xref: /titanic_41/usr/src/cmd/nscd/nscd_switch.c (revision 4f4499478f0aa55fc93bcd8030ba3d128663ae70)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright 2012 Milan Jurik. All rights reserved.
26  */
27 
28 #include <stdlib.h>	/* getenv() */
29 #include <assert.h>
30 #include <unistd.h>
31 #include <string.h>
32 #include <pthread.h>
33 #include <dlfcn.h>
34 #include <nss_dbdefs.h>
35 #include <exec_attr.h>
36 #include <gssapi/gssapi.h>
37 #include "nscd_door.h"
38 #include "nscd_switch.h"
39 #include "nscd_log.h"
40 #include "nscd_frontend.h"
41 
42 #pragma weak nss_search = _nss_search
43 #define	nss_search	_nss_search
44 
45 extern rwlock_t nscd_smf_service_state_lock;
46 
47 /* nscd id: main, forker, or child */
48 extern int _whoami;
49 
50 static int
51 retry_test(nss_status_t res, int n, struct __nsw_lookup_v1 *lkp)
52 {
53 	if (res != NSS_TRYAGAIN && res !=  NSS_NISSERVDNS_TRYAGAIN) {
54 		if (res == NSS_SUCCESS) {
55 			__NSW_UNPAUSE_ACTION(lkp->actions[__NSW_TRYAGAIN]);
56 			__NSW_UNPAUSE_ACTION(
57 			    lkp->actions[__NSW_NISSERVDNS_TRYAGAIN]);
58 		}
59 		return (0);
60 	}
61 
62 	if ((res == NSS_TRYAGAIN &&
63 	    lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_FOREVER) ||
64 	    (res == NSS_NISSERVDNS_TRYAGAIN &&
65 	    lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] == __NSW_TRYAGAIN_FOREVER))
66 		return (1);
67 
68 	if (res == NSS_TRYAGAIN &&
69 	    lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES)
70 		if (n <= lkp->max_retries)
71 			return (1);
72 		else {
73 			lkp->actions[__NSW_TRYAGAIN] = __NSW_TRYAGAIN_PAUSED;
74 			return (0);
75 		}
76 
77 	if (res == NSS_NISSERVDNS_TRYAGAIN &&
78 	    lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES)
79 		if (n <= lkp->max_retries)
80 			return (1);
81 		else {
82 			lkp->actions[__NSW_NISSERVDNS_TRYAGAIN] =
83 			    __NSW_TRYAGAIN_PAUSED;
84 			return (0);
85 		}
86 
87 	return (0);
88 }
89 
90 static thread_key_t loopback_key = THR_ONCE_KEY;
91 typedef struct lb_key {
92 	int		srci;
93 	int		dbi;
94 	int		fnum;
95 	int		*lb_flagp;
96 } lb_key_t;
97 
98 static int
99 set_loopback_key(lb_key_t *key) {
100 
101 	int		rc;
102 
103 	rc = thr_keycreate_once(&loopback_key, NULL);
104 	/* set key if not already set */
105 	if (rc == 0 && pthread_getspecific(loopback_key) == NULL)
106 		rc = thr_setspecific(loopback_key, key);
107 
108 	return (rc);
109 }
110 
111 static lb_key_t *
112 get_loopback_key(void) {
113 
114 	char		*me = "get_loopback_key";
115 	lb_key_t	*k = NULL;
116 
117 	k = pthread_getspecific(loopback_key);
118 
119 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
120 	(me, "get loopback key, key = %p\n", k);
121 
122 	return (k);
123 }
124 
125 static void
126 clear_loopback_key(lb_key_t *key) {
127 
128 	char		*me = "clear_loopback_key";
129 
130 	if (loopback_key != THR_ONCE_KEY && key != NULL) {
131 		/*
132 		 * key->lb_flagp points to the location of the
133 		 * flag, check_flag, in the stack where it was
134 		 * first set; clearing the flag tells that
135 		 * stack the loopback error has been resolved
136 		 */
137 		*key->lb_flagp = 0;
138 		(void) thr_setspecific(loopback_key, NULL);
139 	}
140 
141 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
142 	(me, "key %p cleared\n", key);
143 }
144 
145 static thread_key_t initf_key = THR_ONCE_KEY;
146 
147 static int
148 set_initf_key(void *pbuf) {
149 
150 	int		rc;
151 
152 	rc = thr_keycreate_once(&initf_key, NULL);
153 	if (rc == 0)
154 		rc = thr_setspecific(initf_key, pbuf);
155 
156 	return (rc);
157 }
158 
159 static void *
160 get_initf_key(void) {
161 
162 	char		*me = "get_initf_key";
163 	void		*pbuf;
164 
165 	pbuf = pthread_getspecific(initf_key);
166 
167 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
168 	(me, "got initf pbuf, key = %p\n", pbuf);
169 
170 	return (pbuf);
171 }
172 
173 static void
174 clear_initf_key(void) {
175 
176 	char		*me = "clear_initf_key";
177 
178 	(void) thr_setspecific(initf_key, NULL);
179 
180 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
181 	(me, "initf pbuf cleared\n");
182 }
183 
184 /*
185  * Call the input initf function to extract the
186  * NSS front end parameters and examine them to
187  * determine if an NSS lookup is to be performed
188  * on a regular or a pseudo (called from compat
189  * backend) database. Then set the necessary
190  * parameters for later data structures creation
191  * and processing.
192  */
193 static nscd_rc_t
194 getparams(
195 	int			search_fnum,
196 	nss_db_initf_t		initf,
197 	nscd_nsw_params_t	*params)
198 {
199 
200 	nscd_rc_t	rc = NSCD_SUCCESS;
201 	nss_db_params_t	*p;
202 	int		j;
203 	char		*dbn;
204 	const char	*n;
205 	char		*me = "getparams";
206 
207 	p = &params->p;
208 	(void) memset(params, 0, sizeof (nscd_nsw_params_t));
209 	(*initf)(p);
210 	params->dbi = -1;
211 	params->cfgdbi = -1;
212 	params->compati = -1;
213 	params->dnsi = -1;
214 
215 	/* map database name to index */
216 	n = p->name;
217 	for (j = 0; j < NSCD_NUM_DB; j++) {
218 		dbn = NSCD_NSW_DB_NAME(j);
219 		if (*n != *dbn)
220 			continue;
221 		if (strcmp(n, dbn) == 0) {
222 			params->dbi = j;
223 			if (*n != 'h' && *n != 'i' && *n != 's' && *n != 'a')
224 				break;
225 			if (strcmp(n, NSS_DBNAM_HOSTS) == 0 &&
226 			    search_fnum == NSS_DBOP_HOSTS_BYNAME)
227 				params->dnsi = 0;
228 			else if (strcmp(n, NSS_DBNAM_IPNODES) == 0 &&
229 			    search_fnum == NSS_DBOP_IPNODES_BYNAME)
230 				params->dnsi = 1;
231 			else if (strcmp(n, NSS_DBNAM_SHADOW) == 0)
232 				params->privdb = 1;
233 			break;
234 		}
235 	}
236 
237 	/*
238 	 * use the switch policy for passwd_compat or
239 	 * group_compat?
