[Samba] S/MIME certificates in Samba 4 LDAP

Andrew Bartlett abartlet at samba.org
Thu Nov 5 08:18:42 UTC 2015


On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
> On 30.10.2015 22:13, Jeremy Allison wrote:
> > On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
> > > Dear Samba users and developers,
> > > 
> > > we had the idea of storing S/MIME certificates in the Samba 4
> > > LDAP.
> > > In the Windows Active Directory Users and Computers tool I can
> > > use the
> > > "Published Certificates" tab to add a certificate to a user
> > > account.
> > > 
> > > As Mozilla Thunderbird requests the "userCertificate;binary"
> > > attribute
> > > of a user when sending encrypted mail, the LDAP response is
> > > empty.

This would be because we don't know about the ;binary part at the end,
and just assume it is part of the attribute name.

> > > This behaviour is different from a Windows 2008 R2 AD.
> > > 
> > > I tested this with Samba from Debian 4.1.17+dfsg-2.
> > > Is this a missing feature or a bug?
> > 
> > Not sure. Can you provide network traces of Thunderbird
> > trying to do this against a Samba4 AD/DC ?
> 
> 
> Here are the packet details for the search request:
> 
> Lightweight Directory Access Protocol
>     LDAPMessage searchRequest(2)
> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
>         messageID: 2
>         protocolOp: searchRequest (3)
>             searchRequest
>                 baseObject:
> OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
>                 scope: wholeSubtree (2)
>                 derefAliases: neverDerefAliases (0)
>                 sizeLimit: 2
>                 timeLimit: 0
>                 typesOnly: False
>                 Filter: (mail=martin.sofaru at lsexperts.de)
>                     filter: equalityMatch (3)
>                         equalityMatch
>                             attributeDesc: mail
>                             assertionValue: 
> martin.sofaru at lsexperts.de
>                 attributes: 1 item
>                     AttributeDescription: usercertificate;binary
>         [Response In: 16]

A good description appears to be here:

http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm

The fix would be a patch to
source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
;binary suffix (as it is meaningless to samba), and a python unit test
to confirm we do so correctly.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
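As an added illustration (this is not Samba code and not from this thread), the following Python sketch shows the normalization the proposed resolve_oids.c change would perform: split an LDAP AttributeDescription into its attribute type and options as RFC 4512 defines them, drop the ;binary transfer option (RFC 4522), and resolve the type case-insensitively against the schema. The schema list, the directory entry, the placeholder certificate bytes and all function names are constructed for the example.

```python
"""Normalize LDAP AttributeDescription values (RFC 4512 section 2.5).

An AttributeDescription is an attribute type (a name or a numeric OID)
optionally followed by one or more ";option" suffixes.  ";binary"
(RFC 4522) only asks for the value in its BER-encoded form; a server
that already stores userCertificate as raw DER can ignore it.  A lookup
that treats the whole string as the attribute name never matches the
stored attribute, which is why the requested attribute comes back empty.
"""
import re

# RFC 4512: keystring = leadkeychar *keychar ; numericoid = number *("." number)
# options are separated by ';' and use the same character set as keystrings
_ATTR_DESC_RE = re.compile(
    r'^([A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)((?:;[A-Za-z0-9-]+)*)$')

# transfer options the storage backend does not need to see (assumption for this example)
IGNORED_OPTIONS = {"binary"}


def split_attribute_description(desc):
    """Return (attribute_type, [options]) for a description, or raise ValueError."""
    m = _ATTR_DESC_RE.match(desc)
    if not m:
        raise ValueError("invalid AttributeDescription: %r" % desc)
    attr_type, opts = m.group(1), m.group(2)
    # options are case-insensitive, so compare them lower-cased
    options = [o.lower() for o in opts.split(';') if o]
    return attr_type, options


def resolve_requested_attribute(requested, schema_attrs):
    """Map a requested description to the schema's canonical attribute name.

    schema_attrs: canonical attribute names as the directory schema spells them.
    Attribute type names match case-insensitively.  Options in IGNORED_OPTIONS
    are dropped; any other option (e.g. a language tag such as ';lang-de') is
    returned so the caller can decide what to do with it.
    Returns (canonical_name_or_None, remaining_options).
    """
    attr_type, options = split_attribute_description(requested)
    canonical = {a.lower(): a for a in schema_attrs}
    name = canonical.get(attr_type.lower())
    if name is None:
        return None, options
    return name, [o for o in options if o not in IGNORED_OPTIONS]


def rewrite_search_attributes(requested_attrs, schema_attrs):
    """Rewrite a search request's attribute list before the backend sees it."""
    out = []
    for req in requested_attrs:
        name, remaining = resolve_requested_attribute(req, schema_attrs)
        if name is None:
            out.append(req)  # unknown attribute: pass it through unchanged
            continue
        out.append(name + ''.join(';' + o for o in remaining))
    return out


# Constructed sample data: a minimal schema and one directory entry.
# The certificate value is placeholder bytes, not a real DER certificate.
SAMPLE_SCHEMA = ["cn", "mail", "userCertificate", "sAMAccountName"]
SAMPLE_ENTRY = {
    "mail": [b"user at example.invalid"],
    "userCertificate": [b"\x30\x82\x00\x00placeholder-der"],
}


def lookup(entry, requested_attrs, schema_attrs=SAMPLE_SCHEMA):
    """Compare a whole-string lookup with a lookup after normalization.

    Returns (naive_result, normalized_result), each keyed by the requested
    description so the caller can see which requests came back empty.
    """
    naive = {a: entry.get(a, []) for a in requested_attrs}
    resolved = rewrite_search_attributes(requested_attrs, schema_attrs)
    fixed = {a: entry.get(n, []) for a, n in zip(requested_attrs, resolved)}
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = lookup(SAMPLE_ENTRY, ["usercertificate;binary", "mail"])
    print("naive:", naive)
    print("fixed:", fixed)
```

The sketch keeps unknown options rather than discarding them all, because a language tag or a vendor option changes which values should be returned; only ;binary is pure transfer syntax and can be stripped without changing the answer.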