On Mon, Jan 21, 2013 at 01:59:14PM +0200, Eren Türkay wrote:
I debugged the problem using the network analyzer and realized that Outlook 2011 requests awkward attribute names suffixed with the word ';binary'. When searching, it requests these attributes below along with standard ones:
- userSMIMECertificate;binary
- userCertificate;binary
- thumbnailPhoto;binary
- jpegPhoto;binary
Since these attributes are not present in my tree (though I have 'normal' ones without a suffix), they are not sent to outlook client so photos are not shown.
The ';binary' part is an attribute option: see section 2.5 of RFC4512 for the general syntax, and RFC4522 for more detail on the 'binary' option. It basically means that the value should be transferred in X.500 BER encoding rather than an LDAP-specific encoding.
RFC4522 notes that there are known inconsistencies in deployed implementations of the binary option, and it makes no attempt to resolve them. This suggests that it could be difficult to use the option reliably.
RFC4512 says:
An attribute description with an unrecognized attribute type is to be treated as unrecognized. Servers SHALL treat an attribute description with an unrecognized attribute option as unrecognized.
... so 'binary' being not recognised is just like 'jpegPhoto' being not recognised.
I suspect that 'binary' *is* recognised, just not in combination with all of those attributes:
userCertificate MUST be requested and transferred with the binary option (RFC4523).
userSMIMECertificate must also use binary (RFC2798)
jpegPhoto has syntax 1.3.6.1.4.1.1466.115.121.1.28 which is an LDAP specific wrapper for the JPEG File Interchange Format. There is no standardised X.500 encoding for this, so it is likely that most LDAP servers would treat 'jpegPhoto;binary' as unrecognised.
thumbnailPhoto is a Microsoft-defined attribute so you would need to find their definition document to work out what is allowed.
I, then, tried to change my compatibility schema to use 'thumbnailPhoto;binary', but I got an error stating that the attribute name is not valid. OpenLDAP does not seem to accept ';' character in attribute names.
Quite right too. ';' introduces the attribute options. You cannot use it in the name of an attribute type.
Probably, AD accepts the ';' character in attribute names and Outlook 2011 works with AD. Apart from not seeing photos, you cannot send encrypted e-mail using Outlook because you cannot send a user certificate with OpenLDAP (';binary' suffix). So, if you try to use current OpenLDAP with Outlook, you will miss 2 features, encryption and photos. I'm not sure if the ';binary' suffix is done on purpose to make it harder for other LDAP servers to work with Outlook.
It is correct on these two:
- userSMIMECertificate;binary
- userCertificate;binary
... and probably a coding error on these:
- thumbnailPhoto;binary
- jpegPhoto;binary
I suspect AD does not check the attribute options very carefully in this case (or maybe it has the same coding error).
Is there any workaround for it? Being able to include ';' in attribute name will probably fix the problem but I don't know if ';' is acceptable in LDAP standard.
I have not tested with certificates stored in OpenLDAP but from reading the standards I would expect the above usage to work.
The binary options on the photos are simply wrong, so not sure what to suggest here. Can you persuade Outlook to request those attributes without the binary option? I know Outlook does have some options that you can set for what gets requested.
Andrew
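The RFC4512 section 2.5 syntax and the "unrecognised type or unrecognised option" rule discussed above, worked through as an added example by the editor (not code from the thread, from OpenLDAP, or from Outlook). The parser follows the ABNF in RFC4512 (attribute type names are keystrings or numeric OIDs, options are case-insensitive and introduced by ';'); the BINARY_POLICY table is a constructed stand-in for a server's schema knowledge, with userCertificate and userSMIMECertificate taken from RFC4523/RFC2798 and jpegPhoto from the syntax argument in the reply. Treating thumbnailPhoto like jpegPhoto is an assumption, since the thread notes its Microsoft definition was not checked.

```python
import re
from dataclasses import dataclass

# RFC 4512 section 2.5:
#   attributedescription = attributetype options
#   options              = *( SEMI option )
#   option               = 1*keychar
# attributetype is an oid: a descr (keystring) or a numericoid.
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMERICOID = r"[0-9]+(?:\.[0-9]+)*"
_OPTION = r"[A-Za-z0-9-]+"
_ATTR_DESC_RE = re.compile(rf"^({_DESCR}|{_NUMERICOID})((?:;{_OPTION})*)$")
_TYPE_NAME_RE = re.compile(rf"^(?:{_DESCR}|{_NUMERICOID})$")


@dataclass(frozen=True)
class AttributeDescription:
    attr_type: str        # lower-cased: attribute type names are case-insensitive
    options: frozenset    # lower-cased option names, e.g. {"binary"}


def parse_attribute_description(text: str) -> AttributeDescription:
    """Split 'type;opt1;opt2' into its type and option set, rejecting malformed input."""
    m = _ATTR_DESC_RE.match(text)
    if not m:
        raise ValueError(f"invalid attribute description: {text!r}")
    attr_type, opts = m.group(1), m.group(2)
    options = frozenset(o.lower() for o in opts.split(";") if o)
    return AttributeDescription(attr_type.lower(), options)


def is_valid_attribute_type_name(name: str) -> bool:
    """True only for names a schema may define; ';' can never be part of a type name."""
    return bool(_TYPE_NAME_RE.match(name))


# Constructed policy table standing in for server schema knowledge (assumption).
# "allowed": the syntax has an X.500 BER form, so ';binary' is meaningful
#            (RFC 4523 userCertificate, RFC 2798 userSMIMECertificate; clients
#            are in fact required to request these with ';binary').
# "not-allowed": LDAP-specific syntax with no standardised X.500 encoding,
#            so 'type;binary' is treated as unrecognised (jpegPhoto; thumbnailPhoto
#            is assumed to behave the same way here).
BINARY_POLICY = {
    "usercertificate": "allowed",
    "usersmimecertificate": "allowed",
    "jpegphoto": "not-allowed",
    "thumbnailphoto": "not-allowed",
    "cn": "not-allowed",
    "mail": "not-allowed",
}

KNOWN_OPTIONS = {"binary"}   # language tags (lang-*) are accepted generically below


def is_recognized(desc: AttributeDescription) -> bool:
    """RFC 4512: an unrecognised type, or any unrecognised option, makes the whole
    description unrecognised, and the server returns nothing for it."""
    policy = BINARY_POLICY.get(desc.attr_type)
    if policy is None:
        return False
    for opt in desc.options:
        if opt.startswith("lang-"):
            continue
        if opt not in KNOWN_OPTIONS:
            return False
    if "binary" in desc.options and policy == "not-allowed":
        # 'binary' itself is known, but not in combination with this attribute type
        return False
    return True


def classify_request(requested):
    """Map each requested attribute description to whether the server would honour it."""
    return {a: is_recognized(parse_attribute_description(a)) for a in requested}


# Constructed sample: the list Outlook 2011 was observed to request in the thread,
# plus two plain (option-less) names for comparison.
OUTLOOK_REQUEST = [
    "userSMIMECertificate;binary",
    "userCertificate;binary",
    "thumbnailPhoto;binary",
    "jpegPhoto;binary",
    "jpegPhoto",
    "cn",
]

if __name__ == "__main__":
    for attr, ok in classify_request(OUTLOOK_REQUEST).items():
        print(f"{attr:32s} {'returned' if ok else 'unrecognised, omitted'}")
    print("thumbnailPhoto;binary as a schema name:",
          is_valid_attribute_type_name("thumbnailPhoto;binary"))
```

Running it shows the split the reply describes: the two certificate attributes survive with `;binary`, the two photo attributes do not, and the plain `jpegPhoto` would have been answered. The last line reproduces the OpenLDAP schema error from the other direction: `thumbnailPhoto;binary` fails the type-name grammar because `;` is reserved for options.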