xref: /titanic_52/usr/src/lib/libsldap/common/ns_config.c (revision 434c5a0685e933e08f535e85a50e4ba7e6816d38)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * libsldap - library side configuration components
 * Routines to manage the config structure
 */

#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <libintl.h>
#include <locale.h>
#include <thread.h>
#include <synch.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>
#include <crypt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <syslog.h>
#include <netdb.h>
#include <sys/systeminfo.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <limits.h>
#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_cache_door.h"
#include "ns_connmgmt.h"

#pragma fini(__s_api_shutdown_conn_mgmt, \
	_free_config, __ns_ldap_doorfd_close)

static mutex_t		ns_parse_lock = DEFAULTMUTEX;
static mutex_t		ns_loadrefresh_lock = DEFAULTMUTEX;
static ns_config_t	*current_config = NULL;

static int		cache_server = FALSE;
extern thread_key_t	ns_cmgkey;

/*
 * Parameter Index Type validation routines
 */
static int
__s_val_postime(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf);
static int
__s_val_basedn(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf);

static int
__s_val_binddn(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf);

static int
__s_val_bindpw(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf);

static int
__s_val_serverList(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf);

/*
 * Forward declarations
 */

static ns_parse_status
verify_value(ns_config_t *cfg, char *name, char *value, char *errstr);

static int
set_default_value(ns_config_t *configptr, char *name, char *value,
	ns_ldap_error_t **error);

static void
set_curr_config(ns_config_t *ptr);

static int
__door_getldapconfig(char **buffer, int *buflen, ns_ldap_error_t **error);

static ns_config_t *
SetDoorInfo(char *buffer, ns_ldap_error_t **errorp);

static boolean_t
timetorefresh(ns_config_t *cfg);

static ns_config_t *
LoadCacheConfiguration(ns_config_t *, ns_ldap_error_t **error);

static void **
dupParam(ns_param_t *ptr);

static time_t
conv_time(char *s);

/*
 * Structures used in enum <-> string mapping routines
 */

static ns_enum_map ns_auth_enum_v1[] = {
	{ ENUM2INT(NS_LDAP_EA_NONE), "NS_LDAP_AUTH_NONE" },
	{ ENUM2INT(NS_LDAP_EA_SIMPLE), "NS_LDAP_AUTH_SIMPLE" },
	{ ENUM2INT(NS_LDAP_EA_SASL_CRAM_MD5), "NS_LDAP_AUTH_SASL_CRAM_MD5" },
	{ -1, NULL },
};

static ns_enum_map ns_auth_enum_v2[] = {
	{ ENUM2INT(NS_LDAP_EA_NONE), "none" },
	{ ENUM2INT(NS_LDAP_EA_SIMPLE), "simple" },
	{ ENUM2INT(NS_LDAP_EA_SASL_CRAM_MD5), "sasl/CRAM-MD5" },
	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5), "sasl/DIGEST-MD5" },
	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5_INT),
			"sasl/DIGEST-MD5:auth-int" },
	{ ENUM2INT(NS_LDAP_EA_SASL_DIGEST_MD5_CONF),
			"sasl/DIGEST-MD5:auth-conf" },
	{ ENUM2INT(NS_LDAP_EA_SASL_EXTERNAL), "sasl/EXTERNAL" },
	{ ENUM2INT(NS_LDAP_EA_SASL_GSSAPI), "sasl/GSSAPI" },
	{ ENUM2INT(NS_LDAP_EA_TLS_NONE), "tls:none" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SIMPLE), "tls:simple" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_CRAM_MD5), "tls:sasl/CRAM-MD5" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5), "tls:sasl/DIGEST-MD5" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT),
			"tls:sasl/DIGEST-MD5:auth-int" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF),
			"tls:sasl/DIGEST-MD5:auth-conf" },
	{ ENUM2INT(NS_LDAP_EA_TLS_SASL_EXTERNAL), "tls:sasl/EXTERNAL" },
	{ -1, NULL },
};

	/* V1 ONLY */
static ns_enum_map ns_sec_enum_v1[] = {
	{ ENUM2INT(NS_LDAP_TLS_NONE), "NS_LDAP_SEC_NONE" },
	{ -1, NULL },
};

	/* V2 ONLY */
static ns_enum_map ns_cred_enum_v2[] = {
	{ ENUM2INT(NS_LDAP_CRED_ANON), "anonymous" },
	{ ENUM2INT(NS_LDAP_CRED_PROXY), "proxy" },
	{ ENUM2INT(NS_LDAP_CRED_SELF), "self" },
	{ -1, NULL },
};

static ns_enum_map ns_ref_enum_v1[] = {
	{ ENUM2INT(NS_LDAP_FOLLOWREF), "NS_LDAP_FOLLOWREF" },
	{ ENUM2INT(NS_LDAP_NOREF), "NS_LDAP_NOREF" },
	{ -1, NULL },
};

static ns_enum_map ns_ref_enum_v2[] = {
	{ ENUM2INT(NS_LDAP_FOLLOWREF), "TRUE" },
	{ ENUM2INT(NS_LDAP_NOREF), "FALSE" },
	{ -1, NULL },
};

static ns_enum_map ns_scope_enum_v1[] = {
	{ ENUM2INT(NS_LDAP_SCOPE_BASE), "NS_LDAP_SCOPE_BASE" },
	{ ENUM2INT(NS_LDAP_SCOPE_ONELEVEL), "NS_LDAP_SCOPE_ONELEVEL" },
	{ ENUM2INT(NS_LDAP_SCOPE_SUBTREE), "NS_LDAP_SCOPE_SUBTREE" },
	{ -1, NULL },
};

static ns_enum_map ns_scope_enum_v2[] = {
	{ ENUM2INT(NS_LDAP_SCOPE_BASE), "base" },
	{ ENUM2INT(NS_LDAP_SCOPE_ONELEVEL), "one" },
	{ ENUM2INT(NS_LDAP_SCOPE_SUBTREE), "sub" },
	{ -1, NULL },
};

static ns_enum_map ns_pref_enum[] = {
	{ ENUM2INT(NS_LDAP_PREF_FALSE), "NS_LDAP_FALSE" },
	{ ENUM2INT(NS_LDAP_PREF_TRUE), "NS_LDAP_TRUE" },
	{ -1, NULL },
};

static ns_enum_map ns_shadow_update_enum[] = {
	{ ENUM2INT(NS_LDAP_ENABLE_SHADOW_UPDATE_FALSE), "FALSE" },
	{ ENUM2INT(NS_LDAP_ENABLE_SHADOW_UPDATE_TRUE), "TRUE" },
	{ -1, NULL },
};

static int	ns_def_auth_v1[] = {
	ENUM2INT(NS_LDAP_EA_NONE),
	0
};

static int	ns_def_auth_v2[] = {
	ENUM2INT(NS_LDAP_EA_NONE),
	0
};

static int	ns_def_cred_v1[] = {
	ENUM2INT(NS_LDAP_CRED_PROXY),
	0
};

static int	ns_def_cred_v2[] = {
	ENUM2INT(NS_LDAP_CRED_ANON),
	0
};

/*
 * The next macro places an integer in the first sizeof(int) bytes of a
 * void pointer location. For 32-bit, it is the same as "(void *) i". It
 * is used to solve a problem found during 64-bit testing.  The problem
 * was that for a configuration parameter such as NS_LDAP_SEARCH_REF_P,
 * which is of type INT and has defined default value, an int
 * variable(ns_param.ns_pu.i) defined inside an union(ns_pu) structure, is
 * used to access the defined default value. This requires the default
 * value to be in the first sizeof(int) bytes of the union element.  If
 * just using "(void *) intval" to declare the default value in the
 * following defconfig[] structure, the intval data will be placed is the
 * last sizeof(int) bytes. In which case, when accessing via ns_pu_i in
 * a 64-bit system, ZERO will be returned as the default value, not the
 * defined one.
 *
 * Note since amd64 is little-endian, the problem is not an issue.
 * INT2VOIDPTR will just leave the data (i) unchanged.
 */
#if defined(__amd64)
#define	INT2VOIDPTR(i)	(void *)i
#else
#define	INT2VOIDPTR(i)	\
	(void *)(((long)(i))<<(8*(sizeof (void *) - sizeof (int))))
#endif
/*
 * The default configuration table
 * Version 1 entries are first, V2 entries follow.
 */
static ns_default_config defconfig[] = {
	/* optional V1 profile */
	{"NS_LDAP_FILE_VERSION", NS_LDAP_FILE_VERSION_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		NULL,	/* No version number defined in V1 */
		{ CHARPTR, 0, (void *)NS_LDAP_VERSION_1 },
		NULL, NULL },

	/* ---------- V1 profile ---------- */
	{"NS_LDAP_BINDDN", NS_LDAP_BINDDN_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_BINDDN,
		{ CHARPTR, 0, NULL },
		__s_val_binddn, NULL },

	{"NS_LDAP_BINDPASSWD", NS_LDAP_BINDPASSWD_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_BINDPASSWORD,
		{ CHARPTR, 0, NULL },
		__s_val_bindpw, NULL },

	{"NS_LDAP_SERVERS", NS_LDAP_SERVERS_P,
		SERVERCONFIG,	ARRAYCP,	FALSE,	NS_LDAP_V1,
		_P1_SERVERS,
		{ ARRAYCP, 0, NULL },
		__s_val_serverList, NULL },

	{"NS_LDAP_SEARCH_BASEDN", NS_LDAP_SEARCH_BASEDN_P,
		SERVERCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_SEARCHBASEDN,
		{ CHARPTR, 0, NULL },
		__s_val_basedn, NULL },

	{"NS_LDAP_AUTH", NS_LDAP_AUTH_P,
		CLIENTCONFIG,	ARRAYAUTH,	FALSE,	NS_LDAP_V1,
		_P1_AUTHMETHOD,
		{ ARRAYAUTH, 1, (void *)&ns_def_auth_v1[0] },
		NULL, ns_auth_enum_v1 },

	{"NS_LDAP_TRANSPORT_SEC", NS_LDAP_TRANSPORT_SEC_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_TRANSPORTSECURITY,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_TLS_NONE) },
		NULL, ns_sec_enum_v1 },

	{"NS_LDAP_SEARCH_REF", NS_LDAP_SEARCH_REF_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_SEARCHREFERRAL,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_FOLLOWREF) },
		NULL, ns_ref_enum_v1 },

	{"NS_LDAP_DOMAIN", NS_LDAP_DOMAIN_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_EXP", NS_LDAP_EXP_P,
		SERVERCONFIG,	TIMET,		TRUE,	NS_LDAP_V1,
		NULL,	/* initialized by code to time+NS_LDAP_CACHETTL */
		{ INT, 0, 0 },
		NULL, NULL },

	{"NS_LDAP_CERT_PATH", NS_LDAP_CERT_PATH_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_CERTIFICATEPATH,
		{ CHARPTR, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_CERT_PASS", NS_LDAP_CERT_PASS_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_CERTIFICATEPASSWORD,
		{ CHARPTR, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_SEARCH_DN", NS_LDAP_SEARCH_DN_P,
		CLIENTCONFIG,	SSDLIST,	FALSE,	NS_LDAP_V1,
		_P1_DATASEARCHDN,
		{ SSDLIST, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_SEARCH_SCOPE", NS_LDAP_SEARCH_SCOPE_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_SEARCHSCOPE,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_SCOPE_ONELEVEL) },
		NULL, ns_scope_enum_v1 },

	{"NS_LDAP_SEARCH_TIME", NS_LDAP_SEARCH_TIME_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_SEARCHTIMELIMIT,
		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_SEARCH_TIMEOUT) },
		NULL, NULL },

	{"NS_LDAP_SERVER_PREF", NS_LDAP_SERVER_PREF_P,
		CLIENTCONFIG,	ARRAYCP,	FALSE,	NS_LDAP_V1,
		_P1_PREFERREDSERVER,
		{ ARRAYCP, 0, NULL },
		__s_val_serverList, NULL },

	{"NS_LDAP_PREF_ONLY", NS_LDAP_PREF_ONLY_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_PREFERREDSERVERONLY,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_PREF_FALSE) },
		NULL, ns_pref_enum },

	{"NS_LDAP_CACHETTL", NS_LDAP_CACHETTL_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P1_CACHETTL,
		{ CHARPTR, 0, (void *)EXP_DEFAULT_TTL },
		__s_val_postime, NULL },

	{"NS_LDAP_PROFILE", NS_LDAP_PROFILE_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V1,
		_P_CN,
		{ CHARPTR, 0, (void *)DEFAULTCONFIGNAME },
		NULL, NULL },

	{"NS_LDAP_BIND_TIME", NS_LDAP_BIND_TIME_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V1,
		_P1_BINDTIMELIMIT,
		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_BIND_TIMEOUT) },
		NULL, NULL },

	/* This configuration option is not visible in V1 */
	{"NS_LDAP_CREDENTIAL_LEVEL", NS_LDAP_CREDENTIAL_LEVEL_P,
		CLIENTCONFIG,	ARRAYCRED,	TRUE,	NS_LDAP_V1,
		NULL,	/* No version defined in V1 */
		{ ARRAYCRED, 0, (void *)&ns_def_cred_v1[0] },
		NULL, NULL },

	/* ---------- V2 profile ---------- */
	{"NS_LDAP_FILE_VERSION", NS_LDAP_FILE_VERSION_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* No version number defined in V1 */
		{ CHARPTR, 0, (void *)NS_LDAP_VERSION_2 },
		NULL, NULL },

	{"NS_LDAP_BINDDN", NS_LDAP_BINDDN_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, NULL },
		__s_val_binddn, NULL },

	{"NS_LDAP_BINDPASSWD", NS_LDAP_BINDPASSWD_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, NULL },
		__s_val_bindpw, NULL },

	{"NS_LDAP_ENABLE_SHADOW_UPDATE", NS_LDAP_ENABLE_SHADOW_UPDATE_P,
		CREDCONFIG,	INT,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ INT, 0, INT2VOIDPTR(NS_LDAP_ENABLE_SHADOW_UPDATE_FALSE) },
		NULL, ns_shadow_update_enum },

	{"NS_LDAP_ADMIN_BINDDN", NS_LDAP_ADMIN_BINDDN_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, NULL },
		__s_val_binddn, NULL },

	{"NS_LDAP_ADMIN_BINDPASSWD", NS_LDAP_ADMIN_BINDPASSWD_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, NULL },
		__s_val_bindpw, NULL },

	{"NS_LDAP_EXP", NS_LDAP_EXP_P,
		SERVERCONFIG,	TIMET,		TRUE,	NS_LDAP_V2,
		NULL,	/* initialized by code to time+NS_LDAP_CACHETTL */
		{ INT, 0, 0 },
		NULL, NULL },

