xref: /onnv-gate/usr/src/lib/libsldap/common/ns_common.c (revision 12969:9fda0aeb1cb6)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */


#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <libintl.h>
#include <ctype.h>

#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netdir.h>
#include <lber.h>
#include <ldap.h>

#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"

#define	UDP	"/dev/udp"
#define	MAXIFS	32

struct ifinfo {
	struct in_addr addr, netmask;
};

static ns_service_map ns_def_map[] = {
	{ "passwd",	"ou=people,",		NULL },
	{ "shadow",	"ou=people,",		"passwd" },
	{ "user_attr",	"ou=people,",		"passwd" },
	{ "audit_user",	"ou=people,",		"passwd" },
	{ "group",	"ou=group,",		NULL },
	{ "rpc",	"ou=rpc,",		NULL },
	{ "project",	"ou=projects,",		NULL },
	{ "protocols",	"ou=protocols,",	NULL },
	{ "networks",	"ou=networks,",		NULL },
	{ "netmasks",	"ou=networks,",		"networks" },
	{ "netgroup",	"ou=netgroup,",		NULL },
	{ "aliases",	"ou=aliases,",		NULL },
	{ "Hosts",	"ou=Hosts,",		NULL },
	{ "ipnodes",	"ou=Hosts,",		"hosts" },
	{ "Services",	"ou=Services,",		NULL },
	{ "bootparams",	"ou=ethers,",		"ethers" },
	{ "ethers",	"ou=ethers,",		NULL },
	{ "auth_attr",	"ou=SolarisAuthAttr,",	NULL },
	{ "prof_attr",	"ou=SolarisProfAttr,",	NULL },
	{ "exec_attr",	"ou=SolarisProfAttr,",	"prof_attr" },
	{ "profile",	"ou=profile,",		NULL },
	{ "printers",	"ou=printers,",		NULL },
	{ "automount",	"",			NULL },
	{ "tnrhtp",	"ou=ipTnet,",		NULL },
	{ "tnrhdb",	"ou=ipTnet,",		"tnrhtp" },
	{ NULL, NULL, NULL }
};


static char ** parseDN(const char *val, const char *service);
static char ** sortServerNet(char **srvlist);
static char ** sortServerPref(char **srvlist, char **preflist,
		boolean_t flag, int version, int *error);

/*
 * FUNCTION:	s_api_printResult
 *	Given a ns_ldap_result structure print it.
 */
int
__s_api_printResult(ns_ldap_result_t *result)
{

	ns_ldap_entry_t	*curEntry;
	int		i, j, k = 0;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_printResult START\n");
#endif
	(void) printf("--------------------------------------\n");
	if (result == NULL) {
		(void) printf("No result\n");
		return (0);
	}
	(void) printf("entries_count %d\n", result->entries_count);
	curEntry = result->entry;
	for (i = 0; i < result->entries_count; i++) {

		(void) printf("entry %d has attr_count = %d \n", i,
		    curEntry->attr_count);
		for (j = 0; j < curEntry->attr_count; j++) {
			(void) printf("entry %d has attr_pair[%d] = %s \n",
			    i, j, curEntry->attr_pair[j]->attrname);
			for (k = 0; k < 20 &&
			    curEntry->attr_pair[j]->attrvalue[k]; k++)
				(void) printf("entry %d has attr_pair[%d]->"
				    "attrvalue[%d] = %s \n", i, j, k,
				    curEntry->attr_pair[j]->attrvalue[k]);
		}
		(void) printf("\n--------------------------------------\n");
		curEntry = curEntry->next;
	}
	return (1);
}

/*
 * FUNCTION:	__s_api_getSearchScope
 *
 *	Retrieve the search scope for ldap search from the config module.
 *
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_CONFIG
 * INPUT:		NONE
 * OUTPUT:		searchScope, errorp
 */
int
__s_api_getSearchScope(
	int *searchScope,
	ns_ldap_error_t **errorp)
{

	char		errmsg[MAXERROR];
	void		**paramVal = NULL;
	int		rc = 0;
	int		scope = 0;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_getSearchScope START\n");
#endif
	if (*searchScope == 0) {
		if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_SCOPE_P,
		    &paramVal, errorp)) != NS_LDAP_SUCCESS) {
			return (rc);
		}
		if (paramVal && *paramVal)
			scope = * (int *)(*paramVal);
		else
			scope = NS_LDAP_SCOPE_ONELEVEL;
		(void) __ns_ldap_freeParam(&paramVal);
	} else {
		scope = *searchScope;
	}

	switch (scope) {

		case	NS_LDAP_SCOPE_ONELEVEL:
			*searchScope = LDAP_SCOPE_ONELEVEL;
			break;
		case	NS_LDAP_SCOPE_BASE:
			*searchScope = LDAP_SCOPE_BASE;
			break;
		case	NS_LDAP_SCOPE_SUBTREE:
			*searchScope = LDAP_SCOPE_SUBTREE;
			break;
		default:
			(void) snprintf(errmsg, sizeof (errmsg),
			    gettext("Invalid search scope!"));
			MKERROR(LOG_ERR, *errorp, NS_CONFIG_FILE,
			    strdup(errmsg), NS_LDAP_CONFIG);
			return (NS_LDAP_CONFIG);
	}

	return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:	__ns_ldap_dupAuth
 *
 *	Duplicates an authentication structure.
 *
 * RETURN VALUES:	copy of authp or NULL on error
 * INPUT:		authp
 */
ns_cred_t *
__ns_ldap_dupAuth(const ns_cred_t *authp)
{
	ns_cred_t *ap;

#ifdef DEBUG
	(void) fprintf(stderr, "__ns_ldap_dupAuth START\n");
#endif
	if (authp == NULL)
		return (NULL);

	ap = (ns_cred_t *)calloc(1, sizeof (ns_cred_t));
	if (ap == NULL)
		return (NULL);

	if (authp->hostcertpath) {
		ap->hostcertpath = strdup(authp->hostcertpath);
		if (ap->hostcertpath == NULL) {
			free(ap);
			return (NULL);
		}
	}
	if (authp->cred.unix_cred.userID) {
		ap->cred.unix_cred.userID =
		    strdup(authp->cred.unix_cred.userID);
		if (ap->cred.unix_cred.userID == NULL) {
			(void) __ns_ldap_freeCred(&ap);
			return (NULL);
		}
	}
	if (authp->cred.unix_cred.passwd) {
		ap->cred.unix_cred.passwd =
		    strdup(authp->cred.unix_cred.passwd);
		if (ap->cred.unix_cred.passwd == NULL) {
			(void) __ns_ldap_freeCred(&ap);
			return (NULL);
		}
	}
	if (authp->cred.cert_cred.nickname) {
		ap->cred.cert_cred.nickname =
		    strdup(authp->cred.cert_cred.nickname);
		if (ap->cred.cert_cred.nickname == NULL) {
			(void) __ns_ldap_freeCred(&ap);
			return (NULL);
		}
	}
	ap->auth.type = authp->auth.type;
	ap->auth.tlstype = authp->auth.tlstype;
	ap->auth.saslmech = authp->auth.saslmech;
	ap->auth.saslopt = authp->auth.saslopt;
	return (ap);
}

/*
 * FUNCTION:	__ns_ldap_freeUnixCred
 *
 *	Frees all the memory associated with a UnixCred_t structure.
 *
 * RETURN VALUES:	NS_LDAP_INVALID_PARAM, NS_LDAP_SUCCESS
 * INPUT:		UnixCred
 */
int
__ns_ldap_freeUnixCred(UnixCred_t ** credp)
{
	UnixCred_t *ap;

#ifdef DEBUG
	(void) fprintf(stderr, "__ns_ldap_freeUnixCred START\n");
#endif
	if (credp == NULL || *credp == NULL)
		return (NS_LDAP_INVALID_PARAM);

	ap = *credp;
	if (ap->userID) {
		(void) memset(ap->userID, 0, strlen(ap->userID));
		free(ap->userID);
	}

	if (ap->passwd) {
		(void) memset(ap->passwd, 0, strlen(ap->passwd));
		free(ap->passwd);
	}

	free(ap);
	*credp = NULL;
	return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:	__ns_ldap_freeCred
 *
 *	Frees all the memory associated with a ns_cred_t structure.
 *
 * RETURN VALUES:	NS_LDAP_INVALID_PARAM, NS_LDAP_SUCCESS
 * INPUT:		ns_cred_t
 */
int
__ns_ldap_freeCred(ns_cred_t ** credp)
{
	ns_cred_t *ap;

