unifdef -DSLAP_ACL_HONOR_DISCLOSE

unifdef -DSLAP_ACL_HONOR_MANAGE unifdef -DSLAP_OVERLAY_ACCESS unifdef -DSLAP_ORDERED_PRETTYNORM unifdef -DSLAP_AUTHZ_SYNTAX Move LDAP_COLLECTIVE_ATTRIBUTES, LDAP_COMP_MATCH, and LDAP_SYNC_TIMESTAMP back behind LDAP_DEVEL (as these either too experimental or not yet implemented).
2025-01-06 10:46:21 +08:00 · 2006-04-12 05:53:26 +00:00 · 2006-04-12 05:53:26 +00:00 · eb9a3c1876
commit eb9a3c1876
parent 444ec670e3
29 changed files with 22 additions and 488 deletions
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2;
 * - can be legally called with op->o_bd == NULL
 */
 #ifdef SLAP_OVERLAY_ACCESS
 int
 slap_access_always_allowed(
 	Operation		*op,
@ -462,281 +461,6 @@ done:
 	return ret;
 }
 #else /* !SLAP_OVERLAY_ACCESS */
 int
 access_allowed_mask(
 	Operation		*op,
 	Entry			*e,
 	AttributeDescription	*desc,
 	struct berval		*val,
 	slap_access_t		access,
 	AccessControlState	*state,
 	slap_mask_t		*maskp )
 {
 	int				ret = 1;
 	int				count;
 	AccessControl			*a = NULL;
 	Backend				*be;
 	int				be_null = 0;
 #ifdef LDAP_DEBUG
 	char				accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif
 	slap_mask_t			mask;
 	slap_control_t			control;
 	slap_access_t			access_level;
 	const char			*attr;
 	regmatch_t			matches[MAXREMATCHES];
 	int				st_same_attr = 0;
 	static AccessControlState	state_init = ACL_STATE_INIT;
 	assert( e != NULL );
 	assert( desc != NULL );
 	access_level = ACL_LEVEL( access );
 	assert( access_level > ACL_NONE );
 	if ( maskp ) ACL_INVALIDATE( *maskp );
 	attr = desc->ad_cname.bv_val;
 	assert( attr != NULL );
 	if ( op ) {
 		if ( op->o_is_auth_check &&
 			( access_level == ACL_SEARCH || access_level == ACL_READ ) )
 		{
 			access = ACL_AUTH;
 		} else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
 			desc == slap_schema.si_ad_entry )
 		{
 			access = ACL_MANAGE;
 		}
 	}
 	if ( state ) {
 		if ( state->as_vd_ad == desc ) {
 			if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
 				val == NULL )
 			{
 				return state->as_result;
 			} else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
 				val != NULL && state->as_vd_acl == NULL )
 			{
 				return state->as_result;
 			}
 			st_same_attr = 1;
 		} else {
 			*state = state_init;
 		}
 		state->as_vd_ad = desc;
 	}
 	Debug( LDAP_DEBUG_ACL,
 		"=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
 		access2str( access ), e->e_dn, attr );
 	if ( op == NULL ) {
 		/* no-op call */
 		goto done;
 	}
 	be = op->o_bd;
 	if ( be == NULL ) {
 		be = LDAP_STAILQ_FIRST(&backendDB);
 		be_null = 1;
 #ifdef LDAP_DEVEL
 		/*
 		 * FIXME: experimental; use first backend rules
 		 * iff there is no global_acl (ITS#3100) */
 		if ( frontendDB->be_acl == NULL ) 
 #endif
 		{
 			op->o_bd = be;
 		}
 	}
 	assert( be != NULL );
 	/* grant database root access */
 	if ( be_isroot( op ) ) {
 		Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
 		if ( maskp ) {
 			mask = ACL_LVL_MANAGE;
 		}
 		goto done;
 	}
 	/*
 	 * no-user-modification operational attributes are ignored
 	 * by ACL_WRITE checking as any found here are not provided
 	 * by the user
 	 *
 	 * NOTE: but they are not ignored for ACL_MANAGE, because
 	 * if we get here it means a non-root user is trying to 
 	 * manage data, so we need to check its privileges.
 	 */
 	if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
 		&& desc != slap_schema.si_ad_entry
 		&& desc != slap_schema.si_ad_children )
 	{
 		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
 			" %s access granted\n",
 			attr, 0, 0 );
 		goto done;
 	}
 	/* use backend default access if no backend acls */
 	if ( be->be_acl == NULL ) {
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: backend default %s "
 			"access %s to \"%s\"\n",
 			access2str( access ),
 			be->be_dfltaccess >= access_level ? "granted" : "denied",
 			op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
 		ret = be->be_dfltaccess >= access_level;
 		if ( maskp ) {
 			int	i;
 			mask = ACL_PRIV_LEVEL;
 			for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
 				mask |= ACL_ACCESS2PRIV( i );
 			}
 		}
 		goto done;
 #ifdef notdef
 	/* be is always non-NULL */
 	/* use global default access if no global acls */
 	} else if ( be == NULL && frontendDB->be_acl == NULL ) {
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: global default %s access %s to \"%s\"\n",
 			access2str( access ),
 			frontendDB->be_dfltaccess >= access_level ?
