xref: /illumos-gate/usr/src/lib/libsldap/common/ns_writes.c (revision 51b02b29)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2012 Milan Jurik. All rights reserved.
 */

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <libintl.h>

#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <lber.h>
#include <ldap.h>
#include <syslog.h>
#include <stddef.h>
#include <sys/mman.h>

#include "ns_sldap.h"
#include "ns_internal.h"
#include "ns_connmgmt.h"
#include "ns_cache_door.h"

/* Additional headers for addTypedEntry Conversion routines */
#include <pwd.h>
#include <project.h>
#include <shadow.h>
#include <grp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <rpc/rpcent.h>
#include <auth_attr.h>
#include <exec_attr.h>
#include <prof_attr.h>
#include <user_attr.h>
#include <bsm/libbsm.h>
#include <sys/tsol/tndb.h>
#include <tsol/label.h>

static int send_to_cachemgr(const char *,
    ns_ldap_attr_t **, ns_ldap_error_t **);

static int escape_str(char *, char *);

/*
 * If the rdn is a mapped attr:
 *	return NS_LDAP_SUCCESS and a new_dn.
 * If no mapped attr is found in the rdn:
 *	return NS_LDAP_SUCCESS and *new_dn == NULL
 * For example:
 *  service = abc
 *  dn =  cn=foo,dc=bar,dc=com
 *  attributeMapping: abc:cn=sn
 * Then:
 *  new_dn = sn=foo,dc=bar,dc=com
 *
 */
static int
replace_mapped_attr_in_dn(
	const char *service, const char *dn, char **new_dn)
{
	char	**mappedattr;
	char	**dnArray = NULL;
	char	*rservice;
	char	*cur = NULL;
	int	len = 0, orig_len = 0, mapped_len = 0;
	int	dn_len = 0;

	*new_dn = NULL;

	/*
	 * separate dn into individual componets
	 * e.g.
	 * "automountKey=user_01" , "automountMapName_test=auto_home", ...
	 */
	dnArray = ldap_explode_dn(dn, 0);
	if (!dnArray || !*dnArray)
		return (NS_LDAP_INVALID_PARAM);

	cur = strchr(dnArray[0], '=');
	if (!cur) {
		__s_api_free2dArray(dnArray);
		return (NS_LDAP_INVALID_PARAM);
	}
	*cur = '\0';

	/* we only check schema mapping for automount, not for auto_* */
	if (strncasecmp(service, NS_LDAP_TYPE_AUTOMOUNT,
	    sizeof (NS_LDAP_TYPE_AUTOMOUNT) - 1) == 0)
		rservice = "automount";
	else
		rservice = (char *)service;

	mappedattr = __ns_ldap_getMappedAttributes(rservice, dnArray[0]);
	if (!mappedattr || !mappedattr[0]) {
		__s_api_free2dArray(dnArray);
		if (mappedattr)
			__s_api_free2dArray(mappedattr);
		return (NS_LDAP_SUCCESS);
	}
	orig_len = strlen(dnArray[0]);

	/*
	 * The new length is *dn length + (difference between
	 * orig attr and mapped attr) + 1 ;
	 * e.g.
	 * automountKey=aa,automountMapName=auto_home,dc=foo,dc=com
	 * ==>
	 * cn=aa,automountMapName=auto_home,dc=foo,dc=com
	 */
	mapped_len = strlen(mappedattr[0]);
	dn_len = strlen(dn);
	len = dn_len - orig_len + mapped_len + 1;
	*new_dn = (char *)calloc(1, len);
	if (*new_dn == NULL) {
		__s_api_free2dArray(dnArray);
		__s_api_free2dArray(mappedattr);
		return (NS_LDAP_MEMORY);
	}

	(void) snprintf(*new_dn, len, "%s=%s", mappedattr[0], dn + orig_len +1);
	__s_api_free2dArray(dnArray);
	__s_api_free2dArray(mappedattr);

	return (NS_LDAP_SUCCESS);
}


/*
 * The following function is only used by the
 * "gecos" 1 to N attribute mapping code. It expects
 * and handle only one data/length pair.
 */
static int
init_bval_mod(
	LDAPMod *mod,
	int	mop,
	char	*mtype,
	char	*mvptr,
	int	mvlen)
{

	struct berval	**bmodval;

