Blame SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch

96373c
From c1ac23d7f5f6f14d75bd02cfd55818e2558f7cb9 Mon Sep 17 00:00:00 2001
96373c
From: Mark Reynolds <mreynolds@redhat.com>
96373c
Date: Fri, 3 Nov 2017 09:30:01 -0400
96373c
Subject: [PATCH] Ticket 48393 - Improve replication config validation
96373c
96373c
Bug Description:  There was inconsistent behavior when modifying and adding replication
96373c
                  configurations and agreements.  There were also a few places where
96373c
                  unsigned ints were used for values which made checking for negative
96373c
                  values impossible.
96373c
96373c
Fix Description:  Added a new function to properly check "number" attribute values.
96373c
                  Also forced failure on the actual update if an invalid value was used
96373c
                  (previously we would log an error and use some default value).  Also
96373c
                  made all the int types consistent.
96373c
96373c
https://pagure.io/389-ds-base/issue/48393
96373c
96373c
Reviewed by: firstyear(Thanks!)
96373c
96373c
(cherry picked from commit f6b0e1841059460d6d0071cc771e3fbe834af393)
96373c
---
96373c
 .../suites/replication/replica_config_test.py      | 397 +++++++++++++++++++++
96373c
 ldap/schema/01core389.ldif                         |   3 +-
96373c
 ldap/servers/plugins/replication/repl5.h           |  54 +--
96373c
 ldap/servers/plugins/replication/repl5_agmt.c      | 173 +++++----
96373c
 ldap/servers/plugins/replication/repl5_replica.c   | 280 +++++++++------
96373c
 .../plugins/replication/repl5_replica_config.c     | 158 ++++----
96373c
 ldap/servers/plugins/replication/replutil.c        |  26 ++
96373c
 7 files changed, 792 insertions(+), 299 deletions(-)
96373c
 create mode 100644 dirsrvtests/tests/suites/replication/replica_config_test.py
96373c
96373c
diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py
96373c
new file mode 100644
96373c
index 000000000..50ea2ece9
96373c
--- /dev/null
96373c
+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py
96373c
@@ -0,0 +1,397 @@
96373c
+import logging
96373c
+import pytest
96373c
+import copy
96373c
+import os
96373c
+import ldap
96373c
+from lib389._constants import *
96373c
+from lib389 import Entry
96373c
+from lib389.topologies import topology_st as topo
96373c
+
96373c
+DEBUGGING = os.getenv("DEBUGGING", default=False)
96373c
+if DEBUGGING:
96373c
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
96373c
+else:
96373c
+    logging.getLogger(__name__).setLevel(logging.INFO)
96373c
+log = logging.getLogger(__name__)
96373c
+
96373c
+REPLICA_DN = 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
96373c
+AGMT_DN = 'cn=test_agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
96373c
+notnum = 'invalid'
96373c
+too_big = '9223372036854775807'
96373c
+overflow = '9999999999999999999999999999999999999999999999999999999999999999999'
96373c
+
96373c
+replica_dict = {'objectclass': 'top nsDS5Replica'.split(),
96373c
+                'nsDS5ReplicaRoot': 'dc=example,dc=com',
96373c
+                'nsDS5ReplicaType': '3',
96373c
+                'nsDS5Flags': '1',
96373c
+                'nsDS5ReplicaId': '65535',
96373c
+                'nsds5ReplicaPurgeDelay': '604800',
96373c
+                'nsDS5ReplicaBindDN': 'cn=u',
96373c
+                'cn': 'replica'}
96373c
+
96373c
+agmt_dict = {'objectClass': 'top nsDS5ReplicationAgreement'.split(),
96373c
+             'cn': 'test_agreement',
96373c
+             'nsDS5ReplicaRoot': 'dc=example,dc=com',
96373c
+             'nsDS5ReplicaHost': 'localhost.localdomain',
96373c
+             'nsDS5ReplicaPort': '5555',
96373c
+             'nsDS5ReplicaBindDN': 'uid=tester',
96373c
+             'nsds5ReplicaCredentials': 'password',
96373c
+             'nsDS5ReplicaTransportInfo': 'LDAP',
96373c
+             'nsDS5ReplicaBindMethod': 'SIMPLE'}
96373c
+
96373c
+
96373c
+repl_add_attrs = [('nsDS5ReplicaType', '-1', '4', overflow, notnum, '1'),
96373c
+                  ('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
96373c
+                  ('nsDS5ReplicaId', '0', '65536', overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
96373c
+                  ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
96373c
+
96373c
+repl_mod_attrs = [('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'),
96373c
+                  ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
96373c
+                  ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
96373c
+
96373c
+agmt_attrs = [('nsds5ReplicaPort', '0', '65536', overflow, notnum, '389'),
96373c
+              ('nsds5ReplicaTimeout', '-1', too_big, overflow, notnum, '6'),
96373c
+              ('nsds5ReplicaBusyWaitTime', '-1', too_big, overflow, notnum, '6'),
96373c
+              ('nsds5ReplicaSessionPauseTime', '-1', too_big, overflow, notnum, '6'),
96373c
+              ('nsds5ReplicaFlowControlWindow', '-1', too_big, overflow, notnum, '6'),
96373c
+              ('nsds5ReplicaFlowControlPause', '-1', too_big, overflow, notnum, '6'),
96373c
+              ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '6')]
96373c
+
96373c
+
96373c
+def replica_setup(topo):
96373c
+    """Add a valid replica config entry to modify
96373c
+    """
96373c
+    try:
96373c
+        topo.standalone.delete_s(REPLICA_DN)
96373c
+    except:
96373c
+        pass
96373c
+
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, replica_dict)))
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal("Failed to add replica entry: " + str(e))
96373c
+        assert False
96373c
+
96373c
+
96373c
+def replica_reset(topo):
96373c
+    try:
96373c
+        topo.standalone.delete_s(REPLICA_DN)
96373c
+    except:
96373c
+        pass
96373c
+
96373c
+
96373c
+def agmt_setup(topo):
96373c
+    """Add a valid replica config entry to modify
96373c
+    """
96373c
+    try:
96373c
+        topo.standalone.delete_s(AGMT_DN)
96373c
+    except:
96373c
+        pass
96373c
+
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, agmt_dict)))
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal("Failed to add agreement entry: " + str(e))
96373c
+        assert False
96373c
+
96373c
+
96373c
+def agmt_reset(topo):
96373c
+    try:
96373c
+        topo.standalone.delete_s(AGMT_DN)
96373c
+    except:
96373c
+        pass
96373c
+
96373c
+
96373c
+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_add_attrs)
96373c
+def test_replica_num_add(topo, attr, too_small, too_big, overflow, notnum, valid):
96373c
+    """Test all the number values you can set for a replica config entry
96373c
+
96373c
+    :id: a8b47d4a-a089-4d70-8070-e6181209bf92
96373c
+    :setup: standalone instance
96373c
+    :steps:
96373c
+        1. Use a value that is too small
96373c
+        2. Use a value that is too big
96373c
+        3. Use a value that overflows the int
96373c
+        4. Use a value with character value (not a number)
96373c
+        5. Use a valid value
96373c
+    :expectedresults:
96373c
+        1. Add is rejected
96373c
+        2. Add is rejected
96373c
+        3. Add is rejected
96373c
+        4. Add is rejected
96373c
+        5. Add is allowed
96373c
+    """
96373c
+
96373c
+    replica_reset(topo)
96373c
+
96373c
+    # Test too small
96373c
+    my_replica = copy.deepcopy(replica_dict)
96373c
+    my_replica[attr] = too_small
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
96373c
+        log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_small))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add replica entry with {}:{}  error: {}".format(attr, too_small, str(e)))
96373c
+
96373c
+    # Test too big
96373c
+    my_replica = copy.deepcopy(replica_dict)
96373c
+    my_replica[attr] = too_big
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
96373c
+        log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_big))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add replica entry with {}:{}  error: {}".format(attr, too_big, str(e)))
96373c
+
96373c
+    # Test overflow
96373c
+    my_replica = copy.deepcopy(replica_dict)
96373c
+    my_replica[attr] = overflow
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
96373c
+        log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, overflow))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add replica entry with {}:{}  error: {}".format(attr, overflow, str(e)))
96373c
+
96373c
+    # test not a number
96373c
+    my_replica = copy.deepcopy(replica_dict)
96373c
+    my_replica[attr] = notnum
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
96373c
+        log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, notnum))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add replica entry with {}:{}  error: {}".format(attr, notnum, str(e)))
96373c
+
96373c
+    # Test valid value
96373c
+    my_replica = copy.deepcopy(replica_dict)
96373c
+    my_replica[attr] = valid
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
96373c
+        log.info("Correctly allowed to add replica entry with {}: {}".format(attr, valid))
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal("Incorrectly failed to add replica entry with {}: {}  error: {}".format(attr, valid, str(e)))
96373c
+        assert False
96373c
+
96373c
+
96373c
+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_mod_attrs)
96373c
+def test_replica_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid):
96373c
+    """Test all the number values you can set for a replica config entry
96373c
+
96373c
+    :id: a8b47d4a-a089-4d70-8070-e6181209bf93
96373c
+    :setup: standalone instance
96373c
+    :steps:
96373c
+        1. Replace a value that is too small
96373c
+        2. Repalce a value that is too big
96373c
+        3. Replace a value that overflows the int
96373c
+        4. Replace a value with character value (not a number)
96373c
+        5. Replace a vlue with a valid value
96373c
+    :expectedresults:
96373c
+        1. Value is rejected
96373c
+        2. Value is rejected
96373c
+        3. Value is rejected
96373c
+        4. Value is rejected
96373c
+        5. Value is allowed
96373c
+    """
96373c
+
96373c
+    # Value too small
96373c
+    replica_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_small)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small))
96373c
+
96373c
+    # Value too big
96373c
+    replica_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_big)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big))
96373c
+
96373c
+    # Value overflow
96373c
+    replica_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, overflow)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow))
96373c
+
96373c
+    # Value not a number
96373c
+    replica_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, notnum)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum))
96373c
+
96373c
+    # Value is valid
96373c
+    replica_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, valid)])
96373c
+        log.info('Correctly added valid agreement attribute value: {}:{}'.format(attr, valid))
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal('Valid value for {}:{} was incorrectly rejected.  Error {}'.format(attr, valid, str(e)))
96373c
+        assert False
96373c
+
96373c
+
96373c
+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs)
96373c
+def test_agmt_num_add(topo, attr, too_small, too_big, overflow, notnum, valid):
96373c
+    """Test all the number values you can set for a replica config entry
96373c
+
96373c
+    :id: a8b47d4a-a089-4d70-8070-e6181209bf94
96373c
+    :setup: standalone instance
96373c
+    :steps:
96373c
+        1. Use a value that is too small
96373c
+        2. Use a value that is too big
96373c
+        3. Use a value that overflows the int
96373c
+        4. Use a value with character value (not a number)
96373c
+        5. Use a valid value
96373c
+    :expectedresults:
96373c
+        1. Add is rejected
96373c
+        2. Add is rejected
96373c
+        3. Add is rejected
96373c
+        4. Add is rejected
96373c
+        5. Add is allowed
96373c
+    """
96373c
+    agmt_reset(topo)
96373c
+
96373c
+    # Test too small
96373c
+    my_agmt = copy.deepcopy(agmt_dict)
96373c
+    my_agmt[attr] = too_small
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
96373c
+        log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_small))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add agreement entry with {}:{}  error: {}".format(attr, too_small, str(e)))
96373c
+
96373c
+    # Test too big
96373c
+    my_agmt = copy.deepcopy(agmt_dict)
96373c
+    my_agmt[attr] = too_big
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
96373c
+        log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_big))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add agreement entry with {}:{}  error: {}".format(attr, too_big, str(e)))
96373c
+
96373c
+    # Test overflow
96373c
+    my_agmt = copy.deepcopy(agmt_dict)
96373c
+    my_agmt[attr] = overflow
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
96373c
+        log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, overflow))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add agreement entry with {}:{}  error: {}".format(attr, overflow, str(e)))
96373c
+
96373c
+    # test not a number
96373c
+    my_agmt = copy.deepcopy(agmt_dict)
96373c
+    my_agmt[attr] = notnum
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
96373c
+        log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, notnum))
96373c
+        assert False
96373c
+    except ldap.LDAPError as e:
96373c
+        log.info("Correctly failed to add agreement entry with {}:{}  error: {}".format(attr, notnum, str(e)))
96373c
+
96373c
+    # Test valid value
96373c
+    my_agmt = copy.deepcopy(agmt_dict)
96373c
+    my_agmt[attr] = valid
96373c
+    try:
96373c
+        topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
96373c
+        log.info("Correctly allowed to add agreement entry with {}: {}".format(attr, valid))
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal("Incorrectly failed to add agreement entry with {}: {}  error: {}".format(attr, valid, str(e)))
96373c
+        assert False
96373c
+
96373c
+
96373c
+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs)
96373c
+def test_agmt_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid):
96373c
+    """Test all the number values you can set for a replica config entry
96373c
+
96373c
+    :id: a8b47d4a-a089-4d70-8070-e6181209bf95
96373c
+    :setup: standalone instance
96373c
+    :steps:
96373c
+        1. Replace a value that is too small
96373c
+        2. Replace a value that is too big
96373c
+        3. Replace a value that overflows the int
96373c
+        4. Replace a value with character value (not a number)
96373c
+        5. Replace a vlue with a valid value
96373c
+    :expectedresults:
96373c
+        1. Value is rejected
96373c
+        2. Value is rejected
96373c
+        3. Value is rejected
96373c
+        4. Value is rejected
96373c
+        5. Value is allowed
96373c
+    """
96373c
+
96373c
+    # Value too small
96373c
+    agmt_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_small)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small))
96373c
+
96373c
+    # Value too big
96373c
+    agmt_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_big)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big))
96373c
+
96373c
+    # Value overflow
96373c
+    agmt_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, overflow)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow))
96373c
+
96373c
+    # Value not a number
96373c
+    agmt_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, notnum)])
96373c
+        log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum))
96373c
+        assert False
96373c
+    except:
96373c
+        log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum))
96373c
+
96373c
+    # Value is valid
96373c
+    agmt_setup(topo)
96373c
+    try:
96373c
+        topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, valid)])
96373c
+    except ldap.LDAPError as e:
96373c
+        log.fatal('Valid value for {}:{} was incorrectly rejected.  Error {}'.format(attr, valid, str(e)))
96373c
+        assert False
96373c
+
96373c
+
96373c
+if __name__ == '__main__':
96373c
+    # Run isolated
96373c
+    # -s for DEBUG mode
96373c
+    CURRENT_FILE = os.path.realpath(__file__)
96373c
+    pytest.main("-s %s" % CURRENT_FILE)
96373c
+
96373c
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
96373c
index 246495214..ab124c86c 100644
96373c
--- a/ldap/schema/01core389.ldif
96373c
+++ b/ldap/schema/01core389.ldif
96373c
@@ -303,6 +303,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2331 NAME 'nsslapd-logging-hr-timestamps
96373c
 attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
96373c
 attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
96373c
 attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
96373c
+attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
96373c
 #
96373c
 # objectclasses
96373c
 #
96373c
@@ -312,7 +313,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.44 NAME 'nsIndex' DESC 'Netscape defined
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.109 NAME 'nsBackendInstance' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
96373c
-objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top  MUST ( nsDS5ReplicaRoot $  nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout ) X-ORIGIN 'Netscape Directory Server' )
96373c
+objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Replication configuration objectclass' SUP top  MUST ( nsDS5ReplicaRoot $  nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout $ nsDS5ReplicaBindDnGroupCheckInterval ) X-ORIGIN 'Netscape Directory Server' )
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' )
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange) X-ORIGIN 'Netscape Directory Server' )
96373c
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
96373c
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
96373c
index 3bd878d4d..c6e79b7e2 100644
96373c
--- a/ldap/servers/plugins/replication/repl5.h
96373c
+++ b/ldap/servers/plugins/replication/repl5.h
96373c
@@ -330,8 +330,8 @@ void replsupplier_configure(Repl_Supplier *rs, Slapi_PBlock *pb);
96373c
 void replsupplier_start(Repl_Supplier *rs);
96373c
 void replsupplier_stop(Repl_Supplier *rs);
96373c
 void replsupplier_destroy(Repl_Supplier **rs);
96373c
-void replsupplier_notify(Repl_Supplier *rs, PRUint32 eventmask);
96373c
-PRUint32 replsupplier_get_status(Repl_Supplier *rs);
96373c
+void replsupplier_notify(Repl_Supplier *rs, uint32_t eventmask);
96373c
+uint32_t replsupplier_get_status(Repl_Supplier *rs);
96373c
 