 				"granted" : "denied", op->o_dn.bv_val );
 		ret = frontendDB->be_dfltaccess >= access_level;
 		if ( maskp ) {
 			int	i;
 			mask = ACL_PRIV_LEVEL;
 			for ( i = ACL_NONE; i <= global_default_access; i++ ) {
 				mask |= ACL_ACCESS2PRIV( i );
 			}
 		}
 		goto done;
 #endif
 	}
 	ret = 0;
 	control = ACL_BREAK;
 	if ( st_same_attr ) {
 		assert( state->as_vd_acl != NULL );
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
 		if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
 			mask = state->as_vd_acl_mask;
 			AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
 			goto vd_access;
 		}
 	} else {
 		if ( state ) state->as_vi_acl = NULL;
 		a = NULL;
 		ACL_INIT(mask);
 		count = 0;
 		memset( matches, '\0', sizeof(matches) );
 	}
 	while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
 		MAXREMATCHES, matches, state ) ) != NULL )
 	{
 		int i;
 		for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
 			Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
 				(int)matches[i].rm_so, (int)matches[i].rm_eo );
 			if ( matches[i].rm_so <= matches[0].rm_eo ) {
 				int n;
 				for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
 					Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
 				}
 			}
 			Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
 		}
 		if ( state ) {
 			if ( state->as_vi_acl == a &&
 				( state->as_recorded & ACL_STATE_RECORDED_NV ) )
 			{
 				Debug( LDAP_DEBUG_ACL,
 					"access_allowed: result from state (%s)\n",
 					attr, 0, 0 );
 				ret = state->as_result;
 				goto done;
 			} else {
 				Debug( LDAP_DEBUG_ACL,
 					"access_allowed: no res from state (%s)\n",
 					attr, 0, 0 );
 			}
 		}
 vd_access:
 		control = slap_acl_mask( a, &mask, op,
 			e, desc, val, MAXREMATCHES, matches, count, state );
 		if ( control != ACL_BREAK ) {
 			break;
 		}
 		memset( matches, '\0', sizeof(matches) );
 	}
 	if ( ACL_IS_INVALID( mask ) ) {
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: \"%s\" (%s) invalid!\n",
 			e->e_dn, attr, 0 );
 		ACL_INIT(mask);
 	} else if ( control == ACL_BREAK ) {
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: no more rules\n", 0, 0, 0 );
 		goto done;
 	}
 	Debug( LDAP_DEBUG_ACL,
 		"=> access_allowed: %s access %s by %s\n",
 		access2str( access ),
 		ACL_GRANT(mask, access) ? "granted" : "denied",
 		accessmask2str( mask, accessmaskbuf, 1 ) );
 	ret = ACL_GRANT(mask, access);
 done:
 	if ( state != NULL ) {
 		/* If not value-dependent, save ACL in case of more attrs */
 		if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
 			state->as_vi_acl = a;
 			state->as_result = ret;
 		}
 		state->as_recorded |= ACL_STATE_RECORDED;
 	}
 	if ( be_null ) op->o_bd = NULL;
 	if ( maskp ) *maskp = mask;
 	return ret;
 }
 #endif /* !SLAP_OVERLAY_ACCESS */
 /*
 * slap_acl_get - return the acl applicable to entry e, attribute
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@ -2453,11 +2453,6 @@ str2access( const char *str )
 		return ACL_NONE;
 	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
 #ifndef SLAP_ACL_HONOR_DISCLOSE
 		Debug( LDAP_DEBUG_ACL, "str2access: warning, "
 			"\"disclose\" privilege disabled.\n",
 		0, 0, 0 );
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		return ACL_DISCLOSE;
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
--- a/servers/slapd/back-bdb/compare.c
+++ b/servers/slapd/back-bdb/compare.c
@ -66,16 +66,13 @@ dn2entry_retry:
 	e = ei->bei_e;
 	if ( rs->sr_err == DB_NOTFOUND ) {
 		if ( e != NULL ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			/* return referral only if "disclose" is granted on the object */
 			if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
 				NULL, ACL_DISCLOSE, NULL ) )
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
-			} else
+			} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			{
 				rs->sr_matched = ch_strdup( e->e_dn );
 				rs->sr_ref = is_entry_referral( e )
 					? get_entry_referrals( op, e )
@ -103,15 +100,12 @@ dn2entry_retry:
 	}
 	if (!manageDSAit && is_entry_referral( e ) ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		/* return referral only if "disclose" is granted on the object */
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
 			NULL, ACL_DISCLOSE, NULL ) )
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
-		} else
+		} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		{
 			/* entry is a referral, don't allow compare */
 			rs->sr_ref = get_entry_referrals( op, e );
 			rs->sr_err = LDAP_REFERRAL;
@ -131,14 +125,11 @@ dn2entry_retry:
 	if ( get_assert( op ) &&
 		( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
 	{
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
 			NULL, ACL_DISCLOSE, NULL ) )
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
-		} else
+		} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		{
 			rs->sr_err = LDAP_ASSERTION_FAILED;
 		}
 		goto return_results;
@ -147,16 +138,13 @@ dn2entry_retry:
 	if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
 		&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
 	{
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		/* return error only if "disclose"
 		 * is granted on the object */
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
 					NULL, ACL_DISCLOSE, NULL ) )
