xref: /titanic_51/usr/src/lib/libsldap/common/ns_connect.c (revision 4e9cfc9a015e8ca7d41f7d018c74dc8a692305b3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <stdlib.h>
29 #include <stdio.h>
30 #include <errno.h>
31 #include <string.h>
32 #include <synch.h>
33 #include <time.h>
34 #include <libintl.h>
35 #include <thread.h>
36 #include <syslog.h>
37 #include <sys/mman.h>
38 #include <nsswitch.h>
39 #include <nss_dbdefs.h>
40 #include "solaris-priv.h"
41 #include "solaris-int.h"
42 #include "ns_sldap.h"
43 #include "ns_internal.h"
44 #include "ns_cache_door.h"
45 #include "ldappr.h"
46 #include <sys/stat.h>
47 #include <fcntl.h>
48 #include <procfs.h>
49 #include <unistd.h>
50 
51 extern unsigned int _sleep(unsigned int);
52 extern int ldap_sasl_cram_md5_bind_s(LDAP *, char *, struct berval *,
53 		LDAPControl **, LDAPControl **);
54 extern int ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip);
55 
56 static int openConnection(LDAP **, const char *, const ns_cred_t *,
57 		int, ns_ldap_error_t **, int, int);
58 static void
59 _DropConnection(ConnectionID cID, int flag, int fini);
60 /*
61  * sessionLock, wait4session, sessionTid
62  * are variables to synchronize the creation/retrieval of a connection.
63  * MTperCon is a flag to enable/disable multiple threads sharing the same
64  * connection.
65  * sessionPoolLock is a mutex lock for the connection pool.
66  * sharedConnNumber is the number of sharable connections in the pool.
67  * sharedConnNumberLock is a mutex for sharedConnNumber.
68  */
69 static mutex_t	sessionLock = DEFAULTMUTEX;
70 static int	wait4session = 0;
71 static thread_t sessionTid = 0;
72 int	MTperConn = 1;
73 static rwlock_t sessionPoolLock = DEFAULTRWLOCK;
74 
75 static Connection **sessionPool = NULL;
76 static int sessionPoolSize = 0;
77 static int sharedConnNumber = 0;
78 static mutex_t sharedConnNumberLock = DEFAULTMUTEX;
79 
80 
81 static mutex_t	nscdLock = DEFAULTMUTEX;
82 static int	nscdChecked = 0;
83 static pid_t	checkedPid = -1;
84 static int	isNscd = 0;
85 /*
86  * SSF values are for SASL integrity & privacy.
87  * JES DS5.2 does not support this feature but DS6 does.
88  * The values between 0 and 65535 can work with both server versions.
89  */
90 #define	MAX_SASL_SSF	65535
91 #define	MIN_SASL_SSF	0
92 
93 /* Number of hostnames to allocate memory for */
94 #define	NUMTOMALLOC	32
95 /*
96  * ns_mtckey is for sharing a ldap connection among multiple
97  * threads; created by ns_ldap_init() in ns_init.c
98  */
99 extern thread_key_t ns_mtckey;
100 
101 /* Per thread LDAP error resides in thread-specific data. */
102 struct ldap_error {
103 	int	le_errno;
104 	char	*le_matched;
105 	char	*le_errmsg;
106 };
107 
108 static struct ldap_error ldap_error_NULL = { LDAP_SUCCESS, NULL, NULL};
109 
110 /* destructor */
111 void
112 ns_tsd_cleanup(void *key) {
113 	struct ldap_error *le = (struct ldap_error *)key;
114 
115 	if (le == NULL)
116 		return;
117 	if (le->le_matched != NULL) {
118 		ldap_memfree(le->le_matched);
119 	}
120 	if (le->le_errmsg != NULL) {
121 		ldap_memfree(le->le_errmsg);
122 	}
123 	free(le);
124 }
125 
126 /* Callback function for allocating a mutex */
127 static void *
128 ns_mutex_alloc(void)
129 {
130 	mutex_t *mutexp = NULL;
131 
132 	if ((mutexp = malloc(sizeof (mutex_t))) != NULL) {
133 		if (mutex_init(mutexp, USYNC_THREAD, NULL) != 0) {
134 			free(mutexp);
135 			mutexp = NULL;
136 		}
137 	}
138 	return (mutexp);
139 }
140 
141 /* Callback function for freeing a mutex */
142 static void
143 ns_mutex_free(void *mutexp)
144 {
145 	(void) mutex_destroy((mutex_t *)mutexp);
146 	free(mutexp);
147 }
148 
149 /*
150  * Function for setting up thread-specific data
151  * where per thread LDAP error is stored
152  */
153 static int
154 tsd_setup()
155 {
156 	void	*tsd;
157 	int	rc;
158 
159 	/* return success if TSD already set */
160 	rc = thr_getspecific(ns_mtckey, &tsd);
161 	if (rc == 0 && tsd != NULL)
162 		return (0);
163 
164 	/* allocate and set TSD */
165 	tsd = (void *) calloc(1, sizeof (struct ldap_error));
166 	if (tsd == NULL)
167 		return (-1);
168 	rc = thr_setspecific(ns_mtckey, tsd);
169 	if (rc != 0) { /* must be ENOMEM */
170 		free(tsd);
171 		return (-1);
172 	}
173 	return (0);
174 
175 
176 }
177 
178 /* Callback function for setting the per thread LDAP error */
179 /*ARGSUSED*/
180 static void
181 set_ld_error(int err, char *matched, char *errmsg, void *dummy)
182 {
183 	struct ldap_error	*le;
184 
185 	if (thr_getspecific(ns_mtckey, (void **)&le) != 0) {
186 		syslog(LOG_ERR, "set_ld_error: thr_getspecific failed. errno"
187 		    " %d", errno);
188 		return;
189 	}
190 
191 	/* play safe, do nothing if TSD pointer is NULL */
192 	if (le == NULL)
193 		return;
194 
195 	le->le_errno = err;
196 	if (le->le_matched != NULL) {
197 		ldap_memfree(le->le_matched);
198 	}
199 	le->le_matched = matched;
200 	if (le->le_errmsg != NULL) {
201 		ldap_memfree(le->le_errmsg);
202 	}
203 	le->le_errmsg = errmsg;
204 }
205 
206 int
207 /* check and allocate the thread-specific data for using a shared connection */
208 __s_api_check_MTC_tsd()
209 {
210 	if (tsd_setup() != 0)
211 		return (NS_LDAP_MEMORY);
212 
213 	return (NS_LDAP_SUCCESS);
214 }
215 
216 /* Callback function for getting the per thread LDAP error */
217 /*ARGSUSED*/
218 static int
219 get_ld_error(char **matched, char **errmsg, void *dummy)
220 {
221 	struct ldap_error	*le;
222 
223 	if (thr_getspecific(ns_mtckey, (void **)&le) != 0) {
224 		syslog(LOG_ERR, "get_ld_error: thr_getspecific failed. errno"
225 		    " %d", errno);
226 		return (errno);
227 	}
228 
229 	/* play safe, return NULL error data, if TSD pointer is NULL */
230 	if (le == NULL)
231 		le = &ldap_error_NULL;
232 
233 	if (matched != NULL) {
234 		*matched = le->le_matched;
235 	}
236 	if (errmsg != NULL) {
237 		*errmsg = le->le_errmsg;
238 	}
239 	return (le->le_errno);
240 }
241 
242 /* Callback function for setting per thread errno */
243 static void
244 set_errno(int err)
245 {
246 	errno = err;
247 }
248 
249 /* Callback function for getting per thread errno */
250 static int
251 get_errno(void)
252 {
253 	return (errno);
254 }
255 
256 /*
257  * set up to allow multiple threads to use the same ldap connection
258  */
259 static int
260 setup_mt_conn(LDAP *ld)
261 {
262 
263 	struct ldap_thread_fns		tfns;
264 	struct ldap_extra_thread_fns	extrafns;
265 	int				rc;
266 
267 	/*
268 	 * Set the function pointers for dealing with mutexes
269 	 * and error information
270 	 */
271 	(void) memset(&tfns, '\0', sizeof (struct ldap_thread_fns));
272 	tfns.ltf_mutex_alloc = (void *(*)(void)) ns_mutex_alloc;
273 	tfns.ltf_mutex_free = (void (*)(void *)) ns_mutex_free;
274 	tfns.ltf_mutex_lock = (int (*)(void *)) mutex_lock;
275 	tfns.ltf_mutex_unlock = (int (*)(void *)) mutex_unlock;
276 	tfns.ltf_get_errno = get_errno;
277 	tfns.ltf_set_errno = set_errno;
278 	tfns.ltf_get_lderrno = get_ld_error;
279 	tfns.ltf_set_lderrno = set_ld_error;
280 	tfns.ltf_lderrno_arg = NULL;
281 
282 	/*
283 	 * Set up this session to use those function pointers
284 	 */
285 	rc = ldap_set_option(ld, LDAP_OPT_THREAD_FN_PTRS,
286 	    (void *) &tfns);
287 	if (rc < 0) {
288 		syslog(LOG_WARNING, "libsldap: ldap_set_option "
289 		"(LDAP_OPT_THREAD_FN_PTRS)");
290 		return (-1);
291 	}
292 
293 	/*
294 	 * Set the function pointers for working with semaphores
295 	 */
296 	(void) memset(&extrafns, '\0',
297 	    sizeof (struct ldap_extra_thread_fns));
298 	extrafns.ltf_threadid_fn = (void * (*)(void))thr_self;
299 	extrafns.ltf_mutex_trylock = NULL;
300 	extrafns.ltf_sema_alloc = NULL;
301 	extrafns.ltf_sema_free = NULL;
302 	extrafns.ltf_sema_wait = NULL;
303 	extrafns.ltf_sema_post = NULL;
304 
305 	/* Set up this session to use those function pointers */
306 	rc = ldap_set_option(ld, LDAP_OPT_EXTRA_THREAD_FN_PTRS,
307 	    (void *) &extrafns);
308 	if (rc < 0) {
309 		syslog(LOG_WARNING, "libsldap: ldap_set_option "
310 		"(LDAP_OPT_EXTRA_THREAD_FN_PTRS)");
311 		return (-1);
312 	}
313 
314 	return (0);
315 }
316 
317 static void
318 ns_setup_mt_conn_and_tsd(LDAP *ld) {
319 	thread_t t = thr_self();
320 	void *tsd;
321 	/* set up to share this connection among threads */
322 	if (MTperConn == 1) {
323 		if (tsd_setup() == -1) {
324 			syslog(LOG_ERR, "tid= %d: unable "
325 				"to set up TSD\n", t);
326 		} else {
327 			if (setup_mt_conn(ld) == -1) {
328 			/* multiple threads per connection not supported */
329 				syslog(LOG_ERR, "tid= %d: multiple "
330 					"threads per connection not "
331 					"supported\n", t);
332 				(void) thr_getspecific(ns_mtckey, &tsd);
333 				ns_tsd_cleanup(tsd);
334 				(void) thr_setspecific(ns_mtckey, NULL);
335 				MTperConn = 0;
336 			}
337 		}
338 	}
339 }
340 
341 /*
342  * Check /proc/PID/psinfo to see if this process is nscd
343  * If it is, treat connection as NS_LDAP_KEEP_CONN, to reduce
344  * constant reconnects for many operations.
345  * A more complete solution is to develop true connection pooling.
346  * However, this is much better than a new connection for every request.
