Subject of the novell-server-certificate is:

  O = WIFITREE
  OU = Organizational CA

And that's no FQDN!? (I exported it from the novell as a .der and extracted it to see the subject, maybe the wrong way to do it? I haven't exported the private key with either the .b64 or the .der, and that shouldn't matter?)

*output from novell*

  Subject name: OU=Organizational CA.O=WIFITREE
  Issuer name: OU=Organizational CA.O=WIFITREE
  Effective date: den 22 oktober 2005 23:04:08
  Expiration date: den 22 oktober 2015 23:04:08
  Certificate status: Valid

Any idea how to type the FQDN!? :(

(Thx for all the good answers this far!)

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 17:51:24 +0200
>
>Hmmmmm.
>
>Martin G wrote:
> > Sorry, when I tried to rehash my certificate, id changed its path, but now
> > it's back and I got a new output from my ldapsearch-command:
> >
> > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > ldap_initialize( ldap://10.10.0.11 )
> > ldap_start_tls: Connect error (-11)
> >         additional info: TLS: hostname does not match CN in peer certificate
>
>What is the CN in the SubjectDN of the ldap server's certificate? Is it a FQDN?
>
>If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
>server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.
>
>Is the above warning going away?
>
> > filter: cn=lotta
> > requesting: All userApplication attributes
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > # filter: cn=lotta
> > # requesting: ALL
> > #
> >
> > # lotta, ADM, MALMO, WIFI
> > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > zenzfdVersion::
>
>Something is at least working. It's not SSL secured though.
>
>...
>
> > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > as I did forget before.
>
>slapd.conf is the config file of the openldap *server*. Messing with this
>file should not change anything. Or was that a typo?
>
> > > Do I need to convert the certificate to .pem, and how, if the c_rehash
> > > doesn't work?
>
>If tls_cacertdir is not set, then don't use c_rehash.
>
>Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
>certificates of the CA certificate chain that is needed to validate your
>ldap server's certificate. Concatenate these PEM formatted CA certs into this
>single ASCII file.
>
>And I forgot, set ldap_debug to -1 in the radius config file.
>
>Don't send your ldap server's password in log files ;-)
>
>...
>
> > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi"
>...
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
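The three things the quoted reply asks the poster to check (is the CN in the server certificate's SubjectDN an FQDN, does the name the client connects by match it, and does a single PEM bundle of the CA chain validate the server certificate) can be rehearsed offline with the openssl command line. The script below is an added example, not code from this thread or from FreeRADIUS or OpenLDAP; it assumes the openssl CLI (1.0.2 or later, for -checkhost/-checkip) and uses constructed names (EXAMPLE-ORG, ldap.example.test, 192.0.2.11) in place of the poster's WIFITREE CA and 10.10.0.11. It also walks the .der to PEM conversion and the bundle concatenation that the reply describes for tls_cacertfile.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce the check behind
# "TLS: hostname does not match CN in peer certificate" and build the single-file
# CA bundle that tls_cacertfile expects. Requires the openssl CLI.
# All names below are constructed: EXAMPLE-ORG, ldap.example.test, 192.0.2.11.
set -e

WORK="${TMPDIR:-/tmp}/ldaptls-demo.$$"
mkdir -p "$WORK"
HOST="ldap.example.test"   # constructed FQDN the server certificate is issued for
IP="192.0.2.11"            # constructed address a client might (wrongly) connect by

# 1. A CA whose subject, like the Novell "Organizational CA", is not an FQDN.
#    A CA subject never needs to be an FQDN; only the server cert's name matters.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=EXAMPLE-ORG/OU=Organizational CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Simulate a .der export of the CA certificate and convert it to PEM,
#    the format ldap.conf / tls_cacertfile expect.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
openssl x509 -inform DER -in "$WORK/ca.der" -outform PEM -out "$WORK/ca_from_der.pem"

# 3. A server certificate whose CN and subjectAltName carry the FQDN.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=EXAMPLE-ORG/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
  -out "$WORK/server.pem" 2>/dev/null

# 4. The bundle: every CA certificate of the chain concatenated into one PEM file.
#    With intermediate CAs you would append their PEM files here the same way.
cat "$WORK/ca_from_der.pem" > "$WORK/ca-bundle.pem"

# Print a certificate's subject in RFC 2253 form (works with old and new openssl output).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# "yes" if the certificate's CN/SAN covers the DNS name, else "no".
cert_matches_host() {
  if openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

# "yes" if the certificate carries an IP subjectAltName for the address, else "no".
cert_matches_ip() {
  if openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'; then
    echo yes
  else
    echo no
  fi
}

# Exit 0 if the certificate chains to a CA in the bundle, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

echo "CA subject:     $(cert_subject "$WORK/ca.pem")"
echo "server subject: $(cert_subject "$WORK/server.pem")"
echo "chain verifies against bundle: $(verify_chain "$WORK/ca-bundle.pem" "$WORK/server.pem" && echo yes || echo no)"
echo "connect by FQDN $HOST: name matches = $(cert_matches_host "$WORK/server.pem" "$HOST")"
echo "connect by IP $IP:    name matches = $(cert_matches_ip "$WORK/server.pem" "$IP")"
# Clean up with: rm -rf "$WORK"
```

Running it shows that the CA subject is just O/OU with no FQDN, which is fine for a CA; what must match is the name the client uses against the server certificate, so connecting by the address fails the name check while connecting by the FQDN passes, and the bundle built from the DER-converted CA validates the chain. Note also that the quoted debug output has `tls_require_cert = "allow"`, under which rlm_ldap tolerates a certificate it cannot validate; once the bundle verifies, `demand` is the setting that actually enforces the check.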