usr/src/lib/libsldap/common/ns_common.c

root/usr/src/lib/libsldap/common/ns_common.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */


#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <libintl.h>
#include <ctype.h>

#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netdir.h>
#include <lber.h>
#include <ldap.h>

#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"

#define UDP     "/dev/udp"
#define MAXIFS  32

struct ifinfo {
        struct in_addr addr, netmask;
};

static ns_service_map ns_def_map[] = {
        { "passwd",     "ou=people,",           NULL },
        { "shadow",     "ou=people,",           "passwd" },
        { "user_attr",  "ou=people,",           "passwd" },
        { "audit_user", "ou=people,",           "passwd" },
        { "group",      "ou=group,",            NULL },
        { "rpc",        "ou=rpc,",              NULL },
        { "project",    "ou=projects,",         NULL },
        { "protocols",  "ou=protocols,",        NULL },
        { "networks",   "ou=networks,",         NULL },
        { "netmasks",   "ou=networks,",         "networks" },
        { "netgroup",   "ou=netgroup,",         NULL },
        { "aliases",    "ou=aliases,",          NULL },
        { "Hosts",      "ou=Hosts,",            NULL },
        { "ipnodes",    "ou=Hosts,",            "hosts" },
        { "Services",   "ou=Services,",         NULL },
        { "bootparams", "ou=ethers,",           "ethers" },
        { "ethers",     "ou=ethers,",           NULL },
        { "auth_attr",  "ou=SolarisAuthAttr,",  NULL },
        { "prof_attr",  "ou=SolarisProfAttr,",  NULL },
        { "exec_attr",  "ou=SolarisProfAttr,",  "prof_attr" },
        { "profile",    "ou=profile,",          NULL },
        { "printers",   "ou=printers,",         NULL },
        { "automount",  "",                     NULL },
        { "tnrhtp",     "ou=ipTnet,",           NULL },
        { "tnrhdb",     "ou=ipTnet,",           "tnrhtp" },
        { NULL, NULL, NULL }
};


static char ** parseDN(const char *val, const char *service);
static char ** sortServerNet(char **srvlist);
static char ** sortServerPref(char **srvlist, char **preflist,
                boolean_t flag, int version, int *error);

/*
 * FUNCTION:    s_api_printResult
 *      Given a ns_ldap_result structure print it.
 */
int
__s_api_printResult(ns_ldap_result_t *result)
{

        ns_ldap_entry_t *curEntry;
        int             i, j, k = 0;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_printResult START\n");
#endif
        (void) printf("--------------------------------------\n");
        if (result == NULL) {
                (void) printf("No result\n");
                return (0);
        }
        (void) printf("entries_count %d\n", result->entries_count);
        curEntry = result->entry;
        for (i = 0; i < result->entries_count; i++) {

                (void) printf("entry %d has attr_count = %d \n", i,
                    curEntry->attr_count);
                for (j = 0; j < curEntry->attr_count; j++) {
                        (void) printf("entry %d has attr_pair[%d] = %s \n",
                            i, j, curEntry->attr_pair[j]->attrname);
                        for (k = 0; k < 20 &&
                            curEntry->attr_pair[j]->attrvalue[k]; k++)
                                (void) printf("entry %d has attr_pair[%d]->"
                                    "attrvalue[%d] = %s \n", i, j, k,
                                    curEntry->attr_pair[j]->attrvalue[k]);
                }
                (void) printf("\n--------------------------------------\n");
                curEntry = curEntry->next;
        }
        return (1);
}

/*
 * FUNCTION:    __s_api_getSearchScope
 *
 *      Retrieve the search scope for ldap search from the config module.
 *
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_CONFIG
 * INPUT:               NONE
 * OUTPUT:              searchScope, errorp
 */
int
__s_api_getSearchScope(
        int *searchScope,
        ns_ldap_error_t **errorp)
{

        char            errmsg[MAXERROR];
        void            **paramVal = NULL;
        int             rc = 0;
        int             scope = 0;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_getSearchScope START\n");
#endif
        if (*searchScope == 0) {
                if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_SCOPE_P,
                    &paramVal, errorp)) != NS_LDAP_SUCCESS) {
                        return (rc);
                }
                if (paramVal && *paramVal)
                        scope = * (int *)(*paramVal);
                else
                        scope = NS_LDAP_SCOPE_ONELEVEL;
                (void) __ns_ldap_freeParam(&paramVal);
        } else {
                scope = *searchScope;
        }

        switch (scope) {

                case    NS_LDAP_SCOPE_ONELEVEL:
                        *searchScope = LDAP_SCOPE_ONELEVEL;
                        break;
                case    NS_LDAP_SCOPE_BASE:
                        *searchScope = LDAP_SCOPE_BASE;
                        break;
                case    NS_LDAP_SCOPE_SUBTREE:
                        *searchScope = LDAP_SCOPE_SUBTREE;
                        break;
                default:
                        (void) snprintf(errmsg, sizeof (errmsg),
                            gettext("Invalid search scope!"));
                        MKERROR(LOG_ERR, *errorp, NS_CONFIG_FILE,
                            strdup(errmsg), NS_LDAP_CONFIG);
                        return (NS_LDAP_CONFIG);
        }

        return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:    __ns_ldap_dupAuth
 *
 *      Duplicates an authentication structure.
 *
 * RETURN VALUES:       copy of authp or NULL on error
 * INPUT:               authp
 */
ns_cred_t *
__ns_ldap_dupAuth(const ns_cred_t *authp)
{
        ns_cred_t *ap;

#ifdef DEBUG
        (void) fprintf(stderr, "__ns_ldap_dupAuth START\n");
#endif
        if (authp == NULL)
                return (NULL);

        ap = (ns_cred_t *)calloc(1, sizeof (ns_cred_t));
        if (ap == NULL)
                return (NULL);

        if (authp->hostcertpath) {
                ap->hostcertpath = strdup(authp->hostcertpath);
                if (ap->hostcertpath == NULL) {
                        free(ap);
                        return (NULL);
                }
        }
        if (authp->cred.unix_cred.userID) {
                ap->cred.unix_cred.userID =
                    strdup(authp->cred.unix_cred.userID);
                if (ap->cred.unix_cred.userID == NULL) {
                        (void) __ns_ldap_freeCred(&ap);
                        return (NULL);
                }
        }
        if (authp->cred.unix_cred.passwd) {
                ap->cred.unix_cred.passwd =
                    strdup(authp->cred.unix_cred.passwd);
                if (ap->cred.unix_cred.passwd == NULL) {
                        (void) __ns_ldap_freeCred(&ap);
                        return (NULL);
                }
        }
        if (authp->cred.cert_cred.nickname) {
                ap->cred.cert_cred.nickname =
                    strdup(authp->cred.cert_cred.nickname);
                if (ap->cred.cert_cred.nickname == NULL) {
                        (void) __ns_ldap_freeCred(&ap);
                        return (NULL);
                }
        }
        ap->auth.type = authp->auth.type;
        ap->auth.tlstype = authp->auth.tlstype;
        ap->auth.saslmech = authp->auth.saslmech;
        ap->auth.saslopt = authp->auth.saslopt;
        return (ap);
}

/*
 * FUNCTION:    __ns_ldap_freeUnixCred
 *
 *      Frees all the memory associated with a UnixCred_t structure.
 *
 * RETURN VALUES:       NS_LDAP_INVALID_PARAM, NS_LDAP_SUCCESS
 * INPUT:               UnixCred
 */
int
__ns_ldap_freeUnixCred(UnixCred_t ** credp)
{
        UnixCred_t *ap;

#ifdef DEBUG
        (void) fprintf(stderr, "__ns_ldap_freeUnixCred START\n");
#endif
        if (credp == NULL || *credp == NULL)
                return (NS_LDAP_INVALID_PARAM);

        ap = *credp;
        if (ap->userID) {
                (void) memset(ap->userID, 0, strlen(ap->userID));
                free(ap->userID);
        }

        if (ap->passwd) {
                (void) memset(ap->passwd, 0, strlen(ap->passwd));
                free(ap->passwd);
        }

        free(ap);
        *credp = NULL;
        return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:    __ns_ldap_freeCred
 *
 *      Frees all the memory associated with a ns_cred_t structure.
 *
 * RETURN VALUES:       NS_LDAP_INVALID_PARAM, NS_LDAP_SUCCESS
 * INPUT:               ns_cred_t
 */
int
__ns_ldap_freeCred(ns_cred_t ** credp)
{
        ns_cred_t *ap;

