Ubuntu
openldap package

Merge ~sergiodj/ubuntu/+source/openldap:mre-2.5.13-jammy into ubuntu/+source/openldap:ubuntu/jammy-devel

Proposed by Sergio Durigan Junior on 2022-08-05

Status:

Merged

Approved by:

git-ubuntu bot on 2022-08-09

Approved revision:

not available

Merged at revision:

fa9256815f981289f4c9a7a27e0baadce250b561

Proposed branch:

~sergiodj/ubuntu/+source/openldap:mre-2.5.13-jammy

Merge into:

ubuntu/+source/openldap:ubuntu/jammy-devel

Diff against target:

2629 lines (+1610/-143)

50 files modified

CHANGES (+25/-0)
build/version.var (+4/-4)
clients/tools/ldapsearch.c (+4/-3)
configure (+8/-1)
configure.ac (+9/-2)
contrib/slapd-modules/autogroup/autogroup.c (+1/-1)
contrib/slapd-modules/autogroup/slapo-autogroup.5 (+5/-0)
contrib/slapd-modules/emptyds/Makefile (+78/-0)
contrib/slapd-modules/emptyds/README (+66/-0)
contrib/slapd-modules/emptyds/emptyds.c (+325/-0)
contrib/slapd-modules/emptyds/slapo-emptyds.5 (+68/-0)
contrib/slapd-modules/emptyds/tests/Rules.mk (+23/-0)
contrib/slapd-modules/emptyds/tests/data/emptyds.conf (+54/-0)
contrib/slapd-modules/emptyds/tests/data/test001.ldif (+71/-0)
contrib/slapd-modules/emptyds/tests/data/test001.out (+54/-0)
contrib/slapd-modules/emptyds/tests/run (+218/-0)
contrib/slapd-modules/emptyds/tests/scripts/all (+92/-0)
contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds (+137/-0)
debian/changelog (+8/-0)
doc/guide/admin/guide.html (+1/-1)
doc/man/man3/ldap_get_option.3 (+2/-2)
doc/man/man5/slapd-ldap.5 (+3/-1)
doc/man/man5/slapd-meta.5 (+3/-1)
libraries/Makefile.in (+1/-1)
libraries/libldap/deref.c (+4/-10)
libraries/libldap/ldif.c (+2/-1)
libraries/libldap/turn.c (+6/-6)
libraries/libldap/txn.c (+6/-6)
libraries/librewrite/rewrite-int.h (+5/-5)
servers/lloadd/operation.c (+4/-3)
servers/slapd/back-mdb/id2entry.c (+10/-0)
servers/slapd/backend.c (+13/-18)
servers/slapd/backglue.c (+6/-0)
servers/slapd/bind.c (+1/-1)
servers/slapd/ctxcsn.c (+14/-14)
servers/slapd/daemon.c (+2/-3)
servers/slapd/frontend.c (+1/-1)
servers/slapd/overlays/accesslog.c (+2/-0)
servers/slapd/overlays/pcache.c (+0/-1)
servers/slapd/overlays/ppolicy.c (+13/-11)
servers/slapd/overlays/syncprov.c (+60/-10)
servers/slapd/overlays/translucent.c (+1/-1)
servers/slapd/overlays/unique.c (+18/-14)
servers/slapd/slap.h (+9/-3)
servers/slapd/syncrepl.c (+6/-9)
tests/data/slapd-deltasync-provider.conf (+4/-0)
tests/progs/Makefile.in (+1/-1)
tests/progs/slapd-watcher.c (+14/-7)
tests/scripts/test020-proxycache (+5/-0)
tests/scripts/test043-delta-syncrepl (+143/-1)

High

Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2022-08-09
Bryce Harrington (community)	2022-08-05	Approve on 2022-08-09
Canonical Server Reporter	2022-08-05	Pending
Review via email: mp+427967@code.launchpad.net

Description of the change

This is the MRE for OpenLDAP 2.5.13.

The MRE bug with all the relevant details is bug #1983618.

You can see the bileto ticket here: https://bileto.ubuntu.com/#/ticket/4887

Unfortunately, the "automated test results" link is not working for this ticket. You will need to resort to lp-test-ppa in order to check the results.

As usual with MREs, the review should probably be performed locally instead of via LP's web interface, due to the amount of changes being proposed.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-09:

It looks like bileto's "automated test results" link is working again, so I've created another ticket:

https://bileto.ubuntu.com/#/ticket/4895

Revision history for this message

Bryce Harrington (bryce) wrote on 2022-08-09:

Download full text (3.4 KiB)

The lp-test-ppa results for openldap itself look good:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4895/?format=plain)
  openldap @ amd64:
    09.08.22 19:47:31 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ arm64:
    09.08.22 20:03:51 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ armhf:
    09.08.22 20:03:30 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ ppc64el:
    09.08.22 19:59:53 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ s390x:
    09.08.22 19:58:54 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4

For the broader test dependencies, at least some of the failures (apache2, e.g.) are likely going to be flaky issues. I don't know if a clean bileto run is required for MREs, although certainly sounds like it should be a best practice. In any case, will be some time before those are processed so will leave those to your discretion for any followup.

I did a cursory skim type code review. As documented, there are various bug fixes but most substantial code changes are to slapd, and most of that is the emptyds additions. The emptyds overlay feels like it may be considered more a new feature than a bug fix? If so, may be worth special highlight in the changelog and SRU bug report. It might also be helpful for reviewers to copy and paste in the list of fixes from the release note, into the SRU, i.e.:

    Fixed librewrite declaration of calloc (ITS#9841)
    Fixed libldap memory leaks (ITS#9876)
    Fixed slapd kqueue support (ITS#9847)
    Fixed slapd delta-sync DN leak on ADD ops (ITS#9866)
    Fixed slapd replication with back-glue (ITS#9868)
    Fixed slapd-mdb to check for stale readers on MDB_READERS_FULL (ITS#7165)
    Fixed slapo-accesslog onetime memory leak (ITS#9864)
    Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871)
    Fixed slapo-syncprov memory leaks (ITS#9867)
    Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823)
    Fixed slapo-uniq...

The lp-test-ppa results for openldap itself look good:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4895/?format=plain)
  openldap @ amd64:
    09.08.22 19:47:31    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ arm64:
    09.08.22 20:03:51    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ armhf:
    09.08.22 20:03:30    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ ppc64el:
    09.08.22 19:59:53    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
  openldap @ s390x:
    09.08.22 19:58:54    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4

For the broader test dependencies, at least some of the failures (apache2, e.g.) are likely going to be flaky issues.  I don't know if a clean bileto run is required for MREs, although certainly sounds like it should be a best practice.  In any case, will be some time before those are processed so will leave those to your discretion for any followup.

I did a cursory skim type code review.  As documented, there are various bug fixes but most substantial code changes are to slapd, and most of that is the emptyds additions.  The emptyds overlay feels like it may be considered more a new feature than a bug fix?  If so, may be worth special highlight in the changelog and SRU bug report.  It might also be helpful for reviewers to copy and paste in the list of fixes from the release note, into the SRU, i.e.:

However, those are straightforward enough to find via the provided URL in the SRU, so no biggie.

In a review of the Ubuntu delta itself, I confirmed locally the logical changes match the changelog entry for the kinetic release, and the jammy backport adds no further changes.

LGTM, +1

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2022-08-09:

Approvers: sergiodj, bryce
Uploaders: sergiodj, bryce
MP auto-approved

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-09:

Download full text (4.4 KiB)

On Tuesday, August 09 2022, Bryce Harrington wrote:

> The lp-test-ppa results for openldap itself look good:
>
> Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4895/?format=plain)
> openldap @ amd64:
> 09.08.22 19:47:31 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
> openldap @ arm64:
> 09.08.22 20:03:51 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
> openldap @ armhf:
> 09.08.22 20:03:30 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
> openldap @ ppc64el:
> 09.08.22 19:59:53 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
> openldap @ s390x:
> 09.08.22 19:58:54 Log 🗒️ ✅ Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>
> For the broader test dependencies, at least some of the failures (apache2, e.g.) are likely going to be flaky issues. I don't know if a clean bileto run is required for MREs, although certainly sounds like it should be a best practice. In any case, will be some time before those are processed so will leave those to your discretion for any followup.

Thank you for the review, Bryce.

I always strive to have a clean bileto run, but it's currently
impossible to achieve it because of some pre-existing failures (apache2
is indeed one of them). There are a lot of tests still happening on
https://bileto.ubuntu.com/excuses/4895/jammy.html, so I will make sure
to wait for them to finish before I upload.

On Tuesday, August 09 2022, Bryce Harrington wrote:

> The lp-test-ppa results for openldap itself look good:
>
> Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4895/?format=plain)
>   openldap @ amd64:
>     09.08.22 19:47:31    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>   openldap @ arm64:
>     09.08.22 20:03:51    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>   openldap @ armhf:
>     09.08.22 20:03:30    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>   openldap @ ppc64el:
>     09.08.22 19:59:53    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>   openldap @ s390x:
>     09.08.22 19:58:54    Log 🗒️	✅     Triggers: openldap/2.5.13+dfsg-0ubuntu0.22.04.1~ppa1, django-ldapdb/1.5.1-3, krb5/1.19.2-2, nss-pam-ldapd/0.9.12-2, nsscache/0.42-2, openvpn-auth-ldap/2.0.4-1ubuntu4, python-bonsai/1.3.0+ds-3build1, sssd/2.6.3-1ubuntu3.1, sudo/1.9.9-1ubuntu2, volatildap/1.3.0-2ubuntu4
>
> For the broader test dependencies, at least some of the failures (apache2, e.g.) are likely going to be flaky issues.  I don't know if a clean bileto run is required for MREs, although certainly sounds like it should be a best practice.  In any case, will be some time before those are processed so will leave those to your discretion for any followup.

Thank you for the review, Bryce.

I always strive to have a clean bileto run, but it's currently
impossible to achieve it because of some pre-existing failures (apache2
is indeed one of them).  There are a lot of tests still happening on
https://bileto.ubuntu.com/excuses/4895/jammy.html, so I will make sure
to wait for them to finish before I upload.

> I did a cursory skim type code review.  As documented, there are various bug fixes but most substantial code changes are to slapd, and most of that is the emptyds additions.  The emptyds overlay feels like it may be considered more a new feature than a bug fix?  If so, may be worth special highlight in the changelog and SRU bug report.  It might also be helpful for reviewers to copy and paste in the list of fixes from the release note, into the SRU, i.e.:
>
>     Fixed librewrite declaration of calloc (ITS#9841)
>     Fixed libldap memory leaks (ITS#9876)
>     Fixed slapd kqueue support (ITS#9847)
>     Fixed slapd delta-sync DN leak on ADD ops (ITS#9866)
>     Fixed slapd replication with back-glue (ITS#9868)
>     Fixed slapd-mdb to check for stale readers on MDB_READERS_FULL (ITS#7165)
>     Fixed slapo-accesslog onetime memory leak (ITS#9864)
>     Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871)
>     Fixed slapo-syncprov memory leaks (ITS#9867)
>     Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823)
>     Fixed slapo-unique to not release NULL entry (ITS#8245)
>
> However, those are straightforward enough to find via the provided URL in the SRU, so no biggie.

I agree with mentioning the new slapo-emptyds contrib module; I'll
adjust the changelog to reflect it.

As for listing the changes in the MRE bug itself, that's a good idea.
Although I already provide the link to the upstream announcement (where
the list of changes can be found), I think it's worth including them in
the bug as well.

> In a review of the Ubuntu delta itself, I confirmed locally the logical changes match the changelog entry for the kinetic release, and the jammy backport adds no further changes.

