TLS cant connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Mon Jul 23 11:39:10 CEST 2007


Hello!

I exported the .b64 and used a program to decrypt the .b64 into a .pem and 
put it in my /etc/freeradius/certs/WIFITREE_CA.pem, then edited the 
/etc/ldap/ldap.conf, /etc/ldap/slapd.conf and /etc/freeradius/radius.conf to 
point at the new .pem cert.

I connected to the Novell server and inspected what ports the LDAP used, and 
it's running on unencrypted port 389 and encrypted port 636.

My ldapconf now looks like:
BASE: ou=adm,ou=malmo,o=wifi
URI ldap://10.10.0.11 ldap://10.10.0.11
TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
TLS_REQCERT demand
ldap_version 3
port 636
ssl start_tls
ssl on

------

When I use the line ldapsearch -vvv -H ldap://10.10.0.11 -x -Z -b 
ou=adm,ou=malmo,o=wifi "cn=lotta" I receive:
ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

But if I take away the -Z attribute, I get:
ldapsearch -vvv -H ldap://10.10.0.11 -x -b ou=adm,ou=malmo,o=wifi "cn=lotta"
ldap_initialize( ldap://10.10.0.11 )
filter: cn=lotta
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=adm,ou=malmo,o=wifi> with scope subtree
# filter: cn=lotta
# requesting: ALL
#

# lotta, ADM, MALMO, WIFI
dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
zenzfdVersion:: 
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QWdlbnREYX
RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaW9uPjxWZXJX0ZVRpbWU+MTE0OTUwMTY4MjwvVmV
yV3JpdGVUaW1lPjwvQWdlbnREXRhPg==
zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage
sasDefaultLoginSequence: ------No default------
uid: lotta
givenName: lotta
fullName: lotta whatever
Language: ENGLISH
sn: whatever
passwordUniqueRequired: FALSE
passwordRequired: TRUE
passwordMinimumLength: 5
passwordExpirationTime: 20070815131928Z
passwordExpirationInterval: 3456000
passwordAllowChange: TRUE
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: radiusprofile
loginTime: 20070723095349Z
loginGraceRemaining: 6
loginGraceLimit: 6
cn: lotta
ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights]
ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I'm not very good at certificates or LDAP at all, but in my eyes, it seems to 
work unencrypted and not when I try with the encryption. So it would be 
either the port 636 or the certificate!?
And the Novell tells me that the 636 port is used to accept encrypted 
questions.
Might it be a fault when I tried to decrypt the WIFITREE_CA.b64 to 
WIFITREE_CA.pem?

Any other ideas?
(Is there a nice/easy way to do it in Linux? I downloaded a Windows program 
and FTP'ed it to the Linux server.)

(The FreeRADIUS also tells me, like before, that it can't get a TLS connection.)


Thx for all help this far!!

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Fri, 20 Jul 2007 11:03:43 +0200
>
>Hi.
>
>Martin G wrote:
> > Subject of the novell-server-certificate is : O = WIFITREE
> > OU = Organizational CA
>
>Well, that looks like the SubjectDN of your Novell CA certificate. You need
>to put this CA certificate (not the pkcs#12/.p12 or the private key) in PEM
>format into the file referenced by option tls_cacertfile.
>
> > And that's no FQDN!?
>
>No.
>
> > (I exported it from the novell as an .der and extracted it to see the
> > subject, maybe wrong way to do it? I haven't exported the private key with
> > either the .b64 or the .der and that shouldn't matter ?)
>
>You do *not* need the private key of your novell CA cert or your novell
>ldap server cert on your FreeRADIUS server.
>
> > *output from novell*
>
>This looks like a selfsigned root-CA certificate:
>
> > Subject name: OU=Organizational CA.O=WIFITREE
> > Issuer name: OU=Organizational CA.O=WIFITREE
> > Effective date: den 22 oktober 2005 23:04:08
> > Expiration date:  den 22 oktober 2015 23:04:08
> > Certificate status: Valid
> >
> > Any idea how to type the FQDN !? :(
>
>You need to get a PEM formatted copy of this CA certificate (w/o private
>key) and put that to the file referenced by option tls_cacertfile.
>
>And for ldapsearch put this certificate into /etc/ldap/ldap.conf as
>
>TLS_CACERT      /etc/ldap/novell-ca-cert.pem
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737









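Added example (not written by either poster): one way to do the conversion asked about above on the Linux host itself, producing the PEM CA certificate without private key that the quoted reply asks for. It assumes the openssl command-line tool is installed; to_pem and is_self_signed are hypothetical helper names.

```shell
#!/bin/sh
# Added example. to_pem and is_self_signed are hypothetical helper names;
# requires the openssl command-line tool.

# to_pem <exported-file> <output.pem>: accept PEM, binary DER, or bare
# base64 (.b64 without BEGIN/END lines) and write a PEM certificate.
to_pem() {
    src=$1 dst=$2
    # The file behind TLS_CACERT / tls_cacertfile must not carry a private key.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$src"; then
        echo "refusing: $src contains a private key" >&2
        return 2
    fi
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$src"; then
        # Already PEM: re-emit through openssl so a damaged file is rejected.
        openssl x509 -inform PEM -in "$src" -out "$dst" 2>/dev/null && return 0
    elif openssl x509 -inform DER -in "$src" -out "$dst" 2>/dev/null; then
        return 0    # binary DER export
    else
        # Bare base64: strip whitespace, rewrap at 64 columns, add PEM armour.
        { echo '-----BEGIN CERTIFICATE-----'
          tr -d ' \t\r\n' < "$src" | fold -w 64; echo
          echo '-----END CERTIFICATE-----'
        } | openssl x509 -inform PEM -out "$dst" 2>/dev/null && return 0
    fi
    rm -f "$dst"
    echo "cannot parse $src as an X.509 certificate" >&2
    return 1
}

# Succeeds when subject and issuer are the same name (a self-signed root CA,
# like the "Organizational CA" in the quoted Novell output).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$s" = "$i" ]
}

# Afterwards, test the two transports separately:
#   StartTLS is negotiated on the plain port:  ldapsearch -x -ZZ -H ldap://HOST ...
#   Port 636 expects TLS from the first byte:  ldapsearch -x -H ldaps://HOST ...
```
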

