fix broken build release variable
 diff --git a/build/dir.mk b/build/dir.mk
 index a73c6b8..e42406b 100644
 --- a/build/dir.mk
 +++ b/build/dir.mk
@@ -21,7 +21,7 @@ all-common: FORCE
  	@echo "Making all in `$(PWD)`"
  	@for i in $(SUBDIRS) $(ALLDIRS); do 		\
  		echo "  Entering subdirectory $$i";		\
--		( cd $$i && $(MAKE) $(MFLAGS) all );		\
++		( cd $$i && $(MAKE) all );		\
  		if test $$? != 0 ; then exit 1; fi ;	\
  		echo " ";								\
  	done
@@ -30,7 +30,7 @@ install-common: FORCE
  	@echo "Making install in `$(PWD)`"
  	@for i in $(SUBDIRS) $(INSTALLDIRS); do 	\
  		echo "  Entering subdirectory $$i";		\
--		( cd $$i && $(MAKE) $(MFLAGS) install );	\
++		( cd $$i && $(MAKE) install );	\
  		if test $$? != 0 ; then exit 1; fi ;	\
  		echo " ";								\
  	done
@@ -39,7 +39,7 @@ clean-common: FORCE
  	@echo "Making clean in `$(PWD)`"
  	@for i in $(SUBDIRS) $(CLEANDIRS); do		\
  		echo "  Entering subdirectory $$i";		\
--		( cd $$i && $(MAKE) $(MFLAGS) clean );	\
++		( cd $$i && $(MAKE) clean );	\
  		if test $$? != 0 ; then exit 1; fi ;	\
  		echo " ";								\
  	done
@@ -48,7 +48,7 @@ veryclean-common: FORCE
  	@echo "Making veryclean in `$(PWD)`"
  	@for i in $(SUBDIRS) $(CLEANDIRS); do		\
  		echo "  Entering subdirectory $$i";		\
--		( cd $$i && $(MAKE) $(MFLAGS) veryclean );	\
++		( cd $$i && $(MAKE) veryclean );	\
  		if test $$? != 0 ; then exit 1; fi ;	\
  		echo " ";								\
  	done
@@ -57,7 +57,7 @@ depend-common: FORCE
  	@echo "Making depend in `$(PWD)`"
  	@for i in $(SUBDIRS) $(DEPENDDIRS); do		\
  		echo "  Entering subdirectory $$i";		\
--		( cd $$i && $(MAKE) $(MFLAGS) depend );	\
++		( cd $$i && $(MAKE) depend );	\
  		if test $$? != 0 ; then exit 1; fi ;	\
  		echo " ";								\
  	done
 diff --git a/build/version.var b/build/version.var
 index e547d3d..df94973 100644
 --- a/build/version.var
 +++ b/build/version.var
@@ -15,9 +15,9 @@
  ol_package=OpenLDAP
  ol_major=2
  ol_minor=5
--ol_patch=11
--ol_api_inc=20511
++ol_patch=12
++ol_api_inc=20512
  ol_api_current=1
--ol_api_revision=6
++ol_api_revision=7
  ol_api_age=1
--ol_release_date="2022/01/20"
++ol_release_date="2022/05/04"
 diff --git a/contrib/slapd-modules/vc/vc.c b/contrib/slapd-modules/vc/vc.c
 index 2039556..0760af2 100644
 --- a/contrib/slapd-modules/vc/vc.c
 +++ b/contrib/slapd-modules/vc/vc.c
@@ -289,16 +289,14 @@ vc_exop(
  			goto done;
+ 		}
  		conn->refcnt++;
++		operation_counter_init( conn->op, op->o_threadctx );
  		ldap_pvt_thread_mutex_unlock( &vc_mutex );
  	} else {
--		void *thrctx;
--
  		conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) );
  		conn->refcnt = 1;
--		thrctx = ldap_pvt_thread_pool_context();
--		connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 0 );
++		connection_fake_init2( &conn->connbuf, &conn->opbuf, op->o_threadctx, 0 );
  		conn->op = &conn->opbuf.ob_op;
  		snprintf( conn->op->o_log_prefix, sizeof( conn->op->o_log_prefix ),
  			"%s VERIFYCREDENTIALS", op->o_log_prefix );
 diff --git a/debian/changelog b/debian/changelog
 index 8fc3770..4c4b66d 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,17 @@
++openldap (2.5.12+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium
++
++  * New upstream version (LP: #1977627).
++    - Fixed slapd syncrepl handling of new sessions (ITS#9584)
++    - Fixed slapd-sql to properly escape filter value (ITS#9815)
++      (CVE-2022-29155)
++      [ Already included in 2.5.11+dfsg-1~exp1ubuntu3.1 ]
++    - More details about this release can be found at:
++      https://git.openldap.org/openldap/openldap/-/blob/2bda1fa98fbcedc6cd5995ea905427b8bef89f9d/CHANGES
++  * d/p/CVE-2022-29155.patch: Dropped patch; included in this new upstream
++    version.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 13 Jun 2022 13:19:52 -0400
++
  openldap (2.5.11+dfsg-1~exp1ubuntu3.1) jammy-security; urgency=medium
    * SECURITY UPDATE: SQL injection in experimental back-sql backend
 diff --git a/debian/patches/CVE-2022-29155.patch b/debian/patches/CVE-2022-29155.patch
 deleted file mode 100644
 index 5f81868..0000000
 --- a/debian/patches/CVE-2022-29155.patch
 +++ /dev/null
@@ -1,274 +0,0 @@
--From 40f3ae4f5c9a8baf75b237220f62c436a571d66e Mon Sep 17 00:00:00 2001
--From: Howard Chu <hyc@openldap.org>
--Date: Wed, 23 Mar 2022 12:43:31 +0000
--Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
--
--Escape filter values to slapd-sql (CVE-2022-29155)
-----
-- servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
-- 1 file changed, 105 insertions(+), 18 deletions(-)
--
--diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
--index 2168a1553b..d4177f6292 100644
----- a/servers/slapd/back-sql/search.c
--+++ b/servers/slapd/back-sql/search.c
--@@ -63,6 +63,38 @@ static void send_paged_response(
-- 	ID  *lastid );
-- #endif /* ! BACKSQL_ARBITRARY_KEY */
--
--+/* Look for chars that need to be escaped, return count of them.
--+ * If out is non-NULL, copy escape'd val to it.
