xref: /illumos-gate/usr/src/lib/libsldap/common/ns_connmgmt.c (revision e1dd0a2f3a26050d1f183c1cafae42c4e3a0b57e)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <string.h>
#include <errno.h>
#include <syslog.h>
#include <procfs.h>
#include <unistd.h>
#include <fcntl.h>
#include <libintl.h>
#include <atomic.h>
#include <pthread.h>
#include <sys/mman.h>
#include <time.h>
#include "solaris-int.h"
#include "ns_connmgmt.h"
#include "ns_cache_door.h"
#include "ns_internal.h"

/*
 * Access (reference, shutdown, or reload) the current connection
 * management control structure conn_mgmt_t.
 */
#define	NS_CONN_MGMT_OP_REF		1
#define	NS_CONN_MGMT_OP_SHUTDOWN	2
#define	NS_CONN_MGMT_OP_RELOAD_CONFIG	3
#define	NS_CONN_MGMT_OP_NEW_CONFIG	4
#define	NS_CONN_MGMT_OP_LIB_INIT	5

static ns_conn_mgmt_t *access_conn_mgmt(int);
static ns_conn_mgmt_t *release_conn_mgmt(ns_conn_mgmt_t *, boolean_t);
static int close_conn_mt(ns_conn_mt_t *, int, ns_ldap_error_t **,
	ns_conn_user_t *);
static int close_conn_mt_when_nouser(ns_conn_mt_t *cm);
void shutdown_all_conn_mt(ns_conn_mgmt_t *cmg);
static int conn_signal(ns_conn_mt_t *);
static int conn_wait(ns_conn_mt_t *, ns_conn_user_t *);
static void close_conn_mt_by_procchg(ns_conn_mt_t *cm, int rc, char *errmsg);
static ns_conn_mgmt_t *proc_server_change(ns_server_status_change_t *chg,
	ns_conn_mgmt_t  *cmg);
static void get_preferred_servers(boolean_t, boolean_t, ns_conn_mgmt_t *);
static void start_thread();

static ns_conn_mgmt_t	*ns_connmgmt = NULL;
static ns_conn_mgmt_t	*ns_connmgmt_parent = NULL;
static mutex_t		ns_connmgmt_lock = DEFAULTMUTEX;
static boolean_t	ns_connmgmt_shutting_down = B_FALSE;

#define	NS_CONN_MSG_NO_CONN_MGMT gettext( \
	"libsldap: unable to allocate the connection management control")
#define	NS_CONN_MSG_NO_MTC_KEY gettext( \
	"libsldap: unable to allocate the TSD key for per-thread ldap error")
#define	NS_CONN_MSG_NO_CMG_KEY gettext( \
	"libsldap: unable to allocate the TSD key for connection management")
#define	NS_CONN_MSG_SHUTDOWN gettext("libsldap: library is being unloaded")
#define	NS_CONN_MSG_RELOADED gettext( \
	"libsldap: configuration has been reloaded")
#define	NS_CONN_MSG_SHUTDOWN_RELOADED gettext( \
	"libsldap: library unloaded or configuration has been reloaded")
#define	NS_CONN_MSG_BAD_CACHEMGR_DATA gettext( \
	"libsldap: received incorrect data from ldap_cachemgr")
#define	NS_CONN_MSG_MEMORY_ERROR gettext( \
	"libsldap: unable to allocate memory")
#define	NS_CONN_MSG_NO_PROCCHG_THREAD gettext( \
	"libsldap: unable to start the server monitor thread (%s)")
#define	NS_CONN_MSG_DOWN_FROM_CACHEMGR gettext( \
	"libsldap: server down reported by ldap_cachemgr")

static int ns_conn_free = 1;
#define	NS_CONN_UNLOCK_AND_FREE(free, cm, cmg)  \
{ \
	(void) mutex_unlock(&(cm)->lock);	\
	if (free == 1)	\
		cmg = free_conn_mt((cm), 1); \
	if (cmg != NULL) \
		(void) mutex_unlock(&(cmg)->lock); \
}

#define	NS_CONN_CHECK_ABORT_AND_LOCK(cmg, cu, errp) \
{ \
	char *msg = NULL; \
	(void) mutex_lock(&(cmg)->lock); \
	if ((cmg)->shutting_down == B_TRUE) \
		msg = NS_CONN_MSG_SHUTDOWN; \
	else if ((cmg)->cfg_reloaded == B_TRUE)  \
		msg = NS_CONN_MSG_RELOADED; \
	if (msg != NULL) { \
		(*errp) = __s_api_make_error(NS_LDAP_OP_FAILED, msg); \
		(void) mutex_unlock(&(cmg)->lock); \
		return (NS_LDAP_OP_FAILED); \
	} \
}

/*
 * TSD keys ns_mtckey and ns_cmgkey are for sharing ldap connections
 * and their associated connection management structure among
 * multiple threads. The pointers to the per-thread ldap error
 * information and the connection management structure are
 * saved in ns_mtckey and ns_cmgkey.
 */
thread_key_t ns_mtckey = THR_ONCE_KEY;
thread_key_t ns_cmgkey = THR_ONCE_KEY;

/* Per thread LDAP error resides in thread-specific data (ns_mtckey) */
struct ldap_error {
	int	le_errno;
	char	*le_matched;
	char	*le_errmsg;
};

/* NULL struct ldap_error */
static struct ldap_error ldap_error_NULL = { LDAP_SUCCESS, NULL, NULL};

/* destructor: free the ldap error data in the thread specific area */
static void
ns_mtckey_cleanup(void *key) {
	struct ldap_error *le = (struct ldap_error *)key;

	if (le == NULL)
		return;
	if (le->le_matched != NULL) {
		ldap_memfree(le->le_matched);
	}
	if (le->le_errmsg != NULL) {
		ldap_memfree(le->le_errmsg);
	}
	free(le);
}

/* Free/detach the thread specific data structures */
static void
conn_tsd_free() {
	void	*tsd = NULL;
	int	rc;

	/* free the per-thread ldap error info */
	rc = thr_getspecific(ns_mtckey, &tsd);
	if (rc == 0 && tsd != NULL)
		ns_mtckey_cleanup(tsd);
	(void) thr_setspecific(ns_mtckey, NULL);

	/* detach the connection management control */
	(void) thr_setspecific(ns_cmgkey, NULL);
}

/* per-thread callback function for allocating a mutex */
static void *
ns_mutex_alloc(void)
{
	mutex_t *mutexp = NULL;

	if ((mutexp = malloc(sizeof (mutex_t))) != NULL) {
		if (mutex_init(mutexp, USYNC_THREAD, NULL) != 0) {
			free(mutexp);
			mutexp = NULL;
		}
	}
	return (mutexp);
}

/* per-thread callback function for freeing a mutex */
static void
ns_mutex_free(void *mutexp)
{
	(void) mutex_destroy((mutex_t *)mutexp);
	free(mutexp);
}

/*
 * Function for setting up thread-specific data
 * where per thread LDAP error and the pointer
 * to the active connection management control
 * are stored.
 */
static int
conn_tsd_setup(ns_conn_mgmt_t *cmg)
{
	void	*tsd;
	int	rc;

	rc = thr_setspecific(ns_cmgkey, cmg);
	if (rc != 0) /* must be ENOMEM */
		return (-1);

	/* return success if the ns_mtckey TSD is already set */
	rc = thr_getspecific(ns_mtckey, &tsd);
	if (rc == 0 && tsd != NULL)
		return (0);

	/* allocate and set the ns_mtckey TSD */
	tsd = (void *) calloc(1, sizeof (struct ldap_error));
	if (tsd == NULL)
		return (-1);
	rc = thr_setspecific(ns_mtckey, tsd);
	if (rc != 0) { /* must be ENOMEM */
		free(tsd);
		return (-1);
	}
	return (0);
}

/* Callback function for setting the per thread LDAP error */
/*ARGSUSED*/
static void
set_ld_error(int err, char *matched, char *errmsg, void *dummy)
{
	struct ldap_error	*le;
	int			eno;

	if ((eno = thr_getspecific(ns_mtckey, (void **)&le)) != 0) {
		syslog(LOG_ERR, gettext(
		    "libsldap: set_ld_error: thr_getspecific failed (%s)."),
		    strerror(eno));
		return;
	}

	/* play safe, do nothing if TSD pointer is NULL */
	if (le == NULL) {
		syslog(LOG_INFO, gettext(
		    "libsldap: set_ld_error: TSD pointer is NULL."));
		return;
	}

	le->le_errno = err;

	if (le->le_matched != NULL) {
		ldap_memfree(le->le_matched);
		le->le_matched = NULL;
	}
	le->le_matched = matched;

	if (le->le_errmsg != NULL) {
		ldap_memfree(le->le_errmsg);
		le->le_errmsg = NULL;
	}
	le->le_errmsg = errmsg;
}

/* check and allocate the thread-specific data for using a MT connection */
static int
conn_tsd_check(ns_conn_mgmt_t *cmg)
{
	if (conn_tsd_setup(cmg) != 0)
		return (NS_LDAP_MEMORY);

	return (NS_LDAP_SUCCESS);
}

/* Callback function for getting the per thread LDAP error */
/*ARGSUSED*/
static int
get_ld_error(char **matched, char **errmsg, void *dummy)
{
	struct ldap_error	*le;
	int			eno;

	if ((eno = thr_getspecific(ns_mtckey, (void **)&le)) != 0) {
		syslog(LOG_ERR, gettext(
		    "libsldap: get_ld_error: thr_getspecific failed (%s)"),
		    strerror(eno));
		return (eno);
	}

	/* play safe, return NULL error data, if TSD pointer is NULL */
	if (le == NULL)
		le = &ldap_error_NULL;

	if (matched != NULL) {
		*matched = le->le_matched;
	}
	if (errmsg != NULL) {
		*errmsg = le->le_errmsg;
	}
	return (le->le_errno);
}

/* Callback function for setting per thread errno */
static void
set_errno(int err)
{
	errno = err;
}

/* Callback function for getting per thread errno */
static int
get_errno(void)
{
	return (errno);
}

/* set up an ldap session 'ld' for sharing among multiple threads */
static int
setup_mt_conn(LDAP *ld)
{

	struct ldap_thread_fns		tfns;
	struct ldap_extra_thread_fns	extrafns;
	int				rc;

	/*
	 * Set the function pointers for dealing with mutexes
	 * and error information
	 */
	(void) memset(&tfns, '\0', sizeof (struct ldap_thread_fns));
	tfns.ltf_mutex_alloc = (void *(*)(void)) ns_mutex_alloc;
	tfns.ltf_mutex_free = (void (*)(void *)) ns_mutex_free;
	tfns.ltf_mutex_lock = (int (*)(void *)) mutex_lock;
	tfns.ltf_mutex_unlock = (int (*)(void *)) mutex_unlock;
	tfns.ltf_get_errno = get_errno;
	tfns.ltf_set_errno = set_errno;
	tfns.ltf_get_lderrno = get_ld_error;
	tfns.ltf_set_lderrno = set_ld_error;
	tfns.ltf_lderrno_arg = NULL;

