backport patch

backport-ITS-7165-back-mdb-check-for-stale-readers-on-MDB_REA.patch

@@ -0,0 +1,36 @@
+From 205e2f1a3e351941a0694e7295e1b3a9b71e5272 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 13 May 2022 16:32:41 +0100
+Subject: [PATCH] ITS#7165 back-mdb: check for stale readers on
+ MDB_READERS_FULL
+
+retry opening a read txn if we cleared any stale readers
+---
+ servers/slapd/back-mdb/id2entry.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/servers/slapd/back-mdb/id2entry.c b/servers/slapd/back-mdb/id2entry.c
+index a7ba23a94..aa6067a0e 100644
+--- a/servers/slapd/back-mdb/id2entry.c
++++ b/servers/slapd/back-mdb/id2entry.c
+@@ -779,7 +779,17 @@ mdb_opinfo_get( Operation *op, struct mdb_info *mdb, int rdonly, mdb_op_info **m
+ 			return rc;
+ 		}
+ 		if ( ldap_pvt_thread_pool_getkey( ctx, mdb->mi_dbenv, &data, NULL ) ) {
++			int retried = 0;
++retry:
+ 			rc = mdb_txn_begin( mdb->mi_dbenv, NULL, MDB_RDONLY, &moi->moi_txn );
++			if (rc == MDB_READERS_FULL && !retried) {
++				int dead;
++				/* if any stale readers were cleared, a slot should be available */
++				if (!mdb_reader_check( mdb->mi_dbenv, &dead ) && dead) {
++					retried = 1;
++					goto retry;
++				}
++			}
+ 			if (rc) {
+ 				Debug( LDAP_DEBUG_ANY, "mdb_opinfo_get: err %s(%d)\n",
+ 					mdb_strerror(rc), rc );
+-- 
+2.33.0
+

backport-ITS-8039-Free-resinfo-even-if-opcookie-is-the-last-o.patch

@@ -0,0 +1,65 @@
+From 6ccc0974e1c9429f7407241b3705230109613278 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 13 Jan 2022 09:21:21 +0000
+Subject: [PATCH] ITS#8039 Free resinfo even if opcookie is the last owner
+
+---
+ servers/slapd/overlays/syncprov.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 7a5a637dc..41a409dcd 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -843,24 +843,27 @@ again:
+ static void free_resinfo( syncres *sr )
+ {
+ 	syncres **st;
++	resinfo *ri = sr->s_info;
+ 	int freeit = 0;
+-	ldap_pvt_thread_mutex_lock( &sr->s_info->ri_mutex );
++
++	ldap_pvt_thread_mutex_lock( &ri->ri_mutex );
+ 	for (st = &sr->s_info->ri_list; *st; st = &(*st)->s_rilist) {
+ 		if (*st == sr) {
+ 			*st = sr->s_rilist;
++			if ( !sr->s_info->ri_list )
++				freeit = 1;
++			sr->s_info = NULL;
+ 			break;
+ 		}
+ 	}
+-	if ( !sr->s_info->ri_list )
+-		freeit = 1;
+-	ldap_pvt_thread_mutex_unlock( &sr->s_info->ri_mutex );
++	ldap_pvt_thread_mutex_unlock( &ri->ri_mutex );
+ 	if ( freeit ) {
+-		ldap_pvt_thread_mutex_destroy( &sr->s_info->ri_mutex );
+-		if ( sr->s_info->ri_e )
+-			entry_free( sr->s_info->ri_e );
+-		if ( !BER_BVISNULL( &sr->s_info->ri_cookie ))
+-			ch_free( sr->s_info->ri_cookie.bv_val );
+-		ch_free( sr->s_info );
++		ldap_pvt_thread_mutex_destroy( &ri->ri_mutex );
++		if ( ri->ri_e )
++			entry_free( ri->ri_e );
++		if ( !BER_BVISNULL( &ri->ri_cookie ))
++			ch_free( ri->ri_cookie.bv_val );
++		ch_free( ri );
+ 	}
+ }
+ 
+@@ -1546,6 +1549,10 @@ syncprov_op_cleanup( Operation *op, SlapReply *rs )
+ 	if ( !BER_BVISNULL( &opc->sdn ))
+ 		op->o_tmpfree( opc->sdn.bv_val, op->o_tmpmemctx );
+ 	op->o_callback = cb->sc_next;
++
++	if ( opc->ssres.s_info ) {
++		free_resinfo( &opc->ssres );
++	}
+ 	op->o_tmpfree(cb, op->o_tmpmemctx);
+ 
+ 	return 0;
+-- 
+2.33.0
+

backport-ITS-8245-Do-not-try-to-release-a-NULL-entry.patch

@@ -0,0 +1,62 @@
+From 81b5ca9113d05190af6aff965b63e82730e00f55 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Fri, 10 Jun 2022 09:39:18 +0100
+Subject: [PATCH] ITS#8245 Do not try to release a NULL entry
+
+---
+ servers/slapd/overlays/unique.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/servers/slapd/overlays/unique.c b/servers/slapd/overlays/unique.c
+index 9e8bbeaba..e71fabfd2 100644
+--- a/servers/slapd/overlays/unique.c
++++ b/servers/slapd/overlays/unique.c
+@@ -1229,13 +1229,15 @@ unique_modify(
+ 		return rc;
+ 	}
+ 
+-	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
+-			get_relax(op) > SLAP_CONTROL_IGNORED
+-			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
+-			&& e
+-			&& access_allowed( op, e,
+-				slap_schema.si_ad_entry, NULL,
+-				ACL_MANAGE, NULL ) ) ) {
++	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
++		return rc;
++	}
++	if ( get_relax(op) > SLAP_CONTROL_IGNORED
++		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
++		&& e
++		&& access_allowed( op, e,
++			slap_schema.si_ad_entry, NULL,
++			ACL_MANAGE, NULL ) ) {
+ 		overlay_entry_release_ov( op, e, 0, on );
+ 		return rc;
+ 	}
+@@ -1367,13 +1369,15 @@ unique_modrdn(
+ 	Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
+ 		op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
+ 
+-	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
+-			get_relax(op) > SLAP_CONTROL_IGNORED
+-			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
+-			&& e
+-			&& access_allowed( op, e,
+-				slap_schema.si_ad_entry, NULL,
+-				ACL_MANAGE, NULL ) ) ) {
++	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
++		return rc;
++	}
++	if ( get_relax(op) > SLAP_CONTROL_IGNORED
++		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
++		&& e
++		&& access_allowed( op, e,
++			slap_schema.si_ad_entry, NULL,
++			ACL_MANAGE, NULL ) ) {
+ 		overlay_entry_release_ov( op, e, 0, on );
+ 		return rc;
+ 	}
+-- 
+2.33.0
+

backport-ITS-9759-Honour-requested-insert-position-in-olcRetc.patch

@@ -0,0 +1,33 @@
+From d094cf2cb5ffd28195ac42dbe631db43c47762af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Tue, 7 Dec 2021 12:06:15 +0000
+Subject: [PATCH] ITS#9759 Honour requested insert position in olcRetcodeItem
+
+---
+ servers/slapd/overlays/retcode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/overlays/retcode.c b/servers/slapd/overlays/retcode.c
+index e0f5b8e04..8b94b4711 100644
+--- a/servers/slapd/overlays/retcode.c
++++ b/servers/slapd/overlays/retcode.c
+@@ -1237,10 +1237,14 @@ rc_cf_gen( ConfigArgs *c )
+ 		}
+ 		*--next = '\0';
+ 		
+-		for ( rdip = &rd->rd_item; *rdip; rdip = &(*rdip)->rdi_next )
+-			/* go to last */ ;
++		/* We're marked X-ORDERED 'VALUES', valx might be valid */
++		for ( i = 0, rdip = &rd->rd_item;
++			*rdip && (c->valx < 0 || i < c->valx);
++			rdip = &(*rdip)->rdi_next, i++ )
++			/* go to position */ ;
+ 
+ 		
++		rdi.rdi_next = *rdip;
+ 		*rdip = ( retcode_item_t * )ch_malloc( sizeof( retcode_item_t ) );
+ 		*(*rdip) = rdi;
+ 
+-- 
+2.33.0
+

backport-ITS-9763-Maintain-values-in-order-of-insertion.patch

@@ -0,0 +1,30 @@
+From e87569f983ef751057c3a80eba3e30a2e14907a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 8 Dec 2021 17:14:50 +0000
+Subject: [PATCH] ITS#9763 Maintain values in order of insertion
+
+---
+ servers/slapd/overlays/refint.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/overlays/refint.c b/servers/slapd/overlays/refint.c
+index 20f9ef1e9..2e49a94be 100644
+--- a/servers/slapd/overlays/refint.c
++++ b/servers/slapd/overlays/refint.c
+@@ -249,8 +249,11 @@ refint_cf_gen(ConfigArgs *c)
+ 					ip = ch_malloc (
+ 						sizeof ( refint_attrs ) );
+ 					ip->attr = ad;
+-					ip->next = dd->attrs;
+-					dd->attrs = ip;
++
++					for ( pipp = &dd->attrs; *pipp; pipp = &(*pipp)->next )
++						/* Get to the end */ ;
++					ip->next = *pipp;
++					*pipp = ip;
+ 				} else {
+ 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ 						"%s <%s>: %s", c->argv[0], c->argv[i], text );
+-- 
+2.33.0
+

backport-ITS-9763-Warn-for-unsupported-configs.patch

@@ -0,0 +1,31 @@
+From 303d3d4028e9fd0e5939bb5d7d1bb9c3fd5f5002 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Tue, 4 Jan 2022 14:05:51 +0000
+Subject: [PATCH] ITS#9763 Warn for unsupported configs
+
+---
+ servers/slapd/overlays/refint.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/servers/slapd/overlays/refint.c b/servers/slapd/overlays/refint.c
+index 04aa1f7ad..6f966a7ea 100644
+--- a/servers/slapd/overlays/refint.c
++++ b/servers/slapd/overlays/refint.c
+@@ -242,6 +242,14 @@ refint_cf_gen(ConfigArgs *c)
+ 		switch ( c->type ) {
+ 		case REFINT_ATTRS:
+ 			rc = 0;
++			if ( c->op != SLAP_CONFIG_ADD && c->argc > 2 ) {
++				/* We wouldn't know how to delete these values later */
++				Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
++					"Supplying multiple names in a single %s value is "
++					"unsupported and will be disallowed in a future version\n",
++					c->argv[0] );
++			}
++
+ 			for ( i=1; i < c->argc; ++i ) {
+ 				ad = NULL;
+ 				if ( slap_str2ad ( c->argv[i], &ad, &text )
+-- 
+2.33.0
+

backport-ITS-9770-slapo-constraint-Maintain-values-in-order-o.patch

@@ -0,0 +1,42 @@
+From 3ca8d6d388ddda5d8f1cfb3e6b354493bc4e3d72 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Fri, 10 Dec 2021 11:46:50 +0000
+Subject: [PATCH] ITS#9770 slapo-constraint: Maintain values in order of
+ insertion
+
+---
+ servers/slapd/overlays/constraint.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
+index 246769f67..c4ae8fffc 100644
+--- a/servers/slapd/overlays/constraint.c
++++ b/servers/slapd/overlays/constraint.c
+@@ -537,8 +537,8 @@ constraint_cf_gen( ConfigArgs *c )
+ 
+ done:;
+ 			if ( rc == LDAP_SUCCESS ) {
+-				constraint *a2 = ch_calloc( sizeof(constraint), 1 );
+-				a2->ap_next = on->on_bi.bi_private;
++				constraint **app, *a2 = ch_calloc( sizeof(constraint), 1 );
++
+ 				a2->ap = ap.ap;
+ 				a2->type = ap.type;
+ 				a2->re = ap.re;
+@@ -556,7 +556,12 @@ done:;
+ 				a2->restrict_ndn = ap.restrict_ndn;
+ 				a2->restrict_filter = ap.restrict_filter;
+ 				a2->restrict_val = ap.restrict_val;
+-				on->on_bi.bi_private = a2;
++
++				for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
++					/* Get to the end */ ;
++
++				a2->ap_next = *app;
++				*app = a2;
+ 
+ 			} else {
+ 				Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
+-- 
+2.33.0
+

backport-ITS-9772-Allow-objectClass-edits-that-don-t-actually.patch

@@ -0,0 +1,69 @@
+From 2443e986d1bee1266412ee324b821ab356301e72 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 13 Jan 2022 11:03:47 +0000
+Subject: [PATCH] ITS#9772 Allow objectClass edits that don't actually change
+ them
+
+---
+ servers/slapd/bconfig.c | 45 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 3b1a4b3bc..7b6840be3 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -5895,8 +5895,49 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
+ 	if ( !oc_at ) return LDAP_OBJECT_CLASS_VIOLATION;
+ 
+ 	for (ml = op->orm_modlist; ml; ml=ml->sml_next) {
+-		if (ml->sml_desc == slap_schema.si_ad_objectClass)
+-			return rc;
++		if (ml->sml_desc == slap_schema.si_ad_objectClass) {
++			/* We'd be fine comparing the structural objectclass before and
++			 * after, but AUXILIARY ocs exist so we have to check them all */
++			unsigned int i, j;
++
++			if ( ml->sml_numvals != oc_at->a_numvals ) {
++				snprintf( ca->cr_msg, sizeof(ca->cr_msg),
++					"objectclass modification disallowed" );
++				return LDAP_UNWILLING_TO_PERFORM;
++			}
++
++			for ( i = 0; i < oc_at->a_numvals; i++ ) {
++				ObjectClass *new_oc, *old_oc = oc_bvfind( &oc_at->a_vals[i] );
++				int found = 0;
++
++				if ( old_oc == NULL ) {
++					snprintf( ca->cr_msg, sizeof(ca->cr_msg),
++						"no objectClass named %s",
++						oc_at->a_vals[i].bv_val );
++					return LDAP_OBJECT_CLASS_VIOLATION;
++				}
++				for ( j = 0; j < ml->sml_numvals; j++ ) {
++					new_oc = oc_bvfind( &ml->sml_values[j] );
++					if ( new_oc == NULL ) {
++						snprintf( ca->cr_msg, sizeof(ca->cr_msg),
++							"no objectClass named %s",
++							ml->sml_values[j].bv_val );
++						return LDAP_OBJECT_CLASS_VIOLATION;
++					}
++
++					if ( old_oc == new_oc ) {
++						found = 1;
++						break;
++					}
++				}
++
++				if ( !found ) {
++					snprintf( ca->cr_msg, sizeof(ca->cr_msg),
++						"objectclass modification disallowed" );
++					return LDAP_UNWILLING_TO_PERFORM;
++				}
++			}
++		}
+ 	}
+ 
+ 	colst = count_ocs( oc_at, &nocs );
+-- 
+2.33.0
+

backport-ITS-9781-Relax-refcount-assertion-for-referrals.patch

@@ -0,0 +1,29 @@
+From f4e74d51f5cb02769c02230d1d78692c859c5fb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 19 Jan 2022 10:26:45 +0000
+Subject: [PATCH] ITS#9781 Relax refcount assertion for referrals
+
+---
+ libraries/libldap/request.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
+index b72b875b4..95e402a70 100644
+--- a/libraries/libldap/request.c
++++ b/libraries/libldap/request.c
+@@ -1667,9 +1667,9 @@ ldap_find_request_by_msgid( LDAP *ld, ber_int_t msgid )
+ 
+ 	lr = ldap_tavl_find( ld->ld_requests, &needle, ldap_req_cmp );
+ 	if ( lr != NULL && lr->lr_status != LDAP_REQST_COMPLETED ) {
+-		/* try_read1msg is the only user at the moment and we would free it
+-		 * multiple times if retrieving the request again */
+-		assert( lr->lr_refcnt == 0 );
++		/* lr_refcnt is only negative when we removed it from ld_requests
++		 * already, it is positive if we have sub-requests (referrals) */
++		assert( lr->lr_refcnt >= 0 );
+ 		lr->lr_refcnt++;
+ 		Debug3( LDAP_DEBUG_TRACE, "ldap_find_request_by_msgid: "
+ 				"msgid %d, lr %p lr->lr_refcnt = %d\n",
+-- 
+2.33.0
+

backport-ITS-9799-Clear-c_n_ops_pending-after-we-ve-flushed-c.patch

@@ -0,0 +1,25 @@
+From 0806f69c8c6ac6946c88356f65d9120bf43bdfa4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
+Date: Thu, 10 Feb 2022 17:30:17 +0000
+Subject: [PATCH] ITS#9799 Clear c_n_ops_pending after we've flushed
+ c_pending_ops
+
+---
+ servers/slapd/connection.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index c739614fe..44ec5b42e 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -734,6 +734,7 @@ static void connection_abandon( Connection *c )
+ 		LDAP_STAILQ_NEXT(o, o_next) = NULL;
+ 		slap_op_free( o, NULL );
+ 	}
++	c->c_n_ops_pending = 0;
+ }
+ 
+ static void
+-- 
+2.33.0
+

