diff --git a/ACL b/ACL
new file mode 100644
index 0000000..064b9d2
--- /dev/null
+++ b/ACL
@@ -0,0 +1,26 @@
+ACLs are:
+
+  acl subject object attributes access;
+
+subject and object are LDAP search filter expressions.
+attributes is a comma separates list of attributes.
+access says what accesses are allowed or disallowed in a chmod-like
+syntax.
+
+As an abbreviation, you can use '*' to mean '(objectClass=*)' for
+subject or object, and you can use '*' to mean 'all attributes' in
+attributes.
+
+Example:
+
+  acl (dn=cn=root,o=fefe,c=de) (objectClass=*) * +rwdR
+
+
+
+ACLs can have some redundancy in them, so we want to find filter strings
+in ACLs that are the same, and then only evaluate them once.  So we need
+to write the ACLs to disk like this:
+
+  uint32 filters;
+  uint32 offsets_to_filters_in_scan_ldapsearchfilter_format[filters];
+  
diff --git a/Makefile b/Makefile
index 39eff70..fa0715e 100644
--- a/Makefile
+++ b/Makefile
@@ -102,7 +102,8 @@ scan_ldapbindresponse.o: scan_ldapbindresponse.c asn1.h ldap.h
 scan_ldapmessage.o: scan_ldapmessage.c asn1.h ldap.h
 scan_ldapsearchfilter.o: scan_ldapsearchfilter.c asn1.h ldap.h
 scan_ldapsearchrequest.o: scan_ldapsearchrequest.c asn1.h ldap.h
-scan_ldapstring.o: scan_ldapstring.c
+scan_ldapstring.o: scan_ldapstring.c asn1.h ldap.h
+scan_ldapresult.o: scan_ldapresult.c asn1.h ldap.h
 
 ldif_parse.o: ldif_parse.c strduptab.h strstorage.h ldif.h
 
diff --git a/acl.c b/acl.c
index a7885b9..8e954e5 100644
--- a/acl.c
+++ b/acl.c
@@ -25,6 +25,7 @@
 #include <byte.h>
 #include <mmap.h>
 #include <case.h>
+#include <ldap.h>
 
 const char Any[]="*";
 const char Self[]="self";
@@ -39,9 +40,8 @@ enum {
 };
 
 struct assertion {
-  const char* attr;
-  uint32 where;
-  const char* what;
+  char* filterstring;
+  struct Filter* f;
   struct assertion* sameas;
 };
 
@@ -83,47 +83,44 @@ int skipws(buffer* in) {
 }
 
 int parseacldn(buffer* in,struct assertion* a) {
-  int r;
+  int r,l;
   /* possible forms:
 	*	-> "dn", Any
         dn:*foo -> "dn", "*foo" */
+  byte_zero(a,sizeof(*a));
   a->sameas=0;
   if ((r=skipws(in))!=1) return r;
   stralloc_zero(&x);
-  do {
-    r=buffer_get_token_sa(in,&x," \t",2);
-    if (r!=1) return r;
-    if (x.len>0 && x.s[x.len-1]=='\\') {
-      x.s[--x.len]=' ';
-      continue;
+  l=0;
+  for (;;) {
+    char tmp;
+    r=buffer_getc(in,&tmp);
+    if (r!=1) return 0;
+    if (!stralloc_append(&x,&tmp)) return 0;
+    if (tmp=='(') ++l;
+    if (tmp==')') {
+      --l;
+      if (l==0) break;
     }
-  } while (x.len==0);
-  stralloc_chop(&x);
-  if (!stralloc_0(&x)) return -1;
-  r=byte_chr(x.s,x.len,':');
-  if (x.s[r]==':') {
-    x.s[r]=0;
-    if (str_equal(x.s,"dn")) {
-      a->attr=Dn;
-      a->what=strdup(x.s+r+1);
-      if (!a->what) return -1;
-    } else {
-      a->attr=malloc(x.len);
-      if (!a->attr) return -1;
-      byte_copy((char*)a->attr,x.len,x.s);
-      a->what=a->attr+r+1;
+    if (stralloc_equals(&x,"*")) {
+      a->filterstring=Any;
+      return 1;
     }
-  } else {
-    a->attr=Dn;
-    if (str_equal(x.s,"*"))
-      a->what=Any;
-    else if (str_equal(x.s,"self"))
-      a->what=Self;
-    else {
-      a->what=strdup(x.s);
-      if (!a->what) return -1;
+    if (stralloc_equals(&x,"self")) {
+      a->filterstring=Self;
+      return 1;
     }
   }
+  if (x.len+1<x.len) return 0;	/* catch integer overflow */
+  a->filterstring=malloc(x.len+1);
+  byte_copy(a->filterstring,x.len,x.s);
+  a->filterstring[x.len]=0;
+
+  if (scan_ldapsearchfilterstring(a->filterstring,&a->f) != x.len) {
+    free_ldapsearchfilter(a->f);
+    return 0;
+  }
+
   return 1;
 }
 