	/*
	 * Set up the ld to use those function pointers
	 */
	rc = ldap_set_option(ld, LDAP_OPT_THREAD_FN_PTRS,
	    (void *) &tfns);
	if (rc < 0) {
		syslog(LOG_INFO, gettext("libsldap: ldap_set_option "
		"(LDAP_OPT_THREAD_FN_PTRS)"));
		return (0);
	}

	/*
	 * Set the function pointers for working with semaphores
	 */
	(void) memset(&extrafns, '\0',
	    sizeof (struct ldap_extra_thread_fns));
	extrafns.ltf_threadid_fn = (void * (*)(void))thr_self;
	extrafns.ltf_mutex_trylock = NULL;
	extrafns.ltf_sema_alloc = NULL;
	extrafns.ltf_sema_free = NULL;
	extrafns.ltf_sema_wait = NULL;
	extrafns.ltf_sema_post = NULL;

	/* Set up the ld to use those function pointers */
	rc = ldap_set_option(ld, LDAP_OPT_EXTRA_THREAD_FN_PTRS,
	    (void *) &extrafns);
	if (rc < 0) {
		syslog(LOG_INFO, gettext("libsldap: ldap_set_option "
		"(LDAP_OPT_EXTRA_THREAD_FN_PTRS)"));
		return (0);
	}

	return (1);
}

/* set up an MT connection for sharing among multiple threads */
static int
setup_mt_ld(LDAP *ld, ns_conn_mgmt_t *cmg)
{
	thread_t	t = thr_self();

	/* set up the per-thread data for using the MT connection */
	if (conn_tsd_setup(cmg) == -1) {
		syslog(LOG_WARNING,
		    gettext("libsldap: tid= %d: unable to set up TSD\n"), t);
		return (-1);
	}

	if (setup_mt_conn(ld) == 0) {
		/* multiple threads per connection not supported */
		syslog(LOG_WARNING, gettext("libsldap: tid= %d: multiple "
		    "threads per connection not supported\n"), t);
		conn_tsd_free();
		return (-1);
	}
	return (0);
}

/*
 * Check name and UID of process, if it is nscd.
 *
 * Input:
 *   pid	: PID of checked process
 *   check_uid	: check if UID == 0
 * Output:
 *   B_TRUE	: nscd detected
 *   B_FALSE	: nscd not confirmed
 */
static boolean_t
check_nscd_proc(pid_t pid, boolean_t check_uid)
{
	psinfo_t	pinfo;
	char		fname[MAXPATHLEN];
	ssize_t		ret;
	int		fd;

	if (snprintf(fname, MAXPATHLEN, "/proc/%d/psinfo", pid) > 0) {
		if ((fd = open(fname,  O_RDONLY)) >= 0) {
			ret = read(fd, &pinfo, sizeof (psinfo_t));
			(void) close(fd);
			if ((ret == sizeof (psinfo_t)) &&
			    (strcmp(pinfo.pr_fname, "nscd") == 0)) {
				if (check_uid && (pinfo.pr_uid != 0))
					return (B_FALSE);
				return (B_TRUE);
			}
		}
	}
	return (B_FALSE);
}

/*
 * Check if this process is peruser nscd.
 */
boolean_t
__s_api_peruser_proc(void)
{
	pid_t		my_ppid;
	static mutex_t	nscdLock = DEFAULTMUTEX;
	static pid_t	checkedPpid = (pid_t)-1;
	static boolean_t isPeruserNscd = B_FALSE;

	my_ppid = getppid();

	/*
	 * Already checked before for this process? If yes, return cached
	 * response.
	 */
	if (my_ppid == checkedPpid) {
		return (isPeruserNscd);
	}

	(void) mutex_lock(&nscdLock);

	/* Check once more incase another thread has just complete this. */
	if (my_ppid == checkedPpid) {
		(void) mutex_unlock(&nscdLock);
		return (isPeruserNscd);
	}

	/* Reinitialize to be sure there is no residue after fork. */
	isPeruserNscd = B_FALSE;

	/* Am I the nscd process? */
	if (check_nscd_proc(getpid(), B_FALSE)) {
		/* Is my parent the nscd process with UID == 0. */
		isPeruserNscd = check_nscd_proc(my_ppid, B_TRUE);
	}

	/* Remeber for whom isPeruserNscd is. */
	checkedPpid = my_ppid;

	(void) mutex_unlock(&nscdLock);
	return (isPeruserNscd);
}

/*
 * Check if this process is main nscd.
 */
boolean_t
__s_api_nscd_proc(void)
{
	pid_t		my_pid;
	static mutex_t	nscdLock = DEFAULTMUTEX;
	static pid_t	checkedPid = (pid_t)-1;
	static boolean_t isMainNscd = B_FALSE;

	/*
	 * Don't bother checking if this process isn't root, this cannot
	 * be main nscd.
	 */
	if (getuid() != 0)
		return (B_FALSE);

	my_pid = getpid();

	/*
	 * Already checked before for this process? If yes, return cached
	 * response.
	 */
	if (my_pid == checkedPid) {
		return (isMainNscd);
	}

	(void) mutex_lock(&nscdLock);

	/* Check once more incase another thread has just done this. */
	if (my_pid == checkedPid) {
		(void) mutex_unlock(&nscdLock);
		return (isMainNscd);
	}

	/*
	 * Am I the nscd process? UID is already checked, not needed from
	 * psinfo.
	 */
	isMainNscd = check_nscd_proc(my_pid, B_FALSE);

	/* Remeber for whom isMainNscd is. */
	checkedPid = my_pid;

	(void) mutex_unlock(&nscdLock);
	return (isMainNscd);
}

/*
 * initialize a connection management control structure conn_mgmt_t
 */
ns_conn_mgmt_t *
init_conn_mgmt()
{
	ns_conn_mgmt_t	*cmg;

	cmg = (ns_conn_mgmt_t *)calloc(1, sizeof (*cmg));
	if (cmg == NULL) {
		syslog(LOG_ERR, NS_CONN_MSG_NO_CONN_MGMT);
		return (NULL);
	}

	/* is this process nscd or peruser nscd ? */
	cmg->is_nscd = __s_api_nscd_proc();
	cmg->is_peruser_nscd = __s_api_peruser_proc();

	/*
	 * assume the underlying libldap allows multiple threads sharing
	 * the same ldap connection (MT connection)
	 */
	cmg->ldap_mt = B_TRUE;
	/* state is inactive until MT connection is required/requested */
	cmg->state = NS_CONN_MGMT_INACTIVE;

	(void) mutex_init(&cmg->lock, USYNC_THREAD, NULL);
	(void) mutex_init(&cmg->cfg_lock, USYNC_THREAD, NULL);
	cmg->pid = getpid();

	/* for nscd or peruser nscd, MT connection is required */
	if (cmg->is_nscd == B_TRUE || cmg->is_peruser_nscd == B_TRUE)
		cmg->state = NS_CONN_MGMT_ACTIVE;

	/*
	 * reference (or initialize) the current Native LDAP configuration and
	 * if in nscd process, make it never refreshed
	 */
	cmg->config = __s_api_get_default_config_global();
	if (cmg->config == NULL)
		cmg->config = __s_api_loadrefresh_config_global();
	if (cmg->config != NULL) {
		/*
		 * main nscd get config change notice from ldap_cachemgr
		 * so won't times out and refresh the config
		 */
		if (cmg->is_nscd  == B_TRUE)
			(cmg->config)->paramList[NS_LDAP_EXP_P].ns_tm = 0;
		cmg->cfg_cookie = cmg->config->config_cookie;
	}

	return (cmg);
}

static void
mark_shutdown_or_reoladed(int op)
{
	ns_conn_mgmt_t	*cmg = ns_connmgmt;

	(void) mutex_lock(&cmg->lock);
	if (op == NS_CONN_MGMT_OP_SHUTDOWN)
		cmg->shutting_down = B_TRUE;
	else
		cmg->cfg_reloaded = B_TRUE;
	atomic_inc_uint(&cmg->ref_cnt);
	cmg->state = NS_CONN_MGMT_DETACHED;

	if (op == NS_CONN_MGMT_OP_RELOAD_CONFIG)
		__s_api_init_config_global(NULL);

	(void) mutex_unlock(&cmg->lock);
}

/*
 * Return a pointer to the current connection management. If
 * it has not been created, or is requested to recreate, then
 * create and return the pointer. It is possible, the current
 * one is created by the parent before fork, create a new
 * one too in such a case.
 */
static ns_conn_mgmt_t *
get_current_conn_mgmt(int op)
{
	ns_conn_mgmt_t	*cmg = ns_connmgmt;
	static pid_t	checked_pid = (pid_t)-1;
	pid_t		mypid;

	mypid = getpid();
	if (cmg == NULL || checked_pid != mypid) {
		checked_pid = mypid;

		/*
		 * if current conn_mgmt not created yet or is from parent
		 * or is requested to recreate, create it
		 */
		if (cmg == NULL || cmg->pid != mypid) {
			if (cmg != NULL) {
				/*
				 * We don't want to free the conn_mgmt
				 * allocated by the parent, since
				 * there may be ldap connections
				 * still being used. So leave it
				 * alone but keep it referenced,
				 * so that it will not be flagged
				 * as a piece of leaked memory.
				 */
				ns_connmgmt_parent = cmg;
				/*
				 * avoid lint warning; does not
				 * change the conn_mgmt in parent
				 */
				ns_connmgmt_parent->state =
				    NS_CONN_MGMT_DETACHED;
			}
			ns_connmgmt = init_conn_mgmt();
			cmg = ns_connmgmt;
			/*
			 * ensure it will not be destroyed until explicitly
			 * shut down or reloaded
			 */
			if (op == NS_CONN_MGMT_OP_REF)
				atomic_inc_uint(&cmg->ref_cnt);
		}
	}

	return (cmg);
}

static ns_conn_mgmt_t *
access_conn_mgmt(int op)
{
	ns_conn_mgmt_t	*cmg = NULL;
	ns_conn_mgmt_t	*cmg_prev;

	(void) mutex_lock(&ns_connmgmt_lock);

