xref: /illumos-gate/usr/src/lib/libnisdb/yptol/dit_access_utils.c (revision a87701e9)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2015 Gary Mills
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * DESCRIPTION:	Contains dit_access interface support functions.
 */
#include <sys/systeminfo.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <unistd.h>
#include <stdlib.h>
#include <syslog.h>
#include <ndbm.h>
#include <strings.h>
#include <errno.h>
#include <ctype.h>
#include "../ldap_util.h"
#include "../ldap_map.h"
#include "../ldap_parse.h"
#include "../ldap_structs.h"
#include "../ldap_val.h"
#include "../ldap_ruleval.h"
#include "../ldap_op.h"
#include "../ldap_attr.h"
#include "../ldap_nisdbquery.h"
#include "../nisdb_mt.h"
#include "shim.h"
#include "yptol.h"
#include "dit_access_utils.h"

#define	YPMULTI		"YP_MULTI_"
#define	YPMULTISZ	9		/* == strlen(YPMULTI) */

/*
 * Returns 'map,domain.'
 */
char *
getFullMapName(char *map, char *domain) {
	char	*myself = "getFullMapName";
	char	*objPath;
	if (map == 0 || domain == 0) {
		return (0);
	}
	objPath =  scat(myself, T, scat(myself, F, map, ","),
		scat(myself, F, domain, "."));

	return (objPath);
}

/*
 * Convert string to __nis_value_t
 */
__nis_value_t *stringToValue(char *dptr, int dsize) {
	char		*myself = "stringToValue";
	char		*emptystr = "";
	__nis_value_t	*val;

	if ((val = am(myself, sizeof (*val))) == 0) {
		return (0);
	}

	val->type = vt_string;
	val->repeat = 0;
	val->numVals = 1;
	if ((val->val = am(myself, sizeof (val->val[0]))) == 0) {
		sfree(val);
		return (0);
	}

	/*
	 * Null strings or strings with length 0 are treated
	 * as empty strings with length 1
	 */
	if (dptr == 0 || dsize <= 0) {
		dptr = emptystr;
		dsize = 1;
	}

	val->val->length = dsize;
	if (dptr[dsize - 1] != '\0') {
		val->val->length = dsize + 1;
	}

	val->val->value = am(myself, val->val->length);
	if (val->val->value == 0) {
		freeValue(val, 1);
		return (0);
	}
	(void) memcpy(val->val->value, dptr, dsize);

	return (val);
}

/*
 * Returns an array of rule-values corresponding to the
 * splitfields.
 */
__nis_rule_value_t *
processSplitField(__nis_table_mapping_t *sf, __nis_value_t *inVal,
			int *nv, int *statP) {

	char			*sepset;
	__nis_rule_value_t	*rvq;
	__nis_value_t		**valA, *tempVal;
	int			i, j, res, numVals, oldlen, count;
	char			*str, *oldstr;

	/* sf will be non NULL */

	if (inVal == 0 || inVal->type != vt_string) {
		*statP =  MAP_PARAM_ERROR;
		return (0);
	}

	/* Get the separator list */
	sepset = sf->separatorStr;

	/* Initialize rule-value */
	rvq = 0;
	count = 0;

	if ((tempVal = stringToValue(inVal->val->value,
			inVal->val->length)) == 0) {
		*statP = MAP_NO_MEMORY;
		return (0);
	}

	str = oldstr = tempVal->val->value;
	oldlen = tempVal->val->length;

	while (str) {
		tempVal->val->value = str;
		tempVal->val->length = strlen(str) + 1;

		/* Loop to check which format matches str */
		for (i = 0; i <= sf->numSplits; i++) {
			valA = matchMappingItem(sf->e[i].element.match.fmt,
				tempVal, &numVals, sepset, &str);
			if (valA == 0) {
				/* The format didn't match. Try the next one */
				continue;
			}

			/*
			 * If we are here means we had a match.
			 * Each new set of values obtained from the match is
			 * added to a new rule-value. This is to preserve the
			 * the distinction between each set.
			 */
			rvq = growRuleValue(count, count + 1, rvq, 0);
			if (rvq == 0) {
				*statP = MAP_INTERNAL_ERROR;
				for (j = 0; j < numVals; j++)
					freeValue(valA[j], 1);
				sfree(valA);
				tempVal->val->value = oldstr;
				tempVal->val->length = oldlen;
				freeValue(tempVal, 1);
				return (0);
			}
			count++;

			for (j = 0; j < numVals; j++) {
				res = addCol2RuleValue(vt_string,
					sf->e[i].element.match.item[j].name,
					valA[j]->val->value,
					valA[j]->val->length,
					&rvq[count - 1]);
				if (res == -1) {
					*statP = MAP_INTERNAL_ERROR;
					for (; j < numVals; j++)
						freeValue(valA[j], 1);
					sfree(valA);
					tempVal->val->value = oldstr;
					tempVal->val->length = oldlen;
					freeValue(tempVal, 1);
					freeRuleValue(rvq, count);
					return (0);
				}
				freeValue(valA[j], 1);
			}
			sfree(valA);

			/*
			 * Since we had a match, break out of this loop
			 * to parse remainder of str
			 */
			break;
		}

		/* Didn't find any match, so get out of the loop */
		if (i > sf->numSplits) {
			str = 0;
			break;
		}

		/* Skip the separators before looping back */
		if (str) {
			str = str + strspn(str, sepset);
			if (*str == '\0')
				break;
		}
	}

	tempVal->val->value = oldstr;
	tempVal->val->length = oldlen;
	freeValue(tempVal, 1);

	if (str == 0) {
		freeRuleValue(rvq, count);
		return (0);
	}

	if (nv != 0)
		*nv = count;

	return (rvq);
}

/*
 * Convert the datum to an array of RuleValues
 */
__nis_rule_value_t *
datumToRuleValue(datum *key, datum *value, __nis_table_mapping_t *t,
			int *nv, char *domain, bool_t readonly, int *statP) {

	__nis_rule_value_t	*rvq, *subrvq, *newrvq;
	__nis_value_t		*val;
	__nis_value_t		**valA;
	__nis_table_mapping_t	*sf;
	int			valueLen, comLen, numVals, nr, count = 1;
	int			i, j, k, l;
	char			*ipaddr, *ipvalue;

	/*  At this point, 't' is always non NULL */

	/* Initialize rule-value */
	if ((rvq = initRuleValue(1, 0)) == 0) {
		*statP = MAP_INTERNAL_ERROR;
		return (0);
	}

	/* Add domainname to rule-value */
	if (addCol2RuleValue(vt_string, N2LDOMAIN, domain, strlen(domain),
						rvq)) {
		freeRuleValue(rvq, 1);
		*statP = MAP_INTERNAL_ERROR;
		return (0);
	}

	/* Handle key */
	if (key != 0) {
		/* Add field=value pair for N2LKEY */
		i = addCol2RuleValue(vt_string, N2LKEY, key->dptr, key->dsize,
						rvq);

		/* For readonly, add field=value pair for N2LSEARCHKEY */
		if (readonly == TRUE && i == 0) {
			i = addCol2RuleValue(vt_string, N2LSEARCHKEY, key->dptr,
						key->dsize, rvq);
		}
		if (i) {
			freeRuleValue(rvq, 1);
			*statP = MAP_INTERNAL_ERROR;
			return (0);
		}

