Sync with HEAD

build/openldap.m4

@@ -18,10 +18,11 @@ dnl Restricted form of AC_ARG_ENABLE that limits user options
 dnl
 dnl $1 = option name
 dnl $2 = help-string
-dnl $3 = default value	(auto)
+dnl $3 = default value	(auto).  "--" means do not set it by default
 dnl $4 = allowed values (auto yes no)
 AC_DEFUN([OL_ARG_ENABLE], [# OpenLDAP --enable-$1
-	AC_ARG_ENABLE($1,changequote(<,>)<$2 [>ifelse($3,,auto,$3)<]>changequote([,]),[
+	AC_ARG_ENABLE($1,ifelse($3,--,[$2],
+		[changequote(<,>)<$2 [>ifelse($3,,auto,$3)<]>changequote([,])]),[
 	ol_arg=invalid
 	for ol_val in ifelse($4,,[auto yes no],[$4]) ; do
 		if test "$enableval" = "$ol_val" ; then
@@ -32,8 +33,8 @@ AC_DEFUN([OL_ARG_ENABLE], [# OpenLDAP --enable-$1
 		AC_MSG_ERROR(bad value $enableval for --enable-$1)
 	fi
 	ol_enable_$1="$ol_arg"
-],
-[	ol_enable_$1=ifelse($3,,"auto","$3")])dnl
+]ifelse($3,--,,[,
+[	ol_enable_$1=ifelse($3,,"auto","$3")]]))dnl
 dnl AC_VERBOSE(OpenLDAP -enable-$1 $ol_enable_$1)
 # end --enable-$1
 ])dnl

clients/tools/common.c

@@ -32,6 +32,14 @@
 #include <ac/unistd.h>
 #include <ac/errno.h>
 
+#ifdef HAVE_CYRUS_SASL
+#ifdef HAVE_SASL_SASL_H
+#include <sasl/sasl.h>
+#else
+#include <sasl.h>
+#endif
+#endif
+
 #include <ldap.h>
 
 #include "lutil_ldap.h"
@@ -709,6 +717,9 @@ tool_args( int argc, char **argv )
 				LDAP_VENDOR_NAME, LDAP_VENDOR_VERSION );
 			if (version > 1) exit( EXIT_SUCCESS );
 		}
+
+		ldap_memfree( api.ldapai_vendor_name );
+		ldap_value_free( api.ldapai_extensions );
 	}
 
 	if (protocol == -1)
@@ -963,6 +974,9 @@ tool_bind( LDAP *ld )
 			}
 		}
 #endif
+		if ( ctrls ) {
+			ldap_controls_free( ctrls );
+		}
 		if ( err != LDAP_SUCCESS || msgbuf[0] ) {
 			fprintf( stderr, "ldap_bind: %s%s\n", ldap_err2string( err ),
 				msgbuf );

clients/tools/ldapmodify.c

@@ -316,12 +316,12 @@ main( int argc, char **argv )
 #endif
 		|| preread || postread )
 	{
-		int err;
 		int i = 0;
 		LDAPControl c[1];
 
 #ifdef LDAP_GROUP_TRANSACTION
 		if( txn ) {
+			int err;
 			txnber = ber_alloc_t( LBER_USE_DER );
 			if( txnber == NULL ) return EXIT_FAILURE;
 
@@ -720,6 +720,9 @@ end_line:
 	if ( newrdn != NULL ) {
 		free( newrdn );
 	}
+	if ( newsup != NULL ) {
+		free( newsup );
+	}
 	if ( pmods != NULL ) {
 		ldap_mods_free( pmods, 1 );
 	}
@@ -1117,7 +1120,7 @@ static int process_response(
 {
 	LDAPMessage	*res;
 	int		rc = LDAP_OTHER;
-	struct timeval	tv = { 0 };
+	struct timeval	tv = { 0, 0 };
 
 	for ( ; ; ) {
 		tv.tv_sec = 0;
@@ -1144,7 +1147,6 @@ static int process_response(
 		}
 	}
 
