Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA And thats no FQDN!? (I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?) *output from novell* Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid Any idea how to type the FQDN !? :( (Thx for all the good answers this far!) /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Thu, 19 Jul 2007 17:51:24 +0200
Hmmmmm.
Martin G wrote:
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command:
ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate
What is the CN in the SubjectDN of the ldap servers certificate? Is it a FQDN?
If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
Is above warning going away?
filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL #
# lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion::
Something is at least working. It's not SSL secured though.
...
Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the
/etc/ldap/sldap.conf
as i did forget before.
slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo?
Do i need to convert the certificate to .pem and how if the c_rehash dont work?
If tls_cacertdir is not set, then don't use c_rehash.
Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap servers certificate. Concatenate these PEM formatted CA certs into this single ASCII file.
And I forgot, set ldap_debug to -1 in the radius config file.
Don't send your ldap servers password in log files ;-)
...
Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs /WIFITREE_CA.b64" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" ... Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/