		/* Add field=value pairs for IP addresses */
		if (checkIPaddress(key->dptr, key->dsize, &ipaddr) > 0) {
			/* If key is IPaddress, use preferred format */
			ipvalue = ipaddr;
			valueLen = strlen(ipaddr);
			i = addCol2RuleValue(vt_string, N2LIPKEY, ipvalue,
						valueLen, rvq);
		} else {
			/* If not, use original value for N2LSEARCHIPKEY */
			ipaddr = 0;
			ipvalue = key->dptr;
			valueLen = key->dsize;
			i = 0;
		}

		if (readonly == TRUE && i == 0) {
			i = addCol2RuleValue(vt_string, N2LSEARCHIPKEY, ipvalue,
								valueLen, rvq);
		}
		sfree(ipaddr);
		if (i) {
			freeRuleValue(rvq, 1);
			*statP = MAP_INTERNAL_ERROR;
			return (0);
		}
	}

	/* Handle datum value */
	if (value != 0 && t->e) {
		valueLen = value->dsize;
		/*
		 * Extract the comment, if any, and add it to
		 * the rule-value.
		 */
		if (t->commentChar != '\0') {
			/*
			 * We loop on value->dsize because value->dptr
			 * may not be NULL-terminated.
			 */
			for (i = 0; i < value->dsize; i++) {
				if (value->dptr[i] == t->commentChar) {
					valueLen = i;
					comLen = value->dsize - i - 1;
					if (comLen == 0)
						break;
					if (addCol2RuleValue(vt_string,
						N2LCOMMENT, value->dptr + i + 1,
						comLen, rvq)) {
						freeRuleValue(rvq, 1);
						*statP = MAP_INTERNAL_ERROR;
						return (0);
					}
					break;
				}
			}
		}

		/* Skip trailing whitespaces */
		for (; valueLen > 0 && (value->dptr[valueLen - 1] == ' ' ||
			value->dptr[valueLen - 1] == '\t'); valueLen--);

		/*
		 * At this point valueLen is the effective length of
		 * the data. Convert value into __nis_value_t so that
		 * we can use the matchMappingItem function to break it
		 * into fields.
		 */
		if ((val = stringToValue(value->dptr, valueLen)) == 0) {
			freeRuleValue(rvq, 1);
			*statP = MAP_NO_MEMORY;
			return (0);
		}

		/* Perform namefield match */
		valA = matchMappingItem(t->e->element.match.fmt, val,
							&numVals, 0, 0);
		if (valA == 0) {
			freeValue(val, 1);
			freeRuleValue(rvq, 1);
			*statP = MAP_NAMEFIELD_MATCH_ERROR;
			return (0);
		}

		/* We don't need val anymore, so free it */
		freeValue(val, 1);

		/*
		 * Since matchMappingItem only returns us an array of
		 * __nis_value_t's, we need to associate each value
		 * in the array with the corresponding item name.
		 * This code assumes that numVals will be less than or
		 * equal to the number of item names associated with
		 * the format.
		 * These name=value pairs are added to rvq.
		 */
		for (i = 0, *statP = SUCCESS; i < numVals; i++) {
			for (j = 0; j < count; j++) {
				if (addCol2RuleValue(vt_string,
					t->e->element.match.item[i].name,
					valA[i]->val->value,
					valA[i]->val->length, &rvq[j])) {
					*statP = MAP_INTERNAL_ERROR;
					break;
				}
			}
			if (*statP == MAP_INTERNAL_ERROR)
				break;

			/*
			 * Check if splitField exists for the field.
			 * Since splitfields are also stored as mapping
			 * structures, we need to get the hash table entry
			 * corresponding to the splitfield name
			 */
			sf = mappingFromMap(t->e->element.match.item[i].name,
					domain, statP);
			if (*statP == MAP_NO_MEMORY)
				break;
			*statP = SUCCESS;
			if (sf == 0)
				continue;

			/*
			 * Process and add splitFields to rule-value rvq
			 */
			subrvq = processSplitField(sf, valA[i], &nr, statP);

			if (subrvq == 0) {
				/* statP would have been set */
				break;
			}

			/*
			 * We merge 'count' rule-values in rvq with 'nr'
			 * rule-values from subrvq to give us a whopping
			 * 'count * nr' rule-values
			 */

			/* Initialize the new rule-value array */
			if ((newrvq = initRuleValue(count * nr, 0)) == 0) {
				*statP = MAP_INTERNAL_ERROR;
				freeRuleValue(subrvq, nr);
				break;
			}

			for (j = 0, l = 0; j < nr; j++) {
				for (k = 0; k < count; k++, l++) {
					if ((mergeRuleValue(&newrvq[l],
							&rvq[k]) == -1) ||
							(mergeRuleValue(
							&newrvq[l],
							&subrvq[j]) == -1)) {
						*statP = MAP_INTERNAL_ERROR;
						for (i = 0; i < numVals; i++)
							freeValue(valA[i], 1);
						sfree(valA);
						freeRuleValue(rvq, count);
						freeRuleValue(newrvq,
								count * nr);
						freeRuleValue(subrvq, nr);
						return (0);
					}
				}
			}

			freeRuleValue(rvq, count);
			rvq = newrvq;
			count = l;
			freeRuleValue(subrvq, nr);

		}

		/* We don't need valA anymore, so free it */
		for (i = 0; i < numVals; i++)
			freeValue(valA[i], 1);
		sfree(valA);

		if (*statP != SUCCESS) {
			freeRuleValue(rvq, count);
			return (0);
		}

	} /* if value */

	if (nv != 0)
		*nv = count;
	return (rvq);

}

/*
 * Generate name=values pairs for splitfield names
 *
 * Consider Example:
 *	nisLDAPnameFields club:
 *			("%s %s %s", name, code, members)
 *	nisLDAPsplitField members:
 *			("(%s,%s,%s)", host, user, domain),
 *			("%s", group)
 * On entry,
 * - rv is an array of numVals rule-values each containing
 * name=value pairs for names occuring in nisLDAPsplitField.
 * (i.e host, user, domain, group)
 * - trv contains name=value pairs for names occuring in
 * nisLDAPnameFields. (i.e name, code but not members)
 *
 * For every name in nisLDAPnamefields that is a splitfield,
 * this function applies the data in rv to the corresponding
 * splitfield formats (accessed thru t), to generate a single
 * string value for the corresponding splitfield (members).
 * This new name=value pair is then added to trv.
 * Besides, any uninitialized namefield names are set to empty strings.
 */
suc_code
addSplitFieldValues(__nis_table_mapping_t *t, __nis_rule_value_t *rv,
			__nis_rule_value_t *trv, int numVals, char *domain) {
	__nis_table_mapping_t	*sf;
	__nis_value_t		*val;
	int			i, j, k, nitems, res, statP;
	char			*str, *tempstr;
	char			delim[2] = {0, 0};
	char			*emptystr = "";
	char			*myself = "addSplitFieldValues";

	if (trv == 0)
		return (MAP_INTERNAL_ERROR);

	if (t->e == 0)
		return (SUCCESS);

	nitems = t->e->element.match.numItems;

	/*
	 * Procedure:
	 * - Check each name in nisLDAPnamefield
	 * - if it's a splifield, construct its value and add it to trv
	 * - if not, check if it has a value
	 * - if not, add empty string
	 */
	for (i = 0, sf = 0; i < nitems; i++) {
		if (rv) {
			/*
			 * str will eventually contain the single string
			 * value for the corresponding  splitfield.
			 * No point initializing str if rv == 0 because
			 * splitfield cannot be constructed without rv.
			 * So, only initialized here.
			 */
			str = 0;