	{"NS_LDAP_SERVER_PREF", NS_LDAP_SERVER_PREF_P,
		CLIENTCONFIG,	SERVLIST,	FALSE,	NS_LDAP_V2,
		_P2_PREFERREDSERVER,
		{ SERVLIST, 0, NULL },
		__s_val_serverList, NULL },

	{"NS_LDAP_SERVERS", NS_LDAP_SERVERS_P,
		SERVERCONFIG,	SERVLIST,	FALSE,	NS_LDAP_V2,
		_P2_DEFAULTSERVER,
		{ SERVLIST, 0, NULL },
		__s_val_serverList, NULL },

	{"NS_LDAP_SEARCH_BASEDN", NS_LDAP_SEARCH_BASEDN_P,
		SERVERCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		_P2_SEARCHBASEDN,
		{ CHARPTR, 0, NULL },
		__s_val_basedn, NULL },

	{"NS_LDAP_SEARCH_SCOPE", NS_LDAP_SEARCH_SCOPE_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
		_P2_SEARCHSCOPE,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_SCOPE_ONELEVEL) },
		NULL, ns_scope_enum_v2 },

	{"NS_LDAP_AUTH", NS_LDAP_AUTH_P,
		CLIENTCONFIG,	ARRAYAUTH,	FALSE,	NS_LDAP_V2,
		_P2_AUTHMETHOD,
		{ ARRAYAUTH, 2, (void *)&ns_def_auth_v2[0] },
		NULL, ns_auth_enum_v2 },

	{"NS_LDAP_CREDENTIAL_LEVEL", NS_LDAP_CREDENTIAL_LEVEL_P,
		CLIENTCONFIG,	ARRAYCRED,	FALSE,	NS_LDAP_V2,
		_P2_CREDENTIALLEVEL,
		{ ARRAYCRED, 0, (void *)&ns_def_cred_v2[0] },
		NULL, ns_cred_enum_v2 },

	{"NS_LDAP_SERVICE_SEARCH_DESC", NS_LDAP_SERVICE_SEARCH_DESC_P,
		CLIENTCONFIG,	SSDLIST,	FALSE,	NS_LDAP_V2,
		_P2_SERVICESEARCHDESC,
		{ SSDLIST, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_SEARCH_TIME", NS_LDAP_SEARCH_TIME_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
		_P2_SEARCHTIMELIMIT,
		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_SEARCH_TIMEOUT) },
		NULL, NULL },

	{"NS_LDAP_BIND_TIME", NS_LDAP_BIND_TIME_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
		_P2_BINDTIMELIMIT,
		{ INT, 0, INT2VOIDPTR(NS_DEFAULT_BIND_TIMEOUT) },
		NULL, NULL },

	{"NS_LDAP_SEARCH_REF", NS_LDAP_SEARCH_REF_P,
		CLIENTCONFIG,	INT,		TRUE,	NS_LDAP_V2,
		_P2_FOLLOWREFERRALS,
		{ INT, 0, INT2VOIDPTR(NS_LDAP_FOLLOWREF) },
		NULL, ns_ref_enum_v2 },

	{"NS_LDAP_CACHETTL", NS_LDAP_CACHETTL_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		_P2_PROFILETTL,
		{ CHARPTR, 0, (void *)EXP_DEFAULT_TTL },
		__s_val_postime, NULL },

	{"NS_LDAP_ATTRIBUTEMAP", NS_LDAP_ATTRIBUTEMAP_P,
		CLIENTCONFIG,	ATTRMAP,	FALSE,	NS_LDAP_V2,
		_P2_ATTRIBUTEMAP,
		{ ATTRMAP, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_OBJECTCLASSMAP", NS_LDAP_OBJECTCLASSMAP_P,
		CLIENTCONFIG,	OBJMAP,		FALSE,	NS_LDAP_V2,
		_P2_OBJECTCLASSMAP,
		{ OBJMAP, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_PROFILE", NS_LDAP_PROFILE_P,
		CLIENTCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		_P_CN,
		{ CHARPTR, 0, (void *)DEFAULTCONFIGNAME },
		NULL, NULL },

	{"NS_LDAP_SERVICE_AUTH_METHOD", NS_LDAP_SERVICE_AUTH_METHOD_P,
		CLIENTCONFIG,	SAMLIST,	FALSE,	NS_LDAP_V2,
		_P2_SERVICEAUTHMETHOD,
		{ SAMLIST, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_SERVICE_CRED_LEVEL", NS_LDAP_SERVICE_CRED_LEVEL_P,
		CLIENTCONFIG,	SCLLIST,	FALSE,	NS_LDAP_V2,
		_P2_SERVICECREDLEVEL,
		{ SCLLIST, 0, NULL },
		NULL, NULL },

	{"NS_LDAP_HOST_CERTPATH", NS_LDAP_HOST_CERTPATH_P,
		CREDCONFIG,	CHARPTR,	TRUE,	NS_LDAP_V2,
		NULL,	/* not defined in the Profile */
		{ CHARPTR, 0, (void *)NSLDAPDIRECTORY },
		NULL, NULL },

	/* array terminator [not an entry] */
	{NULL, NS_LDAP_FILE_VERSION_P,
		CLIENTCONFIG,	NS_UNKNOWN,	TRUE,	NULL,
		NULL,
		{ NS_UNKNOWN, 0, NULL },
		NULL, NULL },
};

static char *
__getdomainname()
{
	/*
	 * The sysinfo man page recommends using a buffer size
	 * of 257 bytes. MAXHOSTNAMELEN is 256. So add 1 here.
	 */
	char	buf[MAXHOSTNAMELEN + 1];
	int	status;

	status = sysinfo(SI_SRPC_DOMAIN, buf, MAXHOSTNAMELEN);
	if (status < 0)
		return (NULL);
	/* error: not enough space to hold returned value */
	if (status > sizeof (buf))
		return (NULL);
	return (strdup(buf));
}

void
__ns_ldap_setServer(int set)
{
	cache_server = set;
}

static boolean_t
timetorefresh(ns_config_t *cfg)
{
	struct timeval	tp;
	static time_t	expire = 0;

	if (cfg == NULL || gettimeofday(&tp, NULL) == -1)
		return (B_TRUE);

	if (cfg->paramList[NS_LDAP_EXP_P].ns_ptype == TIMET)
		expire = cfg->paramList[NS_LDAP_EXP_P].ns_tm;
	else
		return (B_TRUE);

	return (expire != 0 && tp.tv_sec > expire);
}

int
__s_get_enum_value(ns_config_t *ptr, char *value, ParamIndexType i)
{
	register ns_enum_map	*mapp;
	char			*pstart = value;
	char			*pend;
	int			len;

	if (pstart == NULL)
		return (-1);

	/* skip leading spaces */
	while (*pstart == SPACETOK)
		pstart++;
	/* skip trailing spaces */
	pend = pstart + strlen(pstart) - 1;
	for (; pend >= pstart && *pend == SPACETOK; pend--)
		;
	len = pend - pstart + 1;
	if (len == 0)
		return (-1);

	switch (i) {
	case NS_LDAP_AUTH_P:
		if (ptr->version == NS_LDAP_V1)
			mapp = &ns_auth_enum_v1[0];
		else
			mapp = &ns_auth_enum_v2[0];
		break;
	case NS_LDAP_TRANSPORT_SEC_P:
		return (-1);
	case NS_LDAP_SEARCH_SCOPE_P:
		if (ptr->version == NS_LDAP_V1)
			mapp = &ns_scope_enum_v1[0];
		else
			mapp = &ns_scope_enum_v2[0];
		break;
	case NS_LDAP_SEARCH_REF_P:
		if (ptr->version == NS_LDAP_V1)
			mapp = &ns_ref_enum_v1[0];
		else
			mapp = &ns_ref_enum_v2[0];
		break;
	case NS_LDAP_PREF_ONLY_P:
		mapp = &ns_pref_enum[0];
		break;
	case NS_LDAP_ENABLE_SHADOW_UPDATE_P:
		mapp = &ns_shadow_update_enum[0];
		break;
	case NS_LDAP_CREDENTIAL_LEVEL_P:
		if (ptr->version == NS_LDAP_V1)
			return (-1);
		else
			mapp = &ns_cred_enum_v2[0];
		break;
	case NS_LDAP_SERVICE_AUTH_METHOD_P:
		mapp = &ns_auth_enum_v2[0];
		break;
	case NS_LDAP_SERVICE_CRED_LEVEL_P:
		mapp = &ns_cred_enum_v2[0];
		break;
	default:
		return (-1);
	}

	for (; mapp->name != NULL; mapp++) {
		if (strncasecmp(pstart, mapp->name, len) == 0 &&
		    (strlen(mapp->name) == len)) {
			return (mapp->value);
		}
	}
	return (-1);
}

char *
__s_get_auth_name(ns_config_t *ptr, AuthType_t type)
{
	register ns_enum_map	*mapp;

	if (ptr->version == NS_LDAP_V1)
		mapp = &ns_auth_enum_v1[0];
	else
		mapp = &ns_auth_enum_v2[0];

	for (; mapp->name != NULL; mapp++) {
		if (type == INT2AUTHENUM(mapp->value)) {
			return (mapp->name);
		}
	}
	return ("Unknown AuthType_t type specified");
}


char *
__s_get_security_name(ns_config_t *ptr, TlsType_t type)
{
	register ns_enum_map	*mapp;

	if (ptr->version == NS_LDAP_V1) {
		mapp = &ns_sec_enum_v1[0];

		for (; mapp->name != NULL; mapp++) {
			if (type == INT2SECENUM(mapp->value)) {
				return (mapp->name);
			}
		}
	}
	return ("Unknown TlsType_t type specified");
}


char *
__s_get_scope_name(ns_config_t *ptr, ScopeType_t type)
{
	register ns_enum_map	*mapp;

	if (ptr->version == NS_LDAP_V1)
		mapp = &ns_scope_enum_v1[0];
	else
		mapp = &ns_scope_enum_v2[0];

	for (; mapp->name != NULL; mapp++) {
		if (type == INT2SCOPEENUM(mapp->value)) {
			return (mapp->name);
		}
	}
	return ("Unknown ScopeType_t type specified");
}


char *
__s_get_pref_name(PrefOnly_t type)
{
	register ns_enum_map	*mapp = &ns_pref_enum[0];

	for (; mapp->name != NULL; mapp++) {
		if (type == INT2PREFONLYENUM(mapp->value)) {
			return (mapp->name);
		}
	}
	return ("Unknown PrefOnly_t type specified");
}

char *
__s_get_searchref_name(ns_config_t *ptr, SearchRef_t type)
{
	register ns_enum_map	*mapp;

	if (ptr->version == NS_LDAP_V1)
		mapp = &ns_ref_enum_v1[0];
	else
		mapp = &ns_ref_enum_v2[0];

	for (; mapp->name != NULL; mapp++) {
		if (type == INT2SEARCHREFENUM(mapp->value)) {
			return (mapp->name);
		}
	}
	return ("Unknown SearchRef_t type specified");
}

char *
__s_get_shadowupdate_name(enableShadowUpdate_t type)
{
	register ns_enum_map	*mapp;

	mapp = &ns_shadow_update_enum[0];

	for (; mapp->name != NULL; mapp++) {
		if (type == INT2SHADOWUPDATENUM(mapp->value)) {
			return (mapp->name);
		}
	}
	return ("Unknown enableShadowUpdate_t type specified");
}

static char *
__s_get_credlvl_name(ns_config_t *ptr, CredLevel_t type)
{
	register ns_enum_map	*mapp;

	if (ptr->version == NS_LDAP_V2) {
		mapp = &ns_cred_enum_v2[0];
		for (; mapp->name != NULL; mapp++) {
			if (type == INT2CREDLEVELENUM(mapp->value)) {
				return (mapp->name);
			}
		}
	}
	return ("Unknown CredLevel_t type specified");
}

static void
destroy_param(ns_config_t *ptr, ParamIndexType type)
{
	int	i, j;
	char	**ppc;

	if (ptr == NULL)
		return;

	/*
	 * This routine is not lock protected because
	 * the config param it may be destroying is not
	 * necessarily THE config.  Mutex protect elsewhere.
	 */
	switch (ptr->paramList[type].ns_ptype) {
	case CHARPTR:
		if (ptr->paramList[type].ns_pc) {
			free(ptr->paramList[type].ns_pc);
			ptr->paramList[type].ns_pc = NULL;
		}
		break;
	case SAMLIST:
	case SCLLIST:
	case SSDLIST:
	case ARRAYCP:
	case SERVLIST:
		if (ptr->paramList[type].ns_ppc) {
			ppc = ptr->paramList[type].ns_ppc;
			j = ptr->paramList[type].ns_acnt;
			for (i = 0; i < j && ppc[i] != NULL; i++) {
				free((void *)ppc[i]);
			}
			free((void *)ppc);
			ptr->paramList[type].ns_ppc = NULL;
		}
		break;
	case ARRAYAUTH:
	case ARRAYCRED:
		if (ptr->paramList[type].ns_pi) {
			free(ptr->paramList[type].ns_pi);
			ptr->paramList[type].ns_pi = NULL;
		}
		break;
	case INT:
		ptr->paramList[type].ns_i = 0;
		break;
	case ATTRMAP:
		break;
	case OBJMAP:
		break;
	default:
		break;
	}
	ptr->paramList[type].ns_ptype = NS_UNKNOWN;
}

static void
destroy_config(ns_config_t *ptr)
{
	ParamIndexType	i;

	if (ptr != NULL) {
		if (ptr == current_config)
			current_config = NULL;
		if (ptr->domainName != NULL)
			free(ptr->domainName);
			ptr->domainName = NULL;
		for (i = 0; i <= LAST_VALUE; i++) {
			destroy_param(ptr, i);
		}
		__s_api_destroy_hash(ptr);
		free(ptr);
	}
}

/*
 * Marks the ns_config_t to be deleted and then releases it. (If no other
 * caller is using, then __s_api_release_config will destroy it.)
 *
 * Note that __s_api_destroy_config should only be called if the caller has
 * created the ns_config_t with __s_api_create_config (with the exception
 * of set_curr_config). The ns_config_t should be private to the caller.
 *
 * This function should not be called with the current_config except by
 * set_curr_config which locks ns_parse_lock to ensure that no thread
 * will be waiting on current_config->config_mutex. This ensures that
 * no caller with be waiting on cfg->config_mutex while it is being
 * destroyed by __s_api_release_config.
 */

void
__s_api_destroy_config(ns_config_t *cfg)
{
	if (cfg != NULL) {
		(void) mutex_lock(&cfg->config_mutex);
		cfg->delete = TRUE;
		(void) mutex_unlock(&cfg->config_mutex);
		__s_api_release_config(cfg);
	}
}