@@ -199,9 +196,8 @@ static int parseacl(buffer* in,struct acl* a) {
 
 static void fold(struct assertion* a,struct assertion* b) {
   if (a->sameas || b->sameas) return;
-  if (a->attr==b->attr || str_equal(a->attr,b->attr))
-    if (a->what==b->what || str_equal(a->what,b->what))
-      b->sameas=a;
+  if (!strcmp(a->filterstring,b->filterstring))
+    b->sameas=a;
 }
 
 static void optimize(struct acl* a) {
@@ -240,6 +236,8 @@ int readacls(const char* filename) {
   return 0;
 }
 
+#if 0
+
 /* given a DN a (logged in as DN b), we need to quickly find out what
  * kind of permissions we have for an attribute c.  To make this extra
  * quick, I'm only comparing DNs if the rule
@@ -353,14 +351,6 @@ struct assertion {
   }
 }
 
-#if 0
-void dumpacls() {
-  struct acl* a;
-  for (a=root; a; a=a->next) {
-    printf("\n--=[ record at %p ]=--\n",a);
-    printf("%s=%s %s=%s %s\n",a->login.attr,a->login.what,a->target.attr,a->target.what,a->attrib);
-  }
-}
 #endif
 
 #ifdef MAIN
@@ -369,8 +359,7 @@ int main() {
   char* map=mmap_read("data",&filelen);
 
   if (readacls("acls")==-1) die(1,"readacls failed");
-//  dumpacls();
-  acl_offsets(map,filelen);
+//  acl_offsets(map,filelen);
   return 0;
 }
 #endif
diff --git a/acls b/acls
index ac3d0d0..8c85e17 100644
--- a/acls
+++ b/acls
@@ -1,8 +1,8 @@
 # root@fefe.de can do everything
-acl dn:cn=root,o=fefe,c=de * * +rwdR;
+acl (dn=cn=root,o=fefe,c=de) * * +rwdR;
 # noone can read userPassword
 acl * * userPassword -r;
 # but everyone can authenticate using it
 acl * self * +a;
 # admins at fefe.de can write in their tree
-acl dn:*ou=admin,o=fefe,c=de dn:*,o=fefe,c=de * +rwdR;
+acl (dn=*ou=admin,o=fefe,c=de) (dn=*,o=fefe,c=de) * +rwdR;
diff --git a/asn1.h b/asn1.h
index f3ed82c..6e4e413 100644
--- a/asn1.h
+++ b/asn1.h
@@ -24,29 +24,29 @@ enum asn1_tag {
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 tag */
-int fmt_asn1tag(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,unsigned long tag);
+unsigned int fmt_asn1tag(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,unsigned long tag);
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 length */
-int fmt_asn1length(char* dest,unsigned long l);
+unsigned int fmt_asn1length(char* dest,unsigned long l);
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 INTEGER.  This only does the payload, not the tag
  * and length headers! */
-int fmt_asn1intpayload(char* dest,unsigned long l);
+unsigned int fmt_asn1intpayload(char* dest,unsigned long l);
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 INTEGER.  This only does the payload, not the tag
  * and length headers! */
-int fmt_asn1sintpayload(char* dest,signed long l);
+unsigned int fmt_asn1sintpayload(char* dest,signed long l);
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 INTEGER or ENUMERATED. */
-int fmt_asn1int(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l);
+unsigned int fmt_asn1int(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l);
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 INTEGER or ENUMERATED. */
-int fmt_asn1sint(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,signed long l);
+unsigned int fmt_asn1sint(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,signed long l);
 