96373c
 /* In repl5_plugins.c */
96373c
 int multimaster_set_local_purl(void);
96373c
@@ -383,7 +383,7 @@ int agmt_stop(Repl_Agmt *ra);
96373c
 int agmt_replicate_now(Repl_Agmt *ra);
96373c
 char *agmt_get_hostname(const Repl_Agmt *ra);
96373c
 int agmt_get_port(const Repl_Agmt *ra);
96373c
-PRUint32 agmt_get_transport_flags(const Repl_Agmt *ra);
96373c
+uint32_t agmt_get_transport_flags(const Repl_Agmt *ra);
96373c
 char *agmt_get_binddn(const Repl_Agmt *ra);
96373c
 struct berval *agmt_get_credentials(const Repl_Agmt *ra);
96373c
 int agmt_get_bindmethod(const Repl_Agmt *ra);
96373c
@@ -448,8 +448,8 @@ int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e);
96373c
 int agmt_set_timeout(Repl_Agmt *ra, long timeout);
96373c
 int agmt_set_ignoremissing(Repl_Agmt *ra, long ignoremissing);
96373c
 void agmt_update_done(Repl_Agmt *ra, int is_total);
96373c
-PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt);
96373c
-void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout);
96373c
+uint64_t agmt_get_protocol_timeout(Repl_Agmt *agmt);
96373c
+void agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout);
96373c
 void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn);
96373c
 void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
96373c
 void agmt_remove_maxcsn(Repl_Agmt *ra);
96373c
@@ -532,8 +532,8 @@ void *consumer_connection_extension_constructor(void *object, void *parent);
96373c
 void consumer_connection_extension_destructor(void *ext, void *object, void *parent);
96373c
 
96373c
 /* extension helpers for managing exclusive access */
96373c
-consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, PRUint64 connid, int opid);
96373c
-int consumer_connection_extension_relinquish_exclusive_access(void *conn, PRUint64 connid, int opid, PRBool force);
96373c
+consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, uint64_t connid, int opid);
96373c
+int consumer_connection_extension_relinquish_exclusive_access(void *conn, uint64_t connid, int opid, PRBool force);
96373c
 
