MozillaZine

Retrieving S/MIME certificates from LDAP server

Discussion of bugs in Mozilla Thunderbird
dones27
 
Posts: 2
Joined: September 20th, 2006, 7:06 am

Post Posted September 20th, 2006, 7:38 am

We use Thunderbird as our email client and are currently beta testing smart cards for email encryption. We are experiencing an issue with Thunderbird when trying to retrieve user certificates from our LDAP server. TB does not always find the certificates. We ran a trace and got mixed results. TB did not consistently ask for the certificate (see trace results below).

According to this KB article http://kb.mozillazine.org/Getting_an_SMIME_certificate/ Thunderbird does not support retrieving a user's S/MIME certificate from an LDAP server. Is this true, and will it be supported anytime soon?

Trace results when TB found user certificate from ldap:

LDAPMessage searchResEntry(2) "cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX" [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX
attributes: 1 item
Item usercertificate;binary
type: usercertificate;binary
vals: 1 item
Item: 308203843082026CA00302010202043EC3F26D300D06092A...
Response To: 14
Time: 0.949704000 seconds


When it fails to get the certificate, it is not asking the LDAP server for it; see the trace below.

LDAPMessage searchResEntry(2) "cn=XXXXXXXXXX,ou=XXXXX,o=XXXXXXXXXXXXX,c=XX" [2 results]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: cn=XXXXXXX,ou=XXXXXX,o=XXXXXXXX,c=XX
attributes: 2 items
Item mail
type: mail
vals: 1 item
XXXXXX@XXX.XXX.XXX
Item cn
type: cn
vals: 1 item
XXXXX X. XXXXXXX
Response To: 2029
Time: 1.075632000 seconds

Saambedi Faated
 
Posts: 3
Joined: November 30th, 2006, 6:09 pm
Location: New York

Post Posted November 30th, 2006, 6:31 pm

Any response to this?
I'm using TB 1.5.0.8 on Windows XP and Linux and I'm experiencing the same problem... only the cert is never retrieved. LDAP is OpenLDAP 2.2.13.

Outlook clients are able to query the LDAP server and retrieve the certificates without issue (from LDAP logs):
Nov 30 19:29:11 ldaphostname slapd[4538]: conn=6562 op=1 SRCH base="dc=replaceddomain,dc=com" scope=2 deref=3 filter="(&(mail=*)(|(mail=scott*)(|(cn=scott*)(|(sn=scott*)(givenName=scott*)))))"
Nov 30 19:29:11 ldaphostname slapd[4538]: conn=6562 op=1 SRCH attr=cn commonName mail postalAddress roleOccupant displayName display-name sn surname co organizationName o givenName title ou organizationalUnitName department physicalDeliveryOfficeName telephoneNumber userCertificate;binary userSMIMECertificate;binary user-cert;binary

Thunderbird seems to query for everything but the certificate (from LDAP logs):
Nov 30 20:19:39 ldaphostname slapd[4538]: conn=6670 op=2 SRCH base="ou=users,dc=replaceddomain,dc=com" scope=2 deref=0 filter="(|(mail=*scott*)(cn=*scott*)(givenName=*scott*)(sn=*scott*))"
Nov 30 20:19:39 ldaphostname slapd[4538]: conn=6670 op=2 SRCH attr=company o title modifytimestamp mozillaCustom4 custom4 mozillaHomeUrl homeurl mozillaCustom2 custom2 mozillaHomeCountryName department departmentnumber ou orgunit mobile cellphone carphone mozillaHomeState mozillaCustom1 custom1 mozillaNickname xmozillanickname mozillaWorkUrl workurl fax facsimiletelephonenumber st region telephoneNumber mozillaHomeStreet mozillaSecondEmail xmozillasecondemail nsAIMid nscpaimscreenname street streetaddress postOfficeBox l locality homePhone description notes cn commonname givenName mozillaHomePostalCode mozillaHomeLocalityName mozillaCustom3 custom3 mozillaWorkStreet2 mozillaUseHtmlMail xmozillausehtmlmail mozillaHomeStreet2 postalCode zip c countryname pager pagerphone mail sn surname birthyear

The preceding was returned with the LDAP search. There was no subsequent query when I hit <send>. Only the error message:
"You specified encryption for this message, but the application failed to find an encryption certificate for username@domainname.com"

Incidentally, the Autocomplete from the "To:" line doesn't seem to work either.

tanstaafl
Moderator

 
Posts: 45888
Joined: July 30th, 2003, 5:06 pm

Post Posted November 30th, 2006, 7:34 pm

Your best bet is to search the Mozilla Bugzilla database and find a bug report about it. If it's fixed in a branch or trunk build, typically there will be a comment to that effect in the bug report. If you can't find one, I suggest you file a bug report.

This web site is not run by or formally associated with Mozilla; we're an independent user community. So it's very difficult to answer questions such as whether something will be supported soon.

Saambedi Faated
 
Posts: 3
Joined: November 30th, 2006, 6:09 pm
Location: New York

Post Posted November 30th, 2006, 8:37 pm

I just figured it out, well my problem at least. I hope it helps you. The problem turned out to be Thunderbird's Autocomplete feature not quite working for LDAP.

I went to: Tools - Account Settings, I clicked on the Composition & Addressing section of the config and in the Addressing portion of the window, I ticked: "Use a different LDAP server" and made sure that my LDAP server was selected... (as opposed to the Global LDAP Server preference).
In addition to:
Tools - Composition - In the Addressing tab, for Address Autocompletion, I checked: Directory Server: and selected my Directory Server from the list.
Neither configuration worked alone; they both needed to be enabled.
After this step, I was able to auto-complete my e-mail address recipients and TB was able to retrieve the certs from my LDAP server:

Nov 30 22:21:59 nightcrawler slapd[4538]: conn=6898 op=2 SRCH base="ou=users,dc=replaceddomain,dc=com" scope=2 deref=0 filter="(|(cn=scott*)(mail=scott*)(sn=scott*))"
Nov 30 22:21:59 nightcrawler slapd[4538]: conn=6898 op=2 SRCH attr=cn mail
Nov 30 22:21:59 nightcrawler slapd[4538]: conn=6898 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 fd=19 ACCEPT from IP=209.123.95.13:3707 (IP=0.0.0.0:389)
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 op=0 BIND dn="" method=128
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 op=0 RESULT tag=97 err=0 text=
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 op=1 SRCH base="ou=users,dc=replaceddomain,dc=com" scope=2 deref=0 filter="(mail=epallarca@replaceddomain.com)"
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 op=1 SRCH attr=usercertificate;binary
Nov 30 22:22:10 nightcrawler slapd[4538]: conn=6899 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 30 22:22:12 nightcrawler slapd[4538]: conn=6899 op=2 UNBIND
Nov 30 22:22:12 nightcrawler slapd[4538]: conn=6899 fd=19 closed
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 fd=19 ACCEPT from IP=127.0.0.1:39960 (IP=0.0.0.0:389)
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 op=0 BIND dn="uid=myname,ou=Users,dc=replaceddomain,dc=com" method=128
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 op=0 BIND dn="uid=myname,ou=Users,dc=replaceddomain,dc=com" mech=SIMPLE ssf=0
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 op=0 RESULT tag=97 err=0 text=
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 op=1 UNBIND
Nov 30 22:22:14 nightcrawler slapd[4538]: conn=6900 fd=19 closed
Nov 30 22:22:17 nightcrawler slapd[4538]: conn=6898 op=3 UNBIND
Nov 30 22:22:17 nightcrawler slapd[4538]: conn=6898 fd=18 closed

dones27
 
Posts: 2
Joined: September 20th, 2006, 7:06 am

Post Posted December 1st, 2006, 10:29 am

This seems to have fixed the certificate fetch problem I was having. It is redundant to have to set these same parameters in 2 different places, especially if one will break the other if not set. Even after I set the LDAP settings in Tools/Options/Composition/Addressing, it is still quirky. I still cannot find the Security Info of the user if I only want to view it or sign the message. The only way it will work is by selecting "encrypt message"; then it searches for the certificates in LDAP.

Saambedi Faated
 
Posts: 3
Joined: November 30th, 2006, 6:09 pm
Location: New York

Post Posted December 1st, 2006, 10:53 am

It's a real pain that it needs to be redundant.
And it looks like you'll only see security info on the user if you try to encrypt the message. Thunderbird only queries for attr=usercertificate;binary when "Encrypt this message" is selected. Doing a tail -f (running monitor) on your LDAP log when trying with and without encrypting will prove this.
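The check described in this thread (watching the slapd log to see whether the client ever asked for the certificate attribute) can be scripted. The following is an added example, not code from any poster here: it joins the SRCH base=/attr= and SEARCH RESULT lines of each (conn, op) and reports which searches actually requested a certificate. The log excerpt is constructed, modelled on the lines posted above, with made-up hostname, connection ids and DNs.

```python
import re
# Constructed slapd log excerpt modelled on the ones posted in this thread
# (hostname, connection ids and DNs are made up; attribute lists are shortened).
SAMPLE_LOG = """\
Nov 30 20:19:39 ldaphost slapd[4538]: conn=6670 op=2 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(|(mail=*scott*)(cn=*scott*))"
Nov 30 20:19:39 ldaphost slapd[4538]: conn=6670 op=2 SRCH attr=company o title mail sn cn givenName
Nov 30 20:19:39 ldaphost slapd[4538]: conn=6670 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 30 22:22:10 ldaphost slapd[4538]: conn=6899 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(mail=scott@example.com)"
Nov 30 22:22:10 ldaphost slapd[4538]: conn=6899 op=1 SRCH attr=usercertificate;binary
Nov 30 22:22:10 ldaphost slapd[4538]: conn=6899 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Attribute names (compared lower-case) under which S/MIME certificates are
# published; Outlook asks for both families, Thunderbird here only for the first.
CERT_ATTRS = {"usercertificate", "usercertificate;binary",
              "usersmimecertificate", "usersmimecertificate;binary"}

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\S+(?: RESULT)?) ?(.*)$")  # conn=N op=M OP details
FILTER_RE = re.compile(r'filter="([^"]*)"')
NENTRIES_RE = re.compile(r"nentries=(\d+)")

def parse_searches(log_text):
    """Join the SRCH base=/attr= and SEARCH RESULT lines that share one (conn, op)
    into one dict each: conn, op, filter, attrs, nentries, cert_requested."""
    searches = {}
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (conn, op)
        if kind == "SRCH":
            s = searches.setdefault(key, {"conn": conn, "op": op, "filter": "",
                                          "attrs": [], "nentries": None})
            if rest.startswith("base="):
                f = FILTER_RE.search(rest)
                s["filter"] = f.group(1) if f else ""
            elif rest.startswith("attr="):
                s["attrs"] = rest[len("attr="):].split()
        elif kind == "SEARCH RESULT" and key in searches:
            n = NENTRIES_RE.search(rest)
            searches[key]["nentries"] = int(n.group(1)) if n else None
    for s in searches.values():
        s["cert_requested"] = any(a.lower() in CERT_ATTRS for a in s["attrs"])
    return list(searches.values())

def certificate_lookups(log_text):
    """Only the searches in which the client actually asked for a certificate."""
    return [s for s in parse_searches(log_text) if s["cert_requested"]]
```

Running it over a real slapd log (`tail -f` output piped to a file) separates the address-book autocomplete searches from the one encryption-time lookup for usercertificate;binary, and nentries shows whether that lookup matched an entry.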
