Add ignore-subtree and restrict-subtree settings

Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates )and {nis,schema-compat}-restrict-subtree (subtrees
out of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".

This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).

40 files changed, 682 insertions, 0 deletions

diff --git a/tests/test37-schema-ignore/after.sh b/tests/test37-schema-ignore/after.sh
new file mode 100755
index 0000000..0579ab2
--- /dev/null
+++ b/tests/test37-schema-ignore/after.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+echo '[updated]'
+search -b "cn=NIS Server,cn=plugins,cn=config" dn nis-domain nis-map | $LDIFSORT
+echo '[result]'
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test37-schema-ignore/after.txt b/tests/test37-schema-ignore/after.txt
new file mode 100644
index 0000000..cbbef96
--- /dev/null
+++ b/tests/test37-schema-ignore/after.txt
@@ -0,0 +1,20 @@
+[updated]
+dn: cn=NIS Server,cn=plugins,cn=config
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: mac2name
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: name2mac
+nis-map: name2mac2
+
+[result]
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test37-schema-ignore/before.sh b/tests/test37-schema-ignore/before.sh
new file mode 100755
index 0000000..b85c1ab
--- /dev/null
+++ b/tests/test37-schema-ignore/before.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test37-schema-ignore/before.txt b/tests/test37-schema-ignore/before.txt
new file mode 100644
index 0000000..9c92512
--- /dev/null
+++ b/tests/test37-schema-ignore/before.txt
@@ -0,0 +1,7 @@
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test37-schema-ignore/change.sh b/tests/test37-schema-ignore/change.sh
new file mode 100755
index 0000000..0db2c95
--- /dev/null
+++ b/tests/test37-schema-ignore/change.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+modify << EOF
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+changetype: modify
+add: nis-map
+nis-map: name2mac2
+-
+
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+changetype: modify
+add: member
+member: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+-
+
+EOF
diff --git a/tests/test37-schema-ignore/change.txt b/tests/test37-schema-ignore/change.txt
new file mode 100644
index 0000000..50b0ac7
--- /dev/null
+++ b/tests/test37-schema-ignore/change.txt
@@ -0,0 +1,4 @@
+modifying entry "nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config"
+
+modifying entry "cn=g2,cn=groups,cn=accounts,dc=example,dc=com"
+
diff --git a/tests/test37-schema-ignore/description.txt b/tests/test37-schema-ignore/description.txt
new file mode 100644
index 0000000..9248be6
--- /dev/null
+++ b/tests/test37-schema-ignore/description.txt
@@ -0,0 +1 @@
+ignore selected subtrees
diff --git a/tests/test37-schema-ignore/dse.ldif b/tests/test37-schema-ignore/dse.ldif
new file mode 100644
index 0000000..79e5e3a
--- /dev/null
+++ b/tests/test37-schema-ignore/dse.ldif
@@ -0,0 +1,37 @@
+dn: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-group
+schema-compat-container-group: cn=compat,cn=accounts,dc=example,dc=com
+schema-compat-container-rdn: ou=group
+schema-compat-check-access: yes
+schema-compat-search-base: cn=groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-base: cn=managed-groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (&(objectClass=posixGroup)(gidNumber>=1500))
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=extensibleObject
+schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
+schema-compat-entry-attribute: memberCN=%deref_r("member","nis-map")
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+schema-compat-ignore-subtree: cn=NIS Server,cn=plugins,cn=config
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: name2mac
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%2")
+nis-values-format:  %{macaddress} %{cn}
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: mac2name
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%1")
+nis-values-format:  %{macaddress} %{cn}
+
diff --git a/tests/test37-schema-ignore/plugin-process-all.txt b/tests/test37-schema-ignore/plugin-process-all.txt
new file mode 100644
index 0000000..fc7b80d
--- /dev/null
+++ b/tests/test37-schema-ignore/plugin-process-all.txt
@@ -0,0 +1 @@
+verifying that we get called
diff --git a/tests/test37-schema-ignore/userRoot.ldif b/tests/test37-schema-ignore/userRoot.ldif
new file mode 100644
index 0000000..f450895
--- /dev/null
+++ b/tests/test37-schema-ignore/userRoot.ldif
