diff -Nru openldap-2.5.12+dfsg/build/version.var openldap-2.5.13+dfsg/build/version.var
--- openldap-2.5.12+dfsg/build/version.var	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/build/version.var	2022-07-14 17:09:57.000000000 +0000
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=5
-ol_patch=12
-ol_api_inc=20512
+ol_patch=13
+ol_api_inc=20513
 ol_api_current=1
-ol_api_revision=7
+ol_api_revision=8
 ol_api_age=1
-ol_release_date="2022/05/04"
+ol_release_date="2022/07/14"
diff -Nru openldap-2.5.12+dfsg/CHANGES openldap-2.5.13+dfsg/CHANGES
--- openldap-2.5.12+dfsg/CHANGES	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/CHANGES	2022-07-14 17:09:57.000000000 +0000
@@ -1,5 +1,30 @@
 OpenLDAP 2.5 Change Log
 
+OpenLDAP 2.5.13 Release (2022/07/14)
+	Fixed librewrite declaration of calloc (ITS#9841)
+	Fixed libldap memory leaks (ITS#9876)
+	Fixed slapd kqueue support (ITS#9847)
+	Fixed slapd delta-sync DN leak on ADD ops (ITS#9866)
+	Fixed slapd replication with back-glue (ITS#9868)
+	Fixed slapd-mdb to check for stale readers on MDB_READERS_FULL (ITS#7165)
+	Fixed slapo-accesslog onetime memory leak (ITS#9864)
+	Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871)
+	Fixed slapo-syncprov memory leaks (ITS#9867)
+	Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823)
+	Fixed slapo-unique to not release NULL entry (ITS#8245)
+	Build Environment
+		Added slapd-watcher -c contextDN option (ITS#9865)
+		Fixed parallel builds (ITS#9840)
+		Fixed test020 to skip back-wt (ITS#9859)
+		Fixed slapd-watcher SID handling with single URI (ITS#9850)
+		Fixed test043 with workaround for ITS#9878
+	Contrib
+		Added slapo-emptyds contrib module (ITS#8882)
+		Fixed slapo-autogroup backwards compat (ITS#9020)
+	Documentation
+		Fixed ldap_get_option(3) to clarify ldap_get/set_option restrictions (ITS#9824)
+		Fixed slapd-ldap(5),slapd-meta(5) missing bold tag on authz parameter (ITS#9872)
+
 OpenLDAP 2.5.12 Release (2022/05/04)
 	Fixed libldap to drop connection when non-LDAP data is received (ITS#9803)
 	Fixed libldap to allow newlines at end of included file (ITS#9811)
diff -Nru openldap-2.5.12+dfsg/clients/tools/ldapsearch.c openldap-2.5.13+dfsg/clients/tools/ldapsearch.c
--- openldap-2.5.12+dfsg/clients/tools/ldapsearch.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/clients/tools/ldapsearch.c	2022-07-14 17:09:57.000000000 +0000
@@ -1866,12 +1866,13 @@
 			if ( ldapsync && sync_slimit != -1 &&
 					nresponses_psearch >= sync_slimit ) {
 				BerElement *msgidber = NULL;
-				struct berval *msgidvalp = NULL;
+				struct berval msgidval;
 				msgidber = ber_alloc_t(LBER_USE_DER);
 				ber_printf(msgidber, "{i}", msgid);
-				ber_flatten(msgidber, &msgidvalp);
+				ber_flatten2( msgidber, &msgidval, 0 );
 				ldap_extended_operation(ld, LDAP_EXOP_CANCEL,
-					msgidvalp, NULL, NULL, &cancel_msgid);
+					&msgidval, NULL, NULL, &cancel_msgid);
+				ber_free( msgidber, 1 );
 				nresponses_psearch = -1;
 			}
 		}
diff -Nru openldap-2.5.12+dfsg/configure openldap-2.5.13+dfsg/configure
--- openldap-2.5.12+dfsg/configure	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/configure	2022-07-14 17:09:57.000000000 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Id: 1c372d9fe8d80795909df859a01abd486462d0a2 .
+# From configure.ac Id: 15bca89511fc428731cf9ab71a9b46e37511be67 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.69.
 #
@@ -16316,6 +16316,13 @@
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
+$ac_includes_default
+#ifdef HAVE_SYS_EVENT_H
+#include <sys/event.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
 int main(int argc, char **argv)
 {
 	int kqfd = kqueue();
diff -Nru openldap-2.5.12+dfsg/configure.ac openldap-2.5.13+dfsg/configure.ac
--- openldap-2.5.12+dfsg/configure.ac	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/configure.ac	2022-07-14 17:09:57.000000000 +0000
@@ -25,7 +25,7 @@
 dnl Configure.in for OpenLDAP
 AC_COPYRIGHT([[Copyright 1998-2022 The OpenLDAP Foundation. All rights reserved.
 Restrictions apply, see COPYRIGHT and LICENSE files.]])
-AC_REVISION([$Id: 63b192fdc3ddaf2eabc322c60cd7066c9252e1d8 $])
+AC_REVISION([$Id: 15bca89511fc428731cf9ab71a9b46e37511be67 $])
 AC_INIT([OpenLDAP],,[https://bugs.openldap.org],,[https://www.openldap.org])
 AC_CONFIG_SRCDIR(build/version.sh)dnl
 dnl ----------------------------------------------------------------
@@ -1022,7 +1022,14 @@
 AC_CHECK_HEADERS( sys/event.h )
 if test "${ac_cv_header_sys_event_h}" = yes; then
 AC_MSG_CHECKING(for kqueue system call)
-AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv)
+AC_RUN_IFELSE([AC_LANG_SOURCE([[$ac_includes_default
+#ifdef HAVE_SYS_EVENT_H
+#include <sys/event.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+int main(int argc, char **argv)
 {
 	int kqfd = kqueue();
 	exit (kqfd == -1 ? 1 : 0);
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/autogroup/autogroup.c openldap-2.5.13+dfsg/contrib/slapd-modules/autogroup/autogroup.c
--- openldap-2.5.12+dfsg/contrib/slapd-modules/autogroup/autogroup.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/autogroup/autogroup.c	2022-07-14 17:09:57.000000000 +0000
@@ -1733,7 +1733,7 @@
 