347  */
348 static int
349 nscd_proc()
350 {
351 	pid_t		my_pid;
352 	psinfo_t	pinfo;
353 	char		fname[BUFSIZ];
354 	int		ret;
355 	int		fd;
356 
357 	/* Don't bother checking if this process isn't root. */
358 	/* It can't be nscd */
359 	if (getuid() != 0)
360 		return (0);
361 
362 	my_pid = getpid();
363 	if (nscdChecked && (my_pid == checkedPid)) {
364 		return (isNscd);
365 	}
366 	(void) mutex_lock(&nscdLock);
367 	if (nscdChecked && (my_pid == checkedPid)) {
368 		(void) mutex_unlock(&nscdLock);
369 		return (isNscd);
370 	}
371 	nscdChecked = 1;
372 	checkedPid = my_pid;
373 	isNscd = 0;
374 	if (snprintf(fname, BUFSIZ, "/proc/%d/psinfo", my_pid) != 0) {
375 		if ((fd = open(fname,  O_RDONLY)) > 0) {
376 			ret = read(fd, &pinfo, sizeof (psinfo_t));
377 			(void) close(fd);
378 			if (ret == sizeof (psinfo_t) &&
379 			    (strcmp(pinfo.pr_fname, "nscd") == 0)) {
380 				/* process runs as root and is named nscd */
381 				/* that's good enough for now */
382 				isNscd = 1;
383 			}
384 		}
385 	}
386 	(void) mutex_unlock(&nscdLock);
387 	return (isNscd);
388 }
389 
390 /*
391  * This function requests a server from the cache manager through
392  * the door functionality
393  */
394 
395 static int
396 __s_api_requestServer(const char *request, const char *server,
397 	ns_server_info_t *ret, ns_ldap_error_t **error,  const char *addrType)
398 {
399 	union {
400 		ldap_data_t	s_d;
401 		char		s_b[DOORBUFFERSIZE];
402 	} space;
403 	ldap_data_t	*sptr;
404 	int		ndata;
405 	int		adata;
406 	char		errstr[MAXERROR];
407 	const char	*ireq;
408 	char		*rbuf, *ptr, *rest;
409 	char		*dptr;
410 	char		**mptr, **mptr1, **cptr, **cptr1;
411 	int		mcnt, ccnt;
412 	char		**servers;
413 	int		rc, len;
414 
415 	if (ret == NULL || error == NULL) {
416 		return (NS_LDAP_OP_FAILED);
417 	}
418 	(void) memset(ret, 0, sizeof (ns_server_info_t));
419 	*error = NULL;
420 
421 	(void) memset(space.s_b, 0, DOORBUFFERSIZE);
422 
423 	if (request == NULL)
424 		ireq = NS_CACHE_NEW;
425 	else
426 		ireq = request;
427 
428 	adata = (sizeof (ldap_call_t) + strlen(ireq) + strlen(addrType) + 1);
429 	if (server != NULL) {
430 		adata += strlen(DOORLINESEP) + 1;
431 		adata += strlen(server) + 1;
432 	}
433 	ndata = sizeof (space);
434 	len = sizeof (space) - sizeof (space.s_d.ldap_call.ldap_callnumber);
435 	space.s_d.ldap_call.ldap_callnumber = GETLDAPSERVER;
436 	if (strlcpy(space.s_d.ldap_call.ldap_u.domainname, ireq, len) >= len)
437 		return (NS_LDAP_MEMORY);
438 	if (strlcat(space.s_d.ldap_call.ldap_u.domainname, addrType, len) >=
439 	    len)
440 		return (NS_LDAP_MEMORY);
441 	if (server != NULL) {
442 		if (strlcat(space.s_d.ldap_call.ldap_u.domainname,
443 		    DOORLINESEP, len) >= len)
444 			return (NS_LDAP_MEMORY);
445 		if (strlcat(space.s_d.ldap_call.ldap_u.domainname, server,
446 		    len) >= len)
447 			return (NS_LDAP_MEMORY);
448 	}
449 	sptr = &space.s_d;
450 
451 	switch (__ns_ldap_trydoorcall(&sptr, &ndata, &adata)) {
452 	case SUCCESS:
453 		break;
454 	/* this case is for when the $mgr is not running, but ldapclient */
455 	/* is trying to initialize things */
456 	case NOSERVER:
457 		/* get first server from config list unavailable otherwise */
458 		servers = NULL;
459 		rc = __s_api_getServers(&servers, error);
460 		if (rc != NS_LDAP_SUCCESS) {
461 			if (servers != NULL) {
462 				__s_api_free2dArray(servers);
463 				servers = NULL;
464 			}
465 			return (rc);
466 		}
467 		if (servers == NULL || servers[0] == NULL) {
468 			__s_api_free2dArray(servers);
469 			servers = NULL;
470 			(void) sprintf(errstr,
471 			    gettext("No server found in configuration"));
472 			MKERROR(LOG_ERR, *error, NS_CONFIG_NODEFAULT,
473 			    strdup(errstr), NULL);
474 			return (NS_LDAP_CONFIG);
475 		}
476 		ret->server = strdup(servers[0]);
477 		if (ret->server == NULL) {
478 			__s_api_free2dArray(servers);
479 			return (NS_LDAP_MEMORY);
480 		}
481 		ret->saslMechanisms = NULL;
482 		ret->controls = NULL;
483 		__s_api_free2dArray(servers);
484 		servers = NULL;
485 		return (NS_LDAP_SUCCESS);
486 	case NOTFOUND:
487 	default:
488 		return (NS_LDAP_OP_FAILED);
489 	}
490 
491 	/* copy info from door call return structure here */
492 	rbuf =  space.s_d.ldap_ret.ldap_u.config;
493 
494 	/* Get the host */
495 	ptr = strtok_r(rbuf, DOORLINESEP, &rest);
496 	if (ptr == NULL) {
497 		(void) sprintf(errstr, gettext("No server returned from "
498 		    "ldap_cachemgr"));
499 		MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
500 		    strdup(errstr), NULL);
501 		return (NS_LDAP_OP_FAILED);
502 	}
503 	ret->server = strdup(ptr);
504 	if (ret->server == NULL) {
505 		return (NS_LDAP_MEMORY);
506 	}
507 	/* Get the host FQDN format */
508 	if (strcmp(addrType, NS_CACHE_ADDR_HOSTNAME) == 0) {
509 		ptr = strtok_r(NULL, DOORLINESEP, &rest);
510 		if (ptr == NULL) {
511 			(void) sprintf(errstr, gettext("No server FQDN format "
512 			    "returned from ldap_cachemgr"));
513 			MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
514 			    strdup(errstr), NULL);
515 			free(ret->server);
516 			ret->server = NULL;
517 			return (NS_LDAP_OP_FAILED);
518 		}
519 		ret->serverFQDN = strdup(ptr);
520 		if (ret->serverFQDN == NULL) {
521 			free(ret->server);
522 			ret->server = NULL;
523 			return (NS_LDAP_MEMORY);
524 		}
525 	}
526 
527 	/* get the Supported Controls/SASL mechs */
528 	mptr = NULL;
529 	mcnt = 0;
530 	cptr = NULL;
531 	ccnt = 0;
532 	for (; ; ) {
533 		ptr = strtok_r(NULL, DOORLINESEP, &rest);
534 		if (ptr == NULL)
535 			break;
536 		if (strncasecmp(ptr, _SASLMECHANISM,
537 		    _SASLMECHANISM_LEN) == 0) {
538 			dptr = strchr(ptr, '=');
539 			if (dptr == NULL)
540 				continue;
541 			dptr++;
542 			mptr1 = (char **)realloc((void *)mptr,
543 			    sizeof (char *) * (mcnt+2));
544 			if (mptr1 == NULL) {
545 				__s_api_free2dArray(mptr);
546 				if (sptr != &space.s_d) {
547 					(void) munmap((char *)sptr, ndata);
548 				}
549 				__s_api_free2dArray(cptr);
550 				__s_api_free_server_info(ret);
551 				return (NS_LDAP_MEMORY);
552 			}
553 			mptr = mptr1;
554 			mptr[mcnt] = strdup(dptr);
555 			if (mptr[mcnt] == NULL) {
556 				if (sptr != &space.s_d) {
557 					(void) munmap((char *)sptr, ndata);
558 				}
559 				__s_api_free2dArray(cptr);
560 				cptr = NULL;
561 				__s_api_free2dArray(mptr);
562 				mptr = NULL;
563 				__s_api_free_server_info(ret);
564 				return (NS_LDAP_MEMORY);
565 			}
566 			mcnt++;
567 			mptr[mcnt] = NULL;
568 		}
569 		if (strncasecmp(ptr, _SUPPORTEDCONTROL,
570 		    _SUPPORTEDCONTROL_LEN) == 0) {
571 			dptr = strchr(ptr, '=');
572 			if (dptr == NULL)
573 				continue;
574 			dptr++;
575 			cptr1 = (char **)realloc((void *)cptr,
576 			    sizeof (char *) * (ccnt+2));
577 			if (cptr1 == NULL) {
578 				if (sptr != &space.s_d) {
579 					(void) munmap((char *)sptr, ndata);
580 				}
581 				__s_api_free2dArray(cptr);
582 				__s_api_free2dArray(mptr);
583 				mptr = NULL;
584 				__s_api_free_server_info(ret);
585 				return (NS_LDAP_MEMORY);
586 			}
587 			cptr = cptr1;
588 			cptr[ccnt] = strdup(dptr);
589 			if (cptr[ccnt] == NULL) {
590 				if (sptr != &space.s_d) {
591 					(void) munmap((char *)sptr, ndata);
592 				}
593 				__s_api_free2dArray(cptr);
594 				cptr = NULL;
595 				__s_api_free2dArray(mptr);
596 				mptr = NULL;
597 				__s_api_free_server_info(ret);
598 				return (NS_LDAP_MEMORY);
599 			}
600 			ccnt++;
601 			cptr[ccnt] = NULL;
602 		}
603 	}
604 	if (mptr != NULL) {
605 		ret->saslMechanisms = mptr;
606 	}
607 	if (cptr != NULL) {
608 		ret->controls = cptr;
609 	}
610 
611 
612 	/* clean up door call */
613 	if (sptr != &space.s_d) {
614 		(void) munmap((char *)sptr, ndata);
615 	}
616 	*error = NULL;
617 
618 	return (NS_LDAP_SUCCESS);
619 }
620 
621 
622 /*
623  * printCred(): prints the credential structure
624  */
625 static void
626 printCred(int pri, const ns_cred_t *cred)
627 {
628 	thread_t	t = thr_self();
629 
630 	if (cred == NULL) {
631 		syslog(LOG_ERR, "tid= %d: printCred: cred is NULL\n", t);
632 		return;
633 	}
634 
635 	syslog(pri, "tid= %d: AuthType=%d", t, cred->auth.type);
636 	syslog(pri, "tid= %d: TlsType=%d", t, cred->auth.tlstype);
637 	syslog(pri, "tid= %d: SaslMech=%d", t, cred->auth.saslmech);
638 	syslog(pri, "tid= %d: SaslOpt=%d", t, cred->auth.saslopt);
639 	if (cred->hostcertpath)
640 		syslog(pri, "tid= %d: hostCertPath=%s\n",
641 		    t, cred->hostcertpath);
642 	if (cred->cred.unix_cred.userID)
643 		syslog(pri, "tid= %d: userID=%s\n",
644 		    t, cred->cred.unix_cred.userID);
645 #ifdef DEBUG
646 	if (cred->cred.unix_cred.passwd)
647 		syslog(pri, "tid= %d: passwd=%s\n",
648 		    t, cred->cred.unix_cred.passwd);
649 #endif
650 }
651 
652 /*
653  * printConnection(): prints the connection structure
654  */
655 static void
656 printConnection(int pri, Connection *con)
657 {
658 	thread_t	t = thr_self();
659 
660 	if (con == NULL)
661 		return;
662 
663 	syslog(pri, "tid= %d: connectionID=%d\n", t, con->connectionId);
664 	syslog(pri, "tid= %d: shared=%d\n", t, con->shared);
665 	syslog(pri, "tid= %d: usedBit=%d\n", t, con->usedBit);
666 	syslog(pri, "tid= %d: threadID=%d\n", t, con->threadID);
667 	if (con->serverAddr) {
668 		syslog(pri, "tid= %d: serverAddr=%s\n",
669 		    t, con->serverAddr);
670 	}
671 	printCred(pri, con->auth);
672 }
673 
674 
675 
676 /*
677  * addConnection(): set up a connection so that it can be shared
678  * among multiple threads and then insert the connection in the
679  * connection list.
680  * Returns: -1 = failure, new Connection ID = success
681  *
682  * This function could exit with sessionLock locked. It will be
683  * be unlocked in __s_api_getConnection() when it exits without getting a
684  * connection.
685  */
686 static int
687 addConnection(Connection *con)
688 {
689 	int i, noMTperC = 0;
690 	thread_t t = thr_self();
691 	struct ldap_thread_fns tfns;
692 	void *tsd;
693 
694 	if (!con)
695 		return (-1);
696 
697 	syslog(LOG_DEBUG, "tid= %d: Adding connection (serverAddr=%s)",
698 	    t, con->serverAddr);
699 
700 	if (MTperConn == 1) {
701 		/*
702 		 * Make sure ld has proper thread functions and tsd
703 		 * is set up.
704 		 */
705 		(void) memset(&tfns, 0, sizeof (struct ldap_thread_fns));
706 		/*
707 		 * ldap_init sets ltf_get_lderrno and ltf_set_lderrno to NULLs.
708 		 * It's supposed to be overwritten by ns_setup_mt_conn_and_tsd.
709 		 */
710 		if (ldap_get_option(con->ld, LDAP_OPT_THREAD_FN_PTRS,
711 		    (void *)&tfns) != 0 ||
712 		    tfns.ltf_get_lderrno != get_ld_error ||
713 		    tfns.ltf_set_lderrno != set_ld_error) {
714 			MTperConn = 0;
715 			noMTperC = 1;
716 		} else {
717 			if (thr_getspecific(ns_mtckey, &tsd) != 0 ||
718 			    tsd == NULL)
719 				noMTperC = 1;
720 		}
721 
722 	} else {
723 		noMTperC = 1;
724 	}
725 
726 	(void) rw_wrlock(&sessionPoolLock);
727 	if (sessionPool == NULL) {
728 		sessionPoolSize = SESSION_CACHE_INC;
729 		sessionPool = calloc(sessionPoolSize,
730 		    sizeof (struct connection **));
731 		if (!sessionPool) {
732 			(void) rw_unlock(&sessionPoolLock);
733 			return (-1);
734 		}
735 
736 		syslog(LOG_DEBUG, "tid= %d: Initialized sessionPool", t);
737 	}
738 	for (i = 0; (i < sessionPoolSize) && (sessionPool[i] != NULL); ++i)
739 		;
740 	if (i == sessionPoolSize) {
741 		/* run out of array, need to increase sessionPool */
742 		Connection **cl;
743 		cl = (Connection **) realloc(sessionPool,
744 		    (sessionPoolSize + SESSION_CACHE_INC) *
745 		    sizeof (Connection *));
746 		if (!cl) {
747 			(void) rw_unlock(&sessionPoolLock);
748 			return (-1);
749 		}
750 		(void) memset(cl + sessionPoolSize, 0,
751 		    SESSION_CACHE_INC * sizeof (struct connection *));
752 		sessionPool = cl;
753 		sessionPoolSize += SESSION_CACHE_INC;
754 		syslog(LOG_DEBUG, "tid: %d: Increased "
755 		    "sessionPoolSize to: %d\n",
756 		    t, sessionPoolSize);
757 	}
758 	sessionPool[i] = con;
759 	if (noMTperC == 0) {
760 		con->shared++;
761 		con->pid = getpid();
762 		(void) mutex_lock(&sharedConnNumberLock);
763 		sharedConnNumber++;
764 		(void) mutex_unlock(&sharedConnNumberLock);
765 	} else
766 		con->usedBit = B_TRUE;
767 
768 	(void) rw_unlock(&sessionPoolLock);
769 
770 	con->connectionId = i + CONID_OFFSET;
771 
772 	syslog(LOG_DEBUG, "tid= %d: Connection added [%d]\n",
773 	    t, i);
774 	printConnection(LOG_DEBUG, con);
775 
776 	/*
777 	 * A connection can be shared now, unlock
778 	 * the session mutex and let other
779 	 * threads try to use this connection or
780 	 * get their own.