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
-		} else
+		} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		{
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		}
 		goto return_results;
--- a/servers/slapd/back-bdb/search.c
+++ b/servers/slapd/back-bdb/search.c
@ -319,9 +319,7 @@ bdb_search( Operation *op, SlapReply *rs )
 	Entry		*matched = NULL;
 	EntryInfo	*ei, ei_root = {0};
 	struct berval	realbase = BER_BVNULL;
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	slap_mask_t	mask;
 #endif
 	int		manageDSAit;
 	int		tentries = 0;
 	ID		lastid = NOID;
@ -424,7 +422,6 @@ dn2entry_retry:
 		if ( matched != NULL ) {
 			BerVarray erefs = NULL;
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			/* return referral only if "disclose"
 			 * is granted on the object */
 			if ( ! access_allowed( op, matched,
@ -433,9 +430,7 @@ dn2entry_retry:
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
-			} else
+			} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			{
 				ber_dupbv( &matched_dn, &matched->e_name );
 				erefs = is_entry_referral( matched )
@ -483,7 +478,6 @@ dn2entry_retry:
 		return rs->sr_err;
 	}
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	/* NOTE: __NEW__ "search" access is required
 	 * on searchBase object */
 	if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
@ -504,7 +498,6 @@ dn2entry_retry:
 		send_ldap_result( op, rs );
 		return rs->sr_err;
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	if ( !manageDSAit && e != &e_root && is_entry_referral( e ) ) {
 		/* entry is a referral, don't allow add */
--- a/servers/slapd/back-dnssrv/init.c
+++ b/servers/slapd/back-dnssrv/init.c
@ -67,9 +67,7 @@ dnssrv_back_initialize(
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;
 #ifdef SLAP_OVERLAY_ACCESS
 	bi->bi_access_allowed = slap_access_always_allowed;
 #endif /* SLAP_OVERLAY_ACCESS */
 	return 0;
 }
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@ -1059,7 +1059,6 @@ done_url:;
 	case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
 		struct berval	bv;
 #ifdef SLAP_AUTHZ_SYNTAX
 		struct berval	in;
 		int		rc;
@ -1072,9 +1071,6 @@ done_url:;
 			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
 			return 1;
 		}
 #else /* !SLAP_AUTHZ_SYNTAX */
 		ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
 #endif /* !SLAP_AUTHZ_SYNTAX */
 		ber_bvarray_add( &li->li_idassert_authz, &bv );
 		} break;
--- a/servers/slapd/back-ldif/ldif.c
+++ b/servers/slapd/back-ldif/ldif.c
@ -1249,9 +1249,7 @@ ldif_back_initialize(
 	bi->bi_entry_get_rw = ldif_back_entry_get;
 #if 0	/* NOTE: uncomment to completely disable access control */
 #ifdef SLAP_OVERLAY_ACCESS
 	bi->bi_access_allowed = slap_access_always_allowed;
 #endif /* SLAP_OVERLAY_ACCESS */
 #endif
 	bi->bi_tool_entry_open = ldif_tool_entry_open;
--- a/servers/slapd/back-monitor/compare.c
+++ b/servers/slapd/back-monitor/compare.c
@ -39,15 +39,12 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs)
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			if ( !access_allowed_mask( op, matched,
 					slap_schema.si_ad_entry,
 					NULL, ACL_DISCLOSE, NULL, NULL ) )
 			{
 				/* do nothing */ ;
-			} else 
+			} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			{
 				rs->sr_matched = matched->e_dn;
 			}
 		}
@ -97,13 +94,11 @@ return_results:;
 		break;
 	default:
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
 				NULL, ACL_DISCLOSE, NULL, NULL ) )
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		break;
 	}
--- a/servers/slapd/back-monitor/modify.c
+++ b/servers/slapd/back-monitor/modify.c
@ -45,15 +45,12 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			if ( !access_allowed_mask( op, matched,
 					slap_schema.si_ad_entry,
 					NULL, ACL_DISCLOSE, NULL, NULL ) )
 			{
 				/* do nothing */ ;
-			} else 
+			} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			{
 				rs->sr_matched = matched->e_dn;
 			}
 		}
@ -75,7 +72,6 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 		rc = monitor_entry_modify( op, rs, e );
 	}
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	if ( rc != LDAP_SUCCESS ) {
 		if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
 				NULL, ACL_DISCLOSE, NULL, NULL ) )
@ -83,7 +79,6 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 			rc = LDAP_NO_SUCH_OBJECT;
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	rs->sr_err = rc;
 	send_ldap_result( op, rs );
--- a/servers/slapd/back-monitor/search.c
+++ b/servers/slapd/back-monitor/search.c
@ -175,15 +175,12 @@ monitor_back_search( Operation *op, SlapReply *rs )
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			if ( !access_allowed_mask( op, matched,
 					slap_schema.si_ad_entry,
 					NULL, ACL_DISCLOSE, NULL, NULL ) )
 			{
 				/* do nothing */ ;
-			} else 
+			} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			{
 				rs->sr_matched = matched->e_dn;
 			}
 		}
@ -204,12 +201,9 @@ monitor_back_search( Operation *op, SlapReply *rs )
 	{
 		monitor_cache_release( mi, e );
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
-		} else 
+		} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		{
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		}
--- a/servers/slapd/back-sql/add.c
+++ b/servers/slapd/back-sql/add.c
@ -1478,7 +1478,6 @@ done:;
 	 * in deleting that row.