	/* dup attribute name */
	mod->mod_type = strdup(mtype);
	if (mod->mod_type == NULL)
		return (-1);

	/*
	 * assume single value,
	 * since only one value/length pair passed in
	 */
	bmodval = (struct berval **)calloc(2, sizeof (struct berval *));
	if (bmodval == NULL) {
		free(mod->mod_type);
		mod->mod_type = NULL;
		return	(-1);
	}
	bmodval[0] = (struct berval *)calloc(1, sizeof (struct berval));
	if (bmodval[0] == NULL) {
		free(mod->mod_type);
		mod->mod_type = NULL;
		free(bmodval);
		return	(-1);
	}

	/* set pointer to data */
	bmodval[0]->bv_val = mvptr;

	/* set length */
	bmodval[0]->bv_len = mvlen;

	/*
	 * turn on the BVALUE bit to indicate
	 * that the length of data is supplied
	 */
	mod->mod_op = mop | LDAP_MOD_BVALUES;

	mod->mod_bvalues = bmodval;

	return	(0);
}

static void
freeModList(LDAPMod **mods)
{
	int i, j;
	int name_is_oc;

	if (mods == NULL)
		return;

	for (i = 0; mods[i]; i++) {

		/* free attribute name */
		name_is_oc = FALSE;
		if (mods[i]->mod_type) {
			if (strcasecmp(mods[i]->mod_type, "objectclass") == 0)
				name_is_oc = TRUE;
			free(mods[i]->mod_type);
		}

		if (mods[i]->mod_bvalues == NULL)
			continue;
		/*
		 * LDAP_MOD_BVALUES is only set by
		 * the "gecos" 1 to N attribute mapping
		 * code, and the attribute is single valued.
		 */
		if (mods[i]->mod_op & LDAP_MOD_BVALUES) {
			if (mods[i]->mod_bvalues[0])
				free(mods[i]->mod_bvalues[0]);
		} else {
			if (name_is_oc) {
				/*
				 * only values for the "objectclass"
				 * were dupped using strdup.
				 * other attribute values were
				 * not dupped, but via pointer
				 * assignment. So here the
				 * values for "objectclass"
				 * is freed one by one,
				 * but the values for other
				 * attributes need not be freed.
				 */
				for (j = 0; mods[i]->mod_values[j]; j++)
					free(mods[i]->mod_values[j]);
			}

		}
		free(mods[i]->mod_bvalues);
	}

	/* modlist */
	free((char *)(mods[0]));
	free(mods);
}

static LDAPMod **
__s_api_makeModListCount(
	const char *service,
	const ns_ldap_attr_t * const *attr,
	const int mod_op,
	const int count,
	const int flags)
{
	LDAPMod		**mods, *modlist;
	char		**modval;
	char		**mapping;
	int		i;
	int		j;
	int		k, rc, vlen;
	char		*c, *comma1 = NULL, *comma2 = NULL;
	int		schema_mapping_existed = FALSE;
	int		auto_service = FALSE;


	/*
	 * add 2 for "gecos" 1 to up to 3 attribute mapping
	 */
	mods = (LDAPMod **)calloc((count + 3), sizeof (LDAPMod *));
	if (mods == NULL) {
		return (NULL);
	}
	/*
	 * add 2 for "gecos" 1 to up to 3 attribute mapping
	 */
	modlist = (LDAPMod *)calloc(count + 2, sizeof (LDAPMod));
	if (modlist == NULL) {
		free(mods);
		return (NULL);
	}

	if (service != NULL && strncasecmp(service, NS_LDAP_TYPE_AUTOMOUNT,
	    sizeof (NS_LDAP_TYPE_AUTOMOUNT) - 1) == 0)
		auto_service = TRUE;

