1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * Copyright 2002-2003 Sun Microsystems, Inc.  All rights reserved.
3*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
4*7c478bd9Sstevel@tonic-gate  */
5*7c478bd9Sstevel@tonic-gate 
6*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
7*7c478bd9Sstevel@tonic-gate 
8*7c478bd9Sstevel@tonic-gate /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
9*7c478bd9Sstevel@tonic-gate  *
10*7c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the Netscape Public License
11*7c478bd9Sstevel@tonic-gate  * Version 1.0 (the "NPL"); you may not use this file except in
12*7c478bd9Sstevel@tonic-gate  * compliance with the NPL.  You may obtain a copy of the NPL at
13*7c478bd9Sstevel@tonic-gate  * http://www.mozilla.org/NPL/
14*7c478bd9Sstevel@tonic-gate  *
15*7c478bd9Sstevel@tonic-gate  * Software distributed under the NPL is distributed on an "AS IS" basis,
16*7c478bd9Sstevel@tonic-gate  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
17*7c478bd9Sstevel@tonic-gate  * for the specific language governing rights and limitations under the
18*7c478bd9Sstevel@tonic-gate  * NPL.
19*7c478bd9Sstevel@tonic-gate  *
20*7c478bd9Sstevel@tonic-gate  * The Initial Developer of the Original Code is Netscape
21*7c478bd9Sstevel@tonic-gate  * Communications Corporation. Portions created by Netscape are
22*7c478bd9Sstevel@tonic-gate  * Copyright (C) 1998-1999 Netscape Communications Corporation. All
23*7c478bd9Sstevel@tonic-gate  * Rights Reserved.
24*7c478bd9Sstevel@tonic-gate  *
25*7c478bd9Sstevel@tonic-gate  * Contributor(s):
26*7c478bd9Sstevel@tonic-gate  */
27*7c478bd9Sstevel@tonic-gate #include "ldap-int.h"
28*7c478bd9Sstevel@tonic-gate 
29*7c478bd9Sstevel@tonic-gate /*
30*7c478bd9Sstevel@tonic-gate  * ldap_sasl_bind - authenticate to the ldap server.  The dn, mechanism,
31*7c478bd9Sstevel@tonic-gate  * and credentials of the entry to which to bind are supplied. An LDAP
32*7c478bd9Sstevel@tonic-gate  * error code is returned and if LDAP_SUCCESS is returned *msgidp is set
33*7c478bd9Sstevel@tonic-gate  * to the id of the request initiated.
34*7c478bd9Sstevel@tonic-gate  *
35*7c478bd9Sstevel@tonic-gate  * Example:
36*7c478bd9Sstevel@tonic-gate  *	struct berval	creds;
37*7c478bd9Sstevel@tonic-gate  *	LDAPControl	**ctrls;
38*7c478bd9Sstevel@tonic-gate  *	int		err, msgid;
39*7c478bd9Sstevel@tonic-gate  *	... fill in creds with credentials ...
40*7c478bd9Sstevel@tonic-gate  *	... fill in ctrls with server controls ...