/*
 * Increment the configuration use count by one - assumes ns_parse_lock has
 * been obtained.
 */

static ns_config_t *
get_curr_config_unlocked(ns_config_t *cfg, boolean_t global)
{
	ns_config_t *ret;

	ret = cfg;
	if (cfg != NULL) {
		(void) mutex_lock(&cfg->config_mutex);
		/*
		 * allow access to per connection management (non-global)
		 * config so operations on connection being closed can still
		 * be completed
		 */
		if (cfg->delete && global == B_TRUE)
			ret = NULL;
		else
			cfg->nUse++;
		(void) mutex_unlock(&cfg->config_mutex);
	}
	return (ret);
}

/*
 * set_curr_config_global sets the current global config to the
 * specified ns_config_t. Note that this function is similar
 * to the project private function __s_api_init_config_global
 * except that it does not release the new ns_config_t.
 */
static void
set_curr_config_global(ns_config_t *ptr)
{
	ns_config_t	*cfg;
	ns_config_t	*cur_cfg;

	(void) mutex_lock(&ns_parse_lock);
	cur_cfg = current_config;
	cfg = get_curr_config_unlocked(cur_cfg, B_TRUE);
	if (cfg != ptr) {
		__s_api_destroy_config(cfg);
		current_config = ptr;
	}
	(void) mutex_unlock(&ns_parse_lock);
}


/*
 * set_curr_config sets the current config or the per connection
 * management one to the specified ns_config_t. Note that this function
 * is similar to the project private function __s_api_init_config
 * except that it does not release the new ns_config_t. Also note
 * that if there's no per connection management one to set, the
 * global current config will be set.
 */

static void
set_curr_config(ns_config_t *ptr)
{
	ns_config_t	*cfg;
	ns_config_t	*cur_cfg;
	ns_conn_mgmt_t	*cmg;
	int		rc;

	rc = thr_getspecific(ns_cmgkey, (void **)&cmg);

	/* set the per connection management config if possible */
	if (rc == 0 && cmg != NULL && cmg->config != NULL) {
		(void) mutex_lock(&cmg->cfg_lock);
		cur_cfg = cmg->config;
		cfg = get_curr_config_unlocked(cur_cfg, B_FALSE);
		if (cfg != ptr) {
			__s_api_destroy_config(cfg);
			cmg->config = ptr;
		}
		(void) mutex_unlock(&cmg->cfg_lock);
		return;
	}

	/* else set the global current config */
	set_curr_config_global(ptr);
}

/*
 * Decrements the ns_config_t usage count by one. Delete if delete flag
 * is set and no other callers are using.
 */

void
__s_api_release_config(ns_config_t *cfg)
{
	if (cfg != NULL) {
		(void) mutex_lock(&cfg->config_mutex);
		cfg->nUse--;
		if (cfg->nUse == 0 && cfg->delete) {
			destroy_config(cfg);
		} else
			(void) mutex_unlock(&cfg->config_mutex);
	}
}

/*
 * __s_api_init_config function destroys the previous global configuration
 * sets the new global configuration and then releases it
 */
void
__s_api_init_config_global(ns_config_t *ptr)
{
	set_curr_config_global(ptr);
	__s_api_release_config(ptr);
}

/*
 * __s_api_init_config function destroys the previous configuration
 * sets the new configuration and then releases it. The configuration
 * may be the global one or the per connection management one.
 */
void
__s_api_init_config(ns_config_t *ptr)
{
	set_curr_config(ptr);
	__s_api_release_config(ptr);
}


/*
 * Create an ns_config_t, set the usage count to one
 */

ns_config_t *
__s_api_create_config(void)
{
	ns_config_t	*ret;
	ret = (ns_config_t *)calloc(1, sizeof (ns_config_t));
	if (ret == NULL)
		return (NULL);

	ret->domainName = __getdomainname();
	if (ret->domainName == NULL) {
		free(ret);
		return (NULL);
	}
	ret->version = NS_LDAP_V1;
	(void) mutex_init(&ret->config_mutex, USYNC_THREAD, NULL);
	ret->nUse = 1;
	ret->delete = B_FALSE;
	return (ret);
}

/*
 * __s_api_get_default_config_global returns the current global config
 */
ns_config_t *
__s_api_get_default_config_global(void)
{
	ns_config_t	*cfg;
	ns_config_t	*cur_cfg;

	(void) mutex_lock(&ns_parse_lock);
	cur_cfg = current_config;
	cfg = get_curr_config_unlocked(cur_cfg, B_TRUE);
	(void) mutex_unlock(&ns_parse_lock);

	return (cfg);
}

/*
 * __s_api_get_default_config returns the current global config or the
 * per connection management one.
 */
ns_config_t *
__s_api_get_default_config(void)
{
	ns_config_t	*cfg;
	ns_config_t	*cur_cfg;
	ns_conn_mgmt_t	*cmg;
	int		rc;

	rc = thr_getspecific(ns_cmgkey, (void **)&cmg);

	/* get the per connection management config if available */
	if (rc == 0 && cmg != NULL && cmg->config != NULL) {
		(void) mutex_lock(&cmg->cfg_lock);
		cur_cfg = cmg->config;
		cfg = get_curr_config_unlocked(cur_cfg, B_FALSE);
		(void) mutex_unlock(&cmg->cfg_lock);
		return (cfg);
	}

	/* else get the global current config */
	return (__s_api_get_default_config_global());
}

static char *
stripdup(const char *instr)
{
	char	*pstart = (char *)instr;
	char	*pend, *ret;
	int	len;

	if (pstart == NULL)
		return (NULL);
	/* remove leading spaces */
	while (*pstart == SPACETOK)
		pstart++;
	/* remove trailing spaces */
	pend = pstart + strlen(pstart) - 1;
	for (; pend >= pstart && *pend == SPACETOK; pend--)
		;
	len = pend - pstart + 1;
	if ((ret = malloc(len + 1)) == NULL)
		return (NULL);
	if (len != 0) {
		(void) strncpy(ret, pstart, len);
	}
	ret[len] = '\0';
	return (ret);
}

/*
 * Note that __s_api_crosscheck is assumed to be called with an ns_config_t
 * that is properly protected - so that it will not change during the
 * duration of the call
 */

/* Size of errstr needs to be MAXERROR */
ns_parse_status
__s_api_crosscheck(ns_config_t *ptr, char *errstr, int check_dn)
{
	int		value, j;
	time_t		tm;
	const char	*str, *str1;
	int		i, cnt;
	int		self, gssapi;

	if (ptr == NULL)
		return (NS_SUCCESS);

	/* check for no server specified */
	if (ptr->paramList[NS_LDAP_SERVERS_P].ns_ppc == NULL) {
		if (ptr->version == NS_LDAP_V1) {
			str = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_SERVERS_P));
			(void) snprintf(errstr, MAXERROR,
			    gettext("Configuration Error: No entry for "
			    "'%s' found"), str);
			return (NS_PARSE_ERR);
		} else if (ptr->paramList[NS_LDAP_SERVER_PREF_P].ns_ppc ==
		    NULL) {
			str = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_SERVERS_P));
			str1 = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_SERVER_PREF_P));
			(void) snprintf(errstr, MAXERROR,
			    gettext("Configuration Error: "
			    "Neither '%s' nor '%s' is defined"), str, str1);
			return (NS_PARSE_ERR);
		}
	}
	if (ptr->paramList[NS_LDAP_CERT_PASS_P].ns_pc != NULL &&
	    ptr->paramList[NS_LDAP_CERT_PATH_P].ns_pc == NULL) {
			str = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_CERT_PASS_P));
			str1 = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_CERT_PATH_P));
			(void) snprintf(errstr, MAXERROR,
			gettext("Configuration Error: %s specified "
			    "but no value for '%s' found"), str, str1);
		return (NS_PARSE_ERR);
	}
	if (ptr->paramList[NS_LDAP_CERT_PASS_P].ns_pc == NULL &&
	    ptr->paramList[NS_LDAP_CERT_PATH_P].ns_pc != NULL) {
			str = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_CERT_PATH_P));
			str1 = NULL_OR_STR(__s_api_get_configname(
			    NS_LDAP_CERT_PASS_P));
			(void) snprintf(errstr, MAXERROR,
			gettext("Configuration Error: %s specified "
			    "but no value for '%s' found"), str, str1);
		return (NS_PARSE_ERR);
	}
	/* check if search basedn has been specified */
	if (ptr->paramList[NS_LDAP_SEARCH_BASEDN_P].ns_ppc == NULL) {
		str = NULL_OR_STR(__s_api_get_configname(
		    NS_LDAP_SEARCH_BASEDN_P));
		(void) snprintf(errstr, MAXERROR,
		    gettext("Configuration Error: No entry for "
		    "'%s' found"), str);
		return (NS_PARSE_ERR);
	}

	if (check_dn) {
	    /* check for auth value....passwd/bindn if necessary */

		for (j = 0; ptr->paramList[NS_LDAP_AUTH_P].ns_pi != NULL &&
		    ptr->paramList[NS_LDAP_AUTH_P].ns_pi[j] != NULL; j++) {
		value = ptr->paramList[NS_LDAP_AUTH_P].ns_pi[j];
		switch (value) {
		case NS_LDAP_EA_SIMPLE:
		case NS_LDAP_EA_SASL_CRAM_MD5:
		case NS_LDAP_EA_SASL_DIGEST_MD5:
		case NS_LDAP_EA_SASL_DIGEST_MD5_INT:
		case NS_LDAP_EA_SASL_DIGEST_MD5_CONF:
		case NS_LDAP_EA_TLS_SIMPLE:
		case NS_LDAP_EA_TLS_SASL_CRAM_MD5:
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5:
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT:
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF:
			if (ptr->paramList[NS_LDAP_BINDDN_P].ns_ppc == NULL) {
				str = NULL_OR_STR(__s_api_get_configname(
				    NS_LDAP_BINDDN_P));
				(void) snprintf(errstr, MAXERROR,
				gettext("Configuration Error: No entry for "
				    "'%s' found"), str);
				return (NS_PARSE_ERR);
			}
			if (ptr->paramList[NS_LDAP_BINDPASSWD_P].ns_ppc
			    == NULL) {
				str = NULL_OR_STR(__s_api_get_configname(
				    NS_LDAP_BINDPASSWD_P));
				(void) snprintf(errstr, MAXERROR,
				gettext("Configuration Error: No entry for "
				    "'%s' found"), str);
				return (NS_PARSE_ERR);
			}
			break;
		}
		}
	}

	/*
	 * If NS_LDAP_CACHETTL is not specified,
	 * init NS_LDAP_EXP_P here. Otherwise,
	 * ldap_cachemgr will never refresh the profile.
	 * Set it to current time + default
	 * NS_LDAP_CACHETTL
	 */
	if (ptr->paramList[NS_LDAP_CACHETTL_P].ns_pc == NULL) {
		tm = conv_time(
		    defconfig[NS_LDAP_CACHETTL_P].defval.ns_pc);
		ptr->paramList[NS_LDAP_EXP_P].ns_ptype = TIMET;
		if (tm != 0) {
			tm += time(NULL);
		}
		ptr->paramList[NS_LDAP_EXP_P].ns_tm = tm;
	}
	/*
	 * If credential level self is defined, there should be
	 * at least an auth method sasl/GSSAPI and vice versa.
	 */
	self = 0;
	cnt = ptr->paramList[NS_LDAP_CREDENTIAL_LEVEL_P].ns_acnt;
	for (i = 0; i < cnt; i++) {
		if (ptr->paramList[NS_LDAP_CREDENTIAL_LEVEL_P].ns_pi[i] ==
		    NS_LDAP_CRED_SELF)
			self++;
	}
	gssapi = 0;
	cnt = ptr->paramList[NS_LDAP_AUTH_P].ns_acnt;
	for (i = 0; i < cnt; i++) {
		if (ptr->paramList[NS_LDAP_AUTH_P].ns_pi[i] ==
		    NS_LDAP_EA_SASL_GSSAPI)
			gssapi++;
	}
	if (gssapi == 0 && self > 0) {
		(void) snprintf(errstr, MAXERROR,
		    gettext("Configuration Error: "
		    "Credential level self requires "
		    "authentication method sasl/GSSAPI"));
		return (NS_PARSE_ERR);
	}
	if (gssapi > 0 && self == 0) {
		(void) snprintf(errstr, MAXERROR,
		    gettext("Configuration Error: "
		    "Authentication method sasl/GSSAPI "
		    "requires credential level self"));
		return (NS_PARSE_ERR);
	}
	return (NS_SUCCESS);
}


int
__s_api_get_type(const char *value, ParamIndexType *type)
{
	int	i;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (strcasecmp(defconfig[i].name, value) == 0) {
			*type = defconfig[i].index;
			return (0);
		}
	}
	return (-1);
}