 	 */
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	if ( e != NULL ) {
 		int	disclose = 1;
@ -1503,7 +1502,6 @@ done:;
 			}
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	send_ldap_result( op, rs );
 	slap_graduate_commit_csn( op );
--- a/servers/slapd/back-sql/compare.c
+++ b/servers/slapd/back-sql/compare.c
@ -150,7 +150,6 @@ return_results:;
 		break;
 	default:
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		if ( !BER_BVISNULL( &e.e_nname ) &&
 				! access_allowed( op, &e,
 					slap_schema.si_ad_entry, NULL,
@ -159,7 +158,6 @@ return_results:;
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			rs->sr_text = NULL;
 		}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		break;
 	}
--- a/servers/slapd/back-sql/delete.c
+++ b/servers/slapd/back-sql/delete.c
@ -448,7 +448,6 @@ backsql_delete( Operation *op, SlapReply *rs )
 	}
 done:;
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	if ( e != NULL ) {
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
 					ACL_DISCLOSE, NULL ) )
@ -462,7 +461,6 @@ done:;
 			}
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	send_ldap_result( op, rs );
--- a/servers/slapd/back-sql/modify.c
+++ b/servers/slapd/back-sql/modify.c
@ -174,7 +174,6 @@ do_transact:;
 	SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
 done:;
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	if ( e != NULL ) {
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
 					ACL_DISCLOSE, NULL ) )
@ -188,7 +187,6 @@ done:;
 			}
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	send_ldap_result( op, rs );
 	slap_graduate_commit_csn( op );
--- a/servers/slapd/back-sql/modrdn.c
+++ b/servers/slapd/back-sql/modrdn.c
@ -464,7 +464,6 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 	}
 done:;
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	if ( e != NULL ) {
 		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
 					ACL_DISCLOSE, NULL ) )
@ -478,7 +477,6 @@ done:;
 			}
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	/*
 	 * Commit only if all operations succeed
--- a/servers/slapd/back-sql/search.c
+++ b/servers/slapd/back-sql/search.c
@ -1968,7 +1968,6 @@ backsql_search( Operation *op, SlapReply *rs )
 		/* fall thru */
 	default:
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 		if ( !BER_BVISNULL( &base_entry.e_nname )
 				&& !access_allowed( op, &base_entry,
 					slap_schema.si_ad_entry, NULL,
@ -1982,7 +1981,6 @@ backsql_search( Operation *op, SlapReply *rs )
 			rs->sr_matched = NULL;
 			rs->sr_text = NULL;
 		}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		send_ldap_result( op, rs );
@ -1997,7 +1995,6 @@ backsql_search( Operation *op, SlapReply *rs )
 		goto done;
 	}
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 	/* NOTE: __NEW__ "search" access is required
 	 * on searchBase object */
 	{
@ -2028,7 +2025,6 @@ backsql_search( Operation *op, SlapReply *rs )
 			goto done;
 		}
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 	bsi.bsi_e = NULL;
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -1420,13 +1420,8 @@ backend_group(
 	be_orig = op->o_bd;
 	op->o_bd = frontendDB;
 #ifdef SLAP_OVERLAY_ACCESS
 	rc = frontendDB->be_group( op, target, gr_ndn,
 		op_ndn, group_oc, group_at );
 #else /* ! SLAP_OVERLAY_ACCESS */
 	rc = fe_acl_group( op, target, gr_ndn,
 		op_ndn, group_oc, group_at );
 #endif /* ! SLAP_OVERLAY_ACCESS */
 	op->o_bd = be_orig;
 	return rc;
@ -1573,13 +1568,8 @@ backend_attribute(
 	be_orig = op->o_bd;
 	op->o_bd = frontendDB;
 #ifdef SLAP_OVERLAY_ACCESS
 	rc = frontendDB->be_attribute( op, target, edn,
 		entry_at, vals, access );
 #else /* !SLAP_OVERLAY_ACCESS */
 	rc = fe_acl_attribute( op, target, edn,
 		entry_at, vals, access );
 #endif /* !SLAP_OVERLAY_ACCESS */
 	op->o_bd = be_orig;
 	return rc;
--- a/servers/slapd/backover.c
+++ b/servers/slapd/backover.c
@ -239,7 +239,6 @@ over_back_response ( Operation *op, SlapReply *rs )
 	return rc;
 }
 #ifdef SLAP_OVERLAY_ACCESS
 static int
 over_access_allowed(
 	Operation		*op,
@ -450,7 +449,6 @@ over_acl_attribute(
 	return rc;
 }
 #endif /* SLAP_OVERLAY_ACCESS */
 /*
 * default return code in case of missing backend function
@ -1018,12 +1016,10 @@ overlay_config( BackendDB *be, const char *ov )
 		bi->bi_chk_referrals = over_aux_chk_referrals;
 		bi->bi_chk_controls = over_aux_chk_controls;
 #ifdef SLAP_OVERLAY_ACCESS
 		/* these have specific arglists */