#ifdef DEBUG
        (void) fprintf(stderr, "__ns_ldap_freeCred START\n");
#endif
        if (credp == NULL || *credp == NULL)
                return (NS_LDAP_INVALID_PARAM);

        ap = *credp;
        if (ap->hostcertpath) {
                (void) memset(ap->hostcertpath, 0,
                    strlen(ap->hostcertpath));
                free(ap->hostcertpath);
        }

        if (ap->cred.unix_cred.userID) {
                (void) memset(ap->cred.unix_cred.userID, 0,
                    strlen(ap->cred.unix_cred.userID));
                free(ap->cred.unix_cred.userID);
        }

        if (ap->cred.unix_cred.passwd) {
                (void) memset(ap->cred.unix_cred.passwd, 0,
                    strlen(ap->cred.unix_cred.passwd));
                free(ap->cred.unix_cred.passwd);
        }

        if (ap->cred.cert_cred.nickname) {
                (void) memset(ap->cred.cert_cred.nickname, 0,
                    strlen(ap->cred.cert_cred.nickname));
                free(ap->cred.cert_cred.nickname);
        }

        free(ap);
        *credp = NULL;
        return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:    __s_api_is_auth_matched
 *
 *      Compare an authentication structure.
 *
 * RETURN VALUES:       B_TRUE if matched, B_FALSE otherwise.
 * INPUT:               auth1, auth2
 */
boolean_t
__s_api_is_auth_matched(const ns_cred_t *auth1,
    const ns_cred_t *auth2)
{
        if ((auth1->auth.type != auth2->auth.type) ||
            (auth1->auth.tlstype != auth2->auth.tlstype) ||
            (auth1->auth.saslmech != auth2->auth.saslmech) ||
            (auth1->auth.saslopt != auth2->auth.saslopt))
                return (B_FALSE);

        if ((((auth1->auth.type == NS_LDAP_AUTH_SASL) &&
            ((auth1->auth.saslmech == NS_LDAP_SASL_CRAM_MD5) ||
            (auth1->auth.saslmech == NS_LDAP_SASL_DIGEST_MD5))) ||
            (auth1->auth.type == NS_LDAP_AUTH_SIMPLE)) &&
            ((auth1->cred.unix_cred.userID == NULL) ||
            (auth1->cred.unix_cred.passwd == NULL) ||
            ((strcasecmp(auth1->cred.unix_cred.userID,
            auth2->cred.unix_cred.userID) != 0)) ||
            ((strcmp(auth1->cred.unix_cred.passwd,
            auth2->cred.unix_cred.passwd) != 0))))
                return (B_FALSE);

        return (B_TRUE);
}

/*
 * FUNCTION:    __s_api_getDNs
 *
 *      Retrieves the default base dn for the given
 *      service.
 *
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_CONFIG
 * INPUT:               service
 * OUTPUT:              DN, error
 */
typedef int (*pf)(const char *, char **, ns_ldap_error_t **);
int
__s_api_getDNs(
        char *** DN,
        const char *service,
        ns_ldap_error_t ** error)
{

        void    **paramVal = NULL;
        char    **dns = NULL;
        int     rc = 0;
        int     i, len;
        pf      prepend_auto2dn = __s_api_prepend_automountmapname_to_dn;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_getDNs START\n");
#endif
        if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_BASEDN_P,
            &paramVal, error)) != NS_LDAP_SUCCESS) {
                return (rc);
        }
        if (!paramVal) {
                char errmsg[MAXERROR];

                (void) snprintf(errmsg, sizeof (errmsg),
                    gettext("BaseDN not defined"));
                MKERROR(LOG_ERR, *error, NS_CONFIG_FILE, strdup(errmsg),
                    NS_LDAP_CONFIG);
                return (NS_LDAP_CONFIG);
        }

        dns = (char **)calloc(2, sizeof (char *));
        if (dns == NULL) {
                (void) __ns_ldap_freeParam(&paramVal);
                return (NS_LDAP_MEMORY);
        }

        if (service == NULL) {
                dns[0] = strdup((char *)*paramVal);
                if (dns[0] == NULL) {
                        (void) __ns_ldap_freeParam(&paramVal);
                        free(dns);
                        return (NS_LDAP_MEMORY);
                }
        } else {
                for (i = 0; ns_def_map[i].service != NULL; i++) {
                        if (strcasecmp(service,
                            ns_def_map[i].service) == 0) {

                                len = strlen((char *)*paramVal) +
                                    strlen(ns_def_map[i].rdn) + 1;
                                dns[0] = (char *)
                                    calloc(len, sizeof (char));
                                if (dns[0] == NULL) {
                                        (void) __ns_ldap_freeParam(
                                            &paramVal);
                                        free(dns);
                                        return (NS_LDAP_MEMORY);
                                }
                                (void) strcpy(dns[0],
                                    ns_def_map[i].rdn);
                                (void) strcat(dns[0],
                                    (char *)*paramVal);
                                break;
                        }
                }
                if (ns_def_map[i].service == NULL) {
                        char *p = (char *)*paramVal;
                        char *buffer = NULL;
                        int  buflen = 0;

                        if (strchr(service, '=') == NULL) {
                            /* automount entries */
                                if (strncasecmp(service, "auto_", 5) == 0) {
                                        buffer = strdup(p);
                                        if (!buffer) {
                                                free(dns);
                                                (void) __ns_ldap_freeParam(
                                                    &paramVal);
                                                return (NS_LDAP_MEMORY);
                                        }
                                        /* shorten name to avoid cstyle error */
                                        rc = prepend_auto2dn(
                                            service, &buffer, error);
                                        if (rc != NS_LDAP_SUCCESS) {
                                                free(dns);
                                                free(buffer);
                                                (void) __ns_ldap_freeParam(
                                                    &paramVal);
                                                return (rc);
                                        }
                                } else {
                                /* strlen("nisMapName")+"="+","+'\0' = 13 */
                                        buflen = strlen(service) + strlen(p) +
                                            13;
                                        buffer = (char *)malloc(buflen);
                                        if (buffer == NULL) {
                                                free(dns);
                                                (void) __ns_ldap_freeParam(
                                                    &paramVal);
                                                return (NS_LDAP_MEMORY);
                                        }
                                        (void) snprintf(buffer, buflen,
                                            "nisMapName=%s,%s", service, p);
                                }
                        } else {
                                buflen = strlen(service) + strlen(p) + 2;
                                buffer = (char *)malloc(buflen);
                                if (buffer == NULL) {
                                        free(dns);
                                        (void) __ns_ldap_freeParam(&paramVal);
                                        return (NS_LDAP_MEMORY);
                                }
                                (void) snprintf(buffer, buflen,
                                    "%s,%s", service, p);
                        }
                        dns[0] = buffer;
                }
        }

        (void) __ns_ldap_freeParam(&paramVal);
        *DN = dns;
        return (NS_LDAP_SUCCESS);
}
/*
 * FUNCTION:    __s_api_get_search_DNs_v1
 *
 *      Retrieves the list of search DNS from the V1 profile for the given
 *      service.
 *
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_CONFIG
 * INPUT:               service
 * OUTPUT:              DN, error
 */
int
__s_api_get_search_DNs_v1(
        char *** DN,
        const char *service,
        ns_ldap_error_t ** error)
{

        void    **paramVal = NULL;
        void    **temptr = NULL;
        char    **dns = NULL;
        int     rc = 0;

        if ((rc = __ns_ldap_getParam(NS_LDAP_SEARCH_DN_P,
            &paramVal, error)) != NS_LDAP_SUCCESS) {
                return (rc);
        }

        if (service && paramVal) {
                for (temptr = paramVal; *temptr != NULL; temptr++) {
                        dns = parseDN((const char *)(*temptr),
                            (const char *)service);
                        if (dns != NULL)
                                break;
                }
        }

        (void) __ns_ldap_freeParam(&paramVal);
        *DN = dns;
        return (NS_LDAP_SUCCESS);

}
/*
 * FUNCTION:    parseDN
 *
 *      Parse a special formated list(val) into an array of char *.
 *
 * RETURN VALUE:        A char * pointer to the new list of dns.
 * INPUT:               val, service
 */
static char **
parseDN(
        const char *val,
        const char *service)
{

        size_t          len = 0;
        size_t          slen = 0;
        char            **retVal = NULL;
        const char      *temptr;
        char            *temptr2;
        const char      *valend;
        int             valNo = 0;
        int             valSize = 0;
        int             i;
        char            *SSD_service = NULL;

