[389-devel] Please review: Reduce the number of DN normalization

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Reduce the number of DN normalization

. Replacing SLAPI_TARGET_DN with SLAPI_TARGET_SDN (also its macros,
  e.g., SLAPI_SEARCH_TARGET_SDN and SLAPI_ADD_TARGET_SDN).
. Replacing the type of SLAPI_MODRDN_NEWSUPERIOR from (char *) to
  (Slapi_DN *), as well.
. Replacing slapi_dn_normalization_ext call with generating Slapi_DN
  APIs (e.g., slapi_sdn_new_dn_...) as much as possible and stash it
  in pblock using SLAPI_TARGET_SDN.
. When a normalized DN string is needed, get it using slapi_sdn_get_[n]dn
  from the stashed Slapi_DN.
. Introduced a new field to Slapi_DN.
  "udn" for the original DN; "dn" is a normalized DN; "ndn" is a case-
  ignored normalized DN.
  Taking advantage of the knowledge of the stage of the DN, call the
  most efficient DN creating API (e.g., slapi_sdn_new_dn_... vs.
  slapi_sdn_new_normdn_... vs. slapi_sdn_new_ndn_...)

Others
. Replacing inefficient array assignment with memset (acl.c) and
  memcpy (idl_common.c).
. Fixing invalid memory access in LASDnsBuild (lib/libaccess/lasdns.cpp).
. Even if Slapi_counter is disabled, the server is allowed to start
  (back-ldbm/cache.c).
. Fixing compiler warnings.

Sorry, it's huge...
>From a074b7b3ef0ea495aeb88cb552b96c781eb7b2d1 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@xxxxxxxxxx>
Date: Mon, 10 Oct 2011 10:04:13 -0700
Subject: [PATCH] Reduce the number of DN normalization

. Replacing SLAPI_TARGET_DN with SLAPI_TARGET_SDN (also its macros,
  e.g., SLAPI_SEARCH_TARGET_SDN and SLAPI_ADD_TARGET_SDN).
. Replacing the type of SLAPI_MODRDN_NEWSUPERIOR from (char *) to
  (Slapi_DN *), as well.
. Replacing slapi_dn_normalization_ext call with generating Slapi_DN
  APIs (e.g., slapi_sdn_new_dn_...) as much as possible and stash it
  in pblock using SLAPI_TARGET_SDN.
. When a normalized DN string is needed, get it using slapi_sdn_get_[n]dn
  from the stashed Slapi_DN.
. Introduced a new field to Slapi_DN.
  "udn" for the original DN; "dn" is a normalized DN; "ndn" is a case-
  ignored normalized DN.
  Taking advantage of the knowledge of the stage of the DN, call the
  most efficient DN creating API (e.g., slapi_sdn_new_dn_... vs.
  slapi_sdn_new_normdn_... vs. slapi_sdn_new_ndn_...)

Others
. Replacing inefficient array assignment with memset (acl.c) and
  memcpy (idl_common.c).
. Fixing invalid memory access in LASDnsBuild (lib/libaccess/lasdns.cpp).
. Even if Slapi_counter is disabled, the server is allowed to start
  (back-ldbm/cache.c).
. Fixing compiler warnings.
---
 ldap/servers/plugins/acctpolicy/acct_plugin.c      |   11 +-
 ldap/servers/plugins/acl/acl.c                     |   46 +--
 ldap/servers/plugins/acl/acl.h                     |    2 +-
 ldap/servers/plugins/acl/acl_ext.c                 |    8 +-
 ldap/servers/plugins/acl/acleffectiverights.c      |    9 +-
 ldap/servers/plugins/acl/acllas.c                  |   32 +-
 ldap/servers/plugins/acl/acllist.c                 |   43 +-
 ldap/servers/plugins/acl/aclparse.c                |   20 +-
 ldap/servers/plugins/acl/aclplugin.c               |    8 +-
 ldap/servers/plugins/automember/automember.c       |   90 ++---
 ldap/servers/plugins/chainingdb/cb_add.c           |   29 +-
 ldap/servers/plugins/chainingdb/cb_bind.c          |   61 ++--
 ldap/servers/plugins/chainingdb/cb_compare.c       |   46 ++-
 ldap/servers/plugins/chainingdb/cb_controls.c      |    6 +-
 ldap/servers/plugins/chainingdb/cb_delete.c        |   43 ++-
 ldap/servers/plugins/chainingdb/cb_instance.c      |   24 +-
 ldap/servers/plugins/chainingdb/cb_modify.c        |   55 ++--
 ldap/servers/plugins/chainingdb/cb_modrdn.c        |   37 +-
 ldap/servers/plugins/chainingdb/cb_search.c        |  123 ++++---
 ldap/servers/plugins/chainingdb/cb_utils.c         |    2 +-
 ldap/servers/plugins/cos/cos_cache.c               |    6 +-
 ldap/servers/plugins/dna/dna.c                     |   62 ++-
 ldap/servers/plugins/linkedattrs/linked_attrs.c    |   40 ++-
 ldap/servers/plugins/linkedattrs/linked_attrs.h    |    2 +-
 ldap/servers/plugins/memberof/memberof.c           |   10 +-
 ldap/servers/plugins/mep/mep.c                     |  151 ++++----
 ldap/servers/plugins/pam_passthru/pam_passthru.h   |    2 +-
 ldap/servers/plugins/pam_passthru/pam_ptconfig.c   |    2 +-
 ldap/servers/plugins/pam_passthru/pam_ptimpl.c     |   16 +-
 ldap/servers/plugins/pam_passthru/pam_ptpreop.c    |    9 +-
 ldap/servers/plugins/passthru/passthru.h           |    4 +-
 ldap/servers/plugins/passthru/ptbind.c             |    6 +-
 ldap/servers/plugins/passthru/ptconn.c             |    8 +-
 ldap/servers/plugins/passthru/ptpreop.c            |   17 +-
 ldap/servers/plugins/referint/referint.c           |   17 +-
 ldap/servers/plugins/replication/cl4_api.c         |    2 +-
 ldap/servers/plugins/replication/cl5_api.c         |   80 ++--
 ldap/servers/plugins/replication/cl5_test.c        |    2 +-
 ldap/servers/plugins/replication/legacy_consumer.c |   14 +-
 ldap/servers/plugins/replication/repl.h            |    2 +-
 ldap/servers/plugins/replication/repl5.h           |    2 +
 ldap/servers/plugins/replication/repl5_agmt.c      |   11 +-
 ldap/servers/plugins/replication/repl5_agmtlist.c  |   22 +-
 .../plugins/replication/repl5_inc_protocol.c       |   12 +-
 ldap/servers/plugins/replication/repl5_init.c      |    4 +-
 .../servers/plugins/replication/repl5_mtnode_ext.c |   13 +-
 ldap/servers/plugins/replication/repl5_plugins.c   |    2 +-
 ldap/servers/plugins/replication/repl5_replica.c   |    8 +-
 .../plugins/replication/repl5_replica_config.c     |    8 +-
 ldap/servers/plugins/replication/repl_bind.c       |    6 +-
 ldap/servers/plugins/replication/repl_compare.c    |   17 +-
 ldap/servers/plugins/replication/repl_connext.c    |    2 +-
 ldap/servers/plugins/replication/repl_extop.c      |   25 +-
 ldap/servers/plugins/replication/replutil.c        |    2 +-
 ldap/servers/plugins/replication/urp.c             |   60 ++--
 .../plugins/replication/windows_protocol_util.c    |   34 +-
 ldap/servers/plugins/retrocl/retrocl_po.c          |    8 +-
 ldap/servers/plugins/roles/roles_cache.c           |   10 +-
 ldap/servers/plugins/statechange/statechange.c     |   19 +-
 ldap/servers/plugins/uiduniq/7bit.c                |   39 ++-
 ldap/servers/plugins/uiduniq/uid.c                 |  135 ++++----
 ldap/servers/plugins/views/views.c                 |   11 +-
 ldap/servers/slapd/add.c                           |   68 ++--
 ldap/servers/slapd/auditlog.c                      |   25 +-
 ldap/servers/slapd/back-ldbm/cache.c               |    4 +-
 ldap/servers/slapd/back-ldbm/dblayer.c             |    2 -
 ldap/servers/slapd/back-ldbm/dn2entry.c            |   27 +-
 ldap/servers/slapd/back-ldbm/findentry.c           |   18 +-
 ldap/servers/slapd/back-ldbm/id2entry.c            |   20 +-
 ldap/servers/slapd/back-ldbm/idl_common.c          |    6 +-
 ldap/servers/slapd/back-ldbm/import-threads.c      |   74 ++--
 ldap/servers/slapd/back-ldbm/instance.c            |    1 +
 ldap/servers/slapd/back-ldbm/ldbm_add.c            |   45 ++-
 ldap/servers/slapd/back-ldbm/ldbm_config.c         |   30 ++-
 ldap/servers/slapd/back-ldbm/ldbm_delete.c         |   16 +-
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c       |    4 +-
 .../servers/slapd/back-ldbm/ldbm_instance_config.c |   21 +-
 ldap/servers/slapd/back-ldbm/ldbm_modify.c         |    2 +-
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c         |  111 +++---
 ldap/servers/slapd/back-ldbm/ldbm_search.c         |   87 +++--
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c           |   32 +-
 ldap/servers/slapd/back-ldbm/misc.c                |    3 +-
 ldap/servers/slapd/back-ldbm/vlv_srch.c            |    2 +-
 ldap/servers/slapd/bind.c                          |   79 ++---
 ldap/servers/slapd/bulk_import.c                   |   39 +--
 ldap/servers/slapd/compare.c                       |   36 +-
 ldap/servers/slapd/delete.c                        |   77 ++--
 ldap/servers/slapd/dn.c                            |  403 ++++++++++++++------
 ldap/servers/slapd/dse.c                           |   98 ++----
 ldap/servers/slapd/entry.c                         |  142 +++++---
 ldap/servers/slapd/extendop.c                      |   21 +-
 ldap/servers/slapd/fedse.c                         |    2 +-
 ldap/servers/slapd/libglobs.c                      |    5 +-
 ldap/servers/slapd/main.c                          |   32 ++-
 ldap/servers/slapd/mapping_tree.c                  |   24 +-
 ldap/servers/slapd/modify.c                        |   78 ++---
 ldap/servers/slapd/modrdn.c                        |  239 ++++++------
 ldap/servers/slapd/operation.c                     |   25 +-
 ldap/servers/slapd/opshared.c                      |  120 ++++---
 ldap/servers/slapd/passwd_extop.c                  |  140 +++----
 ldap/servers/slapd/pblock.c                        |   35 +-
 ldap/servers/slapd/plugin.c                        |   80 ++--
 ldap/servers/slapd/plugin_acl.c                    |   19 +-
 ldap/servers/slapd/plugin_internal_op.c            |   99 +++---
 ldap/servers/slapd/plugin_syntax.c                 |   10 +-
 ldap/servers/slapd/proxyauth.c                     |    4 +-
 ldap/servers/slapd/psearch.c                       |   64 ++--
 ldap/servers/slapd/pw.c                            |   17 +-
 ldap/servers/slapd/pw_retry.c                      |   36 ++-
 ldap/servers/slapd/rdn.c                           |   20 +-
 ldap/servers/slapd/referral.c                      |   21 +-
 ldap/servers/slapd/result.c                        |   10 +-
 ldap/servers/slapd/saslbind.c                      |   25 +-
 ldap/servers/slapd/search.c                        |   42 +--
 ldap/servers/slapd/slap.h                          |    5 +-
 ldap/servers/slapd/slapi-plugin.h                  |  235 ++++++++++--
 ldap/servers/slapd/slapi-private.h                 |    8 +-
 ldap/servers/slapd/task.c                          |   54 +++-
 ldap/servers/slapd/tools/ldclt/ldapfct.c           |    5 +-
 lib/libaccess/lasdns.cpp                           |    8 +-
 120 files changed, 2556 insertions(+), 1996 deletions(-)

diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 6d9edb3..5969bec 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -32,7 +32,7 @@ Hewlett-Packard Development Company, L.P.
   login time plus the limit to decide whether to deny the bind.
 */
 static int
-acct_inact_limit( Slapi_PBlock *pb, char *dn, Slapi_Entry *target_entry, acctPolicy *policy )
+acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, acctPolicy *policy )
 {
 	char *lasttimestr = NULL;
 	time_t lim_t, last_t, cur_t;
@@ -153,7 +153,7 @@ done:
 int
 acct_bind_preop( Slapi_PBlock *pb )
 {
-	char *dn = NULL;
+	const char *dn = NULL;
 	Slapi_DN *sdn = NULL;
 	Slapi_Entry *target_entry = NULL;
 	int rc = 0; /* Optimistic default */
@@ -167,20 +167,19 @@ acct_bind_preop( Slapi_PBlock *pb )
 	plugin_id = get_identity();
 
 	/* This does not give a copy, so don't free it */
-	if( slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn ) != 0 ) {
+	if( slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) != 0 ) {
 		slapi_log_error( SLAPI_LOG_FATAL, PRE_PLUGIN_NAME,
 			"Error retrieving target DN\n" );
 		rc = -1;
 		goto done;
 	}
+	dn = slapi_sdn_get_dn(sdn);
 
 	/* The plugin wouldn't get called for anonymous binds but let's check */
 	if ( dn == NULL ) {
 		goto done;
 	}
 
-	sdn = slapi_sdn_new_dn_byref( dn );
-
 	ldrc = slapi_search_internal_get_entry( sdn, NULL, &target_entry,
 		plugin_id );
 
@@ -222,8 +221,6 @@ done:
 
 	slapi_entry_free( target_entry );
 
-	slapi_sdn_free( &sdn );
-
 	free_acctpolicy( &policy );
 
 	slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 2794694..0e440aa 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -95,8 +95,8 @@ static void print_access_control_summary( char * source,
 									char *attr,
 									const char *edn,
 									aclResultReason_t *acl_reason);
-static int check_rdn_access( Slapi_PBlock *pb,Slapi_Entry *e, char * newrdn,
-						int access);
+static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, 
+                             const char * newrdn, int access);
 
 
 /*
@@ -117,7 +117,9 @@ acl_access_allowed_modrdn(
 	)
 {
 	int retCode ;
-	char *newrdn, *oldrdn;
+	char *newrdn;
+	const char *oldrdn;
+	Slapi_DN *target_sdn = NULL;
 	int deleteoldrdn = 0;
 
 	/*
@@ -134,9 +136,8 @@ acl_access_allowed_modrdn(
 	}
 
 	/* Now get the new rdn attribute name and value */
-
-	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &oldrdn );
-    slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
+	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &target_sdn );
+	slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
 
 	/* Check can add the new naming attribute */
 	retCode = check_rdn_access( pb, e, newrdn, ACLPB_SLAPI_ACL_WRITE_ADD) ;
@@ -149,6 +150,7 @@ acl_access_allowed_modrdn(
 	/* Check can delete the new naming attribute--if required */
 	slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &deleteoldrdn );
 	if ( deleteoldrdn ) {
+		oldrdn = slapi_sdn_get_dn(target_sdn);
 		retCode = check_rdn_access( pb, e, oldrdn, ACLPB_SLAPI_ACL_WRITE_DEL) ;
 		if ( retCode != LDAP_SUCCESS ) {
 			slapi_log_error( SLAPI_LOG_ACL, plugin_name,
@@ -164,7 +166,7 @@ acl_access_allowed_modrdn(
  * Test if have access to make the first rdn of dn in entry e.
 */
  
-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, char *dn,
+static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn,
 						int access) {
 	
 	char **dns;
@@ -320,7 +322,7 @@ acl_access_allowed(
 	TNF_PROBE_0_DEBUG(acl_skipaccess_end,"ACL","");
 
 
-	/* Get the bindDN */
+	/* Get the bindDN (normalized & case-ignored) */
 	slapi_pblock_get ( pb, SLAPI_REQUESTOR_DN, &clientDn );
 
 	/* Initialize aclpb */
@@ -486,7 +488,7 @@ acl_access_allowed(
 		
 		TNF_PROBE_0_DEBUG(acl_aciscan_start,"ACL","");
 		slapi_sdn_done ( aclpb->aclpb_curr_entry_sdn );
-		slapi_sdn_set_dn_byval ( aclpb->aclpb_curr_entry_sdn, n_edn );
+		slapi_sdn_set_ndn_byval ( aclpb->aclpb_curr_entry_sdn, n_edn );
 		acllist_aciscan_update_scan ( aclpb, n_edn ); 
 		TNF_PROBE_0_DEBUG(acl_aciscan_end,"ACL","");
 
@@ -1064,16 +1066,14 @@ acl_read_access_allowed_on_entry (
 				 * which was found in the entry and that attribute is
 				 * now in aclpb_Evalattr
 				*/
-				aclpb->aclpb_state |= 
-					ACLPB_ACCESS_ALLOWED_USERATTR;
+				aclpb->aclpb_state |= ACLPB_ACCESS_ALLOWED_USERATTR;
 			} else {
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
 				/*
 				 * Access was granted to _an_ attribute in the entry and that
 				 * attribute is now in aclpb_Evalattr
 				*/
-				aclpb->aclpb_state |= 
-					ACLPB_ACCESS_ALLOWED_ON_A_ATTR;
+				aclpb->aclpb_state |= ACLPB_ACCESS_ALLOWED_ON_A_ATTR;
 #ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES
 			}
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
@@ -1084,8 +1084,8 @@ acl_read_access_allowed_on_entry (
 		} else {
 			/* try the next one */
 			attr_type = NULL;
-#ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES
-			if (attr_index >= 0) { 
+#ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES 
+			if (attr_index >= 0) {
 				attr_type = attrs[attr_index++];
 			} else {
 #endif /* DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES */
@@ -1544,7 +1544,7 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
 	Slapi_DN		*e_sdn;
 	aclUserGroup	*ugroup = NULL;
 	
-	e_sdn = slapi_sdn_new_ndn_byval ( n_dn );
+	e_sdn = slapi_sdn_new_normdn_byval ( n_dn );
 	/* Before we proceed, Let's first check if we are changing any groups.
 	** If we are, then we need to change the signature
 	*/
@@ -1834,7 +1834,6 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
 	int				allow_handle;
 	int				gen_allow_handle = ACI_MAX_ELEVEL+1;
 	int				gen_deny_handle = ACI_MAX_ELEVEL+1;
-	int				i;
 	PRUint32		cookie;
 	
 	TNF_PROBE_0_DEBUG(acl__scan_for_acis_start,"ACL","");
@@ -1847,20 +1846,18 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
 			aclpb->aclpb_handles_index[0] != -1 ) {
 			int kk = 0;
 			while ( kk < ACLPB_MAX_SELECTED_ACLS && aclpb->aclpb_handles_index[kk] != -1 ) {
-				slapi_log_error(SLAPI_LOG_ACL, plugin_name, "Using ACL Cointainer:%d for evaluation\n", kk);
+				slapi_log_error(SLAPI_LOG_ACL, plugin_name, "Using ACL Container:%d for evaluation\n", kk);
 				kk++;
 			}
 	}
-		
+
 	memset (&errp, 0, sizeof(NSErr_t));
 	*err = ACL_FALSE;
 	aclpb->aclpb_num_deny_handles = -1;
 	aclpb->aclpb_num_allow_handles = -1;
-	for (i=0; i <= ACI_MAX_ELEVEL; i++) {
-		aclpb->aclpb_deny_handles [i] = NULL;
-		aclpb->aclpb_allow_handles [i] = NULL;
-	}
-		
+	memset(aclpb->aclpb_deny_handles, 0, sizeof(aci_t *)*(ACI_MAX_ELEVEL+1));
+	memset(aclpb->aclpb_allow_handles, 0, sizeof(aci_t *)*(ACI_MAX_ELEVEL+1));
+
 	/* Check the signature. If it has changed, start fresh */
 	if ( aclpb->aclpb_signature != acl_signature ) {
 		slapi_log_error (SLAPI_LOG_ACL, plugin_name, 
@@ -1871,7 +1868,6 @@ acl__scan_for_acis(Acl_PBlock *aclpb, int *err)
 	attr_matched = ACL_FALSE;
 	deny_handle = 0;
 	allow_handle = 0;
-	i = 0;
 
 	aclpb->aclpb_stat_acllist_scanned++;
 	aci = acllist_get_first_aci ( aclpb, &cookie );
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index 0d97769..8747de1 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -838,7 +838,7 @@ void		aclutil_print_resource( struct acl_pblock *aclpb, char *right , char *attr
 char *		aclutil_expand_paramString ( char *str, Slapi_Entry *e );
 
 
-void		acllist_init_scan (Slapi_PBlock *pb, int scope, char *base);
+void		acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base);
 aci_t * 	acllist_get_first_aci (Acl_PBlock *aclpb, PRUint32 *cookie );
 aci_t * 	acllist_get_next_aci ( Acl_PBlock *aclpb, aci_t *curraci, PRUint32 *cookie );
 aci_t *		acllist_get_aci_new ();
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index 61d8dd1..df7d1ed 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -658,7 +658,7 @@ error:
 
 /* Initializes the aclpb */
 void 
-acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_from_aclcb)
+acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
 {
 	struct acl_cblock	*aclcb = NULL;
 	char				*authType;
@@ -685,8 +685,8 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_
 	aclpb->aclpb_state = ACLPB_INITIALIZED;
 
 	/* We make an anonymous user a non null dn which is empty */
-	if (dn && *dn != '\0' ) 
-		slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, dn );
+	if (ndn && *ndn != '\0' ) 
+		slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, ndn );
 	else
 		slapi_sdn_set_ndn_byval ( aclpb->aclpb_authorization_sdn, "" );
 
@@ -716,7 +716,7 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *dn, int copy_
 	slapi_pblock_get ( pb, SLAPI_CONN_CERT, &aclpb->aclpb_clientcert );
 
 	/* See if the we have already a cached info about user's group */
-	aclg_init_userGroup ( aclpb, dn, 0 /* get lock */ );
+	aclg_init_userGroup ( aclpb, ndn, 0 /* get lock */ );
 
 	slapi_pblock_get( pb, SLAPI_BE_MAXNESTLEVEL, &aclpb->aclpb_max_nesting_level );
 	slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index b596c8f..9b47dbc 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -284,6 +284,7 @@ _ger_parse_control (
 		slapi_ch_free_string(&orig);
 		*subjectndn = normed;
 	}
+	slapi_dn_ignore_case(*subjectndn);
 	return LDAP_SUCCESS;
 }
 
@@ -839,7 +840,8 @@ _ger_generate_template_entry (
 	char *object = NULL;
 	char *superior = NULL;
 	char *p = NULL;
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
 	char *dntype = NULL;
 	int siz = 0;
 	int len = 0;
@@ -856,8 +858,6 @@ _ger_generate_template_entry (
 		rc = LDAP_SUCCESS;
 		goto bailout;
 	}
-	/* get the target dn where the template entry is located */
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
 	for (i = 0; gerattrs && gerattrs[i]; i++)
 	{
 		object = strchr(gerattrs[i], '@');
@@ -907,6 +907,9 @@ _ger_generate_template_entry (
 			siz += strlen(attrs[i]) + 4 + 20;
 		}
 	}
+	/* get the target dn where the template entry is located */
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 	if (dn)
 	{
 		/* dn: <attr>=<template_name>,<dn>\n\0 */
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index e08c70c..0fcd163 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -671,19 +671,17 @@ DS_LASUserDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 					break;
 				}
 				if (rc == ACL_ERR) {
-			   		slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
-			    			"DS_LASUserDnEval:Error in matching patteren(%s)\n",
-			     			user);
+					slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
+							"DS_LASUserDnEval:Error in matching patteren(%s)\n",
+							user);
 				}
 				slapi_filter_free(f,1);
 			} else {
 				/* Must be a simple dn then */
-				char *normed = NULL;
-				size_t dnlen = 0;
-				rc = slapi_dn_normalize_ext(user, 0, &normed, &dnlen);
-				if (rc == 0) { /* user passed in; not terminated */
-					*(normed + dnlen) = '\0';
-				} else if (rc < 0) { /* normalization failed, user the original */
+				char *normed = slapi_create_dn_string("%s", user);
+				if (NULL == normed) {
+					slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+						"DS_LASUserDnEval:Error in normalizing dn(%s)\n", user);
 					normed = user;
 				}
 				rc = slapi_utf8casecmp((ACLUCHP)lasinfo.clientDn, (ACLUCHP)normed);
@@ -2375,7 +2373,7 @@ static int
 acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
 {
 	struct eval_info	*info;
- 	Slapi_Attr		*currAttr, *nextAttr;
+	Slapi_Attr		*currAttr, *nextAttr;
 	char			*n_dn = NULL, *attrType;
 	int				n;
 	int				i;
@@ -2383,7 +2381,7 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
 	info = (struct eval_info *) callback_data;
 	info->result = ACL_FALSE;
  
- 	if (e == NULL) {
+	if (e == NULL) {
 		return 0;
 	}
 
@@ -2397,14 +2395,14 @@ acllas__handle_group_entry (Slapi_Entry* e, void *callback_data)
 		Slapi_Value *sval = NULL;
 		const struct berval		*attrVal;
 
- 		if ((strcasecmp (attrType, type_member) == 0) ||
- 				(strcasecmp (attrType, type_uniquemember) == 0 ))  {
+		if ((strcasecmp (attrType, type_member) == 0) ||
+		    (strcasecmp (attrType, type_uniquemember) == 0 ))  {
 
 			i = slapi_attr_first_value ( currAttr,&sval );
 			while ( i != -1 ) {
 				struct member_info	*groupMember = NULL;
 				attrVal = slapi_value_get_berval ( sval );
-				n_dn = slapi_create_dn_string( attrVal->bv_val );
+				n_dn = slapi_create_dn_string( "%s", attrVal->bv_val );
 				if (NULL == n_dn) {
 					slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
 						"acllas__handle_group_entry: Invalid syntax: %s\n",
@@ -3598,9 +3596,9 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
 	}
 	/* else - rawdn normalized in place */
 	normed = slapi_ch_smprintf("%s%s%s%s%s", 
-			 (prefix_len==LDAP_URL_prefix_len)?
-			  LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
-							   hostport?hostport:"", dn, p?"?":"",p?p+1:"");
+	                           (prefix_len==LDAP_URL_prefix_len)?
+	                           LDAP_URL_prefix_core:LDAPS_URL_prefix_core,
+	                           hostport?hostport:"", dn, p?"?":"",p?p+1:"");
 	if (p) {
 		*p = Q; /* put the Q back in rawdn which will un-null terminate the DN part */
 	}
diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
index b95baac..c3ce351 100644
--- a/ldap/servers/plugins/acl/acllist.c
+++ b/ldap/servers/plugins/acl/acllist.c
@@ -597,7 +597,7 @@ static void free_targetattrfilters( Targetattrfilter ***attrFilterArray) {
 
 /* SEARCH */
 void
-acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
+acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
 {
 	Acl_PBlock			*aclpb;
 	int					i;
@@ -625,7 +625,7 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
 
 	/* If base is NULL - it means we are going to go thru all the ACLs
 	 * This is needed when we do anonymous profile generation.
- 	 */
+	 */
 	if ( NULL == base ) {
 		return;
 	}
@@ -638,22 +638,28 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
 	index = 0;
 	aclpb->aclpb_search_base = slapi_ch_strdup ( base );
 
-	while (basedn ) {
+	while (basedn) {
 		char		*tmp = NULL;
 		
-		slapi_sdn_set_ndn_byref ( aclpb->aclpb_aclContainer->acic_sdn, basedn );
+		slapi_sdn_set_normdn_byref(aclpb->aclpb_aclContainer->acic_sdn, basedn);
 
-		root = (AciContainer *) avl_find( acllistRoot, 
-									(caddr_t) aclpb->aclpb_aclContainer, 
-									(IFP) __acllist_aciContainer_node_cmp);
+		root = (AciContainer *) avl_find(acllistRoot, 
+		                                 (caddr_t) aclpb->aclpb_aclContainer, 
+		                                 (IFP) __acllist_aciContainer_node_cmp);
 		if ( index >= ACLPB_MAX_SELECTED_ACLS -2 ) {
 			aclpb->aclpb_handles_index[0] = -1;
 			slapi_ch_free ( (void **) &basedn);
 			break;
-		} else  if ( NULL != root ) {
+		} else if ( NULL != root ) {
 			aclpb->aclpb_base_handles_index[index++] = root->acic_index;
 			aclpb->aclpb_base_handles_index[index] = -1;
-		} 
+		} else if ( NULL == root ) {
+			/* slapi_dn_parent returns the "parent" dn syntactically.
+			 * Most likely, basedn is above suffix (e.g., dn=com).
+			 * Thus, no need to make it FATAL. */
+			slapi_log_error ( SLAPI_LOG_ACL, plugin_name, 
+			                  "Failed to find root for base: %s \n", basedn );
+		}
 		tmp = slapi_dn_parent ( basedn );
 		slapi_ch_free ( (void **) &basedn);
 		basedn = tmp;
@@ -679,11 +685,12 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, char *base)
  * the given operation.
 */
 
+/* edn is normalized & case-ignored */
 void 
 acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
 {
 
-	int		i, index = 0;
+	int		index = 0;
 	char		*basedn = NULL;
 	AciContainer	*root;
 	int is_not_search_base = 1;
@@ -700,15 +707,13 @@ acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
 	 * This stuff is only used if it's a search operation.
 	 */
 	if ( aclpb->aclpb_search_base ) {
-	 	while ( aclpb->aclpb_base_handles_index[index] != -1 &&
-				index < ACLPB_MAX_SELECTED_ACLS -2 ) {
-			aclpb->aclpb_handles_index[index] = 
-				aclpb->aclpb_base_handles_index[index];
-			index++;
-		}
 		if ( strcasecmp ( edn, aclpb->aclpb_search_base) == 0) {
 			is_not_search_base = 0;
 		}
+		for (index = 0; (aclpb->aclpb_base_handles_index[index] != -1) && 
+		                (index < ACLPB_MAX_SELECTED_ACLS - 2); index++) ;
+		memcpy(aclpb->aclpb_handles_index, aclpb->aclpb_base_handles_index,
+		       sizeof(int) * index);
 	}
 	aclpb->aclpb_handles_index[index] = -1;
 
@@ -760,11 +765,6 @@ acllist_aciscan_update_scan (  Acl_PBlock *aclpb, char *edn )
 	}
 
 	acllist_done_aciContainer ( aclpb->aclpb_aclContainer );
-	i = 0;
-	while ( i < ACLPB_MAX_SELECTED_ACLS && aclpb->aclpb_handles_index[i]  != -1 ) {
-		i++;
-	}
-
 }
 
 aci_t *
@@ -889,6 +889,7 @@ acllist_acicache_WRITE_LOCK( )
 }
 
 /* This routine must be called with the acicache write lock taken */
+/* newdn is normalized & case-ignored */
 int
 acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn )
 {
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index a137db9..a0e950f 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -533,8 +533,7 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
 {
 	char *p = NULL;
 	int rc = -1; 
-	char *dn = NULL;
-	size_t dnlen = 0;
+	const char *dn = NULL;
 
 	p = PL_strnstr(src, LDAP_URL_prefix, endsrc - src);
 	if (p) {
@@ -553,6 +552,8 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
 	rc = 0;
 	if (p && strlen(p) > 0) {
 		size_t len = 0;
+		Slapi_DN sdn = {0};
+		char bak;
 		/* strip the string starting from ? */
 		char *q = PL_strnchr(p, '?', endsrc - p);
 		if (q) {
@@ -560,18 +561,17 @@ __aclp__copy_normalized_str (char *src, char *endsrc, char *start,
 		} else {
 			len = endsrc - p;
 		}
+		bak = *(p + len);
+		*(p + len) = '\0';
 		/* Normalize the value of userdn and append it to ret_str */
-		rc = slapi_dn_normalize_ext(p, len, &dn, &dnlen);
-		if (rc < 0) {
-			return rc;
-		}
+		slapi_sdn_init_dn_byref(&sdn, p);
+		dn = slapi_sdn_get_dn(&sdn);
 		/* append up to ldap(s):/// */
 		aclutil_str_append_ext(dest, destlen, start, p - start);
 		/* append the DN part */
-		aclutil_str_append_ext(dest, destlen, dn, dnlen);
-		if (rc > 0) { /* if rc == 0, p is passed in */
-			slapi_ch_free_string(&dn);
-		}
+		aclutil_str_append_ext(dest, destlen, dn, strlen(dn));
+		slapi_sdn_done(&sdn);
+		*(p + len) = bak;
 		if (q) {
 			/* append the rest from '?' */
 			aclutil_str_append_ext(dest, destlen, q, endsrc - q);
diff --git a/ldap/servers/plugins/acl/aclplugin.c b/ldap/servers/plugins/acl/aclplugin.c
index 66ef707..ecd1e11 100644
--- a/ldap/servers/plugins/acl/aclplugin.c
+++ b/ldap/servers/plugins/acl/aclplugin.c
@@ -135,7 +135,8 @@ static int
 aclplugin_preop_search ( Slapi_PBlock *pb )
 {
 	int 		scope;
-	char		*base = NULL;
+	const char	*base = NULL;
+	Slapi_DN	*sdn = NULL;
 	int			optype;
 	int			isRoot;
 	int			rc = 0;
@@ -151,7 +152,8 @@ aclplugin_preop_search ( Slapi_PBlock *pb )
 		return rc;
 	}
 
-	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &sdn );
+	base = slapi_sdn_get_dn(sdn);
 	/* For anonymous client  doing search nothing needs to be set up */
 	if ( optype == SLAPI_OPERATION_SEARCH && aclanom_is_client_anonymous ( pb )  &&
 			! slapi_dn_issuffix( base, "cn=monitor") ) {
@@ -244,7 +246,7 @@ aclplugin_preop_common( Slapi_PBlock *pb )
 		slapi_log_error( SLAPI_LOG_ACL, plugin_name,
 				"proxied authorization dn is (%s)\n", proxy_dn );
 		acl_init_aclpb ( pb, aclpb, proxy_dn, 1 );
-		aclpb = acl_new_proxy_aclpb (pb );
+		aclpb = acl_new_proxy_aclpb ( pb );
 		acl_init_aclpb ( pb, aclpb, dn, 0 );
 		slapi_ch_free ( (void **) &proxy_dn );
 		
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index 2e1d496..125f4be 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -92,10 +92,10 @@ static void automember_free_config_entry(struct configEntry ** entry);
 /*
  * helpers
  */
-static char *automember_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *automember_get_sdn(Slapi_PBlock *pb);
 static Slapi_DN *automember_get_config_area();
 static void automember_set_config_area(Slapi_DN *sdn);
-static int automember_dn_is_config(char *dn);
+static int automember_dn_is_config(Slapi_DN *sdn);
 static int automember_oktodo(Slapi_PBlock *pb);
 static int automember_isrepl(Slapi_PBlock *pb);
 static void automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e);
@@ -275,7 +275,7 @@ automember_postop_init(Slapi_PBlock *pb)
 static int
 automember_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
     char *config_area = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -298,14 +298,14 @@ automember_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == strlen(slapi_sdn_get_dn(plugindn))) {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_start: unable to retrieve plugin dn\n");
         return -1;
     }
 
-    automember_set_plugin_sdn(slapi_sdn_new_dn_byref(plugindn));
+    automember_set_plugin_sdn(slapi_sdn_dup(plugindn));
 
     /* Set the alternate config area if one is defined. */
     slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
@@ -804,28 +804,19 @@ automember_delete_config()
     return;
 }
 
-
-/*
- * Helper functions
- */
-static char *
-automember_get_dn(Slapi_PBlock * pb)
+static Slapi_DN *
+automember_get_sdn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                    "--> automember_get_dn\n");
+                    "--> automember_get_sdn\n");
 
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
-        slapi_log_error(SLAPI_LOG_FATAL, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                        "automember_get_dn: failed to get dn of changed entry");
-        goto bail;
-    }
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
 
-  bail:
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
-                    "<-- automember_get_dn\n");
+                    "<-- automember_get_sdn\n");
 
-    return dn;
+    return sdn;
 }
 
 void
@@ -846,20 +837,17 @@ automember_get_config_area()
  * Checks if dn is an auto membership config entry.
  */
 static int
-automember_dn_is_config(char *dn)
+automember_dn_is_config(Slapi_DN *sdn)
 {
     int ret = 0;
-    Slapi_DN *sdn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_dn_is_config\n");
 
-    if (dn == NULL) {
+    if (sdn == NULL) {
         goto bail;
     }
 
-    sdn = slapi_sdn_new_dn_byref(dn);
-
     /* If an alternate config area is configured, treat it's child
      * entries as config entries.  If the alternate config area is
      * not configured, treat children of the top-level plug-in
@@ -877,7 +865,6 @@ automember_dn_is_config(char *dn)
     }
 
 bail:
-    slapi_sdn_free(&sdn);
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "<-- automember_dn_is_config\n");
 
@@ -1579,7 +1566,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
 static int
 automember_pre_op(Slapi_PBlock * pb, int modop)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     Slapi_Entry *e = 0;
     Slapi_Mods *smods = 0;
     LDAPMod **mods;
@@ -1594,10 +1581,10 @@ automember_pre_op(Slapi_PBlock * pb, int modop)
     if (!g_plugin_started)
         goto bail;
 
-    if (0 == (dn = automember_get_dn(pb)))
+    if (0 == (sdn = automember_get_sdn(pb)))
         goto bail;
 
-    if (automember_dn_is_config(dn)) {
+    if (automember_dn_is_config(sdn)) {
         /* Validate config changes, but don't apply them.
          * This allows us to reject invalid config changes
          * here at the pre-op stage.  Applying the config
@@ -1609,10 +1596,8 @@ automember_pre_op(Slapi_PBlock * pb, int modop)
         } else if (LDAP_CHANGETYPE_MODIFY == modop) {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
-            if (tmp_dn) {
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, automember_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+            if (sdn) {
+                slapi_search_internal_get_entry(sdn, 0, &e, automember_get_plugin_id());
                 free_entry = 1;
             }
 
@@ -1692,7 +1677,7 @@ automember_mod_pre_op(Slapi_PBlock * pb)
 static int
 automember_mod_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_mod_post_op\n");
@@ -1702,9 +1687,9 @@ automember_mod_post_op(Slapi_PBlock *pb)
         goto bail;
     }
 
-    if (automember_oktodo(pb) && (dn = automember_get_dn(pb))) {
+    if (automember_oktodo(pb) && (sdn = automember_get_sdn(pb))) {
         /* Check if the config is being modified and reload if so. */
-        if (automember_dn_is_config(dn)) {
+        if (automember_dn_is_config(sdn)) {
             automember_load_config();
         }
     }
@@ -1720,7 +1705,7 @@ static int
 automember_add_post_op(Slapi_PBlock *pb)
 {
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     struct configEntry *config = NULL;
     PRCList *list = NULL;
 
@@ -1732,14 +1717,15 @@ automember_add_post_op(Slapi_PBlock *pb)
         return 0;
 
     /* Reload config if a config entry was added. */
-    if ((dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(dn)) {
+    if ((sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(sdn)) {
             automember_load_config();
         }
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_add_post_op: Error "
                         "retrieving dn\n");
+        goto bail;
     }
 
     /* If replication, just bail. */
@@ -1777,7 +1763,7 @@ automember_add_post_op(Slapi_PBlock *pb)
                 config = (struct configEntry *)list;
 
                 /* Does the entry meet scope and filter requirements? */
-                if (slapi_dn_issuffix(dn, config->scope) &&
+                if (slapi_dn_issuffix(slapi_sdn_get_dn(sdn), config->scope) &&
                     (slapi_filter_test_simple(e, config->filter) == 0)) {
                     /* Find out what membership changes are needed and make them. */
                     automember_update_membership(config, e);
@@ -1791,9 +1777,9 @@ automember_add_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_add_post_op: Error "
-                        "retrieving post-op entry %s\n", dn);
+                        "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
-
+bail:
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "<-- automember_add_post_op\n");
 
@@ -1808,7 +1794,7 @@ automember_add_post_op(Slapi_PBlock *pb)
 static int
 automember_del_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                     "--> automember_del_post_op\n");
@@ -1819,8 +1805,8 @@ automember_del_post_op(Slapi_PBlock *pb)
     }
 
     /* Reload config if a config entry was deleted. */
-    if ((dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(dn))
+    if ((sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(sdn))
             automember_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -1843,8 +1829,8 @@ automember_del_post_op(Slapi_PBlock *pb)
 static int
 automember_modrdn_post_op(Slapi_PBlock *pb)
 {
-    char *old_dn = NULL;
-    char *new_dn = NULL;
+    Slapi_DN *old_sdn = NULL;
+    Slapi_DN *new_sdn = NULL;
     Slapi_Entry *post_e = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -1859,7 +1845,7 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
      * config entries. */
     slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &post_e);
     if (post_e) {
-        new_dn = slapi_entry_get_ndn(post_e);
+        new_sdn = slapi_entry_get_sdn(post_e);
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
                         "automember_modrdn_post_op: Error "
@@ -1867,8 +1853,8 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
         return 0;
     }
 
-    if ((old_dn = automember_get_dn(pb))) {
-        if (automember_dn_is_config(old_dn) || automember_dn_is_config(new_dn))
+    if ((old_sdn = automember_get_sdn(pb))) {
+        if (automember_dn_is_config(old_sdn) || automember_dn_is_config(new_sdn))
             automember_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/chainingdb/cb_add.c b/ldap/servers/plugins/chainingdb/cb_add.c
index 501865a..116ac92 100644
--- a/ldap/servers/plugins/chainingdb/cb_add.c
+++ b/ldap/servers/plugins/chainingdb/cb_add.c
@@ -65,41 +65,44 @@ chaining_back_add ( Slapi_PBlock *pb )
 	char         		**referrals=NULL;
 	LDAPMod			** mods;
 	LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	char 			* matched_msg, *error_msg;
+	const char		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
 	char			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
 	cb_outgoing_conn	*cnx;
 	
 	if ( (rc=cb_forward_operation(pb)) != LDAP_SUCCESS ) {
-               	cb_send_ldap_result( pb, rc, NULL, "Remote data access disabled", 0, NULL );
+		cb_send_ldap_result( pb, rc, NULL, "Remote data access disabled", 0, NULL );
 		return -1;
 	}
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
 	cb = cb_get_instance(be);
 
 	/* Update monitor info */
 	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_ADD);
 
 	/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
 	  return -1;
-        }
+	}
 
+	slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e );
 
- 	slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e );
+	dn = slapi_sdn_get_dn(sdn);
 
 	/* Check local access controls */
 	if (cb->local_acl && !cb->associated_be_is_disabled) {
 		char * errbuf=NULL;
-        	rc = cb_access_allowed (pb, e, NULL, NULL, SLAPI_ACL_ADD, &errbuf);
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                	slapi_ch_free((void **)&errbuf);
+		rc = cb_access_allowed (pb, e, NULL, NULL, SLAPI_ACL_ADD, &errbuf);
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
 			return -1;
 		}
-        }
+	}
 
 	/* Build LDAPMod from the SLapi_Entry */
 	cb_eliminate_illegal_attributes(cb,e);
diff --git a/ldap/servers/plugins/chainingdb/cb_bind.c b/ldap/servers/plugins/chainingdb/cb_bind.c
index 0d46b7a..edc45f3 100644
--- a/ldap/servers/plugins/chainingdb/cb_bind.c
+++ b/ldap/servers/plugins/chainingdb/cb_bind.c
@@ -47,10 +47,11 @@ cb_free_bervals( struct berval **bvs );
 
 
 static int
-cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
-        struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp , int * status);
+cb_sasl_bind_once_s( cb_conn_pool *pool, const char *dn, int method, 
+                     char * mechanism, struct berval *creds, 
+                     LDAPControl **reqctrls, char **matcheddnp, 
+                     char **errmsgp, struct berval ***refurlsp,
+                     LDAPControl ***resctrlsp , int * status);
 
 /*
  * Attempt to chain a bind request off to "srvr." We return an LDAP error
@@ -67,17 +68,18 @@ cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
 
 static int
 cb_sasl_bind_s(Slapi_PBlock * pb, cb_conn_pool *pool, int tries,
-        char *dn, int method,char * mechanism, struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp ,int *status) {
-
+               const char *dn, int method,char * mechanism, 
+               struct berval *creds, LDAPControl **reqctrls,
+               char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
+               LDAPControl ***resctrlsp ,int *status)
+{
     int         rc;
  
     do {
          /* check to see if operation has been abandoned...*/
 
-	if (LDAP_AUTH_SIMPLE!=method)
-		return LDAP_AUTH_METHOD_NOT_SUPPORTED;
+    if (LDAP_AUTH_SIMPLE!=method)
+        return LDAP_AUTH_METHOD_NOT_SUPPORTED;
 
         if ( slapi_op_abandoned( pb )) {
             rc = LDAP_USER_CANCELLED;
@@ -91,10 +93,11 @@ cb_sasl_bind_s(Slapi_PBlock * pb, cb_conn_pool *pool, int tries,
 }
 
 static int
-cb_sasl_bind_once_s( cb_conn_pool *pool, char *dn, int method, char * mechanism,
-        struct berval *creds, LDAPControl **reqctrls,
-        char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
-        LDAPControl ***resctrlsp , int * status )
+cb_sasl_bind_once_s( cb_conn_pool *pool, const char *dn, int method, 
+                     char * mechanism, struct berval *creds, 
+                     LDAPControl **reqctrls, char **matcheddnp, 
+                     char **errmsgp, struct berval ***refurlsp,
+                     LDAPControl ***resctrlsp , int * status )
 {
     int                 rc, msgid;
     char                **referrals;
@@ -225,18 +228,20 @@ release_and_return:
 }
 
 int
-chainingdb_bind( Slapi_PBlock *pb ) {
+chainingdb_bind( Slapi_PBlock *pb )
+{
 
 	int 			status=LDAP_SUCCESS;
 	int 			allocated_errmsg;
 	int 			rc=LDAP_SUCCESS;
 	cb_backend_instance 	*cb;
 	Slapi_Backend		*be;
-	char                    *dn;
-        int                     method;
-        struct berval           *creds, **urls;
+	const char      *dn = NULL;
+	Slapi_DN        *sdn = NULL;
+	int                     method;
+	struct berval           *creds, **urls;
 	char 			*matcheddn,*errmsg;
-    	LDAPControl         	**reqctrls, **resctrls, **ctrls;
+	LDAPControl         	**reqctrls, **resctrls, **ctrls;
 	char 			* mechanism;
 	int 			freectrls=1;
 	int 			bind_retry;
@@ -258,16 +263,18 @@ chainingdb_bind( Slapi_PBlock *pb ) {
 	if (ctrls)
 		ldap_controls_free(ctrls);
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-        slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method );
 	slapi_pblock_get( pb, SLAPI_BIND_SASLMECHANISM, &mechanism);
-        slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds );
-        slapi_pblock_get( pb, SLAPI_REQCONTROLS, &reqctrls );
-        cb = cb_get_instance(be);
+	slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds );
+	slapi_pblock_get( pb, SLAPI_REQCONTROLS, &reqctrls );
+	cb = cb_get_instance(be);
 
-	if ( NULL == dn ) 
-		dn="";
+	if ( NULL == sdn ) {
+		sdn = slapi_sdn_new_ndn_byval("");
+	}
+	dn = slapi_sdn_get_ndn(sdn);
 
         /* always allow noauth simple binds */
         if (( method == LDAP_AUTH_SIMPLE) && creds->bv_len == 0 ) {
diff --git a/ldap/servers/plugins/chainingdb/cb_compare.c b/ldap/servers/plugins/chainingdb/cb_compare.c
index ccbc175..512ce75 100644
--- a/ldap/servers/plugins/chainingdb/cb_compare.c
+++ b/ldap/servers/plugins/chainingdb/cb_compare.c
@@ -63,29 +63,33 @@ chaining_back_compare ( Slapi_PBlock *pb )
 	LDAP 			*ld=NULL;
 	char         		**referrals=NULL;
 	LDAPMessage		* res;
-	char 			*type,*dn,* matched_msg, *error_msg;
+	char 			*type, *matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL; 
 	char 			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
 	cb_outgoing_conn	*cnx;
 
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-        	cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
 	cb = cb_get_instance(be);
 
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_COMPARE);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_COMPARE);
 
 	/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
+
+	slapi_pblock_get( pb, SLAPI_COMPARE_TARGET_SDN, &sdn );
+	slapi_pblock_get( pb, SLAPI_COMPARE_TYPE, &type );
+	slapi_pblock_get( pb, SLAPI_COMPARE_VALUE, &bval );
 
-        slapi_pblock_get( pb, SLAPI_COMPARE_TARGET, &dn );
-        slapi_pblock_get( pb, SLAPI_COMPARE_TYPE, &type );
-        slapi_pblock_get( pb, SLAPI_COMPARE_VALUE, &bval );
+	dn = slapi_sdn_get_dn(sdn);
 
 	/* 
 	 * Check local acls
@@ -96,17 +100,17 @@ chaining_back_compare ( Slapi_PBlock *pb )
 
 	if (checkacl) {
 		char * errbuf=NULL;
-          	Slapi_Entry *te = slapi_entry_alloc();
-          	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-          	rc = cb_access_allowed (pb, te, type, bval, SLAPI_ACL_COMPARE,&errbuf);
-          	slapi_entry_free(te);
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_dn(te, slapi_ch_strdup(dn)); /* dn: passin */
+		rc = cb_access_allowed (pb, te, type, bval, SLAPI_ACL_COMPARE,&errbuf);
+		slapi_entry_free(te);
 
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
 			slapi_ch_free((void **) &errbuf);
 			return 1;
 		}
-        }
+	}
 
 	/*
 	 * Grab a connection handle
diff --git a/ldap/servers/plugins/chainingdb/cb_controls.c b/ldap/servers/plugins/chainingdb/cb_controls.c
index da2d283..f079901 100644
--- a/ldap/servers/plugins/chainingdb/cb_controls.c
+++ b/ldap/servers/plugins/chainingdb/cb_controls.c
@@ -201,9 +201,9 @@ int cb_update_controls( Slapi_PBlock * pb,
                 char * requestorCopy=NULL;
 
                 rootdn=cb_get_rootdn();
-                slapi_pblock_get( pb, SLAPI_REQUESTOR_DN, &requestor );
-                requestorCopy=slapi_ch_strdup(requestor);
-                slapi_dn_normalize_case(requestorCopy);
+                slapi_pblock_get( pb, SLAPI_REQUESTOR_NDN, &requestor );
+                requestorCopy = slapi_ch_strdup(requestor);
+                slapi_dn_ignore_case(requestorCopy);
 
                 if (!strcmp( requestorCopy, rootdn )) {    /* UTF8- aware */
                     slapi_log_error( SLAPI_LOG_PLUGIN,CB_PLUGIN_SUBSYSTEM,
diff --git a/ldap/servers/plugins/chainingdb/cb_delete.c b/ldap/servers/plugins/chainingdb/cb_delete.c
index 992f606..72b5e25 100644
--- a/ldap/servers/plugins/chainingdb/cb_delete.c
+++ b/ldap/servers/plugins/chainingdb/cb_delete.c
@@ -62,27 +62,30 @@ chaining_back_delete ( Slapi_PBlock *pb )
 	LDAP 			*ld=NULL;
 	char         		**referrals=NULL;
 	LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
+	char 			*matched_msg, *error_msg;
 	char			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
 	cb_outgoing_conn	*cnx;
 
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-                cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
 	cb = cb_get_instance(be);
 
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_DELETE);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_DELETE);
 
 	/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
 
- 	slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 
 	/* 
 	 * Check local acls
@@ -90,17 +93,17 @@ chaining_back_delete ( Slapi_PBlock *pb )
 
 	if (cb->local_acl && !cb->associated_be_is_disabled) {
 		char * errbuf=NULL;
-          	Slapi_Entry *te = slapi_entry_alloc();
-	  	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-       	  	rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_DELETE,&errbuf);
-	  	slapi_entry_free(te);
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_dn(te, slapi_ch_strdup(dn)); /* dn: passin */
+		rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_DELETE,&errbuf);
+		slapi_entry_free(te);
 
-   		if ( rc != LDAP_SUCCESS ) {
-                	cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                	slapi_ch_free((void **)&errbuf);
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
 			return -1;
 		}
-        }
+	}
 
 	/*
 	 * Grab a connection handle
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index 145d5a3..9a33916 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -850,9 +850,9 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
 
 	if (apply) {
 
-	        slapi_rwlock_wrlock(inst->rwl_config_lock);
+		slapi_rwlock_wrlock(inst->rwl_config_lock);
 		if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
-	    		( phase != CB_CONFIG_PHASE_STARTUP )) {
+		    ( phase != CB_CONFIG_PHASE_STARTUP )) {
 
 			/* Dynamic modif   */
 			/* Free user later */
@@ -862,10 +862,11 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
 			rc=CB_REOPEN_CONN;
 		}
 
-		inst->pool->binddn=slapi_ch_strdup((char *) value);
+		/* normalize and ignore the case */
+		inst->pool->binddn = slapi_create_dn_string_case("%s", (char *)value);
+		/* not normalized */
 		inst->pool->binddn2=slapi_ch_strdup((char *) value);
-		slapi_dn_normalize_case(inst->pool->binddn);
-	        slapi_rwlock_unlock(inst->rwl_config_lock);
+		slapi_rwlock_unlock(inst->rwl_config_lock);
 	} else {
 
 		/* Security check */
@@ -877,19 +878,18 @@ static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int
 		char * theValueCopy = NULL;
 
 		if (value) {
-			theValueCopy=slapi_ch_strdup((char *) value);
-			slapi_dn_normalize_case(theValueCopy);
+			theValueCopy = slapi_create_dn_string_case("%s", (char *) value);
 		}
 
 		slapi_rwlock_rdlock(inst->rwl_config_lock);
-                if (inst->impersonate && theValueCopy && 
-                        !strcmp(theValueCopy,rootdn)) {	/* UTF8-aware. See cb_get_dn() */
-                        rc=LDAP_UNWILLING_TO_PERFORM; 
+		if (inst->impersonate && theValueCopy && 
+		    !strcmp(theValueCopy,rootdn)) {	/* UTF8-aware. See cb_get_dn() */
+			rc=LDAP_UNWILLING_TO_PERFORM; 
 			if (errorbuf) {
 				PR_snprintf(errorbuf,SLAPI_DSE_RETURNTEXT_SIZE, "value %s not allowed",rootdn);
 			}
-                }
-                slapi_rwlock_unlock(inst->rwl_config_lock);
+		}
+		slapi_rwlock_unlock(inst->rwl_config_lock);
 
 		slapi_ch_free((void **)&theValueCopy);
 		slapi_ch_free((void **)&rootdn);
diff --git a/ldap/servers/plugins/chainingdb/cb_modify.c b/ldap/servers/plugins/chainingdb/cb_modify.c
index fcfb310..e660e5c 100644
--- a/ldap/servers/plugins/chainingdb/cb_modify.c
+++ b/ldap/servers/plugins/chainingdb/cb_modify.c
@@ -65,51 +65,54 @@ chaining_back_modify ( Slapi_PBlock *pb )
 	char         		**referrals=NULL;
 	LDAPMod			** mods;
 	LDAPMessage		* res;
-	char 			*dn,* matched_msg, *error_msg;
+	const char 		*dn = NULL;
+	Slapi_DN		*sdn = NULL;
+	char 			*matched_msg, *error_msg;
 	char 			*cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
 	cb_outgoing_conn	*cnx;
 
-        if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
-                cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
-                return -1;
-        }
+	if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
+		cb_send_ldap_result( pb, rc, NULL, "Chaining forbidden", 0, NULL );
+		return -1;
+	}
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
 	cb = cb_get_instance(be);
 
-        cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODIFY);
+	cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODIFY);
 
 	/* Check wether the chaining BE is available or not */
-        if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
-                return -1;
-        }
+	if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
+		return -1;
+	}
 
- 	slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_MODIFY_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 
 	if (cb_debug_on()) {
-        	slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,"modify: target:<%s>\n",dn);
+		slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,"modify: target:<%s>\n",dn);
 	}
 
 
 	ctrls=serverctrls=NULL;
-        slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
-        slapi_pblock_get( pb, SLAPI_REQCONTROLS, &ctrls );
+	slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
+	slapi_pblock_get( pb, SLAPI_REQCONTROLS, &ctrls );
 
