The function send_ldap_extended_response() takes as its second-to-last argument a long long result_code, but the infrastructure for handling LDAP extended operations in ldap_extended() restricts the result code to an int.
I don't think there's any risk or bug here, this is just type correctness.
Index: ldape.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.18
diff -u -r1.18 ldape.c
--- ldape.c 2 Nov 2013 13:31:51 -0000 1.18
+++ ldape.c 12 Dec 2014 22:27:49 -0000
@@ -39,7 +39,7 @@
 struct imsg *imsg);
 static void ldape_needfd(struct imsgev *iev);
-int ldap_starttls(struct request *req);
+long long ldap_starttls(struct request *req);
 void send_ldap_extended_response(struct conn *conn, int msgid, unsigned long type, long long result_code,
@@ -279,7 +279,7 @@
 return ldap_respond(req, LDAP_COMPARE_FALSE);
 }
-int
+long long
 ldap_starttls(struct request *req)
 {
 if ((req->conn->listener->flags & F_STARTTLS) == 0) {
@@ -294,12 +294,13 @@
 int
 ldap_extended(struct request *req)
 {
- int i, rc = LDAP_PROTOCOL_ERROR;
+ int i;
+ long long rc = LDAP_PROTOCOL_ERROR;
 char *oid = NULL;
 struct ber_element *ext_val = NULL;
 struct {
 const char *oid;
- int (*fn)(struct request *);
+ long long (*fn)(struct request *);
 } extended_ops[] = {
 { "1.3.6.1.4.1.1466.20037", ldap_starttls },
 { NULL }
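Review bot: The prototype `long long ldap_starttls(struct request *req);` keeps external linkage while its neighbour `ldape_needfd` is declared `static`. Within the visible hunks the function is referenced only from the `extended_ops` table in ldap_extended(), so if no other file calls it, `static long long ldap_starttls(struct request *req);` (with the same qualifier on the definition in the second hunk) would keep the StartTLS handler out of the global namespace. A one-line comment on the prototype, for example `/* extended-operation handler: returns an LDAP result code */`, would record why the return type is wider than the values it carries.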
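Review bot: `rc` is now `long long`, but ldap_extended() is still declared `int` in the context lines just above it, so any `return rc;` further down would narrow the value implicitly again; the body continues past the end of this hunk, so that cannot be confirmed from here. If `rc` is only forwarded to send_ldap_extended_response(), a comment at the declaration such as `/* LDAP result code, forwarded to send_ldap_extended_response() */` would make the intent explicit. The dispatch table is an automatic array rebuilt on every call; declaring it `static const struct { ... } extended_ops[]` would mark it as fixed data.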