 /* write any data type that does not require transformation in the least
  * amount of bytes, return number of bytes */
@@ -54,11 +54,11 @@ int fmt_asn1sint(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1
 /* does not wrote the payload itself, just the header!  First construct
  * the sequence/octet string so you know the length, then use
  * fmt_asn1transparent to write the header before it */
-int fmt_asn1transparent(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l);
+unsigned int fmt_asn1transparent(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l);
 
 /* write string in least amount of bytes, return number of bytes */
 /* as used in ASN.1 OCTET STRING. */
-int fmt_asn1string(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,const char* c,unsigned long l);
+unsigned int fmt_asn1string(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,const char* c,unsigned long l);
 
 /* write ASN.1 OCTET STRING */
 #define fmt_asn1OCTETSTRING(dest,c,l) fmt_asn1string(dest,UNIVERSAL,PRIMITIVE,OCTET_STRING,c,l)
@@ -85,32 +85,32 @@ int fmt_asn1string(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum as
  *   the return value is the number of bytes parsed or 0 for parse error */
 
 /* parse ASN.1 tag into a tag class, tag type and tag number */
-int scan_asn1tag(const char* src,const char* max,
+unsigned int scan_asn1tag(const char* src,const char* max,
 		 enum asn1_tagclass* tc,enum asn1_tagtype* tt, unsigned long* tag);
 
 /* parse ASN.1 length */
-int scan_asn1length(const char* src,const char* max,unsigned long* length);
+unsigned int scan_asn1length(const char* src,const char* max,unsigned long* length);
 
 /* parse ASN.1 integer with tag and length */
-int scan_asn1int(const char* src,const char* max,
+unsigned int scan_asn1int(const char* src,const char* max,
 		 enum asn1_tagclass* tc,enum asn1_tagtype* tt, unsigned long* tag,
 		 long* l);
 
 /* parse raw integer (payload after tag and length); internal helper */
-int scan_asn1rawint(const char* src,const char* max,unsigned int len,long* i);
+unsigned int scan_asn1rawint(const char* src,const char* max,unsigned int len,long* i);
 
 /* parse string with tag and length.
  * Points s to the first byte in the string, and writes the length of
  * the string to l. */
-int scan_asn1string(const char* src,const char* max,
+unsigned int scan_asn1string(const char* src,const char* max,
 		    enum asn1_tagclass* tc,enum asn1_tagtype* tt,unsigned long* tag,
 		    const char** s,unsigned long* l);
 
 /* the following expect a specific universal type and return a parse
  * error if the tag does not match that type */
-int scan_asn1BOOLEAN(const char* src,const char* max,unsigned long* l);
-int scan_asn1INTEGER(const char* src,const char* max,signed long* l);
-int scan_asn1ENUMERATED(const char* src,const char* max,unsigned long* l);
-int scan_asn1STRING(const char* src,const char* max,const char** s,unsigned long* l);
-int scan_asn1SEQUENCE(const char* src,const char* max,unsigned long* len);
-int scan_asn1SET(const char* src,const char* max,unsigned long* len);
+unsigned int scan_asn1BOOLEAN(const char* src,const char* max,unsigned long* l);
+unsigned int scan_asn1INTEGER(const char* src,const char* max,signed long* l);
+unsigned int scan_asn1ENUMERATED(const char* src,const char* max,unsigned long* l);
+unsigned int scan_asn1STRING(const char* src,const char* max,const char** s,unsigned long* l);
+unsigned int scan_asn1SEQUENCE(const char* src,const char* max,unsigned long* len);
+unsigned int scan_asn1SET(const char* src,const char* max,unsigned long* len);
diff --git a/fmt_asn1int.c b/fmt_asn1int.c
index d28f34e..718af7f 100644
--- a/fmt_asn1int.c
+++ b/fmt_asn1int.c
@@ -1,7 +1,7 @@
 #include <asn1.h>
 