-done:;
 	if ( ldap_msgtype( res ) != LDAP_RES_INTERMEDIATE ) {
 		rc = ldap_result2error( ld, res, 1 );
 		if( rc != LDAP_SUCCESS ) ldap_perror( ld, opstr );

clients/tools/ldapmodrdn.c

@@ -265,7 +265,7 @@ static int domodrdn(
 	}
 
 	for ( ; ; ) {
-		struct timeval	tv = { 0 };
+		struct timeval	tv = { 0, 0 };
 
 		if ( tool_check_abandon( ld, id ) ) {
 			return LDAP_CANCELLED;

clients/tools/ldapsearch.c

@@ -338,8 +338,7 @@ handle_private_option( int i )
 					exit( EXIT_FAILURE );
 				}
 			} else {
-				fprintf( stderr, _("Invalid value for PagedResultsControl.\n"),
-					cvalue);
+				fprintf(stderr, _("Invalid value for PagedResultsControl.\n"));
 				exit( EXIT_FAILURE );
 			}
 			pageSize = (ber_int_t) tmp;
@@ -466,7 +465,7 @@ handle_private_option( int i )
 		++ldif;
 		break;
 	case 's':	/* search scope */
-		if ( strncasecmp( optarg, "base", sizeof("base"-1) ) == 0 ) {
+		if ( strncasecmp( optarg, "base", sizeof("base")-1 ) == 0 ) {
 			scope = LDAP_SCOPE_BASE;
 		} else if ( strncasecmp( optarg, "one", sizeof("one")-1 ) == 0 ) {
 			scope = LDAP_SCOPE_ONELEVEL;
@@ -604,7 +603,7 @@ main( int argc, char **argv )
 	{
 		filtpattern = "(objectclass=*)";
 	} else {
-		filtpattern = strdup( argv[optind++] );
+		filtpattern = argv[optind++];
 	}
 
 	if ( argv[optind] != NULL ) {

configure.in

@@ -193,7 +193,7 @@ OL_ARG_ENABLE(spasswd,[    --enable-spasswd	  enable (Cyrus) SASL password verif
 OL_ARG_ENABLE(modules,[    --enable-modules	  enable dynamic module support], no)dnl
 dnl OL_ARG_ENABLE(multimaster,[    --enable-multimaster  enable multimaster replication], no)dnl
 ol_enable_multimaster=${ol_enable_multimaster-no}
-OL_ARG_ENABLE(rewrite,[    --enable-rewrite	  enable DN rewriting in back-ldap and the rwm overlay], auto)dnl
+OL_ARG_ENABLE(rewrite,[    --enable-rewrite	  enable DN rewriting in back-ldap and rwm overlay], auto)dnl
 OL_ARG_ENABLE(rlookups,[    --enable-rlookups	  enable reverse lookups of client hostnames], no)dnl
 OL_ARG_ENABLE(slapi,[    --enable-slapi        enable SLAPI support (experimental)], no)dnl
 OL_ARG_ENABLE(slp,[    --enable-slp          enable SLPv2 support], no)dnl     
@@ -208,37 +208,38 @@ AC_ARG_WITH(xxslapbackends,[
 SLAPD Backend Options:])
 