backport-ITS-9799-Drop-a-bind-connection-if-there-s-a-timeout.patch

@@ -0,0 +1,40 @@
+From 34ebfac7efd2493f8f4db700b19145986f5112fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 2 Mar 2022 11:44:01 +0000
+Subject: [PATCH] ITS#9799 Drop a bind connection if there's a timeout
+
+---
+ servers/lloadd/operation.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/servers/lloadd/operation.c b/servers/lloadd/operation.c
+index 3414d1d6e..0f875bb8e 100644
+--- a/servers/lloadd/operation.c
++++ b/servers/lloadd/operation.c
+@@ -616,19 +616,20 @@ connection_timeout( LloadConnection *upstream, void *arg )
+                                                LDAP_ADMINLIMIT_EXCEEDED,
+                 "upstream did not respond in time", 0 );
+ 
+-        if ( rc == LDAP_SUCCESS ) {
++        if ( upstream->c_type != LLOAD_C_BIND && rc == LDAP_SUCCESS ) {
+             rc = operation_send_abandon( op, upstream );
+         }
+         operation_unlink( op );
+     }
+ 
+-    /* TODO: if operation_send_abandon failed, we need to kill the upstream */
+     if ( rc == LDAP_SUCCESS ) {
+         connection_write_cb( -1, 0, upstream );
+     }
+ 
+     CONNECTION_LOCK(upstream);
+-    if ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) {
++    /* ITS#9799: If a Bind timed out, connection is in an unknown state */
++    if ( upstream->c_type == LLOAD_C_BIND || rc != LDAP_SUCCESS ||
++            ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) ) {
+         CONNECTION_DESTROY(upstream);
+     } else {
+         CONNECTION_UNLOCK(upstream);
+-- 
+2.33.0
+

backport-ITS-9802-Fix-argv-handling.patch

@@ -0,0 +1,104 @@
+From 1f5f97d69e76d1db20861fcf28cd0d330352c4bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Tue, 19 Apr 2022 11:02:10 +0100
+Subject: [PATCH] ITS#9802 Fix argv handling
+
+---
+ servers/slapd/back-meta/config.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
+index c38dce1cf..6b1e60779 100644
+--- a/servers/slapd/back-meta/config.c
++++ b/servers/slapd/back-meta/config.c
+@@ -2664,7 +2664,6 @@ idassert-authzFrom	"dn:<rootdn>"
+ 				assert( rc == 0 );
+ 				ch_free( ca.tline );
+ 			}
+-			ch_free( ca.argv );
+ 		}
+ 		argc = c->argc;
+ 		argv = c->argv;
+@@ -2730,7 +2729,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 	case LDAP_BACK_CFG_MAP: {
+ 	/* objectclass/attribute mapping */
+ 		ConfigArgs ca = { 0 };
+-		char *argv[5];
++		char *argv[5], **argvp;
+ 		struct ldapmap rwm_oc;
+ 		struct ldapmap rwm_at;
+ 		int cnt = 0, ix = c->valx;
+@@ -2763,7 +2762,8 @@ idassert-authzFrom	"dn:<rootdn>"
+ 				argv[2] = ca.argv[1];
+ 				argv[3] = ca.argv[2];
+ 				argv[4] = ca.argv[3];
+-				ch_free( ca.argv );
++
++				argvp = ca.argv;
+ 				ca.argv = argv;
+ 				ca.argc++;
+ 				rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
+@@ -2771,7 +2771,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 
+ 				ch_free( ca.tline );
+ 				ca.tline = NULL;
+-				ca.argv = NULL;
++				ca.argv = argvp;
+ 
+ 				/* in case of failure, restore
+ 				 * the existing mapping */
+@@ -2788,7 +2788,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 		}
+ 
+ 		if ( ix < cnt ) {
+-			for ( ; i<cnt ; cnt++ ) {
++			for ( ; i<cnt ; i++ ) {
+ 				ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val;
+ 				ca.argc = 0;
+ 				config_fp_parse_line( &ca );
+@@ -2798,7 +2798,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 				argv[3] = ca.argv[2];
+ 				argv[4] = ca.argv[3];
+ 
+-				ch_free( ca.argv );
++				argvp = ca.argv;
+ 				ca.argv = argv;
+ 				ca.argc++;
+ 				rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc,
+@@ -2806,7 +2806,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 
+ 				ch_free( ca.tline );
+ 				ca.tline = NULL;
+-				ca.argv = NULL;
++				ca.argv = argvp;
+ 
+ 				/* in case of failure, restore
+ 				 * the existing mapping */
+@@ -2814,6 +2814,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 					goto map_fail;
+ 				}
+ 			}
++			ch_free( ca.argv );
+ 		}
+ 
+ 		/* save the map info */
+@@ -2825,7 +2826,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 			/* move it to the right slot */
+ 			if ( ix < cnt ) {
+ 				for ( i=cnt; i>ix; i-- )
+-					mt->mt_rwmap.rwm_bva_map[i+1] = mt->mt_rwmap.rwm_bva_map[i];
++					mt->mt_rwmap.rwm_bva_map[i] = mt->mt_rwmap.rwm_bva_map[i-1];
+ 				mt->mt_rwmap.rwm_bva_map[i] = bv;
+ 
+ 				/* destroy old mapping */
+@@ -2841,6 +2842,7 @@ map_fail:;
+ 			meta_back_map_free( &mt->mt_rwmap.rwm_at );
+ 			mt->mt_rwmap.rwm_oc = rwm_oc;
+ 			mt->mt_rwmap.rwm_at = rwm_at;
++			ch_free( ca.argv );
+ 		}
+ 		} break;
+ 
+-- 
+2.33.0
+

backport-ITS-9802-slapd-ldap-meta-async-meta-plug-memleak-in-.patch

@@ -0,0 +1,72 @@
+From f0a6465f2369696f02dbf2453a6a50089b1558a5 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 21 Mar 2022 12:59:07 +0000
+Subject: [PATCH] ITS#9802 slapd-ldap/meta/async-meta: plug memleak in
+ keepalive config
+
+---
+ servers/slapd/back-asyncmeta/config.c | 8 +++++---
+ servers/slapd/back-ldap/config.c      | 8 +++++---
+ servers/slapd/back-meta/config.c      | 8 +++++---
+ 3 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c
+index 69f134b2b..e4cc5eab7 100644
+--- a/servers/slapd/back-asyncmeta/config.c
++++ b/servers/slapd/back-asyncmeta/config.c
+@@ -2498,9 +2498,11 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
+ 		break;
+ #endif /* SLAPD_META_CLIENT_PR */
+ 
+-	case LDAP_BACK_CFG_KEEPALIVE:
+-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
+-				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[1], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
++		}
+ 		break;
+ 
+ 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
+index 07fe8e9f1..fb97e8ea3 100644
+--- a/servers/slapd/back-ldap/config.c
++++ b/servers/slapd/back-ldap/config.c
+@@ -2051,9 +2051,11 @@ done_url:;
+ 		}
+ 		break;
+ 
+-	case LDAP_BACK_CFG_KEEPALIVE:
+-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
+-				 &li->li_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[1], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &li->li_tls.sb_keepalive, 0, 0, 0 );
++		}
+ 		break;
+ 
+ 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
+index 0f876e77f..c38dce1cf 100644
+--- a/servers/slapd/back-meta/config.c
++++ b/servers/slapd/back-meta/config.c
+@@ -2913,9 +2913,11 @@ map_fail:;
+ 		break;
+ #endif /* SLAPD_META_CLIENT_PR */
+ 
+-	case LDAP_BACK_CFG_KEEPALIVE:
+-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
+-				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
++	case LDAP_BACK_CFG_KEEPALIVE: {
++		struct berval bv;
++		ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
++		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
++		}
+ 		break;
+ 
+ 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:
+-- 
+2.33.0
+

backport-ITS-9802-slapd-meta-fix-rewrite-config-SEGV.patch

@@ -0,0 +1,38 @@
+From d878ebc3d264dcecb211cf7aacd9d079bd5c5a50 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 15 Mar 2022 16:46:09 +0000
+Subject: [PATCH] ITS#9802 slapd-meta: fix rewrite config SEGV
+
+---
+ servers/slapd/back-meta/config.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
+index 51d090ff0..ad7fbce44 100644
+--- a/servers/slapd/back-meta/config.c
++++ b/servers/slapd/back-meta/config.c
+@@ -2662,9 +2662,9 @@ idassert-authzFrom	"dn:<rootdn>"
+ 						c->fname, c->lineno, ca.argc, ca.argv );
+ 				}
+ 				assert( rc == 0 );
+-				ch_free( ca.argv );
+ 				ch_free( ca.tline );
+ 			}
++			ch_free( ca.argv );
+ 		}
+ 		argc = c->argc;
+ 		argv = c->argv;
+@@ -2699,9 +2699,9 @@ idassert-authzFrom	"dn:<rootdn>"
+ 						c->fname, c->lineno, ca.argc, argv );
+ 				}
+ 				assert( rc == 0 );
+-				ch_free( ca.argv );
+ 				ch_free( ca.tline );
+ 			}
++			ch_free( ca.argv );
+ 		}
+ 
+ 		/* save the rule info */
+-- 
+2.33.0
+

backport-ITS-9802-slapd-meta-fix-rewrite-config-ordering.patch

@@ -0,0 +1,25 @@
+From e9b11154ee6526d8b1b56004f8ec9a4b82a333fe Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 15 Mar 2022 16:46:09 +0000
+Subject: [PATCH] ITS#9802 slapd-meta: fix rewrite config ordering
+
+---
+ servers/slapd/back-meta/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
+index ad7fbce44..0f876e77f 100644
+--- a/servers/slapd/back-meta/config.c
++++ b/servers/slapd/back-meta/config.c
+@@ -2718,7 +2718,7 @@ idassert-authzFrom	"dn:<rootdn>"
+ 			/* move it to the right slot */
+ 			if ( ix < cnt ) {
+ 				for ( i=cnt; i>ix; i-- )
+-					mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i];
++					mt->mt_rwmap.rwm_bva_rewrite[i] = mt->mt_rwmap.rwm_bva_rewrite[i-1];
+ 				mt->mt_rwmap.rwm_bva_rewrite[i] = bv;
+ 
+ 				/* destroy old rules */
+-- 
+2.33.0
+

backport-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch

@@ -0,0 +1,44 @@
+From e8813b12b6188d5ba5f174ff8726c438c8ca4bfd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 7 Mar 2022 10:06:49 +0000
+Subject: [PATCH] ITS#9803 Drop connection when receiving non-LDAP data
+
+---
+ libraries/libldap/result.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index c1b4a457f..40ff1c172 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -506,6 +506,16 @@ nextresp3:
+ 		lc->lconn_ber = NULL;
+ 		break;
+ 
++	default:
++		/*
++		 * We read a BerElement that isn't LDAP or the stream has desync'd.
++		 * In either case, anything we read from now on is probably garbage,
++		 * just drop the connection.
++		 */
++		ber_free( ber, 1 );
++		lc->lconn_ber = NULL;
++		/* FALLTHRU */
++
+ 	case LBER_DEFAULT:
+ fail:
+ 		err = sock_errno();
+@@ -521,10 +531,6 @@ fail:
+ 		}
+ 		lc->lconn_status = 0;
+ 		return -1;
+-
+-	default:
+-		ld->ld_errno = LDAP_LOCAL_ERROR;
+-		return -1;
+ 	}
+ 
+ 	/* message id */
+-- 
+2.33.0
+

backport-ITS-9809-pcache-mdb-fix-SEGV-in-monitor-shutdown.patch

@@ -0,0 +1,53 @@
+From e29ba72c5675b7465c3fca95e1c3f3360efa3a97 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 10 Mar 2022 15:26:04 +0000
+Subject: [PATCH] ITS#9809: pcache, mdb: fix SEGV in monitor shutdown
+
+---
+ servers/slapd/back-mdb/monitor.c | 3 ++-
+ servers/slapd/overlays/pcache.c  | 5 +++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/servers/slapd/back-mdb/monitor.c b/servers/slapd/back-mdb/monitor.c
+index 7f26074f5..fc77bc60e 100644
+--- a/servers/slapd/back-mdb/monitor.c
++++ b/servers/slapd/back-mdb/monitor.c
+@@ -578,10 +578,11 @@ mdb_monitor_db_close( BackendDB *be )
+ 		monitor_extra_t		*mbe;
+ 
+ 		if ( mi && mi->bi_extra ) {
++			struct berval dummy = BER_BVNULL;
+ 			mbe = mi->bi_extra;
+ 			mbe->unregister_entry_callback( &mdb->mi_monitor.mdm_ndn,
+ 				(monitor_callback_t *)mdb->mi_monitor.mdm_cb,
+-				NULL, 0, NULL );
++				&dummy, 0, &dummy );
+ 		}
+ 
+ 		memset( &mdb->mi_monitor, 0, sizeof( mdb->mi_monitor ) );
+diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
+index fa70d5d2d..fcf29c60b 100644
+--- a/servers/slapd/overlays/pcache.c
++++ b/servers/slapd/overlays/pcache.c
+@@ -5660,15 +5660,16 @@ pcache_monitor_db_close( BackendDB *be )
+ 	slap_overinst *on = (slap_overinst *)be->bd_info;
+ 	cache_manager *cm = on->on_bi.bi_private;
+ 
+-	if ( cm->monitor_cb != NULL ) {
++	if ( !BER_BVISNULL( &cm->monitor_ndn )) {
+ 		BackendInfo		*mi = backend_info( "monitor" );
+ 		monitor_extra_t		*mbe;
+ 
+ 		if ( mi && mi->bi_extra ) {
++			struct berval dummy = BER_BVNULL;
+ 			mbe = mi->bi_extra;
+ 			mbe->unregister_entry_callback( &cm->monitor_ndn,
+ 				(monitor_callback_t *)cm->monitor_cb,
+-				NULL, 0, NULL );
++				&dummy, 0, &dummy );
+ 		}
+ 	}
+ 
+-- 
+2.33.0
+

backport-ITS-9811-Allow-newlines-at-end-of-included-file.patch

@@ -0,0 +1,35 @@
+From 0dae0704c01adb8b336d35647e75b45c0c21cc10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Fri, 18 Mar 2022 14:51:45 +0000
+Subject: [PATCH] ITS#9811 Allow newlines at end of included file
+
+---
+ libraries/libldap/ldif.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
+index 7ca5e32cf..900a97960 100644
+--- a/libraries/libldap/ldif.c
++++ b/libraries/libldap/ldif.c
+@@ -796,6 +796,7 @@ ldif_read_record(
+ 		 * back to a previous file. (return from an include)
+ 		 */
+ 		while ( feof( lfp->fp )) {
++pop:
+ 			if ( lfp->prev ) {
+ 				LDIFFP *tmp = lfp->prev;
+ 				fclose( lfp->fp );
+@@ -808,6 +809,10 @@ ldif_read_record(
+ 		}
+ 		if ( !stop ) {
+ 			if ( fgets( line, sizeof( line ), lfp->fp ) == NULL ) {
++				if ( !found_entry && !ferror( lfp->fp ) ) {
++					/* ITS#9811 Reached the end looking for an entry, try again */
++					goto pop;
++				}
+ 				stop = 1;
+ 				len = 0;
+ 			} else {
+-- 
+2.33.0
+