-int fmt_asn1int(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l) {
-  int len,tmp;
+unsigned int fmt_asn1int(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l) {
+  unsigned int len,tmp;
   /* first the tag */
   if (!dest) return fmt_asn1tag(0,tc,tt,tag)+1+fmt_asn1intpayload(0,l);
   len=fmt_asn1tag(dest,tc,tt,tag);
diff --git a/fmt_asn1intpayload.c b/fmt_asn1intpayload.c
index 317ae79..2f4b8e8 100644
--- a/fmt_asn1intpayload.c
+++ b/fmt_asn1intpayload.c
@@ -1,16 +1,16 @@
 #include <asn1.h>
 
-int fmt_asn1intpayload(char* dest,unsigned long l) {
-  int needed=sizeof l;
-  int i;
-  int fixup;
+unsigned int fmt_asn1intpayload(char* dest,unsigned long l) {
+  unsigned int needed=sizeof l;
+  unsigned int i;
+  unsigned int fixup;
   for (i=1; i<needed; ++i) {
     if (!(l>>(i*8)))
       break;
   }
   fixup=(l>>((i-1)*8))&0x80 ? 1 : 0;
   if (dest) {
-    int j=i;
+    unsigned int j=i;
     if (fixup) *dest++=0;
     while (j) {
       --j;
diff --git a/fmt_asn1length.c b/fmt_asn1length.c
index 2ebe9a6..7c1a0d4 100644
--- a/fmt_asn1length.c
+++ b/fmt_asn1length.c
@@ -2,7 +2,7 @@
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 length */
-int fmt_asn1length(char* dest,unsigned long l) {
+unsigned int fmt_asn1length(char* dest,unsigned long l) {
   /* encoding is either l%128 or (0x80+number of bytes,bytes) */
   int needed=(sizeof l);
   int i;
diff --git a/fmt_asn1sint.c b/fmt_asn1sint.c
index 7043bae..af8a022 100644
--- a/fmt_asn1sint.c
+++ b/fmt_asn1sint.c
@@ -1,7 +1,7 @@
 #include <asn1.h>
 
-int fmt_asn1sint(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,signed long l) {
-  int len,tmp;
+unsigned int fmt_asn1sint(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,signed long l) {
+  unsigned int len,tmp;
   /* first the tag */
   if (!dest) return fmt_asn1tag(0,tc,tt,tag)+1+fmt_asn1intpayload(0,l);
   len=fmt_asn1tag(dest,tc,tt,tag);
diff --git a/fmt_asn1sintpayload.c b/fmt_asn1sintpayload.c
index c8815c1..4443b77 100644
--- a/fmt_asn1sintpayload.c
+++ b/fmt_asn1sintpayload.c
@@ -1,8 +1,8 @@
 #include <asn1.h>
 
-int fmt_asn1sintpayload(char* dest,signed long l) {
-  int needed=sizeof l;
-  int i;
+unsigned int fmt_asn1sintpayload(char* dest,signed long l) {
+  unsigned int needed=sizeof l;
+  unsigned int i;
   signed long tmp=0x7f;
   if (l>=0) return fmt_asn1intpayload(dest,l);
   for (i=1; i<needed; ++i) {
diff --git a/fmt_asn1string.c b/fmt_asn1string.c
index f6885df..7f459b2 100644
--- a/fmt_asn1string.c
+++ b/fmt_asn1string.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 #include "byte.h"
 