41*7c478bd9Sstevel@tonic-gate  *	err = ldap_sasl_bind( ld, "cn=manager, o=university of michigan, c=us",
42*7c478bd9Sstevel@tonic-gate  *	    "mechanismname", &creds, ctrls, NULL, &msgid );
43*7c478bd9Sstevel@tonic-gate  */
44*7c478bd9Sstevel@tonic-gate int
45*7c478bd9Sstevel@tonic-gate LDAP_CALL
ldap_sasl_bind(LDAP * ld,const char * dn,const char * mechanism,const struct berval * cred,LDAPControl ** serverctrls,LDAPControl ** clientctrls,int * msgidp)46*7c478bd9Sstevel@tonic-gate ldap_sasl_bind(
47*7c478bd9Sstevel@tonic-gate     LDAP		*ld,
48*7c478bd9Sstevel@tonic-gate     const char		*dn,
49*7c478bd9Sstevel@tonic-gate     const char		*mechanism,
50*7c478bd9Sstevel@tonic-gate     const struct berval	*cred,
51*7c478bd9Sstevel@tonic-gate     LDAPControl		**serverctrls,
52*7c478bd9Sstevel@tonic-gate     LDAPControl		**clientctrls,
53*7c478bd9Sstevel@tonic-gate     int			*msgidp
54*7c478bd9Sstevel@tonic-gate )
55*7c478bd9Sstevel@tonic-gate {
56*7c478bd9Sstevel@tonic-gate 	BerElement	*ber;
57*7c478bd9Sstevel@tonic-gate 	int		rc, simple, msgid, ldapversion;
58*7c478bd9Sstevel@tonic-gate 
59*7c478bd9Sstevel@tonic-gate 	/*
60*7c478bd9Sstevel@tonic-gate 	 * The ldapv3 bind request looks like this:
61*7c478bd9Sstevel@tonic-gate 	 *	BindRequest ::= SEQUENCE {
62*7c478bd9Sstevel@tonic-gate 	 *		version		INTEGER,
63*7c478bd9Sstevel@tonic-gate 	 *		name		DistinguishedName,	 -- who
64*7c478bd9Sstevel@tonic-gate 	 *		authentication	CHOICE {
65*7c478bd9Sstevel@tonic-gate 	 *			simple		[0] OCTET STRING, -- passwd
66*7c478bd9Sstevel@tonic-gate 	 *			sasl		[3] SaslCredentials -- v3 only
67*7c478bd9Sstevel@tonic-gate 	 *		}
68*7c478bd9Sstevel@tonic-gate 	 *	}
69*7c478bd9Sstevel@tonic-gate 	 *	SaslCredentials ::= SEQUENCE {
70*7c478bd9Sstevel@tonic-gate 	 *		mechanism	LDAPString,
71*7c478bd9Sstevel@tonic-gate 	 * 		credentials	OCTET STRING
72*7c478bd9Sstevel@tonic-gate 	 *	}
73*7c478bd9Sstevel@tonic-gate 	 * all wrapped up in an LDAPMessage sequence.
74*7c478bd9Sstevel@tonic-gate 	 */
75*7c478bd9Sstevel@tonic-gate 
76*7c478bd9Sstevel@tonic-gate 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 );
77*7c478bd9Sstevel@tonic-gate 
78*7c478bd9Sstevel@tonic-gate 	if ( msgidp == NULL ) {
79*7c478bd9Sstevel@tonic-gate 		LDAP_SET_LDERRNO( ld, LDAP_PARAM_ERROR, NULL, NULL );
80*7c478bd9Sstevel@tonic-gate                 return( LDAP_PARAM_ERROR );
81*7c478bd9Sstevel@tonic-gate 	}
82*7c478bd9Sstevel@tonic-gate 
83*7c478bd9Sstevel@tonic-gate 	simple = ( mechanism == LDAP_SASL_SIMPLE );
84*7c478bd9Sstevel@tonic-gate 	ldapversion = NSLDAPI_LDAP_VERSION( ld );
85*7c478bd9Sstevel@tonic-gate 
86*7c478bd9Sstevel@tonic-gate 	/* only ldapv3 or higher can do sasl binds */
87*7c478bd9Sstevel@tonic-gate 	if ( !simple && ldapversion < LDAP_VERSION3 ) {
88*7c478bd9Sstevel@tonic-gate 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
89*7c478bd9Sstevel@tonic-gate 		return( LDAP_NOT_SUPPORTED );
