xref: /titanic_51/usr/src/lib/nsswitch/ldap/common/getnetgrent.c (revision ca8831321cd1248e5854314755ea80564a1a68b3)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */


#include <syslog.h>
#include "ldap_common.h"

/* netgroup attributes filters */
#define	_N_TRIPLE		"nisnetgrouptriple"
#define	_N_MEMBER		"membernisnetgroup"

#define	PRINT_VAL(a)		(((a).argc == 0) || ((a).argv == NULL) || \
				    ((a).argv[0] == NULL)) ? "*" : (a).argv[0]
#define	ISNULL(a)		(a == NULL ? "<NULL>" : a)
#define	MAX_DOMAIN_LEN		1024
#define	MAX_TRIPLE_LEN		(MAXHOSTNAMELEN + LOGNAME_MAX + \
					MAX_DOMAIN_LEN + 5)

#define	_F_SETMEMBER		"(&(objectClass=nisNetGroup)(cn=%s))"
#define	_F_SETMEMBER_SSD	"(&(%%s)(cn=%s))"

#define	N_HASH		257
#define	COMMA		','

static const char *netgrent_attrs[] = {
	_N_TRIPLE,
	_N_MEMBER,
	(char *)NULL
};

typedef struct netgroup_name {
	char *name;
	struct netgroup_name *next;
	struct netgroup_name *next_hash;
} netgroup_name_t;

typedef struct {
	netgroup_name_t *hash_list[N_HASH];
	netgroup_name_t *to_do;
	netgroup_name_t *done;
} netgroup_table_t;

typedef struct {
	ns_ldap_result_t *results;
	ns_ldap_entry_t *entry;
	char **attrs;
	char *netgroup;
	netgroup_table_t tab;
} getnetgrent_cookie_t;

typedef struct {
	struct nss_innetgr_args *ia;
	const char *ssd_filter;
	const char *netgrname;
	const char *membername;
	netgroup_table_t tab;
} innetgr_cookie_t;

typedef unsigned int hash_t;

static hash_t
get_hash(const char *s)
{
	unsigned int sum = 0;
	unsigned int i;

	for (i = 0; s[i] != '\0'; i++)
		sum += ((unsigned char *)s)[i];

	return ((sum + i) % N_HASH);
}

/*
 * Adds a name to the netgroup table
 *
 * Returns
 *	0 if successfully added or already present
 *	-1 if memory allocation error or NULL netgroup_table_t
 *         from caller.
 */

static int
add_netgroup_name(const char *name, netgroup_table_t *tab)
{
	hash_t		h;
	netgroup_name_t	*ng;
	netgroup_name_t	*ng_new;

	if (tab == NULL) {
		/*
		 * Should never happen. But if it does,
		 * that's an error condition.
		 */
		return (-1);
	}
	if (name == NULL || *name == '\0') {
		/* no name to add means success */
		return (0);
	}

	h = get_hash(name);
	ng = tab->hash_list[h];

	while (ng != NULL) {
		if (strcmp(name, ng->name) == 0)
			break;
		ng = ng->next_hash;
	}

	if (ng == NULL) {
		ng_new = (netgroup_name_t *)
		    calloc(1, sizeof (netgroup_name_t));
		if (ng_new == NULL)
			return (-1);
		ng_new->name = strdup(name);
		if (ng_new->name == NULL) {
			free(ng_new);
			return (-1);
		}
		ng_new->next_hash = tab->hash_list[h];
		tab->hash_list[h] = ng_new;
		ng_new->next = tab->to_do;
		tab->to_do = ng_new;
	}
	return (0);
}

static netgroup_name_t *
get_next_netgroup(netgroup_table_t *tab)
{
	netgroup_name_t *ng;

	if (tab == NULL)
		return (NULL);

	ng = tab->to_do;
	if (ng != NULL) {
		tab->to_do = ng->next;
		ng->next = tab->done;
		tab->done = ng;
	}
	return (ng);
}

static void
free_netgroup_table(netgroup_table_t *tab)
{
	netgroup_name_t *ng, *next;

	if (tab == NULL)
		return;

	for (ng = tab->to_do; ng != NULL; ng = next) {
		if (ng->name != NULL)
			free(ng->name);
		next = ng->next;
		free(ng);
	}

	for (ng = tab->done; ng != NULL; ng = next) {
		if (ng->name != NULL)
			free(ng->name);
		next = ng->next;
		free(ng);
	}
	(void) memset(tab, 0, sizeof (*tab));
}