backport-ITS-9818-Duplicate-substring-filters-correctly.patch

@@ -0,0 +1,74 @@
+From f7bdf7aaf40b9b9c7825fc614fb09e836f8df8d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 11 Apr 2022 16:57:59 +0100
+Subject: [PATCH] ITS#9818 Duplicate substring filters correctly
+
+---
+ servers/slapd/overlays/translucent.c | 24 +++++++++++++++++++++++-
+ tests/scripts/test034-translucent    |  8 ++++++++
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
+index 01786bf10..d0402fe14 100644
+--- a/servers/slapd/overlays/translucent.c
++++ b/servers/slapd/overlays/translucent.c
+@@ -1000,7 +1000,6 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
+ 	case LDAP_FILTER_GE:
+ 	case LDAP_FILTER_LE:
+ 	case LDAP_FILTER_APPROX:
+-	case LDAP_FILTER_SUBSTRINGS:
+ 	case LDAP_FILTER_EXT:
+ 		if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
+ 			AttributeAssertion *nava;
+@@ -1017,6 +1016,29 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an)
+ 		}
+ 		break;
+ 
++	case LDAP_FILTER_SUBSTRINGS:
++		if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) {
++			SubstringsAssertion *nsub;
++
++			n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
++			n->f_choice = f->f_choice;
++
++			nsub = op->o_tmpalloc( sizeof(SubstringsAssertion), op->o_tmpmemctx );
++			*nsub = *f->f_sub;
++			n->f_sub = nsub;
++
++			if ( !BER_BVISNULL( &f->f_sub_initial ))
++				ber_dupbv_x( &n->f_sub_initial, &f->f_sub_initial, op->o_tmpmemctx );
++
++			ber_bvarray_dup_x( &n->f_sub_any, f->f_sub_any, op->o_tmpmemctx );
++
++			if ( !BER_BVISNULL( &f->f_sub_final ))
++				ber_dupbv_x( &n->f_sub_final, &f->f_sub_final, op->o_tmpmemctx );
++
++			n->f_next = NULL;
++		}
++		break;
++
+ 	case LDAP_FILTER_AND:
+ 	case LDAP_FILTER_OR:
+ 	case LDAP_FILTER_NOT: {
+diff --git a/tests/scripts/test034-translucent b/tests/scripts/test034-translucent
+index 511ebeddc..8b834d989 100755
+--- a/tests/scripts/test034-translucent
++++ b/tests/scripts/test034-translucent
+@@ -755,6 +755,14 @@ if test -z "$ATTR" ; then
+ 	exit 1
+ fi
+ 
++$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consult*)" > $SEARCHOUT 2>&1
++ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1
++if test -z "$ATTR" ; then
++	echo "got no result, should have found entry"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
+ echo "Testing search: unconfigured remote filter..."
+ $LDAPSEARCH -H $URI2 -b "o=translucent" "(|(employeeType=foo)(carlicense=right))" > $SEARCHOUT 2>&1
+ 
+-- 
+2.33.0
+

backport-ITS-9823-Check-minCSN-when-setting-up-delta-log-repl.patch

@@ -0,0 +1,80 @@
+From c64e663518988afbe5c5414ebb1a06a1864cf414 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Fri, 22 Apr 2022 14:14:16 +0100
+Subject: [PATCH] ITS#9823 Check minCSN when setting up delta-log replay
+
+---
+ servers/slapd/overlays/syncprov.c | 59 ++++++++++++++++++++++++++-----
+ 1 file changed, 51 insertions(+), 8 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 4b6358fdd..f6ab09949 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -3342,7 +3336,55 @@ no_change:	if ( !(op->o_sync_mode & SLAP_SYNC_PERSIST) ) {
+ 					numcsns, sids, &mincsn, minsid ) ) {
+ 				do_present = SS_PRESENT;
+ 			}
++		} else if ( si->si_nopres && si->si_usehint ) {
++			/* We are instructed to trust minCSN if it exists. */
++			Entry *e;
++			Attribute *a = NULL;
++			int rc;
++
++			/*
++			 * ITS#9580 FIXME: when we've figured out and split the
++			 * sessionlog/deltalog tracking, use the appropriate attribute
++			 */
++			rc = overlay_entry_get_ov( op, &op->o_bd->be_nsuffix[0], NULL,
++					ad_minCSN, 0, &e, on );
++			if ( rc == LDAP_SUCCESS && e != NULL ) {
++				a = attr_find( e->e_attrs, ad_minCSN );
++			}
++
++			if ( a != NULL ) {
++				int *minsids;
++
++				minsids = slap_parse_csn_sids( a->a_vals, a->a_numvals, op->o_tmpmemctx );
++				slap_sort_csn_sids( a->a_vals, minsids, a->a_numvals, op->o_tmpmemctx );
++
++				for ( i=0, j=0; i < a->a_numvals; i++ ) {
++					while ( j < numcsns && minsids[i] > sids[j] ) j++;
++					if ( j < numcsns && minsids[i] == sids[j] &&
++							ber_bvcmp( &a->a_vals[i], &srs->sr_state.ctxcsn[j] ) <= 0 ) {
++						/* minCSN for this serverID is contained, keep going */
++						continue;
++					}
++					/*
++					 * Log DB's minCSN claims we can only replay from a certain
++					 * CSN for this serverID, but consumer's cookie hasn't met that
++					 * threshold: they need to refresh
++					 */
++					Debug( LDAP_DEBUG_SYNC, "%s syncprov_op_search: "
++						"consumer not within recorded mincsn for DB's mincsn=%s\n",
++						op->o_log_prefix, a->a_vals[i].bv_val );
++					rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
++					rs->sr_text = "sync cookie is stale";
++					slap_sl_free( minsids, op->o_tmpmemctx );
++					overlay_entry_release_ov( op, e, 0, on );
++					goto bailout;
++				}
++				slap_sl_free( minsids, op->o_tmpmemctx );
++			}
++			if ( e != NULL )
++				overlay_entry_release_ov( op, e, 0, on );
+ 		}
++
+ 		/*
+ 		 * If sessionlog wasn't useful, see if we can find at least one entry
+ 		 * that hasn't changed based on the cookie.
+@@ -3787,6 +3829,7 @@ sp_cf_gen(ConfigArgs *c)
+ 		break;
+ 	case SP_USEHINT:
+ 		si->si_usehint = c->value_int;
++		rc = syncprov_setup_accesslog();
+ 		break;
+ 	case SP_LOGDB:
+ 		if ( si->si_logs ) {
+-- 
+2.33.0
+

backport-ITS-9823-Only-request-minCSN-if-accesslog-is-around.patch

@@ -0,0 +1,37 @@
+From 207604c0b5a5f22562285b889f8687a6bc9a272b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 7 Jul 2022 21:31:03 +0100
+Subject: [PATCH] ITS#9823 Only request minCSN if accesslog is around
+
+---
+ servers/slapd/overlays/syncprov.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index f6ab09949..5fc39bf17 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -3336,7 +3336,7 @@ no_change:	if ( !(op->o_sync_mode & SLAP_SYNC_PERSIST) ) {
+ 					numcsns, sids, &mincsn, minsid ) ) {
+ 				do_present = SS_PRESENT;
+ 			}
+-		} else if ( si->si_nopres && si->si_usehint ) {
++		} else if ( ad_minCSN != NULL && si->si_nopres && si->si_usehint ) {
+ 			/* We are instructed to trust minCSN if it exists. */
+ 			Entry *e;
+ 			Attribute *a = NULL;
+@@ -3829,7 +3829,10 @@ sp_cf_gen(ConfigArgs *c)
+ 		break;
+ 	case SP_USEHINT:
+ 		si->si_usehint = c->value_int;
+-		rc = syncprov_setup_accesslog();
++		if ( si->si_usehint ) {
++			/* Consider we might be a delta provider, but it's ok if not */
++			(void)syncprov_setup_accesslog();
++		}
+ 		break;
+ 	case SP_LOGDB:
+ 		if ( si->si_logs ) {
+-- 
+2.33.0
+

backport-ITS-9831-Advance-connections-index-correctly.patch

@@ -0,0 +1,32 @@
+From 15573c72fc3f373624bff05d8b29e57f6eb82a58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 25 Apr 2022 16:53:25 +0100
+Subject: [PATCH] ITS#9831 Advance connections[index] correctly
+
+---
+ servers/slapd/connection.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index e2f3a811e..9b363fe13 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -871,13 +871,14 @@ Connection* connection_next( Connection *c, ber_socket_t *index )
+ 
+ 	for(; *index < dtblsize; (*index)++) {
+ 		if( connections[*index].c_sb ) {
+-			c = &connections[(*index)++];
++			c = &connections[*index];
+ 			ldap_pvt_thread_mutex_lock( &c->c_mutex );
+ 			if ( c->c_conn_state == SLAP_C_INVALID ) {
+ 				ldap_pvt_thread_mutex_unlock( &c->c_mutex );
+ 				c = NULL;
+ 				continue;
+ 			}
++			(*index)++;
+ 			break;
+ 		}
+ 	}
+-- 
+2.33.0
+

backport-ITS-9858-back-mdb-delay-indexer-task-startup.patch

@@ -0,0 +1,108 @@
+From 9e5701cdd76154fb8ffb2f7594927c30ee9f896d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 2 Jun 2022 15:55:06 +0100
+Subject: [PATCH] ITS#9858 back-mdb: delay indexer task startup
+
+until after monitor backend is set up.
+---
+ servers/slapd/back-mdb/config.c    | 14 +++++++++++---
+ servers/slapd/back-mdb/init.c      |  6 +++++-
+ servers/slapd/back-mdb/proto-mdb.h |  3 ++-
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
+index 54361a5ea..1b3cf98fe 100644
+--- a/servers/slapd/back-mdb/config.c
++++ b/servers/slapd/back-mdb/config.c
+@@ -400,20 +400,20 @@ done:
+ 	return rc;
+ }
+ 
+-void
++int
+ mdb_resume_index( BackendDB *be, MDB_txn *txn )
+ {
+ 	struct mdb_info *mdb = be->be_private;
+ 	MDB_cursor *curs;
+ 	MDB_val key, data;
+-	int i, rc;
++	int i, rc, do_task = 0;
+ 	unsigned short *s;
+ 	slap_mask_t *mask;
+ 	AttributeDescription *ad;
+ 
+ 	rc = mdb_cursor_open( txn, mdb->mi_idxckp, &curs );
+ 	if ( rc )
+-		return;
++		return 0;
+ 
+ 	while(( rc = mdb_cursor_get( curs, &key, &data, MDB_NEXT )) == 0) {
+ 		s = key.mv_data;
+@@ -425,11 +425,19 @@ mdb_resume_index( BackendDB *be, MDB_txn *txn )
+ 				mask = data.mv_data;
+ 				mdb->mi_attrs[i]->ai_indexmask = mask[0];
+ 				mdb->mi_attrs[i]->ai_newmask = mask[1];
++				do_task = 1;
+ 				break;
+ 			}
+ 		}
+ 	}
+ 	mdb_cursor_close( curs );
++	return do_task;
++}
++
++void
++mdb_start_index_task( BackendDB *be )
++{
++	struct mdb_info *mdb = be->be_private;
+ 	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
+ 	mdb->mi_index_task = ldap_pvt_runqueue_insert( &slapd_rq, 36000,
+ 		mdb_online_index, be,
+diff --git a/servers/slapd/back-mdb/init.c b/servers/slapd/back-mdb/init.c
+index 0a0137470..615f912e3 100644
+--- a/servers/slapd/back-mdb/init.c
++++ b/servers/slapd/back-mdb/init.c
+@@ -91,6 +91,7 @@ mdb_db_open( BackendDB *be, ConfigReply *cr )
+ 	unsigned flags;
+ 	char *dbhome;
+ 	MDB_txn *txn;
++	int do_index = 0;
+ 
+ 	if ( be->be_suffix == NULL ) {
+ 		Debug( LDAP_DEBUG_ANY,
+@@ -291,7 +292,7 @@ mdb_db_open( BackendDB *be, ConfigReply *cr )
+ 		MDB_stat st;
+ 		rc = mdb_stat( txn, mdb->mi_idxckp, &st );
+ 		if ( st.ms_entries )
+-			mdb_resume_index( be, txn );
++			do_index = mdb_resume_index( be, txn );
+ 	}
+ 
+ 	rc = mdb_txn_commit(txn);
+@@ -311,6 +312,9 @@ mdb_db_open( BackendDB *be, ConfigReply *cr )
+ 
+ 	mdb->mi_flags |= MDB_IS_OPEN;
+ 
++	if ( do_index )
++		mdb_start_index_task( be );
++
+ 	return 0;
+ 
+ fail:
+diff --git a/servers/slapd/back-mdb/proto-mdb.h b/servers/slapd/back-mdb/proto-mdb.h
+index a0806dd9d..58191e186 100644
+--- a/servers/slapd/back-mdb/proto-mdb.h
++++ b/servers/slapd/back-mdb/proto-mdb.h
+@@ -64,7 +64,8 @@ void mdb_ad_unwind( struct mdb_info *mdb, int prev_ads );
+  */
+ 
+ int mdb_back_init_cf( BackendInfo *bi );
+-void mdb_resume_index( BackendDB *be, MDB_txn *txn );
++int mdb_resume_index( BackendDB *be, MDB_txn *txn );
++void mdb_start_index_task( BackendDB *be );
+ 
+ /*
+  * dn2entry.c
+-- 
+2.33.0
+

backport-ITS-9858-back-mdb-fix-index-reconfig.patch

@@ -0,0 +1,81 @@
+From 395e9b250a1a430e788487f73b292c08fc28540c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 3 Jun 2022 00:48:50 +0100
+Subject: [PATCH] ITS#9858 back-mdb: fix index reconfig
+
+---
+ servers/slapd/back-mdb/attr.c   |  6 +++++-
+ servers/slapd/back-mdb/config.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/servers/slapd/back-mdb/attr.c b/servers/slapd/back-mdb/attr.c
+index 9567fb522..7219705b2 100644
+--- a/servers/slapd/back-mdb/attr.c
++++ b/servers/slapd/back-mdb/attr.c
+@@ -446,7 +446,11 @@ fail:
+ 					/* If this is leftover from a previous add, commit it */
+ 					if ( b->ai_newmask )
+ 						b->ai_indexmask = b->ai_newmask;
+-					b->ai_newmask = a->ai_newmask;
++					/* If the mask changed, remember it */
++					if ( b->ai_indexmask != a->ai_newmask )
++						b->ai_newmask = a->ai_newmask;
++					else	/* else ignore it */
++						b->ai_newmask = 0;
+ 					ch_free( a );
+ 					rc = 0;
+ 					continue;
+diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
+index 1b3cf98fe..48143ef4d 100644
+--- a/servers/slapd/back-mdb/config.c
++++ b/servers/slapd/back-mdb/config.c
+@@ -349,7 +349,7 @@ mdb_setup_indexer( struct mdb_info *mdb )
+ 	MDB_txn *txn;
+ 	MDB_cursor *curs;
+ 	MDB_val key, data;
+-	int i, rc;
++	int i, rc, changed = 0;
+ 	unsigned short s;
+ 
+ 	rc = mdb_txn_begin( mdb->mi_dbenv, NULL, 0, &txn );
+@@ -364,17 +364,6 @@ mdb_setup_indexer( struct mdb_info *mdb )
+ 	key.mv_size = sizeof( s );
+ 	key.mv_data = &s;
+ 
+-	/* set indexer task to start at first entry */
+-	{
+-		ID id = 0;
+-		s = 0;			/* key 0 records next entryID to index */
+-		data.mv_size = sizeof( ID );
+-		data.mv_data = &id;
+-		rc = mdb_cursor_put( curs, &key, &data, 0 );
+-		if ( rc )
+-			goto done;
+-	}
+-
+ 	/* record current and new index masks for all new index definitions */
+ 	{
+ 		slap_mask_t mask[2];
+@@ -389,8 +378,19 @@ mdb_setup_indexer( struct mdb_info *mdb )
+ 			rc = mdb_cursor_put( curs, &key, &data, 0 );
+ 			if ( rc )
+ 				goto done;
++			changed = 1;
+ 		}
+ 	}
++
++	/* set indexer task to start at first entry */
++	if ( changed ) {
++		ID id = 0;
++		s = 0;			/* key 0 records next entryID to index */
++		data.mv_size = sizeof( ID );
++		data.mv_data = &id;
++		rc = mdb_cursor_put( curs, &key, &data, 0 );
++	}
++
+ done:
+ 	mdb_cursor_close( curs );
+ 	if ( !rc )
+-- 
+2.33.0
+