90*7c478bd9Sstevel@tonic-gate 	}
91*7c478bd9Sstevel@tonic-gate 
92*7c478bd9Sstevel@tonic-gate 	LDAP_MUTEX_LOCK( ld, LDAP_MSGID_LOCK );
93*7c478bd9Sstevel@tonic-gate 	msgid = ++ld->ld_msgid;
94*7c478bd9Sstevel@tonic-gate 	LDAP_MUTEX_UNLOCK( ld, LDAP_MSGID_LOCK );
95*7c478bd9Sstevel@tonic-gate 
96*7c478bd9Sstevel@tonic-gate 	if ( dn == NULL )
97*7c478bd9Sstevel@tonic-gate 		dn = "";
98*7c478bd9Sstevel@tonic-gate 
99*7c478bd9Sstevel@tonic-gate 	if ( ld->ld_cache_on && ld->ld_cache_bind != NULL ) {
100*7c478bd9Sstevel@tonic-gate 		LDAP_MUTEX_LOCK( ld, LDAP_CACHE_LOCK );
101*7c478bd9Sstevel@tonic-gate 		if ( (rc = (ld->ld_cache_bind)( ld, msgid, LDAP_REQ_BIND, dn,
102*7c478bd9Sstevel@tonic-gate 		    cred, LDAP_AUTH_SASL )) != 0 ) {
103*7c478bd9Sstevel@tonic-gate 			*msgidp = rc;
104*7c478bd9Sstevel@tonic-gate 			LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK );
105*7c478bd9Sstevel@tonic-gate 			return( LDAP_SUCCESS );
106*7c478bd9Sstevel@tonic-gate 		}
107*7c478bd9Sstevel@tonic-gate 		LDAP_MUTEX_UNLOCK( ld, LDAP_CACHE_LOCK );
108*7c478bd9Sstevel@tonic-gate 	}
109*7c478bd9Sstevel@tonic-gate 
110*7c478bd9Sstevel@tonic-gate 	/* create a message to send */
111*7c478bd9Sstevel@tonic-gate 	if (( rc = nsldapi_alloc_ber_with_options( ld, &ber ))
112*7c478bd9Sstevel@tonic-gate 	    != LDAP_SUCCESS ) {
113*7c478bd9Sstevel@tonic-gate 		return( rc );
114*7c478bd9Sstevel@tonic-gate 	}
115*7c478bd9Sstevel@tonic-gate 
116*7c478bd9Sstevel@tonic-gate 	/* fill it in */
117*7c478bd9Sstevel@tonic-gate 	if ( simple ) {		/* simple bind; works in LDAPv2 or v3 */
118*7c478bd9Sstevel@tonic-gate 		struct berval	tmpcred;
119*7c478bd9Sstevel@tonic-gate 
120*7c478bd9Sstevel@tonic-gate 		if ( cred == NULL ) {
121*7c478bd9Sstevel@tonic-gate 			tmpcred.bv_val = "";
122*7c478bd9Sstevel@tonic-gate 			tmpcred.bv_len = 0;
123*7c478bd9Sstevel@tonic-gate 			cred = &tmpcred;
124*7c478bd9Sstevel@tonic-gate 		}
125*7c478bd9Sstevel@tonic-gate 		rc = ber_printf( ber, "{it{isto}", msgid, LDAP_REQ_BIND,
126*7c478bd9Sstevel@tonic-gate 		    ldapversion, dn, LDAP_AUTH_SIMPLE, cred->bv_val,
127*7c478bd9Sstevel@tonic-gate 		    (int)cred->bv_len /* XXX lossy cast */ );
128*7c478bd9Sstevel@tonic-gate 
129*7c478bd9Sstevel@tonic-gate 	} else {		/* SASL bind; requires LDAPv3 or better */
130*7c478bd9Sstevel@tonic-gate 		if ( cred == NULL ) {
131*7c478bd9Sstevel@tonic-gate 			rc = ber_printf( ber, "{it{ist{s}}", msgid,
132*7c478bd9Sstevel@tonic-gate 			    LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL,
133*7c478bd9Sstevel@tonic-gate 			    mechanism );
134*7c478bd9Sstevel@tonic-gate 		} else {
135*7c478bd9Sstevel@tonic-gate 			rc = ber_printf( ber, "{it{ist{so}}", msgid,
136*7c478bd9Sstevel@tonic-gate 			    LDAP_REQ_BIND, ldapversion, dn, LDAP_AUTH_SASL,
137*7c478bd9Sstevel@tonic-gate 			    mechanism, cred->bv_val,
138*7c478bd9Sstevel@tonic-gate 			    (int)cred->bv_len /* XXX lossy cast */ );