/*
 * domain comparing routine
 * 	n1: See if n1 is n2 or an ancestor of it
 * 	n2: (in string terms, n1 is a suffix of n2)
 * Returns ZERO for success, -1 for failure.
 */
static int
domcmp(const char *n1, const char *n2)
{
#define	PASS	0
#define	FAIL	-1

	size_t		l1, l2;

	if ((n1 == NULL) || (n2 == NULL))
		return (FAIL);

	l1 = strlen(n1);
	l2 = strlen(n2);

	/* Turn a blind eye to the presence or absence of trailing periods */
	if (l1 != 0 && n1[l1 - 1] == '.') {
		--l1;
	}
	if (l2 != 0 && n2[l2 - 1] == '.') {
		--l2;
	}
	if (l1 > l2) {		/* Can't be a suffix */
		return (FAIL);
	} else if (l1 == 0) {	/* Trivially a suffix; */
				/* (do we want this case?) */
		return (PASS);
	}
	/* So 0 < l1 <= l2 */
	if (l1 < l2 && n2[l2 - l1 - 1] != '.') {
		return (FAIL);
	}
	if (strncasecmp(n1, &n2[l2 - l1], l1) == 0) {
		return (PASS);
	} else {
		return (FAIL);
	}
}

static int
split_triple(char *triple, char **hostname, char **username, char **domain)
{
	int	i, syntax_err;
	char	*splittriple[3];
	char	*p = triple;

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: split_triple]\n");
#endif	/* DEBUG */

	if (triple == NULL)
		return (-1);

	p++;
	syntax_err = 0;
	for (i = 0; i < 3; i++) {
		char	*start;
		char	*limit;
		const char	*terminators = ",) \t";

		if (i == 2) {
			/* Don't allow comma */
			terminators++;
		}
		while (isspace(*p)) {
			p++;
		}
		start = p;
		limit = strpbrk(start, terminators);
		if (limit == 0) {
			syntax_err++;
			break;
		}
		p = limit;
		while (isspace(*p)) {
			p++;
		}
		if (*p == terminators[0]) {
			/*
			 * Successfully parsed this name and
			 * the separator after it (comma or
			 * right paren); leave p ready for
			 * next parse.
			 */
			p++;
			if (start == limit) {
				/* Wildcard */
				splittriple[i] = NULL;
			} else {
				*limit = '\0';
				splittriple[i] = start;
			}
		} else {
			syntax_err++;
			break;
		}
	}

	if (syntax_err != 0)
		return (-1);

	*hostname = splittriple[0];
	*username = splittriple[1];
	*domain = splittriple[2];

	return (0);
}

/*
 * Test membership in triple
 *	return 0 = no match
 *	return 1 = match
 */

static int
match_triple_entry(struct nss_innetgr_args *ia, const ns_ldap_entry_t *entry)
{
	int	ndomains;
	char	**pdomains;
	int	nhost;
	char	**phost;
	int	nusers;
	char	**pusers;
	char	**attr;
	char	triple[MAX_TRIPLE_LEN];
	char	*tuser, *thost, *tdomain;
	int	i;
	char	*current, *limit;
	int	pulen, phlen;
	char	*pusers0, *phost0;

	nhost = ia->arg[NSS_NETGR_MACHINE].argc;
	phost = (char **)ia->arg[NSS_NETGR_MACHINE].argv;
	if (phost == NULL || *phost == NULL) {
		nhost = 0;
	} else {
		phost0 = phost[0];
		phlen = strlen(phost0);
#ifdef DEBUG
		syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
		    "entering with host: %s", phost0 ? phost0 : "");
#endif
	}
	nusers = ia->arg[NSS_NETGR_USER].argc;
	pusers = (char **)ia->arg[NSS_NETGR_USER].argv;
	if (pusers == NULL || *pusers == NULL) {
		nusers = 0;
	} else {
		pusers0 = pusers[0];
		pulen = strlen(pusers0);
#ifdef DEBUG
		syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
		    "entering with user: %s", pusers0 ? pusers0 : "");
#endif
	}
	ndomains = ia->arg[NSS_NETGR_DOMAIN].argc;
	pdomains = (char **)ia->arg[NSS_NETGR_DOMAIN].argv;
	if (pdomains == NULL || *pdomains == NULL)
		ndomains = 0;
#ifdef DEBUG
	else
		syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
		    "entering with domain: %s", pdomains[0] ? pdomains[0] : "");
#endif

