Fix ITS#1843, don't deref NULL string in ldap_pvt_str2upper

[openldap] / libraries / libldap / getdn.c
diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c

index 5f3ce02d8e057fd45df7be7486d17e24d68c8309..4dd2279ee5fd0ab31748b52fb4eca7e39aa5c5cf 100644 (file)
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -1,6 +1,6 @@
  /* $OpenLDAP$ */
  /*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
   * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   */
  /*  Portions
@@ -20,17 +20,15 @@
  #include <ac/time.h>
  
  #include "ldap-int.h"
+#include "ldap_schema.h"
  
  /* extension to UFN that turns trailing "dc=value" rdns in DNS style,
   * e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
  #define DC_IN_UFN
-/* #define PRETTY_ESCAPE */
-
-/* from libraries/libldap/schema.c */
-extern char * parse_numericoid(const char **sp, int *code, const int flags);
+#define PRETTY_ESCAPE
  
  /* parsing/printing routines */
-static int str2strval( const char *str, struct berval *val, 
+static int str2strval( const char *str, ber_len_t stoplen, struct berval *val, 
                 const char **next, unsigned flags, unsigned *retFlags );
  static int DCE2strval( const char *str, struct berval *val, 
                 const char **next, unsigned flags );
@@ -86,12 +84,15 @@ ldap_get_dn( LDAP *ld, LDAPMessage *entry )
         char            *dn;
         BerElement      tmp;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_get_dn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_get_dn\n", 0, 0, 0 );
+#endif
  
-       if ( entry == NULL ) {
-               ld->ld_errno = LDAP_PARAM_ERROR;
-               return( NULL );
-       }
+       assert( ld != NULL );
+       assert( LDAP_VALID(ld) );
+       assert( entry != NULL );
  
         tmp = *entry->lm_ber;   /* struct copy */
         if ( ber_scanf( &tmp, "{a" /*}*/, &dn ) == LBER_ERROR ) {
@@ -110,10 +111,14 @@ ldap_dn2ufn( LDAP_CONST char *dn )
  {
         char    *out = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_dn2ufn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_dn2ufn\n", 0, 0, 0 );
+#endif
  
         ( void )ldap_dn_normalize( dn, LDAP_DN_FORMAT_LDAP, 
-                                  &out, LDAP_DN_FORMAT_UFN );
+               &out, LDAP_DN_FORMAT_UFN );
         
         return( out );
  }
@@ -129,7 +134,11 @@ ldap_explode_dn( LDAP_CONST char *dn, int notypes )
         int     iRDN;
         unsigned flag = notypes ? LDAP_DN_FORMAT_UFN : LDAP_DN_FORMAT_LDAPV3;
         
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_explode_dn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_explode_dn\n", 0, 0, 0 );
+#endif
  
         if ( ldap_str2dn( dn, &tmpDN, LDAP_DN_FORMAT_LDAP ) 
                         != LDAP_SUCCESS ) {
@@ -169,14 +178,18 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes )
         const char      *p;
         int             iAVA;
         
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_explode_rdn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_explode_rdn\n", 0, 0, 0 );
+#endif
  
         /*
          * we only parse the first rdn
          * FIXME: we prefer efficiency over checking if the _ENTIRE_
          * dn can be parsed
          */
-       if ( ldap_str2rdn( rdn, &tmpRDN, &p, LDAP_DN_FORMAT_LDAP ) 
+       if ( ldap_str2rdn( rdn, &tmpRDN, (char **) &p, LDAP_DN_FORMAT_LDAP ) 
                         != LDAP_SUCCESS ) {
                 return( NULL );
         }
@@ -250,7 +263,11 @@ ldap_dn2dcedn( LDAP_CONST char *dn )
  {
         char    *out = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_dn2dcedn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_dn2dcedn\n", 0, 0, 0 );
+#endif
  
         ( void )ldap_dn_normalize( dn, LDAP_DN_FORMAT_LDAP, 
                                    &out, LDAP_DN_FORMAT_DCE );
@@ -263,7 +280,11 @@ ldap_dcedn2dn( LDAP_CONST char *dce )
  {
         char    *out = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_dcedn2dn\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_dcedn2dn\n", 0, 0, 0 );
+#endif
  
         ( void )ldap_dn_normalize( dce, LDAP_DN_FORMAT_DCE, &out, LDAP_DN_FORMAT_LDAPV3 );
  
@@ -275,7 +296,11 @@ ldap_dn2ad_canonical( LDAP_CONST char *dn )
  {
         char    *out = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_dn2ad_canonical\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_dn2ad_canonical\n", 0, 0, 0 );
+#endif
  
         ( void )ldap_dn_normalize( dn, LDAP_DN_FORMAT_LDAP, 
                        &out, LDAP_DN_FORMAT_AD_CANONICAL );
@@ -301,12 +326,17 @@ ldap_dn2ad_canonical( LDAP_CONST char *dn )
   *     LDAP_DN_FORMAT_AD_CANONICAL     (?)
   */
  int
-ldap_dn_normalize( const char *dnin, unsigned fin, char **dnout, unsigned fout )
+ldap_dn_normalize( LDAP_CONST char *dnin,
+       unsigned fin, char **dnout, unsigned fout )
  {
         int     rc;
         LDAPDN  *tmpDN = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ENTRY, "ldap_dn_normalize\n" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "ldap_dn_normalize\n", 0, 0, 0 );
+#endif
  
         assert( dnout );
  
@@ -353,25 +383,21 @@ ldap_dn_normalize( const char *dnin, unsigned fin, char **dnout, unsigned fout )
   */
  #define LDAP_DN_ASCII_SPACE(c) \
         ( (c) == ' ' || (c) == '\t' || (c) == '\n' || (c) == '\r' )
-#define LDAP_DN_ASCII_LOWER(c)         ( (c) >= 'a' && (c) <= 'z' )
-#define LDAP_DN_ASCII_UPPER(c)         ( (c) >= 'A' && (c) <= 'Z' )
-#define LDAP_DN_ASCII_ALPHA(c) \
-       ( LDAP_DN_ASCII_LOWER(c) || LDAP_DN_ASCII_UPPER(c) )
-#define LDAP_DN_ASCII_DIGIT(c)         ( (c) >= '0' && (c) <= '9' )
-#define LDAP_DN_ASCII_LCASE_HEXALPHA(c)        ( (c) >= 'a' && (c) <= 'f' )
-#define LDAP_DN_ASCII_UCASE_HEXALPHA(c)        ( (c) >= 'A' && (c) <= 'F' )
-#define LDAP_DN_ASCII_HEXDIGIT(c) \
-       ( LDAP_DN_ASCII_DIGIT(c) \
-         || LDAP_DN_ASCII_LCASE_HEXALPHA(c) \
-         || LDAP_DN_ASCII_UCASE_HEXALPHA(c) )
-#define LDAP_DN_ASCII_ALNUM(c) \
-       ( LDAP_DN_ASCII_ALPHA(c) || LDAP_DN_ASCII_DIGIT(c) )
+#define LDAP_DN_ASCII_LOWER(c)         LDAP_LOWER(c)
+#define LDAP_DN_ASCII_UPPER(c)         LDAP_UPPER(c)
+#define LDAP_DN_ASCII_ALPHA(c)         LDAP_ALPHA(c)
+
+#define LDAP_DN_ASCII_DIGIT(c)         LDAP_DIGIT(c)
+#define LDAP_DN_ASCII_LCASE_HEXALPHA(c)        LDAP_HEXLOWER(c)
+#define LDAP_DN_ASCII_UCASE_HEXALPHA(c)        LDAP_HEXUPPER(c)
+#define LDAP_DN_ASCII_HEXDIGIT(c)      LDAP_HEX(c)
+#define LDAP_DN_ASCII_ALNUM(c)         LDAP_ALNUM(c)
  #define LDAP_DN_ASCII_PRINTABLE(c)     ( (c) >= ' ' && (c) <= '~' )
  
