Thanks for the reply! I've tried removing "port" and "tls_mode" from my radius.conf and had "tls_start = yes" set.
The tls_certfile and tls_keyfile are now commented out with #. I point tls_certfile at /etc/freeradius/certs/WIFITREE_CA.b64. I tried to use "c_rehash ." in that directory, but the rehash doesn't find my cert, only the other certs in that path, which get turned into strange names. Can I force it to pick up my .b64 certificate, or can I convert it some other way? (After the certs have been given funny names by c_rehash, is it just a matter of renaming them, if it starts to work with the right certificate?)

The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" is:

ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

Did I miss anything, or is the only thing left now to get a .pem certificate?

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 16:06:46 +0200
>
>Hi.
>
>Martin G wrote:
>> Hello!
>>
>> I'm new to both this mailing list and to Novell/Linux/LDAP/FreeRADIUS, but I've tried my best to install a RADIUS/LDAP Linux server to pass on RADIUS requests from an Aruba controller to our Novell server.
>>
>> IPs:
>> Novell 10.10.0.11
>> Aruba 10.10.0.28
>> Linux (freeradius+ldap) 10.10.0.132
>>
>> I've tried to change tls_mode, port and tls_start on and off a couple of times without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
>> I receive "TLS: hostname does not match CN in peer certificate".
>
>At least this means that your ldap server understands STARTTLS on the standard ldap port.
>
>So in the FreeRADIUS ldap config section you should *not* set the port and tls_mode options at all.
>
>You should set start_tls=yes though.
>
>As for the ldap server certificate name mismatch
>
>> So I have some thoughts about the certificate, but I've exported the self-signed Novell certificate from the Novell server and verified it. But I'm not sure how to use a "client certificate" on the Linux box.
>>
>> When I use "freeradius -XXX -A" on the Linux server and try to do a RADIUS request, the Aruba gets a timeout and the Linux server gives me the following log:
>
>Now for the certificates. Since your ldap server is using a server certificate you must configure FreeRADIUS to trust the issuing CA.
>
>Since identity and password are set it seems you do not use SSL client authentication to authenticate the FreeRADIUS server (acting as ldap client) at the ldap server.
>
>Hence don't set the tls_certfile and tls_keyfile options.
>
>Either use the tls_cacertfile xor the tls_cacertdir option.
>
>If using the former, put the whole CA certificate chain validating the ldap server's certificate, in PEM format, into the file named by this option. Concatenate the CA certs into that file.
>
>If using the latter, put all CA certs of the chain validating the ldap server's certificate, in PEM format and with a .pem file extension, into that directory. cd into this directory and execute
>
># c_rehash .
>
>to build some symlinks. The dot (.) for the current directory seems vital. c_rehash is a tool that comes with openssl.
>
>Be aware that the openldap client configuration file on the system, or the one for the user running FreeRADIUS, is being used. That is ~/.ldap.conf or system-wide something like /etc/openldap/ldap.conf, or whatever fits your filesystem layout and ldap installation on the FreeRADIUS server.
>
>To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf file. Debugging output is to be found in the files configured by syslogd, more than likely in /var/log/messages or similar.
>
>HTH & good luck
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>
><< smime.p7s >>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
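An added example, not part of this thread and not code from FreeRADIUS, OpenLDAP or OpenSSL: a small POSIX shell script that takes a CA certificate exported as a .b64 file (assumed here to be base64-encoded DER, with or without the "-----BEGIN CERTIFICATE-----" armor), writes it out as PEM, names the copy the way c_rehash would (subject-name hash plus ".0"), and checks that a certificate verifies against it. The file names and the self-signed demo CA are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): turn a CA certificate exported as
# ".b64" into the PEM form that tls_cacertfile / tls_cacertdir expect, and
# name it the way c_rehash would.
#
# Assumption: the .b64 export is base64-encoded DER, with or without PEM
# armor. All file names below are made up.
set -eu

# to_pem <input> <output.pem>
# Accepts armored PEM, raw DER, or bare base64 DER and writes armored PEM.
to_pem() {
    in=$1
    out=$2
    if openssl x509 -in "$in" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$in" -inform PEM -out "$out"
    elif openssl x509 -in "$in" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$in" -inform DER -out "$out"
    else
        # Bare base64 (maybe one long line, maybe CRLF): strip the line
        # breaks, re-wrap at 64 columns and add the PEM armor ourselves.
        {
            printf '%s\n' '-----BEGIN CERTIFICATE-----'
            tr -d '\r\n' <"$in" | fold -w 64
            printf '\n%s\n' '-----END CERTIFICATE-----'
        } | openssl x509 -inform PEM -out "$out"
    fi
}

# hash_name <cert.pem>
# Prints the subject-name hash that c_rehash uses for its <hash>.N links.
hash_name() {
    openssl x509 -in "$1" -noout -subject_hash
}

# install_cacert <cacertdir> <cert.pem>
# Copies the cert into a tls_cacertdir under its c_rehash name (<hash>.0,
# or .1, .2 ... if another cert already has that hash) and prints the path.
install_cacert() {
    dir=$1
    pem=$2
    h=$(hash_name "$pem")
    n=0
    while [ -e "$dir/$h.$n" ]; do
        n=$((n + 1))
    done
    cp "$pem" "$dir/$h.$n"
    printf '%s\n' "$dir/$h.$n"
}

# verify_with <ca.pem> <cert.pem>: succeeds if the CA file validates the cert.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo on a constructed self-signed CA standing in for the Novell export.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=wifi/CN=Demo WIFITREE CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
    # Simulate the .b64 export: DER, base64-encoded, no PEM armor.
    openssl x509 -in "$work/ca.pem" -outform DER | openssl base64 >"$work/WIFITREE_CA.b64"
    to_pem "$work/WIFITREE_CA.b64" "$work/WIFITREE_CA.pem"
    mkdir "$work/cacerts"
    installed=$(install_cacert "$work/cacerts" "$work/WIFITREE_CA.pem")
    verify_with "$installed" "$work/ca.pem"
    printf 'converted %s -> %s\n' "$work/WIFITREE_CA.b64" "$installed"
    rm -rf "$work"
}

demo
```

Once the PEM file exists, point tls_cacertfile at it (or drop the hash-named copy into the tls_cacertdir directory); because the OpenLDAP client library reads its own ldap.conf as well, the same CA may also need to be given there as TLS_CACERT, which is an assumption about the local setup rather than something the thread confirms. With OpenSSL 1.1.1 or later, `openssl s_client -connect 10.10.0.11:389 -starttls ldap -CAfile WIFITREE_CA.pem` shows whether the chain verifies independently of FreeRADIUS. Converting the certificate does not address the "hostname does not match CN" message from the earlier post; that is a separate issue with the name in the server certificate.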