	/*
	 * see if schema mapping existed for the given service
	 */
	mapping = __ns_ldap_getOrigAttribute(service,
	    NS_HASH_SCHEMA_MAPPING_EXISTED);
	if (mapping) {
		schema_mapping_existed = TRUE;
		__s_api_free2dArray(mapping);
		mapping = NULL;
	}

	for (i = 0, k = 0; k < count && attr[k] != NULL; i++, k++) {
		mods[i] = &modlist[i];
		mods[i]->mod_op = mod_op;
		/*
		 * Perform attribute mapping if necessary.
		 */
		if (schema_mapping_existed && (flags & NS_LDAP_NOMAP) == 0) {
			mapping = __ns_ldap_getMappedAttributes(service,
			    attr[k]->attrname);
		} else
			mapping = NULL;

		if (mapping == NULL && auto_service &&
		    (flags & NS_LDAP_NOMAP) == 0) {
			/*
			 * if service == auto_xxx and
			 * no mapped attribute is found
			 * and NS_LDAP_NOMAP is not set
			 * then try automount's mapped attribute
			 */
			mapping = __ns_ldap_getMappedAttributes("automount",
			    attr[k]->attrname);
		}

		if (mapping == NULL) {
			mods[i]->mod_type = strdup(attr[k]->attrname);
			if (mods[i]->mod_type == NULL)
				goto free_memory;
		} else {
			/*
			 * 1 to N attribute mapping is only done for "gecos",
			 * and only 1 to 3 mapping.
			 * nine cases here:
			 *
			 * A. attrMap=passwd:gecos=a
			 *    1. gecos="xx,yy,zz" -> a="xx,yy,zz"
			 *    2. gecos="xx,yy" -> a="xx,yy"
			 *    3. gecos="xx" -> a="xx"
			 *
			 * B. attrMap=passwd:gecos=a b
			 *    4. gecos="xx,yy,zz" -> a="xx" b="yy,zz"
			 *    5. gecos="xx,yy" -> a="xx" b="yy"
			 *    6. gecos="xx" -> a="xx"
			 *
			 * C. attrMap=passwd:gecos=a b c
			 *    7. gecos="xx,yy,zz" -> a="xx" b="yy" c="zz"
			 *    8. gecos="xx,yy" -> a="xx" b="yy"
			 *    9. gecos="xx" -> a="xx"
			 *
			 * This can be grouped as:
			 *
			 * c1 cases: 1,2,3,6,9
			 *    if ((attrMap=passwd:gecos=a) ||
			 *		(no "," in gecos value))
			 *	same as other no-mapping attributes,
			 *	no special processing needed
			 *    else
			 *
			 * c2 cases: 4,5,8
			 *    if ((attrMap=passwd:gecos=a b) ||
			 *	(only one "," in gecos value))
			 *	a=xx b=yy[,...]
			 *    else
			 *
			 * c3 case: 7
			 *    a=xx b=yy c=...
			 *
			 * notes: in case c2 and c3, ... could still contain ","
			 */
			if (strcasecmp(service, "passwd") == 0 &&
			    strcasecmp(attr[k]->attrname, "gecos") == 0 &&
			    mapping[1] && attr[k]->attrvalue[0] &&
			    (comma1 = strchr(attr[k]->attrvalue[0],
			    COMMATOK)) != NULL) {

			/* is there a second comma? */
			if (*(comma1 + 1) != '\0')
				comma2 = strchr(comma1 + 1, COMMATOK);

			/*
			 * Process case c2 or c3.
			 * case c2: mapped to two attributes or just
			 * one comma
			 */
			if (mapping[2] == NULL || comma2 == NULL) {
				/* case c2 */

				/*
				 * int mod structure for the first attribute
				 */
				vlen = comma1 - attr[k]->attrvalue[0];
				c = attr[k]->attrvalue[0];

				if (vlen > 0 && c) {
					rc = init_bval_mod(mods[i], mod_op,
					    mapping[0], c, vlen);
					if (rc != 0)
						goto free_memory;
				} else {
					/* don't leave a hole in mods array */
					mods[i] = NULL;
					i--;
				}


