samba - Nov 2015 - S/MIME certificates in Samba 4 LDAP

On 30.10.2015 22:13, Jeremy Allison wrote:
> On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
>> Dear Samba users and developers,
>>
>> we had the idea of storing S/MIME certificates in the Samba 4 LDAP.
>> In the Windows Active Directory Users and Computers tool I can use the
>> "Published Certificates" tab to add a certificate to a user
account.
>>
>> As Mozilla Thunderbird requests the "userCertificate;binary"
attribute
>> of a user when sending encrypted mail, the LDAP response is empty.
>>
>> This behaviour is different from a Windows 2008 R2 AD.
>>
>> I tested this with Samba from Debian 4.1.17+dfsg-2.
>> Is this a missing feature or a bug?
> 
> Not sure. Can you provide network traces of Thunderbird
> trying to do this against a Samba4 AD/DC ?

Here are the packet details for the search request:

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2)
"OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject:
OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 2
                timeLimit: 0
                typesOnly: False
                Filter: (mail=martin.sofaru at lsexperts.de)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: mail
                            assertionValue: martin.sofaru at lsexperts.de
                attributes: 1 item
                    AttributeDescription: usercertificate;binary
        [Response In: 16]


Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(2) "CN=Martin
Sofaru,OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" [1 result]
        messageID: 2
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: CN=Martin
Sofaru,OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
                attributes: 0 items
        [Response To: 15]
        [Time: 0.021100000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:
        [Response To: 15]
        [Time: 0.021100000 seconds]




Regards,
Stefan

On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
> On 30.10.2015 22:13, Jeremy Allison wrote:
> > On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
> > > Dear Samba users and developers,
> > > 
> > > we had the idea of storing S/MIME certificates in the Samba 4
> > > LDAP.
> > > In the Windows Active Directory Users and Computers tool I can
> > > use the
> > > "Published Certificates" tab to add a certificate to a
user
> > > account.
> > > 
> > > As Mozilla Thunderbird requests the
"userCertificate;binary"
> > > attribute
> > > of a user when sending encrypted mail, the LDAP response is
> > > empty.
This would be because we don't know about the ;binary part at the end,
and just assume it is part of the attribute name.
> > > This behaviour is different from a Windows 2008 R2 AD.
> > > 
> > > I tested this with Samba from Debian 4.1.17+dfsg-2.
> > > Is this a missing feature or a bug?
> > 
> > Not sure. Can you provide network traces of Thunderbird
> > trying to do this against a Samba4 AD/DC ?
> 
> 
> Here are the packet details for the search request:
> 
> Lightweight Directory Access Protocol
>     LDAPMessage searchRequest(2)
> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de"
wholeSubtree
>         messageID: 2
>         protocolOp: searchRequest (3)
>             searchRequest
>                 baseObject:
> OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
>                 scope: wholeSubtree (2)
>                 derefAliases: neverDerefAliases (0)
>                 sizeLimit: 2
>                 timeLimit: 0
>                 typesOnly: False
>                 Filter: (mail=martin.sofaru at lsexperts.de)
>                     filter: equalityMatch (3)
>                         equalityMatch
>                             attributeDesc: mail
>                             assertionValue: 
> martin.sofaru at lsexperts.de
>                 attributes: 1 item
>                     AttributeDescription: usercertificate;binary
>         [Response In: 16]
A good description appears to be here:

http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm

The fix would be a patch to
source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
;binary suffix (as it is meaninless to samba), and a python unit test
to confirm we do so correctly.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 05.11.2015 09:18, Andrew Bartlett wrote:
> On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
>> On 30.10.2015 22:13, Jeremy Allison wrote:
>>> On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
>>>> Dear Samba users and developers,
>>>>
>>>> we had the idea of storing S/MIME certificates in the Samba 4
>>>> LDAP.
>>>> In the Windows Active Directory Users and Computers tool I can
>>>> use the
>>>> "Published Certificates" tab to add a certificate to
a user
>>>> account.
>>>>
>>>> As Mozilla Thunderbird requests the
"userCertificate;binary"
>>>> attribute
>>>> of a user when sending encrypted mail, the LDAP response is
>>>> empty.
> 
> This would be because we don't know about the ;binary part at the end,
> and just assume it is part of the attribute name.
> 
>>>> This behaviour is different from a Windows 2008 R2 AD.
>>>>
>>>> I tested this with Samba from Debian 4.1.17+dfsg-2.
>>>> Is this a missing feature or a bug?
>>>
>>> Not sure. Can you provide network traces of Thunderbird
>>> trying to do this against a Samba4 AD/DC ?
>>
>>
>> Here are the packet details for the search request:
>>
>> Lightweight Directory Access Protocol
>>     LDAPMessage searchRequest(2)
>> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de"
wholeSubtree
>>         messageID: 2
>>         protocolOp: searchRequest (3)
>>             searchRequest
>>                 baseObject:
>> OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
>>                 scope: wholeSubtree (2)
>>                 derefAliases: neverDerefAliases (0)
>>                 sizeLimit: 2
>>                 timeLimit: 0
>>                 typesOnly: False
>>                 Filter: (mail=martin.sofaru at lsexperts.de)
>>                     filter: equalityMatch (3)
>>                         equalityMatch
>>                             attributeDesc: mail
>>                             assertionValue: 
>> martin.sofaru at lsexperts.de
>>                 attributes: 1 item
>>                     AttributeDescription: usercertificate;binary
>>         [Response In: 16]
> 
> A good description appears to be here:
> 
> http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm
> 
> The fix would be a patch to
> source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
> ;binary suffix (as it is meaninless to samba), and a python unit test
> to confirm we do so correctly.
Dear developers,

are you able to prepare a patch for this? Should I open a bug in Bugzilla?


Regards,
Stefan