#ifdef DEBUG
	(void) fprintf(stderr, "__ns_ldap_freeCred START\n");
#endif
	if (credp == NULL || *credp == NULL)
		return (NS_LDAP_INVALID_PARAM);

	ap = *credp;
	if (ap->hostcertpath) {
		(void) memset(ap->hostcertpath, 0,
		    strlen(ap->hostcertpath));
		free(ap->hostcertpath);
	}

	if (ap->cred.unix_cred.userID) {
		(void) memset(ap->cred.unix_cred.userID, 0,
		    strlen(ap->cred.unix_cred.userID));
		free(ap->cred.unix_cred.userID);
	}

	if (ap->cred.unix_cred.passwd) {
		(void) memset(ap->cred.unix_cred.passwd, 0,
		    strlen(ap->cred.unix_cred.passwd));
		free(ap->cred.unix_cred.passwd);
	}

	if (ap->cred.cert_cred.nickname) {
		(void) memset(ap->cred.cert_cred.nickname, 0,
		    strlen(ap->cred.cert_cred.nickname));
		free(ap->cred.cert_cred.nickname);
	}

	free(ap);
	*credp = NULL;
	return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:	__s_api_is_auth_matched
 *
 *	Compare an authentication structure.
 *
 * RETURN VALUES:	B_TRUE if matched, B_FALSE otherwise.
 * INPUT:		auth1, auth2
 */
boolean_t
__s_api_is_auth_matched(const ns_cred_t *auth1,
    const ns_cred_t *auth2)
{
	if ((auth1->auth.type != auth2->auth.type) ||
	    (auth1->auth.tlstype != auth2->auth.tlstype) ||
	    (auth1->auth.saslmech != auth2->auth.saslmech) ||
	    (auth1->auth.saslopt != auth2->auth.saslopt))
		return (B_FALSE);

	if ((((auth1->auth.type == NS_LDAP_AUTH_SASL) &&
	    ((auth1->auth.saslmech == NS_LDAP_SASL_CRAM_MD5) ||
	    (auth1->auth.saslmech == NS_LDAP_SASL_DIGEST_MD5))) ||
	    (auth1->auth.type == NS_LDAP_AUTH_SIMPLE)) &&
	    ((auth1->cred.unix_cred.userID == NULL) ||
	    (auth1->cred.unix_cred.passwd == NULL) ||
	    ((strcasecmp(auth1->cred.unix_cred.userID,
	    auth2->cred.unix_cred.userID) != 0)) ||
	    ((strcmp(auth1->cred.unix_cred.passwd,
	    auth2->cred.unix_cred.passwd) != 0))))
		return (B_FALSE);

	return (B_TRUE);
}

/*
 * FUNCTION:	__s_api_getDNs
 *
 *	Retrieves the default base dn for the given
 *	service.
 *
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_CONFIG
 * INPUT:		service
 * OUTPUT:		DN, error
 */
typedef int (*pf)(const char *, char **, ns_ldap_error_t **);
int
__s_api_getDNs(
	char *** DN,
	const char *service,
	ns_ldap_error_t ** error)
{

	void	**paramVal = NULL;
	char	**dns = NULL;
	int	rc = 0;
	int	i, len;
	pf	prepend_auto2dn = __s_api_prepend_automountmapname_to_dn;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_getDNs START\n");
#endif
	if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_BASEDN_P,
	    &paramVal, error)) != NS_LDAP_SUCCESS) {
		return (rc);
	}
	if (!paramVal) {
		char errmsg[MAXERROR];

		(void) snprintf(errmsg, sizeof (errmsg),
		    gettext("BaseDN not defined"));
		MKERROR(LOG_ERR, *error, NS_CONFIG_FILE, strdup(errmsg),
		    NS_LDAP_CONFIG);
		return (NS_LDAP_CONFIG);
	}

	dns = (char **)calloc(2, sizeof (char *));
	if (dns == NULL) {
		(void) __ns_ldap_freeParam(&paramVal);
		return (NS_LDAP_MEMORY);
	}

	if (service == NULL) {
		dns[0] = strdup((char *)*paramVal);
		if (dns[0] == NULL) {
			(void) __ns_ldap_freeParam(&paramVal);
			free(dns);
			return (NS_LDAP_MEMORY);
		}
	} else {
		for (i = 0; ns_def_map[i].service != NULL; i++) {
			if (strcasecmp(service,
			    ns_def_map[i].service) == 0) {

				len = strlen((char *)*paramVal) +
				    strlen(ns_def_map[i].rdn) + 1;
				dns[0] = (char *)
				    calloc(len, sizeof (char));
				if (dns[0] == NULL) {
					(void) __ns_ldap_freeParam(
					    &paramVal);
					free(dns);
					return (NS_LDAP_MEMORY);
				}
				(void) strcpy(dns[0],
				    ns_def_map[i].rdn);
				(void) strcat(dns[0],
				    (char *)*paramVal);
				break;
			}
		}
		if (ns_def_map[i].service == NULL) {
			char *p = (char *)*paramVal;
			char *buffer = NULL;
			int  buflen = 0;

			if (strchr(service, '=') == NULL) {
			    /* automount entries */
				if (strncasecmp(service, "auto_", 5) == 0) {
					buffer = strdup(p);
					if (!buffer) {
						free(dns);
						(void) __ns_ldap_freeParam(
						    &paramVal);
						return (NS_LDAP_MEMORY);
					}
					/* shorten name to avoid cstyle error */
					rc = prepend_auto2dn(
					    service, &buffer, error);
					if (rc != NS_LDAP_SUCCESS) {
						free(dns);
						free(buffer);
						(void) __ns_ldap_freeParam(
						    &paramVal);
						return (rc);
					}
				} else {
				/* strlen("nisMapName")+"="+","+'\0' = 13 */
					buflen = strlen(service) + strlen(p) +
					    13;
					buffer = (char *)malloc(buflen);
					if (buffer == NULL) {
						free(dns);
						(void) __ns_ldap_freeParam(
						    &paramVal);
						return (NS_LDAP_MEMORY);
					}
					(void) snprintf(buffer, buflen,
					    "nisMapName=%s,%s", service, p);
				}
			} else {
				buflen = strlen(service) + strlen(p) + 2;
				buffer = (char *)malloc(buflen);
				if (buffer == NULL) {
					free(dns);
					(void) __ns_ldap_freeParam(&paramVal);
					return (NS_LDAP_MEMORY);
				}
				(void) snprintf(buffer, buflen,
				    "%s,%s", service, p);
			}
			dns[0] = buffer;
		}
	}

	(void) __ns_ldap_freeParam(&paramVal);
	*DN = dns;
	return (NS_LDAP_SUCCESS);
}
/*
 * FUNCTION:	__s_api_get_search_DNs_v1
 *
 *	Retrieves the list of search DNS from the V1 profile for the given
 *	service.
 *
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_CONFIG
 * INPUT:		service
 * OUTPUT:		DN, error
 */
int
__s_api_get_search_DNs_v1(
	char *** DN,
	const char *service,
	ns_ldap_error_t ** error)
{

	void	**paramVal = NULL;
	void	**temptr = NULL;
	char	**dns = NULL;
	int	rc = 0;

	if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_DN_P,
	    &paramVal, error)) != NS_LDAP_SUCCESS) {
		return (rc);
	}

	if (service && paramVal) {
		for (temptr = paramVal; *temptr != NULL; temptr++) {
			dns = parseDN((const char *)(*temptr),
			    (const char *)service);
			if (dns != NULL)
				break;
		}
	}

	(void) __ns_ldap_freeParam(&paramVal);
	*DN = dns;
	return (NS_LDAP_SUCCESS);

}
/*
 * FUNCTION:	parseDN
 *
 *	Parse a special formated list(val) into an array of char *.
 *
 * RETURN VALUE:	A char * pointer to the new list of dns.
 * INPUT:		val, service
 */
static char **
parseDN(
	const char *val,
	const char *service)
{

	size_t		len = 0;
	size_t		slen = 0;
	char		**retVal = NULL;
	const char	*temptr;
	char		*temptr2;
	const char	*valend;
	int 		valNo = 0;
	int		valSize = 0;
	int		i;
	char		*SSD_service = NULL;

