Re: TLS cant connect ldap+freeradius+novell
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command: ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL # # lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4fSe34FNvZGluZz0iVVRGLTgiPz48QWdlbnREYX RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaWwAffwawFWZXJXcml0ZVRpbWU+MTE0OTUwMTY4MjwvVmV yV3JpdGVUaW1lPjwvQwfAwREYXRhPg== zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage sasDefaultLoginSequence: ------No default------ uid: lotta givenName: lotta fullName: lotta whatever Language: ENGLISH sn: whatever passwordUniqueRequired: FALSE passwordRequired: TRUE passwordMinimumLength: 5 passwordExpirationTime: 20070815131928Z passwordExpirationInterval: 3456000 passwordAllowChange: TRUE objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: Person objectClass: ndsLoginProperties objectClass: Top objectClass: radiusprofile loginTime: 20070719121749Z loginGraceRemaining: 6 loginGraceLimit: 6 cn: lotta ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights] ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript ACL: 2#entry#[Public]#messageServer ACL: 2#entry#[Root]#groupMembership ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration ACL: 2#entry#[Root]#networkAddress # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf as i did forget before. Do i need to convert the certificate to .pem and how if the c_rehash dont work? I paste the new output from the freeradius -XXX -A if it might help... freeradius -XXX -A Tue Jul 10 12:35:00 2007 : Info: Starting - reading configuration files ... Tue Jul 10 12:35:00 2007 : Debug: reread_config: reading radiusd.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/prox y.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/clie nts.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/snmp ..conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/eap. conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/sql. conf Tue Jul 10 12:35:00 2007 : Debug: main: prefix = "/usr" Tue Jul 10 12:35:00 2007 : Debug: main: localstatedir = "/var" Tue Jul 10 12:35:00 2007 : Debug: main: logdir = "/var/log/freeradius" Tue Jul 10 12:35:00 2007 : Debug: main: libdir = "/usr/lib/freeradius" Tue Jul 10 12:35:00 2007 : Debug: main: radacctdir = "/var/log/freeradius/radac ct" Tue Jul 10 12:35:00 2007 : Debug: main: hostname_lookups = no Tue Jul 10 12:35:00 2007 : Debug: main: max_request_time = 30 Tue Jul 10 12:35:00 2007 : Debug: main: cleanup_delay = 5 Tue Jul 10 12:35:00 2007 : Debug: main: max_requests = 1024 Tue Jul 10 12:35:00 2007 : Debug: main: delete_blocked_requests = 0 Tue Jul 10 12:35:00 2007 : Debug: main: port = 0 Tue Jul 10 12:35:00 2007 : Debug: main: allow_core_dumps = no Tue Jul 10 12:35:00 2007 : Debug: main: log_stripped_names = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_file = "/var/log/freeradius/radius. log" Tue Jul 10 12:35:00 2007 : Debug: main: log_auth = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_auth_badpass = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_auth_goodpass = yes Tue Jul 10 12:35:00 2007 : Debug: main: pidfile = "/var/run/freeradius/freeradi us.pid" Tue Jul 10 12:35:00 2007 : Debug: main: user = "freerad" Tue Jul 10 12:35:00 2007 : Debug: main: group = "freerad" Tue Jul 10 12:35:00 2007 : Debug: main: usercollide = no Tue Jul 10 12:35:00 2007 : Debug: main: lower_user = "no" Tue Jul 10 12:35:00 2007 : Debug: main: lower_pass = "no" Tue Jul 10 12:35:00 2007 : Debug: main: nospace_user = "no" Tue Jul 10 12:35:00 2007 : Debug: main: nospace_pass = "no" Tue Jul 10 12:35:00 2007 : Debug: main: checkrad = "/usr/sbin/checkrad" Tue Jul 10 12:35:00 2007 : Debug: main: proxy_requests = yes Tue Jul 10 12:35:00 2007 : Debug: proxy: retry_delay = 5 Tue Jul 10 12:35:00 2007 : Debug: proxy: retry_count = 3 Tue Jul 10 12:35:00 2007 : Debug: proxy: synchronous = no Tue Jul 10 12:35:00 2007 : Debug: proxy: default_fallback = yes Tue Jul 10 12:35:00 2007 : Debug: proxy: dead_time = 120 Tue Jul 10 12:35:00 2007 : Debug: proxy: post_proxy_authorize = no Tue Jul 10 12:35:00 2007 : Debug: proxy: wake_all_if_all_dead = no Tue Jul 10 12:35:00 2007 : Debug: security: max_attributes = 200 Tue Jul 10 12:35:00 2007 : Debug: security: reject_delay = 1 Tue Jul 10 12:35:00 2007 : Debug: security: status_server = no Tue Jul 10 12:35:00 2007 : Debug: main: debug_level = 0 Tue Jul 10 12:35:00 2007 : Debug: read_config_files: reading dictionary Tue Jul 10 12:35:00 2007 : Debug: read_config_files: reading naslist Tue Jul 10 12:35:00 2007 : Info: Using deprecated naslist file. Support for thi s will go away soon. Tue Jul 10 12:35:00 2007 : Debug: read_config_files: reading clients Tue Jul 10 12:35:00 2007 : Debug: read_config_files: reading realms Tue Jul 10 12:35:00 2007 : Debug: radiusd: entering modules setup Tue Jul 10 12:35:00 2007 : Debug: Module: Library search path is /usr/lib/freera dius Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded exec Tue Jul 10 12:35:00 2007 : Debug: exec: wait = yes Tue Jul 10 12:35:00 2007 : Debug: exec: program = "(null)" Tue Jul 10 12:35:00 2007 : Debug: exec: input_pairs = "request" Tue Jul 10 12:35:00 2007 : Debug: exec: output_pairs = "(null)" Tue Jul 10 12:35:00 2007 : Debug: exec: packet_type = "(null)" Tue Jul 10 12:35:00 2007 : Info: rlm_exec: Wait=yes but no output defined. Did y ou mean output=none? Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated exec (exec) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded expr Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated expr (expr) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded PAP Tue Jul 10 12:35:00 2007 : Debug: pap: encryption_scheme = "crypt" Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated pap (pap) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded CHAP Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated chap (chap) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded MS-CHAP Tue Jul 10 12:35:00 2007 : Debug: mschap: use_mppe = yes Tue Jul 10 12:35:00 2007 : Debug: mschap: require_encryption = no Tue Jul 10 12:35:00 2007 : Debug: mschap: require_strong = no Tue Jul 10 12:35:00 2007 : Debug: mschap: with_ntdomain_hack = no Tue Jul 10 12:35:00 2007 : Debug: mschap: passwd = "(null)" Tue Jul 10 12:35:00 2007 : Debug: mschap: ntlm_auth = "(null)" Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated mschap (mschap) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded System Tue Jul 10 12:35:00 2007 : Debug: unix: cache = no Tue Jul 10 12:35:00 2007 : Debug: unix: passwd = "(null)" Tue Jul 10 12:35:00 2007 : Debug: unix: shadow = "/etc/shadow" Tue Jul 10 12:35:00 2007 : Debug: unix: group = "(null)" Tue Jul 10 12:35:00 2007 : Debug: unix: radwtmp = "/var/log/freeradius/radwtmp" Tue Jul 10 12:35:00 2007 : Debug: unix: usegroup = no Tue Jul 10 12:35:00 2007 : Debug: unix: cache_reload = 600 Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated unix (unix) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs /WIFITREE_CA.b64" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: filter = "(cn=%{Stripped-User-Name:-%{U ser-Name}})" Tue Jul 10 12:35:00 2007 : Debug: ldap: base_filter = "(objectclass=radiusprofi le)" Tue Jul 10 12:35:00 2007 : Debug: ldap: default_profile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: profile_attribute = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: password_header = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: password_attribute = "nspmPassword" Tue Jul 10 12:35:00 2007 : Debug: ldap: access_attr = "dialupAccess" Tue Jul 10 12:35:00 2007 : Debug: ldap: groupname_attribute = "cn" Tue Jul 10 12:35:00 2007 : Debug: ldap: groupmembership_filter = "(|(&(objectCl ass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniq uemember=%{Ldap-UserDn})))" Tue Jul 10 12:35:00 2007 : Debug: ldap: groupmembership_attribute = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: dictionary_mapping = "/etc/freeradius/l dap.attrmap" Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no Tue Jul 10 12:35:00 2007 : Debug: ldap: access_attr_used_for_allow = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: do_xlat = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: edir_account_policy_check = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: set_auth_type = yes Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-G roup Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIU S $GENERIC$ Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIU S $GENERIC$ Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusCallingStationId mapped t o RADIUS Calling-Station-Id Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM- Password Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT- Password Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB- Account-CTRL-TEXT Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusExpiration mapped to RADI US Expiration Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RA DIUS NAS-IP-Address Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusServiceType mapped to RAD IUS Service-Type Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RAD IUS Framed-Route Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedRouting mapped to R ADIUS Framed-Routing Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIU S Framed-MTU Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RAD IUS Login-IP-Host Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginService mapped to RA DIUS Login-Service Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RA DIUS Login-TCP-Port Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADI US Callback-Id Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped t o RADIUS Framed-IPX-Network Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Cl ass Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RAD IUS Idle-Timeout Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RA DIUS Login-LAT-Node Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to R ADIUS Login-LAT-Group Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mappe d to RADIUS Framed-AppleTalk-Link Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork ma pped to RADIUS Framed-AppleTalk-Network Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mappe d to RADIUS