ldap/servers lib/libaccess - 389-commits - Fedora mailing-lists

19 Oct 2011

ldap/servers/plugins/acctpolicy/acct_plugin.c            |   11 
 ldap/servers/plugins/acl/acl.c                           |   46 -
 ldap/servers/plugins/acl/acl.h                           |    2 
 ldap/servers/plugins/acl/acl_ext.c                       |    8 
 ldap/servers/plugins/acl/acleffectiverights.c            |   30 
 ldap/servers/plugins/acl/acllas.c                        |   49 -
 ldap/servers/plugins/acl/acllist.c                       |   43 
 ldap/servers/plugins/acl/aclparse.c                      |   20 
 ldap/servers/plugins/acl/aclplugin.c                     |    8 
 ldap/servers/plugins/automember/automember.c             |   90 --
 ldap/servers/plugins/chainingdb/cb_add.c                 |   29 
 ldap/servers/plugins/chainingdb/cb_bind.c                |   61 -
 ldap/servers/plugins/chainingdb/cb_compare.c             |   46 -
 ldap/servers/plugins/chainingdb/cb_controls.c            |    6 
 ldap/servers/plugins/chainingdb/cb_delete.c              |   43 
 ldap/servers/plugins/chainingdb/cb_instance.c            |   24 
 ldap/servers/plugins/chainingdb/cb_modify.c              |   55 -
 ldap/servers/plugins/chainingdb/cb_modrdn.c              |   92 +-
 ldap/servers/plugins/chainingdb/cb_search.c              |  120 +-
 ldap/servers/plugins/chainingdb/cb_utils.c               |    2 
 ldap/servers/plugins/cos/cos_cache.c                     |  660 +++++++--------
 ldap/servers/plugins/dna/dna.c                           |   62 -
 ldap/servers/plugins/linkedattrs/fixup_task.c            |   16 
 ldap/servers/plugins/linkedattrs/linked_attrs.c          |   48 -
 ldap/servers/plugins/linkedattrs/linked_attrs.h          |    2 
 ldap/servers/plugins/memberof/memberof.c                 |   23 
 ldap/servers/plugins/mep/mep.c                           |  167 +--
 ldap/servers/plugins/pam_passthru/pam_passthru.h         |    2 
 ldap/servers/plugins/pam_passthru/pam_ptconfig.c         |    2 
 ldap/servers/plugins/pam_passthru/pam_ptimpl.c           |   16 
 ldap/servers/plugins/pam_passthru/pam_ptpreop.c          |    9 
 ldap/servers/plugins/passthru/passthru.h                 |    4 
 ldap/servers/plugins/passthru/ptbind.c                   |    6 
 ldap/servers/plugins/passthru/ptconn.c                   |    8 
 ldap/servers/plugins/passthru/ptpreop.c                  |   17 
 ldap/servers/plugins/referint/referint.c                 |  159 +--
 ldap/servers/plugins/replication/cl4_api.c               |    2 
 ldap/servers/plugins/replication/cl5_api.c               |   80 -
 ldap/servers/plugins/replication/cl5_test.c              |    2 
 ldap/servers/plugins/replication/legacy_consumer.c       |   14 
 ldap/servers/plugins/replication/repl.h                  |    2 
 ldap/servers/plugins/replication/repl5.h                 |    3 
 ldap/servers/plugins/replication/repl5_agmt.c            |   15 
 ldap/servers/plugins/replication/repl5_agmtlist.c        |   22 
 ldap/servers/plugins/replication/repl5_inc_protocol.c    |   12 
 ldap/servers/plugins/replication/repl5_init.c            |    4 
 ldap/servers/plugins/replication/repl5_mtnode_ext.c      |   13 
 ldap/servers/plugins/replication/repl5_plugins.c         |    2 
 ldap/servers/plugins/replication/repl5_replica.c         |   26 
 ldap/servers/plugins/replication/repl5_replica_config.c  |   14 
 ldap/servers/plugins/replication/repl5_updatedn_list.c   |    2 
 ldap/servers/plugins/replication/repl_bind.c             |    6 
 ldap/servers/plugins/replication/repl_compare.c          |   17 
 ldap/servers/plugins/replication/repl_connext.c          |    2 
 ldap/servers/plugins/replication/repl_extop.c            |   25 
 ldap/servers/plugins/replication/replutil.c              |   22 
 ldap/servers/plugins/replication/urp.c                   |  105 +-
 ldap/servers/plugins/replication/urp.h                   |    2 
 ldap/servers/plugins/replication/urp_glue.c              |    4 
 ldap/servers/plugins/replication/urp_tombstone.c         |    6 
 ldap/servers/plugins/replication/windows_connection.c    |    2 
 ldap/servers/plugins/replication/windows_private.c       |   16 
 ldap/servers/plugins/replication/windows_protocol_util.c |   50 -
 ldap/servers/plugins/retrocl/retrocl_po.c                |    8 
 ldap/servers/plugins/roles/roles_cache.c                 |   10 
 ldap/servers/plugins/statechange/statechange.c           |   19 
 ldap/servers/plugins/uiduniq/7bit.c                      |   41 
 ldap/servers/plugins/uiduniq/uid.c                       |  137 +--
 ldap/servers/plugins/views/views.c                       |   11 
 ldap/servers/slapd/add.c                                 |   64 -
 ldap/servers/slapd/auditlog.c                            |   25 
 ldap/servers/slapd/auth.c                                |   40 
 ldap/servers/slapd/back-ldbm/ancestorid.c                |   73 +
 ldap/servers/slapd/back-ldbm/dblayer.c                   |    2 
 ldap/servers/slapd/back-ldbm/dn2entry.c                  |   27 
 ldap/servers/slapd/back-ldbm/findentry.c                 |   31 
 ldap/servers/slapd/back-ldbm/id2entry.c                  |   20 
 ldap/servers/slapd/back-ldbm/idl_common.c                |    6 
 ldap/servers/slapd/back-ldbm/import-threads.c            |   74 -
 ldap/servers/slapd/back-ldbm/index.c                     |    2 
 ldap/servers/slapd/back-ldbm/instance.c                  |    1 
 ldap/servers/slapd/back-ldbm/ldbm_add.c                  |   61 -
 ldap/servers/slapd/back-ldbm/ldbm_config.c               |   30 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c               |   16 
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c             |    4 
 ldap/servers/slapd/back-ldbm/ldbm_instance_config.c      |   21 
 ldap/servers/slapd/back-ldbm/ldbm_modify.c               |    2 
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c               |  125 +-
 ldap/servers/slapd/back-ldbm/ldbm_search.c               |   87 +
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c                 |   53 -
 ldap/servers/slapd/back-ldbm/misc.c                      |    3 
 ldap/servers/slapd/back-ldbm/vlv_srch.c                  |    2 
 ldap/servers/slapd/bind.c                                |   79 -
 ldap/servers/slapd/bulk_import.c                         |   39 
 ldap/servers/slapd/charray.c                             |   21 
 ldap/servers/slapd/compare.c                             |   36 
 ldap/servers/slapd/delete.c                              |   77 -
 ldap/servers/slapd/dn.c                                  |  403 ++++++---
 ldap/servers/slapd/dse.c                                 |   98 --
 ldap/servers/slapd/entry.c                               |  203 ++--
 ldap/servers/slapd/extendop.c                            |   21 
 ldap/servers/slapd/fedse.c                               |    2 
 ldap/servers/slapd/libglobs.c                            |    5 
 ldap/servers/slapd/main.c                                |   16 
 ldap/servers/slapd/mapping_tree.c                        |   82 +
 ldap/servers/slapd/modify.c                              |  126 +-
 ldap/servers/slapd/modrdn.c                              |  254 +++--
 ldap/servers/slapd/modutil.c                             |   17 
 ldap/servers/slapd/operation.c                           |   25 
 ldap/servers/slapd/opshared.c                            |  123 +-
 ldap/servers/slapd/passwd_extop.c                        |  152 +--
 ldap/servers/slapd/pblock.c                              |  120 ++
 ldap/servers/slapd/plugin.c                              |   80 -
 ldap/servers/slapd/plugin_acl.c                          |   19 
 ldap/servers/slapd/plugin_internal_op.c                  |  131 +-
 ldap/servers/slapd/plugin_syntax.c                       |   10 
 ldap/servers/slapd/proto-slap.h                          |    2 
 ldap/servers/slapd/proxyauth.c                           |   15 
 ldap/servers/slapd/psearch.c                             |   64 -
 ldap/servers/slapd/pw.c                                  |   41 
 ldap/servers/slapd/pw_mgmt.c                             |   16 
 ldap/servers/slapd/pw_retry.c                            |   51 -
 ldap/servers/slapd/rdn.c                                 |   23 
 ldap/servers/slapd/referral.c                            |   25 
 ldap/servers/slapd/result.c                              |   10 
 ldap/servers/slapd/saslbind.c                            |   25 
 ldap/servers/slapd/search.c                              |   42 
 ldap/servers/slapd/slap.h                                |    5 
 ldap/servers/slapd/slapi-plugin.h                        |  254 +++++
 ldap/servers/slapd/slapi-private.h                       |   11 
 ldap/servers/slapd/task.c                                |   32 
 ldap/servers/slapd/tools/ldclt/ldapfct.c                 |    5 
 ldap/servers/slapd/util.c                                |   49 -
 ldap/servers/slapd/uuid.c                                |    3 
 ldap/servers/slapd/value.c                               |   27 
 lib/libaccess/lasdns.cpp                                 |    8 
 136 files changed, 3483 insertions(+), 2815 deletions(-)
New commits:
commit f6397113666f06848412bb12f754f04258cfa5fa
Author: Noriko Hosoi nhosoi@redhat.com
Date:   Wed Oct 19 16:51:48 2011 -0700
Reduce the number of DN normalization
. Adding SLAPI_TARGET_SDN as well as its macros, SLAPI_SEARCH_TARGET_
      SDN SLAPI_ADD_TARGET_SDN, SLAPI_MODIFY_TARGET_SDN, etc.
    . Adding SLAPI_MODRDN_NEWSUPERIOR_SDN.
    . SLAPI_TARGET_DN and SLAPI_MODRDN_NEWSUPERIOR are kept for the back-
      ward compatibility.  But they are marked as deprecated.  They are
      pointing dn in SLAPI_TARGET_SDN and SLAPI_MODRDN_NEWSUPERIOR_SDN,
      respectively.
    . slapi_pblock_set(.., SLAPI_TARGET_DN/SLAPI_MODRDN_NEWSUPERIOR, dn)
      takes dn string and reset Slapi_DN to SLAPI_TARGET_SDN/SLAPI_MODRDN_
      NEWSUPERIOR_SDN.
    . slapi_pblock_get(.., SLAPI_TARGET_DN/SLAPI_MODRDN_NEWSUPERIOR, &dn)
      retrieves dn out of SLAPI_TARGET_SDN/SLAPI_MODRDN_NEWSUPERIOR_SDN.
    . Replacing slapi_dn_normalization_ext call with generating Slapi_DN
      APIs (e.g., slapi_sdn_new_dn_...) as much as possible and stash it
      in pblock using SLAPI_TARGET_SDN.
    . When a normalized DN string is needed, get it using slapi_sdn_get_[n]dn
      from the stashed Slapi_DN.
    . Introduced a new field "udn" to Slapi_DN.
      "udn" is an original DN.
      "dn" is its normalized DN.
      "ndn" is its case-lowered normalized DN.
      Note: slapi_sdn_get_ndn_len represents the length of the normalized
      DN, which is "dn" as well as "ndn".  Thus, instead of calling strlen
      for the normalized dn, using slapi_sdn_get_ndn_len, as much as possible.
    . Taking advantage of the knowledge of the stage of the DN, call the
      most efficient DN creating API (e.g., slapi_sdn_new_dn_... vs.
      slapi_sdn_new_normdn_... vs. slapi_sdn_new_ndn_...)
Others
    . Replacing inefficient array assignment with memset (acl.c) and
      memcpy (idl_common.c).
    . Fixing invalid memory access in LASDnsBuild (lib/libaccess/lasdns.cpp).
    . Fixing compiler warnings.
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 6d9edb3..5969bec 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -32,7 +32,7 @@ Hewlett-Packard Development Company, L.P.
   login time plus the limit to decide whether to deny the bind.
 */
 static int
-acct_inact_limit( Slapi_PBlock *pb, char *dn, Slapi_Entry *target_entry, acctPolicy *policy )
+acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, acctPolicy *policy )
 {
    char *lasttimestr = NULL;
    time_t lim_t, last_t, cur_t;
@@ -153,7 +153,7 @@ done:
 int
 acct_bind_preop( Slapi_PBlock *pb )
 {
-	char *dn = NULL;
+	const char *dn = NULL;
    Slapi_DN *sdn = NULL;
    Slapi_Entry *target_entry = NULL;
    int rc = 0; /* Optimistic default */
@@ -167,20 +167,19 @@ acct_bind_preop( Slapi_PBlock *pb )
    plugin_id = get_identity();
/* This does not give a copy, so don't free it */
-	if( slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn ) != 0 ) {
+	if( slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) != 0 ) {
    	slapi_log_error( SLAPI_LOG_FATAL, PRE_PLUGIN_NAME,
    		"Error retrieving target DN\n" );
    	rc = -1;
    	goto done;
    }
+	dn = slapi_sdn_get_dn(sdn);
/* The plugin wouldn't get called for anonymous binds but let's check */
    if ( dn == NULL ) {
    	goto done;
    }
-	sdn = slapi_sdn_new_dn_byref( dn );
-
    ldrc = slapi_search_internal_get_entry( sdn, NULL, &target_entry,
    	plugin_id );
@@ -222,8 +221,6 @@ done:
slapi_entry_free( target_entry );
-	slapi_sdn_free( &sdn );
-
    free_acctpolicy( &policy );
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 657c5ec..0ae1a24 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -95,8 +95,8 @@ static void print_access_control_summary( char * source,
    								char *attr,
    								const char *edn,
    								aclResultReason_t *acl_reason);
-static int check_rdn_access( Slapi_PBlock *pb,Slapi_Entry *e, char * newrdn,
-						int access);
+static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, 
+                             const char * newrdn, int access);
/*
@@ -117,7 +117,9 @@ acl_access_allowed_modrdn(
    )
 {
    int retCode ;
-	char *newrdn, *oldrdn;
+	char *newrdn;
+	const char *oldrdn;
+	Slapi_DN *target_sdn = NULL;
    int deleteoldrdn = 0;
/*
@@ -134,9 +136,8 @@ acl_access_allowed_modrdn(
    }
/* Now get the new rdn attribute name and value */
-
-	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &oldrdn );
-    slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
+	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &target_sdn );
+	slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
/* Check can add the new naming attribute */
    retCode = check_rdn_access( pb, e, newrdn, ACLPB_SLAPI_ACL_WRITE_ADD) ;
@@ -149,6 +150,7 @@ acl_access_allowed_modrdn(
    /* Check can delete the new naming attribute--if required */
    slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &deleteoldrdn );
    if ( deleteoldrdn ) {
+		oldrdn = slapi_sdn_get_dn(target_sdn);
    	retCode = check_rdn_access( pb, e, oldrdn, ACLPB_SLAPI_ACL_WRITE_DEL) ;
    	if ( retCode != LDAP_SUCCESS ) {
    		slapi_log_error( SLAPI_LOG_ACL, plugin_name,
@@ -164,7 +166,7 @@ acl_access_allowed_modrdn(
  * Test if have access to make the first rdn of dn in entry e.
 */
-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, char *dn,
+static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn,
    					int access) {
    
    char **dns;
@@ -320,7 +322,7 @@ acl_access_allowed(
    TNF_PROBE_0_DEBUG(acl_skipaccess_end,"ACL","");
-	/* Get the bindDN */
+	/* Get the bindDN (normalized & case-ignored) */
    slapi_pblock_get ( pb, SLAPI_REQUESTOR_DN, &clientDn );
/* Initialize aclpb */
@@ -486,7 +488,7 @@ acl_access_allowed(
    	
    	TNF_PROBE_0_DEBUG(acl_aciscan_start,"ACL","");
    	slapi_sdn_done ( aclpb->aclpb_curr_entry_sdn );
-		slapi_sdn_set_dn_byval ( aclpb->aclpb_curr_entry_sdn, n_edn );
+		slapi_sdn_set_ndn_byval ( aclpb->aclpb_curr_entry_sdn, n_edn );
    	acllist_aciscan_update_scan ( aclpb, n_edn ); 
    	TNF_PROBE_0_DEBUG(acl_aciscan_end,"ACL","");
@@ -1064,16 +1066,14 @@ acl_read_access_allowed_on_entry (
    			 * which was found in the entry and that attribute is
    			 * now in aclpb_Evalattr
    			*/
-				aclpb->aclpb_state |= 
-					ACLPB_ACCESS_ALLOWED_USERATTR;
+				aclpb->aclpb_state |= ACLPB_ACCESS_ALLOWED_USERATTR;
    		} else {
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
    			/*
    			 * Access was granted to _an_ attribute in the entry and that
    			 * attribute is now in aclpb_Evalattr
    			*/
-				aclpb->aclpb_state |= 
-					ACLPB_ACCESS_ALLOWED_ON_A_ATTR;
+				aclpb->aclpb_state |= ACLPB_ACCESS_ALLOWED_ON_A_ATTR;
 #ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES
    		}
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
@@ -1084,8 +1084,8 @@ acl_read_access_allowed_on_entry (
    	} else {
    		/* try the next one */
    		attr_type = NULL;
-#ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES
-			if (attr_index >= 0) { 
+#ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES 
+			if (attr_index >= 0) {
    			attr_type = attrs[attr_index++];
    		} else {
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
@@ -1546,7 +1546,7 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
    Slapi_DN		*e_sdn;
    aclUserGroup	*ugroup = NULL;
    
-	e_sdn = slapi_sdn_new_ndn_byval ( n_dn );
+	e_sdn = slapi_sdn_new_normdn_byval ( n_dn );
    /* Before we proceed, Let's first check if we are changing any groups.
    ** If we are, then we need to change the signature
    */
@@ -1836,7 +1836,6 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
    int				allow_handle;
    int				gen_allow_handle = ACI_MAX_ELEVEL+1;
    int				gen_deny_handle = ACI_MAX_ELEVEL+1;
-	int				i;
    PRUint32		cookie;
    
    TNF_PROBE_0_DEBUG(acl__scan_for_acis_start,"ACL","");
@@ -1849,20 +1848,18 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
    		aclpb->aclpb_handles_index[0] != -1 ) {
    		int kk = 0;
    		while ( kk < ACLPB_MAX_SELECTED_ACLS && aclpb->aclpb_handles_index[kk] != -1 ) {
-				slapi_log_error(SLAPI_LOG_ACL, plugin_name, "Using ACL Cointainer:%d for evaluation\n", kk);
+				slapi_log_error(SLAPI_LOG_ACL, plugin_name, "Using ACL Container:%d for evaluation\n", kk);
    			kk++;
    		}
    }
-		
+
    memset (&errp, 0, sizeof(NSErr_t));
    *err = ACL_FALSE;
    aclpb->aclpb_num_deny_handles = -1;
    aclpb->aclpb_num_allow_handles = -1;
-	for (i=0; i <= ACI_MAX_ELEVEL; i++) {
-		aclpb->aclpb_deny_handles [i] = NULL;
-		aclpb->aclpb_allow_handles [i] = NULL;
-	}
-		
+	memset(aclpb->aclpb_deny_handles, 0, sizeof(aci_t *)*(ACI_MAX_ELEVEL+1));
+	memset(aclpb->aclpb_allow_handles, 0, sizeof(aci_t *)*(ACI_MAX_ELEVEL+1));
+
    /* Check the signature. If it has changed, start fresh */
    if ( aclpb->aclpb_signature != acl_signature ) {
    	slapi_log_error (SLAPI_LOG_ACL, plugin_name, 
@@ -1873,7 +1870,6 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
    attr_matched = ACL_FALSE;
    deny_handle = 0;
    allow_handle = 0;
-	i = 0;
aclpb->aclpb_stat_acllist_scanned++;
    aci = acllist_get_first_aci ( aclpb, &cookie );
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 0d97769..8747de1 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -838,7 +838,7 @@ void		aclutil_print_resource( struct acl_pblock *aclpb, char *right , char *attr
 char *		aclutil_expand_paramString ( char *str, Slapi_Entry *e );
-void		acllist_init_scan (Slapi_PBlock *pb, int scope, char *base);
+void		acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base);
 aci_t * 	acllist_get_first_aci (Acl_PBlock *aclpb, PRUint32 *cookie );
 aci_t * 	acllist_get_next_aci ( Acl_PBlock *aclpb, aci_t *curraci, PRUint32 *cookie );
 aci_t *		acllist_get_aci_new ();
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 61d8dd1..df7d1ed 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -658,7 +658,7 @@ error:
/* Initializes the aclpb */
 void 
-acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_from_aclcb)
+acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
 {
    struct acl_cblock	*aclcb = NULL;
    char				*authType;
@@ -685,8 +685,8 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_
    aclpb->aclpb_state = ACLPB_INITIALIZED;
/* We make an anonymous user a non null dn which is empty */
-	if (dn && *dn != '\0' ) 
-		slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, dn );
+	if (ndn && *ndn != '\0' ) 
+		slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, ndn );
    else
    	slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, "" );
@@ -716,7 +716,7 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_
    slapi_pblock_get ( pb, SLAPI_CONN_CERT, &aclpb->aclpb_clientcert );
/* See if the we have already a cached info about user's group */
-	aclg_init_userGroup ( aclpb, dn, 0 /* get lock */ );
+	aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
    slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index b596c8f..3d1f754 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -197,7 +197,6 @@ _ger_parse_control (
    size_t subjectndnlen = 0;
    char *orig = NULL;
    char *normed = NULL;
-	int rc = 0;
if (NULL == subjectndn)
    {
@@ -268,22 +267,17 @@ _ger_parse_control (
    }
/* memmove is safe for overlapping copy */
-	rc = slapi_dn_normalize_ext(orig + 3, 0, &normed, &subjectndnlen);
-	if (rc < 0) {
-		aclutil_str_append ( errbuf, "get-effective-rights: failed to normalize dn: ");
-		aclutil_str_append ( errbuf, orig);
-		slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
+	normed = slapi_create_dn_string("%s", orig + 3);
+	if (NULL == normed) {
+		aclutil_str_append (errbuf, "get-effective-rights: failed to normalize dn: ");
+		aclutil_str_append (errbuf, orig);
+		slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf);
    	slapi_ch_free_string(&orig);
    	return LDAP_INVALID_SYNTAX;
    }
-	if (rc == 0) { /* orig+3 is passed in; not terminated */
-		*(normed + subjectndnlen) = '\0';
-		*subjectndn = slapi_ch_strdup(normed);
-		slapi_ch_free_string(&orig);
-	} else {
-		slapi_ch_free_string(&orig);
-		*subjectndn = normed;
-	}
+	slapi_ch_free_string(&orig);
+	*subjectndn = normed;
+	slapi_dn_ignore_case(*subjectndn);
    return LDAP_SUCCESS;
 }
@@ -839,7 +833,8 @@ _ger_generate_template_entry (
    char *object = NULL;
    char *superior = NULL;
    char *p = NULL;
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
    char *dntype = NULL;
    int siz = 0;
    int len = 0;
@@ -856,8 +851,6 @@ _ger_generate_template_entry (
    	rc = LDAP_SUCCESS;
    	goto bailout;
    }
-	/* get the target dn where the template entry is located */
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
    for (i = 0; gerattrs && gerattrs[i]; i++)
    {
    	object = strchr(gerattrs[i], '@');
@@ -907,6 +900,9 @@ _ger_generate_template_entry (
    		siz += strlen(attrs[i]) + 4 + 20;
    	}
    }
+	/* get the target dn where the template entry is located */
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
    if (dn)
    {
    	/* dn: <attr>=<template_name>,<dn>\n\0 */
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index e08c70c..4a82717 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -671,19 +671,17 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
    				break;
    			}
    			if (rc == ACL_ERR) {
-			   		slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
-			    			"DS_LASUserDnEval:Error in matching patteren(%s)\n",
-			     			user);
+					slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
+							"DS_LASUserDnEval:Error in matching patteren(%s)\n",
+							user);
    			}
    			slapi_filter_free(f,1);
    		} else {
    			/* Must be a simple dn then */
-				char *normed = NULL;
-				size_t dnlen = 0;
-				rc = slapi_dn_normalize_ext(user, 0, &normed, &dnlen);
-				if (rc == 0) { /* user passed in; not terminated */
-					*(normed + dnlen) = '\0';
-				} else if (rc < 0) { /* normalization failed, user the original */
+				char *normed = slapi_create_dn_string("%s", user);
+				if (NULL == normed) {
+					slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+						"DS_LASUserDnEval:Error in normalizing dn(%s)\n", user);
    				normed = user;
    			}
    			rc = slapi_utf8casecmp((ACLUCHP)lasinfo.clientDn, (ACLUCHP)normed);
@@ -2375,7 +2373,7 @@ static int
 acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
 {
    struct eval_info	*info;
- 	Slapi_Attr		*currAttr, *nextAttr;
+	Slapi_Attr		*currAttr, *nextAttr;
    char			*n_dn = NULL, *attrType;
    int				n;
    int				i;
@@ -2383,7 +2381,7 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
    info = (struct eval_info *) callback_data;
    info->result = ACL_FALSE;
- 	if (e == NULL) {
+	if (e == NULL) {
    	return 0;
    }
@@ -2397,14 +2395,14 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
    	Slapi_Value *sval = NULL;
    	const struct berval		*attrVal;
- 		if ((strcasecmp (attrType, type_member) == 0) ||
- 				(strcasecmp (attrType, type_uniquemember) == 0 ))  {
+		if ((strcasecmp (attrType, type_member) == 0) ||
+		    (strcasecmp (attrType, type_uniquemember) == 0 ))  {
i = slapi_attr_first_value ( currAttr,&sval );
    		while ( i != -1 ) {
    			struct member_info	*groupMember = NULL;
    			attrVal = slapi_value_get_berval ( sval );
-				n_dn = slapi_create_dn_string( attrVal->bv_val );
+				n_dn = slapi_create_dn_string( "%s", attrVal->bv_val );
    			if (NULL == n_dn) {
    				slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
    					"acllas__handle_group_entry: Invalid syntax: %s\n",
@@ -3496,7 +3494,6 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
    Slapi_Filter	*f = NULL;
    char *rawdn = NULL;
    char *dn = NULL;
-	size_t dnlen = 0;
    char *p = NULL;
    char *normed = NULL;
    /* ldap(s)://host:port/suffix?attrs?scope?filter */
@@ -3588,26 +3585,22 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
    	/* url has scope and/or filter: ldap(s):///suffix?attr?scope?filter */
    	*p = '\0'; /* null terminate the dn part of rawdn */
    }
-	rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-	if (rc < 0) {
+	dn = slapi_create_dn_string("%s", rawdn);
+	if (NULL == dn) {
    	slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
-						 "acllas__client_match_URL: error normalizing dn [%s] part of URL [%s]\n", rawdn, url);
+		                 "acllas__client_match_URL: error normalizing dn [%s] part of URL [%s]\n",
+		                 rawdn, url);
    	goto done;
-	} else if (rc == 0) { /* url is passed in and not terminated with NULL*/
-		*(dn + dnlen) = '\0';
    }
-	/* else - rawdn normalized in place */
+
    normed = slapi_ch_smprintf("%s%s%s%s%s", 
-			 (prefix_len==LDAP_URL_prefix_len)?
-			  LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
-							   hostport?hostport:"", dn, p?"?":"",p?p+1:"");
+	                           (prefix_len==LDAP_URL_prefix_len)?
+	                           LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
+	                           hostport?hostport:"", dn, p?"?":"",p?p+1:"");
    if (p) {
    	*p = Q; /* put the Q back in rawdn which will un-null terminate the DN part */
    }
-	if (rc > 0) {
-		/* dn was allocated in slapi_dn_normalize_ext */
-		slapi_ch_free_string(&dn);
-	}
+	slapi_ch_free_string(&dn);
    rc = slapi_ldap_url_parse(normed, &ludp, 1, NULL);
    if (rc) {
    	slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
index b95baac..7e5221d 100644
--- a/ldap/servers/plugins/acl/acllist.c
+++ b/ldap/servers/plugins/acl/acllist.c
@@ -597,7 +597,7 @@ static void free_targetattrfilters( Targetattrfilter ***attrFilterArray) {
/* SEARCH */
 void
-acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
+acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
 {
    Acl_PBlock			*aclpb;
    int					i;
@@ -625,7 +625,7 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
/* If base is NULL - it means we are going to go thru all the ACLs
     * This is needed when we do anonymous profile generation.
- 	 */
+	 */
    if ( NULL == base ) {
    	return;
    }
@@ -638,22 +638,28 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
    index = 0;
    aclpb->aclpb_search_base = slapi_ch_strdup ( base );
-	while (basedn ) {
+	while (basedn) {
    	char		*tmp = NULL;
    	
-		slapi_sdn_set_ndn_byref ( aclpb->aclpb_aclContainer->acic_sdn, basedn );
+		slapi_sdn_set_normdn_byref(aclpb->aclpb_aclContainer->acic_sdn, basedn);
-		root = (AciContainer *) avl_find( acllistRoot, 
-									(caddr_t) aclpb->aclpb_aclContainer, 
-									(IFP) __acllist_aciContainer_node_cmp);
+		root = (AciContainer *) avl_find(acllistRoot, 
+		                                 (caddr_t) aclpb->aclpb_aclContainer, 
+		                                 (IFP) __acllist_aciContainer_node_cmp);
    	if ( index >= ACLPB_MAX_SELECTED_ACLS -2 ) {
    		aclpb->aclpb_handles_index[0] = -1;
    		slapi_ch_free ( (void **) &basedn);
    		break;
-		} else  if ( NULL != root ) {
+		} else if ( NULL != root ) {
    		aclpb->aclpb_base_handles_index[index++] = root->acic_index;
    		aclpb->aclpb_base_handles_index[index] = -1;
-		} 
+		} else if ( NULL == root ) {
+			/* slapi_dn_parent returns the "parent" dn syntactically.
+			 * Most likely, basedn is above suffix (e.g., dn=com).
+			 * Thus, no need to make it FATAL. */
+			slapi_log_error ( SLAPI_LOG_ACL, plugin_name, 
+			                  "Failed to find root for base: %s \n", basedn );
+		}
    	tmp = slapi_dn_parent ( basedn );
    	slapi_ch_free ( (void **) &basedn);
    	basedn = tmp;
@@ -679,11 +685,12 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
  * the given operation.
 */
+/* edn is normalized & case-ignored */
 void 
 acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
 {
-	int		i, index = 0;
+	int		index = 0;
    char		*basedn = NULL;
    AciContainer	*root;
    int is_not_search_base = 1;
@@ -700,15 +707,13 @@ acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
     * This stuff is only used if it's a search operation.
     */
    if ( aclpb->aclpb_search_base ) {
-	 	while ( aclpb->aclpb_base_handles_index[index] != -1 &&
-				index < ACLPB_MAX_SELECTED_ACLS -2 ) {
-			aclpb->aclpb_handles_index[index] = 
-				aclpb->aclpb_base_handles_index[index];
-			index++;
-		}
    	if ( strcasecmp ( edn, aclpb->aclpb_search_base) == 0) {
    		is_not_search_base = 0;
    	}
+		for (index = 0; (aclpb->aclpb_base_handles_index[index] != -1) && 
+		                (index < ACLPB_MAX_SELECTED_ACLS - 2); index++) ;
+		memcpy(aclpb->aclpb_handles_index, aclpb->aclpb_base_handles_index,
+		       sizeof(*aclpb->aclpb_handles_index) * index);
    }
    aclpb->aclpb_handles_index[index] = -1;
@@ -760,11 +765,6 @@ acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
    }
acllist_done_aciContainer ( aclpb->aclpb_aclContainer );
-	i = 0;
-	while ( i < ACLPB_MAX_SELECTED_ACLS && aclpb->aclpb_handles_index[i]  != -1 ) {
-		i++;
-	}
-
 }
aci_t *
@@ -889,6 +889,7 @@ acllist_acicache_WRITE_LOCK( )
 }
/* This routine must be called with the acicache write lock taken */
+/* newdn is normalized & case-ignored */
 int
 acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn )
 {
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index a137db9..15b373b 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -533,8 +533,7 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
 {
    char *p = NULL;
    int rc = -1; 
-	char *dn = NULL;
-	size_t dnlen = 0;
+	const char *dn = NULL;
p = PL_strnstr(src, LDAP_URL_prefix, endsrc - src);
    if (p) {
@@ -553,6 +552,8 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
    rc = 0;
    if (p && strlen(p) > 0) {
    	size_t len = 0;
+		Slapi_DN sdn;
+		char bak;
    	/* strip the string starting from ? */
    	char *q = PL_strnchr(p, '?', endsrc - p);
    	if (q) {
@@ -560,18 +561,17 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
    	} else {
    		len = endsrc - p;
    	}
+		bak = *(p + len);
+		*(p + len) = '\0';
    	/* Normalize the value of userdn and append it to ret_str */
-		rc = slapi_dn_normalize_ext(p, len, &dn, &dnlen);
-		if (rc < 0) {
-			return rc;
-		}
+		slapi_sdn_init_dn_byref(&sdn, p);
+		dn = slapi_sdn_get_dn(&sdn);
    	/* append up to ldap(s):/// */
    	aclutil_str_append_ext(dest, destlen, start, p - start);
    	/* append the DN part */
-		aclutil_str_append_ext(dest, destlen, dn, dnlen);
-		if (rc > 0) { /* if rc == 0, p is passed in */
-			slapi_ch_free_string(&dn);
-		}
+		aclutil_str_append_ext(dest, destlen, dn, strlen(dn));
+		slapi_sdn_done(&sdn);
+		*(p + len) = bak;
    	if (q) {
    		/* append the rest from '?' */
    		aclutil_str_append_ext(dest, destlen, q, endsrc - q);
diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c
index 66ef707..ecd1e11 100644
--- a/ldap/servers/plugins/acl/aclplugin.c
+++ b/ldap/servers/plugins/acl/aclplugin.c
@@ -135,7 +135,8 @@ static int
 aclplugin_preop_search ( Slapi_PBlock *pb )
 {
    int 		scope;
-	char		*base = NULL;
+	const char	*base = NULL;
+	Slapi_DN	*sdn = NULL;
    int			optype;
    int			isRoot;
    int			rc = 0;
@@ -151,7 +152,8 @@ aclplugin_preop_search ( Slapi_PBlock *pb )
    	return rc;
    }
-	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &sdn );
+	base = slapi_sdn_get_dn(sdn);
    /* For anonymous client  doing search nothing needs to be set up */
    if ( optype == SLAPI_OPERATION_SEARCH && aclanom_is_client_anonymous ( pb )  &&
    		! slapi_dn_issuffix( base, "cn=monitor") ) {
@@ -244,7 +246,7 @@ aclplugin_preop_common( Slapi_PBlock *pb )
    	slapi_log_error( SLAPI_LOG_ACL, plugin_name,
    			"proxied authorization dn is (%s)\n", proxy_dn );
    	acl_init_aclpb ( pb, aclpb, proxy_dn, 1 );
-		aclpb = acl_new_proxy_aclpb (pb );
+		aclpb = acl_new_proxy_aclpb ( pb );
    	acl_init_aclpb ( pb, aclpb, dn, 0 );
    	slapi_ch_free ( (void **) &proxy_dn );
    	
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index 2e1d496..89ed1da 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -92,10 +92,10 @@ static void automember_free_config_entry(struct configEntry ** entry);
 /*
  * helpers
  */
-static char *automember_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *automember_get_sdn(Slapi_PBlock *pb);
 static Slapi_DN *automember_get_config_area();
 static void automember_set_config_area(Slapi_DN *sdn);
-static int automember_dn_is_config(char *dn);
+static int automember_dn_is_config(Slapi_DN *sdn);
 static int automember_oktodo(Slapi_PBlock *pb);
 static int automember_isrepl(Slapi_PBlock *pb);
 static void automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e);
@@ -275,7 +275,7 @@ automember_postop_init(Slapi_PBlock *pb)
 static int
 automember_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
     char *config_area = NULL;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -298,14 +298,14 @@ automember_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == slapi_sdn_get_ndn_len(plugindn)) {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_start: unable to retrieve plugin dn\n");
         return -1;
     }
-    automember_set_plugin_sdn(slapi_sdn_new_dn_byref(plugindn));
+    automember_set_plugin_sdn(slapi_sdn_dup(plugindn));
/* Set the alternate config area if one is defined. */
     slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
@@ -804,28 +804,19 @@ automember_delete_config()
     return;
 }
-
-/*
- * Helper functions
- */
-static char *
-automember_get_dn(Slapi_PBlock * pb)
+static Slapi_DN *
+automember_get_sdn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                    "--> automember_get_dn\n");
+                    "--> automember_get_sdn\n");
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
-        slapi_log_error(SLAPI_LOG_FATAL, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                        "automember_get_dn: failed to get dn of changed entry");
-        goto bail;
-    }
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
-  bail:
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                    "<-- automember_get_dn\n");
+                    "<-- automember_get_sdn\n");
-    return dn;
+    return sdn;
 }
void
@@ -846,20 +837,17 @@ automember_get_config_area()
  * Checks if dn is an auto membership config entry.
  */
 static int
-automember_dn_is_config(char *dn)
+automember_dn_is_config(Slapi_DN *sdn)
 {
     int ret = 0;
-    Slapi_DN *sdn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_dn_is_config\n");
-    if (dn == NULL) {
+    if (sdn == NULL) {
         goto bail;
     }
-    sdn = slapi_sdn_new_dn_byref(dn);
-
     /* If an alternate config area is configured, treat it's child
      * entries as config entries.  If the alternate config area is
      * not configured, treat children of the top-level plug-in
@@ -877,7 +865,6 @@ automember_dn_is_config(char *dn)
     }
bail:
-    slapi_sdn_free(&sdn);
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "<-- automember_dn_is_config\n");
@@ -1579,7 +1566,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
 static int
 automember_pre_op(Slapi_PBlock * pb, int modop)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     Slapi_Entry *e = 0;
     Slapi_Mods *smods = 0;
     LDAPMod **mods;
@@ -1594,10 +1581,10 @@ automember_pre_op(Slapi_PBlock * pb, int modop)
     if (!g_plugin_started)
         goto bail;
-    if (0 == (dn = automember_get_dn(pb)))
+    if (0 == (sdn = automember_get_sdn(pb)))
         goto bail;
-    if (automember_dn_is_config(dn)) {
+    if (automember_dn_is_config(sdn)) {
         /* Validate config changes, but don't apply them.
          * This allows us to reject invalid config changes
          * here at the pre-op stage.  Applying the config
@@ -1609,10 +1596,8 @@ automember_pre_op(Slapi_PBlock * pb, int modop)
         } else if (LDAP_CHANGETYPE_MODIFY == modop) {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
-            if (tmp_dn) {
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, automember_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+            if (sdn) {
+                slapi_search_internal_get_entry(sdn, 0, &e, automember_get_plugin_id());
                 free_entry = 1;
             }
@@ -1692,7 +1677,7 @@ automember_mod_pre_op(Slapi_PBlock * pb)
 static int
 automember_mod_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_mod_post_op\n");
@@ -1702,9 +1687,9 @@ automember_mod_post_op(Slapi_PBlock *pb)
         goto bail;
     }
-    if (automember_oktodo(pb) && (dn = automember_get_dn(pb))) {
+    if (automember_oktodo(pb) && (sdn = automember_get_sdn(pb))) {
         /* Check if the config is being modified and reload if so. */
-        if (automember_dn_is_config(dn)) {
+        if (automember_dn_is_config(sdn)) {
             automember_load_config();
         }
     }
@@ -1720,7 +1705,7 @@ static int
 automember_add_post_op(Slapi_PBlock *pb)
 {
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     struct configEntry *config = NULL;
     PRCList *list = NULL;
@@ -1732,14 +1717,15 @@ automember_add_post_op(Slapi_PBlock *pb)
         return 0;
/* Reload config if a config entry was added. */
-    if ((dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(dn)) {
+    if ((sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(sdn)) {
             automember_load_config();
         }
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_add_post_op: Error "
                         "retrieving dn\n");
+        goto bail;
     }
/* If replication, just bail. */
@@ -1777,7 +1763,7 @@ automember_add_post_op(Slapi_PBlock *pb)
                 config = (struct configEntry *)list;
/* Does the entry meet scope and filter requirements? */
-                if (slapi_dn_issuffix(dn, config->scope) &&
+                if (slapi_dn_issuffix(slapi_sdn_get_dn(sdn), config->scope) &&
                     (slapi_filter_test_simple(e, config->filter) == 0)) {
                     /* Find out what membership changes are needed and make them. */
                     automember_update_membership(config, e);
@@ -1791,9 +1777,9 @@ automember_add_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_add_post_op: Error "
-                        "retrieving post-op entry %s\n", dn);
+                        "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
-
+bail:
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "<-- automember_add_post_op\n");
@@ -1808,7 +1794,7 @@ automember_add_post_op(Slapi_PBlock *pb)
 static int
 automember_del_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_del_post_op\n");
@@ -1819,8 +1805,8 @@ automember_del_post_op(Slapi_PBlock *pb)
     }
/* Reload config if a config entry was deleted. */
-    if ((dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(dn))
+    if ((sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(sdn))
             automember_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -1843,8 +1829,8 @@ automember_del_post_op(Slapi_PBlock *pb)
 static int
 automember_modrdn_post_op(Slapi_PBlock *pb)
 {
-    char *old_dn = NULL;
-    char *new_dn = NULL;
+    Slapi_DN *old_sdn = NULL;
+    Slapi_DN *new_sdn = NULL;
     Slapi_Entry *post_e = NULL;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -1859,7 +1845,7 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
      * config entries. */
     slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &post_e);
     if (post_e) {
-        new_dn = slapi_entry_get_ndn(post_e);
+        new_sdn = slapi_entry_get_sdn(post_e);
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_modrdn_post_op: Error "
@@ -1867,8 +1853,8 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
         return 0;
     }
-    if ((old_dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(old_dn) || automember_dn_is_config(new_dn))
+    if ((old_sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(old_sdn) || automember_dn_is_config(new_sdn))
             automember_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/chainingdb/cb_add.c b/ldap/servers/plugins/chainingdb/cb_add.c
index 501865a..116ac92 100644
--- a/ldap/servers/plugins/chainingdb/cb_add.c
+++ b/ldap/servers/plugins/chainingdb/cb_add.c
@@ -65,41 +65,44 @@ chaining_back_add ( Slapi_PBlock *pb )
    char         		**referrals=NULL;
    LDAPMod			** mods;
    LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	char 			* matched_msg, *error_msg;
+	const char		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
    char			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
    cb_outgoing_conn	*cnx;
    
    if ( (rc=cb_forward_operation(pb)) != LDAP_SUCCESS ) {
-               	cb_send_ldap_result( pb, rc, NULL, "Remote data access disabled", 0, NULL );
+		cb_send_ldap_result( pb, rc, NULL, "Remote data access disabled", 0, NULL );
    	return -1;
    }
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
    cb = cb_get_instance(be);
/* Update monitor info */
    cb_update_monitor_info(pb,cb,SLAPI_OPERATION_ADD);
/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
      return -1;
-        }
+	}
+	slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e );
- 	slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e );
+	dn = slapi_sdn_get_dn(sdn);
/* Check local access controls */
    if (cb->local_acl && !cb->associated_be_is_disabled) {
    	char * errbuf=NULL;
-        	rc = cb_access_allowed (pb, e, NULL, NULL, SLAPI_ACL_ADD, &errbuf);
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                	slapi_ch_free((void **)&errbuf);
+		rc = cb_access_allowed (pb, e, NULL, NULL, SLAPI_ACL_ADD, &errbuf);
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
    		return -1;
    	}
-        }
+	}
/* Build LDAPMod from the SLapi_Entry */
    cb_eliminate_illegal_attributes(cb,e);
diff --git a/ldap/servers/plugins/chainingdb/cb_bind.c b/ldap/servers/plugins/chainingdb/cb_bind.c
index 0d46b7a..edc45f3 100644
--- a/ldap/servers/plugins/chainingdb/cb_bind.c
+++ b/ldap/servers/plugins/chainingdb/cb_bind.c
@@ -47,10 +47,11 @@ cb_free_bervals( struct berval **bvs );
static int
-cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
-        struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp , int * status);
+cb_sasl_bind_once_s( cb_conn_pool *pool, const char *dn, int method, 
+                     char * mechanism, struct berval *creds, 
+                     LDAPControl **reqctrls, char **matcheddnp, 
+                     char **errmsgp, struct berval ***refurlsp,
+                     LDAPControl ***resctrlsp , int * status);
/*
  * Attempt to chain a bind request off to "srvr." We return an LDAP error
@@ -67,17 +68,18 @@ cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
static int
 cb_sasl_bind_s(Slapi_PBlock * pb, cb_conn_pool *pool, int tries,
-        char *dn, int method,char * mechanism, struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp ,int *status) {
-
+               const char *dn, int method,char * mechanism, 
+               struct berval *creds, LDAPControl **reqctrls,
+               char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
+               LDAPControl ***resctrlsp ,int *status)
+{
     int         rc;
do {
          /* check to see if operation has been abandoned...*/
-	if (LDAP_AUTH_SIMPLE!=method)
-		return LDAP_AUTH_METHOD_NOT_SUPPORTED;
+    if (LDAP_AUTH_SIMPLE!=method)
+        return LDAP_AUTH_METHOD_NOT_SUPPORTED;
if ( slapi_op_abandoned( pb )) {
             rc = LDAP_USER_CANCELLED;
@@ -91,10 +93,11 @@ cb_sasl_bind_s(Slapi_PBlock * pb, cb_conn_pool *pool, int tries,
 }
static int
-cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
-        struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp , int * status )
+cb_sasl_bind_once_s( cb_conn_pool *pool, const char *dn, int method, 
+                     char * mechanism, struct berval *creds, 
+                     LDAPControl **reqctrls, char **matcheddnp, 
+                     char **errmsgp, struct berval ***refurlsp,
+                     LDAPControl ***resctrlsp , int * status )
 {
     int                 rc, msgid;
     char                **referrals;
@@ -225,18 +228,20 @@ release_and_return:
 }
int
-chainingdb_bind( Slapi_PBlock *pb ) {
+chainingdb_bind( Slapi_PBlock *pb )
+{
int 			status=LDAP_SUCCESS;
    int 			allocated_errmsg;
    int 			rc=LDAP_SUCCESS;
    cb_backend_instance 	*cb;
    Slapi_Backend		*be;
-	char                    *dn;
-        int                     method;
-        struct berval           *creds, **urls;
+	const char      *dn = NULL;
+	Slapi_DN        *sdn = NULL;
+	int                     method;
+	struct berval           *creds, **urls;
    char 			*matcheddn,*errmsg;
-    	LDAPControl         	**reqctrls, **resctrls, **ctrls;
+	LDAPControl         	**reqctrls, **resctrls, **ctrls;
    char 			* mechanism;
    int 			freectrls=1;
    int 			bind_retry;
@@ -258,16 +263,18 @@ chainingdb_bind( Slapi_PBlock *pb ) {
    if (ctrls)
    	ldap_controls_free(ctrls);
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-        slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method );
    slapi_pblock_get( pb, SLAPI_BIND_SASLMECHANISM, &mechanism);
-        slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds );
-        slapi_pblock_get( pb, SLAPI_REQCONTROLS, &reqctrls );
-        cb = cb_get_instance(be);
+	slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds );
+	slapi_pblock_get( pb, SLAPI_REQCONTROLS, &reqctrls );
+	cb = cb_get_instance(be);
-	if ( NULL == dn ) 
-		dn="";
+	if ( NULL == sdn ) {
+		sdn = slapi_sdn_new_ndn_byval("");
+	}
+	dn = slapi_sdn_get_ndn(sdn);
/* always allow noauth simple binds */
         if (( method == LDAP_AUTH_SIMPLE) && creds->bv_len == 0 ) {
diff --git a/ldap/servers/plugins/chainingdb/cb_compare.c b/ldap/servers/plugins/chainingdb/cb_compare.c
index ccbc175..16f6c7b 100644
--- a/ldap/servers/plugins/chainingdb/cb_compare.c
+++ b/ldap/servers/plugins/chainingdb/cb_compare.c
@@ -63,29 +63,33 @@ chaining_back_compare ( Slapi_PBlock *pb )
    LDAP 			*ld=NULL;
    char         		**referrals=NULL;
    LDAPMessage		* res;
-	char 			*type,*dn,* matched_msg, *error_msg;
+	char 			*type, *matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL; 
    char 			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
    cb_outgoing_conn	*cnx;
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-        	cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
    cb = cb_get_instance(be);
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_COMPARE);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_COMPARE);
/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
+
+	slapi_pblock_get( pb, SLAPI_COMPARE_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_COMPARE_TYPE, &type );
+	slapi_pblock_get( pb, SLAPI_COMPARE_VALUE, &bval );
-        slapi_pblock_get( pb, SLAPI_COMPARE_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_COMPARE_TYPE, &type );
-        slapi_pblock_get( pb, SLAPI_COMPARE_VALUE, &bval );
+	dn = slapi_sdn_get_dn(sdn);
/* 
     * Check local acls
@@ -96,17 +100,17 @@ chaining_back_compare ( Slapi_PBlock *pb )
if (checkacl) {
    	char * errbuf=NULL;
-          	Slapi_Entry *te = slapi_entry_alloc();
-          	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-          	rc = cb_access_allowed (pb, te, type, bval, SLAPI_ACL_COMPARE,&errbuf);
-          	slapi_entry_free(te);
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_sdn(te, sdn); /* sdn: copied */
+		rc = cb_access_allowed (pb, te, type, bval, SLAPI_ACL_COMPARE,&errbuf);
+		slapi_entry_free(te);
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
    		slapi_ch_free((void **) &errbuf);
    		return 1;
    	}
-        }
+	}
/*
     * Grab a connection handle
diff --git a/ldap/servers/plugins/chainingdb/cb_controls.c b/ldap/servers/plugins/chainingdb/cb_controls.c
index da2d283..f079901 100644
--- a/ldap/servers/plugins/chainingdb/cb_controls.c
+++ b/ldap/servers/plugins/chainingdb/cb_controls.c
@@ -201,9 +201,9 @@ int cb_update_controls( Slapi_PBlock * pb,
                 char * requestorCopy=NULL;
rootdn=cb_get_rootdn();
-                slapi_pblock_get( pb, SLAPI_REQUESTOR_DN, &requestor );
-                requestorCopy=slapi_ch_strdup(requestor);
-                slapi_dn_normalize_case(requestorCopy);
+                slapi_pblock_get( pb, SLAPI_REQUESTOR_NDN, &requestor );
+                requestorCopy = slapi_ch_strdup(requestor);
+                slapi_dn_ignore_case(requestorCopy);
if (!strcmp( requestorCopy, rootdn )) {    /* UTF8- aware */
                     slapi_log_error( SLAPI_LOG_PLUGIN,CB_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/chainingdb/cb_delete.c b/ldap/servers/plugins/chainingdb/cb_delete.c
index 992f606..87a69a2 100644
--- a/ldap/servers/plugins/chainingdb/cb_delete.c
+++ b/ldap/servers/plugins/chainingdb/cb_delete.c
@@ -62,27 +62,30 @@ chaining_back_delete ( Slapi_PBlock *pb )
    LDAP 			*ld=NULL;
    char         		**referrals=NULL;
    LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
+	char 			*matched_msg, *error_msg;
    char			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
    cb_outgoing_conn	*cnx;
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-                cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
    cb = cb_get_instance(be);
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_DELETE);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_DELETE);
/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
- 	slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
/* 
     * Check local acls
@@ -90,17 +93,17 @@ chaining_back_delete ( Slapi_PBlock *pb )
if (cb->local_acl && !cb->associated_be_is_disabled) {
    	char * errbuf=NULL;
-          	Slapi_Entry *te = slapi_entry_alloc();
-	  	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-       	  	rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_DELETE,&errbuf);
-	  	slapi_entry_free(te);
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_sdn(te, sdn); /* sdn: copied */
+		rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_DELETE,&errbuf);
+		slapi_entry_free(te);
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                	slapi_ch_free((void **)&errbuf);
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
    		return -1;
    	}
-        }
+	}
/*
     * Grab a connection handle
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index 145d5a3..9a33916 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -850,9 +850,9 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
if (apply) {
-	        slapi_rwlock_wrlock(inst->rwl_config_lock);
+		slapi_rwlock_wrlock(inst->rwl_config_lock);
    	if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
-	    		( phase != CB_CONFIG_PHASE_STARTUP )) {
+		    ( phase != CB_CONFIG_PHASE_STARTUP )) {
/* Dynamic modif   */
    		/* Free user later */
@@ -862,10 +862,11 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
    		rc=CB_REOPEN_CONN;
    	}
-		inst->pool->binddn=slapi_ch_strdup((char *) value);
+		/* normalize and ignore the case */
+		inst->pool->binddn = slapi_create_dn_string_case("%s", (char *)value);
+		/* not normalized */
    	inst->pool->binddn2=slapi_ch_strdup((char *) value);
-		slapi_dn_normalize_case(inst->pool->binddn);
-	        slapi_rwlock_unlock(inst->rwl_config_lock);
+		slapi_rwlock_unlock(inst->rwl_config_lock);
    } else {
/* Security check */
@@ -877,19 +878,18 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
    	char * theValueCopy = NULL;
if (value) {
-			theValueCopy=slapi_ch_strdup((char *) value);
-			slapi_dn_normalize_case(theValueCopy);
+			theValueCopy = slapi_create_dn_string_case("%s", (char *) value);
    	}
slapi_rwlock_rdlock(inst->rwl_config_lock);
-                if (inst->impersonate && theValueCopy && 
-                        !strcmp(theValueCopy,rootdn)) {	/* UTF8-aware. See cb_get_dn() */
-                        rc=LDAP_UNWILLING_TO_PERFORM; 
+		if (inst->impersonate && theValueCopy && 
+		    !strcmp(theValueCopy,rootdn)) {	/* UTF8-aware. See cb_get_dn() */
+			rc=LDAP_UNWILLING_TO_PERFORM; 
    		if (errorbuf) {
    			PR_snprintf(errorbuf,SLAPI_DSE_RETURNTEXT_SIZE, "value %s not allowed",rootdn);
    		}
-                }
-                slapi_rwlock_unlock(inst->rwl_config_lock);
+		}
+		slapi_rwlock_unlock(inst->rwl_config_lock);
slapi_ch_free((void **)&theValueCopy);
    	slapi_ch_free((void **)&rootdn);
diff --git a/ldap/servers/plugins/chainingdb/cb_modify.c b/ldap/servers/plugins/chainingdb/cb_modify.c
index fcfb310..aa914b9 100644
--- a/ldap/servers/plugins/chainingdb/cb_modify.c
+++ b/ldap/servers/plugins/chainingdb/cb_modify.c
@@ -65,51 +65,54 @@ chaining_back_modify ( Slapi_PBlock *pb )
    char         		**referrals=NULL;
    LDAPMod			** mods;
    LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
+	char 			*matched_msg, *error_msg;
    char 			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
    cb_outgoing_conn	*cnx;
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-                cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
    cb = cb_get_instance(be);
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODIFY);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODIFY);
/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
- 	slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_MODIFY_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
if (cb_debug_on()) {
-        	slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,"modify: target:<%s>\n",dn);
+		slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,"modify: target:<%s>\n",dn);
    }
ctrls=serverctrls=NULL;
-        slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
-        slapi_pblock_get( pb, SLAPI_REQCONTROLS, &ctrls );
+	slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
+	slapi_pblock_get( pb, SLAPI_REQCONTROLS, &ctrls );
/* Check acls				*/
    
    if ( cb->local_acl && !cb->associated_be_is_disabled ) {
-                char * errbuf=NULL;
-                Slapi_Entry *te = slapi_entry_alloc();
-                slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-       		rc = slapi_acl_check_mods( pb, te, mods, &errbuf);
-                slapi_entry_free(te);
-
-                if ( rc != LDAP_SUCCESS ) {
-                        cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                        slapi_ch_free((void **)&errbuf);
-                        return -1;
-                }
+		char * errbuf=NULL;
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_sdn(te, sdn); /* sdn: copied */
+		rc = slapi_acl_check_mods( pb, te, mods, &errbuf);
+		slapi_entry_free(te);
+
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
+			return -1;
+		}
    }
diff --git a/ldap/servers/plugins/chainingdb/cb_modrdn.c b/ldap/servers/plugins/chainingdb/cb_modrdn.c
index 2efff02..b6b882b 100644
--- a/ldap/servers/plugins/chainingdb/cb_modrdn.c
+++ b/ldap/servers/plugins/chainingdb/cb_modrdn.c
@@ -54,20 +54,25 @@
 int
 chaining_back_modrdn ( Slapi_PBlock *pb )
 {
-
-	Slapi_Backend		* be;
-	cb_backend_instance 	*cb;
-	LDAPControl 		**ctrls, **serverctrls;
-	int 			rc,parse_rc,msgid,i;
-	LDAP 			*ld=NULL;
-	char         		**referrals=NULL;
-	LDAPMessage		* res;
-	char 			* matched_msg, *error_msg,* pdn, *newdn, *dn;
-	int 			deleteoldrdn=0;
-	char 			* newsuperior, *newrdn;
-	char			* cnxerrbuf=NULL;
-   	time_t 			endtime;
-	cb_outgoing_conn	* cnx;
+        Slapi_Backend       * be;
+        cb_backend_instance *cb;
+        LDAPControl         **ctrls, **serverctrls;
+        int                 rc,parse_rc,msgid,i;
+        LDAP                *ld=NULL;
+        char                **referrals=NULL;
+        LDAPMessage         *res;
+        char                *matched_msg, *error_msg;
+        char                *newdn = NULL;
+        const char          *pdn = NULL;
+        char                *ndn = NULL;
+        Slapi_DN            *sdn = NULL;
+        Slapi_DN            *psdn = NULL;
+        int                 deleteoldrdn = 0;
+        Slapi_DN            *newsuperior = NULL;
+        char                *newrdn = NULL;
+        char                * cnxerrbuf=NULL;
+        time_t              endtime;
+        cb_outgoing_conn    *cnx;
if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
                 cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
@@ -75,38 +80,36 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
         }
slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-	cb = cb_get_instance(be);
+        cb = cb_get_instance(be);
cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODRDN);
-	/* Check wether the chaining BE is available or not */
+        /* Check wether the chaining BE is available or not */
         if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
                 return -1;
         }
-	newsuperior=newdn=newrdn=dn=NULL;
-  	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn );
+        slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
         slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
-        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior );
+        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior );
         slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &deleteoldrdn );
-	/*
-	 * Construct the new dn
-	 */
+        ndn = (char *)slapi_sdn_get_ndn(sdn);
-	dn = slapi_dn_normalize_case(dn);
-        if ( (pdn = slapi_dn_parent( dn )) != NULL ) {
-                /* parent + rdn + separator(s) + null */
-                newdn = (char *) slapi_ch_malloc( strlen( pdn ) + strlen( newrdn ) + 3 );
-                strcpy( newdn, newrdn );
-                strcat( newdn, "," );
-                strcat( newdn, pdn );
-
-        	slapi_ch_free((void **)&pdn );
+        /*
+         * Construct the new dn
+         */
+        psdn = slapi_sdn_new();
+        slapi_sdn_get_parent(sdn, psdn);
+        pdn = slapi_sdn_get_ndn(psdn);
+        if ( pdn ) {
+            /* parent + rdn + separator(s) + null */
+            newdn = slapi_ch_smprintf("%s,%s", newrdn, pdn);
         } else {
-                newdn = slapi_ch_strdup( newrdn );
+            newdn = slapi_ch_strdup( newrdn );
         }
+        slapi_sdn_free(&psdn);
/*
     * Make sure the current backend is managing
@@ -119,19 +122,19 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
if (cb->local_acl && !cb->associated_be_is_disabled) {
    	/* 
-	 	* Check local acls
-	 	* Keep in mind We don't have the entry for acl evaluation
-	 	*/
+		* Check local acls
+		* Keep in mind We don't have the entry for acl evaluation
+		*/
char * errbuf=NULL;
-          	Slapi_Entry *te = slapi_entry_alloc();
-          	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-       	  	rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_WRITE,&errbuf);
-          	slapi_entry_free(te);
-
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                	slapi_ch_free((void **)&errbuf);
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_sdn(te, sdn); /* sdn: copied */
+		rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_WRITE,&errbuf);
+		slapi_entry_free(te);
+
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
    		return -1;
    	}
         }
@@ -183,7 +186,8 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
     * Send LDAP operation to the remote host
     */
-	rc = ldap_rename ( ld,dn,newrdn,newsuperior,deleteoldrdn,ctrls,NULL,&msgid);
+	rc = ldap_rename ( ld, ndn, newrdn, slapi_sdn_get_dn(newsuperior),
+	                   deleteoldrdn, ctrls, NULL, &msgid );
if ( NULL != ctrls)
                 ldap_controls_free(ctrls);
diff --git a/ldap/servers/plugins/chainingdb/cb_search.c b/ldap/servers/plugins/chainingdb/cb_search.c
index a16ed4c..92eb2ea 100644
--- a/ldap/servers/plugins/chainingdb/cb_search.c
+++ b/ldap/servers/plugins/chainingdb/cb_search.c
@@ -58,41 +58,45 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
Slapi_Backend		* be;
    Slapi_Operation		* op;
-	char 			*target, *filter;
+	char 			*filter;
+	const char		*target = NULL;
+	Slapi_DN		*target_sdn = NULL;
    int			scope,attrsonly,sizelimit,timelimit,rc,searchreferral;
    char 			**attrs=NULL;
    LDAPControl 		**controls=NULL;		
    LDAPControl 		**ctrls=NULL;		
-        LDAP                    *ld=NULL;
-	cb_backend_instance 	*cb = NULL;
+	LDAP				*ld=NULL;
+	cb_backend_instance	*cb = NULL;
    cb_searchContext 	*ctx=NULL;
    struct timeval		timeout;
    time_t			optime;
    int 			doit,parse_rc;
- 	LDAPMessage 		*res=NULL;
-        char                    *matched_msg,*error_msg;
-        LDAPControl             **serverctrls=NULL;
-        char                    **referrals=NULL;
+	LDAPMessage 		*res=NULL;
+	char                    *matched_msg,*error_msg;
+	LDAPControl             **serverctrls=NULL;
+	char                    **referrals=NULL;
    char			*cnxerrbuf=NULL;
    time_t 			endbefore=0;
    time_t			endtime;
    cb_outgoing_conn	*cnx;
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
    cb = cb_get_instance(be);
-        slapi_pblock_get( pb, SLAPI_OPERATION, &op );
-        slapi_pblock_get( pb, SLAPI_SEARCH_STRFILTER, &filter );
-        slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
-        slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &target );
+	slapi_pblock_get( pb, SLAPI_OPERATION, &op );
+	slapi_pblock_get( pb, SLAPI_SEARCH_STRFILTER, &filter );
+	slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
+	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &target_sdn );
-        if ( LDAP_SUCCESS != (parse_rc=cb_forward_operation(pb) )) {
+	target = slapi_sdn_get_dn(target_sdn);
+
+	if ( LDAP_SUCCESS != (parse_rc=cb_forward_operation(pb) )) {
/* Don't return errors */
if (cb_debug_on()) {
-        		slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+			slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
    		"local search: base:<%s> scope:<%s> filter:<%s>\n",target,
    		scope==LDAP_SCOPE_SUBTREE?"SUBTREE":scope==LDAP_SCOPE_ONELEVEL ? "ONE-LEVEL" : "BASE" , filter);
    	}
@@ -135,28 +139,28 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
if (( scope != LDAP_SCOPE_BASE ) && ( searchreferral )) {
-		int 			i;
-                struct  berval          bv,*bvals[2];
-                Slapi_Entry 		** aciArray=(Slapi_Entry **) slapi_ch_malloc(2*sizeof(Slapi_Entry *));
-		Slapi_Entry 		*anEntry = slapi_entry_alloc();
+		int i;
+		struct berval bv,*bvals[2];
+		Slapi_Entry ** aciArray=(Slapi_Entry **) slapi_ch_malloc(2*sizeof(Slapi_Entry *));
+		Slapi_Entry *anEntry = slapi_entry_alloc();
-                slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
+		slapi_entry_set_sdn(anEntry, target_sdn);
-                bvals[1]=NULL;
-                bvals[0]=&bv;
-                bv.bv_val="referral";
+		bvals[1]=NULL;
+		bvals[0]=&bv;
+		bv.bv_val="referral";
    	bv.bv_len=strlen(bv.bv_val);
-                slapi_entry_add_values( anEntry, "objectclass", bvals);
+		slapi_entry_add_values( anEntry, "objectclass", bvals);
-        	slapi_rwlock_rdlock(cb->rwl_config_lock);
+		slapi_rwlock_rdlock(cb->rwl_config_lock);
    	for (i=0; cb->url_array && cb->url_array[i]; i++) {
    		char * anUrl = slapi_ch_smprintf("%s%s",cb->url_array[i],target);
-                	bv.bv_val=anUrl;
+			                                 bv.bv_val=anUrl;
    		bv.bv_len=strlen(bv.bv_val);
-                	slapi_entry_attr_merge( anEntry, "ref", bvals);
+			slapi_entry_attr_merge( anEntry, "ref", bvals);
    		slapi_ch_free((void **)&anUrl);
    	}
-        	slapi_rwlock_unlock(cb->rwl_config_lock);
+		slapi_rwlock_unlock(cb->rwl_config_lock);
    	
    	aciArray[0]=anEntry;
    	aciArray[1]=NULL;
@@ -442,12 +446,12 @@ int
 chainingdb_next_search_entry ( Slapi_PBlock *pb )
 {
-	char 			*target;
+	Slapi_DN	*target_sdn = NULL;
    int			sizelimit, timelimit;
    int			rc, parse_rc, retcode;
    int			i, attrsonly;
    time_t			optime;
- 	LDAPMessage 		*res=NULL;
+	LDAPMessage 		*res=NULL;
    char 			*matched_msg,*error_msg;
    cb_searchContext 	*ctx=NULL;
    Slapi_Entry 		*entry;
@@ -459,13 +463,13 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
matched_msg=error_msg=NULL;
-        slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &ctx );
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-    	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
-        slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &target );
-        slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
-        slapi_pblock_get( pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly );
+	slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &ctx );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
+	slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &target_sdn );
+	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	slapi_pblock_get( pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly );
cb = cb_get_instance(be);
@@ -656,22 +660,22 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
    	case LDAP_RES_SEARCH_REFERENCE:
/* The server sent a search reference encountered during the 
-            		 * search operation. 
+			 * search operation. 
    		 */
    	