@@ -0,0 +1,87 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# groups, accounts, example.com
+dn: cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# managed-groups, accounts, example.com
+dn: cn=managed-groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1003
+gecos: tuser1
+sn: User
+homeDirectory: /home/tuser1
+cn: Tim User
+uidNumber: 1101
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser2
+sn: User
+homeDirectory: /home/tuser2
+cn: Timmy User
+uidNumber: 1102
+
+# tuser3, users, accounts, example.com
+dn: uid=tuser3,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser3
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser3
+sn: User
+homeDirectory: /home/tuser3
+cn: Timothy User
+uidNumber: 1103
+
+# g1, groups, accounts, example.com
+dn: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 1001
+cn: g1
+description: g1
+member: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+member: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+
+# g2, groups, accounts, example.com
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 2002
+cn: g2
+description: g2
+member: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+member: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+
diff --git a/tests/test38-schema-restrict/after.sh b/tests/test38-schema-restrict/after.sh
new file mode 100755
index 0000000..0579ab2
--- /dev/null
+++ b/tests/test38-schema-restrict/after.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+echo '[updated]'
+search -b "cn=NIS Server,cn=plugins,cn=config" dn nis-domain nis-map | $LDIFSORT
+echo '[result]'
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test38-schema-restrict/after.txt b/tests/test38-schema-restrict/after.txt
new file mode 100644
index 0000000..cbbef96
--- /dev/null
+++ b/tests/test38-schema-restrict/after.txt
@@ -0,0 +1,20 @@
+[updated]
+dn: cn=NIS Server,cn=plugins,cn=config
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: mac2name
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: name2mac
+nis-map: name2mac2
+
+[result]
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test38-schema-restrict/before.sh b/tests/test38-schema-restrict/before.sh
new file mode 100755
index 0000000..b85c1ab
--- /dev/null
+++ b/tests/test38-schema-restrict/before.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test38-schema-restrict/before.txt b/tests/test38-schema-restrict/before.txt
new file mode 100644
index 0000000..9c92512
--- /dev/null
+++ b/tests/test38-schema-restrict/before.txt
@@ -0,0 +1,7 @@
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test38-schema-restrict/change.sh b/tests/test38-schema-restrict/change.sh
new file mode 100755
index 0000000..0db2c95
--- /dev/null
+++ b/tests/test38-schema-restrict/change.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+modify << EOF
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+changetype: modify
+add: nis-map
+nis-map: name2mac2
+-
+
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+changetype: modify
+add: member
+member: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+-
+
+EOF
diff --git a/tests/test38-schema-restrict/change.txt b/tests/test38-schema-restrict/change.txt
new file mode 100644
index 0000000..50b0ac7
--- /dev/null
+++ b/tests/test38-schema-restrict/change.txt
@@ -0,0 +1,4 @@
+modifying entry "nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config"
+
+modifying entry "cn=g2,cn=groups,cn=accounts,dc=example,dc=com"
+
diff --git a/tests/test38-schema-restrict/description.txt b/tests/test38-schema-restrict/description.txt
new file mode 100644
index 0000000..78e51e5
--- /dev/null
+++ b/tests/test38-schema-restrict/description.txt
@@ -0,0 +1 @@
+restrict updates to selected subtrees
diff --git a/tests/test38-schema-restrict/dse.ldif b/tests/test38-schema-restrict/dse.ldif
new file mode 100644
index 0000000..402bbf2
--- /dev/null
+++ b/tests/test38-schema-restrict/dse.ldif
@@ -0,0 +1,37 @@
+dn: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-group
+schema-compat-container-group: cn=compat,cn=accounts,dc=example,dc=com
+schema-compat-container-rdn: ou=group
+schema-compat-check-access: yes
+schema-compat-search-base: cn=groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-base: cn=managed-groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (&(objectClass=posixGroup)(gidNumber>=1500))
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=extensibleObject
+schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