 	/* Check acls				*/
 	
 	if ( cb->local_acl && !cb->associated_be_is_disabled ) {
-                char * errbuf=NULL;
-                Slapi_Entry *te = slapi_entry_alloc();
-                slapi_entry_set_dn(te,slapi_ch_strdup(dn));
-       		rc = slapi_acl_check_mods( pb, te, mods, &errbuf);
-                slapi_entry_free(te);
-
-                if ( rc != LDAP_SUCCESS ) {
-                        cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
-                        slapi_ch_free((void **)&errbuf);
-                        return -1;
-                }
+		char * errbuf=NULL;
+		Slapi_Entry *te = slapi_entry_alloc();
+		slapi_entry_set_dn(te, slapi_ch_strdup(dn)); /* dn: passin */
+		rc = slapi_acl_check_mods( pb, te, mods, &errbuf);
+		slapi_entry_free(te);
+
+		if ( rc != LDAP_SUCCESS ) {
+			cb_send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
+			slapi_ch_free((void **)&errbuf);
+			return -1;
+		}
 	}
 
 
diff --git a/ldap/servers/plugins/chainingdb/cb_modrdn.c b/ldap/servers/plugins/chainingdb/cb_modrdn.c
index 2efff02..4707610 100644
--- a/ldap/servers/plugins/chainingdb/cb_modrdn.c
+++ b/ldap/servers/plugins/chainingdb/cb_modrdn.c
@@ -60,13 +60,16 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
 	LDAPControl 		**ctrls, **serverctrls;
 	int 			rc,parse_rc,msgid,i;
 	LDAP 			*ld=NULL;
-	char         		**referrals=NULL;
+	char			**referrals=NULL;
 	LDAPMessage		* res;
-	char 			* matched_msg, *error_msg,* pdn, *newdn, *dn;
+	char 			* matched_msg, *error_msg,* pdn, *newdn;
+	char 			*dn = NULL;
+	Slapi_DN		*sdn = NULL;
 	int 			deleteoldrdn=0;
-	char 			* newsuperior, *newrdn;
+	Slapi_DN 		*newsuperior;
+	char 			*newrdn;
 	char			* cnxerrbuf=NULL;
-   	time_t 			endtime;
+	time_t 			endtime;
 	cb_outgoing_conn	* cnx;
 
         if ( LDAP_SUCCESS != (rc=cb_forward_operation(pb) )) {
@@ -75,26 +78,29 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
         }
 
         slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-	cb = cb_get_instance(be);
+        cb = cb_get_instance(be);
 
         cb_update_monitor_info(pb,cb,SLAPI_OPERATION_MODRDN);
 
-	/* Check wether the chaining BE is available or not */
+        /* Check wether the chaining BE is available or not */
         if ( cb_check_availability( cb, pb ) == FARMSERVER_UNAVAILABLE ){
                 return -1;
         }
 
-	newsuperior=newdn=newrdn=dn=NULL;
-  	slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn );
+        newsuperior = NULL; 
+        newdn = newrdn = dn = NULL;
+        slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
         slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
         slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior );
         slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &deleteoldrdn );
 
-	/*
-	 * Construct the new dn
-	 */
+        dn = (char *)slapi_sdn_get_dn(sdn);
 
-	dn = slapi_dn_normalize_case(dn);
+        /*
+         * Construct the new dn
+         */
+        /* dn is normalized; just ignore the case */
+        dn = slapi_dn_ignore_case(dn);
         if ( (pdn = slapi_dn_parent( dn )) != NULL ) {
                 /* parent + rdn + separator(s) + null */
                 newdn = (char *) slapi_ch_malloc( strlen( pdn ) + strlen( newrdn ) + 3 );
@@ -102,7 +108,7 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
                 strcat( newdn, "," );
                 strcat( newdn, pdn );
 
-        	slapi_ch_free((void **)&pdn );
+                slapi_ch_free((void **)&pdn );
 
         } else {
                 newdn = slapi_ch_strdup( newrdn );
@@ -125,7 +131,7 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
 
 		char * errbuf=NULL;
           	Slapi_Entry *te = slapi_entry_alloc();
-          	slapi_entry_set_dn(te,slapi_ch_strdup(dn));
+          	slapi_entry_set_dn(te,slapi_ch_strdup(dn)); /* dn: passin */
        	  	rc = cb_access_allowed (pb, te, NULL, NULL, SLAPI_ACL_WRITE,&errbuf);
           	slapi_entry_free(te);
 
@@ -183,7 +189,8 @@ chaining_back_modrdn ( Slapi_PBlock *pb )
 	 * Send LDAP operation to the remote host
 	 */
 
-	rc = ldap_rename ( ld,dn,newrdn,newsuperior,deleteoldrdn,ctrls,NULL,&msgid);
+	rc = ldap_rename ( ld, dn, newrdn, slapi_sdn_get_dn(newsuperior),
+	                   deleteoldrdn, ctrls, NULL, &msgid );
 
 	if ( NULL != ctrls)
                 ldap_controls_free(ctrls);
diff --git a/ldap/servers/plugins/chainingdb/cb_search.c b/ldap/servers/plugins/chainingdb/cb_search.c
index a16ed4c..763de4b 100644
--- a/ldap/servers/plugins/chainingdb/cb_search.c
+++ b/ldap/servers/plugins/chainingdb/cb_search.c
@@ -58,41 +58,45 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
 
 	Slapi_Backend		* be;
 	Slapi_Operation		* op;
-	char 			*target, *filter;
+	char 			*filter;
+	const char		*target = NULL;
+	Slapi_DN		*target_sdn = NULL;
 	int			scope,attrsonly,sizelimit,timelimit,rc,searchreferral;
 	char 			**attrs=NULL;
 	LDAPControl 		**controls=NULL;		
 	LDAPControl 		**ctrls=NULL;		
-        LDAP                    *ld=NULL;
-	cb_backend_instance 	*cb = NULL;
+	LDAP				*ld=NULL;
+	cb_backend_instance	*cb = NULL;
 	cb_searchContext 	*ctx=NULL;
 	struct timeval		timeout;
 	time_t			optime;
 	int 			doit,parse_rc;
- 	LDAPMessage 		*res=NULL;
-        char                    *matched_msg,*error_msg;
-        LDAPControl             **serverctrls=NULL;
-        char                    **referrals=NULL;
+	LDAPMessage 		*res=NULL;
+	char                    *matched_msg,*error_msg;
+	LDAPControl             **serverctrls=NULL;
+	char                    **referrals=NULL;
 	char			*cnxerrbuf=NULL;
 	time_t 			endbefore=0;
 	time_t			endtime;
 	cb_outgoing_conn	*cnx;
 
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
 	cb = cb_get_instance(be);
 
-        slapi_pblock_get( pb, SLAPI_OPERATION, &op );
-        slapi_pblock_get( pb, SLAPI_SEARCH_STRFILTER, &filter );
-        slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
-        slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &target );
+	slapi_pblock_get( pb, SLAPI_OPERATION, &op );
+	slapi_pblock_get( pb, SLAPI_SEARCH_STRFILTER, &filter );
+	slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
+	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &target_sdn );
 
-        if ( LDAP_SUCCESS != (parse_rc=cb_forward_operation(pb) )) {
+	target = slapi_sdn_get_dn(target_sdn);
+
+	if ( LDAP_SUCCESS != (parse_rc=cb_forward_operation(pb) )) {
 
 		/* Don't return errors */
 
 		if (cb_debug_on()) {
-        		slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+			slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
 			"local search: base:<%s> scope:<%s> filter:<%s>\n",target,
 			scope==LDAP_SCOPE_SUBTREE?"SUBTREE":scope==LDAP_SCOPE_ONELEVEL ? "ONE-LEVEL" : "BASE" , filter);
 		}
@@ -135,28 +139,28 @@ chainingdb_build_candidate_list ( Slapi_PBlock *pb )
 
 	if (( scope != LDAP_SCOPE_BASE ) && ( searchreferral )) {
 
-		int 			i;
-                struct  berval          bv,*bvals[2];
-                Slapi_Entry 		** aciArray=(Slapi_Entry **) slapi_ch_malloc(2*sizeof(Slapi_Entry *));
-		Slapi_Entry 		*anEntry = slapi_entry_alloc();
+		int i;
+		struct berval bv,*bvals[2];
+		Slapi_Entry ** aciArray=(Slapi_Entry **) slapi_ch_malloc(2*sizeof(Slapi_Entry *));
+		Slapi_Entry *anEntry = slapi_entry_alloc();
 
-                slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
+		slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
 
-                bvals[1]=NULL;
-                bvals[0]=&bv;
-                bv.bv_val="referral";
+		bvals[1]=NULL;
+		bvals[0]=&bv;
+		bv.bv_val="referral";
 		bv.bv_len=strlen(bv.bv_val);
-                slapi_entry_add_values( anEntry, "objectclass", bvals);
+		slapi_entry_add_values( anEntry, "objectclass", bvals);
 
-        	slapi_rwlock_rdlock(cb->rwl_config_lock);
+		slapi_rwlock_rdlock(cb->rwl_config_lock);
 		for (i=0; cb->url_array && cb->url_array[i]; i++) {
 			char * anUrl = slapi_ch_smprintf("%s%s",cb->url_array[i],target);
-                	bv.bv_val=anUrl;
+			                                 bv.bv_val=anUrl;
 			bv.bv_len=strlen(bv.bv_val);
-                	slapi_entry_attr_merge( anEntry, "ref", bvals);
+			slapi_entry_attr_merge( anEntry, "ref", bvals);
 			slapi_ch_free((void **)&anUrl);
 		}
-        	slapi_rwlock_unlock(cb->rwl_config_lock);
+		slapi_rwlock_unlock(cb->rwl_config_lock);
 		
 		aciArray[0]=anEntry;
 		aciArray[1]=NULL;
@@ -442,12 +446,13 @@ int
 chainingdb_next_search_entry ( Slapi_PBlock *pb )
 { 
 
-	char 			*target;
+	const char	*target = NULL;
+	Slapi_DN	*target_sdn = NULL;
 	int			sizelimit, timelimit;
 	int			rc, parse_rc, retcode;
 	int			i, attrsonly;
 	time_t			optime;
- 	LDAPMessage 		*res=NULL;
+	LDAPMessage 		*res=NULL;
 	char 			*matched_msg,*error_msg;
 	cb_searchContext 	*ctx=NULL;
 	Slapi_Entry 		*entry;
@@ -459,13 +464,15 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
 
 	matched_msg=error_msg=NULL;
 
-        slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &ctx );
-        slapi_pblock_get( pb, SLAPI_BACKEND, &be );
-    	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
-        slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &target );
-        slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
-        slapi_pblock_get( pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly );
+	slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &ctx );
+	slapi_pblock_get( pb, SLAPI_BACKEND, &be );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
+	slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
+	slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &target_sdn );
+	slapi_pblock_get( pb, SLAPI_OPINITIATED_TIME, &optime );
+	slapi_pblock_get( pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly );
+
+	target = slapi_sdn_get_dn(target_sdn);
 
 	cb = cb_get_instance(be);
 
@@ -656,22 +663,22 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
 		case LDAP_RES_SEARCH_REFERENCE:
 
 			/* The server sent a search reference encountered during the 
-            		 * search operation. 
+			 * search operation. 
 			 */
 		
 			/* heart-beat management */
-       			if (cb->max_idle_time>0)
-	       			endtime=current_time() + cb->max_idle_time;
+			if (cb->max_idle_time>0)
+				endtime=current_time() + cb->max_idle_time;
 
 			parse_rc = ldap_parse_reference( ctx->ld, res, &referrals, NULL, 1 );
-         		if ( parse_rc != LDAP_SUCCESS ) {
-	               		cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, 
-					ldap_err2string( parse_rc ), 0, NULL);
+			if ( parse_rc != LDAP_SUCCESS ) {
+				cb_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, 
+				                     ldap_err2string( parse_rc ), 0, NULL);
 				cb_release_op_connection(cb->pool,ctx->ld,CB_LDAP_CONN_ERROR(parse_rc));
 				slapi_ch_free((void **)&ctx);
 
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,NULL);
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,NULL);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,NULL);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,NULL);
 				return -1;
 			}
 
@@ -681,27 +688,27 @@ chainingdb_next_search_entry ( Slapi_PBlock *pb )
 
 			{
 
-   				struct  berval          bv;
+				struct  berval          bv;
 				int 			i;
-                		struct  berval          *bvals[2];
-                		Slapi_Entry *anEntry = slapi_entry_alloc();
-                		slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
+				struct  berval          *bvals[2];
+				Slapi_Entry *anEntry = slapi_entry_alloc();
+				slapi_entry_set_dn(anEntry,slapi_ch_strdup(target));
 
-                		bvals[1]=NULL;
-                		bvals[0]=&bv;
+				bvals[1]=NULL;
+				bvals[0]=&bv;
 
-                		bv.bv_val="referral";
-                		bv.bv_len=strlen(bv.bv_val);
-                		slapi_entry_add_values( anEntry, "objectclass", bvals);
+				bv.bv_val="referral";
+				bv.bv_len=strlen(bv.bv_val);
+				slapi_entry_add_values( anEntry, "objectclass", bvals);
 
 				for (i=0;referrals[i] != NULL; i++) {
-                			bv.bv_val=referrals[i];
+					bv.bv_val=referrals[i];
 					bv.bv_len=strlen(bv.bv_val);
-                			slapi_entry_add_values( anEntry, "ref", bvals);
+					slapi_entry_add_values( anEntry, "ref", bvals);
 				}
 
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,ctx);
-        			slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,anEntry);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_SET,ctx);
+				slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY,anEntry);
 				cb_set_acl_policy(pb);
 			}
 
diff --git a/ldap/servers/plugins/chainingdb/cb_utils.c b/ldap/servers/plugins/chainingdb/cb_utils.c
index 3b0123c..2492226 100644
--- a/ldap/servers/plugins/chainingdb/cb_utils.c
+++ b/ldap/servers/plugins/chainingdb/cb_utils.c
@@ -50,7 +50,7 @@ char * cb_get_rootdn() {
 	if (ret == NULL) 
 		ret = slapi_ch_strdup(CB_DIRECTORY_MANAGER_DN);
 	if (ret)
-		slapi_dn_normalize_case(ret);	/* UTF8-aware */
+		slapi_dn_ignore_case(ret);	/* UTF8-aware */
 	return ret;
 }
 
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index bfb585e..85474f7 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -3356,7 +3356,8 @@ bail:
 */
 void cos_cache_change_notify(Slapi_PBlock *pb)
 {
-	char *dn;
+	const char *dn;
+	Slapi_DN *sdn = NULL;
 	int do_update = 0;
 	struct slapi_entry *e;
         Slapi_Backend *be=NULL;
@@ -3372,11 +3373,12 @@ void cos_cache_change_notify(Slapi_PBlock *pb)
 		goto bail;
 
 	/* need to work out if a cache rebuild is necessary */
-	if(slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ))
+	if(slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ))
 	{
 		LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_change_notify: failed to get dn of changed entry",0,0,0);
 		goto bail;
 	}
+	dn = slapi_sdn_get_dn(sdn);
 
 	slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &rc);
 	if (0 != rc) {
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 2f4dd02..177897a 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -172,7 +172,7 @@ static PRCList *dna_global_config = NULL;
 static Slapi_RWLock *g_dna_cache_lock;
 
 static void *_PluginID = NULL;
-static char *_PluginDN = NULL;
+static const char *_PluginDN = NULL;
 
 static int g_plugin_started = 0;
 
@@ -227,6 +227,7 @@ static int dna_load_host_port();
  *
  */
 static char *dna_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *dna_get_sdn(Slapi_PBlock * pb);
 static int dna_dn_is_config(char *dn);
 static int dna_get_next_value(struct configEntry * config_entry,
                                  char **next_value_ret);
@@ -330,12 +331,12 @@ void *getPluginID()
     return _PluginID;
 }
 
-void setPluginDN(char *pluginDN)
+void setPluginDN(const char *pluginDN)
 {
     _PluginDN = pluginDN;
 }
 
-char *getPluginDN()
+const char *getPluginDN()
 {
     return _PluginDN;
 }
@@ -489,7 +490,8 @@ dna_exop_init(Slapi_PBlock * pb)
 static int
 dna_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *pluginsdn = NULL;
+	const char *plugindn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "--> dna_start\n");
@@ -513,12 +515,13 @@ dna_start(Slapi_PBlock * pb)
 	 *	and store it for future use. This should avoid
 	 *	hardcoding of DN's in the code.
 	 */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &pluginsdn);
+    if (NULL == pluginsdn || 0 == strlen(slapi_sdn_get_dn(pluginsdn))) {
         slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
                         "dna_start: had to use hard coded config dn\n");
         plugindn = DNA_DN;
     } else {
+        plugindn = slapi_sdn_get_dn(pluginsdn);
         slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
                         "dna_start: config at %s\n", plugindn);
 
@@ -857,12 +860,17 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
         Slapi_DN *sdn = NULL;
         char *normdn = NULL;
 
-        sdn = slapi_sdn_new_dn_byref(value);
+        sdn = slapi_sdn_new_dn_passin(value);
 
-        if (sdn) {
-            slapi_search_internal_get_entry(sdn, NULL, &shared_e, getPluginID());
-            slapi_sdn_free(&sdn);
+        if (!sdn) {
+            slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+                            "dna_parse_config_entry: Unable to create "
+                            "slapi_dn (%s)\n", value);
+            ret = DNA_FAILURE;
+            slapi_ch_free_string(&value);
+            goto bail;
         }
+        slapi_search_internal_get_entry(sdn, NULL, &shared_e, getPluginID());
 
         /* Make sure that the shared config entry exists. */
         if (!shared_e) {
@@ -872,23 +880,23 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
                             "dna_parse_config_entry: Unable to locate "
                             "shared configuration entry (%s)\n", value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         } else {
             slapi_entry_free(shared_e);
             shared_e = NULL;
         }
 
-        normdn = slapi_create_dn_string("%s", value);
+        normdn = (char *)slapi_sdn_get_dn(sdn);
         if (NULL == normdn) {
             slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
                             "dna_parse_config_entry: failed to normalize dn: "
                             "%s\n", value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         }
-        entry->shared_cfg_base = normdn;
+        entry->shared_cfg_base = slapi_ch_strdup(normdn);
 
         /* We prepend the host & port of this instance as a
          * multi-part RDN for the shared config entry. */
@@ -900,7 +908,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
                             "%s=%s+%s=%s,%s", DNA_HOSTNAME,
                             hostname, DNA_PORTNUM, portnum, value);
             ret = DNA_FAILURE;
-            slapi_ch_free_string(&value);
+            slapi_sdn_free(&sdn);
             goto bail;
         }
         entry->shared_cfg_dn = normdn;
@@ -908,7 +916,7 @@ dna_parse_config_entry(Slapi_Entry * e, int apply)
         slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM,
                         "----------> %s [%s]\n", DNA_SHARED_CFG_DN,
                         entry->shared_cfg_base);
-        slapi_ch_free_string(&value);
+        slapi_sdn_free(&sdn);
     }
 
     value = slapi_entry_attr_get_charptr(e, DNA_THRESHOLD);
@@ -1725,11 +1733,11 @@ bail:
 
 static char *dna_get_dn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "--> dna_get_dn\n");
 
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
+    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn)) {
         slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
                         "dna_get_dn: failed to get dn of changed entry");
         goto bail;
@@ -1739,7 +1747,20 @@ static char *dna_get_dn(Slapi_PBlock * pb)
     slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
                     "<-- dna_get_dn\n");
 
-    return dn;
+    return (char *)slapi_sdn_get_dn(sdn);
+}
+
+static Slapi_DN *
+dna_get_sdn(Slapi_PBlock * pb)
+{
+    Slapi_DN *sdn = 0;
+    slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
+                    "--> dna_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM,
+                    "<-- dna_get_sdn\n");
+
+    return sdn;
 }
 
 /* config check
@@ -2785,10 +2806,9 @@ static int dna_pre_op(Slapi_PBlock * pb, int modtype)
          *
          slapi_pblock_get( pb, SLAPI_MODIFY_EXISTING_ENTRY, &e);
          */
-        Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
+        Slapi_DN *tmp_dn = dna_get_sdn(pb);
         if (tmp_dn) {
             slapi_search_internal_get_entry(tmp_dn, 0, &e, getPluginID());
-            slapi_sdn_free(&tmp_dn);
             free_entry = 1;
         }
 
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c
index 75df753..99c254e 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c
@@ -94,6 +94,7 @@ static void linked_attrs_free_config_entry(struct configEntry ** entry);
  * helpers
  */
 static char *linked_attrs_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *linked_attrs_get_sdn(Slapi_PBlock * pb);
 static int linked_attrs_dn_is_config(char *dn);
 static void linked_attrs_find_config(const char *dn, const char *type,
     struct configEntry **config);
@@ -152,9 +153,9 @@ linked_attrs_get_plugin_id()
 }
 
 void
-linked_attrs_set_plugin_dn(char *pluginDN)
+linked_attrs_set_plugin_dn(const char *pluginDN)
 {
-    _PluginDN = pluginDN;
+    _PluginDN = (char *)pluginDN;
 }
 
 char *
@@ -281,7 +282,7 @@ linked_attrs_postop_init(Slapi_PBlock *pb)
 static int
 linked_attrs_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "--> linked_attrs_start\n");
@@ -303,14 +304,14 @@ linked_attrs_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == strlen(slapi_sdn_get_dn(plugindn))) {
         slapi_log_error(SLAPI_LOG_PLUGIN, LINK_PLUGIN_SUBSYSTEM,
                         "linked_attrs_start: unable to retrieve plugin dn\n");
         return -1;
     }
 
-    linked_attrs_set_plugin_dn(plugindn);
+    linked_attrs_set_plugin_dn(slapi_sdn_get_dn(plugindn));
 
     /*
      * Load the config cache
@@ -540,7 +541,7 @@ linked_attrs_parse_config_entry(Slapi_Entry * e, int apply)
         char *syntaxoid = NULL;
         Slapi_Attr *attr = slapi_attr_new();
 
-	/* Set this first so we free it if we encounter an error */
+        /* Set this first so we free it if we encounter an error */
         entry->managedtype = value;
 
         /* Gather some information about this attribute. */
@@ -816,21 +817,36 @@ linked_attrs_delete_config()
 static char *
 linked_attrs_get_dn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    const char *dn = 0;
+    Slapi_DN *sdn = NULL;
     slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "--> linked_attrs_get_dn\n");
 
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
+    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn)) {
         slapi_log_error(SLAPI_LOG_FATAL, LINK_PLUGIN_SUBSYSTEM,
                         "linked_attrs_get_dn: failed to get dn of changed entry");
         goto bail;
     }
+    dn = slapi_sdn_get_dn(sdn);
 
   bail:
     slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
                     "<-- linked_attrs_get_dn\n");
 
-    return dn;
+    return (char *)dn;
+}
+
+static Slapi_DN *
+linked_attrs_get_sdn(Slapi_PBlock * pb)
+{
+    Slapi_DN *sdn = 0;
+    slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
+                    "--> linked_attrs_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
+                    "<-- linked_attrs_get_sdn\n");
+
+    return sdn;
 }
 
 /*
@@ -1488,10 +1504,10 @@ linked_attrs_pre_op(Slapi_PBlock * pb, int modop)
         } else {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
+            /* int free_sdn = 0; */
+            Slapi_DN *tmp_dn = linked_attrs_get_sdn(pb);
             if (tmp_dn) {
                 slapi_search_internal_get_entry(tmp_dn, 0, &e, linked_attrs_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
                 free_entry = 1;
             }
 
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.h b/ldap/servers/plugins/linkedattrs/linked_attrs.h
index c6e6347..8dfb4f0 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.h
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.h
@@ -127,7 +127,7 @@ void linked_attrs_unlock();
  */
 void linked_attrs_set_plugin_id(void *pluginID);
 void *linked_attrs_get_plugin_id();
-void linked_attrs_set_plugin_dn(char *pluginDN);
+void linked_attrs_set_plugin_dn(const char *pluginDN);
 char *linked_attrs_get_plugin_dn();
 
 /*
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index c2d87bb..0f3849c 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -1051,11 +1051,13 @@ bail:
  */
 char *memberof_getdn(Slapi_PBlock *pb)
 {
-	char *dn = 0;
+	const char *dn = 0;
+	Slapi_DN *sdn = NULL;
 
-	slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	
-	return dn;
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+	dn = slapi_sdn_get_dn(sdn);	
+
+	return (char *)dn;
 }
 
 /*
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index 0241cd3..1396b9c 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -94,11 +94,11 @@ static void mep_free_config_entry(struct configEntry ** entry);
 /*
  * helpers
  */
-static char *mep_get_dn(Slapi_PBlock * pb);
+static Slapi_DN *mep_get_sdn(Slapi_PBlock * pb);
 static Slapi_DN *mep_get_config_area();
 static void mep_set_config_area(Slapi_DN *sdn);
-static int mep_dn_is_config(char *dn);
-static int mep_dn_is_template(char *dn);
+static int mep_dn_is_config(Slapi_DN *sdn);
+static int mep_dn_is_template(const char *dn);
 static void mep_find_config(Slapi_Entry *e, struct configEntry **config);
 static void mep_find_config_by_template_dn(const char *template_dn,
     struct configEntry **config);
@@ -109,7 +109,7 @@ static Slapi_Entry *mep_create_managed_entry(struct configEntry *config,
 static void mep_add_managed_entry(struct configEntry *config,
     Slapi_Entry *origin);
 static void mep_rename_managed_entry(Slapi_Entry *origin,
-    char *new_dn, char *old_dn);
+    Slapi_DN *new_dn, Slapi_DN *old_dn);
 static Slapi_Mods *mep_get_mapped_mods(struct configEntry *config,
     Slapi_Entry *origin, char **mapped_dn);
 static int mep_parse_mapped_attr(char *mapping, Slapi_Entry *origin,
@@ -289,7 +289,7 @@ mep_postop_init(Slapi_PBlock *pb)
 static int
 mep_start(Slapi_PBlock * pb)
 {
-    char *plugindn = NULL;
+    Slapi_DN *plugindn = NULL;
     char *config_area = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -312,14 +312,14 @@ mep_start(Slapi_PBlock * pb)
     /*
      * Get the plug-in target dn from the system
      * and store it for future use. */
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
-    if (NULL == plugindn || 0 == strlen(plugindn)) {
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &plugindn);
+    if (NULL == plugindn || 0 == strlen(slapi_sdn_get_dn(plugindn))) {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_start: unable to retrieve plugin dn\n");
         return -1;
     }
 
-    mep_set_plugin_sdn(slapi_sdn_new_dn_byref(plugindn));
+    mep_set_plugin_sdn(slapi_sdn_dup(plugindn));
 
     /* Set the alternate config area if one is defined. */
     slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
@@ -434,8 +434,10 @@ mep_load_config()
         /* Find the config entries beneath our plugin entry. */
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_load_config: Looking for config entries "
-                        "beneath \"%s\".\n", slapi_sdn_get_ndn(mep_get_plugin_sdn()));
-        slapi_search_internal_set_pb(search_pb, slapi_sdn_get_ndn(mep_get_plugin_sdn()),
+                        "beneath \"%s\".\n",
+                         slapi_sdn_get_ndn(mep_get_plugin_sdn()));
+        slapi_search_internal_set_pb(search_pb,
+                                     slapi_sdn_get_ndn(mep_get_plugin_sdn()),
                                      LDAP_SCOPE_SUBTREE, "objectclass=*",
                                      NULL, 0, NULL, NULL, mep_get_plugin_id(), 0);
     }
@@ -769,24 +771,17 @@ mep_delete_config()
 /*
  * Helper functions
  */
-static char *
-mep_get_dn(Slapi_PBlock * pb)
+static Slapi_DN *
+mep_get_sdn(Slapi_PBlock * pb)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = 0;
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
-                    "--> mep_get_dn\n");
-
-    if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn)) {
-        slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
-                        "mep_get_dn: failed to get dn of changed entry");
-        goto bail;
-    }
-
-  bail:
+                    "--> mep_get_sdn\n");
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
-                    "<-- mep_get_dn\n");
+                    "<-- mep_get_sdn\n");
 
-    return dn;
+    return sdn;
 }
 
 static void
@@ -807,20 +802,17 @@ mep_get_config_area()
  * Checks if dn is a managed entries config entry.
  */
 static int
-mep_dn_is_config(char *dn)
+mep_dn_is_config(Slapi_DN *sdn)
 {
     int ret = 0;
-    Slapi_DN *sdn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "--> mep_dn_is_config\n");
 
-    if (dn == NULL) {
+    if (sdn == NULL) {
         goto bail;
     }
 
-    sdn = slapi_sdn_new_dn_byref(dn);
-
     /* If an alternate config area is configured, treat it's child
      * entries as config entries.  If the alternate config area is
      * not configured, treat children of the top-level plug-in
@@ -838,7 +830,6 @@ mep_dn_is_config(char *dn)
     }
 
 bail:
-    slapi_sdn_free(&sdn);
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "<-- mep_dn_is_config\n");
 
@@ -851,7 +842,7 @@ bail:
  * Checks if dn is a managed entries template.
  */
 static int
-mep_dn_is_template(char *dn)
+mep_dn_is_template(const char *dn)
 {
     int ret = 0;
     PRCList *list = NULL;
@@ -1139,7 +1130,7 @@ mep_create_managed_entry(struct configEntry *config, Slapi_Entry *origin)
 
         /* Create the DN using the mapped RDN value
          * and the base specified in the config. */
-        dn = slapi_create_dn_string("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
+        dn = slapi_ch_smprintf("%s=%s,%s", rdn_type, rdn_val, config->managed_base);
 
         slapi_ch_free_string(&rdn_val);
 
@@ -1283,8 +1274,9 @@ mep_add_managed_entry(struct configEntry *config,
  * Renames a managed entry and updates the pointer in the
  * origin entry.
  */
-static void mep_rename_managed_entry(Slapi_Entry *origin,
-    char *new_dn, char *old_dn)
+static void
+mep_rename_managed_entry(Slapi_Entry *origin,
+                         Slapi_DN *new_dn, Slapi_DN *old_dn)
 {
     Slapi_RDN *srdn = slapi_rdn_new();
     Slapi_PBlock *mep_pb = slapi_pblock_new();
@@ -1299,10 +1291,10 @@ static void mep_rename_managed_entry(Slapi_Entry *origin,
     }
 
     /* Create new RDN */
-    slapi_rdn_set_dn(srdn, new_dn);
+    slapi_rdn_set_dn(srdn, slapi_sdn_get_ndn(new_dn));
 
     /* Rename the managed entry. */
-    slapi_rename_internal_set_pb(mep_pb, old_dn,
+    slapi_rename_internal_set_pb_ext(mep_pb, old_dn,
                                  slapi_rdn_get_rdn(srdn),
                                  NULL, 1, NULL, NULL, mep_get_plugin_id(), 0);
     slapi_modrdn_internal_pb(mep_pb);
@@ -1311,14 +1303,14 @@ static void mep_rename_managed_entry(Slapi_Entry *origin,
     if (result != LDAP_SUCCESS) {
         slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                     "mep_rename_managed_entry: Unable to rename managed "
-                    "entry \"%s\" to \"%s\" (%s).\n", old_dn,
-                    new_dn, ldap_err2string(result));
+                    "entry \"%s\" to \"%s\" (%s).\n", slapi_sdn_get_dn(old_dn),
+                    slapi_sdn_get_dn(new_dn), ldap_err2string(result));
     } else {
         /* Clear out the pblock for reuse. */
         slapi_pblock_init(mep_pb);
 
         /* Update the link to the managed entry in the origin entry. */
-        vals[0] = new_dn;
+        vals[0] = (char *)slapi_sdn_get_dn(new_dn);
         vals[1] = 0;
         mod.mod_op = LDAP_MOD_REPLACE;
         mod.mod_type = MEP_MANAGED_ENTRY_TYPE;
@@ -1742,7 +1734,7 @@ mep_is_mapped_attr(Slapi_Entry *template, char *type)
 static int
 mep_pre_op(Slapi_PBlock * pb, int modop)
 {
-    char *dn = 0;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *e = 0;
     Slapi_Mods *smods = 0;
     LDAPMod **mods;
@@ -1762,10 +1754,10 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
     /* See if we're calling ourselves. */
     slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &caller_id);
 
-    if (0 == (dn = mep_get_dn(pb)))
+    if (0 == (sdn = mep_get_sdn(pb)))
         goto bail;
 
-    if (mep_dn_is_config(dn)) {
+    if (mep_dn_is_config(sdn)) {
         /* Validate config changes, but don't apply them.
          * This allows us to reject invalid config changes
          * here at the pre-op stage.  Applying the config
@@ -1777,10 +1769,8 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
         } else if (LDAP_CHANGETYPE_MODIFY == modop) {
             /* Fetch the entry being modified so we can
              * create the resulting entry for validation. */
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
-            if (tmp_dn) {
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+            if (sdn) {
+                slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                 free_entry = 1;
             }
 
@@ -1829,11 +1819,10 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
             goto bail;
         }
 
-        mep_find_config_by_template_dn(dn, &config);
+        mep_find_config_by_template_dn(slapi_sdn_get_dn(sdn), &config);
         if (config) {
             Slapi_Entry *test_entry = NULL;
             struct configEntry *config_copy = NULL;
-            Slapi_DN *tmp_dn = NULL;
 
             config_copy = (struct configEntry *)slapi_ch_calloc(1, sizeof(struct configEntry));
 
@@ -1860,12 +1849,9 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
                 ret = LDAP_UNWILLING_TO_PERFORM;
                 break;
             case LDAP_CHANGETYPE_MODIFY: 
-                tmp_dn = slapi_sdn_new_dn_byref(dn);
-
                 /* Fetch the existing template entry. */
-                if (tmp_dn) {
-                    slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                    slapi_sdn_free(&tmp_dn);
+                if (sdn) {
+                    slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                     free_entry = 1;
                 }
 
@@ -1920,7 +1906,6 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
          * this plugin. */
         if (((modop == LDAP_CHANGETYPE_DELETE) || (modop == LDAP_CHANGETYPE_MODDN) ||
             (modop == LDAP_CHANGETYPE_MODIFY)) && (caller_id != mep_get_plugin_id())) {
-            Slapi_DN *tmp_dn = slapi_sdn_new_dn_byref(dn);
             Slapi_Entry *origin_e = NULL;
             Slapi_Mod *smod = NULL;
             Slapi_Mod *next_mod = NULL;
@@ -1928,14 +1913,13 @@ mep_pre_op(Slapi_PBlock * pb, int modop)
             Slapi_DN *origin_sdn = NULL;
 
             /* Fetch the target entry. */
-            if (tmp_dn) {
+            if (sdn) {
                 /* Free any existing entry so we don't leak it. */
                 if (e && free_entry) {
                     slapi_entry_free(e);
                 }
 
-                slapi_search_internal_get_entry(tmp_dn, 0, &e, mep_get_plugin_id());
-                slapi_sdn_free(&tmp_dn);
+                slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
                 free_entry = 1;
             }
 
@@ -2070,7 +2054,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
     Slapi_Mods *smods = NULL;
     Slapi_PBlock *mep_pb = NULL;
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     char *managed_dn = NULL;
     Slapi_DN *managed_sdn = NULL;
     char *mapped_dn = NULL;
@@ -2085,9 +2069,9 @@ mep_mod_post_op(Slapi_PBlock *pb)
     if (!g_plugin_started)
         return 0;
 
-    if (mep_oktodo(pb) && (dn = mep_get_dn(pb))) {
+    if (mep_oktodo(pb) && (sdn = mep_get_sdn(pb))) {
         /* First check if the config or a template is being modified. */
-        if (mep_dn_is_config(dn) || mep_dn_is_template(dn)) {
+        if (mep_dn_is_config(sdn) || mep_dn_is_template(slapi_sdn_get_dn(sdn))) {
             mep_load_config();
         }
 
@@ -2143,7 +2127,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
                         slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                                     "mep_mod_post_op: Unable to update mapped "
                                     "attributes from origin entry \"%s\" in managed "
-                                    "entry \"%s\" (%s).\n", dn, managed_dn,
+                                    "entry \"%s\" (%s).\n", slapi_sdn_get_dn(sdn), managed_dn,
                                     ldap_err2string(result));
                     }
 
@@ -2157,7 +2141,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
                     managed_sdn = slapi_sdn_new_dn_byref(managed_dn);
 
                     if (slapi_sdn_compare(managed_sdn, mapped_sdn) != 0) {
-                        mep_rename_managed_entry(e, mapped_dn, managed_dn);
+                        mep_rename_managed_entry(e, mapped_sdn, managed_sdn);
                     }
 
                     slapi_sdn_free(&mapped_sdn);
@@ -2166,7 +2150,7 @@ mep_mod_post_op(Slapi_PBlock *pb)
             } else {
                 slapi_log_error(SLAPI_LOG_FATAL, MEP_PLUGIN_SUBSYSTEM,
                         "mep_mod_post_op: Unable to find config for origin "
-                        "entry \"%s\".\n", dn);
+                        "entry \"%s\".\n", slapi_sdn_get_dn(sdn));
             }
 
             slapi_ch_free_string(&managed_dn);
@@ -2187,7 +2171,7 @@ static int
 mep_add_post_op(Slapi_PBlock *pb)
 {
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     struct configEntry *config = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2198,8 +2182,8 @@ mep_add_post_op(Slapi_PBlock *pb)
         return 0;
 
     /* Reload config if a config entry was added. */
-    if ((dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(dn)) {
+    if ((sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(sdn)) {
             mep_load_config();
         }
     } else {
@@ -2241,7 +2225,7 @@ mep_add_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_add_post_op: Error "
-                        "retrieving post-op entry %s\n", dn);
+                        "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2253,8 +2237,8 @@ mep_add_post_op(Slapi_PBlock *pb)
 static int
 mep_del_post_op(Slapi_PBlock *pb)
 {
-    char *dn = NULL;
     Slapi_Entry *e = NULL;
+    Slapi_DN *sdn = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
                     "--> mep_del_post_op\n");
@@ -2265,8 +2249,8 @@ mep_del_post_op(Slapi_PBlock *pb)
     }
 
     /* Reload config if a config entry was deleted. */
-    if ((dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(dn))
+    if ((sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(sdn))
             mep_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
@@ -2299,7 +2283,7 @@ mep_del_post_op(Slapi_PBlock *pb)
             slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                             "mep_del_post_op: Deleting managed entry "
                             "\"%s\" due to deletion of origin entry "
-                            "\"%s\".\n ", managed_dn, dn);
+                            "\"%s\".\n ", managed_dn, slapi_sdn_get_dn(sdn));
             slapi_delete_internal_set_pb(mep_pb, managed_dn, NULL,
                                          NULL, mep_get_plugin_id(), 0);
             slapi_delete_internal_pb(mep_pb);
@@ -2310,7 +2294,7 @@ mep_del_post_op(Slapi_PBlock *pb)
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_del_post_op: Error "
-                        "retrieving pre-op entry %s\n", dn);
+                        "retrieving pre-op entry %s\n", slapi_sdn_get_dn(sdn));
     }
 
     slapi_log_error(SLAPI_LOG_TRACE, MEP_PLUGIN_SUBSYSTEM,
@@ -2322,8 +2306,9 @@ mep_del_post_op(Slapi_PBlock *pb)
 static int
 mep_modrdn_post_op(Slapi_PBlock *pb)
 {
-    char *old_dn = NULL;
-    char *new_dn = NULL;
+    const char *new_dn = NULL;
+    Slapi_DN *old_sdn = NULL;
+    Slapi_DN *new_sdn = NULL;
     Slapi_Entry *post_e = NULL;
     char *managed_dn = NULL;
     struct configEntry *config = NULL;
@@ -2340,7 +2325,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
      * config entries. */
     slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &post_e);
     if (post_e) {
-        new_dn = slapi_entry_get_ndn(post_e);
+        new_sdn = slapi_entry_get_sdn(post_e);
+        new_dn = slapi_sdn_get_dn(new_sdn);
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                         "mep_modrdn_post_op: Error "
@@ -2348,8 +2334,8 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
         return 0;
     }
 
-    if ((old_dn = mep_get_dn(pb))) {
-        if (mep_dn_is_config(old_dn) || mep_dn_is_config(new_dn))
+    if ((old_sdn = mep_get_sdn(pb))) {
+        if (mep_dn_is_config(old_sdn) || mep_dn_is_config(new_sdn))
             mep_load_config();
     } else {
         slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
@@ -2398,7 +2384,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
             slapi_log_error(SLAPI_LOG_PLUGIN, MEP_PLUGIN_SUBSYSTEM,
                     "mep_modrdn_post_op: Removing managed entry \"%s\" "
                     "since origin entry \"%s\" was moved out of scope.\n",
-                    managed_dn, old_dn);
+                    managed_dn, slapi_sdn_get_dn(old_sdn));
             slapi_delete_internal_set_pb (mep_pb, managed_dn, NULL, NULL,
                                           mep_get_plugin_id(), 0);
             slapi_delete_internal_pb(mep_pb);
@@ -2442,7 +2428,7 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
             }
         } else {
             /* Update backlink to new origin DN in managed entry. */
-            vals[0] = new_dn;
+            vals[0] = (char *)new_dn;
             vals[1] = 0;
             mod.mod_op = LDAP_MOD_REPLACE;
             mod.mod_type = MEP_MANAGED_BY_TYPE;
@@ -2498,8 +2484,11 @@ mep_modrdn_post_op(Slapi_PBlock *pb)
                                     "mep_modrdn_post_op: Renaming managed entry "
                                     "\"%s\" to \"%s\" due to rename of origin "
                                     "entry \"%s\".\n ", managed_dn,
-                                    slapi_entry_get_dn(new_managed_entry), old_dn);
-                    mep_rename_managed_entry(post_e, slapi_entry_get_dn(new_managed_entry), managed_dn);
+                                    slapi_entry_get_dn(new_managed_entry),
+                                    slapi_sdn_get_dn(old_sdn));
+                    mep_rename_managed_entry(post_e,
+                                    slapi_entry_get_sdn(new_managed_entry),
+                                    managed_sdn);
                 }
 
                 /* Update all of the mapped attributes
diff --git a/ldap/servers/plugins/pam_passthru/pam_passthru.h b/ldap/servers/plugins/pam_passthru/pam_passthru.h
index 6a9d332..748c2f1 100644
--- a/ldap/servers/plugins/pam_passthru/pam_passthru.h
+++ b/ldap/servers/plugins/pam_passthru/pam_passthru.h
@@ -129,7 +129,7 @@ void * pam_passthruauth_get_plugin_identity();
  */
 int pam_passthru_config( Slapi_Entry *config_e );
 Pam_PassthruConfig *pam_passthru_get_config( void );
-int pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn);
+int pam_passthru_check_suffix(Pam_PassthruConfig *cfg, const char *binddn);
 
 /*
  * pam_ptimpl.c
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
index beff65d..bde2ef6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptconfig.c
@@ -538,7 +538,7 @@ pam_passthru_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Ent
 }
 
 int
-pam_passthru_check_suffix(Pam_PassthruConfig *cfg, char *binddn)
+pam_passthru_check_suffix(Pam_PassthruConfig *cfg, const char *binddn)
 {
 	Slapi_DN *comp_dn;
 	Pam_PassthruSuffix *try;
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptimpl.c b/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
index 662239f..2aedec7 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptimpl.c
@@ -91,7 +91,7 @@ struct my_pam_conv_str {
  * Get the PAM identity from the value of the leftmost RDN in the BIND DN.
  */
 static char *
-derive_from_bind_dn(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id)
+derive_from_bind_dn(Slapi_PBlock *pb, const char *binddn, MyStrBuf *pam_id)
 {
 	Slapi_RDN *rdn;
 	char *type = NULL;
@@ -106,7 +106,8 @@ derive_from_bind_dn(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id)
 }
 
 static char *
-derive_from_bind_entry(Slapi_PBlock *pb, char *binddn, MyStrBuf *pam_id, char *map_ident_attr, int *locked)
+derive_from_bind_entry(Slapi_PBlock *pb, const char *binddn, 
+                       MyStrBuf *pam_id, char *map_ident_attr, int *locked)
 {
 	char buf[BUFSIZ];
 	Slapi_Entry *entry = NULL;
@@ -264,7 +265,8 @@ do_one_pam_auth(
 )
 {
 	MyStrBuf pam_id;
-	char *binddn = NULL;
+	const char *binddn = NULL;
+	Slapi_DN *bindsdn = NULL;
 	int rc;
 	int retcode = LDAP_SUCCESS;
 	pam_handle_t *pam_handle;
@@ -274,7 +276,13 @@ do_one_pam_auth(
 	char *errmsg = NULL; /* free with PR_smprintf_free */
 	int locked = 0;
 
-	slapi_pblock_get( pb, SLAPI_BIND_TARGET, &binddn );
+	slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &bindsdn );
+	if (NULL == bindsdn) {
+		errmsg = PR_smprintf("Null bind dn");
+		retcode = LDAP_OPERATIONS_ERROR;
+		goto done; /* skip the pam stuff */
+	}
+	binddn = slapi_sdn_get_dn(bindsdn);
 
 	if (method == PAMPT_MAP_METHOD_RDN) {
 		derive_from_bind_dn(pb, binddn, &pam_id);
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index 9e14c26..d726017 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -165,10 +165,12 @@ static int
 pam_passthru_bindpreop( Slapi_PBlock *pb )
 {
     int rc, method;
-    char *normbinddn, *errmsg = NULL;
+    const char *normbinddn;
+    char *errmsg = NULL;
+    Slapi_DN *bindsdn = NULL;
     Pam_PassthruConfig	*cfg;
     struct berval	*creds;
-	int retcode = PAM_PASSTHRU_OP_NOT_HANDLED;
+    int retcode = PAM_PASSTHRU_OP_NOT_HANDLED;
 
     PAM_PASSTHRU_ASSERT( pb != NULL );
 
@@ -179,12 +181,13 @@ pam_passthru_bindpreop( Slapi_PBlock *pb )
      * retrieve parameters for bind operation
      */
     if ( slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) != 0 ||
-		 slapi_pblock_get( pb, SLAPI_BIND_TARGET, &normbinddn ) != 0 ||
+		 slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &bindsdn ) != 0 ||
 		 slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
 		slapi_log_error( SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
 						 "<= not handled (unable to retrieve bind parameters)\n" );
 		return retcode;
     }
+    normbinddn = slapi_sdn_get_dn(bindsdn);
 
     /*
      * We only handle simple bind requests that include non-NULL binddn and
diff --git a/ldap/servers/plugins/passthru/passthru.h b/ldap/servers/plugins/passthru/passthru.h
index ac19849..e0421ac 100644
--- a/ldap/servers/plugins/passthru/passthru.h
+++ b/ldap/servers/plugins/passthru/passthru.h
@@ -136,7 +136,7 @@ typedef struct passthruconfig {
  * ptbind.c:
  */
 int passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
-	char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
+	const char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
 	char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
 	LDAPControl ***resctrlsp );
 
@@ -149,7 +149,7 @@ PassThruConfig *passthru_get_config( void );
 /*
  * ptconn.c:
  */
-int passthru_dn2server( PassThruConfig *cfg, char *normdn,
+int passthru_dn2server( PassThruConfig *cfg, const char *normdn,
 	PassThruServer **srvrp );
 int passthru_get_connection( PassThruServer *srvr, LDAP **ldp );
 void passthru_release_connection( PassThruServer *srvr, LDAP *ld, int dispose );
diff --git a/ldap/servers/plugins/passthru/ptbind.c b/ldap/servers/plugins/passthru/ptbind.c
index 063ba15..efbc896 100644
--- a/ldap/servers/plugins/passthru/ptbind.c
+++ b/ldap/servers/plugins/passthru/ptbind.c
@@ -48,7 +48,7 @@
 #include "passthru.h"
 
 static int
-passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
+passthru_simple_bind_once_s( PassThruServer *srvr, const char *dn,
 	struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
 	char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
 	LDAPControl ***resctrlsp );
@@ -68,7 +68,7 @@ passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
  */
 int
 passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
-	char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
+	const char *dn, struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
 	char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
 	LDAPControl ***resctrlsp )
 {
@@ -102,7 +102,7 @@ passthru_simple_bind_s( Slapi_PBlock *pb, PassThruServer *srvr, int tries,
  * like passthru_simple_bind_s() but only makes one attempt.
  */
 static int
-passthru_simple_bind_once_s( PassThruServer *srvr, char *dn,
+passthru_simple_bind_once_s( PassThruServer *srvr, const char *dn,
 	struct berval *creds, LDAPControl **reqctrls, int *lderrnop,
 	char **matcheddnp, char **errmsgp, struct berval ***refurlsp,
 	LDAPControl ***resctrlsp )
diff --git a/ldap/servers/plugins/passthru/ptconn.c b/ldap/servers/plugins/passthru/ptconn.c
index 1001c98..a3e2bd2 100644
--- a/ldap/servers/plugins/passthru/ptconn.c
+++ b/ldap/servers/plugins/passthru/ptconn.c
@@ -50,7 +50,7 @@
 /*
  * function prototypes
  */
-static int dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn,
+static int dn_is_underneath_suffix( PassThruSuffix *suffix, const char *normdn,
     int dnlen );
 static void close_and_dispose_connection( PassThruConnection *conn );
 static void check_for_stale_connections( PassThruServer *srvr );
@@ -107,7 +107,7 @@ static void check_for_stale_connections( PassThruServer *srvr );
  *	LDAP_NO_SUCH_OBJECT	let this server handle the bind.
  */
 int
-passthru_dn2server( PassThruConfig *cfg, char *normdn, PassThruServer **srvrp )
+passthru_dn2server( PassThruConfig *cfg, const char *normdn, PassThruServer **srvrp )
 {
     PassThruServer	*ptsrvr;
     PassThruSuffix	*ptsuffix;
@@ -360,7 +360,7 @@ passthru_close_all_connections( PassThruConfig *cfg )
  * return non-zero value if normdn falls underneath a suffix
  */
 static int
-dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn, int dnlen )
+dn_is_underneath_suffix( PassThruSuffix *suffix, const char *normdn, int dnlen )
 {
     PASSTHRU_ASSERT( suffix != NULL );
     PASSTHRU_ASSERT( normdn != NULL );
@@ -368,7 +368,7 @@ dn_is_underneath_suffix( PassThruSuffix *suffix, char *normdn, int dnlen )
 
     return ( suffix->ptsuffix_len <= dnlen &&
 	    slapi_UTF8CASECMP( suffix->ptsuffix_normsuffix,
-	    normdn + ( dnlen - suffix->ptsuffix_len )) == 0 );
+	    (char *)normdn + ( dnlen - suffix->ptsuffix_len )) == 0 );
 }
 
 
diff --git a/ldap/servers/plugins/passthru/ptpreop.c b/ldap/servers/plugins/passthru/ptpreop.c
index e566c64..1f73cf1 100644
--- a/ldap/servers/plugins/passthru/ptpreop.c
+++ b/ldap/servers/plugins/passthru/ptpreop.c
@@ -149,7 +149,9 @@ static int
 passthru_bindpreop( Slapi_PBlock *pb )
 {
     int			rc, method, freeresctrls=1;
-    char		*normbinddn, *matcheddn;
+    char		*matcheddn;
+    const char	*normbinddn = NULL;
+    Slapi_DN	*sdn = NULL;
     char		*libldap_errmsg, *pr_errmsg, *errmsg;
     PassThruConfig	*cfg;
     PassThruServer	*srvr;
@@ -165,14 +167,15 @@ passthru_bindpreop( Slapi_PBlock *pb )
      * retrieve parameters for bind operation
      */
     if ( slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) != 0 ||
-	    slapi_pblock_get( pb, SLAPI_BIND_TARGET, &normbinddn ) != 0 ||
-	    slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
-	slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM,
-		"<= not handled (unable to retrieve bind parameters)\n" );
-	return( PASSTHRU_OP_NOT_HANDLED );
+        slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) != 0 ||
+        slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &creds ) != 0 ) {
+        slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM,
+                     "<= not handled (unable to retrieve bind parameters)\n" );
+        return( PASSTHRU_OP_NOT_HANDLED );
     }
+    normbinddn = slapi_sdn_get_dn(sdn);
     if ( normbinddn == NULL ) {
-	normbinddn = "";
+        normbinddn = "";
     }
 
     /*
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index e22a018..d89a048 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -144,6 +144,7 @@ int
 referint_postop_del( Slapi_PBlock *pb )
 {
 	char	*dn;
+	Slapi_DN *sdn = NULL;
 	int rc;
 	int oprc;
 	char **argv;
@@ -153,13 +154,14 @@ referint_postop_del( Slapi_PBlock *pb )
 	int isrepop = 0;
 
 	if ( slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &isrepop ) != 0  ||
-		 slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn ) != 0  ||
+		 slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn ) != 0  ||
 	     slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0) 
         {
             slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM,
                              "referint_postop_del: could not get parameters\n" );
             return( -1 );
         }
+        dn = (char *)slapi_sdn_get_dn(sdn);
 
         /* this plugin should only execute if the delete was successful
 		   and this is not a replicated op
@@ -219,8 +221,9 @@ int
 referint_postop_modrdn( Slapi_PBlock *pb )
 {
 	char	*dn;
+	Slapi_DN *sdn = NULL;
 	char	*newrdn;
-	char	*newsuperior;
+	Slapi_DN *newsuperior;
 	int oprc;
 	int rc;
 	char **argv;
@@ -230,7 +233,7 @@ referint_postop_modrdn( Slapi_PBlock *pb )
 	int isrepop = 0;
 
 	if ( slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &isrepop ) != 0  ||
-		 slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn ) != 0 ||
+		 slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn ) != 0 ||
 		 slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ) != 0 ||
 		 slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior ) != 0 ||
 		 slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 ){
@@ -239,6 +242,7 @@ referint_postop_modrdn( Slapi_PBlock *pb )
 		    "referint_postop_modrdn: could not get parameters\n" );
 		return( -1 );
 	}
+	dn = (char *)slapi_sdn_get_dn(sdn);
 
 	/* this plugin should only execute if the delete was successful 
 	   and this is not a replicated op
@@ -281,11 +285,12 @@ referint_postop_modrdn( Slapi_PBlock *pb )
 	  rc = 0;
 	}else if(delay == 0){
 	  /* no delay */
- 	  /* call function to update references to entry */
-	  rc = update_integrity(argv, dn, newrdn, newsuperior, logChanges);
+	  /* call function to update references to entry */
+	  rc = update_integrity(argv, dn, newrdn, 
+	                        slapi_sdn_get_dn(newsuperior), logChanges);
 	}else{
 	  /* write the entry to integrity log */
-	  writeintegritylog(argv[1],dn, newrdn, newsuperior);
+	  writeintegritylog(argv[1], dn, newrdn, slapi_sdn_get_dn(newsuperior));
 	  rc = 0;
 	}
 
diff --git a/ldap/servers/plugins/replication/cl4_api.c b/ldap/servers/plugins/replication/cl4_api.c
index c7d0ce0..ab72793 100644
--- a/ldap/servers/plugins/replication/cl4_api.c
+++ b/ldap/servers/plugins/replication/cl4_api.c
@@ -533,7 +533,7 @@ static int _cl4ResolveTargetDN (Slapi_Entry *entry, Slapi_DN **newTargetDN)
 	if (strcasecmp (changetype, "add") == 0) /* this is add operation - we have rawdn */
 		slapi_sdn_set_dn_byref (targetSDN, targetdn);	
 	else
-		slapi_sdn_set_ndn_byref (targetSDN, targetdn);
+		slapi_sdn_set_normdn_byref (targetSDN, targetdn);
 
 	/* read the entry to which the change was applied */
 	rc = _cl4GetTargetEntry (targetSDN, uniqueid, &targetEntry);
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index c360444..99b3674 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -1060,7 +1060,7 @@ cl5ImportLDIF (const char *clDir, const char *ldifFile, Object **replicas)
                         "cl5ImportLDIF: "
                         "failed to write operation to the changelog: "
                         "type: %lu, dn: %s\n",
-                        op.operation_type, op.target_address.dn);
+                        op.operation_type, REPL_GET_DN(&op.target_address));
                 slapi_ch_free_string(&replGen);
                 operation_parameters_done (&op);
                 goto done;
@@ -1080,7 +1080,7 @@ cl5ImportLDIF (const char *clDir, const char *ldifFile, Object **replicas)
                         "cl5ImportLDIF: "
                         "failed to write operation to the changelog: "
                         "type: %lu, dn: %s\n",
-                        op.operation_type, op.target_address.dn);
+                        op.operation_type, REPL_GET_DN(&op.target_address));
                 object_release (replica_obj);
                 slapi_ch_free_string(&replGen);
 				operation_parameters_done (&op);
@@ -2150,7 +2150,7 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
 										}
 										break;
 