240 	 */
241 	if (p->config_name != NULL) {
242 		n = p->config_name;
243 		for (j = 0; j < NSCD_NUM_DB; j++) {
244 			dbn = NSCD_NSW_DB_NAME(j);
245 			if (*n == *dbn) {
246 				if (strcmp(n, dbn) == 0) {
247 					params->cfgdbi = j;
248 					break;
249 				}
250 			}
251 		}
252 	}
253 
254 	/* map the database name to the pseudo database index */
255 	if (params->cfgdbi != -1) {
256 		if (strstr(p->config_name, "_compat") != NULL) {
257 			n = p->name;
258 			for (j = params->cfgdbi; j < NSCD_NUM_DB; j++) {
259 				dbn = NSCD_NSW_DB_NAME(j);
260 				if (*n == *dbn) {
261 					if (strcmp(n, dbn) == 0) {
262 						params->compati = j;
263 						break;
264 					}
265 				}
266 			}
267 		}
268 	}
269 
270 	/*
271 	 * if unsupported database, let caller determine what to do next
272 	 */
273 	if (params->dbi == -1) {
274 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
275 		(me, "unsupported database: %s\n", p->name);
276 		return (NSCD_CFG_UNSUPPORTED_SWITCH_DB);
277 	}
278 
279 	return (rc);
280 }
281 
282 static void
283 nscd_initf(nss_db_params_t	*p)
284 {
285 	nss_pheader_t		*pbuf;
286 	nssuint_t		off;
287 	nss_dbd_t		*pdbd;
288 	char			*me = "nscd_initf";
289 
290 	pbuf = (nss_pheader_t *)get_initf_key();
291 	if (pbuf == NULL) {
292 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
293 		(me, "ERROR: initf key not set\n");
294 		return;
295 	}
296 
297 	if (pbuf->dbd_len <= sizeof (nss_dbd_t)) {
298 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
299 		(me, "invalid db front params data ? dbd_len = %d\n",
300 		    pbuf->dbd_len);
301 		return;
302 	}
303 
304 	off = pbuf->dbd_off;
305 	pdbd = (nss_dbd_t *)((void *)((char *)pbuf + off));
306 
307 	p->name = (char *)pdbd + pdbd->o_name;
308 	p->config_name = (char *)pdbd + pdbd->o_config_name;
309 	p->default_config = (char *)pdbd + pdbd->o_default_config;
310 	p->flags = (enum nss_dbp_flags)pdbd->flags;
311 	(void) memcpy(&p->private, &pbuf->nscdpriv, sizeof (p->private));
312 
313 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
314 	(me, "db frontend params: name =%s, config_name = %s, "
315 	"default_config = %s, flags = %x\n", p->name,
316 	    (p->config_name && *p->config_name != '\0' ?
317 	    p->config_name : "<NOT SPECIFIED>"),
318 	    (p->default_config && *p->default_config != '\0' ?
319 	    p->default_config : "<NOT SPECIFIED>"),
320 	    p->flags);
321 }
322 
323 
324 static void
325 trace_result(
326 	int		dbi,
327 	int		srci,
328 	int		op,
329 	nss_status_t	res,
330 	nss_XbyY_args_t	*arg)
331 {
332 	char	*res_str;
333 	char	*src = "?";
334 	char	*db = "?";
335 	char	*data_str = "<NOT STRING FORMAT>";
336 	int	data_len = 0;
337 	char	*me = "trace_result";
338 
339 	switch (res) {
340 	case NSS_SUCCESS:
341 		res_str = "NSS_SUCCESS";
342 		break;
343 	case NSS_NOTFOUND:
344 		res_str = "NSS_NOTFOUND";
345 		break;
346 	case NSS_UNAVAIL:
347 		res_str = "NSS_UNAVAIL";
348 		break;
349 	case NSS_TRYAGAIN:
350 		res_str = "NSS_TRYAGAIN";
351 		break;
352 	case NSS_NISSERVDNS_TRYAGAIN:
353 		res_str = "NSS_NISSERVDNS_TRYAGAIN";
354 		break;
355 	default:
356 		res_str = "UNKNOWN STATUS";
357 		break;
358 	}
359 
360 	if (dbi != -1)
361 		db = NSCD_NSW_DB_NAME(dbi);
362 	if (srci != -1)
363 		src = NSCD_NSW_SRC_NAME(srci);
364 
365 	if (arg->buf.result == NULL) {
366 		data_str = arg->buf.buffer;
367 		data_len = arg->returnlen;
368 	}
369 
370 	if (res == NSS_SUCCESS) {
371 		_nscd_logit(me, "%s: database: %s, operation: %d, "
372 		    "source: %s returned >>%s<<, length = %d\n",
373 		    res_str, db, op, src, data_str, data_len);
374 		return;
375 	}
376 
377 	_nscd_logit(me, "%s: database: %s, operation: %d, source: %s, "
378 	    "erange= %d, herrno: %s (%d)\n",
379 	    res_str, db, op, src, arg->erange, hstrerror(arg->h_errno),
380 	    arg->h_errno);
381 }
382 
383 /*
384  * Determine if a request should be done locally in the getXbyY caller's
385  * process. Return none zero if yes, 0 otherwise. This should be called
386  * before the switch engine steps through the backends/sources.
387  * This function returns 1 if:
388  *   -- the database is exec_attr and the search_flag is GET_ALL
389  */
390 static int
391 try_local(
392 	int			dbi,
393 	void			*arg)
394 {
395 	struct nss_XbyY_args	*ap = (struct nss_XbyY_args *)arg;
396 	_priv_execattr		*ep;
397 	int			rc = 0;
398 	char			*me = "try_local";
399 
400 	if (strcmp(NSCD_NSW_DB_NAME(dbi), NSS_DBNAM_EXECATTR) == 0) {
401 		if ((ep = ap->key.attrp) != NULL && IS_GET_ALL(ep->search_flag))
402 			rc = 1;
403 	}
404 
405 	if (rc != 0) {
406 
407 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
408 		(me, "TRYLOCAL: exec_attr:GET_ALL\n");
409 	}
410 
411 	return (rc);
412 }
413 
414 /*
415  * Determine if a request should be done locally in the getXbyY caller's
416  * process. Return none zero if yes, 0 otherwise. This should be called
417  * before the switch engine invokes any backend.
418  * This function returns 1 if:
419  *   -- the database is shadow and the source is compat
420  */
421 static int
422 try_local2(
423 	int	dbi,
424 	int	srci)
425 {
426 	int	rc = 0;
427 	char	*me = "try_local2";
428 
429 	if (*NSCD_NSW_DB_NAME(dbi) == 's' &&
430 	    strcmp(NSCD_NSW_DB_NAME(dbi), NSS_DBNAM_SHADOW) == 0) {
431 		if (strcmp(NSCD_NSW_SRC_NAME(srci), "compat") == 0)
432 			rc = 1;
433 	}
434 
435 	if (rc != 0) {
436 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
437 		(me, "TRYLOCAL: database: shadow, source: %s\n",
438 		    NSCD_NSW_SRC_NAME(srci));
439 	}
440 
441 	return (rc);
442 }
443 
444 static nscd_rc_t
445 get_lib_func(void **handle, void **func, mutex_t *lock,
446 	char *lib, char *name, void **func_p)
447 {
448 	char	*me = "get_lib_func";
449 	void	*sym;
450 
451 	if (func_p != NULL && *handle != NULL && *func != NULL) {
452 		*func_p = *func;
453 		return (NSCD_SUCCESS);
454 	}
455 
456 	(void) mutex_lock(lock);
457 
458 	/* close the handle if requested */
459 	if (func_p == NULL) {
460 		if (*handle != NULL) {
461 			(void) dlclose(*handle);
462 			*handle = NULL;
463 			*func = NULL;
464 		}
465 		(void) mutex_unlock(lock);
466 		return (NSCD_SUCCESS);
467 	}
468 
469 	if (*handle != NULL && *func != NULL) {
470 		*func_p = *func;
471 		(void) mutex_unlock(lock);
472 		return (NSCD_SUCCESS);
473 	}
474 
475 	if (*handle == NULL) {
476 		*handle = dlopen(lib, RTLD_LAZY);
477 		if (*handle == NULL) {
478 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR)
479 			(me, "unable to dlopen %s\n", lib);
480 			(void) mutex_unlock(lock);
481 			return (NSCD_CFG_DLOPEN_ERROR);
482 		}
483 	}
484 
485 	if ((sym = dlsym(*handle, name)) == NULL) {
486 
487 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR)
488 		(me, "unable to find symbol %s:%s\n", lib, name);
489 		(void) mutex_unlock(lock);
490 		return (NSCD_CFG_DLSYM_ERROR);
491 	} else {
492 		*func_p = sym;
493 		*func = sym;
494 	}
495 
496 	(void) mutex_unlock(lock);
497 	return (NSCD_SUCCESS);
498 }
499 
500 static nscd_rc_t
501 get_libc_nss_search(void **func_p)
502 {
503 	static void	*handle = NULL;
504 	static void	*func = NULL;
505 	static mutex_t	lock = DEFAULTMUTEX;
506 
507 	return (get_lib_func(&handle, &func, &lock,
508 	    "libc.so", "nss_search", func_p));
509 }
510 
511 static nscd_rc_t
512 get_gss_func(void **func_p)
513 {
514 	static void	*handle = NULL;
515 	static void	*func = NULL;
516 	static mutex_t	lock = DEFAULTMUTEX;
517 
518 	return (get_lib_func(&handle, &func, &lock,
519 	    "libgss.so", "gss_inquire_cred", func_p));
520 }
521 
522 static nscd_rc_t
523 get_sldap_shadow_func(void **func_p)
524 {
525 	static void	*handle = NULL;
526 	static void	*func = NULL;
527 	static mutex_t	lock = DEFAULTMUTEX;
528 
529 	return (get_lib_func(&handle, &func, &lock,
530 	    "libsldap.so", "__ns_ldap_is_shadow_update_enabled",
531 	    func_p));
532 }
533 
534 /*
535  * get_dns_funcs returns pointers to gethostbyname functions in the
536  * dynamically loaded nss_dns & nss_mdns modules that return host
537  * lookup results along with the TTL value in the DNS resource
538  * records. The dnsi parameter indicates whether the lookup database
539  * is hosts(0) or ipnodes(1). The srcname parameter identifies the DNS
540  * module: dns/mdns and the function returns the address of the specific
541  * gethostbyname function in func_p variable.