 static ConfigOCs agocs[] = {
 	{ "( OLcfgCtOc:2.1 "
-		"NAME 'olcAutoGroupConfig' "
+		"NAME ( 'olcAutoGroupConfig' 'olcAutomaticGroups' ) "
 		"DESC 'Automatic groups configuration' "
 		"SUP olcOverlayConfig "
 		"MAY ( "
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/autogroup/slapo-autogroup.5 openldap-2.5.13+dfsg/contrib/slapd-modules/autogroup/slapo-autogroup.5
--- openldap-2.5.12+dfsg/contrib/slapd-modules/autogroup/slapo-autogroup.5	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/autogroup/slapo-autogroup.5	2022-07-14 17:09:57.000000000 +0000
@@ -93,10 +93,15 @@
 a consistent namespace as with other overlays. As a side-effect the
 following cn=config parameters are deprecated and will be removed in
 a future release:
+.IP \[bu] 2
 .B olcAGattrSet
 is replaced with olcAutoGroupAttrSet
+.IP \[bu]
 .B olcAGmemberOfAd
 is replaced with olcAutoGroupMemberOfAd
+.IP \[bu]
+.B olcAutomaticGroups
+is replaced with olcAutoGroupConfig
 .SH ACKNOWLEDGEMENTS
 This module was originally written in 2007 by Michał
 Szulczyński.  Further enhancements were contributed by Howard
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/emptyds.c openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/emptyds.c
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/emptyds.c	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/emptyds.c	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,325 @@
+/* emptyds.c */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2014-2022 The OpenLDAP Foundation.
+ * Portions Copyright (C) 2014 DAASI International GmbH, Tamim Ziai.
+ * Portions Copyright (C) 2022 Ondřej Kuzník, Symas Corporation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * http://www.OpenLDAP.org/license.html.
+ */
+/* ACKNOLEDGEDMENTS:
+ * This work was initially developed by Tamim Ziai of DAASI International GmbH
+ * for inclusion in OpenLDAP Software.
+ */
+/* slapo-emptyds
+ *
+ * This is an OpenLDAP overlay that accepts empty strings as attribute values
+ * without syntax violation but never actually stores them. This allows
+ * applications that used to work with LDAP implementations allowing empty
+ * strings (such as Novel eDirectory) to continue to work with OpenLDAP without
+ * any modifications. Add and modify change types will be proceeded as follows,
+ * other operations will be forwarded without modifications:
+ *
+ * changeType: add                  changeType: add
+ * sn: <empty>              -->     sn: blah
+ * sn: blah
+ *
+ * changeType: modify               changeType: modify
+ * add: sn                  -->     add: sn
+ * sn: <empty>                      sn: blah
+ * sn: blah
+ *
+ * changeType: modify               changeType: modify
+ * delete: sn               -->     delete: sn
+ * sn: <empty>                      sn: blah
+ * sn: blah
+ *
+ * changeType: modify               changeType: modify
+ * replace: sn              -->     replace: sn
+ * sn: <empty>
+ *
+ */
+
+#include "portable.h"
+#include "slap.h"
+
+static slap_overinst emptyds;
+
+static const char ds_oid[] = "1.3.6.1.4.1.1466.115.121.1.15";
+
+static slap_syntax_validate_func *ssyn_validate_original = NULL;
+static slap_syntax_transform_func *ssyn_pretty_original = NULL;
+static int emptyds_instances = 0;
+
+static unsigned int
+remove_empty_values( Modification *m, Attribute *a )
+{
+	BerVarray vals = m ? m->sm_values : a->a_vals,
+			  nvals = m ? m->sm_nvalues : a->a_nvals;
+	unsigned int i, j, numvals = m ? m->sm_numvals : a->a_numvals;
+
+	for ( i = 0; i < numvals && !BER_BVISEMPTY( &vals[i] ); i++ )
+		/* Find first empty */;
+
+	if ( i == numvals ) return i;
+
+	/*
+	 * We have an empty value at index i, move all of them to the end of the
+	 * list, preserving the order of non-empty values.
+	 */
+	j = i + 1;
+	for ( j = i + 1; j < numvals; j++ ) {
+		struct berval tmp;
+
+		if ( BER_BVISEMPTY( &vals[j] ) ) continue;
+
+		tmp = vals[i];
+		vals[i] = vals[j];
+		vals[j] = tmp;
+
+		if ( nvals && vals != nvals ) {
+			tmp = nvals[i];
+			nvals[i] = nvals[j];
+			nvals[j] = tmp;
+		}
+
+		if ( m && a && m->sm_values != a->a_vals ) {
+			tmp = a->a_vals[i];
+			a->a_vals[i] = a->a_vals[j];
+			a->a_vals[j] = tmp;
+
+			if ( a->a_nvals && a->a_vals != a->a_nvals ) {
+				tmp = a->a_nvals[i];
+				a->a_nvals[i] = a->a_nvals[j];
+				a->a_nvals[j] = tmp;
+			}
+		}
+		i++;
+	}
+
+	/* Free empty vals */
+	for ( ; j && i < j--; ) {
+		ber_memfree( vals[j].bv_val );
+		if ( nvals && vals != nvals ) {
+			ber_memfree( nvals[j].bv_val );
+			BER_BVZERO( &nvals[j] );
+		}
+
+		if ( m && a && m->sm_values != a->a_vals ) {
+			if ( m->sm_values[j].bv_val != a->a_vals[j].bv_val ) {
+				ber_memfree( a->a_vals[j].bv_val );
+				BER_BVZERO( &a->a_vals[j] );
+
+				if ( a->a_nvals && a->a_vals != a->a_nvals ) {
+					ber_memfree( a->a_nvals[j].bv_val );
+					BER_BVZERO( &a->a_nvals[j] );
+				}
+			}
+		}
+		BER_BVZERO( &vals[j] );
+	}
+
+	return i;
+}
+
+/**
+ *  Remove all operations with empty strings.
+ */
+static int
+emptyds_op_add( Operation *op, SlapReply *rs )
+{
+	Attribute **ap, **nexta, *a;
+	Modifications **mlp, **nextp = NULL, *ml;
+	Entry *e = op->ora_e;
+
+	/*
+	 * op->ora_modlist can be NULL, at least accesslog doesn't always populate
+	 * it on an add.
+	 */
+	for ( ap = &e->e_attrs, a = e->e_attrs, mlp = &op->ora_modlist,
+		  ml = op->ora_modlist;
+			a != NULL;
+			ap = nexta, a = *ap, mlp = nextp, ml = ml ? *mlp : NULL ) {
+		AttributeType *at = a->a_desc->ad_type;
+		unsigned int remaining;
+
+		nexta = &a->a_next;
+		if ( ml ) {
+			nextp = &ml->sml_next;
+		}
+
+		if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
+				at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
+			continue;
+
+		remaining = remove_empty_values( &ml->sml_mod, a );
+		if ( remaining == a->a_numvals ) continue;
+		/* Empty values found */
+
+		if ( !remaining ) {
+			/* All values are empty */
+			*ap = a->a_next;
+			a->a_next = NULL;
+			nexta = ap;
+
+			if ( ml ) {
+				*mlp = ml->sml_next;
+				ml->sml_next = NULL;
+				nextp = mlp;
+				/* Values are generally shared with attribute */
+				slap_mods_free( ml, ml->sml_values != a->a_vals );
+			}
+			attr_free( a );
+		} else {
+			a->a_numvals = remaining;
+			if ( ml ) {
+				ml->sml_mod.sm_numvals = remaining;
+			}
+		}
+	}
+
+	return SLAP_CB_CONTINUE;
+}
+
+static int
+emptyds_op_modify( Operation *op, SlapReply *rs )
+{
+	Modifications **mlp, **nextp, *ml;
+
+	for ( mlp = &op->orm_modlist, ml = op->orm_modlist; ml != NULL;
+			mlp = nextp, ml = *mlp ) {
+		AttributeType *at = ml->sml_desc->ad_type;
+		unsigned int remaining;
+
+		nextp = &ml->sml_next;
+
+		if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
+				at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
+			continue;
+
+		remaining = remove_empty_values( &ml->sml_mod, NULL );
+		if ( remaining == ml->sml_numvals ) continue;
+
+		if ( !remaining ) {
+			/* All values are empty */
+			if ( ml->sml_op == LDAP_MOD_REPLACE ) {
+				/* Replace is kept */
+				if ( ml->sml_nvalues && ml->sml_nvalues != ml->sml_values ) {
+					ber_bvarray_free( ml->sml_nvalues );
+				}
+				if ( ml->sml_values ) {
+					ber_bvarray_free( ml->sml_values );
+				}
+
+				ml->sml_numvals = 0;
+				ml->sml_values = NULL;
+				ml->sml_nvalues = NULL;
+			} else {
+				/* Remove modification */
+				*mlp = ml->sml_next;
+				ml->sml_next = NULL;
+				nextp = mlp;
+				slap_mods_free( ml, 1 );
+			}
+		} else {
+			ml->sml_numvals = remaining;
+		}
+	}
+
+	return SLAP_CB_CONTINUE;
+}
+
+static int
+emptyds_ssyn_validate( Syntax *syntax, struct berval *in )
+{
+	if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
+		return LDAP_SUCCESS;
+	}
+	return ssyn_validate_original( syntax, in );
+}
+
+static int
+emptyds_ssyn_pretty( Syntax *syntax,
+		struct berval *in,
+		struct berval *out,
+		void *memctx )
+{
+	if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
+		return LDAP_SUCCESS;
+	}
+	return ssyn_pretty_original( syntax, in, out, memctx );
+}
+
+static int
+emptyds_db_init( BackendDB *be, ConfigReply *cr )
+{
+	Syntax *syntax = syn_find( ds_oid );
+
+	if ( syntax == NULL ) {
+		Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
+				"Syntax %s not found\n",
+				ds_oid );
+	} else {
+		Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
+				"Found syntax: %s\n",
+				syntax->ssyn_bvoid.bv_val );
+		if ( ssyn_validate_original == NULL && syntax->ssyn_validate != NULL ) {
+			ssyn_validate_original = syntax->ssyn_validate;
+			syntax->ssyn_validate = emptyds_ssyn_validate;
+		}
+		if ( ssyn_pretty_original == NULL && syntax->ssyn_pretty != NULL ) {
+			ssyn_pretty_original = syntax->ssyn_pretty;
+			syntax->ssyn_pretty = &emptyds_ssyn_pretty;
+		}
+	}
+
+	emptyds_instances++;
+	return LDAP_SUCCESS;
+}
+
+static int
+emptyds_db_destroy( BackendDB *be, ConfigReply *cr )
+{
+	Syntax *syntax = syn_find( ds_oid );
+
+	if ( --emptyds_instances == 0 && syntax != NULL ) {
+		if ( syntax->ssyn_validate == emptyds_ssyn_validate ) {
+			syntax->ssyn_validate = ssyn_validate_original;
+		}
+		ssyn_validate_original = NULL;
+
+		if ( syntax->ssyn_pretty == emptyds_ssyn_pretty ) {
+			syntax->ssyn_pretty = ssyn_pretty_original;
+		}
+		ssyn_pretty_original = NULL;
+	}
+
+	assert( emptyds_instances >= 0 );
+	return LDAP_SUCCESS;
+}
+
+int
+emptyds_init()
+{
+	emptyds.on_bi.bi_type = "emptyds";
+	emptyds.on_bi.bi_op_add = emptyds_op_add;
+	emptyds.on_bi.bi_op_modify = emptyds_op_modify;
+	emptyds.on_bi.bi_db_init = emptyds_db_init;
+	emptyds.on_bi.bi_db_destroy = emptyds_db_destroy;
+
+	return overlay_register( &emptyds );
+}
+
+int
+init_module( int argc, char *argv[] )
+{
+	return emptyds_init();
+}
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/Makefile openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/Makefile
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/Makefile	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/Makefile	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,78 @@
+# $OpenLDAP$
+# This work is part of OpenLDAP Software <http://www.openldap.org/>.
+#
+# Copyright 1998-2022 The OpenLDAP Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted only as authorized by the OpenLDAP
+# Public License.
+#
+# A copy of this license is available in the file LICENSE in the
+# top-level directory of the distribution or, alternatively, at
+# <http://www.OpenLDAP.org/license.html>.
+
+LDAP_SRC = ../../..
+LDAP_BUILD = $(LDAP_SRC)
+SRCDIR = ./
+LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
+	$(LDAP_BUILD)/libraries/liblber/liblber.la
+
+LIBTOOL = $(LDAP_BUILD)/libtool
+INSTALL = /usr/bin/install
+CC = gcc
+OPT = -g -O2
+DEFS = -DSLAPD_OVER_EDS=SLAPD_MOD_DYNAMIC
+INCS = $(LDAP_INC)
+LIBS = $(LDAP_LIB)
+
+PROGRAMS = emptyds.la
+MANPAGES = slapo-emptyds.5
+CLEAN = *.o *.lo *.la .libs
+LTVER = 0:0:0
+
+prefix=/usr/local
+exec_prefix=$(prefix)
+ldap_subdir=/openldap
+
+libdir=$(exec_prefix)/lib
+libexecdir=$(exec_prefix)/libexec
+moduledir = $(libexecdir)$(ldap_subdir)
+mandir = $(exec_prefix)/share/man
+man5dir = $(mandir)/man5
+
+all: $(PROGRAMS)
+
+d :=
+sp :=
+dir := tests
+include $(dir)/Rules.mk
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+all: $(PROGRAMS)
+
+emptyds.la: emptyds.lo
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+		-rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+clean:
+	rm -rf $(CLEAN)
+
+install: install-lib install-man FORCE
+
+install-lib: $(PROGRAMS)
+	mkdir -p $(DESTDIR)$(moduledir)
+	for p in $(PROGRAMS) ; do \
+		$(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+	done
+
+install-man: $(MANPAGES)
+	mkdir -p  $(DESTDIR)$(man5dir)
+	$(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
+
+FORCE:
+
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/README openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/README
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/README	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/README	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,66 @@
+emptyds Overlay README
+
+DESCRIPTION
+    This package contains an OpenLDAP overlay called "emptyds" (empty
+    directory string) that eliminates empty values of type directory string
+    (OID 1.3.6.1.4.1.1466.115.121.1.15) from the list of the values in the
+    following manner:
+    
+    - add: All empty attribute values will be removed before the add request
+      is executed
+    - mod-replace: A replace with empty values will be modified to a replace
+      without values. As result the attribute will be deleted
+    - mod-add: All empty attribute values will be removed before the mod-add
+      request is executed
+    - mod-delete: All empty attribute values will be removed before the
+      mod-delete request is executed
+    
+    If removing all empty values from a modification makes it a no-op, that
+    modification is removed from the list.
+    
+    At module load time the emptyds overlay manipulates the syntax checking
+    so that it intercepts the syntax check and allows empty values for
+    attributes of type directory string only. Non-empty values continue to
+    go through the normal check routines. It is therefore very important to
+    configure the overlays in a way that ensures that the emptyds overlay gets
+    the control over the operation before any other overlay. Otherwise it
+    could come to the situation with empty attribute values in the data base.
+    
+    David Hawes' addpartial overlay has been used as starting point for this
+    overlay.
+     
+BUILDING
+    A Makefile is included, please set your LDAP_SRC directory properly.
+
+INSTALLATION
+    After compiling the emptyds overlay, add the following to your
+    slapd.conf:
+
+    ### slapd.conf
+    ...
+    moduleload emptyds.la
+    ...
+    overlay emptyds
+    ...
+    # before database directive...
+    # this overlay must be the last overlay in the config file to ensure that
+    # requests are modified before other overlays get them.
+    ...
+    ### end slapd.conf
+
+CAVEATS
+    - In order to ensure that emptyds does what it needs to do, it must be
+      the last overlay configured so it will run before the other overlays.
+
+---
+Copyright 2014-2022 The OpenLDAP Foundation.
+Portions Copyright (C) DAASI International GmbH, Tamim Ziai.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted only as authorized by the OpenLDAP
+Public License.
+
+A copy of this license is available in file LICENSE in the
+top-level directory of the distribution or, alternatively, at
+http://www.OpenLDAP.org/license.html.
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/slapo-emptyds.5 openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/slapo-emptyds.5
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/slapo-emptyds.5	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/slapo-emptyds.5	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,68 @@
+.TH SLAPO-EDS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2022 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 2018 Tamim Ziai 
+.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-emptyds \- Remove Empty values from Directory String attributes
+Overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+Some non-conformant clients will provide empty values for Directory String
+attributes with certain operations. This overlay makes empty values acceptable
+for the Directory String syntax and will adjust all operations to make sure
+these values are never actually stored in the database.
+.LP
+.nf
+.ft tt
+	dn: cn=alex,cn=people,dc=example,dc=org
+	changeType: add                  changeType: add
+	sn: <empty>              -->     sn: blah
+	sn: blah
+
+	dn: cn=alex,cn=people,dc=example,dc=org
+	changeType: modify               changeType: modify
+	add: sn                  -->     add: sn
+	sn: <empty>                      sn: blah
+	sn: blah
+
+	dn: cn=alex,cn=people,dc=example,dc=org
+	changeType: modify               changeType: modify
+	delete: sn               -->     delete: sn
+	sn: <empty>                      sn: blah
+	sn: blah
+
+	dn: cn=alex,cn=people,dc=example,dc=org
+	changeType: modify               changeType: modify
+	replace: sn              -->     replace: sn
+	sn: <empty>
+
+	dn: cn=alex,cn=people,dc=example,dc=org
+	changeType: modify               changeType: modify
+	replace: sn              -->     replace: sn
+	sn: <empty>                      sn: blah
+	sn: blah
+.ft
+.fi
+.LP
+.SH CONFIGURATION
+This overlay has no specific configuration, however in order to ensure that it
+does what it needs to do, it should be the last overlay configured so it will