#ifdef DEBUG
	(void) fprintf(stderr, "parseDN START\n");
#endif
	if (val == NULL || *val == '\0')
		return (NULL);
	if (service == NULL || *service == '\0')
		return (NULL);

	len = strlen(val);
	slen = strlen(service);
	if (strncasecmp(val, service, slen) != 0) {
		/*
		 * This routine is only called
		 * to process V1 profile and
		 * for V1 profile, map service
		 * to the corresponding SSD_service
		 * which is associated with a
		 * real container in the LDAP directory
		 * tree, e.g., map "shadow" to
		 * "password". See function
		 * __s_api_get_SSD_from_SSDtoUse_service
		 * for similar service to SSD_service
		 * mapping handling for V2 profile.
		 */
		for (i = 0; ns_def_map[i].service != NULL; i++) {
			if (ns_def_map[i].SSDtoUse_service &&
			    strcasecmp(service,
			    ns_def_map[i].service) == 0) {
				SSD_service =
				    ns_def_map[i].SSDtoUse_service;
				break;
			}
		}

		if (SSD_service == NULL)
			return (NULL);

		slen = strlen(SSD_service);
		if (strncasecmp(val, SSD_service, slen) != 0)
			return (NULL);
	}

	temptr = val + slen;
	while (*temptr == SPACETOK || *temptr == TABTOK)
		temptr++;
	if (*temptr != COLONTOK)
		return (NULL);

	while (*temptr) {
		temptr2 = strchr(temptr, OPARATOK);
		if (temptr2 == NULL)
			break;
		temptr2++;
		temptr2 = strchr(temptr2, CPARATOK);
		if (temptr2 == NULL)
			break;
		valNo++;
		temptr = temptr2+1;
	}

	retVal = (char **)calloc(valNo +1, sizeof (char *));
	if (retVal == NULL)
		return (NULL);

	temptr = val;
	valend = val+len;

	for (i = 0; (i < valNo) && (temptr < valend); i++) {
		temptr = strchr(temptr, OPARATOK);
		if (temptr == NULL) {
			__s_api_free2dArray(retVal);
			return (NULL);
		}
		temptr++;
		temptr2 = strchr(temptr, CPARATOK);
		if (temptr2 == NULL) {
			__s_api_free2dArray(retVal);
			return (NULL);
		}
		valSize = temptr2 - temptr;

		retVal[i] = (char *)calloc(valSize + 1, sizeof (char));
		if (retVal[i] == NULL) {
			__s_api_free2dArray(retVal);
			return (NULL);
		}
		(void) strncpy(retVal[i], temptr, valSize);
		retVal[i][valSize] = '\0';
		temptr = temptr2 + 1;
	}

	return (retVal);
}


/*
 * __s_api_get_local_interfaces
 *
 * Returns a pointer to an array of addresses and netmasks of all interfaces
 * configured on the system.
 *
 * NOTE: This function is very IPv4 centric.
 */
static struct ifinfo *
__s_api_get_local_interfaces()
{
	struct ifconf		ifc;
	struct ifreq		ifreq, *ifr;
	struct ifinfo		*localinfo;
	struct in_addr		netmask;
	struct sockaddr_in	*sin;
	void			*buf = NULL;
	int			fd = 0;
	int			numifs = 0;
	int			i, n = 0;

	if ((fd = open(UDP, O_RDONLY)) < 0)
		return ((struct ifinfo *)NULL);

	if (ioctl(fd, SIOCGIFNUM, (char *)&numifs) < 0) {
		numifs = MAXIFS;
	}

	buf = malloc(numifs * sizeof (struct ifreq));
	if (buf == NULL) {
		(void) close(fd);
		return ((struct ifinfo *)NULL);
	}
	ifc.ifc_len = numifs * (int)sizeof (struct ifreq);
	ifc.ifc_buf = buf;
	if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0) {
		(void) close(fd);
		free(buf);
		buf = NULL;
		return ((struct ifinfo *)NULL);
	}
	ifr = (struct ifreq *)buf;
	numifs = ifc.ifc_len/(int)sizeof (struct ifreq);
	localinfo = (struct ifinfo *)malloc((numifs + 1) *
	    sizeof (struct ifinfo));
	if (localinfo == NULL) {
		(void) close(fd);
		free(buf);
		buf = NULL;
		return ((struct ifinfo *)NULL);
	}

	for (i = 0, n = numifs; n > 0; n--, ifr++) {
		uint_t ifrflags;

		ifreq = *ifr;
		if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifreq) < 0)
			continue;

		ifrflags = ifreq.ifr_flags;
		if (((ifrflags & IFF_UP) == 0) ||
		    (ifr->ifr_addr.sa_family != AF_INET))
			continue;

		if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifreq) < 0)
			continue;
		netmask = ((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr;

		if (ioctl(fd, SIOCGIFADDR, (char *)&ifreq) < 0)
			continue;

		sin = (struct sockaddr_in *)&ifreq.ifr_addr;

		localinfo[i].addr = sin->sin_addr;
		localinfo[i].netmask = netmask;
		i++;
	}
	localinfo[i].addr.s_addr = 0;

	free(buf);
	buf = NULL;
	(void) close(fd);
	return (localinfo);
}


/*
 * __s_api_samenet(char *, struct ifinfo *)
 *
 * Returns 1 if address is on the same subnet of the array of addresses
 * passed in.
 *
 * NOTE: This function is only valid for IPv4 addresses.
 */
static int
__s_api_IPv4sameNet(char *addr, struct ifinfo *ifs)
{
	int		answer = 0;

	if (addr && ifs) {
		char		*addr_raw;
		unsigned long	iaddr;
		int		i;

		if ((addr_raw = strdup(addr)) != NULL) {
			char	*s;

			/* Remove port number. */
			if ((s = strchr(addr_raw, ':')) != NULL)
				*s = '\0';

			iaddr = inet_addr(addr_raw);

			/* Loop through interface list to find match. */
			for (i = 0; ifs[i].addr.s_addr != 0; i++) {
				if ((iaddr & ifs[i].netmask.s_addr) ==
				    (ifs[i].addr.s_addr &
				    ifs[i].netmask.s_addr))
					answer++;
			}
			free(addr_raw);
		}
	}

	return (answer);
}

/*
 * FUNCTION:	__s_api_getServers
 *
 *	Retrieve a list of ldap servers from the config module.
 *
 * RETURN VALUE:	NS_LDAP_SUCCESS, NS_LDAP_CONFIG, NS_LDAP_MEMORY
 * INPUT:		NONE
 * OUTPUT:		servers, error
 */
int
__s_api_getServers(
		char *** servers,
		ns_ldap_error_t ** error)
{
	void	**paramVal = NULL;
	char	errmsg[MAXERROR];
	char	**sortServers = NULL;
	char	**netservers = NULL;
	int	rc = 0, err = NS_LDAP_CONFIG, version = 1;
	const 	char	*str, *str1;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_getServers START\n");
#endif
	*servers = NULL;
	/* get profile version number */
	if ((rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P,
	    &paramVal, error)) != NS_LDAP_SUCCESS)
		return (rc);

	if (paramVal == NULL || *paramVal == NULL) {
		(void) snprintf(errmsg, sizeof (errmsg),
		    gettext("No file version"));
		MKERROR(LOG_INFO, *error, NS_CONFIG_FILE, strdup(errmsg),
		    NS_LDAP_CONFIG);
		return (NS_LDAP_CONFIG);
	}

	if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_1) == 0)
		version = 1;
	else if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_2) == 0)
		version = 2;

	(void) __ns_ldap_freeParam(&paramVal);
	paramVal = NULL;

	if ((rc = __ns_ldap_getParam(NS_LDAP_SERVERS_P,
	    &paramVal, error)) != NS_LDAP_SUCCESS)
		return (rc);

	/*
	 * For version 2, default server list could be
	 * empty.
	 */
	if ((paramVal == NULL || (char *)*paramVal == NULL) &&
	    version == 1) {
		str = NULL_OR_STR(__s_api_get_configname(NS_LDAP_SERVERS_P));
		(void) snprintf(errmsg, sizeof (errmsg),
		    gettext("Unable to retrieve the '%s' list"), str);
		MKERROR(LOG_WARNING, *error, NS_CONFIG_FILE, strdup(errmsg),
		    NS_LDAP_CONFIG);
		return (NS_LDAP_CONFIG);
	}

	/*
	 * Get server address(es) and go through them.
	 */
	*servers = (char **)paramVal;
	paramVal = NULL;

	/* Sort servers based on network. */
	if (*servers) {
		netservers = sortServerNet(*servers);
		if (netservers) {
			free(*servers);
			*servers = netservers;
		} else {
			return (NS_LDAP_MEMORY);
		}
	}