				/*
				 * init mod structure for the 2nd attribute
				 */
				if (*(comma1 + 1) == '\0') {
					__s_api_free2dArray(mapping);
					mapping = NULL;
					continue;
				}

				i++;
				mods[i] = &modlist[i];

				/*
				 * get pointer to data.
				 * Skip leading spaces.
				 */
				for (c = comma1 + 1; *c == SPACETOK; c++) {
					/* empty */
				}

				/* get data length */
				vlen = strlen(attr[k]->attrvalue[0]) -
				    (c - attr[k]->attrvalue[0]);

				if (vlen > 0 && c) {
					rc = init_bval_mod(mods[i], mod_op,
					    mapping[1], c, vlen);
					if (rc != 0)
						goto free_memory;
				} else {
					/* don't leave a hole in mods array */
					mods[i] = NULL;
					i--;
				}

				/* done with the mapping array */
				__s_api_free2dArray(mapping);
				mapping = NULL;

				continue;
			} else {
				/* case c3 */

				/*
				 * int mod structure for the first attribute
				 */
				vlen = comma1 - attr[k]->attrvalue[0];
				c = attr[k]->attrvalue[0];

				if (vlen > 0 && c) {
					rc = init_bval_mod(mods[i], mod_op,
					    mapping[0], c, vlen);
					if (rc != 0)
						goto free_memory;
				} else {
					/* don't leave a hole in mods array */
					mods[i] = NULL;
					i--;
				}

				/*
				 * init mod structure for the 2nd attribute
				 */
				i++;
				mods[i] = &modlist[i];

				/*
				 * get pointer to data.
				 * Skip leading spaces.
				 */
				for (c = comma1 + 1; *c == SPACETOK; c++) {
					/* empty */
				};

				/* get data length */
				vlen = comma2 - c;

				if (vlen > 0 && c) {
					rc = init_bval_mod(mods[i], mod_op,
					    mapping[1], c, vlen);
					if (rc != 0)
						goto free_memory;
				} else {
					/* don't leave a hole in mods array */
					mods[i] = NULL;
					i--;
				}

				/*
				 * init mod structure for the 3rd attribute
				 */
				if (*(comma2 + 1) == '\0') {
					__s_api_free2dArray(mapping);
					mapping = NULL;
					continue;
				}

				i++;
				mods[i] = &modlist[i];
				/*
				 * get pointer to data.
				 * Skip leading spaces.
				 */
				for (c = comma2 + 1; *c == SPACETOK; c++) {
					/* empty */
				}

				/* get data length */
				vlen = strlen(attr[k]->attrvalue[0]) -
				    (c - attr[k]->attrvalue[0]);

				if (vlen > 0 && c) {
					rc = init_bval_mod(mods[i], mod_op,
					    mapping[2], c, vlen);
					if (rc != 0)
						goto free_memory;
				} else {
					/* don't leave a hole in mods array */
					mods[i] = NULL;
					i--;
				}

				/* done with the mapping array */
				__s_api_free2dArray(mapping);
				mapping = NULL;

				continue;
				}
			}

			/* case c1 */
			mods[i]->mod_type = strdup(mapping[0]);
			if (mods[i]->mod_type == NULL) {
				goto free_memory;
			}
			__s_api_free2dArray(mapping);
			mapping = NULL;
		}

		modval = (char **)calloc(attr[k]->value_count+1,
		    sizeof (char *));
		if (modval == NULL)
			goto free_memory;
		/*
		 * Perform objectclass mapping.
		 * Note that the values for the "objectclass" attribute
		 * will be dupped using strdup. Values for other
		 * attributes will be referenced via pointer
		 * assignments.
		 */
		if (strcasecmp(mods[i]->mod_type, "objectclass") == 0) {
			for (j = 0; j < attr[k]->value_count; j++) {
				if (schema_mapping_existed &&
				    (flags & NS_LDAP_NOMAP) == 0)
					mapping =
					    __ns_ldap_getMappedObjectClass(
					    service, attr[k]->attrvalue[j]);
				else
					mapping = NULL;