Thanks again.  I will wait until the dep8 tests are finished before I
proceed with the upload.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-09:

Download full text (4.4 KiB)

On Tuesday, August 09 2022, Bryce Harrington wrote:

Thank you for the review, Bryce.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Durigan Junior

git-ubuntu developers

 diff --git a/CHANGES b/CHANGES
 index d8092be..736656d 100644
 --- a/CHANGES
 +++ b/CHANGES
@@ -1,5 +1,30 @@
  OpenLDAP 2.5 Change Log
++OpenLDAP 2.5.13 Release (2022/07/14)
++	Fixed librewrite declaration of calloc (ITS#9841)
++	Fixed libldap memory leaks (ITS#9876)
++	Fixed slapd kqueue support (ITS#9847)
++	Fixed slapd delta-sync DN leak on ADD ops (ITS#9866)
++	Fixed slapd replication with back-glue (ITS#9868)
++	Fixed slapd-mdb to check for stale readers on MDB_READERS_FULL (ITS#7165)
++	Fixed slapo-accesslog onetime memory leak (ITS#9864)
++	Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871)
++	Fixed slapo-syncprov memory leaks (ITS#9867)
++	Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823)
++	Fixed slapo-unique to not release NULL entry (ITS#8245)
++	Build Environment
++		Added slapd-watcher -c contextDN option (ITS#9865)
++		Fixed parallel builds (ITS#9840)
++		Fixed test020 to skip back-wt (ITS#9859)
++		Fixed slapd-watcher SID handling with single URI (ITS#9850)
++		Fixed test043 with workaround for ITS#9878
++	Contrib
++		Added slapo-emptyds contrib module (ITS#8882)
++		Fixed slapo-autogroup backwards compat (ITS#9020)
++	Documentation
++		Fixed ldap_get_option(3) to clarify ldap_get/set_option restrictions (ITS#9824)
++		Fixed slapd-ldap(5),slapd-meta(5) missing bold tag on authz parameter (ITS#9872)
++
  OpenLDAP 2.5.12 Release (2022/05/04)
  	Fixed libldap to drop connection when non-LDAP data is received (ITS#9803)
  	Fixed libldap to allow newlines at end of included file (ITS#9811)
 diff --git a/build/version.var b/build/version.var
 index df94973..64ac2df 100644
 --- a/build/version.var
 +++ b/build/version.var
@@ -15,9 +15,9 @@
  ol_package=OpenLDAP
  ol_major=2
  ol_minor=5
--ol_patch=12
--ol_api_inc=20512
++ol_patch=13
++ol_api_inc=20513
  ol_api_current=1
--ol_api_revision=7
++ol_api_revision=8
  ol_api_age=1
--ol_release_date="2022/05/04"
++ol_release_date="2022/07/14"
 diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
 index a0ca0d7..02b49bd 100644
 --- a/clients/tools/ldapsearch.c
 +++ b/clients/tools/ldapsearch.c
@@ -1866,12 +1866,13 @@ again:
  			if ( ldapsync && sync_slimit != -1 &&
  					nresponses_psearch >= sync_slimit ) {
  				BerElement *msgidber = NULL;
--				struct berval *msgidvalp = NULL;
++				struct berval msgidval;
  				msgidber = ber_alloc_t(LBER_USE_DER);
  				ber_printf(msgidber, "{i}", msgid);
--				ber_flatten(msgidber, &msgidvalp);
++				ber_flatten2( msgidber, &msgidval, 0 );
  				ldap_extended_operation(ld, LDAP_EXOP_CANCEL,
--					msgidvalp, NULL, NULL, &cancel_msgid);
++					&msgidval, NULL, NULL, &cancel_msgid);
++				ber_free( msgidber, 1 );
  				nresponses_psearch = -1;
+ 			}
+ 		}
 diff --git a/configure b/configure
 index bea23a1..f0513cb 100755
 --- a/configure
 +++ b/configure
@@ -1,5 +1,5 @@
  #! /bin/sh
--# From configure.ac Id: 1c372d9fe8d80795909df859a01abd486462d0a2 .
++# From configure.ac Id: 15bca89511fc428731cf9ab71a9b46e37511be67 .
  # Guess values for system-dependent variables and create Makefiles.
  # Generated by GNU Autoconf 2.69.
+ #
@@ -16316,6 +16316,13 @@ $as_echo "no" >&6; }
  else
    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
++$ac_includes_default
++#ifdef HAVE_SYS_EVENT_H
++#include <sys/event.h>
++#endif
++#ifdef HAVE_SYS_TIME_H
++#include <sys/time.h>
++#endif
  int main(int argc, char **argv)
+ {
  	int kqfd = kqueue();
 diff --git a/configure.ac b/configure.ac
 index 0978eeb..626d024 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -25,7 +25,7 @@ dnl ================================================================
  dnl Configure.in for OpenLDAP
  AC_COPYRIGHT([[Copyright 1998-2022 The OpenLDAP Foundation. All rights reserved.
  Restrictions apply, see COPYRIGHT and LICENSE files.]])
--AC_REVISION([$Id: 63b192fdc3ddaf2eabc322c60cd7066c9252e1d8 $])
++AC_REVISION([$Id: 15bca89511fc428731cf9ab71a9b46e37511be67 $])
  AC_INIT([OpenLDAP],,[https://bugs.openldap.org],,[https://www.openldap.org])
  AC_CONFIG_SRCDIR(build/version.sh)dnl
  dnl ----------------------------------------------------------------
@@ -1022,7 +1022,14 @@ dnl ----------------------------------------------------------------
  AC_CHECK_HEADERS( sys/event.h )
  if test "${ac_cv_header_sys_event_h}" = yes; then
  AC_MSG_CHECKING(for kqueue system call)
--AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv)
++AC_RUN_IFELSE([AC_LANG_SOURCE([[$ac_includes_default
++#ifdef HAVE_SYS_EVENT_H
++#include <sys/event.h>
++#endif
++#ifdef HAVE_SYS_TIME_H
++#include <sys/time.h>
++#endif
++int main(int argc, char **argv)
+ {
  	int kqfd = kqueue();
  	exit (kqfd == -1 ? 1 : 0);
 diff --git a/contrib/slapd-modules/autogroup/autogroup.c b/contrib/slapd-modules/autogroup/autogroup.c
 index 926703f..cbcedfe 100644
 --- a/contrib/slapd-modules/autogroup/autogroup.c
 +++ b/contrib/slapd-modules/autogroup/autogroup.c
@@ -1733,7 +1733,7 @@ static ConfigTable agcfg[] = {
  static ConfigOCs agocs[] = {
  	{ "( OLcfgCtOc:2.1 "
--		"NAME 'olcAutoGroupConfig' "
++		"NAME ( 'olcAutoGroupConfig' 'olcAutomaticGroups' ) "
  		"DESC 'Automatic groups configuration' "
  		"SUP olcOverlayConfig "
  		"MAY ( "
 diff --git a/contrib/slapd-modules/autogroup/slapo-autogroup.5 b/contrib/slapd-modules/autogroup/slapo-autogroup.5
 index 86fa1a1..4c6414d 100644
 --- a/contrib/slapd-modules/autogroup/slapo-autogroup.5
 +++ b/contrib/slapd-modules/autogroup/slapo-autogroup.5
@@ -93,10 +93,15 @@ The autogroup overlay has been reworked with the 2.5 release to use
  a consistent namespace as with other overlays. As a side-effect the
  following cn=config parameters are deprecated and will be removed in
  a future release:
++.IP \[bu] 2
  .B olcAGattrSet
  is replaced with olcAutoGroupAttrSet
++.IP \[bu]
  .B olcAGmemberOfAd
  is replaced with olcAutoGroupMemberOfAd
++.IP \[bu]
++.B olcAutomaticGroups
++is replaced with olcAutoGroupConfig
  .SH ACKNOWLEDGEMENTS
  This module was originally written in 2007 by Michał
  Szulczyński.  Further enhancements were contributed by Howard
 diff --git a/contrib/slapd-modules/emptyds/Makefile b/contrib/slapd-modules/emptyds/Makefile
 new file mode 100644
 index 0000000..654f856
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/Makefile
@@ -0,0 +1,78 @@
++# $OpenLDAP$
++# This work is part of OpenLDAP Software <http://www.openldap.org/>.
++#
++# Copyright 1998-2022 The OpenLDAP Foundation.
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted only as authorized by the OpenLDAP
++# Public License.
++#
++# A copy of this license is available in the file LICENSE in the
++# top-level directory of the distribution or, alternatively, at
++# <http://www.OpenLDAP.org/license.html>.
++
++LDAP_SRC = ../../..
++LDAP_BUILD = $(LDAP_SRC)
++SRCDIR = ./
++LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
++LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
++	$(LDAP_BUILD)/libraries/liblber/liblber.la
++
++LIBTOOL = $(LDAP_BUILD)/libtool
++INSTALL = /usr/bin/install
++CC = gcc
++OPT = -g -O2
++DEFS = -DSLAPD_OVER_EDS=SLAPD_MOD_DYNAMIC
++INCS = $(LDAP_INC)
++LIBS = $(LDAP_LIB)
++
++PROGRAMS = emptyds.la
++MANPAGES = slapo-emptyds.5
++CLEAN = *.o *.lo *.la .libs
++LTVER = 0:0:0
++
++prefix=/usr/local
++exec_prefix=$(prefix)
++ldap_subdir=/openldap
++
++libdir=$(exec_prefix)/lib
++libexecdir=$(exec_prefix)/libexec
++moduledir = $(libexecdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
++
++all: $(PROGRAMS)
++
++d :=
++sp :=
++dir := tests
++include $(dir)/Rules.mk
++
++.SUFFIXES: .c .o .lo
++
++.c.lo:
++	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
++
++all: $(PROGRAMS)
++
++emptyds.la: emptyds.lo
++	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
++		-rpath $(moduledir) -module -o $@ $? $(LIBS)
++
++clean:
++	rm -rf $(CLEAN)
++
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
++	mkdir -p $(DESTDIR)$(moduledir)
++	for p in $(PROGRAMS) ; do \
++		$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
++	done
++
++install-man: $(MANPAGES)
++	mkdir -p  $(DESTDIR)$(man5dir)
++	$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
 diff --git a/contrib/slapd-modules/emptyds/README b/contrib/slapd-modules/emptyds/README
 new file mode 100644
 index 0000000..914d4e7
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/README
@@ -0,0 +1,66 @@
++emptyds Overlay README
++
++DESCRIPTION
++    This package contains an OpenLDAP overlay called "emptyds" (empty
++    directory string) that eliminates empty values of type directory string
++    (OID 1.3.6.1.4.1.1466.115.121.1.15) from the list of the values in the
++    following manner:
++
++    - add: All empty attribute values will be removed before the add request
++      is executed
++    - mod-replace: A replace with empty values will be modified to a replace
++      without values. As result the attribute will be deleted
++    - mod-add: All empty attribute values will be removed before the mod-add
++      request is executed
++    - mod-delete: All empty attribute values will be removed before the
++      mod-delete request is executed
++
++    If removing all empty values from a modification makes it a no-op, that
++    modification is removed from the list.
++
++    At module load time the emptyds overlay manipulates the syntax checking
++    so that it intercepts the syntax check and allows empty values for
++    attributes of type directory string only. Non-empty values continue to
++    go through the normal check routines. It is therefore very important to
++    configure the overlays in a way that ensures that the emptyds overlay gets
++    the control over the operation before any other overlay. Otherwise it
++    could come to the situation with empty attribute values in the data base.
++
++    David Hawes' addpartial overlay has been used as starting point for this
++    overlay.
++
++BUILDING
++    A Makefile is included, please set your LDAP_SRC directory properly.
++
++INSTALLATION
++    After compiling the emptyds overlay, add the following to your
++    slapd.conf:
++
++    ### slapd.conf
++    ...
++    moduleload emptyds.la
++    ...
++    overlay emptyds
++    ...
++    # before database directive...
++    # this overlay must be the last overlay in the config file to ensure that
++    # requests are modified before other overlays get them.
++    ...
++    ### end slapd.conf
++
++CAVEATS
++    - In order to ensure that emptyds does what it needs to do, it must be
++      the last overlay configured so it will run before the other overlays.
++
++---
++Copyright 2014-2022 The OpenLDAP Foundation.
++Portions Copyright (C) DAASI International GmbH, Tamim Ziai.
++All rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted only as authorized by the OpenLDAP
++Public License.
++