backport-ITS-9863-Forward-lastbind-updates-if-configured.patch

@@ -0,0 +1,66 @@
+From fb1151573f8f597bb724df80de7a1664d1e646a4 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount <quanah@openldap.org>
+Date: Thu, 23 Jun 2022 17:03:07 +0000
+Subject: [PATCH] ITS#9863 - Forward lastbind updates if configured
+
+Mark lastbind operations as being on the frontendDB so that chaining configurations are honored.
+
+Make pwdLastSuccess flag SLAP_AT_MANAGEABLE
+---
+ servers/slapd/back-ldap/bind.c | 2 +-
+ servers/slapd/bind.c           | 5 ++---
+ servers/slapd/schema_prep.c    | 2 +-
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
+index cad7cfe69..02fb60ea3 100644
+--- a/servers/slapd/back-ldap/bind.c
++++ b/servers/slapd/back-ldap/bind.c
+@@ -1417,7 +1417,7 @@ retry_lock:;
+ 				sb->sb_realm.bv_val,
+ 				sb->sb_authcId.bv_val,
+ 				sb->sb_cred.bv_val,
+-				NULL );
++				sb->sb_authzId.bv_val );
+ 		if ( defaults == NULL ) {
+ 			rs->sr_err = LDAP_OTHER;
+ 			LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
+index 1a74a8cd4..4b8eda69b 100644
+--- a/servers/slapd/bind.c
++++ b/servers/slapd/bind.c
+@@ -472,9 +472,6 @@ fe_op_lastbind( Operation *op )
+ 	op2.o_dn = op->o_bd->be_rootdn;
+ 	op2.o_ndn = op->o_bd->be_rootndn;
+ 
+-	/*
+-	 * TODO: this is core+frontend, not everything works the same way?
+-	 */
+ 	/*
+ 	 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
+ 	 *
+@@ -485,6 +482,8 @@ fe_op_lastbind( Operation *op )
+ 	 * must be configured appropriately for this to be useful.
+ 	 */
+ 	if ( SLAP_SHADOW( op->o_bd ) ) {
++		op2.o_bd = frontendDB;
++
+ 		/* Must use Relax control since these are no-user-mod */
+ 		op2.o_relax = SLAP_CONTROL_CRITICAL;
+ 		op2.o_ctrls = ca;
+diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
+index 2c557905c..b8793f50f 100644
+--- a/servers/slapd/schema_prep.c
++++ b/servers/slapd/schema_prep.c
+@@ -1028,7 +1028,7 @@ static struct slap_schema_ad_map {
+ 			"SINGLE-VALUE "
+ 			"NO-USER-MODIFICATION "
+ 			"USAGE directoryOperation )",
+-		NULL, 0,
++		NULL, SLAP_AT_MANAGEABLE,
+ 		NULL, NULL,
+ 		NULL, NULL, NULL, NULL, NULL,
+ 		offsetof(struct slap_internal_schema, si_ad_pwdLastSuccess) },
+-- 
+2.33.0
+

