Diffstat (limited to 'lib/ldaputil/examples')
-rw-r--r--lib/ldaputil/examples/Certmap.mak254
-rw-r--r--lib/ldaputil/examples/Makefile91
-rw-r--r--lib/ldaputil/examples/README97
-rw-r--r--lib/ldaputil/examples/init.c40
-rw-r--r--lib/ldaputil/examples/plugin.c239
-rw-r--r--lib/ldaputil/examples/plugin.h33
6 files changed, 754 insertions, 0 deletions
diff --git a/lib/ldaputil/examples/Certmap.mak b/lib/ldaputil/examples/Certmap.mak
new file mode 100644
index 00000000..618db42b
--- /dev/null
+++ b/lib/ldaputil/examples/Certmap.mak
@@ -0,0 +1,254 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+# Microsoft Developer Studio Generated NMAKE File, Format Version 4.20
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
+
+!IF "$(CFG)" == ""
+CFG=Certmap - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to Certmap - Win32 Debug.
+!ENDIF
+
+!IF "$(CFG)" != "Certmap - Win32 Release" && "$(CFG)" !=\
+ "Certmap - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE on this makefile
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "Certmap.mak" CFG="Certmap - Win32 Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "Certmap - Win32 Release" (based on\
+ "Win32 (x86) Dynamic-Link Library")
+!MESSAGE "Certmap - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
+!MESSAGE
+!ERROR An invalid configuration is specified.
+!ENDIF
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE
+NULL=nul
+!ENDIF
+################################################################################
+# Begin Project
+# PROP Target_Last_Scanned "Certmap - Win32 Debug"
+CPP=cl.exe
+RSC=rc.exe
+MTL=mktyplib.exe
+
+!IF "$(CFG)" == "Certmap - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Target_Dir ""
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "$(OUTDIR)\Certmap.dll"
+
+CLEAN :
+ -@erase "$(INTDIR)\init.obj"
+ -@erase "$(INTDIR)\plugin.obj"
+ -@erase "$(OUTDIR)\Certmap.dll"
+ -@erase "$(OUTDIR)\Certmap.exp"
+ -@erase "$(OUTDIR)\Certmap.lib"
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MT /W3 /GX /O2 /I "c:\netscape\suitespot\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /YX /c
+CPP_PROJ=/nologo /MT /W3 /GX /O2 /I "c:\netscape\suitespot\include" /D "WIN32"\
+ /D "NDEBUG" /D "_WINDOWS" /Fp"$(INTDIR)/Certmap.pch" /YX /Fo"$(INTDIR)/" /c
+CPP_OBJS=.\Release/
+CPP_SBRS=.\.
+# ADD BASE MTL /nologo /D "NDEBUG" /win32
+# ADD MTL /nologo /D "NDEBUG" /win32
+MTL_PROJ=/nologo /D "NDEBUG" /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+BSC32_FLAGS=/nologo /o"$(OUTDIR)/Certmap.bsc"
+BSC32_SBRS= \
+
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /machine:I386
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib\
+ odbccp32.lib /nologo /subsystem:windows /dll /incremental:no\
+ /pdb:"$(OUTDIR)/Certmap.pdb" /machine:I386 /out:"$(OUTDIR)/Certmap.dll"\
+ /implib:"$(OUTDIR)/Certmap.lib"
+LINK32_OBJS= \
+ "$(INTDIR)\init.obj" \
+ "$(INTDIR)\plugin.obj" \
+ "C:\Netscape\SuiteSpot\lib\nsldap32v10.lib"
+
+"$(OUTDIR)\Certmap.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ELSEIF "$(CFG)" == "Certmap - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Target_Dir ""
+OUTDIR=.\Debug
+INTDIR=.\Debug
+
+ALL : "$(OUTDIR)\Certmap.dll"
+
+CLEAN :
+ -@erase "$(INTDIR)\init.obj"
+ -@erase "$(INTDIR)\plugin.obj"
+ -@erase "$(INTDIR)\vc40.idb"
+ -@erase "$(INTDIR)\vc40.pdb"
+ -@erase "$(OUTDIR)\Certmap.dll"
+ -@erase "$(OUTDIR)\Certmap.exp"
+ -@erase "$(OUTDIR)\Certmap.ilk"
+ -@erase "$(OUTDIR)\Certmap.lib"
+ -@erase "$(OUTDIR)\Certmap.pdb"
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+# ADD CPP /nologo /MTd /W3 /Gm /GX /Zi /Od /I "c:\netscape\suitespot\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /YX /c
+CPP_PROJ=/nologo /MTd /W3 /Gm /GX /Zi /Od /I "c:\netscape\suitespot\include" /D\
+ "WIN32" /D "_DEBUG" /D "_WINDOWS" /Fp"$(INTDIR)/Certmap.pch" /YX\
+ /Fo"$(INTDIR)/" /Fd"$(INTDIR)/" /c
+CPP_OBJS=.\Debug/
+CPP_SBRS=.\.
+# ADD BASE MTL /nologo /D "_DEBUG" /win32
+# ADD MTL /nologo /D "_DEBUG" /win32
+MTL_PROJ=/nologo /D "_DEBUG" /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+BSC32_FLAGS=/nologo /o"$(OUTDIR)/Certmap.bsc"
+BSC32_SBRS= \
+
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:windows /dll /debug /machine:I386
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib\
+ advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib\
+ odbccp32.lib /nologo /subsystem:windows /dll /incremental:yes\
+ /pdb:"$(OUTDIR)/Certmap.pdb" /debug /machine:I386 /out:"$(OUTDIR)/Certmap.dll"\
+ /implib:"$(OUTDIR)/Certmap.lib"
+LINK32_OBJS= \
+ "$(INTDIR)\init.obj" \
+ "$(INTDIR)\plugin.obj" \
+ "C:\Netscape\SuiteSpot\lib\nsldap32v10.lib"
+
+"$(OUTDIR)\Certmap.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+
+!ENDIF
+
+.c{$(CPP_OBJS)}.obj:
+ $(CPP) $(CPP_PROJ) $<
+
+.cpp{$(CPP_OBJS)}.obj:
+ $(CPP) $(CPP_PROJ) $<
+
+.cxx{$(CPP_OBJS)}.obj:
+ $(CPP) $(CPP_PROJ) $<
+
+.c{$(CPP_SBRS)}.sbr:
+ $(CPP) $(CPP_PROJ) $<
+
+.cpp{$(CPP_SBRS)}.sbr:
+ $(CPP) $(CPP_PROJ) $<
+
+.cxx{$(CPP_SBRS)}.sbr:
+ $(CPP) $(CPP_PROJ) $<
+
+################################################################################
+# Begin Target
+
+# Name "Certmap - Win32 Release"
+# Name "Certmap - Win32 Debug"
+
+!IF "$(CFG)" == "Certmap - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Certmap - Win32 Debug"
+
+!ENDIF
+
+################################################################################
+# Begin Source File
+
+SOURCE=.\plugin.c
+DEP_CPP_PLUGI=\
+ ".\plugin.h"\
+ "c:\netscape\suitespot\include\certmap.h"\
+ "c:\netscape\suitespot\include\lber.h"\
+ "c:\netscape\suitespot\include\ldap.h"\
+ {$(INCLUDE)}"\sys\types.h"\
+
+
+"$(INTDIR)\plugin.obj" : $(SOURCE) $(DEP_CPP_PLUGI) "$(INTDIR)"
+
+
+# End Source File
+################################################################################
+# Begin Source File
+
+SOURCE=.\init.c
+DEP_CPP_INIT_=\
+ ".\plugin.h"\
+ "c:\netscape\suitespot\include\certmap.h"\
+ "c:\netscape\suitespot\include\lber.h"\
+ "c:\netscape\suitespot\include\ldap.h"\
+ {$(INCLUDE)}"\sys\types.h"\
+
+
+"$(INTDIR)\init.obj" : $(SOURCE) $(DEP_CPP_INIT_) "$(INTDIR)"
+
+
+# End Source File
+################################################################################
+# Begin Source File
+
+SOURCE=C:\Netscape\SuiteSpot\lib\nsldap32v10.lib
+
+!IF "$(CFG)" == "Certmap - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Certmap - Win32 Debug"
+
+!ENDIF
+
+# End Source File
+# End Target
+# End Project
+################################################################################
diff --git a/lib/ldaputil/examples/Makefile b/lib/ldaputil/examples/Makefile
new file mode 100644
index 00000000..4e8b1b4e
--- /dev/null
+++ b/lib/ldaputil/examples/Makefile
@@ -0,0 +1,91 @@
+#
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+#
+# Makefile for certmap example program.
+#
+
+#
+# Please set the ARCH variable to one of the following:
+# SOLARIS, IRIX, HPUX
+#
+ARCH =
+
+
+#
+# Please set the SROOT to be same as your server root
+#
+SROOT =
+
+#
+# Uncomment the following if you need the debug build
+#
+#COMMON_DEFS = -g
+
+ifndef ARCH
+arch:
+ @echo "Please edit the Makefile and set the variable: ARCH"
+ @exit 1
+endif
+
+ifndef SROOT
+sroot:
+ @echo "Please edit the Makefile and set the server root variable: SROOT"
+ @exit 1
+endif
+
+ifeq ($(ARCH), SOLARIS)
+CC_CMD = cc -DSOLARIS -D_REENTRANT
+LD_SHAREDCMD = ld -G
+endif
+
+ifeq ($(ARCH), IRIX)
+CC_CMD = cc
+LD_SHAREDCMD = ld -32 -shared
+endif
+
+ifeq ($(ARCH), HPUX)
+ BIN = certmap.sl
+else
+ BIN = certmap.so
+endif
+
+OBJS = init.o plugin.o
+
+INCLUDE_FLAGS=-I. -I$(SROOT)/include
+
+INC_FILES = \
+ $(SROOT)/include/certmap.h \
+ $(SROOT)/include/ldap.h \
+ $(SROOT)/include/lber.h
+
+all: $(BIN)
+
+$(INC_FILES):
+ @echo
+ @echo "To extend the Certificate to LDAP entry mapping by"
+ @echo "writing your own functions, you need to download the"
+ @echo "Certmap API (version 1.0) and LDAP SDK (version 1.0)."
+ @echo "Please download these from http://???"
+ @echo "Make sure the following files exist:"
+ @echo "\t$(SROOT)/include/certmap.h"
+ @echo "\t$(SROOT)/include/ldap.h"
+ @echo "\t$(SROOT)/include/lber.h"
+ @echo
+ @exit 1
+
+$(BIN): $(INC_FILES) $(OBJS)
+ $(LD_SHAREDCMD) $(OBJS) -o $@ $(EXTRA_LDDEFINES)
+
+certmap.dll: $(OBJS)
+ $(LD_SHAREDCMD) $(OBJS) -o $@ $(EXTRA_LDDEFINES)
+
+.c.o:
+ $(CC_CMD) $(COMMON_DEFS) $(INCLUDE_FLAGS) -c $<
+
+clean:
+ rm -f $(OBJS) certmap.so $(EXTRA_CLEAN)
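Review bot: The `clean` target hard-codes `certmap.so`, so on HPUX, where `BIN` is set to `certmap.sl`, the built library is left behind; `rm -f $(OBJS) $(BIN) $(EXTRA_CLEAN)` would follow whatever `BIN` resolves to. The header comment also lists HPUX as a valid `ARCH`, but only the SOLARIS and IRIX branches define `CC_CMD` and `LD_SHAREDCMD`, so an HPUX build would run the `.c.o` rule and the link rule with empty commands. Either add an `ifeq ($(ARCH), HPUX)` block that defines both variables or drop HPUX from the list of supported values.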
diff --git a/lib/ldaputil/examples/README b/lib/ldaputil/examples/README
new file mode 100644
index 00000000..626ef2c9
--- /dev/null
+++ b/lib/ldaputil/examples/README
@@ -0,0 +1,97 @@
+# BEGIN COPYRIGHT BLOCK
+# Copyright 2001 Sun Microsystems, Inc.
+# Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+#
+
+This directory contains an example program to demonstrate
+writing plugins using the "Certificate to LDAP Mapping" API.
+Please read the "Managing Netscape Servers" manual to find out
+about how certificate to ldap mapping can be configured using
+the <ServerRoot>/userdb/certmap.conf file. Also refer to the
+"Certificate to LDAP Mapping API" documentation to find out
+about the various API functions and how you can write your
+plugin.
+
+This example demonstrate use of most of the API functions. It
+defines a mapping function, a search function, and a verify
+function. Read the API doc to learn about these functions.
+The init.c file also contains an init function which sets the
+mapping, search and verify functions.
+
+The Mapping Function
+--------------------
+
+The mapping function extracts the attributes "CN", "E", "O" and
+"C" from the certificate's subject DN using the function
+ldapu_get_cert_ava_val. If the attributes "C" doesn't exists
+then it defaults to "US". It then gets the value of a custom
+certmap.conf property "defaultOU" using the function
+ldapu_certmap_info_attrval. This demonstrates how you can have
+your own custom properties defined in the certmap.conf file.
+The mapping function then returns an ldapdn of the form:
+"cn=<name>, ou=<defaultOU>, o=<o>, c=<c>".
+
+If the "E" attribute has a value, it returns a filter
+"mail=<e>". Finally, the mapping function frees the structures
+returned by some of the API functions it called.
+
+
+The Search Function
+-------------------
+
+The search function calls a dummy function to get the
+certificate's serial number. It then does a subtree search in
+the entire directory for the filter
+"certSerialNumber=<serial No.>". If this fails, it calls the
+default search function. This demonstrates how you can use the
+default functions in your custom functions.
+
+The Verify Function
+-------------------
+
+The verify function returns LDAPU_SUCCESS if only one entry was
+returned by the search function. Otherwise, it returns
+LDAPU_CERT_VERIFY_FUNCTION_FAILED.
+
+
+Error Reporting
+---------------
+
+To report errors/warning, there is a function defined called
+plugin_ereport. This function demonstrates how to get the
+subject DN and the issuer DN from the certificate.
+
+Build Procedure
+---------------
+On UNIX: Edit the Makefile, and set the variables ARCH & SROOT
+according to the comments in the Makefile. Download LDAP SDK
+from the Netscape's DevEdge site and make the ldap include
+files available in <SROOT>/include. Copy the
+../include/certmap.h file to the <SROOT>/include directory.
+Use 'gmake' to build the plugin. A shared library plugin.so
+(plugin.sl on HP) will be created in the current directory.
+
+On NT: Execute the following command:
+NMAKE /f "Certmap.mak" CFG="Certmap - Win32 Debug"
+Certmap.dll will be created in the Debug subdirectory.
+
+Certmap.conf Configuration
+--------------------------
+Save a copy of certmap.conf file.
+Change the certmap.conf file as follows:
+
+certmap default default
+default:defaultOU marketing
+default:library <path to the shared library>
+default:InitFn plugin_init_fn
+
+
+After experimenting with this example, restore the old copy of
+certmap.conf file. Or else, set the certmap.conf file as follows:
+
+certmap default default
+default:DNComps
+default:FilterComps e, mail, uid
+default:VerifyCert on
diff --git a/lib/ldaputil/examples/init.c b/lib/ldaputil/examples/init.c
new file mode 100644
index 00000000..fc606dd9
--- /dev/null
+++ b/lib/ldaputil/examples/init.c
@@ -0,0 +1,40 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "certmap.h" /* Public Certmap API */
+#include "plugin.h" /* must define extern "C" functions */
+
+
+NSAPI_PUBLIC int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN, const char *libname)
+{
+ static int initialized = 0;
+ int rv;
+
+ /* Make sure CertmapDLLInit is initialized only once */
+ if (!initialized) {
+#ifdef WIN32
+ CertmapDLLInit(rv, libname);
+
+ if (rv != LDAPU_SUCCESS) return rv;
+#endif
+ initialized = 1;
+ }
+
+ fprintf(stderr, "plugin_init_fn called.\n");
+ ldapu_set_cert_mapfn(issuerDN, plugin_mapping_fn);
+ ldapu_set_cert_verifyfn(issuerDN, plugin_verify_fn);
+
+ if (!default_searchfn)
+ default_searchfn = ldapu_get_cert_searchfn(issuerDN);
+
+ ldapu_set_cert_searchfn(issuerDN, plugin_search_fn);
+ return LDAPU_SUCCESS;
+}
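Review bot: The result of `ldapu_get_cert_searchfn(issuerDN)` is stored in `default_searchfn` without a check, yet plugin_search_fn in plugin.c calls `(*default_searchfn)(...)` unconditionally when the serial-number search matches nothing. If the lookup can return NULL (not visible from this hunk), that is a call through a null function pointer in the server's certificate-authentication path. A guard placed before `ldapu_set_cert_searchfn`, such as `if (!default_searchfn) return LDAPU_FAILED;`, would fail initialization instead; use whichever failure code certmap.h defines for init functions. The `if (!default_searchfn)` test also keeps the default obtained for the first issuer and reuses it for every later `issuerDN`, which deserves a comment if it is intended.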
diff --git a/lib/ldaputil/examples/plugin.c b/lib/ldaputil/examples/plugin.c
new file mode 100644
index 00000000..4e4adfaf
--- /dev/null
+++ b/lib/ldaputil/examples/plugin.c
@@ -0,0 +1,239 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "certmap.h" /* Public Certmap API */
+#include "plugin.h" /* must define extern "C" functions */
+
+#ifdef WIN32
+CertmapDLLInitFnTbl /* Initialize Certmap Function Table */
+#endif
+
+CertSearchFn_t default_searchfn = 0;
+
+
+/* plugin_ereport -
+ This function prints an error message to stderr. It prints the issuerDN
+ and subjectDN alongwith the given message.
+ */
+static void plugin_ereport (const char *msg, void *cert)
+{
+ int rv;
+ char *subjectDN;
+ char *issuerDN;
+ char *default_subjectDN = "Failed to get the subject DN";
+ char *default_issuerDN = "Failed to get the issuer DN";
+
+ rv = ldapu_get_cert_subject_dn(cert, &subjectDN);
+
+ if (rv != LDAPU_SUCCESS || !subjectDN) {
+ subjectDN = default_subjectDN;
+ }
+
+ rv = ldapu_get_cert_issuer_dn(cert, &issuerDN);
+
+ if (rv != LDAPU_SUCCESS || !issuerDN) {
+ issuerDN = default_issuerDN;
+ }
+
+ fprintf(stderr, "%s. Issuer: %s, Subject: %s\n", msg, issuerDN,
+ subjectDN);
+
+ if (default_subjectDN != subjectDN) ldapu_free(subjectDN);
+ if (default_issuerDN != issuerDN) ldapu_free(issuerDN);
+}
+
+
+/* plugin_mapping_fn -
+ This mapping function extracts "CN", "O" and "C" attributes from the
+ subject DN to form ldapDN. It inserts "ou=<defaultOU>" between the
+ "CN" and the "O" attr-value pair. The <defaultOU> can be configured in
+ the certmap.conf config file.
+ If the "C" attr is absent, it defaults to "US".
+ It extracts the "E" attribute to form the filter.
+ */
+int plugin_mapping_fn (void *cert, LDAP *ld, void *certmap_info,
+ char **ldapDN, char **filter)
+{
+ char **cn_val; /* get this from the cert */
+ char **o_val; /* get this from the cert */
+ char **c_val; /* get this from the cert */
+ char **e_val; /* get this from the cert */
+ char *ou_val; /* get this from the config file */
+ int len;
+ int rv;
+
+ fprintf(stderr, "plugin_mapping_fn called.\n");
+
+ rv = ldapu_get_cert_ava_val(cert, LDAPU_SUBJECT_DN, "CN", &cn_val);
+
+ if (rv != LDAPU_SUCCESS || !cn_val) {
+ plugin_ereport("plugin_mapping_fn: Failed to extract \"CN\" from the cert", cert);
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+
+ rv = ldapu_get_cert_ava_val(cert, LDAPU_SUBJECT_DN, "O", &o_val);
+
+ if (rv != LDAPU_SUCCESS || !o_val) {
+ plugin_ereport("plugin_mapping_fn: Failed to extract \"O\" from the cert", cert);
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+
+ rv = ldapu_get_cert_ava_val(cert, LDAPU_SUBJECT_DN, "C", &c_val);
+
+ if (rv != LDAPU_SUCCESS || !c_val) {
+ plugin_ereport("plugin_mapping_fn: Failed to extract \"C\" from the cert", cert);
+ }
+
+ rv = ldapu_get_cert_ava_val(cert, LDAPU_SUBJECT_DN, "E", &e_val);
+
+ if (rv != LDAPU_SUCCESS || !e_val) {
+ /* Don't return error -- just print the warning */
+ plugin_ereport("plugin_mapping_fn: Failed to extract \"E\" from the cert", cert);
+ }
+
+ /* Get the "OU" from the "defaultOU" property from the config file */
+ rv = ldapu_certmap_info_attrval(certmap_info, "defaultOU", &ou_val);
+
+ if (rv != LDAPU_SUCCESS || !ou_val) {
+ plugin_ereport("plugin_mapping_fn: Failed to get \"defaultOU\" from the configuration", cert);
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+
+ len = strlen("cn=, ou=, o=, c=") + strlen(cn_val[0]) + strlen(ou_val) +
+ strlen(o_val[0]) + (c_val ? strlen(c_val[0]) : strlen("US")) + 1;
+ *ldapDN = (char *)ldapu_malloc(len);
+
+ if (!*ldapDN) {
+ plugin_ereport("plugin_mapping_fn: Ran out of memory", cert);
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+
+ if (e_val) {
+ len = strlen("mail=") + strlen(e_val[0]) + 1;
+ *filter = (char *)ldapu_malloc(len);
+
+ if (!*filter) {
+ free(*ldapDN);
+ plugin_ereport("plugin_mapping_fn: Ran out of memory", cert);
+ return LDAPU_CERT_MAP_FUNCTION_FAILED;
+ }
+ sprintf(*filter, "mail=%s", e_val[0]);
+ }
+ else {
+ *filter = 0;
+ }
+
+ sprintf(*ldapDN, "cn=%s, ou=%s, o=%s, c=%s", cn_val[0], ou_val,
+ o_val[0], c_val ? c_val[0] : "US");
+
+ ldapu_free_cert_ava_val(cn_val);
+ ldapu_free_cert_ava_val(o_val);
+ ldapu_free_cert_ava_val(c_val);
+ ldapu_free_cert_ava_val(e_val);
+ ldapu_free(ou_val);
+
+ fprintf(stderr, "plugin_mapping_fn Returned:\n\tldapDN: \"%s\"\n\tfilter: \"%s\"\n",
+ *ldapDN, *filter ? *filter : "<NULL>");
+
+ return LDAPU_SUCCESS;
+}
+
+
+int plugin_cert_serial_number (void *cert)
+{
+ /* Just a stub function. You can get the DER encoded cert by using the
+ function ldapu_get_cert_der:
+ */
+ unsigned char *derCert;
+ unsigned int len;
+ int rv;
+ int sno;
+
+ rv = ldapu_get_cert_der(cert, &derCert, &len);
+
+ /* extract the serial number from derCert */
+ sno = 43534754; /* a fake value for now */
+
+ ldapu_free((char *)derCert);
+
+ return sno;
+}
+
+/* plugin_search_fn -
+ This function first does a search based on the cert's serial number.
+ If that fails, it calls the default search function.
+ */
+int plugin_search_fn (void *cert, LDAP *ld, void *certmap_info,
+ const char *suffix,
+ const char *ldapdn, const char *filter,
+ const char **attrs, LDAPMessage **res)
+{
+ int rv;
+ char snoFilter[256];
+
+ fprintf(stderr, "plugin_search_fn called.\n");
+ sprintf(snoFilter, "certSerialNumber=%d",
+ plugin_cert_serial_number(cert));
+
+ /* Search the entire LDAP tree for "certSerialNumber=<serial No.>" */
+ rv = ldap_search_s(ld, suffix, LDAP_SCOPE_SUBTREE, snoFilter,
+ (char **)attrs, 0, res);
+
+ /* ldap_search_s returns LDAP_SUCCESS (rather than LDAPU_SUCCESS)
+ if there is no error but there may not be any matching entries.
+ */
+ if (rv == LDAP_SUCCESS) {
+ /* There was no error but check if any entries matched */
+ int numEntries = ldap_count_entries(ld, *res);
+
+ if (numEntries > 0) {
+ /* at least one entry matched */
+ /* change the return value to LDAPU_SUCCESS from LDAP_SUCCESS */
+ rv = LDAPU_SUCCESS;
+ }
+ else {
+ /* Try the default search function */
+ rv = (*default_searchfn)(cert, ld, certmap_info, suffix, ldapdn,
+ filter, attrs, res);
+ }
+ }
+
+ /* It's ok to return the error code from ldap_search_s */
+ return rv;
+}
+
+/*
+ plugin_verify_fn -
+ This function returns success if only one entry exists in 'res'.
+ */
+int plugin_verify_fn (void *cert, LDAP *ld, void *certmap_info,
+ LDAPMessage *res, LDAPMessage **entry)
+{
+ int rv;
+ int numEntries;
+
+ fprintf(stderr, "plugin_verify_fn called.\n");
+ numEntries = ldap_count_entries(ld, res);
+
+ if (numEntries == 1) {
+ *entry = ldap_first_entry(ld, res);
+ rv = LDAPU_SUCCESS;
+ }
+ else {
+ plugin_ereport("plugin_verify_fn: Failing because multiple entries matched.",
+ cert);
+ *entry = 0;
+ rv = LDAPU_CERT_VERIFY_FUNCTION_FAILED;
+ }
+
+ return rv;
+}
+
+
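Review bot: plugin_mapping_fn writes values taken from the certificate subject straight into the search filter (`sprintf(*filter, "mail=%s", e_val[0])`) and into `*ldapDN`, with no escaping. Those values are only as constrained as the issuing CA's policy, so a filter metacharacter in "E" (`*`, `(`, `)`, `\`) changes which entries the later search can match, and plugin_verify_fn accepts any single returned entry without comparing it to the presented certificate. The filter value should be escaped per RFC 4515 as sketched below, and the DN components need the RFC 4514 equivalent before they are formatted into `*ldapDN`. Separately, the `*filter` allocation-failure path calls `free(*ldapDN)` on memory obtained from `ldapu_malloc`; `ldapu_free(*ldapDN);` matches the allocator used in the rest of the file.

```c
/* Length of v once RFC 4515 filter metacharacters are written as \XX. */
static size_t filter_escaped_len (const char *v)
{
    size_t n = 0;

    for (; *v; v++)
        n += strchr("*()\\", *v) ? 3 : 1;
    return n;
}

/* Copy v to dst, writing '*', '(', ')' and '\' as \2a, \28, \29 and \5c. */
static void filter_escape (char *dst, const char *v)
{
    for (; *v; v++) {
        if (strchr("*()\\", *v))
            dst += sprintf(dst, "\\%02x", (unsigned char)*v);
        else
            *dst++ = *v;
    }
    *dst = '\0';
}

/* … unchanged: plugin_mapping_fn up to the e_val branch … */
    if (e_val) {
        len = strlen("mail=") + filter_escaped_len(e_val[0]) + 1;
        /* … unchanged: ldapu_malloc of *filter and the out-of-memory check … */
        strcpy(*filter, "mail=");
        filter_escape(*filter + strlen("mail="), e_val[0]);
    }
```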
diff --git a/lib/ldaputil/examples/plugin.h b/lib/ldaputil/examples/plugin.h
new file mode 100644
index 00000000..f73ab377
--- /dev/null
+++ b/lib/ldaputil/examples/plugin.h
@@ -0,0 +1,33 @@
+/** BEGIN COPYRIGHT BLOCK
+ * Copyright 2001 Sun Microsystems, Inc.
+ * Portions copyright 1999, 2001-2003 Netscape Communications Corporation.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+#ifndef _CERTMAP_PLUGIN_H
+#define _CERTMAP_PLUGIN_H
+
+extern CertSearchFn_t default_searchfn;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern int plugin_mapping_fn (void *cert, LDAP *ld, void *certmap_info,
+ char **ldapDN, char **filter);
+
+extern int plugin_search_fn (void *cert, LDAP *ld, void *certmap_info,
+ const char *basedn,
+ const char *dn, const char *filter,
+ const char **attrs, LDAPMessage **res);
+
+extern int plugin_verify_fn (void *cert, LDAP *ld, void *certmap_info,
+ LDAPMessage *res, LDAPMessage **entry);
+
+NSAPI_PUBLIC int plugin_init_fn (void *certmap_info, const char *issuerName,
+ const char *issuerDN, const char *dllname);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _CERTMAP_PLUGIN_H */
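Review bot: plugin.h uses `CertSearchFn_t`, `LDAP`, `LDAPMessage` and `NSAPI_PUBLIC` but includes nothing itself, so it compiles only when the including file has already pulled in certmap.h, as init.c and plugin.c do. Adding `#include "certmap.h"` right after the include guard would make the header self-contained, assuming certmap.h is what provides the LDAP types, as the two .c files suggest. The guard name `_CERTMAP_PLUGIN_H` begins with an underscore followed by a capital letter, a form C reserves for the implementation; `CERTMAP_PLUGIN_H` avoids that. The prototypes also name the parameters `basedn`/`dn` and `dllname` where the definitions use `suffix`/`ldapdn` and `libname`, and aligning them would spare readers the cross-check.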