    		/* heart-beat management */
-       			if (cb->max_idle_time>0)
-	       			endtime=current_time() + cb->max_idle_time;
+			if (cb->max_idle_time>0)
+				endtime=current_time() + cb->max_idle_time;
parse_rc = ldap_parse_reference( ctx->ld, res, &referrals, NULL, 1 );
-         		if ( parse_rc != LDAP_SUCCESS ) {
-	               		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, 
-					ldap_err2string( parse_rc ), 0, NULL);
+			if ( parse_rc != LDAP_SUCCESS ) {
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, 
+				                     ldap_err2string( parse_rc ), 0, NULL);
    			cb_release_op_connection(cb->pool,ctx->ld,CB_LDAP_CONN_ERROR(parse_rc));
    			slapi_ch_free((void **)&ctx);
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,NULL);
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,NULL);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,NULL);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,NULL);
    			return -1;
    		}
@@ -681,27 +685,27 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
{
-   				struct  berval          bv;
+				struct  berval          bv;
    			int 			i;
-                		struct  berval          *bvals[2];
-                		Slapi_Entry *anEntry = slapi_entry_alloc();
-                		slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
+				struct  berval          *bvals[2];
+				Slapi_Entry *anEntry = slapi_entry_alloc();
+				slapi_entry_set_sdn(anEntry, target_sdn);
-                		bvals[1]=NULL;
-                		bvals[0]=&bv;
+				bvals[1]=NULL;
+				bvals[0]=&bv;
-                		bv.bv_val="referral";
-                		bv.bv_len=strlen(bv.bv_val);
-                		slapi_entry_add_values( anEntry, "objectclass", bvals);
+				bv.bv_val="referral";
+				bv.bv_len=strlen(bv.bv_val);
+				slapi_entry_add_values( anEntry, "objectclass", bvals);
for (i=0;referrals[i] != NULL; i++) {
-                			bv.bv_val=referrals[i];
+					bv.bv_val=referrals[i];
    				bv.bv_len=strlen(bv.bv_val);
-                			slapi_entry_add_values( anEntry, "ref", bvals);
+					slapi_entry_add_values( anEntry, "ref", bvals);
    			}
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,ctx);
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,anEntry);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,ctx);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,anEntry);
    			cb_set_acl_policy(pb);
    		}
diff --git a/ldap/servers/plugins/chainingdb/cb_utils.c b/ldap/servers/plugins/chainingdb/cb_utils.c
index 3b0123c..2492226 100644
--- a/ldap/servers/plugins/chainingdb/cb_utils.c
+++ b/ldap/servers/plugins/chainingdb/cb_utils.c
@@ -50,7 +50,7 @@ char * cb_get_rootdn() {
    if (ret == NULL) 
    	ret = slapi_ch_strdup(CB_DIRECTORY_MANAGER_DN);
    if (ret)
-		slapi_dn_normalize_case(ret);	/* UTF8-aware */
+		slapi_dn_ignore_case(ret);	/* UTF8-aware */
    return ret;
 }
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index bfb585e..6265728 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -679,57 +679,58 @@ static int cos_cache_build_definition_list(cosDefinitions **pDefs, int *vattr_ca
    if(pSuffixSearch)
    	slapi_pblock_get( pSuffixSearch, SLAPI_PLUGIN_INTOP_RESULT, &ret);
-	if(pSuffixSearch && ret == LDAP_SUCCESS)
+	if(!pSuffixSearch || ret != LDAP_SUCCESS) {
+		LDAPDebug( LDAP_DEBUG_ANY, 
+		           "cos_cache_build_definition_list: failed to find suffixes\n",
+		           0,0,0);
+		ret = -1;
+		goto next;
+	}
+
+	/* iterate through the suffixes and search for cos definitions */
+	slapi_pblock_get( pSuffixSearch, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, 
+	                  &pSuffixList );
+	if(!pSuffixList) {
+		goto next;
+	}
+	while(pSuffixList[suffixIndex])
    {
-		/* iterate through the suffixes and search for cos definitions */
-		slapi_pblock_get( pSuffixSearch, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &pSuffixList);
-		if(pSuffixList)
+		if(!slapi_entry_first_attr(pSuffixList[suffixIndex], &suffixAttr))
    	{
-			while(pSuffixList[suffixIndex])
+			do
    		{
-				if(!slapi_entry_first_attr(pSuffixList[suffixIndex], &suffixAttr))
+				attrType = 0;
+				slapi_attr_get_type(suffixAttr, &attrType);
+				if(attrType && !slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"namingcontexts"))
    			{
-					do
+					if(!slapi_attr_get_bervals_copy(suffixAttr, &suffixVals))
    				{
-						attrType = 0;
-						slapi_attr_get_type(suffixAttr, &attrType);
-						if(attrType && !slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"namingcontexts"))
+						valIndex = 0;
+
+						if(suffixVals)
    					{
-							if(!slapi_attr_get_bervals_copy(suffixAttr, &suffixVals))
+							while(suffixVals[valIndex])
    						{
-								valIndex = 0;
-
-								if(suffixVals)
-								{
-									while(suffixVals[valIndex])
-									{
-										/* here's a suffix, lets search it... */
-										if(suffixVals[valIndex]->bv_val)
-											if(!cos_cache_add_dn_defs(suffixVals[valIndex]->bv_val ,pDefs, vattr_cacheable))
-												cos_def_available = 1;
-										
-										valIndex++;
-									}
+								/* here's a suffix, lets search it... */
+								if(suffixVals[valIndex]->bv_val)
+									if(!cos_cache_add_dn_defs(suffixVals[valIndex]->bv_val ,pDefs, vattr_cacheable))
+										cos_def_available = 1;
+								
+								valIndex++;
+							}
-									ber_bvecfree( suffixVals );
-									suffixVals = NULL;
-								}
-							}
+							ber_bvecfree( suffixVals );
+							suffixVals = NULL;
    					}
-
-					} while(!slapi_entry_next_attr(pSuffixList[suffixIndex], suffixAttr, &suffixAttr));
+					}
    			}
-				suffixIndex++;
-			}
+
+			} while(!slapi_entry_next_attr(pSuffixList[suffixIndex], suffixAttr, &suffixAttr));
    	}
+		suffixIndex++;
    }
-	else
-	{
-		LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_build_definition_list: failed to find suffixes\n",0,0,0);
-		ret = -1;
-	}
-
+next:
    if(cos_def_available == 0)
    {
    	if(firstTime)
@@ -768,7 +769,8 @@ struct dn_defs_info {
  * if a particular attempt to add a definition fails: info.ret gets set to
  * zero only if we succed to add a def.
 */
-static int 	cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) {
+static int 	cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+{
    struct dn_defs_info *info;
    cosAttrValue **pSneakyVal = 0;
    cosAttrValue *pObjectclass = 0;
@@ -793,286 +795,276 @@ static int 	cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) {
    info->vattr_cacheable = -1;
cos_cache_add_attrval(&pDn, slapi_entry_get_dn(e));
-	if(!slapi_entry_first_attr(e, &dnAttr))
-	{
-		do
+	if(slapi_entry_first_attr(e, &dnAttr)) {
+		goto bail;
+	}
+
+	do {
+		attrType = 0;		
+		/* we need to fill in the details of the definition now */
+		slapi_attr_get_type(dnAttr, &attrType);		
+		if(!attrType) {
+			continue;
+		}
+		pSneakyVal = 0;
+		if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"objectclass"))
+			pSneakyVal = &pObjectclass;
+		else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosTargetTree"))
+			pSneakyVal = &pCosTargetTree;
+		else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosTemplateDn"))
+			pSneakyVal = &pCosTemplateDn;
+		else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosSpecifier"))
+			pSneakyVal = &pCosSpecifier;
+		else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosAttribute"))
+			pSneakyVal = &pCosAttribute;
+		else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosIndirectSpecifier"))
+			pSneakyVal = &pCosSpecifier;			
+		if(!pSneakyVal) {
+			continue;
+		}
+		/* It's a type we're interested in */
+		if(slapi_attr_get_bervals_copy(dnAttr, &dnVals)) {
+			continue;
+		}
+		valIndex = 0;
+		if(!dnVals) {
+			continue;
+		}
+		for (valIndex = 0; dnVals[valIndex]; valIndex++)
    	{
-			attrType = 0;		
-			/* we need to fill in the details of the definition now */
-			slapi_attr_get_type(dnAttr, &attrType);		
-			if(attrType)
+			if(!dnVals[valIndex]->bv_val) {
+				continue;
+			}
+			/*
+			parse any overide or default values
+			and deal with them
+			*/
+			if(pSneakyVal == &pCosAttribute)
    		{
-				pSneakyVal = 0;
-				if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"objectclass"))
-					pSneakyVal = &pObjectclass;
-				else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosTargetTree"))
-					pSneakyVal = &pCosTargetTree;
-				else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosTemplateDn"))
-					pSneakyVal = &pCosTemplateDn;
-				else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosSpecifier"))
-					pSneakyVal = &pCosSpecifier;
-				else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosAttribute"))
-					pSneakyVal = &pCosAttribute;
-				else if(!slapi_utf8casecmp((unsigned char*)attrType, (unsigned char*)"cosIndirectSpecifier"))
-					pSneakyVal = &pCosSpecifier;			
-				if(pSneakyVal)
+				int qualifier_hit = 0;
+				int op_qualifier_hit = 0;
+				int merge_schemes_qualifier_hit = 0;
+				int override_qualifier_hit =0;
+				int default_qualifier_hit = 0;
+				int operational_default_qualifier_hit = 0;
+				do
    			{
-					/* It's a type we're interested in */
-					if(!slapi_attr_get_bervals_copy(dnAttr, &dnVals))
+					qualifier_hit = 0;
+
+					if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " operational"))
    				{
-						valIndex = 0;						
-						if(dnVals)
-						{
-							while(dnVals[valIndex])
-							{
-								if(dnVals[valIndex]->bv_val)
-								{
-								/*
-								parse any overide or default values
-								and deal with them
-									*/
-									if(pSneakyVal == &pCosAttribute)
-									{
-										int qualifier_hit = 0;
-										int op_qualifier_hit = 0;
-										int merge_schemes_qualifier_hit = 0;
-										int override_qualifier_hit =0;
-										int default_qualifier_hit = 0;
-										int operational_default_qualifier_hit = 0;
-										do
-										{
-											qualifier_hit = 0;
+						/* matched */
+						op_qualifier_hit = 1;
+						qualifier_hit = 1;
+					}
+					
+					if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " merge-schemes"))
+					{
+						/* matched */
+						merge_schemes_qualifier_hit = 1;
+						qualifier_hit = 1;
+					}
-											if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " operational"))
-											{
-												/* matched */
-												op_qualifier_hit = 1;
-												qualifier_hit = 1;
-											}
-											
-											if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " merge-schemes"))
-											{
-												/* matched */
-												merge_schemes_qualifier_hit = 1;
-												qualifier_hit = 1;
-											}
+					if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " override"))
+					{
+						/* matched */
+						override_qualifier_hit = 1;
+						qualifier_hit = 1;
+					}
+					
+					if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " default")) {
+						default_qualifier_hit = 1;
+						qualifier_hit = 1;
+					}
-											if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " override"))
-											{
-												/* matched */
-												override_qualifier_hit = 1;
-												qualifier_hit = 1;
-											}
-											
-											if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " default")) {
-												default_qualifier_hit = 1;
-												qualifier_hit = 1;
-											}
+					if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " operational-default")) {
+						operational_default_qualifier_hit = 1;
+						qualifier_hit = 1;
+					}
+				}
+				while(qualifier_hit == 1);
-											if(cos_cache_backwards_stricmp_and_clip(dnVals[valIndex]->bv_val, " operational-default")) {
-												operational_default_qualifier_hit = 1;
-												qualifier_hit = 1;
-											}
-										}
-										while(qualifier_hit == 1);
-
-										/*
-									 	* At this point, dnVals[valIndex]->bv_val
-									 	* is the value of cosAttribute, stripped of
-									 	* any qualifiers, so add this pure attribute type to
-										* the appropriate lists.
-										*/
-								
-										if ( op_qualifier_hit ) {
-											cos_cache_add_attrval(&pCosOperational,
-													dnVals[valIndex]->bv_val);
-										}
-										if ( merge_schemes_qualifier_hit ) {
-											cos_cache_add_attrval(&pCosMerge,
-													dnVals[valIndex]->bv_val);
-										}
-										if ( override_qualifier_hit ) {
-											cos_cache_add_attrval(&pCosOverrides,
-													dnVals[valIndex]->bv_val);										
-										}
-										if ( default_qualifier_hit ) {
-											/* attr is added below in pSneakyVal, in any case */
-										}
+				/*
+				* At this point, dnVals[valIndex]->bv_val
+				* is the value of cosAttribute, stripped of
+				* any qualifiers, so add this pure attribute type to
+				* the appropriate lists.
+				*/
+		
+				if ( op_qualifier_hit ) {
+					cos_cache_add_attrval(&pCosOperational,
+					                      dnVals[valIndex]->bv_val);
+				}
+				if ( merge_schemes_qualifier_hit ) {
+					cos_cache_add_attrval(&pCosMerge, dnVals[valIndex]->bv_val);
+				}
+				if ( override_qualifier_hit ) {
+					cos_cache_add_attrval(&pCosOverrides,
+					                      dnVals[valIndex]->bv_val);
+				}
+				if ( default_qualifier_hit ) {
+					/* attr is added below in pSneakyVal, in any case */
+				}
-										if ( operational_default_qualifier_hit ) {
-											cos_cache_add_attrval(&pCosOpDefault,
-													dnVals[valIndex]->bv_val);
-										}
+				if ( operational_default_qualifier_hit ) {
+					cos_cache_add_attrval(&pCosOpDefault,
+					                      dnVals[valIndex]->bv_val);
+				}
-										if(!pCosTargetTree)
-										{
-											/* get the parent of the definition */
-											
-											char *parent = NULL;
-											size_t plen = 0;
-											int rc = 0;
-											char *orig = slapi_dn_parent(pDn->val);
-											rc = slapi_dn_normalize_ext(orig,
-															0, &parent, &plen);
-											if (rc < 0) {
-												LDAPDebug(LDAP_DEBUG_ANY, 
-													"cos_cache_build_definition_list: failed to normalize parent dn %s. Adding the pre normalized dn.\n", orig, 0, 0);
-												parent = orig;
-											} else if (rc == 0) {
-												/* passed in. not terminated */
-												*(parent + plen) = '\0';
-											}
-											
-											cos_cache_add_attrval(&pCosTargetTree, parent);
-											if(!pCosTemplateDn)
-												cos_cache_add_attrval(&pCosTemplateDn, parent);
-											
-											if (orig != parent) {
-												slapi_ch_free_string(&orig);
-											}
-											slapi_ch_free_string(&parent);
-										}
-										
-										slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);			
-									} /* if(attrType is cosAttribute) */
-																
-									/*
-									 * Add the attributetype to the appropriate
-									 * list.
-									*/											
-									cos_cache_add_attrval(pSneakyVal,
-												dnVals[valIndex]->bv_val);								
-								}/*if(dnVals[valIndex]->bv_val)*/
-								
-								valIndex++;
-							}/* while(dnVals[valIndex]) */
-							
-							ber_bvecfree( dnVals );
-							dnVals = NULL;
-						}/*if(dnVals)*/
+				if(!pCosTargetTree)
+				{
+					/* get the parent of the definition */
+					char *orig = slapi_dn_parent(pDn->val);
+					Slapi_DN *psdn = slapi_sdn_new_dn_byval(orig);
+					char *parent = (char *)slapi_sdn_get_dn(psdn);
+					if (!parent) {
+						parent = (char *)slapi_sdn_get_udn(psdn);
+						LDAPDebug(LDAP_DEBUG_ANY, 
+						  "cos_cache_build_definition_list: "
+						  "failed to normalize parent dn %s. "
+						  "Adding the pre normalized dn.\n", 
+						  parent, 0, 0);
    				}
-				}/*if(pSneakyVal)*/
-			}/*if(attrType)*/
+					cos_cache_add_attrval(&pCosTargetTree, parent);
+					if (!pCosTemplateDn) {
+						cos_cache_add_attrval(&pCosTemplateDn, parent);
+					}
+					slapi_sdn_free(&psdn);
+				}
+				
+				slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle,
+				                        dnVals[valIndex]->bv_val, NULL, NULL);
+			} /* if(attrType is cosAttribute) */
+										
+			/*
+			 * Add the attributetype to the appropriate
+			 * list.
+			 */
+			cos_cache_add_attrval(pSneakyVal, dnVals[valIndex]->bv_val);
    		
-		} while(!slapi_entry_next_attr(e, dnAttr, &dnAttr));
+		}/* for (valIndex = 0; dnVals[valIndex]; valIndex++) */
    	
-		/*
-		determine the type of class of service scheme 
-		*/
-		
-		if(pObjectclass)
+		ber_bvecfree( dnVals );
+		dnVals = NULL;
+	} while(!slapi_entry_next_attr(e, dnAttr, &dnAttr));
+	
+	/*
+	determine the type of class of service scheme 
+	*/
+	
+	if(pObjectclass)
+	{
+		if(cos_cache_attrval_exists(pObjectclass, "cosDefinition"))
    	{
-			if(cos_cache_attrval_exists(pObjectclass, "cosDefinition"))
-			{
-				cosType = COSTYPE_CLASSIC;
-			}
-			else if(cos_cache_attrval_exists(pObjectclass, "cosClassicDefinition"))
-			{
-				cosType = COSTYPE_CLASSIC;
-				
-			}
-			else if(cos_cache_attrval_exists(pObjectclass, "cosPointerDefinition"))
-			{
-				cosType = COSTYPE_POINTER;
-				
-			}
-			else if(cos_cache_attrval_exists(pObjectclass, "cosIndirectDefinition"))
-			{
-				cosType = COSTYPE_INDIRECT;
-				
-			}
-			else
-				cosType = COSTYPE_BADTYPE;
+			cosType = COSTYPE_CLASSIC;
    	}
-		
-		/*	
-		we should now have a full definition, 
-		do some sanity checks because we don't
-		want bogus entries in the cache 
-		then ship it
-		*/
-		
-		/* these must exist */
-		if(		pDn &&
-			pObjectclass && 
+		else if(cos_cache_attrval_exists(pObjectclass, "cosClassicDefinition"))
+		{
+			cosType = COSTYPE_CLASSIC;
    		
-			(
-			(cosType == COSTYPE_CLASSIC &&
-			pCosTemplateDn && 
-			pCosSpecifier &&   
-			pCosAttribute ) 
-			||
-			(cosType == COSTYPE_POINTER &&
-			pCosTemplateDn && 
-			pCosAttribute ) 
-			||
-			(cosType == COSTYPE_INDIRECT &&
-			pCosSpecifier &&   
-			pCosAttribute ) 
-			)
-			)
+		}
+		else if(cos_cache_attrval_exists(pObjectclass, "cosPointerDefinition"))
    	{
-			int rc = 0;
-		/*
-		we'll leave the referential integrity stuff
-		up to the referint plug-in and assume all
-		is good - if it's not then we just have a
-		useless definition and we'll nag copiously later.
-			*/
-			char *pTmpDn = slapi_ch_strdup(pDn->val); /* because dn gets hosed on error */
-			char ebuf[ BUFSIZ ];
+			cosType = COSTYPE_POINTER;
    		
-			if(!(rc = cos_cache_add_defn(info->pDefs, &pDn, cosType,
-									&pCosTargetTree, &pCosTemplateDn, 
-									&pCosSpecifier, &pCosAttribute,
-									&pCosOverrides, &pCosOperational,
-									&pCosMerge, &pCosOpDefault))) {
-				info->ret = 0;  /* we have succeeded to add the defn*/
-			} else {
-				/*
-				 * Failed but we will continue the search for other defs
-				 * Don't reset info->ret....it keeps track of any success
-				*/
-				if ( rc == COS_DEF_ERROR_NO_TEMPLATES) {
-					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s"
-						"--no CoS Templates found, "
-						"which should be added before the CoS Definition.\n",
-						escape_string(pTmpDn, ebuf), 0, 0);
-				} else {
-					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s\n"
-						"--error(%d)\n",
-						escape_string(pTmpDn, ebuf), rc, 0);
-				}
-			}
+		}
+		else if(cos_cache_attrval_exists(pObjectclass, "cosIndirectDefinition"))
+		{
+			cosType = COSTYPE_INDIRECT;
    		
-			slapi_ch_free_string(&pTmpDn);
    	}
    	else
-		{
-		/* 
-		this definition is brain dead - bail
-		if we have a dn use it to report, if not then *really* bad
-		things are going on
+			cosType = COSTYPE_BADTYPE;
+	}
+	
+	/*	
+	we should now have a full definition, 
+	do some sanity checks because we don't
+	want bogus entries in the cache 
+	then ship it
+	*/
+	
+	/* these must exist */
+	if(		pDn &&
+		pObjectclass && 
+		
+		(
+		(cosType == COSTYPE_CLASSIC &&
+		pCosTemplateDn && 
+		pCosSpecifier &&   
+		pCosAttribute ) 
+		||
+		(cosType == COSTYPE_POINTER &&
+		pCosTemplateDn && 
+		pCosAttribute ) 
+		||
+		(cosType == COSTYPE_INDIRECT &&
+		pCosSpecifier &&   
+		pCosAttribute ) 
+		)
+		)
+	{
+		int rc = 0;
+	/*
+	we'll leave the referential integrity stuff
+	up to the referint plug-in and assume all
+	is good - if it's not then we just have a
+	useless definition and we'll nag copiously later.
+		*/
+		char *pTmpDn = slapi_ch_strdup(pDn->val); /* because dn gets hosed on error */
+		char ebuf[ BUFSIZ ];
+		
+		if(!(rc = cos_cache_add_defn(info->pDefs, &pDn, cosType,
+								&pCosTargetTree, &pCosTemplateDn, 
+								&pCosSpecifier, &pCosAttribute,
+								&pCosOverrides, &pCosOperational,
+								&pCosMerge, &pCosOpDefault))) {
+			info->ret = 0;  /* we have succeeded to add the defn*/
+		} else {
+			/*
+			 * Failed but we will continue the search for other defs
+			 * Don't reset info->ret....it keeps track of any success
    		*/
-			if(pDn)
-			{
-				LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_add_dn_defs: incomplete cos definition detected in %s, discarding from cache.\n",pDn->val,0,0);
+			if ( rc == COS_DEF_ERROR_NO_TEMPLATES) {
+				LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s"
+					"--no CoS Templates found, "
+					"which should be added before the CoS Definition.\n",
+					escape_string(pTmpDn, ebuf), 0, 0);
+			} else {
+				LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s\n"
+					"--error(%d)\n",
+					escape_string(pTmpDn, ebuf), rc, 0);
    		}
-			else
-				LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_add_dn_defs: incomplete cos definition detected, no DN to report, discarding from cache.\n",0,0,0);
-			
-			if(pCosTargetTree)
-				cos_cache_del_attrval_list(&pCosTargetTree);
-			if(pCosTemplateDn)
-				cos_cache_del_attrval_list(&pCosTemplateDn);
-			if(pCosSpecifier)
-				cos_cache_del_attrval_list(&pCosSpecifier);
-			if(pCosAttribute)
-				cos_cache_del_attrval_list(&pCosAttribute);
-			if(pDn)
-				cos_cache_del_attrval_list(&pDn);
    	}
-	}/*if(!slapi_entry_first_attr(e, &dnAttr))*/
+		
+		slapi_ch_free_string(&pTmpDn);
+	}
+	else
+	{
+	/* 
+	this definition is brain dead - bail
+	if we have a dn use it to report, if not then *really* bad
+	things are going on
+		*/
+		if(pDn)
+		{
+			LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_add_dn_defs: incomplete cos definition detected in %s, discarding from cache.\n",pDn->val,0,0);
+		}
+		else
+			LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_add_dn_defs: incomplete cos definition detected, no DN to report, discarding from cache.\n",0,0,0);
+		
+		if(pCosTargetTree)
+			cos_cache_del_attrval_list(&pCosTargetTree);
+		if(pCosTemplateDn)
+			cos_cache_del_attrval_list(&pCosTemplateDn);
+		if(pCosSpecifier)
+			cos_cache_del_attrval_list(&pCosSpecifier);
+		if(pCosAttribute)
+			cos_cache_del_attrval_list(&pCosAttribute);
+		if(pDn)
+			cos_cache_del_attrval_list(&pDn);
+	}
+bail:
    /* we don't keep the objectclasses, so lets free them */
    if(pObjectclass) {
    		cos_cache_del_attrval_list(&pObjectclass);
@@ -1544,7 +1536,8 @@ static void cos_cache_del_attrval_list(cosAttrValue **pVal)
    ---------------------
    adds a value to an attribute value list
 */
-static int cos_cache_add_attrval(cosAttrValue **attrval, char *val)
+static int 
+cos_cache_add_attrval(cosAttrValue **attrval, char *val)
 {
    int ret = 0;
    cosAttrValue *theVal;
@@ -1953,36 +1946,28 @@ static int cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAt
    	char *grade = NULL;
    	int grade_index = 0;
    	int index = 0;
-		int lastindex = 0;
    	int template_default = 0;
-		char *dnval = NULL;
-		size_t dnlen = 0;
-		int rc = 0;
-
-		rc = slapi_dn_normalize_ext(dn->val, 0, &dnval, &dnlen);
-		if (rc < 0) {
+		char *ptr = NULL;
+		char *normed = slapi_create_dn_string("%s", dn->val);
+		if (normed) {
+			slapi_ch_free_string(&dn->val);
+			dn->val = normed;
+		} else {
    		LDAPDebug(LDAP_DEBUG_ANY, 
    			"cos_cache_add_tmpl: failed to normalize dn %s. "
-				"Processing the pre normalized dn.\n", dn->val, 0, 0);
-		} else if (rc == 0) {
-			/* passed in. not terminated */
-			*(dnval + dnlen) = '\0';
-		} else {
-			slapi_ch_free_string(&dn->val);
-			dn->val = dnval;
+				"Processing the pre normalized dn.\n", 
+				dn->val, 0, 0);
    	}
    	grade = (char*)slapi_ch_malloc(strlen(dn->val)+1);
/* extract the cos grade */
-		while(dn->val[index] != '=' && dn->val[index] != '\0')
-			index++;
-		lastindex = strlen(dn->val) - 1;
-		
-		if(dn->val[index] == '=')
+		ptr = strchr(dn->val, '=');
+
+		if (ptr)
    	{
    		int quotes = 0;
-
-			index++;
+			int lastindex = strlen(dn->val) - 1;
+			index = ptr - dn->val + 1;
/* copy the grade (supports one level of quote nesting in rdn) */
    		while(dn->val[index] != ',' || dn->val[index-1] == '\' || quotes == 1)
@@ -2405,21 +2390,15 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Sl
    	while((hit == 0 || merge_mode) && pTargetTree)
    	{
    		{
-				int rc = 0;
-				char *tval = NULL;
-				size_t tlen = 0;
-				rc = slapi_dn_normalize_ext(pTargetTree->val, 0, &tval, &tlen);
-				if (rc < 0) {
+				char *normed = slapi_create_dn_string("%s", pTargetTree->val);
+				if (normed) {
+					slapi_ch_free_string(&pTargetTree->val);
+					pTargetTree->val = normed;
+				} else {
    				LDAPDebug(LDAP_DEBUG_ANY, 
    					"cos_cache_query_attr: failed to normalize dn %s. "
    					"Processing the pre normalized dn.\n",
    					pTargetTree->val, 0, 0);
-				} else if (rc == 0) {
-					/* passed in. not terminated */
-					*(tval + tlen) = '\0';
-				} else {
-					slapi_ch_free_string(&pTargetTree->val);
-					pTargetTree->val = tval;
    			}
    		}
    		if(	pTargetTree->val == 0 || 
@@ -2943,22 +2922,15 @@ static int cos_cache_index_all(cosCache *pCache)
while(pAttrVal)
    			{
-					int rc = 0;
-					char *dnval = NULL;
-					size_t dnlen = 0;
-					rc = slapi_dn_normalize_ext(pAttrVal->val, 0,
-												&dnval, &dnlen);
-					if (rc < 0) {
+					char *normed = slapi_create_dn_string("%s", pAttrVal->val);
+					if (normed) {
+						slapi_ch_free_string(&pAttrVal->val);
+						pAttrVal->val = normed;
+					} else {
    					LDAPDebug(LDAP_DEBUG_ANY, 
    						"cos_cache_index_all: failed to normalize dn %s. "
    						"Processing the pre normalized dn.\n", 
    						pAttrVal->val, 0, 0);
-					} else if (rc == 0) {
-						/* passed in. not terminated */
-						*(dnval + dnlen) = '\0';
-					} else {
-						slapi_ch_free_string(&pAttrVal->val);
-						pAttrVal->val = dnval;
    				}
    				pCache->ppTemplateList[tmpindex] = pAttrVal->val;
@@ -3356,7 +3328,8 @@ bail:
 */
 void cos_cache_change_notify(Slapi_PBlock *pb)
 {
-	char *dn;
+	const char *dn;
+	Slapi_DN *sdn = NULL;
    int do_update = 0;
    struct slapi_entry *e;
         Slapi_Backend *be=NULL;
@@ -3372,11 +3345,12 @@ void cos_cache_change_notify(Slapi_PBlock *pb)
    	goto bail;
/* need to work out if a cache rebuild is necessary */
-	if(slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ))
+	if(slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ))
    {
    	LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_change_notify: failed to get dn of changed entry",0,0,0);
    	goto bail;
    }
+	dn = slapi_sdn_get_dn(sdn);
slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &rc);
    if (0 != rc) {
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 2f4dd02..858a0d7 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -172,7 +172,7 @@ static PRCList *dna_global_config = NULL;
 static Slapi_RWLock *g_dna_cache_lock;
static void *_PluginID = NULL;
-static char *_PluginDN = NULL;
+static const char *_PluginDN = NULL;
static int g_plugin_started = 0;
@@ -227,6 +227,7 @@ static int dna_load_host_port();
  *
  */
 static char *dna_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *dna_get_sdn(Slapi_PBlock * pb);
 static int dna_dn_is_config(char *dn);
 static int dna_get_next_value(struct configEntry * config_entry,
                                  char **next_value_ret);
@@ -330,12 +331,12 @@ void *getPluginID()
     return _PluginID;
 }
-void setPluginDN(char *pluginDN)
+void setPluginDN(const char *pluginDN)
 {
     _PluginDN = pluginDN;
 }
-char *getPluginDN()
+const char *getPluginDN()
 {
     return _PluginDN;
 }
@@ -489,7 +490,8 @@ dna_exop_init(Slapi_PBlock * pb)
 static int
 dna_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *pluginsdn = NULL;
+	const char *plugindn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "--> dna_start\n");
@@ -513,12 +515,13 @@ dna_start(Slapi_PBlock * pb)
     *	and store it for future use. This should avoid
     *	hardcoding of DN's in the code.
     */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &pluginsdn);
+    if (NULL == pluginsdn || 0 == slapi_sdn_get_ndn_len(pluginsdn)) {
         slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
                         "dna_start: had to use hard coded config dn\n");
         plugindn = DNA_DN;
     } else {
+        plugindn = slapi_sdn_get_dn(pluginsdn);
         slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
                         "dna_start: config at %s\n", plugindn);
@@ -857,12 +860,17 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
         Slapi_DN *sdn = NULL;
         char *normdn = NULL;
-        sdn = slapi_sdn_new_dn_byref(value);
+        sdn = slapi_sdn_new_dn_passin(value);
-        if (sdn) {
-            slapi_search_internal_get_entry(sdn, NULL, &shared_e, getPluginID());
-            slapi_sdn_free(&sdn);
+        if (!sdn) {
+            slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+                            "dna_parse_config_entry: Unable to create "
+                            "slapi_dn (%s)\n", value);
+            ret = DNA_FAILURE;
+            slapi_ch_free_string(&value);
+            goto bail;
         }
+        slapi_search_internal_get_entry(sdn, NULL, &shared_e, getPluginID());
/* Make sure that the shared config entry exists. */
         if (!shared_e) {
@@ -872,23 +880,23 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
                             "dna_parse_config_entry: Unable to locate "
                             "shared configuration entry (%s)\n", value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         } else {
             slapi_entry_free(shared_e);
             shared_e = NULL;
         }
-        normdn = slapi_create_dn_string("%s", value);
+        normdn = (char *)slapi_sdn_get_dn(sdn);
         if (NULL == normdn) {
             slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
                             "dna_parse_config_entry: failed to normalize dn: "
                             "%s\n", value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         }
-        entry->shared_cfg_base = normdn;
+        entry->shared_cfg_base = slapi_ch_strdup(normdn);
/* We prepend the host & port of this instance as a
          * multi-part RDN for the shared config entry. */
@@ -900,7 +908,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
                             "%s=%s+%s=%s,%s", DNA_HOSTNAME,
                             hostname, DNA_PORTNUM, portnum, value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         }
         entry->shared_cfg_dn = normdn;
@@ -908,7 +916,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
         slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM,
                         "----------> %s [%s]\n", DNA_SHARED_CFG_DN,
                         entry->shared_cfg_base);
-        slapi_ch_free_string(&value);
+        slapi_sdn_free(&sdn);
     }
value = slapi_entry_attr_get_charptr(e, DNA_THRESHOLD);
@@ -1725,11 +1733,11 @@ bail:
static char *dna_get_dn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "--> dna_get_dn\n");
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
+    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn)) {
         slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
                         "dna_get_dn: failed to get dn of changed entry");
         goto bail;
@@ -1739,7 +1747,20 @@ static char *dna_get_dn(Slapi_PBlock * pb)
     slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "<-- dna_get_dn\n");
-    return dn;
+    return (char *)slapi_sdn_get_dn(sdn);
+}
+
+static Slapi_DN *
+dna_get_sdn(Slapi_PBlock * pb)
+{
+    Slapi_DN *sdn = 0;
+    slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
+                    "--> dna_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
+                    "<-- dna_get_sdn\n");
+
+    return sdn;
 }
/* config check
@@ -2785,10 +2806,9 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype)
          *
          slapi_pblock_get( pb, SLAPI_MODIFY_EXISTING_ENTRY, &e);
          */
-        Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
+        Slapi_DN *tmp_dn = dna_get_sdn(pb);
         if (tmp_dn) {
             slapi_search_internal_get_entry(tmp_dn, 0, &e, getPluginID());
-            slapi_sdn_free(&tmp_dn);
             free_entry = 1;
         }
diff --git a/ldap/servers/plugins/linkedattrs/fixup_task.c b/ldap/servers/plugins/linkedattrs/fixup_task.c
index d550570..d5d0b14 100644
--- a/ldap/servers/plugins/linkedattrs/fixup_task.c
+++ b/ldap/servers/plugins/linkedattrs/fixup_task.c
@@ -279,7 +279,7 @@ static int
 linked_attrs_remove_backlinks_callback(Slapi_Entry *e, void *callback_data)
 {
     int rc = 0;
-    char *dn = slapi_entry_get_dn(e);
+    Slapi_DN *sdn = slapi_entry_get_sdn(e);
     char *type = (char *)callback_data;
     Slapi_PBlock *pb = slapi_pblock_new();
     char *val[1];
@@ -298,11 +298,11 @@ linked_attrs_remove_backlinks_callback(Slapi_Entry *e, void *callback_data)
slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM,
                     "Removing backpointer attribute (%s) from entry (%s)\n",
-                    type, dn);
+                    type, slapi_sdn_get_dn(sdn));
/* Perform the operation. */
-    slapi_modify_internal_set_pb(pb, dn, mods, 0, 0,
-                                 linked_attrs_get_plugin_id(), 0);
+    slapi_modify_internal_set_pb_ext(pb, sdn, mods, 0, 0,
+                                     linked_attrs_get_plugin_id(), 0);
     slapi_modify_internal_pb(pb);
slapi_pblock_destroy(pb);
@@ -339,6 +339,7 @@ linked_attrs_add_backlinks_callback(Slapi_Entry *e, void *callback_data)
     for (i = 0; targets && targets[i]; ++i) {
         char *targetdn = (char *)targets[i];
         int perform_update = 0;
+        Slapi_DN *targetsdn = slapi_sdn_new_dn_byref(targetdn);
if (config->scope) {
             /* Check if the target is within the scope. */
@@ -348,14 +349,12 @@ linked_attrs_add_backlinks_callback(Slapi_Entry *e, void *callback_data)
              * and see if the target is in the same backend. */
             Slapi_Backend *be = NULL;
             Slapi_DN *linksdn = slapi_sdn_new_dn_byref(linkdn);
-            Slapi_DN *targetsdn = slapi_sdn_new_dn_byref(targetdn);
if ((be = slapi_be_select(linksdn))) {
                 perform_update = slapi_sdn_issuffix(targetsdn, slapi_be_getsuffix(be, 0));
             }
slapi_sdn_free(&linksdn);
-            slapi_sdn_free(&targetsdn);
         }
if (perform_update) {
@@ -364,13 +363,14 @@ linked_attrs_add_backlinks_callback(Slapi_Entry *e, void *callback_data)
                             linkdn, targetdn);
/* Perform the modify operation. */
-            slapi_modify_internal_set_pb(pb, targetdn, mods, 0, 0,
-                                         linked_attrs_get_plugin_id(), 0);
+            slapi_modify_internal_set_pb_ext(pb, targetsdn, mods, 0, 0,
+                                             linked_attrs_get_plugin_id(), 0);
             slapi_modify_internal_pb(pb);
/* Initialize the pblock so we can reuse it. */
             slapi_pblock_init(pb);
         }
+        slapi_sdn_free(&targetsdn);
     }
slapi_ch_array_free(targets);
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c
index 75df753..5c6d462 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c
@@ -94,6 +94,7 @@ static void linked_attrs_free_config_entry(struct configEntry ** entry);
  * helpers
  */
 static char *linked_attrs_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *linked_attrs_get_sdn(Slapi_PBlock * pb);
 static int linked_attrs_dn_is_config(char *dn);
 static void linked_attrs_find_config(const char *dn, const char *type,
     struct configEntry **config);
@@ -152,9 +153,9 @@ linked_attrs_get_plugin_id()
 }
void
-linked_attrs_set_plugin_dn(char *pluginDN)
+linked_attrs_set_plugin_dn(const char *pluginDN)
 {
-    _PluginDN = pluginDN;
+    _PluginDN = (char *)pluginDN;
 }
char *
@@ -281,7 +282,7 @@ linked_attrs_postop_init(Slapi_PBlock *pb)
 static int
 linked_attrs_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "--> linked_attrs_start\n");
@@ -303,14 +304,14 @@ linked_attrs_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == slapi_sdn_get_ndn_len(plugindn)) {
         slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM,
                         "linked_attrs_start: unable to retrieve plugin dn\n");
         return -1;
     }
-    linked_attrs_set_plugin_dn(plugindn);
+    linked_attrs_set_plugin_dn(slapi_sdn_get_dn(plugindn));
/*
      * Load the config cache
@@ -540,7 +541,7 @@ linked_attrs_parse_config_entry(Slapi_Entry * e, int apply)
         char *syntaxoid = NULL;
         Slapi_Attr *attr = slapi_attr_new();
-	/* Set this first so we free it if we encounter an error */
+        /* Set this first so we free it if we encounter an error */
         entry->managedtype = value;
/* Gather some information about this attribute. */
@@ -816,21 +817,36 @@ linked_attrs_delete_config()
 static char *
 linked_attrs_get_dn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    const char *dn = 0;
+    Slapi_DN *sdn = NULL;
     slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "--> linked_attrs_get_dn\n");
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
+    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn)) {
         slapi_log_error(SLAPI_LOG_FATAL, LINK_PLUGIN_SUBSYSTEM,
                         "linked_attrs_get_dn: failed to get dn of changed entry");
         goto bail;
     }
+    dn = slapi_sdn_get_dn(sdn);
bail:
     slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "<-- linked_attrs_get_dn\n");
-    return dn;
+    return (char *)dn;
+}
+
+static Slapi_DN *
+linked_attrs_get_sdn(Slapi_PBlock * pb)
+{
+    Slapi_DN *sdn = 0;
+    slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
+                    "--> linked_attrs_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
+                    "<-- linked_attrs_get_sdn\n");
+
+    return sdn;
 }
/*
@@ -1406,6 +1422,7 @@ linked_attrs_mod_backpointers(char *linkdn, char *type,
     {
         int perform_update = 0;
         const char *targetdn = slapi_value_get_string(targetval);
+        Slapi_DN *targetsdn = slapi_sdn_new_dn_byref(targetdn);
/* If we have a scope, only update the target if it is within
          * the scope.  If we don't have a scope, only update the target
@@ -1415,14 +1432,12 @@ linked_attrs_mod_backpointers(char *linkdn, char *type,
         } else {
             Slapi_Backend *be = NULL;
             Slapi_DN *linksdn = slapi_sdn_new_dn_byref(linkdn);
-            Slapi_DN *targetsdn = slapi_sdn_new_dn_byref(targetdn);
if ((be = slapi_be_select(linksdn))) {
                 perform_update = slapi_sdn_issuffix(targetsdn, slapi_be_getsuffix(be, 0));
             }
slapi_sdn_free(&linksdn);
-            slapi_sdn_free(&targetsdn);
         }
if (perform_update) {
@@ -1432,13 +1447,14 @@ linked_attrs_mod_backpointers(char *linkdn, char *type,
                             linkdn, targetdn);
/* Perform the modify operation. */
-            slapi_modify_internal_set_pb(mod_pb, targetdn, mods, 0, 0,
-                                         linked_attrs_get_plugin_id(), 0);
+            slapi_modify_internal_set_pb_ext(mod_pb, targetsdn, mods, 0, 0,
+                                             linked_attrs_get_plugin_id(), 0);
             slapi_modify_internal_pb(mod_pb);
/* Initialize the pblock so we can reuse it. */
             slapi_pblock_init(mod_pb);
         }
+        slapi_sdn_free(&targetsdn);
i = slapi_valueset_next_value(targetvals, i, &targetval);
     }
@@ -1488,10 +1504,10 @@ linked_attrs_pre_op(Slapi_PBlock * pb, int modop)
         } else {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
+            /* int free_sdn = 0; */
+            Slapi_DN *tmp_dn = linked_attrs_get_sdn(pb);
             if (tmp_dn) {
                 slapi_search_internal_get_entry(tmp_dn, 0, &e, linked_attrs_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
                 free_entry = 1;
             }
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.h b/ldap/servers/plugins/linkedattrs/linked_attrs.h
index c6e6347..8dfb4f0 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.h
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.h
@@ -127,7 +127,7 @@ void linked_attrs_unlock();
  */
 void linked_attrs_set_plugin_id(void *pluginID);
 void *linked_attrs_get_plugin_id();
-void linked_attrs_set_plugin_dn(char *pluginDN);
+void linked_attrs_set_plugin_dn(const char *pluginDN);
 char *linked_attrs_get_plugin_dn();
/*
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index c2d87bb..9956dfe 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -494,8 +494,8 @@ int memberof_del_dn_type_callback(Slapi_Entry *e, void *callback_data)
    mod.mod_type = ((memberof_del_dn_data *)callback_data)->type;
    mod.mod_values = val;
-	slapi_modify_internal_set_pb(
-		mod_pb, slapi_entry_get_dn(e),
+	slapi_modify_internal_set_pb_ext(
+		mod_pb, slapi_entry_get_sdn(e),
    	mods, 0, 0,
    	memberof_get_plugin_id(), 0);
@@ -752,8 +752,8 @@ int memberof_replace_dn_type_callback(Slapi_Entry *e, void *callback_data)
    addmod.mod_type = ((replace_dn_data *)callback_data)->type;
    addmod.mod_values = addval;
-	slapi_modify_internal_set_pb(
-		mod_pb, slapi_entry_get_dn(e),
+	slapi_modify_internal_set_pb_ext(
+		mod_pb, slapi_entry_get_sdn(e),
    	mods, 0, 0,
    	memberof_get_plugin_id(), 0);
@@ -1051,11 +1051,13 @@ bail:
  */
 char *memberof_getdn(Slapi_PBlock *pb)
 {
-	char *dn = 0;
+	const char *dn = 0;
+	Slapi_DN *sdn = NULL;
-	slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	
-	return dn;
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+	dn = slapi_sdn_get_dn(sdn);	
+
+	return (char *)dn;
 }
/*
@@ -2385,6 +2387,7 @@ int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
 {
    int rc = 0;
    char *dn = slapi_entry_get_dn(e);
+	Slapi_DN *sdn = slapi_entry_get_sdn(e);
    struct fix_memberof_callback_data *cb_data = (struct fix_memberof_callback_data *)callback_data;
    MemberOfConfig *config = cb_data->config;
    memberof_del_dn_data del_data = {0, config->memberof_attr, cb_data->txn};
@@ -2420,8 +2423,8 @@ int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
    	mods[0] = slapi_mod_get_ldapmod_passout(smod);
    	mods[1] = 0;
-		slapi_modify_internal_set_pb(
-			mod_pb, dn, mods, 0, 0,
+		slapi_modify_internal_set_pb_ext(
+			mod_pb, sdn, mods, 0, 0,
    		memberof_get_plugin_id(), 0);
slapi_pblock_set(mod_pb, SLAPI_TXN, cb_data->txn);
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 0241cd3..237ef91 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -94,11 +94,11 @@ static void mep_free_config_entry(struct configEntry ** entry);
 /*
  * helpers
  */
-static char *mep_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *mep_get_sdn(Slapi_PBlock * pb);
 static Slapi_DN *mep_get_config_area();
 static void mep_set_config_area(Slapi_DN *sdn);
-static int mep_dn_is_config(char *dn);
-static int mep_dn_is_template(char *dn);
+static int mep_dn_is_config(Slapi_DN *sdn);
+static int mep_dn_is_template(const char *dn);
 static void mep_find_config(Slapi_Entry *e, struct configEntry **config);
 static void mep_find_config_by_template_dn(const char *template_dn,
     struct configEntry **config);
@@ -109,7 +109,7 @@ static Slapi_Entry *mep_create_managed_entry(struct configEntry *config,
 static void mep_add_managed_entry(struct configEntry *config,
     Slapi_Entry *origin);
 static void mep_rename_managed_entry(Slapi_Entry *origin,
-    char *new_dn, char *old_dn);
+    Slapi_DN *new_dn, Slapi_DN *old_dn);
 static Slapi_Mods *mep_get_mapped_mods(struct configEntry *config,
     Slapi_Entry *origin, char **mapped_dn);
 static int mep_parse_mapped_attr(char *mapping, Slapi_Entry *origin,
@@ -289,7 +289,7 @@ mep_postop_init(Slapi_PBlock *pb)
 static int
 mep_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
     char *config_area = NULL;
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -312,14 +312,14 @@ mep_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == slapi_sdn_get_ndn_len(plugindn)) {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_start: unable to retrieve plugin dn\n");
         return -1;
     }
-    mep_set_plugin_sdn(slapi_sdn_new_dn_byref(plugindn));
+    mep_set_plugin_sdn(slapi_sdn_dup(plugindn));
/* Set the alternate config area if one is defined. */
     slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
@@ -434,8 +434,10 @@ mep_load_config()
         /* Find the config entries beneath our plugin entry. */
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_load_config: Looking for config entries "
-                        "beneath "%s".\n", slapi_sdn_get_ndn(mep_get_plugin_sdn()));
-        slapi_search_internal_set_pb(search_pb, slapi_sdn_get_ndn(mep_get_plugin_sdn()),
+                        "beneath "%s".\n",
+                         slapi_sdn_get_ndn(mep_get_plugin_sdn()));
+        slapi_search_internal_set_pb(search_pb,
+                                     slapi_sdn_get_ndn(mep_get_plugin_sdn()),
                                      LDAP_SCOPE_SUBTREE, "objectclass=*",
                                      NULL, 0, NULL, NULL, mep_get_plugin_id(), 0);
     }
@@ -769,24 +771,17 @@ mep_delete_config()
 /*
  * Helper functions
  */
-static char *
-mep_get_dn(Slapi_PBlock * pb)
+static Slapi_DN *
+mep_get_sdn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
-                    "--> mep_get_dn\n");
-
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
-        slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
-                        "mep_get_dn: failed to get dn of changed entry");
-        goto bail;
-    }
-
-  bail:
+                    "--> mep_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
-                    "<-- mep_get_dn\n");
+                    "<-- mep_get_sdn\n");
-    return dn;
+    return sdn;
 }
static void
@@ -807,20 +802,17 @@ mep_get_config_area()
  * Checks if dn is a managed entries config entry.
  */
 static int
-mep_dn_is_config(char *dn)
+mep_dn_is_config(Slapi_DN *sdn)
 {
     int ret = 0;
-    Slapi_DN *sdn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "--> mep_dn_is_config\n");
-    if (dn == NULL) {
+    if (sdn == NULL) {
         goto bail;
     }
-    sdn = slapi_sdn_new_dn_byref(dn);
-
     /* If an alternate config area is configured, treat it's child
      * entries as config entries.  If the alternate config area is
      * not configured, treat children of the top-level plug-in
@@ -838,7 +830,6 @@ mep_dn_is_config(char *dn)
     }
bail:
-    slapi_sdn_free(&sdn);
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "<-- mep_dn_is_config\n");
@@ -851,7 +842,7 @@ bail:
  * Checks if dn is a managed entries template.
  */
 static int
-mep_dn_is_template(char *dn)
+mep_dn_is_template(const char *dn)
 {
     int ret = 0;
     PRCList *list = NULL;
@@ -1139,7 +1130,7 @@ mep_create_managed_entry(struct configEntry *config, Slapi_Entry *origin)
/* Create the DN using the mapped RDN value
          * and the base specified in the config. */
-        dn = slapi_create_dn_string("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
+        dn = slapi_ch_smprintf("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
slapi_ch_free_string(&rdn_val);
@@ -1259,8 +1250,9 @@ mep_add_managed_entry(struct configEntry *config,
             slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                     "Adding %s pointer to "%s" in entry "%s"\n.",
                     MEP_MANAGED_ENTRY_TYPE, managed_dn, slapi_entry_get_dn(origin));
-            slapi_modify_internal_set_pb(mod_pb, slapi_entry_get_dn(origin),
-                                         mods, 0, 0, mep_get_plugin_id(), 0);
+            slapi_modify_internal_set_pb_ext(mod_pb, 
+                                            slapi_entry_get_sdn(origin),
+                                            mods, 0, 0, mep_get_plugin_id(), 0);
             slapi_modify_internal_pb(mod_pb);
             slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
@@ -1283,8 +1275,9 @@ mep_add_managed_entry(struct configEntry *config,
  * Renames a managed entry and updates the pointer in the
  * origin entry.
  */
-static void mep_rename_managed_entry(Slapi_Entry *origin,
-    char *new_dn, char *old_dn)
+static void
+mep_rename_managed_entry(Slapi_Entry *origin,
+                         Slapi_DN *new_dn, Slapi_DN *old_dn)
 {
     Slapi_RDN *srdn = slapi_rdn_new();
     Slapi_PBlock *mep_pb = slapi_pblock_new();
@@ -1299,10 +1292,10 @@ static void mep_rename_managed_entry(Slapi_Entry *origin,
     }
/* Create new RDN */
-    slapi_rdn_set_dn(srdn, new_dn);
+    slapi_rdn_set_dn(srdn, slapi_sdn_get_ndn(new_dn));
/* Rename the managed entry. */
-    slapi_rename_internal_set_pb(mep_pb, old_dn,
+    slapi_rename_internal_set_pb_ext(mep_pb, old_dn,
                                  slapi_rdn_get_rdn(srdn),
                                  NULL, 1, NULL, NULL, mep_get_plugin_id(), 0);
     slapi_modrdn_internal_pb(mep_pb);
@@ -1311,14 +1304,14 @@ static void mep_rename_managed_entry(Slapi_Entry *origin,
     if (result != LDAP_SUCCESS) {
         slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                     "mep_rename_managed_entry: Unable to rename managed "
-                    "entry "%s" to "%s" (%s).\n", old_dn,
-                    new_dn, ldap_err2string(result));
+                    "entry "%s" to "%s" (%s).\n", slapi_sdn_get_dn(old_dn),
+                    slapi_sdn_get_dn(new_dn), ldap_err2string(result));
     } else {
         /* Clear out the pblock for reuse. */
         slapi_pblock_init(mep_pb);
/* Update the link to the managed entry in the origin entry. */
-        vals[0] = new_dn;
+        vals[0] = (char *)slapi_sdn_get_dn(new_dn);
         vals[1] = 0;
         mod.mod_op = LDAP_MOD_REPLACE;
         mod.mod_type = MEP_MANAGED_ENTRY_TYPE;
@@ -1331,8 +1324,8 @@ static void mep_rename_managed_entry(Slapi_Entry *origin,
                 "mep_rename_managed_entry: Updating %s pointer to "
                 ""%s" in entry "%s"\n.", MEP_MANAGED_ENTRY_TYPE,
                 vals[0], slapi_entry_get_dn(origin));
-        slapi_modify_internal_set_pb(mep_pb, slapi_entry_get_dn(origin), mods,
-                                     0, 0, mep_get_plugin_id(), 0);
+        slapi_modify_internal_set_pb_ext(mep_pb, slapi_entry_get_sdn(origin),
+                                         mods, 0, 0, mep_get_plugin_id(), 0);
         slapi_modify_internal_pb(mep_pb);
         slapi_pblock_get(mep_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
@@ -1742,7 +1735,7 @@ mep_is_mapped_attr(Slapi_Entry *template, char *type)
 static int
 mep_pre_op(Slapi_PBlock * pb, int modop)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *e = 0;
     Slapi_Mods *smods = 0;
     LDAPMod **mods;
@@ -1762,10 +1755,10 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
     /* See if we're calling ourselves. */
     slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &caller_id);
-    if (0 == (dn = mep_get_dn(pb)))
+    if (0 == (sdn = mep_get_sdn(pb)))
         goto bail;
-    if (mep_dn_is_config(dn)) {
+    if (mep_dn_is_config(sdn)) {
         /* Validate config changes, but don't apply them.
          * This allows us to reject invalid config changes
          * here at the pre-op stage.  Applying the config
@@ -1777,10 +1770,8 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
         } else if (LDAP_CHANGETYPE_MODIFY == modop) {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
-            if (tmp_dn) {
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+            if (sdn) {
+                slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                 free_entry = 1;
             }
@@ -1829,11 +1820,10 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
             goto bail;
         }
-        mep_find_config_by_template_dn(dn, &config);
+        mep_find_config_by_template_dn(slapi_sdn_get_dn(sdn), &config);
         if (config) {
             Slapi_Entry *test_entry = NULL;
             struct configEntry *config_copy = NULL;
-            Slapi_DN *tmp_dn = NULL;
config_copy = (struct configEntry *)slapi_ch_calloc(1, sizeof(struct configEntry));
@@ -1860,12 +1850,9 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
                 ret = LDAP_UNWILLING_TO_PERFORM;
                 break;
             case LDAP_CHANGETYPE_MODIFY: 
-                tmp_dn = slapi_sdn_new_dn_byref(dn);
-
                 /* Fetch the existing template entry. */
-                if (tmp_dn) {
-                    slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                    slapi_sdn_free(&tmp_dn);
+                if (sdn) {
+                    slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                     free_entry = 1;
                 }
@@ -1920,7 +1907,6 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
          * this plugin. */
         if (((modop == LDAP_CHANGETYPE_DELETE) || (modop == LDAP_CHANGETYPE_MODDN) ||
             (modop == LDAP_CHANGETYPE_MODIFY)) && (caller_id != mep_get_plugin_id())) {
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
             Slapi_Entry *origin_e = NULL;
             Slapi_Mod *smod = NULL;
             Slapi_Mod *next_mod = NULL;
@@ -1928,14 +1914,13 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
             Slapi_DN *origin_sdn = NULL;
/* Fetch the target entry. */
-            if (tmp_dn) {
+            if (sdn) {
                 /* Free any existing entry so we don't leak it. */
                 if (e && free_entry) {
                     slapi_entry_free(e);
                 }
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+                slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                 free_entry = 1;
             }
@@ -2070,7 +2055,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
     Slapi_Mods *smods = NULL;
     Slapi_PBlock *mep_pb = NULL;
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     char *managed_dn = NULL;
     Slapi_DN *managed_sdn = NULL;
     char *mapped_dn = NULL;
@@ -2085,9 +2070,9 @@ mep_mod_post_op(Slapi_PBlock *pb)
     if (!g_plugin_started)
         return 0;
-    if (mep_oktodo(pb) && (dn = mep_get_dn(pb))) {
+    if (mep_oktodo(pb) && (sdn = mep_get_sdn(pb))) {
         /* First check if the config or a template is being modified. */
-        if (mep_dn_is_config(dn) || mep_dn_is_template(dn)) {
+        if (mep_dn_is_config(sdn) || mep_dn_is_template(slapi_sdn_get_dn(sdn))) {
             mep_load_config();
         }
@@ -2143,7 +2128,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
                         slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                                     "mep_mod_post_op: Unable to update mapped "
                                     "attributes from origin entry "%s" in managed "
-                                    "entry "%s" (%s).\n", dn, managed_dn,
+                                    "entry "%s" (%s).\n", slapi_sdn_get_dn(sdn), managed_dn,
                                     ldap_err2string(result));
                     }
@@ -2157,7 +2142,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
                     managed_sdn = slapi_sdn_new_dn_byref(managed_dn);
if (slapi_sdn_compare(managed_sdn, mapped_sdn) != 0) {
-                        mep_rename_managed_entry(e, mapped_dn, managed_dn);
+                        mep_rename_managed_entry(e, mapped_sdn, managed_sdn);
                     }
slapi_sdn_free(&mapped_sdn);
@@ -2166,7 +2151,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
             } else {
                 slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                         "mep_mod_post_op: Unable to find config for origin "
-                        "entry "%s".\n", dn);
+                        "entry "%s".\n", slapi_sdn_get_dn(sdn));
             }
slapi_ch_free_string(&managed_dn);
@@ -2187,7 +2172,7 @@ static int
 mep_add_post_op(Slapi_PBlock *pb)
 {
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     struct configEntry *config = NULL;
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2198,8 +2183,8 @@ mep_add_post_op(Slapi_PBlock *pb)
         return 0;
/* Reload config if a config entry was added. */
-    if ((dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(dn)) {
+    if ((sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(sdn)) {
             mep_load_config();
         }
     } else {
@@ -2241,7 +2226,7 @@ mep_add_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_add_post_op: Error "
-                        "retrieving post-op entry %s\n", dn);
+                        "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2253,8 +2238,8 @@ mep_add_post_op(Slapi_PBlock *pb)
 static int
 mep_del_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
     Slapi_Entry *e = NULL;
+    Slapi_DN *sdn = NULL;
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "--> mep_del_post_op\n");
@@ -2265,8 +2250,8 @@ mep_del_post_op(Slapi_PBlock *pb)
     }
/* Reload config if a config entry was deleted. */
-    if ((dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(dn))
+    if ((sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(sdn))
             mep_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
@@ -2299,7 +2284,7 @@ mep_del_post_op(Slapi_PBlock *pb)
             slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                             "mep_del_post_op: Deleting managed entry "
                             ""%s" due to deletion of origin entry "
-                            ""%s".\n ", managed_dn, dn);
+                            ""%s".\n ", managed_dn, slapi_sdn_get_dn(sdn));
             slapi_delete_internal_set_pb(mep_pb, managed_dn, NULL,
                                          NULL, mep_get_plugin_id(), 0);
             slapi_delete_internal_pb(mep_pb);
@@ -2310,7 +2295,7 @@ mep_del_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_del_post_op: Error "
-                        "retrieving pre-op entry %s\n", dn);
+                        "retrieving pre-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2322,8 +2307,9 @@ mep_del_post_op(Slapi_PBlock *pb)
 static int
 mep_modrdn_post_op(Slapi_PBlock *pb)
 {
-    char *old_dn = NULL;
-    char *new_dn = NULL;
+    const char *new_dn = NULL;
+    Slapi_DN *old_sdn = NULL;
+    Slapi_DN *new_sdn = NULL;
     Slapi_Entry *post_e = NULL;
     char *managed_dn = NULL;
     struct configEntry *config = NULL;
@@ -2340,7 +2326,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
      * config entries. */
     slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &post_e);
     if (post_e) {
-        new_dn = slapi_entry_get_ndn(post_e);
+        new_sdn = slapi_entry_get_sdn(post_e);
+        new_dn = slapi_sdn_get_dn(new_sdn);
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_modrdn_post_op: Error "
@@ -2348,8 +2335,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
         return 0;
     }
-    if ((old_dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(old_dn) || mep_dn_is_config(new_dn))
+    if ((old_sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(old_sdn) || mep_dn_is_config(new_sdn))
             mep_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
@@ -2398,7 +2385,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
             slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                     "mep_modrdn_post_op: Removing managed entry "%s" "
                     "since origin entry "%s" was moved out of scope.\n",
-                    managed_dn, old_dn);
+                    managed_dn, slapi_sdn_get_dn(old_sdn));
             slapi_delete_internal_set_pb (mep_pb, managed_dn, NULL, NULL,
                                           mep_get_plugin_id(), 0);
             slapi_delete_internal_pb(mep_pb);
@@ -2428,8 +2415,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
                     "mep_modrdn_post_op: Removing %s pointer and %s "
                     "objectclass from entry "%s".\n",
                     MEP_MANAGED_ENTRY_TYPE, MEP_ORIGIN_OC, new_dn);
-            slapi_modify_internal_set_pb(mep_pb, new_dn, mods, 0, 0,
-                                         mep_get_plugin_id(), 0);
+            slapi_modify_internal_set_pb_ext(mep_pb, new_sdn, mods, 0, 0,
+                                             mep_get_plugin_id(), 0);
             slapi_modify_internal_pb(mep_pb);
             slapi_pblock_get(mep_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
@@ -2442,7 +2429,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
             }
         } else {
             /* Update backlink to new origin DN in managed entry. */
-            vals[0] = new_dn;
+            vals[0] = (char *)new_dn;
             vals[1] = 0;
             mod.mod_op = LDAP_MOD_REPLACE;
             mod.mod_type = MEP_MANAGED_BY_TYPE;
@@ -2498,8 +2485,11 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
                                     "mep_modrdn_post_op: Renaming managed entry "
                                     ""%s" to "%s" due to rename of origin "
                                     "entry "%s".\n ", managed_dn,
-                                    slapi_entry_get_dn(new_managed_entry), old_dn);
-                    mep_rename_managed_entry(post_e, slapi_entry_get_dn(new_managed_entry), managed_dn);
+                                    slapi_entry_get_dn(new_managed_entry),
+                                    slapi_sdn_get_dn(old_sdn));
+                    mep_rename_managed_entry(post_e,
+                                    slapi_entry_get_sdn(new_managed_entry),
+                                    managed_sdn);
                 }
/* Update all of the mapped attributes
@@ -2513,7 +2503,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
                     slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                             "mep_modrdn_post_op: Updating mapped attributes "
                             "in entry "%s"\n.", managed_dn);
-                    slapi_modify_internal_set_pb(mep_pb, slapi_entry_get_dn(new_managed_entry),
+                    slapi_modify_internal_set_pb_ext(mep_pb,
+                                    slapi_entry_get_sdn(new_managed_entry),
                                     slapi_mods_get_ldapmods_byref(smods), 0, 0,
                                     mep_get_plugin_id(), 0);
                     slapi_modify_internal_pb(mep_pb);
diff --git a/ldap/servers/plugins/pam_passthru/pam_passthru.h b/ldap/servers/plugins/pam_passthru/pam_passthru.h
index 6a9d332..748c2f1 100644
--- a/ldap/servers/plugins/pam_passthru/pam_passthru.h
+++ b/ldap/servers/plugins/pam_passthru/pam_passthru.h
@@ -129,7 +129,7 @@ void * pam_passthruauth_get_plugin_identity();
  */
 int pam_passthru_config( Slapi_Entry *config_e );
 Pam_PassthruConfig *pam_passthru_get_config( void );
-int pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn);
+int pam_passthru_check_suffix(Pam_PassthruConfig *cfg, const char *binddn);
/*
  * pam_ptimpl.c
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
index beff65d..bde2ef6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
@@ -538,7 +538,7 @@ pam_passthru_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Ent
 }
int
-pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn)
+pam_passthru_check_suffix(Pam_PassthruConfig *cfg, const char *binddn)
 {
    Slapi_DN *comp_dn;
    Pam_PassthruSuffix *try;
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptimpl.c b/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
index 662239f..2aedec7 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
@@ -91,7 +91,7 @@ struct my_pam_conv_str {
  * Get the PAM identity from the value of the leftmost RDN in the BIND DN.
  */
 static char *
-derive_from_bind_dn(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id)
+derive_from_bind_dn(Slapi_PBlock *pb, const char *binddn, MyStrBuf *pam_id)
 {
    Slapi_RDN *rdn;
    char *type = NULL;
@@ -106,7 +106,8 @@ derive_from_bind_dn(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id)
 }
static char *
-derive_from_bind_entry(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id, char *map_ident_attr, int *locked)
+derive_from_bind_entry(Slapi_PBlock *pb, const char *binddn, 
+                       MyStrBuf *pam_id, char *map_ident_attr, int *locked)
 {
    char buf[BUFSIZ];
    Slapi_Entry *entry = NULL;
@@ -264,7 +265,8 @@ do_one_pam_auth(
 )
 {
    MyStrBuf pam_id;
-	char *binddn = NULL;
+	const char *binddn = NULL;
+	Slapi_DN *bindsdn = NULL;
    int rc;
    int retcode = LDAP_SUCCESS;
    pam_handle_t *pam_handle;
@@ -274,7 +276,13 @@ do_one_pam_auth(
    char *errmsg = NULL; /* free with PR_smprintf_free */
    int locked = 0;
-	slapi_pblock_get( pb, SLAPI_BIND_TARGET, &binddn );
+	slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &bindsdn );
+	if (NULL == bindsdn) {
+		errmsg = PR_smprintf("Null bind dn");
+		retcode = LDAP_OPERATIONS_ERROR;
+		goto done; /* skip the pam stuff */
+	}
+	binddn = slapi_sdn_get_dn(bindsdn);
if (method == PAMPT_MAP_METHOD_RDN) {
    	derive_from_bind_dn(pb, binddn, &pam_id);
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index 9e14c26..d726017 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -165,10 +165,12 @@ static int
 pam_passthru_bindpreop( Slapi_PBlock *pb )
 {
     int rc, method;
-    char *normbinddn, *errmsg = NULL;
+    const char *normbinddn;
+    char *errmsg = NULL;
+    Slapi_DN *bindsdn = NULL;
     Pam_PassthruConfig	*cfg;
     struct berval	*creds;
-	int retcode = PAM_PASSTHRU_OP_NOT_HANDLED;
+    int retcode = PAM_PASSTHRU_OP_NOT_HANDLED;
PAM_PASSTHRU_ASSERT( pb != NULL );
@@ -179,12 +181,13 @@ pam_passthru_bindpreop( Slapi_PBlock *pb )
      * retrieve parameters for bind operation
      */
     if ( slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) != 0 ||
-		 slapi_pblock_get( pb, SLAPI_BIND_TARGET, &normbinddn ) != 0 ||
+		 slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &bindsdn ) != 0 ||
    	 slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
    	slapi_log_error( SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
    					 "<= not handled (unable to retrieve bind parameters)\n" );
    	return retcode;
     }
+    normbinddn = slapi_sdn_get_dn(bindsdn);
/*
      * We only handle simple bind requests that include non-NULL binddn and
diff --git a/ldap/servers/plugins/passthru/passthru.h b/ldap/servers/plugins/passthru/passthru.h
index ac19849..e0421ac 100644
--- a/ldap/servers/plugins/passthru/passthru.h
+++ b/ldap/servers/plugins/passthru/passthru.h
@@ -136,7 +136,7 @@ typedef struct passthruconfig {
  * ptbind.c:
  */
 int passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
-	char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
+	const char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
    char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
    LDAPControl ***resctrlsp );
@@ -149,7 +149,7 @@ PassThruConfig *passthru_get_config( void );
 /*
  * ptconn.c:
  */
-int passthru_dn2server( PassThruConfig *cfg, char *normdn,
+int passthru_dn2server( PassThruConfig *cfg, const char *normdn,
    PassThruServer **srvrp );
 int passthru_get_connection( PassThruServer *srvr, LDAP **ldp );
 void passthru_release_connection( PassThruServer *srvr, LDAP *ld, int dispose );
diff --git a/ldap/servers/plugins/passthru/ptbind.c b/ldap/servers/plugins/passthru/ptbind.c
index 063ba15..efbc896 100644
--- a/ldap/servers/plugins/passthru/ptbind.c
+++ b/ldap/servers/plugins/passthru/ptbind.c
@@ -48,7 +48,7 @@
 #include "passthru.h"
static int
-passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
+passthru_simple_bind_once_s( PassThruServer *srvr, const char *dn,
    struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
    char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
    LDAPControl ***resctrlsp );
@@ -68,7 +68,7 @@ passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
  */
 int
 passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
-	char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
+	const char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
    char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
    LDAPControl ***resctrlsp )
 {
@@ -102,7 +102,7 @@ passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
  * like passthru_simple_bind_s() but only makes one attempt.
  */
 static int
-passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
+passthru_simple_bind_once_s( PassThruServer *srvr, const char *dn,
    struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
    char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
    LDAPControl ***resctrlsp )
diff --git a/ldap/servers/plugins/passthru/ptconn.c b/ldap/servers/plugins/passthru/ptconn.c
index 1001c98..a3e2bd2 100644
--- a/ldap/servers/plugins/passthru/ptconn.c
+++ b/ldap/servers/plugins/passthru/ptconn.c
@@ -50,7 +50,7 @@
 /*
  * function prototypes
  */
-static int dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn,
+static int dn_is_underneath_suffix( PassThruSuffix *suffix, const char *normdn,
     int dnlen );
 static void close_and_dispose_connection( PassThruConnection *conn );
 static void check_for_stale_connections( PassThruServer *srvr );
@@ -107,7 +107,7 @@ static void check_for_stale_connections( PassThruServer *srvr );
  *	LDAP_NO_SUCH_OBJECT	let this server handle the bind.
  */
 int
-passthru_dn2server( PassThruConfig *cfg, char *normdn, PassThruServer **srvrp )
+passthru_dn2server( PassThruConfig *cfg, const char *normdn, PassThruServer **srvrp )
 {
     PassThruServer	*ptsrvr;
     PassThruSuffix	*ptsuffix;
@@ -360,7 +360,7 @@ passthru_close_all_connections( PassThruConfig *cfg )
  * return non-zero value if normdn falls underneath a suffix
  */
 static int
-dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn, int dnlen )
+dn_is_underneath_suffix( PassThruSuffix *suffix, const char *normdn, int dnlen )
 {
     PASSTHRU_ASSERT( suffix != NULL );
     PASSTHRU_ASSERT( normdn != NULL );
@@ -368,7 +368,7 @@ dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn, int dnlen )
return ( suffix->ptsuffix_len <= dnlen &&
        slapi_UTF8CASECMP( suffix->ptsuffix_normsuffix,
-	    normdn + ( dnlen - suffix->ptsuffix_len )) == 0 );
+	    (char *)normdn + ( dnlen - suffix->ptsuffix_len )) == 0 );
 }
diff --git a/ldap/servers/plugins/passthru/ptpreop.c b/ldap/servers/plugins/passthru/ptpreop.c
index e566c64..1f73cf1 100644
--- a/ldap/servers/plugins/passthru/ptpreop.c
+++ b/ldap/servers/plugins/passthru/ptpreop.c
@@ -149,7 +149,9 @@ static int
 passthru_bindpreop( Slapi_PBlock *pb )
 {
     int			rc, method, freeresctrls=1;
-    char		*normbinddn, *matcheddn;
+    char		*matcheddn;
+    const char	*normbinddn = NULL;
+    Slapi_DN	*sdn = NULL;
     char		*libldap_errmsg, *pr_errmsg, *errmsg;
     PassThruConfig	*cfg;
     PassThruServer	*srvr;
@@ -165,14 +167,15 @@ passthru_bindpreop( Slapi_PBlock *pb )
      * retrieve parameters for bind operation
      */
     if ( slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) != 0 ||
-	    slapi_pblock_get( pb, SLAPI_BIND_TARGET, &normbinddn ) != 0 ||
-	    slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
-	slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM,
-		"<= not handled (unable to retrieve bind parameters)\n" );
-	return( PASSTHRU_OP_NOT_HANDLED );
+        slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) != 0 ||
+        slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
+        slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM,
+                     "<= not handled (unable to retrieve bind parameters)\n" );
+        return( PASSTHRU_OP_NOT_HANDLED );
     }
+    normbinddn = slapi_sdn_get_dn(sdn);
     if ( normbinddn == NULL ) {
-	normbinddn = "";
+        normbinddn = "";
     }
/*
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index 8b3ac75..57ee6df 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -77,10 +77,10 @@ int referint_postop_del( Slapi_PBlock *pb );
 int referint_postop_modrdn( Slapi_PBlock *pb ); 
 int referint_postop_start( Slapi_PBlock *pb);
 int referint_postop_close( Slapi_PBlock *pb);
-int update_integrity(char **argv, char *origDN, char *newrDN, char *newsuperior, int logChanges, void *txn);
+int update_integrity(char **argv, Slapi_DN *sDN, char *newrDN, Slapi_DN *newsuperior, int logChanges, void *txn);
 void referint_thread_func(void *arg);
 int  GetNextLine(char *dest, int size_dest, PRFileDesc *stream);
-void writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior);
+void writeintegritylog(char *logfilename, Slapi_DN *sdn, char *newrdn, Slapi_DN *newsuperior);
 int my_fgetc(PRFileDesc *stream);
/* global thread control stuff */
@@ -157,7 +157,7 @@ referint_postop_init( Slapi_PBlock *pb )
 int
 referint_postop_del( Slapi_PBlock *pb )
 {
-	char	*dn;
+	Slapi_DN *sdn = NULL;
    int rc;
    int oprc;
    char **argv;
@@ -168,7 +168,7 @@ referint_postop_del( Slapi_PBlock *pb )
    void *txn = NULL;
if ( slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &isrepop ) != 0  ||
-		 slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn ) != 0  ||
+		 slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn ) != 0  ||
         slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0  ||
         slapi_pblock_get(pb, SLAPI_TXN, &txn) != 0) 
         {
@@ -215,10 +215,10 @@ referint_postop_del( Slapi_PBlock *pb )
    	}else if(delay == 0){
    	  /* no delay */
    	  /* call function to update references to entry */
-		  rc = update_integrity(argv, dn, NULL, NULL, logChanges, txn);
+		  rc = update_integrity(argv, sdn, NULL, NULL, logChanges, txn);
    	}else{
    	  /* write the entry to integrity log */
-		  writeintegritylog(argv[1],dn, NULL, NULL);
+		  writeintegritylog(argv[1], sdn, NULL, NULL);
    	  rc = 0;
    	}
    } else {
@@ -234,9 +234,9 @@ referint_postop_del( Slapi_PBlock *pb )
 int
 referint_postop_modrdn( Slapi_PBlock *pb )
 {
-	char	*dn;
+	Slapi_DN *sdn = NULL;
    char	*newrdn;
-	char	*newsuperior;
+	Slapi_DN *newsuperior;
    int oprc;
    int rc;
    char **argv;
@@ -247,9 +247,9 @@ referint_postop_modrdn( Slapi_PBlock *pb )
    void *txn = NULL;
if ( slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &isrepop ) != 0  ||
-		 slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn ) != 0 ||
+		 slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn ) != 0 ||
    	 slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ) != 0 ||
-		 slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior ) != 0 ||
+		 slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior ) != 0 ||
    	 slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 ||
    	 slapi_pblock_get(pb, SLAPI_TXN, &txn) != 0) {
@@ -299,11 +299,12 @@ referint_postop_modrdn( Slapi_PBlock *pb )
      rc = 0;
    }else if(delay == 0){
      /* no delay */
- 	  /* call function to update references to entry */
-	  rc = update_integrity(argv, dn, newrdn, newsuperior, logChanges, txn);
+	  /* call function to update references to entry */
+	  rc = update_integrity(argv, sdn, newrdn,
+	                        newsuperior, logChanges, txn);
    }else{
      /* write the entry to integrity log */
-	  writeintegritylog(argv[1],dn, newrdn, newsuperior);
+	  writeintegritylog(argv[1], sdn, newrdn, newsuperior);
      rc = 0;
    }
@@ -331,7 +332,7 @@ int isFatalSearchError(int search_result)
 }
static int
-_do_modify(Slapi_PBlock *mod_pb, const char *entryDN, LDAPMod **mods, void *txn)
+_do_modify(Slapi_PBlock *mod_pb, Slapi_DN *entrySDN, LDAPMod **mods, void *txn)
 {
     int rc = 0;
@@ -340,8 +341,8 @@ _do_modify(Slapi_PBlock *mod_pb, const char *entryDN, LDAPMod **mods, void *txn)
     slapi_pblock_set(mod_pb, SLAPI_TXN, txn);
/* Use internal operation API */
-    slapi_modify_internal_set_pb(mod_pb, entryDN, mods, NULL, NULL,
-                                 referint_plugin_identity, 0);
+    slapi_modify_internal_set_pb_ext(mod_pb, entrySDN, mods, NULL, NULL,
+                                     referint_plugin_identity, 0);
     slapi_modify_internal_pb(mod_pb);
     slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
@@ -352,13 +353,12 @@ _do_modify(Slapi_PBlock *mod_pb, const char *entryDN, LDAPMod **mods, void *txn)
  * update one attribute value per _do_modify
  */
 static int
-_update_one_per_mod(const char *entryDN, /* DN of the searched entry */
-                    Slapi_Attr *attr,    /* referred attribute */
+_update_one_per_mod(Slapi_DN *entrySDN,      /* DN of the searched entry */
+                    Slapi_Attr *attr,        /* referred attribute */
                     char *attrName,
-                    char *origDN,        /* original DN that was modified */
-                    char *norm_origDN,   /* normalized original DN */
-                    char *newRDN,        /* new RDN from modrdn */
-                    char *newsuperior,   /* new superior from modrdn */
+                    const char *origDN,      /* original DN that was modified */
+                    char *newRDN,            /* new RDN from modrdn */
+                    const char *newsuperior, /* new superior from modrdn */
                     Slapi_PBlock *mod_pb, void *txn)
 {
     LDAPMod *list_of_mods[3];
@@ -374,7 +374,7 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
     if (NULL == newRDN && NULL == newsuperior) {
         /* in delete mode */
         /* delete old dn so set that up */
-        values_del[0] = origDN;
+        values_del[0] = (char *)origDN;
         values_del[1] = NULL;
         attribute1.mod_type = attrName;
         attribute1.mod_op = LDAP_MOD_DELETE;
@@ -382,11 +382,11 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
         list_of_mods[0] = &attribute1;
         /* terminate list of mods. */
         list_of_mods[1] = NULL;
-        rc = _do_modify(mod_pb, entryDN, list_of_mods, txn);
+        rc = _do_modify(mod_pb, entrySDN, list_of_mods, txn);
         if (rc) {
             slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                 "_update_one_value: entry %s: deleting "%s: %s" failed (%d)"
-                "\n", entryDN, attrName, origDN, rc);
+                "\n", slapi_sdn_get_dn(entrySDN), attrName, origDN, rc);
         }
     } else {
         /* in modrdn mode */
@@ -400,7 +400,7 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
             newRDN = dnParts[0];
         }
         if (newsuperior) {
-            superior = (const char *)newsuperior;
+            superior = newsuperior;
         } else {
             /* no need to free superior */
             superior = slapi_dn_find_parent(origDN);
@@ -443,7 +443,7 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
             }
             /* else: (rc < 0) Ignore the DN normalization error for now. */
-            p = PL_strstr(sval, norm_origDN);
+            p = PL_strstr(sval, origDN);
             if (p == sval) {
                 /* (case 1) */
                 values_del[0] = sval;
@@ -460,12 +460,13 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
                 attribute2.mod_values = values_add;
                 list_of_mods[1] = &attribute2;
                 list_of_mods[2] = NULL;
-                rc = _do_modify(mod_pb, entryDN, list_of_mods, txn);
+                rc = _do_modify(mod_pb, entrySDN, list_of_mods, txn);
                 if (rc) {
                     slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                         "_update_one_value: entry %s: replacing "%s: %s" "
                         "with "%s: %s" failed (%d)\n",
-                        entryDN, attrName, origDN, attrName, newDN, rc);
+                        slapi_sdn_get_dn(entrySDN), attrName, 
+                        origDN, attrName, newDN, rc);
                 }
             } else if (p) {
                 char bak;
@@ -489,12 +490,12 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
                 attribute2.mod_values = values_add;
                 list_of_mods[1] = &attribute2;
                 list_of_mods[2] = NULL;
-                rc = _do_modify(mod_pb, entryDN, list_of_mods, txn);
+                rc = _do_modify(mod_pb, entrySDN, list_of_mods, txn);
                 if (rc) {
                     slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                         "_update_one_value: entry %s: replacing "%s: %s" "
                         "with "%s: %s" failed (%d)\n",
-                        entryDN, attrName, sval, attrName, newvalue, rc);
+                        slapi_sdn_get_dn(entrySDN), attrName, sval, attrName, newvalue, rc);
                 }
                 slapi_ch_free_string(&newvalue);
             } 
@@ -517,13 +518,12 @@ _update_one_per_mod(const char *entryDN, /* DN of the searched entry */
  * update multiple attribute values per _do_modify
  */
 static int
-_update_all_per_mod(const char *entryDN, /* DN of the searched entry */
-                    Slapi_Attr *attr,    /* referred attribute */
+_update_all_per_mod(Slapi_DN *entrySDN,      /* DN of the searched entry */
+                    Slapi_Attr *attr,        /* referred attribute */
                     char *attrName,
-                    char *origDN,        /* original DN that was modified */
-                    char *norm_origDN,   /* normalized original DN */
-                    char *newRDN,        /* new RDN from modrdn */
-                    char *newsuperior,   /* new superior from modrdn */
+                    const char *origDN,      /* original DN that was modified */
+                    char *newRDN,            /* new RDN from modrdn */
+                    const char *newsuperior, /* new superior from modrdn */
                     Slapi_PBlock *mod_pb, void *txn)
 {
     Slapi_Mods *smods = NULL;
@@ -543,7 +543,7 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
         LDAPMod attribute1;
/* delete old dn so set that up */
-        values_del[0] = origDN;
+        values_del[0] = (char *)origDN;
         values_del[1] = NULL;
         attribute1.mod_type = attrName;
         attribute1.mod_op = LDAP_MOD_DELETE;
@@ -551,11 +551,11 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
         mods[0] = &attribute1;
         /* terminate list of mods. */
         mods[1] = NULL;
-        rc = _do_modify(mod_pb, entryDN, mods, txn);
+        rc = _do_modify(mod_pb, entrySDN, mods, txn);
         if (rc) {
             slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                 "_update_one_value: entry %s: deleting "%s: %s" failed (%d)"
-                "\n", entryDN, attrName, origDN, rc);
+                "\n", slapi_sdn_get_dn(entrySDN), attrName, origDN, rc);
         }
     } else {
         /* in modrdn mode */
@@ -569,7 +569,7 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
             newRDN = dnParts[0];
         }
         if (newsuperior) {
-            superior = (const char *)newsuperior;
+            superior = newsuperior;
         } else {
             /* no need to free superior */
             superior = slapi_dn_find_parent(origDN);
@@ -615,7 +615,7 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
             }
             /* else: (rc < 0) Ignore the DN normalization error for now. */
-            p = PL_strstr(sval, norm_origDN);
+            p = PL_strstr(sval, origDN);
             if (p == sval) {
                 /* (case 1) */
                 slapi_mods_add_string(smods, LDAP_MOD_DELETE, attrName, sval);
@@ -632,11 +632,11 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
             /* else: value does not include the modified DN.  Ignore it. */
             slapi_ch_free_string(&sval);
         }
-        rc = _do_modify(mod_pb, entryDN, slapi_mods_get_ldapmods_byref(smods), txn);
+        rc = _do_modify(mod_pb, entrySDN, slapi_mods_get_ldapmods_byref(smods), txn);
         if (rc) {
             slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                         "_update_all_value: entry %s failed (%d)\n",
-                        entryDN, rc);
+                        slapi_sdn_get_dn(entrySDN), rc);
         }
/* cleanup memory allocated for dnParts and newDN */
@@ -652,8 +652,9 @@ _update_all_per_mod(const char *entryDN, /* DN of the searched entry */
 }
int
-update_integrity(char **argv, char *origDN,
-                 char *newrDN, char *newsuperior, int logChanges, void *txn)
+update_integrity(char **argv, Slapi_DN *origSDN,
+                 char *newrDN, Slapi_DN *newsuperior, 
+                 int logChanges, void *txn)
 {
     Slapi_PBlock *search_result_pb = NULL;
     Slapi_PBlock *mod_pb = slapi_pblock_new();
@@ -664,9 +665,9 @@ update_integrity(char **argv, char *origDN,
     char *filter = NULL;
     int i, j;
     const char *search_base = NULL;
-    char *norm_origDN = NULL;
-    size_t dnlen = 0;
     int rc;
+    size_t len = slapi_sdn_get_ndn_len(origSDN);
+    const char *origDN = slapi_sdn_get_dn(origSDN);
if ( argv == NULL ) {
         slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
@@ -677,16 +678,6 @@ update_integrity(char **argv, char *origDN,
/* for now, just putting attributes to keep integrity on in conf file,
        until resolve the other timing mode issue */
-  
-    rc = slapi_dn_normalize_case_ext(origDN, 0,  &norm_origDN, &dnlen);
-    if (rc == 0) { /* origDN is passed in; not terminated */
-        *(norm_origDN + dnlen) = '\0';
-        norm_origDN = slapi_ch_strdup(norm_origDN);
-    } else if (rc < 0) {
-        /* Ignore the DN normalization error for now. */
-        norm_origDN = slapi_ch_strdup(origDN);
-    }
-
     search_result_pb = slapi_pblock_new();
/* Search each namingContext in turn */
@@ -698,8 +689,8 @@ update_integrity(char **argv, char *origDN,
         for(i = 3; argv[i] != NULL; i++)
         {
             char buf[BUFSIZ];
-            size_t len = strlen(origDN);
-            filter = slapi_ch_smprintf("(%s=*%s)", argv[i], escape_filter_value(origDN, len, buf));
+            filter = slapi_ch_smprintf("(%s=*%s)", argv[i],
+                                    escape_filter_value(origDN, len, buf));
             if ( filter ) {
                 /* Need only the current attribute and its subtypes */
                 char *attrs[2];
@@ -758,18 +749,16 @@ update_integrity(char **argv, char *origDN,
                                  */
                                 if (nval > 128) {
                                     rc = _update_one_per_mod(
-                                              slapi_entry_get_dn(search_entries[j]),
-                                              attr, attrName,
-                                              origDN, norm_origDN,
-                                              newrDN, newsuperior,
-                                              mod_pb, txn);
+                                         slapi_entry_get_sdn(search_entries[j]),
+                                         attr, attrName, origDN, newrDN, 
+                                         slapi_sdn_get_dn(newsuperior),
+                                         mod_pb, txn);
                                 } else {
                                     rc = _update_all_per_mod(
-                                              slapi_entry_get_dn(search_entries[j]),
-                                              attr, attrName,
-                                              origDN, norm_origDN,
-                                              newrDN, newsuperior,
-                                              mod_pb, txn);
+                                         slapi_entry_get_sdn(search_entries[j]),
+                                         attr, attrName, origDN, newrDN, 
+                                         slapi_sdn_get_dn(newsuperior),
+                                         mod_pb, txn);
                                 }
                                 /* Should we stop if one modify returns an error? */
                             }
@@ -798,8 +787,6 @@ update_integrity(char **argv, char *origDN,
     rc = 0;
free_and_return:
-    slapi_ch_free_string(&norm_origDN);
- 
     /* free filter and search_results_pb */
     slapi_ch_free_string(&filter);
@@ -900,7 +887,9 @@ referint_thread_func(void *arg)
     int no_changes;
     char delimiter[]="\t\n";
     char *ptoken;
-    char *tmpdn, *tmprdn, *tmpsuperior;
+	Slapi_DN *sdn = NULL;
+    char *tmprdn;
+    Slapi_DN *tmpsuperior = NULL;
     int logChanges=0;
    char * iter = NULL;
@@ -960,8 +949,7 @@ referint_thread_func(void *arg)
while( GetNextLine(thisline, MAX_LINE, prfd) ){
        ptoken = ldap_utf8strtok_r(thisline, delimiter, &iter);
-	    tmpdn = slapi_ch_calloc(strlen(ptoken) + 1, sizeof(char));
-	    strcpy(tmpdn, ptoken);
+		sdn = slapi_sdn_new_dn_byref(ptoken);
ptoken = ldap_utf8strtok_r (NULL, delimiter, &iter);
        if(!strcasecmp(ptoken, "NULL")) {
@@ -974,14 +962,15 @@ referint_thread_func(void *arg)
        if (!strcasecmp(ptoken, "NULL")) {
            tmpsuperior = NULL;
        } else {
-	        tmpsuperior = slapi_ch_smprintf("%s", ptoken);
+	        tmpsuperior = slapi_sdn_new_dn_byref(ptoken);
        }
-	    update_integrity(plugin_argv, tmpdn, tmprdn, tmpsuperior, logChanges, NULL);
+	    update_integrity(plugin_argv, sdn, tmprdn,
+	                     tmpsuperior, logChanges, NULL);
-	    slapi_ch_free_string(&tmpdn);
+	    slapi_sdn_free(&sdn);
        slapi_ch_free_string(&tmprdn);
-	    slapi_ch_free_string(&tmpsuperior);
+	    slapi_sdn_free(&tmpsuperior);
    }
PR_Close(prfd);
@@ -1094,7 +1083,8 @@ GetNextLine(char *dest, int size_dest, PRFileDesc *stream) {
 }
void
-writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior)
+writeintegritylog(char *logfilename, Slapi_DN *sdn, 
+                  char *newrdn, Slapi_DN *newsuperior)
 {
     PRFileDesc *prfd;
     char buffer[MAX_LINE];
@@ -1123,7 +1113,7 @@ writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior)
      */
/* add length of dn +  4(two tabs, a newline, and terminating \0) */
-    len_to_write = strlen(dn) + 4;
+    len_to_write = slapi_sdn_get_ndn_len(sdn) + 4;
if(newrdn == NULL)
     {
@@ -1139,7 +1129,7 @@ writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior)
         len_to_write += 4;
     }else{
         /* add the length of the newsuperior */
-        len_to_write += strlen(newsuperior);
+        len_to_write += slapi_sdn_get_ndn_len(newsuperior);
     }
if(len_to_write > MAX_LINE )
@@ -1150,9 +1140,10 @@ writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior)
                          " to update references to this entry.\n");
     }else{
        PR_snprintf(buffer, MAX_LINE, "%s\t%s\t%s\t\n", 
-				   dn,
+				   slapi_sdn_get_dn(sdn),
    			   (newrdn != NULL) ? newrdn : "NULL",
-				   (newsuperior != NULL) ? newsuperior : "NULL");
+				   (newsuperior != NULL) ? slapi_sdn_get_dn(newsuperior) :
+				                           "NULL");
         if (PR_Write(prfd,buffer,strlen(buffer)) < 0){
            slapi_log_error(SLAPI_LOG_FATAL,REFERINT_PLUGIN_SUBSYSTEM,
           " writeintegritylog: PR_Write failed : The disk"
diff --git a/ldap/servers/plugins/replication/cl4_api.c b/ldap/servers/plugins/replication/cl4_api.c
index c7d0ce0..ab72793 100644
--- a/ldap/servers/plugins/replication/cl4_api.c
+++ b/ldap/servers/plugins/replication/cl4_api.c
@@ -533,7 +533,7 @@ static int _cl4ResolveTargetDN (Slapi_Entry *entry, Slapi_DN **newTargetDN)
    if (strcasecmp (changetype, "add") == 0) /* this is add operation - we have rawdn */
    	slapi_sdn_set_dn_byref (targetSDN, targetdn);	
    else
-		slapi_sdn_set_ndn_byref (targetSDN, targetdn);
+		slapi_sdn_set_normdn_byref (targetSDN, targetdn);
/* read the entry to which the change was applied */
    rc = _cl4GetTargetEntry (targetSDN, uniqueid, &targetEntry);
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index c360444..2a834d7 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -1060,7 +1060,7 @@ cl5ImportLDIF (const char *clDir, const char *ldifFile, Object **replicas)
                         "cl5ImportLDIF: "
                         "failed to write operation to the changelog: "
                         "type: %lu, dn: %s\n",
-                        op.operation_type, op.target_address.dn);
+                        op.operation_type, REPL_GET_DN(&op.target_address));
                 slapi_ch_free_string(&replGen);
                 operation_parameters_done (&op);
                 goto done;
@@ -1080,7 +1080,7 @@ cl5ImportLDIF (const char *clDir, const char *ldifFile, Object **replicas)
                         "cl5ImportLDIF: "
                         "failed to write operation to the changelog: "
                         "type: %lu, dn: %s\n",
-                        op.operation_type, op.target_address.dn);
+                        op.operation_type, REPL_GET_DN(&op.target_address));
                 object_release (replica_obj);
                 slapi_ch_free_string(&replGen);
    			operation_parameters_done (&op);
@@ -2150,7 +2150,7 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
    									}
    									break;
-		case SLAPI_OPERATION_MODIFY:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_MODIFY:	size += REPL_GET_DN_LEN(&op->target_address) + 1;
    									/* Need larger buffer for the encrypted changelog */
    									if (s_cl5Desc.clcrypt_handle) {
    										size += (_cl5GetModsSize (op->p.p_modify.modify_mods) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN));
@@ -2159,11 +2159,11 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
    									}
    									break;
-		case SLAPI_OPERATION_MODRDN:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_MODRDN:	size += REPL_GET_DN_LEN(&op->target_address) + 1;
    									/* 1 for deleteoldrdn */
    									size += strlen (op->p.p_modrdn.modrdn_newrdn) + 2; 
-										if (op->p.p_modrdn.modrdn_newsuperior_address.dn)
-											size += strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn) + 1;
+										if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
+											size += REPL_GET_DN_LEN(&op->p.p_modrdn.modrdn_newsuperior_address) + 1;
    									else
    										size ++; /* for NULL char */
    									if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)
@@ -2178,7 +2178,7 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
    									}
    									break;
-		case SLAPI_OPERATION_DELETE:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_DELETE:	size += REPL_GET_DN_LEN(&op->target_address) + 1;
    									break;
    }
@@ -2218,20 +2218,20 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
    									ldap_mods_free (add_mods, 1);
    									break;
-		case SLAPI_OPERATION_MODIFY:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODIFY:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
    									_cl5WriteMods (op->p.p_modify.modify_mods, &pos);
    									break;
-		case SLAPI_OPERATION_MODRDN:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODRDN:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
    									_cl5WriteString (op->p.p_modrdn.modrdn_newrdn, &pos);
    									*pos = (PRUint8)op->p.p_modrdn.modrdn_deloldrdn;	 
    									pos ++;
-										_cl5WriteString (op->p.p_modrdn.modrdn_newsuperior_address.dn, &pos);
+										_cl5WriteString (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address), &pos);
    									_cl5WriteString (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, &pos);
    									_cl5WriteMods (op->p.p_modrdn.modrdn_mods, &pos);
    									break;
-		case SLAPI_OPERATION_DELETE:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_DELETE:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
    									break;
    }
    