781 	 */
782 	if (wait4session != 0 && sessionTid == thr_self()) {
783 		wait4session = 0;
784 		sessionTid = 0;
785 		syslog(LOG_DEBUG, "tid= %d: unlocking sessionLock\n", t);
786 		(void) mutex_unlock(&sessionLock);
787 	}
788 
789 	return (i + CONID_OFFSET);
790 }
791 
792 /*
793  * See if the specified session matches a currently available
794  */
795 
796 static int
797 findConnectionById(int flags, const ns_cred_t *auth, ConnectionID cID,
798 	Connection **conp)
799 {
800 	Connection *cp;
801 	int id;
802 
803 	if ((conp == NULL) || (auth == NULL) || cID < CONID_OFFSET)
804 		return (-1);
805 
806 	/* if a new connection is requested, no need to continue */
807 	if (flags & NS_LDAP_NEW_CONN)
808 		return (-1);
809 
810 	*conp = NULL;
811 	if (sessionPool == NULL)
812 		return (-1);
813 	id = cID - CONID_OFFSET;
814 	if (id < 0 || id >= sessionPoolSize)
815 		return (-1);
816 
817 	(void) rw_rdlock(&sessionPoolLock);
818 	if (sessionPool[id] == NULL) {
819 		(void) rw_unlock(&sessionPoolLock);
820 		return (-1);
821 	}
822 	cp = sessionPool[id];
823 
824 	/*
825 	 * Make sure the connection has the same type of authentication method
826 	 */
827 	if ((cp->usedBit) ||
828 	    (cp->notAvail) ||
829 	    (cp->auth->auth.type != auth->auth.type) ||
830 	    (cp->auth->auth.tlstype != auth->auth.tlstype) ||
831 	    (cp->auth->auth.saslmech != auth->auth.saslmech) ||
832 	    (cp->auth->auth.saslopt != auth->auth.saslopt)) {
833 		(void) rw_unlock(&sessionPoolLock);
834 		return (-1);
835 	}
836 	if ((((cp->auth->auth.type == NS_LDAP_AUTH_SASL) &&
837 	    ((cp->auth->auth.saslmech == NS_LDAP_SASL_CRAM_MD5) ||
838 	    (cp->auth->auth.saslmech == NS_LDAP_SASL_DIGEST_MD5))) ||
839 	    (cp->auth->auth.type == NS_LDAP_AUTH_SIMPLE)) &&
840 	    ((cp->auth->cred.unix_cred.userID == NULL) ||
841 	    (strcasecmp(cp->auth->cred.unix_cred.userID,
842 	    auth->cred.unix_cred.userID) != 0))) {
843 		(void) rw_unlock(&sessionPoolLock);
844 		return (-1);
845 	}
846 
847 	/* An existing connection is found but it needs to be reset */
848 	if (flags & NS_LDAP_NEW_CONN) {
849 		(void) rw_unlock(&sessionPoolLock);
850 		DropConnection(cID, 0);
851 		return (-1);
852 	}
853 	/* found an available connection */
854 	cp->usedBit = B_TRUE;
855 	(void) rw_unlock(&sessionPoolLock);
856 	cp->threadID = thr_self();
857 	*conp = cp;
858 	return (cID);
859 }
860 
861 /*
862  * findConnection(): find an available connection from the list
863  * that matches the criteria specified in Connection structure.
864  * If serverAddr is NULL, then find a connection to any server
865  * as long as it matches the rest of the parameters.
866  * Returns: -1 = failure, the Connection ID found = success.
867  *
868  * This function could exit with sessionLock locked. It will be
869  * be unlocked in addConnection() when this thread adds the connection
870  * to the pool or in __s_api_getConnection() when it exits without getting a
871  * connection.
872  */
873 #define	TRY_TIMES	10
874 static int
875 findConnection(int flags, const char *serverAddr,
876 	const ns_cred_t *auth, Connection **conp)
877 {
878 	Connection *cp;
879 	int i, j, conn_server_index, up_server_index, drop_conn;
880 	int rc;
881 	int try;
882 	ns_server_info_t sinfo;
883 	ns_ldap_error_t *errorp = NULL;
884 	char **servers;
885 	void **paramVal = NULL;
886 #ifdef DEBUG
887 	thread_t t = thr_self();
888 #endif /* DEBUG */
889 
890 	if (auth == NULL || conp == NULL)
891 		return (-1);
892 	*conp = NULL;
893 
894 	/* if a new connection is requested, no need to continue */
895 	if (flags & NS_LDAP_NEW_CONN)
896 		return (-1);
897 
898 #ifdef DEBUG
899 	(void) fprintf(stderr, "tid= %d: Find connection\n", t);
900 	(void) fprintf(stderr, "tid= %d: Looking for ....\n", t);
901 	if (serverAddr && *serverAddr)
902 		(void) fprintf(stderr, "tid= %d: serverAddr=%s\n",
903 		    t, serverAddr);
904 	else
905 		(void) fprintf(stderr, "tid= %d: serverAddr=NULL\n", t);
906 	printCred(LOG_DEBUG, auth);
907 	fflush(stderr);
908 #endif /* DEBUG */
909 
910 	/*
911 	 * If multiple threads per connection not supported,
912 	 * no sessionPool means no connection
913 	 */
914 	(void) rw_rdlock(&sessionPoolLock);
915 	if (MTperConn == 0 && sessionPool == NULL) {
916 		(void) rw_unlock(&sessionPoolLock);
917 		return (-1);
918 	}
919 
920 	/*
921 	 * If no sharable connections in cache, then serialize the opening
922 	 * of connections. Make sure only one is being opened
923 	 * at a time. Otherwise, we may end up with more
924 	 * connections than we want (if multiple threads get
925 	 * here at the same time)
926 	 */
927 	(void) mutex_lock(&sharedConnNumberLock);
928 	if (sessionPool == NULL || (sharedConnNumber == 0 && MTperConn == 1)) {
929 		(void) mutex_unlock(&sharedConnNumberLock);
930 		(void) rw_unlock(&sessionPoolLock);
931 		(void) mutex_lock(&sessionLock);
932 		(void) mutex_lock(&sharedConnNumberLock);
933 		if (sessionPool == NULL || (sharedConnNumber == 0 &&
934 		    MTperConn == 1)) {
935 			(void) mutex_unlock(&sharedConnNumberLock);
936 			wait4session = 1;
937 			sessionTid = thr_self();
938 #ifdef DEBUG
939 			(void) fprintf(stderr, "tid= %d: get "
940 			    "connection ... \n", t);
941 			fflush(stderr);
942 #endif /* DEBUG */
943 			/*
944 			 * Exit with sessionLock locked. It will be
945 			 * be unlocked in addConnection() when this
946 			 * thread adds the connection to the pool or
947 			 * in __s_api_getConnection() when it exits
948 			 * without getting a connection.
949 			 */
950 			return (-1);
951 		}
952 
953 #ifdef DEBUG
954 		(void) fprintf(stderr, "tid= %d: shareable connections "
955 		    "exist\n", t);
956 		fflush(stderr);
957 #endif /* DEBUG */
958 		(void) mutex_unlock(&sharedConnNumberLock);
959 		/*
960 		 * There are sharable connections, check to see if
961 		 * one can be shared.
962 		 */
963 		(void) mutex_unlock(&sessionLock);
964 		(void) rw_rdlock(&sessionPoolLock);
965 	} else
966 		(void) mutex_unlock(&sharedConnNumberLock);
967 
968 	try = 0;
969 	check_again:
970 
971 	for (i = 0; i < sessionPoolSize; ++i) {
972 		if (sessionPool[i] == NULL)
973 			continue;
974 		cp = sessionPool[i];
975 #ifdef DEBUG
976 		(void) fprintf(stderr, "tid= %d: checking connection "
977 		    "[%d] ....\n", t, i);
978 		printConnection(LOG_DEBUG, cp);
979 #endif /* DEBUG */
980 		if ((cp->usedBit) || (cp->notAvail) ||
981 		    (cp->auth->auth.type != auth->auth.type) ||
982 		    (cp->auth->auth.tlstype != auth->auth.tlstype) ||
983 		    (cp->auth->auth.saslmech != auth->auth.saslmech) ||
984 		    (cp->auth->auth.saslopt != auth->auth.saslopt) ||
985 		    (serverAddr && *serverAddr &&
986 		    (strcasecmp(serverAddr, cp->serverAddr) != 0)))
987 			continue;
988 		if ((((cp->auth->auth.type == NS_LDAP_AUTH_SASL) &&
989 		    ((cp->auth->auth.saslmech == NS_LDAP_SASL_CRAM_MD5) ||
990 		    (cp->auth->auth.saslmech == NS_LDAP_SASL_DIGEST_MD5))) ||
991 		    (cp->auth->auth.type == NS_LDAP_AUTH_SIMPLE)) &&
992 		    ((cp->auth->cred.unix_cred.userID == NULL) ||
993 		    (cp->auth->cred.unix_cred.passwd == NULL) ||
994 		    ((strcasecmp(cp->auth->cred.unix_cred.userID,
995 		    auth->cred.unix_cred.userID) != 0)) ||
996 		    ((strcmp(cp->auth->cred.unix_cred.passwd,
997 		    auth->cred.unix_cred.passwd) != 0))))
998 				continue;
999 		if (!(serverAddr && *serverAddr)) {
1000 			/*
1001 			 * Get preferred server list.
1002 			 * When preferred servers are merged with default
1003 			 * servers (S_LDAP_SERVER_P) by __s_api_getServer,
1004 			 * preferred servers are copied sequencially.
1005 			 * The order should be the same as the order retrieved
1006 			 * by __ns_ldap_getParam.
1007 			 */
1008 			if ((rc = __ns_ldap_getParam(NS_LDAP_SERVER_PREF_P,
1009 			    &paramVal, &errorp)) != NS_LDAP_SUCCESS) {
1010 				(void) __ns_ldap_freeError(&errorp);
1011 				(void) __ns_ldap_freeParam(&paramVal);
1012 				(void) rw_unlock(&sessionPoolLock);
1013 				return (-1);
1014 			}
1015 			servers = (char **)paramVal;
1016 			/*
1017 			 * Do fallback only if preferred servers are defined.
1018 			 */
1019 			if (servers != NULL) {
1020 				/*
1021 				 * Find the 1st available server
1022 				 */
1023 				rc = __s_api_requestServer(NS_CACHE_NEW, NULL,
1024 				    &sinfo, &errorp, NS_CACHE_ADDR_IP);
1025 				if (rc != NS_LDAP_SUCCESS) {
1026 					/*
1027 					 * Drop the connection.
1028 					 * Pass 1 to fini so it won't be locked
1029 					 * inside _DropConnection
1030 					 */
1031 					_DropConnection(
1032 					    cp->connectionId,
1033 					    NS_LDAP_NEW_CONN, 1);
1034 					(void) rw_unlock(
1035 					    &sessionPoolLock);
1036 					(void) __ns_ldap_freeError(&errorp);
1037 					(void) __ns_ldap_freeParam(
1038 					    (void ***)&servers);
1039 					return (-1);
1040 				}
1041 
1042 				if (sinfo.server) {
1043 					/*
1044 					 * Test if cp->serverAddr is a
1045 					 * preferred server.
1046 					 */
1047 					conn_server_index = -1;
1048 					for (j = 0; servers[j] != NULL; j++) {
1049 						if (strcasecmp(servers[j],
1050 						    cp->serverAddr) == 0) {
1051 							conn_server_index = j;
1052 							break;
1053 						}
1054 					}
1055 					/*
1056 					 * Test if sinfo.server is a preferred
1057 					 * server.
1058 					 */
1059 					up_server_index = -1;
1060 					for (j = 0; servers[j] != NULL; j++) {
1061 						if (strcasecmp(sinfo.server,
1062 						    servers[j]) == 0) {
1063 							up_server_index = j;
1064 							break;
1065 						}
1066 					}
1067 
1068 					/*
1069 					 * The following code is to fall back
1070 					 * to preferred servers if servers
1071 					 * are previously down but are up now.
1072 					 * If cp->serverAddr is a preferred
1073 					 * server, it falls back to the servers
1074 					 * ahead of it. If cp->serverAddr is
1075 					 * not a preferred server, it falls
1076 					 * back to any of preferred servers
1077 					 * returned by ldap_cachemgr.
1078 					 */
1079 					if (conn_server_index >= 0 &&
1080 					    up_server_index >= 0) {
1081 						/*
1082 						 * cp->serverAddr and
1083 						 * sinfo.server are preferred
1084 						 * servers.
1085 						 */
1086 						if (up_server_index ==
1087 						    conn_server_index)
1088 							/*
1089 							 * sinfo.server is the
1090 							 * same as
1091 							 * cp->serverAddr.
1092 							 * Keep the connection.
1093 							 */
1094 							drop_conn = 0;
1095 						else
1096 							/*
1097 							 * 1.
1098 							 * up_server_index <
1099 							 * conn_server_index
1100 							 *
1101 							 * sinfo is ahead of
1102 							 * cp->serverAddr in
1103 							 * Need to fall back.
1104 							 * 2.
1105 							 * up_server_index >
1106 							 * conn_server_index
1107 							 * cp->serverAddr is
1108 							 * down. Drop it.
1109 							 */
1110 							drop_conn = 1;
1111 					} else if (conn_server_index >= 0 &&
1112 					    up_server_index == -1) {
1113 						/*
1114 						 * cp->serverAddr is a preferred
1115 						 * server but sinfo.server is
1116 						 * not. Preferred servers are
1117 						 * ahead of default servers.
1118 						 * This means cp->serverAddr is
1119 						 * down. Drop it.
1120 						 */
1121 						drop_conn = 1;
1122 					} else if (conn_server_index == -1 &&
1123 					    up_server_index >= 0) {
1124 						/*
1125 						 * cp->serverAddr is not a
1126 						 * preferred server but
1127 						 * sinfo.server is.
1128 						 * Fall back.
1129 						 */
1130 						drop_conn = 1;
1131 					} else {
1132 						/*
1133 						 * Both index are -1
1134 						 * cp->serverAddr and
1135 						 * sinfo.server are not
1136 						 * preferred servers.
1137 						 * No fallback.
1138 						 */
1139 						drop_conn = 0;
1140 					}
1141 					if (drop_conn) {
1142 						/*
1143 						 * Drop the connection so the
1144 						 * new conection can fall back
1145 						 * to a new server later.