	/*
	 * connection management is not available when the libsldap is being
	 * unloaded or shut down
	 */
	if (ns_connmgmt_shutting_down == B_TRUE) {
		(void) mutex_unlock(&ns_connmgmt_lock);
		return (NULL);
	}

	if (op == NS_CONN_MGMT_OP_SHUTDOWN) {
		ns_connmgmt_shutting_down = B_TRUE;
		if (ns_connmgmt != NULL) {
			cmg = ns_connmgmt;
			mark_shutdown_or_reoladed(op);
			ns_connmgmt = NULL;
		}
		(void) mutex_unlock(&ns_connmgmt_lock);
		return (cmg);
	}

	if (op == NS_CONN_MGMT_OP_RELOAD_CONFIG ||
	    op == NS_CONN_MGMT_OP_NEW_CONFIG) {
		cmg_prev = ns_connmgmt;
		mark_shutdown_or_reoladed(op);
		/*
		 * the previous cmg (cmg_prev) will be freed later
		 * when its ref count reaches zero
		 */
		ns_connmgmt = NULL;
	}

	cmg = get_current_conn_mgmt(op);
	if (cmg == NULL) {
		(void) mutex_unlock(&ns_connmgmt_lock);
		return (NULL);
	}

	atomic_inc_uint(&cmg->ref_cnt);
	if (op == NS_CONN_MGMT_OP_RELOAD_CONFIG ||
	    op == NS_CONN_MGMT_OP_NEW_CONFIG)
		cmg = cmg_prev;
	else { /* op is  NS_CONN_MGMT_OP_REF  or NS_CONN_MGMT_OP_LIB_INIT */
		if (cmg->config == NULL)
			cmg->config = __s_api_get_default_config();
	}

	(void) mutex_unlock(&ns_connmgmt_lock);
	return (cmg);
}

/*
 * free a connection management control
 */
static void
free_conn_mgmt(ns_conn_mgmt_t *cmg)
{
	union {
		ldap_data_t	s_d;
		char		s_b[1024];
	} space;
	ldap_data_t	*sptr;
	int		ndata;
	int		adata;
	int		rc;
	ldap_get_chg_cookie_t cookie;

	if (cmg == NULL)
		return;
	cookie = cmg->cfg_cookie;

	__s_api_free2dArray(cmg->pservers);
	/* destroy the previous config or release the current one */
	if (cmg->config != NULL) {
		if (cmg->state == NS_CONN_MGMT_DETACHED)
			__s_api_destroy_config(cmg->config);
		else
			__s_api_release_config(cmg->config);
	}

	/* stop the server status/config-change monitor thread */
	if (cmg->procchg_started == B_TRUE) {
		if (cmg->procchg_tid != thr_self()) {
			if (cmg->procchg_door_call == B_TRUE) {
				adata = sizeof (ldap_call_t) + 1;
				ndata = sizeof (space);
				space.s_d.ldap_call.ldap_callnumber =
				    GETSTATUSCHANGE;
				space.s_d.ldap_call.ldap_u.get_change.op =
				    NS_STATUS_CHANGE_OP_STOP;
				space.s_d.ldap_call.ldap_u.get_change.cookie =
				    cookie;
				sptr = &space.s_d;
				rc = __ns_ldap_trydoorcall(&sptr, &ndata,
				    &adata);
				if (rc != NS_CACHE_SUCCESS)
					syslog(LOG_INFO,
					    gettext("libsldap: "
					    "free_conn_mgmt():"
					    " stopping door call "
					    " GETSTATUSCHANGE failed "
					    " (rc = %d)"), rc);
			}
			(void) pthread_cancel(cmg->procchg_tid);
			cmg->procchg_started = B_FALSE;
		}
	}

	free(cmg);
}

static ns_conn_mgmt_t *
release_conn_mgmt(ns_conn_mgmt_t *cmg, boolean_t unlock_cmg)
{
	if (cmg == NULL)
		return (NULL);
	if (atomic_dec_uint_nv(&cmg->ref_cnt) == 0) {
		if (cmg->state == NS_CONN_MGMT_DETACHED) {
			if (unlock_cmg == B_TRUE)
				(void) mutex_unlock(&cmg->lock);
			free_conn_mgmt(cmg);
			return (NULL);
		} else {
			syslog(LOG_WARNING,
			    gettext("libsldap: connection management "
			    " has a refcount of zero but the state "
			    " is not DETACHED (%d)"), cmg->state);
			cmg = NULL;
		}
	}
	return (cmg);
}

/*
 * exposed function for initializing a connection management control structure
 */
ns_conn_mgmt_t *
__s_api_conn_mgmt_init()
{
	if (thr_keycreate_once(&ns_mtckey, ns_mtckey_cleanup) != 0) {
		syslog(LOG_WARNING, NS_CONN_MSG_NO_MTC_KEY);
		return (NULL);
	}

	if (thr_keycreate_once(&ns_cmgkey, NULL) != 0) {
		syslog(LOG_WARNING, NS_CONN_MSG_NO_CMG_KEY);
		return (NULL);
	}

	return (access_conn_mgmt(NS_CONN_MGMT_OP_LIB_INIT));
}

/* initialize a connection user */
ns_conn_user_t *
__s_api_conn_user_init(int type, void *userinfo, boolean_t referral)
{
	ns_conn_user_t	*cu;
	ns_conn_mgmt_t	*cmg;

	/* delete the reference to the previously used conn_mgmt */
	(void) thr_setspecific(ns_cmgkey, NULL);

	cmg = access_conn_mgmt(NS_CONN_MGMT_OP_REF);
	if (cmg == NULL)
		return (NULL);

	if (cmg->state != NS_CONN_MGMT_ACTIVE &&
	    cmg->state != NS_CONN_MGMT_INACTIVE) {
		atomic_dec_uint(&cmg->ref_cnt);
		return (NULL);
	}

	cu = (ns_conn_user_t *)calloc(1, sizeof (*cu));
	if (cu == NULL) {
		atomic_dec_uint(&cmg->ref_cnt);
		return (NULL);
	}

	cu->type = type;
	cu->state = NS_CONN_USER_ALLOCATED;
	cu->tid = thr_self();
	cu->userinfo = userinfo;
	cu->referral = referral;
	cu->ns_rc = NS_LDAP_SUCCESS;
	cu->conn_mgmt = cmg;

	(void) conn_tsd_setup(cmg);

	return (cu);
}

/*
 * Free the resources used by a connection user.
 * The caller should ensure this conn_user is
 * not associated with any conn_mt, i.e.,
 * not in any conn_mt's linked list of conn_users.
 * The caller needs to free the userinfo member
 * as well.
 */
void
__s_api_conn_user_free(ns_conn_user_t *cu)
{
	ns_conn_mgmt_t	*cmg;

	if (cu == NULL)
		return;

	cu->state = NS_CONN_USER_FREED;
	if (cu->ns_error != NULL)
		(void) __ns_ldap_freeError(&cu->ns_error);

	cmg = cu->conn_mgmt;
	conn_tsd_free();
	(void) release_conn_mgmt(cmg, B_FALSE);
	(void) free(cu);
}

/*
 * Initialize an MT connection control structure
 * that will be used to represent an ldap connection
 * to be shared among multiple threads and to hold
 * and manage all the conn_users using the ldap
 * connection.
 */
static ns_conn_mt_t *
init_conn_mt(ns_conn_mgmt_t *cmg, ns_ldap_error_t **ep)
{
	ns_conn_mt_t	*cm;
	ns_conn_mgmt_t	*cmg_a;

	cm = (ns_conn_mt_t *)calloc(1, sizeof (*cm));
	if (cm == NULL) {
		if (ep != NULL)
			*ep = __s_api_make_error(NS_LDAP_MEMORY, NULL);
		return (NULL);
	}

	cmg_a = access_conn_mgmt(NS_CONN_MGMT_OP_REF);
	if (cmg_a != cmg) {
		if (cmg_a != NULL) {
			(void) release_conn_mgmt(cmg_a, B_FALSE);
			if (ep != NULL)
				*ep = __s_api_make_error(NS_LDAP_OP_FAILED,
				    NS_CONN_MSG_SHUTDOWN_RELOADED);
		}
		return (NULL);
	}

	(void) mutex_init(&cm->lock, USYNC_THREAD, NULL);
	cm->state = NS_CONN_MT_CONNECTING;
	cm->tid = thr_self();
	cm->pid = getpid();
	cm->next = NULL;
	cm->cu_head = NULL;
	cm->cu_tail = NULL;
	cm->conn = NULL;
	cm->conn_mgmt = cmg;

	return (cm);
}

/*
 * Free an MT connection control structure, assume conn_mgmt is locked.
 * 'unlock_cmg' is passed to release_conn_mgmt() to indicate the
 * cmg needs to be unlocked or not.
 */
static ns_conn_mgmt_t *
free_conn_mt(ns_conn_mt_t *cm, int unlock_cmg)
{
	ns_conn_mgmt_t	*cmg;

	if (cm == NULL)
		return (NULL);
	if (cm->ns_error != NULL)
		(void) __ns_ldap_freeError(&cm->ns_error);
	if (cm->conn != NULL) {
		if (cm->conn->ld != NULL)
			(void) ldap_unbind(cm->conn->ld);
		__s_api_freeConnection(cm->conn);
	}
	cmg = cm->conn_mgmt;
	free(cm);
	return (release_conn_mgmt(cmg, unlock_cmg));
}

/* add a connection user to an MT connection */
static void
add_cu2cm(ns_conn_user_t *cu, ns_conn_mt_t *cm)
{

	if (cm->cu_head == NULL) {
		cm->cu_head = cu;
		cm->cu_tail = cu;
	} else {
		cm->cu_tail->next = cu;
		cm->cu_tail = cu;
	}
	cm->cu_cnt++;
}

/* add an MT connection to the connection management */
static void
add_cm2cmg(ns_conn_mt_t *cm, ns_conn_mgmt_t *cmg)
{
	/*
	 * add connection opened for WRITE to top of list
	 * for garbage collection purpose. This is to
	 * ensure the connection will be closed after a
	 * certain amount of time (60 seconds).
	 */
	if (cmg->cm_head == NULL) {
		cmg->cm_head = cm;
		cmg->cm_tail = cm;
	} else {
		if (cm->opened_for == NS_CONN_USER_WRITE) {
			cm->next = cmg->cm_head;
			cmg->cm_head = cm;
		} else {
			cmg->cm_tail->next = cm;
			cmg->cm_tail = cm;
		}
	}
	cmg->cm_cnt++;
}

/* delete a connection user from an MT connection */
static void
del_cu4cm(ns_conn_user_t *cu, ns_conn_mt_t *cm)
{
	ns_conn_user_t *pu, *u;

	if (cu == NULL || cm->cu_head == NULL || cm->cu_cnt == 0)
		return;

	/* only one conn_user on list */
	if (cm->cu_head == cm->cu_tail) {
		if (cu == cm->cu_head) {
			cm->cu_head = cm->cu_tail = NULL;
			cm->cu_cnt = 0;
			cu->next = NULL;
		}
		return;
	}

	/* more than one and cu is the first one */
	if (cu == cm->cu_head) {
		cm->cu_head = cu->next;
		cm->cu_cnt--;
		cu->next = NULL;
		return;
	}

	pu = cm->cu_head;
	for (u = cm->cu_head->next; u; u = u->next) {
		if (cu == u)
			break;
		pu = u;
	}
	if (pu != cm->cu_tail) {
		pu->next = cu->next;
		if (pu->next == NULL)
			cm->cu_tail = pu;
		cm->cu_cnt--;
		cu->next = NULL;
	} else {
		syslog(LOG_INFO, gettext(
		    "libsldap: del_cu4cm(): connection user not found"));
	}
}