--+ */
--+static int
--+backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
--+{
--+	char *ptr, *end;
--+	int q = 0;
--+
--+	ptr = in->bv_val;
--+	end = ptr + in->bv_len;
--+	while (ptr < end) {
--+		if ( *ptr == '\'' )
--+			q++;
--+		ptr++;
--+	}
--+	if ( q && out ) {
--+		char *dst;
--+		out->bv_len = in->bv_len + q;
--+		out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
--+		ptr = in->bv_val;
--+		dst = out->bv_val;
--+		while (ptr < end ) {
--+			if ( *ptr == '\'' )
--+				*dst++ = '\'';
--+			*dst++ = *ptr++;
--+		}
--+		*dst = '\0';
--+	}
--+	return q;
--+}
--+
-- static int
-- backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
-- {
--@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
-- 	backsql_info		*bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
-- 	int			i;
-- 	int			casefold = 0;
--+	int			escaped = 0;
--+	struct berval	escval, *fvalue;
--
-- 	if ( !f ) {
-- 		return 0;
--@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
--
-- 		BER_BVZERO( &bv );
-- 		if ( f->f_sub_initial.bv_val ) {
---			bv.bv_len += f->f_sub_initial.bv_len;
--+			bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
-- 		}
-- 		if ( f->f_sub_any != NULL ) {
-- 			for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
---				bv.bv_len += f->f_sub_any[ a ].bv_len;
--+				bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
-- 			}
-- 		}
-- 		if ( f->f_sub_final.bv_val ) {
---			bv.bv_len += f->f_sub_final.bv_len;
--+			bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
-- 		}
-- 		bv.bv_len = 2 * bv.bv_len - 1;
-- 		bv.bv_val = ch_malloc( bv.bv_len + 1 );
--
-- 		s = 0;
-- 		if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
---			bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
---			for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
--+			fvalue = &f->f_sub_initial;
--+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+			if ( escaped )
--+				fvalue = &escval;
--+			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
--+			for ( i = 1; i < fvalue->bv_len; i++ ) {
-- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
---				bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
--+				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
-- 			}
-- 			bv.bv_val[ s + 2 * i - 1 ] = '%';
-- 			s += 2 * i;
--+			if ( escaped )
--+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-- 		}
--
-- 		if ( f->f_sub_any != NULL ) {
-- 			for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
---				bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
---				for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
--+				fvalue = &f->f_sub_any[ a ];
--+				escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+				if ( escaped )
--+					fvalue = &escval;
--+				bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
--+				for ( i = 1; i < fvalue->bv_len; i++ ) {
-- 					bv.bv_val[ s + 2 * i - 1 ] = '%';
---					bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
--+					bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
-- 				}
-- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
-- 				s += 2 * i;
--+				if ( escaped )
--+					bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-- 			}
-- 		}
--
-- 		if ( !BER_BVISNULL( &f->f_sub_final ) ) {
---			bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
---			for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
--+			fvalue = &f->f_sub_final;
--+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+			if ( escaped )
--+				fvalue = &escval;
--+			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
--+			for ( i = 1; i < fvalue->bv_len; i++ ) {
-- 				bv.bv_val[ s + 2 * i - 1 ] = '%';
---				bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
--+				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
-- 			}
---				bv.bv_val[ s + 2 * i - 1 ] = '%';
--+			bv.bv_val[ s + 2 * i - 1 ] = '%';
-- 			s += 2 * i;
--+			if ( escaped )
--+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-- 		}
--
-- 		bv.bv_val[ s - 1 ] = '\0';
--@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
-- 			f->f_sub_initial.bv_val );
-- #endif /* BACKSQL_TRACE */
--
--+		fvalue = &f->f_sub_initial;
--+		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+		if ( escaped )
--+			fvalue = &escval;
-- 		start = bsi->bsi_flt_where.bb_val.bv_len;
-- 		backsql_strfcat_x( &bsi->bsi_flt_where,
-- 				bsi->bsi_op->o_tmpmemctx,
-- 				"b",
---				&f->f_sub_initial );
--+				fvalue );
--+		if ( escaped )
--+			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-- 		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
-- 			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
-- 		}
--@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
-- 				i, f->f_sub_any[ i ].bv_val );
-- #endif /* BACKSQL_TRACE */
--
--+			fvalue = &f->f_sub_any[ i ];
--+			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+			if ( escaped )
--+				fvalue = &escval;
-- 			start = bsi->bsi_flt_where.bb_val.bv_len;
-- 			backsql_strfcat_x( &bsi->bsi_flt_where,
-- 					bsi->bsi_op->o_tmpmemctx,
-- 					"bc",
---					&f->f_sub_any[ i ],
--+					fvalue,
-- 					'%' );
--+			if ( escaped )
--+				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
-- 			if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
-- 				/*
-- 				 * Note: toupper('%') = '%'
--@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
-- 			f->f_sub_final.bv_val );
-- #endif /* BACKSQL_TRACE */
--
--+		fvalue = &f->f_sub_final;
--+		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
--+		if ( escaped )
--+			fvalue = &escval;
-- 		start = bsi->bsi_flt_where.bb_val.bv_len;
--     		backsql_strfcat_x( &bsi->bsi_flt_where,
-- 				bsi->bsi_op->o_tmpmemctx,
-- 				"b",
---				&f->f_sub_final );
--+				fvalue );
--+		if ( escaped )
--+			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
--   		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
-- 			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
-- 		}
--@@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
-- 	struct berval		*filter_value = NULL;
-- 	MatchingRule		*matching_rule = NULL;
-- 	struct berval		ordering = BER_BVC("<=");
--+	struct berval		escval;
--+	int					escaped = 0;
--
-- 	Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
-- 		at->bam_ad->ad_cname.bv_val );
--@@ -1236,6 +1308,10 @@ equality_match:;
-- 			casefold = 1;
-- 		}
--
--+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
--+		if ( escaped )
--+			filter_value = &escval;
--+
-- 		/* FIXME: directoryString filtering should use a similar
-- 		 * approach to deal with non-prettified values like
-- 		 * " A  non    prettified   value  ", by using a LIKE
--@@ -1316,6 +1392,10 @@ equality_match:;
-- 			casefold = 1;
-- 		}
--
--+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
--+		if ( escaped )
--+			filter_value = &escval;
--+
-- 		/*
-- 		 * FIXME: should we uppercase the operands?
-- 		 */
--@@ -1349,7 +1429,7 @@ equality_match:;
-- 					&at->bam_sel_expr,
-- 					&ordering,
-- 					'\'',
---					&f->f_av_value,
--+					filter_value,
-- 					(ber_len_t)STRLENOF( /* (' */ "')" ),
-- 						/* ( */ "')" );
-- 		}
--@@ -1373,13 +1453,17 @@ equality_match:;
-- 	case LDAP_FILTER_APPROX:
-- 		/* we do our best */
--
--+		filter_value = &f->f_av_value;
--+		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
--+		if ( escaped )
--+			filter_value = &escval;
-- 		/*
-- 		 * maybe we should check type of at->sel_expr here somehow,
-- 		 * to know whether upper_func is applicable, but for now
-- 		 * upper_func stuff is made for Oracle, where UPPER is
-- 		 * safely applicable to NUMBER etc.
-- 		 */
---		(void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
--+		(void)backsql_process_filter_like( bsi, at, 1, filter_value );
-- 		break;
--
-- 	default:
--@@ -1393,6 +1477,9 @@ equality_match:;
--
-- 	}
--
--+	if ( escaped )
--+		bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
--+
-- 	Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
-- 		at->bam_ad->ad_cname.bv_val );
--
----
--GitLab
--
 diff --git a/debian/patches/series b/debian/patches/series
 index 34a5f20..a8d57cb 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -13,4 +13,3 @@ add-tlscacert-option-to-ldap-conf
  fix-build-top-mk
  switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
  set-maintainer-name
--CVE-2022-29155.patch
 diff --git a/doc/guide/admin/guide.html b/doc/guide/admin/guide.html
 index c256e1b..7415912 100644
 --- a/doc/guide/admin/guide.html
 +++ b/doc/guide/admin/guide.html
@@ -23,7 +23,7 @@
  <DIV CLASS="title">
  <H1 CLASS="doc-title">OpenLDAP Software 2.5 Administrator's Guide</H1>
  <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="https://www.openldap.org/">https://www.openldap.org/</A>&gt;</ADDRESS>
--<ADDRESS CLASS="doc-modified">20 January 2022</ADDRESS>
++<ADDRESS CLASS="doc-modified">4 May 2022</ADDRESS>
  <BR CLEAR="All">
  </DIV>
  <DIV CLASS="contents">
 diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
 index f08cd01..3477f02 100644
 --- a/doc/man/man3/ldap_get_option.3
 +++ b/doc/man/man3/ldap_get_option.3
@@ -455,6 +455,12 @@ This option is OpenLDAP specific.
  .B LDAP_OPT_TCP_USER_TIMEOUT
  Allows to configure TCP_USER_TIMEOUT in milliseconds on the connection, overriding the operating system setting.
  This option is OpenLDAP specific and supported only on Linux 2.6.37 or higher.
++.B invalue
++must be a
++.BR "const unsigned int *" ;
++.BR outvalue
++must be an
++.BR "unsigned int *" .
  .SH SASL OPTIONS
  The SASL options are OpenLDAP specific.
@@ -587,6 +593,7 @@ must be a
  .BR "char **" .
  Its content needs to be freed by the caller using
  .BR ldap_memfree (3).
++.TP
  .B LDAP_OPT_X_SASL_CBINDING
  Sets/gets the channel-binding type to use in SASL,
  one of
@@ -602,7 +609,6 @@ must be
  .BR outvalue
  must be
  .BR "int *" .
--.TP
  .SH TCP OPTIONS
  The TCP options are OpenLDAP specific.
  Mainly intended for use with Linux, they may not be portable.
@@ -873,6 +879,21 @@ must be
  .BR "char **" ,
  and its contents need to be freed by the caller using
  .BR ldap_memfree (3).
++.TP
++.B LDAP_OPT_X_TLS_PEERKEY_HASH
++Sets the (public) key that the application expects the peer to be using.
++.B invalue
++must be
++.BR "const char *"
++containing the base64 encoding of the expected peer's key or in the format
++.B "<hashalg>:<peerkey hash base64 encoded>"
++where as a TLS session is established, the library will hash the peer's key
++with the provided hash algorithm and compare it with value provided and will
++only allow the session to continue if they match. This happens regardless of
++certificate checking strategy. The list of supported
++.B hashalg
++values depends on the crypto library used, check its documentation to get
++a list.
  .SH ERRORS
  On success, the functions return
  .BR LDAP_OPT_SUCCESS ,
 diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
 index 9e40804..d402340 100644
 --- a/doc/man/man5/slapd-config.5
 +++ b/doc/man/man5/slapd-config.5
@@ -1945,9 +1945,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only
  accept "unlimited" and positive integers, and both default to "unlimited".
  The \fBsizelimit\fP and \fBtimelimit\fP parameters define
  a consumer requested limitation on the number of entries that can be returned
--by the LDAP Content Synchronization operation; as such, it is intended
--to implement partial replication based on the size of the replicated database
--and on the time required by the synchronization.
++by the LDAP Content Synchronization operation; these should be left unchanged
++from the default otherwise replication may never succeed.
  Note, however, that any provider-side limits for the replication identity
  will be enforced by the provider regardless of the limits requested
  by the LDAP Content Synchronization operation, much like for any other
 diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
 index 37ec52e..6ec19c5 100644
 --- a/doc/man/man5/slapd.conf.5
 +++ b/doc/man/man5/slapd.conf.5
@@ -1877,9 +1877,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only
  accept "unlimited" and positive integers, and both default to "unlimited".