backport-ITS-9863-Regression-test-case-for-pwdLastSuccess.patch

@@ -0,0 +1,897 @@
+From cfa6c07c0ef15fd218013859903401f04f953965 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount <quanah@openldap.org>
+Date: Mon, 27 Jun 2022 22:21:51 +0000
+Subject: [PATCH] ITS#9863 - Regression test case for pwdLastSuccess
+
+Define a regression test case for modifying pwdLastSuccess that also
+uses SASL/EXTERNAL for the chain database
+---
+ tests/data/regressions/its9863/db.ldif        |  39 +++
+ tests/data/regressions/its9863/its9863        | 292 ++++++++++++++++++
+ .../regressions/its9863/slapd-consumer.ldif   | 154 +++++++++
+ .../regressions/its9863/slapd-provider.ldif   | 117 +++++++
+ tests/data/tls/certs/ldap-server.crt          |  32 ++
+ tests/data/tls/create-crt.sh                  |  64 +++-
+ tests/data/tls/private/ldap-server.key        |  52 ++++
+ tests/run.in                                  |   3 +-
+ tests/scripts/defines.sh                      |   1 +
+ 9 files changed, 740 insertions(+), 14 deletions(-)
+ create mode 100644 tests/data/regressions/its9863/db.ldif
+ create mode 100755 tests/data/regressions/its9863/its9863
+ create mode 100644 tests/data/regressions/its9863/slapd-consumer.ldif
+ create mode 100644 tests/data/regressions/its9863/slapd-provider.ldif
+ create mode 100644 tests/data/tls/certs/ldap-server.crt
+ create mode 100644 tests/data/tls/private/ldap-server.key
+
+diff --git a/tests/data/regressions/its9863/db.ldif b/tests/data/regressions/its9863/db.ldif
+new file mode 100644
+index 000000000..c7c478bb8
+--- /dev/null
++++ b/tests/data/regressions/its9863/db.ldif
+@@ -0,0 +1,39 @@
++dn: dc=example,dc=com
++objectClass: top
++objectClass: organization
++objectClass: dcObject
++o: example
++dc: example
++
++dn: cn=replicator,dc=example,dc=com
++objectClass: top
++objectClass: organizationalRole
++objectClass: simpleSecurityObject
++cn: replicator
++description: Replication user
++userPassword: secret
++
++dn: cn=ldap-server,dc=example,dc=com
++objectClass: top
++objectClass: organizationalRole
++objectClass: simpleSecurityObject
++cn: ldap-server
++description: ldap-server sasl object
++userPassword: secret
++authzTo: {0}dn.regex:^(.+,)+dc=example,dc=com$
++
++dn: ou=people,dc=example,dc=com
++objectClass: top
++objectClass: organizationalUnit
++ou: people
++
++dn: uid=test,ou=people,dc=example,dc=com
++objectClass: top
++objectClass: person
++objectClass: inetOrgPerson
++cn: test test
++uid: test
++sn: Test
++givenName: Test
++userPassword: secret
++
+diff --git a/tests/data/regressions/its9863/its9863 b/tests/data/regressions/its9863/its9863
+new file mode 100755
+index 000000000..d6b479515
+--- /dev/null
++++ b/tests/data/regressions/its9863/its9863
+@@ -0,0 +1,292 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 2022 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++ITS=9863
++ITSDIR=$DATADIR/regressions/its$ITS
++
++if test $BACKLDAP = "ldapno" ; then
++	echo "LDAP backend not available, test skipped"
++	exit 0
++fi
++if test $SYNCPROV = "syncprovno" ; then
++	echo "syncprov overlay not available, test skipped"
++	exit 0
++fi
++if test $AUDITLOG = "auditlogno" ; then
++	echo "auditlog overlay not available, test skipped"
++	exit 0
++fi
++if test $UNIQUE = "uniqueno" ; then
++	echo "unique overlay not available, test skipped"
++	exit 0
++fi
++if test $CONSTRAINT = "constraintno" ; then
++	echo "constraint overlay not available, test skipped"
++	exit 0
++fi
++
++echo "This test checks slapo-chain behavior when forwarding lastbind"
++echo "information to a provider as the rootdn when using a SASL mechanism"
++echo "and authzto to allow identity assumption"
++echo "Test #1 ensures that authzid in IDAssertBind is working correctly."
++echo "Test #2 ensures that ACLbind works correctly."
++
++PDIR=$TESTDIR/prov
++CDIR=$TESTDIR/cons
++mkdir -p $TESTDIR $PDIR/db $PDIR/slapd.d
++mkdir -p $CDIR/db $CDIR/slapd.d
++
++$SLAPPASSWD -g -n >$CONFIGPWF
++
++cp -r $DATADIR/tls $TESTDIR
++cp $ITSDIR/db.ldif $TESTDIR
++
++#
++# Start slapd that acts as a remote LDAP server that will be proxied
++#
++echo "Running slapadd to build database on the provider..."
++. $CONFFILTER $BACKEND <  $ITSDIR/slapd-provider.ldif > $CONFLDIF
++$SLAPADD -F $PDIR/slapd.d -n 0 -l $CONFLDIF
++$SLAPADD -F $PDIR/slapd.d -q -b $BASEDN -l $TESTDIR/db.ldif
++RC=$?
++if test $RC != 0 ; then
++	echo "slapadd failed ($RC)!"
++	exit $RC
++fi
++
++echo "Starting slapd provider on TCP/IP port $PORT1 and ${PORT2}..."
++$SLAPD -F $PDIR/slapd.d -h "$URI1 $SURI2" -d $LVL > $LOG1 2>&1 &
++PROVPID=$!
++if test $WAIT != 0 ; then
++	echo PROVPID $PROVPID
++	read foo
++fi
++KILLPIDS="$KILLPIDS $PROVPID"
++
++echo "Using ldapsearch to check that slapd is running..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
++		-D $MANAGERDN \
++		-w $PASSWD \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting $SLEEP0 seconds for slapd to start..."
++	sleep $SLEEP0
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $PROVPID
++	exit $RC
++fi
++
++#
++# Start slapd consumer
++#
++echo "Starting slapd consumer on TCP/IP port $PORT3 and ${PORT4}..."
++. $CONFFILTER $BACKEND < $ITSDIR/slapd-consumer.ldif > $CONF2
++$SLAPADD -F $CDIR/slapd.d -n 0 -l $CONF2
++$SLAPD -F $CDIR/slapd.d -h "$URI3 $SURI4" -d $LVL > $LOG2 2>&1 &
++CONSPID=$!
++if test $WAIT != 0 ; then
++	echo CONSPID $CONSPID
++	read foo
++fi
++KILLPIDS="$KILLPIDS $CONSPID"
++
++echo "Using ldapsearch to check that slapd is running..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI3 \
++		-D $MANAGERDN \
++		-w $PASSWD \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting $SLEEP0 seconds for slapd to start..."
++	sleep $SLEEP0
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPWHOAMI -H $URI3 -x -D "cn=replicator,dc=example,dc=com" -w secret >/dev/null
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Sleeping $SLEEP1 seconds for replication of pwdLastSuccess attribute..."
++sleep $SLEEP1
++
++$LDAPSEARCH -H $URI3 -D "$MANAGERDN" -w $PASSWD -b "$BASEDN" "(cn=replicator)" pwdLastSuccess > $SEARCHOUT 2>&1
++PWDLASTSUCCESS=`grep "pwdLastSuccess:" $SEARCHOUT | wc -l`
++
++if test $PWDLASTSUCCESS != 1 ; then
++	echo "Failure: pwdLastSuccess failed to replicate"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++echo "Reconfiguring for ACL bind test..."
++$LDAPMODIFY -H $URI3 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
++dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
++changetype: modify
++replace: olcDbIDAssertBind
++olcDbIDAssertBind: mode=self flags=override,prescriptive,proxy-authz-critical 
++ bindmethod=sasl saslmech=external tls_cert=$TESTDIR/tls/certs/ldap-server.crt 
++ tls_key=$TESTDIR/tls/private/ldap-server.key 
++ tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt
++-
++add: olcDbACLBind
++olcDbACLBind: bindmethod=sasl saslmech=external tls_cert=$TESTDIR/tls/certs/ldap-server.crt 
++ tls_key=$TESTDIR/tls/private/ldap-server.key 
++ tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt 
++ authzid="dn:cn=manager,dc=example,dc=com"
++EOF
++
++RC=$?
++if test $RC != 0; then
++        echo "ldapmodify failed ($RC)!"
++        test $KILLSERVERS != no && kill -HUP $KILLPIDS
++        exit $RC
++fi
++
++echo "Stopping consumer to test recovery..."
++kill -HUP $CONSPID
++wait $CONSPID
++
++KILLPIDS="$PROVPID"
++
++echo "Starting slapd consumer on TCP/IP port $PORT3 and ${PORT4}..."
++$SLAPD -F $CDIR/slapd.d -h "$URI3 $SURI4" -d $LVL > $LOG2 2>&1 &
++CONSPID=$!
++if test $WAIT != 0 ; then
++	echo CONSPID $CONSPID
++	read foo
++fi
++KILLPIDS="$KILLPIDS $CONSPID"
++
++echo "Using ldapsearch to check that slapd is running..."
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI3 \
++		-D $MANAGERDN \
++		-w $PASSWD \
++		'objectclass=*' > /dev/null 2>&1
++	RC=$?
++	if test $RC = 0 ; then
++		break
++	fi
++	echo "Waiting $SLEEP0 seconds for slapd to start..."
++	sleep $SLEEP0
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPMODIFY -H $URI1 -D "$MANAGERDN" -w $PASSWD -e \!relax <<EOF >>$TESTOUT 2>&1
++dn: cn=replicator,dc=example,dc=com
++changetype: modify
++delete: pwdLastSuccess
++EOF
++
++RC=$?
++if test $RC != 0; then
++        echo "ldapmodify failed ($RC)!"
++        test $KILLSERVERS != no && kill -HUP $KILLPIDS
++        exit $RC
++fi
++
++echo "Sleeping $SLEEP1 seconds for replication of delete for pwdLastSuccess attribute..."
++sleep $SLEEP1
++
++$LDAPSEARCH -H $URI3 -D "$MANAGERDN" -w $PASSWD -b "$BASEDN" "(cn=replicator)" pwdLastSuccess > $SEARCHOUT 2>&1
++PWDLASTSUCCESS=`grep "pwdLastSuccess:" $SEARCHOUT | wc -l`
++
++if test $PWDLASTSUCCESS != 0 ; then
++	echo "Failure: pwdLastSuccess failed to delete"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++$LDAPWHOAMI -H $URI3 -x -D "cn=replicator,dc=example,dc=com" -w secret >/dev/null
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami failed ($RC)!"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo "Sleeping $SLEEP1 seconds for replication of pwdLastSuccess attribute..."
++sleep $SLEEP1
++
++$LDAPSEARCH -H $URI3 -D "$MANAGERDN" -w $PASSWD -b "$BASEDN" "(cn=replicator)" pwdLastSuccess > $SEARCHOUT 2>&1
++PWDLASTSUCCESS=`grep "pwdLastSuccess:" $SEARCHOUT | wc -l`
++
++if test $PWDLASTSUCCESS != 1 ; then
++	echo "Failure: pwdLastSuccess failed to replicate"
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit 1
++fi
++
++USER="uid=test,ou=people,dc=example,dc=com"
++echo "Changing password for $USER to test proxied user modifications work..."
++$LDAPPASSWD -H $URI3 \
++    -w secret -s secret \
++    -D "$USER" >> $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++    echo "ldappasswd failed ($RC)!"
++    test $KILLSERVERS != no && kill -HUP $KILLPIDS
++    exit $RC
++fi
++
++echo "Changing cn for $USER to test disallowed proxied user modifications should fail..."
++$LDAPMODIFY -H $URI3 -D "$USER" -w $PASSWD <<EOF >>$TESTOUT 2>&1
++dn: $USER
++changetype: modify
++replace: cn
++cn: blahblahblah
++EOF
++
++RC=$?
++if test $RC != 50; then
++        echo "ldapmodify should have failed with result code 50, got ($RC)!"
++        test $KILLSERVERS != no && kill -HUP $KILLPIDS
++        exit $RC
++fi
++
++test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
++
++echo ">>>>> Test succeeded"
++
++test $KILLSERVERS != no && wait
++
++exit 0
+diff --git a/tests/data/regressions/its9863/slapd-consumer.ldif b/tests/data/regressions/its9863/slapd-consumer.ldif
+new file mode 100644
+index 000000000..8f7b0fd84
+--- /dev/null
++++ b/tests/data/regressions/its9863/slapd-consumer.ldif
+@@ -0,0 +1,154 @@
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcLogLevel: Sync
++olcLogLevel: Stats
++olcTLSCACertificateFile: @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++olcTLSCertificateKeyFile: @TESTDIR@/tls/private/localhost.key
++olcTLSCertificateFile: @TESTDIR@/tls/certs/localhost.crt
++olcTLSVerifyClient: hard
++olcIndexHash64: TRUE
++olcAuthzPolicy: to
++olcAuthzRegexp: {0}"cn=ldap-server,ou=OpenLDAP Test Suite,o=OpenLDAP Foundation,ST=CA,C=US" "cn=ldap-server,dc=example,dc=com"
++olcPidFile: @TESTDIR@/slapd.2.pid
++olcArgsFile: @TESTDIR@/slapd.2.args
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://@TESTWD@/@SCHEMADIR@/core.ldif
++include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif
++include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif
++include: file://@TESTWD@/@SCHEMADIR@/misc.ldif
++include: file://@TESTWD@/@SCHEMADIR@/nis.ldif
++
++#mod#dn: cn=module{0},cn=config
++#mod#objectClass: olcModuleList
++#mod#cn: module{0}
++#mod#olcModulePath: @TESTWD@/../servers/slapd/back-@BACKEND@/
++#mod#olcModuleLoad: {0}back_@BACKEND@.la
++
++#mod#dn: cn=module{1},cn=config
++#mod#objectClass: olcModuleList
++#mod#cn: module{1}
++#mod#olcModulePath: @TESTWD@/../servers/slapd/back-ldap/
++#mod#olcModuleLoad: {0}back_ldap.la
++
++dn: cn=module{2},cn=config
++objectClass: olcModuleList
++cn: module{2}
++olcModulePath: @TESTWD@/../servers/slapd/overlays
++olcModuleLoad: {0}syncprov.la
++olcModuleLoad: {1}unique.la
++olcModuleLoad: {2}constraint.la
++
++#mdb#dn: olcBackend={0}mdb,cn=config
++#mdb#objectClass: olcBackendConfig
++#mdb#objectClass: olcMdbBkConfig
++#mdb#olcBackend: {0}mdb
++#mdb#olcBkMdbIdlExp: 18
++
++dn: olcDatabase={-1}frontend,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olcFrontendConfig
++olcDatabase: {-1}frontend
++olcAccess: {0}to dn.base=""  by * read
++olcAccess: {1}to dn.base="cn=Subschema"  by * read
++
++dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcChainConfig
++olcOverlay: {0}chain
++olcChainCacheURI: FALSE
++olcChainMaxReferralDepth: 1
++olcChainReturnError: TRUE
++
++dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
++objectClass: olcLDAPConfig
++objectClass: olcChainDatabase
++olcDatabase: {0}ldap
++olcDbIDAssertBind: mode=self flags=override,prescriptive,proxy-authz-critical 
++ bindmethod=sasl saslmech=external tls_cert=@TESTDIR@/tls/certs/ldap-server.crt 
++ tls_key=@TESTDIR@/tls/private/ldap-server.key 
++ tls_cacert=@TESTDIR@/tls/ca/certs/testsuiteCA.crt 
++ authzid="dn:cn=manager,dc=example,dc=com"
++olcDbRebindAsUser: TRUE
++olcDbChaseReferrals: TRUE
++olcDbProxyWhoAmI: FALSE
++olcDbProtocolVersion: 3
++olcDbSingleConn: FALSE
++olcDbCancel: abandon
++olcDbUseTemporaryConn: FALSE
++olcDbConnectionPoolMax: 8
++olcDbSessionTrackingRequest: TRUE
++olcDbNoRefs: FALSE
++olcDbNoUndefFilter: FALSE
++olcDbURI: @SURIP2@
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://@TESTDIR@/configpw
++olcAccess: {0}to *  by * none
++
++dn: olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olc@BACKEND@Config
++olcDatabase: {1}@BACKEND@
++olcSuffix: dc=example,dc=com
++olcRootDN: cn=manager,dc=example,dc=com
++olcRootPW: secret
++olcLastBindPrecision: 3600
++olcLastBind: TRUE
++#~null~#olcDbDirectory: @TESTDIR@/cons/db
++#indexdb#olcDbIndex: default eq
++#indexdb#olcDbIndex: objectClass
++#indexdb#olcDbIndex: cn
++#indexdb#olcDbIndex: entryUUID
++#indexdb#olcDbIndex: entryCSN
++#indexdb#olcDbIndex: mail
++#indexdb#olcDbIndex: uid
++#indexdb#olcDbIndex: uidNumber
++#indexdb#olcDbIndex: gidNumber
++#mdb#olcDbMaxSize: 33554432
++#mdb#olcDbMultival: default 100,10
++olcLimits: {0}dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited 
++  time.hard=unlimited size.soft=unlimited size.hard=unlimited
++olcAccess: {0}to attrs=userPassword  by self write  by dn.exact="cn=replicator,dc=example,dc=com" read  by anonymous auth
++olcAccess: {1}to attrs=authzto  by dn.exact="cn=replicator,dc=example,dc=com" read  by * auth
++olcAccess: {2}to *  by * read
++olcSyncrepl: {0}rid=100 provider=@SURIP2@ bindmethod=sasl 
++ saslmech=external authzid="dn:cn=replicator,dc=example,dc=com" 
++ searchbase="dc=example,dc=com" 
++ type=refreshAndPersist keepalive=60:5:2 retry="5 6 60 +" 
++ tls_cert=@TESTDIR@/tls/certs/ldap-server.crt 
++ tls_key=@TESTDIR@/tls/private/ldap-server.key 
++ tls_cacert=@TESTDIR@/tls/ca/certs/testsuiteCA.crt 
++ timeout=3
++olcUpdateRef: @SURIP2@
++
++dn: olcOverlay={0}syncprov,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: {0}syncprov
++olcSpCheckpoint: 20 10
++
++dn: olcOverlay={1}unique,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcUniqueConfig
++olcOverlay: {1}unique
++olcUniqueURI: ldap:///?uid?sub?
++olcUniqueURI: ldap:///?uidNumber?sub?
++olcUniqueURI: ldap:///?mail?sub?
++
++dn: olcOverlay={2}constraint,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcConstraintConfig
++olcOverlay: {2}constraint
++olcConstraintAttribute: gidNumber regex ^[0-9]{4,5}$
++
++dn: olcDatabase={2}monitor,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {2}monitor
++olcAccess: {0}to dn.subtree="cn=monitor"  by * read
+diff --git a/tests/data/regressions/its9863/slapd-provider.ldif b/tests/data/regressions/its9863/slapd-provider.ldif
+new file mode 100644
+index 000000000..aeeac571e
+--- /dev/null
++++ b/tests/data/regressions/its9863/slapd-provider.ldif
+@@ -0,0 +1,117 @@
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcLogLevel: Sync
++olcLogLevel: Stats
++olcTLSCACertificateFile: @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++olcTLSCertificateKeyFile: @TESTDIR@/tls/private/localhost.key
++olcTLSCertificateFile: @TESTDIR@/tls/certs/localhost.crt
++olcTLSVerifyClient: hard
++olcIndexHash64: TRUE
++olcAuthzPolicy: to
++olcAuthzRegexp: {0}"cn=ldap-server,ou=OpenLDAP Test Suite,o=OpenLDAP Foundation,ST=CA,C=US" "cn=ldap-server,dc=example,dc=com"
++olcPidFile: @TESTDIR@/slapd.1.pid
++olcArgsFile: @TESTDIR@/slapd.1.args
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://@TESTWD@/@SCHEMADIR@/core.ldif
++include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif
++include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif
++include: file://@TESTWD@/@SCHEMADIR@/misc.ldif
++include: file://@TESTWD@/@SCHEMADIR@/nis.ldif
++
++#mod#dn: cn=module{0},cn=config
++#mod#objectClass: olcModuleList
++#mod#cn: module{0}
++#mod#olcModulePath: @TESTWD@/../servers/slapd/back-@BACKEND@/
++#mod#olcModuleLoad: {0}back_@BACKEND@.la
++
++dn: cn=module{1},cn=config
++objectClass: olcModuleList
++cn: module{1}
++olcModulePath: @TESTWD@/../servers/slapd/overlays
++olcModuleLoad: {0}syncprov.la
++olcModuleLoad: {1}auditlog.la
++olcModuleLoad: {2}unique.la
++olcModuleLoad: {3}constraint.la
++
++#mdb#dn: olcBackend={0}mdb,cn=config
++#mdb#objectClass: olcBackendConfig
++#mdb#objectClass: olcMdbBkConfig
++#mdb#olcBackend: {0}mdb
++#mdb#olcBkMdbIdlExp: 18
++
++dn: olcDatabase={-1}frontend,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olcFrontendConfig
++olcDatabase: {-1}frontend
++olcAccess: {0}to dn.base=""  by * read
++olcAccess: {1}to dn.base="cn=Subschema"  by * read
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://@TESTDIR@/configpw
++olcAccess: {0}to *  by * none
++
++dn: olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcDatabaseConfig
++objectClass: olc@BACKEND@Config
++olcDatabase: {1}@BACKEND@
++olcSuffix: dc=example,dc=com
++olcRootDN: cn=Manager,dc=example,dc=com
++olcRootPW: secret
++olcLastBindPrecision: 3600
++olcLastBind: FALSE
++olcLimits: {0}dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited
++  time.hard=unlimited size.soft=unlimited size.hard=unlimited
++olcAccess: {0}to attrs=userPassword  by self write  by dn.exact="cn=replicator,dc=example,dc=com" read  by anonymous auth
++olcAccess: {1}to attrs=authzto  by dn.exact="cn=replicator,dc=example,dc=com" read  by * auth
++olcAccess: {2}to *  by * read
++#~null~#olcDbDirectory: @TESTDIR@/prov/db
++#indexdb#olcDbIndex: default eq
++#indexdb#olcDbIndex: objectClass
++#indexdb#olcDbIndex: cn
++#indexdb#olcDbIndex: entryUUID
++#indexdb#olcDbIndex: entryCSN
++#indexdb#olcDbIndex: mail
++#indexdb#olcDbIndex: uid
++#indexdb#olcDbIndex: uidNumber
++#indexdb#olcDbIndex: gidNumber
++#mdb#olcDbMaxSize: 33554432
++#mdb#olcDbMultival: default 100,10
++
++dn: olcOverlay={0}syncprov,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcSyncProvConfig
++olcOverlay: {0}syncprov
++olcSpCheckpoint: 20 10
++olcSpSessionlog: 150000
++
++dn: olcOverlay={1}auditlog,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcAuditlogConfig
++olcOverlay: {1}auditlog
++olcAuditlogFile: @TESTDIR@/audit.log
++
++dn: olcOverlay={2}unique,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcUniqueConfig
++olcOverlay: {2}unique
++olcUniqueURI: ldap:///?uid?sub?
++olcUniqueURI: ldap:///?uidNumber?sub?
++olcUniqueURI: ldap:///?mail?sub?
++
++dn: olcOverlay={3}constraint,olcDatabase={1}@BACKEND@,cn=config
++objectClass: olcOverlayConfig
++objectClass: olcConstraintConfig
++olcOverlay: {3}constraint
++olcConstraintAttribute: gidNumber regex ^[0-9]{4,5}$
++
++dn: olcDatabase={2}monitor,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {2}monitor
++olcAccess: {0}to dn.subtree="cn=monitor"  by * read
+diff --git a/tests/data/tls/certs/ldap-server.crt b/tests/data/tls/certs/ldap-server.crt
+new file mode 100644
+index 000000000..ead23b9f1
+--- /dev/null
++++ b/tests/data/tls/certs/ldap-server.crt
+@@ -0,0 +1,32 @@
++-----BEGIN CERTIFICATE-----
++MIIFhzCCA2+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMjIwNjI3MjE1MDE2WhgPMjUyMzA3
++MTEyMTUwMTZaMGwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
++T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
++ZTEUMBIGA1UEAwwLbGRhcC1zZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
++ggIKAoICAQDgxEKurztQjO6n/4YV+VY0D1VH2E24TtfIWsAzwD0jnFCELVYreRaC
++WX4E6Bj/lXn1j/sMNBd7JidukgRqyx+AtTAtbmmOfZVzZZcNc65DuL/41Yviitvg
++nIiJcRjYEzVIeb5ixtvfEKhlREWS2TncBdK9U3yvr10z9xe2LvY1514r9Gf9u0Qn
++BNuogZDcs2w17ZmI9hzGcLWkE/6FBofIaiI779YcYb2dA9HFiKb9/CdJYY5pioUG
++CbTGKYINkDCblLEFV5j2mLosV6ueE6q6liK1fi+62LEOkPvieEMQBMIJaw2YrKD5
++TiGRJ67Ji97blifwG4JNSJLGxqZxQZNRruQOOjNjS/AgtWDmY+krmRAjfJiM7lhA
++BrlxLOTZKciEUmSbpvT0PPwBF90dOU9clQyOESQjkZEZeRdjQOapuzhJqlEI8rUD
++UiGKT0FeGLIQasvuGdKxZKm3DckI5/ABYP6byXJPGwAZMHcGeCznaUwreaQ4v9UZ
++5SyrIsRQbO6wMx6NIfPlvJyubeiTf8I/soO3VJfjyvuHWPd55R00gTNN9EXeaJUh
++8SBG+QClJ1NTt8/jN+ci6koTCi4/DynMZiKa5PwBHlayrtP8+sl4LsIispnWxUiO
++x7Xbco7ciXsrdm/FZVnugDiDF/pmW1nqcGVMXaf3L1QLPVrV0pOi7wIDAQABo0gw
++RjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SH
++BH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggIBAAcVPBdG
++rNC9ttlri4Ane9i+1Q6UGdbuXwBS+RQsfkmKY6ayHL+sWEeX7MinBiAmEEGkmYYw
++Ns4MLDldLqjQKITb5pCf+tIdVeCF7YpmC752grWmpQuvgOxvvxyrwSlt76X5OTAy
++ho8tl/bs0rbEmFUWR/FEBWIYNbYArYYgQjWyrZxyMjTzZSUO+tuXFV1bk8qM7bn0
++P9EcDyhtQrsOAXem/CDhWfwMLOGihb3Bw61n+dpypR/9Jaue10K9fsiIYcar+lHY
++QD4WEn5mH0wO2ExuGObyk3Vhs9cL7cVi4gSMH9yFbHG1hKUiOnZgj6FPIAlVz4Md
++LhkOdm7C6fkvhElvtHQPKOTSNqvDVwuHi2GeESg6LAY/IUhNqdK++KRsRRVLtMBe
++fFp34trd2q1VXa379rl5NCoV290nSNgpx6m9BUq3sZpjdo/dLZCwrN24IAN4okNN
++EE5h/7F5uSopkZYmwYjRYoEWig8UNtqqidYxVo60p372tBwgHb/U9FkUS0L91XKS
++xwPnlS9Hice7TgauQHtNO6E8Un960r0uhsO/+cW16/3A2WZWT91WLpTV3y4ALLBX
++H7qxCGvGoZgzE7uXQCtaZqaZuaciVe2Z2JTP+7IeiGZI/eKA3UVSiduBWLR+SbzI
++RxokaAYxcjCWjN6Hgp4RR1DCBZmNNKNzlwlZ
++-----END CERTIFICATE-----
+diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
+index 739f8eaf1..7c05093c4 100755
+--- a/tests/data/tls/create-crt.sh
++++ b/tests/data/tls/create-crt.sh
+@@ -8,9 +8,10 @@ fi
+ KEY_BITS=4096
+ KEY_TYPE=rsa:$KEY_BITS
+ 
+-USAGE="$0 [-s] [-u <user@domain.com>]"
++USAGE="$0 [-s] [-l] [-u <user@domain.com>]"
+ SERVER=0
+ USER=0
++LDAP_USER=0
+ EMAIL=
+ 
+ while test $# -gt 0 ; do
+@@ -26,6 +27,9 @@ while test $# -gt 0 ; do
+ 			USER=1;
+ 			EMAIL="$2";
+ 			shift; shift;;
++		-l | -ldap)
++			LDAP_USER=1;
++			shift;;
+ 		-)
+ 			shift;;
+ 		-*)
+@@ -36,23 +40,40 @@ while test $# -gt 0 ; do
+ 	esac
+ done
+ 
+-if [ $SERVER = 0 -a $USER = 0 ]; then
++if [ $SERVER = 0 -a $USER = 0 -a $LDAP_USER = 0 ]; then
+ 	echo "$USAGE";
+ 	exit 1;
+ fi
+ 
+-rm -rf ./openssl.cnf cruft
+-mkdir -p private certs cruft/private cruft/certs
++cleanup() {
++
++	rm -rf ./openssl.cnf cruft
++	if [ $SERVER = 1 ]; then
++		rm -f localhost.csr
++	fi
++	if [ $USER = 1 ]; then
++		rm -f $EMAIL.csr
++	fi
++	if [ $LDAP_USER = 1 ]; then
++		rm -f ldap-server.csr
++	fi
++
++}
++
++setup() {
++	mkdir -p private certs cruft/private cruft/certs
+ 
+-echo "00" > cruft/serial
+-touch cruft/index.txt
+-touch cruft/index.txt.attr
+-hn=$(hostname -f)
+-sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf >  ./openssl.cnf
++	echo "00" > cruft/serial
++	touch cruft/index.txt
++	touch cruft/index.txt.attr
++	hn=$(hostname -f)
++	sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf >  ./openssl.cnf
++}
+ 
+ if [ $SERVER = 1 ]; then
+-	rm -rf private/localhost.key certs/localhost.crt
+ 
++	$(cleanup)
++	$(setup)
+ 	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
+ 		-newkey $KEY_TYPE -config ./openssl.cnf \
+ 		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
+@@ -62,11 +83,12 @@ if [ $SERVER = 1 ]; then
+ 		-keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \
+ 		-batch >/dev/null 2>&1
+ 
+-	rm -rf ./openssl.cnf ./localhost.csr cruft
+ fi
+ 
+ if [ $USER = 1 ]; then
+-	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
++
++	$(cleanup)
++	$(setup)
+ 
+ 	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
+ 		-newkey $KEY_TYPE -config ./openssl.cnf \
+@@ -77,5 +99,21 @@ if [ $USER = 1 ]; then
+ 		-keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \
+ 		-cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1
+ 
+-	rm -rf ./openssl.cnf ./$EMAIL.csr cruft
+ fi
++
++if [ $LDAP_USER = 1 ]; then
++
++	$(cleanup)
++	$(setup)
++
++	$openssl req -new -nodes -out ldap-server.csr -keyout private/ldap-server.key \
++		-newkey $KEY_TYPE -config ./openssl.cnf \
++		-subj "/CN=ldap-server/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
++		-batch > /dev/null 2>&1
++
++	$openssl ca -out certs/ldap-server.crt -notext -config ./openssl.cnf -days 183000 -in ldap-server.csr \
++		-keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \
++		-batch >/dev/null 2>&1
++fi
++
++$(cleanup)
+diff --git a/tests/data/tls/private/ldap-server.key b/tests/data/tls/private/ldap-server.key
+new file mode 100644
+index 000000000..3dbe24f3e
+--- /dev/null
++++ b/tests/data/tls/private/ldap-server.key
+@@ -0,0 +1,52 @@
++-----BEGIN PRIVATE KEY-----
++MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDgxEKurztQjO6n
++/4YV+VY0D1VH2E24TtfIWsAzwD0jnFCELVYreRaCWX4E6Bj/lXn1j/sMNBd7Jidu
++kgRqyx+AtTAtbmmOfZVzZZcNc65DuL/41YviitvgnIiJcRjYEzVIeb5ixtvfEKhl
++REWS2TncBdK9U3yvr10z9xe2LvY1514r9Gf9u0QnBNuogZDcs2w17ZmI9hzGcLWk
++E/6FBofIaiI779YcYb2dA9HFiKb9/CdJYY5pioUGCbTGKYINkDCblLEFV5j2mLos
++V6ueE6q6liK1fi+62LEOkPvieEMQBMIJaw2YrKD5TiGRJ67Ji97blifwG4JNSJLG
++xqZxQZNRruQOOjNjS/AgtWDmY+krmRAjfJiM7lhABrlxLOTZKciEUmSbpvT0PPwB
++F90dOU9clQyOESQjkZEZeRdjQOapuzhJqlEI8rUDUiGKT0FeGLIQasvuGdKxZKm3
++DckI5/ABYP6byXJPGwAZMHcGeCznaUwreaQ4v9UZ5SyrIsRQbO6wMx6NIfPlvJyu
++beiTf8I/soO3VJfjyvuHWPd55R00gTNN9EXeaJUh8SBG+QClJ1NTt8/jN+ci6koT
++Ci4/DynMZiKa5PwBHlayrtP8+sl4LsIispnWxUiOx7Xbco7ciXsrdm/FZVnugDiD
++F/pmW1nqcGVMXaf3L1QLPVrV0pOi7wIDAQABAoICAGjz+9cpx96jEEWuEWRtWw1Q
++I5g6rn/jgOrzRVBk8aeRNB+kM9p03kfblfagkhu2Jo69vpJCOLyuYjdFQ37CfmFR
++Ob/dELkSdxi9VT1YyQSiXjHJNVqBUI6fSTo0b09mGLlQ78+b38tXMeqnaH1bpaLR
++rUfulghLMJA1TwMpBprBAL4xj+Vw7i/yGseiSIxl05+S5OCJW4Jl2stU8sIW/Ixe
++0sF+ClKSaUHKKMe+OYvblFS1kxRBNEBPg/QMKcg/jhL36Xj/IFP1mOlfvqk/sbcS
++p/5rf8oVqQeON6/WTCpMrnZLYLvrz/bZvt7S0tEV2OhcQyXhEoUX4EGlPM8hubHI
++bIZ01RCMXQudnt+5PLpuA7yCw65JOY9pRjrLcnBtV3iZphLc1RAdFfg5BU3a4ncP
++unpwWxOihROeWtyJDz5767Pnu7mSMjgmWG3ua4raOCSrDL8zlSmMCTt5z65S2qfK
++7VwUBJiRykxkWJdE8zY8wjbF5EpJ/ID9zJqMSlOavonpG239DDZpDV9TA/sOf2zd
++KOoi7g+PVnzTXP5z1VhGON1LCWI6k6sPrpy+P0nYbZBML+YMnT1QufgT2D7UbCuH
++IQsa+fT6xwZsYkwljWGhwilqt2btDIimVASijuoFsq4wPykiijyNgCcy4dJ856/7
++3P/Wh29G2bxWZafK2pVBAoIBAQD5/2qbcfFEp25A6FAnNrqCznvcF3mcPHksICt5
++/uo22H2nuNxewtUKy316NrmfcnwbcHImi6rMdg6gaS3RxOytMlrOUGbTeb9RzDnP
++xR7g9kHDRAbHTPd9R+20wJxLh8zwEgfuAfN3SF6oGda9u+tXpEwfCHdYby2sam1F
++CzQPODNMdknY+fa25OVzkysqLJ/+a9Pg9O/prdoJP0I1qfw4kC8osZ56gbd1wbS9
++1vRZm3HAgHYqFvW10ESoWoHpR1yPE6oeF8IX4EdDV+bOMRZ+z4RptdcliYllwCUm
++/Ab1HusqBaOsGDIiqvsscQ5IhBYgjmkmJmGVYf5amMcNEgPxAoIBAQDmKcOU425e
++gXcfGxEB/AKsXXDDFd8hHyJmCY2PlekPv8ZG1O85rIjAES7Qruodu7u7d3M+sHbI
++R0+upfyEIYZaA3VUorYu3CW69kOB90aMP/2s0p8xSqxbxcZPjbOlYiSRI2V793BI
++QlfIBFkw/iIy8k/zxW5D/SU8+nRmxovvidgjQyHE3f9f5kKs6J9XdE0ZFUSCV2RE
++TMn0vQENS6rCqb/yym491UN4hyPiJ25iWBeOrGGONlpcr6xNg1dRZLAGmlc4YqYU
++5r21INToeIhgXEOpo4VADL0dUu3FKTlKb+19Rjt5nhkfueVA1seyPwJgOj0EA7PU
++7iioc2dsqXTfAoIBAQCL7l5ysb11Sy5YYHB08ppFG2SS1gT44ZSFkWAkgf4BQv5a
++ggu/ctiimTIb1UPjLsau6SrLzoOEvFQFj7nY35wGedgAAVr85fmjxGdbl59oFg7L
++SGlu5vLkif1Qnjsdv96DReRwYWEwlC5/cy8StnvNa6Y7/JYoxtpO1qdg7RtvpWp5
++UwCU1Z011DtmjKqtiZroYtyO3yrmpqwTXvglZ4dI9dOfuIPXWIIjBJCxbf8JpQtv
++z7fUaVOROAkmHrr2oz34y+39uBipGp1o4WvMYAeSZX9dWC4b0bc5X+qrvof6bhr9
++Q3jQnB577y52OrXe+ygTgwLyGqumXNptRXStKTdRAoIBAA5gwYUFiBmDQOvChxd2
++pLwbwjWNojixdzakliFIHh0Lv9kg6CjULF7DNAd5RcrBtYKKfbqGz4THX6TrXZDr
++fzcUTDoTSAo5WmoJhEIULmYIgVJQff1YStgYzMCfe39zWBFxAp/x3yPEcTNfgirb
++VUuVc4Uo6jB5GeBrTOY2tPsrw0LAqNVhgNh+y999UKbn7wEIIRV7XBogKeWOAQjR
++l0M9023ZU3WtYt+eoZE5IV4nXqFdB2MY5iAwITVeZRACmDRxY81z7CgWGfe8q1Ay
++Z2KNoPRx8JsFsLKqQYw1fQy3XUCcKI76X1tqA3Y/dI4f/YgBW1pq2MsObZ/IRce1
++9kUCggEAHvDh4YlD24SKn+2vRrBNp47eG9fn9zd3dfY9k9eeG7rOP6vKS/AKdFGc
++GCllEcC/Woi5DWq5Umx16OsgQpREssQ3hEUjuNOYyuDL27E4D8KjQROGdhQw+itx
++IzEPnTytpSqEFu+eypDInTA/cTVxojM3U3k1qL+ercwztlMEH63fCK4+aHWjw62B
++1fQ+8bYnWP5sp599dly8+NrOEZ4kCCNrqL9MOB7CbFYhl0UihuRueaBTMvt9YwS1
++LF+mKHPZcvPkdzpR3pwDfV2ixyUmqRIG8VCREW8y05WU3HYcXM2uApln2DMtY6Pm
++g7XvX+klu0IVdEI/JQfstyDExiM7cA==
++-----END PRIVATE KEY-----
+diff --git a/tests/run.in b/tests/run.in
+index 4c51f54be..f6723af17 100644
+--- a/tests/run.in
++++ b/tests/run.in
+@@ -45,6 +45,7 @@ AC_wt=@BUILD_WT@
+ # overlays
+ AC_accesslog=accesslog@BUILD_ACCESSLOG@
+ AC_argon2=argon2@BUILD_PW_ARGON2@
++AC_auditlog=auditlog@BUILD_AUDITLOG@
+ AC_autoca=autoca@BUILD_AUTOCA@
+ AC_constraint=constraint@BUILD_CONSTRAINT@
+ AC_dds=dds@BUILD_DDS@
+@@ -83,7 +84,7 @@ if test "${AC_asyncmeta}" = "asyncmetamod" && test "${AC_LIBS_DYNAMIC}" = "stati
+ 	AC_meta="asyncmetano"
+ fi
+ export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_perl AC_relay AC_sql \
+-	AC_accesslog AC_argon2 AC_autoca AC_constraint AC_dds AC_deref AC_dynlist \
++	AC_accesslog AC_argon2 AC_auditlog AC_autoca AC_constraint AC_dds AC_deref AC_dynlist \
+ 	AC_homedir AC_memberof AC_otp AC_pcache AC_ppolicy AC_refint AC_remoteauth \
+ 	AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
+ 	AC_valsort \
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 82514dfe8..670dea373 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -43,6 +43,7 @@ BACKSQL=${AC_sql-sqlno}
+ # overlays
+ ACCESSLOG=${AC_accesslog-accesslogno}
+ ARGON2=${AC_argon2-argon2no}
++AUDITLOG=${AC_auditlog-auditlogno}
+ AUTOCA=${AC_autoca-autocano}
+ CONSTRAINT=${AC_constraint-constraintno}
+ DDS=${AC_dds-ddsno}
+-- 
+2.33.0
+