+schema-compat-entry-attribute: memberCN=%deref_r("member","nis-map")
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+schema-compat-restrict-subtree: cn=accounts,dc=example,dc=com
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: name2mac
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%2")
+nis-values-format:  %{macaddress} %{cn}
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: mac2name
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%1")
+nis-values-format:  %{macaddress} %{cn}
+
diff --git a/tests/test38-schema-restrict/plugin-process-all.txt b/tests/test38-schema-restrict/plugin-process-all.txt
new file mode 100644
index 0000000..fc7b80d
--- /dev/null
+++ b/tests/test38-schema-restrict/plugin-process-all.txt
@@ -0,0 +1 @@
+verifying that we get called
diff --git a/tests/test38-schema-restrict/userRoot.ldif b/tests/test38-schema-restrict/userRoot.ldif
new file mode 100644
index 0000000..f450895
--- /dev/null
+++ b/tests/test38-schema-restrict/userRoot.ldif
@@ -0,0 +1,87 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# groups, accounts, example.com
+dn: cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# managed-groups, accounts, example.com
+dn: cn=managed-groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1003
+gecos: tuser1
+sn: User
+homeDirectory: /home/tuser1
+cn: Tim User
+uidNumber: 1101
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser2
+sn: User
+homeDirectory: /home/tuser2
+cn: Timmy User
+uidNumber: 1102
+
+# tuser3, users, accounts, example.com
+dn: uid=tuser3,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser3
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser3
+sn: User
+homeDirectory: /home/tuser3
+cn: Timothy User
+uidNumber: 1103
+
+# g1, groups, accounts, example.com
+dn: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 1001
+cn: g1
+description: g1
+member: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+member: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+
+# g2, groups, accounts, example.com
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 2002
+cn: g2
+description: g2
+member: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+member: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+
diff --git a/tests/test39-schema-restrictignore/after.sh b/tests/test39-schema-restrictignore/after.sh
new file mode 100755
index 0000000..0579ab2
--- /dev/null
+++ b/tests/test39-schema-restrictignore/after.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+echo '[updated]'
+search -b "cn=NIS Server,cn=plugins,cn=config" dn nis-domain nis-map | $LDIFSORT
+echo '[result]'
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test39-schema-restrictignore/after.txt b/tests/test39-schema-restrictignore/after.txt
new file mode 100644
index 0000000..cbbef96
--- /dev/null
+++ b/tests/test39-schema-restrictignore/after.txt
@@ -0,0 +1,20 @@
+[updated]
+dn: cn=NIS Server,cn=plugins,cn=config
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: mac2name
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+nis-domain: example.com
+nis-map: name2mac
+nis-map: name2mac2
+
+[result]
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test39-schema-restrictignore/before.sh b/tests/test39-schema-restrictignore/before.sh
new file mode 100755
index 0000000..b85c1ab
--- /dev/null
+++ b/tests/test39-schema-restrictignore/before.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test39-schema-restrictignore/before.txt b/tests/test39-schema-restrictignore/before.txt
new file mode 100644
index 0000000..9c92512
--- /dev/null
+++ b/tests/test39-schema-restrictignore/before.txt
@@ -0,0 +1,7 @@
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test39-schema-restrictignore/change.sh b/tests/test39-schema-restrictignore/change.sh
new file mode 100755
index 0000000..0db2c95
--- /dev/null
+++ b/tests/test39-schema-restrictignore/change.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+modify << EOF
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+changetype: modify
+add: nis-map
+nis-map: name2mac2
+-
+
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+changetype: modify
+add: member
+member: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+-
+
+EOF
diff --git a/tests/test39-schema-restrictignore/change.txt b/tests/test39-schema-restrictignore/change.txt
new file mode 100644
index 0000000..50b0ac7
--- /dev/null
+++ b/tests/test39-schema-restrictignore/change.txt
@@ -0,0 +1,4 @@
+modifying entry "nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config"
