How to add custom fields in UMC for Outlook detectable S/MIME public keys

Hi,

I successfully added a custom attribute using Domain → LDAP directory for user S/MIME certificates (attribute userSMIMECertificate). I used syntax class “Upload”. When issuing udm users/user help, it shows up in tab contact, group business as expected. But in UMC, the web GUI, it does not show up. When using syntax class “Base64Upload” I get an upload widget but I cannot remove uploaded certificates.

However, Outlook does not find the attribute when accessing the “LDAP” at port 389. I checked Samba’s LDAP using Apache Directory Service, and it showed no attribute userSMIMECertificate. So, I guess, after all it’s just the s4-connector not knowing how to sync an extended attribute.

What’s the current workaround for getting extended attributes from OpenLDAP to Samba 4 LDAP? Using Apache Directory Studio, I also found out that userSMIMECertificate and userCertificate require the objectClass inetOrgPerson. Users in OpenLDAP do have this objectClass while users in Samba do not. Is there a way to ensure schema conformity before synchronising attributes like userSMIMECertificate?

And while we are at this topic: Do I use userSMIMECertificate or userCertificate for publishing public keys? I didn’t get userCertificate to work as it requires ;binary parameter when modifying the entry and I don’t know how to tell UCS to do it this way.


Best regards from Hoppegarten-Hönow by Berlin
Masin Al-Dujaili

Well, nobody has been able to answer yet.

But here are some findings:

  1. Outlook queries both userCertificate;binary as well as userSMIMECertificate;binary, so I guess one of those will do.
  2. While querying the Samba AD requires only the login name, OpenLDAP requires the full DN of the user.
  3. Outlook is content with userCertificate;binary in LDAP. But the s4-connector seems to remove it on sync.
  4. Samba AD does not allow userCertificate;binary in user records because they are not of objectClass inetOrgPerson (or any other objectClass allowing this attribute); slapd user records already are of this objectClass.
  5. Manually adding the objectClass inetOrgPerson to user records in Samba AD doesn’t seem to have weird side effects.
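The findings above amount to a two-step change on the Samba AD side: add objectClass inetOrgPerson to the user entry, then add the certificate as userCertificate;binary. The script below is an added example (not code from the original post or from UCS) that builds that change as an RFC 2849 LDIF modify, ready to feed to ldbmodify or ldapmodify. Binary attribute values go into LDIF base64-encoded after a double colon, and long lines are folded with a leading space on continuation lines. It also includes a small sanity check that the blob really is DER (a leading SEQUENCE tag whose encoded length matches the blob size), because a PEM file uploaded by mistake is a common reason Outlook finds an attribute but cannot use it; a PEM-to-DER helper covers that case. The DN and the 5-byte "certificate" are constructed placeholders, not a real certificate.

```python
import base64
import re

# Constructed placeholder: a minimal DER SEQUENCE (containing INTEGER 5).
# It is NOT a certificate; it only stands in for the DER bytes a real one would have.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)
# Assumed DN; adjust to the real user entry.
SAMPLE_DN = "CN=jdoe,CN=Users,DC=example,DC=com"


def der_total_length(blob: bytes):
    """Return the total length a top-level DER SEQUENCE claims, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:  # 0x30 = SEQUENCE tag, start of every X.509 cert
        return None
    first = blob[1]
    if first < 0x80:                        # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def looks_like_der_cert(blob: bytes) -> bool:
    """True when the blob is a single, complete DER SEQUENCE (what ;binary expects)."""
    return der_total_length(blob) == len(blob)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a logical LDIF line; continuation lines start with one space (RFC 2849)."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def unfold_ldif(text: str) -> str:
    """Inverse of folding: join continuation lines back onto their logical line."""
    return text.replace("\n ", "")


def smime_publish_ldif(dn: str, der: bytes, attr: str = "userCertificate;binary") -> str:
    """Build the LDIF modify that adds inetOrgPerson and the DER cert to one entry."""
    if not looks_like_der_cert(der):
        raise ValueError("value is not a single DER SEQUENCE; convert PEM to DER first")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: inetOrgPerson",
        "-",
        f"add: {attr}",
        fold_ldif_line(f"{attr}:: {b64}"),   # '::' marks a base64-encoded value
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(smime_publish_ldif(SAMPLE_DN, pem_to_der(SAMPLE_PEM)))
```

Pipe the output into `ldbmodify -H /var/lib/samba/private/sam.ldb` on the DC (or `ldapmodify` against port 389 with suitable credentials) to apply it; whether the directory accepts the extra objectClass is decided by the server's schema, as the findings above describe for Samba AD. Swap `attr` for `userSMIMECertificate;binary` if you decide to publish under that attribute instead.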