 		bi->bi_access_allowed = over_access_allowed;
 		bi->bi_acl_group = over_acl_group;
 		bi->bi_acl_attribute = over_acl_attribute;
 #endif /* SLAP_OVERLAY_ACCESS */
 		bi->bi_connection_init = over_connection_init;
 		bi->bi_connection_destroy = over_connection_destroy;
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -4928,9 +4928,7 @@ config_back_initialize( BackendInfo *bi )
 	bi->bi_chk_referrals = 0;
 #ifdef SLAP_OVERLAY_ACCESS
 	bi->bi_access_allowed = slap_access_always_allowed;
 #endif /* SLAP_OVERLAY_ACCESS */
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;
--- a/servers/slapd/compare.c
+++ b/servers/slapd/compare.c
@ -284,7 +284,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
 			}
 		} else {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			/* return error only if "disclose"
 			 * is granted on the object */
 			if ( backend_access( op, NULL, &op->o_req_ndn,
@ -293,7 +292,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		}
 		send_ldap_result( op, rs );
@ -328,7 +326,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
 				ava.aa_desc, &vals, ACL_COMPARE );
 		switch ( rs->sr_err ) {
 		default:
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			/* return error only if "disclose"
 			 * is granted on the object */
 			if ( backend_access( op, NULL, &op->o_req_ndn,
@ -338,7 +335,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 			break;
 		case LDAP_SUCCESS:
@ -416,7 +412,6 @@ static int compare_entry(
 	}
 done:
 #ifdef LDAP_ACL_HONOR_DISCLOSE
 	if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
 		if ( ! access_allowed( op, e,
 			slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
@ -424,7 +419,6 @@ done:
 			rc = LDAP_NO_SUCH_OBJECT;
 		}
 	}
 #endif
 	return rc;
 }
--- a/servers/slapd/entry.c
+++ b/servers/slapd/entry.c
@ -269,23 +269,14 @@ str2entry2( char *s, int checkvals )
 				ad->ad_type->sat_syntax->ssyn_pretty;
 			if ( pretty ) {
 #ifdef SLAP_ORDERED_PRETTYNORM
 				rc = ordered_value_pretty( ad,
 					&vals[i], &pval, NULL );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 				rc = pretty( ad->ad_type->sat_syntax,
 					&vals[i], &pval, NULL );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 			} else if ( validate ) {
 				/*
 			 	 * validate value per syntax
 			 	 */
 #ifdef SLAP_ORDERED_PRETTYNORM
 				rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 				rc = validate( ad->ad_type->sat_syntax, &vals[i] );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 			} else {
 				Debug( LDAP_DEBUG_ANY,
@ -315,19 +306,11 @@ str2entry2( char *s, int checkvals )
 		if ( ad->ad_type->sat_equality &&
 			ad->ad_type->sat_equality->smr_normalize )
 		{
 #ifdef SLAP_ORDERED_PRETTYNORM
 			rc = ordered_value_normalize(
 				SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
 				ad,
 				ad->ad_type->sat_equality,
 				&vals[i], &nvals[i], NULL );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 			rc = ad->ad_type->sat_equality->smr_normalize(
 				SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
 				ad->ad_type->sat_syntax,
 				ad->ad_type->sat_equality,
 				&vals[i], &nvals[i], NULL );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 			if ( rc ) {
 				Debug( LDAP_DEBUG_ANY,
--- a/servers/slapd/frontend.c
+++ b/servers/slapd/frontend.c
@ -119,11 +119,9 @@ frontend_init( void )
 	frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw;
 	frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw;
 #endif
 #ifdef SLAP_OVERLAY_ACCESS
 	frontendDB->bd_info->bi_access_allowed = fe_access_allowed;
 	frontendDB->bd_info->bi_acl_group = fe_acl_group;
 	frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute;
 #endif /* SLAP_OVERLAY_ACCESS */
 #if 0
 	/* FIXME: is this too early? */
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@ -656,21 +656,11 @@ int slap_mods_check(
 				struct berval pval;
 				if ( pretty ) {
 #ifdef SLAP_ORDERED_PRETTYNORM
 					rc = ordered_value_pretty( ad,
 						&ml->sml_values[nvals], &pval, ctx );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 					rc = pretty( ad->ad_type->sat_syntax,
 						&ml->sml_values[nvals], &pval, ctx );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 				} else {
 #ifdef SLAP_ORDERED_PRETTYNORM
 					rc = ordered_value_validate( ad,
 						&ml->sml_values[nvals], ml->sml_op );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 					rc = validate( ad->ad_type->sat_syntax,