++A copy of this license is available in file LICENSE in the
++top-level directory of the distribution or, alternatively, at
++http://www.OpenLDAP.org/license.html.
 diff --git a/contrib/slapd-modules/emptyds/emptyds.c b/contrib/slapd-modules/emptyds/emptyds.c
 new file mode 100644
 index 0000000..bb3202e
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/emptyds.c
@@ -0,0 +1,325 @@
++/* emptyds.c */
++/* $OpenLDAP$ */
++/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
++ *
++ * Copyright 2014-2022 The OpenLDAP Foundation.
++ * Portions Copyright (C) 2014 DAASI International GmbH, Tamim Ziai.
++ * Portions Copyright (C) 2022 Ondřej Kuzník, Symas Corporation.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted only as authorized by the OpenLDAP
++ * Public License.
++ *
++ * A copy of this license is available in file LICENSE in the
++ * top-level directory of the distribution or, alternatively, at
++ * http://www.OpenLDAP.org/license.html.
++ */
++/* ACKNOLEDGEDMENTS:
++ * This work was initially developed by Tamim Ziai of DAASI International GmbH
++ * for inclusion in OpenLDAP Software.
++ */
++/* slapo-emptyds
++ *
++ * This is an OpenLDAP overlay that accepts empty strings as attribute values
++ * without syntax violation but never actually stores them. This allows
++ * applications that used to work with LDAP implementations allowing empty
++ * strings (such as Novel eDirectory) to continue to work with OpenLDAP without
++ * any modifications. Add and modify change types will be proceeded as follows,
++ * other operations will be forwarded without modifications:
++ *
++ * changeType: add                  changeType: add
++ * sn: <empty>              -->     sn: blah
++ * sn: blah
++ *
++ * changeType: modify               changeType: modify
++ * add: sn                  -->     add: sn
++ * sn: <empty>                      sn: blah
++ * sn: blah
++ *
++ * changeType: modify               changeType: modify
++ * delete: sn               -->     delete: sn
++ * sn: <empty>                      sn: blah
++ * sn: blah
++ *
++ * changeType: modify               changeType: modify
++ * replace: sn              -->     replace: sn
++ * sn: <empty>
++ *
++ */
++
++#include "portable.h"
++#include "slap.h"
++
++static slap_overinst emptyds;
++
++static const char ds_oid[] = "1.3.6.1.4.1.1466.115.121.1.15";
++
++static slap_syntax_validate_func *ssyn_validate_original = NULL;
++static slap_syntax_transform_func *ssyn_pretty_original = NULL;
++static int emptyds_instances = 0;
++
++static unsigned int
++remove_empty_values( Modification *m, Attribute *a )
++{
++	BerVarray vals = m ? m->sm_values : a->a_vals,
++			  nvals = m ? m->sm_nvalues : a->a_nvals;
++	unsigned int i, j, numvals = m ? m->sm_numvals : a->a_numvals;
++
++	for ( i = 0; i < numvals && !BER_BVISEMPTY( &vals[i] ); i++ )
++		/* Find first empty */;
++
++	if ( i == numvals ) return i;
++
++	/*
++	 * We have an empty value at index i, move all of them to the end of the
++	 * list, preserving the order of non-empty values.
++	 */
++	j = i + 1;
++	for ( j = i + 1; j < numvals; j++ ) {
++		struct berval tmp;
++
++		if ( BER_BVISEMPTY( &vals[j] ) ) continue;
++
++		tmp = vals[i];
++		vals[i] = vals[j];
++		vals[j] = tmp;
++
++		if ( nvals && vals != nvals ) {
++			tmp = nvals[i];
++			nvals[i] = nvals[j];
++			nvals[j] = tmp;
++		}
++
++		if ( m && a && m->sm_values != a->a_vals ) {
++			tmp = a->a_vals[i];
++			a->a_vals[i] = a->a_vals[j];
++			a->a_vals[j] = tmp;
++
++			if ( a->a_nvals && a->a_vals != a->a_nvals ) {
++				tmp = a->a_nvals[i];
++				a->a_nvals[i] = a->a_nvals[j];
++				a->a_nvals[j] = tmp;
++			}
++		}
++		i++;
++	}
++
++	/* Free empty vals */
++	for ( ; j && i < j--; ) {
++		ber_memfree( vals[j].bv_val );
++		if ( nvals && vals != nvals ) {
++			ber_memfree( nvals[j].bv_val );
++			BER_BVZERO( &nvals[j] );
++		}
++
++		if ( m && a && m->sm_values != a->a_vals ) {
++			if ( m->sm_values[j].bv_val != a->a_vals[j].bv_val ) {
++				ber_memfree( a->a_vals[j].bv_val );
++				BER_BVZERO( &a->a_vals[j] );
++
++				if ( a->a_nvals && a->a_vals != a->a_nvals ) {
++					ber_memfree( a->a_nvals[j].bv_val );
++					BER_BVZERO( &a->a_nvals[j] );
++				}
++			}
++		}
++		BER_BVZERO( &vals[j] );
++	}
++
++	return i;
++}
++
++/**
++ *  Remove all operations with empty strings.
++ */
++static int
++emptyds_op_add( Operation *op, SlapReply *rs )
++{
++	Attribute **ap, **nexta, *a;
++	Modifications **mlp, **nextp = NULL, *ml;
++	Entry *e = op->ora_e;
++
++	/*
++	 * op->ora_modlist can be NULL, at least accesslog doesn't always populate
++	 * it on an add.
++	 */
++	for ( ap = &e->e_attrs, a = e->e_attrs, mlp = &op->ora_modlist,
++		  ml = op->ora_modlist;
++			a != NULL;
++			ap = nexta, a = *ap, mlp = nextp, ml = ml ? *mlp : NULL ) {
++		AttributeType *at = a->a_desc->ad_type;
++		unsigned int remaining;
++
++		nexta = &a->a_next;
++		if ( ml ) {
++			nextp = &ml->sml_next;
++		}
++
++		if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
++				at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
++			continue;
++
++		remaining = remove_empty_values( &ml->sml_mod, a );
++		if ( remaining == a->a_numvals ) continue;
++		/* Empty values found */
++
++		if ( !remaining ) {
++			/* All values are empty */
++			*ap = a->a_next;
++			a->a_next = NULL;
++			nexta = ap;
++
++			if ( ml ) {
++				*mlp = ml->sml_next;
++				ml->sml_next = NULL;
++				nextp = mlp;
++				/* Values are generally shared with attribute */
++				slap_mods_free( ml, ml->sml_values != a->a_vals );
++			}
++			attr_free( a );
++		} else {
++			a->a_numvals = remaining;
++			if ( ml ) {
++				ml->sml_mod.sm_numvals = remaining;
++			}
++		}
++	}
++
++	return SLAP_CB_CONTINUE;
++}
++
++static int
++emptyds_op_modify( Operation *op, SlapReply *rs )
++{
++	Modifications **mlp, **nextp, *ml;
++
++	for ( mlp = &op->orm_modlist, ml = op->orm_modlist; ml != NULL;
++			mlp = nextp, ml = *mlp ) {
++		AttributeType *at = ml->sml_desc->ad_type;
++		unsigned int remaining;
++
++		nextp = &ml->sml_next;
++
++		if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
++				at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
++			continue;
++
++		remaining = remove_empty_values( &ml->sml_mod, NULL );
++		if ( remaining == ml->sml_numvals ) continue;
++
++		if ( !remaining ) {
++			/* All values are empty */
++			if ( ml->sml_op == LDAP_MOD_REPLACE ) {
++				/* Replace is kept */
++				if ( ml->sml_nvalues && ml->sml_nvalues != ml->sml_values ) {
++					ber_bvarray_free( ml->sml_nvalues );
++				}
++				if ( ml->sml_values ) {
++					ber_bvarray_free( ml->sml_values );
++				}
++
++				ml->sml_numvals = 0;
++				ml->sml_values = NULL;
++				ml->sml_nvalues = NULL;
++			} else {
++				/* Remove modification */
++				*mlp = ml->sml_next;
++				ml->sml_next = NULL;
++				nextp = mlp;
++				slap_mods_free( ml, 1 );
++			}
++		} else {
++			ml->sml_numvals = remaining;
++		}
++	}
++
++	return SLAP_CB_CONTINUE;
++}
++
++static int
++emptyds_ssyn_validate( Syntax *syntax, struct berval *in )
++{
++	if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
++		return LDAP_SUCCESS;
++	}
++	return ssyn_validate_original( syntax, in );
++}
++
++static int
++emptyds_ssyn_pretty( Syntax *syntax,
++		struct berval *in,
++		struct berval *out,
++		void *memctx )
++{
++	if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
++		return LDAP_SUCCESS;
++	}
++	return ssyn_pretty_original( syntax, in, out, memctx );
++}
++
++static int
++emptyds_db_init( BackendDB *be, ConfigReply *cr )
++{
++	Syntax *syntax = syn_find( ds_oid );
++
++	if ( syntax == NULL ) {
++		Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
++				"Syntax %s not found\n",
++				ds_oid );
++	} else {
++		Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
++				"Found syntax: %s\n",
++				syntax->ssyn_bvoid.bv_val );
++		if ( ssyn_validate_original == NULL && syntax->ssyn_validate != NULL ) {
++			ssyn_validate_original = syntax->ssyn_validate;
++			syntax->ssyn_validate = emptyds_ssyn_validate;
++		}
++		if ( ssyn_pretty_original == NULL && syntax->ssyn_pretty != NULL ) {
++			ssyn_pretty_original = syntax->ssyn_pretty;
++			syntax->ssyn_pretty = &emptyds_ssyn_pretty;
++		}
++	}
++
++	emptyds_instances++;
++	return LDAP_SUCCESS;
++}
++
++static int
++emptyds_db_destroy( BackendDB *be, ConfigReply *cr )
++{
++	Syntax *syntax = syn_find( ds_oid );
++
++	if ( --emptyds_instances == 0 && syntax != NULL ) {
++		if ( syntax->ssyn_validate == emptyds_ssyn_validate ) {
++			syntax->ssyn_validate = ssyn_validate_original;
++		}
++		ssyn_validate_original = NULL;
++
++		if ( syntax->ssyn_pretty == emptyds_ssyn_pretty ) {
++			syntax->ssyn_pretty = ssyn_pretty_original;
++		}
++		ssyn_pretty_original = NULL;
++	}
++
++	assert( emptyds_instances >= 0 );
++	return LDAP_SUCCESS;
++}
++
++int
++emptyds_init()
++{
++	emptyds.on_bi.bi_type = "emptyds";
++	emptyds.on_bi.bi_op_add = emptyds_op_add;
++	emptyds.on_bi.bi_op_modify = emptyds_op_modify;
++	emptyds.on_bi.bi_db_init = emptyds_db_init;
++	emptyds.on_bi.bi_db_destroy = emptyds_db_destroy;
++
++	return overlay_register( &emptyds );
++}
++
++int
++init_module( int argc, char *argv[] )
++{
++	return emptyds_init();
++}
 diff --git a/contrib/slapd-modules/emptyds/slapo-emptyds.5 b/contrib/slapd-modules/emptyds/slapo-emptyds.5
 new file mode 100644
 index 0000000..75b1059
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/slapo-emptyds.5
@@ -0,0 +1,68 @@
++.TH SLAPO-EDS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 2022 The OpenLDAP Foundation, All Rights Reserved.
++.\" Copyright 2018 Tamim Ziai
++.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapo-emptyds \- Remove Empty values from Directory String attributes
++Overlay to slapd
++.SH SYNOPSIS
++ETCDIR/slapd.conf
++.SH DESCRIPTION
++Some non-conformant clients will provide empty values for Directory String
++attributes with certain operations. This overlay makes empty values acceptable
++for the Directory String syntax and will adjust all operations to make sure
++these values are never actually stored in the database.
++.LP
++.nf
++.ft tt
++	dn: cn=alex,cn=people,dc=example,dc=org
++	changeType: add                  changeType: add
++	sn: <empty>              -->     sn: blah
++	sn: blah
++
++	dn: cn=alex,cn=people,dc=example,dc=org
++	changeType: modify               changeType: modify
++	add: sn                  -->     add: sn
++	sn: <empty>                      sn: blah
++	sn: blah
++
++	dn: cn=alex,cn=people,dc=example,dc=org
++	changeType: modify               changeType: modify
++	delete: sn               -->     delete: sn
++	sn: <empty>                      sn: blah
++	sn: blah
++
++	dn: cn=alex,cn=people,dc=example,dc=org
++	changeType: modify               changeType: modify
++	replace: sn              -->     replace: sn
++	sn: <empty>
++
++	dn: cn=alex,cn=people,dc=example,dc=org
++	changeType: modify               changeType: modify
++	replace: sn              -->     replace: sn
++	sn: <empty>                      sn: blah
++	sn: blah
++.ft
++.fi
++.LP
++.SH CONFIGURATION
++This overlay has no specific configuration, however in order to ensure that it