/*
 * Externally defined version of get_type.
 * Includes extra error checking
 */

int
__ns_ldap_getParamType(const char *value, ParamIndexType *type)
{
	if (value == NULL || type == NULL)
		return (-1);
	return (__s_api_get_type(value, type));
}

int
__s_api_get_versiontype(ns_config_t *ptr, char *value, ParamIndexType *type)
{
	ns_version_t	ver;
	int		i;

	if (ptr == NULL)
		return (-1);

	ver = ptr->version;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (strcasecmp(defconfig[i].name, value) == 0) {
			if (defconfig[i].version == ver) {
				*type = defconfig[i].index;
				return (0);
			}
		}
	}
	return (-1);
}

int
__s_api_get_profiletype(char *value, ParamIndexType *type)
{
	int	i;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (defconfig[i].profile_name == NULL)
			continue;
		if (strcasecmp(defconfig[i].profile_name, value) == 0) {
			*type = defconfig[i].index;
			return (0);
		}
	}
	return (-1);
}

int
__s_api_get_configtype(ParamIndexType type)
{
	int i;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (defconfig[i].index == type) {
			return (defconfig[i].config_type);
		}
	}
	return (-1);
}

const char *
__s_api_get_configname(ParamIndexType type)
{
	int i;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (defconfig[i].index == type) {
			if (defconfig[i].name[0] == '\0')
				return (NULL);
			else
				return (defconfig[i].name);
		}
	}
	return (NULL);
}

static ns_default_config *
get_defconfig(ns_config_t *ptr, ParamIndexType type)
{
	ns_version_t	ver;
	int		i;

	ver = ptr->version;

	for (i = 0; defconfig[i].name != NULL; i++) {
		if (defconfig[i].index == type &&
		    defconfig[i].version == ver) {
			return (&defconfig[i]);
		}
	}
	return (NULL);
}

static int
set_default_value(ns_config_t *configptr, char *name,
			char *value, ns_ldap_error_t **error)
{
	ParamIndexType	i;
	int		ret;
	char		errstr[MAXERROR];

	if (__s_api_get_type(name, &i) < 0) {
		(void) snprintf(errstr, sizeof (errstr), gettext(
		    "Illegal type name (%s).\n"), name);
		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
		    NULL);
		return (NS_LDAP_CONFIG);
	}

	if (i != NS_LDAP_SERVERS_P &&
	    i != NS_LDAP_SERVICE_AUTH_METHOD_P &&
	    i != NS_LDAP_SERVICE_CRED_LEVEL_P &&
	    i != NS_LDAP_SERVICE_SEARCH_DESC_P &&
	    i != NS_LDAP_SERVER_PREF_P &&
	    i != NS_LDAP_SEARCH_DN_P) {
		if (configptr->paramList[i].ns_ptype != NS_UNKNOWN) {
			destroy_param(configptr, i);
		}
	}

	ret = __ns_ldap_setParamValue(configptr, i, value, error);
	return (ret);
}


/*
 * Initialize config to a default state
 * By default leave configuration empty
 * getParam will automatically get the
 * appropriate default value if none exists
 */

void
__ns_ldap_default_config()
{
	ns_config_t	*ptr;

	ptr = __s_api_create_config();
	if (ptr == NULL)
		return;

	set_curr_config(ptr);
	__s_api_release_config(ptr);
}

/*
 * Get the current configuration pointer and return it.
 * If necessary initialize or refresh the current
 * configuration as applicable. If global is set, returns
 * the global one.
 */

static ns_config_t *
loadrefresh_config(boolean_t global)
{
	ns_config_t		*cfg;
	ns_config_t		*new_cfg;
	ns_ldap_error_t		*errorp;

	/* We want to refresh only one configuration at a time */
	(void) mutex_lock(&ns_loadrefresh_lock);
	if (global == B_TRUE)
		cfg = __s_api_get_default_config_global();
	else
		cfg = __s_api_get_default_config();

	/* (re)initialize configuration if necessary */
	if (!__s_api_isStandalone() && timetorefresh(cfg)) {
		new_cfg = LoadCacheConfiguration(cfg, &errorp);
		if (new_cfg != NULL && new_cfg != cfg) {
			__s_api_release_config(cfg);
			if (global == B_TRUE)
				set_curr_config_global(new_cfg);
			else
				set_curr_config(new_cfg);
			cfg = new_cfg;
		}
		if (errorp != NULL)
			(void) __ns_ldap_freeError(&errorp);
	}
	(void) mutex_unlock(&ns_loadrefresh_lock);
	return (cfg);
}

/*
 * Get the current global configuration pointer and return it.
 * If necessary initialize or refresh the current
 * configuration as applicable.
 */

ns_config_t *
__s_api_loadrefresh_config_global()
{
	return (loadrefresh_config(B_TRUE));
}

/*
 * Get the current configuration pointer and return it.
 * If necessary initialize or refresh the current
 * configuration as applicable. The configuration may
 * be the global one or the per connection management one.
 */

ns_config_t *
__s_api_loadrefresh_config()
{
	return (loadrefresh_config(B_FALSE));
}

/*
 * In general this routine is not very usefull. Individual routines can be
 * created to do this job.  Once that is done, this function can be removed.
 * Size of errstr buffer needs to be MAXERROR.
 */
static ns_parse_status
verify_value(ns_config_t *cfg, char *name, char *value, char *errstr)
{
	ParamIndexType	index = 0;
	int		found = 0, j;
	char		*ptr = NULL, *strptr = NULL, buffer[BUFSIZE];
	char		*rest;
	ns_default_config	*def = NULL;

	if (__s_api_get_type(name, &index) != 0) {
		(void) snprintf(errstr, MAXERROR,
		    gettext("Unknown keyword encountered '%s'."), name);
		return (NS_PARSE_ERR);
	}

	def = get_defconfig(cfg, index);

	/* eat up beginning quote, if any */
	while (value != NULL && (*value == QUOTETOK || *value == SPACETOK))
		value++;

	/* eat up space/quote at end of value */
	if (strlen(value) > 0)
		ptr = value + strlen(value) - 1;
	else
		ptr = value;
	for (; ptr != value && (*ptr == SPACETOK || *ptr == QUOTETOK); ptr--) {
		*ptr = '\0';
	}

	switch (index) {
	case NS_LDAP_EXP_P:
	case NS_LDAP_CACHETTL_P:
	case NS_LDAP_CERT_PATH_P:
	case NS_LDAP_CERT_PASS_P:
	case NS_LDAP_CERT_NICKNAME_P:
	case NS_LDAP_BINDDN_P:
	case NS_LDAP_BINDPASSWD_P:
	case NS_LDAP_ADMIN_BINDDN_P:
	case NS_LDAP_ADMIN_BINDPASSWD_P:
	case NS_LDAP_DOMAIN_P:
	case NS_LDAP_SEARCH_BASEDN_P:
	case NS_LDAP_SEARCH_TIME_P:
	case NS_LDAP_PROFILE_P:
	case NS_LDAP_AUTH_P:
	case NS_LDAP_SEARCH_SCOPE_P:
	case NS_LDAP_CREDENTIAL_LEVEL_P:
	case NS_LDAP_SERVICE_SEARCH_DESC_P:
	case NS_LDAP_BIND_TIME_P:
	case NS_LDAP_ATTRIBUTEMAP_P:
	case NS_LDAP_OBJECTCLASSMAP_P:
	case NS_LDAP_SERVICE_AUTH_METHOD_P:
	case NS_LDAP_SERVICE_CRED_LEVEL_P:
	case NS_LDAP_HOST_CERTPATH_P:
		break;
	case NS_LDAP_SEARCH_DN_P:
		/* depreciated because of service descriptors */
		/* Parse as appropriate at descriptor create time */
		break;
	case NS_LDAP_FILE_VERSION_P:
		if (value != NULL &&
		    strcasecmp(value, NS_LDAP_VERSION_1) != 0 &&
		    strcasecmp(value, NS_LDAP_VERSION_2) != 0) {
			(void) snprintf(errstr, MAXERROR,
			    gettext("Version mismatch, expected "
			    "cache version '%s' or '%s' but "
			    "encountered version '%s'."),
			    NS_LDAP_VERSION_1,
			    NS_LDAP_VERSION_2, value);
				return (NS_PARSE_ERR);
		}
		break;
	case NS_LDAP_SERVERS_P:
	case NS_LDAP_SERVER_PREF_P:
		(void) strcpy(buffer, value);
		strptr = strtok_r(buffer, ",", &rest);
		while (strptr != NULL) {
			char	*tmp = NULL;
			tmp = stripdup(strptr);
			if (tmp == NULL || (strchr(tmp, ' ') != NULL)) {
				(void) snprintf(errstr, MAXERROR,
				    gettext("Invalid parameter values "
				    "'%s' specified for keyword '%s'."),
				    tmp, name);
				free(tmp);
				return (NS_PARSE_ERR);
			}
			free(tmp);
			strptr = strtok_r(NULL, ",", &rest);
		}
		break;
	default:
		found = 0; j = 0;
		while (def->allowed != NULL &&
		    def->allowed[j].name != NULL && j < DEFMAX) {
			if (strcmp(def->allowed[j].name,
			    value) == 0) {
				found = 1;
				break;
			}
			j++;
		}
		if (!found) {
			(void) snprintf(errstr, MAXERROR,
			    gettext("Invalid option specified for "
			    "'%s' keyword. '%s' is not a recognized "
			    "keyword value."), name, value);
			return (NS_PARSE_ERR);
		}
	}

	return (NS_SUCCESS);
}

void
__s_api_split_key_value(char *buffer, char **name, char **value)
{
	char	*ptr;

	*name = buffer;
	/* split into name value pair */
	if ((ptr = strchr(buffer, TOKENSEPARATOR)) != NULL) {
		*ptr = '\0';
		ptr++;
		/* trim whitespace */
		while (*ptr == SPACETOK)
			ptr++;
		*value = ptr;
	}
}

/*
 * Set a parameter value in a generic configuration structure
 * Assume any necessary locks are in place.  This routine would
 * be better named: __ns_ldap_translateString2Param
 *
 * This routine translates external string format into internal
 * param format and saves the result in the param table.
 */
int
__ns_ldap_setParamValue(ns_config_t *ptr, const ParamIndexType type,
		const void *data, ns_ldap_error_t **error)
{
	ns_default_config	*def = NULL;
	ns_param_t		conf;
	ns_mapping_t		*map, *rmap;
	int			i, j, len;
	char			*cp, *cp2, *end;
	char			*tcp = NULL;
	char			errstr[2 * MAXERROR];
	char			tbuf[100], *ptbuf;
	char			*sid, *origA, **mapA;
	char			**attr;
	time_t			tm;
	int 			free_memory, exitrc;
	char			**p;

	/* Find ParamIndexType default configuration data */
	def = get_defconfig(ptr, type);
	if (def == NULL) {
		(void) snprintf(errstr, sizeof (errstr),
		    gettext("Unable to set value: "
		    "invalid ParamIndexType (%d)"), type);
		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
		    NULL);
		return (NS_LDAP_CONFIG);
	}

	(void) memset(&conf, 0, sizeof (conf));

	/* data is actually const char */
	cp = (char *)data;

	/* eat up beginning quote, if any */
	while (cp && (*cp == QUOTETOK || *cp == SPACETOK))
		cp++;

	/* eat up space/quote at end of value */
	end = cp2 = cp + strlen(cp) - 1;
	for (; cp2 > cp && (*cp2 == SPACETOK || *cp2 == QUOTETOK); cp2--)
		;
	/* data is const, must duplicate */
	if (cp2 != end) {
		tcp = (char *)calloc((int)(cp2 - cp + 2), sizeof (char));
		if (tcp == NULL)
			return (NS_LDAP_MEMORY);
		end = cp2;
		cp2 = tcp;
		while (cp <= end) {
			*cp2++ = *cp++;
		}
		*cp2 = '\0';
		cp = tcp;
	}

	/* Parse data according to type */
	switch (def->data_type) {
	case INT:
		switch (def->index) {
		case NS_LDAP_PREF_ONLY_P:
		case NS_LDAP_SEARCH_REF_P:
		case NS_LDAP_SEARCH_SCOPE_P:
		case NS_LDAP_ENABLE_SHADOW_UPDATE_P:
			i = __s_get_enum_value(ptr, cp, def->index);
			if (i < 0) {
				(void) snprintf(errstr, sizeof (errstr),
				    gettext("Unable to set value: "
				    "invalid %s (%d)"), def->name,
				    def->index);
				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
				    strdup(errstr), NULL);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_CONFIG);
			}
			conf.ns_i = i;
			break;
		case NS_LDAP_TRANSPORT_SEC_P:	/* ignore TRANSPORT_SEC */
			break;
		default:
			cp2 = cp;
			if ((*cp2 == '+') || (*cp2 == '-'))
				cp2++;
			for (/* empty */; *cp2; cp2++) {
				if (isdigit(*cp2))
					continue;

				(void) snprintf(errstr, sizeof (errstr),
				    gettext("Unable to set value: "
				    "invalid %s (%d)"), def->name,
				    def->index);
				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
				    strdup(errstr), NULL);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_CONFIG);
			}
			i = atoi(cp);
			conf.ns_i = i;
			break;
		}
		break;
	case TIMET:
		/* Do nothing with a TIMET.  Initialize it below */
		break;
	case CHARPTR:
		conf.ns_pc = (char *)strdup(cp);
		if (conf.ns_pc == NULL) {
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		break;
	case SAMLIST:
		/* first check to see if colon (:) is there */
		if ((strchr(cp, COLONTOK)) == NULL) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to set value: "
			    "invalid serviceAuthenticationMethod (%s)"),
			    cp);
			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_CONFIG);
		}
		/* Appends an entry to the existing list */
		if (ptr->paramList[type].ns_ptype != SAMLIST) {
			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
			if (conf.ns_ppc == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = 1;
			conf.ns_ppc[0] = (char *)strdup(cp);
			if (conf.ns_ppc[0] == NULL) {
				free(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
		} else {
			char *dp, *dpend;
			int fnd = 0;

			/* Attempt to replace if possible */
			dpend = strchr(cp, COLONTOK);
			len = dpend - cp;
			dp = (char *)malloc(len+1);
			if (dp == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			(void) strlcpy(dp, cp, len+1);
			fnd = 0;
			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
				dpend = strchr(ptr->paramList[type].ns_ppc[j],
				    COLONTOK);
				if (dpend == NULL)
					continue;
				i = dpend - ptr->paramList[type].ns_ppc[j];
				if (i != len)
					continue;
				if (strncmp(ptr->paramList[type].ns_ppc[j],
				    dp, len) == 0) {
					conf.ns_acnt =
					    ptr->paramList[type].ns_acnt;
					conf.ns_ppc =
					    ptr->paramList[type].ns_ppc;
					ptr->paramList[type].ns_ppc = NULL;
					free(conf.ns_ppc[j]);
					conf.ns_ppc[j] = (char *)strdup(cp);
					if (conf.ns_ppc[j] == NULL) {
						free(dp);
						__s_api_free2dArray
						    (conf.ns_ppc);
						if (tcp != NULL)
							free(tcp);
						return (NS_LDAP_MEMORY);
					}
					fnd = 1;
					break;
				}
			}
			free(dp);

			if (fnd)
				break;	/* Replaced completed */

			/* Append */
			len = ptr->paramList[type].ns_acnt + 1;
			if (len > 1) {
				p = (char **)dupParam(&ptr->paramList[type]);
				if (p == NULL) {
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_MEMORY);
				}
			} else
				p = NULL;
			conf.ns_ppc =
			    (char **)realloc(p, (len+1) * sizeof (char *));
			if (conf.ns_ppc == NULL) {
				__s_api_free2dArray(p);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = len;
			conf.ns_ppc[len-1] = (char *)strdup(cp);
			if (conf.ns_ppc[len-1] == NULL) {
				__s_api_free2dArray(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_ppc[len] = NULL;
		}
		break;
	case SCLLIST:
		/* first check to see if colon (:) is there */
		if ((strchr(cp, COLONTOK)) == NULL) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to set value: "
			    "invalid serviceCredentialLevel (%s)"),
			    cp);
			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_CONFIG);
		}
		/* Appends an entry to the existing list */
		if (ptr->paramList[type].ns_ptype != SCLLIST) {
			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
			if (conf.ns_ppc == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = 1;
			conf.ns_ppc[0] = (char *)strdup(cp);
			if (conf.ns_ppc[0] == NULL) {
				free(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
		} else {
			char *dp, *dpend;
			int fnd = 0;