  /* attribute type */
-#define LDAP_DN_OID_LEADCHAR(c)                ( LDAP_DN_ASCII_DIGIT(c) )
-#define LDAP_DN_DESC_LEADCHAR(c)       ( LDAP_DN_ASCII_ALPHA(c) )
-#define LDAP_DN_DESC_CHAR(c)           ( LDAP_DN_ASCII_ALNUM(c) || (c) == '-' )
+#define LDAP_DN_OID_LEADCHAR(c)                LDAP_DIGIT(c)
+#define LDAP_DN_DESC_LEADCHAR(c)       LDAP_ALPHA(c)
+#define LDAP_DN_DESC_CHAR(c)           LDAP_LDH(c)
  #define LDAP_DN_LANG_SEP(c)            ( (c) == ';' )
  #define LDAP_DN_ATTRDESC_CHAR(c) \
         ( LDAP_DN_DESC_CHAR(c) || LDAP_DN_LANG_SEP(c) )
@@ -389,10 +415,12 @@ ldap_dn_normalize( const char *dnin, unsigned fin, char **dnout, unsigned fout )
  #define LDAP_DN_NE(c) \
         ( LDAP_DN_RDN_SEP_V2(c) || LDAP_DN_AVA_SEP(c) \
           || LDAP_DN_QUOTES(c) || (c) == '<' || (c) == '>' )
+#define LDAP_DN_MAYESCAPE(c) \
+       ( LDAP_DN_ESCAPE(c) || LDAP_DN_NE(c) \
+         || LDAP_DN_ASCII_SPACE(c) || LDAP_DN_OCTOTHORPE(c) )
  #define LDAP_DN_NEEDESCAPE(c) \
         ( LDAP_DN_ESCAPE(c) || LDAP_DN_NE(c) )
-#define LDAP_DN_NEEDESCAPE_LEAD(c) \
-       ( LDAP_DN_ASCII_SPACE(c) || LDAP_DN_OCTOTHORPE(c) || LDAP_DN_NE(c) )
+#define LDAP_DN_NEEDESCAPE_LEAD(c)     LDAP_DN_MAYESCAPE(c)
  #define LDAP_DN_NEEDESCAPE_TRAIL(c) \
         ( LDAP_DN_ASCII_SPACE(c) || LDAP_DN_NEEDESCAPE(c) )
  #define LDAP_DN_WILLESCAPE_CHAR(c) \
@@ -463,7 +491,7 @@ ldap_dn_normalize( const char *dnin, unsigned fin, char **dnout, unsigned fout )
  #define        LDAP_DC_ATTR    "dc"
  #define        LDAP_DC_ATTRU   "DC"
  #define LDAP_DN_IS_RDN_DC( r ) \
-       ( (r) && (r)[0][0] && !(r)[1] \
+       ( (r) && (r)[0][0] && !(r)[0][1] \
           && ((r)[0][0]->la_flags == LDAP_AVA_STRING) \
           && ((r)[0][0]->la_attr.bv_len == 2) \
           && (((r)[0][0]->la_attr.bv_val[0] == LDAP_DC_ATTR[0]) \
@@ -505,14 +533,18 @@ ldapava_new( const struct berval *attr, const struct berval *val,
         assert( attr );
         assert( val );
  
-       ava = LDAP_MALLOC( sizeof( LDAPAVA ) );
+       ava = LDAP_MALLOC( sizeof( LDAPAVA ) + attr->bv_len + 1 );
         
         /* should we test it? */
         if ( ava == NULL ) {
                 return( NULL );
         }
  
-       ava->la_attr = *attr;
+       ava->la_attr.bv_len = attr->bv_len;
+       ava->la_attr.bv_val = (char *)(ava+1);
+       AC_MEMCPY( ava->la_attr.bv_val, attr->bv_val, attr->bv_len );
+       ava->la_attr.bv_val[attr->bv_len] = '\0';
+
         ava->la_value = *val;
         ava->la_flags = flags;
  
@@ -533,8 +565,11 @@ ldap_avafree( LDAPAVA *ava )
         assert( ava->la_private == NULL );
  #endif
  
-       free( ava->la_attr.bv_val );
-       free( ava->la_value.bv_val );
+#if 0
+       /* la_attr is now contiguous with ava, not freed separately */
+       LDAP_FREE( ava->la_attr.bv_val );
+#endif
+       LDAP_FREE( ava->la_value.bv_val );
  
         LDAP_FREE( ava );
  }
@@ -585,22 +620,51 @@ ldap_dnfree( LDAPDN *dn )
   * and readable as soon as it works as expected.
   */
  
-#define        TMP_SLOTS       256
+/*
+ * Default sizes of AVA and RDN static working arrays; if required
+ * the are dynamically resized.  The values can be tuned in case
+ * of special requirements (e.g. very deep DN trees or high number 
+ * of AVAs per RDN).
+ */
+#define        TMP_AVA_SLOTS   8
+#define        TMP_RDN_SLOTS   32
+
+int
+ldap_str2dn( LDAP_CONST char *str, LDAPDN **dn, unsigned flags )
+{
+       struct berval   bv;
+
+       assert( str );
+
+       bv.bv_len = strlen( str );
+       bv.bv_val = (char *) str;
+       
+       return ldap_bv2dn( &bv, dn, flags );
+}
  
  int
-ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
+ldap_bv2dn( struct berval *bv, LDAPDN **dn, unsigned flags )
  {
         const char      *p;
-       int             rc = LDAP_INVALID_DN_SYNTAX;
+       int             rc = LDAP_DECODING_ERROR;
         int             nrdns = 0;
  