  The \fBsizelimit\fP and \fBtimelimit\fP parameters define
  a consumer requested limitation on the number of entries that can be returned
--by the LDAP Content Synchronization operation; as such, it is intended
--to implement partial replication based on the size of the replicated database
--and on the time required by the synchronization.
++by the LDAP Content Synchronization operation; these should be left unchanged
++from the default otherwise replication may never succeed.
  Note, however, that any provider-side limits for the replication identity
  will be enforced by the provider regardless of the limits requested
  by the LDAP Content Synchronization operation, much like for any other
 diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
 index 27a5afd..ba6ec15 100644
 --- a/include/ldap_pvt.h
 +++ b/include/ldap_pvt.h
@@ -185,11 +185,11 @@ ldap_pvt_get_hname LDAP_P((
  #define LDAP_IPADDRLEN	sizeof("IP=255.255.255.255:65336")
  #endif
--typedef union Sockaddr Sockaddr;
++union Sockaddr;
  LDAP_F (void)
  ldap_pvt_sockaddrstr LDAP_P((
--	Sockaddr *sa,
++	union Sockaddr *sa,
  	struct berval * ));
 diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
 index 7ca5e32..900a979 100644
 --- a/libraries/libldap/ldif.c
 +++ b/libraries/libldap/ldif.c
@@ -796,6 +796,7 @@ ldif_read_record(
  		 * back to a previous file. (return from an include)
  		 */
  		while ( feof( lfp->fp )) {
++pop:
  			if ( lfp->prev ) {
  				LDIFFP *tmp = lfp->prev;
  				fclose( lfp->fp );
@@ -808,6 +809,10 @@ ldif_read_record(
+ 		}
  		if ( !stop ) {
  			if ( fgets( line, sizeof( line ), lfp->fp ) == NULL ) {
++				if ( !found_entry && !ferror( lfp->fp ) ) {
++					/* ITS#9811 Reached the end looking for an entry, try again */
++					goto pop;
++				}
  				stop = 1;
  				len = 0;
  			} else {
 diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
 index c1b4a45..40ff1c1 100644
 --- a/libraries/libldap/result.c
 +++ b/libraries/libldap/result.c
@@ -506,6 +506,16 @@ nextresp3:
  		lc->lconn_ber = NULL;
  		break;
++	default:
++		/*
++		 * We read a BerElement that isn't LDAP or the stream has desync'd.
++		 * In either case, anything we read from now on is probably garbage,
++		 * just drop the connection.
++		 */
++		ber_free( ber, 1 );
++		lc->lconn_ber = NULL;
++		/* FALLTHRU */
++
  	case LBER_DEFAULT:
  fail:
  		err = sock_errno();
@@ -521,10 +531,6 @@ fail:
+ 		}
  		lc->lconn_status = 0;
  		return -1;
--
--	default:
--		ld->ld_errno = LDAP_LOCAL_ERROR;
--		return -1;
+ 	}
  	/* message id */
 diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 index c31c657..834d986 100644
 --- a/libraries/libldap/tls_o.c
 +++ b/libraries/libldap/tls_o.c
@@ -1026,8 +1026,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
  #ifndef OPENSSL_NO_MD2
  	     md == EVP_md2() ||
  #endif
++#ifndef OPENSSL_NO_MD4
  	     md == EVP_md4() ||
++#endif
++#ifndef OPENSSL_NO_MD5
  	     md == EVP_md5() ||
++#endif
  	     md == EVP_sha1() )
  		md = EVP_sha256();
 diff --git a/servers/slapd/back-asyncmeta/add.c b/servers/slapd/back-asyncmeta/add.c
 index d32415b..1f194ed 100644
 --- a/servers/slapd/back-asyncmeta/add.c
 +++ b/servers/slapd/back-asyncmeta/add.c
@@ -51,6 +51,7 @@ asyncmeta_error_cleanup(Operation *op,
+ 	}
  	asyncmeta_drop_bc(mc, bc);
  	slap_sl_mem_setctx(op->o_threadctx, op->o_tmpmemctx);
++	operation_counter_init( op, op->o_threadctx );
  	ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex);
  	send_ldap_result(op, rs);
  	return LDAP_SUCCESS;
 diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c
 index 866fb98..849ac01 100644
 --- a/servers/slapd/back-asyncmeta/config.c
 +++ b/servers/slapd/back-asyncmeta/config.c
@@ -2405,9 +2405,11 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
  		break;
  #endif /* SLAPD_META_CLIENT_PR */
--	case LDAP_BACK_CFG_KEEPALIVE:
--		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
--				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[1], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
++		}
  		break;
  	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
 diff --git a/servers/slapd/back-asyncmeta/meta_result.c b/servers/slapd/back-asyncmeta/meta_result.c
 index 07863bb..0ce279a 100644
 --- a/servers/slapd/back-asyncmeta/meta_result.c
 +++ b/servers/slapd/back-asyncmeta/meta_result.c
@@ -650,6 +650,7 @@ asyncmeta_send_all_pending_ops(a_metaconn_t *mc, int candidate, void *ctx, int d
  		bc->op->o_threadctx = ctx;
  		bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
  		slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
++		operation_counter_init( bc->op, ctx );
  		bc->bc_active++;
  		ret = asyncmeta_send_pending_op(bc, candidate);
  		if (ret != META_SEARCH_CANDIDATE) {
@@ -699,6 +700,7 @@ asyncmeta_return_bind_errors(a_metaconn_t *mc, int candidate, SlapReply *bind_re
  			bc->op->o_threadctx = ctx;
  			bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
  			slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
++			operation_counter_init( bc->op, ctx );
  			bc->rs.sr_err = bind_result->sr_err;
  			bc->rs.sr_text = bind_result->sr_text;
  			mc->pending_ops--;
@@ -1422,6 +1424,7 @@ asyncmeta_op_read_error(a_metaconn_t *mc, int candidate, int error, void* ctx)
  		bc->op->o_threadctx = ctx;
  		bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
  		slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
++		operation_counter_init( bc->op, ctx );
  		op = bc->op;
  		rs = &bc->rs;
@@ -1569,6 +1572,7 @@ retry_bc:
  		bc->op->o_threadctx = ctx;
  		bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
  		slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
++		operation_counter_init( bc->op, ctx );
  		if (bc->op->o_abandon) {
  			ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex );
  			asyncmeta_drop_bc( mc, bc);
@@ -1668,12 +1672,14 @@ void* asyncmeta_timeout_loop(void *ctx, void *arg)
+ 			}
  			if (bc->op->o_abandon ) {
--					/* set our memctx */
--				bc->op->o_threadctx = ctx;
--				bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
--				slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
  				Operation *op = bc->op;
++				/* set our memctx */
++				op->o_threadctx = ctx;
++				op->o_tid = ldap_pvt_thread_pool_tid( ctx );
++				slap_sl_mem_setctx(ctx, op->o_tmpmemctx);
++				operation_counter_init( op, ctx );
++
  				LDAP_STAILQ_REMOVE(&mc->mc_om_list, bc, bm_context_t, bc_next);
  				mc->pending_ops--;
  				for (j=0; j<mi->mi_ntargets; j++) {
@@ -1730,6 +1736,7 @@ void* asyncmeta_timeout_loop(void *ctx, void *arg)
  			bc->op->o_threadctx = ctx;
  			bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx );
  			slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx);
++			operation_counter_init( bc->op, ctx );
  			if (bc->searchtime) {
  				timeout_err = LDAP_TIMELIMIT_EXCEEDED;
 diff --git a/servers/slapd/back-asyncmeta/search.c b/servers/slapd/back-asyncmeta/search.c
 index 5310ca1..0b0db82 100644
 --- a/servers/slapd/back-asyncmeta/search.c
 +++ b/servers/slapd/back-asyncmeta/search.c
@@ -58,6 +58,7 @@ asyncmeta_handle_onerr_stop(Operation *op,
+ 		}
+ 	}
  	slap_sl_mem_setctx(op->o_threadctx, op->o_tmpmemctx);
++	operation_counter_init( op, op->o_threadctx );
  	ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex);
  	send_ldap_result(op, rs);
+ }
 diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
 index 07fe8e9..fb97e8e 100644
 --- a/servers/slapd/back-ldap/config.c
 +++ b/servers/slapd/back-ldap/config.c
@@ -2051,9 +2051,11 @@ done_url:;
+ 		}
  		break;
--	case LDAP_BACK_CFG_KEEPALIVE:
--		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
--				 &li->li_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[1], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &li->li_tls.sb_keepalive, 0, 0, 0 );
++		}
  		break;
  	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
 diff --git a/servers/slapd/back-mdb/monitor.c b/servers/slapd/back-mdb/monitor.c
 index 7f26074..fc77bc6 100644
 --- a/servers/slapd/back-mdb/monitor.c
 +++ b/servers/slapd/back-mdb/monitor.c
@@ -578,10 +578,11 @@ mdb_monitor_db_close( BackendDB *be )
  		monitor_extra_t		*mbe;
  		if ( mi && mi->bi_extra ) {
++			struct berval dummy = BER_BVNULL;
  			mbe = mi->bi_extra;
  			mbe->unregister_entry_callback( &mdb->mi_monitor.mdm_ndn,
  				(monitor_callback_t *)mdb->mi_monitor.mdm_cb,
--				NULL, 0, NULL );
++				&dummy, 0, &dummy );
+ 		}
  		memset( &mdb->mi_monitor, 0, sizeof( mdb->mi_monitor ) );
 diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
 index 51d090f..6b1e607 100644
 --- a/servers/slapd/back-meta/config.c
 +++ b/servers/slapd/back-meta/config.c
@@ -2662,7 +2662,6 @@ idassert-authzFrom	"dn:<rootdn>"
  						c->fname, c->lineno, ca.argc, ca.argv );
+ 				}
  				assert( rc == 0 );
--				ch_free( ca.argv );
  				ch_free( ca.tline );
+ 			}
+ 		}
@@ -2699,9 +2698,9 @@ idassert-authzFrom	"dn:<rootdn>"
  						c->fname, c->lineno, ca.argc, argv );
+ 				}
  				assert( rc == 0 );
--				ch_free( ca.argv );
  				ch_free( ca.tline );
+ 			}
++			ch_free( ca.argv );
+ 		}
  		/* save the rule info */
@@ -2718,7 +2717,7 @@ idassert-authzFrom	"dn:<rootdn>"
  			/* move it to the right slot */
  			if ( ix < cnt ) {
  				for ( i=cnt; i>ix; i-- )
--					mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i];
++					mt->mt_rwmap.rwm_bva_rewrite[i] = mt->mt_rwmap.rwm_bva_rewrite[i-1];
  				mt->mt_rwmap.rwm_bva_rewrite[i] = bv;
  				/* destroy old rules */
@@ -2730,7 +2729,7 @@ idassert-authzFrom	"dn:<rootdn>"