++does what it needs to do, it should be the last overlay configured so it will
++run before the other overlays.
++.SH EXAMPLES
++.LP
++.RS
++.nf
++overlay emptyds
++.RE
++.SH FILES
++.TP
++ETCDIR/slapd.conf
++default slapd configuration file
++.SH SEE ALSO
++.BR slapd.conf (5).
++.SH ACKNOWLEDGEMENTS
++This module was written in 2014 by Tamim Ziai for DAASI International and
++updated in 2022 by Ondřej Kuzník for inclusion in the OpenLDAP project.
++.so ../Project
 diff --git a/contrib/slapd-modules/emptyds/tests/Rules.mk b/contrib/slapd-modules/emptyds/tests/Rules.mk
 new file mode 100644
 index 0000000..c25c1d2
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/Rules.mk
@@ -0,0 +1,23 @@
++sp := $(sp).x
++dirstack_$(sp) := $(d)
++d := $(dir)
++
++.PHONY: test
++
++CLEAN += clients servers tests/progs tests/schema tests/testdata tests/testrun
++
++test: all clients servers tests/progs
++
++test:
++	cd tests; \
++		SRCDIR=$(abspath $(LDAP_SRC)) \
++		LDAP_BUILD=$(abspath $(LDAP_BUILD)) \
++		TOPDIR=$(abspath $(SRCDIR)) \
++		LIBTOOL=$(abspath $(LIBTOOL)) \
++			$(abspath $(SRCDIR))/tests/run all
++
++servers clients tests/progs:
++	ln -s $(abspath $(LDAP_BUILD))/$@ $@
++
++d := $(dirstack_$(sp))
++sp := $(basename $(sp))
 diff --git a/contrib/slapd-modules/emptyds/tests/data/emptyds.conf b/contrib/slapd-modules/emptyds/tests/data/emptyds.conf
 new file mode 100644
 index 0000000..221fe81
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/data/emptyds.conf
@@ -0,0 +1,54 @@
++# basic slapd config -- for testing of slapo-emptyds
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2022 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/openldap.schema
++include		@SCHEMADIR@/nis.schema
++include		@DATADIR@/test.schema
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#accesslogmod#modulepath ../servers/slapd/overlays/
++#accesslogmod#moduleload accesslog.la
++moduleload ../emptyds.la
++
++database	@BACKEND@
++suffix		"dc=example,dc=com"
++rootdn		"cn=Manager,dc=example,dc=com"
++rootpw		secret
++#~null~#directory	@TESTDIR@/db.1.a
++
++overlay accesslog
++logdb cn=log
++logops writes
++logsuccess true
++
++overlay emptyds
++
++database	@BACKEND@
++suffix		"cn=log"
++rootdn		"cn=Manager,dc=example,dc=com"
++#~null~#directory	@TESTDIR@/db.1.b
++
++## This one makes no difference except we want to make sure we can
++## safely instantiate the overlay on multiple databases
++overlay emptyds
++
++database	monitor
 diff --git a/contrib/slapd-modules/emptyds/tests/data/test001.ldif b/contrib/slapd-modules/emptyds/tests/data/test001.ldif
 new file mode 100644
 index 0000000..b7f289a
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/data/test001.ldif
@@ -0,0 +1,71 @@
++# slapd prevents us from adding the same value multiple times
++dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
++changetype: modify
++add: description
++description: one
++description:
++description: two
++description: three
++description: four
++# a space is distinct from an empty value
++description:: ICAg
++-
++replace: drink
++drink: Earl Grey, hot
++-
++delete: description
++description:
++-
++replace: drink
++drink: Earl Grey, hot
++
++# there is no such restriction on deletes, so we exercise this part of the overlay here
++dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
++changetype: modify
++delete: description
++description:
++description: four
++description:
++description: three
++description: two
++description:
++description:
++description: one
++description:
++-
++add: description
++description:
++
++dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
++changetype: modify
++replace: drink
++drink:
++
++dn: cn=All Staff,ou=Groups,dc=example,dc=com
++changetype: modify
++delete: member
++-
++add: member
++# an empty DN should not be stripped
++member:
++member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
++
++dn: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
++changetype: add
++objectclass: testPerson
++cn: Gern Jensen
++sn: Jensen
++uid: gjensen
++title:
++postaladdress: ITD $ 535 W. William St $ Anytown, MI 48103
++seealso: cn=All Staff,ou=Groups,dc=example,dc=com
++drink: Coffee
++homepostaladdress: 844 Brown St. Apt. 4 $ Anytown, MI 48104
++description: Very odd
++description:
++description: More than you think
++facsimiletelephonenumber: +1 313 555 7557
++telephonenumber: +1 313 555 8343
++mail: gjensen@mailgw.example.com
++homephone: +1 313 555 8844
++testTime: 20050304001801.234Z
 diff --git a/contrib/slapd-modules/emptyds/tests/data/test001.out b/contrib/slapd-modules/emptyds/tests/data/test001.out
 new file mode 100644
 index 0000000..6f41247
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/data/test001.out
@@ -0,0 +1,54 @@
++dn: reqStart=timestamp,cn=log
++reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
++reqMod: description:+ one
++reqMod: description:+ two
++reqMod: description:+ three
++reqMod: description:+ four
++# "description:+    " that's a space, then 3 spaces for value
++reqMod:: ZGVzY3JpcHRpb246KyAgICA=
++reqMod: drink:= Earl Grey, hot
++# second mod was removed, so we have two replaces in succession now and need
++# to separate them (":")
++reqMod:: Og==
++reqMod: drink:= Earl Grey, hot
++
++dn: reqStart=timestamp,cn=log
++reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
++reqMod: description:- four
++reqMod: description:- three
++reqMod: description:- two
++reqMod: description:- one
++# second mod is removed
++
++dn: reqStart=timestamp,cn=log
++reqDN: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
++reqMod: drink:=
++
++dn: reqStart=timestamp,cn=log
++reqDN: cn=All Staff,ou=Groups,dc=example,dc=com
++reqMod: member:-
++# "member:+ " adding an empty DN
++reqMod:: bWVtYmVyOisg
++reqMod: member:+ cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example
++ ,dc=com
++
++dn: reqStart=timestamp,cn=log
++reqDN: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,
++ dc=com
++reqMod: objectClass:+ testPerson
++reqMod: cn:+ Gern Jensen
++reqMod: sn:+ Jensen
++reqMod: uid:+ gjensen
++reqMod: postalAddress:+ ITD $ 535 W. William St $ Anytown, MI 48103
++reqMod: seeAlso:+ cn=All Staff,ou=Groups,dc=example,dc=com
++reqMod: drink:+ Coffee
++reqMod: homePostalAddress:+ 844 Brown St. Apt. 4 $ Anytown, MI 48104
++reqMod: description:+ Very odd
++reqMod: description:+ More than you think
++reqMod: facsimileTelephoneNumber:+ +1 313 555 7557
++reqMod: telephoneNumber:+ +1 313 555 8343
++reqMod: mail:+ gjensen@mailgw.example.com
++reqMod: homePhone:+ +1 313 555 8844
++reqMod: testTime:+ 20050304001801.234Z
++reqMod: structuralObjectClass:+ testPerson
++
 diff --git a/contrib/slapd-modules/emptyds/tests/run b/contrib/slapd-modules/emptyds/tests/run
 new file mode 100755
 index 0000000..e28820c
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/run
@@ -0,0 +1,218 @@
++#!/bin/sh
++## $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2022 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++##
++## ACKNOWLEDGEMENTS:
++## This module was written in 2016 by Ondřej Kuzník for Symas Corp.
++
++USAGE="$0 [-b <backend>] [-c] [-k] [-l #] [-p] [-s {ro|rp}] [-u] [-w] <script>"
++
++TOPSRCDIR="${SRCDIR-$LDAP_SRC}"
++SRCDIR="${TOPSRCDIR}/tests"
++eval `grep EGREP_CMD= ${LDAP_BUILD}/tests/run`
++eval `$EGREP_CMD -e '^LN_S=' ${LDAP_BUILD}/tests/run`
++
++export SRCDIR TOPSRCDIR LN_S EGREP_CMD
++
++. "${SRCDIR}/scripts/defines.sh"
++
++BACKEND=
++CLEAN=no
++WAIT=0
++KILLSERVERS=yes
++PRESERVE=${PRESERVE-no}
++SYNCMODE=${SYNCMODE-rp}
++USERDATA=no
++LOOP=1
++COUNTER=1
++
++while test $# -gt 0 ; do
++	case "$1" in
++		-b | -backend)
++			BACKEND="$2"
++			shift; shift ;;
++
++		-c | -clean)
++			CLEAN=yes
++			shift ;;
++
++		-k | -kill)
++			KILLSERVERS=no
++			shift ;;
++		-l | -loop)
++			NUM="`echo $2 | sed 's/[0-9]//g'`"
++			if [ -z "$NUM" ]; then
++				LOOP=$2
++			else
++				echo "Loop variable not an int: $2"
++				echo "$USAGE"; exit 1
++			fi
++			shift ;
++			shift ;;
++
++		-p | -preserve)
++			PRESERVE=yes
++			shift ;;
++
++		-s | -syncmode)
++			case "$2" in
++				ro | rp)
++					SYNCMODE="$2"
++					;;
++				*)
++					echo "unknown sync mode $2"
++					echo "$USAGE"; exit 1
++					;;
++			esac
++			shift; shift ;;
++
++		-u | -userdata)
++			USERDATA=yes
++			shift ;;
++
++		-w | -wait)
++			WAIT=1
++			shift ;;
++
++		-)
++			shift
++			break ;;
++
++		-*)
++			echo "$USAGE"; exit 1
++			;;
++
++		*)
++			break ;;
++	esac
++done
++
++eval `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run`
++export `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run | sed 's/=.*//'`
++
++if test -z "$BACKEND" ; then
++	for b in mdb ; do
++		if eval "test \"\$AC_$b\" != no" ; then
++			BACKEND=$b
++			break
++		fi
++	done
++	if test -z "$BACKEND" ; then
++		echo "No suitable default database backend configured" >&2
++		exit 1
++	fi
++fi
++
++BACKENDTYPE=`eval 'echo $AC_'$BACKEND`
++if test "x$BACKENDTYPE" = "x" ; then
++	BACKENDTYPE="unknown"
++fi
++
++# Backend features.  indexdb: indexing and unchecked limit.
++# maindb: main storage backend.  Currently index,limits,mode,paged results.
++INDEXDB=noindexdb MAINDB=nomaindb
++case $BACKEND in
++	mdb) INDEXDB=indexdb MAINDB=maindb ;;
++esac
++
++export	BACKEND BACKENDTYPE INDEXDB MAINDB \
++	WAIT KILLSERVERS PRESERVE SYNCMODE USERDATA \
++	SRCDIR
++
++if test $# = 0 ; then
++	echo "$USAGE"; exit 1
++fi
++
++# need defines.sh for the definitions of the directories
++. $SRCDIR/scripts/defines.sh
++
++SCRIPTDIR="${TOPDIR}/tests/scripts"
++
++export SCRIPTDIR
++
++SCRIPTNAME="$1"
++shift
++
++if test -x "${SCRIPTDIR}/${SCRIPTNAME}" ; then
++	SCRIPT="${SCRIPTDIR}/${SCRIPTNAME}"
++elif test -x "`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"; then
++	SCRIPT="`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"
++elif test -x "`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"; then
++	SCRIPT="`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"
++else
++	echo "run: ${SCRIPTNAME} not found (or not executable)"
++	exit 1;
++fi
++
++if test ! -r ${DATADIR}/test.ldif ; then
++	${LN_S} ${SRCDIR}/data ${DATADIR}
++fi
++if test ! -r ${SCHEMADIR}/core.schema ; then
++	${LN_S} ${TOPSRCDIR}/servers/slapd/schema ${SCHEMADIR}
++fi
++if test ! -r ./data; then
++	${LN_S} ${TOPDIR}/tests/data ./
++fi
++
++if test -d ${TESTDIR} ; then
++	if test $PRESERVE = no ; then
++		echo "Cleaning up test run directory leftover from previous run."
++		/bin/rm -rf ${TESTDIR}
++	elif test $PRESERVE = yes ; then
++		echo "Cleaning up only database directories leftover from previous run."
++		/bin/rm -rf ${TESTDIR}/db.*
++	fi
++fi
++mkdir -p ${TESTDIR}
++
++if test $USERDATA = yes ; then
++	if test ! -d userdata ; then
++		echo "User data directory (userdata) does not exist."
++		exit 1
++	fi
++	cp -R userdata/* ${TESTDIR}
++fi
++
++# disable LDAP initialization
++LDAPNOINIT=true; export LDAPNOINIT
++
++echo "Running ${SCRIPT} for ${BACKEND}..."
++while [ $COUNTER -le $LOOP ]; do
++	if [ $LOOP -gt 1 ]; then
++		echo "Running $COUNTER of $LOOP iterations"
++	fi
++	$SCRIPT $*
++	RC=$?
++
