summaryrefslogtreecommitdiffstats
path: root/contrib/slapd-modules/emptyds
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--contrib/slapd-modules/emptyds/Makefile78
-rw-r--r--contrib/slapd-modules/emptyds/README66
-rw-r--r--contrib/slapd-modules/emptyds/emptyds.c325
-rw-r--r--contrib/slapd-modules/emptyds/slapo-emptyds.568
-rw-r--r--contrib/slapd-modules/emptyds/tests/Rules.mk23
-rw-r--r--contrib/slapd-modules/emptyds/tests/data/emptyds.conf54
-rw-r--r--contrib/slapd-modules/emptyds/tests/data/test001.ldif71
-rw-r--r--contrib/slapd-modules/emptyds/tests/data/test001.out54
-rwxr-xr-xcontrib/slapd-modules/emptyds/tests/run218
-rwxr-xr-xcontrib/slapd-modules/emptyds/tests/scripts/all92
-rwxr-xr-xcontrib/slapd-modules/emptyds/tests/scripts/test001-emptyds137
11 files changed, 1186 insertions, 0 deletions
diff --git a/contrib/slapd-modules/emptyds/Makefile b/contrib/slapd-modules/emptyds/Makefile
new file mode 100644
index 0000000..654f856
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/Makefile
@@ -0,0 +1,78 @@
+# $OpenLDAP$
+# This work is part of OpenLDAP Software <http://www.openldap.org/>.
+#
+# Copyright 1998-2022 The OpenLDAP Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted only as authorized by the OpenLDAP
+# Public License.
+#
+# A copy of this license is available in the file LICENSE in the
+# top-level directory of the distribution or, alternatively, at
+# <http://www.OpenLDAP.org/license.html>.
+
+LDAP_SRC = ../../..
+LDAP_BUILD = $(LDAP_SRC)
+SRCDIR = ./
+LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd
+LDAP_LIB = $(LDAP_BUILD)/libraries/libldap/libldap.la \
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+LIBTOOL = $(LDAP_BUILD)/libtool
+INSTALL = /usr/bin/install
+CC = gcc
+OPT = -g -O2
+DEFS = -DSLAPD_OVER_EDS=SLAPD_MOD_DYNAMIC
+INCS = $(LDAP_INC)
+LIBS = $(LDAP_LIB)
+
+PROGRAMS = emptyds.la
+MANPAGES = slapo-emptyds.5
+CLEAN = *.o *.lo *.la .libs
+LTVER = 0:0:0
+
+prefix=/usr/local
+exec_prefix=$(prefix)
+ldap_subdir=/openldap
+
+libdir=$(exec_prefix)/lib
+libexecdir=$(exec_prefix)/libexec
+moduledir = $(libexecdir)$(ldap_subdir)
+mandir = $(exec_prefix)/share/man
+man5dir = $(mandir)/man5
+
+all: $(PROGRAMS)
+
+d :=
+sp :=
+dir := tests
+include $(dir)/Rules.mk
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+all: $(PROGRAMS)
+
+emptyds.la: emptyds.lo
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+clean:
+ rm -rf $(CLEAN)
+
+install: install-lib install-man FORCE
+
+install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
+install-man: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(man5dir)
+ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
+
+FORCE:
+
diff --git a/contrib/slapd-modules/emptyds/README b/contrib/slapd-modules/emptyds/README
new file mode 100644
index 0000000..914d4e7
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/README
@@ -0,0 +1,66 @@
+emptyds Overlay README
+
+DESCRIPTION
+ This package contains an OpenLDAP overlay called "emptyds" (empty
+ directory string) that eliminates empty values of type directory string
+ (OID 1.3.6.1.4.1.1466.115.121.1.15) from the list of the values in the
+ following manner:
+
+ - add: All empty attribute values will be removed before the add request
+ is executed
+ - mod-replace: A replace with empty values will be modified to a replace
+ without values. As result the attribute will be deleted
+ - mod-add: All empty attribute values will be removed before the mod-add
+ request is executed
+ - mod-delete: All empty attribute values will be removed before the
+ mod-delete request is executed
+
+ If removing all empty values from a modification makes it a no-op, that
+ modification is removed from the list.
+
+ At module load time the emptyds overlay manipulates the syntax checking
+ so that it intercepts the syntax check and allows empty values for
+ attributes of type directory string only. Non-empty values continue to
+ go through the normal check routines. It is therefore very important to
+ configure the overlays in a way that ensures that the emptyds overlay gets
+ the control over the operation before any other overlay. Otherwise it
+ could come to the situation with empty attribute values in the data base.
+
+ David Hawes' addpartial overlay has been used as starting point for this
+ overlay.
+
+BUILDING
+ A Makefile is included, please set your LDAP_SRC directory properly.