         LDAPDN          *newDN = NULL;
-       LDAPRDN         *newRDN = NULL, *tmpDN[TMP_SLOTS];
+       LDAPRDN         *newRDN = NULL, *tmpDN_[TMP_RDN_SLOTS], **tmpDN = tmpDN_;
+       int             num_slots = TMP_RDN_SLOTS;
+       char            *str = bv->bv_val;
+       char            *end = str + bv->bv_len;
         
-       assert( str );
+       assert( bv );
+       assert( bv->bv_val );
         assert( dn );
  
-       Debug( LDAP_DEBUG_TRACE, "=> ldap_str2dn(%s,%u)\n%s", str, flags, "" );
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ARGS, "ldap_bv2dn(%s,%u)\n%s", 
+               str, flags, "" ));
+#else
+       Debug( LDAP_DEBUG_TRACE, "=> ldap_bv2dn(%s,%u)\n%s", str, flags, "" );
+#endif
  
         *dn = NULL;
  
@@ -614,14 +678,20 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
         /* unsupported in str2dn */
         case LDAP_DN_FORMAT_UFN:
         case LDAP_DN_FORMAT_AD_CANONICAL:
-               return( LDAP_INVALID_DN_SYNTAX );
+               return LDAP_PARAM_ERROR;
  
+       case LDAP_DN_FORMAT_LBER:
         default:
-               return( LDAP_OTHER );
+               return LDAP_PARAM_ERROR;
         }
  
-       if ( str[ 0 ] == '\0' ) {
-               return( LDAP_SUCCESS );
+       if ( bv->bv_len == 0 ) {
+               return LDAP_SUCCESS;
+       }
+
+       if( memchr( bv->bv_val, '\0', bv->bv_len ) != NULL ) {
+               /* value must have embedded NULs */
+               return LDAP_DECODING_ERROR;
         }
  
         p = str;
@@ -635,7 +705,12 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                         goto parsing_error;
                 }
                 p++;
-               
+
+       /*
+        * actually we do not want to accept by default the DCE form,
+        * we do not want to auto-detect it
+        */
+#if 0
         } else if ( LDAP_DN_LDAP( flags ) ) {
                 /*
                  * if dn starts with '/' let's make it a DCE dn
@@ -644,13 +719,16 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                         flags |= LDAP_DN_FORMAT_DCE;
                         p++;
                 }
+#endif
         }
  
-       for ( ; p[ 0 ]; p++ ) {
-               LDAPDN          *dn;
+       for ( ; p < end; p++ ) {
                 int             err;
+               struct berval   tmpbv;
+               tmpbv.bv_len = bv->bv_len - ( p - str );
+               tmpbv.bv_val = (char *)p;
                 
-               err = ldap_str2rdn( p, &newRDN, &p, flags );
+               err = ldap_bv2rdn( &tmpbv, &newRDN, (char **) &p, flags );
                 if ( err != LDAP_SUCCESS ) {
                         goto parsing_error;
                 }
@@ -658,11 +736,11 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                 /* 
                  * We expect a rdn separator
                  */
-               if ( p[ 0 ] ) {
+               if ( p < end && p[ 0 ] ) {
                         switch ( LDAP_DN_FORMAT( flags ) ) {
                         case LDAP_DN_FORMAT_LDAPV3:
                                 if ( !LDAP_DN_RDN_SEP( p[ 0 ] ) ) {
-                                       rc = LDAP_OTHER;
+                                       rc = LDAP_DECODING_ERROR;
                                         goto parsing_error;
                                 }
                                 break;
@@ -670,14 +748,14 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                         case LDAP_DN_FORMAT_LDAP:
                         case LDAP_DN_FORMAT_LDAPV2:
                                 if ( !LDAP_DN_RDN_SEP_V2( p[ 0 ] ) ) {
-                                       rc = LDAP_OTHER;
+                                       rc = LDAP_DECODING_ERROR;
                                         goto parsing_error;
                                 }
                                 break;
         
                         case LDAP_DN_FORMAT_DCE:
                                 if ( !LDAP_DN_RDN_SEP_DCE( p[ 0 ] ) ) {
-                                       rc = LDAP_OTHER;
+                                       rc = LDAP_DECODING_ERROR;
                                         goto parsing_error;
                                 }
                                 break;
@@ -688,9 +766,33 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                 tmpDN[nrdns++] = newRDN;
                 newRDN = NULL;
  
-               assert (nrdns < TMP_SLOTS);
+               /*
+                * make the static RDN array dynamically rescalable
+                */
+               if ( nrdns == num_slots ) {
+                       LDAPRDN **tmp;
+
+                       if ( tmpDN == tmpDN_ ) {
+                               tmp = LDAP_MALLOC( num_slots * 2 * sizeof( LDAPRDN * ) );
+                               if ( tmp == NULL ) {
+                                       rc = LDAP_NO_MEMORY;
+                                       goto parsing_error;
+                               }
+                               AC_MEMCPY( tmp, tmpDN, num_slots * sizeof( LDAPRDN * ) );
+
+                       } else {
+                               tmp = LDAP_REALLOC( tmpDN, num_slots * 2 * sizeof( LDAPRDN * ) );
+                               if ( tmp == NULL ) {
+                                       rc = LDAP_NO_MEMORY;
+                                       goto parsing_error;
+                               }
+                       }
+
+                       tmpDN = tmp;
+                       num_slots *= 2;
+               }
                                 
-               if ( p[ 0 ] == '\0' ) {
+               if ( p >= end || p[ 0 ] == '\0' ) {
                         /* 
                          * the DN is over, phew
                          */
@@ -702,7 +804,7 @@ ldap_str2dn( const char *str, LDAPDN **dn, unsigned flags )
                         } else {
                                 int i;
  
-                               newDN[0] = (LDAPRDN **)newDN+1;
+                               newDN[0] = (LDAPRDN **)(newDN+1);
  
                                 if ( LDAP_DN_DCE( flags ) ) {
                                         /* add in reversed order */
@@ -724,12 +826,22 @@ parsing_error:;
                 ldap_rdnfree( newRDN );
         }
  
-       for (nrdns-- ;nrdns>=0; nrdns-- )
+       for ( nrdns-- ;nrdns >= 0; nrdns-- ) {
                 ldap_rdnfree( tmpDN[nrdns] );
+       }
  
  return_result:;
  
