Iv now got the "10.10.0.11 nw1.system.wifi" in my /etc/hosts file. I logged on to the novell-server and paged me to the ldap-connections-page. The server uses 389 for unencrypted connections and 636 for encrypted connections with ldap. When i use: openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state I get very very much information.. anything i shall look for !? maby attach as a file here!? When i use: openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3 I get: CONNECTED(00000003) and nothing more. When i use: openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp I get the same "CONNECTED(00000003). Any useful information!? Seems like it can connect on both the ports. /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Fri, 20 Jul 2007 11:14:46 +0200
Martin G wrote:
Iv found the following on the novellserver (CA-service): Distinguished name: WIFITREE CA.Security Host server: NW1.SYSTEM.WIFI
Well this looks like the novell ldap server certifivate.
"NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
Yes.
I added the info in all kinds of sorts in my hosts-file to the novell-ip on the linux-server but still no progress :( Still:
Put
10.10.0.11 nw1.system.wifi
into the /etc/hosts file
ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://wifi ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes
Any good idea!?
Does your ldap server do ldaps on e.g. port 636?
To get the ldap server certificate and mybe the CA chain validating this certificate you could try
# openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
If your ldap server does not do ldaps try
# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
or
# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
I expect this does not work since openssl s_client does not (yet) support starttls option with ldap protocol. But give it a whirl, maybe you get back something useful.
Or enable ldaps on port 636 on your ldap server.... and try the top most openssl command from this mail.
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/