 OL_ARG_ENABLE(backends,[    --enable-backends	  enable all available backends no|yes|mod],
-	no, [no yes mod])dnl
+	--, [no yes mod])dnl
+test -n "$ol_enable_backends" && ol_dflt_backends="$ol_enable_backends"
 OL_ARG_ENABLE(bdb,[    --enable-bdb	  enable Berkeley DB backend no|yes|mod],
-	yes, [no yes mod])dnl
+	${ol_dflt_backends-yes}, [no yes mod])dnl
 OL_ARG_ENABLE(dnssrv,[    --enable-dnssrv	  enable dnssrv backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(hdb,[    --enable-hdb	  enable Hierarchical DB backend no|yes|mod],
-	yes, [no yes mod])dnl
+	${ol_dflt_backends-yes}, [no yes mod])dnl
 OL_ARG_ENABLE(ldap,[    --enable-ldap	  enable ldap backend no|yes|mod],
-	no, [no yes mod])dnl
-OL_ARG_ENABLE(ldbm,[    --enable-ldbm	  enable ldbm backend no|yes|mod], no,
-	[no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
+OL_ARG_ENABLE(ldbm,[    --enable-ldbm	  enable ldbm backend no|yes|mod],
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_WITH(ldbm_api,[      --with-ldbm-api     with LDBM API auto|berkeley|bcompat|mdbm|gdbm],
 	auto, [auto berkeley bcompat mdbm gdbm])
 OL_ARG_WITH(ldbm_type,[      --with-ldbm-type	  use LDBM type auto|btree|hash],
 	auto, [auto btree hash])
 OL_ARG_ENABLE(meta,[    --enable-meta	  enable metadirectory backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(monitor,[    --enable-monitor	  enable monitor backend no|yes|mod],
-	yes, [no yes mod])dnl
+	${ol_dflt_backends-yes}, [no yes mod])dnl
 OL_ARG_ENABLE(null,[    --enable-null	  enable null backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(passwd,[    --enable-passwd	  enable passwd backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(perl,[    --enable-perl	  enable perl backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(relay,[    --enable-relay  	  enable relay backend no|yes|mod],
-	yes, [no yes mod])dnl
+	${ol_dflt_backends-yes}, [no yes mod])dnl
 OL_ARG_ENABLE(shell,[    --enable-shell	  enable shell backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 OL_ARG_ENABLE(sql,[    --enable-sql	  enable sql backend no|yes|mod],
-	no, [no yes mod])dnl
+	${ol_dflt_backends-no}, [no yes mod])dnl
 
 dnl ----------------------------------------------------------------
 dnl SLAPD Overlay Options
@@ -249,35 +250,36 @@ AC_ARG_WITH(xxslapoverlays,[
 SLAPD Overlay Options:])
 
 OL_ARG_ENABLE(overlays,[    --enable-overlays	  enable all available overlays no|yes|mod],
-	no, [no yes mod])dnl
-OL_ARG_ENABLE(accesslog,[    --enable-accesslog  	  In-Directory Access Logging overlay no|yes|mod],
-	no, [no yes mod])
+	--, [no yes mod])dnl
+test -n "$ol_enable_overlays" && ol_dflt_overlays="$ol_enable_overlays"
+OL_ARG_ENABLE(accesslog,[    --enable-accesslog	  In-Directory Access Logging overlay no|yes|mod],
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(denyop,[    --enable-denyop  	  Deny Operation overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(dyngroup,[    --enable-dyngroup	  Dynamic Group overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(dynlist,[    --enable-dynlist	  Dynamic List overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(glue,[    --enable-glue	  Backend Glue overlay no|yes|mod],
-	yes, [no yes mod])
+	${ol_dflt_overlays-yes}, [no yes mod])
 OL_ARG_ENABLE(lastmod,[    --enable-lastmod	  Last Modification overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(ppolicy,[    --enable-ppolicy	  Password Policy overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(proxycache,[    --enable-proxycache	  Proxy Cache overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(refint,[    --enable-refint	  Referential Integrity overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(retcode,[    --enable-retcode	  Return Code testing overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(rwm,[    --enable-rwm       	  Rewrite/Remap overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(syncprov,[    --enable-syncprov	  Syncrepl Provider overlay no|yes|mod],
-	yes, [no yes mod])
+	${ol_dflt_overlays-yes}, [no yes mod])
 OL_ARG_ENABLE(translucent,[    --enable-translucent  Translucent Proxy overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 OL_ARG_ENABLE(unique,[    --enable-unique       Attribute Uniqueness overlay no|yes|mod],
-	no, [no yes mod])
+	${ol_dflt_overlays-no}, [no yes mod])
 