Framed-AppleTalk-Zone Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIU S Port-Limit Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RA DIUS Login-LAT-Port Tue Jul 10 12:35:00 2007 : Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RA DIUS Reply-Message Tue Jul 10 12:35:00 2007 : Debug: conns: 0x81457f8 Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated ldap (ldap) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded eap Tue Jul 10 12:35:00 2007 : Debug: eap: default_eap_type = "md5" Tue Jul 10 12:35:00 2007 : Debug: eap: timer_expire = 60 Tue Jul 10 12:35:00 2007 : Debug: eap: ignore_unknown_eap_types = no Tue Jul 10 12:35:00 2007 : Debug: eap: cisco_accounting_username_bug = no Tue Jul 10 12:35:00 2007 : Debug: rlm_eap: Loaded and initialized type md5 Tue Jul 10 12:35:00 2007 : Debug: rlm_eap: Loaded and initialized type leap Tue Jul 10 12:35:00 2007 : Debug: gtc: challenge = "Password: " Tue Jul 10 12:35:00 2007 : Debug: gtc: auth_type = "PAP" Tue Jul 10 12:35:00 2007 : Debug: rlm_eap: Loaded and initialized type gtc Tue Jul 10 12:35:00 2007 : Debug: mschapv2: with_ntdomain_hack = no Tue Jul 10 12:35:00 2007 : Debug: rlm_eap: Loaded and initialized type mschapv2 Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated eap (eap) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded preprocess Tue Jul 10 12:35:00 2007 : Debug: preprocess: huntgroups = "/etc/freeradius/hun tgroups" Tue Jul 10 12:35:00 2007 : Debug: preprocess: hints = "/etc/freeradius/hints" Tue Jul 10 12:35:00 2007 : Debug: preprocess: with_ascend_hack = no Tue Jul 10 12:35:00 2007 : Debug: preprocess: ascend_channels_per_line = 23 Tue Jul 10 12:35:00 2007 : Debug: preprocess: with_ntdomain_hack = no Tue Jul 10 12:35:00 2007 : Debug: preprocess: with_specialix_jetstream_hack = n o Tue Jul 10 12:35:00 2007 : Debug: preprocess: with_cisco_vsa_hack = no Tue Jul 10 12:35:00 2007 : Debug: preprocess: with_alvarion_vsa_hack = no Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated preprocess (preprocess) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded realm Tue Jul 10 12:35:00 2007 : Debug: realm: format = "suffix" Tue Jul 10 12:35:00 2007 : Debug: realm: delimiter = "@" Tue Jul 10 12:35:00 2007 : Debug: realm: ignore_default = no Tue Jul 10 12:35:00 2007 : Debug: realm: ignore_null = no Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated realm (suffix) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded files Tue Jul 10 12:35:00 2007 : Debug: files: usersfile = "/etc/freeradius/users" Tue Jul 10 12:35:00 2007 : Debug: files: acctusersfile = "/etc/freeradius/acct_ users" Tue Jul 10 12:35:00 2007 : Debug: files: preproxy_usersfile = "/etc/freeradius/ preproxy_users" Tue Jul 10 12:35:00 2007 : Debug: files: compat = "no" Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated files (files) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded Acct-Unique-Session-Id Tue Jul 10 12:35:00 2007 : Debug: acct_unique: key = "User-Name, Acct-Session-I d, NAS-IP-Address, Client-IP-Address, NAS-Port" Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated acct_unique (acct_unique) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded detail Tue Jul 10 12:35:00 2007 : Debug: detail: detailfile = "/var/log/freeradius/rad acct/%{Client-IP-Address}/detail-%Y%m%d" Tue Jul 10 12:35:00 2007 : Debug: detail: detailperm = 384 Tue Jul 10 12:35:00 2007 : Debug: detail: dirperm = 493 Tue Jul 10 12:35:00 2007 : Debug: detail: locking = no Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated detail (detail) Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded radutmp Tue Jul 10 12:35:00 2007 : Debug: radutmp: filename = "/var/log/freeradius/radu tmp" Tue Jul 10 12:35:00 2007 : Debug: radutmp: username = "%{User-Name}" Tue Jul 10 12:35:00 2007 : Debug: radutmp: case_sensitive = yes Tue Jul 10 12:35:00 2007 : Debug: radutmp: check_with_nas = yes Tue Jul 10 12:35:00 2007 : Debug: radutmp: perm = 384 Tue Jul 10 12:35:00 2007 : Debug: radutmp: callerid = yes Tue Jul 10 12:35:00 2007 : Debug: Module: Instantiated radutmp (radutmp) Tue Jul 10 12:35:00 2007 : Debug: Listening on authentication *:1812 Tue Jul 10 12:35:00 2007 : Debug: Listening on accounting *:1813 Tue Jul 10 12:35:00 2007 : Info: Ready to process requests. rad_recv: Access-Request packet from host 10.10.0.28:32795, id=47, length=112 NAS-IP-Address = 10.10.0.29 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "lotta" User-Password = "******" Calling-Station-Id = "000000000000" Called-Station-Id = "000B86600DB2" Aruba-Essid-Name = "" Aruba-Location-Id = "0.0.0" Tue Jul 10 12:35:36 2007 : Debug: Processing the authorize section of radiusd. conf Tue Jul 10 12:35:36 2007 : Debug: modcall: entering group authorize for request 0 Tue Jul 10 12:35:36 2007 : Debug: modsingle[authorize]: calling preprocess (rl m_preprocess) for request 0 Tue Jul 10 12:35:36 2007 : Debug: modsingle[authorize]: returned from preproce ss (rlm_preprocess) for request 0 Tue Jul 10 12:35:36 2007 : Debug: modcall[authorize]: module "preprocess" retu rns ok for request 0 Tue Jul 10 12:35:36 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap ) for request 0 Tue Jul 10 12:35:39 2007 : Debug: Discarding duplicate request from client local host:32795 - ID: 47 0 Tue Jul 10 12:35:39 2007 : Debug: --- Walking the entire request list ---urns no Tue Jul 10 12:35:39 2007 : Debug: Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.10.0.28:32795, id=47, length=112_ms Tue Jul 10 12:35:41 2007 : Debug: Discarding duplicate request from client local host:32795 - ID: 47 2007 : Debug: modsingle[authorize]: returned from mschap ( Tue Jul 10 12:35:41 2007 : Debug: --- Walking the entire request list --- Tue Jul 10 12:35:41 2007 : Debug: Waking up in 1 seconds...ule "mschap" returns Tue Jul 10 12:35:42 2007 : Debug: --- Walking the entire request list --- Tue Jul 10 12:35:42 2007 : Debug: Cleaning up request 0 ID 47 with timestamp 469 360f8for request 0 Tue Jul 10 12:35:42 2007 : Debug: Nothing to do. Sleeping until we see a reques t.oking up realm NULL rad_recv: Access-Request packet from host 10.10.0.28:32795, id=47, length=112 Tue Jul NAS-IP-Address = 10.10.0.29 modsingle[authorize]: returned from suffix ( rlm_realNAS-Port = 0st 0 Tue Jul NAS-Port-Type = Wireless-802.11call[authorize]: module "suffix" returns noop forUser-Name = "lotta" Tue Jul User-Password = "******"g: modsingle[authorize]: calling eap (rlm_eap) for requCalling-Station-Id = "000000000000" Tue Jul Called-Station-Id = "000B86600DB2"p: No EAP-Message, not doing EAP Tue Jul Aruba-Essid-Name = ""bug: modsingle[authorize]: returned from eap (rlm _eap) foAruba-Location-Id = "0.0.0" Tue Jul 10 12:35:43 2007 : Debug: Processing the authorize section of radiusd. confr request 0 Tue Jul 10 12:35:43 2007 : Debug: modcall: entering group authorize for request 1s) for request 0 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling preprocess (rl m_preprocess) for request 1Debug: modsingle[authorize]: returned from files (r Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from preproce ss (rlm_preprocess) for request 1 modcall[authorize]: module "files" returns o Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "preprocess" retu rns ok for request 12007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap ) for request 15:36 2007 : Debug: rlm_ldap: - authorize Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from chap (rl m_chap) for request 1 Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "chap" returns no op for request 1:36 2007 : Debug: radius_xlat: 'ou=adm,ou=malmo,o=wifi' Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling mschap (rlm_ms chap) for request 1 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from mschap ( rlm_mschap) for request 1: Debug: rlm_ldap: (re)connect to 10.10.0.11:389, authe Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 16 2007 : Debug: rlm_ldap: setting TLS CACert File to /etc/free Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling suffix (rlm_re alm) for request 16 2007 : Debug: rlm_ldap: starting TLS Tue Jul 10 12:35:43 2007 : Debug: rlm_realm: No '@' in User-Name = "lotta", looking up realm NULL007 : Error: rlm_ldap: could not start TLS Connect error Tue Jul 10 12:35:43 2007 : Debug: rlm_realm: No such realm "NULL"iled Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from suffix ( rlm_realm) for request 1 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 1t 0 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1t 0 Tue Jul 10 12:35:43 2007 : Debug: rlm_eap: No EAP-Message, not doing EAPs fail Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from eap (rlm _eap) for request 1 2007 : Debug: Finished request 0 Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "eap" returns noo p for request 15:36 2007 : Debug: --- Walking the entire request list --- Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling files (rlm_fil es) for request 1Request packet from host 10.10.0.28:32795, id=47, length=112 Tue Jul 10 12:35:43 2007 : Debug: users: Matched entry DEFAULT at line 152 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from files (r lm_files) for request 1 Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "files" returns o k for request 1 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap ) for request 1 Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: - authorize Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: performing user authorization for lo tta Tue Jul 10 12:35:43 2007 : Debug: radius_xlat: '(cn=lotta)' Tue Jul 10 12:35:43 2007 : Debug: radius_xlat: 'ou=adm,ou=malmo,o=wifi' Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: attempting LDAP reconnection Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: (re)connect to 10.10.0.11:389, authe ntication 0 Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: setting TLS CACert File to /etc/free radius/certs/WIFITREE_CA.b64 Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: starting TLS Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_start_tls_s() Tue Jul 10 12:35:43 2007 : Error: rlm_ldap: could not start TLS Connect error Tue Jul 10 12:35:43 2007 : Error: rlm_ldap: (re)connection attempt failed Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: search