@@ -2319,27 +2319,31 @@ cl5DBData2Entry (const char *data, PRUint32 len, CL5Entry *entry)
    	case SLAPI_OPERATION_ADD:		_cl5ReadString (&op->p.p_add.parentuniqueid, &pos);
    		/* richm: need to free parentuniqueid */
    									_cl5ReadString (&rawDN, &pos);
-										op->target_address.dn = rawDN;
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
    									/* convert mods to entry */
    									rc = _cl5ReadMods (&add_mods, &pos);
    									slapi_mods2entry (&(op->p.p_add.target_entry), rawDN, add_mods);
    									ldap_mods_free (add_mods, 1);
    									break;
-		case SLAPI_OPERATION_MODIFY:    _cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODIFY:    _cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
    									rc = _cl5ReadMods (&op->p.p_modify.modify_mods, &pos);
    									break;
-		case SLAPI_OPERATION_MODRDN:	_cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODRDN:	_cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
    									_cl5ReadString (&op->p.p_modrdn.modrdn_newrdn, &pos);
    									op->p.p_modrdn.modrdn_deloldrdn = *pos;	 
    									pos ++;
-										_cl5ReadString (&op->p.p_modrdn.modrdn_newsuperior_address.dn, &pos);
+										_cl5ReadString (&rawDN, &pos);
+										op->p.p_modrdn.modrdn_newsuperior_address.sdn = slapi_sdn_new_dn_passin(rawDN);
    									_cl5ReadString (&op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, &pos);
    									rc = _cl5ReadMods (&op->p.p_modrdn.modrdn_mods, &pos);
    									break;
-		case SLAPI_OPERATION_DELETE:	_cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_DELETE:	_cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
    									rc = CL5_SUCCESS;
    									break;
@@ -4210,7 +4214,7 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
    										"_cl5Operation2LDIF(MODIFY): mods are NULL\n");
    									return CL5_BAD_FORMAT;
    								 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), REPL_GET_DN_LEN(&op->target_address));
    								 l = make_changes_string(op->p.p_modify.modify_mods, NULL);
    								 len += LDIF_SIZE_NEEDED(strlen (T_CHANGESTR), l->ls_len);
    								 break;
@@ -4220,15 +4224,15 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
    										"_cl5Operation2LDIF(MODRDN): mods are NULL\n");
    									return CL5_BAD_FORMAT;
    								 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), REPL_GET_DN_LEN(&op->target_address));
    								 len += LDIF_SIZE_NEEDED(strlen (T_NEWRDNSTR), 
    														 strlen (op->p.p_modrdn.modrdn_newrdn));
    								 strDeleteOldRDN = (op->p.p_modrdn.modrdn_deloldrdn ? "true" : "false");
    								 len += LDIF_SIZE_NEEDED(strlen (T_DRDNFLAGSTR),
    														 strlen (strDeleteOldRDN));
-									 if (op->p.p_modrdn.modrdn_newsuperior_address.dn)
+									 if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
    									len += LDIF_SIZE_NEEDED(strlen (T_NEWSUPERIORDNSTR),
-													strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn));
+													REPL_GET_DN_LEN(&op->p.p_modrdn.modrdn_newsuperior_address));
    								 if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)
    									len += LDIF_SIZE_NEEDED(strlen (T_NEWSUPERIORIDSTR),
    												strlen (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid));
@@ -4236,12 +4240,12 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
    								 len += LDIF_SIZE_NEEDED(strlen (T_CHANGESTR), l->ls_len);
    								 break;
-		case SLAPI_OPERATION_DELETE: if (NULL == op->target_address.dn) {
+		case SLAPI_OPERATION_DELETE: if (NULL == REPL_GET_DN(&op->target_address)) {
    									slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, 
    										"_cl5Operation2LDIF(DELETE): target dn is NULL\n");
    									return CL5_BAD_FORMAT;
    								 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), REPL_GET_DN_LEN(&op->target_address));
    								 break;	
    	
    	default:					 slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, 
@@ -4277,21 +4281,21 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
    									slapi_ch_free ((void**)&rawDN);
    									break;
-		case SLAPI_OPERATION_MODIFY:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-																strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_MODIFY:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+																REPL_GET_DN_LEN(&op->target_address), 0);
    									slapi_ldif_put_type_and_value_with_options(&buff, T_CHANGESTR, l->ls_buf, l->ls_len, 0);
    									break;
-		case SLAPI_OPERATION_MODRDN:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-																strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_MODRDN:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+																REPL_GET_DN_LEN(&op->target_address), 0);
    									slapi_ldif_put_type_and_value_with_options(&buff, T_NEWRDNSTR, op->p.p_modrdn.modrdn_newrdn,
    					  										strlen (op->p.p_modrdn.modrdn_newrdn), 0);
    									slapi_ldif_put_type_and_value_with_options(&buff, T_DRDNFLAGSTR, strDeleteOldRDN, 
    															strlen (strDeleteOldRDN), 0);
-										if (op->p.p_modrdn.modrdn_newsuperior_address.dn)							
+										if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
    										slapi_ldif_put_type_and_value_with_options(&buff, T_NEWSUPERIORDNSTR, 
-																op->p.p_modrdn.modrdn_newsuperior_address.dn, 
-																strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn), 0);
+																REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
+																REPL_GET_DN_LEN(&op->p.p_modrdn.modrdn_newsuperior_address), 0);
    									if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)							
    										slapi_ldif_put_type_and_value_with_options(&buff, T_NEWSUPERIORIDSTR, 
    															op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, 
@@ -4299,8 +4303,8 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
    									slapi_ldif_put_type_and_value_with_options(&buff, T_CHANGESTR, l->ls_buf, l->ls_len, 0);
    									break;
-		case SLAPI_OPERATION_DELETE:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-										strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_DELETE:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+										REPL_GET_DN_LEN(&op->target_address), 0);
    									break;	  
    }
@@ -4377,10 +4381,10 @@ _cl5LDIF2Operation (char *ldifEntry, slapi_operation_parameters *op, char **repl
    		if (op->operation_type == SLAPI_OPERATION_ADD)
    		{
    			rawDN = slapi_ch_strdup (value.bv_val);
-				op->target_address.dn = slapi_ch_strdup(rawDN);
+				op->target_address.sdn = slapi_sdn_new_dn_byval(rawDN);
    		}
    		else
-				op->target_address.dn = slapi_ch_strdup (value.bv_val);
+				op->target_address.sdn = slapi_sdn_new_dn_byval(value.bv_val);
    	}
    	else if (strncasecmp (type.bv_val, T_PARENTIDSTR, type.bv_len) == 0)
    	{
@@ -4396,7 +4400,7 @@ _cl5LDIF2Operation (char *ldifEntry, slapi_operation_parameters *op, char **repl
    	}
    	else if (strncasecmp (type.bv_val, T_NEWSUPERIORDNSTR, type.bv_len) == 0)
    	{
-			op->p.p_modrdn.modrdn_newsuperior_address.dn = slapi_ch_strdup (value.bv_val);
+			op->p.p_modrdn.modrdn_newsuperior_address.sdn = slapi_sdn_new_dn_byval(value.bv_val);
    	}		
    	else if (strncasecmp (type.bv_val, T_NEWSUPERIORIDSTR, type.bv_len) == 0)
    	{
@@ -4507,7 +4511,7 @@ static int _cl5WriteOperationTxn(const char *replName, const char *replGen,
    {
    	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, 
    					"_cl5WriteOperationTxn: failed to get db file for target dn (%s)", 
-						op->target_address.dn);
+						REPL_GET_DN(&op->target_address));
    	return CL5_OBJSET_ERROR;
    }
@@ -4907,7 +4911,7 @@ static int _cl5GetOperation (Object *replica, slapi_operation_parameters *op)
case DB_NOTFOUND:	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, 
    								"_cl5GetOperation: operation for csn (%s) is not found in db that should contain dn (%s)\n",
-									csnStr, op->target_address.dn);
+									csnStr, REPL_GET_DN(&op->target_address));
    						rc = CL5_NOTFOUND;
    						goto done;
@@ -6151,7 +6155,7 @@ static Object* _cl5GetReplica (const slapi_operation_parameters *op, const char*
PR_ASSERT (op && replGen);
-    sdn = slapi_sdn_new_dn_byref(op->target_address.dn);
+    sdn = op->target_address.sdn;
replObj = replica_get_replica_from_dn (sdn);
     if (replObj)
@@ -6169,8 +6173,6 @@ static Object* _cl5GetReplica (const slapi_operation_parameters *op, const char*
slapi_ch_free ((void**)&newGen);
     }
-
-    slapi_sdn_free (&sdn);
return replObj;
 }
diff --git a/ldap/servers/plugins/replication/cl5_test.c b/ldap/servers/plugins/replication/cl5_test.c
index 91cdef2..4bb83a7 100644
--- a/ldap/servers/plugins/replication/cl5_test.c
+++ b/ldap/servers/plugins/replication/cl5_test.c
@@ -838,7 +838,7 @@ static int  populateChangelogOp ()
     pb = slapi_pblock_new ();
     cur_time = time (NULL);
     PR_snprintf (newrdn, sizeof(newrdn), "cn=renamed%s", ctime(&cur_time));
-    slapi_rename_internal_set_pb (pb, dn, newrdn, NULL, 1, NULL, NULL,
+    slapi_rename_internal_set_pb_ext (pb, dn, newrdn, NULL, 1, NULL, NULL,
     					          repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
     slapi_modrdn_internal_pb (pb);
     slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
diff --git a/ldap/servers/plugins/replication/legacy_consumer.c b/ldap/servers/plugins/replication/legacy_consumer.c
index a65c5e6..2440ce7 100644
--- a/ldap/servers/plugins/replication/legacy_consumer.c
+++ b/ldap/servers/plugins/replication/legacy_consumer.c
@@ -96,13 +96,14 @@ Slapi_RWLock *legacy_consumer_config_lock = NULL;
 static PRBool
 target_is_a_replica_root(Slapi_PBlock *pb, const Slapi_DN **root)
 {
-	char *dn;
-	Slapi_DN *sdn;
-	PRBool return_value;
+	Slapi_DN *sdn = NULL;
+	PRBool return_value = PR_FALSE;
    Object *repl_obj;
-	slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	sdn = slapi_sdn_new_dn_byref(dn);
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+	if (NULL == sdn) {
+		return return_value;
+	}
    repl_obj = replica_get_replica_from_dn(sdn);
    if (NULL != repl_obj)
    {
@@ -116,7 +117,6 @@ target_is_a_replica_root(Slapi_PBlock *pb, const Slapi_DN **root)
    	*root = NULL;
    	return_value = PR_FALSE;
    }
-	slapi_sdn_free(&sdn);
    return return_value;
 }
@@ -492,7 +492,7 @@ legacy_consumer_read_config ()
int
-legacy_consumer_is_replicationdn(char *dn)
+legacy_consumer_is_replicationdn(const char *dn)
 {
    int return_value = 0; /* Assume not */
diff --git a/ldap/servers/plugins/replication/repl.h b/ldap/servers/plugins/replication/repl.h
index ca0fe05..433be34 100644
--- a/ldap/servers/plugins/replication/repl.h
+++ b/ldap/servers/plugins/replication/repl.h
@@ -405,7 +405,7 @@ int modrdn2reple( Slapi_Entry *e, char *newrdn, int deloldrdn, LDAPMod **ldm );
/* In legacy_consumer.c */
 void process_legacy_cf(Slapi_PBlock *pb);
-int legacy_consumer_is_replicationdn(char *dn);
+int legacy_consumer_is_replicationdn(const char *dn);
 int legacy_consumer_is_replicationpw(struct berval *creds);
 int legacy_consumer_config_init();
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 79465e4..ac2cd88 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -134,6 +134,9 @@
 #define MAX_NUM_OF_MASTERS		64
 #define REPL_SESSION_ID_SIZE	64
+#define REPL_GET_DN(addrp) slapi_sdn_get_dn((addrp)->sdn)
+#define REPL_GET_DN_LEN(addrp) slapi_sdn_get_ndn_len((addrp)->sdn)
+
 /* Attribute names for replication agreement attributes */
 extern const char *type_nsds5ReplicaHost;
 extern const char *type_nsds5ReplicaPort;
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 61aa9ba..f1f114b 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -1729,8 +1729,7 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
    if (NULL != pb)
    {
    	/* Is the entry within our replicated area? */
-		char *target_dn;
-		Slapi_DN *target_sdn;
+		Slapi_DN *target_sdn = NULL;
    	int change_is_relevant = 0;
PR_ASSERT(NULL != agmt);
@@ -1741,8 +1740,11 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
    		return;
    	}
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &target_dn);
-		target_sdn = slapi_sdn_new_dn_byref(target_dn); /* XXX see if you can avoid allocating this */
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+		if (NULL == target_sdn) {
+			PR_Unlock(agmt->lock);
+			return;
+		}
if (slapi_sdn_issuffix(target_sdn, agmt->replarea))
    	{
@@ -1799,7 +1801,6 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
    		}
    	}
    	PR_Unlock(agmt->lock);
-		slapi_sdn_free(&target_sdn);
    	if (change_is_relevant)
    	{
    		/* Notify the protocol that a change has occurred */
@@ -1856,7 +1857,7 @@ agmt_replica_init_done (const Repl_Agmt *agmt)
    mod.mod_type = (char*)type_nsds5ReplicaInitialize;
     mod.mod_bvalues = NULL;
    
-    slapi_modify_internal_set_pb(pb, slapi_sdn_get_dn (agmt->dn), mods, NULL/* controls */, 
+    slapi_modify_internal_set_pb_ext(pb, agmt->dn, mods, NULL/* controls */, 
           NULL/* uniqueid */, repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0/* flags */);
     slapi_modify_internal_pb (pb);
@@ -1949,7 +1950,7 @@ agmt_update_consumer_ruv (Repl_Agmt *ra)
         mods[1] = (LDAPMod *)slapi_mod_get_ldapmod_byref(&smod_last_modified);
         mods[2] = NULL;
-        slapi_modify_internal_set_pb (pb, (char*)slapi_sdn_get_dn(ra->dn), mods, NULL, NULL, 
+        slapi_modify_internal_set_pb_ext (pb, ra->dn, mods, NULL, NULL, 
                                       repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
         slapi_modify_internal_pb (pb);
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 8cc2cc3..8a98c21 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -184,10 +184,10 @@ agmtlist_add_callback(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *entryAfter,
rc = add_new_agreement(e);
    if (0 != rc) {
-		char *dn;
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+		Slapi_DN *sdn = NULL;
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
    	slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_add_callback: "
-			"Can't start agreement "%s"\n", dn);
+			"Can't start agreement "%s"\n", slapi_sdn_get_dn(sdn));
    	*returncode = LDAP_UNWILLING_TO_PERFORM;
    	return SLAPI_DSE_CALLBACK_ERROR;
    }
@@ -200,7 +200,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
    int *returncode, char *returntext, void *arg)
 {
    int i;
-    char *dn;
    Slapi_DN *sdn = NULL;
    int start_initialize = 0, stop_initialize = 0, cancel_initialize = 0;
     int update_the_schedule = 0;	/* do we need to update the repl sched? */
@@ -224,13 +223,18 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
         goto done;
     }
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	sdn= slapi_sdn_new_dn_byref(dn);
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if (NULL == sdn) {
+        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, 
+                        "agmtlist_modify_callback: NULL target dn\n");
+        goto done;
+    }
    agmt = agmtlist_get_by_agmt_name(sdn);
    if (NULL == agmt)
    {
    	slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: received "
-			"a modification for unknown replication agreement "%s"\n", dn);
+			"a modification for unknown replication agreement "%s"\n", 
+			slapi_sdn_get_dn(sdn));
    	goto done;
    }
@@ -277,7 +281,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
if (strcasecmp (val, "start") == 0)
                 {                        
-			        start_initialize = 1;
+                    start_initialize = 1;
                 }
                 else if (strcasecmp (val, "stop") == 0)
                 {
@@ -528,8 +532,6 @@ done:
    	agmtlist_release_agmt(agmt);
    }
-    if (sdn)
-	    slapi_sdn_free(&sdn);
    return rc;
 }
diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c
index 0e05973..274a069 100644
--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c
@@ -1423,7 +1423,7 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
    	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
    		"%s: replay_update: Sending %s operation (dn="%s" csn=%s)\n",
    		agmt_get_long_name(prp->agmt),
-			op2string(op->operation_type), op->target_address.dn, csn_str);
+			op2string(op->operation_type), REPL_GET_DN(&op->target_address), csn_str);
    	/* What type of operation is it? */
    	switch (op->operation_type)
    	{
@@ -1448,7 +1448,7 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
    			{
    				repl5_strip_fractional_mods(prp->agmt,entryattrs);
    			}
-				return_value = conn_send_add(prp->conn, op->target_address.dn,
+				return_value = conn_send_add(prp->conn, REPL_GET_DN(&op->target_address),
    				entryattrs, update_control, message_id);
    			ldap_mods_free(entryattrs, 1);
    		}
@@ -1460,18 +1460,18 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
    		{
    			repl5_strip_fractional_mods(prp->agmt,op->p.p_modify.modify_mods);
    		}
-			return_value = conn_send_modify(prp->conn, op->target_address.dn,
+			return_value = conn_send_modify(prp->conn, REPL_GET_DN(&op->target_address),
    			op->p.p_modify.modify_mods, update_control, message_id);
    		break;
    	case SLAPI_OPERATION_DELETE:
-			return_value = conn_send_delete(prp->conn, op->target_address.dn,
+			return_value = conn_send_delete(prp->conn, REPL_GET_DN(&op->target_address),
    			update_control, message_id);
    		break;
    	case SLAPI_OPERATION_MODRDN:
    		/* XXXggood need to pass modrdn mods in update control! */
-			return_value = conn_send_rename(prp->conn, op->target_address.dn,
+			return_value = conn_send_rename(prp->conn, REPL_GET_DN(&op->target_address),
    			op->p.p_modrdn.modrdn_newrdn,
-				op->p.p_modrdn.modrdn_newsuperior_address.dn,
+				REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
    			op->p.p_modrdn.modrdn_deloldrdn,
    			update_control, message_id);
    		break;
diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c
index 883c3e6..4e2464c 100644
--- a/ldap/servers/plugins/replication/repl5_init.c
+++ b/ldap/servers/plugins/replication/repl5_init.c
@@ -338,8 +338,8 @@ multimaster_betxnpostop_init( Slapi_PBlock *pb )
    	slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&multimasterbetxnpostopdesc ) != 0 ||
    	slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, (void *) multimaster_betxnpostop_modrdn ) != 0 ||
    	slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, (void *) multimaster_betxnpostop_delete ) != 0 ||
-		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *) multimaster_betxnpostop_modrdn ) != 0 ||
-		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *) multimaster_betxnpostop_delete ) != 0 )
+		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *) multimaster_betxnpostop_add ) != 0 ||
+		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *) multimaster_betxnpostop_modify ) != 0 )
    {
    	slapi_log_error( SLAPI_LOG_PLUGIN, repl_plugin_name, "multimaster_betxnpostop_init failed\n" );
    	rc= -1;
diff --git a/ldap/servers/plugins/replication/repl5_mtnode_ext.c b/ldap/servers/plugins/replication/repl5_mtnode_ext.c
index 3043624..dd0d261 100644
--- a/ldap/servers/plugins/replication/repl5_mtnode_ext.c
+++ b/ldap/servers/plugins/replication/repl5_mtnode_ext.c
@@ -197,20 +197,19 @@ replica_get_replica_from_dn (const Slapi_DN *dn)
Object *replica_get_replica_for_op (Slapi_PBlock *pb)
 {
-    char *dn;
-    Slapi_DN *sdn;
+    Slapi_DN *sdn = NULL;
     Object *repl_obj = NULL;
if (pb)
     {
         /* get replica generation for this operation */
-        slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-        sdn = slapi_sdn_new_dn_byref(dn);
+        slapi_pblock_get (pb, SLAPI_TARGET_SDN, &sdn);
+        if (NULL == sdn) {
+            goto bail;
+        }
         repl_obj = replica_get_replica_from_dn (sdn);
-
-        slapi_sdn_free (&sdn);
     }
-
+bail:
     return repl_obj;
 }
diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index a036b0a..a0d45fb 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1079,7 +1079,7 @@ write_changelog_and_ruv (Slapi_PBlock *pb)
         		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
    				"write_changelog_and_ruv: can't add a change for "
    				"%s (uniqid: %s, optype: %lu) to changelog csn %s\n",
-					op_params->target_address.dn,
+					REPL_GET_DN(&op_params->target_address),
    				op_params->target_address.uniqueid,
    				op_params->operation_type,
    				csn_as_string(op_params->csn, PR_FALSE, csn_str));
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 2a24f3e..acb7d1f 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -1858,13 +1858,14 @@ static char*
 _replica_get_config_dn (const Slapi_DN *root)
 {
     char *dn;
+    /* "cn=mapping tree,cn=config" */
     const char *mp_base = slapi_get_mapping_tree_config_root ();
PR_ASSERT (root);
/* This function converts the old style DN to the new style. */
-    dn = slapi_create_dn_string("%s,cn="%s",%s", 
-                                REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
+    dn = slapi_ch_smprintf("%s,cn="%s",%s", 
+                           REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
     return dn;
 }
@@ -2328,9 +2329,9 @@ replica_write_ruv (Replica *r)
    pb = slapi_pblock_new();
/* replica name never changes so it is ok to reference it outside the lock */
-	slapi_modify_internal_set_pb(
+	slapi_modify_internal_set_pb_ext(
    	pb,
-		slapi_sdn_get_dn(r->repl_root), /* only used to select be */
+		r->repl_root, /* only used to select be */
    	mods,
    	NULL, /* controls */
    	RUV_STORAGE_ENTRY_UNIQUEID,
@@ -3079,11 +3080,11 @@ replica_remove_legacy_attr (const Slapi_DN *repl_root_sdn, const char *attr)
     ctrls[1] = NULL;
/* remove copiedFrom/copyingFrom first */
-    slapi_modify_internal_set_pb (pb, slapi_sdn_get_dn (repl_root_sdn), 
-                                  slapi_mods_get_ldapmods_passout (&smods), ctrls, 
-								  NULL /*uniqueid */, 
-                                  repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION) , 
-                                  0 /* operation_flags */);
+    slapi_modify_internal_set_pb_ext (pb, repl_root_sdn, 
+                                      slapi_mods_get_ldapmods_passout (&smods),
+                                      ctrls, NULL /*uniqueid */, 
+                                      repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION) , 
+                                      0 /* operation_flags */);
slapi_modify_internal_pb (pb);
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
@@ -3120,7 +3121,7 @@ replica_log_ruv_elements_nolock (const Replica *r)
            special target dn */
         memset (&op_params, 0, sizeof (op_params));
         op_params.operation_type = SLAPI_OPERATION_DELETE;
-        op_params.target_address.dn = START_ITERATION_ENTRY_DN;
+        op_params.target_address.sdn = slapi_sdn_new_dn_byval(START_ITERATION_ENTRY_DN);
         op_params.target_address.uniqueid = START_ITERATION_ENTRY_UNIQUEID;
         op_params.csn = csn;
         repl_gen = ruv_get_replica_generation (ruv);
@@ -3132,6 +3133,7 @@ replica_log_ruv_elements_nolock (const Replica *r)
             rc = -1;
slapi_ch_free ((void**)&repl_gen);
+        slapi_sdn_free(&op_params.target_address.sdn);
         csn_free (&csn);
     }
@@ -3221,9 +3223,9 @@ replica_replace_ruv_tombstone(Replica *r)
     mods [2] = NULL;
     pb = slapi_pblock_new();
-    slapi_modify_internal_set_pb(
+    slapi_modify_internal_set_pb_ext(
         pb,
-        (char*)slapi_sdn_get_dn (r->repl_root), /* only used to select be */
+        r->repl_root, /* only used to select be */
         mods,
         NULL, /* controls */
         RUV_STORAGE_ENTRY_UNIQUEID,
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index e31078f..eb23c21 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -871,6 +871,7 @@ replica_task_done(Replica *replica)
 {
     int rc = LDAP_OPERATIONS_ERROR;
     char *replica_dn = NULL;
+    Slapi_DN *replica_sdn = NULL;
     Slapi_PBlock *pb = NULL;
     LDAPMod *mods [2];
     LDAPMod mod;
@@ -878,13 +879,14 @@ replica_task_done(Replica *replica)
         return rc;
     }
     /* dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config */
-    replica_dn = slapi_create_dn_string("%s,cn="%s",%s",
-                                    REPLICA_RDN,
-                                    slapi_sdn_get_dn(replica_get_root(replica)),
-                                    CONFIG_BASE);
+    replica_dn = slapi_ch_smprintf("%s,cn="%s",%s",
+                                   REPLICA_RDN,
+                                   slapi_sdn_get_dn(replica_get_root(replica)),
+                                   CONFIG_BASE);
     if (NULL == replica_dn) {
         return rc;
     }
+	replica_sdn = slapi_sdn_new_dn_passin(replica_dn);
     pb = slapi_pblock_new();
     mods[0] = &mod;
     mods[1] = NULL;
@@ -892,7 +894,7 @@ replica_task_done(Replica *replica)
     mod.mod_type = (char *)TASK_ATTR;
     mod.mod_bvalues = NULL;
-    slapi_modify_internal_set_pb(pb, replica_dn, mods, NULL/* controls */, 
+    slapi_modify_internal_set_pb_ext(pb, replica_sdn, mods, NULL/* controls */, 
                       NULL/* uniqueid */, 
                       repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION),
                       0/* flags */);
@@ -908,7 +910,7 @@ replica_task_done(Replica *replica)
     }
slapi_pblock_destroy (pb);
-    slapi_ch_free_string(&replica_dn);
+    slapi_sdn_free(&replica_sdn);
return rc;
 }
diff --git a/ldap/servers/plugins/replication/repl5_updatedn_list.c b/ldap/servers/plugins/replication/repl5_updatedn_list.c
index 8cdb8d5..e8ab027 100644
--- a/ldap/servers/plugins/replication/repl5_updatedn_list.c
+++ b/ldap/servers/plugins/replication/repl5_updatedn_list.c
@@ -208,7 +208,7 @@ static int
 convert_to_string(Slapi_DN *dn, void *arg)
 {
    struct list_to_string_data *data = (struct list_to_string_data *)arg;
-	int newlen = strlen(slapi_sdn_get_dn(dn)) + strlen(data->delimiter) + 1;
+	int newlen = slapi_sdn_get_ndn_len(dn) + strlen(data->delimiter) + 1;
    if (data->string) {
    	newlen += strlen(data->string);
    	data->string = slapi_ch_realloc(data->string, newlen);
diff --git a/ldap/servers/plugins/replication/repl_bind.c b/ldap/servers/plugins/replication/repl_bind.c
index a7eb78c..dbc77a6 100644
--- a/ldap/servers/plugins/replication/repl_bind.c
+++ b/ldap/servers/plugins/replication/repl_bind.c
@@ -51,13 +51,15 @@ int
 legacy_preop_bind( Slapi_PBlock *pb )
 {
     int return_value = 0;
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
    struct berval *cred = NULL;
    int method;
slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
-	slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
+	slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
    slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);
+	dn = slapi_sdn_get_dn(sdn);
if (LDAP_AUTH_SIMPLE == method)
    {
diff --git a/ldap/servers/plugins/replication/repl_compare.c b/ldap/servers/plugins/replication/repl_compare.c
index acb0d69..3e1878d 100644
--- a/ldap/servers/plugins/replication/repl_compare.c
+++ b/ldap/servers/plugins/replication/repl_compare.c
@@ -48,16 +48,20 @@ int
 legacy_preop_compare( Slapi_PBlock *pb )
 {
    int is_replicated_operation = 0;
-	char *compare_base = NULL;
    struct berval **referral = NULL;
    int return_code = 0;
-	Slapi_DN *basesdn;
+	Slapi_DN *basesdn = NULL;
slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
-	slapi_pblock_get(pb, SLAPI_COMPARE_TARGET, &compare_base);
-	basesdn= slapi_sdn_new_dn_byref(compare_base);
-    referral = get_data_source(pb, basesdn, 1, NULL);
-	slapi_sdn_free(&basesdn);
+	slapi_pblock_get(pb, SLAPI_COMPARE_TARGET_SDN, &basesdn);
+	if (NULL == basesdn) {
+		slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+				               "Null target DN", 0, NULL );
+
+		return_code = 1;	/* return 1 to prevent further search processing */
+		goto bail;
+	}
+	referral = get_data_source(pb, basesdn, 1, NULL);
    if (NULL != referral && !is_replicated_operation)
    {
    	/*
@@ -68,5 +72,6 @@ legacy_preop_compare( Slapi_PBlock *pb )
    	return_code = 1;	/* return 1 to prevent further search processing */
    }
    slapi_ch_free((void**)&referral);
+bail:
    return return_code;
 }
diff --git a/ldap/servers/plugins/replication/repl_connext.c b/ldap/servers/plugins/replication/repl_connext.c
index 0b46c5e..2969b15 100644
--- a/ldap/servers/plugins/replication/repl_connext.c
+++ b/ldap/servers/plugins/replication/repl_connext.c
@@ -97,7 +97,7 @@ void consumer_connection_extension_destructor (void *ext, void *object, void *pa
    			if (NULL != repl_root_sdn)
    			{
    				slapi_pblock_set(pb, SLAPI_CONNECTION, connext->connection);
-					slapi_pblock_set(pb, SLAPI_TARGET_DN, (void*)slapi_sdn_get_dn(repl_root_sdn));
+					slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*)repl_root_sdn);
    				slapi_pblock_get(pb, SLAPI_CONN_ID, &connid);
    				slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
    								"Aborting total update in progress for replicated "
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index ffbf2a9..2ff3627 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -947,7 +947,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb)
    	 * But what do we do if mapping tree could not be updated ? */
/* start the bulk import */
-        slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root);
+        slapi_pblock_set (pb, SLAPI_TARGET_SDN, repl_root_sdn);
         rc = slapi_start_bulk_import (pb);
         if (rc != LDAP_SUCCESS)
         {
@@ -1090,10 +1090,8 @@ send_response:
    slapi_ch_free((void **)&replicacsnstr);
/* repl_root_sdn */
-	if (NULL != repl_root_sdn)
-	{
-		slapi_sdn_free(&repl_root_sdn);
-	}
+	slapi_sdn_free(&repl_root_sdn);
+
    if (NSDS50_REPL_REPLICA_READY != response)
    {
    	/*
@@ -1163,6 +1161,7 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
 {
    int return_value = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
    char *repl_root = NULL;
+	Slapi_DN *repl_root_sdn = NULL;
    BerElement *resp_bere = NULL;
    struct berval *resp_bval = NULL;
    ber_int_t response;
@@ -1208,8 +1207,16 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
    			   enabled again */
    			replica_set_state_flag(r, REPLICA_TOTAL_IN_PROGRESS, PR_TRUE /* clear  flag */);
-                slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root);
-				slapi_stop_bulk_import (pb); 
+                /* slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root); */
+                /* Verify that repl_root names a valid replicated area */
+                if ((repl_root_sdn = slapi_sdn_new_dn_byref(repl_root)) == NULL)
+                {
+                    response = NSDS50_REPL_INTERNAL_ERROR;
+                    goto send_response;
+                }
+                slapi_pblock_set (pb, SLAPI_TARGET_SDN, repl_root_sdn);
+
+                slapi_stop_bulk_import (pb);
/* ONREPL - this is a bit of a hack. Once bulk import is finished,
                    the replication function that responds to backend state change 
@@ -1273,7 +1280,7 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
    		goto free_and_return; 
    	}
    }
-
+send_response:
    /* Send the response code */
    if ((resp_bere = der_alloc()) == NULL)
    {
@@ -1291,6 +1298,8 @@ free_and_return:
    /* repl_root */
    slapi_ch_free((void **)&repl_root);
+	slapi_sdn_free(&repl_root_sdn);
+
    /* BerElement */
    if (NULL != resp_bere)
    {
diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c
index b828a2a..3eec20a 100644
--- a/ldap/servers/plugins/replication/replutil.c
+++ b/ldap/servers/plugins/replication/replutil.c
@@ -523,7 +523,7 @@ IsValidOperation (const slapi_operation_parameters *op)
         return PR_FALSE;
     }
-    if (op->target_address.dn == NULL)
+    if (op->target_address.sdn == NULL)
     {
         slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, 
    					"IsValidOperation: NULL entry DN\n");
@@ -1007,7 +1007,7 @@ repl_enable_chain_on_update(Slapi_DN *suffix)
     slapi_mods smods;
    int operation_result;
    Slapi_PBlock *pb= slapi_pblock_new();
-	char *mtnnodedn;
+	Slapi_DN *mtnnodesdn;
slapi_mods_init(&smods,2);
@@ -1016,10 +1016,10 @@ repl_enable_chain_on_update(Slapi_DN *suffix)
    slapi_mods_add_string(&smods, LDAP_MOD_ADD, "nsslapd-distribution-funct", "repl_chain_on_update");
/* need DN of mapping tree node here */
-	mtnnodedn = slapi_get_mapping_tree_node_configdn(suffix);
-	slapi_modify_internal_set_pb(
+	mtnnodesdn = slapi_get_mapping_tree_node_configsdn(suffix);
+	slapi_modify_internal_set_pb_ext(
    	pb,
-		mtnnodedn,
+		mtnnodesdn,
    	slapi_mods_get_ldapmods_byref(&smods), /* JCM cast */
    	NULL, /*Controls*/
    	NULL, /*uniqueid*/
@@ -1028,7 +1028,7 @@ repl_enable_chain_on_update(Slapi_DN *suffix)
slapi_modify_internal_pb(pb); 
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &operation_result);
-	slapi_ch_free_string(&mtnnodedn);
+	slapi_sdn_free(&mtnnodesdn);
    slapi_pblock_destroy(pb);
    switch(operation_result)
    {
@@ -1051,7 +1051,7 @@ repl_disable_chain_on_update(Slapi_DN *suffix)
     slapi_mods smods;
    int operation_result;
    Slapi_PBlock *pb= slapi_pblock_new();
-	char *mtnnodedn;
+	Slapi_DN *mtnnodesdn;
slapi_mods_init(&smods,2);
@@ -1059,10 +1059,10 @@ repl_disable_chain_on_update(Slapi_DN *suffix)
    slapi_mods_add_modbvps(&smods, LDAP_MOD_DELETE, "nsslapd-distribution-funct", NULL);
/* need DN of mapping tree node here */
-	mtnnodedn = slapi_get_mapping_tree_node_configdn(suffix);
-	slapi_modify_internal_set_pb(
+	mtnnodesdn = slapi_get_mapping_tree_node_configsdn(suffix);
+	slapi_modify_internal_set_pb_ext(
    	pb,
-		mtnnodedn,
+		mtnnodesdn,
    	slapi_mods_get_ldapmods_byref(&smods), /* JCM cast */
    	NULL, /*Controls*/
    	NULL, /*uniqueid*/
@@ -1071,7 +1071,7 @@ repl_disable_chain_on_update(Slapi_DN *suffix)
slapi_modify_internal_pb(pb); 
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &operation_result);
-	slapi_ch_free_string(&mtnnodedn);
+	slapi_sdn_free(&mtnnodesdn);
    slapi_pblock_destroy(pb);
    switch(operation_result)
    {
diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
index 9410423..1328996 100644
--- a/ldap/servers/plugins/replication/urp.c
+++ b/ldap/servers/plugins/replication/urp.c
@@ -55,11 +55,10 @@ extern int slapi_log_urp;
 static int urp_add_resolve_parententry (Slapi_PBlock *pb, char *sessionid, Slapi_Entry *entry, Slapi_Entry *parententry, CSN *opcsn);
 static int urp_annotate_dn (char *sessionid, Slapi_Entry *entry, CSN *opcsn, const char *optype);
 static int urp_naming_conflict_removal (Slapi_PBlock *pb, char *sessionid, CSN *opcsn, const char *optype);
-static int mod_namingconflict_attr (const char *uniqueid, const char*entrydn, const char *conflictdn, CSN *opcsn);
+static int mod_namingconflict_attr (const char *uniqueid, const Slapi_DN *entrysdn, const Slapi_DN *conflictsdn, CSN *opcsn);
 static int del_replconflict_attr (Slapi_Entry *entry, CSN *opcsn, int opflags);
 static char *get_dn_plus_uniqueid(char *sessionid,const char *olddn,const char *uniqueid);
 static char *get_rdn_plus_uniqueid(char *sessionid,const char *olddn,const char *uniqueid);
-static void set_pblock_dn (Slapi_PBlock* pb,int pblock_parameter,char *newdn);
 static int is_suffix_entry (Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_DN **parenddn);
/*
@@ -122,7 +121,8 @@ urp_add_operation( Slapi_PBlock *pb )
    char sessionid[REPL_SESSION_ID_SIZE];
    int r;
    int op_result= 0;
-    int rc= 0; /* OK */
+	int rc= 0; /* OK */
+	Slapi_DN *sdn = NULL;
if ( slapi_op_abandoned(pb) )
    {
@@ -206,8 +206,14 @@ urp_add_operation( Slapi_PBlock *pb )
    			 */
    			slapi_value_set_string (*vals, buf);
    		}
-			slapi_entry_set_dn (addentry,slapi_ch_strdup(newdn));
-			set_pblock_dn(pb,SLAPI_ADD_TARGET,newdn); /* consumes newdn */
+			/* slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn); */
+			slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+			slapi_sdn_free(&sdn);
+
+			slapi_entry_set_normdn(addentry, newdn); /* dn: passin */
+
+			sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(addentry));
+			slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, sdn);
rdn = slapi_rdn_new_sdn ( slapi_entry_get_sdn_const(addentry) );
    		slapi_log_error (slapi_log_urp, sessionid,
@@ -265,7 +271,6 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    Slapi_Entry *parent_entry;
     Slapi_Entry *new_parent_entry;
    Slapi_DN *newsuperior = NULL;
-	char *newsuperiordn;
    Slapi_DN *parentdn = NULL;
    Slapi_Entry *target_entry;
     Slapi_Entry *existing_entry;
@@ -273,8 +278,8 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    CSN *opcsn= NULL;
    char *op_uniqueid = NULL;
    const char *existing_uniqueid = NULL;
-	const char *target_dn;
-	const char *existing_dn;
+	const Slapi_DN *target_sdn;
+	const Slapi_DN *existing_sdn;
    char *newrdn;
    char sessionid[REPL_SESSION_ID_SIZE];
    int r;
@@ -314,12 +319,12 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    }
/* The DN CSN is older than the Operation CSN. Apply the operation */
-	target_dn = slapi_entry_get_dn_const ( target_entry);
+	target_sdn = slapi_entry_get_sdn_const (target_entry);
    slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
    slapi_pblock_get(pb, SLAPI_TARGET_UNIQUEID, &op_uniqueid);
    	slapi_pblock_get(pb, SLAPI_MODRDN_PARENT_ENTRY, &parent_entry);
    	slapi_pblock_get(pb, SLAPI_MODRDN_NEWPARENT_ENTRY, &new_parent_entry);
-	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn);
+	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior);
if ( is_tombstone_entry (target_entry) )
    {
@@ -366,7 +371,7 @@ urp_modrdn_operation( Slapi_PBlock *pb )
         */
existing_uniqueid = slapi_entry_get_uniqueid (existing_entry);
-		existing_dn = slapi_entry_get_dn_const ( existing_entry);
+		existing_sdn = slapi_entry_get_sdn_const ( existing_entry);
/*
    	 * Dismiss the operation if the existing entry is the same as the target one.
@@ -412,8 +417,8 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    							  Unique ID already in RDN - Change to Lost and Found entry */
    			goto bailout;
    		}
-			mod_namingconflict_attr (op_uniqueid, target_dn, existing_dn, opcsn);
-			set_pblock_dn (pb, SLAPI_MODRDN_NEWRDN, newrdn_with_uniqueid); 
+			mod_namingconflict_attr (op_uniqueid, target_sdn, existing_sdn, opcsn);
+			slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, newrdn_with_uniqueid); 
    		slapi_log_error(slapi_log_urp, sessionid,
    				"Naming conflict MODRDN. Rename target entry to %s\n",
    				newrdn_with_uniqueid );
@@ -474,12 +479,12 @@ urp_modrdn_operation( Slapi_PBlock *pb )
/* The new superior entry doesn't exist */
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn);
-		if(newsuperiordn == NULL)
+		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior);
+		if(newsuperior == NULL)
    	{
    		/* (new_parent_entry==NULL && newsuperiordn==NULL)
    		 * This is ok - SLAPI_MODRDN_NEWPARENT_ENTRY will
-			 * only be set if SLAPI_MODRDN_NEWSUPERIOR was
+			 * only be set if SLAPI_MODRDN_NEWSUPERIOR_SDN was
    		 * suplied by the client. If it wasn't, we're just
    		 * changing the RDN of the entry. In that case,
    		 * if the entry exists, its parent won't change
@@ -491,10 +496,9 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    		goto bailout;
    	}
-		newsuperior= slapi_sdn_new_dn_byval(newsuperiordn);
-
-		if((0 == slapi_sdn_compare (slapi_entry_get_sdn(parent_entry), newsuperior)) || 
-				is_suffix_dn (pb, newsuperior, &parentdn) )
+		if((0 == slapi_sdn_compare(slapi_entry_get_sdn(parent_entry),
+		                           newsuperior)) || 
+		   is_suffix_dn (pb, newsuperior, &parentdn) )
    	{
    		/*
    		 * The new superior is the same as the current one, or
@@ -521,7 +525,8 @@ urp_modrdn_operation( Slapi_PBlock *pb )
    		 * admin intercession
    		 */
    		slapi_log_error( SLAPI_LOG_FATAL, sessionid,
-				 "Parent %s couldn't be found, nor recreated as a glue entry\n", newsuperiordn );
+				 "Parent %s couldn't be found, nor recreated as a glue entry\n",
+				 slapi_sdn_get_dn(newsuperior) );
    		op_result= LDAP_OPERATIONS_ERROR;
    		slapi_pblock_set(pb, SLAPI_RESULT_CODE, &op_result);
    		rc = -1;
@@ -542,8 +547,6 @@ bailout:
    }
    if ( parentdn )
    	slapi_sdn_free(&parentdn);
-	if ( newsuperior )
-		slapi_sdn_free(&newsuperior);
     return rc;
 }
@@ -761,9 +764,9 @@ urp_fixup_rename_entry (Slapi_Entry *entry, const char *newrdn, int opflags)
     * Must mark this operation as replicated,
     * so that the frontend doesn't add extra attributes.
     */
-	slapi_rename_internal_set_pb (
+	slapi_rename_internal_set_pb_ext (
    				newpb,
-					slapi_entry_get_dn_const (entry),
+					slapi_entry_get_sdn_const (entry),
    				newrdn, /*NewRDN*/
    				NULL, /*NewSuperior*/
    				0, /* !Delete Old RDNS */
@@ -815,7 +818,7 @@ urp_fixup_delete_entry (const char *uniqueid, const char *dn, CSN *opcsn, int op
 }
int
-urp_fixup_modify_entry (const char *uniqueid, const char *dn, CSN *opcsn, Slapi_Mods *smods, int opflags)
+urp_fixup_modify_entry (const char *uniqueid, const Slapi_DN *sdn, CSN *opcsn, Slapi_Mods *smods, int opflags)
 {
    Slapi_PBlock *newpb;
    Slapi_Operation *op;
@@ -823,9 +826,9 @@ urp_fixup_modify_entry (const char *uniqueid, const char *dn, CSN *opcsn, Slapi_
newpb = slapi_pblock_new();
    		