	attr = __ns_ldap_getAttr(entry, _N_TRIPLE);
	if (attr == NULL || *attr == NULL)
		return (0);

#ifdef DEBUG
	syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
	    "(nusers: %d, nhost:%d, ndomains: %d)",
	    nusers, nhost, ndomains);
#endif

	/* Special cases for speedup */
	if (nusers == 1 && nhost == 0 && ndomains == 0) {
		/* Special case for finding a single user in a netgroup */
		for (; *attr; attr++) {
			/* jump to first comma and check next character */
			current = *attr;
#ifdef DEBUG
			syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
			    "current is: %s", current);
#endif
			if ((current = strchr(current, COMMA)) == NULL)
				continue;
			current++;

			/* skip whitespaces */
			while (isspace(*current))
				current++;

			/* if user part is null, then treat as wildcard */
			if (*current == COMMA)
				return (1);

			/* compare first character */
			if (*pusers0 != *current)
				continue;

			/* limit username to COMMA */
			if ((limit = strchr(current, COMMA)) == NULL)
				continue;
			*limit = '\0';

			/* remove blanks before COMMA */
			if ((limit = strpbrk(current, " \t")) != NULL)
				*limit = '\0';

			/* compare size of username */
			if (pulen != strlen(current)) {
				continue;
			}

			/* do actual compare */
			if (strncmp(pusers0, current, pulen) == 0) {
				return (1);
			} else {
				continue;
			}
		}
	} else if (nusers == 0 && nhost == 1 && ndomains == 0) {
		/* Special case for finding a single host in a netgroup */
		for (; *attr; attr++) {

			/* jump to first character and check */
			current = *attr;
#ifdef DEBUG
			syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
			    "current is: %s", current);
#endif
			current++;

			/* skip whitespaces */
			while (isspace(*current))
				current++;

			/* if host part is null, then treat as wildcard */
			if (*current == COMMA)
				return (1);

			/* limit hostname to COMMA */
			if ((limit = strchr(current, COMMA)) == NULL)
				continue;
			*limit = '\0';

			/* remove blanks before COMMA */
			if ((limit = strpbrk(current, " \t")) != NULL)
				*limit = '\0';

			/* compare size of hostname */
			if (phlen != strlen(current)) {
				continue;
			}

			/* do actual compare */
			if (strncasecmp(phost0, current, phlen) == 0) {
				return (1);
			} else {
				continue;
			}
		}
	} else {
		for (; *attr; attr++) {
			if (strlcpy(triple, *attr,
			    sizeof (triple)) >= sizeof (triple))
				continue;
#ifdef DEBUG
			syslog(LOG_DEBUG, "nss_ldap: match_triple_entry: "
			    "triple is: %s", triple);
#endif
			if (split_triple(triple, &thost, &tuser, &tdomain) != 0)
				continue;
			if (thost != NULL && *thost != '\0' && nhost != 0) {
				for (i = 0; i < nhost; i++)
					if (strcasecmp(thost, phost[i]) == 0)
						break;
				if (i == nhost)
					continue;
			}
			if (tuser != NULL && *tuser != '\0' && nusers != 0) {
				for (i = 0; i < nusers; i++)
					if (strcmp(tuser, pusers[i]) == 0)
						break;
				if (i == nusers)
					continue;
			}
			if (tdomain != NULL && *tdomain != '\0' &&
			    ndomains != 0) {
				for (i = 0; i < ndomains; i++)
					if (domcmp(tdomain, pdomains[i]) == 0)
						break;
				if (i == ndomains)
					continue;
			}
			return (1);
		}
	}