+
+INSTALLATION
+ After compiling the emptyds overlay, add the following to your
+ slapd.conf:
+
+ ### slapd.conf
+ ...
+ moduleload emptyds.la
+ ...
+ overlay emptyds
+ ...
+ # before database directive...
+ # this overlay must be the last overlay in the config file to ensure that
+ # requests are modified before other overlays get them.
+ ...
+ ### end slapd.conf
+
+CAVEATS
+ - In order to ensure that emptyds does what it needs to do, it must be
+ the last overlay configured so it will run before the other overlays.
+
+---
+Copyright 2014-2022 The OpenLDAP Foundation.
+Portions Copyright (C) DAASI International GmbH, Tamim Ziai.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted only as authorized by the OpenLDAP
+Public License.
+
+A copy of this license is available in file LICENSE in the
+top-level directory of the distribution or, alternatively, at
+http://www.OpenLDAP.org/license.html.
diff --git a/contrib/slapd-modules/emptyds/emptyds.c b/contrib/slapd-modules/emptyds/emptyds.c
new file mode 100644
index 0000000..bb3202e
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/emptyds.c
@@ -0,0 +1,325 @@
+/* emptyds.c */
+/* $OpenLDAP$ */
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 2014-2022 The OpenLDAP Foundation.
+ * Portions Copyright (C) 2014 DAASI International GmbH, Tamim Ziai.
+ * Portions Copyright (C) 2022 Ondřej Kuzník, Symas Corporation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * http://www.OpenLDAP.org/license.html.
+ */
+/* ACKNOLEDGEDMENTS:
+ * This work was initially developed by Tamim Ziai of DAASI International GmbH
+ * for inclusion in OpenLDAP Software.
+ */
+/* slapo-emptyds
+ *
+ * This is an OpenLDAP overlay that accepts empty strings as attribute values
+ * without syntax violation but never actually stores them. This allows
+ * applications that used to work with LDAP implementations allowing empty
+ * strings (such as Novel eDirectory) to continue to work with OpenLDAP without
+ * any modifications. Add and modify change types will be proceeded as follows,
+ * other operations will be forwarded without modifications:
+ *
+ * changeType: add changeType: add
+ * sn: <empty> --> sn: blah
+ * sn: blah
+ *
+ * changeType: modify changeType: modify
+ * add: sn --> add: sn
+ * sn: <empty> sn: blah
+ * sn: blah
+ *
+ * changeType: modify changeType: modify
+ * delete: sn --> delete: sn
+ * sn: <empty> sn: blah
+ * sn: blah
+ *
+ * changeType: modify changeType: modify
+ * replace: sn --> replace: sn
+ * sn: <empty>
+ *
+ */
+
+#include "portable.h"
+#include "slap.h"
+
+static slap_overinst emptyds;
+
+static const char ds_oid[] = "1.3.6.1.4.1.1466.115.121.1.15";
+
+static slap_syntax_validate_func *ssyn_validate_original = NULL;
+static slap_syntax_transform_func *ssyn_pretty_original = NULL;
+static int emptyds_instances = 0;
+
+static unsigned int
+remove_empty_values( Modification *m, Attribute *a )
+{
+ BerVarray vals = m ? m->sm_values : a->a_vals,
+ nvals = m ? m->sm_nvalues : a->a_nvals;
+ unsigned int i, j, numvals = m ? m->sm_numvals : a->a_numvals;
+
+ for ( i = 0; i < numvals && !BER_BVISEMPTY( &vals[i] ); i++ )
+ /* Find first empty */;
+
+ if ( i == numvals ) return i;
+
+ /*
+ * We have an empty value at index i, move all of them to the end of the
+ * list, preserving the order of non-empty values.
+ */
+ j = i + 1;
+ for ( j = i + 1; j < numvals; j++ ) {
+ struct berval tmp;
+
+ if ( BER_BVISEMPTY( &vals[j] ) ) continue;
+
+ tmp = vals[i];
+ vals[i] = vals[j];
+ vals[j] = tmp;
+
+ if ( nvals && vals != nvals ) {
+ tmp = nvals[i];
+ nvals[i] = nvals[j];
+ nvals[j] = tmp;
+ }
+
+ if ( m && a && m->sm_values != a->a_vals ) {
+ tmp = a->a_vals[i];
+ a->a_vals[i] = a->a_vals[j];
+ a->a_vals[j] = tmp;
+
+ if ( a->a_nvals && a->a_vals != a->a_nvals ) {
+ tmp = a->a_nvals[i];
+ a->a_nvals[i] = a->a_nvals[j];
+ a->a_nvals[j] = tmp;
+ }
+ }
+ i++;
+ }
+
+ /* Free empty vals */
+ for ( ; j && i < j--; ) {
+ ber_memfree( vals[j].bv_val );
+ if ( nvals && vals != nvals ) {
+ ber_memfree( nvals[j].bv_val );
+ BER_BVZERO( &nvals[j] );
+ }
+
+ if ( m && a && m->sm_values != a->a_vals ) {
+ if ( m->sm_values[j].bv_val != a->a_vals[j].bv_val ) {
+ ber_memfree( a->a_vals[j].bv_val );
+ BER_BVZERO( &a->a_vals[j] );
+
+ if ( a->a_nvals && a->a_vals != a->a_nvals ) {
+ ber_memfree( a->a_nvals[j].bv_val );
+ BER_BVZERO( &a->a_nvals[j] );
+ }
+ }
+ }
+ BER_BVZERO( &vals[j] );
+ }
+
+ return i;
+}
+
+/**
+ * Remove all operations with empty strings.