+
+modifying entry "cn=g2,cn=groups,cn=accounts,dc=example,dc=com"
+
diff --git a/tests/test39-schema-restrictignore/description.txt b/tests/test39-schema-restrictignore/description.txt
new file mode 100644
index 0000000..2699c9a
--- /dev/null
+++ b/tests/test39-schema-restrictignore/description.txt
@@ -0,0 +1 @@
+restrict and ignore, working together
diff --git a/tests/test39-schema-restrictignore/dse.ldif b/tests/test39-schema-restrictignore/dse.ldif
new file mode 100644
index 0000000..1fbf5f9
--- /dev/null
+++ b/tests/test39-schema-restrictignore/dse.ldif
@@ -0,0 +1,38 @@
+dn: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-group
+schema-compat-container-group: cn=compat,cn=accounts,dc=example,dc=com
+schema-compat-container-rdn: ou=group
+schema-compat-check-access: yes
+schema-compat-search-base: cn=groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-base: cn=managed-groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (&(objectClass=posixGroup)(gidNumber>=1500))
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=extensibleObject
+schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
+schema-compat-entry-attribute: memberCN=%deref_r("member","nis-map")
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+schema-compat-ignore-subtree: cn=NIS Server,cn=plugins,cn=config
+schema-compat-restrict-subtree: cn=accounts,dc=example,dc=com
+
+dn: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: name2mac
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%2")
+nis-values-format:  %{macaddress} %{cn}
+
+dn: nis-domain=example.com+nis-map=mac2name,cn=NIS Server,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+nis-domain: example.com
+nis-map: mac2name
+nis-base: cn=computers, cn=Accounts, dc=example, dc=com
+nis-filter: objectclass=ieee802device
+nis-keys-format: %mregsub("%{macaddress} %{cn}","(..:..:..:..:..:..) (.*)","%1")
+nis-values-format:  %{macaddress} %{cn}
+
diff --git a/tests/test39-schema-restrictignore/plugin-process-all.txt b/tests/test39-schema-restrictignore/plugin-process-all.txt
new file mode 100644
index 0000000..fc7b80d
--- /dev/null
+++ b/tests/test39-schema-restrictignore/plugin-process-all.txt
@@ -0,0 +1 @@
+verifying that we get called
diff --git a/tests/test39-schema-restrictignore/userRoot.ldif b/tests/test39-schema-restrictignore/userRoot.ldif
new file mode 100644
index 0000000..f450895
--- /dev/null
+++ b/tests/test39-schema-restrictignore/userRoot.ldif
@@ -0,0 +1,87 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# groups, accounts, example.com
+dn: cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# managed-groups, accounts, example.com
+dn: cn=managed-groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1003
+gecos: tuser1
+sn: User
+homeDirectory: /home/tuser1
+cn: Tim User
+uidNumber: 1101
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser2
+sn: User
+homeDirectory: /home/tuser2
+cn: Timmy User
+uidNumber: 1102
+
+# tuser3, users, accounts, example.com
+dn: uid=tuser3,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser3
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser3
+sn: User
+homeDirectory: /home/tuser3
+cn: Timothy User
+uidNumber: 1103
+
+# g1, groups, accounts, example.com
+dn: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 1001
+cn: g1
+description: g1
+member: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+member: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+
+# g2, groups, accounts, example.com
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 2002
+cn: g2
+description: g2
+member: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+member: nis-domain=example.com+nis-map=name2mac,cn=NIS Server,cn=plugins,cn=config
+
diff --git a/tests/test40-schema-ignoredefault/after.sh b/tests/test40-schema-ignoredefault/after.sh
new file mode 100755
index 0000000..278fcae
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/after.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo '[result]'
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test40-schema-ignoredefault/after.txt b/tests/test40-schema-ignoredefault/after.txt
new file mode 100644
index 0000000..db120fb
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/after.txt
@@ -0,0 +1,8 @@
+[result]
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test40-schema-ignoredefault/before.sh b/tests/test40-schema-ignoredefault/before.sh
new file mode 100755
index 0000000..b85c1ab