-       Debug( LDAP_DEBUG_TRACE, "<= ldap_str2dn(%s,%u)=%d\n", str, flags, rc );
+       if ( tmpDN != tmpDN_ ) {
+               LDAP_FREE( tmpDN );
+       }
+
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_RESULTS, "<= ldap_bv2dn(%s,%u)=%d\n", 
+               str, flags, rc ));
+#else
+       Debug( LDAP_DEBUG_TRACE, "<= ldap_bv2dn(%s,%u)=%d\n", str, flags, rc );
+#endif
         *dn = newDN;
         
         return( rc );
@@ -744,12 +856,29 @@ return_result:;
   * corresponds to the rdn separator or to '\0' in case the string is over.
   */
  int
-ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
+ldap_str2rdn( LDAP_CONST char *str, LDAPRDN **rdn,
+       char **n_in, unsigned flags )
  {
+       struct berval   bv;
+
+       assert( str );
+       assert( str[ 0 ] != '\0' );     /* FIXME: is this required? */
+
+       bv.bv_len = strlen( str );
+       bv.bv_val = (char *) str;
+
+       return ldap_bv2rdn( &bv, rdn, n_in, flags );
+}
+
+int
+ldap_bv2rdn( struct berval *bv, LDAPRDN **rdn,
+       char **n_in, unsigned flags )
+{
+       const char      **n = (const char **) n_in;
         const char      *p;
         int             navas = 0;
         int             state = B4AVA;
-       int             rc = LDAP_INVALID_DN_SYNTAX;
+       int             rc = LDAP_DECODING_ERROR;
         int             attrTypeEncoding = LDAP_AVA_STRING, 
                         attrValueEncoding = LDAP_AVA_STRING;
  
@@ -757,13 +886,20 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
         struct berval   attrValue = { 0, NULL };
  
         LDAPRDN         *newRDN = NULL;
-       LDAPAVA         *tmpRDN[TMP_SLOTS];
+       LDAPAVA         *tmpRDN_[TMP_AVA_SLOTS], **tmpRDN = tmpRDN_;
+       int             num_slots = TMP_AVA_SLOTS;
+
+       char            *str;
+       ber_len_t       stoplen;
         
-       assert( str );
+       assert( bv );
+       assert( bv->bv_len );
+       assert( bv->bv_val );
         assert( rdn || flags & LDAP_DN_SKIP );
         assert( n );
  
-       Debug( LDAP_DEBUG_TRACE, "=> ldap_str2rdn(%s,%u)\n%s", str, flags, "" );
+       str = bv->bv_val;
+       stoplen = bv->bv_len;
  
         if ( rdn ) {
                 *rdn = NULL;
@@ -780,14 +916,21 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
         /* unsupported in str2dn */
         case LDAP_DN_FORMAT_UFN:
         case LDAP_DN_FORMAT_AD_CANONICAL:
-               return( LDAP_INVALID_DN_SYNTAX );
+               return LDAP_PARAM_ERROR;
  
+       case LDAP_DN_FORMAT_LBER:
         default:
-               return( LDAP_OTHER );
+               return LDAP_PARAM_ERROR;
         }
  
-       if ( str[ 0 ] == '\0' ) {
-               return( LDAP_SUCCESS );
+       if ( bv->bv_len == 0 ) {
+               return LDAP_SUCCESS;
+
+       }
+
+       if( memchr( bv->bv_val, '\0', bv->bv_len ) != NULL ) {
+               /* value must have embedded NULs */
+               return LDAP_DECODING_ERROR;
         }
  
         p = str;
@@ -878,23 +1021,14 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                 
                 case B4OIDATTRTYPE: {
                         int             err = LDAP_SUCCESS;
-                       char            *type;
                         
-                       type = parse_numericoid( &p, &err, 0 );
-                       if ( type == NULL ) {
-                               goto parsing_error;
-                       }
+                       attrType.bv_val = ldap_int_parse_numericoid( &p, &err,
+                               LDAP_SCHEMA_SKIP);
  
-                       if ( flags & LDAP_DN_SKIP ) {
-                               /*
-                                * FIXME: hack for skipping a rdn; 
-                                * need a cleaner solution
-                                */
-                               LDAP_FREE( type );
-
-                       } else {
-                               ber_str2bv( type, 0, 0, &attrType );
+                       if ( err != LDAP_SUCCESS ) {
+                               goto parsing_error;
                         }
+                       attrType.bv_len = p - attrType.bv_val;
  
                         attrTypeEncoding = LDAP_AVA_BINARY;
  
@@ -961,11 +1095,7 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                                 break;
                         }
  
-                       attrType.bv_val = LDAP_STRNDUP( startPos, len );
-                       if ( attrType.bv_val == NULL ) {
-                               rc = LDAP_NO_MEMORY;
-                               goto parsing_error;
-                       }
+                       attrType.bv_val = (char *)startPos;
                         attrType.bv_len = len;
  
                         break;
@@ -1049,7 +1179,12 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                          * here STRING means RFC 2253 string
                          * FIXME: what about DCE strings? 
                          */
-                       state = B4STRINGVALUE;
+                       if ( !p[ 0 ] ) {
+                               /* empty value */
+                               state = GOTAVA;
+                       } else {
+                               state = B4STRINGVALUE;
+                       }
                         break;
  
                 case B4BINARYVALUE:
@@ -1064,7 +1199,8 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                         switch ( LDAP_DN_FORMAT( flags ) ) {
                         case LDAP_DN_FORMAT_LDAP:
                         case LDAP_DN_FORMAT_LDAPV3:
-                               if ( str2strval( p, &attrValue, &p, flags, 
+                               if ( str2strval( p, stoplen - ( p - str ),
+                                                       &attrValue, &p, flags, 
                                                         &attrValueEncoding ) ) {
                                         goto parsing_error;
                                 }
@@ -1113,13 +1249,41 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                                  */
                                 ava = ldapava_new( &attrType, &attrValue, 
                                                 attrValueEncoding );
+                               
                                 if ( ava == NULL ) {
                                         rc = LDAP_NO_MEMORY;
                                         goto parsing_error;
                                 }
                                 tmpRDN[navas++] = ava;
  
-                               assert(navas < TMP_SLOTS);
+                               attrValue.bv_val = NULL;
+                               attrValue.bv_len = 0;
+
+                               /*
+                                * prepare room for new AVAs if needed
+                                */
+                               if (navas == num_slots) {
+                                       LDAPAVA **tmp;
+                                       
+                                       if ( tmpRDN == tmpRDN_ ) {
+                                               tmp = LDAP_MALLOC( num_slots * 2 * sizeof( LDAPAVA * ) );
+                                               if ( tmp == NULL ) {
+                                                       rc = LDAP_NO_MEMORY;
+                                                       goto parsing_error;
+                                               }
+                                               AC_MEMCPY( tmp, tmpRDN, num_slots * sizeof( LDAPAVA * ) );
+
+                                       } else {
+                                               tmp = LDAP_REALLOC( tmpRDN, num_slots * 2 * sizeof( LDAPAVA * ) );
+                                               if ( tmp == NULL ) {
+                                                       rc = LDAP_NO_MEMORY;
+                                                       goto parsing_error;
+                                               }
+                                       }
+
+                                       tmpRDN = tmp;
+                                       num_slots *= 2;
+                               }
                         }
                         