-	slapi_modify_internal_set_pb (
+	slapi_modify_internal_set_pb_ext (
    		newpb,
-			dn,
+			sdn,
    		slapi_mods_get_ldapmods_byref (smods),
    		NULL, /* Controls */
    		uniqueid,
@@ -852,6 +855,7 @@ urp_add_resolve_parententry (Slapi_PBlock *pb, char *sessionid, Slapi_Entry *ent
    char *newdn = NULL;
    int ldap_rc;
    int rc = 0;
+	Slapi_DN *sdn = NULL;
if( is_suffix_entry (pb, entry, &parentdn) )
    {
@@ -928,8 +932,15 @@ urp_add_resolve_parententry (Slapi_PBlock *pb, char *sessionid, Slapi_Entry *ent
     */
    add_rdn = slapi_rdn_new_dn(slapi_entry_get_dn_const (entry));
    newdn = slapi_dn_plus_rdn(slapi_entry_get_dn_const (parententry), slapi_rdn_get_rdn(add_rdn));
-	slapi_entry_set_dn ( entry,slapi_ch_strdup(newdn));
-	set_pblock_dn (pb,SLAPI_ADD_TARGET,newdn); /* consumes newdn */
+	slapi_entry_set_normdn ( entry, newdn );
+
+	/* slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn); */
+	slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
+
+	sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(entry));
+	slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, sdn);
+
    slapi_log_error ( slapi_log_urp, sessionid,
    		"Parent was renamed. Renamed the child to %s\n", newdn );
    rc= slapi_setbit_int(rc,SLAPI_RTN_BIT_FETCH_EXISTING_DN_ENTRY);
@@ -957,15 +968,17 @@ urp_annotate_dn (char *sessionid, Slapi_Entry *entry, CSN *opcsn, const char *op
    int op_result;
    char *newrdn;
    const char *uniqueid;
+	const Slapi_DN *basesdn;
    const char *basedn;
    char ebuf[BUFSIZ];
uniqueid = slapi_entry_get_uniqueid (entry);
-	basedn = slapi_entry_get_ndn (entry);
+	basesdn = slapi_entry_get_sdn_const (entry);
+	basedn = slapi_entry_get_dn_const (entry);
    newrdn = get_rdn_plus_uniqueid ( sessionid, basedn, uniqueid );
    if(newrdn!=NULL)
    {
-		mod_namingconflict_attr (uniqueid, basedn, basedn, opcsn);
+		mod_namingconflict_attr (uniqueid, basesdn, basesdn, opcsn);
    	op_result = urp_fixup_rename_entry ( entry, newrdn, 0 );
    	switch(op_result)
    	{
@@ -1094,7 +1107,7 @@ urp_get_min_naming_conflict_entry ( Slapi_PBlock *pb, char *sessionid, CSN *opcs
    }
done:
-	slapi_ch_free((void **)&parent_dn);
+	slapi_ch_free_string(&parent_dn);
    if (filter) {
    	PR_smprintf_free(filter);
    }
@@ -1240,15 +1253,6 @@ get_rdn_plus_uniqueid(char *sessionid, const char *olddn, const char *uniqueid)
    return newrdn;
 }
-static void
-set_pblock_dn (Slapi_PBlock* pb,int pblock_parameter,char *newdn)
-{
-	char *olddn;
-	slapi_pblock_get( pb, pblock_parameter, &olddn );
-	slapi_ch_free((void**)&olddn);
-	slapi_pblock_set( pb, pblock_parameter, newdn );
-}
-
 static int
 is_suffix_entry ( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_DN **parentdn )
 {
@@ -1272,15 +1276,18 @@ is_suffix_dn ( Slapi_PBlock *pb, const Slapi_DN *dn, Slapi_DN **parentdn )
 }
static int
-mod_namingconflict_attr (const char *uniqueid, const char *entrydn, const char *conflictdn, CSN *opcsn)
+mod_namingconflict_attr (const char *uniqueid, const Slapi_DN *entrysdn,
+                         const Slapi_DN *conflictsdn, CSN *opcsn)
 {
    Slapi_Mods smods;
    char buf[BUFSIZ];
    int op_result;
-	PR_snprintf (buf, sizeof(buf), "%s %s", REASON_ANNOTATE_DN, conflictdn);
+	PR_snprintf (buf, sizeof(buf), "%s %s",
+	             REASON_ANNOTATE_DN, slapi_sdn_get_dn(conflictsdn));
    slapi_mods_init (&smods, 2);
-	if ( strncmp (entrydn, SLAPI_ATTR_UNIQUEID, strlen(SLAPI_ATTR_UNIQUEID)) != 0 )
+	if ( strncmp (slapi_sdn_get_dn(entrysdn), SLAPI_ATTR_UNIQUEID,
+	     strlen(SLAPI_ATTR_UNIQUEID)) != 0 )
    {
    	slapi_mods_add (&smods, LDAP_MOD_ADD, ATTR_NSDS5_REPLCONFLICT, strlen(buf), buf);
    }
@@ -1293,7 +1300,7 @@ mod_namingconflict_attr (const char *uniqueid, const char *entrydn, const char *
    	 */
    	slapi_mods_add (&smods, LDAP_MOD_REPLACE, ATTR_NSDS5_REPLCONFLICT, strlen(buf), buf);
    }
-	op_result = urp_fixup_modify_entry (uniqueid, entrydn, opcsn, &smods, 0);
+	op_result = urp_fixup_modify_entry (uniqueid, entrysdn, opcsn, &smods, 0);
    slapi_mods_done (&smods);
    return op_result;
 }
@@ -1308,13 +1315,13 @@ del_replconflict_attr (Slapi_Entry *entry, CSN *opcsn, int opflags)
    {
    	Slapi_Mods smods;
    	const char *uniqueid;
-		const char *entrydn;
+		const Slapi_DN *entrysdn;
uniqueid = slapi_entry_get_uniqueid (entry);
-		entrydn = slapi_entry_get_dn_const (entry);
+		entrysdn = slapi_entry_get_sdn_const (entry);
    	slapi_mods_init (&smods, 2);
    	slapi_mods_add (&smods, LDAP_MOD_DELETE, ATTR_NSDS5_REPLCONFLICT, 0, NULL);
-		op_result = urp_fixup_modify_entry (uniqueid, entrydn, opcsn, &smods, opflags);
+		op_result = urp_fixup_modify_entry (uniqueid, entrysdn, opcsn, &smods, opflags);
    	slapi_mods_done (&smods);
    }
    return op_result;
diff --git a/ldap/servers/plugins/replication/urp.h b/ldap/servers/plugins/replication/urp.h
index ff4d51a..2ca7ad2 100644
--- a/ldap/servers/plugins/replication/urp.h
+++ b/ldap/servers/plugins/replication/urp.h
@@ -60,7 +60,7 @@ int urp_post_modrdn_operation( Slapi_PBlock *pb );
 int urp_fixup_add_entry (Slapi_Entry *e, const char *target_uniqueid, const char *parentuniqueid, CSN *opcsn, int opflags);
 int urp_fixup_delete_entry (const char *uniqueid, const char *dn, CSN *opcsn, int opflags);
 int urp_fixup_rename_entry (Slapi_Entry *entry, const char *newrdn, int opflags);
-int urp_fixup_modify_entry (const char *uniqueid, const char *dn, CSN *opcsn, Slapi_Mods *smods, int opflags);
+int urp_fixup_modify_entry (const char *uniqueid, const Slapi_DN *sdn, CSN *opcsn, Slapi_Mods *smods, int opflags);
int is_suffix_dn (Slapi_PBlock *pb, const Slapi_DN *dn, Slapi_DN **parenddn);
diff --git a/ldap/servers/plugins/replication/urp_glue.c b/ldap/servers/plugins/replication/urp_glue.c
index 15b29d4..e51712c 100644
--- a/ldap/servers/plugins/replication/urp_glue.c
+++ b/ldap/servers/plugins/replication/urp_glue.c
@@ -96,11 +96,13 @@ entry_to_glue(char *sessionid, const Slapi_Entry* entry, const char *reason, CSN
 {
    int op_result = 0;
    const char *dn;
+	const Slapi_DN *sdn;
    char ebuf[BUFSIZ];
     slapi_mods smods;
    Slapi_Attr *attr;
dn = slapi_entry_get_dn_const (entry);
+	sdn = slapi_entry_get_sdn_const (entry);
    slapi_mods_init(&smods, 4);
    /*
      richm: sometimes the entry is already a glue entry (how did that happen?)
@@ -133,7 +135,7 @@ entry_to_glue(char *sessionid, const Slapi_Entry* entry, const char *reason, CSN
if (slapi_mods_get_num_mods(&smods) > 0)
    {
-		op_result = urp_fixup_modify_entry (NULL, dn, opcsn, &smods, 0);
+		op_result = urp_fixup_modify_entry (NULL, sdn, opcsn, &smods, 0);
    	if (op_result == LDAP_SUCCESS)
    	{
    		slapi_log_error (slapi_log_urp, repl_plugin_name,
diff --git a/ldap/servers/plugins/replication/urp_tombstone.c b/ldap/servers/plugins/replication/urp_tombstone.c
index e183cb1..6dd9a2a 100644
--- a/ldap/servers/plugins/replication/urp_tombstone.c
+++ b/ldap/servers/plugins/replication/urp_tombstone.c
@@ -181,7 +181,7 @@ tombstone_to_glue (
     */
    addingentry = slapi_entry_dup(tombstoneentry);
    addingdn = slapi_sdn_get_dn(tombstonedn);
-	slapi_entry_set_dn(addingentry,slapi_ch_strdup(addingdn)); /* consumes DN */
+	slapi_entry_set_sdn(addingentry, tombstonedn);
if (!slapi_entry_attr_hasvalue(addingentry, ATTR_NSDS5_REPLCONFLICT, reason))
    {
@@ -227,7 +227,9 @@ entry_to_tombstone ( Slapi_PBlock *pb, Slapi_Entry *entry )
     */
    slapi_mods_add ( &smods, LDAP_MOD_DELETE, ATTR_NSDS5_REPLCONFLICT, 0, NULL );
-	op_result = urp_fixup_modify_entry (uniqueid, slapi_entry_get_dn_const (entry), opcsn, &smods, 0);
+	op_result = urp_fixup_modify_entry (uniqueid, 
+	                                    slapi_entry_get_sdn_const (entry),
+	                                    opcsn, &smods, 0);
    slapi_mods_done ( &smods );
/*
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index 9205393..f2bda92 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -552,7 +552,7 @@ windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonl
    	slapi_entry_free(e);
    	return NULL;
    }
-	slapi_entry_set_dn( rawentry, slapi_ch_strdup(slapi_entry_get_dn(e)) );
+	slapi_entry_set_sdn( rawentry, slapi_entry_get_sdn(e) );
for ( a = ldap_first_attribute( ld, msg, &ber ); a!=NULL; a=ldap_next_attribute( ld, msg, ber ) ) 
    {
diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c
index f36814b..6c19e4a 100644
--- a/ldap/servers/plugins/replication/windows_private.c
+++ b/ldap/servers/plugins/replication/windows_private.c
@@ -772,7 +772,6 @@ windows_private_save_dirsync_cookie(const Repl_Agmt *ra)
 {
    Dirsync_Private *dp = NULL;
     Slapi_PBlock *pb = NULL;
-    const char* dn = NULL;
    Slapi_DN* sdn = NULL;
    int rc = 0;
    Slapi_Mods *mods = NULL;
@@ -788,12 +787,12 @@ windows_private_save_dirsync_cookie(const Repl_Agmt *ra)
pb = slapi_pblock_new ();
-	mods = windows_private_get_cookie_mod(dp, LDAP_MOD_REPLACE);
-   	sdn = slapi_sdn_dup( agmt_get_dn_byref(ra) );
-	dn = slapi_sdn_get_dn(sdn);
+    mods = windows_private_get_cookie_mod(dp, LDAP_MOD_REPLACE);
+    sdn = slapi_sdn_dup( agmt_get_dn_byref(ra) );
-    slapi_modify_internal_set_pb (pb, dn, slapi_mods_get_ldapmods_byref(mods), NULL, NULL, 
-                                  repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
+    slapi_modify_internal_set_pb_ext (pb, sdn, 
+            slapi_mods_get_ldapmods_byref(mods), NULL, NULL, 
+            repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
     slapi_modify_internal_pb (pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
@@ -802,8 +801,9 @@ windows_private_save_dirsync_cookie(const Repl_Agmt *ra)
     {	/* try again, but as an add instead */
    	slapi_mods_free(&mods);
    	mods = windows_private_get_cookie_mod(dp, LDAP_MOD_ADD);
-		slapi_modify_internal_set_pb (pb, dn, slapi_mods_get_ldapmods_byref(mods), NULL, NULL, 
-                                      repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
+		slapi_modify_internal_set_pb_ext (pb, sdn,
+		        slapi_mods_get_ldapmods_byref(mods), NULL, NULL, 
+		        repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
    	slapi_modify_internal_pb (pb);
    
    	slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 771475b..eb7fd00 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1296,8 +1296,9 @@ process_replay_rename(Private_Repl_Protocol *prp,
    				remote_subtree?remote_subtree:"empty");
    	goto bail;
    }
+	/* newparent is already normzlized; just ignore the case */
    norm_newparent = slapi_ch_strdup(newparent);
-	slapi_dn_normalize_case(norm_newparent);
+	slapi_dn_ignore_case(norm_newparent);
    p = strstr(norm_newparent, local_subtree);
    if (NULL == p) {
    	slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
@@ -1389,7 +1390,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    	
    LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_replay_update\n", 0, 0, 0 );
-	local_dn = slapi_sdn_new_dn_byref( op->target_address.dn );
+	local_dn = slapi_sdn_dup( op->target_address.sdn );
/* Since we have the target uniqueid in the op structure, let's
     * fetch the local entry here using it. We do not want to search
@@ -1415,7 +1416,8 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    				"%s: windows_replay_update: failed to fetch local entry "
    				"for %s operation dn="%s"\n",
    				agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn);
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address));
    			goto error;
    		}
    		op->operation_type = SLAPI_OPERATION_DELETE;
@@ -1427,12 +1429,14 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    			slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
    				"%s: windows_replay_update: failed to fetch local entry for %s operation dn="%s"\n",
    				agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn);
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address));
    		} else {
    			slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
    				"%s: windows_replay_update: Looking at %s operation local dn="%s" (%s)\n",
    				agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn, "ours");
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address), "ours");
    		}
    		/* Just bail on this change.  We don't want to do any
    		 * further checks since we don't have a local entry. */
@@ -1450,7 +1454,8 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
    	"%s: windows_replay_update: Looking at %s operation local dn="%s" (%s,%s,%s)\n",
    	agmt_get_long_name(prp->agmt),
-		op2string(op->operation_type), op->target_address.dn, is_ours ? "ours" : "not ours", 
+		op2string(op->operation_type), 
+		REPL_GET_DN(&op->target_address), is_ours ? "ours" : "not ours", 
    	is_user ? "user" : "not user", is_group ? "group" : "not group");
if (is_ours && (is_user || is_group) ) {
@@ -1463,14 +1468,16 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    			"%s: windows_replay_update: failed map dn for %s operation dn="%s""
    			"rc=%d remote_dn = [%s]\n",
    			agmt_get_long_name(prp->agmt),
-				op2string(op->operation_type), op->target_address.dn,
+				op2string(op->operation_type), 
+				REPL_GET_DN(&op->target_address),
    			rc, remote_dn ? slapi_sdn_get_dn(remote_dn) : "(null)");
    		goto error;
    	}
    	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
    		"%s: windows_replay_update: Processing %s operation local dn="%s" remote dn="%s"\n",
    		agmt_get_long_name(prp->agmt),
-			op2string(op->operation_type), op->target_address.dn, slapi_sdn_get_dn(remote_dn));
+			op2string(op->operation_type), 
+			REPL_GET_DN(&op->target_address), slapi_sdn_get_dn(remote_dn));
    	switch (op->operation_type) {
    	case SLAPI_OPERATION_ADD:
    		return_value = process_replay_add(prp,op->p.p_add.target_entry,local_entry,local_dn,remote_dn,is_user,missing_entry,&password);
@@ -1584,7 +1591,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
    		{
    		return_value = process_replay_rename(prp, local_entry, local_dn,
    							op->p.p_modrdn.modrdn_newrdn,
-								op->p.p_modrdn.modrdn_newsuperior_address.dn,
+								REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
    							op->p.p_modrdn.modrdn_deloldrdn,
    							is_user, is_group);
    		if (CONN_OPERATION_FAILED == return_value) {
@@ -4446,6 +4453,7 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
    Slapi_PBlock *pb = NULL;
    int do_modify = 0;
    char *newsuperior = NULL;
+	Slapi_DN newsuperior_sdn;
    const char *newrdn = NULL;
    int is_user = 0, is_group = 0;
    const char *newdn = NULL;
@@ -4467,8 +4475,8 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
/* Compare the local and mapped RDNs if it is a group */
    /* If they don't match, set it to newrdn. */
-	if (is_group && strcmp(slapi_sdn_get_ndn(slapi_entry_get_sdn(local_entry)),
-					slapi_sdn_get_ndn(mapped_sdn))) {
+	if (is_group && strcmp(slapi_entry_get_ndn(local_entry),
+	                       slapi_sdn_get_ndn(mapped_sdn))) {
    	newdn = slapi_sdn_get_dn(mapped_sdn);
    	slapi_rdn_set_dn(&rdn, newdn);
    	newrdn = slapi_rdn_get_rdn(&rdn);
@@ -4494,13 +4502,15 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
    	slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name, "renaming entry "%s" - "
    			"(newrdn: "%s", newsuperior: "%s"\n", newdn,
    			newrdn ? newrdn:"NULL", newsuperior ? newsuperior:"NULL");
-		slapi_rename_internal_set_pb (pb,
-				   slapi_sdn_get_dn(slapi_entry_get_sdn(local_entry)),
-				   newrdn, newsuperior, 1 /* delete old RDNS */,
+		slapi_sdn_init_dn_byref(&newsuperior_sdn, newsuperior);
+		slapi_rename_internal_set_pb_ext (pb,
+				   slapi_entry_get_sdn(local_entry),
+				   newrdn, &newsuperior_sdn, 1 /* delete old RDNS */,
    			   NULL /* controls */, NULL /* uniqueid */,
    			   repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
    	slapi_modrdn_internal_pb (pb);
    	slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &retval);
+		slapi_sdn_done(&newsuperior_sdn);
    	slapi_pblock_destroy (pb);
    	if (LDAP_SUCCESS != retval) {
    		slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
@@ -4541,12 +4551,14 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
    	if (pb)
    	{
    		char dnbuf[BUFSIZ];
-			const char *dn = slapi_sdn_get_dn(slapi_entry_get_sdn_const(local_entry));
+			const char *dn = slapi_entry_get_dn_const(local_entry);
    		slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
    			"modifying entry: %s\n", escape_string(dn, dnbuf));
-			slapi_modify_internal_set_pb (pb, slapi_entry_get_ndn(local_entry), slapi_mods_get_ldapmods_byref(&smods), NULL, NULL,
-					repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
-			slapi_modify_internal_pb (pb);		
+			slapi_modify_internal_set_pb_ext (pb,
+			    slapi_entry_get_sdn(local_entry),
+			    slapi_mods_get_ldapmods_byref(&smods), NULL, NULL,
+			    repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
+			slapi_modify_internal_pb (pb);
    		slapi_pblock_get (pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
    		if (rc) 
    		{
@@ -4564,7 +4576,7 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
    } else
    {
    	char dnbuf[BUFSIZ];
-		const char *dn = slapi_sdn_get_dn(slapi_entry_get_sdn_const(local_entry));
+		const char *dn = slapi_entry_get_dn_const(local_entry);
    	slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
    		"no mods generated for local entry: %s\n", escape_string(dn, dnbuf));
    }
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index 96be617..29ce79f 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -567,7 +567,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     Slapi_Operation     *op = NULL;
     LDAPMod		**modrdn_mods = NULL;
     char *newrdn = NULL;
-    char *newsuperior = NULL;
+    Slapi_DN *newsuperior = NULL;
     Slapi_Backend *be = NULL;
     time_t curtime;
     int rc;
@@ -641,7 +641,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
     	(void)slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &flag );
     	(void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &modrdn_mods );
-	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior); 
+    	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior ); 
     	break;
     }
@@ -649,9 +649,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     /* check if we should log change to retro changelog, and
      * if so, do it here */
     write_replog_db( pb, optype, dn, log_m, flag, curtime, te,
-		     newrdn, modrdn_mods, newsuperior );
+		     newrdn, modrdn_mods, slapi_sdn_get_dn(newsuperior) );
return 0;
 }
-
-
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 912185d..83d3292 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -785,7 +785,8 @@ static int roles_cache_is_role_entry(struct slapi_entry *entry)
 */
 void roles_cache_change_notify(Slapi_PBlock *pb)
 {
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
    struct slapi_entry *e = NULL;
    struct slapi_entry *pre = NULL;
    struct slapi_entry *entry = NULL;
@@ -814,10 +815,10 @@ void roles_cache_change_notify(Slapi_PBlock *pb)
    	return;
    }
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-    if( dn == NULL )
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if( sdn == NULL )
     {
-		return;
+        return;
     }
slapi_pblock_get (pb, SLAPI_OPERATION, &pb_operation);
@@ -932,6 +933,7 @@ if ( e != NULL )
if ( top_suffix != NULL )
    	{
+			dn = slapi_sdn_get_dn(sdn);
    		roles_cache_trigger_update_role( slapi_ch_strdup(dn), entry,
    									top_suffix,
    									operation);
diff --git a/ldap/servers/plugins/statechange/statechange.c b/ldap/servers/plugins/statechange/statechange.c
index 3489fba..0653eed 100644
--- a/ldap/servers/plugins/statechange/statechange.c
+++ b/ldap/servers/plugins/statechange/statechange.c
@@ -232,7 +232,8 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
 {
    SCNotify *notify = head; 
    int execute;
-	char *dn = NULL;
+	Slapi_DN *sdn = NULL;
+	char *ndn = NULL;
    struct slapi_entry *e_before = NULL;
    struct slapi_entry *e_after = NULL;
@@ -246,13 +247,13 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
    slapi_lock_mutex(buffer_lock);
    if(head)
    {
-		if(slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ))
-		{
-			slapi_log_error( SLAPI_LOG_FATAL, SCN_PLUGIN_SUBSYSTEM, "statechange_post_op: failed to get dn of changed entry");
+		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+		if (NULL == sdn) {
+			slapi_log_error( SLAPI_LOG_FATAL, SCN_PLUGIN_SUBSYSTEM, 
+			         "statechange_post_op: failed to get dn of changed entry" );
    		goto bail;
    	}
-
-		slapi_dn_normalize( dn );
+		ndn = (char *)slapi_sdn_get_ndn(sdn);
slapi_pblock_get( pb, SLAPI_ENTRY_PRE_OP, &e_before );
    	slapi_pblock_get( pb, SLAPI_ENTRY_POST_OP, &e_after );
@@ -264,7 +265,7 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
    		/* first dn */
    		if(notify->dn)
    		{
-				if(0 != slapi_dn_issuffix(dn, notify->dn))
+				if(0 != slapi_dn_issuffix(ndn, notify->dn))
    				execute = 1;
    		}
    		else
@@ -290,9 +291,9 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
    		if(execute)
    		{
    			if(e_after)
-					(notify->func)(e_after, dn, modtype, pb, notify->caller_data);
+					(notify->func)(e_after, ndn, modtype, pb, notify->caller_data);
    			else
-					(notify->func)(e_before, dn, modtype, pb, notify->caller_data);
+					(notify->func)(e_before, ndn, modtype, pb, notify->caller_data);
    		}
notify = notify->next;
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index f6120d6..3e0b921 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -233,13 +233,14 @@ preop_add(Slapi_PBlock *pb)
     int argc;
     char **argv;
     char **attrName;
-    char *dn;
+    const char *dn;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *e;
     Slapi_Attr *attr;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
-	int is_replicated_operation;
+    int is_replicated_operation;
/*
      * Get the arguments
@@ -263,9 +264,11 @@ preop_add(Slapi_PBlock *pb)
     /*
      * Get the target DN for this add operation
      */
-    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
     if (err) { result = op_error(50); break; }
+    dn = slapi_sdn_get_dn(sdn);
+
 #ifdef DEBUG
     slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "ADD target=%s\n", dn);
 #endif
@@ -278,7 +281,7 @@ preop_add(Slapi_PBlock *pb)
     if (err) { result = op_error(51); break; }
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0; 
-	firstSubtree++, argc--) {}
+          firstSubtree++, argc--) {}
     firstSubtree++;
     argc--;
@@ -304,7 +307,7 @@ preop_add(Slapi_PBlock *pb)
        * the target DN is a subnode in the tree.
        */
       for( subtreeDN=firstSubtree, subtreeCnt=argc ;subtreeCnt > 0;
-  	subtreeCnt--,subtreeDN++)
+           subtreeCnt--,subtreeDN++)
       {
         /*
          * issuffix determines whether the target is under the
@@ -378,7 +381,8 @@ preop_modify(Slapi_PBlock *pb)
     LDAPMod **mods;
     LDAPMod **firstMods;
     LDAPMod *mod;
-    char *target;
+    const char *target;
+	Slapi_DN *target_sdn = NULL;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
@@ -407,9 +411,10 @@ preop_modify(Slapi_PBlock *pb)
     if (err) { result = op_error(10); break; }
/* Get the target DN */
-    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &target);
+    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &target_sdn);
     if (err) { result = op_error(11); break; }
+    target = slapi_sdn_get_dn(target_sdn);
     /*
      * Look for managed trees that include the target
      * Arguments before "," are the 7-bit clean attribute names.  Arguemnts
@@ -538,14 +543,14 @@ preop_modrdn(Slapi_PBlock *pb)
     int argc;
     char **argv;
     char **attrName;
-    char *target;
-    char *superior;
+    Slapi_DN *target_sdn = NULL;
+    Slapi_DN *superior;
     char *rdn; 
     Slapi_Attr *attr;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
-	int is_replicated_operation;
+    int is_replicated_operation;
/*
      * Get the arguments
@@ -567,11 +572,11 @@ preop_modrdn(Slapi_PBlock *pb)
     }
/* Get the DN of the entry being renamed */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &target);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &target_sdn);
     if (err) { result = op_error(22); break; }
/* Get superior value - unimplemented in 3.0 DS */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &superior);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &superior);
     if (err) { result = op_error(20); break; }
/*
@@ -579,7 +584,7 @@ preop_modrdn(Slapi_PBlock *pb)
      * its current level in the tree.  Use the target DN for
      * determining which managed tree this belongs to
      */
-    if (!superior) superior = target;
+    if (!superior) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
     err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -649,7 +654,7 @@ preop_modrdn(Slapi_PBlock *pb)
          * issuffix determines whether the target is under the
          * subtree *subtreeDN
          */
-        if (slapi_dn_issuffix(superior, *subtreeDN))
+        if (slapi_dn_issuffix(slapi_sdn_get_dn(superior), *subtreeDN))
         {
 #ifdef DEBUG
           slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
@@ -692,6 +697,7 @@ NS7bitAttr_Init(Slapi_PBlock *pb)
     int argc;
     char **argv;
+
     /* Declare plugin version */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION,
             SLAPI_PLUGIN_VERSION_01);
@@ -716,8 +722,11 @@ NS7bitAttr_Init(Slapi_PBlock *pb)
     if (argc == 0) { err = -1; break; }
     argv++; argc--;
-    for(;argc > 0;argc--, argv++)
-        slapi_dn_normalize_case(*argv);
+    for(;argc > 0;argc--, argv++) {
+        char *normdn = slapi_create_dn_string_case("%s", *argv);
+        slapi_ch_free_string(argv);
+        *argv = normdn;
+    }
/* Provide descriptive information */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index 92eefa0..8bd5e17 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -340,28 +340,18 @@ search_one_berval(const char *baseDN, const char *attrName,
        */
       for(;*entries;entries++)
       {
-        char *dn = slapi_entry_get_dn(*entries);
-
-        /*
-         * DNs are returned in the original value used to insert
-         * the entry.  This must be "normalized" for comparison.
-         *
-         * This normalization is done "in-place" (modifying the value
-         * in the entry).  This is OK, since this is the only user
-         * of this copy of the entry.
-         */
-        slapi_dn_normalize_case(dn);
+        char *ndn = slapi_entry_get_ndn(*entries); /* get the normalized dn */
#ifdef DEBUG
         slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
-          "SEARCH entry dn=%s\n", dn);
+          "SEARCH entry dn=%s\n", ndn);
 #endif
/*
          * It is a Constraint Violation if any entry is found, unless
          * the entry is the target entry (if any).
          */
-        if (!target || strcmp(dn, target) != 0)
+        if (!target || strcmp(ndn, target) != 0)
         {
           result = LDAP_CONSTRAINT_VIOLATION;
           break;
@@ -557,7 +547,8 @@ preop_add(Slapi_PBlock *pb)
     int err;
     char *markerObjectClass = NULL;
     char *requiredObjectClass = NULL;
-    char *dn;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     int isupdatedn;
     Slapi_Entry *e;
     Slapi_Attr *attr;
@@ -582,7 +573,7 @@ preop_add(Slapi_PBlock *pb)
         if (UNTAGGED_PARAMETER == result)
         {
           slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, 
-		"ADD parameter untagged: %s\n", attrName);
+                          "ADD parameter untagged: %s\n", attrName);
           result = LDAP_SUCCESS;
           /* Statically defined subtrees to monitor */
           err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGC, &argc);
@@ -599,9 +590,11 @@ preop_add(Slapi_PBlock *pb)
     /*
      * Get the target DN for this add operation
      */
-    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(51); break; }
+    dn = slapi_sdn_get_dn(sdn);
+
 #ifdef DEBUG
     slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "ADD target=%s\n", dn);
 #endif
@@ -636,7 +629,7 @@ preop_add(Slapi_PBlock *pb)
         if (NULL != markerObjectClass)
         {
           /* Subtree defined by location of marker object class */
-                result = findSubtreeAndSearch(dn, attrName, attr, NULL,
+                result = findSubtreeAndSearch((char *)dn, attrName, attr, NULL,
                                               requiredObjectClass, dn,
                                               markerObjectClass);
         } else
@@ -710,7 +703,8 @@ preop_modify(Slapi_PBlock *pb)
     int modcount = 0;
     int ii;
     LDAPMod *mod;
-    char *dn;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     int isupdatedn;
     int argc;
     char **argv = NULL;
@@ -763,53 +757,57 @@ preop_modify(Slapi_PBlock *pb)
     /* find out how many mods meet this criteria */
     for(;*mods;mods++)
     {
-	mod = *mods;
-	if ((slapi_attr_type_cmp(mod->mod_type, attrName, 1) == 0) && /* mod contains target attr */
-	    (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */
-	    (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */
-	    (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */
-	     SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */
-	{
-	  addMod(&checkmods, &checkmodsCapacity, &modcount, mod);
-	}
+        mod = *mods;
+        if ((slapi_attr_type_cmp(mod->mod_type, attrName, 1) == 0) && /* mod contains target attr */
+            (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */
+            (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */
+            (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */
+             SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */
+        {
+          addMod(&checkmods, &checkmodsCapacity, &modcount, mod);
+        }
     }
     if (modcount == 0) {
-	break; /* no mods to check, we are done */
+        break; /* no mods to check, we are done */
     }
/* Get the target DN */
-    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(11); break; }
-        /*
-         * Check if it has the required object class
-         */
-        if (requiredObjectClass &&
-                !(spb = dnHasObjectClass(dn, requiredObjectClass))) { break; }
+    dn = slapi_sdn_get_dn(sdn);
+    /*
+     * Check if it has the required object class
+     */
+    if (requiredObjectClass &&
+        !(spb = dnHasObjectClass(dn, requiredObjectClass))) {
+        break;
+    }
-        /*
-         * Passed all the requirements - this is an operation we
-         * need to enforce uniqueness on. Now find all parent entries
-         * with the marker object class, and do a search for each one.
-         */
-		/*
-		 * stop checking at first mod that fails the check
-		 */
-		for (ii = 0; (result == 0) && (ii < modcount); ++ii)
-		{
-			mod = checkmods[ii];
-			if (NULL != markerObjectClass)
-			{
-				/* Subtree defined by location of marker object class */
-                result = findSubtreeAndSearch(dn, attrName, NULL, mod->mod_bvalues,
-                                              requiredObjectClass, dn, markerObjectClass);
-			} else
-			{
-				/* Subtrees listed on invocation line */
-				result = searchAllSubtrees(argc, argv, attrName, NULL,
-                                                           mod->mod_bvalues, requiredObjectClass, dn);
-			}
-		}
+    /*
+     * Passed all the requirements - this is an operation we
+     * need to enforce uniqueness on. Now find all parent entries
+     * with the marker object class, and do a search for each one.
+     */
+    /*
+     * stop checking at first mod that fails the check
+     */
+    for (ii = 0; (result == 0) && (ii < modcount); ++ii)
+    {
+        mod = checkmods[ii];
+        if (NULL != markerObjectClass)
+        {
+            /* Subtree defined by location of marker object class */
+            result = findSubtreeAndSearch((char *)dn, attrName, NULL, 
+                                          mod->mod_bvalues, requiredObjectClass,
+                                          dn, markerObjectClass);
+        } else
+        {
+            /* Subtrees listed on invocation line */
+            result = searchAllSubtrees(argc, argv, attrName, NULL,
+                                       mod->mod_bvalues, requiredObjectClass, dn);
+        }
+    }
   END
slapi_ch_free((void **)&checkmods);
@@ -846,7 +844,6 @@ preop_modrdn(Slapi_PBlock *pb)
 {
   int result = LDAP_SUCCESS;
   Slapi_Entry *e = NULL;
-  Slapi_DN *sdn = NULL;
   Slapi_Value *sv_requiredObjectClass = NULL;
   char *errtext = NULL;
   char *attrName = NULL;
@@ -860,8 +857,9 @@ preop_modrdn(Slapi_PBlock *pb)
     int err;
     char *markerObjectClass=NULL;
     char *requiredObjectClass=NULL;
-    char *dn;
-    char *superior;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
+    Slapi_DN *superior;
     char *rdn;
     int deloldrdn = 0;
     int isupdatedn;
@@ -907,14 +905,13 @@ preop_modrdn(Slapi_PBlock *pb)
     }
/* Get the DN of the entry being renamed */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(31); break; }
-    /* Create a Slapi_DN to use for searching. */
-    sdn = slapi_sdn_new_dn_byref(dn);
+    dn = slapi_sdn_get_dn(sdn);
/* Get superior value - unimplemented in 3.0/4.0/5.0 DS */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &superior);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &superior);
     if (err) { result = uid_op_error(32); break; }
/*
@@ -922,7 +919,7 @@ preop_modrdn(Slapi_PBlock *pb)
      * its current level in the tree.  Use the target DN for
      * determining which managed tree this belongs to
      */
-    if (!superior) superior = dn;
+    if (!superior) superior = sdn;
/* Get the new RDN - this has the attribute values */
     err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -949,7 +946,7 @@ preop_modrdn(Slapi_PBlock *pb)
     }
/* Apply the rename operation to the dummy entry. */
-    err = slapi_entry_rename(e, rdn, deloldrdn, superior);
+    err = slapi_entry_rename(e, rdn, deloldrdn, slapi_sdn_get_dn(superior));
     if (err != LDAP_SUCCESS) { result = uid_op_error(36); break; }
/*
@@ -983,7 +980,6 @@ preop_modrdn(Slapi_PBlock *pb)
         }
   END
   /* Clean-up */
-  slapi_sdn_free(&sdn);
   slapi_value_free(&sv_requiredObjectClass);
   if (e) slapi_entry_free(e);
@@ -1048,8 +1044,11 @@ NSUniqueAttr_Init(Slapi_PBlock *pb)
     if (argc < 1) { err = -1; break; }
     argv++; argc--;
-    for(;argc > 0;argc--, argv++)
-        slapi_dn_normalize_case(*argv);
+    for(;argc > 0;argc--, argv++) {
+        char *normdn = slapi_create_dn_string_case("%s", *argv);
+        slapi_ch_free_string(argv);
+        *argv = normdn;
+    }
/* Provide descriptive information */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c
index 6ec0246..48b6803 100644
--- a/ldap/servers/plugins/views/views.c
+++ b/ldap/servers/plugins/views/views.c
@@ -1683,6 +1683,7 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
    int scope = 0;
    int set_scope = LDAP_SCOPE_SUBTREE;
    viewEntry *theView = 0;
+	Slapi_DN *basesdn = NULL;
#ifdef _VIEW_DEBUG_FILTERS
    char outFilter_str[1024];
@@ -1711,7 +1712,8 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
    	goto end;
/* if base of the search is a view */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &basesdn);
+	base = (char *)slapi_sdn_get_dn(basesdn);
/* Read lock the cache */
    views_read_lock();
@@ -1763,8 +1765,11 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
    /* rewrite search scope and base*/
    slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &set_scope);
-	base = slapi_ch_strdup(theView->pSearch_base);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &basesdn);
+	slapi_sdn_free(&basesdn);
+
+	basesdn = slapi_sdn_new_dn_byval(theView->pSearch_base);
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, basesdn);
/* concatenate the filters */
    
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 19a7690..cc712de 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -116,8 +116,7 @@ do_add( Slapi_PBlock *pb )
    /* get the name */
    {
    	char *rawdn = NULL;
-		char *dn = NULL;
-		size_t dnlen = 0;
+		Slapi_DN mysdn;
    	if ( ber_scanf( ber, "{a", &rawdn ) == LBER_ERROR ) {
    		slapi_ch_free_string(&rawdn);
    		LDAPDebug( LDAP_DEBUG_ANY,
@@ -140,20 +139,20 @@ do_add( Slapi_PBlock *pb )
    			return;
    		}
    	}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "ADD", rawdn?rawdn:"", "invalid dn");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free_string(&rawdn);
+		slapi_sdn_init_dn_passin(&mysdn, rawdn);
+		if (rawdn && (strlen(rawdn) > 0) &&
+		    (NULL == slapi_sdn_get_dn(&mysdn))) {
+			/* normalization failed */
+			op_shared_log_error_access(pb, "ADD", rawdn, "invalid dn");
+			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+			                 "invalid dn", 0, NULL);
+			slapi_sdn_done(&mysdn);
    		return;
-		} else if (rc > 0) {
-			slapi_ch_free_string(&rawdn);
-		} else { /* rc == 0; rawdn is passed in; not null terminated */
-			*(dn + dnlen) = '\0';
    	}
    	e = slapi_entry_alloc();
-		slapi_entry_init(e,dn,NULL); /* Responsibility for DN is passed to the Entry. */
+		/* Responsibility for DN is passed to the Entry. */
+		slapi_entry_init_ext(e, &mysdn, NULL);
+		slapi_sdn_done(&mysdn);
    }
    LDAPDebug( LDAP_DEBUG_ARGS, "	do_add: dn (%s)\n", slapi_entry_get_dn_const(e), 0, 0 );
@@ -338,7 +337,7 @@ slapi_add_entry_internal(Slapi_Entry *e, LDAPControl **controls, int dummy)
/*  This is new style API to issue internal add operation.
    pblock should contain the following data (can be set via call to slapi_add_internal_set_pb):
-	SLAPI_TARGET_DN		set to dn of the new entry
+	SLAPI_TARGET_SDN	set to sdn of the new entry
    SLAPI_CONTROLS_ARG	set to request controls if present
    SLAPI_ADD_ENTRY		set to Slapi_Entry to add
    Beware: The entry is consumed. */
@@ -458,6 +457,7 @@ static void op_shared_add (Slapi_PBlock *pb)
    char *proxystr = NULL;
    int proxy_err = LDAP_SUCCESS;
    char *errtext = NULL;
+	Slapi_DN *sdn = NULL;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
    slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
@@ -532,7 +532,7 @@ static void op_shared_add (Slapi_PBlock *pb)
    		goto done;
    	}
    
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, (void*)slapi_sdn_get_ndn(operation_get_target_spec (operation)));
+		slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*)operation_get_target_spec (operation));
    	send_referrals_from_entry(pb,referral);
    	slapi_entry_free(referral);
    	goto done;
@@ -547,16 +547,16 @@ static void op_shared_add (Slapi_PBlock *pb)
    		present_values= attr_get_present_values(attr);
/* Set the backend in the pblock.  The slapi_access_allowed function
-                         * needs this set to work properly. */
-                        slapi_pblock_set( pb, SLAPI_BACKEND, slapi_be_select( slapi_entry_get_sdn_const(e) ) );
+			 * needs this set to work properly. */
+			slapi_pblock_set( pb, SLAPI_BACKEND, slapi_be_select( slapi_entry_get_sdn_const(e) ) );
/* Check ACI before checking password syntax */
    		if ( (err = slapi_access_allowed(pb, e, SLAPI_USERPWD_ATTR, NULL,
-                                     SLAPI_ACL_ADD)) != LDAP_SUCCESS) {
-                                send_ldap_result(pb, err, NULL,
-                                              "Insufficient 'add' privilege to the "
-                                              "'userPassword' attribute", 0, NULL);
-                                goto done;
+			                                 SLAPI_ACL_ADD)) != LDAP_SUCCESS) {
+			    send_ldap_result(pb, err, NULL,
+			                     "Insufficient 'add' privilege to the "
+			                     "'userPassword' attribute", 0, NULL);
+			    goto done;
    		}
/* check password syntax */
@@ -657,21 +657,23 @@ static void op_shared_add (Slapi_PBlock *pb)
     * plugins.
     */
    
-	slapi_pblock_set(pb, SLAPI_ADD_TARGET, 
-					 (char*)slapi_sdn_get_ndn(slapi_entry_get_sdn_const(e)));
-	if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN : 
-							SLAPI_PLUGIN_PRE_ADD_FN) == 0)
+	sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(e));
+	slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, (void *)sdn);
+	if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN :
+	                        SLAPI_PLUGIN_PRE_ADD_FN) == 0)
    {
    	int	rc;
    	Slapi_Entry	*ec;
-		char *add_target_dn;
+		Slapi_DN *add_target_sdn = NULL;
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
    	set_db_default_result_handlers(pb);
    	/* because be_add frees the entry */
    	ec = slapi_entry_dup(e);
-		add_target_dn= slapi_ch_strdup(slapi_sdn_get_ndn(slapi_entry_get_sdn_const(ec)));
-    	slapi_pblock_set(pb, SLAPI_ADD_TARGET, add_target_dn);
+		add_target_sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(ec));
+		slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+		slapi_sdn_free(&sdn);
+		slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, add_target_sdn);
    	
    	if (be->be_add != NULL)
    	{
@@ -717,9 +719,9 @@ static void op_shared_add (Slapi_PBlock *pb)
    	plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_ADD_FN : 
    						SLAPI_PLUGIN_POST_ADD_FN);
    	slapi_entry_free(ec);
-    	slapi_pblock_get(pb, SLAPI_ADD_TARGET, &add_target_dn);
-		slapi_ch_free((void**)&add_target_dn);
    }
+	slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
done:
    if (be)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 3cca975..d000550 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -57,13 +57,14 @@ char	*attr_deleteoldrdn	= ATTR_DELETEOLDRDN;
 char	*attr_modifiersname = ATTR_MODIFIERSNAME;
/* Forward Declarations */
-static void write_audit_file( int optype, char *dn, void *change, int flag, time_t curtime );
+static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
void
 write_audit_log_entry( Slapi_PBlock *pb )
 {
     time_t curtime;
-    char *dn;
+    Slapi_DN *sdn;
+    const char *dn;
     void *change;
    int flag = 0;
    Operation *op;
@@ -75,27 +76,13 @@ write_audit_log_entry( Slapi_PBlock *pb )
    }
slapi_pblock_get( pb, SLAPI_OPERATION, &op );
-    slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+    slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
     switch ( operation_get_type(op) )
    {
     case SLAPI_OPERATION_MODIFY:
        slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
     	break;
-    case SLAPI_OPERATION_ADD:
-	    {
-    	/*
-    	 * For adds, we want the unnormalized dn, so we can preserve
-    	 * spacing, case, when replicating it.
-    	 */
-        Slapi_Entry *te = NULL;
-    	slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &change );
-    	te = (Slapi_Entry *)change;
-    	if ( NULL != te )
-		{
-    	    dn = slapi_entry_get_dn( te );
-    	}
-		}
-    	break;
     case SLAPI_OPERATION_DELETE:
    	{
    	char * deleterDN = NULL;
@@ -129,7 +116,7 @@ write_audit_log_entry( Slapi_PBlock *pb )
 static void
 write_audit_file(
     int			optype,
-    char		*dn,
+    const char	*dn,
     void		*change,
     int			flag,
     time_t		curtime
diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
index 2c25483..796ca7a 100644
--- a/ldap/servers/slapd/auth.c
+++ b/ldap/servers/slapd/auth.c
@@ -81,30 +81,17 @@ slapu_search_s( LDAP* ld, const char* rawbaseDN, int scope, const char* filter,
     int err = LDAP_NO_SUCH_OBJECT;
     Slapi_PBlock* pb = NULL;
     LDAPControl **ctrls;
-    char *baseDN = slapi_ch_strdup(rawbaseDN);
-    char *normDN = NULL;
-    size_t dnlen = 0;
-
-    err = slapi_dn_normalize_ext(baseDN, 0, &normDN, &dnlen);
-    if (err < 0) {
-        err = LDAP_INVALID_DN_SYNTAX;
-        LDAPDebug (LDAP_DEBUG_TRACE, "<= slapu_search_s %i\n", err, 0, 0);
-        return err;
-    } else if (err == 0) { /* baseDN is passed in; not terminated */
-        *(normDN + dnlen) = '\0';
-    } else {
-        slapi_ch_free_string(&baseDN);
-        baseDN = normDN;
-    }
+    Slapi_DN *sdn = slapi_sdn_new_dn_byval(rawbaseDN);
+    char *baseDN = slapi_sdn_get_dn(sdn);
if (ld != internal_ld) {
         err = ldap_search_ext_s(ld, baseDN, scope, filter, attrs, attrsonly,
                                 NULL, NULL, NULL, -1, result);
-        slapi_ch_free_string(&baseDN);
+        slapi_sdn_free(&sdn);
         return err;
     }
     LDAPDebug (LDAP_DEBUG_TRACE, "=> slapu_search_s ("%s", %i, %s)\n",
-	       baseDN, scope, filter);
+               baseDN, scope, filter);
     if (filter == NULL) filter = "objectclass=*";
/* use new internal search API */
@@ -138,7 +125,7 @@ slapu_search_s( LDAP* ld, const char* rawbaseDN, int scope, const char* filter,
    LDAPDebug (LDAP_DEBUG_ANY, "slapi_search_internal ("%s", %i, %s) NULL\n",
    	   escape_string( (char*)baseDN, ebuf ), scope, escape_string( (char*)filter, fbuf ));
     }
-    slapi_ch_free_string(&baseDN);
+    slapi_sdn_free(&sdn);
     *result = (LDAPMessage*)pb;
     LDAPDebug (LDAP_DEBUG_TRACE, "<= slapu_search_s %i\n", err, 0, 0);
     return err;
@@ -534,19 +521,10 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData)
if (clientDN != NULL) {
         char ebuf[ BUFSIZ ];
-        int rc = 0;
-        char *normedDN = NULL;
-        size_t dnlen = 0;
-
-        rc = slapi_dn_normalize_ext(clientDN, 0, &normedDN, &dnlen);
-        if (rc < 0) {
-            /* ignoring the normalization error, use the pre normalized DN */
-        } else if (rc == 0) { /* clientDN is passed in; not terminated */
-            *(normedDN + dnlen) = '\0';
-        } else {
-            slapi_ch_free_string(&clientDN);
-            clientDN = normedDN;
-        }
+        Slapi_DN *sdn = NULL;
+        sdn = slapi_sdn_new_dn_passin(clientDN);
+        clientDN = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+        slapi_sdn_free(&sdn);
         slapi_log_access (LDAP_DEBUG_STATS, 
                           "conn=%" NSPRIu64 " SSL client bound as %s\n",
                           conn->c_connid, escape_string( clientDN, ebuf ));
diff --git a/ldap/servers/slapd/back-ldbm/ancestorid.c b/ldap/servers/slapd/back-ldbm/ancestorid.c
index 1e90871..15fb7e0 100644
--- a/ldap/servers/slapd/back-ldbm/ancestorid.c
+++ b/ldap/servers/slapd/back-ldbm/ancestorid.c
@@ -717,8 +717,8 @@ static int ldbm_ancestorid_index_update(
 {
     DB *db = NULL;
     int allids = IDL_INSERT_NORMAL;
-    Slapi_DN dn = {0};
-    Slapi_DN nextdn = {0};
+    Slapi_DN sdn;
+    Slapi_DN nextsdn;
     struct attrinfo *ai = NULL;
     ID node_id, sub_id;
     idl_iterator iter;
@@ -733,36 +733,38 @@ static int ldbm_ancestorid_index_update(
         goto out;
     }
-    slapi_sdn_copy(low, &dn);
+    slapi_sdn_init(&sdn);
+    slapi_sdn_init(&nextsdn);
+    slapi_sdn_copy(low, &sdn);
if (include_low == 0) {
-        if (slapi_sdn_compare(&dn, high) == 0) {
+        if (slapi_sdn_compare(&sdn, high) == 0) {
             goto out;
         }
         /* Get the next highest DN */
-        slapi_sdn_get_parent(&dn, &nextdn);
-        slapi_sdn_copy(&nextdn, &dn);
+        slapi_sdn_get_parent(&sdn, &nextsdn);
+        slapi_sdn_copy(&nextsdn, &sdn);
     }
/* Iterate up through the tree */
     do {
-        if (slapi_sdn_isempty(&dn)) {
+        if (slapi_sdn_isempty(&sdn)) {
             break;
         }
/* Have we reached the high node? */
-        if (include_high == 0 && slapi_sdn_compare(&dn, high) == 0) {
+        if (include_high == 0 && slapi_sdn_compare(&sdn, high) == 0) {
             break;
         }
/* Get the id for that DN */
         if (entryrdn_get_switch()) { /* subtree-rename: on */
             node_id = 0;
-            err = entryrdn_index_read(be, &dn, &node_id, txn);
+            err = entryrdn_index_read(be, &sdn, &node_id, txn);
             if (err) {
                 if (DB_NOTFOUND != err) {
                     ldbm_nasty(sourcefile,13141,err);
-                    LDAPDebug1Arg(LDAP_DEBUG_ANY, "entryrdn_index_read(%s)\n", slapi_sdn_get_dn(&dn));
+                    LDAPDebug1Arg(LDAP_DEBUG_ANY, "entryrdn_index_read(%s)\n", slapi_sdn_get_dn(&sdn));
                     ret = err;
                 }
                 break;
@@ -770,8 +772,8 @@ static int ldbm_ancestorid_index_update(
         } else {
             IDList *idl = NULL;
             struct berval ndnv;
-            ndnv.bv_val = (void*)slapi_sdn_get_ndn(&dn);
-            ndnv.bv_len = slapi_sdn_get_ndn_len(&dn);
+            ndnv.bv_val = (void*)slapi_sdn_get_ndn(&sdn);
+            ndnv.bv_len = slapi_sdn_get_ndn_len(&sdn);
             err = 0;
             idl = index_read(be, LDBM_ENTRYDN_STR, indextype_EQUALITY, &ndnv, txn, &err);
             if (idl == NULL) {
@@ -807,19 +809,19 @@ static int ldbm_ancestorid_index_update(
         }
/* Have we reached the high node? */
-        if (slapi_sdn_compare(&dn, high) == 0) {
+        if (slapi_sdn_compare(&sdn, high) == 0) {
             break;
         }
/* Get the next highest DN */
-        slapi_sdn_get_parent(&dn, &nextdn);
-        slapi_sdn_copy(&nextdn, &dn);
+        slapi_sdn_get_parent(&sdn, &nextsdn);
+        slapi_sdn_copy(&nextsdn, &sdn);
} while (ret == 0);
out:
-    slapi_sdn_done(&dn);
-    slapi_sdn_done(&nextdn);
+    slapi_sdn_done(&sdn);
+    slapi_sdn_done(&nextsdn);
/* Release the ancestorid file */
     if (db != NULL) {
@@ -856,7 +858,8 @@ int ldbm_ancestorid_index_entry(
  * If common is non-null then the common suffix of left and right
  * is returned in *common.
  */
-int slapi_sdn_suffix_cmp(
+static int 
+_sdn_suffix_cmp(
     const Slapi_DN *left, 
     const Slapi_DN *right, 
     Slapi_DN *common
@@ -870,12 +873,24 @@ int slapi_sdn_suffix_cmp(
     rdns1 = slapi_ldap_explode_dn(slapi_sdn_get_ndn(left), 0);
     rdns2 = slapi_ldap_explode_dn(slapi_sdn_get_ndn(right), 0);
-    for(count1 = 0; rdns1[count1]!=NULL; count1++){
+    if (NULL == rdns1) {
+        if (NULL == rdns2) {
+            ret = 0;
+        } else {
+            ret = 1;
+        }
+        goto out;
+    } else {
+        if (NULL == rdns2) {
+            ret = -1;
+            goto out;
+        }
     }
+
+    for(count1 = 0; rdns1[count1]!=NULL; count1++) ;
     count1--;
-    for(count2 = 0; rdns2[count2]!=NULL; count2++){
-    }
+    for(count2 = 0; rdns2[count2]!=NULL; count2++) ;
     count2--;
while (count1 >= 0 && count2 >= 0) {
@@ -922,11 +937,11 @@ int slapi_sdn_suffix_cmp(
     LDAPDebug(LDAP_DEBUG_TRACE, "common suffix <%s>\n",
               slapi_sdn_get_dn(common), 0, 0);
- out:
+out:
     slapi_ldap_value_free(rdns1);
     slapi_ldap_value_free(rdns2);
-    LDAPDebug(LDAP_DEBUG_TRACE, "slapi_sdn_suffix_cmp(<%s>, <%s>) => %d\n",
+    LDAPDebug(LDAP_DEBUG_TRACE, "_sdn_suffix_cmp(<%s>, <%s>) => %d\n",
               slapi_sdn_get_dn(left), slapi_sdn_get_dn(right), ret);
return ret;
@@ -942,15 +957,17 @@ int ldbm_ancestorid_move_subtree(
 )
 {
     int ret = 0;
-    Slapi_DN commondn = {0};
+    Slapi_DN commonsdn;
+
+    slapi_sdn_init(&commonsdn);
     /* Determine the common ancestor */
-    (void)slapi_sdn_suffix_cmp(olddn, newdn, &commondn);
+    (void)_sdn_suffix_cmp(olddn, newdn, &commonsdn);
/* Delete from old ancestors */
     ret = ldbm_ancestorid_index_update(be, 
                                        olddn,
-                                       &commondn,
+                                       &commonsdn,
                                        0,
                                        0,
                                        id,
@@ -962,7 +979,7 @@ int ldbm_ancestorid_move_subtree(
     /* Add to new ancestors */
     ret = ldbm_ancestorid_index_update(be, 
                                        newdn,
-                                       &commondn,
+                                       &commonsdn,
                                        0,
                                        0,
                                        id,
@@ -971,7 +988,7 @@ int ldbm_ancestorid_move_subtree(
                                        txn);
out:
-    slapi_sdn_done(&commondn);
+    slapi_sdn_done(&commonsdn);
     return ret;
 }
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 0e5804c..7f7d0ca 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -2815,7 +2815,6 @@ int
 dblayer_remove_env(struct ldbminfo *li)
 {
     DB_ENV *env = NULL;
-    dblayer_private *priv = NULL;
     char *home_dir = NULL;
     int rc = db_env_create(&env, 0);
     if (rc) {
@@ -2827,7 +2826,6 @@ dblayer_remove_env(struct ldbminfo *li)
         LDAPDebug0Args(LDAP_DEBUG_ANY, "ERROR -- No ldbm info is given\n");
         return -1;
     }
-    priv = (dblayer_private *)li->li_dblayer_private;
home_dir = dblayer_get_home_dir(li, NULL);
     if (home_dir) {
diff --git a/ldap/servers/slapd/back-ldbm/dn2entry.c b/ldap/servers/slapd/back-ldbm/dn2entry.c
index 4d6dc7c..99a9f47 100644
--- a/ldap/servers/slapd/back-ldbm/dn2entry.c
+++ b/ldap/servers/slapd/back-ldbm/dn2entry.c
@@ -182,13 +182,11 @@ dn2ancestor(
         Slapi_DN ancestorndn;
         const char *ptr;
-        /* assign ancestordn to the parent of the given dn - ancestordn will contain
-           the "raw" unnormalized DN from the caller, so we can give back the DN
-           in the same format as we received it */
+        /* assign ancestordn to the parent of the given dn */
         ptr = slapi_dn_find_parent(slapi_sdn_get_dn(sdn));
         /* assign the ancestordn dn pointer to the parent of dn from sdn - sdn "owns"
            the memory, but ancestordn points to it */
-        slapi_sdn_set_dn_byref(ancestordn, ptr); /* free any previous contents */
+        slapi_sdn_set_normdn_byref(ancestordn, ptr); /* free any previous contents */
         /* now, do the same for the normalized version */
         /* ancestorndn holds the normalized version for iteration purposes and
            because dn2entry needs the normalized dn */
@@ -221,7 +219,7 @@ dn2ancestor(
                 slapi_sdn_set_ndn_byref(&ancestorndn, ptr); /* wipe out the previous contents */
                 /* now do the same for the unnormalized one */
                 ptr = slapi_dn_find_parent(slapi_sdn_get_dn(ancestordn));
-                slapi_sdn_set_dn_byref(ancestordn, ptr); /* wipe out the previous contents */
+                slapi_sdn_set_normdn_byref(ancestordn, ptr); /* wipe out the previous contents */
             }
         }
@@ -256,17 +254,20 @@ get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, in
    }
    else
    {
-		Slapi_DN sdn;
-		slapi_sdn_init_dn_byref (&sdn, addr->dn); /* We assume that the DN is not normalized */
-		entry = dn2entry( be, &sdn, txn, &err );
-		slapi_sdn_done (&sdn);
+		if (addr->sdn) {
+			entry = dn2entry( be, addr->sdn, txn, &err );
+		} else {
+			err = 1;
+		}
    }
    if ( 0 != err && DB_NOTFOUND != err )
    {
    	if(must_exist)
    	{
-			LDAPDebug( LDAP_DEBUG_ANY, "Operation error fetching %s (%s), error %d.\n", 
-				       addr->dn, (addr->uniqueid==NULL?"null":addr->uniqueid), err );
+			LDAPDebug( LDAP_DEBUG_ANY,
+			           "Operation error fetching %s (%s), error %d.\n", 
+			           addr->sdn?slapi_sdn_get_dn(addr->sdn):"Null DN",
+			           (addr->uniqueid==NULL?"null":addr->uniqueid), err );
    	}
    	if ( LDAP_INVALID_DN_SYNTAX == err ) {
    		rc = LDAP_INVALID_DN_SYNTAX; /* respect the error */
@@ -280,9 +281,9 @@ get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, in
    	if(entry!=NULL)
    	{
    		ldbm_instance *inst;
-	    	slapi_pblock_set( pb, plock_parameter, slapi_entry_dup(entry->ep_entry));
+			slapi_pblock_set( pb, plock_parameter, slapi_entry_dup(entry->ep_entry));
    		inst = (ldbm_instance *) be->be_instance_info;
-		    CACHE_RETURN( &inst->inst_cache, &entry );
+			CACHE_RETURN( &inst->inst_cache, &entry );
    	}
    }
    /* JCMREPL - Free the backentry? */
diff --git a/ldap/servers/slapd/back-ldbm/findentry.c b/ldap/servers/slapd/back-ldbm/findentry.c
index 9c076f8..b739ab1 100644
--- a/ldap/servers/slapd/back-ldbm/findentry.c
+++ b/ldap/servers/slapd/back-ldbm/findentry.c
@@ -170,14 +170,15 @@ find_entry_internal_dn(
     */
    if (!really_internal) {
    	struct backentry *me;
-		Slapi_DN ancestordn= {0};
-		me= dn2ancestor(pb->pb_backend,sdn,&ancestordn,txn,&err);
+		Slapi_DN ancestorsdn;
+		slapi_sdn_init(&ancestorsdn);
+		me= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,txn,&err);
    	if ( !managedsait && me != NULL ) {
    		/* if the entry is a referral send the referral */
-			if(check_entry_for_referral(pb, me->ep_entry, (char*)slapi_sdn_get_dn(&ancestordn), "find_entry_internal_dn"))
+			if(check_entry_for_referral(pb, me->ep_entry, (char*)slapi_sdn_get_dn(&ancestorsdn), "find_entry_internal_dn"))
    		{
    			CACHE_RETURN( &inst->inst_cache, &me );
-				slapi_sdn_done(&ancestordn);
+				slapi_sdn_done(&ancestorsdn);
    			return( NULL );
    		}
    		/* else fall through to no such object */
@@ -187,8 +188,8 @@ find_entry_internal_dn(
    	slapi_send_ldap_result( pb, ( 0 == err || DB_NOTFOUND == err ) ?
    		LDAP_NO_SUCH_OBJECT : ( LDAP_INVALID_DN_SYNTAX == err ) ?
    		LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR,
-			(char*)slapi_sdn_get_dn(&ancestordn), NULL, 0, NULL );
-		slapi_sdn_done(&ancestordn);
+			(char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL );
+		slapi_sdn_done(&ancestorsdn);
    	CACHE_RETURN( &inst->inst_cache, &me );
    }
@@ -276,17 +277,21 @@ find_entry_internal(
    }
    else
    {
-		Slapi_DN sdn;
-		struct backentry *entry;
+		struct backentry *entry = NULL;
-		slapi_sdn_init_dn_ndn_byref (&sdn, addr->dn); /* normalized by front end */
    	LDAPDebug( LDAP_DEBUG_TRACE, "=> find_entry_internal (dn=%s) lock %d\n",
-				   addr->dn, lock, 0 );
-		entry = find_entry_internal_dn (pb, be, &sdn, lock, txn, really_internal);
-		slapi_sdn_done (&sdn);
+		           slapi_sdn_get_dn(addr->sdn), lock, 0 );
+		if (addr->sdn) {
+			entry = find_entry_internal_dn (pb, be, addr->sdn, 
+			                                lock, txn, really_internal);
+		} else {
+			LDAPDebug0Args( LDAP_DEBUG_ANY,
+			                "find_entry_internal: Null target dn\n" );
+		}
+
+		LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= find_entry_internal\n" );
    	return entry;
    }
-	
 }
struct backentry *
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c b/ldap/servers/slapd/back-ldbm/id2entry.c
index 12e2951..bd51a7f 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -358,40 +358,40 @@ id2entry( backend *be, ID id, back_txn *txn, int *err  )
             /* data.dptr may not include rdn: ..., try "dn: ..." */
             ee = slapi_str2entry( data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN );
         } else {
-            char *dn = NULL;
+            char *normdn = NULL;
             struct backdn *bdn = dncache_find_id(&inst->inst_dncache, id);
             if (bdn) {
-                dn = slapi_ch_strdup(slapi_sdn_get_dn(bdn->dn_sdn));
+                normdn = slapi_ch_strdup(slapi_sdn_get_dn(bdn->dn_sdn));
                 slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
-                                "dncache_find_id returned: %s\n", dn);
+                                "dncache_find_id returned: %s\n", normdn);
                 CACHE_RETURN(&inst->inst_dncache, &bdn);
             } else {
                 Slapi_DN *sdn = NULL;
-                rc = entryrdn_lookup_dn(be, rdn, id, &dn, txn);
+                rc = entryrdn_lookup_dn(be, rdn, id, &normdn, txn);
                 if (rc) {
                     slapi_log_error(SLAPI_LOG_TRACE, ID2ENTRY,
                                     "id2entry: entryrdn look up failed "
                                     "(rdn=%s, ID=%d)\n", rdn, id);
                     /* Try rdn as dn. Could be RUV. */
-                    dn = slapi_ch_strdup(rdn);
+                    normdn = slapi_ch_strdup(rdn);
                 }
-                sdn = slapi_sdn_new_dn_byval((const char *)dn);
+                sdn = slapi_sdn_new_normdn_byval((const char *)normdn);
                 bdn = backdn_init(sdn, id, 0);
                 if (CACHE_ADD( &inst->inst_dncache, bdn, NULL )) {
                     backdn_free(&bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
-                                    "%s is already in the dn cache\n", dn);
+                                    "%s is already in the dn cache\n", normdn);
                 } else {
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache (id %d)\n", dn, id);
+                                    "and set to dn cache (id %d)\n", normdn, id);
                 }
             }
-            ee = slapi_str2entry_ext( (const char *)dn, data.dptr, 
+            ee = slapi_str2entry_ext( (const char *)normdn, data.dptr, 
                                       SLAPI_STR2ENTRY_NO_ENTRYDN );
             slapi_ch_free_string(&rdn);
-            slapi_ch_free_string(&dn);
+            slapi_ch_free_string(&normdn);
         }
     } else {
         ee = slapi_str2entry( data.dptr, 0 );
diff --git a/ldap/servers/slapd/back-ldbm/idl_common.c b/ldap/servers/slapd/back-ldbm/idl_common.c
index 593a036..f04f8de 100644
--- a/ldap/servers/slapd/back-ldbm/idl_common.c
+++ b/ldap/servers/slapd/back-ldbm/idl_common.c
@@ -133,7 +133,7 @@ idl_append_extend(IDList **orig_idl, ID id)
    IDList *idl = *orig_idl;
if (idl == NULL) {
-		idl = idl_alloc(1);
+		idl = idl_alloc(32); /* used to be 0 */
    	idl_append(idl, id);
*orig_idl = idl;
@@ -151,9 +151,7 @@ idl_append_extend(IDList **orig_idl, ID id)
    	}
    	/* copy over the existing contents */
    	idl_new->b_nids = idl->b_nids;
-		for (x = 0; x < idl->b_nids;x++) {
-			idl_new->b_ids[x] = idl->b_ids[x];
-		}
+		memcpy(idl_new->b_ids, idl->b_ids, sizeof(ID) * idl->b_nids);
    	idl_free(idl);
    	idl = idl_new;
    }
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 207c470..e95d32f 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -521,6 +521,7 @@ import_producer(void *param)
         if (!(str2entry_flags & SLAPI_STR2ENTRY_INCLUDE_VERSION_STR) &&
             entryrdn_get_switch()) { /* subtree-rename: on */
             char *dn = NULL;
+            char *normdn = NULL;
             int rc = 0; /* estr should start with "dn: " or "dn:: " */
             if (strncmp(estr, "dn: ", 4) &&
                 NULL == strstr(estr, "\ndn: ") && /* in case comments precedes
@@ -541,8 +542,11 @@ import_producer(void *param)
                 FREE(estr);
                 continue;
             }
-            e = slapi_str2entry_ext(dn, estr, flags|SLAPI_STR2ENTRY_NO_ENTRYDN);
+            normdn = slapi_create_dn_string("%s", dn);
             slapi_ch_free_string(&dn);
+            e = slapi_str2entry_ext(normdn, estr, 
+                                    flags|SLAPI_STR2ENTRY_NO_ENTRYDN);
+            slapi_ch_free_string(&normdn);
         } else {
             e = slapi_str2entry(estr, flags);
         }
@@ -1038,16 +1042,16 @@ index_producer(void *param)
                     }
                 }
             } else {
-                char *dn = NULL;
+                char *normdn = NULL;
                 struct backdn *bdn = 
                                   dncache_find_id(&inst->inst_dncache, temp_id);
                 if (bdn) {
                     /* don't free dn */
-                    dn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
+                    normdn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                 } else {
                     Slapi_DN *sdn = NULL;
-                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &dn, NULL);
+                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &normdn, NULL);
                     if (rc) {
                         /* We cannot use the entryrdn index;
                          * Compose dn from the entries in id2entry */
@@ -1090,21 +1094,21 @@ index_producer(void *param)
                                 continue;
                             }
                         }
-                        dn = slapi_ch_smprintf("%s%s%s",
+                        normdn = slapi_ch_smprintf("%s%s%s",
                                                rdn, pdn?",":"", pdn?pdn:"");
                         slapi_ch_free_string(&pdn);
                     }
                     /* dn is not dup'ed in slapi_sdn_new_dn_byref.
                      * It's set to bdn and put in the dn cache. */
-                    sdn = slapi_sdn_new_dn_byref(dn);
+                    sdn = slapi_sdn_new_normdn_byref(normdn);
                     bdn = backdn_init(sdn, temp_id, 0);
                     CACHE_ADD( &inst->inst_dncache, bdn, NULL );
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, "ldbm2index",
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache\n", dn);
+                                    "and set to dn cache\n", normdn);
                 }
-                e = slapi_str2entry_ext(dn, data.dptr, 
+                e = slapi_str2entry_ext(normdn, data.dptr, 
                                         SLAPI_STR2ENTRY_NO_ENTRYDN);
                 slapi_ch_free_string(&rdn);
             }
@@ -1283,7 +1287,7 @@ upgradedn_producer(void *param)
     struct upgradedn_attr *ud_ptr = NULL;
     Slapi_Attr *ud_attr = NULL;
     char *ecopy = NULL;
-    char *dn = NULL;
+    const char *normdn = NULL;
/* vars for Berkeley DB */
     DB_ENV *env = NULL;
@@ -1384,7 +1388,7 @@ upgradedn_producer(void *param)
         ecopy = (char *)slapi_ch_malloc(data.dsize + 1);
         memcpy(ecopy, data.dptr, data.dsize);
         *(ecopy + data.dsize) = '\0';
-        dn = NULL;
+        normdn = NULL;
         doit = 0;
         if (entryrdn_get_switch()) {
             char *rdn = NULL;
@@ -1400,10 +1404,11 @@ upgradedn_producer(void *param)
                                   dncache_find_id(&inst->inst_dncache, temp_id);
                 if (bdn) {
                     /* don't free dn */
-                    dn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
+                    normdn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                 } else {
-                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &dn, NULL);
+                    rc = entryrdn_lookup_dn(be, rdn, temp_id,
+                                            (char **)&normdn, NULL);
                     if (rc) {
                         /* We cannot use the entryrdn index;
                          * Compose dn from the entries in id2entry */
@@ -1446,21 +1451,21 @@ upgradedn_producer(void *param)
                                 continue;
                             }
                         }
-                        dn = slapi_ch_smprintf("%s%s%s",
+                        normdn = slapi_ch_smprintf("%s%s%s",
                                                rdn, pdn?",":"", pdn?pdn:"");
                         slapi_ch_free_string(&pdn);
                     }
                     /* dn is not dup'ed in slapi_sdn_new_dn_byref.
                      * It's set to bdn and put in the dn cache. */
-                    sdn = slapi_sdn_new_dn_byref(dn);
+                    sdn = slapi_sdn_new_normdn_byref(normdn);
                     bdn = backdn_init(sdn, temp_id, 0);
                     CACHE_ADD( &inst->inst_dncache, bdn, NULL );
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, "ldbm2index",
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache\n", dn);
+                                    "and set to dn cache\n", normdn);
                 }
-                e = slapi_str2entry_ext(dn, data.dptr, 
+                e = slapi_str2entry_ext(normdn, data.dptr, 
                                         SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT);
                 slapi_ch_free_string(&rdn);
             }
@@ -1485,23 +1490,13 @@ upgradedn_producer(void *param)
          * SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT
          * -- normalize it with the new format
          */
-        if (!dn) {
-            get_value_from_string((const char *)ecopy, "dn", &dn);
+        if (!normdn) {
+            get_value_from_string((const char *)ecopy, "dn", (char **)&normdn);
         }
-        if (dn) {
-            char *dest = NULL;
-            size_t dest_len = 0;
-
-            rc = slapi_dn_normalize_ext(dn, strlen(dn), &dest, &dest_len);
-            if (rc > 0) {
-                slapi_ch_free_string(&dn);
-                dn = dest;
-            } else {
-                *(dn + dest_len) = '\0'; /* src is passed in; 
-                                             it's possible dn_len < dest_len */
-            }
+        if (normdn) {
             slapi_sdn_done(&(e->e_sdn));
-            slapi_sdn_init_dn_passin(&(e->e_sdn), dn);
+            slapi_sdn_init_dn_passin(&(e->e_sdn), normdn);
+            normdn = slapi_sdn_get_dn(&(e->e_sdn));
         }
/* From here, e != NULL */
@@ -1559,7 +1554,7 @@ upgradedn_producer(void *param)
                 if (rc) {
                     LDAPDebug(LDAP_DEBUG_ANY, "%s: Failed to add rdn values "
                               "to an entry: %s (id %lu)\n",
-                              inst->inst_name, dn, (u_long)temp_id);
+                              inst->inst_name, normdn, (u_long)temp_id);
                     slapi_entry_free(e); e = NULL;
                     continue;
                 }
@@ -1636,7 +1631,7 @@ upgradedn_producer(void *param)
                                 LDAPDebug(LDAP_DEBUG_ANY,
                                           "%s: Failed to add rdn values "
                                           "to an entry: %s (id %lu)\n",
-                                          inst->inst_name, dn, (u_long)temp_id);
+                                          inst->inst_name, normdn, (u_long)temp_id);
                                 slapi_entry_free(e); e = NULL;
                                 continue;
                             }
@@ -2251,12 +2246,11 @@ import_foreman(void *param)
                 char *new_dn = NULL;
                 char *orig_dn = 
                       slapi_ch_strdup(slapi_entry_get_dn(fi->entry->ep_entry));
-                int rc = 0;
                 nsuniqueid = attrlist_find(fi->entry->ep_entry->e_attrs,
                                            "nsuniqueid");
                 if (nsuniqueid) {
                     Slapi_Value *uival = NULL;
-                    rc = slapi_attr_first_value(nsuniqueid, &uival);
+                    slapi_attr_first_value(nsuniqueid, &uival);
                     uuidstr = slapi_value_get_string(uival);
                 } else {
                     import_log_notice(job, "ERROR: Failed to get nsUniqueId "
@@ -3453,9 +3447,8 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
 {
     int rc = -1;
     struct backdn *bdn = NULL;
-    struct ldbminfo  *li = NULL;
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    char *normdn = NULL;
if (!entryrdn_get_switch()) { /* entryrdn specific function */
         return rc;
@@ -3466,7 +3459,6 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
                         NULL==inst?"inst":"srdn");
         return rc;
     }
-    li = inst->inst_li;
/* first, try the dn cache */
     bdn = dncache_find_id(&inst->inst_dncache, id);
@@ -3563,8 +3555,8 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
             }
         }
-        dn = NULL;
-        rc = slapi_rdn_get_dn(&mysrdn, &dn);
+        normdn = NULL;
+        rc = slapi_rdn_get_dn(&mysrdn, &normdn);
         if (rc) {
             LDAPDebug2Args( LDAP_DEBUG_ANY,
                                 "import_get_and_add_parent_rdns: "
@@ -3572,7 +3564,7 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
                                 "from Slapi_RDN\n", rdn, id);
             goto bail;
         }
-        e = slapi_str2entry_ext(dn, data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN);
+        e = slapi_str2entry_ext(normdn, data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN);
         (*curr_entry)++;
         rc = index_set_entry_to_fifo(info, e, id, total_id, *curr_entry);
         if (rc) {
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index c8be27a..08218ad 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -874,7 +874,7 @@ index_read_ext_allids(
    	(0 == PL_strcasecmp(basetype, LDBM_ENTRYDN_STR))) {
    	int rc = 0;
    	ID id = 0;
-		Slapi_DN sdn = {0};
+		Slapi_DN sdn;
/* We don't need these values... */
    	index_free_prefix( prefix );
diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
index 74a01a8..0217e96 100644
--- a/ldap/servers/slapd/back-ldbm/instance.c
+++ b/ldap/servers/slapd/back-ldbm/instance.c
@@ -141,6 +141,7 @@ int ldbm_instance_create(backend *be, char *name)
     goto done;
error:
+    slapi_ch_free_string(&inst->inst_name);
     slapi_ch_free((void**)&inst);
done:
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index 5ade337..0fd612b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -79,7 +79,7 @@ ldbm_back_add( Slapi_PBlock *pb )
    backend *be;
    struct ldbminfo *li;
    ldbm_instance *inst;
-	char *dn = NULL;
+	const char *dn = NULL;
    Slapi_Entry	*e = NULL;
    struct backentry *tombstoneentry = NULL;
    struct backentry *addingentry = NULL;
@@ -105,7 +105,7 @@ ldbm_back_add( Slapi_PBlock *pb )
    int addingentry_id_assigned= 0;
    int addingentry_in_cache= 0;
    int tombstone_in_cache= 0;
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
    Slapi_DN parentsdn;
    Slapi_Operation *operation;
    int dblock_acquired= 0;
@@ -134,7 +134,6 @@ ldbm_back_add( Slapi_PBlock *pb )
    inst = (ldbm_instance *) be->be_instance_info;
    	