+run before the other overlays.
+.SH EXAMPLES
+.LP
+.RS
+.nf
+overlay emptyds
+.RE
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5).
+.SH ACKNOWLEDGEMENTS
+This module was written in 2014 by Tamim Ziai for DAASI International and
+updated in 2022 by Ondřej Kuzník for inclusion in the OpenLDAP project.
+.so ../Project
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/emptyds.conf openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/emptyds.conf
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/emptyds.conf	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/emptyds.conf	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,54 @@
+# basic slapd config -- for testing of slapo-emptyds
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+include		@DATADIR@/test.schema
+#
+pidfile		@TESTDIR@/slapd.1.pid
+argsfile	@TESTDIR@/slapd.1.args
+
+#mod#modulepath	../servers/slapd/back-@BACKEND@/
+#mod#moduleload	back_@BACKEND@.la
+#accesslogmod#modulepath ../servers/slapd/overlays/
+#accesslogmod#moduleload accesslog.la
+moduleload ../emptyds.la
+
+database	@BACKEND@
+suffix		"dc=example,dc=com"
+rootdn		"cn=Manager,dc=example,dc=com"
+rootpw		secret
+#~null~#directory	@TESTDIR@/db.1.a
+
+overlay accesslog
+logdb cn=log
+logops writes
+logsuccess true
+
+overlay emptyds
+
+database	@BACKEND@
+suffix		"cn=log"
+rootdn		"cn=Manager,dc=example,dc=com"
+#~null~#directory	@TESTDIR@/db.1.b
+
+## This one makes no difference except we want to make sure we can
+## safely instantiate the overlay on multiple databases
+overlay emptyds
+
+database	monitor
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.ldif openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.ldif
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.ldif	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.ldif	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,71 @@
+# slapd prevents us from adding the same value multiple times
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+add: description
+description: one
+description: 
+description: two
+description: three
+description: four
+# a space is distinct from an empty value
+description:: ICAg
+-
+replace: drink
+drink: Earl Grey, hot
+-
+delete: description
+description: 
+-
+replace: drink
+drink: Earl Grey, hot
+
+# there is no such restriction on deletes, so we exercise this part of the overlay here
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+delete: description
+description: 
+description: four
+description: 
+description: three
+description: two
+description: 
+description: 
+description: one
+description: 
+-
+add: description
+description: 
+
+dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+replace: drink
+drink: 
+
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+-
+add: member
+# an empty DN should not be stripped
+member: 
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+
+dn: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
+changetype: add
+objectclass: testPerson
+cn: Gern Jensen
+sn: Jensen
+uid: gjensen
+title: 
+postaladdress: ITD $ 535 W. William St $ Anytown, MI 48103
+seealso: cn=All Staff,ou=Groups,dc=example,dc=com
+drink: Coffee
+homepostaladdress: 844 Brown St. Apt. 4 $ Anytown, MI 48104
+description: Very odd
+description: 
+description: More than you think
+facsimiletelephonenumber: +1 313 555 7557
+telephonenumber: +1 313 555 8343
+mail: gjensen@mailgw.example.com
+homephone: +1 313 555 8844
+testTime: 20050304001801.234Z
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.out openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.out
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.out	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/data/test001.out	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,54 @@
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: description:+ one
+reqMod: description:+ two
+reqMod: description:+ three
+reqMod: description:+ four
+# "description:+    " that's a space, then 3 spaces for value
+reqMod:: ZGVzY3JpcHRpb246KyAgICA=
+reqMod: drink:= Earl Grey, hot
+# second mod was removed, so we have two replaces in succession now and need
+# to separate them (":")
+reqMod:: Og==
+reqMod: drink:= Earl Grey, hot
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: description:- four
+reqMod: description:- three
+reqMod: description:- two
+reqMod: description:- one
+# second mod is removed
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: drink:=
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=All Staff,ou=Groups,dc=example,dc=com
+reqMod: member:-
+# "member:+ " adding an empty DN
+reqMod:: bWVtYmVyOisg
+reqMod: member:+ cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example
+ ,dc=com
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,
+ dc=com
+reqMod: objectClass:+ testPerson
+reqMod: cn:+ Gern Jensen
+reqMod: sn:+ Jensen
+reqMod: uid:+ gjensen
+reqMod: postalAddress:+ ITD $ 535 W. William St $ Anytown, MI 48103
+reqMod: seeAlso:+ cn=All Staff,ou=Groups,dc=example,dc=com
+reqMod: drink:+ Coffee
+reqMod: homePostalAddress:+ 844 Brown St. Apt. 4 $ Anytown, MI 48104
+reqMod: description:+ Very odd
+reqMod: description:+ More than you think
+reqMod: facsimileTelephoneNumber:+ +1 313 555 7557
+reqMod: telephoneNumber:+ +1 313 555 8343
+reqMod: mail:+ gjensen@mailgw.example.com
+reqMod: homePhone:+ +1 313 555 8844
+reqMod: testTime:+ 20050304001801.234Z
+reqMod: structuralObjectClass:+ testPerson
+
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/Rules.mk openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/Rules.mk
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/Rules.mk	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/Rules.mk	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,23 @@
+sp := $(sp).x
+dirstack_$(sp) := $(d)
+d := $(dir)
+
+.PHONY: test
+
+CLEAN += clients servers tests/progs tests/schema tests/testdata tests/testrun
+
+test: all clients servers tests/progs
+
+test:
+	cd tests; \
+		SRCDIR=$(abspath $(LDAP_SRC)) \
+		LDAP_BUILD=$(abspath $(LDAP_BUILD)) \
+		TOPDIR=$(abspath $(SRCDIR)) \
+		LIBTOOL=$(abspath $(LIBTOOL)) \
+			$(abspath $(SRCDIR))/tests/run all
+
+servers clients tests/progs:
+	ln -s $(abspath $(LDAP_BUILD))/$@ $@
+
+d := $(dirstack_$(sp))
+sp := $(basename $(sp))
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/run openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/run
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/run	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/run	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,218 @@
+#!/bin/sh
+## $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+##
+## ACKNOWLEDGEMENTS:
+## This module was written in 2016 by Ondřej Kuzník for Symas Corp.
+
+USAGE="$0 [-b <backend>] [-c] [-k] [-l #] [-p] [-s {ro|rp}] [-u] [-w] <script>"
+
+TOPSRCDIR="${SRCDIR-$LDAP_SRC}"
+SRCDIR="${TOPSRCDIR}/tests"
+eval `grep EGREP_CMD= ${LDAP_BUILD}/tests/run`
+eval `$EGREP_CMD -e '^LN_S=' ${LDAP_BUILD}/tests/run`
+
+export SRCDIR TOPSRCDIR LN_S EGREP_CMD
+
+. "${SRCDIR}/scripts/defines.sh"
+
+BACKEND=
+CLEAN=no
+WAIT=0
+KILLSERVERS=yes
+PRESERVE=${PRESERVE-no}
+SYNCMODE=${SYNCMODE-rp}
+USERDATA=no
+LOOP=1
+COUNTER=1
+
+while test $# -gt 0 ; do
+	case "$1" in
+		-b | -backend)
+			BACKEND="$2"
+			shift; shift ;;
+
+		-c | -clean)
+			CLEAN=yes
+			shift ;;
+
+		-k | -kill)
+			KILLSERVERS=no
+			shift ;;
+		-l | -loop)
+			NUM="`echo $2 | sed 's/[0-9]//g'`"
+			if [ -z "$NUM" ]; then
+				LOOP=$2
+			else
+				echo "Loop variable not an int: $2"
+				echo "$USAGE"; exit 1
+			fi
+			shift ;
+			shift ;;
+
+		-p | -preserve)
+			PRESERVE=yes
+			shift ;;
+
+		-s | -syncmode)
+			case "$2" in
+				ro | rp)
+					SYNCMODE="$2"
+					;;
+				*)
+					echo "unknown sync mode $2"
+					echo "$USAGE"; exit 1
+					;;
+			esac
+			shift; shift ;;
+
+		-u | -userdata)
+			USERDATA=yes
+			shift ;;
+
+		-w | -wait)
+			WAIT=1
+			shift ;;
+
+		-)
+			shift
+			break ;;
+
+		-*)
+			echo "$USAGE"; exit 1
+			;;
+
+		*)
+			break ;;
+	esac
+done
+
+eval `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run`
+export `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run | sed 's/=.*//'`
+
+if test -z "$BACKEND" ; then
+	for b in mdb ; do
+		if eval "test \"\$AC_$b\" != no" ; then
+			BACKEND=$b
+			break
+		fi
+	done
+	if test -z "$BACKEND" ; then
+		echo "No suitable default database backend configured" >&2
+		exit 1
+	fi
+fi
+
+BACKENDTYPE=`eval 'echo $AC_'$BACKEND`
+if test "x$BACKENDTYPE" = "x" ; then
+	BACKENDTYPE="unknown"
+fi
+
+# Backend features.  indexdb: indexing and unchecked limit.
+# maindb: main storage backend.  Currently index,limits,mode,paged results.
+INDEXDB=noindexdb MAINDB=nomaindb
+case $BACKEND in
+	mdb) INDEXDB=indexdb MAINDB=maindb ;;
+esac
+
+export	BACKEND BACKENDTYPE INDEXDB MAINDB \
+	WAIT KILLSERVERS PRESERVE SYNCMODE USERDATA \
+	SRCDIR
+
+if test $# = 0 ; then
+	echo "$USAGE"; exit 1
+fi
+
+# need defines.sh for the definitions of the directories
+. $SRCDIR/scripts/defines.sh
+
+SCRIPTDIR="${TOPDIR}/tests/scripts"
+
+export SCRIPTDIR
+
+SCRIPTNAME="$1"
+shift
+
+if test -x "${SCRIPTDIR}/${SCRIPTNAME}" ; then
+	SCRIPT="${SCRIPTDIR}/${SCRIPTNAME}"
+elif test -x "`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"; then
+	SCRIPT="`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"
+elif test -x "`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"; then
+	SCRIPT="`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"
+else
+	echo "run: ${SCRIPTNAME} not found (or not executable)"
+	exit 1;
+fi
+
+if test ! -r ${DATADIR}/test.ldif ; then
+	${LN_S} ${SRCDIR}/data ${DATADIR}
+fi
+if test ! -r ${SCHEMADIR}/core.schema ; then
+	${LN_S} ${TOPSRCDIR}/servers/slapd/schema ${SCHEMADIR}
+fi
+if test ! -r ./data; then
+	${LN_S} ${TOPDIR}/tests/data ./
+fi
+
+if test -d ${TESTDIR} ; then
+	if test $PRESERVE = no ; then
+		echo "Cleaning up test run directory leftover from previous run."
+		/bin/rm -rf ${TESTDIR}
+	elif test $PRESERVE = yes ; then
+		echo "Cleaning up only database directories leftover from previous run."
+		/bin/rm -rf ${TESTDIR}/db.*
+	fi
+fi
+mkdir -p ${TESTDIR}
+
+if test $USERDATA = yes ; then
+	if test ! -d userdata ; then
+		echo "User data directory (userdata) does not exist."
+		exit 1
+	fi
+	cp -R userdata/* ${TESTDIR}
+fi
+
+# disable LDAP initialization
+LDAPNOINIT=true; export LDAPNOINIT
+
+echo "Running ${SCRIPT} for ${BACKEND}..."
+while [ $COUNTER -le $LOOP ]; do
+	if [ $LOOP -gt 1 ]; then
+		echo "Running $COUNTER of $LOOP iterations"
+	fi
+	$SCRIPT $*
+	RC=$?
+
+	if test $CLEAN = yes ; then
+		echo "Cleaning up test run directory from this run."
+		/bin/rm -rf ${TESTDIR}
+		echo "Cleaning up symlinks."
+		/bin/rm -f ${DATADIR} ${SCHEMADIR}
+	fi
+
+	if [ $RC -ne 0 ]; then
+		if [ $LOOP -gt 1 ]; then
+			echo "Failed after $COUNTER of $LOOP iterations"
+		fi
+		exit $RC
+	else
+		COUNTER=`expr $COUNTER + 1`
+		if [ $COUNTER -le $LOOP ]; then
+			echo "Cleaning up test run directory from this run."
+			/bin/rm -rf ${TESTDIR}
+		fi
+	fi
+done
+exit $RC
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/scripts/all openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/scripts/all
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/scripts/all	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/scripts/all	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,92 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+. $SRCDIR/scripts/defines.sh
+
+TB="" TN=""
+if test -t 1 ; then
+	TB=`$SHTOOL echo -e "%B" 2>/dev/null`
+	TN=`$SHTOOL echo -e "%b" 2>/dev/null`
+fi
+
+FAILCOUNT=0
+SKIPCOUNT=0
+SLEEPTIME=10
+
+echo ">>>>> Executing all LDAP tests for $BACKEND"
+
+if [ -n "$NOEXIT" ]; then
+	echo "Result	Test" > $TESTWD/results
+fi
+
+for CMD in ${SCRIPTDIR}/test*; do
+	case "$CMD" in
+		*~)		continue;;
+		*.bak)	continue;;
+		*.orig)	continue;;
+		*.sav)	continue;;
+		*)		test -f "$CMD" || continue;;
+	esac
+
+	# remove cruft from prior test
+	if test $PRESERVE = yes ; then
+		/bin/rm -rf $TESTDIR/db.*
+	else
+		/bin/rm -rf $TESTDIR
+	fi
+
+	BCMD=`basename $CMD`
+	if [ -x "$CMD" ]; then
+		echo ">>>>> Starting ${TB}$BCMD${TN} for $BACKEND..."
+		$CMD
+		RC=$?
+		if test $RC -eq 0 ; then
+			echo ">>>>> $BCMD completed ${TB}OK${TN} for $BACKEND."
+		else
+			echo ">>>>> $BCMD ${TB}failed${TN} for $BACKEND"
+			FAILCOUNT=`expr $FAILCOUNT + 1`
+
+			if [ -n "$NOEXIT" ]; then
+				echo "Continuing."
+			else
+				echo "(exit $RC)"
+				exit $RC
+			fi
+		fi
+	else
+		echo ">>>>> Skipping ${TB}$BCMD${TN} for $BACKEND."
+		SKIPCOUNT=`expr $SKIPCOUNT + 1`
+		RC="-"
+	fi
+
+	if [ -n "$NOEXIT" ]; then
+		echo "$RC	$BCMD" >> $TESTWD/results
+	fi
+
+#	echo ">>>>> waiting $SLEEPTIME seconds for things to exit"
+#	sleep $SLEEPTIME
+	echo ""
+done
+
+if [ -n "$NOEXIT" ]; then
+	if [ "$FAILCOUNT" -gt 0 ]; then
+		cat $TESTWD/results
+		echo "$FAILCOUNT tests for $BACKEND ${TB}failed${TN}. Please review the test log."
+	else
+		echo "All executed tests for $BACKEND ${TB}succeeded${TN}."
+	fi
+fi
+
+echo "$SKIPCOUNT tests for $BACKEND were ${TB}skipped${TN}."
diff -Nru openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds
--- openldap-2.5.12+dfsg/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds	1970-01-01 00:00:00.000000000 +0000
+++ openldap-2.5.13+dfsg/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds	2022-07-14 17:09:57.000000000 +0000
@@ -0,0 +1,137 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+##
+## ACKNOWLEDGEMENTS:
+## This module was written in 2019 by Tamim Ziai for DAASI International
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+LDIF=${TOPDIR}/tests/data/test001.out
+
+if test $ACCESSLOG = accesslogno; then
+	echo "Accesslog overlay not available, test skipped"
+	exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1A $DBDIR1B
+
+. $CONFFILTER $BACKEND < "${TOPDIR}/tests/data/emptyds.conf" > $CONF1
+
+echo "Running slapadd to build slapd database... "
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+	echo "slapadd failed ($RC)!"
+	exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h $URI1 -d $LVL >> $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+	echo PID $PID
+	read foo
+fi
+KILLPIDS="$PID"
+
+sleep $SLEEP0
+
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting ${SLEEP1} seconds for slapd to start..."
+	sleep ${SLEEP1}
+done
+
+echo "Checking add/modify handling... "
+
+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+	> $TESTOUT -f "${TOPDIR}/tests/data/test001.ldif"
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Checking modrdn handling (should still fail with invalidDNSyntax)... "
+
+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+	>> $TESTOUT 2>&1 <<EOMOD
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modrdn
+newrdn: cn=
+deleteoldrdn: 0
+EOMOD
+RC=$?
+case $RC in
+34)
+	echo "	ldapmodify failed ($RC)"
+	;;
+0)
+	echo "	ldapmodify should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+	;;
+*)
+	echo "	ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+	;;
+esac
+
+echo "Dumping accesslog..."
+
+$LDAPSEARCH -b "cn=log" -H $URI1 \
+	'objectClass=auditWriteObject' reqDN reqMod | \
+	grep -v -e 'entryCSN' -e '\(create\|modify\)Timestamp' \
+		-e '\(modifier\|creator\)sName' -e 'entryUUID' | \
+	sed -e 's/reqStart=[^,]*,/reqStart=timestamp,/' \
+	> $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	exit $RC
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+# Expectations:
+# - all empty values for directoryString pruned
+# - empty adds/deletes removed, empty replaces kept
+# - remaining values keep the same order as submitted
+# - other syntaxes (especially DNs) are kept intact
+echo "Filtering ldapsearch results..."
+$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+$LDIFFILTER < $LDIF > $LDIFFLT
+
+echo "Comparing filter output..."
+$CMP $LDIFFLT $SEARCHFLT > $CMPOUT
+
+if test $? != 0 ; then
+	echo "Comparison failed"
+	exit 1
+fi
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
diff -Nru openldap-2.5.12+dfsg/debian/changelog openldap-2.5.13+dfsg/debian/changelog
--- openldap-2.5.12+dfsg/debian/changelog	2022-06-13 17:19:52.000000000 +0000
+++ openldap-2.5.13+dfsg/debian/changelog	2022-08-05 14:51:52.000000000 +0000
@@ -1,3 +1,11 @@
+openldap (2.5.13+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium
+
+  * New upstream version (LP: #1983618).
+    - Several fixes, including memory leaks that affected libldap.
+    - Added slapo-emptyds contrib module (ITS#8882).
+
+ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 05 Aug 2022 10:51:52 -0400
+
 openldap (2.5.12+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium
 