	/* Get preferred server list and sort servers based on that. */
	if ((rc = __ns_ldap_getParam(NS_LDAP_SERVER_PREF_P,
	    &paramVal, error)) != NS_LDAP_SUCCESS) {
		if (*servers)
			__s_api_free2dArray(*servers);
		*servers = NULL;
		return (rc);
	}

	if (paramVal != NULL) {
		char **prefServers;
		void **val = NULL;

		if ((rc =  __ns_ldap_getParam(NS_LDAP_PREF_ONLY_P,
		    &val, error)) != NS_LDAP_SUCCESS) {
				if (*servers)
					__s_api_free2dArray(*servers);
				*servers = NULL;
			(void) __ns_ldap_freeParam(&paramVal);
			return (rc);
		}

		prefServers = (char **)paramVal;
		paramVal = NULL;
		if (prefServers) {
			if (val != NULL && (*val) != NULL &&
			    *(int *)val[0] == 1)
				sortServers = sortServerPref(*servers,
				    prefServers, B_FALSE, version,
				    &err);
			else
				sortServers = sortServerPref(*servers,
				    prefServers, B_TRUE, version,
				    &err);
			if (sortServers) {
				if (*servers)
					free(*servers);
				*servers = NULL;
				free(prefServers);
				prefServers = NULL;
				*servers = sortServers;
			} else {
				if (*servers)
					__s_api_free2dArray(*servers);
				*servers = NULL;
				__s_api_free2dArray(prefServers);
				prefServers = NULL;
			}
		}
		(void) __ns_ldap_freeParam(&val);
	}
	(void) __ns_ldap_freeParam(&paramVal);

	if (*servers == NULL) {
		if (err == NS_LDAP_CONFIG) {
		str = NULL_OR_STR(__s_api_get_configname(
		    NS_LDAP_SERVERS_P));
		str1 = NULL_OR_STR(__s_api_get_configname(
		    NS_LDAP_SERVER_PREF_P));
			(void) snprintf(errmsg, sizeof (errmsg),
			    gettext("Unable to generate a new server list "
			    "based on '%s' and/or '%s'"), str, str1);
			MKERROR(LOG_WARNING, *error, NS_CONFIG_FILE,
			    strdup(errmsg), err);
			return (err);
		}
		return (NS_LDAP_MEMORY);
	}

	return (NS_LDAP_SUCCESS);

}

/*
 * FUNCTION:	sortServerNet
 *	Sort the serverlist based on the distance from client as long
 *	as the list only contains IPv4 addresses.  Otherwise do nothing.
 */
static char **
sortServerNet(char **srvlist)
{
	int		count = 0;
	int		all = 0;
	int		ipv4only = 1;
	struct ifinfo	*ifs = __s_api_get_local_interfaces();
	char		**tsrvs;
	char		**psrvs, **retsrvs;

	/* Sanity check. */
	if (srvlist == NULL || srvlist[0] == NULL)
		return (NULL);

	/* Count the number of servers to sort. */
	for (count = 0; srvlist[count] != NULL; count++) {
		if (!__s_api_isipv4(srvlist[count]))
			ipv4only = 0;
	}
	count++;

	/* Make room for the returned list of servers. */
	retsrvs = (char **)calloc(count, sizeof (char *));
	if (retsrvs == NULL) {
		free(ifs);
		ifs = NULL;
		return (NULL);
	}

	retsrvs[count - 1] = NULL;

	/* Make a temporary list of servers. */
	psrvs = (char **)calloc(count, sizeof (char *));
	if (psrvs == NULL) {
		free(ifs);
		ifs = NULL;
		free(retsrvs);
		retsrvs = NULL;
		return (NULL);
	}

	/* Filter servers on the same subnet */
	tsrvs = srvlist;
	while (*tsrvs) {
		if (ipv4only && __s_api_IPv4sameNet(*tsrvs, ifs)) {
			psrvs[all] = *tsrvs;
			retsrvs[all++] = *(tsrvs);
		}
		tsrvs++;
	}

	/* Filter remaining servers. */
	tsrvs = srvlist;
	while (*tsrvs) {
		char	**ttsrvs = psrvs;

		while (*ttsrvs) {
			if (strcmp(*tsrvs, *ttsrvs) == 0)
				break;
			ttsrvs++;
		}

		if (*ttsrvs == NULL)
			retsrvs[all++] = *(tsrvs);
		tsrvs++;
	}

	free(ifs);
	ifs = NULL;
	free(psrvs);
	psrvs = NULL;

	return (retsrvs);
}

/*
 * FUNCTION:	sortServerPref
 *	Sort the serverlist based on the preferred server list.
 *
 * The sorting algorithm works as follows:
 *
 * If version 1, if flag is TRUE, find all the servers in both preflist
 * and srvlist, then append other servers in srvlist to this list
 * and return the list.
 * If flag is FALSE, just return srvlist.
 * srvlist can not be empty.
 *
 * If version 2, append all the servers in srvlist
 * but not in preflist to preflist, and return the merged list.
 * If srvlist is empty, just return preflist.
 * If preflist is empty, just return srvlist.
 */
static char **
sortServerPref(char **srvlist, char **preflist,
		boolean_t flag, int version, int *error)
{
	int		i, scount = 0, pcount = 0;
	int		all = 0, dup = 0;
	char		**tsrvs;
	char		**retsrvs;
	char		**dupsrvs;

	/* Count the number of servers to sort. */
	if (srvlist && srvlist[0])
		for (i = 0; srvlist[i] != NULL; i++)
			scount++;

	/* Sanity check. */
	if (scount == 0 && version == 1) {
		*error = NS_LDAP_CONFIG;
		return (NULL);
	}

	/* Count the number of preferred servers */
	if (preflist && preflist[0])
		for (i = 0; preflist[i] != NULL; i++)
			pcount++;

	/* Sanity check. */
	if (scount == 0 && pcount == 0) {
		*error = NS_LDAP_CONFIG;
		return (NULL);
	}

	/* Make room for the returned list of servers */
	retsrvs = (char **)calloc(scount + pcount + 1, sizeof (char *));
	if (retsrvs == NULL) {
		*error = NS_LDAP_MEMORY;
		return (NULL);
	}

	/*
	 * if the preferred server list is empty,
	 * just return a copy of the server list
	 */
	if (pcount == 0) {
		tsrvs = srvlist;
		while (*tsrvs)
			retsrvs[all++] = *(tsrvs++);
		return (retsrvs);
	}
	all = 0;

	/*
	 * if the server list is empty,
	 * just return a copy of the preferred server list
	 */
	if (scount == 0) {
		tsrvs = preflist;
		while (*tsrvs)
			retsrvs[all++] = *(tsrvs++);
		return (retsrvs);
	}
	all = 0;

	/* Make room for the servers whose memory needs to be freed */
	dupsrvs = (char **)calloc(scount + pcount + 1, sizeof (char *));
	if (dupsrvs == NULL) {
		free(retsrvs);
		*error = NS_LDAP_MEMORY;
		return (NULL);
	}

	/*
	 * If version 1,
	 * throw out preferred servers not on server list.
	 * If version 2, make a copy of the preferred server list.
	 */
	if (version == 1) {
		tsrvs = preflist;
		while (*tsrvs) {
			char	**ttsrvs = srvlist;

			while (*ttsrvs) {
				if (strcmp(*tsrvs, *(ttsrvs)) == 0)
					break;
				ttsrvs++;
			}
			if (*ttsrvs != NULL)
				retsrvs[all++] = *tsrvs;
			else
				dupsrvs[dup++] = *tsrvs;
			tsrvs++;
		}
	} else {
		tsrvs = preflist;
		while (*tsrvs)
			retsrvs[all++] = *(tsrvs++);
	}
	/*
	 * If version 1,
	 * if PREF_ONLY is false, we append the non-preferred servers
	 * to bottom of list.
	 * For version 2, always append.
	 */
	if (flag == B_TRUE || version != 1) {

		tsrvs = srvlist;
		while (*tsrvs) {
			char	**ttsrvs = preflist;

			while (*ttsrvs) {
				if (strcmp(*tsrvs, *ttsrvs) == 0) {
					break;
				}
				ttsrvs++;
			}
			if (*ttsrvs == NULL)
				retsrvs[all++] = *tsrvs;
			else
				dupsrvs[dup++] = *tsrvs;
			tsrvs++;
		}
	}

	/* free memory for duplicate servers */
	if (dup) {
		for (tsrvs = dupsrvs; *tsrvs; tsrvs++)
			free(*tsrvs);
	}
	free(dupsrvs);

	return (retsrvs);
}

/*
 * FUNCTION:	__s_api_removeBadServers
 *	Contacts the ldap cache manager for marking the
 *	problem servers as down, so that the server is
 *	not contacted until the TTL expires.
 */
void
__s_api_removeBadServers(char ** Servers)
{

	char	**host;

	if (Servers == NULL)
		return;

	for (host = Servers; *host != NULL; host++) {
		if (__s_api_removeServer(*host) < 0) {
			/*
			 * Couldn't remove server from
			 * server list. Log a warning.
			 */
			syslog(LOG_WARNING, "libsldap: could "
			    "not remove %s from servers list", *host);
		}
	}
}

/*
 * FUNCTION:	__s_api_free2dArray
 */
void
__s_api_free2dArray(char ** inarray)
{

	char	**temptr;

	if (inarray == NULL)
		return;

	for (temptr = inarray; *temptr != NULL; temptr++) {
		free(*temptr);
	}
	free(inarray);
}