+ */
+static int
+emptyds_op_add( Operation *op, SlapReply *rs )
+{
+ Attribute **ap, **nexta, *a;
+ Modifications **mlp, **nextp = NULL, *ml;
+ Entry *e = op->ora_e;
+
+ /*
+ * op->ora_modlist can be NULL, at least accesslog doesn't always populate
+ * it on an add.
+ */
+ for ( ap = &e->e_attrs, a = e->e_attrs, mlp = &op->ora_modlist,
+ ml = op->ora_modlist;
+ a != NULL;
+ ap = nexta, a = *ap, mlp = nextp, ml = ml ? *mlp : NULL ) {
+ AttributeType *at = a->a_desc->ad_type;
+ unsigned int remaining;
+
+ nexta = &a->a_next;
+ if ( ml ) {
+ nextp = &ml->sml_next;
+ }
+
+ if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
+ at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
+ continue;
+
+ remaining = remove_empty_values( &ml->sml_mod, a );
+ if ( remaining == a->a_numvals ) continue;
+ /* Empty values found */
+
+ if ( !remaining ) {
+ /* All values are empty */
+ *ap = a->a_next;
+ a->a_next = NULL;
+ nexta = ap;
+
+ if ( ml ) {
+ *mlp = ml->sml_next;
+ ml->sml_next = NULL;
+ nextp = mlp;
+ /* Values are generally shared with attribute */
+ slap_mods_free( ml, ml->sml_values != a->a_vals );
+ }
+ attr_free( a );
+ } else {
+ a->a_numvals = remaining;
+ if ( ml ) {
+ ml->sml_mod.sm_numvals = remaining;
+ }
+ }
+ }
+
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+emptyds_op_modify( Operation *op, SlapReply *rs )
+{
+ Modifications **mlp, **nextp, *ml;
+
+ for ( mlp = &op->orm_modlist, ml = op->orm_modlist; ml != NULL;
+ mlp = nextp, ml = *mlp ) {
+ AttributeType *at = ml->sml_desc->ad_type;
+ unsigned int remaining;
+
+ nextp = &ml->sml_next;
+
+ if ( at->sat_syntax != slap_schema.si_syn_directoryString ||
+ at->sat_atype.at_usage != LDAP_SCHEMA_USER_APPLICATIONS )
+ continue;
+
+ remaining = remove_empty_values( &ml->sml_mod, NULL );
+ if ( remaining == ml->sml_numvals ) continue;
+
+ if ( !remaining ) {
+ /* All values are empty */
+ if ( ml->sml_op == LDAP_MOD_REPLACE ) {
+ /* Replace is kept */
+ if ( ml->sml_nvalues && ml->sml_nvalues != ml->sml_values ) {
+ ber_bvarray_free( ml->sml_nvalues );
+ }
+ if ( ml->sml_values ) {
+ ber_bvarray_free( ml->sml_values );
+ }
+
+ ml->sml_numvals = 0;
+ ml->sml_values = NULL;
+ ml->sml_nvalues = NULL;
+ } else {
+ /* Remove modification */
+ *mlp = ml->sml_next;
+ ml->sml_next = NULL;
+ nextp = mlp;
+ slap_mods_free( ml, 1 );
+ }
+ } else {
+ ml->sml_numvals = remaining;
+ }
+ }
+
+ return SLAP_CB_CONTINUE;
+}
+
+static int
+emptyds_ssyn_validate( Syntax *syntax, struct berval *in )
+{
+ if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
+ return LDAP_SUCCESS;
+ }
+ return ssyn_validate_original( syntax, in );
+}
+
+static int
+emptyds_ssyn_pretty( Syntax *syntax,
+ struct berval *in,
+ struct berval *out,
+ void *memctx )
+{
+ if ( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
+ return LDAP_SUCCESS;
+ }
+ return ssyn_pretty_original( syntax, in, out, memctx );
+}
+
+static int
+emptyds_db_init( BackendDB *be, ConfigReply *cr )
+{
+ Syntax *syntax = syn_find( ds_oid );
+
+ if ( syntax == NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
+ "Syntax %s not found\n",
+ ds_oid );
+ } else {
+ Debug( LDAP_DEBUG_TRACE, "emptyds_db_init: "
+ "Found syntax: %s\n",
+ syntax->ssyn_bvoid.bv_val );
+ if ( ssyn_validate_original == NULL && syntax->ssyn_validate != NULL ) {