 
 dnl ----------------------------------------------------------------
@@ -294,36 +296,15 @@ AC_ENABLE_SHARED
 
 dnl ----------------------------------------------------------------
 
-dnl General "enable" options
-# Activate any backends that were not explicitly enabled.
-# Note that back_bdb defaults to "yes" so this loop won't touch it.
-if test $ol_enable_backends != no ; then
-	for i in $Backends; do
-		eval "ol_tmp=\$ol_enable_$i"
-		if test $ol_tmp = no ; then
-			eval "ol_enable_$i=$ol_enable_backends"
-		fi
-	done
-fi
-# Activate the overlays
-if test $ol_enable_overlays != no ; then
-	for i in $Overlays; do
-		eval "ol_tmp=\$ol_enable_$i"
-		if test $ol_tmp = no ; then
-			eval "ol_enable_$i=$ol_enable_overlays"
-		fi
-	done
-fi
-
 # validate options
 if test $ol_enable_slapd = no ; then
 	dnl SLAPD was specificallly disabled
 	if test $ol_enable_slapi = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable-slapi argument])
 	fi
-	if test $ol_enable_backends != no ; then
+	case "$ol_enable_backends" in yes | mod)
 		AC_MSG_WARN([slapd disabled, ignoring --enable-backends argument])
-	fi
+	esac
 	for i in $Backends; do
 		eval "ol_tmp=\$ol_enable_$i"
 		if test $ol_tmp != no ; then
@@ -359,9 +340,9 @@ if test $ol_enable_slapd = no ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable-rewrite argument])
 	fi
 	dnl overlays
-	if test $ol_enable_overlays != no ; then
+	case "$ol_enable_overlays" in yes | mod)
 		AC_MSG_WARN([slapd disabled, ignoring --enable-overlays argument])
-	fi
+	esac
 	for i in $Overlays; do
 		eval "ol_tmp=\$ol_enable_$i"
 		if test $ol_tmp != no ; then
@@ -373,8 +354,8 @@ if test $ol_enable_slapd = no ; then
 	# force settings to no
 	ol_enable_slapi=no
 
-	ol_enable_backends=no
-	ol_enable_overlays=no
+	ol_enable_backends=
+	ol_enable_overlays=
 	ol_enable_modules=no
 	ol_enable_multimaster=no
 	ol_enable_rlookups=no
@@ -774,11 +755,11 @@ if test $am_cv_sys_posix_termios = yes ; then
 		[define if you have POSIX termios])
 fi
 
-AC_CHECK_HEADERS(	\
+AC_CHECK_HEADERS(		\
 	arpa/inet.h		\
-	arpa/nameser.h	\
+	arpa/nameser.h		\
 	assert.h		\
-	bits/types.h	\
+	bits/types.h		\
 	conio.h			\
 	crypt.h			\
 	direct.h		\
@@ -791,7 +772,7 @@ AC_CHECK_HEADERS(	\
 	libutil.h		\
 	limits.h		\
 	locale.h		\
-	netinet/tcp.h	\
+	netinet/tcp.h		\
 	malloc.h		\
 	memory.h		\
 	psap.h			\
@@ -809,11 +790,11 @@ AC_CHECK_HEADERS(	\
 	sys/errno.h		\
 	sys/ioctl.h		\
 	sys/param.h		\
-	sys/resource.h	\
-	sys/select.h	\
-	sys/socket.h	\
+	sys/resource.h		\
+	sys/select.h		\
+	sys/socket.h		\
 	sys/stat.h		\
-	sys/syslog.h	\
+	sys/syslog.h		\
 	sys/time.h		\
 	sys/types.h		\
 	sys/ucred.h		\
@@ -821,6 +802,7 @@ AC_CHECK_HEADERS(	\
 	syslog.h		\
 	termios.h		\
 	unistd.h		\
+	utime.h			\
 	winsock.h		\
 	winsock2.h		\
 )

contrib/slapd-modules/passwd/kerberos.c

@@ -12,12 +12,12 @@
  * <http://www.OpenLDAP.org/license.html>.
  */
 
-#include <string.h>
 #include <unistd.h>
 
 #include <lber.h>
 #include <lber_pvt.h>	/* BER_BVC definition */
 #include "lutil.h"
+#include <ac/string.h>
 