1146 						 * Pass 1 to fini so it won't
1147 						 * be locked inside
1148 						 * _DropConnection
1149 						 */
1150 						_DropConnection(
1151 						    cp->connectionId,
1152 						    NS_LDAP_NEW_CONN, 1);
1153 						(void) rw_unlock(
1154 						    &sessionPoolLock);
1155 						(void) __ns_ldap_freeParam(
1156 						    (void ***)&servers);
1157 						__s_api_free_server_info(
1158 						    &sinfo);
1159 						return (-1);
1160 					} else {
1161 						/*
1162 						 * Keep the connection
1163 						 */
1164 						(void) __ns_ldap_freeParam(
1165 						    (void ***)&servers);
1166 						__s_api_free_server_info(
1167 						    &sinfo);
1168 					}
1169 				} else {
1170 					(void) rw_unlock(&sessionPoolLock);
1171 					syslog(LOG_WARNING, "libsldap: Null "
1172 					    "sinfo.server from "
1173 					    "__s_api_requestServer");
1174 					(void) __ns_ldap_freeParam(
1175 					    (void ***)&servers);
1176 					return (-1);
1177 				}
1178 			}
1179 		}
1180 
1181 		/* found an available connection */
1182 		if (MTperConn == 0)
1183 			cp->usedBit = B_TRUE;
1184 		else {
1185 			/*
1186 			 * if connection was established in a different
1187 			 * process, drop it and get a new one
1188 			 */
1189 			if (cp->pid != getpid()) {
1190 				(void) rw_unlock(&sessionPoolLock);
1191 				DropConnection(cp->connectionId,
1192 				    NS_LDAP_NEW_CONN);
1193 
1194 				goto get_conn;
1195 			}
1196 			/* allocate TSD for per thread ldap error */
1197 			rc = tsd_setup();
1198 
1199 			/* if we got TSD, this connection is shared */
1200 			if (rc != -1)
1201 				cp->shared++;
1202 			else if (cp->shared == 0) {
1203 				cp->usedBit = B_TRUE;
1204 				cp->threadID = thr_self();
1205 				(void) rw_unlock(&sessionPoolLock);
1206 				return (-1);
1207 			}
1208 		}
1209 		(void) rw_unlock(&sessionPoolLock);
1210 
1211 		*conp = cp;
1212 #ifdef DEBUG
1213 		(void) fprintf(stderr, "tid= %d: Connection found "
1214 		    "cID=%d, shared =%d\n", t, i, cp->shared);
1215 		fflush(stderr);
1216 #endif /* DEBUG */
1217 		return (i + CONID_OFFSET);
1218 	}
1219 
1220 	get_conn:
1221 
1222 	(void) rw_unlock(&sessionPoolLock);
1223 
1224 	/*
1225 	 * If multiple threads per connection not supported,
1226 	 * we are done, just return -1 to tell the caller to
1227 	 * proceed with opening a connection
1228 	 */
1229 	if (MTperConn == 0)
1230 		return (-1);
1231 
1232 	/*
1233 	 * No connection can be shared, test to see if
1234 	 * one is being opened. If trylock returns
1235 	 * EBUSY then it is, so wait until the opening
1236 	 * is done and try to see if the new connection
1237 	 * can be shared.
1238 	 */
1239 	rc = mutex_trylock(&sessionLock);
1240 	if (rc == EBUSY) {
1241 		(void) mutex_lock(&sessionLock);
1242 		(void) mutex_unlock(&sessionLock);
1243 		(void) rw_rdlock(&sessionPoolLock);
1244 #ifdef DEBUG
1245 		(void) fprintf(stderr, "tid= %d: check session "
1246 		    "pool again\n", t);
1247 		fflush(stderr);
1248 #endif /* DEBUG */
1249 		if (try < TRY_TIMES) {
1250 			try++;
1251 			goto check_again;
1252 		} else {
1253 			syslog(LOG_WARNING, "libsldap: mutex_trylock "
1254 			    "%d times. Stop.", TRY_TIMES);
1255 			(void) rw_unlock(&sessionPoolLock);
1256 			return (-1);
1257 		}
1258 	} else if (rc == 0) {
1259 		/*
1260 		 * No connection can be shared, none being opened,
1261 		 * exit with sessionLock locked to open one. The
1262 		 * mutex will be unlocked in addConnection() when
1263 		 * this thread adds the new connection to the pool
1264 		 * or in __s_api_getConnection() when it exits
1265 		 * without getting a connection.
1266 		 */
1267 		wait4session = 1;
1268 		sessionTid = thr_self();
1269 #ifdef DEBUG
1270 		(void) fprintf(stderr, "tid= %d: no connection found, "
1271 		    "none being opened, get connection ...\n", t);
1272 		fflush(stderr);
1273 #endif /* DEBUG */
1274 		return (-1);
1275 	} else {
1276 		syslog(LOG_WARNING, "libsldap: mutex_trylock unexpected "
1277 		    "error %d", rc);
1278 		return (-1);
1279 	}
1280 }
1281 
1282 /*
1283  * Free a Connection structure
1284  */
1285 static void
1286 freeConnection(Connection *con)
1287 {
1288 	if (con == NULL)
1289 		return;
1290 	if (con->serverAddr)
1291 		free(con->serverAddr);
1292 	if (con->auth)
1293 		(void) __ns_ldap_freeCred(&(con->auth));
1294 	if (con->saslMechanisms) {
1295 		__s_api_free2dArray(con->saslMechanisms);
1296 	}
1297 	if (con->controls) {
1298 		__s_api_free2dArray(con->controls);
1299 	}
1300 	free(con);
1301 }
1302 
1303 /*
1304  * Find a connection matching the passed in criteria.  If an open
1305  * connection with that criteria exists use it, otherwise open a
1306  * new connection.
1307  * Success: returns the pointer to the Connection structure
1308  * Failure: returns NULL, error code and message should be in errorp
1309  */
1310 
1311 static int
1312 makeConnection(Connection **conp, const char *serverAddr,
1313 	const ns_cred_t *auth, ConnectionID *cID, int timeoutSec,
1314 	ns_ldap_error_t **errorp, int fail_if_new_pwd_reqd,
1315 	int nopasswd_acct_mgmt, int flags, char ***badsrvrs)
1316 {
1317 	Connection *con = NULL;
1318 	ConnectionID id;
1319 	char errmsg[MAXERROR];
1320 	int rc, exit_rc = NS_LDAP_SUCCESS;
1321 	ns_server_info_t sinfo;
1322 	char *hReq, *host = NULL;
1323 	LDAP *ld = NULL;
1324 	int passwd_mgmt = 0;
1325 	int totalbad = 0; /* Number of servers contacted unsuccessfully */
1326 	short	memerr = 0; /* Variable for tracking memory allocation */
1327 	char *serverAddrType = NULL, **bindHost = NULL;
1328 
1329 
1330 	if (conp == NULL || errorp == NULL || auth == NULL)
1331 		return (NS_LDAP_INVALID_PARAM);
1332 	*errorp = NULL;
1333 	*conp = NULL;
1334 	(void) memset(&sinfo, 0, sizeof (sinfo));
1335 
1336 	if ((wait4session == 0 || sessionTid != thr_self()) &&
1337 	    (id = findConnection(flags, serverAddr, auth, &con)) != -1) {
1338 		/* connection found in cache */
1339 #ifdef DEBUG
1340 		(void) fprintf(stderr, "tid= %d: connection found in "
1341 		    "cache %d\n", thr_self(), id);
1342 		fflush(stderr);
1343 #endif /* DEBUG */
1344 		*cID = id;
1345 		*conp = con;
1346 		return (NS_LDAP_SUCCESS);
1347 	}
1348 
1349 	if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI) {
1350 		serverAddrType = NS_CACHE_ADDR_HOSTNAME;
1351 		bindHost = &sinfo.serverFQDN;
1352 	} else {
1353 		serverAddrType = NS_CACHE_ADDR_IP;
1354 		bindHost = &sinfo.server;
1355 	}
1356 
1357 	if (serverAddr) {
1358 		rc = __s_api_requestServer(NS_CACHE_NEW, serverAddr,
1359 		    &sinfo, errorp, serverAddrType);
1360 		if (rc != NS_LDAP_SUCCESS || sinfo.server == NULL) {
1361 			(void) snprintf(errmsg, sizeof (errmsg),
1362 			gettext("makeConnection: unable to get "
1363 			"server information for %s"), serverAddr);
1364 			syslog(LOG_ERR, "libsldap: %s", errmsg);
1365 			return (NS_LDAP_OP_FAILED);
1366 		}
1367 		rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp,
1368 		    fail_if_new_pwd_reqd, passwd_mgmt);
1369 		if (rc == NS_LDAP_SUCCESS || rc ==
1370 		    NS_LDAP_SUCCESS_WITH_INFO) {
1371 			exit_rc = rc;
1372 			goto create_con;
1373 		} else {
1374 			return (rc);
1375 		}
1376 	}
1377 
1378 	/* No cached connection, create one */
1379 	for (; ; ) {
1380 		if (host == NULL)
1381 			hReq = NS_CACHE_NEW;
1382 		else
1383 			hReq = NS_CACHE_NEXT;
1384 		rc = __s_api_requestServer(hReq, host, &sinfo, errorp,
1385 		    serverAddrType);
1386 		if ((rc != NS_LDAP_SUCCESS) || (sinfo.server == NULL) ||
1387 		    (host && (strcasecmp(host, sinfo.server) == 0))) {
1388 			/* Log the error */
1389 			if (*errorp) {
1390 				(void) snprintf(errmsg, sizeof (errmsg),
1391 				"%s: (%s)", gettext("makeConnection: "
1392 				"unable to make LDAP connection, "
1393 				"request for a server failed"),
1394 				    (*errorp)->message);
1395 				syslog(LOG_ERR, "libsldap: %s", errmsg);
1396 			}
1397 
1398 			__s_api_free_server_info(&sinfo);
1399 			if (host)
1400 				free(host);
1401 			return (NS_LDAP_OP_FAILED);
1402 		}
1403 		if (host)
1404 			free(host);
1405 		host = strdup(sinfo.server);
1406 		if (host == NULL) {
1407 			__s_api_free_server_info(&sinfo);
1408 			return (NS_LDAP_MEMORY);
1409 		}
1410 
1411 		/* check if server supports password management */
1412 		passwd_mgmt = __s_api_contain_passwd_control_oid(
1413 		    sinfo.controls);
1414 		/* check if server supports password less account mgmt */
1415 		if (nopasswd_acct_mgmt &&
1416 		    !__s_api_contain_account_usable_control_oid(
1417 		    sinfo.controls)) {
1418 			syslog(LOG_WARNING, "libsldap: server %s does not "
1419 			    "provide account information without password",
1420 			    host);
1421 			free(host);
1422 			__s_api_free_server_info(&sinfo);
1423 			return (NS_LDAP_OP_FAILED);
1424 		}
1425 		/* make the connection */
1426 		rc = openConnection(&ld, *bindHost, auth, timeoutSec, errorp,
1427 		    fail_if_new_pwd_reqd, passwd_mgmt);
1428 		/* if success, go to create connection structure */
1429 		if (rc == NS_LDAP_SUCCESS ||
1430 		    rc == NS_LDAP_SUCCESS_WITH_INFO) {
1431 			exit_rc = rc;
1432 			break;
1433 		}
1434 
1435 		/*
1436 		 * If not able to reach the server, inform the ldap
1437 		 * cache manager that the server should be removed
1438 		 * from its server list. Thus, the manager will not
1439 		 * return this server on the next get-server request
1440 		 * and will also reduce the server list refresh TTL,
1441 		 * so that it will find out sooner when the server
1442 		 * is up again.
1443 		 */
1444 		if (rc == NS_LDAP_INTERNAL && *errorp != NULL) {
1445 			if ((*errorp)->status == LDAP_CONNECT_ERROR ||
1446 			    (*errorp)->status == LDAP_SERVER_DOWN) {
1447 				/* Reset memory allocation error */
1448 				memerr = 0;
1449 				/*
1450 				 * We contacted a server that we could
1451 				 * not either authenticate to or contact.
1452 				 * If it is due to authentication, then
1453 				 * we need to try the server again. So,
1454 				 * do not remove the server yet, but
1455 				 * add it to the bad server list.
1456 				 * The caller routine will remove
1457 				 * the servers if:
1458 				 *	a). A good server is found or
1459 				 *	b). All the possible methods
1460 				 *	    are tried without finding
1461 				 *	    a good server
1462 				 */
1463 				if (*badsrvrs == NULL) {
1464 					if (!(*badsrvrs = (char **)malloc
1465 					    (sizeof (char *) * NUMTOMALLOC))) {
1466 						memerr = 1;
1467 					}
1468 				/* Allocate memory in chunks of NUMTOMALLOC */
1469 				} else if ((totalbad % NUMTOMALLOC) ==
1470 				    NUMTOMALLOC - 1) {
1471 					char **tmpptr;
1472 					if (!(tmpptr = (char **)realloc(
1473 					    *badsrvrs,
1474 					    (sizeof (char *) * NUMTOMALLOC *
1475 					    ((totalbad/NUMTOMALLOC) + 2))))) {
1476 						memerr = 1;
1477 					} else {
1478 						*badsrvrs = tmpptr;
1479 					}
1480 				}
1481 				/*
1482 				 * Store host only if there were no unsuccessful
1483 				 * memory allocations above
1484 				 */
1485 				if (!memerr &&
1486 				    !((*badsrvrs)[totalbad++] = strdup(host))) {
1487 					memerr = 1;
1488 					totalbad--;
1489 				}
1490 				(*badsrvrs)[totalbad] = NULL;
1491 			}
1492 		}
1493 
1494 		/* else, cleanup and go for the next server */
1495 		__s_api_free_server_info(&sinfo);
1496 
1497 		/* Return if we had memory allocation errors */
1498 		if (memerr)
1499 			return (NS_LDAP_MEMORY);
1500 		if (*errorp) {
1501 			/*
1502 			 * If openConnection() failed due to
1503 			 * password policy, or invalid credential,
1504 			 * keep *errorp and exit
1505 			 */
1506 			if ((*errorp)->pwd_mgmt.status != NS_PASSWD_GOOD ||
1507 			    (*errorp)->status == LDAP_INVALID_CREDENTIALS) {
1508 				free(host);
1509 				return (rc);
1510 			} else {
1511 				(void) __ns_ldap_freeError(errorp);
1512 				*errorp = NULL;
1513 			}
1514 		}
1515 	}
1516 
1517 create_con:
1518 	/* we have created ld, setup con structure */
1519 	if (host)
1520 		free(host);
1521 	if ((con = calloc(1, sizeof (Connection))) == NULL) {
1522 		__s_api_free_server_info(&sinfo);
1523 		/*
1524 		 * If password control attached in **errorp,
1525 		 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
1526 		 * free the error structure
1527 		 */
1528 		if (*errorp) {
1529 			(void) __ns_ldap_freeError(errorp);
1530 			*errorp = NULL;
1531 		}
1532 		return (NS_LDAP_MEMORY);
1533 	}
1534 
1535 	con->serverAddr = sinfo.server; /* Store original format */
1536 	if (sinfo.serverFQDN != NULL) {
1537 		free(sinfo.serverFQDN);
1538 		sinfo.serverFQDN = NULL;
1539 	}
1540 	con->saslMechanisms = sinfo.saslMechanisms;
1541 	con->controls = sinfo.controls;
1542 
1543 	con->auth = __ns_ldap_dupAuth(auth);
1544 	if (con->auth == NULL) {
1545 		free(con);
1546 		/*
1547 		 * If password control attached in **errorp,
1548 		 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
1549 		 * free the error structure
1550 		 */
1551 		if (*errorp) {
1552 			(void) __ns_ldap_freeError(errorp);
1553 			*errorp = NULL;
1554 		}
1555 		return (NS_LDAP_MEMORY);
1556 	}
1557 
1558 	con->threadID = thr_self();
1559 	con->pid = getpid();
1560 
1561 	con->ld = ld;
1562 	if ((id = addConnection(con)) == -1) {
1563 		freeConnection(con);
1564 		/*
1565 		 * If password control attached in **errorp,
1566 		 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
1567 		 * free the error structure
1568 		 */
1569 		if (*errorp) {
1570 			(void) __ns_ldap_freeError(errorp);
1571 			*errorp = NULL;
1572 		}
1573 		return (NS_LDAP_MEMORY);
1574 	}
1575 #ifdef DEBUG
1576 	(void) fprintf(stderr, "tid= %d: connection added into "
1577 	    "cache %d\n", thr_self(), id);
1578 	fflush(stderr);
1579 #endif /* DEBUG */
1580 	*cID = id;
1581 	*conp = con;
1582 	return (exit_rc);
1583 }
1584 
1585 /*
1586  * Return the specified connection to the pool.  If necessary
1587  * delete the connection.