+ ssyn_validate_original = syntax->ssyn_validate;
+ syntax->ssyn_validate = emptyds_ssyn_validate;
+ }
+ if ( ssyn_pretty_original == NULL && syntax->ssyn_pretty != NULL ) {
+ ssyn_pretty_original = syntax->ssyn_pretty;
+ syntax->ssyn_pretty = &emptyds_ssyn_pretty;
+ }
+ }
+
+ emptyds_instances++;
+ return LDAP_SUCCESS;
+}
+
+static int
+emptyds_db_destroy( BackendDB *be, ConfigReply *cr )
+{
+ Syntax *syntax = syn_find( ds_oid );
+
+ if ( --emptyds_instances == 0 && syntax != NULL ) {
+ if ( syntax->ssyn_validate == emptyds_ssyn_validate ) {
+ syntax->ssyn_validate = ssyn_validate_original;
+ }
+ ssyn_validate_original = NULL;
+
+ if ( syntax->ssyn_pretty == emptyds_ssyn_pretty ) {
+ syntax->ssyn_pretty = ssyn_pretty_original;
+ }
+ ssyn_pretty_original = NULL;
+ }
+
+ assert( emptyds_instances >= 0 );
+ return LDAP_SUCCESS;
+}
+
+int
+emptyds_init()
+{
+ emptyds.on_bi.bi_type = "emptyds";
+ emptyds.on_bi.bi_op_add = emptyds_op_add;
+ emptyds.on_bi.bi_op_modify = emptyds_op_modify;
+ emptyds.on_bi.bi_db_init = emptyds_db_init;
+ emptyds.on_bi.bi_db_destroy = emptyds_db_destroy;
+
+ return overlay_register( &emptyds );
+}
+
+int
+init_module( int argc, char *argv[] )
+{
+ return emptyds_init();
+}
diff --git a/contrib/slapd-modules/emptyds/slapo-emptyds.5 b/contrib/slapd-modules/emptyds/slapo-emptyds.5
new file mode 100644
index 0000000..75b1059
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/slapo-emptyds.5
@@ -0,0 +1,68 @@
+.TH SLAPO-EDS 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2022 The OpenLDAP Foundation, All Rights Reserved.
+.\" Copyright 2018 Tamim Ziai
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo-emptyds \- Remove Empty values from Directory String attributes
+Overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+Some non-conformant clients will provide empty values for Directory String
+attributes with certain operations. This overlay makes empty values acceptable
+for the Directory String syntax and will adjust all operations to make sure
+these values are never actually stored in the database.
+.LP
+.nf
+.ft tt
+ dn: cn=alex,cn=people,dc=example,dc=org
+ changeType: add changeType: add
+ sn: <empty> --> sn: blah
+ sn: blah
+
+ dn: cn=alex,cn=people,dc=example,dc=org
+ changeType: modify changeType: modify
+ add: sn --> add: sn
+ sn: <empty> sn: blah
+ sn: blah
+
+ dn: cn=alex,cn=people,dc=example,dc=org
+ changeType: modify changeType: modify
+ delete: sn --> delete: sn
+ sn: <empty> sn: blah
+ sn: blah
+
+ dn: cn=alex,cn=people,dc=example,dc=org
+ changeType: modify changeType: modify
+ replace: sn --> replace: sn
+ sn: <empty>
+
+ dn: cn=alex,cn=people,dc=example,dc=org
+ changeType: modify changeType: modify
+ replace: sn --> replace: sn
+ sn: <empty> sn: blah
+ sn: blah
+.ft
+.fi
+.LP
+.SH CONFIGURATION
+This overlay has no specific configuration, however in order to ensure that it
+does what it needs to do, it should be the last overlay configured so it will
+run before the other overlays.
+.SH EXAMPLES
+.LP
+.RS
+.nf
+overlay emptyds
+.RE
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5).
+.SH ACKNOWLEDGEMENTS
+This module was written in 2014 by Tamim Ziai for DAASI International and
+updated in 2022 by Ondřej Kuzník for inclusion in the OpenLDAP project.