   * New upstream version (LP: #1977627).
diff -Nru openldap-2.5.12+dfsg/doc/guide/admin/guide.html openldap-2.5.13+dfsg/doc/guide/admin/guide.html
--- openldap-2.5.12+dfsg/doc/guide/admin/guide.html	2022-05-04 15:54:39.000000000 +0000
+++ openldap-2.5.13+dfsg/doc/guide/admin/guide.html	2022-07-14 18:36:30.000000000 +0000
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.5 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="https://www.openldap.org/">https://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">4 May 2022</ADDRESS>
+<ADDRESS CLASS="doc-modified">14 July 2022</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
diff -Nru openldap-2.5.12+dfsg/doc/man/man3/ldap_get_option.3 openldap-2.5.13+dfsg/doc/man/man3/ldap_get_option.3
--- openldap-2.5.12+dfsg/doc/man/man3/ldap_get_option.3	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/doc/man/man3/ldap_get_option.3	2022-07-14 17:09:57.000000000 +0000
@@ -463,7 +463,7 @@
 .BR "unsigned int *" .
 
 .SH SASL OPTIONS
-The SASL options are OpenLDAP specific.
+The SASL options are OpenLDAP specific and unless otherwise noted, require an LDAP handle to be passed.
 .TP
 .B LDAP_OPT_X_SASL_AUTHCID
 Gets the SASL authentication identity;
@@ -507,7 +507,7 @@
 .BR outvalue
 must be
 .BR "char ***" .
-The caller must not free or otherwise muck with it.
+The caller must not free or otherwise muck with it. This option can be used globally.
 .TP
 .B LDAP_OPT_X_SASL_NOCANON
 Sets/gets the NOCANON flag.
diff -Nru openldap-2.5.12+dfsg/doc/man/man5/slapd-ldap.5 openldap-2.5.13+dfsg/doc/man/man5/slapd-ldap.5
--- openldap-2.5.12+dfsg/doc/man/man5/slapd-ldap.5	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/doc/man/man5/slapd-ldap.5	2022-07-14 17:09:57.000000000 +0000
@@ -268,7 +268,9 @@
 .B none
 is the default, i.e. no \fIidentity assertion\fP is performed.
 
-The authz parameter is used to instruct the SASL bind to exploit 
+The
+.B authz
+parameter is used to instruct the SASL bind to exploit
 .B native 
 SASL authorization, if available; since connections are cached,
 this should only be used when authorizing with a fixed identity
diff -Nru openldap-2.5.12+dfsg/doc/man/man5/slapd-meta.5 openldap-2.5.13+dfsg/doc/man/man5/slapd-meta.5
--- openldap-2.5.12+dfsg/doc/man/man5/slapd-meta.5	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/doc/man/man5/slapd-meta.5	2022-07-14 17:09:57.000000000 +0000
@@ -417,7 +417,9 @@
 .B none
 is the default, i.e. no \fIidentity assertion\fP is performed.
 
