Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fed-Talk] Keychain Access and "Search Directory Services for Certificates"?

On Oct 2, 2008, at 3:30 PM, Levine, Jason (NIH/NCI) [E] wrote:
Agreed — what I, and my NIH colleagues, don’t understand is if that wiring is to be done at our end or at Apple’s.  As far as we can tell, setting up our AD server as an LDAP directory service causes Keychain Access to query it — but we have no clue what attributes it’s looking for.  And whatever it’s doing, it’s not receiving replies that tell it that there are valid certs attached to the return objects, even though the userCertificate and userSMIMECertificate attributes are returned attached to those objects.

So is this something that we can fix at our end, or is this a bug/flaw/missing piece in the architecture of Keychain Access querying directory services for certs?  (And I have to ask: are there any directory services that Keychain Access can successfully query?  I’m excluding .Mac here, since that service is governed by its own preference check box — I’m talking about directory services that are included by virtue of the “Search Directory Services for Certificates” checkbox being selected.)

Jason

Jason,

By design, the “Search Directory Services for Certificates” will attempt to pull certs from any LDAP Accessible server configured on the Mac by way of the userCertificate and userSMIMECertificate attributes as you noted.  Currently, there is an outstanding regression that is blocking the successful gathering/parsing of those certificates for use by services like Mail (for S/MIME).  This is a regression in the LDAP DL (Data Library) component (/System/Library/Security/ldapdl.bundle) which would require a fix on Apple's end.  There is no tweaking you can do on your end to make this work against any other server right now unfortunately.  Enhancements would also need to be made to extend this to every DS type supported by Mac OS X.

- Shawn
_____________________________________________________
Shawn Geddis    Security Consulting Engineer    Apple Enterprise

Attachment: smime.p7s
Description: S/MIME cryptographic signature

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/fed-talk/email@hidden

This email sent to email@hidden
References: 
 >Re: [Fed-Talk] Keychain Access and "Search Directory Services for Certificates"? (From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.