542  */
543 static nscd_rc_t
544 get_dns_funcs(int dnsi, nss_status_t (**func_p)(), const char *srcname)
545 {
546 	int		si;
547 	void		**funcpp;
548 	static void	*handle[2] = { NULL, NULL };
549 	static mutex_t	func_lock[2] = { DEFAULTMUTEX, DEFAULTMUTEX };
550 	static void 	*func[2][2] = {{NULL, NULL}, {NULL, NULL}};
551 	static const char	*lib[2] = { "nss_dns.so.1", "nss_mdns.so.1" };
552 	static const char 	*func_name[2][2] =
553 		{{ "_nss_get_dns_hosts_name", "_nss_get_dns_ipnodes_name" },
554 		{ "_nss_get_mdns_hosts_name", "_nss_get_mdns_ipnodes_name" }};
555 
556 	/* source index: 0 = dns, 1 = mdns */
557 	if (strcmp(srcname, "dns") == 0)
558 		si = 0;
559 	else
560 		si = 1;
561 
562 	/*
563 	 * function index (func[si][dnsi]):
564 	 * [0,0] = dns/hosts, [0,1] = dns/ipnodes,
565 	 * [1,0] = mdns/hosts, [1,1] = mdns/ipnodes
566 	 */
567 
568 	if (dnsi < 0) { /* close handle */
569 		funcpp = NULL;
570 		(void) mutex_lock(&func_lock[si]);
571 		func[si][0] = NULL;
572 		func[si][1] = NULL;
573 		(void) mutex_unlock(&func_lock[si]);
574 	} else
575 		funcpp = (void **)func_p;
576 
577 	return (get_lib_func(&handle[si], &func[si][dnsi], &func_lock[si],
578 	    (char *)lib[si], (char *)func_name[si][dnsi], funcpp));
579 }
580 
581 static nss_status_t
582 search_dns_withttl(nscd_sw_return_t *swret, const char *srcname, int dnsi)
583 {
584 	nss_status_t	(*func)();
585 	nss_status_t	res = NSS_UNAVAIL;
586 	nscd_rc_t	rc;
587 
588 	swret->noarg = 0;
589 	if (strcmp(srcname, "dns") != 0 && strcmp(srcname, "mdns") != 0)
590 		return (NSS_ERROR);
591 
592 	rc = get_dns_funcs(dnsi, &func, srcname);
593 	if (rc == NSCD_SUCCESS) {
594 		/*
595 		 * data_len in the packed buf header may be changed
596 		 * by the dns or mdns backend, reset it just in
597 		 * case
598 		 */
599 		((nss_pheader_t *)swret->pbuf)->data_len =
600 		    swret->datalen;
601 		res = (func)(NULL, &swret->pbuf, &swret->pbufsiz);
602 	}
603 	return (res);
604 }
605 
606 /*
607  * Returns a flag to indicate if needs to fall back to the
608  * main nscd when a per-user lookup failed with rc NSS_NOTFOUND.
609  */
610 static int
611 set_fallback_flag(char *srcname, nss_status_t rc)
612 {
613 	char	*me = "set_fallback_flag";
614 	if (strcmp(srcname, "ldap") == 0 && rc == NSS_NOTFOUND) {
615 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
616 		(me, "NSS_NOTFOUND (ldap): fallback to main nscd "
617 		"may be needed\n");
618 		return (1);
619 	}
620 	return (0);
621 }
622 
623 nss_status_t
624 nss_search(nss_db_root_t *rootp, nss_db_initf_t initf, int search_fnum,
625 	void *search_args)
626 {
627 	char			*me = "nss_search";
628 	nss_status_t		res = NSS_UNAVAIL;
629 	nscd_nsw_state_t	*s = NULL;
630 	int			n_src;
631 	unsigned int		status_vec = 0;
632 	int			dbi, srci = -1;
633 	int			check_loopback = 0;
634 	int			state_thr = 0;
635 	lb_key_t		key, *k = NULL;
636 	nss_db_root_t		root_db;
637 	nscd_nsw_params_t	params;
638 	nscd_sw_return_t	*swret;
639 
640 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
641 	(me, "rootp = %p, initf = %p, search_fnum = %d, "
642 	    "search_args = %p\n", rootp, initf,
643 	    search_fnum, search_args);
644 
645 	NSCD_SW_STATS_G.lookup_request_received_g++;
646 	NSCD_SW_STATS_G.lookup_request_in_progress_g++;
647 	NSCD_SW_STATS_G.lookup_request_queued_g++;
648 
649 	/* determine db index, cfg db index, etc */
650 	if (getparams(search_fnum, initf, &params) ==
651 	    NSCD_CFG_UNSUPPORTED_SWITCH_DB) {
652 		/*
653 		 * if unsupported database and the request is from the
654 		 * the door, tell the door client to try it locally
655 		 */
656 		if (initf == nscd_initf) {
657 			res = NSS_TRYLOCAL;
658 			goto error_exit;
659 		} else { /* otherwise, let libc:nss_search() handle it */
660 			nss_status_t	(*func)();
661 
662 			if (get_libc_nss_search((void **)&func) ==
663 			    NSCD_SUCCESS)
664 				return ((func)(rootp, initf, search_fnum,
665 				    search_args));
666 			else
667 				goto error_exit;
668 		}
669 	}
670 	dbi = params.dbi;
671 
672 	/* get address of the switch engine return data area */
673 	if (initf == nscd_initf) {
674 		swret = (nscd_sw_return_t *)params.p.private;
675 		swret->srci = -1;
676 	} else {
677 		swret = NULL;
678 		params.dnsi = -1;
679 	}
680 
681 	/*
682 	 * for door request that should be processed by the client,
683 	 * send it back with status NSS_TRYLOCAL
684 	 */
685 	if (initf == nscd_initf && try_local(dbi, search_args) == 1) {
686 		res = NSS_TRYLOCAL;
687 		goto error_exit;
688 	}
689 
690 	NSCD_SW_STATS(dbi).lookup_request_received++;
691 	NSCD_SW_STATS(dbi).lookup_request_in_progress++;
692 	NSCD_SW_STATS(dbi).lookup_request_queued++;
693 
694 	/* if lookup not enabled, return NSS_UNAVAIL  */
695 	if (!(NSCD_SW_CFG_G.enable_lookup_g == nscd_true &&
696 	    NSCD_SW_CFG(dbi).enable_lookup == nscd_true)) {
697 
698 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
699 		(me, "lookup not enabled for %s\n", NSCD_NSW_DB_NAME(dbi));
700 
701 		goto error_exit;
702 	}
703 
704 	/* determine if loopback checking is configured */
705 	if (NSCD_SW_CFG_G.enable_loopback_checking_g == nscd_true &&
706 	    NSCD_SW_CFG(dbi).enable_loopback_checking == nscd_true) {
707 		check_loopback = 1;
708 
709 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
710 		(me, "loopback checking enabled for %s\n",
711 		    NSCD_NSW_DB_NAME(dbi));
712 	}
713 
714 	if (check_loopback) {
715 		k = get_loopback_key();
716 		if (k != NULL) {
717 			if (k->dbi != dbi || k->fnum != search_fnum) {
718 				clear_loopback_key(k);
719 				k = NULL;
720 			}
721 		}
722 	}
723 
724 	if (s == 0) {
725 		nscd_rc_t	rc;
726 
727 		if (check_loopback) {
728 			rc = _nscd_get_nsw_state_thread(&root_db, &params);
729 			state_thr = 1;
730 		} else
731 			rc = _nscd_get_nsw_state(&root_db, &params);
732 
733 		NSCD_SW_STATS_G.lookup_request_queued_g--;
734 		NSCD_SW_STATS(dbi).lookup_request_queued--;
735 
736 		if (rc != NSCD_SUCCESS)
737 				goto error_exit;
738 
739 		s = (nscd_nsw_state_t *)root_db.s;
740 	}
741 
742 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
743 	(me, "database = %s, config = >>%s<<\n", NSCD_NSW_DB_NAME(dbi),
744 	    (*s->nsw_cfg_p)->nsw_cfg_str);
745 
746 	for (n_src = 0;  n_src < s->max_src;  n_src++) {
747 		nss_backend_t		*be = NULL;
748 		nss_backend_op_t	funcp = NULL;
749 		struct __nsw_lookup_v1	*lkp;
750 		int			smf_state;
751 		int			n_loop = 0;
752 		int			max_retry = 10;
753 
754 		res = NSS_UNAVAIL;
755 
756 		if (n_src == 0)
757 			lkp = s->config->lookups;
758 		else
759 			lkp = lkp->next;
760 
761 		/* set the number of max. retries */
762 		if (lkp->actions[__NSW_TRYAGAIN] == __NSW_TRYAGAIN_NTIMES)
763 			max_retry = lkp->max_retries;
764 
765 		srci = (*s->nsw_cfg_p)->src_idx[n_src];
766 		if (swret != NULL)
767 			swret->srci = srci;
768 
769 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
770 		(me, "nsw source = %s\n", NSCD_NSW_SRC_NAME(srci));
771 
772 		/*
773 		 * If no privilege to look up, skip.