 #ifdef HAVE_KRB5
 #include <krb5.h>

contrib/slapd-modules/passwd/netscape.c

@@ -12,13 +12,13 @@
  * <http://www.OpenLDAP.org/license.html>.
  */
 
-#include <string.h>
 #include <unistd.h>
 
 #include <lber.h>
 #include <lber_pvt.h>
 #include "lutil.h"
 #include "lutil_md5.h"
+#include <ac/string.h>
 
 static LUTIL_PASSWD_CHK_FUNC chk_ns_mta_md5;
 static const struct berval scheme = BER_BVC("{NS-MTA-MD5}");

doc/guide/admin/install.sdf

@@ -112,10 +112,10 @@ configure detects a usable Cyrus SASL installation.
 
 H3: Database Software
 
-OpenLDAP's {{slapd}}(8) primary database backend, {{TERM:BDB}},
-requires {{ORG[expand]Sleepycat}} {{PRD:Berkeley DB}}.
+OpenLDAP's {{slapd}}(8) {{TERM:BDB}} and {{TERM:HDB}} primary database backends
+require {{ORG[expand]Sleepycat}} {{PRD:Berkeley DB}}.
 If not available at configure time, you will not be able build
-{{slapd}}(8) with this primary database backend.
+{{slapd}}(8) with these primary database backends.
 
 Your operating system may provide a supported version of
 {{PRD:Berkeley DB}} in the base system or as an optional
@@ -126,7 +126,7 @@ install it yourself.
 download page {{URL: http://www.sleepycat.com/download/}}.  There
 are several versions available.  Generally, the most recent release
 (with published patches) is recommended.  This package is required
-if you wish to use the {{TERM:BDB}} database backend.
+if you wish to use the {{TERM:BDB}} or {{TERM:HDB}} database backends.
 
 OpenLDAP's {{slapd}}(8) LDBM backend supports a variety of data
 base managers including {{PRD:Berkeley DB}} and {{PRD:GDBM}}.

doc/guide/admin/sasl.sdf

@@ -1,4 +1,4 @@
-# Copyright 1999-2003, The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2005, The OpenLDAP Foundation, All Rights Reserved.
 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
 
 H1: Using SASL
@@ -328,15 +328,15 @@ become available (see below).
 
 The LDAP administrator will need to tell the slapd server how to
 map an authentication request DN to a user's authentication DN.
-This is done by adding one or more {{EX:sasl-regexp}} directives to
+This is done by adding one or more {{EX:authz-regexp}} directives to
 the {{slapd.conf}}(5) file.  This directive takes two arguments:
 
->	sasl-regexp   <search pattern>   <replacement pattern>
+>	authz-regexp   <search pattern>   <replacement pattern>
 
 The authentication request DN is compared to the search pattern
 using the regular expression functions {{regcomp}}() and {{regexec}}(),
 and if it matches, it is rewritten as the replacement pattern. If
-there are multiple {{EX:sasl-regexp}} directives, only the first
+there are multiple {{EX:authz-regexp}} directives, only the first
 whose search pattern matches the authentication identity is used.
 The string that is output from the replacement pattern should be
 the authentication DN of the user or an LDAP URL.  If replacement
@@ -375,16 +375,16 @@ and the user's actual LDAP entry is:
 
 >	uid=adamson,ou=people,dc=example,dc=com
 
-then the following {{EX:sasl-regexp}} directive in {{slapd.conf}}(5)
+then the following {{EX:authz-regexp}} directive in {{slapd.conf}}(5)
 would provide for direct mapping.
 