				if (mapping == NULL && auto_service &&
				    (flags & NS_LDAP_NOMAP) == 0)
					/*
					 * if service == auto_xxx and
					 * no mapped objectclass is found
					 * then try automount
					 */
					mapping =
					    __ns_ldap_getMappedObjectClass(
					    "automount", attr[k]->attrvalue[j]);

				if (mapping && mapping[0]) {
					/* assume single mapping */
					modval[j] = strdup(mapping[0]);
				} else {
					modval[j] = strdup(attr[k]->
					    attrvalue[j]);
				}
				if (modval[j] == NULL)
					goto free_memory;
			}
		} else {
			for (j = 0; j < attr[k]->value_count; j++) {
				/* ASSIGN NOT COPY */
				modval[j] = attr[k]->attrvalue[j];
			}
		}
		mods[i]->mod_values = modval;
	}

	return (mods);

free_memory:
	freeModList(mods);
	if (mapping)
	__s_api_free2dArray(mapping);

	return (NULL);

}

static LDAPMod **
__s_api_makeModList(
	const char *service,
	const ns_ldap_attr_t * const *attr,
	const int mod_op,
	const int flags)
{
	ns_ldap_attr_t	**aptr = (ns_ldap_attr_t **)attr;
	int		count = 0;

	if (aptr == NULL)
		return (NULL);

	/* count number of attributes */
	while (*aptr++)
		count++;

	return (__s_api_makeModListCount(service, attr, mod_op, count, flags));
}

static void
__s_cvt_freeEntryRdn(ns_ldap_entry_t **entry, char **rdn)
{
	if (*entry != NULL) {
		__ns_ldap_freeEntry(*entry);
		*entry = NULL;
	}
	if (*rdn != NULL) {
		free(*rdn);
		*rdn = NULL;
	}
}

/*
 * This state machine performs one or more LDAP add/delete/modify
 * operations to configured LDAP servers.
 */
static int
write_state_machine(
	int		ldap_op,
	char		*dn,
	LDAPMod		**mods,
	const ns_cred_t *cred,
	const int	flags,
	ns_ldap_error_t ** errorp)
{
	ConnectionID    connectionId = -1;
	Connection	*conp = NULL;
	LDAPMessage	*res;
	char		*target_dn = NULL;
	char		errstr[MAXERROR];
	int		rc = NS_LDAP_SUCCESS;
	int		return_rc = NS_LDAP_SUCCESS;
	int		followRef = FALSE;
	int		target_dn_allocated = FALSE;
	int		len;
	int		msgid;
	int		Errno;
	boolean_t	from_get_lderrno = B_FALSE;
	int		always = 1;
	char		*err, *errmsg = NULL;
	/* referrals returned by the LDAP operation */
	char		**referrals = NULL;
	/*
	 * list of referrals used by the state machine, built from
	 * the referrals variable above
	 */
	ns_referral_info_t *ref_list = NULL;
	/* current referral */
	ns_referral_info_t *current_ref = NULL;
	ns_write_state_t state = W_INIT, new_state, err_state = W_INIT;
	int		do_not_fail_if_new_pwd_reqd = 0;
	ns_ldap_passwd_status_t	pwd_status = NS_PASSWD_GOOD;
	int		passwd_mgmt = 0;
	int		i = 0;
	int		ldap_error;
	int		nopasswd_acct_mgmt = 0;
	ns_conn_user_t	*conn_user = NULL;

	while (always) {
		switch (state) {
		case W_EXIT:
			/* return the MT connection and free the conn user */
			if (conn_user != NULL) {
				if (conn_user->use_mt_conn == B_TRUE) {
					if (conn_user->ns_error != NULL) {
						*errorp = conn_user->ns_error;
						conn_user->ns_error = NULL;
						return_rc = conn_user->ns_rc;
					}
					if (conn_user->conn_mt != NULL)
						__s_api_conn_mt_return(
						    conn_user);
				}
				__s_api_conn_user_free(conn_user);
			}