-The authz parameter is used to instruct the SASL bind to exploit 
+The
+.B authz
+parameter is used to instruct the SASL bind to exploit
 .B native 
 SASL authorization, if available; since connections are cached,
 this should only be used when authorizing with a fixed identity
diff -Nru openldap-2.5.12+dfsg/libraries/libldap/deref.c openldap-2.5.13+dfsg/libraries/libldap/deref.c
--- openldap-2.5.12+dfsg/libraries/libldap/deref.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/libldap/deref.c	2022-07-14 17:09:57.000000000 +0000
@@ -160,7 +160,8 @@
 	LDAPControl	*ctrl,
 	LDAPDerefRes	**drp2 )
 {
-	BerElement *ber;
+	BerElementBuffer berbuf;
+	BerElement *ber = (BerElement *)&berbuf;
 	ber_tag_t tag;
 	ber_len_t len;
 	char *last;
@@ -172,13 +173,8 @@
 		return LDAP_PARAM_ERROR;
 	}
 
-	/* Create a BerElement from the berval returned in the control. */
-	ber = ber_init( &ctrl->ldctl_value );
-
-	if ( ber == NULL ) {
-		ld->ld_errno = LDAP_NO_MEMORY;
-		return ld->ld_errno;
-	}
+	/* Set up a BerElement from the berval returned in the control. */
+	ber_init2( ber, &ctrl->ldctl_value, 0 );
 
 	/* Extract the count and cookie from the control. */
 	drp = &drhead;
@@ -243,8 +239,6 @@
 	tag = 0;
 
 done:;
-        ber_free( ber, 1 );
-
 	if ( tag == LBER_ERROR ) {
 		if ( drhead != NULL ) {
 			ldap_derefresponse_free( drhead );
diff -Nru openldap-2.5.12+dfsg/libraries/libldap/ldif.c openldap-2.5.13+dfsg/libraries/libldap/ldif.c
--- openldap-2.5.12+dfsg/libraries/libldap/ldif.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/libldap/ldif.c	2022-07-14 17:09:57.000000000 +0000
@@ -729,7 +729,8 @@
 	if ( fp ) {
 		lfp = ber_memalloc( sizeof( LDIFFP ));
 		if ( lfp == NULL ) {
-		    return NULL;
+			fclose( fp );
+			return NULL;
 		}
 		lfp->fp = fp;
 		lfp->prev = NULL;
diff -Nru openldap-2.5.12+dfsg/libraries/libldap/turn.c openldap-2.5.13+dfsg/libraries/libldap/turn.c
--- openldap-2.5.12+dfsg/libraries/libldap/turn.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/libldap/turn.c	2022-07-14 17:09:57.000000000 +0000
@@ -44,7 +44,7 @@
 {
 #ifdef LDAP_EXOP_X_TURN
 	BerElement *turnvalber = NULL;
-	struct berval *turnvalp = NULL;
+	struct berval turnval;
 	int rc;
 
 	turnvalber = ber_alloc_t( LBER_USE_DER );
@@ -53,10 +53,10 @@
 	} else {
 		ber_printf( turnvalber, "{s}", identifier );
 	}
-	ber_flatten( turnvalber, &turnvalp );
+	ber_flatten2( turnvalber, &turnval, 0 );
 
 	rc = ldap_extended_operation( ld, LDAP_EXOP_X_TURN,
-			turnvalp, sctrls, cctrls, msgidp );
+			&turnval, sctrls, cctrls, msgidp );
 	ber_free( turnvalber, 1 );
 	return rc;
 #else
@@ -74,7 +74,7 @@
 {
 #ifdef LDAP_EXOP_X_TURN
 	BerElement *turnvalber = NULL;
-	struct berval *turnvalp = NULL;
+	struct berval turnval;
 	int rc;
 
 	turnvalber = ber_alloc_t( LBER_USE_DER );
@@ -83,10 +83,10 @@
 	} else {
 		ber_printf( turnvalber, "{s}", identifier );
 	}
-	ber_flatten( turnvalber, &turnvalp );
+	ber_flatten2( turnvalber, &turnval, 0 );
 
 	rc = ldap_extended_operation_s( ld, LDAP_EXOP_X_TURN,
-			turnvalp, sctrls, cctrls, NULL, NULL );
+			&turnval, sctrls, cctrls, NULL, NULL );
 	ber_free( turnvalber, 1 );
 	return rc;
 #else
diff -Nru openldap-2.5.12+dfsg/libraries/libldap/txn.c openldap-2.5.13+dfsg/libraries/libldap/txn.c
--- openldap-2.5.12+dfsg/libraries/libldap/txn.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/libldap/txn.c	2022-07-14 17:09:57.000000000 +0000
@@ -68,7 +68,7 @@
 {
 	int rc;
 	BerElement *txnber = NULL;
-	struct berval *txnval = NULL;
+	struct berval txnval;
 
 	assert( txnid != NULL );
 
@@ -80,10 +80,10 @@
 		ber_printf( txnber, "{bON}", commit, txnid );
 	}
 
-	ber_flatten( txnber, &txnval );
+	ber_flatten2( txnber, &txnval, 0 );
 
 	rc = ldap_extended_operation( ld, LDAP_EXOP_TXN_END,
-		txnval, sctrls, cctrls, msgidp );
+		&txnval, sctrls, cctrls, msgidp );
 
 	ber_free( txnber, 1 );
 	return rc;
@@ -100,7 +100,7 @@
 {
 	int rc;
 	BerElement *txnber = NULL;
-	struct berval *txnval = NULL;
+	struct berval txnval;
 	struct berval *retdata = NULL;
 
 	if ( retidp != NULL ) *retidp = -1;
@@ -113,10 +113,10 @@
 		ber_printf( txnber, "{bON}", commit, txnid );
 	}
 
-	ber_flatten( txnber, &txnval );
+	ber_flatten2( txnber, &txnval, 0 );
 
 	rc = ldap_extended_operation_s( ld, LDAP_EXOP_TXN_END,
-		txnval, sctrls, cctrls, NULL, &retdata );
+		&txnval, sctrls, cctrls, NULL, &retdata );
 
 	ber_free( txnber, 1 );
 
diff -Nru openldap-2.5.12+dfsg/libraries/librewrite/rewrite-int.h openldap-2.5.13+dfsg/libraries/librewrite/rewrite-int.h
--- openldap-2.5.12+dfsg/libraries/librewrite/rewrite-int.h	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/librewrite/rewrite-int.h	2022-07-14 17:09:57.000000000 +0000
@@ -40,6 +40,11 @@
 
 #include <rewrite.h>
 
+#ifndef NO_THREADS
+#define USE_REWRITE_LDAP_PVT_THREADS
+#include <ldap_pvt_thread.h>
+#endif
+
 #define malloc(x)	ber_memalloc(x)
 #define calloc(x,y)	ber_memcalloc(x,y)
 #define realloc(x,y)	ber_memrealloc(x,y)
@@ -47,11 +52,6 @@
 #undef strdup
 #define	strdup(x)	ber_strdup(x)
 
-#ifndef NO_THREADS
-#define USE_REWRITE_LDAP_PVT_THREADS
-#include <ldap_pvt_thread.h>
-#endif
-
 /*
  * For details, see RATIONALE.
  */
diff -Nru openldap-2.5.12+dfsg/libraries/Makefile.in openldap-2.5.13+dfsg/libraries/Makefile.in
--- openldap-2.5.12+dfsg/libraries/Makefile.in	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/libraries/Makefile.in	2022-07-14 17:09:57.000000000 +0000
@@ -24,7 +24,7 @@
 PKGCONFIG_SRCDIRS=liblber libldap
 
 install-local:
-	@$(MKDIR) $(PKGCONFIG_DIR)
+	@-$(MKDIR) $(PKGCONFIG_DIR)
 	@for i in $(PKGCONFIG_SRCDIRS); do \
 	    $(INSTALL_DATA) $$i/*.pc $(PKGCONFIG_DIR); \
 	done
diff -Nru openldap-2.5.12+dfsg/servers/lloadd/operation.c openldap-2.5.13+dfsg/servers/lloadd/operation.c
--- openldap-2.5.12+dfsg/servers/lloadd/operation.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/lloadd/operation.c	2022-07-14 17:09:57.000000000 +0000
@@ -589,19 +589,20 @@
                                                LDAP_ADMINLIMIT_EXCEEDED,
                 "upstream did not respond in time", 0 );
 
-        if ( rc == LDAP_SUCCESS ) {
+        if ( upstream->c_type != LLOAD_C_BIND && rc == LDAP_SUCCESS ) {
             rc = operation_send_abandon( op, upstream );
         }
         operation_unlink( op );
     }
 
-    /* TODO: if operation_send_abandon failed, we need to kill the upstream */
     if ( rc == LDAP_SUCCESS ) {
         connection_write_cb( -1, 0, upstream );
     }
 
     CONNECTION_LOCK(upstream);
-    if ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) {
+    /* ITS#9799: If a Bind timed out, connection is in an unknown state */
+    if ( upstream->c_type == LLOAD_C_BIND || rc != LDAP_SUCCESS ||
+            ( upstream->c_state == LLOAD_C_CLOSING && !upstream->c_ops ) ) {
         CONNECTION_DESTROY(upstream);
     } else {
         CONNECTION_UNLOCK(upstream);
diff -Nru openldap-2.5.12+dfsg/servers/slapd/backend.c openldap-2.5.13+dfsg/servers/slapd/backend.c
--- openldap-2.5.12+dfsg/servers/slapd/backend.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/backend.c	2022-07-14 17:09:57.000000000 +0000
@@ -199,10 +199,7 @@
 
 	assert( be != NULL );
 
-	be->be_pending_csn_list = (struct be_pcl *)
-		ch_calloc( 1, sizeof( struct be_pcl ) );
-
-	LDAP_TAILQ_INIT( be->be_pending_csn_list );
+	LDAP_TAILQ_INIT( &be->be_pcsn_st.be_pcsn_list );
 
 	Debug( LDAP_DEBUG_TRACE,
 		"backend_startup_one: starting \"%s\"\n",
@@ -433,18 +430,15 @@
 void
 backend_stopdown_one( BackendDB *bd )
 {
-	if ( bd->be_pending_csn_list ) {
-		struct slap_csn_entry *csne;
-		csne = LDAP_TAILQ_FIRST( bd->be_pending_csn_list );
-		while ( csne ) {
-			struct slap_csn_entry *tmp_csne = csne;
-
-			LDAP_TAILQ_REMOVE( bd->be_pending_csn_list, csne, ce_csn_link );
-			ch_free( csne->ce_csn.bv_val );
-			csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
-			ch_free( tmp_csne );
-		}
-		ch_free( bd->be_pending_csn_list );
+	struct slap_csn_entry *csne;
+	csne = LDAP_TAILQ_FIRST( &bd->be_pcsn_st.be_pcsn_list );
+	while ( csne ) {
+		struct slap_csn_entry *tmp_csne = csne;
+
+		LDAP_TAILQ_REMOVE( &bd->be_pcsn_st.be_pcsn_list, csne, ce_csn_link );
+		ch_free( csne->ce_csn.bv_val );
+		csne = LDAP_TAILQ_NEXT( csne, ce_csn_link );
+		ch_free( tmp_csne );
 	}
 
 	if ( bd->bd_info->bi_db_destroy ) {
@@ -487,7 +481,7 @@
 		ber_bvarray_free( bd->be_update_refs );
 	}
 
-	ldap_pvt_thread_mutex_destroy( &bd->be_pcl_mutex );
+	ldap_pvt_thread_mutex_destroy( &bd->be_pcsn_st.be_pcsn_mutex );
 
 	if ( dynamic ) {
 		free( bd );
@@ -624,7 +618,8 @@
 	be->be_requires = frontendDB->be_requires;
 	be->be_ssf_set = frontendDB->be_ssf_set;
 
-	ldap_pvt_thread_mutex_init( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_init( &be->be_pcsn_st.be_pcsn_mutex );
+	be->be_pcsn_p = &be->be_pcsn_st;
 