/*
 * FUNCTION:	__s_api_cp2dArray
 */
char **
__s_api_cp2dArray(char **inarray)
{
	char	**newarray;
	char	 **ttarray, *ret;
	int	count;

	if (inarray == NULL)
		return (NULL);

	for (count = 0; inarray[count] != NULL; count++)
		;

	newarray = (char **)calloc(count + 1, sizeof (char *));
	if (newarray == NULL)
		return (NULL);

	ttarray = newarray;
	for (; *inarray; inarray++) {
		*(ttarray++) = ret = strdup(*inarray);
		if (ret == NULL) {
			__s_api_free2dArray(newarray);
			return (NULL);
		}
	}
	return (newarray);
}

/*
 * FUNCTION:	__s_api_isCtrlSupported
 *	Determines if the passed control is supported by the LDAP sever.
 * RETURNS:	NS_LDAP_SUCCESS if yes, NS_LDAP_OP_FAIL if not.
 */
int
__s_api_isCtrlSupported(Connection *con, char *ctrlString)
{
	char		**ctrl;
	int		len;

	len = strlen(ctrlString);
	for (ctrl = con->controls; ctrl && *ctrl; ctrl++) {
		if (strncasecmp(*ctrl, ctrlString, len) == 0)
			return (NS_LDAP_SUCCESS);
	}
	return (NS_LDAP_OP_FAILED);
}

/*
 * FUNCTION:	__s_api_toFollowReferrals
 *	Determines if need to follow referral for an SLDAP API.
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_INVALID_PARAM, or
 *			other rc from __ns_ldap_getParam()
 * INPUT:		flags
 * OUTPUT:		toFollow, errorp
 */
int
__s_api_toFollowReferrals(const int flags,
	int *toFollow,
	ns_ldap_error_t **errorp)
{
	void		**paramVal = NULL;
	int		rc = 0;
	int		iflags = 0;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_toFollowReferrals START\n");
#endif

	/* Either NS_LDAP_NOREF or NS_LDAP_FOLLOWREF not both */
	if ((flags & (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) ==
	    (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) {
		return (NS_LDAP_INVALID_PARAM);
	}

	/*
	 * if the NS_LDAP_NOREF or NS_LDAP_FOLLOWREF is set
	 * this will take precendence over the values specified
	 * in the configuration file
	 */
	if (flags & (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) {
			iflags = flags;
	} else {
		rc = __ns_ldap_getParam(NS_LDAP_SEARCH_REF_P,
		    &paramVal, errorp);
		if (rc != NS_LDAP_SUCCESS)
			return (rc);
		if (paramVal == NULL || *paramVal == NULL) {
			(void) __ns_ldap_freeParam(&paramVal);
			if (*errorp)
				(void) __ns_ldap_freeError(errorp);
			*toFollow = TRUE;
			return (NS_LDAP_SUCCESS);
		}
		iflags = (* (int *)(*paramVal));
		(void) __ns_ldap_freeParam(&paramVal);
	}

	if (iflags & NS_LDAP_NOREF)
		*toFollow = FALSE;
	else
		*toFollow = TRUE;

	return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:	__s_api_addRefInfo
 *	Insert a referral info into a referral info list.
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_OP_FAILED
 * INPUT:		LDAP URL, pointer to the referral info list,
 *                      search baseDN, search scope, search filter,
 *                      previous connection
 */
int
__s_api_addRefInfo(ns_referral_info_t **head, char *url,
			char *baseDN, int *scope,
			char *filter, LDAP *ld)
{
	char			errmsg[MAXERROR], *tmp;
	ns_referral_info_t	*ref, *tmpref;
	LDAPURLDesc		*ludp = NULL;
	int			hostlen;
	char *ld_defhost = NULL;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_addRefInfo START\n");
#endif

	/* sanity check */
	if (head == NULL)
		return (NS_LDAP_OP_FAILED);

	/*
	 * log error and return NS_LDAP_SUCCESS
	 * if one of the following:
	 * 1. non-LDAP URL
	 * 2. LDAP URL which can not be parsed
	 */
	if (!ldap_is_ldap_url(url) ||
	    ldap_url_parse_nodn(url, &ludp) != 0) {
		(void) snprintf(errmsg, MAXERROR, "%s: %s",
		    gettext("Invalid or non-LDAP URL when"
		    " processing referrals URL"),
		    url);
		syslog(LOG_ERR, "libsldap: %s", errmsg);
		if (ludp)
				ldap_free_urldesc(ludp);
		return (NS_LDAP_SUCCESS);
	}

	ref = (ns_referral_info_t *)calloc(1,
	    sizeof (ns_referral_info_t));
	if (ref == NULL) {
		ldap_free_urldesc(ludp);
		return (NS_LDAP_MEMORY);
	}

	/*
	 * we do have a valid URL and we were able to parse it
	 * however, we still need to find out what hostport to
	 * use if none were provided in the LDAP URL
	 * (e.g., ldap:///...)
	 */
	if ((ludp->lud_port == 0) && (ludp->lud_host == NULL)) {
		if (ld == NULL) {
			(void) snprintf(errmsg, MAXERROR, "%s: %s",
			    gettext("no LDAP handle when"
			    " processing referrals URL"),
			    url);
			syslog(LOG_WARNING, "libsldap: %s", errmsg);
			ldap_free_urldesc(ludp);
			free(ref);
			return (NS_LDAP_SUCCESS);
		} else {
			(void) ldap_get_option(ld, LDAP_OPT_HOST_NAME,
			    &ld_defhost);
			if (ld_defhost == NULL) {
				(void) snprintf(errmsg, MAXERROR, "%s: %s",
				    gettext("not able to retrieve default "
				    "host when processing "
				    "referrals URL"),
				    url);
				syslog(LOG_WARNING, "libsldap: %s", errmsg);
				ldap_free_urldesc(ludp);
				free(ref);
				return (NS_LDAP_SUCCESS);
			} else {
				ref->refHost = strdup(ld_defhost);
				if (ref->refHost == NULL) {
					ldap_free_urldesc(ludp);
					free(ref);
					return (NS_LDAP_MEMORY);
				}
			}
		}
	} else {
		/*
		 * add 4 here:
		 * 1 for the last '\0'.
		 * 1 for host and prot separator ":"
		 * and "[" & "]" for possible ipV6 addressing
		 */
		hostlen = strlen(ludp->lud_host) +
		    sizeof (MAXPORTNUMBER_STR) + 4;
		ref->refHost = (char *)malloc(hostlen);
		if (ref->refHost == NULL) {
			ldap_free_urldesc(ludp);
			free(ref);
			return (NS_LDAP_MEMORY);
		}

		if (ludp->lud_port != 0) {
			/*
			 * serverAddr = host:port
			 * or
			 * if host is an IPV6 address
			 * [host]:port
			 */
			tmp = strstr(url, ludp->lud_host);
			if (tmp && (tmp > url) && *(tmp - 1) == '[') {
				(void) snprintf(ref->refHost, hostlen,
				    "[%s]:%d",
				    ludp->lud_host,
				    ludp->lud_port);
			} else {
				(void) snprintf(ref->refHost, hostlen,
				    "%s:%d",
				    ludp->lud_host,
				    ludp->lud_port);
			}
		} else {
			/* serverAddr = host */
			(void) snprintf(ref->refHost, hostlen, "%s",
			    ludp->lud_host);
		}
	}

	if (ludp->lud_dn) {
		ref->refDN = strdup(ludp->lud_dn);
		if (ref->refDN == NULL) {
			ldap_free_urldesc(ludp);
			free(ref->refHost);
			free(ref);
			return (NS_LDAP_MEMORY);
		}
	} else {
		if (baseDN) {
			ref->refDN = strdup(baseDN);
			if (ref->refDN == NULL) {
				ldap_free_urldesc(ludp);
				free(ref->refHost);
				free(ref);
				return (NS_LDAP_MEMORY);
			}
		}
	}

	if (filter)
		ref->refFilter = strdup(filter);
	else if (ludp->lud_filter)
		ref->refFilter = strdup(ludp->lud_filter);
	else
		ref->refFilter = strdup("");

	if (ref->refFilter == NULL) {
		ldap_free_urldesc(ludp);
		free(ref->refHost);
		if (ref->refDN)
			free(ref->refDN);
		free(ref);
		return (NS_LDAP_MEMORY);
	}

	/*
	 * If the scope is specified in the URL use it.
	 * Note if the scope is missing in the URL, ldap_url_parse_nodn()
	 * returns the scope BASE. We need to check that the scope of BASE
	 * is actually present in the URL.
	 * If the scope is missing in the URL then use the passed-in
	 * scope.
	 * If there is no passed-in scope, then use the scope SUBTREE.
	 */
	if (ludp->lud_dn && ludp->lud_scope != LDAP_SCOPE_BASE)
		ref->refScope = ludp->lud_scope;
	else if (ludp->lud_dn && strstr(url, "?base"))
		ref->refScope = LDAP_SCOPE_BASE;
	else if (scope)
		ref->refScope = *scope;
	else
		ref->refScope = LDAP_SCOPE_SUBTREE;

	ref->next = NULL;

	ldap_free_urldesc(ludp);