->	sasl-regexp 
+>	authz-regexp 
 >	  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
 >	  uid=$1,ou=people,dc=example,dc=com
 
 An even more lenient rule could be written as
 
->	sasl-regexp
+>	authz-regexp
 >	  uid=([^,]*),cn=[^,]*,cn=auth 
 >	  uid=$1,ou=people,dc=example,dc=com
 
@@ -395,11 +395,11 @@ several strict directives than one lenient directive which has
 security holes.  If there is only one authentication mechanism in
 place at your site, and zero or one realms in use, you might be
 able to map between authentication identities and LDAP DN's with a
-single {{EX:sasl-regexp}} directive.
+single {{EX:authz-regexp}} directive.
 
 Don't forget to allow for the case where the realm is omitted as
 well as the case with an explicitly specified realm. This may well
-require a separate {{EX:sasl-regexp}} directive for each case, with
+require a separate {{EX:authz-regexp}} directive for each case, with
 the explicit-realm entry being listed first.
 
 H3: Search-based mappings
@@ -421,7 +421,7 @@ user whose entry is as follows:
 The information in the authentication request DN is insufficient
 to allow the user's DN to be directly derived, instead the user's
 DN must be searched for.  For these situations, a replacement pattern
-which produces a LDAP URL can be used in the {{EX:sasl-regexp}}
+which produces a LDAP URL can be used in the {{EX:authz-regexp}}
 directives.  This URL will then be used to perform an internal
 search of the LDAP database to find the person's authentication DN.
 
@@ -441,10 +441,10 @@ maintain the clarity of what information goes where in the string.
 
 Suppose that the person in the example from above did in fact have
 an authentication username of "adamson" and that information was
-kept in the attribute "uid" in their LDAP entry. The {{EX:sasl-regexp}}
+kept in the attribute "uid" in their LDAP entry. The {{EX:authz-regexp}}
 directive might be written as
 
->	sasl-regexp 
+>	authz-regexp 
 >	  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth  
 >	  ldap:///ou=people,dc=example,dc=com??one?(uid=$1)
 
@@ -465,17 +465,17 @@ to a different subtree in the directory.  These can be handled with
 statements of the form:
 
 >	# Match Engineering realm
->	sasl-regexp
+>	authz-regexp
 >	   uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
 >	   ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
 >
 >	# Match Accounting realm
->	sasl-regexp
+>	authz-regexp
 >	   uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth
 >	   ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
 >
 >	# Default realm is customers.example.com
->	sasl-regexp
+>	authz-regexp
 >	   uid=([^,]*),cn=digest-md5,cn=auth
 >	   ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
 
@@ -580,7 +580,7 @@ an {{authorization request DN}} of the form
 >	uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
 
 That authorization request DN is then run through the same
-{{EX:sasl-regexp}} process to convert it into a legitimate authorization
+{{EX:authz-regexp}} process to convert it into a legitimate authorization
 DN from the database. If it cannot be converted due to a failed
 search from an LDAP URL, the authorization request fails with
 "inappropriate access".  Otherwise, the DN string is now a legitimate
@@ -597,10 +597,10 @@ Once slapd has the authorization DN, the actual approval process
 begins. There are two attributes that the LDAP administrator can
 put into LDAP entries to allow authorization:
 
->	saslAuthzTo
->	saslAuthzFrom
+>	authzTo
+>	authzFrom
 
-Both can be multivalued.  The {{EX:saslAuthzTo}} attribute is a
+Both can be multivalued.  The {{EX:authzTo}} attribute is a
 source rule, and it is placed into the entry associated with the
 authentication DN to tell what authorization DNs the authenticated
 DN is allowed to assume.  The second attribute is a destination
@@ -609,8 +609,8 @@ authorization DN to tell which authenticated DNs may assume it.
 
 The choice of which authorization policy attribute to use is up to
 the administrator.  Source rules are checked first in the person's
-authentication DN entry, and if none of the {{EX:saslAuthzTo}} rules
-specify the authorization is permitted, the {{EX:saslAuthzFrom}}
+authentication DN entry, and if none of the {{EX:authzTo}} rules
+specify the authorization is permitted, the {{EX:authzFrom}}
 rules in the authorization DN entry are then checked. If neither
 case specifies that the request be honored, the request is denied.
 Since the default behaviour is to deny authorization requests, rules
@@ -618,16 +618,16 @@ only specify that a request be allowed; there are no negative rules
 telling what authorizations to deny.
 