  	case LDAP_BACK_CFG_MAP: {
  	/* objectclass/attribute mapping */
  		ConfigArgs ca = { 0 };
--		char *argv[5];
++		char *argv[5], **argvp;
  		struct ldapmap rwm_oc;
  		struct ldapmap rwm_at;
  		int cnt = 0, ix = c->valx;
@@ -2763,7 +2762,8 @@ idassert-authzFrom	"dn:<rootdn>"
  				argv[2] = ca.argv[1];
  				argv[3] = ca.argv[2];
  				argv[4] = ca.argv[3];
--				ch_free( ca.argv );
++
++				argvp = ca.argv;
  				ca.argv = argv;
  				ca.argc++;
  				rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
@@ -2771,7 +2771,7 @@ idassert-authzFrom	"dn:<rootdn>"
  				ch_free( ca.tline );
  				ca.tline = NULL;
--				ca.argv = NULL;
++				ca.argv = argvp;
  				/* in case of failure, restore
  				 * the existing mapping */
@@ -2788,7 +2788,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 		}
  		if ( ix < cnt ) {
--			for ( ; i<cnt ; cnt++ ) {
++			for ( ; i<cnt ; i++ ) {
  				ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
  				ca.argc = 0;
  				config_fp_parse_line( &ca );
@@ -2798,7 +2798,7 @@ idassert-authzFrom	"dn:<rootdn>"
  				argv[3] = ca.argv[2];
  				argv[4] = ca.argv[3];
--				ch_free( ca.argv );
++				argvp = ca.argv;
  				ca.argv = argv;
  				ca.argc++;
  				rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
@@ -2806,7 +2806,7 @@ idassert-authzFrom	"dn:<rootdn>"
  				ch_free( ca.tline );
  				ca.tline = NULL;
--				ca.argv = NULL;
++				ca.argv = argvp;
  				/* in case of failure, restore
  				 * the existing mapping */
@@ -2814,6 +2814,7 @@ idassert-authzFrom	"dn:<rootdn>"
  					goto map_fail;
+ 				}
+ 			}
++			ch_free( ca.argv );
+ 		}
  		/* save the map info */
@@ -2825,7 +2826,7 @@ idassert-authzFrom	"dn:<rootdn>"
  			/* move it to the right slot */
  			if ( ix < cnt ) {
  				for ( i=cnt; i>ix; i-- )
--					mt->mt_rwmap.rwm_bva_map[i+1] = mt->mt_rwmap.rwm_bva_map[i];
++					mt->mt_rwmap.rwm_bva_map[i] = mt->mt_rwmap.rwm_bva_map[i-1];
  				mt->mt_rwmap.rwm_bva_map[i] = bv;
  				/* destroy old mapping */
@@ -2841,6 +2842,7 @@ map_fail:;
  			meta_back_map_free( &mt->mt_rwmap.rwm_at );
  			mt->mt_rwmap.rwm_oc = rwm_oc;
  			mt->mt_rwmap.rwm_at = rwm_at;
++			ch_free( ca.argv );
+ 		}
  		} break;
@@ -2913,9 +2915,11 @@ map_fail:;
  		break;
  #endif /* SLAPD_META_CLIENT_PR */
--	case LDAP_BACK_CFG_KEEPALIVE:
--		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
--				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
++		}
  		break;
  	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
 diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c
 index 2168a15..d4177f6 100644
 --- a/servers/slapd/back-sql/search.c
 +++ b/servers/slapd/back-sql/search.c
@@ -63,6 +63,38 @@ static void send_paged_response(
  	ID  *lastid );
  #endif /* ! BACKSQL_ARBITRARY_KEY */
++/* Look for chars that need to be escaped, return count of them.
++ * If out is non-NULL, copy escape'd val to it.
++ */
++static int
++backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
++{
++	char *ptr, *end;
++	int q = 0;
++
++	ptr = in->bv_val;
++	end = ptr + in->bv_len;
++	while (ptr < end) {
++		if ( *ptr == '\'' )
++			q++;
++		ptr++;
++	}
++	if ( q && out ) {
++		char *dst;
++		out->bv_len = in->bv_len + q;
++		out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
++		ptr = in->bv_val;
++		dst = out->bv_val;
++		while (ptr < end ) {
++			if ( *ptr == '\'' )
++				*dst++ = '\'';
++			*dst++ = *ptr++;
++		}
++		*dst = '\0';
++	}
++	return q;
++}
++
  static int
  backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
+ {
@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
  	backsql_info		*bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
  	int			i;
  	int			casefold = 0;
++	int			escaped = 0;
++	struct berval	escval, *fvalue;
  	if ( !f ) {
  		return 0;
@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
  		BER_BVZERO( &bv );
  		if ( f->f_sub_initial.bv_val ) {
--			bv.bv_len += f->f_sub_initial.bv_len;
++			bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
+ 		}
  		if ( f->f_sub_any != NULL ) {
  			for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
--				bv.bv_len += f->f_sub_any[ a ].bv_len;
++				bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
+ 			}
+ 		}
  		if ( f->f_sub_final.bv_val ) {
--			bv.bv_len += f->f_sub_final.bv_len;
++			bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
+ 		}
  		bv.bv_len = 2 * bv.bv_len - 1;
  		bv.bv_val = ch_malloc( bv.bv_len + 1 );
  		s = 0;
  		if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
--			bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
--			for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
++			fvalue = &f->f_sub_initial;
++			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++			if ( escaped )
++				fvalue = &escval;
++			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++			for ( i = 1; i < fvalue->bv_len; i++ ) {
  				bv.bv_val[ s + 2 * i - 1 ] = '%';
--				bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
++				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ 			}
  			bv.bv_val[ s + 2 * i - 1 ] = '%';
  			s += 2 * i;
++			if ( escaped )
++				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ 		}
  		if ( f->f_sub_any != NULL ) {
  			for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
--				bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
--				for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
++				fvalue = &f->f_sub_any[ a ];
++				escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++				if ( escaped )
++					fvalue = &escval;
++				bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++				for ( i = 1; i < fvalue->bv_len; i++ ) {
  					bv.bv_val[ s + 2 * i - 1 ] = '%';
--					bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
++					bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ 				}
  				bv.bv_val[ s + 2 * i - 1 ] = '%';
  				s += 2 * i;
++				if ( escaped )
++					bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ 			}
+ 		}
  		if ( !BER_BVISNULL( &f->f_sub_final ) ) {
--			bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
--			for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
++			fvalue = &f->f_sub_final;
++			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++			if ( escaped )
++				fvalue = &escval;
++			bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++			for ( i = 1; i < fvalue->bv_len; i++ ) {
  				bv.bv_val[ s + 2 * i - 1 ] = '%';
--				bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
++				bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ 			}
--				bv.bv_val[ s + 2 * i - 1 ] = '%';
++			bv.bv_val[ s + 2 * i - 1 ] = '%';
  			s += 2 * i;
++			if ( escaped )
++				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ 		}
  		bv.bv_val[ s - 1 ] = '\0';
@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
  			f->f_sub_initial.bv_val );
  #endif /* BACKSQL_TRACE */
++		fvalue = &f->f_sub_initial;
++		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++		if ( escaped )
++			fvalue = &escval;
  		start = bsi->bsi_flt_where.bb_val.bv_len;
  		backsql_strfcat_x( &bsi->bsi_flt_where,
  				bsi->bsi_op->o_tmpmemctx,
  				"b",
--				&f->f_sub_initial );
++				fvalue );
++		if ( escaped )
++			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
  		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
  			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ 		}
@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
  				i, f->f_sub_any[ i ].bv_val );
  #endif /* BACKSQL_TRACE */
++			fvalue = &f->f_sub_any[ i ];
++			escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++			if ( escaped )
++				fvalue = &escval;
  			start = bsi->bsi_flt_where.bb_val.bv_len;
  			backsql_strfcat_x( &bsi->bsi_flt_where,
  					bsi->bsi_op->o_tmpmemctx,
  					"bc",
--					&f->f_sub_any[ i ],
++					fvalue,
  					'%' );
++			if ( escaped )
++				bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
  			if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
  				/*
  				 * Note: toupper('%') = '%'
@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f,
  			f->f_sub_final.bv_val );
  #endif /* BACKSQL_TRACE */
++		fvalue = &f->f_sub_final;
++		escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++		if ( escaped )
++			fvalue = &escval;
  		start = bsi->bsi_flt_where.bb_val.bv_len;
      		backsql_strfcat_x( &bsi->bsi_flt_where,
  				bsi->bsi_op->o_tmpmemctx,
  				"b",
--				&f->f_sub_final );
++				fvalue );
++		if ( escaped )
++			bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
    		if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
  			ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ 		}
@@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r
  	struct berval		*filter_value = NULL;
  	MatchingRule		*matching_rule = NULL;
  	struct berval		ordering = BER_BVC("<=");
++	struct berval		escval;
++	int					escaped = 0;
  	Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
  		at->bam_ad->ad_cname.bv_val );
@@ -1236,6 +1308,10 @@ equality_match:;
  			casefold = 1;
+ 		}
++		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++		if ( escaped )
++			filter_value = &escval;
++
  		/* FIXME: directoryString filtering should use a similar
  		 * approach to deal with non-prettified values like
  		 * " A  non    prettified   value  ", by using a LIKE
@@ -1316,6 +1392,10 @@ equality_match:;
  			casefold = 1;
+ 		}
++		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++		if ( escaped )
++			filter_value = &escval;
++
  		/*
  		 * FIXME: should we uppercase the operands?