774 		 * 'files' requires PRIV_FILE_DAC_READ to read shadow(4) data,
775 		 * 'ldap' requires all zones privilege.
776 		 */
777 		if (params.privdb == 1 && swret != NULL) {
778 			boolean_t	(*is_shadow_update_enabled)();
779 			boolean_t	check_ldap_priv = B_FALSE;
780 
781 			if (strcmp(NSCD_NSW_SRC_NAME(srci), "ldap") == 0) {
782 				if (get_sldap_shadow_func(
783 				    (void **)&is_shadow_update_enabled) ==
784 				    NSCD_SUCCESS &&
785 				    is_shadow_update_enabled()) {
786 					check_ldap_priv = B_TRUE;
787 
788 					/*
789 					 * A peruser nscd doesn't have
790 					 * the privileges to lookup a
791 					 * private database, such as shadow,
792 					 * returns NSS_ALTRETRY to have the
793 					 * main nscd do the job.
794 					 */
795 					if (_whoami == NSCD_CHILD) {
796 						res = NSS_ALTRETRY;
797 						goto free_nsw_state;
798 					}
799 				}
800 			}
801 
802 			if ((strcmp(NSCD_NSW_SRC_NAME(srci), "files") == 0 &&
803 			    _nscd_check_client_priv(NSCD_READ_PRIV) != 0) ||
804 			    (check_ldap_priv &&
805 			    _nscd_check_client_priv(NSCD_ALL_PRIV) != 0)) {
806 				_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
807 				    NSCD_LOG_LEVEL_DEBUG)
808 				(me, "no privilege to look up, skip source\n");
809 
810 				goto next_src;
811 			}
812 		}
813 
814 		/* get state of the (backend) client service */
815 		smf_state = _nscd_get_smf_state(srci, dbi, 0);
816 
817 		/* stop if the source is one that should be TRYLOCAL */
818 		if (initf == nscd_initf &&	/* request is from the door */
819 		    (smf_state == NSCD_SVC_STATE_UNSUPPORTED_SRC ||
820 		    (smf_state == NSCD_SVC_STATE_FOREIGN_SRC &&
821 		    s->be_version_p[n_src] == NULL) ||
822 		    (params.privdb && try_local2(dbi, srci) == 1))) {
823 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
824 			(me, "returning TRYLOCAL ... \n");
825 			res = NSS_TRYLOCAL;
826 			goto free_nsw_state;
827 		}
828 
829 		if (check_loopback && k != NULL) {
830 
831 			if (k->srci == srci && k->dbi == dbi)
832 				if (k->fnum == search_fnum) {
833 
834 					_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
835 					    NSCD_LOG_LEVEL_DEBUG)
836 					(me, "loopback detected: "
837 					    "source = %s, database = %s "
838 					    "search fnum = %d\n",
839 					    NSCD_NSW_SRC_NAME(srci),
840 					    NSCD_NSW_DB_NAME(dbi), search_fnum);
841 
842 				NSCD_SW_STATS_G.loopback_nsw_db_skipped_g++;
843 				NSCD_SW_STATS(dbi).loopback_nsw_db_skipped++;
844 					continue;
845 				}
846 		}
847 
848 		be = s->be[n_src];
849 		if (be != NULL)
850 			funcp = NSS_LOOKUP_DBOP(be, search_fnum);
851 
852 		/* request could be from within nscd so check states again */
853 		if (be == NULL || (params.dnsi < 0 && (funcp == NULL ||
854 		    (smf_state != NSCD_SVC_STATE_UNINITED &&
855 		    smf_state != NSCD_SVC_STATE_UNSUPPORTED_SRC &&
856 		    smf_state != NSCD_SVC_STATE_FOREIGN_SRC &&
857 		    smf_state < SCF_STATE_ONLINE)))) {
858 
859 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
860 			    NSCD_LOG_LEVEL_DEBUG)
861 			(me, "unable to look up source %s: be = %p, "
862 			"smf state = %d, funcp = %p\n",
863 			    NSCD_NSW_SRC_NAME(srci), be, smf_state, funcp);
864 
865 			goto next_src;
866 		}
867 
868 		do {
869 			/*
870 			 * we can only retry max_retry times,
871 			 * otherwise threads may get stuck in this
872 			 * do-while loop forever
873 			 */
874 			if (n_loop > max_retry) {
875 				if (swret != NULL)
876 					res = NSS_TRYLOCAL;
877 				goto free_nsw_state;
878 			}
879 
880 			/*
881 			 * set up to prevent loopback
882 			 */
883 			if (check_loopback && k == NULL) {
884 				key.srci = srci;
885 				key.dbi = dbi;
886 				key.fnum = search_fnum;
887 				key.lb_flagp = &check_loopback;
888 				(void) set_loopback_key(&key);
889 				k = &key;
890 			}
891 
892 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
893 			    NSCD_LOG_LEVEL_DEBUG)
894 			(me, "looking up source = %s, loop# = %d \n",
895 			    NSCD_NSW_SRC_NAME(srci), n_loop);
896 
897 			/*
898 			 * search the backend, if hosts lookups,
899 			 * try to get the hosts data with ttl first
900 			 */
901 			if (params.dnsi >= 0) {
902 				res = search_dns_withttl(swret,
903 				    NSCD_NSW_SRC_NAME(srci), params.dnsi);
904 				/*
905 				 * if not able to get ttl, fall back
906 				 * to the regular backend call
907 				 */
908 				if (res == NSS_ERROR)
909 					res = (*funcp)(be, search_args);
910 				else {
911 					/*
912 					 * status/result are in the
913 					 * packed buffer, not
914 					 * search_args
915 					 */
916 					swret->noarg = 1;
917 				}
918 			} else
919 				res = (*funcp)(be, search_args);
920 			if (swret != NULL)
921 				swret->errnum = errno;
922 
923 			/*
924 			 * backend is not up, check and update the
925 			 * smf state table
926 			 */
927 			if (res == NSS_UNAVAIL)
928 				(void) _nscd_get_smf_state(srci, dbi, 1);
929 
930 			/*
931 			 * may need to fall back to use the main nscd
932 			 * if per-user lookup
933 			 */
934 			if (_whoami == NSCD_CHILD && swret != NULL)
935 				swret->fallback = set_fallback_flag(
936 				    NSCD_NSW_SRC_NAME(srci), res);
937 
938 			_NSCD_LOG_IF(NSCD_LOG_SWITCH_ENGINE,
939 			    NSCD_LOG_LEVEL_DEBUG) {
940 
941 				/*
942 				 * set up to trace the result/status
