Re: TLS cant connect ldap+freeradius+novell
Hi Martin,

If you do not already have it working, here are the steps that got mine to work:

1) Log in to Novell iManager and under Roles and Tasks -> LDAP options -> View LDAP Servers -> click on the server -> Connections -> make sure "SSL Certificate IP" is the server cert and "Client Certificate - Not Requested".

2) Now if you click on Novell Certificate Access -> Server Certificates -> expand "SSL Certificate IP", it shows that it is signed by the Organizational CA.

3) Click Novell Certificate Server -> Configure Certificate Authority -> click the Certificates tab -> select "Organizational CA" -> Export, follow the steps and download the cert to a file, say "cert.pfx".

4) Open cygwin (since I use eDir on Windows) and do:

    openssl pkcs12 -in ~/Desktop/cert.pfx -nocerts -nodes -out ~/Desktop/edir_ca_key.pem
    openssl pkcs12 -in ~/Desktop/cert.pfx -clcerts -nokeys -out ~/Desktop/edir_ca_cert.pem
    cat ~/Desktop/edir_ca_cert.pem ~/Desktop/edir_ca_key.pem > ~/Desktop/edir.pem

5) Copy edir.pem to the radius server under, say, /certs/edir/edir.pem

6) My module looks like:

    # make sure the ip is the same ip as in the CN of the CA cert
    ldap ldap1 {
            # edir
            server = 192.168.1.40
            port = 636
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            basedn = "o=engineering"
            identity = "cn=admin,o=domain"
            password = "*"
            password_attribute = nspmPassword
            edir_account_policy_check = yes
            filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
            start_tls = no
            tls_cacertfile = /certs/edir/edir.pem
            tls_certfile = /certs/edir/client.pem
            tls_keyfile = /certs/edir/client.pem
            tls_require_cert = "demand"
            #tls_mode = yes
            ldap_connections_number = 5
            timeout = 5
            timelimit = 3
            net_timeout = 1
    }

Good luck :)

Yogesh.

On 7/19/07, Martin G <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> tried my best to install a radius/ldap linux server to pass on
> radius requests from an Aruba controller to our novell server.
>
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
>
> I've tried to change tls_mode, port and tls_start on and off a couple of times
> without any good result, and when I use
>
>     ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
>
> I receive "TLS: hostname does not match CN in peer certificate".
>
> So I have some thoughts about the certificate, but I've exported the
> self-signed novell certificate from the novell server and verified it. But I'm
> not sure how to use a "client certificate" on the linux.
>
> When I use "freeradius -XXX -A" on the linux server and I try to do a
> radius request, the aruba gets a timeout and the linux server tells me the
> following log:
>
> Tue Jul 10 11:32:28 2007 : Info: Starting - reading configuration files ...
> Tue Jul 10 11:32:28 2007 : Debug: reread_config: reading radiusd.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/proxy.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/clients.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/snmp.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/eap.conf
> Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/sql.conf
> Tue Jul 10 11:32:28 2007 : Debug: main: prefix = "/usr"
> Tue Jul 10 11:32:28 2007 : Debug: main: localstatedir = "/var"
> Tue Jul 10 11:32:28 2007 : Debug: main: logdir = "/var/log/freeradius"
> Tue Jul 10 11:32:28 2007 : Debug: main: libdir = "/usr/lib/freeradius"
> Tue Jul 10 11:32:28 2007 : Debug: main: radacctdir = "/var/log/freeradius/radacct"
> Tue Jul 10 11:32:28 2007 : Debug: main: hostname_lookups = no
> Tue Jul 10 11:32:28 2007 : Debug: main: max_request_time = 30
> Tue Jul 10 11:32:28 2007 : Debug: main: cleanup_delay = 5
> Tue Jul 10 11:32:28 2007 : Debug: main: max_requests = 1024
> Tue Jul 10 11:32:28 2007 : Debug: main: delete_blocked_requests = 0
> Tue Jul 10 11:32:28 2007 : Debug: main: port = 0
> Tue Jul 10 11:32:28 2007 : Debug: main: allow_core_dumps = no
> Tue Jul 10 11:32:28 2007 : Debug: main: log_stripped_names = yes
> Tue Jul 10 11:32:28 2007 : Debug: main: log_file = "/var/log/freeradius/radius.log"
> Tue Jul 10 11:32:28 2007 : Debug: main: log_auth = yes
> Tue Jul 10 11:32:28 2007 : Debug: main: log_auth_badpass = yes
> Tue Jul 10 11:32:28 2007 : Debug: main: log_auth_goodpass = yes
> Tue Jul 10 11:32:28 2007 : Debug: main: pidfile = "/var/run/freeradius/freeradius.pid"
> Tue Jul 10 11:32:28 2007 : Debug: main: user = "freerad"
> Tue Jul 10 11:32:28 2007 : Debug: main: group = "freerad"
> Tue Jul 10 11:32:28 2007 :
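Yogesh's step 4 concatenates the CA certificate and the CA private key into one file, and step 6 hands that file to tls_cacertfile. As an added example (not code from this thread or from FreeRADIUS), the Python below inspects a PEM bundle before it is used that way: it counts CERTIFICATE blocks, flags private key blocks (a CA bundle on the RADIUS server does not need the CA key, as Reimer also says elsewhere in the thread), and recognises the two other shapes that turn up here, a DER export and a bare .b64 body with no PEM armor. The sample inputs are constructed placeholders rather than real certificates, and inspect_pem_bundle and the FAKE_* names are this example's own.

```python
"""Inspect a PEM bundle before pointing tls_cacertfile at it.

Added example, not code from this thread or from FreeRADIUS. The checks
mirror what goes wrong in the thread: a bare .b64 export used directly,
a DER file where PEM is expected, and a CA private key concatenated into
the bundle that is copied to the RADIUS server.
"""
import base64
import binascii
import re

# One PEM block: BEGIN/END armor lines around a base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def inspect_pem_bundle(data: bytes) -> dict:
    """Return the block types found and a list of problems to fix before
    the file is used as a CA bundle (tls_cacertfile / TLS_CACERT)."""
    report = {"blocks": [], "certificates": 0, "private_keys": 0, "problems": []}

    # Heuristic: DER starts with an ASN.1 SEQUENCE tag (0x30); PEM starts with armor.
    if data[:1] == b"\x30" and not data.lstrip().startswith(b"-----"):
        report["problems"].append(
            "file is DER, not PEM; convert with 'openssl x509 -inform der -in <file> -out <file>.pem'"
        )
        return report

    for match in PEM_BLOCK.finditer(data):
        kind = match.group(1).decode()
        body = b"".join(match.group(2).split())  # drop line wrapping
        report["blocks"].append(kind)
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            report["problems"].append(f"{kind} block is not valid base64")
            continue
        if kind == "CERTIFICATE":
            report["certificates"] += 1
            if der[:1] != b"\x30":
                report["problems"].append("CERTIFICATE body is not ASN.1 DER")
        elif kind.endswith("PRIVATE KEY"):
            report["private_keys"] += 1

    if not report["blocks"]:
        stripped = b"".join(data.split())
        try:
            if stripped and base64.b64decode(stripped, validate=True):
                # A raw .b64 export decodes fine but has no armor, so OpenSSL
                # will not accept it as a PEM CA file.
                report["problems"].append(
                    "base64 without PEM armor; wrap it in BEGIN/END CERTIFICATE lines"
                )
            else:
                report["problems"].append("no PEM blocks found")
        except binascii.Error:
            report["problems"].append("no PEM blocks found")
    elif report["certificates"] == 0:
        report["problems"].append("no CERTIFICATE block; a CA bundle needs the CA certificate")
    if report["private_keys"]:
        report["problems"].append(
            "bundle contains a private key; the CA key does not belong on the RADIUS server"
        )
    return report


# Constructed placeholders (a tiny ASN.1 SEQUENCE), not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
                 + b"-----END CERTIFICATE-----\n")
FAKE_KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(b"\x30\x00")
                + b"-----END RSA PRIVATE KEY-----\n")
FAKE_B64_ONLY = base64.encodebytes(FAKE_DER)   # what a raw .b64 export looks like

if __name__ == "__main__":
    for label, blob in (("cert only", FAKE_CERT_PEM),
                        ("cert + key", FAKE_CERT_PEM + FAKE_KEY_PEM),
                        ("der", FAKE_DER), ("bare b64", FAKE_B64_ONLY)):
        print(label, "->", inspect_pem_bundle(blob))
```

Run it against the file you intend to name in tls_cacertfile; a clean report is an empty problems list with at least one CERTIFICATE block. A bundle that trips the private-key check should have the key block removed (the page's own `openssl pkcs12 -clcerts -nokeys` output is the part to keep).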
Re: TLS cant connect ldap+freeradius+novell
    ldapsearch -vvv -H ldap://nw1.system.wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
    ldap_initialize( ldap://nw1.system.wifi )
    ldap_start_tls: Connect error (-11)
    ldap_result: Can't contact LDAP server (-1)
    [EMAIL PROTECTED]:/etc/freeradius/certs#

And it works without -Z :(

Can it have something to do with our IP change after we installed the novell / novell CA? It's the correct IP for the server, but can the CA/certificate take damage in an IP change? (The root cert was exported AFTER the IP change, but the CA services were installed BEFORE the change.)

The hosts file seems to be needed, because otherwise I don't think the linux freeradius can map nw1.system.wifi to an IP.

/Mr G

> From: "Jorgen Rosink" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: "FreeRadius users mailing list"
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Mon, 23 Jul 2007 12:39:58 +0200
>
> On 7/23/07, Jorgen Rosink <[EMAIL PROTECTED]> wrote:
> > On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
> >
> > > If thats some kind of help!?
> >
> > There's a step-by-step howto on the Novell site:
> >
> > http://www.novell.com/documentation/edir_radius/index.html
> >
> > The section:
> >
> > Configuring the FreeRADIUS Server to Integrate with eDirectory ->
> > Modifying the LDAP Module
> >
> > seems pretty self-explanatory, follow the instructions, they do work!
> >
> > Try to understand the difference between TLS and SSL,
> > http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
> > debugging the encryption stuff much easier.
> >
> > Good luck!
>
> Ow, I forgot to say this:
>
> * You're connecting to the LDAP server with an IP address:
>
>     URI ldap://10.10.0.11 ldap://10.10.0.11
>
> * But the LDAP server is using a DNS based certificate:
>
>     "Transport Layer Security (TLS / SSL)"
>     Server Certificate: "SSL CertificateDNS"
>
> Try to change that one to "SSL CertificateIP" or connect to LDAP from
> FreeRadius with a FQDN, don't care about host files. Certificate
> validation doesn't care about host files, it cares about the Common
> Name...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS cant connect ldap+freeradius+novell
I've tried to follow that guide. I've got iManager on the same server as the RADIUS iManager plug-in, and then by default iManager is configured with SSL/TLS. But it still doesn't answer my questions from the linux computer that does the ldapsearches, except when I do it unencrypted.

/Mr G

> From: "Jorgen Rosink" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: "FreeRadius users mailing list"
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Mon, 23 Jul 2007 12:30:06 +0200
>
> On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
>
> > If thats some kind of help!?
>
> There's a step-by-step howto on the Novell site:
>
> http://www.novell.com/documentation/edir_radius/index.html
>
> The section:
>
> Configuring the FreeRADIUS Server to Integrate with eDirectory ->
> Modifying the LDAP Module
>
> seems pretty self-explanatory, follow the instructions, they do work!
>
> Try to understand the difference between TLS and SSL,
> http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
> debugging the encryption stuff much easier.
>
> Good luck!
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Jorgen Rosink <[EMAIL PROTECTED]> wrote:
> On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
>
> > If thats some kind of help!?
>
> There's a step-by-step howto on the Novell site:
>
> http://www.novell.com/documentation/edir_radius/index.html
>
> The section:
>
> Configuring the FreeRADIUS Server to Integrate with eDirectory ->
> Modifying the LDAP Module
>
> seems pretty self-explanatory, follow the instructions, they do work!
>
> Try to understand the difference between TLS and SSL,
> http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes
> debugging the encryption stuff much easier.
>
> Good luck!

Ow, I forgot to say this:

* You're connecting to the LDAP server with an IP address:

    URI ldap://10.10.0.11 ldap://10.10.0.11

* But the LDAP server is using a DNS based certificate:

    "Transport Layer Security (TLS / SSL)"
    Server Certificate: "SSL CertificateDNS"

Try to change that one to "SSL CertificateIP" or connect to LDAP from FreeRadius with a FQDN, don't care about host files. Certificate validation doesn't care about host files, it cares about the Common Name...
Re: TLS cant connect ldap+freeradius+novell
Ok, sounds good. I run Netware v 5.70.33 and that seems to have eDirectory version 8.7.3.x

I got a tab on Novell with LDAP connection:

    "Transport Layer Security (TLS / SSL)"
    Server Certificate: "SSL CertificateDNS"
    Client Certificate: **Not Requested** / Requested / Required
    Trusted Root Containers: TRUSTrootOU.Security
    ( ) Require TLS for all operations (not checked)
    ( ) Enable and require mutual authentication (not checked)

    Ports
    (x) Enable Encrypted Port        Port: 636
    (x) Enable Non-Encrypted Port    Port: 389

If that's some kind of help!?

/Mr G

> From: "Jorgen Rosink" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: "FreeRadius users mailing list"
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Mon, 23 Jul 2007 11:47:45 +0200
>
> On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
> > I connected to the novell-server and inspected what ports the ldap used and
> > its running on unencrypted 389 and encrypted port 636.
> >
> > My ldapconf now looks like:
> > BASE: ou=adm,ou=malmo,o=wifi
> > URI ldap://10.10.0.11 ldap://10.10.0.11
> > TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
> > TLS_REQCERT demand
> > ldap_version 3
> > port 636
> > ssl start_tls
> > ssl on
>
> You're trying to use "start_tls", TLS connections are started on the
> (unencrypted) port 389 and are "upgraded" to a secure connection on the
> same port. So probably you don't have TLS support with your LDAP server
> (you need at least eDirectory 8.7 for what I know). Learn your LDAP server
> to talk TLS (by upgrading it), or initiate connections on the SSL port (636)
> and not the TLS one...
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:

> If thats some kind of help!?

There's a step-by-step howto on the Novell site:

http://www.novell.com/documentation/edir_radius/index.html

The section:

Configuring the FreeRADIUS Server to Integrate with eDirectory -> Modifying the LDAP Module

seems pretty self-explanatory, follow the instructions, they do work!

Try to understand the difference between TLS and SSL, http://en.wikipedia.org/wiki/Transport_Layer_Security, this makes debugging the encryption stuff much easier.

Good luck!
Re: TLS cant connect ldap+freeradius+novell
On 7/23/07, Martin G <[EMAIL PROTECTED]> wrote:
> I connected to the novell-server and inspected what ports the ldap used and
> its running on unencrypted 389 and encrypted port 636.
>
> My ldapconf now looks like:
> BASE: ou=adm,ou=malmo,o=wifi
> URI ldap://10.10.0.11 ldap://10.10.0.11
> TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
> TLS_REQCERT demand
> ldap_version 3
> port 636
> ssl start_tls
> ssl on

You're trying to use "start_tls", TLS connections are started on the (unencrypted) port 389 and are "upgraded" to a secure connection on the same port. So probably you don't have TLS support with your LDAP server (you need at least eDirectory 8.7 for what I know). Learn your LDAP server to talk TLS (by upgrading it), or initiate connections on the SSL port (636) and not the TLS one...
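Jorgen's point is that StartTLS and LDAPS are two different first moves on the wire, and a client configured for one against a port that speaks the other never gets as far as a certificate check. As an added example, not code from this thread or from OpenLDAP, the Python below encodes the LDAP StartTLS ExtendedRequest a client sends in the clear on port 389, decodes the ExtendedResponse that has to come back before any TLS handshake, and classifies the first bytes a peer sends so a capture from either port can be told apart (a 636 listener expects a TLS record, not an LDAP PDU). The helper names (ber, starttls_request, parse_extended_response, first_bytes_look_like, starttls_then_wrap) and the sample responses are constructed for this example; starttls_then_wrap needs a live server and is not exercised offline.

```python
"""LDAP StartTLS (port 389) versus LDAPS (port 636) at the byte level.

Added example, not code from this thread or from OpenLDAP. On 389 the
client opens a cleartext LDAP session and sends an ExtendedRequest that
carries the StartTLS OID; only after a successful ExtendedResponse does
the TLS handshake start on the same socket. On 636 there is no LDAP
before TLS: the first bytes on the wire are the TLS ClientHello.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    assert 0 < message_id < 0x80, "single-byte messageID is enough here"
    ext = ber(0x77, ber(0x80, STARTTLS_OID))       # 0x77 = APPLICATION 23, constructed
    return ber(0x30, ber(0x02, bytes([message_id])) + ext)


def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def first_bytes_look_like(data: bytes) -> str:
    """Classify what a peer sent first: 'ldap' (BER SEQUENCE), 'tls' (record
    header: content type 0x14-0x17 followed by version major 3) or 'unknown'."""
    if data[:1] == b"\x30":
        return "ldap"
    if data[:1] in (b"\x14", b"\x15", b"\x16", b"\x17") and data[1:2] == b"\x03":
        return "tls"
    return "unknown"


def parse_extended_response(pdu: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, body, _ = _tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError(f"not an LDAPMessage: first byte {tag:#x} (TLS record? wrong port?)")
    _, msgid, pos = _tlv(body, 0)
    tag, resp, _ = _tlv(body, pos)
    if tag != 0x78:                                # 0x78 = APPLICATION 24, constructed
        raise ValueError(f"not an ExtendedResponse: tag {tag:#x}")
    _, code, pos = _tlv(resp, 0)                   # resultCode ENUMERATED
    _, matched, pos = _tlv(resp, pos)              # matchedDN
    _, diag, pos = _tlv(resp, pos)                 # diagnosticMessage
    name = b""
    while pos < len(resp):                         # optional responseName [10] etc.
        t, v, pos = _tlv(resp, pos)
        if t == 0x8A:
            name = v
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
        "response_name": name.decode(),
    }


def starttls_then_wrap(host: str, port: int = 389, cafile=None) -> ssl.SSLSocket:
    """Do the StartTLS exchange by hand, then let ssl run the handshake and
    validate the certificate against cafile. Needs a live LDAP server."""
    sock = socket.create_connection((host, port), timeout=5)
    sock.sendall(starttls_request(1))
    reply = parse_extended_response(sock.recv(4096))
    if reply["result_code"] != 0:
        sock.close()
        raise RuntimeError(f"server refused StartTLS: {reply}")
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=host)   # hostname check happens here


# Constructed responses (not captured from a real server).
SAMPLE_OK_RESPONSE = ber(0x30, ber(0x02, b"\x01") + ber(0x78,
    ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"") + ber(0x8A, STARTTLS_OID)))
SAMPLE_REFUSED = ber(0x30, ber(0x02, b"\x01") + ber(0x78,
    ber(0x0A, b"\x34") + ber(0x04, b"") + ber(0x04, b"TLS not supported")))  # 52 = unavailable
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")   # a TLS fatal alert record, constructed

if __name__ == "__main__":
    print(starttls_request().hex())
    print(parse_extended_response(SAMPLE_OK_RESPONSE))
    print(first_bytes_look_like(SAMPLE_TLS_ALERT))
```

The useful reading of this for the thread: `ldapsearch -Z` (and `start_tls = yes` in the FreeRADIUS module) sends the cleartext PDU built by starttls_request and expects an LDAP answer; `ldaps://` (or `tls_mode = yes` with port 636) skips that exchange and starts with a TLS record. Pick one per port, and only then does the certificate name matter.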
Re: TLS cant connect ldap+freeradius+novell
I've now got "10.10.0.11 nw1.system.wifi" in my /etc/hosts file.

I logged on to the novell server and paged to the LDAP connections page. The server uses 389 for unencrypted connections and 636 for encrypted connections with LDAP.

When I use:

    openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state

I get very, very much information.. anything I shall look for!? Maybe attach it as a file here!?

When I use:

    openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3

I get: CONNECTED(0003) and nothing more.

When I use:

    openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp

I get the same "CONNECTED(0003)".

Any useful information!? Seems like it can connect on both the ports.

/Mr G

> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: FreeRadius users mailing list
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Fri, 20 Jul 2007 11:14:46 +0200
>
> Martin G wrote:
> > Iv found the following on the novellserver (CA-service):
> > Distinguished name: WIFITREE CA.Security
> > Host server: NW1.SYSTEM.WIFI
>
> Well this looks like the novell ldap server certificate.
>
> > "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
>
> Yes.
>
> > I added the info in all kinds of sorts in my hosts-file to the novell-ip on
> > the linux-server but still no progress :( Still:
>
> Put
>
> 10.10.0.11 nw1.system.wifi
>
> into the /etc/hosts file
>
> > ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
> > "cn=lotta"
> > ldap_initialize( ldap://wifi )
> > ldap_start_tls: Connect error (-11)
> > additional info: TLS: hostname does not match CN in peer certificate
> > filter: cn=lotta
> > requesting: All userApplication attributes
> >
> > Any good idea!?
>
> Does your ldap server do ldaps on e.g. port 636?
>
> To get the ldap server certificate and maybe the CA chain validating this
> certificate you could try
>
> # openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
>
> If your ldap server does not do ldaps try
>
> # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
>
> or
>
> # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
>
> I expect this does not work since openssl s_client does not (yet) support
> starttls option with ldap protocol. But give it a whirl, maybe you get back
> something useful.
>
> Or enable ldaps on port 636 on your ldap server and try the top most
> openssl command from this mail.
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
>
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
Hello!

I exported the .b64 and used a program to decrypt the .b64 into a .pem and put it in my /etc/freeradius/certs/WIFITREE_CA.pem, then edited /etc/ldap/ldap.conf, /etc/ldap/slapd.conf and /etc/freeradius/radius.conf to point at the new .pem cert.

I connected to the novell server and inspected what ports the ldap used, and it's running on unencrypted 389 and encrypted port 636.

My ldapconf now looks like:

    BASE: ou=adm,ou=malmo,o=wifi
    URI ldap://10.10.0.11 ldap://10.10.0.11
    TLS_CACERT /etc/freeradius/certs/WIFITREE_CA.pem
    TLS_REQCERT demand
    ldap_version 3
    port 636
    ssl start_tls
    ssl on

--

When I use the line

    ldapsearch -vvv -H ldap://10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"

I receive:

    ldap_initialize( ldap://10.10.0.11 )
    ldap_start_tls: Connect error (-11)
    ldap_result: Can't contact LDAP server (-1)

But if I take away the -Z attribute, I get:

    ldapsearch -vvv -H ldap://10.10.0.11 -x -b ou=adm,ou=malmo,o=wifi "cn=lotta"
    ldap_initialize( ldap://10.10.0.11 )
    filter: cn=lotta
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: cn=lotta
    # requesting: ALL
    #

    # lotta, ADM, MALMO, WIFI
    dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
    zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QWdlbnREYX
     RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaW9uPjxWZXJX0ZVRpbWU+MTE0OTUwMTY4MjwvVmV
     yV3JpdGVUaW1lPjwvQWdlbnREXRhPg==
    zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage
    sasDefaultLoginSequence: --No default--
    uid: lotta
    givenName: lotta
    fullName: lotta whatever
    Language: ENGLISH
    sn: whatever
    passwordUniqueRequired: FALSE
    passwordRequired: TRUE
    passwordMinimumLength: 5
    passwordExpirationTime: 20070815131928Z
    passwordExpirationInterval: 3456000
    passwordAllowChange: TRUE
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: Person
    objectClass: ndsLoginProperties
    objectClass: Top
    objectClass: radiusprofile
    loginTime: 20070723095349Z
    loginGraceRemaining: 6
    loginGraceLimit: 6
    cn: lotta
    ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights]
    ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript
    ACL: 2#entry#[Public]#messageServer
    ACL: 2#entry#[Root]#groupMembership
    ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration
    ACL: 2#entry#[Root]#networkAddress

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

I'm not very good at certificates or ldap at all, but in my eyes it seems to work unencrypted and not when I try with the encryption. So it would be either the port 636 or the certificate!? And the novell tells me that the 636 port is used to accept encrypted questions.

Might it be a fault when I tried to decrypt the WIFITREE_CA.b64 to WIFITREE_CA.pem? Any other ideas? (Is there a nice/easy way to do it in linux? I downloaded a windows program and ftp:ed it to the linux server.)

(The freeradius also tells me like before that it can't get a tls connection.)

Thx for all help this far!!

/Mr G

> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: FreeRadius users mailing list
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Fri, 20 Jul 2007 11:03:43 +0200
>
> Hi.
>
> Martin G wrote:
> > Subject of the novell-server-certificate is : O = WIFITREE
> > OU = Organizational CA
>
> Well, that looks like the SubjectDN of your Novell CA certificate. You need
> to put this CA certificate (not the pkcs#12/.p12 or the private key) in PEM
> format into the file referenced by option tls_cacertfile.
>
> > And thats no FQDN!?
>
> No.
>
> > (I exported it from the novell as an .der and extracted it to see the
> > subject, maby wrong way to do it? i havent exported the private key with
> > either the .b64 or the .der and that shouldnt matter ?)
>
> You do *not* need the private key of your novell CA cert or your novell ldap
> server cert on your FreeRADIUS server.
>
> > *output from novell*
>
> This looks like a selfsigned root-CA certificate:
>
> > Subject name: OU=Organizational CA.O=WIFITREE
> > Issuer name: OU=Organizational CA.O=WIFITREE
> > Effective date: den 22 oktober 2005 23:04:08
> > Expiration date: den 22 oktober 2015 23:04:08
> > Certificate status: Valid
> >
> > Any idea how to type the FQDN !? :(
>
> You need to get a PEM formatted copy of this CA certificate (w/o private
> key) and put that to the file referenced by option tls_cacertfile.
>
> And for ldapsearch put this certificate into /etc/ldap/ldap.conf as
>
> TLS_CACERT /etc/ldap/novell-ca-cert.pem
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
>
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>
Re: TLS cant connect ldap+freeradius+novell
Martin G wrote:
> Iv found the following on the novellserver (CA-service):
> Distinguished name: WIFITREE CA.Security
> Host server: NW1.SYSTEM.WIFI

Well this looks like the novell ldap server certificate.

> "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?

Yes.

> I added the info in all kinds of sorts in my hosts-file to the novell-ip on
> the linux-server but still no progress :( Still:

Put

    10.10.0.11 nw1.system.wifi

into the /etc/hosts file

> ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
> "cn=lotta"
> ldap_initialize( ldap://wifi )
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
> filter: cn=lotta
> requesting: All userApplication attributes
>
> Any good idea!?

Does your ldap server do ldaps on e.g. port 636?

To get the ldap server certificate and maybe the CA chain validating this certificate you could try

    # openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state

If your ldap server does not do ldaps try

    # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3

or

    # openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp

I expect this does not work since openssl s_client does not (yet) support the starttls option with the ldap protocol. But give it a whirl, maybe you get back something useful.

Or enable ldaps on port 636 on your ldap server and try the top most openssl command from this mail.

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
Hi.

Martin G wrote:
> Subject of the novell-server-certificate is : O = WIFITREE
> OU = Organizational CA

Well, that looks like the SubjectDN of your Novell CA certificate. You need to put this CA certificate (not the pkcs#12/.p12 or the private key) in PEM format into the file referenced by option tls_cacertfile.

> And thats no FQDN!?

No.

> (I exported it from the novell as an .der and extracted it to see the
> subject, maby wrong way to do it? i havent exported the private key with
> either the .b64 or the .der and that shouldnt matter ?)

You do *not* need the private key of your novell CA cert or your novell ldap server cert on your FreeRADIUS server.

> *output from novell*

This looks like a selfsigned root-CA certificate:

> Subject name: OU=Organizational CA.O=WIFITREE
> Issuer name: OU=Organizational CA.O=WIFITREE
> Effective date: den 22 oktober 2005 23:04:08
> Expiration date: den 22 oktober 2015 23:04:08
> Certificate status: Valid
>
> Any idea how to type the FQDN !? :(

You need to get a PEM formatted copy of this CA certificate (w/o private key) and put that to the file referenced by option tls_cacertfile.

And for ldapsearch put this certificate into /etc/ldap/ldap.conf as

    TLS_CACERT /etc/ldap/novell-ca-cert.pem

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
I've found the following on the novell server (CA service):

    Distinguished name: WIFITREE CA.Security
    Host server: NW1.SYSTEM.WIFI

"NW1" would be the server name and "NW1.SYSTEM.WIFI" the FQDN?

I added the info in all kinds of sorts in my hosts file to the novell IP on the linux server but still no progress :( Still:

    ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
    ldap_initialize( ldap://wifi )
    ldap_start_tls: Connect error (-11)
            additional info: TLS: hostname does not match CN in peer certificate
    filter: cn=lotta
    requesting: All userApplication attributes

Any good idea!? (I've added the novell server's DNS IP to the ifconfig DNS of the linux also, but no help from that either.)

/Mr G

> > Any idea how to type the FQDN !? :(
>
> Well if this was your server:
>
> > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> FQDN would be: messenger.msn.click-url.com
>
> Ivan Kalik
> Kalik Informatika ISP

> From: "Martin G" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: freeradius-users@lists.freeradius.org
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Thu, 19 Jul 2007 18:05:22 +0200
>
> Subject of the novell-server-certificate is : O = WIFITREE
> OU = Organizational CA
> And thats no FQDN!?
> (I exported it from the novell as an .der and extracted it to see the
> subject, maby wrong way to do it? i havent exported the private key with
> either the .b64 or the .der and that shouldnt matter ?)
>
> *output from novell*
> Subject name: OU=Organizational CA.O=WIFITREE
> Issuer name: OU=Organizational CA.O=WIFITREE
> Effective date: den 22 oktober 2005 23:04:08
> Expiration date: den 22 oktober 2015 23:04:08
> Certificate status: Valid
>
> Any idea how to type the FQDN !? :(
>
> (Thx for all the good answers this far!)
>
> /Mr G
>
> > From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> > Reply-To: FreeRadius users mailing list
> > To: FreeRadius users mailing list
> > Subject: Re: TLS cant connect ldap+freeradius+novell
> > Date: Thu, 19 Jul 2007 17:51:24 +0200
> >
> > Hm.
> >
> > Martin G wrote:
> > > Sorry, when i tried to rehash my certificate, id changed its path, but now
> > > its back and i got a new output from my ldapsearch-command:
> > >
> > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > ldap_initialize( ldap://10.10.0.11 )
> > > ldap_start_tls: Connect error (-11)
> > > additional info: TLS: hostname does not match CN in peer certificate
> >
> > What is the CN in the SubjectDN of the ldap servers certificate? Is it a
> > FQDN?
> >
> > If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> > server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
> >
> > Is above warning going away?
> >
> > > filter: cn=lotta
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base with scope subtree
> > > # filter: cn=lotta
> > > # requesting: ALL
> > > #
> > >
> > > # lotta, ADM, MALMO, WIFI
> > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > zenzfdVersion::
> >
> > Something is at least working. It's not SSL secured though.
> >
> > ...
> >
> > > Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > > as i did forget before.
> >
> > slapd.conf is the config file of the openldap *server*. Messing with this
> > file should not change anything. Or was that a typo?
> >
> > > Do i need to convert the certificate to .pem and how if the c_rehash dont
> > > work?
> >
> > If tls_cacertdir is not set, then don't use c_rehash.
> >
> > Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> > certificates of the CA certificate chain that is needed to validate your
> > ldap servers certificate. Concatenate these PEM formatted CA certs into this
> > single ASCII file.
> >
> > And I forgot, set ldap_debug to -1 in the radius config file.
> >
> > Don't send your ldap servers password in log files ;-)
> >
> > ...
> > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > >
Re: TLS cant connect ldap+freeradius+novell
> Any idea how to type the FQDN !? :(

Well if this was your server:

> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP
Re: TLS cant connect ldap+freeradius+novell
Subject of the novell server certificate is: O = WIFITREE, OU = Organizational CA

And that's no FQDN!?

(I exported it from the novell as a .der and extracted it to see the subject, maybe the wrong way to do it? I haven't exported the private key with either the .b64 or the .der and that shouldn't matter?)

*output from novell*

    Subject name: OU=Organizational CA.O=WIFITREE
    Issuer name: OU=Organizational CA.O=WIFITREE
    Effective date: den 22 oktober 2005 23:04:08
    Expiration date: den 22 oktober 2015 23:04:08
    Certificate status: Valid

Any idea how to type the FQDN !? :(

(Thx for all the good answers this far!)

/Mr G

> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: FreeRadius users mailing list
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Thu, 19 Jul 2007 17:51:24 +0200
>
> Hm.
>
> Martin G wrote:
> > Sorry, when i tried to rehash my certificate, id changed its path, but now
> > its back and i got a new output from my ldapsearch-command:
> >
> > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > ldap_initialize( ldap://10.10.0.11 )
> > ldap_start_tls: Connect error (-11)
> > additional info: TLS: hostname does not match CN in peer certificate
>
> What is the CN in the SubjectDN of the ldap servers certificate? Is it a
> FQDN?
>
> If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
>
> Is above warning going away?
>
> > filter: cn=lotta
> > requesting: All userApplication attributes
> > # extended LDIF
> > #
> > # LDAPv3
> > # base with scope subtree
> > # filter: cn=lotta
> > # requesting: ALL
> > #
> >
> > # lotta, ADM, MALMO, WIFI
> > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > zenzfdVersion::
>
> Something is at least working. It's not SSL secured though.
>
> ...
>
> > Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > as i did forget before.
>
> slapd.conf is the config file of the openldap *server*. Messing with this
> file should not change anything. Or was that a typo?
>
> > Do i need to convert the certificate to .pem and how if the c_rehash dont
> > work?
>
> If tls_cacertdir is not set, then don't use c_rehash.
>
> Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> certificates of the CA certificate chain that is needed to validate your
> ldap servers certificate. Concatenate these PEM formatted CA certs into this
> single ASCII file.
>
> And I forgot, set ldap_debug to -1 in the radius config file.
>
> Don't send your ldap servers password in log files ;-)
>
> ...
> > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell"
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> ...
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
>
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
Hm.

Martin G wrote:
> Sorry, when I tried to rehash my certificate, I'd changed its path, but now
> it's back and I got a new output from my ldapsearch-command:
>
> ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> ldap_initialize( ldap://10.10.0.11 )
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate

What is the CN in the SubjectDN of the ldap server's certificate? Is it a FQDN?

If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.

Is the above warning going away?

> filter: cn=lotta
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: cn=lotta
> # requesting: ALL
> #
>
> # lotta, ADM, MALMO, WIFI
> dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> zenzfdVersion::

Something is at least working. It's not SSL secured though.

...
>
> I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> as I did forget before.

slapd.conf is the config file of the openldap *server*. Messing with this
file should not change anything. Or was that a typo?

> Do I need to convert the certificate to .pem and how if the c_rehash doesn't
> work?

If tls_cacertdir is not set, then don't use c_rehash.

Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
certificates of the CA certificate chain that is needed to validate your
ldap server's certificate. Concatenate these PEM formatted CA certs into this
single ASCII file.

And I forgot, set ldap_debug to -1 in the radius config file.

Don't send your ldap server's password in log files ;-)

...
> Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389
> Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1
> Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4
> Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3
> Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no
> Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell"
> Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi"
...
> Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0
> Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5
> Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
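The question Reimer asks here (is the CN a FQDN, and does connecting with `-h FQDN` make the warning go away) is the whole mechanism behind "TLS: hostname does not match CN in peer certificate". What follows is an added example, not code from this thread, from OpenLDAP or from FreeRADIUS: it models the peer-name check an LDAP client performs after STARTTLS, so the difference between connecting by IP and by FQDN can be seen without a live server. The certificate names used (`ldap.wifi.example` and friends) are constructed stand-ins; a real client would parse them out of the X.509 certificate.

```python
"""Model of the peer-name check behind "TLS: hostname does not match CN".

Added example (not from the thread, OpenLDAP or FreeRADIUS).  Simplified:
real clients take the names from the X.509 certificate; here they are
supplied as constructed strings.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names a server certificate vouches for (constructed for the example)."""
    cn: Optional[str] = None                           # subject CN, if the subject has one
    dns_sans: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    ip_sans: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 2 and p[1:] == h[1:]
    return p == h


def peer_name_matches(connect_host: str, names: CertNames) -> bool:
    """Does the name the client was told to connect to (ldapsearch -h, or
    'server =' in rlm_ldap) appear in the server certificate?

    Connecting by IP literal only succeeds when the certificate carries that
    IP, either as an iPAddress SAN or literally as the CN (the setup in the
    first message of this thread relies on the latter)."""
    try:
        addr = ipaddress.ip_address(connect_host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(ipaddress.ip_address(ip) == addr for ip in names.ip_sans):
            return True
        return names.cn is not None and names.cn.strip() == connect_host
    if names.dns_sans:
        # dNSName SANs, when present, take precedence over the CN.
        return any(dns_name_matches(p, connect_host) for p in names.dns_sans)
    return names.cn is not None and dns_name_matches(names.cn, connect_host)


def explain(connect_host: str, names: CertNames) -> str:
    """One-line verdict in the wording ldapsearch uses."""
    if peer_name_matches(connect_host, names):
        return f"{connect_host}: name matches the peer certificate"
    return f"{connect_host}: TLS: hostname does not match CN in peer certificate"


if __name__ == "__main__":
    # Constructed server certificate: CN is an FQDN, no SANs.
    server_cert = CertNames(cn="ldap.wifi.example")
    # The exported Organizational CA in the thread has O and OU in its subject but no CN.
    ca_cert = CertNames(cn=None)
    for host, cert in [
        ("10.10.0.11", server_cert),         # what the thread does: fails
        ("ldap.wifi.example", server_cert),  # after the /etc/hosts mapping and -h FQDN
        ("ldap.wifi.example", ca_cert),      # nothing to match against at all
    ]:
        print(explain(host, cert))
```

Mapping 10.10.0.11 to the FQDN in /etc/hosts and passing `-h FQDN` changes `connect_host`, not the certificate, which is why it makes the warning go away; the exported Organizational CA certificate, whose subject in the thread has only O and OU, can never match because it has no CN. Note also that the debug output above shows `tls_require_cert = "allow"`: per ldap.conf(5), with `allow` a bad server certificate is ignored and the session proceeds, so the name check modelled here only protects the connection when the setting is `demand`.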
Re: TLS cant connect ldap+freeradius+novell
ok for request 1
Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: - authorize
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: performing user authorization for lotta
Tue Jul 10 12:35:43 2007 : Debug: radius_xlat: '(cn=lotta)'
Tue Jul 10 12:35:43 2007 : Debug: radius_xlat: 'ou=adm,ou=malmo,o=wifi'
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: (re)connect to 10.10.0.11:389, authentication 0
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: setting TLS CACert File to /etc/freeradius/certs/WIFITREE_CA.b64
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: starting TLS
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_start_tls_s()
Tue Jul 10 12:35:43 2007 : Error: rlm_ldap: could not start TLS Connect error
Tue Jul 10 12:35:43 2007 : Error: rlm_ldap: (re)connection attempt failed
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: search failed
Tue Jul 10 12:35:43 2007 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Jul 10 12:35:43 2007 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1
Tue Jul 10 12:35:43 2007 : Debug: modcall[authorize]: module "ldap" returns fail for request 1
Tue Jul 10 12:35:43 2007 : Debug: modcall: leaving group authorize (returns fail) for request 1
Tue Jul 10 12:35:43 2007 : Debug: Finished request 1
Tue Jul 10 12:35:43 2007 : Debug: Going to the next request
Tue Jul 10 12:35:43 2007 : Debug: --- Walking the entire request list ---
Tue Jul 10 12:35:43 2007 : Debug: Waking up in 6 seconds...
Tue Jul 10 12:35:49 2007 : Debug: --- Walking the entire request list ---
Tue Jul 10 12:35:49 2007 : Debug: Cleaning up request 1 ID 47 with timestamp 469360ff
Tue Jul 10 12:35:49 2007 : Debug: Nothing to do. Sleeping until we see a request.

/Mr G

> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: FreeRadius users mailing list
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Thu, 19 Jul 2007 16:57:34 +0200
>
> Hm
>
> fiddling with parameters in the FreeRADIUS config files should not change
> any behavior of ldapsearch. ldapsearch depends on the ldap.conf config file.
>
> Did you turn on ldap client debugging by setting "loglevel -1" in the
> ~/.ldap.conf file for the user that is executing ldapsearch? Or if
> ~/.ldap.conf does not exist, did you turn it on in /etc/openldap/ldap.conf
> or wherever your system ldap clients expect their config file to be?
>
> Martin G wrote:
> > Thx for the reply!
> >
> > I've tried removing "port" and "tls_mode" from my radius.conf and had
> > "tls_start = yes" set.
> >
> > The tls_certfile and tls_keyfile are now commented away with #.
> >
> > I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64
>
> Is this file of ASCII type and does it read about like
>
> -----BEGIN CERTIFICATE-----
> Base64 blob
> -----END CERTIFICATE-----
>
> ?
>
> That is the correct format, i.e. PEM.
>
> Is there more than one certificate in the file?
>
> If it is binary, then it's DER format. In this case you could try
>
> openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem
>
> > I'd tried to use "c_rehash ." in that directory but the rehash doesn't find my
> > cert, only other certs in that path which are made into strange names.
> > Can I force it to pick my .b64 certificate or can I convert it in any other
> > way? (after the certs turned into funny names from c_rehash, it's just to
> > rename them, if it starts to work with the right certificate?)
> >
> > The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b
> > ou=adm,ou=malmo,o=wifi "cn=lotta"
> > is:
> >
> > ldap_initialize( ldap://10.10.0.11 )
> > ldap_start_tls: Connect error (-11)
> > ldap_result: Can't contact LDAP server (-1)
> >
> > Did I miss anything or is the only thing left now, to get a .pem
> > certificate?
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
Re: TLS cant connect ldap+freeradius+novell
Hm

fiddling with parameters in the FreeRADIUS config files should not change
any behavior of ldapsearch. ldapsearch depends on the ldap.conf config file.

Did you turn on ldap client debugging by setting "loglevel -1" in the
~/.ldap.conf file for the user that is executing ldapsearch? Or if
~/.ldap.conf does not exist, did you turn it on in /etc/openldap/ldap.conf
or wherever your system ldap clients expect their config file to be?

Martin G wrote:
> Thx for the reply!
>
> I've tried removing "port" and "tls_mode" from my radius.conf and had
> "tls_start = yes" set.
>
> The tls_certfile and tls_keyfile are now commented away with #.
>
> I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64

Is this file of ASCII type and does it read about like

-----BEGIN CERTIFICATE-----
Base64 blob
-----END CERTIFICATE-----

?

That is the correct format, i.e. PEM.

Is there more than one certificate in the file?

If it is binary, then it's DER format. In this case you could try

openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem

> I'd tried to use "c_rehash ." in that directory but the rehash doesn't find my
> cert, only other certs in that path which are made into strange names.
> Can I force it to pick my .b64 certificate or can I convert it in any other
> way? (after the certs turned into funny names from c_rehash, it's just to
> rename them, if it starts to work with the right certificate?)
>
> The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b
> ou=adm,ou=malmo,o=wifi "cn=lotta"
> is:
>
> ldap_initialize( ldap://10.10.0.11 )
> ldap_start_tls: Connect error (-11)
> ldap_result: Can't contact LDAP server (-1)
>
> Did I miss anything or is the only thing left now, to get a .pem
> certificate?

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
Re: TLS cant connect ldap+freeradius+novell
Thx for the reply!

I've tried removing "port" and "tls_mode" from my radius.conf and had
"tls_start = yes" set.

The tls_certfile and tls_keyfile are now commented away with #.

I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64

I'd tried to use "c_rehash ." in that directory but the rehash doesn't find my
cert, only other certs in that path which are made into strange names.
Can I force it to pick my .b64 certificate or can I convert it in any other
way? (after the certs turned into funny names from c_rehash, it's just to
rename them, if it starts to work with the right certificate?)

The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b
ou=adm,ou=malmo,o=wifi "cn=lotta"
is:

ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

Did I miss anything or is the only thing left now, to get a .pem
certificate?

/Mr G

> From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> Reply-To: FreeRadius users mailing list
> To: FreeRadius users mailing list
> Subject: Re: TLS cant connect ldap+freeradius+novell
> Date: Thu, 19 Jul 2007 16:06:46 +0200
>
> Hi.
>
> Martin G wrote:
> > Hello!
> >
> > I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> > tried my best to install a radius/ldap linux server to pass on
> > radius-requests from an Aruba-controller to our novell-server.
> >
> > IPs:
> > Novell 10.10.0.11
> > Aruba 10.10.0.28
> > Linux (freeradius+ldap) 10.10.0.132
> >
> > I've tried to change tls_mode, port and tls_start on and off a couple of times
> > without any good result and when I go use ldapsearch -vvv -h 10.10.0.11 -x
> > -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > I receive "TLS: hostname does not match CN in peer certificate".
>
> At least this means that your ldap server understands STARTTLS on the
> standard ldap port.
>
> So in the FreeRADIUS ldap config section you should *not* set the port and tls_mode
> options at all.
>
> You should set start_tls=yes though.
>
> As for the ldap server certificate name mismatch
>
> > So I have some thoughts about the certificate, but I've exported the
> > self-signed novell-certificate from the novell server and verified it. But I'm
> > not sure how to use a "client-certificate" on the linux.
> >
> > When I use "freeradius -XXX -A" on the linux server and I try to do a
> > radius-request, the aruba gets a timeout and the linux server tells me the
> > following log:
>
> Now for the certificates. Since your ldap server is using a server
> certificate you must configure FreeRADIUS to trust the issuing CA.
>
> Since identity and password are set it seems you do not use SSL client
> authentication to authenticate the FreeRADIUS server (acting as ldap client)
> at the ldap server.
>
> Hence don't set the tls_certfile and tls_keyfile options.
>
> Either use the tls_cacertfile xor the tls_cacertdir option.
>
> If using the former, put in all the CA certificate chain validating the ldap
> server's certificate in PEM format. Concatenate the CA certs into the file
> named by this option.
>
> If using the latter, put all CA certs of the chain validating the ldap
> server's certificate in PEM format with .pem file extension into that
> directory. cd into this directory and execute
>
> # c_rehash .
>
> to build some symlinks. The dot (.) for the current directory seems vital.
> c_rehash is a tool that comes with openssl.
>
> Be aware that the openldap client configuration file on the system or for
> the user running FreeRADIUS is being used. That is ~/.ldap.conf or system
> wide something like /etc/openldap/ldap.conf or whatever fits your FS layout
> and ldap installation on the FreeRADIUS server.
>
> To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
> file. Debugging output is to be found in files configured by syslogd, more
> than likely in /var/log/messages or similar.
>
> HTH & good luck
>
> --
> Beste Gruesse / Kind Regards
>
> Reimer Karlsen-Masur
Re: TLS cant connect ldap+freeradius+novell
Hi.

Martin G wrote:
> Hello!
>
> I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> tried my best to install a radius/ldap linux server to pass on
> radius-requests from an Aruba-controller to our novell-server.
>
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
>
> I've tried to change tls_mode, port and tls_start on and off a couple of times
> without any good result and when I go use ldapsearch -vvv -h 10.10.0.11 -x
> -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> I receive "TLS: hostname does not match CN in peer certificate".

At least this means that your ldap server understands STARTTLS on the
standard ldap port.

So in the FreeRADIUS ldap config section you should *not* set the port and tls_mode
options at all.

You should set start_tls=yes though.

As for the ldap server certificate name mismatch

> So I have some thoughts about the certificate, but I've exported the
> self-signed novell-certificate from the novell server and verified it. But I'm
> not sure how to use a "client-certificate" on the linux.
>
> When I use "freeradius -XXX -A" on the linux server and I try to do a
> radius-request, the aruba gets a timeout and the linux server tells me the
> following log:

Now for the certificates. Since your ldap server is using a server
certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client
authentication to authenticate the FreeRADIUS server (acting as ldap client)
at the ldap server.

Hence don't set the tls_certfile and tls_keyfile options.

Either use the tls_cacertfile xor the tls_cacertdir option.

If using the former, put in all the CA certificate chain validating the ldap
server's certificate in PEM format. Concatenate the CA certs into the file
named by this option.

If using the latter, put all CA certs of the chain validating the ldap
server's certificate in PEM format with .pem file extension into that
directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital.
c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system or for
the user running FreeRADIUS is being used. That is ~/.ldap.conf or system
wide something like /etc/openldap/ldap.conf or whatever fits your FS layout
and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf
file. Debugging output is to be found in files configured by syslogd, more
than likely in /var/log/messages or similar.

HTH & good luck

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur
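Two pieces of advice in this thread go together: check whether the CA file is really ASCII PEM or binary DER regardless of its `.b64` name (converting with `openssl x509 -inform DER` if needed), and concatenate every CA certificate of the chain into the one file that `tls_cacertfile` points at. The following is an added example, not code from the thread, OpenSSL or FreeRADIUS; it does both steps with the Python standard library and reports how many certificates the resulting bundle holds, which answers the "is there more than one certificate in the file?" question. The certificate bytes are constructed placeholders (a bare ASN.1 SEQUENCE), not real certificates, so nothing here validates a chain.

```python
"""Tell PEM from DER by content and build the single CA file for tls_cacertfile.

Added example, not from the thread, OpenSSL or FreeRADIUS.  It mirrors the two
commands recommended in the replies (openssl x509 -inform DER ... and
concatenating PEM CA certs) using only the standard library.
"""
import re
import ssl
from typing import Dict, List, Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(re.escape(PEM_HEADER) + r".*?" + re.escape(PEM_FOOTER), re.S)


def detect_format(data: bytes) -> str:
    """Classify by content: a file called .b64 may still be binary DER."""
    if PEM_HEADER.encode("ascii") in data:
        return "PEM"
    if data[:1] == b"\x30":  # DER certificates begin with the outer ASN.1 SEQUENCE tag
        return "DER"
    return "unknown"


def certificates_as_der(data: bytes) -> List[bytes]:
    """Every certificate in the file as DER bytes: one for a DER file, one or more for PEM."""
    fmt = detect_format(data)
    if fmt == "DER":
        return [data]
    if fmt == "PEM":
        text = data.decode("latin-1")  # PEM is ASCII; latin-1 never raises on stray bytes
        return [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in _PEM_BLOCK.finditer(text)]
    raise ValueError("neither PEM nor DER")


def build_ca_bundle(inputs: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Concatenate the CA chain into one PEM text (the contents of tls_cacertfile).

    Returns the bundle and a per-file report.  DER inputs are converted; files
    that are neither format are skipped rather than silently appended."""
    blocks: List[str] = []
    report: List[str] = []
    for name, data in inputs.items():
        fmt = detect_format(data)
        if fmt == "unknown":
            report.append(f"{name}: skipped, neither PEM nor DER")
            continue
        ders = certificates_as_der(data)
        blocks.extend(ssl.DER_cert_to_PEM_cert(der) for der in ders)
        report.append(f"{name}: {fmt}, {len(ders)} certificate(s)")
    return "".join(blocks), report


def count_certificates(bundle: str) -> int:
    """Answers 'is there more than one certificate in the file?'."""
    return bundle.count(PEM_HEADER)


# Constructed placeholders standing in for the Organizational CA and an intermediate.
ROOT_DER = b"\x30\x03\x02\x01\x01"  # ASN.1 SEQUENCE { INTEGER 1 }, not a real certificate
INTERMEDIATE_PEM = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02").encode("ascii")

if __name__ == "__main__":
    bundle, report = build_ca_bundle({
        "WIFITREE_CA.b64": ROOT_DER,          # binary despite the .b64 name
        "intermediate.pem": INTERMEDIATE_PEM,
        "README.txt": b"not a certificate",
    })
    print("\n".join(report))
    print(f"bundle holds {count_certificates(bundle)} certificate(s)")
    print(bundle, end="")
```

The output of `build_ca_bundle` is exactly what `cat root.pem intermediate.pem > bundle.pem` produces once every input is PEM, which is the single ASCII file the replies ask for; pointing `tls_cacertfile` at it means `c_rehash` is not needed (that tool only serves `tls_cacertdir`).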