++	if test $CLEAN = yes ; then
++		echo "Cleaning up test run directory from this run."
++		/bin/rm -rf ${TESTDIR}
++		echo "Cleaning up symlinks."
++		/bin/rm -f ${DATADIR} ${SCHEMADIR}
++	fi
++
++	if [ $RC -ne 0 ]; then
++		if [ $LOOP -gt 1 ]; then
++			echo "Failed after $COUNTER of $LOOP iterations"
++		fi
++		exit $RC
++	else
++		COUNTER=`expr $COUNTER + 1`
++		if [ $COUNTER -le $LOOP ]; then
++			echo "Cleaning up test run directory from this run."
++			/bin/rm -rf ${TESTDIR}
++		fi
++	fi
++done
++exit $RC
 diff --git a/contrib/slapd-modules/emptyds/tests/scripts/all b/contrib/slapd-modules/emptyds/tests/scripts/all
 new file mode 100755
 index 0000000..a5c1774
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/scripts/all
@@ -0,0 +1,92 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2022 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++. $SRCDIR/scripts/defines.sh
++
++TB="" TN=""
++if test -t 1 ; then
++	TB=`$SHTOOL echo -e "%B" 2>/dev/null`
++	TN=`$SHTOOL echo -e "%b" 2>/dev/null`
++fi
++
++FAILCOUNT=0
++SKIPCOUNT=0
++SLEEPTIME=10
++
++echo ">>>>> Executing all LDAP tests for $BACKEND"
++
++if [ -n "$NOEXIT" ]; then
++	echo "Result	Test" > $TESTWD/results
++fi
++
++for CMD in ${SCRIPTDIR}/test*; do
++	case "$CMD" in
++		*~)		continue;;
++		*.bak)	continue;;
++		*.orig)	continue;;
++		*.sav)	continue;;
++		*)		test -f "$CMD" || continue;;
++	esac
++
++	# remove cruft from prior test
++	if test $PRESERVE = yes ; then
++		/bin/rm -rf $TESTDIR/db.*
++	else
++		/bin/rm -rf $TESTDIR
++	fi
++
++	BCMD=`basename $CMD`
++	if [ -x "$CMD" ]; then
++		echo ">>>>> Starting ${TB}$BCMD${TN} for $BACKEND..."
++		$CMD
++		RC=$?
++		if test $RC -eq 0 ; then
++			echo ">>>>> $BCMD completed ${TB}OK${TN} for $BACKEND."
++		else
++			echo ">>>>> $BCMD ${TB}failed${TN} for $BACKEND"
++			FAILCOUNT=`expr $FAILCOUNT + 1`
++
++			if [ -n "$NOEXIT" ]; then
++				echo "Continuing."
++			else
++				echo "(exit $RC)"
++				exit $RC
++			fi
++		fi
++	else
++		echo ">>>>> Skipping ${TB}$BCMD${TN} for $BACKEND."
++		SKIPCOUNT=`expr $SKIPCOUNT + 1`
++		RC="-"
++	fi
++
++	if [ -n "$NOEXIT" ]; then
++		echo "$RC	$BCMD" >> $TESTWD/results
++	fi
++
++#	echo ">>>>> waiting $SLEEPTIME seconds for things to exit"
++#	sleep $SLEEPTIME
++	echo ""
++done
++
++if [ -n "$NOEXIT" ]; then
++	if [ "$FAILCOUNT" -gt 0 ]; then
++		cat $TESTWD/results
++		echo "$FAILCOUNT tests for $BACKEND ${TB}failed${TN}. Please review the test log."
++	else
++		echo "All executed tests for $BACKEND ${TB}succeeded${TN}."
++	fi
++fi
++
++echo "$SKIPCOUNT tests for $BACKEND were ${TB}skipped${TN}."
 diff --git a/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds b/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds
 new file mode 100755
 index 0000000..b8d715a
 --- /dev/null
 +++ b/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds
@@ -0,0 +1,137 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 2022 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++##
++## ACKNOWLEDGEMENTS:
++## This module was written in 2019 by Tamim Ziai for DAASI International
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++LDIF=${TOPDIR}/tests/data/test001.out
++
++if test $ACCESSLOG = accesslogno; then
++	echo "Accesslog overlay not available, test skipped"
++	exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1A $DBDIR1B
++
++. $CONFFILTER $BACKEND < "${TOPDIR}/tests/data/emptyds.conf" > $CONF1
++
++echo "Running slapadd to build slapd database... "
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++	echo "slapadd failed ($RC)!"
++	exit $RC
++fi
++
++echo "Starting slapd on TCP/IP port $PORT1..."
++$SLAPD -f $CONF1 -h $URI1 -d $LVL >> $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++	echo PID $PID
++	read foo
++fi
++KILLPIDS="$PID"
++
++sleep $SLEEP0
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting ${SLEEP1} seconds for slapd to start..."
++	sleep ${SLEEP1}
++done
++
++echo "Checking add/modify handling... "
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	> $TESTOUT -f "${TOPDIR}/tests/data/test001.ldif"
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Checking modrdn handling (should still fail with invalidDNSyntax)... "
++
++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
++	>> $TESTOUT 2>&1 <<EOMOD
++dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
++changetype: modrdn
++newrdn: cn=
++deleteoldrdn: 0
++EOMOD
++RC=$?
++case $RC in
++34)
++	echo "	ldapmodify failed ($RC)"
++	;;
++0)
++	echo "	ldapmodify should have failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++	;;
++*)
++	echo "	ldapmodify failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++	;;
++esac
++
++echo "Dumping accesslog..."
++
++$LDAPSEARCH -b "cn=log" -H $URI1 \
++	'objectClass=auditWriteObject' reqDN reqMod | \
++	grep -v -e 'entryCSN' -e '\(create\|modify\)Timestamp' \
++		-e '\(modifier\|creator\)sName' -e 'entryUUID' | \
++	sed -e 's/reqStart=[^,]*,/reqStart=timestamp,/' \
++	> $SEARCHOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	exit $RC
++fi
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++# Expectations:
++# - all empty values for directoryString pruned
++# - empty adds/deletes removed, empty replaces kept
++# - remaining values keep the same order as submitted
++# - other syntaxes (especially DNs) are kept intact
++echo "Filtering ldapsearch results..."
++$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
++$LDIFFILTER < $LDIF > $LDIFFLT
++
++echo "Comparing filter output..."
++$CMP $LDIFFLT $SEARCHFLT > $CMPOUT
++
++if test $? != 0 ; then
++	echo "Comparison failed"
++	exit 1
++fi
++
++echo ">>>>> Test succeeded"
++
++test $KILLSERVERS != no && wait
++
++exit 0
 diff --git a/debian/changelog b/debian/changelog
 index 4c4b66d..c228ce0 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,11 @@
++openldap (2.5.13+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium
++
++  * New upstream version (LP: #1983618).
++    - Several fixes, including memory leaks that affected libldap.
++    - Added slapo-emptyds contrib module (ITS#8882).
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 05 Aug 2022 10:51:52 -0400
++
  openldap (2.5.12+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium
    * New upstream version (LP: #1977627).
 diff --git a/doc/guide/admin/guide.html b/doc/guide/admin/guide.html
 index 7415912..7e924c8 100644
 --- a/doc/guide/admin/guide.html
 +++ b/doc/guide/admin/guide.html
@@ -23,7 +23,7 @@
  <DIV CLASS="title">
  <H1 CLASS="doc-title">OpenLDAP Software 2.5 Administrator's Guide</H1>
  <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="https://www.openldap.org/">https://www.openldap.org/</A>&gt;</ADDRESS>
--<ADDRESS CLASS="doc-modified">4 May 2022</ADDRESS>
++<ADDRESS CLASS="doc-modified">14 July 2022</ADDRESS>
  <BR CLEAR="All">
  </DIV>
  <DIV CLASS="contents">
 diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
 index 3477f02..b98ad60 100644
 --- a/doc/man/man3/ldap_get_option.3
 +++ b/doc/man/man3/ldap_get_option.3
@@ -463,7 +463,7 @@ must be an
  .BR "unsigned int *" .
  .SH SASL OPTIONS
--The SASL options are OpenLDAP specific.
++The SASL options are OpenLDAP specific and unless otherwise noted, require an LDAP handle to be passed.
  .TP
  .B LDAP_OPT_X_SASL_AUTHCID
  Gets the SASL authentication identity;
@@ -507,7 +507,7 @@ in form of a NULL-terminated array of strings;
  .BR outvalue
  must be
  .BR "char ***" .
--The caller must not free or otherwise muck with it.
++The caller must not free or otherwise muck with it. This option can be used globally.
  .TP
  .B LDAP_OPT_X_SASL_NOCANON
  Sets/gets the NOCANON flag.
 diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
 index 8a4fa2e..ffcbe81 100644
 --- a/doc/man/man5/slapd-ldap.5
 +++ b/doc/man/man5/slapd-ldap.5
@@ -268,7 +268,9 @@ where
  .B none
  is the default, i.e. no \fIidentity assertion\fP is performed.
--The authz parameter is used to instruct the SASL bind to exploit
++The
++.B authz
++parameter is used to instruct the SASL bind to exploit
  .B native
  SASL authorization, if available; since connections are cached,
  this should only be used when authorizing with a fixed identity
 diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
 index e3d8089..2134ff6 100644
 --- a/doc/man/man5/slapd-meta.5
 +++ b/doc/man/man5/slapd-meta.5
@@ -417,7 +417,9 @@ where
  .B none
  is the default, i.e. no \fIidentity assertion\fP is performed.
--The authz parameter is used to instruct the SASL bind to exploit
++The
++.B authz
++parameter is used to instruct the SASL bind to exploit
  .B native
  SASL authorization, if available; since connections are cached,
  this should only be used when authorizing with a fixed identity
 diff --git a/libraries/Makefile.in b/libraries/Makefile.in
 index 5d05889..b3a9127 100644
 --- a/libraries/Makefile.in
 +++ b/libraries/Makefile.in
@@ -24,7 +24,7 @@ PKGCONFIG_DIR=$(DESTDIR)$(libdir)/pkgconfig
  PKGCONFIG_SRCDIRS=liblber libldap
  install-local:
--	@$(MKDIR) $(PKGCONFIG_DIR)
++	@-$(MKDIR) $(PKGCONFIG_DIR)
  	@for i in $(PKGCONFIG_SRCDIRS); do \
  	    $(INSTALL_DATA) $$i/*.pc $(PKGCONFIG_DIR); \
  	done
 diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c
 index 801954e..f187a9f 100644
 --- a/libraries/libldap/deref.c
 +++ b/libraries/libldap/deref.c
@@ -160,7 +160,8 @@ ldap_parse_derefresponse_control(
  	LDAPControl	*ctrl,
  	LDAPDerefRes	**drp2 )
+ {
--	BerElement *ber;
++	BerElementBuffer berbuf;
++	BerElement *ber = (BerElement *)&berbuf;
  	ber_tag_t tag;
  	ber_len_t len;
  	char *last;
@@ -172,13 +173,8 @@ ldap_parse_derefresponse_control(
  		return LDAP_PARAM_ERROR;
+ 	}
--	/* Create a BerElement from the berval returned in the control. */
--	ber = ber_init( &ctrl->ldctl_value );
--
--	if ( ber == NULL ) {
--		ld->ld_errno = LDAP_NO_MEMORY;
--		return ld->ld_errno;
--	}
++	/* Set up a BerElement from the berval returned in the control. */
++	ber_init2( ber, &ctrl->ldctl_value, 0 );
  	/* Extract the count and cookie from the control. */
  	drp = &drhead;
@@ -243,8 +239,6 @@ ldap_parse_derefresponse_control(
  	tag = 0;
  done:;
--        ber_free( ber, 1 );
--
  	if ( tag == LBER_ERROR ) {
  		if ( drhead != NULL ) {
  			ldap_derefresponse_free( drhead );
 diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
 index 900a979..57e44f8 100644
 --- a/libraries/libldap/ldif.c
 +++ b/libraries/libldap/ldif.c
@@ -729,7 +729,8 @@ ldif_open(
  	if ( fp ) {
  		lfp = ber_memalloc( sizeof( LDIFFP ));
  		if ( lfp == NULL ) {
--		    return NULL;
++			fclose( fp );
++			return NULL;
+ 		}
  		lfp->fp = fp;
  		lfp->prev = NULL;
 diff --git a/libraries/libldap/turn.c b/libraries/libldap/turn.c
 index 565b449..7725f01 100644
 --- a/libraries/libldap/turn.c
 +++ b/libraries/libldap/turn.c
@@ -44,7 +44,7 @@ ldap_turn(
+ {
  #ifdef LDAP_EXOP_X_TURN
  	BerElement *turnvalber = NULL;
--	struct berval *turnvalp = NULL;
++	struct berval turnval;
  	int rc;
  	turnvalber = ber_alloc_t( LBER_USE_DER );
@@ -53,10 +53,10 @@ ldap_turn(
  	} else {
  		ber_printf( turnvalber, "{s}", identifier );
+ 	}
--	ber_flatten( turnvalber, &turnvalp );
++	ber_flatten2( turnvalber, &turnval, 0 );