96373c
 /* mapping tree extension - stores replica object */
96373c
 typedef struct multimaster_mtnode_extension
96373c
@@ -666,8 +666,8 @@ Replica *replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_o
96373c
 void replica_destroy(void **arg);
96373c
 int replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid);
96373c
 int replica_subentry_check(Slapi_DN *repl_root, ReplicaId rid);
96373c
-PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl);
96373c
-void replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid);
96373c
+PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl);
96373c
+void replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid);
96373c
 PRBool replica_get_tombstone_reap_active(const Replica *r);
96373c
 const Slapi_DN *replica_get_root(const Replica *r);
96373c
 const char *replica_get_name(const Replica *r);
96373c
@@ -685,11 +685,13 @@ PRBool replica_is_updatedn(Replica *r, const Slapi_DN *sdn);
96373c
 void replica_set_updatedn(Replica *r, const Slapi_ValueSet *vs, int mod_op);
96373c
 void replica_set_groupdn(Replica *r, const Slapi_ValueSet *vs, int mod_op);
96373c
 char *replica_get_generation(const Replica *r);
96373c
+
96373c
 /* currently supported flags */
96373c
 #define REPLICA_LOG_CHANGES 0x1 /* enable change logging */
96373c
-PRBool replica_is_flag_set(const Replica *r, PRUint32 flag);
96373c
-void replica_set_flag(Replica *r, PRUint32 flag, PRBool clear);
96373c
-void replica_replace_flags(Replica *r, PRUint32 flags);
96373c
+
96373c
+PRBool replica_is_flag_set(const Replica *r, uint32_t flag);
96373c
+void replica_set_flag(Replica *r, uint32_t flag, PRBool clear);
96373c
+void replica_replace_flags(Replica *r, uint32_t flags);
96373c
 void replica_dump(Replica *r);
96373c
 void replica_set_enabled(Replica *r, PRBool enable);
96373c
 Object *replica_get_replica_from_dn(const Slapi_DN *dn);
96373c
@@ -720,7 +722,7 @@ int replica_delete_by_dn(const char *dn);
96373c
 int replica_is_being_configured(const char *dn);
96373c
 void consumer5_set_mapping_tree_state_for_replica(const Replica *r, RUV *supplierRuv);
96373c
 Object *replica_get_for_backend(const char *be_name);
96373c
-void replica_set_purge_delay(Replica *r, PRUint32 purge_delay);
96373c
+void replica_set_purge_delay(Replica *r, uint32_t purge_delay);
96373c
 void replica_set_tombstone_reap_interval(Replica *r, long interval);
96373c
 void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv);
96373c
 void replica_set_ruv_dirty(Replica *r);
96373c
@@ -730,20 +732,20 @@ char *replica_get_dn(Replica *r);
96373c
 void replica_check_for_tasks(Replica *r, Slapi_Entry *e);
96373c
 void replica_update_state(time_t when, void *arg);
96373c
 void replica_reset_csn_pl(Replica *r);
96373c
-PRUint64 replica_get_protocol_timeout(Replica *r);
96373c
-void replica_set_protocol_timeout(Replica *r, PRUint64 timeout);
96373c
-PRUint64 replica_get_release_timeout(Replica *r);
96373c
-void replica_set_release_timeout(Replica *r, PRUint64 timeout);
96373c
+uint64_t replica_get_protocol_timeout(Replica *r);
96373c
+void replica_set_protocol_timeout(Replica *r, uint64_t timeout);
96373c
+uint64_t replica_get_release_timeout(Replica *r);
96373c
+void replica_set_release_timeout(Replica *r, uint64_t timeout);
96373c
 void replica_set_groupdn_checkinterval(Replica *r, int timeout);
96373c
-PRUint64 replica_get_backoff_min(Replica *r);
96373c
-PRUint64 replica_get_backoff_max(Replica *r);
96373c
-void replica_set_backoff_min(Replica *r, PRUint64 min);
96373c
-void replica_set_backoff_max(Replica *r, PRUint64 max);
96373c
+uint64_t replica_get_backoff_min(Replica *r);
96373c
+uint64_t replica_get_backoff_max(Replica *r);
96373c
+void replica_set_backoff_min(Replica *r, uint64_t min);
96373c
+void replica_set_backoff_max(Replica *r, uint64_t max);
96373c
 int replica_get_agmt_count(Replica *r);
96373c
 void replica_incr_agmt_count(Replica *r);
96373c
 void replica_decr_agmt_count(Replica *r);
96373c
-PRUint64 replica_get_precise_purging(Replica *r);
96373c
-void replica_set_precise_purging(Replica *r, PRUint64 on_off);
96373c
+uint64_t replica_get_precise_purging(Replica *r);
96373c
+void replica_set_precise_purging(Replica *r, uint64_t on_off);
96373c
 PRBool ignore_error_and_keep_going(int error);
96373c
 void replica_check_release_timeout(Replica *r, Slapi_PBlock *pb);
96373c
 void replica_lock_replica(Replica *r);
96373c
@@ -764,8 +766,8 @@ void replica_unlock_replica(Replica *r);
96373c
                                               is active, RECV should back off. And vice versa.  But SEND can coexist. */
96373c
 #define REPLICA_TOTAL_EXCL_RECV         32 /* ditto */
96373c
 
96373c
-PRBool replica_is_state_flag_set(Replica *r, PRInt32 flag);
96373c
-void replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear);
96373c
+PRBool replica_is_state_flag_set(Replica *r, int32_t flag);
96373c
+void replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear);
96373c
 void replica_set_tombstone_reap_stop(Replica *r, PRBool val);
96373c
 void replica_enable_replication(Replica *r);
96373c
 void replica_disable_replication(Replica *r, Object *r_obj);
96373c
@@ -836,6 +838,8 @@ LDAPControl *create_managedsait_control(void);
96373c
 LDAPControl *create_backend_control(Slapi_DN *sdn);
96373c
 void repl_set_mtn_state_and_referrals(const Slapi_DN *sdn, const char *mtn_state, const RUV *ruv, char **ruv_referrals, char **other_referrals);
96373c
 void repl_set_repl_plugin_path(const char *path);
96373c
+int repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max,
96373c
+                          int *returncode, char *errortext, int64_t *retval);
96373c
 
96373c
 /* repl5_updatedn_list.c */
96373c
 typedef void *ReplicaUpdateDNList;
96373c
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
96373c
index e2ab320e4..78fb91ae6 100644
96373c
--- a/ldap/servers/plugins/replication/repl5_agmt.c
96373c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
96373c
@@ -65,31 +65,31 @@
96373c
 struct changecounter
96373c
 {
96373c
     ReplicaId rid;
96373c
-    PRUint32 num_replayed;
96373c
-    PRUint32 num_skipped;
96373c
+    uint32_t num_replayed;
96373c
+    uint32_t num_skipped;
96373c
 };
96373c
 
96373c
 typedef struct repl5agmt
96373c
 {
96373c
     char *hostname;                        /* remote hostname */
96373c
-    int port;                              /* port of remote server */
96373c
-    PRUint32 transport_flags;              /* SSL, TLS, etc. */
96373c
+    int64_t port;                          /* port of remote server */
96373c
+    uint32_t transport_flags;              /* SSL, TLS, etc. */
96373c
     char *binddn;                          /* DN to bind as */
96373c
     struct berval *creds;                  /* Password, or certificate */
96373c
-    int bindmethod;                        /* Bind method - simple, SSL */
96373c
+    int64_t bindmethod;                    /* Bind method - simple, SSL */
96373c
     Slapi_DN *replarea;                    /* DN of replicated area */
96373c
     char **frac_attrs;                     /* list of fractional attributes to be replicated */
96373c
     char **frac_attrs_total;               /* list of fractional attributes to be replicated for total update protocol */
96373c
     PRBool frac_attr_total_defined;        /* TRUE if frac_attrs_total is defined */
96373c
     Schedule *schedule;                    /* Scheduling information */
96373c
-    int auto_initialize;                   /* 1 = automatically re-initialize replica */
96373c
+    int64_t auto_initialize;               /* 1 = automatically re-initialize replica */
96373c
     const Slapi_DN *dn;                    /* DN of replication agreement entry */
96373c
     const Slapi_RDN *rdn;                  /* RDN of replication agreement entry */
96373c
     char *long_name;                       /* Long name (rdn + host, port) of entry, for logging */
96373c
     Repl_Protocol *protocol;               /* Protocol object - manages protocol */
96373c
     struct changecounter **changecounters; /* changes sent/skipped since server start up */
96373c
-    int num_changecounters;
96373c
-    int max_changecounters;
96373c
+    int64_t num_changecounters;
96373c
+    int64_t max_changecounters;
96373c
     time_t last_update_start_time;       /* Local start time of last update session */
96373c
     time_t last_update_end_time;         /* Local end time of last update session */
96373c
     char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code <space> textual description */
96373c
@@ -102,35 +102,35 @@ typedef struct repl5agmt
96373c
     Object *consumerRUV;     /* last RUV received from the consumer - used for changelog purging */
96373c
     CSN *consumerSchemaCSN;  /* last schema CSN received from the consumer */
96373c
     ReplicaId consumerRID;   /* indicates if the consumer is the originator of a CSN */
96373c
-    int tmpConsumerRID;      /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */
96373c
-    long timeout;            /* timeout (in seconds) for outbound LDAP connections to remote server */
96373c
+    int64_t tmpConsumerRID;  /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */
96373c
+    int64_t timeout;         /* timeout (in seconds) for outbound LDAP connections to remote server */
96373c
     PRBool stop_in_progress; /* set by agmt_stop when shutting down */
96373c
-    long busywaittime;       /* time in seconds to wait after getting a REPLICA BUSY from the consumer -
96373c
-                          to allow another supplier to finish sending its updates -
96373c
-                          if set to 0, this means to use the default value if we get a busy
96373c
-                          signal from the consumer */
96373c
-    long pausetime;          /* time in seconds to pause after sending updates -
96373c
-                       to allow another supplier to send its updates -
96373c
-                       should be greater than busywaittime -
96373c
-                       if set to 0, this means do not pause */
96373c
+    int64_t busywaittime;    /* time in seconds to wait after getting a REPLICA BUSY from the consumer -
96373c
+                              * to allow another supplier to finish sending its updates -
96373c
+                              * if set to 0, this means to use the default value if we get a busy
96373c
+                              * signal from the consumer
96373c
+                              */
96373c
+    int64_t pausetime;       /* time in seconds to pause after sending updates -
96373c
+                              * to allow another supplier to send its updates -
96373c
+                              * should be greater than busywaittime -
96373c
+                              * if set to 0, this means do not pause
96373c
+                              */
96373c
     void *priv;              /* private data, used for windows-specific agreement data
96373c
-                   for sync agreements or for replication session plug-in
96373c
-                   private data for normal replication agreements */
96373c
+                              * for sync agreements or for replication session plug-in
96373c
+                              * private data for normal replication agreements
96373c
+                              */
96373c
     char **attrs_to_strip;   /* for fractional replication, if a "mod" is empty, strip out these attributes:
96373c
-                            * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
96373c
-    int agreement_type;
96373c
+                              * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
96373c
+    int64_t agreement_type;
96373c
     Slapi_Counter *protocol_timeout;
96373c
-    char *maxcsn;             /* agmt max csn */
96373c
-    long flowControlWindow;   /* This is the maximum number of entries
96373c
-                             * sent without acknowledgment
96373c
-                             */
96373c
-    long flowControlPause;    /* When nb of not acknowledged entries overpass totalUpdateWindow
96373c
-                            * This is the duration (in msec) that the RA will pause before sending the next entry
96373c
-                            */
96373c
-    long ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */
96373c
-    Slapi_RWLock *attr_lock;  /* RW lock for all the stripped attrs */
96373c
-    int WaitForAsyncResults;  /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
96373c
-                              * in repl5_inc_waitfor_async_results */
96373c
+    char *maxcsn;                /* agmt max csn */
96373c
+    int64_t flowControlWindow;   /* This is the maximum number of entries sent without acknowledgment */
96373c
+    int64_t flowControlPause;    /* When nb of not acknowledged entries overpass totalUpdateWindow
96373c
+                                  * This is the duration (in msec) that the RA will pause before sending the next entry */
96373c
+    int64_t ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */
96373c
+    Slapi_RWLock *attr_lock;     /* RW lock for all the stripped attrs */
96373c
+    int64_t WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
96373c
+                                  * in repl5_inc_waitfor_async_results */
96373c
 } repl5agmt;
96373c
 