-int fmt_asn1string(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,const char* c,unsigned long l) {
+unsigned int fmt_asn1string(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,const char* c,unsigned long l) {
   int len;
   len=fmt_asn1transparent(dest,tc,tt,tag,l);
   if (dest) byte_copy(dest+len,l,c);
diff --git a/fmt_asn1tag.c b/fmt_asn1tag.c
index a08b3c2..b1f1484 100644
--- a/fmt_asn1tag.c
+++ b/fmt_asn1tag.c
@@ -2,7 +2,7 @@
 
 /* write int in least amount of bytes, return number of bytes */
 /* as used in ASN.1 tags */
-int fmt_asn1tag(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,unsigned long l) {
+unsigned int fmt_asn1tag(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,unsigned long l) {
   /* encoding is either l%128 or (0x1f,...) */
   int needed=(sizeof l)*7/8;
   int i;
diff --git a/fmt_asn1transparent.c b/fmt_asn1transparent.c
index d7576c5..4a162d2 100644
--- a/fmt_asn1transparent.c
+++ b/fmt_asn1transparent.c
@@ -1,8 +1,8 @@
 #include "asn1.h"
 #include "byte.h"
 
-int fmt_asn1transparent(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l) {
-  int len,tmp;
+unsigned int fmt_asn1transparent(char* dest,enum asn1_tagclass tc,enum asn1_tagtype tt,enum asn1_tag tag,unsigned long l) {
+  unsigned int len,tmp;
   /* first the tag */
   len=fmt_asn1tag(dest,tc,tt,tag);
   tmp=fmt_asn1length(dest?dest+len:dest,l);
diff --git a/fmt_ldapadl.c b/fmt_ldapadl.c
index 5f4fb8e..cc3544d 100644
--- a/fmt_ldapadl.c
+++ b/fmt_ldapadl.c
@@ -25,10 +25,10 @@ static int doit(char* dest,struct AttributeDescriptionList* adl,int seq) {
   return sum;
 }
 
-int fmt_ldapadl(char* dest,struct AttributeDescriptionList* adl) {
+unsigned int fmt_ldapadl(char* dest,struct AttributeDescriptionList* adl) {
   return doit(dest,adl,1);
 }
 
-int fmt_ldapavl(char* dest,struct AttributeDescriptionList* adl) {
+unsigned int fmt_ldapavl(char* dest,struct AttributeDescriptionList* adl) {
   return doit(dest,adl,0);
 }
diff --git a/fmt_ldapava.c b/fmt_ldapava.c
index fc44ce2..b1990b1 100644
--- a/fmt_ldapava.c
+++ b/fmt_ldapava.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldapava(char* dest,struct AttributeValueAssertion* a) {
+unsigned int fmt_ldapava(char* dest,struct AttributeValueAssertion* a) {
   long sum,l;
   sum=fmt_ldapstring(dest,&a->desc);
   if (dest) dest+=sum;
diff --git a/fmt_ldapbindrequest.c b/fmt_ldapbindrequest.c
index a4ec88f..f6c27f5 100644
--- a/fmt_ldapbindrequest.c
+++ b/fmt_ldapbindrequest.c
@@ -3,9 +3,9 @@
 #include "ldap.h"
 #include "str.h"
 