  	/* assign a default depth limit for alias deref */
 	be->be_max_deref_depth = SLAPD_DEFAULT_MAXDEREFDEPTH; 
@@ -638,7 +633,7 @@
 		/* If we created and linked this be, remove it and free it */
 		if ( !b0 ) {
 			LDAP_STAILQ_REMOVE(&backendDB, be, BackendDB, be_next);
-			ldap_pvt_thread_mutex_destroy( &be->be_pcl_mutex );
+			ldap_pvt_thread_mutex_destroy( &be->be_pcsn_st.be_pcsn_mutex );
 			ch_free( be );
 			be = NULL;
 			nbackends--;
diff -Nru openldap-2.5.12+dfsg/servers/slapd/backglue.c openldap-2.5.13+dfsg/servers/slapd/backglue.c
--- openldap-2.5.12+dfsg/servers/slapd/backglue.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/backglue.c	2022-07-14 17:09:57.000000000 +0000
@@ -1381,6 +1381,11 @@
 				gi->gi_nodes--;
 			}
 		}
+		/* Mark as no longer linked/sub */
+		b0->be_flags &= ~(SLAP_DBFLAG_GLUE_SUBORDINATE|SLAP_DBFLAG_GLUE_LINKED|
+			SLAP_DBFLAG_GLUE_ADVERTISE);
+		b0->be_pcsn_p = &b0->be_pcsn_st;
+		break;
 	}
 	if ( be == NULL )
 		rc = LDAP_NO_SUCH_OBJECT;
@@ -1440,6 +1445,7 @@
 				&gi->gi_n[gi->gi_nodes].gn_pdn );
 			gi->gi_nodes++;
 			on->on_bi.bi_private = gi;
+			ga->ga_be->be_pcsn_p = be->be_pcsn_p;
 			ga->ga_be->be_flags |= SLAP_DBFLAG_GLUE_LINKED;
 			break;
 		}
diff -Nru openldap-2.5.12+dfsg/servers/slapd/back-mdb/id2entry.c openldap-2.5.13+dfsg/servers/slapd/back-mdb/id2entry.c
--- openldap-2.5.12+dfsg/servers/slapd/back-mdb/id2entry.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/back-mdb/id2entry.c	2022-07-14 17:09:57.000000000 +0000
@@ -779,7 +779,17 @@
 			return rc;
 		}
 		if ( ldap_pvt_thread_pool_getkey( ctx, mdb->mi_dbenv, &data, NULL ) ) {
+			int retried = 0;
+retry:
 			rc = mdb_txn_begin( mdb->mi_dbenv, NULL, MDB_RDONLY, &moi->moi_txn );
+			if (rc == MDB_READERS_FULL && !retried) {
+				int dead;
+				/* if any stale readers were cleared, a slot should be available */
+				if (!mdb_reader_check( mdb->mi_dbenv, &dead ) && dead) {
+					retried = 1;
+					goto retry;
+				}
+			}
 			if (rc) {
 				Debug( LDAP_DEBUG_ANY, "mdb_opinfo_get: err %s(%d)\n",
 					mdb_strerror(rc), rc );
diff -Nru openldap-2.5.12+dfsg/servers/slapd/bind.c openldap-2.5.13+dfsg/servers/slapd/bind.c
--- openldap-2.5.12+dfsg/servers/slapd/bind.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/bind.c	2022-07-14 17:09:57.000000000 +0000
@@ -500,7 +500,7 @@
 		}
 	}
 
-	rc = op->o_bd->be_modify( &op2, &r2 );
+	rc = op2.o_bd->be_modify( &op2, &r2 );
 	slap_mods_free( m, 1 );
 
 done:
diff -Nru openldap-2.5.12+dfsg/servers/slapd/ctxcsn.c openldap-2.5.13+dfsg/servers/slapd/ctxcsn.c
--- openldap-2.5.12+dfsg/servers/slapd/ctxcsn.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/ctxcsn.c	2022-07-14 17:09:57.000000000 +0000
@@ -54,9 +54,9 @@
 		sid = slap_parse_csn_sid( &op->o_csn );
 	}
 
-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
 
-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
+	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
 		if ( csne->ce_op == op ) {
 			csne->ce_state = SLAP_CSN_COMMIT;
 			if ( foundit ) *foundit = 1;
@@ -64,7 +64,7 @@
 		}
 	}
 
-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
+	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
 		if ( sid != -1 && sid == csne->ce_sid ) {
 			if ( csne->ce_state == SLAP_CSN_COMMIT ) committed_csne = csne;
 			if ( csne->ce_state == SLAP_CSN_PENDING ) break;
@@ -82,7 +82,7 @@
 			maxcsn->bv_val[0] = 0;
 		}
 	}
-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
 }
 
 void
@@ -91,16 +91,16 @@
 	struct slap_csn_entry *csne;
 	BackendDB *be = op->o_bd->bd_self;
 
-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
 
-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
+	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
 		if ( csne->ce_op == op ) {
 			csne->ce_state = SLAP_CSN_PENDING;
 			break;
 		}
 	}
 
-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
 }
 
 void
@@ -113,11 +113,11 @@
 	if ( op->o_bd == NULL ) return;
 	be = op->o_bd->bd_self;
 
-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
 
-	LDAP_TAILQ_FOREACH( csne, be->be_pending_csn_list, ce_csn_link ) {
+	LDAP_TAILQ_FOREACH( csne, &be->be_pcsn_p->be_pcsn_list, ce_csn_link ) {
 		if ( csne->ce_op == op ) {
-			LDAP_TAILQ_REMOVE( be->be_pending_csn_list,
+			LDAP_TAILQ_REMOVE( &be->be_pcsn_p->be_pcsn_list,
 				csne, ce_csn_link );
 			Debug( LDAP_DEBUG_SYNC, "slap_graduate_commit_csn: removing %p %s\n",
 				csne, csne->ce_csn.bv_val );
@@ -130,7 +130,7 @@
 		}
 	}
 
-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
 
 	return;
 }
@@ -194,10 +194,10 @@
 	pending->ce_op = op;
 	pending->ce_state = SLAP_CSN_PENDING;
 
-	ldap_pvt_thread_mutex_lock( &be->be_pcl_mutex );
-	LDAP_TAILQ_INSERT_TAIL( be->be_pending_csn_list,
+	ldap_pvt_thread_mutex_lock( &be->be_pcsn_p->be_pcsn_mutex );
+	LDAP_TAILQ_INSERT_TAIL( &be->be_pcsn_p->be_pcsn_list,
 		pending, ce_csn_link );
-	ldap_pvt_thread_mutex_unlock( &be->be_pcl_mutex );
+	ldap_pvt_thread_mutex_unlock( &be->be_pcsn_p->be_pcsn_mutex );
 }
 
 int
diff -Nru openldap-2.5.12+dfsg/servers/slapd/daemon.c openldap-2.5.13+dfsg/servers/slapd/daemon.c
--- openldap-2.5.12+dfsg/servers/slapd/daemon.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/daemon.c	2022-07-14 17:09:57.000000000 +0000
@@ -227,11 +227,10 @@
     slap_daemon[t].sd_kq = kqueue(); \
 } while (0)
 
-/* a kqueue fd obtained before a fork can't be used in child process.
- * close it and reacquire it.
+/* a kqueue fd obtained before a fork isn't inherited by child process.
+ * reacquire it.
  */
 # define SLAP_SOCK_INIT2() do { \
-	close(slap_daemon[0].sd_kq); \
 	slap_daemon[0].sd_kq = kqueue(); \
 } while (0)
 
diff -Nru openldap-2.5.12+dfsg/servers/slapd/frontend.c openldap-2.5.13+dfsg/servers/slapd/frontend.c
--- openldap-2.5.12+dfsg/servers/slapd/frontend.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/frontend.c	2022-07-14 17:09:57.000000000 +0000
@@ -108,7 +108,7 @@
 	frontendDB->be_def_limit.lms_s_pr_hide = 0;			/* don't hide number of entries left */
 	frontendDB->be_def_limit.lms_s_pr_total = 0;			/* number of total entries returned by pagedResults equal to hard limit */
 
-	ldap_pvt_thread_mutex_init( &frontendDB->be_pcl_mutex );
+	ldap_pvt_thread_mutex_init( &frontendDB->be_pcsn_st.be_pcsn_mutex );
 
 	/* suffix */
 	frontendDB->be_suffix = ch_calloc( 2, sizeof( struct berval ) );
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/accesslog.c openldap-2.5.13+dfsg/servers/slapd/overlays/accesslog.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/accesslog.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/accesslog.c	2022-07-14 17:09:57.000000000 +0000
@@ -2283,6 +2283,8 @@
 		ch_free( li->li_sids );
 	if ( li->li_mincsn )
 		ber_bvarray_free( li->li_mincsn );
+	if ( li->li_db_suffix.bv_val )
+		ch_free( li->li_db_suffix.bv_val );
 	ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
 	ldap_pvt_thread_mutex_destroy( &li->li_op_rmutex );
 	free( li );
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/pcache.c openldap-2.5.13+dfsg/servers/slapd/overlays/pcache.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/pcache.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/pcache.c	2022-07-14 17:09:57.000000000 +0000
@@ -4540,7 +4540,6 @@
 	SLAP_DBFLAGS(&cm->db) |= SLAP_DBFLAG_NO_SCHEMA_CHECK;
 	cm->db.be_private = NULL;
 	cm->db.bd_self = &cm->db;
-	cm->db.be_pending_csn_list = NULL;
 	cm->qm = qm;
 	cm->numattrsets = 0;
 	cm->num_entries_limit = 5;
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/ppolicy.c openldap-2.5.13+dfsg/servers/slapd/overlays/ppolicy.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/ppolicy.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/ppolicy.c	2022-07-14 17:09:57.000000000 +0000
@@ -1405,7 +1405,8 @@
 }
 
 typedef struct ppbind {
-	slap_overinst *on;
+	pp_info *pi;
+	BackendDB *be;
 	int send_ctrl;
 	int set_restrict;
 	LDAPControl **oldctrls;
@@ -1455,8 +1456,7 @@
 ppolicy_bind_response( Operation *op, SlapReply *rs )
 {
 	ppbind *ppb = op->o_callback->sc_private;
-	slap_overinst *on = ppb->on;
-	pp_info *pi = on->on_bi.bi_private;
+	pp_info *pi = ppb->pi;
 	Modifications *mod = ppb->mod, *m;
 	int pwExpired = 0;
 	int ngut = -1, warn = -1, fc = 0, age, rc;
@@ -1467,7 +1467,7 @@
 	char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
 	char nowstr_usec[ LDAP_LUTIL_GENTIME_BUFSIZE+8 ];
 	struct berval timestamp, timestamp_usec;
-	BackendInfo *bi = op->o_bd->bd_info;
+	BackendDB *be = op->o_bd;
 	LDAPControl *ctrl = NULL;
 	Entry *e;
 