	return (0);
}

static int
match_triple(struct nss_innetgr_args *ia, ns_ldap_result_t *result)
{
	ns_ldap_entry_t	*entry;

	for (entry = result->entry; entry != NULL; entry = entry->next)
		if (match_triple_entry(ia, entry) == 1)
			return (1);

	return (0);
}

static int
add_netgroup_member_entry(ns_ldap_entry_t *entry, netgroup_table_t *tab)
{
	char		**attrs;
	char		**a;

	attrs = __ns_ldap_getAttr(entry, _N_MEMBER);
	if (attrs == NULL || *attrs == NULL)
		return (0);

	for (a = attrs; *a != NULL; a++) {}

	do {
		a--;
		if (add_netgroup_name(*a, tab) != 0)
			return (-1);
	} while (a > attrs);
	return (0);
}

static int
add_netgroup_member(ns_ldap_result_t *result, netgroup_table_t *tab)
{
	ns_ldap_entry_t	*entry;
	int		ret = 0;

	for (entry = result->entry; entry != NULL; entry = entry->next) {
		ret = add_netgroup_member_entry(entry, tab);
		if (ret != 0)
			break;
	}
	return (ret);
}

/*
 * top_down_search checks only checks the netgroup specified in netgrname
 */
static nss_status_t
top_down_search(struct nss_innetgr_args *ia, char *netgrname)
{
	char			searchfilter[SEARCHFILTERLEN];
	char			name[SEARCHFILTERLEN];
	char			userdata[SEARCHFILTERLEN];
	ns_ldap_result_t	*result = NULL;
	ns_ldap_error_t		*error = NULL;
	int			rc;
	nss_status_t		status = NSS_NOTFOUND;
	nss_status_t		status1;
	netgroup_table_t	tab;
	netgroup_name_t		*ng;
	int			ret;

	(void) memset(&tab, 0, sizeof (tab));

	if (add_netgroup_name(netgrname, &tab) != 0)
		return ((nss_status_t)NSS_NOTFOUND);

	while ((ng = get_next_netgroup(&tab)) != NULL) {
#ifdef DEBUG
		syslog(LOG_DEBUG, "nss_ldap: top_down_search: netgroup  loop "
		    "(ng->name: %s)", ng->name ? ng->name : "null !");
#endif
		if (_ldap_filter_name(name, ng->name, sizeof (name)) != 0)
			break;
		ret = snprintf(searchfilter, sizeof (searchfilter),
		    _F_SETMEMBER, name);
		if (ret >= sizeof (searchfilter) || ret < 0)
			break;

		ret = snprintf(userdata, sizeof (userdata), _F_SETMEMBER_SSD,
		    name);
		if (ret >= sizeof (userdata) || ret < 0)
			break;

		/* searching for current netgroup name entry */
		rc = __ns_ldap_list(_NETGROUP, searchfilter,
		    _merge_SSD_filter, netgrent_attrs, NULL, 0, &result,
		    &error, NULL, userdata);

		if (error != NULL) {
			status1 = switch_err(rc, error);
			if (status1 == NSS_TRYAGAIN) {
				(void) __ns_ldap_freeError(&error);
				free_netgroup_table(&tab);
				return (status1);
			}
		}

		(void) __ns_ldap_freeError(&error);
		if (rc == NS_LDAP_SUCCESS) {
			if (match_triple(ia, result) == 1) {
				/* We found a match */
				ia->status = NSS_NETGR_FOUND;
				status = NSS_SUCCESS;
#ifdef DEBUG
				syslog(LOG_DEBUG, "nss_ldap: top_down_search: "
				    "found match");
#endif
				break;
			}

			/*
			 * No match found. Check for membernisnetgroup
			 * in result and if yes, start again with those.
			 */
			rc = add_netgroup_member(result, &tab);
			if (rc != 0)
				break;
		} else if (rc != NS_LDAP_NOTFOUND) {
			break;
		}
		(void) __ns_ldap_freeResult(&result);
	}

	(void) __ns_ldap_freeResult(&result);
	free_netgroup_table(&tab);
	return (status);
}