  		 */
@@ -1349,7 +1429,7 @@ equality_match:;
  					&at->bam_sel_expr,
  					&ordering,
  					'\'',
--					&f->f_av_value,
++					filter_value,
  					(ber_len_t)STRLENOF( /* (' */ "')" ),
  						/* ( */ "')" );
+ 		}
@@ -1373,13 +1453,17 @@ equality_match:;
  	case LDAP_FILTER_APPROX:
  		/* we do our best */
++		filter_value = &f->f_av_value;
++		escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++		if ( escaped )
++			filter_value = &escval;
  		/*
  		 * maybe we should check type of at->sel_expr here somehow,
  		 * to know whether upper_func is applicable, but for now
  		 * upper_func stuff is made for Oracle, where UPPER is
  		 * safely applicable to NUMBER etc.
  		 */
--		(void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
++		(void)backsql_process_filter_like( bsi, at, 1, filter_value );
  		break;
  	default:
@@ -1393,6 +1477,9 @@ equality_match:;
+ 	}
++	if ( escaped )
++		bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
++
  	Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
  		at->bam_ad->ad_cname.bv_val );
 diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
 index 3e6136f..c5c69ba 100644
 --- a/servers/slapd/bconfig.c
 +++ b/servers/slapd/bconfig.c
@@ -75,6 +75,7 @@ typedef struct {
  	BackendDB	cb_db;	/* underlying database */
  	int		cb_got_ldif;
  	int		cb_use_ldif;
++	ldap_pvt_thread_rdwr_t cb_rwlock;
  } CfBackInfo;
  static CfBackInfo cfBackInfo;
@@ -1363,7 +1364,7 @@ config_generic(ConfigArgs *c) {
  			c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
  			break;
  		case CFG_LASTBIND:
--			c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
++			c->value_int = (SLAP_LASTBIND(c->be) != 0);
  			break;
  		case CFG_SYNC_SUBENTRY:
  			c->value_int = (SLAP_SYNC_SUBENTRY(c->be) != 0);
@@ -5959,6 +5960,8 @@ config_back_add( Operation *op, SlapReply *rs )
  	if ( slap_pause_server() < 0 )
  		dopause = 0;
++	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
++
  	/* Strategy:
  	 * 1) check for existence of entry
  	 * 2) check for sibling renumbering
@@ -6007,6 +6010,7 @@ config_back_add( Operation *op, SlapReply *rs )
+ 	}
  out2:;
++	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
  	if ( dopause )
  		slap_unpause_server();
@@ -6493,6 +6497,7 @@ config_back_modify( Operation *op, SlapReply *rs )
  		if ( slap_pause_server() < 0 )
  			do_pause = 0;
+ 	}
++	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
  	/* Strategy:
  	 * 1) perform the Modify on the cached Entry.
@@ -6524,6 +6529,7 @@ config_back_modify( Operation *op, SlapReply *rs )
  		op->o_ndn = ndn;
+ 	}
++	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
  	if ( do_pause )
  		slap_unpause_server();
  out:
@@ -6663,6 +6669,8 @@ config_back_modrdn( Operation *op, SlapReply *rs )
  	if ( slap_pause_server() < 0 )
  		dopause = 0;
++	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
++
  	if ( ce->ce_type == Cft_Schema ) {
  		req_modrdn_s modr = op->oq_modrdn;
  		struct berval rdn;
@@ -6727,6 +6735,8 @@ config_back_modrdn( Operation *op, SlapReply *rs )
  		op->oq_modrdn = modr;
+ 	}
++	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
++
  	if ( dopause )
  		slap_unpause_server();
  out:
@@ -6762,6 +6772,8 @@ config_back_delete( Operation *op, SlapReply *rs )
  		if ( slap_pause_server() < 0 )
  			dopause = 0;
++		ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
++
  		if ( ce->ce_type == Cft_Overlay ){
  			overlay_remove( ce->ce_be, (slap_overinst *)ce->ce_bi, op );
  		} else if ( ce->ce_type == Cft_Misc ) {
@@ -6780,8 +6792,7 @@ config_back_delete( Operation *op, SlapReply *rs )
  			if ( !oc_at ) {
  				rs->sr_err = LDAP_OTHER;
  				rs->sr_text = "objectclass not found";
--				if ( dopause ) slap_unpause_server();
--				goto out;
++				goto out2;
+ 			}
  			for ( i=0; !BER_BVISNULL(&oc_at->a_nvals[i]); i++ ) {
  				co.co_name = &oc_at->a_nvals[i];
@@ -6798,8 +6809,7 @@ config_back_delete( Operation *op, SlapReply *rs )
  						/* FIXME: We should return a helpful error message
  						 * here */
+ 					}
--					if ( dopause ) slap_unpause_server();
--					goto out;
++					goto out2;
+ 				}
  				break;
+ 			}
@@ -6807,8 +6817,7 @@ config_back_delete( Operation *op, SlapReply *rs )
  			if ( ce->ce_be == frontendDB || ce->ce_be == op->o_bd ){
  				rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
  				rs->sr_text = "Cannot delete config or frontend database";
--				if ( dopause ) slap_unpause_server();
--				goto out;
++				goto out2;
+ 			}
  			if ( ce->ce_be->bd_info->bi_db_close ) {
  				ce->ce_be->bd_info->bi_db_close( ce->ce_be, NULL );
@@ -6869,6 +6878,8 @@ config_back_delete( Operation *op, SlapReply *rs )
  		ce->ce_entry->e_private=NULL;
  		entry_free(ce->ce_entry);
  		ch_free(ce);
++out2:
++		ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
  		if ( dopause ) slap_unpause_server();
  	} else {
  		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
@@ -6890,6 +6901,7 @@ config_back_search( Operation *op, SlapReply *rs )
  	cfb = (CfBackInfo *)op->o_bd->be_private;
++	ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock );
  	ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last );
  	if ( !ce ) {
  		if ( last )
@@ -6924,6 +6936,7 @@ config_back_search( Operation *op, SlapReply *rs )
+ 	}
  out:
++	ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock );
  	send_ldap_result( op, rs );
  	return rs->sr_err;
+ }
@@ -7659,6 +7672,8 @@ config_back_db_destroy( BackendDB *be, ConfigReply *cr )
  	ch_free( cfdir.bv_val );
++	ldap_pvt_thread_rdwr_destroy( &cfb->cb_rwlock );
++
  	ldap_avl_free( CfOcTree, NULL );
  	if ( cfb->cb_db.bd_info ) {
@@ -7693,6 +7708,8 @@ config_back_db_init( BackendDB *be, ConfigReply* cr )
  	ber_dupbv( &dn, &be->be_rootdn );
  	ber_bvarray_add( &be->be_nsuffix, &dn );
++	ldap_pvt_thread_rdwr_init( &cfb->cb_rwlock );
++
  	/* Hide from namingContexts */
  	SLAP_BFLAGS(be) |= SLAP_BFLAG_CONFIG;
 diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
 index 324c3b0..b8ea92a 100644
 --- a/servers/slapd/connection.c
 +++ b/servers/slapd/connection.c
@@ -212,7 +212,7 @@ int connections_timeout_idle(time_t now)
  		/* Don't timeout a slow-running request or a persistent
  		 * outbound connection.