1588  */
1589 
1590 static void
1591 _DropConnection(ConnectionID cID, int flag, int fini)
1592 {
1593 	Connection *cp;
1594 	int id;
1595 	int use_lock = !fini;
1596 #ifdef DEBUG
1597 	thread_t t = thr_self();
1598 #endif /* DEBUG */
1599 
1600 	id = cID - CONID_OFFSET;
1601 	if (id < 0 || id >= sessionPoolSize)
1602 		return;
1603 #ifdef DEBUG
1604 	(void) fprintf(stderr, "tid= %d: "
1605 	    "Dropping connection cID=%d flag=0x%x, fini = %d\n",
1606 	    t, cID, flag, fini);
1607 	fflush(stderr);
1608 #endif /* DEBUG */
1609 	if (use_lock)
1610 		(void) rw_wrlock(&sessionPoolLock);
1611 
1612 	cp = sessionPool[id];
1613 	/* sanity check before removing */
1614 	if (!cp || (!fini && !cp->shared && !cp->usedBit)) {
1615 #ifdef DEBUG
1616 		if (cp == NULL)
1617 			(void) fprintf(stderr, "tid= %d: no "
1618 			    "need to remove (fini = %d, cp = %p)\n", t,
1619 			    fini, cp);
1620 		else
1621 			(void) fprintf(stderr, "tid= %d: no "
1622 			    "need to remove (fini = %d, cp = %p, shared = %d)"
1623 			    "\n", t, fini, cp, cp->shared);
1624 		fflush(stderr);
1625 #endif /* DEBUG */
1626 		if (use_lock)
1627 			(void) rw_unlock(&sessionPoolLock);
1628 		return;
1629 	}
1630 
1631 	if (!fini &&
1632 	    ((flag & NS_LDAP_NEW_CONN) == 0) && !cp->notAvail &&
1633 	    ((flag & NS_LDAP_KEEP_CONN) ||
1634 	    (MTperConn == 0 && nscd_proc()) ||
1635 	    MTperConn)) {
1636 #ifdef DEBUG
1637 		(void) fprintf(stderr, "tid= %d: keep alive (fini = %d "
1638 		    "shared = %d)\n", t, fini, cp->shared);
1639 #endif /* DEBUG */
1640 		/* release Connection (keep alive) */
1641 		if (cp->shared)
1642 			cp->shared--;
1643 		cp->usedBit = B_FALSE;
1644 		cp->threadID = 0;	/* unmark the threadID */
1645 		if (use_lock)
1646 			(void) rw_unlock(&sessionPoolLock);
1647 	} else {
1648 		/* delete Connection (disconnect) */
1649 		if (cp->shared > 0) {
1650 #ifdef DEBUG
1651 		(void) fprintf(stderr, "tid= %d: Connection no "
1652 		    "longer available (fini = %d, shared = %d)\n",
1653 		    t, fini, cp->shared);
1654 		fflush(stderr);
1655 #endif /* DEBUG */
1656 			cp->shared--;
1657 			/*
1658 			 * Mark this connection not available and decrement
1659 			 * sharedConnNumber. There could be multiple threads
1660 			 * sharing this connection so decrement
1661 			 * sharedConnNumber only once per connection.
1662 			 */
1663 			if (cp->notAvail == 0) {
1664 				cp->notAvail = 1;
1665 				(void) mutex_lock(&sharedConnNumberLock);
1666 				sharedConnNumber--;
1667 				(void) mutex_unlock(&sharedConnNumberLock);
1668 			}
1669 		}
1670 
1671 		if (cp->shared <= 0) {
1672 #ifdef DEBUG
1673 			(void) fprintf(stderr, "tid= %d: unbind "
1674 			    "(fini = %d, shared = %d)\n",
1675 			    t, fini, cp->shared);
1676 			fflush(stderr);
1677 #endif /* DEBUG */
1678 			sessionPool[id] = NULL;
1679 			(void) ldap_unbind(cp->ld);
1680 			freeConnection(cp);
1681 		}
1682 
1683 		if (use_lock)
1684 			(void) rw_unlock(&sessionPoolLock);
1685 	}
1686 }
1687 
1688 void
1689 DropConnection(ConnectionID cID, int flag)
1690 {
1691 	_DropConnection(cID, flag, 0);
1692 }
1693 
1694 /*
1695  * This routine is called after a bind operation is
1696  * done in openConnection() to process the password
1697  * management information, if any.
1698  *
1699  * Input:
1700  *   bind_type: "simple" or "sasl/DIGEST-MD5"
1701  *   ldaprc   : ldap rc from the ldap bind operation
1702  *   controls : controls returned by the server
1703  *   errmsg   : error message from the server
1704  *   fail_if_new_pwd_reqd:
1705  *              flag indicating if connection should be open
1706  *              when password needs to change immediately
1707  *   passwd_mgmt:
1708  *              flag indicating if server supports password
1709  *              policy/management
1710  *
1711  * Output     : ns_ldap_error structure, which may contain
1712  *              password status and number of seconds until
1713  *              expired
1714  *
1715  * return rc:
1716  * NS_LDAP_EXTERNAL: error, connection should not open
1717  * NS_LDAP_SUCCESS_WITH_INFO: OK to open but password info attached
1718  * NS_LDAP_SUCCESS: OK to open connection
1719  *
1720  */
1721 
1722 static int
1723 process_pwd_mgmt(char *bind_type, int ldaprc,
1724 		LDAPControl **controls,
1725 		char *errmsg, ns_ldap_error_t **errorp,
1726 		int fail_if_new_pwd_reqd,
1727 		int passwd_mgmt)
1728 {
1729 	char		errstr[MAXERROR];
1730 	LDAPControl	**ctrl = NULL;
1731 	int		exit_rc;
1732 	ns_ldap_passwd_status_t	pwd_status = NS_PASSWD_GOOD;
1733 	int		sec_until_exp = 0;
1734 
1735 	/*
1736 	 * errmsg may be an empty string,
1737 	 * even if ldaprc is LDAP_SUCCESS,
1738 	 * free the empty string if that's the case
1739 	 */
1740 	if (errmsg &&
1741 	    (*errmsg == '\0' || ldaprc == LDAP_SUCCESS)) {
1742 		ldap_memfree(errmsg);
1743 		errmsg = NULL;
1744 	}
1745 
1746 	if (ldaprc != LDAP_SUCCESS) {
1747 		/*
1748 		 * try to map ldap rc and error message to
1749 		 * a password status
1750 		 */
1751 		if (errmsg) {
1752 			if (passwd_mgmt)
1753 				pwd_status =
1754 				    __s_api_set_passwd_status(
1755 				    ldaprc, errmsg);
1756 			ldap_memfree(errmsg);
1757 		}
1758 
1759 		(void) snprintf(errstr, sizeof (errstr),
1760 		    gettext("openConnection: "
1761 		    "%s bind failed "
1762 		    "- %s"), bind_type, ldap_err2string(ldaprc));
1763 
1764 		if (pwd_status != NS_PASSWD_GOOD) {
1765 			MKERROR_PWD_MGMT(*errorp,
1766 			    ldaprc, strdup(errstr),
1767 			    pwd_status, 0, NULL);
1768 		} else {
1769 			MKERROR(LOG_ERR, *errorp, ldaprc, strdup(errstr),
1770 			    NULL);
1771 		}
1772 		if (controls)
1773 			ldap_controls_free(controls);
1774 
1775 		return (NS_LDAP_INTERNAL);
1776 	}
1777 
1778 	/*
1779 	 * ldaprc is LDAP_SUCCESS,
1780 	 * process the password management controls, if any
1781 	 */
1782 	exit_rc = NS_LDAP_SUCCESS;
1783 	if (controls && passwd_mgmt) {
1784 		/*
1785 		 * The control with the OID
1786 		 * 2.16.840.1.113730.3.4.4 (or
1787 		 * LDAP_CONTROL_PWEXPIRED, as defined
1788 		 * in the ldap.h header file) is the
1789 		 * expired password control.
1790 		 *
1791 		 * This control is used if the server
1792 		 * is configured to require users to
1793 		 * change their passwords when first
1794 		 * logging in and whenever the
1795 		 * passwords are reset.
1796 		 *
1797 		 * If the user is logging in for the
1798 		 * first time or if the user's
1799 		 * password has been reset, the
1800 		 * server sends this control to
1801 		 * indicate that the client needs to
1802 		 * change the password immediately.
1803 		 *
1804 		 * At this point, the only operation
1805 		 * that the client can perform is to
1806 		 * change the user's password. If the
1807 		 * client requests any other LDAP
1808 		 * operation, the server sends back
1809 		 * an LDAP_UNWILLING_TO_PERFORM
1810 		 * result code with an expired
1811 		 * password control.
1812 		 *
1813 		 * The control with the OID
1814 		 * 2.16.840.1.113730.3.4.5 (or
1815 		 * LDAP_CONTROL_PWEXPIRING, as
1816 		 * defined in the ldap.h header file)
1817 		 * is the password expiration warning
1818 		 * control.
1819 		 *
1820 		 * This control is used if the server
1821 		 * is configured to expire user
1822 		 * passwords after a certain amount
1823 		 * of time.
1824 		 *
1825 		 * The server sends this control back
1826 		 * to the client if the client binds
1827 		 * using a password that will soon
1828 		 * expire.  The ldctl_value field of
1829 		 * the LDAPControl structure
1830 		 * specifies the number of seconds
1831 		 * before the password will expire.
1832 		 */
1833 		for (ctrl = controls; *ctrl; ctrl++) {
1834 
1835 			if (strcmp((*ctrl)->ldctl_oid,
1836 			    LDAP_CONTROL_PWEXPIRED) == 0) {
1837 				/*
1838 				 * if the caller wants this bind
1839 				 * to fail, set up the error info.
