Outlook for iOS 文档似乎表明可以配置外部 LDAP 地址来搜索 SMIME 公钥证书:https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/smime-outlook-for-ios-and-android#ldap-support-for-certificate-lookup
我们有一个外部 LDAP 目录,它可以在 Outlook for Windows 客户端以及 MaaS360 的 iOS 电子邮件客户端中完美运行。当我们尝试使用 Intune 应用配置策略指定同一个目录时,我们可以在 Outlook for iOS 中看到该目录,但尝试发送加密电子邮件失败,并显示“检测到无效收件人”,因此 Outlook for iOS 显然无法为收件人返回正确的公钥。
深入研究 Outlook for iOS 服务 API 日志,看起来绑定成功,但搜索失败并返回“NoSuchObject”,有什么想法为什么这不起作用吗?
<request>
<AccountId>4352</AccountId>
<LogTime>2023-09-21T00:48:00.875Z</LogTime>
<RequestId>16589</RequestId>
<RequestGuid>{992A7273-570B-F944-B00C-EAD372D5979F}</RequestGuid>
<CommandId>LdapSearch</CommandId>
<Tag>hx_8zv05k</Tag>
<Username></Username>
<Server>fakedirectory.contoso.com</Server>
<Port>636</Port>
<SslScheme>SecureFromStart</SslScheme>
<Content>
<BindRequest>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>1</MessageId>
<LdapProtocolOp>BindRequest</LdapProtocolOp>
<LdapVersion>3</LdapVersion>
<Username></Username>
<AuthenticationChoice>Simple</AuthenticationChoice>
</BindRequest>
<BindResponse>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>1</MessageId>
<LdapProtocolOp>BindResponse</LdapProtocolOp>
<LdapResult>
<LdapResultCode>Success</LdapResultCode>
<MatchedDN>Pii</MatchedDN>
<DiagnosticMessage></DiagnosticMessage>
<Referrals />
</LdapResult>
</BindResponse>
<BindRequest>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>2</MessageId>
<LdapProtocolOp>BindRequest</LdapProtocolOp>
<LdapVersion>3</LdapVersion>
<Username></Username>
<AuthenticationChoice>Simple</AuthenticationChoice>
</BindRequest>
<BindResponse>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>2</MessageId>
<LdapProtocolOp>BindResponse</LdapProtocolOp>
<LdapResult>
<LdapResultCode>Success</LdapResultCode>
<MatchedDN>Pii</MatchedDN>
<DiagnosticMessage></DiagnosticMessage>
<Referrals />
</LdapResult>
</BindResponse>
<SearchRequest>
<Tag>4246338630</Tag>
<RequestId>16589</RequestId>
<MessageId>3</MessageId>
<LdapProtocolOp>SearchRequest</LdapProtocolOp>
<BaseObject>Pii</BaseObject>
<Scope>WholeSubtree</Scope>
<DerefAliases>DerefAlways</DerefAliases>
<SizeLimit>0</SizeLimit>
<TimeLimit>30</TimeLimit>
<TypesOnly>0</TypesOnly>
<Or>
<EqualityMatch>
<AttributeDescription>mail</AttributeDescription>
<AssertionValue>Pii</AssertionValue>
</EqualityMatch>
<EqualityMatch>
<AttributeDescription>rfc822Mailbox</AttributeDescription>
<AssertionValue>Pii</AssertionValue>
</EqualityMatch>
<EqualityMatch>
<AttributeDescription>mailNickName</AttributeDescription>
<AssertionValue>Pii</AssertionValue>
</EqualityMatch>
<EqualityMatch>
<AttributeDescription>sAMAccountName</AttributeDescription>
<AssertionValue>Pii</AssertionValue>
</EqualityMatch>
<EqualityMatch>
<AttributeDescription>proxyAddresses</AttributeDescription>
<AssertionValue>Pii</AssertionValue>
</EqualityMatch>
</Or>
<AttributeValues>
<AttributeValue>Pii</AttributeValue>
<AttributeValue>Pii</AttributeValue>
<AttributeValue>Pii</AttributeValue>
<AttributeValue>Pii</AttributeValue>
<AttributeValue>Pii</AttributeValue>
<AttributeValue>Pii</AttributeValue>
</AttributeValues>
</SearchRequest>
<SearchResultDoneResponse>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>3</MessageId>
<LdapProtocolOp>SearchResultDoneResponse</LdapProtocolOp>
<LdapResult>
<LdapResultCode>NoSuchObject</LdapResultCode>
<MatchedDN>Pii</MatchedDN>
<DiagnosticMessage></DiagnosticMessage>
<Referrals />
</LdapResult>
</SearchResultDoneResponse>
<LdapMessage>
<Tag>808464432</Tag>
<RequestId>0</RequestId>
<MessageId>4</MessageId>
<LdapProtocolOp>UnbindRequest</LdapProtocolOp>
</LdapMessage>
</Content>
<Duration>315 msecs</Duration>
<QuitTag>7bwka</QuitTag>
<EndTag>c7n0o</EndTag>
<StatusCode>NoSuchObject</StatusCode>
<DisconnectReason>ServerClosed</DisconnectReason>
</request>
答案1
Success即使没有任何结果,过滤器不匹配任何内容的搜索查询仍会返回。
NoSuchObject另一方面,这意味着搜索根据不存在——<BaseObject>指向一个不存在的条目,因此根本无处可寻。(响应的<MatchedDN>将包括 DN 的一部分,即做过匹配。)
由于实际值已被过滤掉,您需要检查 LDAP 服务器的日志来确定提交了哪个基本 DN。