On 30.10.2015 22:13, Jeremy Allison wrote:
> On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
>> Dear Samba users and developers,
>>
>> we had the idea of storing S/MIME certificates in the Samba 4 LDAP.
>> In the Windows Active Directory Users and Computers tool I can use the
>> "Published Certificates" tab to add a certificate to a user account.
>>
>> As Mozilla Thunderbird requests the "userCertificate;binary" attribute
>> of a user when sending encrypted mail, the LDAP response is empty.
>>
>> This behaviour is different from a Windows 2008 R2 AD.
>>
>> I tested this with Samba from Debian 4.1.17+dfsg-2.
>> Is this a missing feature or a bug?
>
> Not sure. Can you provide network traces of Thunderbird
> trying to do this against a Samba4 AD/DC ?

Here are the packet details for the search request:

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 2
                timeLimit: 0
                typesOnly: False
                Filter: (mail=martin.sofaru at lsexperts.de)
                    filter: equalityMatch (3)
                        equalityMatch
                            attributeDesc: mail
                            assertionValue: martin.sofaru at lsexperts.de
                attributes: 1 item
                    AttributeDescription: usercertificate;binary
        [Response In: 16]

Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(2) "CN=Martin Sofaru,OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" [1 result]
        messageID: 2
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: CN=Martin Sofaru,OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
                attributes: 0 items
        [Response To: 15]
        [Time: 0.021100000 seconds]

Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:
        [Response To: 15]
        [Time: 0.021100000 seconds]

Regards,
Stefan
On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
> On 30.10.2015 22:13, Jeremy Allison wrote:
> > On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
> > > Dear Samba users and developers,
> > >
> > > we had the idea of storing S/MIME certificates in the Samba 4
> > > LDAP.
> > > In the Windows Active Directory Users and Computers tool I can
> > > use the
> > > "Published Certificates" tab to add a certificate to a user
> > > account.
> > >
> > > As Mozilla Thunderbird requests the "userCertificate;binary"
> > > attribute
> > > of a user when sending encrypted mail, the LDAP response is
> > > empty.

This would be because we don't know about the ;binary part at the end,
and just assume it is part of the attribute name.

> > > This behaviour is different from a Windows 2008 R2 AD.
> > >
> > > I tested this with Samba from Debian 4.1.17+dfsg-2.
> > > Is this a missing feature or a bug?
> >
> > Not sure. Can you provide network traces of Thunderbird
> > trying to do this against a Samba4 AD/DC ?
>
>
> Here are the packet details for the search request:
>
> Lightweight Directory Access Protocol
>     LDAPMessage searchRequest(2)
> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
>         messageID: 2
>         protocolOp: searchRequest (3)
>             searchRequest
>                 baseObject:
> OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
>                 scope: wholeSubtree (2)
>                 derefAliases: neverDerefAliases (0)
>                 sizeLimit: 2
>                 timeLimit: 0
>                 typesOnly: False
>                 Filter: (mail=martin.sofaru at lsexperts.de)
>                     filter: equalityMatch (3)
>                         equalityMatch
>                             attributeDesc: mail
>                             assertionValue:
> martin.sofaru at lsexperts.de
>                 attributes: 1 item
>                     AttributeDescription: usercertificate;binary
>         [Response In: 16]

A good description appears to be here:

http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm

The fix would be a patch to
source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
;binary suffix (as it is meaningless to samba), and a python unit test
to confirm we do so correctly.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
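The behaviour Andrew describes, modelled as an added Python example (this is not Samba's source4/dsdb/samdb/ldb_modules/resolve_oids.c and not code posted by anyone in the thread): a server that treats "usercertificate;binary" as a literal attribute name finds nothing and returns the entry with zero attributes, exactly as in Stefan's capture, while a server that strips the RFC 4522 binary option before the lookup finds userCertificate. SAMPLE_ENTRY, its DN and the certificate bytes are constructed placeholders; echoing ";binary" back on the returned attribute description is what RFC 4522 asks for and is an assumption here about what the client expects, not something the thread verifies. The unittest class at the end is the shape of the Python test Andrew asks for.

```python
"""Strip the LDAP ';binary' attribute option before lookup and echo it back.

Added example; not Samba's resolve_oids.c and not code from the thread.
SAMPLE_ENTRY, its DN and the certificate bytes are constructed, and the
certificate value is a placeholder, not real DER.
"""
import unittest

SAMPLE_ENTRY = {
    "dn": "CN=Martin Sofaru,OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de",
    "mail": [b"martin.sofaru at lsexperts.de"],
    "userCertificate": [b"\x30\x82\x01\x00placeholder-not-a-real-certificate"],
}


def split_attribute_description(desc):
    """Split an RFC 4512 AttributeDescription ("type;opt;opt") into
    (type, [options]). Options are case-insensitive, so they are lower-cased;
    the type keeps its spelling."""
    parts = desc.split(";")
    attr_type = parts[0].strip()
    options = [opt.strip().lower() for opt in parts[1:] if opt.strip()]
    return attr_type, options


def strip_binary_option(desc):
    """Return (description without ';binary', had_binary). Only 'binary' is
    removed; other options such as language tags (';lang-de') are kept."""
    attr_type, options = split_attribute_description(desc)
    had_binary = "binary" in options
    kept = [opt for opt in options if opt != "binary"]
    return ";".join([attr_type] + kept), had_binary


def _find_attribute(entry, attr_type):
    """Case-insensitive attribute-type lookup: LDAP attribute types are
    case-insensitive, and the client asked for 'usercertificate' while the
    schema name is 'userCertificate'. Returns (stored_name, values) or None."""
    wanted = attr_type.lower()
    for name, values in entry.items():
        if name != "dn" and name.lower() == wanted:
            return name, values
    return None


def search_literal(entry, requested_attrs):
    """'Before' behaviour: the whole description, option included, is used
    as the attribute name, so 'usercertificate;binary' matches nothing."""
    result = {}
    for desc in requested_attrs:
        found = _find_attribute(entry, desc)
        if found:
            result[found[0]] = found[1]
    return result


def search_with_option_stripping(entry, requested_attrs):
    """'After' behaviour: strip ';binary' before the lookup, then return the
    values under a description carrying ';binary' again when the client asked
    for it (the RFC 4522 behaviour assumed in the lead-in)."""
    result = {}
    for desc in requested_attrs:
        base, had_binary = strip_binary_option(desc)
        found = _find_attribute(entry, base)
        if found is None:
            continue
        stored_name, values = found
        result[stored_name + ";binary" if had_binary else stored_name] = values
    return result


def demo():
    """Run the capture's request against both behaviours."""
    requested = ["usercertificate;binary"]
    return (search_literal(SAMPLE_ENTRY, requested),
            search_with_option_stripping(SAMPLE_ENTRY, requested))


class BinaryOptionTests(unittest.TestCase):
    """The kind of unit test the proposed fix would ship with."""

    def test_binary_option_stripped_case_insensitively(self):
        self.assertEqual(strip_binary_option("usercertificate;BINARY"),
                         ("usercertificate", True))

    def test_other_options_survive(self):
        self.assertEqual(strip_binary_option("cn;lang-de;binary"),
                         ("cn;lang-de", True))

    def test_certificate_only_found_after_stripping(self):
        before, after = demo()
        self.assertEqual(before, {})
        self.assertEqual(list(after), ["userCertificate;binary"])


if __name__ == "__main__":
    unittest.main()
```

To check a real DC the same way, request the attribute once as userCertificate and once as userCertificate;binary with ldapsearch against the same filter; a server that handles the option returns the certificate in both cases, one that does not returns the entry without it in the second.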
On 05.11.2015 09:18, Andrew Bartlett wrote:
> On Tue, 2015-11-03 at 10:21 +0100, Stefan Pietsch wrote:
>> On 30.10.2015 22:13, Jeremy Allison wrote:
>>> On Fri, Oct 30, 2015 at 11:27:55AM +0100, Stefan Pietsch wrote:
>>>> Dear Samba users and developers,
>>>>
>>>> we had the idea of storing S/MIME certificates in the Samba 4
>>>> LDAP.
>>>> In the Windows Active Directory Users and Computers tool I can
>>>> use the
>>>> "Published Certificates" tab to add a certificate to a user
>>>> account.
>>>>
>>>> As Mozilla Thunderbird requests the "userCertificate;binary"
>>>> attribute
>>>> of a user when sending encrypted mail, the LDAP response is
>>>> empty.
>
> This would be because we don't know about the ;binary part at the end,
> and just assume it is part of the attribute name.
>
>>>> This behaviour is different from a Windows 2008 R2 AD.
>>>>
>>>> I tested this with Samba from Debian 4.1.17+dfsg-2.
>>>> Is this a missing feature or a bug?
>>>
>>> Not sure. Can you provide network traces of Thunderbird
>>> trying to do this against a Samba4 AD/DC ?
>>
>>
>> Here are the packet details for the search request:
>>
>> Lightweight Directory Access Protocol
>>     LDAPMessage searchRequest(2)
>> "OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de" wholeSubtree
>>         messageID: 2
>>         protocolOp: searchRequest (3)
>>             searchRequest
>>                 baseObject:
>> OU=People,OU=Users,OU=LSE,DC=corp,DC=lsexperts,DC=de
>>                 scope: wholeSubtree (2)
>>                 derefAliases: neverDerefAliases (0)
>>                 sizeLimit: 2
>>                 timeLimit: 0
>>                 typesOnly: False
>>                 Filter: (mail=martin.sofaru at lsexperts.de)
>>                     filter: equalityMatch (3)
>>                         equalityMatch
>>                             attributeDesc: mail
>>                             assertionValue:
>> martin.sofaru at lsexperts.de
>>                 attributes: 1 item
>>                     AttributeDescription: usercertificate;binary
>>         [Response In: 16]
>
> A good description appears to be here:
>
> http://www.ldapexplorer.com/en/manual/107070400-binary-attributes.htm
>
> The fix would be a patch to
> source4/dsdb/samdb/ldb_modules/resolve_oids.c that would strip any
> ;binary suffix (as it is meaningless to samba), and a python unit test
> to confirm we do so correctly.

Dear developers,

are you able to prepare a patch for this?
Should I open a bug in Bugzilla?

Regards,
Stefan