943 				 * of the dns/ttl lookup
944 				 */
945 				if (swret != NULL && swret->noarg == 1) {
946 					nss_pheader_t *phdr;
947 					struct nss_XbyY_args *arg;
948 					arg = (struct nss_XbyY_args *)
949 					    search_args;
950 					phdr = (nss_pheader_t *)swret->pbuf;
951 					arg->buf.buffer = (char *)phdr +
952 					    phdr->data_off;
953 					arg->returnlen = phdr->data_len;
954 					if (phdr->p_errno == ERANGE)
955 						arg->erange = 1;
956 					arg->h_errno = phdr->p_herrno;
957 				}
958 
959 				trace_result(dbi, srci, search_fnum, res,
960 				    (nss_XbyY_args_t *)search_args);
961 			}
962 
963 			n_loop++;
964 		} while (retry_test(res, n_loop, lkp));
965 
966 		next_src:
967 
968 		status_vec |= (1 << res);
969 
970 		if (__NSW_ACTION_V1(lkp, res) == __NSW_RETURN) {
971 			break;
972 		}
973 	}
974 
975 	free_nsw_state:
976 
977 	if (state_thr == 1)
978 		_nscd_put_nsw_state_thread(s);
979 	else
980 		_nscd_put_nsw_state(s);
981 	if (check_loopback && k != NULL)
982 		clear_loopback_key(k);
983 
984 	if (res != NSS_SUCCESS)
985 		goto error_exit;
986 
987 	NSCD_SW_STATS_G.lookup_request_succeeded_g++;
988 	NSCD_SW_STATS(dbi).lookup_request_succeeded++;
989 	NSCD_SW_STATS_G.lookup_request_in_progress_g--;
990 	NSCD_SW_STATS(dbi).lookup_request_in_progress--;
991 
992 	return (NSS_SUCCESS);
993 
994 	error_exit:
995 
996 	NSCD_SW_STATS_G.lookup_request_failed_g++;
997 	NSCD_SW_STATS_G.lookup_request_in_progress_g--;
998 	NSCD_SW_STATS(dbi).lookup_request_failed++;
999 	NSCD_SW_STATS(dbi).lookup_request_in_progress--;
1000 
1001 	return (res);
1002 }
1003 
1004 
1005 /* ===> get/set/endent */
1006 
1007 static void		nss_setent_u(nss_db_root_t *,
1008 				    nss_db_initf_t,
1009 				    nss_getent_t *);
1010 static nss_status_t	nss_getent_u(nss_db_root_t *,
1011 				    nss_db_initf_t,
1012 				    nss_getent_t *,
1013 				    void *);
1014 static void		nss_endent_u(nss_db_root_t *,
1015 				    nss_db_initf_t,
1016 				    nss_getent_t *);
1017 
1018 void
1019 nss_setent(nss_db_root_t *rootp, nss_db_initf_t initf,
1020 	nss_getent_t *contextpp)
1021 {
1022 	if (contextpp == 0)
1023 		return;
1024 	nss_setent_u(rootp, initf, contextpp);
1025 }
1026 
1027 nss_status_t
1028 nss_getent(nss_db_root_t *rootp, nss_db_initf_t initf, nss_getent_t *contextpp,
1029 	void *args)
1030 {
1031 	nss_status_t		status;
1032 
1033 	if (contextpp == 0) {
1034 		return (NSS_UNAVAIL);
1035 	}
1036 	status = nss_getent_u(rootp, initf, contextpp, args);
1037 	return (status);
1038 }
1039 
1040 void
1041 nss_endent(nss_db_root_t *rootp, nss_db_initf_t initf,
1042 	nss_getent_t *contextpp)
1043 {
1044 	if (contextpp == 0)
1045 		return;
1046 	nss_endent_u(rootp, initf, contextpp);
1047 }
1048 
1049 /*ARGSUSED*/
1050 static void
1051 end_iter_u(nss_db_root_t *rootp, struct nss_getent_context *contextp)
1052 {
1053 	nscd_getent_context_t	*ctx;
1054 	nscd_nsw_state_t	*s;
1055 	nss_backend_t		*be;
1056 	int			n_src;
1057 
1058 	ctx = (nscd_getent_context_t *)contextp;
1059 	s = ctx->nsw_state;
1060 	n_src = ctx->n_src;
1061 	be = ctx->be;
1062 
1063 	if (s != 0) {
1064 		if (n_src < s->max_src && be != 0) {
1065 			(void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0);
1066 			ctx->be = 0;  /* Should be unnecessary, but hey */
1067 		}
1068 	}
1069 	ctx->n_src = 0;
1070 }
1071 
1072 static void
1073 nss_setent_u(nss_db_root_t *rootp, nss_db_initf_t initf,
1074 	nss_getent_t *contextpp)
1075 {
1076 	char			*me = "nss_setent_u";
1077 	nscd_nsw_state_t	*s;
1078 	nscd_getent_context_t	*contextp;
1079 	nscd_nsw_params_t	params;
1080 	nss_db_root_t		root;
1081 	nss_backend_t		*be;
1082 	int			n_src, i;
1083 	nscd_sw_return_t	*swret = NULL;
1084 
1085 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1086 	(me, "rootp = %p, initf = %p, contextpp = %p \n",
1087 	    rootp, initf, contextpp);
1088 
1089 	/*
1090 	 * Get the nsw db index via the initf function. If unsupported
1091 	 * database, no need to continue
1092 	 */
1093 	if (getparams(-1, initf, &params) == NSCD_CFG_UNSUPPORTED_SWITCH_DB)
1094 		return;
1095 
1096 	/* get address of the switch engine return data area */
1097 	if (initf == nscd_initf)
1098 		swret = (nscd_sw_return_t *)params.p.private;
1099 
1100 	/* if no privilege to look up, return */
1101 	if (params.privdb == 1 && swret != NULL &&
1102 	    _nscd_check_client_priv(NSCD_READ_PRIV) != 0) {
1103 
1104 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1105 		(me, "no privilege \n");
1106 		return;
1107 	}
1108 
1109 	if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) {
1110 		if ((_nscd_get_getent_ctx(contextpp, &params)) !=
1111 		    NSCD_SUCCESS) {
1112 			return;
1113 		}
1114 		contextp = (nscd_getent_context_t *)contextpp->ctx;
1115 	}
1116 	s = contextp->nsw_state;
1117 
1118 	if (s == 0) {
1119 		if (_nscd_get_nsw_state(&root, &params) !=
1120 		    NSCD_SUCCESS) {
1121 			return;
1122 		}
1123 		s = (nscd_nsw_state_t *)root.s;
1124 		contextp->nsw_state = s;
1125 
1126 	} else {
1127 		s	= contextp->nsw_state;
1128 		n_src	= contextp->n_src;
1129 		be	= contextp->be;
1130 		if (n_src == 0 && be != 0) {
1131 			/*
1132 			 * Optimization:  don't do endent, don't change
1133 			 *   backends, just do the setent.  Look Ma, no locks
1134 			 *   (nor any context that needs updating).