139*7c478bd9Sstevel@tonic-gate 		}
140*7c478bd9Sstevel@tonic-gate 	}
141*7c478bd9Sstevel@tonic-gate 
142*7c478bd9Sstevel@tonic-gate 	if ( rc == -1 ) {
143*7c478bd9Sstevel@tonic-gate 		LDAP_SET_LDERRNO( ld, LDAP_ENCODING_ERROR, NULL, NULL );
144*7c478bd9Sstevel@tonic-gate 		ber_free( ber, 1 );
145*7c478bd9Sstevel@tonic-gate 		return( LDAP_ENCODING_ERROR );
146*7c478bd9Sstevel@tonic-gate 	}
147*7c478bd9Sstevel@tonic-gate 
148*7c478bd9Sstevel@tonic-gate 	if ( (rc = nsldapi_put_controls( ld, serverctrls, 1, ber ))
149*7c478bd9Sstevel@tonic-gate 	    != LDAP_SUCCESS ) {
150*7c478bd9Sstevel@tonic-gate 		ber_free( ber, 1 );
151*7c478bd9Sstevel@tonic-gate 		return( rc );
152*7c478bd9Sstevel@tonic-gate 	}
153*7c478bd9Sstevel@tonic-gate 
154*7c478bd9Sstevel@tonic-gate 	/* send the message */
155*7c478bd9Sstevel@tonic-gate 	rc = nsldapi_send_initial_request( ld, msgid, LDAP_REQ_BIND,
156*7c478bd9Sstevel@tonic-gate 		(char *)dn, ber );
157*7c478bd9Sstevel@tonic-gate 	*msgidp = rc;
158*7c478bd9Sstevel@tonic-gate 	return( rc < 0 ? LDAP_GET_LDERRNO( ld, NULL, NULL ) : LDAP_SUCCESS );
159*7c478bd9Sstevel@tonic-gate }
160*7c478bd9Sstevel@tonic-gate 
161*7c478bd9Sstevel@tonic-gate /*
162*7c478bd9Sstevel@tonic-gate  * ldap_sasl_bind_s - bind to the ldap server using sasl authentication
163*7c478bd9Sstevel@tonic-gate  * The dn, mechanism, and credentials of the entry to which to bind are
164*7c478bd9Sstevel@tonic-gate  * supplied.  LDAP_SUCCESS is returned upon success, the ldap error code
165*7c478bd9Sstevel@tonic-gate  * otherwise.
166*7c478bd9Sstevel@tonic-gate  *
167*7c478bd9Sstevel@tonic-gate  * Example:
168*7c478bd9Sstevel@tonic-gate  *	struct berval	creds;
169*7c478bd9Sstevel@tonic-gate  *	... fill in creds with credentials ...
170*7c478bd9Sstevel@tonic-gate  *	ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us",
171*7c478bd9Sstevel@tonic-gate  *	    "mechanismname", &creds )
172*7c478bd9Sstevel@tonic-gate  */
173*7c478bd9Sstevel@tonic-gate int
174*7c478bd9Sstevel@tonic-gate LDAP_CALL
ldap_sasl_bind_s(LDAP * ld,const char * dn,const char * mechanism,const struct berval * cred,LDAPControl ** serverctrls,LDAPControl ** clientctrls,struct berval ** servercredp)175*7c478bd9Sstevel@tonic-gate ldap_sasl_bind_s(
176*7c478bd9Sstevel@tonic-gate     LDAP		*ld,
177*7c478bd9Sstevel@tonic-gate     const char		*dn,
178*7c478bd9Sstevel@tonic-gate     const char		*mechanism,
179*7c478bd9Sstevel@tonic-gate     const struct berval	*cred,
180*7c478bd9Sstevel@tonic-gate     LDAPControl		**serverctrls,
181*7c478bd9Sstevel@tonic-gate     LDAPControl		**clientctrls,
182*7c478bd9Sstevel@tonic-gate     struct berval	**servercredp
183*7c478bd9Sstevel@tonic-gate )
184*7c478bd9Sstevel@tonic-gate {
185*7c478bd9Sstevel@tonic-gate 	int		err, msgid;
186*7c478bd9Sstevel@tonic-gate 	LDAPMessage	*result;
187*7c478bd9Sstevel@tonic-gate 
188*7c478bd9Sstevel@tonic-gate 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 );