96373c
 /* Forward declarations */
96373c
@@ -182,7 +182,7 @@ agmt_is_valid(Repl_Agmt *ra)
96373c
     }
96373c
     if (ra->port <= 0) {
96373c
         slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" "
96373c
-                                                       "is malformed: invalid port number %d.\n",
96373c
+                                                       "is malformed: invalid port number %ld.\n",
96373c
                       slapi_sdn_get_dn(ra->dn), ra->port);
96373c
         return_value = 0;
96373c
     }
96373c
@@ -241,10 +241,14 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
 {
96373c
     Repl_Agmt *ra;
96373c
     Slapi_Attr *sattr;
96373c
+    char errormsg[SLAPI_DSE_RETURNTEXT_SIZE];
96373c
     char *tmpstr;
96373c
     char **denied_attrs = NULL;
96373c
     char *auto_initialize = NULL;
96373c
     char *val_nsds5BeginReplicaRefresh = "start";
96373c
+    char *val = NULL;
96373c
+    int64_t ptimeout = 0;
96373c
+    int rc = 0;
96373c
 
96373c
     ra = (Repl_Agmt *)slapi_ch_calloc(1, sizeof(repl5agmt));
96373c
     if ((ra->lock = PR_NewLock()) == NULL) {
96373c
@@ -283,8 +287,17 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
 
96373c
     /* Host name of remote replica */
96373c
     ra->hostname = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaHost);
96373c
+
96373c
     /* Port number for remote replica instance */
96373c
-    ra->port = slapi_entry_attr_get_int(e, type_nsds5ReplicaPort);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaPort))){
96373c
+        int64_t port;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaPort, val, 1, 65535, &rc, errormsg, &port) != 0) {
96373c
+            goto loser;
96373c
+        }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->port = port;
96373c
+    }
96373c
+
96373c
     /* SSL, TLS, or other transport stuff */
96373c
     ra->transport_flags = 0;
96373c
     (void)agmt_set_transportinfo_no_lock(ra, e);
96373c
@@ -313,29 +326,35 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
 
96373c
     /* timeout. */
96373c
     ra->timeout = DEFAULT_TIMEOUT;
96373c
-    if (slapi_entry_attr_find(e, type_nsds5ReplicaTimeout, &sattr) == 0) {
96373c
-        Slapi_Value *sval;
96373c
-        if (slapi_attr_first_value(sattr, &sval) == 0) {
96373c
-            ra->timeout = slapi_value_get_long(sval);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaTimeout))){
96373c
+        int64_t timeout;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &timeout) != 0) {
96373c
+            goto loser;
96373c
         }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->timeout = timeout;
96373c
     }
96373c
 
96373c
     /* flow control update window. */
96373c
     ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW;
96373c
-    if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlWindow, &sattr) == 0) {
96373c
-        Slapi_Value *sval;
96373c
-        if (slapi_attr_first_value(sattr, &sval) == 0) {
96373c
-            ra->flowControlWindow = slapi_value_get_long(sval);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){
96373c
+        int64_t flow;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
96373c
+            goto loser;
96373c
         }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->flowControlWindow = flow;
96373c
     }
96373c
 
96373c
     /* flow control update pause. */
96373c
     ra->flowControlPause = DEFAULT_FLOWCONTROL_PAUSE;
96373c
-    if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlPause, &sattr) == 0) {
96373c
-        Slapi_Value *sval;
96373c
-        if (slapi_attr_first_value(sattr, &sval) == 0) {
96373c
-            ra->flowControlPause = slapi_value_get_long(sval);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlPause))){
96373c
+        int64_t pause;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaFlowControlPause, val, 0, INT_MAX, &rc, errormsg, &pause) != 0) {
96373c
+            goto loser;
96373c
         }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->flowControlPause = pause;
96373c
     }
96373c
 
96373c
     /* continue on missing change ? */
96373c
@@ -357,7 +376,6 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
     if (NULL != tmpstr) {
96373c
         Object *repl_obj;
96373c
         Replica *replica;
96373c
-        PRUint64 ptimeout = 0;
96373c
 
96373c
         ra->replarea = slapi_sdn_new_dn_passin(tmpstr);
96373c
 
96373c
@@ -367,14 +385,18 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
                 replica_incr_agmt_count(replica);
96373c
             }
96373c
         }
96373c
+    }
96373c
 
96373c
-        /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
96373c
-        ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
96373c
-        if (ptimeout) {
96373c
-            slapi_counter_set_value(ra->protocol_timeout, ptimeout);
96373c
+    /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))){
96373c
+        if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) {
96373c
+            goto loser;
96373c
         }
96373c
+        slapi_ch_free_string(&val);
96373c
+        slapi_counter_set_value(ra->protocol_timeout, ptimeout);
96373c
     }
96373c
 
96373c
+
96373c
     /* Replica enabled */
96373c
     tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaEnabled);
96373c
     if (NULL != tmpstr) {
96373c
@@ -384,9 +406,8 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
             ra->is_enabled = PR_TRUE;
96373c
         } else {
96373c
             slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_new_from_entry - "
96373c
-                                                           "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\".  "
96373c
-                                                           "Ignoring this repl agreement.\n",
96373c
-                          tmpstr);
96373c
+                    "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\".  "
96373c
+                    "Ignoring this repl agreement.\n", tmpstr);
96373c
             slapi_ch_free_string(&tmpstr);
96373c
             goto loser;
96373c
         }
96373c
@@ -402,11 +423,24 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
     }
96373c
 
96373c
     /* busy wait time - time to wait after getting REPLICA BUSY from consumer */
96373c
-    ra->busywaittime = slapi_entry_attr_get_long(e, type_nsds5ReplicaBusyWaitTime);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBusyWaitTime))){
96373c
+        int64_t busytime = 0;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaBusyWaitTime, val, 0, INT_MAX, &rc, errormsg, &busytime) != 0) {
96373c
+            goto loser;
96373c
+        }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->busywaittime = busytime;
96373c
+    }
96373c
 
96373c
     /* pause time - time to pause after a session has ended */
96373c
-    ra->pausetime = slapi_entry_attr_get_long(e, type_nsds5ReplicaSessionPauseTime);
96373c
-
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaSessionPauseTime))){
96373c
+        int64_t pausetime = 0;
96373c
+        if (repl_config_valid_num(type_nsds5ReplicaSessionPauseTime, val, 0, INT_MAX, &rc, errormsg, &pausetime) != 0) {
96373c
+            goto loser;
96373c
+        }
96373c
+        slapi_ch_free_string(&val);
96373c
+        ra->pausetime = pausetime;
96373c
+    }
96373c
     /* consumer's RUV */
96373c
     if (slapi_entry_attr_find(e, type_ruvElement, &sattr) == 0) {
96373c
         RUV *ruv;
96373c
@@ -434,7 +468,7 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
         if (dot) {
96373c
             *dot = '\0';
96373c
         }
96373c
-        ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%d)", agmtname, hostname, ra->port);
96373c
+        ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%ld)", agmtname, hostname, ra->port);
96373c
     }
96373c
 
96373c
     /* DBDB: review this code */
96373c
@@ -534,6 +568,9 @@ agmt_new_from_entry(Slapi_Entry *e)
96373c
 