                         /* 
@@ -1157,7 +1321,7 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                                         } else {
                                                 int i;
  
-                                               newRDN[0] = (LDAPAVA**) newRDN+1;
+                                               newRDN[0] = (LDAPAVA**)(newRDN+1);
  
                                                 for (i=0; i<navas; i++)
                                                         newRDN[0][i] = tmpRDN[i];
@@ -1183,24 +1347,25 @@ ldap_str2rdn( const char *str, LDAPRDN **rdn, const char **n, unsigned flags )
                         goto parsing_error;
                 }
         }
+       *n = p;
         
  parsing_error:;
         /* They are set to NULL after they're used in an AVA */
-       if ( attrType.bv_val ) {
-               free( attrType.bv_val );
-       }
  
         if ( attrValue.bv_val ) {
                 free( attrValue.bv_val );
         }
  
-       for (navas-- ; navas>=0; navas-- )
+       for ( navas-- ; navas >= 0; navas-- ) {
                 ldap_avafree( tmpRDN[navas] );
+       }
  
  return_result:;
  
-       Debug( LDAP_DEBUG_TRACE, "<= ldap_str2rdn(%*s)=%d\n", 
-                       *n - p, str, rc );
+       if ( tmpRDN != tmpRDN_ ) {
+               LDAP_FREE( tmpRDN );
+       }
+
         if ( rdn ) {
                 *rdn = newRDN;
         }
@@ -1214,26 +1379,24 @@ return_result:;
   * '\' + HEXPAIR(p) -> unhex(p)
   */
  static int
-str2strval( const char *str, struct berval *val, const char **next, unsigned flags, unsigned *retFlags )
+str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char **next, unsigned flags, unsigned *retFlags )
  {
-       const char      *p, *startPos, *endPos = NULL;
-       ber_len_t       len, escapes, unescapes;
+       const char      *p, *end, *startPos, *endPos = NULL;
+       ber_len_t       len, escapes;
  
         assert( str );
         assert( val );
         assert( next );
  
         *next = NULL;
-
-       for ( startPos = p = str, escapes = 0, unescapes = 0; p[ 0 ]; p++ ) {
+       end = str + stoplen;
+       for ( startPos = p = str, escapes = 0; p < end; p++ ) {
                 if ( LDAP_DN_ESCAPE( p[ 0 ] ) ) {
                         p++;
                         if ( p[ 0 ] == '\0' ) {
                                 return( 1 );
                         }
-                       if ( ( p == startPos + 1 && LDAP_DN_NEEDESCAPE_LEAD( p[ 0 ] ) )
-                                       || ( LDAP_DN_VALUE_END( p[ 1 ] ) && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) )
-                                       || LDAP_DN_NEEDESCAPE( p[ 0 ] ) ) {
+                       if ( LDAP_DN_MAYESCAPE( p[ 0 ] ) ) {
                                 escapes++;
                                 continue;
                         }
@@ -1260,14 +1423,18 @@ str2strval( const char *str, struct berval *val, const char **next, unsigned fla
                                 return( 1 );
                         }
                         /* 
-                        * FIXME: we allow escaping 
+                        * we do not allow escaping 
                          * of chars that don't need 
                          * to and do not belong to 
-                        * HEXDIGITS (we also allow
-                        * single hexdigit; maybe we 
-                        * shouldn't).
+                        * HEXDIGITS
                          */
-                       unescapes++;
+                       return( 1 );
+
+               } else if (!LDAP_DN_ASCII_PRINTABLE( p[ 0 ] ) ) {
+                       if ( p[ 0 ] == '\0' ) {
+                               return( 1 );
+                       }
+                       *retFlags = LDAP_AVA_NONPRINTABLE;
  
                 } else if ( ( LDAP_DN_LDAP( flags ) && LDAP_DN_VALUE_END_V2( p[ 0 ] ) ) 
                                 || ( LDAP_DN_LDAPV3( flags ) && LDAP_DN_VALUE_END( p[ 0 ] ) ) ) {
@@ -1310,11 +1477,17 @@ str2strval( const char *str, struct berval *val, const char **next, unsigned fla
         /*
          * FIXME: test memory?
          */
-       len = ( endPos ? endPos : p ) - startPos - escapes - unescapes;
+       len = ( endPos ? endPos : p ) - startPos - escapes;
         val->bv_len = len;
  
-       if ( escapes == 0 && unescapes == 0 ) {
-               val->bv_val = LDAP_STRNDUP( startPos, len );
+       if ( escapes == 0 ) {
+               if ( *retFlags == LDAP_AVA_NONPRINTABLE ) {
+                       val->bv_val = LDAP_MALLOC( len + 1 );
+                       AC_MEMCPY( val->bv_val, startPos, len );
+                       val->bv_val[ len ] = '\0';
+               } else {
+                       val->bv_val = LDAP_STRNDUP( startPos, len );
+               }
  
         } else {
                 ber_len_t       s, d;
@@ -1323,9 +1496,7 @@ str2strval( const char *str, struct berval *val, const char **next, unsigned fla
                 for ( s = 0, d = 0; d < len; ) {
                         if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) {
                                 s++;
-                               if ( ( s == 0 && LDAP_DN_NEEDESCAPE_LEAD( startPos[ s ] ) )
-                                               || ( s == len - 1 && LDAP_DN_NEEDESCAPE_TRAIL( startPos[ s ] ) )
-                                               || LDAP_DN_NEEDESCAPE( startPos[ s ] ) ) {
+                               if ( LDAP_DN_MAYESCAPE( startPos[ s ] ) ) {
                                         val->bv_val[ d++ ] = 
                                                 startPos[ s++ ];
                                         
@@ -1337,12 +1508,8 @@ str2strval( const char *str, struct berval *val, const char **next, unsigned fla
                                         s += 2;
                                         
                                 } else {
-                                       /*
-                                        * we allow escaping of chars
-                                        * that do not need to 
-                                        */
-                                       val->bv_val[ d++ ] = 
-                                               startPos[ s++ ];
+                                       /* we should never get here */
+                                       assert( 0 );
                                 }
  