/* delete an MT connection from the connection management control structure */
static void
del_cm4cmg(ns_conn_mt_t *cm, ns_conn_mgmt_t *cmg)
{
	ns_conn_mt_t *pm, *m;

	if (cm == NULL || cmg->cm_head == NULL || cmg->cm_cnt == 0)
		return;

	/* only one conn_mt on list */
	if (cmg->cm_head == cmg->cm_tail) {
		if (cm == cmg->cm_head) {
			cmg->cm_head = cmg->cm_tail = NULL;
			cmg->cm_cnt = 0;
			cm->next = NULL;
		}
		return;
	}

	/* more than one and cm is the first one */
	if (cm == cmg->cm_head) {
		cmg->cm_head = cm->next;
		cmg->cm_cnt--;
		cm->next = NULL;
		return;
	}

	pm = cmg->cm_head;
	for (m = cmg->cm_head->next; m; m = m->next) {
		if (cm == m)
			break;
		pm = m;
	}
	if (pm != cmg->cm_tail) {
		pm->next = cm->next;
		if (pm->next == NULL)
			cmg->cm_tail = pm;
		cmg->cm_cnt--;
		cm->next = NULL;
	} else {
		syslog(LOG_INFO, gettext(
		    "libsldap: del_cm4cmg(): MT connection not found"));
	}
}

/*
 * compare to see if the server and credential for authentication match
 * those used by an MT connection
 */
static boolean_t
is_server_cred_matched(const char *server, const ns_cred_t *cred,
	ns_conn_mt_t *cm)
{
	Connection	*cp = cm->conn;

	/* check server first */
	if (server != NULL && *server != 0) {
		if (strcasecmp(server, cp->serverAddr) != 0)
			return (B_FALSE);
	}

	if (cred == NULL)
		return (B_TRUE);

	/* then check cred */
	return (__s_api_is_auth_matched(cp->auth, cred));
}

/*
 * Wait until a pending MT connection becomes available.
 * Return 1 if so, 0 if error.
 *
 * Assume the current conn_mgmt and the input conn_mt
 * are locked.
 */
static int
wait_for_conn_mt(ns_conn_user_t *cu, ns_conn_mt_t *cm)
{

	cu->state = NS_CONN_USER_WAITING;
	add_cu2cm(cu, cm);
	cu->conn_mt = cm;

	(void) mutex_unlock(&cm->lock);
	/*
	 * It could take some time so we don't want to hold
	 * cm->conn_mgmt across the wait
	 */
	(void) mutex_unlock(&(cm->conn_mgmt)->lock);

	(void) mutex_lock(&cm->lock);
	/* check one more time see if need to wait */
	if (cm->state == NS_CONN_MT_CONNECTING) {
		(void) conn_wait(cm, cu);

		/* cm->lock is locked again at this point */

		cu->state = NS_CONN_USER_WOKEUP;
	}

	if (cm->state == NS_CONN_MT_CONNECTED)
		return (1);
	else {
		del_cu4cm(cu, cm);
		cu->conn_mt = NULL;
		cu->bad_mt_conn = B_FALSE;
		return (0);
	}
}

/*
 * Check and see if the input MT connection '*cm' should be closed.
 * In two cases, it should be closed. If a preferred server is
 * found to be up when ldap_cachemgr is queried and reported back.
 * Or when the server being used for the connection is found to
 * be down. Return B_FALSE if the connection is not closed (or not marked
 * to be closed), otherwise unlock mutex (*cm)->lock and return B_TRUE.
 * This function assumes conn_mgmt cmg and conn_mt *cm are locked.
 */
static boolean_t
check_and_close_conn(ns_conn_mgmt_t *cmg, ns_conn_mt_t **cm,
	ns_conn_user_t *cu) {

	int rc;
	int j;
	int svridx = -1;
	int upidx = -1;
	int free_cm;
	ns_server_info_t sinfo;
	ns_ldap_error_t *errorp = NULL;

	/*
	 * check only if preferred servers are defined
	 */
	if (cmg->pservers_loaded == B_FALSE)
		get_preferred_servers(B_FALSE, B_FALSE, cmg);
	if (cmg->pservers == NULL)
		return (B_FALSE);

	/*
	 * ask ldap_cachemgr for the first available server
	 */
	rc = __s_api_requestServer(NS_CACHE_NEW, NULL,
	    &sinfo, &errorp, NS_CACHE_ADDR_IP);
	if (rc != NS_LDAP_SUCCESS || sinfo.server == NULL) {
		(void) __ns_ldap_freeError(&errorp);
		return (B_FALSE);
	}

	/*
	 * Did ldap_cachemgr return a preferred server ?
	 */
	for (j = 0; cmg->pservers[j] != NULL; j++) {
		if (strcasecmp(sinfo.server, cmg->pservers[j]) != 0)
			continue;
		upidx = j;
		break;
	}

	/*
	 * Is the server being used a preferred one ?
	 */
	for (j = 0; cmg->pservers[j] != NULL; j++) {
		if (strcasecmp(cmg->pservers[j], (*cm)->conn->serverAddr) != 0)
			continue;
		svridx = j;
		break;
	}

	/*
	 * Need to fall back to a down-but-now-up preferred server ?
	 * A preferred server falls back to a more preferred one.
	 * A regular one falls back to any preferred ones. So if
	 * both are preferred ones and same index, or both
	 * are not preferred ones, then no need to close the
	 * connection.
	 */
	if ((upidx == -1 && svridx == -1) ||
	    (upidx != -1 && svridx != -1 && upidx == svridx)) {
		__s_api_free_server_info(&sinfo);
		return (B_FALSE);
	}

	/*
	 * otherwise, 4 cases, all may need to close the connection:
	 * For case 1 and 2, both servers are preferred ones:
	 * 1. ldap_cachemgr returned a better one to use (upidx < svridx)
	 * 2. the server being used is down (upidx > svridx)
	 * 3. ldap_cachemgr returned a preferred one, but the server
	 *    being used is not, so need to fall back to the preferred server
	 * 4. ldap_cachemgr returned a non-preferred one, but the server
	 *    being used is a preferred one, so it must be down (since
	 *    ldap_cachemgr always returns a preferred one when possible).
	 * For case 1 & 3, close the READ connection when no user uses it.
	 * For 2 and 4, close the connection with error rc, LDAP_SERVER_DOWN.
	 */
	if (upidx != -1 && (svridx == -1 || upidx < svridx)) { /* case 1 & 3 */
		/* fallback does not make sense for WRITE/referred connection */
		if ((*cm)->opened_for == NS_CONN_USER_WRITE ||
		    (*cm)->referral == B_TRUE) {
			__s_api_free_server_info(&sinfo);
			return (B_FALSE);
		}
		free_cm = close_conn_mt_when_nouser(*cm);
		if (cmg->shutting_down == B_FALSE)
			cu->retry = B_TRUE;
	} else {
		ns_ldap_error_t *ep;
		ep = __s_api_make_error(LDAP_SERVER_DOWN,
		    NS_CONN_MSG_DOWN_FROM_CACHEMGR);
		/* cu has not been attached to cm yet, use NULL as cu pointer */
		free_cm = close_conn_mt(*cm, LDAP_SERVER_DOWN, &ep, NULL);
		if (cmg->shutting_down == B_FALSE)
			cu->retry = B_TRUE;
		(void) __ns_ldap_freeError(&ep);
	}

	(void) mutex_unlock(&(*cm)->lock);
	if (free_cm == 1) {
		(void) free_conn_mt(*cm, 0);
		*cm = NULL;
	}

	__s_api_free_server_info(&sinfo);

	return (B_TRUE);
}

/*
 * Check to see if a conn_mt matches the connection criteria from
 * a conn_user. Return B_TRUE if yes, B_FALSE, otherwise. The input
 * conn_mt pointer (*cmt) may be freed and *cmt will be set to NULL
 * to indicate so.
 * conn_mt *cmt and conn_mgmt cm->conn_mgmt are assumed locked.
 * cm->lock is unlocked at exit if rc is B_FALSE.
 */
static boolean_t
match_conn_mt(ns_conn_user_t *cu, ns_conn_mt_t **cmt,
	ns_conn_mt_state_t st, const char *server,
	const ns_cred_t *cred)
{
	boolean_t	matched = B_FALSE;
	boolean_t	drop_conn;
	int		free_cm = 0;
	ns_conn_mt_t	*cm = *cmt;
	ns_conn_mgmt_t	*cmg = cm->conn_mgmt;

	if (cm->state != st || cm->close_when_nouser  == B_TRUE ||
	    cm->detached == B_TRUE || cm->pid != getpid() ||
	    cm->referral != cu->referral) {
		(void) mutex_unlock(&cm->lock);
		return (B_FALSE);
	}

	/*
	 * if a conn_mt opened for WRITE is idle
	 * long enough, then close it. To improve
	 * the performance of applications, such
	 * as ldapaddent, a WRITE connection is
	 * given a short time to live in the
	 * connection pool, expecting the write
	 * requests to come in a quick succession.
	 * To save resource, the connection will
	 * be closed if idle more than 60 seconds.
	 */
	if (cm->opened_for == NS_CONN_USER_WRITE &&
	    cu->type != NS_CONN_USER_WRITE && cm->cu_cnt == 0 &&
	    ((time(NULL) - cm->access_time) > 60)) {
		/*
		 * NS_LDAP_INTERNAL is irrelevant here. There no
		 * conn_user to consume the rc
		 */
		free_cm = close_conn_mt(cm, NS_LDAP_INTERNAL, NULL, NULL);
		(void) mutex_unlock(&cm->lock);
		if (free_cm == 1) {
			(void) free_conn_mt(cm, 0);
			*cmt = NULL;
		}
		return (B_FALSE);
	}

	switch (cu->type) {
	case NS_CONN_USER_SEARCH:
	case NS_CONN_USER_GETENT:
		if (cm->opened_for == NS_CONN_USER_SEARCH ||
		    cm->opened_for == NS_CONN_USER_GETENT)
			matched = B_TRUE;
		break;

	case NS_CONN_USER_WRITE:
		if (cm->opened_for == NS_CONN_USER_WRITE)
			matched = B_TRUE;
		break;

	default:
		matched = B_FALSE;
		break;
	}

	if (matched == B_TRUE && ((server != NULL || cred != NULL) &&
	    is_server_cred_matched(server, cred, cm) == B_FALSE))
		matched = B_FALSE;

	if (matched != B_FALSE) {
		/*
		 * Check and drop the 'connected' connection if
		 * necessary. Main nscd gets status changes from
		 * the ldap_cachemgr daemon directly via the
		 * GETSTATUSCHANGE door call, the standalone
		 * function works in a no ldap_cachemgr environment,
		 * so no need to check and drop connections.
		 */
		if (cm->state == NS_CONN_MT_CONNECTED &&
		    cmg->is_nscd == B_FALSE && !__s_api_isStandalone()) {
			drop_conn = check_and_close_conn(cmg, &cm, cu);
			if (drop_conn == B_TRUE) {
				if (cm == NULL)
					*cmt = NULL;
				return (B_FALSE);
			}
		}