1840 				 * If call to this function is
1841 				 * for searching the LDAP directory,
1842 				 * e.g., __ns_ldap_list(),
1843 				 * there's really no sense to
1844 				 * let a connection open and
1845 				 * then fail immediately afterward
1846 				 * on the LDAP search operation with
1847 				 * the LDAP_UNWILLING_TO_PERFORM rc
1848 				 */
1849 				pwd_status =
1850 				    NS_PASSWD_CHANGE_NEEDED;
1851 				if (fail_if_new_pwd_reqd) {
1852 					(void) snprintf(errstr,
1853 					    sizeof (errstr),
1854 					    gettext(
1855 					    "openConnection: "
1856 					    "%s bind "
1857 					    "failed "
1858 					    "- password "
1859 					    "expired. It "
1860 					    " needs to change "
1861 					    "immediately!"),
1862 					    bind_type);
1863 					MKERROR_PWD_MGMT(*errorp,
1864 					    LDAP_SUCCESS,
1865 					    strdup(errstr),
1866 					    pwd_status,
1867 					    0,
1868 					    NULL);
1869 					exit_rc = NS_LDAP_INTERNAL;
1870 				} else {
1871 					MKERROR_PWD_MGMT(*errorp,
1872 					    LDAP_SUCCESS,
1873 					    NULL,
1874 					    pwd_status,
1875 					    0,
1876 					    NULL);
1877 					exit_rc =
1878 					    NS_LDAP_SUCCESS_WITH_INFO;
1879 				}
1880 				break;
1881 			} else if (strcmp((*ctrl)->ldctl_oid,
1882 			    LDAP_CONTROL_PWEXPIRING) == 0) {
1883 				pwd_status =
1884 				    NS_PASSWD_ABOUT_TO_EXPIRE;
1885 				if ((*ctrl)->
1886 				    ldctl_value.bv_len > 0 &&
1887 				    (*ctrl)->
1888 				    ldctl_value.bv_val)
1889 					sec_until_exp =
1890 					    atoi((*ctrl)->
1891 					    ldctl_value.bv_val);
1892 				MKERROR_PWD_MGMT(*errorp,
1893 				    LDAP_SUCCESS,
1894 				    NULL,
1895 				    pwd_status,
1896 				    sec_until_exp,
1897 				    NULL);
1898 				exit_rc =
1899 				    NS_LDAP_SUCCESS_WITH_INFO;
1900 				break;
1901 			}
1902 		}
1903 	}
1904 
1905 	if (controls)
1906 		ldap_controls_free(controls);
1907 
1908 	return (exit_rc);
1909 }
1910 
1911 static int
1912 ldap_in_hosts_switch()
1913 {
1914 	enum __nsw_parse_err		pserr;
1915 	struct __nsw_switchconfig	*conf;
1916 	struct __nsw_lookup		*lkp;
1917 	const char			*name;
1918 	int				found = 0;
1919 
1920 	conf = __nsw_getconfig("hosts", &pserr);
1921 	if (conf == NULL) {
1922 		return (-1);
1923 	}
1924 
1925 	/* check for skip and count other backends */
1926 	for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) {
1927 		name = lkp->service_name;
1928 		if (strcmp(name, "ldap") == 0) {
1929 			found = 1;
1930 			break;
1931 		}
1932 	}
1933 	__nsw_freeconfig(conf);
1934 	return (found);
1935 }
1936 
1937 static int
1938 openConnection(LDAP **ldp, const char *serverAddr, const ns_cred_t *auth,
1939 	int timeoutSec, ns_ldap_error_t **errorp,
1940 	int fail_if_new_pwd_reqd, int passwd_mgmt)
1941 {
1942 	LDAP		*ld = NULL;
1943 	char		*binddn, *passwd;
1944 	char		*digest_md5_name;
1945 	const char	*s;
1946 	int		ldapVersion = LDAP_VERSION3;
1947 	int		derefOption = LDAP_DEREF_ALWAYS;
1948 	int		zero = 0;
1949 	int		rc;
1950 	char		errstr[MAXERROR];
1951 	int		errnum = 0;
1952 	LDAPMessage	*resultMsg;
1953 	int		msgId;
1954 	int		useSSL = 0, port = 0;
1955 	struct timeval	tv;
1956 	AuthType_t	bindType;
1957 	int		timeoutMilliSec = timeoutSec * 1000;
1958 	struct berval	cred;
1959 	char		*sslServerAddr;
1960 	char		*s1;
1961 	char		*errmsg, *end = NULL;
1962 	LDAPControl	**controls;
1963 	int		pwd_rc, min_ssf = MIN_SASL_SSF, max_ssf = MAX_SASL_SSF;
1964 	ns_sasl_cb_param_t	sasl_param;
1965 
1966 	*errorp = NULL;
1967 	*ldp = NULL;
1968 
1969 	switch (auth->auth.type) {
1970 		case NS_LDAP_AUTH_NONE:
1971 		case NS_LDAP_AUTH_SIMPLE:
1972 		case NS_LDAP_AUTH_SASL:
1973 			bindType = auth->auth.type;
1974 			break;
1975 		case NS_LDAP_AUTH_TLS:
1976 			useSSL = 1;
1977 			switch (auth->auth.tlstype) {
1978 				case NS_LDAP_TLS_NONE:
1979 					bindType = NS_LDAP_AUTH_NONE;
1980 					break;
1981 				case NS_LDAP_TLS_SIMPLE:
1982 					bindType = NS_LDAP_AUTH_SIMPLE;
1983 					break;
1984 				case NS_LDAP_TLS_SASL:
1985 					bindType = NS_LDAP_AUTH_SASL;
1986 					break;
1987 				default:
1988 					(void) sprintf(errstr,
1989 					gettext("openConnection: unsupported "
1990 					    "TLS authentication method "
1991 					    "(%d)"), auth->auth.tlstype);
1992 					MKERROR(LOG_WARNING, *errorp,
1993 					    LDAP_AUTH_METHOD_NOT_SUPPORTED,
1994 					    strdup(errstr), NULL);
1995 					return (NS_LDAP_INTERNAL);
1996 			}
1997 			break;
1998 		default:
1999 			(void) sprintf(errstr,
2000 			    gettext("openConnection: unsupported "
2001 			    "authentication method (%d)"), auth->auth.type);
2002 			MKERROR(LOG_WARNING, *errorp,
2003 			    LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr),
2004 			    NULL);
2005 			return (NS_LDAP_INTERNAL);
2006 	}
2007 
2008 	if (useSSL) {
2009 		const char	*hostcertpath;
2010 		char		*alloc_hcp = NULL;
2011 #ifdef DEBUG
2012 		(void) fprintf(stderr, "tid= %d: +++TLS transport\n",
2013 		    thr_self());
2014 #endif /* DEBUG */
2015 
2016 		if (prldap_set_session_option(NULL, NULL,
2017 		    PRLDAP_OPT_IO_MAX_TIMEOUT,
2018 		    timeoutMilliSec) != LDAP_SUCCESS) {
2019 			(void) snprintf(errstr, sizeof (errstr),
2020 			    gettext("openConnection: failed to initialize "
2021 			    "TLS security"));
2022 			MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
2023 			    strdup(errstr), NULL);
2024 			return (NS_LDAP_INTERNAL);
2025 		}
2026 
2027 		hostcertpath = auth->hostcertpath;
2028 		if (hostcertpath == NULL) {
2029 			alloc_hcp = __s_get_hostcertpath();
2030 			hostcertpath = alloc_hcp;
2031 		}
2032 
2033 		if (hostcertpath == NULL)
2034 			return (NS_LDAP_MEMORY);
2035 
2036 		if ((rc = ldapssl_client_init(hostcertpath, NULL)) < 0) {
2037 			if (alloc_hcp)
2038 				free(alloc_hcp);
2039 			(void) snprintf(errstr, sizeof (errstr),
2040 			    gettext("openConnection: failed to initialize "
2041 			    "TLS security (%s)"),
2042 			    ldapssl_err2string(rc));
2043 			MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
2044 			    strdup(errstr), NULL);
2045 			return (NS_LDAP_INTERNAL);
2046 		}
2047 		if (alloc_hcp)
2048 			free(alloc_hcp);
2049 
2050 		/* determine if the host name contains a port number */
2051 		s = strchr(serverAddr, ']');	/* skip over ipv6 addr */
2052 		if (s == NULL)
2053 			s = serverAddr;
2054 		s = strchr(s, ':');
2055 		if (s != NULL) {
2056 			/*
2057 			 * If we do get a port number, we will try stripping
2058 			 * it. At present, referrals will always have a
2059 			 * port number.
2060 			 */
2061 			sslServerAddr = strdup(serverAddr);
2062 			if (sslServerAddr == NULL)
2063 				return (NS_LDAP_MEMORY);
2064 			s1 = strrchr(sslServerAddr, ':');
2065 			if (s1 != NULL)
2066 				*s1 = '\0';
2067 			(void) snprintf(errstr, sizeof (errstr),
2068 			    gettext("openConnection: cannot use tls with %s. "
2069 			    "Trying %s"),
2070 			    serverAddr, sslServerAddr);
2071 			syslog(LOG_ERR, "libsldap: %s", errstr);
2072 		} else
2073 			sslServerAddr = (char *)serverAddr;
2074 
2075 		ld = ldapssl_init(sslServerAddr, LDAPS_PORT, 1);
2076 
2077 		if (sslServerAddr != serverAddr)
2078 			free(sslServerAddr);
2079 
2080 		if (ld == NULL ||
2081 		    ldapssl_install_gethostbyaddr(ld, "ldap") != 0) {
2082 			(void) snprintf(errstr, sizeof (errstr),
2083 			    gettext("openConnection: failed to connect "
2084 			    "using TLS (%s)"), strerror(errno));
2085 			MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
2086 			    strdup(errstr), NULL);
2087 			return (NS_LDAP_INTERNAL);
2088 		}
2089 	} else {
2090 #ifdef DEBUG
2091 		(void) fprintf(stderr, "tid= %d: +++Unsecure transport\n",
2092 		    thr_self());
2093 #endif /* DEBUG */
2094 		port = LDAP_PORT;
2095 		if (auth->auth.saslmech == NS_LDAP_SASL_GSSAPI &&
2096 		    (end = strchr(serverAddr, ':')) != NULL) {
2097 			/*
2098 			 * The IP is converted to hostname so it's a
2099 			 * hostname:port up to this point.
2100 			 *
2101 			 * libldap passes hostname:port to the sasl layer.
2102 			 * The ldap service principal is constructed as
2103 			 * ldap/hostname:port@REALM. Kerberos authentication
2104 			 * will fail. So it needs to be parsed to construct
2105 			 * a valid principal ldap/hostname@REALM.
2106 			 *
2107 			 * For useSSL case above, it already parses port so
2108 			 * no need to parse serverAddr
2109 			 */
2110 			*end = '\0';
2111 			port = atoi(end + 1);
2112 		}
2113 
2114 		/* Warning message IF cannot connect to host(s) */
2115 		if ((ld = ldap_init((char *)serverAddr, port)) == NULL) {
2116 			char *p = strerror(errno);
2117 			MKERROR(LOG_WARNING, *errorp, LDAP_CONNECT_ERROR,
2118 			    strdup(p), NULL);
2119 			if (end)
2120 				*end = ':';
2121 			return (NS_LDAP_INTERNAL);
2122 		} else {
2123 			if (end)
2124 				*end = ':';
2125 			/* check and avoid gethostname recursion */
2126 			if (ldap_in_hosts_switch() > 0 &&
2127 			    ! __s_api_isipv4((char *)serverAddr) &&
2128 			    ! __s_api_isipv6((char *)serverAddr)) {
2129 				/* host: ldap - found, attempt to recover */
2130 				if (ldap_set_option(ld, LDAP_X_OPT_DNS_SKIPDB,
2131 				    "ldap") != 0) {
2132 					(void) snprintf(errstr, sizeof (errstr),
2133 					    gettext("openConnection: "
2134 					    "unrecoverable gethostname "
2135 					    "recursion detected "
2136 					    "in /etc/nsswitch.conf"));
2137 					MKERROR(LOG_WARNING, *errorp,
2138 					    LDAP_CONNECT_ERROR,
2139 					    strdup(errstr), NULL);
2140 					(void) ldap_unbind(ld);
2141 					return (NS_LDAP_INTERNAL);
2142 				}
2143 			}
2144 		}
2145 	}
2146 
2147 	ns_setup_mt_conn_and_tsd(ld);
2148 	(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldapVersion);
2149 	(void) ldap_set_option(ld, LDAP_OPT_DEREF, &derefOption);
2150 	/*
2151 	 * set LDAP_OPT_REFERRALS to OFF.
2152 	 * This library will handle the referral itself
2153 	 * based on API flags or configuration file
2154 	 * specification. If this option is not set
2155 	 * to OFF, libldap will never pass the
2156 	 * referral info up to this library
2157 	 */
2158 	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
2159 	(void) ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &zero);
2160 	(void) ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &zero);
2161 	/* setup TCP/IP connect timeout */
2162 	(void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT,
2163 	    &timeoutMilliSec);
2164 	/* retry if LDAP I/O was interrupted */
2165 	(void) ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
2166 
2167 	switch (bindType) {
2168 	case NS_LDAP_AUTH_NONE:
2169 #ifdef DEBUG
2170 		(void) fprintf(stderr, "tid= %d: +++Anonymous bind\n",
2171 		    thr_self());
2172 #endif /* DEBUG */
2173 		break;
2174 	case NS_LDAP_AUTH_SIMPLE:
2175 		binddn = auth->cred.unix_cred.userID;
2176 		passwd = auth->cred.unix_cred.passwd;
2177 		if (passwd == NULL || *passwd == '\0' ||
2178 		    binddn == NULL || *binddn == '\0') {
2179 			(void) sprintf(errstr, gettext("openConnection: "
2180 			    "missing credentials for Simple bind"));
2181 			MKERROR(LOG_WARNING, *errorp, LDAP_INVALID_CREDENTIALS,
2182 			    strdup(errstr), NULL);
2183 			(void) ldap_unbind(ld);
2184 			return (NS_LDAP_INTERNAL);
2185 		}
2186 
2187 #ifdef DEBUG
2188 		(void) fprintf(stderr, "tid= %d: +++Simple bind\n",
2189 		    thr_self());
2190 #endif /* DEBUG */
2191 		msgId = ldap_simple_bind(ld, binddn, passwd);
2192 
2193 		if (msgId == -1) {
2194 			(void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER,
2195 			    (void *)&errnum);
2196 			(void) snprintf(errstr, sizeof (errstr),
2197 			    gettext("openConnection: simple bind failed "
2198 			    "- %s"), ldap_err2string(errnum));
2199 			(void) ldap_unbind(ld);
2200 			MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr),
2201 			    NULL);
2202 			return (NS_LDAP_INTERNAL);
2203 		}
2204 
2205 		tv.tv_sec = timeoutSec;
2206 		tv.tv_usec = 0;
2207 		rc = ldap_result(ld, msgId, 0, &tv, &resultMsg);
2208 
2209 		if ((rc == -1) || (rc == 0)) {
2210 			(void) ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER,
2211 			    (void *)&errnum);
2212 			(void) snprintf(errstr, sizeof (errstr),
2213 			    gettext("openConnection: simple bind failed "
2214 			    "- %s"), ldap_err2string(errnum));
2215 			(void) ldap_msgfree(resultMsg);
2216 			(void) ldap_unbind(ld);
2217 			MKERROR(LOG_WARNING, *errorp, errnum, strdup(errstr),
2218 			    NULL);
2219 			return (NS_LDAP_INTERNAL);
2220 		}
2221 
2222 		/*
2223 		 * get ldaprc, controls, and error msg
2224 		 */
2225 		rc = ldap_parse_result(ld, resultMsg, &errnum, NULL,
2226 		    &errmsg, NULL, &controls, 1);
2227 
2228 		if (rc != LDAP_SUCCESS) {
2229 			(void) snprintf(errstr, sizeof (errstr),
2230 			    gettext("openConnection: simple bind failed "
2231 			    "- unable to parse result"));
2232 			(void) ldap_unbind(ld);
2233 			MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
2234 			    strdup(errstr), NULL);
2235 			return (NS_LDAP_INTERNAL);
2236 		}
2237 
2238 		/* process the password management info, if any */
2239 		pwd_rc = process_pwd_mgmt("simple",
2240 		    errnum, controls, errmsg,
2241 		    errorp,
2242 		    fail_if_new_pwd_reqd,
2243 		    passwd_mgmt);
2244 
2245 		if (pwd_rc == NS_LDAP_INTERNAL) {
2246 			(void) ldap_unbind(ld);
2247 			return (pwd_rc);
2248 		}
2249 
2250 		if (pwd_rc == NS_LDAP_SUCCESS_WITH_INFO) {
2251 			*ldp = ld;
2252 			return (pwd_rc);
2253 		}
2254 
2255 		break;
2256 	case NS_LDAP_AUTH_SASL:
2257 		if (auth->auth.saslopt != NS_LDAP_SASLOPT_NONE &&
2258 		    auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) {
2259 			(void) sprintf(errstr,
2260 			    gettext("openConnection: SASL options are "
2261 			    "not supported (%d) for non-GSSAPI sasl bind"),
2262 			    auth->auth.saslopt);
2263 			MKERROR(LOG_WARNING, *errorp,
2264 			    LDAP_AUTH_METHOD_NOT_SUPPORTED,
2265 			    strdup(errstr), NULL);
2266 			(void) ldap_unbind(ld);
2267 			return (NS_LDAP_INTERNAL);
2268 		}
2269 		if (auth->auth.saslmech != NS_LDAP_SASL_GSSAPI) {
2270 			binddn = auth->cred.unix_cred.userID;
2271 			passwd = auth->cred.unix_cred.passwd;
2272 			if (passwd == NULL || *passwd == '\0' ||
2273 			    binddn == NULL || *binddn == '\0') {
2274 				(void) sprintf(errstr,
2275 				    gettext("openConnection: missing "
2276 				    "credentials for SASL bind"));
2277 				MKERROR(LOG_WARNING, *errorp,
2278 				    LDAP_INVALID_CREDENTIALS,
2279 				    strdup(errstr), NULL);
2280 				(void) ldap_unbind(ld);
2281 				return (NS_LDAP_INTERNAL);
2282 			}
2283 			cred.bv_val = passwd;
2284 			cred.bv_len = strlen(passwd);
2285 		}
2286 
2287 		switch (auth->auth.saslmech) {
2288 		case NS_LDAP_SASL_CRAM_MD5:
2289 			/*
2290 			 * NOTE: if iDS changes to support cram_md5,
2291 			 * please add password management code here.