-		case SLAPI_OPERATION_MODIFY:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_MODIFY:	size += strlen (REPL_GET_DN(&op->target_address)) + 1;
 										/* Need larger buffer for the encrypted changelog */
 										if (s_cl5Desc.clcrypt_handle) {
 											size += (_cl5GetModsSize (op->p.p_modify.modify_mods) * (1 + BACK_CRYPT_OUTBUFF_EXTLEN));
@@ -2159,11 +2159,11 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
 										}
 										break;
 
-		case SLAPI_OPERATION_MODRDN:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_MODRDN:	size += strlen (REPL_GET_DN(&op->target_address)) + 1;
 										/* 1 for deleteoldrdn */
 										size += strlen (op->p.p_modrdn.modrdn_newrdn) + 2; 
-										if (op->p.p_modrdn.modrdn_newsuperior_address.dn)
-											size += strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn) + 1;
+										if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
+											size += strlen (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address)) + 1;
 										else
 											size ++; /* for NULL char */
 										if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)
@@ -2178,7 +2178,7 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
 										}
 										break;
 
-		case SLAPI_OPERATION_DELETE:	size += strlen (op->target_address.dn) + 1;
+		case SLAPI_OPERATION_DELETE:	size += strlen (REPL_GET_DN(&op->target_address)) + 1;
 										break;
 	}	
 
@@ -2218,20 +2218,20 @@ static int _cl5Entry2DBData (const CL5Entry *entry, char **data, PRUint32 *len)
 										ldap_mods_free (add_mods, 1);
 										break;
 
-		case SLAPI_OPERATION_MODIFY:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODIFY:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
 										_cl5WriteMods (op->p.p_modify.modify_mods, &pos);
 										break;
 
-		case SLAPI_OPERATION_MODRDN:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODRDN:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
 										_cl5WriteString (op->p.p_modrdn.modrdn_newrdn, &pos);
 										*pos = (PRUint8)op->p.p_modrdn.modrdn_deloldrdn;	 
 										pos ++;
-										_cl5WriteString (op->p.p_modrdn.modrdn_newsuperior_address.dn, &pos);
+										_cl5WriteString (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address), &pos);
 										_cl5WriteString (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, &pos);
 										_cl5WriteMods (op->p.p_modrdn.modrdn_mods, &pos);
 										break;
 
-		case SLAPI_OPERATION_DELETE:	_cl5WriteString (op->target_address.dn, &pos);
+		case SLAPI_OPERATION_DELETE:	_cl5WriteString (REPL_GET_DN(&op->target_address), &pos);
 										break;
 	}
 	
@@ -2319,27 +2319,31 @@ cl5DBData2Entry (const char *data, PRUint32 len, CL5Entry *entry)
 		case SLAPI_OPERATION_ADD:		_cl5ReadString (&op->p.p_add.parentuniqueid, &pos);
 			/* richm: need to free parentuniqueid */
 										_cl5ReadString (&rawDN, &pos);
-										op->target_address.dn = rawDN;
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
 										/* convert mods to entry */
 										rc = _cl5ReadMods (&add_mods, &pos);
 										slapi_mods2entry (&(op->p.p_add.target_entry), rawDN, add_mods);
 										ldap_mods_free (add_mods, 1);
 										break;
 
-		case SLAPI_OPERATION_MODIFY:    _cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODIFY:    _cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
 										rc = _cl5ReadMods (&op->p.p_modify.modify_mods, &pos);
 										break;
 
-		case SLAPI_OPERATION_MODRDN:	_cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_MODRDN:	_cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
 										_cl5ReadString (&op->p.p_modrdn.modrdn_newrdn, &pos);
 										op->p.p_modrdn.modrdn_deloldrdn = *pos;	 
 										pos ++;
-										_cl5ReadString (&op->p.p_modrdn.modrdn_newsuperior_address.dn, &pos);
+										_cl5ReadString (&rawDN, &pos);
+										op->p.p_modrdn.modrdn_newsuperior_address.sdn = slapi_sdn_new_dn_passin(rawDN);
 										_cl5ReadString (&op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, &pos);
 										rc = _cl5ReadMods (&op->p.p_modrdn.modrdn_mods, &pos);
 										break;
 
-		case SLAPI_OPERATION_DELETE:	_cl5ReadString (&op->target_address.dn, &pos);
+		case SLAPI_OPERATION_DELETE:	_cl5ReadString (&rawDN, &pos);
+										op->target_address.sdn = slapi_sdn_new_dn_passin(rawDN);
 										rc = CL5_SUCCESS;
 										break;
 
@@ -4210,7 +4214,7 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
 											"_cl5Operation2LDIF(MODIFY): mods are NULL\n");
 										return CL5_BAD_FORMAT;
 									 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (REPL_GET_DN(&op->target_address)));
 									 l = make_changes_string(op->p.p_modify.modify_mods, NULL);
 									 len += LDIF_SIZE_NEEDED(strlen (T_CHANGESTR), l->ls_len);
 									 break;
@@ -4220,15 +4224,15 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
 											"_cl5Operation2LDIF(MODRDN): mods are NULL\n");
 										return CL5_BAD_FORMAT;
 									 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (REPL_GET_DN(&op->target_address)));
 									 len += LDIF_SIZE_NEEDED(strlen (T_NEWRDNSTR), 
 															 strlen (op->p.p_modrdn.modrdn_newrdn));
 									 strDeleteOldRDN = (op->p.p_modrdn.modrdn_deloldrdn ? "true" : "false");
 									 len += LDIF_SIZE_NEEDED(strlen (T_DRDNFLAGSTR),
 															 strlen (strDeleteOldRDN));
-									 if (op->p.p_modrdn.modrdn_newsuperior_address.dn)
+									 if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
 										len += LDIF_SIZE_NEEDED(strlen (T_NEWSUPERIORDNSTR),
-													strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn));
+													strlen (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address)));
 									 if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)
 										len += LDIF_SIZE_NEEDED(strlen (T_NEWSUPERIORIDSTR),
 													strlen (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid));
@@ -4236,12 +4240,12 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
 									 len += LDIF_SIZE_NEEDED(strlen (T_CHANGESTR), l->ls_len);
 									 break;		  
 
-		case SLAPI_OPERATION_DELETE: if (NULL == op->target_address.dn) {
+		case SLAPI_OPERATION_DELETE: if (NULL == REPL_GET_DN(&op->target_address)) {
 										slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, 
 											"_cl5Operation2LDIF(DELETE): target dn is NULL\n");
 										return CL5_BAD_FORMAT;
 									 }
-									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (op->target_address.dn));
+									 len += LDIF_SIZE_NEEDED(strlen (T_DNSTR), strlen (REPL_GET_DN(&op->target_address)));
 									 break;	
 		
 		default:					 slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, 
@@ -4277,21 +4281,21 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
 										slapi_ch_free ((void**)&rawDN);
 										break;
 
-		case SLAPI_OPERATION_MODIFY:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-																strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_MODIFY:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+																strlen (REPL_GET_DN(&op->target_address)), 0);
 										slapi_ldif_put_type_and_value_with_options(&buff, T_CHANGESTR, l->ls_buf, l->ls_len, 0);
 										break;
 
-		case SLAPI_OPERATION_MODRDN:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-																strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_MODRDN:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+																strlen (REPL_GET_DN(&op->target_address)), 0);
 										slapi_ldif_put_type_and_value_with_options(&buff, T_NEWRDNSTR, op->p.p_modrdn.modrdn_newrdn,
 						  										strlen (op->p.p_modrdn.modrdn_newrdn), 0);
 										slapi_ldif_put_type_and_value_with_options(&buff, T_DRDNFLAGSTR, strDeleteOldRDN, 
 																strlen (strDeleteOldRDN), 0);
-										if (op->p.p_modrdn.modrdn_newsuperior_address.dn)							
+										if (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address))
 											slapi_ldif_put_type_and_value_with_options(&buff, T_NEWSUPERIORDNSTR, 
-																op->p.p_modrdn.modrdn_newsuperior_address.dn, 
-																strlen (op->p.p_modrdn.modrdn_newsuperior_address.dn), 0);
+																REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
+																strlen (REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address)), 0);
 										if (op->p.p_modrdn.modrdn_newsuperior_address.uniqueid)							
 											slapi_ldif_put_type_and_value_with_options(&buff, T_NEWSUPERIORIDSTR, 
 																op->p.p_modrdn.modrdn_newsuperior_address.uniqueid, 
@@ -4299,8 +4303,8 @@ static int _cl5Operation2LDIF (const slapi_operation_parameters *op, const char
 										slapi_ldif_put_type_and_value_with_options(&buff, T_CHANGESTR, l->ls_buf, l->ls_len, 0);
 										break;	
 
-		case SLAPI_OPERATION_DELETE:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, op->target_address.dn, 
-										strlen (op->target_address.dn), 0);
+		case SLAPI_OPERATION_DELETE:	slapi_ldif_put_type_and_value_with_options(&buff, T_DNSTR, REPL_GET_DN(&op->target_address), 
+										strlen (REPL_GET_DN(&op->target_address)), 0);
 										break;	  
 	}
 
@@ -4377,10 +4381,10 @@ _cl5LDIF2Operation (char *ldifEntry, slapi_operation_parameters *op, char **repl
 			if (op->operation_type == SLAPI_OPERATION_ADD)
 			{
 				rawDN = slapi_ch_strdup (value.bv_val);
-				op->target_address.dn = slapi_ch_strdup(rawDN);
+				op->target_address.sdn = slapi_sdn_new_dn_byval(rawDN);
 			}
 			else
-				op->target_address.dn = slapi_ch_strdup (value.bv_val);
+				op->target_address.sdn = slapi_sdn_new_dn_byval(value.bv_val);
 		}
 		else if (strncasecmp (type.bv_val, T_PARENTIDSTR, type.bv_len) == 0)
 		{
@@ -4396,7 +4400,7 @@ _cl5LDIF2Operation (char *ldifEntry, slapi_operation_parameters *op, char **repl
 		}
 		else if (strncasecmp (type.bv_val, T_NEWSUPERIORDNSTR, type.bv_len) == 0)
 		{
-			op->p.p_modrdn.modrdn_newsuperior_address.dn = slapi_ch_strdup (value.bv_val);
+			op->p.p_modrdn.modrdn_newsuperior_address.sdn = slapi_sdn_new_dn_byval(value.bv_val);
 		}		
 		else if (strncasecmp (type.bv_val, T_NEWSUPERIORIDSTR, type.bv_len) == 0)
 		{
@@ -4507,7 +4511,7 @@ static int _cl5WriteOperationTxn(const char *replName, const char *replGen,
 	{
 		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, 
 						"_cl5WriteOperationTxn: failed to get db file for target dn (%s)", 
-						op->target_address.dn);
+						REPL_GET_DN(&op->target_address));
 		return CL5_OBJSET_ERROR;
 	}
 
@@ -4907,7 +4911,7 @@ static int _cl5GetOperation (Object *replica, slapi_operation_parameters *op)
 
 		case DB_NOTFOUND:	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, 
 									"_cl5GetOperation: operation for csn (%s) is not found in db that should contain dn (%s)\n",
-									csnStr, op->target_address.dn);
+									csnStr, REPL_GET_DN(&op->target_address));
 							rc = CL5_NOTFOUND;
 							goto done;
 
@@ -6151,7 +6155,7 @@ static Object* _cl5GetReplica (const slapi_operation_parameters *op, const char*
 
     PR_ASSERT (op && replGen);
 
-    sdn = slapi_sdn_new_dn_byref(op->target_address.dn);
+    sdn = op->target_address.sdn;
     
     replObj = replica_get_replica_from_dn (sdn);
     if (replObj)
@@ -6169,8 +6173,6 @@ static Object* _cl5GetReplica (const slapi_operation_parameters *op, const char*
 
         slapi_ch_free ((void**)&newGen);
     }
-
-    slapi_sdn_free (&sdn);
     
     return replObj;
 }
diff --git a/ldap/servers/plugins/replication/cl5_test.c b/ldap/servers/plugins/replication/cl5_test.c
index 91cdef2..4bb83a7 100644
--- a/ldap/servers/plugins/replication/cl5_test.c
+++ b/ldap/servers/plugins/replication/cl5_test.c
@@ -838,7 +838,7 @@ static int  populateChangelogOp ()
     pb = slapi_pblock_new ();
     cur_time = time (NULL);
     PR_snprintf (newrdn, sizeof(newrdn), "cn=renamed%s", ctime(&cur_time));
-    slapi_rename_internal_set_pb (pb, dn, newrdn, NULL, 1, NULL, NULL,
+    slapi_rename_internal_set_pb_ext (pb, dn, newrdn, NULL, 1, NULL, NULL,
 	 					          repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0);
     slapi_modrdn_internal_pb (pb);
     slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
diff --git a/ldap/servers/plugins/replication/legacy_consumer.c b/ldap/servers/plugins/replication/legacy_consumer.c
index a65c5e6..2440ce7 100644
--- a/ldap/servers/plugins/replication/legacy_consumer.c
+++ b/ldap/servers/plugins/replication/legacy_consumer.c
@@ -96,13 +96,14 @@ Slapi_RWLock *legacy_consumer_config_lock = NULL;
 static PRBool
 target_is_a_replica_root(Slapi_PBlock *pb, const Slapi_DN **root)
 {
-	char *dn;
-	Slapi_DN *sdn;
-	PRBool return_value;
+	Slapi_DN *sdn = NULL;
+	PRBool return_value = PR_FALSE;
 	Object *repl_obj;
 
-	slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	sdn = slapi_sdn_new_dn_byref(dn);
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+	if (NULL == sdn) {
+		return return_value;
+	}
 	repl_obj = replica_get_replica_from_dn(sdn);
 	if (NULL != repl_obj)
 	{
@@ -116,7 +117,6 @@ target_is_a_replica_root(Slapi_PBlock *pb, const Slapi_DN **root)
 		*root = NULL;
 		return_value = PR_FALSE;
 	}
-	slapi_sdn_free(&sdn);
 	return return_value;
 }
 
@@ -492,7 +492,7 @@ legacy_consumer_read_config ()
 
 
 int
-legacy_consumer_is_replicationdn(char *dn)
+legacy_consumer_is_replicationdn(const char *dn)
 {
 	int return_value = 0; /* Assume not */
 
diff --git a/ldap/servers/plugins/replication/repl.h b/ldap/servers/plugins/replication/repl.h
index ca0fe05..433be34 100644
--- a/ldap/servers/plugins/replication/repl.h
+++ b/ldap/servers/plugins/replication/repl.h
@@ -405,7 +405,7 @@ int modrdn2reple( Slapi_Entry *e, char *newrdn, int deloldrdn, LDAPMod **ldm );
 
 /* In legacy_consumer.c */
 void process_legacy_cf(Slapi_PBlock *pb);
-int legacy_consumer_is_replicationdn(char *dn);
+int legacy_consumer_is_replicationdn(const char *dn);
 int legacy_consumer_is_replicationpw(struct berval *creds);
 int legacy_consumer_config_init();
 
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 79465e4..b0c95d2 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -134,6 +134,8 @@
 #define MAX_NUM_OF_MASTERS		64
 #define REPL_SESSION_ID_SIZE	64
 
+#define REPL_GET_DN(addrp) slapi_sdn_get_dn((addrp)->sdn)
+
 /* Attribute names for replication agreement attributes */
 extern const char *type_nsds5ReplicaHost;
 extern const char *type_nsds5ReplicaPort;
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 61aa9ba..7bcec79 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -1729,8 +1729,7 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
 	if (NULL != pb)
 	{
 		/* Is the entry within our replicated area? */
-		char *target_dn;
-		Slapi_DN *target_sdn;
+		Slapi_DN *target_sdn = NULL;
 		int change_is_relevant = 0;
 
 		PR_ASSERT(NULL != agmt);
@@ -1741,8 +1740,11 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
 			return;
 		}
 
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &target_dn);
-		target_sdn = slapi_sdn_new_dn_byref(target_dn); /* XXX see if you can avoid allocating this */
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+		if (NULL == target_sdn) {
+			PR_Unlock(agmt->lock);
+			return;
+		}
 
 		if (slapi_sdn_issuffix(target_sdn, agmt->replarea))
 		{
@@ -1799,7 +1801,6 @@ agmt_notify_change(Repl_Agmt *agmt, Slapi_PBlock *pb)
 			}
 		}
 		PR_Unlock(agmt->lock);
-		slapi_sdn_free(&target_sdn);
 		if (change_is_relevant)
 		{
 			/* Notify the protocol that a change has occurred */
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 8cc2cc3..8a98c21 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -184,10 +184,10 @@ agmtlist_add_callback(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *entryAfter,
 
 	rc = add_new_agreement(e);
 	if (0 != rc) {
-		char *dn;
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+		Slapi_DN *sdn = NULL;
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
 		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_add_callback: "
-			"Can't start agreement \"%s\"\n", dn);
+			"Can't start agreement \"%s\"\n", slapi_sdn_get_dn(sdn));
 		*returncode = LDAP_UNWILLING_TO_PERFORM;
 		return SLAPI_DSE_CALLBACK_ERROR;
 	}
@@ -200,7 +200,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
 	int *returncode, char *returntext, void *arg)
 {
 	int i;
-    char *dn;
 	Slapi_DN *sdn = NULL;
 	int start_initialize = 0, stop_initialize = 0, cancel_initialize = 0;
     int update_the_schedule = 0;	/* do we need to update the repl sched? */
@@ -224,13 +223,18 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
         goto done;
     }
 
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-	sdn= slapi_sdn_new_dn_byref(dn);
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if (NULL == sdn) {
+        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, 
+                        "agmtlist_modify_callback: NULL target dn\n");
+        goto done;
+    }
 	agmt = agmtlist_get_by_agmt_name(sdn);
 	if (NULL == agmt)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: received "
-			"a modification for unknown replication agreement \"%s\"\n", dn);
+			"a modification for unknown replication agreement \"%s\"\n", 
+			slapi_sdn_get_dn(sdn));
 		goto done;
 	}
 
@@ -277,7 +281,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
             
                 if (strcasecmp (val, "start") == 0)
                 {                        
-			        start_initialize = 1;
+                    start_initialize = 1;
                 }
                 else if (strcasecmp (val, "stop") == 0)
                 {
@@ -528,8 +532,6 @@ done:
 		agmtlist_release_agmt(agmt);
 	}
 
-    if (sdn)
-	    slapi_sdn_free(&sdn);
 	return rc;
 }
 
diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c
index 0e05973..274a069 100644
--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c
@@ -1423,7 +1423,7 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
 		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 			"%s: replay_update: Sending %s operation (dn=\"%s\" csn=%s)\n",
 			agmt_get_long_name(prp->agmt),
-			op2string(op->operation_type), op->target_address.dn, csn_str);
+			op2string(op->operation_type), REPL_GET_DN(&op->target_address), csn_str);
 		/* What type of operation is it? */
 		switch (op->operation_type)
 		{
@@ -1448,7 +1448,7 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
 				{
 					repl5_strip_fractional_mods(prp->agmt,entryattrs);
 				}
-				return_value = conn_send_add(prp->conn, op->target_address.dn,
+				return_value = conn_send_add(prp->conn, REPL_GET_DN(&op->target_address),
 					entryattrs, update_control, message_id);
 				ldap_mods_free(entryattrs, 1);
 			}
@@ -1460,18 +1460,18 @@ replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op, int *m
 			{
 				repl5_strip_fractional_mods(prp->agmt,op->p.p_modify.modify_mods);
 			}
-			return_value = conn_send_modify(prp->conn, op->target_address.dn,
+			return_value = conn_send_modify(prp->conn, REPL_GET_DN(&op->target_address),
 				op->p.p_modify.modify_mods, update_control, message_id);
 			break;
 		case SLAPI_OPERATION_DELETE:
-			return_value = conn_send_delete(prp->conn, op->target_address.dn,
+			return_value = conn_send_delete(prp->conn, REPL_GET_DN(&op->target_address),
 				update_control, message_id);
 			break;
 		case SLAPI_OPERATION_MODRDN:
 			/* XXXggood need to pass modrdn mods in update control! */
-			return_value = conn_send_rename(prp->conn, op->target_address.dn,
+			return_value = conn_send_rename(prp->conn, REPL_GET_DN(&op->target_address),
 				op->p.p_modrdn.modrdn_newrdn,
-				op->p.p_modrdn.modrdn_newsuperior_address.dn,
+				REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
 				op->p.p_modrdn.modrdn_deloldrdn,
 				update_control, message_id);
 			break;
diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c
index 883c3e6..4e2464c 100644
--- a/ldap/servers/plugins/replication/repl5_init.c
+++ b/ldap/servers/plugins/replication/repl5_init.c
@@ -338,8 +338,8 @@ multimaster_betxnpostop_init( Slapi_PBlock *pb )
 		slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&multimasterbetxnpostopdesc ) != 0 ||
 		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, (void *) multimaster_betxnpostop_modrdn ) != 0 ||
 		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, (void *) multimaster_betxnpostop_delete ) != 0 ||
-		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *) multimaster_betxnpostop_modrdn ) != 0 ||
-		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *) multimaster_betxnpostop_delete ) != 0 )
+		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_ADD_FN, (void *) multimaster_betxnpostop_add ) != 0 ||
+		slapi_pblock_set( pb, SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, (void *) multimaster_betxnpostop_modify ) != 0 )
 	{
 		slapi_log_error( SLAPI_LOG_PLUGIN, repl_plugin_name, "multimaster_betxnpostop_init failed\n" );
 		rc= -1;
diff --git a/ldap/servers/plugins/replication/repl5_mtnode_ext.c b/ldap/servers/plugins/replication/repl5_mtnode_ext.c
index 3043624..dd0d261 100644
--- a/ldap/servers/plugins/replication/repl5_mtnode_ext.c
+++ b/ldap/servers/plugins/replication/repl5_mtnode_ext.c
@@ -197,20 +197,19 @@ replica_get_replica_from_dn (const Slapi_DN *dn)
 
 Object *replica_get_replica_for_op (Slapi_PBlock *pb)
 {
-    char *dn;
-    Slapi_DN *sdn;
+    Slapi_DN *sdn = NULL;
     Object *repl_obj = NULL;
 
     if (pb)
     {
         /* get replica generation for this operation */
-        slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-        sdn = slapi_sdn_new_dn_byref(dn);
+        slapi_pblock_get (pb, SLAPI_TARGET_SDN, &sdn);
+        if (NULL == sdn) {
+            goto bail;
+        }
         repl_obj = replica_get_replica_from_dn (sdn);
-
-        slapi_sdn_free (&sdn);
     }
-
+bail:
     return repl_obj;
 }
 
diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index a036b0a..a0d45fb 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1079,7 +1079,7 @@ write_changelog_and_ruv (Slapi_PBlock *pb)
         		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
 					"write_changelog_and_ruv: can't add a change for "
 					"%s (uniqid: %s, optype: %lu) to changelog csn %s\n",
-					op_params->target_address.dn,
+					REPL_GET_DN(&op_params->target_address),
 					op_params->target_address.uniqueid,
 					op_params->operation_type,
 					csn_as_string(op_params->csn, PR_FALSE, csn_str));
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 2a24f3e..b749848 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -1858,13 +1858,14 @@ static char*
 _replica_get_config_dn (const Slapi_DN *root)
 {
     char *dn;
+    /* "cn=mapping tree,cn=config" */
     const char *mp_base = slapi_get_mapping_tree_config_root ();
 
     PR_ASSERT (root);
 
     /* This function converts the old style DN to the new style. */
-    dn = slapi_create_dn_string("%s,cn=\"%s\",%s", 
-                                REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
+    dn = slapi_ch_smprintf("%s,cn=\"%s\",%s", 
+                           REPLICA_RDN, slapi_sdn_get_dn (root), mp_base);
     return dn;
 }
 
@@ -3120,7 +3121,7 @@ replica_log_ruv_elements_nolock (const Replica *r)
            special target dn */
         memset (&op_params, 0, sizeof (op_params));
         op_params.operation_type = SLAPI_OPERATION_DELETE;
-        op_params.target_address.dn = START_ITERATION_ENTRY_DN;
+        op_params.target_address.sdn = slapi_sdn_new_dn_byval(START_ITERATION_ENTRY_DN);
         op_params.target_address.uniqueid = START_ITERATION_ENTRY_UNIQUEID;
         op_params.csn = csn;
         repl_gen = ruv_get_replica_generation (ruv);
@@ -3132,6 +3133,7 @@ replica_log_ruv_elements_nolock (const Replica *r)
             rc = -1;
 
         slapi_ch_free ((void**)&repl_gen);
+        slapi_sdn_free(&op_params.target_address.sdn);
         csn_free (&csn);
     }
 
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index e31078f..9b36e0d 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -878,10 +878,10 @@ replica_task_done(Replica *replica)
         return rc;
     }
     /* dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config */
-    replica_dn = slapi_create_dn_string("%s,cn=\"%s\",%s",
-                                    REPLICA_RDN,
-                                    slapi_sdn_get_dn(replica_get_root(replica)),
-                                    CONFIG_BASE);
+    replica_dn = slapi_ch_smprintf("%s,cn=\"%s\",%s",
+                                   REPLICA_RDN,
+                                   slapi_sdn_get_dn(replica_get_root(replica)),
+                                   CONFIG_BASE);
     if (NULL == replica_dn) {
         return rc;
     }
diff --git a/ldap/servers/plugins/replication/repl_bind.c b/ldap/servers/plugins/replication/repl_bind.c
index a7eb78c..dbc77a6 100644
--- a/ldap/servers/plugins/replication/repl_bind.c
+++ b/ldap/servers/plugins/replication/repl_bind.c
@@ -51,13 +51,15 @@ int
 legacy_preop_bind( Slapi_PBlock *pb )
 {
     int return_value = 0;
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
 	struct berval *cred = NULL;
 	int method;
     
 	slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
-	slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
+	slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
 	slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred);
+	dn = slapi_sdn_get_dn(sdn);
 
 	if (LDAP_AUTH_SIMPLE == method)
 	{
diff --git a/ldap/servers/plugins/replication/repl_compare.c b/ldap/servers/plugins/replication/repl_compare.c
index acb0d69..3e1878d 100644
--- a/ldap/servers/plugins/replication/repl_compare.c
+++ b/ldap/servers/plugins/replication/repl_compare.c
@@ -48,16 +48,20 @@ int
 legacy_preop_compare( Slapi_PBlock *pb )
 {
 	int is_replicated_operation = 0;
-	char *compare_base = NULL;
 	struct berval **referral = NULL;
 	int return_code = 0;
-	Slapi_DN *basesdn;
+	Slapi_DN *basesdn = NULL;
 
 	slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
-	slapi_pblock_get(pb, SLAPI_COMPARE_TARGET, &compare_base);
-	basesdn= slapi_sdn_new_dn_byref(compare_base);
-    referral = get_data_source(pb, basesdn, 1, NULL);
-	slapi_sdn_free(&basesdn);
+	slapi_pblock_get(pb, SLAPI_COMPARE_TARGET_SDN, &basesdn);
+	if (NULL == basesdn) {
+		slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL,
+				               "Null target DN", 0, NULL );
+
+		return_code = 1;	/* return 1 to prevent further search processing */
+		goto bail;
+	}
+	referral = get_data_source(pb, basesdn, 1, NULL);
 	if (NULL != referral && !is_replicated_operation)
 	{
 		/*
@@ -68,5 +72,6 @@ legacy_preop_compare( Slapi_PBlock *pb )
 		return_code = 1;	/* return 1 to prevent further search processing */
 	}
 	slapi_ch_free((void**)&referral);
+bail:
 	return return_code;
 }
diff --git a/ldap/servers/plugins/replication/repl_connext.c b/ldap/servers/plugins/replication/repl_connext.c
index 0b46c5e..2969b15 100644
--- a/ldap/servers/plugins/replication/repl_connext.c
+++ b/ldap/servers/plugins/replication/repl_connext.c
@@ -97,7 +97,7 @@ void consumer_connection_extension_destructor (void *ext, void *object, void *pa
 				if (NULL != repl_root_sdn)
 				{
 					slapi_pblock_set(pb, SLAPI_CONNECTION, connext->connection);
-					slapi_pblock_set(pb, SLAPI_TARGET_DN, (void*)slapi_sdn_get_dn(repl_root_sdn));
+					slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*)repl_root_sdn);
 					slapi_pblock_get(pb, SLAPI_CONN_ID, &connid);
 					slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 									"Aborting total update in progress for replicated "
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index ffbf2a9..2ff3627 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -947,7 +947,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb)
 		 * But what do we do if mapping tree could not be updated ? */
 
 		/* start the bulk import */
-        slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root);
+        slapi_pblock_set (pb, SLAPI_TARGET_SDN, repl_root_sdn);
         rc = slapi_start_bulk_import (pb);
         if (rc != LDAP_SUCCESS)
         {
@@ -1090,10 +1090,8 @@ send_response:
 	slapi_ch_free((void **)&replicacsnstr);
 
 	/* repl_root_sdn */
-	if (NULL != repl_root_sdn)
-	{
-		slapi_sdn_free(&repl_root_sdn);
-	}
+	slapi_sdn_free(&repl_root_sdn);
+
 	if (NSDS50_REPL_REPLICA_READY != response)
 	{
 		/*
@@ -1163,6 +1161,7 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
 {
 	int return_value = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
 	char *repl_root = NULL;
+	Slapi_DN *repl_root_sdn = NULL;
 	BerElement *resp_bere = NULL;
 	struct berval *resp_bval = NULL;
 	ber_int_t response;
@@ -1208,8 +1207,16 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
 				   enabled again */
 				replica_set_state_flag(r, REPLICA_TOTAL_IN_PROGRESS, PR_TRUE /* clear  flag */);
 
-                slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root);
-				slapi_stop_bulk_import (pb); 
+                /* slapi_pblock_set (pb, SLAPI_TARGET_DN, repl_root); */
+                /* Verify that repl_root names a valid replicated area */
+                if ((repl_root_sdn = slapi_sdn_new_dn_byref(repl_root)) == NULL)
+                {
+                    response = NSDS50_REPL_INTERNAL_ERROR;
+                    goto send_response;
+                }
+                slapi_pblock_set (pb, SLAPI_TARGET_SDN, repl_root_sdn);
+
+                slapi_stop_bulk_import (pb); 
 
                 /* ONREPL - this is a bit of a hack. Once bulk import is finished,
                    the replication function that responds to backend state change 
@@ -1273,7 +1280,7 @@ multimaster_extop_EndNSDS50ReplicationRequest(Slapi_PBlock *pb)
 			goto free_and_return; 
 		}
 	}
-
+send_response:
 	/* Send the response code */
 	if ((resp_bere = der_alloc()) == NULL)
 	{
@@ -1291,6 +1298,8 @@ free_and_return:
 	/* repl_root */
 	slapi_ch_free((void **)&repl_root);
 
+	slapi_sdn_free(&repl_root_sdn);
+
 	/* BerElement */
 	if (NULL != resp_bere)
 	{
diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c
index b828a2a..d0fc1cc 100644
--- a/ldap/servers/plugins/replication/replutil.c
+++ b/ldap/servers/plugins/replication/replutil.c
@@ -523,7 +523,7 @@ IsValidOperation (const slapi_operation_parameters *op)
         return PR_FALSE;
     }
 
-    if (op->target_address.dn == NULL)
+    if (op->target_address.sdn == NULL)
     {
         slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, 
 						"IsValidOperation: NULL entry DN\n");
diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
index 9410423..c611277 100644
--- a/ldap/servers/plugins/replication/urp.c
+++ b/ldap/servers/plugins/replication/urp.c
@@ -59,7 +59,6 @@ static int mod_namingconflict_attr (const char *uniqueid, const char*entrydn, co
 static int del_replconflict_attr (Slapi_Entry *entry, CSN *opcsn, int opflags);
 static char *get_dn_plus_uniqueid(char *sessionid,const char *olddn,const char *uniqueid);
 static char *get_rdn_plus_uniqueid(char *sessionid,const char *olddn,const char *uniqueid);
-static void set_pblock_dn (Slapi_PBlock* pb,int pblock_parameter,char *newdn);
 static int is_suffix_entry (Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_DN **parenddn);
 
 /*
@@ -122,7 +121,8 @@ urp_add_operation( Slapi_PBlock *pb )
 	char sessionid[REPL_SESSION_ID_SIZE];
 	int r;
 	int op_result= 0;
-    int rc= 0; /* OK */
+	int rc= 0; /* OK */
+	Slapi_DN *sdn = NULL;
 
 	if ( slapi_op_abandoned(pb) )
 	{
@@ -206,8 +206,14 @@ urp_add_operation( Slapi_PBlock *pb )
 				 */
 				slapi_value_set_string (*vals, buf);
 			}
-			slapi_entry_set_dn (addentry,slapi_ch_strdup(newdn));
-			set_pblock_dn(pb,SLAPI_ADD_TARGET,newdn); /* consumes newdn */
+			/* slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn); */
+			slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+			slapi_sdn_free(&sdn);
+
+			slapi_entry_set_normdn(addentry, newdn); /* dn: passin */
+
+			sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(addentry));
+			slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, sdn);
 
 			rdn = slapi_rdn_new_sdn ( slapi_entry_get_sdn_const(addentry) );
 			slapi_log_error (slapi_log_urp, sessionid,
@@ -265,7 +271,6 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 	Slapi_Entry *parent_entry;
     Slapi_Entry *new_parent_entry;
 	Slapi_DN *newsuperior = NULL;
-	char *newsuperiordn;
 	Slapi_DN *parentdn = NULL;
 	Slapi_Entry *target_entry;
     Slapi_Entry *existing_entry;
@@ -319,7 +324,7 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 	slapi_pblock_get(pb, SLAPI_TARGET_UNIQUEID, &op_uniqueid);
    	slapi_pblock_get(pb, SLAPI_MODRDN_PARENT_ENTRY, &parent_entry);
    	slapi_pblock_get(pb, SLAPI_MODRDN_NEWPARENT_ENTRY, &new_parent_entry);
-	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn);
+	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior);
 
 	if ( is_tombstone_entry (target_entry) )
 	{
@@ -413,7 +418,7 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 				goto bailout;
 			}
 			mod_namingconflict_attr (op_uniqueid, target_dn, existing_dn, opcsn);
-			set_pblock_dn (pb, SLAPI_MODRDN_NEWRDN, newrdn_with_uniqueid); 
+			slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, newrdn_with_uniqueid); 
 			slapi_log_error(slapi_log_urp, sessionid,
 					"Naming conflict MODRDN. Rename target entry to %s\n",
 					newrdn_with_uniqueid );
@@ -474,8 +479,8 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 
 		/* The new superior entry doesn't exist */
 
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn);
-		if(newsuperiordn == NULL)
+		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior);
+		if(newsuperior == NULL)
 		{
 			/* (new_parent_entry==NULL && newsuperiordn==NULL)
 			 * This is ok - SLAPI_MODRDN_NEWPARENT_ENTRY will
@@ -491,10 +496,9 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 			goto bailout;
 		}
 
-		newsuperior= slapi_sdn_new_dn_byval(newsuperiordn);
-
-		if((0 == slapi_sdn_compare (slapi_entry_get_sdn(parent_entry), newsuperior)) || 
-				is_suffix_dn (pb, newsuperior, &parentdn) )
+		if((0 == slapi_sdn_compare(slapi_entry_get_sdn(parent_entry),
+		                           newsuperior)) || 
+		   is_suffix_dn (pb, newsuperior, &parentdn) )
 		{
 			/*
 			 * The new superior is the same as the current one, or
@@ -521,7 +525,8 @@ urp_modrdn_operation( Slapi_PBlock *pb )
 			 * admin intercession
 			 */
 			slapi_log_error( SLAPI_LOG_FATAL, sessionid,
-				 "Parent %s couldn't be found, nor recreated as a glue entry\n", newsuperiordn );
+				 "Parent %s couldn't be found, nor recreated as a glue entry\n",
+				 slapi_sdn_get_dn(newsuperior) );
 			op_result= LDAP_OPERATIONS_ERROR;
 			slapi_pblock_set(pb, SLAPI_RESULT_CODE, &op_result);
 			rc = -1;
@@ -542,8 +547,6 @@ bailout:
 	}
 	if ( parentdn )
 		slapi_sdn_free(&parentdn);
-	if ( newsuperior )
-		slapi_sdn_free(&newsuperior);
     return rc;
 }
 
@@ -761,9 +764,9 @@ urp_fixup_rename_entry (Slapi_Entry *entry, const char *newrdn, int opflags)
 	 * Must mark this operation as replicated,
 	 * so that the frontend doesn't add extra attributes.
 	 */
-	slapi_rename_internal_set_pb (
+	slapi_rename_internal_set_pb_ext (
 					newpb,
-					slapi_entry_get_dn_const (entry),
+					slapi_entry_get_sdn_const (entry),
 					newrdn, /*NewRDN*/
 					NULL, /*NewSuperior*/
 					0, /* !Delete Old RDNS */
@@ -852,6 +855,7 @@ urp_add_resolve_parententry (Slapi_PBlock *pb, char *sessionid, Slapi_Entry *ent
 	char *newdn = NULL;
 	int ldap_rc;
 	int rc = 0;
+	Slapi_DN *sdn = NULL;
 
 	if( is_suffix_entry (pb, entry, &parentdn) )
 	{
@@ -928,8 +932,15 @@ urp_add_resolve_parententry (Slapi_PBlock *pb, char *sessionid, Slapi_Entry *ent
 	 */
 	add_rdn = slapi_rdn_new_dn(slapi_entry_get_dn_const (entry));
 	newdn = slapi_dn_plus_rdn(slapi_entry_get_dn_const (parententry), slapi_rdn_get_rdn(add_rdn));
-	slapi_entry_set_dn ( entry,slapi_ch_strdup(newdn));
-	set_pblock_dn (pb,SLAPI_ADD_TARGET,newdn); /* consumes newdn */
+	slapi_entry_set_normdn ( entry, newdn );
+
+	/* slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn); */
+	slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
+
+	sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(entry));
+	slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, sdn);
+
 	slapi_log_error ( slapi_log_urp, sessionid,
 			"Parent was renamed. Renamed the child to %s\n", newdn );
 	rc= slapi_setbit_int(rc,SLAPI_RTN_BIT_FETCH_EXISTING_DN_ENTRY);
@@ -1240,15 +1251,6 @@ get_rdn_plus_uniqueid(char *sessionid, const char *olddn, const char *uniqueid)
 	return newrdn;
 }
 
-static void
-set_pblock_dn (Slapi_PBlock* pb,int pblock_parameter,char *newdn)
-{
-	char *olddn;
-	slapi_pblock_get( pb, pblock_parameter, &olddn );
-	slapi_ch_free((void**)&olddn);
-	slapi_pblock_set( pb, pblock_parameter, newdn );
-}
-
 static int
 is_suffix_entry ( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_DN **parentdn )
 {
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 771475b..7e61ff4 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1296,8 +1296,9 @@ process_replay_rename(Private_Repl_Protocol *prp,
 					remote_subtree?remote_subtree:"empty");
 		goto bail;
 	}
+	/* newparent is already normzlized; just ignore the case */
 	norm_newparent = slapi_ch_strdup(newparent);
-	slapi_dn_normalize_case(norm_newparent);
+	slapi_dn_ignore_case(norm_newparent);
 	p = strstr(norm_newparent, local_subtree);
 	if (NULL == p) {
 		slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
@@ -1389,7 +1390,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 		
 	LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_replay_update\n", 0, 0, 0 );
 
-	local_dn = slapi_sdn_new_dn_byref( op->target_address.dn );
+	local_dn = slapi_sdn_dup( op->target_address.sdn );
 
 	/* Since we have the target uniqueid in the op structure, let's
 	 * fetch the local entry here using it. We do not want to search
@@ -1415,7 +1416,8 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 					"%s: windows_replay_update: failed to fetch local entry "
 					"for %s operation dn=\"%s\"\n",
 					agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn);
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address));
 				goto error;
 			}
 			op->operation_type = SLAPI_OPERATION_DELETE;
@@ -1427,12 +1429,14 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 				slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
 					"%s: windows_replay_update: failed to fetch local entry for %s operation dn=\"%s\"\n",
 					agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn);
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address));
 			} else {
 				slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 					"%s: windows_replay_update: Looking at %s operation local dn=\"%s\" (%s)\n",
 					agmt_get_long_name(prp->agmt),
-					op2string(op->operation_type), op->target_address.dn, "ours");
+					op2string(op->operation_type), 
+					REPL_GET_DN(&op->target_address), "ours");
 			}
 			/* Just bail on this change.  We don't want to do any
 			 * further checks since we don't have a local entry. */
@@ -1450,7 +1454,8 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 	slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 		"%s: windows_replay_update: Looking at %s operation local dn=\"%s\" (%s,%s,%s)\n",
 		agmt_get_long_name(prp->agmt),
-		op2string(op->operation_type), op->target_address.dn, is_ours ? "ours" : "not ours", 
+		op2string(op->operation_type), 
+		REPL_GET_DN(&op->target_address), is_ours ? "ours" : "not ours", 
 		is_user ? "user" : "not user", is_group ? "group" : "not group");
 
 	if (is_ours && (is_user || is_group) ) {
@@ -1463,14 +1468,16 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 				"%s: windows_replay_update: failed map dn for %s operation dn=\"%s\""
 				"rc=%d remote_dn = [%s]\n",
 				agmt_get_long_name(prp->agmt),
-				op2string(op->operation_type), op->target_address.dn,
+				op2string(op->operation_type), 
+				REPL_GET_DN(&op->target_address),
 				rc, remote_dn ? slapi_sdn_get_dn(remote_dn) : "(null)");
 			goto error;
 		}
 		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 			"%s: windows_replay_update: Processing %s operation local dn=\"%s\" remote dn=\"%s\"\n",
 			agmt_get_long_name(prp->agmt),
-			op2string(op->operation_type), op->target_address.dn, slapi_sdn_get_dn(remote_dn));
+			op2string(op->operation_type), 
+			REPL_GET_DN(&op->target_address), slapi_sdn_get_dn(remote_dn));
 		switch (op->operation_type) {
 		case SLAPI_OPERATION_ADD:
 			return_value = process_replay_add(prp,op->p.p_add.target_entry,local_entry,local_dn,remote_dn,is_user,missing_entry,&password);
@@ -1584,7 +1591,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
 			{
 			return_value = process_replay_rename(prp, local_entry, local_dn,
 								op->p.p_modrdn.modrdn_newrdn,
-								op->p.p_modrdn.modrdn_newsuperior_address.dn,
+								REPL_GET_DN(&op->p.p_modrdn.modrdn_newsuperior_address),
 								op->p.p_modrdn.modrdn_deloldrdn,
 								is_user, is_group);
 			if (CONN_OPERATION_FAILED == return_value) {
@@ -4446,6 +4453,7 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
 	Slapi_PBlock *pb = NULL;
 	int do_modify = 0;
 	char *newsuperior = NULL;
+	Slapi_DN newsuperior_sdn;
 	const char *newrdn = NULL;
 	int is_user = 0, is_group = 0;
 	const char *newdn = NULL;
@@ -4494,13 +4502,15 @@ windows_update_local_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,
 		slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name, "renaming entry \"%s\" - "
 				"(newrdn: \"%s\", newsuperior: \"%s\"\n", newdn,
 				newrdn ? newrdn:"NULL", newsuperior ? newsuperior:"NULL");
-		slapi_rename_internal_set_pb (pb,
-				   slapi_sdn_get_dn(slapi_entry_get_sdn(local_entry)),
-				   newrdn, newsuperior, 1 /* delete old RDNS */,
+		slapi_sdn_init_dn_byref(&newsuperior_sdn, newsuperior);
+		slapi_rename_internal_set_pb_ext (pb,
+				   slapi_entry_get_sdn(local_entry),
+				   newrdn, &newsuperior_sdn, 1 /* delete old RDNS */,
 				   NULL /* controls */, NULL /* uniqueid */,
 				   repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), 0);
 		slapi_modrdn_internal_pb (pb);
 		slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &retval);
+		slapi_sdn_done(&newsuperior_sdn);
 		slapi_pblock_destroy (pb);
 		if (LDAP_SUCCESS != retval) {
 			slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index 96be617..bacb02a 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -567,7 +567,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     Slapi_Operation     *op = NULL;
     LDAPMod		**modrdn_mods = NULL;
     char *newrdn = NULL;
-    char *newsuperior = NULL;
+    Slapi_DN *newsuperior = NULL;
     Slapi_Backend *be = NULL;
     time_t curtime;
     int rc;
@@ -641,7 +641,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
     	(void)slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &flag );
     	(void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &modrdn_mods );
-	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior); 
+    	(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior ); 
     	break;
     }
 
@@ -649,9 +649,7 @@ int retrocl_postob (Slapi_PBlock *pb,int optype)
     /* check if we should log change to retro changelog, and
      * if so, do it here */
     write_replog_db( pb, optype, dn, log_m, flag, curtime, te,
-		     newrdn, modrdn_mods, newsuperior );
+		     newrdn, modrdn_mods, slapi_sdn_get_dn(newsuperior) );
 
     return 0;
 }
-
-
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 912185d..83d3292 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -785,7 +785,8 @@ static int roles_cache_is_role_entry(struct slapi_entry *entry)
 */
 void roles_cache_change_notify(Slapi_PBlock *pb)
 {
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
 	struct slapi_entry *e = NULL;
 	struct slapi_entry *pre = NULL;
 	struct slapi_entry *entry = NULL;
@@ -814,10 +815,10 @@ void roles_cache_change_notify(Slapi_PBlock *pb)
 		return;
 	}
 
-    slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
-    if( dn == NULL )
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+    if( sdn == NULL )
     {
-		return;
+        return;
     }
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &pb_operation);
@@ -932,6 +933,7 @@ if ( e != NULL )
 
 		if ( top_suffix != NULL )
 		{
+			dn = slapi_sdn_get_dn(sdn);
 			roles_cache_trigger_update_role( slapi_ch_strdup(dn), entry,
 										top_suffix,
 										operation);
diff --git a/ldap/servers/plugins/statechange/statechange.c b/ldap/servers/plugins/statechange/statechange.c
index 3489fba..0653eed 100644
--- a/ldap/servers/plugins/statechange/statechange.c
+++ b/ldap/servers/plugins/statechange/statechange.c
@@ -232,7 +232,8 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
 {
 	SCNotify *notify = head; 
 	int execute;
-	char *dn = NULL;
+	Slapi_DN *sdn = NULL;
+	char *ndn = NULL;
 	struct slapi_entry *e_before = NULL;
 	struct slapi_entry *e_after = NULL;
 
@@ -246,13 +247,13 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
 	slapi_lock_mutex(buffer_lock);
 	if(head)
 	{
-		if(slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ))
-		{
-			slapi_log_error( SLAPI_LOG_FATAL, SCN_PLUGIN_SUBSYSTEM, "statechange_post_op: failed to get dn of changed entry");
+		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+		if (NULL == sdn) {
+			slapi_log_error( SLAPI_LOG_FATAL, SCN_PLUGIN_SUBSYSTEM, 
+			         "statechange_post_op: failed to get dn of changed entry" );
 			goto bail;
 		}
-
-		slapi_dn_normalize( dn );
+		ndn = (char *)slapi_sdn_get_ndn(sdn);
 
 		slapi_pblock_get( pb, SLAPI_ENTRY_PRE_OP, &e_before );
 		slapi_pblock_get( pb, SLAPI_ENTRY_POST_OP, &e_after );
@@ -264,7 +265,7 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
 			/* first dn */
 			if(notify->dn)
 			{
-				if(0 != slapi_dn_issuffix(dn, notify->dn))
+				if(0 != slapi_dn_issuffix(ndn, notify->dn))
 					execute = 1;
 			}
 			else
@@ -290,9 +291,9 @@ static int statechange_post_op( Slapi_PBlock *pb, int modtype )
 			if(execute)
 			{
 				if(e_after)
-					(notify->func)(e_after, dn, modtype, pb, notify->caller_data);
+					(notify->func)(e_after, ndn, modtype, pb, notify->caller_data);
 				else
-					(notify->func)(e_before, dn, modtype, pb, notify->caller_data);
+					(notify->func)(e_before, ndn, modtype, pb, notify->caller_data);
 			}
 
 			notify = notify->next;
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index f6120d6..737c762 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -233,13 +233,14 @@ preop_add(Slapi_PBlock *pb)
     int argc;
     char **argv;
     char **attrName;
-    char *dn;
+    const char *dn;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *e;
     Slapi_Attr *attr;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
-	int is_replicated_operation;
+    int is_replicated_operation;
 
     /*
      * Get the arguments
@@ -263,9 +264,11 @@ preop_add(Slapi_PBlock *pb)
     /*
      * Get the target DN for this add operation
      */
-    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
     if (err) { result = op_error(50); break; }
 
+    dn = slapi_sdn_get_dn(sdn);
+
 #ifdef DEBUG
     slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "ADD target=%s\n", dn);
 #endif
@@ -278,7 +281,7 @@ preop_add(Slapi_PBlock *pb)
     if (err) { result = op_error(51); break; }
 
     for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0; 
-	firstSubtree++, argc--) {}
+          firstSubtree++, argc--) {}
     firstSubtree++;
     argc--;
 
@@ -304,7 +307,7 @@ preop_add(Slapi_PBlock *pb)
        * the target DN is a subnode in the tree.
        */
       for( subtreeDN=firstSubtree, subtreeCnt=argc ;subtreeCnt > 0;
-  	subtreeCnt--,subtreeDN++)
+           subtreeCnt--,subtreeDN++)
       {
         /*
          * issuffix determines whether the target is under the
@@ -378,7 +381,8 @@ preop_modify(Slapi_PBlock *pb)
     LDAPMod **mods;
     LDAPMod **firstMods;
     LDAPMod *mod;
-    char *target;
+    const char *target;
+	Slapi_DN *target_sdn = NULL;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
@@ -407,9 +411,10 @@ preop_modify(Slapi_PBlock *pb)
     if (err) { result = op_error(10); break; }
 
     /* Get the target DN */
-    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &target);
+    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &target_sdn);
     if (err) { result = op_error(11); break; }
 
+    target = slapi_sdn_get_dn(target_sdn);
     /*
      * Look for managed trees that include the target
      * Arguments before "," are the 7-bit clean attribute names.  Arguemnts
@@ -538,14 +543,14 @@ preop_modrdn(Slapi_PBlock *pb)
     int argc;
     char **argv;
     char **attrName;
-    char *target;
-    char *superior;
+    Slapi_DN *target_sdn = NULL;
+    Slapi_DN *superior;
     char *rdn; 
     Slapi_Attr *attr;
     char **firstSubtree;
     char **subtreeDN;
     int subtreeCnt;
-	int is_replicated_operation;
+    int is_replicated_operation;
 
     /*
      * Get the arguments
@@ -567,7 +572,7 @@ preop_modrdn(Slapi_PBlock *pb)
     }
 
     /* Get the DN of the entry being renamed */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &target);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &target_sdn);
     if (err) { result = op_error(22); break; }
 
     /* Get superior value - unimplemented in 3.0 DS */
@@ -579,7 +584,7 @@ preop_modrdn(Slapi_PBlock *pb)
      * its current level in the tree.  Use the target DN for
      * determining which managed tree this belongs to
      */
-    if (!superior) superior = target;
+    if (!superior) superior = target_sdn;
 
     /* Get the new RDN - this has the attribute values */
     err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -649,7 +654,7 @@ preop_modrdn(Slapi_PBlock *pb)
          * issuffix determines whether the target is under the
          * subtree *subtreeDN
          */
-        if (slapi_dn_issuffix(superior, *subtreeDN))
+        if (slapi_dn_issuffix(slapi_sdn_get_dn(superior), *subtreeDN))
         {
 #ifdef DEBUG
           slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
@@ -692,6 +697,7 @@ NS7bitAttr_Init(Slapi_PBlock *pb)
     int argc;
     char **argv;
 
+
     /* Declare plugin version */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION,
             SLAPI_PLUGIN_VERSION_01);
@@ -716,8 +722,11 @@ NS7bitAttr_Init(Slapi_PBlock *pb)
     if (argc == 0) { err = -1; break; }
     argv++; argc--;
 
-    for(;argc > 0;argc--, argv++)
-        slapi_dn_normalize_case(*argv);
+    for(;argc > 0;argc--, argv++) {
+        char *normdn = slapi_create_dn_string_case("%s", *argv);
+        slapi_ch_free_string(argv);
+        *argv = normdn;
+    }
 
     /* Provide descriptive information */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index 92eefa0..9e83009 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -340,28 +340,18 @@ search_one_berval(const char *baseDN, const char *attrName,
        */
       for(;*entries;entries++)
       {
-        char *dn = slapi_entry_get_dn(*entries);
-
-        /*
-         * DNs are returned in the original value used to insert
-         * the entry.  This must be "normalized" for comparison.
-         *
-         * This normalization is done "in-place" (modifying the value
-         * in the entry).  This is OK, since this is the only user
-         * of this copy of the entry.
-         */
-        slapi_dn_normalize_case(dn);
+        char *ndn = slapi_entry_get_ndn(*entries); /* get the normalized dn */
 
 #ifdef DEBUG
         slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
-          "SEARCH entry dn=%s\n", dn);
+          "SEARCH entry dn=%s\n", ndn);
 #endif
 
         /*
          * It is a Constraint Violation if any entry is found, unless
          * the entry is the target entry (if any).
          */
-        if (!target || strcmp(dn, target) != 0)
+        if (!target || strcmp(ndn, target) != 0)
         {
           result = LDAP_CONSTRAINT_VIOLATION;
           break;
@@ -557,7 +547,8 @@ preop_add(Slapi_PBlock *pb)
     int err;
     char *markerObjectClass = NULL;
     char *requiredObjectClass = NULL;
-    char *dn;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     int isupdatedn;
     Slapi_Entry *e;
     Slapi_Attr *attr;
@@ -582,7 +573,7 @@ preop_add(Slapi_PBlock *pb)
         if (UNTAGGED_PARAMETER == result)
         {
           slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, 
-		"ADD parameter untagged: %s\n", attrName);
+                          "ADD parameter untagged: %s\n", attrName);
           result = LDAP_SUCCESS;
           /* Statically defined subtrees to monitor */
           err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGC, &argc);
@@ -599,9 +590,11 @@ preop_add(Slapi_PBlock *pb)
     /*
      * Get the target DN for this add operation
      */
-    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(51); break; }
 
+    dn = slapi_sdn_get_dn(sdn);
+
 #ifdef DEBUG
     slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "ADD target=%s\n", dn);
 #endif
@@ -636,7 +629,7 @@ preop_add(Slapi_PBlock *pb)
         if (NULL != markerObjectClass)
         {
           /* Subtree defined by location of marker object class */
-                result = findSubtreeAndSearch(dn, attrName, attr, NULL,
+                result = findSubtreeAndSearch((char *)dn, attrName, attr, NULL,
                                               requiredObjectClass, dn,
                                               markerObjectClass);
         } else
@@ -710,7 +703,8 @@ preop_modify(Slapi_PBlock *pb)
     int modcount = 0;
     int ii;
     LDAPMod *mod;
-    char *dn;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
     int isupdatedn;
     int argc;
     char **argv = NULL;
@@ -763,53 +757,57 @@ preop_modify(Slapi_PBlock *pb)
     /* find out how many mods meet this criteria */
     for(;*mods;mods++)
     {
-	mod = *mods;
-	if ((slapi_attr_type_cmp(mod->mod_type, attrName, 1) == 0) && /* mod contains target attr */
-	    (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */
-	    (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */
-	    (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */
-	     SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */
-	{
-	  addMod(&checkmods, &checkmodsCapacity, &modcount, mod);
-	}
+        mod = *mods;
+        if ((slapi_attr_type_cmp(mod->mod_type, attrName, 1) == 0) && /* mod contains target attr */
+            (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */
+            (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */
+            (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */
+             SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */
+        {
+          addMod(&checkmods, &checkmodsCapacity, &modcount, mod);
+        }
     }
     if (modcount == 0) {
-	break; /* no mods to check, we are done */
+        break; /* no mods to check, we are done */
     }
 
