TLS cant connect ldap+freeradius+novell

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jul 19 16:06:46 CEST 2007


Hi.

Martin G wrote:
> Hello!
> 
> I'm new to both this mailing list and to novell/linux/ldap/freeradius, but I've 
> tried my best to install a radius/ldap linux server to pass on 
> radius requests from an Aruba controller to our novell server.
> 
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
> 
> I've tried to change tls_mode, port and tls_start on and off a couple of times 
> without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x 
> -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> I receive "TLS: hostname does not match CN in peer certificate".

At least this means that your ldap server understands STARTTLS on the
standard ldap port.

So in FreeRADIUS ldap config section you should *not* set port and tls_mode
options at all.

You should set start_tls=yes though.



As for the ldap server certificate name mismatch

> So I have some thoughts about the certificate, but I've exported the 
> self-signed novell certificate from the novell server and verified it. But I'm 
> not sure how to use a "client certificate" on the linux box.
> 
> When I use "freeradius -XXX -A" on the linux server and I try to do a 
> radius request, the aruba gets a timeout and the linux server gives me the 
> following log:

Now for the certificates. Since your ldap server is using a server
certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client
authentication to authenticate the FreeRADIUS server (acting as ldap client)
at the ldap server.

Hence don't set tls_certfile and tls_keyfile options.

Either use the tls_cacertfile xor the tls_cacertdir option.

If using the former, put the whole CA certificate chain validating the ldap
server's certificate, in PEM format, into the file named by this option.
Concatenate the CA certs into that file.

If using the latter, put all CA certs of the chain validating the ldap
server's certificate in PEM format with a .pem file extension into that
directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital.
c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system, or the one
of the user running FreeRADIUS, is being used. That is ~/.ldap.conf or, system
wide, something like /etc/openldap/ldap.conf or whatever fits your FS layout
and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
file. Debugging output is to be found in files configured by syslogd more
than likely in /var/log/messages or similar.

HTH & good luck

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
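The following is an added example, not code from the mailing list post and not part of FreeRADIUS itself. It parses a FreeRADIUS 1.x-style `ldap { ... }` module section and checks it against the advice given in the reply above: start_tls set to yes, no port or tls_mode when STARTTLS runs on the standard port, exactly one of tls_cacertfile / tls_cacertdir so the server certificate can actually be validated, and no tls_certfile / tls_keyfile when the bind uses identity and password. The option names are the ones named in the reply; the two sample sections, the identity DN and the file paths are constructed for illustration, and the parser is a deliberately small one for flat sections (it is not FreeRADIUS's own configuration parser).

```python
"""Lint the ldap {} section of a FreeRADIUS config for STARTTLS trust mistakes.

Added example; the rules mirror the mailing list reply, the samples are constructed.
"""
import re

# Constructed sample: the kind of section the original poster described, with
# port and tls_mode set, no CA trust configured and unneeded client cert options.
SAMPLE_BAD = """
ldap {
    server = "10.10.0.11"
    identity = "cn=admin,o=wifi"          # constructed bind DN
    password = secret
    basedn = "ou=adm,ou=malmo,o=wifi"
    port = 636
    tls_mode = yes
    tls_certfile = /etc/raddb/certs/client.pem
    tls_keyfile = /etc/raddb/certs/client.key
}
"""

# Constructed sample following the reply: STARTTLS on the default port and a
# concatenated PEM chain of the CA certs that issued the ldap server certificate.
SAMPLE_GOOD = """
ldap {
    server = "10.10.0.11"
    identity = "cn=admin,o=wifi"          # constructed bind DN
    password = secret
    basedn = "ou=adm,ou=malmo,o=wifi"
    start_tls = yes
    # all CA certs of the chain, PEM, concatenated into one file (assumed path)
    tls_cacertfile = /etc/raddb/certs/ldap-ca-chain.pem
}
"""


def parse_ldap_section(text):
    """Return the key/value pairs found directly inside the top-level ldap { } block.

    Comments start at '#', values may be quoted, nested sub-blocks are skipped.
    """
    in_block = False
    depth = 0
    result = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # naive: no '#' inside quoted values
        if not line:
            continue
        if not in_block:
            if re.match(r'^ldap\s*\{$', line):
                in_block = True
                depth = 1
            continue
        if line.endswith('{'):                # nested section: track depth, ignore
            depth += 1
            continue
        if line == '}':
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue
        m = re.match(r'^(\w+)\s*=\s*(.*)$', line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
                value = value[1:-1]
            result[key] = value
    if not in_block:
        raise ValueError('no ldap { ... } section found')
    return result


def lint_ldap_section(cfg):
    """Return a list of findings; an empty list means the section follows the advice."""
    findings = []
    if cfg.get('start_tls', 'no').lower() != 'yes':
        findings.append('start_tls is not "yes": the bind credentials go over the wire in cleartext')
    for key in ('port', 'tls_mode'):
        if key in cfg:
            findings.append(f'{key} is set: with STARTTLS on the standard ldap port, leave it unset')
    has_file = 'tls_cacertfile' in cfg
    has_dir = 'tls_cacertdir' in cfg
    if not (has_file or has_dir):
        findings.append('neither tls_cacertfile nor tls_cacertdir is set: the server '
                        'certificate cannot be validated against a trusted CA')
    if has_file and has_dir:
        findings.append('both tls_cacertfile and tls_cacertdir are set: use one or the other')
    if 'identity' in cfg and 'password' in cfg:
        for key in ('tls_certfile', 'tls_keyfile'):
            if key in cfg:
                findings.append(f'{key} is set, but the bind uses identity/password, '
                                'so no client certificate is needed')
    return findings


if __name__ == '__main__':
    for name, sample in (('bad', SAMPLE_BAD), ('good', SAMPLE_GOOD)):
        print(f'--- {name} section ---')
        for finding in lint_ldap_section(parse_ldap_section(sample)) or ['no findings']:
            print(' ', finding)
```

Running the script prints six findings for the first sample and none for the second; the same functions can be pointed at a real radiusd.conf by reading the file into `parse_ldap_section`.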