@@ -1477,9 +1477,9 @@
 		goto locked;
 	}
 
-	op->o_bd->bd_info = (BackendInfo *)on->on_info;
+	op->o_bd = ppb->be;
 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
-	op->o_bd->bd_info = bi;
+	op->o_bd = be;
 
 	if ( rc != LDAP_SUCCESS ) {
 		ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
@@ -1781,8 +1781,9 @@
 	}
 
 done:
-	op->o_bd->bd_info = (BackendInfo *)on->on_info;
+	op->o_bd = ppb->be;
 	be_entry_release_r( op, e );
+	op->o_bd = be;
 
 locked:
 	if ( mod && !pi->disable_write ) {
@@ -1821,7 +1822,7 @@
 				op2.orm_no_opattrs = 1;
 				op2.o_dont_replicate = 1;
 			}
-			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
+			op2.o_bd = ppb->be;
 		}
 		rc = op2.o_bd->be_modify( &op2, &r2 );
 		if ( rc != LDAP_SUCCESS ) {
@@ -1852,7 +1853,6 @@
 		ppb->oldctrls = add_passcontrol( op, rs, ctrl );
 		op->o_callback->sc_cleanup = ppolicy_ctrls_cleanup;
 	}
-	op->o_bd->bd_info = bi;
 	ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
 	return SLAP_CB_CONTINUE;
 }
@@ -1885,7 +1885,8 @@
 		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
 			1, op->o_tmpmemctx );
 		ppb = (ppbind *)(cb+1);
-		ppb->on = on;
+		ppb->pi = on->on_bi.bi_private;
+		ppb->be = op->o_bd->bd_self;
 		ppb->pErr = PP_noError;
 		ppb->set_restrict = 1;
 
@@ -2175,7 +2176,8 @@
 		cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback),
 			1, op->o_tmpmemctx );
 		ppb = (ppbind *)(cb+1);
-		ppb->on = on;
+		ppb->pi = on->on_bi.bi_private;
+		ppb->be = op->o_bd->bd_self;
 		ppb->pErr = PP_noError;
 		ppb->send_ctrl = 1;
 		/* failures here don't lockout the connection */
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/syncprov.c openldap-2.5.13+dfsg/servers/slapd/overlays/syncprov.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/syncprov.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/syncprov.c	2022-07-14 17:09:57.000000000 +0000
@@ -3163,6 +3163,8 @@
 			 */
 			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
 			if ( slapd_shutdown ) {
+aband:
+				ch_free( sop->s_base.bv_val );
 				ch_free( sop );
 				return SLAPD_ABANDON;
 			}
@@ -3172,8 +3174,7 @@
 		}
 		if ( op->o_abandon ) {
 			ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
-			ch_free( sop );
-			return SLAPD_ABANDON;
+			goto aband;
 		}
 		ldap_pvt_thread_mutex_init( &sop->s_mutex );
 		sop->s_next = si->si_ops;
@@ -3242,14 +3243,8 @@
 		if (srs->sr_state.numcsns != numcsns) {
 			/* consumer doesn't have the right number of CSNs */
 			Debug( LDAP_DEBUG_SYNC, "%s syncprov_op_search: "
-				"consumer cookie is missing a csn we track%s\n",
-				op->o_log_prefix, si->si_nopres ? ", rejecting" : "" );
-
-			if ( si->si_nopres ) {
-				rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
-				rs->sr_text = "not enough information to resync, please use other means";
-				goto bailout;
-			}
+				"consumer cookie is missing a csn we track\n",
+				op->o_log_prefix );
 
 			changed = SS_CHANGED;
 			if ( srs->sr_state.ctxcsn ) {
@@ -3302,6 +3297,7 @@
 						sp = &(*sp)->s_next;
 					*sp = sop->s_next;
 					ldap_pvt_thread_mutex_unlock( &si->si_ops_mutex );
+					ch_free( sop->s_base.bv_val );
 					ch_free( sop );
 				}
 				rs->sr_ctrls = NULL;
@@ -3348,7 +3344,55 @@
 					numcsns, sids, &mincsn, minsid ) ) {
 				do_present = SS_PRESENT;
 			}
+		} else if ( ad_minCSN != NULL && si->si_nopres && si->si_usehint ) {
+			/* We are instructed to trust minCSN if it exists. */
+			Entry *e;
+			Attribute *a = NULL;
+			int rc;
+
+			/*
+			 * ITS#9580 FIXME: when we've figured out and split the
+			 * sessionlog/deltalog tracking, use the appropriate attribute
+			 */
+			rc = overlay_entry_get_ov( op, &op->o_bd->be_nsuffix[0], NULL,
+					ad_minCSN, 0, &e, on );
+			if ( rc == LDAP_SUCCESS && e != NULL ) {
+				a = attr_find( e->e_attrs, ad_minCSN );
+			}
+
+			if ( a != NULL ) {
+				int *minsids;
+
+				minsids = slap_parse_csn_sids( a->a_vals, a->a_numvals, op->o_tmpmemctx );
+				slap_sort_csn_sids( a->a_vals, minsids, a->a_numvals, op->o_tmpmemctx );
+
+				for ( i=0, j=0; i < a->a_numvals; i++ ) {
+					while ( j < numcsns && minsids[i] > sids[j] ) j++;
+					if ( j < numcsns && minsids[i] == sids[j] &&
+							ber_bvcmp( &a->a_vals[i], &srs->sr_state.ctxcsn[j] ) <= 0 ) {
+						/* minCSN for this serverID is contained, keep going */
+						continue;
+					}
+					/*
+					 * Log DB's minCSN claims we can only replay from a certain
+					 * CSN for this serverID, but consumer's cookie hasn't met that
+					 * threshold: they need to refresh
+					 */
+					Debug( LDAP_DEBUG_SYNC, "%s syncprov_op_search: "
+						"consumer not within recorded mincsn for DB's mincsn=%s\n",
+						op->o_log_prefix, a->a_vals[i].bv_val );
+					rs->sr_err = LDAP_SYNC_REFRESH_REQUIRED;
+					rs->sr_text = "sync cookie is stale";
+					slap_sl_free( minsids, op->o_tmpmemctx );
+					overlay_entry_release_ov( op, e, 0, on );
+					goto bailout;
+				}
+				slap_sl_free( minsids, op->o_tmpmemctx );
+			}
+			if ( e != NULL )
+				overlay_entry_release_ov( op, e, 0, on );
 		}
+
 		/*
 		 * If sessionlog wasn't useful, see if we can find at least one entry
 		 * that hasn't changed based on the cookie.
@@ -3793,6 +3837,10 @@
 		break;
 	case SP_USEHINT:
 		si->si_usehint = c->value_int;
+		if ( si->si_usehint ) {
+			/* Consider we might be a delta provider, but it's ok if not */
+			(void)syncprov_setup_accesslog();
+		}
 		break;
 	case SP_LOGDB:
 		if ( si->si_logs ) {
@@ -4137,6 +4185,8 @@
 			ber_bvarray_free( si->si_ctxcsn );
 		if ( si->si_sids )
 			ch_free( si->si_sids );
+		if ( si->si_logbase.bv_val )
+			ch_free( si->si_logbase.bv_val );
 		ldap_pvt_thread_mutex_destroy( &si->si_resp_mutex );
 		ldap_pvt_thread_mutex_destroy( &si->si_mods_mutex );
 		ldap_pvt_thread_mutex_destroy( &si->si_ops_mutex );
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/translucent.c openldap-2.5.13+dfsg/servers/slapd/overlays/translucent.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/translucent.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/translucent.c	2022-07-14 17:09:57.000000000 +0000
@@ -1439,7 +1439,7 @@
 			backend_stopdown_one( &ov->db );
 		}
 
-		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcl_mutex );
+		ldap_pvt_thread_mutex_destroy( &ov->db.be_pcsn_st.be_pcsn_mutex );
 		ch_free(ov);
 		on->on_bi.bi_private = NULL;
 	}
diff -Nru openldap-2.5.12+dfsg/servers/slapd/overlays/unique.c openldap-2.5.13+dfsg/servers/slapd/overlays/unique.c
--- openldap-2.5.12+dfsg/servers/slapd/overlays/unique.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/overlays/unique.c	2022-07-14 17:09:57.000000000 +0000
@@ -1225,13 +1225,15 @@
 		return rc;
 	}
 
-	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
-			get_relax(op) > SLAP_CONTROL_IGNORED
-			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
-			&& e
-			&& access_allowed( op, e,
-				slap_schema.si_ad_entry, NULL,
-				ACL_MANAGE, NULL ) ) ) {
+	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
+		return rc;
+	}
+	if ( get_relax(op) > SLAP_CONTROL_IGNORED
+		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
+		&& e
+		&& access_allowed( op, e,
+			slap_schema.si_ad_entry, NULL,
+			ACL_MANAGE, NULL ) ) {
 		overlay_entry_release_ov( op, e, 0, on );
 		return rc;
 	}
@@ -1363,13 +1365,15 @@
 	Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
 		op->o_req_dn.bv_val, op->orr_newrdn.bv_val );
 
-	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) || (
-			get_relax(op) > SLAP_CONTROL_IGNORED
-			&& overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
-			&& e
-			&& access_allowed( op, e,
-				slap_schema.si_ad_entry, NULL,
-				ACL_MANAGE, NULL ) ) ) {
+	if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) {
+		return rc;
+	}
+	if ( get_relax(op) > SLAP_CONTROL_IGNORED
+		&& overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on ) == LDAP_SUCCESS
+		&& e
+		&& access_allowed( op, e,
+			slap_schema.si_ad_entry, NULL,
+			ACL_MANAGE, NULL ) ) {
 		overlay_entry_release_ov( op, e, 0, on );
 		return rc;
 	}
diff -Nru openldap-2.5.12+dfsg/servers/slapd/slap.h openldap-2.5.13+dfsg/servers/slapd/slap.h
--- openldap-2.5.12+dfsg/servers/slapd/slap.h	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/slap.h	2022-07-14 17:09:57.000000000 +0000
@@ -1786,7 +1786,13 @@
 
 LDAP_STAILQ_HEAD( slap_sync_cookie_s, sync_cookie );
 
-LDAP_TAILQ_HEAD( be_pcl, slap_csn_entry );
+/* Defs for pending_csn_list */
+LDAP_TAILQ_HEAD( be_pclh, slap_csn_entry );
+
+typedef struct be_pcsn {
+	struct be_pclh			be_pcsn_list;
+	ldap_pvt_thread_mutex_t	be_pcsn_mutex;
+} be_pcsn;
 