			/* Check if it's a splitfield name */
			sf = mappingFromMap(t->e->element.match.item[i].name,
				domain, &statP);

			/*
			 * Return only incase of memory allocation failure.
			 * The other error case (MAP_NO_MAPPING_EXISTS),
			 * indicates that the item name is not a splitfieldname
			 * i.e it's a namefieldname. This case is handled by
			 * the following if (sf == 0)
			 */
			if (statP == MAP_NO_MEMORY)
				return (statP);
		}

		if (sf == 0) {
			/*
			 * Not a splitfield name. Verify if it has a value
			 */
			if (findVal(t->e->element.match.item[i].name,
				trv, mit_nisplus) == 0) {
				/* if not, use empty string */
				res = addCol2RuleValue(vt_string,
					t->e->element.match.item[i].name,
					emptystr, 0, trv);
				if (res == -1) {
					return (MAP_INTERNAL_ERROR);
				}
			}
			/*
			 * If rv == 0 then sf == 0 so we will continue here
			 * i.e. does not matter that str is not yet set up.
			 */
			continue;
		}

		/* Code to construct a single value */

		/* Use the first separator character as the delimiter */
		delim[0] = sf->separatorStr[0];

		for (j = 0; j < numVals; j++) {
			/* sf->numSplits is zero-based */
			for (k = 0; k <= sf->numSplits; k++) {
				val = getMappingFormatArray(
					sf->e[k].element.match.fmt, &rv[j],
					fa_item,
					sf->e[k].element.match.numItems,
					sf->e[k].element.match.item);
				if (val == 0)
					continue;
				if (val->numVals > 0) {
					if (str) {
						tempstr = scat(myself,
							0, str, delim);
						sfree(str);
						if (tempstr)
							str = tempstr;
						else {
							freeValue(val, 1);
							return (MAP_NO_MEMORY);
						}
					}
					tempstr = scat(myself, 0, str,
						val->val->value);
					sfree(str);
					if (tempstr)
						str = tempstr;
					else {
						freeValue(val, 1);
						return (MAP_NO_MEMORY);
					}
				}
				freeValue(val, 1);
			}
		}
		if (str == 0)
			str = emptystr;

		res = addCol2RuleValue(vt_string,
				t->e->element.match.item[i].name,
				str, strlen(str), trv);

		if (str != emptystr)
			sfree(str);

		if (res == -1) {
			return (MAP_INTERNAL_ERROR);
		}
	}

	return (SUCCESS);
}

/*
 * Updates 'rv' with NIS name=value pairs suitable to
 * construct datum from namefield information.
 * Some part based on createNisPlusEntry (from ldap_nisdbquery.c)
 * This code assumes that from a given LDAP entry, applying the
 * mapping rules, would give us one or more NIS entries, differing
 * only in key.
 */
suc_code
buildNISRuleValue(__nis_table_mapping_t *t, __nis_rule_value_t *rv,
					char *domain) {
	int			r, i, j, k, l, nrq, res, len;
	int			numItems, splitname, count, statP;
	__nis_value_t		*rval;
	__nis_mapping_item_t	*litem;
	__nis_mapping_rule_t	*rl;
	__nis_rule_value_t	*rvq;
	char			*value, *emptystr = "";

	statP = SUCCESS;

	/* Initialize default base */
	__nisdb_get_tsd()->searchBase = t->objectDN->read.base;

	/* Initialize rule-value rvq */
	rvq = 0;
	count = 0;

	/* Add domainname to rule-value */
	if (addCol2RuleValue(vt_string, N2LDOMAIN, domain, strlen(domain),
						rv)) {
		return (MAP_INTERNAL_ERROR);
	}

	for (r = 0; r < t->numRulesFromLDAP; r++) {
		rl = t->ruleFromLDAP[r];

		/* Set escapeFlag if RHS is "dn" to remove escape chars */
		if (rl->rhs.numElements == 1 &&
			rl->rhs.element->type == me_item &&
			rl->rhs.element->element.item.type == mit_ldap &&
			strcasecmp(rl->rhs.element->element.item.name, "dn")
									== 0) {
				__nisdb_get_tsd()->escapeFlag = '2';
		}

		rval = buildRvalue(&rl->rhs, mit_ldap, rv, NULL);

		/* Reset escapeFlag */
		__nisdb_get_tsd()->escapeFlag = '\0';

		if (rval == 0) {
			continue;
		}

		if (rval->numVals <= 0) {
			/* Treat as invalid */
			freeValue(rval, 1);
			continue;
		}

		litem = buildLvalue(&rl->lhs, &rval, &numItems);
		if (litem == 0) {
			/* This will take care of numItems == 0 */
			freeValue(rval, 1);
			continue;
		}

		if (rval->numVals > 1) {
			if (numItems == 1 && litem->repeat)
				nrq = rval->numVals;
			else if (numItems > 1 && rval->repeat)
				nrq = 1 + ((rval->numVals-1)/numItems);
			else
				nrq = 1;
		} else
			nrq = 1;

		/* Set splitname if splitfield names are specified */
		for (i = 0; i < numItems; i++) {
			if (strcasecmp(litem[i].name, N2LKEY) == 0 ||
				strcasecmp(litem[i].name, N2LIPKEY) == 0 ||
				strcasecmp(litem[i].name, N2LCOMMENT) == 0)
				continue;
			for (j = 0; j < t->numColumns; j++) {
				if (strcmp(litem[i].name, t->column[j]) == 0)
					break;
			}
			if (j == t->numColumns)
				break;
		}

		splitname = (i < numItems)?1:0;

		for (j = 0; j < nrq; j++) {
			if (splitname == 1) {
				/*
				 * Put every value of splitfieldname in a new
				 * rule-value. Helps generating splitfields.
				 */
				rvq = growRuleValue(count, count + 1, rvq, 0);
				if (rvq == 0) {
					freeRuleValue(rvq, count);
					freeValue(rval, 1);
					freeMappingItem(litem, numItems);
					return (MAP_INTERNAL_ERROR);
				}
				count++;
			}

			for (k = j % nrq, l = 0; l < numItems; k += nrq, l++) {
				/* If we run out of values, use empty strings */
				if (k >= rval->numVals) {
					value = emptystr;
					len = 0;
				} else {
					value = rval->val[k].value;
					len = rval->val[k].length;
				}
				res = (splitname == 1)?addCol2RuleValue(
					vt_string, litem[l].name, value,
					len, &rvq[count - 1]):0;
				if (res != -1)
					res = addCol2RuleValue(vt_string,
						litem[l].name, value, len, rv);
				if (res == -1) {
					freeRuleValue(rvq, count);
					freeValue(rval, 1);
					freeMappingItem(litem, numItems);
					return (MAP_INTERNAL_ERROR);
				}
			}
		}
		freeValue(rval, 1);
		rval = 0;
		freeMappingItem(litem, numItems);
		litem = 0;
		numItems = 0;
	} /* for r < t->numRulesFromLDAP */

	statP = addSplitFieldValues(t, rvq, rv, count, domain);

	if (rvq)
		freeRuleValue(rvq, count);

	if (verifyIndexMatch(t, 0, rv, 0, 0) == 0)
		return (MAP_INDEXLIST_ERROR);
	return (statP);