-int fmt_ldapbindrequest(char* dest,long version,char* name,char* simple) {
-  int l,sum;
-  int nlen=str_len(name);
+unsigned int fmt_ldapbindrequest(char* dest,long version,char* name,char* simple) {
+  unsigned int l,sum;
+  unsigned int nlen=str_len(name);
   sum=l=fmt_asn1INTEGER(dest,version);
   if (dest) dest+=l;
   l=fmt_asn1OCTETSTRING(dest,name,nlen);
diff --git a/fmt_ldapmessage.c b/fmt_ldapmessage.c
index be87a39..9eb5531 100644
--- a/fmt_ldapmessage.c
+++ b/fmt_ldapmessage.c
@@ -1,8 +1,8 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldapmessage(char* dest,long messageid,long op,long len) {
-  int l,l2,l3;
+unsigned int fmt_ldapmessage(char* dest,long messageid,long op,long len) {
+  unsigned int l,l2,l3;
   l2=fmt_asn1INTEGER(0,messageid);
   l3=fmt_asn1transparent(0,APPLICATION,CONSTRUCTED,op,len);
   l=fmt_asn1SEQUENCE(dest,len+l2+l3);
diff --git a/fmt_ldappal.c b/fmt_ldappal.c
index 488eb51..ef4d4c5 100644
--- a/fmt_ldappal.c
+++ b/fmt_ldappal.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldappal(char* dest,struct PartialAttributeList* pal) {
+unsigned int fmt_ldappal(char* dest,struct PartialAttributeList* pal) {
 //  int l,l2,sum;
   long sum,l,l2;
   if (!pal) return 0;
diff --git a/fmt_ldapresult.c b/fmt_ldapresult.c
index 43dd58a..4fb07e8 100644
--- a/fmt_ldapresult.c
+++ b/fmt_ldapresult.c
@@ -2,9 +2,9 @@
 #include "ldap.h"
 #include "str.h"
 
-int fmt_ldapresult(char* dest,long result,char* matcheddn,char* errormessage,char* referral) {
-  int l,sum=0;
-  int nlen;
+unsigned int fmt_ldapresult(char* dest,long result,char* matcheddn,char* errormessage,char* referral) {
+  unsigned int l,sum=0;
+  unsigned int nlen;
   sum=l=fmt_asn1ENUMERATED(dest,result);
   if (dest) dest+=l;
   nlen=str_len(matcheddn);
diff --git a/fmt_ldapsearchfilter.c b/fmt_ldapsearchfilter.c
index 4c10428..f3d9c7a 100644
--- a/fmt_ldapsearchfilter.c
+++ b/fmt_ldapsearchfilter.c
@@ -27,7 +27,7 @@ int fmt_ldapsubstring(char* dest,struct Substring* s) {
   return sum;
 }
 
-int fmt_ldapsearchfilter(char* dest,struct Filter* f) {
+unsigned int fmt_ldapsearchfilter(char* dest,struct Filter* f) {
   long sum=0,tmp;
   if (!f)
     return 0;
diff --git a/fmt_ldapsearchrequest.c b/fmt_ldapsearchrequest.c
index 4eeb2b9..8389138 100644
--- a/fmt_ldapsearchrequest.c
+++ b/fmt_ldapsearchrequest.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldapsearchrequest(char* dest,struct SearchRequest* sr) {
+unsigned int fmt_ldapsearchrequest(char* dest,struct SearchRequest* sr) {
   int l,sum=0;
   sum=fmt_ldapstring(dest,&sr->baseObject);
   if (dest) dest+=sum;
diff --git a/fmt_ldapsearchresultentry.c b/fmt_ldapsearchresultentry.c
index 12e86b1..8f50e1a 100644
--- a/fmt_ldapsearchresultentry.c
+++ b/fmt_ldapsearchresultentry.c
@@ -1,8 +1,8 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldapsearchresultentry(char* dest,struct SearchResultEntry* sre) {
-  int l,sum=0;
+unsigned int fmt_ldapsearchresultentry(char* dest,struct SearchResultEntry* sre) {
+  unsigned int l,sum=0;
   sum=fmt_ldapstring(dest,&sre->objectName);
   if (dest) dest+=sum;
   l=fmt_asn1SEQUENCE(dest,fmt_ldappal(0,sre->attributes));
diff --git a/fmt_ldapstring.c b/fmt_ldapstring.c
index 1058b84..e26f449 100644
--- a/fmt_ldapstring.c
+++ b/fmt_ldapstring.c
@@ -1,6 +1,6 @@
 #include "asn1.h"
 #include "ldap.h"
 