backport-ITS-9864-slapo-accesslog-plug-onetime-memleaks.patch

@@ -0,0 +1,25 @@
+From 95f959e2155420cdd274a9fc1f75011a075d11fc Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Jun 2022 16:10:59 +0100
+Subject: [PATCH] ITS#9864 slapo-accesslog: plug onetime memleaks
+
+---
+ servers/slapd/overlays/accesslog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/servers/slapd/overlays/accesslog.c b/servers/slapd/overlays/accesslog.c
+index 49a36df59..5418a66e3 100644
+--- a/servers/slapd/overlays/accesslog.c
++++ b/servers/slapd/overlays/accesslog.c
+@@ -2448,6 +2450,8 @@ accesslog_db_destroy(
+ 		ch_free( li->li_sids );
+ 	if ( li->li_mincsn )
+ 		ber_bvarray_free( li->li_mincsn );
++	if ( li->li_db_suffix.bv_val )
++		ch_free( li->li_db_suffix.bv_val );
+ 	ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
+ 	ldap_pvt_thread_mutex_destroy( &li->li_op_rmutex );
+ 	free( li );
+-- 
+2.33.0
+

backport-ITS-9866-delta-sync-fix-DN-leak-on-Adds.patch

@@ -0,0 +1,52 @@
+From 14972a7ae1142cccdad6db3ac50ecc47d0ecfa91 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Jun 2022 21:32:07 +0100
+Subject: [PATCH] ITS#9866 delta-sync: fix DN leak on Adds
+
+---
+ servers/slapd/syncrepl.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
+index 7707a8945..32e351738 100644
+--- a/servers/slapd/syncrepl.c
++++ b/servers/slapd/syncrepl.c
+@@ -3114,10 +3114,8 @@ syncrepl_message_to_op(
+ 				ch_free( bvals );
+ 				goto done;
+ 			}
+-			ber_dupbv( &op->o_req_dn, &dn );
+-			ber_dupbv( &op->o_req_ndn, &ndn );
+-			slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
+-			slap_sl_free( dn.bv_val, op->o_tmpmemctx );
++			op->o_req_dn = dn;
++			op->o_req_ndn = ndn;
+ 			freeReqDn = 1;
+ 		} else if ( !ber_bvstrcasecmp( &bv, &ls->ls_req ) ) {
+ 			int i = verb_to_mask( bvals[0].bv_val, modops );
+@@ -3227,9 +3225,8 @@ syncrepl_message_to_op(
+ 		if ( op->o_tag == LDAP_REQ_ADD ) {
+ 			Entry *e = entry_alloc();
+ 			op->ora_e = e;
+-			op->ora_e->e_name = op->o_req_dn;
+-			op->ora_e->e_nname = op->o_req_ndn;
+-			freeReqDn = 0;
++			ber_dupbv( &op->ora_e->e_name, &op->o_req_dn );
++			ber_dupbv( &op->ora_e->e_nname, &op->o_req_ndn );
+ 			rc = slap_mods2entry( modlist, &op->ora_e, 1, 0, &text, txtbuf, textlen);
+ 			if( rc != LDAP_SUCCESS ) {
+ 				Debug( LDAP_DEBUG_ANY, "syncrepl_message_to_op: %s "
+@@ -3373,8 +3370,8 @@ done:
+ 		op->o_tmpfree( op->orr_nnewDN.bv_val, op->o_tmpmemctx );
+ 	}
+ 	if ( freeReqDn ) {
+-		ch_free( op->o_req_ndn.bv_val );
+-		ch_free( op->o_req_dn.bv_val );
++		op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
++		op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
+ 	}
+ 	ber_free( ber, 0 );
+ 	return rc;
+-- 
+2.33.0
+

backport-ITS-9867-syncprov-plug-findbase-memleak.patch

@@ -0,0 +1,43 @@
+From 745a71b18d8da9b48509169dc2f27cc1f05912a6 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Jun 2022 21:36:24 +0100
+Subject: [PATCH] ITS#9867 syncprov: plug findbase memleak
+
+---
+ servers/slapd/overlays/syncprov.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index d1d3b1c10..499988662 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -3155,6 +3155,8 @@ syncprov_op_search( Operation *op, SlapReply *rs )
+ 			 */
+ 			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
+ 			if ( slapd_shutdown ) {
++aband:
++				ch_free( sop->s_base.bv_val );
+ 				ch_free( sop );
+ 				return SLAPD_ABANDON;
+ 			}
+@@ -3164,8 +3166,7 @@ syncprov_op_search( Operation *op, SlapReply *rs )
+ 		}
+ 		if ( op->o_abandon ) {
+ 			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
+-			ch_free( sop );
+-			return SLAPD_ABANDON;
++			goto aband;
+ 		}
+ 		ldap_pvt_thread_mutex_init( &sop->s_mutex );
+ 		sop->s_next = si->si_ops;
+@@ -3294,6 +3295,7 @@ bailout:
+ 						sp = &(*sp)->s_next;
+ 					*sp = sop->s_next;
+ 					ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
++					ch_free( sop->s_base.bv_val );
+ 					ch_free( sop );
+ 				}
+ 				rs->sr_ctrls = NULL;
+-- 
+2.33.0
+

backport-ITS-9867-syncprov-plug-onetime-leak.patch

@@ -0,0 +1,26 @@
+From d64f85e161081a61b1f46963f104b10080096df6 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Jun 2022 22:14:41 +0100
+Subject: [PATCH] ITS#9867 syncprov: plug onetime leak
+
+Since 43ebfa8fb42 ITS#6467
+---
+ servers/slapd/overlays/syncprov.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 499988662..4b6358fdd 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -4131,6 +4131,8 @@ syncprov_db_destroy(
+ 			ber_bvarray_free( si->si_ctxcsn );
+ 		if ( si->si_sids )
+ 			ch_free( si->si_sids );
++		if ( si->si_logbase.bv_val )
++			ch_free( si->si_logbase.bv_val );
+ 		ldap_pvt_thread_mutex_destroy( &si->si_resp_mutex );
+ 		ldap_pvt_thread_mutex_destroy( &si->si_mods_mutex );
+ 		ldap_pvt_thread_mutex_destroy( &si->si_ops_mutex );
+-- 
+2.33.0
+