                         } else {
@@ -1351,7 +1518,7 @@ str2strval( const char *str, struct berval *val, const char **next, unsigned fla
                 }
  
                 val->bv_val[ d ] = '\0';
-               assert( strlen( val->bv_val ) == len );
+               assert( d == len );
         }
  
         return( 0 );
@@ -1585,7 +1752,7 @@ quotedIA52strval( const char *str, struct berval *val, const char **next, unsign
         }
  
         len = endPos - startPos - escapes;
-       assert( len >= 0 );
+       assert( endPos >= startPos + escapes );
         val->bv_len = len;
         if ( escapes == 0 ) {
                 val->bv_val = LDAP_STRNDUP( startPos, len );
@@ -1821,8 +1988,18 @@ strval2strlen( struct berval *val, unsigned flags, ber_len_t *len )
                 return( 0 );
         }
  
-       for ( l = 0, p = val->bv_val; p[ 0 ]; p += cl ) {
-               cl = LDAP_UTF8_CHARLEN( p );
+       for ( l = 0, p = val->bv_val; p < val->bv_val + val->bv_len; p += cl ) {
+
+               /* 
+                * escape '%x00' 
+                */
+               if ( p[ 0 ] == '\0' ) {
+                       cl = 1;
+                       l += 3;
+                       continue;
+               }
+
+               cl = LDAP_UTF8_CHARLEN2( p, cl );
                 if ( cl == 0 ) {
                         /* illegal utf-8 char! */
                         return( -1 );
@@ -1831,7 +2008,7 @@ strval2strlen( struct berval *val, unsigned flags, ber_len_t *len )
                         ber_len_t cnt;
  
                         for ( cnt = 1; cnt < cl; cnt++ ) {
-                               if ( ( p[ cnt ] & 0x80 ) == 0x00 ) {
+                               if ( ( p[ cnt ] & 0xc0 ) != 0x80 ) {
                                         return( -1 );
                                 }
                         }
@@ -1841,7 +2018,11 @@ strval2strlen( struct berval *val, unsigned flags, ber_len_t *len )
                                 || ( p == val->bv_val && LDAP_DN_NEEDESCAPE_LEAD( p[ 0 ] ) )
                                 || ( !p[ 1 ] && LDAP_DN_NEEDESCAPE_TRAIL( p[ 0 ] ) ) ) {
  #ifdef PRETTY_ESCAPE
+#if 0
                         if ( LDAP_DN_WILLESCAPE_HEX( flags, p[ 0 ] ) ) {
+#else
+                       if ( LDAP_DN_WILLESCAPE_CHAR( p[ 0 ] ) ) {
+#endif
  
                                 /* 
                                  * there might be some chars we want 
@@ -1890,7 +2071,26 @@ strval2str( struct berval *val, char *str, unsigned flags, ber_len_t *len )
          * of the value
          */
         for ( s = 0, d = 0, end = val->bv_len - 1; s < val->bv_len; ) {
-               ber_len_t       cl = LDAP_UTF8_CHARLEN( &val->bv_val[ s ] );
+               ber_len_t       cl;
+
+               /* 
+                * escape '%x00' 
+                */
+               if ( val->bv_val[ s ] == '\0' ) {
+                       cl = 1;
+                       str[ d++ ] = '\\';
+                       str[ d++ ] = '0';
+                       str[ d++ ] = '0';
+                       s++;
+                       continue;
+               }
+               
+               /*
+                * The length was checked in strval2strlen();
+                * LDAP_UTF8_CHARLEN() should suffice
+                */
+               cl = LDAP_UTF8_CHARLEN2( &val->bv_val[ s ], cl );
+               assert( cl > 0 );
                 
                 /* 
                  * there might be some chars we want to escape in form
@@ -1898,7 +2098,11 @@ strval2str( struct berval *val, char *str, unsigned flags, ber_len_t *len )
                  */
                 if ( ( cl > 1 && !LDAP_DN_IS_PRETTY( flags ) ) 
  #ifdef PRETTY_ESCAPE
+#if 0
                                 || LDAP_DN_WILLESCAPE_HEX( flags, val->bv_val[ s ] ) 
+#else
+                               || LDAP_DN_WILLESCAPE_CHAR( val->bv_val[ s ] ) 
+#endif
  #else /* ! PRETTY_ESCAPE */
                                 || LDAP_DN_NEEDESCAPE( val->bv_val[ s ] )
                                 || ( d == 0 && LDAP_DN_NEEDESCAPE_LEAD( val->bv_val[ s ] ) )
@@ -2247,7 +2451,7 @@ dn2domain( LDAPDN *dn, struct berval *bv, int pos, int *iRDN )
                         l += ava->la_value.bv_len;
  
                 } else {
-                       AC_MEMCPY( str + ava->la_value.bv_len + 1, bv->bv_val, l);
+                       AC_MEMCPY( str + ava->la_value.bv_len + 1, bv->bv_val + pos, l);
                         AC_MEMCPY( str, ava->la_value.bv_val, 
                                         ava->la_value.bv_len );
                         str[ ava->la_value.bv_len ] = '.';
@@ -2612,6 +2816,10 @@ ldap_rdn2str( LDAPRDN *rdn, char **str, unsigned flags )
  
         assert( str );
  
+       if((flags & LDAP_DN_FORMAT_MASK) == LDAP_DN_FORMAT_LBER) {
+               return LDAP_PARAM_ERROR;
+       }
+
         rc = ldap_rdn2bv( rdn, &bv, flags );
         *str = bv.bv_val;
         return rc;
@@ -2640,36 +2848,36 @@ ldap_rdn2bv( LDAPRDN *rdn, struct berval *bv, unsigned flags )
         switch ( LDAP_DN_FORMAT( flags ) ) {
         case LDAP_DN_FORMAT_LDAPV3:
                 if ( rdn2strlen( rdn, flags, &l, strval2strlen ) ) {
-                       return( LDAP_OTHER );
+                       return LDAP_DECODING_ERROR;
                 }
                 break;
  
         case LDAP_DN_FORMAT_LDAPV2:
                 if ( rdn2strlen( rdn, flags, &l, strval2IA5strlen ) ) {
-                       return( LDAP_OTHER );
+                       return LDAP_DECODING_ERROR;
                 }
                 break;
  
         case LDAP_DN_FORMAT_UFN:
                 if ( rdn2UFNstrlen( rdn, flags, &l ) ) {
-                       return( LDAP_OTHER );
+                       return LDAP_DECODING_ERROR;
                 }
                 break;
  
         case LDAP_DN_FORMAT_DCE:
                 if ( rdn2DCEstrlen( rdn, flags, &l ) ) {
-                       return( LDAP_OTHER );
+                       return LDAP_DECODING_ERROR;
                 }
                 break;
  
         case LDAP_DN_FORMAT_AD_CANONICAL:
                 if ( rdn2ADstrlen( rdn, flags, &l ) ) {
-                       return( LDAP_OTHER );
+                       return LDAP_DECODING_ERROR;
                 }
                 break;
  
         default:
-               return( LDAP_INVALID_DN_SYNTAX );
+               return LDAP_PARAM_ERROR;
         }
  
         bv->bv_val = LDAP_MALLOC( l + 1 );
@@ -2702,18 +2910,18 @@ ldap_rdn2bv( LDAPRDN *rdn, struct berval *bv, unsigned flags )
  
         default:
                 /* need at least one of the previous */
-               return( LDAP_OTHER );
+               return LDAP_PARAM_ERROR;
         }
  
         if ( rc ) {
                 ldap_memfree( bv->bv_val );
-               return( LDAP_OTHER );
+               return rc;
         }
  
         bv->bv_len = l - back;
         bv->bv_val[ bv->bv_len ] = '\0';
  
