TLS cant connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Thu Jul 19 16:40:34 CEST 2007


Thx for the reply!

I've tried removing "port" and "tls_mode" from my radius.conf and had
"tls_start = yes" set.

The tls_certfile and tls_keyfile are now commented out with #.

I set tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64

I'd tried to use "c_rehash ." in that directory, but the rehash doesn't find my
cert, only other certs in that path, which are made into strange names.
Can I force it to pick my .b64 certificate, or can I convert it in any other
way? (After the certs are turned into funny names by c_rehash, is it just a
matter of renaming them, if it starts to work with the right certificate?)

The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b
ou=adm,ou=malmo,o=wifi "cn=lotta"
is:

ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

Did I miss anything, or is the only thing left now to get a .pem
certificate?

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 16:06:46 +0200
>
>Hi.
>
>Martin G wrote:
> > Hello!
> >
> > I'm new to both this mailing list and to novell/linux/ldap/freeradius, but
> > I've tried my best to install a radius/ldap Linux server to pass on
> > radius requests from an Aruba controller to our Novell server.
> >
> > IPs:
> > Novell 10.10.0.11
> > Aruba 10.10.0.28
> > Linux (freeradius+ldap) 10.10.0.132
> >
> > I've tried to change tls_mode, port and tls_start on and off a couple of
> > times without any good result, and when I use ldapsearch -vvv -h 10.10.0.11
> > -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > I receive "TLS: hostname does not match CN in peer certificate".
>
>At least this means that your ldap server understands STARTTLS on the
>standard ldap port.
>
>So in FreeRADIUS ldap config section you should *not* set port and tls_mode
>options at all.
>
>You should set start_tls=yes though.
>
>
>
>As for the ldap server certificate name mismatch
>
> > So I have some thoughts about the certificate, but I've exported the
> > self-signed Novell certificate from the Novell server and verified it. But
> > I'm not sure how to use a "client certificate" on Linux.
> >
> > When I use "freeradius -XXX -A" on the Linux server and I try to do a
> > radius request, the Aruba gets a timeout and the Linux server gives me the
> > following log:
>
>Now for the certificates. Since your ldap server is using a server
>certificate you must configure FreeRADIUS to trust the issuing CA.
>
>Since identity and password are set it seems you do not use SSL client
>authentication to authenticate the FreeRADIUS server (acting as ldap client)
>at the ldap server.
>
>Hence don't set tls_certfile and tls_keyfile options.
>
>Either use tls_cacertfile xor tls_cacertdir option.
>
>If using the former, put all the CA certificates of the chain validating the
>ldap server's certificate, in PEM format, into the file named by this option,
>i.e. concatenate the CA certs into that file.
>
>If using the latter, put all CA certs of the chain validating the ldap
>server's certificate in PEM format, with a .pem file extension, into that
>directory. cd into this directory and execute
>
># c_rehash .
>
>to build some symlinks. The dot (.) for the current directory seems vital.
>c_rehash is a tool that comes with openssl.
>
>Be aware that the openldap client configuration file on the system, or for
>the user running FreeRADIUS, is being used. That is ~/.ldap.conf or system
>wide something like /etc/openldap/ldap.conf, or whatever fits your FS layout
>and ldap installation on the FreeRADIUS server.
>
>To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
>file. Debugging output is to be found in files configured by syslogd more
>than likely in /var/log/messages or similar.
>
>HTH & good luck
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>
>-
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html
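Two practical points follow from the exchange above. First, the CA certificate belongs in tls_cacertfile or tls_cacertdir, as the reply says, not in tls_certfile (that option is for an SSL client certificate), and FreeRADIUS 1.x rlm_ldap spells the switch start_tls, as the reply writes it. Second, c_rehash only looks at files with a .pem extension (later OpenSSL versions also accept .crt and .cer), so a file called WIFITREE_CA.b64 is silently skipped no matter what it contains; the "strange names" it produces are `<subject-hash>.0` symlinks that OpenSSL looks up by hash, and they point at the original files, so nothing needs renaming. The ldapsearch message "ldap_start_tls: Connect error (-11)" is OpenLDAP's LDAP_CONNECT_ERROR, which is what you get when the TLS handshake itself fails, most often because the client does not trust the issuer of the server certificate. The script below, an added example written for this thread and not code from the list, from FreeRADIUS or from OpenSSL, turns a Novell-style export into the PEM file those options expect, whether the export is already PEM, bare base64 of the DER certificate, or raw DER; it checks that the result is a complete ASN.1 SEQUENCE so a truncated or mis-encoded export is caught before it lands in tls_cacertdir. The file name WIFITREE_CA.b64 is taken from the post; the five-byte DER value used in the usage comment is a constructed stand-in for a real certificate.

```python
"""Normalise an exported CA certificate (e.g. a Novell ".b64" export) into the
PEM file that FreeRADIUS tls_cacertfile / tls_cacertdir (and c_rehash) expect.

Added example; not code from the mailing list, FreeRADIUS or OpenSSL.
Handles three export shapes: PEM with BEGIN/END lines, bare base64 of the DER
certificate, and raw binary DER. Standard library only.
"""
import base64
import binascii
import re
import sys
from pathlib import Path
from typing import Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _der_length_matches(der: bytes) -> bool:
    """Check that the outer SEQUENCE length field covers exactly the bytes we
    hold; this catches truncated or padded exports early."""
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length, one byte
        header, length = 2, first
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def der_from_export(data: bytes) -> bytes:
    """Return the DER bytes of the certificate contained in an exported blob.

    Raises ValueError when the blob is none of PEM, bare base64 or DER, or when
    the decoded bytes are not a complete outer ASN.1 SEQUENCE (tag 0x30).
    """
    if data[:1] == b"\x30":                # raw DER: a certificate is a SEQUENCE
        der = data
    else:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError("binary data that is not DER") from exc
        match = _PEM_BODY.search(text)
        body = match.group(1) if match else text   # PEM body, or bare base64
        body = re.sub(r"\s+", "", body)            # drop CR/LF and stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("not PEM, bare base64 or DER") from exc
    if der[:1] != b"\x30" or not _der_length_matches(der):
        raise ValueError("decoded data is not a complete ASN.1 SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    """Wrap DER in the 64-column PEM framing that OpenSSL and c_rehash read."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def convert_file(src: str, dst: Optional[str] = None) -> Path:
    """Convert src to PEM; the default destination is src with a .pem suffix
    (e.g. WIFITREE_CA.b64 -> WIFITREE_CA.pem). Returns the output path."""
    src_path = Path(src)
    out = Path(dst) if dst else src_path.with_suffix(".pem")
    out.write_text(der_to_pem(der_from_export(src_path.read_bytes())))
    return out


if __name__ == "__main__":
    # usage: python3 b64_to_pem.py /etc/freeradius/certs/WIFITREE_CA.b64
    # A constructed stand-in such as b"\x30\x03\x02\x01\x05" (SEQUENCE{INTEGER 5})
    # round-trips through der_from_export/der_to_pem the same way a real cert does.
    print(convert_file(sys.argv[1]))
```

Once WIFITREE_CA.pem exists, either name it in tls_cacertfile, or drop it into the tls_cacertdir directory and run `c_rehash .` there; `openssl x509 -in WIFITREE_CA.pem -noout -subject_hash` prints the hash that the `.0` symlink is named after, so you can confirm the link points at your file. For a raw DER export, `openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem` does the same conversion. The earlier "hostname does not match CN in peer certificate" message is a separate check: the client compares the host it was told to connect to (here the IP 10.10.0.11) with the CN in the server certificate, so connect using the name the certificate carries rather than disabling verification.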