			if (connectionId > -1)
				DropConnection(connectionId, NS_LDAP_NEW_CONN);
			if (ref_list)
				__s_api_deleteRefInfo(ref_list);
			if (target_dn && target_dn_allocated)
				free(target_dn);
			return (return_rc);
		case W_INIT:
			/* see if need to follow referrals */
			rc = __s_api_toFollowReferrals(flags,
			    &followRef, errorp);
			if (rc != NS_LDAP_SUCCESS) {
				return_rc = rc;
				new_state = W_ERROR;
				break;
			}
			len = strlen(dn);
			if (dn[len-1] == COMMATOK)
				rc = __s_api_append_default_basedn(
				    dn, &target_dn, &target_dn_allocated,
				    errorp);
			else
				target_dn = dn;
			if (rc != NS_LDAP_SUCCESS) {
				return_rc = rc;
				new_state = W_ERROR;
			}
			else
				new_state = GET_CONNECTION;
			break;
		case GET_CONNECTION:
			/* identify self as a write user */
			conn_user = __s_api_conn_user_init(NS_CONN_USER_WRITE,
			    NULL, B_FALSE);
			rc = __s_api_getConnection(NULL,
			    flags, cred, &connectionId, &conp, errorp,
			    do_not_fail_if_new_pwd_reqd, nopasswd_acct_mgmt,
			    conn_user);

			/*
			 * If password control attached
			 * in *errorp,
			 * e.g. rc == NS_LDAP_SUCCESS_WITH_INFO,
			 * free the error structure (we do not need
			 * the password management info).
			 * Reset rc to NS_LDAP_SUCCESS.
			 */
			if (rc == NS_LDAP_SUCCESS_WITH_INFO) {
				(void) __ns_ldap_freeError(errorp);
				*errorp = NULL;
				rc = NS_LDAP_SUCCESS;
			}

			if (rc != NS_LDAP_SUCCESS) {
				return_rc = rc;
				new_state = W_ERROR;
				break;
			}
			if (followRef)
				new_state = SELECT_OPERATION_ASYNC;
			else
				new_state = SELECT_OPERATION_SYNC;
			break;
		case SELECT_OPERATION_SYNC:
			if (ldap_op == LDAP_REQ_ADD)
				new_state = DO_ADD_SYNC;
			else if (ldap_op == LDAP_REQ_DELETE)
				new_state = DO_DELETE_SYNC;
			else if (ldap_op == LDAP_REQ_MODIFY)
				new_state = DO_MODIFY_SYNC;
			break;
		case SELECT_OPERATION_ASYNC:
			if (ldap_op == LDAP_REQ_ADD)
				new_state = DO_ADD_ASYNC;
			else if (ldap_op == LDAP_REQ_DELETE)
				new_state = DO_DELETE_ASYNC;
			else if (ldap_op == LDAP_REQ_MODIFY)
				new_state = DO_MODIFY_ASYNC;
			break;
		case DO_ADD_SYNC:
			rc = ldap_add_ext_s(conp->ld, target_dn,
			    mods, NULL, NULL);
			new_state = GET_RESULT_SYNC;
			break;
		case DO_DELETE_SYNC:
			rc = ldap_delete_ext_s(conp->ld, target_dn,
			    NULL, NULL);
			new_state = GET_RESULT_SYNC;
			break;
		case DO_MODIFY_SYNC:
			rc = ldap_modify_ext_s(conp->ld, target_dn,
			    mods, NULL, NULL);
			new_state = GET_RESULT_SYNC;
			break;
		case DO_ADD_ASYNC:
			rc = ldap_add_ext(conp->ld, target_dn,
			    mods, NULL, NULL, &msgid);
			new_state = GET_RESULT_ASYNC;
			break;
		case DO_DELETE_ASYNC:
			rc = ldap_delete_ext(conp->ld, target_dn,
			    NULL, NULL, &msgid);
			new_state = GET_RESULT_ASYNC;
			break;
		case DO_MODIFY_ASYNC:
			rc = ldap_modify_ext(conp->ld, target_dn,
			    mods, NULL, NULL, &msgid);
			new_state = GET_RESULT_ASYNC;
			break;
		case GET_RESULT_SYNC:
			if (rc != LDAP_SUCCESS) {
				Errno = rc;
				(void) ldap_get_lderrno(conp->ld,
				    NULL, &errmsg);