  		 */
--		if((( c->c_n_ops_executing || c->c_n_ops_async ) && !c->c_writewaiter)
++		if( c->c_n_ops_executing || c->c_n_ops_async
  			|| c->c_conn_state == SLAP_C_CLIENT ) {
  			continue;
+ 		}
@@ -244,7 +244,7 @@ void connections_drop()
  		/* Don't close a slow-running request or a persistent
  		 * outbound connection.
  		 */
--		if((( c->c_n_ops_executing || c->c_n_ops_async ) && !c->c_writewaiter)
++		if( c->c_n_ops_executing || c->c_n_ops_async
  			|| c->c_conn_state == SLAP_C_CLIENT ) {
  			continue;
+ 		}
@@ -734,6 +734,7 @@ static void connection_abandon( Connection *c )
  		LDAP_STAILQ_NEXT(o, o_next) = NULL;
  		slap_op_free( o, NULL );
+ 	}
++	c->c_n_ops_pending = 0;
+ }
  static void
@@ -870,13 +871,14 @@ Connection* connection_next( Connection *c, ber_socket_t *index )
  	for(; *index < dtblsize; (*index)++) {
  		if( connections[*index].c_sb ) {
--			c = &connections[(*index)++];
++			c = &connections[*index];
  			ldap_pvt_thread_mutex_lock( &c->c_mutex );
  			if ( c->c_conn_state == SLAP_C_INVALID ) {
  				ldap_pvt_thread_mutex_unlock( &c->c_mutex );
  				c = NULL;
  				continue;
+ 			}
++			(*index)++;
  			break;
+ 		}
+ 	}
@@ -963,18 +965,18 @@ conn_counter_destroy( void *key, void *data )
  	ldap_pvt_thread_mutex_unlock( &slap_counters.sc_mutex );
+ }
--static void
--conn_counter_init( Operation *op, void *ctx )
++void
++operation_counter_init( Operation *op, void *ctx )
+ {
  	slap_counters_t *sc;
  	void *vsc = NULL;
  	if ( ldap_pvt_thread_pool_getkey(
--			ctx, (void *)conn_counter_init, &vsc, NULL ) || !vsc ) {
++			ctx, (void *)operation_counter_init, &vsc, NULL ) || !vsc ) {
  		vsc = ch_malloc( sizeof( slap_counters_t ));
  		sc = vsc;
  		slap_counters_init( sc );
--		ldap_pvt_thread_pool_setkey( ctx, (void*)conn_counter_init, vsc,
++		ldap_pvt_thread_pool_setkey( ctx, (void*)operation_counter_init, vsc,
  			conn_counter_destroy, NULL, NULL );
  		ldap_pvt_thread_mutex_lock( &slap_counters.sc_mutex );
@@ -1030,7 +1032,7 @@ connection_operation( void *ctx, void *arg_v )
  		op->o_qtime.tv_sec--;
+ 	}
  	op->o_qtime.tv_sec -= op->o_time;
--	conn_counter_init( op, ctx );
++	operation_counter_init( op, ctx );
  	ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex );
  	/* FIXME: returns 0 in case of failure */
  	ldap_pvt_mp_add_ulong(op->o_counters->sc_ops_initiated, 1);
 diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
 index c982cc9..2f78b77 100644
 --- a/servers/slapd/daemon.c
 +++ b/servers/slapd/daemon.c
@@ -2413,6 +2413,18 @@ slap_listener_activate(
+ }
  static void *
++slapd_rtask_trampoline(
++	void	*ctx,
++	void	*arg )
++{
++	struct re_s *rtask = arg;
++
++	/* invalidate pool_cookie */
++	rtask->pool_cookie = NULL;
++	return rtask->routine( ctx, arg );
++}
++
++static void *
  slapd_daemon_task(
  	void *ptr )
+ {
@@ -2775,7 +2787,7 @@ loop:
  					ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
  					ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
  					ldap_pvt_thread_pool_submit2( &connection_pool,
--						rtask->routine, (void *) rtask, &rtask->pool_cookie );
++						slapd_rtask_trampoline, (void *) rtask, &rtask->pool_cookie );
  					ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+ 				}
  				rtask = ldap_pvt_runqueue_next_sched( &slapd_rq, &cat );
 diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
 index b04f65c..3490cfb 100644
 --- a/servers/slapd/overlays/dynlist.c
 +++ b/servers/slapd/overlays/dynlist.c
@@ -1208,13 +1208,16 @@ dynlist_filter_stgroup( Operation *op, Filter *n, Attribute *a )
  	Filter *dnf, *orf = NULL;
  	int i;
--	if ( a->a_numvals == 1 ) {
++	if ( a->a_numvals == 1 && n->f_choice == SLAPD_FILTER_COMPUTED ) {
  		dnf = n;
  	} else {
  		orf = n;
--		orf->f_choice = LDAP_FILTER_OR;
++		if ( n->f_choice != LDAP_FILTER_OR ) {
++			orf->f_choice = LDAP_FILTER_OR;
++			orf->f_list = NULL;
++		}
  		dnf = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
--		dnf->f_next = NULL;
++		dnf->f_next = orf->f_list;
  		orf->f_list = dnf;
+ 	}
@@ -1298,9 +1301,9 @@ dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, dynlist_
  		break;
  	case LDAP_FILTER_EQUALITY:
--		n->f_choice = SLAPD_FILTER_COMPUTED;
  		if ( f->f_av_desc == ad ) {
  			dynlist_name_t *dyn = ldap_tavl_find( ds->ds_names, &f->f_av_value, dynlist_avl_cmp );
++			n->f_choice = SLAPD_FILTER_COMPUTED;
  			if ( dyn && !dynlist_filter_group( op, dyn, n, ds ))
  				break;
+ 		}
 diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
 index fa70d5d..fcf29c6 100644
 --- a/servers/slapd/overlays/pcache.c
 +++ b/servers/slapd/overlays/pcache.c
@@ -5660,15 +5660,16 @@ pcache_monitor_db_close( BackendDB *be )
  	slap_overinst *on = (slap_overinst *)be->bd_info;
  	cache_manager *cm = on->on_bi.bi_private;
--	if ( cm->monitor_cb != NULL ) {
++	if ( !BER_BVISNULL( &cm->monitor_ndn )) {
  		BackendInfo		*mi = backend_info( "monitor" );
  		monitor_extra_t		*mbe;
  		if ( mi && mi->bi_extra ) {
++			struct berval dummy = BER_BVNULL;
  			mbe = mi->bi_extra;
  			mbe->unregister_entry_callback( &cm->monitor_ndn,
  				(monitor_callback_t *)cm->monitor_cb,
--				NULL, 0, NULL );
++				&dummy, 0, &dummy );
+ 		}
+ 	}
 diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
 index abde6d2..a2c86f6 100644
 --- a/servers/slapd/overlays/ppolicy.c
 +++ b/servers/slapd/overlays/ppolicy.c
@@ -2215,6 +2215,7 @@ ppolicy_add(
  	PassPolicy pp;
  	Attribute *pa;
  	const char *txt;
++	int is_pwdadmin = 0;
  	if ( ppolicy_restrict( op, rs ) != SLAP_CB_CONTINUE )
  		return rs->sr_err;
@@ -2223,10 +2224,14 @@ ppolicy_add(
  	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) )
  		return SLAP_CB_CONTINUE;
++	ppolicy_get( op, op->ora_e, &pp );
++
++	if ( access_allowed( op, op->ora_e, pp.ad, NULL, ACL_MANAGE, NULL ) ) {
++		is_pwdadmin = 1;
++	}
++
  	/* Check for password in entry */
--	if ((pa = attr_find( op->oq_add.rs_e->e_attrs,
--		slap_schema.si_ad_userPassword )))
--	{
++	if ( (pa = attr_find( op->oq_add.rs_e->e_attrs, pp.ad )) ) {
  		assert( pa->a_vals != NULL );
  		assert( !BER_BVISNULL( &pa->a_vals[ 0 ] ) );
@@ -2235,15 +2240,13 @@ ppolicy_add(
  			return rs->sr_err;
+ 		}
--		ppolicy_get( op, op->ora_e, &pp );
--
  		/*
--		 * new entry contains a password - if we're not the root user
++		 * new entry contains a password - if we're not the password admin
  		 * then we need to check that the password fits in with the
  		 * security policy for the new entry.