/*
 * __netgr_in checks only checks the netgroup specified in ngroup
 */
static nss_status_t
__netgr_in(void *a, char *netgrname)
{
	struct nss_innetgr_args	*ia = (struct nss_innetgr_args *)a;
	nss_status_t		status = NSS_NOTFOUND;

#ifdef DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: netgr_in]\n");
	(void) fprintf(stdout, "\tmachine: argc[%d]='%s' user: "
	    "argc[%d]='%s',\n\tdomain:argc[%d]='%s' "
	    "netgroup: argc[%d]='%s'\n",
	    NSS_NETGR_MACHINE,
	    PRINT_VAL(ia->arg[NSS_NETGR_MACHINE]),
	    NSS_NETGR_USER,
	    PRINT_VAL(ia->arg[NSS_NETGR_USER]),
	    NSS_NETGR_DOMAIN,
	    PRINT_VAL(ia->arg[NSS_NETGR_DOMAIN]),
	    NSS_NETGR_N,
	    PRINT_VAL(ia->arg[NSS_NETGR_N]));
	(void) fprintf(stdout, "\tgroups='%s'\n", netgrname);
#endif	/* DEBUG */

	ia->status = NSS_NETGR_NO;

	if (netgrname == NULL)
		return (status);

	return (top_down_search(ia, netgrname));
}

/*ARGSUSED0*/
static nss_status_t
netgr_in(ldap_backend_ptr be, void *a)
{
	struct nss_innetgr_args	*ia = (struct nss_innetgr_args *)a;
	int	i;
	nss_status_t	rc = (nss_status_t)NSS_NOTFOUND;

	ia->status = NSS_NETGR_NO;
	for (i = 0; i < ia->groups.argc; i++) {
		rc = __netgr_in(a, ia->groups.argv[i]);
		if (ia->status == NSS_NETGR_FOUND)
			return (NSS_SUCCESS);
	}
	return (rc);
}

/*
 *
 */

static nss_status_t
getnetgr_ldap_setent(ldap_backend_ptr be, void *a)
{
	const char	*netgroup = (const char *) a;
	getnetgrent_cookie_t	*cookie;

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: getnetgr_ldap_setent]\n");
#endif	/* DEBUG */

	cookie = (getnetgrent_cookie_t *)be->netgroup_cookie;
	if (cookie != NULL && cookie->netgroup != NULL) {
		/* is this another set on the same netgroup */
		if (strcmp(cookie->netgroup, netgroup) == 0)
			return ((nss_status_t)NSS_SUCCESS);
	}

	return (NSS_NOTFOUND);
}

static void
free_getnetgrent_cookie(getnetgrent_cookie_t **cookie)
{
	getnetgrent_cookie_t *p = *cookie;

#ifdef DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: free_getnetgrent_cookie]\n");
#endif	/* DEBUG */

	if (p == NULL)
		return;

	(void) __ns_ldap_freeResult(&p->results);
	free_netgroup_table(&p->tab);
	free(p->netgroup);
	free(p);
	*cookie = NULL;
}

/*ARGSUSED1*/
static nss_status_t
getnetgr_ldap_endent(ldap_backend_ptr be, void *a)
{

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: getnetgr_ldap_endent]\n");
#endif	/* DEBUG */

	free_getnetgrent_cookie((getnetgrent_cookie_t **)&be->netgroup_cookie);

	return ((nss_status_t)NSS_NOTFOUND);
}


/*ARGSUSED1*/
static nss_status_t
getnetgr_ldap_destr(ldap_backend_ptr be, void *a)
{

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: getnetgr_ldap_destr]\n");
#endif	/* DEBUG */

	free_getnetgrent_cookie((getnetgrent_cookie_t **)&be->netgroup_cookie);
	free(be);

	return ((nss_status_t)NSS_NOTFOUND);
}


static nss_status_t
getnetgr_ldap_getent(ldap_backend_ptr be, void *a)
{
	struct nss_getnetgrent_args	*args;
	getnetgrent_cookie_t	*p;
	char			searchfilter[SEARCHFILTERLEN];
	char			userdata[SEARCHFILTERLEN];
	char			name[SEARCHFILTERLEN];
	int			rc;
	ns_ldap_result_t	*result = NULL;
	ns_ldap_error_t		*error = NULL;
	char			**attrs;
	char			*hostname, *username, *domain;
	char			*buffer;
	nss_status_t		status = NSS_SUCCESS;
	netgroup_name_t		*ng;
	int			ret;

