
OpenLDAP 2.0.1, netscape and userSMIMEcertificate



Hi,

I tried to convince netscape to use a 2.0.1 server in order
to store and retrieve S/MIME certificates and I ran into
some problems. First, netscape was not able to store a
certificate because the server complained that "binary" is
not allowed for the userSMIMEcertificate attribute. After
changing the syntax of this attribute to
1.3.6.1.4.1.1466.115.121.1.8 the server and netscape were
happy and the certificate (or whatever netscape sends there)
was stored. Now I wonder if there is any reason why the syntax
1.3.6.1.4.1.1466.115.121.1.5 has no SLAP_SYNTAX_BINARY flag
but the other one has. Around line 2296 in schema_init.c
one can find:

 {"( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' " X_BINARY X_NOT_H_R ")",
         SLAP_SYNTAX_BER, berValidate, NULL, NULL},
....
 {"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' "
         X_BINARY X_NOT_H_R ")",
         SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL},

If the above is correct then the inetorgperson.schema is at fault
or netscape is doing something wrong. I can't tell. For now I
changed the schema. BTW, if I ask for the schema via the "cn=schema"
DN I get back 1.3.6.1.4.1.1466.115.121.1.5 as the syntax for the
userSMIMEcertificate attribute, which is even more confusing.

The next problem was to read back the certificate from the server with
netscape. Netscape always asks for the attribute "userSMIMEcertificate;binary"
which obviously doesn't exist because the attribute's name is
"userSMIMEcertificate" and "binary" is just the encoding. This time I
would blame netscape for being wrong but I had to find a solution.
In order to make netscape happy I added a small hack to search.c
which simply strips the ";binary" qualifier from the attribute name. This is
the patch:

*** search.c.orig3      Tue Sep 12 20:16:45 2000
--- search.c    Wed Sep 13 19:09:28 2000
***************
*** 134,139 ****
--- 134,150 ----
                goto return_results;
        }
  
+       /* YYYY to make netscape work */
+       if ( attrs != NULL ) {
+               for ( i = 0; attrs[i] != NULL; i++ ) {
+                       char *a;
+ 
+                       if ((a = strstr(attrs[i], ";binary")) != NULL) {
+                               *a = '\0';
+                       }
+               }
+       }
+ 
        if( (rc = get_ctrls( conn, op, 1 )) != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_ANY, "do_search: get_ctrls failed\n", 0, 0, 0 );
                goto return_results;
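Review bot: `strstr(attrs[i], ";binary")` matches the substring anywhere in the description and truncates everything after it, so `cn;binary;lang-en` becomes `cn` and `cn;binaryx` also becomes `cn`; consider splitting on `;` and dropping only an option that is exactly `binary` (attribute options are case-insensitive, so `;BINARY` should be handled the same way). The hunk also uses `i` without showing its declaration, so check it is declared in `do_search`, and writing `'\0'` into `attrs[i]` modifies the caller's buffer in place, which is worth a comment. The `YYYY` placeholder in the comment should be replaced with a description of why the option is stripped.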

If really netscape is guilty then this probably shouldn't go into the
official source but it can help others who try to do the same.

Karsten.
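The patch above strips ";binary" with a plain substring search, which also removes any options that follow it. As an added example (my own code, not OpenLDAP's and not Karsten's patch), the function below splits an attribute description on ';' and drops only an option that is exactly "binary", case-insensitively, keeping the base type and every other option; `legacy_strip` reproduces the strstr behaviour of the patch for comparison. Function and buffer names are my own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of a fixed-length token against a
 * NUL-terminated word; returns 1 on match. Avoids relying on strncasecmp
 * being available on every platform. */
static int token_equals_ci(const char *tok, size_t len, const char *word)
{
    size_t i;
    if (strlen(word) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)word[i]))
            return 0;
    return 1;
}

/* Copy the attribute description `desc` ("type;opt1;opt2...") into `out`
 * without any option that is exactly "binary". The first token is the
 * attribute type and is never treated as an option. Returns 1 if a binary
 * option was removed, 0 if none was present, -1 if `out` is too small. */
int strip_binary_option(const char *desc, char *out, size_t outsz)
{
    const char *p = desc;
    size_t used = 0;
    int first = 1, removed = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    for (;;) {
        const char *semi = strchr(p, ';');
        size_t len = semi ? (size_t)(semi - p) : strlen(p);

        if (!first && token_equals_ci(p, len, "binary")) {
            removed = 1;                 /* drop this option only */
        } else {
            if (!first) {
                if (used + 1 >= outsz)
                    return -1;
                out[used++] = ';';       /* separator before a kept option */
            }
            if (used + len >= outsz)
                return -1;
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        first = 0;
        if (!semi)
            break;
        p = semi + 1;
    }
    return removed;
}

/* Same approach as the posted patch: cut the string at the first
 * occurrence of ";binary", whatever follows it. Shown for contrast. */
void legacy_strip(char *desc)
{
    char *a = strstr(desc, ";binary");
    if (a != NULL)
        *a = '\0';
}

int main(void)
{
    /* constructed sample attribute descriptions */
    const char *samples[] = { "userSMIMEcertificate;binary",
                              "cn;binary;lang-en", "cn;binaryx", "sn" };
    char out[64], legacy[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        strncpy(legacy, samples[i], sizeof legacy - 1);
        legacy[sizeof legacy - 1] = '\0';
        legacy_strip(legacy);
        strip_binary_option(samples[i], out, sizeof out);
        printf("%-28s legacy=%-14s tokenised=%s\n", samples[i], legacy, out);
    }
    return 0;
}
```

Running the demo shows where the two approaches differ: for `cn;binary;lang-en` the substring cut yields `cn` while the tokenised version keeps `cn;lang-en`, and `cn;binaryx` is left untouched by the tokenised version.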