} /* end of buildNISRuleValue */

/*
 * Convert rule-value to datum using namefield information
 */
datum *
ruleValueToDatum(__nis_table_mapping_t *t, __nis_rule_value_t *rv, int *statP) {
	__nis_value_t	*val;
	datum		*value;
	char		*str, *cstr, commentSep[3] = {' ', 0, 0};
	char		*myself = "ruleValueToDatum";

	/* No error yet */
	*statP = 0;

	/* Return empty datum if no namefield information available */
	if (t->e == 0) {
		if ((value = am(myself, sizeof (*value))) == 0)
			*statP = MAP_NO_MEMORY;
		return (value);
	}

	val = getMappingFormatArray(t->e->element.match.fmt, rv,
				fa_item, t->e->element.match.numItems,
				t->e->element.match.item);

	if (val && val->val && val->val->value) {
		if ((value = am(myself, sizeof (*value))) == 0) {
			*statP = MAP_NO_MEMORY;
			freeValue(val, 1);
			return (0);
		}

		/* Strip trailing whitespaces */
		cstr = (char *)val->val->value + val->val->length;
		for (; cstr >= (char *)val->val->value &&
			(*cstr == ' ' || *cstr == '\t'); *cstr-- = '\0');

		if (t->commentChar != '\0' &&
		    (str = findVal(N2LCOMMENT, rv, mit_nisplus)) != 0 &&
		    *str != '\0') {
			commentSep[1] = t->commentChar;
			cstr = scat(myself, F, commentSep, str);
			if (cstr) {
				value->dptr = scat(myself, F,
						val->val->value, cstr);
				sfree(cstr);
			}
		} else {
			value->dptr = sdup(myself, T, val->val->value);
		}
		freeValue(val, 1);
		if (value->dptr) {
			value->dsize = strlen(value->dptr);
			return (value);
		} else {
			*statP = MAP_NO_MEMORY;
			sfree(value);
			return (0);
		}
	}

	*statP = MAP_NAMEFIELD_MATCH_ERROR;
	return (0);
}

datum *
getKeyFromRuleValue(__nis_table_mapping_t *t, __nis_rule_value_t *rv, int *nv,
    int *statP, bool_t xlate_to_lcase)
{
	int	i, j, k;
	datum	*key = 0;
	char	*str;
	char	*myself = "getKeyFromRuleValue";

	/* No error yet */
	*statP = 0;

	if (rv == 0 || nv == 0)
		return (0);

	for (i = 0; i < rv->numColumns; i++) {
		if (rv->colName[i] == 0)
			continue;
		if (strcasecmp(N2LKEY, rv->colName[i]) == 0 ||
		    strcasecmp(N2LIPKEY, rv->colName[i]) == 0) {
			if ((*nv = rv->colVal[i].numVals) == 0)
				return (0);
			if ((key = am(myself, sizeof (key[0]) * *nv)) == 0) {
				*statP = MAP_NO_MEMORY;
				return (0);
			}
			for (j = 0; j < *nv; j++) {
				if ((str = rv->colVal[i].val[j].value) == 0) {
					key[j].dsize = 0;
					key[j].dptr = 0;
				} else {
					if (verifyIndexMatch(t, 0, 0,
					    rv->colName[i], str) == 0) {
						key[j].dsize = 0;
						key[j].dptr = 0;
						continue;
					}

					key[j].dsize = strlen(str);
					key[j].dptr = am(myself,
					    key[j].dsize + 1);
					if (key[j].dptr == 0) {
						*statP = MAP_NO_MEMORY;
						for (--j; j >= 0; j--)
							sfree(key[j].dptr);
						sfree(key);
						return (0);
					}

					/* transliterate key to lowercase */
					if (xlate_to_lcase == TRUE) {

						/*
						 * For multi-homed
						 * entries, skip over
						 * "YP_MULTI_" prefix.
						 */
						k = 0;
						if (strncmp(YPMULTI, str,
						    YPMULTISZ) == 0) {
							k = YPMULTISZ;
							bcopy(str, key[j].dptr,
							    YPMULTISZ);
						}
						while (k < key[j].dsize) {
							key[j].dptr[k] =
							    (char)tolower(
							    (int)(uchar_t)
							    str[k]);
							k++;
						}
					} else {
						bcopy(str, key[j].dptr,
						    key[j].dsize);
					}
				}
			}
			return (key);
		}
	}
	return (0);
}

/*
 * Get the mapping structure corresponding to `map,domain.'
 */
__nis_table_mapping_t *
mappingFromMap(char *map, char *domain, int *statP) {
	char			*mapPath;
	__nis_table_mapping_t	*t;

	/* No error yet */
	*statP = 0;

	/* Construct map,domain. */
	if ((mapPath = getFullMapName(map, domain)) == 0) {
		*statP = MAP_NO_MEMORY;
		return (0);
	}

	/* Get the hash table entry for the mapPath */
	if ((t = __nis_find_item_mt(mapPath, &ldapMappingList, 1, 0))
			== 0) {
		*statP = MAP_NO_MAPPING_EXISTS;
	}
	sfree(mapPath);
	return (t);
}

/*
 * Verify at least one key value obtained from DIT matches the search key
 * RETURNS:	 1	MATCH
 *		 0	NO MATCH
 *		-1	NO KEY FOUND
 */
static int
verifyKey(char *key, __nis_rule_value_t *rv) {
	int	i, j;
	char	*sipkey, *str;

	for (i = 0; i < rv->numColumns; i++) {
		if (rv->colName[i] == 0)
			continue;
		if (strcasecmp(N2LKEY, rv->colName[i]) == 0) {
			if (rv->colVal[i].val == 0)
				return (0);
			for (j = 0; j < rv->colVal[i].numVals; j++) {
				str = (char *)rv->colVal[i].val[j].value;
				if (str && strcmp(str, key) == 0)
					return (1);
			}
			return (0);
		} else if (strcasecmp(N2LIPKEY, rv->colName[i]) == 0) {
			if (checkIPaddress(key, strlen(key), &sipkey) > 0) {
				if (rv->colVal[i].val == 0)
					return (0);
				for (j = 0; j < rv->colVal[i].numVals; j++) {
					str = rv->colVal[i].val[j].value;
					if (str && strcmp(str, sipkey) == 0) {
						sfree(sipkey);
						return (1);
					}
				}
				sfree(sipkey);
			}
			return (0);
		}
	}
	return (-1);
}

/*
 * Read (i.e get and map) a single NIS entry from the LDAP DIT
 */
bool_t
singleReadFromDIT(char *map, char *domain, datum *key, datum *value,
							int *statP) {
	__nis_table_mapping_t	*t;
	__nis_rule_value_t	*rv_request = 0, *rv_result = 0;
	__nis_ldap_search_t	*ls;
	__nis_object_dn_t	*objectDN = NULL;
	int			i, rc, nr = 0;
	datum			*datval = 0;
	char			*skey, *str;
	char			*myself = "singleReadFromDIT";

	*statP = SUCCESS;

	if (!map || !domain || !key || !value) {
		*statP = MAP_PARAM_ERROR;
		return (FALSE);
	}


	/* Get the mapping information for the map */
	if ((t = mappingFromMap(map, domain, statP)) == 0) {
		/*
		 * No problem. We don't handle this map and domain. Maybe it's
		 * handled by a service other than NIS.
		 */
		return (FALSE);
	}

	/* NULL-terminated version of datum key for logging */
	if ((skey = am(myself, key->dsize + 1)) == 0) {
		*statP = MAP_NO_MEMORY;
		return (FALSE);
	}
	(void) memcpy(skey, key->dptr, key->dsize);

	if ((str = getFullMapName(map, domain)) == 0) {
		*statP = MAP_NO_MEMORY;
		return (FALSE);
	}