     /* Get the target DN */
-    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(11); break; }
 
-        /*
-         * Check if it has the required object class
-         */
-        if (requiredObjectClass &&
-                !(spb = dnHasObjectClass(dn, requiredObjectClass))) { break; }
+    dn = slapi_sdn_get_dn(sdn);
+    /*
+     * Check if it has the required object class
+     */
+    if (requiredObjectClass &&
+        !(spb = dnHasObjectClass(dn, requiredObjectClass))) {
+        break;
+    }
 
-        /*
-         * Passed all the requirements - this is an operation we
-         * need to enforce uniqueness on. Now find all parent entries
-         * with the marker object class, and do a search for each one.
-         */
-		/*
-		 * stop checking at first mod that fails the check
-		 */
-		for (ii = 0; (result == 0) && (ii < modcount); ++ii)
-		{
-			mod = checkmods[ii];
-			if (NULL != markerObjectClass)
-			{
-				/* Subtree defined by location of marker object class */
-                result = findSubtreeAndSearch(dn, attrName, NULL, mod->mod_bvalues,
-                                              requiredObjectClass, dn, markerObjectClass);
-			} else
-			{
-				/* Subtrees listed on invocation line */
-				result = searchAllSubtrees(argc, argv, attrName, NULL,
-                                                           mod->mod_bvalues, requiredObjectClass, dn);
-			}
-		}
+    /*
+     * Passed all the requirements - this is an operation we
+     * need to enforce uniqueness on. Now find all parent entries
+     * with the marker object class, and do a search for each one.
+     */
+    /*
+     * stop checking at first mod that fails the check
+     */
+    for (ii = 0; (result == 0) && (ii < modcount); ++ii)
+    {
+        mod = checkmods[ii];
+        if (NULL != markerObjectClass)
+        {
+            /* Subtree defined by location of marker object class */
+            result = findSubtreeAndSearch((char *)dn, attrName, NULL, 
+                                          mod->mod_bvalues, requiredObjectClass,
+                                          dn, markerObjectClass);
+        } else
+        {
+            /* Subtrees listed on invocation line */
+            result = searchAllSubtrees(argc, argv, attrName, NULL,
+                                       mod->mod_bvalues, requiredObjectClass, dn);
+        }
+    }
   END
 
   slapi_ch_free((void **)&checkmods);
@@ -846,7 +844,6 @@ preop_modrdn(Slapi_PBlock *pb)
 {
   int result = LDAP_SUCCESS;
   Slapi_Entry *e = NULL;
-  Slapi_DN *sdn = NULL;
   Slapi_Value *sv_requiredObjectClass = NULL;
   char *errtext = NULL;
   char *attrName = NULL;
@@ -860,8 +857,9 @@ preop_modrdn(Slapi_PBlock *pb)
     int err;
     char *markerObjectClass=NULL;
     char *requiredObjectClass=NULL;
-    char *dn;
-    char *superior;
+    const char *dn = NULL;
+    Slapi_DN *sdn = NULL;
+    Slapi_DN *superior;
     char *rdn;
     int deloldrdn = 0;
     int isupdatedn;
@@ -907,11 +905,10 @@ preop_modrdn(Slapi_PBlock *pb)
     }
 
     /* Get the DN of the entry being renamed */
-    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &dn);
+    err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
     if (err) { result = uid_op_error(31); break; }
 
-    /* Create a Slapi_DN to use for searching. */
-    sdn = slapi_sdn_new_dn_byref(dn);
+    dn = slapi_sdn_get_dn(sdn);
 
     /* Get superior value - unimplemented in 3.0/4.0/5.0 DS */
     err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &superior);
@@ -922,7 +919,7 @@ preop_modrdn(Slapi_PBlock *pb)
      * its current level in the tree.  Use the target DN for
      * determining which managed tree this belongs to
      */
-    if (!superior) superior = dn;
+    if (!superior) superior = sdn;
 
     /* Get the new RDN - this has the attribute values */
     err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -949,7 +946,7 @@ preop_modrdn(Slapi_PBlock *pb)
     }
 
     /* Apply the rename operation to the dummy entry. */
-    err = slapi_entry_rename(e, rdn, deloldrdn, superior);
+    err = slapi_entry_rename(e, rdn, deloldrdn, slapi_sdn_get_dn(superior));
     if (err != LDAP_SUCCESS) { result = uid_op_error(36); break; }
 
         /*
@@ -983,7 +980,6 @@ preop_modrdn(Slapi_PBlock *pb)
         }
   END
   /* Clean-up */
-  slapi_sdn_free(&sdn);
   slapi_value_free(&sv_requiredObjectClass);
   if (e) slapi_entry_free(e);
 
@@ -1048,8 +1044,11 @@ NSUniqueAttr_Init(Slapi_PBlock *pb)
     if (argc < 1) { err = -1; break; }
     argv++; argc--;
 
-    for(;argc > 0;argc--, argv++)
-        slapi_dn_normalize_case(*argv);
+    for(;argc > 0;argc--, argv++) {
+        char *normdn = slapi_create_dn_string_case("%s", *argv);
+        slapi_ch_free_string(argv);
+        *argv = normdn;
+    }
 
     /* Provide descriptive information */
     err = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION,
diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c
index 6ec0246..48b6803 100644
--- a/ldap/servers/plugins/views/views.c
+++ b/ldap/servers/plugins/views/views.c
@@ -1683,6 +1683,7 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
 	int scope = 0;
 	int set_scope = LDAP_SCOPE_SUBTREE;
 	viewEntry *theView = 0;
+	Slapi_DN *basesdn = NULL;
 
 #ifdef _VIEW_DEBUG_FILTERS
 	char outFilter_str[1024];
@@ -1711,7 +1712,8 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
 		goto end;
 
 	/* if base of the search is a view */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &basesdn);
+	base = (char *)slapi_sdn_get_dn(basesdn);
 
 	/* Read lock the cache */
 	views_read_lock();
@@ -1763,8 +1765,11 @@ static int view_search_rewrite_callback(Slapi_PBlock *pb)
 	/* rewrite search scope and base*/
 	slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &set_scope);
 
-	base = slapi_ch_strdup(theView->pSearch_base);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &basesdn);
+	slapi_sdn_free(&basesdn);
+
+	basesdn = slapi_sdn_new_dn_byval(theView->pSearch_base);
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, basesdn);
 
 	/* concatenate the filters */
 	
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 0bf6ef0..eba97b7 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -116,8 +116,7 @@ do_add( Slapi_PBlock *pb )
 	/* get the name */
 	{
 		char *rawdn = NULL;
-		char *dn = NULL;
-		size_t dnlen = 0;
+		Slapi_DN mysdn = {0};
 		if ( ber_scanf( ber, "{a", &rawdn ) == LBER_ERROR ) {
 			slapi_ch_free_string(&rawdn);
 			LDAPDebug( LDAP_DEBUG_ANY,
@@ -140,20 +139,20 @@ do_add( Slapi_PBlock *pb )
 				return;
 			}
 		}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "ADD", rawdn?rawdn:"", "invalid dn");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free_string(&rawdn);
+		slapi_sdn_init_dn_passin(&mysdn, rawdn);
+		if (rawdn && (strlen(rawdn) > 0) &&
+		    (NULL == slapi_sdn_get_dn(&mysdn))) {
+			/* normalization failed */
+			op_shared_log_error_access(pb, "ADD", rawdn, "invalid dn");
+			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+			                 "invalid dn", 0, NULL);
+			slapi_sdn_done(&mysdn);
 			return;
-		} else if (rc > 0) {
-			slapi_ch_free_string(&rawdn);
-		} else { /* rc == 0; rawdn is passed in; not null terminated */
-			*(dn + dnlen) = '\0';
 		}
 		e = slapi_entry_alloc();
-		slapi_entry_init(e,dn,NULL); /* Responsibility for DN is passed to the Entry. */
+		/* Responsibility for DN is passed to the Entry. */
+		slapi_entry_init_ext(e, &mysdn, NULL);
+		slapi_sdn_done(&mysdn);
 	}
 	LDAPDebug( LDAP_DEBUG_ARGS, "	do_add: dn (%s)\n", slapi_entry_get_dn_const(e), 0, 0 );
 
@@ -338,7 +337,7 @@ slapi_add_entry_internal(Slapi_Entry *e, LDAPControl **controls, int dummy)
 
 /*  This is new style API to issue internal add operation.
 	pblock should contain the following data (can be set via call to slapi_add_internal_set_pb):
-	SLAPI_TARGET_DN		set to dn of the new entry
+	SLAPI_TARGET_SDN	set to sdn of the new entry
 	SLAPI_CONTROLS_ARG	set to request controls if present
 	SLAPI_ADD_ENTRY		set to Slapi_Entry to add
 	Beware: The entry is consumed. */
@@ -458,6 +457,7 @@ static void op_shared_add (Slapi_PBlock *pb)
 	char *proxystr = NULL;
 	int proxy_err = LDAP_SUCCESS;
 	char *errtext = NULL;
+	Slapi_DN *sdn = NULL;
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 	slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
@@ -532,7 +532,7 @@ static void op_shared_add (Slapi_PBlock *pb)
 			goto done;
 		}
 	
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, (void*)slapi_sdn_get_ndn(operation_get_target_spec (operation)));
+		slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*)operation_get_target_spec (operation));
 		send_referrals_from_entry(pb,referral);
 		slapi_entry_free(referral);
 		goto done;
@@ -547,16 +547,16 @@ static void op_shared_add (Slapi_PBlock *pb)
 			present_values= attr_get_present_values(attr);
 
 			/* Set the backend in the pblock.  The slapi_access_allowed function
-                         * needs this set to work properly. */
-                        slapi_pblock_set( pb, SLAPI_BACKEND, slapi_be_select( slapi_entry_get_sdn_const(e) ) );
+			 * needs this set to work properly. */
+			slapi_pblock_set( pb, SLAPI_BACKEND, slapi_be_select( slapi_entry_get_sdn_const(e) ) );
 
 			/* Check ACI before checking password syntax */
 			if ( (err = slapi_access_allowed(pb, e, SLAPI_USERPWD_ATTR, NULL,
-                                     SLAPI_ACL_ADD)) != LDAP_SUCCESS) {
-                                send_ldap_result(pb, err, NULL,
-                                              "Insufficient 'add' privilege to the "
-                                              "'userPassword' attribute", 0, NULL);
-                                goto done;
+			                                 SLAPI_ACL_ADD)) != LDAP_SUCCESS) {
+			    send_ldap_result(pb, err, NULL,
+			                     "Insufficient 'add' privilege to the "
+			                     "'userPassword' attribute", 0, NULL);
+			    goto done;
 			}
 
 			/* check password syntax */
@@ -657,30 +657,30 @@ static void op_shared_add (Slapi_PBlock *pb)
 	 * plugins.
 	 */
 	
-	slapi_pblock_set(pb, SLAPI_ADD_TARGET, 
-					 (char*)slapi_sdn_get_ndn(slapi_entry_get_sdn_const(e)));
-	if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN : 
-							SLAPI_PLUGIN_PRE_ADD_FN) == 0)
+	sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(e));
+	slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, (void *)sdn);
+	if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_ADD_FN :
+	                        SLAPI_PLUGIN_PRE_ADD_FN) == 0)
 	{
 		int	rc;
 		Slapi_Entry	*ec;
-		char *add_target_dn;
+		Slapi_DN *add_target_sdn = NULL;
 
 		slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
 		set_db_default_result_handlers(pb);
-
 		/* Remove the unhashed password pseudo-attribute
 		   from the entry before duplicating the entry */
 
 		if (unhashed_password_vals)
 		{
-			slapi_entry_delete_values(e, pwdtype, NULL);			
+			slapi_entry_delete_values(e, pwdtype, NULL);
 		}
-
 		/* because be_add frees the entry */
 		ec = slapi_entry_dup(e);
-		add_target_dn= slapi_ch_strdup(slapi_sdn_get_ndn(slapi_entry_get_sdn_const(ec)));
-    	slapi_pblock_set(pb, SLAPI_ADD_TARGET, add_target_dn);
+		add_target_sdn = slapi_sdn_dup(slapi_entry_get_sdn_const(ec));
+		slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+		slapi_sdn_free(&sdn);
+		slapi_pblock_set(pb, SLAPI_ADD_TARGET_SDN, add_target_sdn);
 		
 		if (be->be_add != NULL)
 		{
@@ -734,9 +734,9 @@ static void op_shared_add (Slapi_PBlock *pb)
 		plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_ADD_FN : 
 							SLAPI_PLUGIN_POST_ADD_FN);
 		slapi_entry_free(ec);
-    	slapi_pblock_get(pb, SLAPI_ADD_TARGET, &add_target_dn);
-		slapi_ch_free((void**)&add_target_dn);
 	}
+	slapi_pblock_get(pb, SLAPI_ADD_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
 
 done:
 	if (be)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 3cca975..d000550 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -57,13 +57,14 @@ char	*attr_deleteoldrdn	= ATTR_DELETEOLDRDN;
 char	*attr_modifiersname = ATTR_MODIFIERSNAME;
 
 /* Forward Declarations */
-static void write_audit_file( int optype, char *dn, void *change, int flag, time_t curtime );
+static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
 
 void
 write_audit_log_entry( Slapi_PBlock *pb )
 {
     time_t curtime;
-    char *dn;
+    Slapi_DN *sdn;
+    const char *dn;
     void *change;
 	int flag = 0;
 	Operation *op;
@@ -75,27 +76,13 @@ write_audit_log_entry( Slapi_PBlock *pb )
 	}
 
 	slapi_pblock_get( pb, SLAPI_OPERATION, &op );
-    slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+    slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
     switch ( operation_get_type(op) )
 	{
     case SLAPI_OPERATION_MODIFY:
 	    slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
     	break;
-    case SLAPI_OPERATION_ADD:
-	    {
-    	/*
-    	 * For adds, we want the unnormalized dn, so we can preserve
-    	 * spacing, case, when replicating it.
-    	 */
-        Slapi_Entry *te = NULL;
-    	slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &change );
-    	te = (Slapi_Entry *)change;
-    	if ( NULL != te )
-		{
-    	    dn = slapi_entry_get_dn( te );
-    	}
-		}
-    	break;
     case SLAPI_OPERATION_DELETE:
 		{
 		char * deleterDN = NULL;
@@ -129,7 +116,7 @@ write_audit_log_entry( Slapi_PBlock *pb )
 static void
 write_audit_file(
     int			optype,
-    char		*dn,
+    const char	*dn,
     void		*change,
     int			flag,
     time_t		curtime
diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c
index ff9921a..3d09bb3 100644
--- a/ldap/servers/slapd/back-ldbm/cache.c
+++ b/ldap/servers/slapd/back-ldbm/cache.c
@@ -536,7 +536,9 @@ int cache_init(struct cache *cache, size_t maxsize, long maxentries, int type)
     } else {
         LDAPDebug0Args(LDAP_DEBUG_ANY, 
                       "cache_init: slapi counter is not available.\n");
-        return 0;
+        cache->c_cursize = NULL;
+        cache->c_hits = NULL;
+        cache->c_tries = NULL;
     }
     cache->c_lruhead = cache->c_lrutail = NULL;
     cache_make_hashes(cache, type);
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 0e5804c..7f7d0ca 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -2815,7 +2815,6 @@ int
 dblayer_remove_env(struct ldbminfo *li)
 {
     DB_ENV *env = NULL;
-    dblayer_private *priv = NULL;
     char *home_dir = NULL;
     int rc = db_env_create(&env, 0);
     if (rc) {
@@ -2827,7 +2826,6 @@ dblayer_remove_env(struct ldbminfo *li)
         LDAPDebug0Args(LDAP_DEBUG_ANY, "ERROR -- No ldbm info is given\n");
         return -1;
     }
-    priv = (dblayer_private *)li->li_dblayer_private;
 
     home_dir = dblayer_get_home_dir(li, NULL);
     if (home_dir) {
diff --git a/ldap/servers/slapd/back-ldbm/dn2entry.c b/ldap/servers/slapd/back-ldbm/dn2entry.c
index 4d6dc7c..99a9f47 100644
--- a/ldap/servers/slapd/back-ldbm/dn2entry.c
+++ b/ldap/servers/slapd/back-ldbm/dn2entry.c
@@ -182,13 +182,11 @@ dn2ancestor(
         Slapi_DN ancestorndn;
         const char *ptr;
 
-        /* assign ancestordn to the parent of the given dn - ancestordn will contain
-           the "raw" unnormalized DN from the caller, so we can give back the DN
-           in the same format as we received it */
+        /* assign ancestordn to the parent of the given dn */
         ptr = slapi_dn_find_parent(slapi_sdn_get_dn(sdn));
         /* assign the ancestordn dn pointer to the parent of dn from sdn - sdn "owns"
            the memory, but ancestordn points to it */
-        slapi_sdn_set_dn_byref(ancestordn, ptr); /* free any previous contents */
+        slapi_sdn_set_normdn_byref(ancestordn, ptr); /* free any previous contents */
         /* now, do the same for the normalized version */
         /* ancestorndn holds the normalized version for iteration purposes and
            because dn2entry needs the normalized dn */
@@ -221,7 +219,7 @@ dn2ancestor(
                 slapi_sdn_set_ndn_byref(&ancestorndn, ptr); /* wipe out the previous contents */
                 /* now do the same for the unnormalized one */
                 ptr = slapi_dn_find_parent(slapi_sdn_get_dn(ancestordn));
-                slapi_sdn_set_dn_byref(ancestordn, ptr); /* wipe out the previous contents */
+                slapi_sdn_set_normdn_byref(ancestordn, ptr); /* wipe out the previous contents */
             }
         }
 
@@ -256,17 +254,20 @@ get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, in
 	}
 	else
 	{
-		Slapi_DN sdn;
-		slapi_sdn_init_dn_byref (&sdn, addr->dn); /* We assume that the DN is not normalized */
-		entry = dn2entry( be, &sdn, txn, &err );
-		slapi_sdn_done (&sdn);
+		if (addr->sdn) {
+			entry = dn2entry( be, addr->sdn, txn, &err );
+		} else {
+			err = 1;
+		}
 	}
 	if ( 0 != err && DB_NOTFOUND != err )
 	{
 		if(must_exist)
 		{
-			LDAPDebug( LDAP_DEBUG_ANY, "Operation error fetching %s (%s), error %d.\n", 
-				       addr->dn, (addr->uniqueid==NULL?"null":addr->uniqueid), err );
+			LDAPDebug( LDAP_DEBUG_ANY,
+			           "Operation error fetching %s (%s), error %d.\n", 
+			           addr->sdn?slapi_sdn_get_dn(addr->sdn):"Null DN",
+			           (addr->uniqueid==NULL?"null":addr->uniqueid), err );
 		}
 		if ( LDAP_INVALID_DN_SYNTAX == err ) {
 			rc = LDAP_INVALID_DN_SYNTAX; /* respect the error */
@@ -280,9 +281,9 @@ get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, in
 		if(entry!=NULL)
 		{
 			ldbm_instance *inst;
-	    	slapi_pblock_set( pb, plock_parameter, slapi_entry_dup(entry->ep_entry));
+			slapi_pblock_set( pb, plock_parameter, slapi_entry_dup(entry->ep_entry));
 			inst = (ldbm_instance *) be->be_instance_info;
-		    CACHE_RETURN( &inst->inst_cache, &entry );
+			CACHE_RETURN( &inst->inst_cache, &entry );
 		}
 	}
 	/* JCMREPL - Free the backentry? */
diff --git a/ldap/servers/slapd/back-ldbm/findentry.c b/ldap/servers/slapd/back-ldbm/findentry.c
index 9c076f8..d1cee86 100644
--- a/ldap/servers/slapd/back-ldbm/findentry.c
+++ b/ldap/servers/slapd/back-ldbm/findentry.c
@@ -276,17 +276,21 @@ find_entry_internal(
 	}
 	else
 	{
-		Slapi_DN sdn;
-		struct backentry *entry;
+		struct backentry *entry = NULL;
 
-		slapi_sdn_init_dn_ndn_byref (&sdn, addr->dn); /* normalized by front end */
 		LDAPDebug( LDAP_DEBUG_TRACE, "=> find_entry_internal (dn=%s) lock %d\n",
-				   addr->dn, lock, 0 );
-		entry = find_entry_internal_dn (pb, be, &sdn, lock, txn, really_internal);
-		slapi_sdn_done (&sdn);
+		           slapi_sdn_get_dn(addr->sdn), lock, 0 );
+		if (addr->sdn) {
+			entry = find_entry_internal_dn (pb, be, addr->sdn, 
+			                                lock, txn, really_internal);
+		} else {
+			LDAPDebug0Args( LDAP_DEBUG_ANY,
+			                "find_entry_internal: Null target dn\n" );
+		}
+
+		LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= find_entry_internal\n" );
 		return entry;
 	}
-	
 }
 
 struct backentry *
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c b/ldap/servers/slapd/back-ldbm/id2entry.c
index 432f80a..bfea99e 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -373,40 +373,40 @@ id2entry( backend *be, ID id, back_txn *txn, int *err  )
             /* data.dptr may not include rdn: ..., try "dn: ..." */
             ee = slapi_str2entry( data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN );
         } else {
-            char *dn = NULL;
+            char *normdn = NULL;
             struct backdn *bdn = dncache_find_id(&inst->inst_dncache, id);
             if (bdn) {
-                dn = slapi_ch_strdup(slapi_sdn_get_dn(bdn->dn_sdn));
+                normdn = slapi_ch_strdup(slapi_sdn_get_dn(bdn->dn_sdn));
                 slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
-                                "dncache_find_id returned: %s\n", dn);
+                                "dncache_find_id returned: %s\n", normdn);
                 CACHE_RETURN(&inst->inst_dncache, &bdn);
             } else {
                 Slapi_DN *sdn = NULL;
-                rc = entryrdn_lookup_dn(be, rdn, id, &dn, txn);
+                rc = entryrdn_lookup_dn(be, rdn, id, &normdn, txn);
                 if (rc) {
                     slapi_log_error(SLAPI_LOG_TRACE, ID2ENTRY,
                                     "id2entry: entryrdn look up failed "
                                     "(rdn=%s, ID=%d)\n", rdn, id);
                     /* Try rdn as dn. Could be RUV. */
-                    dn = slapi_ch_strdup(rdn);
+                    normdn = slapi_ch_strdup(rdn);
                 }
-                sdn = slapi_sdn_new_dn_byval((const char *)dn);
+                sdn = slapi_sdn_new_normdn_byval((const char *)normdn);
                 bdn = backdn_init(sdn, id, 0);
                 if (CACHE_ADD( &inst->inst_dncache, bdn, NULL )) {
                     backdn_free(&bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
-                                    "%s is already in the dn cache\n", dn);
+                                    "%s is already in the dn cache\n", normdn);
                 } else {
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, ID2ENTRY,
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache (id %d)\n", dn, id);
+                                    "and set to dn cache (id %d)\n", normdn, id);
                 }
             }
-            ee = slapi_str2entry_ext( (const char *)dn, data.dptr, 
+            ee = slapi_str2entry_ext( (const char *)normdn, data.dptr, 
                                       SLAPI_STR2ENTRY_NO_ENTRYDN );
             slapi_ch_free_string(&rdn);
-            slapi_ch_free_string(&dn);
+            slapi_ch_free_string(&normdn);
         }
     } else {
         ee = slapi_str2entry( data.dptr, 0 );
diff --git a/ldap/servers/slapd/back-ldbm/idl_common.c b/ldap/servers/slapd/back-ldbm/idl_common.c
index 593a036..f04f8de 100644
--- a/ldap/servers/slapd/back-ldbm/idl_common.c
+++ b/ldap/servers/slapd/back-ldbm/idl_common.c
@@ -133,7 +133,7 @@ idl_append_extend(IDList **orig_idl, ID id)
 	IDList *idl = *orig_idl;
 
 	if (idl == NULL) {
-		idl = idl_alloc(1);
+		idl = idl_alloc(32); /* used to be 0 */
 		idl_append(idl, id);
 
 		*orig_idl = idl;
@@ -151,9 +151,7 @@ idl_append_extend(IDList **orig_idl, ID id)
 		}
 		/* copy over the existing contents */
 		idl_new->b_nids = idl->b_nids;
-		for (x = 0; x < idl->b_nids;x++) {
-			idl_new->b_ids[x] = idl->b_ids[x];
-		}
+		memcpy(idl_new->b_ids, idl->b_ids, sizeof(ID) * idl->b_nids);
 		idl_free(idl);
 		idl = idl_new;
 	}
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 207c470..e95d32f 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -521,6 +521,7 @@ import_producer(void *param)
         if (!(str2entry_flags & SLAPI_STR2ENTRY_INCLUDE_VERSION_STR) &&
             entryrdn_get_switch()) { /* subtree-rename: on */
             char *dn = NULL;
+            char *normdn = NULL;
             int rc = 0; /* estr should start with "dn: " or "dn:: " */
             if (strncmp(estr, "dn: ", 4) &&
                 NULL == strstr(estr, "\ndn: ") && /* in case comments precedes
@@ -541,8 +542,11 @@ import_producer(void *param)
                 FREE(estr);
                 continue;
             }
-            e = slapi_str2entry_ext(dn, estr, flags|SLAPI_STR2ENTRY_NO_ENTRYDN);
+            normdn = slapi_create_dn_string("%s", dn);
             slapi_ch_free_string(&dn);
+            e = slapi_str2entry_ext(normdn, estr, 
+                                    flags|SLAPI_STR2ENTRY_NO_ENTRYDN);
+            slapi_ch_free_string(&normdn);
         } else {
             e = slapi_str2entry(estr, flags);
         }
@@ -1038,16 +1042,16 @@ index_producer(void *param)
                     }
                 }
             } else {
-                char *dn = NULL;
+                char *normdn = NULL;
                 struct backdn *bdn = 
                                   dncache_find_id(&inst->inst_dncache, temp_id);
                 if (bdn) {
                     /* don't free dn */
-                    dn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
+                    normdn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                 } else {
                     Slapi_DN *sdn = NULL;
-                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &dn, NULL);
+                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &normdn, NULL);
                     if (rc) {
                         /* We cannot use the entryrdn index;
                          * Compose dn from the entries in id2entry */
@@ -1090,21 +1094,21 @@ index_producer(void *param)
                                 continue;
                             }
                         }
-                        dn = slapi_ch_smprintf("%s%s%s",
+                        normdn = slapi_ch_smprintf("%s%s%s",
                                                rdn, pdn?",":"", pdn?pdn:"");
                         slapi_ch_free_string(&pdn);
                     }
                     /* dn is not dup'ed in slapi_sdn_new_dn_byref.
                      * It's set to bdn and put in the dn cache. */
-                    sdn = slapi_sdn_new_dn_byref(dn);
+                    sdn = slapi_sdn_new_normdn_byref(normdn);
                     bdn = backdn_init(sdn, temp_id, 0);
                     CACHE_ADD( &inst->inst_dncache, bdn, NULL );
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, "ldbm2index",
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache\n", dn);
+                                    "and set to dn cache\n", normdn);
                 }
-                e = slapi_str2entry_ext(dn, data.dptr, 
+                e = slapi_str2entry_ext(normdn, data.dptr, 
                                         SLAPI_STR2ENTRY_NO_ENTRYDN);
                 slapi_ch_free_string(&rdn);
             }
@@ -1283,7 +1287,7 @@ upgradedn_producer(void *param)
     struct upgradedn_attr *ud_ptr = NULL;
     Slapi_Attr *ud_attr = NULL;
     char *ecopy = NULL;
-    char *dn = NULL;
+    const char *normdn = NULL;
 
     /* vars for Berkeley DB */
     DB_ENV *env = NULL;
@@ -1384,7 +1388,7 @@ upgradedn_producer(void *param)
         ecopy = (char *)slapi_ch_malloc(data.dsize + 1);
         memcpy(ecopy, data.dptr, data.dsize);
         *(ecopy + data.dsize) = '\0';
-        dn = NULL;
+        normdn = NULL;
         doit = 0;
         if (entryrdn_get_switch()) {
             char *rdn = NULL;
@@ -1400,10 +1404,11 @@ upgradedn_producer(void *param)
                                   dncache_find_id(&inst->inst_dncache, temp_id);
                 if (bdn) {
                     /* don't free dn */
-                    dn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
+                    normdn = (char *)slapi_sdn_get_dn(bdn->dn_sdn);
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                 } else {
-                    rc = entryrdn_lookup_dn(be, rdn, temp_id, &dn, NULL);
+                    rc = entryrdn_lookup_dn(be, rdn, temp_id,
+                                            (char **)&normdn, NULL);
                     if (rc) {
                         /* We cannot use the entryrdn index;
                          * Compose dn from the entries in id2entry */
@@ -1446,21 +1451,21 @@ upgradedn_producer(void *param)
                                 continue;
                             }
                         }
-                        dn = slapi_ch_smprintf("%s%s%s",
+                        normdn = slapi_ch_smprintf("%s%s%s",
                                                rdn, pdn?",":"", pdn?pdn:"");
                         slapi_ch_free_string(&pdn);
                     }
                     /* dn is not dup'ed in slapi_sdn_new_dn_byref.
                      * It's set to bdn and put in the dn cache. */
-                    sdn = slapi_sdn_new_dn_byref(dn);
+                    sdn = slapi_sdn_new_normdn_byref(normdn);
                     bdn = backdn_init(sdn, temp_id, 0);
                     CACHE_ADD( &inst->inst_dncache, bdn, NULL );
                     CACHE_RETURN(&inst->inst_dncache, &bdn);
                     slapi_log_error(SLAPI_LOG_CACHE, "ldbm2index",
                                     "entryrdn_lookup_dn returned: %s, "
-                                    "and set to dn cache\n", dn);
+                                    "and set to dn cache\n", normdn);
                 }
-                e = slapi_str2entry_ext(dn, data.dptr, 
+                e = slapi_str2entry_ext(normdn, data.dptr, 
                                         SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT);
                 slapi_ch_free_string(&rdn);
             }
@@ -1485,23 +1490,13 @@ upgradedn_producer(void *param)
          * SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT
          * -- normalize it with the new format
          */
-        if (!dn) {
-            get_value_from_string((const char *)ecopy, "dn", &dn);
+        if (!normdn) {
+            get_value_from_string((const char *)ecopy, "dn", (char **)&normdn);
         }
-        if (dn) {
-            char *dest = NULL;
-            size_t dest_len = 0;
-
-            rc = slapi_dn_normalize_ext(dn, strlen(dn), &dest, &dest_len);
-            if (rc > 0) {
-                slapi_ch_free_string(&dn);
-                dn = dest;
-            } else {
-                *(dn + dest_len) = '\0'; /* src is passed in; 
-                                             it's possible dn_len < dest_len */
-            }
+        if (normdn) {
             slapi_sdn_done(&(e->e_sdn));
-            slapi_sdn_init_dn_passin(&(e->e_sdn), dn);
+            slapi_sdn_init_dn_passin(&(e->e_sdn), normdn);
+            normdn = slapi_sdn_get_dn(&(e->e_sdn));
         }
 
         /* From here, e != NULL */
@@ -1559,7 +1554,7 @@ upgradedn_producer(void *param)
                 if (rc) {
                     LDAPDebug(LDAP_DEBUG_ANY, "%s: Failed to add rdn values "
                               "to an entry: %s (id %lu)\n",
-                              inst->inst_name, dn, (u_long)temp_id);
+                              inst->inst_name, normdn, (u_long)temp_id);
                     slapi_entry_free(e); e = NULL;
                     continue;
                 }
@@ -1636,7 +1631,7 @@ upgradedn_producer(void *param)
                                 LDAPDebug(LDAP_DEBUG_ANY,
                                           "%s: Failed to add rdn values "
                                           "to an entry: %s (id %lu)\n",
-                                          inst->inst_name, dn, (u_long)temp_id);
+                                          inst->inst_name, normdn, (u_long)temp_id);
                                 slapi_entry_free(e); e = NULL;
                                 continue;
                             }
@@ -2251,12 +2246,11 @@ import_foreman(void *param)
                 char *new_dn = NULL;
                 char *orig_dn = 
                       slapi_ch_strdup(slapi_entry_get_dn(fi->entry->ep_entry));
-                int rc = 0;
                 nsuniqueid = attrlist_find(fi->entry->ep_entry->e_attrs,
                                            "nsuniqueid");
                 if (nsuniqueid) {
                     Slapi_Value *uival = NULL;
-                    rc = slapi_attr_first_value(nsuniqueid, &uival);
+                    slapi_attr_first_value(nsuniqueid, &uival);
                     uuidstr = slapi_value_get_string(uival);
                 } else {
                     import_log_notice(job, "ERROR: Failed to get nsUniqueId "
@@ -3453,9 +3447,8 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
 {
     int rc = -1;
     struct backdn *bdn = NULL;
-    struct ldbminfo  *li = NULL;
     Slapi_Entry *e = NULL;
-    char *dn = NULL;
+    char *normdn = NULL;
 
     if (!entryrdn_get_switch()) { /* entryrdn specific function */
         return rc;
@@ -3466,7 +3459,6 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
                         NULL==inst?"inst":"srdn");
         return rc;
     }
-    li = inst->inst_li;
 
     /* first, try the dn cache */
     bdn = dncache_find_id(&inst->inst_dncache, id);
@@ -3563,8 +3555,8 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
             }
         }
 
-        dn = NULL;
-        rc = slapi_rdn_get_dn(&mysrdn, &dn);
+        normdn = NULL;
+        rc = slapi_rdn_get_dn(&mysrdn, &normdn);
         if (rc) {
             LDAPDebug2Args( LDAP_DEBUG_ANY,
                                 "import_get_and_add_parent_rdns: "
@@ -3572,7 +3564,7 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
                                 "from Slapi_RDN\n", rdn, id);
             goto bail;
         }
-        e = slapi_str2entry_ext(dn, data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN);
+        e = slapi_str2entry_ext(normdn, data.dptr, SLAPI_STR2ENTRY_NO_ENTRYDN);
         (*curr_entry)++;
         rc = index_set_entry_to_fifo(info, e, id, total_id, *curr_entry);
         if (rc) {
diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
index 74a01a8..0217e96 100644
--- a/ldap/servers/slapd/back-ldbm/instance.c
+++ b/ldap/servers/slapd/back-ldbm/instance.c
@@ -141,6 +141,7 @@ int ldbm_instance_create(backend *be, char *name)
     goto done;
 
 error:
+    slapi_ch_free_string(&inst->inst_name);
     slapi_ch_free((void**)&inst);
 
 done:
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index 5ade337..d2e89a9 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -79,7 +79,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 	backend *be;
 	struct ldbminfo *li;
 	ldbm_instance *inst;
-	char *dn = NULL;
+	const char *dn = NULL;
 	Slapi_Entry	*e = NULL;
 	struct backentry *tombstoneentry = NULL;
 	struct backentry *addingentry = NULL;
@@ -105,7 +105,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 	int addingentry_id_assigned= 0;
 	int addingentry_in_cache= 0;
 	int tombstone_in_cache= 0;
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
 	Slapi_DN parentsdn;
 	Slapi_Operation *operation;
 	int dblock_acquired= 0;
@@ -134,7 +134,6 @@ ldbm_back_add( Slapi_PBlock *pb )
 	inst = (ldbm_instance *) be->be_instance_info;
 		
 	/* sdn & parentsdn need to be initialized before "goto *_return" */
-	slapi_sdn_init(&sdn);
 	slapi_sdn_init(&parentsdn);
 	
 	/* Get rid of ldbm backend attributes that you are not allowed to specify yourself */
@@ -195,17 +194,21 @@ ldbm_back_add( Slapi_PBlock *pb )
 		{
 			/* Check if an entry with the intended uniqueid already exists. */
 			done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_UNIQUEID_ENTRY); /* Could be through this multiple times */
-			addr.dn = addr.udn = NULL;
+			addr.udn = NULL;
+			addr.sdn = NULL;
 			addr.uniqueid = (char*)slapi_entry_get_uniqueid(e); /* jcm -  cast away const */
 			ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_EXISTING_UNIQUEID_ENTRY, !is_replicated_operation);
 		}
 		if(slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_EXISTING_DN_ENTRY))
 		{
-			slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-			if (NULL == dn)
+			slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn );
+			if (NULL == sdn)
 			{
+				LDAPDebug0Args(LDAP_DEBUG_ANY,
+				               "ldbm_back_add: Null target dn\n");
 				goto error_return;
 			}
+			dn = slapi_sdn_get_dn(sdn);
 			ldap_result_code = slapi_dn_syntax_check(pb, dn, 1);
 			if (ldap_result_code)
 			{
@@ -213,11 +216,10 @@ ldbm_back_add( Slapi_PBlock *pb )
 				slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
 				goto error_return;
 			}
-			slapi_sdn_set_dn_byref(&sdn, dn);
-			slapi_sdn_get_backend_parent(&sdn,&parentsdn,pb->pb_backend);
+			slapi_sdn_get_backend_parent(sdn, &parentsdn, pb->pb_backend);
 			/* Check if an entry with the intended DN already exists. */
 			done_with_pblock_entry(pb,SLAPI_ADD_EXISTING_DN_ENTRY); /* Could be through this multiple times */
-			addr.dn = dn;
+			addr.sdn = sdn;
 			addr.udn = NULL;
 			addr.uniqueid = NULL;
 			ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_EXISTING_DN_ENTRY, !is_replicated_operation);
@@ -233,7 +235,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 		   slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_PARENT_ENTRY))
 		{
 			done_with_pblock_entry(pb,SLAPI_ADD_PARENT_ENTRY); /* Could be through this multiple times */
-			addr.dn = (char*)slapi_sdn_get_dn (&parentsdn); /* get_copy_of_entry assumes the DN is not normalized */
+			addr.sdn = &parentsdn;
 			addr.udn = NULL;
 			addr.uniqueid = operation->o_params.p.p_add.parentuniqueid;
 			ldap_result_code= get_copy_of_entry(pb, &addr, &txn, SLAPI_ADD_PARENT_ENTRY, !is_replicated_operation);
@@ -273,7 +275,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 	 */
 	if(have_parent_address(&parentsdn, operation->o_params.p.p_add.parentuniqueid))
 	{
-		addr.dn = (char*)slapi_sdn_get_dn (&parentsdn);
+		addr.sdn = &parentsdn;
 		addr.udn = NULL;
 		addr.uniqueid = operation->o_params.p.p_add.parentuniqueid;
 		parententry = find_entry2modify_only(pb,be,&addr,&txn);
@@ -313,7 +315,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 				int err= 0;
 				Slapi_DN ancestordn= {0};
 				struct backentry *ancestorentry;
-				ancestorentry= dn2ancestor(pb->pb_backend,&sdn,&ancestordn,&txn,&err);
+				ancestorentry= dn2ancestor(pb->pb_backend,sdn,&ancestordn,&txn,&err);
 				slapi_sdn_done(&ancestordn);
 				if ( ancestorentry != NULL )
 				{
@@ -355,7 +357,8 @@ ldbm_back_add( Slapi_PBlock *pb )
 		 * When we resurect a tombstone we must use its UniqueID
 		 * to find the tombstone entry and lock it down in the cache.
 		 */
-		addr.dn = addr.udn = NULL;
+		addr.udn = NULL;
+		addr.sdn = NULL;
 		addr.uniqueid = (char *)slapi_entry_get_uniqueid(e); /* jcm - cast away const */
 		tombstoneentry = find_entry2modify( pb, be, &addr, &txn );
 		if ( tombstoneentry==NULL )
@@ -368,7 +371,7 @@ ldbm_back_add( Slapi_PBlock *pb )
 		addingentry = backentry_dup( tombstoneentry );
 		if ( addingentry==NULL )
 		{
-		   	ldap_result_code= LDAP_OPERATIONS_ERROR;
+			ldap_result_code= LDAP_OPERATIONS_ERROR;
 			goto error_return;
 		}
 		/*
@@ -378,8 +381,11 @@ ldbm_back_add( Slapi_PBlock *pb )
 		 * The entry comes back to life as a Glue entry, so we add the
 		 * magic objectclass.
 		 */
-		slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn );
-		slapi_sdn_set_dn_byref(&sdn, dn);
+		if (NULL == sdn) {
+			LDAPDebug0Args(LDAP_DEBUG_ANY, "ldbm_back_add: Null target dn\n");
+			goto error_return;
+		}
+		dn = slapi_sdn_get_dn(sdn);
 		slapi_entry_set_dn(addingentry->ep_entry, slapi_ch_strdup(dn)); /* The DN is passed into the entry. */
 		/* LPREPL: the DN is normalized...Somehow who should get a not normalized one */
 		addingentry->ep_id = slapi_entry_attr_get_ulong(addingentry->ep_entry,"entryid");
@@ -742,7 +748,11 @@ ldbm_back_add( Slapi_PBlock *pb )
 				}
 				goto error_return; 
 			}
-			retval = index_addordel_string(be,SLAPI_ATTR_NSCP_ENTRYDN,slapi_sdn_get_ndn(&sdn),addingentry->ep_id,BE_INDEX_DEL,&txn);
+			retval = index_addordel_string(be,
+			                               SLAPI_ATTR_NSCP_ENTRYDN,
+			                               slapi_sdn_get_ndn(sdn),
+			                               addingentry->ep_id,
+			                               BE_INDEX_DEL, &txn);
 			if (DB_LOCK_DEADLOCK == retval) {
 				LDAPDebug( LDAP_DEBUG_ARGS, "add 4 DB_LOCK_DEADLOCK\n", 0, 0, 0 );
 				/* Retry txn */
@@ -1011,7 +1021,6 @@ common_return:
 	{
 		slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL );
 	}
-	slapi_sdn_done(&sdn);
 	slapi_sdn_done(&parentsdn);
 	slapi_ch_free( (void**)&ldap_result_matcheddn );
 	slapi_ch_free( (void**)&errbuf );
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 83dbddd..c9ad9b6 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -1344,20 +1344,21 @@ void ldbm_config_setup_default(struct ldbminfo *li)
     }
 }
 
-void
+int
 ldbm_config_read_instance_entries(struct ldbminfo *li, const char *backend_type)
 {
     Slapi_PBlock *tmp_pb;
     Slapi_Entry **entries = NULL;
     char *basedn = NULL;
+    int rc = 0;
 
     /* Construct the base dn of the subtree that holds the instance entries. */
     basedn = slapi_create_dn_string("cn=%s,cn=plugins,cn=config", backend_type);
     if (NULL == basedn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "ldbm_config_read_instance_entries: "
-                      "failed create backend dn for %s\n", backend_type);
-        return;
+                      "failed to create backend dn for %s\n", backend_type);
+        return 1;
     }
 
     /* Do a search of the subtree containing the instance entries */
@@ -1368,13 +1369,24 @@ ldbm_config_read_instance_entries(struct ldbminfo *li, const char *backend_type)
     if (entries!=NULL) {
         int i;
         for (i=0; entries[i]!=NULL; i++) {
-            ldbm_instance_add_instance_entry_callback(NULL, entries[i], NULL, NULL, NULL, li);
+            rc = ldbm_instance_add_instance_entry_callback(NULL,
+                                             entries[i], NULL, NULL, NULL, li);
+            if (SLAPI_DSE_CALLBACK_ERROR == rc) {
+                LDAPDebug1Arg(LDAP_DEBUG_ANY,
+                      "ldbm_config_read_instance_entries: "
+                      "failed to add instance entry %s\n", 
+                      slapi_entry_get_dn_const(entries[i]));
+                break;
+            }
+            rc = 0;
         }
     }
 
     slapi_free_search_results_internal(tmp_pb);
     slapi_pblock_destroy(tmp_pb);
     slapi_ch_free_string(&basedn);
+
+    return rc;
 }
 
 /* Reads in any config information held in the dse for the ldbm plugin.  
@@ -1453,7 +1465,13 @@ int ldbm_config_load_dse_info(struct ldbminfo *li)
     
     /* Find all the instance entries and create a Slapi_Backend and an
      * ldbm_instance for each */
-    ldbm_config_read_instance_entries(li, li->li_plugin->plg_name);
+    rval = ldbm_config_read_instance_entries(li, li->li_plugin->plg_name);
+    if (rval) {
+        LDAPDebug0Args(LDAP_DEBUG_ANY,
+                       "ldbm_config_load_dse_info: "
+                       "failed to read instance entries\n");
+        goto bail;
+    }
 
     /* setup the dse callback functions for the ldbm backend config entry */
     slapi_config_register_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP, dn,
@@ -1473,7 +1491,7 @@ int ldbm_config_load_dse_info(struct ldbminfo *li)
     if (NULL == dn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "ldbm_config_load_dse_info: "
-                      "failed create monitor dn for %s\n",
+                      "failed to create monitor dn for %s\n",
                       li->li_plugin->plg_name); 
         rval = 1;
         goto bail;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index 40aed48..c1f1142 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -76,6 +76,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
 	int ldap_result_code= LDAP_SUCCESS;
 	char *ldap_result_message= NULL;
 	Slapi_DN sdn;
+	Slapi_DN *sdnp = NULL;
 	char *e_uniqueid = NULL;
 	Slapi_DN *nscpEntrySDN = NULL;
 	int dblock_acquired= 0;
@@ -97,13 +98,13 @@ ldbm_back_delete( Slapi_PBlock *pb )
 
 	slapi_pblock_get( pb, SLAPI_BACKEND, &be);
 	slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
-	slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn );
+	slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdnp );
 	slapi_pblock_get( pb, SLAPI_TARGET_ADDRESS, &addr);
 	slapi_pblock_get( pb, SLAPI_TXN, (void**)&parent_txn );
 	slapi_pblock_get( pb, SLAPI_OPERATION, &operation );
 	slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation );
 	
-	/* sdn & parentsdn need to be initialized before "goto *_return */
+	/* sdn needs to be initialized before "goto *_return */
 	slapi_sdn_init(&sdn);
 
 	/* dblayer_txn_init needs to be called before "goto error_return" */
@@ -122,7 +123,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
 		/* retval is -1 */
 		goto error_return;
 	}
-	ldap_result_code = slapi_dn_syntax_check(pb, addr->dn, 1);
+	ldap_result_code = slapi_dn_syntax_check(pb, slapi_sdn_get_dn(sdnp), 1);
 	if (ldap_result_code)
 	{
 		ldap_result_code = LDAP_INVALID_DN_SYNTAX;
@@ -137,7 +138,10 @@ ldbm_back_delete( Slapi_PBlock *pb )
 	
 	inst = (ldbm_instance *) be->be_instance_info;
 
-	slapi_sdn_init_dn_byref(&sdn,dn);
+	if (NULL == sdnp) {
+		slapi_sdn_init_normdn_byref(&sdn, dn);
+		sdnp = &sdn;
+	}
 
 	/* The dblock serializes writes to the database,
 	 * which reduces deadlocking in the db code,
@@ -318,13 +322,13 @@ ldbm_back_delete( Slapi_PBlock *pb )
 	    Slapi_DN parentsdn;
 
 		slapi_sdn_init(&parentsdn);
-		slapi_sdn_get_backend_parent(&sdn,&parentsdn,pb->pb_backend);
+		slapi_sdn_get_backend_parent(sdnp, &parentsdn, pb->pb_backend);
     	if ( !slapi_sdn_isempty(&parentsdn) )
 		{
     		struct backentry *parent = NULL;
 			entry_address parent_addr;
 
-			parent_addr.dn = (char*)slapi_sdn_get_dn (&parentsdn);
+			parent_addr.sdn = &parentsdn;
 			parent_addr.uniqueid = NULL;
     		parent = find_entry2modify_only(pb,be,&parent_addr,&txn);
     		if (NULL != parent) {
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 2f1e648..54f22a3 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -445,7 +445,7 @@ entryrdn_rename_subtree(backend *be,
         slapi_log_error(SLAPI_LOG_FATAL, ENTRYRDN_TAG,
                 "entryrdn_rename_subtree: Param error: Empty %s\n",
                 NULL==be?"backend":NULL==oldsdn?"old dn":
-                (NULL==mynewsrdn&&NULL==mynewsupsdn)?"new dn and new superior":
+                (NULL==newsrdn&&NULL==newsupsdn)?"new dn and new superior":
                 0==id?"id":"unknown");
         goto bail;
     }
@@ -1015,7 +1015,6 @@ entryrdn_lookup_dn(backend *be,
     char *nrdn = NULL;
     size_t nrdn_len = 0;
     ID workid = id; /* starting from the given id */
-    ID previd = id;
     rdn_elem *elem = NULL;
     int maybesuffix = 0;
 
@@ -1111,7 +1110,6 @@ retry_get1:
         }
     
         /* Iterate over the duplicates to get the direct child's ID */
-        previd = workid;
         workid = 0;
         if (maybesuffix) {
             /* it is a suffix, indeed.  done. */
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index 7709cfb..88b20d0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -773,8 +773,8 @@ ldbm_instance_modify_config_entry_callback(Slapi_PBlock *pb, Slapi_Entry* entryB
             if (strcasecmp(attr_name, CONFIG_INSTANCE_SUFFIX) == 0) {
                 /* naughty naughty, we don't allow this */
                 rc = LDAP_UNWILLING_TO_PERFORM;
-		PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
-			"Can't change the root suffix of a backend");
+                PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+                            "Can't change the root suffix of a backend");
                 LDAPDebug(LDAP_DEBUG_ANY,
                           "ldbm: modify attempted to change the root suffix "
                           "of a backend (which is not allowed)\n",
@@ -841,10 +841,13 @@ static int ldbm_instance_generate(struct ldbminfo *li, char *instance_name,
     new_be = slapi_be_new(LDBM_DATABASE_TYPE_NAME /* type */, instance_name, 
                           0 /* public */, 1 /* do log changes */);
     new_be->be_database = li->li_plugin;
-    ldbm_instance_create(new_be, instance_name);
+    rc = ldbm_instance_create(new_be, instance_name);
+    if (rc) {
+        goto bail;
+    }
 
     ldbm_instance_config_load_dse_info(new_be->be_instance_info);
-    rc = ldbm_instance_create_default_indexes(new_be);
+    ldbm_instance_create_default_indexes(new_be);
 
     /* if USN plugin is enabled, set slapi_counter */
     if (plugin_enabled("USN", li->li_identity) && ldbm_back_isinitialized()) {
@@ -867,7 +870,7 @@ static int ldbm_instance_generate(struct ldbminfo *li, char *instance_name,
     if (ret_be != NULL) {
         *ret_be = new_be;
     }
-
+bail:
     return rc;
 }
 
@@ -881,7 +884,13 @@ ldbm_instance_postadd_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry* ent
     int rval = 0;
 
     parse_ldbm_instance_entry(entryBefore, &instance_name);
-    ldbm_instance_generate(li, instance_name, &be);
+    rval = ldbm_instance_generate(li, instance_name, &be);
+    if (rval) {
+        LDAPDebug(LDAP_DEBUG_ANY,
+            "ldbm_instance_postadd_instance_entry_callback: "
+            "ldbm_instance_generate (%s) failed (%d)\n",
+            instance_name, rval, 0);
+    }
 
     inst = ldbm_instance_find_by_name(li, instance_name);
 
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index ff2fc97..1a85e14 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -244,7 +244,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
 	{
 		goto error_return;
 	}
-	ldap_result_code = slapi_dn_syntax_check(pb, addr->dn, 1);
+	ldap_result_code = slapi_dn_syntax_check(pb, slapi_sdn_get_dn(addr->sdn), 1);
 	if (ldap_result_code)
 	{
 		ldap_result_code = LDAP_INVALID_DN_SYNTAX;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index bcbe9c7..fa2f046 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -90,10 +90,10 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     IDList *children= NULL;
     struct backentry **child_entries = NULL;
     struct backdn **child_dns = NULL;
-    Slapi_DN dn_olddn = {0};
+    Slapi_DN *sdn = NULL;
     Slapi_DN dn_newdn = {0};
     Slapi_DN dn_newrdn = {0};
-    Slapi_DN dn_newsuperiordn = {0};
+    Slapi_DN *dn_newsuperiordn = NULL;
     Slapi_DN dn_parentdn;
     int rc;
     int isroot;
@@ -109,7 +109,6 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     entry_address *old_addr;
     entry_address oldparent_addr;
     entry_address *newsuperior_addr;
-    char *dn;
     char ebuf[BUFSIZ];
     CSN *opcsn = NULL;
 
@@ -117,7 +116,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     slapi_sdn_init(&dn_newdn);
     slapi_sdn_init(&dn_parentdn);
     
-    slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn );
+    slapi_pblock_get( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
     slapi_pblock_get( pb, SLAPI_BACKEND, &be);
     slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
     slapi_pblock_get( pb, SLAPI_TXN, (void**)&parent_txn );
@@ -127,6 +126,12 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
     is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
 
+    if (NULL == sdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                                "Null target DN", 0, NULL );
+        return( -1 );
+    } 
+
     /* dblayer_txn_init needs to be called before "goto error_return" */
     dblayer_txn_init(li,&txn);
     /* the calls to search for entries require the parent txn if any
@@ -140,23 +145,21 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
 
     inst = (ldbm_instance *) be->be_instance_info;
     {
-        char *newrdn, *newsuperiordn;
+        char *newrdn/* , *newsuperiordn */;
         slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
-        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiordn );
-        slapi_sdn_init_dn_byref(&dn_olddn,dn);
-        slapi_sdn_init_dn_byref(&dn_newrdn,newrdn);
-        slapi_sdn_init_dn_byref(&dn_newsuperiordn,newsuperiordn);
-        slapi_sdn_get_parent(&dn_olddn,&dn_parentdn);
+        slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &dn_newsuperiordn );
+        slapi_sdn_init_normdn_byref(&dn_newrdn, newrdn);
+        /* slapi_sdn_init_normdn_byref(&dn_newsuperiordn, newsuperiordn); */
+        slapi_sdn_get_parent(sdn, &dn_parentdn);
     }
     
     /* if old and new superior are equals, newsuperior should not be set
      * Here we have to reset newsuperiordn in order to save processing and 
      * avoid later deadlock when trying to fetch twice the same entry
      */
-    if (slapi_sdn_compare(&dn_newsuperiordn, &dn_parentdn) == 0)
+    if (slapi_sdn_compare(dn_newsuperiordn, &dn_parentdn) == 0)
     {
-        slapi_sdn_done(&dn_newsuperiordn);
-        slapi_sdn_init_dn_byref(&dn_newsuperiordn,NULL);
+        slapi_sdn_done(dn_newsuperiordn);
     }
 
     /* 
@@ -164,7 +167,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * Replicated Operations are allowed to change the superior
      */
     if ( !entryrdn_get_switch() &&
-         (!is_replicated_operation && !slapi_sdn_isempty(&dn_newsuperiordn))) 
+         (!is_replicated_operation && !slapi_sdn_isempty(dn_newsuperiordn))) 
     {
         slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
                       "server does not support moving of entries", 0, NULL );
@@ -213,14 +216,15 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
 
             /* see if an entry with the new name already exists */
             done_with_pblock_entry(pb,SLAPI_MODRDN_EXISTING_ENTRY); /* Could be through this multiple times */
-            slapi_sdn_done(&dn_newrdn);
             slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
-            slapi_sdn_init_dn_byref(&dn_newrdn,newrdn);
-            newdn= moddn_get_newdn(pb,&dn_olddn,&dn_newrdn,&dn_newsuperiordn);
+            slapi_sdn_init_normdn_byref(&dn_newrdn, newrdn);
+            newdn= moddn_get_newdn(pb,sdn, &dn_newrdn, dn_newsuperiordn);
             slapi_sdn_set_dn_passin(&dn_newdn,newdn);
-            new_addr.dn = (char*)slapi_sdn_get_ndn (&dn_newdn);
+            new_addr.sdn = &dn_newdn;
+            new_addr.udn = NULL;
             /* check dn syntax on newdn */
-            ldap_result_code = slapi_dn_syntax_check(pb, new_addr.dn, 1);
+            ldap_result_code = slapi_dn_syntax_check(pb,
+                                           (char *)slapi_sdn_get_ndn(&dn_newdn), 1);
             if (ldap_result_code)
             {
                 ldap_result_code = LDAP_INVALID_DN_SYNTAX;
@@ -241,23 +245,22 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         {
             /* find and lock the old parent entry */
             done_with_pblock_entry(pb,SLAPI_MODRDN_PARENT_ENTRY); /* Could be through this multiple times */
-            oldparent_addr.dn = (char*)slapi_sdn_get_ndn (&dn_parentdn);
+            oldparent_addr.sdn = &dn_parentdn;
             oldparent_addr.uniqueid = NULL;            
             ldap_result_code= get_copy_of_entry(pb, &oldparent_addr, &txn, SLAPI_MODRDN_PARENT_ENTRY, !is_replicated_operation);
         }
 