		/* check if max. users using or waiting for the connection */
		if ((cm->state == NS_CONN_MT_CONNECTED &&
		    cm->cu_max != NS_CONN_MT_USER_NO_MAX &&
		    cm->cu_cnt >= cm->cu_max) ||
		    (cm->state == NS_CONN_MT_CONNECTING &&
		    cm->cu_max != NS_CONN_MT_USER_NO_MAX &&
		    cm->waiter_cnt >= cm->cu_max - 1))
			matched = B_FALSE;
	}

	if (matched == B_FALSE)
		(void) mutex_unlock(&cm->lock);

	return (matched);
}

/*
 * obtain an MT connection from the connection management for a conn_user
 *
 * Input:
 *   server	: server name or IP address
 *   flags	: libsldap API flags
 *   cred	: pointer to the user credential
 *   cu		: pointer to the conn_user structure
 * Output:
 *   session	: hold pointer to the Connection structure
 *   errorp	: hold pointer to error info (ns_ldap_error_t)
 */
int
__s_api_conn_mt_get(const char *server, const int flags, const ns_cred_t *cred,
	Connection **session, ns_ldap_error_t **errorp, ns_conn_user_t *cu)
{
	int		rc;
	int		i;
	ns_conn_mt_t	*cn;
	ns_conn_mt_state_t st;
	ns_conn_mgmt_t	*cmg;

	if (errorp == NULL || cu == NULL || session == NULL)
		return (NS_LDAP_INVALID_PARAM);

	*session = NULL;
	cmg = cu->conn_mgmt;

	/*
	 * for pam_ldap, always try opening a new connection
	 */
	if (cu->type == NS_CONN_USER_AUTH)
		return (NS_LDAP_NOTFOUND);

	/* if need a new conn, then don't reuse */
	if (flags & NS_LDAP_NEW_CONN)
		return (NS_LDAP_NOTFOUND);

	if (flags & NS_LDAP_KEEP_CONN)
		cu->keep_conn = B_TRUE;

	/*
	 * We want to use MT connection only if keep-connection flag is
	 * set or if MT was requested (or active)
	 */
	if (!((cmg->state == NS_CONN_MGMT_INACTIVE &&
	    cu->keep_conn == B_TRUE) || cmg->state == NS_CONN_MGMT_ACTIVE))
		return (NS_LDAP_NOTFOUND);

	/* MT connection will be used now (if possible/available) */
	cu->use_mt_conn = B_TRUE;

	NS_CONN_CHECK_ABORT_AND_LOCK(cmg, cu, errorp);

	/* first look for a connection already open */
	st = NS_CONN_MT_CONNECTED;
	cu->state = NS_CONN_USER_FINDING;
	for (i = 0; i < 2; i++) {
		for (cn = cmg->cm_head; cn; cn = cn->next) {
			(void) mutex_lock(&cn->lock);
			rc = match_conn_mt(cu, &cn, st, server, cred);
			if (rc == B_FALSE && cn != NULL) /* not found */
				continue;
			if (cn == NULL) { /* not found and cn freed */
				/*
				 * as the conn_mt list could
				 * be different due to cn's
				 * deletion, scan the entire
				 * conn_mt list again
				 */
				st = NS_CONN_MT_CONNECTED;
				i = -1;
				break;
			}

			/* return a connected one if found */
			if (cn->state == NS_CONN_MT_CONNECTED) {
				*session = cn->conn;
				add_cu2cm(cu, cn);
				cu->conn_mt = cn;
				cu->state = NS_CONN_USER_CONNECTED;
				(void) mutex_unlock(&cn->lock);
				(void) mutex_unlock(&cmg->lock);
				return (NS_LDAP_SUCCESS);
			}

			/*
			 * if cn is not connecting, or allow only
			 * one user, skip it
			 */
			if (cn->state != NS_CONN_MT_CONNECTING ||
			    cn->cu_max == 1) {
				(void) mutex_unlock(&cn->lock);
				continue;
			}

			/* wait for the connecting conn_mt */
			if (wait_for_conn_mt(cu, cn) != 1) {
				/*
				 * NS_LDAP_NOTFOUND signals that the function
				 * __s_api_check_libldap_MT_conn_support()
				 * detected that the lower libldap library
				 * does not support MT connection, so return
				 * NS_LDAP_NOTFOUND to let the caller to
				 * open a non-MT conneciton. Otherwise,
				 * connect error occurred, return
				 * NS_CONN_USER_CONNECT_ERROR
				 */
				if (cn->ns_rc != NS_LDAP_NOTFOUND)
					cu->state = NS_CONN_USER_CONNECT_ERROR;
				else {
					cu->state = NS_CONN_USER_FINDING;
					cu->use_mt_conn = B_FALSE;
				}
				(void) mutex_unlock(&cn->lock);

				/* cmg->lock unlocked by wait_for_conn_mt() */

				return (cn->ns_rc);
			}

			/* return the newly available conn_mt */
			*session = cn->conn;
			cu->state = NS_CONN_USER_CONNECTED;
			(void) mutex_unlock(&cn->lock);

			/* cmg->lock unlocked by wait_for_conn_mt() */

			return (NS_LDAP_SUCCESS);
		}

		/* next, look for a connecting conn_mt */
		if (i == 0)
			st = NS_CONN_MT_CONNECTING;
	}

	/* no connection found, start opening one */
	cn = init_conn_mt(cmg, errorp);
	if (cn == NULL) {
		(void) mutex_unlock(&cmg->lock);
		return ((*errorp)->status);
	}
	cu->conn_mt = cn;
	cn->opened_for = cu->type;
	cn->referral = cu->referral;
	if (cmg->ldap_mt == B_TRUE)
		cn->cu_max = NS_CONN_MT_USER_MAX;
	else
		cn->cu_max = 1;
	add_cm2cmg(cn, cmg);
	(void) mutex_unlock(&cmg->lock);

	return (NS_LDAP_NOTFOUND);
}


/*
 * add an MT connection to the connection management
 *
 * Input:
 *   con	: pointer to the Connection info
 *   cu		: pointer to the conn_user structure
 * Output:
 *   ep		: hold pointer to error info (ns_ldap_error_t)
 */
int
__s_api_conn_mt_add(Connection *con, ns_conn_user_t *cu, ns_ldap_error_t **ep)
{
	ns_conn_mgmt_t	*cmg = cu->conn_mgmt;
	ns_conn_mt_t	*cm = cu->conn_mt;

	/* if the conn_mgmt is being shut down, return error */
	NS_CONN_CHECK_ABORT_AND_LOCK(cmg, cu, ep);

	/*
	 * start the change monitor thread only if it
	 * hasn't been started and the process is the
	 * main nscd (not peruser nscd)
	 */
	if (cmg->procchg_started == B_FALSE && cmg->is_nscd == B_TRUE) {
		start_thread(cmg);
		cmg->procchg_started = B_TRUE;
	}
	(void) mutex_lock(&cm->lock);
	cm->conn = con;
	cm->state = NS_CONN_MT_CONNECTED;
	cm->pid = getpid();
	cm->create_time = time(NULL);
	cm->access_time = cm->create_time;
	cm->opened_for = cu->type;
	add_cu2cm(cu, cm);
	cu->conn_mt = cm;
	cu->state = NS_CONN_USER_CONNECTED;
	if (cmg->ldap_mt == B_TRUE)
		cm->cu_max = NS_CONN_MT_USER_MAX;
	else
		cm->cu_max = 1;

	/* wake up the waiters if any */
	(void) conn_signal(cm);

	(void) mutex_unlock(&cm->lock);
	(void) mutex_unlock(&cmg->lock);

	return (NS_LDAP_SUCCESS);
}

/*
 * return an MT connection to the pool when a conn user is done usint it
 *
 * Input:
 *   cu		: pointer to the conn_user structure
 * Output:	NONE
 */
void
__s_api_conn_mt_return(ns_conn_user_t *cu)
{
	ns_conn_mt_t	*cm;
	ns_conn_mgmt_t	*cmg;

	if (cu == NULL || cu->use_mt_conn == B_FALSE)
		return;
	cm = cu->conn_mt;
	if (cm == NULL)
		return;
	cmg = cu->conn_mgmt;

	(void) mutex_lock(&cm->lock);
	del_cu4cm(cu, cm);
	cu->state = NS_CONN_USER_DISCONNECTED;
	cu->conn_mt = NULL;
	cu->bad_mt_conn = B_FALSE;

	/*
	 *  if this MT connection is no longer needed, or not usable, and
	 * no more conn_user uses it, then close it.
	 */

	if ((cm->close_when_nouser == B_TRUE ||
	    cm->state != NS_CONN_MT_CONNECTED) && cm->cu_cnt == 0) {
		(void) mutex_unlock(&cm->lock);
		(void) mutex_lock(&cmg->lock);
		(void) mutex_lock(&cm->lock);
		del_cm4cmg(cm, cmg);
		/* use ns_conn_free (instead of 1) to avoid lint warning */
		NS_CONN_UNLOCK_AND_FREE(ns_conn_free, cm, cmg);
	} else {
		if (cm->state == NS_CONN_MT_CONNECTED && cm->cu_cnt == 0 &&
		    cm->conn != NULL && cm->conn->ld != NULL) {
			struct timeval	zerotime;
			LDAPMessage	*res;

			zerotime.tv_sec = zerotime.tv_usec = 0L;
			/* clean up remaining results just in case */
			while (ldap_result(cm->conn->ld, LDAP_RES_ANY,
			    LDAP_MSG_ALL, &zerotime, &res) > 0) {
				if (res != NULL)
					(void) ldap_msgfree(res);
			}
		}
		(void) mutex_unlock(&cm->lock);
	}
}

/* save error info (rc and ns_ldap_error_t) in the conn_mt */
static void
err2cm(ns_conn_mt_t *cm, int rc, ns_ldap_error_t **errorp) {
	ns_ldap_error_t	*ep;

	cm->ns_rc = rc;
	cm->ns_error = NULL;
	if (errorp != NULL && *errorp != NULL) {
		ep = __s_api_copy_error(*errorp);
		if (ep == NULL)
			cm->ns_rc = NS_LDAP_MEMORY;
		else
			cm->ns_error = ep;
	}
}

