I'm currently trying to build a simple LDAP server using https://github.com/nmcclain/ldap to serve mail clients (primarily Outlook) with an address book containing S/MIME certificates.
So far the part regarding the "normal" LDAP attributes like sn, mail, displayName etc. works, but I struggle to get userCertificate;binary to work.
Using the ldap-debugger from https://github.com/pingidentity/ldapsdk/releases all looks good compared to a reference MS AD server. I get the same response.
Example from an AD:
LDAP Message:
Message ID: 785
Search Request Protocol Op:
Base DN: CN=user,OU=adresses,DC=local,DC=org
Scope: BASE
Dereference Policy: ALWAYS
Size Limit: 100
Time Limit: 100
Types Only: false
Filter: (objectClass=*)
Requested Attributes:
cn
commonName
mail
roleOccupant
display-name
displayname
sn
surname
co
organizationName
o
givenName
legacyExchangeDN
objectClass
uid
mailNickname
title
company
physicalDeliveryOfficeName
telephoneNumber
otherTelephone
otherHomePhone
info
userCertificate;binary
user-cert;binary
userSMIMECertificate;binary
TextEncodedORaddress
otherMailbox
proxyAddresses
msExchHomeServerName
secretary
Telephone-Assistant
Telephone-Office2
ou
organizationalUnitName
department
l
postalCode
st
postalAddress
streetAddress
homephone
initials
mobile
facsimileTelephoneNumber
pager
[07/March/2022:13:08:10 +0100] conn=6 from="0:0:0:0:0:0:0:1:56415" to="0:0:0:0:0:0:0:1:33389"
LDAP Message:
Message ID: 785
Search Result Entry Protocol Op:
dn: CN=user,OU=adresses,DC=local,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user
displayName: user
sn: user
company: company
mail: [email protected]
givenName: user
userCertificate;binary:: MIIIvz...H5z/w7QDTxupw=
Example from my LDAP Server:
LDAP Message:
Message ID: 648
Search Request Protocol Op:
Base DN: CN=user,OU=adresses,DC=local,DC=org
Scope: BASE
Dereference Policy: ALWAYS
Size Limit: 100
Time Limit: 100
Types Only: false
Filter: (objectClass=*)
Requested Attributes:
cn
commonName
mail
roleOccupant
display-name
displayname
sn
surname
co
organizationName
o
givenName
legacyExchangeDN
objectClass
uid
mailNickname
title
company
physicalDeliveryOfficeName
telephoneNumber
otherTelephone
otherHomePhone
info
userCertificate;binary
user-cert;binary
userSMIMECertificate;binary
TextEncodedORaddress
otherMailbox
proxyAddresses
msExchHomeServerName
secretary
Telephone-Assistant
Telephone-Office2
ou
organizationalUnitName
department
l
postalCode
st
postalAddress
streetAddress
homephone
initials
mobile
facsimileTelephoneNumber
pager
[07/March/2022:11:42:11 +0100] conn=6 from="0:0:0:0:0:0:0:1:58508" to="0:0:0:0:0:0:0:1:33389"
LDAP Message:
Message ID: 648
Search Result Entry Protocol Op:
dn: CN=user,OU=adresses,DC=local,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
uid: 3
cn: user
displayName: user
sn: user
company: user
mail: [email protected]
givenName: [email protected]
userCertificate;binary: MIIIfzCC...VLjPjJlyMMA==
However, I don't see the userCertificate in Outlook.
The value of userCertificate is the result of
openssl x509 -in user_public_cert.cer -inform DER
minus the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, as mentioned here: https://unix.stackexchange.com/questions/431944/problems-with-ldap-usercertificate-attribute. This results in a base64-encoded string of the certificate.
However, if I capture the network traffic using Wireshark, I get a cleanly decoded certificate with the MS AD server and a "BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:16(SEQUENCE) but found class:APPLICATION(1) tag:9" with my server.
As far as I can tell, DER should be a subset of BER, which is why I assumed the openssl result should be enough.
Now I think I have to encode the base64 string again in BER. If this is right, how would I go about doing that?
The ldap.EntryAttribute currently looks like this:
&ldap.EntryAttribute{"userCertificate;binary", []string{cert}},
where cert is a string from the database.
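The two debugger dumps above already show the difference: the AD entry prints userCertificate;binary with a double colon (the debugger base64-encodes a raw binary value for display), while the custom server prints it with a single colon (the value on the wire is already printable text, i.e. the base64 string itself). A DER certificate on the wire begins with byte 0x30 (UNIVERSAL SEQUENCE); the base64 text begins with letters such as 'M' (0x4D) or 'I' (0x49), and 0x49 decodes as BER class APPLICATION, tag 9, which is exactly what the Wireshark error reports. So no second layer of BER encoding is needed; the fix is to base64-decode the database value and hand the raw DER bytes to the attribute. The following stand-alone Go program is an added example, not code from the question or from the nmcclain/ldap project: it uses only the standard library, builds a throwaway self-signed certificate as constructed test data in the same stripped-PEM form the question stores in the database, converts that to the raw attribute value, and checks both forms the way a server-side sanity check would. The function names and the test certificate are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certAttributeValue turns the base64 text kept in the database (the output of
// "openssl x509 -inform DER" with the BEGIN/END lines removed) into the raw DER
// bytes that belong in userCertificate;binary. The result is a Go string only
// because EntryAttribute holds []string; it carries raw bytes, not printable
// text, and must not be base64-encoded a second time.
func certAttributeValue(b64FromDB string) (string, error) {
	// Line breaks left over from the PEM body are not part of the base64 payload.
	compact := strings.Join(strings.Fields(b64FromDB), "")
	der, err := base64.StdEncoding.DecodeString(compact)
	if err != nil {
		return "", fmt.Errorf("database value is not valid base64: %w", err)
	}
	// Refuse to serve anything that is not a well-formed X.509 certificate, so a
	// corrupt row fails loudly on the server instead of silently in the client.
	if _, err := x509.ParseCertificate(der); err != nil {
		return "", fmt.Errorf("decoded value is not a DER certificate: %w", err)
	}
	return string(der), nil
}

// isDERCertificate reports whether an attribute value, as it would go on the
// wire, parses as an X.509 certificate. DER starts with 0x30 (SEQUENCE);
// base64 text starts with letters that BER reads as APPLICATION-class tags.
func isDERCertificate(value string) bool {
	_, err := x509.ParseCertificate([]byte(value))
	return err == nil
}

// makeTestCertBase64 builds a throwaway self-signed certificate (constructed
// test data, not a real user's certificate) and returns it in the form the
// question stores in the database: PEM body lines with BEGIN/END stripped.
func makeTestCertBase64() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemText := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	var body []string
	for _, line := range strings.Split(pemText, "\n") {
		if line != "" && !strings.HasPrefix(line, "-----") {
			body = append(body, line)
		}
	}
	return strings.Join(body, "\n"), nil
}

func main() {
	b64, err := makeTestCertBase64()
	if err != nil {
		panic(err)
	}
	fmt.Println("base64 text parses as DER:", isDERCertificate(b64)) // false
	val, err := certAttributeValue(b64)
	if err != nil {
		panic(err)
	}
	fmt.Println("decoded value parses as DER:", isDERCertificate(val)) // true
	// What the question's attribute should receive (ldap.EntryAttribute is the
	// nmcclain/ldap type; shown as a comment so this file stays stdlib-only):
	//   &ldap.EntryAttribute{"userCertificate;binary", []string{val}}
}
```

Decoding at attribute-build time rather than storing raw bytes in the database keeps the existing text column, and the ParseCertificate check means a truncated or mis-encoded row is rejected before it can produce the kind of BER error seen in the capture.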