389ds · minfrin · Dec 30, 2023 · Jan 23, 2024
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
@@ -46,6 +46,8 @@ attributeTypes: ( 1.3.6.1.4.1.250.1.2 NAME 'multiLineDescription' DESC 'Pilot at
 attributeTypes: ( 2.16.840.1.113730.3.1.578 NAME 'nsDS5ReplicaHost' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.579 NAME 'nsDS5ReplicaPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.580 NAME 'nsDS5ReplicaTransportInfo' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.595 NAME 'nsDS5ReplicaTransportUri' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.596 NAME 'nsDS5ReplicaTransportCAUri' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.581 NAME 'nsDS5ReplicaBindDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.582 NAME 'nsDS5ReplicaCredentials' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.583 NAME 'nsDS5ReplicaBindMethod' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
@@ -325,6 +327,8 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2371 NAME 'nsDS5ReplicaBootstrapBindDN'
 attributeTypes: ( 2.16.840.1.113730.3.1.2372 NAME 'nsDS5ReplicaBootstrapCredentials' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2373 NAME 'nsDS5ReplicaBootstrapBindMethod' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2374 NAME 'nsDS5ReplicaBootstrapTransportInfo' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsDS5ReplicaBootstrapTransportUri' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2399 NAME 'nsDS5ReplicaBootstrapTransportCAUri' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2387 NAME 'nsslapd-tcp-fin-timeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2388 NAME 'nsslapd-tcp-keepalive-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2390 NAME 'nsds5ReplicaKeepAliveUpdateInterval' DESC '389 defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
@@ -342,7 +346,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape d
 objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Replication configuration objectclass' SUP top  MUST ( nsDS5ReplicaRoot $  nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsDS5ReplicaBindDNGroup $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout $ nsDS5ReplicaBindDnGroupCheckInterval $ nsds5ReplicaKeepAliveUpdateInterval ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange $ nsDS5ReplicaBootstrapBindDN $ nsDS5ReplicaBootstrapCredentials $ nsDS5ReplicaBootstrapBindMethod $ nsDS5ReplicaBootstrapTransportInfo ) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaTransportUri $ nsDS5ReplicaTransportCAUri $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange $ nsDS5ReplicaBootstrapBindDN $ nsDS5ReplicaBootstrapCredentials $ nsDS5ReplicaBootstrapBindMethod $ nsDS5ReplicaBootstrapTransportInfo $ nsDS5ReplicaBootstrapTransportUri $ nsDS5ReplicaBootstrapTransportCAUri ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )

diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
@@ -140,7 +140,9 @@
 /* Attribute names for replication agreement attributes */
 extern const char *type_nsds5ReplicaHost;
 extern const char *type_nsds5ReplicaPort;
-extern const char *type_nsds5TransportInfo;
+extern const char *type_nsds5ReplicaTransportInfo;
+extern const char *type_nsds5ReplicaTransportUri;
+extern const char *type_nsds5ReplicaTransportCAUri;
 extern const char *type_nsds5ReplicaBindDN;
 extern const char *type_nsds5ReplicaBindDNGroup;
 extern const char *type_nsds5ReplicaBindDNGroupCheckInterval;
@@ -168,6 +170,8 @@ extern const char *type_nsds5ReplicaBootstrapBindDN;
 extern const char *type_nsds5ReplicaBootstrapCredentials;
 extern const char *type_nsds5ReplicaBootstrapBindMethod;
 extern const char *type_nsds5ReplicaBootstrapTransportInfo;
+extern const char *type_nsds5ReplicaBootstrapTransportUri;
+extern const char *type_nsds5ReplicaBootstrapTransportCAUri;
 extern const char *type_replicaKeepAliveUpdateInterval;
 