			/* Attempt to replace if possible */
			dpend = strchr(cp, COLONTOK);
			len = dpend - cp;
			dp = (char *)malloc(len+1);
			if (dp == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			(void) strlcpy(dp, cp, len+1);
			fnd = 0;
			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
				dpend = strchr(ptr->paramList[type].ns_ppc[j],
				    COLONTOK);
				if (dpend == NULL)
					continue;
				i = dpend - ptr->paramList[type].ns_ppc[j];
				if (i != len)
					continue;
				if (strncmp(ptr->paramList[type].ns_ppc[j],
				    dp, len) == 0) {
					conf.ns_acnt =
					    ptr->paramList[type].ns_acnt;
					conf.ns_ppc =
					    ptr->paramList[type].ns_ppc;
					ptr->paramList[type].ns_ppc = NULL;
					free(conf.ns_ppc[j]);
					conf.ns_ppc[j] = (char *)strdup(cp);
					if (conf.ns_ppc[j] == NULL) {
						free(dp);
						__s_api_free2dArray
						    (conf.ns_ppc);
						if (tcp != NULL)
							free(tcp);
						return (NS_LDAP_MEMORY);
					}
					fnd = 1;
					break;
				}
			}
			free(dp);

			if (fnd)
				break;	/* Replaced completed */

			/* Append */
			len = ptr->paramList[type].ns_acnt + 1;
			if (len > 1) {
				p = (char **)dupParam(&ptr->paramList[type]);
				if (p == NULL) {
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_MEMORY);
				}
			} else
				p = NULL;
			conf.ns_ppc =
			    (char **)realloc(p, (len+1) * sizeof (char *));
			if (conf.ns_ppc == NULL) {
				__s_api_free2dArray(p);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = len;
			conf.ns_ppc[len-1] = (char *)strdup(cp);
			if (conf.ns_ppc[len-1] == NULL) {
				__s_api_free2dArray(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_ppc[len] = NULL;
		}
		break;
	case SSDLIST:
		/*
		 * first check to see if colon (:) is there,
		 * if so, make sure the serviceId is specified,
		 * i.e., colon is not the first character
		 */
		if ((strchr(cp, COLONTOK)) == NULL || *cp == COLONTOK) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to set value: "
			    "invalid serviceSearchDescriptor (%s)"),
			    cp);
			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_CONFIG);
		}
		/* Appends an entry to the existing list */
		if (ptr->paramList[type].ns_ptype != SSDLIST) {
			conf.ns_ppc = (char **)calloc(2, sizeof (char *));
			if (conf.ns_ppc == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = 1;
			conf.ns_ppc[0] = (char *)strdup(cp);
			if (conf.ns_ppc[0] == NULL) {
				free(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
		} else {
			char *dp, *dpend;
			int fnd = 0;

			/* Attempt to replace if possible */
			dpend = strchr(cp, COLONTOK);
			len = dpend - cp;
			dp = (char *)malloc(len+1);
			if (dp == NULL) {
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			(void) strlcpy(dp, cp, len+1);
			fnd = 0;
			for (j = 0; j < ptr->paramList[type].ns_acnt; j++) {
				dpend = strchr(ptr->paramList[type].ns_ppc[j],
				    COLONTOK);
				if (dpend == NULL)
					continue;
				i = dpend - ptr->paramList[type].ns_ppc[j];
				if (i != len)
					continue;
				if (strncmp(ptr->paramList[type].ns_ppc[j],
				    dp, len) == 0) {
					conf.ns_acnt =
					    ptr->paramList[type].ns_acnt;
					conf.ns_ppc =
					    ptr->paramList[type].ns_ppc;
					ptr->paramList[type].ns_ppc = NULL;
					free(conf.ns_ppc[j]);
					conf.ns_ppc[j] = (char *)strdup(cp);
					if (conf.ns_ppc[j] == NULL) {
						free(dp);
						__s_api_free2dArray
						    (conf.ns_ppc);
						if (tcp != NULL)
							free(tcp);
						return (NS_LDAP_MEMORY);
					}
					fnd = 1;
					break;
				}
			}
			free(dp);

			if (fnd)
				break;	/* Replaced completed */

			/* Append */
			len = ptr->paramList[type].ns_acnt + 1;
			if (len > 1) {
				p = (char **)dupParam(&ptr->paramList[type]);
				if (p == NULL) {
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_MEMORY);
				}
			} else
				p = NULL;
			conf.ns_ppc =
			    (char **)realloc(p, (len+1) * sizeof (char *));
			if (conf.ns_ppc == NULL) {
				__s_api_free2dArray(p);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_acnt = len;
			conf.ns_ppc[len-1] = (char *)strdup(cp);
			if (conf.ns_ppc[len-1] == NULL) {
				__s_api_free2dArray(conf.ns_ppc);
				if (tcp != NULL)
					free(tcp);
				return (NS_LDAP_MEMORY);
			}
			conf.ns_ppc[len] = NULL;
		}
		break;
	case ARRAYCP:
		len = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == COMMATOK)
				len++;
		}
		if (cp != cp2)
			len++;
		if (len == 0) {
			conf.ns_ppc = (char **)NULL;
			conf.ns_acnt = 0;
			break;
		}
		conf.ns_ppc = (char **)calloc(len + 1, sizeof (char *));
		if (conf.ns_ppc == NULL) {
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		conf.ns_acnt = len;
		i = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == COMMATOK) {
				j = cp2 - cp + 1;
				conf.ns_ppc[i] = (char *)malloc(j + 1);
				if (conf.ns_ppc[i] == NULL) {
					__s_api_free2dArray(conf.ns_ppc);
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_MEMORY);
				}
				(void) strlcpy(conf.ns_ppc[i], cp, j);
				cp = cp2+1;
				while (*cp == SPACETOK || *cp == COMMATOK)
					cp++;
				cp2 = cp - 1;
				i++;
			}
		}
		j = cp2 - cp + 1;
		conf.ns_ppc[i] = (char *)malloc(j + 1);
		if (conf.ns_ppc[i] == NULL) {
			__s_api_free2dArray(conf.ns_ppc);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		(void) strlcpy(conf.ns_ppc[i], cp, j);
		break;
	case SERVLIST:
		len = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SPACETOK || *cp2 == COMMATOK) {
				len++;
				for (; *(cp2 + 1) == SPACETOK ||
				    *(cp2 +1) == COMMATOK; cp2++)
					;
			}
		}
		if (cp != cp2)
			len++;
		if (len == 0) {
			conf.ns_ppc = (char **)NULL;
			conf.ns_acnt = 0;
			break;
		}
		conf.ns_ppc = (char **)calloc(len + 1, sizeof (char *));
		if (conf.ns_ppc == NULL) {
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		conf.ns_acnt = len;
		i = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SPACETOK || *cp2 == COMMATOK) {
				j = cp2 - cp + 1;
				conf.ns_ppc[i] = (char *)malloc(j + 1);
				if (conf.ns_ppc[i] == NULL) {
					__s_api_free2dArray(conf.ns_ppc);
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_MEMORY);
				}
				(void) strlcpy(conf.ns_ppc[i], cp, j);
				cp = cp2+1;
				while (*cp == SPACETOK || *cp == COMMATOK)
					cp++;
				cp2 = cp - 1;
				i++;
			}
		}
		j = cp2 - cp + 1;
		conf.ns_ppc[i] = (char *)malloc(j + 1);
		if (conf.ns_ppc[i] == NULL) {
			__s_api_free2dArray(conf.ns_ppc);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		(void) strlcpy(conf.ns_ppc[i], cp, j);
		break;
	case ARRAYAUTH:
		len = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SEMITOK || *cp2 == COMMATOK)
				len++;
		}
		if (cp != cp2)
			len++;
		if (len == 0) {
			conf.ns_pi = (int *)NULL;
			conf.ns_acnt = 0;
			break;
		}
		conf.ns_pi = (int *)calloc(len + 1, sizeof (int));
		if (conf.ns_pi == NULL) {
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		conf.ns_acnt = len;
		i = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SEMITOK || *cp2 == COMMATOK) {
				j = cp2 - cp + 1;
				if (j > sizeof (tbuf)) {
					j = -1;
					ptbuf = cp;
				} else {
					(void) strlcpy(tbuf, cp, j);
					j = __s_get_enum_value(ptr, tbuf,
					    def->index);
					ptbuf = tbuf;
				}
				if (j < 0) {
					(void) snprintf(errstr, sizeof (errstr),
					    gettext("Unable to set value: "
					    "invalid "
					    "authenticationMethod (%s)"),
					    ptbuf);
					MKERROR(LOG_ERR, *error,
					    NS_CONFIG_SYNTAX,
					    strdup(errstr), NULL);
					free(conf.ns_pi);
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_CONFIG);
				}
				conf.ns_pi[i] = j;
				cp = cp2+1;
				i++;
			}
		}
		j = cp2 - cp + 1;
		if (j > sizeof (tbuf)) {
			j = -1;
			ptbuf = cp;
		} else {
			(void) strlcpy(tbuf, cp, j);
			j = __s_get_enum_value(ptr, tbuf, def->index);
			ptbuf = tbuf;
		}
		if (j < 0) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to set value: "
			    "invalid authenticationMethod (%s)"), ptbuf);
			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_CONFIG);
		}
		conf.ns_pi[i] = j;
		break;
	case ARRAYCRED:
		len = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SPACETOK)
				len++;
		}
		if (cp != cp2)
			len++;
		if (len == 0) {
			conf.ns_pi = (int *)NULL;
			conf.ns_acnt = 0;
			break;
		}
		conf.ns_pi = (int *)calloc(len + 1, sizeof (int));
		if (conf.ns_pi == NULL) {
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_MEMORY);
		}
		conf.ns_acnt = len;
		i = 0;
		for (cp2 = cp; *cp2; cp2++) {
			if (*cp2 == SPACETOK) {
				j = cp2 - cp + 1;
				if (j > sizeof (tbuf)) {
					j = -1;
					ptbuf = cp;
				} else {
					(void) strlcpy(tbuf, cp, j);
					j = __s_get_enum_value(ptr, tbuf,
					    def->index);
					ptbuf = tbuf;
				}
				if (j < 0) {
					(void) snprintf(errstr, sizeof (errstr),
					    gettext("Unable to set value: "
					    "invalid credentialLevel (%s)"),
					    ptbuf);
					MKERROR(LOG_ERR, *error,
					    NS_CONFIG_SYNTAX,
					    strdup(errstr), NULL);
					free(conf.ns_pi);
					if (tcp != NULL)
						free(tcp);
					return (NS_LDAP_CONFIG);
				}
				conf.ns_pi[i] = j;
				cp = cp2+1;
				i++;
			}
		}
		j = cp2 - cp + 1;
		if (j > sizeof (tbuf)) {
			j = -1;
			ptbuf = cp;
		} else {
			(void) strlcpy(tbuf, cp, j);
			j = __s_get_enum_value(ptr, tbuf, def->index);
			ptbuf = tbuf;
		}
		if (j < 0) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to set value: "
			    "invalid credentialLevel (%s)"), ptbuf);
			MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			if (tcp != NULL)
				free(tcp);
			return (NS_LDAP_CONFIG);
		}
		conf.ns_pi[i] = j;
		break;
	case ATTRMAP:
	case OBJMAP:
		i = __s_api_parse_map(cp, &sid, &origA, &mapA);
		if (i != NS_HASH_RC_SUCCESS) {
			if (i == NS_HASH_RC_NO_MEMORY) {
				exitrc = NS_LDAP_MEMORY;
			} else {
				(void) snprintf(errstr, sizeof (errstr),
				gettext("Unable to set value: "
				"invalid schema mapping (%s)"), cp);
				exitrc = NS_LDAP_CONFIG;
				MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX,
				    strdup(errstr), NULL);
			}
			if (tcp)
				free(tcp);
			return (exitrc);
		}

		/*
		 * Add reverse map first.
		 * There could be more than one.
		 */
		for (attr = mapA; *attr; attr++) {

			free_memory = 1;
			exitrc = NS_LDAP_MEMORY;

			rmap = (ns_mapping_t *)calloc(1,
			    sizeof (ns_mapping_t));
			if (rmap) {
				rmap->service = strdup(sid);
				if (rmap->service) {
					rmap->orig = strdup(*attr);
					if (rmap->orig) {
						rmap->map = (char **)calloc(2,
						    sizeof (char *));
						if (rmap->map) {
							(rmap->map)[0] =
							    strdup(origA);
							if ((rmap->map)[0])
								free_memory = 0;
						}
					}
				}
			}

			if (free_memory == 0) {
				if (def->data_type == ATTRMAP) {
					rmap->type = NS_ATTR_MAP;
					i = __s_api_add_map2hash(ptr,
					    NS_HASH_RAMAP, rmap);
				} else {
					rmap->type = NS_OBJ_MAP;
					i = __s_api_add_map2hash(ptr,
					    NS_HASH_ROMAP, rmap);
				}

				if (i != NS_HASH_RC_SUCCESS) {
					switch (i) {
					case NS_HASH_RC_CONFIG_ERROR:
						exitrc = NS_LDAP_INTERNAL;
						(void) snprintf(errstr,
						    sizeof (errstr),
						    gettext(
						    "Unable to set value: "
						    "no configuration info "
						    "for schema map "
						    "update (%s)"), cp);
						MKERROR(LOG_ERR, *error,
						    NS_LDAP_INTERNAL,
						    strdup(errstr),
						    NULL);
						break;
					case NS_HASH_RC_EXISTED:
						exitrc = NS_LDAP_CONFIG;
						(void) snprintf(errstr,
						    sizeof (errstr),
						    gettext(
						    "Unable to set value: "
						    "schema map "
						    "already existed for "
						    "(%s, %s)."),
						    *attr, origA);
						MKERROR(LOG_ERR, *error,
						    NS_CONFIG_SYNTAX,
						    strdup(errstr),
						    NULL);
						break;
					case NS_HASH_RC_NO_MEMORY:
						exitrc = NS_LDAP_MEMORY;
						break;
					}
					free_memory = 1;
				}
			}

			if (free_memory) {
				if (tcp)
					free(tcp);
				free(sid);
				free(origA);
				__s_api_free2dArray(mapA);
				if (rmap) {
					if (rmap->service)
						free(rmap->service);
					if (rmap->orig)
						free(rmap->orig);
					if (rmap->map) {
						if ((rmap->map)[0])
							free((rmap->map)[0]);
						free(rmap->map);
					}
					free(rmap);
				}
				return (exitrc);
			}
		}