 The value(s) in the two attributes are of the same form as the
-output of the replacement pattern of a {{EX:sasl-regexp}} directive:
-either a DN or an LDAP URL. For example, if a {{EX:saslAuthzTo}}
+output of the replacement pattern of a {{EX:authz-regexp}} directive:
+either a DN or an LDAP URL. For example, if a {{EX:authzTo}}
 value is a DN, that DN is one the authenticated user can authorize
-to. On the other hand, if the {{EX:saslAuthzTo}} value is an LDAP
+to. On the other hand, if the {{EX:authzTo}} value is an LDAP
 URL, the URL is used as an internal search of the LDAP database,
 and the authenticated user can become ANY DN returned by the search.
 If an LDAP entry looked like:
 
 >	dn: cn=WebUpdate,dc=example,dc=com
->	saslAuthzTo: ldap:///dc=example,dc=com??sub?(objectclass=person)
+>	authzTo: ldap:///dc=example,dc=com??sub?(objectclass=person)
 
 then any user who authenticated as {{EX:cn=WebUpdate,dc=example,dc=com}}
 could authorize to any other LDAP entry under the search base
@@ -636,18 +636,18 @@ could authorize to any other LDAP entry under the search base
 
 H4: Notes on Proxy Authorization Rules
 
-An LDAP URL in a {{EX:saslAuthzTo}} or {{EX:saslAuthzFrom}} attribute
+An LDAP URL in a {{EX:authzTo}} or {{EX:authzFrom}} attribute
 will return a set of DNs.  Each DN returned will be checked.  Searches
 which return a large set can cause the authorization process to
 take an uncomfortably long time. Also, searches should be performed
 on attributes that have been indexed by slapd.
 
-To help produce more sweeping rules for {{EX:saslAuthzFrom}} and
-{{EX:saslAuthzTo}}, the values of these attributes are allowed to
+To help produce more sweeping rules for {{EX:authzFrom}} and
+{{EX:authzTo}}, the values of these attributes are allowed to
 be DNs with regular expression characters in them. This means a
 source rule like
 
->	saslAuthzTo: uid=[^,]*,dc=example,dc=com
+>	authzTo: uid=[^,]*,dc=example,dc=com
 
 would allow that authenticated user to authorize to any DN that
 matches the regular expression pattern given. This regular expression
@@ -663,8 +663,8 @@ identity of the form "{{EX:u:<username>}}" as an authorization rule.
 
 H4: Policy Configuration
 
-The decision of which type of rules to use, {{EX:saslAuthzFrom}}
-or {{EX:saslAuthzTo}}, will depend on the site's situation. For
+The decision of which type of rules to use, {{EX:authzFrom}}
+or {{EX:authzTo}}, will depend on the site's situation. For
 example, if the set of people who may become a given identity can
 easily be written as a search filter, then a single destination
 rule could be written. If the set of people is not easily defined
@@ -673,16 +673,16 @@ to write a source rule in the entries of each of those people who
 should be allowed to perform the proxy authorization.
 
 By default, processing of proxy authorization rules is disabled.
-The {{EX:sasl-authz-policy}} directive must be set in the
+The {{EX:authz-policy}} directive must be set in the
 {{slapd.conf}}(5) file to enable authorization. This directive can
 be set to {{EX:none}} for no rules (the default), {{EX:from}} for
 source rules, {{EX:to}} for destination rules, or {{EX:both}} for
 both source and destination rules.
 