failed Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from ldap (rl m_ldap) for request 1 Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "ldap" returns fa il for request 1 Tue Jul 10 12:35:43 2007 : Debug: modcall: leaving group authorize (returns fail ) for request 1 Tue Jul 10 12:35:43 2007 : Debug: Finished request 1 Tue Jul 10 12:35:43 2007 : Debug: Going to the next request Tue Jul 10 12:35:43 2007 : Debug: --- Walking the entire request list --- Tue Jul 10 12:35:43 2007 : Debug: Waking up in 6 seconds... Tue Jul 10 12:35:49 2007 : Debug: --- Walking the entire request list --- Tue Jul 10 12:35:49 2007 : Debug: Cleaning up request 1 ID 47 with timestamp 469 360ff Tue Jul 10 12:35:49 2007 : Debug: Nothing to do. Sleeping until we see a reques t. /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Thu, 19 Jul 2007 16:57:34 +0200
Hm
fiddling with parameters in the FreeRADIUS config files should not change any behavior of ldapsearch. ldapsearch depends on ldap.conf config file.
Did you turn on ldap client debugging by setting "loglevel -1" in the ~/.ldap.conf file for the user that is executing ldapsearch? Or if ~/.ldap.conf does not exist, did you turn it on in /etc/openldap/ldap.conf or wherever your system ldap clients expects its config file to be?
Martin G wrote:
Thx for the reply!
Iv tried removing "port" and "tls_mode" from my radius.conf and hade "tls_start = yes" set.
The tls_certfile and tls_keyfile is now commented away #.
I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64
Is this file of ASCII type and does it read about like
-------- BEGIN CERTIFICATE ------ Base64 blob -------- END CERTIFICATE ------
?
That is the correct format, i.e. PEM.
Is there more than one certificate in the file?
If it is binary, then its DER format. In this case you could try
openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem
Id tried to use "c_rehash ." in that directory but the rehash dont find my cert, only other certs in that path who is made into strange names. Can i force it to pick my .b64 certificate or can i convert it in any other way? (after the certs turned into funny names from c_rehash, its just to rename them, if it starts to work with the right certificate?)
The only output i now get from lldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" is:
ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1)
Did i miss anything or is the only thing left now, to get a .pem certificate? -- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
Hmmmmm. Martin G wrote:
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command:
ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate
What is the CN in the SubjectDN of the ldap servers certificate? Is it a FQDN? If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with -h FQDN option. Is above warning going away?
filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL #
# lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion::
Something is at least working. It's not SSL secured though. ...
Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf as i did forget before.
slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo?
Do i need to convert the certificate to .pem and how if the c_rehash dont work?
If tls_cacertdir is not set, then don't use c_rehash. Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap servers certificate. Concatenate these PEM formatted CA certs into this single ASCII file. And I forgot, set ldap_debug to -1 in the radius config file. Don't send your ldap servers password in log files ;-) ...
Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs /WIFITREE_CA.b64" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" ... Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
-- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA And thats no FQDN!? (I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?) *output from novell* Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid Any idea how to type the FQDN !? :( (Thx for all the good answers this far!) /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Thu, 19 Jul 2007 17:51:24 +0200
Hmmmmm.
Martin G wrote:
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command:
ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate
What is the CN in the SubjectDN of the ldap servers certificate? Is it a FQDN?
If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
Is above warning going away?
filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL #
# lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion::
Something is at least working. It's not SSL secured though.
...
Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the
/etc/ldap/sldap.conf
as i did forget before.
slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo?
Do i need to convert the certificate to .pem and how if the c_rehash dont work?
If tls_cacertdir is not set, then don't use c_rehash.
Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap servers certificate. Concatenate these PEM formatted CA certs into this single ASCII file.
And I forgot, set ldap_debug to -1 in the radius config file.
Don't send your ldap servers password in log files ;-)
...
Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs /WIFITREE_CA.b64" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" ... Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Any idea how to type the FQDN !? :(
Well if this was your server:
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
FQDN would be: messenger.msn.click-url.com Ivan Kalik Kalik Informatika ISP
Iv found the following on the novellserver (CA-service): Distinguished name: WIFITREE CA.Security Host server: NW1.SYSTEM.WIFI "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN? I added the info in all kinds of sorts in my hosts-file to the novell-ip on the linux-server but still no progress :( Still: ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://wifi ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes Any good idea!? (iv added the novell-servers dns-ip to the ifconfig-dns of the linux also, but no help from that either). /Mr G
Any idea how to type the FQDN !? :(
Well if this was your server:
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
FQDN would be: messenger.msn.click-url.com
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
From: "Martin G" <kapten_kanelbulle@hotmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: freeradius-users@lists.freeradius.org Subject: Re: TLS cant connect ldap+freeradius+novell Date: Thu, 19 Jul 2007 18:05:22 +0200
Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA And thats no FQDN!? (I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?)
*output from novell* Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid
Any idea how to type the FQDN !? :(
(Thx for all the good answers this far!)
/Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Thu, 19 Jul 2007 17:51:24 +0200
Hmmmmm.
Martin G wrote:
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command:
ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate
What is the CN in the SubjectDN of the ldap servers certificate? Is it a FQDN?
If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
Is above warning going away?
filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL #
# lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion::
Something is at least working. It's not SSL secured though.
...
Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed
the
TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf as i did forget before.
slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo?
Do i need to convert the certificate to .pem and how if the c_rehash dont work?
If tls_cacertdir is not set, then don't use c_rehash.
Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap servers certificate. Concatenate these PEM formatted CA certs into this single ASCII file.
And I forgot, set ldap_debug to -1 in the radius config file.
Don't send your ldap servers password in log files ;-)
...
Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs /WIFITREE_CA.b64" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" ... Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Martin G wrote:
Iv found the following on the novellserver (CA-service): Distinguished name: WIFITREE CA.Security Host server: NW1.SYSTEM.WIFI
Well this looks like the novell ldap server certifivate.
"NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
Yes.
I added the info in all kinds of sorts in my hosts-file to the novell-ip on the linux-server but still no progress :( Still:
Put 10.10.0.11 nw1.system.wifi into the /etc/hosts file
ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://wifi ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes
Any good idea!?
Does your ldap server do ldaps on e.g. port 636? To get the ldap server certificate and mybe the CA chain validating this certificate you could try # openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state If your ldap server does not do ldaps try # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3 or # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp I expect this does not work since openssl s_client does not (yet) support starttls option with ldap protocol. But give it a whirl, maybe you get back something useful. Or enable ldaps on port 636 on your ldap server.... and try the top most openssl command from this mail. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Iv now got the "10.10.0.11 nw1.system.wifi" in my /etc/hosts file. I logged on to the novell-server and paged me to the ldap-connections-page. The server uses 389 for unencrypted connections and 636 for encrypted connections with ldap. When i use: openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state I get very very much information.. anything i shall look for !? maby attach as a file here!? When i use: openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3 I get: CONNECTED(00000003) and nothing more. When i use: openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp I get the same "CONNECTED(00000003). Any useful information!? Seems like it can connect on both the ports. /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Fri, 20 Jul 2007 11:14:46 +0200
Martin G wrote:
Iv found the following on the novellserver (CA-service): Distinguished name: WIFITREE CA.Security Host server: NW1.SYSTEM.WIFI
Well this looks like the novell ldap server certifivate.
"NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
Yes.
I added the info in all kinds of sorts in my hosts-file to the novell-ip on the linux-server but still no progress :( Still:
Put
10.10.0.11 nw1.system.wifi
into the /etc/hosts file
ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://wifi ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes
Any good idea!?
Does your ldap server do ldaps on e.g. port 636?
To get the ldap server certificate and mybe the CA chain validating this certificate you could try
# openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
If your ldap server does not do ldaps try
# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
or
# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
I expect this does not work since openssl s_client does not (yet) support starttls option with ldap protocol. But give it a whirl, maybe you get back something useful.
Or enable ldaps on port 636 on your ldap server.... and try the top most openssl command from this mail.
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Hi. Martin G wrote:
Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA
Well, that looks like the SubjectDN of your Novell CA certificate. You need to put this CA certificate (no the pkcs#12/.p12 or the private key) in PEM format into the file referenced by option tls_cacertfile.
And thats no FQDN!?
No.
(I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?)
You do *not* need the private key of your novell CA cert or your novell ldap server cert on your FreeRADIUS server.