189*7c478bd9Sstevel@tonic-gate 
190*7c478bd9Sstevel@tonic-gate 	if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) {
191*7c478bd9Sstevel@tonic-gate 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
192*7c478bd9Sstevel@tonic-gate 		return( LDAP_NOT_SUPPORTED );
193*7c478bd9Sstevel@tonic-gate 	}
194*7c478bd9Sstevel@tonic-gate 
195*7c478bd9Sstevel@tonic-gate 	if ( ( err = ldap_sasl_bind( ld, dn, mechanism, cred, serverctrls,
196*7c478bd9Sstevel@tonic-gate 	    clientctrls, &msgid )) != LDAP_SUCCESS )
197*7c478bd9Sstevel@tonic-gate 		return( err );
198*7c478bd9Sstevel@tonic-gate 
199*7c478bd9Sstevel@tonic-gate 	if ( ldap_result( ld, msgid, 1, (struct timeval *) 0, &result ) == -1 )
200*7c478bd9Sstevel@tonic-gate 		return( LDAP_GET_LDERRNO( ld, NULL, NULL ) );
201*7c478bd9Sstevel@tonic-gate 
202*7c478bd9Sstevel@tonic-gate 	err = ldap_parse_sasl_bind_result( ld, result, servercredp, 0 );
203*7c478bd9Sstevel@tonic-gate 	if (err != LDAP_SUCCESS  && err != LDAP_SASL_BIND_IN_PROGRESS) {
204*7c478bd9Sstevel@tonic-gate 		ldap_msgfree( result );
205*7c478bd9Sstevel@tonic-gate 		return( err );
206*7c478bd9Sstevel@tonic-gate 	}
207*7c478bd9Sstevel@tonic-gate 
208*7c478bd9Sstevel@tonic-gate 	return( ldap_result2error( ld, result, 1 ) );
209*7c478bd9Sstevel@tonic-gate }
210*7c478bd9Sstevel@tonic-gate 
211*7c478bd9Sstevel@tonic-gate 
212*7c478bd9Sstevel@tonic-gate /* returns an LDAP error code that indicates if parse succeeded or not */
213*7c478bd9Sstevel@tonic-gate int
214*7c478bd9Sstevel@tonic-gate LDAP_CALL
ldap_parse_sasl_bind_result(LDAP * ld,LDAPMessage * res,struct berval ** servercredp,int freeit)215*7c478bd9Sstevel@tonic-gate ldap_parse_sasl_bind_result(
216*7c478bd9Sstevel@tonic-gate     LDAP		*ld,
217*7c478bd9Sstevel@tonic-gate     LDAPMessage		*res,
218*7c478bd9Sstevel@tonic-gate     struct berval	**servercredp,
219*7c478bd9Sstevel@tonic-gate     int			freeit
220*7c478bd9Sstevel@tonic-gate )
221*7c478bd9Sstevel@tonic-gate {
222*7c478bd9Sstevel@tonic-gate 	BerElement	ber;
223*7c478bd9Sstevel@tonic-gate 	int		rc, err;
224*7c478bd9Sstevel@tonic-gate 	ber_int_t	along;
225*7c478bd9Sstevel@tonic-gate 	ber_len_t	len;
226*7c478bd9Sstevel@tonic-gate 	char		*m, *e;
227*7c478bd9Sstevel@tonic-gate 
228*7c478bd9Sstevel@tonic-gate 	LDAPDebug( LDAP_DEBUG_TRACE, "ldap_parse_sasl_bind_result\n", 0, 0, 0 );
229*7c478bd9Sstevel@tonic-gate 
230*7c478bd9Sstevel@tonic-gate 	/*
231*7c478bd9Sstevel@tonic-gate 	 * the ldapv3 SASL bind response looks like this:
232*7c478bd9Sstevel@tonic-gate 	 *
233*7c478bd9Sstevel@tonic-gate 	 *	BindResponse ::= [APPLICATION 1] SEQUENCE {
234*7c478bd9Sstevel@tonic-gate 	 *		COMPONENTS OF LDAPResult,
235*7c478bd9Sstevel@tonic-gate 	 *		serverSaslCreds [7] OCTET STRING OPTIONAL
236*7c478bd9Sstevel@tonic-gate 	 *	}
237*7c478bd9Sstevel@tonic-gate 	 *
238*7c478bd9Sstevel@tonic-gate 	 * all wrapped up in an LDAPMessage sequence.