		/*
		 * For performance gain,
		 * add a "schema mapping existed" indicator
		 * for the given service if not already added.
		 * This dummy map needs not be removed, if
		 * the next real map add operation fails.
		 * since the caller, e.g. ldap_cachemgr.
		 * should exit anyway.
		 */
		free_memory = 1;
		exitrc = NS_LDAP_MEMORY;

		map = (ns_mapping_t *)calloc(1,
		    sizeof (ns_mapping_t));
		if (map) {
			map->service = strdup(sid);
			if (map->service) {
				map->orig = strdup(
				    NS_HASH_SCHEMA_MAPPING_EXISTED);
				if (map->orig) {
					map->map = (char **)calloc(2,
					    sizeof (char *));
					if (map->map) {
						(map->map)[0] =
						    strdup(sid);
						if ((map->map)[0])
							free_memory = 0;
					}
				}
			}
		}

		if (free_memory == 0) {
			map->type = NS_ATTR_MAP;
			/*
			 * add to reverse map,
			 * so that "ldapclient list"
			 * would not show it
			 */
			i = __s_api_add_map2hash(ptr,
			    NS_HASH_RAMAP, map);

			/*
			 * ignore "map already existed" error,
			 * just need one per service.
			 * Need however to free memory allocated
			 * for map.
			 */
			if (i != NS_HASH_RC_SUCCESS &&
			    i != NS_HASH_RC_EXISTED) {
				switch (i) {
				case NS_HASH_RC_CONFIG_ERROR:
					exitrc = NS_LDAP_INTERNAL;
					(void) snprintf(errstr,
					    sizeof (errstr),
					    gettext(
					    "Unable to set value: "
					    "no configuration info "
					    "for schema map "
					    "update (%s)"), cp);
					MKERROR(LOG_ERR, *error,
					    NS_LDAP_INTERNAL,
					    strdup(errstr),
					    NULL);
					break;
				case NS_HASH_RC_NO_MEMORY:
					exitrc = NS_LDAP_MEMORY;
					break;
				}
				free_memory = 1;
			} else if (i == NS_HASH_RC_EXISTED) {
				if (map->service)
					free(map->service);
				if (map->orig)
					free(map->orig);
				if (map->map) {
					if ((map->map)[0])
						free((map->map)[0]);
					free(map->map);
				}
				free(map);
				map = NULL;
			}
		}

		if (free_memory) {
			if (tcp)
				free(tcp);
			free(sid);
			free(origA);
			__s_api_free2dArray(mapA);
			if (map) {
				if (map->service)
					free(map->service);
				if (map->orig)
					free(map->orig);
				if (map->map) {
					if ((map->map)[0])
						free((map->map)[0]);
					free(map->map);
				}
				free(map);
			}
			return (exitrc);
		}

		/*
		 * add the real schema map
		 */
		free_memory = 1;
		exitrc = NS_LDAP_MEMORY;
		map = (ns_mapping_t *)calloc(1, sizeof (ns_mapping_t));
		if (map) {
			map->service = sid;
			map->orig = origA;
			map->map = mapA;

			if (def->data_type == ATTRMAP) {
				map->type = NS_ATTR_MAP;
				i = __s_api_add_map2hash(ptr,
				    NS_HASH_AMAP, map);
			} else {
				map->type = NS_OBJ_MAP;
				i = __s_api_add_map2hash(ptr,
				    NS_HASH_OMAP, map);
			}

			if (i != NS_HASH_RC_SUCCESS) {
				switch (i) {
				case NS_HASH_RC_CONFIG_ERROR:
					exitrc = NS_LDAP_INTERNAL;
					(void) snprintf(errstr,
					    sizeof (errstr),
					    gettext(
					    "Unable to set value: "
					    "no configuration info "
					    "for schema map "
					    "update (%s)"), cp);
					MKERROR(LOG_ERR, *error,
					    NS_LDAP_INTERNAL,
					    strdup(errstr),
					    NULL);
					break;
				case NS_HASH_RC_EXISTED:
					exitrc = NS_LDAP_CONFIG;
					(void) snprintf(errstr,
					    sizeof (errstr),
					    gettext(
					    "Unable to set value: "
					    "schema map "
					    "already existed for "
					    "'%s'."), origA);
					MKERROR(LOG_ERR, *error,
					    NS_CONFIG_SYNTAX,
					    strdup(errstr),
					    NULL);
					break;
				case NS_HASH_RC_NO_MEMORY:
					exitrc = NS_LDAP_MEMORY;
					break;
				}
				free_memory = 1;
			} else
				free_memory = 0;
		}

		if (free_memory) {
			if (tcp)
				free(tcp);
			free(sid);
			free(origA);
			__s_api_free2dArray(mapA);
			if (map)
				free(map);
			return (exitrc);
		}

		break;
	default:
		/* This should never happen. */
		(void) snprintf(errstr, sizeof (errstr),
		    gettext("Unable to set value: invalid configuration "
		    "type (%d)"), def->data_type);
		MKERROR(LOG_ERR, *error, NS_CONFIG_SYNTAX, strdup(errstr),
		    NULL);
		if (tcp != NULL)
			free(tcp);
		return (NS_LDAP_CONFIG);
	}
	conf.ns_ptype = def->data_type;
	if (tcp != NULL)
		free(tcp);

	/* Individually written verify routines here can replace */
	/* verify_value.  Verify conf (data) as appropriate here */
	if (def->ns_verify != NULL) {
		if ((*def->ns_verify)(type, def, &conf, errstr) != NS_SUCCESS) {
			ns_param_t sav_conf;

			(void) snprintf(errstr, sizeof (errstr),
			    gettext("%s"), errstr);
			MKERROR(LOG_WARNING, *error, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);

			sav_conf = ptr->paramList[type];
			ptr->paramList[type] = conf;
			destroy_param(ptr, type);
			ptr->paramList[type] = sav_conf;

			return (NS_LDAP_CONFIG);
		}
	}

	/* post evaluate the data */

	/*
	 * if this is for setting a password,
	 * encrypt the password first.
	 * NOTE evalue() is smart and will just return
	 * the value passed if it is already encrypted.
	 *
	 * Init NS_LDAP_EXP_P here when CACHETTL is updated
	 */
	if (type == NS_LDAP_BINDPASSWD_P ||
	    type == NS_LDAP_ADMIN_BINDPASSWD_P) {
		cp = conf.ns_pc;
		cp2 = evalue((char *)cp);
		conf.ns_pc = cp2;
		free(cp);
		cp = NULL;
	} else if (type == NS_LDAP_FILE_VERSION_P) {
		ptr->version = NS_LDAP_V1;
		if (strcasecmp(conf.ns_pc, NS_LDAP_VERSION_2) == 0) {
			ptr->version = NS_LDAP_V2;
		}
	} else if (type == NS_LDAP_CACHETTL_P) {
		cp = conf.ns_pc;
		tm = conv_time(cp);
		ptr->paramList[NS_LDAP_EXP_P].ns_ptype = TIMET;
		if (tm != 0) {
			tm += time(NULL);
		}
		ptr->paramList[NS_LDAP_EXP_P].ns_tm = tm;
	}

	/* Everything checks out move new values into param */
	destroy_param(ptr, type);
	/* Assign new/updated value into paramList */
	ptr->paramList[type] = conf;

	return (NS_LDAP_SUCCESS);
}


/*
 * Set a parameter value in the 'config' configuration structure
 * Lock as appropriate
 */

int
__ns_ldap_setParam(const ParamIndexType type,
		const void *data, ns_ldap_error_t **error)
{
	ns_ldap_error_t		*errorp;
	int			ret;
	char			errstr[2 * MAXERROR];
	ns_config_t		*cfg;
	ns_config_t		*cfg_g = (ns_config_t *)-1;
	ns_config_t		*new_cfg;
	boolean_t		reinit_connmgmt = B_FALSE;

	/* We want to refresh only one configuration at a time */
	(void) mutex_lock(&ns_loadrefresh_lock);
	cfg = __s_api_get_default_config();

	if (cache_server == TRUE) {
		if (cfg == NULL) {
			__ns_ldap_default_config();
			cfg = __s_api_get_default_config();
			if (cfg == NULL) {
				(void) mutex_unlock(&ns_loadrefresh_lock);
				return (NS_LDAP_MEMORY);
			}
		}
	} else {
		/*
		 * This code always return error here on client side,
		 * this needs to change once libsldap is used by more
		 * applications that need to set parameters.
		 */
		(void) snprintf(errstr, sizeof (errstr),
		    gettext("Unable to set parameter from a client in "
		    "__ns_ldap_setParam()"));
		MKERROR(LOG_WARNING, *error, NS_CONFIG_SYNTAX, strdup(errstr),
		    NULL);
		if (cfg != NULL)
			__s_api_release_config(cfg);
		(void) mutex_unlock(&ns_loadrefresh_lock);
		return (NS_LDAP_CONFIG);
	}

	/* (re)initialize configuration if necessary */
	if (!__s_api_isStandalone() &&
	    cache_server == FALSE && timetorefresh(cfg))
		cfg_g = __s_api_get_default_config_global();
	/* only (re)initialize the global configuration */
	if (cfg == cfg_g) {
		if (cfg_g != NULL)
			__s_api_release_config(cfg_g);
		new_cfg = LoadCacheConfiguration(cfg, &errorp);
		if (new_cfg != cfg)
			__s_api_release_config(cfg);
		if (new_cfg == NULL) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to load configuration '%s' "
			    "('%s')."), NSCONFIGFILE,
			    errorp != NULL && errorp->message != NULL ?
			    errorp->message : "");
			MKERROR(LOG_WARNING, *error, NS_CONFIG_NOTLOADED,
			    strdup(errstr), NULL);
			if (errorp != NULL)
				(void) __ns_ldap_freeError(&errorp);
			(void) mutex_unlock(&ns_loadrefresh_lock);
			return (NS_LDAP_CONFIG);
		}
		if (new_cfg != cfg) {
			set_curr_config_global(new_cfg);
			cfg = new_cfg;
			reinit_connmgmt = B_TRUE;
		}
	}
	(void) mutex_unlock(&ns_loadrefresh_lock);

	if (reinit_connmgmt == B_TRUE)
		__s_api_reinit_conn_mgmt_new_config(cfg);

	/* translate input and save in the parameter list */
	ret = __ns_ldap_setParamValue(cfg, type, data, error);

	__s_api_release_config(cfg);

	return (ret);
}


/*
 * Make a copy of a parameter entry
 */

static void **
dupParam(ns_param_t *ptr)
{
	int		count, i;
	void		**dupdata, *ret;
	int		*intptr;
	char		*cp, tmbuf[32];
	static time_t	expire = 0;
	ns_auth_t	*ap;

	switch (ptr->ns_ptype) {
	case ARRAYAUTH:
	case ARRAYCRED:
	case SAMLIST:
	case SCLLIST:
	case SSDLIST:
	case SERVLIST:
	case ARRAYCP:
		count = ptr->ns_acnt;
		if (count == 0)
			return (NULL);
		break;
	case CHARPTR:
	case INT:
	case TIMET:
		count = 1;
	}

	dupdata = (void **)calloc((count + 1), sizeof (void *));
	if (dupdata == NULL)
		return (NULL);

	switch (ptr->ns_ptype) {
	case ARRAYAUTH:
		for (i = 0; i < count; i++) {
			ap = __s_api_AuthEnumtoStruct(
			    (EnumAuthType_t)ptr->ns_pi[i]);
			if (ap == NULL) {
				free(dupdata);
				return (NULL);
			}
			dupdata[i] = ap;
		}
		break;
	case ARRAYCRED:
		for (i = 0; i < count; i++) {
			intptr = (int *)malloc(sizeof (int));
			if (intptr == NULL) {
				free(dupdata);
				return (NULL);
			}
			dupdata[i] = (void *)intptr;
			*intptr = ptr->ns_pi[i];
		}
		break;
	case SAMLIST:
	case SCLLIST:
	case SSDLIST:
	case SERVLIST:
	case ARRAYCP:
		for (i = 0; i < count; i++) {
			ret = (void *)strdup(ptr->ns_ppc[i]);
			if (ret == NULL) {
				free(dupdata);
				return (NULL);
			}
			dupdata[i] = ret;
		}
		break;
	case CHARPTR:
		if (ptr->ns_pc == NULL) {
			free(dupdata);
			return (NULL);
		}
		ret = (void *)strdup(ptr->ns_pc);
		if (ret == NULL) {
			free(dupdata);
			return (NULL);
		}
		dupdata[0] = ret;
		break;
	case INT:
		intptr = (int *)malloc(sizeof (int));
		if (intptr == NULL) {
			free(dupdata);
			return (NULL);
		}
		*intptr = ptr->ns_i;
		dupdata[0] = (void *)intptr;
		break;
	case TIMET:
		expire = ptr->ns_tm;
		tmbuf[31] = '\0';
		cp = lltostr((long)expire, &tmbuf[31]);
		ret = (void *)strdup(cp);
		if (ret == NULL) {
			free(dupdata);
			return (NULL);
		}
		dupdata[0] = ret;
		break;
	}
	return (dupdata);
}

int
__ns_ldap_freeParam(void ***data)
{
	void	**tmp;
	int	i = 0;

	if (*data == NULL)
		return (NS_LDAP_SUCCESS);

	for (i = 0, tmp = *data; tmp[i] != NULL; i++)
		free(tmp[i]);

	free(*data);

	*data = NULL;

	return (NS_LDAP_SUCCESS);
}

/*
 * Get the internal format for a parameter value.  This
 * routine makes a copy of an internal param value from
 * the currently active parameter list and returns it.
 */

int
__ns_ldap_getParam(const ParamIndexType Param,
		void ***data, ns_ldap_error_t **error)
{
	char			errstr[2 * MAXERROR];
	ns_ldap_error_t		*errorp;
	ns_default_config	*def;
	ns_config_t		*cfg;
	ns_config_t		*cfg_g = (ns_config_t *)-1;
	ns_config_t		*new_cfg;
	boolean_t		reinit_connmgmt = B_FALSE;

	if (data == NULL)
		return (NS_LDAP_INVALID_PARAM);

	*data = NULL;

	/* We want to refresh only one configuration at a time */
	(void) mutex_lock(&ns_loadrefresh_lock);
	cfg = __s_api_get_default_config();