	/* For each alternate mapping */
	for (; t != 0; t = t->next) {
		/* Verify objName */
		if (strcmp(str, t->objName) != 0) {
			continue;
		}

		/* Verify if key matches the index */
		if (verifyIndexMatch(t, 0, 0, N2LKEY, skey) == 0 ||
			verifyIndexMatch(t, 0, 0, N2LIPKEY, skey) == 0)
			continue;

		/* Check if rulesFromLDAP are provided */
		if (t->numRulesFromLDAP == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_INFO,
				"%s: No rulesFromLDAP information available "
				"for %s (%s)", myself, t->dbId, map);
			continue;
		}

		/* Convert key into rule-value */
		if ((rv_request = datumToRuleValue(key, 0, t, 0, domain, TRUE,
								statP)) == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_ERR,
				"%s: Conversion error %d (NIS to name=value "
				"pairs) for NIS key (%s) for %s (%s)",
				myself, *statP, skey, t->dbId, map);
			continue;
		}
		/* Convert rule-value into ldap request */
		for (objectDN = t->objectDN; objectDN &&
				objectDN->read.base;
				objectDN = objectDN->next) {
			ls = createLdapRequest(t, rv_request, 0, 1, NULL,
								objectDN);
			if (ls == 0) {
				*statP = MAP_CREATE_LDAP_REQUEST_ERROR;
				logmsg(MSG_NOTIMECHECK, LOG_ERR,
					"%s: Failed to create ldapSearch "
					"request for "
					"NIS key (%s) for %s (%s) "
					"for base %s",
					myself, skey, t->dbId, map,
					objectDN->read.base);
				continue;
			}
			ls->timeout.tv_sec = SINGLE_ACCESS_TIMEOUT_SEC;
			ls->timeout.tv_usec = SINGLE_ACCESS_TIMEOUT_USEC;
			/* Query LDAP */
			nr = (ls->isDN)?0:-1;
			rv_result = ldapSearch(ls, &nr, 0, statP);
			freeLdapSearch(ls);
			if (rv_result == 0) {
				if (*statP == LDAP_NO_SUCH_OBJECT) {
					/* Entry does not exist in */
					/* the ldap server */
				}
				continue;
			}
			freeRuleValue(rv_request, 1);
			rv_request = 0;

			/* if result > 1, first match will be returned */
			if (nr > 1) {
				logmsg(MSG_NOTIMECHECK, LOG_INFO,
					"%s: %d ldapSearch results "
					"for NIS key (%s) "
					"for %s (%s) for base %s. "
					"First match will be returned ",
					myself, nr, skey, t->dbId, map,
					objectDN->read.base);
			}

			for (i = 0; i < nr; i++) {
				/* Convert LDAP data to NIS equivalents */
				*statP = buildNISRuleValue(t, &rv_result[i],
								domain);
				if (*statP == MAP_INDEXLIST_ERROR)
					continue;

				if (*statP != SUCCESS) {
					logmsg(MSG_NOTIMECHECK, LOG_WARNING,
					"%s: Conversion error %d (LDAP to "
					"name=value pairs) for NIS key (%s) "
					"for %s (%s) for base %s", myself,
					*statP, skey,
					t->dbId, map, objectDN->read.base);
					continue;
				}

			/*
			 * Check if 'key' from the ldap result matches the key
			 * provided by our caller
			 */
				if ((rc = verifyKey(skey, &rv_result[i]))
						== -1) {
					logmsg(MSG_NOTIMECHECK, LOG_INFO,
					"%s: Cannot verify key from ldap "
					"result for NIS key (%s) for %s (%s) "
					"for base %s",
					myself, skey, t->dbId, map,
					objectDN->read.base);
					continue;
				}

				if (rc == 1) {
					datval = ruleValueToDatum(t,
							&rv_result[i], statP);
					if (datval == 0) {
						logmsg(MSG_NOTIMECHECK,
						LOG_WARNING,
						"%s: Conversion error %d "
						"(name=value pairs to NIS) "
						"for NIS key (%s) for %s (%s)"
						" for base %s",
						myself,
						*statP, skey, t->dbId, map,
						objectDN->read.base);
						continue;
					}
					if (value) {
						value->dptr = datval->dptr;
						value->dsize = datval->dsize;
					}
					sfree(datval);
					sfree(skey);
					freeRuleValue(rv_result, nr);
					rv_result = 0;
					*statP = SUCCESS;

					/* Free full map name */
					sfree(str);

					return (TRUE);
				}
			}
			freeRuleValue(rv_result, nr);
			rv_result = 0;
		}   /* end of for over objectDN */

		if (rv_request != 0) {
			freeRuleValue(rv_request, 1);
			rv_request = 0;
		}
		if (rv_result != 0) {
			freeRuleValue(rv_result, nr);
			rv_result = 0;
		}
	}
	sfree(skey);
	*statP = MAP_NO_MATCHING_KEY;

	/* Free full map name */
	sfree(str);

	return (FALSE);
}


/*
 * Maps and writes a single NIS entry to the LDAP DIT
 */
int
singleWriteToDIT(char *map, char *domain, datum *key, datum *value,
						bool_t replace) {
	__nis_table_mapping_t	*t;
	__nis_rule_value_t	*rv, *frv;
	__nis_ldap_search_t	*ls;
	int			statP = SUCCESS, flag;
	int			nv, nr, i, rc, collapse;
	char			*dn = 0, *skey, *svalue, *str;
	char			*myself = "singleWriteToDIT";

	if (!map || !domain || !key || !value) {
		return (MAP_PARAM_ERROR);
	}

	/* Return SUCCESS for empty or whitespace key */
	for (i = 0; i < key->dsize && (key->dptr[i] == 0 ||
		key->dptr[i] == ' ' || key->dptr[i] == '\t'); i++);
	if (i >= key->dsize)
		return (SUCCESS);

	/* Get the mapping information for the map */
	if ((t = mappingFromMap(map, domain, &statP)) == 0) {
		/*
		 * No problem. We don't handle this map and domain. Maybe it's
		 * handled by a service other than NIS.
		 */
		return (statP);
	}

	/* NULL-terminated version of key and value for logging */
	if ((skey = am(myself, key->dsize + 1)) == 0)
		return (MAP_NO_MEMORY);
	(void) memcpy(skey, key->dptr, key->dsize);

	if ((svalue = am(myself, value->dsize + 1)) == 0) {
		sfree(skey);
		return (MAP_NO_MEMORY);
	}
	(void) memcpy(svalue, value->dptr, value->dsize);

	if ((str = getFullMapName(map, domain)) == 0) {
		sfree(skey);
		sfree(svalue);
		return (MAP_NO_MEMORY);
	}

	/* For each alternate mapping */
	for (flag = 0; t != 0; t = t->next) {
		/* Verify objName */
		if (strcmp(str, t->objName) != 0) {
			continue;
		}

		/* Verify if key matches the index */
		if (verifyIndexMatch(t, 0, 0, N2LKEY, skey) == 0 ||
			verifyIndexMatch(t, 0, 0, N2LIPKEY, skey) == 0)
			continue;

		/* Check the writespecs */
		if (t->objectDN->write.base == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_INFO,
				"%s: No baseDN in writespec. Write disabled "
				"for %s (%s)", myself, t->dbId, map);
			continue;
		}