/* copy error info (rc and ns_ldap_error_t) from conn_mt to conn_user */
static void
err_from_cm(ns_conn_user_t *cu, ns_conn_mt_t *cm) {
	ns_ldap_error_t	*ep;

	cu->ns_rc = cm->ns_rc;
	if (cu->ns_error != NULL)
		(void) __ns_ldap_freeError(&cu->ns_error);
	cu->ns_error = NULL;
	if (cm->ns_rc != NS_LDAP_SUCCESS && cm->ns_error != NULL) {
		ep = __s_api_copy_error(cm->ns_error);
		if (ep == NULL)
			cu->ns_rc = NS_LDAP_MEMORY;
		else
			cu->ns_error = ep;
	}
}

/* copy error info (rc and ns_ldap_error_t) from caller to conn_user */
static void
err_from_caller(ns_conn_user_t *cu, int rc, ns_ldap_error_t **errorp) {

	cu->ns_rc = rc;
	if (errorp != NULL) {
		if (cu->ns_error != NULL)
			(void) __ns_ldap_freeError(&cu->ns_error);
		cu->ns_error = *errorp;
		*errorp = NULL;
	} else
		cu->ns_error = NULL;
}

/*
 * remove an MT connection from the connection management when failed to open
 *
 * Input:
 *   cu		: pointer to the conn_user structure
 *   rc		: error code
 *   errorp	: pointer to pointer to error info (ns_ldap_error_t)
 * Output:
 *   errorp	: set to NULL, if none NULL cm, callers do not need to free it
 */
void
__s_api_conn_mt_remove(ns_conn_user_t *cu, int rc, ns_ldap_error_t **errorp)
{
	ns_conn_mgmt_t	*cmg;
	ns_conn_mt_t	*cm;
	int		free_cm = 0;

	if (cu == NULL || cu->use_mt_conn == B_FALSE)
		return;
	if ((cm = cu->conn_mt) == NULL)
		return;
	cmg = cu->conn_mgmt;

	(void) mutex_lock(&cmg->lock);
	(void) mutex_lock(&cm->lock);
	if (cm->state != NS_CONN_MT_CONNECT_ERROR) {
		cm->state = NS_CONN_MT_CONNECT_ERROR;
		cm->ns_rc = rc;
		if (errorp != NULL) {
			cm->ns_error = *errorp;
			*errorp = NULL;
		}
	}

	/* all the conn_users share the same error rc and ns_ldap_error_t */
	err_from_cm(cu, cm);
	/* wake up the waiters if any */
	(void) conn_signal(cm);

	del_cu4cm(cu, cm);
	cu->conn_mt = NULL;
	cu->bad_mt_conn = B_FALSE;
	if (cm->cu_cnt == 0) {
		del_cm4cmg(cm, cmg);
		free_cm = 1;
	}

	NS_CONN_UNLOCK_AND_FREE(free_cm, cm, cmg);
}

/*
 * check to see if the underlying libldap supports multi-threaded client
 * (MT connections)
 */
int
__s_api_check_libldap_MT_conn_support(ns_conn_user_t *cu, LDAP *ld,
	ns_ldap_error_t **ep)
{
	int		rc;
	ns_conn_mgmt_t	*cmg;

	/* if no need to check, just return success */
	if (cu->conn_mt == NULL || cu->use_mt_conn == B_FALSE)
		return (NS_LDAP_SUCCESS);

	cmg = cu->conn_mgmt;
	rc = setup_mt_ld(ld, cmg);

	if (cmg->do_mt_conn == B_FALSE) {
		/*
		 * If the conn_mgmt is being shut down, return error.
		 * if cmg is usable, cmg->lock will be locked. Otherwise,
		 * this function will return with rc NS_LDAP_OP_FAILED.
		 */
		NS_CONN_CHECK_ABORT_AND_LOCK(cmg, cu, ep);
		if (cmg->do_mt_conn == B_FALSE) {
			if (rc < 0)
				cmg->ldap_mt = B_FALSE;
			else {
				cmg->ldap_mt = B_TRUE;
				if (cmg->is_nscd  == B_TRUE ||
				    cmg->is_peruser_nscd == B_TRUE) {
					cmg->do_mt_conn = B_TRUE;
					cmg->state = NS_CONN_MGMT_ACTIVE;
				}
			}
		}
		(void) mutex_unlock(&cmg->lock);
	}

	if (rc < 0)
		__s_api_conn_mt_remove(cu, NS_LDAP_NOTFOUND, NULL);
	return (NS_LDAP_SUCCESS);
}

/*
 * Close an MT connection.
 * Assume cm not null and locked, assume conn_mgmt is also locked.
 * Return -1 if error, 1 if the cm should be freed, otherwise 0.
 */
static int
close_conn_mt(ns_conn_mt_t *cm, int rc, ns_ldap_error_t **errorp,
	ns_conn_user_t *cu)
{
	ns_conn_mgmt_t	*cmg = cm->conn_mgmt;
	ns_conn_mt_t	*m;
	ns_conn_user_t	*u;

	if ((cm->state != NS_CONN_MT_CONNECTED && cm->state !=
	    NS_CONN_MT_CLOSING) || cmg->cm_head == NULL || cmg->cm_cnt == 0)
		return (-1);

	/* if the conn_mt is not in the MT connection pool, nothing to do */
	for (m = cmg->cm_head; m; m = m->next) {
		if (cm == m)
			break;
	}
	if (m == NULL)
		return (-1);

	if (cm->state == NS_CONN_MT_CONNECTED) { /* first time in here */
		cm->state = NS_CONN_MT_CLOSING;
		/*
		 * If more cu exist to consume the error info, copy
		 * it to the cm. If the caller calls on behalf of
		 * a cu, cu won't be NULL. Check to see if there's
		 * more cu that needs the error info. If caller does
		 * not have a specific cu attached to it (e.g.,
		 * shutdown_all_conn_mt()), cu is NULL, check if at
		 * least one cu exists.
		 */
		if ((cu != NULL && cm->cu_cnt > 1) ||
		    (cu == NULL && cm->cu_cnt > 0)) {
			err2cm(cm, rc, errorp);
			/* wake up waiter (conn_user) if any */
			(void) conn_signal(cm);
		}

		/* for each conn_user using the conn_mt, set bad_mt_conn flag */
		if (cm->cu_head != NULL) {
			for (u = cm->cu_head; u; u = u->next) {
				u->bad_mt_conn = B_TRUE;
				if (cmg->shutting_down == B_FALSE)
					u->retry = B_TRUE;
			}
		}
	}

	/* detach the conn_mt if no more conn_user left */
	if ((cu != NULL && cm->cu_cnt == 1) ||
	    (cu == NULL && cm->cu_cnt ==  0)) {
		del_cm4cmg(cm, cmg);
		cm->detached = B_TRUE;
		return (1);
	}

	return (0);
}

/*
 * An MT connection becomes bad, close it and free resources.
 * This function is called with a ns_conn_user_t representing
 * a user of the MT connection.
 *
 * Input:
 *   cu		: pointer to the conn_user structure
 *   rc		: error code
 *   errorp	: pointer to pointer to error info (ns_ldap_error_t)
 * Output:
 *   errorp	: set to NULL (if no error), callers do not need to free it
 */
void
__s_api_conn_mt_close(ns_conn_user_t *cu, int rc, ns_ldap_error_t **errorp)
{
	ns_conn_mgmt_t	*cmg;
	ns_conn_mt_t	*cm;
	int		free_cm = 0;

	if (cu == NULL || cu->use_mt_conn == B_FALSE)
		return;

	if (cu->state != NS_CONN_USER_CONNECTED || (cm = cu->conn_mt) == NULL)
		return;
	cmg = cu->conn_mgmt;

	(void) mutex_lock(&cmg->lock);
	(void) mutex_lock(&cm->lock);

	/* close the MT connection if possible */
	free_cm = close_conn_mt(cm, rc, errorp, cu);
	if (free_cm == -1) { /* error case */
		(void) mutex_unlock(&cm->lock);
		(void) mutex_unlock(&cmg->lock);
		return;
	}

	if (rc != NS_LDAP_SUCCESS) { /* error info passed in, use it */
		err_from_caller(cu, rc, errorp);
	} else { /* error not passed in, use those saved in the conn_mt */
		err_from_cm(cu, cm);
	}

	/* detach the conn_user from the conn_mt */
	del_cu4cm(cu, cm);
	cu->conn_mt = NULL;
	cu->bad_mt_conn = B_FALSE;
	if (cmg->shutting_down == B_FALSE)
		cu->retry = B_TRUE;
	NS_CONN_UNLOCK_AND_FREE(free_cm, cm, cmg);
}

/*
 * Close an MT connection when the associated server is known to be
 * down. This function is called with a ns_conn_mt_t representing
 * the MT connection. That is, the caller is not a conn_user
 * thread but rather the procchg thread.
 */
static void
close_conn_mt_by_procchg(ns_conn_mt_t *cm, int rc, char *errmsg)
{
	ns_conn_mgmt_t	*cmg;
	int		free_cm = 0;
	ns_ldap_error_t	*ep;

	if (cm == NULL)
		return;
	cmg = cm->conn_mgmt;

	ep = (ns_ldap_error_t *)calloc(1, sizeof (*ep));
	if (ep != NULL) {
		ep->status = rc;
		if (errmsg != NULL)
			ep->message =  strdup(errmsg); /* OK if returns NULL */
	}

	(void) mutex_lock(&cmg->lock);
	(void) mutex_lock(&cm->lock);

	/* close the MT connection if possible */
	free_cm = close_conn_mt(cm, LDAP_SERVER_DOWN, &ep, NULL);
	if (free_cm == -1) { /* error case */
		(void) mutex_unlock(&cm->lock);
		(void) mutex_unlock(&cmg->lock);
		return;
	}
	(void) __ns_ldap_freeError(&ep);

	NS_CONN_UNLOCK_AND_FREE(free_cm, cm, cmg);
}

/*
 * Close an MT connection when there is a better server to connect to.
 * Mark the connection as to-be-closed-when-no-one-using so that
 * any outstanding ldap operations can run to completion.
 * Assume that both the conn_mt and conn_mgmt are locked.
 * Return 1 if the conn_mt should be freed.
 */
static int
close_conn_mt_when_nouser(ns_conn_mt_t *cm)
{
	int		free_cm = 0;

	if (cm->cu_cnt == 0) {
		del_cm4cmg(cm, cm->conn_mgmt);
		free_cm = 1;
	} else {
		cm->close_when_nouser = B_TRUE;
	}

	return (free_cm);
}

/*
 * Retrieve the configured preferred server list.
 * This function locked the conn_mgmt and does not
 * unlock at exit.
 */
static void
get_preferred_servers(boolean_t lock, boolean_t reload, ns_conn_mgmt_t *cmg)
{
	ns_ldap_error_t *errorp = NULL;
	void		**pservers = NULL;

	if (lock == B_TRUE)
		(void) mutex_lock(&cmg->lock);

