[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Microsoft Outlook (2011) jpegPhoto and thumbnailPhoto Suffixed With ';binary'
On Mon, Jan 21, 2013 at 01:59:14PM +0200, Eren Türkay wrote:
> I debugged the problem using the network analyzer and realized that
> Outlook 2011 requests awkward attribute names suffixed with the word
> ';binary'. When searching, it requests these attributes below along with
> standard ones:
>
> - userSMIMECertificate;binary
> - userCertificate;binary
> - thumbnailPhoto;binary
> - jpegPhoto;binary
>
> Since these attributes are not present in my tree (though I have
> 'normal' ones without a suffix), they are not sent to outlook client so
> photos are not shown.
The ';binary' part is an attribute option: see section 2.5 of
RFC4512 for the general syntax, and RFC4522 for more detail on
the 'binary' option. It basically means that the value should
be transferred in X.500 BER encoding rather than an
LDAP-specific encoding.
RFC4522 notes that there are known inconsistencies in deployed
implementations of the binary option, and it make no attempt to
resolve them. This suggests that it could be difficult to use
the option reliably.
RFC4512 says:
An attribute description with an unrecognized attribute type is to be
treated as unrecognized. Servers SHALL treat an attribute
description with an unrecognized attribute option as unrecognized.
... so 'binary' being not recognised is just like 'jpegPhoto'
being not recognised.
I suspect that 'binary' *is* recognised, just not in combination with
all of those attributes:
userCertificate MUST be requested and transferred with the
binary option (RFC4523).
userSMIMECertificate must also use binary (RFC2798)
jpegPhoto has syntax 1.3.6.1.4.1.1466.115.121.1.28 which is an
LDAP specific wrapper for the JPEG File Interchange Format.
There is no standardised X.500 encoding for this, so it is
likely that most LDAP servers would treat 'jpegPhoto;binary' as
unrecognised.
thumbnailPhoto is a Microsoft-defined attribute so you would
need to find their definition document to work out what is
allowed.
> I, then, tried to change my compatibility schema to use
> 'thumbnailPhoto;binary', but I got an error stating that the attribute
> name is not valid. OpenLDAP does not seem to accept ';' character in
> attribute names.
Quite right too. ';' introduces the attribute options. You
cannot use it in the name of an attribute type.
> Probably, AD accepts ';' character in attribute names and outlook 2011
> works with AD. Apart from not seeing photos, you cannot send encrypted
> e-mail using outlook because you cannot send a user certificate with
> openldap (';binary' suffix). So, if you try to use current openldap with
> outlook, you will miss 2 features, encryption on photos. I'm not sure if
> ';binary' suffix is done on purpose to make other LDAP
> servers work with outlook harder.
It is correct on these two:
- userSMIMECertificate;binary
- userCertificate;binary
... and probably a coding error on these:
- thumbnailPhoto;binary
- jpegPhoto;binary
I suspect AD does not check the attribute options very
carefully in this case (or maybe it has the same coding error).
> Is there any workaround for it? Being able to include ';' in attribute
> name will probably fix the problem but I don't know if ';' is acceptable
> in LDAP standard.
I have not tested with certificates stored in OpenLDAP but from
reading the standards I would expect the above usage to work.
The binary options on the photos are simply wrong, so not sure
what to suggest here. Can you persuade Outlook to request those
attributes without the binary option? I know Outlook does have
some options that you can set for what gets requested.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------