 #ifndef SLAP_MAX_CIDS
 #define	SLAP_MAX_CIDS	32	/* Maximum number of supported controls */
@@ -1990,8 +1996,8 @@
 	/* Consumer Information */
 	struct berval be_update_ndn;	/* allowed to make changes (in replicas) */
 	BerVarray	be_update_refs;	/* where to refer modifying clients to */
-	struct		be_pcl	*be_pending_csn_list;
-	ldap_pvt_thread_mutex_t					be_pcl_mutex;
+	be_pcsn	be_pcsn_st;			/* be_pending_csn_list now inside this */
+	be_pcsn	*be_pcsn_p;
 	struct syncinfo_s						*be_syncinfo; /* For syncrepl */
 
 	void    *be_pb;         /* Netscape plugin */
diff -Nru openldap-2.5.12+dfsg/servers/slapd/syncrepl.c openldap-2.5.13+dfsg/servers/slapd/syncrepl.c
--- openldap-2.5.12+dfsg/servers/slapd/syncrepl.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/servers/slapd/syncrepl.c	2022-07-14 17:09:57.000000000 +0000
@@ -3107,10 +3107,8 @@
 				ch_free( bvals );
 				goto done;
 			}
-			ber_dupbv( &op->o_req_dn, &dn );
-			ber_dupbv( &op->o_req_ndn, &ndn );
-			slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
-			slap_sl_free( dn.bv_val, op->o_tmpmemctx );
+			op->o_req_dn = dn;
+			op->o_req_ndn = ndn;
 			freeReqDn = 1;
 		} else if ( !ber_bvstrcasecmp( &bv, &ls->ls_req ) ) {
 			int i = verb_to_mask( bvals[0].bv_val, modops );
@@ -3220,9 +3218,8 @@
 		if ( op->o_tag == LDAP_REQ_ADD ) {
 			Entry *e = entry_alloc();
 			op->ora_e = e;
-			op->ora_e->e_name = op->o_req_dn;
-			op->ora_e->e_nname = op->o_req_ndn;
-			freeReqDn = 0;
+			ber_dupbv( &op->ora_e->e_name, &op->o_req_dn );
+			ber_dupbv( &op->ora_e->e_nname, &op->o_req_ndn );
 			rc = slap_mods2entry( modlist, &op->ora_e, 1, 0, &text, txtbuf, textlen);
 			if( rc != LDAP_SUCCESS ) {
 				Debug( LDAP_DEBUG_ANY, "syncrepl_message_to_op: %s "
@@ -3353,8 +3350,8 @@
 		}
 	}
 	if ( freeReqDn ) {
-		ch_free( op->o_req_ndn.bv_val );
-		ch_free( op->o_req_dn.bv_val );
+		op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
+		op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 	}
 	ber_free( ber, 0 );
 	return rc;
diff -Nru openldap-2.5.12+dfsg/tests/data/slapd-deltasync-provider.conf openldap-2.5.13+dfsg/tests/data/slapd-deltasync-provider.conf
--- openldap-2.5.12+dfsg/tests/data/slapd-deltasync-provider.conf	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/tests/data/slapd-deltasync-provider.conf	2022-07-14 17:09:57.000000000 +0000
@@ -29,6 +29,10 @@
 #accesslogmod#modulepath ../servers/slapd/overlays/
 #accesslogmod#moduleload accesslog.la
 
+database	config
+include		@TESTDIR@/configpw.conf
+
+
 #######################################################################
 # provider database definitions
 #######################################################################
diff -Nru openldap-2.5.12+dfsg/tests/progs/Makefile.in openldap-2.5.13+dfsg/tests/progs/Makefile.in
--- openldap-2.5.12+dfsg/tests/progs/Makefile.in	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/tests/progs/Makefile.in	2022-07-14 17:09:57.000000000 +0000
@@ -56,7 +56,7 @@
 slapd-bind: slapd-bind.o $(OBJS) $(XLIBS)
 	$(LTLINK) -o $@ slapd-bind.o $(OBJS) $(LIBS)
 
-ldif-filter: ldif-filter.o $(XLIBS)
+ldif-filter: ldif-filter.o $(OBJS) $(XLIBS)
 	$(LTLINK) -o $@ ldif-filter.o $(OBJS) $(LIBS)
 
 slapd-mtread: slapd-mtread.o $(OBJS) $(XLIBS)
diff -Nru openldap-2.5.12+dfsg/tests/progs/slapd-watcher.c openldap-2.5.13+dfsg/tests/progs/slapd-watcher.c
--- openldap-2.5.12+dfsg/tests/progs/slapd-watcher.c	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/tests/progs/slapd-watcher.c	2022-07-14 17:09:57.000000000 +0000
@@ -139,12 +139,13 @@
 		"[-x | -Y <SASL mech>] "
 		"[-i <interval>] "
 		"[-s <sids>] "
+		"[-c <contextDN>] "
 		"[-b <baseDN> ] URI[...]\n",
 		name );
 	exit( EXIT_FAILURE );
 }
 
-struct berval base;
+struct berval base, cbase;
 int interval = 10;
 int numservers;
 server *servers;
@@ -509,9 +510,9 @@
 		}
 		ldap_msgfree( res );
 
-		if ( base.bv_val ) {
+		if ( cbase.bv_val ) {
 			char *attr2[] = { at_contextCSN.bv_val, NULL };
-			rc = ldap_search_ext_s( ld, base.bv_val, LDAP_SCOPE_BASE, "(objectClass=*)",
+			rc = ldap_search_ext_s( ld, cbase.bv_val, LDAP_SCOPE_BASE, "(objectClass=*)",
 				attr2, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &res );
 			switch(rc) {
 			case LDAP_SUCCESS:
@@ -573,11 +574,17 @@
 	config = tester_init( "slapd-watcher", TESTER_TESTER );
 	config->authmethod = LDAP_AUTH_SIMPLE;
 
-	while ( ( i = getopt( argc, argv, "D:O:R:U:X:Y:b:d:i:s:w:x" ) ) != EOF )
+	while ( ( i = getopt( argc, argv, "D:O:R:U:X:Y:b:c:d:i:s:w:x" ) ) != EOF )
 	{
 		switch ( i ) {
-		case 'b':		/* base DN for contextCSN lookups */
+		case 'b':		/* base DN for DB entrycount lookups */
 			ber_str2bv( optarg, 0, 0, &base );
+			if ( !cbase.bv_val )
+				cbase = base;
+			break;
+
+		case 'c':		/* base DN for contextCSN lookups */
+			ber_str2bv( optarg, 0, 0, &cbase );
 			break;
 
 		case 'i':
@@ -628,7 +635,7 @@
 		monfilter = MONFILTER;
 	}
 
-	if ( numservers > 1 ) {
+	if ( sids || numservers > 1 ) {
 		for ( i=0; i<numservers; i++ )
 			if ( sids )
 				servers[i].sid = atoi(sids[i]);
@@ -693,7 +700,7 @@
 				}
 				if (( servers[i].flags & HAS_BASE ) && !msg2[i] ) {
 					char *attrs[2] = { at_contextCSN.bv_val };
-					rc = ldap_search_ext( ld, base.bv_val,
+					rc = ldap_search_ext( ld, cbase.bv_val,
 						LDAP_SCOPE_BASE, "(objectClass=*)",
 						attrs, 0, NULL, NULL, NULL, LDAP_NO_LIMIT, &msg2[i] );
 					if ( rc != LDAP_SUCCESS ) {
diff -Nru openldap-2.5.12+dfsg/tests/scripts/test020-proxycache openldap-2.5.13+dfsg/tests/scripts/test020-proxycache
--- openldap-2.5.12+dfsg/tests/scripts/test020-proxycache	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/tests/scripts/test020-proxycache	2022-07-14 17:09:57.000000000 +0000
@@ -40,6 +40,11 @@
 	exit 0
 fi
 
+if test $BACKEND = wt ; then
+	echo "Test does not support $BACKEND backend, test skipped"
+	exit 0
+fi
+
 mkdir -p $TESTDIR $DBDIR1 $DBDIR2
 
 # Test proxy caching:
diff -Nru openldap-2.5.12+dfsg/tests/scripts/test043-delta-syncrepl openldap-2.5.13+dfsg/tests/scripts/test043-delta-syncrepl
--- openldap-2.5.12+dfsg/tests/scripts/test043-delta-syncrepl	2022-05-04 14:57:30.000000000 +0000
+++ openldap-2.5.13+dfsg/tests/scripts/test043-delta-syncrepl	2022-07-14 17:09:57.000000000 +0000
@@ -34,6 +34,8 @@
 
 SPEC="mdb=a"
 
+$SLAPPASSWD -g -n >$CONFIGPWF
+echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
 #
 # Test replication:
 # - start provider
@@ -129,6 +131,7 @@
 
 echo "Stopping the provider, sleeping 10 seconds and restarting it..."
 kill -HUP "$PID"
+wait $PID
 sleep 10
 echo "RESTART" >> $LOG1
 $SLAPD -f $CONF1 -h $URI1 -d $LVL >> $LOG1 2>&1 &
@@ -296,7 +299,8 @@
 
 echo "Stopping consumer to test recovery..."
 kill -HUP $CONSUMERPID
-sleep 10
+wait $CONSUMERPID
+KILLPIDS="$PID"
 
 echo "Modifying more entries on the provider..."
 $LDAPMODIFY -v -D "$BJORNSDN" -H $URI1 -w bjorn >> \
@@ -368,6 +372,144 @@
 
 echo "Using ldapsearch to read all the entries from the provider..."
 $LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
+	'objectclass=*' \* + > $PROVIDEROUT 2>&1
+RC=$?
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed at provider ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Using ldapsearch to read all the entries from the consumer..."
+$LDAPSEARCH -S "" -b "$BASEDN" -H $URI2 \
+	'objectclass=*' \* + > $CONSUMEROUT 2>&1
+RC=$?
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed at consumer ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Filtering provider results..."
+$LDIFFILTER -b $BACKEND -s $SPEC < $PROVIDEROUT | grep -iv "^auditcontext:" > $PROVIDERFLT
+echo "Filtering consumer results..."
+$LDIFFILTER -b $BACKEND -s $SPEC < $CONSUMEROUT | grep -iv "^auditcontext:" > $CONSUMERFLT
+
+echo "Comparing retrieved entries from provider and consumer..."
+$CMP $PROVIDERFLT $CONSUMERFLT > $CMPOUT
+
+if test $? != 0 ; then
+	echo "test failed - provider and consumer databases differ"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Stopping consumer to test recovery after logpurge expired..."
+kill -HUP $CONSUMERPID
+wait $CONSUMERPID
+KILLPIDS="$PID"
+
+echo "Modifying even more entries on the provider..."
+$LDAPMODIFY -v -D "$BJORNSDN" -H $URI1 -w bjorn >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: delete
+
+dn: cn=Bjorn Jensen, ou=Information Technology Division, ou=People, dc=example,dc=com
+changetype: modify
+add: drink
+drink: Sangria
+
+dn: cn=George D. Stevens, ou=Retired, ou=People, dc=example,dc=com
+changetype: add
+objectclass: OpenLDAPperson
+sn: Stevens
+uid: gstevens
+cn: George D. Stevens
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,
+ dc=com
+changetype: modify
+replace: drink
+drink: cold water
+
+dn: cn=Some Staff,ou=Groups,dc=example,dc=com
+changetype: modrdn
+newrdn: cn=More Staff
+deleteoldrdn: 1
+
+EOMODS
+
+echo "Configuring logpurge of 1 second..."
+$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
+	$TESTOUT 2>&1 << EOMODS
+
+dn: olcOverlay={1}accesslog,olcDatabase={2}$BACKEND,cn=config
+changetype: modify
+replace: olcAccessLogPurge
+olcAccessLogPurge: 0+00:00:02 0+00:00:01
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Waiting 4 seconds for accesslog to be purged..."
+sleep 4
+
+echo "Using ldapsearch to check if accesslog is empty..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -b "cn=log" -H $URI1 -z 1 \
+		> $SEARCHOUT 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 3 seconds for accesslog to be purged..."
+	sleep 3
+done
+
+if test $RC != 0; then
+	echo "Accesslog did not purge in time"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+
+echo "Restarting consumer..."
+echo "RESTART" >> $LOG2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL >> $LOG2 2>&1 &
+CONSUMERPID=$!
+if test $WAIT != 0 ; then
+	echo CONSUMERPID $CONSUMERPID
+	read foo
+fi
+KILLPIDS="$PID $CONSUMERPID"
+
+echo "Waiting $SLEEP1 seconds for syncrepl to reschedule (ITS#9878) and poking it..."
+sleep $SLEEP1
+
+$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+    'objectclass=*' > /dev/null 2>&1
+RC=$?
+
+if test $RC != 0; then
+	echo "ldapsearch failed at consumer ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..."
+sleep $SLEEP1
+
+echo "Using ldapsearch to read all the entries from the provider..."
+$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \
 	'objectclass=*' \* + > $PROVIDEROUT 2>&1
 RC=$?