#ifdef DEBUG
        (void) fprintf(stderr, "parseDN START\n");
#endif
        if (val == NULL || *val == '\0')
                return (NULL);
        if (service == NULL || *service == '\0')
                return (NULL);

        len = strlen(val);
        slen = strlen(service);
        if (strncasecmp(val, service, slen) != 0) {
                /*
                 * This routine is only called
                 * to process V1 profile and
                 * for V1 profile, map service
                 * to the corresponding SSD_service
                 * which is associated with a
                 * real container in the LDAP directory
                 * tree, e.g., map "shadow" to
                 * "password". See function
                 * __s_api_get_SSD_from_SSDtoUse_service
                 * for similar service to SSD_service
                 * mapping handling for V2 profile.
                 */
                for (i = 0; ns_def_map[i].service != NULL; i++) {
                        if (ns_def_map[i].SSDtoUse_service &&
                            strcasecmp(service,
                            ns_def_map[i].service) == 0) {
                                SSD_service =
                                    ns_def_map[i].SSDtoUse_service;
                                break;
                        }
                }

                if (SSD_service == NULL)
                        return (NULL);

                slen = strlen(SSD_service);
                if (strncasecmp(val, SSD_service, slen) != 0)
                        return (NULL);
        }

        temptr = val + slen;
        while (*temptr == SPACETOK || *temptr == TABTOK)
                temptr++;
        if (*temptr != COLONTOK)
                return (NULL);

        while (*temptr) {
                temptr2 = strchr(temptr, OPARATOK);
                if (temptr2 == NULL)
                        break;
                temptr2++;
                temptr2 = strchr(temptr2, CPARATOK);
                if (temptr2 == NULL)
                        break;
                valNo++;
                temptr = temptr2+1;
        }

        retVal = (char **)calloc(valNo +1, sizeof (char *));
        if (retVal == NULL)
                return (NULL);

        temptr = val;
        valend = val+len;

        for (i = 0; (i < valNo) && (temptr < valend); i++) {
                temptr = strchr(temptr, OPARATOK);
                if (temptr == NULL) {
                        __s_api_free2dArray(retVal);
                        return (NULL);
                }
                temptr++;
                temptr2 = strchr(temptr, CPARATOK);
                if (temptr2 == NULL) {
                        __s_api_free2dArray(retVal);
                        return (NULL);
                }
                valSize = temptr2 - temptr;

                retVal[i] = (char *)calloc(valSize + 1, sizeof (char));
                if (retVal[i] == NULL) {
                        __s_api_free2dArray(retVal);
                        return (NULL);
                }
                (void) strncpy(retVal[i], temptr, valSize);
                retVal[i][valSize] = '\0';
                temptr = temptr2 + 1;
        }

        return (retVal);
}


/*
 * __s_api_get_local_interfaces
 *
 * Returns a pointer to an array of addresses and netmasks of all interfaces
 * configured on the system.
 *
 * NOTE: This function is very IPv4 centric.
 */
static struct ifinfo *
__s_api_get_local_interfaces()
{
        struct ifconf           ifc;
        struct ifreq            ifreq, *ifr;
        struct ifinfo           *localinfo;
        struct in_addr          netmask;
        struct sockaddr_in      *sin;
        void                    *buf = NULL;
        int                     fd = 0;
        int                     numifs = 0;
        int                     i, n = 0;

        if ((fd = open(UDP, O_RDONLY)) < 0)
                return ((struct ifinfo *)NULL);

        if (ioctl(fd, SIOCGIFNUM, (char *)&numifs) < 0) {
                numifs = MAXIFS;
        }

        buf = malloc(numifs * sizeof (struct ifreq));
        if (buf == NULL) {
                (void) close(fd);
                return ((struct ifinfo *)NULL);
        }
        ifc.ifc_len = numifs * (int)sizeof (struct ifreq);
        ifc.ifc_buf = buf;
        if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0) {
                (void) close(fd);
                free(buf);
                buf = NULL;
                return ((struct ifinfo *)NULL);
        }
        ifr = (struct ifreq *)buf;
        numifs = ifc.ifc_len/(int)sizeof (struct ifreq);
        localinfo = (struct ifinfo *)malloc((numifs + 1) *
            sizeof (struct ifinfo));
        if (localinfo == NULL) {
                (void) close(fd);
                free(buf);
                buf = NULL;
                return ((struct ifinfo *)NULL);
        }

        for (i = 0, n = numifs; n > 0; n--, ifr++) {
                uint_t ifrflags;

                ifreq = *ifr;
                if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifreq) < 0)
                        continue;

                ifrflags = ifreq.ifr_flags;
                if (((ifrflags & IFF_UP) == 0) ||
                    (ifr->ifr_addr.sa_family != AF_INET))
                        continue;

                if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifreq) < 0)
                        continue;
                netmask = ((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr;

                if (ioctl(fd, SIOCGIFADDR, (char *)&ifreq) < 0)
                        continue;

                sin = (struct sockaddr_in *)&ifreq.ifr_addr;

                localinfo[i].addr = sin->sin_addr;
                localinfo[i].netmask = netmask;
                i++;
        }
        localinfo[i].addr.s_addr = 0;

        free(buf);
        buf = NULL;
        (void) close(fd);
        return (localinfo);
}


/*
 * __s_api_samenet(char *, struct ifinfo *)
 *
 * Returns 1 if address is on the same subnet of the array of addresses
 * passed in.
 *
 * NOTE: This function is only valid for IPv4 addresses.
 */
static int
__s_api_IPv4sameNet(char *addr, struct ifinfo *ifs)
{
        int             answer = 0;

        if (addr && ifs) {
                char            *addr_raw;
                unsigned long   iaddr;
                int             i;

                if ((addr_raw = strdup(addr)) != NULL) {
                        char    *s;

                        /* Remove port number. */
                        if ((s = strchr(addr_raw, ':')) != NULL)
                                *s = '\0';

                        iaddr = inet_addr(addr_raw);

                        /* Loop through interface list to find match. */
                        for (i = 0; ifs[i].addr.s_addr != 0; i++) {
                                if ((iaddr & ifs[i].netmask.s_addr) ==
                                    (ifs[i].addr.s_addr &
                                    ifs[i].netmask.s_addr))
                                        answer++;
                        }
                        free(addr_raw);
                }
        }

        return (answer);
}

/*
 * FUNCTION:    __s_api_getServers
 *
 *      Retrieve a list of ldap servers from the config module.
 *
 * RETURN VALUE:        NS_LDAP_SUCCESS, NS_LDAP_CONFIG, NS_LDAP_MEMORY
 * INPUT:               NONE
 * OUTPUT:              servers, error
 */
int
__s_api_getServers(
                char *** servers,
                ns_ldap_error_t ** error)
{
        void    **paramVal = NULL;
        char    errmsg[MAXERROR];
        char    **sortServers = NULL;
        char    **netservers = NULL;
        int     rc = 0, err = NS_LDAP_CONFIG, version = 1;
        const   char    *str, *str1;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_getServers START\n");
#endif
        *servers = NULL;
        /* get profile version number */
        if ((rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P,
            &paramVal, error)) != NS_LDAP_SUCCESS)
                return (rc);

        if (paramVal == NULL || *paramVal == NULL) {
                (void) snprintf(errmsg, sizeof (errmsg),
                    gettext("No file version"));
                MKERROR(LOG_INFO, *error, NS_CONFIG_FILE, strdup(errmsg),
                    NS_LDAP_CONFIG);
                return (NS_LDAP_CONFIG);
        }

        if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_1) == 0)
                version = 1;
        else if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_2) == 0)
                version = 2;

        (void) __ns_ldap_freeParam(&paramVal);
        paramVal = NULL;

        if ((rc = __ns_ldap_getParam(NS_LDAP_SERVERS_P,
            &paramVal, error)) != NS_LDAP_SUCCESS)
                return (rc);

        /*
         * For version 2, default server list could be
         * empty.
         */
        if ((paramVal == NULL || (char *)*paramVal == NULL) &&
            version == 1) {
                str = NULL_OR_STR(__s_api_get_configname(NS_LDAP_SERVERS_P));
                (void) snprintf(errmsg, sizeof (errmsg),
                    gettext("Unable to retrieve the '%s' list"), str);
                MKERROR(LOG_WARNING, *error, NS_CONFIG_FILE, strdup(errmsg),
                    NS_LDAP_CONFIG);
                return (NS_LDAP_CONFIG);
        }

        /*
         * Get server address(es) and go through them.
         */
        *servers = (char **)paramVal;
        paramVal = NULL;

        /* Sort servers based on network. */
        if (*servers) {
                netservers = sortServerNet(*servers);
                if (netservers) {
                        free(*servers);
                        *servers = netservers;
                } else {
                        return (NS_LDAP_MEMORY);
                }
        }

