TLS cant connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Mon Jul 23 11:46:54 CEST 2007


I've now got the "10.10.0.11      nw1.system.wifi" in my /etc/hosts file.

I logged on to the Novell server and went to the LDAP connections page.
The server uses 389 for unencrypted connections and 636 for encrypted LDAP connections.

When I use:
openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
I get a very large amount of information. Anything I should look for!? Maybe attach it as a file here!?

When I use:
openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
I get:
CONNECTED(00000003)
and nothing more.

When I use:
openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
I get the same "CONNECTED(00000003)".

Any useful information!?
Seems like it can connect on both the ports.

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Fri, 20 Jul 2007 11:14:46 +0200
>
>
>Martin G wrote:
> > I've found the following on the Novell server (CA service):
> > Distinguished name: WIFITREE CA.Security
> > Host server: NW1.SYSTEM.WIFI
>
>Well this looks like the Novell LDAP server certificate.
>
> > "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
>
>Yes.
>
> > I added the info in all kinds of sorts in my hosts file to the Novell IP on
> > the Linux server but still no progress :( Still:
>
>Put
>
>10.10.0.11      nw1.system.wifi
>
>into the /etc/hosts file
>
> > ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > ldap_initialize( ldap://wifi )
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS: hostname does not match CN in peer certificate
> > filter: cn=lotta
> > requesting: All userApplication attributes
> >
> > Any good idea!?
>
>Does your ldap server do ldaps on e.g. port 636?
>
>To get the LDAP server certificate and maybe the CA chain validating this
>certificate you could try
>
># openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
>
>If your ldap server does not do ldaps try
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
>
>or
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
>
>I expect this does not work since openssl s_client does not (yet) support
>starttls option with ldap protocol. But give it a whirl, maybe you get back
>something useful.
>
>Or enable ldaps on port 636 on your ldap server.... and try the top most
>openssl command from this mail.
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737






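Added example, not from either mail in this thread: the line worth looking for in all that `openssl s_client` output is the `subject=` line, and the check that `ldap_start_tls` fails with "hostname does not match CN in peer certificate" is an RFC 6125-style comparison of the connected hostname against the certificate's names. The script below pulls the CN from a constructed sample of s_client output (only the CN `NW1.SYSTEM.WIFI` comes from the thread) and shows why connecting as `wifi` or by IP address fails while `nw1.system.wifi` passes.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample of the interesting lines from `openssl s_client -showcerts`;
# the subject CN is the host server name quoted from the Novell CA page.
SAMPLE_S_CLIENT_OUTPUT = """\
depth=0 O = WIFITREE, CN = NW1.SYSTEM.WIFI
verify error:num=21:unable to verify the first certificate
---
subject=O = WIFITREE, CN = NW1.SYSTEM.WIFI
issuer=O = WIFITREE, CN = WIFITREE CA
"""


def cert_cn_from_s_client(output: str) -> Optional[str]:
    """Return the CN from the `subject=` line of openssl s_client output.
    Handles both the old `/O=x/CN=y` and the newer `O = x, CN = y` layouts."""
    m = re.search(r"^subject=(.*)$", output, re.M)
    if not m:
        return None
    for part in re.split(r"[/,]", m.group(1)):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def hostname_matches(host: str, cert_names: List[str]) -> bool:
    """RFC 6125-style match, the kind of check an LDAP client's TLS layer runs
    before StartTLS succeeds. `host` is what `ldap_initialize( ldap://HOST )`
    shows; `cert_names` are DNS names from the certificate (CN or SANs)."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches a DNS-name CN
    except ValueError:
        pass
    host_labels = host.rstrip(".").lower().split(".")
    for name in cert_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host_labels):
            continue  # a wildcard covers exactly one label, never more
        # Case-insensitive label match; '*' is honoured only as the left-most label.
        if all(p == h or (p == "*" and i == 0)
               for i, (p, h) in enumerate(zip(pat, host_labels))):
            return True
    return False


if __name__ == "__main__":
    cn = cert_cn_from_s_client(SAMPLE_S_CLIENT_OUTPUT)
    for host in ("wifi", "10.10.0.11", "nw1.system.wifi"):
        ok = hostname_matches(host, [cn])
        print(host, "->", "ok" if ok else "hostname does not match CN in peer certificate")
```

This is why the /etc/hosts entry matters: the client must connect using the exact name in the certificate, not the IP and not a short alias.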