 /* Attribute names for windows replication agreements */
@@ -399,6 +403,10 @@ char *agmt_get_hostname(const Repl_Agmt *ra);
 int agmt_get_port(const Repl_Agmt *ra);
 uint32_t agmt_get_transport_flags(const Repl_Agmt *ra);
 uint32_t agmt_get_bootstrap_transport_flags(const Repl_Agmt *ra);
+char **agmt_get_transport_uri(const Repl_Agmt *ra);
+char **agmt_get_bootstrap_transport_uri(const Repl_Agmt *ra);
+char **agmt_get_transport_ca_uri(const Repl_Agmt *ra);
+char **agmt_get_bootstrap_transport_ca_uri(const Repl_Agmt *ra);
 char *agmt_get_binddn(const Repl_Agmt *ra);
 char *agmt_get_bootstrap_binddn(const Repl_Agmt *ra);
 struct berval *agmt_get_credentials(const Repl_Agmt *ra);
@@ -426,6 +434,8 @@ int agmt_set_binddn_from_entry(Repl_Agmt *ra, const Slapi_Entry *e);
 int32_t agmt_set_bootstrap_binddn_from_entry(Repl_Agmt *ra, const Slapi_Entry *e);
 int agmt_set_bind_method_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap);
 int agmt_set_transportinfo_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap);
+int agmt_set_transporturi_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap);
+int agmt_set_transportcauri_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap);
 int agmt_set_port_from_entry(Repl_Agmt *ra, const Slapi_Entry *e);
 int agmt_set_host_from_entry(Repl_Agmt *ra, const Slapi_Entry *e);
 const char *agmt_get_long_name(const Repl_Agmt *ra);

diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -141,7 +141,10 @@ typedef struct repl5agmt
     struct berval *bootstrapCreds;     /* Bootstrap credentials */
     int64_t bootstrapBindmethod;       /* Bootstrap Bind Method: simple, TLS, client auth, etc */
     uint32_t bootstrapTransportFlags;  /* Bootstrap Transport Info: LDAPS, StartTLS, etc. */
-
+    char **transportUris;              /* Transport URIs: client certificates and keys */
+    char **bootstrapTransportUris;     /* Bootstap Transport URIs: client certificates and keys */
+    char **transportCAUris;            /* Transport CA URIs: client CA certificates */
+    char **bootstrapTransportCAUris;   /* Bootstap Transport CA URIs: client CA certificates */
 } repl5agmt;
 
 /* Forward declarations */
@@ -165,6 +168,8 @@ nsds5ReplicaTransportInfo - "LDAPS", "StartTLS", or may be absent ("SSL" and "TL
 nsds5ReplicaBindDN
 nsds5ReplicaCredentials
 nsds5ReplicaBindMethod - "SIMPLE" or "SSLCLIENTAUTH".
+nsds5ReplicaTransportUri - URIs of certificates and keys for TLS client authentication
+nsds5ReplicaTransportCAUri - URIs of CA certificates for TLS client authentication
 nsds5ReplicaRoot - Replicated suffix
 nsds5ReplicatedAttributeList - Fractional attrs for incremental update protocol (and total if not separately defined)
 nsds5ReplicatedAttributeListTotal - Fractional attrs for total update protocol
@@ -221,7 +226,19 @@ agmt_is_valid(Repl_Agmt *ra)
         slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" "
                                                        " is malformed: cannot use SSLCLIENTAUTH if using plain LDAP - please "
                                                        "change %s to LDAPS or StartTLS before changing %s to use SSLCLIENTAUTH\n",
-                      slapi_sdn_get_dn(ra->dn), type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
+                      slapi_sdn_get_dn(ra->dn), type_nsds5ReplicaTransportInfo, type_nsds5ReplicaBindMethod);
+        return_value = 0;
+    }
+    if ((BINDMETHOD_SSL_CLIENTAUTH != ra->bindmethod) && (NULL != ra->transportUris)) {
+        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" "
+                                                       " is malformed: cannot use %s if %s is not set to SSLCLIENTAUTH\n",
+                      slapi_sdn_get_dn(ra->dn), type_nsds5ReplicaTransportUri, type_nsds5ReplicaTransportInfo);
+        return_value = 0;
+    }
+    if ((BINDMETHOD_SSL_CLIENTAUTH != ra->bindmethod) && (NULL != ra->transportCAUris)) {
+        slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" "
+                                                       " is malformed: cannot use %s if %s is not set to SSLCLIENTAUTH\n",
+                      slapi_sdn_get_dn(ra->dn), type_nsds5ReplicaTransportCAUri, type_nsds5ReplicaTransportInfo);
         return_value = 0;
     }
     /*
@@ -310,6 +327,8 @@ agmt_new_from_entry(Slapi_Entry *e)
     /* LDAPS, StartTLS, or other transport stuff */
     ra->transport_flags = 0;
     (void)agmt_set_transportinfo_no_lock(ra, e);
+    (void)agmt_set_transporturi_from_entry(ra, e, 0);
+    (void)agmt_set_transportcauri_from_entry(ra, e, 0);
     (void)agmt_set_WaitForAsyncResults(ra, e);
 