1135 			 */
1136 			(void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0);
1137 			return;
1138 		}
1139 		if (n_src < s->max_src && be != 0) {
1140 			(void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0);
1141 			contextp->be = 0;	/* Play it safe */
1142 		}
1143 	}
1144 	for (n_src = 0, be = 0; n_src < s->max_src &&
1145 	    (be = s->be[n_src]) == 0; n_src++) {
1146 		;
1147 	}
1148 
1149 	contextp->n_src	= n_src;
1150 	contextp->be	= be;
1151 
1152 	if (be == 0) {
1153 		/* Things are broken enough that we can't do setent/getent */
1154 		nss_endent_u(rootp, initf, contextpp);
1155 		return;
1156 	}
1157 
1158 	/*
1159 	 * make sure all the backends are supported
1160 	 */
1161 	for (i = 0; i < s->max_src; i++) {
1162 		int	st, srci;
1163 
1164 		if (s->be[i] == NULL)
1165 			continue;
1166 
1167 		srci = (*s->nsw_cfg_p)->src_idx[i];
1168 		st = _nscd_get_smf_state(srci, params.dbi, 1);
1169 		if (st == NSCD_SVC_STATE_UNSUPPORTED_SRC ||
1170 		    (st == NSCD_SVC_STATE_FOREIGN_SRC &&
1171 		    s->be_version_p[i] == NULL && initf == nscd_initf) ||
1172 		    st == NSCD_SVC_STATE_UNINITED ||
1173 		    (params.privdb &&
1174 		    try_local2(params.dbi, srci) == 1)) {
1175 			nss_endent_u(rootp, initf, contextpp);
1176 
1177 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
1178 			    NSCD_LOG_LEVEL_DEBUG)
1179 			(me, "backend (%s) not available (state = %d)\n",
1180 			    NSCD_NSW_SRC_NAME(srci), st);
1181 
1182 			return;
1183 		}
1184 	}
1185 
1186 	(void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0);
1187 }
1188 
1189 nss_status_t
1190 nss_getent_u(nss_db_root_t *rootp, nss_db_initf_t initf,
1191 	nss_getent_t *contextpp, void *args)
1192 {
1193 	char			*me = "nss_getent_u";
1194 	nscd_nsw_state_t	*s;
1195 	nscd_getent_context_t	*contextp;
1196 	int			n_src;
1197 	nss_backend_t		*be;
1198 
1199 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1200 	(me, "rootp = %p, initf = %p, contextpp = %p, args = %p\n",
1201 	    rootp, initf, contextpp, args);
1202 
1203 	if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) {
1204 		nss_setent_u(rootp, initf, contextpp);
1205 		if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) {
1206 			/* Give up */
1207 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
1208 			    NSCD_LOG_LEVEL_ERROR)
1209 			(me, "not able to obtain getent context ... give up\n");
1210 
1211 			return (NSS_UNAVAIL);
1212 		}
1213 	}
1214 
1215 	s	= contextp->nsw_state;
1216 	n_src	= contextp->n_src;
1217 	be	= contextp->be;
1218 
1219 	if (s == 0) {
1220 		/*
1221 		 * We've done an end_iter() and haven't done nss_setent()
1222 		 * or nss_endent() since;  we should stick in this state
1223 		 * until the caller invokes one of those two routines.
1224 		 */
1225 		return (NSS_SUCCESS);
1226 	}
1227 
1228 	while (n_src < s->max_src) {
1229 		nss_status_t		res;
1230 		struct __nsw_lookup_v1	*lkp = NULL;
1231 		int			n;
1232 
1233 		/* get the nsw config for the current source */
1234 		lkp = s->config->lookups;
1235 		for (n = 0; n < n_src; n++)
1236 			lkp = lkp->next;
1237 
1238 		if (be == 0) {
1239 			/* If it's null it's a bug, but let's play safe */
1240 			res = NSS_UNAVAIL;
1241 		} else {
1242 			_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
1243 			    NSCD_LOG_LEVEL_DEBUG)
1244 			(me, "database: %s, backend: %s, nsswitch config: %s\n",
1245 			    NSCD_NSW_DB_NAME(s->dbi),
1246 			    lkp->service_name,
1247 			    (*s->nsw_cfg_p)->nsw_cfg_str);
1248 
1249 			res = NSS_INVOKE_DBOP(be, NSS_DBOP_GETENT, args);
1250 		}
1251 
1252 		if (__NSW_ACTION_V1(lkp, res) == __NSW_RETURN) {
1253 			if (res != __NSW_SUCCESS) {
1254 				end_iter_u(rootp,
1255 				    (struct nss_getent_context *)contextp);
1256 			}
1257 			return (res);
1258 		}
1259 		(void) NSS_INVOKE_DBOP(be, NSS_DBOP_ENDENT, 0);
1260 		do {
1261 			n_src++;
1262 		} while (n_src < s->max_src &&
1263 		    (be = s->be[n_src]) == 0);
1264 		if (be == 0) {
1265 			/*
1266 			 * This is the case where we failed to get the backend
1267 			 * for the last source. We exhausted all sources.
1268 			 */
1269 			nss_endent_u(rootp, initf, contextpp);
1270 			return (NSS_NOTFOUND);
1271 		}
1272 		contextp->n_src	= n_src;
1273 		contextp->be	= be;
1274 		(void) NSS_INVOKE_DBOP(be, NSS_DBOP_SETENT, 0);
1275 	}
1276 	/* Got to the end of the sources without finding another entry */
1277 	end_iter_u(rootp, (struct nss_getent_context *)contextp);
1278 	return (NSS_SUCCESS);
1279 	/* success is either a successful entry or end of the sources */
1280 }
1281 
1282 /*ARGSUSED*/
1283 void
1284 nss_endent_u(nss_db_root_t *rootp, nss_db_initf_t initf,
1285 	nss_getent_t *contextpp)
1286 {
1287 	char			*me = "nss_endent_u";
1288 	nscd_getent_context_t	*contextp;
1289 
1290 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1291 	(me, "rootp = %p, initf = %p, contextpp = %p \n",
1292 	    rootp, initf, contextpp);
1293 
1294 	if ((contextp = (nscd_getent_context_t *)contextpp->ctx) == 0) {
1295 		/* nss_endent() on an unused context is a no-op */
1296 		return;
1297 	}
1298 
1299 	if (_nscd_is_getent_ctx_in_use(contextp) == 0) {
1300 		end_iter_u(rootp, (struct nss_getent_context *)contextp);
1301 		_nscd_put_getent_ctx(contextp);
1302 		contextpp->ctx = NULL;
1303 	}
1304 }
1305 
1306 /*
1307  * _nss_db_state_destr() and nss_delete() do nothing in nscd
1308  * but is needed to make the caller (below nscd) happy
1309  */
1310 /*ARGSUSED*/
1311 void
1312 _nss_db_state_destr(struct nss_db_state *s)
1313 {
1314 	/* nsw state in nscd is always reused, so do nothing here */
1315 }
1316 
1317 /*ARGSUSED*/
1318 void
1319 nss_delete(nss_db_root_t *rootp)
1320 {
1321 	/*
1322 	 * the only resource kept tracked by the nss_db_root_t
1323 	 * is the nsw state which is always reused and no need
1324 	 * to be freed. So just return.
1325 	 */
1326 }
1327 
1328 /*
1329  * Start of nss_psearch/nss_psetent()/nss_pgetent()/nss_pendent()
1330  * buffers switch entry points
1331  */
1332 
1333 /*
1334  * nss_psearch opens a packed structure header, assembles a local
1335  * nss_XbyY_args_t structure and calls the local copy of nss_search.
1336  * The return data is assembled in "files native format" in the
1337  * return buffer location.  Status if packed back up with the buffer
1338  * and the whole wad is returned to the cache or the client.
1339  */
1340 
1341 void
1342 nss_psearch(void *buffer, size_t length)
1343 {
1344 	/* inputs */
1345 	nss_db_initf_t		initf;
1346 	int			dbop;
1347 	int			rc;
1348 	nss_XbyY_args_t		arg;
1349 	nss_status_t		status;
1350 	nscd_sw_return_t	swret = { 0 }, *swrp = &swret;
1351 	nss_pheader_t		*pbuf = (nss_pheader_t *)buffer;
1352 	char			*me = "nss_psearch";
1353 
1354 	if (buffer == NULL || length == 0) {
1355 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1356 		return;
1357 	}
1358 
1359 	status = nss_packed_arg_init(buffer, length,
1360 	    NULL, &initf, &dbop, &arg);
1361 	if (status != NSS_SUCCESS) {
1362 		NSCD_SET_STATUS(pbuf, status, -1);
1363 		return;
1364 	}
1365 
1366 	/*
1367 	 * pass the address of the return data area
1368 	 * for the switch engine to return its own data
1369 	 */
1370 	(void) memcpy(&pbuf->nscdpriv, &swrp, sizeof (swrp));
1371 	swret.pbuf = buffer;
1372 	swret.pbufsiz = length;
1373 	swret.datalen = pbuf->data_len;
1374 
1375 	/*
1376 	 * use the generic nscd_initf for all database lookups
1377 	 * (the TSD key is the pointer to the packed header)
1378 	 */
1379 	rc = set_initf_key(pbuf);
1380 	if (rc != 0) {
1381 		NSCD_SET_STATUS(pbuf, NSS_UNAVAIL, EINVAL);
1382 		return;
1383 	}
1384 	initf = nscd_initf;
1385 
1386 	/* Perform local search and pack results into return buffer */
1387 	/* nscd's search ignores db_root */
1388 	status = nss_search(NULL, initf, dbop, &arg);
1389 
1390 	/*
1391 	 * If status is NSS_NOTFOUND and ldap also returned
1392 	 * NSS_NOTFOUND, it is possible that the user does
1393 	 * not have a credential, so check and see if
1394 	 * needs to return NSS_ALTRETRY to let the main
1395 	 * nscd get a chance to process the lookup
1396 	 */
1397 	if (swret.fallback == 1 && status == NSS_NOTFOUND) {
1398 		OM_uint32	(*func)();
1399 		OM_uint32	stat;
1400 		nscd_rc_t	rc;
1401 
1402 		rc = get_gss_func((void **)&func);
1403 		if (rc == NSCD_SUCCESS) {
1404 			if (func(&stat, GSS_C_NO_CREDENTIAL,
1405 			    NULL, NULL, NULL, NULL) != GSS_S_COMPLETE) {
1406 
1407 				_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
1408 				    NSCD_LOG_LEVEL_DEBUG)
1409 			(me, "NSS_ALTRETRY: fallback to main nscd needed\n");
1410 
1411 				status = NSS_ALTRETRY;
1412 			}
1413 		}
1414 	}
1415 
1416 	NSCD_SET_STATUS(pbuf, status, -1);
1417 	errno = swret.errnum;
1418 
1419 	/*
1420 	 * Move result/status from args to packed buffer only if
1421 	 * arg was being used and rc from the switch engine is not
1422 	 * NSS_TRYLOCAL.