        /* Get preferred server list and sort servers based on that. */
        if ((rc = __ns_ldap_getParam(NS_LDAP_SERVER_PREF_P,
            &paramVal, error)) != NS_LDAP_SUCCESS) {
                if (*servers)
                        __s_api_free2dArray(*servers);
                *servers = NULL;
                return (rc);
        }

        if (paramVal != NULL) {
                char **prefServers;
                void **val = NULL;

                if ((rc =  __ns_ldap_getParam(NS_LDAP_PREF_ONLY_P,
                    &val, error)) != NS_LDAP_SUCCESS) {
                                if (*servers)
                                        __s_api_free2dArray(*servers);
                                *servers = NULL;
                        (void) __ns_ldap_freeParam(&paramVal);
                        return (rc);
                }

                prefServers = (char **)paramVal;
                paramVal = NULL;
                if (prefServers) {
                        if (val != NULL && (*val) != NULL &&
                            *(int *)val[0] == 1)
                                sortServers = sortServerPref(*servers,
                                    prefServers, B_FALSE, version,
                                    &err);
                        else
                                sortServers = sortServerPref(*servers,
                                    prefServers, B_TRUE, version,
                                    &err);
                        if (sortServers) {
                                if (*servers)
                                        free(*servers);
                                *servers = NULL;
                                free(prefServers);
                                prefServers = NULL;
                                *servers = sortServers;
                        } else {
                                if (*servers)
                                        __s_api_free2dArray(*servers);
                                *servers = NULL;
                                __s_api_free2dArray(prefServers);
                                prefServers = NULL;
                        }
                }
                (void) __ns_ldap_freeParam(&val);
        }
        (void) __ns_ldap_freeParam(&paramVal);

        if (*servers == NULL) {
                if (err == NS_LDAP_CONFIG) {
                str = NULL_OR_STR(__s_api_get_configname(
                    NS_LDAP_SERVERS_P));
                str1 = NULL_OR_STR(__s_api_get_configname(
                    NS_LDAP_SERVER_PREF_P));
                        (void) snprintf(errmsg, sizeof (errmsg),
                            gettext("Unable to generate a new server list "
                            "based on '%s' and/or '%s'"), str, str1);
                        MKERROR(LOG_WARNING, *error, NS_CONFIG_FILE,
                            strdup(errmsg), err);
                        return (err);
                }
                return (NS_LDAP_MEMORY);
        }

        return (NS_LDAP_SUCCESS);

}

/*
 * FUNCTION:    sortServerNet
 *      Sort the serverlist based on the distance from client as long
 *      as the list only contains IPv4 addresses.  Otherwise do nothing.
 */
static char **
sortServerNet(char **srvlist)
{
        int             count = 0;
        int             all = 0;
        int             ipv4only = 1;
        struct ifinfo   *ifs = __s_api_get_local_interfaces();
        char            **tsrvs;
        char            **psrvs, **retsrvs;

        /* Sanity check. */
        if (srvlist == NULL || srvlist[0] == NULL)
                return (NULL);

        /* Count the number of servers to sort. */
        for (count = 0; srvlist[count] != NULL; count++) {
                if (!__s_api_isipv4(srvlist[count]))
                        ipv4only = 0;
        }
        count++;

        /* Make room for the returned list of servers. */
        retsrvs = (char **)calloc(count, sizeof (char *));
        if (retsrvs == NULL) {
                free(ifs);
                ifs = NULL;
                return (NULL);
        }

        retsrvs[count - 1] = NULL;

        /* Make a temporary list of servers. */
        psrvs = (char **)calloc(count, sizeof (char *));
        if (psrvs == NULL) {
                free(ifs);
                ifs = NULL;
                free(retsrvs);
                retsrvs = NULL;
                return (NULL);
        }

        /* Filter servers on the same subnet */
        tsrvs = srvlist;
        while (*tsrvs) {
                if (ipv4only && __s_api_IPv4sameNet(*tsrvs, ifs)) {
                        psrvs[all] = *tsrvs;
                        retsrvs[all++] = *(tsrvs);
                }
                tsrvs++;
        }

        /* Filter remaining servers. */
        tsrvs = srvlist;
        while (*tsrvs) {
                char    **ttsrvs = psrvs;

                while (*ttsrvs) {
                        if (strcmp(*tsrvs, *ttsrvs) == 0)
                                break;
                        ttsrvs++;
                }

                if (*ttsrvs == NULL)
                        retsrvs[all++] = *(tsrvs);
                tsrvs++;
        }

        free(ifs);
        ifs = NULL;
        free(psrvs);
        psrvs = NULL;

        return (retsrvs);
}

/*
 * FUNCTION:    sortServerPref
 *      Sort the serverlist based on the preferred server list.
 *
 * The sorting algorithm works as follows:
 *
 * If version 1, if flag is TRUE, find all the servers in both preflist
 * and srvlist, then append other servers in srvlist to this list
 * and return the list.
 * If flag is FALSE, just return srvlist.
 * srvlist can not be empty.
 *
 * If version 2, append all the servers in srvlist
 * but not in preflist to preflist, and return the merged list.
 * If srvlist is empty, just return preflist.
 * If preflist is empty, just return srvlist.
 */
static char **
sortServerPref(char **srvlist, char **preflist,
                boolean_t flag, int version, int *error)
{
        int             i, scount = 0, pcount = 0;
        int             all = 0, dup = 0;
        char            **tsrvs;
        char            **retsrvs;
        char            **dupsrvs;

        /* Count the number of servers to sort. */
        if (srvlist && srvlist[0])
                for (i = 0; srvlist[i] != NULL; i++)
                        scount++;

        /* Sanity check. */
        if (scount == 0 && version == 1) {
                *error = NS_LDAP_CONFIG;
                return (NULL);
        }

        /* Count the number of preferred servers */
        if (preflist && preflist[0])
                for (i = 0; preflist[i] != NULL; i++)
                        pcount++;

        /* Sanity check. */
        if (scount == 0 && pcount == 0) {
                *error = NS_LDAP_CONFIG;
                return (NULL);
        }

        /* Make room for the returned list of servers */
        retsrvs = (char **)calloc(scount + pcount + 1, sizeof (char *));
        if (retsrvs == NULL) {
                *error = NS_LDAP_MEMORY;
                return (NULL);
        }

        /*
         * if the preferred server list is empty,
         * just return a copy of the server list
         */
        if (pcount == 0) {
                tsrvs = srvlist;
                while (*tsrvs)
                        retsrvs[all++] = *(tsrvs++);
                return (retsrvs);
        }
        all = 0;

        /*
         * if the server list is empty,
         * just return a copy of the preferred server list
         */
        if (scount == 0) {
                tsrvs = preflist;
                while (*tsrvs)
                        retsrvs[all++] = *(tsrvs++);
                return (retsrvs);
        }
        all = 0;

        /* Make room for the servers whose memory needs to be freed */
        dupsrvs = (char **)calloc(scount + pcount + 1, sizeof (char *));
        if (dupsrvs == NULL) {
                free(retsrvs);
                *error = NS_LDAP_MEMORY;
                return (NULL);
        }

        /*
         * If version 1,
         * throw out preferred servers not on server list.
         * If version 2, make a copy of the preferred server list.
         */
        if (version == 1) {
                tsrvs = preflist;
                while (*tsrvs) {
                        char    **ttsrvs = srvlist;

                        while (*ttsrvs) {
                                if (strcmp(*tsrvs, *(ttsrvs)) == 0)
                                        break;
                                ttsrvs++;
                        }
                        if (*ttsrvs != NULL)
                                retsrvs[all++] = *tsrvs;
                        else
                                dupsrvs[dup++] = *tsrvs;
                        tsrvs++;
                }
        } else {
                tsrvs = preflist;
                while (*tsrvs)
                        retsrvs[all++] = *(tsrvs++);
        }
        /*
         * If version 1,
         * if PREF_ONLY is false, we append the non-preferred servers
         * to bottom of list.
         * For version 2, always append.
         */
        if (flag == B_TRUE || version != 1) {

                tsrvs = srvlist;
                while (*tsrvs) {
                        char    **ttsrvs = preflist;

                        while (*ttsrvs) {
                                if (strcmp(*tsrvs, *ttsrvs) == 0) {
                                        break;
                                }
                                ttsrvs++;
                        }
                        if (*ttsrvs == NULL)
                                retsrvs[all++] = *tsrvs;
                        else
                                dupsrvs[dup++] = *tsrvs;
                        tsrvs++;
                }
        }

        /* free memory for duplicate servers */
        if (dup) {
                for (tsrvs = dupsrvs; *tsrvs; tsrvs++)
                        free(*tsrvs);
        }
        free(dupsrvs);

        return (retsrvs);
}

/*
 * FUNCTION:    __s_api_removeBadServers
 *      Contacts the ldap cache manager for marking the
 *      problem servers as down, so that the server is
 *      not contacted until the TTL expires.
 */
void
__s_api_removeBadServers(char ** Servers)
{

        char    **host;

        if (Servers == NULL)
                return;

        for (host = Servers; *host != NULL; host++) {
                if (__s_api_removeServer(*host) < 0) {
                        /*
                         * Couldn't remove server from
                         * server list. Log a warning.
                         */
                        syslog(LOG_WARNING, "libsldap: could "
                            "not remove %s from servers list", *host);
                }
        }
}

/*
 * FUNCTION:    __s_api_free2dArray
 */
void
__s_api_free2dArray(char ** inarray)
{

        char    **temptr;

        if (inarray == NULL)
                return;

        for (temptr = inarray; *temptr != NULL; temptr++) {
                free(*temptr);
        }
        free(inarray);
}

