userSMIMECertificate;binary:: Not Allow?

This topic has 2 replies, 2 voices, and was last updated 3 years ago by yavis73.

  • #26564
     yavis73
    Participant

    Hi,
    I want to use inetorgperson to manage user entries.
    I want to enter a certificate and userSMIMECertificate using LDIF.
    The certificate attribute (userCertificate;binary::) is fine.

    But userSMIMECertificate (userSMIMECertificate;binary::) does not work (err = 17).
    message="Entry cn=Test01,dc=com can not be added because BER encoding of usersmimecertificate;binary attribute is not supported" etime=0

    RFC 2315 is supposed to use the ;binary option, but it doesn’t work as expected.

    What’s wrong?

    ForgeRock DS 6.5.2

    I tested with the following LDIF file; the LDIF is backed up in Sun DS 5.2.
    This is exactly the process by which I want to replace the Sun DS 5.2 server.
    This is a problem I found in a data migration.
    Should I remove and put the ;binary option?

    dn: cn=Test01,dc=com
    objectClass: top
    objectClass: inetOrgPerson
    cn: Test01
    sn: 001
    userCertificate;binary:: [base64-encoded certificate value omitted]
    userSMIMECertificate;binary:: [base64-encoded certificate value omitted]
    
    • This topic was modified 3 years ago by yavis73.
    #26567
     Chris Ridd
    Participant

    I can reproduce this. Attempting to add the entry results in:

    # The LDAP modify request failed: 17 (Undefined Attribute Type)
    # Additional Information:  Entry cn=test,dc=example,dc=com can not be added because BER encoding of userSMIMECertificate;binary attribute is not supported
    

    Removing the “;binary” from the attribute descriptions (keep the “::”!) works.

    I think the definition of the attribute in RFC 2798 is no longer compliant with LDAPv3. RFC 4517 removed the definition of the 1.3.6.1.4.1.1466.115.121.1.5 Binary syntax used by userSMIMECertificate. RFC 4517 Annex B:

    12. The Binary syntax has been removed because it was not adequately
    specified, implementations with different incompatible
    interpretations exist, and it was confused with the ;binary
    transfer encoding.

    We do not have a Binary syntax implementation in our code.

    If you need to keep using the “;binary” transfer encoding in your application, try changing the definition of the attribute to use the 1.3.6.1.4.1.1466.115.121.1.8 syntax. It wouldn’t be quite correct, but it may let you progress with your migration.

    • This reply was modified 3 years ago by Chris Ridd.
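
The workaround from the reply above (drop ";binary" from the attribute description, keep the "::" base64 marker) applied to a whole LDIF export, including folded continuation lines. This is an added example, not part of the original thread or ForgeRock code; the function names, the set of affected attributes and the sample entry value are assumptions constructed for illustration.

```python
import base64
import re

# Attributes whose ";binary" option is dropped. Assumption for this example:
# only userSMIMECertificate, the attribute rejected in the thread.
STRIP_BINARY_FOR = {"usersmimecertificate"}
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)((?:;[A-Za-z0-9-]+)*)(:.*)$")

def unfold(ldif_text):
    """Join continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def fold(line, width=76):
    """Split a long logical line; each continuation starts with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def strip_binary_option(ldif_text):
    """Drop ';binary' from selected attribute descriptions, keeping '::' values."""
    out = []
    for line in unfold(ldif_text):
        m = ATTR_LINE.match(line)
        if m and m.group(1).lower() in STRIP_BINARY_FOR:
            opts = [o for o in m.group(2).split(";") if o and o.lower() != "binary"]
            line = m.group(1) + "".join(";" + o for o in opts) + m.group(3)
        out.extend(fold(line))
    return "\n".join(out) + "\n"

# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_VALUE = b"\x30\x82\x01\x00" + bytes(range(150))
SAMPLE_B64 = base64.b64encode(SAMPLE_VALUE).decode()
SAMPLE_LDIF = "\n".join(
    ["dn: cn=Test01,dc=com", "objectClass: top", "objectClass: inetOrgPerson",
     "cn: Test01", "sn: 001"]
    + fold("userCertificate;binary:: " + SAMPLE_B64)
    + fold("userSMIMECertificate;binary:: " + SAMPLE_B64)
) + "\n"

if __name__ == "__main__":
    print(strip_binary_option(SAMPLE_LDIF), end="")
```

Only the attribute description changes; the base64 value is carried through byte for byte, and userCertificate;binary is left alone because the server accepts it.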
    #26584
     yavis73
    Participant

    Oh … Thank you for your answer.

    I would like to test it with your suggested method.

    Thank you again.