     /* DN to use when binding. May be empty if certain SASL auth is to be used e.g. EXTERNAL GSSAPI. */
@@ -346,6 +365,8 @@ agmt_new_from_entry(Slapi_Entry *e)
     }
     ra->bootstrapTransportFlags = 0;
     (void)agmt_set_bootstrap_transportinfo_no_lock(ra, e);
+    (void)agmt_set_transporturi_from_entry(ra, e, 1);
+    (void)agmt_set_transportcauri_from_entry(ra, e, 1);
     (void)agmt_set_bootstrap_bind_method_no_lock(ra, e);
 
     /* timeout. */
@@ -618,7 +639,6 @@ agmt_new_from_pblock(Slapi_PBlock *pb)
     return agmt_new_from_entry(e);
 }
 
-
 /*
  This should never be called directly - only should be called
  as a destructor.  XXXggood this is not finished
@@ -665,6 +685,11 @@ agmt_delete(void **rap)
     slapi_ch_array_free(ra->frac_attrs_total);
     ra->frac_attr_total_defined = PR_FALSE;
 
+    slapi_ch_array_free(ra->transportUris);
+    slapi_ch_array_free(ra->transportCAUris);
+    slapi_ch_array_free(ra->bootstrapTransportUris);
+    slapi_ch_array_free(ra->bootstrapTransportCAUris);
+
     if (NULL != ra->creds) {
         ber_bvfree(ra->creds);
     }
@@ -1078,6 +1103,56 @@ agmt_get_bootstrap_bindmethod(const Repl_Agmt *ra)
     return return_value;
 }
 
+/* Returns a COPY of the uri list, remember to free it */
+char **
+agmt_get_transport_uri(const Repl_Agmt *ra)
+{
+    char **return_value;
+    PR_ASSERT(NULL != ra);
+    PR_Lock(ra->lock);
+    return_value = charray_dup(ra->transportUris);
+    PR_Unlock(ra->lock);
+    return return_value;
+}
+
+/* Returns a COPY of the uri list, remember to free it */
+char **
+agmt_get_bootstrap_transport_uri(const Repl_Agmt *ra)
+{
+    char **return_value;
+
+    PR_Lock(ra->lock);
+    return_value = charray_dup(ra->bootstrapTransportUris);
+    PR_Unlock(ra->lock);
+
+    return return_value;
+}
+
+/* Returns a COPY of the uri list, remember to free it */
+char **
+agmt_get_transport_ca_uri(const Repl_Agmt *ra)
+{
+    char **return_value;
+    PR_ASSERT(NULL != ra);
+    PR_Lock(ra->lock);
+    return_value = charray_dup(ra->transportCAUris);
+    PR_Unlock(ra->lock);
+    return return_value;
+}
+
+/* Returns a COPY of the uri list, remember to free it */
+char **
+agmt_get_bootstrap_transport_ca_uri(const Repl_Agmt *ra)
+{
+    char **return_value;
+
+    PR_Lock(ra->lock);
+    return_value = charray_dup(ra->bootstrapTransportCAUris);
+    PR_Unlock(ra->lock);
+
+    return return_value;
+}
+
 /*
  * Return a copy of the dn at the top of the replicated area.
  */
@@ -1913,7 +1988,7 @@ agmt_set_transportinfo_no_lock(Repl_Agmt *ra, const Slapi_Entry *e)
     const char *tmpstr;
     int rc = 0;
 