/*
 * FUNCTION:    __s_api_cp2dArray
 */
char **
__s_api_cp2dArray(char **inarray)
{
        char    **newarray;
        char     **ttarray, *ret;
        int     count;

        if (inarray == NULL)
                return (NULL);

        for (count = 0; inarray[count] != NULL; count++)
                ;

        newarray = (char **)calloc(count + 1, sizeof (char *));
        if (newarray == NULL)
                return (NULL);

        ttarray = newarray;
        for (; *inarray; inarray++) {
                *(ttarray++) = ret = strdup(*inarray);
                if (ret == NULL) {
                        __s_api_free2dArray(newarray);
                        return (NULL);
                }
        }
        return (newarray);
}

/*
 * FUNCTION:    __s_api_isCtrlSupported
 *      Determines if the passed control is supported by the LDAP sever.
 * RETURNS:     NS_LDAP_SUCCESS if yes, NS_LDAP_OP_FAIL if not.
 */
int
__s_api_isCtrlSupported(Connection *con, char *ctrlString)
{
        char            **ctrl;
        int             len;

        len = strlen(ctrlString);
        for (ctrl = con->controls; ctrl && *ctrl; ctrl++) {
                if (strncasecmp(*ctrl, ctrlString, len) == 0)
                        return (NS_LDAP_SUCCESS);
        }
        return (NS_LDAP_OP_FAILED);
}

/*
 * FUNCTION:    __s_api_toFollowReferrals
 *      Determines if need to follow referral for an SLDAP API.
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_INVALID_PARAM, or
 *                      other rc from __ns_ldap_getParam()
 * INPUT:               flags
 * OUTPUT:              toFollow, errorp
 */
int
__s_api_toFollowReferrals(const int flags,
        int *toFollow,
        ns_ldap_error_t **errorp)
{
        void            **paramVal = NULL;
        int             rc = 0;
        int             iflags = 0;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_toFollowReferrals START\n");
#endif

        /* Either NS_LDAP_NOREF or NS_LDAP_FOLLOWREF not both */
        if ((flags & (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) ==
            (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) {
                return (NS_LDAP_INVALID_PARAM);
        }

        /*
         * if the NS_LDAP_NOREF or NS_LDAP_FOLLOWREF is set
         * this will take precendence over the values specified
         * in the configuration file
         */
        if (flags & (NS_LDAP_NOREF | NS_LDAP_FOLLOWREF)) {
                        iflags = flags;
        } else {
                rc = __ns_ldap_getParam(NS_LDAP_SEARCH_REF_P,
                    &paramVal, errorp);
                if (rc != NS_LDAP_SUCCESS)
                        return (rc);
                if (paramVal == NULL || *paramVal == NULL) {
                        (void) __ns_ldap_freeParam(&paramVal);
                        if (*errorp)
                                (void) __ns_ldap_freeError(errorp);
                        *toFollow = TRUE;
                        return (NS_LDAP_SUCCESS);
                }
                iflags = (* (int *)(*paramVal));
                (void) __ns_ldap_freeParam(&paramVal);
        }

        if (iflags & NS_LDAP_NOREF)
                *toFollow = FALSE;
        else
                *toFollow = TRUE;

        return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:    __s_api_addRefInfo
 *      Insert a referral info into a referral info list.
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_OP_FAILED
 * INPUT:               LDAP URL, pointer to the referral info list,
 *                      search baseDN, search scope, search filter,
 *                      previous connection
 */
int
__s_api_addRefInfo(ns_referral_info_t **head, char *url,
                        char *baseDN, int *scope,
                        char *filter, LDAP *ld)
{
        char                    errmsg[MAXERROR], *tmp;
        ns_referral_info_t      *ref, *tmpref;
        LDAPURLDesc             *ludp = NULL;
        int                     hostlen;
        char *ld_defhost = NULL;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_addRefInfo START\n");
#endif

        /* sanity check */
        if (head == NULL)
                return (NS_LDAP_OP_FAILED);

        /*
         * log error and return NS_LDAP_SUCCESS
         * if one of the following:
         * 1. non-LDAP URL
         * 2. LDAP URL which can not be parsed
         */
        if (!ldap_is_ldap_url(url) ||
            ldap_url_parse_nodn(url, &ludp) != 0) {
                (void) snprintf(errmsg, MAXERROR, "%s: %s",
                    gettext("Invalid or non-LDAP URL when"
                    " processing referrals URL"),
                    url);
                syslog(LOG_ERR, "libsldap: %s", errmsg);
                if (ludp)
                                ldap_free_urldesc(ludp);
                return (NS_LDAP_SUCCESS);
        }

        ref = (ns_referral_info_t *)calloc(1,
            sizeof (ns_referral_info_t));
        if (ref == NULL) {
                ldap_free_urldesc(ludp);
                return (NS_LDAP_MEMORY);
        }

        /*
         * we do have a valid URL and we were able to parse it
         * however, we still need to find out what hostport to
         * use if none were provided in the LDAP URL
         * (e.g., ldap:///...)
         */
        if ((ludp->lud_port == 0) && (ludp->lud_host == NULL)) {
                if (ld == NULL) {
                        (void) snprintf(errmsg, MAXERROR, "%s: %s",
                            gettext("no LDAP handle when"
                            " processing referrals URL"),
                            url);
                        syslog(LOG_WARNING, "libsldap: %s", errmsg);
                        ldap_free_urldesc(ludp);
                        free(ref);
                        return (NS_LDAP_SUCCESS);
                } else {
                        (void) ldap_get_option(ld, LDAP_OPT_HOST_NAME,
                            &ld_defhost);
                        if (ld_defhost == NULL) {
                                (void) snprintf(errmsg, MAXERROR, "%s: %s",
                                    gettext("not able to retrieve default "
                                    "host when processing "
                                    "referrals URL"),
                                    url);
                                syslog(LOG_WARNING, "libsldap: %s", errmsg);
                                ldap_free_urldesc(ludp);
                                free(ref);
                                return (NS_LDAP_SUCCESS);
                        } else {
                                ref->refHost = strdup(ld_defhost);
                                if (ref->refHost == NULL) {
                                        ldap_free_urldesc(ludp);
                                        free(ref);
                                        return (NS_LDAP_MEMORY);
                                }
                        }
                }
        } else {
                /*
                 * add 4 here:
                 * 1 for the last '\0'.
                 * 1 for host and prot separator ":"
                 * and "[" & "]" for possible ipV6 addressing
                 */
                hostlen = strlen(ludp->lud_host) +
                    sizeof (MAXPORTNUMBER_STR) + 4;
                ref->refHost = (char *)malloc(hostlen);
                if (ref->refHost == NULL) {
                        ldap_free_urldesc(ludp);
                        free(ref);
                        return (NS_LDAP_MEMORY);
                }

                if (ludp->lud_port != 0) {
                        /*
                         * serverAddr = host:port
                         * or
                         * if host is an IPV6 address
                         * [host]:port
                         */
                        tmp = strstr(url, ludp->lud_host);
                        if (tmp && (tmp > url) && *(tmp - 1) == '[') {
                                (void) snprintf(ref->refHost, hostlen,
                                    "[%s]:%d",
                                    ludp->lud_host,
                                    ludp->lud_port);
                        } else {
                                (void) snprintf(ref->refHost, hostlen,
                                    "%s:%d",
                                    ludp->lud_host,
                                    ludp->lud_port);
                        }
                } else {
                        /* serverAddr = host */
                        (void) snprintf(ref->refHost, hostlen, "%s",
                            ludp->lud_host);
                }
        }

        if (ludp->lud_dn) {
                ref->refDN = strdup(ludp->lud_dn);
                if (ref->refDN == NULL) {
                        ldap_free_urldesc(ludp);
                        free(ref->refHost);
                        free(ref);
                        return (NS_LDAP_MEMORY);
                }
        } else {
                if (baseDN) {
                        ref->refDN = strdup(baseDN);
                        if (ref->refDN == NULL) {
                                ldap_free_urldesc(ludp);
                                free(ref->refHost);
                                free(ref);
                                return (NS_LDAP_MEMORY);
                        }
                }
        }

        if (filter)
                ref->refFilter = strdup(filter);
        else if (ludp->lud_filter)
                ref->refFilter = strdup(ludp->lud_filter);
        else
                ref->refFilter = strdup("");

        if (ref->refFilter == NULL) {
                ldap_free_urldesc(ludp);
                free(ref->refHost);
                if (ref->refDN)
                        free(ref->refDN);
                free(ref);
                return (NS_LDAP_MEMORY);
        }

        /*
         * If the scope is specified in the URL use it.
         * Note if the scope is missing in the URL, ldap_url_parse_nodn()
         * returns the scope BASE. We need to check that the scope of BASE
         * is actually present in the URL.
         * If the scope is missing in the URL then use the passed-in
         * scope.
         * If there is no passed-in scope, then use the scope SUBTREE.
         */
        if (ludp->lud_dn && ludp->lud_scope != LDAP_SCOPE_BASE)
                ref->refScope = ludp->lud_scope;
        else if (ludp->lud_dn && strstr(url, "?base"))
                ref->refScope = LDAP_SCOPE_BASE;
        else if (scope)
                ref->refScope = *scope;
        else
                ref->refScope = LDAP_SCOPE_SUBTREE;

        ref->next = NULL;

        ldap_free_urldesc(ludp);