239*7c478bd9Sstevel@tonic-gate 	 */
240*7c478bd9Sstevel@tonic-gate 
241*7c478bd9Sstevel@tonic-gate 	if ( !NSLDAPI_VALID_LDAP_POINTER( ld ) ||
242*7c478bd9Sstevel@tonic-gate 	    !NSLDAPI_VALID_LDAPMESSAGE_BINDRESULT_POINTER( res )) {
243*7c478bd9Sstevel@tonic-gate 		return( LDAP_PARAM_ERROR );
244*7c478bd9Sstevel@tonic-gate 	}
245*7c478bd9Sstevel@tonic-gate 
246*7c478bd9Sstevel@tonic-gate 	/* only ldapv3 or higher can do sasl binds */
247*7c478bd9Sstevel@tonic-gate 	if ( NSLDAPI_LDAP_VERSION( ld ) < LDAP_VERSION3 ) {
248*7c478bd9Sstevel@tonic-gate 		LDAP_SET_LDERRNO( ld, LDAP_NOT_SUPPORTED, NULL, NULL );
249*7c478bd9Sstevel@tonic-gate 		return( LDAP_NOT_SUPPORTED );
250*7c478bd9Sstevel@tonic-gate 	}
251*7c478bd9Sstevel@tonic-gate 
252*7c478bd9Sstevel@tonic-gate 	if ( servercredp != NULL ) {
253*7c478bd9Sstevel@tonic-gate 		*servercredp = NULL;
254*7c478bd9Sstevel@tonic-gate 	}
255*7c478bd9Sstevel@tonic-gate 
256*7c478bd9Sstevel@tonic-gate 	ber = *(res->lm_ber);	/* struct copy */
257*7c478bd9Sstevel@tonic-gate 
258*7c478bd9Sstevel@tonic-gate 	/* skip past message id, matched dn, error message ... */
259*7c478bd9Sstevel@tonic-gate 	rc = ber_scanf( &ber, "{iaa}", &along, &m, &e );
260*7c478bd9Sstevel@tonic-gate 
261*7c478bd9Sstevel@tonic-gate 	if ( rc != LBER_ERROR &&
262*7c478bd9Sstevel@tonic-gate 	    ber_peek_tag( &ber, &len ) == LDAP_TAG_SASL_RES_CREDS ) {
263*7c478bd9Sstevel@tonic-gate 		rc = ber_get_stringal( &ber, servercredp );
264*7c478bd9Sstevel@tonic-gate 	}
265*7c478bd9Sstevel@tonic-gate 
266*7c478bd9Sstevel@tonic-gate 	if ( freeit ) {
267*7c478bd9Sstevel@tonic-gate 		ldap_msgfree( res );
268*7c478bd9Sstevel@tonic-gate 	}
269*7c478bd9Sstevel@tonic-gate 
270*7c478bd9Sstevel@tonic-gate 	if ( rc == LBER_ERROR ) {
271*7c478bd9Sstevel@tonic-gate 		err = LDAP_DECODING_ERROR;
272*7c478bd9Sstevel@tonic-gate 	} else {
273*7c478bd9Sstevel@tonic-gate 		err = (int) along;
274*7c478bd9Sstevel@tonic-gate 	}
275*7c478bd9Sstevel@tonic-gate 
276*7c478bd9Sstevel@tonic-gate 	LDAP_SET_LDERRNO( ld, err, m, e );
277*7c478bd9Sstevel@tonic-gate 	/* this is a little kludge for the 3.0 Barracuda/hammerhead relese */
278*7c478bd9Sstevel@tonic-gate 	/* the docs state that the return is either LDAP_DECODING_ERROR */
279*7c478bd9Sstevel@tonic-gate 	/* or LDAP_SUCCESS.  Here we match the docs...  it's cleaner in 3.1 */
280*7c478bd9Sstevel@tonic-gate 
281*7c478bd9Sstevel@tonic-gate 	if ( LDAP_DECODING_ERROR == err ) {
282*7c478bd9Sstevel@tonic-gate 		return (LDAP_DECODING_ERROR);
283*7c478bd9Sstevel@tonic-gate 	} else {
284*7c478bd9Sstevel@tonic-gate 		return( LDAP_SUCCESS );
285*7c478bd9Sstevel@tonic-gate 	}
286*7c478bd9Sstevel@tonic-gate }
287