		/* Check if rulesToLDAP are provided */
		if (t->numRulesToLDAP == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_INFO,
				"%s: No rulesToLDAP. Write disabled for "
				"%s (%s)", myself, t->dbId, map);
			continue;
		}

		/* Set flag to indicate write is enabled */
		flag = 1;

		/* Convert key  and value into an array of rule-values */
		if ((rv = datumToRuleValue(key, value, t, &nv, domain, FALSE,
								&statP)) == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_ERR,
				"%s: Conversion error %d (NIS to name=value "
				"pairs) for NIS data (key=%s, value=%s) "
				"for %s (%s)",
				myself, statP, skey, svalue, t->dbId, map);
			sfree(skey);
			sfree(svalue);

			/* Free full map name */
			sfree(str);

			return (statP);
		}

		/* Convert NIS data to LDAP equivalents for each rule-value */
		for (i = 0; i < nv; i++) {
			/* Verify indexlist with name=value pairs */
			if (verifyIndexMatch(t, 0, &rv[i], 0, 0) == 0)
				break;

			/* Create LDAP request and LDAP name=value pairs */
			if ((ls = createLdapRequest(t, &rv[i],
			    0, 0, NULL, NULL)) == 0) {
				logmsg(MSG_NOTIMECHECK, LOG_ERR,
					"%s: Conversion error (name=value pairs"
					" to LDAP) for NIS data "
					"(key=%s, value=%s) for %s (%s)",
					myself, skey, svalue, t->dbId, map);
				freeRuleValue(rv, nv);
				sfree(skey);
				sfree(svalue);

				/* Free full map name */
				sfree(str);

				return (MAP_CREATE_LDAP_REQUEST_ERROR);
			}
			freeLdapSearch(ls);
			/* printRuleValue(&rv[i]); */
		}

		/* If i < nv then this alternate mapping isn't the one */
		if (i < nv)
			continue;

		/*
		 * Merge rule-values with the same DN so that we have
		 * one ldap write request for each DN
		 */
		nr = nv;
		frv = mergeRuleValueWithSameDN(rv, &nr);
		freeRuleValue(rv, nv);
		if (frv == 0) {
			if (nr == -1) {
				logmsg(MSG_NOTIMECHECK, LOG_ERR,
					"%s: Unable to merge LDAP write "
					"requests to same DN for NIS data "
					"(key=%s, value=%s) for %s (%s)",
					myself, skey, svalue, t->dbId, map);
				statP = MAP_INTERNAL_ERROR;
			} else if (nr == 0) {
				logmsg(MSG_NOTIMECHECK, LOG_WARNING,
					"%s: Cannot generate write DN due to "
					"missing information for NIS data "
					"(key=%s, value=%s) for %s (%s)",
					myself, skey, svalue, t->dbId, map);
				statP = MAP_NO_DN;
			}
			sfree(skey);
			sfree(svalue);

			/* Free full map name */
			sfree(str);

			return (statP);
		}

		/* Write to the LDAP server */
		for (collapse = 0, i = 0; i < nr; i++) {
			if ((dn = findVal("dn", &frv[i], mit_ldap)) != 0) {
				if (replace == FALSE) {
					/* ldap add */
					rc = ldapAdd(dn, &frv[i],
						t->objectDN->write.attrs, 0);
				} else {
					/* ldap modify with addFirst set */
					rc = ldapModify(dn, &frv[i],
						t->objectDN->write.attrs, 1);
				}

				/* if we get err=20, collapse and try again */
				if (!collapse &&
					(rc == LDAP_TYPE_OR_VALUE_EXISTS) &&
					(collapseRuleValue(&frv[i]) == 1)) {
					logmsg(MSG_NOTIMECHECK, LOG_WARNING,
						"%s: Ignoring values differing "
						"in case from NIS data (key=%s,"
						" value=%s) for (dn: %s) for "
						"%s (%s)", myself, skey,
						svalue, dn, t->dbId, map);
					collapse = 1;
					i--;
					continue;
				}

				collapse = 0;
				if (rc != LDAP_SUCCESS) {
					/* Log error */
					logmsg(MSG_NOTIMECHECK, LOG_ERR,
						"%s: %s error %d (%s) for "
						"(dn: %s) for NIS data "
						"(key=%s, value=%s) "
						"for %s (%s)",
						myself, (replace == TRUE) ?
						"ldapModify" : "ldapAdd", rc,
						ldap_err2string(rc), dn, skey,
						svalue, t->dbId, map);

					/* Dumping failed call may be useful */
					/* printRuleValue(&frv[i]); */

					/*
					 * Return the error code and let wrapper
					 * sort out if mapping should continue
					 * or abort.
					 */
					statP = rc;
					sfree(skey);
					sfree(svalue);
					freeRuleValue(frv, nr);

					/* Free full map name */
					sfree(str);

					return (statP);
				}
			}
		}

		freeRuleValue(frv, nr);
	}

	sfree(skey);
	sfree(svalue);

	/* Free full map name */
	sfree(str);

	return ((flag)?SUCCESS:MAP_WRITE_DISABLED);
}

suc_code
collapseRuleValue(__nis_rule_value_t *rv) {
	int		i, j, k, flag;

	/* Using 'val' to appease cstyle's 80 chars/line limit */
	__nis_value_t	*val;

	for (i = 0, flag = 0; i < rv->numAttrs; i++) {
		val = &rv->attrVal[i];
		for (j = 1; j < val->numVals; j++) {
			for (k = 0; k < j; k++) {
				if (val->val[j].length != val->val[k].length)
					continue;
				if (val->val[k].length == 0)
					continue;
				if (strncasecmp(val->val[j].value,
						val->val[k].value,
						val->val[j].length) != 0)
					continue;
				flag = 1;
				sfree(val->val[j].value);

#ifdef	ORDER_NOT_IMPORTANT
				val->val[j--] = val->val[--val->numVals];
#else
				/* Order needs to be maintained */
				for (k = j + 1; k < val->numVals; k++)
					val->val[k - 1] = val->val[k];
				j--;
				val->numVals--;
#endif
				break;
			}
		}
	}
	return (flag);
}

/* ObjectClass lookup table */
static struct {
	const char *attrType;
	const char *objectClass;
} oc_lookup[] = {
	{ "o",				"objectclass=organization"},
	{ "organizationname",		"objectclass=organization"},
	{ "2.5.4.10",			"objectclass=organization"},
	{ "ou",				"objectclass=organizationalunit"},
	{ "organizationalunitname",	"objectclass=organizationalunit"},
	{ "2.5.4.11",			"objectclass=organizationalunit"},
	{ "c",				"objectclass=country"},
	{ "countryname",		"objectclass=country"},
	{ "2.5.4.6",			"objectclass=country"},
	{ "dc",				"objectclass=domain"},
	{ "domaincomponent",		"objectclass=domain"},
	{ "0.9.2342.19200300.100.1.25",	"objectclass=domain"},
	{ "nismapname",			"objectclass=nismap"},
	{ "1.3.6.1.1.1.1.26",		"objectclass=nismap"},
	{ "automountmapname",		"objectclass=automountmap"},
	{ "1.3.6.1.1.1.1.31",		"objectclass=automountmap"},
	{ 0,				0}
};

/*
 * Returns the name of the objectclass to which the object
 * represented by the given 'rdn' will most likely belong to.
 * The return value is in static memory so it should not be
 * freed
 */
const char *
getObjectClass(char *rdn) {

	char *attrtype, *p;
	int len, i;

