Apache Directory Server LDAP usercertificate attribute for S/MIME not supported, seems working only with usercertificate;binary response

(Reporter: rihards, Unassigned)

10 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; FDM)
Build Identifier: 3.0 b3pre, as well

When trying to send S/MIME encrypted e-mail, fetching usercertificate from an LDAP server based on Apache DS v. 1.5.4, Thunderbird sends a usercertificate;binary search request, but receives just usercertificate and returns "Sending of message failed....application failed to find an encryption certificate of user...."
Problem described in Apache DS bug report: https://issues.apache.org/jira/browse/DIRSERVER-1198 

Reproducible: Always

Steps to Reproduce:
1. Install S/MIME signing and encryption certificates for current user
2. Add external LDAP and search base of external Apache DS LDAP holding user entries both - email and usercertificates
3. Try to send encrypted mail to other users
Actual Results:  
Thunderbird finds users and their e-mail addresses in external LDAP, trying to fetch attribute usercertificate;binary , receives attribute usercertificate= (sniffed by Microsoft Network Monitor 3.2), but fails to recognize certificate and writes "Sending of message failed....application failed to find an encryption certificate of user...."

Expected Results:  
Find certificate from external LDAP, encrypt and send e-mail, as it does with OpenLDAP, when it receives attribute usercertificate;binary=...

Comment 1

9 years ago
This relates to RFC 4523 [Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates] (http://www.rfc-editor.org/rfc/rfc4523.txt) which says:
2.1.  Certificate
   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as

According to the issues.apache.org bug, it looks like the Apache directory server is not compliant with the RFC.

I would suggest using a directory server that implements this spec correctly, such as Project 389:
http://directory.fedoraproject.org/ (This used to be the Netscape DS, and is also the basis for the Red Hat Directory Server).
Last Resolved: 9 years ago
Resolution: --- → WONTFIX
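The mismatch described in the report and the RFC 4522/4523 rule quoted in Comment 1, as an added Python example that is not code from this bug, from Thunderbird or from Apache DS: it models a search-result entry as a dict, resolves the requested attribute description with the matching rules those RFCs imply (attribute type case-insensitive, option set must match), and checks that a returned value is a whole outer DER SEQUENCE before accepting it. The sample entries and the stand-in certificate bytes are constructed.

```python
# Added example (not Thunderbird or Apache DS code): models the
# userCertificate vs. userCertificate;binary mismatch from this bug.

def parse_attribute_description(desc):
    """'userCertificate;binary' -> ('usercertificate', {'binary'}).
    Attribute types compare case-insensitively (RFC 4512); the options
    after ';' form a set, and 'binary' is the RFC 4522 transfer option."""
    attr_type, *options = desc.split(";")
    return attr_type.strip().lower(), {o.strip().lower() for o in options if o.strip()}

def der_sequence_length(value):
    """Encoded length of an outer DER SEQUENCE (tag 0x30), or None if the
    header is malformed. RFC 4523 says certificate values SHOULD be DER."""
    if len(value) < 2 or value[0] != 0x30:
        return None
    first = value[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(value) < 2 + n:
        return None
    return 2 + n + int.from_bytes(value[2:2 + n], "big")

def find_certificate(entry, requested="userCertificate;binary"):
    """Resolve `requested` in a search-result entry {attr_desc: [values]}.
    Returns (status, value); status is 'ok', 'wrong-option' (same type but
    a different option set, e.g. plain 'userCertificate' as Apache DS 1.5.4
    answered), 'not-der' (value is not a whole DER SEQUENCE) or 'missing'."""
    want_type, want_opts = parse_attribute_description(requested)
    wrong_option = False
    for desc, values in entry.items():
        got_type, got_opts = parse_attribute_description(desc)
        if got_type != want_type:
            continue
        if got_opts != want_opts:
            wrong_option = True
            continue
        for value in values:
            if isinstance(value, bytes) and der_sequence_length(value) == len(value):
                return "ok", value
            return "not-der", value
    return ("wrong-option" if wrong_option else "missing"), None

# Constructed sample data: a 5-byte DER SEQUENCE { INTEGER 5 } stands in for
# a real certificate; the two entries mimic the servers in the report.
FAKE_DER_CERT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
OPENLDAP_LIKE = {"mail": ["alice@example.com"], "userCertificate;binary": [FAKE_DER_CERT]}
APACHEDS_LIKE = {"mail": ["alice@example.com"], "userCertificate": [FAKE_DER_CERT]}
```

Running `find_certificate` over the two constructed entries gives 'ok' for the OpenLDAP-style answer and 'wrong-option' for the Apache DS-style one, which is the distinction a client that follows the RFC strictly makes.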