	/* if already done, and no reload, then return */
	if (cmg->pservers_loaded == B_TRUE && reload == B_FALSE)
		return;

	if (cmg->pservers != NULL) {
		(void) __ns_ldap_freeParam((void ***)&cmg->pservers);
		cmg->pservers = NULL;
	}

	if (__ns_ldap_getParam(NS_LDAP_SERVER_PREF_P,
	    &pservers, &errorp) == NS_LDAP_SUCCESS) {
		cmg->pservers = (char **)pservers;
		cmg->pservers_loaded = B_TRUE;
	} else {
		(void) __ns_ldap_freeError(&errorp);
		(void) __ns_ldap_freeParam(&pservers);
	}
}

/*
 * This function handles the config or server status change notification
 * from the ldap_cachemgr.
 */
static ns_conn_mgmt_t *
proc_server_change(ns_server_status_change_t *chg, ns_conn_mgmt_t  *cmg)
{
	int		cnt, i, j, k, n;
	boolean_t	loop = B_TRUE;
	boolean_t	cmg_locked = B_FALSE;
	char 		*s;
	ns_conn_mt_t	*cm;
	ns_conn_mgmt_t	*ocmg;

	/* if config changed, reload the configuration */
	if (chg->config_changed == B_TRUE) {
		/* reload the conn_mgmt and Native LDAP config */
		ocmg = access_conn_mgmt(NS_CONN_MGMT_OP_RELOAD_CONFIG);
		shutdown_all_conn_mt(ocmg);
		/* release the one obtained from access_conn_mgmt(RELOAD) */
		(void) release_conn_mgmt(ocmg, B_FALSE);
		/* release the one obtained when ocmg was created */
		(void) release_conn_mgmt(ocmg, B_FALSE);
		return (ocmg);
	}

	if ((cnt = chg->num_server) == 0)
		return (cmg);

	/* handle down servers first */
	for (i = 0; i < cnt; i++) {

		if (chg->changes[i] != NS_SERVER_DOWN)
			continue;
		s = chg->servers[i];

		/*
		 * look for a CONNECTED MT connection using
		 * the same server s, and close it
		 */
		while (loop) {
			if (cmg_locked == B_FALSE) {
				(void) mutex_lock(&cmg->lock);
				cmg_locked = B_TRUE;
			}
			for (cm = cmg->cm_head; cm; cm = cm->next) {
				(void) mutex_lock(&cm->lock);

				if (cm->state == NS_CONN_MT_CONNECTED &&
				    cm->conn != NULL &&
				    strcasecmp(cm->conn->serverAddr, s) == 0) {
					(void) mutex_unlock(&cm->lock);
					break;
				}

				(void) mutex_unlock(&cm->lock);
			}
			if (cm != NULL) {
				(void) mutex_unlock(&cmg->lock);
				cmg_locked = B_FALSE;
				close_conn_mt_by_procchg(cm, LDAP_SERVER_DOWN,
				    NS_CONN_MSG_DOWN_FROM_CACHEMGR);
				/*
				 * Process the next cm using server s.
				 * Start from the head of the cm linked
				 * list again, as the cm list may change
				 * after close_conn_mt_by_procchg() is done.
				 */
				continue;
			}

			/*
			 * No (more) MT connection using the down server s.
			 * Process the next server on the list.
			 */
			break;
		} /* while loop */
	}

	/*
	 * Next handle servers whose status changed to up.
	 * Get the preferred server list first if not done yet.
	 * get_preferred_servers() leaves conn_mgmt locked.
	 */
	get_preferred_servers(cmg_locked == B_FALSE ? B_TRUE : B_FALSE,
	    B_FALSE, cmg);
	cmg_locked = B_TRUE;
	/*
	 * if no preferred server configured, we don't switch MT connection
	 * to a more preferred server (i.e., fallback), so just return
	 */
	if (cmg->pservers == NULL) {
		(void) mutex_unlock(&cmg->lock);
		return (cmg);
	}

	/* for each server that is up now */
	for (i = 0; i < cnt; i++) {
		if (chg->changes[i] != NS_SERVER_UP)
			continue;
		s = chg->servers[i];

		/*
		 * look for a CONNECTED MT connection which uses
		 * a server less preferred than s, and treat it
		 * as 'fallback needed' by calling
		 * close_conn_mt_when_nouser()
		 */
		k = -1;
		loop = B_TRUE;
		while (loop) {
			if (cmg_locked == B_FALSE) {
				(void) mutex_lock(&cmg->lock);
				cmg_locked = B_TRUE;
			}

			/* Is s a preferred server ? */
			if (k == -1) {
				for (j = 0; cmg->pservers[j] != NULL; j++) {
					if (strcasecmp(cmg->pservers[j],
					    s) == 0) {
						k = j;
						break;
					}
				}
			}
			/* skip s if not a preferred server */
			if (k == -1) {
				break;
			}

			/* check each MT connection */
			for (cm = cmg->cm_head; cm; cm = cm->next) {
				(void) mutex_lock(&cm->lock);
				/*
				 * Find an MT connection that is connected and
				 * not marked, but leave WRITE or REFERRAL
				 * connections alone, since fallback does not
				 * make sense for them.
				 */
				if (cm->state == NS_CONN_MT_CONNECTED &&
				    cm->close_when_nouser == B_FALSE &&
				    cm->conn != NULL && cm->opened_for !=
				    NS_CONN_USER_WRITE &&
				    cm->referral == B_FALSE) {
					n = -1;
					/*
					 * j < k ??? should we close
					 * an active MT that is using s ?
					 * ie could s went down and up
					 * again, but cm is bound prior to
					 * the down ? Play safe here,
					 * and check j <= k.
					 */
					for (j = 0; j <= k; j++) {
						if (strcasecmp(
						    cm->conn->serverAddr,
						    cmg->pservers[j]) == 0) {
							n = j;
							break;
						}
					}
					/*
					 * s is preferred, if its location
					 * in the preferred server list is
					 * ahead of that of the server
					 * used by the cm (i.e., no match
					 * found before s)
					 */
					if (n == -1) { /* s is preferred */
						int fr = 0;
						fr = close_conn_mt_when_nouser(
						    cm);
						NS_CONN_UNLOCK_AND_FREE(fr,
						    cm, cmg);
						cmg_locked = B_FALSE;
						/*
						 * break, not continue,
						 * because we need to
						 * check the entire cm
						 * list again. The call
						 * above may change the
						 * cm list.
						 */
						break;
					}
				}
				(void) mutex_unlock(&cm->lock);
			}
			/* if no (more) cm using s, check next server */
			if (cm == NULL)
				loop = B_FALSE;
		} /* while loop */
	}
	if (cmg_locked == B_TRUE)
		(void) mutex_unlock(&cmg->lock);
	return (cmg);
}

/* Shut down all MT connection managed by the connection management */
void
shutdown_all_conn_mt(ns_conn_mgmt_t  *cmg)
{
	ns_ldap_error_t	*ep;
	ns_conn_mt_t	*cm;
	int		free_cm = 0;
	boolean_t	done = B_FALSE;

	ep = (ns_ldap_error_t *)calloc(1, sizeof (*ep));
	if (ep != NULL) { /* if NULL, not a problem */
		/* OK if returns NULL */
		ep->message = strdup(NS_CONN_MSG_SHUTDOWN_RELOADED);
	}

	(void) mutex_lock(&cmg->lock);
	while (cmg->cm_head != NULL && done == B_FALSE) {
		for (cm = cmg->cm_head; cm; cm = cm->next) {
			(void) mutex_lock(&cm->lock);
			if (cm->next == NULL)
				done = B_TRUE;
			/* shut down each conn_mt, ignore errors */
			free_cm = close_conn_mt(cm, LDAP_OTHER, &ep, NULL);
			(void) mutex_unlock(&cm->lock);
			if (free_cm == 1) {
				(void) free_conn_mt(cm, 0);
				/*
				 * conn_mt may change, so start from
				 * top of list again
				 */
				break;
			}
		}
	}
	(void) mutex_unlock(&cmg->lock);
	(void) __ns_ldap_freeError(&ep);
}

/* free all the resources used by the connection management */
void
__s_api_shutdown_conn_mgmt()
{
	ns_conn_mgmt_t	*cmg;

	cmg = access_conn_mgmt(NS_CONN_MGMT_OP_SHUTDOWN);
	if (cmg == NULL) /* already being SHUT done */
		return;

	(void) shutdown_all_conn_mt(cmg);
	(void) release_conn_mgmt(cmg, B_FALSE);

	/* then destroy the conn_mgmt */
	(void) release_conn_mgmt(cmg, B_FALSE);
}


/*
 * reinitialize the libsldap connection management after
 * receiving a new native LDAP configuration from ldap_cachemgr
 */
void
__s_api_reinit_conn_mgmt_new_config(ns_config_t *new_cfg)
{
	ns_conn_mgmt_t	*cmg;
	ns_conn_mgmt_t	*ocmg;

	cmg = access_conn_mgmt(NS_CONN_MGMT_OP_REF);
	if (cmg == NULL)
		return;
	if (cmg->config == new_cfg || cmg->state == NS_CONN_MGMT_DETACHED) {
		(void) release_conn_mgmt(cmg, B_FALSE);
		return;
	}

	/* reload the conn_mgmt and native LDAP config */
	ocmg = access_conn_mgmt(NS_CONN_MGMT_OP_NEW_CONFIG);
	if (ocmg == cmg)
		shutdown_all_conn_mt(ocmg);
	/* release the one obtained from access_conn_mgmt(RELOAD) */
	(void) release_conn_mgmt(ocmg, B_FALSE);
	/* release the one obtained when ocmg was created */
	(void) release_conn_mgmt(ocmg, B_FALSE);
	/* release the one obtained when this function is entered */
	(void) release_conn_mgmt(cmg, B_FALSE);
}

/*
 * Prepare to retry ldap search operation if needed.
 * Return 1 if retry is needed, otherwise 0.
 * If first time in, return 1. If not, return 1 if:
 * - not a NS_CONN_USER_GETENT conn_user AND
 * - have not retried 3 times yet AND
 * - previous search failed AND
 * - the retry flag is set in the ns_conn_user_t or config was reloaded
 */
int
__s_api_setup_retry_search(ns_conn_user_t **conn_user,
	ns_conn_user_type_t type, int *try_cnt, int *rc,
	ns_ldap_error_t **errorp)
{
	boolean_t	retry;
	ns_conn_user_t	*cu = *conn_user;
	ns_conn_mgmt_t	*cmg;

	if (*try_cnt > 0 && cu != NULL) {
		/*
		 * if called from firstEntry(), keep conn_mt for
		 * the subsequent getnext requests
		 */
		if (cu->type == NS_CONN_USER_GETENT && *rc == NS_LDAP_SUCCESS)
			return (0);
		cmg = cu->conn_mgmt;
		retry = cu->retry;
		if (cu->conn_mt != NULL)
			__s_api_conn_mt_return(cu);
		if (cmg != NULL && cmg->cfg_reloaded == B_TRUE)
			retry = B_TRUE;
		__s_api_conn_user_free(cu);
		*conn_user = NULL;

		if (*rc == NS_LDAP_SUCCESS || retry != B_TRUE)
			return (0);
	}

	*try_cnt = *try_cnt + 1;
	if (*try_cnt > NS_LIST_TRY_MAX)
		return (0);