         /* <new superior> */
-        if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL &&
+        if(slapi_sdn_get_ndn(dn_newsuperiordn)!=NULL &&
            slapi_isbitset_int(rc,SLAPI_RTN_BIT_FETCH_NEWPARENT_ENTRY))
         {
             /* find and lock the new parent entry */
             done_with_pblock_entry(pb,SLAPI_MODRDN_NEWPARENT_ENTRY); /* Could be through this multiple times */
             /* Check that this really is a new superior, 
              * and not the same old one. Compare parentdn & newsuperior */
-            if (slapi_sdn_compare(&dn_newsuperiordn, &dn_parentdn) == 0)
+            if (slapi_sdn_compare(dn_newsuperiordn, &dn_parentdn) == 0)
             {
-                slapi_sdn_done(&dn_newsuperiordn);
-                slapi_sdn_init_dn_byref(&dn_newsuperiordn,NULL);
+                slapi_sdn_done(dn_newsuperiordn);
             }
             else
             {
@@ -271,7 +274,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
                 }
                 else
                 {
-                    my_addr.dn = (char *)slapi_sdn_get_ndn (&dn_newsuperiordn);
+                    my_addr.sdn = dn_newsuperiordn;
                     my_addr.uniqueid = NULL;
                     newsuperior_addr = &my_addr;
                 }
@@ -329,7 +332,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         if((entry != NULL) && 
             /* allow modrdn even if the src dn and dest dn are identical */
            (0 != slapi_sdn_compare((const Slapi_DN *)&dn_newdn,
-                                   (const Slapi_DN *)&dn_olddn)))
+                                   (const Slapi_DN *)sdn)))
         {
             ldap_result_code= LDAP_ALREADY_EXISTS;
             goto error_return;
@@ -337,13 +340,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     }
 
     /* Fetch and lock the parent of the entry that is moving */
-    oldparent_addr.dn = (char*)slapi_sdn_get_dn (&dn_parentdn);
+    oldparent_addr.sdn = &dn_parentdn;
     oldparent_addr.uniqueid = NULL;            
     parententry = find_entry2modify_only( pb, be, &oldparent_addr, &txn );
     modify_init(&parent_modify_context,parententry);
 
     /* Fetch and lock the new parent of the entry that is moving */            
-    if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL)
+    if(slapi_sdn_get_ndn(dn_newsuperiordn) != NULL)
     {
         slapi_pblock_get (pb, SLAPI_MODRDN_NEWSUPERIOR_ADDRESS, &newsuperior_addr);
         newparententry = find_entry2modify_only( pb, be, newsuperior_addr, &txn );
@@ -376,22 +379,30 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * instead.  Otherwise, a ModRDN operation will potentially change an
      * entry's entire DN (at least with respect to case and spacing).
      */
-    slapi_sdn_copy( slapi_entry_get_sdn_const( e->ep_entry ), &dn_olddn );
+    slapi_sdn_copy( slapi_entry_get_sdn_const( e->ep_entry ), sdn );
+    slapi_pblock_set( pb, SLAPI_MODRDN_TARGET_SDN, sdn );
     if (newparententry != NULL) {
         /* don't forget we also want to preserve case of new superior */
-        slapi_sdn_copy(slapi_entry_get_sdn_const(newparententry->ep_entry), &dn_newsuperiordn);
+        if (NULL == dn_newsuperiordn) {
+            dn_newsuperiordn = slapi_sdn_dup(
+                           slapi_entry_get_sdn_const(newparententry->ep_entry));
+        } else {
+            slapi_sdn_copy(slapi_entry_get_sdn_const(newparententry->ep_entry),
+                           dn_newsuperiordn);
+        }
+        slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR, dn_newsuperiordn );
     }
     slapi_sdn_set_dn_passin(&dn_newdn,
-            moddn_get_newdn(pb, &dn_olddn, &dn_newrdn, &dn_newsuperiordn));
+                        moddn_get_newdn(pb, sdn, &dn_newrdn, dn_newsuperiordn));
 
     /* Check that we're allowed to add an entry below the new superior */
     if ( newparententry == NULL )
     {
         /* There may not be a new parent because we don't intend there to be one. */
-        if(slapi_sdn_get_ndn(&dn_newsuperiordn)!=NULL)
+        if(slapi_sdn_get_ndn(dn_newsuperiordn)!=NULL)
         {
             /* If the new entry is to be a suffix, and we're root, then it's OK that the new parent doesn't exist */
-            if(!(slapi_dn_isbesuffix(pb,slapi_sdn_get_ndn(&dn_newdn)) && isroot))
+            if (!(slapi_be_issuffix(pb->pb_backend, &dn_newdn)) && isroot)
             {
                 /* Here means that we didn't find the parent */
                 int err = 0;
@@ -405,7 +416,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
                             "does not exist matched %s, newsuperior = %s\n", 
                             ldap_result_matcheddn == NULL ? "NULL" :
                             ldap_result_matcheddn,
-                            slapi_sdn_get_ndn(&dn_newsuperiordn), 0 );
+                            slapi_sdn_get_ndn(dn_newsuperiordn), 0 );
                 slapi_sdn_done(&ancestordn);
                 goto error_return;
                }
@@ -426,7 +437,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     if ( parententry == NULL )
     {
         /* If the entry a suffix, and we're root, then it's OK that the parent doesn't exist */
-        if(!(slapi_dn_isbesuffix(pb,slapi_sdn_get_ndn(&dn_olddn)) && isroot))
+        if (!(slapi_be_issuffix(pb->pb_backend, sdn)) && isroot)
         {
             /* Here means that we didn't find the parent */
             ldap_result_matcheddn = "NULL";
@@ -485,7 +496,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     if (( cache_add_tentative( &inst->inst_cache, ec, NULL ) != 0 ) &&
         /* allow modrdn even if the src dn and dest dn are identical */
         ( 0 != slapi_sdn_compare((const Slapi_DN *)&dn_newdn,
-                                 (const Slapi_DN *)&dn_olddn)) )
+                                 (const Slapi_DN *)sdn)) )
     {
         /* somebody must've created it between dn2entry() and here */
         /* JCMREPL - Hmm... we can't permit this to happen...? */
@@ -498,7 +509,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
     {
         slapi_mods_init(&smods_generated,4);
         slapi_mods_init(&smods_generated_wsi,4);
-        ldap_result_code = moddn_newrdn_mods(pb, slapi_sdn_get_ndn(&dn_olddn),
+        ldap_result_code = moddn_newrdn_mods(pb, slapi_sdn_get_ndn(sdn),
                             ec, &smods_generated_wsi, is_replicated_operation);
         if (ldap_result_code != LDAP_SUCCESS) {
             if (ldap_result_code == LDAP_UNWILLING_TO_PERFORM)
@@ -519,7 +530,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /*
          * Update parentid if we have a new superior.
          */
-        if(slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL) {
+        if(slapi_sdn_get_dn(dn_newsuperiordn)!=NULL) {
             char buf[40]; /* Enough for an ID */
             
             if (parententry != NULL) {
@@ -619,7 +630,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
      * If the entry has a new superior then the subordinate count
      * of the parents must be updated.
      */    
-    if(slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL)
+    if(slapi_sdn_get_dn(dn_newsuperiordn)!=NULL)
     {
         /* 
          * Update the subordinate count of the parents to reflect the moved child.
@@ -652,12 +663,12 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /* JCM - This is where the subtree lock will appear */
         if (entryrdn_get_switch()) /* subtree-rename: on */
         {
-            children = moddn_get_children(&txn, pb, be, e, &dn_olddn,
+            children = moddn_get_children(&txn, pb, be, e, sdn,
                                           &child_entries, &child_dns);
         }
         else
         {
-            children = moddn_get_children(&txn, pb, be, e, &dn_olddn,
+            children = moddn_get_children(&txn, pb, be, e, sdn,
                                           &child_entries, NULL);
         }
 
@@ -781,7 +792,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
                 }
             }
         }
-        if (slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL)
+        if (slapi_sdn_get_dn(dn_newsuperiordn)!=NULL)
         {
             /* Push out the db modifications from the parent entry */
             retval = modify_update_all(be, pb, &parent_modify_context, &txn);
@@ -826,8 +837,8 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         /*
          * Update ancestorid index.
          */
-        if (slapi_sdn_get_dn(&dn_newsuperiordn)!=NULL) {
-            retval = ldbm_ancestorid_move_subtree(be, &dn_olddn, &dn_newdn, e->ep_id, children, &txn);
+        if (slapi_sdn_get_dn(dn_newsuperiordn)!=NULL) {
+            retval = ldbm_ancestorid_move_subtree(be, sdn, &dn_newdn, e->ep_id, children, &txn);
             if (retval != 0) {
                 if (retval == DB_LOCK_DEADLOCK) continue;
                 if (retval == DB_RUNRECOVERY || LDBM_OS_ERR_IS_DISKFULL(retval))
@@ -844,9 +855,8 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
         {
             Slapi_RDN newsrdn;
             slapi_rdn_init_sdn(&newsrdn, (const Slapi_DN *)&dn_newdn);
-            rc = entryrdn_rename_subtree(be,
-                                         (const Slapi_DN *)&dn_olddn, &newsrdn,
-                                         (const Slapi_DN *)&dn_newsuperiordn,
+            rc = entryrdn_rename_subtree(be, (const Slapi_DN *)sdn, &newsrdn,
+                                         (const Slapi_DN *)dn_newsuperiordn,
                                          e->ep_id, &txn);
             slapi_rdn_done(&newsrdn);
             if (rc) {
@@ -861,7 +871,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
          */
         if (!entryrdn_get_switch() && children) /* subtree-rename: off */
         {
-            retval= moddn_rename_children(&txn, pb, be, children, &dn_olddn,
+            retval= moddn_rename_children(&txn, pb, be, children, sdn,
                                          &dn_newdn, child_entries);
         }
         if (DB_LOCK_DEADLOCK == retval)
@@ -1100,10 +1110,8 @@ common_return:
     if (ldap_result_matcheddn && 0 != strcmp(ldap_result_matcheddn, "NULL"))
         slapi_ch_free((void**)&ldap_result_matcheddn);
     idl_free(children);
-    slapi_sdn_done(&dn_olddn);
     slapi_sdn_done(&dn_newdn);
     slapi_sdn_done(&dn_newrdn);
-    slapi_sdn_done(&dn_newsuperiordn);
     slapi_sdn_done(&dn_parentdn);
     modify_term(&parent_modify_context,be);
     modify_term(&newparent_modify_context,be);
@@ -1118,7 +1126,8 @@ common_return:
     slapi_ch_free((void**)&errbuf);
     if (retval == 0 && opcsn != NULL && !is_fixup_operation)
     {
-        slapi_pblock_set(pb, SLAPI_URP_NAMING_COLLISION_DN, slapi_ch_strdup (dn));
+        slapi_pblock_set(pb, SLAPI_URP_NAMING_COLLISION_DN, 
+                         slapi_ch_strdup(slapi_sdn_get_dn(sdn)));
     }
     if (pb->pb_conn)
     {
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 66ec886..91b0280 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -159,7 +159,6 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
                          int ldap_result,
                          char* ldap_result_description,
                          int function_result,
-                         Slapi_DN *sdn,
                          struct vlv_request *vlv_request_control,
                          struct backentry *e)
 {
@@ -192,7 +191,6 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
             delete_search_result_set(&sr);
         }
     }
-    slapi_sdn_done(sdn);
     if (vlv_request_control)
     {
         berval_done(&vlv_request_control->value);
@@ -218,8 +216,8 @@ ldbm_back_search( Slapi_PBlock *pb )
     struct ldbminfo *li;
     struct backentry *e;
     IDList *candidates= NULL;
-    char *base;
-    Slapi_DN basesdn;
+    const char *base;
+    Slapi_DN *basesdn = NULL;
     int scope;
     LDAPControl **controls = NULL;
     Slapi_Operation *operation;
@@ -254,7 +252,7 @@ ldbm_back_search( Slapi_PBlock *pb )
     slapi_pblock_get( pb, SLAPI_BACKEND, &be );
     slapi_pblock_get( pb, SLAPI_OPERATION, &operation);
     slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
-    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn );
     slapi_pblock_get( pb, SLAPI_TARGET_ADDRESS, &addr);
     slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
     slapi_pblock_get( pb, SLAPI_REQCONTROLS, &controls );
@@ -263,7 +261,13 @@ ldbm_back_search( Slapi_PBlock *pb )
 
     inst = (ldbm_instance *) be->be_instance_info;
 
-    slapi_sdn_init_dn_ndn_byref(&basesdn,base);  /* normalized by front end*/
+    if (NULL == basesdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                               "Null target DN", 0, NULL );
+        return( -1 );
+    }
+    base = slapi_sdn_get_dn(basesdn);
+
     /* Initialize the result set structure here because we need to use it during search processing */
     /* Beware that if we exit this routine sideways, we might leak this structure */
     sr = new_search_result_set( NULL, 0, 
@@ -285,8 +289,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 /* Badly formed SORT control */
                 return ldbm_back_search_cleanup(pb, li, sort_control, 
                                 LDAP_PROTOCOL_ERROR, "Sort Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
-                                NULL, NULL);
+                                SLAPI_FAIL_GENERAL, NULL, NULL);
             }
             /* set this operation includes the server side sorting */
             operation->o_flags |= OP_FLAG_SERVER_SIDE_SORTING;
@@ -303,8 +306,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 {
                     /* Badly formed VLV control */
                     return ldbm_back_search_cleanup(pb, li, sort_control,
-                                r, "VLV Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
+                                r, "VLV Control", SLAPI_FAIL_GENERAL, 
                                 &vlv_request_control, NULL);
                 }
                 {
@@ -325,8 +327,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     {
                         /* Client isn't allowed to do this. */
                         return ldbm_back_search_cleanup(pb, li, sort_control, 
-                                    r, "VLV Control", 
-                                    SLAPI_FAIL_GENERAL, &basesdn, 
+                                    r, "VLV Control", SLAPI_FAIL_GENERAL, 
                                     &vlv_request_control, NULL);
                     }
                 }
@@ -341,8 +342,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 /* Can't have a VLV control without a SORT control */
                 return ldbm_back_search_cleanup(pb, li, sort_control, 
                                 LDAP_SORT_CONTROL_MISSING, "VLV Control", 
-                                SLAPI_FAIL_GENERAL, &basesdn, 
-                                &vlv_request_control, NULL);
+                                SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
         }
     }
@@ -395,15 +395,13 @@ ldbm_back_search( Slapi_PBlock *pb )
             {
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_UNWILLING_TO_PERFORM, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
             else
             {
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_VIRTUAL_LIST_VIEW_ERROR, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
         }
         else
@@ -418,8 +416,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 sort_make_sort_response_control(pb, LDAP_UNWILLING_TO_PERFORM, NULL);
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                             LDAP_UNAVAILABLE_CRITICAL_EXTENSION, ctrlstr,
-                            SLAPI_FAIL_GENERAL, &basesdn, 
-                            &vlv_request_control, NULL);
+                            SLAPI_FAIL_GENERAL, &vlv_request_control, NULL);
             }
             else /* vlv and sorting are not critical, so ignore the control */
             {
@@ -453,7 +450,7 @@ ldbm_back_search( Slapi_PBlock *pb )
         {
             /* error or referral sent by find_entry */
             return ldbm_back_search_cleanup(pb, li, sort_control, 
-                            -1, NULL, 1, &basesdn, &vlv_request_control, NULL);
+                            -1, NULL, 1, &vlv_request_control, NULL);
         }
     }
 
@@ -478,21 +475,20 @@ ldbm_back_search( Slapi_PBlock *pb )
          */    
         if ((NULL != controls) && (sort) && (vlv)) {
             /* This candidate list is for vlv, no need for sort only. */
-            switch (vlv_search_build_candidate_list(pb, &basesdn, &vlv_rc,
+            switch (vlv_search_build_candidate_list(pb, basesdn, &vlv_rc,
                                                     sort_control,
                                                     (vlv ? &vlv_request_control : NULL),
                                                     &candidates, &vlv_response_control)) {
             case VLV_ACCESS_DENIED:
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                                 vlv_rc, "VLV Control",
-                                                SLAPI_FAIL_GENERAL, &basesdn,
+                                                SLAPI_FAIL_GENERAL, 
                                                 &vlv_request_control, e);
             case VLV_BLD_LIST_FAILED:
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                                 vlv_response_control.result,
                                                 NULL, SLAPI_FAIL_GENERAL,
-                                                &basesdn, &vlv_request_control,
-                                                e);
+                                                &vlv_request_control, e);
                 
             case LDAP_SUCCESS:
                 /* Log to the access log the particulars of this sort request */
@@ -513,7 +509,6 @@ ldbm_back_search( Slapi_PBlock *pb )
                                                     LDAP_OPERATIONS_ERROR,
                                                     "Sort Response Control",
                                                     SLAPI_FAIL_GENERAL,
-                                                    &basesdn,
                                                     &vlv_request_control, e);
                 }
             }
@@ -526,7 +521,7 @@ ldbm_back_search( Slapi_PBlock *pb )
             {
                 /* Error result sent by build_candidate_list */
                 return ldbm_back_search_cleanup(pb, li, sort_control, -1,
-                                                NULL, rc, &basesdn,
+                                                NULL, rc, 
                                                 &vlv_request_control, e);
             }
             /*
@@ -559,7 +554,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 IDList *idl = NULL;
                 Slapi_Filter *filter = NULL;
                 slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
-                r = vlv_filter_candidates(be, pb, candidates, &basesdn,
+                r = vlv_filter_candidates(be, pb, candidates, basesdn,
                                           scope, filter, &idl,
                                           lookthrough_limit, time_up);
                 if(r == 0)
@@ -570,7 +565,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 else
                 {
                     return ldbm_back_search_cleanup(pb, li, sort_control,
-                                                    r, NULL, -1, &basesdn,
+                                                    r, NULL, -1, 
                                                     &vlv_request_control, e);
                 }
             }
@@ -589,7 +584,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                              LDAP_PROTOCOL_ERROR,
                                              "Sort Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
                 }
               }
               else
@@ -630,7 +625,6 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                                     LDAP_PROTOCOL_ERROR,
                                                     "Sort Control", -1,
-                                                    &basesdn,
                                                     &vlv_request_control, e);
                 case LDAP_UNWILLING_TO_PERFORM:  /* Too hard */
                 case LDAP_OPERATIONS_ERROR:  /* Operation error */
@@ -673,7 +667,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     return ldbm_back_search_cleanup(pb, li, sort_control,
                                              (abandoned?-1:LDAP_PROTOCOL_ERROR),
                                              "Sort Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
                 }
               }
             }
@@ -700,7 +694,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                     {
                         return ldbm_back_search_cleanup(pb, li, sort_control,
                                                     vlv_response_control.result,
-                                                    NULL, -1, &basesdn,
+                                                    NULL, -1, 
                                                     &vlv_request_control, e);
                     }
                 }
@@ -720,7 +714,7 @@ ldbm_back_search( Slapi_PBlock *pb )
                 return ldbm_back_search_cleanup(pb, li, sort_control,
                                              (abandoned?-1:LDAP_PROTOCOL_ERROR),
                                              "VLV Response Control", -1,
-                                             &basesdn, &vlv_request_control, e);
+                                             &vlv_request_control, e);
             }
             /* Log the VLV operation */
             vlv_print_access_log(pb,&vlv_request_control,&vlv_response_control);
@@ -783,7 +777,7 @@ ldbm_back_search( Slapi_PBlock *pb )
     /* Fix for bugid #394184, SD, 05 Jul 00 */
     /* tmp_err == -1: no error */
     return ldbm_back_search_cleanup(pb, li, sort_control, tmp_err, tmp_desc,
-                                    (tmp_err  == -1 ? 0 : -1), &basesdn,
+                                    (tmp_err  == -1 ? 0 : -1), 
                                     &vlv_request_control, NULL);
     /* end Fix for bugid #394184 */
 }
@@ -1205,7 +1199,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     int                    managedsait;
     Slapi_Attr             *attr;
     Slapi_Filter           *filter;
-    char                   *base;
+    const char             *base;
     back_search_result_set *sr;
     ID                     id;
     struct backentry       *e;
@@ -1214,7 +1208,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     int                    tlimit, llimit, slimit, isroot;
     struct berval          **urls = NULL;
     int                    err;
-    Slapi_DN               basesdn = {0};
+    Slapi_DN               *basesdn = NULL;
     char                   *target_uniqueid;
     int                    rc = 0; 
     int                    estimate = 0; /* estimated search result count */
@@ -1225,7 +1219,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope );
     slapi_pblock_get( pb, SLAPI_MANAGEDSAIT, &managedsait );
     slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
-    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base );
+    slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn );
     slapi_pblock_get( pb, SLAPI_NENTRIES, &nentries );
     slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &slimit );
     slapi_pblock_get( pb, SLAPI_SEARCH_TIMELIMIT, &tlimit );
@@ -1240,6 +1234,13 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
         goto bail;
     }
 
+    if (NULL == basesdn) {
+        slapi_send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                               "Null target DN", 0, NULL );
+        return( -1 );
+    }
+    base = slapi_sdn_get_dn(basesdn);
+
     if (sr->sr_current_sizelimit >= 0) {
         /* 
          * sr_current_sizelimit contains the current sizelimit.
@@ -1254,7 +1255,10 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
     
     inst = (ldbm_instance *) be->be_instance_info;
 
-    slapi_sdn_init_dn_ndn_byref(&basesdn,base); /* normalized by front end */
+    if (NULL == basesdn) {
+        basesdn = slapi_sdn_new_normdn_byref(base);
+        slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, basesdn);
+    }
     /* Return to the cache the entry we handed out last time */
     /* If we are using the extension, the front end will tell
      * us when to do this so we don't do it now */
@@ -1399,7 +1403,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
                 char ebuf[ BUFSIZ ];
                 LDAPDebug( LDAP_DEBUG_ANY, "null ref in (%s)\n", escape_string( backentry_get_ndn(e), ebuf ), 0, 0 );
             }
-            else if ( slapi_sdn_scope_test( backentry_get_sdn(e), &basesdn, scope ))
+            else if ( slapi_sdn_scope_test( backentry_get_sdn(e), basesdn, scope ))
             {
                 if ( use_extension ) {
                     slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, e );
@@ -1473,7 +1477,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
              * just forget about it, since we don't want to return anything at all. */
          {
              if ( slapi_uniqueIDCompareString(target_uniqueid, e->ep_entry->e_uniqueid) ||
-                  slapi_sdn_scope_test( backentry_get_sdn(e), &basesdn, scope ))
+                  slapi_sdn_scope_test( backentry_get_sdn(e), basesdn, scope ))
              {
                  /* check size limit */
                  if ( slimit >= 0 )
@@ -1540,7 +1544,6 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
         }
     }
 bail:
-    slapi_sdn_done(&basesdn);
     return rc;
 }
 
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index 4427a43..21b00fe 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -137,29 +137,18 @@ int ldbm_back_fetch_incl_excl(Slapi_PBlock *pb, char ***include,
                               char ***exclude)
 {
     char **pb_incl, **pb_excl;
-    char subtreeDn[BUFSIZ];
-    char *normSubtreeDn;
-    int i;
 
     slapi_pblock_get(pb, SLAPI_LDIF2DB_INCLUDE, &pb_incl);
     slapi_pblock_get(pb, SLAPI_LDIF2DB_EXCLUDE, &pb_excl);
+    if ((NULL == include) || (NULL == exclude)) {
+        return 0;
+    }
     *include = *exclude = NULL;
 
-    /* normalize */
-    if (pb_excl) {
-        for (i = 0; pb_excl[i]; i++) {
-            PL_strncpyz(subtreeDn, pb_excl[i], sizeof(subtreeDn));
-            normSubtreeDn = slapi_dn_normalize_case(subtreeDn);
-            charray_add(exclude, slapi_ch_strdup(normSubtreeDn));
-        }
-    }
-    if (pb_incl) {
-        for (i = 0; pb_incl[i]; i++) {
-            PL_strncpyz(subtreeDn, pb_incl[i], sizeof(subtreeDn));
-            normSubtreeDn = slapi_dn_normalize_case(subtreeDn);
-            charray_add(include, slapi_ch_strdup(normSubtreeDn));
-        }
-    }
+    /* pb_incl/excl are both normalized */
+    *exclude = slapi_ch_array_dup(pb_excl);
+    *include = slapi_ch_array_dup(pb_incl);
+
     return (pb_incl || pb_excl);
 }
 
@@ -1423,7 +1412,6 @@ ldbm_back_ldbm2ldif( Slapi_PBlock *pb )
         ep = backentry_alloc();
         if (entryrdn_get_switch()) {
             char *rdn = NULL;
-            int rc = 0;
     
             /* rdn is allocated in get_value_from_string */
             rc = get_value_from_string((const char *)data.dptr, "rdn", &rdn);
@@ -1900,9 +1888,9 @@ ldbm_back_ldbm2index(Slapi_PBlock *pb)
 
         /* create suffix list */
         for (vlvidx = 0; vlvidx < numvlv; vlvidx++) {
-            char *s = slapi_ch_strdup(slapi_sdn_get_dn(vlvIndex_getBase(pvlv[vlvidx])));
-
-            s = slapi_dn_normalize_case(s);
+            char *s = 
+             slapi_ch_strdup(slapi_sdn_get_ndn(vlvIndex_getBase(pvlv[vlvidx])));
+            /* 's' is passed in */
             charray_add(&suffix_list, s);
         }
         idl = ldbm_fetch_subtrees(be, suffix_list, &err);
diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c
index 6e350c9..78f1ed3 100644
--- a/ldap/servers/slapd/back-ldbm/misc.c
+++ b/ldap/servers/slapd/back-ldbm/misc.c
@@ -425,7 +425,8 @@ ldbm_txn_ruv_modify_context( Slapi_PBlock *pb, modify_context *mc )
 
     slapi_pblock_get( pb, SLAPI_BACKEND, &be);
 
-    bentry_addr.dn = NULL;
+    bentry_addr.sdn = NULL;
+    bentry_addr.udn = NULL;
     bentry_addr.uniqueid = uniqueid;
 
     /* Note: if we find the bentry, it will stay locked until someone calls
diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
index c160507..d7e28c1 100644
--- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
@@ -189,7 +189,7 @@ vlvSearch_init(struct vlvSearch* p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
             slapi_pblock_set(pb, SLAPI_PLUGIN, inst->inst_be->be_database);
             slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn);
 
-            addr.dn = (char*)slapi_sdn_get_ndn (p->vlv_base);
+            addr.sdn = p->vlv_base;
             addr.uniqueid = NULL;
             e = find_entry( pb, inst->inst_be, &addr, &txn );
             /* Check to see if the entry is absent. If it is, mark this search
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 9670de2..12d6650 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -124,12 +124,13 @@ do_bind( Slapi_PBlock *pb )
     int		auth_response_requested = 0;
     int		pw_response_requested = 0;
     char		*rawdn = NULL;
-    char		*dn = NULL, *saslmech = NULL;
+    const char	*dn = NULL;
+    char		*saslmech = NULL;
     struct berval	cred = {0};
     Slapi_Backend		*be = NULL;
     ber_tag_t ber_rc;
     int rc = 0;
-    Slapi_DN sdn;
+    Slapi_DN *sdn = NULL;
     Slapi_Entry *referral;
     char errorbuf[BUFSIZ];
     char **supported, **pmech;
@@ -137,8 +138,6 @@ do_bind( Slapi_PBlock *pb )
     Slapi_Entry *bind_target_entry = NULL;
     int auto_bind = 0;
     int minssf = 0;
-    char *test_bind_dn = NULL;
-    size_t dnlen = 0;
 
     LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 );
 
@@ -174,7 +173,7 @@ do_bind( Slapi_PBlock *pb )
         return;
     }
     /* Check if we should be performing strict validation. */
-    if (config_get_dn_validate_strict()) { 
+    if (rawdn && config_get_dn_validate_strict()) { 
         /* check that the dn is formatted correctly */
         rc = slapi_dn_syntax_check(pb, rawdn, 1);
         if (rc) { /* syntax check failed */
@@ -186,27 +185,21 @@ do_bind( Slapi_PBlock *pb )
             return;
         }
     }
-    rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-    if (rc < 0) {
-        op_shared_log_error_access(pb, "BIND", rawdn?rawdn:"",
-                                   "invalid bind dn");
-        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-                         NULL, "invalid bind dn", 0, NULL);
-        slapi_ch_free_string(&rawdn);
+    sdn = slapi_sdn_new_dn_passin(rawdn);
+    dn = slapi_sdn_get_dn(sdn);
+    if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+        /* normalization failed */
+        op_shared_log_error_access(pb, "BIND", rawdn, "invalid bind dn");
+        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                         "invalid bind dn", 0, NULL);
+        slapi_sdn_free(&sdn);
         return;
-    } else if (rc > 0) { /* if rc == 0, rawdn is passed in */
-        slapi_ch_free_string(&rawdn);
-    } else { /* rc == 0; rawdn is passed in; not null terminated */
-        *(dn + dnlen) = '\0';
     }
-
-    slapi_sdn_init_dn_passin(&sdn, dn);
-
     LDAPDebug( LDAP_DEBUG_TRACE, "BIND dn=\"%s\" method=%d version=%d\n",
-               dn, method, version );
+               dn?dn:"empty", method, version );
 
     /* target spec is used to decide which plugins are applicable for the operation */
-    operation_set_target_spec (pb->pb_op, &sdn);
+    operation_set_target_spec (pb->pb_op, sdn);
 
     switch ( method ) {
     case LDAP_AUTH_SASL:
@@ -214,7 +207,7 @@ do_bind( Slapi_PBlock *pb )
             LDAPDebug( LDAP_DEBUG_ANY,
                        "got SASL credentials from LDAPv2 client\n",
                        0, 0, 0 );
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "SASL credentials only in LDAPv3");
+            log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "SASL credentials only in LDAPv3");
             send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                               "SASL credentials only in LDAPv3", 0, NULL );
             goto free_and_return;
@@ -243,7 +236,7 @@ do_bind( Slapi_PBlock *pb )
                 "LDAPv2-style kerberos authentication received "
                 "on LDAPv3 connection.";
             LDAPDebug( LDAP_DEBUG_ANY, kmsg, 0, 0, 0 );
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, kmsg);
+            log_bind_access (pb, dn?dn:"empty", method, version, saslmech, kmsg);
             send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                               kmsg, 0, NULL );
             goto free_and_return;
@@ -256,7 +249,7 @@ do_bind( Slapi_PBlock *pb )
         }
         break;
     default:
-        log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "Unknown bind method");
+        log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "Unknown bind method");
         send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                           "Unknown bind method", 0, NULL );
         goto free_and_return;
@@ -265,7 +258,7 @@ do_bind( Slapi_PBlock *pb )
         LDAPDebug( LDAP_DEBUG_ANY,
                    "ber_scanf failed (op=Bind; params=Credentials)\n",
                    0, 0, 0 );
-        log_bind_access (pb, slapi_sdn_get_dn (&sdn), method, version, saslmech, "decoding error");
+        log_bind_access (pb, dn?dn:"empty", method, version, saslmech, "decoding error");
         send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
                           "decoding error", 0, NULL );
         goto free_and_return;
@@ -284,7 +277,7 @@ do_bind( Slapi_PBlock *pb )
 
         if (( err = get_ldapmessage_controls( pb, ber, &reqctrls ))
             != 0 ) {
-            log_bind_access (pb, slapi_sdn_get_dn (&sdn), method,
+            log_bind_access (pb, dn?dn:"empty", method,
                              version, saslmech, "failed to parse LDAP controls");
             send_ldap_result( pb, err, NULL, NULL, 0, NULL );
             goto free_and_return;
@@ -316,8 +309,8 @@ do_bind( Slapi_PBlock *pb )
         {
             auto_bind = 1; /* flag the bind method */
             dn = slapi_ch_strdup(pb->pb_conn->c_dn);
-            slapi_sdn_done(&sdn);
-            slapi_sdn_init_dn_passin(&sdn,dn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_new_dn_passin(dn);
         }
     }
 #endif /* ENABLE_AUTOBIND */
@@ -330,7 +323,7 @@ do_bind( Slapi_PBlock *pb )
     pb->pb_conn->c_needpw = 0;
     PR_Unlock( pb->pb_conn->c_mutex );
 
-    log_bind_access(pb, dn, method, version, saslmech, NULL);
+    log_bind_access(pb, dn?dn:"empty", method, version, saslmech, NULL);
 
     switch ( version ) {
     case LDAP_VERSION2:
@@ -372,9 +365,9 @@ do_bind( Slapi_PBlock *pb )
                version, method, dn );
     pb->pb_conn->c_ldapversion = version;
 
-    isroot = slapi_dn_isroot( slapi_sdn_get_ndn(&sdn) );
+    isroot = slapi_dn_isroot( slapi_sdn_get_ndn(sdn) );
     slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
-    slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void*)slapi_sdn_get_ndn(&sdn) );
+    slapi_pblock_set( pb, SLAPI_BIND_TARGET_SDN, (void*)sdn );
     slapi_pblock_set( pb, SLAPI_BIND_METHOD, &method );
     slapi_pblock_set( pb, SLAPI_BIND_SASLMECHANISM, saslmech );
     slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, &cred );
@@ -613,9 +606,9 @@ do_bind( Slapi_PBlock *pb )
             slapi_value_init_berval(&cv,&cred);
 
             /* right dn and passwd - authorize */
-            if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) {
+            if ( is_root_dn_pw( slapi_sdn_get_ndn(sdn), &cv )) {
                 bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE,
-                                      slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ),
+                                      slapi_ch_strdup( slapi_sdn_get_ndn(sdn) ),
                                       NULL, NULL, NULL , NULL);
 
             /* right dn, wrong passwd - reject with invalid creds */
@@ -635,7 +628,7 @@ do_bind( Slapi_PBlock *pb )
             if ( auth_response_requested ) {
                 slapi_add_auth_response_control( pb,
                                            ( cred.bv_len == 0 ) ? "" :
-                                           slapi_sdn_get_ndn(&sdn));
+                                           slapi_sdn_get_ndn(sdn));
             }
             send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
 
@@ -687,7 +680,7 @@ do_bind( Slapi_PBlock *pb )
 
             /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
             if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
-                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(&sdn));
+                bind_target_entry = get_entry(pb,  slapi_sdn_get_ndn(sdn));
                 rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
             }
 
@@ -730,11 +723,11 @@ do_bind( Slapi_PBlock *pb )
                     if(!auto_bind)
                         bind_credentials_set( pb->pb_conn,
                                           authtype, slapi_ch_strdup(
-                                              slapi_sdn_get_ndn(&sdn)),
+                                              slapi_sdn_get_ndn(sdn)),
                                           NULL, NULL, NULL, bind_target_entry );
                     if ( auth_response_requested ) {
                         slapi_add_auth_response_control( pb,
-                                                   slapi_sdn_get_ndn(&sdn));
+                                                   slapi_sdn_get_ndn(sdn));
                     }
                 } else {	/* anonymous */
                     /* set bind creds here so anonymous limits are set */
@@ -803,16 +796,12 @@ do_bind( Slapi_PBlock *pb )
  free_and_return:;
     if (be)
         slapi_be_Unlock(be);
-    slapi_pblock_get(pb, SLAPI_BIND_TARGET, &test_bind_dn);
-    if (test_bind_dn != slapi_sdn_get_ndn(&sdn)) {
-        /* set in sasl bind or some other bind plugin */
-        slapi_ch_free_string(&test_bind_dn);
-    }
-    slapi_sdn_done(&sdn);
+    slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
+    slapi_sdn_free(&sdn);
     slapi_ch_free_string( &saslmech );
     slapi_ch_free( (void **)&cred.bv_val );
-	if ( bind_target_entry != NULL )
-		slapi_entry_free(bind_target_entry);
+    if ( bind_target_entry != NULL )
+        slapi_entry_free(bind_target_entry);
 }
 
 
diff --git a/ldap/servers/slapd/bulk_import.c b/ldap/servers/slapd/bulk_import.c
index 717ff47..cb35988 100644
--- a/ldap/servers/slapd/bulk_import.c
+++ b/ldap/servers/slapd/bulk_import.c
@@ -67,7 +67,7 @@ static int process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e);
    SLAPI_CONNECTION -- connection over which bulk import is coming
    SLAPI_BACKEND -- the backend being imported 
    or 
-   SLAPI_TARGET_DN that contains root of the imported area.   
+   SLAPI_TARGET_SDN that contains root of the imported area.   
    The function returns LDAP_SUCCESS or LDAP error code 
 */
 
@@ -80,7 +80,7 @@ int slapi_start_bulk_import (Slapi_PBlock *pb)
    SLAPI_CONNECTION -- connection over which bulk import is coming
    SLAPI_BACKEND -- the backend being imported 
    or 
-   SLAPI_TARGET_DN that contains root of the imported area.   
+   SLAPI_TARGET_SDN that contains root of the imported area.   
    The function returns LDAP_SUCCESS or LDAP error code 
 */
 int slapi_stop_bulk_import (Slapi_PBlock *pb)
@@ -103,9 +103,7 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
 {
     int rc;
     Slapi_Backend *be = NULL;
-    char *dn = NULL;
-    Slapi_DN sdn;
-    const Slapi_DN *target_sdn = NULL;
+    Slapi_DN *target_sdn = NULL;
 
     if (pb == NULL)
     {
@@ -125,29 +123,27 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
         /* try to get dn to select backend */
         if (e)
         {
-            target_sdn = slapi_entry_get_sdn_const (e);
-            be = slapi_be_select (target_sdn);
+            target_sdn = slapi_entry_get_sdn(e);
         }
         else
         {
-			slapi_sdn_init(&sdn);
-            slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-            if (dn)
-            {
-                slapi_sdn_init_dn_byref(&sdn, dn);
-                be = slapi_be_select (&sdn);
-				target_sdn = &sdn;
+            slapi_pblock_get (pb, SLAPI_TARGET_SDN, &target_sdn);
+            if (NULL == target_sdn) {
+                slapi_log_error(SLAPI_LOG_FATAL, NULL,
+                                "process_bulk_import_op: NULL target sdn\n");
+                return LDAP_OPERATIONS_ERROR;
             }
         }
+        be = slapi_be_select (target_sdn);
         
         if (be) 
         {
-			if (state == SLAPI_BI_STATE_START && (!slapi_be_issuffix(be, target_sdn)))
-			{
-            	slapi_log_error(SLAPI_LOG_FATAL, NULL,
-				 	"process_bulk_import_op: wrong backend suffix\n");
-            	return LDAP_OPERATIONS_ERROR;    
-			}
+            if (state == SLAPI_BI_STATE_START && (!slapi_be_issuffix(be, target_sdn)))
+            {
+                slapi_log_error(SLAPI_LOG_FATAL, NULL,
+                     "process_bulk_import_op: wrong backend suffix\n");
+                return LDAP_OPERATIONS_ERROR;    
+            }
             slapi_pblock_set (pb, SLAPI_BACKEND, be);
         }
         else
@@ -155,9 +151,6 @@ process_bulk_import_op (Slapi_PBlock *pb, int state, Slapi_Entry *e)
             slapi_log_error(SLAPI_LOG_FATAL, NULL, "process_bulk_import_op: NULL backend\n");
             return LDAP_OPERATIONS_ERROR;    
         }        
-
-		if (NULL == e)
-            slapi_sdn_done (&sdn);
     }
 
     if (be->be_wire_import == NULL)
diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
index 578d826..b5b28fb 100644
--- a/ldap/servers/slapd/compare.c
+++ b/ldap/servers/slapd/compare.c
@@ -66,8 +66,7 @@ do_compare( Slapi_PBlock *pb )
 {
 	BerElement	*ber = pb->pb_op->o_ber;
 	char		*rawdn = NULL;
-	char		*dn = NULL;
-	size_t		 len = 0;
+	const char	*dn = NULL;
 	struct ava	ava = {0};
 	Slapi_Backend		*be = NULL;
 	int		err;
@@ -118,18 +117,16 @@ do_compare( Slapi_PBlock *pb )
 			return;
 		}
 	}
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &len);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "CMP", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free((void **) &rawdn);
-		return;
-	} else if (err > 0) { /* if rc == 0, rawdn is passed in */
-		slapi_ch_free((void **) &rawdn);
-	} else { /* rc == 0; rawdn is passed in; not null terminated */
-		*(dn + len) = '\0';
-	}
+	slapi_sdn_init_dn_passin(&sdn, rawdn);
+	dn = slapi_sdn_get_dn(&sdn);
+    if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+        /* normalization failed */
+        op_shared_log_error_access(pb, "CMP", rawdn, "invalid dn");
+        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+                         "invalid dn", 0, NULL);
+        slapi_sdn_done(&sdn);
+        return;
+    }
 	/*
 	 * in LDAPv3 there can be optional control extensions on
 	 * the end of an LDAPMessage. we need to read them in and
@@ -139,19 +136,17 @@ do_compare( Slapi_PBlock *pb )
 		send_ldap_result( pb, err, NULL, NULL, 0, NULL );
 		goto free_and_return;
 	}
-	slapi_sdn_init_dn_passin(&sdn,dn);
-    dn = NULL; /* do not free - sdn owns it now */
 
 	/* target spec is used to decide which plugins are applicable for the operation */
 	operation_set_target_spec (pb->pb_op, &sdn);
 
 	LDAPDebug( LDAP_DEBUG_ARGS, "do_compare: dn (%s) attr (%s)\n",
-	    dn, ava.ava_type, 0 );
+	    rawdn, ava.ava_type, 0 );
 
 	slapi_log_access( LDAP_DEBUG_STATS,
 	    "conn=%" NSPRIu64 " op=%d CMP dn=\"%s\" attr=\"%s\"\n",
 	    pb->pb_conn->c_connid, pb->pb_op->o_opid,
-	    escape_string( dn, ebuf ), ava.ava_type );
+	    escape_string( rawdn, ebuf ), ava.ava_type );
 
 	/*
 	 * We could be serving multiple database backends.  Select the
@@ -188,7 +183,9 @@ do_compare( Slapi_PBlock *pb )
 		isroot = pb->pb_op->o_isroot;
 
 		slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
-		slapi_pblock_set( pb, SLAPI_COMPARE_TARGET, (void*)slapi_sdn_get_ndn(&sdn) );
+		/* EXCEPTION: compare target does not allocate memory. */
+		/* target never be modified by plugins. */
+		slapi_pblock_set( pb, SLAPI_COMPARE_TARGET_SDN, (void*)&sdn );
 		slapi_pblock_set( pb, SLAPI_COMPARE_TYPE, ava.ava_type);
 		slapi_pblock_set( pb, SLAPI_COMPARE_VALUE, &ava.ava_value );
 		/*
@@ -216,6 +213,5 @@ free_and_return:;
 	if (be)
 		slapi_be_Unlock(be);
 	slapi_sdn_done(&sdn);
-    slapi_ch_free_string(&dn);
 	ava_done( &ava );
 }
diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
index fa7dbe3..693efa1 100644
--- a/ldap/servers/slapd/delete.c
+++ b/ldap/servers/slapd/delete.c
@@ -72,8 +72,6 @@ do_delete( Slapi_PBlock *pb )
 	Slapi_Operation *operation;
 	BerElement	*ber;
 	char	    *rawdn = NULL;
-	char	    *dn = NULL;
-	size_t		dnlen = 0;
 	int			err = 0;
 
 	LDAPDebug( LDAP_DEBUG_TRACE, "do_delete\n", 0, 0, 0 );
@@ -107,22 +105,9 @@ do_delete( Slapi_PBlock *pb )
 							"strict: invalid dn");
 			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
 							 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free_string(&rawdn);
 			goto free_and_return;
 		}
 	}
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "DEL", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free_string(&rawdn);
-		goto free_and_return;
-	} else if (err > 0) { /* if err == 0, rawdn is passed in */
-		slapi_ch_free_string(&rawdn);
-	} else { /* err == 0; rawdn is passed in; not null terminated */
-		*(dn + dnlen) = '\0';
-	}
 
 	/*
 	 * in LDAPv3 there can be optional control extensions on
@@ -130,20 +115,20 @@ do_delete( Slapi_PBlock *pb )
 	 * pass them to the backend.
 	 */
 	if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 ) {
-		op_shared_log_error_access (pb, "DEL", dn, "decoding error");
+		op_shared_log_error_access (pb, "DEL", rawdn, "decoding error");
 		send_ldap_result( pb, err, NULL, NULL, 0, NULL );
 		goto free_and_return;
 	}
 
-	LDAPDebug( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", dn, 0, 0 );
-			
+	LDAPDebug1Arg( LDAP_DEBUG_ARGS, "do_delete: dn (%s)\n", rawdn );
+
 	slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn);
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, rawdn);
 
 	op_shared_delete (pb);
 
 free_and_return:;
-	slapi_ch_free ((void**)&dn);
+	slapi_ch_free ((void**)&rawdn);
 }
 
 /* This function is used to issue internal delete operation
@@ -158,7 +143,7 @@ slapi_delete_internal(const char *idn, LDAPControl **controls, int dummy)
     int             opresult;
 
     pblock_init (&pb);
-    	
+
     slapi_delete_internal_set_pb (&pb, idn, controls, NULL, plugin_get_default_component_id(), 0);
 
 	delete_internal_pb (&pb);
@@ -201,22 +186,26 @@ int slapi_delete_internal_pb (Slapi_PBlock *pb)
 }
 
 /* Initialize a pblock for a call to slapi_delete_internal_pb() */
-void slapi_delete_internal_set_pb (Slapi_PBlock *pb, const char *dn, LDAPControl **controls, const char *uniqueid, 
-								   Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_delete_internal_set_pb (Slapi_PBlock *pb,
+                              const char *rawdn,
+                              LDAPControl **controls, const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity, 
+                              int operation_flags)
 {  
 	Operation *op;
 	PR_ASSERT (pb != NULL);
-	if (pb == NULL || dn == NULL)
+	if (pb == NULL || rawdn == NULL)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
 						"slapi_delete_internal_set_pb: NULL parameter\n");
 		return;
 	}
 
-    op = internal_operation_new(SLAPI_OPERATION_DELETE,operation_flags);
+	op = internal_operation_new(SLAPI_OPERATION_DELETE,operation_flags);
 	slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)dn);
-    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)rawdn);
+	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
 	if (uniqueid)
 	{
 		slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
@@ -259,11 +248,12 @@ static int delete_internal_pb (Slapi_PBlock *pb)
 
 static void op_shared_delete (Slapi_PBlock *pb)
 {
-	char	      	*dn;
+	char			*rawdn = NULL;
+	const char		*dn = NULL;
 	Slapi_Backend	*be = NULL;
 	char			ebuf[ BUFSIZ ];
 	int				internal_op;
-	Slapi_DN		sdn;
+	Slapi_DN		*sdn = NULL;
 	Slapi_Operation *operation;
 	Slapi_Entry *referral;
 	Slapi_Entry	*ecopy = NULL;
@@ -274,15 +264,23 @@ static void op_shared_delete (Slapi_PBlock *pb)
 	int		proxy_err = LDAP_SUCCESS;
 	char		*errtext = NULL;
 
-	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn);
+	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &rawdn);
 	slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
 
-	slapi_sdn_init_dn_byref(&sdn,dn);
-	slapi_pblock_set(pb, SLAPI_DELETE_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
+	sdn = slapi_sdn_new_dn_byval(rawdn);
+	dn = slapi_sdn_get_dn(sdn);
+	slapi_pblock_set(pb, SLAPI_DELETE_TARGET_SDN, (void*)sdn);
+	if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "DEL", rawdn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
+		                 NULL, "invalid dn", 0, NULL);
+		goto free_and_return;
+	}
 
 	/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (operation, &sdn);
+	operation_set_target_spec (operation, sdn);
 
 	/* get the proxy auth dn if the proxy auth control is present */
 	proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -299,7 +297,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
 			slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn=\"%s\"%s\n",
 							pb->pb_conn->c_connid, 
 							pb->pb_op->o_opid,
-							escape_string(dn, ebuf),
+							escape_string(slapi_sdn_get_dn(sdn), ebuf),
 							proxystr ? proxystr: "");
 		}
 		else
@@ -307,7 +305,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
 			slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d DEL dn=\"%s\"%s\n",
 							LOG_INTERNAL_OP_CON_ID,
 							LOG_INTERNAL_OP_OP_ID,
-							escape_string(dn, ebuf),
+							escape_string(slapi_sdn_get_dn(sdn), ebuf),
 							proxystr ? proxystr: "");
 		}
 	}
@@ -398,6 +396,7 @@ free_and_return:
 		slapi_be_Unlock(be);
 	}
 	{
+		char *coldn = NULL;
 		Slapi_Entry *epre = NULL, *eparent = NULL;
 		slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &epre);
 		slapi_pblock_get(pb, SLAPI_DELETE_GLUE_PARENT_ENTRY, &eparent);
@@ -408,10 +407,12 @@ free_and_return:
 		}
 		slapi_entry_free(epre);
 		slapi_entry_free(eparent);
+		slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &coldn);
+		slapi_ch_free_string(&coldn);
 	}
-	slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &dn);
-	slapi_ch_free((void **)&dn);
-	slapi_sdn_done(&sdn);
+
+	slapi_pblock_get(pb, SLAPI_DELETE_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
 	slapi_ch_free_string(&proxydn);
 	slapi_ch_free_string(&proxystr);
 }
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 1912f70..e5b9db9 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -190,7 +190,6 @@ substr_dn_normalize_orig( char *dn, char *end )
 	char		*d = NULL;
 	char 		*s = NULL;
 	char		*typestart = NULL;
-	char		*rdnbegin = NULL;
 	char		*lastesc = NULL;
 	int		gotesc = 0;
 	int		state = B4TYPE;
@@ -231,7 +230,6 @@ substr_dn_normalize_orig( char *dn, char *end )
 				value_separator = NULL;
 				value = d;
 				state = ( *s == '"' ) ? INQUOTEDVALUE : INVALUE1ST;
-				rdnbegin = d;
 				lastesc = NULL;
 				*d++ = *s;
 			}
@@ -545,6 +543,9 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
             rc = 0;
         }
     }
+    if (0 == src_len) { /* src == "" */
+        goto bail;
+    }
 
     ends = src + src_len;
     endd = *dest + *dest_len;
@@ -1041,7 +1042,7 @@ slapi_dn_normalize_ext(char *src, size_t src_len, char **dest, size_t *dest_len)
             break;
         default:
             LDAPDebug( LDAP_DEBUG_ANY,
-                "slapi_dn_normalize - unknown state %d\n", state, 0, 0 );
+                "slapi_dn_normalize_ext - unknown state %d\n", state, 0, 0 );
             break;
         }
     }
@@ -1116,6 +1117,39 @@ slapi_create_dn_string(const char *fmt, ...)
     return dest;
 }
 
+char *
+slapi_create_rdn_value(const char *fmt, ...)
+{
+    char *src = NULL;
+    char *dest = NULL;
+    size_t dest_len = 0;
+    va_list ap;
+    int rc = 0;
+    char *dnfmt;
+
+    if (NULL == fmt) {
+        return NULL;
+    }
+
+    dnfmt = slapi_ch_smprintf("cn=%s", fmt);
+    va_start(ap, fmt);
+    src = PR_vsmprintf(dnfmt, ap);
+    va_end(ap);
+    slapi_ch_free_string(&dnfmt);
+
+    rc = slapi_dn_normalize_ext(src, strlen(src), &dest, &dest_len);
+    if (rc == 0) { /* src is passed in. */
+        *(dest + dest_len) = '\0';
+        dest = slapi_ch_strdup(dest + 3);
+    } else if (rc > 0) {
+        char *odest = dest;
+        dest = slapi_ch_strdup(dest + 3);
+        slapi_ch_free_string(&odest);
+    }
+    slapi_ch_free_string(&src);
+    return dest;
+}
+
 /*
  * Append previous AV to the attribute value array if multivalued RDN.
  * We use a stack based array at first and if we overflow that, we
@@ -1370,12 +1404,13 @@ dn_ignore_case_to_end( char *dn, char *end )
  * slapi_dn_normalize_case - put dn into a canonical form suitable for storing
  * in a hash database.  this involves normalizing the case as well as
  * the format.  the dn is normalized in place as well as returned.
+ * (DEPRECATED)
  */
 
 char *
 slapi_dn_normalize_case( char *dn )
 {
-	/* normalize format */
+	/* normalize format (DEPRECATED) noop */
 	slapi_dn_normalize( dn );
 
 	/* normalize case */
@@ -1698,6 +1733,9 @@ PR_DEFINE_COUNTER(slapi_sdn_counter_dn_exist);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_created);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_deleted);
 PR_DEFINE_COUNTER(slapi_sdn_counter_ndn_exist);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_created);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_deleted);
+PR_DEFINE_COUNTER(slapi_sdn_counter_udn_exist);
 
 static void
 sdn_create_counters()
@@ -1711,12 +1749,16 @@ sdn_create_counters()
 	PR_CREATE_COUNTER(slapi_sdn_counter_ndn_created,"Slapi_DN","internal_ndn_created","");
 	PR_CREATE_COUNTER(slapi_sdn_counter_ndn_deleted,"Slapi_DN","internal_ndn_deleted","");
 	PR_CREATE_COUNTER(slapi_sdn_counter_ndn_exist,"Slapi_DN","internal_ndn_exist","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_created,"Slapi_DN","internal_udn_created","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_deleted,"Slapi_DN","internal_udn_deleted","");
+	PR_CREATE_COUNTER(slapi_sdn_counter_udn_exist,"Slapi_DN","internal_udn_exist","");
 	counters_created= 1;
 }
 
 #define FLAG_ALLOCATED 0
 #define FLAG_DN 1
 #define FLAG_NDN 2
+#define FLAG_UDN 3
 
 Slapi_DN *
 slapi_sdn_new()
@@ -1730,10 +1772,18 @@ slapi_sdn_new()
     return sdn;
 }
 
+/*
+ * WARNING:
+ * Do not call slapi_sdn_init and its sibling APIs against Slapi_DN 
+ * allocated by slapi_sdn_new.  slapi_sdn_init clears all bits in the flag. 
+ * If sdn is allocated by slapi_sdn_new, the FLAG_ALLOCATED bit is cleared 
+ * and slapi_sdn_free won't free Slapi_DN.
+ */
 Slapi_DN *
 slapi_sdn_init(Slapi_DN *sdn)
 {
     sdn->flag= 0;
+    sdn->udn= NULL;
     sdn->dn= NULL;
     sdn->ndn= NULL;
 	sdn->ndn_len=0;
@@ -1748,7 +1798,7 @@ Slapi_DN *
 slapi_sdn_init_dn_byref(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
-    slapi_sdn_set_dn_byref(sdn,dn);
+    slapi_sdn_set_dn_byref(sdn, dn);
 	return sdn;
 }
 
@@ -1768,20 +1818,33 @@ slapi_sdn_init_dn_passin(Slapi_DN *sdn,const char *dn)
 	return sdn;
 }
 
-/* use when dn is normalized previously */
+/* use when dn is already normalized (but case is yet touched) */
 Slapi_DN *
-slapi_sdn_init_dn_ndn_byref(Slapi_DN *sdn,const char *dn) {
-	  slapi_sdn_init(sdn);
-	  slapi_sdn_set_dn_byref(sdn,dn);
-	  /* slapi_sdn_set_ndn_byref nulls out dn set in above statement */
-	  sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
-      sdn->ndn= dn;
-	  if(dn == NULL) {
-		  sdn->ndn_len=0;
-	  } else {
-	   sdn->ndn_len=strlen(dn);
-	  }
-	  return sdn;
+slapi_sdn_init_normdn_byref(Slapi_DN *sdn, const char *dn)
+{
+    slapi_sdn_init(sdn);
+    if(dn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(dn);
+        sdn->dn = dn;
+    }
+    return sdn;
+}
+
+/* use when dn is already normalized (but case is yet touched) */
+Slapi_DN *
+slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn)
+{
+    slapi_sdn_init(sdn);
+    if(dn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(dn);
+        sdn->dn = dn;
+        sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    }
+    return sdn;
 }
 