  	rc = ldap_extended_operation( ld, LDAP_EXOP_X_TURN,
--			turnvalp, sctrls, cctrls, msgidp );
++			&turnval, sctrls, cctrls, msgidp );
  	ber_free( turnvalber, 1 );
  	return rc;
  #else
@@ -74,7 +74,7 @@ ldap_turn_s(
+ {
  #ifdef LDAP_EXOP_X_TURN
  	BerElement *turnvalber = NULL;
--	struct berval *turnvalp = NULL;
++	struct berval turnval;
  	int rc;
  	turnvalber = ber_alloc_t( LBER_USE_DER );
@@ -83,10 +83,10 @@ ldap_turn_s(
  	} else {
  		ber_printf( turnvalber, "{s}", identifier );
+ 	}
--	ber_flatten( turnvalber, &turnvalp );
++	ber_flatten2( turnvalber, &turnval, 0 );
  	rc = ldap_extended_operation_s( ld, LDAP_EXOP_X_TURN,
--			turnvalp, sctrls, cctrls, NULL, NULL );
++			&turnval, sctrls, cctrls, NULL, NULL );
  	ber_free( turnvalber, 1 );
  	return rc;
  #else
 diff --git a/libraries/libldap/txn.c b/libraries/libldap/txn.c
 index 66b22e8..6409002 100644
 --- a/libraries/libldap/txn.c
 +++ b/libraries/libldap/txn.c
@@ -68,7 +68,7 @@ ldap_txn_end(
+ {
  	int rc;
  	BerElement *txnber = NULL;
--	struct berval *txnval = NULL;
++	struct berval txnval;
  	assert( txnid != NULL );
@@ -80,10 +80,10 @@ ldap_txn_end(
  		ber_printf( txnber, "{bON}", commit, txnid );
+ 	}
--	ber_flatten( txnber, &txnval );
++	ber_flatten2( txnber, &txnval, 0 );
  	rc = ldap_extended_operation( ld, LDAP_EXOP_TXN_END,
--		txnval, sctrls, cctrls, msgidp );
++		&txnval, sctrls, cctrls, msgidp );
  	ber_free( txnber, 1 );
  	return rc;
@@ -100,7 +100,7 @@ ldap_txn_end_s(
+ {
  	int rc;
  	BerElement *txnber = NULL;
--	struct berval *txnval = NULL;
++	struct berval txnval;
  	struct berval *retdata = NULL;
  	if ( retidp != NULL ) *retidp = -1;
@@ -113,10 +113,10 @@ ldap_txn_end_s(
  		ber_printf( txnber, "{bON}", commit, txnid );
+ 	}
--	ber_flatten( txnber, &txnval );
++	ber_flatten2( txnber, &txnval, 0 );
  	rc = ldap_extended_operation_s( ld, LDAP_EXOP_TXN_END,
--		txnval, sctrls, cctrls, NULL, &retdata );
++		&txnval, sctrls, cctrls, NULL, &retdata );
  	ber_free( txnber, 1 );
 diff --git a/libraries/librewrite/rewrite-int.h b/libraries/librewrite/rewrite-int.h
 index 0deb72b..441db51 100644
 --- a/libraries/librewrite/rewrite-int.h
 +++ b/libraries/librewrite/rewrite-int.h
@@ -40,6 +40,11 @@
  #include <rewrite.h>
++#ifndef NO_THREADS
++#define USE_REWRITE_LDAP_PVT_THREADS
++#include <ldap_pvt_thread.h>
++#endif
++
  #define malloc(x)	ber_memalloc(x)
  #define calloc(x,y)	ber_memcalloc(x,y)
  #define realloc(x,y)	ber_memrealloc(x,y)
@@ -47,11 +52,6 @@
  #undef strdup
  #define	strdup(x)	ber_strdup(x)
--#ifndef NO_THREADS
--#define USE_REWRITE_LDAP_PVT_THREADS
--#include <ldap_pvt_thread.h>
--#endif
--
  /*
   * For details, see RATIONALE.
   */
 diff --git a/servers/lloadd/operation.c b/servers/lloadd/operation.c
 index 4fdc190..9074404 100644
 --- a/servers/lloadd/operation.c
 +++ b/servers/lloadd/operation.c
@@ -589,19 +589,20 @@ connection_timeout( LloadConnection *upstream, void *arg )
                                                 LDAP_ADMINLIMIT_EXCEEDED,
                  "upstream did not respond in time", 0 );
--        if ( rc == LDAP_SUCCESS ) {
++        if ( upstream->c_type != LLOAD_C_BIND && rc == LDAP_SUCCESS ) {
              rc = operation_send_abandon( op, upstream );
+         }
          operation_unlink( op );
+     }
--    /* TODO: if operation_send_abandon failed, we need to kill the upstream */
      if ( rc == LDAP_SUCCESS ) {
          connection_write_cb( -1, 0, upstream );
+     }
      CONNECTION_LOCK(upstream);
--    if ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) {
++    /* ITS#9799: If a Bind timed out, connection is in an unknown state */
++    if ( upstream->c_type == LLOAD_C_BIND || rc != LDAP_SUCCESS ||
++            ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) ) {
          CONNECTION_DESTROY(upstream);
      } else {
          CONNECTION_UNLOCK(upstream);
 diff --git a/servers/slapd/back-mdb/id2entry.c b/servers/slapd/back-mdb/id2entry.c
 index a7ba23a..aa6067a 100644
 --- a/servers/slapd/back-mdb/id2entry.c
 +++ b/servers/slapd/back-mdb/id2entry.c
@@ -779,7 +779,17 @@ mdb_opinfo_get( Operation *op, struct mdb_info *mdb, int rdonly, mdb_op_info **m
  			return rc;
+ 		}
  		if ( ldap_pvt_thread_pool_getkey( ctx, mdb->mi_dbenv, &data, NULL ) ) {
++			int retried = 0;
++retry:
  			rc = mdb_txn_begin( mdb->mi_dbenv, NULL, MDB_RDONLY, &moi->moi_txn );
++			if (rc == MDB_READERS_FULL && !retried) {
++				int dead;
++				/* if any stale readers were cleared, a slot should be available */
++				if (!mdb_reader_check( mdb->mi_dbenv, &dead ) && dead) {
++					retried = 1;
++					goto retry;
++				}
++			}
  			if (rc) {
  				Debug( LDAP_DEBUG_ANY, "mdb_opinfo_get: err %s(%d)\n",
  					mdb_strerror(rc), rc );
 diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
 index 42f9039..cfe35aa 100644
 --- a/servers/slapd/backend.c
 +++ b/servers/slapd/backend.c
@@ -199,10 +199,7 @@ int backend_startup_one(Backend *be, ConfigReply *cr)
  	assert( be != NULL );
--	be->be_pending_csn_list = (struct be_pcl *)
--		ch_calloc( 1, sizeof( struct be_pcl ) );
--
--	LDAP_TAILQ_INIT( be->be_pending_csn_list );
++	LDAP_TAILQ_INIT( &be->be_pcsn_st.be_pcsn_list );
  	Debug( LDAP_DEBUG_TRACE,
  		"backend_startup_one: starting \"%s\"\n",
@@ -433,18 +430,15 @@ int backend_shutdown( Backend *be )
  void
  backend_stopdown_one( BackendDB *bd )
+ {
--	if ( bd->be_pending_csn_list ) {
--		struct slap_csn_entry *csne;
--		csne = LDAP_TAILQ_FIRST( bd->be_pending_csn_list );
--		while ( csne ) {
--			struct slap_csn_entry *tmp_csne = csne;
++	struct slap_csn_entry *csne;
++	csne = LDAP_TAILQ_FIRST( &bd->be_pcsn_st.be_pcsn_list );
++	while ( csne ) {
++		struct slap_csn_entry *tmp_csne = csne;
--			LDAP_TAILQ_REMOVE( bd->be_pending_csn_list, csne, ce_csn_link );
--			ch_free( csne->ce_csn.bv_val );
--			csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
--			ch_free( tmp_csne );
--		}
--		ch_free( bd->be_pending_csn_list );
++		LDAP_TAILQ_REMOVE( &bd->be_pcsn_st.be_pcsn_list, csne, ce_csn_link );
++		ch_free( csne->ce_csn.bv_val );
++		csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
++		ch_free( tmp_csne );
+ 	}
  	if ( bd->bd_info->bi_db_destroy ) {
@@ -487,7 +481,7 @@ void backend_destroy_one( BackendDB *bd, int dynamic )
  		ber_bvarray_free( bd->be_update_refs );
+ 	}
--	ldap_pvt_thread_mutex_destroy( &bd->be_pcl_mutex );
++	ldap_pvt_thread_mutex_destroy( &bd->be_pcsn_st.be_pcsn_mutex );
  	if ( dynamic ) {
  		free( bd );
@@ -624,7 +618,8 @@ backend_db_init(
  	be->be_requires = frontendDB->be_requires;
  	be->be_ssf_set = frontendDB->be_ssf_set;
--	ldap_pvt_thread_mutex_init( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_init( &be->be_pcsn_st.be_pcsn_mutex );
++	be->be_pcsn_p = &be->be_pcsn_st;
   	/* assign a default depth limit for alias deref */
  	be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH;
@@ -638,7 +633,7 @@ backend_db_init(
  		/* If we created and linked this be, remove it and free it */
  		if ( !b0 ) {
  			LDAP_STAILQ_REMOVE(&backendDB, be, BackendDB, be_next);
--			ldap_pvt_thread_mutex_destroy( &be->be_pcl_mutex );
++			ldap_pvt_thread_mutex_destroy( &be->be_pcsn_st.be_pcsn_mutex );
  			ch_free( be );
  			be = NULL;
  			nbackends--;
 diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
 index e7db4ff..3183f2f 100644
 --- a/servers/slapd/backglue.c
 +++ b/servers/slapd/backglue.c
@@ -1381,6 +1381,11 @@ glue_sub_del( BackendDB *b0 )
  				gi->gi_nodes--;
+ 			}
+ 		}
++		/* Mark as no longer linked/sub */
++		b0->be_flags &= ~(SLAP_DBFLAG_GLUE_SUBORDINATE|SLAP_DBFLAG_GLUE_LINKED|
++			SLAP_DBFLAG_GLUE_ADVERTISE);
++		b0->be_pcsn_p = &b0->be_pcsn_st;
++		break;
+ 	}
  	if ( be == NULL )
  		rc = LDAP_NO_SUCH_OBJECT;
@@ -1440,6 +1445,7 @@ glue_sub_attach( int online )
  				&gi->gi_n[gi->gi_nodes].gn_pdn );
  			gi->gi_nodes++;
  			on->on_bi.bi_private = gi;
++			ga->ga_be->be_pcsn_p = be->be_pcsn_p;
  			ga->ga_be->be_flags |= SLAP_DBFLAG_GLUE_LINKED;
  			break;
+ 		}
 diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
 index 5159461..de602c9 100644
 --- a/servers/slapd/bind.c
 +++ b/servers/slapd/bind.c
@@ -500,7 +500,7 @@ fe_op_lastbind( Operation *op )
+ 		}
+ 	}
--	rc = op->o_bd->be_modify( &op2, &r2 );
++	rc = op2.o_bd->be_modify( &op2, &r2 );
  	slap_mods_free( m, 1 );
  done:
 diff --git a/servers/slapd/ctxcsn.c b/servers/slapd/ctxcsn.c
 index 55da649..a8f73c3 100644
 --- a/servers/slapd/ctxcsn.c
 +++ b/servers/slapd/ctxcsn.c
@@ -54,9 +54,9 @@ slap_get_commit_csn(
  		sid = slap_parse_csn_sid( &op->o_csn );
+ 	}
--	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
--	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
  		if ( csne->ce_op == op ) {
  			csne->ce_state = SLAP_CSN_COMMIT;
  			if ( foundit ) *foundit = 1;
@@ -64,7 +64,7 @@ slap_get_commit_csn(
+ 		}
+ 	}
--	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
  		if ( sid != -1 && sid == csne->ce_sid ) {
  			if ( csne->ce_state == SLAP_CSN_COMMIT ) committed_csne = csne;
  			if ( csne->ce_state == SLAP_CSN_PENDING ) break;
@@ -82,7 +82,7 @@ slap_get_commit_csn(
  			maxcsn->bv_val[0] = 0;
+ 		}
+ 	}
--	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
  void
@@ -91,16 +91,16 @@ slap_rewind_commit_csn( Operation *op )
  	struct slap_csn_entry *csne;
  	BackendDB *be = op->o_bd->bd_self;
--	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
--	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
  		if ( csne->ce_op == op ) {
  			csne->ce_state = SLAP_CSN_PENDING;
  			break;
+ 		}
+ 	}
--	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
  void
@@ -113,11 +113,11 @@ slap_graduate_commit_csn( Operation *op )
  	if ( op->o_bd == NULL ) return;
  	be = op->o_bd->bd_self;
--	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
--	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
  		if ( csne->ce_op == op ) {
--			LDAP_TAILQ_REMOVE( be->be_pending_csn_list,
++			LDAP_TAILQ_REMOVE( &be->be_pcsn_p->be_pcsn_list,
  				csne, ce_csn_link );
  			Debug( LDAP_DEBUG_SYNC, "slap_graduate_commit_csn: removing %p %s\n",
  				csne, csne->ce_csn.bv_val );
@@ -130,7 +130,7 @@ slap_graduate_commit_csn( Operation *op )
+ 		}
+ 	}
--	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
  	return;
+ }
@@ -194,10 +194,10 @@ slap_queue_csn(
  	pending->ce_op = op;
  	pending->ce_state = SLAP_CSN_PENDING;
--	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
--	LDAP_TAILQ_INSERT_TAIL( be->be_pending_csn_list,
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
++	LDAP_TAILQ_INSERT_TAIL( &be->be_pcsn_p->be_pcsn_list,
  		pending, ce_csn_link );
--	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
  int
 diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
 index 2f78b77..18db97a 100644
 --- a/servers/slapd/daemon.c
 +++ b/servers/slapd/daemon.c
@@ -227,11 +227,10 @@ static slap_daemon_st *slap_daemon;
      slap_daemon[t].sd_kq = kqueue(); \
  } while (0)
--/* a kqueue fd obtained before a fork can't be used in child process.
-- * close it and reacquire it.
++/* a kqueue fd obtained before a fork isn't inherited by child process.