        /* insert the referral info */
        if (*head) {
                for (tmpref = *head; tmpref->next; tmpref = tmpref->next)
                        ;
                tmpref->next = ref;
        } else
                *head = ref;

        return (NS_LDAP_SUCCESS);
}

/*
 * FUNCTION:    __s_api_deleteRefInfo
 *      Delete a referral info list.
 * INPUT:               pointer to the referral info list
 */
void
__s_api_deleteRefInfo(ns_referral_info_t *head)
{
        ns_referral_info_t      *ref, *tmp;

#ifdef DEBUG
        (void) fprintf(stderr, "__s_api_deleteRefInfo START\n");
#endif

        for (ref = head; ref; ) {
                if (ref->refHost)
                        free(ref->refHost);
                if (ref->refDN)
                        free(ref->refDN);
                if (ref->refFilter)
                        free(ref->refFilter);
                tmp = ref->next;
                free(ref);
                ref = tmp;
        }

}

/*
 * FUNCTION:    __s_api_get_SSD_from_SSDtoUse_service
 *
 *      Retrieves the Service Search Descriptors which should be used for
 *      the given service. For example, return all the "passwd" SSDs for
 *      service "shadow" if no SSD is defined for service "shadow" and
 *      no filter component is defined in all the "passwd" SSDs. This idea
 *      of sharing the SSDs defined for some other service is to reduce the
 *      configuration complexity. For a service, which does not have its own
 *      entries in the LDAP directory, SSD for it is useless, and should not
 *      be set. But since this service must share the container with at least
 *      one other service which does have it own entries, the SSD for
 *      this other service will be shared by this service.
 *      This other service is called the SSD-to-use service.
 *      The static data structure, ns_def_map[], in this file
 *      defines the SSD-to-use service for all the services supported.
 *
 * RETURN VALUES:       NS_LDAP_SUCCESS, NS_LDAP_MEMORY, NS_LDAP_INVALID_PARAM
 * INPUT:               service
 * OUTPUT:              *SSDlist, *errorp if error
 */
int
__s_api_get_SSD_from_SSDtoUse_service(const char *service,
                ns_ldap_search_desc_t ***SSDlist,
                ns_ldap_error_t **errorp)
{
        int                     i, rc;
        int                     found = FALSE;
        int                     filter_found = FALSE;
        char                    *SSD_service = NULL;
        char                    errmsg[MAXERROR];
        ns_ldap_search_desc_t   **sdlist;
        int                     auto_service = FALSE;

#ifdef DEBUG
        (void) fprintf(stderr,
            "__s_api_get_SSD_from_SSDtoUse_service START\n");
#endif

        if (SSDlist == NULL || errorp == NULL)
                return (NS_LDAP_INVALID_PARAM);

        *SSDlist = NULL;
        *errorp = NULL;

        if (service == NULL)
                return (NS_LDAP_SUCCESS);

        if (strncasecmp(service, "auto_", 5) == 0)
                auto_service = TRUE;

        /*
         * First try to return the configured SSDs for the input server
         */
        rc = __ns_ldap_getSearchDescriptors(service, SSDlist, errorp);
        if (rc != NS_LDAP_SUCCESS)
                return (rc);
        else {
                if (*SSDlist != NULL)
                        return (NS_LDAP_SUCCESS);
        }

        /*
         * If service == auto_* and SSD is not found,
         * then try automount to see if there is an SSD
         * for automount.
         */

        if (auto_service) {
                rc = __ns_ldap_getSearchDescriptors(
                    "automount", SSDlist, errorp);
                if (rc != NS_LDAP_SUCCESS)
                        return (rc);
                else {
                        if (*SSDlist != NULL) {
                                /*
                                 * If SSDlist is found,
                                 * prepend automountMapName to the basedn
                                 * in the SSDlist
                                 *
                                 */
                                rc = __s_api_prepend_automountmapname(
                                    service,
                                    SSDlist,
                                    errorp);

                                if (rc != NS_LDAP_SUCCESS) {
                                        (void) __ns_ldap_freeSearchDescriptors(
                                            SSDlist);
                                        *SSDlist = NULL;
                                }

                                return (rc);
                        }
                }
        }

        /*
         * Find the SSDtoUse service.
         * If none found, flag "found" remains FALSE.
         */
        for (i = 0; ns_def_map[i].service != NULL; i++) {
                if (ns_def_map[i].SSDtoUse_service &&
                    strcasecmp(service,
                    ns_def_map[i].service) == 0) {
                        found = TRUE;
                        SSD_service = ns_def_map[i].SSDtoUse_service;
                        break;
                }
        }

        if (!found)
                return (NS_LDAP_SUCCESS);

        /*
         * return the SSDs for SSD_service only if no optional filter
         * component is defined in the SSDs
         */
        rc = __ns_ldap_getSearchDescriptors(SSD_service,
            SSDlist, errorp);
        if (rc != NS_LDAP_SUCCESS) {
                return (rc);
        } else {
                if (*SSDlist == NULL)
                        return (NS_LDAP_SUCCESS);

                /* check to see if filter defined in SSD */
                for (sdlist = *SSDlist; *sdlist; sdlist++) {
                        if ((*sdlist)->filter &&
                            strlen((*sdlist)->filter) > 0) {
                                filter_found = TRUE;
                                break;
                        }
                }
                if (filter_found) {
                        (void) __ns_ldap_freeSearchDescriptors(SSDlist);
                        *SSDlist = NULL;
                        (void) snprintf(errmsg, sizeof (errmsg),
                            gettext("Service search descriptor for "
                            "service '%s' contains filter, "
                            "which can not be used for "
                            "service '%s'."),
                            SSD_service, service);
                        MKERROR(LOG_WARNING, *errorp, NS_CONFIG_FILE,
                            strdup(errmsg), NS_LDAP_CONFIG);
                        return (NS_LDAP_CONFIG);
                }

        }
        return (NS_LDAP_SUCCESS);
}


/*
 * verify addr is an IPv4 address with the optional [:portno]
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_isipv4(char *addr)
{
        int i, seg, digit, port;

        if (!addr)
                return (0);

        digit = seg = port = 0;

        for (i = 0; i < strlen(addr); i++) {
                if (isdigit(addr[i])) {
                        digit++;
                        continue;
                }
                if (addr[i] == '.') {
                        if (digit > 3 || digit == 0)
                                return (0);
                        digit = 0;
                        seg++;
                        continue;
                }
                if (addr[i] == ':') {
                        if (digit > 3)
                                return (0);
                        port++;
                        digit = 0;
                        seg++;
                        continue;
                }
                return (0);
        }

        if ((seg == 3 && port == 0 && digit > 0 && digit < 4) ||
            (seg == 4 && port == 1 && digit > 0))
                return (1);

        return (0);
}


/*
 * verify addr is an IPv6 address with the optional [IPv6]:portno
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_isipv6(char *addr)
{
        int i, col, digit, port, dc, tc;
        char *laddr, *c1, *s;

        if (!addr)
                return (0);

        s = addr;
        laddr = NULL;
        digit = col = port = 0;
        if (addr[0] == '[') {
                laddr = strdup(addr);
                if (!laddr)
                        return (0);
                c1 = strchr(laddr, ']');
                /* only 1 ']' should be in an addr */
                if (!c1 || (strchr(c1+1, ']')))
                        goto bad;
                switch (c1[1]) {
                        case ':':
                                port++;
                                for (i = 2; i < strlen(c1); i++) {
                                        if (!isdigit(c1[i]))
                                                goto bad;
                                        digit++;
                                }
                                if (!digit)
                                        goto bad;
                                c1[0] = '\0';
                                break;
                        case '\0':
                                c1[0] = '\0';
                                break;
                        default:
                                goto bad;
                }
                s = &laddr[1];
        }

        digit = dc = tc = 0;
        for (i = 0; i < strlen(s); i++) {
                if (isxdigit(s[i])) {
                        if (digit == 0)
                                dc = i;
                        digit++;
                        col = 0;
                        continue;
                }
                if (s[i] == ':') {
                        tc++;
                        if ((col > 1) || (i && !col && !digit))
                                goto bad;
                        digit = 0;
                        col++;
                        continue;
                }
                if (s[i] == '.') {
                        if (__s_api_isipv4(&s[dc]) && tc)
                                goto good;
                        else
                                goto bad;
                }
                goto bad;
        }

good:
        free(laddr);
        return (1);
bad:
        free(laddr);
        return (0);
}


/*
 * verify addr is a valid hostname with the optional [:portno]
 * RFC2373 & RFC2732 & RFC2396
 */
int
__s_api_ishost(char *addr)
{
        int i, seg, alpha, digit, port;

        if (!addr)
                return (0);

        alpha = digit = seg = port = 0;