+.so ../Project
diff --git a/contrib/slapd-modules/emptyds/tests/Rules.mk b/contrib/slapd-modules/emptyds/tests/Rules.mk
new file mode 100644
index 0000000..c25c1d2
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/Rules.mk
@@ -0,0 +1,23 @@
+sp := $(sp).x
+dirstack_$(sp) := $(d)
+d := $(dir)
+
+.PHONY: test
+
+CLEAN += clients servers tests/progs tests/schema tests/testdata tests/testrun
+
+test: all clients servers tests/progs
+
+test:
+ cd tests; \
+ SRCDIR=$(abspath $(LDAP_SRC)) \
+ LDAP_BUILD=$(abspath $(LDAP_BUILD)) \
+ TOPDIR=$(abspath $(SRCDIR)) \
+ LIBTOOL=$(abspath $(LIBTOOL)) \
+ $(abspath $(SRCDIR))/tests/run all
+
+servers clients tests/progs:
+ ln -s $(abspath $(LDAP_BUILD))/$@ $@
+
+d := $(dirstack_$(sp))
+sp := $(basename $(sp))
diff --git a/contrib/slapd-modules/emptyds/tests/data/emptyds.conf b/contrib/slapd-modules/emptyds/tests/data/emptyds.conf
new file mode 100644
index 0000000..221fe81
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/data/emptyds.conf
@@ -0,0 +1,54 @@
+# basic slapd config -- for testing of slapo-emptyds
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/openldap.schema
+include @SCHEMADIR@/nis.schema
+include @DATADIR@/test.schema
+#
+pidfile @TESTDIR@/slapd.1.pid
+argsfile @TESTDIR@/slapd.1.args
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+#accesslogmod#modulepath ../servers/slapd/overlays/
+#accesslogmod#moduleload accesslog.la
+moduleload ../emptyds.la
+
+database @BACKEND@
+suffix "dc=example,dc=com"
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+#~null~#directory @TESTDIR@/db.1.a
+
+overlay accesslog
+logdb cn=log
+logops writes
+logsuccess true
+
+overlay emptyds
+
+database @BACKEND@
+suffix "cn=log"
+rootdn "cn=Manager,dc=example,dc=com"
+#~null~#directory @TESTDIR@/db.1.b
+
+## This one makes no difference except we want to make sure we can
+## safely instantiate the overlay on multiple databases
+overlay emptyds
+
+database monitor
diff --git a/contrib/slapd-modules/emptyds/tests/data/test001.ldif b/contrib/slapd-modules/emptyds/tests/data/test001.ldif
new file mode 100644
index 0000000..b7f289a
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/data/test001.ldif
@@ -0,0 +1,71 @@
+# slapd prevents us from adding the same value multiple times
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+add: description
+description: one
+description:
+description: two
+description: three
+description: four
+# a space is distinct from an empty value
+description:: ICAg
+-
+replace: drink
+drink: Earl Grey, hot
+-
+delete: description
+description:
+-
+replace: drink
+drink: Earl Grey, hot
+
+# there is no such restriction on deletes, so we exercise this part of the overlay here
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+delete: description
+description:
+description: four
+description:
+description: three
+description: two
+description:
+description:
+description: one
+description:
+-
+add: description
+description:
+
+dn: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modify
+replace: drink
+drink:
+
+dn: cn=All Staff,ou=Groups,dc=example,dc=com
+changetype: modify
+delete: member
+-
+add: member
+# an empty DN should not be stripped
+member:
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com
+
+dn: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
+changetype: add
+objectclass: testPerson
+cn: Gern Jensen
+sn: Jensen
+uid: gjensen
+title:
+postaladdress: ITD $ 535 W. William St $ Anytown, MI 48103
+seealso: cn=All Staff,ou=Groups,dc=example,dc=com
+drink: Coffee
+homepostaladdress: 844 Brown St. Apt. 4 $ Anytown, MI 48104
+description: Very odd
+description:
+description: More than you think
+facsimiletelephonenumber: +1 313 555 7557
+telephonenumber: +1 313 555 8343
+mail: gjensen@mailgw.example.com
+homephone: +1 313 555 8844
+testTime: 20050304001801.234Z
diff --git a/contrib/slapd-modules/emptyds/tests/data/test001.out b/contrib/slapd-modules/emptyds/tests/data/test001.out
new file mode 100644
