TLS cant connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Thu Jul 19 18:05:22 CEST 2007


Subject of the Novell server certificate is: O = WIFITREE
OU = Organizational CA
And that's no FQDN!?
(I exported it from the Novell as a .der and extracted it to see the
subject, maybe the wrong way to do it? I haven't exported the private key with
either the .b64 or the .der and that shouldn't matter?)

*output from novell*
Subject name: OU=Organizational CA.O=WIFITREE
Issuer name: OU=Organizational CA.O=WIFITREE
Effective date: den 22 oktober 2005 23:04:08
Expiration date:  den 22 oktober 2015 23:04:08
Certificate status: Valid

Any idea how to type the FQDN !? :(

(Thx for all the good answers this far!)

/Mr G


>From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 17:51:24 +0200
>
>Hmmmmm.
>
>Martin G wrote:
> > Sorry, when I tried to rehash my certificate, I'd changed its path, but
> > now it's back and I got a new output from my ldapsearch command:
> >
> > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > ldap_initialize( ldap://10.10.0.11 )
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS: hostname does not match CN in peer certificate
>
>What is the CN in the SubjectDN of the ldap server's certificate? Is it an
>FQDN?
>
>If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
>server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.
>
>Is the above warning going away?
>
> > filter: cn=lotta
> > requesting: All userApplication attributes
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > # filter: cn=lotta
> > # requesting: ALL
> > #
> >
> > # lotta, ADM, MALMO, WIFI
> > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > zenzfdVersion::
>
>Something is at least working. It's not SSL secured though.
>
>...
> >
> > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > as I forgot to do before.
>
>slapd.conf is the config file of the openldap *server*. Messing with this
>file should not change anything. Or was that a typo?
>
> > Do I need to convert the certificate to .pem, and how, if the c_rehash
> > doesn't work?
>
>If tls_cacertdir is not set, then don't use c_rehash.
>
>Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
>certificates of the CA certificate chain that is needed to validate your
>ldap server's certificate. Concatenate these PEM formatted CA certs into this
>single ASCII file.
>
>And I forgot, set ldap_debug to -1 in the radius config file.
>
>Don't send your ldap servers password in log files ;-)
>
>...
> > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
>...
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> > Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737






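Reimer's two questions above (what is the CN in the SubjectDN of the server certificate, and is it the FQDN the client actually connects to?) and his tls_cacertfile advice can both be checked from a shell. The script below is an added example, not from the thread or from the FreeRADIUS, OpenLDAP or Novell projects; it needs openssl, and the file names and the constructed demo certificates (an eDirectory-style CA certificate with no CN, and a server certificate for the assumed host ldap.wifi.test) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread); needs openssl, file names are assumed.
# Converts an eDirectory-exported cert (.der or base64 .b64) to PEM, shows its
# CN and DNS SANs, tests the name given to ldapsearch -h, builds tls_cacertfile.

# Emit a certificate as PEM whether the input file is DER or already PEM.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then cat "$1"
  else openssl x509 -inform DER -in "$1"; fi
}

# Print the subject CN, or nothing when the subject has none (as with the
# "OU=Organizational CA, O=WIFITREE" CA certificate quoted in the thread).
cert_cn() {
  to_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the DNS names from subjectAltName, one per line (possibly none).
cert_dns_sans() {
  to_pem "$1" | openssl x509 -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if HOST equals the CN or a DNS SAN. An IP such as 10.10.0.11
# never equals an FQDN CN: the thread's "hostname does not match CN" (-11).
cert_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ] && return 0
  cert_dns_sans "$1" | grep -qx -- "$2"
}

# Concatenate the CA certs of the chain into one PEM file for tls_cacertfile
# (no c_rehash needed) and print how many certificates it holds.
make_ca_bundle() {
  out="$1"; shift
  for f in "$@"; do to_pem "$f"; done > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Constructed demo material: a CA cert with no CN at all, written as DER like
# the eDirectory export, and a server cert for ldap.wifi.test with a DNS SAN.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$1/ca.key" \
    -out "$1/ca.pem" -subj "/O=WIFITREE/OU=Organizational CA" 2>/dev/null
  openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$1/ldap.key" \
    -out "$1/ldap.pem" -subj "/O=WIFITREE/CN=ldap.wifi.test" \
    -addext "subjectAltName=DNS:ldap.wifi.test" 2>/dev/null
}
```

Sourcing the file and running `make_demo_certs /tmp/demo; cert_matches_host /tmp/demo/ldap.pem 10.10.0.11` reproduces the mismatch that `ldapsearch -h 10.10.0.11 -Z` reports, while `cert_matches_host /tmp/demo/ldap.pem ldap.wifi.test` succeeds. Point -h (or an /etc/hosts entry, as Reimer suggests) at the name in the CN, and hand tls_cacertfile the bundle from make_ca_bundle rather than a single .b64 file.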