 						&ml->sml_values[nvals] );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 				}
 				if( rc != 0 ) {
@ -716,19 +706,11 @@ int slap_mods_check(
 					(nvals+1)*sizeof(struct berval), ctx );
 				for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
 #ifdef SLAP_ORDERED_PRETTYNORM
 					rc = ordered_value_normalize(
 						SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
 						ad,
 						ad->ad_type->sat_equality,
 						&ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
 #else /* ! SLAP_ORDERED_PRETTYNORM */
 					rc = ad->ad_type->sat_equality->smr_normalize(
 						SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
 						ad->ad_type->sat_syntax,
 						ad->ad_type->sat_equality,
 						&ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
 #endif /* ! SLAP_ORDERED_PRETTYNORM */
 					if ( rc ) {
 						Debug( LDAP_DEBUG_ANY,
 							"<= str2entry NULL (ssyn_normalize %d)\n",
--- a/servers/slapd/overlays/dds.c
+++ b/servers/slapd/overlays/dds.c
@ -357,7 +357,6 @@ dds_op_add( Operation *op, SlapReply *rs )
 			slap_schema.si_oc_dynamicObject, NULL, 0, &e );
 		if ( rc == LDAP_SUCCESS && e != NULL ) {
 			if ( !is_dynamicObject ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 				/* return referral only if "disclose"
 				 * is granted on the object */
 				if ( ! access_allowed( op, e,
@ -367,9 +366,7 @@ dds_op_add( Operation *op, SlapReply *rs )
 					rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
 					send_ldap_result( op, rs );
-				} else
+				} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 				{
 					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
 					send_ldap_error( op, rs, rc, "no static subordinate entries allowed for dynamicObject" );
 				}
@ -580,15 +577,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
 					if ( BER_BVISEMPTY( &bv_entryTtl ) 
 						|| !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) )
 					{
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 						rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, 
 							slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
 						if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
 							rs->sr_err = LDAP_NO_SUCH_OBJECT;
-						} else
+						} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 						{
 							rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
 						}
 						goto done;
@ -609,15 +603,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
 				assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) );
 				if ( !BER_BVISEMPTY( &bv_entryTtl ) ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 					rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, 
 						slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
 					if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
 						rs->sr_err = LDAP_NO_SUCH_OBJECT;
-					} else
+					} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 					{
 						rs->sr_text = "attribute 'entryTtl' cannot have multiple values";
 						rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
 					}
@ -649,15 +640,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
 			case LDAP_MOD_INCREMENT:
 				if ( BER_BVISEMPTY( &bv_entryTtl ) ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 					rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, 
 						slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
 					if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
 						rs->sr_err = LDAP_NO_SUCH_OBJECT;
-					} else
+					} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 					{
 						rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
 						rs->sr_text = "modify/increment: entryTtl: no such attribute";
 					}
@ -678,7 +666,6 @@ dds_op_modify( Operation *op, SlapReply *rs )
 				}
 				if ( rs->sr_err != LDAP_SUCCESS ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 					rc = backend_attribute( op, NULL, &op->o_req_ndn, 
 						slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
 					if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
@ -686,7 +673,6 @@ dds_op_modify( Operation *op, SlapReply *rs )
 						rs->sr_err = LDAP_NO_SUCH_OBJECT;
 					}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 					goto done;
 				}
@ -761,7 +747,6 @@ done:;
 				rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
 			}
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 			if ( rc != LDAP_SUCCESS ) {