-       return( LDAP_SUCCESS );
+       return LDAP_SUCCESS;
  }
  
  /*
@@ -2735,6 +2943,10 @@ int ldap_dn2str( LDAPDN *dn, char **str, unsigned flags )
  
         assert( str );
  
+       if((flags & LDAP_DN_FORMAT_MASK) == LDAP_DN_FORMAT_LBER) {
+               return LDAP_PARAM_ERROR;
+       }
+       
         rc = ldap_dn2bv( dn, &bv, flags );
         *str = bv.bv_val;
         return rc;
@@ -2743,7 +2955,7 @@ int ldap_dn2str( LDAPDN *dn, char **str, unsigned flags )
  int ldap_dn2bv( LDAPDN *dn, struct berval *bv, unsigned flags )
  {
         int             iRDN;
-       int             rc = LDAP_OTHER;
+       int             rc = LDAP_ENCODING_ERROR;
         ber_len_t       len, l;
  
         /* stringifying helpers for LDAPv3/LDAPv2 */
@@ -2751,11 +2963,15 @@ int ldap_dn2bv( LDAPDN *dn, struct berval *bv, unsigned flags )
         int ( *sv2s ) ( struct berval *v, char *s, unsigned f, ber_len_t *l );
  
         assert( bv );
-
         bv->bv_len = 0;
         bv->bv_val = NULL;
  
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_ARGS, "=> ldap_dn2bv(%u)\n%s%s", 
+               flags, "", "" ));
+#else
         Debug( LDAP_DEBUG_TRACE, "=> ldap_dn2bv(%u)\n%s%s", flags, "", "" );
+#endif
  
         /* 
          * a null dn means an empty dn string 
@@ -2770,13 +2986,13 @@ int ldap_dn2bv( LDAPDN *dn, struct berval *bv, unsigned flags )
         case LDAP_DN_FORMAT_LDAPV3:
                 sv2l = strval2strlen;
                 sv2s = strval2str;
-               goto got_funcs;
  
+               if( 0 ) {
         case LDAP_DN_FORMAT_LDAPV2:
-               sv2l = strval2IA5strlen;
-               sv2s = strval2IA5str;
-got_funcs:
-               
+                       sv2l = strval2IA5strlen;
+                       sv2s = strval2IA5str;
+               }
+
                 for ( iRDN = 0, len = 0; dn[ 0 ][ iRDN ]; iRDN++ ) {
                         ber_len_t       rdnl;
                         LDAPRDN         *rdn = dn[ 0 ][ iRDN ];
@@ -2819,7 +3035,6 @@ got_funcs:
                 break;
  
         case LDAP_DN_FORMAT_UFN: {
-
                 /*
                  * FIXME: quoting from RFC 1781:
                  *
@@ -2934,11 +3149,10 @@ got_funcs:
  #endif /* DC_IN_UFN */
                 
                 rc = LDAP_SUCCESS;
-               break;
-       }
  
-       case LDAP_DN_FORMAT_DCE:
+       } break;
  
+       case LDAP_DN_FORMAT_DCE:
                 for ( iRDN = 0, len = 0; dn[ 0 ][ iRDN ]; iRDN++ ) {
                         ber_len_t       rdnl;
                         LDAPRDN         *rdn = dn[ 0 ][ iRDN ];
@@ -2977,7 +3191,6 @@ got_funcs:
                 break;
  
         case LDAP_DN_FORMAT_AD_CANONICAL: {
-               
                 /*
                  * Sort of UFN for DCE DNs: a slash ('/') separated
                  * global->local DN with no types; strictly speaking,
@@ -3034,7 +3247,7 @@ got_funcs:
                         if ( flags & LDAP_DN_PEDANTIC ) {
                                 LDAP_FREE( bv->bv_val );
                                 bv->bv_val = NULL;
-                               rc = LDAP_INVALID_DN_SYNTAX;
+                               rc = LDAP_ENCODING_ERROR;
                                 break;
                         }
  
@@ -3059,16 +3272,210 @@ got_funcs:
                 bv->bv_val[ bv->bv_len ] = '\0';
  
                 rc = LDAP_SUCCESS;
-               break;
-       }
+       } break;
  
         default:
-               return( LDAP_INVALID_DN_SYNTAX );
-
+               return LDAP_PARAM_ERROR;
         }
  
-       Debug( LDAP_DEBUG_TRACE, "<= ldap_dn2bv(%s,%u)=%d\n", bv->bv_val, flags, rc );
+#ifdef NEW_LOGGING
+       LDAP_LOG (( "getdn", LDAP_LEVEL_RESULTS, "<= ldap_dn2bv(%s,%u)=%d\n", 
+               bv->bv_val, flags, rc ));
+#else
+       Debug( LDAP_DEBUG_TRACE, "<= ldap_dn2bv(%s,%u)=%d\n",
+               bv->bv_val, flags, rc );
+#endif
+
  return_results:;
         return( rc );
  }
  
