xref: /titanic_44/usr/src/cmd/sendmail/libsm/ldap.c (revision 7800901e60d340b6af88e94a2149805dcfcaaf56)
17c478bd9Sstevel@tonic-gate /*
2*7800901eSjbeck  * Copyright (c) 2001-2007 Sendmail, Inc. and its suppliers.
37c478bd9Sstevel@tonic-gate  *      All rights reserved.
47c478bd9Sstevel@tonic-gate  *
57c478bd9Sstevel@tonic-gate  * By using this file, you agree to the terms and conditions set
67c478bd9Sstevel@tonic-gate  * forth in the LICENSE file which can be found at the top level of
77c478bd9Sstevel@tonic-gate  * the sendmail distribution.
87c478bd9Sstevel@tonic-gate  */
97c478bd9Sstevel@tonic-gate 
107c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
117c478bd9Sstevel@tonic-gate 
12058561cbSjbeck /* some "deprecated" calls are used, e.g., ldap_get_values() */
13058561cbSjbeck #define LDAP_DEPRECATED	1
14058561cbSjbeck 
157c478bd9Sstevel@tonic-gate #include <sm/gen.h>
16*7800901eSjbeck SM_RCSID("@(#)$Id: ldap.c,v 1.80 2007/10/12 00:19:44 ca Exp $")
177c478bd9Sstevel@tonic-gate 
187c478bd9Sstevel@tonic-gate #if LDAPMAP
197c478bd9Sstevel@tonic-gate # include <sys/types.h>
207c478bd9Sstevel@tonic-gate # include <errno.h>
217c478bd9Sstevel@tonic-gate # include <setjmp.h>
227c478bd9Sstevel@tonic-gate # include <stdlib.h>
237c478bd9Sstevel@tonic-gate # include <unistd.h>
247c478bd9Sstevel@tonic-gate 
257c478bd9Sstevel@tonic-gate # include <sm/bitops.h>
267c478bd9Sstevel@tonic-gate # include <sm/clock.h>
277c478bd9Sstevel@tonic-gate # include <sm/conf.h>
287c478bd9Sstevel@tonic-gate # include <sm/debug.h>
297c478bd9Sstevel@tonic-gate # include <sm/errstring.h>
307c478bd9Sstevel@tonic-gate # include <sm/ldap.h>
317c478bd9Sstevel@tonic-gate # include <sm/string.h>
327c478bd9Sstevel@tonic-gate #  ifdef EX_OK
337c478bd9Sstevel@tonic-gate #   undef EX_OK			/* for SVr4.2 SMP */
347c478bd9Sstevel@tonic-gate #  endif /* EX_OK */
357c478bd9Sstevel@tonic-gate # include <sm/sysexits.h>
367c478bd9Sstevel@tonic-gate 
/*
**  Debug category for LDAP tracing.  The code below tests it with
**  sm_debug_active() at levels 2, 9 and 20; level 20 prints the fully
**  expanded search filter, which contains the lookup key.
*/
SM_DEBUG_T SmLDAPTrace = SM_DEBUG_INITIALIZER("sm_trace_ldap",
	"@(#)$Debug: sm_trace_ldap - trace LDAP operations $");

/* Forward declarations of the file-local helpers defined further down. */
static void	ldaptimeout __P((int));
static bool	sm_ldap_has_objectclass __P((SM_LDAP_STRUCT *, LDAPMessage *, char *));
static SM_LDAP_RECURSE_ENTRY *sm_ldap_add_recurse __P((SM_LDAP_RECURSE_LIST **, char *, int, SM_RPOOL_T *));
437c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_CLEAR -- set default values for SM_LDAP_STRUCT
**
**	Parameters:
**		lmap -- pointer to SM_LDAP_STRUCT to clear
**
**	Returns:
**		None.
**
*/
547c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_VERSION_DEFAULT is the protocol version that sm_ldap_clear()
**  stores in lmap->ldap_version.  If _FFR_LDAP_VERSION is set it becomes
**  the default, provided it lies inside the library's
**  LDAP_VERSION_MIN .. LDAP_VERSION_MAX range (when those are defined);
**  the bare ERROR lines are not valid C, so an out-of-range value stops
**  the build.  Without _FFR_LDAP_VERSION the default is 0.
*/
#if _FFR_LDAP_VERSION
# if defined(LDAP_VERSION_MAX) && _FFR_LDAP_VERSION > LDAP_VERSION_MAX
    ERROR FFR_LDAP_VERSION > _LDAP_VERSION_MAX
# endif /* defined(LDAP_VERSION_MAX) && _FFR_LDAP_VERSION > LDAP_VERSION_MAX */
# if defined(LDAP_VERSION_MIN) && _FFR_LDAP_VERSION < LDAP_VERSION_MIN
    ERROR FFR_LDAP_VERSION < _LDAP_VERSION_MIN
# endif /* defined(LDAP_VERSION_MIN) && _FFR_LDAP_VERSION < LDAP_VERSION_MIN */
# define SM_LDAP_VERSION_DEFAULT	_FFR_LDAP_VERSION
#else /* _FFR_LDAP_VERSION */
# define SM_LDAP_VERSION_DEFAULT	0
#endif /* _FFR_LDAP_VERSION */
66445f2479Sjbeck 
/*
**  Reset every field of *lmap to its built-in default.
**  A NULL lmap is ignored.
*/
void
sm_ldap_clear(lmap)
	SM_LDAP_STRUCT *lmap;
{
	if (lmap == NULL)
		return;

	/* where to connect */
	lmap->ldap_uri = NULL;
	lmap->ldap_host = NULL;
	lmap->ldap_port = LDAP_PORT;
	lmap->ldap_version = SM_LDAP_VERSION_DEFAULT;

	/* how to bind: simple bind, no DN and no secret until configured */
	lmap->ldap_method = LDAP_AUTH_SIMPLE;
	lmap->ldap_binddn = NULL;
	lmap->ldap_secret = NULL;

	/*
	**  Session options.  Referral chasing is on by default when the
	**  library provides LDAP_REFERRALS.
	**  NOTE(review): confirm how bind credentials are handled for
	**  referred servers.
	*/

# ifdef LDAP_REFERRALS
	lmap->ldap_options = LDAP_OPT_REFERRALS;
# else /* LDAP_REFERRALS */
	lmap->ldap_options = 0;
# endif /* LDAP_REFERRALS */
	lmap->ldap_deref = LDAP_DEREF_NEVER;

	/*
	**  No server-side limits and a zero client timeout: with
	**  tv_sec == 0 sm_ldap_start() arms no timer and
	**  sm_ldap_results() waits without a timeout, so an unresponsive
	**  server can stall a lookup until the map sets its own values.
	*/

	lmap->ldap_timelimit = LDAP_NO_LIMIT;
	lmap->ldap_sizelimit = LDAP_NO_LIMIT;
	lmap->ldap_timeout.tv_sec = 0;
	lmap->ldap_timeout.tv_usec = 0;

	/* search definition */
	lmap->ldap_base = NULL;
	lmap->ldap_scope = LDAP_SCOPE_SUBTREE;
	lmap->ldap_filter = NULL;
	lmap->ldap_attrsonly = LDAPMAP_FALSE;
	lmap->ldap_attrsep = '\0';
	lmap->ldap_multi_args = false;
	lmap->ldap_attr[0] = NULL;
	lmap->ldap_attr_type[0] = SM_LDAP_ATTR_NONE;
	lmap->ldap_attr_needobjclass[0] = NULL;

	/* per-connection runtime state */
	lmap->ldap_ld = NULL;
	lmap->ldap_res = NULL;
	lmap->ldap_next = NULL;
	lmap->ldap_pid = 0;
}
1057c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_START -- actually connect to an LDAP server
**
**	Parameters:
**		name -- name of map for debug output.
**		lmap -- the LDAP map being opened.
**
**	Returns:
**		true if connection is successful, false otherwise.
**
**	Side Effects:
**		Populates lmap->ldap_ld.
*/
1197c478bd9Sstevel@tonic-gate 
/* Jump target armed by SM_LDAP_SETTIMEOUT() and taken by ldaptimeout(). */
static jmp_buf	LDAPTimeout;

/*
**  SM_LDAP_SETTIMEOUT -- arm a timeout around a blocking LDAP call
**
**	Expands inside the calling function: it assigns the caller's
**	local "ev" and, when ldaptimeout() longjmp()s back here, sets
**	errno to ETIMEDOUT and executes "return false" in the caller.
**	No timer is armed when "to" is 0.
**
**	NOTE(review): the early return bypasses whatever cleanup the
**	caller would otherwise do, and non-volatile locals modified
**	after setjmp() are indeterminate once longjmp() has been taken;
**	keep both in mind when adding code between SETTIMEOUT and
**	CLEARTIMEOUT.
**	NOTE(review): "to" is expanded without parentheses, so pass only
**	a simple expression.
*/

#define SM_LDAP_SETTIMEOUT(to)						\
do									\
{									\
	if (to != 0)							\
	{								\
		if (setjmp(LDAPTimeout) != 0)				\
		{							\
			errno = ETIMEDOUT;				\
			return false;					\
		}							\
		ev = sm_setevent(to, ldaptimeout, 0);			\
	}								\
} while (0)

/*
**  SM_LDAP_CLEARTIMEOUT -- cancel the event stored in the caller's
**	local "ev", if one was set.
*/

#define SM_LDAP_CLEARTIMEOUT()						\
do									\
{									\
	if (ev != NULL)							\
		sm_clrevent(ev);					\
} while (0)
1427c478bd9Sstevel@tonic-gate 
/*
**  Open a session to the server described by lmap and bind to it.
**  On success the handle is stored in lmap->ldap_ld together with the
**  PID of the process that opened it.  On failure false is returned
**  with errno set; lmap->ldap_ld is left untouched.
*/
bool
sm_ldap_start(name, lmap)
	char *name;
	SM_LDAP_STRUCT *lmap;
{
	int bind_result;
	int save_errno = 0;
	char *id;
	SM_EVENT *ev = NULL;	/* used by the SM_LDAP_*TIMEOUT macros */
	LDAP *ld = NULL;

	if (sm_debug_active(&SmLDAPTrace, 2))
		sm_dprintf("ldapmap_start(%s)\n", name == NULL ? "" : name);

	/* id is only used for the debug output below */
	if (lmap->ldap_host != NULL)
		id = lmap->ldap_host;
	else if (lmap->ldap_uri != NULL)
		id = lmap->ldap_uri;
	else
		id = "localhost";

	if (sm_debug_active(&SmLDAPTrace, 9))
	{
		/* Don't print a port number for LDAP URIs */
		if (lmap->ldap_uri != NULL)
			sm_dprintf("ldapmap_start(%s)\n", id);
		else
			sm_dprintf("ldapmap_start(%s, %d)\n", id,
				   lmap->ldap_port);
	}

	if (lmap->ldap_uri != NULL)
	{
#if SM_CONF_LDAP_INITIALIZE
		/* LDAP server supports URIs so use them directly */
		/*
		**  NOTE(review): the value saved here is ldap_initialize()'s
		**  return code; it reaches errno below without the
		**  E_LDAPBASE offset that the bind failure path adds --
		**  confirm callers decode it as intended.
		*/
		save_errno = ldap_initialize(&ld, lmap->ldap_uri);
#else /* SM_CONF_LDAP_INITIALIZE */
		int err;
		LDAPURLDesc *ludp = NULL;

		/* Blast apart URL and use the ldap_init/ldap_open below */
		err = ldap_url_parse(lmap->ldap_uri, &ludp);
		if (err != 0)
		{
			errno = err + E_LDAPURLBASE;
			return false;
		}
		/* only host and port of the URL are kept; the rest is dropped */
		lmap->ldap_host = sm_strdup_x(ludp->lud_host);
		if (lmap->ldap_host == NULL)
		{
			save_errno = errno;
			ldap_free_urldesc(ludp);
			errno = save_errno;
			return false;
		}
		lmap->ldap_port = ludp->lud_port;
		ldap_free_urldesc(ludp);
#endif /* SM_CONF_LDAP_INITIALIZE */
	}

	/* no handle yet: either no URI was given or it was split above */
	if (ld == NULL)
	{
# if USE_LDAP_INIT
		ld = ldap_init(lmap->ldap_host, lmap->ldap_port);
		save_errno = errno;
# else /* USE_LDAP_INIT */
		/*
		**  If using ldap_open(), the actual connection to the server
		**  happens now so we need the timeout here.  For ldap_init(),
		**  the connection happens at bind time.
		*/

		SM_LDAP_SETTIMEOUT(lmap->ldap_timeout.tv_sec);
		ld = ldap_open(lmap->ldap_host, lmap->ldap_port);
		save_errno = errno;

		/* clear the event if it has not sprung */
		SM_LDAP_CLEARTIMEOUT();
# endif /* USE_LDAP_INIT */
	}

	errno = save_errno;
	if (ld == NULL)
		return false;

	/*
	**  sm_ldap_setopts() is defined outside this excerpt.
	**  NOTE(review): no transport protection is set up in this
	**  function; confirm where (or whether) it is negotiated before
	**  the bind below sends lmap->ldap_secret.
	*/
	sm_ldap_setopts(ld, lmap);

# if USE_LDAP_INIT
	/*
	**  If using ldap_init(), the actual connection to the server
	**  happens at ldap_bind_s() so we need the timeout here.
	*/

	/*
	**  NOTE(review): if the timer fires, the macro returns false from
	**  this function right here; ld is not released on that path.
	*/
	SM_LDAP_SETTIMEOUT(lmap->ldap_timeout.tv_sec);
# endif /* USE_LDAP_INIT */

# ifdef LDAP_AUTH_KRBV4
	if (lmap->ldap_method == LDAP_AUTH_KRBV4 &&
	    lmap->ldap_secret != NULL)
	{
		/*
		**  Need to put ticket in environment here instead of
		**  during parseargs as there may be different tickets
		**  for different LDAP connections.
		*/

		/*
		**  NOTE(review): putenv() installs the passed string itself
		**  in the environment, so the value stays visible through
		**  environ and is inherited by child processes.
		*/
		(void) putenv(lmap->ldap_secret);
	}
# endif /* LDAP_AUTH_KRBV4 */

	bind_result = ldap_bind_s(ld, lmap->ldap_binddn,
				  lmap->ldap_secret, lmap->ldap_method);

# if USE_LDAP_INIT
	/* clear the event if it has not sprung */
	SM_LDAP_CLEARTIMEOUT();
# endif /* USE_LDAP_INIT */

	if (bind_result != LDAP_SUCCESS)
	{
		/*
		**  NOTE(review): ld is not unbound before returning, so
		**  the handle appears to be leaked on a failed bind.
		*/
		errno = bind_result + E_LDAPBASE;
		return false;
	}

	/* Save PID to make sure only this PID closes the LDAP connection */
	lmap->ldap_pid = getpid();
	lmap->ldap_ld = ld;
	return true;
}
2727c478bd9Sstevel@tonic-gate 
/*
**  LDAPTIMEOUT -- event callback armed by SM_LDAP_SETTIMEOUT()
**
**	Sets errno to ETIMEDOUT and longjmp()s to LDAPTimeout, which
**	makes the function that armed the timer return false.
**
**	Parameters:
**		unused -- ignored.
**
**	Returns:
**		does not return (longjmp).
**
**	NOTE(review): the jump may leave the interrupted LDAP library
**	call half finished; the handle involved should presumably not
**	be reused afterwards -- confirm against callers.
*/

/* ARGSUSED */
static void
ldaptimeout(unused)
	int unused;
{
	/*
	**  NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER.  DO NOT ADD
	**	ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
	**	DOING.
	*/

	errno = ETIMEDOUT;
	longjmp(LDAPTimeout, 1);
}
2877c478bd9Sstevel@tonic-gate 
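/*
**  SM_LDAP_SEARCH_M -- initiate multi-key LDAP search
**
**	Expand lmap->ldap_filter into a local buffer, initiate an LDAP
**	search with the result and return the msgid.
**	The calling function must collect the results.
**
**	Escapes recognized in lmap->ldap_filter:
**		%s -- argv[0], copied verbatim (NOT escaped)
**		%0 -- argv[0] with '*', '(', ')' and '\' hex-escaped
**		%1 .. %9 -- argv[1] .. argv[9], escaped like %0; only
**			    when lmap->ldap_multi_args is set
**		%% -- a single '%'
**		any other %x is copied through unchanged
**
**	Parameters:
**		lmap -- LDAP map information
**		argv -- key vector of substitutions in LDAP filter
**		        NOTE: argv must have SM_LDAP_ARGS elements to prevent
**			      out of bound array references
**
**	Returns:
**		<0 on failure (SM_LDAP_ERR*), msgid on success
**
**	Security notes:
**		%s inserts the key without escaping, so filter
**		metacharacters in the key become part of the query.
**		Maps whose keys can come from untrusted input should
**		use %0 (or %1 .. %9) instead.
**
**		The expansion is cut off silently once the buffer
**		(LDAPMAP_MAX_FILTER bytes plus terminator) is full; the
**		shortened filter is still handed to ldap_search().
**		NOTE(review): consider reporting truncation as an error.
*/

int
sm_ldap_search_m(lmap, argv)
	SM_LDAP_STRUCT *lmap;
	char **argv;
{
	int msgid;
	char *fp, *p, *q;
	char filter[LDAPMAP_MAX_FILTER + 1];

	SM_REQUIRE(lmap != NULL);
	SM_REQUIRE(argv != NULL);
	SM_REQUIRE(argv[0] != NULL);

	/* zero-filled so the raw byte stores below leave a terminator */
	memset(filter, '\0', sizeof filter);
	fp = filter;
	p = lmap->ldap_filter;
	while ((q = strchr(p, '%')) != NULL)
	{
		char *key;

		/* pick the key that this escape refers to */
		if (lmap->ldap_multi_args)
		{
#if SM_LDAP_ARGS < 10
# ERROR _SM_LDAP_ARGS must be 10
#endif /* SM_LDAP_ARGS < 10 */
			if (q[1] == 's')
				key = argv[0];
			else if (q[1] >= '0' && q[1] <= '9')
			{
				key = argv[q[1] - '0'];
				if (key == NULL)
				{
# if SM_LDAP_ERROR_ON_MISSING_ARGS
					return SM_LDAP_ERR_ARG_MISS;
# else /* SM_LDAP_ERROR_ON_MISSING_ARGS */
					key = "";
# endif /* SM_LDAP_ERROR_ON_MISSING_ARGS */
				}
			}
			else
				key = NULL;	/* not a key escape; unused below */
		}
		else
			key = argv[0];

		if (q[1] == 's')
		{
			/* text before the escape, then the key as is */
			(void) sm_snprintf(fp, SPACELEFT(filter, fp),
					   "%.*s%s", (int) (q - p), p, key);
			fp += strlen(fp);
			p = q + 2;
		}
		else if (q[1] == '0' ||
			 (lmap->ldap_multi_args && q[1] >= '0' && q[1] <= '9'))
		{
			char *k = key;

			(void) sm_snprintf(fp, SPACELEFT(filter, fp),
					   "%.*s", (int) (q - p), p);
			fp += strlen(fp);
			p = q + 2;

			/*
			**  Properly escape LDAP special characters.
			**
			**  Stop while one byte is still free: a plain
			**  character is stored with *fp++, and storing it
			**  into the last byte of filter would overwrite
			**  the terminator, leaving the strlen() calls
			**  and ldap_search() below to read past the end
			**  of the buffer.  (SPACELEFT is defined outside
			**  this excerpt; this assumes it yields the bytes
			**  from fp to the end of filter.)
			*/

			while (SPACELEFT(filter, fp) > 1 &&
			       *k != '\0')
			{
				const char *esc;

				switch (*k)
				{
				  case '*':
					esc = "\\2A";
					break;
				  case '(':
					esc = "\\28";
					break;
				  case ')':
					esc = "\\29";
					break;
				  case '\\':
					esc = "\\5C";
					break;
				  default:
					esc = NULL;
					break;
				}

				if (esc != NULL)
				{
					(void) sm_strlcat(fp, esc,
						SPACELEFT(filter, fp));
					fp += strlen(fp);
					k++;
				}
				else
					*fp++ = *k++;
			}
		}
		else
		{
			/* "%%" yields one '%'; any other "%x" is kept as is */
			(void) sm_snprintf(fp, SPACELEFT(filter, fp),
				"%.*s", (int) (q - p + 1), p);
			p = q + (q[1] == '%' ? 2 : 1);
			fp += strlen(fp);
		}
	}

	/* remainder of the template after the last escape */
	(void) sm_strlcpy(fp, p, SPACELEFT(filter, fp));
	if (sm_debug_active(&SmLDAPTrace, 20))
		sm_dprintf("ldap search filter=%s\n", filter);

	lmap->ldap_res = NULL;
	msgid = ldap_search(lmap->ldap_ld, lmap->ldap_base,
			    lmap->ldap_scope, filter,
			    (lmap->ldap_attr[0] == NULL ? NULL :
			     lmap->ldap_attr),
			    lmap->ldap_attrsonly);
	return msgid;
}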
4087c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_SEARCH -- initiate LDAP search
**
**	Single-key front end to sm_ldap_search_m(): the key is placed
**	in slot 0 of an otherwise zeroed SM_LDAP_ARGS-element vector.
**	The msgid is returned; the calling function must collect the
**	results.
**
**	Parameters:
**		lmap -- LDAP map information
**		key -- key to substitute in LDAP filter
**
**	Returns:
**		<0 on failure, msgid on success
**
*/

int
sm_ldap_search(lmap, key)
	SM_LDAP_STRUCT *lmap;
	char *key;
{
	char *keys[SM_LDAP_ARGS];

	/* full-sized vector so %0 .. %9 can never index out of bounds */
	memset(keys, '\0', sizeof keys);
	keys[0] = key;

	return sm_ldap_search_m(lmap, keys);
}
436058561cbSjbeck 
/*
**  SM_LDAP_HAS_OBJECTCLASS -- determine if an LDAP entry is part of a
**			       particular objectClass
**
**	Each objectClass value of the entry is compared, ignoring
**	case and over its full length, with every '|'-separated
**	alternative in ocvalue.
**
**	Parameters:
**		lmap -- pointer to SM_LDAP_STRUCT in use
**		entry -- current LDAP entry struct
**		ocvalue -- particular objectclass in question.
**			   may be of form (fee|foo|fum) meaning
**			   any entry can be part of either fee,
**			   foo or fum objectclass
**
**	Returns:
**		true if item has that objectClass
*/

static bool
sm_ldap_has_objectclass(lmap, entry, ocvalue)
	SM_LDAP_STRUCT *lmap;
	LDAPMessage *entry;
	char *ocvalue;
{
	char **vals;
	int i;
	bool found = false;

	if (ocvalue == NULL)
		return false;

	vals = ldap_get_values(lmap->ldap_ld, entry, "objectClass");
	if (vals == NULL)
		return false;

	for (i = 0; !found && vals[i] != NULL; i++)
	{
		size_t vlen = strlen(vals[i]);
		char *start = ocvalue;

		while (*start != '\0')
		{
			char *end = start;

			/* find the end of this alternative */
			while (*end != '\0' && *end != '|')
				end++;

			/* equal length and equal text means a match */
			if ((size_t) (end - start) == vlen &&
			    sm_strncasecmp(vals[i], start, end - start) == 0)
			{
				found = true;
				break;
			}

			/* step over the separator(s) to the next one */
			while (*end == '|')
				end++;
			start = end;
		}
	}

	/* the value array is released on every path that obtained it */
	ldap_value_free(vals);
	return found;
}
4967c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_RESULTS -- return results from an LDAP lookup in result
**
**	Parameters:
**		lmap -- pointer to SM_LDAP_STRUCT in use
**		msgid -- msgid returned by sm_ldap_search()
**		flags -- flags for the lookup
**		delim -- delimiter for result concatenation
**		rpool -- memory pool for storage
**		result -- return string
**		recurse -- recursion list
**
**	Returns:
**		status (sysexit)
*/
5127c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_ERROR_CLEANUP -- release the pending result and abandon
**	the outstanding request
**
**	Expands inside the calling function and uses its "lmap" and
**	"msgid": frees lmap->ldap_res if set, resets it to NULL so it
**	cannot be freed twice, then calls ldap_abandon() for msgid.
**
**	NOTE(review): the body is a bare { } block rather than
**	do { } while (0), so "if (x) SM_LDAP_ERROR_CLEANUP(); else ..."
**	would not compile; use it only as a statement inside braces.
*/

# define SM_LDAP_ERROR_CLEANUP()				\
{								\
	if (lmap->ldap_res != NULL)				\
	{							\
		ldap_msgfree(lmap->ldap_res);			\
		lmap->ldap_res = NULL;				\
	}							\
	(void) ldap_abandon(lmap->ldap_ld, msgid);		\
}
5227c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_ADD_RECURSE -- find or insert item:type in a sorted list
**
**	The list is kept in ascending order, compared first by item
**	(ignoring case) and then by type.  It is created on first use
**	and its pointer array is grown as needed.
**
**	Parameters:
**		top -- address of the list pointer; set if *top is NULL
**		item -- search string of the entry
**		type -- type of the entry
**		rpool -- memory pool for storage
**
**	Returns:
**		the existing entry if item:type is already listed,
**		otherwise the newly inserted entry (lr_done == false).
*/

static SM_LDAP_RECURSE_ENTRY *
sm_ldap_add_recurse(top, item, type, rpool)
	SM_LDAP_RECURSE_LIST **top;
	char *item;
	int type;
	SM_RPOOL_T *rpool;
{
	int lo;
	int hi;
	int mid;
	int slot;
	int tailbytes;
	int prevbytes;
	int cmp;
	SM_LDAP_RECURSE_ENTRY *fresh;
	SM_LDAP_RECURSE_ENTRY **prevdata;
	SM_LDAP_RECURSE_LIST *list;

	/* first call: create an empty list header */
	if (*top == NULL)
	{
		*top = sm_rpool_malloc_x(rpool, sizeof **top);
		(*top)->lrl_cnt = 0;
		(*top)->lrl_size = 0;
		(*top)->lrl_data = NULL;
	}
	list = *top;

	/* pointer array full: start at 256 slots, afterwards double */
	if (list->lrl_cnt >= list->lrl_size)
	{
		prevdata = list->lrl_data;
		if (list->lrl_size == 0)
		{
			prevbytes = 0;
			list->lrl_size = 256;
		}
		else
		{
			prevbytes = list->lrl_size * sizeof *(list->lrl_data);
			list->lrl_size *= 2;
		}
		list->lrl_data = sm_rpool_malloc_x(rpool,
					list->lrl_size * sizeof *(list->lrl_data));

		/* carry the existing pointers over; the old array is not freed here */
		if (prevbytes > 0)
			memcpy(list->lrl_data, prevdata, prevbytes);
	}

	/*
	**  Binary search for item:type.  slot stays -1 until the
	**  insert position is known; an empty list inserts at 0.
	*/

	lo = 0;
	hi = list->lrl_cnt - 1;
	slot = (hi < 0) ? 0 : -1;

	while (slot == -1)
	{
		mid = (hi + lo) / 2;

		cmp = sm_strcasecmp(item, list->lrl_data[mid]->lr_search);
		if (cmp == 0)
			cmp = type - list->lrl_data[mid]->lr_type;

		/* already listed: hand back the existing entry */
		if (cmp == 0)
			return list->lrl_data[mid];

		if (cmp < 0)
			hi = mid - 1;
		else
			lo = mid + 1;

		if (hi == -1)
			slot = 0;
		else if (lo >= list->lrl_cnt)
			slot = list->lrl_cnt;
		else if (hi < lo)
			slot = hi + 1;
	}

	/* not listed yet: open a gap at slot and fill in a new entry */
	fresh = sm_rpool_malloc_x(rpool, sizeof *fresh);
	if (fresh != NULL)
	{
		tailbytes = (list->lrl_cnt - slot) * sizeof *(list->lrl_data);
		if (tailbytes > 0)
			memmove(&(list->lrl_data[slot + 1]),
				&(list->lrl_data[slot]),
				tailbytes);

		fresh->lr_search = sm_rpool_strdup_x(rpool, item);
		fresh->lr_type = type;
		fresh->lr_ludp = NULL;
		fresh->lr_attrs = NULL;
		fresh->lr_done = false;

		list->lrl_data[slot] = fresh;
		list->lrl_cnt++;
	}
	return fresh;
}
6357c478bd9Sstevel@tonic-gate 
6367c478bd9Sstevel@tonic-gate int
6377c478bd9Sstevel@tonic-gate sm_ldap_results(lmap, msgid, flags, delim, rpool, result,
6387c478bd9Sstevel@tonic-gate 		resultln, resultsz, recurse)
6397c478bd9Sstevel@tonic-gate 	SM_LDAP_STRUCT *lmap;
6407c478bd9Sstevel@tonic-gate 	int msgid;
6417c478bd9Sstevel@tonic-gate 	int flags;
6427c478bd9Sstevel@tonic-gate 	int delim;
6437c478bd9Sstevel@tonic-gate 	SM_RPOOL_T *rpool;
6447c478bd9Sstevel@tonic-gate 	char **result;
6457c478bd9Sstevel@tonic-gate 	int *resultln;
6467c478bd9Sstevel@tonic-gate 	int *resultsz;
6477c478bd9Sstevel@tonic-gate 	SM_LDAP_RECURSE_LIST *recurse;
6487c478bd9Sstevel@tonic-gate {
6497c478bd9Sstevel@tonic-gate 	bool toplevel;
6507c478bd9Sstevel@tonic-gate 	int i;
6517c478bd9Sstevel@tonic-gate 	int statp;
6527c478bd9Sstevel@tonic-gate 	int vsize;
6537c478bd9Sstevel@tonic-gate 	int ret;
6547c478bd9Sstevel@tonic-gate 	int save_errno;
6557c478bd9Sstevel@tonic-gate 	char *p;
6567c478bd9Sstevel@tonic-gate 	SM_LDAP_RECURSE_ENTRY *rl;
6577c478bd9Sstevel@tonic-gate 
6587c478bd9Sstevel@tonic-gate 	/* Are we the top level of the search? */
6597c478bd9Sstevel@tonic-gate 	toplevel = (recurse == NULL);
6607c478bd9Sstevel@tonic-gate 
6617c478bd9Sstevel@tonic-gate 	/* Get results */
6627c478bd9Sstevel@tonic-gate 	statp = EX_NOTFOUND;
6637c478bd9Sstevel@tonic-gate 	while ((ret = ldap_result(lmap->ldap_ld, msgid, 0,
6647c478bd9Sstevel@tonic-gate 				  (lmap->ldap_timeout.tv_sec == 0 ? NULL :
6657c478bd9Sstevel@tonic-gate 				   &(lmap->ldap_timeout)),
6667c478bd9Sstevel@tonic-gate 				  &(lmap->ldap_res))) == LDAP_RES_SEARCH_ENTRY)
6677c478bd9Sstevel@tonic-gate 	{
6687c478bd9Sstevel@tonic-gate 		LDAPMessage *entry;
6697c478bd9Sstevel@tonic-gate 
6707c478bd9Sstevel@tonic-gate 		/* If we don't want multiple values and we have one, break */
6717c478bd9Sstevel@tonic-gate 		if ((char) delim == '\0' &&
6727c478bd9Sstevel@tonic-gate 		    !bitset(SM_LDAP_SINGLEMATCH, flags) &&
6737c478bd9Sstevel@tonic-gate 		    *result != NULL)
6747c478bd9Sstevel@tonic-gate 			break;
6757c478bd9Sstevel@tonic-gate 
6767c478bd9Sstevel@tonic-gate 		/* Cycle through all entries */
6777c478bd9Sstevel@tonic-gate 		for (entry = ldap_first_entry(lmap->ldap_ld, lmap->ldap_res);
6787c478bd9Sstevel@tonic-gate 		     entry != NULL;
6797c478bd9Sstevel@tonic-gate 		     entry = ldap_next_entry(lmap->ldap_ld, lmap->ldap_res))
6807c478bd9Sstevel@tonic-gate 		{
6817c478bd9Sstevel@tonic-gate 			BerElement *ber;
6827c478bd9Sstevel@tonic-gate 			char *attr;
6837c478bd9Sstevel@tonic-gate 			char **vals = NULL;
6847c478bd9Sstevel@tonic-gate 			char *dn;
6857c478bd9Sstevel@tonic-gate 
6867c478bd9Sstevel@tonic-gate 			/*
6877c478bd9Sstevel@tonic-gate 			**  If matching only and found an entry,
6887c478bd9Sstevel@tonic-gate 			**  no need to spin through attributes
6897c478bd9Sstevel@tonic-gate 			*/
6907c478bd9Sstevel@tonic-gate 
6917c478bd9Sstevel@tonic-gate 			if (bitset(SM_LDAP_MATCHONLY, flags))
6927c478bd9Sstevel@tonic-gate 			{
6937c478bd9Sstevel@tonic-gate 				statp = EX_OK;
6947c478bd9Sstevel@tonic-gate 				continue;
6957c478bd9Sstevel@tonic-gate 			}
6967c478bd9Sstevel@tonic-gate 
69749218d4fSjbeck #if _FFR_LDAP_SINGLEDN
69849218d4fSjbeck 			if (bitset(SM_LDAP_SINGLEDN, flags) && *result != NULL)
69949218d4fSjbeck 			{
70049218d4fSjbeck 				/* only wanted one match */
70149218d4fSjbeck 				SM_LDAP_ERROR_CLEANUP();
70249218d4fSjbeck 				errno = ENOENT;
70349218d4fSjbeck 				return EX_NOTFOUND;
70449218d4fSjbeck 			}
70549218d4fSjbeck #endif /* _FFR_LDAP_SINGLEDN */
70649218d4fSjbeck 
7077c478bd9Sstevel@tonic-gate 			/* record completed DN's to prevent loops */
7087c478bd9Sstevel@tonic-gate 			dn = ldap_get_dn(lmap->ldap_ld, entry);
7097c478bd9Sstevel@tonic-gate 			if (dn == NULL)
7107c478bd9Sstevel@tonic-gate 			{
7117c478bd9Sstevel@tonic-gate 				save_errno = sm_ldap_geterrno(lmap->ldap_ld);
7127c478bd9Sstevel@tonic-gate 				save_errno += E_LDAPBASE;
7137c478bd9Sstevel@tonic-gate 				SM_LDAP_ERROR_CLEANUP();
7147c478bd9Sstevel@tonic-gate 				errno = save_errno;
7157c478bd9Sstevel@tonic-gate 				return EX_TEMPFAIL;
7167c478bd9Sstevel@tonic-gate 			}
7177c478bd9Sstevel@tonic-gate 
7187c478bd9Sstevel@tonic-gate 			rl = sm_ldap_add_recurse(&recurse, dn,
7197c478bd9Sstevel@tonic-gate 						 SM_LDAP_ATTR_DN,
7207c478bd9Sstevel@tonic-gate 						 rpool);
7217c478bd9Sstevel@tonic-gate 
7227c478bd9Sstevel@tonic-gate 			if (rl == NULL)
7237c478bd9Sstevel@tonic-gate 			{
7247c478bd9Sstevel@tonic-gate 				ldap_memfree(dn);
7257c478bd9Sstevel@tonic-gate 				SM_LDAP_ERROR_CLEANUP();
7267c478bd9Sstevel@tonic-gate 				errno = ENOMEM;
7277c478bd9Sstevel@tonic-gate 				return EX_OSERR;
7287c478bd9Sstevel@tonic-gate 			}
7297c478bd9Sstevel@tonic-gate 			else if (rl->lr_done)
7307c478bd9Sstevel@tonic-gate 			{
7317c478bd9Sstevel@tonic-gate 				/* already on list, skip it */
7327c478bd9Sstevel@tonic-gate 				ldap_memfree(dn);
7337c478bd9Sstevel@tonic-gate 				continue;
7347c478bd9Sstevel@tonic-gate 			}
7357c478bd9Sstevel@tonic-gate 			ldap_memfree(dn);
7367c478bd9Sstevel@tonic-gate 
7377c478bd9Sstevel@tonic-gate # if !defined(LDAP_VERSION_MAX) && !defined(LDAP_OPT_SIZELIMIT)
7387c478bd9Sstevel@tonic-gate 			/*
7397c478bd9Sstevel@tonic-gate 			**  Reset value to prevent lingering
7407c478bd9Sstevel@tonic-gate 			**  LDAP_DECODING_ERROR due to
7417c478bd9Sstevel@tonic-gate 			**  OpenLDAP 1.X's hack (see below)
7427c478bd9Sstevel@tonic-gate 			*/
7437c478bd9Sstevel@tonic-gate 
7447c478bd9Sstevel@tonic-gate 			lmap->ldap_ld->ld_errno = LDAP_SUCCESS;
7457c478bd9Sstevel@tonic-gate # endif /* !defined(LDAP_VERSION_MAX) !defined(LDAP_OPT_SIZELIMIT) */
7467c478bd9Sstevel@tonic-gate 
7477c478bd9Sstevel@tonic-gate 			for (attr = ldap_first_attribute(lmap->ldap_ld, entry,
7487c478bd9Sstevel@tonic-gate 							 &ber);
7497c478bd9Sstevel@tonic-gate 			     attr != NULL;
7507c478bd9Sstevel@tonic-gate 			     attr = ldap_next_attribute(lmap->ldap_ld, entry,
7517c478bd9Sstevel@tonic-gate 							ber))
7527c478bd9Sstevel@tonic-gate 			{
7537c478bd9Sstevel@tonic-gate 				char *tmp, *vp_tmp;
7547c478bd9Sstevel@tonic-gate 				int type;
7557c478bd9Sstevel@tonic-gate 				char *needobjclass = NULL;
7567c478bd9Sstevel@tonic-gate 
7577c478bd9Sstevel@tonic-gate 				type = SM_LDAP_ATTR_NONE;
7587c478bd9Sstevel@tonic-gate 				for (i = 0; lmap->ldap_attr[i] != NULL; i++)
7597c478bd9Sstevel@tonic-gate 				{
7607c478bd9Sstevel@tonic-gate 					if (sm_strcasecmp(lmap->ldap_attr[i],
7617c478bd9Sstevel@tonic-gate 							  attr) == 0)
7627c478bd9Sstevel@tonic-gate 					{
7637c478bd9Sstevel@tonic-gate 						type = lmap->ldap_attr_type[i];
7647c478bd9Sstevel@tonic-gate 						needobjclass = lmap->ldap_attr_needobjclass[i];
7657c478bd9Sstevel@tonic-gate 						break;
7667c478bd9Sstevel@tonic-gate 					}
7677c478bd9Sstevel@tonic-gate 				}
7687c478bd9Sstevel@tonic-gate 
7697c478bd9Sstevel@tonic-gate 				if (bitset(SM_LDAP_USE_ALLATTR, flags) &&
7707c478bd9Sstevel@tonic-gate 				    type == SM_LDAP_ATTR_NONE)
7717c478bd9Sstevel@tonic-gate 				{
7727c478bd9Sstevel@tonic-gate 					/* URL lookups specify attrs to use */
7737c478bd9Sstevel@tonic-gate 					type = SM_LDAP_ATTR_NORMAL;
7747c478bd9Sstevel@tonic-gate 					needobjclass = NULL;
7757c478bd9Sstevel@tonic-gate 				}
7767c478bd9Sstevel@tonic-gate 
7777c478bd9Sstevel@tonic-gate 				if (type == SM_LDAP_ATTR_NONE)
7787c478bd9Sstevel@tonic-gate 				{
7797c478bd9Sstevel@tonic-gate 					/* attribute not requested */
7807c478bd9Sstevel@tonic-gate 					ldap_memfree(attr);
7817c478bd9Sstevel@tonic-gate 					SM_LDAP_ERROR_CLEANUP();
7827c478bd9Sstevel@tonic-gate 					errno = EFAULT;
7837c478bd9Sstevel@tonic-gate 					return EX_SOFTWARE;
7847c478bd9Sstevel@tonic-gate 				}
7857c478bd9Sstevel@tonic-gate 
7867c478bd9Sstevel@tonic-gate 				/*
7877c478bd9Sstevel@tonic-gate 				**  For recursion on a particular attribute,
7887c478bd9Sstevel@tonic-gate 				**  we may need to see if this entry is
7897c478bd9Sstevel@tonic-gate 				**  part of a particular objectclass.
7907c478bd9Sstevel@tonic-gate 				**  Also, ignore objectClass attribute.
7917c478bd9Sstevel@tonic-gate 				**  Otherwise we just ignore this attribute.
7927c478bd9Sstevel@tonic-gate 				*/
7937c478bd9Sstevel@tonic-gate 
7947c478bd9Sstevel@tonic-gate 				if (type == SM_LDAP_ATTR_OBJCLASS ||
7957c478bd9Sstevel@tonic-gate 				    (needobjclass != NULL &&
7967c478bd9Sstevel@tonic-gate 				     !sm_ldap_has_objectclass(lmap, entry,
7977c478bd9Sstevel@tonic-gate 							      needobjclass)))
7987c478bd9Sstevel@tonic-gate 				{
7997c478bd9Sstevel@tonic-gate 					ldap_memfree(attr);
8007c478bd9Sstevel@tonic-gate 					continue;
8017c478bd9Sstevel@tonic-gate 				}
8027c478bd9Sstevel@tonic-gate 
8037c478bd9Sstevel@tonic-gate 				if (lmap->ldap_attrsonly == LDAPMAP_FALSE)
8047c478bd9Sstevel@tonic-gate 				{
8057c478bd9Sstevel@tonic-gate 					vals = ldap_get_values(lmap->ldap_ld,
8067c478bd9Sstevel@tonic-gate 							       entry,
8077c478bd9Sstevel@tonic-gate 							       attr);
8087c478bd9Sstevel@tonic-gate 					if (vals == NULL)
8097c478bd9Sstevel@tonic-gate 					{
8107c478bd9Sstevel@tonic-gate 						save_errno = sm_ldap_geterrno(lmap->ldap_ld);
8117c478bd9Sstevel@tonic-gate 						if (save_errno == LDAP_SUCCESS)
8127c478bd9Sstevel@tonic-gate 						{
8137c478bd9Sstevel@tonic-gate 							ldap_memfree(attr);
8147c478bd9Sstevel@tonic-gate 							continue;
8157c478bd9Sstevel@tonic-gate 						}
8167c478bd9Sstevel@tonic-gate 
8177c478bd9Sstevel@tonic-gate 						/* Must be an error */
8187c478bd9Sstevel@tonic-gate 						save_errno += E_LDAPBASE;
8197c478bd9Sstevel@tonic-gate 						ldap_memfree(attr);
8207c478bd9Sstevel@tonic-gate 						SM_LDAP_ERROR_CLEANUP();
8217c478bd9Sstevel@tonic-gate 						errno = save_errno;
8227c478bd9Sstevel@tonic-gate 						return EX_TEMPFAIL;
8237c478bd9Sstevel@tonic-gate 					}
8247c478bd9Sstevel@tonic-gate 				}
8257c478bd9Sstevel@tonic-gate 
8267c478bd9Sstevel@tonic-gate 				statp = EX_OK;
8277c478bd9Sstevel@tonic-gate 
8287c478bd9Sstevel@tonic-gate # if !defined(LDAP_VERSION_MAX) && !defined(LDAP_OPT_SIZELIMIT)
8297c478bd9Sstevel@tonic-gate 				/*
8307c478bd9Sstevel@tonic-gate 				**  Reset value to prevent lingering
8317c478bd9Sstevel@tonic-gate 				**  LDAP_DECODING_ERROR due to
8327c478bd9Sstevel@tonic-gate 				**  OpenLDAP 1.X's hack (see below)
8337c478bd9Sstevel@tonic-gate 				*/
8347c478bd9Sstevel@tonic-gate 
8357c478bd9Sstevel@tonic-gate 				lmap->ldap_ld->ld_errno = LDAP_SUCCESS;
8367c478bd9Sstevel@tonic-gate # endif /* !defined(LDAP_VERSION_MAX) !defined(LDAP_OPT_SIZELIMIT) */
8377c478bd9Sstevel@tonic-gate 
8387c478bd9Sstevel@tonic-gate 				/*
8397c478bd9Sstevel@tonic-gate 				**  If matching only,
8407c478bd9Sstevel@tonic-gate 				**  no need to spin through entries
8417c478bd9Sstevel@tonic-gate 				*/
8427c478bd9Sstevel@tonic-gate 
8437c478bd9Sstevel@tonic-gate 				if (bitset(SM_LDAP_MATCHONLY, flags))
8447c478bd9Sstevel@tonic-gate 				{
8457c478bd9Sstevel@tonic-gate 					if (lmap->ldap_attrsonly == LDAPMAP_FALSE)
8467c478bd9Sstevel@tonic-gate 						ldap_value_free(vals);
8477c478bd9Sstevel@tonic-gate 					ldap_memfree(attr);
8487c478bd9Sstevel@tonic-gate 					continue;
8497c478bd9Sstevel@tonic-gate 				}
8507c478bd9Sstevel@tonic-gate 
8517c478bd9Sstevel@tonic-gate 				/*
8527c478bd9Sstevel@tonic-gate 				**  If we don't want multiple values,
8537c478bd9Sstevel@tonic-gate 				**  return first found.
8547c478bd9Sstevel@tonic-gate 				*/
8557c478bd9Sstevel@tonic-gate 
8567c478bd9Sstevel@tonic-gate 				if ((char) delim == '\0')
8577c478bd9Sstevel@tonic-gate 				{
8587c478bd9Sstevel@tonic-gate 					if (*result != NULL)
8597c478bd9Sstevel@tonic-gate 					{
8607c478bd9Sstevel@tonic-gate 						/* already have a value */
8617c478bd9Sstevel@tonic-gate 						if (bitset(SM_LDAP_SINGLEMATCH,
8627c478bd9Sstevel@tonic-gate 							   flags))
8637c478bd9Sstevel@tonic-gate 						{
8647c478bd9Sstevel@tonic-gate 							/* only wanted one match */
8657c478bd9Sstevel@tonic-gate 							SM_LDAP_ERROR_CLEANUP();
8667c478bd9Sstevel@tonic-gate 							errno = ENOENT;
8677c478bd9Sstevel@tonic-gate 							return EX_NOTFOUND;
8687c478bd9Sstevel@tonic-gate 						}
8697c478bd9Sstevel@tonic-gate 						break;
8707c478bd9Sstevel@tonic-gate 					}
8717c478bd9Sstevel@tonic-gate 
8727c478bd9Sstevel@tonic-gate 					if (lmap->ldap_attrsonly == LDAPMAP_TRUE)
8737c478bd9Sstevel@tonic-gate 					{
8747c478bd9Sstevel@tonic-gate 						*result = sm_rpool_strdup_x(rpool,
8757c478bd9Sstevel@tonic-gate 									    attr);
8767c478bd9Sstevel@tonic-gate 						ldap_memfree(attr);
8777c478bd9Sstevel@tonic-gate 						break;
8787c478bd9Sstevel@tonic-gate 					}
8797c478bd9Sstevel@tonic-gate 
8807c478bd9Sstevel@tonic-gate 					if (vals[0] == NULL)
8817c478bd9Sstevel@tonic-gate 					{
8827c478bd9Sstevel@tonic-gate 						ldap_value_free(vals);
8837c478bd9Sstevel@tonic-gate 						ldap_memfree(attr);
8847c478bd9Sstevel@tonic-gate 						continue;
8857c478bd9Sstevel@tonic-gate 					}
8867c478bd9Sstevel@tonic-gate 
8877c478bd9Sstevel@tonic-gate 					vsize = strlen(vals[0]) + 1;
8887c478bd9Sstevel@tonic-gate 					if (lmap->ldap_attrsep != '\0')
8897c478bd9Sstevel@tonic-gate 						vsize += strlen(attr) + 1;
8907c478bd9Sstevel@tonic-gate 					*result = sm_rpool_malloc_x(rpool,
8917c478bd9Sstevel@tonic-gate 								    vsize);
8927c478bd9Sstevel@tonic-gate 					if (lmap->ldap_attrsep != '\0')
8937c478bd9Sstevel@tonic-gate 						sm_snprintf(*result, vsize,
8947c478bd9Sstevel@tonic-gate 							    "%s%c%s",
8957c478bd9Sstevel@tonic-gate 							    attr,
8967c478bd9Sstevel@tonic-gate 							    lmap->ldap_attrsep,
8977c478bd9Sstevel@tonic-gate 							    vals[0]);
8987c478bd9Sstevel@tonic-gate 					else
8997c478bd9Sstevel@tonic-gate 						sm_strlcpy(*result, vals[0],
9007c478bd9Sstevel@tonic-gate 							   vsize);
9017c478bd9Sstevel@tonic-gate 					ldap_value_free(vals);
9027c478bd9Sstevel@tonic-gate 					ldap_memfree(attr);
9037c478bd9Sstevel@tonic-gate 					break;
9047c478bd9Sstevel@tonic-gate 				}
9057c478bd9Sstevel@tonic-gate 
9067c478bd9Sstevel@tonic-gate 				/* attributes only */
9077c478bd9Sstevel@tonic-gate 				if (lmap->ldap_attrsonly == LDAPMAP_TRUE)
9087c478bd9Sstevel@tonic-gate 				{
9097c478bd9Sstevel@tonic-gate 					if (*result == NULL)
9107c478bd9Sstevel@tonic-gate 						*result = sm_rpool_strdup_x(rpool,
9117c478bd9Sstevel@tonic-gate 									    attr);
9127c478bd9Sstevel@tonic-gate 					else
9137c478bd9Sstevel@tonic-gate 					{
9147c478bd9Sstevel@tonic-gate 						if (bitset(SM_LDAP_SINGLEMATCH,
9157c478bd9Sstevel@tonic-gate 							   flags) &&
9167c478bd9Sstevel@tonic-gate 						    *result != NULL)
9177c478bd9Sstevel@tonic-gate 						{
9187c478bd9Sstevel@tonic-gate 							/* only wanted one match */
9197c478bd9Sstevel@tonic-gate 							SM_LDAP_ERROR_CLEANUP();
9207c478bd9Sstevel@tonic-gate 							errno = ENOENT;
9217c478bd9Sstevel@tonic-gate 							return EX_NOTFOUND;
9227c478bd9Sstevel@tonic-gate 						}
9237c478bd9Sstevel@tonic-gate 
9247c478bd9Sstevel@tonic-gate 						vsize = strlen(*result) +
9257c478bd9Sstevel@tonic-gate 							strlen(attr) + 2;
9267c478bd9Sstevel@tonic-gate 						tmp = sm_rpool_malloc_x(rpool,
9277c478bd9Sstevel@tonic-gate 									vsize);
9287c478bd9Sstevel@tonic-gate 						(void) sm_snprintf(tmp,
9297c478bd9Sstevel@tonic-gate 							vsize, "%s%c%s",
9307c478bd9Sstevel@tonic-gate 							*result, (char) delim,
9317c478bd9Sstevel@tonic-gate 							attr);
9327c478bd9Sstevel@tonic-gate 						*result = tmp;
9337c478bd9Sstevel@tonic-gate 					}
9347c478bd9Sstevel@tonic-gate 					ldap_memfree(attr);
9357c478bd9Sstevel@tonic-gate 					continue;
9367c478bd9Sstevel@tonic-gate 				}
9377c478bd9Sstevel@tonic-gate 
9387c478bd9Sstevel@tonic-gate 				/*
9397c478bd9Sstevel@tonic-gate 				**  If there is more than one, munge them
9407c478bd9Sstevel@tonic-gate 				**  into a map_coldelim separated string.
9417c478bd9Sstevel@tonic-gate 				**  If we are recursing we may have an entry
9427c478bd9Sstevel@tonic-gate 				**  with no 'normal' values to put in the
9437c478bd9Sstevel@tonic-gate 				**  string.
9447c478bd9Sstevel@tonic-gate 				**  This is not an error.
9457c478bd9Sstevel@tonic-gate 				*/
9467c478bd9Sstevel@tonic-gate 
9477c478bd9Sstevel@tonic-gate 				if (type == SM_LDAP_ATTR_NORMAL &&
9487c478bd9Sstevel@tonic-gate 				    bitset(SM_LDAP_SINGLEMATCH, flags) &&
9497c478bd9Sstevel@tonic-gate 				    *result != NULL)
9507c478bd9Sstevel@tonic-gate 				{
9517c478bd9Sstevel@tonic-gate 					/* only wanted one match */
9527c478bd9Sstevel@tonic-gate 					SM_LDAP_ERROR_CLEANUP();
9537c478bd9Sstevel@tonic-gate 					errno = ENOENT;
9547c478bd9Sstevel@tonic-gate 					return EX_NOTFOUND;
9557c478bd9Sstevel@tonic-gate 				}
9567c478bd9Sstevel@tonic-gate 
9577c478bd9Sstevel@tonic-gate 				vsize = 0;
9587c478bd9Sstevel@tonic-gate 				for (i = 0; vals[i] != NULL; i++)
9597c478bd9Sstevel@tonic-gate 				{
9607c478bd9Sstevel@tonic-gate 					if (type == SM_LDAP_ATTR_DN ||
9617c478bd9Sstevel@tonic-gate 					    type == SM_LDAP_ATTR_FILTER ||
9627c478bd9Sstevel@tonic-gate 					    type == SM_LDAP_ATTR_URL)
9637c478bd9Sstevel@tonic-gate 					{
9647c478bd9Sstevel@tonic-gate 						/* add to recursion */
9657c478bd9Sstevel@tonic-gate 						if (sm_ldap_add_recurse(&recurse,
9667c478bd9Sstevel@tonic-gate 									vals[i],
9677c478bd9Sstevel@tonic-gate 									type,
9687c478bd9Sstevel@tonic-gate 									rpool) == NULL)
9697c478bd9Sstevel@tonic-gate 						{
9707c478bd9Sstevel@tonic-gate 							SM_LDAP_ERROR_CLEANUP();
9717c478bd9Sstevel@tonic-gate 							errno = ENOMEM;
9727c478bd9Sstevel@tonic-gate 							return EX_OSERR;
9737c478bd9Sstevel@tonic-gate 						}
9747c478bd9Sstevel@tonic-gate 						continue;
9757c478bd9Sstevel@tonic-gate 					}
9767c478bd9Sstevel@tonic-gate 
9777c478bd9Sstevel@tonic-gate 					vsize += strlen(vals[i]) + 1;
9787c478bd9Sstevel@tonic-gate 					if (lmap->ldap_attrsep != '\0')
9797c478bd9Sstevel@tonic-gate 						vsize += strlen(attr) + 1;
9807c478bd9Sstevel@tonic-gate 				}
9817c478bd9Sstevel@tonic-gate 
9827c478bd9Sstevel@tonic-gate 				/*
9837c478bd9Sstevel@tonic-gate 				**  Create/Append to string any normal
9847c478bd9Sstevel@tonic-gate 				**  attribute values.  Otherwise, just free
9857c478bd9Sstevel@tonic-gate 				**  memory and move on to the next
9867c478bd9Sstevel@tonic-gate 				**  attribute in this entry.
9877c478bd9Sstevel@tonic-gate 				*/
9887c478bd9Sstevel@tonic-gate 
9897c478bd9Sstevel@tonic-gate 				if (type == SM_LDAP_ATTR_NORMAL && vsize > 0)
9907c478bd9Sstevel@tonic-gate 				{
9917c478bd9Sstevel@tonic-gate 					char *pe;
9927c478bd9Sstevel@tonic-gate 
9937c478bd9Sstevel@tonic-gate 					/* Grow result string if needed */
9947c478bd9Sstevel@tonic-gate 					if ((*resultln + vsize) >= *resultsz)
9957c478bd9Sstevel@tonic-gate 					{
9967c478bd9Sstevel@tonic-gate 						while ((*resultln + vsize) >= *resultsz)
9977c478bd9Sstevel@tonic-gate 						{
9987c478bd9Sstevel@tonic-gate 							if (*resultsz == 0)
9997c478bd9Sstevel@tonic-gate 								*resultsz = 1024;
10007c478bd9Sstevel@tonic-gate 							else
10017c478bd9Sstevel@tonic-gate 								*resultsz *= 2;
10027c478bd9Sstevel@tonic-gate 						}
10037c478bd9Sstevel@tonic-gate 
10047c478bd9Sstevel@tonic-gate 						vp_tmp = sm_rpool_malloc_x(rpool, *resultsz);
10057c478bd9Sstevel@tonic-gate 						*vp_tmp = '\0';
10067c478bd9Sstevel@tonic-gate 
10077c478bd9Sstevel@tonic-gate 						if (*result != NULL)
10087c478bd9Sstevel@tonic-gate 							sm_strlcpy(vp_tmp,
10097c478bd9Sstevel@tonic-gate 								   *result,
10107c478bd9Sstevel@tonic-gate 								   *resultsz);
10117c478bd9Sstevel@tonic-gate 						*result = vp_tmp;
10127c478bd9Sstevel@tonic-gate 					}
10137c478bd9Sstevel@tonic-gate 
10147c478bd9Sstevel@tonic-gate 					p = *result + *resultln;
10157c478bd9Sstevel@tonic-gate 					pe = *result + *resultsz;
10167c478bd9Sstevel@tonic-gate 
10177c478bd9Sstevel@tonic-gate 					for (i = 0; vals[i] != NULL; i++)
10187c478bd9Sstevel@tonic-gate 					{
10197c478bd9Sstevel@tonic-gate 						if (*resultln > 0 &&
10207c478bd9Sstevel@tonic-gate 						    p < pe)
10217c478bd9Sstevel@tonic-gate 							*p++ = (char) delim;
10227c478bd9Sstevel@tonic-gate 
10237c478bd9Sstevel@tonic-gate 						if (lmap->ldap_attrsep != '\0')
10247c478bd9Sstevel@tonic-gate 						{
10257c478bd9Sstevel@tonic-gate 							p += sm_strlcpy(p, attr,
10267c478bd9Sstevel@tonic-gate 									pe - p);
10277c478bd9Sstevel@tonic-gate 							if (p < pe)
10287c478bd9Sstevel@tonic-gate 								*p++ = lmap->ldap_attrsep;
10297c478bd9Sstevel@tonic-gate 						}
10307c478bd9Sstevel@tonic-gate 
10317c478bd9Sstevel@tonic-gate 						p += sm_strlcpy(p, vals[i],
10327c478bd9Sstevel@tonic-gate 								pe - p);
10337c478bd9Sstevel@tonic-gate 						*resultln = p - (*result);
10347c478bd9Sstevel@tonic-gate 						if (p >= pe)
10357c478bd9Sstevel@tonic-gate 						{
10367c478bd9Sstevel@tonic-gate 							/* Internal error: buffer too small for LDAP values */
10377c478bd9Sstevel@tonic-gate 							SM_LDAP_ERROR_CLEANUP();
10387c478bd9Sstevel@tonic-gate 							errno = ENOMEM;
10397c478bd9Sstevel@tonic-gate 							return EX_OSERR;
10407c478bd9Sstevel@tonic-gate 						}
10417c478bd9Sstevel@tonic-gate 					}
10427c478bd9Sstevel@tonic-gate 				}
10437c478bd9Sstevel@tonic-gate 
10447c478bd9Sstevel@tonic-gate 				ldap_value_free(vals);
10457c478bd9Sstevel@tonic-gate 				ldap_memfree(attr);
10467c478bd9Sstevel@tonic-gate 			}
10477c478bd9Sstevel@tonic-gate 			save_errno = sm_ldap_geterrno(lmap->ldap_ld);
10487c478bd9Sstevel@tonic-gate 
10497c478bd9Sstevel@tonic-gate 			/*
10507c478bd9Sstevel@tonic-gate 			**  We check save_errno != LDAP_DECODING_ERROR since
10517c478bd9Sstevel@tonic-gate 			**  OpenLDAP 1.X has a very ugly *undocumented*
10527c478bd9Sstevel@tonic-gate 			**  hack of returning this error code from
10537c478bd9Sstevel@tonic-gate 			**  ldap_next_attribute() if the library freed the
10547c478bd9Sstevel@tonic-gate 			**  ber attribute.  See:
10557c478bd9Sstevel@tonic-gate 			**  http://www.openldap.org/lists/openldap-devel/9901/msg00064.html
10567c478bd9Sstevel@tonic-gate 			*/
10577c478bd9Sstevel@tonic-gate 
10587c478bd9Sstevel@tonic-gate 			if (save_errno != LDAP_SUCCESS &&
10597c478bd9Sstevel@tonic-gate 			    save_errno != LDAP_DECODING_ERROR)
10607c478bd9Sstevel@tonic-gate 			{
10617c478bd9Sstevel@tonic-gate 				/* Must be an error */
10627c478bd9Sstevel@tonic-gate 				save_errno += E_LDAPBASE;
10637c478bd9Sstevel@tonic-gate 				SM_LDAP_ERROR_CLEANUP();
10647c478bd9Sstevel@tonic-gate 				errno = save_errno;
10657c478bd9Sstevel@tonic-gate 				return EX_TEMPFAIL;
10667c478bd9Sstevel@tonic-gate 			}
10677c478bd9Sstevel@tonic-gate 
10687c478bd9Sstevel@tonic-gate 			/* mark this DN as done */
10697c478bd9Sstevel@tonic-gate 			rl->lr_done = true;
10707c478bd9Sstevel@tonic-gate 			if (rl->lr_ludp != NULL)
10717c478bd9Sstevel@tonic-gate 			{
10727c478bd9Sstevel@tonic-gate 				ldap_free_urldesc(rl->lr_ludp);
10737c478bd9Sstevel@tonic-gate 				rl->lr_ludp = NULL;
10747c478bd9Sstevel@tonic-gate 			}
10757c478bd9Sstevel@tonic-gate 			if (rl->lr_attrs != NULL)
10767c478bd9Sstevel@tonic-gate 			{
10777c478bd9Sstevel@tonic-gate 				free(rl->lr_attrs);
10787c478bd9Sstevel@tonic-gate 				rl->lr_attrs = NULL;
10797c478bd9Sstevel@tonic-gate 			}
10807c478bd9Sstevel@tonic-gate 
10817c478bd9Sstevel@tonic-gate 			/* We don't want multiple values and we have one */
10827c478bd9Sstevel@tonic-gate 			if ((char) delim == '\0' &&
10837c478bd9Sstevel@tonic-gate 			    !bitset(SM_LDAP_SINGLEMATCH, flags) &&
10847c478bd9Sstevel@tonic-gate 			    *result != NULL)
10857c478bd9Sstevel@tonic-gate 				break;
10867c478bd9Sstevel@tonic-gate 		}
10877c478bd9Sstevel@tonic-gate 		save_errno = sm_ldap_geterrno(lmap->ldap_ld);
10887c478bd9Sstevel@tonic-gate 		if (save_errno != LDAP_SUCCESS &&
10897c478bd9Sstevel@tonic-gate 		    save_errno != LDAP_DECODING_ERROR)
10907c478bd9Sstevel@tonic-gate 		{
10917c478bd9Sstevel@tonic-gate 			/* Must be an error */
10927c478bd9Sstevel@tonic-gate 			save_errno += E_LDAPBASE;
10937c478bd9Sstevel@tonic-gate 			SM_LDAP_ERROR_CLEANUP();
10947c478bd9Sstevel@tonic-gate 			errno = save_errno;
10957c478bd9Sstevel@tonic-gate 			return EX_TEMPFAIL;
10967c478bd9Sstevel@tonic-gate 		}
10977c478bd9Sstevel@tonic-gate 		ldap_msgfree(lmap->ldap_res);
10987c478bd9Sstevel@tonic-gate 		lmap->ldap_res = NULL;
10997c478bd9Sstevel@tonic-gate 	}
11007c478bd9Sstevel@tonic-gate 
11017c478bd9Sstevel@tonic-gate 	if (ret == 0)
11027c478bd9Sstevel@tonic-gate 		save_errno = ETIMEDOUT;
11037c478bd9Sstevel@tonic-gate 	else
11047c478bd9Sstevel@tonic-gate 		save_errno = sm_ldap_geterrno(lmap->ldap_ld);
11057c478bd9Sstevel@tonic-gate 	if (save_errno != LDAP_SUCCESS)
11067c478bd9Sstevel@tonic-gate 	{
11077c478bd9Sstevel@tonic-gate 		statp = EX_TEMPFAIL;
11087c478bd9Sstevel@tonic-gate 		switch (save_errno)
11097c478bd9Sstevel@tonic-gate 		{
11107c478bd9Sstevel@tonic-gate #ifdef LDAP_SERVER_DOWN
11117c478bd9Sstevel@tonic-gate 		  case LDAP_SERVER_DOWN:
11127c478bd9Sstevel@tonic-gate #endif /* LDAP_SERVER_DOWN */
11137c478bd9Sstevel@tonic-gate 		  case LDAP_TIMEOUT:
1114*7800901eSjbeck 		  case ETIMEDOUT:
11157c478bd9Sstevel@tonic-gate 		  case LDAP_UNAVAILABLE:
11167c478bd9Sstevel@tonic-gate 
11177c478bd9Sstevel@tonic-gate 			/*
11187c478bd9Sstevel@tonic-gate 			**  server disappeared,
11197c478bd9Sstevel@tonic-gate 			**  try reopen on next search
11207c478bd9Sstevel@tonic-gate 			*/
11217c478bd9Sstevel@tonic-gate 
11227c478bd9Sstevel@tonic-gate 			statp = EX_RESTART;
11237c478bd9Sstevel@tonic-gate 			break;
11247c478bd9Sstevel@tonic-gate 		}
1125*7800901eSjbeck 		if (ret != 0)
11267c478bd9Sstevel@tonic-gate 			save_errno += E_LDAPBASE;
11277c478bd9Sstevel@tonic-gate 		SM_LDAP_ERROR_CLEANUP();
11287c478bd9Sstevel@tonic-gate 		errno = save_errno;
11297c478bd9Sstevel@tonic-gate 		return statp;
11307c478bd9Sstevel@tonic-gate 	}
11317c478bd9Sstevel@tonic-gate 
11327c478bd9Sstevel@tonic-gate 	if (lmap->ldap_res != NULL)
11337c478bd9Sstevel@tonic-gate 	{
11347c478bd9Sstevel@tonic-gate 		ldap_msgfree(lmap->ldap_res);
11357c478bd9Sstevel@tonic-gate 		lmap->ldap_res = NULL;
11367c478bd9Sstevel@tonic-gate 	}
11377c478bd9Sstevel@tonic-gate 
11387c478bd9Sstevel@tonic-gate 	if (toplevel)
11397c478bd9Sstevel@tonic-gate 	{
11407c478bd9Sstevel@tonic-gate 		int rlidx;
11417c478bd9Sstevel@tonic-gate 
11427c478bd9Sstevel@tonic-gate 		/*
11437c478bd9Sstevel@tonic-gate 		**  Spin through the built-up recurse list at the top
11447c478bd9Sstevel@tonic-gate 		**  of the recursion.  Since new items are added at the
11457c478bd9Sstevel@tonic-gate 		**  end of the shared list, we actually only ever get
11467c478bd9Sstevel@tonic-gate 		**  one level of recursion before things pop back to the
11477c478bd9Sstevel@tonic-gate 		**  top.  Any items added to the list during that recursion
11487c478bd9Sstevel@tonic-gate 		**  will be expanded by the top level.
11497c478bd9Sstevel@tonic-gate 		*/
11507c478bd9Sstevel@tonic-gate 
1151058561cbSjbeck 		for (rlidx = 0; recurse != NULL && rlidx < recurse->lrl_cnt;
1152058561cbSjbeck 		     rlidx++)
11537c478bd9Sstevel@tonic-gate 		{
11547c478bd9Sstevel@tonic-gate 			int newflags;
11557c478bd9Sstevel@tonic-gate 			int sid;
11567c478bd9Sstevel@tonic-gate 			int status;
11577c478bd9Sstevel@tonic-gate 
1158058561cbSjbeck 			rl = recurse->lrl_data[rlidx];
11597c478bd9Sstevel@tonic-gate 
11607c478bd9Sstevel@tonic-gate 			newflags = flags;
11617c478bd9Sstevel@tonic-gate 			if (rl->lr_done)
11627c478bd9Sstevel@tonic-gate 			{
11637c478bd9Sstevel@tonic-gate 				/* already expanded */
11647c478bd9Sstevel@tonic-gate 				continue;
11657c478bd9Sstevel@tonic-gate 			}
11667c478bd9Sstevel@tonic-gate 
11677c478bd9Sstevel@tonic-gate 			if (rl->lr_type == SM_LDAP_ATTR_DN)
11687c478bd9Sstevel@tonic-gate 			{
11697c478bd9Sstevel@tonic-gate 				/* do DN search */
11707c478bd9Sstevel@tonic-gate 				sid = ldap_search(lmap->ldap_ld,
11717c478bd9Sstevel@tonic-gate 						  rl->lr_search,
11727c478bd9Sstevel@tonic-gate 						  lmap->ldap_scope,
11737c478bd9Sstevel@tonic-gate 						  "(objectClass=*)",
11747c478bd9Sstevel@tonic-gate 						  (lmap->ldap_attr[0] == NULL ?
11757c478bd9Sstevel@tonic-gate 						   NULL : lmap->ldap_attr),
11767c478bd9Sstevel@tonic-gate 						  lmap->ldap_attrsonly);
11777c478bd9Sstevel@tonic-gate 			}
11787c478bd9Sstevel@tonic-gate 			else if (rl->lr_type == SM_LDAP_ATTR_FILTER)
11797c478bd9Sstevel@tonic-gate 			{
11807c478bd9Sstevel@tonic-gate 				/* do new search */
11817c478bd9Sstevel@tonic-gate 				sid = ldap_search(lmap->ldap_ld,
11827c478bd9Sstevel@tonic-gate 						  lmap->ldap_base,
11837c478bd9Sstevel@tonic-gate 						  lmap->ldap_scope,
11847c478bd9Sstevel@tonic-gate 						  rl->lr_search,
11857c478bd9Sstevel@tonic-gate 						  (lmap->ldap_attr[0] == NULL ?
11867c478bd9Sstevel@tonic-gate 						   NULL : lmap->ldap_attr),
11877c478bd9Sstevel@tonic-gate 						  lmap->ldap_attrsonly);
11887c478bd9Sstevel@tonic-gate 			}
11897c478bd9Sstevel@tonic-gate 			else if (rl->lr_type == SM_LDAP_ATTR_URL)
11907c478bd9Sstevel@tonic-gate 			{
11917c478bd9Sstevel@tonic-gate 				/* Parse URL */
11927c478bd9Sstevel@tonic-gate 				sid = ldap_url_parse(rl->lr_search,
11937c478bd9Sstevel@tonic-gate 						     &rl->lr_ludp);
11947c478bd9Sstevel@tonic-gate 
11957c478bd9Sstevel@tonic-gate 				if (sid != 0)
11967c478bd9Sstevel@tonic-gate 				{
11977c478bd9Sstevel@tonic-gate 					errno = sid + E_LDAPURLBASE;
11987c478bd9Sstevel@tonic-gate 					return EX_TEMPFAIL;
11997c478bd9Sstevel@tonic-gate 				}
12007c478bd9Sstevel@tonic-gate 
12017c478bd9Sstevel@tonic-gate 				/* We need to add objectClass */
12027c478bd9Sstevel@tonic-gate 				if (rl->lr_ludp->lud_attrs != NULL)
12037c478bd9Sstevel@tonic-gate 				{
12047c478bd9Sstevel@tonic-gate 					int attrnum = 0;
12057c478bd9Sstevel@tonic-gate 
12067c478bd9Sstevel@tonic-gate 					while (rl->lr_ludp->lud_attrs[attrnum] != NULL)
12077c478bd9Sstevel@tonic-gate 					{
12087c478bd9Sstevel@tonic-gate 						if (strcasecmp(rl->lr_ludp->lud_attrs[attrnum],
12097c478bd9Sstevel@tonic-gate 							       "objectClass") == 0)
12107c478bd9Sstevel@tonic-gate 						{
12117c478bd9Sstevel@tonic-gate 							/* already requested */
12127c478bd9Sstevel@tonic-gate 							attrnum = -1;
12137c478bd9Sstevel@tonic-gate 							break;
12147c478bd9Sstevel@tonic-gate 						}
12157c478bd9Sstevel@tonic-gate 						attrnum++;
12167c478bd9Sstevel@tonic-gate 					}
12177c478bd9Sstevel@tonic-gate 
12187c478bd9Sstevel@tonic-gate 					if (attrnum >= 0)
12197c478bd9Sstevel@tonic-gate 					{
12207c478bd9Sstevel@tonic-gate 						int i;
12217c478bd9Sstevel@tonic-gate 
12227c478bd9Sstevel@tonic-gate 						rl->lr_attrs = (char **)malloc(sizeof(char *) * (attrnum + 2));
12237c478bd9Sstevel@tonic-gate 						if (rl->lr_attrs == NULL)
12247c478bd9Sstevel@tonic-gate 						{
12257c478bd9Sstevel@tonic-gate 							save_errno = errno;
12267c478bd9Sstevel@tonic-gate 							ldap_free_urldesc(rl->lr_ludp);
12277c478bd9Sstevel@tonic-gate 							errno = save_errno;
12287c478bd9Sstevel@tonic-gate 							return EX_TEMPFAIL;
12297c478bd9Sstevel@tonic-gate 						}
12307c478bd9Sstevel@tonic-gate 						for (i = 0 ; i < attrnum; i++)
12317c478bd9Sstevel@tonic-gate 						{
12327c478bd9Sstevel@tonic-gate 							rl->lr_attrs[i] = rl->lr_ludp->lud_attrs[i];
12337c478bd9Sstevel@tonic-gate 						}
12347c478bd9Sstevel@tonic-gate 						rl->lr_attrs[i++] = "objectClass";
12357c478bd9Sstevel@tonic-gate 						rl->lr_attrs[i++] = NULL;
12367c478bd9Sstevel@tonic-gate 					}
12377c478bd9Sstevel@tonic-gate 				}
12387c478bd9Sstevel@tonic-gate 
12397c478bd9Sstevel@tonic-gate 				/*
12407c478bd9Sstevel@tonic-gate 				**  Use the existing connection
12417c478bd9Sstevel@tonic-gate 				**  for this search.  It really
12427c478bd9Sstevel@tonic-gate 				**  should use lud_scheme://lud_host:lud_port/
12437c478bd9Sstevel@tonic-gate 				**  instead but that would require
12447c478bd9Sstevel@tonic-gate 				**  opening a new connection.
12457c478bd9Sstevel@tonic-gate 				**  This should be fixed ASAP.
12467c478bd9Sstevel@tonic-gate 				*/
12477c478bd9Sstevel@tonic-gate 
12487c478bd9Sstevel@tonic-gate 				sid = ldap_search(lmap->ldap_ld,
12497c478bd9Sstevel@tonic-gate 						  rl->lr_ludp->lud_dn,
12507c478bd9Sstevel@tonic-gate 						  rl->lr_ludp->lud_scope,
12517c478bd9Sstevel@tonic-gate 						  rl->lr_ludp->lud_filter,
12527c478bd9Sstevel@tonic-gate 						  rl->lr_attrs,
12537c478bd9Sstevel@tonic-gate 						  lmap->ldap_attrsonly);
12547c478bd9Sstevel@tonic-gate 
12557c478bd9Sstevel@tonic-gate 				/* Use the attributes specified by URL */
12567c478bd9Sstevel@tonic-gate 				newflags |= SM_LDAP_USE_ALLATTR;
12577c478bd9Sstevel@tonic-gate 			}
12587c478bd9Sstevel@tonic-gate 			else
12597c478bd9Sstevel@tonic-gate 			{
12607c478bd9Sstevel@tonic-gate 				/* unknown or illegal attribute type */
12617c478bd9Sstevel@tonic-gate 				errno = EFAULT;
12627c478bd9Sstevel@tonic-gate 				return EX_SOFTWARE;
12637c478bd9Sstevel@tonic-gate 			}
12647c478bd9Sstevel@tonic-gate 
12657c478bd9Sstevel@tonic-gate 			/* Collect results */
12667c478bd9Sstevel@tonic-gate 			if (sid == -1)
12677c478bd9Sstevel@tonic-gate 			{
12687c478bd9Sstevel@tonic-gate 				save_errno = sm_ldap_geterrno(lmap->ldap_ld);
12697c478bd9Sstevel@tonic-gate 				statp = EX_TEMPFAIL;
12707c478bd9Sstevel@tonic-gate 				switch (save_errno)
12717c478bd9Sstevel@tonic-gate 				{
12727c478bd9Sstevel@tonic-gate #ifdef LDAP_SERVER_DOWN
12737c478bd9Sstevel@tonic-gate 				  case LDAP_SERVER_DOWN:
12747c478bd9Sstevel@tonic-gate #endif /* LDAP_SERVER_DOWN */
12757c478bd9Sstevel@tonic-gate 				  case LDAP_TIMEOUT:
1276*7800901eSjbeck 				  case ETIMEDOUT:
12777c478bd9Sstevel@tonic-gate 				  case LDAP_UNAVAILABLE:
12787c478bd9Sstevel@tonic-gate 
12797c478bd9Sstevel@tonic-gate 					/*
12807c478bd9Sstevel@tonic-gate 					**  server disappeared,
12817c478bd9Sstevel@tonic-gate 					**  try reopen on next search
12827c478bd9Sstevel@tonic-gate 					*/
12837c478bd9Sstevel@tonic-gate 
12847c478bd9Sstevel@tonic-gate 					statp = EX_RESTART;
12857c478bd9Sstevel@tonic-gate 					break;
12867c478bd9Sstevel@tonic-gate 				}
12877c478bd9Sstevel@tonic-gate 				errno = save_errno + E_LDAPBASE;
12887c478bd9Sstevel@tonic-gate 				return statp;
12897c478bd9Sstevel@tonic-gate 			}
12907c478bd9Sstevel@tonic-gate 
12917c478bd9Sstevel@tonic-gate 			status = sm_ldap_results(lmap, sid, newflags, delim,
12927c478bd9Sstevel@tonic-gate 						 rpool, result, resultln,
12937c478bd9Sstevel@tonic-gate 						 resultsz, recurse);
12947c478bd9Sstevel@tonic-gate 			save_errno = errno;
12957c478bd9Sstevel@tonic-gate 			if (status != EX_OK && status != EX_NOTFOUND)
12967c478bd9Sstevel@tonic-gate 			{
12977c478bd9Sstevel@tonic-gate 				errno = save_errno;
12987c478bd9Sstevel@tonic-gate 				return status;
12997c478bd9Sstevel@tonic-gate 			}
13007c478bd9Sstevel@tonic-gate 
13017c478bd9Sstevel@tonic-gate 			/* Mark as done */
13027c478bd9Sstevel@tonic-gate 			rl->lr_done = true;
13037c478bd9Sstevel@tonic-gate 			if (rl->lr_ludp != NULL)
13047c478bd9Sstevel@tonic-gate 			{
13057c478bd9Sstevel@tonic-gate 				ldap_free_urldesc(rl->lr_ludp);
13067c478bd9Sstevel@tonic-gate 				rl->lr_ludp = NULL;
13077c478bd9Sstevel@tonic-gate 			}
13087c478bd9Sstevel@tonic-gate 			if (rl->lr_attrs != NULL)
13097c478bd9Sstevel@tonic-gate 			{
13107c478bd9Sstevel@tonic-gate 				free(rl->lr_attrs);
13117c478bd9Sstevel@tonic-gate 				rl->lr_attrs = NULL;
13127c478bd9Sstevel@tonic-gate 			}
13137c478bd9Sstevel@tonic-gate 
13147c478bd9Sstevel@tonic-gate 			/* Reset rlidx as new items may have been added */
13157c478bd9Sstevel@tonic-gate 			rlidx = -1;
13167c478bd9Sstevel@tonic-gate 		}
13177c478bd9Sstevel@tonic-gate 	}
13187c478bd9Sstevel@tonic-gate 	return statp;
13197c478bd9Sstevel@tonic-gate }
13207c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_CLOSE -- close LDAP connection
**
**	Parameters:
**		lmap -- LDAP map information
**
**	Returns:
**		None.
**
**	Side Effects:
**		Clears lmap->ldap_ld and lmap->ldap_pid.  The session
**		is only unbound when lmap->ldap_pid is the calling
**		process.
*/
13317c478bd9Sstevel@tonic-gate 
void
sm_ldap_close(lmap)
	SM_LDAP_STRUCT *lmap;
{
	/* only act when a session handle is recorded */
	if (lmap->ldap_ld != NULL)
	{
		/*
		**  Unbind only when the recorded pid is the calling
		**  process.  NOTE(review): presumably this keeps a forked
		**  child from tearing down a session it merely inherited
		**  -- confirm against the code that sets ldap_pid.
		*/

		if (getpid() == lmap->ldap_pid)
			ldap_unbind(lmap->ldap_ld);

		/* drop our reference in either case */
		lmap->ldap_ld = NULL;
		lmap->ldap_pid = 0;
	}
}
13447c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_SETOPTS -- set LDAP options
**
**	Parameters:
**		ld -- LDAP session handle
**		lmap -- LDAP map information
**
**	Returns:
**		None.
**
**	Side Effects:
**		Copies the dereference, referral, size limit and time
**		limit settings from lmap onto ld (plus, where compiled
**		in, protocol version, network timeout and restart).
*/
13567c478bd9Sstevel@tonic-gate 
void
sm_ldap_setopts(ld, lmap)
	LDAP *ld;
	SM_LDAP_STRUCT *lmap;
{
	/*
	**  NOTE(review): none of the ldap_set_option() results below are
	**  checked and this function returns nothing, so a rejected
	**  option is never reported to the caller.  Presumably the
	**  library default then stays in force -- confirm that this is
	**  acceptable for referral chasing and for the size/time limits.
	*/

# if USE_LDAP_SET_OPTION
	/* the protocol version is only set when lmap carries a non-zero one */
	if (lmap->ldap_version != 0)
	{
		ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
				&lmap->ldap_version);
	}
	ldap_set_option(ld, LDAP_OPT_DEREF, &lmap->ldap_deref);

	/* referral chasing is switched on or off explicitly, never left as is */
	ldap_set_option(ld, LDAP_OPT_REFERRALS,
			bitset(LDAP_OPT_REFERRALS, lmap->ldap_options)
			? LDAP_OPT_ON : LDAP_OPT_OFF);

	/* limits on the number of entries and on the search time */
	ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &lmap->ldap_sizelimit);
	ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &lmap->ldap_timelimit);
#  if _FFR_LDAP_NETWORK_TIMEOUT && defined(LDAP_OPT_NETWORK_TIMEOUT)
	ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &lmap->ldap_networktmo);
#  endif /* _FFR_LDAP_NETWORK_TIMEOUT && defined(LDAP_OPT_NETWORK_TIMEOUT) */
#  ifdef LDAP_OPT_RESTART
	ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
#  endif /* LDAP_OPT_RESTART */
# else /* USE_LDAP_SET_OPTION */
	/*
	**  No ldap_set_option() here: store the settings directly in
	**  the handle.  From here on in we can use ldap internal
	**  timelimits.
	*/

	ld->ld_deref = lmap->ldap_deref;
	ld->ld_options = lmap->ldap_options;
	ld->ld_sizelimit = lmap->ldap_sizelimit;
	ld->ld_timelimit = lmap->ldap_timelimit;
# endif /* USE_LDAP_SET_OPTION */
}
13897c478bd9Sstevel@tonic-gate 
/*
**  SM_LDAP_GETERRNO -- get ldap errno value
**
**	Parameters:
**		ld -- LDAP session handle
**
**	Returns:
**		LDAP errno.
**
**	Side Effects:
**		When neither the LDAPv3 nor the ldap_get_lderrno()
**		branch is compiled in, ld->ld_errno is reset to
**		LDAP_SUCCESS after being read.
*/
14007c478bd9Sstevel@tonic-gate 
int
sm_ldap_geterrno(ld)
	LDAP *ld;
{
	int ldaperr;

	ldaperr = LDAP_SUCCESS;

# if defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3
	/*
	**  NOTE(review): the result of ldap_get_option() is discarded,
	**  so if the lookup itself fails the caller presumably gets
	**  the LDAP_SUCCESS assigned above -- confirm callers cope.
	*/

	(void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &ldaperr);
# else /* defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3 */
#  ifdef LDAP_OPT_SIZELIMIT
	/* only the error number is wanted; the other two outputs are NULL */
	ldaperr = ldap_get_lderrno(ld, NULL, NULL);
#  else /* LDAP_OPT_SIZELIMIT */
	/* read the error number straight out of the handle */
	ldaperr = ld->ld_errno;

	/*
	**  Clear the stored value so that an LDAP_DECODING_ERROR left
	**  behind by OpenLDAP 1.X's hack (see above) does not linger.
	*/

	ld->ld_errno = LDAP_SUCCESS;
#  endif /* LDAP_OPT_SIZELIMIT */
# endif /* defined(LDAP_VERSION_MAX) && LDAP_VERSION_MAX >= 3 */
	return ldaperr;
}
14257c478bd9Sstevel@tonic-gate # endif /* LDAPMAP */