TLS can't connect ldap+freeradius+novell

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jul 19 16:57:34 CEST 2007


Hm

Fiddling with parameters in the FreeRADIUS config files should not change
any behavior of ldapsearch. ldapsearch depends on the ldap.conf config file.

Did you turn on LDAP client debugging by setting "loglevel -1" in the
~/.ldap.conf file for the user that is executing ldapsearch? Or if
~/.ldap.conf does not exist, did you turn it on in /etc/openldap/ldap.conf
or wherever your system's LDAP client expects its config file to be?

Martin G wrote:
> Thx for the reply!
> 
> I've tried removing "port" and "tls_mode" from my radius.conf and had 
> "tls_start = yes" set.
> 
> The tls_certfile and tls_keyfile are now commented out (#).
> 
> I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64

Is this file of ASCII type and does it read about like

-------- BEGIN CERTIFICATE ------
Base64 blob
-------- END CERTIFICATE ------

?

That is the correct format, i.e. PEM.

Is there more than one certificate in the file?

If it is binary, then it's DER format. In this case you could try

openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem

> I'd tried to use "c_rehash ." in that directory but the rehash doesn't find my 
> cert, only other certs in that path, which are made into strange names.
> Can I force it to pick my .b64 certificate or can I convert it in any other 
> way? (after the certs turned into funny names from c_rehash, it's just to 
> rename them, if it starts to work with the right certificate?)
> 
> The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b 
> ou=adm,ou=malmo,o=wifi "cn=lotta"
> is:
> 
> ldap_initialize( ldap://10.10.0.11 )
> ldap_start_tls: Connect error (-11)
> ldap_result: Can't contact LDAP server (-1)
> 
> Did I miss anything or is the only thing left now, to get a .pem 
> certificate?
-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
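
The PEM-or-DER questions asked in this reply, as an added Python example that is not part of the original message: it classifies the raw bytes of a CA file, counts the certificates in it, and re-encodes DER as PEM. The function names and the dummy sample bytes are assumptions constructed for illustration.

```python
import re
import ssl

# A PEM certificate is base64 text between these two armor lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _der_length_matches(data: bytes) -> bool:
    """Check that the outer ASN.1 SEQUENCE length covers the whole file."""
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first == len(data)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)


def classify(data: bytes):
    """Return (format, certificate_count) for the raw bytes of a CA file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        return "PEM", len(blocks)
    # A DER certificate is binary and starts with a SEQUENCE tag (0x30).
    if len(data) > 4 and data[0] == 0x30 and _der_length_matches(data):
        return "DER", 1
    return "unknown", 0


def to_pem(data: bytes) -> str:
    """Return PEM text: DER is re-encoded, PEM is passed through unchanged."""
    kind, _ = classify(data)
    if kind == "PEM":
        return data.decode("ascii")
    if kind == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither PEM nor DER certificate data")


# Constructed sample: a dummy DER SEQUENCE of 256 zero bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(classify(SAMPLE_DER))                            # binary input
    print(classify((SAMPLE_PEM + SAMPLE_PEM).encode()))    # two certs in one file
```

The check looks only at the encoding; it does not verify that the bytes form a valid certificate or that the CA is the one the LDAP server's certificate chains to.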