[Fed-Talk] Keychain Access and "Search Directory Services for Certificates"?
- Subject: [Fed-Talk] Keychain Access and "Search Directory Services for Certificates"?
- From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
- Date: Thu, 2 Oct 2008 13:19:27 -0400
- Thread-topic: Keychain Access and "Search Directory Services for Certificates"?
This morning, someone here at the NIH noticed the pref in Keychain Access to
"Search Directory Services for Certificates", and sparked an internal
conversation that has left us all scratching our heads for *any* idea of how
this works. Can anyone shed light on exactly how Keychain Access uses
configured directory services for cert lookups?
A few bits of data from our internal conversations:
1. Checking this preference adds a new keychain to the list, "Directory
Services", that is locked and that is unable to be unlocked -- clicking the
lock does nothing. I'm unclear if this is meaningful at all, but throw it
out there.
2. When a user types a search into the search field in Keychain Access, a
query is sent out to any and all directory services (as configured in
Directory Utility) for that search string. In my own testing, this includes
our NIH Active Directory server which is configured on my test machine as an
LDAP service (rather than as an Active Directory server).
3. When the LDAP query takes place, the "correct" objects are returned --
e.g., searching for my username returns my AD object -- and this includes
the attributes "userSMIMECertificate" and "userCertificate". But this
appears not to matter; Keychain Access either finds these attributes not to
its liking or is looking for some *other* attributes, because that object
and those certs never show up in the search return. (This was all verified
via packet sniffing on the wire, and decoding the LDAP queries and replies.)
Any thoughts? Is there *any* documentation available about this?
Jason
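Item 3 above reports that the directory returns userCertificate and userSMIMECertificate values which the client then ignores. As an added example (not from the original post, and not Apple's or Keychain Access's code), the script below is a first triage step over the raw attribute values an LDAP client hands back: it checks that each value has the DER framing an X.509 certificate must have (one SEQUENCE spanning the whole value, opening with the tbsCertificate SEQUENCE) and flags values stored as PEM text or cut short, since a binary-only consumer would silently drop those. The sample values are constructed and are not real certificates; only their outer framing is meaningful.

```python
def der_tlv(buf: bytes, pos: int = 0):
    """Decode the DER tag/length at pos; return (tag, start, end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None  # indefinite or oversized length is not DER
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None  # value cut short
    return tag, pos, pos + length

def classify(value: bytes) -> str:
    """One attribute value -> 'der', 'pem-text', 'truncated' or 'not-der'."""
    if value.lstrip().startswith(b"-----BEGIN"):
        return "pem-text"
    outer = der_tlv(value)
    if outer is None:
        return "truncated" if value[:1] == b"\x30" else "not-der"
    tag, start, end = outer
    if tag != 0x30 or end != len(value):
        return "not-der"  # not a single SEQUENCE spanning the whole value
    inner = der_tlv(value, start)
    return "der" if inner and inner[0] == 0x30 else "not-der"

def seq(content: bytes) -> bytes:
    # Wrap content in a DER SEQUENCE; used only to build the constructed samples.
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    size = (n.bit_length() + 7) // 8
    return b"\x30" + bytes([0x80 | size]) + n.to_bytes(size, "big") + content

# Constructed stand-ins for values an LDAP client might return; none is a real certificate.
SAMPLE_VALUES = [
    ("userCertificate (binary, well framed)", seq(seq(b"\x02\x01\x05" + b"\x05\x00" * 70) + b"\x05\x00")),
    ("userSMIMECertificate (PEM text)", b"-----BEGIN CERTIFICATE-----\nMIIBxx\n-----END CERTIFICATE-----\n"),
    ("userCertificate (cut short)", seq(b"\x05\x00" * 10)[:-4]),
    ("mail (not a certificate at all)", b"user@example.test"),
]

def triage(values=SAMPLE_VALUES) -> dict:
    """Map each attribute label to its classification."""
    return {label: classify(v) for label, v in values}
```

A value classified as "der" still has to be parsed and chain-validated by whatever consumes it; this check only rules out the storage-format mismatches that make a client discard the attribute before it ever reaches that stage.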