+#ifdef HAVE_TLS
+#include <openssl/x509.h>
+#include <openssl/err.h>
+
+/* Convert a structured DN from an X.509 certificate into an LDAPV3 DN.
+ * x509_name must be an (X509_NAME *). If func is non-NULL, the
+ * constructed DN will use numeric OIDs to identify attributeTypes,
+ * and the func() will be invoked to rewrite the DN with the given
+ * flags.
+ *
+ * Otherwise the DN will use shortNames as defined in the OpenSSL
+ * library.
+ *
+ * It's preferable to let slapd do the OID to attributeType mapping,
+ * because the OpenSSL tables are known to have many typos in versions
+ * up to (at least) 0.9.6c. However, the LDAP client has no schema tables,
+ * so we're forced to use OpenSSL's mapping there.
+ *  -- Howard Chu 2002-04-18
+ */
+
+int
+ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+       unsigned flags )
+{
+       LDAPDN  *newDN;
+       LDAPRDN *newRDN;
+       LDAPAVA *newAVA, *baseAVA;
+       X509_NAME_ENTRY *ne;
+       ASN1_OBJECT *obj;
+       ASN1_STRING *str;
+       char oids[8192], *oidptr = oids, *oidbuf = NULL;
+       void *ptrs[2048];
+       int i, j, k = 0, navas, nrdns, rc = LDAP_SUCCESS;
+       int set = -1;
+       size_t dnsize, oidrem = sizeof(oids), oidsize = 0;
+       int csize;
+
+       struct berval   Val;
+
+       assert( bv );
+       bv->bv_len = 0;
+       bv->bv_val = NULL;
+
+       /* Get the number of AVAs. This is not necessarily the same as
+        * the number of RDNs.
+        */
+       navas = X509_NAME_entry_count( x509_name );
+
+       /* Get the last element, to see how many RDNs there are */
+       ne = X509_NAME_get_entry( x509_name, navas - 1 );
+       nrdns = ne->set + 1;
+
+       /* Allocate the DN/RDN/AVA stuff as a single block */    
+       dnsize = sizeof(LDAPDN) + sizeof(LDAPRDN *) * (nrdns+1);
+       dnsize += sizeof(LDAPRDN) * nrdns + sizeof(LDAPAVA *) * (navas+nrdns);
+       dnsize += sizeof(LDAPAVA) * navas;
+       if (dnsize > sizeof(ptrs)) {
+               newDN = (LDAPDN *)LDAP_MALLOC( dnsize );
+               if ( newDN == NULL )
+                       return LDAP_NO_MEMORY;
+       } else {
+               newDN = (LDAPDN *)ptrs;
+       }
+       
+       newDN[0] = (LDAPRDN**)(newDN+1);
+       newDN[0][nrdns] = NULL;
+       newRDN = (LDAPRDN*)(newDN[0] + nrdns+1);
+       newAVA = (LDAPAVA*)(newRDN + navas + nrdns*2);
+       baseAVA = newAVA;
+
+       /* Retrieve RDNs in reverse order; LDAP is backwards from X.500. */
+       for ( i = nrdns - 1, j = 0; i >= 0; i-- ) {
+               ne = X509_NAME_get_entry( x509_name, i );
+               obj = X509_NAME_ENTRY_get_object( ne );
+               str = X509_NAME_ENTRY_get_data( ne );
+
+               /* If set changed, move to next RDN */
+               if ( set != ne->set ) {
+                       /* If this is not the first time, end the
+                        * previous RDN and advance.
+                        */
+                       if ( j > 0 ) {
+                               newRDN[0][k] = NULL;
+                               newRDN = (LDAPRDN*)(newRDN[0]+k+1);
+                       }
+                       newDN[0][j++] = newRDN;
+
+                       newRDN[0] = (LDAPAVA**)(newRDN+1);
+                       k = 0;
+                       set = ne->set;
+               }
+               newAVA->la_private = NULL;
+               newAVA->la_flags = LDAP_AVA_STRING;
+
+               if ( !func ) {
+                       int n = OBJ_obj2nid( obj );
+
+                       if (n == NID_undef)
+                               goto get_oid;
+                       newAVA->la_attr.bv_val = (char *)OBJ_nid2sn( n );
+                       newAVA->la_attr.bv_len = strlen( newAVA->la_attr.bv_val );
+               } else {
+get_oid:               newAVA->la_attr.bv_val = oidptr;
+                       newAVA->la_attr.bv_len = OBJ_obj2txt( oidptr, oidrem, obj, 1 );
+                       oidptr += newAVA->la_attr.bv_len + 1;
+                       oidrem -= newAVA->la_attr.bv_len + 1;
+
+                       /* Running out of OID buffer space? */
+                       if (oidrem < 128) {
+                               if ( oidsize == 0 ) {
+                                       oidsize = sizeof(oids) * 2;
+                                       oidrem = oidsize;
+                                       oidbuf = LDAP_MALLOC( oidsize );
+                                       if ( oidbuf == NULL ) goto nomem;
+                                       oidptr = oidbuf;
+                               } else {
+                                       char *old = oidbuf;
+                                       oidbuf = LDAP_REALLOC( oidbuf, oidsize*2 );
+                                       if ( oidbuf == NULL ) goto nomem;
+                                       /* Buffer moved! Fix AVA pointers */
+                                       if ( old != oidbuf ) {
+                                               LDAPAVA *a;
+                                               long dif = oidbuf - old;
+
+                                               for (a=baseAVA; a<=newAVA; a++){
+                                                       if (a->la_attr.bv_val >= old &&
+                                                               a->la_attr.bv_val <= (old + oidsize))
+                                                               a->la_attr.bv_val += dif;
+                                               }
+                                       }
+                                       oidptr = oidbuf + oidsize - oidrem;
+                                       oidrem += oidsize;
+                                       oidsize *= 2;
+                               }
+                       }
+               }
+               Val.bv_val = str->data;
+               Val.bv_len = str->length;
+               switch( str->type ) {
+               case V_ASN1_UNIVERSALSTRING:
+                       /* This uses 32-bit ISO 10646-1 */
+                       csize = 4; goto to_utf8;
+               case V_ASN1_BMPSTRING:
+                       /* This uses 16-bit ISO 10646-1 */
+                       csize = 2; goto to_utf8;
+               case V_ASN1_T61STRING:
+                       /* This uses 8-bit, assume ISO 8859-1 */
+                       csize = 1;
+to_utf8:               rc = ldap_ucs_to_utf8s( &Val, csize, &newAVA->la_value );
+                       if (rc != LDAP_SUCCESS) goto nomem;
+                       newAVA->la_flags = LDAP_AVA_NONPRINTABLE;
+                       break;
+               case V_ASN1_UTF8STRING:
+                       newAVA->la_flags = LDAP_AVA_NONPRINTABLE;
+                       /* This is already in UTF-8 encoding */
+               case V_ASN1_IA5STRING:
+               case V_ASN1_PRINTABLESTRING:
+                       /* These are always 7-bit strings */
+                       ber_dupbv( &newAVA->la_value, &Val );
+               default:
+                       ;
+               }
+               newRDN[0][k] = newAVA;
+               newAVA++;
+               k++;
+       }
+       newRDN[0][k] = NULL;
+
+       if ( func ) {
+               rc = func( newDN, flags );
+               if ( rc != LDAP_SUCCESS )
+                       goto nomem;
+       }
+
+       rc = ldap_dn2bv( newDN, bv, LDAP_DN_FORMAT_LDAPV3 );
+
+nomem:
+       for (;baseAVA < newAVA; baseAVA++) {
+               LDAP_FREE( baseAVA->la_value.bv_val );
+       }
+
+       if ( oidsize != 0 )
+               LDAP_FREE( oidbuf );
+       if ( newDN != (LDAPDN*) ptrs )
+               LDAP_FREE( newDN );
+       return rc;
+}
+#endif /* HAVE_TLS */
+