*output from novell*
This looks like a selfsigned root-CA certificate:
Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid
Any idea how to type the FQDN !? :(
You need to get a PEM formatted copy of this CA certificate (w/o private key) and put that to the file referenced by option tls_cacertfile. And for ldapsearch put this certificate into /etc/ldap/ldap.conf as TLS_CACERT /etc/ldap/novell-ca-cert.pem -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Hello! I exported the .b64 and used a program do decrypt the .b64 into a .pem and put it in my /etc/freeradius/certs/WIFITREE_CA.pem then edited the /etc/ldap/ldap.conf /etc/ldap/slapd.conf and /etc/freeradius/radius.conf to point at the new .pem cert. I connected to the novell-server and inspected what ports the ldap used and its running on unencrypted 389 and encrypted port 636. My ldapconf now looks like: BASE: ou=adm,ou=malmo,o=wifi URI ldap://10.10.0.11 ldap://10.10.0.11 TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem TLS_REQCERT demand ldap_version 3 port 636 ssl start_tls ssl on ------ when i use the line ldapsearch -vvv -H ldap://10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" i recieve: ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1) But if i take away the -Z attribute, i get: ldapsearch -vvv -H ldap://10.10.0.11 -x -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=adm,ou=malmo,o=wifi> with scope subtree # filter: cn=lotta # requesting: ALL # # lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QWdlbnREYX RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaW9uPjxWZXJX0ZVRpbWU+MTE0OTUwMTY4MjwvVmV yV3JpdGVUaW1lPjwvQWdlbnREXRhPg== zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage sasDefaultLoginSequence: ------No default------ uid: lotta givenName: lotta fullName: lotta whatever Language: ENGLISH sn: whatever passwordUniqueRequired: FALSE passwordRequired: TRUE passwordMinimumLength: 5 passwordExpirationTime: 20070815131928Z passwordExpirationInterval: 3456000 passwordAllowChange: TRUE objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: Person objectClass: ndsLoginProperties objectClass: Top objectClass: radiusprofile loginTime: 20070723095349Z loginGraceRemaining: 6 loginGraceLimit: 6 cn: lotta ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights] ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript ACL: 2#entry#[Public]#messageServer ACL: 2#entry#[Root]#groupMembership ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration ACL: 2#entry#[Root]#networkAddress # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 im not very good at certificates or ldap at all, but in my eyes, it seems to work un-encrypted and not when i trie with the encryption. So it would be either the port 636 or the certificate!? And the novell tells me that the 636 port is used to accept encrypted questions. Might it be a fault when i tried to decrypt the WIFITREE_CA.b64 to WIFITREE_CA.pem? Any other idears? (is there a nice/easy way to do it in linux? i downloaded a windowsprogram and ftp:ed it to the linux-server) (the freeradius also tells me like before that it cant get a tls-connection) Thx for all help this far!! /Mr G
From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur@dfn-cert.de> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Fri, 20 Jul 2007 11:03:43 +0200
Hi.
Martin G wrote:
Subject of the novell-server-certificate is : O = WIFITREE OU = Organizational CA
Well, that looks like the SubjectDN of your Novell CA certificate. You need to put this CA certificate (no the pkcs#12/.p12 or the private key) in PEM format into the file referenced by option tls_cacertfile.
And thats no FQDN!?
No.
(I exported it from the novell as an .der and extracted it to see the subject, maby wrong way to do it? i havent exported the private key with either the .b64 or the .der and that shouldnt matter ?)
You do *not* need the private key of your novell CA cert or your novell ldap server cert on your FreeRADIUS server.
*output from novell*
This looks like a selfsigned root-CA certificate:
Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: den 22 oktober 2005 23:04:08 Expiration date: den 22 oktober 2015 23:04:08 Certificate status: Valid
Any idea how to type the FQDN !? :(
You need to get a PEM formatted copy of this CA certificate (w/o private key) and put that to the file referenced by option tls_cacertfile.
And for ldapsearch put this certificate into /etc/ldap/ldap.conf as
TLS_CACERT /etc/ldap/novell-ca-cert.pem
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
<< smime.p7s >>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
I connected to the novell-server and inspected what ports the ldap used and its running on unencrypted 389 and encrypted port 636.
My ldapconf now looks like: BASE: ou=adm,ou=malmo,o=wifi URI ldap://10.10.0.11 ldap://10.10.0.11 TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem TLS_REQCERT demand ldap_version 3 port 636 ssl start_tls ssl on
You're trying to use "start_tls", TLS connections are started on the (unencrypted) port 389 and are "upgraded" to a secure connection on the same port. So probably you don't have TLS support with your LDAP server (you need at least eDirectory 8.7 for what I know). Learn your LDAP server to talk TLS (by upgrading it), or initiate connections on the SSL port (636) and not the TLS one...
