[Samba] S/MIME certificates in Samba 4 LDAP

Andrew Bartlett abartlet at samba.org
Thu Nov 19 22:21:30 UTC 2015


On Thu, 2015-11-19 at 11:15 +0100, Stefan Pietsch wrote:
> On 05.11.2015 09:18, Andrew Bartlett wrote:
> > On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
> > > On 30.10.2015 22:13, Jeremy Allison wrote:
> > > > On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
> > > > > Dear Samba users and developers,
> > > > > 
> > > > > we had the idea of storing S/MIME certificates in the Samba 4 LDAP.
> > > > > In the Windows Active Directory Users and Computers tool I can use the
> > > > > "Published Certificates" tab to add a certificate to a user account.
> > > > > 
> > > > > As Mozilla Thunderbird requests the "userCertificate;binary" attribute
> > > > > of a user when sending encrypted mail, the LDAP response is empty.
> > 
> > This would be because we don't know about the ;binary part at the end,
> > and just assume it is part of the attribute name.
> > 
> > > > > This behaviour is different from a Windows 2008 R2 AD.
> > > > > 
> > > > > I tested this with Samba from Debian 4.1.17+dfsg-2.
> > > > > Is this a missing feature or a bug?
> > > > 
> > > > Not sure. Can you provide network traces of Thunderbird
> > > > trying to do this against a Samba4 AD/DC ?
> > > 
> > > 
> > > Here are the packet details for the search request:
> > > 
> > > Lightweight Directory Access Protocol
> > >     LDAPMessage searchRequest(2) "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
> > >         messageID: 2
> > >         protocolOp: searchRequest (3)
> > >             searchRequest
> > >                 baseObject: OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
> > >                 scope: wholeSubtree (2)
> > >                 derefAliases: neverDerefAliases (0)
> > >                 sizeLimit: 2
> > >                 timeLimit: 0
> > >                 typesOnly: False
> > >                 Filter: (mail=martin.sofaru at lsexperts.de)
> > >                     filter: equalityMatch (3)
> > >                         equalityMatch
> > >                             attributeDesc: mail
> > >                             assertionValue: martin.sofaru at lsexperts.de
> > >                 attributes: 1 item
> > >                     AttributeDescription: usercertificate;binary
> > >         [Response In: 16]
> > 
> > A good description appears to be here:
> > 
> > http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm
> > 
> > The fix would be a patch to
> > source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
> > ;binary suffix (as it is meaningless to samba), and a python unit
> > test to confirm we do so correctly.
> 
> Dear developers,
> 
> are you able to prepare a patch for this? Should I open a bug in
> Bugzilla?
> 

Can you give it a shot?  It really shouldn't be that hard.

You are welcome to file a bug, but I would strongly encourage you to
look into fixing it yourself, as it would be a great introduction to
coding in Samba.

I'm very happy to help and look over any patches you get.  Please post
them to samba-technical. 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
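The behaviour discussed in this thread, as an added example that is not part of the original mails and not Samba's code (the real fix proposed above would be C in resolve_oids.c): an LDAP AttributeDescription is an attribute type followed by zero or more ";option" suffixes (RFC 4512 section 2.5), and "binary" is a transfer option (RFC 4522) that says nothing about which attribute is meant. The model below strips ";binary" before the schema lookup, matches the bare name case-insensitively, and puts ";binary" back on the description in the response so the client finds exactly what it asked for; beside it is the naive lookup that the thread describes, which treats the whole string as the name and returns nothing. The schema, the entry and the certificate bytes are constructed for the demo, and only the binary option is handled (any other option is treated as unrecognised, a simplification of this example).

```python
# Added example, not Samba's code: handling of the ";binary" transfer
# option on an LDAP AttributeDescription (RFC 4512 s.2.5, RFC 4522).
# The schema, entry and certificate bytes below are constructed for the demo.

# Constructed mini-schema: lowercased name -> canonical name (LDAP attribute
# names are case-insensitive, which the naive lookup at the end also gets wrong).
SCHEMA = {name.lower(): name for name in ("userCertificate", "mail", "cn")}

# Constructed entry; the value is a stand-in for a DER-encoded certificate.
ENTRY = {
    "mail": [b"someone@example.com"],
    "userCertificate": [b"\x30\x82\x02\x10\x30\x82\x01\xf8 constructed DER stand-in"],
}


def parse_attribute_description(desc):
    """Split 'type;opt;opt' into (type, [lowercased options])."""
    attr_type, *options = desc.split(";")
    attr_type = attr_type.strip()
    if not attr_type:
        raise ValueError("empty attribute type in %r" % desc)
    return attr_type, [o.strip().lower() for o in options if o.strip()]


def strip_binary_option(desc):
    """The proposed resolve_oids.c change in miniature: drop ';binary' before
    the name is matched against the schema, and remember that it was there.
    Other options are left in place (this demo does not handle lang- tags)."""
    attr_type, options = parse_attribute_description(desc)
    had_binary = "binary" in options
    rest = [o for o in options if o != "binary"]
    return ";".join([attr_type] + rest), had_binary


def resolve_attribute(desc, schema=SCHEMA):
    """Map a description to (canonical schema name, had_binary), or None
    if the type is unknown or an option this demo does not understand remains."""
    bare, had_binary = strip_binary_option(desc)
    if ";" in bare:
        return None
    canonical = schema.get(bare.lower())
    if canonical is None:
        return None
    return canonical, had_binary


def search_attributes(requested, entry=ENTRY, schema=SCHEMA):
    """Attribute selection for one searchResEntry. A value requested with
    ';binary' is returned under 'name;binary' (RFC 4522), so the client sees
    the description it asked for. Unknown or absent attributes are omitted."""
    result = {}
    for desc in requested:
        resolved = resolve_attribute(desc, schema)
        if resolved is None:
            continue
        canonical, had_binary = resolved
        values = entry.get(canonical)
        if not values:
            continue
        key = canonical + (";binary" if had_binary else "")
        result[key] = list(values)
    return result


def naive_search_attributes(requested, entry=ENTRY):
    """What the thread reports: the whole description, ';binary' included,
    is used as the attribute name, so the certificate is never found."""
    return {d: list(entry[d]) for d in requested if d in entry}


if __name__ == "__main__":
    req = ["usercertificate;binary"]  # exactly what Thunderbird sent above
    print("naive :", naive_search_attributes(req))
    print("fixed :", search_attributes(req))
```

Running it shows the naive lookup answering the Thunderbird request with an empty result and the option-aware lookup answering with the certificate under "userCertificate;binary". A unit test of the kind suggested in the thread would assert the second behaviour against a real search through the server, not against this model.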