diff --git a/PyKAdminCommon.c b/PyKAdminCommon.c
index fa33e8fea2070c9062f9f7eeee1f0c09ff34815b..105118aa893f8f6648c3955558c106c1fa321f79 100644
--- a/PyKAdminCommon.c
+++ b/PyKAdminCommon.c
@@ -33,6 +33,8 @@ inline char *PyUnicode_or_PyBytes_asCString(PyObject *in_str) {
         out_str = PyBytes_AsString(in_str);
     }
 
+    out_str = strdup(out_str);
+
     return out_str;
 }
 
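Review bot: `strdup(out_str)` is called unconditionally, but if the conversion above fails `out_str` is presumably NULL (for instance `PyBytes_AsString` returns NULL on error), and `strdup(NULL)` is undefined behaviour; guard it with `if (out_str) out_str = strdup(out_str);`. The change also makes the return value heap memory owned by the caller. The sequence branch of `pykadmin_parse_db_args` hands it to `pykadmin_free_db_args`, but the dict branch in the same commit calls `strlen` on `key_cstr`/`value_cstr` without a NULL check and never frees them after `snprintf`. Any other existing callers of this helper need the same audit; the function starts outside this hunk, so its earlier branches are not visible here.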
@@ -598,27 +600,160 @@ int pykadmin_policy_ent_rec_compare(krb5_context ctx, kadm5_policy_ent_rec *a, k
     return result;
 }
 
-/*
-krb5_error_code pykadmin_copy_kadm_ent_rec(PyKAdminObject *kadmin, kadm5_principal_ent_rec *src, kadm5_principal_ent_rec *dst) {
 
-    krb5_error_code retval = 0;
+/* this is taken from the kadmin.c source
+    https://github.com/krb5/krb5/blob/master/src/kadmin/cli/kadmin.c */
+void pykadmin_append_tl_data(krb5_int16 *n_tl_datap, krb5_tl_data **tl_datap,
+            krb5_int16 tl_type, krb5_ui_2 len, krb5_octet *contents) {
+    krb5_tl_data *tl_data;
+    krb5_octet *copy;
 
-    memcpy(src, dst, sizeof(kadm5_principal_ent_rec));
+    copy = malloc(len);
+    tl_data = calloc(1, sizeof(*tl_data));
+    if (copy == NULL || tl_data == NULL) {
+        exit(1);
+    }
+    memcpy(copy, contents, len);
 
-    retval = krb5_copy_principal(kadmin->context, src->principal, &dst->principal);
+    tl_data->tl_data_type = tl_type;
+    tl_data->tl_data_length = len;
+    tl_data->tl_data_contents = copy;
+    tl_data->tl_data_next = NULL;
 
-    if (retval) goto done; 
+    for (; *tl_datap != NULL; tl_datap = &(*tl_datap)->tl_data_next);
+    *tl_datap = tl_data;
+    (*n_tl_datap)++;
+}
 
+char **pykadmin_parse_db_args(PyObject *object) {
 
+    static const char DB_ARGS_ERROR[] = "Unable to parse db_args; valid types are set, list, tuple or dictionary.";
+    static const char FORMAT_STR[] = "%s=%s";
 
+    char **db_args = NULL;
+    size_t n_args  = 0;
+
+    Py_ssize_t index = 0;
+
+    if (object) {
+
+        if (PyDict_Check(object)) {
+
+            PyObject *key    = NULL;
+            PyObject *value  = NULL;
+            
+            char *key_cstr   = NULL;
+            char *value_cstr = NULL;
+            char *argument   = NULL;
+
+            size_t length    = 0; 
+
+            while (PyDict_Next(object, &index, &key, &value)) {
+
+                if (PyUnicodeBytes_Check(key) && PyUnicodeBytes_Check(value)) {
+
+                    key_cstr = PyUnicode_or_PyBytes_asCString(key);
+                    value_cstr = PyUnicode_or_PyBytes_asCString(value);
+
+                    length = strlen(key_cstr) + strlen(value_cstr) + 4; // strlen("=\"\"\0") == 4
+                    argument = calloc(length, sizeof(char));
+
+                    if (argument) { 
+                        snprintf(argument, length, FORMAT_STR, key_cstr, value_cstr);
+
+                        db_args = realloc(db_args, sizeof(intptr_t) * (n_args + 1));
+                        if (!db_args) {
+                            // todo unable to allocate memory!
+                        }
+
+                        db_args[n_args++] = argument;
+                    }
+                }
+            }
+        }
+        else if (PySequence_Check(object)) {
+
+            PyObject *item     = NULL;
+            PyObject *sequence = NULL;
+
+            char *item_cstr    = NULL;
+            
+            Py_ssize_t size    = 0;
+
+            sequence = PySequence_Fast(object, DB_ARGS_ERROR);
+            size = PySequence_Size(object);
+
+            for (; index < size; index++) {
+
+                item = PySequence_Fast_GET_ITEM(sequence, index);
+
+                if (PyUnicodeBytes_Check(item)) {
+
+                    item_cstr = PyUnicode_or_PyBytes_asCString(item);
+
+                    db_args = realloc(db_args, sizeof(intptr_t) * (n_args + 1));
+                    if (!db_args) {
+                        // todo unable to allocate memory!
+                        // raise MemoryError (PyExc_MemoryError)
+                    }
+
+                    db_args[n_args++] = item_cstr;
+                }
+
+            }
+
+            Py_DECREF(sequence);
+        }
+        else {
+            PyErr_SetString(PyExc_TypeError, DB_ARGS_ERROR);
+            db_args = NULL;
+        }
+
+        if (db_args) {
+            // NULL terminate arguments 
+            db_args = realloc(db_args, sizeof(intptr_t) * (n_args + 1));
+            db_args[n_args] = NULL;
+        }
 
-done:
-    if (retval && entry->principal) {
-        krb5_free_principal(kadmin->context, entry->principal);
-        entry->principal = NULL;
     }
-    return retval;
+
+    return db_args; 
 }
-*/
 
 
+void pykadmin_principal_append_db_args(kadm5_principal_ent_rec *entry, PyObject *args) {
+
+    char **db_args = pykadmin_parse_db_args(args);
+
+    Py_ssize_t index = 0;
+
+    if (db_args) {
+
+        while(db_args[index] != NULL) {
+
+            pykadmin_append_tl_data(&entry->n_tl_data, &entry->tl_data, 
+                KRB5_TL_DB_ARGS, strlen(db_args[index]) + 1, (krb5_octet *)db_args[index]);
+            index ++;
+        }
+
+    }
+
+    pykadmin_free_db_args(db_args);
+
+}
+ 
+void pykadmin_free_db_args(char **db_args) {
+
+    size_t index = 0;
+
+    if (db_args) {
+
+        while(db_args[index] != NULL) {
+            free(db_args[index++]);
+        }
+
+        free(db_args);
+    }
+
+}
+
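Review bot: In `pykadmin_parse_db_args` every `realloc` result is assigned straight back to `db_args` and the `if (!db_args)` bodies are empty, so an allocation failure falls through to `db_args[n_args++] = …` (and to `db_args[n_args] = NULL` after the final resize), writing through a NULL pointer and losing the previous array. The return value of `PySequence_Fast` is likewise used without a NULL check, and `pykadmin_append_tl_data` calls `exit(1)` on allocation failure, which terminates the embedding Python process instead of raising MemoryError. `pykadmin_principal_append_db_args` also passes `strlen(...) + 1` into a `krb5_ui_2` length, so an argument longer than that type can hold would be silently truncated. A small append helper that grows through a temporary and keeps the array NULL-terminated removes the three unchecked resizes; the sequence branch needs the same call with `Py_DECREF(sequence)` before returning.

```c
/* Append arg and keep the array NULL-terminated; on failure the old array is left intact. */
static int db_args_push(char ***db_argsp, size_t *n_argsp, char *arg) {
    char **grown = realloc(*db_argsp, sizeof(char *) * (*n_argsp + 2));
    if (grown == NULL) {
        PyErr_NoMemory();
        return -1;
    }
    grown[(*n_argsp)++] = arg;
    grown[*n_argsp] = NULL;
    *db_argsp = grown;
    return 0;
}

// … unchanged: dict iteration and "%s=%s" formatting …
                        if (db_args_push(&db_args, &n_args, argument) < 0) {
                            free(argument);
                            pykadmin_free_db_args(db_args);
                            return NULL;
                        }
```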
diff --git a/PyKAdminCommon.h b/PyKAdminCommon.h
index e2e81485350aeac61f18bd11a413547801aa1cd5..08fd4e9fe82798dda42eb51a5d0545b9db378dfe 100644
--- a/PyKAdminCommon.h
+++ b/PyKAdminCommon.h
@@ -9,6 +9,7 @@
 #include <krb5/krb5.h>
 #include <string.h>
 
+#include "pykadmin.h"
 #include "PyKAdminXDR.h"
 #include "PyKAdminObject.h"
 #include <bytesobject.h>
@@ -34,8 +35,6 @@ int pykadmin_seconds_from_pydatetime(PyObject *delta);
 char *pykadmin_timestamp_as_isodate(time_t timestamp, const char *zero);
 char *pykadmin_timestamp_as_deltastr(int seconds, const char *zero);
 
-
-
 krb5_error_code pykadmin_kadm_from_kdb(PyKAdminObject *kadmin, krb5_db_entry *kdb, kadm5_principal_ent_rec *entry, long mask); 
 
 krb5_error_code pykadmin_policy_kadm_from_osa(krb5_context ctx, osa_policy_ent_rec *osa, kadm5_policy_ent_rec *entry, long mask); 
@@ -44,6 +43,23 @@ int pykadmin_principal_ent_rec_compare(krb5_context ctx, kadm5_principal_ent_rec
 int pykadmin_policy_ent_rec_compare(krb5_context ctx, kadm5_policy_ent_rec *a, kadm5_policy_ent_rec *b);
 
 
+
+/* db_args */
+
+void pykadmin_append_tl_data(krb5_int16 *n_tl_datap, krb5_tl_data **tl_datap,
+            krb5_int16 tl_type, krb5_ui_2 len, krb5_octet *contents);
+
+// this call will handle parsing, tl_data copy, and freeing the db_args. 
+//  resulting tl_data will be freed by the call to kadm5_free_principal_ent()
+
+void pykadmin_principal_append_db_args(kadm5_principal_ent_rec *entry, PyObject *object);
+
+char **pykadmin_parse_db_args(PyObject *args);
+void pykadmin_free_db_args(char **db_args);
+
+
+
+
 // TODO
 //krb5_error_code pykadmin_copy_kadm_ent_rec(PyKAdminObject *kadmin, kadm5_principal_ent_rec *src, kadm5_principal_ent_rec *dst);
 
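Review bot: The new prototypes do not document ownership or the failure contract. `pykadmin_parse_db_args` returns NULL both when no arguments were given and when it has set a TypeError, and the array it returns must be released with `pykadmin_free_db_args`; I would put that in a comment above the two declarations, e.g. `// returns a NULL-terminated malloc'd array (free with pykadmin_free_db_args); NULL means no args or a Python error is set`. `pykadmin_append_tl_data` deserves a line saying it copies `contents` and currently exits the process on allocation failure.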
diff --git a/PyKAdminObject.c b/PyKAdminObject.c
index f2809f03c6ca4227882e529bb37a171566406d29..e70d4ae3a8253cb221d4cdfea1519dc6944981f0 100644
--- a/PyKAdminObject.c
+++ b/PyKAdminObject.c
@@ -7,7 +7,6 @@
 
 #include "PyKAdminCommon.h"
 
-
 static void PyKAdminObject_dealloc(PyKAdminObject *self) {
     
     kadm5_ret_t retval;
@@ -100,7 +99,6 @@ static PyObject *PyKAdminObject_principal_exists(PyKAdminObject *self, PyObject
 
 static PyObject *PyKAdminObject_delete_principal(PyKAdminObject *self, PyObject *args, PyObject *kwds) {
 
-    
     kadm5_ret_t retval = KADM5_OK;
     krb5_error_code code = 0;
     krb5_principal princ = NULL;
@@ -133,6 +131,7 @@ static PyObject *PyKAdminObject_create_principal(PyKAdminObject *self, PyObject
     krb5_error_code code = 0;
     char *princ_name = NULL;
     char *princ_pass = NULL;
+    PyDictObject *db_args = NULL;
 
     kadm5_principal_ent_rec entry;
     
@@ -140,16 +139,22 @@ static PyObject *PyKAdminObject_create_principal(PyKAdminObject *self, PyObject
     entry.attributes = 0;
 
     // todo set default attributes.
-    
+    static char *kwlist[] = {"db_args", NULL};
+
     if (!PyArg_ParseTuple(args, "s|z", &princ_name, &princ_pass))
         return NULL;
+    
+    if (!PyArg_ParseTupleAndKeywords(PyTuple_New(0), kwds, "|O", kwlist, &db_args))
+        return NULL;
+
+    pykadmin_principal_append_db_args(&entry, db_args);
 
     if (self->server_handle) {
 
         code = krb5_parse_name(self->context, princ_name, &entry.principal);
         if (code) { PyKAdmin_RETURN_ERROR(retval, "krb5_parse_name"); }
 
-        retval = kadm5_create_principal(self->server_handle, &entry, KADM5_PRINCIPAL, princ_pass); 
+        retval = kadm5_create_principal(self->server_handle, &entry, KADM5_PRINCIPAL | KADM5_TL_DATA, princ_pass); 
         if (retval != KADM5_OK) { PyKAdmin_RETURN_ERROR(retval, "kadm5_create_principal"); }
 
     }
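Review bot: The tuple created by `PyTuple_New(0)` for the added `PyArg_ParseTupleAndKeywords` call is never checked for NULL or released, so each call leaks one reference; hold it in a local and `Py_DECREF` it after parsing. `pykadmin_principal_append_db_args` returns void, so a TypeError raised while parsing `db_args` stays pending while the function goes on to `kadm5_create_principal`; check `PyErr_Occurred()` after the call and return NULL. `db_args` is declared `PyDictObject *` in the previous hunk but is filled through the `"O"` format and passed as `PyObject *`, so `PyObject *db_args = NULL;` matches its use. The tl_data appended to `entry` is not freed on any path visible in this hunk, and the list walk in `pykadmin_append_tl_data` relies on `entry.tl_data` and `entry.n_tl_data` starting at zero, which the visible lines do not show; the function begins and ends outside the hunk.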
@@ -170,6 +175,8 @@ static PyKAdminPrincipalObject *PyKAdminObject_get_principal(PyKAdminObject *sel
 
     principal = PyKAdminPrincipalObject_principal_with_name(self, client_name);
 
+    
+
     return principal;
 }
 
@@ -395,9 +402,9 @@ static PyObject *PyKAdminObject_each_policy(PyKAdminObject *self, PyObject *args
 
 static PyMethodDef PyKAdminObject_methods[] = {
 
-    {"ank",                 (PyCFunction)PyKAdminObject_create_principal, METH_VARARGS, ""},
-    {"addprinc",            (PyCFunction)PyKAdminObject_create_principal, METH_VARARGS, ""},
-    {"add_principal",       (PyCFunction)PyKAdminObject_create_principal, METH_VARARGS, ""},
+    {"ank",                 (PyCFunction)PyKAdminObject_create_principal, (METH_VARARGS | METH_KEYWORDS), ""},
+    {"addprinc",            (PyCFunction)PyKAdminObject_create_principal, (METH_VARARGS | METH_KEYWORDS), ""},
+    {"add_principal",       (PyCFunction)PyKAdminObject_create_principal, (METH_VARARGS | METH_KEYWORDS), ""},
 
     {"delprinc",            (PyCFunction)PyKAdminObject_delete_principal, METH_VARARGS, ""},
     {"delete_principal",    (PyCFunction)PyKAdminObject_delete_principal, METH_VARARGS, ""},
diff --git a/kadmin.c b/kadmin.c
index 93f1648902434569dec62430e9a29117397377a1..650c62094fac115cc7439f4a783aeb091045350b 100644
--- a/kadmin.c
+++ b/kadmin.c
@@ -176,70 +176,6 @@ static PyObject *_kadmin_set_option(PyObject *self, PyObject *args, PyObject *kw
     return NULL;
 }
 
-char **_kadmin_dict_to_db_args(PyObject *dict) {
-
-    PyObject *key   = NULL;
-    PyObject *value = NULL;
-
-    char *str_key   = NULL;
-    char *str_value = NULL;
-    char *argument  = NULL;
-    char **db_args  = NULL;
-
-    Py_ssize_t index  = 0;
-    Py_ssize_t position  = 0;
-
-    if (dict) {    
-
-        Py_ssize_t length = PyDict_Size(dict) + 1;
-
-        db_args = calloc(length, sizeof(intptr_t));
-
-        if (db_args && PyDict_CheckExact(dict)) {
-
-            while (PyDict_Next(dict, &position, &key, &value)) {
-
-                if (PyUnicodeBytes_Check(key) && PyUnicodeBytes_Check(value)) {
-
-                    str_key   = PyUnicode_or_PyBytes_asCString(key);
-                    str_value = PyUnicode_or_PyBytes_asCString(value);
-
-                    if (str_key && str_value) {
-
-                        length = strlen(str_key) + strlen(str_value) + 2;
-                        argument = calloc(length, sizeof(char));
-
-                        if (argument) {
-                            snprintf(argument, length, "%s=%s", str_key, str_value);
-                            db_args[index++] = argument;
-                        }
-                    }
-                }
-            }
-
-            db_args[index] = NULL;
-        }
-    }
-
-
-    return db_args;
-
-}
-
-void _kadmin_free_db_args(char **db_args) {
-
-    Py_ssize_t index = 0;
-
-    if (db_args) {
-
-        while(db_args[index] != NULL) {
-            free(db_args[index++]);
-        }
-
-        free(db_args);
-    }
-
-}
 
 #ifdef KADMIN_LOCAL
 static PyKAdminObject *_kadmin_local(PyObject *self, PyObject *args) {
@@ -247,17 +183,16 @@ static PyKAdminObject *_kadmin_local(PyObject *self, PyObject *args) {
     static const char *kROOT_ADMIN = "root/admin";
 
     PyKAdminObject *kadmin = PyKAdminObject_create();
-    PyObject *db_args_dict = NULL;
+    PyObject *py_db_args = NULL;
     kadm5_ret_t retval     = KADM5_OK; 
     int result             = 0;
     char **db_args         = NULL;
     char *client_name      = NULL;
 
-    if (!PyArg_ParseTuple(args, "|O!", &PyDict_Type, &db_args_dict))
+    if (!PyArg_ParseTuple(args, "|O", &py_db_args))
         return NULL; 
 
-    if (db_args_dict)
-        db_args = _kadmin_dict_to_db_args(db_args_dict);
+    db_args = pykadmin_parse_db_args(py_db_args);
 
     kadm5_config_params *params = calloc(0x1, sizeof(kadm5_config_params));
 
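Review bot: With `"|O"` replacing `"|O!"` and `PyDict_Type`, type checking moves into `pykadmin_parse_db_args`, which reports a bad argument by setting TypeError and returning NULL, the same value it returns when no db_args were given, and this call site does not check for that. As written the init call proceeds with `db_args == NULL` and a pending exception, so a caller's database arguments are dropped silently or may surface later as a SystemError; add `if (db_args == NULL && PyErr_Occurred()) return NULL;` after the parse (releasing `kadmin`, which is created before argument parsing, is a separate cleanup the existing early return also lacks). A `str` also satisfies `PySequence_Check`, so a single string argument appears to be accepted and split element by element rather than rejected. The same applies to the `_kadmin_init_with_ccache`, `_kadmin_init_with_keytab` and `_kadmin_init_with_password` hunks below; the function body continues outside this hunk.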
@@ -278,8 +213,8 @@ static PyKAdminObject *_kadmin_local(PyObject *self, PyObject *args) {
                 db_args, 
                 &kadmin->server_handle);
 
-    if (db_args) 
-        _kadmin_free_db_args(db_args);
+
+    pykadmin_free_db_args(db_args);
 
     if (retval != KADM5_OK) { PyKAdmin_RETURN_ERROR(retval, "kadm5_init_with_password.local"); }
 
@@ -292,7 +227,7 @@ static PyKAdminObject *_kadmin_local(PyObject *self, PyObject *args) {
 static PyKAdminObject *_kadmin_init_with_ccache(PyObject *self, PyObject *args) {
     
     PyKAdminObject *kadmin = PyKAdminObject_create();
-    PyObject *db_args_dict = NULL;
+    PyObject *py_db_args = NULL;
     kadm5_ret_t retval = KADM5_OK;
     krb5_error_code code = 0;
 
@@ -308,10 +243,10 @@ static PyKAdminObject *_kadmin_init_with_ccache(PyObject *self, PyObject *args)
     memset(&cc, 0, sizeof(krb5_ccache));
 
     // TODO : unpack database args as an optional third parameter (will be a dict or array)
-    if (!PyArg_ParseTuple(args, "|zzO!", &client_name, &ccache_name, &PyDict_Type, &db_args_dict))
+    if (!PyArg_ParseTuple(args, "|zzO", &client_name, &ccache_name, &py_db_args))
         return NULL; 
 
-    db_args = _kadmin_dict_to_db_args(db_args_dict);
+    db_args = pykadmin_parse_db_args(py_db_args);
 
     if (!ccache_name) {
         code = krb5_cc_default(kadmin->context, &cc);
@@ -342,8 +277,7 @@ static PyKAdminObject *_kadmin_init_with_ccache(PyObject *self, PyObject *args)
                 db_args, 
                 &kadmin->server_handle);
 
-    if (db_args) 
-        _kadmin_free_db_args(db_args);
+    pykadmin_free_db_args(db_args);
 
     if (retval != KADM5_OK) { PyKAdmin_RETURN_ERROR(retval, "kadm5_init_with_creds"); }
 
@@ -356,7 +290,7 @@ static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args)
 
     PyKAdminObject *kadmin = PyKAdminObject_create();
 
-    PyObject *db_args_dict = NULL;
+    PyObject *py_db_args = NULL;
     kadm5_ret_t retval = KADM5_OK;
     krb5_error_code code = 0;
 
@@ -367,10 +301,10 @@ static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args)
 
     kadm5_config_params *params = calloc(0x1, sizeof(kadm5_config_params));
 
-    if (!PyArg_ParseTuple(args, "|zzO!", &client_name, &keytab_name, &PyDict_Type, &db_args_dict))
+    if (!PyArg_ParseTuple(args, "|zzO", &client_name, &keytab_name, &py_db_args))
         return NULL; 
 
-    db_args = _kadmin_dict_to_db_args(db_args_dict);
+    db_args = pykadmin_parse_db_args(py_db_args);
 
     if (keytab_name == NULL) {
         keytab_name = "/etc/krb5.keytab";
@@ -399,8 +333,7 @@ static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args)
                 db_args, 
                 &kadmin->server_handle);
 
-    if (db_args) 
-        _kadmin_free_db_args(db_args);
+    pykadmin_free_db_args(db_args);
 
     if (retval != KADM5_OK) { PyKAdmin_RETURN_ERROR(retval, "kadm5_init_with_skey"); }
 
@@ -411,7 +344,7 @@ static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args)
 static PyKAdminObject *_kadmin_init_with_password(PyObject *self, PyObject *args) {
 
     PyKAdminObject *kadmin = PyKAdminObject_create();
-    PyObject *db_args_dict = NULL;
+    PyObject *py_db_args = NULL;
     kadm5_ret_t retval = KADM5_OK;
     
     char *client_name = NULL;
@@ -420,10 +353,10 @@ static PyKAdminObject *_kadmin_init_with_password(PyObject *self, PyObject *args
      
     kadm5_config_params *params = calloc(0x1, sizeof(kadm5_config_params));
 
-    if (!PyArg_ParseTuple(args, "zz|O!", &client_name, &password, &PyDict_Type, &db_args_dict))
+    if (!PyArg_ParseTuple(args, "zz|O", &client_name, &password, &py_db_args))
         return NULL;
 
-    db_args = _kadmin_dict_to_db_args(db_args_dict);
+    db_args = pykadmin_parse_db_args(py_db_args);
 
     retval = kadm5_init_with_password(
                 kadmin->context, 
@@ -436,8 +369,7 @@ static PyKAdminObject *_kadmin_init_with_password(PyObject *self, PyObject *args
                 db_args, 
                 &kadmin->server_handle);
 
-    if (db_args) 
-        _kadmin_free_db_args(db_args);
+    pykadmin_free_db_args(db_args);
 
     if (retval != KADM5_OK) { PyKAdmin_RETURN_ERROR(retval, "kadm5_init_with_password"); }
 
diff --git a/test/kldap/cn_config.ldif b/test/kldap/cn_config.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e6367bb60a220d6e1adf9b99f73b65c153c178ce
--- /dev/null
+++ b/test/kldap/cn_config.ldif
@@ -0,0 +1,9 @@
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcPidFile: /var/run/openldap/slapd.pid
+olcLogFile: /var/log/openldap/slapd.log
+olcTLSVerifyClient: try
+olcPasswordHash: {SSHA}
+olcThreads: 16
+olcToolThreads: 8
\ No newline at end of file
diff --git a/test/kldap/cn_module.ldif b/test/kldap/cn_module.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..746b6e3a716e45b9543980fec57ede0596ff26b3
--- /dev/null
+++ b/test/kldap/cn_module.ldif
@@ -0,0 +1,9 @@
+dn: cn=module,cn=config
+changetype: add
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib64/openldap
+olcModuleLoad: syncprov.la
+olcModuleLoad: memberof.la
+olcModuleLoad: accesslog.la
+olcModuleLoad: back_ldap.la
\ No newline at end of file
diff --git a/test/kldap/dit.ldif b/test/kldap/dit.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e91c6c588db9b33fc549191d496942c4968e8349
--- /dev/null
+++ b/test/kldap/dit.ldif
@@ -0,0 +1,59 @@
+
+
+dn: dc=example,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Example Company
+dc: example
+
+dn: ou=people,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: people
+
+dn: uid=russell,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: russell
+cn: Russell J Jancewicz
+userPassword: password
+sn: Jancewicz
+
+dn: uid=steven,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: steven
+cn: Steven User
+userPassword: password
+sn: User
+
+dn: ou=accounts,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: accounts
+
+dn: ou=kerberos,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: kerberos
+
+dn: uid=kadmin,ou=accounts,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: simpleSecurityObject
+uid: kadmin
+userPassword: KADMIND_PASSWORD
+
+dn: uid=krb5kdc,ou=accounts,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: simpleSecurityObject
+uid: krb5kdc
+userPassword: KRB5KDC_PASSWORD
+
+
diff --git a/test/kldap/kdb_create.expect b/test/kldap/kdb_create.expect
new file mode 100644
index 0000000000000000000000000000000000000000..70e018fd3c6254610d3496c44418524cc689c020
--- /dev/null
+++ b/test/kldap/kdb_create.expect
@@ -0,0 +1,15 @@
+#!/usr/bin/expect
+
+set timeout -1
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// create -subtrees dc=example,dc=com -r EXAMPLE.COM -s"
+expect -exact "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// create -subtrees dc=example,dc=com -r EXAMPLE.COM -s"
+send -- "\r"
+expect "Enter KDC database master key: "
+send -- "MASTER_PASSWORD\r"
+expect "Re-enter KDC database master key to verify: "
+send -- "MASTER_PASSWORD\r"
+expect "\r"
+send -- "exit\r"
+expect eof
\ No newline at end of file
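Review bot: `set timeout -1` makes every `expect` wait forever, so if `kdb5_ldap_util` fails before it prompts (bad bind, missing schema) the test run hangs instead of failing; a finite timeout with a `timeout`/`eof` branch that exits non-zero would surface the error. The bind password is also passed as `-w MDB_ROOT` on the command line, where it becomes visible in the process list once the placeholder is substituted; answering the tool's password prompt from the script avoids that. A header comment stating which placeholders (`MDB_ROOT`, `MASTER_PASSWORD`) are replaced, and by what, is missing. The timeout concern applies to `ldap_kdb.expect` as well.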
diff --git a/test/kldap/krb5.conf b/test/kldap/krb5.conf
new file mode 100644
index 0000000000000000000000000000000000000000..0dc791fb3d65db0e0900eb918ce7d121668f2658
--- /dev/null
+++ b/test/kldap/krb5.conf
@@ -0,0 +1,33 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h 
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ EXAMPLE.COM = { 
+  kdc = kerberos.example.com
+  admin_server = kerberos.example.com
+  database_module = openldap
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
+[dbmodules]
+  openldap = {
+    db_library = kldap
+    ldap_servers = ldapi:///
+    ldap_kerberos_container_dn = dc=example,dc=com
+    ldap_kdc_dn = uid=krb5kdc,ou=accounts,dc=example,dc=com
+    ldap_kadmind_dn = uid=kadmin,ou=accounts,dc=example,dc=com
+    ldap_service_password_file = /var/kerberos/krb5kdc/.ldap.EXAMPLE.COM
+  }
\ No newline at end of file
diff --git a/test/kldap/ldap.conf b/test/kldap/ldap.conf
new file mode 100644
index 0000000000000000000000000000000000000000..453806474113db8570ced757bf6ef47fcc94de2d
--- /dev/null
+++ b/test/kldap/ldap.conf
@@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	dc=example,dc=com
+URI	    ldapi:///
+SASL_MECH EXTERNAL
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+TLS_CACERTDIR	/etc/openldap/certs
diff --git a/test/kldap/ldap_kdb.expect b/test/kldap/ldap_kdb.expect
new file mode 100644
index 0000000000000000000000000000000000000000..98a12b88eb8565bdedc8f36e3805d7a6d94b991a
--- /dev/null
+++ b/test/kldap/ldap_kdb.expect
@@ -0,0 +1,15 @@
+#!/usr/bin/expect
+
+set timeout -1
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/sbin/kdb5_util create -s"
+expect -exact "/usr/sbin/kdb5_util create -s"
+send -- "\r"
+expect "Enter KDC database master key: "
+send -- "y4xfpgb4\r"
+expect "Re-enter KDC database master key to verify: "
+send -- "y4xfpgb4\r"
+expect "\r"
+send -- "exit\r"
+expect eof 
\ No newline at end of file
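Review bot: The KDC master key is a literal string in both `send` lines here, whereas `kdb_create.expect` in the same commit uses the `MASTER_PASSWORD` placeholder. Switching to the same placeholder keeps the fixtures consistent and keeps key-like strings out of the repository. If this value was ever used outside the test fixture it should be treated as exposed and rotated.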
diff --git a/test/kldap/olcDatabase_0.ldif b/test/kldap/olcDatabase_0.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..2b25e3ce86f91c3bf523461c301f22b85a609906
--- /dev/null
+++ b/test/kldap/olcDatabase_0.ldif
@@ -0,0 +1,8 @@
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcRootPW: CONFIG_ROOT
+olcAccess: to attrs=olcRootPW by none
+olcAccess: to *
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  by * none
\ No newline at end of file
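Review bot: `olcAccess: to attrs=olcRootPW by none` has an access level but no `<who>` clause; it looks like `by * none` was intended, and slapd may reject or misread the rule as written. `olcRootPW: CONFIG_ROOT` is presumably a placeholder replaced at setup time; if so, substituting a hashed value rather than cleartext keeps the fixture closer to what a real deployment should hold.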
diff --git a/test/kldap/olcDatabase_mdb.ldif b/test/kldap/olcDatabase_mdb.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..aed572ca88739cea21fb8ae6ee4fab430b0b816b
--- /dev/null
+++ b/test/kldap/olcDatabase_mdb.ldif
@@ -0,0 +1,26 @@
+# {1}mdb, config
+dn: olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcDbDirectory: /srv/ldap/example.com
+olcSuffix: dc=example,dc=com
+olcRootDN: cn=root,dc=example,dc=com
+olcRootPW: MDB_ROOT
+olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time=unlimited size=unlimited
+olcDbIndex: default pres,eq
+olcDbIndex: objectClass,entryCSN,entryUUID eq
+olcDbIndex: uid,krbPrincipalName eq,sub,subinitial,subany,subfinal
+#
+olcAccess: to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
+  by dn.exact="uid=kadmin,ou=accounts,dc=example,dc=com" write
+  by dn.exact="uid=krb5kdc,ou=accounts,dc=example,dc=com" write
+  by * break
+olcAccess: to dn.base="dc=example,dc=com" by * read
+olcAccess: to attrs=entry by dn.children="ou=accounts,dc=example,dc=com" read by * break
+olcAccess: to attrs=userPassword,krbPrincipalName,authzfrom,authzto by anonymous auth by * break
+#
+olcDbCheckpoint: 512 30
+olcDbMaxsize: 17179869184
+olcDbNoSync: FALSE
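Review bot: The first `olcAccess` rule grants the `uid=kadmin` and `uid=krb5kdc` service accounts `write` on `*`, that is on every entry and attribute under the suffix, including `userPassword` under `ou=people`. `dit.ldif` creates `ou=kerberos,dc=example,dc=com`, but `krb5.conf` sets `ldap_kerberos_container_dn = dc=example,dc=com`; pointing the container at `ou=kerberos` and scoping this rule with `dn.subtree="ou=kerberos,dc=example,dc=com"` would keep the test setup least-privilege. If the broad grant is kept, a `#` comment saying it is test-only would help, since fixtures like this tend to be copied into real configurations.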
diff --git a/test/kldap/schema/collective.ldif b/test/kldap/schema/collective.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..09ef56257097dcc52bd1f69a8e20bc9befd0d3b8
--- /dev/null
+++ b/test/kldap/schema/collective.ldif
@@ -0,0 +1,48 @@
+# collective.ldif -- Collective attribute schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (2003).
+## Please see full copyright statement below.
+#
+# From RFC 3671 [portions trimmed]:
+# 	Collective Attributes in LDAP
+#
+# This file was automatically generated from collective.schema; see that file
+# for complete references.
+#
+dn: cn=collective,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: collective
+olcAttributeTypes: {0}( 2.5.4.7.1 NAME 'c-l' SUP l COLLECTIVE )
+olcAttributeTypes: {1}( 2.5.4.8.1 NAME 'c-st' SUP st COLLECTIVE )
+olcAttributeTypes: {2}( 2.5.4.9.1 NAME 'c-street' SUP street COLLECTIVE )
+olcAttributeTypes: {3}( 2.5.4.10.1 NAME 'c-o' SUP o COLLECTIVE )
+olcAttributeTypes: {4}( 2.5.4.11.1 NAME 'c-ou' SUP ou COLLECTIVE )
+olcAttributeTypes: {5}( 2.5.4.16.1 NAME 'c-PostalAddress' SUP postalAddress CO
+ LLECTIVE )
+olcAttributeTypes: {6}( 2.5.4.17.1 NAME 'c-PostalCode' SUP postalCode COLLECTI
+ VE )
+olcAttributeTypes: {7}( 2.5.4.18.1 NAME 'c-PostOfficeBox' SUP postOfficeBox CO
+ LLECTIVE )
+olcAttributeTypes: {8}( 2.5.4.19.1 NAME 'c-PhysicalDeliveryOfficeName' SUP phy
+ sicalDeliveryOfficeName COLLECTIVE )
+olcAttributeTypes: {9}( 2.5.4.20.1 NAME 'c-TelephoneNumber' SUP telephoneNumbe
+ r COLLECTIVE )
+olcAttributeTypes: {10}( 2.5.4.21.1 NAME 'c-TelexNumber' SUP telexNumber COLLE
+ CTIVE )
+olcAttributeTypes: {11}( 2.5.4.23.1 NAME 'c-FacsimileTelephoneNumber' SUP facs
+ imileTelephoneNumber COLLECTIVE )
+olcAttributeTypes: {12}( 2.5.4.25.1 NAME 'c-InternationalISDNNumber' SUP inter
+ nationalISDNNumber COLLECTIVE )
diff --git a/test/kldap/schema/corba.ldif b/test/kldap/schema/corba.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..f2416edf275eb983a6fde1131f25e483e3bc892b
--- /dev/null
+++ b/test/kldap/schema/corba.ldif
@@ -0,0 +1,42 @@
+# corba.ldif -- Corba Object Schema
+#	depends upon core.ldif
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1999).
+## Please see full copyright statement below.
+#
+# From RFC 2714 [portions trimmed]:
+#   Schema for Representing CORBA Object References in an LDAP Directory
+#
+# This file was automatically generated from corba.schema; see that file
+# for complete references.
+#
+dn: cn=corba,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: corba
+olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.4.1.14 NAME 'corbaIor' DESC 'Strin
+ gified interoperable object reference of a CORBA object' EQUALITY caseIgnoreI
+ A5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.4.1.15 NAME 'corbaRepositoryId' DE
+ SC 'Repository ids of interfaces implemented by a CORBA object' EQUALITY case
+ ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.4.2.10 NAME 'corbaContainer' DESC '
+ Container for a CORBA object' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.4.2.9 NAME 'corbaObject' DESC 'CORB
+ A object representation' SUP top ABSTRACT MAY ( corbaRepositoryId $ descripti
+ on ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.42.2.27.4.2.11 NAME 'corbaObjectReference' 
+ DESC 'CORBA interoperable object reference' SUP corbaObject AUXILIARY MUST co
+ rbaIor )
diff --git a/test/kldap/schema/core.ldif b/test/kldap/schema/core.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..4f827909235d2126c5b6c1b484184c0c78606ede
--- /dev/null
+++ b/test/kldap/schema/core.ldif
@@ -0,0 +1,591 @@
+# OpenLDAP Core schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1997-2003).
+## All Rights Reserved.
+##
+## This document and translations of it may be copied and furnished to
+## others, and derivative works that comment on or otherwise explain it
+## or assist in its implementation may be prepared, copied, published
+## and distributed, in whole or in part, without restriction of any
+## kind, provided that the above copyright notice and this paragraph are
+## included on all such copies and derivative works.  However, this
+## document itself may not be modified in any way, such as by removing
+## the copyright notice or references to the Internet Society or other
+## Internet organizations, except as needed for the purpose of
+## developing Internet standards in which case the procedures for
+## copyrights defined in the Internet Standards process must be         
+## followed, or as required to translate it into languages other than
+## English.
+##                                                                      
+## The limited permissions granted above are perpetual and will not be  
+## revoked by the Internet Society or its successors or assigns.        
+## 
+## This document and the information contained herein is provided on an 
+## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+#
+#
+#
+# Includes LDAPv3 schema items from:
+#	RFC 2252/2256 (LDAPv3)
+#
+# Select standard track schema items:
+#	RFC 1274 (uid/dc)
+#	RFC 2079 (URI)
+#	RFC 2247 (dc/dcObject)
+#	RFC 2587 (PKI)
+#	RFC 2589 (Dynamic Directory Services)
+#
+# Select informational schema items:
+#	RFC 2377 (uidObject)
+#
+#
+# Standard attribute types from RFC 2256
+#
+dn: cn=core,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: core
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass'
+#	DESC 'RFC2256: object classes of the entity'
+#	EQUALITY objectIdentifierMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
+#	DESC 'RFC2256: name of aliased object'
+#	EQUALITY distinguishedNameMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.2 NAME 'knowledgeInformation'
+  DESC 'RFC2256: knowledge information'
+  EQUALITY caseIgnoreMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' )
+#	DESC 'RFC2256: common name(s) for which the entity is known by'
+#	SUP name )
+#
+olcAttributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' )
+  DESC 'RFC2256: last (family) name(s) for which the entity is known by'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.5 NAME 'serialNumber'
+  DESC 'RFC2256: serial number of the entity'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+#
+# RFC 4519 definition ('countryName' in X.500 and RFC2256)
+olcAttributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' )
+  DESC 'RFC4519: two-letter ISO-3166 country code'
+  SUP name
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
+  SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.7 NAME ( 'l' 'localityName' )
+  DESC 'RFC2256: locality which this object resides in'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
+  DESC 'RFC2256: state or province which this object resides in'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
+  DESC 'RFC2256: street address of this object'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.10 NAME ( 'o' 'organizationName' )
+  DESC 'RFC2256: organization this object belongs to'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
+  DESC 'RFC2256: organizational unit this object belongs to'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.12 NAME 'title'
+  DESC 'RFC2256: title associated with the entity'
+  SUP name )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.13 NAME 'description'
+#	DESC 'RFC2256: descriptive information'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
+#
+# Deprecated by enhancedSearchGuide
+olcAttributeTypes: ( 2.5.4.14 NAME 'searchGuide'
+  DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+#
+olcAttributeTypes: ( 2.5.4.15 NAME 'businessCategory'
+  DESC 'RFC2256: business category'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.16 NAME 'postalAddress'
+  DESC 'RFC2256: postal address'
+  EQUALITY caseIgnoreListMatch
+  SUBSTR caseIgnoreListSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+#
+olcAttributeTypes: ( 2.5.4.17 NAME 'postalCode'
+  DESC 'RFC2256: postal code'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+#
+olcAttributeTypes: ( 2.5.4.18 NAME 'postOfficeBox'
+  DESC 'RFC2256: Post Office Box'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+#
+olcAttributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
+  DESC 'RFC2256: Physical Delivery Office Name'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+#
+olcAttributeTypes: ( 2.5.4.20 NAME 'telephoneNumber'
+  DESC 'RFC2256: Telephone Number'
+  EQUALITY telephoneNumberMatch
+  SUBSTR telephoneNumberSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+#
+olcAttributeTypes: ( 2.5.4.21 NAME 'telexNumber'
+  DESC 'RFC2256: Telex Number'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
+#
+olcAttributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
+  DESC 'RFC2256: Teletex Terminal Identifier'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
+#
+olcAttributeTypes: ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
+  DESC 'RFC2256: Facsimile (Fax) Telephone Number'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
+#
+olcAttributeTypes: ( 2.5.4.24 NAME 'x121Address'
+  DESC 'RFC2256: X.121 Address'
+  EQUALITY numericStringMatch
+  SUBSTR numericStringSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
+#
+olcAttributeTypes: ( 2.5.4.25 NAME 'internationaliSDNNumber'
+  DESC 'RFC2256: international ISDN number'
+  EQUALITY numericStringMatch
+  SUBSTR numericStringSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
+#
+olcAttributeTypes: ( 2.5.4.26 NAME 'registeredAddress'
+  DESC 'RFC2256: registered postal address'
+  SUP postalAddress
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+#
+olcAttributeTypes: ( 2.5.4.27 NAME 'destinationIndicator'
+  DESC 'RFC2256: destination indicator'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+#
+olcAttributeTypes: ( 2.5.4.28 NAME 'preferredDeliveryMethod'
+  DESC 'RFC2256: preferred delivery method'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
+  SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.29 NAME 'presentationAddress'
+  DESC 'RFC2256: presentation address'
+  EQUALITY presentationAddressMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
+  SINGLE-VALUE )
+#
+olcAttributeTypes: ( 2.5.4.30 NAME 'supportedApplicationContext'
+  DESC 'RFC2256: supported application context'
+  EQUALITY objectIdentifierMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+#
+olcAttributeTypes: ( 2.5.4.31 NAME 'member'
+  DESC 'RFC2256: member of a group'
+  SUP distinguishedName )
+#
+olcAttributeTypes: ( 2.5.4.32 NAME 'owner'
+  DESC 'RFC2256: owner (of the object)'
+  SUP distinguishedName )
+#
+olcAttributeTypes: ( 2.5.4.33 NAME 'roleOccupant'
+  DESC 'RFC2256: occupant of role'
+  SUP distinguishedName )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.34 NAME 'seeAlso'
+#	DESC 'RFC2256: DN of related object'
+#	SUP distinguishedName )
+#
+# system schema
+#olcAttributeTypes: ( 2.5.4.35 NAME 'userPassword'
+#	DESC 'RFC2256/2307: password of user'
+#	EQUALITY octetStringMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+#
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+olcAttributeTypes: ( 2.5.4.36 NAME 'userCertificate'
+  DESC 'RFC2256: X.509 user certificate, use ;binary'
+  EQUALITY certificateExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+#
+# Must be transferred using ;binary
+# with certificateExactMatch rule (per X.509)
+olcAttributeTypes: ( 2.5.4.37 NAME 'cACertificate'
+  DESC 'RFC2256: X.509 CA certificate, use ;binary'
+  EQUALITY certificateExactMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.38 NAME 'authorityRevocationList'
+  DESC 'RFC2256: X.509 authority revocation list, use ;binary'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.39 NAME 'certificateRevocationList'
+  DESC 'RFC2256: X.509 certificate revocation list, use ;binary'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+# Must be stored and requested in the binary form
+olcAttributeTypes: ( 2.5.4.40 NAME 'crossCertificatePair'
+  DESC 'RFC2256: X.509 cross certificate pair, use ;binary'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
+#
+# 2.5.4.41 is defined above as it's used for subtyping
+#olcAttributeTypes: ( 2.5.4.41 NAME 'name'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+olcAttributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' )
+  DESC 'RFC2256: first name(s) for which the entity is known by'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.43 NAME 'initials'
+  DESC 'RFC2256: initials of some or all of names, but not the surname(s).'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.44 NAME 'generationQualifier'
+  DESC 'RFC2256: name qualifier indicating a generation'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier'
+  DESC 'RFC2256: X.500 unique identifier'
+  EQUALITY bitStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
+#
+olcAttributeTypes: ( 2.5.4.46 NAME 'dnQualifier'
+  DESC 'RFC2256: DN qualifier'
+  EQUALITY caseIgnoreMatch
+  ORDERING caseIgnoreOrderingMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+#
+olcAttributeTypes: ( 2.5.4.47 NAME 'enhancedSearchGuide'
+  DESC 'RFC2256: enhanced search guide'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
+#
+olcAttributeTypes: ( 2.5.4.48 NAME 'protocolInformation'
+  DESC 'RFC2256: protocol information'
+  EQUALITY protocolInformationMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
+#
+# 2.5.4.49 is defined above as it's used for subtyping
+#olcAttributeTypes: ( 2.5.4.49 NAME 'distinguishedName'
+#	EQUALITY distinguishedNameMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+#
+olcAttributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
+  DESC 'RFC2256: unique member of a group'
+  EQUALITY uniqueMemberMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
+#
+olcAttributeTypes: ( 2.5.4.51 NAME 'houseIdentifier'
+  DESC 'RFC2256: house identifier'
+  EQUALITY caseIgnoreMatch
+  SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.52 NAME 'supportedAlgorithms'
+  DESC 'RFC2256: supported algorithms'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
+#
+# Must be transferred using ;binary
+olcAttributeTypes: ( 2.5.4.53 NAME 'deltaRevocationList'
+  DESC 'RFC2256: delta revocation list; use ;binary'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+#
+olcAttributeTypes: ( 2.5.4.54 NAME 'dmdName'
+  DESC 'RFC2256: name of DMD'
+  SUP name )
+#
+olcAttributeTypes: ( 2.5.4.65 NAME 'pseudonym'
+  DESC 'X.520(4th): pseudonym for the object'
+  SUP name )
+#
+# Standard object classes from RFC2256
+#
+# system schema
+#olcObjectClasses: ( 2.5.6.1 NAME 'alias'
+#	DESC 'RFC2256: an alias'
+#	SUP top STRUCTURAL
+#	MUST aliasedObjectName )
+#
+olcObjectClasses: ( 2.5.6.2 NAME 'country'
+  DESC 'RFC2256: a country'
+  SUP top STRUCTURAL
+  MUST c
+  MAY ( searchGuide $ description ) )
+#
+olcObjectClasses: ( 2.5.6.3 NAME 'locality'
+  DESC 'RFC2256: a locality'
+  SUP top STRUCTURAL
+  MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.4 NAME 'organization'
+  DESC 'RFC2256: an organization'
+  SUP top STRUCTURAL
+  MUST o
+  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+  x121Address $ registeredAddress $ destinationIndicator $
+  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+  telephoneNumber $ internationaliSDNNumber $ 
+  facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+  postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit'
+  DESC 'RFC2256: an organizational unit'
+  SUP top STRUCTURAL
+  MUST ou
+  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+  x121Address $ registeredAddress $ destinationIndicator $
+  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+  telephoneNumber $ internationaliSDNNumber $
+  facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+  postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.6 NAME 'person'
+  DESC 'RFC2256: a person'
+  SUP top STRUCTURAL
+  MUST ( sn $ cn )
+  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+#
+olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson'
+  DESC 'RFC2256: an organizational person'
+  SUP person STRUCTURAL
+  MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
+  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+  telephoneNumber $ internationaliSDNNumber $ 
+  facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+  postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
+#
+olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole'
+  DESC 'RFC2256: an organizational role'
+  SUP top STRUCTURAL
+  MUST cn
+  MAY ( x121Address $ registeredAddress $ destinationIndicator $
+  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+  telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+  seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+  postOfficeBox $ postalCode $ postalAddress $
+  physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames'
+  DESC 'RFC2256: a group of names (DNs)'
+  SUP top STRUCTURAL
+  MUST ( member $ cn )
+  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+#
+olcObjectClasses: ( 2.5.6.10 NAME 'residentialPerson'
+  DESC 'RFC2256: an residential person'
+  SUP person STRUCTURAL
+  MUST l
+  MAY ( businessCategory $ x121Address $ registeredAddress $
+  destinationIndicator $ preferredDeliveryMethod $ telexNumber $
+  teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
+  facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
+  postOfficeBox $ postalCode $ postalAddress $
+  physicalDeliveryOfficeName $ st $ l ) )
+#
+olcObjectClasses: ( 2.5.6.11 NAME 'applicationProcess'
+  DESC 'RFC2256: an application process'
+  SUP top STRUCTURAL
+  MUST cn
+  MAY ( seeAlso $ ou $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.12 NAME 'applicationEntity'
+  DESC 'RFC2256: an application entity'
+  SUP top STRUCTURAL
+  MUST ( presentationAddress $ cn )
+  MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
+  description ) )
+#
+olcObjectClasses: ( 2.5.6.13 NAME 'dSA'
+  DESC 'RFC2256: a directory system agent (a server)'
+  SUP applicationEntity STRUCTURAL
+  MAY knowledgeInformation )
+#
+olcObjectClasses: ( 2.5.6.14 NAME 'device'
+  DESC 'RFC2256: a device'
+  SUP top STRUCTURAL
+  MUST cn
+  MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
+#
+olcObjectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser'
+  DESC 'RFC2256: a strong authentication user'
+  SUP top AUXILIARY
+  MUST userCertificate )
+#
+olcObjectClasses: ( 2.5.6.16 NAME 'certificationAuthority'
+  DESC 'RFC2256: a certificate authority'
+  SUP top AUXILIARY
+  MUST ( authorityRevocationList $ certificateRevocationList $
+  cACertificate ) MAY crossCertificatePair )
+#
+olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames'
+  DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
+  SUP top STRUCTURAL
+  MUST ( uniqueMember $ cn )
+  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+#
+olcObjectClasses: ( 2.5.6.18 NAME 'userSecurityInformation'
+  DESC 'RFC2256: a user security information'
+  SUP top AUXILIARY
+  MAY ( supportedAlgorithms ) )
+#
+olcObjectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
+  SUP certificationAuthority
+  AUXILIARY MAY ( deltaRevocationList ) )
+#
+olcObjectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint'
+  SUP top STRUCTURAL
+  MUST ( cn )
+  MAY ( certificateRevocationList $ authorityRevocationList $
+  deltaRevocationList ) )
+#
+olcObjectClasses: ( 2.5.6.20 NAME 'dmd'
+  SUP top STRUCTURAL
+  MUST ( dmdName )
+  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
+  x121Address $ registeredAddress $ destinationIndicator $
+  preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+  telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+  street $ postOfficeBox $ postalCode $ postalAddress $
+  physicalDeliveryOfficeName $ st $ l $ description ) )
+#
+#
+# Object Classes from RFC 2587
+#
+olcObjectClasses: ( 2.5.6.21 NAME 'pkiUser'
+  DESC 'RFC2587: a PKI user'
+  SUP top AUXILIARY
+  MAY userCertificate )
+#
+olcObjectClasses: ( 2.5.6.22 NAME 'pkiCA'
+  DESC 'RFC2587: PKI certificate authority'
+  SUP top AUXILIARY
+  MAY ( authorityRevocationList $ certificateRevocationList $
+  cACertificate $ crossCertificatePair ) )
+#
+olcObjectClasses: ( 2.5.6.23 NAME 'deltaCRL'
+  DESC 'RFC2587: PKI user'
+  SUP top AUXILIARY
+  MAY deltaRevocationList )
+#
+#
+# Standard Track URI label schema from RFC 2079
+# system schema
+#olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
+#	DESC 'RFC2079: Uniform Resource Identifier with optional label'
+#	EQUALITY caseExactMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
+  DESC 'RFC2079: object that contains the URI attribute type'
+  MAY ( labeledURI )
+  SUP top AUXILIARY )
+#
+#
+# Derived from RFC 1274, but with new "short names"
+#
+#olcAttributeTypes: ( 0.9.2342.19200300.100.1.1
+#	NAME ( 'uid' 'userid' )
+#	DESC 'RFC1274: user identifier'
+#	EQUALITY caseIgnoreMatch
+#	SUBSTR caseIgnoreSubstringsMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+#
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.3
+  NAME ( 'mail' 'rfc822Mailbox' )
+  DESC 'RFC1274: RFC822 Mailbox'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+olcObjectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
+  DESC 'RFC1274: simple security object'
+  SUP top AUXILIARY
+  MUST userPassword )
+#
+# RFC 1274 + RFC 2247
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.25
+  NAME ( 'dc' 'domainComponent' )
+  DESC 'RFC1274/2247: domain component'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+#
+# RFC 2247
+olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
+  DESC 'RFC2247: domain component object'
+  SUP top AUXILIARY MUST dc )
+#
+# RFC 2377
+olcObjectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject'
+  DESC 'RFC2377: uid object'
+  SUP top AUXILIARY MUST uid )
+#
+# From COSINE Pilot
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.37
+  NAME 'associatedDomain'
+  DESC 'RFC1274: domain associated with object'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
+olcAttributeTypes: ( 1.2.840.113549.1.9.1
+  NAME ( 'email' 'emailAddress' 'pkcs9email' )
+  DESC 'RFC3280: legacy attribute for email addresses in DNs'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+#
diff --git a/test/kldap/schema/cosine.ldif b/test/kldap/schema/cosine.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..9b437f856b0863e8796f33e7fbfec566e75e1629
--- /dev/null
+++ b/test/kldap/schema/cosine.ldif
@@ -0,0 +1,200 @@
+# RFC1274: Cosine and Internet X.500 schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# RFC1274: Cosine and Internet X.500 schema
+#
+# This file contains LDAPv3 schema derived from X.500 COSINE "pilot"
+# schema.  As this schema was defined for X.500(89), some
+# oddities were introduced in the mapping to LDAPv3.  The
+# mappings were based upon: draft-ietf-asid-ldapv3-attributes-03.txt
+# (a work in progress)
+#
+# Note: It seems that the pilot schema evolved beyond what was
+# described in RFC1274.  However, this document attempts to describes
+# RFC1274 as published.
+#
+# Depends on core.ldif
+#
+# This file was automatically generated from cosine.schema; see that
+# file for complete background.
+#
+dn: cn=cosine,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: cosine
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.2 NAME 'textEncodedORAddress' 
+ EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'RFC1274: g
+ eneral information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.5 NAME ( 'drink' 'favouriteDri
+ nk' ) DESC 'RFC1274: favorite drink' EQUALITY caseIgnoreMatch SUBSTR caseIgno
+ reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.6 NAME 'roomNumber' DESC 'RFC1
+ 274: room number' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S
+ YNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' DESC 'RFC1274: 
+ photo (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.23{25000} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'RFC12
+ 74: category of user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'RFC1274: h
+ ost computer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA
+ X 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'RFC127
+ 4: DN of manager' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115
+ .121.1.12 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' D
+ ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR 
+ caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' DESC '
+ RFC1274: title of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstri
+ ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' DES
+ C 'RFC1274: version of document' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSu
+ bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DESC
+  'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DE
+ SC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBSTR c
+ aseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTe
+ lephoneNumber' ) DESC 'RFC1274: home telephone number' EQUALITY telephoneNumb
+ erMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.50 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'RFC
+ 1274: DN of secretary' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.12 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.39 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY ca
+ seIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY c
+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY c
+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.29 NAME 'nSRecord' EQUALITY c
+ aseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.30 NAME 'sOARecord' EQUALITY 
+ caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.31 NAME 'cNAMERecord' EQUALIT
+ Y caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC
+  'RFC1274: DN of entry associated with domain' EQUALITY distinguishedNameMatc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' D
+ ESC 'RFC1274: home postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIg
+ noreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' DESC 
+ 'RFC1274: personal title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring
+ sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTel
+ ephoneNumber' ) DESC 'RFC1274: mobile telephone number' EQUALITY telephoneNum
+ berMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.50 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelep
+ honeNumber' ) DESC 'RFC1274: pager telephone number' EQUALITY telephoneNumber
+ Match SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .50 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCount
+ ryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBS
+ TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
+ SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.45 NAME 'organizationalStatus
+ ' DESC 'RFC1274: organizational status' EQUALITY caseIgnoreMatch SUBSTR caseI
+ gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.46 NAME 'janetMailbox' DESC '
+ RFC1274: Janet mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst
+ ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.47 NAME 'mailPreferenceOption
+ ' DESC 'RFC1274: mail preference option' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' DESC '
+ RFC1274: name of building' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
+ gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.49 NAME 'dSAQuality' DESC 'RF
+ C1274: DSA Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.19 SINGLE-VALUE )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.50 NAME 'singleLevelQuality' 
+ DESC 'RFC1274: Single Level Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.13 SIN
+ GLE-VALUE )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.51 NAME 'subtreeMinimumQualit
+ y' DESC 'RFC1274: Subtree Mininum Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 13 SINGLE-VALUE )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQualit
+ y' DESC 'RFC1274: Subtree Maximun Quality' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 13 SINGLE-VALUE )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' D
+ ESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 23 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'R
+ FC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.12 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC1274
+ : audio (u-law)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.4{25000} )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' D
+ ESC 'RFC1274: publisher of document' EQUALITY caseIgnoreMatch SUBSTR caseIgno
+ reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilo
+ tPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822
+ Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ hom
+ ePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ busine
+ ssCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelep
+ honeNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature 
+ ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCT
+ URAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationNam
+ e $ organizationalUnitName $ host ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUC
+ TURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ loca
+ lityName $ organizationName $ organizationalUnitName $ documentTitle $ docume
+ ntVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURA
+ L MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber 
+ ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top
+  STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ l
+ ocalityName $ organizationName $ organizationalUnitName ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCT
+ URAL MUST domainComponent MAY ( associatedName $ organizationName $ descripti
+ on $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $
+  stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAdd
+ ress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber 
+ $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ tel
+ exNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress
+  $ x121Address ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP d
+ omain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telepho
+ neNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOffi
+ ceBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ 
+ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDelivery
+ Method $ destinationIndicator $ registeredAddress $ x121Address ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain 
+ STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAME
+ Record ) )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' D
+ ESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associat
+ edDomain )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP c
+ ountry STRUCTURAL MUST friendlyCountryName )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SU
+ P ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STR
+ UCTURAL MAY dSAQuality )
+olcObjectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' 
+ SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximu
+ mQuality ) )
diff --git a/test/kldap/schema/duaconf.ldif b/test/kldap/schema/duaconf.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..7749b6207aff03b8d72c0093a55095cc964355cf
--- /dev/null
+++ b/test/kldap/schema/duaconf.ldif
@@ -0,0 +1,83 @@
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# DUA schema from draft-joslin-config-schema (a work in progress)
+#
+# This file was automatically generated from duaconf.schema; see that file
+# for complete references.
+#
+dn: cn=duaconf,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: duaconf
+olcObjectIdentifier: {0}DUAConfSchemaOID 1.3.6.1.4.1.11.1.3.1
+olcAttributeTypes: {0}( DUAConfSchemaOID:1.0 NAME 'defaultServerList' DESC 'De
+ fault LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: {1}( DUAConfSchemaOID:1.1 NAME 'defaultSearchBase' DESC 'De
+ fault LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
+olcAttributeTypes: {2}( DUAConfSchemaOID:1.2 NAME 'preferredServerList' DESC '
+ Preferred LDAP server host addresses to be used by a            DUA' EQUALITY
+  caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: {3}( DUAConfSchemaOID:1.3 NAME 'searchTimeLimit' DESC 'Maxi
+ mum time in seconds a DUA should allow for a            search to complete' E
+ QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {4}( DUAConfSchemaOID:1.4 NAME 'bindTimeLimit' DESC 'Maximu
+ m time in seconds a DUA should allow for the            bind operation to com
+ plete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU
+ E )
+olcAttributeTypes: {5}( DUAConfSchemaOID:1.5 NAME 'followReferrals' DESC 'Tell
+ s DUA if it should follow referrals            returned by a DSA search resul
+ t' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {6}( DUAConfSchemaOID:1.16 NAME 'dereferenceAliases' DESC '
+ Tells DUA if it should dereference aliases' EQUALITY booleanMatch SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {7}( DUAConfSchemaOID:1.6 NAME 'authenticationMethod' DESC 
+ 'A keystring which identifies the type of            authentication method us
+ ed to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.15 SINGLE-VALUE )
+olcAttributeTypes: {8}( DUAConfSchemaOID:1.7 NAME 'profileTTL' DESC 'Time to l
+ ive, in seconds, before a client DUA            should re-read this configura
+ tion profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
+ LE-VALUE )
+olcAttributeTypes: {9}( DUAConfSchemaOID:1.14 NAME 'serviceSearchDescriptor' D
+ ESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTA
+ X 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {10}( DUAConfSchemaOID:1.9 NAME 'attributeMap' DESC 'Attrib
+ ute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.26 )
+olcAttributeTypes: {11}( DUAConfSchemaOID:1.10 NAME 'credentialLevel' DESC 'Id
+ entifies type of credentials a DUA should            use when binding to the 
+ LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+olcAttributeTypes: {12}( DUAConfSchemaOID:1.11 NAME 'objectclassMap' DESC 'Obj
+ ectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.26 )
+olcAttributeTypes: {13}( DUAConfSchemaOID:1.12 NAME 'defaultSearchScope' DESC 
+ 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6
+ .1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {14}( DUAConfSchemaOID:1.13 NAME 'serviceCredentialLevel' D
+ ESC 'Identifies type of credentials a DUA            should use when binding 
+ to the LDAP server for a            specific service' EQUALITY caseIgnoreIA5M
+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {15}( DUAConfSchemaOID:1.15 NAME 'serviceAuthenticationMeth
+ od' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIg
+ noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcObjectClasses: {0}( DUAConfSchemaOID:2.5 NAME 'DUAConfigProfile' DESC 'Abst
+ raction of a base configuration for a DUA' SUP top STRUCTURAL MUST cn MAY ( d
+ efaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchSco
+ pe $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod
+  $ followReferrals $ dereferenceAliases $ serviceSearchDescriptor $ serviceCr
+ edentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $
+  profileTTL ) )
diff --git a/test/kldap/schema/dyngroup.ldif b/test/kldap/schema/dyngroup.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..6c96a1516c172cf539a7030958e18fef1eae4666
--- /dev/null
+++ b/test/kldap/schema/dyngroup.ldif
@@ -0,0 +1,71 @@
+# dyngroup.schema -- Dynamic Group schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Dynamic Group schema (experimental), as defined by Netscape.  See
+# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
+# page 70 for details on how these groups were used.
+#
+# A description of the objectclass definition is available here:
+# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
+#
+# depends upon:
+#       core.schema
+#
+# These definitions are considered experimental due to the lack of
+# a formal specification (e.g., RFC).
+#
+# NOT RECOMMENDED FOR PRODUCTION USE!  USE WITH CAUTION!
+#
+# The Netscape documentation describes this as an auxiliary objectclass
+# but their implementations have always defined it as a structural class.
+# The sloppiness here is because Netscape-derived servers don't actually
+# implement the X.500 data model, and they don't honor the distinction
+# between structural and auxiliary classes. This fact is noted here:
+# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
+#
+# In accordance with other existing implementations, we define it as a
+# structural class.
+#
+# Our definition of memberURL also does not match theirs but again
+# their published definition and what works in practice do not agree.
+# In other words, the Netscape definitions are broken and interoperability
+# is not guaranteed.
+#
+# Also see the new DynGroup proposed spec at
+# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02
+dn: cn=dyngroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: dyngroup
+olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
+olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
+olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
+olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
+olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
+olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
+olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
+olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
+olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I
+ dentifies an URL associated with each member of a group. Any type of labeled 
+ URL can be used.' SUP labeledURI )
+olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use
+  when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
+olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza
+ tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a
+ uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
+olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S
+ TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $
+  owner $ seeAlso ) )
+olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY
+  ( dgIdentity $ dgAuthz ) )
diff --git a/test/kldap/schema/eduorg.ldif b/test/kldap/schema/eduorg.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..6c2ce5ace6a6cd848670dd5fbe1f0468dba9225b
--- /dev/null
+++ b/test/kldap/schema/eduorg.ldif
@@ -0,0 +1,22 @@
+# mace-dir, schema, config
+dn: cn=eduorg,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: eduorg
+olcAttributeTypes: {0}( 1.3.6.1.4.1.5923.1.2.1.2  NAME 'eduOrgHomePageURI' DES
+ C 'eduOrg per Internet2 and EDUCAUSE' EQUALITY caseExactMatch SYNTAX '1.3.6.1
+ .4.1.1466.115.121.1.15' )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.5923.1.2.1.3  NAME 'eduOrgIdentityAuthNPol
+ icyURI' DESC 'eduOrg per Internet2 and EDUCAUSE' EQUALITY caseExactMatch SYNT
+ AX '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.5923.1.2.1.4  NAME 'eduOrgLegalName' DESC 
+ 'eduOrg per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.
+ 4.1.1466.115.121.1.15' )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.5923.1.2.1.5  NAME 'eduOrgSuperiorURI' DES
+ C 'eduOrg per Internet2 and EDUCAUSE' EQUALITY caseExactMatch SYNTAX '1.3.6.1
+ .4.1.1466.115.121.1.15' )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.5923.1.2.1.6 NAME 'eduOrgWhitePagesURI' DE
+ SC 'eduOrg per Internet2 and EDUCAUSE' EQUALITY caseExactMatch SYNTAX '1.3.6.
+ 1.4.1.1466.115.121.1.15' )
+olcObjectClasses: {0}( 1.3.6.1.4.1.5923.1.2.2NAME 'eduOrg' AUXILIARY MAY ( cn 
+ $ eduOrgHomePageURI $   eduOrgIdentityAuthNPolicyURI $ eduOrgLegalName $   ed
+ uOrgSuperiorURI $ eduOrgWhitePagesURI ))
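Review bot: The `eduOrg` object class in eduorg.ldif runs the numeric OID straight into the next keyword, `1.3.6.1.4.1.5923.1.2.2NAME 'eduOrg'`, with no whitespace between them. Both tokens sit on the same physical line, so this is not an effect of LDIF line folding. Whether the server's schema parser accepts it probably depends on how lenient it is, and a stricter parser or other LDIF tooling may reject the entry. I would write the start of the value as `( 1.3.6.1.4.1.5923.1.2.2 NAME 'eduOrg' AUXILIARY MAY ( cn`, matching the attribute type definitions above it.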
diff --git a/test/kldap/schema/eduperson.ldif b/test/kldap/schema/eduperson.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..ac5bedaa8c5e3a33ea2804a3f639d058f8ddda76
--- /dev/null
+++ b/test/kldap/schema/eduperson.ldif
@@ -0,0 +1,45 @@
+# mace-dir, schema, config
+dn: cn=eduperson,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: eduperson
+olcAttributeTypes: {0}( 1.3.6.1.4.1.5923.1.1.1.1 NAME 'eduPersonAffiliation' D
+ ESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SUBSTR ca
+ seIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'eduPersonNickname' DESC
+  'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SUBSTR caseI
+ gnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.5923.1.1.1.3 NAME 'eduPersonOrgDN' DESC 'e
+ duPerson per Internet2 and EDUCAUSE' EQUALITY distinguishedNameMatch SYNTAX '
+ 1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.5923.1.1.1.4 NAME 'eduPersonOrgUnitDN' DES
+ C 'eduPerson per Internet2 and EDUCAUSE' EQUALITY distinguishedNameMatch SYNT
+ AX '1.3.6.1.4.1.1466.115.121.1.12' )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.5923.1.1.1.5 NAME 'eduPersonPrimaryAffilia
+ tion' DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SU
+ BSTR caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-
+ VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.5923.1.1.1.6 NAME 'eduPersonPrincipalName'
+  DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SUBSTR 
+ caseIgnoreSubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE
+  )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.5923.1.1.1.7 NAME 'eduPersonEntitlement' D
+ ESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseExactMatch SYNTAX '1.
+ 3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.5923.1.1.1.8 NAME 'eduPersonPrimaryOrgUnit
+ DN' DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY distinguishedNameMat
+ ch SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.5923.1.1.1.9 NAME 'eduPersonScopedAffiliat
+ ion' DESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYN
+ TAX '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.5923.1.1.1.10 NAME 'eduPersonTargetedID' D
+ ESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYNTAX '1
+ .3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.5923.1.1.1.11 NAME 'eduPersonAssurance' D
+ ESC 'eduPerson per Internet2 and EDUCAUSE' EQUALITY caseIgnoreMatch SYNTAX '1
+ .3.6.1.4.1.1466.115.121.1.15' )
+olcObjectClasses: {0}( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' DESC 'eduPerson
+  per Internet2 and EDUCAUSE' AUXILIARY MAY ( eduPersonAffiliation $ eduPerson
+ Nickname $ eduPersonOrgDN $    eduPersonOrgUnitDN $ eduPersonPrimaryAffiliati
+ on $   eduPersonPrincipalName $ eduPersonEntitlement $   eduPersonPrimaryOrgU
+ nitDN $ eduPersonScopedAffiliation $   eduPersonTargetedID $ eduPersonAssuran
+ ce ))
diff --git a/test/kldap/schema/inetorgperson.ldif b/test/kldap/schema/inetorgperson.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..31a0080255dc87e4a88db1878d348ba0038bb6fd
--- /dev/null
+++ b/test/kldap/schema/inetorgperson.ldif
@@ -0,0 +1,69 @@
+# InetOrgPerson (RFC2798)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# InetOrgPerson (RFC2798)
+#
+# Depends upon
+#   Definition of an X.500 Attribute Type and an Object Class to Hold
+#   Uniform Resource Identifiers (URIs) [RFC2079]
+#	(core.ldif)
+#
+#   A Summary of the X.500(96) User Schema for use with LDAPv3 [RFC2256]
+#	(core.ldif)
+#
+#   The COSINE and Internet X.500 Schema [RFC1274] (cosine.ldif)
+#
+# This file was automatically generated from inetorgperson.schema; see
+# that file for complete references.
+#
+dn: cn=inetorgperson,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: inetorgperson
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'RFC279
+ 8: vehicle license or registration plate' EQUALITY caseIgnoreMatch SUBSTR cas
+ eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC '
+ RFC2798: identifies a department within an organization' EQUALITY caseIgnoreM
+ atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'RFC
+ 2798: preferred name to be used when displaying entries' EQUALITY caseIgnoreM
+ atch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
+ NGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'RF
+ C2798: numerically identifies an employee within an organization' EQUALITY ca
+ seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.4 NAME 'employeeType' DESC 'RFC2
+ 798: type of employment for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgn
+ oreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2
+ 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC
+  'RFC2798: preferred written or spoken language for a person' EQUALITY caseIg
+ noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 15 SINGLE-VALUE )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' D
+ ESC 'RFC2798: PKCS#7 SignedData used to support S/MIME' SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.5 )
+olcAttributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RFC2
+ 798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.1466.1
+ 15.121.1.5 )
+olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2
+ 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY 
+ ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em
+ ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini
+ tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo 
+ $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre
+ ferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
diff --git a/test/kldap/schema/java.ldif b/test/kldap/schema/java.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..fc7d032bbe7c10443dd70aadce790fb7f3fd0f76
--- /dev/null
+++ b/test/kldap/schema/java.ldif
@@ -0,0 +1,59 @@
+# java.ldif -- Java Object Schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Java Object Schema (defined in RFC 2713)
+#	depends upon core.ldif
+#
+# This file was automatically generated from java.schema; see that file
+# for complete references.
+#
+dn: cn=java,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: java
+olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.4.1.6 NAME 'javaClassName' DESC 'F
+ ully qualified name of distinguished Java class or interface' EQUALITY caseEx
+ actMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.4.1.7 NAME 'javaCodebase' DESC 'UR
+ L(s) specifying the location of class definition' EQUALITY caseExactIA5Match 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.4.1.13 NAME 'javaClassNames' DESC 
+ 'Fully qualified Java class or interface name' EQUALITY caseExactMatch SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.4.1.8 NAME 'javaSerializedData' DE
+ SC 'Serialized form of a Java object' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SI
+ NGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.4.1.10 NAME 'javaFactory' DESC 'Fu
+ lly qualified Java class name of a JNDI object factory' EQUALITY caseExactMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.4.1.11 NAME 'javaReferenceAddress'
+  DESC 'Addresses associated with a JNDI Reference' EQUALITY caseExactMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.4.1.12 NAME 'javaDoc' DESC 'The Ja
+ va documentation for the class' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1
+ .1466.115.121.1.26 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.4.2.1 NAME 'javaContainer' DESC 'Co
+ ntainer for a Java object' SUP top STRUCTURAL MUST cn )
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.4.2.4 NAME 'javaObject' DESC 'Java 
+ object representation' SUP top ABSTRACT MUST javaClassName MAY ( javaClassNam
+ es $ javaCodebase $ javaDoc $ description ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.42.2.27.4.2.5 NAME 'javaSerializedObject' D
+ ESC 'Java serialized object' SUP javaObject AUXILIARY MUST javaSerializedData
+  )
+olcObjectClasses: {3}( 1.3.6.1.4.1.42.2.27.4.2.8 NAME 'javaMarshalledObject' D
+ ESC 'Java marshalled object' SUP javaObject AUXILIARY MUST javaSerializedData
+  )
+olcObjectClasses: {4}( 1.3.6.1.4.1.42.2.27.4.2.7 NAME 'javaNamingReference' DE
+ SC 'JNDI reference' SUP javaObject AUXILIARY MAY ( javaReferenceAddress $ jav
+ aFactory ) )
diff --git a/test/kldap/schema/kerberos.ldif b/test/kldap/schema/kerberos.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e9fc014a81bcc4d34b5836e79e69bbb1c0aaa16f
--- /dev/null
+++ b/test/kldap/schema/kerberos.ldif
@@ -0,0 +1,153 @@
+
+dn: cn=kerberos,cn=schema,cn=config 
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' 
+ EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1
+ .1466.115.121.1.26 )
+olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUAL
+ ITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' 
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC
+  'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpira
+ tion' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING
+ LE-VALUE )
+olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQ
+ UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' 
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAg
+ e' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReference
+ s' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' E
+ QUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' E
+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' E
+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' E
+ QUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' 
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRefe
+ rences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
+ )
+olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAt
+ tr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU
+ E )
+olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' E
+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' E
+ QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' E
+ QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffCha
+ rs' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength'
+  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLen
+ gth' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
+ )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUAL
+ ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInter
+ val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
+ )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' 
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUA
+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALIT
+ Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts'
+  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
+ E )
+olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRefe
+ rence' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 S
+ INGLE-VALUE )
+olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpir
+ ation' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
+ GLE-VALUE )
+olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey'
+  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyR
+ eference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+ 2 SINGLE-VALUE )
+olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQU
+ ALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSal
+ tTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncS
+ altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' E
+ QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange
+ ' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-V
+ ALUE )
+olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQU
+ ALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE 
+ )
+olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALIT
+ Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAlia
+ ses' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfu
+ lAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
+ GLE-VALUE )
+olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAut
+ h' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-
+ VALUE )
+olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCo
+ unt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
+ )
+olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQ
+ UALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferen
+ ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContaine
+ rRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {47}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo'
+  EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.26 )
+olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP t
+ op STRUCTURAL MUST cn )
+olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' 
+ SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSe
+ archScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltType
+ s $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers 
+ $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
+olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top
+  ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP 
+ krbService STRUCTURAL )
+olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP 
+ krbService STRUCTURAL )
+olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SU
+ P top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ kr
+ bPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswo
+ rdExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krb
+ LastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulA
+ uth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDe
+ legateTo ) )
+olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP t
+ op STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SU
+ P top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP
+  krbService STRUCTURAL )
+olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP 
+ top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffCha
+ rs $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailure
+ CountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ kr
+ bPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAu
+ x' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewabl
+ eAge ) )
+olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' 
+ SUP top STRUCTURAL MUST cn )
\ No newline at end of file
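Review bot: The `dn:` line of kerberos.ldif ends in a trailing space (`dn: cn=kerberos,cn=schema,cn=config `), the file opens with a blank line, and it has no final newline. RFC 2849 says a value ending in a space should be base64-encoded, so a strict LDIF reader may handle this DN differently from the DNs in the neighbouring schema files. Dropping the trailing space and ending the file with a newline avoids that. Unlike the OpenLDAP-derived files beside it, this one has no header comment; a line such as `# Kerberos schema for cn=config, converted from <upstream schema file and version>` would record where it came from. The schema also declares key-material attributes (`krbPrincipalKey`, `krbMKey`, `krbPwdHistory`) and does nothing to restrict reading them, so the test slapd configuration, which is not visible here, presumably needs ACLs covering them.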
diff --git a/test/kldap/schema/misc.ldif b/test/kldap/schema/misc.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..cd7d7980c4e98eb9fdaaf9bed1d968717e3ec319
--- /dev/null
+++ b/test/kldap/schema/misc.ldif
@@ -0,0 +1,45 @@
+# misc.ldif -- assorted schema definitions
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Assorted definitions from several sources, including
+# ''works in progress''.  Contents of this file are
+# subject to change (including deletion) without notice.
+#
+# Not recommended for production use!
+# Use with extreme caution!
+#
+# This file was automatically generated from misc.schema; see that file
+# for complete references.
+#
+dn: cn=misc,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: misc
+olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC 
+ 'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {1}( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'FQDN of
+  the SMTP/MTA of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {2}( 2.16.840.1.113730.3.1.47 NAME 'mailRoutingAddress' DES
+ C 'RFC822 routing address of this recipient' EQUALITY caseIgnoreIA5Match SYNT
+ AX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.2.1.15 NAME 'rfc822MailMember' DES
+ C 'rfc822 mail address of group member(s)' EQUALITY caseIgnoreIA5Match SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: {0}( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient'
+  DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( mailLocalAddres
+ s $ mailHost $ mailRoutingAddress ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.1.2.5 NAME 'nisMailAlias' DESC 'NIS
+  mail alias' SUP top STRUCTURAL MUST cn MAY rfc822MailMember )
diff --git a/test/kldap/schema/nis.ldif b/test/kldap/schema/nis.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..946051b2e3fd02ec5aa146f1f73c00b48a05d339
--- /dev/null
+++ b/test/kldap/schema/nis.ldif
@@ -0,0 +1,120 @@
+# NIS (RFC2307)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Definitions from RFC2307 (Experimental)
+#	An Approach for Using LDAP as a Network Information Service
+#
+# Depends upon core.ldif and cosine.ldif
+#
+# This file was automatically generated from nis.schema; see that file
+# for complete references.
+#
+dn: cn=nis,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: nis
+olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; th
+ e common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc
+ h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolut
+ e path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
+ 466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to th
+ e login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
+ 6 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY integ
+ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' EQUALITY integerM
+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY integer
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerM
+ atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactI
+ A5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY ca
+ seExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11
+ 5.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgr
+ oup triple' SYNTAX 1.3.6.1.1.1.0.0 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY intege
+ rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' EQUALITY int
+ egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' EQUALITY integer
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address
+ ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP netw
+ ork' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SI
+ NGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP netm
+ ask' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SI
+ NGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address'
+  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'rpc.bootp
+ aramd parameter' SYNTAX 1.3.6.1.1.1.0.1 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image nam
+ e' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' SUP name )
+olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' EQUALITY caseExac
+ tIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.26{1024} SINGLE-VALUE )
+olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction o
+ f an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNu
+ mber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ 
+ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional a
+ ttributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword
+  $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive 
+ $ shadowExpire $ shadowFlag $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of 
+ a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPas
+ sword $ memberUid $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an I
+ nternet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipSe
+ rviceProtocol ) MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of 
+ an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description
+  ) MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an O
+ NC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) M
+ AY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a ho
+ st, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ desc
+ ription $ manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of a
+ n IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmas
+ kNumber $ l $ description $ manager ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of
+  a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNe
+ tgroup $ description ) )
+olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstracti
+ on of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
+olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a 
+ NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY descri
+ ption )
+olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device w
+ ith a MAC address' SUP top AUXILIARY MAY macAddress )
+olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device 
+ with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) )
diff --git a/test/kldap/schema/openldap.ldif b/test/kldap/schema/openldap.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..5f0c76a0b889e01de2f8367c2a0c7210095e32d2
--- /dev/null
+++ b/test/kldap/schema/openldap.ldif
@@ -0,0 +1,88 @@
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+#
+# OpenLDAP Project's directory schema items
+#
+# depends upon:
+#	core.schema
+#	cosine.schema
+#	inetorgperson.schema
+#
+# These are provided for informational purposes only.
+#
+# This openldap.ldif file is provided as a demonstration of how to
+# convert a *.schema file into *.ldif format. The key points:
+#   In LDIF, a blank line terminates an entry. Blank lines in a *.schema
+#     file should be replaced with a single '#' to turn them into
+#     comments, or they should just be removed.
+#   In addition to the actual schema directives, the file needs a small
+#     header to make it a valid LDAP entry. This header must provide the
+#     dn of the entry, the objectClass, and the cn, as shown here:
+#
+dn: cn=openldap,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: openldap
+#
+# The schema directives need to be changed to LDAP Attributes.
+#   First a basic string substitution can be done on each of the keywords:
+#     objectIdentifier -> olcObjectIdentifier:
+#     objectClass -> olcObjectClasses:
+#     attributeType -> olcAttributeTypes:
+#   Then leading whitespace must be fixed. The slapd.conf format allows
+#     tabs or spaces to denote line continuation, while LDIF only allows
+#     the space character.
+#   Also slapd.conf preserves the continuation character, while LDIF strips
+#     it out. So a single TAB/SPACE in slapd.conf must be replaced with
+#     two SPACEs in LDIF, otherwise the continued text may get joined as
+#     a single word.
+#   The directives must be listed in a proper sequence:
+#     All olcObjectIdentifiers must be first, so they may be referenced by
+#        any following definitions.
+#     All olcAttributeTypes must be next, so they may be referenced by any
+#        following objectClass definitions.
+#     All olcObjectClasses must be after the olcAttributeTypes.
+#   And of course, any superior must occur before anything that inherits
+#     from it.
+#
+olcObjectIdentifier: OpenLDAProot 1.3.6.1.4.1.4203
+#
+olcObjectIdentifier: OpenLDAP OpenLDAProot:1
+olcObjectIdentifier: OpenLDAPattributeType OpenLDAP:3
+olcObjectIdentifier: OpenLDAPobjectClass OpenLDAP:4
+#
+olcObjectClasses: ( OpenLDAPobjectClass:3
+  NAME 'OpenLDAPorg'
+  DESC 'OpenLDAP Organizational Object'
+  SUP organization
+  MAY ( buildingName $ displayName $ labeledURI ) )
+#
+olcObjectClasses: ( OpenLDAPobjectClass:4
+  NAME 'OpenLDAPou'
+  DESC 'OpenLDAP Organizational Unit Object'
+  SUP organizationalUnit
+  MAY ( buildingName $ displayName $ labeledURI $ o ) )
+#
+olcObjectClasses: ( OpenLDAPobjectClass:5
+  NAME 'OpenLDAPperson'
+  DESC 'OpenLDAP Person'
+  SUP ( pilotPerson $ inetOrgPerson )
+  MUST ( uid $ cn )
+  MAY ( givenName $ labeledURI $ o ) )
+#
+olcObjectClasses: ( OpenLDAPobjectClass:6
+  NAME 'OpenLDAPdisplayableObject'
+  DESC 'OpenLDAP Displayable Object'
+  AUXILIARY
+  MAY displayName )
diff --git a/test/kldap/schema/pmi.ldif b/test/kldap/schema/pmi.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..eab4a12fa38592faa149f0f2da827ed7e55c97e5
--- /dev/null
+++ b/test/kldap/schema/pmi.ldif
@@ -0,0 +1,123 @@
+# OpenLDAP X.509 PMI schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (1997-2006).
+## All Rights Reserved.
+#
+# Includes LDAPv3 schema items from:
+# ITU X.509 (08/2005)
+#
+# This file was automatically generated from pmi.schema; see that file
+# for complete references.
+#
+dn: cn=pmi,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: pmi
+olcObjectIdentifier: {0}id-oc-pmiUser 2.5.6.24
+olcObjectIdentifier: {1}id-oc-pmiAA 2.5.6.25
+olcObjectIdentifier: {2}id-oc-pmiSOA 2.5.6.26
+olcObjectIdentifier: {3}id-oc-attCertCRLDistributionPts 2.5.6.27
+olcObjectIdentifier: {4}id-oc-privilegePolicy 2.5.6.32
+olcObjectIdentifier: {5}id-oc-pmiDelegationPath 2.5.6.33
+olcObjectIdentifier: {6}id-oc-protectedPrivilegePolicy 2.5.6.34
+olcObjectIdentifier: {7}id-at-attributeCertificate 2.5.4.58
+olcObjectIdentifier: {8}id-at-attributeCertificateRevocationList 2.5.4.59
+olcObjectIdentifier: {9}id-at-aACertificate 2.5.4.61
+olcObjectIdentifier: {10}id-at-attributeDescriptorCertificate 2.5.4.62
+olcObjectIdentifier: {11}id-at-attributeAuthorityRevocationList 2.5.4.63
+olcObjectIdentifier: {12}id-at-privPolicy 2.5.4.71
+olcObjectIdentifier: {13}id-at-role 2.5.4.72
+olcObjectIdentifier: {14}id-at-delegationPath 2.5.4.73
+olcObjectIdentifier: {15}id-at-protPrivPolicy 2.5.4.74
+olcObjectIdentifier: {16}id-at-xMLPrivilegeInfo 2.5.4.75
+olcObjectIdentifier: {17}id-at-xMLPprotPrivPolicy 2.5.4.76
+olcObjectIdentifier: {18}id-mr 2.5.13
+olcObjectIdentifier: {19}id-mr-attributeCertificateMatch id-mr:42
+olcObjectIdentifier: {20}id-mr-attributeCertificateExactMatch id-mr:45
+olcObjectIdentifier: {21}id-mr-holderIssuerMatch id-mr:46
+olcObjectIdentifier: {22}id-mr-authAttIdMatch id-mr:53
+olcObjectIdentifier: {23}id-mr-roleSpecCertIdMatch id-mr:54
+olcObjectIdentifier: {24}id-mr-basicAttConstraintsMatch id-mr:55
+olcObjectIdentifier: {25}id-mr-delegatedNameConstraintsMatch id-mr:56
+olcObjectIdentifier: {26}id-mr-timeSpecMatch id-mr:57
+olcObjectIdentifier: {27}id-mr-attDescriptorMatch id-mr:58
+olcObjectIdentifier: {28}id-mr-acceptableCertPoliciesMatch id-mr:59
+olcObjectIdentifier: {29}id-mr-delegationPathMatch id-mr:61
+olcObjectIdentifier: {30}id-mr-sOAIdentifierMatch id-mr:66
+olcObjectIdentifier: {31}id-mr-indirectIssuerMatch id-mr:67
+olcObjectIdentifier: {32}AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
+olcObjectIdentifier: {33}CertificateList 1.3.6.1.4.1.1466.115.121.1.9
+olcObjectIdentifier: {34}AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
+olcObjectIdentifier: {35}PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
+olcObjectIdentifier: {36}RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
+olcLdapSyntaxes: {0}( 1.3.6.1.4.1.4203.666.11.10.2.4 DESC 'X.509 PMI attribute
+  cartificate path: SEQUENCE OF AttributeCertificate' X-SUBST '1.3.6.1.4.1.146
+ 6.115.121.1.15' )
+olcLdapSyntaxes: {1}( 1.3.6.1.4.1.4203.666.11.10.2.5 DESC 'X.509 PMI policy sy
+ ntax' X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
+olcLdapSyntaxes: {2}( 1.3.6.1.4.1.4203.666.11.10.2.6 DESC 'X.509 PMI role synt
+ ax' X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
+olcAttributeTypes: {0}( id-at-role NAME 'role' DESC 'X.509 Role attribute, use
+  ;binary' SYNTAX RoleSyntax )
+olcAttributeTypes: {1}( id-at-xMLPrivilegeInfo NAME 'xmlPrivilegeInfo' DESC 'X
+ .509 XML privilege information attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+ 5 )
+olcAttributeTypes: {2}( id-at-attributeCertificate NAME 'attributeCertificateA
+ ttribute' DESC 'X.509 Attribute certificate attribute, use ;binary' EQUALITY 
+ attributeCertificateExactMatch SYNTAX AttributeCertificate )
+olcAttributeTypes: {3}( id-at-aACertificate NAME 'aACertificate' DESC 'X.509 A
+ A certificate attribute, use ;binary' EQUALITY attributeCertificateExactMatch
+  SYNTAX AttributeCertificate )
+olcAttributeTypes: {4}( id-at-attributeDescriptorCertificate NAME 'attributeDe
+ scriptorCertificate' DESC 'X.509 Attribute descriptor certificate attribute, 
+ use ;binary' EQUALITY attributeCertificateExactMatch SYNTAX AttributeCertific
+ ate )
+olcAttributeTypes: {5}( id-at-attributeCertificateRevocationList NAME 'attribu
+ teCertificateRevocationList' DESC 'X.509 Attribute certificate revocation lis
+ t attribute, use ;binary' SYNTAX CertificateList X-EQUALITY 'certificateListE
+ xactMatch, not implemented yet' )
+olcAttributeTypes: {6}( id-at-attributeAuthorityRevocationList NAME 'attribute
+ AuthorityRevocationList' DESC 'X.509 AA certificate revocation list attribute
+ , use ;binary' SYNTAX CertificateList X-EQUALITY 'certificateListExactMatch, 
+ not implemented yet' )
+olcAttributeTypes: {7}( id-at-delegationPath NAME 'delegationPath' DESC 'X.509
+  Delegation path attribute, use ;binary' SYNTAX AttCertPath )
+olcAttributeTypes: {8}( id-at-privPolicy NAME 'privPolicy' DESC 'X.509 Privile
+ ge policy attribute, use ;binary' SYNTAX PolicySyntax )
+olcAttributeTypes: {9}( id-at-protPrivPolicy NAME 'protPrivPolicy' DESC 'X.509
+  Protected privilege policy attribute, use ;binary' EQUALITY attributeCertifi
+ cateExactMatch SYNTAX AttributeCertificate )
+olcAttributeTypes: {10}( id-at-xMLPprotPrivPolicy NAME 'xmlPrivPolicy' DESC 'X
+ .509 XML Protected privilege policy attribute' SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.15 )
+olcObjectClasses: {0}( id-oc-pmiUser NAME 'pmiUser' DESC 'X.509 PMI user objec
+ t class' SUP top AUXILIARY MAY attributeCertificateAttribute )
+olcObjectClasses: {1}( id-oc-pmiAA NAME 'pmiAA' DESC 'X.509 PMI AA object clas
+ s' SUP top AUXILIARY MAY ( aACertificate $ attributeCertificateRevocationList
+  $ attributeAuthorityRevocationList ) )
+olcObjectClasses: {2}( id-oc-pmiSOA NAME 'pmiSOA' DESC 'X.509 PMI SOA object c
+ lass' SUP top AUXILIARY MAY ( attributeCertificateRevocationList $ attributeA
+ uthorityRevocationList $ attributeDescriptorCertificate ) )
+olcObjectClasses: {3}( id-oc-attCertCRLDistributionPts NAME 'attCertCRLDistrib
+ utionPt' DESC 'X.509 Attribute certificate CRL distribution point object clas
+ s' SUP top AUXILIARY MAY ( attributeCertificateRevocationList $ attributeAuth
+ orityRevocationList ) )
+olcObjectClasses: {4}( id-oc-pmiDelegationPath NAME 'pmiDelegationPath' DESC '
+ X.509 PMI delegation path' SUP top AUXILIARY MAY delegationPath )
+olcObjectClasses: {5}( id-oc-privilegePolicy NAME 'privilegePolicy' DESC 'X.50
+ 9 Privilege policy object class' SUP top AUXILIARY MAY privPolicy )
+olcObjectClasses: {6}( id-oc-protectedPrivilegePolicy NAME 'protectedPrivilege
+ Policy' DESC 'X.509 Protected privilege policy object class' SUP top AUXILIAR
+ Y MAY protPrivPolicy )
diff --git a/test/kldap/schema/ppolicy.ldif b/test/kldap/schema/ppolicy.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..9aefd66eaa78a7b093f1d8df24dd27ccd4bbacca
--- /dev/null
+++ b/test/kldap/schema/ppolicy.ldif
@@ -0,0 +1,75 @@
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 2004-2012 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+## Portions Copyright (C) The Internet Society (2004).
+## Please see full copyright statement below.
+#
+# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
+#	Password Policy for LDAP Directories
+# With extensions from Hewlett-Packard:
+#	pwdCheckModule etc.
+#
+# Contents of this file are subject to change (including deletion)
+# without notice.
+#
+# Not recommended for production use!
+# Use with extreme caution!
+#
+# This file was automatically generated from ppolicy.schema; see that file
+# for complete references.
+#
+dn: cn=ppolicy,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: ppolicy
+olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
+  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
+ tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
+ tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
+  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
+ ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
+  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
+ UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
+ ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
+ QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
+ ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
+ val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE 
+ )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
+ ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' 
+ EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
+ ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
+ oadable module that instantiates "check_password() function' EQUALITY caseExa
+ ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
+  AUXILIARY MAY pwdCheckModule )
+olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
+ LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
+ Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
+  pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
+  $ pwdAllowUserChange $ pwdSafeModify ) )
diff --git a/test/kldap/schema/samba.ldif b/test/kldap/schema/samba.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..e8fe2029ea2339f61c9f610cb86d4bd18d47b69f
--- /dev/null
+++ b/test/kldap/schema/samba.ldif
@@ -0,0 +1,187 @@
+# samba, schema, config
+dn: cn=samba,cn=schema,cn=config
+changetype: add
+objectClass: olcSchemaConfig
+cn: samba
+olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
+ anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.26{32} SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
+ D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.26{32} SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
+ count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ {16} SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
+ imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC 
+ 'Timestamp of when the user is allowed to update the password' EQUALITY integ
+ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
+  'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
+ mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
+ imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.27 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
+ Timestamp of when the user will be logged off automatically' EQUALITY integer
+ Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
+ ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
+ ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
+ 6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
+ Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ {42} SINGLE-VALUE )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
+ river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 
+ 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+ 1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC 
+ 'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' 
+ DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
+ eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
+ me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.15{128} )
+olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
+ Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 
+ 1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
+ Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
+ ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
+  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
+ y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
+ ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.26{64} SINGLE-VALUE )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
+ urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26{64} )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
+ T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
+ LE-VALUE )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 
+ 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
+  'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
+ t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
+ 466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
+ ' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
+ hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
+ LE-VALUE )
+olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
+ Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
+ A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
+ INGLE-VALUE )
+olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
+ C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .27 SINGLE-VALUE )
+olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
+  'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.26 SINGLE-VALUE )
+olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' 
+ DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.15 )
+olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
+ Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
+ .121.1.26 )
+olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
+  'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
+ 4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' 
+ DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
+ rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
+ C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
+ ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
+ aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
+ LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
+ inimum password age, in seconds (default: 0 => allow immediate password chang
+ e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
+ ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
+ erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
+ Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
+ egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' 
+ DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
+ tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC 
+ 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
+  integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
+ ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
+ gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
+  DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
+ tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
+ assword' DESC 'Previous clear text password (used for trusted domain password
+ s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
+ ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( 
+ cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
+ ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ 
+ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
+ ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
+ oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
+ PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
+ amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
+ pType ) MAY ( displayName $ description $ sambaSIDList ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 
+ 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
+ sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
+olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
+ d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
+ Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
+ sClearTextPassword )
+olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
+ omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
+  ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
+ ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
+ axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
+ dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange 
+ ) )
+olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
+ l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
+ er ) )
+olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
+ ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
+ idNumber ) )
+olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
+ tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
+olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba 
+ Configuration Section' SUP top AUXILIARY MAY description )
+olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
+ hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
+olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 
+ 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
+ mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
+ n $ description ) )
diff --git a/test/kldap/schemas.bash b/test/kldap/schemas.bash
new file mode 100644
index 0000000000000000000000000000000000000000..0b677caf4d5cefb586469c55dad82ae356beb4ed
--- /dev/null
+++ b/test/kldap/schemas.bash
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "loading schema files..."
+
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/core.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/cosine.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/inetorgperson.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/nis.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/eduorg.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/eduperson.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/kerberos.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/misc.ldif
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./schema/samba.ldif
+
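Review bot: Nothing in this script stops the run when a schema fails to load: `-c` tells ldapmodify to carry on past errors, and none of the nine exit statuses is checked, so a broken `kerberos.ldif` would only surface later as an obscure failure in the realm setup. Unless `-c` is needed to tolerate entries that are already present, a checked loop such as `for s in core cosine inetorgperson nis eduorg eduperson kerberos misc samba; do ldapmodify -Q -H ldapi:/// -Y EXTERNAL -a -f "./schema/$s.ldif" || exit 1; done` makes the failure visible and removes the repetition. The `./schema/` paths also depend on the caller's working directory, which a comment at the top should state. The two setup.bash scripts in this commit have the same gap: no shebang and no exit-status checks around their destructive steps.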
diff --git a/test/kldap/setup.bash b/test/kldap/setup.bash
new file mode 100644
index 0000000000000000000000000000000000000000..3a73e835b9e17ba7978eab675708e6b83ca232b0
--- /dev/null
+++ b/test/kldap/setup.bash
@@ -0,0 +1,96 @@
+
+
+function mkpasswd {
+    python -c "import string, random; print ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in xrange(32))"
+}
+
+# generate passwords 
+MASTER_PASSWORD=`mkpasswd`
+CONFIG_ROOT=`mkpasswd`
+MDB_ROOT=`mkpasswd`
+
+KRB5KDC_PASSWORD=`mkpasswd`
+KADMIND_PASSWORD=`mkpasswd`
+
+kdb5_ldap_util destroy -f
+
+# load an updated krb5.conf with correct permissions
+chown --reference=/etc/krb5.conf ./krb5.conf 
+chmod --reference=/etc/krb5.conf ./krb5.conf 
+cp ./krb5.conf /etc/krb5.conf
+restorecon /etc/krb5.conf
+
+chown --reference=/etc/openldap/ldap.conf ./ldap.conf 
+chmod --reference=/etc/openldap/ldap.conf ./ldap.conf 
+cp ./ldap.conf /etc/openldap/ldap.conf
+restorecon /etc/openldap/ldap.conf
+
+# setup database directory
+mkdir -p /srv/ldap/example.com/
+
+# make sure selinux is alright with our directory serving ldap data
+semanage fcontext -ae /var/lib/ldap /srv/ldap/example.com
+restorecon -Rv /srv/ldap
+
+# halt any existing slapd server
+service slapd stop
+killall slapd
+
+# purge old configurations and data
+rm -rf /etc/openldap/slapd.d/*
+rm -rf /srv/ldap/example.com/*
+
+# load cn=config database
+slapadd -n0 -F /etc/openldap/slapd.d/ -l ./cn_config.ldif
+
+cat ./olcDatabase_0.ldif | sed -e "s#CONFIG_ROOT#$CONFIG_ROOT#g" > /tmp/olcDatabase_0.ldif
+
+slapadd -n0 -F /etc/openldap/slapd.d/ -l /tmp/olcDatabase_0.ldif
+
+# restore permissions before starting server
+chown -R ldap:ldap /etc/openldap
+chown -R ldap:ldap /srv/ldap/example.com
+
+# start server
+service slapd start
+
+# add modules
+ldapmodify -D "cn=config" -H ldapi:/// -x -w "$CONFIG_ROOT" -a -f ./cn_module.ldif
+
+# add schemas (kerberos.ldif is added here)
+bash ./schemas.bash
+
+# configure a database (mdb) for use to store data
+cat ./olcDatabase_mdb.ldif | sed -e "s#MDB_ROOT#$MDB_ROOT#g" > /tmp/olcDatabase_mdb.ldif
+
+ldapmodify -D "cn=config" -H ldapi:/// -x -w "$CONFIG_ROOT" -a -f /tmp/olcDatabase_mdb.ldif
+
+# create our dit including the accounts for kerberos and test accounts for db_args 
+ldapmodify -Q -H ldapi:/// -Y EXTERNAL -ac -f ./dit.ldif
+
+# set the password so it hashes properly
+ldappasswd -Q -s $KADMIND_PASSWORD uid=kadmin,ou=accounts,dc=example,dc=com
+ldappasswd -Q -s $KRB5KDC_PASSWORD uid=krb5kdc,ou=accounts,dc=example,dc=com
+
+# init kerberos realm inside the ldap database
+cat ./kdb_create.expect | sed -e "s#MASTER_PASSWORD#$MASTER_PASSWORD#g" | sed -e "s#MDB_ROOT#$MDB_ROOT#g" > /tmp/kdb_create.expect
+expect /tmp/kdb_create.expect
+
+cat ./stash_kadmind.expect | sed -e "s#MDB_ROOT#$MDB_ROOT#g" | sed -e "s#KADMIND_PASSWORD#$KADMIND_PASSWORD#g" > /tmp/stash_kadmind.expect
+expect /tmp/stash_kadmind.expect
+
+cat ./stash_krb5kdc.expect | sed -e "s#MDB_ROOT#$MDB_ROOT#g" | sed -e "s#KRB5KDC_PASSWORD#$KRB5KDC_PASSWORD#g" > /tmp/stash_krb5kdc.expect
+expect /tmp/stash_krb5kdc.expect
+
+
+# create default accounts
+kadmin.local -q "ank -randkey kadmin/admin"
+kadmin.local -q "ank -randkey kadmin/changepw"
+
+# restart kadmin and krb5kdc 
+service kadmin restart
+service krb5kdc restart
+
+
+
+
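Review bot: The rendered templates that carry the generated passwords (`/tmp/olcDatabase_0.ldif`, `/tmp/olcDatabase_mdb.ldif`, `/tmp/kdb_create.expect`, `/tmp/stash_kadmind.expect`, `/tmp/stash_krb5kdc.expect`) are written to fixed names in /tmp with the default umask and never removed. On a host with other local users they can be read afterwards, and a predictable path can be pre-created before this script writes through it. Rendering them into a `mktemp -d` directory that a `trap` removes on exit avoids both. `mkpasswd` also draws from Python's `random` module, which is not meant for secrets; `random.SystemRandom()` keeps the Python 2 syntax and uses the OS generator. test/stock/setup.bash has the same `mkpasswd` and the same `/tmp/kdb_create.expect` pattern.

```bash
function mkpasswd {
    python -c "import string, random; rng = random.SystemRandom(); print ''.join(rng.choice(string.ascii_lowercase + string.digits) for _ in xrange(32))"
}

# scratch directory created with mode 0700; removed when the script exits
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT

# … unchanged: password generation, config install, slapd reset, cn=config load …

sed -e "s#CONFIG_ROOT#$CONFIG_ROOT#g" ./olcDatabase_0.ldif > "$WORKDIR/olcDatabase_0.ldif"
slapadd -n0 -F /etc/openldap/slapd.d/ -l "$WORKDIR/olcDatabase_0.ldif"

# … unchanged: ownership, slapd start, modules, schemas …

sed -e "s#MDB_ROOT#$MDB_ROOT#g" ./olcDatabase_mdb.ldif > "$WORKDIR/olcDatabase_mdb.ldif"
ldapmodify -D "cn=config" -H ldapi:/// -x -w "$CONFIG_ROOT" -a -f "$WORKDIR/olcDatabase_mdb.ldif"

# … the three expect templates are rendered into "$WORKDIR" the same way …
```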
diff --git a/test/kldap/stash_kadmind.expect b/test/kldap/stash_kadmind.expect
new file mode 100644
index 0000000000000000000000000000000000000000..9cc4ca033a979c29a667f5a255b2f7c68aa47617
--- /dev/null
+++ b/test/kldap/stash_kadmind.expect
@@ -0,0 +1,15 @@
+#!/usr/bin/expect
+
+set timeout -1
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// stashsrvpw -f /var/kerberos/krb5kdc/.ldap.EXAMPLE.COM uid=kadmin,ou=accounts,dc=example,dc=com"
+expect -exact "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// stashsrvpw -f /var/kerberos/krb5kdc/.ldap.EXAMPLE.COM uid=kadmin,ou=accounts,dc=example,dc=com"
+send -- "\r"
+expect "Password for \"uid=kadmin,ou=accounts,dc=example,dc=com\": "
+send -- "KADMIND_PASSWORD\r"
+expect "Re-enter password for \"uid=kadmin,ou=accounts,dc=example,dc=com\": "
+send -- "KADMIND_PASSWORD\r"
+expect "\r"
+send -- "exit\r"
+expect eof
\ No newline at end of file
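Review bot: The bind password is typed as `-w MDB_ROOT` into an interactive `$env(SHELL)`, so once substituted it sits in the process argument list, and possibly in shell history, even though the script already answers password prompts; the kdb5_ldap_util man page marks `-w` as not recommended. Spawning the tool directly, `spawn /usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -H ldapi:/// stashsrvpw ...`, and answering its bind-password prompt with one more `expect`/`send` pair removes both exposures. `set timeout -1` also means a prompt that never matches hangs the setup forever; a finite value such as `set timeout 30` with a timeout branch that exits non-zero would let setup.bash see the failure. test/kldap/stash_krb5kdc.expect has the same three issues, and test/stock/kdb_create.expect shares the shell spawn and the infinite timeout.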
diff --git a/test/kldap/stash_krb5kdc.expect b/test/kldap/stash_krb5kdc.expect
new file mode 100644
index 0000000000000000000000000000000000000000..b0005a27e73df524e4211b3ad4239771a64139ca
--- /dev/null
+++ b/test/kldap/stash_krb5kdc.expect
@@ -0,0 +1,15 @@
+#!/usr/bin/expect
+
+set timeout -1
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// stashsrvpw -f /var/kerberos/krb5kdc/.ldap.EXAMPLE.COM uid=krb5kdc,ou=accounts,dc=example,dc=com"
+expect -exact "/usr/sbin/kdb5_ldap_util -D cn=root,dc=example,dc=com -w MDB_ROOT -H ldapi:/// stashsrvpw -f /var/kerberos/krb5kdc/.ldap.EXAMPLE.COM uid=krb5kdc,ou=accounts,dc=example,dc=com"
+send -- "\r"
+expect "Password for \"uid=krb5kdc,ou=accounts,dc=example,dc=com\": "
+send -- "KRB5KDC_PASSWORD\r"
+expect "Re-enter password for \"uid=krb5kdc,ou=accounts,dc=example,dc=com\": "
+send -- "KRB5KDC_PASSWORD\r"
+expect "\r"
+send -- "exit\r"
+expect eof
\ No newline at end of file
diff --git a/test/stock/kdb_create.expect b/test/stock/kdb_create.expect
new file mode 100644
index 0000000000000000000000000000000000000000..8796b64274a711c36efb69709054f15c49bf24a1
--- /dev/null
+++ b/test/stock/kdb_create.expect
@@ -0,0 +1,15 @@
+#!/usr/bin/expect
+
+set timeout -1
+spawn $env(SHELL)
+match_max 100000
+send -- "/usr/sbin/kdb5_util create -s"
+expect -exact "/usr/sbin/kdb5_util create -s"
+send -- "\r"
+expect "Enter KDC database master key: "
+send -- "MASTER_PASSWORD\r"
+expect "Re-enter KDC database master key to verify: "
+send -- "MASTER_PASSWORD\r"
+expect "\r"
+send -- "exit\r"
+expect eof
\ No newline at end of file
diff --git a/test/stock/krb5.conf b/test/stock/krb5.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e4dbf4f0c62fe4f21641712512850491eabca6d6
--- /dev/null
+++ b/test/stock/krb5.conf
@@ -0,0 +1,22 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h 
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ EXAMPLE.COM = { 
+  kdc = kerberos.example.com
+  admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
diff --git a/test/stock/setup.bash b/test/stock/setup.bash
new file mode 100644
index 0000000000000000000000000000000000000000..422c667ea69bf061d324aa4d3328954ac7ec1598
--- /dev/null
+++ b/test/stock/setup.bash
@@ -0,0 +1,24 @@
+
+function mkpasswd {
+    python -c "import string, random; print ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in xrange(32))"
+}
+
+kdb5_util destroy -f
+
+# load an updated krb5.conf with correct permissions
+chown --reference=/etc/krb5.conf ./krb5.conf 
+chmod --reference=/etc/krb5.conf ./krb5.conf 
+cp ./krb5.conf /etc/krb5.conf
+restorecon /etc/krb5.conf
+
+MASTER_PASSWORD=`mkpasswd`
+
+cat ./kdb_create.expect | sed -e "s#MASTER_PASSWORD#$MASTER_PASSWORD#g" > /tmp/kdb_create.expect
+
+expect /tmp/kdb_create.expect
+
+kadmin.local -q "ank -randkey kadmin/admin"
+kadmin.local -q "ank -randkey kadmin/changepw"
+
+service kadmin restart
+service krb5kdc restart
\ No newline at end of file