-    tmpstr = slapi_entry_attr_get_ref((Slapi_Entry *)e, type_nsds5TransportInfo);
+    tmpstr = slapi_entry_attr_get_ref((Slapi_Entry *)e, type_nsds5ReplicaTransportInfo);
     if (!tmpstr || !strcasecmp(tmpstr, "LDAP")) {
         ra->transport_flags = 0;
     } else if (strcasecmp(tmpstr, "SSL") == 0 || strcasecmp(tmpstr, "LDAPS") == 0) {
@@ -1990,6 +2065,106 @@ agmt_set_transportinfo_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bo
 }
 
 
+int
+agmt_set_transporturi_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap)
+{
+    int return_value = 0;
+
+    Slapi_Attr *attr;
+    Slapi_Value *sval = NULL;
+
+    char **uris = NULL;
+
+    PR_ASSERT(NULL != ra);
+    PR_Lock(ra->lock);
+    if (ra->stop_in_progress) {
+        PR_Unlock(ra->lock);
+        return return_value;
+    }
+
+    if (0 == slapi_entry_attr_find(e,
+            bootstrap ? type_nsds5ReplicaBootstrapTransportUri : type_nsds5ReplicaTransportUri, &attr)) {
+
+        int i;
+        int uri_count = 0;
+
+        /* Get a count and allocate an array for the official matching rules */
+        slapi_attr_get_numvalues(attr, &uri_count);
+        uris = (char **)slapi_ch_malloc((uri_count + 1) * sizeof(char *));
+
+        for (i = slapi_attr_first_value(attr, &sval);
+             i >= 0; i = slapi_attr_next_value(attr, i, &sval)) {
+            uris[i] = slapi_ch_strdup(slapi_value_get_string(sval));
+        }
+
+	uris[uri_count] = NULL;
+    }
+
+    if (bootstrap) {
+        slapi_ch_array_free(ra->bootstrapTransportUris);
+        ra->bootstrapTransportUris = uris;
+    } else {
+        slapi_ch_array_free(ra->transportUris);
+        ra->transportUris = uris;
+    }
+
+    PR_Unlock(ra->lock);
+    prot_notify_agmt_changed(ra->protocol, ra->long_name);
+
+    return return_value;
+}
+
+
+int
+agmt_set_transportcauri_from_entry(Repl_Agmt *ra, const Slapi_Entry *e, PRBool bootstrap)
+{
+    int return_value = 0;
+
+    Slapi_Attr *attr;
+    Slapi_Value *sval = NULL;
+
+    char **uris = NULL;
+
+    PR_ASSERT(NULL != ra);
+    PR_Lock(ra->lock);
+    if (ra->stop_in_progress) {
+        PR_Unlock(ra->lock);
+        return return_value;
+    }
+
+    if (0 == slapi_entry_attr_find(e,
+            bootstrap ? type_nsds5ReplicaBootstrapTransportCAUri : type_nsds5ReplicaTransportCAUri, &attr)) {
+
+        int i;
+        int uri_count = 0;
+
+        /* Get a count and allocate an array for the official matching rules */
+        slapi_attr_get_numvalues(attr, &uri_count);
+        uris = (char **)slapi_ch_malloc((uri_count + 1) * sizeof(char *));
+
+        for (i = slapi_attr_first_value(attr, &sval);
+             i >= 0; i = slapi_attr_next_value(attr, i, &sval)) {
+            uris[i] = slapi_ch_strdup(slapi_value_get_string(sval));
+        }
+
+        uris[uri_count] = NULL;
+    }
+
+    if (bootstrap) {
+        slapi_ch_array_free(ra->bootstrapTransportCAUris);
+        ra->bootstrapTransportCAUris = uris;
+    } else {
+        slapi_ch_array_free(ra->transportCAUris);
+        ra->transportCAUris = uris;
+    }
+
+    PR_Unlock(ra->lock);
+    prot_notify_agmt_changed(ra->protocol, ra->long_name);
+
+    return return_value;
+}
+
+
 /*
  * Set or reset the replication schedule.  Notify the protocol handler
  * that a change has been made.