[Samba] S/MIME certificates in Samba 4 LDAP
stefan.pietsch at lsexperts.de
Thu Nov 19 10:15:56 UTC 2015
On 05.11.2015 09:18, Andrew Bartlett wrote:
> On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
>> On 30.10.2015 22:13, Jeremy Allison wrote:
>>> On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
>>>> Dear Samba users and developers,
>>>> we had the idea of storing S/MIME certificates in the Samba 4
>>>> In the Windows Active Directory Users and Computers tool I can
>>>> use the
>>>> "Published Certificates" tab to add a certificate to a user
>>>> As Mozilla Thunderbird requests the "userCertificate;binary"
>>>> of a user when sending encrypted mail, the LDAP response is
> This would be because we don't know about the ;binary part at the end,
> and just assume it is part of the attribute name.
>>>> This behaviour is different from a Windows 2008 R2 AD.
>>>> I tested this with Samba from Debian 4.1.17+dfsg-2.
>>>> Is this a missing feature or a bug?
>>> Not sure. Can you provide network traces of Thunderbird
>>> trying to do this against a Samba4 AD/DC ?
>> Here are the packet details for the search request:
>> Lightweight Directory Access Protocol
>> LDAPMessage searchRequest(2)
>> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
>> messageID: 2
>> protocolOp: searchRequest (3)
>> scope: wholeSubtree (2)
>> derefAliases: neverDerefAliases (0)
>> sizeLimit: 2
>> timeLimit: 0
>> typesOnly: False
>> Filter: (mail=martin.sofaru at lsexperts.de)
>> filter: equalityMatch (3)
>> attributeDesc: mail
>> martin.sofaru at lsexperts.de
>> attributes: 1 item
>> AttributeDescription: usercertificate;binary
>> [Response In: 16]
> A good description appears to be here:
> The fix would be a patch to
> source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
> ;binary suffix (as it is meaninless to samba), and a python unit test
> to confirm we do so correctly.
are you able to prepare a patch for this? Should I open a bug in Bugzilla?
More information about the samba