2292 			 * Since ldap_sasl_cram_md5_bind_s does not
2293 			 * return anything that could be used to
2294 			 * extract the ldap rc/errmsg/control to
2295 			 * determine if bind failed due to password
2296 			 * policy, a new cram_md5_bind API will need
2297 			 * to be introduced. See
2298 			 * ldap_x_sasl_digest_md5_bind() and case
2299 			 * NS_LDAP_SASL_DIGEST_MD5 below for details.
2300 			 */
2301 			if ((rc = ldap_sasl_cram_md5_bind_s(ld, binddn,
2302 			    &cred, NULL, NULL)) != LDAP_SUCCESS) {
2303 				(void) ldap_get_option(ld,
2304 				    LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
2305 				(void) snprintf(errstr, sizeof (errstr),
2306 				    gettext("openConnection: "
2307 				    "sasl/CRAM-MD5 bind failed - %s"),
2308 				    ldap_err2string(errnum));
2309 				MKERROR(LOG_WARNING, *errorp, errnum,
2310 				    strdup(errstr), NULL);
2311 				(void) ldap_unbind(ld);
2312 				return (NS_LDAP_INTERNAL);
2313 			}
2314 			break;
2315 		case NS_LDAP_SASL_DIGEST_MD5:
2316 			digest_md5_name = malloc(strlen(binddn) + 5);
2317 			/* 5 = strlen("dn: ") + 1 */
2318 			if (digest_md5_name == NULL) {
2319 				(void) ldap_unbind(ld);
2320 				return (NS_LDAP_MEMORY);
2321 			}
2322 			(void) strcpy(digest_md5_name, "dn: ");
2323 			(void) strcat(digest_md5_name, binddn);
2324 
2325 			tv.tv_sec = timeoutSec;
2326 			tv.tv_usec = 0;
2327 			rc = ldap_x_sasl_digest_md5_bind(ld,
2328 			    digest_md5_name, &cred, NULL, NULL,
2329 			    &tv, &resultMsg);
2330 
2331 			if (resultMsg == NULL) {
2332 				free(digest_md5_name);
2333 				(void) ldap_get_option(ld,
2334 				    LDAP_OPT_ERROR_NUMBER, (void *)&errnum);
2335 				(void) snprintf(errstr, sizeof (errstr),
2336 				    gettext("openConnection: "
2337 				    "DIGEST-MD5 bind failed - %s"),
2338 				    ldap_err2string(errnum));
2339 				(void) ldap_unbind(ld);
2340 				MKERROR(LOG_WARNING, *errorp, errnum,
2341 				    strdup(errstr), NULL);
2342 				return (NS_LDAP_INTERNAL);
2343 			}
2344 
2345 			/*
2346 			 * get ldaprc, controls, and error msg
2347 			 */
2348 			rc = ldap_parse_result(ld, resultMsg, &errnum, NULL,
2349 			    &errmsg, NULL, &controls, 1);
2350 
2351 			if (rc != LDAP_SUCCESS) {
2352 				free(digest_md5_name);
2353 				(void) snprintf(errstr, sizeof (errstr),
2354 				    gettext("openConnection: "
2355 				    "DIGEST-MD5 bind failed "
2356 				    "- unable to parse result"));
2357 				(void) ldap_unbind(ld);
2358 				MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
2359 				    strdup(errstr), NULL);
2360 				return (NS_LDAP_INTERNAL);
2361 			}
2362 
2363 			/* process the password management info, if any */
2364 			pwd_rc = process_pwd_mgmt("sasl/DIGEST-MD5",
2365 			    errnum, controls, errmsg,
2366 			    errorp,
2367 			    fail_if_new_pwd_reqd,
2368 			    passwd_mgmt);
2369 
2370 			if (pwd_rc == NS_LDAP_INTERNAL) {
2371 				free(digest_md5_name);
2372 				(void) ldap_unbind(ld);
2373 				return (pwd_rc);
2374 			}
2375 
2376 			if (pwd_rc == NS_LDAP_SUCCESS_WITH_INFO) {
2377 				*ldp = ld;
2378 				return (pwd_rc);
2379 			}
2380 
2381 			free(digest_md5_name);
2382 			break;
2383 		case NS_LDAP_SASL_GSSAPI:
2384 			if (sasl_gssapi_inited == 0) {
2385 				rc = __s_api_sasl_gssapi_init();
2386 				if (rc != NS_LDAP_SUCCESS) {
2387 					(void) snprintf(errstr, sizeof (errstr),
2388 					    gettext("openConnection: "
2389 					    "GSSAPI initialization "
2390 					    "failed"));
2391 					(void) ldap_unbind(ld);
2392 					MKERROR(LOG_WARNING, *errorp, rc,
2393 					    strdup(errstr), NULL);
2394 					return (rc);
2395 				}
2396 			}
2397 			(void) memset(&sasl_param, 0,
2398 			    sizeof (ns_sasl_cb_param_t));
2399 			sasl_param.authid = NULL;
2400 			sasl_param.authzid = "";
2401 			(void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MIN,
2402 			    (void *)&min_ssf);
2403 			(void) ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX,
2404 			    (void *)&max_ssf);
2405 
2406 			rc = ldap_sasl_interactive_bind_s(
2407 			    ld, NULL, "GSSAPI",
2408 			    NULL, NULL, LDAP_SASL_INTERACTIVE,
2409 			    __s_api_sasl_bind_callback,
2410 			    &sasl_param);
2411 
2412 			if (rc != LDAP_SUCCESS) {
2413 				(void) snprintf(errstr, sizeof (errstr),
2414 				    gettext("openConnection: "
2415 				    "GSSAPI bind failed "
2416 				    "- %d %s"), rc, ldap_err2string(rc));
2417 				(void) ldap_unbind(ld);
2418 				MKERROR(LOG_WARNING, *errorp, NS_LDAP_INTERNAL,
2419 				    strdup(errstr), NULL);
2420 				return (NS_LDAP_INTERNAL);
2421 			}
2422 
2423 			break;
2424 		default:
2425 			(void) ldap_unbind(ld);
2426 			(void) sprintf(errstr,
2427 			    gettext("openConnection: unsupported SASL "
2428 			    "mechanism (%d)"), auth->auth.saslmech);
2429 			MKERROR(LOG_WARNING, *errorp,
2430 			    LDAP_AUTH_METHOD_NOT_SUPPORTED, strdup(errstr),
2431 			    NULL);
2432 			return (NS_LDAP_INTERNAL);
2433 		}
2434 	}
2435 
2436 	*ldp = ld;
2437 	return (NS_LDAP_SUCCESS);
2438 }
2439 
2440 /*
2441  * FUNCTION:	__s_api_getDefaultAuth
2442  *
2443  *	Constructs a credential for authentication using the config module.
2444  *
2445  * RETURN VALUES:
2446  *
2447  * NS_LDAP_SUCCESS	If successful
2448  * NS_LDAP_CONFIG	If there are any config errors.
2449  * NS_LDAP_MEMORY	Memory errors.
2450  * NS_LDAP_OP_FAILED	If there are no more authentication methods so can
2451  *			not build a new authp.
2452  * NS_LDAP_INVALID_PARAM This overloaded return value means that some of the
2453  *			necessary fields of a cred for a given auth method
2454  *			are not provided.
2455  * INPUT:
2456  *
2457  * cLevel	Currently requested credential level to be tried
2458  *
2459  * aMethod	Currently requested authentication method to be tried
2460  *
2461  * OUTPUT:
2462  *
2463  * authp		authentication method to use.
2464  */
2465 static int
2466 __s_api_getDefaultAuth(
2467 	int	*cLevel,
2468 	ns_auth_t *aMethod,
2469 	ns_cred_t **authp)
2470 {
2471 	void		**paramVal = NULL;
2472 	char		*modparamVal = NULL;
2473 	int		getUid = 0;
2474 	int		getPasswd = 0;
2475 	int		getCertpath = 0;
2476 	int		rc = 0;
2477 	ns_ldap_error_t	*errorp = NULL;
2478 
2479 #ifdef DEBUG
2480 	(void) fprintf(stderr, "__s_api_getDefaultAuth START\n");
2481 #endif
2482 
2483 	if (aMethod == NULL) {
2484 		/* Require an Auth */
2485 		return (NS_LDAP_INVALID_PARAM);
2486 
2487 	}
2488 	/*
2489 	 * credential level "self" can work with auth method sasl/GSSAPI only
2490 	 */
2491 	if (cLevel && *cLevel == NS_LDAP_CRED_SELF &&
2492 	    aMethod->saslmech != NS_LDAP_SASL_GSSAPI)
2493 		return (NS_LDAP_INVALID_PARAM);
2494 
2495 	*authp = (ns_cred_t *)calloc(1, sizeof (ns_cred_t));
2496 	if ((*authp) == NULL)
2497 		return (NS_LDAP_MEMORY);
2498 
2499 	(*authp)->auth = *aMethod;
2500 
2501 	switch (aMethod->type) {
2502 		case NS_LDAP_AUTH_NONE:
2503 			return (NS_LDAP_SUCCESS);
2504 		case NS_LDAP_AUTH_SIMPLE:
2505 			getUid++;
2506 			getPasswd++;
2507 			break;
2508 		case NS_LDAP_AUTH_SASL:
2509 			if ((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) ||
2510 			    (aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)) {
2511 				getUid++;
2512 				getPasswd++;
2513 			} else if (aMethod->saslmech != NS_LDAP_SASL_GSSAPI) {
2514 				(void) __ns_ldap_freeCred(authp);
2515 				*authp = NULL;
2516 				return (NS_LDAP_INVALID_PARAM);
2517 			}
2518 			break;
2519 		case NS_LDAP_AUTH_TLS:
2520 			if ((aMethod->tlstype == NS_LDAP_TLS_SIMPLE) ||
2521 			    ((aMethod->tlstype == NS_LDAP_TLS_SASL) &&
2522 			    ((aMethod->saslmech == NS_LDAP_SASL_DIGEST_MD5) ||
2523 			    (aMethod->saslmech == NS_LDAP_SASL_CRAM_MD5)))) {
2524 				getUid++;
2525 				getPasswd++;
2526 				getCertpath++;
2527 			} else if (aMethod->tlstype == NS_LDAP_TLS_NONE) {
2528 				getCertpath++;
2529 			} else {
2530 				(void) __ns_ldap_freeCred(authp);
2531 				*authp = NULL;
2532 				return (NS_LDAP_INVALID_PARAM);
2533 			}
2534 			break;
2535 	}
2536 
2537 	if (getUid) {
2538 		paramVal = NULL;
2539 		if ((rc = __ns_ldap_getParam(NS_LDAP_BINDDN_P,
2540 		    &paramVal, &errorp)) != NS_LDAP_SUCCESS) {
2541 			(void) __ns_ldap_freeCred(authp);
2542 			(void) __ns_ldap_freeError(&errorp);
2543 			*authp = NULL;
2544 			return (rc);
2545 		}
2546 
2547 		if (paramVal == NULL || *paramVal == NULL) {
2548 			(void) __ns_ldap_freeCred(authp);
2549 			*authp = NULL;
2550 			return (NS_LDAP_INVALID_PARAM);
2551 		}
2552 
2553 		(*authp)->cred.unix_cred.userID = strdup((char *)*paramVal);
2554 		(void) __ns_ldap_freeParam(&paramVal);
2555 		if ((*authp)->cred.unix_cred.userID == NULL) {
2556 			(void) __ns_ldap_freeCred(authp);
2557 			*authp = NULL;
2558 			return (NS_LDAP_MEMORY);
2559 		}
2560 	}
2561 	if (getPasswd) {
2562 		paramVal = NULL;
2563 		if ((rc = __ns_ldap_getParam(NS_LDAP_BINDPASSWD_P,
2564 		    &paramVal, &errorp)) != NS_LDAP_SUCCESS) {
2565 			(void) __ns_ldap_freeCred(authp);
2566 			(void) __ns_ldap_freeError(&errorp);
2567 			*authp = NULL;
2568 			return (rc);
2569 		}
2570 
2571 		if (paramVal == NULL || *paramVal == NULL) {
2572 			(void) __ns_ldap_freeCred(authp);
2573 			*authp = NULL;
2574 			return (NS_LDAP_INVALID_PARAM);
2575 		}
2576 
2577 		modparamVal = dvalue((char *)*paramVal);
2578 		(void) __ns_ldap_freeParam(&paramVal);
2579 		if (modparamVal == NULL || (strlen((char *)modparamVal) == 0)) {
2580 			(void) __ns_ldap_freeCred(authp);
2581 			if (modparamVal != NULL)
2582 				free(modparamVal);
2583 			*authp = NULL;
2584 			return (NS_LDAP_INVALID_PARAM);
2585 		}
2586 
2587 		(*authp)->cred.unix_cred.passwd = modparamVal;
2588 	}
2589 	if (getCertpath) {
2590 		paramVal = NULL;
2591 		if ((rc = __ns_ldap_getParam(NS_LDAP_HOST_CERTPATH_P,
2592 		    &paramVal, &errorp)) != NS_LDAP_SUCCESS) {
2593 			(void) __ns_ldap_freeCred(authp);
2594 			(void) __ns_ldap_freeError(&errorp);
2595 			*authp = NULL;
2596 			return (rc);
2597 		}
2598 
2599 		if (paramVal == NULL || *paramVal == NULL) {
2600 			(void) __ns_ldap_freeCred(authp);
2601 			*authp = NULL;
2602 			return (NS_LDAP_INVALID_PARAM);
2603 		}
2604 
2605 		(*authp)->hostcertpath = strdup((char *)*paramVal);
2606 		(void) __ns_ldap_freeParam(&paramVal);
2607 		if ((*authp)->hostcertpath == NULL) {
2608 			(void) __ns_ldap_freeCred(authp);
2609 			*authp = NULL;
2610 			return (NS_LDAP_MEMORY);
2611 		}
2612 	}
2613 	return (NS_LDAP_SUCCESS);
2614 }
2615 
2616 /*
2617  * FUNCTION:	__s_api_getConnection
2618  *
2619  *	Bind to the specified server or one from the server
2620  *	list and return the pointer.