 				rc = backend_attribute( op, NULL, &op->o_req_ndn, 
 					slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
@ -770,7 +755,6 @@ done:;
 					rs->sr_err = LDAP_NO_SUCH_OBJECT;
 				}
 			}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 		}
 	}
@ -850,7 +834,6 @@ dds_op_rename( Operation *op, SlapReply *rs )
 			slap_schema.si_oc_dynamicObject, NULL, 0, &e );
 		if ( rc == LDAP_SUCCESS && e != NULL ) {
 			if ( !is_dynamicObject ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 				/* return referral only if "disclose"
 				 * is granted on the object */
 				if ( ! access_allowed( op, e,
@ -860,9 +843,7 @@ dds_op_rename( Operation *op, SlapReply *rs )
 					rs->sr_err = LDAP_NO_SUCH_OBJECT;
 					send_ldap_result( op, rs );
-				} else
+				} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 				{
 					send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION,
 						"static entry cannot have dynamicObject as newSuperior" );
 				}
@ -1072,7 +1053,6 @@ dds_op_extended( Operation *op, SlapReply *rs )
 			rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
 				NULL, NULL, 0, &e );
 			if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
 #ifdef SLAP_ACL_HONOR_DISCLOSE
 				/* return referral only if "disclose"
 				 * is granted on the object */
 				if ( ! access_allowed( op, e,
@ -1081,9 +1061,7 @@ dds_op_extended( Operation *op, SlapReply *rs )
 				{
 					rs->sr_err = LDAP_NO_SUCH_OBJECT;
-				} else
+				} else {
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 				{
 					rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
 					rs->sr_text = "refresh operation only applies to dynamic objects";
 				}
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -50,7 +50,6 @@ LDAP_SLAPD_F (int) access_allowed_mask LDAP_P((
 	AccessControlState *state,
 	slap_mask_t *mask ));
 #define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL)
 #ifdef SLAP_OVERLAY_ACCESS
 LDAP_SLAPD_F (int) slap_access_allowed LDAP_P((
 	Operation		*op,
 	Entry			*e,
@ -67,7 +66,6 @@ LDAP_SLAPD_F (int) slap_access_always_allowed LDAP_P((
 	slap_access_t		access,
 	AccessControlState	*state,
 	slap_mask_t		*maskp ));
 #endif /* SLAP_OVERLAY_ACCESS */
 LDAP_SLAPD_F (int) acl_check_modlist LDAP_P((
 	Operation *op, Entry *e, Modifications *ml ));
@ -1440,7 +1438,6 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
 	int argc, 
 	char **argv ));
 #endif /* SLAP_AUTH_REWRITE */
 #ifdef SLAP_AUTHZ_SYNTAX
 LDAP_SLAPD_F (int) authzValidate LDAP_P((
 	Syntax *syn, struct berval *in ));
 #if 0
@ -1464,7 +1461,6 @@ LDAP_SLAPD_F (int) authzNormalize LDAP_P((
 	struct berval *val,
 	struct berval *normalized,
 	void *ctx ));
 #endif /* SLAP_AUTHZ_SYNTAX */
 /*
 * schema.c
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@ -202,7 +202,6 @@ int slap_parse_user( struct berval *id, struct berval *user,
 	return LDAP_SUCCESS;
 }
 #ifdef SLAP_AUTHZ_SYNTAX
 int
 authzValidate(
 	Syntax *syntax,
@ -919,7 +918,6 @@ authzPretty(
 	return rc;
 }
 #endif /* SLAP_AUTHZ_SYNTAX */
 static int
 slap_parseURI(
@ -936,9 +934,7 @@ slap_parseURI(
 	int		rc;
 	LDAPURLDesc	*ludp;
 #ifdef SLAP_ORDERED_PRETTYNORM
 	struct berval	idx;
 #endif /* SLAP_ORDERED_PRETTYNORM */
 	assert( uri != NULL && !BER_BVISNULL( uri ) );
 	BER_BVZERO( base );
@ -952,7 +948,6 @@ slap_parseURI(
 	rc = LDAP_PROTOCOL_ERROR;
 #ifdef SLAP_ORDERED_PRETTYNORM
 	idx = *uri;
 	if ( idx.bv_val[ 0 ] == '{' ) {
 		char	*ptr;
@ -965,7 +960,6 @@ slap_parseURI(
 		idx.bv_val = ptr;
 		uri = &idx;
 	}
 #endif /* SLAP_ORDERED_PRETTYNORM */
 	/*
 	 * dn[.<dnstyle>]:<dnpattern>
@ -1677,13 +1671,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,
 	/* NOTE: don't normalize rule if authz syntax is enabled */
 	rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
-		&op.ors_scope, &op.ors_filter, &op.ors_filterstr, 
+		&op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 );
 #ifdef SLAP_AUTHZ_SYNTAX
 		0
 #else /* ! SLAP_AUTHZ_SYNTAX */
 		1
 #endif /* ! SLAP_AUTHZ_SYNTAX */
 		);
 	if( rc != LDAP_SUCCESS ) goto CONCLUDED;
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@ -67,10 +67,8 @@
 #define csnIndexer				generalizedTimeIndexer
 #define csnFilter				generalizedTimeFilter
 #ifdef SLAP_AUTHZ_SYNTAX
 /* FIXME: temporary */
 #define authzMatch				octetStringMatch
 #endif /* SLAP_AUTHZ_SYNTAX */
 unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
 unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