96373c
     return ra;
96373c
 loser:
96373c
+    slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
96373c
+                  "agmt_new_from_entry - Failed to parse agreement, skipping.\n");
96373c
+    slapi_ch_free_string(&val);
96373c
     agmt_delete((void **)&ra);
96373c
     return NULL;
96373c
 }
96373c
@@ -754,10 +791,10 @@ agmt_start(Repl_Agmt *ra)
96373c
                     char buf[BUFSIZ];
96373c
                     char unavail_buf[BUFSIZ];
96373c
 
96373c
-                    PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(repl_sdn),
96373c
+                    PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", slapi_sdn_get_dn(repl_sdn),
96373c
                                 slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
96373c
                                 ra->hostname, ra->port);
96373c
-                    PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(repl_sdn),
96373c
+                    PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(repl_sdn),
96373c
                                 slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
96373c
                                 ra->hostname, ra->port);
96373c
                     if (strstr(maxcsns[i], buf) || strstr(maxcsns[i], unavail_buf)) {
96373c
@@ -901,7 +938,7 @@ agmt_get_port(const Repl_Agmt *ra)
96373c
 /*
96373c
  * Return the transport flags for this agreement.
96373c
  */
96373c
-PRUint32
96373c
+uint32_t
96373c
 agmt_get_transport_flags(const Repl_Agmt *ra)
96373c
 {
96373c
     unsigned int return_value;
96373c
@@ -2919,7 +2956,7 @@ agmt_update_done(Repl_Agmt *agmt, int is_total)
96373c
     }
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 agmt_get_protocol_timeout(Repl_Agmt *agmt)
96373c
 {
96373c
     if (agmt) {
96373c
@@ -2930,7 +2967,7 @@ agmt_get_protocol_timeout(Repl_Agmt *agmt)
96373c
 }
96373c
 
96373c
 void
96373c
-agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout)
96373c
+agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout)
96373c
 {
96373c
     if (agmt) {
96373c
         slapi_counter_set_value(agmt->protocol_timeout, timeout);
96373c
@@ -2992,11 +3029,11 @@ agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn)
96373c
                  * temporarily mark it as "unavailable".
96373c
                  */
96373c
                 slapi_ch_free_string(&agmt->maxcsn);
96373c
-                agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(agmt->replarea),
96373c
+                agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(agmt->replarea),
96373c
                                                  slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname, agmt->port);
96373c
             } else if (rid == oprid) {
96373c
                 slapi_ch_free_string(&agmt->maxcsn);
96373c
-                agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;%d;%s", slapi_sdn_get_dn(agmt->replarea),
96373c
+                agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;%d;%s", slapi_sdn_get_dn(agmt->replarea),
96373c
                                                  slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname,
96373c
                                                  agmt->port, agmt->consumerRID, maxcsn);
96373c
             }
96373c
@@ -3190,10 +3227,10 @@ agmt_remove_maxcsn(Repl_Agmt *ra)
96373c
                     char unavail_buf[BUFSIZ];
96373c
                     struct berval val;
96373c
 
96373c
-                    PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(ra->replarea),
96373c
+                    PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", slapi_sdn_get_dn(ra->replarea),
96373c
                                 slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
96373c
                                 ra->hostname, ra->port);
96373c
-                    PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable",
96373c
+                    PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable",
96373c
                                 slapi_sdn_get_dn(ra->replarea),
96373c
                                 slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
96373c
                                 ra->hostname, ra->port);
96373c
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
96373c
index 92f847f24..e5296bf1c 100644
96373c
--- a/ldap/servers/plugins/replication/repl5_replica.c
96373c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
96373c
@@ -33,42 +33,40 @@ struct replica
96373c
     Slapi_DN *repl_root;               /* top of the replicated are */
96373c
     char *repl_name;                   /* unique replica name */
96373c
     PRBool new_name;                   /* new name was generated - need to be saved */
96373c
-    ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind
96373c
-                           to update this replica                */
96373c
-    Slapi_ValueSet *updatedn_groups;   /* set of groups whose memebers are
96373c
-                                * allowed to update replica */
96373c
+    ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind to update this replica */
96373c
+    Slapi_ValueSet *updatedn_groups;   /* set of groups whose memebers are allowed to update replica */
96373c
     ReplicaUpdateDNList groupdn_list;  /* exploded listof dns from update group */
96373c
-    PRUint32 updatedn_group_last_check;
96373c
-    int updatedn_group_check_interval;
96373c
-    ReplicaType repl_type;           /* is this replica read-only ?            */
96373c
-    ReplicaId repl_rid;              /* replicaID                            */
96373c
-    Object *repl_ruv;                /* replica update vector                */
96373c
-    PRBool repl_ruv_dirty;           /* Dirty flag for ruv                   */
96373c
-    CSNPL *min_csn_pl;               /* Pending list for minimal CSN         */
96373c
-    void *csn_pl_reg_id;             /* registration assignment for csn callbacks */
96373c
-    unsigned long repl_state_flags;  /* state flags                            */
96373c
-    PRUint32 repl_flags;             /* persistent, externally visible flags */
96373c
-    PRMonitor *repl_lock;            /* protects entire structure            */
96373c
-    Slapi_Eq_Context repl_eqcxt_rs;  /* context to cancel event that saves ruv */
96373c
-    Slapi_Eq_Context repl_eqcxt_tr;  /* context to cancel event that reaps tombstones */
96373c
-    Object *repl_csngen;             /* CSN generator for this replica */
96373c
-    PRBool repl_csn_assigned;        /* Flag set when new csn is assigned. */
96373c
-    PRUint32 repl_purge_delay;       /* When purgeable, CSNs are held on to for this many extra seconds */
96373c
-    PRBool tombstone_reap_stop;      /* TRUE when the tombstone reaper should stop */
96373c
-    PRBool tombstone_reap_active;    /* TRUE when the tombstone reaper is running */
96373c
-    long tombstone_reap_interval;    /* Time in seconds between tombstone reaping */
96373c
-    Slapi_ValueSet *repl_referral;   /* A list of administrator provided referral URLs */
96373c
-    PRBool state_update_inprogress;  /* replica state is being updated */
96373c
-    PRLock *agmt_lock;               /* protects agreement creation, start and stop */
96373c
-    char *locking_purl;              /* supplier who has exclusive access */
96373c
-    uint64_t locking_conn;           /* The supplier's connection id */
96373c
-    Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */
96373c
-    Slapi_Counter *backoff_min;      /* backoff retry minimum */
96373c
-    Slapi_Counter *backoff_max;      /* backoff retry maximum */
96373c
-    Slapi_Counter *precise_purging;  /* Enable precise tombstone purging */
96373c
-    PRUint64 agmt_count;             /* Number of agmts */
96373c
-    Slapi_Counter *release_timeout;  /* The amount of time to wait before releasing active replica */
96373c
-    PRUint64 abort_session;          /* Abort the current replica session */
96373c
+    uint32_t updatedn_group_last_check;    /* the time of the last group check */
96373c
+    int64_t updatedn_group_check_interval; /* the group check interval */
96373c
+    ReplicaType repl_type;             /* is this replica read-only ? */
96373c
+    ReplicaId repl_rid;                /* replicaID */
96373c
+    Object *repl_ruv;                  /* replica update vector */
96373c
+    PRBool repl_ruv_dirty;             /* Dirty flag for ruv */
96373c
+    CSNPL *min_csn_pl;                 /* Pending list for minimal CSN */
96373c
+    void *csn_pl_reg_id;               /* registration assignment for csn callbacks */
96373c
+    unsigned long repl_state_flags;    /* state flags */
96373c
+    uint32_t repl_flags;               /* persistent, externally visible flags */
96373c
+    PRMonitor *repl_lock;              /* protects entire structure */
96373c
+    Slapi_Eq_Context repl_eqcxt_rs;    /* context to cancel event that saves ruv */
96373c
+    Slapi_Eq_Context repl_eqcxt_tr;    /* context to cancel event that reaps tombstones */
96373c
+    Object *repl_csngen;               /* CSN generator for this replica */
96373c
+    PRBool repl_csn_assigned;          /* Flag set when new csn is assigned. */
96373c
+    int64_t repl_purge_delay;          /* When purgeable, CSNs are held on to for this many extra seconds */
96373c
+    PRBool tombstone_reap_stop;        /* TRUE when the tombstone reaper should stop */
96373c
+    PRBool tombstone_reap_active;      /* TRUE when the tombstone reaper is running */
96373c
+    int64_t tombstone_reap_interval;   /* Time in seconds between tombstone reaping */
96373c
+    Slapi_ValueSet *repl_referral;     /* A list of administrator provided referral URLs */
96373c
+    PRBool state_update_inprogress;    /* replica state is being updated */
96373c
+    PRLock *agmt_lock;                 /* protects agreement creation, start and stop */
96373c
+    char *locking_purl;                /* supplier who has exclusive access */
96373c
+    uint64_t locking_conn;             /* The supplier's connection id */
96373c
+    Slapi_Counter *protocol_timeout;   /* protocol shutdown timeout */
96373c
+    Slapi_Counter *backoff_min;        /* backoff retry minimum */
96373c
+    Slapi_Counter *backoff_max;        /* backoff retry maximum */
96373c
+    Slapi_Counter *precise_purging;    /* Enable precise tombstone purging */
96373c
+    uint64_t agmt_count;               /* Number of agmts */
96373c
+    Slapi_Counter *release_timeout;    /* The amount of time to wait before releasing active replica */
96373c
+    uint64_t abort_session;            /* Abort the current replica session */
96373c
 };
96373c
 
96373c
 
96373c
@@ -532,7 +530,7 @@ replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid)
96373c
  * current_purl is the supplier who already has access, if any
96373c
  */
96373c
 PRBool
96373c
-replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl)
96373c
+replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl)
96373c
 {
96373c
     PRBool rval = PR_TRUE;
96373c
 
