
Issue 4262 - Remove legacy tools subpackage

Description:  Remove all the legacy tool scripts, libraries, and obsolete files

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: viktor & firstyear (Thanks!!)

Apply Viktor's suggestions
Mark Reynolds 5 years ago
parent
commit
a2584e1dd2
100 changed files with 561 additions and 2324 deletions
  1. 10 371
      Makefile.am
  2. 9 1
      dirsrvtests/tests/suites/acl/acl_deny_test.py
  3. 16 7
      dirsrvtests/tests/suites/acl/acl_test.py
  4. 3 3
      dirsrvtests/tests/suites/acl/deladd_test.py
  5. 3 5
      dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
  6. 22 14
      dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
  7. 12 4
      dirsrvtests/tests/suites/acl/globalgroup_test.py
  8. 20 22
      dirsrvtests/tests/suites/acl/keywords_part2_test.py
  9. 11 11
      dirsrvtests/tests/suites/acl/keywords_test.py
  10. 26 17
      dirsrvtests/tests/suites/acl/misc_test.py
  11. 15 5
      dirsrvtests/tests/suites/acl/modify_test.py
  12. 4 4
      dirsrvtests/tests/suites/acl/modrdn_test.py
  13. 6 6
      dirsrvtests/tests/suites/acl/repeated_ldap_add_test.py
  14. 2 2
      dirsrvtests/tests/suites/acl/roledn_test.py
  15. 38 26
      dirsrvtests/tests/suites/acl/search_real_part2_test.py
  16. 28 17
      dirsrvtests/tests/suites/acl/search_real_part3_test.py
  17. 26 15
      dirsrvtests/tests/suites/acl/search_real_test.py
  18. 3 3
      dirsrvtests/tests/suites/acl/selfdn_permissions_test.py
  19. 27 29
      dirsrvtests/tests/suites/acl/syntax_test.py
  20. 3 3
      dirsrvtests/tests/suites/acl/userattr_test.py
  21. 11 0
      dirsrvtests/tests/suites/acl/valueacl_part2_test.py
  22. 12 1
      dirsrvtests/tests/suites/acl/valueacl_test.py
  23. 9 9
      dirsrvtests/tests/suites/attr_encryption/attr_encryption_test.py
  24. 2 3
      dirsrvtests/tests/suites/clu/dsidm_config_test.py
  25. 16 10
      dirsrvtests/tests/suites/cos/indirect_cos_test.py
  26. 16 20
      dirsrvtests/tests/suites/ds_logs/ds_logs_test.py
  27. 2 2
      dirsrvtests/tests/suites/export/export_test.py
  28. 1 1
      dirsrvtests/tests/suites/filter/basic_filter_test.py
  29. 13 5
      dirsrvtests/tests/suites/filter/complex_filters_test.py
  30. 3 3
      dirsrvtests/tests/suites/filter/filter_cert_test.py
  31. 27 23
      dirsrvtests/tests/suites/filter/filter_logic_test.py
  32. 4 7
      dirsrvtests/tests/suites/filter/filter_test.py
  33. 7 0
      dirsrvtests/tests/suites/filter/filter_with_non_root_user_test.py
  34. 16 2
      dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
  35. 2 2
      dirsrvtests/tests/suites/fractional/fractional_test.py
  36. 1 5
      dirsrvtests/tests/suites/healthcheck/health_config_test.py
  37. 8 15
      dirsrvtests/tests/suites/healthcheck/health_repl_test.py
  38. 6 9
      dirsrvtests/tests/suites/healthcheck/health_security_test.py
  39. 11 13
      dirsrvtests/tests/suites/healthcheck/health_sync_test.py
  40. 10 12
      dirsrvtests/tests/suites/healthcheck/healthcheck_test.py
  41. 7 6
      dirsrvtests/tests/suites/import/regression_test.py
  42. 16 15
      dirsrvtests/tests/suites/memberof_plugin/regression_test.py
  43. 5 6
      dirsrvtests/tests/suites/paged_results/paged_results_test.py
  44. 9 0
      dirsrvtests/tests/suites/password/password_policy_test.py
  45. 11 4
      dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py
  46. 9 11
      dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py
  47. 1 1
      dirsrvtests/tests/suites/password/pwp_test.py
  48. 1 1
      dirsrvtests/tests/suites/password/regression_test.py
  49. 24 23
      dirsrvtests/tests/suites/plugins/accpol_test.py
  50. 2 2
      dirsrvtests/tests/suites/psearch/psearch_test.py
  51. 2 2
      dirsrvtests/tests/suites/replication/conflict_resolve_test.py
  52. 7 3
      dirsrvtests/tests/suites/roles/basic_test.py
  53. 6 7
      dirsrvtests/tests/suites/sasl/regression_test.py
  54. 0 84
      dirsrvtests/tests/suites/setup_ds/setup_ds_test.py
  55. 0 1
      docs/CREDITS.artwork
  56. 0 143
      docs/intro.md
  57. 0 90
      docs/job-safety.md
  58. BIN
      docs/logo-banner.png
  59. BIN
      docs/logo-banner.xcf
  60. BIN
      docs/logo-square.xcf
  61. BIN
      docs/nunc-stans-intro.dia
  62. BIN
      docs/nunc-stans-intro.png
  63. BIN
      docs/nunc-stans-job-states.dia
  64. BIN
      docs/nunc-stans-job-states.png
  65. BIN
      docs/tops_tops.xcf
  66. 0 214
      ldap/admin/src/makemccvlvindexes
  67. 0 112
      ldap/admin/src/makevlvindex
  68. 0 141
      ldap/admin/src/makevlvsearch
  69. 0 23
      ldap/admin/src/scripts/10cleanupldapi.pl
  70. 0 23
      ldap/admin/src/scripts/10delautodnsuffix.pl
  71. 0 39
      ldap/admin/src/scripts/10fixrundir.pl
  72. 0 74
      ldap/admin/src/scripts/20betxn.pl
  73. 0 16
      ldap/admin/src/scripts/50AES-pbe-plugin.ldif
  74. 0 21
      ldap/admin/src/scripts/50acctusabilityplugin.ldif
  75. 0 6
      ldap/admin/src/scripts/50addchainingsaslpwroles.ldif
  76. 0 15
      ldap/admin/src/scripts/50automemberplugin.ldif
  77. 0 14
      ldap/admin/src/scripts/50bitstringsyntaxplugin.ldif
  78. 0 23
      ldap/admin/src/scripts/50contentsync.ldif
  79. 0 14
      ldap/admin/src/scripts/50deliverymethodsyntaxplugin.ldif
  80. 0 16
      ldap/admin/src/scripts/50derefplugin.ldif
  81. 0 9
      ldap/admin/src/scripts/50disableurisyntaxplugin.ldif
  82. 0 14
      ldap/admin/src/scripts/50enhancedguidesyntaxplugin.ldif
  83. 0 7
      ldap/admin/src/scripts/50entryusnindex.ldif
  84. 0 14
      ldap/admin/src/scripts/50faxnumbersyntaxplugin.ldif
  85. 0 14
      ldap/admin/src/scripts/50faxsyntaxplugin.ldif
  86. 0 241
      ldap/admin/src/scripts/50fixNsState.pl
  87. 0 14
      ldap/admin/src/scripts/50guidesyntaxplugin.ldif
  88. 0 16
      ldap/admin/src/scripts/50linkedattrsplugin.ldif
  89. 0 16
      ldap/admin/src/scripts/50managedentriesplugin.ldif
  90. 0 6
      ldap/admin/src/scripts/50memberofindex.ldif
  91. 0 17
      ldap/admin/src/scripts/50memberofplugin.ldif
  92. 0 14
      ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif
  93. 0 7
      ldap/admin/src/scripts/50nstombstonecsn.ldif
  94. 0 14
      ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif
  95. 0 14
      ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif
  96. 0 4
      ldap/admin/src/scripts/50refintprecedence.ldif
  97. 0 4
      ldap/admin/src/scripts/50retroclprecedence.ldif
  98. 0 15
      ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif
  99. 0 14
      ldap/admin/src/scripts/50schemareloadplugin.ldif
  100. 0 13
      ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif

+ 10 - 371
Makefile.am

@@ -55,18 +55,6 @@ RUST_LDFLAGS =
 RUST_DEFINES =
 endif
 
-if ENABLE_PERL
-PERL_ON = 1
-else
-PERL_ON = 0
-endif
-
-if ENABLE_LEGACY
-LEGACY_ON = 1
-else
-LEGACY_ON = 0
-endif
-
 if CLANG_ENABLE
 CLANG_ON = 1
 CLANG_LDFLAGS = -latomic
@@ -237,32 +225,7 @@ LIBPOSIX_WINSYNC_PLUGIN = libposix-winsync-plugin.la
 endif
 
 CLEANFILES =  dberrstrs.h ns-slapd.properties \
-	ldap/admin/src/scripts/template-dbverify ldap/admin/src/template-initconfig \
-	ldap/admin/src/scripts/dscreate.map ldap/admin/src/scripts/remove-ds.pl \
-	ldap/admin/src/scripts/DSCreate.pm ldap/admin/src/scripts/DSMigration.pm \
-	ldap/admin/src/scripts/DSUpdate.pm ldap/admin/src/scripts/dsupdate.map \
-	ldap/admin/src/scripts/dsorgentries.map ldap/admin/src/scripts/migrate-ds.pl \
-	ldap/admin/src/scripts/Migration.pm ldap/admin/src/scripts/SetupDialogs.pm \
-	ldap/admin/src/scripts/setup-ds.pl ldap/admin/src/scripts/setup-ds.res \
-	ldap/admin/src/scripts/start-dirsrv ldap/admin/src/scripts/stop-dirsrv \
-	ldap/admin/src/scripts/restart-dirsrv ldap/admin/src/scripts/Setup.pm \
-	ldap/admin/src/scripts/status-dirsrv \
-	ldap/admin/src/scripts/template-bak2db ldap/admin/src/scripts/template-bak2db.pl \
-	ldap/admin/src/scripts/template-db2bak ldap/admin/src/scripts/template-db2bak.pl \
-	ldap/admin/src/scripts/template-db2index ldap/admin/src/scripts/template-db2index.pl \
-	ldap/admin/src/scripts/template-db2ldif ldap/admin/src/scripts/template-db2ldif.pl \
-	ldap/admin/src/scripts/template-ldif2db ldap/admin/src/scripts/template-ldif2db.pl \
-	ldap/admin/src/scripts/template-ldif2ldap ldap/admin/src/scripts/template-monitor \
-	ldap/admin/src/scripts/template-ns-accountstatus.pl ldap/admin/src/scripts/template-ns-activate.pl \
-	ldap/admin/src/scripts/template-ns-inactivate.pl ldap/admin/src/scripts/template-ns-newpwpolicy.pl \
-	ldap/admin/src/scripts/template-restart-slapd ldap/admin/src/scripts/template-restoreconfig \
-	ldap/admin/src/scripts/template-saveconfig ldap/admin/src/scripts/template-start-slapd \
-	ldap/admin/src/scripts/template-stop-slapd ldap/admin/src/scripts/template-suffix2instance \
-	ldap/admin/src/scripts/template-upgradedb \
-	ldap/admin/src/scripts/template-upgradednformat \
-	ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl \
-	ldap/admin/src/scripts/template-verify-db.pl \
-	ldap/admin/src/scripts/template-vlvindex ldap/admin/src/scripts/DSUtil.pm \
+	ldap/admin/src/template-initconfig \
 	ldap/ldif/template-baseacis.ldif ldap/ldif/template-bitwise.ldif ldap/ldif/template-country.ldif \
 	ldap/ldif/template-dnaplugin.ldif ldap/ldif/template-domain.ldif ldap/ldif/template-dse.ldif \
 	ldap/ldif/template-dse-minimal.ldif \
@@ -270,24 +233,7 @@ CLEANFILES =  dberrstrs.h ns-slapd.properties \
 	ldap/ldif/template-ldapi.ldif ldap/ldif/template-locality.ldif ldap/ldif/template-org.ldif \
 	ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \
 	ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif \
-	ldap/admin/src/scripts/bak2db ldap/admin/src/scripts/db2bak ldap/admin/src/scripts/upgradedb \
-	ldap/admin/src/scripts/db2index ldap/admin/src/scripts/db2ldif \
-	ldap/admin/src/scripts/dn2rdn ldap/admin/src/scripts/ldif2db \
-	ldap/admin/src/scripts/ldif2ldap ldap/admin/src/scripts/monitor \
-	ldap/admin/src/scripts/restoreconfig ldap/admin/src/scripts/saveconfig  \
-	ldap/admin/src/scripts/suffix2instance \
-	ldap/admin/src/scripts/upgradednformat ldap/admin/src/scripts/vlvindex \
-	ldap/admin/src/scripts/bak2db.pl ldap/admin/src/scripts/db2bak.pl \
-	ldap/admin/src/scripts/db2index.pl ldap/admin/src/scripts/db2ldif.pl \
-	ldap/admin/src/scripts/fixup-linkedattrs.pl ldap/admin/src/scripts/fixup-memberof.pl \
-	ldap/admin/src/scripts/cleanallruv.pl ldap/admin/src/scripts/ldif2db.pl \
-	ldap/admin/src/scripts/ns-accountstatus.pl ldap/admin/src/scripts/ns-activate.pl \
-	ldap/admin/src/scripts/ns-inactivate.pl ldap/admin/src/scripts/ns-newpwpolicy.pl \
-	ldap/admin/src/scripts/schema-reload.pl ldap/admin/src/scripts/syntax-validate.pl \
-	ldap/admin/src/scripts/usn-tombstone-cleanup.pl ldap/admin/src/scripts/verify-db.pl \
-	ldap/admin/src/scripts/ds_selinux_port_query ldap/admin/src/scripts/ds_selinux_enabled \
-	ldap/admin/src/scripts/dbverify ldap/admin/src/scripts/readnsstate \
-	doxyfile.stamp ldap/admin/src/scripts/dbmon.sh \
+	doxyfile.stamp \
 	$(NULL)
 
 if RUST_ENABLE
@@ -303,7 +249,7 @@ if RUST_ENABLE
 endif
 
 dberrstrs.h: Makefile
-	perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
+	$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py -i @db_incdir@ -o .
 
 
 #------------------------
@@ -352,14 +298,6 @@ sbin_PROGRAMS = ns-slapd ldap-agent
 bin_PROGRAMS = dbscan \
 	ldclt \
 	pwdhash
-if ENABLE_LEGACY
-bin_PROGRAMS += \
-	infadd \
-	ldif \
-	migratecred \
-	mmldif \
-	rsearch
-endif
 
 # ----------------------------------------------------------------------------------------
 # This odd looking definition is to keep the libraries in ORDER that they are needed. rsds
@@ -578,12 +516,6 @@ dist_noinst_HEADERS = \
 	ldap/servers/slapd/tools/ldclt/remote.h \
 	ldap/servers/slapd/tools/ldclt/scalab01.h \
 	ldap/servers/slapd/tools/ldclt/utils.h \
-	ldap/servers/slapd/tools/rsearch/addthread.h \
-	ldap/servers/slapd/tools/rsearch/infadd.h \
-	ldap/servers/slapd/tools/rsearch/nametable.h \
-	ldap/servers/slapd/tools/rsearch/rsearch.h \
-	ldap/servers/slapd/tools/rsearch/sdattable.h \
-	ldap/servers/slapd/tools/rsearch/searchthread.h \
 	ldap/servers/snmp/ldap-agent.h \
 	ldap/systools/pio.h \
 	lib/base/lexer_pvt.h \
@@ -638,11 +570,8 @@ dist_noinst_DATA = \
 	$(srcdir)/buildnum.py \
 	$(srcdir)/ldap/admin/src/*.in \
 	$(srcdir)/ldap/admin/src/scripts/*.in \
-	$(srcdir)/ldap/admin/src/scripts/*.ldif \
 	$(srcdir)/ldap/admin/src/scripts/*.py \
-	$(srcdir)/ldap/admin/src/scripts/*.sh \
 	$(srcdir)/ldap/admin/src/scripts/ds-replcheck \
-	$(srcdir)/ldap/admin/src/scripts/migrate-ds.res \
 	$(srcdir)/ldap/ldif/*.in \
 	$(srcdir)/ldap/ldif/*.ldif \
 	$(srcdir)/ldap/schema/*.ldif \
@@ -666,10 +595,7 @@ dist_noinst_DATA = \
 if ENABLE_PERL
 dist_noinst_DATA += \
 	$(srcdir)/ldap/admin/src/*.pl \
-	$(srcdir)/ldap/admin/src/scripts/*.pl \
-	$(srcdir)/ldap/admin/src/scripts/*.pm \
-	$(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl \
-	$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen*
+	$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py
 endif
 
 #------------------------
@@ -688,8 +614,7 @@ endif
 # with the default schema e.g. there is
 # considerable overlap of 60changelog.ldif and 01common.ldif
 # and 60inetmail.ldif and 50ns-mail.ldif among others
-sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
-	$(srcdir)/ldap/ldif/Ace.ldif \
+sampledata_DATA = $(srcdir)/ldap/ldif/Ace.ldif \
 	$(srcdir)/ldap/ldif/European.ldif \
 	$(srcdir)/ldap/ldif/Eurosuffix.ldif \
 	$(srcdir)/ldap/ldif/Example.ldif \
@@ -710,10 +635,7 @@ sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
 	ldap/ldif/template-orgunit.ldif \
 	ldap/ldif/template-baseacis.ldif \
 	ldap/ldif/template-sasl.ldif \
-	$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-FamilyNames \
-	$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-GivenNames \
-	$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-OrgUnits \
-	$(srcdir)/ldap/schema/10rfc2307.ldif \
+	$(srcdir)/ldap/schema/10rfc2307compat.ldif \
 	$(srcdir)/ldap/schema/10rfc2307bis.ldif \
 	$(srcdir)/ldap/schema/60changelog.ldif \
 	$(srcdir)/ldap/schema/60inetmail.ldif \
@@ -726,6 +648,9 @@ sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
 	$(srcdir)/ldap/schema/60samba.ldif \
 	$(srcdir)/ldap/schema/60sendmail.ldif \
 	$(srcdir)/ldap/schema/dsee.schema \
+	$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-FamilyNames \
+	$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-GivenNames \
+	$(srcdir)/src/lib389/lib389/cli_ctl/dbgen-OrgUnits \
 	$(LIBPRESENCE_SCHEMA)
 
 systemschema_DATA = $(srcdir)/ldap/schema/00core.ldif \
@@ -790,61 +715,8 @@ install-data-hook:
 endif
 
 sbin_SCRIPTS =
-if ENABLE_PERL
-sbin_SCRIPTS += ldap/admin/src/scripts/setup-ds.pl \
-	ldap/admin/src/scripts/migrate-ds.pl \
-	ldap/admin/src/scripts/remove-ds.pl \
-	ldap/admin/src/scripts/bak2db.pl \
-	ldap/admin/src/scripts/db2bak.pl \
-	ldap/admin/src/scripts/db2index.pl \
-	ldap/admin/src/scripts/db2ldif.pl \
-	ldap/admin/src/scripts/fixup-linkedattrs.pl \
-	ldap/admin/src/scripts/fixup-memberof.pl \
-	ldap/admin/src/scripts/cleanallruv.pl \
-	ldap/admin/src/scripts/ldif2db.pl \
-	ldap/admin/src/scripts/ns-accountstatus.pl \
-	ldap/admin/src/scripts/ns-activate.pl \
-	ldap/admin/src/scripts/ns-inactivate.pl \
-	ldap/admin/src/scripts/ns-newpwpolicy.pl \
-	ldap/admin/src/scripts/schema-reload.pl \
-	ldap/admin/src/scripts/syntax-validate.pl \
-	ldap/admin/src/scripts/usn-tombstone-cleanup.pl \
-	ldap/admin/src/scripts/verify-db.pl
-endif
-if ENABLE_LEGACY
-sbin_SCRIPTS += \
-	ldap/admin/src/scripts/start-dirsrv \
-	ldap/admin/src/scripts/stop-dirsrv \
-	ldap/admin/src/scripts/restart-dirsrv \
-	ldap/admin/src/scripts/status-dirsrv \
-	ldap/admin/src/scripts/bak2db \
-	ldap/admin/src/scripts/db2bak \
-	ldap/admin/src/scripts/db2index \
-	ldap/admin/src/scripts/db2ldif \
-	ldap/admin/src/scripts/dn2rdn \
-	ldap/admin/src/scripts/ldif2db \
-	ldap/admin/src/scripts/ldif2ldap \
-	ldap/admin/src/scripts/monitor \
-	ldap/admin/src/scripts/restoreconfig \
-	ldap/admin/src/scripts/saveconfig \
-	ldap/admin/src/scripts/suffix2instance \
-	ldap/admin/src/scripts/upgradednformat \
-	ldap/admin/src/scripts/vlvindex \
-	ldap/admin/src/scripts/dbverify \
-	ldap/admin/src/scripts/upgradedb \
-	ldap/admin/src/scripts/dbmon.sh
-endif
-
-bin_SCRIPTS = \
-	ldap/admin/src/scripts/readnsstate
 
-if ENABLE_PERL
-bin_SCRIPTS += ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \
-	wrappers/cl-dump \
-	ldap/admin/src/scripts/cl-dump.pl \
-	wrappers/repl-monitor \
-	ldap/admin/src/scripts/repl-monitor.pl
-endif
+bin_SCRIPTS =
 
 # For scripts that are "as is".
 dist_bin_SCRIPTS = ldap/admin/src/scripts/ds-replcheck \
@@ -852,26 +724,6 @@ dist_bin_SCRIPTS = ldap/admin/src/scripts/ds-replcheck \
 
 dist_bin_SCRIPTS += ldap/admin/src/logconv.pl
 
-# SCRIPTS makes them executables - these are perl modules
-# and should not be marked as executable - so use DATA
-if ENABLE_PERL
-perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
-	ldap/admin/src/scripts/Resource.pm \
-	ldap/admin/src/scripts/DSUtil.pm \
-	ldap/admin/src/scripts/Setup.pm \
-	ldap/admin/src/scripts/SetupDialogs.pm \
-	ldap/admin/src/scripts/Inf.pm \
-	ldap/admin/src/scripts/DialogManager.pm \
-	ldap/admin/src/scripts/Dialog.pm \
-	ldap/admin/src/scripts/DSDialogs.pm \
-	ldap/admin/src/scripts/Migration.pm \
-	ldap/admin/src/scripts/DSMigration.pm \
-	ldap/admin/src/scripts/FileConn.pm \
-	ldap/admin/src/scripts/DSCreate.pm \
-	ldap/admin/src/scripts/DSUpdate.pm \
-	ldap/admin/src/scripts/DSUpdateDialogs.pm
-endif
-
 python_DATA = ldap/admin/src/scripts/failedbinds.py \
 	ldap/admin/src/scripts/logregex.py
 
@@ -879,46 +731,6 @@ gdbautoload_DATA = ldap/admin/src/scripts/ns-slapd-gdb.py
 
 dist_sysctl_DATA = ldap/admin/src/70-dirsrv.conf
 
-if ENABLE_PERL
-property_DATA = ldap/admin/src/scripts/setup-ds.res \
-	ldap/admin/src/scripts/migrate-ds.res
-
-task_SCRIPTS = ldap/admin/src/scripts/template-bak2db \
-	ldap/admin/src/scripts/template-db2bak \
-	ldap/admin/src/scripts/template-db2index \
-	ldap/admin/src/scripts/template-db2ldif \
-	ldap/admin/src/scripts/template-dn2rdn \
-	ldap/admin/src/scripts/template-ldif2db \
-	ldap/admin/src/scripts/template-ldif2ldap \
-	ldap/admin/src/scripts/template-monitor \
-	ldap/admin/src/scripts/template-restart-slapd \
-	ldap/admin/src/scripts/template-restoreconfig \
-	ldap/admin/src/scripts/template-saveconfig \
-	ldap/admin/src/scripts/template-start-slapd \
-	ldap/admin/src/scripts/template-stop-slapd \
-	ldap/admin/src/scripts/template-suffix2instance \
-	ldap/admin/src/scripts/template-upgradednformat \
-	ldap/admin/src/scripts/template-vlvindex \
-	ldap/admin/src/scripts/template-bak2db.pl \
-	ldap/admin/src/scripts/template-db2bak.pl \
-	ldap/admin/src/scripts/template-db2index.pl \
-	ldap/admin/src/scripts/template-db2ldif.pl \
-	ldap/admin/src/scripts/template-fixup-linkedattrs.pl \
-	ldap/admin/src/scripts/template-fixup-memberof.pl \
-	ldap/admin/src/scripts/template-fixup-memberuid.pl \
-	ldap/admin/src/scripts/template-cleanallruv.pl \
-	ldap/admin/src/scripts/template-ldif2db.pl \
-	ldap/admin/src/scripts/template-ns-accountstatus.pl \
-	ldap/admin/src/scripts/template-ns-activate.pl \
-	ldap/admin/src/scripts/template-ns-inactivate.pl \
-	ldap/admin/src/scripts/template-ns-newpwpolicy.pl \
-	ldap/admin/src/scripts/template-schema-reload.pl \
-	ldap/admin/src/scripts/template-syntax-validate.pl \
-	ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl \
-	ldap/admin/src/scripts/template-verify-db.pl \
-	ldap/admin/src/scripts/template-dbverify
-endif
-
 if SYSTEMD
 # yes, that is an @ in the filename . . .
 systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \
@@ -943,9 +755,6 @@ initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME)
 endif
 
 inf_DATA = ldap/admin/src/slapd.inf \
-	ldap/admin/src/scripts/dscreate.map \
-	ldap/admin/src/scripts/dsupdate.map \
-	ldap/admin/src/scripts/dsorgentries.map \
 	ldap/admin/src/defaults.inf
 
 mib_DATA = ldap/servers/snmp/redhat-directory.mib
@@ -975,135 +784,12 @@ dist_man_MANS = man/man1/dbscan.1 \
 	man/man1/ldclt.1 \
 	man/man1/logconv.pl.1 \
 	man/man1/pwdhash.1 \
-	man/man1/readnsstate.1 \
 	man/man5/99user.ldif.5 \
 	man/man8/ns-slapd.8 \
 	man/man5/certmap.conf.5 \
 	man/man5/dirsrv.5 \
 	man/man5/dirsrv.systemd.5 \
 	man/man5/slapd-collations.conf.5
-if ENABLE_LEGACY
-dist_man_MANS += \
-	man/man1/infadd.1 \
-	man/man1/ldif.1 \
-	man/man1/migratecred.1 \
-	man/man1/mmldif.1 \
-	man/man1/rsearch.1
-endif
-if ENABLE_PERL
-dist_man_MANS += man/man1/cl-dump.1 \
-	man/man1/cl-dump.pl.1 \
-	man/man1/dbgen.pl.1 \
-	man/man1/repl-monitor.1 \
-	man/man1/repl-monitor.pl.1 \
-	man/man8/migrate-ds.pl.8 \
-	man/man8/restart-dirsrv.8 \
-	man/man8/setup-ds.pl.8 \
-	man/man8/start-dirsrv.8 \
-	man/man8/stop-dirsrv.8 \
-	man/man8/status-dirsrv.8 \
-	man/man8/bak2db.8 \
-	man/man8/bak2db.pl.8 \
-	man/man8/cleanallruv.pl.8 \
-	man/man8/dbverify.8 \
-	man/man8/db2bak.8 \
-	man/man8/db2bak.pl.8 \
-	man/man8/db2ldif.8 \
-	man/man8/db2ldif.pl.8 \
-	man/man8/db2index.8 \
-	man/man8/db2index.pl.8 \
-	man/man8/fixup-linkedattrs.pl.8 \
-	man/man8/fixup-memberof.pl.8 \
-	man/man8/ldif2db.8 \
-	man/man8/ldif2db.pl.8 \
-	man/man8/dbmon.sh.8 \
-	man/man8/dn2rdn.8 \
-	man/man8/ldif2ldap.8 \
-	man/man8/monitor.8 \
-	man/man8/ns-accountstatus.pl.8 \
-	man/man8/ns-newpwpolicy.pl.8 \
-	man/man8/ns-activate.pl.8 \
-	man/man8/ns-inactivate.pl.8 \
-	man/man8/remove-ds.pl.8 \
-	man/man8/restoreconfig.8 \
-	man/man8/saveconfig.8 \
-	man/man8/schema-reload.pl.8 \
-	man/man8/suffix2instance.8 \
-	man/man8/syntax-validate.pl.8 \
-	man/man8/upgradednformat.8 \
-	man/man8/upgradedb.8 \
-	man/man8/usn-tombstone-cleanup.pl.8 \
-	man/man8/vlvindex.8 \
-	man/man8/verify-db.pl.8 \
-	man/man5/template-initconfig.5
-endif
-
-#------------------------
-# updates
-# the first 3 are just the examples provided - since they
-# do not begin with two digits, they will be ignored
-# the remaining items should begin with two digits that
-# correspond to the order in which they should be applied
-# perl files and LDIF files are DATA - not executable
-# processed by the update script
-# shell scripts and other files are SCRIPTS - executable
-#------------------------
-if ENABLE_PERL
-update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
-	ldap/admin/src/scripts/exampleupdate.ldif \
-	ldap/admin/src/scripts/10cleanupldapi.pl \
-	ldap/admin/src/scripts/10delautodnsuffix.pl \
-	ldap/admin/src/scripts/10fixrundir.pl \
-	ldap/admin/src/scripts/20betxn.pl \
-	ldap/admin/src/scripts/50addchainingsaslpwroles.ldif \
-	ldap/admin/src/scripts/50acctusabilityplugin.ldif \
-	ldap/admin/src/scripts/50automemberplugin.ldif \
-	ldap/admin/src/scripts/50memberofindex.ldif \
-	ldap/admin/src/scripts/50nstombstonecsn.ldif \
-	ldap/admin/src/scripts/50bitstringsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50managedentriesplugin.ldif \
-	ldap/admin/src/scripts/50memberofplugin.ldif \
-	ldap/admin/src/scripts/50deliverymethodsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50derefplugin.ldif \
-	ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50disableurisyntaxplugin.ldif \
-	ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50enhancedguidesyntaxplugin.ldif \
-	ldap/admin/src/scripts/50schemareloadplugin.ldif \
-	ldap/admin/src/scripts/50entryusnindex.ldif \
-	ldap/admin/src/scripts/50syntaxvalidplugin.ldif \
-	ldap/admin/src/scripts/50faxnumbersyntaxplugin.ldif \
-	ldap/admin/src/scripts/50teletexterminalidsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50faxsyntaxplugin.ldif \
-	ldap/admin/src/scripts/50fixNsState.pl \
-	ldap/admin/src/scripts/50telexnumbersyntaxplugin.ldif \
-	ldap/admin/src/scripts/50guidesyntaxplugin.ldif \
-	ldap/admin/src/scripts/50targetuniqueid.ldif \
-	ldap/admin/src/scripts/60removeLegacyReplication.ldif \
-	ldap/admin/src/scripts/50linkedattrsplugin.ldif \
-	ldap/admin/src/scripts/50usnplugin.ldif \
-	ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \
-	ldap/admin/src/scripts/50refintprecedence.ldif \
-	ldap/admin/src/scripts/50retroclprecedence.ldif \
-	ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \
-	ldap/admin/src/scripts/50contentsync.ldif \
-	ldap/admin/src/scripts/60upgradeschemafiles.pl \
-	ldap/admin/src/scripts/60upgradeconfigfiles.pl \
-	ldap/admin/src/scripts/70upgradefromldif.pl \
-	ldap/admin/src/scripts/80upgradednformat.pl \
-	ldap/admin/src/scripts/81changelog.pl \
-	ldap/admin/src/scripts/82targetuniqueidindex.pl \
-	ldap/admin/src/scripts/90subtreerename.pl \
-	ldap/admin/src/scripts/91subtreereindex.pl \
-	ldap/admin/src/scripts/50AES-pbe-plugin.ldif\
-	ldap/admin/src/scripts/50updateconfig.ldif \
-	ldap/admin/src/scripts/52updateAESplugin.pl \
-	ldap/admin/src/scripts/dnaplugindepends.ldif \
-	ldap/admin/src/scripts/91reindex.pl
-
-update_SCRIPTS = ldap/admin/src/scripts/exampleupdate.sh
-endif
 
 #////////////////////////////////////////////////////////////////
 #
@@ -2172,16 +1858,6 @@ dbscan_SOURCES = ldap/servers/slapd/tools/dbscan.c
 dbscan_CPPFLAGS = @db_inc@ $(NSPR_INCLUDES) $(AM_CPPFLAGS)
 dbscan_LDADD = $(NSPR_LINK) $(DB_LINK)
 
-#------------------------
-# infadd
-#------------------------
-infadd_SOURCES = ldap/servers/slapd/tools/rsearch/addthread.c \
-	ldap/servers/slapd/tools/rsearch/infadd.c \
-	ldap/servers/slapd/tools/rsearch/nametable.c
-
-infadd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
-infadd_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBSOCKET)
-
 #------------------------
 # ldap-agent
 #------------------------
@@ -2212,32 +1888,6 @@ ldclt_SOURCES = ldap/servers/slapd/tools/ldaptool-sasl.c \
 ldclt_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/ldap/servers/slapd/tools $(DSPLUGIN_CPPFLAGS) $(SASL_CFLAGS)
 ldclt_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBNSL) $(LIBSOCKET) $(LIBDL) $(THREADLIB)
 
-#------------------------
-# ldif
-#------------------------
-ldif_SOURCES = ldap/servers/slapd/tools/ldif.c
-
-ldif_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
-ldif_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK)
-
-#------------------------
-# migratecred
-#------------------------
-migratecred_SOURCES = ldap/servers/slapd/tools/migratecred.c
-
-migratecred_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
-migratecred_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK)
-migratecred_DEPENDENCIES = libslapd.la
-
-#------------------------
-# mmldif
-#------------------------
-mmldif_SOURCES = ldap/servers/slapd/tools/mmldif.c
-
-mmldif_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
-mmldif_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK_NOTHR) $(SASL_LINK)
-mmldif_DEPENDENCIES = libslapd.la
-
 #------------------------
 # ns-slapd
 #------------------------
@@ -2311,17 +1961,6 @@ pwdhash_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
 pwdhash_LDADD = libslapd.la libsvrcore.la $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK)
 pwdhash_DEPENDENCIES = libslapd.la
 
-#------------------------
-# rsearch
-#------------------------
-rsearch_SOURCES = ldap/servers/slapd/tools/rsearch/nametable.c \
-	ldap/servers/slapd/tools/rsearch/rsearch.c \
-	ldap/servers/slapd/tools/rsearch/sdattable.c \
-	ldap/servers/slapd/tools/rsearch/searchthread.c
-
-rsearch_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
-rsearch_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBSOCKET)
-
 #-------------------------
 # CMOCKA TEST PROGRAMS
 #-------------------------
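Review bot: The `dberrstrs.h` rule now executes `$(srcdir)/ldap/servers/slapd/mkDBErrStrs.py` directly, so the build depends on the file's executable bit and on whatever interpreter its shebang resolves to, where the old rule named `perl` explicitly. Running it through the configured interpreter, e.g. `$(PYTHON) $(srcdir)/ldap/servers/slapd/mkDBErrStrs.py -i @db_incdir@ -o .`, keeps the build working from an unpacked tarball or a noexec source tree and pins the interpreter to the one configure selected. This assumes `AM_PATH_PYTHON` is called in configure.ac, which the existing `python_DATA` suggests but this page does not show. Separately, `mkDBErrStrs.py` is added to `dist_noinst_DATA` inside `if ENABLE_PERL` although the rule that needs it is unconditional; moving that line out of the conditional would match how the script is used.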

+ 9 - 1
dirsrvtests/tests/suites/acl/acl_deny_test.py

@@ -1,3 +1,11 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2020 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
 import logging
 import pytest
 import os
@@ -5,7 +13,7 @@ import ldap
 import time
 from lib389._constants import *
 from lib389.topologies import topology_st as topo
-from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
+from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES
 from lib389.idm.domain import Domain
 
 pytestmark = pytest.mark.tier1

+ 16 - 7
dirsrvtests/tests/suites/acl/acl_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -14,9 +14,8 @@ from lib389.schema import Schema
 from lib389.idm.domain import Domain
 from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
 from lib389.idm.organizationalrole import OrganizationalRole, OrganizationalRoles
-
 from lib389.topologies import topology_m2
-from lib389._constants import SUFFIX, DN_SCHEMA, DN_DM, DEFAULT_SUFFIX, PASSWORD
+from lib389._constants import SUFFIX, DN_DM, DEFAULT_SUFFIX, PASSWORD
 
 pytestmark = pytest.mark.tier1
 
@@ -243,6 +242,14 @@ def moddn_setup(topology_m2):
                        'userpassword': BIND_PW})
     user.create(properties=user_props, basedn=SUFFIX)
 
+    # Add anonymous read aci
+    ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
+    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(m1, SUFFIX)
+    suffix.add('aci', ACI_BODY)
+
     # DIT for staging
     m1.log.info("Add {}".format(STAGING_DN))
     o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
@@ -1062,10 +1069,12 @@ def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
 @pytest.fixture(scope="module")
 def rdn_write_setup(topology_m2):
     topology_m2.ms["master1"].log.info("\n\n######## Add entry tuser ########\n")
-    topology_m2.ms["master1"].add_s(Entry((SRC_ENTRY_DN, {
-        'objectclass': "top person".split(),
-        'sn': SRC_ENTRY_CN,
-        'cn': SRC_ENTRY_CN})))
+    user = UserAccount(topology_m2.ms["master1"], SRC_ENTRY_DN)
+    user_props = TEST_USER_PROPERTIES.copy()
+    user_props.update({'sn': SRC_ENTRY_CN,
+                       'cn': SRC_ENTRY_CN,
+                       'userpassword': BIND_PW})
+    user.create(properties=user_props, basedn=SUFFIX)
 
 
 def test_rdn_write_get_ger(topology_m2, rdn_write_setup):
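Review bot: The anonymous-read ACI added in `moddn_setup` grants `read,search,compare` on `targetattr="*"` to `ldap:///anyone` across the whole suffix, and nothing visible in the hunk removes it again. In an ACL suite that leaves a broad allow rule in place for every later test that shares the topology, which can mask a test that expects access to be denied. Since `*` also covers `userPassword`, a narrower rule such as `(targetattr != "userPassword || aci")`, or only the attributes the moddn tests read, would keep the fixture closer to a realistic policy. Consider a finalizer that calls `suffix.remove('aci', ACI_BODY)`; that needs `request` in the fixture signature, which starts outside this hunk, and a teardown may already exist in lines not shown. The same pattern is added to the `test_user` fixture in globalgroup_part2_test.py.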

+ 3 - 3
dirsrvtests/tests/suites/acl/deladd_test.py

@@ -361,7 +361,7 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user, req
 
     # Set ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
                    f'(version 3.0; acl "{request.node.name}"; '
                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')
 
@@ -401,7 +401,7 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user,
     # Set ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
-                   f'(targetattr=uid)(version 3.0; acl "{request.node.name}"; '
+                   f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '
                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')
 
     # create connection with USER_WITH_ACI_DELADD
@@ -439,7 +439,7 @@ def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user,
     # Set ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
-                   f'(targetattr=*)(version 3.0; acl "{request.node.name}"; '
+                   f'(targetattr="*")(version 3.0; acl "{request.node.name}"; '
                    f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')
 
     # create connection with USER_WITH_ACI_DELADD
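Review bot: All three ACIs now quote the `targetattr` value but leave the `target` value bare (`(target = ldap:///{DEFAULT_SUFFIX})`), so each rule still mixes the two forms. If the quoting is meant to match stricter ACI syntax, quote the target as well, e.g. `f'(target = "ldap:///{DEFAULT_SUFFIX}")(targetattr="*")'`. Whether the server's parser still accepts the unquoted target is not visible on this page, so this is at least a consistency point. The three test functions continue outside the hunks.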

+ 3 - 5
dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -31,15 +31,13 @@ def env_setup(topology_st):
 
     log.info("Add a container: %s" % CONTAINER_1)
     topology_st.standalone.add_s(Entry((CONTAINER_1,
-                                        {'objectclass': 'top',
-                                         'objectclass': 'organizationalunit',
+                                        {'objectclass': ['top','organizationalunit'],
                                          'ou': CONTAINER_1_OU,
                                          })))
 
     log.info("Add a container: %s" % CONTAINER_2)
     topology_st.standalone.add_s(Entry((CONTAINER_2,
-                                        {'objectclass': 'top',
-                                         'objectclass': 'organizationalunit',
+                                        {'objectclass': ['top', 'organizationalunit'],
                                          'ou': CONTAINER_2_OU,
                                          })))
 

+ 22 - 14
dirsrvtests/tests/suites/acl/globalgroup_part2_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -70,6 +70,14 @@ def test_user(request, topo):
             'userPassword': PW_DM
         })
 
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', ANON_ACI)
+
     uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
     for demo1 in ['c1', 'CHILD1_GLOBAL']:
         uas.create(properties={
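Review bot: The anonymous ACI added to `test_user` pairs `(targetattr="*")` with `userdn="ldap:///anyone"`, so an unauthenticated client gets read, search and compare on every attribute under the suffix, `userPassword` included. The `aci_of_user` fixture in misc_test.py from this same commit excludes that attribute, and the same target fits here: `ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)`. The `suffix.add('aci', ANON_ACI)` call is also not wrapped in the `try` / `except ldap.TYPE_OR_VALUE_EXISTS: pass` guard that misc_test.py uses, which presumably matters whenever the value is already on the suffix (this needs `ldap` imported in the file). The identical block in the `test_user` hunk of globalgroup_test.py has the same two gaps. `test_user` starts and ends outside this hunk.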
@@ -112,7 +120,7 @@ def test_undefined_in_group_eval_five(topo, test_user, aci_of_user):
             5. Operation should  succeed
     """
 
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
     # This aci should NOT allow access
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
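Review bot: The ACI literal on the changed line contains `\ ` (backslash, space) inside an ordinary string, which Python does not recognise as an escape, so it keeps the backslash and emits an invalid-escape warning at compile time. If the backslash is meant to reach the server inside the `groupdn` value, make that explicit with a raw string, `r'(targetattr="*")(version 3.0; aci "tester"; ...'`, or by writing `\\ `; if it is a leftover, drop it. The same sequence sits on the changed lines of `test_undefined_in_group_eval_seven` and `test_undefined_in_group_eval_nine` in this file, and of `test_undefined_in_group_eval_two`, `_three` and `_four` in globalgroup_test.py. The test body continues outside the hunk.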
@@ -140,7 +148,7 @@ def test_undefined_in_group_eval_six(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
     # test UNDEFINED in group
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -168,7 +176,7 @@ def test_undefined_in_group_eval_seven(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
     # test UNDEFINED in group
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -196,7 +204,7 @@ def test_undefined_in_group_eval_eight(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
     # test UNDEFINED in group
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -224,7 +232,7 @@ def test_undefined_in_group_eval_nine(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
     # test UNDEFINED in group
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
@@ -252,7 +260,7 @@ def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
     user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
     user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -281,7 +289,7 @@ def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
     user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
     user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -312,7 +320,7 @@ def test_undefined_in_group_eval_twelve(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
     user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -341,7 +349,7 @@ def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
     user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
     conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
@@ -372,7 +380,7 @@ def test_undefined_in_group_eval_fifteen(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
     UserAccount(topo.standalone, NESTEDGROUP_OU_GLOBAL).add("description", DEEPUSER_GLOBAL)
     # Here do the same tests for userattr  with the parent keyword.
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
@@ -399,7 +407,7 @@ def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user):
             5. Operation should  succeed
     """
     domain = Domain(topo.standalone, DEFAULT_SUFFIX)
-    domain.add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
+    domain.add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
     domain.add("description", DEEPUSER_GLOBAL)
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
     # Test with parent keyword with not key
@@ -427,7 +435,7 @@ def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
     # Test with the parent keyord
     user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
@@ -455,7 +463,7 @@ def test_undefined_in_group_eval_eighteen(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
     # Test with parent keyword with not key
     user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])

+ 12 - 4
dirsrvtests/tests/suites/acl/globalgroup_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -72,6 +72,14 @@ def test_user(request, topo):
             'userPassword': PW_DM
         })
 
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', ANON_ACI)
+
     uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
     for demo1 in ['DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER1_GLOBAL',
                   'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild']:
@@ -361,7 +369,7 @@ def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
     # This aci should  allow access
@@ -389,7 +397,7 @@ def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
     user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
     # test UNDEFINED in group
@@ -417,7 +425,7 @@ def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
             4. Operation should  succeed
             5. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
     conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
     # test UNDEFINED in group
     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

+ 20 - 22
dirsrvtests/tests/suites/acl/keywords_part2_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -64,24 +64,23 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
     # Wait till Access Log is generated
     topo.standalone.restart()
 
-    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
-
     # Add ACI
     domain = Domain(topo.standalone, DEFAULT_SUFFIX)
-    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
-                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '
+                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "::1" ;)')
 
     # create a new connection for the test
     conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
     # Perform Operation
     org = OrganizationalUnit(conn, IP_OU_KEY)
     org.replace("seeAlso", "cn=1")
+
     # remove the aci
-    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '
+    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '
                                  f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
-                                 f'ip = "{ip_ip}" ;)')
+                                 f'ip = "::1" ;)')
     # Now add aci with new ip
-    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
                       f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')
 
     # After changing  the ip user cant access data
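Review bot: Hard-coding `ip = "::1"` in place of the address read from the access log assumes the test client always reaches the instance over IPv6 loopback. Where the connection arrives from 127.0.0.1 this allow rule will not match. In `test_connectin_from_an_unauthorized_network` the `ip != "::1"` rule would then match, so the denial that test presumably expects (its assertions are outside the hunks) would not hold. keywords_test.py in this commit already covers both loopbacks with `(ip = "127.0.0.1" or ip = "::1")`; the same expression fits the allow rules here, with `not (ip = "127.0.0.1" or ip = "::1")` for the negative rule. The `ensure_removed` string should change in step with the added value, and the function continues past this hunk.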
@@ -104,14 +103,13 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
         2. Operation should  succeed
         3. Operation should  succeed
     """
-    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
-    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
+
     # Add ACI
     domain = Domain(topo.standalone, DEFAULT_SUFFIX)
     domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
-                      f'(targetattr=*)(version 3.0; aci "IP aci"; '
+                      f'(targetattr="*")(version 3.0; aci "IP aci"; '
                       f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
-                      f'and ip != "{ip_ip}" ;)')
+                      f'and ip != "::1" ;)')
 
     # create a new connection for the test
     conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
@@ -122,9 +120,9 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
     # Remove the ACI
     domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
     # Add new ACI
-    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
+    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
                       f'(version 3.0; aci "IP aci"; allow(all) '
-                      f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
+                      f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "::1" ;)')
 
     # now user can access data
     org.replace("seeAlso", "cn=1")
@@ -148,7 +146,7 @@ def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '
+                                      f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
                                       f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
 
     # Create a new connection for this test.
@@ -177,7 +175,7 @@ def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                                       f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
                                       f'(timeofday >= "0000" and timeofday <= "2359") ;)')
 
@@ -206,7 +204,7 @@ def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_use
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                                       f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
                                       f'and timeofday < "1200" ;)')
 
@@ -239,7 +237,7 @@ def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_u
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                                       f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
                                       f'and timeofday > \'1200\' ;)')
 
@@ -275,7 +273,7 @@ def test_timeofday_keyword(topo, add_user, aci_of_user):
     # Add ACI
     domain = Domain(topo.standalone, DEFAULT_SUFFIX)
     domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
-                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                       f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
                       f'and timeofday = \'{now_1}\' ;)')
 
@@ -312,7 +310,7 @@ def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user)
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
+                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                                       f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
                                       f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
 
@@ -342,7 +340,7 @@ def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
+                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
                                       f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                       f'and dayofweek = \'{today_1}\' ;)')
 
@@ -371,7 +369,7 @@ def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
     # Add ACI
     Domain(topo.standalone,
            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
-                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
+                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
                                       f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                       f'and dayofweek = "$NEW_DATE" ;)')
 

+ 11 - 11
dirsrvtests/tests/suites/acl/keywords_test.py

@@ -39,11 +39,11 @@ NONE_2_KEY = "uid=NONE_2_KEY,{}".format(AUTHMETHOD_OU_KEY)
 
 
 NONE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
-               f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
+               f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
                f'allow(all) userdn = "ldap:///{NONE_1_KEY}" and authmethod = "none" ;)'
 
 SIMPLE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
-                 f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
+                 f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
                  f'allow(all) userdn = "ldap:///{SIMPLE_1_KEY}" and authmethod = "simple" ;)'
 
 
@@ -236,7 +236,7 @@ def test_user_can_access_the_data_when_connecting_from_any_machine(
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX)\
         .add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'
-                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                    f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                     f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
 
     # Create a new connection for this test.
@@ -265,9 +265,9 @@ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
         add("aci", [f'(target = "ldap:///{DNS_OU_KEY}")'
-                    f'(targetattr=*)(version 3.0; aci "DNS aci"; '
+                    f'(targetattr="*")(version 3.0; aci "DNS aci"; '
                     f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',
-                    f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+                    f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                     f'(version 3.0; aci "DNS aci"; allow(all) '
                     f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{dns_name}" ;)'])
 
@@ -297,7 +297,7 @@ def test_user_can_access_the_data_when_connecting_from_some_network_only(
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX)\
         .add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
-                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                    f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                     f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                     f'and dns = "{dns_name}" ;)')
 
@@ -324,7 +324,7 @@ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
-                   f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                    f'userdn = "ldap:///{NETSCAPEDNS_KEY}" and dns != "red.iplanet.com" ;)')
 
     # Create a new connection for this test.
@@ -351,7 +351,7 @@ def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_networ
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
-                   f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                    f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                    f'and dnsalias != "www.redhat.com" ;)')
 
@@ -377,7 +377,7 @@ def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user
     """
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                    f'(version 3.0; aci "DNS aci"; allow(all) '
                    f'userdn = "ldap:///{NODNS_KEY}" '
                    f'and dns = "RAP.rock.SALSA.house.COM" ;)')
@@ -406,7 +406,7 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
     """
     # Add ACI
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                    f'(version 3.0; aci "DNS aci"; allow(all) '
                    f'userdn = "ldap:///{NODNS_KEY}" and '
                    f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
@@ -438,7 +438,7 @@ def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user,
     """
     # Add ACI that contains both IPv4 and IPv6
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*) '
+        add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
                    f'(version 3.0; aci "IP aci"; allow(all) '
                    f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')
 

+ 26 - 17
dirsrvtests/tests/suites/acl/misc_test.py

@@ -1,6 +1,6 @@
 """
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 RED Hat, Inc.
+# Copyright (C) 2020 RED Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -8,6 +8,7 @@
 # --- END COPYRIGHT BLOCK ----
 """
 
+import ldap
 import os
 import pytest
 
@@ -21,8 +22,6 @@ from lib389.topologies import topology_st as topo
 from lib389.idm.domain import Domain
 from lib389.plugins import ACLPlugin
 
-import ldap
-
 pytestmark = pytest.mark.tier1
 
 PEOPLE = "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)
@@ -37,7 +36,19 @@ def aci_of_user(request, topo):
     :param request:
     :param topo:
     """
-    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
+
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
+    aci_list = suffix.get_attr_vals('aci')
 
     def finofaci():
         """
@@ -96,7 +107,7 @@ def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
     for i in [('mail', '[email protected]'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
         user.set(i[0], i[1])
 
-    aci_target = "(targetattr=givenname)"
+    aci_target = '(targetattr="givenname")'
     aci_allow = ('(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)')
     aci_subject = 'userdn="ldap:///anyone";)'
     Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
@@ -132,7 +143,7 @@ def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
     uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
     user = uas.create_test_user()
 
-    aci_target = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
+    aci_target = '(target ="ldap:///{}")(targetattr!="userPassword")'.format(CONTAINER_1_DELADD)
     # more_then_40_acl_will not crash_slapd
     for i in range(40):
         aci_allow = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(i)
@@ -163,7 +174,7 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
     """
     assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci')
     Domain(topo.standalone, DEFAULT_SUFFIX)\
-        .add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")'
+        .replace("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr != "userPassword")'
                      '(version 3.0;acl "anonymous access";allow (search)'
                      '(userdn = "ldap:///anyone");)',
                      f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
@@ -176,7 +187,7 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
     conn = Anonymous(topo.standalone).bind()
     # search_access_should_not_include_read_access
     suffix = Domain(conn, DEFAULT_SUFFIX)
-    with pytest.raises(AssertionError):
+    with pytest.raises(Exception):
         assert suffix.present('aci')
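Review bot: `pytest.raises(Exception)` lets this access-control check pass on any failure at all, such as a dropped connection or a mistake in the call, not only when the anonymous bind is refused the `aci` attribute. Name the exception that the denial actually produces; if more than one outcome is legitimate, list them, e.g. `with pytest.raises((AssertionError, ldap.NO_SUCH_OBJECT)):`, where the second type is a guess to confirm against a run. A short comment stating which outcome is expected would help, since the reason `AssertionError` alone stopped being sufficient is not visible in the hunk. It is presumably tied to the switch from `.add` to `.replace("aci", ...)` in the preceding hunk.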
 
 
@@ -211,9 +222,9 @@ def test_only_allow_some_targetattr(topo, clean, aci_of_user):
     # aci will allow only mail targetattr
     assert len(accounts.filter('(mail=*)')) == 2
     # aci will allow only mail targetattr
-    assert not accounts.filter('(cn=*)')
+    assert not accounts.filter('(cn=*)', scope=1)
     # with root no , blockage
-    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) == 2
+    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)', scope=1)) == 2
 
     for i in uas.list():
         i.delete()
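Review bot: `scope=1` on the two changed `filter()` calls is a bare number; `ldap` is imported at the top of this file, so `scope=ldap.SCOPE_ONELEVEL` says the same thing readably. The first assertion in this hunk, `len(accounts.filter('(mail=*)')) == 2`, stays unscoped, as do the `for i in account.filter('(mail=*)')` loops in `test_only_allow_some_targetattr_two`. The positive and negative checks therefore no longer search the same set of entries. A one-line comment on why one-level scope is needed (presumably to skip entries deeper in the tree) would make the narrowed `assert not accounts.filter('(cn=*)', scope=1)` easier to trust as a real denial.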
@@ -251,8 +262,8 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
     conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
     # aci will allow only mail targetattr but only for cn=Anuj
     account = Accounts(conn, DEFAULT_SUFFIX)
-    assert len(account.filter('(mail=*)')) == 5
-    assert not account.filter('(cn=*)')
+    assert len(account.filter('(mail=*)', scope=1)) == 5
+    assert not account.filter('(cn=*)', scope=1)
 
     for i in account.filter('(mail=*)'):
         assert i.get_attr_val_utf8('mail') == '[email protected]'
@@ -261,8 +272,8 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
     conn = Anonymous(topo.standalone).bind()
     # aci will allow only mail targetattr but only for cn=Anuj
     account = Accounts(conn, DEFAULT_SUFFIX)
-    assert len(account.filter('(mail=*)')) == 5
-    assert not account.filter('(cn=*)')
+    assert len(account.filter('(mail=*)', scope=1)) == 5
+    assert not account.filter('(cn=*)', scope=1)
 
     for i in account.filter('(mail=*)'):
         assert i.get_attr_val_utf8('mail') == '[email protected]'
@@ -274,7 +285,6 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
         i.delete()
 
 
-
 @pytest.mark.bz326000
 def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
     """Non-regression test for BUG 326000: MemberURL needs to be normalized
@@ -291,7 +301,7 @@ def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
         3. Operation should  succeed
     """
     ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
-    ou_ou.set('aci', '(targetattr= *)'
+    ou_ou.set('aci', '(targetattr="*")'
                      '(version 3.0; acl "tester"; allow(all) '
                      'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(DEFAULT_SUFFIX))
 
@@ -407,7 +417,6 @@ def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
     for i in range(len(uas.list())):
         uas.list()[i].bind(PW_DM)
 
-
 if __name__ == "__main__":
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main("-s -v %s" % CURRENT_FILE)

+ 15 - 5
dirsrvtests/tests/suites/acl/modify_test.py

@@ -42,7 +42,18 @@ def cleanup_tree(request, topo):
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
-    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
+    aci_list = suffix.get_attr_vals('aci')
 
     def finofaci():
         domain = Domain(topo.standalone, DEFAULT_SUFFIX)
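Review bot: The anonymous ACI added by `aci_of_user` uses `targetattr="*"`, which lets `ldap:///anyone` read, search and compare every attribute including `userPassword`, while the same fixture in the search_real*_test.py files uses `(targetattr != "userpassword")`. Unless the modify tests depend on the wider grant, use the same target here: `ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)`. Note also that `aci_list` is read after the add, so the finalizer restores the anonymous ACI and it stays on the suffix for later tests; if that is intended, a one-line comment should say so. The block is now copied into four test modules and would be easier to keep consistent as one shared fixture. `finofaci` continues outside the hunk.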
@@ -262,7 +273,7 @@ def test_allow_write_access_to_userdn_with_multiple_dns(topo, aci_of_user, clean
     ua = UserAccount(conn, USER_DELADD)
     ua.add("title", "Architect")
     assert ua.get_attr_val('title')
-    
+
 
 def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user, cleanup_tree):
     """Modify Test 6 Allow write access to target with wildcards
@@ -324,7 +335,7 @@ def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree, reque
         2. Operation should  succeed
         3. Operation should  succeed
     """
-    ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name)
+    ACI_BODY = '(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name)
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
 
     for i in ['Product Development', 'Accounting']:
@@ -393,8 +404,7 @@ def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
     conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
     # Allow selfwrite access to anyone
     groups = Groups(conn, DEFAULT_SUFFIX)
-    groups.list()[0].add_member(USER_DELADD)
-    group.delete()
+    groups.list()[1].add_member(USER_DELADD)
 
 
 def test_uniquemember_should_also_be_the_owner(topo,  aci_of_user):
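Review bot: `groups.list()[1].add_member(USER_DELADD)` selects the group by its position in the search result, and the hunk gives no reason for moving from index 0 to 1; the order in which entries come back is presumably not something the test controls. Fetching the group by name with `groups.get(GROUP_CN)`, where GROUP_CN is a placeholder for the cn the fixture creates, would make the target explicit. With `group.delete()` removed, the visible part of the test ends without any assertion, so consider checking the membership after the add. The test body starts outside the hunk.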

+ 4 - 4
dirsrvtests/tests/suites/acl/modrdn_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -102,7 +102,7 @@ def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user, request):
         3. Operation should  succeed
     """
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
-        '(target ="ldap:///{}")(targetattr=*)(version 3.0;acl "{}";allow '
+        '(target ="ldap:///{}")(targetattr="*")(version 3.0;acl "{}";allow '
         '(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX, request.node.name))
     conn = Anonymous(topo.standalone).bind()
     # Allow write privilege to anyone
@@ -130,7 +130,7 @@ def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_u
         2. Operation should  succeed
         3. Operation should  succeed
     """
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
     # Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
     useraccount = UserAccount(conn, USER_DELADD)
@@ -281,7 +281,7 @@ def test_renaming_target_entry(topo, _add_user, aci_of_user):
     user.set("userPassword", "password")
     ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
     ou.create(properties={'ou': 'OU0'})
-    ou.set('aci', '(targetattr=*)(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
+    ou.set('aci', '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
     conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
     assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
     # Test for renaming target entry

+ 6 - 6
dirsrvtests/tests/suites/acl/repeated_ldap_add_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -454,12 +454,12 @@ def test_repeated_ldap_add(topology_st):
     log.info('Inactivate %s' % BINDDN)
     if ds_paths.version < '1.3':
         nsinactivate = '%s/ns-inactivate.pl' % inst_dir
-        nsinactivate_cmd = [nsinactivate, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
+        cli_cmd = [nsinactivate, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
     else:
-        nsinactivate = '%s/ns-inactivate.pl' % ds_paths.sbin_dir
-        nsinactivate_cmd = [nsinactivate, '-Z', SERVERID_STANDALONE, '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN]
-    log.info(nsinactivate_cmd)
-    p = Popen(nsinactivate_cmd)
+        dsidm = '%s/dsidm' % ds_paths.sbin_dir
+        cli_cmd = [dsidm, SERVERID_STANDALONE, '-b', DEFAULT_SUFFIX, 'account', 'lock', BINDDN]
+    log.info(cli_cmd)
+    p = Popen(cli_cmd)
     assert (p.wait() == 0)
 
     log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, BUID, ldap.UNWILLING_TO_PERFORM.__name__))
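Review bot: `log.info(cli_cmd)` writes the whole argument list to the test log, and in the `ds_paths.version < '1.3'` branch that list still contains `'-w', PASSWORD`, i.e. the Directory Manager password. Log a redacted copy instead, for example `log.info([a if a != PASSWORD else '********' for a in cli_cmd])`. The new `dsidm ... account lock` call passes no bind credentials, so it presumably relies on a local autobind; a comment stating that assumption would help anyone running the suite under a different account. test_repeated_ldap_add starts and ends outside the hunk.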

+ 2 - 2
dirsrvtests/tests/suites/acl/roledn_test.py

@@ -78,10 +78,10 @@ def _add_user(request, topo):
                       f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
                       f'(version 3.0; aci "or role aci"; allow(all) '
                       f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
-                      f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
+                      f'(target="ldap:///{ALL_ACCESS}")(targetattr="*")'
                       f'(version 3.0; aci "anyone role aci"; allow(all) '
                       f'roledn = "ldap:///anyone";)',
-                      f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
+                      f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr="*")'
                       f'(version 3.0; aci "not role aci"; allow(all)'
                       f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'])
 

+ 38 - 26
dirsrvtests/tests/suites/acl/search_real_part2_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -24,6 +24,17 @@ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
 
     def finofaci():
@@ -31,9 +42,10 @@ def aci_of_user(request, topo):
         domain.set('aci', None)
         for i in aci_list:
             domain.add("aci", i)
+            pass
 
     request.addfinalizer(finofaci)
-    
+
 
 @pytest.fixture(scope="module")
 def test_uer(request, topo):
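Review bot: The `pass` added after `domain.add("aci", i)` in `finofaci` is a no-op inside a loop that already has a body and can be dropped. If it was meant as a placeholder for tolerating errors while the saved ACIs are restored, that needs a `try`/`except` around the `add` call rather than a trailing `pass`.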
@@ -84,7 +96,7 @@ def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_use
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target != ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD)
+    ACI_TARGET = "(target != ldap:///{})(targetattr=\"*\")".format(CONTAINER_2_DELADD)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -96,7 +108,7 @@ def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_use
     # After binding with USER_ANUJ , aci will limit the search to itself
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # After binding with root , the actual number of users will be given
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
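Review bot: The expected entry count changes from `2` to `4` here and in most later hunks of this file and of search_real_part3_test.py (where `102` also becomes `103`), with nothing stating which entries make up the new total. Such literals break whenever the default suffix content changes, which is presumably what happened here. Reading the unrestricted count once before the ACI is added, e.g. `total = len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))`, and comparing the bound-user results against it would keep the tests about what the ACI hides. At minimum, add a comment naming the entries being counted.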
@@ -119,7 +131,7 @@ def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=*)".format(
+    ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=\"*\")".format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -132,7 +144,7 @@ def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
     # aci will limit the search to ou=Product it will block others
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root , aci will give actual no of users , without any limit.
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with__target_set_on_wildcard_leaf(
@@ -155,7 +167,7 @@ def test_deny_all_access_with__target_set_on_wildcard_leaf(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format(
+    ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=\"*\")".format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -168,7 +180,7 @@ def test_deny_all_access_with__target_set_on_wildcard_leaf(
     # aci will limit the search to cn=Jeff it will block others
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with_targetfilter_using_equality_search(
@@ -191,7 +203,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(
+    ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr="*")'.format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -227,7 +239,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search_two(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = '(targetfilter !="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(
+    ACI_TARGET = '(targetfilter !="(uid=Anuj Borah)")(target = ldap:///{})(targetattr="*")'.format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -240,7 +252,7 @@ def test_deny_all_access_with_targetfilter_using_equality_search_two(
     # aci will limit the search to cn=Jeff it will block others
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with_targetfilter_using_substring_search(
@@ -263,7 +275,7 @@ def test_deny_all_access_with_targetfilter_using_substring_search(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = '(targetfilter ="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(
+    ACI_TARGET = '(targetfilter ="(uid=Anu*)")(target = ldap:///{})(targetattr="*")'.format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
@@ -299,10 +311,10 @@ def test_deny_all_access_with_targetfilter_using_substring_search_two(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(
+    ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr="*")'.format(
         DEFAULT_SUFFIX
     )
-    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
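Review bot: `ACI_ALLOW` in test_deny_all_access_with_targetfilter_using_substring_search_two switches from `deny absolute (all)` to `deny (all)`, and the same change is made in test_deny_all_access_with_userdn further down, while the neighbouring tests keep `deny absolute`. Nothing in the hunk says why these two differ, so a reader cannot tell whether `absolute` is no longer accepted for these ACIs or the tests were loosened in order to pass. Add a comment above the line giving the reason plain `deny` is used in these two tests.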
@@ -313,7 +325,7 @@ def test_deny_all_access_with_targetfilter_using_substring_search_two(
     # aci allow anything cn=j*, it will block others
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
     # with root there is no blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
 
 
 def test_deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search(
@@ -374,19 +386,19 @@ def test_deny_all_access_to__userdn_two(topo, test_uer, aci_of_user):
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
+    ACI_TARGET = "(target = ldap:///{})(targetattr=\"*\")".format(DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn!="ldap:///{}";)'.format(USER_ANANDA)
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
     # aci will not block anything for USER_ANANDA , it block other users
-    assert  2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
-    # aci will not block anything for USER_ANANDA , it block other users
+    # aci will block everything for other users
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
-    # with root thers is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    # with root there is no aci blockage
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
@@ -407,8 +419,8 @@ def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
-    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+    ACI_TARGET = "(target = ldap:///{})(targetattr=\"*\")".format(DEFAULT_SUFFIX)
+    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (all)'
     ACI_SUBJECT = 'userdn="ldap:///{}";)'.format(USER_ANANDA)
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
@@ -416,10 +428,10 @@ def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
     # aci will block anything for USER_ANANDA , it not block other users
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
-    # aci will block anything for USER_ANANDA , it not block other users
-    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    # aci will block anything for other users
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root thers is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with_targetfilter_using_presence_search(
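Review bot: The rewritten comment `# aci will block anything for other users` sits above an assertion that USER_ANUJ sees 4 entries, so it states the opposite of what is checked; the ACI in this test denies only `USER_ANANDA`. Suggested wording: `# aci does not block other users`. The next comment, `# with root thers is no aci blockage`, still carries the typo that was corrected in test_deny_all_access_to__userdn_two.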
@@ -445,7 +457,7 @@ def test_deny_all_access_with_targetfilter_using_presence_search(
     user = UserAccounts(topo.standalone,  DEFAULT_SUFFIX).create_test_user()
     user.set('userPassword', PW_DM)
 
-    ACI_TARGET = '(targetfilter ="(cn=*)")(target = ldap:///{})(targetattr=*)'.format(
+    ACI_TARGET = '(targetfilter ="(cn=*)")(target = ldap:///{})(targetattr="*")'.format(
         DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+ 28 - 17
dirsrvtests/tests/suites/acl/search_real_part3_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -27,7 +27,18 @@ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
-    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
+    aci_list = suffix.get_attr_vals('aci')
 
     def finofaci():
         domain = Domain(topo.standalone, DEFAULT_SUFFIX)
@@ -36,7 +47,7 @@ def aci_of_user(request, topo):
             domain.add("aci", i)
 
     request.addfinalizer(finofaci)
-    
+
 
 @pytest.fixture(scope="module")
 def test_uer(request, topo):
@@ -86,7 +97,7 @@ def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user)
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
     ACI_SUBJECT = (
         'userdn="ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)
@@ -99,7 +110,7 @@ def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user)
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
     # aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber
-    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
     UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')
 
@@ -122,7 +133,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_two(topo, test_uer, aci_of_u
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
     ACI_SUBJECT = (
         'userdn != "ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)
@@ -132,7 +143,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_two(topo, test_uer, aci_of_u
     UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')
     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
     # aci will not block all users having roomnumber=3445 , it will block others
-    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
     # aci will not block all users having roomnumber=3445 , it will block others
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
@@ -160,7 +171,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
     ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format(DEFAULT_SUFFIX)
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -172,7 +183,7 @@ def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
     # aci will  block all users LDAP URL matching all users
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
@@ -210,7 +221,7 @@ def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
     # USER_ANUJ is not a member
-    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     group.delete()
 
 
@@ -251,7 +262,7 @@ def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(
     # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
     group.delete()
 
 
@@ -290,7 +301,7 @@ def test_deny_read_access_to_dynamic_group_with_scope_set_to_one_in_ldap_url(
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
     # aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
-    assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
     # aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
@@ -335,7 +346,7 @@ def test_deny_read_access_to_dynamic_group_two(topo, test_uer, aci_of_user):
     # aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
     group.delete()
 
 
@@ -381,7 +392,7 @@ def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
         'uniquemember': [USER_ANANDA, USER_ANUJ]
     })
 
-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target = ldap:///{})(targetattr=*)'
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target = ldap:///{})(targetattr="*")'
     '(version 3.0; acl "{}"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )'.format(DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX))
     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
     # deny_access_to_group_should_deny_access_to_all_uniquemember
@@ -390,7 +401,7 @@ def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
     # deny_access_to_group_should_deny_access_to_all_uniquemember
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):
@@ -417,10 +428,10 @@ def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):
     # no aci no blockage
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj*)'))
     # no aci no blockage
-    assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 103 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
     conn = Anonymous(topo.standalone).bind()
     # anonymous_search_on_monitor_entry
-    assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 103 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
 
 
 @pytest.mark.bz301798

+ 26 - 15
dirsrvtests/tests/suites/acl/search_real_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -26,6 +26,17 @@ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
 
     def finofaci():
@@ -85,7 +96,7 @@ def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user):
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(USER_ANANDA)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(USER_ANANDA)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -118,7 +129,7 @@ def test_deny_all_access_to_a_target_with_wild_card(topo, test_uer, aci_of_user)
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///uid=Ananda*, ou=*,{})(targetattr=*)".format(
+    ACI_TARGET = '(target = ldap:///uid=Ananda*, ou=*,{})(targetattr="*")'.format(
         DEFAULT_SUFFIX
     )
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
@@ -153,7 +164,7 @@ def test_deny_all_access_without_a_target_set(topo, test_uer, aci_of_user):
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(targetattr=*)"
+    ACI_TARGET = '(targetattr="*")'
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -188,7 +199,7 @@ def test_deny_read_search_and_compare_access_with_target_and_targetattr_set(
         4. Operation should Fail
         5. Operation should success
     """
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(CONTAINER_2_DELADD)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -247,7 +258,7 @@ def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):
     # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
     group = groups.get("group1")
     group.delete()
     posix_groups.get("group2")
@@ -273,7 +284,7 @@ def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user):
         5. Operation should success
     """
     UserAccount(topo.standalone, USER_ANUJ).add('manager', USER_ANANDA)
-    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
+    ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdnattr="manager";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -316,7 +327,7 @@ def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user, request):
     # aci will not block USER_ANANDA will block others
     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
 
 
 def test_deny_all_access_with__targetattr_set(topo, test_uer, aci_of_user):
@@ -348,25 +359,25 @@ def test_deny_all_access_with__targetattr_set(topo, test_uer, aci_of_user):
         'userPassword': PW_DM
     })
 
-    ACI_TARGET = "(targetattr != uid||Objectclass)"
+    ACI_TARGET = '(targetattr != "uid||Objectclass")'
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
     # aci will allow only uid=*
-    assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
     # aci will allow only uid=*
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
     # aci will allow only uid=*
-    assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 4 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
     # aci will allow only uid=*
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
     # with root there is no aci blockage
-    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
     # with root there is no aci blockage
-    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
+    assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
     user.delete()
 
 
@@ -398,7 +409,7 @@ def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
         'homeDirectory': '/home/' + 'Anuj12'
     })
 
-    ACI_TARGET = "(targetattr = uid)"
+    ACI_TARGET = '(targetattr="uid")'
     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
     ACI_SUBJECT = 'userdn="ldap:///anyone";)'
     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
@@ -410,7 +421,7 @@ def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
     # aci will block only uid=*
     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
     # with root there is no aci blockage
-    assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
+    assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
     testuser.delete()
 
 

+ 3 - 3
dirsrvtests/tests/suites/acl/selfdn_permissions_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -217,7 +217,7 @@ def test_selfdn_permission_search(topology_st, allow_user_init):
     topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
 
     ACI_TARGET = "(target = \"ldap:///cn=*,%s\")" % SUFFIX
-    ACI_TARGETATTR = "(targetattr = *)"
+    ACI_TARGETATTR = '(targetattr="*")'
     ACI_TARGETFILTER = "(targetfilter =\"(objectClass=%s)\")" % OC_NAME
     ACI_ALLOW = "(version 3.0; acl \"SelfDN search-read\"; allow (read, search, compare)"
     ACI_SUBJECT = " userattr = \"member#selfDN\";)"
@@ -272,7 +272,7 @@ def test_selfdn_permission_modify(topology_st, allow_user_init):
     topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
 
     ACI_TARGET = "(target = \"ldap:///cn=*,%s\")" % SUFFIX
-    ACI_TARGETATTR = "(targetattr = *)"
+    ACI_TARGETATTR = '(targetattr="*")'
     ACI_TARGETFILTER = "(targetfilter =\"(objectClass=%s)\")" % OC_NAME
     ACI_ALLOW = "(version 3.0; acl \"SelfDN write\"; allow (write)"
     ACI_SUBJECT = " userattr = \"member#selfDN\";)"

+ 27 - 29
dirsrvtests/tests/suites/acl/syntax_test.py

@@ -1,12 +1,10 @@
-"""
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ----
-"""
 
 import os
 import pytest
@@ -74,66 +72,66 @@ INVALID = [('test_targattrfilters_1',
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_targattrfilters_19',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI";  deny(write)gropdn="ldap:///anyone";)'),
            ('test_targattrfilters_21',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI";  deny(rite)userdn="ldap:///anyone";)'),
            ('test_targattrfilters_22',
             f'(targt = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI";  deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_targattrfilters_23',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI";   absolute (all)userdn="ldap:///anyone";)'),
            ('test_Missing_acl_mispel',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0; alc "Name of the ACI";  deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_Missing_acl_string',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 3.0;  "Name of the ACI";  deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_Wrong_version_string',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(version 2.0; acl "Name of the ACI";  deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_Missing_version_string',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(targetattr=*)'
+            f'(targetattr="*")'
             f'(; acl "Name of the ACI";  deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_Authenticate_statement',
             f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
             f'(targetattr != "uid")'
-            f'(targetattr=*)(version 3.0; acl "Name of the ACI";  deny absolute (all)'
+            f'(targetattr="*")(version 3.0; acl "Name of the ACI";  deny absolute (all)'
             f'userdn="ldap:///anyone";)'),
            ('test_Multiple_targets',
             f'(target = ldap:///ou=Product Development,{DEFAULT_SUFFIX})'
-            f'(target = ldap:///ou=Product Testing,{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap:///ou=Product Testing,{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_Target_set_to_self',
-            f'(target = ldap:///self)(targetattr=*)'
+            f'(target = ldap:///self)(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_target_set_with_ldap_instead_of_ldap',
-            f'(target = ldap:\\\{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap:\\\{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_target_set_with_more_than_three',
-            f'(target = ldap:////{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap:////{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_target_set_with_less_than_three',
-            f'(target = ldap://{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap://{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_bind_rule_set_with_less_than_three',
-            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:/anyone";)'),
            ('test_Use_semicolon_instead_of_comma_in_permission',
-            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny '
             f'(read; search; compare; write)userdn="ldap:///anyone";)'),
            ('test_Use_double_equal_instead_of_equal_in_the_target',
-            f'(target == ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(target == ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
            ('test_use_double_equal_instead_of_equal_in_user_and_group_access',
             f'(target = ldap:///{DEFAULT_SUFFIX})'
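Review bot: In the `test_target_set_with_ldap_instead_of_ldap` entry the literal `ldap:\\\{DEFAULT_SUFFIX}` ends in `\{`, which is not a valid escape in a non-raw f-string and draws an invalid-escape warning on current Python versions. Writing the two intended backslashes explicitly, `f'(target = ldap:\\\\{DEFAULT_SUFFIX})(targetattr="*")'`, should produce the same ACI string without the warning. The INVALID list starts and ends outside the hunk.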
@@ -143,21 +141,21 @@ INVALID = [('test_targattrfilters_1',
             f'(target = ldap:///{DEFAULT_SUFFIX})'
             f'(version 3.0; acl  Name of the ACI ; deny absolute (all)userdn = "ldap:///anyone";)'),
            ('test_extra_parentheses_case_1',
-            f'( )(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'( )(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone";)'),
            ('test_extra_parentheses_case_2',
-            f'(((((target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(((((target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
             f'userdn == "ldap:///anyone";)'),
            ('test_extra_parentheses_case_3',
-            f'(((target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(((target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute '
             f'(all)userdn = "ldap:///anyone";)))'),
            ('test_no_semicolon_at_the_end_of_the_aci',
-            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone")'),
            ('test_a_character_different_of_a_semicolon_at_the_end_of_the_aci',
-            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
             f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone"%)'),
            ('test_bad_filter',
             f'(target = ldap:///{DEFAULT_SUFFIX}) '
@@ -173,14 +171,14 @@ INVALID = [('test_targattrfilters_1',
 
 FAILED = [('test_targattrfilters_18',
            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-           f'(targetattr=*)'
+           f'(targetattr="*")'
            f'(version 3.0; acl "Name of the ACI";  deny(write)userdn="ldap:///{"123" * 300}";)'),
           ('test_targattrfilters_20',
            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
-           f'(targetattr=*)'
+           f'(targetattr="*")'
            f'(version 3.0; acl "Name of the ACI";  deny(write)userdns="ldap:///anyone";)'),
           ('test_bind_rule_set_with_more_than_three',
-           f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+           f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
            f'userdn="ldap:////////anyone";)'),
           ('test_Use_double_equal_instead_of_equal_in_the_targetattr',
@@ -253,7 +251,7 @@ def test_target_set_above_the_entry_test(topo):
     domain = Domain(topo.standalone, "ou=People,{}".format(DEFAULT_SUFFIX))
     with pytest.raises(ldap.INVALID_SYNTAX):
         domain.add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
-                          f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute '
+                          f'(targetattr="*")(version 3.0; acl "Name of the ACI"; deny absolute '
                           f'(all)userdn="ldap:///anyone";)')
 
 

+ 3 - 3
dirsrvtests/tests/suites/acl/userattr_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -55,7 +55,7 @@ def _add_user(topo):
     """
     This function will create user for the test and in the end entries will be deleted .
     """
-    role_aci_body = '(targetattr=*)(version 3.0; aci "role aci"; allow(all)'
+    role_aci_body = '(targetattr="*")(version 3.0; aci "role aci"; allow(all)'
     # Creating OUs
     ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
     ou_accounting = ous.create(properties={'ou': 'Accounting'})
@@ -77,7 +77,7 @@ def _add_user(topo):
                                             'description': LEVEL_1,
                                             'businessCategory': LEVEL_0})
 
-    inheritance_aci_body = '(targetattr=*)(version 3.0; aci "Inheritance aci"; allow(all) '
+    inheritance_aci_body = '(targetattr="*")(version 3.0; aci "Inheritance aci"; allow(all) '
     ou_inheritance.set('aci', [f'{inheritance_aci_body} '
                                f'userattr = "parent[0].businessCategory#USERDN";)',
                                f'{inheritance_aci_body} '

+ 11 - 0
dirsrvtests/tests/suites/acl/valueacl_part2_test.py

@@ -28,6 +28,17 @@ HUMAN_OU_GLOBAL = "ou=Human Resources,{}".format(DEFAULT_SUFFIX)
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
 
     def finofaci():
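Review bot: The `aci_list` snapshot is taken after the anonymous-read ACI has been added, so whatever `finofaci` restores (its body is outside the hunk) would include that ACI, and anonymous read on every attribute except `userpassword` would stay on the suffix after the test. If the grant is meant to be scoped to these tests, take the snapshot first by moving `aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')` above the `suffix.add('aci', ANON_ACI)` block; if it is meant to persist, a comment such as `# anonymous read is left in place for later tests` would make that explicit. The same fixture code is added to valueacl_test.py, so a shared conftest fixture would avoid the copy.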

+ 12 - 1
dirsrvtests/tests/suites/acl/valueacl_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -28,6 +28,17 @@ HUMAN_OU_GLOBAL = "ou=Human Resources,{}".format(DEFAULT_SUFFIX)
 
 @pytest.fixture(scope="function")
 def aci_of_user(request, topo):
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
 
     def finofaci():

+ 9 - 9
dirsrvtests/tests/suites/attr_encryption/attr_encryption_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -47,7 +47,7 @@ def enable_user_attr_encryption(topo, request):
     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
     test_user = users.create(properties=TEST_USER_PROPERTIES)
     test_user.replace('employeeNumber', '1000')
-    test_user.replace('telephonenumber', '1234567890')
+    test_user.replace('telephoneNumber', '1234567890')
 
     def fin():
         log.info("Remove attribute encryption for various attributes")
@@ -70,7 +70,7 @@ def test_basic(topo, enable_user_attr_encryption):
          1. Restart the server
          2. Check employeenumber encryption enabled
          3. Check telephoneNumber encryption enabled
-         4. Check that encrypted attribute is present for user i.e. telephonenumber
+         4. Check that encrypted attribute is present for user i.e. telephoneNumber
     :expectedresults:
          1. This should be successful
          2. This should be successful
@@ -96,7 +96,7 @@ def test_basic(topo, enable_user_attr_encryption):
     log.info("Check telephoneNumber encryption is enabled")
     assert "telephoneNumber" in enc_attrs_cns
 
-    log.info("Check that encrypted attribute is present for user i.e. telephonenumber")
+    log.info("Check that encrypted attribute is present for user i.e. telephoneNumber")
     assert enable_user_attr_encryption.present('telephoneNumber')
 
 
@@ -139,8 +139,8 @@ def test_export_import_ciphertext(topo, enable_user_attr_encryption):
     log.info("Check that the encrypted value of attribute is not present in the exported file")
     with open(export_ldif, 'r') as ldif_file:
         ldif = ldif_file.read()
-        assert 'telephonenumber' in ldif
-        assert 'telephonenumber: 1234567890' not in ldif
+        assert 'telephoneNumber' in ldif
+        assert 'telephoneNumber: 1234567890' not in ldif
 
     log.info("Delete the test user entry with encrypted data")
     enable_user_attr_encryption.delete()
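Review bot: The cleartext-leak check `assert 'telephoneNumber: 1234567890' not in ldif` is case-sensitive on the attribute name, so if the export writes the name with any other casing the assertion passes even when the plaintext value is in the file. This commit had to change the casing of the expected name, which suggests the exported form is not stable. Comparing case-insensitively, `assert 'telephonenumber: 1234567890' not in ldif.lower()`, keeps the negative check meaningful; the positive check on the line above can use `ldif.lower()` the same way.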
@@ -267,7 +267,7 @@ def test_attr_encryption_multiple_backends(topo, enable_user_attr_encryption):
             SSL Enabled
     :steps:
          1. Add two test backends
-         2. Configure attribute encryption for telephonenumber in one test backend
+         2. Configure attribute encryption for telephoneNumber in one test backend
          3. Configure attribute encryption for employeenumber in another test backend
          4. Add a test user in both backends with encrypted attributes
          5. Export data as ciphertext from both backends
@@ -371,8 +371,8 @@ def test_attr_encryption_backends(topo, enable_user_attr_encryption):
          2. Configure attribute encryption for telephoneNumber in one test backend
          3. Add a test user in both backends with telephoneNumber
          4. Export ldif from both test backends
-         5. Check that telephonenumber is encrypted in the ldif file of db1
-         6. Check that telephonenumber is not encrypted in the ldif file of db2
+         5. Check that telephoneNumber is encrypted in the ldif file of db1
+         6. Check that telephoneNumber is not encrypted in the ldif file of db2
          7. Delete both test backends
     :expectedresults:
          1. This should be successful

+ 2 - 3
dirsrvtests/tests/suites/clu/dsidm_config_test.py

@@ -7,7 +7,6 @@
 # --- END COPYRIGHT BLOCK ---
 #
 import time
-import subprocess
 import pytest
 import logging
 import os
@@ -47,11 +46,11 @@ def check_value_in_log_and_reset(content_list, content_list2=None, check_value=N
         if content_list2 is not None:
             log.info('Check if content is present in output')
             for item in content_list + content_list2:
-                assert item in file_content
+                assert item.lower() in file_content.lower()
         else:
             log.info('Check if content is present in output')
             for item in content_list:
-                assert item in file_content
+                assert item.lower() in file_content.lower()
 
         if check_value is not None:
             log.info('Check if value is present in output')
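Review bot: `file_content.lower()` is recomputed for every item in both loops; lower-casing once before the `if` (`content_lc = file_content.lower()`) and testing `item.lower() in content_lc` avoids the repeated copy. The comparison is now case-insensitive for values as well as attribute names, so a value-casing regression in the tool output would no longer fail here. The function starts and ends outside the hunk.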

+ 16 - 10
dirsrvtests/tests/suites/cos/indirect_cos_test.py

@@ -1,3 +1,11 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2020 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
 import logging
 import pytest
 import os
@@ -28,13 +36,9 @@ PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,' \
                         'ou=people,dc=example,dc=com",' \
                         'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com'
 
-PW_POLICY_CONT_PEOPLE2 = 'cn="cn=nsPwPolicyEntry,' \
-                        'dc=example,dc=com",' \
-                        'cn=nsPwPolicyContainerdc=example,dc=com'
-
 
 def check_user(inst):
-    """Search the test user and make sure it has the execpted attrs
+    """Search the test user and make sure it has the expected attrs
     """
     try:
         entries = inst.search_s('dc=example,dc=com', ldap.SCOPE_SUBTREE, "uid=test_user")
@@ -55,17 +59,19 @@ def setup_subtree_policy(topo):
 
     log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
     try:
-        subprocess.call(['%s/ns-newpwpolicy.pl' % topo.standalone.get_sbin_dir(),
-                         '-D', DN_DM, '-w', PASSWORD,
-                         '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE,
-                         '-S', DEFAULT_SUFFIX, '-Z', SERVERID_STANDALONE])
+        subprocess.call(['%s/dsconf' % topo.standalone.get_sbin_dir(),
+                         'slapd-standalone1',
+                         'localpwp',
+                         'addsubtree',
+                         OU_PEOPLE])
+
     except subprocess.CalledProcessError as e:
         log.error('Failed to create pw policy policy for {}: error {}'.format(
             OU_PEOPLE, e.message['desc']))
         raise e
 
     domain = Domain(topo.standalone, DEFAULT_SUFFIX)
-    domain.replace('pwdpolicysubentry', PW_POLICY_CONT_PEOPLE2)
+    domain.replace('pwdpolicysubentry', PW_POLICY_CONT_PEOPLE)
 
     time.sleep(1)
 
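Review bot: `subprocess.call` never raises `CalledProcessError`, so the `except` branch around the new `dsconf ... localpwp addsubtree` invocation cannot run and a failed policy creation is silently ignored; `subprocess.check_call([...])` would make the handler reachable. The handler itself reads `e.message['desc']`, which `CalledProcessError` does not provide, so it would need `e.returncode` instead. The instance name is hard-coded as `'slapd-standalone1'`; deriving it from `topo.standalone.serverid` would keep the test working if the topology name changes.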

+ 16 - 20
dirsrvtests/tests/suites/ds_logs/ds_logs_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2015 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -10,15 +10,14 @@ from decimal import *
 import os
 import logging
 import pytest
-import subprocess
 from lib389._mapped_object import DSLdapObject
 from lib389.topologies import topology_st
 from lib389.plugins import AutoMembershipPlugin, ReferentialIntegrityPlugin, AutoMembershipDefinitions
 from lib389.idm.user import UserAccounts
 from lib389.idm.group import Groups
 from lib389.idm.organizationalunit import OrganizationalUnits
-from lib389._constants import DEFAULT_SUFFIX, LOG_ACCESS_LEVEL, DN_CONFIG, HOST_STANDALONE, PORT_STANDALONE, DN_DM, PASSWORD
-from lib389.utils import ds_is_older
+from lib389._constants import DEFAULT_SUFFIX, LOG_ACCESS_LEVEL
+from lib389.utils import ds_is_older, ds_is_newer
 import ldap
 import glob
 
@@ -251,7 +250,7 @@ def test_plugin_set_invalid(topology_st):
 
     log.info('test_plugin_set_invalid - Expect to fail with junk value')
     with pytest.raises(ldap.OPERATIONS_ERROR):
-        result = topology_st.standalone.config.set(PLUGIN_TIMESTAMP, 'JUNK')
+        topology_st.standalone.config.set(PLUGIN_TIMESTAMP, 'JUNK')
 
 
 @pytest.mark.bz1273549
@@ -288,7 +287,7 @@ def test_log_plugin_on(topology_st, remove_users):
     access_log_lines = topology_st.standalone.ds_access_log.readlines()
     assert len(access_log_lines) > 0
     assert topology_st.standalone.ds_access_log.match(r'^\[.+\d{9}.+\].+')
- 
+
 
 @pytest.mark.bz1273549
 def test_log_plugin_off(topology_st, remove_users):
@@ -654,13 +653,11 @@ def test_internal_log_level_516(topology_st, add_user_log_level_516, disable_acc
                                     r'SRCH base="cn=group,ou=Groups,dc=example,dc=com".*')
     # (Internal) op=10(1)(2) ENTRY dn="cn=group,ou=Groups,dc=example,dc=com"
     assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) '
-                                    r'ENTRY dn="cn=group,ou=Groups,dc=example,dc=com".*')
+                                    r'ENTRY dn="cn=group,ou=groups,dc=example,dc=com".*')
     # (Internal) op=10(1)(2) RESULT err=0 tag=48 nentries=1*')
     assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1*')
     # (Internal) op=10(1)(1) RESULT err=0 tag=48
     assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48.*')
-    # op=10 RESULT err=0 tag=105
-    assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=105.*')
 
     log.info("Check the access logs for MOD operation of the user")
     # op=12 MODRDN dn="uid=test_user_777,ou=branch1,dc=example,dc=com" '
@@ -676,8 +673,8 @@ def test_internal_log_level_516(topology_st, add_user_log_level_516, disable_acc
                                         'ou=branch1,dc=example,dc=com".*')
     # (Internal) op=12(1)(1) RESULT err=0 tag=48 nentries=1
     assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
-    # op=12 RESULT err=0 tag=109
-    assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=109.*')
+    # op=12 RESULT err=0 tag=48
+    assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=48.*')
 
     log.info("Check the access logs for DEL operation of the user")
     # op=15 DEL dn="uid=new_test_user_777,dc=example,dc=com"
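Review bot: The negative check `assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=48.*')` looks vacuous: the pattern requires the non-internal form `op=N RESULT`, while the comments in this test show `tag=48` only on `(Internal) op=N(x)(y)` lines, so it would pass whatever the server logs for the client MODRDN. The line it replaces checked `tag=109`, and the matching `tag=105` check was dropped in the previous hunk. If the client RESULT line is now expected in the log, assert it positively with the `tag=109` pattern; otherwise remove this assertion as was done for `tag=105`. The test body continues outside the hunk.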
@@ -735,14 +732,13 @@ def test_access_log_truncated_search_message(topology_st, clean_access_logs):
     assert not topo.ds_access_log.match(r'.*cn500.*')
 
 
-
+@pytest.mark.skipif(ds_is_newer("1.4.3"), reason="rsearch was removed")
 @pytest.mark.xfail(ds_is_older('1.4.2.0'), reason="May fail because of bug 1732053")
 @pytest.mark.bz1732053
 @pytest.mark.ds50510
 def test_etime_at_border_of_second(topology_st, clean_access_logs):
     topo = topology_st.standalone
 
-
     prog = os.path.join(topo.ds_paths.bin_dir, 'rsearch')
 
     cmd = [prog]
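Review bot: `test_etime_at_border_of_second` still builds an `rsearch` command line and is only skipped on newer versions, while this commit removes `import subprocess` and the `DN_CONFIG`, `HOST_STANDALONE`, `PORT_STANDALONE`, `DN_DM` and `PASSWORD` imports at the top of the file. The rest of the test body is outside the hunk, so this is unconfirmed, but if it uses any of those names the test would fail with `NameError` on versions where it still runs. Either keep the imports the test needs or delete the test together with the tool it drives.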
@@ -794,14 +790,14 @@ def test_etime_order_of_magnitude(topology_st, clean_access_logs, remove_users,
          6. Parse the access log looking for the SRCH operation log
          7. From the SRCH string get the start time and op number of the operation
          8. From the op num find the associated RESULT string in the access log
-         9. From the RESULT string get the end time and the etime for the operation 
+         9. From the RESULT string get the end time and the etime for the operation
          10. Calculate the ratio between the calculated elapsed time (end time - start time) and the logged etime
     :expectedresults:
          1. access log buffering is off
          2. Previously existing access logs are deleted
          3. Users are successfully added
          4. Search operation is successful
-         5. Server is restarted and logs are flushed 
+         5. Server is restarted and logs are flushed
          6. SRCH operation log string is catched
          7. start time and op number are collected
          8. RESULT string is catched from the access log
@@ -809,7 +805,7 @@ def test_etime_order_of_magnitude(topology_st, clean_access_logs, remove_users,
          10. ratio between calculated elapsed time and logged etime is less or equal to 1
     """
 
-    entry = DSLdapObject(topology_st.standalone, DEFAULT_SUFFIX)
+    DSLdapObject(topology_st.standalone, DEFAULT_SUFFIX)
 
     log.info('add_users')
     add_users(topology_st.standalone, 30)
@@ -840,7 +836,7 @@ def test_etime_order_of_magnitude(topology_st, clean_access_logs, remove_users,
 
     # The result_str returned looks like :
     # [23/Apr/2020:06:06:14.366429900 -0400] conn=1 op=93 RESULT err=0 tag=101 nentries=30 etime=0.005723017
-    
+
     log.info('get the operation end time from the RESULT string')
     # Here we are getting the sec.nanosec part of the date, '14.366429900' in the above example
     end_time = (result_str.split()[0]).split(':')[3]
@@ -866,7 +862,7 @@ def test_log_base_dn_when_invalid_attr_request(topology_st, disable_access_log_b
     :steps:
          1. Disable the accesslog-logbuffering config parameter
          2. Delete the previous access log
-         3. Perform a base search on the DEFAULT_SUFFIX, using invalid "" "" attribute request
+         3. Perform a base search on the DEFAULT_SUFFIX, using ten empty attribute requests
          4. Check the access log file for 'invalid attribute request'
          5. Check the access log file for 'SRCH base="\(null\)"'
          6. Check the access log file for 'SRCH base="DEFAULT_SUFFIX"'
@@ -886,9 +882,9 @@ def test_log_base_dn_when_invalid_attr_request(topology_st, disable_access_log_b
 
     log.info("Search the default suffix, with invalid '\"\" \"\"' attribute request")
     log.info("A Protocol error exception should be raised, see https://github.com/389ds/389-ds-base/issues/3028")
-    # A ldap.PROTOCOL_ERROR exception is expected
+    # A ldap.PROTOCOL_ERROR exception is expected after 10 empty values
     with pytest.raises(ldap.PROTOCOL_ERROR):
-        assert entry.get_attrs_vals_utf8(['', ''])
+        assert entry.get_attrs_vals_utf8(['', '', '', '', '', '', '', '', '', '', ''])
 
     # Search for appropriate messages in the access log
     log.info('Check the access logs for correct messages')

+ 2 - 2
dirsrvtests/tests/suites/export/export_test.py

@@ -99,14 +99,14 @@ def test_db2ldif_cli_with_non_accessible_ldif_file_path(topo):
         4. 'ERR - bdb_db2ldif - db2ldif: userRoot: can't open file' should be reported
     """
     export_ldif = '/tmp/nonexistent/export.ldif'
-    db2ldif_cmd = os.path.join(topo.standalone.ds_paths.sbin_dir, 'db2ldif')
+    db2ldif_cmd = os.path.join(topo.standalone.ds_paths.sbin_dir, 'dsctl')
 
     log.info("Stopping the instance...")
     topo.standalone.stop()
 
     log.info("Performing an offline export to a non accessible ldif file path - should fail properly")
     try:
-        subprocess.check_call([db2ldif_cmd, '-Z', topo.standalone.serverid, '-s', DEFAULT_SUFFIX, '-a', export_ldif]) 
+        subprocess.check_call([db2ldif_cmd, topo.standalone.serverid, 'db2ldif', 'userroot', export_ldif])
     except subprocess.CalledProcessError as e:
         if format(e.returncode) == '139':
             log.error('db2ldif had a Segmentation fault (core dumped)')
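Review bot: The `139` segfault check in the handler may no longer see the exit status of the export itself now that the command runs through the `dsctl` wrapper; it is worth confirming that a crash in the underlying export still surfaces as return code 139 here, otherwise this branch is dead. The variable is also still named `db2ldif_cmd` although it holds the path to `dsctl`; `dsctl_cmd` would read better at the `check_call` site. The function body continues outside the hunk.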

+ 1 - 1
dirsrvtests/tests/suites/filter/basic_filter_test.py

@@ -38,7 +38,7 @@ def test_search_attr(topo):
     user = Accounts(topo.standalone, DEFAULT_SUFFIX)
 
     assert len(user.filter('(mail=*)')) == 4
-    assert len(user.filter('(uid=*)')) == 4
+    assert len(user.filter('(uid=*)')) == 5
 
     # Testing filter is working for other filters
     assert len(user.filter("(objectclass=inetOrgPerson)")) == 4

+ 13 - 5
dirsrvtests/tests/suites/filter/complex_filters_test.py

@@ -1,3 +1,11 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2020 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+
 import logging
 import pytest
 import os
@@ -30,13 +38,13 @@ AND_FILTERS = [("(&(uid=uid1)(sn=last1)(givenname=first1))", 1),
 OR_FILTERS = [("(|(uid=uid1)(sn=last1)(givenname=first1))", 1),
               ("(|(uid=uid1)(|(sn=last1)(givenname=first1)))", 1),
               ("(|(uid=uid1)(|(|(sn=last1))(|(givenname=first1))))", 1),
-              ("(|(objectclass=*)(sn=last1)(|(givenname=first1)))", 14),
+              ("(|(objectclass=*)(sn=last1)(|(givenname=first1)))", 18),
               ("(|(&(objectclass=*)(sn=last1))(|(givenname=first1)))", 1),
               ("(|(&(objectclass=*)(sn=last))(|(givenname=first1)))", 1)]
 
 NOT_FILTERS = [("(&(uid=uid1)(!(cn=NULL)))", 1),
                ("(&(!(cn=NULL))(uid=uid1))", 1),
-               ("(&(uid=*)(&(!(uid=1))(!(givenname=first1))))", 4)]
+               ("(&(uid=*)(&(!(uid=1))(!(givenname=first1))))", 5)]
 
 MIX_FILTERS = [("(&(|(uid=uid1)(uid=NULL))(sn=last1))", 1),
                ("(&(|(uid=uid1)(uid=NULL))(!(sn=NULL)))", 1),
@@ -59,9 +67,9 @@ ZERO_OR_FILTERS = [("(|(uid=NULL)(sn=NULL)(givenname=NULL))", 0),
 
 RANGE_FILTERS = [("(uid>=uid3)", 3),
                  ("(&(uid=*)(uid>=uid3))", 3),
-                 ("(|(uid>=uid3)(uid<=uid5))", 5),
+                 ("(|(uid>=uid3)(uid<=uid5))", 6),
                  ("(&(uid>=uid3)(uid<=uid5))", 3),
-                 ("(|(&(uid>=uid3)(uid<=uid5))(uid=*))", 5)]
+                 ("(|(&(uid>=uid3)(uid<=uid5))(uid=*))", 6)]
 
 LONG_FILTERS = [("(|(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
                  "(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
@@ -71,7 +79,7 @@ LONG_FILTERS = [("(|(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
                  "(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
                  "(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
                  "(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)(uid=*)" +
-                 "(uid=*))", 5)]
+                 "(uid=*))", 6)]
 
 
 # Combine all the filters

+ 3 - 3
dirsrvtests/tests/suites/filter/filter_cert_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -58,11 +58,11 @@ def test_positive(topo):
     user1_cert = users_people.list()[0].get_attr_val("userCertificate;binary")
     assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(
         f'(userCertificate;binary={search_filter_escape_bytes(user1_cert)})')[0].dn == \
-           'uid=test_user_1,ou=People,dc=example,dc=com'
+           'uid=test_user_1,ou=people,dc=example,dc=com'
     user2_cert = users_people.list()[1].get_attr_val("userCertificate;binary")
     assert Accounts(topo.standalone, DEFAULT_SUFFIX).filter(
         f'(userCertificate;binary={search_filter_escape_bytes(user2_cert)})')[0].dn == \
-           'uid=test_user_2,ou=People,dc=example,dc=com'
+           'uid=test_user_2,ou=people,dc=example,dc=com'
 
 
 if __name__ == '__main__':

+ 27 - 23
dirsrvtests/tests/suites/filter/filter_logic_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2017 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -13,7 +13,7 @@ import ldap
 from lib389.topologies import topology_st
 from lib389._constants import DEFAULT_SUFFIX
 
-from lib389.idm.user import UserAccounts
+from lib389.idm.user import UserAccount, UserAccounts
 
 pytestmark = pytest.mark.tier1
 
@@ -26,26 +26,26 @@ important to note, some tests check greater than 10 elements to assert that k-wa
 works, where as most of these actually hit the filtertest threshold so they early return.
 """
 
-USER0_DN = 'uid=user0,ou=People,%s' % DEFAULT_SUFFIX
-USER1_DN = 'uid=user1,ou=People,%s' % DEFAULT_SUFFIX
-USER2_DN = 'uid=user2,ou=People,%s' % DEFAULT_SUFFIX
-USER3_DN = 'uid=user3,ou=People,%s' % DEFAULT_SUFFIX
-USER4_DN = 'uid=user4,ou=People,%s' % DEFAULT_SUFFIX
-USER5_DN = 'uid=user5,ou=People,%s' % DEFAULT_SUFFIX
-USER6_DN = 'uid=user6,ou=People,%s' % DEFAULT_SUFFIX
-USER7_DN = 'uid=user7,ou=People,%s' % DEFAULT_SUFFIX
-USER8_DN = 'uid=user8,ou=People,%s' % DEFAULT_SUFFIX
-USER9_DN = 'uid=user9,ou=People,%s' % DEFAULT_SUFFIX
-USER10_DN = 'uid=user10,ou=People,%s' % DEFAULT_SUFFIX
-USER11_DN = 'uid=user11,ou=People,%s' % DEFAULT_SUFFIX
-USER12_DN = 'uid=user12,ou=People,%s' % DEFAULT_SUFFIX
-USER13_DN = 'uid=user13,ou=People,%s' % DEFAULT_SUFFIX
-USER14_DN = 'uid=user14,ou=People,%s' % DEFAULT_SUFFIX
-USER15_DN = 'uid=user15,ou=People,%s' % DEFAULT_SUFFIX
-USER16_DN = 'uid=user16,ou=People,%s' % DEFAULT_SUFFIX
-USER17_DN = 'uid=user17,ou=People,%s' % DEFAULT_SUFFIX
-USER18_DN = 'uid=user18,ou=People,%s' % DEFAULT_SUFFIX
-USER19_DN = 'uid=user19,ou=People,%s' % DEFAULT_SUFFIX
+USER0_DN = 'uid=user0,ou=people,%s' % DEFAULT_SUFFIX
+USER1_DN = 'uid=user1,ou=people,%s' % DEFAULT_SUFFIX
+USER2_DN = 'uid=user2,ou=people,%s' % DEFAULT_SUFFIX
+USER3_DN = 'uid=user3,ou=people,%s' % DEFAULT_SUFFIX
+USER4_DN = 'uid=user4,ou=people,%s' % DEFAULT_SUFFIX
+USER5_DN = 'uid=user5,ou=people,%s' % DEFAULT_SUFFIX
+USER6_DN = 'uid=user6,ou=people,%s' % DEFAULT_SUFFIX
+USER7_DN = 'uid=user7,ou=people,%s' % DEFAULT_SUFFIX
+USER8_DN = 'uid=user8,ou=people,%s' % DEFAULT_SUFFIX
+USER9_DN = 'uid=user9,ou=people,%s' % DEFAULT_SUFFIX
+USER10_DN = 'uid=user10,ou=people,%s' % DEFAULT_SUFFIX
+USER11_DN = 'uid=user11,ou=people,%s' % DEFAULT_SUFFIX
+USER12_DN = 'uid=user12,ou=people,%s' % DEFAULT_SUFFIX
+USER13_DN = 'uid=user13,ou=people,%s' % DEFAULT_SUFFIX
+USER14_DN = 'uid=user14,ou=people,%s' % DEFAULT_SUFFIX
+USER15_DN = 'uid=user15,ou=people,%s' % DEFAULT_SUFFIX
+USER16_DN = 'uid=user16,ou=people,%s' % DEFAULT_SUFFIX
+USER17_DN = 'uid=user17,ou=people,%s' % DEFAULT_SUFFIX
+USER18_DN = 'uid=user18,ou=people,%s' % DEFAULT_SUFFIX
+USER19_DN = 'uid=user19,ou=people,%s' % DEFAULT_SUFFIX
 
 @pytest.fixture(scope="module")
 def topology_st_f(topology_st):
@@ -60,6 +60,10 @@ def topology_st_f(topology_st):
             'gidNumber': '%s' % i,
             'homeDirectory': '/home/user%s' % i
         })
+
+
+    demo_user = UserAccount(topology_st.standalone, "uid=demo_user,ou=people,dc=example,dc=com")
+    demo_user.delete()
     # return it
     # print("ATTACH NOW")
     # import time
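Review bot: The added `demo_user.delete()` in `topology_st_f` is unguarded, and its DN hard-codes `dc=example,dc=com` while the rest of the file builds DNs from `DEFAULT_SUFFIX`. If the instance was created without the sample entry, the delete presumably raises and every test in the module errors during fixture setup. Building the DN as `'uid=demo_user,ou=people,%s' % DEFAULT_SUFFIX` and guarding with `if demo_user.exists(): demo_user.delete()` keeps the fixture independent of that. A short comment such as `# remove the sample entry so result counts only reflect the users created above` would explain why the entry is deleted. The fixture starts above the hunk.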
@@ -68,7 +72,7 @@ def topology_st_f(topology_st):
 
 def _check_filter(topology_st_f, filt, expect_len, expect_dns):
     # print("checking %s" % filt)
-    results = topology_st_f.search_s("ou=People,%s" % DEFAULT_SUFFIX, ldap.SCOPE_ONELEVEL, filt, ['uid',])
+    results = topology_st_f.search_s("ou=people,%s" % DEFAULT_SUFFIX, ldap.SCOPE_ONELEVEL, filt, ['uid',])
     assert len(results) == expect_len
     result_dns = [result.dn for result in results]
     assert set(expect_dns) == set(result_dns)

+ 4 - 7
dirsrvtests/tests/suites/filter/filter_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -114,7 +114,7 @@ def test_filter_scope_one(topology_st):
     :id: cf5a6078-bbe6-4d43-ac71-553c45923f91
     :setup: Standalone instance
     :steps:
-         1. Search cn=Directory Administrators,dc=example,dc=com using ldapsearch with
+         1. Search ou=services,dc=example,dc=com using ldapsearch with
             scope one using base as dc=example,dc=com
          2. Check that search should return only one entry
     :expectedresults:
@@ -122,11 +122,8 @@ def test_filter_scope_one(topology_st):
          2. This should pass
     """
 
-    parent_dn="dn: dc=example,dc=com"
-    child_dn="dn: cn=Directory Administrators,dc=example,dc=com"
-
     log.info('Search user using ldapsearch with scope one')
-    results = topology_st.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_ONELEVEL,'cn=Directory Administrators',['cn'] )
+    results = topology_st.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_ONELEVEL,'ou=services',['ou'] )
     log.info(results)
 
     log.info('Search should only have one entry')
@@ -251,7 +248,7 @@ def test_extended_search(topology_st):
          8. This should return one entry
     """
     log.info('Running test_filter_escaped...')
-    
+
     ATTR_VAL = 'ext-test-entry'
     USER1_DN = "uid=%s,%s" % (ATTR_VAL, DEFAULT_SUFFIX)
 

+ 7 - 0
dirsrvtests/tests/suites/filter/filter_with_non_root_user_test.py

@@ -16,6 +16,7 @@ import pytest
 
 from lib389._constants import DEFAULT_SUFFIX, PW_DM
 from lib389.topologies import topology_st as topo
+from lib389.idm.domain import Domain
 from lib389.idm.user import UserAccounts, UserAccount
 from lib389.idm.account import Accounts
 
@@ -231,6 +232,12 @@ def _create_entries(topo):
     """
     Will create necessary users for this script.
     """
+
+    # Add anonymous aci
+    ANON_ACI = "(targetattr != \"userpassword\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', ANON_ACI)
+
     # Creating Users
     users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
     for user, room in [('scarte2', '2013'),
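Review bot: `suffix.add('aci', ANON_ACI)` in `_create_entries` has no handling for an ACI value that is already present, whereas the same setup added to rfc3673_all_oper_attrs_test.py in this commit wraps the call in `try: ... except ldap.TYPE_OR_VALUE_EXISTS: pass`. The two files also spell the anonymous ACI differently: this one excludes only `userpassword`, the other excludes `userpassword || aci` and sets a `target`, so here the rule appears to leave the suffix's `aci` values readable to anonymous binds. Unless the test needs that, reuse the narrower form so the test fixtures do not model a broader anonymous grant than required. Whether the fixture removes the ACI on teardown is not visible in the hunk; the function continues past it.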

+ 16 - 2
dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py

@@ -11,6 +11,7 @@ from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st
 from lib389.idm.user import UserAccounts
+from lib389.idm.domain import Domain
 
 from lib389._constants import DN_DM, DEFAULT_SUFFIX, DN_CONFIG, PASSWORD
 
@@ -30,7 +31,7 @@ TEST_PARAMS = [(DN_ROOT, False, [
                 'supportedControl', 'supportedExtension',
                 'supportedFeatures', 'supportedLDAPVersion',
                 'supportedSASLMechanisms', 'vendorName', 'vendorVersion'
-]),
+               ]),
                (DN_ROOT, True, [
                 'createTimestamp', 'creatorsName',
                 'modifiersName', 'modifyTimestamp', 'namingContexts',
@@ -59,7 +60,8 @@ TEST_PARAMS = [(DN_ROOT, False, [
                 'entryid', 'modifyTimestamp', 'nsUniqueId', 'parentid'
                ]),
                (DN_CONFIG, False, [
-                'numSubordinates', 'passwordHistory'
+                'numSubordinates', 'passwordHistory',  'modifyTimestamp',
+                'modifiersName'
                ])
             ]
 
@@ -80,6 +82,18 @@ def create_user(topology_st):
         'homeDirectory': '/home/test'
     })
 
+    # Add anonymous access aci
+    ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
+    suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
+    try:
+        suffix.add('aci', ANON_ACI)
+    except ldap.TYPE_OR_VALUE_EXISTS:
+        pass
+
+
 @pytest.fixture(scope="module")
 def user_aci(topology_st):
     """Don't allow modifiersName attribute for the test user

+ 2 - 2
dirsrvtests/tests/suites/fractional/fractional_test.py

@@ -311,7 +311,7 @@ def test_newly_added_attribute_nsds5replicatedattributelisttotal(_create_entries
     check_all_replicated()
     user = f'uid=test_user_1000,ou=People,{DEFAULT_SUFFIX}'
     for instance in (MASTER1, MASTER2, CONSUMER1, CONSUMER2):
-        assert Groups(instance, DEFAULT_SUFFIX).list()[0].get_attr_val_utf8("member") == user
+        assert Groups(instance, DEFAULT_SUFFIX).list()[1].get_attr_val_utf8("member") == user
         assert UserAccount(instance, user).get_attr_val_utf8("sn") == "test_user_1000"
     # The attributes mentioned in the nsds5replicatedattributelist
     # excluded from incremental updates.
@@ -345,7 +345,7 @@ def test_attribute_nsds5replicatedattributelisttotal(_create_entries, _add_user_
         agreement.wait_reinit()
     check_all_replicated()
     for instance in (MASTER1, MASTER2):
-        assert Groups(MASTER1, DEFAULT_SUFFIX).list()[0].get_attr_val_utf8("member") == user
+        assert Groups(MASTER1, DEFAULT_SUFFIX).list()[1].get_attr_val_utf8("member") == user
         assert UserAccount(instance, user).get_attr_val_utf8("sn") == "test_user_1000"
     for instance in (CONSUMER1, CONSUMER2):
         for value in ("memberOf", "manager", "sn"):
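Review bot: In `test_attribute_nsds5replicatedattributelisttotal` the changed assertion still queries `Groups(MASTER1, DEFAULT_SUFFIX)` inside `for instance in (MASTER1, MASTER2)`, so MASTER2's group membership is never checked; the loop in the first hunk uses `instance`. Suggested line: `assert Groups(instance, DEFAULT_SUFFIX).list()[1].get_attr_val_utf8("member") == user`. Both hunks also pick the group by position (`list()[1]`), which depends on how many default groups the instance ships with and on the order the search returns them; looking the test group up by name would survive the next change to the sample entries. Both test bodies extend beyond their hunks.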

+ 1 - 5
dirsrvtests/tests/suites/healthcheck/health_config_test.py

@@ -32,10 +32,6 @@ ds_paths = Paths()
 pytestmark = pytest.mark.skipif(ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
                                 reason="These tests need to use python installer")
 
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
 log = logging.getLogger(__name__)
 
 
@@ -45,7 +41,7 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
     args.verbose = instance.verbose
     args.list_errors = False
     args.list_checks = False
-    args.check = None
+    args.check = ['config', 'refint', 'backends', 'monitor-disk-space', 'logs']
     args.dry_run = False
 
     if json:

+ 8 - 15
dirsrvtests/tests/suites/healthcheck/health_repl_test.py

@@ -9,11 +9,8 @@
 
 import pytest
 import os
-import subprocess
-import distro
-
 from lib389.idm.user import UserAccounts
-from lib389.replica import Changelog5, ReplicationManager, Replicas
+from lib389.replica import Changelog, ReplicationManager, Replicas
 from lib389.utils import *
 from lib389._constants import *
 from lib389.cli_base import FakeArgs
@@ -27,11 +24,6 @@ JSON_OUTPUT = '[]'
 ds_paths = Paths()
 pytestmark = pytest.mark.skipif(ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
                                 reason="These tests need to use python installer")
-
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
 log = logging.getLogger(__name__)
 
 
@@ -41,7 +33,7 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
     args.verbose = instance.verbose
     args.list_errors = False
     args.list_checks = False
-    args.check = None
+    args.check = ['replication', 'backends:userroot:cl_trimming']
     args.dry_run = False
 
     if json:
@@ -71,7 +63,7 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
 
 def set_changelog_trimming(instance):
     log.info('Get the changelog enteries')
-    inst_changelog = Changelog5(instance)
+    inst_changelog = Changelog(instance, suffix=DEFAULT_SUFFIX)
 
     log.info('Set nsslapd-changelogmaxage to 30d')
     inst_changelog.add('nsslapd-changelogmaxage', '30')
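Review bot: `set_changelog_trimming` now builds `Changelog(instance, suffix=DEFAULT_SUFFIX)` unconditionally, while the same helper in healthcheck_test.py, changed in this commit, chooses between `Changelog` and `Changelog5` via `ds_supports_new_changelog()` and writes the value with `replace`. If this suite is meant to run against servers with the older changelog layout as well, the two helpers should agree. The unchanged `add` call may also fail when the attribute is already set, so `inst_changelog.replace('nsslapd-changelogmaxage', '30')` is the safer form. The log text says `30d` but the value written is `'30'` with no unit, which is worth confirming. The function body may continue past the hunk.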
@@ -149,24 +141,25 @@ def test_healthcheck_changelog_trimming_not_configured(topology_m2):
         1. Success
         2. Success
         3. Healthcheck reports DSCLLE0001 code and related details
-        4. Healthcheck reports DSCLLE0001 code and related details
+        4. Healthcheck reports DSCLLE0001 code and related details (json)
         5. Success
         6. Healthcheck reports no issue found
-        7. Healthcheck reports no issue found
+        7. Healthcheck reports no issue found (json)
     """
 
     M1 = topology_m2.ms['master1']
-    M2 = topology_m2.ms['master2']
 
     RET_CODE = 'DSCLLE0001'
 
     log.info('Get the changelog entries for M1')
-    changelog_m1 = Changelog5(M1)
+    changelog_m1 = Changelog(M1, suffix=DEFAULT_SUFFIX)
 
     log.info('Check nsslapd-changelogmaxage value')
     if changelog_m1.get_attr_val('nsslapd-changelogmaxage') is not None:
         changelog_m1.remove_all('nsslapd-changelogmaxage')
 
+    time.sleep(3)
+
     run_healthcheck_and_flush_log(topology_m2, M1, RET_CODE, json=False)
     run_healthcheck_and_flush_log(topology_m2, M1, RET_CODE, json=True)
 

+ 6 - 9
dirsrvtests/tests/suites/healthcheck/health_security_test.py

@@ -11,8 +11,7 @@ import pytest
 import os
 import subprocess
 import distro
-
-
+import time
 from datetime import *
 from lib389.config import Encryption
 from lib389.utils import *
@@ -26,16 +25,12 @@ CMD_OUTPUT = 'No issues found.'
 JSON_OUTPUT = '[]'
 
 ds_paths = Paths()
-pytestmark = pytest.mark.skipif(ds_paths.asan_enabled or ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
-                                reason="These tests can only be run with python installer and disabled ASAN")
+pytestmark = pytest.mark.skipif(ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
+                                reason="These tests need to use python installer")
 
 libfaketime = pytest.importorskip('libfaketime')
 libfaketime.reexec_if_needed()
 
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
 log = logging.getLogger(__name__)
 
 
@@ -55,7 +50,7 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
     args.verbose = instance.verbose
     args.list_errors = False
     args.list_checks = False
-    args.check = None
+    args.check = ['config', 'encryption', 'tls', 'fschecks']
     args.dry_run = False
 
     if json:
@@ -308,6 +303,7 @@ def test_healthcheck_certif_expiring_within_30d(topology_st):
     date_future = datetime.now() + timedelta(days=701)
 
     with libfaketime.fake_time(date_future):
+        time.sleep(1)
         run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=False)
         run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=True)
 
@@ -346,6 +342,7 @@ def test_healthcheck_certif_expired(topology_st):
     date_future = datetime.now() + timedelta(days=731)
 
     with libfaketime.fake_time(date_future):
+        time.sleep(1)
         run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=False)
         run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=True)
 

+ 11 - 13
dirsrvtests/tests/suites/healthcheck/health_sync_test.py

@@ -9,7 +9,7 @@
 
 import pytest
 import os
-
+import time
 from datetime import *
 from lib389.agreement import Agreements
 from lib389.idm.user import UserAccounts
@@ -25,10 +25,6 @@ ds_paths = Paths()
 pytestmark = pytest.mark.skipif(ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
                                 reason="These tests need to use python installer")
 
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
 log = logging.getLogger(__name__)
 
 
@@ -38,7 +34,7 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searc
     args.verbose = instance.verbose
     args.list_errors = False
     args.list_checks = False
-    args.check = None
+    args.check = ['replication']
     args.dry_run = False
 
     if json:
@@ -112,20 +108,22 @@ def test_healthcheck_replication_out_of_sync_not_broken(topology_m3):
     test_users_m2 = UserAccounts(M2, DEFAULT_SUFFIX)
     test_users_m3 = UserAccounts(M3, DEFAULT_SUFFIX)
     test_users_m2.create_test_user(1000, 2000)
-    test_users_m3.create_test_user(1001, 2000)
-
-    log.info('Init M2->M3 agreement')
-    agmt = Agreements(M2).list()[1]
-    agmt.begin_reinit()
-    agmt.wait_reinit()
+    for user_num in range(1001, 3000):
+        test_users_m3.create_test_user(user_num, 2000)
+    time.sleep(2)
 
     log.info('Stop M2 and M3')
     M2.stop()
     M3.stop()
 
-    log.info('Start M1 first, then M3')
+    log.info('Start M1 first, then M2, so that M2 acquires M1')
     M1.start()
+    M2.start()
+    time.sleep(2)
+
+    log.info('Start M3 which should not be able to acquire M1 since M2 is updating it')
     M3.start()
+    time.sleep(2)
 
     run_healthcheck_and_flush_log(topology_m3, M3, RET_CODE, json=False)
     run_healthcheck_and_flush_log(topology_m3, M3, RET_CODE, json=True)
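Review bot: The out-of-sync state now depends on creating 1999 users on M3 and on three fixed `time.sleep(2)` calls, with no comment explaining why those numbers produce the condition the healthcheck should report. On a slower or faster host M2 may not be holding the replica when M3 starts, which would make the test intermittently fail for reasons unrelated to the server. Add a comment above the loop, for example `# create enough pending changes on M3 that it is still behind when the servers are restarted below`. If lib389 exposes agreement status, poll it instead of sleeping. The docstring steps are outside the hunk and should be checked against the new sequence, since the M2->M3 reinit step was removed.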

+ 10 - 12
dirsrvtests/tests/suites/healthcheck/healthcheck_test.py

@@ -9,10 +9,9 @@
 
 import pytest
 import os
-
 from lib389.backend import Backends
 from lib389.mappingTree import MappingTrees
-from lib389.replica import Changelog5
+from lib389.replica import Changelog5,  Changelog
 from lib389.utils import *
 from lib389._constants import *
 from lib389.cli_base import FakeArgs
@@ -22,15 +21,12 @@ from lib389.paths import Paths
 
 CMD_OUTPUT = 'No issues found.'
 JSON_OUTPUT = '[]'
+CHANGELOG = 'cn=changelog,{}'.format(DN_USERROOT_LDBM)
 
 ds_paths = Paths()
 pytestmark = pytest.mark.skipif(ds_paths.perl_enabled and (os.getenv('PYINSTALL') is None),
                                 reason="These tests need to use python installer")
 
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
 log = logging.getLogger(__name__)
 
 
@@ -65,11 +61,13 @@ def run_healthcheck_and_flush_log(topology, instance, searched_code=None, json=F
 
 
 def set_changelog_trimming(instance):
-    log.info('Get the changelog enteries')
-    inst_changelog = Changelog5(instance)
-
     log.info('Set nsslapd-changelogmaxage to 30d')
-    inst_changelog.add('nsslapd-changelogmaxage', '30')
+
+    if ds_supports_new_changelog():
+        cl = Changelog(instance, DEFAULT_SUFFIX)
+    else:
+        cl = Changelog5(instance)
+    cl.replace('nsslapd-changelogmaxage', '30')
 
 
 def test_healthcheck_disabled_suffix(topology_st):
@@ -144,6 +142,7 @@ def test_healthcheck_list_checks(topology_st):
 
     output_list = ['config:hr_timestamp',
                    'config:passwordscheme',
+                   'backends:userroot:cl_trimming',
                    'backends:userroot:mappingtree',
                    'backends:userroot:search',
                    'backends:userroot:virt_attrs',
@@ -154,7 +153,6 @@ def test_healthcheck_list_checks(topology_st):
                    'monitor-disk-space:disk_space',
                    'replication:agmts_status',
                    'replication:conflicts',
-                   'changelog:cl_trimming',
                    'dseldif:nsstate',
                    'tls:certificate_expiration',
                    'logs:notes']
@@ -233,6 +231,7 @@ def test_healthcheck_check_option(topology_st):
 
     output_list = ['config:hr_timestamp',
                    'config:passwordscheme',
+                   'backends:userroot:cl_trimming',
                    'backends:userroot:mappingtree',
                    'backends:userroot:search',
                    'backends:userroot:virt_attrs',
@@ -243,7 +242,6 @@ def test_healthcheck_check_option(topology_st):
                    'monitor-disk-space:disk_space',
                    'replication:agmts_status',
                    'replication:conflicts',
-                   'changelog:cl_trimming',
                    'dseldif:nsstate',
                    'tls:certificate_expiration',
                    'logs:notes']

+ 7 - 6
dirsrvtests/tests/suites/import/regression_test.py

@@ -288,6 +288,7 @@ ou: myDups00001
     with open(ldif_file, "w") as fd:
         fd.write(l)
         fd.close()
+    os.chmod(ldif_file, 0o777)
 
     log.info('Import ldif with duplicate entry')
     assert standalone.tasks.importLDIF(suffix=DEFAULT_SUFFIX, input_file=ldif_file, args={TASK_WAIT: True})
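Review bot: `os.chmod(ldif_file, 0o777)` makes the import file world-writable and executable, although the import task only needs to read it. On a shared test host any local account could modify the LDIF between the write and the import if the containing directory allows it; where `ldif_file` lives is set outside the hunk. `os.chmod(ldif_file, 0o644)` gives the server account read access without that exposure. The `fd.close()` inside the `with` block just above is redundant, since the context manager already closes the file. The test function starts before the hunk.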
@@ -305,13 +306,13 @@ ou: myDups00001
 @pytest.mark.tier2
 @pytest.mark.xfail(ds_is_older("1.3.10.1"), reason="bz1749595 not fixed on versions older than 1.3.10.1")
 def test_large_ldif2db_ancestorid_index_creation(topo):
-    """Import with ldif2db a large file - check that the ancestorid index creation phase has a correct performance 
+    """Import with ldif2db a large file - check that the ancestorid index creation phase has a correct performance
 
     :id: fe7f78f6-6e60-425d-ad47-b39b67e29113
     :setup: Standalone instance
     :steps:
         1. Delete the previous errors log to start from a fresh one
-        2. Create test suffix and backend 
+        2. Create test suffix and backend
         3. Create a large nested ldif file
         4. Stop the server
         5. Run an offline import
@@ -334,7 +335,7 @@ def test_large_ldif2db_ancestorid_index_creation(topo):
         10. Start and end times are successfully extracted
         11. The duration of the ancestorid index creation process should be less than 10s
     """
-    
+
     ldif_dir = topo.standalone.get_ldif_dir()
     ldif_file = os.path.join(topo.standalone.ds_paths.ldif_dir, 'large_nested.ldif')
 
@@ -343,7 +344,7 @@ def test_large_ldif2db_ancestorid_index_creation(topo):
     num_users = 100000
 
     # Choose a limited number of users per node to get as much as possible non-leaf entries
-    node_limit = 5 
+    node_limit = 5
 
     # top suffix
     suffix = 'o=test'
@@ -355,7 +356,7 @@ def test_large_ldif2db_ancestorid_index_creation(topo):
     topo.standalone.deleteErrorLogs()
 
     log.info('Add suffix:{} and backend: {}...'.format(suffix, backend))
-                                                         
+
     backends = Backends(topo.standalone)
     backends.create(properties={'nsslapd-suffix': suffix,
                                 'name': backend})
@@ -399,7 +400,7 @@ def test_large_ldif2db_ancestorid_index_creation(topo):
     # We are getting the sec.nanosec part of the date, '27.245967313' in the above example
     start_time = (start_ancestorid_indexing_op_str.split()[0]).split(':')[3]
     end_time = (end_ancestorid_indexing_op_str.split()[0]).split(':')[3]
-  
+
     log.info('Calculate the elapsed time for the ancestorid non-leaf IDs index creation')
     etime = (Decimal(end_time) - Decimal(start_time))
     # The time for the ancestorid index creation should be less than 10s for an offline import of an ldif file with 100000 entries / 5 entries per node

+ 16 - 15
dirsrvtests/tests/suites/memberof_plugin/regression_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2017 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -88,14 +88,14 @@ def send_updates_now(server):
 
 
 def _find_memberof(server, member_dn, group_dn):
-    #To get the specific server's (M1, C1 and H1) user and group
+    # To get the specific server's (M1, C1 and H1) user and group
     user = UserAccount(server, member_dn)
     assert user.exists()
     group = Group(server, group_dn)
     assert group.exists()
 
-    #test that the user entry should have memberof attribute with sepecified group dn value
-    assert group._dn in user.get_attr_vals_utf8('memberOf')
+    # test that the user entry should have memberof attribute with specified group dn value
+    assert group._dn.lower() in user.get_attr_vals_utf8_l('memberOf')
 
 
 @pytest.mark.bz1352121
@@ -168,8 +168,8 @@ def test_memberof_with_repl(topo):
     test_groups = []
 
     # Step 3
-    #In for loop create users and add them in the user list
-    #it creates user_0 to user_9 (range is fun)
+    # In for loop create users and add them in the user list
+    # it creates user_0 to user_9 (range is fun)
     for i in range(10):
         CN = '%s%d' % (USER_CN, i)
         users = UserAccounts(M1, SUFFIX)
@@ -179,8 +179,8 @@ def test_memberof_with_repl(topo):
         time.sleep(2)
         test_users.append(testuser)
 
-    #In for loop create groups and add them to the group list
-    #it creates group_0 to group_2 (range is fun)
+    # In for loop create groups and add them to the group list
+    # it creates group_0 to group_2 (range is fun)
     for i in range(3):
         CN = '%s%d' % (GROUP_CN, i)
         groups = Groups(M1, SUFFIX)
@@ -189,7 +189,7 @@ def test_memberof_with_repl(topo):
         test_groups.append(testgroup)
 
     # Step 4
-    #Now start testing by adding differnt user to differn group
+    # Now start testing by adding differnt user to differn group
     if not ds_is_older('1.3.7'):
         test_groups[0].remove('objectClass', 'nsMemberOf')
 
@@ -198,7 +198,7 @@ def test_memberof_with_repl(topo):
     grp1_dn = test_groups[1].dn
 
     test_groups[0].add_member(member_dn)
-    time.sleep(5)
+    time.sleep(2)
 
     # Step 5
     for i in [M1, H1, C1]:
@@ -206,7 +206,7 @@ def test_memberof_with_repl(topo):
 
     # Step 6
     test_groups[1].add_member(test_groups[0].dn)
-    time.sleep(5)
+    time.sleep(2)
 
     # Step 7
     for i in [grp0_dn, grp1_dn]:
@@ -219,7 +219,7 @@ def test_memberof_with_repl(topo):
 
     # Step 9
     test_groups[1].remove_member(test_groups[0].dn)
-    time.sleep(5)
+    time.sleep(2)
 
     # Step 10
     # For negative testcase, we are using assertionerror
@@ -230,7 +230,7 @@ def test_memberof_with_repl(topo):
 
     # Step 11
     test_groups[0].remove_member(member_dn)
-    time.sleep(5)
+    time.sleep(2)
 
     # Step 12
     for inst in [M1, H1, C1]:
@@ -244,7 +244,7 @@ def test_memberof_with_repl(topo):
 
     # Step 14
     test_groups[0].add_member(member_dn)
-    time.sleep(5)
+    time.sleep(2)
 
     # Step 15
     for i in [M1, H1]:
@@ -265,6 +265,7 @@ def test_memberof_with_repl(topo):
 
     # Step 18
     memberof.fixup(SUFFIX)
+    # have to sleep instead of task.wait() because the task opens a thread and exits
     time.sleep(5)
 
     # Step 19
@@ -317,7 +318,7 @@ def test_scheme_violation_errors_logged(topo_m2):
     assert user_memberof_attr
     log.info('memberOf attr value - {}'.format(user_memberof_attr))
 
-    pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format(testuser.dn)
+    pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format(testuser.dn.lower())
     log.info("pattern = %s" % pattern)
     assert inst.ds_error_log.match(pattern)
 

+ 5 - 6
dirsrvtests/tests/suites/paged_results/paged_results_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -14,7 +14,7 @@ from ldap.controls import SimplePagedResultsControl, GetEffectiveRightsControl
 from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st
-from lib389._constants import DN_LDBM, DN_DM, DEFAULT_SUFFIX, BACKEND_NAME, PASSWORD
+from lib389._constants import DN_LDBM, DN_DM, DEFAULT_SUFFIX
 
 from lib389._controls import SSSRequestControl
 
@@ -88,7 +88,7 @@ def new_suffixes(topology_st):
 
     bes = Backends(topology_st.standalone)
 
-    be_1 = bes.create(properties={
+    bes.create(properties={
         'cn': 'NEW_BACKEND_1',
         'nsslapd-suffix': NEW_SUFFIX_1,
     })
@@ -158,7 +158,7 @@ def del_users(users_list):
 
 
 def change_conf_attr(topology_st, suffix, attr_name, attr_value):
-    """Change configurational attribute in the given suffix.
+    """Change configuration attribute in the given suffix.
 
     Returns previous attribute value.
     """
@@ -318,8 +318,7 @@ def test_search_limits_fail(topology_st, create_user, page_size, users_num,
         pctrls = []
         while True:
             log.info('Getting page %d' % (pages,))
-            if pages == 0 and (time_val or attr_name in ('nsslapd-lookthroughlimit',
-                                                         'nsslapd-pagesizelimit')):
+            if pages == 0 and (time_val or attr_name == 'nsslapd-pagesizelimit'):
                 rtype, rdata, rmsgid, rctrls = conn.result3(msgid)
             else:
                 with pytest.raises(expected_err):

+ 9 - 0
dirsrvtests/tests/suites/password/password_policy_test.py

@@ -14,6 +14,7 @@ import os
 import pytest
 import time
 from lib389.topologies import topology_st as topo
+from lib389.idm.domain import Domain
 from lib389.idm.organizationalunit import OrganizationalUnits
 from lib389.idm.user import UserAccounts, UserAccount
 from lib389._constants import DEFAULT_SUFFIX
@@ -47,6 +48,14 @@ def _policy_setup(topo):
     """
     Will do pretest setup.
     """
+
+    # Add self user modification and anonymous aci
+    USER_SELF_MOD_ACI = '(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)'
+    ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', USER_SELF_MOD_ACI)
+    suffix.add('aci', ANON_ACI)
+
     for suffix, ou in [(DEFAULT_SUFFIX, 'dirsec'), (f'ou=people,{DEFAULT_SUFFIX}', 'others')]:
         OrganizationalUnits(topo.standalone, suffix).create(properties={
             'ou': ou
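Review bot: The `ANON_ACI` added in `_policy_setup` uses `targetattr="*"`, so anonymous binds get read, search and compare on every attribute under the suffix, `userPassword` included. For a password-policy suite that is broader than the tests appear to need and can mask an access-control regression; a narrower target such as `(targetattr!="userPassword")` would keep anonymous lookups working without exposing the stored hash. The same two constants are copied into the `password_policy` fixture in pwdPolicy_syntax_test.py, and `ANON_ACI` again into `test_managedrole` in roles/basic_test.py, so a shared helper would keep the rule in one place. The new `suffix = Domain(...)` is also rebound by the `for suffix, ou in ...` loop just below, which a distinct name such as `domain` would avoid. `_policy_setup` continues past the end of this hunk, so any cleanup of the added ACIs is not visible here.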

+ 11 - 4
dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -13,6 +13,7 @@ from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st
 from lib389._constants import DEFAULT_SUFFIX, PASSWORD, DN_DM
+from lib389.idm.domain import Domain
 from lib389.idm.user import UserAccounts
 from lib389.idm.organizationalunit import OrganizationalUnits
 
@@ -35,6 +36,13 @@ def password_policy(topology_st):
     topology_st.standalone.config.set('nsslapd-pwpolicy-local', 'off')
     topology_st.standalone.config.set('passwordMinCategories', '1')
 
+    # Add self user modification and anonymous aci
+    USER_SELF_MOD_ACI = '(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)'
+    ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
+    suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', USER_SELF_MOD_ACI)
+    suffix.add('aci', ANON_ACI)
+
 
 @pytest.fixture(scope="module")
 def create_user(topology_st):
@@ -303,10 +311,9 @@ def test_config_set_few_user_attributes(topology_st, create_user, password_polic
     """
 
     standalone = topology_st.standalone
-
+    standalone.simple_bind_s(DN_DM, PASSWORD)
     standalone.log.info('Set passwordUserAttributes to "description loginShell"')
     standalone.config.set('passwordUserAttributes', 'description loginshell')
-
     standalone.restart()
 
     standalone.log.info("Verify passwordUserAttributes has the values")
@@ -344,7 +351,7 @@ def test_config_set_few_bad_words(topology_st, create_user, password_policy):
     """
 
     standalone = topology_st.standalone
-
+    standalone.simple_bind_s(DN_DM, PASSWORD)
     standalone.log.info('Set passwordBadWords to "fedora redhat"')
     standalone.config.set('passwordBadWords', 'fedora redhat')
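Review bot: The `standalone.simple_bind_s(DN_DM, PASSWORD)` added at the top of `test_config_set_few_user_attributes` and `test_config_set_few_bad_words` restores Directory Manager inside the tests that need it, which suggests an earlier test or fixture leaves the shared connection bound as an ordinary user. Rebinding where the identity was changed (in a `finally` or a fixture finalizer) would keep a later `config.set` from running with whichever identity happened to be left behind. If the re-bind stays here, a comment such as `# earlier tests may leave the connection bound as the test user` would explain it. Both test bodies continue outside their hunks.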
 

+ 9 - 11
dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -14,8 +14,7 @@ from lib389.utils import *
 from lib389.topologies import topology_st
 from lib389.idm.user import UserAccounts
 from lib389.idm.organizationalunit import OrganizationalUnits
-from lib389._constants import (DEFAULT_SUFFIX, DN_CONFIG, PASSWORD, DN_DM,
-                               HOST_STANDALONE, PORT_STANDALONE, SERVERID_STANDALONE)
+from lib389._constants import (DEFAULT_SUFFIX, DN_CONFIG, PASSWORD, DN_DM)
 from dateutil.parser import parse as dt_parse
 from lib389.config import Config
 import datetime
@@ -97,7 +96,6 @@ def global_policy_default(topology_st, request):
 
     def fin():
         """Resets the defaults"""
-
         log.info('Reset the defaults')
         topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
         for key in attrs.keys():
@@ -142,11 +140,11 @@ def local_policy(topology_st, add_user):
 
     log.info("Setting fine grained policy for user ({})".format(USER_DN))
 
-    subprocess.call(['%s/ns-newpwpolicy.pl' % topology_st.standalone.get_sbin_dir(),
-                     '-D', DN_DM,
-                     '-w', PASSWORD, '-h', HOST_STANDALONE,
-                     '-p', str(PORT_STANDALONE), '-U', USER_DN,
-                     '-Z', SERVERID_STANDALONE])
+    subprocess.call(['%s/dsconf' % topology_st.standalone.get_sbin_dir(),
+                     'slapd-standalone1',
+                     'localpwp',
+                     'adduser',
+                     USER_DN])
     # A short sleep is required after modifying password policy
     time.sleep(0.5)
 
@@ -476,7 +474,7 @@ def test_with_local_policy(topology_st, global_policy, local_policy):
             passwordMaxAge: 172800
             passwordWarning: 86400
             passwordSendExpiringTime: on
-            Fine grained password policy for the user using ns-newpwpolicy.pl
+            Fine grained password policy for the user using: dsconf INST localpwp
     :steps:
         1. Bind as the normal user
         2. Request the control for the user
@@ -594,7 +592,7 @@ def test_password_expire_works(topology_st):
     assert expire_time != expire_time2 != expire_time3
     config.replace('passwordExp', 'off')
 
-    
+
 if __name__ == '__main__':
     # Run isolated
     # -s for DEBUG mode
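Review bot: In `local_policy` the `dsconf ... localpwp adduser` command still goes through `subprocess.call`, whose exit status is discarded, so a failure to create the fine-grained policy only shows up indirectly when later assertions see the global policy instead. `subprocess.check_call([...])` would fail the fixture at the point of the error. The instance name is now the literal `'slapd-standalone1'` where the removed code passed `SERVERID_STANDALONE`; deriving it from `topology_st.standalone` would keep the fixture tied to the instance under test. The fixture body starts and ends outside this hunk.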

+ 1 - 1
dirsrvtests/tests/suites/password/pwp_test.py

@@ -465,7 +465,7 @@ def test_passwordlockout(topo, _fix_password):
     user.replace('userpassword', 'dby3rs2')
     admin = _create_user(topo, 'diradmin', 'Anuj Borah', '1002', 'diradmin')
     # Adding admin user diradmin to Directory Administrator group
-    Group(topo.standalone, f'cn=Directory Administrators,{DEFAULT_SUFFIX}').add('uniquemember', admin.dn)
+    Group(topo.standalone, f'cn=user_passwd_reset,ou=permissions,{DEFAULT_SUFFIX}').add('member', admin.dn)
     # Turn on passwordlockout
     # Sets lockout duration to 30 seconds
     # Sets failure count reset duration to 30 sec
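Review bot: The comment above the changed line still says the user is added to the Directory Administrator group, but the new code adds `admin.dn` as a `member` of `cn=user_passwd_reset,ou=permissions`. Since the test depends on what this account is allowed to do, the comment should name the actual grant, e.g. `# Add diradmin to the user_passwd_reset permission group` (presumably the group that carries password-reset rights). `test_passwordlockout` starts and ends outside the hunk.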

+ 1 - 1
dirsrvtests/tests/suites/password/regression_test.py

@@ -44,7 +44,7 @@ def _check_unhashed_userpw(inst, user_dn, is_present=False):
     unhashed_pwd_attribute = 'unhashed#user#password'
 
     if ds_supports_new_changelog():
-        dbscanOut = inst.dbscan(DEFAULT_BENAME, 'changelog')
+        dbscanOut = inst.dbscan(DEFAULT_BENAME, 'replication_changelog')
     else:
         changelog_dbdir = os.path.join(os.path.dirname(inst.dbdir), DEFAULT_CHANGELOG_DB)
         for dbfile in os.listdir(changelog_dbdir):
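Review bot: `_check_unhashed_userpw` appears to look for the `unhashed#user#password` attribute in the `dbscan` output, so when it is used to show the clear-text password is absent, a wrong or renamed index name would also produce "not found". With the name now hard-coded as `'replication_changelog'`, a check that the scan actually returned records for `user_dn` before the absence test would keep the negative case from passing vacuously. The rest of the function is outside this hunk, so such a check may already exist.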

+ 24 - 23
dirsrvtests/tests/suites/plugins/accpol_test.py

@@ -157,26 +157,26 @@ def userpw_reset(topology_st, suffix, subtree, userid, nousrs, bindusr, bindpw,
 
 
 def nsact_inact(topology_st, suffix, subtree, userid, nousrs, command, expected):
-    """Account activate/in-activate/status using ns-activate/inactivate/accountstatus.pl"""
+    """Account activate/in-activate/status using dsidm"""
 
-    log.info('Account activate/in-activate/status using ns-activate/inactivate/accountstatus.pl')
+    log.info('Account activate/in-activate/status using dsidm')
     while (nousrs > 0):
         usrrdn = '{}{}'.format(userid, nousrs)
         userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix)
         log.info('Running {} for user {}'.format(command, userdn))
-        if ds_is_older('1.3'):
-            action = '{}/{}'.format(inst_dir, command)
-            try:
-                output = subprocess.check_output([action, '-D', DN_DM, '-w', PASSWORD, '-I', userdn])
-            except subprocess.CalledProcessError as err:
-                output = err.output
-        else:
-            action = '{}/{}'.format(topology_st.standalone.ds_paths.sbin_dir, command)
-            try:
-                output = subprocess.check_output(
-                    [action, '-Z', SERVERID_STANDALONE, '-D', DN_DM, '-w', PASSWORD, '-I', userdn])
-            except subprocess.CalledProcessError as err:
-                output = err.output
+
+        dsidm_cmd = ['%s/dsidm' % topology_st.standalone.get_sbin_dir(),
+                     'slapd-standalone1',
+                     '-b', DEFAULT_SUFFIX,
+                     'account', command,
+                     userdn]
+
+        log.info('Running {} for user {}'.format(dsidm_cmd, userdn))
+        try:
+            output = subprocess.check_output(dsidm_cmd)
+        except subprocess.CalledProcessError as err:
+            output = err.output
+
         log.info('output: {}'.format(output))
         assert ensure_bytes(expected) in output
         nousrs = nousrs - 1
@@ -302,7 +302,7 @@ def account_status(topology_st, suffix, subtree, userid, nousrs, ulimit, tochck)
     while (nousrs > ulimit):
         usrrdn = '{}{}'.format(userid, nousrs)
         userdn = 'uid={},{},{}'.format(usrrdn, subtree, suffix)
-        user = UserAccount(topology_st.standalone,  dn=userdn)
+        user = UserAccount(topology_st.standalone, dn=userdn)
         if (tochck == "Enabled"):
             try:
                 user.bind(USER_PASW)
@@ -764,7 +764,7 @@ def test_glnoalt_nologin(topology_st, accpol_global):
 
 
 def test_glinact_nsact(topology_st, accpol_global):
-    """Verify if user account can be activated using ns-activate.pl script.
+    """Verify if user account can be activated using dsidm.
 
     :id: 876a7a7c-0b3f-4cd2-9b45-1dc80846e334
     :setup: Standalone instance, Global account policy plugin configuration,
@@ -772,7 +772,7 @@ def test_glinact_nsact(topology_st, accpol_global):
     :steps:
         1. Configure Global account policy plugin
         2. Add few users to ou=groups subtree in the default suffix
-        3. Wait for few secs and inactivate user using ns-inactivate.pl
+        3. Wait for few secs and inactivate user using dsidm
         4. Wait till accountInactivityLimit exceeded.
         5. Run ldapsearch as normal user, expected error 19.
         6. Activate user using ns-activate.pl script
@@ -795,20 +795,21 @@ def test_glinact_nsact(topology_st, accpol_global):
     subtree = "ou=groups"
     userid = "nsactusr"
     nousrs = 1
+
     log.info('AccountInactivityLimit set to 12. Account will be inactivated if not accessed in 12 secs')
     add_users(topology_st, suffix, subtree, userid, nousrs, 0)
     log.info('Sleep for 3 secs to check if account is not inactivated, expected value 0')
     time.sleep(3)
-    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "ns-activate.pl", "")
+    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "unlock", "")
     log.info('Sleep for 10 secs to check if account is inactivated, expected value 19')
     time.sleep(10)
-    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "ns-activate.pl", "")
+    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "unlock", "")
     account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Disabled")
-    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "ns-accountstatus.pl",
-                "- inactivated (inactivity limit exceeded)")
+    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "entry-status",
+                "inactivity limit exceeded")
     add_time_attr(topology_st, suffix, subtree, userid, nousrs, 'lastLoginTime')
     account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")
-    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "ns-accountstatus.pl", "- activated")
+    nsact_inact(topology_st, suffix, subtree, userid, nousrs, "entry-status", "activated")
     del_users(topology_st, suffix, subtree, userid, nousrs)
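Review bot: In `nsact_inact` a failing `dsidm` run is swallowed: the `except subprocess.CalledProcessError` branch just takes `err.output`, and the callers in `test_glinact_nsact` that pass `""` as `expected` then assert `b"" in output`, which is always true. Now that the command names the instance as the literal `'slapd-standalone1'` and no longer passes bind credentials, a wrong instance name or a refused connection would go unnoticed for the two `"unlock"` calls. Capturing stderr with `subprocess.check_output(dsidm_cmd, stderr=subprocess.STDOUT)` and failing when `expected` is empty and the command exits non-zero would close that gap. The docstring of `test_glinact_nsact` also still reads `6. Activate user using ns-activate.pl script`, and the `Running ... for user` message is now logged twice per iteration.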
 
 

+ 2 - 2
dirsrvtests/tests/suites/psearch/psearch_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -64,7 +64,7 @@ def test_psearch(topology_st):
     # Now run the result again and see what's there.
     results = _run_psearch(topology_st.standalone, msg_id)
     # assert our group is in the changeset.
-    assert(group.dn == results[0])
+    assert(group.dn.lower() == results[0])
 
 
 if __name__ == '__main__':
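Review bot: The new assertion lowercases only `group.dn`, so it holds only while `results[0]` already comes back in lower case. Normalising both sides, `assert group.dn.lower() == results[0].lower()`, makes the comparison independent of how the server or `_run_psearch` happens to case the DN. A short comment saying why the case differs here would also help the next reader.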

+ 2 - 2
dirsrvtests/tests/suites/replication/conflict_resolve_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2018 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -117,7 +117,7 @@ def _test_base(topology):
     M1 = topology.ms["master1"]
 
     conts = nsContainers(M1, SUFFIX)
-    base_m2 = conts.create(properties={'cn': 'test_container'})
+    base_m2 = conts.ensure_state(properties={'cn': 'test_container'})
 
     for inst in topology:
         inst.config.loglevel([ErrorLog.DEFAULT, ErrorLog.REPLICA], service='error')

+ 7 - 3
dirsrvtests/tests/suites/roles/basic_test.py

@@ -1,5 +1,5 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2019 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
@@ -186,8 +186,12 @@ def test_managedrole(topo):
 
     # Set an aci that will deny  ROLE1 manage role
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
+        add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
                    ' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
+    # Add self user modification and anonymous aci
+    ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
+    suffix.add('aci', ANON_ACI)
 
     # Crate a connection with cn=Fail which is member of ROLE1
     conn = UserAccount(topo.standalone, "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
@@ -274,7 +278,7 @@ def test_nestedrole(topo, _final):
 
     # Create a ACI with deny access to nested role entry
     Domain(topo.standalone, DEFAULT_SUFFIX).\
-        add('aci', f'(targetattr=*)(version 3.0; aci '
+        add('aci', f'(targetattr="*")(version 3.0; aci '
                    f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
 
     # Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
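Review bot: The comment added in `test_managedrole`, `# Add self user modification and anonymous aci`, was carried over from the password tests, but only `ANON_ACI` is added here; `# Add anonymous read aci` would match the code. Because this allow rule on `targetattr="*"` is inserted right before the checks of the `deny(all)` role ACI, a one-line comment stating why the test needs it would make clear that it is not meant to weaken the deny being verified. Both test functions continue outside their hunks.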

+ 6 - 7
dirsrvtests/tests/suites/sasl/regression_test.py

@@ -1,15 +1,14 @@
 # --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2016 Red Hat, Inc.
+# Copyright (C) 2020 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
 # See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
 #
-import base64
+
 import os
 import pytest
-import subprocess
 from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_m2
@@ -146,11 +145,11 @@ def test_openldap_no_nss_crypto(topology_m2):
 
     log.info('##### Searching for entries on master1...')
     entries = m1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
-    assert 10 == len(entries)
+    assert 11 == len(entries)
 
     log.info('##### Searching for entries on master2...')
     entries = m2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
-    assert 10 == len(entries)
+    assert 11 == len(entries)
 
     relocate_pem_files(topology_m2)
 
@@ -162,11 +161,11 @@ def test_openldap_no_nss_crypto(topology_m2):
 
     log.info('##### Searching for entries on master1...')
     entries = m1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
-    assert 20 == len(entries)
+    assert 21 == len(entries)
 
     log.info('##### Searching for entries on master2...')
     entries = m2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
-    assert 20 == len(entries)
+    assert 21 == len(entries)
 
     output_file = os.path.join(m1.get_ldif_dir(), "master1.ldif")
     m1.tasks.exportLDIF(benamebase='userRoot', output_file=output_file, args={'wait': True})
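Review bot: The expected counts in `test_openldap_no_nss_crypto` change from 10/20 to 11/21 with no indication of where the extra `(uid=*)` entry comes from. If it is an entry that now exists in the suffix by default, recording the baseline before the test adds its users, e.g. `base = len(m1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)'))`, and asserting relative to it would survive the next change to the sample data. At minimum a comment naming the extra entry is needed. The function body starts and ends outside these hunks.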

+ 0 - 84
dirsrvtests/tests/suites/setup_ds/setup_ds_test.py

@@ -1,84 +0,0 @@
-import pytest
-from lib389.utils import *
-from lib389._constants import (DEFAULT_SUFFIX, SER_HOST, SER_PORT,
-                               SER_SERVERID_PROP, SER_CREATION_SUFFIX, SER_INST_SCRIPTS_ENABLED,
-                               args_instance, ReplicaRole)
-
-from lib389 import DirSrv
-
-pytestmark = pytest.mark.tier0
-
-DEBUGGING = os.getenv("DEBUGGING", default=False)
-if DEBUGGING:
-    logging.getLogger(__name__).setLevel(logging.DEBUG)
-else:
-    logging.getLogger(__name__).setLevel(logging.INFO)
-log = logging.getLogger(__name__)
-
-
-def create_instance(config_attr):
-    log.info('create_instance - Installs the instance and Sets the value of InstScriptsEnabled to true OR false.')
-
-    log.info("Set up the instance and set the config_attr")
-    instance_data = generate_ds_params(1, ReplicaRole.STANDALONE)
-    # Create instance
-    standalone = DirSrv(verbose=False)
-
-    # Args for the instance
-    args_instance[SER_HOST] = instance_data[SER_HOST]
-    args_instance[SER_PORT] = instance_data[SER_PORT]
-    args_instance[SER_SERVERID_PROP] = instance_data[SER_SERVERID_PROP]
-    args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
-    args_instance[SER_INST_SCRIPTS_ENABLED] = config_attr
-    args_standalone = args_instance.copy()
-    standalone.allocate(args_standalone)
-    if standalone.exists():
-        standalone.delete()
-    standalone.create()
-    standalone.open()
-    return standalone
-
-
[email protected]("config_attr", ('true', 'false'))
-def test_slapd_InstScriptsEnabled(config_attr):
-    """Tests InstScriptsEnabled attribute with "True" and "False" options
-
-    :id: 02faac7f-c44d-4a3e-bf2d-1021e51da1ed
-    :parametrized: yes
-    :setup: Standalone instance with slapd.InstScriptsEnabled option as "True" and "False"
-
-    :steps:
-         1. Execute setup-ds.pl with slapd.InstScriptsEnabled option as "True".
-         2. Check if /usr/lib64/dirsrv/slapd-instance instance script directory is created or not.
-         3. Execute setup-ds.pl with slapd.InstScriptsEnabled option as "False".
-         4. Check if /usr/lib64/dirsrv/slapd-instance instance script directory is created or not.
-
-    :expectedresults:
-         1. Instance should be created.
-         2. /usr/lib64/dirsrv/slapd-instance instance script directory should be created.
-         3. Instance should be created.
-         4. /usr/lib64/dirsrv/slapd-instance instance script directory should not be created.
-    """
-
-    log.info('set SER_INST_SCRIPTS_ENABLED to {}'.format(config_attr))
-    standalone = create_instance(config_attr)
-
-    # Checking the presence of instance script directory when SER_INST_SCRIPTS_ENABLED is set to true and false
-    if config_attr == 'true':
-        log.info('checking the presence of instance script directory when SER_INST_SCRIPTS_ENABLED is set to true')
-        assert os.listdir('/usr/lib64/dirsrv/slapd-standalone1')
-
-    elif config_attr == 'false':
-        log.info('checking instance script directory does not present when SER_INST_SCRIPTS_ENABLED is set to false')
-        assert not os.path.exists("/usr/lib64/dirsrv/slapd-standalone1")
-
-    # Remove instance
-    standalone.delete()
-
-
-if __name__ == '__main__':
-    # Run isolated
-    # -s for DEBUG mode
-    CURRENT_FILE = os.path.realpath(__file__)
-    pytest.main("-s %s" % CURRENT_FILE)
-

+ 0 - 1
docs/CREDITS.artwork

@@ -1 +0,0 @@
-Tops artwork by Logan Megginson

+ 0 - 143
docs/intro.md

@@ -1,143 +0,0 @@
-Nunc Stans
-==========
-Nunc Stans is an event framework wrapper that provides a thread pool for event
-callback execution.  It provides thread safety to event frameworks by isolating
-and protecting the thread safe parts from the non-thread safe parts, and allows
-multi-threaded applications to use event frameworks that are not thread safe.
-It has been primarily developed using [libevent](http://libevent.org "libevent
-home page") , but has also been tested with [tevent](https://tevent.samba.org
-"tevent home page").   Nunc Stans uses lock free data structures where possible,
-to avoid mutex contention. The ​[liblfds](http://liblfds.org "Lock Free Data Structure")
-library is used.
-
-There are two main components: the *event loop thread and queue*, and the
-*worker threads and queues*.  The basic concept is the
-[Thread Pool Pattern](https://en.wikipedia.org/wiki/Thread_pool_pattern "Thread
-Pool Pattern description"), where the primary source of tasks (*job* in nunc
-stans) for the task queue (the *work queue* in nunc stans) is provided by the
-event framework for I/O, timer, and signal events.
-
-License
--------
-Nunc Stans is licensed under the GNU General Public License version 3 or later.
-Nunc Stans also provides an exception for the use of OpenSSL.  See the files
-'COPYING', 'COPYING.openssl', and 'COPYING.liblfds' for more information.
-
-Event Loop Thread And Queue
----------------------------
-
-The event queue is essentially the "main loop" of the application.  It runs in
-its own thread.  The event queue thread is the only thread that interfaces with
-the event framework - adding events, removing events, and
-issuing the callbacks when the event is triggered.  This guarantees that all
-interactions with the event framework are performed in a thread safe manner.
-When a threaded application wants to be called back because of some event (I/O,
-timer, signal), it posts the event and callback data to the event queue.  All
-interaction with the event queue is thread safe - multiple threads can post
-requests to the event queue at the same time.  The event loop thread dequeues
-all of the event requests from the event queue, creates/removes
-events, then calls the event waiting function of the event framework.  This
-assumes the underlying event framework has a function that allows waiting for a
-single event - something like `event_base_loop()` in libevent, or
-`tevent_loop_wait()` in tevent.
-
-When the application wants events to be triggered as soon as possible, but the
-event framework is waiting for very long lived events, the event queue has a
-persistent I/O listener called the *event_q_wakeup_pipe*.  When the application
-adds an event, nunc-stans will write to the pipe, which will cause the event
-framework to immediately wake up and add the pending events, then do a thread
-yield to allow the event framework thread to execute.
-
-When an event is triggered by I/O, timer, or signal, the event callback is
-called.  The callback can either be run in the event loop thread, or can be
-handed off to the *work queue* for execution in a *worker thread*.  The
-application uses the flag *NS_JOB_THREAD* to specify that a job will be
-executed in a worker thread.
-
-**NOTE:** Jobs executed in the event loop thread don't need locking if they
-don't use resources shared with other threads.  This corresponds to a single
-threaded app where all jobs are run inside the main loop and no locking is
-required.  However, just as in that case, jobs run in the event loop thread
-must be very careful to execute very quickly and not block on I/O or other
-resources.  This can lead to event starvation.
-
-Worker Threads and Queues
--------------------------
-
-When a job is placed on the *work queue*, it will be executed in a *worker
-thread*.  The number of worker threads is specified when nunc stans is
-initialized.  Each worker thread sleeps on a condition variable
-(e.g. `pthread_cond_wait()`).  When a job is placed on the work queue, nunc
-stans will notify the condition variable, waking up one of the worker threads.
-This worker thread will dequeue the job from the work queue and execute it.
-The work queue is thread safe - the event loop thread can enqueue jobs at the
-same time as the worker threads dequeue jobs.  Note that the worker threads
-only execute jobs which have the *NS_JOB_THREAD* flag.  Jobs without this flag
-will be executed in the event loop thread.
-
-Diagram
--------
-![Nunc Stans Diagram](nunc-stans-intro.png "Nunc Stans Diagram")
-
-Diagram Explanation
--------------------
-
-The solid thick lines represent the flow of data, typically an `ns_job_t`
-object.  The small dotted lines represent the flow of the program, or the flow
-of control.  In the case of the signal and notification events, these represent
-the program sending a signal or notification, but not yielding control.  The
-thick dashed lines represent the flow of data and program i.e. a function that
-takes an `ns_job_t` object and is the primary program path.  The *event queue*
-and the *work queue* are thread safe FIFO/queue objects.  The bottom of the
-stack of ellipses is the tail and the top is the head, labeled "head".  The
-shaded box labeled "event framework" is the event framework (e.g. libevent).
-The boxes that are partially in and partially outside of the event framework
-are functions that take nunc stans objects and convert them into the format
-used by the event framework.  Note that the "add/remove event in
-framework" function will pass ownership of the job into the event framework, so
-that the event framework will opaquely own that data in the case of add events.
-The shaded box labeled "event loop callback" is called by the
-event framework for each triggered event.  The event loop callback will either
-execute the job immediately (for non-threaded jobs) or queue the job on the
-work queue for execution by a worker thread (for threaded jobs - the
-`NS_JOB_THREADED` job flag).
-
-The event loop thread and the worker threads are represented by large boxes.
-Everything in the box happens inside that thread.  The boxes that are partly
-inside and partly outside represent functions (e.g. the functions to
-add/delete an event job) and data structures (the event queue, the
-wakeup fd) that are thread safe or are otherwise protected and can be accessed
-both from within and outside of the thread.  Although the diagram shows only 1
-worker thread, there will usually be more than one, and they all share the same
-work queue, which is thread safe.
-
-The usual starting point is the application represented by the **APP** icon on
-the left side.  The application will typically create a new event job (e.g. a
-network socket listener).  The job will be handed off to the event queue for
-processing by the event loop thread.  If this is not happening inside the event
-loop thread, the event framework will be notified.  This is necessary because
-the event framework could be waiting for a very long time if there are no I/O
-or signals happening, or if the timer jobs are very long lived.  This will
-wakeup the event framework immediately so that it will loop back around to
-process the events in the event queue.  The event loop will dequeue all of the
-jobs from the event queue and perform the appropriate add/remove job in
-the event framework.  This ensures that only the single event loop thread, not
-multiple threads, will interact with the event framework.  Then the event
-framework will wait for events.  Once an event is triggered, the event
-framework will iterate through all of the triggered events and call the event
-loop callback for each one.  This callback will either execute the job
-immediately or add the job to the work queue for a worker thread.  This will
-also signal the worker threads (e.g. something like `pthread_cond_wait`) to
-notify them that there is a new job for processing.  Once all of the events are
-processed, the event loop goes back to the top to see if there are more events
-to process.  The worker thread signal will typically wake up 1 of the worker
-threads, which will dequeue the job and execute it.
-
-Note that the job callback is called both with the data (the `ns_job_t` object)
-and the program flow.  This callback is entry point into the application.  It
-is the responsibility of the callback to manage the `ns_job_t` object, either
-by calling `ns_job_done` to dispose of it safely, or by calling `ns_job_rearm` to
-"re-arm" the event.  If the
-job is not a threaded job, it is executed in the event loop thread, and can
-block all other events from being processed, so great care must be taken not to
-perform any long running task or otherwise block the thread.

+ 0 - 90
docs/job-safety.md

@@ -1,90 +0,0 @@
-Nunc Stans Job Safety
-=====================
-
-Nunc Stans 0.2.0 comes with many improvements for job safety. Most consumers of
-this framework will not notice the difference if they are using it "correctly",
-but in other cases, you may find you have error conditions.
-
-Jobs now flow through a set of states in their lifetime.
-
-States
-------
-
-* WAITING: This represents a job that is idle, and not owned by a worker or event thread. Any thread can alter this job.
-* NEEDS_DELETE: This represents a job that is marked for deletion. It cannot be accessed again!
-* DELETED: This represents a job that is deleted. In theory, you can never access a job in this state.
-* NEEDS_ARM: This is a job that is about to be placed into the event or work queue for arming, but has not yet been queued.
-* ARMED: This is a job that is currently in the event queue or work queue waiting to be executed.
-* RUNNING: This is a job that is in the process of executing it's callback right now.
-
-Diagram
--------
-
-![Nunc Stans Job States](nunc-stans-job-states.png "Nunc Stans Job States")
-
-WAITING
--------
-
-All jobs start in the WAITING state. At this point, the job can have two transitions. It is sent to ns_job_done, and marked as NEEDS_DELETE, or it can be sent to ns_job_rearm, and marked as NEEDS_ARM. A job that is WAITING can be safely modify with ns_job_set_* and accessed with ns_job_get_* from any thread.
-
-NEEDS_ARM
----------
-
-Once a job is in the NEEDS_ARM state, it can not be altered by ns_job_set_*. It can be read from with ns_job_get_*. It can be sent to ns_job_done (which moves to NEEDS_DELETE), but generally this is only from within the job callback, with code like the following.
-
-    callback(ns_job_t *job) {
-        ns_job_rearm(job);
-        ns_job_done(job);
-    }
-
-
-NEEDS_ARM in most cases will quickly move to the next state, ARMED
-
-ARMED
------
-
-In the ARMED state, this means that the job has been sucessfully queued into the event *or* work queue. In the ARMED state, the job can be read from with ns_job_get_*, but it cannot be altered with ns_job_set_*. If a job could be altered while queued, this could cause issues with the intent of what the job should do (set_data, set_cb, set_done_cb) etc.
-
-A job that is ARMED and queued can NOT be removed from the queue, or stopped from running. This is a point of no return!
-
-RUNNING
--------
-
-In the RUNNING state, the job is in the process of executing the callback that the job contains. While RUNNING, the thread that is executing the callback may call ns_job_done, ns_job_rearm, ns_job_get_* and ns_job_set_* upon the job. Note, that calling both ns_job_done and ns_job_rearm from the callback, as the 'done' is a 'stronger' action we will delete the job even though rearm was also called.
-
-While RUNNING other threads (ie, not the worker thread executing the callback) may only call ns_job_get_* upon the job. Due to the design of the synchronisation underneath, this will block until the execution of the callback, so for all intents and purposes by the time the external thread is able to call ns_job_get_*, the job will have moved to NEEDS_DELETE, NEEDS_ARM or WAITING.
-
-NEEDS_DELETE
-------------
-
-When you call ns_job_done, this marks the job as NEEDS_DELETE. The deletion actually occurs at "some later point". When a job is set to NEEDS_DELETE, you may *not* call any of the ns_job_get_* and ns_job_set_* functions on the job.
-
-DELETED
--------
-
-This state only exists on the job briefly. This means we are in the process of deleting the job internally. We execute the ns_job_done_cb at this point, so that the user may clean up and free any data as required. Only the ns_job_done_cb thread may access the job at this point.
-
-
-Putting it all together
------------------------
-
-This state machine encourages certain types of work flows with jobs. This is because the current states are opaque to the caller, and are enforced inside of nunc-stans. The most obviously side effect of a state machine violation is a ASSERT failure with -DDEBUG, or PR_FAILURE from get()/set(). This encourages certain practices:
-
-* Only single threads should be accessing jobs. This prevents races and sync issues.
-* Data and variables should exist in a single job. Avoid shared (heap) memory locations!
-* Changing jobs should only happen from within the callback, as you can guarantee a consistent state without needing to spin/block on ns_job_set_*.
-* You may not need mutexes on your data or thread locals, as the job provides the correct cpu synchronisation guarantees. Consider that each job takes a "root" data node, then all other allocated variables are referenced there only by the single thread. You can now dispose of mutexes, as the job will guarantee the synchronisation of this data.
-* Jobs work well if stack variables are used inside the callback functions, rather than heap.
-
-Some work flows that don't work well here:
-
-* Having threads alter in-flight jobs. This causes race conditions and inconsistencies.
-* Sharing heap data via pointers in jobs. This means you need a mutex on the data, which causes a serialisation point: Why bother with thread pools if you are just going to serialise on some data points anyway!
-* Modifying jobs and what they handle. Don't do it! Just ns_job_done on the job, and create a new one that matches what you want to do.
-* Map reduce: Nunc-Stans doesn't provide a good way to aggregate data on the return, IE reduce. You may need to provide a queue or some other method to reduce if you were interested in this.
-
-Examples
---------
-
-Inside of the nunc-stans project, the tests/cmocka/stress_test.c code is a good example of a socket server and socket client using nunc-stans that adheres to these principles.
-

BIN
docs/logo-banner.png


BIN
docs/logo-banner.xcf


BIN
docs/logo-square.xcf


BIN
docs/nunc-stans-intro.dia


BIN
docs/nunc-stans-intro.png


BIN
docs/nunc-stans-job-states.dia


BIN
docs/nunc-stans-job-states.png


BIN
docs/tops_tops.xcf


+ 0 - 214
ldap/admin/src/makemccvlvindexes

@@ -1,214 +0,0 @@
-#!/usr/bin/env perl
-#
-# BEGIN COPYRIGHT BLOCK
-# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
-# Copyright (C) 2005 Red Hat, Inc.
-# All rights reserved.
-#
-# License: GPL (version 3 or any later version).
-# See LICENSE for details. 
-# END COPYRIGHT BLOCK
-#
-
-# makemccvlvindexes
-
-sub usage_and_exit
-{
-    print "makemccvlvindexes usage\n";
-    print "\n";
-    print "This script analyses an LDAP directory in order to create VLV indices which\n";
-    print "could be configured to improve the performance of one-level searches.\n";
-    print "This is principally to be used to tune the directory browsing feature\n";
-    print "of the Mission Control Console.\n";
-    print "\n";
-    print "An LDAP client can only take advantage of these indices if it is itself\n";
-    print "VLV enabled. See the following specification for full details.\n";
-    print "\n";
-    print "ftp://ftp.ietf.org/internet-drafts/draft-ietf-ldapext-ldapv3-vlv-00.txt\n";
-    print "\n";
-    print "Command Line Arguments\n";
-    print "-?           - help\n";
-    print "-D rootdn    - Provide a root DN.  Default= '$rootdn'\n";
-    print "-w password  - Provide a password for the root DN.\n";
-    print "-h host      - Provide a host name. Default= '$host'\n";
-    print "-p port      - Provide a port. Default= '$port'\n";
-    print "-t threshold - Provide a container subordinate threshold. Default= $threshold\n";
-    print "-f filter    - Provide a search filter. Default= '$vlvfilter'\n";
-    print "-s sort      - Provide a sort specification. Default='$vlvsort'\n";
-    print "-n           - Do the work, but don't create the indices\n";
-    exit;
-}
-
-# Initialise some things
-$vlvfilter= "(objectclass=*)";
-$vlvsort= "sn givenname cn ou o";
-$rootdn= "cn= Directory Manager";
-$host= "localhost";
-$port= "389";
-$threshold= 1000;
-$really_do_it= "1";
-
-# Process the command line arguments
-while( $arg = shift)
-{
-    if($arg eq "-?")
-    {
-        usage_and_exit();
-    }
-    elsif($arg eq "-D")
-    {
-        $rootdn= shift @ARGV;
-    }
-    elsif($arg eq "-w")
-    {
-        $rootpw= shift @ARGV;
-    }
-    elsif($arg eq "-h")
-    {
-        $host= shift @ARGV;
-    }
-    elsif($arg eq "-p")
-    {
-        $port= shift @ARGV;
-    }
-    elsif($arg eq "-t")
-    {
-        $threshold= shift @ARGV;
-    }
-    elsif($arg eq "-f")
-    {
-        $vlvfilter= shift @ARGV;
-    }
-    elsif($arg eq "-s")
-    {
-        $vlvsort= shift @ARGV;
-    }
-    elsif($arg eq "-n")
-    {
-        $really_do_it= "0";
-    }
-    else
-    {
-        print "$arg: Unknown command line argument.\n";
-    }
-}
-
-$ldapsearch= "ldapsearch -h $host -p $port";
-$ldapmodify= "ldapmodify -h $host -p $port -D \"$rootdn\" -w $rootpw";
-
-if( $vlvfilter eq "" ||
-    $vlvsort eq "" ||
-    $rootdn eq "" ||
-    $host eq "" ||
-    $port eq "" ||
-    $threshold eq "")
-{
-    print "Error: Need command line information..\n";
-    usage_and_exit();
-}
-
-if( $rootpw eq "" )
-{
-    print "Warning: No root DN password provided.  Won't be able to add VLV Search and Index entries.\n";
-}
-
-# Tell the user what we're up to.
-print "Searching all naming contexts on '$host:$port' for containers with more than $threshold subordinate entries\n";
-
-# Read the naming contexts from the root dse
-@namingcontexts= `$ldapsearch -s base -b \"\" \"objectclass=*\" namingcontexts`;
-
-# Get rid of the first line 'dn:'
-shift @namingcontexts;
-
-# Foreach naming context...
-foreach $nc (@namingcontexts)
-{
-    # Extract the base from the naming context
-    @base= split ' ', $nc;
-    shift @base;
-
-    # Find all the containers
-    print "Searching naming context '@base' for containers.\n";
-    @containers= `$ldapsearch -s subtree -b \"@base\" \"numsubordinates=*\" numsubordinates`;
-    chop @containers;
-
-    # Foreach container
-
-    while(@containers)
-    {
-        # <dn, count, blank>
-        $dn_line= shift @containers;
-        $count_line= shift @containers;
-        shift @containers;
-
-        # Extract the count, and check it against the threshold
-        @count_array= split ' ', $count_line;
-        $count= @count_array[1];
-        $dn= substr($dn_line,4);
-        print "Found container '$dn' with $count subordinates. ";
-        if($count > $threshold)
-        {
-            # We've found a container that should be indexed.
-            # Extract the DN and RDN of the container
-            $comma_position= (index $dn, ',');
-            if($comma_position== -1)
-            {
-                $rdn= $dn
-            }
-            else
-            {
-                $rdn= substr($dn, 0, $comma_position);
-            }
-
-            # Tell the user what we're up to.
-            print "Adding VLV Search and Index entries.\n";
-
-            # Build the vlv search and index entries to be added.
-            $vlvsearch_name= "MCC $rdn";
-            @vlvsearch= ( 
-                        "dn: cn=$vlvsearch_name, cn=config, cn=ldbm\n",
-                        "objectclass: top\n",
-                        "objectclass: vlvSearch\n",
-                        "cn: $vlvsearch_name\n",
-                        "vlvbase: $dn\n",
-                        "vlvfilter: $vlvfilter\n",
-                        "vlvscope: 1\n\n" );
-
-            $vlvindex_name= "SN $vlvsearch_name";
-            @vlvindex= (
-                        "dn: cn=$vlvindex_name, cn=$vlvsearch_name, cn=config, cn=ldbm\n",
-                        "objectclass: top\n",
-                        "objectclass: vlvIndex\n",
-                        "cn: $vlvindex_name\n",
-                        "vlvsort: $vlvsort\n\n" );
-
-            @vlvnames = ( @vlvnames, "\"" . $vlvindex_name . "\"");
-
-            if($really_do_it eq "1")
-            {
-                open(FD,"| $ldapmodify -a -c");
-                print FD @vlvsearch;
-                print FD @vlvindex;
-                close(FD);
-            }
-        }
-        else
-        {
-            print "Too small.\n";
-        }
-    }
-}
-
-# Dump a script to actually create the indexes
-if($really_do_it eq "1" && $#vlvnames > 0)
-{
-    print "\n";
-    print "$#vlvnames VLV indices have been declared.  Execute the following commands to build the index files.\n";
-    print "\n";
-    print "<config-dir>\\stop\n";
-    print "slapd db2index -f <config-dir> -V @vlvnames\n";
-    print "<config-dir>\\start\n";
-}
-
-

+ 0 - 112
ldap/admin/src/makevlvindex

@@ -1,112 +0,0 @@
-#!/usr/bin/env perl
-#
-# BEGIN COPYRIGHT BLOCK
-# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
-# Copyright (C) 2005 Red Hat, Inc.
-# All rights reserved.
-#
-# License: GPL (version 3 or any later version).
-# See LICENSE for details. 
-# END COPYRIGHT BLOCK
-#
-
-# makevlvindex
-
-sub usage_and_exit
-{
-    print "makevlvindex [options]\n";
-    print "\n";
-    print "Options:\n";
-    print "-?              - help\n";
-    print "-D rootdn       - Provide a root DN.  Default= '$rootdn'\n";
-    print "-w password     - Provide a password for the root DN.\n";
-    print "-h host         - Provide a host name. Default= '$host'\n";
-    print "-p port         - Provide a port. Default= '$port'\n";
-    print "-sn search_name - RDN of the vlvSearch parent entry.\n";
-    print "-in index_name  - RDN for the vlvIndex child entry.\n";
-    print "-s sort         - Provide a sort specification. Default='$vlvsort'\n";
-    exit;
-}
-
-# Initialise some things
-$vlvsearch_name= "";
-$vlvindex_name= "";
-$vlvsort= "sn givenname cn ou o";
-$rootdn= "cn=Directory Manager";
-$host= "localhost";
-$port= "389";
-
-# Process the command line arguments
-while( $arg = shift)
-{
-    if($arg eq "-?")
-    {
-        usage_and_exit();
-    }
-    elsif($arg eq "-D")
-    {
-        $rootdn= shift @ARGV;
-    }
-    elsif($arg eq "-w")
-    {
-        $rootpw= shift @ARGV;
-    }
-    elsif($arg eq "-h")
-    {
-        $host= shift @ARGV;
-    }
-    elsif($arg eq "-p")
-    {
-        $port= shift @ARGV;
-    }
-    elsif($arg eq "-sn")
-    {
-        $vlvsearch_name= shift @ARGV;
-    }
-    elsif($arg eq "-in")
-    {
-        $vlvindex_name= shift @ARGV;
-    }
-    elsif($arg eq "-s")
-    {
-        $vlvsort= shift @ARGV;
-    }
-    else
-    {
-        print "$arg: Unknown command line argument.\n";
-    }
-}
-
-$ldapmodify= "ldapmodify -h $host -p $port -D \"$rootdn\" -w $rootpw";
-
-if( $vlvsearch_name eq "" ||
-    $vlvindex_name eq "" ||
-    $vlvsort eq "" ||
-    $rootdn eq "" ||
-    $host eq "" ||
-    $port eq "")
-{
-    print "Error: Need command line information..\n";
-    usage_and_exit();
-}
-
-if( $rootpw eq "" )
-{
-    print "Warning: No root DN password provided.  Won't be able to add VLV Search and Index entries.\n";
-}
-
-# Tell the user what we're up to.
-print "Adding VLV Search entry.\n";
-
-@vlvindex= (
-            "dn: cn=$vlvindex_name, cn=$vlvsearch_name, cn=config, cn=ldbm\n",
-            "objectclass: top\n",
-            "objectclass: vlvIndex\n",
-            "cn: $vlvindex_name\n",
-            "vlvsort: $vlvsort\n\n" );
-
-open(FD,"| $ldapmodify -a -c");
-print FD @vlvindex;
-close(FD);
-
-

+ 0 - 141
ldap/admin/src/makevlvsearch

@@ -1,141 +0,0 @@
-#!/usr/bin/env perl
-#
-# BEGIN COPYRIGHT BLOCK
-# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
-# Copyright (C) 2005 Red Hat, Inc.
-# All rights reserved.
-#
-# License: GPL (version 3 or any later version).
-# See LICENSE for details. 
-# END COPYRIGHT BLOCK
-#
-
-# makevlvsearch
-
-sub usage_and_exit
-{
-    print "makevlvsearch [options]\n";
-    print "\n";
-    print "May be used to create just a vlvSearch entry, or to create\n";
-    print "both a vlvSearch and vlvIndex entry.\n";
-    print "\n";
-    print "Options:\n";
-    print "-?              - help\n";
-    print "-D rootdn       - Provide a root DN.  Default= '$rootdn'\n";
-    print "-w password     - Provide a password for the root DN.\n";
-    print "-h host         - Provide a host name. Default= '$host'\n";
-    print "-p port         - Provide a port. Default= '$port'\n";
-    print "-b scope        - Provide a scope. 1 or 2. Default= '$vlvscope'\n";
-    print "-f filter       - Provide a search filter. Default= '$vlvfilter'\n";
-    print "-sn search_name - RDN of the vlvSearch parent entry.\n";
-    print "-in index_name  - RDN for the vlvIndex child entry.\n";
-    print "-s sort         - Provide a sort specification. Default='$vlvsort'\n";
-    exit;
-}
-
-# Initialise some things
-$vlvsearch_name= "";
-$vlvindex_name= "";
-$vlvscope= "2";
-$vlvfilter= "(objectclass=*)";
-$vlvsort= "";
-$rootdn= "cn=Directory Manager";
-$host= "localhost";
-$port= "389";
-
-# Process the command line arguments
-while( $arg = shift)
-{
-    if($arg eq "-?")
-    {
-        usage_and_exit();
-    }
-    elsif($arg eq "-D")
-    {
-        $rootdn= shift @ARGV;
-    }
-    elsif($arg eq "-w")
-    {
-        $rootpw= shift @ARGV;
-    }
-    elsif($arg eq "-h")
-    {
-        $host= shift @ARGV;
-    }
-    elsif($arg eq "-p")
-    {
-        $port= shift @ARGV;
-    }
-    elsif($arg eq "-b")
-    {
-        $vlvscope= shift @ARGV;
-    }
-    elsif($arg eq "-f")
-    {
-        $vlvfilter= shift @ARGV;
-    }
-    elsif($arg eq "-s")
-    {
-        $vlvsort= shift @ARGV;
-    }
-    elsif($arg eq "-sn")
-    {
-        $vlvsearch_name= shift @ARGV;
-    }
-    elsif($arg eq "-in")
-    {
-        $vlvindex_name= shift @ARGV;
-    }
-    else
-    {
-        print "$arg: Unknown command line argument.\n";
-    }
-}
-
-$ldapmodify= "ldapmodify -h $host -p $port -D \"$rootdn\" -w $rootpw";
-
-if( $vlvfilter eq "" ||
-    $vlvscope eq "" ||
-    $vlvsearch_name eq "" ||
-    $rootdn eq "" ||
-    $host eq "" ||
-    $port eq "")
-{
-    print "Error: Need command line information..\n";
-    usage_and_exit();
-}
-
-if( $rootpw eq "" )
-{
-    print "Warning: No root DN password provided.  Won't be able to add VLV Search and Index entries.\n";
-}
-
-# Tell the user what we're up to.
-print "Adding VLV Search and Index entries.\n";
-
-# Build the vlv search and index entries to be added.
-@vlvsearch= ( 
-            "dn: cn=$vlvsearch_name, cn=config, cn=ldbm\n",
-            "objectclass: top\n",
-            "objectclass: vlvSearch\n",
-            "cn: $vlvsearch_name\n",
-            "vlvbase: $dn\n",
-            "vlvfilter: $vlvfilter\n",
-            "vlvscope: $vlvscope\n\n" );
-
-@vlvindex= (
-            "dn: cn=$vlvindex_name, cn=$vlvsearch_name, cn=config, cn=ldbm\n",
-            "objectclass: top\n",
-            "objectclass: vlvIndex\n",
-            "cn: $vlvindex_name\n",
-            "vlvsort: $vlvsort\n\n" );
-
-open(FD,"| $ldapmodify -a -c");
-print FD @vlvsearch;
-if( not($vlvindex_name eq "" || $vlvsort eq ""))
-{
-    print FD @vlvindex;
-}
-close(FD);
-
-

+ 0 - 23
ldap/admin/src/scripts/10cleanupldapi.pl

@@ -1,23 +0,0 @@
-use Mozilla::LDAP::Conn;
-use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
-
-sub runinst {
-    my ($inf, $inst, $dseldif, $conn) = @_;
-
-    my @errs;
-    my $ldapifile;
-
-    # see if nsslapd-rundir is defined
-    my $ent = $conn->search("cn=config", "base", "(objectclass=*)");
-    if (!$ent) {
-        return ('error_finding_config_entry', 'cn=config', $conn->getErrorString());
-    }
-
-    $ldapifile = $ent->getValues('nsslapd-ldapifilepath');
-    if ($ldapifile) {
-        unlink($ldapifile);
-    }
-
-    return ();
-}

+ 0 - 23
ldap/admin/src/scripts/10delautodnsuffix.pl

@@ -1,23 +0,0 @@
-use Mozilla::LDAP::Conn;
-use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
-
-sub runinst {
-    my ($inf, $inst, $dseldif, $conn) = @_;
-
-    my @errs;
-
-    # see if nsslapd-ldapiautodnsuffix is defined
-    my $ent = $conn->search("cn=config", "base", "(objectclass=*)");
-    if (!$ent) {
-        return ('error_finding_config_entry', 'cn=config', $conn->getErrorString());
-    }
-
-    if ($ent->getValues('nsslapd-ldapiautodnsuffix')) {
-        $ent->remove('nsslapd-ldapiautodnsuffix');
-        $conn->update($ent);
-        # ignore errors - cn=config attr deletion not allowed over ldap
-    }
-
-    return ();
-}

+ 0 - 39
ldap/admin/src/scripts/10fixrundir.pl

@@ -1,39 +0,0 @@
-use Mozilla::LDAP::Conn;
-use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
-
-sub runinst {
-    my ($inf, $inst, $dseldif, $conn) = @_;
-
-    my @errs;
-    my $mode;
-
-    # see if nsslapd-rundir is defined
-    my $ent = $conn->search("cn=config", "base", "(objectclass=*)");
-    if (!$ent) {
-        return ('error_finding_config_entry', 'cn=config', $conn->getErrorString());
-    }
-
-    if (!$ent->getValues('nsslapd-rundir')) {
-        $ent->setValues('nsslapd-rundir', $inf->{slapd}->{run_dir});
-        # mark as modified so update will use a replace instead of an add
-        $ent->attrModified('nsslapd-rundir');
-        $conn->update($ent);
-        my $rc = $conn->getErrorCode();
-        if ($rc) {
-            return ('error_updating_entry', 'cn=config', $conn->getErrorString());
-        }
-    }
-
-    # ensure that other doesn't have permissions on rundir
-    $mode = (stat($inf->{slapd}->{run_dir}))[2] or return ('error_chmoding_file', $inf->{slapd}->{run_dir}, $!);
-    # mask off permissions for other
-    $mode &= 07770;
-    $! = 0; # clear errno
-    chmod $mode, $inf->{slapd}->{run_dir};
-    if ($!) {
-        return ('error_chmoding_file', $inf->{slapd}->{run_dir}, $!);
-    }
-
-    return ();
-}

+ 0 - 74
ldap/admin/src/scripts/20betxn.pl

@@ -1,74 +0,0 @@
-use Mozilla::LDAP::Conn;
-use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
-
-sub runinst {
-    my ($inf, $inst, $dseldif, $conn) = @_;
-
-    my @errs;
-    my $ldapifile;
-
-    # Turn on nsslapd-pluginbetxn for 
-    #     cn=Multimaster Replication Plugin
-    #     cn=Roles Plugin,cn=plugins,cn=config
-    #     cn=USN,cn=plugins,cn=config
-    #     cn=Retro Changelog Plugin,cn=plugins,cn=config
-    my @objplugins = (
-        "cn=Multimaster Replication Plugin,cn=plugins,cn=config",
-        "cn=Roles Plugin,cn=plugins,cn=config",
-        "cn=USN,cn=plugins,cn=config",
-        "cn=Retro Changelog Plugin,cn=plugins,cn=config"
-    );
-    foreach my $plugin (@objplugins) {
-        my $ent = $conn->search($plugin, "base", "(cn=*)");
-        if (!$ent) {
-            return ('error_finding_config_entry', $plugin, $conn->getErrorString());
-        }
-        $ent->setValues('nsslapd-pluginbetxn', "on");
-        $conn->update($ent);
-    }
-
-    # Set betxnpreoperation to nsslapd-plugintype for 
-    #     cn=7-bit check,cn=plugins,cn=config
-    #     cn=attribute uniqueness,cn=plugins,cn=config
-    #     cn=Auto Membership Plugin,cn=plugins,cn=config
-    #     cn=Linked Attributes,cn=plugins,cn=config
-    #     cn=Managed Entries,cn=plugins,cn=config
-    #     cn=PAM Pass Through Auth,cn=plugins,cn=config
-    @preplugins = (
-          "cn=7-bit check,cn=plugins,cn=config",
-          "cn=attribute uniqueness,cn=plugins,cn=config",
-          "cn=Auto Membership Plugin,cn=plugins,cn=config",
-          "cn=Linked Attributes,cn=plugins,cn=config",
-          "cn=Managed Entries,cn=plugins,cn=config",
-          "cn=PAM Pass Through Auth,cn=plugins,cn=config"
-    );
-    foreach my $plugin (@preplugins) {
-        my $ent = $conn->search($plugin, "base", "(cn=*)");
-        if (!$ent) {
-            return ('error_finding_config_entry', $plugin, $conn->getErrorString());
-        }
-        $ent->setValues('nsslapd-pluginType', "betxnpreoperation");
-        $conn->update($ent);
-    }
-
-    # Set betxnpostoperation to nsslapd-plugintype for 
-    #     cn=MemberOf Plugin,cn=plugins,cn=config
-    #     cn=referential integrity postoperation,cn=plugins,cn=config
-    #     cn=State Change Plugin,cn=plugins,cn=config
-    @postplugins = (
-          "cn=MemberOf Plugin,cn=plugins,cn=config",
-          "cn=referential integrity postoperation,cn=plugins,cn=config",
-          "cn=State Change Plugin,cn=plugins,cn=config"
-    );
-    foreach my $plugin (@postplugins) {
-        my $ent = $conn->search($plugin, "base", "(cn=*)");
-        if (!$ent) {
-            return ('error_finding_config_entry', $plugin, $conn->getErrorString());
-        }
-        $ent->setValues('nsslapd-pluginType', "betxnpostoperation");
-        $conn->update($ent);
-    }
-
-    return ();
-}

+ 0 - 16
ldap/admin/src/scripts/50AES-pbe-plugin.ldif

@@ -1,16 +0,0 @@
-dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: AES
-nsslapd-pluginpath: libpbe-plugin
-nsslapd-plugininitfunc: aes_init
-nsslapd-plugintype: reverpwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginarg0: nsmultiplexorcredentials
-nsslapd-pluginarg1: nsds5ReplicaCredentials
-nsslapd-pluginprecedence: 1
-nsslapd-pluginid: ID
-nsslapd-pluginDescription: DESC
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR

+ 0 - 21
ldap/admin/src/scripts/50acctusabilityplugin.ldif

@@ -1,21 +0,0 @@
-dn: cn=Account Usability Plugin,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Account Usability Plugin
-nsslapd-pluginpath: libacctusability-plugin
-nsslapd-plugininitfunc: auc_init
-nsslapd-plugintype: preoperation
-nsslapd-pluginenabled: on
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC
-
-dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
-objectClass: top
-objectClass: directoryServerFeature
-oid: 1.3.6.1.4.1.42.2.27.9.5.8
-cn: Account Usable Request Control

+ 0 - 6
ldap/admin/src/scripts/50addchainingsaslpwroles.ldif

@@ -1,6 +0,0 @@
-dn: cn=config,cn=chaining database,cn=plugins,cn=config
-changetype: modify
-add: nsPossibleChainingComponents
-nsPossibleChainingComponents: cn=password policy,cn=components,cn=config
-nsPossibleChainingComponents: cn=sasl,cn=components,cn=config
-nsPossibleChainingComponents: cn=roles,cn=components,cn=config

+ 0 - 15
ldap/admin/src/scripts/50automemberplugin.ldif

@@ -1,15 +0,0 @@
-dn: cn=Auto Membership Plugin,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Auto Membership Plugin
-nsslapd-pluginpath: libautomember-plugin
-nsslapd-plugininitfunc: automember_init
-nsslapd-plugintype: preoperation
-nsslapd-pluginenabled: on
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 14
ldap/admin/src/scripts/50bitstringsyntaxplugin.ldif

@@ -1,14 +0,0 @@
-dn: cn=Bit String Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Bit String
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: bitstring_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 23
ldap/admin/src/scripts/50contentsync.ldif

@@ -1,23 +0,0 @@
-dn: cn=Content Synchronization,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Content Synchronization
-nsslapd-pluginpath: libcontentsync-plugin
-nsslapd-plugininitfunc: sync_init
-nsslapd-plugintype: object
-nsslapd-pluginenabled: off
-nsslapd-plugin-depends-on-named: Retro Changelog Plugin
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC
-
-dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
-objectClass: top
-objectClass: directoryServerFeature
-oid: 1.3.6.1.4.1.4203.1.9.1.1
-cn: Sync Request Control
-aci: (targetattr != "aci")(version 3.0; acl "Sync Request Control"; allow( read
- , search ) userdn = "ldap:///all";)

+ 0 - 14
ldap/admin/src/scripts/50deliverymethodsyntaxplugin.ldif

@@ -1,14 +0,0 @@
-dn: cn=Delivery Method Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Delivery Method Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: delivery_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 16
ldap/admin/src/scripts/50derefplugin.ldif

@@ -1,16 +0,0 @@
-dn: cn=deref,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-objectclass: nsContainer
-cn: deref
-nsslapd-pluginpath: libderef-plugin
-nsslapd-plugininitfunc: deref_init
-nsslapd-plugintype: preoperation
-nsslapd-pluginenabled: on
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 9
ldap/admin/src/scripts/50disableurisyntaxplugin.ldif

@@ -1,9 +0,0 @@
-dn: cn=URI Syntax,cn=plugins,cn=config
-changetype: modify
-replace: nsslapd-pluginenabled
-nsslapd-pluginenabled: off
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 14
ldap/admin/src/scripts/50enhancedguidesyntaxplugin.ldif

@@ -1,14 +0,0 @@
-dn: cn=Enhanced Guide Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Enhanced Guide Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: enhancedguide_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 7
ldap/admin/src/scripts/50entryusnindex.ldif

@@ -1,7 +0,0 @@
-dn: cn=entryusn,cn=default indexes, cn=config,cn=ldbm database,cn=plugins,cn=config
-objectclass: top
-objectclass: nsIndex
-cn: entryusn
-nssystemindex: true
-nsindextype: eq
-nsmatchingrule: integerOrderingMatch

+ 0 - 14
ldap/admin/src/scripts/50faxnumbersyntaxplugin.ldif

@@ -1,14 +0,0 @@
-dn: cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Facsimile Telephone Number Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: facsimile_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 14
ldap/admin/src/scripts/50faxsyntaxplugin.ldif

@@ -1,14 +0,0 @@
-dn: cn=Fax Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Fax Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: fax_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC

+ 0 - 241
ldap/admin/src/scripts/50fixNsState.pl

@@ -1,241 +0,0 @@
-use Mozilla::LDAP::Conn;
-use Mozilla::LDAP::Entry;
-use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API qw(:constant ldap_url_parse ldap_explode_dn);
-use DSUtil qw(debug);
-use Config;
-use Math::BigInt;
-
-# # Determine the endianness of your system
-my $packfmt32 = "VVA6vCx3"; # must be 20 bytes
-my $packfmt64 = "VVA6vCx7"; # must be 24 bytes
-
-my $is_big_endian = unpack('xc', pack('s', 1));
-# see if we are on an LP64 system
-my $is64 = ($Config{longsize} == 8);
-
-sub convert_to_32bit {
-    my $val64 = shift;
-    return ($val64 >> 32, $val64 & 0xffffffff);
-}
-
-sub convert_from_32bit {
-    my ($hi, $lo) = @_;
-    return ($hi << 32) + $lo;
-}
-
-sub convert_uniqueid {
-    my $ent = shift;
-    my $val = shift;
-
-    if (!$ent || !$val) {
-        return (0, 0);
-    }
-
-    my $hex = unpack('H*', $val);
-    #print "hex=$hex\n";
-
-    my $fmt32 = "VVA6vC";
-    my $bigfmt32 = "NNA6nC";
-    my $fmt64 = "VVA6vC";
-    my $bigfmt64 = "NNA6nC";
-    my $fmt = $fmt32;
-    my $bigfmt = $bigfmt32;
-    my $packfmt = $packfmt32;
-    if (length($val) > 20) {
-        $fmt = $fmt64;
-        $bigfmt = $bigfmt64;
-        $packfmt = $packfmt64;
-    } elsif ($is64) {
-        # cannot convert 32-bit to 64-bit - just delete the entry and continue
-        debug(1, "Cannot convert 32-bit nsState value $hex to 64-bit - deleting entry " .
-              $ent->getDN() . " and continuing\n");
-        return (-1, 0);
-    } else { # 32-bit to 32-bit - just leave it alone
-        debug(1, "Skipping 32-bit nsState value $hex in entry " .
-              $ent->getDN() . " and continuing\n");
-        return (0, 0);
-    }
-    if ($is_big_endian) {
-        $packfmt32 = "NNA6nCx3";
-        $packfmt64 = "NNA6nCx7";
-    }
-
-    if ($is64) {
-        $packfmt = $packfmt64;
-    }
-    
-    my ($tslow, $tshigh, $node, $clockseq, $last_update) = unpack($fmt, $val);
-    my $ts = convert_from_32bit($tshigh, $tslow);
-    my $tssecs = ($ts - 0x01B21DD213814000) / 10000000;
-    my $curts = time;
-    my $tsdiff = abs($curts - $tssecs);
-    my $maxdiff = 86400*365*10; # 10 years
-    if (($tsdiff > $maxdiff) || (($last_update != 0) && ($last_update != 1))) {
-        # try big endian
-        ($tshigh, $tslow, $node, $clockseq, $last_update) = unpack($bigfmt, $val);
-        $ts = convert_from_32bit($tshigh, $tslow);
-        $tssecs = ($ts - 0x01B21DD213814000) / 10000000;
-        $tsdiff = abs($curts - $tssecs);
-        if (($tsdiff > $maxdiff) || (($last_update != 0) && ($last_update != 1))) {
-            debug(0, "Error: could not parse nsstate $hex - tsdiff is $tsdiff seconds or ", ($tsdiff/86400), " days\n");
-            return (0, 0, 'error_could_not_parse_nsstate', $ent->getDN(), $hex);
-        }
-    }
-
-    # format for the target system
-    ($tshigh, $tslow) = convert_to_32bit($ts);
-    my $newval = pack($packfmt, $tslow, $tshigh, $node, $clockseq, $last_update);
-    my $rc = 0;
-    if ($val ne $newval) { # changed
-        my $hex2 = unpack('H*', $newval);
-        debug(1, "Converted old nsState val in ", $ent->getDN(), " from $hex to $hex2\n");
-        $rc = 1; # changed
-    }
-    return ($rc, $newval);
-}
-
-sub convert_replica {
-    my $ent = shift;
-    my $val = shift;
-
-    if (!$ent || !$val) {
-        return (0, 0);
-    }
-
-    my $len = length($val);
-    my $pad;
-    my $timefmt;
-    my ($rid, $sampled_time, $local_offset, $remote_offset, $seq_num);
-    my ($st_high, $st_low, $lo_high, $lo_low, $ro_high, $ro_low);
-    my $fmtstr;
-    my $bigfmtstr;
-    if ($len <= 20) {
-        $pad = 2; # padding for short H values
-        $timefmt = 'V'; # timevals are unsigned 32-bit int - try little-endian 'V' first
-        $fmtstr = "vx" . $pad . $timefmt . "3vx" . $pad;
-        $bigfmtstr = 'nx' . $pad . 'N' . '3nx' . $pad;
-        ($rid, $sampled_time, $local_offset, $remote_offset, $seq_num) = unpack($fmtstr, $val);
-    } else {
-        $pad = 6; # padding for short H values
-        $timefmt = 'V'; # timevals are unsigned 64-bit int
-        $fmtstr = "vx" . $pad . $timefmt . "6vx" . $pad;
-        $bigfmtstr = 'nx' . $pad . 'N' . '6nx' . $pad;
-        ($rid, $st_low, $st_high, $lo_low, $lo_high, $ro_low, $ro_high, $seq_num) = unpack($fmtstr, $val);
-        $sampled_time = convert_from_32bit($st_high, $st_low);
-        $local_offset = convert_from_32bit($lo_high, $lo_low);
-        $remote_offset = convert_from_32bit($ro_high, $ro_low);
-    }
-    # short - padbytes - 3 timevals - short - padbytes
-    my $hex = unpack('H*', $val);
-    my $now = time;
-    my $tdiff = abs($now - $sampled_time);
-    my $maxdiff = 86400*365*10; # 10 years
-    if ($tdiff > $maxdiff) { # try big endian
-        if ($len <= 20) {
-            ($rid, $sampled_time, $local_offset, $remote_offset, $seq_num) = unpack($bigfmtstr, $val);
-        } else {
-            ($rid, $st_high, $st_low, $lo_high, $lo_low, $ro_high, $ro_low, $seq_num) = unpack($bigfmtstr, $val);
-            $sampled_time = convert_from_32bit($st_high, $st_low);
-            $local_offset = convert_from_32bit($lo_high, $lo_low);
-            $remote_offset = convert_from_32bit($ro_high, $ro_low);
-        }
-        my $tdiff = abs($now - $sampled_time);
-        if ($tdiff > $maxdiff) { # error
-            debug(0, "Error: could not parse nsstate $hex - tdiff is $tdiff seconds or", ($tdiff/86400), " days\n");
-            return (0, 0, 'error_could_not_parse_nsstate', $ent->getDN(), $hex);
-        }
-    }
-    # format for the target system
-    my $packfmt;
-    my @packargs;
-    if ($is64) {
-        my $packfmt = "vx" . $pad . "V6vx" . $pad;
-        if ($is_big_endian) {
-            $packfmt = "nx" . $pad . "N6nx" . $pad;
-        }
-        $st_high = $st >> 32;
-        ($st_high, $st_low) = convert_to_32bit($sampled_time);
-        ($lo_high, $lo_low) = convert_to_32bit($local_offset);
-        ($ro_high, $ro_low) = convert_to_32bit($remote_offset);
-        @packargs = ($rid, $st_low, $st_high, $lo_low, $lo_high, $ro_low, $ro_high, $seq_num);
-    } else {
-        my $packfmt = "vx" . $pad . "V3vx" . $pad;
-        if ($is_big_endian) {
-            $packfmt = "nx" . $pad . "N3nx" . $pad;
-        }
-        @packargs = ($rid, $sampled_time, $local_offset, $remote_offset, $seq_num);
-    }
-    my $newval = pack($fmtstr, @packargs);
-    my $rc = 0;
-    if ($val ne $newval) { # changed
-        my $hex2 = unpack('H*', $newval);
-        debug(1, "Converted old nsState val in ", $ent->getDN(), " from $hex to $hex2\n");
-        $rc = 1; # changed
-    }
-    return ($rc, $newval);
-}
-
-sub runinst {
-    my ($inf, $inst, $dseldif, $conn) = @_;
-
-    my $ent = $conn->search("cn=config", "sub", "(cn=uniqueid generator)");
-    if ($ent) {
-        my ($rc, $newval, @errs) = convert_uniqueid($ent, $ent->getValues('nsState'));
-        if (@errs) {
-            return @errs;
-        }
-        if ($rc) { # changed
-            if ($rc == -1) { # delete it
-                if (!$conn->delete($ent->getDN())) {
-                    return ("error_deleteall_entries", $ent->getDN(), $conn->getErrorString());
-                }
-            } else {
-                $ent->setValues('nsState', $newval);
-                if (!$conn->update($ent)) {
-                    return ("error_updating_entry", $ent->getDN(), $conn->getErrorString());
-                }
-            }
-        }
-    }
-
-    for ($ent = $conn->search("cn=config", "sub", "(cn=replica)");
-        $ent; $ent = $conn->nextEntry) {
-        my ($rc, $newval, @errs) = convert_replica($ent, $ent->getValues('nsState'));
-        if (@errs) {
-            return @errs;
-        }
-        if ($rc) { # changed
-            $ent->setValues('nsState', $newval);
-            if (!$conn->update($ent)) {
-                return ("error_updating_entry", $ent->getDN(), $conn->getErrorString());
-            }
-        }
-    }
-
-    return ();
-}
-
-sub testit {
-#my $val = 'ACm2BdIdsgH+tw/8AAB+swEAAAA=';
-#my $val = 'AOj+tyuA4AHsNZ7S9NnxZwEAAAAAAAAA';
-#my $val = 'ABI3gdIdsgH3TJWpAACGIgEAAAA=';
-#my $testval = "00a43cb4d11db2018b7912fd0000a42e01000000";
-#my $testval = "0029B605D21DB201FEB70FFC00007EB301000000";
-#my $testval = "00E8FEB72B80E001EC359ED2F4D9F1670100000000000000";
-#my $testval = "00123781D21DB201F74C95A90000862201000000";
-my $testval = '01E0D2DA53198600A12C2D6BADF15D630100000000000000';
-my $testreplval = "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00N\\\x8b5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00";
-my $testdecval = $testval;
-# base16 decode
-$testdecval =~ s/(..)/chr(hex($1))/eg;
-my $ent = new Mozilla::LDAP::Entry;
-$ent->setDN("cn=uniqueid generator");
-my ($rc, $newval) = convert_uniqueid($ent, $testdecval);
-$ent->setDN('cn=replica');
-my ($rc, $newval2) = convert_replica($ent, $testreplval);
-}
-
-testit() unless caller();
-
-1;

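--- a/ldap/admin/src/scripts/50guidesyntaxplugin.ldif
+++ b/ldap/admin/src/scripts/50guidesyntaxplugin.ldif
@@ -1,14 +0,0 @@
-dn: cn=Guide Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Guide Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: guide_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC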

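--- a/ldap/admin/src/scripts/50linkedattrsplugin.ldif
+++ b/ldap/admin/src/scripts/50linkedattrsplugin.ldif
@@ -1,16 +0,0 @@
-dn: cn=Linked Attributes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-objectclass: nsContainer
-cn: Linked Attributes
-nsslapd-pluginpath: liblinkedattrs-plugin
-nsslapd-plugininitfunc: linked_attrs_init
-nsslapd-plugintype: preoperation
-nsslapd-pluginenabled: on
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC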

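--- a/ldap/admin/src/scripts/50managedentriesplugin.ldif
+++ b/ldap/admin/src/scripts/50managedentriesplugin.ldif
@@ -1,16 +0,0 @@
-dn: cn=Managed Entries,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-objectclass: nsContainer
-cn: Managed Entries
-nsslapd-pluginpath: libmanagedentries-plugin
-nsslapd-plugininitfunc: mep_init
-nsslapd-plugintype: preoperation
-nsslapd-pluginenabled: on
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC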

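--- a/ldap/admin/src/scripts/50memberofindex.ldif
+++ b/ldap/admin/src/scripts/50memberofindex.ldif
@@ -1,6 +0,0 @@
-dn: cn=memberOf,cn=default indexes, cn=config,cn=ldbm database,cn=plugins,cn=config
-objectclass: top
-objectclass: nsIndex
-cn: memberOf
-nssystemindex: false
-nsindextype: eq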

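--- a/ldap/admin/src/scripts/50memberofplugin.ldif
+++ b/ldap/admin/src/scripts/50memberofplugin.ldif
@@ -1,17 +0,0 @@
-dn: cn=MemberOf Plugin,cn=plugins,cn=config
-objectClass: top
-objectClass: nsSlapdPlugin
-objectClass: extensibleObject
-cn: MemberOf Plugin
-nsslapd-pluginpath: libmemberof-plugin
-nsslapd-plugininitfunc: memberof_postop_init
-nsslapd-plugintype: postoperation
-nsslapd-pluginenabled: off
-nsslapd-plugin-depends-on-type: database
-memberOfGroupAttr: member
-memberOfAttr: memberOf
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC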

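--- a/ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif
+++ b/ldap/admin/src/scripts/50nameuidsyntaxplugin.ldif
@@ -1,14 +0,0 @@
-dn: cn=Name And Optional UID Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Name And Optional UID Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: nameoptuid_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC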

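--- a/ldap/admin/src/scripts/50nstombstonecsn.ldif
+++ b/ldap/admin/src/scripts/50nstombstonecsn.ldif
@@ -1,7 +0,0 @@
-dn: cn=nsTombstoneCSN,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
-changetype: add
-objectclass: top
-objectclass: nsIndex
-cn: nsTombstoneCSN
-nssystemindex: true
-nsindextype: eq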

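--- a/ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif
+++ b/ldap/admin/src/scripts/50numericstringsyntaxplugin.ldif
@@ -1,14 +0,0 @@
-dn: cn=Numeric String Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Numeric String Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: numstr_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC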

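--- a/ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif
+++ b/ldap/admin/src/scripts/50printablestringsyntaxplugin.ldif
@@ -1,14 +0,0 @@
-dn: cn=Printable String Syntax,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Printable String Syntax
-nsslapd-pluginpath: libsyntax-plugin
-nsslapd-plugininitfunc: printable_init
-nsslapd-plugintype: syntax
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC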

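--- a/ldap/admin/src/scripts/50refintprecedence.ldif
+++ b/ldap/admin/src/scripts/50refintprecedence.ldif
@@ -1,4 +0,0 @@
-dn: cn=referential integrity postoperation,cn=plugins,cn=config
-changetype: modify
-replace: nsslapd-pluginPrecedence
-nsslapd-pluginPrecedence: 40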

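--- a/ldap/admin/src/scripts/50retroclprecedence.ldif
+++ b/ldap/admin/src/scripts/50retroclprecedence.ldif
@@ -1,4 +0,0 @@
-dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
-changetype: modify
-replace: nsslapd-pluginPrecedence
-nsslapd-pluginPrecedence: 25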

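--- a/ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif
+++ b/ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif
@@ -1,15 +0,0 @@
-dn: cn=RootDN Access Control,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: RootDN Access Control
-nsslapd-pluginpath: librootdn-access-plugin.so
-nsslapd-plugininitfunc: rootdn_init
-nsslapd-plugintype: internalpreoperation
-nsslapd-pluginenabled: off
-nsslapd-plugin-depends-on-type: database
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC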

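--- a/ldap/admin/src/scripts/50schemareloadplugin.ldif
+++ b/ldap/admin/src/scripts/50schemareloadplugin.ldif
@@ -1,14 +0,0 @@
-dn: cn=Schema Reload,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-objectclass: extensibleObject
-cn: Schema Reload
-nsslapd-pluginpath: libschemareload-plugin
-nsslapd-plugininitfunc: schemareload_init
-nsslapd-plugintype: object
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC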

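--- a/ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif
+++ b/ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif
@@ -1,13 +0,0 @@
-dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: SMD5
-nsslapd-pluginpath: libpwdstorage-plugin
-nsslapd-plugininitfunc: smd5_pwd_storage_scheme_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-# these will be replaced when the server loads the plugin
-nsslapd-pluginId: ID
-nsslapd-pluginVersion: PACKAGE_VERSION
-nsslapd-pluginVendor: VENDOR
-nsslapd-pluginDescription: DESC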

Some files were not shown because too many files changed in this diff