  		 */
--		if (pp.pwdCheckQuality > 0 && !be_isroot( op )) {
++		if ( pp.pwdCheckQuality > 0 && !is_pwdadmin ) {
  			struct berval *bv = &(pa->a_vals[0]);
  			int rc, send_ctrl = 0;
  			LDAPPasswordPolicyError pErr = PP_noError;
@@ -2305,7 +2308,8 @@ ppolicy_add(
+ 		}
  		/* If password aging is in effect, set the pwdChangedTime */
--		if ( pp.pwdMaxAge || pp.pwdMinAge ) {
++		if ( ( pp.pwdMaxAge || pp.pwdMinAge ) &&
++				!attr_find( op->ora_e->e_attrs, ad_pwdChangedTime ) ) {
  			struct berval timestamp;
  			char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
  			time_t now = slap_get_time();
 diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
 index 364ee8a..36978d6 100644
 --- a/servers/slapd/overlays/syncprov.c
 +++ b/servers/slapd/overlays/syncprov.c
@@ -1075,6 +1075,7 @@ syncprov_qtask( void *ctx, void *arg )
  	op->o_tmpmemctx = slap_sl_mem_create(SLAP_SLAB_SIZE, SLAP_SLAB_STACK, ctx, 1);
  	op->o_tmpmfuncs = &slap_sl_mfuncs;
  	op->o_threadctx = ctx;
++	operation_counter_init( op, ctx );
  	/* syncprov_qplay expects a fake db */
  	be = *so->s_op->o_bd;
 diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
 index 1e4e338..a034a58 100644
 --- a/servers/slapd/overlays/translucent.c
 +++ b/servers/slapd/overlays/translucent.c
@@ -999,7 +999,6 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
  	case LDAP_FILTER_GE:
  	case LDAP_FILTER_LE:
  	case LDAP_FILTER_APPROX:
--	case LDAP_FILTER_SUBSTRINGS:
  	case LDAP_FILTER_EXT:
  		if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
  			AttributeAssertion *nava;
@@ -1016,6 +1015,29 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
+ 		}
  		break;
++	case LDAP_FILTER_SUBSTRINGS:
++		if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
++			SubstringsAssertion *nsub;
++
++			n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
++			n->f_choice = f->f_choice;
++
++			nsub = op->o_tmpalloc( sizeof(SubstringsAssertion), op->o_tmpmemctx );
++			*nsub = *f->f_sub;
++			n->f_sub = nsub;
++
++			if ( !BER_BVISNULL( &f->f_sub_initial ))
++				ber_dupbv_x( &n->f_sub_initial, &f->f_sub_initial, op->o_tmpmemctx );
++
++			ber_bvarray_dup_x( &n->f_sub_any, f->f_sub_any, op->o_tmpmemctx );
++
++			if ( !BER_BVISNULL( &f->f_sub_final ))
++				ber_dupbv_x( &n->f_sub_final, &f->f_sub_final, op->o_tmpmemctx );
++
++			n->f_next = NULL;
++		}
++		break;
++
  	case LDAP_FILTER_AND:
  	case LDAP_FILTER_OR:
  	case LDAP_FILTER_NOT: {
 diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
 index a9a6f4c..d7073d7 100644
 --- a/servers/slapd/proto-slap.h
 +++ b/servers/slapd/proto-slap.h
@@ -800,6 +800,7 @@ LDAP_SLAPD_F (Connection *) connection_init LDAP_P((
  	struct berval *id
  	LDAP_PF_LOCAL_SENDMSG_ARG(struct berval *peerbv)));
++LDAP_SLAPD_F (void) operation_counter_init LDAP_P(( Operation *op, void *threadctx ));
  LDAP_SLAPD_F (void) connection_closing LDAP_P((
  	Connection *c, const char *why ));
  LDAP_SLAPD_F (int) connection_is_active LDAP_P(( ber_socket_t s ));
 diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
 index bccef38..6ed5580 100644
 --- a/servers/slapd/syncrepl.c
 +++ b/servers/slapd/syncrepl.c
@@ -58,6 +58,8 @@ static AttributeDescription *sy_ad_dseeLastChange;
  #define	UUIDLEN	16
++struct syncinfo_s;
++
  struct nonpresent_entry {
  	struct berval *npe_name;
  	struct berval *npe_nname;
@@ -85,8 +87,19 @@ typedef struct cookie_state {
  	struct berval *cs_pvals;
  	int *cs_psids;
  	int	cs_pnum;
++
++	/* serialize multi-consumer refreshes */
++	ldap_pvt_thread_mutex_t	cs_refresh_mutex;
++	struct syncinfo_s *cs_refreshing;
  } cookie_state;
++#define SYNC_TIMEOUT	0
++#define SYNC_SHUTDOWN	-100
++#define SYNC_ERROR		-101
++#define SYNC_REPOLL		-102
++#define SYNC_PAUSED		-103
++#define SYNC_BUSY		-104
++
  #define	SYNCDATA_DEFAULT	0	/* entries are plain LDAP entries */
  #define	SYNCDATA_ACCESSLOG	1	/* entries are accesslog format */
  #define	SYNCDATA_CHANGELOG	2	/* entries are changelog format */
@@ -139,6 +152,7 @@ typedef struct syncinfo_s {
  	int			si_refreshDelete;
  	int			si_refreshPresent;
  	int			si_refreshDone;
++	int			si_paused;
  	int			si_syncdata;
  	int			si_logstate;
  	int			si_lazyCommit;
@@ -488,6 +502,64 @@ init_syncrepl(syncinfo_t *si)
  	si->si_exattrs = exattrs;
+ }
++static int
++start_refresh(syncinfo_t *si)
++{
++	ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_refresh_mutex );
++	if ( si->si_cookieState->cs_refreshing ) {
++		struct re_s* rtask = si->si_re;
++
++		ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
++		ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
++		ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
++
++		si->si_paused = 1;
++		Debug( LDAP_DEBUG_SYNC, "start_refresh: %s "
++				"a refresh on %s in progress, pausing\n",
++				si->si_ridtxt, si->si_cookieState->cs_refreshing->si_ridtxt );
++		ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex );
++		return SYNC_BUSY;
++	}
++	si->si_cookieState->cs_refreshing = si;
++	ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex );
++
++	return LDAP_SUCCESS;
++}
++
++static int
++refresh_finished(syncinfo_t *si)
++{
++	syncinfo_t *sie;
++	int removed = 0;
++
++	ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_refresh_mutex );
++	if ( si->si_cookieState->cs_refreshing == si ) {
++		si->si_cookieState->cs_refreshing = NULL;
++		removed = 1;
++	}
++
++	if ( removed ) {
++		for ( sie = si->si_be->be_syncinfo; sie; sie = sie->si_next ) {
++			if ( sie->si_paused ) {
++				struct re_s* rtask = sie->si_re;
++
++				Debug( LDAP_DEBUG_SYNC, "refresh_finished: %s "
++						"rescheduling refresh on %s\n",
++						si->si_ridtxt, sie->si_ridtxt );
++				sie->si_paused = 0;
++				ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
++				rtask->interval.tv_sec = 0;
++				ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
++				rtask->interval.tv_sec = si->si_interval;
++				ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
++				break;
++			}
++		}
++	}
++	ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex );
++	return removed;
++}
++
  static struct berval generic_filterstr = BER_BVC("(objectclass=*)");
  static int
@@ -511,6 +583,8 @@ ldap_sync_search(
  	ber_init2( ber, NULL, LBER_USE_DER );
  	ber_set_option( ber, LBER_OPT_BER_MEMCTX, &ctx );
++	si->si_msgid = 0;
++
  	/* If we're using a log but we have no state, then fallback to
  	 * normal mode for a full refresh.