	/* Skip leading whitespaces */
	for (p = rdn; *p == ' ' || *p == '\t'; p++);
	if (*p == '\0')
		return (0);
	attrtype = p;

	/* Find '=' */
	if ((p = strchr(attrtype, '=')) == 0 || p == attrtype ||
						*(p - 1) == '\\')
		return (0);

	/*
	 * Skip trailing whitespaces in attrtype
	 * Don't worry, p won't decrease beyond attrtype
	 */
	for (--p; *p == ' ' || *p == '\t'; p--);
	len = p - attrtype + 1;

	for (i = 0; oc_lookup[i].attrType; i++)
		if (!strncasecmp(oc_lookup[i].attrType, attrtype, len))
			/* Check length is right */
			if (len == strlen(oc_lookup[i].attrType))
				return (oc_lookup[i].objectClass);

	return (0);
}

/*
 * Split 'dn' into rdn and parentdn based on the first
 * occurrence of unescaped 'comma' or 'semicolon'. rdn
 * lies on the LHS while parentdn lies on the RHS of the
 * split. If none found, then an empty string ("") is
 * assigned to parentdn
 */
int
splitDN(char *dn, char **rdn, char **parentdn) {
	char	*value, *name;
	char	*myself = "splitDN";

	if ((name = sdup(myself, T, dn)) == 0)
		return (-1);

	for (value = name; *value != '\0'; value++) {
		if (*value == ',' || *value == ';')
			if (value == name || *(value - 1) != '\\')
				break;
	}

	if (*value != '\0') {
		*value = '\0';
		value++;
	} else
		value = 0;

	if (parentdn) {
		if ((*parentdn = sdup(myself, T, value)) == 0) {
			sfree(name);
			return (-1);
		}
	}
	if (rdn)
		*rdn = name;
	else
		sfree(name);

	return (1);
}

/*
 * FUNCTION :	makeNISObject()
 *
 * DESCRIPTION: Sets up a nis Object in the DIT.
 *
 * GIVEN :
 *		Case 1: Both 'domain' and 'dn' are non-NULL
 *			Create nisDomainObject with the given information
 *		Case 2: Only 'domain' is  non-NULL
 *			Obtain the 'dn' from the nisLDAPdomainContext list
 *			Create nisDomainObject with the above information
 *		Case 3: Only 'dn' is  non-NULL
 *			Create an object with the 'dn'
 *			Here we guess the objectclass attribute, based on
 *			oc_lookup table
 *		Case 4: Both 'domain' and 'dn' are NULL
 *			Error
 *
 * RETURNS :	SUCCESS = It worked
 *		FAILURE = There was a problem.
 */
suc_code
makeNISObject(char *domain, char *dn) {
	__nis_rule_value_t	*rv;
	__nis_ldap_search_t	*ls;
	int			i, rc, nr, add_rc;
	char			*val;
	char			*myself = "makeNISObject";

	if (!dn && !domain)
		return (FAILURE);

	/*
	 * If only 'domain' name is provided, then
	 * try to find dn from the nisLDAPdomainContext
	 * list generated by the parser
	 */
	if (!dn) {
		for (i = 0; i < ypDomains.numDomains; i++) {
			if (ypDomains.domainLabels[i] == 0)
				continue;
			if (strcasecmp(domain, ypDomains.domainLabels[i])
								== 0) {
				dn = ypDomains.domains[i];
				break;
			}
		}
		if (!dn)
			return (FAILURE);
	}

	/*
	 * If only 'dn' is given, then it means that the
	 * caller simply wants to a create an entry for
	 * that 'dn'.
	 *
	 * If 'domain' is given, then check if the 'dn'
	 * has already been set up as a nis domain object.
	 * If not, see if we can make it become one.
	 */
	if (domain) {
		/*
		 * Check to see if the nis domain object has
		 * already been set up
		 */
		ls = buildLdapSearch(dn, LDAP_SCOPE_BASE, 0, 0,
			"objectclass=*", 0, 0, 0);
		if (ls == 0) {
			logmsg(MSG_NOTIMECHECK, LOG_ERR,
				"%s: Unable to create ldapSearch "
				"request for dn: %s", myself, dn);
			return (FAILURE);
		}
		nr = -1;
		rv = ldapSearch(ls, &nr, 0, &rc);
		freeLdapSearch(ls);
		if (rc == LDAP_SUCCESS) {
			val = findVal("nisDomain", rv, mit_ldap);
			if (val != NULL) {
				/*
				 * Yes, nis domain object found. Check
				 * to see if the domain names match.
				 * If so, we are done. If not, log
				 * a warning message, and return SUCCESS.
				 */
				if (strcasecmp(val, domain) == 0) {
					freeRuleValue(rv, nr);
					return (SUCCESS);
				} else {
					logmsg(MSG_NOTIMECHECK,
						LOG_WARNING,
						"%s: Entry (dn: %s) already "
						"contains a nis domain name "
						"(%s). The domain name (%s) "
						"is not added.",
						myself, dn, val, domain);
					freeRuleValue(rv, nr);
					return (SUCCESS);
				}
			} else {
				freeRuleValue(rv, nr);
				/*
				 * Entry for the 'dn' exists, but it
				 * is not a nis domain object yet.
				 * Add the nisDoamin attribute and
				 * the nisDomainObject objectclass to
				 * the entry.
				 */
				if ((rv = initRuleValue(1, 0)) == 0)
					return (FAILURE);

				if (addSAttr2RuleValue("nisDomain",
						domain, rv) == -1) {
					freeRuleValue(rv, 1);
					return (FAILURE);
				}
				rc = ldapModify(dn, rv,
					"objectclass=nisDomainObject",
					0);
				freeRuleValue(rv, 1);
				if (rc == LDAP_SUCCESS) {
					logmsg(MSG_NOTIMECHECK,
						LOG_INFO,
						"%s: entry (dn: %s) "
						"modified to be an "
						"nis domain object",
						myself, dn);
					return (SUCCESS);
				} else {
					logmsg(MSG_NOTIMECHECK,
						LOG_ERR,
						"%s: unable to modify "
						"entry (dn: %s) to be "
						"a nis domain object: "
						"ldapModify error %d (%s)",
						myself, dn, rc,
						ldap_err2string(rc));
					return (FAILURE);
				}
			}
		} else { /* search for 'dn' failed */
			freeRuleValue(rv, nr);

			/*
			 * It is OK if no such object, otherwise
			 * log an error.
			 */
			if (rc != LDAP_NO_SUCH_OBJECT) {
				logmsg(MSG_NOTIMECHECK, LOG_ERR,
					"%s: unable to retrieve "
					"entry (dn: %s): "
					"ldapSearch error %d (%s)",
					myself, dn, rc,
					ldap_err2string(rc));
				return (FAILURE);
			}
		}

		/*
		 * If the 'dn' is actually the naming context of
		 * the DIT, we should be able to make it a nis domain
		 * object without worrying about missing parent
		 * entries. If unable to add the entry for the 'dn'
		 * due to missing parent entries, fall through
		 * to create them and then add the nis domain object.
		 */
		if (addNISObject(domain, dn, &add_rc) == SUCCESS)
			return (SUCCESS);
		else if (add_rc != LDAP_NO_SUCH_OBJECT)
			return (FAILURE);
	}