    /* sdn & parentsdn need to be initialized before "goto *_return" */
-	slapi_sdn_init(&sdn);
    slapi_sdn_init(&parentsdn);
    
    /* Get rid of ldbm backend attributes that you are not allowed to specify yourself */
@@ -195,17 +194,21 @@ ldbm_back_add( Slapi_PBlock *pb )
    	{
    		/* Check if an entry with the intended uniqueid already exists. */
    		done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_UNIQUEID_ENTRY); /* Could be through this multiple times */
-			addr.dn = addr.udn = NULL;
+			addr.udn = NULL;
+			addr.sdn = NULL;
    		addr.uniqueid = (char*)slapi_entry_get_uniqueid(e); /* jcm -  cast away const */
    		ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_EXISTING_UNIQUEID_ENTRY, !is_replicated_operation);
    	}
    	if(slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_EXISTING_DN_ENTRY))
    	{
-			slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-			if (NULL == dn)
+			slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn );
+			if (NULL == sdn)
    		{
+				LDAPDebug0Args(LDAP_DEBUG_ANY,
+				               "ldbm_back_add: Null target dn\n");
    			goto error_return;
    		}
+			dn = slapi_sdn_get_dn(sdn);
    		ldap_result_code = slapi_dn_syntax_check(pb, dn, 1);
    		if (ldap_result_code)
    		{
@@ -213,11 +216,10 @@ ldbm_back_add( Slapi_PBlock *pb )
    			slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
    			goto error_return;
    		}
-			slapi_sdn_set_dn_byref(&sdn, dn);
-			slapi_sdn_get_backend_parent(&sdn,&parentsdn,pb->pb_backend);
+			slapi_sdn_get_backend_parent(sdn, &parentsdn, pb->pb_backend);
    		/* Check if an entry with the intended DN already exists. */
    		done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_DN_ENTRY); /* Could be through this multiple times */
-			addr.dn = dn;
+			addr.sdn = sdn;
    		addr.udn = NULL;
    		addr.uniqueid = NULL;
    		ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_EXISTING_DN_ENTRY, !is_replicated_operation);
@@ -233,7 +235,7 @@ ldbm_back_add( Slapi_PBlock *pb )
    	   slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_PARENT_ENTRY))
    	{
    		done_with_pblock_entry(pb,SLAPI_ADD_PARENT_ENTRY); /* Could be through this multiple times */
-			addr.dn = (char*)slapi_sdn_get_dn (&parentsdn); /* get_copy_of_entry assumes the DN is not normalized */
+			addr.sdn = &parentsdn;
    		addr.udn = NULL;
    		addr.uniqueid = operation->o_params.p.p_add.parentuniqueid;
    		ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_PARENT_ENTRY, !is_replicated_operation);
@@ -273,7 +275,7 @@ ldbm_back_add( Slapi_PBlock *pb )
     */
    if(have_parent_address(&parentsdn, operation->o_params.p.p_add.parentuniqueid))
    {
-		addr.dn = (char*)slapi_sdn_get_dn (&parentsdn);
+		addr.sdn = &parentsdn;
    	addr.udn = NULL;
    	addr.uniqueid = operation->o_params.p.p_add.parentuniqueid;
    	parententry = find_entry2modify_only(pb,be,&addr,&txn);
@@ -311,10 +313,11 @@ ldbm_back_add( Slapi_PBlock *pb )
    		if ( !managedsait && !is_tombstone_operation )
    		{
    			int err= 0;
-				Slapi_DN ancestordn= {0};
+				Slapi_DN ancestorsdn;
    			struct backentry *ancestorentry;
-				ancestorentry= dn2ancestor(pb->pb_backend,&sdn,&ancestordn,&txn,&err);
-				slapi_sdn_done(&ancestordn);
+				slapi_sdn_init(&ancestorsdn);
+				ancestorentry= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,&txn,&err);
+				slapi_sdn_done(&ancestorsdn);
    			if ( ancestorentry != NULL )
    			{
    				int sentreferral= check_entry_for_referral(pb, ancestorentry->ep_entry, backentry_get_ndn(ancestorentry), "ldbm_back_add");
@@ -355,7 +358,8 @@ ldbm_back_add( Slapi_PBlock *pb )
    	 * When we resurect a tombstone we must use its UniqueID
    	 * to find the tombstone entry and lock it down in the cache.
    	 */
-		addr.dn = addr.udn = NULL;
+		addr.udn = NULL;
+		addr.sdn = NULL;
    	addr.uniqueid = (char *)slapi_entry_get_uniqueid(e); /* jcm - cast away const */
    	tombstoneentry = find_entry2modify( pb, be, &addr, &txn );
    	if ( tombstoneentry==NULL )
@@ -368,7 +372,7 @@ ldbm_back_add( Slapi_PBlock *pb )
    	addingentry = backentry_dup( tombstoneentry );
    	if ( addingentry==NULL )
    	{
-		   	ldap_result_code= LDAP_OPERATIONS_ERROR;
+			ldap_result_code= LDAP_OPERATIONS_ERROR;
    		goto error_return;
    	}
    	/*
@@ -378,9 +382,12 @@ ldbm_back_add( Slapi_PBlock *pb )
    	 * The entry comes back to life as a Glue entry, so we add the
    	 * magic objectclass.
    	 */
-		slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-		slapi_sdn_set_dn_byref(&sdn, dn);
-		slapi_entry_set_dn(addingentry->ep_entry, slapi_ch_strdup(dn)); /* The DN is passed into the entry. */
+		if (NULL == sdn) {
+			LDAPDebug0Args(LDAP_DEBUG_ANY, "ldbm_back_add: Null target dn\n");
+			goto error_return;
+		}
+		dn = slapi_sdn_get_dn(sdn);
+		slapi_entry_set_sdn(addingentry->ep_entry, sdn); /* The DN is passed into the entry. */
    	/* LPREPL: the DN is normalized...Somehow who should get a not normalized one */
    	addingentry->ep_id = slapi_entry_attr_get_ulong(addingentry->ep_entry,"entryid");
    	slapi_entry_attr_delete(addingentry->ep_entry, SLAPI_ATTR_VALUE_PARENT_UNIQUEID);
@@ -541,19 +548,20 @@ ldbm_back_add( Slapi_PBlock *pb )
    	{
    		/* Here means that we didn't find the parent */
    		int err = 0;
-			Slapi_DN ancestordn= {0};
+			Slapi_DN ancestorsdn;
    		struct backentry *ancestorentry;
LDAPDebug( LDAP_DEBUG_TRACE,
    			"parent does not exist, pdn = %s\n",
    			slapi_sdn_get_dn(&parentsdn), 0, 0 );
-			ancestorentry = dn2ancestor(be, &parentsdn, &ancestordn, &txn, &err );
+			slapi_sdn_init(&ancestorsdn);
+			ancestorentry = dn2ancestor(be, &parentsdn, &ancestorsdn, &txn, &err );
    		CACHE_RETURN( &inst->inst_cache, &ancestorentry );
ldap_result_code= LDAP_NO_SUCH_OBJECT;
-			ldap_result_matcheddn= slapi_ch_strdup((char *)slapi_sdn_get_dn(&ancestordn)); /* jcm - cast away const. */
-			slapi_sdn_done(&ancestordn);
+			ldap_result_matcheddn= slapi_ch_strdup((char *)slapi_sdn_get_dn(&ancestorsdn)); /* jcm - cast away const. */
+			slapi_sdn_done(&ancestorsdn);
    		goto error_return;
    	}
    	ldap_result_code = plugin_call_acl_plugin (pb, e, NULL, NULL, SLAPI_ACL_ADD, 
@@ -742,7 +750,11 @@ ldbm_back_add( Slapi_PBlock *pb )
    			}
    			goto error_return; 
    		}
-			retval = index_addordel_string(be,SLAPI_ATTR_NSCP_ENTRYDN,slapi_sdn_get_ndn(&sdn),addingentry->ep_id,BE_INDEX_DEL,&txn);
+			retval = index_addordel_string(be,
+			                               SLAPI_ATTR_NSCP_ENTRYDN,
+			                               slapi_sdn_get_ndn(sdn),
+			                               addingentry->ep_id,
+			                               BE_INDEX_DEL, &txn);
    		if (DB_LOCK_DEADLOCK == retval) {
    			LDAPDebug( LDAP_DEBUG_ARGS, "add 4 DB_LOCK_DEADLOCK\n", 0, 0, 0 );
    			/* Retry txn */
@@ -1011,7 +1023,6 @@ common_return:
    {
    	slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL );
    }
-	slapi_sdn_done(&sdn);
    slapi_sdn_done(&parentsdn);
    slapi_ch_free( (void**)&ldap_result_matcheddn );
    slapi_ch_free( (void**)&errbuf );
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 558e1e9..b179591 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -1344,20 +1344,21 @@ void ldbm_config_setup_default(struct ldbminfo *li)
     }
 }
-void
+int
 ldbm_config_read_instance_entries(struct ldbminfo *li, const char *backend_type)
 {
     Slapi_PBlock *tmp_pb;
     Slapi_Entry **entries = NULL;
     char *basedn = NULL;
+    int rc = 0;
/* Construct the base dn of the subtree that holds the instance entries. */
     basedn = slapi_create_dn_string("cn=%s,cn=plugins,cn=config", backend_type);
     if (NULL == basedn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "ldbm_config_read_instance_entries: "
-                      "failed create backend dn for %s\n", backend_type);
-        return;
+                      "failed to create backend dn for %s\n", backend_type);
+        return 1;
     }
/* Do a search of the subtree containing the instance entries */
@@ -1368,13 +1369,24 @@ ldbm_config_read_instance_entries(struct ldbminfo *li, const char *backend_type)
     if (entries!=NULL) {
         int i;
         for (i=0; entries[i]!=NULL; i++) {
-            ldbm_instance_add_instance_entry_callback(NULL, entries[i], NULL, NULL, NULL, li);
+            rc = ldbm_instance_add_instance_entry_callback(NULL,
+                                             entries[i], NULL, NULL, NULL, li);
+            if (SLAPI_DSE_CALLBACK_ERROR == rc) {
+                LDAPDebug1Arg(LDAP_DEBUG_ANY,
+                      "ldbm_config_read_instance_entries: "
+                      "failed to add instance entry %s\n", 
+                      slapi_entry_get_dn_const(entries[i]));
+                break;
+            }
+            rc = 0;
         }
     }
slapi_free_search_results_internal(tmp_pb);
     slapi_pblock_destroy(tmp_pb);
     slapi_ch_free_string(&basedn);
+
+    return rc;
 }
/* Reads in any config information held in the dse for the ldbm plugin.  
@@ -1453,7 +1465,13 @@ int ldbm_config_load_dse_info(struct ldbminfo *li)
/* Find all the instance entries and create a Slapi_Backend and an
      * ldbm_instance for each */
-    ldbm_config_read_instance_entries(li, li->li_plugin->plg_name);
+    rval = ldbm_config_read_instance_entries(li, li->li_plugin->plg_name);
+    if (rval) {
+        LDAPDebug0Args(LDAP_DEBUG_ANY,
+                       "ldbm_config_load_dse_info: "
+                       "failed to read instance entries\n");
+        goto bail;
+    }
/* setup the dse callback functions for the ldbm backend config entry */
     slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
@@ -1473,7 +1491,7 @@ int ldbm_config_load_dse_info(struct ldbminfo *li)
     if (NULL == dn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "ldbm_config_load_dse_info: "
-                      "failed create monitor dn for %s\n",
+                      "failed to create monitor dn for %s\n",
                       li->li_plugin->plg_name); 
         rval = 1;
         goto bail;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index 40aed48..c1f1142 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -76,6 +76,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
    int ldap_result_code= LDAP_SUCCESS;
    char *ldap_result_message= NULL;
    Slapi_DN sdn;
+	Slapi_DN *sdnp = NULL;
    char *e_uniqueid = NULL;
    Slapi_DN *nscpEntrySDN = NULL;
    int dblock_acquired= 0;
@@ -97,13 +98,13 @@ ldbm_back_delete( Slapi_PBlock *pb )
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
    slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
-	slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdnp );
    slapi_pblock_get( pb, SLAPI_TARGET_ADDRESS, &addr);
    slapi_pblock_get( pb, SLAPI_TXN, (void**)&parent_txn );
    slapi_pblock_get( pb, SLAPI_OPERATION, &operation );
    slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation );
    
-	/* sdn & parentsdn need to be initialized before "goto *_return */
+	/* sdn needs to be initialized before "goto *_return */
    slapi_sdn_init(&sdn);
/* dblayer_txn_init needs to be called before "goto error_return" */
@@ -122,7 +123,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
    	/* retval is -1 */
    	goto error_return;
    }
-	ldap_result_code = slapi_dn_syntax_check(pb, addr->dn, 1);
+	ldap_result_code = slapi_dn_syntax_check(pb, slapi_sdn_get_dn(sdnp), 1);
    if (ldap_result_code)
    {
    	ldap_result_code = LDAP_INVALID_DN_SYNTAX;
@@ -137,7 +138,10 @@ ldbm_back_delete( Slapi_PBlock *pb )
    
    inst = (ldbm_instance *) be->be_instance_info;
-	slapi_sdn_init_dn_byref(&sdn,dn);
+	if (NULL == sdnp) {
+		slapi_sdn_init_normdn_byref(&sdn, dn);
+		sdnp = &sdn;
+	}
/* The dblock serializes writes to the database,
     * which reduces deadlocking in the db code,
@@ -318,13 +322,13 @@ ldbm_back_delete( Slapi_PBlock *pb )
        Slapi_DN parentsdn;
slapi_sdn_init(&parentsdn);
-		slapi_sdn_get_backend_parent(&sdn,&parentsdn,pb->pb_backend);
+		slapi_sdn_get_backend_parent(sdnp, &parentsdn, pb->pb_backend);
     	if ( !slapi_sdn_isempty(&parentsdn) )
    	{
     		struct backentry *parent = NULL;
    		entry_address parent_addr;
-			parent_addr.dn = (char*)slapi_sdn_get_dn (&parentsdn);
+			parent_addr.sdn = &parentsdn;
    		parent_addr.uniqueid = NULL;
     		parent = find_entry2modify_only(pb,be,&parent_addr,&txn);
     		if (NULL != parent) {
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 2f1e648..54f22a3 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -445,7 +445,7 @@ entryrdn_rename_subtree(backend *be,
         slapi_log_error(SLAPI_LOG_FATAL, ENTRYRDN_TAG,
                 "entryrdn_rename_subtree: Param error: Empty %s\n",
                 NULL==be?"backend":NULL==oldsdn?"old dn":
-                (NULL==mynewsrdn&&NULL==mynewsupsdn)?"new dn and new superior":
+                (NULL==newsrdn&&NULL==newsupsdn)?"new dn and new superior":
                 0==id?"id":"unknown");
         goto bail;
     }
@@ -1015,7 +1015,6 @@ entryrdn_lookup_dn(backend *be,
     char *nrdn = NULL;
     size_t nrdn_len = 0;
     ID workid = id; /* starting from the given id */
-    ID previd = id;
     rdn_elem *elem = NULL;
     int maybesuffix = 0;
@@ -1111,7 +1110,6 @@ retry_get1:
         }
/* Iterate over the duplicates to get the direct child's ID */
-        previd = workid;
         workid = 0;
         if (maybesuffix) {
             /* it is a suffix, indeed.  done. */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index 7709cfb..88b20d0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -773,8 +773,8 @@ ldbm_instance_modify_config_entry_callback(Slapi_PBlock *pb, Slapi_Entry* entryB
             if (strcasecmp(attr_name, CONFIG_INSTANCE_SUFFIX) == 0) {
                 /* naughty naughty, we don't allow this */
                 rc = LDAP_UNWILLING_TO_PERFORM;
-		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
-			"Can't change the root suffix of a backend");
+                PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+                            "Can't change the root suffix of a backend");
                 LDAPDebug(LDAP_DEBUG_ANY,
                           "ldbm: modify attempted to change the root suffix "
                           "of a backend (which is not allowed)\n",
@@ -841,10 +841,13 @@ static int ldbm_instance_generate(struct ldbminfo *li, char *instance_name,
     new_be = slapi_be_new(LDBM_DATABASE_TYPE_NAME /* type */, instance_name, 
                           0 /* public */, 1 /* do log changes */);
     new_be->be_database = li->li_plugin;
-    ldbm_instance_create(new_be, instance_name);
+    rc = ldbm_instance_create(new_be, instance_name);
+    if (rc) {
+        goto bail;
+    }
ldbm_instance_config_load_dse_info(new_be->be_instance_info);
-    rc = ldbm_instance_create_default_indexes(new_be);
+    ldbm_instance_create_default_indexes(new_be);
/* if USN plugin is enabled, set slapi_counter */
     if (plugin_enabled("USN", li->li_identity) && ldbm_back_isinitialized()) {
@@ -867,7 +870,7 @@ static int ldbm_instance_generate(struct ldbminfo *li, char *instance_name,
     if (ret_be != NULL) {
         *ret_be = new_be;
     }
-
+bail:
     return rc;
 }
@@ -881,7 +884,13 @@ ldbm_instance_postadd_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry* ent
     int rval = 0;
parse_ldbm_instance_entry(entryBefore, &instance_name);
-    ldbm_instance_generate(li, instance_name, &be);
+    rval = ldbm_instance_generate(li, instance_name, &be);
+    if (rval) {
+        LDAPDebug(LDAP_DEBUG_ANY,
+            "ldbm_instance_postadd_instance_entry_callback: "
+            "ldbm_instance_generate (%s) failed (%d)\n",
+            instance_name, rval, 0);
+    }
inst = ldbm_instance_find_by_name(li, instance_name);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index ff2fc97..1a85e14 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -244,7 +244,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
    {
    	goto error_return;
    }
-	ldap_result_code = slapi_dn_syntax_check(pb, addr->dn, 1);
+	ldap_result_code = slapi_dn_syntax_check(pb, slapi_sdn_get_dn(addr->sdn), 1);
    if (ldap_result_code)
    {
    	ldap_result_code = LDAP_INVALID_DN_SYNTAX;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index bcbe9c7..493e476 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -90,10 +90,10 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     IDList *children= NULL;
     struct backentry **child_entries = NULL;
     struct backdn **child_dns = NULL;
-    Slapi_DN dn_olddn = {0};
-    Slapi_DN dn_newdn = {0};
-    Slapi_DN dn_newrdn = {0};
-    Slapi_DN dn_newsuperiordn = {0};
+    Slapi_DN *sdn = NULL;
+    Slapi_DN dn_newdn;
+    Slapi_DN dn_newrdn;
+    Slapi_DN *dn_newsuperiordn = NULL;
     Slapi_DN dn_parentdn;
     int rc;
     int isroot;
@@ -109,15 +109,15 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     entry_address *old_addr;
     entry_address oldparent_addr;
     entry_address *newsuperior_addr;
-    char *dn;
     char ebuf[BUFSIZ];
     CSN *opcsn = NULL;
/* sdn & parentsdn need to be initialized before "goto *_return" */
     slapi_sdn_init(&dn_newdn);
+    slapi_sdn_init(&dn_newrdn);
     slapi_sdn_init(&dn_parentdn);
-    slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn );
+    slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
     slapi_pblock_get( pb, SLAPI_BACKEND, &be);
     slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
     slapi_pblock_get( pb, SLAPI_TXN, (void**)&parent_txn );
@@ -127,6 +127,12 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
     is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
+    if (NULL == sdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                                "Null target DN", 0, NULL );
+        return( -1 );
+    } 
+
     /* dblayer_txn_init needs to be called before "goto error_return" */
     dblayer_txn_init(li,&txn);
     /* the calls to search for entries require the parent txn if any
@@ -140,23 +146,21 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
inst = (ldbm_instance *) be->be_instance_info;
     {
-        char *newrdn, *newsuperiordn;
+        char *newrdn/* , *newsuperiordn */;
         slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
-        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn );
-        slapi_sdn_init_dn_byref(&dn_olddn,dn);
-        slapi_sdn_init_dn_byref(&dn_newrdn,newrdn);
-        slapi_sdn_init_dn_byref(&dn_newsuperiordn,newsuperiordn);
-        slapi_sdn_get_parent(&dn_olddn,&dn_parentdn);
+        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &dn_newsuperiordn );
+        slapi_sdn_init_normdn_byref(&dn_newrdn, newrdn);
+        /* slapi_sdn_init_normdn_byref(&dn_newsuperiordn, newsuperiordn); */
+        slapi_sdn_get_parent(sdn, &dn_parentdn);
     }
/* if old and new superior are equals, newsuperior should not be set
      * Here we have to reset newsuperiordn in order to save processing and 
      * avoid later deadlock when trying to fetch twice the same entry
      */
-    if (slapi_sdn_compare(&dn_newsuperiordn, &dn_parentdn) == 0)
+    if (slapi_sdn_compare(dn_newsuperiordn, &dn_parentdn) == 0)
     {
-        slapi_sdn_done(&dn_newsuperiordn);
-        slapi_sdn_init_dn_byref(&dn_newsuperiordn,NULL);
+        slapi_sdn_done(dn_newsuperiordn);
     }
/* 
@@ -164,7 +168,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * Replicated Operations are allowed to change the superior
      */
     if ( !entryrdn_get_switch() &&
-         (!is_replicated_operation && !slapi_sdn_isempty(&dn_newsuperiordn))) 
+         (!is_replicated_operation && !slapi_sdn_isempty(dn_newsuperiordn))) 
     {
         slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
                       "server does not support moving of entries", 0, NULL );
@@ -213,14 +217,15 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
/* see if an entry with the new name already exists */
             done_with_pblock_entry(pb,SLAPI_MODRDN_EXISTING_ENTRY); /* Could be through this multiple times */
-            slapi_sdn_done(&dn_newrdn);
             slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
-            slapi_sdn_init_dn_byref(&dn_newrdn,newrdn);
-            newdn= moddn_get_newdn(pb,&dn_olddn,&dn_newrdn,&dn_newsuperiordn);
+            slapi_sdn_init_normdn_byref(&dn_newrdn, newrdn);
+            newdn= moddn_get_newdn(pb,sdn, &dn_newrdn, dn_newsuperiordn);
             slapi_sdn_set_dn_passin(&dn_newdn,newdn);
-            new_addr.dn = (char*)slapi_sdn_get_ndn (&dn_newdn);
+            new_addr.sdn = &dn_newdn;
+            new_addr.udn = NULL;
             /* check dn syntax on newdn */
-            ldap_result_code = slapi_dn_syntax_check(pb, new_addr.dn, 1);
+            ldap_result_code = slapi_dn_syntax_check(pb,
+                                           (char *)slapi_sdn_get_ndn(&dn_newdn), 1);
             if (ldap_result_code)
             {
                 ldap_result_code = LDAP_INVALID_DN_SYNTAX;
@@ -241,23 +246,22 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         {
             /* find and lock the old parent entry */
             done_with_pblock_entry(pb,SLAPI_MODRDN_PARENT_ENTRY); /* Could be through this multiple times */
-            oldparent_addr.dn = (char*)slapi_sdn_get_ndn (&dn_parentdn);
+            oldparent_addr.sdn = &dn_parentdn;
             oldparent_addr.uniqueid = NULL;            
             ldap_result_code= get_copy_of_entry(pb, &oldparent_addr, &txn, SLAPI_MODRDN_PARENT_ENTRY, !is_replicated_operation);
         }
/* <new superior> */
-        if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL &&
+        if(slapi_sdn_get_ndn(dn_newsuperiordn)!=NULL &&
            slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_NEWPARENT_ENTRY))
         {
             /* find and lock the new parent entry */
             done_with_pblock_entry(pb,SLAPI_MODRDN_NEWPARENT_ENTRY); /* Could be through this multiple times */
             /* Check that this really is a new superior, 
              * and not the same old one. Compare parentdn & newsuperior */
-            if (slapi_sdn_compare(&dn_newsuperiordn, &dn_parentdn) == 0)
+            if (slapi_sdn_compare(dn_newsuperiordn, &dn_parentdn) == 0)
             {
-                slapi_sdn_done(&dn_newsuperiordn);
-                slapi_sdn_init_dn_byref(&dn_newsuperiordn,NULL);
+                slapi_sdn_done(dn_newsuperiordn);
             }
             else
             {
@@ -271,7 +275,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
                 }
                 else
                 {
-                    my_addr.dn = (char *)slapi_sdn_get_ndn (&dn_newsuperiordn);
+                    my_addr.sdn = dn_newsuperiordn;
                     my_addr.uniqueid = NULL;
                     newsuperior_addr = &my_addr;
                 }
@@ -329,7 +333,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         if((entry != NULL) && 
             /* allow modrdn even if the src dn and dest dn are identical */
            (0 != slapi_sdn_compare((const Slapi_DN *)&dn_newdn,
-                                   (const Slapi_DN *)&dn_olddn)))
+                                   (const Slapi_DN *)sdn)))
         {
             ldap_result_code= LDAP_ALREADY_EXISTS;
             goto error_return;
@@ -337,13 +341,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     }
/* Fetch and lock the parent of the entry that is moving */
-    oldparent_addr.dn = (char*)slapi_sdn_get_dn (&dn_parentdn);
+    oldparent_addr.sdn = &dn_parentdn;
     oldparent_addr.uniqueid = NULL;            
     parententry = find_entry2modify_only( pb, be, &oldparent_addr, &txn );
     modify_init(&parent_modify_context,parententry);
/* Fetch and lock the new parent of the entry that is moving */            
-    if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL)
+    if(slapi_sdn_get_ndn(dn_newsuperiordn) != NULL)
     {
         slapi_pblock_get (pb, SLAPI_MODRDN_NEWSUPERIOR_ADDRESS, &newsuperior_addr);
         newparententry = find_entry2modify_only( pb, be, newsuperior_addr, &txn );
@@ -376,37 +380,46 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * instead.  Otherwise, a ModRDN operation will potentially change an
      * entry's entire DN (at least with respect to case and spacing).
      */
-    slapi_sdn_copy( slapi_entry_get_sdn_const( e->ep_entry ), &dn_olddn );
+    slapi_sdn_copy( slapi_entry_get_sdn_const( e->ep_entry ), sdn );
+    slapi_pblock_set( pb, SLAPI_MODRDN_TARGET_SDN, sdn );
     if (newparententry != NULL) {
         /* don't forget we also want to preserve case of new superior */
-        slapi_sdn_copy(slapi_entry_get_sdn_const(newparententry->ep_entry), &dn_newsuperiordn);
+        if (NULL == dn_newsuperiordn) {
+            dn_newsuperiordn = slapi_sdn_dup(
+                           slapi_entry_get_sdn_const(newparententry->ep_entry));
+        } else {
+            slapi_sdn_copy(slapi_entry_get_sdn_const(newparententry->ep_entry),
+                           dn_newsuperiordn);
+        }
+        slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, dn_newsuperiordn );
     }
     slapi_sdn_set_dn_passin(&dn_newdn,
-            moddn_get_newdn(pb, &dn_olddn, &dn_newrdn, &dn_newsuperiordn));
+                        moddn_get_newdn(pb, sdn, &dn_newrdn, dn_newsuperiordn));
/* Check that we're allowed to add an entry below the new superior */
     if ( newparententry == NULL )
     {
         /* There may not be a new parent because we don't intend there to be one. */
-        if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL)
+        if(slapi_sdn_get_ndn(dn_newsuperiordn)!=NULL)
         {
             /* If the new entry is to be a suffix, and we're root, then it's OK that the new parent doesn't exist */
-            if(!(slapi_dn_isbesuffix(pb,slapi_sdn_get_ndn(&dn_newdn)) && isroot))
+            if (!(slapi_be_issuffix(pb->pb_backend, &dn_newdn)) && isroot)
             {
                 /* Here means that we didn't find the parent */
                 int err = 0;
-                Slapi_DN ancestordn = {0};
+                Slapi_DN ancestorsdn;
                 struct backentry *ancestorentry;
-                ancestorentry= dn2ancestor(be,&dn_newdn,&ancestordn,&txn,&err);
+				slapi_sdn_init(&ancestorsdn);
+                ancestorentry= dn2ancestor(be,&dn_newdn,&ancestorsdn,&txn,&err);
                 CACHE_RETURN( &inst->inst_cache, &ancestorentry );
-                ldap_result_matcheddn= slapi_ch_strdup((char *) slapi_sdn_get_dn(&ancestordn));
+                ldap_result_matcheddn= slapi_ch_strdup((char *) slapi_sdn_get_dn(&ancestorsdn));
                 ldap_result_code= LDAP_NO_SUCH_OBJECT;
                 LDAPDebug( LDAP_DEBUG_TRACE, "ldbm_back_modrdn: New superior "
                             "does not exist matched %s, newsuperior = %s\n", 
                             ldap_result_matcheddn == NULL ? "NULL" :
                             ldap_result_matcheddn,
-                            slapi_sdn_get_ndn(&dn_newsuperiordn), 0 );
-                slapi_sdn_done(&ancestordn);
+                            slapi_sdn_get_ndn(dn_newsuperiordn), 0 );
+                slapi_sdn_done(&ancestorsdn);
                 goto error_return;
                }
         }
@@ -426,7 +439,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     if ( parententry == NULL )
     {
         /* If the entry a suffix, and we're root, then it's OK that the parent doesn't exist */
-        if(!(slapi_dn_isbesuffix(pb,slapi_sdn_get_ndn(&dn_olddn)) && isroot))
+        if (!(slapi_be_issuffix(pb->pb_backend, sdn)) && isroot)
         {
             /* Here means that we didn't find the parent */
             ldap_result_matcheddn = "NULL";
@@ -485,7 +498,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     if (( cache_add_tentative( &inst->inst_cache, ec, NULL ) != 0 ) &&
         /* allow modrdn even if the src dn and dest dn are identical */
         ( 0 != slapi_sdn_compare((const Slapi_DN *)&dn_newdn,
-                                 (const Slapi_DN *)&dn_olddn)) )
+                                 (const Slapi_DN *)sdn)) )
     {
         /* somebody must've created it between dn2entry() and here */
         /* JCMREPL - Hmm... we can't permit this to happen...? */
@@ -498,7 +511,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     {
         slapi_mods_init(&smods_generated,4);
         slapi_mods_init(&smods_generated_wsi,4);
-        ldap_result_code = moddn_newrdn_mods(pb, slapi_sdn_get_ndn(&dn_olddn),
+        ldap_result_code = moddn_newrdn_mods(pb, slapi_sdn_get_ndn(sdn),
                             ec, &smods_generated_wsi, is_replicated_operation);
         if (ldap_result_code != LDAP_SUCCESS) {
             if (ldap_result_code == LDAP_UNWILLING_TO_PERFORM)
@@ -519,7 +532,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /*
          * Update parentid if we have a new superior.
          */
-        if(slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL) {
+        if(slapi_sdn_get_dn(dn_newsuperiordn)!=NULL) {
             char buf[40]; /* Enough for an ID */
if (parententry != NULL) {
@@ -619,7 +632,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * If the entry has a new superior then the subordinate count
      * of the parents must be updated.
      */    
-    if(slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL)
+    if(slapi_sdn_get_dn(dn_newsuperiordn)!=NULL)
     {
         /* 
          * Update the subordinate count of the parents to reflect the moved child.
@@ -652,12 +665,12 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /* JCM - This is where the subtree lock will appear */
         if (entryrdn_get_switch()) /* subtree-rename: on */
         {
-            children = moddn_get_children(&txn, pb, be, e, &dn_olddn,
+            children = moddn_get_children(&txn, pb, be, e, sdn,
                                           &child_entries, &child_dns);
         }
         else
         {
-            children = moddn_get_children(&txn, pb, be, e, &dn_olddn,
+            children = moddn_get_children(&txn, pb, be, e, sdn,
                                           &child_entries, NULL);
         }
@@ -781,7 +794,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
                 }
             }
         }
-        if (slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL)
+        if (slapi_sdn_get_dn(dn_newsuperiordn)!=NULL)
         {
             /* Push out the db modifications from the parent entry */
             retval = modify_update_all(be, pb, &parent_modify_context, &txn);
@@ -826,8 +839,8 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /*
          * Update ancestorid index.
          */
-        if (slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL) {
-            retval = ldbm_ancestorid_move_subtree(be, &dn_olddn, &dn_newdn, e->ep_id, children, &txn);
+        if (slapi_sdn_get_dn(dn_newsuperiordn)!=NULL) {
+            retval = ldbm_ancestorid_move_subtree(be, sdn, &dn_newdn, e->ep_id, children, &txn);
             if (retval != 0) {
                 if (retval == DB_LOCK_DEADLOCK) continue;
                 if (retval == DB_RUNRECOVERY || LDBM_OS_ERR_IS_DISKFULL(retval))
@@ -844,9 +857,8 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         {
             Slapi_RDN newsrdn;
             slapi_rdn_init_sdn(&newsrdn, (const Slapi_DN *)&dn_newdn);
-            rc = entryrdn_rename_subtree(be,
-                                         (const Slapi_DN *)&dn_olddn, &newsrdn,
-                                         (const Slapi_DN *)&dn_newsuperiordn,
+            rc = entryrdn_rename_subtree(be, (const Slapi_DN *)sdn, &newsrdn,
+                                         (const Slapi_DN *)dn_newsuperiordn,
                                          e->ep_id, &txn);
             slapi_rdn_done(&newsrdn);
             if (rc) {
@@ -861,7 +873,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
          */
         if (!entryrdn_get_switch() && children) /* subtree-rename: off */
         {
-            retval= moddn_rename_children(&txn, pb, be, children, &dn_olddn,
+            retval= moddn_rename_children(&txn, pb, be, children, sdn,
                                          &dn_newdn, child_entries);
         }
         if (DB_LOCK_DEADLOCK == retval)
@@ -1100,10 +1112,8 @@ common_return:
     if (ldap_result_matcheddn && 0 != strcmp(ldap_result_matcheddn, "NULL"))
         slapi_ch_free((void**)&ldap_result_matcheddn);
     idl_free(children);
-    slapi_sdn_done(&dn_olddn);
     slapi_sdn_done(&dn_newdn);
     slapi_sdn_done(&dn_newrdn);
-    slapi_sdn_done(&dn_newsuperiordn);
     slapi_sdn_done(&dn_parentdn);
     modify_term(&parent_modify_context,be);
     modify_term(&newparent_modify_context,be);
@@ -1118,7 +1128,8 @@ common_return:
     slapi_ch_free((void**)&errbuf);
     if (retval == 0 && opcsn != NULL && !is_fixup_operation)
     {
-        slapi_pblock_set(pb, SLAPI_URP_NAMING_COLLISION_DN, slapi_ch_strdup (dn));
+        slapi_pblock_set(pb, SLAPI_URP_NAMING_COLLISION_DN, 
+                         slapi_ch_strdup(slapi_sdn_get_dn(sdn)));
     }
     if (pb->pb_conn)
     {
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 66ec886..91b0280 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -159,7 +159,6 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
                          int ldap_result,
                          char* ldap_result_description,
                          int function_result,
-                         Slapi_DN *sdn,
                          struct vlv_request *vlv_request_control,
                          struct backentry *e)
 {
@@ -192,7 +191,6 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
             delete_search_result_set(&sr);
         }
     }
-    slapi_sdn_done(sdn);
     if (vlv_request_control)
     {
         berval_done(&vlv_request_control->value);
@@ -218,8 +216,8 @@ ldbm_back_search( Slapi_PBlock *pb )
     struct ldbminfo *li;
     struct backentry *e;
     IDList *candidates= NULL;
-    char *base;
-    Slapi_DN basesdn;
+    const char *base;
+    Slapi_DN *basesdn = NULL;
     int scope;
     LDAPControl **controls = NULL;
     Slapi_Operation *operation;
@@ -254,7 +252,7 @@ ldbm_back_search( Slapi_PBlock *pb )
     slapi_pblock_get( pb, SLAPI_BACKEND, &be );
     slapi_pblock_get( pb, SLAPI_OPERATION, &operation);
     slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
-    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn );
     slapi_pblock_get( pb, SLAPI_TARGET_ADDRESS, &addr);
     slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
     slapi_pblock_get( pb, SLAPI_REQCONTROLS, &controls );
@@ -263,7 +261,13 @@ ldbm_back_search( Slapi_PBlock *pb )
inst = (ldbm_instance *) be->be_instance_info;
-    slapi_sdn_init_dn_ndn_byref(&basesdn,base);  /* normalized by front end*/
+    if (NULL == basesdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                               "Null target DN", 0, NULL );
+        return( -1 );
+    }
+    base = slapi_sdn_get_dn(basesdn);
+
     /* Initialize the result set structure here because we need to use it during search processing */
     /* Beware that if we exit this routine sideways, we might leak this structure */
     sr = new_search_result_set( NULL, 0, 
@@ -285,8 +289,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 /* Badly formed SORT control */
                 return ldbm_back_search_cleanup(pb, li, sort_control, 
                                 LDAP_PROTOCOL_ERROR, "Sort Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
-                                NULL, NULL);
+                                SLAPI_FAIL_GENERAL, NULL, NULL);
             }
             /* set this operation includes the server side sorting */
             operation->o_flags |= OP_FLAG_SERVER_SIDE_SORTING;
@@ -303,8 +306,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 {
                     /* Badly formed VLV control */
                     return ldbm_back_search_cleanup(pb, li, sort_control,
-                                r, "VLV Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
+                                r, "VLV Control", SLAPI_FAIL_GENERAL, 
                                 &vlv_request_control, NULL);
                 }
                 {
@@ -325,8 +327,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     {
                         /* Client isn't allowed to do this. */
                         return ldbm_back_search_cleanup(pb, li, sort_control, 
-                                    r, "VLV Control", 
-                                    SLAPI_FAIL_GENERAL, &basesdn, 
+                                    r, "VLV Control", SLAPI_FAIL_GENERAL, 
                                     &vlv_request_control, NULL);
                     }
                 }
@@ -341,8 +342,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 /* Can't have a VLV control without a SORT control */
                 return ldbm_back_search_cleanup(pb, li, sort_control, 
                                 LDAP_SORT_CONTROL_MISSING, "VLV Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
-                                &vlv_request_control, NULL);
+                                SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
         }
     }
@@ -395,15 +395,13 @@ ldbm_back_search( Slapi_PBlock *pb )
             {
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_UNWILLING_TO_PERFORM, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
             else
             {
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_VIRTUAL_LIST_VIEW_ERROR, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
         }
         else
@@ -418,8 +416,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 sort_make_sort_response_control(pb, LDAP_UNWILLING_TO_PERFORM, NULL);
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_UNAVAILABLE_CRITICAL_EXTENSION, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
             else /* vlv and sorting are not critical, so ignore the control */
             {
@@ -453,7 +450,7 @@ ldbm_back_search( Slapi_PBlock *pb )
         {
             /* error or referral sent by find_entry */
             return ldbm_back_search_cleanup(pb, li, sort_control, 
-                            -1, NULL, 1, &basesdn, &vlv_request_control, NULL);
+                            -1, NULL, 1, &vlv_request_control, NULL);
         }
     }
@@ -478,21 +475,20 @@ ldbm_back_search( Slapi_PBlock *pb )
          */    
         if ((NULL != controls) && (sort) && (vlv)) {
             /* This candidate list is for vlv, no need for sort only. */
-            switch (vlv_search_build_candidate_list(pb, &basesdn, &vlv_rc,
+            switch (vlv_search_build_candidate_list(pb, basesdn, &vlv_rc,
                                                     sort_control,
                                                     (vlv ? &vlv_request_control : NULL),
                                                     &candidates, &vlv_response_control)) {
             case VLV_ACCESS_DENIED:
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                                 vlv_rc, "VLV Control",
-                                                SLAPI_FAIL_GENERAL, &basesdn,
+                                                SLAPI_FAIL_GENERAL, 
                                                 &vlv_request_control, e);
             case VLV_BLD_LIST_FAILED:
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                                 vlv_response_control.result,
                                                 NULL, SLAPI_FAIL_GENERAL,
-                                                &basesdn, &vlv_request_control,
-                                                e);
+                                                &vlv_request_control, e);
case LDAP_SUCCESS:
                 /* Log to the access log the particulars of this sort request */
@@ -513,7 +509,6 @@ ldbm_back_search( Slapi_PBlock *pb )
                                                     LDAP_OPERATIONS_ERROR,
                                                     "Sort Response Control",
                                                     SLAPI_FAIL_GENERAL,
-                                                    &basesdn,
                                                     &vlv_request_control, e);
                 }
             }
@@ -526,7 +521,7 @@ ldbm_back_search( Slapi_PBlock *pb )
             {
                 /* Error result sent by build_candidate_list */
                 return ldbm_back_search_cleanup(pb, li, sort_control, -1,
-                                                NULL, rc, &basesdn,
+                                                NULL, rc, 
                                                 &vlv_request_control, e);
             }
             /*
@@ -559,7 +554,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 IDList *idl = NULL;
                 Slapi_Filter *filter = NULL;
                 slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
-                r = vlv_filter_candidates(be, pb, candidates, &basesdn,
+                r = vlv_filter_candidates(be, pb, candidates, basesdn,
                                           scope, filter, &idl,
                                           lookthrough_limit, time_up);
                 if(r == 0)
@@ -570,7 +565,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 else
                 {
                     return ldbm_back_search_cleanup(pb, li, sort_control,
-                                                    r, NULL, -1, &basesdn,
+                                                    r, NULL, -1, 
                                                     &vlv_request_control, e);
                 }
             }
@@ -589,7 +584,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                              LDAP_PROTOCOL_ERROR,
                                              "Sort Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
                 }
               }
               else
@@ -630,7 +625,6 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                                     LDAP_PROTOCOL_ERROR,
                                                     "Sort Control", -1,
-                                                    &basesdn,
                                                     &vlv_request_control, e);
                 case LDAP_UNWILLING_TO_PERFORM:  /* Too hard */
                 case LDAP_OPERATIONS_ERROR:  /* Operation error */
@@ -673,7 +667,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                              (abandoned?-1:LDAP_PROTOCOL_ERROR),
                                              "Sort Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
                 }
               }
             }
@@ -700,7 +694,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     {
                         return ldbm_back_search_cleanup(pb, li, sort_control,
                                                     vlv_response_control.result,
-                                                    NULL, -1, &basesdn,
+                                                    NULL, -1, 
                                                     &vlv_request_control, e);
                     }
                 }
@@ -720,7 +714,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                              (abandoned?-1:LDAP_PROTOCOL_ERROR),
                                              "VLV Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
             }
             /* Log the VLV operation */
             vlv_print_access_log(pb,&vlv_request_control,&vlv_response_control);
@@ -783,7 +777,7 @@ ldbm_back_search( Slapi_PBlock *pb )
     /* Fix for bugid #394184, SD, 05 Jul 00 */
     /* tmp_err == -1: no error */
     return ldbm_back_search_cleanup(pb, li, sort_control, tmp_err, tmp_desc,
-                                    (tmp_err  == -1 ? 0 : -1), &basesdn,
+                                    (tmp_err  == -1 ? 0 : -1), 
                                     &vlv_request_control, NULL);
     /* end Fix for bugid #394184 */
 }
@@ -1205,7 +1199,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     int                    managedsait;
     Slapi_Attr             *attr;
     Slapi_Filter           *filter;
-    char                   *base;
+    const char             *base;
     back_search_result_set *sr;
     ID                     id;
     struct backentry       *e;
@@ -1214,7 +1208,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     int                    tlimit, llimit, slimit, isroot;
     struct berval          **urls = NULL;
     int                    err;
-    Slapi_DN               basesdn = {0};
+    Slapi_DN               *basesdn = NULL;
     char                   *target_uniqueid;
     int                    rc = 0; 
     int                    estimate = 0; /* estimated search result count */
@@ -1225,7 +1219,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
     slapi_pblock_get( pb, SLAPI_MANAGEDSAIT, &managedsait );
     slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
-    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn );
     slapi_pblock_get( pb, SLAPI_NENTRIES, &nentries );
     slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &slimit );
     slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &tlimit );
@@ -1240,6 +1234,13 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
         goto bail;
     }
+    if (NULL == basesdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                               "Null target DN", 0, NULL );
+        return( -1 );
+    }
+    base = slapi_sdn_get_dn(basesdn);
+
     if (sr->sr_current_sizelimit >= 0) {
         /* 
          * sr_current_sizelimit contains the current sizelimit.
@@ -1254,7 +1255,10 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
inst = (ldbm_instance *) be->be_instance_info;
-    slapi_sdn_init_dn_ndn_byref(&basesdn,base); /* normalized by front end */
+    if (NULL == basesdn) {
+        basesdn = slapi_sdn_new_normdn_byref(base);
+        slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, basesdn);
+    }
     /* Return to the cache the entry we handed out last time */
     /* If we are using the extension, the front end will tell
      * us when to do this so we don't do it now */
@@ -1399,7 +1403,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
                 char ebuf[ BUFSIZ ];
                 LDAPDebug( LDAP_DEBUG_ANY, "null ref in (%s)\n", escape_string( backentry_get_ndn(e), ebuf ), 0, 0 );
             }
-            else if ( slapi_sdn_scope_test( backentry_get_sdn(e), &basesdn, scope ))
+            else if ( slapi_sdn_scope_test( backentry_get_sdn(e), basesdn, scope ))
             {
                 if ( use_extension ) {
                     slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, e );
@@ -1473,7 +1477,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
              * just forget about it, since we don't want to return anything at all. */
          {
              if ( slapi_uniqueIDCompareString(target_uniqueid, e->ep_entry->e_uniqueid) ||
-                  slapi_sdn_scope_test( backentry_get_sdn(e), &basesdn, scope ))
+                  slapi_sdn_scope_test( backentry_get_sdn(e), basesdn, scope ))
              {
                  /* check size limit */
                  if ( slimit >= 0 )
@@ -1540,7 +1544,6 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
         }
     }
 bail:
-    slapi_sdn_done(&basesdn);
     return rc;
 }
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index 4427a43..f6c3ce6 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -137,29 +137,18 @@ int ldbm_back_fetch_incl_excl(Slapi_PBlock *pb, char ***include,
                               char ***exclude)
 {
     char **pb_incl, **pb_excl;
-    char subtreeDn[BUFSIZ];
-    char *normSubtreeDn;
-    int i;
slapi_pblock_get(pb, SLAPI_LDIF2DB_INCLUDE, &pb_incl);
     slapi_pblock_get(pb, SLAPI_LDIF2DB_EXCLUDE, &pb_excl);
+    if ((NULL == include) || (NULL == exclude)) {
+        return 0;
+    }
     *include = *exclude = NULL;
-    /* normalize */
-    if (pb_excl) {
-        for (i = 0; pb_excl[i]; i++) {
-            PL_strncpyz(subtreeDn, pb_excl[i], sizeof(subtreeDn));
-            normSubtreeDn = slapi_dn_normalize_case(subtreeDn);
-            charray_add(exclude, slapi_ch_strdup(normSubtreeDn));
-        }
-    }
-    if (pb_incl) {
-        for (i = 0; pb_incl[i]; i++) {
-            PL_strncpyz(subtreeDn, pb_incl[i], sizeof(subtreeDn));
-            normSubtreeDn = slapi_dn_normalize_case(subtreeDn);
-            charray_add(include, slapi_ch_strdup(normSubtreeDn));
-        }
-    }
+    /* pb_incl/excl are both normalized */
+    *exclude = slapi_ch_array_dup(pb_excl);
+    *include = slapi_ch_array_dup(pb_incl);
+
     return (pb_incl || pb_excl);
 }
@@ -250,7 +239,8 @@ int add_op_attrs(Slapi_PBlock *pb, struct ldbminfo *li, struct backentry *ep,
          * caller via the status parameter.
          */
         if (entryrdn_get_switch()) { /* subtree-rename: on */
-            Slapi_DN sdn = {0};;
+            Slapi_DN sdn;
+            slapi_sdn_init(&sdn);
             slapi_sdn_set_dn_byval(&sdn, pdn);
             err = entryrdn_index_read(be, &sdn, &pid, NULL);
             slapi_sdn_done(&sdn);
@@ -656,8 +646,10 @@ int ldbm_back_ldif2ldbm( Slapi_PBlock *pb )
         /* initialize UniqueID generator - must be done once backends are started
            and event queue is initialized but before plugins are started */
         /* This dn is normalize. */
-        Slapi_DN *sdn = slapi_sdn_new_dn_byval ("cn=uniqueid generator,cn=config");
-        int rc = uniqueIDGenInit (NULL, sdn, 0 /* use single thread mode */);
+        Slapi_DN *sdn = 
+                 slapi_sdn_new_ndn_byref ("cn=uniqueid generator,cn=config");
+        int rc = uniqueIDGenInit (NULL, sdn /*const*/,
+                                  0 /* use single thread mode */);
         slapi_sdn_free (&sdn);
         if (rc != UID_SUCCESS) {
             LDAPDebug( LDAP_DEBUG_ANY,
@@ -783,9 +775,10 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
     IDList *idltotal = NULL, *idltmp;
     back_txn *txn = NULL;
     struct berval bv;
-    Slapi_DN sdn = {0}; /* Valid only if entryrdn_get_switch is true */
+    Slapi_DN sdn; /* Used only if entryrdn_get_switch is true */
*err = 0;
+    slapi_sdn_init(&sdn);
     /* for each subtree spec... */
     for (i = 0; include[i]; i++) {
         IDList *idl = NULL;
@@ -794,6 +787,7 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
         char *nextdn = NULL;
         int matched = 0;
         int issubsuffix = 0;
+
         /*
          * avoid a case that an include suffix is applied to the backend of 
          * its sub suffix 
@@ -848,7 +842,6 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
         if (entryrdn_get_switch()) { /* subtree-rename: on */
             slapi_sdn_set_dn_byval(&sdn, include[i]);
             *err = entryrdn_index_read(be, &sdn, &id, NULL);
-            slapi_sdn_done(&sdn);
             if (*err) {
                 if (DB_NOTFOUND == *err) {
                     LDAPDebug2Args(LDAP_DEBUG_ANY,
@@ -861,6 +854,7 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
                                    "Reading %s failed on entryrdn; %d\n",
                                    include[i], *err );
                 }
+                slapi_sdn_done(&sdn);
                 continue;
             }
         } else {
@@ -895,6 +889,7 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
         } else {
             *err = ldbm_ancestorid_read(be, txn, id, &idl);
         }
+        slapi_sdn_done(&sdn);
         if (idl == NULL) {
             if (DB_NOTFOUND == *err) {
                 LDAPDebug(LDAP_DEBUG_ANY,
@@ -924,7 +919,7 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
             idl_free(idl);
             idltotal = idltmp;
         }
-    }
+    } /* for (i = 0; include[i]; i++) */
return idltotal;
 }
@@ -1423,7 +1418,6 @@ ldbm_back_ldbm2ldif( Slapi_PBlock *pb )
         ep = backentry_alloc();
         if (entryrdn_get_switch()) {
             char *rdn = NULL;
-            int rc = 0;
/* rdn is allocated in get_value_from_string */
             rc = get_value_from_string((const char *)data.dptr, "rdn", &rdn);
@@ -1900,9 +1894,9 @@ ldbm_back_ldbm2index(Slapi_PBlock *pb)
/* create suffix list */
         for (vlvidx = 0; vlvidx < numvlv; vlvidx++) {
-            char *s = slapi_ch_strdup(slapi_sdn_get_dn(vlvIndex_getBase(pvlv[vlvidx])));
-
-            s = slapi_dn_normalize_case(s);
+            char *s = 
+             slapi_ch_strdup(slapi_sdn_get_ndn(vlvIndex_getBase(pvlv[vlvidx])));
+            /* 's' is passed in */
             charray_add(&suffix_list, s);
         }
         idl = ldbm_fetch_subtrees(be, suffix_list, &err);
@@ -3448,8 +3442,7 @@ bail:
  * Update old DN format in entrydn and the leaf attr value to the new one
  *
  * The implementation would be similar to the upgradedb for new idl.
- * Scan each entry, checking the entrydn value with the result of 
- * slapi_dn_normalize_ext_case(dn).
+ * Scan each entry, checking the entrydn value with the normalized dn.
  * If they don't match,
  *   replace the old entrydn value with the new one in the entry 
  *   in id2entry.db4.
diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c
index 6e350c9..78f1ed3 100644
--- a/ldap/servers/slapd/back-ldbm/misc.c
+++ b/ldap/servers/slapd/back-ldbm/misc.c
@@ -425,7 +425,8 @@ ldbm_txn_ruv_modify_context( Slapi_PBlock *pb, modify_context *mc )
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
-    bentry_addr.dn = NULL;
+    bentry_addr.sdn = NULL;
+    bentry_addr.udn = NULL;
     bentry_addr.uniqueid = uniqueid;
/* Note: if we find the bentry, it will stay locked until someone calls
diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
index c160507..d7e28c1 100644
--- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
@@ -189,7 +189,7 @@ vlvSearch_init(struct vlvSearch* p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
             slapi_pblock_set(pb, SLAPI_PLUGIN, inst->inst_be->be_database);
             slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn);
-            addr.dn = (char*)slapi_sdn_get_ndn (p->vlv_base);
+            addr.sdn = p->vlv_base;
             addr.uniqueid = NULL;
             e = find_entry( pb, inst->inst_be, &addr, &txn );
             /* Check to see if the entry is absent. If it is, mark this search
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 9670de2..12d6650 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -124,12 +124,13 @@ do_bind( Slapi_PBlock *pb )
     int		auth_response_requested = 0;
     int		pw_response_requested = 0;
     char		*rawdn = NULL;
-    char		*dn = NULL, *saslmech = NULL;
+    const char	*dn = NULL;
+    char		*saslmech = NULL;
     struct berval	cred = {0};
     Slapi_Backend		*be = NULL;
     ber_tag_t ber_rc;
     int rc = 0;
-    Slapi_DN sdn;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *referral;
     char errorbuf[BUFSIZ];
     char **supported, **pmech;
@@ -137,8 +138,6 @@ do_bind( Slapi_PBlock *pb )
     Slapi_Entry *bind_target_entry = NULL;
     int auto_bind = 0;
     int minssf = 0;
-    char *test_bind_dn = NULL;
-    size_t dnlen = 0;
LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
@@ -174,7 +173,7 @@ do_bind( Slapi_PBlock *pb )
         return;
     }
     /* Check if we should be performing strict validation. */
-    if (config_get_dn_validate_strict()) { 
+    if (rawdn && config_get_dn_validate_strict()) { 
         /* check that the dn is formatted correctly */
         rc = slapi_dn_syntax_check(pb, rawdn, 1);
         if (rc) { /* syntax check failed */
@@ -186,27 +185,21 @@ do_bind( Slapi_PBlock *pb )
             return;
         }
     }
-    rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-    if (rc < 0) {
-        op_shared_log_error_access(pb, "BIND", rawdn?rawdn:"",
-                                   "invalid bind dn");
-        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-                         NULL, "invalid bind dn", 0, NULL);
-        slapi_ch_free_string(&rawdn);
+    sdn = slapi_sdn_new_dn_passin(rawdn);
+    dn = slapi_sdn_get_dn(sdn);
+    if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+        /* normalization failed */
+        op_shared_log_error_access(pb, "BIND", rawdn, "invalid bind dn");
+        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                         "invalid bind dn", 0, NULL);
+        slapi_sdn_free(&sdn);
         return;
-    } else if (rc > 0) { /* if rc == 0, rawdn is passed in */
-        slapi_ch_free_string(&rawdn);
-    } else { /* rc == 0; rawdn is passed in; not null terminated */
-        *(dn + dnlen) = '\0';
     }
-
-    slapi_sdn_init_dn_passin(&sdn, dn);
-
     LDAPDebug( LDAP_DEBUG_TRACE, "BIND dn="%s" method=%d version=%d\n",
-               dn, method, version );
+               dn?dn:"empty", method, version );
/* target spec is used to decide which plugins are applicable for the operation */
-    operation_set_target_spec (pb->pb_op, &sdn);
+    operation_set_target_spec (pb->pb_op, sdn);
switch ( method ) {
     case LDAP_AUTH_SASL:
@@ -214,7 +207,7 @@ do_bind( Slapi_PBlock *pb )
             LDAPDebug( LDAP_DEBUG_ANY,
                        "got SASL credentials from LDAPv2 client\n",
                        0, 0, 0 );
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "SASL credentials only in LDAPv3");
+            log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "SASL credentials only in LDAPv3");
             send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                               "SASL credentials only in LDAPv3", 0, NULL );
             goto free_and_return;
@@ -243,7 +236,7 @@ do_bind( Slapi_PBlock *pb )
                 "LDAPv2-style kerberos authentication received "
                 "on LDAPv3 connection.";
             LDAPDebug( LDAP_DEBUG_ANY, kmsg, 0, 0, 0 );
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, kmsg);
+            log_bind_access (pb, dn?dn:"empty", method, version, saslmech, kmsg);
             send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                               kmsg, 0, NULL );
             goto free_and_return;
@@ -256,7 +249,7 @@ do_bind( Slapi_PBlock *pb )
         }
         break;
     default:
-        log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "Unknown bind method");
+        log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "Unknown bind method");
         send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                           "Unknown bind method", 0, NULL );
         goto free_and_return;
@@ -265,7 +258,7 @@ do_bind( Slapi_PBlock *pb )
         LDAPDebug( LDAP_DEBUG_ANY,
                    "ber_scanf failed (op=Bind; params=Credentials)\n",
                    0, 0, 0 );
-        log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "decoding error");
+        log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "decoding error");
         send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                           "decoding error", 0, NULL );
         goto free_and_return;
@@ -284,7 +277,7 @@ do_bind( Slapi_PBlock *pb )
if (( err = get_ldapmessage_controls( pb, ber, &reqctrls ))
             != 0 ) {
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method,
+            log_bind_access (pb, dn?dn:"empty", method,
                              version, saslmech, "failed to parse LDAP controls");
             send_ldap_result( pb, err, NULL, NULL, 0, NULL );
             goto free_and_return;
@@ -316,8 +309,8 @@ do_bind( Slapi_PBlock *pb )
         {
             auto_bind = 1; /* flag the bind method */
             dn = slapi_ch_strdup(pb->pb_conn->c_dn);
-            slapi_sdn_done(&sdn);
-            slapi_sdn_init_dn_passin(&sdn,dn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_new_dn_passin(dn);
         }
     }
 #endif /* ENABLE_AUTOBIND */
@@ -330,7 +323,7 @@ do_bind( Slapi_PBlock *pb )
     pb->pb_conn->c_needpw = 0;
     PR_Unlock( pb->pb_conn->c_mutex );
-    log_bind_access(pb, dn, method, version, saslmech, NULL);
+    log_bind_access(pb, dn?dn:"empty", method, version, saslmech, NULL);
switch ( version ) {
     case LDAP_VERSION2:
@@ -372,9 +365,9 @@ do_bind( Slapi_PBlock *pb )
                version, method, dn );
     pb->pb_conn->c_ldapversion = version;
-    isroot = slapi_dn_isroot( slapi_sdn_get_ndn(&sdn) );
+    isroot = slapi_dn_isroot( slapi_sdn_get_ndn(sdn) );
     slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
-    slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void*)slapi_sdn_get_ndn(&sdn) );
+    slapi_pblock_set( pb, SLAPI_BIND_TARGET_SDN, (void*)sdn );
     slapi_pblock_set( pb, SLAPI_BIND_METHOD, &method );
     slapi_pblock_set( pb, SLAPI_BIND_SASLMECHANISM, saslmech );
     slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, &cred );
@@ -613,9 +606,9 @@ do_bind( Slapi_PBlock *pb )
             slapi_value_init_berval(&cv,&cred);
/* right dn and passwd - authorize */
-            if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) {
+            if ( is_root_dn_pw( slapi_sdn_get_ndn(sdn), &cv )) {
                 bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE,
-                                      slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ),
+                                      slapi_ch_strdup( slapi_sdn_get_ndn(sdn) ),
                                       NULL, NULL, NULL , NULL);
/* right dn, wrong passwd - reject with invalid creds */
@@ -635,7 +628,7 @@ do_bind( Slapi_PBlock *pb )
             if ( auth_response_requested ) {
                 slapi_add_auth_response_control( pb,
                                            ( cred.bv_len == 0 ) ? "" :
-                                           slapi_sdn_get_ndn(&sdn));
+                                           slapi_sdn_get_ndn(sdn));
             }
             send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
@@ -687,7 +680,7 @@ do_bind( Slapi_PBlock *pb )
/* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
             if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
-                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(&sdn));
+                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(sdn));
                 rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
             }
@@ -730,11 +723,11 @@ do_bind( Slapi_PBlock *pb )
                     if(!auto_bind)
                         bind_credentials_set( pb->pb_conn,
                                           authtype, slapi_ch_strdup(
-                                              slapi_sdn_get_ndn(&sdn)),
+                                              slapi_sdn_get_ndn(sdn)),
                                           NULL, NULL, NULL, bind_target_entry );
                     if ( auth_response_requested ) {
                         slapi_add_auth_response_control( pb,
-                                                   slapi_sdn_get_ndn(&sdn));
+                                                   slapi_sdn_get_ndn(sdn));
                     }
                 } else {	/* anonymous */
                     /* set bind creds here so anonymous limits are set */
@@ -803,16 +796,12 @@ do_bind( Slapi_PBlock *pb )
  free_and_return:;
     if (be)
         slapi_be_Unlock(be);
-    slapi_pblock_get(pb, SLAPI_BIND_TARGET, &test_bind_dn);
-    if (test_bind_dn != slapi_sdn_get_ndn(&sdn)) {
-        /* set in sasl bind or some other bind plugin */
-        slapi_ch_free_string(&test_bind_dn);
-    }
-    slapi_sdn_done(&sdn);
+    slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
+    slapi_sdn_free(&sdn);
     slapi_ch_free_string( &saslmech );
     slapi_ch_free( (void **)&cred.bv_val );
-	if ( bind_target_entry != NULL )
-		slapi_entry_free(bind_target_entry);
+    if ( bind_target_entry != NULL )
+        slapi_entry_free(bind_target_entry);
 }
diff --git a/ldap/servers/slapd/bulk_import.c b/ldap/servers/slapd/bulk_import.c
index 717ff47..cb35988 100644
--- a/ldap/servers/slapd/bulk_import.c
+++ b/ldap/servers/slapd/bulk_import.c
@@ -67,7 +67,7 @@ static int process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e);
    SLAPI_CONNECTION -- connection over which bulk import is coming
    SLAPI_BACKEND -- the backend being imported 
    or 
-   SLAPI_TARGET_DN that contains root of the imported area.   
+   SLAPI_TARGET_SDN that contains root of the imported area.   
    The function returns LDAP_SUCCESS or LDAP error code 
 */
@@ -80,7 +80,7 @@ int slapi_start_bulk_import (Slapi_PBlock *pb)
    SLAPI_CONNECTION -- connection over which bulk import is coming
    SLAPI_BACKEND -- the backend being imported 
    or 
-   SLAPI_TARGET_DN that contains root of the imported area.   
+   SLAPI_TARGET_SDN that contains root of the imported area.   
    The function returns LDAP_SUCCESS or LDAP error code 
 */
 int slapi_stop_bulk_import (Slapi_PBlock *pb)
@@ -103,9 +103,7 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
 {
     int rc;
     Slapi_Backend *be = NULL;
-    char *dn = NULL;
-    Slapi_DN sdn;
-    const Slapi_DN *target_sdn = NULL;
+    Slapi_DN *target_sdn = NULL;
if (pb == NULL)
     {
@@ -125,29 +123,27 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
         /* try to get dn to select backend */
         if (e)
         {
-            target_sdn = slapi_entry_get_sdn_const (e);
-            be = slapi_be_select (target_sdn);
+            target_sdn = slapi_entry_get_sdn(e);
         }
         else
         {
-			slapi_sdn_init(&sdn);
-            slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-            if (dn)
-            {
-                slapi_sdn_init_dn_byref(&sdn, dn);
-                be = slapi_be_select (&sdn);
-				target_sdn = &sdn;
+            slapi_pblock_get (pb, SLAPI_TARGET_SDN, &target_sdn);
+            if (NULL == target_sdn) {
+                slapi_log_error(SLAPI_LOG_FATAL, NULL,
+                                "process_bulk_import_op: NULL target sdn\n");
+                return LDAP_OPERATIONS_ERROR;
             }
         }
+        be = slapi_be_select (target_sdn);
if (be) 
         {
-			if (state == SLAPI_BI_STATE_START && (!slapi_be_issuffix(be, target_sdn)))
-			{
-            	slapi_log_error(SLAPI_LOG_FATAL, NULL,
-				 	"process_bulk_import_op: wrong backend suffix\n");
-            	return LDAP_OPERATIONS_ERROR;    
-			}
+            if (state == SLAPI_BI_STATE_START && (!slapi_be_issuffix(be, target_sdn)))
+            {
+                slapi_log_error(SLAPI_LOG_FATAL, NULL,
+                     "process_bulk_import_op: wrong backend suffix\n");
+                return LDAP_OPERATIONS_ERROR;    
+            }
             slapi_pblock_set (pb, SLAPI_BACKEND, be);
         }
         else
@@ -155,9 +151,6 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
             slapi_log_error(SLAPI_LOG_FATAL, NULL, "process_bulk_import_op: NULL backend\n");
             return LDAP_OPERATIONS_ERROR;    
         }        
-
-		if (NULL == e)
-            slapi_sdn_done (&sdn);
     }
if (be->be_wire_import == NULL)
diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c
index 30c64ac..1bb084f 100644
--- a/ldap/servers/slapd/charray.c
+++ b/ldap/servers/slapd/charray.c
@@ -472,3 +472,24 @@ charray_get_index(char **array, char *s)
     }
     return -1;
 }
+
+int
+charray_normdn_add(char ***chararray, char *dn, char *errstr)
+{
+    int rc = 0;
+    size_t len = 0;
+    char *normdn = NULL;
+    rc = slapi_dn_normalize_ext(dn, 0, &normdn, &len);
+    if (rc < 0) {
+        LDAPDebug2Args(LDAP_DEBUG_ANY, "Invalid dn: "%s" %s\n",
+                       dn, errstr?errstr:"");
+        return rc;
+    } else if (0 == rc) {
+        /* rc == 0; optarg_extawdn is passed in; 
+         * not null terminated */
+        *(dn + len) = '\0';
+        normdn = slapi_ch_strdup(dn);
+    }
+    charray_add(chararray, slapi_dn_ignore_case(normdn));
+    return rc;
+}
diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
index 578d826..b5b28fb 100644
--- a/ldap/servers/slapd/compare.c
+++ b/ldap/servers/slapd/compare.c
@@ -66,8 +66,7 @@ do_compare( Slapi_PBlock *pb )
 {
    BerElement	*ber = pb->pb_op->o_ber;
    char		*rawdn = NULL;
-	char		*dn = NULL;
-	size_t		 len = 0;
+	const char	*dn = NULL;
    struct ava	ava = {0};
    Slapi_Backend		*be = NULL;
    int		err;
@@ -118,18 +117,16 @@ do_compare( Slapi_PBlock *pb )
    		return;
    	}
    }
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &len);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "CMP", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free((void **) &rawdn);
-		return;
-	} else if (err > 0) { /* if rc == 0, rawdn is passed in */
-		slapi_ch_free((void **) &rawdn);
-	} else { /* rc == 0; rawdn is passed in; not null terminated */
-		*(dn + len) = '\0';
-	}
+	slapi_sdn_init_dn_passin(&sdn, rawdn);
+	dn = slapi_sdn_get_dn(&sdn);
+    if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+        /* normalization failed */
+        op_shared_log_error_access(pb, "CMP", rawdn, "invalid dn");
+        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                         "invalid dn", 0, NULL);
+        slapi_sdn_done(&sdn);
+        return;
+    }
    /*
     * in LDAPv3 there can be optional control extensions on
     * the end of an LDAPMessage. we need to read them in and
@@ -139,19 +136,17 @@ do_compare( Slapi_PBlock *pb )
    	send_ldap_result( pb, err, NULL, NULL, 0, NULL );
    	goto free_and_return;
    }
-	slapi_sdn_init_dn_passin(&sdn,dn);
-    dn = NULL; /* do not free - sdn owns it now */
/* target spec is used to decide which plugins are applicable for the operation */
    operation_set_target_spec (pb->pb_op, &sdn);
LDAPDebug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s)\n",
-	    dn, ava.ava_type, 0 );
+	    rawdn, ava.ava_type, 0 );
slapi_log_access( LDAP_DEBUG_STATS,
        "conn=%" NSPRIu64 " op=%d CMP dn="%s" attr="%s"\n",
        pb->pb_conn->c_connid, pb->pb_op->o_opid,
-	    escape_string( dn, ebuf ), ava.ava_type );
+	    escape_string( rawdn, ebuf ), ava.ava_type );
/*
     * We could be serving multiple database backends.  Select the
@@ -188,7 +183,9 @@ do_compare( Slapi_PBlock *pb )
    	isroot = pb->pb_op->o_isroot;
slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
-		slapi_pblock_set( pb, SLAPI_COMPARE_TARGET, (void*)slapi_sdn_get_ndn(&sdn) );
+		/* EXCEPTION: compare target does not allocate memory. */
+		/* target never be modified by plugins. */
+		slapi_pblock_set( pb, SLAPI_COMPARE_TARGET_SDN, (void*)&sdn );
    	slapi_pblock_set( pb, SLAPI_COMPARE_TYPE, ava.ava_type);
    	slapi_pblock_set( pb, SLAPI_COMPARE_VALUE, &ava.ava_value );
    	/*
@@ -216,6 +213,5 @@ free_and_return:;
    if (be)
    	slapi_be_Unlock(be);
    slapi_sdn_done(&sdn);
-    slapi_ch_free_string(&dn);
    ava_done( &ava );
 }
diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
index fa7dbe3..693efa1 100644
--- a/ldap/servers/slapd/delete.c
+++ b/ldap/servers/slapd/delete.c
@@ -72,8 +72,6 @@ do_delete( Slapi_PBlock *pb )
    Slapi_Operation *operation;
    BerElement	*ber;
    char	    *rawdn = NULL;
-	char	    *dn = NULL;
-	size_t		dnlen = 0;
    int			err = 0;
LDAPDebug( LDAP_DEBUG_TRACE, "do_delete\n", 0, 0, 0 );
@@ -107,22 +105,9 @@ do_delete( Slapi_PBlock *pb )
    						"strict: invalid dn");
    		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
    						 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free_string(&rawdn);
    		goto free_and_return;
    	}
    }
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "DEL", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free_string(&rawdn);
-		goto free_and_return;
-	} else if (err > 0) { /* if err == 0, rawdn is passed in */
-		slapi_ch_free_string(&rawdn);
-	} else { /* err == 0; rawdn is passed in; not null terminated */
-		*(dn + dnlen) = '\0';
-	}
/*
     * in LDAPv3 there can be optional control extensions on
@@ -130,20 +115,20 @@ do_delete( Slapi_PBlock *pb )
     * pass them to the backend.
     */
    if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 ) {
-		op_shared_log_error_access (pb, "DEL", dn, "decoding error");
+		op_shared_log_error_access (pb, "DEL", rawdn, "decoding error");
    	send_ldap_result( pb, err, NULL, NULL, 0, NULL );
    	goto free_and_return;
    }
-	LDAPDebug( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", dn, 0, 0 );
-			
+	LDAPDebug1Arg( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", rawdn );
+
    slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn);
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, rawdn);
op_shared_delete (pb);
free_and_return:;
-	slapi_ch_free ((void**)&dn);
+	slapi_ch_free ((void**)&rawdn);
 }
/* This function is used to issue internal delete operation
@@ -158,7 +143,7 @@ slapi_delete_internal(const char *idn, LDAPControl **controls, int dummy)
     int             opresult;
pblock_init (&pb);
-    	
+
     slapi_delete_internal_set_pb (&pb, idn, controls, NULL, plugin_get_default_component_id(), 0);
delete_internal_pb (&pb);
@@ -201,22 +186,26 @@ int slapi_delete_internal_pb (Slapi_PBlock *pb)
 }
/* Initialize a pblock for a call to slapi_delete_internal_pb() */
-void slapi_delete_internal_set_pb (Slapi_PBlock *pb, const char *dn, LDAPControl **controls, const char *uniqueid, 
-								   Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_delete_internal_set_pb (Slapi_PBlock *pb,
+                              const char *rawdn,
+                              LDAPControl **controls, const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity, 
+                              int operation_flags)
 {  
    Operation *op;
    PR_ASSERT (pb != NULL);
-	if (pb == NULL || dn == NULL)
+	if (pb == NULL || rawdn == NULL)
    {
    	slapi_log_error(SLAPI_LOG_FATAL, NULL, 
    					"slapi_delete_internal_set_pb: NULL parameter\n");
    	return;
    }
-    op = internal_operation_new(SLAPI_OPERATION_DELETE,operation_flags);
+	op = internal_operation_new(SLAPI_OPERATION_DELETE,operation_flags);
    slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)dn);
-    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)rawdn);
+	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
    if (uniqueid)
    {
    	slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
@@ -259,11 +248,12 @@ static int delete_internal_pb (Slapi_PBlock *pb)
static void op_shared_delete (Slapi_PBlock *pb)
 {
-	char	      	*dn;
+	char			*rawdn = NULL;
+	const char		*dn = NULL;
    Slapi_Backend	*be = NULL;
    char			ebuf[ BUFSIZ ];
    int				internal_op;
-	Slapi_DN		sdn;
+	Slapi_DN		*sdn = NULL;
    Slapi_Operation *operation;
    Slapi_Entry *referral;
    Slapi_Entry	*ecopy = NULL;
@@ -274,15 +264,23 @@ static void op_shared_delete (Slapi_PBlock *pb)
    int		proxy_err = LDAP_SUCCESS;
    char		*errtext = NULL;
-	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn);
+	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &rawdn);
    slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
    internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
-	slapi_sdn_init_dn_byref(&sdn,dn);
-	slapi_pblock_set(pb, SLAPI_DELETE_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
+	sdn = slapi_sdn_new_dn_byval(rawdn);
+	dn = slapi_sdn_get_dn(sdn);
+	slapi_pblock_set(pb, SLAPI_DELETE_TARGET_SDN, (void*)sdn);
+	if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "DEL", rawdn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
+		                 NULL, "invalid dn", 0, NULL);
+		goto free_and_return;
+	}
/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (operation, &sdn);
+	operation_set_target_spec (operation, sdn);
/* get the proxy auth dn if the proxy auth control is present */
    proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -299,7 +297,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
    		slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn="%s"%s\n",
    						pb->pb_conn->c_connid, 
    						pb->pb_op->o_opid,
-							escape_string(dn, ebuf),
+							escape_string(slapi_sdn_get_dn(sdn), ebuf),
    						proxystr ? proxystr: "");
    	}
    	else
@@ -307,7 +305,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
    		slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d DEL dn="%s"%s\n",
    						LOG_INTERNAL_OP_CON_ID,
    						LOG_INTERNAL_OP_OP_ID,
-							escape_string(dn, ebuf),
+							escape_string(slapi_sdn_get_dn(sdn), ebuf),
    						proxystr ? proxystr: "");
    	}
    }
@@ -398,6 +396,7 @@ free_and_return:
    	slapi_be_Unlock(be);
    }
    {
+		char *coldn = NULL;
    	Slapi_Entry *epre = NULL, *eparent = NULL;
    	slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &epre);
    	slapi_pblock_get(pb, SLAPI_DELETE_GLUE_PARENT_ENTRY, &eparent);
@@ -408,10 +407,12 @@ free_and_return:
    	}
    	slapi_entry_free(epre);
    	slapi_entry_free(eparent);
+		slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &coldn);
+		slapi_ch_free_string(&coldn);
    }
-	slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &dn);
-	slapi_ch_free((void **)&dn);
-	slapi_sdn_done(&sdn);
+
+	slapi_pblock_get(pb, SLAPI_DELETE_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
    slapi_ch_free_string(&proxydn);
    slapi_ch_free_string(&proxystr);
 }
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 1912f70..e5b9db9 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -190,7 +190,6 @@ substr_dn_normalize_orig( char *dn, char *end )
    char		*d = NULL;
    char 		*s = NULL;
    char		*typestart = NULL;
-	char		*rdnbegin = NULL;
    char		*lastesc = NULL;
    int		gotesc = 0;
    int		state = B4TYPE;
@@ -231,7 +230,6 @@ substr_dn_normalize_orig( char *dn, char *end )
    			value_separator = NULL;
    			value = d;
    			state = ( *s == '"' ) ? INQUOTEDVALUE : INVALUE1ST;
-				rdnbegin = d;
    			lastesc = NULL;
    			*d++ = *s;
    		}
@@ -545,6 +543,9 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
             rc = 0;
         }
     }
+    if (0 == src_len) { /* src == "" */
+        goto bail;
+    }
ends = src + src_len;
     endd = *dest + *dest_len;
@@ -1041,7 +1042,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
             break;
         default:
             LDAPDebug( LDAP_DEBUG_ANY,
-                "slapi_dn_normalize - unknown state %d\n", state, 0, 0 );
+                "slapi_dn_normalize_ext - unknown state %d\n", state, 0, 0 );
             break;
         }
     }
@@ -1116,6 +1117,39 @@ slapi_create_dn_string(const char *fmt, ...)
     return dest;
 }
+char *
+slapi_create_rdn_value(const char *fmt, ...)
+{
+    char *src = NULL;
+    char *dest = NULL;
+    size_t dest_len = 0;
+    va_list ap;
+    int rc = 0;
+    char *dnfmt;
+
+    if (NULL == fmt) {
+        return NULL;
+    }
+
+    dnfmt = slapi_ch_smprintf("cn=%s", fmt);
+    va_start(ap, fmt);
+    src = PR_vsmprintf(dnfmt, ap);
+    va_end(ap);
+    slapi_ch_free_string(&dnfmt);
+
+    rc = slapi_dn_normalize_ext(src, strlen(src), &dest, &dest_len);
+    if (rc == 0) { /* src is passed in. */
+        *(dest + dest_len) = '\0';
+        dest = slapi_ch_strdup(dest + 3);
+    } else if (rc > 0) {
+        char *odest = dest;
+        dest = slapi_ch_strdup(dest + 3);
+        slapi_ch_free_string(&odest);
+    }
+    slapi_ch_free_string(&src);
+    return dest;
+}
+
 /*
  * Append previous AV to the attribute value array if multivalued RDN.
  * We use a stack based array at first and if we overflow that, we
@@ -1370,12 +1404,13 @@ dn_ignore_case_to_end( char *dn, char *end )
  * slapi_dn_normalize_case - put dn into a canonical form suitable for storing
  * in a hash database.  this involves normalizing the case as well as
  * the format.  the dn is normalized in place as well as returned.
+ * (DEPRECATED)
  */
char *
 slapi_dn_normalize_case( char *dn )
 {
-	/* normalize format */
+	/* normalize format (DEPRECATED) noop */
    slapi_dn_normalize( dn );
/* normalize case */
@@ -1698,6 +1733,9 @@ PR_DEFINE_COUNTER(slapi_sdn_counter_dn_exist);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_created);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_deleted);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_exist);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_created);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_deleted);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_exist);
static void
 sdn_create_counters()
@@ -1711,12 +1749,16 @@ sdn_create_counters()
    PR_CREATE_COUNTER(slapi_sdn_counter_ndn_created,"Slapi_DN","internal_ndn_created","");
    PR_CREATE_COUNTER(slapi_sdn_counter_ndn_deleted,"Slapi_DN","internal_ndn_deleted","");
    PR_CREATE_COUNTER(slapi_sdn_counter_ndn_exist,"Slapi_DN","internal_ndn_exist","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_created,"Slapi_DN","internal_udn_created","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_deleted,"Slapi_DN","internal_udn_deleted","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_exist,"Slapi_DN","internal_udn_exist","");
    counters_created= 1;
 }
#define FLAG_ALLOCATED 0
 #define FLAG_DN 1
 #define FLAG_NDN 2
+#define FLAG_UDN 3
Slapi_DN *
 slapi_sdn_new()
@@ -1730,10 +1772,18 @@ slapi_sdn_new()
     return sdn;
 }
+/*
+ * WARNING:
+ * Do not call slapi_sdn_init and its sibling APIs against Slapi_DN 
+ * allocated by slapi_sdn_new.  slapi_sdn_init clears all bits in the flag. 
+ * If sdn is allocated by slapi_sdn_new, the FLAG_ALLOCATED bit is cleared 
+ * and slapi_sdn_free won't free Slapi_DN.
+ */
 Slapi_DN *
 slapi_sdn_init(Slapi_DN *sdn)
 {
     sdn->flag= 0;
+    sdn->udn= NULL;
     sdn->dn= NULL;
     sdn->ndn= NULL;
    sdn->ndn_len=0;
@@ -1748,7 +1798,7 @@ Slapi_DN *
 slapi_sdn_init_dn_byref(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
-    slapi_sdn_set_dn_byref(sdn,dn);
+    slapi_sdn_set_dn_byref(sdn, dn);
    return sdn;
 }
@@ -1768,20 +1818,33 @@ slapi_sdn_init_dn_passin(Slapi_DN *sdn,const char *dn)
    return sdn;
 }
-/* use when dn is normalized previously */
+/* use when dn is already normalized (but case is yet touched) */
 Slapi_DN *
-slapi_sdn_init_dn_ndn_byref(Slapi_DN *sdn,const char *dn) {
-	  slapi_sdn_init(sdn);
-	  slapi_sdn_set_dn_byref(sdn,dn);
-	  /* slapi_sdn_set_ndn_byref nulls out dn set in above statement */
-	  sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
-      sdn->ndn= dn;
-	  if(dn == NULL) {
-		  sdn->ndn_len=0;
-	  } else {
-	   sdn->ndn_len=strlen(dn);
-	  }
-	  return sdn;
+slapi_sdn_init_normdn_byref(Slapi_DN *sdn, const char *dn)
+{
+    slapi_sdn_init(sdn);
+    if(dn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(dn);
+        sdn->dn = dn;
+    }
+    return sdn;
+}
+
+/* use when dn is already normalized (but case is yet touched) */
+Slapi_DN *
+slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn)
+{
+    slapi_sdn_init(sdn);
+    if(dn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(dn);
+        sdn->dn = dn;
+        sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    }
+    return sdn;
 }
Slapi_DN *
@@ -1789,7 +1852,7 @@ slapi_sdn_init_ndn_byref(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
     slapi_sdn_set_ndn_byref(sdn,dn);
-	return sdn;
+    return sdn;
 }
Slapi_DN *
@@ -1797,7 +1860,7 @@ slapi_sdn_init_ndn_byval(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
     slapi_sdn_set_ndn_byval(sdn,dn);
-	return sdn;
+    return sdn;
 }
Slapi_DN *
@@ -1845,16 +1908,46 @@ slapi_sdn_new_ndn_byref(const char *ndn)
     return sdn;
 }
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_byref(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_byref(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_byref");
+    return sdn;
+}
+
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_passin(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_passin(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_passin");
+    return sdn;
+}
+
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_byval(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_byval(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_byval");
+    return sdn;
+}
+
 Slapi_DN *
 slapi_sdn_set_dn_byval(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_DN);
+    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_UDN);
    if(dn!=NULL)
    {
-		sdn->dn= slapi_ch_strdup(dn);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+		sdn->udn= slapi_ch_strdup(dn);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_created);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_exist);
    }
     return sdn;
 }
@@ -1863,8 +1956,8 @@ Slapi_DN *
 slapi_sdn_set_dn_byref(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
-    sdn->dn= dn;
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_UDN);
+    sdn->udn= dn;
     return sdn;
 }
@@ -1872,17 +1965,64 @@ Slapi_DN *
 slapi_sdn_set_dn_passin(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_DN);
-    sdn->dn= dn;
+    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_UDN);
+    sdn->udn= dn;
    if(dn!=NULL)
    {
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_created);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_exist);
    }
     return sdn;
 }
Slapi_DN *
+slapi_sdn_set_normdn_byref(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_unsetbit_uchar(sdn->flag, FLAG_DN);
+    sdn->dn = normdn;
+    if(normdn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(normdn);
+    }
+    return sdn;
+}
+
+Slapi_DN *
+slapi_sdn_set_normdn_passin(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    sdn->dn = normdn;
+    if(normdn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(normdn);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+    }
+    return sdn;
+}
+
+Slapi_DN *
+slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    if(normdn == NULL) {
+        sdn->dn = slapi_ch_strdup(normdn);
+        sdn->ndn_len = 0;
+    } else {
+        sdn->dn = slapi_ch_strdup(normdn);
+        sdn->ndn_len = strlen(normdn);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+    }
+    return sdn;
+}
+
+Slapi_DN *
 slapi_sdn_set_ndn_byval(Slapi_DN *sdn, const char *ndn)
 {
     slapi_sdn_done(sdn);
@@ -1925,7 +2065,7 @@ slapi_sdn_set_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
    else
    {
    	/* NewDN= NewRDN + OldParent */
-		char *parentdn= slapi_dn_parent(sdn->dn);
+		char *parentdn = slapi_dn_parent(slapi_sdn_get_dn(sdn));
    	char *newdn = slapi_ch_smprintf("%s,%s", rawrdn, parentdn);
    	slapi_ch_free((void**)&parentdn);
    	slapi_sdn_set_dn_passin(sdn,newdn);
@@ -1939,7 +2079,7 @@ slapi_sdn_set_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
 Slapi_DN *
 slapi_sdn_add_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
 {
-	const char *rawrdn= slapi_rdn_get_rdn(rdn);
+	const char *rawrdn = slapi_rdn_get_rdn(rdn);
     if(slapi_sdn_isempty(sdn))
    {
    	slapi_sdn_set_dn_byval(sdn,rawrdn);
@@ -1972,7 +2112,7 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn)
    	/* NewDN= OldRDN + NewParent */
    	Slapi_RDN rdn;
    	const char *rawrdn;
-		slapi_rdn_init_dn(&rdn,sdn->dn);
+		slapi_rdn_init_dn(&rdn, slapi_sdn_get_dn(sdn));
    	rawrdn= slapi_rdn_get_rdn(&rdn);
        if(slapi_sdn_isempty(parentdn))
    	{
@@ -1980,12 +2120,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn)
    	}
    	else
    	{
-			char *newdn;
-			newdn= slapi_ch_malloc(strlen(rawrdn)+1+strlen(parentdn->dn)+1);
-			strcpy( newdn, rawrdn );
-			strcat( newdn, "," );
-			strcat( newdn, parentdn->dn );
-			slapi_sdn_set_dn_passin(sdn,newdn);
+			char *newdn = 
+			    slapi_ch_smprintf("%s,%s", rawrdn, slapi_sdn_get_dn(parentdn));
+			slapi_sdn_set_dn_passin(sdn, newdn);
    	}
    	slapi_rdn_done(&rdn);
    }
@@ -2005,7 +2142,6 @@ slapi_sdn_done(Slapi_DN *sdn)
         if(slapi_isbitset_uchar(sdn->flag,FLAG_DN))
         {
             slapi_ch_free((void**)&(sdn->dn));
-            sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
             PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_deleted);
             PR_DECREMENT_COUNTER(slapi_sdn_counter_dn_exist);
         }
@@ -2014,22 +2150,36 @@ slapi_sdn_done(Slapi_DN *sdn)
             sdn->dn= NULL;
         }
     }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
     if(sdn->ndn!=NULL)
     {
         if(slapi_isbitset_uchar(sdn->flag,FLAG_NDN))
         {
             slapi_ch_free((void**)&(sdn->ndn));
-            sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
-			sdn->ndn_len=0;
             PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_deleted);
             PR_DECREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
         }
         else
         {
             sdn->ndn= NULL;
-			sdn->ndn_len=0;
         }
     }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
+    sdn->ndn_len=0;
+    if(sdn->udn!=NULL)
+    {
+        if(slapi_isbitset_uchar(sdn->flag,FLAG_UDN))
+        {
+            slapi_ch_free((void**)&(sdn->udn));
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_deleted);
+            PR_DECREMENT_COUNTER(slapi_sdn_counter_udn_exist);
+        }
+        else
+        {
+            sdn->udn= NULL;
+        }
+    }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_UDN);
 }
void
@@ -2037,9 +2187,11 @@ slapi_sdn_free(Slapi_DN **sdn)
 {
    if(sdn!=NULL && *sdn!=NULL)
    {
+	    int is_allocated = 0;
        SDN_DUMP( *sdn, "slapi_sdn_free");
+	    is_allocated = slapi_isbitset_uchar((*sdn)->flag, FLAG_ALLOCATED);
        slapi_sdn_done(*sdn);
-	    if(slapi_isbitset_uchar((*sdn)->flag,FLAG_ALLOCATED))
+	    if(is_allocated)
        {
            slapi_ch_free((void**)sdn);
            PR_INCREMENT_COUNTER(slapi_sdn_counter_deleted);
@@ -2051,43 +2203,75 @@ slapi_sdn_free(Slapi_DN **sdn)
 const char *
 slapi_sdn_get_dn(const Slapi_DN *sdn)
 {
-    return (sdn->dn!=NULL ? sdn->dn : sdn->ndn);
+    if (NULL == sdn) {
+        return NULL;
+    }
+    if (sdn->dn) {
+        return sdn->dn;
+    } else if (sdn->ndn) {
+        return sdn->ndn;
+    } else if (sdn->udn) {
+        char *udn = slapi_ch_strdup(sdn->udn);
+        char *normed = NULL;
+        size_t dnlen = 0;
+        Slapi_DN *ncsdn = (Slapi_DN*)sdn; /* non-const Slapi_DN */
+        int rc = slapi_dn_normalize_ext(udn, 0, &normed, &dnlen);
+        if (rc == 0) { /* udn is passed in */
+            *(normed + dnlen) = '\0';
+            ncsdn->dn = normed;
+            ncsdn->ndn_len = dnlen;
+            ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+        } else if (rc > 0) { /* rc > 0 */
+            slapi_ch_free_string(&udn);
+            ncsdn->dn = normed;
+            ncsdn->ndn_len = dnlen;
+            ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+        }
+        /* else (rc < 0); normzlization failed. return NULL */
+        return sdn->dn;
+    } else {
+        return NULL;
+    }
 }
const char *
 slapi_sdn_get_ndn(const Slapi_DN *sdn)
 {
-    if(sdn->ndn==NULL)
-    {
-        if(sdn->dn!=NULL)
-        {
-            char *p= slapi_ch_strdup(sdn->dn);
-            char *normed = NULL;
-            size_t dnlen = 0;
-            int rc = 0;
-
-            Slapi_DN *ncsdn= (Slapi_DN*)sdn; /* non-const Slapi_DN */
-            rc = slapi_dn_normalize_case_ext(p, 0, &normed, &dnlen);
-            if (rc < 0) {
-                /* we give up, just set dn to ndn */
-                slapi_dn_ignore_case(p); /* ignore case */
-                ncsdn->ndn = p;
-                ncsdn->ndn_len = strlen(p);
-            } else if (rc == 0) { /* p is passed in */
-                *(normed + dnlen) = '\0';
-                ncsdn->ndn = normed;
-                ncsdn->ndn_len = dnlen;
-            } else { /* rc > 0 */
-                slapi_ch_free_string(&p);
-                ncsdn->ndn = normed;
-                ncsdn->ndn_len = dnlen;
-            }
-            ncsdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_NDN);
-            PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_created);
-            PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
-        }
+    if (NULL == sdn) {
+        return NULL;
+    }
+    if (sdn->ndn) {
+        return sdn->ndn;
+    } else if (sdn->dn || sdn->udn) {
+        Slapi_DN *ncsdn = (Slapi_DN*)sdn; /* non-const Slapi_DN */
+        char *ndn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+        slapi_dn_ignore_case(ndn); /* ignore case */
+        ncsdn->ndn = ndn;
+        ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_NDN);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
+        return ndn;
+    } else {
+        return NULL;
+    }
+}
+
+const char *
+slapi_sdn_get_udn(const Slapi_DN *sdn)
+{
+    if (sdn->udn) {
+        return sdn->udn;
+    } else if (sdn->dn) {
+        return sdn->dn;
+    } else if (sdn->ndn) {
+        return sdn->ndn;
+    } else {
+        return NULL;
     }
-    return sdn->ndn;
 }
void
@@ -2123,52 +2307,45 @@ Slapi_DN *
 slapi_sdn_dup(const Slapi_DN *sdn)
 {
    Slapi_DN *tmp;
-    SDN_DUMP( sdn, "slapi_sdn_dup");
-    tmp=slapi_sdn_new_dn_byval(slapi_sdn_get_dn(sdn));
-	/* can't use slapi_set_ndn_byval -- it nulls the dn */
-	tmp->flag= slapi_setbit_uchar(tmp->flag,FLAG_NDN);
-	if(sdn->ndn!=NULL)
-	{
-		tmp->ndn= slapi_ch_strdup(sdn->ndn);
-		tmp->ndn_len=sdn->ndn_len;
-	} else tmp->ndn=NULL;
+	SDN_DUMP( sdn, "slapi_sdn_dup");
+	tmp = slapi_sdn_new_normdn_byval(slapi_sdn_get_dn(sdn));
    return tmp;
 }
void
 slapi_sdn_copy(const Slapi_DN *from, Slapi_DN *to)
 {
-    SDN_DUMP( from, "slapi_sdn_copy from");
-    SDN_DUMP( to, "slapi_sdn_copy to");
+	SDN_DUMP( from, "slapi_sdn_copy from");
+	SDN_DUMP( to, "slapi_sdn_copy to");
    slapi_sdn_done(to);
-	slapi_sdn_set_dn_byval(to,slapi_sdn_get_dn(from));
+	slapi_sdn_set_normdn_byval(to, slapi_sdn_get_dn(from));
 }
int
 slapi_sdn_compare( const Slapi_DN *sdn1, const Slapi_DN *sdn2 )
 {
-    int rc;
-    const char *ndn1= slapi_sdn_get_ndn(sdn1);
-    const char *ndn2= slapi_sdn_get_ndn(sdn2);
+	int rc;
+	const char *ndn1= slapi_sdn_get_ndn(sdn1);
+	const char *ndn2= slapi_sdn_get_ndn(sdn2);
    if(ndn1==ndn2)
    {
        rc= 0;
    }
    else
    {
-	    if(ndn1==NULL)
+		if(ndn1==NULL)
    	{
    	    rc= -1;
    	}
    	else
    	{
-    	    if(ndn2==NULL)
-    		{
-    		    rc= 1;
-    		}
-    		else
-    		{
-                rc= strcmp(ndn1,ndn2);
+			if(ndn2==NULL)
+			{
+				rc= 1;
+			}
+			else
+			{
+				rc= strcmp(ndn1,ndn2);
    		}
    	}
    }
@@ -2176,22 +2353,25 @@ slapi_sdn_compare( const Slapi_DN *sdn1, const Slapi_DN *sdn2 )
 }
int
-slapi_sdn_isempty( const Slapi_DN *sdn)
+slapi_sdn_isempty(const Slapi_DN *sdn)
 {
-    const char *dn= slapi_sdn_get_dn(sdn);
+	const char *dn = NULL;
+	if (sdn) {
+		dn = slapi_sdn_get_dn(sdn);
+	}
    return (dn==NULL || dn[0]=='\0');
 }
int
 slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
 {
-    int rc;
-    const char *dn= slapi_sdn_get_ndn(sdn);
+	int rc;
+	const char *dn= slapi_sdn_get_ndn(sdn);
    const char *suffixdn= slapi_sdn_get_ndn(suffixsdn);
    if(dn!=NULL && suffixdn!=NULL)
    {
-    	int dnlen = slapi_sdn_get_ndn_len(sdn);
-        int suffixlen= slapi_sdn_get_ndn_len(suffixsdn);
+		int dnlen = slapi_sdn_get_ndn_len(sdn);
+		int suffixlen= slapi_sdn_get_ndn_len(suffixsdn);
    	if (dnlen<suffixlen)
    	{
    	    rc= 0;
@@ -2203,9 +2383,8 @@ slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
    			return ( 1 );
    		}
-        	rc= ( (strcasecmp(suffixdn, dn+dnlen-suffixlen)==0)
-					&& ( (dnlen == suffixlen)
-						 || DNSEPARATOR(dn[dnlen-suffixlen-1])) );
+			rc = (((dnlen == suffixlen) || DNSEPARATOR(dn[dnlen-suffixlen-1]))
+			      && (strcasecmp(suffixdn, dn+dnlen-suffixlen)==0));
    	}
    }
    else
@@ -2219,11 +2398,11 @@ slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
 int
 slapi_sdn_get_ndn_len(const Slapi_DN *sdn)
 {
-    int r= 0;
-	(void)slapi_sdn_get_ndn(sdn); /* does the normalization if needed */
-	if(sdn->ndn!=NULL)
+    int r = 0;
+	(void)slapi_sdn_get_dn(sdn); /* does the normalization if needed */
+	if(sdn->dn || sdn->ndn)
    {
-		r= sdn->ndn_len;	
+		r = sdn->ndn_len;	
    }
    return r;
 }
@@ -2296,7 +2475,7 @@ slapi_sdn_scope_test( const Slapi_DN *dn, const Slapi_DN *base, int scope )
  * build the new dn of an entry for moddn operations
  */
 char *
-slapi_moddn_get_newdn(Slapi_DN *dn_olddn, char *newrdn, char *newsuperiordn)
+slapi_moddn_get_newdn(Slapi_DN *dn_olddn, const char *newrdn, const char *newsuperiordn)
 {
     char *newdn;
    