        /* must start with alpha character */
        if (!isalpha(addr[0]))
                return (0);

        for (i = 0; i < strlen(addr); i++) {
                if (isalpha(addr[i]) || (i && addr[i] == '-')) {
                        alpha++;
                        continue;
                }
                if (isdigit(addr[i])) {
                        digit++;
                        continue;
                }
                if (addr[i] == '.') {
                        if (!alpha && !digit)
                                return (0);
                        alpha = digit = 0;
                        seg++;
                        continue;
                }
                if (addr[i] == ':') {
                        if (!alpha && !digit)
                                return (0);
                        alpha = digit = 0;
                        port++;
                        seg++;
                        continue;
                }
                return (0);
        }

        if ((port == 0 && (seg || alpha || digit)) ||
            (port == 1 && alpha == 0 && digit))
                return (1);

        return (0);
}


/*
 * Prepend automountMapName=auto_xxx to the basedn
 * in the SSDlist
 */

int __s_api_prepend_automountmapname(
        const char *service,
        ns_ldap_search_desc_t ***SSDlist,
        ns_ldap_error_t **errorp)
{
        int                     i, rc;
        ns_ldap_search_desc_t   ** ssdlist = NULL;

        if (service == NULL || SSDlist == NULL || *SSDlist == NULL)
                return (NS_LDAP_INVALID_PARAM);

        ssdlist = *SSDlist;

        for (i = 0; ssdlist[i] != NULL; i++) {
                rc = __s_api_prepend_automountmapname_to_dn(
                    service, &ssdlist[i]->basedn, errorp);

                if (rc != NS_LDAP_SUCCESS)
                        return (rc);
        }

        return (NS_LDAP_SUCCESS);
}


/*
 * Prepend automountMapName=auto_xxx to the DN
 * Construct a string of
 * "automountMapName=auto_xxx,dn"
 *
 * If automountMapName is mapped to some other attribute,
 * then use the mapping in the setup.
 *
 * If a version 1 profile is in use, use nisMapName for
 * backward compatibility (i.e. "nisMapName=auto_xxx,dn").
 */

int
__s_api_prepend_automountmapname_to_dn(
        const char *service,
        char **dn,
        ns_ldap_error_t **errorp)
{
        int rc, len_s = 0, len_d = 0, len = 0;
        char *buffer = NULL;
        char *default_automountmapname = "automountMapName";
        char *automountmapname = NULL;
        char **mappedattrs = NULL;
        char errstr[MAXERROR];
        void **paramVal = NULL;

        if (service == NULL || dn == NULL || *dn == NULL)
                return (NS_LDAP_INVALID_PARAM);

        rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P, &paramVal, errorp);
        if (rc != NS_LDAP_SUCCESS || !paramVal || !*paramVal) {
                if (paramVal)
                        (void) __ns_ldap_freeParam(&paramVal);
                return (rc);
        }
        if (strcasecmp(*paramVal, NS_LDAP_VERSION_1) == 0) {
                automountmapname = strdup("nisMapName");
                (void) __ns_ldap_freeParam(&paramVal);
                if (automountmapname == NULL) {
                        return (NS_LDAP_MEMORY);
                }
        } else {
                (void) __ns_ldap_freeParam(&paramVal);

                /* Find mapped attribute name of auto_xxx first */
                mappedattrs = __ns_ldap_getMappedAttributes(
                    service, default_automountmapname);
                /*
                 * if mapped attribute name of auto_xxx is not found,
                 * find the mapped attribute name of automount
                 */

                if (mappedattrs == NULL)
                        mappedattrs = __ns_ldap_getMappedAttributes(
                        "automount", default_automountmapname);

                /*
                 * if mapped attr is not found, use the default automountmapname
                 */

                if (mappedattrs == NULL) {
                        automountmapname = strdup(default_automountmapname);
                        if (automountmapname == NULL)
                                return (NS_LDAP_MEMORY);
                } else {
                        if (mappedattrs[0] != NULL) {
                                /*
                                 * Copy it from the mapped attr list
                                 * Assume it's 1 to 1 mapping
                                 * 1 to n does not make sense
                                 */
                                automountmapname = strdup(mappedattrs[0]);
                                __s_api_free2dArray(mappedattrs);
                                if (automountmapname == NULL) {
                                        return (NS_LDAP_MEMORY);
                                }
                        } else {

                                /*
                                 * automountmapname is mapped to an empty string
                                 */

                                __s_api_free2dArray(mappedattrs);

                                (void) sprintf(errstr,
                                    gettext(
                                    "Attribute automountMapName is "
                                    "mapped to an empty string.\n"));

                                MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX,
                                    strdup(errstr), NS_LDAP_MEMORY);

                                return (NS_LDAP_CONFIG);
                        }
                }
        }

        len_s = strlen(service);
        len_d  = strlen(*dn);
        /* automountMapName + "=" + service + "," + dn + '\0' */
        len = strlen(automountmapname) + 1 + len_s + 1 + len_d + 1;
        buffer = (char *)malloc(len);
        if (buffer == NULL) {
                free(automountmapname);
                return (NS_LDAP_MEMORY);
        }

        (void) snprintf(buffer, len, "%s=%s,%s",
            automountmapname, service, *dn);

        buffer[len-1] = '\0';

        free(automountmapname);

        /* free the original dn */
        (void) free(*dn);

        *dn = buffer;

        return (NS_LDAP_SUCCESS);
}

/*
 * Map the LDAP error code and error message from LDAP server
 * to a password status used for password aging/management.
 */
ns_ldap_passwd_status_t
__s_api_set_passwd_status(int errnum, char *errmsg)
{
        syslog(LOG_DEBUG, "libsldap: got LDAP errnum %d & message: %s ", errnum,
            (errmsg != NULL) ? errmsg : "error msg not available");
        if (errmsg) {
                if (errnum ==
                    LDAP_INVALID_CREDENTIALS) {
                        /*
                         * case 1 (Bind):
                         * password expired
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_EXPIRED))
                                return (NS_PASSWD_EXPIRED);
                }

                if (errnum ==
                    LDAP_UNWILLING_TO_PERFORM) {
                        /*
                         * case 1.1 (Bind):
                         * password expired
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_EXPIRED))
                                return (NS_PASSWD_EXPIRED);

                        /*
                         * case 2 (Bind):
                         * Account inactivated
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_ACCT_INACTIVATED))
                                return (NS_PASSWD_EXPIRED);


                        /*
                         * case 3 (Modify passwd):
                         * the user is not allow to change
                         * password; only admin can change it
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_CHANGE_NOT_ALLOW))
                                return (NS_PASSWD_CHANGE_NOT_ALLOWED);
                }

                if (errnum ==
                    LDAP_CONSTRAINT_VIOLATION) {
                        /*
                         * case 4 (Bind):
                         * the user account is locked due to
                         * too many login failures.
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_MAXTRIES))
                                return (NS_PASSWD_RETRY_EXCEEDED);
                        /*
                         * case 5 (Modify passwd):
                         * syntax error: the new password
                         * has length less than defined
                         * minimum
                         * Not true anymore with strong password
                         * policies on LDAP server: errmsg that
                         * contain NS_PWDERR_INVALID_SYNTAX may
                         * have different meanings.
                         * To keep compatibility with older password
                         * policy, check if errmsg is strictly equal
                         * to NS_PWDERR_INVALID_SYNTAX and if yes only,
                         * return NS_PASSWD_TOO_SHORT.
                         */
                        if (strcmp(errmsg,
                            NS_PWDERR_INVALID_SYNTAX) == 0)
                                return (NS_PASSWD_TOO_SHORT);
                        if (strstr(errmsg,
                            NS_PWDERR_INVALID_SYNTAX))
                                return (NS_PASSWD_INVALID_SYNTAX);
                        /*
                         * case 6 (Modify passwd):
                         * trivial password: same value as
                         * that of attribute cn, sn, or uid ...
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_TRIVIAL_PASSWD))
                                return (NS_PASSWD_INVALID_SYNTAX);
                        /*
                         * case 7 (Modify passwd):
                         * re-use one of the old passwords
                         * in history list
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_IN_HISTORY))
                                return (NS_PASSWD_IN_HISTORY);
                        /*
                         * case 8 (Modify passwd):
                         * password not allowed to be
                         * changed yet; within minimum
                         * age
                         */
                        if (strstr(errmsg,
                            NS_PWDERR_WITHIN_MIN_AGE))
                                return (NS_PASSWD_WITHIN_MIN_AGE);
                }

        }

        return (NS_PASSWD_GOOD);
}

/*
 * Determine if the input OID list contains
 * one of the password control OIDs, which are:
 * LDAP_CONTROL_PWEXPIRED: 2.16.840.1.113730.3.4.4
 * LDAP_CONTROL_PWEXPIRING: 2.16.840.1.113730.3.4.5.
 * If yes, return 1, if no, 0.
 */
int
__s_api_contain_passwd_control_oid(char **oids)
{
        char **oid;

        if (oids == NULL)
                return (0);

        for (oid = oids; *oid; oid++) {
                if (strcmp(*oid, LDAP_CONTROL_PWEXPIRED) == 0 ||
                    strcmp(*oid, LDAP_CONTROL_PWEXPIRING) == 0) {
                        return (1);
                }
        }

        return (0);
}

/*
 * Determine if the input OID list contains LDAP V3 password less
 * account management control OID, which is:
 * NS_LDAP_ACCOUNT_USABLE_CONTROL:1.3.6.1.4.1.42.2.27.9.5.8
 * If yes, return 1, if no, 0.
 */
int
__s_api_contain_account_usable_control_oid(char **oids)
{
        char **oid;

        if (oids == NULL)
                return (0);

        for (oid = oids; *oid; oid++) {
                if (strcmp(*oid, NS_LDAP_ACCOUNT_USABLE_CONTROL) == 0) {
                        return (1);
                }
        }

        return (0);
}

/*
 * For some databases in name switch, the name and aliases are saved
 * as "cn". When the "cn" valuse are retrieved, there is no distinction
 * which is  the name and which is(are) aliase(s).
 * This function is to parse RDN and find the value of the "cn" and
 * then find the matching value in "cn" attribute.
 * Also see RFC 2307 section 5.6.
 *
 * Input -
 *  entry:      An LDAP entry
 *  attrptr:    A attribute which value appears in RDN
 *              This should be "cn" for the name switch for now.
 *  case_ignore:    0 Case sensitive comparison on the attribute value
 *                  1 Case insensitive comparison
 *
 * Return -
 *              The value of an attrbute which is used as canonical name
 *              This is read only and the caller should not try to free it.
 *              If it's a NULL, it could be either an RDN parsing error
 *              or RDN value does not match any existing "cn" values.
 *              e.g.
 *              dn: cn=xx+ipserviceprotocol=udp,......
 *              cn: aa
 *              cn: bb
 *
 * Note:
 *  Although the name switch/ldap's  rdn is in "cn=xx" or "cn=xx+..."
 * format, this function makes no such assumption. If the DN
 * is saved as "dn: yy=...+sn=my_canocical_name, ..", then it can still work.
 * The comments use "cn" as an example only.
 *
 */
typedef int (*cmpfunc)(const char *, const char *);

char *
__s_api_get_canonical_name(ns_ldap_entry_t *entry, ns_ldap_attr_t *attrptr,
                        int case_ignore) {
        uint_t                  i;
        char                    *token, *lasts, *value = NULL;
        char                    **rdn = NULL, **attrs = NULL, **values = NULL;
        char                    *rdn_attr_value = NULL;
        cmpfunc                 cmp;

        if (entry == NULL || attrptr == NULL)
                return (NULL);

        /* "values" is read-only */
        if ((values = __ns_ldap_getAttr(entry, "dn")) == NULL ||
            values[0] == NULL)
                return (NULL);

        if ((rdn = ldap_explode_dn(values[0], 0)) == NULL ||
            rdn[0] == NULL)
                return (NULL);

        if ((attrs = ldap_explode_rdn(rdn[0], 0)) == NULL) {
                ldap_value_free(rdn);
                return (NULL);
        }
        /* Assume the rdn is normalized */
        for (i = 0; attrs[i] != NULL; i++) {
                /* parse attribute name and value, get attribute name first */
                if ((token = strtok_r(attrs[i], "=", &lasts)) == NULL) {
                        goto cleanup;
                }
                if (strcasecmp(token, attrptr->attrname) == 0) {
                        /* get value */
                        rdn_attr_value = lasts;
                        break;
                }
        }
        if (rdn_attr_value) {
                if (case_ignore)
                        cmp = strcasecmp;
                else
                        cmp = strcmp;
                /*
                 * After parsing RDN and find the matching attribute in RDN,
                 * match rdn value with values in "cn".
                 */
                for (i = 0; i < attrptr->value_count; i++) {
                        if (attrptr->attrvalue[i] &&
                            (*cmp)(rdn_attr_value,
                            attrptr->attrvalue[i]) == 0) {
                                /* RDN "cn" value matches the "cn" value */
                                value = attrptr->attrvalue[i];
                                break;
                        }
                }
        }
cleanup:
        ldap_value_free(rdn);
        ldap_value_free(attrs);

        return (value);
}

/*
 * This function requests a server to be removed from
 * the cache manager maintained server list. This is
 * done via the door functionality.
 * Returns 0 if OK, else a negative value.
 */

int
__s_api_removeServer(const char *server)
{
        union {
                ldap_data_t     s_d;
                char            s_b[DOORBUFFERSIZE];
        } space;

        ns_server_info_t                r, *ret = &r;
        const char              *ireq;
        ldap_data_t             *sptr;
        int                     ndata;
        int                     adata;
        int                     len;
        int                     rc;
        ns_ldap_error_t         *error = NULL;

        if (server == NULL)
                return (-1);

        ireq = NS_CACHE_NORESP;

        if (__s_api_isStandalone()) {
                /*
                 * Remove 'server' from the standalone server list.
                 * __s_api_findRootDSE() is the standalone version
                 * of getldap_get_serverInfo() used in ldap_cachemgr.
                 * Request NS_CACHE_NORESP indicates 'server' should
                 * be removed.
                 */
                if (__s_api_findRootDSE(ireq,
                    server,
                    NS_CACHE_ADDR_IP,
                    NULL,
                    &error) != NS_LDAP_SUCCESS) {
                        syslog(LOG_WARNING,
                            "libsldap (\"standalone\" mode): "
                            " Unable to remove %s - %s",
                            server,
                            error != NULL && error->message != NULL ?
                            error->message : " no error info");
                        if (error != NULL) {
                                (void) __ns_ldap_freeError(&error);
                        }

                        return (NS_CACHE_NOSERVER);
                }

                return (0);
        }

        (void) memset(ret, 0, sizeof (ns_server_info_t));
        (void) memset(space.s_b, 0, DOORBUFFERSIZE);

        adata = (sizeof (ldap_call_t) + strlen(ireq) +
            strlen(NS_CACHE_ADDR_IP) + 1);
        adata += strlen(DOORLINESEP) + 1;
        adata += strlen(server) + 1;

        ndata = sizeof (space);
        space.s_d.ldap_call.ldap_callnumber = GETLDAPSERVER;
        len = sizeof (space) - sizeof (space.s_d.ldap_call.ldap_callnumber);
        if (strlcpy(space.s_d.ldap_call.ldap_u.domainname, ireq, len) >= len)
                return (-1);
        if (strlcat(space.s_d.ldap_call.ldap_u.domainname,
            NS_CACHE_ADDR_IP, len) >= len)
                return (-1);
        if (strlcat(space.s_d.ldap_call.ldap_u.domainname, DOORLINESEP, len) >=
            len)
                return (-1);
        if (strlcat(space.s_d.ldap_call.ldap_u.domainname, server, len) >= len)
                return (-1);
        sptr = &space.s_d;

        /* try to remove the server via the door interface */
        rc = __ns_ldap_trydoorcall(&sptr, &ndata, &adata);

        /* clean up the door call */
        if (sptr != &space.s_d) {
                (void) munmap((char *)sptr, ndata);
        }

        return (rc);
}

void
__s_api_free_server_info(ns_server_info_t *sinfo) {
        if (sinfo->server) {
                free(sinfo->server);
                sinfo->server = NULL;
        }
        if (sinfo->serverFQDN) {
                free(sinfo->serverFQDN);
                sinfo->serverFQDN = NULL;
        }
        __s_api_free2dArray(sinfo->saslMechanisms);
        sinfo->saslMechanisms = NULL;
        __s_api_free2dArray(sinfo->controls);
        sinfo->controls = NULL;
}

/*
 * Create an ns_ldap_error structure, set status to 'rc',
 * and copy in the error message 'msg'.
 */
ns_ldap_error_t *
__s_api_make_error(int rc, char *msg) {
        ns_ldap_error_t *ep;

        ep = (ns_ldap_error_t *)calloc(1, sizeof (*ep));
        if (ep == NULL)
                return (NULL);

        ep->status = rc;
        if (msg != NULL)
                ep->message =  strdup(msg); /* OK if ep->message is NULL */

        return (ep);
}

/*
 * Make a copy of the input ns_ldap_error.
 */
ns_ldap_error_t *
__s_api_copy_error(ns_ldap_error_t *errorp) {
        ns_ldap_error_t *ep;
        char            *msg;

        if (errorp == NULL)
                return (NULL);

        ep = (ns_ldap_error_t *)malloc(sizeof (*ep));
        if (ep != NULL) {
                *ep = *errorp;
                if (ep->message != NULL) {
                        msg = strdup(ep->message);
                        if (msg == NULL) {
                                free(ep);
                                ep = NULL;
                        } else
                                ep->message = msg;
                }
        }
        return (ep);
}
Illumos