96373c
@@ -608,7 +606,7 @@ done:
96373c
  * Relinquish exclusive access to the replica
96373c
  */
96373c
 void
96373c
-replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid)
96373c
+replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid)
96373c
 {
96373c
     PRBool isInc;
96373c
 
96373c
@@ -915,7 +913,7 @@ replica_get_type(const Replica *r)
96373c
     return r->repl_type;
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 replica_get_protocol_timeout(Replica *r)
96373c
 {
96373c
     if (r) {
96373c
@@ -925,7 +923,7 @@ replica_get_protocol_timeout(Replica *r)
96373c
     }
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 replica_get_release_timeout(Replica *r)
96373c
 {
96373c
     if (r) {
96373c
@@ -936,7 +934,7 @@ replica_get_release_timeout(Replica *r)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_release_timeout(Replica *r, PRUint64 limit)
96373c
+replica_set_release_timeout(Replica *r, uint64_t limit)
96373c
 {
96373c
     if (r) {
96373c
         slapi_counter_set_value(r->release_timeout, limit);
96373c
@@ -944,7 +942,7 @@ replica_set_release_timeout(Replica *r, PRUint64 limit)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_protocol_timeout(Replica *r, PRUint64 timeout)
96373c
+replica_set_protocol_timeout(Replica *r, uint64_t timeout)
96373c
 {
96373c
     if (r) {
96373c
         slapi_counter_set_value(r->protocol_timeout, timeout);
96373c
@@ -1182,7 +1180,7 @@ replica_get_generation(const Replica *r)
96373c
 }
96373c
 
96373c
 PRBool
96373c
-replica_is_flag_set(const Replica *r, PRUint32 flag)
96373c
+replica_is_flag_set(const Replica *r, uint32_t flag)
96373c
 {
96373c
     if (r)
96373c
         return (r->repl_flags & flag);
96373c
@@ -1191,7 +1189,7 @@ replica_is_flag_set(const Replica *r, PRUint32 flag)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_flag(Replica *r, PRUint32 flag, PRBool clear)
96373c
+replica_set_flag(Replica *r, uint32_t flag, PRBool clear)
96373c
 {
96373c
     if (r == NULL)
96373c
         return;
96373c
@@ -1208,7 +1206,7 @@ replica_set_flag(Replica *r, PRUint32 flag, PRBool clear)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_replace_flags(Replica *r, PRUint32 flags)
96373c
+replica_replace_flags(Replica *r, uint32_t flags)
96373c
 {
96373c
     if (r) {
96373c
         replica_lock(r->repl_lock);
96373c
@@ -1829,17 +1827,18 @@ _replica_check_validity(const Replica *r)
96373c
 static int
96373c
 _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
 {
96373c
-    Slapi_Attr *a = NULL;
96373c
     Slapi_Attr *attr;
96373c
     CSNGen *gen;
96373c
     char *precise_purging = NULL;
96373c
     char buf[SLAPI_DSE_RETURNTEXT_SIZE];
96373c
     char *errormsg = errortext ? errortext : buf;
96373c
     char *val;
96373c
-    int backoff_min;
96373c
-    int backoff_max;
96373c
-    int ptimeout = 0;
96373c
-    int release_timeout = 0;
96373c
+    int64_t backoff_min;
96373c
+    int64_t backoff_max;
96373c
+    int64_t ptimeout = 0;
96373c
+    int64_t release_timeout = 0;
96373c
+    int64_t interval = 0;
96373c
+    int64_t rtype = 0;
96373c
     int rc;
96373c
 
96373c
     PR_ASSERT(r && e);
96373c
@@ -1847,7 +1846,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
     /* get replica root */
96373c
     val = slapi_entry_attr_get_charptr(e, attr_replicaRoot);
96373c
     if (val == NULL) {
96373c
-        PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)\n",
96373c
+        PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)",
96373c
                     attr_replicaRoot,
96373c
                     (char *)slapi_entry_get_dn((Slapi_Entry *)e));
96373c
         slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - %s\n",
96373c
@@ -1858,66 +1857,94 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
     r->repl_root = slapi_sdn_new_dn_passin(val);
96373c
 
96373c
     /* get replica type */
96373c
-    val = slapi_entry_attr_get_charptr(e, attr_replicaType);
96373c
-    if (val) {
96373c
-        r->repl_type = atoi(val);
96373c
-        slapi_ch_free((void **)&val);
96373c
+    if (slapi_entry_attr_exists(e, attr_replicaType)) {
96373c
+        if ((val = slapi_entry_attr_get_charptr(e, attr_replicaType))) {
96373c
+            if (repl_config_valid_num(attr_replicaType, val, 0, REPLICA_TYPE_UPDATABLE, &rc, errormsg, &rtype) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
+                return -1;
96373c
+            }
96373c
+            r->repl_type = rtype;
96373c
+            slapi_ch_free_string(&val);
96373c
+        } else {
96373c
+            r->repl_type = REPLICA_TYPE_READONLY;
96373c
+        }
96373c
     } else {
96373c
         r->repl_type = REPLICA_TYPE_READONLY;
96373c
     }
96373c
 
96373c
-    /* grab and validate the backoff retry settings */
96373c
+    /* grab and validate the backoff min retry settings */
96373c
     if (slapi_entry_attr_exists(e, type_replicaBackoffMin)) {
96373c
-        backoff_min = slapi_entry_attr_get_int(e, type_replicaBackoffMin);
96373c
-        if (backoff_min <= 0) {
96373c
-            slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
96373c
-                                                               "Invalid value for %s: %d  Using default value (%d)\n",
96373c
-                          type_replicaBackoffMin, backoff_min, PROTOCOL_BACKOFF_MINIMUM);
96373c
+        if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMin))) {
96373c
+            if (repl_config_valid_num(type_replicaBackoffMin, val, 1, INT_MAX, &rc, errormsg, &backoff_min) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
+                return -1;
96373c
+            }
96373c
+            slapi_ch_free_string(&val);
96373c
+        } else {
96373c
             backoff_min = PROTOCOL_BACKOFF_MINIMUM;
96373c
         }
96373c
     } else {
96373c
         backoff_min = PROTOCOL_BACKOFF_MINIMUM;
96373c
     }
96373c
 
96373c
+    /* grab and validate the backoff max retry settings */
96373c
     if (slapi_entry_attr_exists(e, type_replicaBackoffMax)) {
96373c
-        backoff_max = slapi_entry_attr_get_int(e, type_replicaBackoffMax);
96373c
-        if (backoff_max <= 0) {
96373c
-            slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
96373c
-                                                               "Invalid value for %s: %d  Using default value (%d)\n",
96373c
-                          type_replicaBackoffMax, backoff_max, PROTOCOL_BACKOFF_MAXIMUM);
96373c
+        if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMax))) {
96373c
+            if (repl_config_valid_num(type_replicaBackoffMax, val, 1, INT_MAX, &rc, errormsg, &backoff_max) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
+                return -1;
96373c
+            }
96373c
+            slapi_ch_free_string(&val);
96373c
+        } else {
96373c
             backoff_max = PROTOCOL_BACKOFF_MAXIMUM;
96373c
         }
96373c
     } else {
96373c
         backoff_max = PROTOCOL_BACKOFF_MAXIMUM;
96373c
     }
96373c
 
96373c
+    /* Verify backoff min and max work together */
96373c
     if (backoff_min > backoff_max) {
96373c
-        /* Ok these values are invalid, reset back the defaults */
96373c
-        slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
96373c
-                                                           "Backoff minimum (%d) can not be greater than "
96373c
-                                                           "the backoff maximum (%d).  Using default values: min (%d) max (%d)\n",
96373c
-                      backoff_min, backoff_max, PROTOCOL_BACKOFF_MINIMUM, PROTOCOL_BACKOFF_MAXIMUM);
96373c
-        slapi_counter_set_value(r->backoff_min, PROTOCOL_BACKOFF_MINIMUM);
96373c
-        slapi_counter_set_value(r->backoff_max, PROTOCOL_BACKOFF_MAXIMUM);
96373c
+        PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
+                    "Backoff minimum (%ld) can not be greater than the backoff maximum (%ld).",
96373c
+                    backoff_min, backoff_max);
96373c
+        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - "
96373c
+                      "%s\n", errormsg);
96373c
+        return -1;
96373c
     } else {
96373c
         slapi_counter_set_value(r->backoff_min, backoff_min);
96373c
         slapi_counter_set_value(r->backoff_max, backoff_max);
96373c
     }
96373c
 
96373c
     /* get the protocol timeout */
96373c
-    ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
96373c
-    if (ptimeout <= 0) {
96373c
-        slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
96373c
+    if (slapi_entry_attr_exists(e, type_replicaProtocolTimeout)) {
96373c
+        if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))) {
96373c
+            if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
+                return -1;
96373c
+            }
96373c
+            slapi_ch_free_string(&val);
96373c
+            slapi_counter_set_value(r->protocol_timeout, ptimeout);
96373c
+        } else {
96373c
+            slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
96373c
+        }
96373c
     } else {
96373c
-        slapi_counter_set_value(r->protocol_timeout, ptimeout);
96373c
+        slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
96373c
     }
96373c
 