	/* (re)initialize configuration if necessary */
	if (!__s_api_isStandalone() &&
	    cache_server == FALSE && timetorefresh(cfg))
		cfg_g = __s_api_get_default_config_global();
	/* only (re)initialize the global configuration */
	if (cfg == cfg_g) {
		if (cfg_g != NULL)
			__s_api_release_config(cfg_g);
		new_cfg = LoadCacheConfiguration(cfg, &errorp);
		if (new_cfg != cfg)
			__s_api_release_config(cfg);
		if (new_cfg == NULL) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Unable to load configuration "
			    "'%s' ('%s')."),
			    NSCONFIGFILE,
			    errorp != NULL && errorp->message != NULL ?
			    errorp->message : "");
			MKERROR(LOG_WARNING, *error, NS_CONFIG_NOTLOADED,
			    strdup(errstr), NULL);
			if (errorp != NULL)
				(void) __ns_ldap_freeError(&errorp);
			(void) mutex_unlock(&ns_loadrefresh_lock);
			return (NS_LDAP_CONFIG);
		}
		if (new_cfg != cfg) {
			set_curr_config_global(new_cfg);
			cfg = new_cfg;
			reinit_connmgmt = B_TRUE;
		}
	}
	(void) mutex_unlock(&ns_loadrefresh_lock);

	if (reinit_connmgmt == B_TRUE)
		__s_api_reinit_conn_mgmt_new_config(cfg);

	if (cfg == NULL) {
		(void) snprintf(errstr, sizeof (errstr),
		    gettext("No configuration information available."));
		MKERROR(LOG_ERR, *error, NS_CONFIG_NOTLOADED,
		    strdup(errstr), NULL);
		return (NS_LDAP_CONFIG);
	}

	if (Param == NS_LDAP_DOMAIN_P) {
		*data = (void **)calloc(2, sizeof (void *));
		if (*data == NULL) {
			__s_api_release_config(cfg);
			return (NS_LDAP_MEMORY);
		}
		(*data)[0] = (void *)strdup(cfg->domainName);
		if ((*data)[0] == NULL) {
			free(*data);
			__s_api_release_config(cfg);
			return (NS_LDAP_MEMORY);
		}
	} else if (cfg->paramList[Param].ns_ptype == NS_UNKNOWN) {
		/* get default */
		def = get_defconfig(cfg, Param);
		if (def != NULL)
			*data = dupParam(&def->defval);
	} else {
		*data = dupParam(&(cfg->paramList[Param]));
	}
	__s_api_release_config(cfg);

	return (NS_LDAP_SUCCESS);
}

/*
 * This routine takes a parameter in internal format and
 * translates it into a variety of string formats for various
 * outputs (doors/file/ldif).  This routine would be better
 * named: __ns_ldap_translateParam2String
 */

char *
__s_api_strValue(ns_config_t *cfg, ParamIndexType index, ns_strfmt_t fmt)
{
	ns_default_config *def = NULL;
	ns_param_t	*ptr;
	ns_hash_t	*hptr;
	ns_mapping_t	*mptr;
	char		ibuf[14];
	char		abuf[64], **cpp;
	int		count, i;
	boolean_t	first = B_TRUE;
	LineBuf		lbuf;
	LineBuf		*buffer = &lbuf;
	char		*retstring;
	char		*sepstr;

	if (cfg == NULL)
		return (NULL);

	/* NS_LDAP_EXP and TRANSPORT_SEC are not exported externally */
	if (index == NS_LDAP_EXP_P || index == NS_LDAP_TRANSPORT_SEC_P)
		return (NULL);

	/* Return nothing if the value is the default */
	if (cfg->paramList[index].ns_ptype == NS_UNKNOWN)
		return (NULL);

	(void) memset((char *)buffer, 0, sizeof (LineBuf));

	ptr = &(cfg->paramList[index]);

	abuf[0] = '\0';

	/* get default */
	def = get_defconfig(cfg, index);
	if (def == NULL)
		return (NULL);

	switch (fmt) {
	case NS_DOOR_FMT:
		(void) strlcpy(abuf, def->name, sizeof (abuf));
		(void) strlcat(abuf, EQUALSEP, sizeof (abuf));
		break;
	case NS_FILE_FMT:
		(void) strlcpy(abuf, def->name, sizeof (abuf));
		(void) strlcat(abuf, EQUSPSEP, sizeof (abuf));
		break;
	case NS_LDIF_FMT:
		/* If no LDIF attr exists ignore the entry */
		if (def->profile_name == NULL)
			return (NULL);
		(void) strlcpy(abuf, def->profile_name, sizeof (abuf));
		(void) strlcat(abuf, COLSPSEP, sizeof (abuf));
		break;
	default:
		break;
	}

	if (__print2buf(buffer, abuf, NULL))
		goto strValueError;

	switch (ptr->ns_ptype) {
	case ARRAYAUTH:
		count = ptr->ns_acnt;
		for (i = 0; i < count; i++) {
			sepstr = NULL;
			if (i != count-1) {
				if (cfg->version == NS_LDAP_V1) {
					sepstr = COMMASEP;
				} else {
					sepstr = SEMISEP;
				}
			}
			if (__print2buf(buffer, __s_get_auth_name(cfg,
			    (AuthType_t)(ptr->ns_pi[i])), sepstr))
				goto strValueError;
		}
		break;
	case ARRAYCRED:
		count = ptr->ns_acnt;
		for (i = 0; i < count; i++) {
			sepstr = NULL;
			if (i != count-1) {
				sepstr = SPACESEP;
			}
			if (__print2buf(buffer, __s_get_credlvl_name(cfg,
			    (CredLevel_t)ptr->ns_pi[i]), sepstr))
				goto strValueError;
		}
		break;
	case SAMLIST:
	case SCLLIST:
	case SSDLIST:
		count = ptr->ns_acnt;
		for (i = 0; i < count; i++) {
			if (__print2buf(buffer, ptr->ns_ppc[i], NULL))
				goto strValueError;

			if (i == count-1)
				continue;

			/* Separate items */
			switch (fmt) {
			case NS_DOOR_FMT:
				if (__print2buf(buffer, DOORLINESEP, NULL) ||
				    __print2buf(buffer, def->name, EQUALSEP))
					goto strValueError;
				break;
			case NS_FILE_FMT:
				if (__print2buf(buffer, "\n", NULL) ||
				    __print2buf(buffer, def->name, EQUSPSEP))
					goto strValueError;
				break;
			case NS_LDIF_FMT:
				if (__print2buf(buffer, "\n", NULL) ||
				    __print2buf(buffer, def->profile_name,
				    COLSPSEP))
					goto strValueError;
				break;
			}
		}
		break;
	case ARRAYCP:
		count = ptr->ns_acnt;
		for (i = 0; i < count; i++) {
			sepstr = NULL;
			if (i != count-1) {
				sepstr = COMMASEP;
			}
			if (__print2buf(buffer, ptr->ns_ppc[i], sepstr))
				goto strValueError;
		}
		break;
	case SERVLIST:
		count = ptr->ns_acnt;
		for (i = 0; i < count; i++) {
			sepstr = NULL;
			if (i != count-1) {
				if (fmt == NS_LDIF_FMT) {
					sepstr = SPACESEP;
				} else {
					sepstr = COMMASEP;
				}
			}
			if (__print2buf(buffer, ptr->ns_ppc[i], sepstr))
				goto strValueError;
		}
		break;
	case CHARPTR:
		if (ptr->ns_pc == NULL)
			break;
		if (__print2buf(buffer, ptr->ns_pc, NULL))
			goto strValueError;
		break;
	case INT:
		switch (def->index) {
		case NS_LDAP_PREF_ONLY_P:
			if (__print2buf(buffer,
			    __s_get_pref_name((PrefOnly_t)ptr->ns_i), NULL))
				goto strValueError;
			break;
		case NS_LDAP_SEARCH_REF_P:
			if (__print2buf(buffer, __s_get_searchref_name(cfg,
			    (SearchRef_t)ptr->ns_i), NULL))
				goto strValueError;
			break;
		case NS_LDAP_SEARCH_SCOPE_P:
			if (__print2buf(buffer,  __s_get_scope_name(cfg,
			    (ScopeType_t)ptr->ns_i), NULL))
				goto strValueError;
			break;
		case NS_LDAP_ENABLE_SHADOW_UPDATE_P:
			if (__print2buf(buffer, __s_get_shadowupdate_name(
			    (enableShadowUpdate_t)ptr->ns_i), NULL))
				goto strValueError;
			break;
		default:
			(void) snprintf(ibuf, sizeof (ibuf),
			    "%d", ptr->ns_i);
			if (__print2buf(buffer, ibuf, NULL))
				goto strValueError;
			break;
		}
		break;
	case ATTRMAP:
		for (hptr = cfg->llHead; hptr; hptr = hptr->h_llnext) {
			if (hptr->h_type != NS_HASH_AMAP) {
				continue;
			}
			if (!first) {
				/* print abuf as "separator" */
				if (fmt == NS_DOOR_FMT) {
					if (__print2buf(buffer, DOORLINESEP,
					    abuf))
						goto strValueError;
				} else {
					if (__print2buf(buffer, "\n", abuf))
						goto strValueError;
				}
			}
			mptr = hptr->h_map;
			if (__print2buf(buffer, mptr->service, COLONSEP) ||
			    __print2buf(buffer, mptr->orig, EQUALSEP))
				goto strValueError;
			for (cpp = mptr->map; cpp && *cpp; cpp++) {
				/* print *cpp as "separator" */
				sepstr = "";
				if (cpp != mptr->map)
					sepstr = SPACESEP;
				if (__print2buf(buffer, sepstr, *cpp))
					goto strValueError;
			}
			first = B_FALSE;
		}
		break;
	case OBJMAP:
		for (hptr = cfg->llHead; hptr; hptr = hptr->h_llnext) {
			if (hptr->h_type != NS_HASH_OMAP) {
				continue;
			}
			if (!first) {
				/* print abuf as "separator" */
				if (fmt == NS_DOOR_FMT) {
					if (__print2buf(buffer, DOORLINESEP,
					    abuf))
						goto strValueError;
				} else {
					if (__print2buf(buffer, "\n", abuf))
						goto strValueError;
				}
			}
			mptr = hptr->h_map;
			if (__print2buf(buffer, mptr->service, COLONSEP) ||
			    __print2buf(buffer, mptr->orig, EQUALSEP))
				goto strValueError;
			for (cpp = mptr->map; cpp && *cpp; cpp++) {
				/* print *cpp as "separator" */
				sepstr = "";
				if (cpp != mptr->map)
					sepstr = SPACESEP;
				if (__print2buf(buffer, sepstr, *cpp))
					goto strValueError;
			}
			first = B_FALSE;
		}
		break;
	}

	retstring = buffer->str;
	return (retstring);

strValueError:
	if (buffer->len > 0)
		free(buffer->str);
	return (NULL);
}

/* shared by __door_getldapconfig() and __door_getadmincred() */
int
__door_getconf(char **buffer, int *buflen, ns_ldap_error_t **error,
		    int callnumber)
{
	typedef union {
		ldap_data_t	s_d;
		char		s_b[DOORBUFFERSIZE];
	} space_t;
	space_t			*space;

	ldap_data_t		*sptr;
	int			ndata;
	int			adata;
	char			errstr[MAXERROR];
	char			*domainname;
	ns_ldap_return_code	retCode;
	ldap_config_out_t	*cfghdr;

	*error = NULL;

	domainname = __getdomainname();
	if (domainname == NULL || buffer == NULL || buflen == NULL ||
	    (strlen(domainname) >= (sizeof (space_t)
	    - sizeof (space->s_d.ldap_call.ldap_callnumber)))) {
		return (NS_LDAP_OP_FAILED);
	}

	space = (space_t *)calloc(1, sizeof (space_t));
	if (space == NULL)
		return (NS_LDAP_MEMORY);

	adata = (sizeof (ldap_call_t) + strlen(domainname) +1);
	ndata = sizeof (space_t);
	space->s_d.ldap_call.ldap_callnumber = callnumber;
	(void) strcpy(space->s_d.ldap_call.ldap_u.domainname, domainname);
	free(domainname);
	domainname = NULL;
	sptr = &space->s_d;

	switch (__ns_ldap_trydoorcall(&sptr, &ndata, &adata)) {
	case NS_CACHE_SUCCESS:
		break;
	case NS_CACHE_NOTFOUND:
		(void) snprintf(errstr, sizeof (errstr),
		    gettext("Door call to "
		    "ldap_cachemgr failed - error: %d."),
		    space->s_d.ldap_ret.ldap_errno);
		MKERROR(LOG_WARNING, *error, NS_CONFIG_CACHEMGR,
		    strdup(errstr), NULL);
		free(space);
		return (NS_LDAP_OP_FAILED);
	default:
		free(space);
		return (NS_LDAP_OP_FAILED);
	}

	retCode = NS_LDAP_SUCCESS;

	/* copy info from door call to buffer here */
	cfghdr = &sptr->ldap_ret.ldap_u.config_str;
	*buflen = offsetof(ldap_config_out_t, config_str) +
	    cfghdr->data_size + 1;
	*buffer = calloc(*buflen, sizeof (char));
	if (*buffer == NULL) {
		retCode = NS_LDAP_MEMORY;
	} else
		(void) memcpy(*buffer, cfghdr, *buflen - 1);

	if (sptr != &space->s_d) {
		(void) munmap((char *)sptr, ndata);
	}
	free(space);

	return (retCode);
}

static int
__door_getldapconfig(char **buffer, int *buflen, ns_ldap_error_t **error)
{
	return (__door_getconf(buffer, buflen, error, GETLDAPCONFIGV1));
}