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/before.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+search -b cn=compat,cn=accounts,dc=example,dc=com dn gidNumber memberCN | $LDIFSORT
diff --git a/tests/test40-schema-ignoredefault/before.txt b/tests/test40-schema-ignoredefault/before.txt
new file mode 100644
index 0000000..9c92512
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/before.txt
@@ -0,0 +1,7 @@
+dn: cn=compat,cn=accounts,dc=example,dc=com
+
+dn: cn=g2,ou=group,cn=compat,cn=accounts,dc=example,dc=com
+gidNumber: 2002
+
+dn: ou=group,cn=compat,cn=accounts,dc=example,dc=com
+
diff --git a/tests/test40-schema-ignoredefault/change.sh b/tests/test40-schema-ignoredefault/change.sh
new file mode 100755
index 0000000..d1510b9
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/change.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+add << EOF
+dn: cn=reindex now,cn=index,cn=tasks,cn=config
+changetype: add
+objectclass: top
+objectclass: extensibleObject
+cn: reindex now
+nsInstance: userRoot
+nsIndexAttribute: objectclass
+nsIndexAttribute: aci
+nsIndexAttribute: cn
+nsIndexAttribute: mail
+nsIndexAttribute: member
+nsIndexAttribute: memberOf
+nsIndexAttribute: uid
+nis-map: bogus
+
+EOF
diff --git a/tests/test40-schema-ignoredefault/change.txt b/tests/test40-schema-ignoredefault/change.txt
new file mode 100644
index 0000000..7cfd0b0
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/change.txt
@@ -0,0 +1,2 @@
+adding new entry "cn=reindex now,cn=index,cn=tasks,cn=config"
+
diff --git a/tests/test40-schema-ignoredefault/description.txt b/tests/test40-schema-ignoredefault/description.txt
new file mode 100644
index 0000000..d883f1f
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/description.txt
@@ -0,0 +1 @@
+ignore default subtrees
diff --git a/tests/test40-schema-ignoredefault/dse.ldif b/tests/test40-schema-ignoredefault/dse.ldif
new file mode 100644
index 0000000..b134a65
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/dse.ldif
@@ -0,0 +1,16 @@
+dn: cn=compat-group,cn=Schema Compatibility,cn=plugins,cn=config
+objectClass: top
+objectClass: extensibleObject
+cn: compat-group
+schema-compat-container-group: cn=compat,cn=accounts,dc=example,dc=com
+schema-compat-container-rdn: ou=group
+schema-compat-check-access: yes
+schema-compat-search-base: cn=groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-base: cn=managed-groups,cn=Accounts,dc=example,dc=com
+schema-compat-search-filter: (&(objectClass=posixGroup)(gidNumber>=1500))
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=extensibleObject
+schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
+schema-compat-entry-attribute: memberCN=%deref_r("member","nis-map")
+schema-compat-entry-attribute: gidNumber=%{gidNumber}
+
diff --git a/tests/test40-schema-ignoredefault/plugin-process-all.txt b/tests/test40-schema-ignoredefault/plugin-process-all.txt
new file mode 100644
index 0000000..fc7b80d
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/plugin-process-all.txt
@@ -0,0 +1 @@
+verifying that we get called
diff --git a/tests/test40-schema-ignoredefault/userRoot.ldif b/tests/test40-schema-ignoredefault/userRoot.ldif
new file mode 100644
index 0000000..cc579f8
--- /dev/null
+++ b/tests/test40-schema-ignoredefault/userRoot.ldif
@@ -0,0 +1,86 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# groups, accounts, example.com
+dn: cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# managed-groups, accounts, example.com
+dn: cn=managed-groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1003
+gecos: tuser1
+sn: User
+homeDirectory: /home/tuser1
+cn: Tim User
+uidNumber: 1101
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser2
+sn: User
+homeDirectory: /home/tuser2
+cn: Timmy User
+uidNumber: 1102
+
+# tuser3, users, accounts, example.com
+dn: uid=tuser3,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser3
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: inetUser
+loginShell: /bin/sh
+gidNumber: 1004
+gecos: tuser3
+sn: User
+homeDirectory: /home/tuser3
+cn: Timothy User
+uidNumber: 1103
+
+# g1, groups, accounts, example.com
+dn: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 1001
+cn: g1
+description: g1
+member: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+member: cn=reindex now,cn=index,cn=tasks,cn=config
+
+# g2, groups, accounts, example.com
+dn: cn=g2,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+objectClass: inetUser
+gidNumber: 2002
+cn: g2
+description: g2
+member: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+