+#endif /* HAVE_CYRUS_SASL */
+
+/* Take any sort of identity string and return a DN with the "dn:" prefix. The
+ * string returned in *dn is in its own allocated memory, and must be free'd
+ * by the calling process. -Mark Adamson, Carnegie Mellon
+ *
+ * The "dn:" prefix is no longer used anywhere inside slapd. It is only used
+ * on strings passed in directly from SASL. -Howard Chu, Symas Corp.
+ */
+
+#define SET_NONE 0
+#define SET_DN 1
+#define SET_U 2
+
+int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
+ char *user_realm, struct berval *dn, int flags )
+{
+ int rc, is_dn = SET_NONE, do_norm = 1;
+ struct berval dn2, *mech;
+
+ assert( conn );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG( TRANSPORT, ENTRY,
+ "slap_sasl_getdn: conn %d id=%s [len=%d]\n",
+ conn->c_connid, id ? (*id ? id : "<empty>") : "NULL", len );
+#else
+ Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s [len=%d]\n",
+ id ? ( *id ? id : "<empty>" ) : "NULL", len, 0 );
+#endif
+
+ if ( !op ) {
+ op = conn->c_sasl_bindop;
+ }
+
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+
+ if ( id ) {
+ if ( len == 0 ) len = strlen( id );
+
+ /* Blatantly anonymous ID */
+ if ( len == sizeof("anonymous") - 1 &&
+ !strcasecmp( id, "anonymous" ) ) {
+ return( LDAP_SUCCESS );
+ }
+ } else {
+ len = 0;
+ }
+
+ if ( conn->c_sasl_bind_mech.bv_len ) {
+ mech = &conn->c_sasl_bind_mech;
+ } else {
+ mech = &conn->c_authmech;
+ }
+
+ /* An authcID needs to be converted to authzID form. Set the
+ * values directly into *dn; they will be normalized later. (and
+ * normalizing always makes a new copy.) An ID from a TLS certificate
+ * is already normalized, so copy it and skip normalization.
+ */
+ if( flags & SLAP_GETDN_AUTHCID ) {
+ if( bvmatch( mech, &ext_bv )) {
+ /* EXTERNAL DNs are already normalized */
+ do_norm = 0;
+ is_dn = SET_DN;
+ ber_str2bv_x( id, len, 1, dn, op->o_tmpmemctx );
+
+ } else {
+ /* convert to u:<username> form */
+ is_dn = SET_U;
+ dn->bv_val = id;
+ dn->bv_len = len;
+ }
+ }
+ if( is_dn == SET_NONE ) {
+ if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
+ is_dn = SET_U;
+ dn->bv_val = id+2;
+ dn->bv_len = len-2;
+ } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) {
+ is_dn = SET_DN;
+ dn->bv_val = id+3;
+ dn->bv_len = len-3;
+ }
+ }
+
+ /* No other possibilities from here */
+ if( is_dn == SET_NONE ) {
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+ return( LDAP_INAPPROPRIATE_AUTH );
+ }
+
+ /* Username strings */
+ if( is_dn == SET_U ) {
+ char *p;
+ struct berval realm = { 0, NULL }, c1 = *dn;
+
+ len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
+
+#if 0
+ /* username may have embedded realm name */
+ /* FIXME:
+ * userids can legally have embedded '@' chars;
+ * the realm should be set by those mechanisms
+ * that support it by means of the user_realm
+ * variable
+ */
+ if( ( realm.bv_val = strrchr( dn->bv_val, '@') ) ) {
+ char *r = realm.bv_val;
+
+ realm.bv_val++;
+ realm.bv_len = dn->bv_len - ( realm.bv_val - dn->bv_val );
+ len += sizeof( ",cn=" ) - 2;
+ c1.bv_len -= realm.bv_len + 1;
+
+ if ( strchr( dn->bv_val, '@') == r ) {
+ /* FIXME: ambiguity, is it the realm
+ * or something else? */
+ }
+
+ } else