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index e3bfb18..727e999 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -1426,18 +1426,17 @@ dse_delete_entry(struct dse* pdse, Slapi_PBlock *pb, const Slapi_Entry *e)
 int
 dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from this function! */
 {
-	char *dn; /* The bind DN */
    int	method; /* The bind method */
    struct berval *cred; /* The bind credentials */
    Slapi_Value **bvals; 
     struct dse* pdse;
    Slapi_Attr *attr;
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
    Slapi_Entry *ec= NULL;
/*Get the parameters*/
    if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-		slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn ) < 0 ||
+		slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) < 0 ||
    	slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) < 0 ||
    	slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &cred ) < 0){
    	slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1456,13 +1455,10 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
    	return( SLAPI_BIND_FAIL );
    }
-	/* Find the entry that the person is attempting to bind as */
-	slapi_sdn_init_dn_byref(&sdn,dn);
-    ec = dse_get_entry_copy(pdse,&sdn,DSE_USE_LOCK);
+    ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
     if ( ec == NULL )
    {
    	slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
    	return( SLAPI_BIND_FAIL );
    }
@@ -1475,7 +1471,6 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
    	{
    		slapi_send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL );
    		slapi_entry_free(ec);
-			slapi_sdn_done(&sdn);
    		return SLAPI_BIND_FAIL;
    	}
    	bvals= attr_get_present_values( attr );
@@ -1485,7 +1480,6 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
    	{
    		slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL );
    		slapi_entry_free(ec);
-			slapi_sdn_done(&sdn);
    		value_done(&cv);
    		return SLAPI_BIND_FAIL;
    	}
@@ -1496,11 +1490,9 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
    default:
    	slapi_send_ldap_result( pb, LDAP_STRONG_AUTH_NOT_SUPPORTED, NULL, "auth method not supported", 0, NULL );
    	slapi_entry_free(ec);
-		slapi_sdn_done(&sdn);
    	return SLAPI_BIND_FAIL;
    }
    slapi_entry_free(ec);
-	slapi_sdn_done(&sdn);
    /* success:  front end will send result */
    return SLAPI_BIND_SUCCESS;
 }
@@ -1647,7 +1639,6 @@ do_dse_search(struct dse* pdse, Slapi_PBlock *pb, int scope, const Slapi_DN *bas
 int
 dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *base; /*Base of the search*/
     int scope; /*Scope of the search*/
     Slapi_Filter *filter; /*The filter*/
     char **attrs; /*Attributes*/
@@ -1657,7 +1648,7 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     int returncode= LDAP_SUCCESS;
     int isrootdse= 0;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN basesdn;
+	Slapi_DN *basesdn = NULL;
    int estimate = 0; /* estimated search result set size */
/* 
@@ -1666,7 +1657,7 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
      * more or less directly from the client.
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base ) < 0 ||
+        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_ATTRS, &attrs ) < 0 ||
@@ -1675,27 +1666,23 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
         return(-1);
     }
-
-	slapi_sdn_init_dn_byref(&basesdn,base);
-	
     /*
      * Sadly the root dse is still a special case.  We must not allow
      * acl checks on it, or allow onelevel or subtree searches on it.
      */
-    isrootdse= slapi_sdn_isempty(&basesdn);
+    isrootdse= slapi_sdn_isempty(basesdn);
switch(scope)
     {
     case LDAP_SCOPE_BASE:
         {
    	Slapi_Entry *baseentry= NULL;
-	    baseentry = dse_get_entry_copy(pdse,&basesdn,DSE_USE_LOCK);
+	    baseentry = dse_get_entry_copy(pdse, basesdn, DSE_USE_LOCK);
         if ( baseentry == NULL )
         {
             slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
    		slapi_log_error(SLAPI_LOG_PLUGIN,"dse_search", "node %s was not found\n",
-								 slapi_sdn_get_dn(&basesdn));
-			slapi_sdn_done(&basesdn);
+								 slapi_sdn_get_dn(basesdn));
             return -1;
         }
         /* 
@@ -1726,14 +1713,13 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     case LDAP_SCOPE_SUBTREE:
         if(!isrootdse)
         {
-            estimate = do_dse_search(pdse, pb, scope, &basesdn, filter, attrs, attrsonly);
+            estimate = do_dse_search(pdse, pb, scope, basesdn, filter, attrs, attrsonly);
         }
         break;
     }
    slapi_pblock_set (pb, SLAPI_SEARCH_RESULT_SET_SIZE_ESTIMATE, &estimate);
/* Search is done, send LDAP_SUCCESS */
-	slapi_sdn_done(&basesdn);
     return 0;
 }
@@ -1756,19 +1742,19 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 {
     int	err; /*House keeping stuff*/
     LDAPMod **mods; /*Used to apply the modifications*/
-    char *dn; /*Storage for the dn*/
     char *errbuf = NULL; /* To get error back */
     struct dse* pdse;
     Slapi_Entry *ec= NULL;
     Slapi_Entry *ecc= NULL;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
    int dont_write_file = 0; /* default */
PR_ASSERT(pb);
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn ) < 0 ||
+        /* slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn ) < 0 || */
+        slapi_pblock_get( pb, SLAPI_MODIFY_TARGET_SDN, &sdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods ) < 0 || (NULL == pdse))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1780,14 +1766,11 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         return( -1 );
     }
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
     /* Find the entry we are about to modify. */
-    ec = dse_get_entry_copy(pdse,&sdn,DSE_USE_LOCK);
+    ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
     if ( ec == NULL )
     {
         slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
@@ -1797,7 +1780,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     {
         slapi_send_ldap_result( pb, err, NULL, errbuf, 0, NULL );
         if (errbuf)  slapi_ch_free ((void**)&errbuf);
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
@@ -1817,7 +1799,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         {
         /* Error occured in the callback -- return error code from callback */
         slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
-		slapi_sdn_done(&sdn);
    	return dse_modify_return( -1, ec, ecc );
         }
@@ -1825,7 +1806,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         {
         /* Callback says don't apply the changes -- return Success */
    	slapi_send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
    	return dse_modify_return( 0, ec, ecc );
         }
@@ -1861,7 +1841,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
    	{
    		/* entry_apply_mods() failed above, so return an error now */
             slapi_send_ldap_result( pb, err, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
             return dse_modify_return( -1, ec, ecc );
    	}
         break;
@@ -1875,7 +1854,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_OBJECT_CLASS_VIOLATION, NULL, errtext, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
@@ -1886,7 +1864,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, errtext, 0, NULL );
-        slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
@@ -1895,7 +1872,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     if (dse_replace_entry( pdse, ecc, !dont_write_file, DSE_USE_LOCK )!=0 )
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
     slapi_pblock_set( pb, SLAPI_ENTRY_POST_OP, slapi_entry_dup(ecc) ); /* JCM - When does this get free'd? */
@@ -1904,7 +1880,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
-	slapi_sdn_done(&sdn);
     return dse_modify_return(0, ec, ecc);
 }
@@ -1922,7 +1897,6 @@ dse_add_return( int rv, Slapi_Entry *e)
 int
 dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *dn = NULL;
     Slapi_Entry *e; /*The new entry to add*/
    Slapi_Entry *e_copy = NULL; /* copy of added entry */
     char *errbuf = NULL;
@@ -1932,14 +1906,14 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
     struct dse* pdse;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
    Slapi_DN parent;
/*
      * Get the database, the dn and the entry to add
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn ) < 0 ||
+        slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e ) < 0 || (NULL == pdse))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1951,8 +1925,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         return( error );
     }
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
     /*
      * Check to make sure the entry passes the schema check
      */
@@ -1963,7 +1935,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
    			"dse_add: entry failed schema check\n", 0, 0, 0 );
    slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_OBJECT_CLASS_VIOLATION, NULL, errtext, 0, NULL );
-		slapi_sdn_done(&sdn);
         return error;
     }
@@ -1975,7 +1946,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
                                 "dse_add: entry failed syntax check\n", 0, 0, 0 );
         slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, errtext, 0, NULL );
-        slapi_sdn_done(&sdn);
         return error;
     }
@@ -1983,7 +1953,7 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
      * Attempt to find this dn.
      */
     {
-        Slapi_Entry *existingentry= dse_get_entry_copy( pdse, &sdn, DSE_USE_LOCK );
+        Slapi_Entry *existingentry= dse_get_entry_copy( pdse, sdn, DSE_USE_LOCK );
         if(existingentry!=NULL)
         {
             /*
@@ -1991,7 +1961,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
              * whose dn matches dn, so tell the user and return
              */
             slapi_send_ldap_result( pb, LDAP_ALREADY_EXISTS, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
    		slapi_entry_free(existingentry);
    		return dse_add_return(error, NULL);
         }
@@ -2003,7 +1972,7 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
      * add the entry.
      */
    slapi_sdn_init(&parent);
-	slapi_sdn_get_parent(&sdn,&parent);
+	slapi_sdn_get_parent(sdn, &parent);
     if ( !slapi_sdn_isempty(&parent) )
     {
        Slapi_Entry *parententry= NULL;
@@ -2012,7 +1981,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         {
             slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: parent does not exist\n", 0, 0, 0 );
-			slapi_sdn_done(&sdn);
    		slapi_sdn_done(&parent);
    		return dse_add_return(error, NULL);
         }
@@ -2023,7 +1991,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: no access to parent\n", 0, 0, 0 );
             slapi_send_ldap_result( pb, rc, NULL, NULL, 0, NULL );
             slapi_ch_free((void**)&errbuf);
-			slapi_sdn_done(&sdn);
    		slapi_sdn_done(&parent);
    		return dse_add_return(rc, NULL);
         }
@@ -2037,7 +2004,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         {
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: no parent and not root\n", 0, 0, 0 );
             slapi_send_ldap_result( pb, LDAP_INSUFFICIENT_ACCESS, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
    		slapi_sdn_done(&parent);
    		return dse_add_return(error, NULL);
         }
@@ -2060,7 +2026,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
    		NULL, &returncode, returntext)!=SLAPI_DSE_CALLBACK_OK)
     {
         slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
-		slapi_sdn_done(&sdn);
    	return dse_add_return(error, NULL);
     }
@@ -2069,7 +2034,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
     if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
    	return dse_add_return(error, NULL);
     }
    /* The postop must be called after the write lock is released. */
@@ -2083,9 +2047,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
    /* entry has been freed, so make sure no one tries to use it later */
    slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
-    /* Free the dn, and return */
-	slapi_sdn_done(&sdn);
-
    return dse_add_return(rc, e);
 }
@@ -2104,40 +2065,37 @@ dse_delete_return( int rv, Slapi_Entry *ec)
 int
 dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *dn = NULL;
     int rc= -1;
-	int dont_write_file = 0;	/* default */
+    int dont_write_file = 0;	/* default */
     struct dse* pdse = NULL;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
     char *entry_str = "entry";
     char *errbuf = NULL;
-	char *attrs[2] =  { NULL, NULL };
-	Slapi_DN sdn;
-	Slapi_Entry *ec = NULL; /* copy of entry to delete */
+    char *attrs[2] =  { NULL, NULL };
+    Slapi_DN *sdn = NULL;
+    Slapi_Entry *ec = NULL; /* copy of entry to delete */
/*
      * Get the database and the dn
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn ) < 0 || (pdse == NULL))
+        slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn ) < 0 ||
+        (pdse == NULL))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
         return rc;
     }
-	slapi_pblock_get(pb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING, &dont_write_file);
-	if ( !dont_write_file && dse_check_for_readonly_error(pb,pdse)) {
+    slapi_pblock_get(pb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING, &dont_write_file);
+    if ( !dont_write_file && dse_check_for_readonly_error(pb,pdse)) {
         return( rc );
     }
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
-    ec= dse_get_entry_copy( pdse, &sdn, DSE_USE_LOCK );
+    ec= dse_get_entry_copy( pdse, sdn, DSE_USE_LOCK );
     if (ec == NULL)
     {
         slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
@@ -2147,7 +2105,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     if(dse_numsubordinates(ec)>0)
     {
         slapi_send_ldap_result( pb, LDAP_NOT_ALLOWED_ON_NONLEAF, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
@@ -2161,7 +2118,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     {
         slapi_send_ldap_result( pb, returncode, NULL, NULL, 0, NULL );
         slapi_ch_free ( (void**)&errbuf );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
@@ -2175,7 +2131,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     else
     {
         slapi_send_ldap_result( pb, returncode, NULL, NULL, 0, NULL );
-        slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
@@ -2183,7 +2138,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
    slapi_pblock_set( pb, SLAPI_ENTRY_PRE_OP, slapi_entry_dup( ec ));
-	slapi_sdn_done(&sdn);
     return dse_delete_return(0, ec);
 }
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 8a91e39..03f2767 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -276,18 +276,22 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
    				normdn = 
    					slapi_dn_normalize_original(slapi_ch_strdup(rawdn));
    			} else {
-					normdn = slapi_create_dn_string("%s", rawdn);
-					if (NULL == normdn) {
-						LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  		"str2entry_fast: Invalid DN: %s\n", rawdn);
-						slapi_entry_free( e );
-						if (freeval) slapi_ch_free_string(&value.bv_val);
-						e = NULL;
-						goto done;
+					if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+						normdn = slapi_ch_strdup(rawdn);
+					} else {
+						normdn = slapi_create_dn_string("%s", rawdn);
+						if (NULL == normdn) {
+							LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+							     "str2entry_fast: Invalid DN: %s\n", rawdn);
+							slapi_entry_free( e );
+							if (freeval) slapi_ch_free_string(&value.bv_val);
+							e = NULL;
+							goto done;
+						}
    				}
    			}
    			/* normdn is consumed in e */
-				slapi_entry_set_dn(e, normdn);
+				slapi_entry_set_normdn(e, normdn);
    		}
    		if ( NULL == slapi_entry_get_rdn_const( e )) {
    			if (normdn) {
@@ -298,14 +302,19 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
    					normdn = 
    						slapi_dn_normalize_original(slapi_ch_strdup(rawdn));
    				} else {
-						normdn = slapi_create_dn_string("%s", rawdn);
-						if (NULL == normdn) {
-							LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  		"str2entry_fast: Invalid DN: %s\n", rawdn);
-							slapi_entry_free( e );
-							if (freeval) slapi_ch_free_string(&value.bv_val);
-							e = NULL;
-							goto done;
+						if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+							normdn = slapi_ch_strdup(rawdn);
+						} else {
+							normdn = slapi_create_dn_string("%s", rawdn);
+							if (NULL == normdn) {
+								LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+								    "str2entry_fast: Invalid DN: %s\n", rawdn);
+								slapi_entry_free( e );
+								if (freeval) 
+								    slapi_ch_free_string(&value.bv_val);
+								e = NULL;
+								goto done;
+							}
    					}
    				}
    				/* normdn is just referred in slapi_entry_set_rdn. */
@@ -345,7 +354,7 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
    			goto done;
    		}
    		/* normdn is consumed in e */
-			slapi_entry_set_dn(e, normdn);
+			slapi_entry_set_normdn(e, normdn);
/* the memory below was not allocated by the slapi_ch_ functions */
    		if (freeval) slapi_ch_free_string(&value.bv_val);
@@ -429,7 +438,6 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
    		if (slapi_attr_is_dn_syntax_attr(*a)) {
    			int rc = 0;
    			char *dn_aval = NULL;
-				size_t dnlen = 0;
    			if (strict) {
    				/* check that the dn is formatted correctly */
    				rc = slapi_dn_syntax_check(NULL, value.bv_val, 1);
@@ -447,23 +455,14 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
    				dn_aval = slapi_dn_normalize_original(value.bv_val);
    				slapi_value_set(svalue, dn_aval, strlen(dn_aval));
    			} else {
-					rc = slapi_dn_normalize_ext(value.bv_val, 
-												value.bv_len, &dn_aval, &dnlen);
-					if 	(rc < 0) {
-						/* Give up normalizing the attribute value */
-						LDAPDebug2Args(LDAP_DEBUG_TRACE,
-							       "str2entry_fast: Invalid DN value: %s: %s\n",
-							       type.bv_val, value.bv_val);
-						dn_aval = value.bv_val;
-						dnlen = value.bv_len;
-					} else if (rc == 0) { /* rc == 0; valuecharptr is passed in;
-											 not null terminated */
-						*(dn_aval + dnlen) = '\0';
-					}
-					slapi_value_set(svalue, dn_aval, dnlen);
-					if (rc > 0) { /* if rc == 0, valuecharptr is passed in */
-						slapi_ch_free_string(&dn_aval);
-					}
+					Slapi_DN *sdn = slapi_sdn_new_dn_byref(value.bv_val);
+					/* Note: slapi_sdn_get_dn returns normalized DN with
+					 * case-intact. Thus, the length of dn_aval is 
+					 * slapi_sdn_get_ndn_len(sdn). */
+					dn_aval = (char *)slapi_sdn_get_dn(sdn);
+					slapi_value_set(svalue, (void *)dn_aval,
+					                slapi_sdn_get_ndn_len(sdn));
+					slapi_sdn_free(&sdn);
    			}
    		} else {
    			slapi_value_set_berval(svalue, &value);
@@ -809,34 +808,42 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
if ( rawdn ) {
    		if ( NULL == slapi_entry_get_dn_const(e) ) {
-				normdn = slapi_create_dn_string("%s", rawdn);
-				if (NULL == normdn) {
-					LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
-					slapi_entry_free( e );
-					if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
-					csn_free(&attributedeletioncsn);
-					csn_free(&maxcsn);
-					return NULL;
-				}
-				/* normdn is consumed in e */
-				slapi_entry_set_dn(e, normdn);
-			}
-			if ( NULL == slapi_entry_get_rdn_const(e) ) {
-				if (normdn) {
-					/* normdn is just referred in slapi_entry_set_rdn. */
-					slapi_entry_set_rdn(e, normdn);
+				if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+					normdn = slapi_ch_strdup(rawdn);
    			} else {
    				normdn = slapi_create_dn_string("%s", rawdn);
    				if (NULL == normdn) {
    					LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-						         "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
+						    "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
    					slapi_entry_free( e );
    					if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
    					csn_free(&attributedeletioncsn);
    					csn_free(&maxcsn);
    					return NULL;
    				}
+				}
+				/* normdn is consumed in e */
+				slapi_entry_set_normdn(e, normdn);
+			}
+			if ( NULL == slapi_entry_get_rdn_const(e) ) {
+				if (normdn) {
+					/* normdn is just referred in slapi_entry_set_rdn. */
+					slapi_entry_set_rdn(e, normdn);
+				} else {
+					if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+						normdn = slapi_ch_strdup(rawdn);
+					} else {
+						normdn = slapi_create_dn_string("%s", rawdn);
+						if (NULL == normdn) {
+						LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+							     "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
+							slapi_entry_free( e );
+							if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
+							csn_free(&attributedeletioncsn);
+							csn_free(&maxcsn);
+							return NULL;
+						}
+					}
    				/* normdn is just referred in slapi_entry_set_rdn. */
    				slapi_entry_set_rdn(e, normdn);
    				slapi_ch_free_string(&normdn);
@@ -866,7 +873,7 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
    			goto free_and_return;
    		}
    		/* normdn is consumed in e */
-			slapi_entry_set_dn(e, normdn);
+			slapi_entry_set_normdn(e, normdn);
    		/* the memory below was not allocated by the slapi_ch_ functions */
    		if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
    	    continue;
@@ -1019,8 +1026,8 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
    	sa = prev_attr;	/* For readability */
    	value= value_new(NULL, CSN_TYPE_NONE, NULL);
    	if (slapi_attr_is_dn_syntax_attr(&(sa->sa_attr))) {
-			char *dn_aval = NULL;
-			size_t dnlen = 0;
+			Slapi_DN *sdn = NULL;
+			const char *dn_aval = NULL;
    		if (strict) {
    			/* check that the dn is formatted correctly */
    			rc = slapi_dn_syntax_check(NULL, valuecharptr, 1);
@@ -1033,22 +1040,13 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
    				goto free_and_return;
    			}
    		}
-			rc = slapi_dn_normalize_ext(bvvalue.bv_val, bvvalue.bv_len, &dn_aval, &dnlen);
-			if (rc < 0) {
-				/* Give up normalizing the attribute value */
-				LDAPDebug2Args(LDAP_DEBUG_TRACE,
-							   "str2entry_dupcheck: Invalid DN value: %s: %s\n",
-							   type, valuecharptr);
-				dn_aval = valuecharptr;
-				dnlen = bvvalue.bv_len;
-			}
-			slapi_value_set(value, dn_aval, dnlen);
-			if (rc > 0) { /* if rc == 0, valuecharptr is passed in */
-				slapi_ch_free_string(&dn_aval);
-			} else if (rc == 0) { /* rc == 0; valuecharptr is passed in; 
-									 not null terminated */
-				*(dn_aval + dnlen) = '\0';
-			}
+			sdn = slapi_sdn_new_dn_byref(bvvalue.bv_val);
+			/* Note: slapi_sdn_get_dn returns the normalized DN 
+			 * with case-intact. Thus, the length of dn_aval is 
+			 * slapi_sdn_get_ndn_len(sdn). */
+			dn_aval = slapi_sdn_get_dn(sdn);
+			slapi_value_set(value, (void *)dn_aval, slapi_sdn_get_ndn_len(sdn));
+			slapi_sdn_free(&sdn);
    	} else {
    		slapi_value_set_berval(value, &bvvalue);
    	}
@@ -1381,19 +1379,19 @@ slapi_str2entry( char *s, int flags )
  * NOTE: the first arg "dn" should have been normalized before passing.
  */
 Slapi_Entry *
-slapi_str2entry_ext( const char *dn, char *s, int flags )
+slapi_str2entry_ext( const char *normdn, char *s, int flags )
 {
    Slapi_Entry *e;
    int read_stateinfo= ~( flags & SLAPI_STR2ENTRY_IGNORE_STATE );
-	if (NULL == dn)
+	if (NULL == normdn)
    {
    	return slapi_str2entry( s, flags );
    }
LDAPDebug( LDAP_DEBUG_ARGS,
    		"slapi_str2entry_ext: flags=0x%x, dn="%s", entry="%.50s..."\n",
-			flags, dn, s );
+			flags, normdn, s );
/*
@@ -1404,11 +1402,13 @@ slapi_str2entry_ext( const char *dn, char *s, int flags )
    if ( 0 != ( flags & SLAPI_STR2ENTRY_NOT_WELL_FORMED_LDIF ) ||
    		0 != ( flags & ~SLAPI_STRENTRY_FLAGS_HANDLED_BY_STR2ENTRY_FAST ))
    {
-	    e= str2entry_dupcheck( dn, s, flags, read_stateinfo );
+	    e = str2entry_dupcheck( normdn, s, 
+	                    flags|SLAPI_STR2ENTRY_DN_NORMALIZED, read_stateinfo );
    }
    else
    {
-	    e= str2entry_fast( dn, s, flags, read_stateinfo );
+	    e = str2entry_fast( normdn, s, 
+	                    flags|SLAPI_STR2ENTRY_DN_NORMALIZED, read_stateinfo );
    }
    if (!e)
    	return e;	/* e == NULL */
@@ -1941,15 +1941,30 @@ void
 slapi_entry_init(Slapi_Entry *e, char *dn, Slapi_Attr *a)
 {
     slapi_sdn_set_dn_passin(slapi_entry_get_sdn(e), dn);
-	e->e_uniqueid= NULL;
+    e->e_uniqueid= NULL;
     e->e_attrs= a;
     e->e_dncsnset= NULL;
     e->e_maxcsn= NULL;
-	e->e_deleted_attrs= NULL;
-	e->e_virtual_attrs= NULL;
-	e->e_virtual_watermark= 0;
-	e->e_virtual_lock= slapi_new_rwlock();
-	e->e_flags= 0;
+    e->e_deleted_attrs= NULL;
+    e->e_virtual_attrs= NULL;
+    e->e_virtual_watermark= 0;
+    e->e_virtual_lock= slapi_new_rwlock();
+    e->e_flags= 0;
+}
+
+void
+slapi_entry_init_ext(Slapi_Entry *e, Slapi_DN *sdn, Slapi_Attr *a)
+{
+	slapi_sdn_copy(sdn, slapi_entry_get_sdn(e));
+    e->e_uniqueid= NULL;
+    e->e_attrs= a;
+    e->e_dncsnset= NULL;
+    e->e_maxcsn= NULL;
+    e->e_deleted_attrs= NULL;
+    e->e_virtual_attrs= NULL;
+    e->e_virtual_watermark= 0;
+    e->e_virtual_lock= slapi_new_rwlock();
+    e->e_flags= 0;
 }
void
@@ -2004,10 +2019,10 @@ static size_t slapi_dn_size(Slapi_DN *sdn)
     if (sdn == NULL) return 0;
if (slapi_sdn_get_dn(sdn)) {
-        size += strlen(slapi_sdn_get_dn(sdn)) + 1;
+        size += slapi_sdn_get_ndn_len(sdn) + 1;
     }
     if (slapi_sdn_get_ndn(sdn)) {
-        size += strlen(slapi_sdn_get_ndn(sdn)) + 1;
+        size += slapi_sdn_get_ndn_len(sdn) + 1;
     }
return size;
@@ -2182,6 +2197,12 @@ slapi_entry_set_dn( Slapi_Entry *e, char *dn )
     slapi_sdn_set_dn_passin(slapi_entry_get_sdn(e),dn);
 }
+void
+slapi_entry_set_normdn( Slapi_Entry *e, char *dn )
+{
+    slapi_sdn_set_normdn_passin(slapi_entry_get_sdn(e), dn);
+}
+
 /*
  * WARNING - The DN is copied.
  *           The DN could be dn or RDN.
@@ -3166,18 +3187,18 @@ slapi_entry_rename(Slapi_Entry *e, const char *newrdn, int deleteoldrdn, const c
     /* Build new DN.  If newsuperior is set, just use "newrdn,newsuperior".  If
      * newsuperior is not set, need to add newrdn to old superior. */
     if (newsuperior) {
-        newdn = slapi_ch_smprintf("%s,%s", newrdn, newsuperior);
+        newdn = slapi_create_dn_string("%s,%s", newrdn, newsuperior);
     } else {
         char *oldsuperior = NULL;
oldsuperior = slapi_dn_parent(olddn);
-        newdn = slapi_ch_smprintf("%s,%s", newrdn, oldsuperior);
+        newdn = slapi_create_dn_string("%s,%s", newrdn, oldsuperior);
slapi_ch_free_string(&oldsuperior);
     }
/* Set the new DN in the entry.  This hands off the memory used by newdn to the entry. */
-    slapi_entry_set_dn(e, newdn);
+    slapi_entry_set_normdn(e, newdn);
/* Set the RDN in the entry. */
     slapi_entry_set_rdn(e, newdn);
@@ -3826,8 +3847,8 @@ slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **curr_entries,
                 }
                 if (0 == isfirst && force_update && testall)
                 {
-                    slapi_modify_internal_set_pb(&pb, 
-                                slapi_entry_get_dn_const(*oep),
+                    slapi_modify_internal_set_pb_ext(&pb, 
+                                slapi_entry_get_sdn_const(*oep),
                                 slapi_mods_get_ldapmods_byref(smods),
                                 NULL, NULL, plg_id, 0);
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index 17b2f7b..8f25b27 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -54,8 +54,7 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
                                       struct berval *extval)
 {
     char *orig = NULL;
-    char *suffix = NULL;
-    size_t dnlen = 0;
+    const char *suffix = NULL;
     Slapi_DN *sdn = NULL;
     Slapi_Backend *be = NULL;
     struct berval bv;
@@ -84,28 +83,16 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
             return;
         }
     }
-    ret = slapi_dn_normalize_ext(orig, 0, &suffix, &dnlen);
-    if (ret < 0) {
-        LDAPDebug1Arg(LDAP_DEBUG_ANY,
-                      "extop_handle_import_start: invalid suffix\n", orig);
-        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
-                         "invalid suffix", 0, NULL);
-        return;
-    } else if (ret > 0) {
-        slapi_ch_free_string(&orig);
-    } else { /* ret == 0; orig is passed in; not null terminated */
-        *(suffix + dnlen) = '\0';
-    }
-    sdn = slapi_sdn_new_dn_byval(suffix);
+    sdn = slapi_sdn_new_dn_passin(orig);
     if (!sdn) {
         LDAPDebug(LDAP_DEBUG_ANY,
                   "extop_handle_import_start: out of memory\n", 0, 0, 0);
         send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
         return;
     }
+	suffix = slapi_sdn_get_dn(sdn);
     /*    be = slapi_be_select(sdn); */
     be = slapi_mapping_tree_find_backend_for_sdn(sdn);
-    slapi_sdn_free(&sdn);
     if (be == NULL || be == defbackend_get_backend()) {
         /* might be instance name instead of suffix */
         be = slapi_be_select_by_instance_name(suffix);
@@ -191,7 +178,7 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
               "Bulk import: begin import on '%s'.\n", suffix, 0, 0);
out:
-    slapi_ch_free((void **)&suffix);
+    slapi_sdn_free(&sdn);
     return;
 }
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 8a61e72..ab94628 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -1562,7 +1562,7 @@ internal_add_helper(Slapi_Entry *e, int dont_write_file)
    slapi_add_entry_internal_set_pb(&newpb, e, NULL,
    								plugin_get_default_component_id(),
    								plugin_actions);
-	slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(e));
+	slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(e));
    slapi_pblock_set(&newpb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING,
    				 (void *)&dont_write_file);
    slapi_pblock_get(&newpb, SLAPI_OPERATION, &op);
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 928d648..b9beafb 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1489,8 +1489,9 @@ int config_set_anon_limits_dn( const char *attrname, char *value, char *errorbuf
         CFG_LOCK_WRITE(slapdFrontendConfig);
slapi_ch_free ( (void **) &(slapdFrontendConfig->anon_limits_dn) );
-        slapdFrontendConfig->anon_limits_dn = slapi_ch_strdup ( value );
-         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+        slapdFrontendConfig->anon_limits_dn = 
+                                       slapi_create_dn_string("%s", value);
+        CFG_UNLOCK_WRITE(slapdFrontendConfig);
   }
   return retVal;
 }
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 059cf33..ffcdbab 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -1644,14 +1644,22 @@ process_command_line(int argc, char **argv, char *myname,
    		break;
    	case 's':       /* which suffix to include in import/export */
    		{
-			    char *s=  slapi_dn_normalize ( slapi_ch_strdup(optarg_ext) );
-			    charray_add(&db2ldif_include,s);
+				int rc = charray_normdn_add(&db2ldif_include, optarg_ext, NULL);
+				if (rc < 0) {
+					fprintf(stderr, "Invalid dn: -s %s\n", optarg_ext);
+					usage(myname, *extraname);
+					exit(1);
+				}
    		}
    		break;
    	case 'x':       /* which suffix to exclude in import/export */
    		{
-			    char *s= slapi_dn_normalize ( slapi_ch_strdup(optarg_ext) );
-			    charray_add(&db2ldif_exclude,s);
+				int rc = charray_normdn_add(&db2ldif_exclude, optarg_ext, NULL);
+				if (rc < 0) {
+					fprintf(stderr, "Invalid dn: -x %s\n", optarg_ext);
+					usage(myname, *extraname);
+					exit(1);
+				}
    		}
    		break;
    	case 'r':       /* db2ldif for replication */
diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index cc007df..64a00bf 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -245,7 +245,7 @@ Slapi_DN* slapi_mtn_get_dn(mapping_tree_node *node)
/* this will turn an array of url into a referral entry */
 static Slapi_Entry *
-referral2entry(char ** url_array, const char *target)
+referral2entry(char ** url_array, Slapi_DN *target_sdn)
 {
     int i;
     struct berval bv0,bv1,*bvals[3];
@@ -255,7 +255,7 @@ referral2entry(char ** url_array, const char *target)
         return NULL;
anEntry = slapi_entry_alloc();
-    slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
+    slapi_entry_set_sdn(anEntry, target_sdn);
bvals[2]=NULL;
     bvals[1]=&bv1;
@@ -309,7 +309,7 @@ mapping_tree_node_new(Slapi_DN *dn, Slapi_Backend **be, char **backend_names, in
     node->mtn_be_states = be_states;
     node->mtn_backend_names = backend_names;
     node->mtn_referral = referral;
-    node->mtn_referral_entry = referral2entry(referral, slapi_sdn_get_dn(dn)) ;
+    node->mtn_referral_entry = referral2entry(referral, dn) ;
     node->mtn_parent = parent;
     node->mtn_children = NULL;
     node->mtn_brother = NULL;
@@ -386,8 +386,7 @@ get_parent_from_entry(Slapi_Entry * entry)
                 *ptr = '\0';
             }
         }
-        parent_sdn = 
-                slapi_sdn_new_dn_passin(slapi_create_dn_string("%s", parent));
+        parent_sdn = slapi_sdn_new_dn_passin(slapi_ch_smprintf("%s", parent));
         slapi_ch_free_string(&origparent);
     }
@@ -433,7 +432,7 @@ get_subtree_from_entry(Slapi_Entry * entry)
                 *ptr = '\0';
             }
         }
-        subtree = slapi_sdn_new_dn_passin(slapi_create_dn_string("%s", cn));
+        subtree = slapi_sdn_new_dn_passin(slapi_ch_smprintf("%s", cn));
         slapi_ch_free_string(&origcn);
     }
@@ -1240,8 +1239,7 @@ int mapping_tree_entry_modify_callback(Slapi_PBlock *pb, Slapi_Entry* entryBefor
                 mtn_free_referral_in_node(node);
                 referral = mtn_get_referral_from_entry(entryAfter);
                 node->mtn_referral = referral;
-                node->mtn_referral_entry =
-                     referral2entry(referral, slapi_sdn_get_dn(subtree));
+                node->mtn_referral_entry = referral2entry(referral, subtree);
             } else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op))
             {
                 /* it is not OK to delete the referrals if they are still
@@ -2128,8 +2126,7 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
     Slapi_Backend * be;
     Slapi_Entry * referral;
     int scope = LDAP_SCOPE_BASE;
-    Slapi_DN sdn;
-    char *base;
+    Slapi_DN *sdn = NULL;
     int flag_partial_result = 0;
     int op_type;
@@ -2142,8 +2139,11 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
     }
/* get the operational parameters */
-    slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
-    slapi_sdn_init_dn_ndn_byref(&sdn, base); /* normalized in opshared.c */
+    slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+    if (NULL == sdn) {
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, "Error: Null target DN");
+        return LDAP_OPERATIONS_ERROR;
+    }
     slapi_pblock_get(pb, SLAPI_OPERATION, &op);
     target_sdn = operation_get_target_spec (op);
     slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &op_type);
@@ -2188,8 +2188,8 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
             /* flag we have problems at least on part of the tree */
             flag_partial_result = 1;
         }
-        else if ( ( ((!slapi_sdn_issuffix(&sdn, slapi_mtn_get_dn(node))
-            && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), &sdn))) 
+        else if ( ( ((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node))
+            && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) 
             || ((node_list == mapping_tree_root) && node->mtn_private
             && (scope != LDAP_SCOPE_BASE)) )
                     && (!be || strncmp(be->be_name, "default", 8)))
@@ -2238,7 +2238,6 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
                      &referral, errorbuf, scope);
     }
     mtn_unlock();
-    slapi_sdn_done(&sdn);
     be_list[be_index] = NULL;
     referral_list[referral_index] = NULL;
@@ -2839,8 +2838,8 @@ slapi_get_mapping_tree_node_configdn (const Slapi_DN *root)
         return NULL;
/* This function converts the old DN style to the new one. */
-    dn = slapi_create_dn_string("cn="%s",%s", 
-                                slapi_sdn_get_dn(root), MAPPING_TREE_BASE_DN);
+    dn = slapi_ch_smprintf("cn="%s",%s", 
+                           slapi_sdn_get_ndn(root), MAPPING_TREE_BASE_DN);
     if (NULL == dn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "slapi_get_mapping_tree_node_configdn: "
@@ -2852,6 +2851,35 @@ slapi_get_mapping_tree_node_configdn (const Slapi_DN *root)
     return dn;
 }
+Slapi_DN *
+slapi_get_mapping_tree_node_configsdn (const Slapi_DN *root)
+{
+    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
+
+    if(mapping_tree_freed){
+        /* shutdown detected */
+        return NULL;
+    }
+    if (root == NULL)
+        return NULL;
+
+    /* This function converts the old DN style to the new one. */
+    dn = slapi_ch_smprintf("cn="%s",%s", 
+                           slapi_sdn_get_dn(root), MAPPING_TREE_BASE_DN);
+    if (NULL == dn) {
+        LDAPDebug1Arg(LDAP_DEBUG_ANY,
+                      "slapi_get_mapping_tree_node_configsdn: "
+                      "failed to crate mapping tree dn for %s\n", 
+                      slapi_sdn_get_dn(root));
+        return NULL;
+    }
+
+    sdn = slapi_sdn_new_dn_passin(dn);
+
+    return sdn;
+}
+
 /* 
  * Description: this function returns root of the subtree to which the node applies
  *              
@@ -3122,13 +3150,13 @@ slapi_mtn_set_referral(const Slapi_DN *sdn, char ** referral)
     Slapi_PBlock pb;
     Slapi_Mods smods;
     int rc = LDAP_SUCCESS,i = 0, j = 0;
-    char * node_dn;
+    Slapi_DN* node_sdn;
     char **values = NULL;
     int do_modify = 0;
slapi_mods_init (&smods, 0);
-    node_dn = slapi_get_mapping_tree_node_configdn(sdn);
-    if(!node_dn){
+    node_sdn = slapi_get_mapping_tree_node_configsdn(sdn);
+    if(!node_sdn){
      /* shutdown has been detected */
         return LDAP_OPERATIONS_ERROR;
     }
@@ -3192,7 +3220,7 @@ slapi_mtn_set_referral(const Slapi_DN *sdn, char ** referral)
     if ( do_modify )
     {
         pblock_init (&pb);
-        slapi_modify_internal_set_pb (&pb, node_dn,
+        slapi_modify_internal_set_pb_ext (&pb, node_sdn,
                                 slapi_mods_get_ldapmods_byref(&smods), NULL,
                                 NULL, (void *) plugin_get_default_component_id(), 0);
         slapi_modify_internal_pb (&pb);
@@ -3202,7 +3230,7 @@ slapi_mtn_set_referral(const Slapi_DN *sdn, char ** referral)
     }
slapi_mods_done(&smods);
-    slapi_ch_free_string(&node_dn);
+    slapi_sdn_free(&node_sdn);
return rc;
 } 
@@ -3220,15 +3248,15 @@ slapi_mtn_set_state(const Slapi_DN *sdn, char *state)
     Slapi_PBlock pb;
     Slapi_Mods smods;
     int rc = LDAP_SUCCESS;
-    char * node_dn;
+    Slapi_DN *node_sdn;
     char * value;
if (NULL == state) {
         return LDAP_OPERATIONS_ERROR;
     }
-    node_dn = slapi_get_mapping_tree_node_configdn(sdn);
-    if(!node_dn){
+    node_sdn = slapi_get_mapping_tree_node_configsdn(sdn);
+    if(!node_sdn){
      /* shutdown has been detected */
         return LDAP_OPERATIONS_ERROR;
     }
@@ -3246,7 +3274,7 @@ slapi_mtn_set_state(const Slapi_DN *sdn, char *state)
     slapi_mods_init (&smods, 1);
     slapi_mods_add(&smods, LDAP_MOD_REPLACE, "nsslapd-state", strlen(state), state);
     pblock_init (&pb);
-    slapi_modify_internal_set_pb (&pb, node_dn,
+    slapi_modify_internal_set_pb_ext (&pb, node_sdn,
                             slapi_mods_get_ldapmods_byref(&smods), NULL,
                             NULL, (void *) plugin_get_default_component_id(), 0);
     slapi_modify_internal_pb (&pb);
@@ -3257,7 +3285,7 @@ slapi_mtn_set_state(const Slapi_DN *sdn, char *state)
     pblock_done(&pb);
 bail:
     slapi_ch_free_string(&value);
-    slapi_ch_free_string(&node_dn);
+    slapi_sdn_free(&node_sdn);
     return rc;
 }
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index e240237..45e55b2 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -138,7 +138,7 @@ do_modify( Slapi_PBlock *pb )
    int				ignored_some_mods = 0;
    int				has_password_mod = 0; /* number of password mods */
    char				*old_pw = NULL;	/* remember the old password */
-	char				*dn = NULL;
+	char				*rawdn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "do_modify\n", 0, 0, 0 );
@@ -168,8 +168,6 @@ do_modify( Slapi_PBlock *pb )
     */
{
-		char *rawdn = NULL;
-		size_t dnlen = 0;
    	int rc = 0;
     	if ( ber_scanf( ber, "{a", &rawdn ) == LBER_ERROR )
     	{
@@ -193,24 +191,12 @@ do_modify( Slapi_PBlock *pb )
    			return;
    		}
    	}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "MOD", rawdn?rawdn:"", "invalid dn");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-								 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free((void **) &rawdn);
-			return;
-		} else if (rc > 0) { /* if rc == 0, rawdn is passed in */
-			slapi_ch_free_string(&rawdn);
-		} else { /* rc == 0; rawdn is passed in; not null terminated */
-			*(dn + dnlen) = '\0';
-		}
    }
-	LDAPDebug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", dn, 0, 0 );
+	LDAPDebug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", rawdn, 0, 0 );
slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot);
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); 
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, rawdn );
/* collect modifications & save for later */
    slapi_mods_init(&smods, 0);
@@ -227,7 +213,7 @@ do_modify( Slapi_PBlock *pb )
    	if ( ber_scanf( ber, "{i{a[V]}}", &mod_op, &type,
    	    &mod->mod_bvalues ) == LBER_ERROR )
    	{
-			op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+			op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
    		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
    						  "decoding error", 0, NULL );
    		ber_bvecfree(mod->mod_bvalues);
@@ -240,7 +226,7 @@ do_modify( Slapi_PBlock *pb )
    	if ( !mod->mod_type || !*mod->mod_type ) {
    		char ebuf[BUFSIZ];
    		PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type);
-			op_shared_log_error_access (pb, "MOD", dn, ebuf);
+			op_shared_log_error_access (pb, "MOD", rawdn, ebuf);
    		send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL );
    		slapi_ch_free((void **)&type);
    		ber_bvecfree(mod->mod_bvalues);
@@ -254,7 +240,7 @@ do_modify( Slapi_PBlock *pb )
    	    mod->mod_op != LDAP_MOD_DELETE &&
    	    mod->mod_op != LDAP_MOD_REPLACE )
    	{
-			op_shared_log_error_access (pb, "MOD", dn, "unrecognized modify operation");
+			op_shared_log_error_access (pb, "MOD", rawdn, "unrecognized modify operation");
    		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
    						  "unrecognized modify operation", 0, NULL );
    		ber_bvecfree(mod->mod_bvalues);
@@ -267,7 +253,7 @@ do_modify( Slapi_PBlock *pb )
    	    && mod->mod_op != LDAP_MOD_DELETE
    	    && mod->mod_op != LDAP_MOD_REPLACE )
    	{
-			op_shared_log_error_access (pb, "MOD", dn, "no values given");
+			op_shared_log_error_access (pb, "MOD", rawdn, "no values given");
    		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
    						  "no values given", 0, NULL );
    		ber_bvecfree(mod->mod_bvalues);
@@ -317,7 +303,7 @@ do_modify( Slapi_PBlock *pb )
    	if ( ( len == 0 ) && ( 0 == smods.num_elements ) && !ignored_some_mods ) {
    		/* ok - empty modify - allow empty modifies */
    	} else if ( len != -1 ) {
-			op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+			op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
    		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL );
    		goto free_and_return;
    	}
@@ -326,7 +312,7 @@ do_modify( Slapi_PBlock *pb )
 #else
    if ( tag != LBER_END_OF_SEQORSET )
    {
-		op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+		op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
    	send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL );
    	goto free_and_return;
    } 
@@ -335,7 +321,7 @@ do_modify( Slapi_PBlock *pb )
    /* decode the optional controls - put them in the pblock */
    if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 )
    {
-		op_shared_log_error_access (pb, "MOD", dn, "failed to decode LDAP controls");
+		op_shared_log_error_access (pb, "MOD", rawdn, "failed to decode LDAP controls");
    	send_ldap_result( pb, err, NULL, NULL, 0, NULL );
    	goto free_and_return;
    }
@@ -362,7 +348,7 @@ do_modify( Slapi_PBlock *pb )
    	pb->pb_conn->c_needpw && pw_change == 0 )
    {
    	(void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
-		op_shared_log_error_access (pb, "MOD", dn, "need new password");
+		op_shared_log_error_access (pb, "MOD", rawdn, "need new password");
    	send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
    	goto free_and_return;
    }
@@ -387,7 +373,7 @@ do_modify( Slapi_PBlock *pb )
    ldap_mods_free (mods, 1 /* Free the Array and the Elements */);
free_and_return:;
-	slapi_ch_free ((void**)&dn);
+	slapi_ch_free ((void**)&rawdn);
    slapi_mods_done(&smods);
 }
@@ -452,8 +438,12 @@ int slapi_modify_internal_pb (Slapi_PBlock *pb)
 }
/* Initialize a pblock for a call to slapi_modify_internal_pb() */
-void slapi_modify_internal_set_pb (Slapi_PBlock *pb, const char *dn, LDAPMod **mods, LDAPControl **controls, 
-								   const char *uniqueid, Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_modify_internal_set_pb (Slapi_PBlock *pb, const char *dn, 
+                              LDAPMod **mods, LDAPControl **controls, 
+                              const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity, 
+                              int operation_flags)
 {
    Operation *op;
    PR_ASSERT (pb != NULL);
@@ -464,10 +454,40 @@ void slapi_modify_internal_set_pb (Slapi_PBlock *pb, const char *dn, LDAPMod **m
    	return;
    }
-    op= internal_operation_new(SLAPI_OPERATION_MODIFY,operation_flags);
+	op= internal_operation_new(SLAPI_OPERATION_MODIFY,operation_flags);
    slapi_pblock_set(pb, SLAPI_OPERATION, op);       
    slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)dn);
-    slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods);
+	slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods);
+	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+	if (uniqueid)
+	{
+		slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
+	}
+	slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
+}
+
+/* Initialize a pblock for a call to slapi_modify_internal_pb() */
+void
+slapi_modify_internal_set_pb_ext(Slapi_PBlock *pb, const Slapi_DN *sdn, 
+                              LDAPMod **mods, LDAPControl **controls, 
+                              const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity, 
+                              int operation_flags)
+{
+	Operation *op;
+	PR_ASSERT (pb != NULL);
+	if (pb == NULL || sdn == NULL || mods == NULL)
+	{
+		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+						"slapi_modify_internal_set_pb: NULL parameter\n");
+		return;
+	}
+
+	op= internal_operation_new(SLAPI_OPERATION_MODIFY,operation_flags);
+	slapi_pblock_set(pb, SLAPI_OPERATION, op);       
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void *)slapi_sdn_get_dn(sdn));
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void *)sdn);
+	slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods);
    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
    if (uniqueid)
    {
@@ -583,8 +603,10 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    Slapi_Entry *referral;
    Slapi_Entry	*e = NULL;
    char ebuf[BUFSIZ];
-	char *dn;
-	Slapi_DN sdn;
+	char *dn = NULL;
+	char *normdn = NULL;
+	Slapi_DN *sdn = NULL;
+	int passin_sdn = 0;
    LDAPMod	**mods, *pw_mod, **tmpmods = NULL;
    Slapi_Mods smods;
    Slapi_Mods unhashed_pw_smod;	
@@ -601,6 +623,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    char *errtext = NULL;
slapi_pblock_get (pb, SLAPI_ORIGINAL_TARGET, &dn);
+	slapi_pblock_get (pb, SLAPI_MODIFY_TARGET_SDN, &sdn);
    slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods);
    slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &tmpmods);
    slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
@@ -608,23 +631,27 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
    slapi_pblock_get (pb, SLAPI_SKIP_MODIFIED_ATTRS, &skip_modified_attrs);
-	if (dn == NULL)
-	{
-		slapi_sdn_init_dn_byref (&sdn, "");
+	if (sdn) {
+		passin_sdn = 1;
+	} else {
+		sdn = slapi_sdn_new_dn_byval(dn);
+		slapi_pblock_set(pb, SLAPI_MODIFY_TARGET_SDN, (void*)sdn);
    }
-	else
-	{
-		slapi_sdn_init_dn_byref (&sdn, dn);
+	normdn = (char *)slapi_sdn_get_dn(sdn);
+	if (dn && (strlen(dn) > 0) && (NULL == normdn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "MOD", dn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+		                 "invalid dn", 0, NULL);
+		goto free_and_return;
    }
-	slapi_pblock_set(pb, SLAPI_MODIFY_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
-
-	slapi_mods_init_passin (&smods, mods);	
+	slapi_mods_init_passin (&smods, mods);
slapi_mods_init(&unhashed_pw_smod, 0);
/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (pb->pb_op, &sdn);
+	operation_set_target_spec (pb->pb_op, sdn);
/* get the proxy auth dn if the proxy auth control is present */
    proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -643,7 +670,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    		slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn="%s"%s\n",
    						 pb->pb_conn->c_connid, 
    						 pb->pb_op->o_opid,
-							 escape_string(slapi_sdn_get_dn(&sdn), ebuf),
+							 escape_string(slapi_sdn_get_dn(sdn), ebuf),
    						 proxystr ? proxystr : "");
    	}
    	else
@@ -651,7 +678,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    		slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn="%s"%s\n",
    						 LOG_INTERNAL_OP_CON_ID,
    						 LOG_INTERNAL_OP_OP_ID,
-							 escape_string(slapi_sdn_get_dn(&sdn), ebuf),
+							 escape_string(slapi_sdn_get_dn(sdn), ebuf),
    						 proxystr ? proxystr : "");
    	}
@@ -702,8 +729,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
     * 2. If yes, then if the mods contain any passwdpolicy specific attributes.
     * 3. If yes, then it invokes corrosponding checking function.
     */
-	if ( !repl_op && !internal_op && dn &&
-		(e = get_entry(pb, slapi_dn_normalize(dn))) )
+	if ( !repl_op && !internal_op && normdn && (e = get_entry(pb, normdn)) )
    {
    	Slapi_Value target;
    	slapi_value_init(&target);
@@ -785,7 +811,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
    		valuearray_init_bervalarray(pw_mod->mod_bvalues, &va);
/* encode password */
-			pw_encodevals_ext(pb, &sdn, va);
+			pw_encodevals_ext(pb, sdn, va);
/* remove current clear value of userpassword */
    		ber_bvecfree(pw_mod->mod_bvalues);
@@ -937,13 +963,17 @@ free_and_return:
    