	*conn_user = __s_api_conn_user_init(type, NULL, B_FALSE);
	if (*conn_user == NULL) {
		if (*try_cnt == 1) { /* first call before any retry */
			*rc = NS_LDAP_MEMORY;
			*errorp = NULL;
		}
		/* for 1+ try, use previous rc and errorp */
		return (0);
	}

	/* free ldap_error_t from previous search */
	if (*try_cnt > 1 && rc != NS_LDAP_SUCCESS && *errorp != NULL)
		(void) __ns_ldap_freeError(errorp);

	return (1);
}

/* prepare to get the next entry for an enumeration */
int
__s_api_setup_getnext(ns_conn_user_t *cu, int *ns_err,
	ns_ldap_error_t **errorp)
{
	int rc;
	ns_conn_mgmt_t	*cmg;

	/*
	 * if using an MT connection, ensure the thread-specific data are set,
	 * but if the MT connection is no longer good, return the error saved.
	 */
	if (cu->conn_mt != NULL && (cmg = cu->conn_mgmt) != NULL) {

		if (cu->bad_mt_conn ==  B_TRUE) {
			__s_api_conn_mt_close(cu, 0, NULL);
			*ns_err = cu->ns_rc;
			*errorp = cu->ns_error;
			cu->ns_error = NULL;
			return (*ns_err);
		}

		rc = conn_tsd_check(cmg);
		if (rc != NS_LDAP_SUCCESS) {
			*errorp = NULL;
			return (rc);
		}
	}

	return (NS_LDAP_SUCCESS);
}

/* wait for an MT connection to become available */
static int
conn_wait(ns_conn_mt_t *conn_mt, ns_conn_user_t *conn_user)
{
	ns_conn_waiter_t	mywait;
	ns_conn_waiter_t	*head = &conn_mt->waiter;

	(void) cond_init(&(mywait.waitcv), USYNC_THREAD, 0);
	mywait.key = conn_user;
	mywait.signaled = 0;
	mywait.next = head->next;
	mywait.prev = head;
	if (mywait.next)
		mywait.next->prev = &mywait;
	head->next = &mywait;
	atomic_inc_uint(&conn_mt->waiter_cnt);

	while (!mywait.signaled)
		(void) cond_wait(&(mywait.waitcv), &conn_mt->lock);
	if (mywait.prev)
		mywait.prev->next = mywait.next;
	if (mywait.next)
		mywait.next->prev = mywait.prev;
	return (0);
}

/* signal that an MT connection is now available */
static int
conn_signal(ns_conn_mt_t *conn_mt)
{
	int			c = 0;
	ns_conn_waiter_t	*head = &conn_mt->waiter;
	ns_conn_waiter_t	*tmp = head->next;

	while (tmp) {
		(void) cond_signal(&(tmp->waitcv));
		tmp->signaled = 1;
		atomic_dec_uint(&conn_mt->waiter_cnt);
		c++;
		tmp = tmp->next;
	}

	return (c);
}

/*
 * wait and process the server status and/or config change notification
 * from ldap_cachemgr
 */
static void *
get_server_change(void *arg)
{
	union {
		ldap_data_t	s_d;
		char		s_b[DOORBUFFERSIZE];
	} space;
	ldap_data_t	*sptr = &space.s_d;
	int		ndata;
	int		adata;
	char		*ptr;
	int		ds_cnt;
	int		door_rc;
	int		which;
	int		retry = 0;
	boolean_t	loop = B_TRUE;
	char		*c, *oc;
	int		dslen = strlen(DOORLINESEP);
	char		dsep = DOORLINESEP_CHR;
	char		chg_data[DOORBUFFERSIZE];
	char		**servers = NULL;
	boolean_t	getchg_not_supported = B_FALSE;
	ns_conn_mgmt_t	*ocmg = (ns_conn_mgmt_t *)arg;
	ns_conn_mgmt_t	*cmg;
	ns_server_status_t *status = NULL;
	ns_server_status_change_t chg = { 0 };
	ldap_get_change_out_t *get_chg;
	ldap_get_chg_cookie_t cookie;
	ldap_get_chg_cookie_t new_cookie;

	cmg = access_conn_mgmt(NS_CONN_MGMT_OP_REF);
	if (cmg != ocmg)
		thr_exit(NULL);
	/* cmg is locked before called */
	cmg->procchg_tid = thr_self();

	/* make sure the thread specific data are set */
	(void) conn_tsd_setup(cmg);
	cookie = cmg->cfg_cookie;

	while (loop) {

		if (chg.servers != NULL)
			free(chg.servers);
		if (chg.changes != NULL)
			free(chg.changes);
		if (sptr != &space.s_d)
			(void) munmap((char *)sptr, sizeof (space));

		/*
		 * If the attached conn_mgmt has been deleted,
		 * then exit. The new conn_mgmt will starts it
		 * own monitor thread later. If libsldap is being
		 * unloaded or configuration reloaded, OR
		 * ldap_cachemgr rejected the GETSTATUSCHANGE door
		 * call, then exit as well.
		 */
		if (cmg == NULL || cmg->state == NS_CONN_MGMT_DETACHED ||
		    getchg_not_supported == B_TRUE) {

			if (cmg != NULL) {
				cmg->procchg_started = B_FALSE;
				(void) release_conn_mgmt(cmg, B_FALSE);
			}

			conn_tsd_free();
			thr_exit(NULL);
		}

		(void) memset(space.s_b, 0, DOORBUFFERSIZE);
		(void) memset(&chg, 0, sizeof (chg));
		adata = sizeof (ldap_call_t) + 1;
		ndata = sizeof (space);
		space.s_d.ldap_call.ldap_callnumber = GETSTATUSCHANGE;
		space.s_d.ldap_call.ldap_u.get_change.op =
		    NS_STATUS_CHANGE_OP_START;
		space.s_d.ldap_call.ldap_u.get_change.cookie = cookie;
		sptr = &space.s_d;
		door_rc = __ns_ldap_trydoorcall_getfd();
		cmg->procchg_door_call = B_TRUE;
		if (release_conn_mgmt(cmg, B_FALSE) == NULL) {
			conn_tsd_free();
			thr_exit(NULL);
		}

		if (door_rc == NS_CACHE_SUCCESS)
			door_rc = __ns_ldap_trydoorcall_send(&sptr, &ndata,
			    &adata);

		/*
		 * Check and see if the conn_mgmt is still current.
		 * If not, no need to continue.
		 */
		cmg = access_conn_mgmt(NS_CONN_MGMT_OP_REF);
		if (cmg != NULL)
			cmg->procchg_door_call = B_FALSE;
		if (cmg != ocmg) {
			if (cmg != NULL) {
				cmg->procchg_started = B_FALSE;
				(void) release_conn_mgmt(cmg, B_FALSE);
			}
			conn_tsd_free();
			thr_exit(NULL);
		}

		if (door_rc != NS_CACHE_SUCCESS) {
			if (door_rc == NS_CACHE_NOSERVER) {
				if (retry++ > 10)
					getchg_not_supported = B_TRUE;
				else {
					/*
					 * ldap_cachemgr may be down, give
					 * it time to restart
					 */
					(void) sleep(2);
				}
			} else if (door_rc == NS_CACHE_NOTFOUND)
				getchg_not_supported = B_TRUE;
			continue;
		} else
			retry = 0;

		/* copy info from door call return structure */
		get_chg =  &sptr->ldap_ret.ldap_u.changes;
		ptr = get_chg->data;
		/* configuration change ? */
		if (get_chg->type == NS_STATUS_CHANGE_TYPE_CONFIG) {
			chg.config_changed = B_TRUE;
			cmg = proc_server_change(&chg, cmg);
			continue;
		}

		/* server status changes ? */
		if (get_chg->type == NS_STATUS_CHANGE_TYPE_SERVER) {
			/*
			 * first check cookies, if don't match, config
			 * has changed
			 */
			new_cookie = get_chg->cookie;
			if (new_cookie.mgr_pid != cookie.mgr_pid ||
			    new_cookie.seq_num != cookie.seq_num) {
				chg.config_changed = B_TRUE;
				cmg = proc_server_change(&chg, cmg);
				continue;
			}

			(void) strlcpy(chg_data, ptr, sizeof (chg_data));
			chg.num_server = get_chg->server_count;

			servers = (char **)calloc(chg.num_server,
			    sizeof (char *));
			if (servers == NULL) {
				syslog(LOG_INFO, NS_CONN_MSG_MEMORY_ERROR);
				continue;
			}
			status = (ns_server_status_t *)calloc(chg.num_server,
			    sizeof (int));
			if (status == NULL) {
				syslog(LOG_INFO, NS_CONN_MSG_MEMORY_ERROR);
				free(servers);
				continue;
			}
			ds_cnt = 0;
			which = 0;
			oc = ptr;
			for (c = ptr; which != 2; c++) {
				/* look for DOORLINESEP or end of string */
				if (*c != dsep && *c != '\0')
					continue;
				if (*c == dsep) { /* DOORLINESEP */
					*c = '\0'; /* current value */
					c += dslen; /* skip to next value */
				}
				if (which == 0) { /* get server info */
					servers[ds_cnt] = oc;
					oc = c;
					which = 1; /* get status next */
					continue;
				}
				/* which == 1, get up/down status */
				if (strcmp(NS_SERVER_CHANGE_UP, oc) == 0) {
					status[ds_cnt] = NS_SERVER_UP;
				} else if (strcmp(NS_SERVER_CHANGE_DOWN,
				    oc) == 0)
					status[ds_cnt] = NS_SERVER_DOWN;
				else {
					syslog(LOG_INFO,
					    NS_CONN_MSG_BAD_CACHEMGR_DATA);
					continue;
				}
				oc = c;
				ds_cnt++;
				if (*c == '\0')
					which = 2; /* exit the loop */
				else
					which = 0; /* get server info next */
			}
			chg.servers = servers;
			chg.changes = status;
			cmg = proc_server_change(&chg, cmg);
			continue;
		}
	}

	return (NULL);
}

/* start the thread handling the change notification from ldap_cachemgr */
static void
start_thread(ns_conn_mgmt_t *cmg) {

	int		errnum;

	/*
	 * start a thread to get and process config and server status changes
	 */
	if (thr_create(NULL, NULL, get_server_change,
	    (void *)cmg, THR_DETACHED, NULL) != 0) {
		errnum = errno;
		syslog(LOG_WARNING, NS_CONN_MSG_NO_PROCCHG_THREAD,
		    strerror(errnum));
	}
}