1423 	 */
1424 	if (!swret.noarg && status != NSS_TRYLOCAL)
1425 		nss_packed_set_status(buffer, length, status,  &arg);
1426 
1427 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1428 	(me, "switch engine result: source is %s, status %d, "
1429 	"herrno is %d, errno is %s\n",
1430 	    (swret.srci != -1) ? NSCD_NSW_SRC_NAME(swret.srci) : "<NOTSET>",
1431 	    pbuf->p_status, pbuf->p_herrno, strerror(pbuf->p_errno));
1432 
1433 	/* clear the TSD key used by the generic initf */
1434 	clear_initf_key();
1435 	pbuf->nscdpriv = 0;
1436 }
1437 
1438 static void
1439 nscd_map_contextp(void *buffer, nss_getent_t *contextp,
1440     nssuint_t **cookie_num_p, nssuint_t **seqnum_p, int setent)
1441 {
1442 	nss_pheader_t		*pbuf = (nss_pheader_t *)buffer;
1443 	nssuint_t		off;
1444 	nscd_getent_context_t	*ctx;
1445 	char			*me = "nscd_map_contextp";
1446 	nscd_getent_p1_cookie_t	*cookie;
1447 
1448 	if (buffer == NULL) {
1449 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1450 		return;
1451 	}
1452 
1453 	off = pbuf->key_off;
1454 	cookie = (nscd_getent_p1_cookie_t *)((void *)((char *)buffer + off));
1455 	if (seqnum_p != NULL)
1456 		*seqnum_p = &cookie->p1_seqnum;
1457 
1458 	/*
1459 	 * if called by nss_psetent, and the passed in cookie number
1460 	 * is NSCD_NEW_COOKIE, then there is no cookie yet, return a
1461 	 * pointer pointing to where the cookie number will be stored.
1462 	 * Also because there is no cookie to validate, just return
1463 	 * success.
1464 	 *
1465 	 * On the other hand, if a cookie number is passed in, we need
1466 	 * to validate the cookie number before returning.
1467 	 */
1468 	if (cookie_num_p != NULL)
1469 		*cookie_num_p = &cookie->p1_cookie_num;
1470 	if (setent == 1 && cookie->p1_cookie_num == NSCD_NEW_COOKIE) {
1471 		NSCD_SET_STATUS_SUCCESS(pbuf);
1472 		return;
1473 	}
1474 
1475 	/*
1476 	 * If the sequence number and start time match nscd's p0 cookie,
1477 	 * then either setent was done twice in a row or this is the
1478 	 * first getent after the setent, return success as well.
1479 	 */
1480 	if (cookie->p1_seqnum == NSCD_P0_COOKIE_SEQNUM) {
1481 		nscd_getent_p0_cookie_t *p0c =
1482 		    (nscd_getent_p0_cookie_t *)cookie;
1483 		if (p0c->p0_time == _nscd_get_start_time()) {
1484 			NSCD_SET_STATUS_SUCCESS(pbuf);
1485 			return;
1486 		}
1487 	}
1488 
1489 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1490 	(me, "cookie # = %lld,  sequence # = %lld\n",
1491 	    cookie->p1_cookie_num, cookie->p1_seqnum);
1492 
1493 	ctx = _nscd_is_getent_ctx(cookie->p1_cookie_num);
1494 
1495 	if (ctx == NULL) {
1496 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1497 		(me, "No matching context found (cookie number: %lld)\n",
1498 		    cookie->p1_cookie_num);
1499 
1500 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1501 		return;
1502 	}
1503 
1504 	/* if not called by nss_psetent, verify sequence number */
1505 	if (setent != 1 && ctx->seq_num !=
1506 	    (nscd_seq_num_t)cookie->p1_seqnum) {
1507 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1508 		(me, "invalid sequence # (%lld)\n", cookie->p1_seqnum);
1509 
1510 		_nscd_free_ctx_if_aborted(ctx);
1511 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1512 		return;
1513 	}
1514 
1515 	contextp->ctx = (struct nss_getent_context *)ctx;
1516 
1517 	NSCD_SET_STATUS_SUCCESS(pbuf);
1518 }
1519 
1520 void
1521 nss_psetent(void *buffer, size_t length, pid_t pid)
1522 {
1523 	nss_getent_t		context = { 0 };
1524 	nss_getent_t		*contextp = &context;
1525 	nssuint_t		*cookie_num_p;
1526 	nssuint_t		*seqnum_p;
1527 	nss_pheader_t		*pbuf = (nss_pheader_t *)buffer;
1528 	nscd_getent_p0_cookie_t *p0c;
1529 	char			*me = "nss_psetent";
1530 
1531 	if (buffer == NULL || length == 0) {
1532 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1533 		return;
1534 	}
1535 
1536 	/*
1537 	 * If this is a per-user nscd, and the user does not have
1538 	 * the necessary credential, return NSS_TRYLOCAL, so the
1539 	 * setent/getent can be done locally in the process of the
1540 	 * setent call
1541 	 */
1542 	if (_whoami == NSCD_CHILD) {
1543 		OM_uint32	(*func)();
1544 		OM_uint32	stat;
1545 		nscd_rc_t	rc;
1546 
1547 		rc = get_gss_func((void **)&func);
1548 		if (rc == NSCD_SUCCESS) {
1549 			if (func(&stat, GSS_C_NO_CREDENTIAL,
1550 			    NULL, NULL, NULL, NULL) != GSS_S_COMPLETE) {
1551 
1552 				_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE,
1553 				    NSCD_LOG_LEVEL_DEBUG)
1554 			(me, "NSS_TRYLOCAL: fallback to caller process\n");
1555 				NSCD_SET_STATUS(pbuf, NSS_TRYLOCAL, 0);
1556 				return;
1557 			}
1558 		}
1559 	}
1560 
1561 	/* check cookie number */
1562 	nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 1);
1563 	if (NSCD_STATUS_IS_NOT_OK(pbuf))
1564 		return;
1565 
1566 	/* set cookie number and sequence number */
1567 	p0c = (nscd_getent_p0_cookie_t *)cookie_num_p;
1568 	if (contextp->ctx ==  NULL) {
1569 		/*
1570 		 * first setent (no existing getent context),
1571 		 * return a p0 cookie
1572 		 */
1573 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1574 		(me, "first setent, no getent context yet\n");
1575 	} else {
1576 		/*
1577 		 * doing setent on an existing getent context,
1578 		 * release resources allocated and return a
1579 		 * p0 cookie
1580 		 */
1581 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1582 		(me, "setent resetting sequence number = %lld\n",  *seqnum_p);
1583 
1584 		if (_nscd_is_getent_ctx_in_use((nscd_getent_context_t *)
1585 		    contextp->ctx) == 0) {
1586 			/*
1587 			 * context not in use, release the backend and
1588 			 * return the context to the pool
1589 			 */
1590 			end_iter_u(NULL, contextp->ctx);
1591 			_nscd_put_getent_ctx(
1592 			    (nscd_getent_context_t *)contextp->ctx);
1593 			contextp->ctx = NULL;
1594 		}
1595 	}
1596 
1597 	p0c->p0_pid = pid;
1598 	p0c->p0_time = _nscd_get_start_time();
1599 	p0c->p0_seqnum = NSCD_P0_COOKIE_SEQNUM;
1600 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1601 	(me, "returning a p0 cookie: pid = %ld, time = %ld, seq #= %llx\n",
1602 	    p0c->p0_pid, p0c->p0_time, p0c->p0_seqnum);
1603 