++ * reacquire it.
   */
  # define SLAP_SOCK_INIT2() do { \
--	close(slap_daemon[0].sd_kq); \
  	slap_daemon[0].sd_kq = kqueue(); \
  } while (0)
 diff --git a/servers/slapd/frontend.c b/servers/slapd/frontend.c
 index c773f49..d0ca419 100644
 --- a/servers/slapd/frontend.c
 +++ b/servers/slapd/frontend.c
@@ -108,7 +108,7 @@ frontend_init( void )
  	frontendDB->be_def_limit.lms_s_pr_hide = 0;			/* don't hide number of entries left */
  	frontendDB->be_def_limit.lms_s_pr_total = 0;			/* number of total entries returned by pagedResults equal to hard limit */
--	ldap_pvt_thread_mutex_init( &frontendDB->be_pcl_mutex );
++	ldap_pvt_thread_mutex_init( &frontendDB->be_pcsn_st.be_pcsn_mutex );
  	/* suffix */
  	frontendDB->be_suffix = ch_calloc( 2, sizeof( struct berval ) );
 diff --git a/servers/slapd/overlays/accesslog.c b/servers/slapd/overlays/accesslog.c
 index ed62c21..cbdaa53 100644
 --- a/servers/slapd/overlays/accesslog.c
 +++ b/servers/slapd/overlays/accesslog.c
@@ -2283,6 +2283,8 @@ accesslog_db_destroy(
  		ch_free( li->li_sids );
  	if ( li->li_mincsn )
  		ber_bvarray_free( li->li_mincsn );
++	if ( li->li_db_suffix.bv_val )
++		ch_free( li->li_db_suffix.bv_val );
  	ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
  	ldap_pvt_thread_mutex_destroy( &li->li_op_rmutex );
  	free( li );
 diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
 index fcf29c6..423c196 100644
 --- a/servers/slapd/overlays/pcache.c
 +++ b/servers/slapd/overlays/pcache.c
@@ -4540,7 +4540,6 @@ pcache_db_init(
  	SLAP_DBFLAGS(&cm->db) |= SLAP_DBFLAG_NO_SCHEMA_CHECK;
  	cm->db.be_private = NULL;
  	cm->db.bd_self = &cm->db;
--	cm->db.be_pending_csn_list = NULL;
  	cm->qm = qm;
  	cm->numattrsets = 0;
  	cm->num_entries_limit = 5;
 diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
 index a2c86f6..a3f2e70 100644
 --- a/servers/slapd/overlays/ppolicy.c
 +++ b/servers/slapd/overlays/ppolicy.c
@@ -1405,7 +1405,8 @@ free_pwd_history_list( pw_hist **l )
+ }
  typedef struct ppbind {
--	slap_overinst *on;
++	pp_info *pi;
++	BackendDB *be;
  	int send_ctrl;
  	int set_restrict;
  	LDAPControl **oldctrls;
@@ -1455,8 +1456,7 @@ static int
  ppolicy_bind_response( Operation *op, SlapReply *rs )
+ {
  	ppbind *ppb = op->o_callback->sc_private;
--	slap_overinst *on = ppb->on;
--	pp_info *pi = on->on_bi.bi_private;
++	pp_info *pi = ppb->pi;
  	Modifications *mod = ppb->mod, *m;
  	int pwExpired = 0;
  	int ngut = -1, warn = -1, fc = 0, age, rc;
@@ -1467,7 +1467,7 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
  	char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
  	char nowstr_usec[ LDAP_LUTIL_GENTIME_BUFSIZE+8 ];
  	struct berval timestamp, timestamp_usec;
--	BackendInfo *bi = op->o_bd->bd_info;
++	BackendDB *be = op->o_bd;
  	LDAPControl *ctrl = NULL;
  	Entry *e;
@@ -1477,9 +1477,9 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
  		goto locked;
+ 	}
--	op->o_bd->bd_info = (BackendInfo *)on->on_info;
++	op->o_bd = ppb->be;
  	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
--	op->o_bd->bd_info = bi;
++	op->o_bd = be;
  	if ( rc != LDAP_SUCCESS ) {
  		ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
@@ -1781,8 +1781,9 @@ check_expiring_password:
+ 	}
  done:
--	op->o_bd->bd_info = (BackendInfo *)on->on_info;
++	op->o_bd = ppb->be;
  	be_entry_release_r( op, e );
++	op->o_bd = be;
  locked:
  	if ( mod && !pi->disable_write ) {
@@ -1821,7 +1822,7 @@ locked:
  				op2.orm_no_opattrs = 1;
  				op2.o_dont_replicate = 1;
+ 			}
--			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
++			op2.o_bd = ppb->be;
+ 		}
  		rc = op2.o_bd->be_modify( &op2, &r2 );
  		if ( rc != LDAP_SUCCESS ) {
@@ -1852,7 +1853,6 @@ locked:
  		ppb->oldctrls = add_passcontrol( op, rs, ctrl );
  		op->o_callback->sc_cleanup = ppolicy_ctrls_cleanup;
+ 	}
--	op->o_bd->bd_info = bi;
  	ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
  	return SLAP_CB_CONTINUE;
+ }
@@ -1885,7 +1885,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
  		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
 , op->o_tmpmemctx );
  		ppb = (ppbind *)(cb+1);
--		ppb->on = on;
++		ppb->pi = on->on_bi.bi_private;
++		ppb->be = op->o_bd->bd_self;
  		ppb->pErr = PP_noError;
  		ppb->set_restrict = 1;
@@ -2175,7 +2176,8 @@ ppolicy_compare(
  		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
 , op->o_tmpmemctx );
  		ppb = (ppbind *)(cb+1);
--		ppb->on = on;
++		ppb->pi = on->on_bi.bi_private;
++		ppb->be = op->o_bd->bd_self;
  		ppb->pErr = PP_noError;
  		ppb->send_ctrl = 1;
  		/* failures here don't lockout the connection */
 diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
 index 36978d6..6d749a5 100644
 --- a/servers/slapd/overlays/syncprov.c
 +++ b/servers/slapd/overlays/syncprov.c
@@ -3163,6 +3163,8 @@ syncprov_op_search( Operation *op, SlapReply *rs )
  			 */
  			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
  			if ( slapd_shutdown ) {
++aband:
++				ch_free( sop->s_base.bv_val );
  				ch_free( sop );
  				return SLAPD_ABANDON;
+ 			}
@@ -3172,8 +3174,7 @@ syncprov_op_search( Operation *op, SlapReply *rs )
+ 		}
  		if ( op->o_abandon ) {
  			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
--			ch_free( sop );
--			return SLAPD_ABANDON;
++			goto aband;
+ 		}
  		ldap_pvt_thread_mutex_init( &sop->s_mutex );
  		sop->s_next = si->si_ops;
@@ -3242,14 +3243,8 @@ syncprov_op_search( Operation *op, SlapReply *rs )
  		if (srs->sr_state.numcsns != numcsns) {
  			/* consumer doesn't have the right number of CSNs */
  			Debug( LDAP_DEBUG_SYNC, "%s syncprov_op_search: "
--				"consumer cookie is missing a csn we track%s\n",
--				op->o_log_prefix, si->si_nopres ? ", rejecting" : "" );
--
--			if ( si->si_nopres ) {
--				rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
--				rs->sr_text = "not enough information to resync, please use other means";
--				goto bailout;
--			}
++				"consumer cookie is missing a csn we track\n",
++				op->o_log_prefix );
  			changed = SS_CHANGED;
  			if ( srs->sr_state.ctxcsn ) {
@@ -3302,6 +3297,7 @@ bailout:
  						sp = &(*sp)->s_next;
  					*sp = sop->s_next;
  					ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
++					ch_free( sop->s_base.bv_val );
  					ch_free( sop );
+ 				}
  				rs->sr_ctrls = NULL;
@@ -3348,7 +3344,55 @@ no_change:	if ( !(op->o_sync_mode & SLAP_SYNC_PERSIST) ) {
  					numcsns, sids, &mincsn, minsid ) ) {
  				do_present = SS_PRESENT;
+ 			}
++		} else if ( ad_minCSN != NULL && si->si_nopres && si->si_usehint ) {
++			/* We are instructed to trust minCSN if it exists. */
++			Entry *e;
++			Attribute *a = NULL;
++			int rc;
++
++			/*
++			 * ITS#9580 FIXME: when we've figured out and split the
++			 * sessionlog/deltalog tracking, use the appropriate attribute
++			 */
++			rc = overlay_entry_get_ov( op, &op->o_bd->be_nsuffix[0], NULL,
++					ad_minCSN, 0, &e, on );
++			if ( rc == LDAP_SUCCESS && e != NULL ) {
++				a = attr_find( e->e_attrs, ad_minCSN );
++			}
++
++			if ( a != NULL ) {
++				int *minsids;
++
++				minsids = slap_parse_csn_sids( a->a_vals, a->a_numvals, op->o_tmpmemctx );
++				slap_sort_csn_sids( a->a_vals, minsids, a->a_numvals, op->o_tmpmemctx );
++
++				for ( i=0, j=0; i < a->a_numvals; i++ ) {
++					while ( j < numcsns && minsids[i] > sids[j] ) j++;
++					if ( j < numcsns && minsids[i] == sids[j] &&
++							ber_bvcmp( &a->a_vals[i], &srs->sr_state.ctxcsn[j] ) <= 0 ) {
++						/* minCSN for this serverID is contained, keep going */
++						continue;
++					}
++					/*
++					 * Log DB's minCSN claims we can only replay from a certain
++					 * CSN for this serverID, but consumer's cookie hasn't met that
++					 * threshold: they need to refresh
++					 */
++					Debug( LDAP_DEBUG_SYNC, "%s syncprov_op_search: "
++						"consumer not within recorded mincsn for DB's mincsn=%s\n",
++						op->o_log_prefix, a->a_vals[i].bv_val );
++					rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
++					rs->sr_text = "sync cookie is stale";
++					slap_sl_free( minsids, op->o_tmpmemctx );
++					overlay_entry_release_ov( op, e, 0, on );
++					goto bailout;
++				}
++				slap_sl_free( minsids, op->o_tmpmemctx );
++			}
++			if ( e != NULL )
++				overlay_entry_release_ov( op, e, 0, on );
+ 		}
++
  		/*
  		 * If sessionlog wasn't useful, see if we can find at least one entry
  		 * that hasn't changed based on the cookie.
@@ -3793,6 +3837,10 @@ sp_cf_gen(ConfigArgs *c)
  		break;
  	case SP_USEHINT:
  		si->si_usehint = c->value_int;
++		if ( si->si_usehint ) {
++			/* Consider we might be a delta provider, but it's ok if not */
++			(void)syncprov_setup_accesslog();
++		}
  		break;
  	case SP_LOGDB:
  		if ( si->si_logs ) {
@@ -4137,6 +4185,8 @@ syncprov_db_destroy(
  			ber_bvarray_free( si->si_ctxcsn );
  		if ( si->si_sids )
  			ch_free( si->si_sids );
++		if ( si->si_logbase.bv_val )
++			ch_free( si->si_logbase.bv_val );
  		ldap_pvt_thread_mutex_destroy( &si->si_resp_mutex );
  		ldap_pvt_thread_mutex_destroy( &si->si_mods_mutex );
  		ldap_pvt_thread_mutex_destroy( &si->si_ops_mutex );
 diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
 index a034a58..2d31bb0 100644
 --- a/servers/slapd/overlays/translucent.c
 +++ b/servers/slapd/overlays/translucent.c
@@ -1439,7 +1439,7 @@ translucent_db_destroy( BackendDB *be, ConfigReply *cr )
  			backend_stopdown_one( &ov->db );
+ 		}
--		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcl_mutex );
++		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcsn_st.be_pcsn_mutex );
  		ch_free(ov);
  		on->on_bi.bi_private = NULL;
+ 	}
 diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
 index 952c1ed..7a7c8fb 100644
 --- a/servers/slapd/overlays/unique.c
 +++ b/servers/slapd/overlays/unique.c
@@ -1225,13 +1225,15 @@ unique_modify(
  		return rc;
+ 	}
--	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
--			get_relax(op) > SLAP_CONTROL_IGNORED
--			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
--			&& e
--			&& access_allowed( op, e,
--				slap_schema.si_ad_entry, NULL,
--				ACL_MANAGE, NULL ) ) ) {
++	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
++		return rc;
++	}
++	if ( get_relax(op) > SLAP_CONTROL_IGNORED
++		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
++		&& e
++		&& access_allowed( op, e,
++			slap_schema.si_ad_entry, NULL,
++			ACL_MANAGE, NULL ) ) {
  		overlay_entry_release_ov( op, e, 0, on );
  		return rc;
+ 	}
@@ -1363,13 +1365,15 @@ unique_modrdn(
  	Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
  		op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
--	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
--			get_relax(op) > SLAP_CONTROL_IGNORED
--			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
--			&& e
--			&& access_allowed( op, e,
--				slap_schema.si_ad_entry, NULL,
--				ACL_MANAGE, NULL ) ) ) {
++	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
++		return rc;
++	}
++	if ( get_relax(op) > SLAP_CONTROL_IGNORED
++		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
++		&& e
++		&& access_allowed( op, e,
++			slap_schema.si_ad_entry, NULL,
++			ACL_MANAGE, NULL ) ) {
