TLS cant connect ldap+freeradius+novell

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jul 19 17:51:24 CEST 2007


Hmmmmm.

Martin G wrote:
> Sorry, when I tried to rehash my certificate, I'd changed its path, but now 
> it's back and I got a new output from my ldapsearch command:
> 
> ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> ldap_initialize( ldap://10.10.0.11 )
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate

What is the CN in the SubjectDN of the ldap server's certificate? Is it an FQDN?

If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.

Is the above warning going away?

> filter: cn=lotta
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> # filter: cn=lotta
> # requesting: ALL
> #
> 
> # lotta, ADM, MALMO, WIFI
> dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> zenzfdVersion:: 

Something is at least working. It's not SSL secured though.

...
> 
> I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the 
> TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf 
> as I forgot to do before.

slapd.conf is the config file of the openldap *server*. Messing with this
file should not change anything. Or was that a typo?

> Do I need to convert the certificate to .pem, and how, if c_rehash doesn't 
> work?

If tls_cacertdir is not set, then don't use c_rehash.

Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
certificates of the CA certificate chain that is needed to validate your
ldap server's certificate. Concatenate these PEM formatted CA certs into this
single ASCII file.

And I forgot, set ldap_debug to -1 in the radius config file.

Don't send your ldap server's password in log files ;-)

...
> Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
...
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
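Added example, not code from the list post or from the FreeRADIUS or OpenLDAP projects. It shows the two things the reply above turns on: why "hostname does not match CN in peer certificate" is the expected outcome when the client is pointed at an IP address (-h 10.10.0.11) while the server certificate names an FQDN, and how to assemble the single PEM file that tls_cacertfile expects from several CA certificate files. The FQDN ldap.wifi.example.test and the "certificate" bodies are constructed placeholders (a five-byte DER SEQUENCE, not real X.509 data); whether a Novell .b64 export carries the BEGIN/END armor lines is left open here, so the bundle builder accepts both armored PEM and bare base64 DER. It also refuses any block that is not a CERTIFICATE, so a private key cannot slip into the trust file by accident.

```python
"""Hostname-vs-certificate-name check and tls_cacertfile bundle builder.

Constructed example for the thread above; not the library's own code.
"""
import base64
import binascii
import ipaddress
import re
from typing import Iterable, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # A wildcard is honoured only as the whole leftmost label, below at least
    # two fixed labels, and it matches exactly one label.
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, names: Iterable[Tuple[str, str]]) -> bool:
    """names: (kind, value) pairs taken from the peer certificate, with kind
    in {"DNS", "IP", "CN"}. Returns True when a client should accept it."""
    names = list(names)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an iPAddress SAN. A CN holding an FQDN
        # never matches "-h 10.10.0.11": that is the error in the thread.
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in names)
    dns = [v for k, v in names if k == "DNS"]
    # The CN is only a fallback when the certificate carries no dNSName SAN.
    candidates = dns if dns else [v for k, v in names if k == "CN"]
    return any(_name_match(c, host) for c in candidates)


def _decode(body: str) -> bytes:
    """Base64-decode a certificate body and sanity-check it is DER."""
    raw = "".join(body.split())
    try:
        der = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64") from exc
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def _armor(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_ca_bundle(sources: Iterable[str]) -> str:
    """Concatenate CA certificates into the single PEM file tls_cacertfile wants.

    Each source is the text of one file: armored PEM (possibly with several
    blocks) or bare base64 DER, which gets armored. Non-CERTIFICATE blocks
    (e.g. a private key) are refused rather than copied into the trust file."""
    out: List[str] = []
    for text in sources:
        blocks = PEM_BLOCK.findall(text)
        if blocks:
            for kind, body in blocks:
                if kind != "CERTIFICATE":
                    raise ValueError(f"refusing to put a {kind} block into a CA bundle")
                out.append(_armor(_decode(body)))
        else:
            out.append(_armor(_decode(text)))
    return "".join(out)


def count_certs(bundle: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return sum(1 for kind, _ in PEM_BLOCK.findall(bundle) if kind == "CERTIFICATE")


# Constructed placeholders: a DER SEQUENCE holding INTEGER 1, not real X.509.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
ROOT_CA_PEM = _armor(FAKE_DER)                        # already armored
ISSUING_CA_B64 = base64.b64encode(FAKE_DER).decode()  # bare base64, no armor lines
PRIVATE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    cert_names = [("CN", "ldap.wifi.example.test")]  # assumed FQDN in the server cert
    print(hostname_matches("10.10.0.11", cert_names))             # False: IP vs CN
    print(hostname_matches("ldap.wifi.example.test", cert_names))  # True: use -h FQDN
    bundle = build_ca_bundle([ROOT_CA_PEM, ISSUING_CA_B64])
    print(count_certs(bundle))                                     # 2
```

Run it as a script to see the three results; in a real deployment, feed build_ca_bundle the text of each CA file in the chain and write the result to the path given as tls_cacertfile, then connect by the FQDN from the certificate rather than by IP.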