backport-ITS-9868-Fixup-pending_csn_list-for-backglue.patch

@@ -0,0 +1,262 @@
+From 0d1db3c2b161b21beefc3d82622cfeb98fa95152 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 18 Jun 2022 16:36:00 +0100
+Subject: [PATCH] ITS#9868 Fixup pending_csn_list for backglue
+
+Define in a new structure and point to it for more flexible access
+---
+ servers/slapd/backend.c              | 31 ++++++++++++----------------
+ servers/slapd/backglue.c             |  1 +
+ servers/slapd/ctxcsn.c               | 28 ++++++++++++-------------
+ servers/slapd/frontend.c             |  2 +-
+ servers/slapd/overlays/pcache.c      |  1 -
+ servers/slapd/overlays/translucent.c |  2 +-
+ servers/slapd/slap.h                 | 12 ++++++++---
+ 7 files changed, 39 insertions(+), 38 deletions(-)
+
+diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
+index 24a82f399..57cf1fe2d 100644
+--- a/servers/slapd/backend.c
++++ b/servers/slapd/backend.c
+@@ -199,10 +199,7 @@ int backend_startup_one(Backend *be, ConfigReply *cr)
+ 
+ 	assert( be != NULL );
+ 
+-	be->be_pending_csn_list = (struct be_pcl *)
+-		ch_calloc( 1, sizeof( struct be_pcl ) );
+-
+-	LDAP_TAILQ_INIT( be->be_pending_csn_list );
++	LDAP_TAILQ_INIT( &be->be_pcsn_st.be_pcsn_list );
+ 
+ 	Debug( LDAP_DEBUG_TRACE,
+ 		"backend_startup_one: starting \"%s\"\n",
+@@ -433,18 +430,15 @@ int backend_shutdown( Backend *be )
+ void
+ backend_stopdown_one( BackendDB *bd )
+ {
+-	if ( bd->be_pending_csn_list ) {
+-		struct slap_csn_entry *csne;
+-		csne = LDAP_TAILQ_FIRST( bd->be_pending_csn_list );
+-		while ( csne ) {
+-			struct slap_csn_entry *tmp_csne = csne;
++	struct slap_csn_entry *csne;
++	csne = LDAP_TAILQ_FIRST( &bd->be_pcsn_st.be_pcsn_list );
++	while ( csne ) {
++		struct slap_csn_entry *tmp_csne = csne;
+ 
+-			LDAP_TAILQ_REMOVE( bd->be_pending_csn_list, csne, ce_csn_link );
+-			ch_free( csne->ce_csn.bv_val );
+-			csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
+-			ch_free( tmp_csne );
+-		}
+-		ch_free( bd->be_pending_csn_list );
++		LDAP_TAILQ_REMOVE( &bd->be_pcsn_st.be_pcsn_list, csne, ce_csn_link );
++		ch_free( csne->ce_csn.bv_val );
++		csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
++		ch_free( tmp_csne );
+ 	}
+ 
+ 	if ( bd->bd_info->bi_db_destroy ) {
+@@ -487,7 +481,7 @@ void backend_destroy_one( BackendDB *bd, int dynamic )
+ 		ber_bvarray_free( bd->be_update_refs );
+ 	}
+ 
+-	ldap_pvt_thread_mutex_destroy( &bd->be_pcl_mutex );
++	ldap_pvt_thread_mutex_destroy( &bd->be_pcsn_st.be_pcsn_mutex );
+ 
+ 	if ( dynamic ) {
+ 		free( bd );
+@@ -624,7 +618,8 @@ backend_db_init(
+ 	be->be_requires = frontendDB->be_requires;
+ 	be->be_ssf_set = frontendDB->be_ssf_set;
+ 
+-	ldap_pvt_thread_mutex_init( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_init( &be->be_pcsn_st.be_pcsn_mutex );
++	be->be_pcsn_p = &be->be_pcsn_st;
+ 
+  	/* assign a default depth limit for alias deref */
+ 	be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; 
+@@ -638,7 +633,7 @@ backend_db_init(
+ 		/* If we created and linked this be, remove it and free it */
+ 		if ( !b0 ) {
+ 			LDAP_STAILQ_REMOVE(&backendDB, be, BackendDB, be_next);
+-			ldap_pvt_thread_mutex_destroy( &be->be_pcl_mutex );
++			ldap_pvt_thread_mutex_destroy( &be->be_pcsn_st.be_pcsn_mutex );
+ 			ch_free( be );
+ 			be = NULL;
+ 			nbackends--;
+diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
+index e7db4ff2d..6f8d3324b 100644
+--- a/servers/slapd/backglue.c
++++ b/servers/slapd/backglue.c
+@@ -1440,6 +1440,7 @@ glue_sub_attach( int online )
+ 				&gi->gi_n[gi->gi_nodes].gn_pdn );
+ 			gi->gi_nodes++;
+ 			on->on_bi.bi_private = gi;
++			ga->ga_be->be_pcsn_p = be->be_pcsn_p;
+ 			ga->ga_be->be_flags |= SLAP_DBFLAG_GLUE_LINKED;
+ 			break;
+ 		}
+diff --git a/servers/slapd/ctxcsn.c b/servers/slapd/ctxcsn.c
+index 55da64956..a8f73c319 100644
+--- a/servers/slapd/ctxcsn.c
++++ b/servers/slapd/ctxcsn.c
+@@ -54,9 +54,9 @@ slap_get_commit_csn(
+ 		sid = slap_parse_csn_sid( &op->o_csn );
+ 	}
+ 
+-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
+ 
+-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
+ 		if ( csne->ce_op == op ) {
+ 			csne->ce_state = SLAP_CSN_COMMIT;
+ 			if ( foundit ) *foundit = 1;
+@@ -64,7 +64,7 @@ slap_get_commit_csn(
+ 		}
+ 	}
+ 
+-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
+ 		if ( sid != -1 && sid == csne->ce_sid ) {
+ 			if ( csne->ce_state == SLAP_CSN_COMMIT ) committed_csne = csne;
+ 			if ( csne->ce_state == SLAP_CSN_PENDING ) break;
+@@ -82,7 +82,7 @@ slap_get_commit_csn(
+ 			maxcsn->bv_val[0] = 0;
+ 		}
+ 	}
+-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
+ 
+ void
+@@ -91,16 +91,16 @@ slap_rewind_commit_csn( Operation *op )
+ 	struct slap_csn_entry *csne;
+ 	BackendDB *be = op->o_bd->bd_self;
+ 
+-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
+ 
+-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
+ 		if ( csne->ce_op == op ) {
+ 			csne->ce_state = SLAP_CSN_PENDING;
+ 			break;
+ 		}
+ 	}
+ 
+-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
+ 
+ void
+@@ -113,11 +113,11 @@ slap_graduate_commit_csn( Operation *op )
+ 	if ( op->o_bd == NULL ) return;
+ 	be = op->o_bd->bd_self;
+ 
+-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
+ 
+-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
++	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
+ 		if ( csne->ce_op == op ) {
+-			LDAP_TAILQ_REMOVE( be->be_pending_csn_list,
++			LDAP_TAILQ_REMOVE( &be->be_pcsn_p->be_pcsn_list,
+ 				csne, ce_csn_link );
+ 			Debug( LDAP_DEBUG_SYNC, "slap_graduate_commit_csn: removing %p %s\n",
+ 				csne, csne->ce_csn.bv_val );
+@@ -130,7 +130,7 @@ slap_graduate_commit_csn( Operation *op )
+ 		}
+ 	}
+ 
+-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ 
+ 	return;
+ }
+@@ -194,10 +194,10 @@ slap_queue_csn(
+ 	pending->ce_op = op;
+ 	pending->ce_state = SLAP_CSN_PENDING;
+ 
+-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
+-	LDAP_TAILQ_INSERT_TAIL( be->be_pending_csn_list,
++	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
++	LDAP_TAILQ_INSERT_TAIL( &be->be_pcsn_p->be_pcsn_list,
+ 		pending, ce_csn_link );
+-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
++	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
+ }
+ 
+ int
+diff --git a/servers/slapd/frontend.c b/servers/slapd/frontend.c
+index c773f49c4..d0ca419ab 100644
+--- a/servers/slapd/frontend.c
++++ b/servers/slapd/frontend.c
+@@ -108,7 +108,7 @@ frontend_init( void )
+ 	frontendDB->be_def_limit.lms_s_pr_hide = 0;			/* don't hide number of entries left */
+ 	frontendDB->be_def_limit.lms_s_pr_total = 0;			/* number of total entries returned by pagedResults equal to hard limit */
+ 
+-	ldap_pvt_thread_mutex_init( &frontendDB->be_pcl_mutex );
++	ldap_pvt_thread_mutex_init( &frontendDB->be_pcsn_st.be_pcsn_mutex );
+ 
+ 	/* suffix */
+ 	frontendDB->be_suffix = ch_calloc( 2, sizeof( struct berval ) );
+diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c
+index fcf29c60b..423c19641 100644
+--- a/servers/slapd/overlays/pcache.c
++++ b/servers/slapd/overlays/pcache.c
+@@ -4540,7 +4540,6 @@ pcache_db_init(
+ 	SLAP_DBFLAGS(&cm->db) |= SLAP_DBFLAG_NO_SCHEMA_CHECK;
+ 	cm->db.be_private = NULL;
+ 	cm->db.bd_self = &cm->db;
+-	cm->db.be_pending_csn_list = NULL;
+ 	cm->qm = qm;
+ 	cm->numattrsets = 0;
+ 	cm->num_entries_limit = 5;
+diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c
+index d0402fe14..2cd18a350 100644
+--- a/servers/slapd/overlays/translucent.c
++++ b/servers/slapd/overlays/translucent.c
+@@ -1440,7 +1440,7 @@ translucent_db_destroy( BackendDB *be, ConfigReply *cr )
+ 			backend_stopdown_one( &ov->db );
+ 		}
+ 
+-		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcl_mutex );
++		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcsn_st.be_pcsn_mutex );
+ 		ch_free(ov);
+ 		on->on_bi.bi_private = NULL;
+ 	}
+diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
+index fee283f37..4a7a3f06b 100644
+--- a/servers/slapd/slap.h
++++ b/servers/slapd/slap.h
+@@ -1790,7 +1790,13 @@ struct sync_cookie {
+ 
+ LDAP_STAILQ_HEAD( slap_sync_cookie_s, sync_cookie );
+ 
+-LDAP_TAILQ_HEAD( be_pcl, slap_csn_entry );
++/* Defs for pending_csn_list */
++LDAP_TAILQ_HEAD( be_pclh, slap_csn_entry );
++
++typedef struct be_pcsn {
++	struct be_pclh			be_pcsn_list;
++	ldap_pvt_thread_mutex_t	be_pcsn_mutex;
++} be_pcsn;
+ 
+ #ifndef SLAP_MAX_CIDS
+ #define	SLAP_MAX_CIDS	32	/* Maximum number of supported controls */
+@@ -1999,8 +2005,8 @@ struct BackendDB {
+ 	/* Consumer Information */
+ 	struct berval be_update_ndn;	/* allowed to make changes (in replicas) */
+ 	BerVarray	be_update_refs;	/* where to refer modifying clients to */
+-	struct		be_pcl	*be_pending_csn_list;
+-	ldap_pvt_thread_mutex_t					be_pcl_mutex;
++	be_pcsn	be_pcsn_st;			/* be_pending_csn_list now inside this */
++	be_pcsn	*be_pcsn_p;
+ 	struct syncinfo_s						*be_syncinfo; /* For syncrepl */
+ 
+ 	void    *be_pb;         /* Netscape plugin */
+-- 
+2.33.0
+

backport-ITS-9868-also-fixup-glue_sub_del.patch

@@ -0,0 +1,28 @@
+From fbe844f814e853184f5fb877da48a294f8bd874e Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 22 Jun 2022 14:50:58 +0100
+Subject: [PATCH] ITS#9868 also fixup glue_sub_del()
+
+---
+ servers/slapd/backglue.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
+index 6f8d3324b..3183f2f46 100644
+--- a/servers/slapd/backglue.c
++++ b/servers/slapd/backglue.c
+@@ -1381,6 +1381,11 @@ glue_sub_del( BackendDB *b0 )
+ 				gi->gi_nodes--;
+ 			}
+ 		}
++		/* Mark as no longer linked/sub */
++		b0->be_flags &= ~(SLAP_DBFLAG_GLUE_SUBORDINATE|SLAP_DBFLAG_GLUE_LINKED|
++			SLAP_DBFLAG_GLUE_ADVERTISE);
++		b0->be_pcsn_p = &b0->be_pcsn_st;
++		break;
+ 	}
+ 	if ( be == NULL )
+ 		rc = LDAP_NO_SUCH_OBJECT;
+-- 
+2.33.0
+

backport-ITS-9871-slapo-ppolicy-use-explicit-backend-in-bind_.patch

@@ -0,0 +1,105 @@
+From 4e3687cda37b8ed0c6b377d32b6e25dc1b07a735 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 24 Jun 2022 16:49:45 +0100
+Subject: [PATCH] ITS#9871 slapo-ppolicy: use explicit backend in bind_response
+
+---
+ servers/slapd/overlays/ppolicy.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+index 1815837aa..7913f35c0 100644
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -1656,7 +1656,8 @@ free_pwd_history_list( pw_hist **l )
+ }
+ 
+ typedef struct ppbind {
+-	slap_overinst *on;
++	pp_info *pi;
++	BackendDB *be;
+ 	int send_ctrl;
+ 	int set_restrict;
+ 	LDAPControl **oldctrls;
+@@ -1706,8 +1707,7 @@ static int
+ ppolicy_bind_response( Operation *op, SlapReply *rs )
+ {
+ 	ppbind *ppb = op->o_callback->sc_private;
+-	slap_overinst *on = ppb->on;
+-	pp_info *pi = on->on_bi.bi_private;
++	pp_info *pi = ppb->pi;
+ 	Modifications *mod = ppb->mod, *m;
+ 	int pwExpired = 0;
+ 	int ngut = -1, warn = -1, fc = 0, age, rc;
+@@ -1718,7 +1718,7 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
+ 	char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
+ 	char nowstr_usec[ LDAP_LUTIL_GENTIME_BUFSIZE+8 ];
+ 	struct berval timestamp, timestamp_usec;
+-	BackendInfo *bi = op->o_bd->bd_info;
++	BackendDB *be = op->o_bd;
+ 	LDAPControl *ctrl = NULL;
+ 	Entry *e;
+ 
+@@ -1728,9 +1728,9 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
+ 		goto locked;
+ 	}
+ 
+-	op->o_bd->bd_info = (BackendInfo *)on->on_info;
++	op->o_bd = ppb->be;
+ 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
+-	op->o_bd->bd_info = bi;
++	op->o_bd = be;
+ 
+ 	if ( rc != LDAP_SUCCESS ) {
+ 		ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
+@@ -2032,8 +2032,9 @@ check_expiring_password:
+ 	}
+ 
+ done:
+-	op->o_bd->bd_info = (BackendInfo *)on->on_info;
++	op->o_bd = ppb->be;
+ 	be_entry_release_r( op, e );
++	op->o_bd = be;
+ 
+ locked:
+ 	if ( mod && !pi->disable_write ) {
+@@ -2072,7 +2073,7 @@ locked:
+ 				op2.orm_no_opattrs = 1;
+ 				op2.o_dont_replicate = 1;
+ 			}
+-			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
++			op2.o_bd = ppb->be;
+ 		}
+ 		rc = op2.o_bd->be_modify( &op2, &r2 );
+ 		if ( rc != LDAP_SUCCESS ) {
+@@ -2103,7 +2104,6 @@ locked:
+ 		ppb->oldctrls = add_passcontrol( op, rs, ctrl );
+ 		op->o_callback->sc_cleanup = ppolicy_ctrls_cleanup;
+ 	}
+-	op->o_bd->bd_info = bi;
+ 	ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
+ 	return SLAP_CB_CONTINUE;
+ }
+@@ -2136,7 +2136,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
+ 		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
+ 			1, op->o_tmpmemctx );
+ 		ppb = (ppbind *)(cb+1);
+-		ppb->on = on;
++		ppb->pi = on->on_bi.bi_private;
++		ppb->be = op->o_bd->bd_self;
+ 		ppb->pErr = PP_noError;
+ 		ppb->set_restrict = 1;
+ 
+@@ -2426,7 +2427,8 @@ ppolicy_compare(
+ 		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
+ 			1, op->o_tmpmemctx );
+ 		ppb = (ppbind *)(cb+1);
+-		ppb->on = on;
++		ppb->pi = on->on_bi.bi_private;
++		ppb->be = op->o_bd->bd_self;
+ 		ppb->pErr = PP_noError;
+ 		ppb->send_ctrl = 1;
+ 		/* failures here don't lockout the connection */
+-- 
+2.33.0
+