@ -4180,11 +4178,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
 	{"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
 		SLAP_SYNTAX_HIDE, inValidate, NULL},
 #ifdef SLAP_AUTHZ_SYNTAX
 	/* FIXME: OID is unused, but not registered yet */
 	{"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
 		SLAP_SYNTAX_HIDE, authzValidate, authzPretty},
 #endif /* SLAP_AUTHZ_SYNTAX */
 	{NULL, 0, NULL, NULL}
 };
@ -4618,7 +4614,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
 		NULL, NULL,
 		"CSNMatch" },
 #ifdef SLAP_AUTHZ_SYNTAX
 	/* FIXME: OID is unused, but not registered yet */
 	{"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
 		"SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
@ -4626,7 +4621,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
 		NULL, authzNormalize, authzMatch,
 		NULL, NULL,
 		NULL},
 #endif /* SLAP_AUTHZ_SYNTAX */
 	{NULL, SLAP_MR_NONE, NULL,
 		NULL, NULL, NULL, NULL, NULL,
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@ -855,16 +855,9 @@ static struct slap_schema_ad_map {
 	{ "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
 			"NAME ( 'authzTo' 'saslAuthzTo' ) "
 			"DESC 'proxy authorization targets' "
 #ifdef SLAP_AUTHZ_SYNTAX
 			"EQUALITY authzMatch "
 			"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
 #else /* ! SLAP_AUTHZ_SYNTAX */
 			"EQUALITY caseExactMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
 #endif /* ! SLAP_AUTHZ_SYNTAX */
 #ifdef SLAP_ORDERED_PRETTYNORM
 			"X-ORDERED 'VALUES' "
 #endif /* SLAP_ORDERED_PRETTYNORM */
 			"USAGE distributedOperation )",
 		NULL, SLAP_AT_HIDE,
 		NULL, NULL,
@ -873,16 +866,9 @@ static struct slap_schema_ad_map {
 	{ "authzFrom", "( 1.3.6.1.4.1.4203.666.1.9 "
 			"NAME ( 'authzFrom' 'saslAuthzFrom' ) "
 			"DESC 'proxy authorization sources' "
 #ifdef SLAP_AUTHZ_SYNTAX
 			"EQUALITY authzMatch "
 			"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
 #else /* ! SLAP_AUTHZ_SYNTAX */
 			"EQUALITY caseExactMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
 #endif /* ! SLAP_AUTHZ_SYNTAX */
 #ifdef SLAP_ORDERED_PRETTYNORM
 			"X-ORDERED 'VALUES' "
 #endif /* SLAP_ORDERED_PRETTYNORM */
 			"USAGE distributedOperation )",
 		NULL, SLAP_AT_HIDE,
 		NULL, NULL,
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -64,26 +64,19 @@ LDAP_BEGIN_DECL
 #define SLAP_SEM_LOAD_CONTROL
 #endif
-#define SLAP_ACL_HONOR_DISCLOSE	/* partially implemented */
+#ifdef LDAP_DEVEL
 #define SLAP_ACL_HONOR_MANAGE	/* not yet implemented */
 #define SLAP_OVERLAY_ACCESS
 #define LDAP_COMP_MATCH
 #define LDAP_DYNAMIC_OBJECTS
 #define LDAP_SYNC_TIMESTAMP
 #define LDAP_COLLECTIVE_ATTRIBUTES
-#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
+#define LDAP_COMP_MATCH
 #define LDAP_SYNC_TIMESTAMP
 #endif
-#define SLAP_ORDERED_PRETTYNORM
+#define LDAP_DYNAMIC_OBJECTS
-#define SLAP_AUTHZ_SYNTAX
+#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
 #ifdef ENABLE_REWRITE
 #define SLAP_AUTH_REWRITE	1 /* use librewrite for sasl-regexp */
 #endif
 #if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS)
 #define SLAP_OVERLAY_ACCESS
 #endif
 /*
 * SLAPD Memory allocation macros
 *
@ -2019,7 +2012,6 @@ typedef int (BI_entry_get_rw) LDAP_P(( struct slap_op *op, struct berval *ndn,
 typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs ));
 typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op,
 	Entry *e, int *hasSubs ));
 #ifdef SLAP_OVERLAY_ACCESS
 typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e,
 	AttributeDescription *desc, struct berval *val, slap_access_t access,
 	AccessControlState *state, slap_mask_t *maskp ));
@ -2029,7 +2021,6 @@ typedef int (BI_acl_group) LDAP_P(( struct slap_op *op, Entry *target,
 typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target,
 	struct berval *entry_ndn, AttributeDescription *entry_at,
 	BerVarray *vals, slap_access_t access ));
 #endif /* SLAP_OVERLAY_ACCESS */
 typedef int (BI_conn_func) LDAP_P(( BackendDB *bd, struct slap_conn *c ));
 typedef BI_conn_func BI_connection_init;
@ -2128,11 +2119,9 @@ struct slap_backend_info {
 	BI_entry_release_rw	*bi_entry_release_rw;
 	BI_has_subordinates	*bi_has_subordinates;
 #ifdef SLAP_OVERLAY_ACCESS
 	BI_access_allowed	*bi_access_allowed;
 	BI_acl_group		*bi_acl_group;
 	BI_acl_attribute	*bi_acl_attribute;
 #endif /* SLAP_OVERLAY_ACCESS */
 	BI_connection_init	*bi_connection_init;
 	BI_connection_destroy	*bi_connection_destroy;