    if (be)
    	slapi_be_Unlock(be);
-    slapi_sdn_done(&sdn);
slapi_mods_done(&unhashed_pw_smod); /* can finalize now */
    if (unhashed_pw_attr)
    	slapi_ch_free ((void**)&unhashed_pw_attr);
slapi_ch_free_string(&proxydn);
+
+	slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &sdn);
+	if (!passin_sdn) {
+		slapi_sdn_free(&sdn);
+	}
 }
static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_unhashed)
diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c
index 24e444c..a7bb1a6 100644
--- a/ldap/servers/slapd/modrdn.c
+++ b/ldap/servers/slapd/modrdn.c
@@ -73,17 +73,16 @@ do_modrdn( Slapi_PBlock *pb )
    Slapi_Operation *operation;
    BerElement	*ber;
    char		*rawdn = NULL, *rawnewsuperior = NULL;
-	char		*dn = NULL, *newsuperior = NULL;
+	const char	*dn = NULL, *newsuperior = NULL;
    char		*rawnewrdn = NULL;
    char		*newrdn = NULL;
    int		err = 0, deloldrdn = 0;
    ber_len_t	len = 0;
-	size_t		dnlen = 0;
    char		*newdn = NULL;
    char		*parent = NULL;
-	Slapi_DN	sdn = {0};
-	Slapi_DN	snewdn = {0};
-	Slapi_DN	snewsuperior = {0};
+	Slapi_DN	sdn;
+	Slapi_DN	snewdn;
+	Slapi_DN	*snewsuperior = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 );
@@ -93,6 +92,9 @@ do_modrdn( Slapi_PBlock *pb )
    slapi_pblock_get( pb, SLAPI_OPERATION, &operation);
    ber = operation->o_ber;
+	slapi_sdn_init(&sdn);
+	slapi_sdn_init(&snewdn);
+
    /*
     * Parse the modrdn request.  It looks like this:
     *
@@ -169,34 +171,29 @@ do_modrdn( Slapi_PBlock *pb )
    		goto free_and_return;
    	}
    }
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "MODRDN", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free_string( &rawdn );
+	slapi_sdn_init_dn_passin(&sdn, rawdn);
+	dn = slapi_sdn_get_dn(&sdn);
+	if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "MODRDN", rawdn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, 
+		                 "invalid dn", 0, NULL);
    	slapi_ch_free_string( &rawnewrdn );
    	slapi_ch_free_string( &rawnewsuperior );
    	goto free_and_return;
-	} else if (err > 0) {
-		slapi_ch_free((void **) &rawdn);
-	} else { /* err == 0; rawdn is passed in; not null terminated */
-		*(dn + dnlen) = '\0';
    }
-	err = slapi_dn_normalize_ext(rawnewrdn, 0, &newrdn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "MODRDN", rawnewrdn?rawnewrdn:"", 
-									"invalid new rdn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid new rdn", 0, NULL);
+	newrdn = slapi_create_dn_string("%s", rawnewrdn);
+	if (rawnewrdn && (NULL == newrdn)) {
+		op_shared_log_error_access(pb, "MODRDN", rawnewrdn, "invalid newrdn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX,
+		                 NULL, "invalid newrdn", 0, NULL);
    	slapi_ch_free_string( &rawnewrdn );
    	slapi_ch_free_string( &rawnewsuperior );
    	goto free_and_return;
-	} else if (err > 0) {
-		slapi_ch_free((void **) &rawnewrdn);
-	} else { /* err == 0; rawnewdn is passed in; not null terminated */
-		*(newrdn + dnlen) = '\0';
    }
+	slapi_dn_ignore_case( newrdn );
+	slapi_ch_free_string( &rawnewrdn );
+
    if (rawnewsuperior) {
    	if (config_get_dn_validate_strict()) {
    		/* check that the dn is formatted correctly */
@@ -210,19 +207,8 @@ do_modrdn( Slapi_PBlock *pb )
    			goto free_and_return;
    		}
    	}
-		err = slapi_dn_normalize_ext(rawnewsuperior, 0, &newsuperior, &dnlen);
-		if (err < 0) {
-			op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
-							"invalid new superior");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid new superior", 0, NULL);
-			slapi_ch_free_string( &rawnewsuperior);
-			goto free_and_return;
-		} else if (err > 0) {
-			slapi_ch_free((void **) &rawnewsuperior);
-		} else { /* err == 0; rawnewsuperior is passed in; not terminated */
-			*(newsuperior + dnlen) = '\0';
-		}
+		snewsuperior = slapi_sdn_new_dn_passin(rawnewsuperior);
+		newsuperior = slapi_sdn_get_dn(snewsuperior);
    }
/*
@@ -230,27 +216,24 @@ do_modrdn( Slapi_PBlock *pb )
     * Note: need to check the case newrdn is given, and newsuperior
     * uses the newrdn, as well.
     */ 
-	/* Both newrdn and dn are already normalized. */
-	parent = slapi_dn_parent(dn);
+	parent = slapi_dn_parent(slapi_sdn_get_ndn(&sdn));
    newdn = slapi_ch_smprintf("%s,%s", newrdn, parent);
-	slapi_sdn_set_dn_byref(&sdn, dn);
-	slapi_sdn_set_dn_byref(&snewdn, newdn);
-	slapi_sdn_set_dn_byref(&snewsuperior, newsuperior);
-	if (0 == slapi_sdn_compare(&sdn, &snewsuperior) ||
-	    0 == slapi_sdn_compare(&snewdn, &snewsuperior)) {
-		op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+	slapi_sdn_init_normdn_passin(&snewdn, newdn); /* newdn is normalized */
+	if (0 == slapi_sdn_compare(&sdn, snewsuperior) ||
+	    0 == slapi_sdn_compare(&snewdn, snewsuperior)) {
+		op_shared_log_error_access(pb, "MODRDN", newsuperior,
    					 "new superior is identical to the entry dn");
    	send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
    					 "new superior is identical to the entry dn", 0, NULL);
    	goto free_and_return;
    }
-	if (slapi_sdn_issuffix(&snewsuperior, &sdn) ||
-	    slapi_sdn_issuffix(&snewsuperior, &snewdn)) {
+	if (slapi_sdn_issuffix(snewsuperior, &sdn) ||
+	    slapi_sdn_issuffix(snewsuperior, &snewdn)) {
    	/* E.g.,
    	 * newsuperior: ou=sub,ou=people,dc=example,dc=com
    	 * dn: ou=people,dc=example,dc=com
    	 */
-		op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+		op_shared_log_error_access(pb, "MODRDN", newsuperior,
    					 "new superior is descendent of the entry");
    	send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
    					 "new superior is descendent of the entry", 0, NULL);
@@ -273,24 +256,22 @@ do_modrdn( Slapi_PBlock *pb )
    		   deloldrdn );
slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn );
-	slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, newrdn );
-	slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR, newsuperior );
+	/* dn, newrdn and newsuperior are all normalized */
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET,
+	                  (void *)slapi_sdn_get_udn(&sdn) );
+	slapi_pblock_set( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
+	slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn );
+	slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, (void *)snewsuperior );
    slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn );
-	op_shared_rename(pb, 1 /* pass in ownership of string arguments */ );
-	goto ok_return;
+	op_shared_rename(pb, 0 /* do not pass in ownership of string arguments */ );
free_and_return:
-	slapi_ch_free_string( &dn );
-	slapi_ch_free_string( &newrdn );
-	slapi_ch_free_string( &newsuperior );
-ok_return:
    slapi_sdn_done(&sdn);
+	slapi_ch_free_string(&newrdn);
+	slapi_sdn_free(&snewsuperior);
    slapi_sdn_done(&snewdn);
-	slapi_sdn_done(&snewsuperior);
    slapi_ch_free_string(&parent);
-	slapi_ch_free_string(&newdn);
return;
 }
@@ -311,20 +292,28 @@ slapi_rename_internal(const char *iodn, const char *inewrdn, const char *inewsup
     Slapi_PBlock    pb;
     Slapi_PBlock    *result_pb = NULL;
     int             opresult= 0;
+    Slapi_DN sdn;
+    Slapi_DN newsuperiorsdn;
pblock_init (&pb);
-	slapi_rename_internal_set_pb (&pb, iodn, inewrdn, inewsuperior, deloldrdn, 
-	  controls, NULL, plugin_get_default_component_id(), 0);
+    slapi_sdn_init_dn_byref(&sdn, iodn);
+    slapi_sdn_init_dn_byref(&newsuperiorsdn, inewsuperior);
+
+    slapi_rename_internal_set_pb_ext(&pb, &sdn, inewrdn, &newsuperiorsdn,
+                                     deloldrdn, controls, NULL, 
+                                     plugin_get_default_component_id(), 0);
     rename_internal_pb (&pb);
result_pb = slapi_pblock_new();
-	if (result_pb)
-	{
-		slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
-		slapi_pblock_set(result_pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
+    if (result_pb) {
+        slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
+        slapi_pblock_set(result_pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
     }
-	pblock_done(&pb);
+
+    slapi_sdn_done(&sdn);
+    slapi_sdn_done(&newsuperiorsdn);
+    pblock_done(&pb);
return result_pb;
 }
@@ -352,32 +341,39 @@ int slapi_modrdn_internal_pb (Slapi_PBlock *pb)
    return rename_internal_pb (pb);
 }
-/* Initialize a pblock for a call to slapi_modrdn_internal_pb() */
-void slapi_rename_internal_set_pb (Slapi_PBlock *pb, const char *olddn, const char *newrdn, const char *newsuperior, int deloldrdn, 
-								   LDAPControl **controls, const char *uniqueid, Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_rename_internal_set_pb_ext(Slapi_PBlock *pb,
+                                 const Slapi_DN *olddn, 
+                                 const char *newrdn,  /* normalized */
+                                 const Slapi_DN *newsuperior, int deloldrdn, 
+                                 LDAPControl **controls, const char *uniqueid,
+                                 Slapi_ComponentId *plugin_identity, 
+                                 int operation_flags)
 {
-	Operation *op;
-	PR_ASSERT (pb != NULL);
-	if (pb == NULL || olddn == NULL || newrdn == NULL)
-	{
-		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
-						"slapi_rename_internal_set_pb: NULL parameter\n");
-		return;
-	}
+    Operation *op;
+    PR_ASSERT (pb != NULL);
+    if (pb == NULL || olddn == NULL || newrdn == NULL)
+    {
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+                        "slapi_rename_internal_set_pb: NULL parameter\n");
+        return;
+    }
-    op= internal_operation_new(SLAPI_OPERATION_MODRDN,operation_flags); 
-	slapi_pblock_set(pb, SLAPI_OPERATION, op); 
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)olddn);
+    op = internal_operation_new(SLAPI_OPERATION_MODRDN,operation_flags); 
+    slapi_pblock_set(pb, SLAPI_OPERATION, op); 
+    slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, 
+                     (void*)slapi_sdn_get_dn(olddn));
+    slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, (void*)olddn);
     slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void*)newrdn);
-    slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void*)newsuperior);
+    slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, (void*)newsuperior);
     slapi_pblock_set(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
-	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
-   	slapi_pblock_set(pb, SLAPI_MODIFY_MODS, NULL);
-	if (uniqueid)
-	{
-		slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
-	}
-	slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
+    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+       slapi_pblock_set(pb, SLAPI_MODIFY_MODS, NULL);
+    if (uniqueid)
+    {
+        slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
+    }
+    slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
 }
/* Helper functions */
@@ -418,18 +414,19 @@ static int rename_internal_pb (Slapi_PBlock *pb)
  * Beware: this function resets the following pblock elements that were
  * set by the caller:
  *
- *	SLAPI_MODRDN_TARGET
+ *	SLAPI_MODRDN_TARGET_SDN
  *	SLAPI_MODRDN_NEWRDN
- *	SLAPI_MODRDN_NEWSUPERIOR 
+ *	SLAPI_MODRDN_NEWSUPERIOR_SDN
  */
 static void
 op_shared_rename(Slapi_PBlock *pb, int passin_args)
 {
-	char			*dn, *newsuperior, *newrdn, *newdn = NULL;
+	char			*dn, *newrdn, *newdn = NULL;
+	const char		*newsuperior;
    char			**rdns;
    int				deloldrdn;
    Slapi_Backend	*be = NULL;
-	Slapi_DN		sdn = {0};
+	Slapi_DN		*origsdn = NULL;
    Slapi_Mods		smods;
    char			dnbuf[BUFSIZ];
    char			newrdnbuf[BUFSIZ];
@@ -443,13 +440,16 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
    char			*proxystr = NULL;
    int			proxy_err = LDAP_SUCCESS;
    char			*errtext = NULL;
+	Slapi_DN *sdn = NULL;
+	Slapi_DN *newsuperiorsdn = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn);
    slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
-	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior);
+	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn);
    slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
    slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
    slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
+	slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &origsdn);
    internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
/*
@@ -462,26 +462,31 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
     * that we will not free these parameters... so if passin_args is
     * zero, we need to make copies.
     *
-	 * In the case of SLAPI_MODRDN_TARGET and SLAPI_MODRDN_NEWSUPERIOR, we
-	 * replace the existing values with normalized values (because plugins
+	 * In the case of SLAPI_MODRDN_TARGET_SDN and SLAPI_MODRDN_NEWSUPERIOR_SDN,
+	 * we replace the existing values with normalized values (because plugins
     * expect these DNs to be normalized).
     */
-	if ( passin_args ) {
-		slapi_sdn_init_dn_passin(&sdn,dn);	/* freed by slapi_sdn_done() */
+
+	if (NULL == origsdn) {
+		sdn = slapi_sdn_new_dn_byval(dn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
+    }
+	if (passin_args) {
+		if (NULL == sdn) { /* origsdn is not NULL, so use it. */
+			sdn = origsdn;
+		}
    } else {
-		slapi_sdn_init_dn_byref(&sdn,dn);
-	}
-	if ( !passin_args ) {
-		newrdn = slapi_ch_strdup( newrdn );
-		newsuperior = slapi_ch_strdup( newsuperior );
-	}
-	if ( NULL != newsuperior ) {
-		slapi_dn_normalize_case( newsuperior );	/* normalize in place */
+		if (NULL == sdn) {
+			sdn = slapi_sdn_dup(origsdn);
+		}
+		newrdn = slapi_ch_strdup(newrdn);
+		newsuperiorsdn = slapi_sdn_dup(newsuperiorsdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, newsuperiorsdn);
    }
-	slapi_pblock_set (pb, SLAPI_MODRDN_TARGET,
-				(void*)slapi_ch_strdup(slapi_sdn_get_ndn (&sdn)));
-	slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn );
-	slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void *)newsuperior);
+	/* normdn = slapi_sdn_get_dn(sdn); */
+	newsuperior = slapi_sdn_get_dn(newsuperiorsdn);
/* get the proxy auth dn if the proxy auth control is present */
    proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -589,13 +594,13 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
    }
/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (pb->pb_op, &sdn);
+	operation_set_target_spec (pb->pb_op, sdn);
/*
-	 * Construct the new DN (code copied from backend
+	 * Construct the new DN (code sdn from backend
     * and modified to handle newsuperior)
     */
-	newdn = slapi_moddn_get_newdn(&sdn,newrdn,newsuperior);
+	newdn = slapi_moddn_get_newdn(sdn, newrdn, newsuperior);
/*
     * We could be serving multiple database backends.  Select the
@@ -695,8 +700,20 @@ free_and_return_nolock:
    	LDAPMod **mods;
    	char	*s;
-		slapi_ch_free((void **) &newdn);
-		slapi_sdn_done(&sdn);
+		if (passin_args) {
+			if (NULL == origsdn) {
+				slapi_sdn_free(&sdn);
+			}
+		} else {
+			slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
+			slapi_sdn_free(&sdn);
+			slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
+			slapi_ch_free_string(&newrdn);
+			slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperiorsdn);
+			slapi_sdn_free(&newsuperiorsdn);
+		}
+		slapi_ch_free_string(&newdn);
+
    	slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
    	slapi_entry_free(ecopy);
    	slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
@@ -706,13 +723,6 @@ free_and_return_nolock:
    	slapi_ch_free_string(&proxydn);
    	slapi_ch_free_string(&proxystr);
-		/* retrieve these in case a pre- or post-op plugin has changed them */
-		slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &s);
-		slapi_ch_free((void **)&s);
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &s);
-		slapi_ch_free((void **)&s);
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &s);
-		slapi_ch_free((void **)&s);
    	slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &s);
    	slapi_ch_free((void **)&s);
    }
diff --git a/ldap/servers/slapd/modutil.c b/ldap/servers/slapd/modutil.c
index 82147c6..8818817 100644
--- a/ldap/servers/slapd/modutil.c
+++ b/ldap/servers/slapd/modutil.c
@@ -201,21 +201,12 @@ slapi_mods_insert_at(Slapi_Mods *smods, LDAPMod *mod, int pos)
    slapi_attr_init(&a, mod->mod_type);
    /* Check if the type of the to-be-added values has DN syntax or not. */
    if (slapi_attr_is_dn_syntax_attr(&a)) {
-		int rc = 0;
    	struct berval **mbvp = NULL;
-		char *normed = NULL;
-		size_t len = 0;
    	for (mbvp = mod->mod_bvalues; mbvp && *mbvp; mbvp++) {
-			rc = slapi_dn_normalize_ext((*mbvp)->bv_val, (*mbvp)->bv_len,
-										&normed, &len);
-			if (rc > 0) {
-				slapi_ch_free((void **)&((*mbvp)->bv_val));
-			} else if (rc == 0) { 
-				/* original is passed in; not null terminated */
-				*(normed + len) = '\0';
-			}
-			(*mbvp)->bv_val = normed;
-			(*mbvp)->bv_len = len;
+			Slapi_DN *sdn = slapi_sdn_new_dn_byref((*mbvp)->bv_val);
+			(*mbvp)->bv_val = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+			(*mbvp)->bv_len = slapi_sdn_get_ndn_len(sdn);
+			slapi_sdn_free(&sdn);
    	}
    }
    attr_done(&a);
diff --git a/ldap/servers/slapd/operation.c b/ldap/servers/slapd/operation.c
index 185723e..1479ee9 100644
--- a/ldap/servers/slapd/operation.c
+++ b/ldap/servers/slapd/operation.c
@@ -398,17 +398,17 @@ copy_mods(LDAPMod **orig_mods)
 struct slapi_operation_parameters *
 operation_parameters_dup(struct slapi_operation_parameters *sop)
 {
-	struct slapi_operation_parameters *sop_new= (struct slapi_operation_parameters *)
+	struct slapi_operation_parameters *sop_new = (struct slapi_operation_parameters *)
    	slapi_ch_malloc(sizeof(struct slapi_operation_parameters));
    memcpy(sop_new,sop,sizeof(struct slapi_operation_parameters));
-	if(sop->target_address.dn!=NULL)
-	{
-		sop_new->target_address.dn= slapi_ch_strdup(sop->target_address.dn);
-	}
    if(sop->target_address.uniqueid!=NULL)
    {
    	sop_new->target_address.uniqueid= slapi_ch_strdup(sop->target_address.uniqueid); 
    }
+	if(sop->target_address.sdn != NULL)
+	{
+		sop_new->target_address.sdn = slapi_sdn_dup(sop->target_address.sdn);
+	}
sop_new->csn= csn_dup(sop->csn);
    switch(sop->operation_type)
@@ -429,10 +429,10 @@ operation_parameters_dup(struct slapi_operation_parameters *sop)
    	{
    		sop_new->p.p_modrdn.modrdn_newrdn= slapi_ch_strdup(sop->p.p_modrdn.modrdn_newrdn);
    	}
-		if(sop->p.p_modrdn.modrdn_newsuperior_address.dn!=NULL)
+		if(sop->p.p_modrdn.modrdn_newsuperior_address.sdn!=NULL)
    	{
-			sop_new->p.p_modrdn.modrdn_newsuperior_address.dn = 
-				slapi_ch_strdup(sop->p.p_modrdn.modrdn_newsuperior_address.dn);
+			sop_new->p.p_modrdn.modrdn_newsuperior_address.sdn = 
+				slapi_sdn_dup(sop->p.p_modrdn.modrdn_newsuperior_address.sdn);
    	}
    	if(sop->p.p_modrdn.modrdn_newsuperior_address.uniqueid!=NULL)
    	{
@@ -462,8 +462,9 @@ operation_parameters_done (struct slapi_operation_parameters *sop)
 {
    if(sop!=NULL)
    {
-		slapi_ch_free((void **)&sop->target_address.dn);
    	slapi_ch_free((void **)&sop->target_address.uniqueid);
+		slapi_sdn_free(&sop->target_address.sdn);
+
    	csn_free(&sop->csn);
    	
    	switch(sop->operation_type)
@@ -479,7 +480,6 @@ operation_parameters_done (struct slapi_operation_parameters *sop)
    		break;
    	case SLAPI_OPERATION_MODRDN:
    		slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newrdn));
-			slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newsuperior_address.dn));
    		slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newsuperior_address.uniqueid));
    		ldap_mods_free(sop->p.p_modrdn.modrdn_mods, 1 /* Free the Array and the Elements */);
    		sop->p.p_modrdn.modrdn_mods= NULL;
@@ -504,8 +504,3 @@ void operation_parameters_free(struct slapi_operation_parameters **sop)
    	slapi_ch_free ((void**)sop);
    }
 }
-
-
-
-
-
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 1af97c6..f2ef9cc 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -188,7 +188,9 @@ void modify_update_last_modified_attr(Slapi_PBlock *pb, Slapi_Mods *smods)
 void
 op_shared_search (Slapi_PBlock *pb, int send_result)
 {
-  char            *base, *fstr;
+  char            *base = NULL;
+  const char      *normbase = NULL;
+  char            *fstr;
   int             scope;
   Slapi_Backend   *be = NULL;
   Slapi_Backend   *be_single = NULL;
@@ -198,7 +200,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   char            attrlistbuf[ 1024 ], *attrliststr, **attrs = NULL;
   int             rc = 0;
   int             internal_op;
-  Slapi_DN        sdn;
+  Slapi_DN        *basesdn = NULL;
+  Slapi_DN        *sdn = NULL;
   Slapi_Operation *operation;
   Slapi_Entry     *referral = NULL;
   char            *proxydn = NULL; 
@@ -225,14 +228,30 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   int curr_search_count = 0;
   Slapi_Backend *pr_be = NULL;
   void *pr_search_result = NULL;
-  int pr_search_result_count = 0;
   int pr_reset_processing = 0;
be_list[0] = NULL;
   referral_list[0] = NULL;
/* get search parameters */
-  slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+  slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &base);
+  slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+
+  if (NULL == sdn) {
+    sdn = slapi_sdn_new_dn_byval(base);
+    slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, sdn);
+  }
+  normbase = slapi_sdn_get_dn(sdn);
+
+  if (base && (strlen(base) > 0) && (NULL == normbase)) {
+    /* normalization failed */
+    op_shared_log_error_access(pb, "SRCH", base, "invalid dn");
+    send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid dn", 0, NULL);
+    rc = -1;
+    goto free_and_return_nolock;
+  }
+  basesdn = slapi_sdn_dup(sdn);
+
   slapi_pblock_get(pb, SLAPI_SEARCH_SCOPE, &scope);
   slapi_pblock_get(pb, SLAPI_SEARCH_STRFILTER, &fstr);   
   slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);   
@@ -240,8 +259,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
   flag_psearch = operation_is_flag_set(operation, OP_FLAG_PS);
-  slapi_sdn_init_dn_byref(&sdn, base);
-
   /* get the proxy auth dn if the proxy auth control is present */
   proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -298,7 +315,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           slapi_log_access(LDAP_DEBUG_STATS, fmtstr,
                            pb->pb_conn->c_connid, 
                            pb->pb_op->o_opid, 
-                           escape_string(slapi_sdn_get_dn (&sdn), ebuf),
+                           escape_string(normbase, ebuf),
                            scope, fstr, attrliststr,
                            flag_psearch ? " options=persistent" : "",
                            proxystr ? proxystr : "");
@@ -308,7 +325,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           slapi_log_access(LDAP_DEBUG_ARGS, fmtstr,
                            LOG_INTERNAL_OP_CON_ID,
                            LOG_INTERNAL_OP_OP_ID,
-                           escape_string(slapi_sdn_get_dn (&sdn), ebuf),
+                           escape_string(normbase, ebuf),
                            scope, fstr, attrliststr,
                            flag_psearch ? " options=persistent" : "",
                            proxystr ? proxystr : "");
@@ -316,7 +333,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   }
/* If we encountered an error parsing the proxy control, return an error
-   * to the client.  We do this here to ensure that we log the operation first. */
+   * to the client.  We do this here to ensure that we log the operation first.
+   */
   if (proxy_err != LDAP_SUCCESS)
   {
       rc = -1;
@@ -324,10 +342,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
       goto free_and_return_nolock;
   }
-  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
-
-  /* target spec is used to decide which plugins are applicable for the operation */
-  operation_set_target_spec (pb->pb_op, &sdn);
+  /* target spec is used to decide which plugins are applicable for 
+   * the operation.  basesdn is duplicated and set to target spec.
+   */
+  operation_set_target_spec (pb->pb_op, basesdn);
/* this is time to check if mapping tree specific control
    * was used to specify that we want to parse only 
@@ -352,7 +370,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
         else
         {
             /* we don't need no steenkin values */
-            Slapi_Backend *searchbe = slapi_be_select( &sdn );
+            Slapi_Backend *searchbe = slapi_be_select( sdn );
if(searchbe && searchbe != defbackend_get_backend())
             {
@@ -406,8 +424,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
               operation->o_flags |= OP_FLAG_PAGED_RESULTS;
               pr_be = pagedresults_get_current_be(pb->pb_conn);
               pr_search_result = pagedresults_get_search_result(pb->pb_conn);
-              pr_search_result_count =
-                             pagedresults_get_search_result_count(pb->pb_conn);
               estimate = 
                  pagedresults_get_search_result_set_size_estimate(pb->pb_conn);
               if (pagedresults_get_unindexed(pb->pb_conn)) {
@@ -501,11 +517,23 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           goto free_and_return;
case -2: /* memory was allocated */
-            /* take note of any changes */
-          slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+          /* take note of any changes */
+          slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
           slapi_pblock_get(pb, SLAPI_SEARCH_SCOPE, &scope);
-
-          slapi_sdn_set_dn_byref(&sdn, base);
+          if (NULL == sdn) {
+              send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+                               "target dn is lost", 0, NULL);
+              rc = -1;
+              goto free_and_return;
+          }
+          if (slapi_sdn_compare(basesdn, sdn)) {
+              slapi_sdn_free(&basesdn);
+			  basesdn = operation_get_target_spec(pb->pb_op);
+              slapi_sdn_free(&basesdn);
+              basesdn = slapi_sdn_dup(sdn);
+              operation_set_target_spec (pb->pb_op, basesdn);
+          }
+          normbase = slapi_sdn_get_dn(sdn);
           break;
case -1:
@@ -551,7 +579,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   rc = -1;            /* zero backends would mean failure */
   while (be) 
   {
-    const Slapi_DN * be_suffix;
+    const Slapi_DN *be_suffix;
     int err = 0;
     Slapi_Backend   *next_be = NULL;
@@ -570,7 +598,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
      * is below another backend because in that case the 
      * such searches should sometimes succeed 
      * To allow this we therefore have to change the 
-     * SLAPI_SEARCH_TARGET parameter in the pblock
+     * SLAPI_SEARCH_TARGET_SDN parameter in the pblock
      * 
      * Also when we climb down the mapping tree we have to 
      * change ONE-LEVEL searches to BASE 
@@ -636,25 +664,27 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
       {
         if ((be_name == NULL) && (scope == LDAP_SCOPE_ONELEVEL))
         {
-                  /* one level searches 
-                   * - depending on the suffix of the backend we might have to
-                   *   do a one level search or a base search
-                   * - we might also have to change the search target 
-                   */
-          if (slapi_sdn_isparent(&sdn, be_suffix)
-              || (slapi_sdn_get_ndn_len(&sdn) == 0))
+          /* one level searches 
+           * - depending on the suffix of the backend we might have to
+           *   do a one level search or a base search
+           * - we might also have to change the search target 
+           */
+          if (slapi_sdn_isparent(basesdn, be_suffix) ||
+              (slapi_sdn_get_ndn_len(basesdn) == 0))
           {
             int tmp_scope = LDAP_SCOPE_BASE;
             slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &tmp_scope);
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn(be_suffix));
+
+            slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_dup(be_suffix);
+            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, (void *)sdn);
+            normbase = slapi_sdn_get_dn(sdn);
           }
-          else if (slapi_sdn_issuffix(&sdn, be_suffix))
+          else if (slapi_sdn_issuffix(basesdn, be_suffix))
           {
             int tmp_scope = LDAP_SCOPE_ONELEVEL;
             slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &tmp_scope);
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn (&sdn));
           }
           else
             goto next_be;
@@ -662,19 +692,20 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
/* subtree searches :
          * if the search was started above the backend suffix 
-         * - temporarily set the SLAPI_SEARCH_TARGET to the 
+         * - temporarily set the SLAPI_SEARCH_TARGET_SDN to the 
          *   base of the node so that we don't get a NO SUCH OBJECT error
          * - do not change the scope
          */
         if (scope == LDAP_SCOPE_SUBTREE)
         {
-          if (slapi_sdn_issuffix(be_suffix, &sdn))
+          if (slapi_sdn_issuffix(be_suffix, basesdn))
           {
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn(be_suffix));
+            slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_dup(be_suffix);
+            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, (void *)sdn);
+            normbase = slapi_sdn_get_dn(sdn);
           }
-          else
-              slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void *)slapi_sdn_get_ndn(&sdn));
         }
       }
@@ -886,11 +917,15 @@ free_and_return:
   else if (be_single)
     slapi_be_Unlock(be_single);
- free_and_return_nolock:
-  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+free_and_return_nolock:
   slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
   index_subsys_filter_decoders_done(pb);
-  slapi_sdn_done(&sdn);
+  
+  slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+  slapi_sdn_free(&sdn);
+  slapi_sdn_free(&basesdn);
+  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+
   slapi_ch_free_string(&proxydn);
   slapi_ch_free_string(&proxystr);
   if (pr_reset_processing) {
@@ -1146,10 +1181,8 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result,
     {
         Slapi_Entry *gerentry = NULL;
         Slapi_Operation *operation;
-        int is_paged = 0;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
-        is_paged = operation->o_flags & OP_FLAG_PAGED_RESULTS;
         rc = be->be_next_search_entry(pb);
         if (rc < 0) 
         {
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index c1f00d2..c77d3b7 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
@@ -145,7 +145,8 @@ passwd_modify_getEntry( const char *dn, Slapi_Entry **e2 ) {
 /* Construct Mods pblock and perform the modify operation 
  * Sets result of operation in SLAPI_PLUGIN_INTOP_RESULT 
  */
-static int passwd_apply_mods(Slapi_PBlock *pb_orig, const char *dn, Slapi_Mods *mods,
+static int 
+passwd_apply_mods(Slapi_PBlock *pb_orig, const Slapi_DN *sdn, Slapi_Mods *mods,
    LDAPControl **req_controls, LDAPControl ***resp_controls) 
 {
    Slapi_PBlock pb;
@@ -164,7 +165,7 @@ static int passwd_apply_mods(Slapi_PBlock *pb_orig, const char *dn, Slapi_Mods *
    	}
pblock_init(&pb);
-		slapi_modify_internal_set_pb (&pb, dn, 
+		slapi_modify_internal_set_pb_ext (&pb, sdn, 
    		slapi_mods_get_ldapmods_byref(mods),
    		req_controls_copy, NULL, /* UniqueID */
    		plugin_get_default_component_id(), /* PluginID */
@@ -195,7 +196,7 @@ static int passwd_apply_mods(Slapi_PBlock *pb_orig, const char *dn, Slapi_Mods *
if (ret != LDAP_SUCCESS){
    		LDAPDebug(LDAP_DEBUG_TRACE, "WARNING: passwordPolicy modify error %d on entry '%s'\n",
-				ret, dn, 0);
+				ret, slapi_sdn_get_dn(sdn), 0);
    	}
pblock_done(&pb);
@@ -212,18 +213,17 @@ static int passwd_apply_mods(Slapi_PBlock *pb_orig, const char *dn, Slapi_Mods *
 static int passwd_modify_userpassword(Slapi_PBlock *pb_orig, Slapi_Entry *targetEntry,
    const char *newPasswd, LDAPControl **req_controls, LDAPControl ***resp_controls)
 {
-	char *dn = NULL;
    int ret = 0;
    Slapi_Mods smods;
    
     LDAPDebug( LDAP_DEBUG_TRACE, "=> passwd_modify_userpassword\n", 0, 0, 0 );
    
    slapi_mods_init (&smods, 0);
-	dn = slapi_entry_get_ndn( targetEntry );
    slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, SLAPI_USERPWD_ATTR, newPasswd);
-	ret = passwd_apply_mods(pb_orig, dn, &smods, req_controls, resp_controls);
+	ret = passwd_apply_mods(pb_orig, slapi_entry_get_sdn_const(targetEntry),
+	                        &smods, req_controls, resp_controls);
slapi_mods_done(&smods);
    
@@ -238,7 +238,6 @@ static int passwd_modify_generate_basic_passwd( int passlen, char **genpasswd )
    char *data = NULL;
    char *enc = NULL;
    int datalen = LDAP_EXTOP_PASSMOD_RANDOM_BYTES;
-	int enclen = LDAP_EXTOP_PASSMOD_GEN_PASSWD_LEN + 1;
if ( genpasswd == NULL ) {
    	return LDAP_OPERATIONS_ERROR;
@@ -246,7 +245,6 @@ static int passwd_modify_generate_basic_passwd( int passlen, char **genpasswd )
if ( passlen > 0 ) {
    	datalen = passlen * 3 / 4 + 1;
-		enclen = datalen * 4; /* allocate the large enough space */
    }
data = slapi_ch_calloc( datalen, 1 );
@@ -454,10 +452,10 @@ passwd_modify_extop( Slapi_PBlock *pb )
 {
    char		*oid = NULL;
    char 		*bindDN = NULL;
+	Slapi_DN	*bindSDN = NULL;
    char		*authmethod = NULL;
    char		*rawdn = NULL;
-	char		*dn = NULL;
-	size_t		dnlen = 0;
+	const char	*dn = NULL;
    char		*otdn = NULL;
    char		*oldPasswd = NULL;
    char		*newPasswd = NULL;
@@ -582,15 +580,13 @@ passwd_modify_extop( Slapi_PBlock *pb )
    if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID )
    {
    	int rc = 0;
-		if ( ber_scanf( ber, "a", &rawdn) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&rawdn);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at userID parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+		if ( ber_scanf( ber, "a", &rawdn) == LBER_ERROR ) {
+			slapi_ch_free_string(&rawdn);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at userID parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
/* Check if we should be performing strict validation. */
    	if (config_get_dn_validate_strict()) {
@@ -605,50 +601,31 @@ passwd_modify_extop( Slapi_PBlock *pb )
    			goto free_and_return;
    		}
    	}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "EXT", rawdn?rawdn:"",
-								"invalid target dn");
-			slapi_ch_free_string(&rawdn);
-			errMesg = "invalid target dn.\n";
-			rc = LDAP_INVALID_SYNTAX;
-			goto free_and_return;
-		} else if (rc == 0) { /* rawdn is passed in, not terminated */
-			*(dn + dnlen) = '\0';
-		} else {
-			slapi_ch_free_string(&rawdn);
-		}
-		tag = ber_peek_tag( ber, &len);
+		tag = ber_peek_tag(ber, &len);
    } 
    
-	
    /* identify oldPasswd field by tags */
-	if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD )
-	{
-		if ( ber_scanf( ber, "a", &oldPasswd ) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&oldPasswd);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at oldPasswd parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+	if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD ) {
+		if ( ber_scanf( ber, "a", &oldPasswd ) == LBER_ERROR ) {
+			slapi_ch_free_string(&oldPasswd);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at oldPasswd parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
    	tag = ber_peek_tag( ber, &len);
    }
    
    /* identify newPasswd field by tags */
    if (tag ==  LDAP_EXTOP_PASSMOD_TAG_NEWPWD )
    {
-		if ( ber_scanf( ber, "a", &newPasswd ) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&newPasswd);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at newPasswd parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+		if ( ber_scanf( ber, "a", &newPasswd ) == LBER_ERROR ) {
+			slapi_ch_free_string(&newPasswd);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at newPasswd parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
    }
parse_req_done:	
@@ -659,14 +636,28 @@ parse_req_done:
    /* Get Bind DN */
    slapi_pblock_get( pb, SLAPI_CONN_DN, &bindDN );
+	/* If the connection is bound anonymously, we must refuse to process this operation. */
+	if (bindDN == NULL || *bindDN == '\0') {
+		/* Refuse the operation because they're bound anonymously */
+		errMesg = "Anonymous Binds are not allowed.\n";
+		rc = LDAP_INSUFFICIENT_ACCESS;
+		goto free_and_return;
+	}
+
    /* Find and set the target DN. */
-	if (dn && *dn != '\0') {
-		target_sdn = slapi_sdn_new_dn_byref(dn);
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, dn);
-	} else if (bindDN && *bindDN != '\0') {
-		target_sdn = slapi_sdn_new_dn_byref(bindDN);
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, bindDN);
+	if (rawdn && *rawdn != '\0') {
+	    target_sdn = slapi_sdn_new_dn_passin(rawdn);
+	} else { /* We already checked (bindDN && *bindDN != '\0') above  */
+	    target_sdn = bindSDN = slapi_sdn_new_normdn_byref(bindDN);
+	}
+	dn = slapi_sdn_get_ndn(target_sdn);
+	if (dn == NULL || *dn == '\0') {
+		/* Refuse the operation because they're bound anonymously */
+		errMesg = "Invalid dn.\n";
+		rc = LDAP_INVALID_DN_SYNTAX;
+		goto free_and_return;
    }
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, target_sdn);
/* Check if we need to send any referrals. */
    if (slapi_dn_write_needs_referral(target_sdn, &referrals)) {
@@ -674,14 +665,6 @@ parse_req_done:
    	goto free_and_return;
    }
-	/* If the connection is bound anonymously, we must refuse to process this operation. */
-	if (bindDN == NULL || *bindDN == '\0') {
-	 	/* Refuse the operation because they're bound anonymously */
-		errMesg = "Anonymous Binds are not allowed.\n";
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto free_and_return;
-	}
-
    if (oldPasswd == NULL || *oldPasswd == '\0') {
    	/* If user is authenticated, they already gave their password during
    	 * the bind operation (or used sasl or client cert auth or OS creds) */
@@ -746,19 +729,7 @@ parse_req_done:
    	ber_free( response_ber, 1 );
     }
     
-	 
-	 /* Determine the target DN for this operation */
-	 /* Did they give us a DN ? */
-	 if (dn == NULL || *dn == '\0') {
-	 	/* Get the DN from the bind identity on this connection */
-		slapi_ch_free_string(&dn);
-		dn = slapi_ch_strdup(bindDN);
-		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "Missing userIdentity in request, using the bind DN instead.\n",
-		     0, 0, 0 );
-	 }
-
-	 slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); 
+	 slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, (void *)dn );
/* Now we have the DN, look for the entry */
     ret = passwd_modify_getEntry(dn, &targetEntry);
@@ -826,7 +797,9 @@ parse_req_done:
     * this here since the normal modify code doesn't perform this check for
     * internal operations. */
    if (!pb->pb_op->o_isroot && !pb->pb_conn->c_needpw && !pwpolicy->pw_change) {
-		Slapi_DN *bindSDN = slapi_sdn_new_dn_byref(bindDN);
+		if (NULL == bindSDN) {
+			bindSDN = slapi_sdn_new_normdn_byref(bindDN);
+		}
    	/* Is this a user modifying their own password? */
    	if (slapi_sdn_compare(bindSDN, slapi_entry_get_sdn(targetEntry))==0) {
    		if (need_pwpolicy_ctrl) {
@@ -834,10 +807,8 @@ parse_req_done:
    		}
    		errMesg = "User is not allowed to change password\n";
    		rc = LDAP_UNWILLING_TO_PERFORM;
-			slapi_sdn_free(&bindSDN);
    		goto free_and_return;
    	}
-		slapi_sdn_free(&bindSDN);
    }
/* Fetch any present request controls so we can use them when
@@ -879,8 +850,6 @@ free_and_return:
    	send_ldap_result( pb, rc, NULL, errMesg, 0, NULL );
    }
-	slapi_sdn_free(&target_sdn);
-	slapi_ch_free_string(&bindDN); /* slapi_pblock_get SLAPI_CONN_DN does strdup */
    slapi_ch_free_string(&oldPasswd);
    slapi_ch_free_string(&newPasswd);
    /* Either this is the same pointer that we allocated and set above,
@@ -888,9 +857,16 @@ free_and_return:
     * value that we need to free here */
    slapi_pblock_get( pb, SLAPI_ORIGINAL_TARGET, &otdn );
    if (otdn != dn) {
-		slapi_ch_free_string(&dn);
+		slapi_ch_free_string(&otdn);
    }
-	slapi_ch_free_string(&otdn);
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+	if (bindSDN != target_sdn) {
+		slapi_sdn_free(&bindSDN);
+	}
+	/* slapi_pblock_get SLAPI_CONN_DN does strdup */
+	slapi_ch_free_string(&bindDN);
+	slapi_sdn_free(&target_sdn);
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
    slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, NULL );
    slapi_ch_free_string(&authmethod);
    delete_passwdPolicy(&pwpolicy);
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index d068132..3dbd828 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -1121,11 +1121,31 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
    		(*(entry_address **)value) = &(pblock->pb_op->o_params.target_address);
    	}
    	break;
-        /* should be normalized */
-	case SLAPI_TARGET_DN:
+	case SLAPI_TARGET_DN: /* DEPRECATED */
+		/* The returned value refers SLAPI_TARGET_SDN.  
+		 * It should not be freed.*/
    	if(pblock->pb_op!=NULL)
    	{
-			(*(char **)value) = pblock->pb_op->o_params.target_address.dn;
+			Slapi_DN *sdn = pblock->pb_op->o_params.target_address.sdn;
+			if (sdn) {
+				(*(char **)value) = (char *)slapi_sdn_get_dn(sdn);
+			} else {
+				(*(char **)value) = NULL;
+			}
+		}
+		else
+		{
+			return( -1 );
+		}
+		break;
+	case SLAPI_TARGET_SDN:
+		if(pblock->pb_op!=NULL)
+		{
+			(*(Slapi_DN **)value) = pblock->pb_op->o_params.target_address.sdn;
+		}
+		else
+		{
+			return( -1 );
    	}
    	break;
    case SLAPI_ORIGINAL_TARGET_DN:
@@ -1330,11 +1350,31 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
    		(*(int *)value) = pblock->pb_op->o_params.p.p_modrdn.modrdn_deloldrdn;
    	}
    	break;
-	case SLAPI_MODRDN_NEWSUPERIOR:
+	case SLAPI_MODRDN_NEWSUPERIOR: /* DEPRECATED */
    	if(pblock->pb_op!=NULL)
    	{
-			(*(char **)value) = 
-				pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.dn;
+			Slapi_DN *sdn =
+			  pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn;
+			if (sdn) {
+				(*(char **)value) = (char *)slapi_sdn_get_dn(sdn);
+			} else {
+				(*(char **)value) = NULL;
+			}
+		}
+		else
+		{
+			return -1;
+		}
+		break;
+	case SLAPI_MODRDN_NEWSUPERIOR_SDN:
+		if(pblock->pb_op!=NULL)
+		{
+			(*(Slapi_DN **)value) = 
+			  pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn;
+		}
+		else
+		{
+			return -1;
    	}
    	break;
    case SLAPI_MODRDN_PARENT_ENTRY:
@@ -1725,6 +1765,18 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
    	}
    	break;
+	case SLAPI_REQUESTOR_NDN:
+		/* NOTE: It's not a copy of the DN */	
+		if (pblock->pb_op != NULL)
+		{
+			char *ndn = (char*)slapi_sdn_get_ndn(&pblock->pb_op->o_sdn);
+			if(ndn == NULL)
+    				(*( char **)value ) = "";
+			else
+    				(*( char **)value ) = ndn;
+		}
+		break;
+
    case SLAPI_OPERATION_AUTHTYPE:
    	if (pblock->pb_op != NULL)
    	{
@@ -2676,10 +2728,31 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
    case SLAPI_TARGET_ADDRESS:
    	PR_ASSERT (PR_FALSE);	/* can't do this */
    	break;
-	case SLAPI_TARGET_DN:
+	case SLAPI_TARGET_DN: /* DEPRECATED */
+		/* slapi_pblock_set(pb, SLAPI_TARGET_DN, val) automatically
+		 * replaces SLAPI_TARGET_SDN.  Caller should not free the 
+		 * original SLAPI_TARGET_SDN, but the reset one here by getting
+		 * the address using slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn). */
    	if(pblock->pb_op!=NULL)
    	{
-			pblock->pb_op->o_params.target_address.dn = (char *)value;
+			Slapi_DN *sdn = pblock->pb_op->o_params.target_address.sdn;
+			slapi_sdn_free(&sdn);
+			pblock->pb_op->o_params.target_address.sdn =
+			                              slapi_sdn_new_dn_byval((char *)value);
+		}
+		else
+		{
+			return( -1 );
+		}
+		break;
+	case SLAPI_TARGET_SDN:
+		if(pblock->pb_op!=NULL)
+		{
+			pblock->pb_op->o_params.target_address.sdn = (Slapi_DN *)value;
+		}
+		else
+		{
+			return( -1 );
    	}
    	break;
    case SLAPI_ORIGINAL_TARGET_DN:
@@ -2830,10 +2903,29 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
    		pblock->pb_op->o_params.p.p_modrdn.modrdn_deloldrdn = *((int *) value);
    	}
    	break;
-	case SLAPI_MODRDN_NEWSUPERIOR:
+	case SLAPI_MODRDN_NEWSUPERIOR: /* DEPRECATED */
+		if(pblock->pb_op!=NULL)
+		{
+			Slapi_DN *sdn =
+			  pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn;
+			slapi_sdn_free(&sdn);
+			pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn = 
+			                              slapi_sdn_new_dn_byval((char *)value);
+		}
+		else
+		{
+			return -1;
+		}
+		break;
+	case SLAPI_MODRDN_NEWSUPERIOR_SDN:
    	if(pblock->pb_op!=NULL)
    	{
-			pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.dn = (char *) value;
+			pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn =
+			                                                 (Slapi_DN *) value;
+		}
+		else
+		{
+			return -1;
    	}
    	break;
    case SLAPI_MODRDN_PARENT_ENTRY:
@@ -3456,9 +3548,7 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
    	if ( conn->c_dn != NULL ) {
    		if ( bind_target_entry == NULL )
    		{
-				Slapi_DN        *sdn;
-
-				sdn = slapi_sdn_new_dn_byref( conn->c_dn );			/* set */
+				Slapi_DN *sdn = slapi_sdn_new_normdn_byref( conn->c_dn );
    			reslimit_update_from_dn( conn, sdn );
    			slapi_sdn_free( &sdn );
    		} else {
@@ -3466,11 +3556,9 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
    		}
    	} else {
    		char *anon_dn = config_get_anon_limits_dn();
-			Slapi_DN *anon_sdn = NULL;
-
    		/* If an anonymous limits dn is set, use it to set the limits. */
    		if (anon_dn && (strlen(anon_dn) > 0)) {
-				anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+				Slapi_DN *anon_sdn = slapi_sdn_new_normdn_byref( anon_dn );
    			reslimit_update_from_dn( conn, anon_sdn );
    			slapi_sdn_free( &anon_sdn );
    		}
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 19d6d38..52b560f 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -180,6 +180,7 @@ add_plugin_entries()
    	slapi_add_entry_internal_set_pb(&newpb, ep->e, NULL,
    									ep->plugin, plugin_actions);
    	slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(ep->e));
+		slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(ep->e));
    	slapi_add_internal_pb(&newpb);
    	deleteep = ep;
    	ep = ep->next;
@@ -269,16 +270,13 @@ slapi_register_plugin_ext(
    int ii = 0;
     int rc = 0;
    Slapi_Entry *e = NULL;
-	char *dn = slapi_create_dn_string("cn=%s,%s", name, PLUGIN_BASE_DN);
-	if (NULL == dn) {
-		slapi_log_error(SLAPI_LOG_FATAL, NULL,
-					"slapi_register_plugin_ext: "
-					"failed to create plugin dn (plugin name: %s)\n", name);
-		return 1;
-	}
+	char *dn = slapi_ch_smprintf("cn=%s,%s", name, PLUGIN_BASE_DN);
+	Slapi_DN *sdn = slapi_sdn_new_dn_passin(dn);
+
    e = slapi_entry_alloc();
    /* this function consumes dn */
-	slapi_entry_init(e, dn, NULL);
+	slapi_entry_init_ext(e, sdn, NULL);
+	slapi_sdn_free(&sdn);
slapi_entry_attr_set_charptr(e, "cn", name);
    slapi_entry_attr_set_charptr(e, ATTR_PLUGIN_TYPE, plugintype);
@@ -520,9 +518,6 @@ plugin_extended_op_oid2string( const char *oid )
    				}
    				break;
    			}
-				if ( p->plg_exoids[i] != NULL ) {
-					break;
-				}
    		}
    	}
    }
@@ -991,30 +986,30 @@ plugin_dependency_startall(int argc, char** argv, char *errmsg, int operation)
if(plugin_entry)
    	{
-                        /*
-                         * Pass the plugin DN in SLAPI_TARGET_DN and the plugin entry
-                         * in SLAPI_ADD_ENTRY.  For this to actually work, we need to
-                         * create an operation and include that in the pblock as well,
-                         * because these two items are stored in the operation parameters.
-                         */
-		        /* WARNING: memory leak here - op is only freed by a pblock_done,
+			/*
+			 * Pass the plugin DN in SLAPI_TARGET_SDN and the plugin entry
+			 * in SLAPI_ADD_ENTRY.  For this to actually work, we need to
+			 * create an operation and include that in the pblock as well,
+			 * because these two items are stored in the operation parameters.
+			 */
+			/* WARNING: memory leak here - op is only freed by a pblock_done,
    		   and this only happens below if the plugin is enabled - a short
    		   circuit goto bail may also cause a leak - however, since this
    		   only happens a few times at startup, this is not a very serious
    		   leak - just after the call to plugin_call_one */
-                        Operation *op = internal_operation_new(SLAPI_OPERATION_ADD, 0);
-                        slapi_pblock_set(&(config[plugin_index].pb), SLAPI_OPERATION, op);
-			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_TARGET_DN,
-							 (void*)(slapi_entry_get_dn_const(plugin_entry)));
-                        slapi_pblock_set(&(config[plugin_index].pb), SLAPI_ADD_ENTRY,
-                                        plugin_entry );
+			Operation *op = internal_operation_new(SLAPI_OPERATION_ADD, 0);
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_OPERATION, op);
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_TARGET_SDN,
+				(void*)(slapi_entry_get_sdn_const(plugin_entry)));
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_ADD_ENTRY,
+				plugin_entry );
/* Pass the plugin alternate config area DN in SLAPI_PLUGIN_CONFIG_AREA. */
    		value = slapi_entry_attr_get_charptr(plugin_entry, ATTR_PLUGIN_CONFIG_AREA);
    		if(value)
    		{
-                                config[plugin_index].config_area = value;
-                                value = NULL;
+				config[plugin_index].config_area = value;
+				value = NULL;
    			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_PLUGIN_CONFIG_AREA,
    						config[plugin_index].config_area);
    		}
@@ -1191,7 +1186,7 @@ plugin_dependency_startall(int argc, char** argv, char *errmsg, int operation)
    				newe = slapi_entry_dup( config[plugin_index].e );
    				slapi_add_entry_internal_set_pb(&newpb, newe, NULL,
    								plugin_get_default_component_id(), plugin_actions);
-					slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(newe));
+					slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(newe));
    				slapi_add_internal_pb(&newpb);
    				pblock_done(&newpb);
    				config[plugin_index].entry_created = 1;
@@ -1440,17 +1435,17 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
    int count= 0;
     for (; list != NULL; list = list->plg_next)
    {
-    	IFP func = NULL;
+		IFP func = NULL;
    
-    	slapi_pblock_set (pb, SLAPI_PLUGIN, list);
-    	set_db_default_result_handlers (pb); /* JCM: What's this do? Is it needed here? */
-    	if (slapi_pblock_get (pb, operation, &func) == 0 && func != NULL &&
+	slapi_pblock_set (pb, SLAPI_PLUGIN, list);
+	set_db_default_result_handlers (pb); /* JCM: What's this do? Is it needed here? */
+	if (slapi_pblock_get (pb, operation, &func) == 0 && func != NULL &&
    		plugin_invoke_plugin_pb (list, operation, pb))
    	{
    		char *n= list->plg_name;
    		LDAPDebug( LDAP_DEBUG_TRACE, "Calling plugin '%s' #%d type %d\n", (n==NULL?"noname":n), count, operation );
    		/* counters_to_errors_log("before plugin call"); */
-    		if (( rc = func (pb)) != 0 )
+			if (( rc = func (pb)) != 0 )
    		{
    			if (SLAPI_PLUGIN_PREOPERATION == list->plg_type ||
    				SLAPI_PLUGIN_INTERNAL_PREOPERATION == list->plg_type ||
@@ -1471,16 +1466,16 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
    				/* OR the result into the return value for be pre/postops */
    				return_value |= rc;
    			}
-    		}
+			}
    		/* counters_to_errors_log("after plugin call"); */
-    	}
+		}
count++;
if(call_one)
    		break;
-    }
-    return( return_value );
+	}
+	return( return_value );
 }
int
@@ -1574,9 +1569,9 @@ ldapi_init_extended_ops( void )
slapi_rwlock_wrlock(extended_ops_lock);
    charray_add(&supported_extended_ops,
-	slapi_ch_strdup(EXTOP_BULK_IMPORT_START_OID));
+	            slapi_ch_strdup(EXTOP_BULK_IMPORT_START_OID));
    charray_add(&supported_extended_ops,
-	slapi_ch_strdup(EXTOP_BULK_IMPORT_DONE_OID));
+	            slapi_ch_strdup(EXTOP_BULK_IMPORT_DONE_OID));
    /* add future supported extops here... */
    slapi_rwlock_unlock(extended_ops_lock);
 }
@@ -2147,7 +2142,9 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
    }
    else
    {
-		plugin->plg_name = value; /* plugin owns value's memory now, don't free */
+		/* plg_name is normalized once here */
+		plugin->plg_name = slapi_create_rdn_value("%s", value);
+		slapi_ch_free((void**)&value);
    }
if (!(value = slapi_entry_attr_get_charptr(plugin_entry, ATTR_PLUGIN_PRECEDENCE)))
@@ -2546,7 +2543,7 @@ plugin_invoke_plugin_sdn (struct slapdplugin *plugin, int operation, Slapi_PBloc
 char* plugin_get_dn (const struct slapdplugin *plugin)
 {
    char *plugindn = NULL;
-	char *pattern = "cn=%s," PLUGIN_BASE_DN;
+	char *pattern = "cn=%s," PLUGIN_BASE_DN; /* cn=plugins,cn=config */
if (plugin == NULL)	/* old plugin that does not pass identity - use default */
    	plugin = &global_default_plg;
@@ -2554,7 +2551,8 @@ char* plugin_get_dn (const struct slapdplugin *plugin)
    if (plugin->plg_name == NULL)
    	return NULL;
-	plugindn = slapi_create_dn_string(pattern, plugin->plg_name);
+	/* plg_name is normalized in plugin_setup. So, we can use smprintf */
+	plugindn = slapi_ch_smprintf(pattern, plugin->plg_name);
    if (NULL == plugindn) {
    	slapi_log_error(SLAPI_LOG_FATAL, NULL,
    				"plugin_get_dn: failed to create plugin dn "
diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c
index 2dd0f71..24dcc76 100644
--- a/ldap/servers/slapd/plugin_acl.c
+++ b/ldap/servers/slapd/plugin_acl.c
@@ -138,12 +138,12 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
    int					rc = 0;
    	void				*change = NULL;
    	Slapi_Entry			*te = NULL;
-    Slapi_DN			sdn;
+    Slapi_DN			*sdn = NULL;
    Operation			*operation;
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
-	(void)slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	(void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
switch ( optype ) {
      case SLAPI_OPERATION_MODIFY:
@@ -154,24 +154,29 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
    	te = (Slapi_Entry *)change;
    	if(!slapi_sdn_isempty(slapi_entry_get_sdn(te)))
    	{
-		    dn= (char*)slapi_sdn_get_ndn(slapi_entry_get_sdn(te)); /* jcm - Had to cast away const */
+			sdn = slapi_entry_get_sdn(te);
    	}
    	break;
     	  case SLAPI_OPERATION_MODRDN:
    	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
    	break;
-    	}
+	}
    
-	slapi_sdn_init_dn_byref (&sdn, dn);
+	if (NULL == sdn) {
+		LDAPDebug0Args ( LDAP_DEBUG_ANY, 
+		                 "plugin_call_acl_mods_update: Null target DN\n" );
+		return LDAP_INVALID_DN_SYNTAX;
+	}
+
    /* call the global plugins first and then the backend specific */
+	dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
    for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
-		if (plugin_invoke_plugin_sdn (p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, &sdn)){
+		if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
    		rc = (*p->plg_acl_mods_update)(pb, optype, dn, change );
    		if ( rc != LDAP_SUCCESS ) break;
    	}
    }
-	slapi_sdn_done (&sdn);
    return rc;
 }
diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
index c8e6000..563bc46 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -282,21 +282,58 @@ int slapi_seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, plugi
    return (seq_internal_callback_pb (pb, callback_data, res_callback, srch_callback, ref_callback));
 }
-void slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base, int scope, const char *filter, char **attrs, 
-							       int attrsonly, LDAPControl **controls, const char *uniqueid, 
-								   Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base, 
+                              int scope, const char *filter, char **attrs, 
+                              int attrsonly, LDAPControl **controls, 
+                              const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity,
+                              int operation_flags)
 {
    Operation *op;
    if (pb == NULL || base == NULL)
    {
-        slapi_log_error(SLAPI_LOG_FATAL, NULL, 
-						"slapi_search_internal_set_pb: NULL parameter\n");
+		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+		                "slapi_search_internal_set_pb: NULL parameter\n");
    	return;
    }
-    op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
+	op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
+	slapi_pblock_set(pb, SLAPI_OPERATION, op);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)base);
+	slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
+	slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
+	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
+	if (uniqueid)
+	{
+		slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
+	}
+	slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, (void*)plugin_identity);
+}
+
+void
+slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn, 
+                                  int scope, const char *filter, char **attrs, 
+                                  int attrsonly, LDAPControl **controls, 
+                                  const char *uniqueid, 
+                                  Slapi_ComponentId *plugin_identity,
+                                  int operation_flags)
+{
+	Operation *op;
+	if (pb == NULL || sdn == NULL)
+	{
+		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+		                "slapi_search_internal_set_pb: NULL parameter\n");
+		return;
+	}
+
+	op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
    slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void*)base);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN,
+	                 (void *)slapi_sdn_get_udn(sdn));
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void *)sdn);
    slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
    slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
@@ -323,7 +360,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
    slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)base );
    slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
    slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
    slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
@@ -343,19 +380,22 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
    Operation *op;
     struct callback_fn_ptrs   callback_handler_data;
     Slapi_Backend *be;
-	Slapi_DN sdn;
    char *base;
    char *attrname, *val;
+	Slapi_DN *sdn = NULL;
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
    slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
-    if (base == NULL) {
-    	slapi_sdn_init_dn_byval(&sdn,"");
-    } else {
-    	slapi_sdn_init_dn_byval(&sdn, base);
-    }
-    be = slapi_be_select(&sdn);
+	if (base == NULL) {
+		sdn = slapi_sdn_new_dn_byval("");
+	} else {
+		sdn = slapi_sdn_new_dn_byref(base);
+	}
+
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, sdn);
+
+    be = slapi_be_select(sdn);
callback_handler_data.p_res_callback         = prc;
     callback_handler_data.p_srch_entry_callback  = psec;
@@ -369,8 +409,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
     op->o_search_referral_handler = internal_ref_entry_callback;
    	 
