User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; FDM) Build Identifier: 3.0 b3pre, 188.8.131.52 as well When trying to send S/MIME encrypted e-mail, fething usercertificate from LDAP server based on Apache DS v. 1.5.4, Thunderbird send usercerificate;binary search request, but recieve just usercertificate and return "Sending of message failed....apllication failed to find an encryption certificate of user...." Problem described in Apache DS bug report: https://issues.apache.org/jira/browse/DIRSERVER-1198 Reproducible: Always Steps to Reproduce: 1. Install S/MIME signing and encryption certificates for current user 2. Add external LDAP and search base of externel Apache DS LDAP holding user entries both - email and usercertificates 3. Try to send encypted mail to other users Actual Results: Thunderbird finds users and their e-mail adrresses in external LDAP, trying to fetch attribute usercertificate;binary , recieves attribute usercertificate= (sniffed by Microsoft Network Monitor 3.2), but fails to recognize certificate and write "Sending of message failed....apllication failed to find an encryption certificate of user...." Expected Results: Find certificate from external LDAP, encrypt and send e-mail, as it does with OpenLDAP, when recieves attribute usercertificate;binary=...
This relates to RFC 4523 [Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates] (http://www.rfc-editor.org/rfc/rfc4523.txt) which says: ==== 2.1. Certificate Due to changes made to the definition of a Certificate through time, no LDAP-specific encoding is defined for this syntax. Values of this syntax SHOULD be encoded using Distinguished Encoding Rules (DER) [X.690] and MUST only be transferred using the ;binary transfer option [RFC4522]; that is, by requesting and returning values using attribute descriptions such as "userCertificate;binary". As values of this syntax contain digitally signed data, values of this syntax and the form of each value MUST be preserved as presented. ==== According to the issues.apache.org bug, it looks like the Apache directory server is not compliant with the RFC. I would suggest using a directory server that implements this spec correctly, such as Project 389: http://directory.fedoraproject.org/ (This used to be the Netscape DS, and is also the basis for the Red Hat Directory Server).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.