 Slapi_DN *
@@ -1789,7 +1852,7 @@ slapi_sdn_init_ndn_byref(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
     slapi_sdn_set_ndn_byref(sdn,dn);
-	return sdn;
+    return sdn;
 }
 
 Slapi_DN *
@@ -1797,7 +1860,7 @@ slapi_sdn_init_ndn_byval(Slapi_DN *sdn,const char *dn)
 {
     slapi_sdn_init(sdn);
     slapi_sdn_set_ndn_byval(sdn,dn);
-	return sdn;
+    return sdn;
 }
 
 Slapi_DN *
@@ -1845,16 +1908,46 @@ slapi_sdn_new_ndn_byref(const char *ndn)
     return sdn;
 }
 
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_byref(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_byref(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_byref");
+    return sdn;
+}
+
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_passin(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_passin(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_passin");
+    return sdn;
+}
+
+/* use when dn is already normalized */
+Slapi_DN *
+slapi_sdn_new_normdn_byval(const char *normdn)
+{
+    Slapi_DN *sdn = slapi_sdn_new();
+    slapi_sdn_set_normdn_byval(sdn, normdn);
+    SDN_DUMP( sdn, "slapi_sdn_new_normdn_byval");
+    return sdn;
+}
+
 Slapi_DN *
 slapi_sdn_set_dn_byval(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_DN);
+    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_UDN);
 	if(dn!=NULL)
 	{
-		sdn->dn= slapi_ch_strdup(dn);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+		sdn->udn= slapi_ch_strdup(dn);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_created);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_exist);
 	}
     return sdn;
 }
@@ -1863,8 +1956,8 @@ Slapi_DN *
 slapi_sdn_set_dn_byref(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
-    sdn->dn= dn;
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_UDN);
+    sdn->udn= dn;
     return sdn;
 }
 
@@ -1872,17 +1965,64 @@ Slapi_DN *
 slapi_sdn_set_dn_passin(Slapi_DN *sdn, const char *dn)
 {
     slapi_sdn_done(sdn);
-    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_DN);
-    sdn->dn= dn;
+    sdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_UDN);
+    sdn->udn= dn;
 	if(dn!=NULL)
 	{
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
-	    PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_created);
+	    PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_exist);
 	}
     return sdn;
 }
 
 Slapi_DN *
+slapi_sdn_set_normdn_byref(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_unsetbit_uchar(sdn->flag, FLAG_DN);
+    sdn->dn = normdn;
+    if(normdn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(normdn);
+    }
+    return sdn;
+}
+
+Slapi_DN *
+slapi_sdn_set_normdn_passin(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    sdn->dn = normdn;
+    if(normdn == NULL) {
+        sdn->ndn_len = 0;
+    } else {
+        sdn->ndn_len = strlen(normdn);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+    }
+    return sdn;
+}
+
+Slapi_DN *
+slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn)
+{
+    slapi_sdn_done(sdn);
+    sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+    if(normdn == NULL) {
+        sdn->dn = slapi_ch_strdup(normdn);
+        sdn->ndn_len = 0;
+    } else {
+        sdn->dn = slapi_ch_strdup(normdn);
+        sdn->ndn_len = strlen(normdn);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+    }
+    return sdn;
+}
+
+Slapi_DN *
 slapi_sdn_set_ndn_byval(Slapi_DN *sdn, const char *ndn)
 {
     slapi_sdn_done(sdn);
@@ -1925,7 +2065,7 @@ slapi_sdn_set_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
 	else
 	{
 		/* NewDN= NewRDN + OldParent */
-		char *parentdn= slapi_dn_parent(sdn->dn);
+		char *parentdn = slapi_dn_parent(slapi_sdn_get_dn(sdn));
 		char *newdn = slapi_ch_smprintf("%s,%s", rawrdn, parentdn);
 		slapi_ch_free((void**)&parentdn);
 		slapi_sdn_set_dn_passin(sdn,newdn);
@@ -1939,7 +2079,7 @@ slapi_sdn_set_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
 Slapi_DN *
 slapi_sdn_add_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn)
 {
-	const char *rawrdn= slapi_rdn_get_rdn(rdn);
+	const char *rawrdn = slapi_rdn_get_rdn(rdn);
     if(slapi_sdn_isempty(sdn))
 	{
 		slapi_sdn_set_dn_byval(sdn,rawrdn);
@@ -1972,7 +2112,7 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn)
 		/* NewDN= OldRDN + NewParent */
 		Slapi_RDN rdn;
 		const char *rawrdn;
-		slapi_rdn_init_dn(&rdn,sdn->dn);
+		slapi_rdn_init_dn(&rdn, slapi_sdn_get_dn(sdn));
 		rawrdn= slapi_rdn_get_rdn(&rdn);
 	    if(slapi_sdn_isempty(parentdn))
 		{
@@ -1980,12 +2120,9 @@ slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn)
 		}
 		else
 		{
-			char *newdn;
-			newdn= slapi_ch_malloc(strlen(rawrdn)+1+strlen(parentdn->dn)+1);
-			strcpy( newdn, rawrdn );
-			strcat( newdn, "," );
-			strcat( newdn, parentdn->dn );
-			slapi_sdn_set_dn_passin(sdn,newdn);
+			char *newdn = 
+			    slapi_ch_smprintf("%s,%s", rawrdn, slapi_sdn_get_dn(parentdn));
+			slapi_sdn_set_dn_passin(sdn, newdn);
 		}
 		slapi_rdn_done(&rdn);
 	}
@@ -2005,7 +2142,6 @@ slapi_sdn_done(Slapi_DN *sdn)
         if(slapi_isbitset_uchar(sdn->flag,FLAG_DN))
         {
             slapi_ch_free((void**)&(sdn->dn));
-            sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
             PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_deleted);
             PR_DECREMENT_COUNTER(slapi_sdn_counter_dn_exist);
         }
@@ -2014,22 +2150,36 @@ slapi_sdn_done(Slapi_DN *sdn)
             sdn->dn= NULL;
         }
     }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_DN);
     if(sdn->ndn!=NULL)
     {
         if(slapi_isbitset_uchar(sdn->flag,FLAG_NDN))
         {
             slapi_ch_free((void**)&(sdn->ndn));
-            sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
-			sdn->ndn_len=0;
             PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_deleted);
             PR_DECREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
         }
         else
         {
             sdn->ndn= NULL;
-			sdn->ndn_len=0;
         }
     }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_NDN);
+    sdn->ndn_len=0;
+    if(sdn->udn!=NULL)
+    {
+        if(slapi_isbitset_uchar(sdn->flag,FLAG_UDN))
+        {
+            slapi_ch_free((void**)&(sdn->udn));
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_udn_deleted);
+            PR_DECREMENT_COUNTER(slapi_sdn_counter_udn_exist);
+        }
+        else
+        {
+            sdn->udn= NULL;
+        }
+    }
+    sdn->flag= slapi_unsetbit_uchar(sdn->flag,FLAG_UDN);
 }
 
 void
@@ -2037,9 +2187,11 @@ slapi_sdn_free(Slapi_DN **sdn)
 {
 	if(sdn!=NULL && *sdn!=NULL)
 	{
+	    int is_allocated = 0;
 	    SDN_DUMP( *sdn, "slapi_sdn_free");
+	    is_allocated = slapi_isbitset_uchar((*sdn)->flag, FLAG_ALLOCATED);
 	    slapi_sdn_done(*sdn);
-	    if(slapi_isbitset_uchar((*sdn)->flag,FLAG_ALLOCATED))
+	    if(is_allocated)
 	    {
 	        slapi_ch_free((void**)sdn);
 	        PR_INCREMENT_COUNTER(slapi_sdn_counter_deleted);
@@ -2051,43 +2203,75 @@ slapi_sdn_free(Slapi_DN **sdn)
 const char *
 slapi_sdn_get_dn(const Slapi_DN *sdn)
 {
-    return (sdn->dn!=NULL ? sdn->dn : sdn->ndn);
+    if (NULL == sdn) {
+        return NULL;
+    }
+    if (sdn->dn) {
+        return sdn->dn;
+    } else if (sdn->ndn) {
+        return sdn->ndn;
+    } else if (sdn->udn) {
+        char *udn = slapi_ch_strdup(sdn->udn);
+        char *normed = NULL;
+        size_t dnlen = 0;
+        Slapi_DN *ncsdn = (Slapi_DN*)sdn; /* non-const Slapi_DN */
+        int rc = slapi_dn_normalize_ext(udn, 0, &normed, &dnlen);
+        if (rc == 0) { /* udn is passed in */
+            *(normed + dnlen) = '\0';
+            ncsdn->dn = normed;
+            ncsdn->ndn_len = dnlen;
+            ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+        } else if (rc > 0) { /* rc > 0 */
+            slapi_ch_free_string(&udn);
+            ncsdn->dn = normed;
+            ncsdn->ndn_len = dnlen;
+            ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_created);
+            PR_INCREMENT_COUNTER(slapi_sdn_counter_dn_exist);
+        }
+        /* else (rc < 0); normzlization failed. return NULL */
+        return sdn->dn;
+    } else {
+        return NULL;
+    }
 }
 
 const char *
 slapi_sdn_get_ndn(const Slapi_DN *sdn)
 {
-    if(sdn->ndn==NULL)
-    {
-        if(sdn->dn!=NULL)
-        {
-            char *p= slapi_ch_strdup(sdn->dn);
-            char *normed = NULL;
-            size_t dnlen = 0;
-            int rc = 0;
-
-            Slapi_DN *ncsdn= (Slapi_DN*)sdn; /* non-const Slapi_DN */
-            rc = slapi_dn_normalize_case_ext(p, 0, &normed, &dnlen);
-            if (rc < 0) {
-                /* we give up, just set dn to ndn */
-                slapi_dn_ignore_case(p); /* ignore case */
-                ncsdn->ndn = p;
-                ncsdn->ndn_len = strlen(p);
-            } else if (rc == 0) { /* p is passed in */
-                *(normed + dnlen) = '\0';
-                ncsdn->ndn = normed;
-                ncsdn->ndn_len = dnlen;
-            } else { /* rc > 0 */
-                slapi_ch_free_string(&p);
-                ncsdn->ndn = normed;
-                ncsdn->ndn_len = dnlen;
-            }
-            ncsdn->flag= slapi_setbit_uchar(sdn->flag,FLAG_NDN);
-            PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_created);
-            PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
-        }
+    if (NULL == sdn) {
+        return NULL;
+    }
+    if (sdn->ndn) {
+        return sdn->ndn;
+    } else if (sdn->dn || sdn->udn) {
+        Slapi_DN *ncsdn = (Slapi_DN*)sdn; /* non-const Slapi_DN */
+        char *ndn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+        slapi_dn_ignore_case(ndn); /* ignore case */
+        ncsdn->ndn = ndn;
+        ncsdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_NDN);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_created);
+        PR_INCREMENT_COUNTER(slapi_sdn_counter_ndn_exist);
+        return ndn;
+    } else {
+        return NULL;
+    }
+}
+
+const char *
+slapi_sdn_get_udn(const Slapi_DN *sdn)
+{
+    if (sdn->udn) {
+        return sdn->udn;
+    } else if (sdn->dn) {
+        return sdn->dn;
+    } else if (sdn->ndn) {
+        return sdn->ndn;
+    } else {
+        return NULL;
     }
-    return sdn->ndn;
 }
 
 void
@@ -2123,52 +2307,45 @@ Slapi_DN *
 slapi_sdn_dup(const Slapi_DN *sdn)
 {
 	Slapi_DN *tmp;
-    SDN_DUMP( sdn, "slapi_sdn_dup");
-    tmp=slapi_sdn_new_dn_byval(slapi_sdn_get_dn(sdn));
-	/* can't use slapi_set_ndn_byval -- it nulls the dn */
-	tmp->flag= slapi_setbit_uchar(tmp->flag,FLAG_NDN);
-	if(sdn->ndn!=NULL)
-	{
-		tmp->ndn= slapi_ch_strdup(sdn->ndn);
-		tmp->ndn_len=sdn->ndn_len;
-	} else tmp->ndn=NULL;
+	SDN_DUMP( sdn, "slapi_sdn_dup");
+	tmp = slapi_sdn_new_normdn_byval(slapi_sdn_get_dn(sdn));
 	return tmp;
 }
 
 void
 slapi_sdn_copy(const Slapi_DN *from, Slapi_DN *to)
 {
-    SDN_DUMP( from, "slapi_sdn_copy from");
-    SDN_DUMP( to, "slapi_sdn_copy to");
+	SDN_DUMP( from, "slapi_sdn_copy from");
+	SDN_DUMP( to, "slapi_sdn_copy to");
 	slapi_sdn_done(to);
-	slapi_sdn_set_dn_byval(to,slapi_sdn_get_dn(from));
+	slapi_sdn_set_normdn_byval(to, slapi_sdn_get_dn(from));
 }
 
 int
 slapi_sdn_compare( const Slapi_DN *sdn1, const Slapi_DN *sdn2 )
 {
-    int rc;
-    const char *ndn1= slapi_sdn_get_ndn(sdn1);
-    const char *ndn2= slapi_sdn_get_ndn(sdn2);
+	int rc;
+	const char *ndn1= slapi_sdn_get_ndn(sdn1);
+	const char *ndn2= slapi_sdn_get_ndn(sdn2);
 	if(ndn1==ndn2)
 	{
 	    rc= 0;
 	}
 	else
 	{
-	    if(ndn1==NULL)
+		if(ndn1==NULL)
 		{
 		    rc= -1;
 		}
 		else
 		{
-    	    if(ndn2==NULL)
-    		{
-    		    rc= 1;
-    		}
-    		else
-    		{
-                rc= strcmp(ndn1,ndn2);
+			if(ndn2==NULL)
+			{
+				rc= 1;
+			}
+			else
+			{
+				rc= strcmp(ndn1,ndn2);
 			}
 		}
 	}
@@ -2176,22 +2353,25 @@ slapi_sdn_compare( const Slapi_DN *sdn1, const Slapi_DN *sdn2 )
 }
 
 int
-slapi_sdn_isempty( const Slapi_DN *sdn)
+slapi_sdn_isempty(const Slapi_DN *sdn)
 {
-    const char *dn= slapi_sdn_get_dn(sdn);
+	const char *dn = NULL;
+	if (sdn) {
+		dn = slapi_sdn_get_dn(sdn);
+	}
 	return (dn==NULL || dn[0]=='\0');
 }
 
 int
 slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
 {
-    int rc;
-    const char *dn= slapi_sdn_get_ndn(sdn);
+	int rc;
+	const char *dn= slapi_sdn_get_ndn(sdn);
 	const char *suffixdn= slapi_sdn_get_ndn(suffixsdn);
 	if(dn!=NULL && suffixdn!=NULL)
 	{
-    	int dnlen = slapi_sdn_get_ndn_len(sdn);
-        int suffixlen= slapi_sdn_get_ndn_len(suffixsdn);
+		int dnlen = slapi_sdn_get_ndn_len(sdn);
+		int suffixlen= slapi_sdn_get_ndn_len(suffixsdn);
 		if (dnlen<suffixlen)
 		{
 		    rc= 0;
@@ -2203,9 +2383,8 @@ slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
 				return ( 1 );
 			}
 
-        	rc= ( (strcasecmp(suffixdn, dn+dnlen-suffixlen)==0)
-					&& ( (dnlen == suffixlen)
-						 || DNSEPARATOR(dn[dnlen-suffixlen-1])) );
+			rc = (((dnlen == suffixlen) || DNSEPARATOR(dn[dnlen-suffixlen-1]))
+			      && (strcasecmp(suffixdn, dn+dnlen-suffixlen)==0));
 		}
 	}
 	else
@@ -2219,11 +2398,11 @@ slapi_sdn_issuffix(const Slapi_DN *sdn, const Slapi_DN *suffixsdn)
 int
 slapi_sdn_get_ndn_len(const Slapi_DN *sdn)
 {
-    int r= 0;
-	(void)slapi_sdn_get_ndn(sdn); /* does the normalization if needed */
-	if(sdn->ndn!=NULL)
+    int r = 0;
+	(void)slapi_sdn_get_dn(sdn); /* does the normalization if needed */
+	if(sdn->dn || sdn->ndn)
 	{
-		r= sdn->ndn_len;	
+		r = sdn->ndn_len;	
 	}
 	return r;
 }
@@ -2296,7 +2475,7 @@ slapi_sdn_scope_test( const Slapi_DN *dn, const Slapi_DN *base, int scope )
  * build the new dn of an entry for moddn operations
  */
 char *
-slapi_moddn_get_newdn(Slapi_DN *dn_olddn, char *newrdn, char *newsuperiordn)
+slapi_moddn_get_newdn(Slapi_DN *dn_olddn, const char *newrdn, const char *newsuperiordn)
 {
     char *newdn;
 	
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index e3bfb18..727e999 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -1426,18 +1426,17 @@ dse_delete_entry(struct dse* pdse, Slapi_PBlock *pb, const Slapi_Entry *e)
 int
 dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from this function! */
 {
-	char *dn; /* The bind DN */
 	int	method; /* The bind method */
 	struct berval *cred; /* The bind credentials */
 	Slapi_Value **bvals; 
     struct dse* pdse;
 	Slapi_Attr *attr;
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
 	Slapi_Entry *ec= NULL;
 
 	/*Get the parameters*/
 	if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-		slapi_pblock_get( pb, SLAPI_BIND_TARGET, &dn ) < 0 ||
+		slapi_pblock_get( pb, SLAPI_BIND_TARGET_SDN, &sdn ) < 0 ||
 		slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ) < 0 ||
 		slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &cred ) < 0){
 		slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1456,13 +1455,10 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
 		return( SLAPI_BIND_FAIL );
 	}
 
-	/* Find the entry that the person is attempting to bind as */
-	slapi_sdn_init_dn_byref(&sdn,dn);
-    ec = dse_get_entry_copy(pdse,&sdn,DSE_USE_LOCK);
+    ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
     if ( ec == NULL )
 	{
 		slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
 		return( SLAPI_BIND_FAIL );
 	}
 
@@ -1475,7 +1471,6 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
 		{
 			slapi_send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL );
 			slapi_entry_free(ec);
-			slapi_sdn_done(&sdn);
 			return SLAPI_BIND_FAIL;
 		}
 		bvals= attr_get_present_values( attr );
@@ -1485,7 +1480,6 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
 		{
 			slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL );
 			slapi_entry_free(ec);
-			slapi_sdn_done(&sdn);
 			value_done(&cv);
 			return SLAPI_BIND_FAIL;
 		}
@@ -1496,11 +1490,9 @@ dse_bind( Slapi_PBlock *pb ) /* JCM There should only be one exit point from thi
 	default:
 		slapi_send_ldap_result( pb, LDAP_STRONG_AUTH_NOT_SUPPORTED, NULL, "auth method not supported", 0, NULL );
 		slapi_entry_free(ec);
-		slapi_sdn_done(&sdn);
 		return SLAPI_BIND_FAIL;
 	}
 	slapi_entry_free(ec);
-	slapi_sdn_done(&sdn);
 	/* success:  front end will send result */
 	return SLAPI_BIND_SUCCESS;
 }
@@ -1647,7 +1639,6 @@ do_dse_search(struct dse* pdse, Slapi_PBlock *pb, int scope, const Slapi_DN *bas
 int
 dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *base; /*Base of the search*/
     int scope; /*Scope of the search*/
     Slapi_Filter *filter; /*The filter*/
     char **attrs; /*Attributes*/
@@ -1657,7 +1648,7 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     int returncode= LDAP_SUCCESS;
     int isrootdse= 0;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN basesdn;
+	Slapi_DN *basesdn = NULL;
 	int estimate = 0; /* estimated search result set size */
 
     /* 
@@ -1666,7 +1657,7 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
      * more or less directly from the client.
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET, &base ) < 0 ||
+        slapi_pblock_get( pb, SLAPI_SEARCH_TARGET_SDN, &basesdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_SCOPE, &scope ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter ) < 0 ||
         slapi_pblock_get( pb, SLAPI_SEARCH_ATTRS, &attrs ) < 0 ||
@@ -1675,27 +1666,23 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
         return(-1);
     }
-
-	slapi_sdn_init_dn_byref(&basesdn,base);
-	
     /*
      * Sadly the root dse is still a special case.  We must not allow
      * acl checks on it, or allow onelevel or subtree searches on it.
      */
-    isrootdse= slapi_sdn_isempty(&basesdn);
+    isrootdse= slapi_sdn_isempty(basesdn);
 
     switch(scope)
     {
     case LDAP_SCOPE_BASE:
         {
 		Slapi_Entry *baseentry= NULL;
-	    baseentry = dse_get_entry_copy(pdse,&basesdn,DSE_USE_LOCK);
+	    baseentry = dse_get_entry_copy(pdse, basesdn, DSE_USE_LOCK);
         if ( baseentry == NULL )
         {
             slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
 			slapi_log_error(SLAPI_LOG_PLUGIN,"dse_search", "node %s was not found\n",
-								 slapi_sdn_get_dn(&basesdn));
-			slapi_sdn_done(&basesdn);
+								 slapi_sdn_get_dn(basesdn));
             return -1;
         }
         /* 
@@ -1726,14 +1713,13 @@ dse_search(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     case LDAP_SCOPE_SUBTREE:
         if(!isrootdse)
         {
-            estimate = do_dse_search(pdse, pb, scope, &basesdn, filter, attrs, attrsonly);
+            estimate = do_dse_search(pdse, pb, scope, basesdn, filter, attrs, attrsonly);
         }
         break;
     }
 	slapi_pblock_set (pb, SLAPI_SEARCH_RESULT_SET_SIZE_ESTIMATE, &estimate);
 
     /* Search is done, send LDAP_SUCCESS */
-	slapi_sdn_done(&basesdn);
     return 0;
 }
 
@@ -1756,19 +1742,19 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 {
     int	err; /*House keeping stuff*/
     LDAPMod **mods; /*Used to apply the modifications*/
-    char *dn; /*Storage for the dn*/
     char *errbuf = NULL; /* To get error back */
     struct dse* pdse;
     Slapi_Entry *ec= NULL;
     Slapi_Entry *ecc= NULL;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
 	int dont_write_file = 0; /* default */
 
 	PR_ASSERT(pb);
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn ) < 0 ||
+        /* slapi_pblock_get( pb, SLAPI_MODIFY_TARGET, &dn ) < 0 || */
+        slapi_pblock_get( pb, SLAPI_MODIFY_TARGET_SDN, &sdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods ) < 0 || (NULL == pdse))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1780,14 +1766,11 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         return( -1 );
     }
 
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
     /* Find the entry we are about to modify. */
-    ec = dse_get_entry_copy(pdse,&sdn,DSE_USE_LOCK);
+    ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
     if ( ec == NULL )
     {
         slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
 
@@ -1797,7 +1780,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     {
         slapi_send_ldap_result( pb, err, NULL, errbuf, 0, NULL );
         if (errbuf)  slapi_ch_free ((void**)&errbuf);
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
 
@@ -1817,7 +1799,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         {
         /* Error occured in the callback -- return error code from callback */
         slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
-		slapi_sdn_done(&sdn);
 		return dse_modify_return( -1, ec, ecc );
         }
 
@@ -1825,7 +1806,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
         {
         /* Callback says don't apply the changes -- return Success */
 		slapi_send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
 		return dse_modify_return( 0, ec, ecc );
         }
 
@@ -1861,7 +1841,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 		{
 			/* entry_apply_mods() failed above, so return an error now */
             slapi_send_ldap_result( pb, err, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
             return dse_modify_return( -1, ec, ecc );
 		}
         break;
@@ -1875,7 +1854,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 
 	slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_OBJECT_CLASS_VIOLATION, NULL, errtext, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
 
@@ -1886,7 +1864,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 
         slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, errtext, 0, NULL );
-        slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
 
@@ -1895,7 +1872,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     if (dse_replace_entry( pdse, ecc, !dont_write_file, DSE_USE_LOCK )!=0 )
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_modify_return( -1, ec, ecc );
     }
     slapi_pblock_set( pb, SLAPI_ENTRY_POST_OP, slapi_entry_dup(ecc) ); /* JCM - When does this get free'd? */
@@ -1904,7 +1880,6 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 
     slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
 
-	slapi_sdn_done(&sdn);
     return dse_modify_return(0, ec, ecc);
 }
 
@@ -1922,7 +1897,6 @@ dse_add_return( int rv, Slapi_Entry *e)
 int
 dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *dn = NULL;
     Slapi_Entry *e; /*The new entry to add*/
 	Slapi_Entry *e_copy = NULL; /* copy of added entry */
     char *errbuf = NULL;
@@ -1932,14 +1906,14 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
     struct dse* pdse;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
-	Slapi_DN sdn;
+	Slapi_DN *sdn = NULL;
 	Slapi_DN parent;
 
     /*
      * Get the database, the dn and the entry to add
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_ADD_TARGET, &dn ) < 0 ||
+        slapi_pblock_get( pb, SLAPI_ADD_TARGET_SDN, &sdn ) < 0 ||
         slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &e ) < 0 || (NULL == pdse))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
@@ -1951,8 +1925,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         return( error );
     }
 
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
     /*
      * Check to make sure the entry passes the schema check
      */
@@ -1963,7 +1935,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
 				"dse_add: entry failed schema check\n", 0, 0, 0 );
 	slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_OBJECT_CLASS_VIOLATION, NULL, errtext, 0, NULL );
-		slapi_sdn_done(&sdn);
         return error;
     }
 
@@ -1975,7 +1946,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
                                 "dse_add: entry failed syntax check\n", 0, 0, 0 );
         slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &errtext);
         slapi_send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, errtext, 0, NULL );
-        slapi_sdn_done(&sdn);
         return error;
     }
 
@@ -1983,7 +1953,7 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
      * Attempt to find this dn.
      */
     {
-        Slapi_Entry *existingentry= dse_get_entry_copy( pdse, &sdn, DSE_USE_LOCK );
+        Slapi_Entry *existingentry= dse_get_entry_copy( pdse, sdn, DSE_USE_LOCK );
         if(existingentry!=NULL)
         {
             /*
@@ -1991,7 +1961,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
              * whose dn matches dn, so tell the user and return
              */
             slapi_send_ldap_result( pb, LDAP_ALREADY_EXISTS, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
 			slapi_entry_free(existingentry);
 			return dse_add_return(error, NULL);
         }
@@ -2003,7 +1972,7 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
      * add the entry.
      */
 	slapi_sdn_init(&parent);
-	slapi_sdn_get_parent(&sdn,&parent);
+	slapi_sdn_get_parent(sdn, &parent);
     if ( !slapi_sdn_isempty(&parent) )
     {
 	    Slapi_Entry *parententry= NULL;
@@ -2012,7 +1981,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         {
             slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: parent does not exist\n", 0, 0, 0 );
-			slapi_sdn_done(&sdn);
 			slapi_sdn_done(&parent);
 			return dse_add_return(error, NULL);
         }
@@ -2023,7 +1991,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: no access to parent\n", 0, 0, 0 );
             slapi_send_ldap_result( pb, rc, NULL, NULL, 0, NULL );
             slapi_ch_free((void**)&errbuf);
-			slapi_sdn_done(&sdn);
 			slapi_sdn_done(&parent);
 			return dse_add_return(rc, NULL);
         }
@@ -2037,7 +2004,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
         {
             LDAPDebug( SLAPI_DSE_TRACELEVEL, "dse_add: no parent and not root\n", 0, 0, 0 );
             slapi_send_ldap_result( pb, LDAP_INSUFFICIENT_ACCESS, NULL, NULL, 0, NULL );
-			slapi_sdn_done(&sdn);
 			slapi_sdn_done(&parent);
 			return dse_add_return(error, NULL);
         }
@@ -2060,7 +2026,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
 			NULL, &returncode, returntext)!=SLAPI_DSE_CALLBACK_OK)
     {
         slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
-		slapi_sdn_done(&sdn);
 		return dse_add_return(error, NULL);
     }
 
@@ -2069,7 +2034,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
     if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
 		return dse_add_return(error, NULL);
     }
 	/* The postop must be called after the write lock is released. */
@@ -2083,9 +2047,6 @@ dse_add(Slapi_PBlock *pb) /* JCM There should only be one exit point from this f
 	/* entry has been freed, so make sure no one tries to use it later */
 	slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
 
-    /* Free the dn, and return */
-	slapi_sdn_done(&sdn);
-
 	return dse_add_return(rc, e);
 }
 
@@ -2104,40 +2065,37 @@ dse_delete_return( int rv, Slapi_Entry *ec)
 int
 dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from this function! */
 {
-    char *dn = NULL;
     int rc= -1;
-	int dont_write_file = 0;	/* default */
+    int dont_write_file = 0;	/* default */
     struct dse* pdse = NULL;
     int returncode= LDAP_SUCCESS;
     char returntext[SLAPI_DSE_RETURNTEXT_SIZE]= "";
     char *entry_str = "entry";
     char *errbuf = NULL;
-	char *attrs[2] =  { NULL, NULL };
-	Slapi_DN sdn;
-	Slapi_Entry *ec = NULL; /* copy of entry to delete */
+    char *attrs[2] =  { NULL, NULL };
+    Slapi_DN *sdn = NULL;
+    Slapi_Entry *ec = NULL; /* copy of entry to delete */
 
     /*
      * Get the database and the dn
      */
     if (slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &pdse ) < 0 ||
-        slapi_pblock_get( pb, SLAPI_DELETE_TARGET, &dn ) < 0 || (pdse == NULL))
+        slapi_pblock_get( pb, SLAPI_DELETE_TARGET_SDN, &sdn ) < 0 ||
+        (pdse == NULL))
     {
         slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
         return rc;
     }
 
-	slapi_pblock_get(pb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING, &dont_write_file);
-	if ( !dont_write_file && dse_check_for_readonly_error(pb,pdse)) {
+    slapi_pblock_get(pb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING, &dont_write_file);
+    if ( !dont_write_file && dse_check_for_readonly_error(pb,pdse)) {
         return( rc );
     }
 
-	slapi_sdn_init_dn_byref(&sdn,dn);
-
-    ec= dse_get_entry_copy( pdse, &sdn, DSE_USE_LOCK );
+    ec= dse_get_entry_copy( pdse, sdn, DSE_USE_LOCK );
     if (ec == NULL)
     {
         slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
 
@@ -2147,7 +2105,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     if(dse_numsubordinates(ec)>0)
     {
         slapi_send_ldap_result( pb, LDAP_NOT_ALLOWED_ON_NONLEAF, NULL, NULL, 0, NULL );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
 
@@ -2161,7 +2118,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     {
         slapi_send_ldap_result( pb, returncode, NULL, NULL, 0, NULL );
         slapi_ch_free ( (void**)&errbuf );
-		slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
 
@@ -2175,7 +2131,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
     else
     {
         slapi_send_ldap_result( pb, returncode, NULL, NULL, 0, NULL );
-        slapi_sdn_done(&sdn);
         return dse_delete_return( rc, ec );
     }
 
@@ -2183,7 +2138,6 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
 
     slapi_send_ldap_result( pb, returncode, NULL, returntext, 0, NULL );
 	slapi_pblock_set( pb, SLAPI_ENTRY_PRE_OP, slapi_entry_dup( ec ));
-	slapi_sdn_done(&sdn);
     return dse_delete_return(0, ec);
 }
 
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 9e0f0fb..3b2c410 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -269,18 +269,22 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
 					normdn = 
 						slapi_dn_normalize_original(slapi_ch_strdup(rawdn));
 				} else {
-					normdn = slapi_create_dn_string("%s", rawdn);
-					if (NULL == normdn) {
-						LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  		"str2entry_fast: Invalid DN: %s\n", rawdn);
-						slapi_entry_free( e );
-						if (freeval) slapi_ch_free_string(&value.bv_val);
-						e = NULL;
-						goto done;
+					if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+						normdn = slapi_ch_strdup(rawdn);
+					} else {
+						normdn = slapi_create_dn_string("%s", rawdn);
+						if (NULL == normdn) {
+							LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+							     "str2entry_fast: Invalid DN: %s\n", rawdn);
+							slapi_entry_free( e );
+							if (freeval) slapi_ch_free_string(&value.bv_val);
+							e = NULL;
+							goto done;
+						}
 					}
 				}
 				/* normdn is consumed in e */
-				slapi_entry_set_dn(e, normdn);
+				slapi_entry_set_normdn(e, normdn);
 			}
 			if ( NULL == slapi_entry_get_rdn_const( e )) {
 				if (normdn) {
@@ -291,14 +295,19 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
 						normdn = 
 							slapi_dn_normalize_original(slapi_ch_strdup(rawdn));
 					} else {
-						normdn = slapi_create_dn_string("%s", rawdn);
-						if (NULL == normdn) {
-							LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  		"str2entry_fast: Invalid DN: %s\n", rawdn);
-							slapi_entry_free( e );
-							if (freeval) slapi_ch_free_string(&value.bv_val);
-							e = NULL;
-							goto done;
+						if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+							normdn = slapi_ch_strdup(rawdn);
+						} else {
+							normdn = slapi_create_dn_string("%s", rawdn);
+							if (NULL == normdn) {
+								LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+								    "str2entry_fast: Invalid DN: %s\n", rawdn);
+								slapi_entry_free( e );
+								if (freeval) 
+								    slapi_ch_free_string(&value.bv_val);
+								e = NULL;
+								goto done;
+							}
 						}
 					}
 					/* normdn is just referred in slapi_entry_set_rdn. */
@@ -338,7 +347,7 @@ str2entry_fast( const char *rawdn, char *s, int flags, int read_stateinfo )
 				goto done;
 			}
 			/* normdn is consumed in e */
-			slapi_entry_set_dn(e, normdn);
+			slapi_entry_set_normdn(e, normdn);
 
 			/* the memory below was not allocated by the slapi_ch_ functions */
 			if (freeval) slapi_ch_free_string(&value.bv_val);
@@ -802,34 +811,42 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
 
 		if ( rawdn ) {
 			if ( NULL == slapi_entry_get_dn_const(e) ) {
-				normdn = slapi_create_dn_string("%s", rawdn);
-				if (NULL == normdn) {
-					LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-							  "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
-					slapi_entry_free( e );
-					if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
-					csn_free(&attributedeletioncsn);
-					csn_free(&maxcsn);
-					return NULL;
-				}
-				/* normdn is consumed in e */
-				slapi_entry_set_dn(e, normdn);
-			}
-			if ( NULL == slapi_entry_get_rdn_const(e) ) {
-				if (normdn) {
-					/* normdn is just referred in slapi_entry_set_rdn. */
-					slapi_entry_set_rdn(e, normdn);
+				if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+					normdn = slapi_ch_strdup(rawdn);
 				} else {
 					normdn = slapi_create_dn_string("%s", rawdn);
 					if (NULL == normdn) {
 						LDAPDebug1Arg(LDAP_DEBUG_TRACE,
-						         "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
+						    "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
 						slapi_entry_free( e );
 						if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
 						csn_free(&attributedeletioncsn);
 						csn_free(&maxcsn);
 						return NULL;
 					}
+				}
+				/* normdn is consumed in e */
+				slapi_entry_set_normdn(e, normdn);
+			}
+			if ( NULL == slapi_entry_get_rdn_const(e) ) {
+				if (normdn) {
+					/* normdn is just referred in slapi_entry_set_rdn. */
+					slapi_entry_set_rdn(e, normdn);
+				} else {
+					if (flags & SLAPI_STR2ENTRY_DN_NORMALIZED) {
+						normdn = slapi_ch_strdup(rawdn);
+					} else {
+						normdn = slapi_create_dn_string("%s", rawdn);
+						if (NULL == normdn) {
+						LDAPDebug1Arg(LDAP_DEBUG_TRACE,
+							     "str2entry_dupcheck: Invalid DN: %s\n", rawdn);
+							slapi_entry_free( e );
+							if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
+							csn_free(&attributedeletioncsn);
+							csn_free(&maxcsn);
+							return NULL;
+						}
+					}
 					/* normdn is just referred in slapi_entry_set_rdn. */
 					slapi_entry_set_rdn(e, normdn);
 					slapi_ch_free_string(&normdn);
@@ -859,7 +876,7 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
 				goto free_and_return;
 			}
 			/* normdn is consumed in e */
-			slapi_entry_set_dn(e, normdn);
+			slapi_entry_set_normdn(e, normdn);
 			/* the memory below was not allocated by the slapi_ch_ functions */
 			if (freeval) slapi_ch_free_string(&bvvalue.bv_val);
 		    continue;
@@ -1374,19 +1391,19 @@ slapi_str2entry( char *s, int flags )
  * NOTE: the first arg "dn" should have been normalized before passing.
  */
 Slapi_Entry *
-slapi_str2entry_ext( const char *dn, char *s, int flags )
+slapi_str2entry_ext( const char *normdn, char *s, int flags )
 {
 	Slapi_Entry *e;
 	int read_stateinfo= ~( flags & SLAPI_STR2ENTRY_IGNORE_STATE );
 
-	if (NULL == dn)
+	if (NULL == normdn)
 	{
 		return slapi_str2entry( s, flags );
 	}
 
 	LDAPDebug( LDAP_DEBUG_ARGS,
 			"slapi_str2entry_ext: flags=0x%x, dn=\"%s\", entry=\"%.50s...\"\n",
-			flags, dn, s );
+			flags, normdn, s );
 
 
 	/*
@@ -1397,11 +1414,13 @@ slapi_str2entry_ext( const char *dn, char *s, int flags )
 	if ( 0 != ( flags & SLAPI_STR2ENTRY_NOT_WELL_FORMED_LDIF ) ||
 			0 != ( flags & ~SLAPI_STRENTRY_FLAGS_HANDLED_BY_STR2ENTRY_FAST ))
 	{
-	    e= str2entry_dupcheck( dn, s, flags, read_stateinfo );
+	    e = str2entry_dupcheck( normdn, s, 
+	                    flags|SLAPI_STR2ENTRY_DN_NORMALIZED, read_stateinfo );
 	}
 	else
 	{
-	    e= str2entry_fast( dn, s, flags, read_stateinfo );
+	    e = str2entry_fast( normdn, s, 
+	                    flags|SLAPI_STR2ENTRY_DN_NORMALIZED, read_stateinfo );
 	}
 	if (!e)
 		return e;	/* e == NULL */
@@ -1914,15 +1933,30 @@ void
 slapi_entry_init(Slapi_Entry *e, char *dn, Slapi_Attr *a)
 {
     slapi_sdn_set_dn_passin(slapi_entry_get_sdn(e), dn);
-	e->e_uniqueid= NULL;
+    e->e_uniqueid= NULL;
+    e->e_attrs= a;
+    e->e_dncsnset= NULL;
+    e->e_maxcsn= NULL;
+    e->e_deleted_attrs= NULL;
+    e->e_virtual_attrs= NULL;
+    e->e_virtual_watermark= 0;
+    e->e_virtual_lock= slapi_new_rwlock();
+    e->e_flags= 0;
+}
+
+void
+slapi_entry_init_ext(Slapi_Entry *e, Slapi_DN *sdn, Slapi_Attr *a)
+{
+	slapi_sdn_copy(sdn, slapi_entry_get_sdn(e));
+    e->e_uniqueid= NULL;
     e->e_attrs= a;
     e->e_dncsnset= NULL;
     e->e_maxcsn= NULL;
-	e->e_deleted_attrs= NULL;
-	e->e_virtual_attrs= NULL;
-	e->e_virtual_watermark= 0;
-	e->e_virtual_lock= slapi_new_rwlock();
-	e->e_flags= 0;
+    e->e_deleted_attrs= NULL;
+    e->e_virtual_attrs= NULL;
+    e->e_virtual_watermark= 0;
+    e->e_virtual_lock= slapi_new_rwlock();
+    e->e_flags= 0;
 }
 
 void
@@ -2155,6 +2189,12 @@ slapi_entry_set_dn( Slapi_Entry *e, char *dn )
     slapi_sdn_set_dn_passin(slapi_entry_get_sdn(e),dn);
 }
 
+void
+slapi_entry_set_normdn( Slapi_Entry *e, char *dn )
+{
+    slapi_sdn_set_normdn_passin(slapi_entry_get_sdn(e), dn);
+}
+
 /*
  * WARNING - The DN is copied.
  *           The DN could be dn or RDN.
@@ -3139,18 +3179,18 @@ slapi_entry_rename(Slapi_Entry *e, const char *newrdn, int deleteoldrdn, const c
     /* Build new DN.  If newsuperior is set, just use "newrdn,newsuperior".  If
      * newsuperior is not set, need to add newrdn to old superior. */
     if (newsuperior) {
-        newdn = slapi_ch_smprintf("%s,%s", newrdn, newsuperior);
+        newdn = slapi_create_dn_string("%s,%s", newrdn, newsuperior);
     } else {
         char *oldsuperior = NULL;
 
         oldsuperior = slapi_dn_parent(olddn);
-        newdn = slapi_ch_smprintf("%s,%s", newrdn, oldsuperior);
+        newdn = slapi_create_dn_string("%s,%s", newrdn, oldsuperior);
 
         slapi_ch_free_string(&oldsuperior);
     }
 
     /* Set the new DN in the entry.  This hands off the memory used by newdn to the entry. */
-    slapi_entry_set_dn(e, newdn);
+    slapi_entry_set_normdn(e, newdn);
 
     /* Set the RDN in the entry. */
     slapi_entry_set_rdn(e, newdn);
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index 17b2f7b..8f25b27 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -54,8 +54,7 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
                                       struct berval *extval)
 {
     char *orig = NULL;
-    char *suffix = NULL;
-    size_t dnlen = 0;
+    const char *suffix = NULL;
     Slapi_DN *sdn = NULL;
     Slapi_Backend *be = NULL;
     struct berval bv;
@@ -84,28 +83,16 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
             return;
         }
     }
-    ret = slapi_dn_normalize_ext(orig, 0, &suffix, &dnlen);
-    if (ret < 0) {
-        LDAPDebug1Arg(LDAP_DEBUG_ANY,
-                      "extop_handle_import_start: invalid suffix\n", orig);
-        send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
-                         "invalid suffix", 0, NULL);
-        return;
-    } else if (ret > 0) {
-        slapi_ch_free_string(&orig);
-    } else { /* ret == 0; orig is passed in; not null terminated */
-        *(suffix + dnlen) = '\0';
-    }
-    sdn = slapi_sdn_new_dn_byval(suffix);
+    sdn = slapi_sdn_new_dn_passin(orig);
     if (!sdn) {
         LDAPDebug(LDAP_DEBUG_ANY,
                   "extop_handle_import_start: out of memory\n", 0, 0, 0);
         send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
         return;
     }
+	suffix = slapi_sdn_get_dn(sdn);
     /*    be = slapi_be_select(sdn); */
     be = slapi_mapping_tree_find_backend_for_sdn(sdn);
-    slapi_sdn_free(&sdn);
     if (be == NULL || be == defbackend_get_backend()) {
         /* might be instance name instead of suffix */
         be = slapi_be_select_by_instance_name(suffix);
@@ -191,7 +178,7 @@ static void extop_handle_import_start(Slapi_PBlock *pb, char *extoid,
               "Bulk import: begin import on '%s'.\n", suffix, 0, 0);
 
 out:
-    slapi_ch_free((void **)&suffix);
+    slapi_sdn_free(&sdn);
     return;
 }
 
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 8a61e72..ab94628 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -1562,7 +1562,7 @@ internal_add_helper(Slapi_Entry *e, int dont_write_file)
 	slapi_add_entry_internal_set_pb(&newpb, e, NULL,
 									plugin_get_default_component_id(),
 									plugin_actions);
-	slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(e));
+	slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(e));
 	slapi_pblock_set(&newpb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING,
 					 (void *)&dont_write_file);
 	slapi_pblock_get(&newpb, SLAPI_OPERATION, &op);
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 928d648..b9beafb 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1489,8 +1489,9 @@ int config_set_anon_limits_dn( const char *attrname, char *value, char *errorbuf
         CFG_LOCK_WRITE(slapdFrontendConfig);
 
         slapi_ch_free ( (void **) &(slapdFrontendConfig->anon_limits_dn) );
-        slapdFrontendConfig->anon_limits_dn = slapi_ch_strdup ( value );
-         CFG_UNLOCK_WRITE(slapdFrontendConfig);
+        slapdFrontendConfig->anon_limits_dn = 
+                                       slapi_create_dn_string("%s", value);
+        CFG_UNLOCK_WRITE(slapdFrontendConfig);
   }
   return retVal;
 }
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 059cf33..fa3b6aa 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -1644,14 +1644,38 @@ process_command_line(int argc, char **argv, char *myname,
 			break;
 		case 's':       /* which suffix to include in import/export */
 			{
-			    char *s=  slapi_dn_normalize ( slapi_ch_strdup(optarg_ext) );
-			    charray_add(&db2ldif_include,s);
+				char *s = NULL;
+				size_t len = 0;
+				int rc = slapi_dn_normalize_ext(optarg_ext, 0, &s, &len);
+				if (rc < 0) {
+					fprintf(stderr, "Invalid dn: -s %s\n", optarg_ext);
+					usage(myname, *extraname);
+					exit(1);
+				} else if (0 == rc) {
+					/* rc == 0; optarg_extawdn is passed in; 
+					 * not null terminated */
+					*(optarg_ext + len) = '\0';
+					s = slapi_ch_strdup(optarg_ext);
+				}
+			    charray_add(&db2ldif_include, slapi_dn_ignore_case(s));
 			}
 			break;
 		case 'x':       /* which suffix to exclude in import/export */
 			{
-			    char *s= slapi_dn_normalize ( slapi_ch_strdup(optarg_ext) );
-			    charray_add(&db2ldif_exclude,s);
+				char *s = NULL;
+				size_t len = 0;
+				int rc = slapi_dn_normalize_ext(optarg_ext, 0, &s, &len);
+				if (rc < 0) {
+					fprintf(stderr, "Invalid dn: -x %s\n", optarg_ext);
+					usage(myname, *extraname);
+					exit(1);
+				} else if (0 == rc) {
+					/* rc == 0; optarg_extawdn is passed in; 
+					 * not null terminated */
+					*(optarg_ext + len) = '\0';
+					s = slapi_ch_strdup(optarg_ext);
+				}
+			    charray_add(&db2ldif_exclude, slapi_dn_ignore_case(s));
 			}
 			break;
 		case 'r':       /* db2ldif for replication */
diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index cc007df..580accc 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -386,8 +386,7 @@ get_parent_from_entry(Slapi_Entry * entry)
                 *ptr = '\0';
             }
         }
-        parent_sdn = 
-                slapi_sdn_new_dn_passin(slapi_create_dn_string("%s", parent));
+        parent_sdn = slapi_sdn_new_dn_passin(slapi_ch_smprintf("%s", parent));
         slapi_ch_free_string(&origparent);
     }
     
@@ -433,7 +432,7 @@ get_subtree_from_entry(Slapi_Entry * entry)
                 *ptr = '\0';
             }
         }
-        subtree = slapi_sdn_new_dn_passin(slapi_create_dn_string("%s", cn));
+        subtree = slapi_sdn_new_dn_passin(slapi_ch_smprintf("%s", cn));
         slapi_ch_free_string(&origcn);
     }
     
@@ -2128,8 +2127,7 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
     Slapi_Backend * be;
     Slapi_Entry * referral;
     int scope = LDAP_SCOPE_BASE;
-    Slapi_DN sdn;
-    char *base;
+    Slapi_DN *sdn = NULL;
     int flag_partial_result = 0;
     int op_type;
     
@@ -2142,8 +2140,11 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
     }
 
     /* get the operational parameters */
-    slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
-    slapi_sdn_init_dn_ndn_byref(&sdn, base); /* normalized in opshared.c */
+    slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+    if (NULL == sdn) {
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, "Error: Null target DN");
+        return LDAP_OPERATIONS_ERROR;
+    }
     slapi_pblock_get(pb, SLAPI_OPERATION, &op);
     target_sdn = operation_get_target_spec (op);
     slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &op_type);
@@ -2188,8 +2189,8 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
             /* flag we have problems at least on part of the tree */
             flag_partial_result = 1;
         }
-        else if ( ( ((!slapi_sdn_issuffix(&sdn, slapi_mtn_get_dn(node))
-            && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), &sdn))) 
+        else if ( ( ((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node))
+            && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) 
             || ((node_list == mapping_tree_root) && node->mtn_private
             && (scope != LDAP_SCOPE_BASE)) )
                     && (!be || strncmp(be->be_name, "default", 8)))
@@ -2238,7 +2239,6 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
                      &referral, errorbuf, scope);
     }
     mtn_unlock();
-    slapi_sdn_done(&sdn);
     be_list[be_index] = NULL;
     referral_list[referral_index] = NULL;
 
@@ -2839,8 +2839,8 @@ slapi_get_mapping_tree_node_configdn (const Slapi_DN *root)
         return NULL;
 
     /* This function converts the old DN style to the new one. */
-    dn = slapi_create_dn_string("cn=\"%s\",%s", 
-                                slapi_sdn_get_dn(root), MAPPING_TREE_BASE_DN);
+    dn = slapi_ch_smprintf("cn=\"%s\",%s", 
+                           slapi_sdn_get_ndn(root), MAPPING_TREE_BASE_DN);
     if (NULL == dn) {
         LDAPDebug1Arg(LDAP_DEBUG_ANY,
                       "slapi_get_mapping_tree_node_configdn: "
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 219ac72..6e70347 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -138,7 +138,7 @@ do_modify( Slapi_PBlock *pb )
 	int				ignored_some_mods = 0;
 	int				has_password_mod = 0; /* number of password mods */
 	char				*old_pw = NULL;	/* remember the old password */
-	char				*dn = NULL;
+	char				*rawdn = NULL;
 
 	LDAPDebug( LDAP_DEBUG_TRACE, "do_modify\n", 0, 0, 0 );
 
@@ -168,8 +168,6 @@ do_modify( Slapi_PBlock *pb )
 	 */
 
     {
-		char *rawdn = NULL;
-		size_t dnlen = 0;
 		int rc = 0;
     	if ( ber_scanf( ber, "{a", &rawdn ) == LBER_ERROR )
     	{
@@ -193,24 +191,12 @@ do_modify( Slapi_PBlock *pb )
 				return;
 			}
 		}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "MOD", rawdn?rawdn:"", "invalid dn");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-								 NULL, "invalid dn", 0, NULL);
-			slapi_ch_free((void **) &rawdn);
-			return;
-		} else if (rc > 0) { /* if rc == 0, rawdn is passed in */
-			slapi_ch_free_string(&rawdn);
-		} else { /* rc == 0; rawdn is passed in; not null terminated */
-			*(dn + dnlen) = '\0';
-		}
 	}
 
-	LDAPDebug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", dn, 0, 0 );
+	LDAPDebug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", rawdn, 0, 0 );
 
 	slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot);
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); 
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, rawdn ); 
 
 	/* collect modifications & save for later */
 	slapi_mods_init(&smods, 0);
@@ -227,7 +213,7 @@ do_modify( Slapi_PBlock *pb )
 		if ( ber_scanf( ber, "{i{a[V]}}", &mod_op, &type,
 		    &mod->mod_bvalues ) == LBER_ERROR )
 		{
-			op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+			op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
 			send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
 							  "decoding error", 0, NULL );
 			ber_bvecfree(mod->mod_bvalues);
@@ -240,7 +226,7 @@ do_modify( Slapi_PBlock *pb )
 		if ( !mod->mod_type || !*mod->mod_type ) {
 			char ebuf[BUFSIZ];
 			PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type);
-			op_shared_log_error_access (pb, "MOD", dn, ebuf);
+			op_shared_log_error_access (pb, "MOD", rawdn, ebuf);
 			send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL );
 			slapi_ch_free((void **)&type);
 			ber_bvecfree(mod->mod_bvalues);
@@ -254,7 +240,7 @@ do_modify( Slapi_PBlock *pb )
 		    mod->mod_op != LDAP_MOD_DELETE &&
 		    mod->mod_op != LDAP_MOD_REPLACE )
 		{
-			op_shared_log_error_access (pb, "MOD", dn, "unrecognized modify operation");
+			op_shared_log_error_access (pb, "MOD", rawdn, "unrecognized modify operation");
 			send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
 							  "unrecognized modify operation", 0, NULL );
 			ber_bvecfree(mod->mod_bvalues);
@@ -267,7 +253,7 @@ do_modify( Slapi_PBlock *pb )
 		    && mod->mod_op != LDAP_MOD_DELETE
 		    && mod->mod_op != LDAP_MOD_REPLACE )
 		{
-			op_shared_log_error_access (pb, "MOD", dn, "no values given");
+			op_shared_log_error_access (pb, "MOD", rawdn, "no values given");
 			send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
 							  "no values given", 0, NULL );
 			ber_bvecfree(mod->mod_bvalues);
@@ -317,7 +303,7 @@ do_modify( Slapi_PBlock *pb )
 		if ( ( len == 0 ) && ( 0 == smods.num_elements ) && !ignored_some_mods ) {
 			/* ok - empty modify - allow empty modifies */
 		} else if ( len != -1 ) {
-			op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+			op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
 			send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL );
 			goto free_and_return;
 		}
@@ -326,7 +312,7 @@ do_modify( Slapi_PBlock *pb )
 #else
 	if ( tag != LBER_END_OF_SEQORSET )
 	{
-		op_shared_log_error_access (pb, "MOD", dn, "decoding error");
+		op_shared_log_error_access (pb, "MOD", rawdn, "decoding error");
 		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL );
 		goto free_and_return;
 	} 
@@ -335,7 +321,7 @@ do_modify( Slapi_PBlock *pb )
 	/* decode the optional controls - put them in the pblock */
 	if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 )
 	{
-		op_shared_log_error_access (pb, "MOD", dn, "failed to decode LDAP controls");
+		op_shared_log_error_access (pb, "MOD", rawdn, "failed to decode LDAP controls");
 		send_ldap_result( pb, err, NULL, NULL, 0, NULL );
 		goto free_and_return;
 	}
@@ -362,7 +348,7 @@ do_modify( Slapi_PBlock *pb )
 		pb->pb_conn->c_needpw && pw_change == 0 )
 	{
 		(void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
-		op_shared_log_error_access (pb, "MOD", dn, "need new password");
+		op_shared_log_error_access (pb, "MOD", rawdn, "need new password");
 		send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
 		goto free_and_return;
 	}
@@ -387,7 +373,7 @@ do_modify( Slapi_PBlock *pb )
 	ldap_mods_free (mods, 1 /* Free the Array and the Elements */);
 
 free_and_return:;
-	slapi_ch_free ((void**)&dn);
+	slapi_ch_free ((void**)&rawdn);
 	slapi_mods_done(&smods);
 }
 
@@ -583,8 +569,9 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	Slapi_Entry *referral;
 	Slapi_Entry	*e = NULL;
 	char ebuf[BUFSIZ];
-	char *dn;
-	Slapi_DN sdn;
+	char *dn = NULL;
+	char *normdn = NULL;
+	Slapi_DN *sdn = NULL;
 	LDAPMod	**mods, *pw_mod, **tmpmods = NULL;
 	Slapi_Mods smods;
 	Slapi_Mods unhashed_pw_smod;	
@@ -608,23 +595,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
 	slapi_pblock_get (pb, SLAPI_SKIP_MODIFIED_ATTRS, &skip_modified_attrs);
 
-	if (dn == NULL)
-	{
-		slapi_sdn_init_dn_byref (&sdn, "");
-	}
-	else
-	{
-		slapi_sdn_init_dn_byref (&sdn, dn);
+	sdn = slapi_sdn_new_dn_byval(dn);
+	normdn = (char *)slapi_sdn_get_dn(sdn);
+	slapi_pblock_set(pb, SLAPI_MODIFY_TARGET_SDN, (void*)sdn);
+	if (dn && (strlen(dn) > 0) && (NULL == normdn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "MOD", dn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL,
+		                 "invalid dn", 0, NULL);
+		goto free_and_return;
 	}
 
-	slapi_pblock_set(pb, SLAPI_MODIFY_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
-
-	slapi_mods_init_passin (&smods, mods);	
+	slapi_mods_init_passin (&smods, mods);
 
 	slapi_mods_init(&unhashed_pw_smod, 0);
 
 	/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (pb->pb_op, &sdn);
+	operation_set_target_spec (pb->pb_op, sdn);
 