backport-ITS-9876-Coverity-fixes-plug-memleaks.patch

@@ -0,0 +1,137 @@
+From 78618653c23168b0cc143eca54264191fa5a8bd6 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 5 Jul 2022 03:49:34 +0100
+Subject: [PATCH] ITS#9876 Coverity fixes: plug memleaks
+
+---
+ libraries/libldap/deref.c |  1 +
+ libraries/libldap/ldif.c  |  3 ++-
+ libraries/libldap/turn.c  | 12 ++++++------
+ libraries/libldap/txn.c   | 12 ++++++------
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c
+index 801954eb9..7d3471ad3 100644
+--- a/libraries/libldap/deref.c
++++ b/libraries/libldap/deref.c
+@@ -193,6 +193,7 @@ ldap_parse_derefresponse_control(
+ 		dr = LDAP_CALLOC( 1, sizeof(LDAPDerefRes) );
+ 		if ( dr == NULL ) {
+ 			ldap_derefresponse_free( drhead );
++			ber_free( ber, 1 );
+ 			*drp2 = NULL;
+ 			ld->ld_errno = LDAP_NO_MEMORY;
+ 			return ld->ld_errno;
+diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
+index 900a97960..57e44f8c7 100644
+--- a/libraries/libldap/ldif.c
++++ b/libraries/libldap/ldif.c
+@@ -729,7 +729,8 @@ ldif_open(
+ 	if ( fp ) {
+ 		lfp = ber_memalloc( sizeof( LDIFFP ));
+ 		if ( lfp == NULL ) {
+-		    return NULL;
++			fclose( fp );
++			return NULL;
+ 		}
+ 		lfp->fp = fp;
+ 		lfp->prev = NULL;
+diff --git a/libraries/libldap/turn.c b/libraries/libldap/turn.c
+index 565b449af..7725f01d0 100644
+--- a/libraries/libldap/turn.c
++++ b/libraries/libldap/turn.c
+@@ -44,7 +44,7 @@ ldap_turn(
+ {
+ #ifdef LDAP_EXOP_X_TURN
+ 	BerElement *turnvalber = NULL;
+-	struct berval *turnvalp = NULL;
++	struct berval turnval;
+ 	int rc;
+ 
+ 	turnvalber = ber_alloc_t( LBER_USE_DER );
+@@ -53,10 +53,10 @@ ldap_turn(
+ 	} else {
+ 		ber_printf( turnvalber, "{s}", identifier );
+ 	}
+-	ber_flatten( turnvalber, &turnvalp );
++	ber_flatten2( turnvalber, &turnval, 0 );
+ 
+ 	rc = ldap_extended_operation( ld, LDAP_EXOP_X_TURN,
+-			turnvalp, sctrls, cctrls, msgidp );
++			&turnval, sctrls, cctrls, msgidp );
+ 	ber_free( turnvalber, 1 );
+ 	return rc;
+ #else
+@@ -74,7 +74,7 @@ ldap_turn_s(
+ {
+ #ifdef LDAP_EXOP_X_TURN
+ 	BerElement *turnvalber = NULL;
+-	struct berval *turnvalp = NULL;
++	struct berval turnval;
+ 	int rc;
+ 
+ 	turnvalber = ber_alloc_t( LBER_USE_DER );
+@@ -83,10 +83,10 @@ ldap_turn_s(
+ 	} else {
+ 		ber_printf( turnvalber, "{s}", identifier );
+ 	}
+-	ber_flatten( turnvalber, &turnvalp );
++	ber_flatten2( turnvalber, &turnval, 0 );
+ 
+ 	rc = ldap_extended_operation_s( ld, LDAP_EXOP_X_TURN,
+-			turnvalp, sctrls, cctrls, NULL, NULL );
++			&turnval, sctrls, cctrls, NULL, NULL );
+ 	ber_free( turnvalber, 1 );
+ 	return rc;
+ #else
+diff --git a/libraries/libldap/txn.c b/libraries/libldap/txn.c
+index 66b22e873..640900234 100644
+--- a/libraries/libldap/txn.c
++++ b/libraries/libldap/txn.c
+@@ -68,7 +68,7 @@ ldap_txn_end(
+ {
+ 	int rc;
+ 	BerElement *txnber = NULL;
+-	struct berval *txnval = NULL;
++	struct berval txnval;
+ 
+ 	assert( txnid != NULL );
+ 
+@@ -80,10 +80,10 @@ ldap_txn_end(
+ 		ber_printf( txnber, "{bON}", commit, txnid );
+ 	}
+ 
+-	ber_flatten( txnber, &txnval );
++	ber_flatten2( txnber, &txnval, 0 );
+ 
+ 	rc = ldap_extended_operation( ld, LDAP_EXOP_TXN_END,
+-		txnval, sctrls, cctrls, msgidp );
++		&txnval, sctrls, cctrls, msgidp );
+ 
+ 	ber_free( txnber, 1 );
+ 	return rc;
+@@ -100,7 +100,7 @@ ldap_txn_end_s(
+ {
+ 	int rc;
+ 	BerElement *txnber = NULL;
+-	struct berval *txnval = NULL;
++	struct berval txnval;
+ 	struct berval *retdata = NULL;
+ 
+ 	if ( retidp != NULL ) *retidp = -1;
+@@ -113,10 +113,10 @@ ldap_txn_end_s(
+ 		ber_printf( txnber, "{bON}", commit, txnid );
+ 	}
+ 
+-	ber_flatten( txnber, &txnval );
++	ber_flatten2( txnber, &txnval, 0 );
+ 
+ 	rc = ldap_extended_operation_s( ld, LDAP_EXOP_TXN_END,
+-		txnval, sctrls, cctrls, NULL, &retdata );
++		&txnval, sctrls, cctrls, NULL, &retdata );
+ 
+ 	ber_free( txnber, 1 );
+ 
+-- 
+2.33.0
+

backport-ITS-9876-Some-more-leaks-plugged.patch

@@ -0,0 +1,81 @@
+From c07e961d40942635ef4b6e75e8da8b101865c148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 7 Jul 2022 16:42:10 +0100
+Subject: [PATCH] ITS#9876 Some more leaks plugged
+
+---
+ clients/tools/ldapsearch.c |  7 ++++---
+ libraries/libldap/deref.c  | 15 ++++-----------
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
+index a0ca0d79f..02b49bd1c 100644
+--- a/clients/tools/ldapsearch.c
++++ b/clients/tools/ldapsearch.c
+@@ -1866,12 +1866,13 @@ again:
+ 			if ( ldapsync && sync_slimit != -1 &&
+ 					nresponses_psearch >= sync_slimit ) {
+ 				BerElement *msgidber = NULL;
+-				struct berval *msgidvalp = NULL;
++				struct berval msgidval;
+ 				msgidber = ber_alloc_t(LBER_USE_DER);
+ 				ber_printf(msgidber, "{i}", msgid);
+-				ber_flatten(msgidber, &msgidvalp);
++				ber_flatten2( msgidber, &msgidval, 0 );
+ 				ldap_extended_operation(ld, LDAP_EXOP_CANCEL,
+-					msgidvalp, NULL, NULL, &cancel_msgid);
++					&msgidval, NULL, NULL, &cancel_msgid);
++				ber_free( msgidber, 1 );
+ 				nresponses_psearch = -1;
+ 			}
+ 		}
+diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c
+index 7d3471ad3..f187a9fd4 100644
+--- a/libraries/libldap/deref.c
++++ b/libraries/libldap/deref.c
+@@ -160,7 +160,8 @@ ldap_parse_derefresponse_control(
+ 	LDAPControl	*ctrl,
+ 	LDAPDerefRes	**drp2 )
+ {
+-	BerElement *ber;
++	BerElementBuffer berbuf;
++	BerElement *ber = (BerElement *)&berbuf;
+ 	ber_tag_t tag;
+ 	ber_len_t len;
+ 	char *last;
+@@ -172,13 +173,8 @@ ldap_parse_derefresponse_control(
+ 		return LDAP_PARAM_ERROR;
+ 	}
+ 
+-	/* Create a BerElement from the berval returned in the control. */
+-	ber = ber_init( &ctrl->ldctl_value );
+-
+-	if ( ber == NULL ) {
+-		ld->ld_errno = LDAP_NO_MEMORY;
+-		return ld->ld_errno;
+-	}
++	/* Set up a BerElement from the berval returned in the control. */
++	ber_init2( ber, &ctrl->ldctl_value, 0 );
+ 
+ 	/* Extract the count and cookie from the control. */
+ 	drp = &drhead;
+@@ -193,7 +189,6 @@ ldap_parse_derefresponse_control(
+ 		dr = LDAP_CALLOC( 1, sizeof(LDAPDerefRes) );
+ 		if ( dr == NULL ) {
+ 			ldap_derefresponse_free( drhead );
+-			ber_free( ber, 1 );
+ 			*drp2 = NULL;
+ 			ld->ld_errno = LDAP_NO_MEMORY;
+ 			return ld->ld_errno;
+@@ -244,8 +239,6 @@ ldap_parse_derefresponse_control(
+ 	tag = 0;
+ 
+ done:;
+-        ber_free( ber, 1 );
+-
+ 	if ( tag == LBER_ERROR ) {
+ 		if ( drhead != NULL ) {
+ 			ldap_derefresponse_free( drhead );
+-- 
+2.33.0
+

backport-ITS-9882-bind-fix-9863-commit-use-correct-op-backend.patch

@@ -0,0 +1,26 @@
+From 4528bdb3f37f0e457850095ad7f003bc9853df68 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 11 Jul 2022 17:55:37 +0100
+Subject: [PATCH] ITS#9882 bind: fix #9863 commit, use correct op/backend for
+ mod
+
+---
+ servers/slapd/bind.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
+index 4b8eda69b..19598f11a 100644
+--- a/servers/slapd/bind.c
++++ b/servers/slapd/bind.c
+@@ -500,7 +500,7 @@ fe_op_lastbind( Operation *op )
+ 		}
+ 	}
+ 
+-	rc = op->o_bd->be_modify( &op2, &r2 );
++	rc = op2.o_bd->be_modify( &op2, &r2 );
+ 	slap_mods_free( m, 1 );
+ 
+ done:
+-- 
+2.33.0
+

backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch

@@ -0,0 +1,29 @@
+From 21abafcc9d040b0aa1cf7e47b76abc975e27dc68 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 9 Aug 2022 18:11:30 +0100
+Subject: [PATCH] ITS#9898 tests: fix slapd-addel non-std syntax
+
+Broken in f5bef58cae5e16d56c48b1efd55249fa7ce54cc6
+---
+ tests/progs/slapd-addel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/progs/slapd-addel.c b/tests/progs/slapd-addel.c
+index ca007ce3f..f67c1fbde 100644
+--- a/tests/progs/slapd-addel.c
++++ b/tests/progs/slapd-addel.c
+@@ -65,9 +65,9 @@ main( int argc, char **argv )
+ 	char *filename = NULL, *buf = NULL;
+ 	int		friendly = 0;
+ 	struct LDIFFP *fp;
+-	LDIFRecord	record = {};
++	LDIFRecord	record = {0};
+ 	struct tester_conn_args	*config;
+-	struct berval bv = {};
++	struct berval bv = {0};
+ 	unsigned long lineno = 0;
+ 
+ 	config = tester_init( "slapd-addel", TESTER_ADDEL );
+-- 
+2.33.0
+

backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch

@@ -0,0 +1,26 @@
+From ea8dd2d279c5aeaf9d4672a4e95bebd99babcce1 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 24 Aug 2022 14:40:51 +0100
+Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
+
+Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
+---
+ libraries/libldap/fetch.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
+index 9e426dc64..536871bcf 100644
+--- a/libraries/libldap/fetch.c
++++ b/libraries/libldap/fetch.c
+@@ -69,6 +69,8 @@ ldif_open_url(
+ 		}
+ 
+ 		p = ber_strdup( urlstr );
++		if ( p == NULL )
++			return NULL;
+ 
+ 		/* But we should convert to LDAP_DIRSEP before use */
+ 		if ( LDAP_DIRSEP[0] != '/' ) {
+-- 
+2.33.0
+

openldap.spec

@@ -2,7 +2,7 @@
 
 Name:           openldap
 Version:        2.6.0
-Release:        4
+Release:        5
 Summary:        LDAP support libraries
 License:        OLDAP-2.8
 URL:            https://www.openldap.org/
@@ -26,6 +26,45 @@ Patch7:         backport-check-password-makefile.patch
 Patch8:         backport-check-password.patch
 Patch9:         add-ber_sockbuf_io_udp-to-liber.map.patch
 Patch10:	backport-fix-cve-2022-29155.patch
+Patch6000:      backport-ITS-7165-back-mdb-check-for-stale-readers-on-MDB_REA.patch
+Patch6001:      backport-ITS-8039-Free-resinfo-even-if-opcookie-is-the-last-o.patch
+Patch6002:      backport-ITS-8245-Do-not-try-to-release-a-NULL-entry.patch
+Patch6003:      backport-ITS-9759-Honour-requested-insert-position-in-olcRetc.patch
+Patch6004:      backport-ITS-9763-Maintain-values-in-order-of-insertion.patch
+Patch6005:      backport-ITS-9763-Warn-for-unsupported-configs.patch
+Patch6006:      backport-ITS-9770-slapo-constraint-Maintain-values-in-order-o.patch
+Patch6007:      backport-ITS-9772-Allow-objectClass-edits-that-don-t-actually.patch
+Patch6008:      backport-ITS-9781-Relax-refcount-assertion-for-referrals.patch
+Patch6009:      backport-ITS-9799-Clear-c_n_ops_pending-after-we-ve-flushed-c.patch
+Patch6010:      backport-ITS-9799-Drop-a-bind-connection-if-there-s-a-timeout.patch
+Patch6011:      backport-ITS-9802-slapd-ldap-meta-async-meta-plug-memleak-in-.patch
+Patch6012:      backport-ITS-9802-slapd-meta-fix-rewrite-config-ordering.patch
+Patch6013:      backport-ITS-9802-slapd-meta-fix-rewrite-config-SEGV.patch
+Patch6014:      backport-ITS-9802-Fix-argv-handling.patch
+Patch6015:      backport-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch
+Patch6016:      backport-ITS-9809-pcache-mdb-fix-SEGV-in-monitor-shutdown.patch
+Patch6017:      backport-ITS-9811-Allow-newlines-at-end-of-included-file.patch
+Patch6018:      backport-ITS-9818-Duplicate-substring-filters-correctly.patch
+Patch6019:      backport-ITS-9823-Check-minCSN-when-setting-up-delta-log-repl.patch
+Patch6020:      backport-ITS-9823-Only-request-minCSN-if-accesslog-is-around.patch
+Patch6021:      backport-ITS-9831-Advance-connections-index-correctly.patch
+Patch6022:      backport-ITS-9858-back-mdb-delay-indexer-task-startup.patch
+Patch6023:      backport-ITS-9858-back-mdb-fix-index-reconfig.patch
+Patch6024:      backport-ITS-9863-Forward-lastbind-updates-if-configured.patch
+Patch6025:      backport-ITS-9863-Regression-test-case-for-pwdLastSuccess.patch
+Patch6026:      backport-ITS-9864-slapo-accesslog-plug-onetime-memleaks.patch
+Patch6027:      backport-ITS-9866-delta-sync-fix-DN-leak-on-Adds.patch
+Patch6028:      backport-ITS-9867-syncprov-plug-findbase-memleak.patch
+Patch6029:      backport-ITS-9867-syncprov-plug-onetime-leak.patch
+Patch6030:      backport-ITS-9868-also-fixup-glue_sub_del.patch
+Patch6031:      backport-ITS-9868-Fixup-pending_csn_list-for-backglue.patch
+Patch6032:      backport-ITS-9871-slapo-ppolicy-use-explicit-backend-in-bind_.patch
+Patch6033:      backport-ITS-9876-Coverity-fixes-plug-memleaks.patch
+Patch6034:      backport-ITS-9876-Some-more-leaks-plugged.patch
+Patch6035:      backport-ITS-9882-bind-fix-9863-commit-use-correct-op-backend.patch
+Patch6036:      backport-ITS-9898-tests-fix-slapd-addel-non-std-syntax.patch
+Patch6037:      backport-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
+
 
 BuildRequires:  cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
 BuildRequires:  glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
@@ -101,6 +140,45 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch9 -p1
 %patch10 -p1
 
+%patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1
+%patch6003 -p1
+%patch6004 -p1
+%patch6005 -p1
+%patch6006 -p1
+%patch6007 -p1
+%patch6008 -p1
+%patch6009 -p1
+%patch6010 -p1
+%patch6011 -p1
+%patch6012 -p1
+%patch6013 -p1
+%patch6014 -p1
+%patch6015 -p1
+%patch6016 -p1
+%patch6017 -p1
+%patch6018 -p1
+%patch6019 -p1
+%patch6020 -p1
+%patch6021 -p1
+%patch6022 -p1
+%patch6023 -p1
+%patch6024 -p1
+%patch6025 -p1
+%patch6026 -p1
+%patch6027 -p1
+%patch6028 -p1
+%patch6029 -p1
+%patch6030 -p1
+%patch6031 -p1
+%patch6032 -p1
+%patch6033 -p1
+%patch6034 -p1
+%patch6035 -p1
+%patch6036 -p1
+%patch6037 -p1
+
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
 ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
@@ -381,6 +459,9 @@ popd
 %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
 
 %changelog
+* Mon Nov 7 2022 zhujunhao <zhujunhao11@huawei.com> - 2.6.0-5
+- backport patch
+
 * Mon Jun 13 2022 Chenyx <chenyixiong3@huawei.com> - 2.6.0-4
 - License compliance rectification