-int fmt_ldapstring(char* dest,struct string* s) {
+unsigned int fmt_ldapstring(char* dest,struct string* s) {
   return fmt_asn1OCTETSTRING(dest,s->s,s->l);
 }
diff --git a/ldap.h b/ldap.h
index c2536cf..a1b96a3 100644
--- a/ldap.h
+++ b/ldap.h
@@ -110,39 +110,39 @@ void freefilter(struct Filter* f);
 void freeava(struct AttributeDescriptionList* a);
 void freepal(struct PartialAttributeList* a);
 
-int scan_ldapstring(const char* src,const char* max,struct string* s);
-int scan_ldapmessage(const char* src,const char* max,
+unsigned int scan_ldapstring(const char* src,const char* max,struct string* s);
+unsigned int scan_ldapmessage(const char* src,const char* max,
 		     unsigned long* messageid,unsigned long* op,
 		     unsigned long* len);
-int scan_ldapbindrequest(const char* src,const char* max,
+unsigned int scan_ldapbindrequest(const char* src,const char* max,
 			 unsigned long* version,struct string* name,
 			 unsigned long* method);
-int scan_ldapbindresponse(const char* src,const char* max,
+unsigned int scan_ldapbindresponse(const char* src,const char* max,
 			  unsigned long* result,struct string* matcheddn,
 			  struct string* errormessage,struct string* referral);
-int scan_ldapava(const char* src,const char* max,struct AttributeValueAssertion* a);
-int scan_ldapsearchfilter(const char* src,const char* max,struct Filter** f);
-int scan_ldapsearchrequest(const char* src,const char* max,struct SearchRequest* s);
-int scan_ldapsearchresultentry(const char* src,const char* max,struct SearchResultEntry* sre);
-int scan_ldapresult(const char* src,const char* max,long* result,
+unsigned int scan_ldapava(const char* src,const char* max,struct AttributeValueAssertion* a);
+unsigned int scan_ldapsearchfilter(const char* src,const char* max,struct Filter** f);
+unsigned int scan_ldapsearchrequest(const char* src,const char* max,struct SearchRequest* s);
+unsigned int scan_ldapsearchresultentry(const char* src,const char* max,struct SearchResultEntry* sre);
+unsigned int scan_ldapresult(const char* src,const char* max,long* result,
 		    struct string* matcheddn,struct string* errormessage,
 		    struct string* referral);
-int scan_ldapmodifyrequest(const char* src,const char* max,struct ModifyRequest* m);
-int scan_ldapaddrequest(const char * src, const char * max, struct AddRequest * a);
-int scan_ldapsearchfilterstring(const char* src,struct Filter** f);
+unsigned int scan_ldapmodifyrequest(const char* src,const char* max,struct ModifyRequest* m);
+unsigned int scan_ldapaddrequest(const char * src, const char * max, struct AddRequest * a);
+unsigned int scan_ldapsearchfilterstring(const char* src,struct Filter** f);
 
-int fmt_ldapstring(char* dest,struct string* s);
-int fmt_ldapmessage(char* dest,long messageid,long op,long len);
-int fmt_ldapbindrequest(char* dest,long version,char* name,char* simple);
-int fmt_ldapsearchfilter(char* dest,struct Filter* f);
-int fmt_ldapsearchrequest(char* dest,struct SearchRequest* s);
-int fmt_ldapsearchresultentry(char* dest,struct SearchResultEntry* sre);
-int fmt_ldapresult(char* dest,long result,char* matcheddn,char* errormessage,char* referral);
-int fmt_ldappal(char* dest,struct PartialAttributeList* pal);
-int fmt_ldapava(char* dest,struct AttributeValueAssertion* a);
-int fmt_ldapadl(char* dest,struct AttributeDescriptionList* adl);
-int fmt_ldapavl(char* dest,struct AttributeDescriptionList* adl);
-int fmt_ldapmodifyrequest(char* dest,struct ModifyRequest* m);
+unsigned int fmt_ldapstring(char* dest,struct string* s);
+unsigned int fmt_ldapmessage(char* dest,long messageid,long op,long len);
+unsigned int fmt_ldapbindrequest(char* dest,long version,char* name,char* simple);
+unsigned int fmt_ldapsearchfilter(char* dest,struct Filter* f);
+unsigned int fmt_ldapsearchrequest(char* dest,struct SearchRequest* s);
+unsigned int fmt_ldapsearchresultentry(char* dest,struct SearchResultEntry* sre);
+unsigned int fmt_ldapresult(char* dest,long result,char* matcheddn,char* errormessage,char* referral);
+unsigned int fmt_ldappal(char* dest,struct PartialAttributeList* pal);
+unsigned int fmt_ldapava(char* dest,struct AttributeValueAssertion* a);
+unsigned int fmt_ldapadl(char* dest,struct AttributeDescriptionList* adl);
+unsigned int fmt_ldapavl(char* dest,struct AttributeDescriptionList* adl);
+unsigned int fmt_ldapmodifyrequest(char* dest,struct ModifyRequest* m);
 