96373c
     /* Get the release timeout */
96373c
-    release_timeout = slapi_entry_attr_get_int(e, type_replicaReleaseTimeout);
96373c
-    if (release_timeout <= 0) {
96373c
-        slapi_counter_set_value(r->release_timeout, 0);
96373c
+    if (slapi_entry_attr_exists(e, type_replicaReleaseTimeout)) {
96373c
+        if ((val = slapi_entry_attr_get_charptr(e, type_replicaReleaseTimeout))) {
96373c
+            if (repl_config_valid_num(type_replicaReleaseTimeout, val, 0, INT_MAX, &rc, errortext, &release_timeout) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
+                return -1;
96373c
+            }
96373c
+            slapi_counter_set_value(r->release_timeout, release_timeout);
96373c
+            slapi_ch_free_string(&val);
96373c
+        } else {
96373c
+            slapi_counter_set_value(r->release_timeout, 0);
96373c
+        }
96373c
     } else {
96373c
-        slapi_counter_set_value(r->release_timeout, release_timeout);
96373c
+        slapi_counter_set_value(r->release_timeout, 0);
96373c
     }
96373c
 
96373c
     /* check for precise tombstone purging */
96373c
@@ -1929,10 +1956,11 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
             slapi_counter_set_value(r->precise_purging, 0);
96373c
         } else {
96373c
             /* Invalid value */
96373c
-            slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
96373c
-                                                               "Invalid value for %s: %s  Using default value (off)\n",
96373c
-                          type_replicaPrecisePurge, precise_purging);
96373c
-            slapi_counter_set_value(r->precise_purging, 0);
96373c
+            PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value for %s: %s",
96373c
+                        type_replicaPrecisePurge, precise_purging);
96373c
+            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - "
96373c
+                          "%s\n", errormsg);
96373c
+            return -1;
96373c
         }
96373c
         slapi_ch_free_string(&precise_purging);
96373c
     } else {
96373c
@@ -1940,7 +1968,19 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
     }
96373c
 
96373c
     /* get replica flags */
96373c
-    r->repl_flags = slapi_entry_attr_get_ulong(e, attr_flags);
96373c
+    if (slapi_entry_attr_exists(e, attr_flags)) {
96373c
+        int64_t rflags;
96373c
+        if((val = slapi_entry_attr_get_charptr(e, attr_flags))) {
96373c
+            if (repl_config_valid_num(attr_flags, val, 0, 1, &rc, errortext, &rflags) != 0) {
96373c
+                return -1;
96373c
+            }
96373c
+            r->repl_flags = (uint32_t)rflags;
96373c
+        } else {
96373c
+            r->repl_flags = 0;
96373c
+        }
96373c
+    } else {
96373c
+        r->repl_flags = 0;
96373c
+    }
96373c
 
96373c
     /*
96373c
      * Get replicaid
96373c
@@ -1955,20 +1995,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
     else if (r->repl_type == REPLICA_TYPE_UPDATABLE ||
96373c
              r->repl_type == REPLICA_TYPE_PRIMARY) {
96373c
         if ((val = slapi_entry_attr_get_charptr(e, attr_replicaId))) {
96373c
-            int temprid = atoi(val);
96373c
-            slapi_ch_free((void **)&val);
96373c
-            if (temprid <= 0 || temprid >= READ_ONLY_REPLICA_ID) {
96373c
-                PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                            "Attribute %s must have a value greater than 0 "
96373c
-                            "and less than %d: entry %s",
96373c
-                            attr_replicaId, READ_ONLY_REPLICA_ID,
96373c
-                            (char *)slapi_entry_get_dn((Slapi_Entry *)e));
96373c
-                slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
96373c
-                              "_replica_init_from_config - %s\n", errormsg);
96373c
+            int64_t rid;
96373c
+            if (repl_config_valid_num(attr_replicaId, val, 1, 65535, &rc, errormsg, &rid) != 0) {
96373c
+                slapi_ch_free_string(&val);
96373c
                 return -1;
96373c
-            } else {
96373c
-                r->repl_rid = (ReplicaId)temprid;
96373c
             }
96373c
+            r->repl_rid = (ReplicaId)rid;
96373c
+            slapi_ch_free_string(&val);
96373c
         } else {
96373c
             PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
                         "Failed to retrieve required %s attribute from %s",
96373c
@@ -2003,10 +2036,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
     r->groupdn_list = replica_groupdn_list_new(r->updatedn_groups);
96373c
     r->updatedn_group_last_check = time(NULL);
96373c
     /* get groupdn check interval */
96373c
-    val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval);
96373c
-    if (val) {
96373c
-        r->updatedn_group_check_interval = atoi(val);
96373c
-        slapi_ch_free((void **)&val);
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) {
96373c
+        if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
96373c
+            slapi_ch_free_string(&val);
96373c
+            return -1;
96373c
+        }
96373c
+        r->updatedn_group_check_interval = interval;
96373c
+        slapi_ch_free_string(&val);
96373c
     } else {
96373c
         r->updatedn_group_check_interval = -1;
96373c
     }
96373c
@@ -2041,18 +2077,26 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
96373c
      * since we don't know about LCUP replicas, and they can just
96373c
      * turn up whenever they want to.
96373c
      */
96373c
-    if (slapi_entry_attr_find(e, type_replicaPurgeDelay, &a) == -1) {
96373c
-        /* No purge delay provided, so use default */
96373c
-        r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_replicaPurgeDelay))) {
96373c
+        if (repl_config_valid_num(type_replicaPurgeDelay, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
96373c
+            slapi_ch_free_string(&val);
96373c
+            return -1;
96373c
+        }
96373c
+        r->repl_purge_delay = interval;
96373c
+        slapi_ch_free_string(&val);
96373c
     } else {
96373c
-        r->repl_purge_delay = slapi_entry_attr_get_uint(e, type_replicaPurgeDelay);
96373c
+        r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */
96373c
     }
96373c
 
96373c
-    if (slapi_entry_attr_find(e, type_replicaTombstonePurgeInterval, &a) == -1) {
96373c
-        /* No reap interval provided, so use default */
96373c
-        r->tombstone_reap_interval = 3600 * 24; /* One day */
96373c
+    if ((val = slapi_entry_attr_get_charptr(e, type_replicaTombstonePurgeInterval))) {
96373c
+        if (repl_config_valid_num(type_replicaTombstonePurgeInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
96373c
+            slapi_ch_free_string(&val);
96373c
+            return -1;
96373c
+        }
96373c
+        r->tombstone_reap_interval = interval;
96373c
+        slapi_ch_free_string(&val);
96373c
     } else {
96373c
-        r->tombstone_reap_interval = slapi_entry_attr_get_int(e, type_replicaTombstonePurgeInterval);
96373c
+        r->tombstone_reap_interval = 3600 * 24; /* One week, in seconds */
96373c
     }
96373c
 
96373c
     r->tombstone_reap_stop = r->tombstone_reap_active = PR_FALSE;
96373c
@@ -3534,7 +3578,7 @@ replica_log_ruv_elements_nolock(const Replica *r)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_purge_delay(Replica *r, PRUint32 purge_delay)
96373c
+replica_set_purge_delay(Replica *r, uint32_t purge_delay)
96373c
 {
96373c
     PR_ASSERT(r);
96373c
     replica_lock(r->repl_lock);
96373c
@@ -3710,7 +3754,7 @@ replica_set_ruv_dirty(Replica *r)
96373c
 }
96373c
 
96373c
 PRBool
96373c
-replica_is_state_flag_set(Replica *r, PRInt32 flag)
96373c
+replica_is_state_flag_set(Replica *r, int32_t flag)
96373c
 {
96373c
     PR_ASSERT(r);
96373c
     if (r)
96373c
@@ -3720,7 +3764,7 @@ replica_is_state_flag_set(Replica *r, PRInt32 flag)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear)
96373c
+replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear)
96373c
 {
96373c
     if (r == NULL)
96373c
         return;
96373c
@@ -3994,7 +4038,7 @@ replica_get_attr(Slapi_PBlock *pb, const char *type, void *value)
96373c
     return rc;
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 replica_get_backoff_min(Replica *r)
96373c
 {
96373c
     if (r) {
96373c
@@ -4004,7 +4048,7 @@ replica_get_backoff_min(Replica *r)
96373c
     }
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 replica_get_backoff_max(Replica *r)
96373c
 {
96373c
     if (r) {
96373c
@@ -4015,7 +4059,7 @@ replica_get_backoff_max(Replica *r)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_backoff_min(Replica *r, PRUint64 min)
96373c
+replica_set_backoff_min(Replica *r, uint64_t min)
96373c
 {
96373c
     if (r) {
96373c
         slapi_counter_set_value(r->backoff_min, min);
96373c
@@ -4023,7 +4067,7 @@ replica_set_backoff_min(Replica *r, PRUint64 min)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_backoff_max(Replica *r, PRUint64 max)
96373c
+replica_set_backoff_max(Replica *r, uint64_t max)
96373c
 {
96373c
     if (r) {
96373c
         slapi_counter_set_value(r->backoff_max, max);
96373c
@@ -4031,14 +4075,14 @@ replica_set_backoff_max(Replica *r, PRUint64 max)
96373c
 }
96373c
 
96373c
 void
96373c
-replica_set_precise_purging(Replica *r, PRUint64 on_off)
96373c
+replica_set_precise_purging(Replica *r, uint64_t on_off)
96373c
 {
96373c
     if (r) {
96373c
         slapi_counter_set_value(r->precise_purging, on_off);
96373c
     }
96373c
 }
96373c
 