	/* insert the referral info */
	if (*head) {
		for (tmpref = *head; tmpref->next; tmpref = tmpref->next)
			;
		tmpref->next = ref;
	} else
		*head = ref;

	return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:	__s_api_deleteRefInfo
 *	Delete a referral info list.
 * INPUT:		pointer to the referral info list
 */
void
__s_api_deleteRefInfo(ns_referral_info_t *head)
{
	ns_referral_info_t	*ref, *tmp;

#ifdef DEBUG
	(void) fprintf(stderr, "__s_api_deleteRefInfo START\n");
#endif

	for (ref = head; ref; ) {
		if (ref->refHost)
			free(ref->refHost);
		if (ref->refDN)
			free(ref->refDN);
		if (ref->refFilter)
			free(ref->refFilter);
		tmp = ref->next;
		free(ref);
		ref = tmp;
	}

}

/*
 * FUNCTION:	__s_api_get_SSD_from_SSDtoUse_service
 *
 *	Retrieves the Service Search Descriptors which should be used for
 *	the given service. For example, return all the "passwd" SSDs for
 *	service "shadow" if no SSD is defined for service "shadow" and
 *	no filter component is defined in all the "passwd" SSDs. This idea
 *	of sharing the SSDs defined for some other service is to reduce the
 *	configuration complexity. For a service, which does not have its own
 *	entries in the LDAP directory, SSD for it is useless, and should not
 *	be set. But since this service must share the container with at least
 *	one other service which does have it own entries, the SSD for
 *	this other service will be shared by this service.
 *	This other service is called the SSD-to-use service.
 *	The static data structure, ns_def_map[], in this file
 *	defines the SSD-to-use service for all the services supported.
 *
 * RETURN VALUES:	NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_INVALID_PARAM
 * INPUT:		service
 * OUTPUT:		*SSDlist, *errorp if error
 */
int
__s_api_get_SSD_from_SSDtoUse_service(const char *service,
		ns_ldap_search_desc_t ***SSDlist,
		ns_ldap_error_t **errorp)
{
	int 			i, rc;
	int 			found = FALSE;
	int 			filter_found = FALSE;
	char			*SSD_service = NULL;
	char			errmsg[MAXERROR];
	ns_ldap_search_desc_t	**sdlist;
	int			auto_service = FALSE;

#ifdef DEBUG
	(void) fprintf(stderr,
	    "__s_api_get_SSD_from_SSDtoUse_service START\n");
#endif

	if (SSDlist == NULL || errorp == NULL)
		return (NS_LDAP_INVALID_PARAM);

	*SSDlist = NULL;
	*errorp = NULL;

	if (service == NULL)
		return (NS_LDAP_SUCCESS);

	if (strncasecmp(service, "auto_", 5) == 0)
		auto_service = TRUE;

	/*
	 * First try to return the configured SSDs for the input server
	 */
	rc = __ns_ldap_getSearchDescriptors(service, SSDlist, errorp);
	if (rc != NS_LDAP_SUCCESS)
		return (rc);
	else {
		if (*SSDlist != NULL)
			return (NS_LDAP_SUCCESS);
	}

	/*
	 * If service == auto_* and SSD is not found,
	 * then try automount to see if there is an SSD
	 * for automount.
	 */

	if (auto_service) {
		rc = __ns_ldap_getSearchDescriptors(
		    "automount", SSDlist, errorp);
		if (rc != NS_LDAP_SUCCESS)
			return (rc);
		else {
			if (*SSDlist != NULL) {
				/*
				 * If SSDlist is found,
				 * prepend automountMapName to the basedn
				 * in the SSDlist
				 *
				 */
				rc = __s_api_prepend_automountmapname(
				    service,
				    SSDlist,
				    errorp);

				if (rc != NS_LDAP_SUCCESS) {
					(void) __ns_ldap_freeSearchDescriptors(
					    SSDlist);
					*SSDlist = NULL;
				}

				return (rc);
			}
		}
	}

	/*
	 * Find the SSDtoUse service.
	 * If none found, flag "found" remains FALSE.
	 */
	for (i = 0; ns_def_map[i].service != NULL; i++) {
		if (ns_def_map[i].SSDtoUse_service &&
		    strcasecmp(service,
		    ns_def_map[i].service) == 0) {
			found = TRUE;
			SSD_service = ns_def_map[i].SSDtoUse_service;
			break;
		}
	}

	if (!found)
		return (NS_LDAP_SUCCESS);

	/*
	 * return the SSDs for SSD_service only if no optional filter
	 * component is defined in the SSDs
	 */
	rc = __ns_ldap_getSearchDescriptors(SSD_service,
	    SSDlist, errorp);
	if (rc != NS_LDAP_SUCCESS) {
		return (rc);
	} else {
		if (*SSDlist == NULL)
			return (NS_LDAP_SUCCESS);

		/* check to see if filter defined in SSD */
		for (sdlist = *SSDlist; *sdlist; sdlist++) {
			if ((*sdlist)->filter &&
			    strlen((*sdlist)->filter) > 0) {
				filter_found = TRUE;
				break;
			}
		}
		if (filter_found) {
			(void) __ns_ldap_freeSearchDescriptors(SSDlist);
			*SSDlist = NULL;
			(void) snprintf(errmsg, sizeof (errmsg),
			    gettext("Service search descriptor for "
			    "service '%s' contains filter, "
			    "which can not be used for "
			    "service '%s'."),
			    SSD_service, service);
			MKERROR(LOG_WARNING, *errorp, NS_CONFIG_FILE,
			    strdup(errmsg), NS_LDAP_CONFIG);
			return (NS_LDAP_CONFIG);
		}

	}
	return (NS_LDAP_SUCCESS);
}


/*
 * verify addr is an IPv4 address with the optional [:portno]
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_isipv4(char *addr)
{
	int i, seg, digit, port;

	if (!addr)
		return (0);

	digit = seg = port = 0;

	for (i = 0; i < strlen(addr); i++) {
		if (isdigit(addr[i])) {
			digit++;
			continue;
		}
		if (addr[i] == '.') {
			if (digit > 3 || digit == 0)
				return (0);
			digit = 0;
			seg++;
			continue;
		}
		if (addr[i] == ':') {
			if (digit > 3)
				return (0);
			port++;
			digit = 0;
			seg++;
			continue;
		}
		return (0);
	}

	if ((seg == 3 && port == 0 && digit > 0 && digit < 4) ||
	    (seg == 4 && port == 1 && digit > 0))
		return (1);

	return (0);
}


/*
 * verify addr is an IPv6 address with the optional [IPv6]:portno
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_isipv6(char *addr)
{
	int i, col, digit, port, dc, tc;
	char *laddr, *c1, *s;

	if (!addr)
		return (0);

	s = addr;
	laddr = NULL;
	digit = col = port = 0;
	if (addr[0] == '[') {
		laddr = strdup(addr);
		if (!laddr)
			return (0);
		c1 = strchr(laddr, ']');
		/* only 1 ']' should be in an addr */
		if (!c1 || (strchr(c1+1, ']')))
			goto bad;
		switch (c1[1]) {
			case ':':
				port++;
				for (i = 2; i < strlen(c1); i++) {
					if (!isdigit(c1[i]))
						goto bad;
					digit++;
				}
				if (!digit)
					goto bad;
				c1[0] = '\0';
				break;
			case '\0':
				c1[0] = '\0';
				break;
			default:
				goto bad;
		}
		s = &laddr[1];
	}

	digit = dc = tc = 0;
	for (i = 0; i < strlen(s); i++) {
		if (isxdigit(s[i])) {
			if (digit == 0)
				dc = i;
			digit++;
			col = 0;
			continue;
		}
		if (s[i] == ':') {
			tc++;
			if ((col > 1) || (i && !col && !digit))
				goto bad;
			digit = 0;
			col++;
			continue;
		}
		if (s[i] == '.') {
			if (__s_api_isipv4(&s[dc]) && tc)
				goto good;
			else
				goto bad;
		}
		goto bad;
	}

good:
	free(laddr);
	return (1);
bad:
	free(laddr);
	return (0);
}


/*
 * verify addr is a valid hostname with the optional [:portno]
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_ishost(char *addr)
{
	int i, seg, alpha, digit, port;

	if (!addr)
		return (0);

	alpha = digit = seg = port = 0;