  		overlay_entry_release_ov( op, e, 0, on );
  		return rc;
+ 	}
 diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
 index 0fc78d7..5cf2f46 100644
 --- a/servers/slapd/slap.h
 +++ b/servers/slapd/slap.h
@@ -1786,7 +1786,13 @@ struct sync_cookie {
  LDAP_STAILQ_HEAD( slap_sync_cookie_s, sync_cookie );
--LDAP_TAILQ_HEAD( be_pcl, slap_csn_entry );
++/* Defs for pending_csn_list */
++LDAP_TAILQ_HEAD( be_pclh, slap_csn_entry );
++
++typedef struct be_pcsn {
++	struct be_pclh			be_pcsn_list;
++	ldap_pvt_thread_mutex_t	be_pcsn_mutex;
++} be_pcsn;
  #ifndef SLAP_MAX_CIDS
  #define	SLAP_MAX_CIDS	32	/* Maximum number of supported controls */
@@ -1990,8 +1996,8 @@ struct BackendDB {
  	/* Consumer Information */
  	struct berval be_update_ndn;	/* allowed to make changes (in replicas) */
  	BerVarray	be_update_refs;	/* where to refer modifying clients to */
--	struct		be_pcl	*be_pending_csn_list;
--	ldap_pvt_thread_mutex_t					be_pcl_mutex;
++	be_pcsn	be_pcsn_st;			/* be_pending_csn_list now inside this */
++	be_pcsn	*be_pcsn_p;
  	struct syncinfo_s						*be_syncinfo; /* For syncrepl */
  	void    *be_pb;         /* Netscape plugin */
 diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
 index 6ed5580..52e67e4 100644
 --- a/servers/slapd/syncrepl.c
 +++ b/servers/slapd/syncrepl.c
@@ -3107,10 +3107,8 @@ syncrepl_message_to_op(
  				ch_free( bvals );
  				goto done;
+ 			}
--			ber_dupbv( &op->o_req_dn, &dn );
--			ber_dupbv( &op->o_req_ndn, &ndn );
--			slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
--			slap_sl_free( dn.bv_val, op->o_tmpmemctx );
++			op->o_req_dn = dn;
++			op->o_req_ndn = ndn;
  			freeReqDn = 1;
  		} else if ( !ber_bvstrcasecmp( &bv, &ls->ls_req ) ) {
  			int i = verb_to_mask( bvals[0].bv_val, modops );
@@ -3220,9 +3218,8 @@ syncrepl_message_to_op(
  		if ( op->o_tag == LDAP_REQ_ADD ) {
  			Entry *e = entry_alloc();
  			op->ora_e = e;
--			op->ora_e->e_name = op->o_req_dn;
--			op->ora_e->e_nname = op->o_req_ndn;
--			freeReqDn = 0;
++			ber_dupbv( &op->ora_e->e_name, &op->o_req_dn );
++			ber_dupbv( &op->ora_e->e_nname, &op->o_req_ndn );
  			rc = slap_mods2entry( modlist, &op->ora_e, 1, 0, &text, txtbuf, textlen);
  			if( rc != LDAP_SUCCESS ) {
  				Debug( LDAP_DEBUG_ANY, "syncrepl_message_to_op: %s "
@@ -3353,8 +3350,8 @@ done:
+ 		}
+ 	}
  	if ( freeReqDn ) {
--		ch_free( op->o_req_ndn.bv_val );
--		ch_free( op->o_req_dn.bv_val );
++		op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
++		op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
+ 	}
  	ber_free( ber, 0 );
  	return rc;
 diff --git a/tests/data/slapd-deltasync-provider.conf b/tests/data/slapd-deltasync-provider.conf
 index 03fd714..14327d1 100644
 --- a/tests/data/slapd-deltasync-provider.conf
 +++ b/tests/data/slapd-deltasync-provider.conf
@@ -29,6 +29,10 @@ argsfile	@TESTDIR@/slapd.1.args
  #accesslogmod#modulepath ../servers/slapd/overlays/
  #accesslogmod#moduleload accesslog.la
++database	config
++include		@TESTDIR@/configpw.conf
++
++
  #######################################################################
  # provider database definitions
  #######################################################################
 diff --git a/tests/progs/Makefile.in b/tests/progs/Makefile.in
 index 0421982..5e7a2a2 100644
 --- a/tests/progs/Makefile.in
 +++ b/tests/progs/Makefile.in
@@ -56,7 +56,7 @@ slapd-modify: slapd-modify.o $(OBJS) $(XLIBS)
  slapd-bind: slapd-bind.o $(OBJS) $(XLIBS)
  	$(LTLINK) -o $@ slapd-bind.o $(OBJS) $(LIBS)
--ldif-filter: ldif-filter.o $(XLIBS)
++ldif-filter: ldif-filter.o $(OBJS) $(XLIBS)
  	$(LTLINK) -o $@ ldif-filter.o $(OBJS) $(LIBS)
  slapd-mtread: slapd-mtread.o $(OBJS) $(XLIBS)
 diff --git a/tests/progs/slapd-watcher.c b/tests/progs/slapd-watcher.c
 index 116d63f..0fed11f 100644
 --- a/tests/progs/slapd-watcher.c
 +++ b/tests/progs/slapd-watcher.c
@@ -139,12 +139,13 @@ usage( char *name, char opt )
  		"[-x | -Y <SASL mech>] "
  		"[-i <interval>] "
  		"[-s <sids>] "
++		"[-c <contextDN>] "
  		"[-b <baseDN> ] URI[...]\n",
  		name );
  	exit( EXIT_FAILURE );
+ }
--struct berval base;
++struct berval base, cbase;
  int interval = 10;
  int numservers;
  server *servers;
@@ -509,9 +510,9 @@ setup_server( struct tester_conn_args *config, server *sv, int first )
+ 		}
  		ldap_msgfree( res );
--		if ( base.bv_val ) {
++		if ( cbase.bv_val ) {
  			char *attr2[] = { at_contextCSN.bv_val, NULL };
--			rc = ldap_search_ext_s( ld, base.bv_val, LDAP_SCOPE_BASE, "(objectClass=*)",
++			rc = ldap_search_ext_s( ld, cbase.bv_val, LDAP_SCOPE_BASE, "(objectClass=*)",
  				attr2, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
  			switch(rc) {
  			case LDAP_SUCCESS:
@@ -573,11 +574,17 @@ main( int argc, char **argv )
  	config = tester_init( "slapd-watcher", TESTER_TESTER );
  	config->authmethod = LDAP_AUTH_SIMPLE;
--	while ( ( i = getopt( argc, argv, "D:O:R:U:X:Y:b:d:i:s:w:x" ) ) != EOF )
++	while ( ( i = getopt( argc, argv, "D:O:R:U:X:Y:b:c:d:i:s:w:x" ) ) != EOF )
+ 	{
  		switch ( i ) {
--		case 'b':		/* base DN for contextCSN lookups */
++		case 'b':		/* base DN for DB entrycount lookups */
  			ber_str2bv( optarg, 0, 0, &base );
++			if ( !cbase.bv_val )
++				cbase = base;
++			break;
++
++		case 'c':		/* base DN for contextCSN lookups */
++			ber_str2bv( optarg, 0, 0, &cbase );
  			break;
  		case 'i':
@@ -628,7 +635,7 @@ main( int argc, char **argv )
  		monfilter = MONFILTER;
+ 	}
--	if ( numservers > 1 ) {
++	if ( sids || numservers > 1 ) {
  		for ( i=0; i<numservers; i++ )
  			if ( sids )
  				servers[i].sid = atoi(sids[i]);
@@ -693,7 +700,7 @@ server_down1:
+ 				}
  				if (( servers[i].flags & HAS_BASE ) && !msg2[i] ) {
  					char *attrs[2] = { at_contextCSN.bv_val };
--					rc = ldap_search_ext( ld, base.bv_val,
++					rc = ldap_search_ext( ld, cbase.bv_val,
  						LDAP_SCOPE_BASE, "(objectClass=*)",
  						attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &msg2[i] );
  					if ( rc != LDAP_SUCCESS ) {
 diff --git a/tests/scripts/test020-proxycache b/tests/scripts/test020-proxycache
 index 8b38a7b..af4cc9e 100755
 --- a/tests/scripts/test020-proxycache
 +++ b/tests/scripts/test020-proxycache
@@ -40,6 +40,11 @@ if test $BACKEND = ldif ; then
  	exit 0
  fi
++if test $BACKEND = wt ; then
++	echo "Test does not support $BACKEND backend, test skipped"
++	exit 0
++fi
++
  mkdir -p $TESTDIR $DBDIR1 $DBDIR2
  # Test proxy caching:
 diff --git a/tests/scripts/test043-delta-syncrepl b/tests/scripts/test043-delta-syncrepl
 index c919478..0d30e72 100755
 --- a/tests/scripts/test043-delta-syncrepl
 +++ b/tests/scripts/test043-delta-syncrepl
@@ -34,6 +34,8 @@ mkdir -p $TESTDIR $DBDIR1A $DBDIR1B $DBDIR2
  SPEC="mdb=a"
++$SLAPPASSWD -g -n >$CONFIGPWF
++echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
+ #
  # Test replication:
  # - start provider
@@ -129,6 +131,7 @@ sleep $SLEEP1
  echo "Stopping the provider, sleeping 10 seconds and restarting it..."
  kill -HUP "$PID"
++wait $PID
  sleep 10
  echo "RESTART" >> $LOG1
  $SLAPD -f $CONF1 -h $URI1 -d $LVL >> $LOG1 2>&1 &
@@ -296,7 +299,8 @@ fi
  echo "Stopping consumer to test recovery..."
  kill -HUP $CONSUMERPID
--sleep 10
++wait $CONSUMERPID
++KILLPIDS="$PID"
  echo "Modifying more entries on the provider..."
  $LDAPMODIFY -v -D "$BJORNSDN" -H $URI1 -w bjorn >> \
@@ -388,6 +392,144 @@ if test $RC != 0 ; then
  	exit $RC
  fi
++echo "Filtering provider results..."
++$LDIFFILTER -b $BACKEND -s $SPEC < $PROVIDEROUT | grep -iv "^auditcontext:" > $PROVIDERFLT
++echo "Filtering consumer results..."
++$LDIFFILTER -b $BACKEND -s $SPEC < $CONSUMEROUT | grep -iv "^auditcontext:" > $CONSUMERFLT
++
++echo "Comparing retrieved entries from provider and consumer..."
++$CMP $PROVIDERFLT $CONSUMERFLT > $CMPOUT
++
++if test $? != 0 ; then
++	echo "test failed - provider and consumer databases differ"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++echo "Stopping consumer to test recovery after logpurge expired..."
++kill -HUP $CONSUMERPID
++wait $CONSUMERPID
++KILLPIDS="$PID"
++
++echo "Modifying even more entries on the provider..."
++$LDAPMODIFY -v -D "$BJORNSDN" -H $URI1 -w bjorn >> \
++	$TESTOUT 2>&1 << EOMODS
++dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
++changetype: delete
++
++dn: cn=Bjorn Jensen, ou=Information Technology Division, ou=People, dc=example,dc=com
++changetype: modify
++add: drink
++drink: Sangria
++
++dn: cn=George D. Stevens, ou=Retired, ou=People, dc=example,dc=com
++changetype: add
++objectclass: OpenLDAPperson
++sn: Stevens
++uid: gstevens
++cn: George D. Stevens
++
++dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
++ dc=com
++changetype: modify
++replace: drink
++drink: cold water
++
++dn: cn=Some Staff,ou=Groups,dc=example,dc=com
++changetype: modrdn
++newrdn: cn=More Staff
++deleteoldrdn: 1
++
++EOMODS
++
++echo "Configuring logpurge of 1 second..."
++$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
++	$TESTOUT 2>&1 << EOMODS
++
++dn: olcOverlay={1}accesslog,olcDatabase={2}$BACKEND,cn=config
++changetype: modify
++replace: olcAccessLogPurge
++olcAccessLogPurge: 0+00:00:02 0+00:00:01
++-
++
++EOMODS
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapmodify failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Waiting 4 seconds for accesslog to be purged..."
++sleep 4
++
++echo "Using ldapsearch to check if accesslog is empty..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -b "cn=log" -H $URI1 -z 1 \
++		> $SEARCHOUT 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting 3 seconds for accesslog to be purged..."
++	sleep 3
++done
++
++if test $RC != 0; then
++	echo "Accesslog did not purge in time"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++
++echo "Restarting consumer..."
++echo "RESTART" >> $LOG2
++$SLAPD -f $CONF2 -h $URI2 -d $LVL >> $LOG2 2>&1 &
++CONSUMERPID=$!
++if test $WAIT != 0 ; then
++	echo CONSUMERPID $CONSUMERPID
++	read foo
++fi
++KILLPIDS="$PID $CONSUMERPID"
++
++echo "Waiting $SLEEP1 seconds for syncrepl to reschedule (ITS#9878) and poking it..."
++sleep $SLEEP1
++
++$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
++    'objectclass=*' > /dev/null 2>&1
++RC=$?
++
++if test $RC != 0; then
++	echo "ldapsearch failed at consumer ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
++sleep $SLEEP1
++
++echo "Using ldapsearch to read all the entries from the provider..."
++$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
++	'objectclass=*' \* + > $PROVIDEROUT 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at provider ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Using ldapsearch to read all the entries from the consumer..."
++$LDAPSEARCH -S "" -b "$BASEDN" -H $URI2 \
++	'objectclass=*' \* + > $CONSUMEROUT 2>&1
++RC=$?
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed at consumer ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
  test $KILLSERVERS != no && kill -HUP $KILLPIDS
  echo "Filtering provider results..."

Ubuntuopenldap package

Merge ~sergiodj/ubuntu/+source/openldap:mre-2.5.13-jammy into ubuntu/+source/openldap:ubuntu/jammy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
openldap package