authorcvsadm <cvsadm>2005-01-21 00:44:34 +0000
committercvsadm <cvsadm>2005-01-21 00:44:34 +0000
commitb2093e3016027d6b5cf06b3f91f30769bfc099e2 (patch)
treecf58939393a9032182c4fbc4441164a9456e82f8 /lib/ldaputil/utest
Moving NSCP Directory Server from DirectoryBranch to TRUNK, initial drop. (foxworth)ldapserver7x
Diffstat (limited to 'lib/ldaputil/utest')
-rw-r--r--lib/ldaputil/utest/Makefile117
-rw-r--r--lib/ldaputil/utest/auth.cpp574
-rwxr-xr-xlib/ldaputil/utest/authtest106
-rw-r--r--lib/ldaputil/utest/certmap.conf36
-rw-r--r--lib/ldaputil/utest/dblist.conf15
-rw-r--r--lib/ldaputil/utest/example.c116
-rw-r--r--lib/ldaputil/utest/plugin.c115
-rw-r--r--lib/ldaputil/utest/plugin.h20
-rw-r--r--lib/ldaputil/utest/stubs.c107
-rw-r--r--lib/ldaputil/utest/stubs.cpp102
-rw-r--r--lib/ldaputil/utest/test.ref448
11 files changed, 1756 insertions, 0 deletions
diff --git a/lib/ldaputil/utest/Makefile b/lib/ldaputil/utest/Makefile
new file mode 100644
index 00000000..e6f2e5c6
--- /dev/null
+++ b/lib/ldaputil/utest/Makefile
@@ -0,0 +1,117 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# Makefile for ldaputil unit test.
+#
+MCOM_ROOT=../../../..
+MODULE=LibLdapUtil
+
+OBJDEST=.
+UTESTDEST=utest
+
+include ../../../nsconfig.mk
+
+MODULE_CFLAGS=-I$(NSROOT)/include
+
+include $(INCLUDE_DEPENDS)
+
+TESTFLAGS = -DUTEST -DDBG_PRINT -DDONT_USE_LDAP_SSL
+
+CC=CC
+PURIFY=
+
+CSRC = stubs.c
+CPPSRC = auth.cpp
+TSRC = authtest
+SRC = $(CSRC) $(CPPSRC) $(TSRC)
+XSRC = ../ldapauth.c ../ldapdb.c ../errors.c ../dbconf.c ../certmap.c ../ldapauth.c ../init.c ../encode.c
+
+COBJ = $(CPPSRC:%.cpp=%.o) $(CSRC:%.c=%.o)
+XOBJ = $(XSRC:../%.c=../utest/%.o)
+
+ifeq ($(ARCH), WINNT)
+ BINS=./auth.exe
+ LDAP_LIBLINK = $(addprefix $(LDAP_LIBPATH)/, $(addsuffix .lib, $(LDAP_LIBNAMES)))
+ XLIBS = ${LDAP_LIBLINK}
+ LOCAL_LINK_EXE = link -OUT:"$@" /MAP $(ARCH_LINK_DEBUG) $(LCFLAGS) /NOLOGO \
+ /PDB:NONE /INCREMENTAL:NO /SUBSYSTEM:windows $(XLIBS)
+else
+ BINS = auth
+ LDAP_LIBLINK = -L$(LDAP_LIBPATH) $(addprefix -l, ${LDAP_SOLIB_NAMES})
+endif
+
+ifeq ($(ARCH), SOLARIS)
+ XLIBS = -R$(LDAP_LIBPATH) ${LDAP_LIBLINK} $(LIBNSPR) $(LIBSEC) -lthread -lposix4 -lsocket -lnsl -ldl
+else
+ ifeq ($(ARCH), IRIX)
+ XLIBS = ${LDAP_LIBLINK} $(LIBNSPR) $(LIBSEC)
+ else
+ ifeq ($(ARCH), WINNT)
+ echo "XLIBS = ${XLIBS}"
+ else
+ #Other UNIX platforms
+ XLIBS = -R$(LDAP_LIBPATH) ${LDAP_LIBLINK} $(LIBNSPR) $(LIBSEC) -lthread -lposix4 -lsocket -lnsl -ldl
+ endif
+ endif
+endif
+
+PLUGIN = plugin.so
+
+all: $(LIBLDAP) $(COBJ) $(TSRC) ${BINS} $(PLUGIN)
+ ./authtest 2> test.out
+ diff test.out test.ref
+ @echo
+ @echo "The unit test is passed if there is no diff output, and the"
+ @echo "Purify window shows no errors and 0 bytes leaked."
+ @echo
+ @echo "Run - gmake coverage - manually to get code coverage analysis."
+ @echo
+
+auth: $(XOBJ) $(COBJ)
+ $(PURIFY) $(CC) $(XLIBS) $^ -o $@
+
+auth.exe: $(XOBJ) $(COBJ)
+ $(PURIFY) $(LOCAL_LINK_EXE) $(XOBJ) $(COBJ) ${XLIBS}
+
+testcert: testcert.o $(XOBJ) ../utest/cert.o
+ $(PURIFY) $(CC) $(XLIBS) $^ -o $@
+
+%.o:%.c
+ $(PURIFY) $(CC) -c $(CFLAGS) $(TESTFLAGS) $(MCC_INCLUDE) $< -o $@
+
+../utest/%.o:../%.c
+ $(PURIFY) $(CC) -c $(CFLAGS) $(TESTFLAGS) $(MCC_INCLUDE) -I.. $< -o $(OBJDEST)/$*.o
+
+../utest/%.o:../%.cpp
+ $(PURIFY) $(CC) -c $(CFLAGS) $(TESTFLAGS) $(MCC_INCLUDE) -I.. $< -o $(OBJDEST)/$*.o
+
+PLUGIN_INC = ./include
+
+$(PLUGIN_INC):
+ mkdir -p include
+
+certmap.h: ../../../include/ldaputil/extcmap.h
+ \rm -rf $(PLUGIN_INC)/$@
+ cp $^ $(PLUGIN_INC)/$@
+
+ldap.h: $(LDAP_INCLUDE)/ldap.h
+ \rm -rf $(PLUGIN_INC)/$@
+ cp $^ $(PLUGIN_INC)/$@
+
+lber.h: $(LDAP_INCLUDE)/lber.h
+ \rm -rf $(PLUGIN_INC)/$@
+ cp $^ $(PLUGIN_INC)/$@
+
+example.o: example.c $(PLUGIN_INC) certmap.h ldap.h lber.h
+ $(CC) -c -I$(PLUGIN_INC) $*.c -o $(OBJDEST)/$*.o
+
+plugin.o: plugin.c $(PLUGIN_INC) certmap.h ldap.h lber.h
+ $(PURIFY) $(CC) -c -I. -I$(PLUGIN_INC) $*.c -o $(OBJDEST)/$*.o
+
+$(PLUGIN): plugin.o
+ $(LINK_DLL) $^
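Review bot: The `XSRC` assignment lists `../ldapauth.c` twice, so `XOBJ` carries `../utest/ldapauth.o` twice. The `auth` rule links `$^`, which GNU make de-duplicates, but the `auth.exe` rule passes `$(XOBJ)` directly, so the Windows link line receives the same object twice. Drop the second entry: `XSRC = ../ldapauth.c ../ldapdb.c ../errors.c ../dbconf.c ../certmap.c ../init.c ../encode.c`.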
diff --git a/lib/ldaputil/utest/auth.cpp b/lib/ldaputil/utest/auth.cpp
new file mode 100644
index 00000000..e952f742
--- /dev/null
+++ b/lib/ldaputil/utest/auth.cpp
@@ -0,0 +1,574 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+
+#include <prinit.h> // for PR_Init
+#include <prpriv.h> // for PR_Exit
+#include <ldaputil/certmap.h>
+#include <ldaputil/init.h>
+#include <ldaputil/ldapdb.h>
+#include <ldaputil/ldapauth.h>
+#include <ldaputil/dbconf.h>
+#include <ldaputil/ldaputil.h>
+#include <ldap.h>
+
+static const char* dllname = "plugin.so";
+
+char *global_issuer_dn = "o=Netscape Communications, c=US";
+
+#define NSPR_INIT(Program) (PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 8))
+
+static int ldapu_certinfo_save_test (const char *fname, const char *old_fname)
+{
+ int rv;
+
+ /* Read the original certmap config file first */
+ rv = ldaputil_init(old_fname, dllname, NULL, NULL, NULL);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_save_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ rv = ldapu_certinfo_save(fname, old_fname, "certmap.tmp");
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_save_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ }
+
+ return rv;
+}
+
+static int ldapu_certinfo_delete_test (const char *fname, const char *old_fname)
+{
+ int rv;
+
+ /* Read the original certmap config file first */
+ rv = ldaputil_init(old_fname, dllname, NULL, NULL, NULL);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_delete_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ /* rv = ldapu_certinfo_delete("o=Ace Industry, c=US"); */
+ rv = ldapu_certinfo_delete("o=Netscape Communications, c=US");
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_delete failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ rv = ldapu_certinfo_save(fname, old_fname, "certmap.tmp");
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_delete_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ }
+
+ return rv;
+}
+
+static int ldapu_certinfo_new_test (const char *fname, const char *old_fname)
+{
+ int rv;
+ LDAPUPropValList_t *propval_list;
+ LDAPUPropVal_t *propval;
+
+ /* Read the original certmap config file first */
+ rv = ldaputil_init(old_fname, dllname, NULL, NULL, NULL);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_new_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ /* Setup propval_list */
+ rv = ldapu_list_alloc(&propval_list);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_propval_alloc("prop1", "val1", &propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_list_add_info(propval_list, propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_propval_alloc("prop2", "val2", &propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_list_add_info(propval_list, propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_propval_alloc("prop3", 0, &propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_list_add_info(propval_list, propval);
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ rv = ldapu_certinfo_modify("newmap", "o=Mcom Communications, c=US",
+ propval_list);
+
+ ldapu_propval_list_free(propval_list);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_delete failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ rv = ldapu_certinfo_save(fname, old_fname, "certmap.tmp");
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "ldapu_certinfo_new_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ }
+
+ return rv;
+}
+
+static int get_dbnames_test (const char *mapfile)
+{
+ char **names;
+ int cnt;
+ int rv;
+ int i;
+
+ rv = dbconf_get_dbnames(mapfile, &names, &cnt);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "get_dbnames_test failed. Reason: %s\n",
+ ldapu_err2string(rv));
+ }
+ else {
+ for(i = 0; i < cnt; i++) {
+ fprintf(stderr, "\tdbname[%d] = \"%s\"\n",
+ i, names[i]);
+ }
+ }
+
+ dbconf_free_dbnames(names);
+
+ return rv;
+}
+
+static int case_ignore_strcmp (const char *s1, const char *s2)
+{
+ int ls1, ls2; /* tolower values of chars in s1 & s2 resp. */
+
+ if (!s1) return !s2 ? 0 : 0-tolower(*s2);
+ else if (!s2) return tolower(*s1);
+
+ while(*s1 && *s2 && (ls1 = tolower(*s1)) == (ls2 = tolower(*s2))) { s1++; s2++; }
+
+ if (!*s1)
+ return *s2 ? 0-tolower(*s2) : 0;
+ else if (!*s2)
+ return tolower(*s1);
+ else
+ return ls1 - ls2;
+}
+
+#define STRCASECMP3(s1, s2, rv) \
+{ \
+ int i = case_ignore_strcmp(s1, s2); \
+ fprintf(stderr, "strcasecmp(\"%s\", \"%s\")\t=\t%d\t%s\tExpected: %d\n", \
+ s1 ? s1 : "<NULL>", s2 ? s2 : "<NULL>", \
+ i, i == rv ? "SUCCESS" : "FAILED", rv); \
+}
+
+#ifndef XP_WIN32
+#define STRCASECMP(s1, s2) STRCASECMP3(s1, s2, strcasecmp(s1, s2))
+#else
+#define STRCASECMP(s1, s2) STRCASECMP3(s1, s2, case_ignore_strcmp(s1, s2))
+#endif
+
+static void strcasecmp_test ()
+{
+ STRCASECMP3(0, "aBcD", 0-tolower('a'));
+ STRCASECMP3(0, 0, 0);
+ STRCASECMP3("aBcD", 0, tolower('a'));
+
+ STRCASECMP("AbCd", "aBcD");
+ STRCASECMP("AbCd", "abcd");
+ STRCASECMP("ABCD", "ABCD");
+ STRCASECMP("abcd", "abcd");
+
+ STRCASECMP("AbCd", "aBcD3");
+ STRCASECMP("AbCd", "abcd3");
+ STRCASECMP("ABCD", "ABCD3");
+ STRCASECMP("abcd", "abcd3");
+
+ STRCASECMP("AbCd1", "aBcD");
+ STRCASECMP("AbCd2", "abcd");
+ STRCASECMP("ABCDX", "ABCD");
+ STRCASECMP("abcdY", "abcd");
+
+ STRCASECMP("AbCd5", "aBcD1");
+ STRCASECMP("AbCd5", "abcd1");
+ STRCASECMP("ABCD5", "ABCD1");
+ STRCASECMP("abcd5", "abcd1");
+
+ STRCASECMP("AbCd2", "aBcDp");
+ STRCASECMP("AbCd2", "abcdQ");
+ STRCASECMP("ABCD2", "ABCDr");
+ STRCASECMP("abcd2", "abcdS");
+}
+
+static int certmap_tests (const char *config_file) { return 0; }
+
+static int read_config_test (const char *config_file, const char *dbname,
+ const char *url,
+ const char *binddn, const char *bindpw)
+{
+ int rv;
+ DBConfDBInfo_t *db_info;
+ char *dn;
+ char *pw;
+
+ rv = dbconf_read_default_dbinfo(config_file, &db_info);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "config_test failed: %s\n",
+ ldapu_err2string(rv));
+ return LDAPU_FAILED;
+ }
+
+ if (strcmp(db_info->dbname, dbname) ||
+ strcmp(db_info->url, url)) {
+ fprintf(stderr, "config_test failed: %s\n",
+ "first line in config file is wrong");
+ return LDAPU_FAILED;
+ }
+
+ if ((ldapu_dbinfo_attrval(db_info, "binddn", &dn) != LDAPU_SUCCESS) ||
+ (ldapu_dbinfo_attrval(db_info, "bindpw", &pw) != LDAPU_SUCCESS))
+ {
+ fprintf(stderr, "config_test failed: %s\n",
+ "properties are missing");
+ return LDAPU_FAILED;
+ }
+
+ if (strcmp(dn, binddn) ||
+ strcmp(pw, bindpw)) {
+ fprintf(stderr, "config_test failed: %s\n",
+ "property values are wrong");
+ return LDAPU_FAILED;
+ }
+
+ fprintf(stderr, "binddn from config file: \"%s\"\n", dn);
+ fprintf(stderr, "bindpw from config file: \"%s\"\n", pw);
+
+ /* cleanup */
+ dbconf_free_dbinfo(db_info);
+ free(dn);
+ free(pw);
+
+ return LDAPU_SUCCESS;
+}
+
+static int config_test (const char *binddn, const char *bindpw)
+{
+ char *config_file = "config_out.conf";
+ FILE *fp = fopen(config_file, "w");
+ const char *dbname = "default";
+ const char *url = "file:/foobar/path";
+ int rv;
+
+ if (!fp) return LDAPU_FAILED;
+
+ dbconf_output_db_directive(fp, dbname, url);
+ dbconf_output_propval(fp, dbname, "binddn", binddn, 0);
+ dbconf_output_propval(fp, dbname, "bindpw", bindpw, 1);
+
+ fclose(fp);
+
+ fprintf(stderr, "Config file written: %s\n", config_file);
+
+ rv = read_config_test(config_file, dbname, url, binddn, bindpw);
+
+ return rv;
+}
+
+static int
+compare_groupid(const void *arg, const char *group, const int len)
+{
+ auto const char* groupid = (const char*)arg;
+ auto int err = LDAPU_FAILED;
+ if (len == strlen (groupid) && !strncasecmp (groupid, group, len)) {
+ err = LDAPU_SUCCESS;
+ }
+ return err;
+}
+
+static int
+compare_group(LDAP* directory, LDAPMessage* entry, void* set)
+{
+ auto int err = LDAPU_FAILED;
+ auto char** vals = ldap_get_values (directory, entry, "CN");
+ if (vals) {
+ auto char** val;
+ for (val = vals; *val; ++val) {
+ if (!strcasecmp (*val, (char*)set)) {
+ err = LDAPU_SUCCESS;
+ break;
+ }
+ }
+ ldap_value_free (vals);
+ }
+ return err;
+}
+
+int perform_test (int argc, char *argv[])
+{
+ int test_type;
+ int retval = LDAPU_SUCCESS;
+ DBConfDBInfo_t *db_info;
+ LDAPDatabase_t *ldb;
+ LDAP *ld;
+ char *dbmap_file = "dblist.conf";
+ char *binddn = 0;
+ char *bindpw = 0;
+ char *basedn;
+ int retry = 1;
+ int rv;
+
+ fprintf(stderr, "\nStart of test: ./auth %s \"%s\" \"%s\"\n",
+ argv[1], argv[2], argv[3]);
+
+ rv = dbconf_read_default_dbinfo(dbmap_file, &db_info);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "Error reading dbmap file \"%s\". Reason: %s\n",
+ dbmap_file, ldapu_err2string(rv));
+ return rv;
+ }
+
+ ldapu_dbinfo_attrval (db_info, LDAPU_ATTR_BINDDN, &binddn);
+ ldapu_dbinfo_attrval (db_info, LDAPU_ATTR_BINDPW, &bindpw);
+
+ rv = ldapu_url_parse (db_info->url, binddn, bindpw, &ldb);
+ free(binddn);
+ free(bindpw);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "Error parsing ldap url \"%s\". Reason: %s\n",
+ db_info->url, ldapu_err2string(rv));
+ return rv;
+ }
+
+ basedn = ldb->basedn;
+
+ test_type = atoi(argv[1]);
+
+ retry = 1;
+
+ while(retry) {
+ retry = 0;
+
+ rv = ldapu_ldap_init_and_bind (ldb);
+
+ if (rv != LDAPU_SUCCESS) {
+ fprintf(stderr, "Error initializing connection to LDAP. Reason: %s\n",
+ ldapu_err2string(rv));
+ return rv;
+ }
+
+ ld = ldb->ld;
+
+ switch(test_type) {
+ case 1:
+ fprintf(stderr, "\nuserdn:\t\t\"%s\"\ngroupdn:\t\"%s\"\n",
+ argv[2], argv[3]);
+ retval = ldapu_auth_userdn_groupdn(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 2:
+ fprintf(stderr, "\nuid:\t\t\"%s\"\ngroupdn:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_uid_groupdn(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 3:
+ fprintf(stderr, "\nuid:\t\t\"%s\"\ngroupid:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_uid_groupid(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 4:
+ fprintf(stderr, "\nuserdn:\t\t\"%s\"\ngroupid:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_userdn_groupid(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 5:
+ fprintf(stderr, "\nuserdn:\t\t\"%s\"\nattrFilter:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_userdn_attrfilter(ld, argv[2], argv[3]);
+ break;
+
+ case 6:
+ fprintf(stderr, "\nuid:\t\t\"%s\"\nattrFilter:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_uid_attrfilter(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 7:
+ fprintf(stderr, "\nuserdn:\t\t\"%s\"\npassword:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_userdn_password(ld, argv[2], argv[3]);
+ break;
+
+ case 8:
+ fprintf(stderr, "\nuid:\t\t\"%s\"\npassword:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_uid_password(ld, argv[2], argv[3], basedn);
+ break;
+
+ case 9: {
+ /* plugin test */
+ LDAPMessage *entry = 0;
+ LDAPMessage *res = 0;
+
+ fprintf(stderr, "Cert Map issuer DN: \"%s\"\n", argv[2]);
+ fprintf(stderr, "Cert Map subject DN: \"%s\"\n", argv[3]);
+ retval = ldaputil_init("certmap.conf", dllname, NULL, NULL, NULL);
+
+ if (retval != LDAPU_SUCCESS) {
+ fprintf(stderr, "Cert Map info test failed. Reason: %s\n",
+ ldapu_err2string(retval));
+ break;
+ }
+
+ if (*(argv[2]))
+ global_issuer_dn = argv[2];
+ else
+ global_issuer_dn = 0;
+
+ retval = ldapu_cert_to_ldap_entry(argv[3], ld, ldb->basedn, &res);
+
+ if (retval == LDAPU_SUCCESS) {
+ char *dn;
+
+ entry = ldap_first_entry(ld, res);
+ dn = ldap_get_dn(ld, entry);
+ fprintf(stderr, "Matched entry to cert: \"%s\"\n", dn);
+ ldap_memfree(dn);
+ }
+ else if (retval == LDAPU_FAILED) {
+ /* Not an error but couldn't map the cert */
+ }
+ else {
+ fprintf(stderr, "Cert Map info test failed. Reason: %s\n",
+ ldapu_err2string(retval));
+ break;
+ }
+
+ /* TEMPORARY -- when & how to free the entry */
+ if (res) ldap_msgfree(res);
+
+ break;
+ } /* case 9 */
+
+ case 10:
+ if ((retval = config_test(argv[2], argv[3])) == LDAPU_SUCCESS) {
+ fprintf(stderr, "Config file test succeeded\n");
+ }
+ else {
+ fprintf(stderr, "Config file test failed\n");
+ }
+ break;
+
+ case 11:
+ retval = get_dbnames_test(argv[2]);
+ break;
+
+ case 12:
+ retval = ldapu_certinfo_save_test(argv[2], argv[3]);
+ break;
+
+ case 13:
+ retval = ldapu_certinfo_delete_test(argv[2], argv[3]);
+ break;
+
+ case 14:
+ retval = ldapu_certinfo_new_test(argv[2], argv[3]);
+ break;
+
+ case 15:
+ fprintf(stderr, "\nuserdn:\t\t\"%s\"\ngroupid:\t\"%s\"\n", argv[2], argv[3]);
+ {
+ auto LDAPU_DNList_t* userDNs = ldapu_DNList_alloc();
+ ldapu_DNList_add(userDNs, argv[2]);
+ retval = ldapu_auth_usercert_groups(ld, basedn, userDNs, NULL,
+ argv[3], compare_group, 30, NULL);
+ ldapu_DNList_free(userDNs);
+ }
+ break;
+
+ case 16:
+ fprintf(stderr, "\nuserCert:\t\"%s\"\ngroupid:\t\"%s\"\n", argv[2], argv[3]);
+ retval = ldapu_auth_usercert_groupids(ld, NULL/*userDN*/, argv[2], argv[3],
+ compare_groupid, basedn, NULL/*group_out*/);
+ break;
+
+ } /* switch */
+
+ if (retval == LDAP_SERVER_DOWN) {
+ /* retry */
+ retry = 1;
+ ldb->ld = 0;
+ }
+ else if (retval == LDAPU_SUCCESS) {
+ fprintf(stderr, "Authentication succeeded.\n");
+ }
+ else {
+ fprintf(stderr, "Authentication failed.\n");
+ }
+ }
+
+ /* cleanup */
+// ldapu_free_LDAPDatabase_t(ldb);
+// dbconf_free_dbinfo(db_info);
+// ldaputil_exit();
+ return retval;
+}
+
+int main (int argc, char *argv[])
+{
+ int rv;
+
+ NSPR_INIT("auth");
+
+ if (argc != 4) {
+ fprintf(stderr, "argc = %d\n", argc);
+ fprintf(stderr, "usage: %s test_type user_dn group_dn\n", argv[0]);
+ fprintf(stderr, "\t%s 1 <userdn> <groupdn>\n", argv[0]);
+ fprintf(stderr, "\t%s 2 <uid> <groupdn>\n", argv[0]);
+ fprintf(stderr, "\t%s 3 <uid> <groupid>\n", argv[0]);
+ fprintf(stderr, "\t%s 4 <userdn> <groupid>\n", argv[0]);
+ fprintf(stderr, "\t%s 5 <userdn> <attrFilter>\n", argv[0]);
+ fprintf(stderr, "\t%s 6 <uid> <attrFilter>\n", argv[0]);
+ fprintf(stderr, "\t%s 7 <userdn> <password>\n", argv[0]);
+ fprintf(stderr, "\t%s 8 <uid> <password>\n", argv[0]);
+ fprintf(stderr, "\t%s 9 <certmap.conf> <subjectDN>\n", argv[0]);
+ fprintf(stderr, "\t%s 10 <binddn> <bindpw>\n", argv[0]);
+ fprintf(stderr, "\t%s 11 <dbmap> <ignore>\n", argv[0]);
+ fprintf(stderr, "\t%s 12 <newconfig> <oldconfig> ... to test save\n", argv[0]);
+ fprintf(stderr, "\t%s 13 <newconfig> <oldconfig> ... to test delete\n", argv[0]);
+ fprintf(stderr, "\t%s 14 <newconfig> <oldconfig> ... to test add\n", argv[0]);
+ fprintf(stderr, "\t%s 15 <userdn> <groupid>\n", argv[0]);
+ fprintf(stderr, "\t%s 16 <userCertDescription> <groupid>\n", argv[0]);
+ exit(LDAP_PARAM_ERROR);
+ }
+
+ rv = perform_test(argc, argv);
+ /* PR_Exit(); */
+
+ return rv;
+}
+
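Review bot: In get_dbnames_test, `names` is declared without an initializer and is still passed to `dbconf_free_dbnames(names)` on the failure path. Unless dbconf_get_dbnames always stores to it before returning an error (not visible in this diff), the free operates on an indeterminate pointer. Declare it as `char **names = NULL;` and move the `dbconf_free_dbnames(names);` call into the success branch. Separately, the `switch(test_type)` in perform_test has no default case and `retval` starts as LDAPU_SUCCESS, so an unrecognised number from `atoi(argv[1])` prints "Authentication succeeded." and returns success. Adding `default: retval = LDAP_PARAM_ERROR; break;` makes the harness fail closed.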
diff --git a/lib/ldaputil/utest/authtest b/lib/ldaputil/utest/authtest
new file mode 100755
index 00000000..c713349b
--- /dev/null
+++ b/lib/ldaputil/utest/authtest
@@ -0,0 +1,106 @@
+#!/bin/ksh
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+# setup for test
+USERDN="cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+USER2DN="cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+
+UID="hmiller"
+U2ID="scarter"
+
+GROUPDN="cn=Directory Administrators, o=Ace Industry, c=US"
+GROUPID="Directory Administrators"
+
+ATTRFILTER="mail=hmiller@aceindustry.com"
+ATTR2FILTER="mail=scarter@aceindustry.com"
+
+function check_result {
+ echo "\nStart of test: $1 $2 \"$3\" \"$4\""
+ if ( `$1 $2 "$3" "$4"` ) then
+ if [ $5 == "fail" ]; then
+ echo "**** Test Failed ****";
+ else
+ echo "Test Succeeded";
+ fi
+ else
+ if [ $5 == "fail" ]; then
+ echo "Test Succeeded";
+ else
+ echo "**** Test Failed ****";
+ fi
+ fi
+}
+
+function must_fail {
+ check_result $1 $2 "$3" "$4" "fail";
+}
+
+function must_succeed {
+ check_result $1 $2 "$3" "$4" "success";
+}
+
+# test for <userdn> <groupdn>
+must_succeed ./auth 1 "${USERDN}" "${GROUPDN}"
+must_fail ./auth 1 "${USER2DN}" "${GROUPDN}"
+
+# test for <uid> <groupdn>
+must_succeed ./auth 2 "${UID}" "${GROUPDN}"
+must_fail ./auth 2 "${U2ID}" "${GROUPDN}"
+
+# test for <uid> <groupid>
+must_succeed ./auth 3 "${UID}" "${GROUPID}"
+must_fail ./auth 3 "${U2ID}" "${GROUPID}"
+
+# test for <userdn> <groupid>
+must_succeed ./auth 4 "${USERDN}" "${GROUPID}"
+must_fail ./auth 4 "${USER2DN}" "${GROUPID}"
+must_succeed ./auth 15 "${USERDN}" "${GROUPID}"
+must_fail ./auth 15 "${USER2DN}" "${GROUPID}"
+must_succeed ./auth 16 "{${USERDN}" "${GROUPID}"
+must_fail ./auth 16 "{${USER2DN}" "${GROUPID}"
+
+# test for <userdn> <attrFilter>
+must_succeed ./auth 5 "${USERDN}" "${ATTRFILTER}"
+must_fail ./auth 5 "${USERDN}" "${ATTR2FILTER}"
+must_fail ./auth 5 "${USER2DN}" "${ATTRFILTER}"
+
+# test for <uid> <attrFilter>
+must_succeed ./auth 6 "${UID}" "${ATTRFILTER}"
+must_fail ./auth 6 "${UID}" "${ATTR2FILTER}"
+must_fail ./auth 6 "${U2ID}" "${ATTRFILTER}"
+
+# test for <userdn> <password>
+must_succeed ./auth 7 "${USERDN}" "hillock"
+must_fail ./auth 7 "${USERDN}" "garbage"
+
+# test for <uid> <password>
+must_succeed ./auth 8 "${UID}" "hillock"
+must_fail ./auth 8 "${UID}" "garbage"
+
+#test for cert to ldap entry mapping
+must_succeed ./auth 9 "o=Ace Industry, c=US" "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+#must_fail ./auth 9 "default" "cn=Kirsten Vaughan, o=Ace Industry, c=US"
+
+# test for encode/decode bindpw
+must_succeed ./auth 10 "cn=Foo Bar, o=Netscape Communication, c=US" "foobar"
+
+# test for reading dbnames from dbswitch.conf file
+must_succeed ./auth 11 dblist.conf ignore
+
+# test for saving certmap info
+must_succeed ./auth 12 certmap.new certmap.conf
+cat certmap.conf certmap.new 1>&2
+
+# test for delete certmap info
+must_succeed ./auth 13 certmap.new certmap.conf
+cat certmap.conf certmap.new 1>&2
+
+# test for add certmap info
+must_succeed ./auth 14 certmap.new certmap.conf
+cat certmap.conf certmap.new 1>&2
+
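Review bot: The condition in check_result wraps the command in backquotes inside a subshell, so anything `./auth` printed on stdout would itself be executed as a command. The test only behaves as intended because auth writes everything to stderr. Run the command directly and branch on its exit status: `if "$1" "$2" "$3" "$4"; then`. The two `[ $5 == "fail" ]` tests should also quote the parameter, `[ "$5" = "fail" ]`, so an empty or multi-word fifth argument cannot break the comparison.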
diff --git a/lib/ldaputil/utest/certmap.conf b/lib/ldaputil/utest/certmap.conf
new file mode 100644
index 00000000..53ab6fca
--- /dev/null
+++ b/lib/ldaputil/utest/certmap.conf
@@ -0,0 +1,36 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+#default:DNComps o, ou ,c
+#default:FilterComps cn
+
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+#default1:verifycert
+
+# Following line has trailing spaces
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
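Review bot: `default1:library ./plugin.so` names the plugin by a path relative to the working directory, so which shared object is loaded depends on where the test is started (presumably it goes to the platform's dynamic loader unchanged; the loading code is not in this diff). That is fine for a fixture run from this directory, but the file is likely to be copied as a sample. A comment above the directive would help, for example `# test fixture: relative path resolves against the cwd; use an absolute path outside the unit test`.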
diff --git a/lib/ldaputil/utest/dblist.conf b/lib/ldaputil/utest/dblist.conf
new file mode 100644
index 00000000..c38580ac
--- /dev/null
+++ b/lib/ldaputil/utest/dblist.conf
@@ -0,0 +1,15 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+
+directory default ldap://:3334/o=Airius.com
+directory default1 ldap:///o=Ace Industry, c=US
+directory default2 ldap:///o=Ace Industry, c=US
+directory default3 ldap:///o=Ace Industry, c=US
+directory default4 ldap:///o=Ace Industry, c=US
+directory default5 ldap:///o=Ace Industry, c=US
+directory default6 ldap:///o=Ace Industry, c=US
diff --git a/lib/ldaputil/utest/example.c b/lib/ldaputil/utest/example.c
new file mode 100644
index 00000000..185fbe51
--- /dev/null
+++ b/lib/ldaputil/utest/example.c
@@ -0,0 +1,116 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <stdio.h>
+
+#include <certmap.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* The init function must be defined extern "C" if using a C++ compiler */
+int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+static int extract_ldapdn_and_filter (const char *subjdn, void *certmap_info,
+ char **ldapDN, char **filter)
+{
+ /* extract the ldapDN and filter from subjdn */
+ /* You can also use the ldapu_certmap_info_attrval function to get value
+ of a config file parameter for the certmap_info. */
+ return LDAPU_SUCCESS;
+}
+
+static int plugin_mapping_fn (void *cert, LDAP *ld, void *certmap_info,
+ char **ldapDN, char **filter)
+{
+ char *subjdn;
+ int rv;
+
+ fprintf(stderr, "plugin_mapping_fn called.\n");
+ rv = ldapu_get_cert_subject_dn(cert, &subjdn);
+
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ *ldapDN = 0;
+ *filter = 0;
+
+ rv = extract_ldapdn_and_filter(subjdn, certmap_info, ldapDN, filter);
+
+ if (rv != LDAPU_SUCCESS) {
+ /* This function must return LDAPU_FAILED or
+ LDAPU_CERT_MAP_FUNCTION_FAILED on error */
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+
+ return LDAPU_SUCCESS;
+}
+
+static int plugin_cmp_certs (void *subject_cert,
+ void *entry_cert_binary,
+ unsigned long entry_cert_len)
+{
+ /* compare the certs */
+ return LDAPU_SUCCESS;
+}
+
+static int plugin_verify_fn (void *cert, LDAP *ld, void *certmap_info,
+ LDAPMessage *res, LDAPMessage **entry_out)
+{
+ LDAPMessage *entry;
+ struct berval **bvals;
+ char *cert_attr = "userCertificate;binary";
+ int i;
+ int rv;
+
+ fprintf(stderr, "plugin_verify_fn called.\n");
+ *entry_out = 0;
+
+ for (entry = ldap_first_entry(ld, res); entry != NULL;
+ entry = ldap_next_entry(ld, entry))
+ {
+ if ((bvals = ldap_get_values_len(ld, entry, cert_attr)) == NULL) {
+ rv = LDAPU_CERT_VERIFY_FUNCTION_FAILED;
+ /* Maybe one of the remaining entries will match */
+ continue;
+ }
+
+ for ( i = 0; bvals[i] != NULL; i++ ) {
+ rv = plugin_cmp_certs (cert,
+ bvals[i]->bv_val,
+ bvals[i]->bv_len);
+
+ if (rv == LDAPU_SUCCESS) {
+ break;
+ }
+ }
+
+ ldap_value_free_len(bvals);
+
+ if (rv == LDAPU_SUCCESS) {
+ *entry_out = entry;
+ break;
+ }
+ }
+
+ return rv;
+}
+
+int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN)
+{
+ fprintf(stderr, "plugin_init_fn called.\n");
+ ldapu_set_cert_mapfn(issuerDN, plugin_mapping_fn);
+ ldapu_set_cert_verifyfn(issuerDN, plugin_verify_fn);
+ return LDAPU_SUCCESS;
+}
+
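Review bot: plugin_verify_fn returns `rv` without ever assigning it when `res` holds no entries, and it compares a stale or indeterminate `rv` against LDAPU_SUCCESS when an entry's `bvals` array is empty. The result of the verify callback is therefore undefined in exactly the cases where nothing matched. Initialise it to the failure code: `int rv = LDAPU_CERT_VERIFY_FUNCTION_FAILED;`. Because this file is the template plugin authors start from, the placeholder `plugin_cmp_certs` would also be safer returning `LDAPU_FAILED` until a real comparison is written, rather than accepting every certificate.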
diff --git a/lib/ldaputil/utest/plugin.c b/lib/ldaputil/utest/plugin.c
new file mode 100644
index 00000000..29f7765b
--- /dev/null
+++ b/lib/ldaputil/utest/plugin.c
@@ -0,0 +1,115 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+#include <plugin.h> /* must define extern "C" functions */
+#include <certmap.h> /* Public Certmap API */
+
+static CertSearchFn_t default_searchfn = 0;
+
+static int plugin_attr_val (void *cert, int which_dn, const char *attr)
+{
+ char **val;
+ int rv = ldapu_get_cert_ava_val(cert, which_dn, attr, &val);
+ char **attr_val = val; /* preserve the pointer for free */
+
+ if (rv != LDAPU_SUCCESS || !val) {
+ fprintf(stderr, "\t%s: *** Failed ***\n", attr);
+ }
+ else if (!*val) {
+ fprintf(stderr, "\t%s: *** Empty ***\n", attr);
+ }
+ else {
+ fprintf(stderr, "\t%s: \"%s\"", attr, *val++);
+ while(*val) {
+ fprintf(stderr, ", \"%s\"", *val++);
+ }
+ fprintf(stderr, "\n");
+ }
+
+ ldapu_free_cert_ava_val(attr_val);
+
+ return LDAPU_SUCCESS;
+}
+
+static int plugin_mapping_fn (void *cert, LDAP *ld, void *certmap_info,
+ char **ldapDN, char **filter)
+{
+ char *subjdn;
+ char *issuerDN;
+ char *ptr;
+ char *comma;
+
+ fprintf(stderr, "plugin_mapping_fn called.\n");
+ ldapu_get_cert_subject_dn(cert, &subjdn);
+ ldapu_get_cert_issuer_dn(cert, &issuerDN);
+
+ fprintf(stderr, "Value of attrs from subject DN & issuer DN:\n");
+ fprintf(stderr, "\tCert: \"%s\"\n", (char *)cert);
+ fprintf(stderr, "\tsubjdn: \"%s\"\n", subjdn);
+ plugin_attr_val(cert, LDAPU_SUBJECT_DN, "cn");
+ plugin_attr_val(cert, LDAPU_SUBJECT_DN, "ou");
+ plugin_attr_val(cert, LDAPU_SUBJECT_DN, "o");
+ plugin_attr_val(cert, LDAPU_SUBJECT_DN, "c");
+ fprintf(stderr, "\tissuerDN: \"%s\"\n", issuerDN);
+ plugin_attr_val(cert, LDAPU_ISSUER_DN, "cn");
+ plugin_attr_val(cert, LDAPU_ISSUER_DN, "ou");
+ plugin_attr_val(cert, LDAPU_ISSUER_DN, "o");
+ plugin_attr_val(cert, LDAPU_ISSUER_DN, "c");
+
+ if (subjdn && *subjdn) {
+ comma = ptr = strchr(subjdn, ',');
+
+ while(*ptr == ',' || isspace(*ptr)) ptr++;
+ *ldapDN = strdup(ptr);
+
+ /* Set filter to the first AVA in the subjdn */
+ *filter = subjdn;
+ *comma = 0;
+ }
+ else {
+ *ldapDN = 0;
+ *filter = 0;
+ }
+
+ return LDAPU_SUCCESS;
+}
+
+static int plugin_search_fn (void *cert, LDAP *ld, void *certmap_info,
+ const char *basedn,
+ const char *dn, const char *filter,
+ const char **attrs, LDAPMessage **res)
+{
+ fprintf(stderr, "plugin_search_fn called.\n");
+ return (*default_searchfn)(cert, ld, certmap_info, basedn, dn, filter,
+ attrs, res);
+}
+
+static int plugin_verify_fn (void *cert, LDAP *ld, void *certmap_info,
+ LDAPMessage *res, LDAPMessage **entry)
+{
+ fprintf(stderr, "plugin_verify_fn called.\n");
+ *entry = ldap_first_entry(ld, res);
+ return LDAPU_SUCCESS;
+}
+
+int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN)
+{
+ fprintf(stderr, "plugin_init_fn called.\n");
+ ldapu_set_cert_mapfn(issuerDN, plugin_mapping_fn);
+ ldapu_set_cert_verifyfn(issuerDN, plugin_verify_fn);
+
+ if (!default_searchfn)
+ default_searchfn = ldapu_get_cert_searchfn(issuerDN);
+
+ ldapu_set_cert_searchfn(issuerDN, plugin_search_fn);
+ return LDAPU_SUCCESS;
+}
+
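Review bot: In plugin_mapping_fn, `strchr(subjdn, ',')` returns NULL for a subject DN that has a single RDN, and the following lines dereference `ptr` and write `*comma = 0` unconditionally. The subject DN comes from the certificate being mapped, so the plugin does not control that input. Check the result before use, for example `if (!comma) { *ldapDN = 0; *filter = subjdn; return LDAPU_SUCCESS; }` right after the strchr. The return values of `ldapu_get_cert_subject_dn` and `ldapu_get_cert_issuer_dn` are also ignored, which leaves `subjdn` and `issuerDN` unset if either call fails without storing a result. In addition, `isspace(*ptr)` should be given `(unsigned char)*ptr`.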
diff --git a/lib/ldaputil/utest/plugin.h b/lib/ldaputil/utest/plugin.h
new file mode 100644
index 00000000..124a121a
--- /dev/null
+++ b/lib/ldaputil/utest/plugin.h
@@ -0,0 +1,20 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _CERTMAP_PLUGIN_H
+#define _CERTMAP_PLUGIN_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _CERTMAP_PLUGIN_H */
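Review bot: The include guard `_CERTMAP_PLUGIN_H` begins with an underscore followed by an uppercase letter, which is a name reserved for the implementation in both C and C++. A guard such as `CERTMAP_PLUGIN_H` avoids any clash with system headers; the closing `#endif` comment would change to match.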
diff --git a/lib/ldaputil/utest/stubs.c b/lib/ldaputil/utest/stubs.c
new file mode 100644
index 00000000..03717331
--- /dev/null
+++ b/lib/ldaputil/utest/stubs.c
@@ -0,0 +1,107 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#include <ctype.h> /* isspace */
+#include <string.h>
+#include <stdio.h> /* sprintf */
+#include <stdlib.h> /* malloc */
+
+#include <ldap.h>
+#include <ldaputil/certmap.h>
+#include <ldaputil/cert.h>
+#include <ldaputil/errors.h>
+
+#define BIG_LINE 1024
+
+NSAPI_PUBLIC int ldapu_get_cert_subject_dn (void *cert_in, char **subjectDN)
+{
+ char *cert = (char *)cert_in;
+
+ *subjectDN = strdup((char *)cert);
+ return *subjectDN ? LDAPU_SUCCESS : LDAPU_FAILED;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_issuer_dn (void *cert, char **issuerDN)
+{
+ extern char *global_issuer_dn;
+ /* TEMPORARY -- not implemented yet*/
+ *issuerDN = global_issuer_dn ? strdup(global_issuer_dn) : 0;
+ return LDAPU_SUCCESS;
+}
+
+/* A stub to remove link errors -- ignore SSL */
+LDAP *ldapssl_init (const char *host, int port, int secure)
+{
+ LDAP *ld = 0;
+
+ if ((ld = ldap_init(host, port)) == NULL) {
+ fprintf(stderr, "ldap_init: Failed to initialize connection");
+ return(0);
+ }
+
+ return ld;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_ava_val (void *cert_in, int which_dn,
+ const char *attr, char ***val_out)
+{
+ int rv;
+ char *cert_dn;
+ char **ptr;
+ char **val;
+ char *dnptr;
+ char attr_eq1[BIG_LINE];
+ char attr_eq2[BIG_LINE];
+ char *comma;
+
+ *val_out = 0;
+
+ if (which_dn == LDAPU_SUBJECT_DN)
+ rv = ldapu_get_cert_subject_dn(cert_in, &cert_dn);
+ else if (which_dn == LDAPU_ISSUER_DN)
+ rv = ldapu_get_cert_issuer_dn(cert_in, &cert_dn);
+ else
+ return LDAPU_ERR_INVALID_ARGUMENT;
+
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ val = (char **)malloc(32*sizeof(char *));
+
+ if (!val) return LDAPU_ERR_OUT_OF_MEMORY;
+
+ ptr = val;
+ sprintf(attr_eq1, "%s =", attr);
+ sprintf(attr_eq2, "%s=", attr);
+
+ while(cert_dn &&
+ ((dnptr = strstr(cert_dn, attr_eq1)) ||
+ (dnptr = strstr(cert_dn, attr_eq2))))
+ {
+ dnptr = strchr(dnptr, '=');
+ dnptr++;
+ while(isspace(*dnptr)) dnptr++;
+ comma = strchr(dnptr, ',');
+
+ if (comma) {
+ *ptr = (char *)malloc((comma-dnptr+1)*sizeof(char));
+ strncpy(*ptr, dnptr, (comma-dnptr));
+ (*ptr++)[comma-dnptr] = 0;
+ }
+ else {
+ *ptr++ = strdup(dnptr);
+ }
+ cert_dn = comma;
+ }
+
+ *ptr = 0;
+ *val_out = val;
+ return LDAPU_SUCCESS;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_der (void *cert_in, unsigned char **der,
+ unsigned int *len)
+{
+ return LDAPU_FAILED;
+}
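Review bot: In `ldapu_get_cert_ava_val` the result array is allocated with a fixed 32 slots, but the `while` loop stores one pointer per matching AVA with no bound, and the closing `*ptr = 0` needs a slot as well, so a DN with 32 or more matches writes past the allocation. The two `sprintf` calls into the `BIG_LINE` buffers are likewise unbounded in the length of `attr`. I would bound both: add `ptr < val + 31 &&` to the loop condition and use `snprintf(attr_eq1, sizeof attr_eq1, "%s =", attr);` (same for `attr_eq2`). The per-value `malloc` result is also passed to `strncpy` unchecked, and the `cert_dn` copy returned by the subject/issuer helper is never freed. The same function body is repeated in stubs.cpp and needs the same change.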
diff --git a/lib/ldaputil/utest/stubs.cpp b/lib/ldaputil/utest/stubs.cpp
new file mode 100644
index 00000000..92e6f978
--- /dev/null
+++ b/lib/ldaputil/utest/stubs.cpp
@@ -0,0 +1,102 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#include <ctype.h> /* isspace */
+#include <string.h>
+#include <stdio.h> /* sprintf */
+#include <stdlib.h> /* malloc */
+
+#include <ldaputil/ldaputil.h>
+#include <ldaputil/cert.h>
+#include <ldaputil/errors.h>
+#include "../ldaputili.h"
+
+#define BIG_LINE 1024
+
+NSAPI_PUBLIC int ldapu_get_cert_subject_dn (void *cert_in, char **subjectDN)
+{
+ char *cert = (char *)cert_in;
+
+ *subjectDN = strdup((char *)cert);
+ return *subjectDN ? LDAPU_SUCCESS : LDAPU_FAILED;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_issuer_dn (void *cert, char **issuerDN)
+{
+ /* TEMPORARY -- not implemented yet*/
+ *issuerDN = strdup("o=Netscape Communications, c=US");
+ return *issuerDN ? LDAPU_SUCCESS : LDAPU_FAILED;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_ava_val (void *cert_in, int which_dn,
+ const char *attr, char ***val_out)
+{
+ int rv;
+ char *cert_dn;
+ char **ptr;
+ char **val;
+ char *dnptr;
+ char attr_eq1[BIG_LINE];
+ char attr_eq2[BIG_LINE];
+ char *comma;
+
+ *val_out = 0;
+
+ if (which_dn == LDAPU_SUBJECT_DN)
+ rv = ldapu_get_cert_subject_dn(cert_in, &cert_dn);
+ else if (which_dn == LDAPU_ISSUER_DN)
+ rv = ldapu_get_cert_issuer_dn(cert_in, &cert_dn);
+ else
+ return LDAPU_ERR_INVALID_ARGUMENT;
+
+ if (rv != LDAPU_SUCCESS) return rv;
+
+ val = (char **)malloc(32*sizeof(char *));
+
+ if (!val) return LDAPU_ERR_OUT_OF_MEMORY;
+
+ ptr = val;
+ sprintf(attr_eq1, "%s =", attr);
+ sprintf(attr_eq2, "%s=", attr);
+
+ while(cert_dn &&
+ ((dnptr = strstr(cert_dn, attr_eq1)) ||
+ (dnptr = strstr(cert_dn, attr_eq2))))
+ {
+ dnptr = strchr(dnptr, '=');
+ dnptr++;
+ while(isspace(*dnptr)) dnptr++;
+ comma = strchr(dnptr, ',');
+
+ if (comma) {
+ *ptr = (char *)malloc((comma-dnptr+1)*sizeof(char));
+ strncpy(*ptr, dnptr, (comma-dnptr));
+ (*ptr++)[comma-dnptr] = 0;
+ }
+ else {
+ *ptr++ = strdup(dnptr);
+ }
+ cert_dn = comma;
+ }
+
+ *ptr = 0;
+ *val_out = val;
+ return LDAPU_SUCCESS;
+}
+
+NSAPI_PUBLIC int ldapu_get_cert_der (void *cert_in, unsigned char **der,
+ unsigned int *len)
+{
+ return LDAPU_FAILED;
+}
+
+int
+ldapu_member_certificate_match (void* cert, const char* desc)
+{
+ if (!strcasecmp ((char*)cert, desc)) {
+ return LDAPU_SUCCESS;
+ }
+ return LDAPU_FAILED;
+}
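Review bot: `ldapu_member_certificate_match` hands `cert` and `desc` to `strcasecmp` without checking either for NULL, so a missing certificate string crashes the test instead of returning `LDAPU_FAILED`; a guard such as `if (!cert || !desc) return LDAPU_FAILED;` before the comparison would fix that. POSIX declares `strcasecmp` in `<strings.h>`, which is not among the includes at the top of this file, so the call appears to rely on `<string.h>` or a project header declaring it. Adding `#include <strings.h> /* strcasecmp */` on the platforms that provide it would make the dependency explicit.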
diff --git a/lib/ldaputil/utest/test.ref b/lib/ldaputil/utest/test.ref
new file mode 100644
index 00000000..fae39056
--- /dev/null
+++ b/lib/ldaputil/utest/test.ref
@@ -0,0 +1,448 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+
+Start of test: ./auth 1 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "cn=Directory Administrators, o=Ace Industry, c=US"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+groupdn: "cn=Directory Administrators, o=Ace Industry, c=US"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US) (member=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+Authentication succeeded.
+
+Start of test: ./auth 1 "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US" "cn=Directory Administrators, o=Ace Industry, c=US"
+
+userdn: "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+groupdn: "cn=Directory Administrators, o=Ace Industry, c=US"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Find parent groups of "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US)) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 2 "hmiller" "cn=Directory Administrators, o=Ace Industry, c=US"
+
+uid: "hmiller"
+groupdn: "cn=Directory Administrators, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=hmiller"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US) (member=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+Authentication succeeded.
+
+Start of test: ./auth 2 "scarter" "cn=Directory Administrators, o=Ace Industry, c=US"
+
+uid: "scarter"
+groupdn: "cn=Directory Administrators, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=scarter"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Find parent groups of "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US)) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 3 "hmiller" "Directory Administrators"
+
+uid: "hmiller"
+groupid: "Directory Administrators"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (cn=Directory Administrators) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=hmiller"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US) (member=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+Authentication succeeded.
+
+Start of test: ./auth 3 "scarter" "Directory Administrators"
+
+uid: "scarter"
+groupid: "Directory Administrators"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (cn=Directory Administrators) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=scarter"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Find parent groups of "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US)) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 4 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "Directory Administrators"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+groupid: "Directory Administrators"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (cn=Directory Administrators) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US) (member=cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+Authentication succeeded.
+
+Start of test: ./auth 4 "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US" "Directory Administrators"
+
+userdn: "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+groupid: "Directory Administrators"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (cn=Directory Administrators) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ base: "cn=Directory Administrators, o=Ace Industry, c=US"
+ filter: "(| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US))"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Find parent groups of "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (| (uniquemember=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US) (member=cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US)) (| (objectclass=groupofuniquenames) (objectclass=groupofnames)))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 5 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "mail=hmiller@aceindustry.com"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+attrFilter: "mail=hmiller@aceindustry.com"
+ base: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ filter: "mail=hmiller@aceindustry.com"
+ scope: "LDAP_SCOPE_BASE"
+Authentication succeeded.
+
+Start of test: ./auth 5 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "mail=scarter@aceindustry.com"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+attrFilter: "mail=scarter@aceindustry.com"
+ base: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ filter: "mail=scarter@aceindustry.com"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 5 "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US" "mail=hmiller@aceindustry.com"
+
+userdn: "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+attrFilter: "mail=hmiller@aceindustry.com"
+ base: "cn=Sam Carter, ou=Accounting, o=Ace Industry, c=US"
+ filter: "mail=hmiller@aceindustry.com"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 6 "hmiller" "mail=hmiller@aceindustry.com"
+
+uid: "hmiller"
+attrFilter: "mail=hmiller@aceindustry.com"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (uid=hmiller) (mail=hmiller@aceindustry.com))"
+ scope: "LDAP_SCOPE_SUBTREE"
+Authentication succeeded.
+
+Start of test: ./auth 6 "hmiller" "mail=scarter@aceindustry.com"
+
+uid: "hmiller"
+attrFilter: "mail=scarter@aceindustry.com"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (uid=hmiller) (mail=scarter@aceindustry.com))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 6 "scarter" "mail=hmiller@aceindustry.com"
+
+uid: "scarter"
+attrFilter: "mail=hmiller@aceindustry.com"
+ base: "o=Ace Industry, c=US"
+ filter: "(& (uid=scarter) (mail=hmiller@aceindustry.com))"
+ scope: "LDAP_SCOPE_SUBTREE"
+ldap_search_s: Entry not found
+Authentication failed.
+
+Start of test: ./auth 7 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "hillock"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+password: "hillock"
+ userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ password: "hillock"
+Authentication succeeded.
+
+Start of test: ./auth 7 "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US" "garbage"
+
+userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+password: "garbage"
+ userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ password: "garbage"
+ldap_simple_bind_s: Invalid credentials
+Authentication failed.
+
+Start of test: ./auth 8 "hmiller" "hillock"
+
+uid: "hmiller"
+password: "hillock"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=hmiller"
+ scope: "LDAP_SCOPE_SUBTREE"
+ userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ password: "hillock"
+Authentication succeeded.
+
+Start of test: ./auth 8 "hmiller" "garbage"
+
+uid: "hmiller"
+password: "garbage"
+ base: "o=Ace Industry, c=US"
+ filter: "uid=hmiller"
+ scope: "LDAP_SCOPE_SUBTREE"
+ userdn: "cn=Harry Miller, ou=Human Resources, o=Ace Industry, c=US"
+ password: "garbage"
+ldap_simple_bind_s: Invalid credentials
+Authentication failed.
+
+Start of test: ./auth 9 "o=Ace Industry, c=US" "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+Cert Map issuer DN: "o=Ace Industry, c=US"
+Cert Map subject DN: "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+plugin_init_fn called.
+plugin_init_fn called.
+plugin_mapping_fn called.
+Value of attrs from subject DN & issuer DN:
+ Cert: "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+ subjdn: "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+ cn: "Kirsten Vaughan"
+ ou: "Human Resources"
+ o: "Ace Industry"
+ c: "US"
+ issuerDN: "o=Ace Industry, c=US"
+ cn: *** Empty ***
+ ou: *** Empty ***
+ o: "Ace Industry"
+ c: "US"
+plugin_search_fn called.
+ base: "ou=Human Resources, o=Ace Industry, c=US"
+ filter: "cn=Kirsten Vaughan"
+ scope: "LDAP_SCOPE_BASE"
+ldap_search_s: Entry not found
+ base: "ou=Human Resources, o=Ace Industry, c=US"
+ filter: "cn=Kirsten Vaughan"
+ scope: "LDAP_SCOPE_SUBTREE"
+plugin_verify_fn called.
+Matched entry to cert: "cn=Kirsten Vaughan, ou=Human Resources, o=Ace Industry, c=US"
+Authentication succeeded.
+
+Start of test: ./auth 10 "cn=Foo Bar, o=Netscape Communication, c=US" "foobar"
+Config file written: config_out.conf
+binddn from config file: "cn=Foo Bar, o=Netscape Communication, c=US"
+bindpw from config file: "foobar"
+Config file test succeeded
+Authentication succeeded.
+
+Start of test: ./auth 11 "dblist.conf" "ignore"
+ dbname[0] = "default"
+ dbname[1] = "default1"
+ dbname[2] = "default2"
+ dbname[3] = "default3"
+ dbname[4] = "default4"
+ dbname[5] = "default5"
+ dbname[6] = "default6"
+Authentication succeeded.
+
+Start of test: ./auth 12 "certmap.new" "certmap.conf"
+plugin_init_fn called.
+plugin_init_fn called.
+Authentication succeeded.
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+#default:DNComps o, ou ,c
+#default:FilterComps cn
+
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+#default1:verifycert
+
+# Following line has trailing spaces
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+
+Start of test: ./auth 13 "certmap.new" "certmap.conf"
+plugin_init_fn called.
+plugin_init_fn called.
+Authentication succeeded.
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+#default:DNComps o, ou ,c
+#default:FilterComps cn
+
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+#default1:verifycert
+
+# Following line has trailing spaces
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+
+Start of test: ./auth 14 "certmap.new" "certmap.conf"
+plugin_init_fn called.
+plugin_init_fn called.
+Authentication succeeded.
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+#default:DNComps o, ou ,c
+#default:FilterComps cn
+
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+#default1:verifycert
+
+# Following line has trailing spaces
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+# Comments before any certmap directive - line 1
+# Comments before any certmap directive - line 2
+
+# Comments before any certmap directive - line 3
+# Comments before any certmap directive - line 4
+# Comments before any certmap directive - line 5
+
+
+# Comments before any certmap directive - line 6
+
+certmap default default
+
+certmap default1 o=Netscape Communications, c=US
+default1:library ./plugin.so
+default1:InitFn plugin_init_fn
+default1:DNComps ou o c
+default1:FilterComps l
+
+certmap default2 o=Ace Industry, c=US
+default2:InitFn plugin_init_fn
+default2:DNComps cn o ou c
+default2:FilterComps l
+default2:verifycert on
+
+certmap newmap o=Mcom Communications, c=US
+newmap:prop1 val1
+newmap:prop2 val2
+newmap:prop3
+