	/* Create parent */
	if (addParent(dn, NULL) == FAILURE)
		return (FAILURE);

	if (addNISObject(domain, dn, NULL) == FAILURE)
		return (FAILURE);

	return (SUCCESS);
}

suc_code
addParent(char *dn, char **attr) {
	__nis_rule_value_t	*rv;
	__nis_ldap_search_t	*ls;
	int			rc, nr;
	char			*parentdn = 0, *rdn = 0;
	char			*myself = "addParent";

	/* Obtain parentdn */
	if (splitDN(dn, &rdn, &parentdn) == -1)
		return (FAILURE);
	if (!parentdn) {
		sfree(rdn);
		return (FAILURE);
	}

	/* Check if parentdn exists */
	ls = buildLdapSearch(parentdn, LDAP_SCOPE_BASE, 0, 0,
					"objectclass=*", 0, 0, 0);
	if (ls == 0) {
		logmsg(MSG_NOTIMECHECK, LOG_ERR,
			"%s: Unable to create ldapSearch request for "
			"parent (dn: %s) of (dn: %s)",
			myself, parentdn, dn);
		sfree(parentdn);
		sfree(rdn);
		return (FAILURE);
	}
	nr = -1;
	rv = ldapSearch(ls, &nr, 0, &rc);
	freeLdapSearch(ls);
	freeRuleValue(rv, nr);

	/* Create parent if it doesn't exists */
	if (rc == LDAP_NO_SUCH_OBJECT) {
		if (makeNISObject(0, parentdn) == FAILURE) {
			logmsg(MSG_NOTIMECHECK, LOG_ERR,
				"%s: Unable to create parent (dn: %s) of "
				"(dn: %s) in the DIT", myself, parentdn, dn);
			sfree(parentdn);
			sfree(rdn);
			return (FAILURE);
		}
	}
	sfree(parentdn);

	if (attr && rdn)
		*attr = (char *)getObjectClass(rdn);
	sfree(rdn);

	return (SUCCESS);
}



/*
 * FUNCTION :	is_fatal_error()
 *
 * DESCRIPTION:	Works out if a failed mapping operation should be retried.
 *
 * INPUTS :	Result code from operation
 *
 * OUTPUTS :	TRUE = Fatal error, don't retry.
 *		FALSE = Temporary error, retry.
 */
bool_t
is_fatal_error(int res)
{

	if (0 > res)
		/* An internal mapping error. Not going to go away. */
		return (TRUE);

	switch (res) {
		case (LDAP_PROTOCOL_ERROR):
		case (LDAP_TIMELIMIT_EXCEEDED):
		case (LDAP_PARTIAL_RESULTS):
		case (LDAP_BUSY):
		case (LDAP_UNAVAILABLE):
		case (LDAP_UNWILLING_TO_PERFORM):
		case (LDAP_OTHER):
		case (LDAP_SERVER_DOWN):
		case (LDAP_LOCAL_ERROR):
		case (LDAP_TIMEOUT):
		case (LDAP_NO_MEMORY):
			/* Probably worth a retry */
			return (FALSE);

		default:
			return (TRUE);
	}
}

/*
 * FUNCTION :	addNISObject()
 *
 * DESCRIPTION: Add a nis Object in the DIT.
 *
 * GIVEN :
 *		Case 1: 'dn' is NULL
 *			Error
 *		Case 2: 'domain' is non-NULL
 *			Create nisDomainObject with the given information
 *		Case 3: 'domain' is NULL
 *			Create an object with the 'dn'
 *			Here we guess the objectclass attribute, based on
 *			oc_lookup table
 *
 * RETURNS :	SUCCESS = It worked
 *		FAILURE = There was a problem. If the ldap add
 *                        operation failed, ldap_rc will be set
 *			  to the ldap error code.
 */
suc_code
addNISObject(char *domain, char *dn, int *ldap_rc) {
	__nis_rule_value_t	*rv;
	int			rc;
	char			*objClassAttrs = NULL, *attrs;
	char			*value, *svalue, *rdn = NULL;
	char			*myself = "addNISObject";

	if (!dn)
		return (FAILURE);

	if ((rv = initRuleValue(1, 0)) == 0)
		return (FAILURE);

	if (ldap_rc)
		*ldap_rc = -1;

	/*
	 * Add name=value pairs from RDN. Although this is not required
	 * for SunOne Directory Server, during openldap interoperabilty
	 * tests, it was found out that openldap server returned object
	 * class violation errors if MUST attributes were not specified
	 * explicitly.
	 */
	if (splitDN(dn, &rdn, 0) == -1)
		return (FAILURE);
	if (rdn != NULL) {
		objClassAttrs = (char *)getObjectClass(rdn);
		if (objClassAttrs == NULL) {
			sfree(rdn);
			return (FAILURE);
		}

		/*
		 * RDN can be composed of multiple name=value pairs
		 * concatenated by '+'. Hence, we need to determine each
		 * pair and add it to 'rv'
		 */
		for (value = rdn, svalue = NULL; *value != '\0'; value++) {
			if (*value == '+') {
				/* Make sure it's not escaped */
				if (value == rdn || *(value - 1) != '\\') {
					/*
					 * We are at the start of the new
					 * pair. 'svalue' now contains the
					 * value for the previous pair. Add
					 * the previous pair to 'rv'
					 */
					*value = '\0';
					if (svalue &&
					addSAttr2RuleValue(rdn, svalue, rv)
									== -1) {
						sfree(rdn);
						freeRuleValue(rv, 1);
						return (FAILURE);
					}
					svalue = NULL;
					rdn = value + 1;
					continue;
				}
			}

			if (*value == '=') {
				if (value == rdn || *(value - 1) != '\\') {
					/*
					 * 'rdn' now contains the name.
					 * Whatever follows till the next
					 * unescaped '+' or '\0' is the
					 * value for this pair.
					 */
					*value = '\0';
					svalue = value + 1;
					continue;
				}
			}
		}

		/*
		 * End of String. Add the previous name=value pair to 'rv'
		 */
		if (svalue && addSAttr2RuleValue(rdn, svalue, rv) == -1) {
			sfree(rdn);
			freeRuleValue(rv, 1);
			return (FAILURE);
		}
		sfree(rdn);
	} else /* rdn  == NULL */
		return (FAILURE);

	/* Create the entry */
	if (domain) {
		if (addSAttr2RuleValue("nisDomain", domain, rv) == -1) {
			freeRuleValue(rv, 1);
			return (FAILURE);
		}
		attrs = scat(myself, F, "objectclass=nisdomainobject,",
					objClassAttrs);
		if (!attrs) {
			freeRuleValue(rv, 1);
			return (FAILURE);
		}
		rc = ldapAdd(dn, rv, attrs, 0);
		sfree(attrs);
	} else {
		rc = ldapAdd(dn, rv, objClassAttrs, 0);
	}

	if (rc == LDAP_SUCCESS)
		logmsg(MSG_NOTIMECHECK, LOG_INFO,
				"%s: Entry (dn: %s) added to DIT",
				myself, dn);
	else if (rc == LDAP_ALREADY_EXISTS)
		/* Treat this as success */
		rc = LDAP_SUCCESS;
	else
		logmsg(MSG_NOTIMECHECK, LOG_ERR,
				"%s: ldapAdd error %d (%s) for (dn: %s)",
				myself, rc, ldap_err2string(rc), dn);

	freeRuleValue(rv, 1);
	if (ldap_rc)
		*ldap_rc = rc;
	return ((rc == LDAP_SUCCESS)?SUCCESS:FAILURE);
}