authorcvsadm <cvsadm>2005-01-21 00:44:34 +0000
committercvsadm <cvsadm>2005-01-21 00:44:34 +0000
commitb2093e3016027d6b5cf06b3f91f30769bfc099e2 (patch)
treecf58939393a9032182c4fbc4441164a9456e82f8 /include/ldaputil
Moving NSCP Directory Server from DirectoryBranch to TRUNK, initial drop. (foxworth)ldapserver7x
Diffstat (limited to 'include/ldaputil')
-rw-r--r--include/ldaputil/cert.h27
-rw-r--r--include/ldaputil/certmap.h124
-rw-r--r--include/ldaputil/dbconf.h91
-rw-r--r--include/ldaputil/encode.h29
-rw-r--r--include/ldaputil/errors.h108
-rw-r--r--include/ldaputil/extcmap.h634
-rw-r--r--include/ldaputil/init.h23
-rw-r--r--include/ldaputil/ldapauth.h94
-rw-r--r--include/ldaputil/ldapdb.h100
-rw-r--r--include/ldaputil/ldaputil.h132
10 files changed, 1362 insertions, 0 deletions
diff --git a/include/ldaputil/cert.h b/include/ldaputil/cert.h
new file mode 100644
index 00000000..4dac8f05
--- /dev/null
+++ b/include/ldaputil/cert.h
@@ -0,0 +1,27 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_CERT_H
+#define _LDAPU_CERT_H
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC int ldapu_get_cert (void *SSLendpoint, void **cert);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_CERT_H */
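Review bot: The include guard `_LDAPU_CERT_H` on lines 38-39 is an identifier reserved for the implementation (leading underscore followed by an uppercase letter, C11 7.1.3), and the same pattern is used in certmap.h (`_LDAPU_CERTMAP_H`), dbconf.h (`_LDAPU_DBCONF_H`), encode.h (`_LDAPU_ENCODE_H`), errors.h (`_LDAPU_ERRORS_H`) and extcmap.h (`_PUBLIC_CERTMAP_H`, plus the double-underscore `__ldapu_table`). Renaming them to `LDAPU_CERT_H` and so on avoids a silent collision with libc or compiler headers. Separately, `ldapu_get_cert` on line 53 has no contract: the header does not say what the return value means, what `*cert` is set to on success, or who owns it afterwards. A comment above the prototype along the lines of `/* Returns LDAPU_SUCCESS and sets *cert (presumably the peer certificate of SSLendpoint — confirm against cert.c); other codes map via ldapu_err2string. Ownership of *cert: document whether the caller must free it. */` would make the call usable without reading the implementation.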
diff --git a/include/ldaputil/certmap.h b/include/ldaputil/certmap.h
new file mode 100644
index 00000000..921cbd06
--- /dev/null
+++ b/include/ldaputil/certmap.h
@@ -0,0 +1,124 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_CERTMAP_H
+#define _LDAPU_CERTMAP_H
+
+#ifndef INTLDAPU
+#define INTLDAPU
+#endif /* INTLDAPU */
+
+#include "extcmap.h"
+
+enum {
+ LDAPU_STR_FILTER_DEFAULT,
+ LDAPU_STR_FILTER_USER,
+ LDAPU_STR_FILTER_GROUP,
+ LDAPU_STR_FILTER_MEMBER,
+ LDAPU_STR_FILTER_MEMBER_RECURSE,
+ LDAPU_STR_ATTR_USER,
+ LDAPU_STR_ATTR_CERT,
+ LDAPU_STR_ATTR_CERT_NOSUBTYPE,
+ LDAPU_STR_MAX_INDEX
+};
+
+static char *ldapu_strings[] = {
+ "objectclass=*", /* LDAPU_STR_DEFAULT */
+ "uid=%s", /* LDAPU_STR_FILTER_USER */
+ "(& (cn=%s) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))", /* LDAPU_STR_FILTER_GROUP */
+ "(| (uniquemember=%s) (member=%s))", /* LDAPU_STR_FILTER_MEMBER */
+ "(& %s (| (objectclass=groupofuniquenames) (objectclass=groupofnames))", /* LDAPU_STR_FILTER_MEMBER_RECURSE */
+ "uid", /* LDAPU_STR_ATTR_USER */
+ "userCertificate;binary", /* LDAPU_STR_ATTR_CERT */
+ "userCertificate" /* LDAPU_STR_ATTR_CERT_NOSUBTYPE */
+};
+
+typedef struct {
+ char *str;
+ int size;
+ int len;
+} LDAPUStr_t;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC int ldapu_cert_to_ldap_entry (void *cert, LDAP *ld,
+ const char *basedn,
+ LDAPMessage **res);
+
+NSAPI_PUBLIC int ldapu_set_cert_mapfn (const char *issuerDN,
+ CertMapFn_t mapfn);
+
+
+NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn (const char *issuerDN);
+
+NSAPI_PUBLIC int ldapu_set_cert_searchfn (const char *issuerDN,
+ CertSearchFn_t searchfn);
+
+
+NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn (const char *issuerDN);
+
+NSAPI_PUBLIC int ldapu_set_cert_verifyfn (const char *issuerDN,
+ CertVerifyFn_t verifyFn);
+
+NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn (const char *issuerDN);
+
+
+NSAPI_PUBLIC int ldapu_get_cert_subject_dn (void *cert, char **subjectDN);
+
+
+NSAPI_PUBLIC int ldapu_get_cert_issuer_dn (void *cert, char **issuerDN);
+
+
+NSAPI_PUBLIC int ldapu_get_cert_ava_val (void *cert, int which_dn,
+ const char *attr, char ***val);
+
+
+NSAPI_PUBLIC int ldapu_free_cert_ava_val (char **val);
+
+
+NSAPI_PUBLIC int ldapu_get_cert_der (void *cert, unsigned char **derCert,
+ unsigned int *len);
+
+
+NSAPI_PUBLIC int ldapu_issuer_certinfo (const char *issuerDN,
+ void **certmap_info);
+
+
+NSAPI_PUBLIC int ldapu_certmap_info_attrval (void *certmap_info,
+ const char *attr, char **val);
+
+
+NSAPI_PUBLIC char *ldapu_err2string (int err);
+
+/* Keep the old fn for backward compatibility */
+NSAPI_PUBLIC void ldapu_free_old (char *ptr);
+
+
+NSAPI_PUBLIC void *ldapu_malloc (int size);
+
+
+NSAPI_PUBLIC char *ldapu_strdup (const char *ptr);
+
+
+NSAPI_PUBLIC void *ldapu_realloc (void *ptr, int size);
+
+
+NSAPI_PUBLIC void ldapu_free (void *ptr);
+
+
+NSAPI_PUBLIC int ldapu_string_set (const int type, const char *filter);
+
+
+NSAPI_PUBLIC const char *ldapu_string_get (const int type);
+
+NSAPI_PUBLIC int ldaputil_exit ();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_CERTMAP_H */
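Review bot: The `LDAPU_STR_FILTER_MEMBER_RECURSE` literal on line 97 has four opening parentheses but only three closing ones, so the filter it formats is not a valid LDAP filter unless the caller appends the missing parenthesis; the line should read `"(& %s (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))",`. The table itself is a non-const `static char *ldapu_strings[]` defined in a header, which gives every translation unit that includes certmap.h its own private copy, so any update made through `ldapu_string_set` in one unit is invisible to the others, and writing through those non-const pointers to string literals would be undefined behaviour; declaring it `extern const char *const ldapu_strings[];` here and defining it once in a .c file fixes both. The comment on line 93 names `LDAPU_STR_DEFAULT`, which is not the enumerator on line 81 (`LDAPU_STR_FILTER_DEFAULT`). The `%s` slots in the user, group and member filters (lines 94-97) are substituted with values taken from certificates or requests, and nothing in this header says who escapes them; a note that callers must escape substituted values per the LDAP filter grammar (RFC 4515) before formatting would prevent filter injection through a crafted subject DN or uid.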
diff --git a/include/ldaputil/dbconf.h b/include/ldaputil/dbconf.h
new file mode 100644
index 00000000..3556c36e
--- /dev/null
+++ b/include/ldaputil/dbconf.h
@@ -0,0 +1,91 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_DBCONF_H
+#define _LDAPU_DBCONF_H
+
+#include <stdio.h>
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+typedef struct dbconf_propval {
+ char *prop; /* Property name */
+ char *val; /* Property value */
+ struct dbconf_propval *next; /* Pointer to the next prop-val pair */
+} DBPropVal_t;
+
+typedef struct dbconf_dbinfo {
+ char *dbname; /* Database name */
+ char *url; /* Database URL */
+ DBPropVal_t *firstprop; /* pointer to first property-value pair */
+ DBPropVal_t *lastprop; /* pointer to last property-value pair */
+ struct dbconf_dbinfo *next; /* pointer to next db info */
+} DBConfDBInfo_t;
+
+typedef struct {
+ DBConfDBInfo_t *firstdb; /* pointer to first db info */
+ DBConfDBInfo_t *lastdb; /* pointer to last db info */
+} DBConfInfo_t;
+
+#define DBCONF_DEFAULT_DBNAME "default"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC extern int dbconf_read_default_dbinfo (const char *file,
+ DBConfDBInfo_t **db_info);
+NSAPI_PUBLIC extern int dbconf_read_config_file (const char *file,
+ DBConfInfo_t **conf_info);
+
+NSAPI_PUBLIC extern int ldapu_dbinfo_attrval (DBConfDBInfo_t *db_info,
+ const char *attr, char **val);
+
+NSAPI_PUBLIC extern void dbconf_free_confinfo (DBConfInfo_t *conf_info);
+NSAPI_PUBLIC extern void dbconf_free_dbinfo (DBConfDBInfo_t *db_info);
+
+extern void dbconf_free_propval (DBPropVal_t *propval);
+
+extern void dbconf_print_confinfo (DBConfInfo_t *conf_info);
+extern void dbconf_print_dbinfo (DBConfDBInfo_t *db_info);
+extern void dbconf_print_propval (DBPropVal_t *propval);
+
+
+NSAPI_PUBLIC int dbconf_output_db_directive (FILE *fp, const char *dbname,
+ const char *url);
+
+NSAPI_PUBLIC int dbconf_output_propval (FILE *fp, const char *dbname,
+ const char *prop, const char *val,
+ const int encoded);
+
+/* Following functions are required by certmap.c file */
+extern int dbconf_read_config_file_sub (const char *file,
+ const char *directive,
+ const int directive_len,
+ DBConfInfo_t **conf_info_out);
+
+extern int dbconf_read_default_dbinfo_sub (const char *file,
+ const char *directive,
+ const int directive_len,
+ DBConfDBInfo_t **db_info_out);
+
+NSAPI_PUBLIC int dbconf_get_dbnames (const char *dbmap, char ***dbnames, int *cnt);
+
+NSAPI_PUBLIC int dbconf_free_dbnames (char **dbnames);
+
+
+extern int ldapu_strcasecmp (const char *s1, const char *s2);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_DBCONF_H */
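Review bot: The declarations mix three linkage spellings — `NSAPI_PUBLIC extern int` (line 239), `NSAPI_PUBLIC int` (line 257) and bare `extern int` (lines 250-254, 265-273, 280) — with nothing stating which functions form the exported interface; the bare-`extern` group is described on line 264 only as "required by certmap.c", which suggests it belongs in a private header rather than this public one. The out-parameters also lack ownership notes: `dbconf_get_dbnames` is paired with `dbconf_free_dbnames`, but `ldapu_dbinfo_attrval` on line 244 returns `*val` with no matching free function and no statement of whether it aliases `db_info`. A comment on that prototype such as `/* *val: state whether the caller frees it or it is owned by db_info — confirm against dbconf.c */` would settle the question for callers. The `const int encoded` and `const int directive_len` qualifiers on by-value parameters (lines 262, 267, 272) are a definition detail and can be dropped from the prototypes.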
diff --git a/include/ldaputil/encode.h b/include/ldaputil/encode.h
new file mode 100644
index 00000000..6cc7729e
--- /dev/null
+++ b/include/ldaputil/encode.h
@@ -0,0 +1,29 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_ENCODE_H
+#define _LDAPU_ENCODE_H
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC extern char *dbconf_encodeval(const char *val);
+
+NSAPI_PUBLIC extern char *dbconf_decodeval (const char *val);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_ENCODE_H */
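Review bot: `dbconf_encodeval` and `dbconf_decodeval` on lines 313-315 are undocumented: the header does not name the encoding scheme, say whether the returned `char *` is freshly allocated (and with which allocator it must be freed), or say how failure is reported, even though `dbconf_output_propval` in dbconf.h takes an `encoded` flag whose meaning depends on the answer. A short comment above each prototype giving the scheme, the ownership of the returned string and the failure value (presumably NULL — confirm against the implementation) would give callers a contract; the specifics have to come from encode.c. The two prototypes also differ in spacing before the parameter list (`dbconf_encodeval(` versus `dbconf_decodeval (`).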
diff --git a/include/ldaputil/errors.h b/include/ldaputil/errors.h
new file mode 100644
index 00000000..de6f893d
--- /dev/null
+++ b/include/ldaputil/errors.h
@@ -0,0 +1,108 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_ERRORS_H
+#define _LDAPU_ERRORS_H
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+#ifdef DBG_PRINT
+#include <stdio.h>
+#define DBG_PRINT1(x) fprintf(stderr, x)
+#define DBG_PRINT2(x,y) fprintf(stderr, x, y)
+#define DBG_PRINT3(x,y,z) fprintf(stderr, x, y, z)
+#define DBG_PRINT4(x,y,z,a) fprintf(stderr, x, y, z, a)
+#else
+#define DBG_PRINT1(x)
+#define DBG_PRINT2(x,y)
+#define DBG_PRINT3(x,y,z)
+#define DBG_PRINT4(x,y,z,a)
+#endif
+
+/* Common error codes */
+#define LDAPU_ERR_NOT_IMPLEMENTED -1000
+#define LDAPU_ERR_INTERNAL -1001
+/* #define LDAPU_SUCCESS 0 */ /* defined in extcmap.h */
+/* #define LDAPU_FAILED -1 */ /* defined in extcmap.h */
+/* #define LDAPU_CERT_MAP_FUNCTION_FAILED -2 *//* defined in extcmap.h */
+/* #define LDAPU_CERT_VERIFY_FUNCTION_FAILED -3 *//* defined in extcmap.h */
+/* #define LDAPU_CERT_VERIFY_FUNCTION_FAILED -4 *//* defined in extcmap.h */
+/* #define LDAPU_CERT_MAP_INITFN_FAILED -5 *//* defined in extcmap.h */
+
+/* Error codes returned by ldapdb.c */
+#define LDAPU_ERR_OUT_OF_MEMORY -110
+#define LDAPU_ERR_URL_INVALID_PREFIX -112
+#define LDAPU_ERR_URL_NO_BASEDN -113
+#define LDAPU_ERR_URL_PARSE_FAILED -114
+
+#define LDAPU_ERR_LDAP_INIT_FAILED -120
+#define LDAPU_ERR_LCACHE_INIT_FAILED -121
+#define LDAPU_ERR_LDAP_SET_OPTION_FAILED -122
+#define LDAPU_ERR_NO_DEFAULT_CERTDB -123
+
+/* Errors returned by dbconf.c */
+#define LDAPU_ERR_CANNOT_OPEN_FILE -141
+#define LDAPU_ERR_DBNAME_IS_MISSING -142
+#define LDAPU_ERR_PROP_IS_MISSING -143
+#define LDAPU_ERR_DIRECTIVE_IS_MISSING -145
+#define LDAPU_ERR_NOT_PROPVAL -146
+#define LDAPU_ATTR_NOT_FOUND -147
+
+/* Error codes returned by certmap.c */
+#define LDAPU_ERR_NO_ISSUERDN_IN_CERT -181
+#define LDAPU_ERR_NO_ISSUERDN_IN_CONFIG_FILE -182
+#define LDAPU_ERR_CERTMAP_INFO_MISSING -183
+#define LDAPU_ERR_MALFORMED_SUBJECT_DN -184
+#define LDAPU_ERR_MAPPED_ENTRY_NOT_FOUND -185
+#define LDAPU_ERR_UNABLE_TO_LOAD_PLUGIN -186
+#define LDAPU_ERR_MISSING_INIT_FN_IN_LIB -187
+#define LDAPU_ERR_MISSING_INIT_FN_IN_CONFIG -188
+#define LDAPU_ERR_CERT_VERIFY_FAILED -189
+#define LDAPU_ERR_CERT_VERIFY_NO_CERTS -190
+#define LDAPU_ERR_MISSING_LIBNAME -191
+#define LDAPU_ERR_MISSING_INIT_FN_NAME -192
+
+#define LDAPU_ERR_EMPTY_LDAP_RESULT -193
+#define LDAPU_ERR_MULTIPLE_MATCHES -194
+#define LDAPU_ERR_MISSING_RES_ENTRY -195
+#define LDAPU_ERR_MISSING_UID_ATTR -196
+#define LDAPU_ERR_WRONG_ARGS -197
+#define LDAPU_ERR_RENAME_FILE_FAILED -198
+
+#define LDAPU_ERR_MISSING_VERIFYCERT_VAL -199
+#define LDAPU_ERR_CANAME_IS_MISSING -200
+#define LDAPU_ERR_CAPROP_IS_MISSING -201
+#define LDAPU_ERR_UNKNOWN_CERT_ATTR -202
+#define LDAPU_ERR_INVALID_ARGUMENT -203
+#define LDAPU_ERR_INVALID_SUFFIX -204
+
+/* Error codes returned by cert.c */
+#define LDAPU_ERR_EXTRACT_SUBJECTDN_FAILED -300
+#define LDAPU_ERR_EXTRACT_ISSUERDN_FAILED -301
+#define LDAPU_ERR_EXTRACT_DERCERT_FAILED -302
+
+/* Error codes returned by ldapauth.c */
+#define LDAPU_ERR_CIRCULAR_GROUPS -400
+#define LDAPU_ERR_INVALID_STRING -401
+#define LDAPU_ERR_INVALID_STRING_INDEX -402
+#define LDAPU_ERR_MISSING_ATTR_VAL -403
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /* NSAPI_PUBLIC extern char *ldapu_err2string(int err); */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* LDAPUTIL_LDAPU_H */
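Review bot: `DBG_PRINT1(x)` on line 346 expands to `fprintf(stderr, x)`, passing its argument as the format string; any call site that hands it a message containing `%`, or a non-literal string, becomes a format-string bug and `-Wformat-security` will flag it, so it should be `#define DBG_PRINT1(x) fputs((x), stderr)` (or `fprintf(stderr, "%s", (x))`). The closing guard comment on line 435, `/* LDAPUTIL_LDAPU_H */`, does not match the macro actually tested on line 333, `_LDAPU_ERRORS_H`. The commented-out list on lines 362-365 is stale: it shows `LDAPU_CERT_VERIFY_FUNCTION_FAILED` twice (-3 and -4) whereas extcmap.h on line 472 defines -3 as `LDAPU_CERT_SEARCH_FUNCTION_FAILED`, so the block is better deleted than left to mislead. The code ranges also skip -111 and -144 without explanation; a one-line note saying whether those values are retired or reserved would stop a future author reusing them with a different meaning.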
diff --git a/include/ldaputil/extcmap.h b/include/ldaputil/extcmap.h
new file mode 100644
index 00000000..fde6a4b3
--- /dev/null
+++ b/include/ldaputil/extcmap.h
@@ -0,0 +1,634 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _PUBLIC_CERTMAP_H
+#define _PUBLIC_CERTMAP_H
+
+#include <ldap.h>
+
+#ifndef NSAPI_PUBLIC
+#if defined( _WINDOWS ) || defined( _WIN32 ) || defined( XP_WIN32 )
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+
+#define LDAPU_ATTR_INITFN "InitFn"
+#define LDAPU_ATTR_LIBRARY "library"
+#define LDAPU_ATTR_DNCOMPS "DNComps"
+#define LDAPU_ATTR_FILTERCOMPS "FilterComps"
+#define LDAPU_ATTR_VERIFYCERT "VerifyCert"
+#define LDAPU_ATTR_CERTMAP_LDAP_ATTR "CmapLdapAttr"
+
+/* Error/Success codes */
+#define LDAPU_SUCCESS 0
+#define LDAPU_FAILED -1
+#define LDAPU_CERT_MAP_FUNCTION_FAILED -2
+#define LDAPU_CERT_SEARCH_FUNCTION_FAILED -3
+#define LDAPU_CERT_VERIFY_FUNCTION_FAILED -4
+#define LDAPU_CERT_MAP_INITFN_FAILED -5
+
+
+/*
+ * CertMapFn_t -
+ * This is a typedef for cert mapping function. The mapping function is
+ * called by the function ldapu_cert_to_ldap_entry.
+ * Parameters:
+ * cert - cert to be mapped. You can pass this to
+ * functions ldapu_get_cert_XYZ.
+ * ld - Handle to the connection to the directory server.
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * This structure can be passed to the function
+ * ldapu_certmap_info_attrval to get value for a particular
+ * configuration attribute (or a property).
+ * ldapdn - The mapping function should allocate memory for ldapdn
+ * using malloc and set this variable using the 'cert' and
+ * 'certmap_info'. This DN will be used for ldap lookup.
+ * filter - The mapping function should allocate memory for filter
+ * using malloc and set this variable using the 'cert' and
+ * 'certmap_info'. This will be used as ldap filter for ldap
+ * lookup of the ldapdn.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion (cert is mapped)
+ * return LDAPU_FAILED there is no unexpected error but cert could not
+ * mapped (probably because ldap entry doesn't exist).
+ * otherwise return LDAPU_CERT_MAP_FUNCTION_FAILED.
+ */
+typedef int (*CertMapFn_t)(void *cert, LDAP *ld, void *certmap_info,
+ char **ldapdn, char **filter);
+
+
+/*
+ * CertSearchFn_t -
+ * This is a typedef for cert search function. The search function is
+ * called by the function ldapu_cert_to_ldap_entry after calling the mapping
+ * function. The candidate 'dn' and 'filter' returned by the mapping
+ * function is passed to this function.
+ * The default search function works as follows:
+ * 1. If the 'filter' is NULL, default it to 'objectclass=*'.
+ * 2. If the 'dn' is non-NULL, do a base level search with the 'dn' and
+ * 'filter'. If it succeeds, we are done. If there is no serious
+ * error (LDAP_NO_SUCH_OBJECT is not serious error yet), continue.
+ * 3. If the 'dn' is NULL, default it to 'basedn'.
+ * 4. Perform a 'subtree' search in LDAP for the 'dn' and the 'filter'.
+ * 5. Return the results of the last search.
+ * Parameters:
+ * cert - cert to be mapped. You can pass this to
+ * functions ldapu_get_cert_XYZ.
+ * ld - Handle to the connection to the directory server.
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * This structure can be passed to the function
+ * ldapu_certmap_info_attrval to get value for a particular
+ * configuration attribute (or a property).
+ * suffix - If the ldapdn is empty then use this DN to begin the
+ * search. This is the DN of the root object in LDAP
+ * Directory.
+ * ldapdn - candidate 'dn' returned by the mapping function.
+ * filter - returned by the mapping function.
+ * attrs - list of attributes to return from the search. If this is
+ * NULL, all attributes are returned.
+ * res - result of the search which is passed to the verify
+ * function.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * return LDAPU_FAILED there is no unexpected error but entries matching the
+ * 'dn' and 'filter' doesn't exist.
+ * otherwise return LDAPU_CERT_SEARCH_FUNCTION_FAILED.
+ */
+typedef int (*CertSearchFn_t)(void *cert, LDAP *ld, void *certmap_info,
+ const char *suffix, const char *ldapdn,
+ const char *filter, const char **attrs,
+ LDAPMessage ***res);
+
+
+/*
+ * CertVerifyFn_t -
+ * This is a typedef for cert verify function. The verify function is
+ * called by the function ldapu_cert_to_ldap_entry after the cert is
+ * successfully mapped to ldapdn and filter, and an entry matching that
+ * exists in the directory server. The verify fn may get called for
+ * multiple matched entries. This function must go through all the entries
+ * and check which one is appropriate. The pointer to that entry must be
+ * passed back in the 'LDAPMessage **entry' parameter.
+ * Parameters:
+ * cert - Original cert to be mapped. You can pass this to
+ * functions ldapu_get_cert_XYZ.
+ * ld - Handle to the connection to the directory server.
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * This structure can be passed to the function
+ * ldapu_certmap_info_attrval to get value for a particular
+ * configuration attribute (or a property).
+ * res - cert is first mapped to ldapdn and filter. 'res' is the
+ * result of ldap search using the ldapdn and filter.
+ * 'ld' and 'res' can be used in the calls to ldapsdk API.
+ * entry - pointer to the entry from 'res' which is the correct match
+ * according to the verify function.
+ *
+ * Return Values:
+ * return LDAPU_SUCCESS upon successful completion (cert is verified)
+ * return LDAPU_FAILED there is no unexpected error but cert could not
+ * verified (probably because it was revoked).
+ * otherwise return LDAPU_CERT_VERIFY_FUNCTION_FAILED.
+ */
+typedef int (*CertVerifyFn_t)(void *cert, LDAP *ld, void *certmap_info,
+ LDAPMessage *res, LDAPMessage **entry);
+
+
+
+/*
+ * CertmapInitFn_t -
+ * This is a typedef for user defined init function. An init function can be
+ * specified in the config file (<ServerRoot>/userdb/certmap.conf) per issuer
+ * of a certificate. This init function must from the user's library, also
+ * loaded from the config file using the 'library' property. The init
+ * function is specified in the config file using the 'InitFn' property.
+ * When the config file is loaded, any user defined init functions will be
+ * called with the certmap_info pertaining to the issuer (CA).
+ * Parameters:
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * This structure can be passed to the function
+ * ldapu_certmap_info_attrval to get value for a particular
+ * configuration attribute (or a property).
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise return LDAPU_CERT_MAP_INITFN_FAILED. The server startup will be
+ * aborted if the return value is not LDAPU_SUCCESS.
+ */
+typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName,
+ const char *issuerDN, const char *libname);
+
+/*
+ * Refer to the description of the function ldapu_get_cert_ava_val
+ */
+enum {
+ LDAPU_SUBJECT_DN,
+ LDAPU_ISSUER_DN
+};
+
+/* ldapu_cert_to_ldap_entry */
+typedef int (*t_ldapu_cert_to_ldap_entry)(void *cert, LDAP *ld,
+ const char *suffix,
+ LDAPMessage **res);
+
+/* ldapu_set_cert_mapfn */
+typedef int (*t_ldapu_set_cert_mapfn)(const char *issuerDN,
+ CertMapFn_t mapfn);
+
+/* ldapu_get_cert_mapfn */
+typedef CertMapFn_t (*t_ldapu_get_cert_mapfn) (const char *issuerDN);
+
+/* ldapu_set_cert_searchfn */
+typedef int (*t_ldapu_set_cert_searchfn) (const char *issuerDN,
+ CertSearchFn_t searchfn);
+
+/* ldapu_get_cert_searchfn */
+typedef CertSearchFn_t (*t_ldapu_get_cert_searchfn) (const char *issuerDN);
+
+/* ldapu_set_cert_verifyfn */
+typedef int (*t_ldapu_set_cert_verifyfn) (const char *issuerDN,
+ CertVerifyFn_t verifyFn);
+
+/* ldapu_get_cert_verifyfn */
+typedef CertVerifyFn_t (*t_ldapu_get_cert_verifyfn) (const char *issuerDN);
+
+/* ldapu_get_cert_subject_dn */
+typedef int (*t_ldapu_get_cert_subject_dn) (void *cert, char **subjectDN);
+
+/* ldapu_get_cert_issuer_dn */
+typedef int (*t_ldapu_get_cert_issuer_dn) (void *cert, char **issuerDN);
+
+/* ldapu_get_cert_ava_val */
+typedef int (*t_ldapu_get_cert_ava_val) (void *cert, int which_dn,
+ const char *attr, char ***val);
+
+/* ldapu_free_cert_ava_val */
+typedef int (*t_ldapu_free_cert_ava_val) (char **val);
+
+/* ldapu_get_cert_der */
+typedef int (*t_ldapu_get_cert_der) (void *cert, unsigned char **derCert,
+ unsigned int *len);
+
+/* ldapu_issuer_certinfo */
+typedef int (*t_ldapu_issuer_certinfo) (const char *issuerDN,
+ void **certmap_info);
+
+/* ldapu_certmap_info_attrval */
+typedef int (*t_ldapu_certmap_info_attrval) (void *certmap_info,
+ const char *attr, char **val);
+
+/* ldapu_err2string */
+typedef char * (*t_ldapu_err2string) (int err);
+
+/* ldapu_free */
+typedef void (*t_ldapu_free_old) (char *ptr);
+typedef void (*t_ldapu_free) (void *ptr);
+
+/* ldapu_malloc */
+typedef void *(*t_ldapu_malloc) (int size);
+
+/* ldapu_strdup */
+typedef char *(*t_ldapu_strdup) (const char *ptr);
+
+
+typedef struct LDAPUDispatchVector LDAPUDispatchVector_t;
+struct LDAPUDispatchVector {
+ t_ldapu_cert_to_ldap_entry f_ldapu_cert_to_ldap_entry;
+ t_ldapu_set_cert_mapfn f_ldapu_set_cert_mapfn;
+ t_ldapu_get_cert_mapfn f_ldapu_get_cert_mapfn;
+ t_ldapu_set_cert_searchfn f_ldapu_set_cert_searchfn;
+ t_ldapu_get_cert_searchfn f_ldapu_get_cert_searchfn;
+ t_ldapu_set_cert_verifyfn f_ldapu_set_cert_verifyfn;
+ t_ldapu_get_cert_verifyfn f_ldapu_get_cert_verifyfn;
+ t_ldapu_get_cert_subject_dn f_ldapu_get_cert_subject_dn;
+ t_ldapu_get_cert_issuer_dn f_ldapu_get_cert_issuer_dn;
+ t_ldapu_get_cert_ava_val f_ldapu_get_cert_ava_val;
+ t_ldapu_free_cert_ava_val f_ldapu_free_cert_ava_val;
+ t_ldapu_get_cert_der f_ldapu_get_cert_der;
+ t_ldapu_issuer_certinfo f_ldapu_issuer_certinfo;
+ t_ldapu_certmap_info_attrval f_ldapu_certmap_info_attrval;
+ t_ldapu_err2string f_ldapu_err2string;
+ t_ldapu_free_old f_ldapu_free_old;
+ t_ldapu_malloc f_ldapu_malloc;
+ t_ldapu_strdup f_ldapu_strdup;
+ t_ldapu_free f_ldapu_free;
+};
+
+
+#ifdef INTLDAPU
+NSAPI_PUBLIC extern LDAPUDispatchVector_t *__ldapu_table;
+#else
+typedef int (*CertMapDLLInitFn_t)(LDAPUDispatchVector_t **table);
+
+NSAPI_PUBLIC extern int CertMapDLLInitFn(LDAPUDispatchVector_t **table);
+
+extern LDAPUDispatchVector_t *__ldapu_table;
+
+#if defined( _WINDOWS ) || defined( _WIN32 ) || defined( XP_WIN32 )
+#define CertmapDLLInitFnTbl LDAPUDispatchVector_t *__ldapu_table;
+#define CertmapDLLInit(rv, libname) \
+{\
+ HANDLE h = LoadLibrary((libname)); \
+ CertMapDLLInitFn_t init_fn; \
+ if (!h) return LDAPU_CERT_MAP_INITFN_FAILED; \
+ init_fn = (CertMapDLLInitFn_t)GetProcAddress(h, "CertMapDLLInitFn"); \
+ rv = init_fn(&__ldapu_table); \
+}
+#else
+#define CertmapDLLInit(rv, libname)
+#define CertmapDLLInitFnTbl
+#endif
+
+#endif /* INTLDAPU */
+
+#ifndef INTLDAPU
+
+/*
+ * ldapu_cert_to_ldap_entry -
+ * This function is called to map a cert to an ldap entry. It extracts the
+ * cert issuer information from the given cert. The mapping function set for
+ * the issuer (if any) or the default mapping function is called to map the
+ * subject DN from the cert to a candidate ldap DN and filter for ldap
+ * search. If the mapped ldap DN is NULL, the 'basedn' passed into this
+ * function is used as a starting place for the search. If the mapped filter
+ * is NULL, "objectclass=*" is used as a filter. A base level search is
+ * performed to see if the candidate DN exists in the LDAP database matching
+ * the filter. If there is no match, a scoped search (sub-tree search) is
+ * performed. If at least one entry matched the mapped DN and filter, the
+ * result is passed to the appropriate verify function. The verify function
+ * is called only if 'VerifyCert' parameter has been set for the cert issuer
+ * in the certmap.conf file.
+ * If the verify function succeeds, it must return the pointer to the matched
+ * 'entry'. If at the end, there is only one matching entry, the mapping is
+ * successful.
+ * Parameters:
+ * cert - cert to be mapped. You can pass this to
+ * functions ldapu_get_cert_XYZ.
+ * ld - Handle to the connection to the directory server.
+ * suffix - If the subject dn is mapped to empty LDAP DN then use this
+ * DN to begin the search. This is the DN of the root object
+ * in LDAP Directory.
+ * res - cert is first mapped to ldapdn and filter. 'res' is the
+ * result of ldap search using the ldapdn and filter.
+ * 'ld' and 'res' can be used in the calls to ldapsdk API.
+ * When done with 'res', free it using ldap_msgfree(res)
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_cert_to_ldap_entry (*__ldapu_table->f_ldapu_cert_to_ldap_entry)
+
+/*
+ * ldapu_set_cert_mapfn -
+ * This function can be used to set the cert mapping function for the given
+ * issuer (CA). If the mapping information doesn't exist for the given
+ * issuer then a new one will be created and the mapping function will be
+ * set. When creating the new mapping information, the default mapping
+ * information is copied.
+ * Parameters:
+ * issuerDN - DN of the cert issuer. This mapping function will be used
+ * for all certs issued by this issuer. If the issuerDN is
+ * NULL, the given 'mapfn' becomes the default mapping
+ * function (which is used when no mapping function has been
+ * set for the cert's issuer).
+ * mapfn - the mapping function. Look at the desciption of
+ * CertMapFn_t to find out more about the mapping functions.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_set_cert_mapfn (*__ldapu_table->f_ldapu_set_cert_mapfn)
+
+
+/*
+ * ldapu_get_cert_mapfn -
+ * This function can be used to get the cert mapping function for the given
+ * issuer (CA). This will always return a non-NULL function.
+ * Parameters:
+ * issuerDN - DN of the cert issuer for which the mapping function is to
+ * be retrieved. If this is NULL, default mapping function
+ * is returned.
+ *
+ * Return Value:
+ * The mapping function set for the issuer is returned. If the issuerDN is
+ * NULL or if no specific mapping function has been set for the issuer, the
+ * default mapping function is returned.
+ */
+#define ldapu_get_cert_mapfn (*__ldapu_table->f_ldapu_get_cert_mapfn)
+
+/*
+ * ldapu_set_cert_searchfn -
+ * This function can be used to set the cert search function for the given
+ * issuer (CA).
+ * Parameters:
+ * issuerDN - DN of the cert issuer. This search function will be used
+ * for all certs issued by this issuer. If the issuerDN is
+ * NULL, the given 'searchfn' becomes the default search
+ * function (which is used when no search function has been
+ * set for the cert's issuer).
+ * searchfn - the search function. Look at the desciption of
+ * CertSearchFn_t to find out more about the search functions.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_set_cert_searchfn (*__ldapu_table->f_ldapu_set_cert_searchfn)
+
+
+/*
+ * ldapu_get_cert_searchfn -
+ * This function can be used to get the cert search function for the given
+ * issuer (CA). This will always return a non-NULL function.
+ * Parameters:
+ * issuerDN - DN of the cert issuer for which the search function is to
+ * be retrieved. If this is NULL, the default search
+ * function is returned.
+ *
+ * Return Value:
+ * The search function set for the issuer is returned. If the issuerDN is
+ * NULL or if no specific search function has been set for the issuer, the
+ * default search function is returned.
+ */
+#define ldapu_get_cert_searchfn (*__ldapu_table->f_ldapu_get_cert_searchfn)
+
+/*
+ * ldapu_set_cert_verifyfn -
+ * This function can be used to set the cert verify function for the given
+ * issuer (CA). If the mapping information doesn't exist for the given
+ * issuer then a new one will be created and the verify function will be
+ * set. When creating the new mapping information, the default mapping
+ * information is copied.
+ * Parameters:
+ * issuerDN - DN of the cert issuer. This verify function will be used
+ * for all certs issued by this issuer. If the issuerDN is
+ * NULL, the given 'verifyFn' becomes the default verify
+ * function (which is used when no verify function has been
+ * set for the cert's issuer).
+ * verifyFn - the verify function. Look at the desciption of
+ * CertMapFn_t to find out more about the verify functions.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_set_cert_verifyfn (*__ldapu_table->f_ldapu_set_cert_verifyfn)
+
+/*
+ * ldapu_get_cert_verifyfn -
+ * This function can be used to get the cert verify function for the given
+ * issuer (CA). This function can return NULL when there is no applicable
+ * verify function.
+ * Parameters:
+ * issuerDN - DN of the cert issuer for which the verify function is to
+ * be retrieved. If this is NULL, default verify function
+ * is returned.
+ *
+ * Return Value:
+ * The verify function set for the issuer is returned. If the issuerDN is
+ * NULL or if no specific verify function has been set for the issuer, the
+ * default verify function is returned. This function can return NULL when
+ * there is no applicable verify function.
+ */
+#define ldapu_get_cert_verifyfn (*__ldapu_table->f_ldapu_get_cert_verifyfn)
+
+
+/*
+ * ldapu_get_cert_subject_dn -
+ * This function can be used to get the subject DN from the cert. Free the
+ * subjectDN using 'free' after you are done using it.
+ * Parameters:
+ * cert - cert from which the DN is to be extracted.
+ * subjectDN - subjectDN extracted from the cert. Free it using 'free'
+ * after it is no longer required.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_get_cert_subject_dn (*__ldapu_table->f_ldapu_get_cert_subject_dn)
+
+
+/*
+ * ldapu_get_cert_issuer_dn -
+ * This function can be used to get the issuer DN from the cert. Free the
+ * issuerDN using 'free' after you are done using it.
+ * Parameters:
+ * cert - cert from which the DN is to be extracted.
+ * issuerDN - issuerDN extracted from the cert. Free it using 'free'
+ * after it is no longer required.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_get_cert_issuer_dn (*__ldapu_table->f_ldapu_get_cert_issuer_dn)
+
+
+/*
+ * ldapu_get_cert_ava_val -
+ * This function can be used to get value of the given attribute from either
+ * the subject DN or the issuer DN from the cert.
+ * Parameters:
+ * cert - cert from which the values are to be extracted.
+ * which_dn - Should be either LDAPU_ISSUER_DN or LDAPU_SUBJECT_DN.
+ * attr - Should be one of "CN", "OU", "O", "C", "UID", "MAIL",
+ * "E", "L", and "ST".
+ * val - An array of attribute values extracted from the cert.
+ * There could be multiple values. The last entry in the
+ * array is NULL. You must free this array of strings after
+ * you are done with it (using the function
+ * ldapu_free_cert_ava_val). 'val' is initialized to NULL if
+ * there is an error.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_get_cert_ava_val (*__ldapu_table->f_ldapu_get_cert_ava_val)
+
+
+/*
+ * ldapu_free_cert_ava_val -
+ * This function can be used to free the array returned by the
+ * ldapu_get_cert_ava_val function.
+ * Parameters:
+ * val - An array of attribute values returned by
+ * ldapu_get_cert_ava_val.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_free_cert_ava_val (*__ldapu_table->f_ldapu_free_cert_ava_val)
+
+
+/*
+ * ldapu_get_cert_der -
+ * This function can be used to get the original DER encoded cert for the
+ * given cert.
+ * Parameters:
+ * cert - cert from which the original DER is to be extracted.
+ * derCert - the original DER encoded cert
+ * len - length of derCert
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_get_cert_der (*__ldapu_table->f_ldapu_get_cert_der)
+
+
+/*
+ * ldapu_issuer_certinfo -
+ * This function can be used to get the handle on the internal structure for
+ * the given issuer. This handle can be passed to ldapu_certmap_info_attrval
+ * to get configuration attribute values for the issuer.
+ * Parameters:
+ * issuerDN - DN of the issuer for whom the handle on internal structure
+ * is requested. If issuerDN is NULL, the handle to the
+ * default configuration information is returned.
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * This structure can be passed to the function
+ * ldapu_certmap_info_attrval to get value for a particular
+ * configuration attribute (or a property).
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ * CAUTION: DON'T FREE THE 'certmap_info' STRUCTURE.
+ */
+#define ldapu_issuer_certinfo (*__ldapu_table->f_ldapu_issuer_certinfo)
+
+
+/*
+ * ldapu_certmap_info_attrval -
+ * This function can be used to get values for the given attribute/property
+ * from the given certmap_info. You can get handle on the certmap_info by
+ * calling the ldapu_issuer_certinfo function. Free the 'val' using 'free'
+ * after it is no longer required.
+ * Parameters:
+ * certmap_info - This structure contains information about the
+ * configuration parameters for the cert's issuer (CA).
+ * attr - name of the attribute/property for which the value is to
+ * be returned. The attribute can be one of the attributes
+ * listed above (LDAPU_ATTR_XYZ). User defined attributes
+ * can also be used.
+ * val - Value of the 'attr' from the 'certmap_info'.
+ *
+ * Return Value:
+ * return LDAPU_SUCCESS upon successful completion
+ * otherwise returns an error code that can be passed to ldapu_err2string.
+ */
+#define ldapu_certmap_info_attrval (*__ldapu_table->f_ldapu_certmap_info_attrval)
+
+
+/*
+ * ldapu_err2string -
+ * This function can be used to print any of the ldaputil or LDAP error
+ * code.
+ * Parameters:
+ * err - error code to be converted to printable string.
+ *
+ * Return Value:
+ * Printable representation of the given error code.
+ */
+#define ldapu_err2string (*__ldapu_table->f_ldapu_err2string)
+
+/*
+ * ldapu_free -
+ * This function should be used to free the memory allocated by
+ * ldapu_* functions if the ldapu_* function doesn't have a corresponding
+ * 'free' function. Use this function for free'ing the memory allocated by
+ * the following functions:
+ * ldapu_get_cert_subject_dn
+ * ldapu_get_cert_issuer_dn
+ * ldapu_get_cert_der
+ * ldapu_certmap_info_attrval
+ * To free memory allocated by ldapu_get_cert_ava_val, use
+ * ldapu_free_cert_ava_val. Do not free the certmap_info pointer returned by
+ * ldapu_issuer_certinfo.
+ * Parameters:
+ * ptr - pointer returned by ldapu_get_cert_* functions.
+ */
+#define ldapu_free (*__ldapu_table->f_ldapu_free)
+
+/*
+ * ldapu_malloc -
+ * This function is a cover function for the 'malloc' system call. On NT, it
+ * is best to alloc & free the memory in the same DLL.
+ * Parameters:
+ * size - size of the memory to be allocated
+ * Return Value:
+ * same as 'malloc' -- pointer to the allocated memory or NULL on failure.
+ */
+#define ldapu_malloc (*__ldapu_table->f_ldapu_malloc)
+
+/*
+ * ldapu_strdup -
+ * This function is a cover function for the 'strdup' system call. On NT, it
+ * is best to alloc & free the memory in the same DLL.
+ * Parameters:
+ * ptr - Pointer to the string to be copied
+ * Return Value:
+ * same as 'strdup' -- pointer to the copied string or NULL on failure.
+ */
+#define ldapu_strdup (*__ldapu_table->f_ldapu_strdup)
+
+
+#endif /* !INTLDAPU */
+
+#endif /* _PUBLIC_CERTMAP_H */
diff --git a/include/ldaputil/init.h b/include/ldaputil/init.h
new file mode 100644
index 00000000..e983787b
--- /dev/null
+++ b/include/ldaputil/init.h
@@ -0,0 +1,23 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_INIT_H
+#define _LDAPU_INIT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC extern int ldaputil_init (const char *config_file,
+ const char *dllname,
+ const char *serv_root,
+ const char *serv_type,
+ const char *serv_id);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_INIT_H */
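Review bot: The declaration of `ldaputil_init` uses `NSAPI_PUBLIC` but this header, unlike its siblings cert.h, ldapauth.h and ldapdb.h, carries no fallback definition for it, so a translation unit that includes init.h first (or alone) will fail to compile on non-Windows builds with an unknown identifier. The same `#ifndef NSAPI_PUBLIC` block the other headers use should precede the `extern "C"` section. The parameters are also undocumented; a short comment stating that `config_file` is read by the library and which of `serv_root`/`serv_type`/`serv_id` may be NULL would help callers, but that cannot be confirmed from this hunk.
```c
#define _LDAPU_INIT_H

#ifndef NSAPI_PUBLIC
#ifdef XP_WIN32
#define NSAPI_PUBLIC __declspec(dllexport)
#else
#define NSAPI_PUBLIC
#endif
#endif
/* … unchanged: extern "C" block and ldaputil_init prototype … */
```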
diff --git a/include/ldaputil/ldapauth.h b/include/ldaputil/ldapauth.h
new file mode 100644
index 00000000..d4d96bfc
--- /dev/null
+++ b/include/ldaputil/ldapauth.h
@@ -0,0 +1,94 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#ifndef LDAPU_AUTH_H
+#define LDAPU_AUTH_H
+
+#include <ldap.h>
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+typedef int (*LDAPU_GroupCmpFn_t)(const void *groupids, const char *group,
+ const int len);
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern int ldapu_find (LDAP *ld, const char *base, int scope,
+ const char *filter, const char **attrs,
+ int attrsonly, LDAPMessage **res);
+
+int ldapu_find_entire_tree (LDAP *ld, int scope,
+ const char *filter, const char **attrs,
+ int attrsonly, LDAPMessage ***res);
+
+extern int ldapu_auth_userdn_groupdn (LDAP *ld, const char *userdn,
+ const char *groupdn,
+ const char *base);
+
+extern int ldapu_auth_uid_groupdn (LDAP *ld, const char *uid,
+ const char *groupdn, const char *base);
+
+extern int ldapu_auth_uid_groupid (LDAP *ld, const char *uid,
+ const char *groupid, const char *base);
+
+extern int ldapu_auth_userdn_groupid (LDAP *ld,
+ const char *userdn, const char *groupid,
+ const char *base);
+
+extern int ldapu_auth_userdn_groupids (LDAP *ld, const char *userdn,
+ void *groupids,
+ LDAPU_GroupCmpFn_t grpcmpfn,
+ const char *base,
+ char **group_out);
+
+extern int ldapu_auth_userdn_attrfilter (LDAP *ld,
+ const char *userdn,
+ const char *attrfilter);
+
+extern int ldapu_auth_uid_attrfilter (LDAP *ld, const char *uid,
+ const char *attrfilter,
+ const char *base);
+
+extern int ldapu_auth_userdn_password (LDAP *ld,
+ const char *userdn,
+ const char *password);
+
+extern int ldapu_find_uid_attrs (LDAP *ld, const char *uid,
+ const char *base, const char **attrs,
+ int attrsonly, LDAPMessage **res);
+
+extern int ldapu_find_uid (LDAP *ld, const char *uid,
+ const char *base, LDAPMessage **res);
+
+NSAPI_PUBLIC extern int ldapu_find_userdn (LDAP *ld, const char *uid,
+ const char *base, char **dn);
+
+extern int ldapu_find_group_attrs (LDAP *ld, const char *groupid,
+ const char *base, const char **attrs,
+ int attrsonly, LDAPMessage **res);
+
+extern int ldapu_find_group (LDAP *ld, const char *groupid,
+ const char *base, LDAPMessage **res);
+
+extern int ldapu_find_groupdn (LDAP *ld, const char *groupid,
+ const char *base, char **dn);
+
+extern int ldapu_auth_uid_password (LDAP *ld, const char *uid,
+ const char *password, const char *base);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* LDAPU_AUTH_H */
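Review bot: The `uid`, `groupid` and `attrfilter` parameters of the `ldapu_auth_*` and `ldapu_find_*` prototypes are raw strings that, judging from the `filter` parameter of `ldapu_find` and the name `attrfilter`, end up inside LDAP search filters, and nothing in the header says who escapes filter metacharacters (`*`, `(`, `)`, `\`, NUL). A comment on the extern block such as `/* uid/groupid/attrfilter are embedded in LDAP search filters; callers must escape RFC 2254 special characters unless the implementation does -- confirm */` would fix the contract before callers pass user-supplied names through. `ldapu_auth_userdn_password` and `ldapu_auth_uid_password` should likewise state whether an empty `password` is rejected before the bind, since a simple bind with an empty password is treated as anonymous by LDAP servers and would otherwise look like a successful authentication. The function bodies are outside this hunk, so these are contract gaps rather than observed defects; also only `ldapu_find_userdn` is marked `NSAPI_PUBLIC`, which is worth a comment if the rest are intentionally internal.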
diff --git a/include/ldaputil/ldapdb.h b/include/ldaputil/ldapdb.h
new file mode 100644
index 00000000..13254a93
--- /dev/null
+++ b/include/ldaputil/ldapdb.h
@@ -0,0 +1,100 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_LDAPDB_H
+#define _LDAPU_LDAPDB_H
+
+#include <ldap.h>
+/* removed for LDAPSDK31 integration
+#include <lcache.h>
+*/
+#ifdef LDAPDB_THREAD_SAFE
+/* In the past, we used CRITICAL objects from lib/base/crit.cpp.
+ * Now we use PRMonitor to avoid ldapu to depend on lib/base.
+ */
+#include <prmon.h>
+#else
+#define PRMonitor void
+#endif /* LDAPDB_THREAD_SAFE */
+
+#ifndef NSAPI_PUBLIC
+#ifdef XP_WIN32
+#define NSAPI_PUBLIC __declspec(dllexport)
+#else
+#define NSAPI_PUBLIC
+#endif
+#endif
+
+#define LDAPDB_URL_PREFIX "ldapdb:"
+#define LDAPDB_URL_PREFIX_LEN 7
+
+typedef struct {
+ int use_ssl; /* Set to 0 in case of local LDAP cache */
+ char *host; /* Set to 0 in case of local LDAP cache */
+ int port; /* Set to 0 in case of local LDAP cache */
+ char *basedn;
+ char *scope;
+ char *filter;
+ LDAP *ld;
+ char *binddn; /* Set to 0 in case of local LDAP cache */
+ char *bindpw; /* Set to 0 in case of local LDAP cache */
+ int bound; /* If 0 then not bound with binddn & bindpw */
+ PRMonitor* crit;/* to control critical sections */
+} LDAPDatabase_t;
+
+#define LDAPU_ATTR_BINDDN "binddn"
+#define LDAPU_ATTR_BINDPW "bindpw"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+NSAPI_PUBLIC extern int ldapu_url_parse (const char *url, const char *binddn,
+ const char *bindpw,
+ LDAPDatabase_t **ldb);
+
+NSAPI_PUBLIC extern int ldapu_ldapdb_url_parse (const char *url,
+ LDAPDatabase_t **ldb);
+
+NSAPI_PUBLIC extern int ldapu_is_local_db (const LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern void ldapu_free_LDAPDatabase_t (LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern LDAPDatabase_t *ldapu_copy_LDAPDatabase_t (const LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern int ldapu_ldap_init (LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern int ldapu_ldap_init_and_bind (LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern int ldapu_ldap_rebind (LDAPDatabase_t *ldb);
+
+NSAPI_PUBLIC extern int ldapu_ldap_reinit_and_rebind (LDAPDatabase_t *ldb);
+
+#ifdef __cplusplus
+}
+#endif
+
+/*
+ * LDAPU_REQ --
+ * 'ld' is cached in the 'ldb' structure. If the LDAP server goes down since
+ * it was cached, the ldap lookup commands fail with LDAP_SERVER_DOWN. This
+ * macro can be used to rebind to the server and retry the command once if
+ * this happens.
+ */
+#define LDAPU_REQ(rv, ldb, cmd) \
+{ \
+ int numtry = 0; \
+ while(1) { \
+ rv = cmd; \
+ if (rv != LDAP_SERVER_DOWN || numtry++ != 0) break; \
+ /* Server went down since our last ldap lookup ... reconnect */ \
+ rv = ldapu_ldap_reinit_and_rebind(ldb); \
+ if (rv != LDAPU_SUCCESS) break; \
+ } \
+}
+
+
+#endif /* LDAPUTIL_LDAPDB_H */
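Review bot: `LDAPU_REQ` at the end of the hunk expands to a bare `{ ... }` compound statement, so a use like `if (c) LDAPU_REQ(rv, ldb, cmd); else ...` fails to compile on the stray semicolon; the opening line should be `do { \` and the closing line `} while (0)`. `LDAPDatabase_t` holds `bindpw` as a plain `char *`, and since `ldapu_free_LDAPDatabase_t` and `ldapu_copy_LDAPDatabase_t` are only declared here, the field comment should say whether the password is wiped before the buffer is released, e.g. `char *bindpw; /* bind credential; cleared before free? -- confirm in ldapu_free_LDAPDatabase_t */`. `LDAPDB_URL_PREFIX_LEN` is hand-counted and would be safer as `(sizeof(LDAPDB_URL_PREFIX) - 1)`, and the closing `#endif` comment names `LDAPUTIL_LDAPDB_H` although the guard is `_LDAPU_LDAPDB_H`.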
diff --git a/include/ldaputil/ldaputil.h b/include/ldaputil/ldaputil.h
new file mode 100644
index 00000000..f0d87c22
--- /dev/null
+++ b/include/ldaputil/ldaputil.h
@@ -0,0 +1,132 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _LDAPU_LDAPUTIL_H
+#define _LDAPU_LDAPUTIL_H
+
+#include <ldaputil/dbconf.h>
+#include <ldaputil/certmap.h>
+
+typedef struct ldapu_list_node {
+ void *info; /* pointer to the corresponding info */
+ struct ldapu_list_node *next; /* pointer to the next node */
+ struct ldapu_list_node *prev; /* pointer to the prev node */
+} LDAPUListNode_t;
+
+typedef struct ldapu_list {
+ LDAPUListNode_t *head;
+ LDAPUListNode_t *tail;
+} LDAPUList_t;
+
+typedef struct {
+ char *prop; /* property name */
+ char *val; /* value -- only char* supported for now */
+} LDAPUPropVal_t;
+
+typedef LDAPUList_t LDAPUPropValList_t;
+
+enum {
+ COMPS_COMMENTED_OUT,
+ COMPS_EMPTY,
+ COMPS_HAS_ATTRS
+};
+
+typedef struct {
+ char *issuerName; /* issuer (symbolic/short) name */
+ char *issuerDN; /* cert issuer's DN */
+ LDAPUPropValList_t *propval; /* pointer to the prop-val pairs list */
+ CertMapFn_t mapfn; /* cert to ldapdn & filter mapping func */
+ CertVerifyFn_t verifyfn; /* verify cert function */
+ CertSearchFn_t searchfn; /* search ldap entry function */
+ long dncomps; /* bitmask: components to form ldap dn */
+ long filtercomps; /* components used to form ldap filter */
+ int verifyCert; /* Verify the cert? */
+ char *searchAttr; /* LDAP attr used by the search fn */
+ int dncompsState; /* Empty, commented out, or attr names */
+ int filtercompsState; /* Empty, commented out, or attr names */
+} LDAPUCertMapInfo_t;
+
+typedef LDAPUList_t LDAPUCertMapListInfo_t;
+
+typedef void * (*LDAPUListNodeFn_t)(void *info, void *arg);
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern int certmap_read_default_certinfo (const char *file);
+
+extern int certmap_read_certconfig_file (const char *file);
+
+extern void ldapu_certinfo_free (void *certmap_info);
+
+extern void ldapu_certmap_listinfo_free (void *certmap_listinfo);
+
+extern void ldapu_propval_list_free (void *propval_list);
+
+NSAPI_PUBLIC extern int ldaputil_exit ();
+
+NSAPI_PUBLIC extern int ldapu_cert_to_user (void *cert, LDAP *ld,
+ const char *basedn,
+ LDAPMessage **res,
+ char **user);
+
+NSAPI_PUBLIC extern int ldapu_certmap_init (const char *config_file,
+ const char *libname,
+ LDAPUCertMapListInfo_t **certmap_list,
+ LDAPUCertMapInfo_t
+ **certmap_default);
+
+NSAPI_PUBLIC extern int ldapu_certinfo_modify (const char *issuerName,
+ const char *issuerDN,
+ const LDAPUPropValList_t *propval);
+
+NSAPI_PUBLIC extern int ldapu_certinfo_delete (const char *issuerDN);
+
+NSAPI_PUBLIC extern int ldapu_certinfo_save (const char *fname,
+ const char *old_fname,
+ const char *tmp_fname);
+
+NSAPI_PUBLIC extern int ldapu_list_alloc (LDAPUList_t **list);
+NSAPI_PUBLIC extern int ldapu_propval_alloc (const char *prop, const char *val,
+ LDAPUPropVal_t **propval);
+NSAPI_PUBLIC extern int ldapu_list_add_info (LDAPUList_t *list, void *info);
+
+#ifndef DONT_USE_LDAP_SSL
+#define USE_LDAP_SSL
+#endif
+
+typedef struct {
+#ifdef USE_LDAP_SSL
+ LDAP* (LDAP_CALL LDAP_CALLBACK *ldapuV_ssl_init) ( const char*, int, int );
+#else
+ LDAP* (LDAP_CALL LDAP_CALLBACK *ldapuV_init) ( const char*, int );
+#endif
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_set_option) ( LDAP*, int, void* );
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_simple_bind_s) ( LDAP*, const char*, const char* );
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_unbind) ( LDAP* );
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_search_s) ( LDAP*, const char*, int, const char*, char**, int, LDAPMessage** );
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_count_entries) ( LDAP*, LDAPMessage* );
+ LDAPMessage*(LDAP_CALL LDAP_CALLBACK *ldapuV_first_entry) ( LDAP*, LDAPMessage* );
+ LDAPMessage*(LDAP_CALL LDAP_CALLBACK *ldapuV_next_entry) ( LDAP*, LDAPMessage* );
+ int (LDAP_CALL LDAP_CALLBACK *ldapuV_msgfree) ( LDAP*, LDAPMessage* );
+ char* (LDAP_CALL LDAP_CALLBACK *ldapuV_get_dn) ( LDAP*, LDAPMessage* );
+ void (LDAP_CALL LDAP_CALLBACK *ldapuV_memfree) ( LDAP*, void* );
+ char* (LDAP_CALL LDAP_CALLBACK *ldapuV_first_attribute) ( LDAP*, LDAPMessage*, BerElement** );
+ char* (LDAP_CALL LDAP_CALLBACK *ldapuV_next_attribute) ( LDAP*, LDAPMessage*, BerElement* );
+ void (LDAP_CALL LDAP_CALLBACK *ldapuV_ber_free) ( LDAP*, BerElement*, int );
+ char** (LDAP_CALL LDAP_CALLBACK *ldapuV_get_values) ( LDAP*, LDAPMessage*, const char* );
+ void (LDAP_CALL LDAP_CALLBACK *ldapuV_value_free) ( LDAP*, char** );
+ struct berval**(LDAP_CALL LDAP_CALLBACK *ldapuV_get_values_len)( LDAP*, LDAPMessage*, const char* );
+ void (LDAP_CALL LDAP_CALLBACK *ldapuV_value_free_len)( LDAP*, struct berval** );
+} LDAPUVTable_t;
+
+NSAPI_PUBLIC extern void ldapu_VTable_set (LDAPUVTable_t*);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LDAPU_LDAPUTIL_H */
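Review bot: `ldaputil_exit ()` near the top of the extern block is declared with empty parentheses, which in C is an old-style declaration with unchecked arguments rather than a zero-argument prototype; it should read `NSAPI_PUBLIC extern int ldaputil_exit (void);`. The `verifyCert` field of `LDAPUCertMapInfo_t` is documented only as `Verify the cert?`; since a zero there presumably lets `ldapu_cert_to_user` map a certificate to a user without running `verifyfn`, the comment should state the default and the meaning of 0, e.g. `int verifyCert; /* non-zero: run verifyfn before mapping; 0 skips verification -- confirm default */`. Separately, `ldapu_find` in ldapauth.h takes `const char **attrs` while the `ldapuV_search_s` vtable slot takes `char **`, so the implementation has to cast const away somewhere; aligning the two signatures would avoid that.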