1604 	NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0);
1605 }
1606 
1607 static void
1608 delayed_setent(nss_pheader_t *pbuf, nss_db_initf_t initf,
1609 	nss_getent_t *contextp, nssuint_t *cookie_num_p,
1610 	nssuint_t *seqnum_p, pid_t pid)
1611 {
1612 	nscd_getent_context_t	*ctx;
1613 	nscd_sw_return_t	swret = { 0 }, *swrp = &swret;
1614 	char			*me = "delayed_setent";
1615 
1616 	/*
1617 	 * check credential
1618 	 */
1619 	_nscd_APP_check_cred(pbuf, &pid, "NSCD_DELAYED_SETENT",
1620 	    NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_ERROR);
1621 	if (NSCD_STATUS_IS_NOT_OK(pbuf)) {
1622 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1623 		(me, "invalid credential\n");
1624 		return;
1625 	}
1626 
1627 	/*
1628 	 * pass the packed header buffer pointer to nss_setent
1629 	 */
1630 	(void) memcpy(&pbuf->nscdpriv, &swrp, sizeof (swrp));
1631 	swret.pbuf = pbuf;
1632 
1633 	/* Perform local setent and set context */
1634 	nss_setent(NULL, initf, contextp);
1635 
1636 	/* insert cookie info into packed buffer header */
1637 	ctx = (nscd_getent_context_t *)contextp->ctx;
1638 	if (ctx != NULL) {
1639 		*cookie_num_p = ctx->cookie_num;
1640 		*seqnum_p = ctx->seq_num;
1641 		ctx->pid = pid;
1642 	} else {
1643 		/*
1644 		 * not able to allocate a getent context, the
1645 		 * client should try the enumeration locally
1646 		 */
1647 		*cookie_num_p = NSCD_LOCAL_COOKIE;
1648 		*seqnum_p = 0;
1649 
1650 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1651 		(me, "NSS_TRYLOCAL: cookie # = %lld,  sequence # = %lld\n",
1652 		    *cookie_num_p, *seqnum_p);
1653 		NSCD_SET_STATUS(pbuf, NSS_TRYLOCAL, 0);
1654 		return;
1655 	}
1656 
1657 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1658 	(me, "NSS_SUCCESS: cookie # = %lld,  sequence # = %lld\n",
1659 	    ctx->cookie_num, ctx->seq_num);
1660 
1661 	NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0);
1662 }
1663 
1664 void
1665 nss_pgetent(void *buffer, size_t length)
1666 {
1667 	/* inputs */
1668 	nss_db_initf_t		initf;
1669 	nss_getent_t		context = { 0 };
1670 	nss_getent_t		*contextp = &context;
1671 	nss_XbyY_args_t		arg = { 0};
1672 	nss_status_t		status;
1673 	nssuint_t		*cookie_num_p;
1674 	nssuint_t		*seqnum_p;
1675 	nscd_getent_context_t	*ctx;
1676 	int			rc;
1677 	nss_pheader_t		*pbuf = (nss_pheader_t *)buffer;
1678 	char			*me = "nss_pgetent";
1679 
1680 	if (buffer == NULL || length == 0) {
1681 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1682 		return;
1683 	}
1684 
1685 	/* verify the cookie passed in */
1686 	nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 0);
1687 	if (NSCD_STATUS_IS_NOT_OK(pbuf))
1688 		return;
1689 
1690 	/*
1691 	 * use the generic nscd_initf for all the getent requests
1692 	 * (the TSD key is the pointer to the packed header)
1693 	 */
1694 	rc = set_initf_key(pbuf);
1695 	if (rc != 0) {
1696 		NSCD_SET_STATUS(pbuf, NSS_UNAVAIL, EINVAL);
1697 		return;
1698 	}
1699 	initf = nscd_initf;
1700 
1701 	/* if no context yet, get one */
1702 	if (contextp->ctx ==  NULL) {
1703 		nscd_getent_p0_cookie_t *p0c =
1704 		    (nscd_getent_p0_cookie_t *)cookie_num_p;
1705 
1706 		delayed_setent(pbuf, initf, contextp, cookie_num_p,
1707 		    seqnum_p, p0c->p0_pid);
1708 		if (NSCD_STATUS_IS_NOT_OK(pbuf)) {
1709 			clear_initf_key();
1710 			return;
1711 		}
1712 	}
1713 
1714 	status = nss_packed_context_init(buffer, length,
1715 	    NULL, &initf, &contextp, &arg);
1716 	if (status != NSS_SUCCESS) {
1717 		clear_initf_key();
1718 		_nscd_free_ctx_if_aborted(
1719 		    (nscd_getent_context_t *)contextp->ctx);
1720 		NSCD_SET_STATUS(pbuf, status, -1);
1721 		return;
1722 	}
1723 
1724 	/* Perform local search and pack results into return buffer */
1725 	status = nss_getent(NULL, initf, contextp, &arg);
1726 	NSCD_SET_STATUS(pbuf, status, -1);
1727 	nss_packed_set_status(buffer, length, status,  &arg);
1728 
1729 	/* increment sequence number in the buffer and nscd context */
1730 	if (status == NSS_SUCCESS) {
1731 		ctx = (nscd_getent_context_t *)contextp->ctx;
1732 		ctx->seq_num++;
1733 		*seqnum_p = ctx->seq_num;
1734 		*cookie_num_p = ctx->cookie_num;
1735 
1736 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1737 		(me, "getent OK, new sequence # = %lld, len = %lld,"
1738 		    " data = >>%s<<\n", *seqnum_p,
1739 		    pbuf->data_len, (char *)buffer + pbuf->data_off);
1740 
1741 		_nscd_free_ctx_if_aborted(ctx);
1742 	} else {
1743 		/* release the resources used */
1744 		ctx = (nscd_getent_context_t *)contextp->ctx;
1745 		if (ctx != NULL && _nscd_is_getent_ctx_in_use(ctx) == 0) {
1746 			_nscd_put_getent_ctx(ctx);
1747 			contextp->ctx = NULL;
1748 		}
1749 		_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1750 		(me, "getent failed, status = %d, sequence # = %lld\n",
1751 		    status, *seqnum_p);
1752 	}
1753 
1754 	/* clear the TSD key used by the generic initf */
1755 	clear_initf_key();
1756 }
1757 
1758 void
1759 nss_pendent(void *buffer, size_t length)
1760 {
1761 	nss_getent_t		context = { 0 };
1762 	nss_getent_t		*contextp = &context;
1763 	nssuint_t		*seqnum_p;
1764 	nssuint_t		*cookie_num_p;
1765 	nss_pheader_t		*pbuf = (nss_pheader_t *)buffer;
1766 	char			*me = "nss_pendent";
1767 
1768 	if (buffer == NULL || length == 0) {
1769 		NSCD_SET_STATUS(pbuf, NSS_ERROR, EFAULT);
1770 		return;
1771 	}
1772 
1773 	/* map the contextp from the cookie information */
1774 	nscd_map_contextp(buffer, contextp, &cookie_num_p, &seqnum_p, 0);
1775 	if (NSCD_STATUS_IS_NOT_OK(pbuf))
1776 		return;
1777 
1778 	if (contextp->ctx == NULL)
1779 		return;
1780 
1781 	_NSCD_LOG(NSCD_LOG_SWITCH_ENGINE, NSCD_LOG_LEVEL_DEBUG)
1782 	(me, "endent, cookie = %lld, sequence # = %lld\n",
1783 	    *cookie_num_p, *seqnum_p);
1784 
1785 	/* Perform local endent and reset context */
1786 	nss_endent(NULL, NULL, contextp);
1787 
1788 	NSCD_SET_STATUS(pbuf, NSS_SUCCESS, 0);
1789 }
1790 
1791 /*ARGSUSED*/
1792 void
1793 nss_pdelete(void *buffer, size_t length)
1794 {
1795 	nss_pheader_t	*pbuf = (nss_pheader_t *)buffer;
1796 
1797 	/* unnecessary, kept for completeness */
1798 	NSCD_SET_STATUS_SUCCESS(pbuf);
1799 }
1800