				/*
				 * No need to deal with the error message if
				 * it's an empty string.
				 */
				if (errmsg != NULL && *errmsg == '\0')
					errmsg = NULL;

				if (errmsg != NULL) {
					/*
					 * ldap_get_lderrno does not expect
					 * errmsg to be freed after use, while
					 * ldap_parse_result below does, so set
					 * a flag to indicate source.
					 */
					from_get_lderrno = B_TRUE;
				}

				new_state = W_LDAP_ERROR;
			} else {
				return_rc = NS_LDAP_SUCCESS;
				new_state = W_EXIT;
			}
			break;
		case GET_RESULT_ASYNC:
			rc = ldap_result(conp->ld, msgid, 1,
			    (struct timeval *)NULL, &res);
			/* if no server response, set Errno */
			if (rc == -1) {
				(void) ldap_get_option(conp->ld,
				    LDAP_OPT_ERROR_NUMBER, &Errno);
				new_state = W_LDAP_ERROR;
				break;
			}
			if (rc == LDAP_RES_ADD || rc == LDAP_RES_MODIFY ||
			    rc == LDAP_RES_DELETE) {
				new_state = PARSE_RESULT;
				break;
			} else {
				return_rc = rc;
				new_state = W_ERROR;
			}
			break;
		case PARSE_RESULT:
			/*
			 * need Errno, referrals, error msg,
			 * and the last "1" is to free
			 * the result (res)
			 */
			rc = ldap_parse_result(conp->ld, res, &Errno,
			    NULL, &errmsg, &referrals, NULL, 1);
			/*
			 * free errmsg if it is an empty string
			 */
			if (errmsg && *errmsg == '\0') {
				ldap_memfree(errmsg);
				errmsg = NULL;
			}
			/*
			 * If we received referral data, process
			 * it if:
			 * - we are configured to follow referrals
			 * - and not already in referral mode (to keep
			 *   consistency with search_state_machine()
			 *   which follows 1 level of referrals only;
			 *   see proc_result_referrals() and
			 *   proc_search_references().
			 */
			if (Errno == LDAP_REFERRAL && followRef && !ref_list) {
				for (i = 0; referrals[i] != NULL; i++) {
					/* add to referral list */
					rc = __s_api_addRefInfo(&ref_list,
					    referrals[i], NULL, NULL, NULL,
					    conp->ld);
					if (rc != NS_LDAP_SUCCESS) {
						__s_api_deleteRefInfo(ref_list);
						ref_list = NULL;
						break;
					}
				}
				ldap_value_free(referrals);
				if (ref_list == NULL) {
					if (rc != NS_LDAP_MEMORY)
						rc = NS_LDAP_INTERNAL;
					return_rc = rc;
					new_state = W_ERROR;
				} else {
					new_state = GET_REFERRAL_CONNECTION;
					current_ref = ref_list;
				}
				if (errmsg) {
					ldap_memfree(errmsg);
					errmsg = NULL;
				}
				break;
			}
			if (Errno != LDAP_SUCCESS) {
				new_state = W_LDAP_ERROR;
			} else {
				return_rc = NS_LDAP_SUCCESS;
				new_state = W_EXIT;
			}
			break;
		case GET_REFERRAL_CONNECTION:
			/*
			 * since we are starting over,
			 * discard the old error info
			 */
			return_rc = NS_LDAP_SUCCESS;
			if (*errorp)
				(void) __ns_ldap_freeError(errorp);
			if (connectionId > -1)
				DropConnection(connectionId, NS_LDAP_NEW_CONN);

			/* set it up to use a referral connection */
			if (conn_user != NULL) {
				/*
				 * If an MT connection is being used,
				 * return it to the pool.
				 */
				if (conn_user->conn_mt != NULL)
					__s_api_conn_mt_return(conn_user);

				conn_user->referral = B_TRUE;
			}
			rc = __s_api_getConnection(current_ref->refHost,