96373c
-PRUint64
96373c
+uint64_t
96373c
 replica_get_precise_purging(Replica *r)
96373c
 {
96373c
     if (r) {
96373c
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
96373c
index 7477a292c..9c3c75458 100644
96373c
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
96373c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
96373c
@@ -405,28 +405,35 @@ replica_config_modify(Slapi_PBlock *pb,
96373c
                 } else if (strcasecmp(config_attr, attr_replicaBindDnGroup) == 0) {
96373c
                     *returncode = replica_config_change_updatedngroup(r, mods[i], errortext, apply_mods);
96373c
                 } else if (strcasecmp(config_attr, attr_replicaBindDnGroupCheckInterval) == 0) {
96373c
-                    int interval = atoi(config_attr_value);
96373c
-                    replica_set_groupdn_checkinterval(r, interval);
96373c
+                    int64_t interval = 0;
96373c
+                    if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) {
96373c
+                        replica_set_groupdn_checkinterval(r, interval);
96373c
+                    } else {
96373c
+                        break;
96373c
+                    }
96373c
                 } else if (strcasecmp(config_attr, attr_replicaType) == 0) {
96373c
+                    int64_t rtype;
96373c
                     slapi_ch_free_string(&new_repl_type);
96373c
-                    new_repl_type = slapi_ch_strdup(config_attr_value);
96373c
+                    if (repl_config_valid_num(config_attr, config_attr_value, 1, 3, returncode, errortext, &rtype) == 0) {
96373c
+                        new_repl_type = slapi_ch_strdup(config_attr_value);
96373c
+                    } else {
96373c
+                        break;
96373c
+                    }
96373c
                 } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
96373c
-                    char *endp = NULL;
96373c
                     int64_t rid = 0;
96373c
-                    errno = 0;
96373c
-                    rid = strtoll(config_attr_value, &endp, 10);
96373c
-                    if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) {
96373c
-                        *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                        PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                            "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n",
96373c
-                            config_attr, config_attr_value);
96373c
-                        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                    if (repl_config_valid_num(config_attr, config_attr_value, 1, 65535, returncode, errortext, &rid) == 0) {
96373c
+                        slapi_ch_free_string(&new_repl_id);
96373c
+                        new_repl_id = slapi_ch_strdup(config_attr_value);
96373c
+                    } else {
96373c
                         break;
96373c
                     }
96373c
-                    slapi_ch_free_string(&new_repl_id);
96373c
-                    new_repl_id = slapi_ch_strdup(config_attr_value);
96373c
                 } else if (strcasecmp(config_attr, attr_flags) == 0) {
96373c
-                    *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods);
96373c
+                    int64_t rflags = 0;
96373c
+                    if (repl_config_valid_num(config_attr, config_attr_value, 0, 1, returncode, errortext, &rflags) == 0) {
96373c
+                        *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods);
96373c
+                    } else {
96373c
+                        break;
96373c
+                    }
96373c
                 } else if (strcasecmp(config_attr, TASK_ATTR) == 0) {
96373c
                     *returncode = replica_execute_task(mtnode_ext->replica, config_attr_value, errortext, apply_mods);
96373c
                 } else if (strcasecmp(config_attr, attr_replicaReferral) == 0) {
96373c
@@ -442,18 +449,21 @@ replica_config_modify(Slapi_PBlock *pb,
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaPurgeDelay) == 0) {
96373c
                     if (apply_mods && config_attr_value[0]) {
96373c
-                        PRUint32 delay;
96373c
-                        if (isdigit(config_attr_value[0])) {
96373c
-                            delay = (unsigned int)atoi(config_attr_value);
96373c
+                        int64_t delay = 0;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &delay) == 0) {
96373c
                             replica_set_purge_delay(r, delay);
96373c
-                        } else
96373c
-                            *returncode = LDAP_OPERATIONS_ERROR;
96373c
+                        } else {
96373c
+                            break;
96373c
+                        }
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaTombstonePurgeInterval) == 0) {
96373c
                     if (apply_mods && config_attr_value[0]) {
96373c
-                        long interval;
96373c
-                        interval = atol(config_attr_value);
96373c
-                        replica_set_tombstone_reap_interval(r, interval);
96373c
+                        int64_t interval;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) {
96373c
+                            replica_set_tombstone_reap_interval(r, interval);
96373c
+                        } else {
96373c
+                            break;
96373c
+                        }
96373c
                     }
96373c
                 }
96373c
                 /* ignore modifiers attributes added by the server */
96373c
@@ -461,73 +471,55 @@ replica_config_modify(Slapi_PBlock *pb,
96373c
                     *returncode = LDAP_SUCCESS;
96373c
                 } else if (strcasecmp(config_attr, type_replicaProtocolTimeout) == 0) {
96373c
                     if (apply_mods) {
96373c
-                        PRUint64 ptimeout = 0;
96373c
-
96373c
-                        ptimeout = atoll(config_attr_value);
96373c
-
96373c
-                        if (ptimeout <= 0) {
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
96373c
-                                        config_attr, config_attr_value);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                        int64_t ptimeout = 0;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &ptimeout) == 0) {
96373c
+                            replica_set_protocol_timeout(r, ptimeout);
96373c
+                        } else {
96373c
                             break;
96373c
                         }
96373c
-                        replica_set_protocol_timeout(r, ptimeout);
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) {
96373c
                     if (apply_mods) {
96373c
-                        uint64_t val = atoll(config_attr_value);
96373c
-                        uint64_t max;
96373c
-
96373c
-                        if (val <= 0) {
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
96373c
-                                        config_attr, config_attr_value);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
-                            break;
96373c
-                        }
96373c
-                        max = replica_get_backoff_max(r);
96373c
-                        if (val > max){
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
96373c
-                                        config_attr, config_attr_value, (int)max);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                        int64_t val = 0;
96373c
+                        int64_t max;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
96373c
+                            max = replica_get_backoff_max(r);
96373c
+                            if (val > max){
96373c
+                                *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
+                                PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
+                                            "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
96373c
+                                            config_attr, config_attr_value, (int)max);
96373c
+                                slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                                break;
96373c
+                            }
96373c
+                            replica_set_backoff_min(r, val);
96373c
+                        } else {
96373c
                             break;
96373c
                         }
96373c
-                        replica_set_backoff_min(r, val);
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) {
96373c
                     if (apply_mods) {
96373c
-                        uint64_t val = atoll(config_attr_value);
96373c
-                        uint64_t min;
96373c
-
96373c
-                        if (val <= 0) {
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
96373c
-                                        config_attr, config_attr_value);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n",
96373c
-                                          errortext);
96373c
-                            break;
96373c
-                        }
96373c
-                        min = replica_get_backoff_min(r);
96373c
-                        if (val < min) {
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
96373c
-                                        config_attr, config_attr_value, (int)min);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                        int64_t val = 0;
96373c
+                        int64_t min;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
96373c
+                            min = replica_get_backoff_min(r);
96373c
+                            if (val < min) {
96373c
+                                *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
+                                PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
+                                            "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
96373c
+                                            config_attr, config_attr_value, (int)min);
96373c
+                                slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
96373c
+                                break;
96373c
+                            }
96373c
+                            replica_set_backoff_max(r, val);
96373c
+                        } else {
96373c
                             break;
96373c
                         }
96373c
-                        replica_set_backoff_max(r, val);
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) {
96373c
                     if (apply_mods) {
96373c
                         if (config_attr_value[0]) {
96373c
-                            PRUint64 on_off = 0;
96373c
+                            uint64_t on_off = 0;
96373c
 
96373c
                             if (strcasecmp(config_attr_value, "on") == 0) {
96373c
                                 on_off = 1;
96373c
@@ -550,19 +542,11 @@ replica_config_modify(Slapi_PBlock *pb,
96373c
                     }
96373c
                 } else if (strcasecmp(config_attr, type_replicaReleaseTimeout) == 0) {
96373c
                     if (apply_mods) {
96373c
-                        long val = atol(config_attr_value);
96373c
-
96373c
-                        if (val < 0) {
96373c
-                            *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
-                            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
-                                        "Attribute %s value (%s) is invalid, must be a number zero or greater.\n",
96373c
-                                        config_attr, config_attr_value);
96373c
-                            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
96373c
-                                          "replica_config_modify - %s\n", errortext);
96373c
-                            break;
96373c
-                        } else {
96373c
-                            /* Set the timeout */
96373c
+                        int64_t val;
96373c
+                        if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
96373c
                             replica_set_release_timeout(r, val);
96373c
+                        } else {
96373c
+                            break;
96373c
                         }
96373c
                     }
96373c
                 } else {
96373c
@@ -1011,7 +995,7 @@ replica_config_change_flags(Replica *r, const char *new_flags, char *returntext
96373c
     PR_ASSERT(r);
96373c
 
96373c
     if (apply_mods) {
96373c
-        PRUint32 flags;
96373c
+        uint32_t flags;
96373c
 
96373c
         flags = atol(new_flags);
96373c
 
96373c
diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c
96373c
index 1b0446788..7cc132362 100644
96373c
--- a/ldap/servers/plugins/replication/replutil.c
96373c
+++ b/ldap/servers/plugins/replication/replutil.c
96373c
@@ -1061,3 +1061,29 @@ repl_set_repl_plugin_path(const char *path)
96373c
 {
96373c
     replpluginpath = slapi_ch_strdup(path);
96373c
 }
96373c
+
96373c
+int
96373c
+repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max,
96373c
+                      int *returncode, char *errortext, int64_t *retval)
96373c
+{
96373c
+    int rc = 0;
96373c
+    char *endp = NULL;
96373c
+    int64_t val;
96373c
+    errno = 0;
96373c
+
96373c
+    val = strtol(config_attr_value, &endp, 10);
96373c
+    if (*endp != '\0' || val < min || val > max || errno == ERANGE) {
96373c
+        *returncode = LDAP_UNWILLING_TO_PERFORM;
96373c
+        if (errortext){
96373c
+            PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
96373c
+                        "Attribute %s value (%s) is invalid, must be a number between %ld and %ld.",
96373c
+                        config_attr, config_attr_value, min, max);
96373c
+            slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "repl_config_valid_num - %s\n",
96373c
+                          errortext);
96373c
+        }
96373c
+        rc = -1;
96373c
+    } else {
96373c
+        *retval = val;
96373c
+    }
96373c
+    return rc;
96373c
+}
96373c
-- 
96373c
2.13.6
96373c