    /* set target specification of the operation used to decide which plugins are called for the operation */  
-	operation_set_target_spec (op, &sdn);
-
+	operation_set_target_spec (op, sdn);
/* Normalize the attribute type and value */
    slapi_pblock_get (pb, SLAPI_SEQ_ATTRNAME, &attrname);
@@ -396,14 +435,16 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
    }
    else
    {
-    	send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL);
+		send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL);
    	rc = 0;
     }
-	slapi_ch_free((void **) &attrname);
-    slapi_ch_free((void **) &val);
-
-	slapi_sdn_done(&sdn);    
+	slapi_ch_free_string(&attrname);
+	slapi_ch_free_string(&val);
+	/* slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &normbase); */
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
return rc;
 }
@@ -675,10 +716,11 @@ static int search_internal_pb (Slapi_PBlock *pb)
    return 0;
 }
-static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, 
-									     plugin_result_callback prc, 
-									     plugin_search_entry_callback psec, 
-									     plugin_referral_entry_callback prec)
+static int
+search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, 
+                             plugin_result_callback prc, 
+                             plugin_search_entry_callback psec, 
+                             plugin_referral_entry_callback prec)
 {
    LDAPControl				  **controls;
    Operation                 *op;
@@ -689,8 +731,6 @@ static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
    char					  *ifstr;
    int						  opresult;
    int						  rc = 0;
-	char					  *original_base = 0;
-	char					  *new_base = 0;
PR_ASSERT (pb);
@@ -755,12 +795,8 @@ static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
     * memory so we need to keep track of
     * changed base search strings
     */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &original_base);
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, slapi_ch_strdup(original_base));
-
    op_shared_search (pb, 1);
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &new_base);
     slapi_pblock_get(pb, SLAPI_SEARCH_FILTER, &filter);
done:
@@ -770,24 +806,17 @@ done:
         slapi_filter_free(filter, 1 /* recurse */);
     }
-	if(original_base != new_base)
-		slapi_ch_free_string(&new_base);
-
-	/* we strdup'd this above - need to free */
-	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &original_base);
-	slapi_ch_free_string(&original_base);
-
     return(rc);
 }
/* allow/disallow operation based of the plugin configuration */
 PRBool allow_operation (Slapi_PBlock *pb)
 {
-	char *dn = NULL;
    struct slapdplugin *plugin = NULL;
+	Slapi_DN *sdnp = NULL;
    Slapi_DN sdn;
    PRBool allow;
-        struct slapi_componentid * cid=NULL;
+	struct slapi_componentid * cid=NULL;
PR_ASSERT (pb);
    
@@ -805,17 +834,17 @@ PRBool allow_operation (Slapi_PBlock *pb)
    	return PR_FALSE;
    }
-	slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-	if (dn == NULL) {
-    	slapi_sdn_init_dn_byval(&sdn,"");
-    } else {
-    	slapi_sdn_init_dn_byval(&sdn, dn);
-    }
+	slapi_sdn_init(&sdn);
+	slapi_pblock_get (pb, SLAPI_TARGET_SDN, &sdnp);
+	if (NULL == sdnp) {
+		slapi_sdn_init_dn_byval(&sdn,"");
+		sdnp = &sdn;
+	}
-	allow = plugin_allow_internal_op (&sdn, plugin);
-	
-	slapi_sdn_done (&sdn);
+	allow = plugin_allow_internal_op (sdnp, plugin);
+	slapi_sdn_done(&sdn);
+	
    return allow;
 }
diff --git a/ldap/servers/slapd/plugin_syntax.c b/ldap/servers/slapd/plugin_syntax.c
index 2e357b4..adfda4a 100644
--- a/ldap/servers/slapd/plugin_syntax.c
+++ b/ldap/servers/slapd/plugin_syntax.c
@@ -282,7 +282,7 @@ plugin_call_syntax_filter_sub_sv(
  */
 int
 slapi_dn_syntax_check(
-	Slapi_PBlock *pb, char *dn, int override
+	Slapi_PBlock *pb, const char *dn, int override
 )
 {
    int ret = 0;
@@ -312,7 +312,7 @@ slapi_dn_syntax_check(
    if (dn_plugin && dn_plugin->plg_syntax_validate != NULL) {
    	/* Create a berval to pass to the validate function. */
    	if (dn) {
-			dn_bval.bv_val = dn;
+			dn_bval.bv_val = (char *)dn;
    		dn_bval.bv_len = strlen(dn);
/* Validate the value. */
@@ -459,7 +459,8 @@ slapi_mods_syntax_check(
    char errtext[ BUFSIZ ];
    char *errp = &errtext[0];
    size_t err_remaining = sizeof(errtext);
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
    LDAPMod *mod = NULL;
if (mods == NULL) {
@@ -469,7 +470,8 @@ slapi_mods_syntax_check(
if (pb != NULL) {
    	slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+		dn = slapi_sdn_get_dn(sdn);
    }
/* If syntax checking and logging are  off, or if this is a
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 0ff2296..69a7554 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -862,7 +862,7 @@ void pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change);
  * pw_retry.c
  */
 int update_pw_retry ( Slapi_PBlock *pb );
-void pw_apply_mods(const char *dn, Slapi_Mods *mods);
+void pw_apply_mods(const Slapi_DN *sdn, Slapi_Mods *mods);
 void pw_set_componentID(struct slapi_componentid * cid);
 struct slapi_componentid * pw_get_componentID();
diff --git a/ldap/servers/slapd/proxyauth.c b/ldap/servers/slapd/proxyauth.c
index 9dbcac8..2230a31 100644
--- a/ldap/servers/slapd/proxyauth.c
+++ b/ldap/servers/slapd/proxyauth.c
@@ -87,9 +87,7 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
   LDAPProxyAuth *spec = NULL;
   BerElement *ber = NULL;
   char *errstring = "unable to parse proxied authorization control";
-  int rc = 0;
-  char *normed = NULL;
-  size_t dnlen = 0;
+  Slapi_DN *sdn = NULL;
BEGIN
    ber_tag_t tag;
@@ -143,14 +141,11 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
    }
lderr = LDAP_SUCCESS;	/* got it! */
-	rc = slapi_dn_normalize_ext(spec->auth_dn, 0, &normed, &dnlen);
-	if (rc < 0) {
+	sdn = slapi_sdn_new_dn_passin(spec->auth_dn);
+	spec->auth_dn = slapi_ch_strdup(slapi_sdn_get_ndn(sdn));
+	slapi_sdn_free(&sdn);
+	if (NULL == spec->auth_dn) {
    	lderr = LDAP_INVALID_SYNTAX;
-	} else if (rc == 0) { /* spec->auth_dn is passed in; not terminated */
-		*(normed + dnlen) = '\0';
-	} else {
-		slapi_ch_free_string(&spec->auth_dn);
-		spec->auth_dn = normed;
    }
   END
diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
index c19d34f..9fc1172 100644
--- a/ldap/servers/slapd/psearch.c
+++ b/ldap/servers/slapd/psearch.c
@@ -291,6 +291,7 @@ ps_send_results( void *arg )
    PSEQNode *peq, *peqnext;
    struct slapi_filter *filter = 0;
    char *base = NULL;
+	Slapi_DN *sdn = NULL;
    char *fstr = NULL;
    char **pbattrs = NULL;
    int conn_acq_flag = 0;
@@ -392,16 +393,16 @@ ps_send_results( void *arg )
     plugin_call_plugins( ps->ps_pblock , SLAPI_PLUGIN_POST_SEARCH_FN );
/* free things from the pblock that were not free'd in do_search() */
-	/* Free SLAPI_SEARCH_* before deleting op since those are held by op */
-    slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET, &base );
-    slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_TARGET, NULL );
-	slapi_ch_free_string(&base);
-
    /* we strdup'd this in search.c - need to free */
    slapi_pblock_get( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, &base );
    slapi_pblock_set( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, NULL );
    slapi_ch_free_string(&base);
+	/* Free SLAPI_SEARCH_* before deleting op since those are held by op */
+	slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, &sdn );
+	slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, NULL );
+	slapi_sdn_free(&sdn);
+
     slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_STRFILTER, &fstr );
     slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_STRFILTER, NULL );
    slapi_ch_free_string(&fstr);
@@ -525,8 +526,8 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    ber_int_t chgnum )
 {
    LDAPControl *ctrl = NULL;
-    PSearch	*ps = NULL;
-    PSEQNode *pe = NULL;
+	PSearch	*ps = NULL;
+	PSEQNode *pe = NULL;
    int  matched = 0;
    const char *edn;
@@ -534,24 +535,24 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    	return;
    }
-    if ( NULL == e ) {
+	if ( NULL == e ) {
    	/* For now, some backends such as the chaining backend do not provide a post-op entry */
    	return;
-    }
+	}
-   	PSL_LOCK_READ();
+	PSL_LOCK_READ();
    edn = slapi_entry_get_dn_const(e);
for ( ps = psearch_list ? psearch_list->pl_head : NULL; NULL != ps; ps = ps->ps_next ) {
-		Slapi_DN base;
-	    Slapi_Filter	*f;
-	    char	*basedn;
-	    int		scope;
+		char *origbase = NULL;
+		Slapi_DN *base = NULL;
+		Slapi_Filter	*f;
+		int		scope;
/* Skip the node that doesn't meet the changetype,
    	 * or is unable to use the change in ps_send_results()
    	 */
-	    if (( ps->ps_changetypes & chgtype ) == 0 ||
+		if (( ps->ps_changetypes & chgtype ) == 0 ||
    			ps->ps_pblock->pb_op == NULL ||
    			slapi_op_abandoned( ps->ps_pblock ) ) {
    		continue;
@@ -560,14 +561,18 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    	slapi_log_error(SLAPI_LOG_CONNS, "Persistent Search",
    					"conn=%" NSPRIu64 " op=%d entry %s with chgtype %d "
    					"matches the ps changetype %d\n",
-						ps->ps_pblock->pb_conn->c_connid, ps->ps_pblock->pb_op->o_opid,
+						ps->ps_pblock->pb_conn->c_connid,
+						ps->ps_pblock->pb_op->o_opid,
    					edn, chgtype, ps->ps_changetypes);
slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_FILTER, &f );
-		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET, &basedn );
+		slapi_pblock_get( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, &origbase );
+		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, &base );
    	slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_SCOPE, &scope );
-		slapi_sdn_init_dn_byref(&base,basedn);
-
+		if (NULL == base) {
+			base = slapi_sdn_new_dn_byref(origbase);
+			slapi_pblock_set(ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, base);
+		}
/*
    	 * See if the entry meets the scope and filter criteria.
@@ -582,7 +587,7 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    	 * to the same pblock must be done carefully--there is currently no
    	 * generic satisfactory way to do this.
    	*/
-		if ( slapi_sdn_scope_test( slapi_entry_get_sdn_const(e), &base, scope ) &&
+		if ( slapi_sdn_scope_test( slapi_entry_get_sdn_const(e), base, scope ) &&
    		 slapi_vattr_filter_test( ps->ps_pblock, e, f, 0 /* verify_access */ ) == 0 ) {
    		PSEQNode *pOldtail;
@@ -601,11 +606,11 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    						eprev ? slapi_entry_get_dn_const(eprev) : NULL,
    						&ctrl );
    				if ( rc != LDAP_SUCCESS ) {
-				    	char ebuf[ BUFSIZ ];
+						char ebuf[ BUFSIZ ];
    	   				LDAPDebug( LDAP_DEBUG_ANY, "ps_service_persistent_searches:"
-				    	" unable to create EntryChangeNotification control for"
-				    	" entry "%s" -- control won't be sent.\n",
-				    	escape_string( slapi_entry_get_dn_const(e), ebuf), 0, 0 );
+						" unable to create EntryChangeNotification control for"
+						" entry "%s" -- control won't be sent.\n",
+						escape_string( slapi_entry_get_dn_const(e), ebuf), 0, 0 );
    				}
    			}
    			if ( ctrl ) {
@@ -618,29 +623,28 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
    		pOldtail = ps->ps_eq_tail;
    		ps->ps_eq_tail = pe;
    		if ( NULL == ps->ps_eq_head ) {
-			    ps->ps_eq_head = ps->ps_eq_tail;
+				ps->ps_eq_head = ps->ps_eq_tail;
    		}
    		else {
    			pOldtail->pe_next = ps->ps_eq_tail;
    		}
    		PR_Unlock( ps->ps_lock );
    	}
-		slapi_sdn_done(&base);
    }
PSL_UNLOCK_READ();
-    /* Were there any matches? */
-    if ( matched ) {
+	/* Were there any matches? */
+	if ( matched ) {
    	ldap_control_free( ctrl );
    	/* Turn 'em loose */
    	ps_wakeup_all();
    	LDAPDebug( LDAP_DEBUG_TRACE, "ps_service_persistent_searches: enqueued entry "
    		""%s" on %d persistent search lists\n", slapi_entry_get_dn_const(e), matched, 0 );
-    } else {
+	} else {
    	LDAPDebug( LDAP_DEBUG_TRACE, "ps_service_persistent_searches: entry "
    		""%s" not enqueued on any persistent search lists\n", slapi_entry_get_dn_const(e), 0, 0 );
-    }
+	}
}
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 61d01d9..8138d05 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -69,7 +69,7 @@
 #define GENERALIZED_TIME_LENGTH 15
static int pw_in_history(Slapi_Value **history_vals, const Slapi_Value *pw_val);
-static int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw );
+static int update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw );
 static int check_trivial_words (Slapi_PBlock *, Slapi_Entry *, Slapi_Value **,
    	char *attrtype, int toklen, Slapi_Mods *smods );
 static int pw_boolean_str2value (const char *str);
@@ -586,8 +586,9 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
    Slapi_Mods	smods;
    char *timestr;
    time_t 		pw_exp_date;
-	time_t          cur_time;
-	char 		*dn;
+	time_t      cur_time;
+	const char 	*dn;
+	Slapi_DN *sdn = NULL;
    passwdPolicy *pwpolicy = NULL;
    int internal_op = 0;
    Slapi_Operation *operation = NULL;
@@ -596,13 +597,14 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
    internal_op = slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);
cur_time = current_time();
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
    
    pwpolicy = new_passwdPolicy(pb, dn);
/* update passwordHistory */
    if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
-		update_pw_history(pb, dn, old_pw);
+		update_pw_history(pb, sdn, old_pw);
    	slapi_ch_free ( (void**)&old_pw );
    }
@@ -663,7 +665,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
    		}  else if (prev_exp_date == SLAPD_END_TIME) {
    		    /* Special entries' passwords never expire */
    		  slapi_ch_free((void**)&prev_exp_date_str);
-			  pw_apply_mods(dn, &smods);
+			  pw_apply_mods(sdn, &smods);
    		  slapi_mods_done(&smods);
    		  delete_passwdPolicy(&pwpolicy);
    		  return 0;
@@ -680,7 +682,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
    	 */
    	pw_exp_date = NOT_FIRST_TIME;
    } else {
-		pw_apply_mods(dn, &smods);
+		pw_apply_mods(sdn, &smods);
    	slapi_mods_done(&smods);
    	delete_passwdPolicy(&pwpolicy);
    	return 0;
@@ -694,7 +696,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
    
    slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "passwordExpWarned", "0");
-	pw_apply_mods(dn, &smods);
+	pw_apply_mods(sdn, &smods);
    slapi_mods_done(&smods);
     if (pb->pb_conn) { /* no conn for internal op */
         /* reset c_needpw to 0 */
@@ -1061,9 +1063,9 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
}
-static 
-int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw ) {
-
+static int
+update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
+{
    time_t 		t, old_t, cur_time;
    int 		i = 0, oldest = 0;
    int res;
@@ -1076,6 +1078,7 @@ int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw ) {
    char		*history_str;
    char		*str;
    passwdPolicy *pwpolicy = NULL;
+	const char *dn = slapi_sdn_get_dn(sdn);
pwpolicy = new_passwdPolicy(pb, dn);
@@ -1134,13 +1137,13 @@ int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw ) {
    list_of_mods[1] = NULL;
pblock_init(&mod_pb);
-	slapi_modify_internal_set_pb(&mod_pb, dn, list_of_mods, NULL, NULL, 
+	slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, 
    							 pw_get_componentID(), 0);
    slapi_modify_internal_pb(&mod_pb);
    slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
    if (res != LDAP_SUCCESS){
-		LDAPDebug(LDAP_DEBUG_ANY, "WARNING: passwordPolicy modify error %d on entry '%s'\n",
-				  res, dn, 0);
+		LDAPDebug2Args(LDAP_DEBUG_ANY,
+		    "WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn);
    }
pblock_done(&mod_pb);
@@ -1253,7 +1256,8 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
 }
void
-pw_mod_allowchange_aci(int pw_prohibit_change) {
+pw_mod_allowchange_aci(int pw_prohibit_change)
+{
    const Slapi_DN *base;
    char		*values_mod[2];
    LDAPMod		mod;
@@ -1293,7 +1297,8 @@ pw_mod_allowchange_aci(int pw_prohibit_change) {
    			pblock_init (&pb);
    			values_mod[0] = DENY_PW_CHANGE_ACI;
    			values_mod[1] = NULL;
-				slapi_modify_internal_set_pb(&pb, slapi_sdn_get_dn(base), mods, NULL, NULL, pw_get_componentID(), 0);
+				slapi_modify_internal_set_pb_ext(&pb, base, mods, NULL, NULL,
+				                                 pw_get_componentID(), 0);
    			slapi_modify_internal_pb(&pb);
    			slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
    			if (rc == LDAP_SUCCESS){
@@ -1302,7 +1307,7 @@ pw_mod_allowchange_aci(int pw_prohibit_change) {
    				** successfully, let's update the 
    				** in-memory acl list
    				*/
-					slapi_pblock_set(&pb, SLAPI_TARGET_DN, (char*)slapi_sdn_get_dn(base) ); /* jcm: cast away const */
+					slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base);
    				plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY );
    			}
    			pblock_done(&pb);
@@ -1320,7 +1325,7 @@ add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e )
    struct berval   *bvals[2];
    Slapi_Attr     **a, **next;
    passwdPolicy *pwpolicy = NULL;
-	char *dn = slapi_entry_get_ndn(e);
+	const char *dn = slapi_entry_get_ndn(e);
    int has_allowchangetime = 0, has_expirationtime = 0;
    time_t existing_exptime = 0;
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index aa76e03..8d99879 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -63,11 +63,13 @@ need_new_pw( Slapi_PBlock *pb, long *t, Slapi_Entry *e, int pwresponse_req )
    char *passwordExpirationTime;
    char *timestring;
    char *dn;
+	const Slapi_DN *sdn;
    passwdPolicy *pwpolicy = NULL;
    int	pwdGraceUserTime = 0;
    char graceUserTime[8];
slapi_mods_init (&smods, 0);
+	sdn = slapi_entry_get_sdn_const( e );
    dn = slapi_entry_get_ndn( e );
    pwpolicy = new_passwdPolicy(pb, dn);
@@ -100,9 +102,9 @@ need_new_pw( Slapi_PBlock *pb, long *t, Slapi_Entry *e, int pwresponse_req )
    		slapi_ch_free((void **)&timestring);
    		slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "passwordExpWarned", "0");
    		
-			pw_apply_mods(dn, &smods);
+			pw_apply_mods(sdn, &smods);
    	} else if (pwpolicy->pw_lockout == 1) {
-			pw_apply_mods(dn, &smods);
+			pw_apply_mods(sdn, &smods);
    	}
    	slapi_mods_done(&smods);
    	delete_passwdPolicy(&pwpolicy);
@@ -148,7 +150,7 @@ skip:
    		} 
    		slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
    	}
-		pw_apply_mods(dn, &smods);
+		pw_apply_mods(sdn, &smods);
    	slapi_mods_done(&smods);
    	delete_passwdPolicy(&pwpolicy);
    	return ( 0 );
@@ -171,7 +173,7 @@ skip:
    		sprintf ( graceUserTime, "%d", pwdGraceUserTime );
    		slapi_mods_add_string(&smods, LDAP_MOD_REPLACE,
    			"passwordGraceUserTime", graceUserTime);	
-			pw_apply_mods(dn, &smods);
+			pw_apply_mods(sdn, &smods);
    		slapi_mods_done(&smods);
    		if (pwresponse_req) {
    			/* check for "changeafterreset" condition */
@@ -214,7 +216,7 @@ skip:
    			pb->pb_op->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
    	}
    	/* Apply current modifications */
-		pw_apply_mods(dn, &smods);
+		pw_apply_mods(sdn, &smods);
    	slapi_mods_done(&smods);
    	delete_passwdPolicy(&pwpolicy);
    	return (-1);
@@ -261,7 +263,7 @@ skip:
    		*t = (long)diff_t; /* jcm: had to cast double to long */
    	}
    		
-		pw_apply_mods(dn, &smods);
+		pw_apply_mods(sdn, &smods);
    	slapi_mods_done(&smods);
    	if (pwresponse_req) {
    		/* check for "changeafterreset" condition */
@@ -281,7 +283,7 @@ skip:
    	return (2);
    }
-	pw_apply_mods(dn, &smods);
+	pw_apply_mods(sdn, &smods);
    slapi_mods_done(&smods);
    /* Leftover from "changeafterreset" condition */
    if (pb->pb_conn->c_needpw == 1) {
diff --git a/ldap/servers/slapd/pw_retry.c b/ldap/servers/slapd/pw_retry.c
index 573046f..9c801ad 100644
--- a/ldap/servers/slapd/pw_retry.c
+++ b/ldap/servers/slapd/pw_retry.c
@@ -124,13 +124,15 @@ int update_pw_retry ( Slapi_PBlock *pb )
static
 void set_retry_cnt_and_time ( Slapi_PBlock *pb, int count, time_t cur_time ) {
-	char        *dn;
+	const char  *dn = NULL;
+	Slapi_DN    *sdn = NULL;
    Slapi_Mods	smods;
    time_t      reset_time;
    char		*timestr;
    passwdPolicy *pwpolicy = NULL;
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
    pwpolicy = new_passwdPolicy(pb, dn);
slapi_mods_init(&smods, 0);
@@ -144,7 +146,7 @@ void set_retry_cnt_and_time ( Slapi_PBlock *pb, int count, time_t cur_time ) {
set_retry_cnt_mods(pb, &smods, count);
    
-	pw_apply_mods(dn, &smods);
+	pw_apply_mods(sdn, &smods);
    slapi_mods_done(&smods);
    delete_passwdPolicy(&pwpolicy);
 }
@@ -154,10 +156,12 @@ void set_retry_cnt_mods(Slapi_PBlock *pb, Slapi_Mods *smods, int count)
    char 		*timestr;
    time_t		unlock_time;
    char        retry_cnt[8]; /* 1-65535 */
-	char *dn = NULL; 
+	const char *dn = NULL; 
+	Slapi_DN *sdn = NULL; 
    passwdPolicy *pwpolicy = NULL;
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
    pwpolicy = new_passwdPolicy(pb, dn);
if (smods) {
@@ -185,14 +189,15 @@ void set_retry_cnt_mods(Slapi_PBlock *pb, Slapi_Mods *smods, int count)
 }
static
-void set_retry_cnt ( Slapi_PBlock *pb, int count) {
-	char        *dn;
+void set_retry_cnt ( Slapi_PBlock *pb, int count)
+{
+	Slapi_DN *sdn = NULL; 
    Slapi_Mods	smods;
    
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
    slapi_mods_init(&smods, 0);
    set_retry_cnt_mods(pb, &smods, count);
-	pw_apply_mods(dn, &smods);
+	pw_apply_mods(sdn, &smods);
    slapi_mods_done(&smods);
 }
@@ -201,12 +206,13 @@ Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
 {
    int             search_result = 0;
    Slapi_Entry     *retentry = NULL;
-	Slapi_DN		sdn;
+	Slapi_DN        *target_sdn = NULL;
+	Slapi_DN        sdn;
+
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &target_sdn );
if ((dn == NULL) && pb) {
-		char *t;
-		slapi_pblock_get( pb, SLAPI_TARGET_DN, &t );
-		dn= t;
+		dn = slapi_sdn_get_dn(target_sdn);
    }
if (dn == NULL) {
@@ -216,7 +222,14 @@ Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
slapi_sdn_init_dn_byref(&sdn, dn);
-	if ((search_result = slapi_search_internal_get_entry(&sdn, NULL,  &retentry, pw_get_componentID())) != LDAP_SUCCESS){
+	if (slapi_sdn_compare(&sdn, target_sdn)) { /* does not match */
+	    target_sdn = &sdn;
+	}
+
+	search_result = slapi_search_internal_get_entry(target_sdn, NULL,
+	                                                &retentry, 
+	                                                pw_get_componentID());
+	if (search_result != LDAP_SUCCESS) {
    	LDAPDebug (LDAP_DEBUG_TRACE, "WARNING: 'get_entry' can't find entry '%s', err %d\n", dn, search_result, 0);
    }
    slapi_sdn_done(&sdn);
@@ -224,7 +237,8 @@ bail:
    return retentry;
 }
-void pw_apply_mods(const char *dn, Slapi_Mods *mods) 
+void
+pw_apply_mods(const Slapi_DN *sdn, Slapi_Mods *mods) 
 {
    Slapi_PBlock pb;
    int res;
@@ -234,7 +248,7 @@ void pw_apply_mods(const char *dn, Slapi_Mods *mods)
    	pblock_init(&pb);
    	/* We don't want to overwrite the modifiersname, etc. attributes,
    	 * so we set a flag for this operation */
-		slapi_modify_internal_set_pb (&pb, dn, 
+		slapi_modify_internal_set_pb_ext (&pb, sdn, 
    				  slapi_mods_get_ldapmods_byref(mods),
    				  NULL, /* Controls */
    				  NULL, /* UniqueID */
@@ -244,8 +258,9 @@ void pw_apply_mods(const char *dn, Slapi_Mods *mods)
    	
    	slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
    	if (res != LDAP_SUCCESS){
-			LDAPDebug(LDAP_DEBUG_ANY, "WARNING: passwordPolicy modify error %d on entry '%s'\n",
-					  res, dn, 0);
+			LDAPDebug2Args(LDAP_DEBUG_ANY,
+			        "WARNING: passwordPolicy modify error %d on entry '%s'\n",
+					res, slapi_sdn_get_dn(sdn));
    	}
    	
    	pblock_done(&pb);
diff --git a/ldap/servers/slapd/rdn.c b/ldap/servers/slapd/rdn.c
index 48d4d9e..c9f6386 100644
--- a/ldap/servers/slapd/rdn.c
+++ b/ldap/servers/slapd/rdn.c
@@ -132,12 +132,14 @@ _slapi_rdn_init_all_dn_ext(Slapi_RDN *rdn, const Slapi_DN *sdn)
    char **dns = NULL;
    int rc = 1;
-	if (NULL == rdn || NULL == sdn)
-	{
+	if (NULL == rdn || NULL == sdn) {
    	return -1;
    }
dn = slapi_sdn_get_dn(sdn);
+	if (NULL == dn) {
+		return -1;
+	}
    for (; isspace(*dn) ; dn++) ;
/* Suffix is a part of mapping tree. We should not free it */
@@ -227,13 +229,14 @@ int
 slapi_rdn_init_all_dn(Slapi_RDN *rdn, const char *dn)
 {
    int rc = 0; /* success */
-	Slapi_DN sdn = {0};
+	Slapi_DN sdn;
if (NULL == rdn || NULL == dn)
    {
    	return -1;
    }
    slapi_rdn_init(rdn);
+	slapi_sdn_init(&sdn);
    slapi_sdn_set_dn_byval(&sdn, dn);
    rc = _slapi_rdn_init_all_dn_ext(rdn, (const Slapi_DN *)&sdn);
    slapi_sdn_done(&sdn);
@@ -670,7 +673,19 @@ slapi_rdn_get_nrdn(Slapi_RDN *srdn)
    }
    if (NULL == srdn->nrdn)
    {
-		normalize_case_helper(srdn->rdn, &srdn->nrdn);
+		if (srdn->all_nrdns && srdn->all_nrdns[0])
+		{
+			srdn->nrdn = slapi_ch_strdup(srdn->all_nrdns[0]);
+		}
+		else if (srdn->all_rdns && srdn->all_rdns[0])
+		{
+			srdn->nrdn = slapi_ch_strdup(srdn->all_rdns[0]);
+			slapi_dn_ignore_case(srdn->nrdn);
+		}
+		else
+		{
+			normalize_case_helper(srdn->rdn, &srdn->nrdn);
+		}
    }
    return (const char *)srdn->nrdn;
 }
diff --git a/ldap/servers/slapd/referral.c b/ldap/servers/slapd/referral.c
index 458da81..b704f86 100644
--- a/ldap/servers/slapd/referral.c
+++ b/ldap/servers/slapd/referral.c
@@ -186,12 +186,13 @@ ref_adjust( Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn,
    int is_reference )
 {
     int			i, len, scope;
+    Slapi_DN    *sdn = NULL;
     char		*p, *opdn_norm;
     struct berval	**urlscopy;
     Operation		*op;
if ( NULL == urls || NULL == urls[0] ) {
-	return( NULL );
+        return( NULL );
     }
PR_ASSERT( pb != NULL );
@@ -200,20 +201,20 @@ ref_adjust( Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn,
      * grab the operation target DN and operation structure.
      * if the operation is a search, get the scope as well.
      */
-    if ( slapi_pblock_get( pb, SLAPI_TARGET_DN, &p ) != 0 || p == NULL ||
-	    slapi_pblock_get( pb, SLAPI_OPERATION, &op ) != 0 || op == NULL ||
-	    ( operation_get_type(op) == SLAPI_OPERATION_SEARCH && slapi_pblock_get( pb,
-	    SLAPI_SEARCH_SCOPE, &scope ) != 0 )) {
-	LDAPDebug( LDAP_DEBUG_ANY, "ref_adjust: referrals suppressed "
-		"(could not get target DN, operation, or scope from pblock)\n",
-		0, 0, 0 );
-	return( NULL );
+    if ( slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ) != 0 || sdn == NULL ||
+         slapi_pblock_get( pb, SLAPI_OPERATION, &op ) != 0 || op == NULL ||
+         ( operation_get_type(op) == SLAPI_OPERATION_SEARCH && slapi_pblock_get( pb,
+        SLAPI_SEARCH_SCOPE, &scope ) != 0 )) {
+        LDAPDebug0Args( LDAP_DEBUG_ANY, "ref_adjust: referrals suppressed "
+                        "(could not get target DN, operation, "
+                        "or scope from pblock)\n" );
+        return( NULL );
     }
/*
      * normalize the DNs we plan to compare with others later.
      */
-    opdn_norm = slapi_dn_normalize( slapi_ch_strdup( p ));
+    opdn_norm = slapi_ch_strdup( slapi_sdn_get_dn(sdn) );
/*
@@ -355,7 +356,7 @@ adjust_referral_basedn( char **urlp, const Slapi_DN *refsdn,
    		 * Prepend the portion of the operation DN that does not match
    		 * the ref container DN to the referral baseDN.
    		 */
-			add_len = strlen( opdn_norm ) - strlen( slapi_sdn_get_ndn(refsdn) );
+			add_len = strlen( opdn_norm ) - slapi_sdn_get_ndn_len( refsdn );
    		cur_len = strlen( *urlp );
    		/* + 7 because we keep extra space in case we add ??base */
    		*urlp = slapi_ch_realloc( *urlp, cur_len + add_len + 7 );
@@ -377,7 +378,7 @@ adjust_referral_basedn( char **urlp, const Slapi_DN *refsdn,
    		add_len = strlen(opdn_norm);
    		p = opdn_norm;
    	} else {
-			add_len = strlen(slapi_sdn_get_ndn(refsdn));
+			add_len = slapi_sdn_get_ndn_len(refsdn);
    		p = (char *)slapi_sdn_get_ndn(refsdn);
    	}
    	
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index 800fb39..a3fff38 100644
--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -289,8 +289,9 @@ send_ldap_result_ext(
    int		i, rc, logit = 0;
    ber_tag_t	tag;
    int             flush_ber_element = 1;
-  	Slapi_Operation *operation;
-	char *dn;
+	Slapi_Operation *operation;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
    int internal_op;
    passwdPolicy *pwpolicy = NULL;
    
@@ -368,8 +369,9 @@ send_ldap_result_ext(
    /* invalid password.  Update the password retry here */
    /* put this here for now.  It could be a send_result pre-op plugin. */
    if (err == LDAP_INVALID_CREDENTIALS) {
-		slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
-                pwpolicy = new_passwdPolicy(pb, dn);
+		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+		dn = slapi_sdn_get_dn(sdn);
+		pwpolicy = new_passwdPolicy(pb, dn);
    	if (pwpolicy && (pwpolicy->pw_lockout == 1)) {
    		update_pw_retry ( pb );
    	}
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f9f51df..9e5bc36 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -783,6 +783,8 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
     sasl_ssf_t *ssfp;
     char *activemech = NULL, *mech = NULL;
     char *username, *dn = NULL;
+    const char *normdn = NULL;
+    Slapi_DN *sdn = NULL;
     const char *sdata, *errstr;
     unsigned slen;
     int continuing = 0;
@@ -914,7 +916,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
         propctx = sasl_auxprop_getctx(sasl_conn);
         if (prop_getnames(propctx, dn_propnames, dnval) == 1) {
             if (dnval[0].values && dnval[0].values[0]) {
-                dn = slapi_ch_strdup(dnval[0].values[0]);
+                dn = slapi_ch_smprintf("%s", dnval[0].values[0]);
             }
         }
         if (dn == NULL) {
@@ -924,8 +926,15 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
             break;
         }
-        slapi_pblock_set( pb, SLAPI_BIND_TARGET, slapi_ch_strdup( dn ) );
-        /* see if we negotiated a security layer */
+        /* clean up already set TARGET */
+        slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
+        slapi_sdn_free(&sdn);
+
+        sdn = slapi_sdn_new_dn_passin(dn);
+        normdn = slapi_sdn_get_dn(sdn);
+
+        slapi_pblock_set( pb, SLAPI_BIND_TARGET_SDN, sdn );
+
         if ((sasl_getprop(sasl_conn, SASL_SSF, 
                           (const void**)&ssfp) == SASL_OK) && (*ssfp > 0)) {
             LDAPDebug(LDAP_DEBUG_TRACE, "sasl ssf=%u\n", (unsigned)*ssfp, 0, 0);
@@ -947,7 +956,9 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
/* set the connection bind credentials */
         PR_snprintf(authtype, sizeof(authtype), "%s%s", SLAPD_AUTH_SASL, mech);
-        bind_credentials_set_nolock(pb->pb_conn, authtype, dn, 
+        /* normdn is consumed by bind_credentials_set_nolock */
+        bind_credentials_set_nolock(pb->pb_conn, authtype, 
+                                    slapi_ch_strdup(normdn), 
                                     NULL, NULL, NULL, bind_target_entry);
PR_Unlock(pb->pb_conn->c_mutex); /* BIG LOCK */
@@ -956,12 +967,12 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
             break;
         }
-        isroot = slapi_dn_isroot(dn);
+        isroot = slapi_dn_isroot(normdn);
if (!isroot )
         {
             /* check if the account is locked */
-            bind_target_entry = get_entry(pb,  dn);
+            bind_target_entry = get_entry(pb,  normdn);
             if ( bind_target_entry == NULL )
             {
                 goto out;
@@ -975,7 +986,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
         slapi_pblock_get(pb, SLAPI_REQCONTROLS, &ctrls);
         if (slapi_control_present(ctrls, LDAP_CONTROL_AUTH_REQUEST, 
                                   NULL, NULL)) {
-            slapi_add_auth_response_control(pb, dn);
+            slapi_add_auth_response_control(pb, normdn);
         }
if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index ff4de17..6da7aa0 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -79,9 +79,6 @@ do_search( Slapi_PBlock *pb )
    int			send_entchg_controls;
    int			changesonly = 0;
    int			rc = -1;
-	char		*original_base = 0;
-	char		*new_base = 0;
-	size_t		baselen = 0;
    int strict = 0;
LDAPDebug( LDAP_DEBUG_TRACE, "do_search\n", 0, 0, 0 );
@@ -138,24 +135,12 @@ do_search( Slapi_PBlock *pb )
    		return;
    	}
    }
-	rc = slapi_dn_normalize_ext(rawbase, 0, &base, &baselen);
-	if (rc < 0) {
-		op_shared_log_error_access(pb, "SRCH", 
-							rawbase?rawbase:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free((void **) &rawbase);
-		return;
-	} else if (rc > 0) { /* if rc == 0, rawbase is passed in */
-		slapi_ch_free((void **) &rawbase);
-	} else { /* rc == 0; rawbase is passed in; not null terminated */
-		*(base + baselen) = '\0';
-	}
/* If anonymous access is only allowed for searching the root DSE,
     * we need to reject any other anonymous search attempts. */
-	if ((slapi_sdn_get_dn(&(operation->o_sdn)) == NULL) && ((baselen != 0) || (scope != LDAP_SCOPE_BASE))
-	    && (config_get_anon_access_switch() == SLAPD_ANON_ACCESS_ROOTDSE)) {
+	if ((slapi_sdn_get_dn(&(operation->o_sdn)) == NULL) &&
+	    (scope != LDAP_SCOPE_BASE) &&
+	    (config_get_anon_access_switch() == SLAPD_ANON_ACCESS_ROOTDSE)) {
    	op_shared_log_error_access(pb, "SRCH", base?base:"", "anonymous search not allowed");
send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
@@ -178,7 +163,7 @@ do_search( Slapi_PBlock *pb )
    && scope != LDAP_SCOPE_SUBTREE ) {
    	log_search_access (pb, base, scope, "???", "Unknown search scope");
    	send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
-		"Unknown search scope", 0, NULL );
+		                  "Unknown search scope", 0, NULL );
    	goto free_and_return;
    }
    /* check and record the scope for snmp */
@@ -370,8 +355,7 @@ do_search( Slapi_PBlock *pb )
    	}
    }
-	slapi_pblock_set( pb, SLAPI_SEARCH_TARGET, base );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET_DN, slapi_ch_strdup(base) );
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET_DN, rawbase );
    slapi_pblock_set( pb, SLAPI_SEARCH_SCOPE, &scope );
    slapi_pblock_set( pb, SLAPI_SEARCH_DEREF, &deref );
    slapi_pblock_set( pb, SLAPI_SEARCH_FILTER, filter );
@@ -383,16 +367,8 @@ do_search( Slapi_PBlock *pb )
    slapi_pblock_set( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
    slapi_pblock_set( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
-	/* plugins which play with the search may 
-	 * change the search params may allocate
-	 * memory so we need to keep track of
-	 * changed base search strings
-	 */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &original_base);
-
    op_shared_search (pb, psearch ? 0 : 1/* send result */);
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &new_base);
    slapi_pblock_get (pb, SLAPI_PLUGIN_OPRETURN, &rc);
    slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
    
@@ -402,10 +378,6 @@ do_search( Slapi_PBlock *pb )
free_and_return:;
    if ( !psearch || rc < 0 ) {
-		if(original_base != new_base) {
-			slapi_ch_free_string(&new_base);
-		}
-		slapi_ch_free_string(&base);
    	slapi_ch_free_string(&fstr);
    	slapi_filter_free( filter, 1 );
    	charray_free( attrs );	/* passing NULL is fine */
@@ -418,8 +390,8 @@ free_and_return:;
    		operation->o_flags &= ~OP_FLAG_PS;
    	}
    	/* we strdup'd this above - need to free */
-		slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &base);
-		slapi_ch_free_string(&base);
+		slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &rawbase);
+		slapi_ch_free_string(&rawbase);
    }
 }
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 3a54564..acf7bbd 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -586,9 +586,10 @@ typedef int (*SyntaxEnumFunc)(char **names, Slapi_PluginDesc *plugindesc,
 struct slapi_dn
 {
     unsigned char flag;
-    const char *dn; /* DN [normalized] */
+    const char *udn; /* DN [original] */
+    const char *dn;  /* Normalised DN */
     const char *ndn; /* Case Normalised DN */
-    int ndn_len; /* normalized dn length */
+    int ndn_len;     /* normalized dn length */
 };
/* 
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index c63e312..a27f8b1 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -710,13 +710,13 @@ int slapi_pblock_get( Slapi_PBlock *pb, int arg, void *value );
  *          <tt>char **arrays</tt>, <tt>#Slapi_Backend *</tt>, etc.), you can pass
  *          in the value directly. For example:
  * \code
- *     char *target_dn = slapi_ch_strdup(some_dn);
- *     slapi_pblock_set(pb, SLAPI_TARGET_DN, target_dn);
+ *     Slapi_DN *target_sdn = slapi_sdn_dup(some_sdn);
+ *     slapi_pblock_set(pb, SLAPI_TARGET_SDN, target_sdn);
  * \endcode
  *
  * \warning or
  * \code
- *     slapi_pblock_set(pb, SLAPI_TARGET_DN, NULL);
+ *     slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
  * \endcode
  *
  * \warning With some compilers, you will have to cast the value argument to
@@ -802,6 +802,7 @@ void slapi_pblock_destroy( Slapi_PBlock *pb );
  *        \arg #SLAPI_STR2ENTRY_NO_SCHEMA_LOCK
  *        \arg #SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT
  *        \arg #SLAPI_STR2ENTRY_NO_ENTRYDN
+ *        \arg #SLAPI_STR2ENTRY_DN_NORMALIZED
  *
  * \return A pointer to the #Slapi_Entry structure representing the entry.
  * \return \c NULL if the string cannot be converted; for example, if no DN is
@@ -923,6 +924,15 @@ Slapi_Entry *slapi_str2entry_ext( const char *dn, char *s, int flags );
 #define SLAPI_STR2ENTRY_NO_ENTRYDN 1024
/**
+ * Passed DN is already normalized.
+ *
+ * If this flag is set, str2entry assumes passed DN is already normalized.
+ *
+ * \see slapi_str2entry()
+ */
+#define SLAPI_STR2ENTRY_DN_NORMALIZED 2048
+
+/**
  * Generates a description of an entry as an LDIF string.
  *
  * This function behaves much like slapi_entry2str(); however, you can specify
@@ -1120,6 +1130,12 @@ Slapi_Entry *slapi_entry_alloc(void);
  */
 void slapi_entry_init(Slapi_Entry *e, char *dn, Slapi_Attr *a);
+/*
+ * Initializes the values of an entry with the Slapi_DN and attribute value 
+ * pairs you supply.
+ */
+void slapi_entry_init_ext(Slapi_Entry *e, Slapi_DN *sdn, Slapi_Attr *a);
+
 /**
  * Frees an entry, its DN, and its attributes from memory.
  *
@@ -1290,6 +1306,23 @@ const char *slapi_entry_get_nrdn_const( const Slapi_Entry *e );
 void slapi_entry_set_dn( Slapi_Entry *e, char *dn );
/**
+ * Sets the normalized distinguished name (DN) of an entry.
+ *
+ * This function sets the DN pointer in the specified entry to the DN that you supply. The DN should have been normalized.
+ *
+ * \param e Entry to which you want to assign the DN.
+ * \param dn Distinguished name you want assigned to the entry.
+ * \warning The dn will be freed eventually when slapi_entry_free() is called.
+ * \warning A copy of dn should be passed. For example:
+ *
+ * \warning The old dn will be freed as a result of this call. Do not pass in
+ *          a \c NULL value.
+ * \see slapi_entry_free()
+ * \see slapi_entry_get_dn()
+ */
+void slapi_entry_set_normdn( Slapi_Entry *e, char *normdn );
+
+/**
  * Sets the relative distinguished name (RDN) of an entry.
  *
  * This function sets the RDN pointer in the specified entry to the RDN that 
@@ -1478,7 +1511,7 @@ int slapi_entry_syntax_check( Slapi_PBlock *pb, Slapi_Entry *e, int override );
  *         is also used to check if the #SLAPI_IS_REPLICATED_OPERATION flag is
  *         set.   If that flag is present, no syntax checking is performed.
  */
-int slapi_dn_syntax_check( Slapi_PBlock *pb, char *dn, int override );
+int slapi_dn_syntax_check( Slapi_PBlock *pb, const char *dn, int override );
/**
  * Determines if any values being added to an entry violate the syntax rules
@@ -2181,14 +2214,14 @@ Slapi_DN *slapi_sdn_new_ndn_byval(const char *ndn);
 Slapi_DN *slapi_sdn_new_dn_byref(const char *dn);
/**
- * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ * Creates a new \c Slapi_DN structure and intializes it's normalized and case ignored DN to a requested value.
  *
- * The normalized DN of the new structure will point to the same string pointed to by \c ndn.
- * The normalized DN value is passed in to the parameter by reference.
+ * The normalized and case ignored DN of the new structure will point to the same string pointed to by \c ndn.
+ * The normalized and case ignored DN value is passed in to the parameter by reference.
  *
- * \param ndn The normalized DN value to be set in the new \c Slapi_DN structure.
+ * \param ndn The normalized and case ignored DN value to be set in the new \c Slapi_DN structure.
  * \return A pointer to the newly allocated \c Slapi_DN structure with
- *         the normalized DN value set to the content of \c ndn.
+ *         the normalized and case ignored DN value set to the content of \c ndn.
  * \warning The caller is still responsible for the memory used by \c ndn.  This
  *          memory should not be freed until the returned \c Slapi_DN has been
  *          disposed of or reinitialized.
@@ -2220,6 +2253,60 @@ Slapi_DN *slapi_sdn_new_ndn_byref(const char *ndn);
 Slapi_DN *slapi_sdn_new_dn_passin(const char *dn);
/**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the same string pointed to by \c normdn.
+ * The normalized DN value is passed in to the parameter by reference.
+ *
+ * \param normdn The normalized DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         the normalized DN value set to the content of \c normdn.
+ * \warning The caller is still responsible for the memory used by \c normdn. 
+ *          This memory should not be freed until the returned \c Slapi_DN 
+ *          has been disposed of or reinitialized.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_byref(const char *normdn);
+
+/**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the same string pointed to by \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param normdn The DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         a DN value set to the content of \c dn.
+ * \warning The caller is no longer responsible for the memory used by \c dn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_passin(const char *dn);
+
+/**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the duplicated string of \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param normdn The copy of the DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         a DN value set to the content of \c dn.
+ * \warning The caller is no longer responsible for the memory used by \c dn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_byval(const char *dn);
+
+/**
  * Sets a DN value in a \c Slapi_DN structure.
  *
  * The DN of the structure will point to a copy of the string pointed to by
@@ -2272,6 +2359,56 @@ Slapi_DN *slapi_sdn_set_dn_passin(Slapi_DN *sdn, const char *dn);
 /**
  * Sets a normalized DN value in a \c Slapi_DN structure.
  *
+ * The DN of the structure will point to the same string pointed to by \c normdn.
+ * The normalized DN value is passed in to the parameter by reference.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is still responsible for the memory used by \c normdn.  
+ *          This memory should not be freed until the returned \c Slapi_DN 
+ *          has been disposed of or reinitialized.
+ * \see slapi_sdn_set_dn_byref()
+ */
+Slapi_DN *slapi_sdn_set_normdn_byref(Slapi_DN *sdn, const char *normdn);
+
+/**
+ * Sets a normalized DN value in a \c Slapi_DN structure.
+ *
+ * The DN of the structure will point to the same string pointed to by \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is no longer responsible for the memory used by \c normdn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_set_dn_passin()
+ */
+Slapi_DN *slapi_sdn_set_normdn_passin(Slapi_DN *sdn, const char *dn);
+
+/**
+ * Sets a normalized DN value in a \c Slapi_DN structure.
+ *
+ * The normalized DN of the structure will point to a copy of the string
+ * pointed to by \c dn.  The normalized DN value is passed in to the parameter
+ * by value.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is no longer responsible for the memory used by \c normdn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_set_dn_passin()
+ */
+Slapi_DN *slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *dn);
+
+/**
+ * Sets a normalized and case ignored DN value in a \c Slapi_DN structure.
+ *
  * The normalized DN of the structure will point to a copy of the string
  * pointed to by \c ndn.  The normalized DN value is passed in to the parameter
  * by value.
@@ -2325,33 +2462,52 @@ void slapi_sdn_done(Slapi_DN *sdn);
 void slapi_sdn_free(Slapi_DN **sdn);
/**
- * Retrieves the DN value of a \c Slapi_DN structure.
+ * Retrieves the normalized DN value of a \c Slapi_DN structure.
+ *
+ * If the structure does not contain a normalized DN yet, it will normalize
+ * the un-normalized DN and set it in the structure.
  *
  * \param sdn The \c Slapi_DN strucure containing the DN value.
  * \return A pointer to the DN value if one is set.
- * \return A pointer to the normalized DN value if one is set and no
+ * \return A pointer to the normalized and case ignored DN value if one is set and no
  *         DN value is set.
- * \return \c NULL if no DN or normalized DN value is set.
+ * \return \c NULL if no normalized DN or normalized and case ignored DN value is set.
  * \warning The pointer returned is the actual value from the structure, not a copy.
  * \see slapi_sdn_get_ndn()
+ * \see slapi_sdn_get_udn()
  */
 const char * slapi_sdn_get_dn(const Slapi_DN *sdn);
/**
- * Retrieves the normalized DN value of a \c Slapi_DN structure.
+ * Retrieves the normalized and case ignored DN value of a \c Slapi_DN structure.
  *
- * If the structure does not contain a normalized DN yet, it will normalize
- * the DN and set it in the structure.
+ * If the structure does not contain a normalized and case ignored DN yet, 
+ * it will normalize and case ignore the DN and set it in the structure.
  *
- * \param sdn The \c Slapi_DN strucure containing the normalized DN value.
+ * \param sdn The \c Slapi_DN strucure containing the normalized and case ignored DN value.
  * \return The normalized DN value.
  * \return \c NULL if no DN or normalized DN value is set.
  * \warning The pointer returned is the actual value from the structure, not a copy.
  * \see slapi_sdn_get_dn()
+ * \see slapi_sdn_get_udn()
  */
 const char * slapi_sdn_get_ndn(const Slapi_DN *sdn);
/**
+ * Retrieves the un-normalized DN value of a \c Slapi_DN structure.
+ *
+ * \param sdn The \c Slapi_DN strucure containing the DN value.
+ * \return A pointer to the DN value if one is set.
+ * \return A pointer to the normalized DN value if one is set and no
+ *         DN value is set.
+ * \return \c NULL if no DN or normalized DN value is set.
+ * \warning The pointer returned is the actual value from the structure, not a copy.
+ * \see slapi_sdn_get_dn()
+ * \see slapi_sdn_get_ndn()
+ */
+const char * slapi_sdn_get_udn(const Slapi_DN *sdn);
+
+/**
  * Fills in an existing \c Slapi_DN structure with the parent DN of the passed in \c Slapi_DN.
  *
  * \param sdn Pointer to the \c Slapi_DN structure containing the DN whose parent is desired.
@@ -2555,7 +2711,7 @@ Slapi_DN *slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn);
  *        in \c newrdn in front of the content of this parameter.
  * \return The new DN for the entry whose previous DN was \c dn_olddn.
  */
-char * slapi_moddn_get_newdn(Slapi_DN *dn_olddn, char *newrdn, char *newsuperiordn);
+char * slapi_moddn_get_newdn(Slapi_DN *dn_olddn, const char *newrdn, const char *newsuperiordn);
 Slapi_DN *slapi_sdn_add_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn);
@@ -3167,6 +3323,16 @@ char *slapi_create_dn_string(const char *fmt, ...);
 char *slapi_create_dn_string_case(const char *fmt, ...);
/**
+ * Generates a valid value of RDN string
+ *
+ * \param fmt The format used to generate a value of RDN string.
+ * \param ... The arguments to generate an RDN string.
+ * \return A pointer to the generated RDN value.
+ * \return NULL if failed.
+ */
+char *slapi_create_rdn_value(const char *fmt, ...);
+
+/**
  * Converts a DN to lowercase.
  *
  * \param dn The DN to convert.
@@ -5092,6 +5258,10 @@ void slapi_search_internal_set_pb(Slapi_PBlock *pb, const char *base,
    int scope, const char *filter, char **attrs, int attrsonly,
    LDAPControl **controls, const char *uniqueid,
    Slapi_ComponentId *plugin_identity, int operation_flags);
+void slapi_search_internal_set_pb_ext(Slapi_PBlock *pb, Slapi_DN *sdn,
+	int scope, const char *filter, char **attrs, int attrsonly,
+	LDAPControl **controls, const char *uniqueid,
+	Slapi_ComponentId *plugin_identity, int operation_flags);
 void slapi_add_entry_internal_set_pb(Slapi_PBlock *pb, Slapi_Entry *e,
    LDAPControl **controls, Slapi_ComponentId *plugin_identity,
    int operation_flags);
@@ -5101,10 +5271,28 @@ int slapi_add_internal_set_pb(Slapi_PBlock *pb, const char *dn,
 void slapi_modify_internal_set_pb(Slapi_PBlock *pb, const char *dn,
    LDAPMod **mods, LDAPControl **controls, const char *uniqueid,
    Slapi_ComponentId *plugin_identity, int operation_flags);
-void slapi_rename_internal_set_pb(Slapi_PBlock *pb, const char *olddn,
-	const char *newrdn, const char *newsuperior, int deloldrdn,
+void slapi_modify_internal_set_pb_ext(Slapi_PBlock *pb, const Slapi_DN *sdn,
+	LDAPMod **mods, LDAPControl **controls, const char *uniqueid,
+	Slapi_ComponentId *plugin_identity, int operation_flags);
+/**
+ * Set \c Slapi_PBlock to perform modrdn/rename internally
+ *
+ * \param pblock - Slapi_PBlock to be set
+ * \param olddn - original dn to be renamed; it should have been normalized
+ * \param newrdn - new leaf rdn if any; it should have been normalized
+ * \param newsuperior - new parent dn if any; it should have been normalized
+ * \param deloldrdn \c 0 - keep original rdn \c non-zero - delete original rdn
+ * \param controls
+ * \param uniqueid
+ * \param plugin_identity
+ * \param operation_flags
+ */
+void slapi_rename_internal_set_pb_ext(Slapi_PBlock *pb,
+	const Slapi_DN *olddn, const char *newrdn,
+	const Slapi_DN *newsuperior, int deloldrdn,
    LDAPControl **controls, const char *uniqueid,
    Slapi_ComponentId *plugin_identity, int operation_flags);
+
 void slapi_delete_internal_set_pb(Slapi_PBlock *pb, const char *dn,
    LDAPControl **controls, const char *uniqueid,
    Slapi_ComponentId *plugin_identity, int operation_flags);
@@ -5811,6 +5999,7 @@ time_t slapi_current_time( void );
 /* operation */
 #define SLAPI_OPINITIATED_TIME			140
 #define SLAPI_REQUESTOR_DN			141
+#define SLAPI_REQUESTOR_NDN			156
 #define SLAPI_OPERATION_PARAMETERS		138
 #define SLAPI_OPERATION_TYPE			590
 #define SLAPI_OPERATION_AUTHTYPE		741
@@ -6084,7 +6273,10 @@ typedef struct slapi_plugindesc {
 /* arguments that are common to all operation */
 #define SLAPI_TARGET_ADDRESS			48	/* target address (dn + uniqueid) should be normalized */
 #define SLAPI_TARGET_UNIQUEID			49	/* target uniqueid of the operation */
-#define SLAPI_TARGET_DN				50	/* target dn of the operation should be normalized */
+#define SLAPI_TARGET_DN  50 /* DEPRECATED.  target dn of the operation.
+                               It actually points DN in SLAPI_TARGET_SDN. */
+#define SLAPI_TARGET_SDN 47 /* target sdn of the operation */
+
 #define SLAPI_REQCONTROLS			51	/* request controls */
/* Copies of entry before and after add, mod, mod[r]dn operations */
@@ -6122,7 +6314,8 @@ typedef struct slapi_plugindesc {
 #define SLAPI_DESTROY_CONTENT       		59
/* add arguments */
-#define SLAPI_ADD_TARGET			SLAPI_TARGET_DN
+#define SLAPI_ADD_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_ADD_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_ADD_ENTRY				60
 #define SLAPI_ADD_EXISTING_DN_ENTRY		61
 #define SLAPI_ADD_PARENT_ENTRY      		62
@@ -6130,7 +6323,8 @@ typedef struct slapi_plugindesc {
 #define SLAPI_ADD_EXISTING_UNIQUEID_ENTRY	64
/* bind arguments */
-#define SLAPI_BIND_TARGET			SLAPI_TARGET_DN
+#define SLAPI_BIND_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_BIND_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_BIND_METHOD			70
 #define SLAPI_BIND_CREDENTIALS			71	/* v3 only */
 #define SLAPI_BIND_SASLMECHANISM		72	/* v3 only */
@@ -6138,27 +6332,32 @@ typedef struct slapi_plugindesc {
 #define SLAPI_BIND_RET_SASLCREDS		73	/* v3 only */
/* compare arguments */
-#define SLAPI_COMPARE_TARGET			SLAPI_TARGET_DN
+#define SLAPI_COMPARE_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_COMPARE_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_COMPARE_TYPE			80
 #define SLAPI_COMPARE_VALUE			81
/* delete arguments */
-#define SLAPI_DELETE_TARGET			SLAPI_TARGET_DN
+#define SLAPI_DELETE_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_DELETE_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_DELETE_EXISTING_ENTRY		SLAPI_ADD_EXISTING_DN_ENTRY
 #define SLAPI_DELETE_GLUE_PARENT_ENTRY	SLAPI_ADD_PARENT_ENTRY
 #define SLAPI_DELETE_BEPREOP_ENTRY			SLAPI_ENTRY_PRE_OP
 #define SLAPI_DELETE_BEPOSTOP_ENTRY			SLAPI_ENTRY_POST_OP
/* modify arguments */
-#define SLAPI_MODIFY_TARGET			SLAPI_TARGET_DN
+#define SLAPI_MODIFY_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_MODIFY_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_MODIFY_MODS			90
 #define SLAPI_MODIFY_EXISTING_ENTRY		SLAPI_ADD_EXISTING_DN_ENTRY
/* modrdn arguments */
-#define SLAPI_MODRDN_TARGET			SLAPI_TARGET_DN
+#define SLAPI_MODRDN_TARGET			SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_MODRDN_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_MODRDN_NEWRDN			100
 #define SLAPI_MODRDN_DELOLDRDN			101
 #define SLAPI_MODRDN_NEWSUPERIOR        	102	/* v3 only */
+#define SLAPI_MODRDN_NEWSUPERIOR_SDN        103	/* v3 only */
 #define SLAPI_MODRDN_EXISTING_ENTRY     	SLAPI_ADD_EXISTING_DN_ENTRY
 #define SLAPI_MODRDN_PARENT_ENTRY       	104
 #define SLAPI_MODRDN_NEWPARENT_ENTRY    	105
@@ -6173,7 +6372,8 @@ typedef struct slapi_plugindesc {
 #define SLAPI_ORIGINAL_TARGET			SLAPI_ORIGINAL_TARGET_DN
/* search arguments */
-#define SLAPI_SEARCH_TARGET         SLAPI_TARGET_DN
+#define SLAPI_SEARCH_TARGET     	SLAPI_TARGET_DN /* DEPRECATED */
+#define SLAPI_SEARCH_TARGET_SDN     SLAPI_TARGET_SDN
 #define SLAPI_SEARCH_SCOPE          110
 #define SLAPI_SEARCH_DEREF          111
 #define SLAPI_SEARCH_SIZELIMIT      112
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index bedc9f5..2b717a0 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -376,7 +376,9 @@ Slapi_DN *slapi_sdn_init_dn_byval(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_dn_passin(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_ndn_byref(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_ndn_byval(Slapi_DN *sdn,const char *dn);
-Slapi_DN *slapi_sdn_init_dn_ndn_byref(Slapi_DN *sdn,const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_byref(Slapi_DN *sdn, const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_ndn_passin(Slapi_DN *sdn, const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn);
 char *slapi_dn_normalize_original( char *dn );
 char *slapi_dn_normalize_case_original( char *dn );
@@ -520,10 +522,10 @@ int test_presence_filter( Slapi_PBlock *pb, Slapi_Entry *e, char *type,
 /* this structure allows to address entry by dn or uniqueid */
 typedef struct entry_address
 {
-	char *dn;
    char *udn; /* unnormalized dn */	
    char *uniqueid;	
-}entry_address;
+	Slapi_DN *sdn;
+} entry_address;
/*
  * LDAP Operation input parameters.
@@ -671,6 +673,7 @@ void slapi_send_ldap_result_from_pb( Slapi_PBlock *pb);
 typedef struct mt_node mapping_tree_node;
 mapping_tree_node *slapi_get_mapping_tree_node_by_dn(const Slapi_DN *dn);
 char* slapi_get_mapping_tree_node_configdn(const Slapi_DN *root);
+Slapi_DN* slapi_get_mapping_tree_node_configsdn(const Slapi_DN *root);
 const Slapi_DN* slapi_get_mapping_tree_node_root(const mapping_tree_node *node);
 const char* slapi_get_mapping_tree_config_root ();
 Slapi_Backend *slapi_mapping_tree_find_backend_for_sdn(Slapi_DN *sdn);
@@ -812,7 +815,7 @@ char ** cool_charray_dup( char **a );
 void cool_charray_free( char **array );
 void charray_subtract( char **a, char **b, char ***c );
 int charray_get_index(char **array, char *s);
-
+int charray_normdn_add(char ***chararray, char *dn, char *errstr);
/******************************************************************************
  * value array routines.
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index 999d004..6d60775 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -779,13 +779,25 @@ static int task_import_add(Slapi_PBlock *pb, Slapi_Entry *e,
     if (slapi_entry_attr_find(e, "nsIncludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&include, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = charray_normdn_add(&include,
+                                    (char *)slapi_value_get_string(val),
+                                    "nsIncludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                return SLAPI_DSE_CALLBACK_ERROR;
+            }
         }
     }
     if (slapi_entry_attr_find(e, "nsExcludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&exclude, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = charray_normdn_add(&exclude, 
+                                    (char *)slapi_value_get_string(val),
+                                    "nsExcludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                return SLAPI_DSE_CALLBACK_ERROR;
+            }
         }
     }
@@ -1090,13 +1102,25 @@ static int task_export_add(Slapi_PBlock *pb, Slapi_Entry *e,
     if (slapi_entry_attr_find(e, "nsIncludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&include, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = charray_normdn_add(&include, 
+                                    (char *)slapi_value_get_string(val),
+                                    "nsIncludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                goto out;
+            }
         }
     }
     if (slapi_entry_attr_find(e, "nsExcludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&exclude, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = charray_normdn_add(&exclude, 
+                                    (char *)slapi_value_get_string(val),
+                                    "nsExcludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                goto out;
+            }
         }
     }
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index 23d0a04..4d58d88 100644
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -1764,10 +1764,7 @@ error:
   }
done:
-  /*
-   * Normal end
-   */
-  return (0);
+  return rc;
 }
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 5cb2711..b91ec12 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -439,24 +439,18 @@ normalize_mods2bvals(const LDAPMod **mods)
                  mbvp && *mbvp; mbvp++, normmbvp++)
             {
                 if (is_dn_syntax) {
-                    int rc = 0;
-                    char *normed = NULL;
-                    size_t dnlen = 0;
-
-                    rc = slapi_dn_normalize_ext((*mbvp)->bv_val, 
-                                                (*mbvp)->bv_len,
-                                                &normed, &dnlen);
-                    if (rc < 0) { /* normalization failed; use the original */
-                        *normmbvp = ber_bvdup(*mbvp);
-                    } else if (rc == 0) { /* if rc == 0, value is passed in */
-                        *(normed + dnlen) = '\0';
-                        *normmbvp = ber_bvdup(*mbvp);
-                    } else {
+                    Slapi_DN *sdn = slapi_sdn_new_dn_byref((*mbvp)->bv_val);
+                    if (slapi_sdn_get_dn(sdn)) {
                         *normmbvp = 
                         (struct berval *)slapi_ch_malloc(sizeof(struct berval));
-                        (*normmbvp)->bv_val = normed;
-                        (*normmbvp)->bv_len = dnlen;
+                        (*normmbvp)->bv_val = 
+                                  slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+                        (*normmbvp)->bv_len = slapi_sdn_get_ndn_len(sdn);
+                    } else {
+                        /* normalization failed; use the original */
+                        *normmbvp = ber_bvdup(*mbvp);
                     }
+                    slapi_sdn_free(&sdn);
                 } else {
                     *normmbvp = ber_bvdup(*mbvp);
                 }
@@ -474,26 +468,21 @@ normalize_mods2bvals(const LDAPMod **mods)
                 vlen = strlen(*mvp);
if (is_dn_syntax) {
-                    int rc = 0;
-                    char *normed = NULL;
-                    size_t dnlen = 0;
-                    rc = slapi_dn_normalize_ext(*mvp, vlen,
-                                                &normed, &dnlen);
-                    if (rc < 0) { /* normalization failed; use the original */
+                    Slapi_DN *sdn = slapi_sdn_new_dn_byref(*mvp);
+                    if (slapi_sdn_get_dn(sdn)) {
+                        *normmbvp = 
+                        (struct berval *)slapi_ch_malloc(sizeof(struct berval));
+                        (*normmbvp)->bv_val = 
+                                  slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+                        (*normmbvp)->bv_len = slapi_sdn_get_ndn_len(sdn);
+                    } else {
+                         /* normalization failed; use the original */
                         (*normmbvp)->bv_val = slapi_ch_malloc(vlen + 1);
                         memcpy((*normmbvp)->bv_val, *mvp, vlen);
                         (*normmbvp)->bv_val[vlen] = '\0';
                         (*normmbvp)->bv_len = vlen;
-                    } else if (rc == 0) { /* if rc == 0, value is passed in */
-                        *(normed + dnlen) = '\0';
-                        (*normmbvp)->bv_val = slapi_ch_strdup(normed);
-                        (*normmbvp)->bv_len = dnlen;
-                    } else {
-                        *normmbvp = 
-                        (struct berval *)slapi_ch_malloc(sizeof(struct berval));
-                        (*normmbvp)->bv_val = normed;
-                        (*normmbvp)->bv_len = dnlen;
                     }
+                    slapi_sdn_free(&sdn);
                 } else {
                     (*normmbvp)->bv_val = slapi_ch_malloc(vlen + 1);
                     memcpy((*normmbvp)->bv_val, *mvp, vlen);
diff --git a/ldap/servers/slapd/uuid.c b/ldap/servers/slapd/uuid.c
index 4a3ec8e..03244de 100644
--- a/ldap/servers/slapd/uuid.c
+++ b/ldap/servers/slapd/uuid.c
@@ -655,14 +655,13 @@ static int add_state_entry ()
    struct berval	val;
    Slapi_Entry		*e;
    Slapi_PBlock	*pb = NULL;
-	const char *dn = slapi_sdn_get_ndn (_state.configDN);
    int rt;
vals[0] = &val;
    vals[1] = NULL;
e = slapi_entry_alloc();
-	slapi_entry_set_dn(e, slapi_ch_strdup(dn));
+	slapi_entry_set_sdn(e, _state.configDN);
/* Set the objectclass attribute */
    val.bv_val = "top";
diff --git a/ldap/servers/slapd/value.c b/ldap/servers/slapd/value.c
index 1faf31a..2817eaf 100644
--- a/ldap/servers/slapd/value.c
+++ b/ldap/servers/slapd/value.c
@@ -313,7 +313,7 @@ slapi_value_set( Slapi_Value *value, void *val, unsigned long len)
 {
    struct berval bv;
    bv.bv_len= len;
-	bv.bv_val= (void*)val; /* We cast away the const, but we're not going to change anything */
+	bv.bv_val= val; /* We cast away the const, but we're not going to change anything */
    slapi_value_set_berval( value, &bv);
    return value;
 }
@@ -570,26 +570,21 @@ value_dump( const Slapi_Value *value, const char *text)
 int
 value_normalize_value(Slapi_Value *value)
 {
-	char *normval = NULL;
-	size_t len = 0;
+	Slapi_DN *sdn = NULL;
    int rc = 0;
if (NULL == value) {
-		return 0;
+		return rc;
    }
-	rc = slapi_dn_normalize_ext(value->bv.bv_val, value->bv.bv_len,
-								&normval, &len);
-	if (rc < 0) {
-		return 1;
-	} else if (rc > 0) {	/* if rc == 0, the original value is passed in */
-		slapi_ch_free_string(&value->bv.bv_val);
-	} else { /* rc == 0; original is passed in; not null terminated */
-		/* since bvalue, no need to terminate with null, tho */
-		*(normval + len) = '\0';
+	sdn = slapi_sdn_new_dn_passin(value->bv.bv_val);
+	if (slapi_sdn_get_dn(sdn)) {
+		value->bv.bv_val = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+		value->bv.bv_len = slapi_sdn_get_ndn_len(sdn);
+	} else {
+		rc = 1;
    }
-	value->bv.bv_val = normval;
-	value->bv.bv_len = len;
+	slapi_sdn_free(&sdn);
-	return 0;
+	return rc;
 }
diff --git a/lib/libaccess/lasdns.cpp b/lib/libaccess/lasdns.cpp
index a81f680..6956878 100644
--- a/lib/libaccess/lasdns.cpp
+++ b/lib/libaccess/lasdns.cpp
@@ -151,6 +151,7 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
 #else
     PRHostEnt *he, host;
 #endif
+    char *end_attr_pattern;
if (attr_pattern == NULL) {
    nserrGenerate(errp, ACLERRINVAL, ACLERR4770, ACL_Program, 1, 
@@ -172,6 +173,7 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
         return LAS_EVAL_INVALID;
     }
+    end_attr_pattern = attr_pattern + strlen(attr_pattern);
     do {
    	size_t maxsize = sizeof(token);
    /*  Get a single hostname from the pattern string	*/
@@ -183,8 +185,10 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
         token[delimiter] = '\0';
/*  Skip any white space after the token 		*/
-        attr_pattern     += delimiter;
-        attr_pattern    += strspn(attr_pattern, ", \t");
+        attr_pattern += delimiter;
+        if (attr_pattern < end_attr_pattern) {
+            attr_pattern += strspn(attr_pattern, ", \t");
+        }
/*  If there's a wildcard, strip it off but leave the "."
     *  Can't have aliases for a wildcard pattern.

    