  	 */
@@ -519,6 +593,11 @@ ldap_sync_search(
  			LDAPMessage *res, *msg;
  			unsigned long first = 0, last = 0;
  			int gotfirst = 0, gotlast = 0;
++
++			if ( (rc = start_refresh( si )) ) {
++				return rc;
++			}
++
  			/* See if we're new enough for the remote server */
  			lattrs[0] = "firstchangenumber";
  			lattrs[1] = "lastchangenumber";
@@ -597,6 +676,10 @@ ldap_sync_search(
  		attrs = lattrs;
  		attrsonly = 0;
  	} else {
++		if ( (rc = start_refresh( si )) ) {
++			return rc;
++		}
++
  		rhint = 1;
  		base = si->si_base.bv_val;
  		filter = si->si_filterstr.bv_val;
@@ -680,6 +763,10 @@ ldap_sync_search(
+ 		}
+ 	}
++	si->si_refreshDone = 0;
++	si->si_refreshPresent = 0;
++	si->si_refreshDelete = 0;
++
  	rc = ldap_search_ext( si->si_ld, base, scope, filter, attrs, attrsonly,
  		ctrls, NULL, NULL, si->si_slimit, &si->si_msgid );
  	ber_free_buf( ber );
@@ -929,7 +1016,6 @@ do_syncrep1(
  #endif
  	si->si_lastconnect = slap_get_time();
--	si->si_refreshDone = 0;
  	rc = slap_client_connect( &si->si_ld, &si->si_bindconf );
  	if ( rc != LDAP_SUCCESS ) {
  		goto done;
@@ -1095,7 +1181,10 @@ do_syncrep1(
  	rc = ldap_sync_search( si, op->o_tmpmemctx );
--	if( rc != LDAP_SUCCESS ) {
++	if ( rc == SYNC_BUSY ) {
++		return rc;
++	} else if ( rc != LDAP_SUCCESS ) {
++		refresh_finished( si );
  		Debug( LDAP_DEBUG_ANY, "do_syncrep1: %s "
  			"ldap_search_ext: %s (%d)\n",
  			si->si_ridtxt, ldap_err2string( rc ), rc );
@@ -1187,12 +1276,6 @@ check_csn_age(
  	return rc;
+ }
--#define SYNC_TIMEOUT	0
--#define SYNC_SHUTDOWN	-100
--#define SYNC_ERROR		-101
--#define SYNC_REPOLL		-102
--#define SYNC_PAUSED		-103
--
  static int
  get_pmutex(
  	syncinfo_t *si
@@ -1236,6 +1319,8 @@ do_syncrep2(
  	struct timeval tout = { 0, 0 };
  	int		refreshDeletes = 0;
++	int		refreshing = !si->si_refreshDone &&
++			!( si->si_syncdata && si->si_logstate == SYNCLOG_LOGGING );
  	char empty[6] = "empty";
  	if ( slapd_shutdown ) {
@@ -1291,6 +1376,7 @@ do_syncrep2(
  				break;
+ 			}
  #endif
++			punlock = -1;
  			ldap_get_entry_controls( si->si_ld, msg, &rctrls );
  			ldap_get_dn_ber( si->si_ld, msg, NULL, &bdn );
  			if (!bdn.bv_len) {
@@ -1307,8 +1393,6 @@ do_syncrep2(
  						/* The notification control is only sent during persist phase */
  						rctrlp = ldap_control_find( LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE, rctrls, &next );
  						if ( rctrlp ) {
--							if ( !si->si_refreshDone )
--								si->si_refreshDone = 1;
  							if ( si->si_refreshDone )
  								syncrepl_dsee_update( si, op );
+ 						}
@@ -1380,7 +1464,6 @@ do_syncrep2(
  				rc = -1;
  				goto done;
+ 			}
--			punlock = -1;
  			if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) {
  				if ( ber_scanf( ber, /*"{"*/ "m}", &cookie ) != LBER_ERROR ) {
@@ -1716,6 +1799,14 @@ logerr:
  						"LDAP_RES_INTERMEDIATE",
  						si_tag == LDAP_TAG_SYNC_REFRESH_PRESENT ?
  						"REFRESH_PRESENT" : "REFRESH_DELETE" );
++					if ( si->si_refreshDone ) {
++						Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s "
++								"server sent multiple refreshDone "
++								"messages? Ending session\n",
++								si->si_ridtxt );
++						rc = LDAP_PROTOCOL_ERROR;
++						goto done;
++					}
  					if ( si_tag == LDAP_TAG_SYNC_REFRESH_DELETE ) {
  						si->si_refreshDelete = 1;
  					} else {
@@ -1754,9 +1845,9 @@ logerr:
  						si->si_refreshDone = 1;
+ 					}
  					ber_scanf( ber, /*"{"*/ "}" );
--					if ( si->si_refreshDone ) {
--						Debug( LDAP_DEBUG_SYNC, "do_syncrep1: %s finished refresh\n",
--							si->si_ridtxt );
++					if ( refreshing && si->si_refreshDone ) {
++						refresh_finished( si );
++						refreshing = 0;
+ 					}
  					break;
  				case LDAP_TAG_SYNC_ID_SET:
@@ -1903,6 +1994,9 @@ done:
  			"do_syncrep2: %s (%d) %s\n",
  			si->si_ridtxt, err, ldap_err2string( err ) );
+ 	}
++	if ( refreshing && ( rc || si->si_refreshDone ) ) {
++		refresh_finished( si );
++	}
  	slap_sync_cookie_free( &syncCookie, 0 );
  	slap_sync_cookie_free( &syncCookie_req, 0 );
@@ -2041,9 +2135,6 @@ do_syncrepl(
  	/* Establish session, do search */
  	if ( !si->si_ld ) {
--		si->si_refreshDelete = 0;
--		si->si_refreshPresent = 0;
--
  		if ( si->si_presentlist ) {
  		    presentlist_free( si->si_presentlist );
  		    si->si_presentlist = NULL;
@@ -2054,6 +2145,13 @@ do_syncrepl(
  		op->o_dn = op->o_bd->be_rootdn;
  		op->o_ndn = op->o_bd->be_rootndn;
  		rc = do_syncrep1( op, si );
++	} else if ( !si->si_msgid ) {
++		/* We got a SYNC_BUSY, now told to resume */
++		rc = ldap_sync_search( si, op->o_tmpmemctx );
++	}
++	if ( rc == SYNC_BUSY ) {
++		ldap_pvt_thread_mutex_unlock( &si->si_mutex );
++		return NULL;
+ 	}
  reload:
@@ -6007,6 +6105,9 @@ syncinfo_free( syncinfo_t *sie, int free_all )
  			ch_free( npe );
+ 		}
  		if ( sie->si_cookieState ) {
++			/* Could be called from do_syncrepl (server unpaused) */
++			refresh_finished( sie );
++
  			sie->si_cookieState->cs_ref--;
  			if ( !sie->si_cookieState->cs_ref ) {
  				ch_free( sie->si_cookieState->cs_sids );
@@ -6016,6 +6117,8 @@ syncinfo_free( syncinfo_t *sie, int free_all )
  				ch_free( sie->si_cookieState->cs_psids );
  				ber_bvarray_free( sie->si_cookieState->cs_pvals );
  				ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_pmutex );
++				ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_refresh_mutex );
++				assert( sie->si_cookieState->cs_refreshing == NULL );
  				ch_free( sie->si_cookieState );
+ 			}
+ 		}
@@ -7231,6 +7334,7 @@ add_syncrepl(
  			si->si_cookieState = ch_calloc( 1, sizeof( cookie_state ));
  			ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_mutex );
  			ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_pmutex );
++			ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_refresh_mutex );
  			ldap_pvt_thread_cond_init( &si->si_cookieState->cs_cond );
  			c->be->be_syncinfo = si;
@@ -7489,7 +7593,7 @@ syncrepl_config( ConfigArgs *c )
  								ldap_pvt_runqueue_stoptask( &slapd_rq, re );
  								isrunning = 1;
+ 							}
--							if ( ldap_pvt_thread_pool_retract( re->pool_cookie ) > 0 )
++							if ( !re->pool_cookie || ldap_pvt_thread_pool_retract( re->pool_cookie ) > 0 )
  								isrunning = 0;
  							ldap_pvt_runqueue_remove( &slapd_rq, re );
 diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out
 index 0e9e479..926e830 100644
 --- a/tests/data/dynlist.out
 +++ b/tests/data/dynlist.out
@@ -679,6 +679,10 @@ memberOf: cn=bonus group,ou=groups,dc=example,dc=com
  memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com
  memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com
++dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example
++ ,dc=com
++uid: jjones
++
  # Testing negated filtered memberOf functionality...
  dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
   dc=com
 diff --git a/tests/scripts/test034-translucent b/tests/scripts/test034-translucent
 index 511ebed..8b834d9 100755
 --- a/tests/scripts/test034-translucent
 +++ b/tests/scripts/test034-translucent
@@ -755,6 +755,14 @@ if test -z "$ATTR" ; then
  	exit 1
  fi
++$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consult*)" > $SEARCHOUT 2>&1
++ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
++if test -z "$ATTR" ; then
++	echo "got no result, should have found entry"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
  echo "Testing search: unconfigured remote filter..."
  $LDAPSEARCH -H $URI2 -b "o=translucent" "(|(employeeType=foo)(carlicense=right))" > $SEARCHOUT 2>&1
 diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
 index 52960ea..b7a6b20 100755
 --- a/tests/scripts/test044-dynlist
 +++ b/tests/scripts/test044-dynlist
@@ -1049,6 +1049,17 @@ if test $RC != 0 ; then
  	exit $RC
  fi
++$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
++	-D "$BABSDN" -w bjensen \
++	"(&(uid=jjones)(memberOf=cn=jjs,ou=groups,$BASEDN))" 'uid' \
++	>> $SEARCHOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
  echo "Testing negated filtered memberOf functionality..."
  echo "# Testing negated filtered memberOf functionality..." >> $SEARCHOUT

Ubuntuopenldap package

Merge ~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY into ubuntu/+source/openldap:ubuntu/jammy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openldap package