TLS can't connect ldap+freeradius+novell

Martin G kapten_kanelbulle at hotmail.com
Mon Jul 23 13:04:13 CEST 2007


ldapsearch -vvv -H ldap://nw1.system.wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
ldap_initialize( ldap://nw1.system.wifi )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
root at NS-ubuntu:/etc/freeradius/certs#

And it works without -Z :(

Can it have something to do with our IP change after we installed the Novell
/ Novell CA?
It's the correct IP for the server, but can the CA/certificate be damaged by
an IP change?

(The root cert was exported AFTER the IP change, but the CA services were
installed BEFORE the change.)

The hosts file seems to be needed, because otherwise I don't think the
Linux FreeRADIUS can map nw1.system.wifi to an IP.

/Mr G

>From: "Jorgen Rosink" <jrosink at gmail.com>
>Reply-To: FreeRadius users mailing list 
><freeradius-users at lists.freeradius.org>
>To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>Subject: Re: TLS can't connect ldap+freeradius+novell
>Date: Mon, 23 Jul 2007 12:39:58 +0200
>
>On 7/23/07, Jorgen Rosink <jrosink at gmail.com> wrote:
> > On 7/23/07, Martin G <kapten_kanelbulle at hotmail.com> wrote:
> >
> > > If that's some kind of help!?
> >
> > There's a step-by-step howto on the Novell site:
> >
> > http://www.novell.com/documentation/edir_radius/index.html
> >
> > The section:
> >
> > Configuring the FreeRADIUS Server to Integrate with eDirectory ->
> > Modifying the LDAP Module
> >
> > seems pretty self-explanatory, follow the instructions, they do work !
> >
> > Try to understand the difference between TLS and SSL,
> > http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
> > debugging the encryption stuff much easier.
> >
> > Good luck !
>
>Ow, I forgot to say this:
>
>* You're connecting to the LDAP server with an IP address:
>
>URI ldap://10.10.0.11 ldap://10.10.0.11
>
>* But the LDAP server is using a DNS based certificate:
>
>"Transport Layer Security (TLS / SSL)"
>Server Certificate:    "SSL CertificateDNS"
>
>
>Try to change that one to "SSL CertificateIP" or connect to LDAP from
>FreeRadius with a FQDN, don't care about host files. Certificate
>validation doesn't care about host files, it cares about the Common
>Name...
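The point Jorgen makes at the end of the quoted reply, that certificate validation matches the identity in the client's URI against the certificate and not against anything in the hosts file, can be reproduced without an eDirectory server. The following is an added example written for this page, not code from the thread, from Novell or from the FreeRADIUS project. It constructs a throwaway self-signed certificate that carries only a DNS subjectAltName, standing in for the "SSL CertificateDNS" case, then asks OpenSSL's verifier to validate it once for the FQDN used in the thread (nw1.system.wifi) and once for the IP address (10.10.0.11). It assumes OpenSSL 1.1.1 or newer is installed (for `req -addext`); the names and address are taken from the thread, the key and certificate are generated on the fly.

```shell
#!/bin/sh
# Added example: a certificate issued for a DNS name validates when the client
# names the server by that FQDN and fails when the client names it by IP.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed "server" certificate with a DNS-only SAN, mirroring
# Novell's "SSL CertificateDNS". Being self-signed, it serves as its own CA.
ensure_cert() {
  [ -f "$WORK/cert.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=nw1.system.wifi" \
    -addext "subjectAltName=DNS:nw1.system.wifi" >/dev/null 2>&1
}

# Print the certificate's subjectAltName so the reader can see what the
# verifier has to match against.
show_san() {
  ensure_cert
  openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName
}

# Validate the certificate the way a TLS client does for the identity in its URI.
# $1 is "hostname" or "ip" (selects -verify_hostname / -verify_ip), $2 is the
# identity. Prints "ok" or "mismatch"; exit status 0 only for "ok". The result
# is read from the verifier's own "<file>: OK" line rather than its exit code.
check_identity() {
  ensure_cert
  kind=$1
  ident=$2
  if openssl verify -CAfile "$WORK/cert.pem" "-verify_$kind" "$ident" \
       "$WORK/cert.pem" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo mismatch
    return 1
  fi
}

# Demo: the two URIs from the thread against the same certificate.
show_san
echo "ldap://nw1.system.wifi -> $(check_identity hostname nw1.system.wifi || true)"
echo "ldap://10.10.0.11      -> $(check_identity ip 10.10.0.11 || true)"
```

Adding `10.10.0.11 nw1.system.wifi` to `/etc/hosts` changes only how the name is resolved; the identity compared against the certificate is still whatever the client wrote in the URI, so the second check stays a mismatch unless the certificate gains an iPAddress SAN (Novell's "SSL CertificateIP") or the client switches to the FQDN.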
