Adding certificate in userSMIMECertificate attribute of inetOrgPerson

Question

I'm going to publish a certificate for my email using LDAP. I already have a LDAP up and running (AD LDS) on windows 2012. I'm going to add records using ldif file.

Here its contents

dc: dc=mysubdomain,dc=mydomain,dc=com

dn: dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: domain
dc: mydomain
dc: mysubdomain
description: Some root stuff

dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates

dn: [email protected],ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: [email protected]
userSMIMECertificate: #<What to put?>

I'm stuck in compiling my ldif file. As I understand, I need to put some binary encoded in Base64 with some prefix {CERT} or something.

My questions are

1. Will this ldif file make modifications into the directory?
2. Do I have problems except userSMIMECertificate field?
   • For example I'm using dc twice in the domain object, is it ok?
   • Am I missing some other important line?
3. What is exact syntax of putting certificate content in the userSMIMECertificate? (I've made a search, but could not find the examples)

Answer 1

Here is your LDIF with the appropriate changes:

dn: dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: domain
dc: mysubdomain
description: Some root stuff

dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates
description: Provide some descriptive text here.

dn: [email protected],ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: [email protected]
userSMIMECertificate: file:///path-cert-file

Answer 2

As a useful supplement to the existing answer from Terry Gardner

To avoid that your ldif depends on an external file, you might want to specify the userSMIMECertificate in such a way:

userSMIMECertificate:: Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsKCWZpbGVuY
 W1lPXNtaW1lLnA3cwpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3BrY3M3LXNpZ25hdHVyZTsK
[...]

This is basically the base64-encoded file contents.

In order to get rid of file dependencies, it's easiest to import the ldif with the file dependencies, then export the object to a new ldif. The export should create above format.