index 0000000..6f41247
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/data/test001.out
@@ -0,0 +1,54 @@
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: description:+ one
+reqMod: description:+ two
+reqMod: description:+ three
+reqMod: description:+ four
+# "description:+ " that's a space, then 3 spaces for value
+reqMod:: ZGVzY3JpcHRpb246KyAgICA=
+reqMod: drink:= Earl Grey, hot
+# second mod was removed, so we have two replaces in succession now and need
+# to separate them (":")
+reqMod:: Og==
+reqMod: drink:= Earl Grey, hot
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: description:- four
+reqMod: description:- three
+reqMod: description:- two
+reqMod: description:- one
+# second mod is removed
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com
+reqMod: drink:=
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=All Staff,ou=Groups,dc=example,dc=com
+reqMod: member:-
+# "member:+ " adding an empty DN
+reqMod:: bWVtYmVyOisg
+reqMod: member:+ cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example
+ ,dc=com
+
+dn: reqStart=timestamp,cn=log
+reqDN: cn=Gern Jensen,ou=Information Technology Division,ou=People,dc=example,
+ dc=com
+reqMod: objectClass:+ testPerson
+reqMod: cn:+ Gern Jensen
+reqMod: sn:+ Jensen
+reqMod: uid:+ gjensen
+reqMod: postalAddress:+ ITD $ 535 W. William St $ Anytown, MI 48103
+reqMod: seeAlso:+ cn=All Staff,ou=Groups,dc=example,dc=com
+reqMod: drink:+ Coffee
+reqMod: homePostalAddress:+ 844 Brown St. Apt. 4 $ Anytown, MI 48104
+reqMod: description:+ Very odd
+reqMod: description:+ More than you think
+reqMod: facsimileTelephoneNumber:+ +1 313 555 7557
+reqMod: telephoneNumber:+ +1 313 555 8343
+reqMod: mail:+ gjensen@mailgw.example.com
+reqMod: homePhone:+ +1 313 555 8844
+reqMod: testTime:+ 20050304001801.234Z
+reqMod: structuralObjectClass:+ testPerson
+
diff --git a/contrib/slapd-modules/emptyds/tests/run b/contrib/slapd-modules/emptyds/tests/run
new file mode 100755
index 0000000..e28820c
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/run
@@ -0,0 +1,218 @@
+#!/bin/sh
+## $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+##
+## ACKNOWLEDGEMENTS:
+## This module was written in 2016 by Ondřej Kuzník for Symas Corp.
+
+USAGE="$0 [-b <backend>] [-c] [-k] [-l #] [-p] [-s {ro|rp}] [-u] [-w] <script>"
+
+TOPSRCDIR="${SRCDIR-$LDAP_SRC}"
+SRCDIR="${TOPSRCDIR}/tests"
+eval `grep EGREP_CMD= ${LDAP_BUILD}/tests/run`
+eval `$EGREP_CMD -e '^LN_S=' ${LDAP_BUILD}/tests/run`
+
+export SRCDIR TOPSRCDIR LN_S EGREP_CMD
+
+. "${SRCDIR}/scripts/defines.sh"
+
+BACKEND=
+CLEAN=no
+WAIT=0
+KILLSERVERS=yes
+PRESERVE=${PRESERVE-no}
+SYNCMODE=${SYNCMODE-rp}
+USERDATA=no
+LOOP=1
+COUNTER=1
+
+while test $# -gt 0 ; do
+ case "$1" in
+ -b | -backend)
+ BACKEND="$2"
+ shift; shift ;;
+
+ -c | -clean)
+ CLEAN=yes
+ shift ;;
+
+ -k | -kill)
+ KILLSERVERS=no
+ shift ;;
+ -l | -loop)
+ NUM="`echo $2 | sed 's/[0-9]//g'`"
+ if [ -z "$NUM" ]; then
+ LOOP=$2
+ else
+ echo "Loop variable not an int: $2"
+ echo "$USAGE"; exit 1
+ fi
+ shift ;
+ shift ;;
+
+ -p | -preserve)
+ PRESERVE=yes
+ shift ;;
+
+ -s | -syncmode)
+ case "$2" in
+ ro | rp)
+ SYNCMODE="$2"
+ ;;
+ *)
+ echo "unknown sync mode $2"
+ echo "$USAGE"; exit 1
+ ;;
+ esac
+ shift; shift ;;
+
+ -u | -userdata)
+ USERDATA=yes
+ shift ;;
+
+ -w | -wait)
+ WAIT=1
+ shift ;;
+
+ -)
+ shift
+ break ;;
+
+ -*)
+ echo "$USAGE"; exit 1
+ ;;
+
+ *)
+ break ;;
+ esac
+done
+
+eval `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run`
+export `$EGREP_CMD -e '^AC' ${LDAP_BUILD}/tests/run | sed 's/=.*//'`
+
+if test -z "$BACKEND" ; then
+ for b in mdb ; do
+ if eval "test \"\$AC_$b\" != no" ; then
+ BACKEND=$b
+ break
+ fi
+ done
+ if test -z "$BACKEND" ; then
+ echo "No suitable default database backend configured" >&2
+ exit 1
+ fi
+fi
+
+BACKENDTYPE=`eval 'echo $AC_'$BACKEND`
+if test "x$BACKENDTYPE" = "x" ; then
+ BACKENDTYPE="unknown"
+fi
+
+# Backend features. indexdb: indexing and unchecked limit.
