External LDAP SMIME public key search from Outlook for iOS fails with NoSuchObject

The Outlook for iOS documentation appears to indicate that an external LDAP address can be configured to search for SMIME public key certificates: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/smime-outlook-for-ios-and-android#ldap-support-for-certificate-lookup

We have an external LDAP directory that works perfectly with the Outlook for Windows client as well as with MaaS360's iOS email client. When we try to specify the same directory using an Intune app configuration policy, we can see the directory in Outlook for iOS, but attempting to send an encrypted email fails with "Invalid recipient detected", so Outlook for iOS is apparently unable to return the correct public key for the recipient.

Digging into the Outlook for iOS service API logs, it looks like the bind succeeds, but the search fails with "NoSuchObject". Any ideas why this doesn't work?

<request>
  <AccountId>4352</AccountId>
  <LogTime>2023-09-21T00:48:00.875Z</LogTime>
  <RequestId>16589</RequestId>
  <RequestGuid>{992A7273-570B-F944-B00C-EAD372D5979F}</RequestGuid>
  <CommandId>LdapSearch</CommandId>
  <Tag>hx_8zv05k</Tag>
  <Username></Username>
  <Server>fakedirectory.contoso.com</Server>
  <Port>636</Port>
  <SslScheme>SecureFromStart</SslScheme>
  <Content>
    <BindRequest>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>1</MessageId>
      <LdapProtocolOp>BindRequest</LdapProtocolOp>
      <LdapVersion>3</LdapVersion>
      <Username></Username>
      <AuthenticationChoice>Simple</AuthenticationChoice>
    </BindRequest>
    <BindResponse>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>1</MessageId>
      <LdapProtocolOp>BindResponse</LdapProtocolOp>
      <LdapResult>
        <LdapResultCode>Success</LdapResultCode>
        <MatchedDN>Pii</MatchedDN>
        <DiagnosticMessage></DiagnosticMessage>
        <Referrals />
      </LdapResult>
    </BindResponse>
    <BindRequest>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>2</MessageId>
      <LdapProtocolOp>BindRequest</LdapProtocolOp>
      <LdapVersion>3</LdapVersion>
      <Username></Username>
      <AuthenticationChoice>Simple</AuthenticationChoice>
    </BindRequest>
    <BindResponse>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>2</MessageId>
      <LdapProtocolOp>BindResponse</LdapProtocolOp>
      <LdapResult>
        <LdapResultCode>Success</LdapResultCode>
        <MatchedDN>Pii</MatchedDN>
        <DiagnosticMessage></DiagnosticMessage>
        <Referrals />
      </LdapResult>
    </BindResponse>
    <SearchRequest>
      <Tag>4246338630</Tag>
      <RequestId>16589</RequestId>
      <MessageId>3</MessageId>
      <LdapProtocolOp>SearchRequest</LdapProtocolOp>
      <BaseObject>Pii</BaseObject>
      <Scope>WholeSubtree</Scope>
      <DerefAliases>DerefAlways</DerefAliases>
      <SizeLimit>0</SizeLimit>
      <TimeLimit>30</TimeLimit>
      <TypesOnly>0</TypesOnly>
      <Or>
        <EqualityMatch>
          <AttributeDescription>mail</AttributeDescription>
          <AssertionValue>Pii</AssertionValue>
        </EqualityMatch>
        <EqualityMatch>
          <AttributeDescription>rfc822Mailbox</AttributeDescription>
          <AssertionValue>Pii</AssertionValue>
        </EqualityMatch>
        <EqualityMatch>
          <AttributeDescription>mailNickName</AttributeDescription>
          <AssertionValue>Pii</AssertionValue>
        </EqualityMatch>
        <EqualityMatch>
          <AttributeDescription>sAMAccountName</AttributeDescription>
          <AssertionValue>Pii</AssertionValue>
        </EqualityMatch>
        <EqualityMatch>
          <AttributeDescription>proxyAddresses</AttributeDescription>
          <AssertionValue>Pii</AssertionValue>
        </EqualityMatch>
      </Or>
      <AttributeValues>
        <AttributeValue>Pii</AttributeValue>
        <AttributeValue>Pii</AttributeValue>
        <AttributeValue>Pii</AttributeValue>
        <AttributeValue>Pii</AttributeValue>
        <AttributeValue>Pii</AttributeValue>
        <AttributeValue>Pii</AttributeValue>
      </AttributeValues>
    </SearchRequest>
    <SearchResultDoneResponse>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>3</MessageId>
      <LdapProtocolOp>SearchResultDoneResponse</LdapProtocolOp>
      <LdapResult>
        <LdapResultCode>NoSuchObject</LdapResultCode>
        <MatchedDN>Pii</MatchedDN>
        <DiagnosticMessage></DiagnosticMessage>
        <Referrals />
      </LdapResult>
    </SearchResultDoneResponse>
    <LdapMessage>
      <Tag>808464432</Tag>
      <RequestId>0</RequestId>
      <MessageId>4</MessageId>
      <LdapProtocolOp>UnbindRequest</LdapProtocolOp>
    </LdapMessage>
  </Content>
  <Duration>315 msecs</Duration>
  <QuitTag>7bwka</QuitTag>
  <EndTag>c7n0o</EndTag>
  <StatusCode>NoSuchObject</StatusCode>
  <DisconnectReason>ServerClosed</DisconnectReason>
</request>

Answer 1

A search query whose filter matches nothing still returns Success, even when there are no results.

NoSuchObject, on the other hand, means the search base does not exist: <BaseObject> points to a non-existent entry, so there is nowhere to search at all. (The <MatchedDN> in the response will include the part of the DN that did match.)

Since the actual values have been filtered out, you will need to check the LDAP server's logs to determine which base DN was submitted.
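The Success-with-no-results versus NoSuchObject distinction from the answer above can be checked mechanically against the log format shown in the question. The following is an added example, not code from the question, the answer or Microsoft; it parses a constructed, abbreviated copy of the log and assumes that any returned entries would be logged as SearchResultEntry elements.

```python
import xml.etree.ElementTree as ET
# Constructed, abbreviated copy of an Outlook for iOS LdapSearch service log
# (values are masked as "Pii", as in the real log).
SAMPLE_LOG = """<request>
  <Server>fakedirectory.contoso.com</Server><Port>636</Port>
  <Content>
    <BindResponse><MessageId>1</MessageId>
      <LdapResult><LdapResultCode>Success</LdapResultCode></LdapResult></BindResponse>
    <SearchRequest><MessageId>2</MessageId><BaseObject>Pii</BaseObject><Scope>WholeSubtree</Scope>
      <Or>
        <EqualityMatch><AttributeDescription>mail</AttributeDescription><AssertionValue>Pii</AssertionValue></EqualityMatch>
        <EqualityMatch><AttributeDescription>proxyAddresses</AttributeDescription><AssertionValue>Pii</AssertionValue></EqualityMatch>
      </Or>
    </SearchRequest>
    <SearchResultDoneResponse><MessageId>2</MessageId>
      <LdapResult><LdapResultCode>NoSuchObject</LdapResultCode><MatchedDN>Pii</MatchedDN></LdapResult>
    </SearchResultDoneResponse>
  </Content>
</request>"""

# What each search outcome means for the S/MIME certificate lookup.
DIAGNOSIS = {
    ("Success", True): "filter matched entries; inspect the returned certificate attribute",
    ("Success", False): "base DN exists but the filter matched nothing; check the mail attributes in the directory",
    ("NoSuchObject", False): "base DN does not exist on this server; compare BaseObject with MatchedDN "
                             "and fix the search base in the app configuration policy",
}

def analyse(log_xml: str) -> dict:
    # Summarise bind result, search base, filter and outcome from one LdapSearch log entry.
    root = ET.fromstring(log_xml)
    content = root.find("Content")
    bind_codes = [b.findtext("LdapResult/LdapResultCode") for b in content.findall("BindResponse")]
    search = content.find("SearchRequest")
    terms = [(m.findtext("AttributeDescription"), m.findtext("AssertionValue")) for m in search.iter("EqualityMatch")]
    code = content.find("SearchResultDoneResponse").findtext("LdapResult/LdapResultCode")
    # Assumption: returned entries would be logged as SearchResultEntry elements (none in the page's log).
    got_entries = content.find("SearchResultEntry") is not None
    return {
        "server": f'{root.findtext("Server")}:{root.findtext("Port")}',
        "bind_ok": bool(bind_codes) and all(c == "Success" for c in bind_codes),
        "base_dn": search.findtext("BaseObject"),
        "filter": "(|" + "".join(f"({a}={v})" for a, v in terms) + ")",
        "search_code": code,
        "diagnosis": DIAGNOSIS.get((code, got_entries), f"unexpected result code {code}"),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real log entry to see at a glance whether the bind, the base DN or the filter is the failing step before going to the LDAP server's own logs for the unmasked base DN.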