2621  *
2622  *	This function can rebind or not (NS_LDAP_HARD), it can require a
2623  *	credential or bind anonymously
2624  *
2625  *	This function follows the DUA configuration schema algorithm
2626  *
2627  * RETURN VALUES:
2628  *
2629  * NS_LDAP_SUCCESS	A connection was made successfully.
2630  * NS_LDAP_SUCCESS_WITH_INFO
2631  * 			A connection was made successfully, but with
2632  *			password management info in *errorp
2633  * NS_LDAP_INVALID_PARAM If any invalid arguments were passed to the function.
2634  * NS_LDAP_CONFIG	If there are any config errors.
2635  * NS_LDAP_MEMORY	Memory errors.
2636  * NS_LDAP_INTERNAL	If there was a ldap error.
2637  *
2638  * INPUT:
2639  *
2640  * server	Bind to this LDAP server only
2641  * flags	If NS_LDAP_HARD is set function will not return until it has
2642  *		a connection unless there is a authentication problem.
2643  *		If NS_LDAP_NEW_CONN is set the function must force a new
2644  *              connection to be created
2645  *		If NS_LDAP_KEEP_CONN is set the connection is to be kept open
2646  * auth		Credentials for bind. This could be NULL in which case
2647  *		a default cred built from the config module is used.
2648  * sessionId	cookie that points to a previous session
2649  * fail_if_new_pwd_reqd
2650  *		a flag indicating this function should fail if the passwd
2651  *		in auth needs to change immediately
2652  * nopasswd_acct_mgmt
2653  *		a flag indicating that makeConnection should check before
2654  *		binding if server supports LDAP V3 password less
2655  *		account management
2656  *
2657  * OUTPUT:
2658  *
2659  * session	pointer to a session with connection information
2660  * errorp	Set if there are any INTERNAL, or CONFIG error.
2661  */
2662 int
2663 __s_api_getConnection(
2664 	const char *server,
2665 	const int flags,
2666 	const ns_cred_t *cred,		/* credentials for bind */
2667 	ConnectionID *sessionId,
2668 	Connection **session,
2669 	ns_ldap_error_t **errorp,
2670 	int fail_if_new_pwd_reqd,
2671 	int nopasswd_acct_mgmt)
2672 {
2673 	char		errmsg[MAXERROR];
2674 	ns_auth_t	**aMethod = NULL;
2675 	ns_auth_t	**aNext = NULL;
2676 	int		**cLevel = NULL;
2677 	int		**cNext = NULL;
2678 	int		timeoutSec = NS_DEFAULT_BIND_TIMEOUT;
2679 	int		rc;
2680 	Connection	*con = NULL;
2681 	int		sec = 1;
2682 	ns_cred_t 	*authp = NULL;
2683 	ns_cred_t	anon;
2684 	int		version = NS_LDAP_V2, self_gssapi_only = 0;
2685 	void		**paramVal = NULL;
2686 	char		**badSrvrs = NULL; /* List of problem hostnames */
2687 
2688 	if ((session == NULL) || (sessionId == NULL)) {
2689 		return (NS_LDAP_INVALID_PARAM);
2690 	}
2691 	*session = NULL;
2692 
2693 	/* if we already have a session id try to reuse connection */
2694 	if (*sessionId > 0) {
2695 		rc = findConnectionById(flags, cred, *sessionId, &con);
2696 		if (rc == *sessionId && con) {
2697 			*session = con;
2698 			return (NS_LDAP_SUCCESS);
2699 		}
2700 		*sessionId = 0;
2701 	}
2702 
2703 	/* get profile version number */
2704 	if ((rc = __ns_ldap_getParam(NS_LDAP_FILE_VERSION_P,
2705 	    &paramVal, errorp)) != NS_LDAP_SUCCESS)
2706 		return (rc);
2707 	if (paramVal == NULL) {
2708 		(void) sprintf(errmsg, gettext("getConnection: no file "
2709 		    "version"));
2710 		MKERROR(LOG_WARNING, *errorp, NS_CONFIG_FILE, strdup(errmsg),
2711 		    NS_LDAP_CONFIG);
2712 		return (NS_LDAP_CONFIG);
2713 	}
2714 	if (strcasecmp((char *)*paramVal, NS_LDAP_VERSION_1) == 0)
2715 		version = NS_LDAP_V1;
2716 	(void) __ns_ldap_freeParam((void ***)&paramVal);
2717 
2718 	/* Get the bind timeout value */
2719 	(void) __ns_ldap_getParam(NS_LDAP_BIND_TIME_P, &paramVal, errorp);
2720 	if (paramVal != NULL && *paramVal != NULL) {
2721 		timeoutSec = **((int **)paramVal);
2722 		(void) __ns_ldap_freeParam(&paramVal);
2723 	}
2724 	if (*errorp)
2725 		(void) __ns_ldap_freeError(errorp);
2726 
2727 	if (cred == NULL) {
2728 		/* Get the authentication method list */
2729 		if ((rc = __ns_ldap_getParam(NS_LDAP_AUTH_P,
2730 		    (void ***)&aMethod, errorp)) != NS_LDAP_SUCCESS)
2731 			return (rc);
2732 		if (aMethod == NULL) {
2733 			aMethod = (ns_auth_t **)calloc(2, sizeof (ns_auth_t *));
2734 			if (aMethod == NULL)
2735 				return (NS_LDAP_MEMORY);
2736 			aMethod[0] = (ns_auth_t *)calloc(1, sizeof (ns_auth_t));
2737 			if (aMethod[0] == NULL) {
2738 				free(aMethod);
2739 				return (NS_LDAP_MEMORY);
2740 			}
2741 			if (version == NS_LDAP_V1)
2742 				(aMethod[0])->type = NS_LDAP_AUTH_SIMPLE;
2743 			else {
2744 				(aMethod[0])->type = NS_LDAP_AUTH_SASL;
2745 				(aMethod[0])->saslmech =
2746 				    NS_LDAP_SASL_DIGEST_MD5;
2747 				(aMethod[0])->saslopt = NS_LDAP_SASLOPT_NONE;
2748 			}
2749 		}
2750 
2751 		/* Get the credential level list */
2752 		if ((rc = __ns_ldap_getParam(NS_LDAP_CREDENTIAL_LEVEL_P,
2753 		    (void ***)&cLevel, errorp)) != NS_LDAP_SUCCESS) {
2754 			(void) __ns_ldap_freeParam((void ***)&aMethod);
2755 			return (rc);
2756 		}
2757 		if (cLevel == NULL) {
2758 			cLevel = (int **)calloc(2, sizeof (int *));
2759 			if (cLevel == NULL)
2760 				return (NS_LDAP_MEMORY);
2761 			cLevel[0] = (int *)calloc(1, sizeof (int));
2762 			if (cLevel[0] == NULL)
2763 				return (NS_LDAP_MEMORY);
2764 			if (version == NS_LDAP_V1)
2765 				*(cLevel[0]) = NS_LDAP_CRED_PROXY;
2766 			else
2767 				*(cLevel[0]) = NS_LDAP_CRED_ANON;
2768 		}
2769 	}
2770 
2771 	/* setup the anon credential for anonymous connection */
2772 	(void) memset(&anon, 0, sizeof (ns_cred_t));
2773 	anon.auth.type = NS_LDAP_AUTH_NONE;
2774 
2775 	for (; ; ) {
2776 		if (cred != NULL) {
2777 			/* using specified auth method */
2778 			rc = makeConnection(&con, server, cred,
2779 			    sessionId, timeoutSec, errorp,
2780 			    fail_if_new_pwd_reqd,
2781 			    nopasswd_acct_mgmt, flags, &badSrvrs);
2782 			/* not using bad server if credentials were supplied */
2783 			if (badSrvrs && *badSrvrs) {
2784 				__s_api_free2dArray(badSrvrs);
2785 				badSrvrs = NULL;
2786 			}
2787 			if (rc == NS_LDAP_SUCCESS ||
2788 			    rc == NS_LDAP_SUCCESS_WITH_INFO) {
2789 				*session = con;
2790 				break;
2791 			}
2792 		} else {
2793 			self_gssapi_only = __s_api_self_gssapi_only_get();
2794 			/* for every cred level */
2795 			for (cNext = cLevel; *cNext != NULL; cNext++) {
2796 				if (self_gssapi_only &&
2797 				    **cNext != NS_LDAP_CRED_SELF)
2798 					continue;
2799 				if (**cNext == NS_LDAP_CRED_ANON) {
2800 					/*
2801 					 * make connection anonymously
2802 					 * Free the down server list before
2803 					 * looping through
2804 					 */
2805 					if (badSrvrs && *badSrvrs) {
2806 						__s_api_free2dArray(badSrvrs);
2807 						badSrvrs = NULL;
2808 					}
2809 					rc = makeConnection(&con, server, &anon,
2810 					    sessionId, timeoutSec, errorp,
2811 					    fail_if_new_pwd_reqd,
2812 					    nopasswd_acct_mgmt, flags,
2813 					    &badSrvrs);
2814 					if (rc == NS_LDAP_SUCCESS ||
2815 					    rc ==
2816 					    NS_LDAP_SUCCESS_WITH_INFO) {
2817 						*session = con;
2818 						goto done;
2819 					}
2820 					continue;
2821 				}
2822 				/* for each cred level */
2823 				for (aNext = aMethod; *aNext != NULL; aNext++) {
2824 					if (self_gssapi_only &&
2825 					    (*aNext)->saslmech !=
2826 					    NS_LDAP_SASL_GSSAPI)
2827 						continue;
2828 					/*
2829 					 * self coexists with sasl/GSSAPI only
2830 					 * and non-self coexists with non-gssapi
2831 					 * only
2832 					 */
2833 					if ((**cNext == NS_LDAP_CRED_SELF &&
2834 					    (*aNext)->saslmech !=
2835 					    NS_LDAP_SASL_GSSAPI) ||
2836 					    (**cNext != NS_LDAP_CRED_SELF &&
2837 					    (*aNext)->saslmech ==
2838 					    NS_LDAP_SASL_GSSAPI))
2839 						continue;
2840 					/* make connection and authenticate */
2841 					/* with default credentials */
2842 					authp = NULL;
2843 					rc = __s_api_getDefaultAuth(*cNext,
2844 					    *aNext, &authp);
2845 					if (rc != NS_LDAP_SUCCESS) {
2846 						continue;
2847 					}
2848 					/*
2849 					 * Free the down server list before
2850 					 * looping through
2851 					 */
2852 					if (badSrvrs && *badSrvrs) {
2853 						__s_api_free2dArray(badSrvrs);
2854 						badSrvrs = NULL;
2855 					}
2856 					rc = makeConnection(&con, server, authp,
2857 					    sessionId, timeoutSec, errorp,
2858 					    fail_if_new_pwd_reqd,
2859 					    nopasswd_acct_mgmt, flags,
2860 					    &badSrvrs);
2861 					(void) __ns_ldap_freeCred(&authp);
2862 					if (rc == NS_LDAP_SUCCESS ||
2863 					    rc ==
2864 					    NS_LDAP_SUCCESS_WITH_INFO) {
2865 						*session = con;
2866 						goto done;
2867 					}
2868 				}
2869 			}
2870 		}
2871 		if (flags & NS_LDAP_HARD) {
2872 			if (sec < LDAPMAXHARDLOOKUPTIME)
2873 				sec *= 2;
2874 			_sleep(sec);
2875 		} else {
2876 			break;
2877 		}
2878 	}
2879 
2880 done:
2881 	/*
2882 	 * If unable to get a connection, and this is
2883 	 * the thread opening the shared connection,
2884 	 * unlock the session mutex and let other
2885 	 * threads try to get their own connection.
2886 	 */
2887 	if (wait4session != 0 && sessionTid == thr_self()) {
2888 		wait4session = 0;
2889 		sessionTid = 0;
2890 #ifdef DEBUG
2891 		(void) fprintf(stderr, "tid= %d: __s_api_getConnection: "
2892 		    "unlocking sessionLock \n", thr_self());
2893 		fflush(stderr);
2894 #endif /* DEBUG */
2895 		(void) mutex_unlock(&sessionLock);
2896 	}
2897 	if (self_gssapi_only && rc == NS_LDAP_SUCCESS && *session == NULL) {
2898 		/*
2899 		 * self_gssapi_only is true but no self/sasl/gssapi is
2900 		 * configured
2901 		 */
2902 		rc = NS_LDAP_CONFIG;
2903 	}
2904 
2905 	(void) __ns_ldap_freeParam((void ***)&aMethod);
2906 	(void) __ns_ldap_freeParam((void ***)&cLevel);
2907 
2908 	if (badSrvrs && *badSrvrs) {
2909 		/*
2910 		 * At this point, either we have a successful
2911 		 * connection or exhausted all the possible auths.
2912 		 * and creds. Mark the problem servers as down
2913 		 * so that the problem servers are not contacted
2914 		 * again until the refresh_ttl expires.
2915 		 */
2916 		(void) __s_api_removeBadServers(badSrvrs);
2917 		__s_api_free2dArray(badSrvrs);
2918 	}
2919 	return (rc);
2920 }
2921 
2922 #pragma fini(_free_sessionPool)
2923 static void
2924 _free_sessionPool()
2925 {
2926 	int id;
2927 
2928 	(void) rw_wrlock(&sessionPoolLock);
2929 	if (sessionPool != NULL) {
2930 		for (id = 0; id < sessionPoolSize; id++)
2931 			_DropConnection(id + CONID_OFFSET, 0, 1);
2932 		free(sessionPool);
2933 		sessionPool = NULL;
2934 		sessionPoolSize = 0;
2935 	}
2936 	(void) rw_unlock(&sessionPoolLock);
2937 }
2938