 Destination rules are extremely powerful. If ordinary users have
-access to write the {{EX:saslAuthzTo}} attribute in their own
+access to write the {{EX:authzTo}} attribute in their own
 entries, then they can write rules that would allow them to authorize
 as anyone else.  As such, when using destination rules, the
-{{EX:saslAuthzTo}} attribute should be protected with an ACL that
+{{EX:authzTo}} attribute should be protected with an ACL that
 only allows privileged users to set its values.
 

doc/guide/admin/slapdconf2.sdf

@@ -25,6 +25,10 @@ command-line option to {{slapd}}(8) or {{slurpd}}(8). This chapter
 describes the general format of the configuration system, followed by a
 detailed description of commonly used config settings.
 
+Note: some of the backends and of the distributed overlays
+do not support runtime configuration yet.  In those cases,
+the old style {{slapd.conf}}(5) file must be used.
+
 Note: the current version of {{slurpd}} has not been updated for
 compatibility with this new configuration engine. If you must use
 slurpd for replication at your site, you will have to maintain an
@@ -371,7 +375,9 @@ supported backend types listed in Table 5.2.
 	title="Table 5.2: Database Backends"
 Types	Description
 bdb	Berkeley DB transactional backend
+config	Slapd configuration backend
 dnssrv	DNS SRV backend
+hdb	Hierarchical variant of bdb backend
 ldap	Lightweight Directory Access Protocol (Proxy) backend
 ldbm	Lightweight DBM backend
 ldif	Lightweight Data Interchange Format backend
@@ -387,9 +393,10 @@ sql	SQL Programmable backend
 
 >	olcBackend: bdb
 
-There are no other directives defined for this entry, so generally
-it will not be needed. However, specific backend types may define
-additional attributes for their particular use.
+There are no other directives defined for this entry.  Specific backend
+types may define additional attributes for their particular use but so
+far none have ever been defined.  As such, these directives usually do
+not appear in any actual configurations.
 
 
 H4: Sample Entry
@@ -417,6 +424,11 @@ database-level options that should be applied to all the other
 databases. Subsequent database definitions may also override some
 frontend settings.
 
+The {{EX:config}} database is also special; both the {{EX:config}} and
+the {{EX:frontend}} databases are always created implicitly even if they
+are not explicitly configured, and they are created before any other
+databases.
+
 \Example:
 
 >	olcDatabase: bdb
@@ -761,12 +773,19 @@ If specified multiple times, each {{TERM:URL}} is provided.
 >	olcUpdateref:	ldap://master.example.net
 
 
-H4: Sample Entry
+H4: Sample Entries
 
 >dn: olcDatabase=frontend,cn=config
 >objectClass: olcDatabaseConfig
+>objectClass: olcFrontendConfig
 >olcDatabase: frontend
 >olcReadOnly: FALSE
+>
+>dn: olcDatabase=config,cn=config
+>objectClass: olcDatabaseConfig
+>olcDatabase: config
+>olcRootDN: cn=Manager,dc=example,dc=com
+
 
 H3: BDB and HDB Database Directives
 

doc/guide/admin/slapdconfig.sdf

@@ -236,6 +236,7 @@ supported backend types listed in Table 5.2.
 Types	Description
 bdb	Berkeley DB transactional backend
 dnssrv	DNS SRV backend
+hdb	Hierarchical variant of bdb backend
 ldap	Lightweight Directory Access Protocol (Proxy) backend
 ldbm	Lightweight DBM backend
 meta	Meta Directory backend
@@ -562,12 +563,14 @@ If specified multiple times, each {{TERM:URL}} is provided.
 >	updateref	ldap://master.example.net
 
 
-H3: BDB Database Directives
+H3: BDB and HDB Database Directives
 
-Directives in this category only apply to a {{TERM:BDB}} database.
-That is, they must follow a "database bdb" line and come before any
+Directives in this category only apply to both the {{TERM:BDB}}
+and the {{TERM:HDB}} database.
+That is, they must follow a "database bdb" or "database hdb" line
+and come before any
 subsequent "backend" or "database" line.  For a complete reference
-of BDB configuration directives, see {{slapd-bdb}}(5).
+of BDB/HDB configuration directives, see {{slapd-bdb}}(5).
 
 
 H4: directory <directory>