 #define fmt_ldapbindresponse(a,b,c,d,e) fmt_ldapresult(a,b,c,d,e)
 #define fmt_ldapsearchresultdone(a,b,c,d,e) fmt_ldapresult(a,b,c,d,e)
diff --git a/scan_asn1BOOLEAN.c b/scan_asn1BOOLEAN.c
index 853a596..6041d91 100644
--- a/scan_asn1BOOLEAN.c
+++ b/scan_asn1BOOLEAN.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 
-int scan_asn1BOOLEAN(const char* src,const char* max,unsigned long* l) {
-  int tmp;
+unsigned int scan_asn1BOOLEAN(const char* src,const char* max,unsigned long* l) {
+  unsigned int tmp;
   long tag;
   enum asn1_tagclass tc;
   enum asn1_tagtype tt;
diff --git a/scan_asn1ENUMERATED.c b/scan_asn1ENUMERATED.c
index 539cd6f..36d4fc5 100644
--- a/scan_asn1ENUMERATED.c
+++ b/scan_asn1ENUMERATED.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 
-int scan_asn1ENUMERATED(const char* src,const char* max,unsigned long* l) {
-  int tmp;
+unsigned int scan_asn1ENUMERATED(const char* src,const char* max,unsigned long* l) {
+  unsigned int tmp;
   long tag;
   enum asn1_tagclass tc;
   enum asn1_tagtype tt;
diff --git a/scan_asn1INTEGER.c b/scan_asn1INTEGER.c
index b41356a..dde897d 100644
--- a/scan_asn1INTEGER.c
+++ b/scan_asn1INTEGER.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 
-int scan_asn1INTEGER(const char* src,const char* max,signed long* l) {
-  int tmp;
+unsigned int scan_asn1INTEGER(const char* src,const char* max,signed long* l) {
+  unsigned int tmp;
   long tag;
   enum asn1_tagclass tc;
   enum asn1_tagtype tt;
diff --git a/scan_asn1SEQUENCE.c b/scan_asn1SEQUENCE.c
index 545e450..763b40b 100644
--- a/scan_asn1SEQUENCE.c
+++ b/scan_asn1SEQUENCE.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 
-int scan_asn1SEQUENCE(const char* src,const char* max,unsigned long* len) {
-  int res,tmp;
+unsigned int scan_asn1SEQUENCE(const char* src,const char* max,unsigned long* len) {
+  unsigned int res,tmp;
   long tag;
   enum asn1_tagclass tc;
   enum asn1_tagtype tt;
diff --git a/scan_asn1SET.c b/scan_asn1SET.c
index 01624f6..6e9e9ce 100644
--- a/scan_asn1SET.c
+++ b/scan_asn1SET.c
@@ -1,7 +1,7 @@
 #include "asn1.h"
 
-int scan_asn1SET(const char* src,const char* max,unsigned long* len) {
-  int res,tmp;
+unsigned int scan_asn1SET(const char* src,const char* max,unsigned long* len) {
+  unsigned int res,tmp;
   long tag;
   enum asn1_tagclass tc;
   enum asn1_tagtype tt;