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: getnetgr_ldap_getent]\n");
#endif	/* DEBUG */

	args = (struct nss_getnetgrent_args *)a;

	args->status = NSS_NETGR_NO;

	p = (getnetgrent_cookie_t *)be->netgroup_cookie;
	if (p == NULL)
		return ((nss_status_t)NSS_SUCCESS);

	for (;;) {
		/*
		 * Search through each netgroup consecutively: only search
		 * next netgroup when results from previous netgroup are
		 * processed.
		 * Needed for nested netgroup (memberNisNetgroup attributes).
		 */
		if (p->results == NULL) {
			if ((ng = get_next_netgroup(&p->tab)) != NULL) {
				if (_ldap_filter_name(name, ng->name,
				    sizeof (name)) != 0)
					break;

				ret = snprintf(searchfilter,
				    sizeof (searchfilter),
				    _F_SETMEMBER, name);
				if (ret >= sizeof (searchfilter) || ret < 0)
					break;

#ifdef DEBUG
				syslog(LOG_DEBUG, "nss_ldap: "
				    "getnetgr_ldap_getent: "
				    "netgroup name: %s", name);
#endif
				ret = snprintf(userdata, sizeof (userdata),
				    _F_SETMEMBER_SSD, name);
				if (ret >= sizeof (userdata) || ret < 0)
					break;

				result = NULL;
				rc = __ns_ldap_list(_NETGROUP, searchfilter,
				    _merge_SSD_filter, netgrent_attrs, NULL,
				    0, &result, &error, NULL, userdata);
				(void) __ns_ldap_freeError(&error);

				if (rc == NS_LDAP_SUCCESS && result != NULL) {
					p->results = result;
				} else {
#ifdef DEBUG
					syslog(LOG_DEBUG, "nss_ldap: "
					    "getnetgr_ldap_getent: "
					    "__ns_ldap_list() returned %d "
					    "(result: 0x%x)", rc, result);
#endif
					/*
					 * Will exit when no more netgroup
					 * to search and no more p->results
					 * to process.
					 */
					(void) __ns_ldap_freeResult(&result);
				}
			} else { /* no more netgroup to process */
				/*
				 * If no more results to process, and since
				 * there's no more netgroup to process either,
				 * then it's time to break and exit the for
				 * loop.
				 */
#ifdef DEBUG
				syslog(LOG_DEBUG, "nss_ldap: "
				    "getnetgr_ldap_getent: no more netgroup "
				    "to process, p->results: 0x%x",
				    p->results);
#endif
				if (p->results == NULL)
					break;
			}
		}
		if (p->results == NULL)
			continue;

		if (p->entry == NULL)
			p->entry = p->results->entry;

		if (p->entry == NULL)
			continue;

		if (p->attrs == NULL) {
			attrs = __ns_ldap_getAttr(p->entry, _N_TRIPLE);
			if (attrs != NULL && *attrs != NULL)
				p->attrs = attrs;
		}

		if (p->attrs != NULL) {
			attrs = p->attrs;
			buffer = args->buffer;

			if (strlcpy(buffer, *attrs, args->buflen) >=
			    args->buflen) {
				status = NSS_STR_PARSE_ERANGE;
				break;
			}

			rc = split_triple(buffer, &hostname, &username,
			    &domain);
			attrs++;
			if (attrs != NULL && *attrs != NULL)
				p->attrs = attrs;
			else
				p->attrs = NULL;
			if (rc == 0) {
				args->retp[NSS_NETGR_MACHINE] = hostname;
				args->retp[NSS_NETGR_USER] = username;
				args->retp[NSS_NETGR_DOMAIN] = domain;
				args->status = NSS_NETGR_FOUND;
#ifdef DEBUG
				syslog(LOG_DEBUG, "nss_ldap: "
				    "getnetgr_ldap_getent: found triple "
				    "(%s, %s, %s), 0x%x to process",
				    hostname ? hostname : "",
				    username ? username : "",
				    domain ? domain : "",
				    p->attrs);
#endif
				if (p->attrs != NULL)
					break;
			}
		}