 	/* get the proxy auth dn if the proxy auth control is present */
 	proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -643,7 +630,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 			slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s\n",
 							 pb->pb_conn->c_connid, 
 							 pb->pb_op->o_opid,
-							 escape_string(slapi_sdn_get_dn(&sdn), ebuf),
+							 escape_string(slapi_sdn_get_dn(sdn), ebuf),
 							 proxystr ? proxystr : "");
 		}
 		else
@@ -651,7 +638,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 			slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"%s\n",
 							 LOG_INTERNAL_OP_CON_ID,
 							 LOG_INTERNAL_OP_OP_ID,
-							 escape_string(slapi_sdn_get_dn(&sdn), ebuf),
+							 escape_string(slapi_sdn_get_dn(sdn), ebuf),
 							 proxystr ? proxystr : "");
 		}
 
@@ -702,8 +689,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	 * 2. If yes, then if the mods contain any passwdpolicy specific attributes.
 	 * 3. If yes, then it invokes corrosponding checking function.
 	 */
-	if ( !repl_op && !internal_op && dn &&
-		(e = get_entry(pb, slapi_dn_normalize(dn))) )
+	if ( !repl_op && !internal_op && normdn && (e = get_entry(pb, normdn)) )
 	{
 		Slapi_Value target;
 		slapi_value_init(&target);
@@ -785,7 +771,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 			valuearray_init_bervalarray(pw_mod->mod_bvalues, &va);
 
 			/* encode password */
-			pw_encodevals_ext(pb, &sdn, va);
+			pw_encodevals_ext(pb, sdn, va);
 
 			/* remove current clear value of userpassword */
 			ber_bvecfree(pw_mod->mod_bvalues);
@@ -971,12 +957,14 @@ free_and_return:
 	
 	if (be)
 		slapi_be_Unlock(be);
-    slapi_sdn_done(&sdn);
 
 	if (unhashed_pw_attr)
 		slapi_ch_free ((void**)&unhashed_pw_attr);
 
 	slapi_ch_free_string(&proxydn);
+
+	slapi_pblock_get(pb, SLAPI_MODIFY_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
 }
 
 static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_unhashed)
diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c
index 24e444c..8b10d73 100644
--- a/ldap/servers/slapd/modrdn.c
+++ b/ldap/servers/slapd/modrdn.c
@@ -73,17 +73,16 @@ do_modrdn( Slapi_PBlock *pb )
 	Slapi_Operation *operation;
 	BerElement	*ber;
 	char		*rawdn = NULL, *rawnewsuperior = NULL;
-	char		*dn = NULL, *newsuperior = NULL;
+	const char	*dn = NULL, *newsuperior = NULL;
 	char		*rawnewrdn = NULL;
 	char		*newrdn = NULL;
 	int		err = 0, deloldrdn = 0;
 	ber_len_t	len = 0;
-	size_t		dnlen = 0;
 	char		*newdn = NULL;
 	char		*parent = NULL;
 	Slapi_DN	sdn = {0};
 	Slapi_DN	snewdn = {0};
-	Slapi_DN	snewsuperior = {0};
+	Slapi_DN	*snewsuperior = NULL;
 
 	LDAPDebug( LDAP_DEBUG_TRACE, "do_modrdn\n", 0, 0, 0 );
 
@@ -169,34 +168,29 @@ do_modrdn( Slapi_PBlock *pb )
 			goto free_and_return;
 		}
 	}
-	err = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "MODRDN", rawdn?rawdn:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free_string( &rawdn );
+	slapi_sdn_init_dn_passin(&sdn, rawdn);
+	dn = slapi_sdn_get_dn(&sdn);
+	if (rawdn && (strlen(rawdn) > 0) && (NULL == dn)) {
+		/* normalization failed */
+		op_shared_log_error_access(pb, "MODRDN", rawdn, "invalid dn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, 
+		                 "invalid dn", 0, NULL);
 		slapi_ch_free_string( &rawnewrdn );
 		slapi_ch_free_string( &rawnewsuperior );
 		goto free_and_return;
-	} else if (err > 0) {
-		slapi_ch_free((void **) &rawdn);
-	} else { /* err == 0; rawdn is passed in; not null terminated */
-		*(dn + dnlen) = '\0';
 	}
-	err = slapi_dn_normalize_ext(rawnewrdn, 0, &newrdn, &dnlen);
-	if (err < 0) {
-		op_shared_log_error_access(pb, "MODRDN", rawnewrdn?rawnewrdn:"", 
-									"invalid new rdn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-						 NULL, "invalid new rdn", 0, NULL);
+	newrdn = slapi_create_dn_string("%s", rawnewrdn);
+	if (rawnewrdn && (NULL == newrdn)) {
+		op_shared_log_error_access(pb, "MODRDN", rawnewrdn, "invalid newrdn");
+		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX,
+		                 NULL, "invalid newrdn", 0, NULL);
 		slapi_ch_free_string( &rawnewrdn );
 		slapi_ch_free_string( &rawnewsuperior );
 		goto free_and_return;
-	} else if (err > 0) {
-		slapi_ch_free((void **) &rawnewrdn);
-	} else { /* err == 0; rawnewdn is passed in; not null terminated */
-		*(newrdn + dnlen) = '\0';
 	}
+	slapi_dn_ignore_case( newrdn );
+	slapi_ch_free_string( &rawnewrdn );
+
 	if (rawnewsuperior) {
 		if (config_get_dn_validate_strict()) {
 			/* check that the dn is formatted correctly */
@@ -210,19 +204,8 @@ do_modrdn( Slapi_PBlock *pb )
 				goto free_and_return;
 			}
 		}
-		err = slapi_dn_normalize_ext(rawnewsuperior, 0, &newsuperior, &dnlen);
-		if (err < 0) {
-			op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
-							"invalid new superior");
-			send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid new superior", 0, NULL);
-			slapi_ch_free_string( &rawnewsuperior);
-			goto free_and_return;
-		} else if (err > 0) {
-			slapi_ch_free((void **) &rawnewsuperior);
-		} else { /* err == 0; rawnewsuperior is passed in; not terminated */
-			*(newsuperior + dnlen) = '\0';
-		}
+		snewsuperior = slapi_sdn_new_dn_passin(rawnewsuperior);
+		newsuperior = slapi_sdn_get_dn(snewsuperior);
 	}
 
 	/*
@@ -230,27 +213,24 @@ do_modrdn( Slapi_PBlock *pb )
 	 * Note: need to check the case newrdn is given, and newsuperior
 	 * uses the newrdn, as well.
 	 */ 
-	/* Both newrdn and dn are already normalized. */
-	parent = slapi_dn_parent(dn);
+	parent = slapi_dn_parent(slapi_sdn_get_ndn(&sdn));
 	newdn = slapi_ch_smprintf("%s,%s", newrdn, parent);
-	slapi_sdn_set_dn_byref(&sdn, dn);
-	slapi_sdn_set_dn_byref(&snewdn, newdn);
-	slapi_sdn_set_dn_byref(&snewsuperior, newsuperior);
-	if (0 == slapi_sdn_compare(&sdn, &snewsuperior) ||
-	    0 == slapi_sdn_compare(&snewdn, &snewsuperior)) {
-		op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+	slapi_sdn_init_normdn_passin(&snewdn, newdn); /* newdn is normalized */
+	if (0 == slapi_sdn_compare(&sdn, snewsuperior) ||
+	    0 == slapi_sdn_compare(&snewdn, snewsuperior)) {
+		op_shared_log_error_access(pb, "MODRDN", newsuperior,
 						 "new superior is identical to the entry dn");
 		send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
 						 "new superior is identical to the entry dn", 0, NULL);
 		goto free_and_return;
 	}
-	if (slapi_sdn_issuffix(&snewsuperior, &sdn) ||
-	    slapi_sdn_issuffix(&snewsuperior, &snewdn)) {
+	if (slapi_sdn_issuffix(snewsuperior, &sdn) ||
+	    slapi_sdn_issuffix(snewsuperior, &snewdn)) {
 		/* E.g.,
 		 * newsuperior: ou=sub,ou=people,dc=example,dc=com
 		 * dn: ou=people,dc=example,dc=com
 		 */
-		op_shared_log_error_access(pb, "MODRDN", rawnewsuperior,
+		op_shared_log_error_access(pb, "MODRDN", newsuperior,
 						 "new superior is descendent of the entry");
 		send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
 						 "new superior is descendent of the entry", 0, NULL);
@@ -273,24 +253,22 @@ do_modrdn( Slapi_PBlock *pb )
 			   deloldrdn );
 
 	slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn );
-	slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, newrdn );
-	slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR, newsuperior );
+	/* dn, newrdn and newsuperior are all normalized */
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET,
+	                  (void *)slapi_sdn_get_udn(&sdn) );
+	slapi_pblock_set( pb, SLAPI_MODRDN_TARGET_SDN, &sdn );
+	slapi_pblock_set( pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn );
+	slapi_pblock_set( pb, SLAPI_MODRDN_NEWSUPERIOR, (void *)snewsuperior );
 	slapi_pblock_set( pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn );
 
-	op_shared_rename(pb, 1 /* pass in ownership of string arguments */ );
-	goto ok_return;
+	op_shared_rename(pb, 0 /* do not pass in ownership of string arguments */ );
 
 free_and_return:
-	slapi_ch_free_string( &dn );
-	slapi_ch_free_string( &newrdn );
-	slapi_ch_free_string( &newsuperior );
-ok_return:
 	slapi_sdn_done(&sdn);
+	slapi_ch_free_string(&newrdn);
+	slapi_sdn_free(&snewsuperior);
 	slapi_sdn_done(&snewdn);
-	slapi_sdn_done(&snewsuperior);
 	slapi_ch_free_string(&parent);
-	slapi_ch_free_string(&newdn);
 
 	return;
 }
@@ -311,20 +289,28 @@ slapi_rename_internal(const char *iodn, const char *inewrdn, const char *inewsup
     Slapi_PBlock    pb;
     Slapi_PBlock    *result_pb = NULL;
     int             opresult= 0;
+    Slapi_DN sdn = {0};
+    Slapi_DN newsuperiorsdn = {0};
 
     pblock_init (&pb);   
     
-	slapi_rename_internal_set_pb (&pb, iodn, inewrdn, inewsuperior, deloldrdn, 
-	  controls, NULL, plugin_get_default_component_id(), 0);
+    slapi_sdn_init_dn_byref(&sdn, iodn);
+    slapi_sdn_init_dn_byref(&newsuperiorsdn, inewsuperior);
+
+    slapi_rename_internal_set_pb_ext(&pb, &sdn, inewrdn, &newsuperiorsdn,
+                                     deloldrdn, controls, NULL, 
+                                     plugin_get_default_component_id(), 0);
     rename_internal_pb (&pb);
 
     result_pb = slapi_pblock_new();
-	if (result_pb)
-	{
-		slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
-		slapi_pblock_set(result_pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
+    if (result_pb) {
+        slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
+        slapi_pblock_set(result_pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult);
     }
-	pblock_done(&pb);
+
+    slapi_sdn_done(&sdn);
+    slapi_sdn_done(&newsuperiorsdn);
+    pblock_done(&pb);
     
     return result_pb;
 }
@@ -352,32 +338,39 @@ int slapi_modrdn_internal_pb (Slapi_PBlock *pb)
 	return rename_internal_pb (pb);
 }
 
-/* Initialize a pblock for a call to slapi_modrdn_internal_pb() */
-void slapi_rename_internal_set_pb (Slapi_PBlock *pb, const char *olddn, const char *newrdn, const char *newsuperior, int deloldrdn, 
-								   LDAPControl **controls, const char *uniqueid, Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_rename_internal_set_pb_ext(Slapi_PBlock *pb,
+                                 const Slapi_DN *olddn, 
+                                 const char *newrdn,  /* normalized */
+                                 const Slapi_DN *newsuperior, int deloldrdn, 
+                                 LDAPControl **controls, const char *uniqueid,
+                                 Slapi_ComponentId *plugin_identity, 
+                                 int operation_flags)
 {
-	Operation *op;
-	PR_ASSERT (pb != NULL);
-	if (pb == NULL || olddn == NULL || newrdn == NULL)
-	{
-		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
-						"slapi_rename_internal_set_pb: NULL parameter\n");
-		return;
-	}
+    Operation *op;
+    PR_ASSERT (pb != NULL);
+    if (pb == NULL || olddn == NULL || newrdn == NULL)
+    {
+        slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+                        "slapi_rename_internal_set_pb: NULL parameter\n");
+        return;
+    }
 
-    op= internal_operation_new(SLAPI_OPERATION_MODRDN,operation_flags); 
-	slapi_pblock_set(pb, SLAPI_OPERATION, op); 
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)olddn);
+    op = internal_operation_new(SLAPI_OPERATION_MODRDN,operation_flags); 
+    slapi_pblock_set(pb, SLAPI_OPERATION, op); 
+    slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, 
+                     (void*)slapi_sdn_get_dn(olddn));
+    slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, (void*)olddn);
     slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void*)newrdn);
     slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void*)newsuperior);
     slapi_pblock_set(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
-	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
-   	slapi_pblock_set(pb, SLAPI_MODIFY_MODS, NULL);
-	if (uniqueid)
-	{
-		slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
-	}
-	slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
+    slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
+       slapi_pblock_set(pb, SLAPI_MODIFY_MODS, NULL);
+    if (uniqueid)
+    {
+        slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid);
+    }
+    slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
 }
 
 /* Helper functions */
@@ -418,18 +411,19 @@ static int rename_internal_pb (Slapi_PBlock *pb)
  * Beware: this function resets the following pblock elements that were
  * set by the caller:
  *
- *	SLAPI_MODRDN_TARGET
+ *	SLAPI_MODRDN_TARGET_SDN
  *	SLAPI_MODRDN_NEWRDN
  *	SLAPI_MODRDN_NEWSUPERIOR 
  */
 static void
 op_shared_rename(Slapi_PBlock *pb, int passin_args)
 {
-	char			*dn, *newsuperior, *newrdn, *newdn = NULL;
+	char			*dn, *newrdn, *newdn = NULL;
+	const char		*newsuperior;
 	char			**rdns;
 	int				deloldrdn;
 	Slapi_Backend	*be = NULL;
-	Slapi_DN		sdn = {0};
+	Slapi_DN		*origsdn = NULL;
 	Slapi_Mods		smods;
 	char			dnbuf[BUFSIZ];
 	char			newrdnbuf[BUFSIZ];
@@ -443,13 +437,16 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
 	char			*proxystr = NULL;
 	int			proxy_err = LDAP_SUCCESS;
 	char			*errtext = NULL;
+	Slapi_DN *sdn = NULL;
+	Slapi_DN *newsuperiorsdn = NULL;
 
 	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET, &dn);
 	slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
-	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior);
+	slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiorsdn);
 	slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
 	slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
+	slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &origsdn);
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
 
 	/*
@@ -466,22 +463,27 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
 	 * replace the existing values with normalized values (because plugins
 	 * expect these DNs to be normalized).
 	 */
-	if ( passin_args ) {
-		slapi_sdn_init_dn_passin(&sdn,dn);	/* freed by slapi_sdn_done() */
+
+	if (NULL == origsdn) {
+		sdn = slapi_sdn_new_dn_byval(dn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
+    }
+	if (passin_args) {
+		if (NULL == sdn) { /* origsdn is not NULL, so use it. */
+			sdn = origsdn;
+		}
 	} else {
-		slapi_sdn_init_dn_byref(&sdn,dn);
-	}
-	if ( !passin_args ) {
-		newrdn = slapi_ch_strdup( newrdn );
-		newsuperior = slapi_ch_strdup( newsuperior );
-	}
-	if ( NULL != newsuperior ) {
-		slapi_dn_normalize_case( newsuperior );	/* normalize in place */
+		if (NULL == sdn) {
+			sdn = slapi_sdn_dup(origsdn);
+		}
+		newrdn = slapi_ch_strdup(newrdn);
+		newsuperiorsdn = slapi_sdn_dup(newsuperiorsdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_TARGET_SDN, sdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn);
+		slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, newsuperiorsdn);
 	}
-	slapi_pblock_set (pb, SLAPI_MODRDN_TARGET,
-				(void*)slapi_ch_strdup(slapi_sdn_get_ndn (&sdn)));
-	slapi_pblock_set(pb, SLAPI_MODRDN_NEWRDN, (void *)newrdn );
-	slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR, (void *)newsuperior);
+	/* normdn = slapi_sdn_get_dn(sdn); */
+	newsuperior = slapi_sdn_get_dn(newsuperiorsdn);
 
 	/* get the proxy auth dn if the proxy auth control is present */
 	proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
@@ -589,13 +591,13 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
 	}
 
 	/* target spec is used to decide which plugins are applicable for the operation */
-	operation_set_target_spec (pb->pb_op, &sdn);
+	operation_set_target_spec (pb->pb_op, sdn);
 
 	/*
-	 * Construct the new DN (code copied from backend
+	 * Construct the new DN (code sdn from backend
 	 * and modified to handle newsuperior)
 	 */
-	newdn = slapi_moddn_get_newdn(&sdn,newrdn,newsuperior);
+	newdn = slapi_moddn_get_newdn(sdn, newrdn, newsuperior);
 
 	/*
 	 * We could be serving multiple database backends.  Select the
@@ -695,8 +697,20 @@ free_and_return_nolock:
 		LDAPMod **mods;
 		char	*s;
 
-		slapi_ch_free((void **) &newdn);
-		slapi_sdn_done(&sdn);
+		if (passin_args) {
+			if (NULL == origsdn) {
+				slapi_sdn_free(&sdn);
+			}
+		} else {
+			slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
+			slapi_sdn_free(&sdn);
+			slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &newrdn);
+			slapi_ch_free_string(&newrdn);
+			slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperiorsdn);
+			slapi_sdn_free(&newsuperiorsdn);
+		}
+		slapi_ch_free_string(&newdn);
+
 		slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
 		slapi_entry_free(ecopy);
 		slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse);
@@ -706,13 +720,6 @@ free_and_return_nolock:
 		slapi_ch_free_string(&proxydn);
 		slapi_ch_free_string(&proxystr);
 
-		/* retrieve these in case a pre- or post-op plugin has changed them */
-		slapi_pblock_get(pb, SLAPI_MODRDN_TARGET, &s);
-		slapi_ch_free((void **)&s);
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &s);
-		slapi_ch_free((void **)&s);
-		slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR, &s);
-		slapi_ch_free((void **)&s);
 		slapi_pblock_get(pb, SLAPI_URP_NAMING_COLLISION_DN, &s);
 		slapi_ch_free((void **)&s);
 	}
diff --git a/ldap/servers/slapd/operation.c b/ldap/servers/slapd/operation.c
index 185723e..1479ee9 100644
--- a/ldap/servers/slapd/operation.c
+++ b/ldap/servers/slapd/operation.c
@@ -398,17 +398,17 @@ copy_mods(LDAPMod **orig_mods)
 struct slapi_operation_parameters *
 operation_parameters_dup(struct slapi_operation_parameters *sop)
 {
-	struct slapi_operation_parameters *sop_new= (struct slapi_operation_parameters *)
+	struct slapi_operation_parameters *sop_new = (struct slapi_operation_parameters *)
 		slapi_ch_malloc(sizeof(struct slapi_operation_parameters));
 	memcpy(sop_new,sop,sizeof(struct slapi_operation_parameters));
-	if(sop->target_address.dn!=NULL)
-	{
-		sop_new->target_address.dn= slapi_ch_strdup(sop->target_address.dn);
-	}
 	if(sop->target_address.uniqueid!=NULL)
 	{
 		sop_new->target_address.uniqueid= slapi_ch_strdup(sop->target_address.uniqueid); 
 	}
+	if(sop->target_address.sdn != NULL)
+	{
+		sop_new->target_address.sdn = slapi_sdn_dup(sop->target_address.sdn);
+	}
   
 	sop_new->csn= csn_dup(sop->csn);
 	switch(sop->operation_type)
@@ -429,10 +429,10 @@ operation_parameters_dup(struct slapi_operation_parameters *sop)
 		{
 			sop_new->p.p_modrdn.modrdn_newrdn= slapi_ch_strdup(sop->p.p_modrdn.modrdn_newrdn);
 		}
-		if(sop->p.p_modrdn.modrdn_newsuperior_address.dn!=NULL)
+		if(sop->p.p_modrdn.modrdn_newsuperior_address.sdn!=NULL)
 		{
-			sop_new->p.p_modrdn.modrdn_newsuperior_address.dn = 
-				slapi_ch_strdup(sop->p.p_modrdn.modrdn_newsuperior_address.dn);
+			sop_new->p.p_modrdn.modrdn_newsuperior_address.sdn = 
+				slapi_sdn_dup(sop->p.p_modrdn.modrdn_newsuperior_address.sdn);
 		}
 		if(sop->p.p_modrdn.modrdn_newsuperior_address.uniqueid!=NULL)
 		{
@@ -462,8 +462,9 @@ operation_parameters_done (struct slapi_operation_parameters *sop)
 {
 	if(sop!=NULL)
 	{
-		slapi_ch_free((void **)&sop->target_address.dn);
 		slapi_ch_free((void **)&sop->target_address.uniqueid);
+		slapi_sdn_free(&sop->target_address.sdn);
+
 		csn_free(&sop->csn);
 		
 		switch(sop->operation_type)
@@ -479,7 +480,6 @@ operation_parameters_done (struct slapi_operation_parameters *sop)
 			break;
 		case SLAPI_OPERATION_MODRDN:
 			slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newrdn));
-			slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newsuperior_address.dn));
 			slapi_ch_free((void **)&(sop->p.p_modrdn.modrdn_newsuperior_address.uniqueid));
 			ldap_mods_free(sop->p.p_modrdn.modrdn_mods, 1 /* Free the Array and the Elements */);
 			sop->p.p_modrdn.modrdn_mods= NULL;
@@ -504,8 +504,3 @@ void operation_parameters_free(struct slapi_operation_parameters **sop)
 		slapi_ch_free ((void**)sop);
 	}
 }
-
-
-
-
-
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 1af97c6..25232b5 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -188,7 +188,9 @@ void modify_update_last_modified_attr(Slapi_PBlock *pb, Slapi_Mods *smods)
 void
 op_shared_search (Slapi_PBlock *pb, int send_result)
 {
-  char            *base, *fstr;
+  char            *base = NULL;
+  const char      *normbase = NULL;
+  char            *fstr;
   int             scope;
   Slapi_Backend   *be = NULL;
   Slapi_Backend   *be_single = NULL;
@@ -198,7 +200,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   char            attrlistbuf[ 1024 ], *attrliststr, **attrs = NULL;
   int             rc = 0;
   int             internal_op;
-  Slapi_DN        sdn;
+  Slapi_DN        *basesdn = NULL;
+  Slapi_DN        *sdn = NULL;
   Slapi_Operation *operation;
   Slapi_Entry     *referral = NULL;
   char            *proxydn = NULL; 
@@ -225,14 +228,27 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   int curr_search_count = 0;
   Slapi_Backend *pr_be = NULL;
   void *pr_search_result = NULL;
-  int pr_search_result_count = 0;
   int pr_reset_processing = 0;
 
   be_list[0] = NULL;
   referral_list[0] = NULL;
 
   /* get search parameters */
-  slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+  slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &base);
+
+  sdn = slapi_sdn_new_dn_byval(base);
+  normbase = slapi_sdn_get_dn(sdn);
+
+  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, sdn);
+  if (base && (strlen(base) > 0) && (NULL == normbase)) {
+    /* normalization failed */
+    op_shared_log_error_access(pb, "SRCH", base, "invalid dn");
+    send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid dn", 0, NULL);
+    rc = -1;
+    goto free_and_return_nolock;
+  }
+  basesdn = slapi_sdn_dup(sdn);
+
   slapi_pblock_get(pb, SLAPI_SEARCH_SCOPE, &scope);
   slapi_pblock_get(pb, SLAPI_SEARCH_STRFILTER, &fstr);   
   slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);   
@@ -240,8 +256,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
   flag_psearch = operation_is_flag_set(operation, OP_FLAG_PS);
   
-  slapi_sdn_init_dn_byref(&sdn, base);
-
   /* get the proxy auth dn if the proxy auth control is present */
   proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext);
  
@@ -298,7 +312,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           slapi_log_access(LDAP_DEBUG_STATS, fmtstr,
                            pb->pb_conn->c_connid, 
                            pb->pb_op->o_opid, 
-                           escape_string(slapi_sdn_get_dn (&sdn), ebuf),
+                           escape_string(normbase, ebuf),
                            scope, fstr, attrliststr,
                            flag_psearch ? " options=persistent" : "",
                            proxystr ? proxystr : "");
@@ -308,7 +322,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           slapi_log_access(LDAP_DEBUG_ARGS, fmtstr,
                            LOG_INTERNAL_OP_CON_ID,
                            LOG_INTERNAL_OP_OP_ID,
-                           escape_string(slapi_sdn_get_dn (&sdn), ebuf),
+                           escape_string(normbase, ebuf),
                            scope, fstr, attrliststr,
                            flag_psearch ? " options=persistent" : "",
                            proxystr ? proxystr : "");
@@ -316,7 +330,8 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   }
 
   /* If we encountered an error parsing the proxy control, return an error
-   * to the client.  We do this here to ensure that we log the operation first. */
+   * to the client.  We do this here to ensure that we log the operation first.
+   */
   if (proxy_err != LDAP_SUCCESS)
   {
       rc = -1;
@@ -324,10 +339,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
       goto free_and_return_nolock;
   }
         
-  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void*)slapi_sdn_get_ndn (&sdn));
-
-  /* target spec is used to decide which plugins are applicable for the operation */
-  operation_set_target_spec (pb->pb_op, &sdn);
+  /* target spec is used to decide which plugins are applicable for 
+   * the operation.  basesdn is duplicated and set to target spec.
+   */
+  operation_set_target_spec (pb->pb_op, basesdn);
 
   /* this is time to check if mapping tree specific control
    * was used to specify that we want to parse only 
@@ -352,7 +367,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
         else
         {
             /* we don't need no steenkin values */
-            Slapi_Backend *searchbe = slapi_be_select( &sdn );
+            Slapi_Backend *searchbe = slapi_be_select( sdn );
 
             if(searchbe && searchbe != defbackend_get_backend())
             {
@@ -406,8 +421,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
               operation->o_flags |= OP_FLAG_PAGED_RESULTS;
               pr_be = pagedresults_get_current_be(pb->pb_conn);
               pr_search_result = pagedresults_get_search_result(pb->pb_conn);
-              pr_search_result_count =
-                             pagedresults_get_search_result_count(pb->pb_conn);
               estimate = 
                  pagedresults_get_search_result_set_size_estimate(pb->pb_conn);
               if (pagedresults_get_unindexed(pb->pb_conn)) {
@@ -501,11 +514,23 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
           goto free_and_return;
 
         case -2: /* memory was allocated */
-            /* take note of any changes */
-          slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+          /* take note of any changes */
+          slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
           slapi_pblock_get(pb, SLAPI_SEARCH_SCOPE, &scope);
-
-          slapi_sdn_set_dn_byref(&sdn, base);
+          if (NULL == sdn) {
+              send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+                               "target dn is lost", 0, NULL);
+              rc = -1;
+              goto free_and_return;
+          }
+          if (slapi_sdn_compare(basesdn, sdn)) {
+              slapi_sdn_free(&basesdn);
+			  basesdn = operation_get_target_spec(pb->pb_op);
+              slapi_sdn_free(&basesdn);
+              basesdn = slapi_sdn_dup(sdn);
+              operation_set_target_spec (pb->pb_op, basesdn);
+          }
+          normbase = slapi_sdn_get_dn(sdn);
           break;
 
         case -1:
@@ -551,7 +576,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
   rc = -1;            /* zero backends would mean failure */
   while (be) 
   {
-    const Slapi_DN * be_suffix;
+    const Slapi_DN *be_suffix;
     int err = 0;
     Slapi_Backend   *next_be = NULL;
 
@@ -570,7 +595,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
      * is below another backend because in that case the 
      * such searches should sometimes succeed 
      * To allow this we therefore have to change the 
-     * SLAPI_SEARCH_TARGET parameter in the pblock
+     * SLAPI_SEARCH_TARGET_SDN parameter in the pblock
      * 
      * Also when we climb down the mapping tree we have to 
      * change ONE-LEVEL searches to BASE 
@@ -636,25 +661,27 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
       {
         if ((be_name == NULL) && (scope == LDAP_SCOPE_ONELEVEL))
         {
-                  /* one level searches 
-                   * - depending on the suffix of the backend we might have to
-                   *   do a one level search or a base search
-                   * - we might also have to change the search target 
-                   */
-          if (slapi_sdn_isparent(&sdn, be_suffix)
-              || (slapi_sdn_get_ndn_len(&sdn) == 0))
+          /* one level searches 
+           * - depending on the suffix of the backend we might have to
+           *   do a one level search or a base search
+           * - we might also have to change the search target 
+           */
+          if (slapi_sdn_isparent(basesdn, be_suffix) ||
+              (slapi_sdn_get_ndn_len(basesdn) == 0))
           {
             int tmp_scope = LDAP_SCOPE_BASE;
             slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &tmp_scope);
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn(be_suffix));
+
+            slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_dup(be_suffix);
+            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, (void *)sdn);
+            normbase = slapi_sdn_get_dn(sdn);
           }
-          else if (slapi_sdn_issuffix(&sdn, be_suffix))
+          else if (slapi_sdn_issuffix(basesdn, be_suffix))
           {
             int tmp_scope = LDAP_SCOPE_ONELEVEL;
             slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &tmp_scope);
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn (&sdn));
           }
           else
             goto next_be;
@@ -662,19 +689,20 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
       
         /* subtree searches :
          * if the search was started above the backend suffix 
-         * - temporarily set the SLAPI_SEARCH_TARGET to the 
+         * - temporarily set the SLAPI_SEARCH_TARGET_SDN to the 
          *   base of the node so that we don't get a NO SUCH OBJECT error
          * - do not change the scope
          */
         if (scope == LDAP_SCOPE_SUBTREE)
         {
-          if (slapi_sdn_issuffix(be_suffix, &sdn))
+          if (slapi_sdn_issuffix(be_suffix, basesdn))
           {
-            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET,
-                     (void *)slapi_sdn_get_ndn(be_suffix));
+            slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+            slapi_sdn_free(&sdn);
+            sdn = slapi_sdn_dup(be_suffix);
+            slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, (void *)sdn);
+            normbase = slapi_sdn_get_dn(sdn);
           }
-          else
-              slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void *)slapi_sdn_get_ndn(&sdn));
         }
       }
       
@@ -886,11 +914,15 @@ free_and_return:
   else if (be_single)
     slapi_be_Unlock(be_single);
 
- free_and_return_nolock:
-  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+free_and_return_nolock:
   slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
   index_subsys_filter_decoders_done(pb);
-  slapi_sdn_done(&sdn);
+  
+  slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+  slapi_sdn_free(&sdn);
+  slapi_sdn_free(&basesdn);
+  slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+
   slapi_ch_free_string(&proxydn);
   slapi_ch_free_string(&proxystr);
   if (pr_reset_processing) {
@@ -1146,10 +1178,8 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result,
     {
         Slapi_Entry *gerentry = NULL;
         Slapi_Operation *operation;
-        int is_paged = 0;
 
         slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
-        is_paged = operation->o_flags & OP_FLAG_PAGED_RESULTS;
         rc = be->be_next_search_entry(pb);
         if (rc < 0) 
         {
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index c1f00d2..a68602b 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
@@ -238,7 +238,6 @@ static int passwd_modify_generate_basic_passwd( int passlen, char **genpasswd )
 	char *data = NULL;
 	char *enc = NULL;
 	int datalen = LDAP_EXTOP_PASSMOD_RANDOM_BYTES;
-	int enclen = LDAP_EXTOP_PASSMOD_GEN_PASSWD_LEN + 1;
 
 	if ( genpasswd == NULL ) {
 		return LDAP_OPERATIONS_ERROR;
@@ -246,7 +245,6 @@ static int passwd_modify_generate_basic_passwd( int passlen, char **genpasswd )
 
 	if ( passlen > 0 ) {
 		datalen = passlen * 3 / 4 + 1;
-		enclen = datalen * 4; /* allocate the large enough space */
 	}
 
 	data = slapi_ch_calloc( datalen, 1 );
@@ -454,10 +452,10 @@ passwd_modify_extop( Slapi_PBlock *pb )
 {
 	char		*oid = NULL;
 	char 		*bindDN = NULL;
+	Slapi_DN	*bindSDN = NULL;
 	char		*authmethod = NULL;
 	char		*rawdn = NULL;
-	char		*dn = NULL;
-	size_t		dnlen = 0;
+	const char	*dn = NULL;
 	char		*otdn = NULL;
 	char		*oldPasswd = NULL;
 	char		*newPasswd = NULL;
@@ -582,15 +580,13 @@ passwd_modify_extop( Slapi_PBlock *pb )
 	if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID )
 	{
 		int rc = 0;
-		if ( ber_scanf( ber, "a", &rawdn) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&rawdn);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at userID parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+		if ( ber_scanf( ber, "a", &rawdn) == LBER_ERROR ) {
+			slapi_ch_free_string(&rawdn);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at userID parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
 
 		/* Check if we should be performing strict validation. */
 		if (config_get_dn_validate_strict()) {
@@ -605,50 +601,31 @@ passwd_modify_extop( Slapi_PBlock *pb )
 				goto free_and_return;
 			}
 		}
-		rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen);
-		if (rc < 0) {
-			op_shared_log_error_access(pb, "EXT", rawdn?rawdn:"",
-								"invalid target dn");
-			slapi_ch_free_string(&rawdn);
-			errMesg = "invalid target dn.\n";
-			rc = LDAP_INVALID_SYNTAX;
-			goto free_and_return;
-		} else if (rc == 0) { /* rawdn is passed in, not terminated */
-			*(dn + dnlen) = '\0';
-		} else {
-			slapi_ch_free_string(&rawdn);
-		}
-		tag = ber_peek_tag( ber, &len);
+		tag = ber_peek_tag(ber, &len);
 	} 
 	
-	
 	/* identify oldPasswd field by tags */
-	if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD )
-	{
-		if ( ber_scanf( ber, "a", &oldPasswd ) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&oldPasswd);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at oldPasswd parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+	if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD ) {
+		if ( ber_scanf( ber, "a", &oldPasswd ) == LBER_ERROR ) {
+			slapi_ch_free_string(&oldPasswd);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at oldPasswd parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
 		tag = ber_peek_tag( ber, &len);
 	}
 	
 	/* identify newPasswd field by tags */
 	if (tag ==  LDAP_EXTOP_PASSMOD_TAG_NEWPWD )
 	{
-		if ( ber_scanf( ber, "a", &newPasswd ) == LBER_ERROR )
-    		{
-    		slapi_ch_free_string(&newPasswd);
-    		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "ber_scanf failed :{\n", 0, 0, 0 );
-    		errMesg = "ber_scanf failed at newPasswd parse.\n";
-		rc = LDAP_PROTOCOL_ERROR;
-		goto free_and_return;
-    		}
+		if ( ber_scanf( ber, "a", &newPasswd ) == LBER_ERROR ) {
+			slapi_ch_free_string(&newPasswd);
+			LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 );
+			errMesg = "ber_scanf failed at newPasswd parse.\n";
+			rc = LDAP_PROTOCOL_ERROR;
+			goto free_and_return;
+		}
 	}
 
 parse_req_done:	
@@ -659,14 +636,28 @@ parse_req_done:
 	/* Get Bind DN */
 	slapi_pblock_get( pb, SLAPI_CONN_DN, &bindDN );
 
+	/* If the connection is bound anonymously, we must refuse to process this operation. */
+	if (bindDN == NULL || *bindDN == '\0') {
+		/* Refuse the operation because they're bound anonymously */
+		errMesg = "Anonymous Binds are not allowed.\n";
+		rc = LDAP_INSUFFICIENT_ACCESS;
+		goto free_and_return;
+	}
+
 	/* Find and set the target DN. */
-	if (dn && *dn != '\0') {
-		target_sdn = slapi_sdn_new_dn_byref(dn);
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, dn);
-	} else if (bindDN && *bindDN != '\0') {
-		target_sdn = slapi_sdn_new_dn_byref(bindDN);
-		slapi_pblock_set(pb, SLAPI_TARGET_DN, bindDN);
+	if (rawdn && *rawdn != '\0') {
+	    target_sdn = slapi_sdn_new_dn_passin(rawdn);
+	} else { /* We already checked (bindDN && *bindDN != '\0') above  */
+	    target_sdn = bindSDN = slapi_sdn_new_normdn_byref(bindDN);
+	}
+	dn = slapi_sdn_get_ndn(target_sdn);
+	if (dn == NULL || *dn == '\0') {
+		/* Refuse the operation because they're bound anonymously */
+		errMesg = "Invalid dn.\n";
+		rc = LDAP_INVALID_DN_SYNTAX;
+		goto free_and_return;
 	}
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, target_sdn);
 
 	/* Check if we need to send any referrals. */
 	if (slapi_dn_write_needs_referral(target_sdn, &referrals)) {
@@ -674,14 +665,6 @@ parse_req_done:
 		goto free_and_return;
 	}
 
-	/* If the connection is bound anonymously, we must refuse to process this operation. */
-	if (bindDN == NULL || *bindDN == '\0') {
-	 	/* Refuse the operation because they're bound anonymously */
-		errMesg = "Anonymous Binds are not allowed.\n";
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto free_and_return;
-	}
-
 	if (oldPasswd == NULL || *oldPasswd == '\0') {
 		/* If user is authenticated, they already gave their password during
 		 * the bind operation (or used sasl or client cert auth or OS creds) */
@@ -746,19 +729,7 @@ parse_req_done:
 		ber_free( response_ber, 1 );
 	 }
 	 
-	 
-	 /* Determine the target DN for this operation */
-	 /* Did they give us a DN ? */
-	 if (dn == NULL || *dn == '\0') {
-	 	/* Get the DN from the bind identity on this connection */
-		slapi_ch_free_string(&dn);
-		dn = slapi_ch_strdup(bindDN);
-		LDAPDebug( LDAP_DEBUG_ANY,
-    		    "Missing userIdentity in request, using the bind DN instead.\n",
-		     0, 0, 0 );
-	 }
-
-	 slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); 
+	 slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, (void *)dn ); 
 
 	 /* Now we have the DN, look for the entry */
 	 ret = passwd_modify_getEntry(dn, &targetEntry);
@@ -826,7 +797,9 @@ parse_req_done:
 	 * this here since the normal modify code doesn't perform this check for
 	 * internal operations. */
 	if (!pb->pb_op->o_isroot && !pb->pb_conn->c_needpw && !pwpolicy->pw_change) {
-		Slapi_DN *bindSDN = slapi_sdn_new_dn_byref(bindDN);
+		if (NULL == bindSDN) {
+			bindSDN = slapi_sdn_new_normdn_byref(bindDN);
+		}
 		/* Is this a user modifying their own password? */
 		if (slapi_sdn_compare(bindSDN, slapi_entry_get_sdn(targetEntry))==0) {
 			if (need_pwpolicy_ctrl) {
@@ -834,10 +807,8 @@ parse_req_done:
 			}
 			errMesg = "User is not allowed to change password\n";
 			rc = LDAP_UNWILLING_TO_PERFORM;
-			slapi_sdn_free(&bindSDN);
 			goto free_and_return;
 		}
-		slapi_sdn_free(&bindSDN);
 	}
 
 	/* Fetch any present request controls so we can use them when
@@ -879,8 +850,6 @@ free_and_return:
 		send_ldap_result( pb, rc, NULL, errMesg, 0, NULL );
 	}
 
-	slapi_sdn_free(&target_sdn);
-	slapi_ch_free_string(&bindDN); /* slapi_pblock_get SLAPI_CONN_DN does strdup */
 	slapi_ch_free_string(&oldPasswd);
 	slapi_ch_free_string(&newPasswd);
 	/* Either this is the same pointer that we allocated and set above,
@@ -888,9 +857,16 @@ free_and_return:
 	 * value that we need to free here */
 	slapi_pblock_get( pb, SLAPI_ORIGINAL_TARGET, &otdn );
 	if (otdn != dn) {
-		slapi_ch_free_string(&dn);
+		slapi_ch_free_string(&otdn);
 	}
-	slapi_ch_free_string(&otdn);
+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+	if (bindSDN != target_sdn) {
+		slapi_sdn_free(&bindSDN);
+	}
+	/* slapi_pblock_get SLAPI_CONN_DN does strdup */
+	slapi_ch_free_string(&bindDN);
+	slapi_sdn_free(&target_sdn);
+	slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
 	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, NULL );
 	slapi_ch_free_string(&authmethod);
 	delete_passwdPolicy(&pwpolicy);
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index d068132..a3689f8 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -1121,11 +1121,10 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
 			(*(entry_address **)value) = &(pblock->pb_op->o_params.target_address);
 		}
 		break;
-        /* should be normalized */
-	case SLAPI_TARGET_DN:
+	case SLAPI_TARGET_SDN:
 		if(pblock->pb_op!=NULL)
 		{
-			(*(char **)value) = pblock->pb_op->o_params.target_address.dn;
+			(*(Slapi_DN **)value) = pblock->pb_op->o_params.target_address.sdn;
 		}
 		break;
 	case SLAPI_ORIGINAL_TARGET_DN:
@@ -1333,8 +1332,8 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
 	case SLAPI_MODRDN_NEWSUPERIOR:
 		if(pblock->pb_op!=NULL)
 		{
-			(*(char **)value) = 
-				pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.dn;
+			(*(Slapi_DN **)value) = 
+				pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn;
 		}
 		break;
 	case SLAPI_MODRDN_PARENT_ENTRY:
@@ -1725,6 +1724,18 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
 		}
 		break;
 
+	case SLAPI_REQUESTOR_NDN:
+		/* NOTE: It's not a copy of the DN */	
+		if (pblock->pb_op != NULL)
+		{
+			char *ndn = (char*)slapi_sdn_get_ndn(&pblock->pb_op->o_sdn);
+			if(ndn == NULL)
+    				(*( char **)value ) = "";
+			else
+    				(*( char **)value ) = ndn;
+		}
+		break;
+
 	case SLAPI_OPERATION_AUTHTYPE:
 		if (pblock->pb_op != NULL)
 		{
@@ -2676,10 +2687,10 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
 	case SLAPI_TARGET_ADDRESS:
 		PR_ASSERT (PR_FALSE);	/* can't do this */
 		break;
-	case SLAPI_TARGET_DN:
+	case SLAPI_TARGET_SDN:
 		if(pblock->pb_op!=NULL)
 		{
-			pblock->pb_op->o_params.target_address.dn = (char *)value;
+			pblock->pb_op->o_params.target_address.sdn = (Slapi_DN *)value;
 		}
 		break;
 	case SLAPI_ORIGINAL_TARGET_DN:
@@ -2833,7 +2844,7 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
 	case SLAPI_MODRDN_NEWSUPERIOR:
 		if(pblock->pb_op!=NULL)
 		{
-			pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.dn = (char *) value;
+			pblock->pb_op->o_params.p.p_modrdn.modrdn_newsuperior_address.sdn = (Slapi_DN *) value;
 		}
 		break;
 	case SLAPI_MODRDN_PARENT_ENTRY:
@@ -3456,9 +3467,7 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
 		if ( conn->c_dn != NULL ) {
 			if ( bind_target_entry == NULL )
 			{
-				Slapi_DN        *sdn;
-
-				sdn = slapi_sdn_new_dn_byref( conn->c_dn );			/* set */
+				Slapi_DN *sdn = slapi_sdn_new_normdn_byref( conn->c_dn );
 				reslimit_update_from_dn( conn, sdn );
 				slapi_sdn_free( &sdn );
 			} else {
@@ -3466,11 +3475,9 @@ bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn,
 			}
 		} else {
 			char *anon_dn = config_get_anon_limits_dn();
-			Slapi_DN *anon_sdn = NULL;
-
 			/* If an anonymous limits dn is set, use it to set the limits. */
 			if (anon_dn && (strlen(anon_dn) > 0)) {
-				anon_sdn = slapi_sdn_new_dn_byref( anon_dn );
+				Slapi_DN *anon_sdn = slapi_sdn_new_normdn_byref( anon_dn );
 				reslimit_update_from_dn( conn, anon_sdn );
 				slapi_sdn_free( &anon_sdn );
 			}
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 19d6d38..52b560f 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -180,6 +180,7 @@ add_plugin_entries()
 		slapi_add_entry_internal_set_pb(&newpb, ep->e, NULL,
 										ep->plugin, plugin_actions);
 		slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(ep->e));
+		slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(ep->e));
 		slapi_add_internal_pb(&newpb);
 		deleteep = ep;
 		ep = ep->next;
@@ -269,16 +270,13 @@ slapi_register_plugin_ext(
 	int ii = 0;
     int rc = 0;
 	Slapi_Entry *e = NULL;
-	char *dn = slapi_create_dn_string("cn=%s,%s", name, PLUGIN_BASE_DN);
-	if (NULL == dn) {
-		slapi_log_error(SLAPI_LOG_FATAL, NULL,
-					"slapi_register_plugin_ext: "
-					"failed to create plugin dn (plugin name: %s)\n", name);
-		return 1;
-	}
+	char *dn = slapi_ch_smprintf("cn=%s,%s", name, PLUGIN_BASE_DN);
+	Slapi_DN *sdn = slapi_sdn_new_dn_passin(dn);
+
 	e = slapi_entry_alloc();
 	/* this function consumes dn */
-	slapi_entry_init(e, dn, NULL);
+	slapi_entry_init_ext(e, sdn, NULL);
+	slapi_sdn_free(&sdn);
 
 	slapi_entry_attr_set_charptr(e, "cn", name);
 	slapi_entry_attr_set_charptr(e, ATTR_PLUGIN_TYPE, plugintype);
@@ -520,9 +518,6 @@ plugin_extended_op_oid2string( const char *oid )
 					}
 					break;
 				}
-				if ( p->plg_exoids[i] != NULL ) {
-					break;
-				}
 			}
 		}
 	}
@@ -991,30 +986,30 @@ plugin_dependency_startall(int argc, char** argv, char *errmsg, int operation)
 
 		if(plugin_entry)
 		{
-                        /*
-                         * Pass the plugin DN in SLAPI_TARGET_DN and the plugin entry
-                         * in SLAPI_ADD_ENTRY.  For this to actually work, we need to
-                         * create an operation and include that in the pblock as well,
-                         * because these two items are stored in the operation parameters.
-                         */
-		        /* WARNING: memory leak here - op is only freed by a pblock_done,
+			/*
+			 * Pass the plugin DN in SLAPI_TARGET_SDN and the plugin entry
+			 * in SLAPI_ADD_ENTRY.  For this to actually work, we need to
+			 * create an operation and include that in the pblock as well,
+			 * because these two items are stored in the operation parameters.
+			 */
+			/* WARNING: memory leak here - op is only freed by a pblock_done,
 			   and this only happens below if the plugin is enabled - a short
 			   circuit goto bail may also cause a leak - however, since this
 			   only happens a few times at startup, this is not a very serious
 			   leak - just after the call to plugin_call_one */
-                        Operation *op = internal_operation_new(SLAPI_OPERATION_ADD, 0);
-                        slapi_pblock_set(&(config[plugin_index].pb), SLAPI_OPERATION, op);
-			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_TARGET_DN,
-							 (void*)(slapi_entry_get_dn_const(plugin_entry)));
-                        slapi_pblock_set(&(config[plugin_index].pb), SLAPI_ADD_ENTRY,
-                                        plugin_entry );
+			Operation *op = internal_operation_new(SLAPI_OPERATION_ADD, 0);
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_OPERATION, op);
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_TARGET_SDN,
+				(void*)(slapi_entry_get_sdn_const(plugin_entry)));
+			slapi_pblock_set(&(config[plugin_index].pb), SLAPI_ADD_ENTRY,
+				plugin_entry );
 
 			/* Pass the plugin alternate config area DN in SLAPI_PLUGIN_CONFIG_AREA. */
 			value = slapi_entry_attr_get_charptr(plugin_entry, ATTR_PLUGIN_CONFIG_AREA);
 			if(value)
 			{
-                                config[plugin_index].config_area = value;
-                                value = NULL;
+				config[plugin_index].config_area = value;
+				value = NULL;
 				slapi_pblock_set(&(config[plugin_index].pb), SLAPI_PLUGIN_CONFIG_AREA,
 							config[plugin_index].config_area);
 			}
@@ -1191,7 +1186,7 @@ plugin_dependency_startall(int argc, char** argv, char *errmsg, int operation)
 					newe = slapi_entry_dup( config[plugin_index].e );
 					slapi_add_entry_internal_set_pb(&newpb, newe, NULL,
 									plugin_get_default_component_id(), plugin_actions);
-					slapi_pblock_set(&newpb, SLAPI_TARGET_DN, (void*)slapi_entry_get_dn_const(newe));
+					slapi_pblock_set(&newpb, SLAPI_TARGET_SDN, (void*)slapi_entry_get_sdn_const(newe));
 					slapi_add_internal_pb(&newpb);
 					pblock_done(&newpb);
 					config[plugin_index].entry_created = 1;
@@ -1440,17 +1435,17 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
 	int count= 0;
     for (; list != NULL; list = list->plg_next)
 	{
-    	IFP func = NULL;
+		IFP func = NULL;
 	
-    	slapi_pblock_set (pb, SLAPI_PLUGIN, list);
-    	set_db_default_result_handlers (pb); /* JCM: What's this do? Is it needed here? */
-    	if (slapi_pblock_get (pb, operation, &func) == 0 && func != NULL &&
+	slapi_pblock_set (pb, SLAPI_PLUGIN, list);
+	set_db_default_result_handlers (pb); /* JCM: What's this do? Is it needed here? */
+	if (slapi_pblock_get (pb, operation, &func) == 0 && func != NULL &&
 			plugin_invoke_plugin_pb (list, operation, pb))
 		{
 			char *n= list->plg_name;
 			LDAPDebug( LDAP_DEBUG_TRACE, "Calling plugin '%s' #%d type %d\n", (n==NULL?"noname":n), count, operation );
 			/* counters_to_errors_log("before plugin call"); */
-    		if (( rc = func (pb)) != 0 )
+			if (( rc = func (pb)) != 0 )
 			{
 				if (SLAPI_PLUGIN_PREOPERATION == list->plg_type ||
 					SLAPI_PLUGIN_INTERNAL_PREOPERATION == list->plg_type ||
@@ -1471,16 +1466,16 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
 					/* OR the result into the return value for be pre/postops */
 					return_value |= rc;
 				}
-    		}
+			}
 			/* counters_to_errors_log("after plugin call"); */
-    	}
+		}
 
 		count++;
 
 		if(call_one)
 			break;
-    }
-    return( return_value );
+	}
+	return( return_value );
 }
 
 int
@@ -1574,9 +1569,9 @@ ldapi_init_extended_ops( void )
 
 	slapi_rwlock_wrlock(extended_ops_lock);
 	charray_add(&supported_extended_ops,
-	slapi_ch_strdup(EXTOP_BULK_IMPORT_START_OID));
+	            slapi_ch_strdup(EXTOP_BULK_IMPORT_START_OID));
 	charray_add(&supported_extended_ops,
-	slapi_ch_strdup(EXTOP_BULK_IMPORT_DONE_OID));
+	            slapi_ch_strdup(EXTOP_BULK_IMPORT_DONE_OID));
 	/* add future supported extops here... */
 	slapi_rwlock_unlock(extended_ops_lock);
 }
@@ -2147,7 +2142,9 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
 	}
 	else
 	{
-		plugin->plg_name = value; /* plugin owns value's memory now, don't free */
+		/* plg_name is normalized once here */
+		plugin->plg_name = slapi_create_rdn_value("%s", value);
+		slapi_ch_free((void**)&value);
 	}
 
 	if (!(value = slapi_entry_attr_get_charptr(plugin_entry, ATTR_PLUGIN_PRECEDENCE)))
@@ -2546,7 +2543,7 @@ plugin_invoke_plugin_sdn (struct slapdplugin *plugin, int operation, Slapi_PBloc
 char* plugin_get_dn (const struct slapdplugin *plugin)
 {
 	char *plugindn = NULL;
-	char *pattern = "cn=%s," PLUGIN_BASE_DN;
+	char *pattern = "cn=%s," PLUGIN_BASE_DN; /* cn=plugins,cn=config */
 
 	if (plugin == NULL)	/* old plugin that does not pass identity - use default */
 		plugin = &global_default_plg;
@@ -2554,7 +2551,8 @@ char* plugin_get_dn (const struct slapdplugin *plugin)
 	if (plugin->plg_name == NULL)
 		return NULL;
 
-	plugindn = slapi_create_dn_string(pattern, plugin->plg_name);
+	/* plg_name is normalized in plugin_setup. So, we can use smprintf */
+	plugindn = slapi_ch_smprintf(pattern, plugin->plg_name);
 	if (NULL == plugindn) {
 		slapi_log_error(SLAPI_LOG_FATAL, NULL,
 					"plugin_get_dn: failed to create plugin dn "
diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c
index 2dd0f71..24dcc76 100644
--- a/ldap/servers/slapd/plugin_acl.c
+++ b/ldap/servers/slapd/plugin_acl.c
@@ -138,12 +138,12 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
 	int					rc = 0;
    	void				*change = NULL;
    	Slapi_Entry			*te = NULL;
-    Slapi_DN			sdn;
+    Slapi_DN			*sdn = NULL;
 	Operation			*operation;
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 
-	(void)slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	(void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
 
 	switch ( optype ) {
  	  case SLAPI_OPERATION_MODIFY:
@@ -154,24 +154,29 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
 		te = (Slapi_Entry *)change;
 		if(!slapi_sdn_isempty(slapi_entry_get_sdn(te)))
 		{
-		    dn= (char*)slapi_sdn_get_ndn(slapi_entry_get_sdn(te)); /* jcm - Had to cast away const */
+			sdn = slapi_entry_get_sdn(te);
 		}
 		break;
     	  case SLAPI_OPERATION_MODRDN:
 		(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
 		break;
-    	}
+	}
 	
-	slapi_sdn_init_dn_byref (&sdn, dn);
+	if (NULL == sdn) {
+		LDAPDebug0Args ( LDAP_DEBUG_ANY, 
+		                 "plugin_call_acl_mods_update: Null target DN\n" );
+		return LDAP_INVALID_DN_SYNTAX;
+	}
+
 	/* call the global plugins first and then the backend specific */
+	dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
 	for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
-		if (plugin_invoke_plugin_sdn (p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, &sdn)){
+		if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
 			rc = (*p->plg_acl_mods_update)(pb, optype, dn, change );
 			if ( rc != LDAP_SUCCESS ) break;
 		}
 	}
 
-	slapi_sdn_done (&sdn);
 	return rc;
 }
 
diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
index c8e6000..67189a4 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -282,21 +282,25 @@ int slapi_seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, plugi
 	return (seq_internal_callback_pb (pb, callback_data, res_callback, srch_callback, ref_callback));
 }
 
-void slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base, int scope, const char *filter, char **attrs, 
-							       int attrsonly, LDAPControl **controls, const char *uniqueid, 
-								   Slapi_ComponentId *plugin_identity, int operation_flags)
+void
+slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base, 
+                              int scope, const char *filter, char **attrs, 
+                              int attrsonly, LDAPControl **controls, 
+                              const char *uniqueid, 
+                              Slapi_ComponentId *plugin_identity,
+                              int operation_flags)
 {
 	Operation *op;
 	if (pb == NULL || base == NULL)
 	{
-        slapi_log_error(SLAPI_LOG_FATAL, NULL, 
-						"slapi_search_internal_set_pb: NULL parameter\n");
+		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
+		                "slapi_search_internal_set_pb: NULL parameter\n");
 		return;
 	}
 
-    op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
+	op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
 	slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, (void*)base);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)base);
 	slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
 	slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
 	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
@@ -323,7 +327,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
 
     op= internal_operation_new(SLAPI_OPERATION_SEARCH,operation_flags);
 	slapi_pblock_set(pb, SLAPI_OPERATION, op);
-	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET, base);
+	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)base );
 	slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
 	slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
 	slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
@@ -343,19 +347,22 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	Operation *op;
     struct callback_fn_ptrs   callback_handler_data;
     Slapi_Backend *be;
-	Slapi_DN sdn;
 	char *base;
 	char *attrname, *val;
+	Slapi_DN *sdn = NULL;
 