/*
 * SetDoorInfoToUnixCred parses ldapcachemgr configuration information
 * for Admin credentials.
 */
int
SetDoorInfoToUnixCred(char *buffer, ns_ldap_error_t **errorp,
	UnixCred_t **cred)
{
	UnixCred_t	*ptr;
	char		errstr[MAXERROR];
	char		*name, *value, valbuf[BUFSIZE];
	char		*bufptr = buffer;
	char		*strptr;
	char		*rest;
	ParamIndexType	index = 0;
	ldap_config_out_t	*cfghdr;

	if (errorp == NULL || cred == NULL || *cred == NULL)
		return (NS_LDAP_INVALID_PARAM);
	*errorp = NULL;

	ptr = *cred;

	cfghdr = (ldap_config_out_t *)bufptr;
	bufptr = (char *)cfghdr->config_str;

	strptr = (char *)strtok_r(bufptr, DOORLINESEP, &rest);
	for (; ; ) {
		if (strptr == NULL)
			break;
		(void) strlcpy(valbuf, strptr, sizeof (valbuf));
		__s_api_split_key_value(valbuf, &name, &value);
		if (__ns_ldap_getParamType(name, &index) != 0) {
			(void) snprintf(errstr, MAXERROR,
			    gettext("SetDoorInfoToUnixCred: "
			    "Unknown keyword encountered '%s'."), name);
			MKERROR(LOG_ERR, *errorp, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			return (NS_LDAP_CONFIG);
		}
		switch (index) {
		case NS_LDAP_ADMIN_BINDDN_P:
			ptr->userID = (char *)strdup(value);
			break;
		case NS_LDAP_ADMIN_BINDPASSWD_P:
			ptr->passwd = (char *)strdup(value);
			break;
		default:
			(void) snprintf(errstr, MAXERROR,
			    gettext("SetDoorInfoToUnixCred: "
			    "Unknown index encountered '%d'."), index);
			MKERROR(LOG_ERR, *errorp, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
			return (NS_LDAP_CONFIG);
		}
		strptr = (char *)strtok_r(NULL, DOORLINESEP, &rest);
	}

	return (NS_LDAP_SUCCESS);
}

/*
 * SetDoorInfo parses ldapcachemgr configuration information
 * and verifies that the profile is version 1 or version 2 based.
 * version 2 profiles must have a version number as the first profile
 * attribute in the configuration.
 */
static ns_config_t *
SetDoorInfo(char *buffer, ns_ldap_error_t **errorp)
{
	ns_config_t	*ptr;
	char		errstr[MAXERROR], errbuf[MAXERROR];
	char		*name, *value, valbuf[BUFSIZE];
	char		*strptr;
	char		*rest;
	char		*bufptr = buffer;
	ParamIndexType	i;
	int		ret;
	int		first = 1;
	int		errfnd = 0;
	ldap_config_out_t *cfghdr;

	if (errorp == NULL)
		return (NULL);
	*errorp = NULL;

	ptr = __s_api_create_config();
	if (ptr == NULL) {
		return (NULL);
	}

	/* get config cookie from the header */
	cfghdr = (ldap_config_out_t *)bufptr;
	ptr->config_cookie = cfghdr->cookie;
	bufptr = (char *)cfghdr->config_str;

	strptr = (char *)strtok_r(bufptr, DOORLINESEP, &rest);
	for (; ; ) {
		if (strptr == NULL)
			break;
		(void) strlcpy(valbuf, strptr, sizeof (valbuf));
		__s_api_split_key_value(valbuf, &name, &value);
		/* Use get_versiontype and check for V1 vs V2 prototypes */
		if (__s_api_get_versiontype(ptr, name, &i) < 0) {
			(void) snprintf(errstr, sizeof (errstr),
			    "%s (%s)\n",
			    gettext("Illegal profile entry "
			    "line in configuration."),
			    name);
			errfnd++;
		/* Write verify routines and get rid of verify_value here */
		} else if (verify_value(ptr, name,
		    value, errbuf) != NS_SUCCESS) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("%s\n"), errbuf);
			errfnd++;
		} else if (!first && i == NS_LDAP_FILE_VERSION_P) {
			(void) snprintf(errstr, sizeof (errstr),
			    gettext("Illegal NS_LDAP_FILE_VERSION "
			    "line in configuration.\n"));
			errfnd++;
		}
		if (errfnd) {
			MKERROR(LOG_ERR, *errorp, NS_CONFIG_SYNTAX,
			    strdup(errstr), NULL);
		} else {
			ret = set_default_value(ptr, name, value, errorp);
		}
		if (errfnd || ret != NS_SUCCESS) {
			__s_api_destroy_config(ptr);
			return (NULL);
		}
		first = 0;

		strptr = (char *)strtok_r(NULL, DOORLINESEP, &rest);
	}

	if (__s_api_crosscheck(ptr, errstr, B_TRUE) != NS_SUCCESS) {
		__s_api_destroy_config(ptr);
		MKERROR(LOG_WARNING, *errorp, NS_CONFIG_SYNTAX, strdup(errstr),
		    NULL);
		return (NULL);
	}

	return (ptr);
}

static ns_config_t *
LoadCacheConfiguration(ns_config_t *oldcfg, ns_ldap_error_t **error)
{
	char		*buffer = NULL;
	int		buflen = 0;
	int		ret;
	ns_config_t	*cfg;
	ldap_config_out_t *cfghdr;
	ldap_get_chg_cookie_t old_cookie;
	ldap_get_chg_cookie_t new_cookie;

	*error = NULL;
	ret = __door_getldapconfig(&buffer, &buflen, error);

	if (ret != NS_LDAP_SUCCESS) {
		if (*error != NULL && (*error)->message != NULL)
			syslog(LOG_WARNING, "libsldap: %s", (*error)->message);
		return (NULL);
	}

	/* No need to reload configuration if config cookie is the same */
	cfghdr = (ldap_config_out_t *)buffer;
	new_cookie = cfghdr->cookie;
	if (oldcfg != NULL)
		old_cookie = oldcfg->config_cookie;

	if (oldcfg != NULL && old_cookie.mgr_pid == new_cookie.mgr_pid &&
	    old_cookie.seq_num == new_cookie.seq_num) {
		free(buffer);
		return (oldcfg);
	}

	/* now convert from door format */
	cfg = SetDoorInfo(buffer, error);
	free(buffer);

	if (cfg == NULL && *error != NULL && (*error)->message != NULL)
		syslog(LOG_WARNING, "libsldap: %s", (*error)->message);
	return (cfg);
}

/*
 * converts the time string into seconds.  The time string can be specified
 * using one of the following time units:
 * 	#s (# of seconds)
 *	#m (# of minutes)
 *	#h (# of hours)
 *	#d (# of days)
 *	#w (# of weeks)
 * NOTE: you can only specify one the above.  No combination of the above
 * units is allowed.  If no unit specified, it will default to "seconds".
 */
static time_t
conv_time(char *s)
{
	time_t t;
	char c;
	int l, m;
	long tot;

	l = strlen(s);
	if (l == 0)
		return (0);
	c = s[--l];
	m = 0;
	switch (c) {
	case 'w': /* weeks */
		m = 604800;
		break;
	case 'd': /* days */
		m = 86400;
		break;
	case 'h': /* hours */
		m = 3600;
		break;
	case 'm': /* minutes */
		m = 60;
		break;
	case 's': /* seconds */
		m = 1;
		break;
	/* the default case is set to "second" */
	}
	if (m != 0)
		s[l] = '\0';
	else
		m = 1;
	errno = 0;
	tot = atol(s);
	if ((0 == tot) && (EINVAL == errno))
		return (0);
	if (((LONG_MAX == tot) || (LONG_MIN == tot)) && (EINVAL == errno))
		return (0);

	tot = tot * m;
	t = (time_t)tot;
	return (t);
}


ns_auth_t *
__s_api_AuthEnumtoStruct(const EnumAuthType_t i)
{
	ns_auth_t *ap;

	ap = (ns_auth_t *)calloc(1, sizeof (ns_auth_t));
	if (ap == NULL)
		return (NULL);
	switch (i) {
		case NS_LDAP_EA_NONE:
			break;
		case NS_LDAP_EA_SIMPLE:
			ap->type = NS_LDAP_AUTH_SIMPLE;
			break;
		case NS_LDAP_EA_SASL_CRAM_MD5:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_CRAM_MD5;
			break;
		case NS_LDAP_EA_SASL_DIGEST_MD5:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			break;
		case NS_LDAP_EA_SASL_DIGEST_MD5_INT:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			ap->saslopt = NS_LDAP_SASLOPT_INT;
			break;
		case NS_LDAP_EA_SASL_DIGEST_MD5_CONF:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			ap->saslopt = NS_LDAP_SASLOPT_PRIV;
			break;
		case NS_LDAP_EA_SASL_EXTERNAL:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_EXTERNAL;
			break;
		case NS_LDAP_EA_SASL_GSSAPI:
			ap->type = NS_LDAP_AUTH_SASL;
			ap->saslmech = NS_LDAP_SASL_GSSAPI;
			ap->saslopt = NS_LDAP_SASLOPT_INT |
			    NS_LDAP_SASLOPT_PRIV;
			break;
		case NS_LDAP_EA_TLS_NONE:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_NONE;
			break;
		case NS_LDAP_EA_TLS_SIMPLE:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SIMPLE;
			break;
		case NS_LDAP_EA_TLS_SASL_CRAM_MD5:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SASL;
			ap->saslmech = NS_LDAP_SASL_CRAM_MD5;
			break;
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			break;
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_INT:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			ap->saslopt = NS_LDAP_SASLOPT_INT;
			break;
		case NS_LDAP_EA_TLS_SASL_DIGEST_MD5_CONF:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SASL;
			ap->saslmech = NS_LDAP_SASL_DIGEST_MD5;
			ap->saslopt = NS_LDAP_SASLOPT_PRIV;
			break;
		case NS_LDAP_EA_TLS_SASL_EXTERNAL:
			ap->type = NS_LDAP_AUTH_TLS;
			ap->tlstype = NS_LDAP_TLS_SASL;
			ap->saslmech = NS_LDAP_SASL_EXTERNAL;
			break;
		default:
			/* should never get here */
			free(ap);
			return (NULL);
	}
	return (ap);
}


/*
 * Parameter Index Type validation routines
 */

/* Validate a positive integer */
/* Size of errbuf needs to be MAXERROR */
/* ARGSUSED */
static int
__s_val_postime(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf)
{
	char	*cp;
	long	tot;

	if (param && param->ns_ptype == CHARPTR && param->ns_pc) {
		for (cp = param->ns_pc; cp && *cp; cp++) {
			if (*cp >= '0' && *cp <= '9')
				continue;
			switch (*cp) {
			case 'w': /* weeks */
			case 'd': /* days */
			case 'h': /* hours */
			case 'm': /* minutes */
			case 's': /* seconds */
				if (*(cp+1) == '\0') {
					break;
				}
			default:
				(void) strcpy(errbuf, "Illegal time value");
				return (NS_PARSE_ERR);
			}
		}
		/* Valid form:  [0-9][0-9]*[wdhms]* */
		tot = atol(param->ns_pc);	/* check overflow */
		if (tot >= 0)
			return (NS_SUCCESS);
	}
	(void) snprintf(errbuf, MAXERROR,
	    gettext("Illegal time value in %s"), def->name);
	return (NS_PARSE_ERR);
}


/* Validate the Base DN */
/* It can be empty (RootDSE request) or needs to have an '=' */
/* Size of errbuf needs to be MAXERROR */
/* ARGSUSED */
static int
__s_val_basedn(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf)
{
	if (param && param->ns_ptype == CHARPTR &&
	    i == NS_LDAP_SEARCH_BASEDN_P &&
	    ((param->ns_pc == NULL) || 		/* empty */
	    (*(param->ns_pc) == '\0') ||		/* empty */
	    (strchr(param->ns_pc, '=') != NULL)))	/* '=' */
	{
		return (NS_SUCCESS);
	}
	(void) snprintf(errbuf, MAXERROR,
	    gettext("Non-existent or invalid DN in %s"),
	    def->name);
	return (NS_PARSE_ERR);
}


/* Validate the serverList */
/* For each server in list, check if valid IP or hostname */
/* Size of errbuf needs to be MAXERROR */
/* ARGSUSED */
static int
__s_val_serverList(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf)
{
	for (i = 0; i < param->ns_acnt; i++) {
		if ((__s_api_isipv4(param->ns_ppc[i])) ||
		    (__s_api_isipv6(param->ns_ppc[i])) ||
		    (__s_api_ishost(param->ns_ppc[i]))) {
			continue;
		}
		/* err */
		(void) snprintf(errbuf, MAXERROR,
		    gettext("Invalid server (%s) in %s"),
		    param->ns_ppc[i], def->name);
		return (NS_PARSE_ERR);
	}

	return (NS_SUCCESS);
}


/* Check for a BINDDN */
/* It can not be empty and needs to have an '=' */
/* Size of errbuf needs to be MAXERROR */
/* ARGSUSED */
static int
__s_val_binddn(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf)
{
	char *dntype;

	if (param && param->ns_ptype == CHARPTR &&
	    (i == NS_LDAP_BINDDN_P || i == NS_LDAP_ADMIN_BINDDN_P) &&
	    ((param->ns_pc == NULL) ||
	    ((*(param->ns_pc) != '\0') &&
	    (strchr(param->ns_pc, '=') != NULL)))) {
		return (NS_SUCCESS);
	}
	if (i == NS_LDAP_BINDDN_P)
		dntype = "proxy";
	else
		dntype = "update";
	(void) snprintf(errbuf, MAXERROR,
	    gettext("NULL or invalid %s bind DN"), dntype);
	return (NS_PARSE_ERR);
}


/* Check for a BINDPASSWD */
/* The string can not be NULL or empty */
/* Size of errbuf needs to be MAXERROR */
/* ARGSUSED */
static int
__s_val_bindpw(ParamIndexType i, ns_default_config *def,
		ns_param_t *param, char *errbuf)
{
	char *pwtype;

	if (param && param->ns_ptype == CHARPTR &&
	    (i == NS_LDAP_BINDPASSWD_P || i == NS_LDAP_ADMIN_BINDPASSWD_P) &&
	    ((param->ns_pc == NULL) ||
	    (*(param->ns_pc) != '\0'))) {
		return (NS_SUCCESS);
	}
	if (i == NS_LDAP_BINDPASSWD_P)
		pwtype = "proxy";
	else
		pwtype = "admin";
	(void) snprintf(errbuf, MAXERROR,
	    gettext("NULL %s bind password"), pwtype);
	return (NS_PARSE_ERR);
}

/*
 * __s_get_hostcertpath returns either the configured host certificate path
 * or, if none, the default host certificate path (/var/ldap). Note that this
 * does not use __ns_ldap_getParam because it may be called during connection
 * setup. This can fail due to insufficient memory.
 */

char *
__s_get_hostcertpath(void)
{
	ns_config_t		*cfg;
	ns_param_t		*param;
	char			*ret = NULL;

	cfg = __s_api_get_default_config();
	if (cfg != NULL) {
		param = &cfg->paramList[NS_LDAP_HOST_CERTPATH_P];
		if (param->ns_ptype == CHARPTR)
			ret = strdup(param->ns_pc);
		__s_api_release_config(cfg);
	}
	if (ret == NULL)
		ret = strdup(NSLDAPDIRECTORY);
	return (ret);
}

static void
_free_config()
{
	if (current_config != NULL)
		destroy_config(current_config);

	current_config = NULL;
}