		if (p->attrs == NULL) {
			rc = add_netgroup_member_entry(p->entry, &p->tab);
			if (rc != 0) {
				args->status = NSS_NETGR_NO;
				break;
			}

			p->entry = p->entry->next;
			if (p->entry == NULL)
				(void) __ns_ldap_freeResult(&p->results);
			if (args->status == NSS_NETGR_FOUND)
				break;
		}
	}

	return (status);
}

static ldap_backend_op_t getnetgroup_ops[] = {
	getnetgr_ldap_destr,
	getnetgr_ldap_endent,
	getnetgr_ldap_setent,
	getnetgr_ldap_getent,
};

/*
 *
 */

static nss_status_t
netgr_set(ldap_backend_ptr be, void *a)
{
	struct nss_setnetgrent_args	*args =
	    (struct nss_setnetgrent_args *)a;
	ldap_backend_ptr		get_be;
	getnetgrent_cookie_t		*p;

#ifdef DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: netgr_set]\n");
	(void) fprintf(stdout,
	    "\targs->netgroup: %s\n", ISNULL(args->netgroup));
#endif /* DEBUG */

	if (args->netgroup == NULL)
		return ((nss_status_t)NSS_NOTFOUND);

	free_getnetgrent_cookie((getnetgrent_cookie_t **)&be->netgroup_cookie);
	p = (getnetgrent_cookie_t *)calloc(1, sizeof (getnetgrent_cookie_t));
	if (p == NULL)
		return ((nss_status_t)NSS_NOTFOUND);
	p->netgroup = strdup(args->netgroup);
	if (p->netgroup == NULL) {
		free(p);
		return ((nss_status_t)NSS_NOTFOUND);
	}
	if (add_netgroup_name(args->netgroup, &p->tab) == -1) {
		free_getnetgrent_cookie(&p);
		return ((nss_status_t)NSS_NOTFOUND);
	}

	/* now allocate and return iteration backend structure */
	if ((get_be = (ldap_backend_ptr)malloc(sizeof (*get_be))) == NULL)
		return (NSS_UNAVAIL);
	get_be->ops = getnetgroup_ops;
	get_be->nops = sizeof (getnetgroup_ops) / sizeof (getnetgroup_ops[0]);
	get_be->tablename = NULL;
	get_be->attrs = netgrent_attrs;
	get_be->result = NULL;
	get_be->ldapobj2str = NULL;
	get_be->setcalled = 1;
	get_be->filter = NULL;
	get_be->toglue = NULL;
	get_be->enumcookie = NULL;
	get_be->netgroup_cookie = p;
	args->iterator = (nss_backend_t *)get_be;

	(void) __ns_ldap_freeResult(&be->result);

	return (NSS_SUCCESS);
}


/*ARGSUSED1*/
static nss_status_t
netgr_ldap_destr(ldap_backend_ptr be, void *a)
{

#ifdef	DEBUG
	(void) fprintf(stdout, "\n[getnetgrent.c: netgr_ldap_destr]\n");
#endif	/* DEBUG */

	(void) _clean_ldap_backend(be);

	return ((nss_status_t)NSS_NOTFOUND);
}




static ldap_backend_op_t netgroup_ops[] = {
	netgr_ldap_destr,
	0,
	0,
	0,
	netgr_in,		/*	innetgr()	*/
	netgr_set		/*	setnetgrent()	*/
};


/*
 * _nss_ldap_netgroup_constr is where life begins. This function calls the
 * generic ldap constructor function to define and build the abstract data
 * types required to support ldap operations.
 */

/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_netgroup_constr(const char *dummy1, const char *dummy2,
			const char *dummy3)
{

#ifdef	DEBUG
	(void) fprintf(stdout,
	    "\n[getnetgrent.c: _nss_ldap_netgroup_constr]\n");
#endif	/* DEBUG */

	return ((nss_backend_t *)_nss_ldap_constr(netgroup_ops,
	    sizeof (netgroup_ops)/sizeof (netgroup_ops[0]), _NETGROUP,
	    netgrent_attrs, NULL));
}