	/* must start with alpha character */
	if (!isalpha(addr[0]))
		return (0);

	for (i = 0; i < strlen(addr); i++) {
		if (isalpha(addr[i]) || (i && addr[i] == '-')) {
			alpha++;
			continue;
		}
		if (isdigit(addr[i])) {
			digit++;
			continue;
		}
		if (addr[i] == '.') {
			if (!alpha && !digit)
				return (0);
			alpha = digit = 0;
			seg++;
			continue;
		}
		if (addr[i] == ':') {
			if (!alpha && !digit)
				return (0);
			alpha = digit = 0;
			port++;
			seg++;
			continue;
		}
		return (0);
	}

	if ((port == 0 && (seg || alpha || digit)) ||
	    (port == 1 && alpha == 0 && digit))
		return (1);

	return (0);
}


/*
 * Prepend automountMapName=auto_xxx to the basedn
 * in the SSDlist
 */

int __s_api_prepend_automountmapname(
	const char *service,
	ns_ldap_search_desc_t ***SSDlist,
	ns_ldap_error_t **errorp)
{
	int			i, rc;
	ns_ldap_search_desc_t	** ssdlist = NULL;

	if (service == NULL || SSDlist == NULL || *SSDlist == NULL)
		return (NS_LDAP_INVALID_PARAM);

	ssdlist = *SSDlist;

	for (i = 0; ssdlist[i] != NULL; i++) {
		rc = __s_api_prepend_automountmapname_to_dn(
		    service, &ssdlist[i]->basedn, errorp);

		if (rc != NS_LDAP_SUCCESS)
			return (rc);
	}

	return (NS_LDAP_SUCCESS);
}


/*
 * Prepend automountMapName=auto_xxx to the DN
 * Construct a string of
 * "automountMapName=auto_xxx,dn"
 *
 * If automountMapName is mapped to some other attribute,
 * then use the mapping in the setup.
 *
 * If a version 1 profile is in use, use nisMapName for
 * backward compatibility (i.e. "nisMapName=auto_xxx,dn").
 */

int
__s_api_prepend_automountmapname_to_dn(
	const char *service,
	char **dn,
	ns_ldap_error_t **errorp)
{
	int rc, len_s = 0, len_d = 0, len = 0;
	char *buffer = NULL;
	char *default_automountmapname = "automountMapName";
	char *automountmapname = NULL;
	char **mappedattrs = NULL;
	char errstr[MAXERROR];
	void **paramVal = NULL;

	if (service == NULL || dn == NULL || *dn == NULL)
		return (NS_LDAP_INVALID_PARAM);

	rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P, &paramVal, errorp);
	if (rc != NS_LDAP_SUCCESS || !paramVal || !*paramVal) {
		if (paramVal)
			(void) __ns_ldap_freeParam(&paramVal);
		return (rc);
	}
	if (strcasecmp(*paramVal, NS_LDAP_VERSION_1) == 0) {
		automountmapname = strdup("nisMapName");
		(void) __ns_ldap_freeParam(&paramVal);
		if (automountmapname == NULL) {
			return (NS_LDAP_MEMORY);
		}
	} else {
		(void) __ns_ldap_freeParam(&paramVal);

		/* Find mapped attribute name of auto_xxx first */
		mappedattrs = __ns_ldap_getMappedAttributes(
		    service, default_automountmapname);
		/*
		 * if mapped attribute name of auto_xxx is not found,
		 * find the mapped attribute name of automount
		 */

		if (mappedattrs == NULL)
			mappedattrs = __ns_ldap_getMappedAttributes(
			"automount", default_automountmapname);

		/*
		 * if mapped attr is not found, use the default automountmapname
		 */

		if (mappedattrs == NULL) {
			automountmapname = strdup(default_automountmapname);
			if (automountmapname == NULL)
				return (NS_LDAP_MEMORY);
		} else {
			if (mappedattrs[0] != NULL) {
				/*
				 * Copy it from the mapped attr list
				 * Assume it's 1 to 1 mapping
				 * 1 to n does not make sense
				 */
				automountmapname = strdup(mappedattrs[0]);
				__s_api_free2dArray(mappedattrs);
				if (automountmapname == NULL) {
					return (NS_LDAP_MEMORY);
				}
			} else {

				/*
				 * automountmapname is mapped to an empty string
				 */

				__s_api_free2dArray(mappedattrs);

				(void) sprintf(errstr,
				    gettext(
				    "Attribute automountMapName is "
				    "mapped to an empty string.\n"));

				MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX,
				    strdup(errstr), NS_LDAP_MEMORY);

				return (NS_LDAP_CONFIG);
			}
		}
	}

	len_s = strlen(service);
	len_d  = strlen(*dn);
	/* automountMapName + "=" + service + "," + dn + '\0' */
	len = strlen(automountmapname) + 1 + len_s + 1 + len_d + 1;
	buffer = (char *)malloc(len);
	if (buffer == NULL) {
		free(automountmapname);
		return (NS_LDAP_MEMORY);
	}

	(void) snprintf(buffer, len, "%s=%s,%s",
	    automountmapname, service, *dn);

	buffer[len-1] = '\0';

	free(automountmapname);

	/* free the original dn */
	(void) free(*dn);

	*dn = buffer;

	return (NS_LDAP_SUCCESS);
}

/*
 * Map the LDAP error code and error message from LDAP server
 * to a password status used for password aging/management.
 */
ns_ldap_passwd_status_t
__s_api_set_passwd_status(int errnum, char *errmsg)
{
	syslog(LOG_DEBUG, "libsldap: got LDAP errnum %d & message: %s ", errnum,
	    (errmsg != NULL) ? errmsg : "error msg not available");
	if (errmsg) {
		if (errnum ==
		    LDAP_INVALID_CREDENTIALS) {
			/*
			 * case 1 (Bind):
			 * password expired
			 */
			if (strstr(errmsg,
			    NS_PWDERR_EXPIRED))
				return (NS_PASSWD_EXPIRED);
		}

		if (errnum ==
		    LDAP_UNWILLING_TO_PERFORM) {
			/*
			 * case 1.1 (Bind):
			 * password expired
			 */
			if (strstr(errmsg,
			    NS_PWDERR_EXPIRED))
				return (NS_PASSWD_EXPIRED);

			/*
			 * case 2 (Bind):
			 * Account inactivated
			 */
			if (strstr(errmsg,
			    NS_PWDERR_ACCT_INACTIVATED))
				return (NS_PASSWD_EXPIRED);


			/*
			 * case 3 (Modify passwd):
			 * the user is not allow to change
			 * password; only admin can change it
			 */
			if (strstr(errmsg,
			    NS_PWDERR_CHANGE_NOT_ALLOW))
				return (NS_PASSWD_CHANGE_NOT_ALLOWED);
		}

		if (errnum ==
		    LDAP_CONSTRAINT_VIOLATION) {
			/*
			 * case 4 (Bind):
			 * the user account is locked due to
			 * too many login failures.
			 */
			if (strstr(errmsg,
			    NS_PWDERR_MAXTRIES))
				return (NS_PASSWD_RETRY_EXCEEDED);
			/*
			 * case 5 (Modify passwd):
			 * syntax error: the new password
			 * has length less than defined
			 * minimum
			 * Not true anymore with strong password
			 * policies on LDAP server: errmsg that
			 * contain NS_PWDERR_INVALID_SYNTAX may
			 * have different meanings.
			 * To keep compatibility with older password
			 * policy, check if errmsg is strictly equal
			 * to NS_PWDERR_INVALID_SYNTAX and if yes only,
			 * return NS_PASSWD_TOO_SHORT.
			 */
			if (strcmp(errmsg,
			    NS_PWDERR_INVALID_SYNTAX) == 0)
				return (NS_PASSWD_TOO_SHORT);
			if (strstr(errmsg,
			    NS_PWDERR_INVALID_SYNTAX))
				return (NS_PASSWD_INVALID_SYNTAX);
			/*
			 * case 6 (Modify passwd):
			 * trivial password: same value as
			 * that of attribute cn, sn, or uid ...
			 */
			if (strstr(errmsg,
			    NS_PWDERR_TRIVIAL_PASSWD))
				return (NS_PASSWD_INVALID_SYNTAX);
			/*
			 * case 7 (Modify passwd):
			 * re-use one of the old passwords
			 * in history list
			 */
			if (strstr(errmsg,
			    NS_PWDERR_IN_HISTORY))
				return (NS_PASSWD_IN_HISTORY);
			/*
			 * case 8 (Modify passwd):
			 * password not allowed to be
			 * changed yet; within minimum
			 * age
			 */
			if (strstr(errmsg,
			    NS_PWDERR_WITHIN_MIN_AGE))
				return (NS_PASSWD_WITHIN_MIN_AGE);
		}