+# maindb: main storage backend. Currently index,limits,mode,paged results.
+INDEXDB=noindexdb MAINDB=nomaindb
+case $BACKEND in
+ mdb) INDEXDB=indexdb MAINDB=maindb ;;
+esac
+
+export BACKEND BACKENDTYPE INDEXDB MAINDB \
+ WAIT KILLSERVERS PRESERVE SYNCMODE USERDATA \
+ SRCDIR
+
+if test $# = 0 ; then
+ echo "$USAGE"; exit 1
+fi
+
+# need defines.sh for the definitions of the directories
+. $SRCDIR/scripts/defines.sh
+
+SCRIPTDIR="${TOPDIR}/tests/scripts"
+
+export SCRIPTDIR
+
+SCRIPTNAME="$1"
+shift
+
+if test -x "${SCRIPTDIR}/${SCRIPTNAME}" ; then
+ SCRIPT="${SCRIPTDIR}/${SCRIPTNAME}"
+elif test -x "`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"; then
+ SCRIPT="`echo ${SCRIPTDIR}/test*-${SCRIPTNAME}`"
+elif test -x "`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"; then
+ SCRIPT="`echo ${SCRIPTDIR}/${SCRIPTNAME}-*`"
+else
+ echo "run: ${SCRIPTNAME} not found (or not executable)"
+ exit 1;
+fi
+
+if test ! -r ${DATADIR}/test.ldif ; then
+ ${LN_S} ${SRCDIR}/data ${DATADIR}
+fi
+if test ! -r ${SCHEMADIR}/core.schema ; then
+ ${LN_S} ${TOPSRCDIR}/servers/slapd/schema ${SCHEMADIR}
+fi
+if test ! -r ./data; then
+ ${LN_S} ${TOPDIR}/tests/data ./
+fi
+
+if test -d ${TESTDIR} ; then
+ if test $PRESERVE = no ; then
+ echo "Cleaning up test run directory leftover from previous run."
+ /bin/rm -rf ${TESTDIR}
+ elif test $PRESERVE = yes ; then
+ echo "Cleaning up only database directories leftover from previous run."
+ /bin/rm -rf ${TESTDIR}/db.*
+ fi
+fi
+mkdir -p ${TESTDIR}
+
+if test $USERDATA = yes ; then
+ if test ! -d userdata ; then
+ echo "User data directory (userdata) does not exist."
+ exit 1
+ fi
+ cp -R userdata/* ${TESTDIR}
+fi
+
+# disable LDAP initialization
+LDAPNOINIT=true; export LDAPNOINIT
+
+echo "Running ${SCRIPT} for ${BACKEND}..."
+while [ $COUNTER -le $LOOP ]; do
+ if [ $LOOP -gt 1 ]; then
+ echo "Running $COUNTER of $LOOP iterations"
+ fi
+ $SCRIPT $*
+ RC=$?
+
+ if test $CLEAN = yes ; then
+ echo "Cleaning up test run directory from this run."
+ /bin/rm -rf ${TESTDIR}
+ echo "Cleaning up symlinks."
+ /bin/rm -f ${DATADIR} ${SCHEMADIR}
+ fi
+
+ if [ $RC -ne 0 ]; then
+ if [ $LOOP -gt 1 ]; then
+ echo "Failed after $COUNTER of $LOOP iterations"
+ fi
+ exit $RC
+ else
+ COUNTER=`expr $COUNTER + 1`
+ if [ $COUNTER -le $LOOP ]; then
+ echo "Cleaning up test run directory from this run."
+ /bin/rm -rf ${TESTDIR}
+ fi
+ fi
+done
+exit $RC
diff --git a/contrib/slapd-modules/emptyds/tests/scripts/all b/contrib/slapd-modules/emptyds/tests/scripts/all
new file mode 100755
index 0000000..a5c1774
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/scripts/all
@@ -0,0 +1,92 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+. $SRCDIR/scripts/defines.sh
+
+TB="" TN=""
+if test -t 1 ; then
+ TB=`$SHTOOL echo -e "%B" 2>/dev/null`
+ TN=`$SHTOOL echo -e "%b" 2>/dev/null`
+fi
+
+FAILCOUNT=0
+SKIPCOUNT=0
+SLEEPTIME=10
+
+echo ">>>>> Executing all LDAP tests for $BACKEND"
+
+if [ -n "$NOEXIT" ]; then
+ echo "Result Test" > $TESTWD/results
+fi
+
+for CMD in ${SCRIPTDIR}/test*; do
+ case "$CMD" in
+ *~) continue;;
+ *.bak) continue;;
+ *.orig) continue;;
+ *.sav) continue;;
+ *) test -f "$CMD" || continue;;
+ esac
+
+ # remove cruft from prior test
+ if test $PRESERVE = yes ; then
+ /bin/rm -rf $TESTDIR/db.*
+ else
+ /bin/rm -rf $TESTDIR
+ fi
+
+ BCMD=`basename $CMD`
+ if [ -x "$CMD" ]; then
+ echo ">>>>> Starting ${TB}$BCMD${TN} for $BACKEND..."