Ok, sounds good. I run Netware v 5.70.33 and that seems to have edirectory version 8.7.3.x I got a tab on novell with Ldap-connection. "Transport Layer Security (TLS / SSL)" Server Certificate: "SSL CertificateDNS" Client Certificate: **Not Requested** / Requested / Required Trusted Root Containers: TRUSTrootOU.Security ( ) Require TLS for all operations (not checked) ( ) Enable and require mutual authentication (not checked) Ports (x) Enable Encrypted Port Port: 636 (x) Enable Non-Encrypted Port Port: 389 If thats some kind of help!? /Mr G
From: "Jorgen Rosink" <jrosink@gmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Mon, 23 Jul 2007 11:47:45 +0200
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
I connected to the novell-server and inspected what ports the ldap used and its running on unencrypted 389 and encrypted port 636.
My ldapconf now looks like: BASE: ou=adm,ou=malmo,o=wifi URI ldap://10.10.0.11 ldap://10.10.0.11 TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem TLS_REQCERT demand ldap_version 3 port 636 ssl start_tls ssl on
You're trying to use "start_tls", TLS connections are started on the (unencrypted) port 389 and are "upgraded" to a secure connection on the same port. So probably you don't have TLS support with your LDAP server (you need at least eDirectory 8.7 for what I know). Learn your LDAP server to talk TLS (by upgrading it), or initiate connections on the SSL port (636) and not the TLS one... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Need a brain boost? Recharge with a stimulating game. Play now! http://club.live.com/home.aspx?icid=club_hotmailtextlink1
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
If thats some kind of help!?
There's a step-by-step howto on the Novell site: http://www.novell.com/documentation/edir_radius/index.html The section: Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module seems pretty self-explainary, follow the instructions, they do work ! Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier. Good luck !
On 7/23/07, Jorgen Rosink <jrosink@gmail.com> wrote:
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
If thats some kind of help!?
There's a step-by-step howto on the Novell site:
http://www.novell.com/documentation/edir_radius/index.html
The section:
Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module
seems pretty self-explainary, follow the instructions, they do work !
Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier.
Good luck !
Ow, I forgot to say this: * You're connecting to the LDAP server with an IP address: URI ldap://10.10.0.11 ldap://10.10.0.11 * But the LDAP server is using a DNS based certificate: "Transport Layer Security (TLS / SSL)" Server Certificate: "SSL CertificateDNS" Try to change that one to "SSL CertificateIP" or connect to LDAP from FreeRadius with a FQDN, don't care about host files. Certificate validation doesn't care about host files, it cares about the Common Name...
ldapsearch -vvv -H ldap://nw1.system.wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://nw1.system.wifi ) ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1) root@NS-ubuntu:/etc/freeradius/certs# And works without -Z :( Can it have something to do with our IP-change after we installed the novell / novellCA ? Its the correct ip to the server, but can the CA/certificate take damage in a IP-change? (The root-cert is exported AFTER the IP-change, but the CA-services was installed BEFORE the change). The hosts-file seems to be needed cause else i dont think that the linux-freeradius can map the nw1.system.wifi to an IP. /Mr G
From: "Jorgen Rosink" <jrosink@gmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Mon, 23 Jul 2007 12:39:58 +0200
On 7/23/07, Jorgen Rosink <jrosink@gmail.com> wrote:
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
If thats some kind of help!?
There's a step-by-step howto on the Novell site:
http://www.novell.com/documentation/edir_radius/index.html
The section:
Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module
seems pretty self-explainary, follow the instructions, they do work !
Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier.
Good luck !
Ow, I forgot to say this:
* You're connecting to the LDAP server with an IP address:
URI ldap://10.10.0.11 ldap://10.10.0.11
* But the LDAP server is using a DNS based certificate:
"Transport Layer Security (TLS / SSL)" Server Certificate: "SSL CertificateDNS"
Try to change that one to "SSL CertificateIP" or connect to LDAP from FreeRadius with a FQDN, don't care about host files. Certificate validation doesn't care about host files, it cares about the Common Name... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Iv tried to follow that guide. Iv got the Imanager on the same server as the RADIUS iManager plug-in and then by default iManager is configurated with SSL/TLS. But it still dont answers my questions from the linux-computer who does ldapsearch s, exept when i do it uncrypted. /Mr G
From: "Jorgen Rosink" <jrosink@gmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: TLS cant connect ldap+freeradius+novell Date: Mon, 23 Jul 2007 12:30:06 +0200
On 7/23/07, Martin G <kapten_kanelbulle@hotmail.com> wrote:
If thats some kind of help!?
There's a step-by-step howto on the Novell site:
http://www.novell.com/documentation/edir_radius/index.html
The section:
Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module
seems pretty self-explainary, follow the instructions, they do work !
Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier.
Good luck ! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
participants (4)
-
Jorgen Rosink -
Martin G -
Reimer Karlsen-Masur, DFN-CERT -
tnt@kalik.co.yu