TLS can't connect ldap+freeradius+novell

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Jul 20 11:14:46 CEST 2007


Martin G wrote:
> I've found the following on the novellserver (CA-service):
> Distinguished name: WIFITREE CA.Security
> Host server: NW1.SYSTEM.WIFI

Well, this looks like the novell ldap server certificate.

> "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?

Yes.

> I added the info in all kinds of sorts in my hosts-file to the novell-ip on 
> the linux-server but still no progress :( Still:

Put

10.10.0.11      nw1.system.wifi

into the /etc/hosts file

> ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi 
> "cn=lotta"
> ldap_initialize( ldap://wifi )
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> filter: cn=lotta
> requesting: All userApplication attributes
> 
> Any good idea!?

Does your ldap server do ldaps on e.g. port 636?

To get the ldap server certificate and maybe the CA chain validating this
certificate you could try

# openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state

If your ldap server does not do ldaps try

# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3

or

# openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp

I expect this does not work since openssl s_client does not (yet) support
starttls option with ldap protocol. But give it a whirl, maybe you get back
something useful.

Or enable ldaps on port 636 on your ldap server.... and try the top most
openssl command from this mail.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
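Added example, not part of the thread above: a Python script that does the two things the reply is about, pulling the LDAP server's certificate either over ldaps or through the LDAP StartTLS extended operation that s_client lacked at the time, and reproducing the hostname-vs-CN comparison behind the quoted "hostname does not match CN in peer certificate" error. The host name nw1.system.wifi and the address 10.10.0.11 are taken from the thread; the BER bytes and certificate dicts are constructed for illustration.

```python
import socket
import ssl

# LDAP StartTLS ExtendedRequest (RFC 4511, OID 1.3.6.1.4.1.1466.20037) with messageID 1,
# pre-encoded as BER: SEQUENCE { INTEGER 1, [APPLICATION 23] { [0] LDAPOID } }
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
STARTTLS_REQUEST = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID


def starttls_accepted(response: bytes) -> bool:
    """True if a (short-form BER) LDAP ExtendedResponse carries resultCode 0 (success)."""
    try:
        if response[0] != 0x30 or response[2] != 0x02:
            return False
        idx = 4 + response[3]            # skip the messageID INTEGER
        if response[idx] != 0x78:        # [APPLICATION 24] ExtendedResponse
            return False
        idx += 2                         # skip tag and length
        return response[idx] == 0x0A and response[idx + 2] == 0   # ENUMERATED resultCode
    except IndexError:
        return False


def fetch_peer_cert_der(host: str, port: int = 389, starttls: bool = True) -> bytes:
    """Fetch the leaf certificate (DER) like 'openssl s_client -showcerts' would.
    Use port=636, starttls=False for ldaps; port=389, starttls=True for StartTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we only want to inspect the cert, not trust it
    sock = socket.create_connection((host, port), timeout=5)
    if starttls:
        sock.sendall(STARTTLS_REQUEST)
        if not starttls_accepted(sock.recv(4096)):
            raise RuntimeError("server declined StartTLS")
    return ctx.wrap_socket(sock, server_hostname=host).getpeercert(binary_form=True)


def hostname_matches(cert: dict, hostname: str) -> bool:
    """The check behind 'TLS: hostname does not match CN in peer certificate'.
    cert has the dict shape ssl.SSLSocket.getpeercert() returns on a verified connection."""
    wanted = hostname.lower().rstrip(".")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:                        # no DNS SANs: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):        # a wildcard covers exactly one left-most label
            if wanted.count(".") == name.count(".") and wanted.endswith(name[1:]):
                return True
        elif name == wanted:
            return True
    return False
```

Calling `fetch_peer_cert_der("10.10.0.11", 636, starttls=False)` and feeding the result to `ssl.DER_cert_to_PEM_cert` gives the same PEM that `-showcerts` prints; OpenSSL 1.1.1 and later also accept `-starttls ldap`, which makes the pop3/smtp workaround unnecessary.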