+ $CMD
+ RC=$?
+ if test $RC -eq 0 ; then
+ echo ">>>>> $BCMD completed ${TB}OK${TN} for $BACKEND."
+ else
+ echo ">>>>> $BCMD ${TB}failed${TN} for $BACKEND"
+ FAILCOUNT=`expr $FAILCOUNT + 1`
+
+ if [ -n "$NOEXIT" ]; then
+ echo "Continuing."
+ else
+ echo "(exit $RC)"
+ exit $RC
+ fi
+ fi
+ else
+ echo ">>>>> Skipping ${TB}$BCMD${TN} for $BACKEND."
+ SKIPCOUNT=`expr $SKIPCOUNT + 1`
+ RC="-"
+ fi
+
+ if [ -n "$NOEXIT" ]; then
+ echo "$RC $BCMD" >> $TESTWD/results
+ fi
+
+# echo ">>>>> waiting $SLEEPTIME seconds for things to exit"
+# sleep $SLEEPTIME
+ echo ""
+done
+
+if [ -n "$NOEXIT" ]; then
+ if [ "$FAILCOUNT" -gt 0 ]; then
+ cat $TESTWD/results
+ echo "$FAILCOUNT tests for $BACKEND ${TB}failed${TN}. Please review the test log."
+ else
+ echo "All executed tests for $BACKEND ${TB}succeeded${TN}."
+ fi
+fi
+
+echo "$SKIPCOUNT tests for $BACKEND were ${TB}skipped${TN}."
diff --git a/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds b/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds
new file mode 100755
index 0000000..b8d715a
--- /dev/null
+++ b/contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds
@@ -0,0 +1,137 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2022 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+##
+## ACKNOWLEDGEMENTS:
+## This module was written in 2019 by Tamim Ziai for DAASI International
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+LDIF=${TOPDIR}/tests/data/test001.out
+
+if test $ACCESSLOG = accesslogno; then
+ echo "Accesslog overlay not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1A $DBDIR1B
+
+. $CONFFILTER $BACKEND < "${TOPDIR}/tests/data/emptyds.conf" > $CONF1
+
+echo "Running slapadd to build slapd database... "
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h $URI1 -d $LVL >> $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep $SLEEP0
+
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting ${SLEEP1} seconds for slapd to start..."
+ sleep ${SLEEP1}
+done
+
+echo "Checking add/modify handling... "
+
+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+ > $TESTOUT -f "${TOPDIR}/tests/data/test001.ldif"
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Checking modrdn handling (should still fail with invalidDNSyntax)... "
+
+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+ >> $TESTOUT 2>&1 <<EOMOD
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com
+changetype: modrdn
+newrdn: cn=
+deleteoldrdn: 0
+EOMOD
+RC=$?
+case $RC in
+34)
+ echo " ldapmodify failed ($RC)"
+ ;;
+0)
+ echo " ldapmodify should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ ;;
+*)
+ echo " ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ ;;
+esac
+
+echo "Dumping accesslog..."
+
+$LDAPSEARCH -b "cn=log" -H $URI1 \
+ 'objectClass=auditWriteObject' reqDN reqMod | \
+ grep -v -e 'entryCSN' -e '\(create\|modify\)Timestamp' \
+ -e '\(modifier\|creator\)sName' -e 'entryUUID' | \
+ sed -e 's/reqStart=[^,]*,/reqStart=timestamp,/' \
+ > $SEARCHOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ exit $RC
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+# Expectations:
+# - all empty values for directoryString pruned
+# - empty adds/deletes removed, empty replaces kept
+# - remaining values keep the same order as submitted
+# - other syntaxes (especially DNs) are kept intact
+echo "Filtering ldapsearch results..."
+$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+$LDIFFILTER < $LDIF > $LDIFFLT
+
+echo "Comparing filter output..."
+$CMP $LDIFFLT $SEARCHFLT > $CMPOUT
+
+if test $? != 0 ; then
+ echo "Comparison failed"
+ exit 1
+fi
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0