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &base);
+	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
 	slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
 
-    if (base == NULL) {
-    	slapi_sdn_init_dn_byval(&sdn,"");
-    } else {
-    	slapi_sdn_init_dn_byval(&sdn, base);
-    }
-    be = slapi_be_select(&sdn);
+	if (base == NULL) {
+		sdn = slapi_sdn_new_dn_byval("");
+	} else {
+		sdn = slapi_sdn_new_dn_byref(base);
+	}
+
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, sdn);
+
+    be = slapi_be_select(sdn);
 
     callback_handler_data.p_res_callback         = prc;
     callback_handler_data.p_srch_entry_callback  = psec;
@@ -369,8 +376,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
     op->o_search_referral_handler = internal_ref_entry_callback;
 		 
 	/* set target specification of the operation used to decide which plugins are called for the operation */  
-	operation_set_target_spec (op, &sdn);
-
+	operation_set_target_spec (op, sdn);
 
 	/* Normalize the attribute type and value */
 	slapi_pblock_get (pb, SLAPI_SEQ_ATTRNAME, &attrname);
@@ -396,14 +402,16 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	}
 	else
 	{
-    	send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL);
+		send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL);
 		rc = 0;
     }
 
-	slapi_ch_free((void **) &attrname);
-    slapi_ch_free((void **) &val);
-
-	slapi_sdn_done(&sdn);    
+	slapi_ch_free_string(&attrname);
+	slapi_ch_free_string(&val);
+	/* slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &normbase); */
+	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
+	slapi_sdn_free(&sdn);
+	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
 
 	return rc;
 }
@@ -675,10 +683,11 @@ static int search_internal_pb (Slapi_PBlock *pb)
 	return 0;
 }
 
-static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, 
-									     plugin_result_callback prc, 
-									     plugin_search_entry_callback psec, 
-									     plugin_referral_entry_callback prec)
+static int
+search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data, 
+                             plugin_result_callback prc, 
+                             plugin_search_entry_callback psec, 
+                             plugin_referral_entry_callback prec)
 {
 	LDAPControl				  **controls;
 	Operation                 *op;
@@ -689,8 +698,6 @@ static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	char					  *ifstr;
 	int						  opresult;
 	int						  rc = 0;
-	char					  *original_base = 0;
-	char					  *new_base = 0;
 
 	PR_ASSERT (pb);
 
@@ -755,12 +762,8 @@ static int search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	 * memory so we need to keep track of
 	 * changed base search strings
 	 */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &original_base);
-	slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET_DN, slapi_ch_strdup(original_base));
-
 	op_shared_search (pb, 1);    
 
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &new_base);
     slapi_pblock_get(pb, SLAPI_SEARCH_FILTER, &filter);
 
 done:
@@ -770,24 +773,17 @@ done:
         slapi_filter_free(filter, 1 /* recurse */);
     }
 
-	if(original_base != new_base)
-		slapi_ch_free_string(&new_base);
-
-	/* we strdup'd this above - need to free */
-	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &original_base);
-	slapi_ch_free_string(&original_base);
-
     return(rc);
 }
 
 /* allow/disallow operation based of the plugin configuration */
 PRBool allow_operation (Slapi_PBlock *pb)
 {
-	char *dn = NULL;
 	struct slapdplugin *plugin = NULL;
-	Slapi_DN sdn;
+	Slapi_DN *sdnp = NULL;
+	Slapi_DN sdn = {0};
 	PRBool allow;
-        struct slapi_componentid * cid=NULL;
+	struct slapi_componentid * cid=NULL;
 
 	PR_ASSERT (pb);
 	
@@ -805,17 +801,16 @@ PRBool allow_operation (Slapi_PBlock *pb)
 		return PR_FALSE;
 	}
 
-	slapi_pblock_get (pb, SLAPI_TARGET_DN, &dn);
-	if (dn == NULL) {
-    	slapi_sdn_init_dn_byval(&sdn,"");
-    } else {
-    	slapi_sdn_init_dn_byval(&sdn, dn);
-    }
+	slapi_pblock_get (pb, SLAPI_TARGET_SDN, &sdnp);
+	if (NULL == sdnp) {
+		slapi_sdn_init_dn_byval(&sdn,"");
+		sdnp = &sdn;
+	}
 
-	allow = plugin_allow_internal_op (&sdn, plugin);
-	
-	slapi_sdn_done (&sdn);
+	allow = plugin_allow_internal_op (sdnp, plugin);
 
+	slapi_sdn_done(&sdn);
+	
 	return allow;
 }
 
diff --git a/ldap/servers/slapd/plugin_syntax.c b/ldap/servers/slapd/plugin_syntax.c
index 2e357b4..adfda4a 100644
--- a/ldap/servers/slapd/plugin_syntax.c
+++ b/ldap/servers/slapd/plugin_syntax.c
@@ -282,7 +282,7 @@ plugin_call_syntax_filter_sub_sv(
  */
 int
 slapi_dn_syntax_check(
-	Slapi_PBlock *pb, char *dn, int override
+	Slapi_PBlock *pb, const char *dn, int override
 )
 {
 	int ret = 0;
@@ -312,7 +312,7 @@ slapi_dn_syntax_check(
 	if (dn_plugin && dn_plugin->plg_syntax_validate != NULL) {
 		/* Create a berval to pass to the validate function. */
 		if (dn) {
-			dn_bval.bv_val = dn;
+			dn_bval.bv_val = (char *)dn;
 			dn_bval.bv_len = strlen(dn);
 
 			/* Validate the value. */
@@ -459,7 +459,8 @@ slapi_mods_syntax_check(
 	char errtext[ BUFSIZ ];
 	char *errp = &errtext[0];
 	size_t err_remaining = sizeof(errtext);
-	char *dn = NULL;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
 	LDAPMod *mod = NULL;
 
 	if (mods == NULL) {
@@ -469,7 +470,8 @@ slapi_mods_syntax_check(
 
 	if (pb != NULL) {
 		slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
-		slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+		slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+		dn = slapi_sdn_get_dn(sdn);
 	}
 
 	/* If syntax checking and logging are  off, or if this is a
diff --git a/ldap/servers/slapd/proxyauth.c b/ldap/servers/slapd/proxyauth.c
index 9dbcac8..8daa94d 100644
--- a/ldap/servers/slapd/proxyauth.c
+++ b/ldap/servers/slapd/proxyauth.c
@@ -147,10 +147,12 @@ parse_LDAPProxyAuth(struct berval *spec_ber, int version, char **errtextp,
 	if (rc < 0) {
 		lderr = LDAP_INVALID_SYNTAX;
 	} else if (rc == 0) { /* spec->auth_dn is passed in; not terminated */
-		*(normed + dnlen) = '\0';
+		*(spec->auth_dn + dnlen) = '\0';
+		slapi_dn_ignore_case(spec->auth_dn);
 	} else {
 		slapi_ch_free_string(&spec->auth_dn);
 		spec->auth_dn = normed;
+		slapi_dn_ignore_case(spec->auth_dn);
 	}
   END
 
diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
index c19d34f..9fc1172 100644
--- a/ldap/servers/slapd/psearch.c
+++ b/ldap/servers/slapd/psearch.c
@@ -291,6 +291,7 @@ ps_send_results( void *arg )
 	PSEQNode *peq, *peqnext;
 	struct slapi_filter *filter = 0;
 	char *base = NULL;
+	Slapi_DN *sdn = NULL;
 	char *fstr = NULL;
 	char **pbattrs = NULL;
 	int conn_acq_flag = 0;
@@ -392,16 +393,16 @@ ps_send_results( void *arg )
     plugin_call_plugins( ps->ps_pblock , SLAPI_PLUGIN_POST_SEARCH_FN );
 
 	/* free things from the pblock that were not free'd in do_search() */
-	/* Free SLAPI_SEARCH_* before deleting op since those are held by op */
-    slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET, &base );
-    slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_TARGET, NULL );
-	slapi_ch_free_string(&base);
-
 	/* we strdup'd this in search.c - need to free */
 	slapi_pblock_get( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, &base );
 	slapi_pblock_set( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, NULL );
 	slapi_ch_free_string(&base);
 
+	/* Free SLAPI_SEARCH_* before deleting op since those are held by op */
+	slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, &sdn );
+	slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, NULL );
+	slapi_sdn_free(&sdn);
+
     slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_STRFILTER, &fstr );
     slapi_pblock_set( ps->ps_pblock, SLAPI_SEARCH_STRFILTER, NULL );
 	slapi_ch_free_string(&fstr);
@@ -525,8 +526,8 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 	ber_int_t chgnum )
 {
 	LDAPControl *ctrl = NULL;
-    PSearch	*ps = NULL;
-    PSEQNode *pe = NULL;
+	PSearch	*ps = NULL;
+	PSEQNode *pe = NULL;
 	int  matched = 0;
 	const char *edn;
 
@@ -534,24 +535,24 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 		return;
 	}
 
-    if ( NULL == e ) {
+	if ( NULL == e ) {
 		/* For now, some backends such as the chaining backend do not provide a post-op entry */
 		return;
-    }
+	}
 
-   	PSL_LOCK_READ();
+	PSL_LOCK_READ();
 	edn = slapi_entry_get_dn_const(e);
 
 	for ( ps = psearch_list ? psearch_list->pl_head : NULL; NULL != ps; ps = ps->ps_next ) {
-		Slapi_DN base;
-	    Slapi_Filter	*f;
-	    char	*basedn;
-	    int		scope;
+		char *origbase = NULL;
+		Slapi_DN *base = NULL;
+		Slapi_Filter	*f;
+		int		scope;
 
 		/* Skip the node that doesn't meet the changetype,
 		 * or is unable to use the change in ps_send_results()
 		 */
-	    if (( ps->ps_changetypes & chgtype ) == 0 ||
+		if (( ps->ps_changetypes & chgtype ) == 0 ||
 				ps->ps_pblock->pb_op == NULL ||
 				slapi_op_abandoned( ps->ps_pblock ) ) {
 			continue;
@@ -560,14 +561,18 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 		slapi_log_error(SLAPI_LOG_CONNS, "Persistent Search",
 						"conn=%" NSPRIu64 " op=%d entry %s with chgtype %d "
 						"matches the ps changetype %d\n",
-						ps->ps_pblock->pb_conn->c_connid, ps->ps_pblock->pb_op->o_opid,
+						ps->ps_pblock->pb_conn->c_connid,
+						ps->ps_pblock->pb_op->o_opid,
 						edn, chgtype, ps->ps_changetypes);
 
 		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_FILTER, &f );
-		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET, &basedn );
+		slapi_pblock_get( ps->ps_pblock, SLAPI_ORIGINAL_TARGET_DN, &origbase );
+		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, &base );
 		slapi_pblock_get( ps->ps_pblock, SLAPI_SEARCH_SCOPE, &scope );
-		slapi_sdn_init_dn_byref(&base,basedn);
-
+		if (NULL == base) {
+			base = slapi_sdn_new_dn_byref(origbase);
+			slapi_pblock_set(ps->ps_pblock, SLAPI_SEARCH_TARGET_SDN, base);
+		}
 
 		/*
 		 * See if the entry meets the scope and filter criteria.
@@ -582,7 +587,7 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 		 * to the same pblock must be done carefully--there is currently no
 		 * generic satisfactory way to do this.
 		*/
-		if ( slapi_sdn_scope_test( slapi_entry_get_sdn_const(e), &base, scope ) &&
+		if ( slapi_sdn_scope_test( slapi_entry_get_sdn_const(e), base, scope ) &&
 			 slapi_vattr_filter_test( ps->ps_pblock, e, f, 0 /* verify_access */ ) == 0 ) {
 			PSEQNode *pOldtail;
 
@@ -601,11 +606,11 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 							eprev ? slapi_entry_get_dn_const(eprev) : NULL,
 							&ctrl );
 					if ( rc != LDAP_SUCCESS ) {
-				    	char ebuf[ BUFSIZ ];
+						char ebuf[ BUFSIZ ];
 		   				LDAPDebug( LDAP_DEBUG_ANY, "ps_service_persistent_searches:"
-				    	" unable to create EntryChangeNotification control for"
-				    	" entry \"%s\" -- control won't be sent.\n",
-				    	escape_string( slapi_entry_get_dn_const(e), ebuf), 0, 0 );
+						" unable to create EntryChangeNotification control for"
+						" entry \"%s\" -- control won't be sent.\n",
+						escape_string( slapi_entry_get_dn_const(e), ebuf), 0, 0 );
 					}
 				}
 				if ( ctrl ) {
@@ -618,29 +623,28 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch
 			pOldtail = ps->ps_eq_tail;
 			ps->ps_eq_tail = pe;
 			if ( NULL == ps->ps_eq_head ) {
-			    ps->ps_eq_head = ps->ps_eq_tail;
+				ps->ps_eq_head = ps->ps_eq_tail;
 			}
 			else {
 				pOldtail->pe_next = ps->ps_eq_tail;
 			}
 			PR_Unlock( ps->ps_lock );
 		}
-		slapi_sdn_done(&base);
 	}
 
    	PSL_UNLOCK_READ();
 
-    /* Were there any matches? */
-    if ( matched ) {
+	/* Were there any matches? */
+	if ( matched ) {
 		ldap_control_free( ctrl );
 		/* Turn 'em loose */
 		ps_wakeup_all();
 		LDAPDebug( LDAP_DEBUG_TRACE, "ps_service_persistent_searches: enqueued entry "
 			"\"%s\" on %d persistent search lists\n", slapi_entry_get_dn_const(e), matched, 0 );
-    } else {
+	} else {
 		LDAPDebug( LDAP_DEBUG_TRACE, "ps_service_persistent_searches: entry "
 			"\"%s\" not enqueued on any persistent search lists\n", slapi_entry_get_dn_const(e), 0, 0 );
-    }
+	}
 
 }
 
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 61d01d9..6ad1e0d 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -69,7 +69,7 @@
 #define GENERALIZED_TIME_LENGTH 15
 
 static int pw_in_history(Slapi_Value **history_vals, const Slapi_Value *pw_val);
-static int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw );
+static int update_pw_history( Slapi_PBlock *pb, const char *dn, char *old_pw );
 static int check_trivial_words (Slapi_PBlock *, Slapi_Entry *, Slapi_Value **,
 		char *attrtype, int toklen, Slapi_Mods *smods );
 static int pw_boolean_str2value (const char *str);
@@ -586,8 +586,9 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
 	Slapi_Mods	smods;
 	char *timestr;
 	time_t 		pw_exp_date;
-	time_t          cur_time;
-	char 		*dn;
+	time_t      cur_time;
+	const char 	*dn;
+	Slapi_DN *sdn = NULL;
 	passwdPolicy *pwpolicy = NULL;
 	int internal_op = 0;
 	Slapi_Operation *operation = NULL;
@@ -596,7 +597,8 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) {
 	internal_op = slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);
 
 	cur_time = current_time();
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 	
 	pwpolicy = new_passwdPolicy(pb, dn);
 
@@ -1062,7 +1064,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 }
 
 static 
-int update_pw_history( Slapi_PBlock *pb, char *dn, char *old_pw ) {
+int update_pw_history( Slapi_PBlock *pb, const char *dn, char *old_pw ) {
 
 	time_t 		t, old_t, cur_time;
 	int 		i = 0, oldest = 0;
@@ -1253,7 +1255,8 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
 }
 
 void
-pw_mod_allowchange_aci(int pw_prohibit_change) {
+pw_mod_allowchange_aci(int pw_prohibit_change)
+{
 	const Slapi_DN *base;
 	char		*values_mod[2];
 	LDAPMod		mod;
@@ -1302,7 +1305,7 @@ pw_mod_allowchange_aci(int pw_prohibit_change) {
 					** successfully, let's update the 
 					** in-memory acl list
 					*/
-					slapi_pblock_set(&pb, SLAPI_TARGET_DN, (char*)slapi_sdn_get_dn(base) ); /* jcm: cast away const */
+					slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base);
 					plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY );
 				}
 				pblock_done(&pb);
diff --git a/ldap/servers/slapd/pw_retry.c b/ldap/servers/slapd/pw_retry.c
index 573046f..d80de6f 100644
--- a/ldap/servers/slapd/pw_retry.c
+++ b/ldap/servers/slapd/pw_retry.c
@@ -124,13 +124,15 @@ int update_pw_retry ( Slapi_PBlock *pb )
 
 static
 void set_retry_cnt_and_time ( Slapi_PBlock *pb, int count, time_t cur_time ) {
-	char        *dn;
+	const char  *dn = NULL;
+	Slapi_DN    *sdn = NULL;
 	Slapi_Mods	smods;
 	time_t      reset_time;
 	char		*timestr;
 	passwdPolicy *pwpolicy = NULL;
 
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 	pwpolicy = new_passwdPolicy(pb, dn);
 
 	slapi_mods_init(&smods, 0);
@@ -154,10 +156,12 @@ void set_retry_cnt_mods(Slapi_PBlock *pb, Slapi_Mods *smods, int count)
 	char 		*timestr;
 	time_t		unlock_time;
 	char        retry_cnt[8]; /* 1-65535 */
-	char *dn = NULL; 
+	const char *dn = NULL; 
+	Slapi_DN *sdn = NULL; 
 	passwdPolicy *pwpolicy = NULL;
 
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 	pwpolicy = new_passwdPolicy(pb, dn);
 
 	if (smods) {
@@ -186,10 +190,12 @@ void set_retry_cnt_mods(Slapi_PBlock *pb, Slapi_Mods *smods, int count)
 
 static
 void set_retry_cnt ( Slapi_PBlock *pb, int count) {
-	char        *dn;
+	const char *dn;
+	Slapi_DN *sdn = NULL; 
 	Slapi_Mods	smods;
 	
-	slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+	dn = slapi_sdn_get_dn(sdn);
 	slapi_mods_init(&smods, 0);
 	set_retry_cnt_mods(pb, &smods, count);
 	pw_apply_mods(dn, &smods);
@@ -201,12 +207,13 @@ Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
 {
 	int             search_result = 0;
 	Slapi_Entry     *retentry = NULL;
-	Slapi_DN		sdn;
+	Slapi_DN        *target_sdn = NULL;
+	Slapi_DN        sdn = {0};
+
+	slapi_pblock_get( pb, SLAPI_TARGET_SDN, &target_sdn );
 
 	if ((dn == NULL) && pb) {
-		char *t;
-		slapi_pblock_get( pb, SLAPI_TARGET_DN, &t );
-		dn= t;
+		dn = slapi_sdn_get_dn(target_sdn);
 	}
 
 	if (dn == NULL) {
@@ -216,7 +223,14 @@ Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
 
 	slapi_sdn_init_dn_byref(&sdn, dn);
 
-	if ((search_result = slapi_search_internal_get_entry(&sdn, NULL,  &retentry, pw_get_componentID())) != LDAP_SUCCESS){
+	if (slapi_sdn_compare(&sdn, target_sdn)) { /* does not match */
+	    target_sdn = &sdn;
+	}
+
+	search_result = slapi_search_internal_get_entry(target_sdn, NULL,
+	                                                &retentry, 
+	                                                pw_get_componentID());
+	if (search_result != LDAP_SUCCESS) {
 		LDAPDebug (LDAP_DEBUG_TRACE, "WARNING: 'get_entry' can't find entry '%s', err %d\n", dn, search_result, 0);
 	}
 	slapi_sdn_done(&sdn);
diff --git a/ldap/servers/slapd/rdn.c b/ldap/servers/slapd/rdn.c
index 48d4d9e..0ec2b83 100644
--- a/ldap/servers/slapd/rdn.c
+++ b/ldap/servers/slapd/rdn.c
@@ -132,12 +132,14 @@ _slapi_rdn_init_all_dn_ext(Slapi_RDN *rdn, const Slapi_DN *sdn)
 	char **dns = NULL;
 	int rc = 1;
 
-	if (NULL == rdn || NULL == sdn)
-	{
+	if (NULL == rdn || NULL == sdn) {
 		return -1;
 	}
 
 	dn = slapi_sdn_get_dn(sdn);
+	if (NULL == dn) {
+		return -1;
+	}
 	for (; isspace(*dn) ; dn++) ;
 
 	/* Suffix is a part of mapping tree. We should not free it */
@@ -670,7 +672,19 @@ slapi_rdn_get_nrdn(Slapi_RDN *srdn)
 	}
 	if (NULL == srdn->nrdn)
 	{
-		normalize_case_helper(srdn->rdn, &srdn->nrdn);
+		if (srdn->all_nrdns && srdn->all_nrdns[0])
+		{
+			srdn->nrdn = slapi_ch_strdup(srdn->all_nrdns[0]);
+		}
+		else if (srdn->all_nrdns && srdn->all_nrdns[0])
+		{
+			srdn->nrdn = slapi_ch_strdup(srdn->all_rdns[0]);
+			slapi_dn_ignore_case(srdn->nrdn);
+		}
+		else
+		{
+			normalize_case_helper(srdn->rdn, &srdn->nrdn);
+		}
 	}
 	return (const char *)srdn->nrdn;
 }
diff --git a/ldap/servers/slapd/referral.c b/ldap/servers/slapd/referral.c
index 458da81..46ce56d 100644
--- a/ldap/servers/slapd/referral.c
+++ b/ldap/servers/slapd/referral.c
@@ -186,12 +186,13 @@ ref_adjust( Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn,
 	int is_reference )
 {
     int			i, len, scope;
+    Slapi_DN    *sdn = NULL;
     char		*p, *opdn_norm;
     struct berval	**urlscopy;
     Operation		*op;
 
     if ( NULL == urls || NULL == urls[0] ) {
-	return( NULL );
+        return( NULL );
     }
 
     PR_ASSERT( pb != NULL );
@@ -200,20 +201,20 @@ ref_adjust( Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn,
      * grab the operation target DN and operation structure.
      * if the operation is a search, get the scope as well.
      */
-    if ( slapi_pblock_get( pb, SLAPI_TARGET_DN, &p ) != 0 || p == NULL ||
-	    slapi_pblock_get( pb, SLAPI_OPERATION, &op ) != 0 || op == NULL ||
-	    ( operation_get_type(op) == SLAPI_OPERATION_SEARCH && slapi_pblock_get( pb,
-	    SLAPI_SEARCH_SCOPE, &scope ) != 0 )) {
-	LDAPDebug( LDAP_DEBUG_ANY, "ref_adjust: referrals suppressed "
-		"(could not get target DN, operation, or scope from pblock)\n",
-		0, 0, 0 );
-	return( NULL );
+    if ( slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ) != 0 || sdn == NULL ||
+         slapi_pblock_get( pb, SLAPI_OPERATION, &op ) != 0 || op == NULL ||
+         ( operation_get_type(op) == SLAPI_OPERATION_SEARCH && slapi_pblock_get( pb,
+        SLAPI_SEARCH_SCOPE, &scope ) != 0 )) {
+        LDAPDebug0Args( LDAP_DEBUG_ANY, "ref_adjust: referrals suppressed "
+                        "(could not get target DN, operation, "
+                        "or scope from pblock)\n" );
+        return( NULL );
     }
 
     /*
      * normalize the DNs we plan to compare with others later.
      */
-    opdn_norm = slapi_dn_normalize( slapi_ch_strdup( p ));
+    opdn_norm = slapi_ch_strdup( slapi_sdn_get_dn(sdn) );
 
 
     /*
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index 800fb39..a3fff38 100644
--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -289,8 +289,9 @@ send_ldap_result_ext(
 	int		i, rc, logit = 0;
 	ber_tag_t	tag;
 	int             flush_ber_element = 1;
-  	Slapi_Operation *operation;
-	char *dn;
+	Slapi_Operation *operation;
+	const char *dn = NULL;
+	Slapi_DN *sdn = NULL;
 	int internal_op;
 	passwdPolicy *pwpolicy = NULL;
 	
@@ -368,8 +369,9 @@ send_ldap_result_ext(
 	/* invalid password.  Update the password retry here */
 	/* put this here for now.  It could be a send_result pre-op plugin. */
 	if (err == LDAP_INVALID_CREDENTIALS) {
-		slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
-                pwpolicy = new_passwdPolicy(pb, dn);
+		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+		dn = slapi_sdn_get_dn(sdn);
+		pwpolicy = new_passwdPolicy(pb, dn);
 		if (pwpolicy && (pwpolicy->pw_lockout == 1)) {
 			update_pw_retry ( pb );
 		}
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f9f51df..9e5bc36 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -783,6 +783,8 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
     sasl_ssf_t *ssfp;
     char *activemech = NULL, *mech = NULL;
     char *username, *dn = NULL;
+    const char *normdn = NULL;
+    Slapi_DN *sdn = NULL;
     const char *sdata, *errstr;
     unsigned slen;
     int continuing = 0;
@@ -914,7 +916,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
         propctx = sasl_auxprop_getctx(sasl_conn);
         if (prop_getnames(propctx, dn_propnames, dnval) == 1) {
             if (dnval[0].values && dnval[0].values[0]) {
-                dn = slapi_ch_strdup(dnval[0].values[0]);
+                dn = slapi_ch_smprintf("%s", dnval[0].values[0]);
             }
         }
         if (dn == NULL) {
@@ -924,8 +926,15 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
             break;
         }
 
-        slapi_pblock_set( pb, SLAPI_BIND_TARGET, slapi_ch_strdup( dn ) );
-        /* see if we negotiated a security layer */
+        /* clean up already set TARGET */
+        slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &sdn);
+        slapi_sdn_free(&sdn);
+
+        sdn = slapi_sdn_new_dn_passin(dn);
+        normdn = slapi_sdn_get_dn(sdn);
+
+        slapi_pblock_set( pb, SLAPI_BIND_TARGET_SDN, sdn );
+
         if ((sasl_getprop(sasl_conn, SASL_SSF, 
                           (const void**)&ssfp) == SASL_OK) && (*ssfp > 0)) {
             LDAPDebug(LDAP_DEBUG_TRACE, "sasl ssf=%u\n", (unsigned)*ssfp, 0, 0);
@@ -947,7 +956,9 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
 
         /* set the connection bind credentials */
         PR_snprintf(authtype, sizeof(authtype), "%s%s", SLAPD_AUTH_SASL, mech);
-        bind_credentials_set_nolock(pb->pb_conn, authtype, dn, 
+        /* normdn is consumed by bind_credentials_set_nolock */
+        bind_credentials_set_nolock(pb->pb_conn, authtype, 
+                                    slapi_ch_strdup(normdn), 
                                     NULL, NULL, NULL, bind_target_entry);
 
         PR_Unlock(pb->pb_conn->c_mutex); /* BIG LOCK */
@@ -956,12 +967,12 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
             break;
         }
 
-        isroot = slapi_dn_isroot(dn);
+        isroot = slapi_dn_isroot(normdn);
 
         if (!isroot )
         {
             /* check if the account is locked */
-            bind_target_entry = get_entry(pb,  dn);
+            bind_target_entry = get_entry(pb,  normdn);
             if ( bind_target_entry == NULL )
             {
                 goto out;
@@ -975,7 +986,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
         slapi_pblock_get(pb, SLAPI_REQCONTROLS, &ctrls);
         if (slapi_control_present(ctrls, LDAP_CONTROL_AUTH_REQUEST, 
                                   NULL, NULL)) {
-            slapi_add_auth_response_control(pb, dn);
+            slapi_add_auth_response_control(pb, normdn);
         }
 
         if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index ff4de17..6da7aa0 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -79,9 +79,6 @@ do_search( Slapi_PBlock *pb )
 	int			send_entchg_controls;
 	int			changesonly = 0;
 	int			rc = -1;
-	char		*original_base = 0;
-	char		*new_base = 0;
-	size_t		baselen = 0;
 	int strict = 0;
 
 	LDAPDebug( LDAP_DEBUG_TRACE, "do_search\n", 0, 0, 0 );
@@ -138,24 +135,12 @@ do_search( Slapi_PBlock *pb )
 			return;
 		}
 	}
-	rc = slapi_dn_normalize_ext(rawbase, 0, &base, &baselen);
-	if (rc < 0) {
-		op_shared_log_error_access(pb, "SRCH", 
-							rawbase?rawbase:"", "invalid dn");
-		send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, 
-							 NULL, "invalid dn", 0, NULL);
-		slapi_ch_free((void **) &rawbase);
-		return;
-	} else if (rc > 0) { /* if rc == 0, rawbase is passed in */
-		slapi_ch_free((void **) &rawbase);
-	} else { /* rc == 0; rawbase is passed in; not null terminated */
-		*(base + baselen) = '\0';
-	}
 
 	/* If anonymous access is only allowed for searching the root DSE,
 	 * we need to reject any other anonymous search attempts. */
-	if ((slapi_sdn_get_dn(&(operation->o_sdn)) == NULL) && ((baselen != 0) || (scope != LDAP_SCOPE_BASE))
-	    && (config_get_anon_access_switch() == SLAPD_ANON_ACCESS_ROOTDSE)) {
+	if ((slapi_sdn_get_dn(&(operation->o_sdn)) == NULL) &&
+	    (scope != LDAP_SCOPE_BASE) &&
+	    (config_get_anon_access_switch() == SLAPD_ANON_ACCESS_ROOTDSE)) {
 		op_shared_log_error_access(pb, "SRCH", base?base:"", "anonymous search not allowed");
 
 		send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
@@ -178,7 +163,7 @@ do_search( Slapi_PBlock *pb )
 	&& scope != LDAP_SCOPE_SUBTREE ) {
 		log_search_access (pb, base, scope, "???", "Unknown search scope");
 		send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
-		"Unknown search scope", 0, NULL );
+		                  "Unknown search scope", 0, NULL );
 		goto free_and_return;
 	}
 	/* check and record the scope for snmp */
@@ -370,8 +355,7 @@ do_search( Slapi_PBlock *pb )
 		}
 	}
 
-	slapi_pblock_set( pb, SLAPI_SEARCH_TARGET, base );
-	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET_DN, slapi_ch_strdup(base) );
+	slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET_DN, rawbase );
 	slapi_pblock_set( pb, SLAPI_SEARCH_SCOPE, &scope );
 	slapi_pblock_set( pb, SLAPI_SEARCH_DEREF, &deref );
 	slapi_pblock_set( pb, SLAPI_SEARCH_FILTER, filter );
@@ -383,16 +367,8 @@ do_search( Slapi_PBlock *pb )
 	slapi_pblock_set( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
 	slapi_pblock_set( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
 
-	/* plugins which play with the search may 
-	 * change the search params may allocate
-	 * memory so we need to keep track of
-	 * changed base search strings
-	 */
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &original_base);
-
 	op_shared_search (pb, psearch ? 0 : 1/* send result */);
 
-	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &new_base);
 	slapi_pblock_get (pb, SLAPI_PLUGIN_OPRETURN, &rc);
 	slapi_pblock_get( pb, SLAPI_SEARCH_FILTER, &filter );
 	
@@ -402,10 +378,6 @@ do_search( Slapi_PBlock *pb )
 
 free_and_return:;
 	if ( !psearch || rc < 0 ) {
-		if(original_base != new_base) {
-			slapi_ch_free_string(&new_base);
-		}
-		slapi_ch_free_string(&base);
 		slapi_ch_free_string(&fstr);
 		slapi_filter_free( filter, 1 );
 		charray_free( attrs );	/* passing NULL is fine */
@@ -418,8 +390,8 @@ free_and_return:;
 			operation->o_flags &= ~OP_FLAG_PS;
 		}
 		/* we strdup'd this above - need to free */
-		slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &base);
-		slapi_ch_free_string(&base);
+		slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &rawbase);
+		slapi_ch_free_string(&rawbase);
 	}
 }
 
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 98ba79c..ea60f1f 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -586,9 +586,10 @@ typedef int (*SyntaxEnumFunc)(char **names, Slapi_PluginDesc *plugindesc,
 struct slapi_dn
 {
     unsigned char flag;
-    const char *dn; /* DN [normalized] */
+    const char *udn; /* DN [original] */
+    const char *dn;  /* Normalised DN */
     const char *ndn; /* Case Normalised DN */
-    int ndn_len; /* normalized dn length */
+    int ndn_len;     /* normalized dn length */
 };
 
 /* 
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 862a23b..5d88f22 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -710,12 +710,12 @@ int slapi_pblock_get( Slapi_PBlock *pb, int arg, void *value );
  *          in the value directly. For example:
  * \code
  *     char *target_dn = slapi_ch_strdup(some_dn);
- *     slapi_pblock_set(pb, SLAPI_TARGET_DN, target_dn);
+ *     slapi_pblock_set(pb, SLAPI_TARGET_SDN, target_sdn);
  * \endcode
  *
  * \warning or
  * \code
- *     slapi_pblock_set(pb, SLAPI_TARGET_DN, NULL);
+ *     slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
  * \endcode
  *
  * \warning With some compilers, you will have to cast the value argument to
@@ -801,6 +801,7 @@ void slapi_pblock_destroy( Slapi_PBlock *pb );
  *        \arg #SLAPI_STR2ENTRY_NO_SCHEMA_LOCK
  *        \arg #SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT
  *        \arg #SLAPI_STR2ENTRY_NO_ENTRYDN
+ *        \arg #SLAPI_STR2ENTRY_DN_NORMALIZED
  *
  * \return A pointer to the #Slapi_Entry structure representing the entry.
  * \return \c NULL if the string cannot be converted; for example, if no DN is
@@ -922,6 +923,15 @@ Slapi_Entry *slapi_str2entry_ext( const char *dn, char *s, int flags );
 #define SLAPI_STR2ENTRY_NO_ENTRYDN 1024
 
 /**
+ * Passed DN is already normalized.
+ *
+ * If this flag is set, str2entry assumes passed DN is already normalized.
+ *
+ * \see slapi_str2entry()
+ */
+#define SLAPI_STR2ENTRY_DN_NORMALIZED 2048
+
+/**
  * Generates a description of an entry as an LDIF string.
  *
  * This function behaves much like slapi_entry2str(); however, you can specify
@@ -1119,6 +1129,12 @@ Slapi_Entry *slapi_entry_alloc(void);
  */
 void slapi_entry_init(Slapi_Entry *e, char *dn, Slapi_Attr *a);
 
+/*
+ * Initializes the values of an entry with the Slapi_DN and attribute value 
+ * pairs you supply.
+ */
+void slapi_entry_init_ext(Slapi_Entry *e, Slapi_DN *sdn, Slapi_Attr *a);
+
 /**
  * Frees an entry, its DN, and its attributes from memory.
  *
@@ -1289,6 +1305,23 @@ const char *slapi_entry_get_nrdn_const( const Slapi_Entry *e );
 void slapi_entry_set_dn( Slapi_Entry *e, char *dn );
 
 /**
+ * Sets the normalized distinguished name (DN) of an entry.
+ *
+ * This function sets the DN pointer in the specified entry to the DN that you supply. The DN should have been normalized.
+ *
+ * \param e Entry to which you want to assign the DN.
+ * \param dn Distinguished name you want assigned to the entry.
+ * \warning The dn will be freed eventually when slapi_entry_free() is called.
+ * \warning A copy of dn should be passed. For example:
+ *
+ * \warning The old dn will be freed as a result of this call. Do not pass in
+ *          a \c NULL value.
+ * \see slapi_entry_free()
+ * \see slapi_entry_get_dn()
+ */
+void slapi_entry_set_normdn( Slapi_Entry *e, char *normdn );
+
+/**
  * Sets the relative distinguished name (RDN) of an entry.
  *
  * This function sets the RDN pointer in the specified entry to the RDN that 
@@ -1477,7 +1510,7 @@ int slapi_entry_syntax_check( Slapi_PBlock *pb, Slapi_Entry *e, int override );
  *         is also used to check if the #SLAPI_IS_REPLICATED_OPERATION flag is
  *         set.   If that flag is present, no syntax checking is performed.
  */
-int slapi_dn_syntax_check( Slapi_PBlock *pb, char *dn, int override );
+int slapi_dn_syntax_check( Slapi_PBlock *pb, const char *dn, int override );
 
 /**
  * Determines if any values being added to an entry violate the syntax rules
@@ -2180,14 +2213,14 @@ Slapi_DN *slapi_sdn_new_ndn_byval(const char *ndn);
 Slapi_DN *slapi_sdn_new_dn_byref(const char *dn);
 
 /**
- * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ * Creates a new \c Slapi_DN structure and intializes it's normalized and case ignored DN to a requested value.
  *
- * The normalized DN of the new structure will point to the same string pointed to by \c ndn.
- * The normalized DN value is passed in to the parameter by reference.
+ * The normalized and case ignored DN of the new structure will point to the same string pointed to by \c ndn.
+ * The normalized and case ignored DN value is passed in to the parameter by reference.
  *
- * \param ndn The normalized DN value to be set in the new \c Slapi_DN structure.
+ * \param ndn The normalized and case ignored DN value to be set in the new \c Slapi_DN structure.
  * \return A pointer to the newly allocated \c Slapi_DN structure with
- *         the normalized DN value set to the content of \c ndn.
+ *         the normalized and case ignored DN value set to the content of \c ndn.
  * \warning The caller is still responsible for the memory used by \c ndn.  This
  *          memory should not be freed until the returned \c Slapi_DN has been
  *          disposed of or reinitialized.
@@ -2219,6 +2252,60 @@ Slapi_DN *slapi_sdn_new_ndn_byref(const char *ndn);
 Slapi_DN *slapi_sdn_new_dn_passin(const char *dn);
 
 /**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the same string pointed to by \c normdn.
+ * The normalized DN value is passed in to the parameter by reference.
+ *
+ * \param normdn The normalized DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         the normalized DN value set to the content of \c normdn.
+ * \warning The caller is still responsible for the memory used by \c normdn. 
+ *          This memory should not be freed until the returned \c Slapi_DN 
+ *          has been disposed of or reinitialized.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_byref(const char *normdn);
+
+/**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the same string pointed to by \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param normdn The DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         a DN value set to the content of \c dn.
+ * \warning The caller is no longer responsible for the memory used by \c dn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_passin(const char *dn);
+
+/**
+ * Creates a new \c Slapi_DN structure and intializes it's normalized DN to a requested value.
+ *
+ * The DN of the new structure will point to the duplicated string of \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param normdn The copy of the DN value to be set in the new \c Slapi_DN structure.
+ * \return A pointer to the newly allocated \c Slapi_DN structure with
+ *         a DN value set to the content of \c dn.
+ * \warning The caller is no longer responsible for the memory used by \c dn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_free()
+ * \see slapi_sdn_copy()
+ * \see slapi_sdn_done()
+ */
+Slapi_DN *slapi_sdn_new_normdn_byval(const char *dn);
+
+/**
  * Sets a DN value in a \c Slapi_DN structure.
  *
  * The DN of the structure will point to a copy of the string pointed to by
@@ -2271,6 +2358,56 @@ Slapi_DN *slapi_sdn_set_dn_passin(Slapi_DN *sdn, const char *dn);
 /**
  * Sets a normalized DN value in a \c Slapi_DN structure.
  *
+ * The DN of the structure will point to the same string pointed to by \c normdn.
+ * The normalized DN value is passed in to the parameter by reference.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is still responsible for the memory used by \c normdn.  
+ *          This memory should not be freed until the returned \c Slapi_DN 
+ *          has been disposed of or reinitialized.
+ * \see slapi_sdn_set_dn_byref()
+ */
+Slapi_DN *slapi_sdn_set_normdn_byref(Slapi_DN *sdn, const char *normdn);
+
+/**
+ * Sets a normalized DN value in a \c Slapi_DN structure.
+ *
+ * The DN of the structure will point to the same string pointed to by \c normdn.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is no longer responsible for the memory used by \c normdn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_set_dn_passin()
+ */
+Slapi_DN *slapi_sdn_set_normdn_passin(Slapi_DN *sdn, const char *dn);
+
+/**
+ * Sets a normalized DN value in a \c Slapi_DN structure.
+ *
+ * The normalized DN of the structure will point to a copy of the string
+ * pointed to by \c dn.  The normalized DN value is passed in to the parameter
+ * by value.
+ * Ownership of the memory pointed to by \c normdn is tranferred to the Slapi_DN.
+ *
+ * \param sdn The target \c Slapi_DN structure.
+ * \param normdn The normalized DN value to be set in \c sdn.
+ * \return A pointer to the \c Slapi_DN structure containing the new DN value.
+ * \warning The caller is no longer responsible for the memory used by \c normdn.
+ *          This memory should not be freed directly.  It will be freed when
+ *          the \c Slapi_DN is properly disposed of.
+ * \see slapi_sdn_set_dn_passin()
+ */
+Slapi_DN *slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *dn);
+
+/**
+ * Sets a normalized and case ignored DN value in a \c Slapi_DN structure.
+ *
  * The normalized DN of the structure will point to a copy of the string
  * pointed to by \c ndn.  The normalized DN value is passed in to the parameter
  * by value.
@@ -2324,33 +2461,52 @@ void slapi_sdn_done(Slapi_DN *sdn);
 void slapi_sdn_free(Slapi_DN **sdn);
 
 /**
- * Retrieves the DN value of a \c Slapi_DN structure.
+ * Retrieves the normalized DN value of a \c Slapi_DN structure.
+ *
+ * If the structure does not contain a normalized DN yet, it will normalize
+ * the un-normalized DN and set it in the structure.
  *
  * \param sdn The \c Slapi_DN strucure containing the DN value.
  * \return A pointer to the DN value if one is set.
- * \return A pointer to the normalized DN value if one is set and no
+ * \return A pointer to the normalized and case ignored DN value if one is set and no
  *         DN value is set.
- * \return \c NULL if no DN or normalized DN value is set.
+ * \return \c NULL if no normalized DN or normalized and case ignored DN value is set.
  * \warning The pointer returned is the actual value from the structure, not a copy.
  * \see slapi_sdn_get_ndn()
+ * \see slapi_sdn_get_udn()
  */
 const char * slapi_sdn_get_dn(const Slapi_DN *sdn);
 
 /**
- * Retrieves the normalized DN value of a \c Slapi_DN structure.
+ * Retrieves the normalized and case ignored DN value of a \c Slapi_DN structure.
  *
- * If the structure does not contain a normalized DN yet, it will normalize
- * the DN and set it in the structure.
+ * If the structure does not contain a normalized and case ignored DN yet, 
+ * it will normalize and case ignore the DN and set it in the structure.
  *
- * \param sdn The \c Slapi_DN strucure containing the normalized DN value.
+ * \param sdn The \c Slapi_DN strucure containing the normalized and case ignored DN value.
  * \return The normalized DN value.
  * \return \c NULL if no DN or normalized DN value is set.
  * \warning The pointer returned is the actual value from the structure, not a copy.
  * \see slapi_sdn_get_dn()
+ * \see slapi_sdn_get_udn()
  */
 const char * slapi_sdn_get_ndn(const Slapi_DN *sdn);
 
 /**
+ * Retrieves the un-normalized DN value of a \c Slapi_DN structure.
+ *
+ * \param sdn The \c Slapi_DN strucure containing the DN value.
+ * \return A pointer to the DN value if one is set.
+ * \return A pointer to the normalized DN value if one is set and no
+ *         DN value is set.
+ * \return \c NULL if no DN or normalized DN value is set.
+ * \warning The pointer returned is the actual value from the structure, not a copy.
+ * \see slapi_sdn_get_dn()
+ * \see slapi_sdn_get_ndn()
+ */
+const char * slapi_sdn_get_udn(const Slapi_DN *sdn);
+
+/**
  * Fills in an existing \c Slapi_DN structure with the parent DN of the passed in \c Slapi_DN.
  *
  * \param sdn Pointer to the \c Slapi_DN structure containing the DN whose parent is desired.
@@ -2554,7 +2710,7 @@ Slapi_DN *slapi_sdn_set_parent(Slapi_DN *sdn, const Slapi_DN *parentdn);
  *        in \c newrdn in front of the content of this parameter.
  * \return The new DN for the entry whose previous DN was \c dn_olddn.
  */
-char * slapi_moddn_get_newdn(Slapi_DN *dn_olddn, char *newrdn, char *newsuperiordn);
+char * slapi_moddn_get_newdn(Slapi_DN *dn_olddn, const char *newrdn, const char *newsuperiordn);
 Slapi_DN *slapi_sdn_add_rdn(Slapi_DN *sdn, const Slapi_RDN *rdn);
 
 
@@ -3166,6 +3322,16 @@ char *slapi_create_dn_string(const char *fmt, ...);
 char *slapi_create_dn_string_case(const char *fmt, ...);
 
 /**
+ * Generates a valid value of RDN string
+ *
+ * \param fmt The format used to generate a value of RDN string.
+ * \param ... The arguments to generate an RDN string.
+ * \return A pointer to the generated RDN value.
+ * \return NULL if failed.
+ */
+char *slapi_create_rdn_value(const char *fmt, ...);
+
+/**
  * Converts a DN to lowercase.
  *
  * \param dn The DN to convert.
@@ -5100,10 +5266,25 @@ int slapi_add_internal_set_pb(Slapi_PBlock *pb, const char *dn,
 void slapi_modify_internal_set_pb(Slapi_PBlock *pb, const char *dn,
 	LDAPMod **mods, LDAPControl **controls, const char *uniqueid,
 	Slapi_ComponentId *plugin_identity, int operation_flags);
-void slapi_rename_internal_set_pb(Slapi_PBlock *pb, const char *olddn,
-	const char *newrdn, const char *newsuperior, int deloldrdn,
+/**
+ * Set \c Slapi_PBlock to perform modrdn/rename internally
+ *
+ * \param pblock - Slapi_PBlock to be set
+ * \param olddn - original dn to be renamed; it should have been normalized
+ * \param newrdn - new leaf rdn if any; it should have been normalized
+ * \param newsuperior - new parent dn if any; it should have been normalized
+ * \param deloldrdn \c 0 - keep original rdn \c non-zero - delete original rdn
+ * \param controls
+ * \param uniqueid
+ * \param plugin_identity
+ * \param operation_flags
+ */
+void slapi_rename_internal_set_pb_ext(Slapi_PBlock *pb,
+	const Slapi_DN *olddn, const char *newrdn,
+	const Slapi_DN *newsuperior, int deloldrdn,
 	LDAPControl **controls, const char *uniqueid,
 	Slapi_ComponentId *plugin_identity, int operation_flags);
+
 void slapi_delete_internal_set_pb(Slapi_PBlock *pb, const char *dn,
 	LDAPControl **controls, const char *uniqueid,
 	Slapi_ComponentId *plugin_identity, int operation_flags);
@@ -5810,6 +5991,7 @@ time_t slapi_current_time( void );
 /* operation */
 #define SLAPI_OPINITIATED_TIME			140
 #define SLAPI_REQUESTOR_DN			141
+#define SLAPI_REQUESTOR_NDN			156
 #define SLAPI_OPERATION_PARAMETERS		138
 #define SLAPI_OPERATION_TYPE			590
 #define SLAPI_OPERATION_AUTHTYPE		741
@@ -6083,7 +6265,8 @@ typedef struct slapi_plugindesc {
 /* arguments that are common to all operation */
 #define SLAPI_TARGET_ADDRESS			48	/* target address (dn + uniqueid) should be normalized */
 #define SLAPI_TARGET_UNIQUEID			49	/* target uniqueid of the operation */
-#define SLAPI_TARGET_DN				50	/* target dn of the operation should be normalized */
+#define SLAPI_TARGET_SDN			50	/* target sdn of the operation */
+
 #define SLAPI_REQCONTROLS			51	/* request controls */
 
 /* Copies of entry before and after add, mod, mod[r]dn operations */
@@ -6121,7 +6304,7 @@ typedef struct slapi_plugindesc {
 #define SLAPI_DESTROY_CONTENT       		59
 
 /* add arguments */
-#define SLAPI_ADD_TARGET			SLAPI_TARGET_DN
+#define SLAPI_ADD_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_ADD_ENTRY				60
 #define SLAPI_ADD_EXISTING_DN_ENTRY		61
 #define SLAPI_ADD_PARENT_ENTRY      		62
@@ -6129,7 +6312,7 @@ typedef struct slapi_plugindesc {
 #define SLAPI_ADD_EXISTING_UNIQUEID_ENTRY	64
 
 /* bind arguments */
-#define SLAPI_BIND_TARGET			SLAPI_TARGET_DN
+#define SLAPI_BIND_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_BIND_METHOD			70
 #define SLAPI_BIND_CREDENTIALS			71	/* v3 only */
 #define SLAPI_BIND_SASLMECHANISM		72	/* v3 only */
@@ -6137,24 +6320,24 @@ typedef struct slapi_plugindesc {
 #define SLAPI_BIND_RET_SASLCREDS		73	/* v3 only */
 
 /* compare arguments */
-#define SLAPI_COMPARE_TARGET			SLAPI_TARGET_DN
+#define SLAPI_COMPARE_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_COMPARE_TYPE			80
 #define SLAPI_COMPARE_VALUE			81
 
 /* delete arguments */
-#define SLAPI_DELETE_TARGET			SLAPI_TARGET_DN
+#define SLAPI_DELETE_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_DELETE_EXISTING_ENTRY		SLAPI_ADD_EXISTING_DN_ENTRY
 #define SLAPI_DELETE_GLUE_PARENT_ENTRY	SLAPI_ADD_PARENT_ENTRY
 #define SLAPI_DELETE_BEPREOP_ENTRY			SLAPI_ENTRY_PRE_OP
 #define SLAPI_DELETE_BEPOSTOP_ENTRY			SLAPI_ENTRY_POST_OP
 
 /* modify arguments */
-#define SLAPI_MODIFY_TARGET			SLAPI_TARGET_DN
+#define SLAPI_MODIFY_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_MODIFY_MODS			90
 #define SLAPI_MODIFY_EXISTING_ENTRY		SLAPI_ADD_EXISTING_DN_ENTRY
 
 /* modrdn arguments */
-#define SLAPI_MODRDN_TARGET			SLAPI_TARGET_DN
+#define SLAPI_MODRDN_TARGET_SDN		SLAPI_TARGET_SDN
 #define SLAPI_MODRDN_NEWRDN			100
 #define SLAPI_MODRDN_DELOLDRDN			101
 #define SLAPI_MODRDN_NEWSUPERIOR        	102	/* v3 only */
@@ -6172,7 +6355,7 @@ typedef struct slapi_plugindesc {
 #define SLAPI_ORIGINAL_TARGET			SLAPI_ORIGINAL_TARGET_DN
 
 /* search arguments */
-#define SLAPI_SEARCH_TARGET         SLAPI_TARGET_DN
+#define SLAPI_SEARCH_TARGET_SDN     SLAPI_TARGET_SDN
 #define SLAPI_SEARCH_SCOPE          110
 #define SLAPI_SEARCH_DEREF          111
 #define SLAPI_SEARCH_SIZELIMIT      112
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 6f1e2ca..a5f6d8e 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -376,7 +376,9 @@ Slapi_DN *slapi_sdn_init_dn_byval(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_dn_passin(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_ndn_byref(Slapi_DN *sdn,const char *dn);
 Slapi_DN *slapi_sdn_init_ndn_byval(Slapi_DN *sdn,const char *dn);
-Slapi_DN *slapi_sdn_init_dn_ndn_byref(Slapi_DN *sdn,const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_byref(Slapi_DN *sdn, const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_ndn_passin(Slapi_DN *sdn, const char *dn);
+Slapi_DN *slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn);
 char *slapi_dn_normalize_original( char *dn );
 char *slapi_dn_normalize_case_original( char *dn );
 
@@ -520,10 +522,10 @@ int test_presence_filter( Slapi_PBlock *pb, Slapi_Entry *e, char *type,
 /* this structure allows to address entry by dn or uniqueid */
 typedef struct entry_address
 {
-	char *dn;
 	char *udn; /* unnormalized dn */	
 	char *uniqueid;	
-}entry_address;
+	Slapi_DN *sdn;
+} entry_address;
 
 /*
  * LDAP Operation input parameters.
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index 999d004..e3db267 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -106,6 +106,8 @@ static const char *fetch_attr(Slapi_Entry *e, const char *attrname,
 static Slapi_Entry *get_internal_entry(Slapi_PBlock *pb, char *dn);
 static void modify_internal_entry(char *dn, LDAPMod **mods);
 
+static int task_charray_normdn_add(char ***chararray, char *dn, char *type);
+
 /***********************************
  * Public Functions
  ***********************************/ 
@@ -779,13 +781,25 @@ static int task_import_add(Slapi_PBlock *pb, Slapi_Entry *e,
     if (slapi_entry_attr_find(e, "nsIncludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&include, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = task_charray_normdn_add(&include,
+                                         (char *)slapi_value_get_string(val),
+                                         "nsIncludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                return SLAPI_DSE_CALLBACK_ERROR;
+            }
         }
     }
     if (slapi_entry_attr_find(e, "nsExcludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&exclude, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = task_charray_normdn_add(&exclude, 
+                                         (char *)slapi_value_get_string(val),
+                                         "nsExcludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                return SLAPI_DSE_CALLBACK_ERROR;
+            }
         }
     }
 
@@ -1090,13 +1104,25 @@ static int task_export_add(Slapi_PBlock *pb, Slapi_Entry *e,
     if (slapi_entry_attr_find(e, "nsIncludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&include, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = task_charray_normdn_add(&include, 
+                                         (char *)slapi_value_get_string(val),
+                                         "nsIncludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                goto out;
+            }
         }
     }
     if (slapi_entry_attr_find(e, "nsExcludeSuffix", &attr) == 0) {
         for (idx = slapi_attr_first_value(attr, &val);
              idx >= 0; idx = slapi_attr_next_value(attr, idx, &val)) {
-            charray_add(&exclude, slapi_ch_strdup(slapi_value_get_string(val)));
+            rv = task_charray_normdn_add(&exclude, 
+                                         (char *)slapi_value_get_string(val),
+                                         "nsExcludeSuffix");
+            if (0 != rv) {
+                *returncode = LDAP_PARAM_ERROR;
+                goto out;
+            }
         }
     }
 
@@ -1916,3 +1942,23 @@ void task_shutdown(void)
     }
     PR_Unlock(global_task_lock);
 }
+
+static int
+task_charray_normdn_add(char ***chararray, char *dn, char *type)
+{
+    int rc = 0;
+    size_t len = 0;
+    char *normdn = NULL;
+    rc = slapi_dn_normalize_ext(dn, 0, &normdn, &len);
+    if (rc < 0) {
+        LDAPDebug(LDAP_DEBUG_ANY, "Invalid dn: %s: %s\n", type, dn, 0);
+        return rc;
+    } else if (0 == rc) {
+        /* rc == 0; optarg_extawdn is passed in; 
+         * not null terminated */
+        *(dn + len) = '\0';
+        normdn = slapi_ch_strdup(dn);
+    }
+    charray_add(chararray, slapi_dn_ignore_case(normdn));
+    return rc;
+}
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index 23d0a04..4d58d88 100644
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -1764,10 +1764,7 @@ error:
   }
 
 done:
-  /*
-   * Normal end
-   */
-  return (0);
+  return rc;
 }
 
 
diff --git a/lib/libaccess/lasdns.cpp b/lib/libaccess/lasdns.cpp
index a81f680..6956878 100644
--- a/lib/libaccess/lasdns.cpp
+++ b/lib/libaccess/lasdns.cpp
@@ -151,6 +151,7 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
 #else
     PRHostEnt *he, host;
 #endif
+    char *end_attr_pattern;
 
     if (attr_pattern == NULL) {
 	nserrGenerate(errp, ACLERRINVAL, ACLERR4770, ACL_Program, 1, 
@@ -172,6 +173,7 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
         return LAS_EVAL_INVALID;
     }
 
+    end_attr_pattern = attr_pattern + strlen(attr_pattern);
     do {
 		size_t maxsize = sizeof(token);
 	/*  Get a single hostname from the pattern string	*/
@@ -183,8 +185,10 @@ LASDnsBuild(NSErr_t *errp, char *attr_pattern, LASDnsContext_t *context, int ali
         token[delimiter] = '\0';
 
         /*  Skip any white space after the token 		*/
-        attr_pattern     += delimiter;
-        attr_pattern    += strspn(attr_pattern, ", \t");
+        attr_pattern += delimiter;
+        if (attr_pattern < end_attr_pattern) {
+            attr_pattern += strspn(attr_pattern, ", \t");
+        }
 
         /*  If there's a wildcard, strip it off but leave the "."
 	 *  Can't have aliases for a wildcard pattern.
-- 
1.7.6.4

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel

[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux