xref: /illumos-gate/usr/src/lib/libsldap/common/ns_config.c (revision 24b9abbad58fdd63dad716fd35a99a7944c4e3eb)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * libsldap - library side configuration components
30  * Routines to manage the config structure
31  */
32 
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <stddef.h>
36 #include <string.h>
37 #include <strings.h>
38 #include <libintl.h>
39 #include <locale.h>
40 #include <thread.h>
41 #include <synch.h>
42 #include <errno.h>
43 #include <unistd.h>
44 #include <fcntl.h>
45 #include <ctype.h>
46 #include <crypt.h>
47 #include <arpa/inet.h>
48 #include <sys/types.h>
49 #include <sys/stat.h>
50 #include <syslog.h>
51 #include <netdb.h>
52 #include <sys/systeminfo.h>
53 #include <sys/mman.h>
54 #include <sys/time.h>
55 #include <limits.h>
56 #include "ns_sldap.h"
57 #include "ns_internal.h"
58 #include "ns_cache_door.h"
59 #include "ns_connmgmt.h"
60 
61 #pragma fini(__s_api_free_sessionPool, __s_api_shutdown_conn_mgmt, \
62 	_free_config, __ns_ldap_doorfd_close)
63 
64 static mutex_t		ns_parse_lock = DEFAULTMUTEX;
65 static mutex_t		ns_loadrefresh_lock = DEFAULTMUTEX;
66 static ns_config_t	*current_config = NULL;
67 
68 static int		cache_server = FALSE;
69 extern thread_key_t	ns_cmgkey;
70 
71 /*
72  * Parameter Index Type validation routines
73  */
74 static int
75 __s_val_postime(ParamIndexType i, ns_default_config *def,
76 		ns_param_t *param, char *errbuf);
77 static int
78 __s_val_basedn(ParamIndexType i, ns_default_config *def,
79 		ns_param_t *param, char *errbuf);
80 
81 static int
82 __s_val_binddn(ParamIndexType i, ns_default_config *def,
83 		ns_param_t *param, char *errbuf);
84 
85 static int
86 __s_val_bindpw(ParamIndexType i, ns_default_config *def,
87 		ns_param_t *param, char *errbuf);
88 
89 static int
90 __s_val_serverList(ParamIndexType i, ns_default_config *def,
91 		ns_param_t *param, char *errbuf);
92 
93 /*
94  * Forward declarations
95  */
96 
97 static ns_parse_status
98 verify_value(ns_config_t *cfg, char *name, char *value, char *errstr);
99 
100 static int
101 set_default_value(ns_config_t *configptr, char *name, char *value,
102 	ns_ldap_error_t **error);
103 
104 static void
105 set_curr_config(ns_config_t *ptr);
106 
107 static int
108 __door_getldapconfig(char **buffer, int *buflen, ns_ldap_error_t **error);
109 
110 static ns_config_t *
111 SetDoorInfo(char *buffer, ns_ldap_error_t **errorp);
112 
113 static boolean_t
114 timetorefresh(ns_config_t *cfg);
115 
116 static ns_config_t *
117 LoadCacheConfiguration(ns_config_t *, ns_ldap_error_t **error);
118 
119 static void **
120 dupParam(ns_param_t *ptr);
121 
122 static time_t
123 conv_time(char *s);
124 
125 /*
126  * Structures used in enum <-> string mapping routines
127  */
128 
129 static ns_enum_map ns_auth_enum_v1[] = {
130 	{ ENUM2INT(NS_LDAP_EA_NONE), "NS_LDAP_AUTH_NONE" },
131 	{ ENUM2INT(NS_LDAP_EA_SIMPLE), "NS_LDAP_AUTH_SIMPLE" },
132 	{ ENUM2INT(NS_LDAP_EA_SASL_CRAM_MD5), "NS_LDAP_AUTH_SASL_CRAM_MD5" },
133 	{ -1, NULL },
134 };
135 
136 static ns_enum_map ns_auth_enum_v2[] = {
137 	{ ENUM2INT(NS_LDAP_EA_NONE), "none" },
138 	{ ENUM2INT(NS_LDAP_EA_SIMPLE), "simple" },
139 	{ ENUM2INT(NS_LDAP_EA_SASL_CRAM_MD5), "sasl/CRAM-MD5" },
140 	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5), "sasl/DIGEST-MD5" },
141 	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5_INT),
142 			"sasl/DIGEST-MD5:auth-int" },
143 	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5_CONF),
144 			"sasl/DIGEST-MD5:auth-conf" },
145 	{ ENUM2INT(NS_LDAP_EA_SASL_EXTERNAL), "sasl/EXTERNAL" },
146 	{ ENUM2INT(NS_LDAP_EA_SASL_GSSAPI), "sasl/GSSAPI" },
147 	{ ENUM2INT(NS_LDAP_EA_TLS_NONE), "tls:none" },
148 	{ ENUM2INT(NS_LDAP_EA_TLS_SIMPLE), "tls:simple" },
149 	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_CRAM_MD5), "tls:sasl/CRAM-MD5" },
150 	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5), "tls:sasl/DIGEST-MD5" },
151 	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT),
152 			"tls:sasl/DIGEST-MD5:auth-int" },
153 	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF),
154 			"tls:sasl/DIGEST-MD5:auth-conf" },
155 	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_EXTERNAL), "tls:sasl/EXTERNAL" },
156 	{ -1, NULL },
157 };
158 
159 	/* V1 ONLY */
160 static ns_enum_map ns_sec_enum_v1[] = {
161 	{ ENUM2INT(NS_LDAP_TLS_NONE), "NS_LDAP_SEC_NONE" },
162 	{ -1, NULL },
163 };
164 
165 	/* V2 ONLY */
166 static ns_enum_map ns_cred_enum_v2[] = {
167 	{ ENUM2INT(NS_LDAP_CRED_ANON), "anonymous" },
168 	{ ENUM2INT(NS_LDAP_CRED_PROXY), "proxy" },
169 	{ ENUM2INT(NS_LDAP_CRED_SELF), "self" },
170 	{ -1, NULL },
171 };
172 
173 static ns_enum_map ns_ref_enum_v1[] = {
174 	{ ENUM2INT(NS_LDAP_FOLLOWREF), "NS_LDAP_FOLLOWREF" },
175 	{ ENUM2INT(NS_LDAP_NOREF), "NS_LDAP_NOREF" },
176 	{ -1, NULL },
177 };
178 
179 static ns_enum_map ns_ref_enum_v2[] = {
180 	{ ENUM2INT(NS_LDAP_FOLLOWREF), "TRUE" },
181 	{ ENUM2INT(NS_LDAP_NOREF), "FALSE" },
182 	{ -1, NULL },
183 };
184 
185 static ns_enum_map ns_scope_enum_v1[] = {
186 	{ ENUM2INT(NS_LDAP_SCOPE_BASE), "NS_LDAP_SCOPE_BASE" },
187 	{ ENUM2INT(NS_LDAP_SCOPE_ONELEVEL), "NS_LDAP_SCOPE_ONELEVEL" },
188 	{ ENUM2INT(NS_LDAP_SCOPE_SUBTREE), "NS_LDAP_SCOPE_SUBTREE" },
189 	{ -1, NULL },
190 };
191 
192 static ns_enum_map ns_scope_enum_v2[] = {
193 	{ ENUM2INT(NS_LDAP_SCOPE_BASE), "base" },
194 	{ ENUM2INT(NS_LDAP_SCOPE_ONELEVEL), "one" },
195 	{ ENUM2INT(NS_LDAP_SCOPE_SUBTREE), "sub" },
196 	{ -1, NULL },
197 };
198 
199 static ns_enum_map ns_pref_enum[] = {
200 	{ ENUM2INT(NS_LDAP_PREF_FALSE), "NS_LDAP_FALSE" },
201 	{ ENUM2INT(NS_LDAP_PREF_TRUE), "NS_LDAP_TRUE" },
202 	{ -1, NULL },
203 };
204 
205 static int	ns_def_auth_v1[] = {
206 	ENUM2INT(NS_LDAP_EA_NONE),
207 	0
208 };
209 
210 static int	ns_def_auth_v2[] = {
211 	ENUM2INT(NS_LDAP_EA_NONE),
212 	0
213 };
214 
215 static int	ns_def_cred_v1[] = {
216 	ENUM2INT(NS_LDAP_CRED_PROXY),
217 	0
218 };
219 
220 static int	ns_def_cred_v2[] = {
221 	ENUM2INT(NS_LDAP_CRED_ANON),
222 	0
223 };
224 
225 /*
226  * The next macro places an integer in the first sizeof(int) bytes of a
227  * void pointer location. For 32-bit, it is the same as "(void *) i". It
228  * is used to solve a problem found during 64-bit testing.  The problem
229  * was that for a configuration parameter such as NS_LDAP_SEARCH_REF_P,
230  * which is of type INT and has defined default value, an int
231  * variable(ns_param.ns_pu.i) defined inside an union(ns_pu) structure, is
232  * used to access the defined default value. This requires the default
233  * value to be in the first sizeof(int) bytes of the union element.  If
234  * just using "(void *) intval" to declare the default value in the
235  * following defconfig[] structure, the intval data will be placed is the
236  * last sizeof(int) bytes. In which case, when accessing via ns_pu_i in
237  * a 64-bit system, ZERO will be returned as the default value, not the
238  * defined one.
239  *
240  * Note since amd64 is little-endian, the problem is not an issue.
241  * INT2VOIDPTR will just leave the data (i) unchanged.
242  */
243 #if defined(__amd64)
244 #define	INT2VOIDPTR(i)	(void *)i
245 #else
246 #define	INT2VOIDPTR(i)	\
247 	(void *)(((long)(i))<<(8*(sizeof (void *) - sizeof (int))))
248 #endif
249 /*
250  * The default configuration table
251  * Version 1 entries are first, V2 entries follow.
252  */
253 static ns_default_config defconfig[] = {
254 	/* optional V1 profile */
255 	{"NS_LDAP_FILE_VERSION", NS_LDAP_FILE_VERSION_P,
256 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
257 		NULL,	/* No version number defined in V1 */
258 		{ CHARPTR, 0, (void *)NS_LDAP_VERSION_1 },
259 		NULL, NULL },
260 
261 	/* ---------- V1 profile ---------- */
262 	{"NS_LDAP_BINDDN", NS_LDAP_BINDDN_P,
263 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
264 		_P1_BINDDN,
265 		{ CHARPTR, 0, NULL },
266 		__s_val_binddn, NULL },
267 
268 	{"NS_LDAP_BINDPASSWD", NS_LDAP_BINDPASSWD_P,
269 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
270 		_P1_BINDPASSWORD,
271 		{ CHARPTR, 0, NULL },
272 		__s_val_bindpw, NULL },
273 
274 	{"NS_LDAP_SERVERS", NS_LDAP_SERVERS_P,
275 		SERVERCONFIG,	ARRAYCP,	FALSE,	NS_LDAP_V1,
276 		_P1_SERVERS,
277 		{ ARRAYCP, 0, NULL },
278 		__s_val_serverList, NULL },
279 
280 	{"NS_LDAP_SEARCH_BASEDN", NS_LDAP_SEARCH_BASEDN_P,
281 		SERVERCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
282 		_P1_SEARCHBASEDN,
283 		{ CHARPTR, 0, NULL },
284 		__s_val_basedn, NULL },
285 
286 	{"NS_LDAP_AUTH", NS_LDAP_AUTH_P,
287 		CLIENTCONFIG,	ARRAYAUTH,	FALSE,	NS_LDAP_V1,
288 		_P1_AUTHMETHOD,
289 		{ ARRAYAUTH, 1, (void *)&ns_def_auth_v1[0] },
290 		NULL, ns_auth_enum_v1 },
291 
292 	{"NS_LDAP_TRANSPORT_SEC", NS_LDAP_TRANSPORT_SEC_P,
293 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
294 		_P1_TRANSPORTSECURITY,
295 		{ INT, 0, INT2VOIDPTR(NS_LDAP_TLS_NONE) },
296 		NULL, ns_sec_enum_v1 },
297 
298 	{"NS_LDAP_SEARCH_REF", NS_LDAP_SEARCH_REF_P,
299 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
300 		_P1_SEARCHREFERRAL,
301 		{ INT, 0, INT2VOIDPTR(NS_LDAP_FOLLOWREF) },
302 		NULL, ns_ref_enum_v1 },
303 
304 	{"NS_LDAP_DOMAIN", NS_LDAP_DOMAIN_P,
305 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
306 		NULL,	/* not defined in the Profile */
307 		{ CHARPTR, 0, NULL },
308 		NULL, NULL },
309 
310 	{"NS_LDAP_EXP", NS_LDAP_EXP_P,
311 		SERVERCONFIG,	TIMET,		TRUE,	NS_LDAP_V1,
312 		NULL,	/* initialized by code to time+NS_LDAP_CACHETTL */
313 		{ INT, 0, 0 },
314 		NULL, NULL },
315 
316 	{"NS_LDAP_CERT_PATH", NS_LDAP_CERT_PATH_P,
317 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
318 		_P1_CERTIFICATEPATH,
319 		{ CHARPTR, 0, NULL },
320 		NULL, NULL },
321 
322 	{"NS_LDAP_CERT_PASS", NS_LDAP_CERT_PASS_P,
323 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
324 		_P1_CERTIFICATEPASSWORD,
325 		{ CHARPTR, 0, NULL },
326 		NULL, NULL },
327 
328 	{"NS_LDAP_SEARCH_DN", NS_LDAP_SEARCH_DN_P,
329 		CLIENTCONFIG,	SSDLIST,	FALSE,	NS_LDAP_V1,
330 		_P1_DATASEARCHDN,
331 		{ SSDLIST, 0, NULL },
332 		NULL, NULL },
333 
334 	{"NS_LDAP_SEARCH_SCOPE", NS_LDAP_SEARCH_SCOPE_P,
335 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
336 		_P1_SEARCHSCOPE,
337 		{ INT, 0, INT2VOIDPTR(NS_LDAP_SCOPE_ONELEVEL) },
338 		NULL, ns_scope_enum_v1 },
339 
340 	{"NS_LDAP_SEARCH_TIME", NS_LDAP_SEARCH_TIME_P,
341 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
342 		_P1_SEARCHTIMELIMIT,
343 		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_SEARCH_TIMEOUT) },
344 		NULL, NULL },
345 
346 	{"NS_LDAP_SERVER_PREF", NS_LDAP_SERVER_PREF_P,
347 		CLIENTCONFIG,	ARRAYCP,	FALSE,	NS_LDAP_V1,
348 		_P1_PREFERREDSERVER,
349 		{ ARRAYCP, 0, NULL },
350 		__s_val_serverList, NULL },
351 
352 	{"NS_LDAP_PREF_ONLY", NS_LDAP_PREF_ONLY_P,
353 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
354 		_P1_PREFERREDSERVERONLY,
355 		{ INT, 0, INT2VOIDPTR(NS_LDAP_PREF_FALSE) },
356 		NULL, ns_pref_enum },
357 
358 	{"NS_LDAP_CACHETTL", NS_LDAP_CACHETTL_P,
359 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
360 		_P1_CACHETTL,
361 		{ CHARPTR, 0, (void *)EXP_DEFAULT_TTL },
362 		__s_val_postime, NULL },
363 
364 	{"NS_LDAP_PROFILE", NS_LDAP_PROFILE_P,
365 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
366 		_P_CN,
367 		{ CHARPTR, 0, (void *)DEFAULTCONFIGNAME },
368 		NULL, NULL },
369 
370 	{"NS_LDAP_BIND_TIME", NS_LDAP_BIND_TIME_P,
371 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
372 		_P1_BINDTIMELIMIT,
373 		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_BIND_TIMEOUT) },
374 		NULL, NULL },
375 
376 	/* This configuration option is not visible in V1 */
377 	{"NS_LDAP_CREDENTIAL_LEVEL", NS_LDAP_CREDENTIAL_LEVEL_P,
378 		CLIENTCONFIG,	ARRAYCRED,	TRUE,	NS_LDAP_V1,
379 		NULL,	/* No version defined in V1 */
380 		{ ARRAYCRED, 0, (void *)&ns_def_cred_v1[0] },
381 		NULL, NULL },
382 
383 	/* ---------- V2 profile ---------- */
384 	{"NS_LDAP_FILE_VERSION", NS_LDAP_FILE_VERSION_P,
385 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
386 		NULL,	/* No version number defined in V1 */
387 		{ CHARPTR, 0, (void *)NS_LDAP_VERSION_2 },
388 		NULL, NULL },
389 
390 	{"NS_LDAP_BINDDN", NS_LDAP_BINDDN_P,
391 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
392 		NULL,	/* not defined in the Profile */
393 		{ CHARPTR, 0, NULL },
394 		__s_val_binddn, NULL },
395 	{"NS_LDAP_BINDPASSWD", NS_LDAP_BINDPASSWD_P,
396 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
397 		NULL,	/* not defined in the Profile */
398 		{ CHARPTR, 0, NULL },
399 		__s_val_bindpw, NULL },
400 	{"NS_LDAP_EXP", NS_LDAP_EXP_P,
401 		SERVERCONFIG,	TIMET,		TRUE,	NS_LDAP_V2,
402 		NULL,	/* initialized by code to time+NS_LDAP_CACHETTL */
403 		{ INT, 0, 0 },
404 		NULL, NULL },
405 
406 	{"NS_LDAP_SERVER_PREF", NS_LDAP_SERVER_PREF_P,
407 		CLIENTCONFIG,	SERVLIST,	FALSE,	NS_LDAP_V2,
408 		_P2_PREFERREDSERVER,
409 		{ SERVLIST, 0, NULL },
410 		__s_val_serverList, NULL },
411 
412 	{"NS_LDAP_SERVERS", NS_LDAP_SERVERS_P,
413 		SERVERCONFIG,	SERVLIST,	FALSE,	NS_LDAP_V2,
414 		_P2_DEFAULTSERVER,
415 		{ SERVLIST, 0, NULL },
416 		__s_val_serverList, NULL },
417 
418 	{"NS_LDAP_SEARCH_BASEDN", NS_LDAP_SEARCH_BASEDN_P,
419 		SERVERCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
420 		_P2_SEARCHBASEDN,
421 		{ CHARPTR, 0, NULL },
422 		__s_val_basedn, NULL },
423 
424 	{"NS_LDAP_SEARCH_SCOPE", NS_LDAP_SEARCH_SCOPE_P,
425 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
426 		_P2_SEARCHSCOPE,
427 		{ INT, 0, INT2VOIDPTR(NS_LDAP_SCOPE_ONELEVEL) },
428 		NULL, ns_scope_enum_v2 },
429 
430 	{"NS_LDAP_AUTH", NS_LDAP_AUTH_P,
431 		CLIENTCONFIG,	ARRAYAUTH,	FALSE,	NS_LDAP_V2,
432 		_P2_AUTHMETHOD,
433 		{ ARRAYAUTH, 2, (void *)&ns_def_auth_v2[0] },
434 		NULL, ns_auth_enum_v2 },
435 
436 	{"NS_LDAP_CREDENTIAL_LEVEL", NS_LDAP_CREDENTIAL_LEVEL_P,
437 		CLIENTCONFIG,	ARRAYCRED,	FALSE,	NS_LDAP_V2,
438 		_P2_CREDENTIALLEVEL,
439 		{ ARRAYCRED, 0, (void *)&ns_def_cred_v2[0] },
440 		NULL, ns_cred_enum_v2 },
441 
442 	{"NS_LDAP_SERVICE_SEARCH_DESC", NS_LDAP_SERVICE_SEARCH_DESC_P,
443 		CLIENTCONFIG,	SSDLIST,	FALSE,	NS_LDAP_V2,
444 		_P2_SERVICESEARCHDESC,
445 		{ SSDLIST, 0, NULL },
446 		NULL, NULL },
447 
448 	{"NS_LDAP_SEARCH_TIME", NS_LDAP_SEARCH_TIME_P,
449 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
450 		_P2_SEARCHTIMELIMIT,
451 		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_SEARCH_TIMEOUT) },
452 		NULL, NULL },
453 
454 	{"NS_LDAP_BIND_TIME", NS_LDAP_BIND_TIME_P,
455 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
456 		_P2_BINDTIMELIMIT,
457 		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_BIND_TIMEOUT) },
458 		NULL, NULL },
459 
460 	{"NS_LDAP_SEARCH_REF", NS_LDAP_SEARCH_REF_P,
461 		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
462 		_P2_FOLLOWREFERRALS,
463 		{ INT, 0, INT2VOIDPTR(NS_LDAP_FOLLOWREF) },
464 		NULL, ns_ref_enum_v2 },
465 
466 	{"NS_LDAP_CACHETTL", NS_LDAP_CACHETTL_P,
467 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
468 		_P2_PROFILETTL,
469 		{ CHARPTR, 0, (void *)EXP_DEFAULT_TTL },
470 		__s_val_postime, NULL },
471 
472 	{"NS_LDAP_ATTRIBUTEMAP", NS_LDAP_ATTRIBUTEMAP_P,
473 		CLIENTCONFIG,	ATTRMAP,	FALSE,	NS_LDAP_V2,
474 		_P2_ATTRIBUTEMAP,
475 		{ ATTRMAP, 0, NULL },
476 		NULL, NULL },
477 
478 	{"NS_LDAP_OBJECTCLASSMAP", NS_LDAP_OBJECTCLASSMAP_P,
479 		CLIENTCONFIG,	OBJMAP,		FALSE,	NS_LDAP_V2,
480 		_P2_OBJECTCLASSMAP,
481 		{ OBJMAP, 0, NULL },
482 		NULL, NULL },
483 
484 	{"NS_LDAP_PROFILE", NS_LDAP_PROFILE_P,
485 		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
486 		_P_CN,
487 		{ CHARPTR, 0, (void *)DEFAULTCONFIGNAME },
488 		NULL, NULL },
489 
490 	{"NS_LDAP_SERVICE_AUTH_METHOD", NS_LDAP_SERVICE_AUTH_METHOD_P,
491 		CLIENTCONFIG,	SAMLIST,	FALSE,	NS_LDAP_V2,
492 		_P2_SERVICEAUTHMETHOD,
493 		{ SAMLIST, 0, NULL },
494 		NULL, NULL },
495 
496 	{"NS_LDAP_SERVICE_CRED_LEVEL", NS_LDAP_SERVICE_CRED_LEVEL_P,
497 		CLIENTCONFIG,	SCLLIST,	FALSE,	NS_LDAP_V2,
498 		_P2_SERVICECREDLEVEL,
499 		{ SCLLIST, 0, NULL },
500 		NULL, NULL },
501 
502 	{"NS_LDAP_HOST_CERTPATH", NS_LDAP_HOST_CERTPATH_P,
503 		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
504 		NULL,	/* not defined in the Profile */
505 		{ CHARPTR, 0, (void *)NSLDAPDIRECTORY },
506 		NULL, NULL },
507 
508 	/* array terminator [not an entry] */
509 	{NULL, NS_LDAP_FILE_VERSION_P,
510 		CLIENTCONFIG,	NS_UNKNOWN,	TRUE,	NULL,
511 		NULL,
512 		{ NS_UNKNOWN, 0, NULL },
513 		NULL, NULL },
514 };
515 
516 static char *
517 __getdomainname()
518 {
519 	/*
520 	 * The sysinfo man page recommends using a buffer size
521 	 * of 257 bytes. MAXHOSTNAMELEN is 256. So add 1 here.
522 	 */
523 	char	buf[MAXHOSTNAMELEN + 1];
524 	int	status;
525 
526 	status = sysinfo(SI_SRPC_DOMAIN, buf, MAXHOSTNAMELEN);
527 	if (status < 0)
528 		return (NULL);
529 	/* error: not enough space to hold returned value */
530 	if (status > sizeof (buf))
531 		return (NULL);
532 	return (strdup(buf));
533 }
534 
535 void
536 __ns_ldap_setServer(int set)
537 {
538 	cache_server = set;
539 }
540 
541 static boolean_t
542 timetorefresh(ns_config_t *cfg)
543 {
544 	struct timeval	tp;
545 	static time_t	expire = 0;
546 
547 	if (cfg == NULL || gettimeofday(&tp, NULL) == -1)
548 		return (B_TRUE);
549 
550 	if (cfg->paramList[NS_LDAP_EXP_P].ns_ptype == TIMET)
551 		expire = cfg->paramList[NS_LDAP_EXP_P].ns_tm;
552 	else
553 		return (B_TRUE);
554 
555 	return (expire != 0 && tp.tv_sec > expire);
556 }
557 
558 int
559 __s_get_enum_value(ns_config_t *ptr, char *value, ParamIndexType i)
560 {
561 	register ns_enum_map	*mapp;
562 	char			*pstart = value;
563 	char			*pend;
564 	int			len;
565 
566 	if (pstart == NULL)
567 		return (-1);
568 
569 	/* skip leading spaces */
570 	while (*pstart == SPACETOK)
571 		pstart++;
572 	/* skip trailing spaces */
573 	pend = pstart + strlen(pstart) - 1;
574 	for (; pend >= pstart && *pend == SPACETOK; pend--)
575 		;
576 	len = pend - pstart + 1;
577 	if (len == 0)
578 		return (-1);
579 
580 	switch (i) {
581 	case NS_LDAP_AUTH_P:
582 		if (ptr->version == NS_LDAP_V1)
583 			mapp = &ns_auth_enum_v1[0];
584 		else
585 			mapp = &ns_auth_enum_v2[0];
586 		break;
587 	case NS_LDAP_TRANSPORT_SEC_P:
588 		return (-1);
589 	case NS_LDAP_SEARCH_SCOPE_P:
590 		if (ptr->version == NS_LDAP_V1)
591 			mapp = &ns_scope_enum_v1[0];
592 		else
593 			mapp = &ns_scope_enum_v2[0];
594 		break;
595 	case NS_LDAP_SEARCH_REF_P:
596 		if (ptr->version == NS_LDAP_V1)
597 			mapp = &ns_ref_enum_v1[0];
598 		else
599 			mapp = &ns_ref_enum_v2[0];
600 		break;
601 	case NS_LDAP_PREF_ONLY_P:
602 		mapp = &ns_pref_enum[0];
603 		break;
604 	case NS_LDAP_CREDENTIAL_LEVEL_P:
605 		if (ptr->version == NS_LDAP_V1)
606 			return (-1);
607 		else
608 			mapp = &ns_cred_enum_v2[0];
609 		break;
610 	case NS_LDAP_SERVICE_AUTH_METHOD_P:
611 		mapp = &ns_auth_enum_v2[0];
612 		break;
613 	case NS_LDAP_SERVICE_CRED_LEVEL_P:
614 		mapp = &ns_cred_enum_v2[0];
615 		break;
616 	default:
617 		return (-1);
618 	}
619 
620 	for (; mapp->name != NULL; mapp++) {
621 		if (strncasecmp(pstart, mapp->name, len) == 0 &&
622 		    (strlen(mapp->name) == len)) {
623 			return (mapp->value);
624 		}
625 	}
626 	return (-1);
627 }
628 
629 char *
630 __s_get_auth_name(ns_config_t *ptr, AuthType_t type)
631 {
632 	register ns_enum_map	*mapp;
633 
634 	if (ptr->version == NS_LDAP_V1)
635 		mapp = &ns_auth_enum_v1[0];
636 	else
637 		mapp = &ns_auth_enum_v2[0];
638 
639 	for (; mapp->name != NULL; mapp++) {
640 		if (type == INT2AUTHENUM(mapp->value)) {
641 			return (mapp->name);
642 		}
643 	}
644 	return ("Unknown AuthType_t type specified");
645 }
646 
647 
648 char *
649 __s_get_security_name(ns_config_t *ptr, TlsType_t type)
650 {
651 	register ns_enum_map	*mapp;
652 
653 	if (ptr->version == NS_LDAP_V1) {
654 		mapp = &ns_sec_enum_v1[0];
655 
656 		for (; mapp->name != NULL; mapp++) {
657 			if (type == INT2SECENUM(mapp->value)) {
658 				return (mapp->name);
659 			}
660 		}
661 	}
662 	return ("Unknown TlsType_t type specified");
663 }
664 
665 
666 char *
667 __s_get_scope_name(ns_config_t *ptr, ScopeType_t type)
668 {
669 	register ns_enum_map	*mapp;
670 
671 	if (ptr->version == NS_LDAP_V1)
672 		mapp = &ns_scope_enum_v1[0];
673 	else
674 		mapp = &ns_scope_enum_v2[0];
675 
676 	for (; mapp->name != NULL; mapp++) {
677 		if (type == INT2SCOPEENUM(mapp->value)) {
678 			return (mapp->name);
679 		}
680 	}
681 	return ("Unknown ScopeType_t type specified");
682 }
683 
684 
685 char *
686 __s_get_pref_name(PrefOnly_t type)
687 {
688 	register ns_enum_map	*mapp = &ns_pref_enum[0];
689 
690 	for (; mapp->name != NULL; mapp++) {
691 		if (type == INT2PREFONLYENUM(mapp->value)) {
692 			return (mapp->name);
693 		}
694 	}
695 	return ("Unknown PrefOnly_t type specified");
696 }
697 
698 char *
699 __s_get_searchref_name(ns_config_t *ptr, SearchRef_t type)
700 {
701 	register ns_enum_map	*mapp;
702 
703 	if (ptr->version == NS_LDAP_V1)
704 		mapp = &ns_ref_enum_v1[0];
705 	else
706 		mapp = &ns_ref_enum_v2[0];
707 
708 	for (; mapp->name != NULL; mapp++) {
709 		if (type == INT2SEARCHREFENUM(mapp->value)) {
710 			return (mapp->name);
711 		}
712 	}
713 	return ("Unknown SearchRef_t type specified");
714 }
715 
716 static char *
717 __s_get_credlvl_name(ns_config_t *ptr, CredLevel_t type)
718 {
719 	register ns_enum_map	*mapp;
720 
721 	if (ptr->version == NS_LDAP_V2) {
722 		mapp = &ns_cred_enum_v2[0];
723 		for (; mapp->name != NULL; mapp++) {
724 			if (type == INT2CREDLEVELENUM(mapp->value)) {
725 				return (mapp->name);
726 			}
727 		}
728 	}
729 	return ("Unknown CredLevel_t type specified");
730 }
731 
732 static void
733 destroy_param(ns_config_t *ptr, ParamIndexType type)
734 {
735 	int	i, j;
736 	char	**ppc;
737 
738 	if (ptr == NULL)
739 		return;
740 
741 	/*
742 	 * This routine is not lock protected because
743 	 * the config param it may be destroying is not
744 	 * necessarily THE config.  Mutex protect elsewhere.
745 	 */
746 	switch (ptr->paramList[type].ns_ptype) {
747 	case CHARPTR:
748 		if (ptr->paramList[type].ns_pc) {
749 			free(ptr->paramList[type].ns_pc);
750 			ptr->paramList[type].ns_pc = NULL;
751 		}
752 		break;
753 	case SAMLIST:
754 	case SCLLIST:
755 	case SSDLIST:
756 	case ARRAYCP:
757 	case SERVLIST:
758 		if (ptr->paramList[type].ns_ppc) {
759 			ppc = ptr->paramList[type].ns_ppc;
760 			j = ptr->paramList[type].ns_acnt;
761 			for (i = 0; i < j && ppc[i] != NULL; i++) {
762 				free((void *)ppc[i]);
763 			}
764 			free((void *)ppc);
765 			ptr->paramList[type].ns_ppc = NULL;
766 		}
767 		break;
768 	case ARRAYAUTH:
769 	case ARRAYCRED:
770 		if (ptr->paramList[type].ns_pi) {
771 			free(ptr->paramList[type].ns_pi);
772 			ptr->paramList[type].ns_pi = NULL;
773 		}
774 		break;
775 	case INT:
776 		ptr->paramList[type].ns_i = 0;
777 		break;
778 	case ATTRMAP:
779 		break;
780 	case OBJMAP:
781 		break;
782 	default:
783 		break;
784 	}
785 	ptr->paramList[type].ns_ptype = NS_UNKNOWN;
786 }
787 
788 static void
789 destroy_config(ns_config_t *ptr)
790 {
791 	ParamIndexType	i;
792 
793 	if (ptr != NULL) {
794 		if (ptr == current_config)
795 			current_config = NULL;
796 		if (ptr->domainName != NULL)
797 			free(ptr->domainName);
798 			ptr->domainName = NULL;
799 		for (i = 0; i <= LAST_VALUE; i++) {
800 			destroy_param(ptr, i);
801 		}
802 		__s_api_destroy_hash(ptr);
803 		free(ptr);
804 	}
805 }
806 
807 /*
808  * Marks the ns_config_t to be deleted and then releases it. (If no other
809  * caller is using, then __s_api_release_config will destroy it.)
810  *
811  * Note that __s_api_destroy_config should only be called if the caller has
812  * created the ns_config_t with __s_api_create_config (with the exception
813  * of set_curr_config). The ns_config_t should be private to the caller.
814  *
815  * This function should not be called with the current_config except by
816  * set_curr_config which locks ns_parse_lock to ensure that no thread
817  * will be waiting on current_config->config_mutex. This ensures that
818  * no caller with be waiting on cfg->config_mutex while it is being
819  * destroyed by __s_api_release_config.
820  */
821 
822 void
823 __s_api_destroy_config(ns_config_t *cfg)
824 {
825 	if (cfg != NULL) {
826 		(void) mutex_lock(&cfg->config_mutex);
827 		cfg->delete = TRUE;
828 		(void) mutex_unlock(&cfg->config_mutex);
829 		__s_api_release_config(cfg);
830 	}
831 }
832 
833 
834 /*
835  * Increment the configuration use count by one - assumes ns_parse_lock has
836  * been obtained.
837  */
838 
839 static ns_config_t *
840 get_curr_config_unlocked(ns_config_t *cfg, boolean_t global)
841 {
842 	ns_config_t *ret;
843 
844 	ret = cfg;
845 	if (cfg != NULL) {
846 		(void) mutex_lock(&cfg->config_mutex);
847 		/*
848 		 * allow access to per connection management (non-global)
849 		 * config so operations on connection being closed can still
850 		 * be completed
851 		 */
852 		if (cfg->delete && global == B_TRUE)
853 			ret = NULL;
854 		else
855 			cfg->nUse++;
856 		(void) mutex_unlock(&cfg->config_mutex);
857 	}
858 	return (ret);
859 }
860 
861 /*
862  * set_curr_config_global sets the current global config to the
863  * specified ns_config_t. Note that this function is similar
864  * to the project private function __s_api_init_config_global
865  * except that it does not release the new ns_config_t.
866  */
867 static void
868 set_curr_config_global(ns_config_t *ptr)
869 {
870 	ns_config_t	*cfg;
871 	ns_config_t	*cur_cfg;
872 
873 	(void) mutex_lock(&ns_parse_lock);
874 	cur_cfg = current_config;
875 	cfg = get_curr_config_unlocked(cur_cfg, B_TRUE);
876 	if (cfg != ptr) {
877 		__s_api_destroy_config(cfg);
878 		current_config = ptr;
879 	}
880 	(void) mutex_unlock(&ns_parse_lock);
881 }
882 
883 
884 /*
885  * set_curr_config sets the current config or the per connection
886  * management one to the specified ns_config_t. Note that this function
887  * is similar to the project private function __s_api_init_config
888  * except that it does not release the new ns_config_t. Also note
889  * that if there's no per connection management one to set, the
890  * global current config will be set.
891  */
892 
893 static void
894 set_curr_config(ns_config_t *ptr)
895 {
896 	ns_config_t	*cfg;
897 	ns_config_t	*cur_cfg;
898 	ns_conn_mgmt_t	*cmg;
899 	int		rc;
900 
901 	rc = thr_getspecific(ns_cmgkey, (void **)&cmg);
902 
903 	/* set the per connection management config if possible */
904 	if (rc == 0 && cmg != NULL && cmg->config != NULL) {
905 		(void) mutex_lock(&cmg->cfg_lock);
906 		cur_cfg = cmg->config;
907 		cfg = get_curr_config_unlocked(cur_cfg, B_FALSE);
908 		if (cfg != ptr) {
909 			__s_api_destroy_config(cfg);
910 			cmg->config = ptr;
911 		}
912 		(void) mutex_unlock(&cmg->cfg_lock);
913 		return;
914 	}
915 
916 	/* else set the global current config */
917 	set_curr_config_global(ptr);
918 }
919 
920 /*
921  * Decrements the ns_config_t usage count by one. Delete if delete flag
922  * is set and no other callers are using.
923  */
924 
925 void
926 __s_api_release_config(ns_config_t *cfg)
927 {
928 	if (cfg != NULL) {
929 		(void) mutex_lock(&cfg->config_mutex);
930 		cfg->nUse--;
931 		if (cfg->nUse == 0 && cfg->delete) {
932 			destroy_config(cfg);
933 		} else
934 			(void) mutex_unlock(&cfg->config_mutex);
935 	}
936 }
937 
938 /*
939  * __s_api_init_config function destroys the previous global configuration
940  * sets the new global configuration and then releases it
941  */
942 void
943 __s_api_init_config_global(ns_config_t *ptr)
944 {
945 	set_curr_config_global(ptr);
946 	__s_api_release_config(ptr);
947 }
948 
949 /*
950  * __s_api_init_config function destroys the previous configuration
951  * sets the new configuration and then releases it. The configuration
952  * may be the global one or the per connection management one.
953  */
954 void
955 __s_api_init_config(ns_config_t *ptr)
956 {
957 	set_curr_config(ptr);
958 	__s_api_release_config(ptr);
959 }
960 
961 
962 /*
963  * Create an ns_config_t, set the usage count to one
964  */
965 
966 ns_config_t *
967 __s_api_create_config(void)
968 {
969 	ns_config_t	*ret;
970 	ret = (ns_config_t *)calloc(1, sizeof (ns_config_t));
971 	if (ret == NULL)
972 		return (NULL);
973 
974 	ret->domainName = __getdomainname();
975 	if (ret->domainName == NULL) {
976 		free(ret);
977 		return (NULL);
978 	}
979 	ret->version = NS_LDAP_V1;
980 	(void) mutex_init(&ret->config_mutex, USYNC_THREAD, NULL);
981 	ret->nUse = 1;
982 	ret->delete = B_FALSE;
983 	return (ret);
984 }
985 
986 /*
987  * __s_api_get_default_config_global returns the current global config
988  */
989 ns_config_t *
990 __s_api_get_default_config_global(void)
991 {
992 	ns_config_t	*cfg;
993 	ns_config_t	*cur_cfg;
994 
995 	(void) mutex_lock(&ns_parse_lock);
996 	cur_cfg = current_config;
997 	cfg = get_curr_config_unlocked(cur_cfg, B_TRUE);
998 	(void) mutex_unlock(&ns_parse_lock);
999 
1000 	return (cfg);
1001 }
1002 
1003 /*
1004  * __s_api_get_default_config returns the current global config or the
1005  * per connection management one.
1006  */
1007 ns_config_t *
1008 __s_api_get_default_config(void)
1009 {
1010 	ns_config_t	*cfg;
1011 	ns_config_t	*cur_cfg;
1012 	ns_conn_mgmt_t	*cmg;
1013 	int		rc;
1014 
1015 	rc = thr_getspecific(ns_cmgkey, (void **)&cmg);
1016 
1017 	/* get the per connection management config if available */
1018 	if (rc == 0 && cmg != NULL && cmg->config != NULL) {
1019 		(void) mutex_lock(&cmg->cfg_lock);
1020 		cur_cfg = cmg->config;
1021 		cfg = get_curr_config_unlocked(cur_cfg, B_FALSE);
1022 		(void) mutex_unlock(&cmg->cfg_lock);
1023 		return (cfg);
1024 	}
1025 
1026 	/* else get the global current config */
1027 	return (__s_api_get_default_config_global());
1028 }
1029 
1030 static char *
1031 stripdup(const char *instr)
1032 {
1033 	char	*pstart = (char *)instr;
1034 	char	*pend, *ret;
1035 	int	len;
1036 
1037 	if (pstart == NULL)
1038 		return (NULL);
1039 	/* remove leading spaces */
1040 	while (*pstart == SPACETOK)
1041 		pstart++;
1042 	/* remove trailing spaces */
1043 	pend = pstart + strlen(pstart) - 1;
1044 	for (; pend >= pstart && *pend == SPACETOK; pend--)
1045 		;
1046 	len = pend - pstart + 1;
1047 	if ((ret = malloc(len + 1)) == NULL)
1048 		return (NULL);
1049 	if (len != 0) {
1050 		(void) strncpy(ret, pstart, len);
1051 	}
1052 	ret[len] = '\0';
1053 	return (ret);
1054 }
1055 
1056 /*
1057  * Note that __s_api_crosscheck is assumed to be called with an ns_config_t
1058  * that is properly protected - so that it will not change during the
1059  * duration of the call
1060  */
1061 
1062 /* Size of errstr needs to be MAXERROR */
1063 ns_parse_status
1064 __s_api_crosscheck(ns_config_t *ptr, char *errstr, int check_dn)
1065 {
1066 	int		value, j;
1067 	time_t		tm;
1068 	const char	*str, *str1;
1069 	int		i, cnt;
1070 	int		self, gssapi;
1071 
1072 	if (ptr == NULL)
1073 		return (NS_SUCCESS);
1074 
1075 	/* check for no server specified */
1076 	if (ptr->paramList[NS_LDAP_SERVERS_P].ns_ppc == NULL) {
1077 		if (ptr->version == NS_LDAP_V1) {
1078 			str = NULL_OR_STR(__s_api_get_configname(
1079 			    NS_LDAP_SERVERS_P));
1080 			(void) snprintf(errstr, MAXERROR,
1081 			    gettext("Configuration Error: No entry for "
1082 			    "'%s' found"), str);
1083 			return (NS_PARSE_ERR);
1084 		} else if (ptr->paramList[NS_LDAP_SERVER_PREF_P].ns_ppc ==
1085 		    NULL) {
1086 			str = NULL_OR_STR(__s_api_get_configname(
1087 			    NS_LDAP_SERVERS_P));
1088 			str1 = NULL_OR_STR(__s_api_get_configname(
1089 			    NS_LDAP_SERVER_PREF_P));
1090 			(void) snprintf(errstr, MAXERROR,
1091 			    gettext("Configuration Error: "
1092 			    "Neither '%s' nor '%s' is defined"), str, str1);
1093 			return (NS_PARSE_ERR);
1094 		}
1095 	}
1096 	if (ptr->paramList[NS_LDAP_CERT_PASS_P].ns_pc != NULL &&
1097 	    ptr->paramList[NS_LDAP_CERT_PATH_P].ns_pc == NULL) {
1098 			str = NULL_OR_STR(__s_api_get_configname(
1099 			    NS_LDAP_CERT_PASS_P));
1100 			str1 = NULL_OR_STR(__s_api_get_configname(
1101 			    NS_LDAP_CERT_PATH_P));
1102 			(void) snprintf(errstr, MAXERROR,
1103 			gettext("Configuration Error: %s specified "
1104 			    "but no value for '%s' found"), str, str1);
1105 		return (NS_PARSE_ERR);
1106 	}
1107 	if (ptr->paramList[NS_LDAP_CERT_PASS_P].ns_pc == NULL &&
1108 	    ptr->paramList[NS_LDAP_CERT_PATH_P].ns_pc != NULL) {
1109 			str = NULL_OR_STR(__s_api_get_configname(
1110 			    NS_LDAP_CERT_PATH_P));
1111 			str1 = NULL_OR_STR(__s_api_get_configname(
1112 			    NS_LDAP_CERT_PASS_P));
1113 			(void) snprintf(errstr, MAXERROR,
1114 			gettext("Configuration Error: %s specified "
1115 			    "but no value for '%s' found"), str, str1);
1116 		return (NS_PARSE_ERR);
1117 	}
1118 	/* check if search basedn has been specified */
1119 	if (ptr->paramList[NS_LDAP_SEARCH_BASEDN_P].ns_ppc == NULL) {
1120 		str = NULL_OR_STR(__s_api_get_configname(
1121 		    NS_LDAP_SEARCH_BASEDN_P));
1122 		(void) snprintf(errstr, MAXERROR,
1123 		    gettext("Configuration Error: No entry for "
1124 		    "'%s' found"), str);
1125 		return (NS_PARSE_ERR);
1126 	}
1127 
1128 	if (check_dn) {
1129 	    /* check for auth value....passwd/bindn if necessary */
1130 
1131 		for (j = 0; ptr->paramList[NS_LDAP_AUTH_P].ns_pi != NULL &&
1132 		    ptr->paramList[NS_LDAP_AUTH_P].ns_pi[j] != NULL; j++) {
1133 		value = ptr->paramList[NS_LDAP_AUTH_P].ns_pi[j];
1134 		switch (value) {
1135 		case NS_LDAP_EA_SIMPLE:
1136 		case NS_LDAP_EA_SASL_CRAM_MD5:
1137 		case NS_LDAP_EA_SASL_DIGEST_MD5:
1138 		case NS_LDAP_EA_SASL_DIGEST_MD5_INT:
1139 		case NS_LDAP_EA_SASL_DIGEST_MD5_CONF:
1140 		case NS_LDAP_EA_TLS_SIMPLE:
1141 		case NS_LDAP_EA_TLS_SASL_CRAM_MD5:
1142 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5:
1143 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT:
1144 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF:
1145 			if (ptr->paramList[NS_LDAP_BINDDN_P].ns_ppc == NULL) {
1146 				str = NULL_OR_STR(__s_api_get_configname(
1147 				    NS_LDAP_BINDDN_P));
1148 				(void) snprintf(errstr, MAXERROR,
1149 				gettext("Configuration Error: No entry for "
1150 				    "'%s' found"), str);
1151 				return (NS_PARSE_ERR);
1152 			}
1153 			if (ptr->paramList[NS_LDAP_BINDPASSWD_P].ns_ppc
1154 			    == NULL) {
1155 				str = NULL_OR_STR(__s_api_get_configname(
1156 				    NS_LDAP_BINDPASSWD_P));
1157 				(void) snprintf(errstr, MAXERROR,
1158 				gettext("Configuration Error: No entry for "
1159 				    "'%s' found"), str);
1160 				return (NS_PARSE_ERR);
1161 			}
1162 			break;
1163 		}
1164 		}
1165 	}
1166 
1167 	/*
1168 	 * If NS_LDAP_CACHETTL is not specified,
1169 	 * init NS_LDAP_EXP_P here. Otherwise,
1170 	 * ldap_cachemgr will never refresh the profile.
1171 	 * Set it to current time + default
1172 	 * NS_LDAP_CACHETTL
1173 	 */
1174 	if (ptr->paramList[NS_LDAP_CACHETTL_P].ns_pc == NULL) {
1175 		tm = conv_time(
1176 		    defconfig[NS_LDAP_CACHETTL_P].defval.ns_pc);
1177 		ptr->paramList[NS_LDAP_EXP_P].ns_ptype = TIMET;
1178 		if (tm != 0) {
1179 			tm += time(NULL);
1180 		}
1181 		ptr->paramList[NS_LDAP_EXP_P].ns_tm = tm;
1182 	}
1183 	/*
1184 	 * If credential level self is defined, there should be
1185 	 * at least an auth method sasl/GSSAPI and vice versa.
1186 	 */
1187 	self = 0;
1188 	cnt = ptr->paramList[NS_LDAP_CREDENTIAL_LEVEL_P].ns_acnt;
1189 	for (i = 0; i < cnt; i++) {
1190 		if (ptr->paramList[NS_LDAP_CREDENTIAL_LEVEL_P].ns_pi[i] ==
1191 		    NS_LDAP_CRED_SELF)
1192 			self++;
1193 	}
1194 	gssapi = 0;
1195 	cnt = ptr->paramList[NS_LDAP_AUTH_P].ns_acnt;
1196 	for (i = 0; i < cnt; i++) {
1197 		if (ptr->paramList[NS_LDAP_AUTH_P].ns_pi[i] ==
1198 		    NS_LDAP_EA_SASL_GSSAPI)
1199 			gssapi++;
1200 	}
1201 	if (gssapi == 0 && self > 0) {
1202 		(void) snprintf(errstr, MAXERROR,
1203 		    gettext("Configuration Error: "
1204 		    "Credential level self requires "
1205 		    "authentication method sasl/GSSAPI"));
1206 		return (NS_PARSE_ERR);
1207 	}
1208 	if (gssapi > 0 && self == 0) {
1209 		(void) snprintf(errstr, MAXERROR,
1210 		    gettext("Configuration Error: "
1211 		    "Authentication method sasl/GSSAPI "
1212 		    "requires credential level self"));
1213 		return (NS_PARSE_ERR);
1214 	}
1215 	return (NS_SUCCESS);
1216 }
1217 
1218 
1219 int
1220 __s_api_get_type(const char *value, ParamIndexType *type)
1221 {
1222 	int	i;
1223 
1224 	for (i = 0; defconfig[i].name != NULL; i++) {
1225 		if (strcasecmp(defconfig[i].name, value) == 0) {
1226 			*type = defconfig[i].index;
1227 			return (0);
1228 		}
1229 	}
1230 	return (-1);
1231 }
1232 
1233 /*
1234  * Externally defined version of get_type.
1235  * Includes extra error checking
1236  */
1237 
1238 int
1239 __ns_ldap_getParamType(const char *value, ParamIndexType *type)
1240 {
1241 	if (value == NULL || type == NULL)
1242 		return (-1);
1243 	return (__s_api_get_type(value, type));
1244 }
1245 
1246 int
1247 __s_api_get_versiontype(ns_config_t *ptr, char *value, ParamIndexType *type)
1248 {
1249 	ns_version_t	ver;
1250 	int		i;
1251 
1252 	if (ptr == NULL)
1253 		return (-1);
1254 
1255 	ver = ptr->version;
1256 
1257 	for (i = 0; defconfig[i].name != NULL; i++) {
1258 		if (strcasecmp(defconfig[i].name, value) == 0) {
1259 			if (defconfig[i].version == ver) {
1260 				*type = defconfig[i].index;
1261 				return (0);
1262 			}
1263 		}
1264 	}
1265 	return (-1);
1266 }
1267 
1268 int
1269 __s_api_get_profiletype(char *value, ParamIndexType *type)
1270 {
1271 	int	i;
1272 
1273 	for (i = 0; defconfig[i].name != NULL; i++) {
1274 		if (defconfig[i].profile_name == NULL)
1275 			continue;
1276 		if (strcasecmp(defconfig[i].profile_name, value) == 0) {
1277 			*type = defconfig[i].index;
1278 			return (0);
1279 		}
1280 	}
1281 	return (-1);
1282 }
1283 
1284 int
1285 __s_api_get_configtype(ParamIndexType type)
1286 {
1287 	int i;
1288 
1289 	for (i = 0; defconfig[i].name != NULL; i++) {
1290 		if (defconfig[i].index == type) {
1291 			return (defconfig[i].config_type);
1292 		}
1293 	}
1294 	return (-1);
1295 }
1296 
1297 const char *
1298 __s_api_get_configname(ParamIndexType type)
1299 {
1300 	int i;
1301 
1302 	for (i = 0; defconfig[i].name != NULL; i++) {
1303 		if (defconfig[i].index == type) {
1304 			if (defconfig[i].name[0] == '\0')
1305 				return (NULL);
1306 			else
1307 				return (defconfig[i].name);
1308 		}
1309 	}
1310 	return (NULL);
1311 }
1312 
1313 static ns_default_config *
1314 get_defconfig(ns_config_t *ptr, ParamIndexType type)
1315 {
1316 	ns_version_t	ver;
1317 	int		i;
1318 
1319 	ver = ptr->version;
1320 
1321 	for (i = 0; defconfig[i].name != NULL; i++) {
1322 		if (defconfig[i].index == type &&
1323 		    defconfig[i].version == ver) {
1324 			return (&defconfig[i]);
1325 		}
1326 	}
1327 	return (NULL);
1328 }
1329 
1330 static int
1331 set_default_value(ns_config_t *configptr, char *name,
1332 			char *value, ns_ldap_error_t **error)
1333 {
1334 	ParamIndexType	i;
1335 	int		ret;
1336 	char		errstr[MAXERROR];
1337 
1338 	if (__s_api_get_type(name, &i) < 0) {
1339 		(void) snprintf(errstr, sizeof (errstr), gettext(
1340 		    "Illegal type name (%s).\n"), name);
1341 		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
1342 		    NULL);
1343 		return (NS_LDAP_CONFIG);
1344 	}
1345 
1346 	if (i != NS_LDAP_SERVERS_P &&
1347 	    i != NS_LDAP_SERVICE_AUTH_METHOD_P &&
1348 	    i != NS_LDAP_SERVICE_CRED_LEVEL_P &&
1349 	    i != NS_LDAP_SERVICE_SEARCH_DESC_P &&
1350 	    i != NS_LDAP_SERVER_PREF_P &&
1351 	    i != NS_LDAP_SEARCH_DN_P) {
1352 		if (configptr->paramList[i].ns_ptype != NS_UNKNOWN) {
1353 			destroy_param(configptr, i);
1354 		}
1355 	}
1356 
1357 	ret = __ns_ldap_setParamValue(configptr, i, value, error);
1358 	return (ret);
1359 }
1360 
1361 
1362 /*
1363  * Initialize config to a default state
1364  * By default leave configuration empty
1365  * getParam will automatically get the
1366  * appropriate default value if none exists
1367  */
1368 
1369 void
1370 __ns_ldap_default_config()
1371 {
1372 	ns_config_t	*ptr;
1373 
1374 	ptr = __s_api_create_config();
1375 	if (ptr == NULL)
1376 		return;
1377 
1378 	set_curr_config(ptr);
1379 	__s_api_release_config(ptr);
1380 }
1381 
1382 /*
1383  * Get the current configuration pointer and return it.
1384  * If necessary initialize or refresh the current
1385  * configuration as applicable. If global is set, returns
1386  * the global one.
1387  */
1388 
1389 static ns_config_t *
1390 loadrefresh_config(boolean_t global)
1391 {
1392 	ns_config_t		*cfg;
1393 	ns_config_t		*new_cfg;
1394 	ns_ldap_error_t		*errorp;
1395 
1396 	/* We want to refresh only one configuration at a time */
1397 	(void) mutex_lock(&ns_loadrefresh_lock);
1398 	if (global == B_TRUE)
1399 		cfg = __s_api_get_default_config_global();
1400 	else
1401 		cfg = __s_api_get_default_config();
1402 
1403 	/* (re)initialize configuration if necessary */
1404 	if (!__s_api_isStandalone() && timetorefresh(cfg)) {
1405 		new_cfg = LoadCacheConfiguration(cfg, &errorp);
1406 		if (new_cfg != NULL && new_cfg != cfg) {
1407 			__s_api_release_config(cfg);
1408 			if (global == B_TRUE)
1409 				set_curr_config_global(new_cfg);
1410 			else
1411 				set_curr_config(new_cfg);
1412 			cfg = new_cfg;
1413 		}
1414 		if (errorp != NULL)
1415 			(void) __ns_ldap_freeError(&errorp);
1416 	}
1417 	(void) mutex_unlock(&ns_loadrefresh_lock);
1418 	return (cfg);
1419 }
1420 
1421 /*
1422  * Get the current global configuration pointer and return it.
1423  * If necessary initialize or refresh the current
1424  * configuration as applicable.
1425  */
1426 
1427 ns_config_t *
1428 __s_api_loadrefresh_config_global()
1429 {
1430 	return (loadrefresh_config(B_TRUE));
1431 }
1432 
1433 /*
1434  * Get the current configuration pointer and return it.
1435  * If necessary initialize or refresh the current
1436  * configuration as applicable. The configuration may
1437  * be the global one or the per connection management one.
1438  */
1439 
1440 ns_config_t *
1441 __s_api_loadrefresh_config()
1442 {
1443 	return (loadrefresh_config(B_FALSE));
1444 }
1445 
1446 /*
1447  * In general this routine is not very usefull. Individual routines can be
1448  * created to do this job.  Once that is done, this function can be removed.
1449  * Size of errstr buffer needs to be MAXERROR.
1450  */
1451 static ns_parse_status
1452 verify_value(ns_config_t *cfg, char *name, char *value, char *errstr)
1453 {
1454 	ParamIndexType	index = 0;
1455 	int		found = 0, j;
1456 	char		*ptr = NULL, *strptr = NULL, buffer[BUFSIZE];
1457 	char		*rest;
1458 	ns_default_config	*def = NULL;
1459 
1460 	if (__s_api_get_type(name, &index) != 0) {
1461 		(void) snprintf(errstr, MAXERROR,
1462 		    gettext("Unknown keyword encountered '%s'."), name);
1463 		return (NS_PARSE_ERR);
1464 	}
1465 
1466 	def = get_defconfig(cfg, index);
1467 
1468 	/* eat up beginning quote, if any */
1469 	while (value != NULL && (*value == QUOTETOK || *value == SPACETOK))
1470 		value++;
1471 
1472 	/* eat up space/quote at end of value */
1473 	if (strlen(value) > 0)
1474 		ptr = value + strlen(value) - 1;
1475 	else
1476 		ptr = value;
1477 	for (; ptr != value && (*ptr == SPACETOK || *ptr == QUOTETOK); ptr--) {
1478 		*ptr = '\0';
1479 	}
1480 
1481 	switch (index) {
1482 	case NS_LDAP_EXP_P:
1483 	case NS_LDAP_CACHETTL_P:
1484 	case NS_LDAP_CERT_PATH_P:
1485 	case NS_LDAP_CERT_PASS_P:
1486 	case NS_LDAP_CERT_NICKNAME_P:
1487 	case NS_LDAP_BINDDN_P:
1488 	case NS_LDAP_BINDPASSWD_P:
1489 	case NS_LDAP_DOMAIN_P:
1490 	case NS_LDAP_SEARCH_BASEDN_P:
1491 	case NS_LDAP_SEARCH_TIME_P:
1492 	case NS_LDAP_PROFILE_P:
1493 	case NS_LDAP_AUTH_P:
1494 	case NS_LDAP_SEARCH_SCOPE_P:
1495 	case NS_LDAP_CREDENTIAL_LEVEL_P:
1496 	case NS_LDAP_SERVICE_SEARCH_DESC_P:
1497 	case NS_LDAP_BIND_TIME_P:
1498 	case NS_LDAP_ATTRIBUTEMAP_P:
1499 	case NS_LDAP_OBJECTCLASSMAP_P:
1500 	case NS_LDAP_SERVICE_AUTH_METHOD_P:
1501 	case NS_LDAP_SERVICE_CRED_LEVEL_P:
1502 	case NS_LDAP_HOST_CERTPATH_P:
1503 		break;
1504 	case NS_LDAP_SEARCH_DN_P:
1505 		/* depreciated because of service descriptors */
1506 		/* Parse as appropriate at descriptor create time */
1507 		break;
1508 	case NS_LDAP_FILE_VERSION_P:
1509 		if (value != NULL &&
1510 		    strcasecmp(value, NS_LDAP_VERSION_1) != 0 &&
1511 		    strcasecmp(value, NS_LDAP_VERSION_2) != 0) {
1512 			(void) snprintf(errstr, MAXERROR,
1513 			    gettext("Version mismatch, expected "
1514 			    "cache version '%s' or '%s' but "
1515 			    "encountered version '%s'."),
1516 			    NS_LDAP_VERSION_1,
1517 			    NS_LDAP_VERSION_2, value);
1518 				return (NS_PARSE_ERR);
1519 		}
1520 		break;
1521 	case NS_LDAP_SERVERS_P:
1522 	case NS_LDAP_SERVER_PREF_P:
1523 		(void) strcpy(buffer, value);
1524 		strptr = strtok_r(buffer, ",", &rest);
1525 		while (strptr != NULL) {
1526 			char	*tmp = NULL;
1527 			tmp = stripdup(strptr);
1528 			if (tmp == NULL || (strchr(tmp, ' ') != NULL)) {
1529 				(void) snprintf(errstr, MAXERROR,
1530 				    gettext("Invalid parameter values "
1531 				    "'%s' specified for keyword '%s'."),
1532 				    tmp, name);
1533 				free(tmp);
1534 				return (NS_PARSE_ERR);
1535 			}
1536 			free(tmp);
1537 			strptr = strtok_r(NULL, ",", &rest);
1538 		}
1539 		break;
1540 	default:
1541 		found = 0; j = 0;
1542 		while (def->allowed != NULL &&
1543 		    def->allowed[j].name != NULL && j < DEFMAX) {
1544 			if (strcmp(def->allowed[j].name,
1545 			    value) == 0) {
1546 				found = 1;
1547 				break;
1548 			}
1549 			j++;
1550 		}
1551 		if (!found) {
1552 			(void) snprintf(errstr, MAXERROR,
1553 			    gettext("Invalid option specified for "
1554 			    "'%s' keyword. '%s' is not a recognized "
1555 			    "keyword value."), name, value);
1556 			return (NS_PARSE_ERR);
1557 		}
1558 	}
1559 
1560 	return (NS_SUCCESS);
1561 }
1562 
1563 void
1564 __s_api_split_key_value(char *buffer, char **name, char **value)
1565 {
1566 	char	*ptr;
1567 
1568 	*name = buffer;
1569 	/* split into name value pair */
1570 	if ((ptr = strchr(buffer, TOKENSEPARATOR)) != NULL) {
1571 		*ptr = '\0';
1572 		ptr++;
1573 		/* trim whitespace */
1574 		while (*ptr == SPACETOK)
1575 			ptr++;
1576 		*value = ptr;
1577 	}
1578 }
1579 
1580 /*
1581  * Set a parameter value in a generic configuration structure
1582  * Assume any necessary locks are in place.  This routine would
1583  * be better named: __ns_ldap_translateString2Param
1584  *
1585  * This routine translates external string format into internal
1586  * param format and saves the result in the param table.
1587  */
1588 int
1589 __ns_ldap_setParamValue(ns_config_t *ptr, const ParamIndexType type,
1590 		const void *data, ns_ldap_error_t **error)
1591 {
1592 	ns_default_config	*def = NULL;
1593 	ns_param_t		conf;
1594 	ns_mapping_t		*map, *rmap;
1595 	int			i, j, len;
1596 	char			*cp, *cp2, *end;
1597 	char			*tcp = NULL;
1598 	char			errstr[2 * MAXERROR];
1599 	char			tbuf[100], *ptbuf;
1600 	char			*sid, *origA, **mapA;
1601 	char			**attr;
1602 	time_t			tm;
1603 	int 			free_memory, exitrc;
1604 	char			**p;
1605 
1606 	/* Find ParamIndexType default configuration data */
1607 	def = get_defconfig(ptr, type);
1608 	if (def == NULL) {
1609 		(void) snprintf(errstr, sizeof (errstr),
1610 		    gettext("Unable to set value: "
1611 		    "invalid ParamIndexType (%d)"), type);
1612 		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
1613 		    NULL);
1614 		return (NS_LDAP_CONFIG);
1615 	}
1616 
1617 	(void) memset(&conf, 0, sizeof (conf));
1618 
1619 	/* data is actually const char */
1620 	cp = (char *)data;
1621 
1622 	/* eat up beginning quote, if any */
1623 	while (cp && (*cp == QUOTETOK || *cp == SPACETOK))
1624 		cp++;
1625 
1626 	/* eat up space/quote at end of value */
1627 	end = cp2 = cp + strlen(cp) - 1;
1628 	for (; cp2 > cp && (*cp2 == SPACETOK || *cp2 == QUOTETOK); cp2--)
1629 		;
1630 	/* data is const, must duplicate */
1631 	if (cp2 != end) {
1632 		tcp = (char *)calloc((int)(cp2 - cp + 2), sizeof (char));
1633 		if (tcp == NULL)
1634 			return (NS_LDAP_MEMORY);
1635 		end = cp2;
1636 		cp2 = tcp;
1637 		while (cp <= end) {
1638 			*cp2++ = *cp++;
1639 		}
1640 		*cp2 = '\0';
1641 		cp = tcp;
1642 	}
1643 
1644 	/* Parse data according to type */
1645 	switch (def->data_type) {
1646 	case INT:
1647 		switch (def->index) {
1648 		case NS_LDAP_PREF_ONLY_P:
1649 		case NS_LDAP_SEARCH_REF_P:
1650 		case NS_LDAP_SEARCH_SCOPE_P:
1651 			i = __s_get_enum_value(ptr, cp, def->index);
1652 			if (i < 0) {
1653 				(void) snprintf(errstr, sizeof (errstr),
1654 				    gettext("Unable to set value: "
1655 				    "invalid %s (%d)"), def->name,
1656 				    def->index);
1657 				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
1658 				    strdup(errstr), NULL);
1659 				if (tcp != NULL)
1660 					free(tcp);
1661 				return (NS_LDAP_CONFIG);
1662 			}
1663 			conf.ns_i = i;
1664 			break;
1665 		case NS_LDAP_TRANSPORT_SEC_P:	/* ignore TRANSPORT_SEC */
1666 			break;
1667 		default:
1668 			cp2 = cp;
1669 			if ((*cp2 == '+') || (*cp2 == '-'))
1670 				cp2++;
1671 			for (/* empty */; *cp2; cp2++) {
1672 				if (isdigit(*cp2))
1673 					continue;
1674 
1675 				(void) snprintf(errstr, sizeof (errstr),
1676 				    gettext("Unable to set value: "
1677 				    "invalid %s (%d)"), def->name,
1678 				    def->index);
1679 				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
1680 				    strdup(errstr), NULL);
1681 				if (tcp != NULL)
1682 					free(tcp);
1683 				return (NS_LDAP_CONFIG);
1684 			}
1685 			i = atoi(cp);
1686 			conf.ns_i = i;
1687 			break;
1688 		}
1689 		break;
1690 	case TIMET:
1691 		/* Do nothing with a TIMET.  Initialize it below */
1692 		break;
1693 	case CHARPTR:
1694 		conf.ns_pc = (char *)strdup(cp);
1695 		if (conf.ns_pc == NULL) {
1696 			if (tcp != NULL)
1697 				free(tcp);
1698 			return (NS_LDAP_MEMORY);
1699 		}
1700 		break;
1701 	case SAMLIST:
1702 		/* first check to see if colon (:) is there */
1703 		if ((strchr(cp, COLONTOK)) == NULL) {
1704 			(void) snprintf(errstr, sizeof (errstr),
1705 			    gettext("Unable to set value: "
1706 			    "invalid serviceAuthenticationMethod (%s)"),
1707 			    cp);
1708 			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
1709 			    strdup(errstr), NULL);
1710 			if (tcp != NULL)
1711 				free(tcp);
1712 			return (NS_LDAP_CONFIG);
1713 		}
1714 		/* Appends an entry to the existing list */
1715 		if (ptr->paramList[type].ns_ptype != SAMLIST) {
1716 			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
1717 			if (conf.ns_ppc == NULL) {
1718 				if (tcp != NULL)
1719 					free(tcp);
1720 				return (NS_LDAP_MEMORY);
1721 			}
1722 			conf.ns_acnt = 1;
1723 			conf.ns_ppc[0] = (char *)strdup(cp);
1724 			if (conf.ns_ppc[0] == NULL) {
1725 				free(conf.ns_ppc);
1726 				if (tcp != NULL)
1727 					free(tcp);
1728 				return (NS_LDAP_MEMORY);
1729 			}
1730 		} else {
1731 			char *dp, *dpend;
1732 			int fnd = 0;
1733 
1734 			/* Attempt to replace if possible */
1735 			dpend = strchr(cp, COLONTOK);
1736 			len = dpend - cp;
1737 			dp = (char *)malloc(len+1);
1738 			if (dp == NULL) {
1739 				if (tcp != NULL)
1740 					free(tcp);
1741 				return (NS_LDAP_MEMORY);
1742 			}
1743 			(void) strlcpy(dp, cp, len+1);
1744 			fnd = 0;
1745 			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
1746 				dpend = strchr(ptr->paramList[type].ns_ppc[j],
1747 				    COLONTOK);
1748 				if (dpend == NULL)
1749 					continue;
1750 				i = dpend - ptr->paramList[type].ns_ppc[j];
1751 				if (i != len)
1752 					continue;
1753 				if (strncmp(ptr->paramList[type].ns_ppc[j],
1754 				    dp, len) == 0) {
1755 					conf.ns_acnt =
1756 					    ptr->paramList[type].ns_acnt;
1757 					conf.ns_ppc =
1758 					    ptr->paramList[type].ns_ppc;
1759 					ptr->paramList[type].ns_ppc = NULL;
1760 					free(conf.ns_ppc[j]);
1761 					conf.ns_ppc[j] = (char *)strdup(cp);
1762 					if (conf.ns_ppc[j] == NULL) {
1763 						free(dp);
1764 						__s_api_free2dArray
1765 						    (conf.ns_ppc);
1766 						if (tcp != NULL)
1767 							free(tcp);
1768 						return (NS_LDAP_MEMORY);
1769 					}
1770 					fnd = 1;
1771 					break;
1772 				}
1773 			}
1774 			free(dp);
1775 
1776 			if (fnd)
1777 				break;	/* Replaced completed */
1778 
1779 			/* Append */
1780 			len = ptr->paramList[type].ns_acnt + 1;
1781 			if (len > 1) {
1782 				p = (char **)dupParam(&ptr->paramList[type]);
1783 				if (p == NULL) {
1784 					if (tcp != NULL)
1785 						free(tcp);
1786 					return (NS_LDAP_MEMORY);
1787 				}
1788 			} else
1789 				p = NULL;
1790 			conf.ns_ppc =
1791 			    (char **)realloc(p, (len+1) * sizeof (char *));
1792 			if (conf.ns_ppc == NULL) {
1793 				__s_api_free2dArray(p);
1794 				if (tcp != NULL)
1795 					free(tcp);
1796 				return (NS_LDAP_MEMORY);
1797 			}
1798 			conf.ns_acnt = len;
1799 			conf.ns_ppc[len-1] = (char *)strdup(cp);
1800 			if (conf.ns_ppc[len-1] == NULL) {
1801 				__s_api_free2dArray(conf.ns_ppc);
1802 				if (tcp != NULL)
1803 					free(tcp);
1804 				return (NS_LDAP_MEMORY);
1805 			}
1806 			conf.ns_ppc[len] = NULL;
1807 		}
1808 		break;
1809 	case SCLLIST:
1810 		/* first check to see if colon (:) is there */
1811 		if ((strchr(cp, COLONTOK)) == NULL) {
1812 			(void) snprintf(errstr, sizeof (errstr),
1813 			    gettext("Unable to set value: "
1814 			    "invalid serviceCredentialLevel (%s)"),
1815 			    cp);
1816 			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
1817 			    strdup(errstr), NULL);
1818 			if (tcp != NULL)
1819 				free(tcp);
1820 			return (NS_LDAP_CONFIG);
1821 		}
1822 		/* Appends an entry to the existing list */
1823 		if (ptr->paramList[type].ns_ptype != SCLLIST) {
1824 			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
1825 			if (conf.ns_ppc == NULL) {
1826 				if (tcp != NULL)
1827 					free(tcp);
1828 				return (NS_LDAP_MEMORY);
1829 			}
1830 			conf.ns_acnt = 1;
1831 			conf.ns_ppc[0] = (char *)strdup(cp);
1832 			if (conf.ns_ppc[0] == NULL) {
1833 				free(conf.ns_ppc);
1834 				if (tcp != NULL)
1835 					free(tcp);
1836 				return (NS_LDAP_MEMORY);
1837 			}
1838 		} else {
1839 			char *dp, *dpend;
1840 			int fnd = 0;
1841 
1842 			/* Attempt to replace if possible */
1843 			dpend = strchr(cp, COLONTOK);
1844 			len = dpend - cp;
1845 			dp = (char *)malloc(len+1);
1846 			if (dp == NULL) {
1847 				if (tcp != NULL)
1848 					free(tcp);
1849 				return (NS_LDAP_MEMORY);
1850 			}
1851 			(void) strlcpy(dp, cp, len+1);
1852 			fnd = 0;
1853 			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
1854 				dpend = strchr(ptr->paramList[type].ns_ppc[j],
1855 				    COLONTOK);
1856 				if (dpend == NULL)
1857 					continue;
1858 				i = dpend - ptr->paramList[type].ns_ppc[j];
1859 				if (i != len)
1860 					continue;
1861 				if (strncmp(ptr->paramList[type].ns_ppc[j],
1862 				    dp, len) == 0) {
1863 					conf.ns_acnt =
1864 					    ptr->paramList[type].ns_acnt;
1865 					conf.ns_ppc =
1866 					    ptr->paramList[type].ns_ppc;
1867 					ptr->paramList[type].ns_ppc = NULL;
1868 					free(conf.ns_ppc[j]);
1869 					conf.ns_ppc[j] = (char *)strdup(cp);
1870 					if (conf.ns_ppc[j] == NULL) {
1871 						free(dp);
1872 						__s_api_free2dArray
1873 						    (conf.ns_ppc);
1874 						if (tcp != NULL)
1875 							free(tcp);
1876 						return (NS_LDAP_MEMORY);
1877 					}
1878 					fnd = 1;
1879 					break;
1880 				}
1881 			}
1882 			free(dp);
1883 
1884 			if (fnd)
1885 				break;	/* Replaced completed */
1886 
1887 			/* Append */
1888 			len = ptr->paramList[type].ns_acnt + 1;
1889 			if (len > 1) {
1890 				p = (char **)dupParam(&ptr->paramList[type]);
1891 				if (p == NULL) {
1892 					if (tcp != NULL)
1893 						free(tcp);
1894 					return (NS_LDAP_MEMORY);
1895 				}
1896 			} else
1897 				p = NULL;
1898 			conf.ns_ppc =
1899 			    (char **)realloc(p, (len+1) * sizeof (char *));
1900 			if (conf.ns_ppc == NULL) {
1901 				__s_api_free2dArray(p);
1902 				if (tcp != NULL)
1903 					free(tcp);
1904 				return (NS_LDAP_MEMORY);
1905 			}
1906 			conf.ns_acnt = len;
1907 			conf.ns_ppc[len-1] = (char *)strdup(cp);
1908 			if (conf.ns_ppc[len-1] == NULL) {
1909 				__s_api_free2dArray(conf.ns_ppc);
1910 				if (tcp != NULL)
1911 					free(tcp);
1912 				return (NS_LDAP_MEMORY);
1913 			}
1914 			conf.ns_ppc[len] = NULL;
1915 		}
1916 		break;
1917 	case SSDLIST:
1918 		/*
1919 		 * first check to see if colon (:) is there,
1920 		 * if so, make sure the serviceId is specified,
1921 		 * i.e., colon is not the first character
1922 		 */
1923 		if ((strchr(cp, COLONTOK)) == NULL || *cp == COLONTOK) {
1924 			(void) snprintf(errstr, sizeof (errstr),
1925 			    gettext("Unable to set value: "
1926 			    "invalid serviceSearchDescriptor (%s)"),
1927 			    cp);
1928 			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
1929 			    strdup(errstr), NULL);
1930 			if (tcp != NULL)
1931 				free(tcp);
1932 			return (NS_LDAP_CONFIG);
1933 		}
1934 		/* Appends an entry to the existing list */
1935 		if (ptr->paramList[type].ns_ptype != SSDLIST) {
1936 			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
1937 			if (conf.ns_ppc == NULL) {
1938 				if (tcp != NULL)
1939 					free(tcp);
1940 				return (NS_LDAP_MEMORY);
1941 			}
1942 			conf.ns_acnt = 1;
1943 			conf.ns_ppc[0] = (char *)strdup(cp);
1944 			if (conf.ns_ppc[0] == NULL) {
1945 				free(conf.ns_ppc);
1946 				if (tcp != NULL)
1947 					free(tcp);
1948 				return (NS_LDAP_MEMORY);
1949 			}
1950 		} else {
1951 			char *dp, *dpend;
1952 			int fnd = 0;
1953 
1954 			/* Attempt to replace if possible */
1955 			dpend = strchr(cp, COLONTOK);
1956 			len = dpend - cp;
1957 			dp = (char *)malloc(len+1);
1958 			if (dp == NULL) {
1959 				if (tcp != NULL)
1960 					free(tcp);
1961 				return (NS_LDAP_MEMORY);
1962 			}
1963 			(void) strlcpy(dp, cp, len+1);
1964 			fnd = 0;
1965 			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
1966 				dpend = strchr(ptr->paramList[type].ns_ppc[j],
1967 				    COLONTOK);
1968 				if (dpend == NULL)
1969 					continue;
1970 				i = dpend - ptr->paramList[type].ns_ppc[j];
1971 				if (i != len)
1972 					continue;
1973 				if (strncmp(ptr->paramList[type].ns_ppc[j],
1974 				    dp, len) == 0) {
1975 					conf.ns_acnt =
1976 					    ptr->paramList[type].ns_acnt;
1977 					conf.ns_ppc =
1978 					    ptr->paramList[type].ns_ppc;
1979 					ptr->paramList[type].ns_ppc = NULL;
1980 					free(conf.ns_ppc[j]);
1981 					conf.ns_ppc[j] = (char *)strdup(cp);
1982 					if (conf.ns_ppc[j] == NULL) {
1983 						free(dp);
1984 						__s_api_free2dArray
1985 						    (conf.ns_ppc);
1986 						if (tcp != NULL)
1987 							free(tcp);
1988 						return (NS_LDAP_MEMORY);
1989 					}
1990 					fnd = 1;
1991 					break;
1992 				}
1993 			}
1994 			free(dp);
1995 
1996 			if (fnd)
1997 				break;	/* Replaced completed */
1998 
1999 			/* Append */
2000 			len = ptr->paramList[type].ns_acnt + 1;
2001 			if (len > 1) {
2002 				p = (char **)dupParam(&ptr->paramList[type]);
2003 				if (p == NULL) {
2004 					if (tcp != NULL)
2005 						free(tcp);
2006 					return (NS_LDAP_MEMORY);
2007 				}
2008 			} else
2009 				p = NULL;
2010 			conf.ns_ppc =
2011 			    (char **)realloc(p, (len+1) * sizeof (char *));
2012 			if (conf.ns_ppc == NULL) {
2013 				__s_api_free2dArray(p);
2014 				if (tcp != NULL)
2015 					free(tcp);
2016 				return (NS_LDAP_MEMORY);
2017 			}
2018 			conf.ns_acnt = len;
2019 			conf.ns_ppc[len-1] = (char *)strdup(cp);
2020 			if (conf.ns_ppc[len-1] == NULL) {
2021 				__s_api_free2dArray(conf.ns_ppc);
2022 				if (tcp != NULL)
2023 					free(tcp);
2024 				return (NS_LDAP_MEMORY);
2025 			}
2026 			conf.ns_ppc[len] = NULL;
2027 		}
2028 		break;
2029 	case ARRAYCP:
2030 		len = 0;
2031 		for (cp2 = cp; *cp2; cp2++) {
2032 			if (*cp2 == COMMATOK)
2033 				len++;
2034 		}
2035 		if (cp != cp2)
2036 			len++;
2037 		if (len == 0) {
2038 			conf.ns_ppc = (char **)NULL;
2039 			conf.ns_acnt = 0;
2040 			break;
2041 		}
2042 		conf.ns_ppc = (char **)calloc(len + 1, sizeof (char *));
2043 		if (conf.ns_ppc == NULL) {
2044 			if (tcp != NULL)
2045 				free(tcp);
2046 			return (NS_LDAP_MEMORY);
2047 		}
2048 		conf.ns_acnt = len;
2049 		i = 0;
2050 		for (cp2 = cp; *cp2; cp2++) {
2051 			if (*cp2 == COMMATOK) {
2052 				j = cp2 - cp + 1;
2053 				conf.ns_ppc[i] = (char *)malloc(j + 1);
2054 				if (conf.ns_ppc[i] == NULL) {
2055 					__s_api_free2dArray(conf.ns_ppc);
2056 					if (tcp != NULL)
2057 						free(tcp);
2058 					return (NS_LDAP_MEMORY);
2059 				}
2060 				(void) strlcpy(conf.ns_ppc[i], cp, j);
2061 				cp = cp2+1;
2062 				while (*cp == SPACETOK || *cp == COMMATOK)
2063 					cp++;
2064 				cp2 = cp - 1;
2065 				i++;
2066 			}
2067 		}
2068 		j = cp2 - cp + 1;
2069 		conf.ns_ppc[i] = (char *)malloc(j + 1);
2070 		if (conf.ns_ppc[i] == NULL) {
2071 			__s_api_free2dArray(conf.ns_ppc);
2072 			if (tcp != NULL)
2073 				free(tcp);
2074 			return (NS_LDAP_MEMORY);
2075 		}
2076 		(void) strlcpy(conf.ns_ppc[i], cp, j);
2077 		break;
2078 	case SERVLIST:
2079 		len = 0;
2080 		for (cp2 = cp; *cp2; cp2++) {
2081 			if (*cp2 == SPACETOK || *cp2 == COMMATOK) {
2082 				len++;
2083 				for (; *(cp2 + 1) == SPACETOK ||
2084 				    *(cp2 +1) == COMMATOK; cp2++)
2085 					;
2086 			}
2087 		}
2088 		if (cp != cp2)
2089 			len++;
2090 		if (len == 0) {
2091 			conf.ns_ppc = (char **)NULL;
2092 			conf.ns_acnt = 0;
2093 			break;
2094 		}
2095 		conf.ns_ppc = (char **)calloc(len + 1, sizeof (char *));
2096 		if (conf.ns_ppc == NULL) {
2097 			if (tcp != NULL)
2098 				free(tcp);
2099 			return (NS_LDAP_MEMORY);
2100 		}
2101 		conf.ns_acnt = len;
2102 		i = 0;
2103 		for (cp2 = cp; *cp2; cp2++) {
2104 			if (*cp2 == SPACETOK || *cp2 == COMMATOK) {
2105 				j = cp2 - cp + 1;
2106 				conf.ns_ppc[i] = (char *)malloc(j + 1);
2107 				if (conf.ns_ppc[i] == NULL) {
2108 					__s_api_free2dArray(conf.ns_ppc);
2109 					if (tcp != NULL)
2110 						free(tcp);
2111 					return (NS_LDAP_MEMORY);
2112 				}
2113 				(void) strlcpy(conf.ns_ppc[i], cp, j);
2114 				cp = cp2+1;
2115 				while (*cp == SPACETOK || *cp == COMMATOK)
2116 					cp++;
2117 				cp2 = cp - 1;
2118 				i++;
2119 			}
2120 		}
2121 		j = cp2 - cp + 1;
2122 		conf.ns_ppc[i] = (char *)malloc(j + 1);
2123 		if (conf.ns_ppc[i] == NULL) {
2124 			__s_api_free2dArray(conf.ns_ppc);
2125 			if (tcp != NULL)
2126 				free(tcp);
2127 			return (NS_LDAP_MEMORY);
2128 		}
2129 		(void) strlcpy(conf.ns_ppc[i], cp, j);
2130 		break;
2131 	case ARRAYAUTH:
2132 		len = 0;
2133 		for (cp2 = cp; *cp2; cp2++) {
2134 			if (*cp2 == SEMITOK || *cp2 == COMMATOK)
2135 				len++;
2136 		}
2137 		if (cp != cp2)
2138 			len++;
2139 		if (len == 0) {
2140 			conf.ns_pi = (int *)NULL;
2141 			conf.ns_acnt = 0;
2142 			break;
2143 		}
2144 		conf.ns_pi = (int *)calloc(len + 1, sizeof (int));
2145 		if (conf.ns_pi == NULL) {
2146 			if (tcp != NULL)
2147 				free(tcp);
2148 			return (NS_LDAP_MEMORY);
2149 		}
2150 		conf.ns_acnt = len;
2151 		i = 0;
2152 		for (cp2 = cp; *cp2; cp2++) {
2153 			if (*cp2 == SEMITOK || *cp2 == COMMATOK) {
2154 				j = cp2 - cp + 1;
2155 				if (j > sizeof (tbuf)) {
2156 					j = -1;
2157 					ptbuf = cp;
2158 				} else {
2159 					(void) strlcpy(tbuf, cp, j);
2160 					j = __s_get_enum_value(ptr, tbuf,
2161 					    def->index);
2162 					ptbuf = tbuf;
2163 				}
2164 				if (j < 0) {
2165 					(void) snprintf(errstr, sizeof (errstr),
2166 					    gettext("Unable to set value: "
2167 					    "invalid "
2168 					    "authenticationMethod (%s)"),
2169 					    ptbuf);
2170 					MKERROR(LOG_ERR, *error,
2171 					    NS_CONFIG_SYNTAX,
2172 					    strdup(errstr), NULL);
2173 					free(conf.ns_pi);
2174 					if (tcp != NULL)
2175 						free(tcp);
2176 					return (NS_LDAP_CONFIG);
2177 				}
2178 				conf.ns_pi[i] = j;
2179 				cp = cp2+1;
2180 				i++;
2181 			}
2182 		}
2183 		j = cp2 - cp + 1;
2184 		if (j > sizeof (tbuf)) {
2185 			j = -1;
2186 			ptbuf = cp;
2187 		} else {
2188 			(void) strlcpy(tbuf, cp, j);
2189 			j = __s_get_enum_value(ptr, tbuf, def->index);
2190 			ptbuf = tbuf;
2191 		}
2192 		if (j < 0) {
2193 			(void) snprintf(errstr, sizeof (errstr),
2194 			    gettext("Unable to set value: "
2195 			    "invalid authenticationMethod (%s)"), ptbuf);
2196 			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
2197 			    strdup(errstr), NULL);
2198 			if (tcp != NULL)
2199 				free(tcp);
2200 			return (NS_LDAP_CONFIG);
2201 		}
2202 		conf.ns_pi[i] = j;
2203 		break;
2204 	case ARRAYCRED:
2205 		len = 0;
2206 		for (cp2 = cp; *cp2; cp2++) {
2207 			if (*cp2 == SPACETOK)
2208 				len++;
2209 		}
2210 		if (cp != cp2)
2211 			len++;
2212 		if (len == 0) {
2213 			conf.ns_pi = (int *)NULL;
2214 			conf.ns_acnt = 0;
2215 			break;
2216 		}
2217 		conf.ns_pi = (int *)calloc(len + 1, sizeof (int));
2218 		if (conf.ns_pi == NULL) {
2219 			if (tcp != NULL)
2220 				free(tcp);
2221 			return (NS_LDAP_MEMORY);
2222 		}
2223 		conf.ns_acnt = len;
2224 		i = 0;
2225 		for (cp2 = cp; *cp2; cp2++) {
2226 			if (*cp2 == SPACETOK) {
2227 				j = cp2 - cp + 1;
2228 				if (j > sizeof (tbuf)) {
2229 					j = -1;
2230 					ptbuf = cp;
2231 				} else {
2232 					(void) strlcpy(tbuf, cp, j);
2233 					j = __s_get_enum_value(ptr, tbuf,
2234 					    def->index);
2235 					ptbuf = tbuf;
2236 				}
2237 				if (j < 0) {
2238 					(void) snprintf(errstr, sizeof (errstr),
2239 					    gettext("Unable to set value: "
2240 					    "invalid credentialLevel (%s)"),
2241 					    ptbuf);
2242 					MKERROR(LOG_ERR, *error,
2243 					    NS_CONFIG_SYNTAX,
2244 					    strdup(errstr), NULL);
2245 					free(conf.ns_pi);
2246 					if (tcp != NULL)
2247 						free(tcp);
2248 					return (NS_LDAP_CONFIG);
2249 				}
2250 				conf.ns_pi[i] = j;
2251 				cp = cp2+1;
2252 				i++;
2253 			}
2254 		}
2255 		j = cp2 - cp + 1;
2256 		if (j > sizeof (tbuf)) {
2257 			j = -1;
2258 			ptbuf = cp;
2259 		} else {
2260 			(void) strlcpy(tbuf, cp, j);
2261 			j = __s_get_enum_value(ptr, tbuf, def->index);
2262 			ptbuf = tbuf;
2263 		}
2264 		if (j < 0) {
2265 			(void) snprintf(errstr, sizeof (errstr),
2266 			    gettext("Unable to set value: "
2267 			    "invalid credentialLevel (%s)"), ptbuf);
2268 			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
2269 			    strdup(errstr), NULL);
2270 			if (tcp != NULL)
2271 				free(tcp);
2272 			return (NS_LDAP_CONFIG);
2273 		}
2274 		conf.ns_pi[i] = j;
2275 		break;
2276 	case ATTRMAP:
2277 	case OBJMAP:
2278 		i = __s_api_parse_map(cp, &sid, &origA, &mapA);
2279 		if (i != NS_HASH_RC_SUCCESS) {
2280 			if (i == NS_HASH_RC_NO_MEMORY) {
2281 				exitrc = NS_LDAP_MEMORY;
2282 			} else {
2283 				(void) snprintf(errstr, sizeof (errstr),
2284 				gettext("Unable to set value: "
2285 				"invalid schema mapping (%s)"), cp);
2286 				exitrc = NS_LDAP_CONFIG;
2287 				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
2288 				    strdup(errstr), NULL);
2289 			}
2290 			if (tcp)
2291 				free(tcp);
2292 			return (exitrc);
2293 		}
2294 
2295 		/*
2296 		 * Add reverse map first.
2297 		 * There could be more than one.
2298 		 */
2299 		for (attr = mapA; *attr; attr++) {
2300 
2301 			free_memory = 1;
2302 			exitrc = NS_LDAP_MEMORY;
2303 
2304 			rmap = (ns_mapping_t *)calloc(1,
2305 			    sizeof (ns_mapping_t));
2306 			if (rmap) {
2307 				rmap->service = strdup(sid);
2308 				if (rmap->service) {
2309 					rmap->orig = strdup(*attr);
2310 					if (rmap->orig) {
2311 						rmap->map = (char **)calloc(2,
2312 						    sizeof (char *));
2313 						if (rmap->map) {
2314 							(rmap->map)[0] =
2315 							    strdup(origA);
2316 							if ((rmap->map)[0])
2317 								free_memory = 0;
2318 						}
2319 					}
2320 				}
2321 			}
2322 
2323 			if (free_memory == 0) {
2324 				if (def->data_type == ATTRMAP) {
2325 					rmap->type = NS_ATTR_MAP;
2326 					i = __s_api_add_map2hash(ptr,
2327 					    NS_HASH_RAMAP, rmap);
2328 				} else {
2329 					rmap->type = NS_OBJ_MAP;
2330 					i = __s_api_add_map2hash(ptr,
2331 					    NS_HASH_ROMAP, rmap);
2332 				}
2333 
2334 				if (i != NS_HASH_RC_SUCCESS) {
2335 					switch (i) {
2336 					case NS_HASH_RC_CONFIG_ERROR:
2337 						exitrc = NS_LDAP_INTERNAL;
2338 						(void) snprintf(errstr,
2339 						    sizeof (errstr),
2340 						    gettext(
2341 						    "Unable to set value: "
2342 						    "no configuration info "
2343 						    "for schema map "
2344 						    "update (%s)"), cp);
2345 						MKERROR(LOG_ERR, *error,
2346 						    NS_LDAP_INTERNAL,
2347 						    strdup(errstr),
2348 						    NULL);
2349 						break;
2350 					case NS_HASH_RC_EXISTED:
2351 						exitrc = NS_LDAP_CONFIG;
2352 						(void) snprintf(errstr,
2353 						    sizeof (errstr),
2354 						    gettext(
2355 						    "Unable to set value: "
2356 						    "schema map "
2357 						    "already existed for "
2358 						    "(%s, %s)."),
2359 						    *attr, origA);
2360 						MKERROR(LOG_ERR, *error,
2361 						    NS_CONFIG_SYNTAX,
2362 						    strdup(errstr),
2363 						    NULL);
2364 						break;
2365 					case NS_HASH_RC_NO_MEMORY:
2366 						exitrc = NS_LDAP_MEMORY;
2367 						break;
2368 					}
2369 					free_memory = 1;
2370 				}
2371 			}
2372 
2373 			if (free_memory) {
2374 				if (tcp)
2375 					free(tcp);
2376 				free(sid);
2377 				free(origA);
2378 				__s_api_free2dArray(mapA);
2379 				if (rmap) {
2380 					if (rmap->service)
2381 						free(rmap->service);
2382 					if (rmap->orig)
2383 						free(rmap->orig);
2384 					if (rmap->map) {
2385 						if ((rmap->map)[0])
2386 							free((rmap->map)[0]);
2387 						free(rmap->map);
2388 					}
2389 					free(rmap);
2390 				}
2391 				return (exitrc);
2392 			}
2393 		}
2394 
2395 		/*
2396 		 * For performance gain,
2397 		 * add a "schema mapping existed" indicator
2398 		 * for the given service if not already added.
2399 		 * This dummy map needs not be removed, if
2400 		 * the next real map add operation fails.
2401 		 * since the caller, e.g. ldap_cachemgr.
2402 		 * should exit anyway.
2403 		 */
2404 		free_memory = 1;
2405 		exitrc = NS_LDAP_MEMORY;
2406 
2407 		map = (ns_mapping_t *)calloc(1,
2408 		    sizeof (ns_mapping_t));
2409 		if (map) {
2410 			map->service = strdup(sid);
2411 			if (map->service) {
2412 				map->orig = strdup(
2413 				    NS_HASH_SCHEMA_MAPPING_EXISTED);
2414 				if (map->orig) {
2415 					map->map = (char **)calloc(2,
2416 					    sizeof (char *));
2417 					if (map->map) {
2418 						(map->map)[0] =
2419 						    strdup(sid);
2420 						if ((map->map)[0])
2421 							free_memory = 0;
2422 					}
2423 				}
2424 			}
2425 		}
2426 
2427 		if (free_memory == 0) {
2428 			map->type = NS_ATTR_MAP;
2429 			/*
2430 			 * add to reverse map,
2431 			 * so that "ldapclient list"
2432 			 * would not show it
2433 			 */
2434 			i = __s_api_add_map2hash(ptr,
2435 			    NS_HASH_RAMAP, map);
2436 
2437 			/*
2438 			 * ignore "map already existed" error,
2439 			 * just need one per service.
2440 			 * Need however to free memory allocated
2441 			 * for map.
2442 			 */
2443 			if (i != NS_HASH_RC_SUCCESS &&
2444 			    i != NS_HASH_RC_EXISTED) {
2445 				switch (i) {
2446 				case NS_HASH_RC_CONFIG_ERROR:
2447 					exitrc = NS_LDAP_INTERNAL;
2448 					(void) snprintf(errstr,
2449 					    sizeof (errstr),
2450 					    gettext(
2451 					    "Unable to set value: "
2452 					    "no configuration info "
2453 					    "for schema map "
2454 					    "update (%s)"), cp);
2455 					MKERROR(LOG_ERR, *error,
2456 					    NS_LDAP_INTERNAL,
2457 					    strdup(errstr),
2458 					    NULL);
2459 					break;
2460 				case NS_HASH_RC_NO_MEMORY:
2461 					exitrc = NS_LDAP_MEMORY;
2462 					break;
2463 				}
2464 				free_memory = 1;
2465 			} else if (i == NS_HASH_RC_EXISTED) {
2466 				if (map->service)
2467 					free(map->service);
2468 				if (map->orig)
2469 					free(map->orig);
2470 				if (map->map) {
2471 					if ((map->map)[0])
2472 						free((map->map)[0]);
2473 					free(map->map);
2474 				}
2475 				free(map);
2476 				map = NULL;
2477 			}
2478 		}
2479 
2480 		if (free_memory) {
2481 			if (tcp)
2482 				free(tcp);
2483 			free(sid);
2484 			free(origA);
2485 			__s_api_free2dArray(mapA);
2486 			if (map) {
2487 				if (map->service)
2488 					free(map->service);
2489 				if (map->orig)
2490 					free(map->orig);
2491 				if (map->map) {
2492 					if ((map->map)[0])
2493 						free((map->map)[0]);
2494 					free(map->map);
2495 				}
2496 				free(map);
2497 			}
2498 			return (exitrc);
2499 		}
2500 
2501 		/*
2502 		 * add the real schema map
2503 		 */
2504 		free_memory = 1;
2505 		exitrc = NS_LDAP_MEMORY;
2506 		map = (ns_mapping_t *)calloc(1, sizeof (ns_mapping_t));
2507 		if (map) {
2508 			map->service = sid;
2509 			map->orig = origA;
2510 			map->map = mapA;
2511 
2512 			if (def->data_type == ATTRMAP) {
2513 				map->type = NS_ATTR_MAP;
2514 				i = __s_api_add_map2hash(ptr,
2515 				    NS_HASH_AMAP, map);
2516 			} else {
2517 				map->type = NS_OBJ_MAP;
2518 				i = __s_api_add_map2hash(ptr,
2519 				    NS_HASH_OMAP, map);
2520 			}
2521 
2522 			if (i != NS_HASH_RC_SUCCESS) {
2523 				switch (i) {
2524 				case NS_HASH_RC_CONFIG_ERROR:
2525 					exitrc = NS_LDAP_INTERNAL;
2526 					(void) snprintf(errstr,
2527 					    sizeof (errstr),
2528 					    gettext(
2529 					    "Unable to set value: "
2530 					    "no configuration info "
2531 					    "for schema map "
2532 					    "update (%s)"), cp);
2533 					MKERROR(LOG_ERR, *error,
2534 					    NS_LDAP_INTERNAL,
2535 					    strdup(errstr),
2536 					    NULL);
2537 					break;
2538 				case NS_HASH_RC_EXISTED:
2539 					exitrc = NS_LDAP_CONFIG;
2540 					(void) snprintf(errstr,
2541 					    sizeof (errstr),
2542 					    gettext(
2543 					    "Unable to set value: "
2544 					    "schema map "
2545 					    "already existed for "
2546 					    "'%s'."), origA);
2547 					MKERROR(LOG_ERR, *error,
2548 					    NS_CONFIG_SYNTAX,
2549 					    strdup(errstr),
2550 					    NULL);
2551 					break;
2552 				case NS_HASH_RC_NO_MEMORY:
2553 					exitrc = NS_LDAP_MEMORY;
2554 					break;
2555 				}
2556 				free_memory = 1;
2557 			} else
2558 				free_memory = 0;
2559 		}
2560 
2561 		if (free_memory) {
2562 			if (tcp)
2563 				free(tcp);
2564 			free(sid);
2565 			free(origA);
2566 			__s_api_free2dArray(mapA);
2567 			if (map)
2568 				free(map);
2569 			return (exitrc);
2570 		}
2571 
2572 		break;
2573 	default:
2574 		/* This should never happen. */
2575 		(void) snprintf(errstr, sizeof (errstr),
2576 		    gettext("Unable to set value: invalid configuration "
2577 		    "type (%d)"), def->data_type);
2578 		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
2579 		    NULL);
2580 		if (tcp != NULL)
2581 			free(tcp);
2582 		return (NS_LDAP_CONFIG);
2583 	}
2584 	conf.ns_ptype = def->data_type;
2585 	if (tcp != NULL)
2586 		free(tcp);
2587 
2588 	/* Individually written verify routines here can replace */
2589 	/* verify_value.  Verify conf (data) as appropriate here */
2590 	if (def->ns_verify != NULL) {
2591 		if ((*def->ns_verify)(type, def, &conf, errstr) != NS_SUCCESS) {
2592 			ns_param_t sav_conf;
2593 
2594 			(void) snprintf(errstr, sizeof (errstr),
2595 			    gettext("%s"), errstr);
2596 			MKERROR(LOG_WARNING, *error, NS_CONFIG_SYNTAX,
2597 			    strdup(errstr), NULL);
2598 
2599 			sav_conf = ptr->paramList[type];
2600 			ptr->paramList[type] = conf;
2601 			destroy_param(ptr, type);
2602 			ptr->paramList[type] = sav_conf;
2603 
2604 			return (NS_LDAP_CONFIG);
2605 		}
2606 	}
2607 
2608 	/* post evaluate the data */
2609 
2610 	/*
2611 	 * if this is for setting a password,
2612 	 * encrypt the password first.
2613 	 * NOTE evalue() is smart and will just return
2614 	 * the value passed if it is already encrypted.
2615 	 *
2616 	 * Init NS_LDAP_EXP_P here when CACHETTL is updated
2617 	 */
2618 	if (type == NS_LDAP_BINDPASSWD_P) {
2619 		cp = conf.ns_pc;
2620 		cp2 = evalue((char *)cp);
2621 		conf.ns_pc = cp2;
2622 		free(cp);
2623 		cp = NULL;
2624 	} else if (type == NS_LDAP_FILE_VERSION_P) {
2625 		ptr->version = NS_LDAP_V1;
2626 		if (strcasecmp(conf.ns_pc, NS_LDAP_VERSION_2) == 0) {
2627 			ptr->version = NS_LDAP_V2;
2628 		}
2629 	} else if (type == NS_LDAP_CACHETTL_P) {
2630 		cp = conf.ns_pc;
2631 		tm = conv_time(cp);
2632 		ptr->paramList[NS_LDAP_EXP_P].ns_ptype = TIMET;
2633 		if (tm != 0) {
2634 			tm += time(NULL);
2635 		}
2636 		ptr->paramList[NS_LDAP_EXP_P].ns_tm = tm;
2637 	}
2638 
2639 	/* Everything checks out move new values into param */
2640 	destroy_param(ptr, type);
2641 	/* Assign new/updated value into paramList */
2642 	ptr->paramList[type] = conf;
2643 
2644 	return (NS_LDAP_SUCCESS);
2645 }
2646 
2647 
2648 /*
2649  * Set a parameter value in the 'config' configuration structure
2650  * Lock as appropriate
2651  */
2652 
2653 int
2654 __ns_ldap_setParam(const ParamIndexType type,
2655 		const void *data, ns_ldap_error_t **error)
2656 {
2657 	ns_ldap_error_t		*errorp;
2658 	int			ret;
2659 	char			errstr[2 * MAXERROR];
2660 	ns_config_t		*cfg;
2661 	ns_config_t		*cfg_g = (ns_config_t *)-1;
2662 	ns_config_t		*new_cfg;
2663 	boolean_t		reinit_connmgmt = B_FALSE;
2664 
2665 	/* We want to refresh only one configuration at a time */
2666 	(void) mutex_lock(&ns_loadrefresh_lock);
2667 	cfg = __s_api_get_default_config();
2668 
2669 	if (cache_server == TRUE) {
2670 		if (cfg == NULL) {
2671 			__ns_ldap_default_config();
2672 			cfg = __s_api_get_default_config();
2673 			if (cfg == NULL) {
2674 				(void) mutex_unlock(&ns_loadrefresh_lock);
2675 				return (NS_LDAP_MEMORY);
2676 			}
2677 		}
2678 	} else {
2679 		/*
2680 		 * This code always return error here on client side,
2681 		 * this needs to change once libsldap is used by more
2682 		 * applications that need to set parameters.
2683 		 */
2684 		(void) snprintf(errstr, sizeof (errstr),
2685 		    gettext("Unable to set parameter from a client in "
2686 		    "__ns_ldap_setParam()"));
2687 		MKERROR(LOG_WARNING, *error, NS_CONFIG_SYNTAX, strdup(errstr),
2688 		    NULL);
2689 		if (cfg != NULL)
2690 			__s_api_release_config(cfg);
2691 		(void) mutex_unlock(&ns_loadrefresh_lock);
2692 		return (NS_LDAP_CONFIG);
2693 	}
2694 
2695 	/* (re)initialize configuration if necessary */
2696 	if (!__s_api_isStandalone() &&
2697 	    cache_server == FALSE && timetorefresh(cfg))
2698 		cfg_g = __s_api_get_default_config_global();
2699 	/* only (re)initialize the global configuration */
2700 	if (cfg == cfg_g) {
2701 		if (cfg_g != NULL)
2702 			__s_api_release_config(cfg_g);
2703 		new_cfg = LoadCacheConfiguration(cfg, &errorp);
2704 		if (new_cfg != cfg)
2705 			__s_api_release_config(cfg);
2706 		if (new_cfg == NULL) {
2707 			(void) snprintf(errstr, sizeof (errstr),
2708 			    gettext("Unable to load configuration '%s' "
2709 			    "('%s')."), NSCONFIGFILE,
2710 			    errorp != NULL && errorp->message != NULL ?
2711 			    errorp->message : "");
2712 			MKERROR(LOG_WARNING, *error, NS_CONFIG_NOTLOADED,
2713 			    strdup(errstr), NULL);
2714 			if (errorp != NULL)
2715 				(void) __ns_ldap_freeError(&errorp);
2716 			(void) mutex_unlock(&ns_loadrefresh_lock);
2717 			return (NS_LDAP_CONFIG);
2718 		}
2719 		if (new_cfg != cfg) {
2720 			set_curr_config_global(new_cfg);
2721 			cfg = new_cfg;
2722 			reinit_connmgmt = B_TRUE;
2723 		}
2724 	}
2725 	(void) mutex_unlock(&ns_loadrefresh_lock);
2726 
2727 	if (reinit_connmgmt == B_TRUE)
2728 		__s_api_reinit_conn_mgmt_new_config(cfg);
2729 
2730 	/* translate input and save in the parameter list */
2731 	ret = __ns_ldap_setParamValue(cfg, type, data, error);
2732 
2733 	__s_api_release_config(cfg);
2734 
2735 	return (ret);
2736 }
2737 
2738 
2739 /*
2740  * Make a copy of a parameter entry
2741  */
2742 
2743 static void **
2744 dupParam(ns_param_t *ptr)
2745 {
2746 	int		count, i;
2747 	void		**dupdata, *ret;
2748 	int		*intptr;
2749 	char		*cp, tmbuf[32];
2750 	static time_t	expire = 0;
2751 	ns_auth_t	*ap;
2752 
2753 	switch (ptr->ns_ptype) {
2754 	case ARRAYAUTH:
2755 	case ARRAYCRED:
2756 	case SAMLIST:
2757 	case SCLLIST:
2758 	case SSDLIST:
2759 	case SERVLIST:
2760 	case ARRAYCP:
2761 		count = ptr->ns_acnt;
2762 		if (count == 0)
2763 			return (NULL);
2764 		break;
2765 	case CHARPTR:
2766 	case INT:
2767 	case TIMET:
2768 		count = 1;
2769 	}
2770 
2771 	dupdata = (void **)calloc((count + 1), sizeof (void *));
2772 	if (dupdata == NULL)
2773 		return (NULL);
2774 
2775 	switch (ptr->ns_ptype) {
2776 	case ARRAYAUTH:
2777 		for (i = 0; i < count; i++) {
2778 			ap = __s_api_AuthEnumtoStruct(
2779 			    (EnumAuthType_t)ptr->ns_pi[i]);
2780 			if (ap == NULL) {
2781 				free(dupdata);
2782 				return (NULL);
2783 			}
2784 			dupdata[i] = ap;
2785 		}
2786 		break;
2787 	case ARRAYCRED:
2788 		for (i = 0; i < count; i++) {
2789 			intptr = (int *)malloc(sizeof (int));
2790 			if (intptr == NULL) {
2791 				free(dupdata);
2792 				return (NULL);
2793 			}
2794 			dupdata[i] = (void *)intptr;
2795 			*intptr = ptr->ns_pi[i];
2796 		}
2797 		break;
2798 	case SAMLIST:
2799 	case SCLLIST:
2800 	case SSDLIST:
2801 	case SERVLIST:
2802 	case ARRAYCP:
2803 		for (i = 0; i < count; i++) {
2804 			ret = (void *)strdup(ptr->ns_ppc[i]);
2805 			if (ret == NULL) {
2806 				free(dupdata);
2807 				return (NULL);
2808 			}
2809 			dupdata[i] = ret;
2810 		}
2811 		break;
2812 	case CHARPTR:
2813 		if (ptr->ns_pc == NULL) {
2814 			free(dupdata);
2815 			return (NULL);
2816 		}
2817 		ret = (void *)strdup(ptr->ns_pc);
2818 		if (ret == NULL) {
2819 			free(dupdata);
2820 			return (NULL);
2821 		}
2822 		dupdata[0] = ret;
2823 		break;
2824 	case INT:
2825 		intptr = (int *)malloc(sizeof (int));
2826 		if (intptr == NULL) {
2827 			free(dupdata);
2828 			return (NULL);
2829 		}
2830 		*intptr = ptr->ns_i;
2831 		dupdata[0] = (void *)intptr;
2832 		break;
2833 	case TIMET:
2834 		expire = ptr->ns_tm;
2835 		tmbuf[31] = '\0';
2836 		cp = lltostr((long)expire, &tmbuf[31]);
2837 		ret = (void *)strdup(cp);
2838 		if (ret == NULL) {
2839 			free(dupdata);
2840 			return (NULL);
2841 		}
2842 		dupdata[0] = ret;
2843 		break;
2844 	}
2845 	return (dupdata);
2846 }
2847 
2848 int
2849 __ns_ldap_freeParam(void ***data)
2850 {
2851 	void	**tmp;
2852 	int	i = 0;
2853 
2854 	if (*data == NULL)
2855 		return (NS_LDAP_SUCCESS);
2856 
2857 	for (i = 0, tmp = *data; tmp[i] != NULL; i++)
2858 		free(tmp[i]);
2859 
2860 	free(*data);
2861 
2862 	*data = NULL;
2863 
2864 	return (NS_LDAP_SUCCESS);
2865 }
2866 
2867 /*
2868  * Get the internal format for a parameter value.  This
2869  * routine makes a copy of an internal param value from
2870  * the currently active parameter list and returns it.
2871  */
2872 
2873 int
2874 __ns_ldap_getParam(const ParamIndexType Param,
2875 		void ***data, ns_ldap_error_t **error)
2876 {
2877 	char			errstr[2 * MAXERROR];
2878 	ns_ldap_error_t		*errorp;
2879 	ns_default_config	*def;
2880 	ns_config_t		*cfg;
2881 	ns_config_t		*cfg_g = (ns_config_t *)-1;
2882 	ns_config_t		*new_cfg;
2883 	boolean_t		reinit_connmgmt = B_FALSE;
2884 
2885 	if (data == NULL)
2886 		return (NS_LDAP_INVALID_PARAM);
2887 
2888 	*data = NULL;
2889 
2890 	/* We want to refresh only one configuration at a time */
2891 	(void) mutex_lock(&ns_loadrefresh_lock);
2892 	cfg = __s_api_get_default_config();
2893 
2894 	/* (re)initialize configuration if necessary */
2895 	if (!__s_api_isStandalone() &&
2896 	    cache_server == FALSE && timetorefresh(cfg))
2897 		cfg_g = __s_api_get_default_config_global();
2898 	/* only (re)initialize the global configuration */
2899 	if (cfg == cfg_g) {
2900 		if (cfg_g != NULL)
2901 			__s_api_release_config(cfg_g);
2902 		new_cfg = LoadCacheConfiguration(cfg, &errorp);
2903 		if (new_cfg != cfg)
2904 			__s_api_release_config(cfg);
2905 		if (new_cfg == NULL) {
2906 			(void) snprintf(errstr, sizeof (errstr),
2907 			    gettext("Unable to load configuration "
2908 			    "'%s' ('%s')."),
2909 			    NSCONFIGFILE,
2910 			    errorp != NULL && errorp->message != NULL ?
2911 			    errorp->message : "");
2912 			MKERROR(LOG_WARNING, *error, NS_CONFIG_NOTLOADED,
2913 			    strdup(errstr), NULL);
2914 			if (errorp != NULL)
2915 				(void) __ns_ldap_freeError(&errorp);
2916 			(void) mutex_unlock(&ns_loadrefresh_lock);
2917 			return (NS_LDAP_CONFIG);
2918 		}
2919 		if (new_cfg != cfg) {
2920 			set_curr_config_global(new_cfg);
2921 			cfg = new_cfg;
2922 			reinit_connmgmt = B_TRUE;
2923 		}
2924 	}
2925 	(void) mutex_unlock(&ns_loadrefresh_lock);
2926 
2927 	if (reinit_connmgmt == B_TRUE)
2928 		__s_api_reinit_conn_mgmt_new_config(cfg);
2929 
2930 	if (cfg == NULL) {
2931 		(void) snprintf(errstr, sizeof (errstr),
2932 		    gettext("No configuration information available."));
2933 		MKERROR(LOG_ERR, *error, NS_CONFIG_NOTLOADED,
2934 		    strdup(errstr), NULL);
2935 		return (NS_LDAP_CONFIG);
2936 	}
2937 
2938 	if (Param == NS_LDAP_DOMAIN_P) {
2939 		*data = (void **)calloc(2, sizeof (void *));
2940 		if (*data == NULL) {
2941 			__s_api_release_config(cfg);
2942 			return (NS_LDAP_MEMORY);
2943 		}
2944 		(*data)[0] = (void *)strdup(cfg->domainName);
2945 		if ((*data)[0] == NULL) {
2946 			free(*data);
2947 			__s_api_release_config(cfg);
2948 			return (NS_LDAP_MEMORY);
2949 		}
2950 	} else if (cfg->paramList[Param].ns_ptype == NS_UNKNOWN) {
2951 		/* get default */
2952 		def = get_defconfig(cfg, Param);
2953 		if (def != NULL)
2954 			*data = dupParam(&def->defval);
2955 	} else {
2956 		*data = dupParam(&(cfg->paramList[Param]));
2957 	}
2958 	__s_api_release_config(cfg);
2959 
2960 	return (NS_LDAP_SUCCESS);
2961 }
2962 
2963 /*
2964  * This routine takes a parameter in internal format and
2965  * translates it into a variety of string formats for various
2966  * outputs (doors/file/ldif).  This routine would be better
2967  * named: __ns_ldap_translateParam2String
2968  */
2969 
2970 char *
2971 __s_api_strValue(ns_config_t *cfg, char *str,
2972 			int bufsz, ParamIndexType index,
2973 			ns_strfmt_t fmt)
2974 {
2975 	ns_default_config *def = NULL;
2976 	ns_param_t	*ptr;
2977 	ns_hash_t	*hptr;
2978 	ns_mapping_t	*mptr;
2979 	char		ibuf[14], *buf;
2980 	char		abuf[64], **cpp;
2981 	int		alen, count, i, sz;
2982 	int		seplen = strlen(COMMASEP) + strlen(DOORLINESEP);
2983 	int		first;
2984 
2985 	if (cfg == NULL || str == NULL)
2986 		return (NULL);
2987 
2988 	/* NS_LDAP_EXP and TRANSPORT_SEC are not exported externally */
2989 	if (index == NS_LDAP_EXP_P || index == NS_LDAP_TRANSPORT_SEC_P)
2990 		return (NULL);
2991 
2992 	/* Return nothing if the value is the default */
2993 	if (cfg->paramList[index].ns_ptype == NS_UNKNOWN)
2994 		return (NULL);
2995 
2996 	ptr = &(cfg->paramList[index]);
2997 
2998 	abuf[0] = '\0';
2999 	alen = 0;
3000 
3001 	/* get default */
3002 	def = get_defconfig(cfg, index);
3003 	if (def == NULL)
3004 		return (NULL);
3005 
3006 	switch (fmt) {
3007 	case NS_DOOR_FMT:
3008 		(void) strlcpy(abuf, def->name, sizeof (abuf));
3009 		(void) strlcat(abuf, EQUALSEP, sizeof (abuf));
3010 		break;
3011 	case NS_FILE_FMT:
3012 		(void) strlcpy(abuf, def->name, sizeof (abuf));
3013 		(void) strlcat(abuf, EQUSPSEP, sizeof (abuf));
3014 		break;
3015 	case NS_LDIF_FMT:
3016 		/* If no LDIF attr exists ignore the entry */
3017 		if (def->profile_name == NULL)
3018 			return (NULL);
3019 		(void) strlcpy(abuf, def->profile_name, sizeof (abuf));
3020 		(void) strlcat(abuf, COLSPSEP, sizeof (abuf));
3021 		break;
3022 	default:
3023 		break;
3024 	}
3025 	alen = strlen(abuf);
3026 	if (alen > bufsz)
3027 		return (NULL);
3028 
3029 	buf = str;
3030 	(void) strlcpy(buf, abuf, bufsz);
3031 
3032 	switch (ptr->ns_ptype) {
3033 	case ARRAYAUTH:
3034 		count = ptr->ns_acnt;
3035 		sz = 0;
3036 		for (i = 0; i < count; i++) {
3037 			sz += strlen(__s_get_auth_name(cfg,
3038 			    (AuthType_t)(ptr->ns_pi[i]))) + seplen;
3039 		}
3040 		sz = sz + alen + 1;
3041 		if (sz <= bufsz) {
3042 			buf = str;
3043 		} else {
3044 			buf = (char *)calloc(sz, sizeof (char));
3045 			if (buf == NULL)
3046 				return (NULL);
3047 			(void) strcpy(buf, abuf);
3048 		}
3049 		for (i = 0; i < count; i++) {
3050 			(void) strcat(buf,
3051 			    __s_get_auth_name(cfg,
3052 			    (AuthType_t)(ptr->ns_pi[i])));
3053 			if (i != count-1) {
3054 				if (cfg->version == NS_LDAP_V1)
3055 					(void) strcat(buf, COMMASEP);
3056 				else
3057 					(void) strcat(buf, SEMISEP);
3058 			}
3059 		}
3060 		break;
3061 	case ARRAYCRED:
3062 		count = ptr->ns_acnt;
3063 		sz = 0;
3064 		for (i = 0; i < count; i++) {
3065 			sz += strlen(__s_get_credlvl_name(cfg,
3066 			    (CredLevel_t)ptr->ns_pi[i])) + seplen;
3067 		}
3068 		sz = sz + alen + 1;
3069 		if (sz <= bufsz) {
3070 			buf = str;
3071 		} else {
3072 			buf = (char *)calloc(sz, sizeof (char));
3073 			if (buf == NULL)
3074 				return (NULL);
3075 			(void) strcpy(buf, abuf);
3076 		}
3077 		for (i = 0; i < count; i++) {
3078 			(void) strcat(buf,
3079 			    __s_get_credlvl_name(cfg,
3080 			    (CredLevel_t)ptr->ns_pi[i]));
3081 			if (i != count-1) {
3082 				(void) strcat(buf, SPACESEP);
3083 			}
3084 		}
3085 		break;
3086 	case SAMLIST:
3087 	case SCLLIST:
3088 	case SSDLIST:
3089 		count = ptr->ns_acnt;
3090 		sz = 0;
3091 		for (i = 0; i < count; i++) {
3092 			sz += strlen(ptr->ns_ppc[i]) + seplen;
3093 		}
3094 		sz = sz + alen + 1;
3095 		/*
3096 		 * We need to allocate buffer depending on the 'fmt' and
3097 		 * on the number of ns_ptype's present(count) as we add
3098 		 * name' or 'profile_name' and DOORLINESEP or new line
3099 		 * char to the buffer - see below.
3100 		 */
3101 		switch (fmt) {
3102 		case NS_LDIF_FMT:
3103 			sz += count * (strlen(def->profile_name)
3104 			    + strlen(COLSPSEP) + strlen("\n"));
3105 			break;
3106 		case NS_FILE_FMT:
3107 			sz += count * (strlen(def->name)
3108 			    + strlen(EQUALSEP) + strlen("\n"));
3109 			break;
3110 		case NS_DOOR_FMT:
3111 			sz += count * (strlen(def->name)
3112 			    + strlen(EQUALSEP) + strlen(DOORLINESEP));
3113 			break;
3114 		}
3115 		if (sz <= bufsz) {
3116 			buf = str;
3117 		} else {
3118 			buf = (char *)calloc(sz, sizeof (char));
3119 			if (buf == NULL)
3120 				return (NULL);
3121 			(void) strcpy(buf, abuf);
3122 		}
3123 		for (i = 0; i < count; i++) {
3124 			(void) strcat(buf, ptr->ns_ppc[i]);
3125 			if (i != count-1) {
3126 				/* Separate items */
3127 				switch (fmt) {
3128 				case NS_DOOR_FMT:
3129 					(void) strcat(buf, DOORLINESEP);
3130 					(void) strcat(buf, def->name);
3131 					(void) strcat(buf, EQUALSEP);
3132 					break;
3133 				case NS_FILE_FMT:
3134 					(void) strcat(buf, "\n");
3135 					(void) strcat(buf, def->name);
3136 					(void) strcat(buf, EQUSPSEP);
3137 					break;
3138 				case NS_LDIF_FMT:
3139 					(void) strcat(buf, "\n");
3140 					(void) strcat(buf, def->profile_name);
3141 					(void) strcat(buf, COLSPSEP);
3142 					break;
3143 				}
3144 			}
3145 		}
3146 		break;
3147 	case ARRAYCP:
3148 		count = ptr->ns_acnt;
3149 		sz = 0;
3150 		for (i = 0; i < count; i++) {
3151 			sz += strlen(ptr->ns_ppc[i]) + seplen;
3152 		}
3153 		sz = sz + alen + 1;
3154 		if (sz <= bufsz) {
3155 			buf = str;
3156 		} else {
3157 			buf = (char *)calloc(sz, sizeof (char));
3158 			if (buf == NULL)
3159 				return (NULL);
3160 			(void) strcpy(buf, abuf);
3161 		}
3162 		for (i = 0; i < count; i++) {
3163 			(void) strcat(buf, ptr->ns_ppc[i]);
3164 			if (i != count-1) {
3165 				(void) strcat(buf, COMMASEP);
3166 			}
3167 		}
3168 		break;
3169 	case SERVLIST:
3170 		count = ptr->ns_acnt;
3171 		sz = 0;
3172 		for (i = 0; i < count; i++) {
3173 			sz += strlen(ptr->ns_ppc[i]) + seplen;
3174 		}
3175 		sz = sz + alen + 1;
3176 		if (sz <= bufsz) {
3177 			buf = str;
3178 		} else {
3179 			buf = (char *)calloc(sz, sizeof (char));
3180 			if (buf == NULL)
3181 				return (NULL);
3182 			(void) strcpy(buf, abuf);
3183 		}
3184 		for (i = 0; i < count; i++) {
3185 			(void) strcat(buf, ptr->ns_ppc[i]);
3186 			if (i != count-1) {
3187 				if (fmt == NS_LDIF_FMT)
3188 					(void) strcat(buf, SPACESEP);
3189 				else
3190 					(void) strcat(buf, COMMASEP);
3191 			}
3192 		}
3193 		break;
3194 	case CHARPTR:
3195 		if (ptr->ns_pc == NULL)
3196 			break;
3197 		sz = strlen(ptr->ns_pc) + alen + 1;
3198 		if (sz > bufsz) {
3199 			buf = (char *)calloc(sz, sizeof (char));
3200 			if (buf == NULL)
3201 				return (NULL);
3202 			(void) strcpy(buf, abuf);
3203 		}
3204 		(void) strcat(buf, ptr->ns_pc);
3205 		break;
3206 	case INT:
3207 		switch (def->index) {
3208 		case NS_LDAP_PREF_ONLY_P:
3209 			(void) strcat(buf,
3210 			    __s_get_pref_name((PrefOnly_t)ptr->ns_i));
3211 			break;
3212 		case NS_LDAP_SEARCH_REF_P:
3213 			(void) strcat(buf,
3214 			    __s_get_searchref_name(cfg,
3215 			    (SearchRef_t)ptr->ns_i));
3216 			break;
3217 		case NS_LDAP_SEARCH_SCOPE_P:
3218 			(void) strcat(buf,
3219 			    __s_get_scope_name(cfg,
3220 			    (ScopeType_t)ptr->ns_i));
3221 			break;
3222 		default:
3223 			(void) snprintf(ibuf, sizeof (ibuf),
3224 			    "%d", ptr->ns_i);
3225 			(void) strcat(buf, ibuf);
3226 			break;
3227 		}
3228 		break;
3229 	case ATTRMAP:
3230 		buf[0] = '\0';
3231 		first = 1;
3232 		for (hptr = cfg->llHead; hptr; hptr = hptr->h_llnext) {
3233 			if (hptr->h_type != NS_HASH_AMAP) {
3234 				continue;
3235 			}
3236 			if (!first) {
3237 				if (fmt == NS_DOOR_FMT)
3238 					(void) strcat(buf, DOORLINESEP);
3239 				else
3240 					(void) strcat(buf, "\n");
3241 			}
3242 			mptr = hptr->h_map;
3243 			(void) strcat(buf, abuf);
3244 			(void) strcat(buf, mptr->service);
3245 			(void) strcat(buf, COLONSEP);
3246 			(void) strcat(buf, mptr->orig);
3247 			(void) strcat(buf, EQUALSEP);
3248 			for (cpp = mptr->map; cpp && *cpp; cpp++) {
3249 				if (cpp != mptr->map)
3250 					(void) strcat(buf, SPACESEP);
3251 				(void) strcat(buf, *cpp);
3252 			}
3253 			first = 0;
3254 		}
3255 		break;
3256 	case OBJMAP:
3257 		buf[0] = '\0';
3258 		first = 1;
3259 		for (hptr = cfg->llHead; hptr; hptr = hptr->h_llnext) {
3260 			if (hptr->h_type != NS_HASH_OMAP) {
3261 				continue;
3262 			}
3263 			if (!first) {
3264 				if (fmt == NS_DOOR_FMT)
3265 					(void) strcat(buf, DOORLINESEP);
3266 				else
3267 					(void) strcat(buf, "\n");
3268 			}
3269 			mptr = hptr->h_map;
3270 			(void) strcat(buf, abuf);
3271 			(void) strcat(buf, mptr->service);
3272 			(void) strcat(buf, COLONSEP);
3273 			(void) strcat(buf, mptr->orig);
3274 			(void) strcat(buf, EQUALSEP);
3275 			for (cpp = mptr->map; cpp && *cpp; cpp++) {
3276 				if (cpp != mptr->map)
3277 					(void) strcat(buf, SPACESEP);
3278 				(void) strcat(buf, *cpp);
3279 			}
3280 			first = 0;
3281 		}
3282 		break;
3283 	}
3284 	return (buf);
3285 }
3286 
3287 static int
3288 __door_getldapconfig(char **buffer, int *buflen, ns_ldap_error_t **error)
3289 {
3290 	typedef union {
3291 		ldap_data_t	s_d;
3292 		char		s_b[DOORBUFFERSIZE];
3293 	} space_t;
3294 	space_t			*space;
3295 
3296 	ldap_data_t		*sptr;
3297 	int			ndata;
3298 	int			adata;
3299 	char			errstr[MAXERROR];
3300 	char			*domainname;
3301 	ns_ldap_return_code	retCode;
3302 	ldap_config_out_t	*cfghdr;
3303 
3304 	*error = NULL;
3305 
3306 	domainname = __getdomainname();
3307 	if (domainname == NULL || buffer == NULL || buflen == NULL ||
3308 	    (strlen(domainname) >= (sizeof (space_t)
3309 	    - sizeof (space->s_d.ldap_call.ldap_callnumber)))) {
3310 		return (NS_LDAP_OP_FAILED);
3311 	}
3312 
3313 	space = (space_t *)calloc(1, sizeof (space_t));
3314 	if (space == NULL)
3315 		return (NS_LDAP_MEMORY);
3316 
3317 	adata = (sizeof (ldap_call_t) + strlen(domainname) +1);
3318 	ndata = sizeof (space_t);
3319 	space->s_d.ldap_call.ldap_callnumber = GETLDAPCONFIGV1;
3320 	(void) strcpy(space->s_d.ldap_call.ldap_u.domainname, domainname);
3321 	free(domainname);
3322 	domainname = NULL;
3323 	sptr = &space->s_d;
3324 
3325 	switch (__ns_ldap_trydoorcall(&sptr, &ndata, &adata)) {
3326 	case NS_CACHE_SUCCESS:
3327 		break;
3328 	case NS_CACHE_NOTFOUND:
3329 		(void) snprintf(errstr, sizeof (errstr),
3330 		    gettext("Door call to "
3331 		    "ldap_cachemgr failed - error: %d."),
3332 		    space->s_d.ldap_ret.ldap_errno);
3333 		MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
3334 		    strdup(errstr), NULL);
3335 		free(space);
3336 		return (NS_LDAP_OP_FAILED);
3337 	default:
3338 		free(space);
3339 		return (NS_LDAP_OP_FAILED);
3340 	}
3341 
3342 	retCode = NS_LDAP_SUCCESS;
3343 
3344 	/* copy info from door call to buffer here */
3345 	cfghdr = &sptr->ldap_ret.ldap_u.config_str;
3346 	*buflen = offsetof(ldap_config_out_t, config_str) +
3347 	    cfghdr->data_size + 1;
3348 	*buffer = calloc(*buflen, sizeof (char));
3349 	if (*buffer == NULL) {
3350 		retCode = NS_LDAP_MEMORY;
3351 	} else
3352 		(void) memcpy(*buffer, cfghdr, *buflen - 1);
3353 
3354 	if (sptr != &space->s_d) {
3355 		(void) munmap((char *)sptr, ndata);
3356 	}
3357 	free(space);
3358 
3359 	return (retCode);
3360 }
3361 
3362 /*
3363  * SetDoorInfo parses ldapcachemgr configuration information
3364  * and verifies that the profile is version 1 or version 2 based.
3365  * version 2 profiles must have a version number as the first profile
3366  * attribute in the configuration.
3367  */
3368 static ns_config_t *
3369 SetDoorInfo(char *buffer, ns_ldap_error_t **errorp)
3370 {
3371 	ns_config_t	*ptr;
3372 	char		errstr[MAXERROR], errbuf[MAXERROR];
3373 	char		*name, *value, valbuf[BUFSIZE];
3374 	char		*strptr;
3375 	char		*rest;
3376 	char		*bufptr = buffer;
3377 	ParamIndexType	i;
3378 	int		ret;
3379 	int		first = 1;
3380 	int		errfnd = 0;
3381 	ldap_config_out_t *cfghdr;
3382 
3383 	if (errorp == NULL)
3384 		return (NULL);
3385 	*errorp = NULL;
3386 
3387 	ptr = __s_api_create_config();
3388 	if (ptr == NULL) {
3389 		return (NULL);
3390 	}
3391 
3392 	/* get config cookie from the header */
3393 	cfghdr = (ldap_config_out_t *)bufptr;
3394 	ptr->config_cookie = cfghdr->cookie;
3395 	bufptr = (char *)cfghdr->config_str;
3396 
3397 	strptr = (char *)strtok_r(bufptr, DOORLINESEP, &rest);
3398 	for (; ; ) {
3399 		if (strptr == NULL)
3400 			break;
3401 		(void) strlcpy(valbuf, strptr, sizeof (valbuf));
3402 		__s_api_split_key_value(valbuf, &name, &value);
3403 		/* Use get_versiontype and check for V1 vs V2 prototypes */
3404 		if (__s_api_get_versiontype(ptr, name, &i) < 0) {
3405 			(void) snprintf(errstr, sizeof (errstr),
3406 			    "%s (%s)\n",
3407 			    gettext("Illegal profile entry "
3408 			    "line in configuration."),
3409 			    name);
3410 			errfnd++;
3411 		/* Write verify routines and get rid of verify_value here */
3412 		} else if (verify_value(ptr, name,
3413 		    value, errbuf) != NS_SUCCESS) {
3414 			(void) snprintf(errstr, sizeof (errstr),
3415 			    gettext("%s\n"), errbuf);
3416 			errfnd++;
3417 		} else if (!first && i == NS_LDAP_FILE_VERSION_P) {
3418 			(void) snprintf(errstr, sizeof (errstr),
3419 			    gettext("Illegal NS_LDAP_FILE_VERSION "
3420 			    "line in configuration.\n"));
3421 			errfnd++;
3422 		}
3423 		if (errfnd) {
3424 			MKERROR(LOG_ERR, *errorp, NS_CONFIG_SYNTAX,
3425 			    strdup(errstr), NULL);
3426 		} else {
3427 			ret = set_default_value(ptr, name, value, errorp);
3428 		}
3429 		if (errfnd || ret != NS_SUCCESS) {
3430 			__s_api_destroy_config(ptr);
3431 			return (NULL);
3432 		}
3433 		first = 0;
3434 
3435 		strptr = (char *)strtok_r(NULL, DOORLINESEP, &rest);
3436 	}
3437 
3438 	if (__s_api_crosscheck(ptr, errstr, B_TRUE) != NS_SUCCESS) {
3439 		__s_api_destroy_config(ptr);
3440 		MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX, strdup(errstr),
3441 		    NULL);
3442 		return (NULL);
3443 	}
3444 
3445 	return (ptr);
3446 }
3447 
3448 static ns_config_t *
3449 LoadCacheConfiguration(ns_config_t *oldcfg, ns_ldap_error_t **error)
3450 {
3451 	char		*buffer = NULL;
3452 	int		buflen = 0;
3453 	int		ret;
3454 	ns_config_t	*cfg;
3455 	ldap_config_out_t *cfghdr;
3456 	ldap_get_chg_cookie_t old_cookie;
3457 	ldap_get_chg_cookie_t new_cookie;
3458 
3459 	*error = NULL;
3460 	ret = __door_getldapconfig(&buffer, &buflen, error);
3461 
3462 	if (ret != NS_LDAP_SUCCESS) {
3463 		if (*error != NULL && (*error)->message != NULL)
3464 			syslog(LOG_WARNING, "libsldap: %s", (*error)->message);
3465 		return (NULL);
3466 	}
3467 
3468 	/* No need to reload configuration if config cookie is the same */
3469 	cfghdr = (ldap_config_out_t *)buffer;
3470 	new_cookie = cfghdr->cookie;
3471 	if (oldcfg != NULL)
3472 		old_cookie = oldcfg->config_cookie;
3473 
3474 	if (oldcfg != NULL && old_cookie.mgr_pid == new_cookie.mgr_pid &&
3475 	    old_cookie.seq_num == new_cookie.seq_num) {
3476 		free(buffer);
3477 		return (oldcfg);
3478 	}
3479 
3480 	/* now convert from door format */
3481 	cfg = SetDoorInfo(buffer, error);
3482 	free(buffer);
3483 
3484 	if (cfg == NULL && *error != NULL && (*error)->message != NULL)
3485 		syslog(LOG_WARNING, "libsldap: %s", (*error)->message);
3486 	return (cfg);
3487 }
3488 
3489 /*
3490  * converts the time string into seconds.  The time string can be specified
3491  * using one of the following time units:
3492  * 	#s (# of seconds)
3493  *	#m (# of minutes)
3494  *	#h (# of hours)
3495  *	#d (# of days)
3496  *	#w (# of weeks)
3497  * NOTE: you can only specify one the above.  No combination of the above
3498  * units is allowed.  If no unit specified, it will default to "seconds".
3499  */
3500 static time_t
3501 conv_time(char *s)
3502 {
3503 	time_t t;
3504 	char c;
3505 	int l, m;
3506 	long tot;
3507 
3508 	l = strlen(s);
3509 	if (l == 0)
3510 		return (0);
3511 	c = s[--l];
3512 	m = 0;
3513 	switch (c) {
3514 	case 'w': /* weeks */
3515 		m = 604800;
3516 		break;
3517 	case 'd': /* days */
3518 		m = 86400;
3519 		break;
3520 	case 'h': /* hours */
3521 		m = 3600;
3522 		break;
3523 	case 'm': /* minutes */
3524 		m = 60;
3525 		break;
3526 	case 's': /* seconds */
3527 		m = 1;
3528 		break;
3529 	/* the default case is set to "second" */
3530 	}
3531 	if (m != 0)
3532 		s[l] = '\0';
3533 	else
3534 		m = 1;
3535 	errno = 0;
3536 	tot = atol(s);
3537 	if ((0 == tot) && (EINVAL == errno))
3538 		return (0);
3539 	if (((LONG_MAX == tot) || (LONG_MIN == tot)) && (EINVAL == errno))
3540 		return (0);
3541 
3542 	tot = tot * m;
3543 	t = (time_t)tot;
3544 	return (t);
3545 }
3546 
3547 
3548 ns_auth_t *
3549 __s_api_AuthEnumtoStruct(const EnumAuthType_t i)
3550 {
3551 	ns_auth_t *ap;
3552 
3553 	ap = (ns_auth_t *)calloc(1, sizeof (ns_auth_t));
3554 	if (ap == NULL)
3555 		return (NULL);
3556 	switch (i) {
3557 		case NS_LDAP_EA_NONE:
3558 			break;
3559 		case NS_LDAP_EA_SIMPLE:
3560 			ap->type = NS_LDAP_AUTH_SIMPLE;
3561 			break;
3562 		case NS_LDAP_EA_SASL_CRAM_MD5:
3563 			ap->type = NS_LDAP_AUTH_SASL;
3564 			ap->saslmech = NS_LDAP_SASL_CRAM_MD5;
3565 			break;
3566 		case NS_LDAP_EA_SASL_DIGEST_MD5:
3567 			ap->type = NS_LDAP_AUTH_SASL;
3568 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3569 			break;
3570 		case NS_LDAP_EA_SASL_DIGEST_MD5_INT:
3571 			ap->type = NS_LDAP_AUTH_SASL;
3572 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3573 			ap->saslopt = NS_LDAP_SASLOPT_INT;
3574 			break;
3575 		case NS_LDAP_EA_SASL_DIGEST_MD5_CONF:
3576 			ap->type = NS_LDAP_AUTH_SASL;
3577 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3578 			ap->saslopt = NS_LDAP_SASLOPT_PRIV;
3579 			break;
3580 		case NS_LDAP_EA_SASL_EXTERNAL:
3581 			ap->type = NS_LDAP_AUTH_SASL;
3582 			ap->saslmech = NS_LDAP_SASL_EXTERNAL;
3583 			break;
3584 		case NS_LDAP_EA_SASL_GSSAPI:
3585 			ap->type = NS_LDAP_AUTH_SASL;
3586 			ap->saslmech = NS_LDAP_SASL_GSSAPI;
3587 			ap->saslopt = NS_LDAP_SASLOPT_INT |
3588 			    NS_LDAP_SASLOPT_PRIV;
3589 			break;
3590 		case NS_LDAP_EA_TLS_NONE:
3591 			ap->type = NS_LDAP_AUTH_TLS;
3592 			ap->tlstype = NS_LDAP_TLS_NONE;
3593 			break;
3594 		case NS_LDAP_EA_TLS_SIMPLE:
3595 			ap->type = NS_LDAP_AUTH_TLS;
3596 			ap->tlstype = NS_LDAP_TLS_SIMPLE;
3597 			break;
3598 		case NS_LDAP_EA_TLS_SASL_CRAM_MD5:
3599 			ap->type = NS_LDAP_AUTH_TLS;
3600 			ap->tlstype = NS_LDAP_TLS_SASL;
3601 			ap->saslmech = NS_LDAP_SASL_CRAM_MD5;
3602 			break;
3603 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5:
3604 			ap->type = NS_LDAP_AUTH_TLS;
3605 			ap->tlstype = NS_LDAP_TLS_SASL;
3606 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3607 			break;
3608 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT:
3609 			ap->type = NS_LDAP_AUTH_TLS;
3610 			ap->tlstype = NS_LDAP_TLS_SASL;
3611 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3612 			ap->saslopt = NS_LDAP_SASLOPT_INT;
3613 			break;
3614 		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF:
3615 			ap->type = NS_LDAP_AUTH_TLS;
3616 			ap->tlstype = NS_LDAP_TLS_SASL;
3617 			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
3618 			ap->saslopt = NS_LDAP_SASLOPT_PRIV;
3619 			break;
3620 		case NS_LDAP_EA_TLS_SASL_EXTERNAL:
3621 			ap->type = NS_LDAP_AUTH_TLS;
3622 			ap->tlstype = NS_LDAP_TLS_SASL;
3623 			ap->saslmech = NS_LDAP_SASL_EXTERNAL;
3624 			break;
3625 		default:
3626 			/* should never get here */
3627 			free(ap);
3628 			return (NULL);
3629 	}
3630 	return (ap);
3631 }
3632 
3633 
3634 /*
3635  * Parameter Index Type validation routines
3636  */
3637 
3638 /* Validate a positive integer */
3639 /* Size of errbuf needs to be MAXERROR */
3640 /* ARGSUSED */
3641 static int
3642 __s_val_postime(ParamIndexType i, ns_default_config *def,
3643 		ns_param_t *param, char *errbuf)
3644 {
3645 	char	*cp;
3646 	long	tot;
3647 
3648 	if (param && param->ns_ptype == CHARPTR && param->ns_pc) {
3649 		for (cp = param->ns_pc; cp && *cp; cp++) {
3650 			if (*cp >= '0' && *cp <= '9')
3651 				continue;
3652 			switch (*cp) {
3653 			case 'w': /* weeks */
3654 			case 'd': /* days */
3655 			case 'h': /* hours */
3656 			case 'm': /* minutes */
3657 			case 's': /* seconds */
3658 				if (*(cp+1) == '\0') {
3659 					break;
3660 				}
3661 			default:
3662 				(void) strcpy(errbuf, "Illegal time value");
3663 				return (NS_PARSE_ERR);
3664 			}
3665 		}
3666 		/* Valid form:  [0-9][0-9]*[wdhms]* */
3667 		tot = atol(param->ns_pc);	/* check overflow */
3668 		if (tot >= 0)
3669 			return (NS_SUCCESS);
3670 	}
3671 	(void) snprintf(errbuf, MAXERROR,
3672 	    gettext("Illegal time value in %s"), def->name);
3673 	return (NS_PARSE_ERR);
3674 }
3675 
3676 
3677 /* Validate the Base DN */
3678 /* It can be empty (RootDSE request) or needs to have an '=' */
3679 /* Size of errbuf needs to be MAXERROR */
3680 /* ARGSUSED */
3681 static int
3682 __s_val_basedn(ParamIndexType i, ns_default_config *def,
3683 		ns_param_t *param, char *errbuf)
3684 {
3685 	if (param && param->ns_ptype == CHARPTR &&
3686 	    i == NS_LDAP_SEARCH_BASEDN_P &&
3687 	    ((param->ns_pc == NULL) || 		/* empty */
3688 	    (*(param->ns_pc) == '\0') ||		/* empty */
3689 	    (strchr(param->ns_pc, '=') != NULL)))	/* '=' */
3690 	{
3691 		return (NS_SUCCESS);
3692 	}
3693 	(void) snprintf(errbuf, MAXERROR,
3694 	    gettext("Non-existent or invalid DN in %s"),
3695 	    def->name);
3696 	return (NS_PARSE_ERR);
3697 }
3698 
3699 
3700 /* Validate the serverList */
3701 /* For each server in list, check if valid IP or hostname */
3702 /* Size of errbuf needs to be MAXERROR */
3703 /* ARGSUSED */
3704 static int
3705 __s_val_serverList(ParamIndexType i, ns_default_config *def,
3706 		ns_param_t *param, char *errbuf)
3707 {
3708 	for (i = 0; i < param->ns_acnt; i++) {
3709 		if ((__s_api_isipv4(param->ns_ppc[i])) ||
3710 		    (__s_api_isipv6(param->ns_ppc[i])) ||
3711 		    (__s_api_ishost(param->ns_ppc[i]))) {
3712 			continue;
3713 		}
3714 		/* err */
3715 		(void) snprintf(errbuf, MAXERROR,
3716 		    gettext("Invalid server (%s) in %s"),
3717 		    param->ns_ppc[i], def->name);
3718 		return (NS_PARSE_ERR);
3719 	}
3720 
3721 	return (NS_SUCCESS);
3722 }
3723 
3724 
3725 /* Check for a BINDDN */
3726 /* It can not be empty and needs to have an '=' */
3727 /* Size of errbuf needs to be MAXERROR */
3728 /* ARGSUSED */
3729 static int
3730 __s_val_binddn(ParamIndexType i, ns_default_config *def,
3731 		ns_param_t *param, char *errbuf)
3732 {
3733 	if (param && param->ns_ptype == CHARPTR &&
3734 	    i == NS_LDAP_BINDDN_P &&
3735 	    ((param->ns_pc == NULL) ||
3736 	    ((*(param->ns_pc) != '\0') &&
3737 	    (strchr(param->ns_pc, '=') != NULL)))) {
3738 		return (NS_SUCCESS);
3739 	}
3740 	(void) snprintf(errbuf, MAXERROR,
3741 	    gettext("NULL or invalid proxy bind DN"));
3742 	return (NS_PARSE_ERR);
3743 }
3744 
3745 
3746 /* Check for a BINDPASSWD */
3747 /* The string can not be NULL or empty */
3748 /* Size of errbuf needs to be MAXERROR */
3749 /* ARGSUSED */
3750 static int
3751 __s_val_bindpw(ParamIndexType i, ns_default_config *def,
3752 		ns_param_t *param, char *errbuf)
3753 {
3754 	if (param && param->ns_ptype == CHARPTR &&
3755 	    i == NS_LDAP_BINDPASSWD_P &&
3756 	    ((param->ns_pc == NULL) ||
3757 	    (*(param->ns_pc) != '\0'))) {
3758 		return (NS_SUCCESS);
3759 	}
3760 	(void) snprintf(errbuf, MAXERROR,
3761 	    gettext("NULL proxy bind password"));
3762 	return (NS_PARSE_ERR);
3763 }
3764 
3765 /*
3766  * __s_get_hostcertpath returns either the configured host certificate path
3767  * or, if none, the default host certificate path (/var/ldap). Note that this
3768  * does not use __ns_ldap_getParam because it may be called during connection
3769  * setup. This can fail due to insufficient memory.
3770  */
3771 
3772 char *
3773 __s_get_hostcertpath(void)
3774 {
3775 	ns_config_t		*cfg;
3776 	ns_param_t		*param;
3777 	char			*ret = NULL;
3778 
3779 	cfg = __s_api_get_default_config();
3780 	if (cfg != NULL) {
3781 		param = &cfg->paramList[NS_LDAP_HOST_CERTPATH_P];
3782 		if (param->ns_ptype == CHARPTR)
3783 			ret = strdup(param->ns_pc);
3784 		__s_api_release_config(cfg);
3785 	}
3786 	if (ret == NULL)
3787 		ret = strdup(NSLDAPDIRECTORY);
3788 	return (ret);
3789 }
3790 
3791 static void
3792 _free_config()
3793 {
3794 	if (current_config != NULL)
3795 		destroy_config(current_config);
3796 
3797 	current_config = NULL;
3798 }
3799