Hello! I exported the .b64 and used a program do decrypt the .b64 into a .pem and put it in my /etc/freeradius/certs/WIFITREE_CA.pem then edited the /etc/ldap/ldap.conf /etc/ldap/slapd.conf and /etc/freeradius/radius.conf to point at the new .pem cert. I connected to the novell-server and inspected what ports the ldap used and its running on unencrypted 389 and encrypted port 636. My ldapconf now looks like: BASE: ou=adm,ou=malmo,o=wifi URI ldap://10.10.0.11 ldap://10.10.0.11 TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem TLS_REQCERT demand ldap_version 3 port 636 ssl start_tls ssl on ------ when i use the line ldapsearch -vvv -H ldap://10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" i recieve: ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1) But if i take away the -Z attribute, i get: ldapsearch -vvv -H ldap://10.10.0.11 -x -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL # # lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QWdlbnREYX RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaW9uPjxWZXJX0ZVRpbWU+MTE0OTUwMTY4MjwvVmV yV3JpdGVUaW1lPjwvQWdlbnREXRhPg== zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage sasDefaultLoginSequence: ------No default------ uid: lotta givenName: lotta fullName: lotta whatever Language: ENGLISH sn: whatever passwordUniqueRequired: FALSE passwordRequired: TRUE passwordMinimumLength: 5 passwordExpirationTime: 20070815131928Z passwordExpirationInterval: 3456000 passwordAllowChange: TRUE objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: Person objectClass: ndsLoginProperties objectClass: Top objectClass: radiusprofile loginTime: 20070723095349Z loginGraceRemaining: 6 loginGraceLimit: 6 cn: lotta ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights] ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript ACL: 2#entry#[Public]#messageServer ACL: 2#entry#[Root]#groupMembership ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration ACL: 2#entry#[Root]#networkAddress # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 im not very good at certificates or ldap at all, but in my eyes, it seems to work un-encrypted and not when i trie with the encryption. So it would be either the port 636 or the certificate!? And the novell tells me that the 636 port is used to accept encrypted questions. Might it be a fault when i tried to decrypt the WIFITREE_CA.b64 to WIFITREE_CA.pem? Any other idears? (is there a nice/easy way to do it in linux? i downloaded a windowsprogram and ftp:ed it to the linux-server) (the freeradius also tells me like before that it cant get a tls-connection) Thx for all help this far!! /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Fri, 20 Jul 2007 11:03:43 +0200
Hi.
Martin G wrote:
Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA
Well, that looks like the SubjectDN of your Novell CA certificate. You need to put this CA certificate (no the pkcs#12/.p12 or the private key) in PEM format into the file referenced by option tls_cacertfile.
And thats no FQDN!?
No.
(I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?)
You do *not* need the private key of your novell CA cert or your novell ldap server cert on your FreeRADIUS server.
*output from novell*
This looks like a selfsigned root-CA certificate:
Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid
Any idea how to type the FQDN !? :(
You need to get a PEM formatted copy of this CA certificate (w/o private key) and put that to the file referenced by option tls_cacertfile.
And for ldapsearch put this certificate into /etc/ldap/ldap.conf as
TLS_CACERT /etc/ldap/novell-ca-cert.pem
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/