I've found the following on the Novell server (CA service):

Distinguished name: WIFITREE CA.Security
Host server: NW1.SYSTEM.WIFI

"NW1" would be the server name and "NW1.SYSTEM.WIFI" the FQDN? I added the info in all kinds of sorts in my hosts file to the Novell IP on the Linux server, but still no progress :( Still:

ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
ldap_initialize( ldap://wifi )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
filter: cn=lotta
requesting: All userApplication attributes

Any good idea!? (I've added the Novell server's DNS IP to the ifconfig DNS of the Linux box as well, but no help from that either).

/Mr G

>> Any idea how to type the FQDN !? :(
>
> Well if this was your server:
>
>> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> FQDN would be: messenger.msn.click-url.com
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> From: "Martin G" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> To: freeradius-users@lists.freeradius.org
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Thu, 19 Jul 2007 18:05:22 +0200
>
> Subject of the Novell server certificate is:
> O = WIFITREE
> OU = Organizational CA
> And that's no FQDN!?
> (I exported it from the Novell as a .der and extracted it to see the subject, maybe the wrong way to do it? I haven't exported the private key with either the .b64 or the .der, and that shouldn't matter?)
>
> *output from novell*
> Subject name: OU=Organizational CA.O=WIFITREE
> Issuer name: OU=Organizational CA.O=WIFITREE
> Effective date: den 22 oktober 2005 23:04:08
> Expiration date: den 22 oktober 2015 23:04:08
> Certificate status: Valid
>
> Any idea how to type the FQDN !? :(
>
> (Thx for all the good answers this far!)
>
> /Mr G
>
> > From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> > Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> > Subject: Re: TLS cant connect ldap+freeradius+novell
> > Date: Thu, 19 Jul 2007 17:51:24 +0200
> >
> > Hmmmmm.
> >
> > Martin G wrote:
> > > Sorry, when I tried to rehash my certificate, I'd changed its path, but now it's back and I got a new output from my ldapsearch command:
> > >
> > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > ldap_initialize( ldap://10.10.0.11 )
> > > ldap_start_tls: Connect error (-11)
> > >         additional info: TLS: hostname does not match CN in peer certificate
> >
> > What is the CN in the SubjectDN of the ldap server's certificate? Is it a FQDN?
> >
> > If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.
> >
> > Is the above warning going away?
> >
> > > filter: cn=lotta
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > > # filter: cn=lotta
> > > # requesting: ALL
> > > #
> > >
> > > # lotta, ADM, MALMO, WIFI
> > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > zenzfdVersion::
> >
> > Something is at least working. It's not SSL secured though.
> >
> > ...
> >
> > > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf as I did forget before.
> >
> > slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo?
> >
> > > Do I need to convert the certificate to .pem, and how, if the c_rehash doesn't work?
> >
> > If tls_cacertdir is not set, then don't use c_rehash.
> >
> > Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap server's certificate. Concatenate these PEM formatted CA certs into this single ASCII file.
> >
> > And I forgot, set ldap_debug to -1 in the radius config file.
> >
> > Don't send your ldap server's password in log files ;-)
> >
> > ...
> > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> > ...
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
> >
> > --
> > Beste Gruesse / Kind Regards
> >
> > Reimer Karlsen-Masur
> >
> > DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> > --
> > Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> > DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> > Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
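An added set of shell helpers for the two checks this thread circles around (not code from the thread, FreeRADIUS or OpenLDAP): normalising an exported .der/.b64 CA certificate to PEM, concatenating the chain into the single file tls_cacertfile expects, and reading a certificate's subject CN so it can be compared with the host name passed to ldapsearch -h. It assumes only that openssl is installed; file names are assumptions, and the host name NW1.SYSTEM.WIFI is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers to (1) normalise an exported
# CA cert (.der or .b64/PEM) to PEM, (2) concatenate the CA chain into the
# single file that tls_cacertfile expects, and (3) read the subject CN of a
# certificate so it can be compared with the host name given to ldapsearch -h.
# The only tool needed is openssl. File names used here are assumptions.

# Print the certificate in PEM form whatever the input encoding is.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        cat "$1"
    else
        openssl x509 -in "$1" -inform DER -outform PEM
    fi
}

# build_bundle OUT CERT... : write all CA certs into OUT as PEM and print
# how many certificates the bundle contains.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        to_pem "$f" >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Print the subject CN of a certificate, or nothing when the subject has no
# CN at all (a CA subject like "OU=Organizational CA, O=WIFITREE" has none,
# so it can never match a host name).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Succeed when the CN equals HOST (case-insensitive). Clients also accept a
# matching subjectAltName dNSName; the CN is only the fallback check.
hostname_matches() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# To look at the certificate the LDAP server actually presents on StartTLS
# (OpenSSL 1.1.1 or later):
#   openssl s_client -connect NW1.SYSTEM.WIFI:389 -starttls ldap -showcerts
```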