	}

	return (NS_PASSWD_GOOD);
}

/*
 * Determine if the input OID list contains
 * one of the password control OIDs, which are:
 * LDAP_CONTROL_PWEXPIRED: 2.16.840.1.113730.3.4.4
 * LDAP_CONTROL_PWEXPIRING: 2.16.840.1.113730.3.4.5.
 * If yes, return 1, if no, 0.
 */
int
__s_api_contain_passwd_control_oid(char **oids)
{
	char **oid;

	if (oids == NULL)
		return (0);

	for (oid = oids; *oid; oid++) {
		if (strcmp(*oid, LDAP_CONTROL_PWEXPIRED) == 0 ||
		    strcmp(*oid, LDAP_CONTROL_PWEXPIRING) == 0) {
			return (1);
		}
	}

	return (0);
}

/*
 * Determine if the input OID list contains LDAP V3 password less
 * account management control OID, which is:
 * NS_LDAP_ACCOUNT_USABLE_CONTROL:1.3.6.1.4.1.42.2.27.9.5.8
 * If yes, return 1, if no, 0.
 */
int
__s_api_contain_account_usable_control_oid(char **oids)
{
	char **oid;

	if (oids == NULL)
		return (0);

	for (oid = oids; *oid; oid++) {
		if (strcmp(*oid, NS_LDAP_ACCOUNT_USABLE_CONTROL) == 0) {
			return (1);
		}
	}

	return (0);
}

/*
 * For some databases in name switch, the name and aliases are saved
 * as "cn". When the "cn" valuse are retrieved, there is no distinction
 * which is  the name and which is(are) aliase(s).
 * This function is to parse RDN and find the value of the "cn" and
 * then find the matching value in "cn" attribute.
 * Also see RFC 2307 section 5.6.
 *
 * Input -
 *  entry:	An LDAP entry
 *  attrptr:	A attribute which value appears in RDN
 *		This should be "cn" for the name switch for now.
 *  case_ignore:    0 Case sensitive comparison on the attribute value
 *		    1 Case insensitive comparison
 *
 * Return -
 *		The value of an attrbute which is used as canonical name
 *		This is read only and the caller should not try to free it.
 *		If it's a NULL, it could be either an RDN parsing error
 *		or RDN value does not match any existing "cn" values.
 *		e.g.
 *		dn: cn=xx+ipserviceprotocol=udp,......
 *		cn: aa
 *		cn: bb
 *
 * Note:
 *  Although the name switch/ldap's  rdn is in "cn=xx" or "cn=xx+..."
 * format, this function makes no such assumption. If the DN
 * is saved as "dn: yy=...+sn=my_canocical_name, ..", then it can still work.
 * The comments use "cn" as an example only.
 *
 */
typedef int (*cmpfunc)(const char *, const char *);

char *
__s_api_get_canonical_name(ns_ldap_entry_t *entry, ns_ldap_attr_t *attrptr,
			int case_ignore) {
	uint_t			i;
	char			*token, *lasts, *value = NULL;
	char			**rdn = NULL, **attrs = NULL, **values = NULL;
	char			*rdn_attr_value = NULL;
	cmpfunc			cmp;

	if (entry == NULL || attrptr == NULL)
		return (NULL);

	/* "values" is read-only */
	if ((values = __ns_ldap_getAttr(entry, "dn")) == NULL ||
	    values[0] == NULL)
		return (NULL);

	if ((rdn = ldap_explode_dn(values[0], 0)) == NULL ||
	    rdn[0] == NULL)
		return (NULL);

	if ((attrs = ldap_explode_rdn(rdn[0], 0)) == NULL) {
		ldap_value_free(rdn);
		return (NULL);
	}
	/* Assume the rdn is normalized */
	for (i = 0; attrs[i] != NULL; i++) {
		/* parse attribute name and value, get attribute name first */
		if ((token = strtok_r(attrs[i], "=", &lasts)) == NULL) {
			goto cleanup;
		}
		if (strcasecmp(token, attrptr->attrname) == 0) {
			/* get value */
			rdn_attr_value = lasts;
			break;
		}
	}
	if (rdn_attr_value) {
		if (case_ignore)
			cmp = strcasecmp;
		else
			cmp = strcmp;
		/*
		 * After parsing RDN and find the matching attribute in RDN,
		 * match rdn value with values in "cn".
		 */
		for (i = 0; i < attrptr->value_count; i++) {
			if (attrptr->attrvalue[i] &&
			    (*cmp)(rdn_attr_value,
			    attrptr->attrvalue[i]) == 0) {
				/* RDN "cn" value matches the "cn" value */
				value = attrptr->attrvalue[i];
				break;
			}
		}
	}
cleanup:
	ldap_value_free(rdn);
	ldap_value_free(attrs);

	return (value);
}

/*
 * This function requests a server to be removed from
 * the cache manager maintained server list. This is
 * done via the door functionality.
 * Returns 0 if OK, else a negative value.
 */

int
__s_api_removeServer(const char *server)
{
	union {
		ldap_data_t	s_d;
		char		s_b[DOORBUFFERSIZE];
	} space;

	ns_server_info_t		r, *ret = &r;
	const char		*ireq;
	ldap_data_t		*sptr;
	int			ndata;
	int			adata;
	int			len;
	int			rc;
	ns_ldap_error_t		*error = NULL;

	if (server == NULL)
		return (-1);

	ireq = NS_CACHE_NORESP;

	if (__s_api_isStandalone()) {
		/*
		 * Remove 'server' from the standalone server list.
		 * __s_api_findRootDSE() is the standalone version
		 * of getldap_get_serverInfo() used in ldap_cachemgr.
		 * Request NS_CACHE_NORESP indicates 'server' should
		 * be removed.
		 */
		if (__s_api_findRootDSE(ireq,
		    server,
		    NS_CACHE_ADDR_IP,
		    NULL,
		    &error) != NS_LDAP_SUCCESS) {
			syslog(LOG_WARNING,
			    "libsldap (\"standalone\" mode): "
			    " Unable to remove %s - %s",
			    server,
			    error != NULL && error->message != NULL ?
			    error->message : " no error info");
			if (error != NULL) {
				(void) __ns_ldap_freeError(&error);
			}

			return (NS_CACHE_NOSERVER);
		}

		return (0);
	}

	(void) memset(ret, 0, sizeof (ns_server_info_t));
	(void) memset(space.s_b, 0, DOORBUFFERSIZE);

	adata = (sizeof (ldap_call_t) + strlen(ireq) +
	    strlen(NS_CACHE_ADDR_IP) + 1);
	adata += strlen(DOORLINESEP) + 1;
	adata += strlen(server) + 1;

	ndata = sizeof (space);
	space.s_d.ldap_call.ldap_callnumber = GETLDAPSERVER;
	len = sizeof (space) - sizeof (space.s_d.ldap_call.ldap_callnumber);
	if (strlcpy(space.s_d.ldap_call.ldap_u.domainname, ireq, len) >= len)
		return (-1);
	if (strlcat(space.s_d.ldap_call.ldap_u.domainname,
	    NS_CACHE_ADDR_IP, len) >= len)
		return (-1);
	if (strlcat(space.s_d.ldap_call.ldap_u.domainname, DOORLINESEP, len) >=
	    len)
		return (-1);
	if (strlcat(space.s_d.ldap_call.ldap_u.domainname, server, len) >= len)
		return (-1);
	sptr = &space.s_d;

	/* try to remove the server via the door interface */
	rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata);

	/* clean up the door call */
	if (sptr != &space.s_d) {
		(void) munmap((char *)sptr, ndata);
	}

	return (rc);
}

void
__s_api_free_server_info(ns_server_info_t *sinfo) {
	if (sinfo->server) {
		free(sinfo->server);
		sinfo->server = NULL;
	}
	if (sinfo->serverFQDN) {
		free(sinfo->serverFQDN);
		sinfo->serverFQDN = NULL;
	}
	__s_api_free2dArray(sinfo->saslMechanisms);
	sinfo->saslMechanisms = NULL;
	__s_api_free2dArray(sinfo->controls);
	sinfo->controls = NULL;
}

/*
 * Create an ns_ldap_error structure, set status to 'rc',
 * and copy in the error message 'msg'.
 */
ns_ldap_error_t *
__s_api_make_error(int rc, char *msg) {
	ns_ldap_error_t *ep;

	ep = (ns_ldap_error_t *)calloc(1, sizeof (*ep));
	if (ep == NULL)
		return (NULL);

	ep->status = rc;
	if (msg != NULL)
		ep->message =  strdup(msg); /* OK if ep->message is NULL */

	return (ep);
}

/*
 * Make a copy of the input ns_ldap_error.
 */
ns_ldap_error_t *
__s_api_copy_error(ns_ldap_error_t *errorp) {
	ns_ldap_error_t *ep;
	char		*msg;

	if (errorp == NULL)
		return (NULL);

	ep = (ns_ldap_error_t *)malloc(sizeof (*ep));
	if (ep != NULL) {
		*ep = *errorp;
		if (ep->message != NULL) {
			msg = strdup(ep->message);
			if (msg == NULL) {
				free(ep);
				ep = NULL;
			} else
				ep->message = msg;
		}
	}
	return (ep);
}