TLS cant connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Thu Jul 19 20:11:01 CEST 2007


I've found the following on the Novell server (CA service):
Distinguished name: WIFITREE CA.Security
Host server: NW1.SYSTEM.WIFI

"NW1" would be the server name and "NW1.SYSTEM.WIFI" the FQDN?
I added the info in all sorts of ways to my hosts file, pointing at the Novell IP on 
the Linux server, but still no progress :( Still:

ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi 
"cn=lotta"
ldap_initialize( ldap://wifi )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
filter: cn=lotta
requesting: All userApplication attributes

Any good ideas!?
(I've also added the Novell server's DNS IP to the Linux machine's DNS settings, 
but no help from that either).

/Mr G

>>Any idea how to type the FQDN !? :(
>
>Well, if this was your server:
>
>>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>FQDN would be: messenger.msn.click-url.com
>
>Ivan Kalik
>Kalik Informatika ISP
>
>- List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html




>From: "Martin G" <kapten_kanelbulle at hotmail.com>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: freeradius-users at lists.freeradius.org
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 18:05:22 +0200
>
>The subject of the Novell server certificate is: O = WIFITREE
>OU = Organizational CA
>And that's no FQDN!?
>(I exported it from the Novell server as a .der and extracted it to see the
>subject, maybe the wrong way to do it? I haven't exported the private key with
>either the .b64 or the .der and that shouldn't matter?)
>
>*output from novell*
>Subject name: OU=Organizational CA.O=WIFITREE
>Issuer name: OU=Organizational CA.O=WIFITREE
>Effective date: den 22 oktober 2005 23:04:08
>Expiration date:  den 22 oktober 2015 23:04:08
>Certificate status: Valid
>
>Any idea how to type the FQDN !? :(
>
>(Thanks for all the good answers so far!)
>
>/Mr G
>
>
> >From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
> >Reply-To: FreeRadius users mailing list
> ><freeradius-users at lists.freeradius.org>
> >To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> >Subject: Re: TLS cant connect ldap+freeradius+novell
> >Date: Thu, 19 Jul 2007 17:51:24 +0200
> >
> >Hmmmmm.
> >
> >Martin G wrote:
> > > Sorry, when I tried to rehash my certificate, I'd changed its path, but
> > > now it's back and I got new output from my ldapsearch command:
> > >
> > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > ldap_initialize( ldap://10.10.0.11 )
> > > ldap_start_tls: Connect error (-11)
> > >         additional info: TLS: hostname does not match CN in peer certificate
> >
> >What is the CN in the SubjectDN of the ldap server's certificate? Is it an
> >FQDN?
> >
> >If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> >server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.
> >
> >Is the above warning going away?
> >
> > > filter: cn=lotta
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > > # filter: cn=lotta
> > > # requesting: ALL
> > > #
> > >
> > > # lotta, ADM, MALMO, WIFI
> > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > zenzfdVersion::
> >
> >Something is at least working. It's not SSL secured though.
> >
> >...
> > >
> > > I've also added loglevel -1 to /etc/ldap/ldap.conf and removed the
> > > TLSCertificateFile and TLSCertificateKeyFile from /etc/ldap/sldap.conf
> > > as I forgot to do before.
> >
> >slapd.conf is the config file of the openldap *server*. Messing with this
> >file should not change anything. Or was that a typo?
> >
> > > Do I need to convert the certificate to .pem, and how, if c_rehash
> > > doesn't work?
> >
> >If tls_cacertdir is not set, then don't use c_rehash.
> >
> >Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> >certificates of the CA certificate chain that is needed to validate your
> >ldap server's certificate. Concatenate these PEM formatted CA certs into
> >this single ASCII file.
> >
> >And I forgot, set ldap_debug to -1 in the radius config file.
> >
> >Don't send your ldap server's password in log files ;-)
> >
> >...
> > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> >...
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no
> >
> >--
> >Beste Gruesse / Kind Regards
> >
> >Reimer Karlsen-Masur
> >
> >DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> >--
> >Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> >DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> >Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>

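The thread turns on two points: the client's hostname check ("hostname does not match CN in peer certificate") and the single PEM bundle that tls_cacertfile expects. The following is an added example, not OpenLDAP's, FreeRADIUS' or Novell's own code. It models the RFC 6125 style match an LDAP client applies during StartTLS and a small DER-or-PEM to bundle converter; the certificate names, the hypothetical server certificate and the byte strings in it are constructed for the example, and `NOVELL_CA_CERT` mirrors only what the thread shows (a CA certificate whose subject equals its issuer and carries no CN or SAN, so no hostname can ever match it).

```python
"""Hostname-vs-certificate matching and tls_cacertfile bundle building.
Added example, not OpenLDAP's, FreeRADIUS' or Novell's code; all
certificate fields and byte strings are constructed."""
import ipaddress
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """The name-bearing parts of an X.509 certificate that a client consults."""
    subject_cn: Optional[str] = None                   # CN= from the subject DN
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is accepted only as the
    whole leftmost label and matches exactly one label (no *.wifi, no a*.b)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> Tuple[bool, str]:
    """Decide whether `hostname` (as given to -h / server =) is acceptable for
    `cert`. An IP literal can only match an iPAddress SAN; once any dNSName
    SAN exists the CN is ignored; the CN is a fallback for SAN-less certs."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in cert.san_ip):
            return True, "matched iPAddress SAN"
        return False, "IP literal given, no matching iPAddress SAN"
    if cert.san_dns:
        if any(_dns_match(p, hostname) for p in cert.san_dns):
            return True, "matched dNSName SAN"
        return False, "dNSName SANs present, none match; CN not consulted"
    if cert.subject_cn and _dns_match(cert.subject_cn, hostname):
        return True, "matched subject CN (certificate has no SAN)"
    return False, "hostname does not match CN in peer certificate"


def to_pem(blob: bytes) -> str:
    """Accept a PEM or DER encoded certificate and return it as PEM text.
    DER always starts with an ASN.1 SEQUENCE tag (0x30)."""
    if blob.startswith(b"-----BEGIN CERTIFICATE-----"):
        return blob.decode("ascii").strip() + "\n"
    if blob[:1] == b"\x30":
        return ssl.DER_cert_to_PEM_cert(blob)
    raise ValueError("neither PEM nor DER certificate data")


def build_ca_bundle(blobs: List[bytes]) -> str:
    """Concatenate every CA certificate of the chain into the one ASCII
    file that tls_cacertfile points at (no c_rehash needed for that)."""
    return "".join(to_pem(b) for b in blobs)


# Constructed from the thread: the exported certificate is the CA's own
# (subject equals issuer, no CN, no SAN), so nothing in it names a host.
NOVELL_CA_CERT = CertNames()  # OU=Organizational CA, O=WIFITREE
# Hypothetical eDirectory server certificate carrying the names a client needs.
SERVER_CERT = CertNames(subject_cn="NW1.SYSTEM.WIFI",
                        san_dns=["NW1.SYSTEM.WIFI"],
                        san_ip=["10.10.0.11"])


def demo() -> None:
    for cert, label in ((NOVELL_CA_CERT, "CA cert"), (SERVER_CERT, "server cert")):
        for host in ("NW1.SYSTEM.WIFI", "10.10.0.11", "wifi"):
            ok, why = hostname_matches(cert, host)
            print(f"{label:11} -h {host:16} -> {'OK ' if ok else 'ERR'} {why}")
    # Constructed stand-ins for a .der and a .b64 export; not real certificates.
    fake_der = b"\x30\x82\x01\x00" + b"\x00" * 16
    fake_pem = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    print(build_ca_bundle([fake_der, fake_pem]))


if __name__ == "__main__":
    demo()
```

Run as a script it prints, for each certificate and each of the three host arguments seen in the thread (FQDN, IP literal, and the stray "wifi"), whether the check would pass and why; the CA certificate fails every time, which is the same situation as a server that presents the wrong certificate. The design choice worth noting is that an IP address in `-h` or `server =` only ever matches an iPAddress SAN, so mapping the IP to the FQDN in /etc/hosts and connecting by name, as suggested in the thread, is the right fix rather than loosening tls_require_cert.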



