RE: Secure TLS connection between Freeradius and Openldap

2004-11-17 Thread Konstantin KABASSANOV
Well, finally I succeeded in doing what I wanted... The reason for the failure
was too stupid: in the radiusd.conf file, I had put the LDAP server address
in IPv4 dotted address form. Of course, freeradius does not try to resolve
it, and of course the address obtained from the LDAP server certificate
does not match...

Thanks to all who tried to help me.

Konstantin

>-Original Message-
>From: Konstantin KABASSANOV [mailto:[EMAIL PROTECTED]
>Sent: mardi 16 novembre 2004 15:46
>To: '[EMAIL PROTECTED]'
>Subject: Secure TLS connection between Freeradius and Openldap
>
>Hello,
>
>I'm trying to establish a secure TLS connection between a Freeradius and
>an Openldap server.
>
>The "openssl s_client -connect" command successfully establishes a
>connection to the openldap server on the mentioned port with the
>following
>certificates, but when trying to bind from freeradius I have the
>following
>error message:
>
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
>rlm_ldap: setting TLS mode to 1
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
>rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
>rlm_ldap: setting TLS Require Cert to never
>rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
>rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
>rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
>rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
>rlm_ldap: (re)connection attempt failed
>rlm_ldap: search failed
>
>Of course if I don't set the tls mode, the connection is ok.
>
>Any hints?
>
>
>Thanks.
>
>Konstantin
>
>_
>
>Konstantin K. KABASSANOV
>
>LIP6/CNRS
>8, rue du Capitaine Scott
>75015 Paris, France
>
>Phone: +33 (0) 1 44 27 71 26
>Fax:   +33 (0) 1 44 27 74 95
>
>E-mail: [EMAIL PROTECTED]
>Web: http://www.kabassanov.com
>_
>
>
>IMPORTANT! If you have tried to reply to this mail and you received a
>stupid message, announcing that the mail had been rejected as spam,
>please, resend your reply to the address above.
>
>The certificate used to sign this e-mail can be verified at:
>http://igc.services.cnrs.fr/CNRS-Standard/recherche.html
>
>"Too much is never enough." ( Me ;) )



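The root cause above is a TLS name-matching failure, not a transport problem: the `server` value configured in the ldap module (`10.0.3.2`) is compared against the names the OpenLDAP certificate asserts, and a certificate issued for a hostname carries no IPv4 literal to match. The checker below is an added example, not code from the thread, FreeRADIUS or OpenLDAP; it models the general RFC 6125 matching rule (an IP literal matches only an `IP Address` SAN, a hostname matches `DNS` SANs with a CN fallback) rather than the exact behaviour of the 2004 libldap that rlm_ldap linked against. The certificate dicts, the hostname `ldap.mydomain.com` and the function `evaluate_rlm_ldap_server_setting` are constructed for illustration; the dict layout is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Added example (not from the thread): a small TLS name-matching checker that
shows why the FreeRADIUS setting server = 10.0.3.2 fails verification against
an OpenLDAP certificate issued for a hostname, and which settings do match.
Certificates are written in the dict layout ssl.SSLSocket.getpeercert()
returns; every value below is constructed for illustration."""
import ipaddress


def is_ip_literal(host):
    """True when the configured server address is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """Case-insensitive DNS match; a single leading wildcard label is allowed."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return (len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:]
                and h_labels[0] != "")
    return False


def cert_matches_server(cert, server):
    """Return (ok, reason) for whether `cert` is valid for `server`.

    RFC 6125 rule: an IP literal may only match an 'IP Address' subjectAltName;
    a hostname matches 'DNS' entries, falling back to the subject commonName
    only when the certificate carries no DNS SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]

    if is_ip_literal(server):
        want = ipaddress.ip_address(server)
        for ip in ip_names:
            if ipaddress.ip_address(ip) == want:
                return True, f"IP Address SAN {ip} matches {server}"
        return False, (f"{server} is an IP literal but the certificate names "
                       f"only DNS={dns_names} IP={ip_names}")

    for name in dns_names:
        if dns_name_matches(name, server):
            return True, f"DNS SAN {name} matches {server}"
    if not dns_names:  # legacy fallback: certificate without any DNS SAN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and dns_name_matches(value, server):
                    return True, f"subject CN {value} matches {server}"
    return False, f"no DNS SAN or CN matches {server}"


# Constructed stand-in for the OpenLDAP server certificate from the thread:
# issued to a hostname, with no IP address in its SAN list.
LDAP_SERVER_CERT = {
    "subject": ((("commonName", "ldap.mydomain.com"),),),
    "subjectAltName": (("DNS", "ldap.mydomain.com"),),
}

# The same server, had the certificate also been issued with an IP SAN.
LDAP_SERVER_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.mydomain.com"),),),
    "subjectAltName": (("DNS", "ldap.mydomain.com"), ("IP Address", "10.0.3.2")),
}


def evaluate_rlm_ldap_server_setting(server, cert=LDAP_SERVER_CERT):
    """Hypothetical helper: report what a given `server = ...` value does to
    the TLS name check against `cert`."""
    ok, reason = cert_matches_server(cert, server)
    verdict = "OK" if ok else "FAIL"
    return f"server = {server!r}: {verdict} ({reason})"


if __name__ == "__main__":
    # The thread's failing setting, then the fix: a name the certificate asserts.
    print(evaluate_rlm_ldap_server_setting("10.0.3.2"))
    print(evaluate_rlm_ldap_server_setting("ldap.mydomain.com"))
    # The other sound fix: reissue the server certificate with an IP SAN.
    print(evaluate_rlm_ldap_server_setting("10.0.3.2", LDAP_SERVER_CERT_WITH_IP_SAN))
```

Both passing configurations keep certificate verification on: either point `server` at the DNS name the certificate was issued for (what the thread settled on), or reissue the OpenLDAP certificate with an `IP Address` SAN if the IP literal must stay. Relaxing the certificate requirement would make the bind succeed too, but it removes the server authentication that the TLS connection exists to provide, so it is a symptom hide rather than a fix.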


Secure TLS connection between Freeradius and Openldap

2004-11-16 Thread Konstantin KABASSANOV
Hello,

I'm trying to establish a secure TLS connection between a Freeradius and
an Openldap server.

The "openssl s_client -connect" command successfully establishes a
connection to the openldap server on the mentioned port with the following
certificates, but when trying to bind from freeradius I have the following
error message:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.3.2:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/root.pem
rlm_ldap: setting TLS CACert File to /etc/openssl/certs/
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: setting TLS Cert File to /etc/openssl/certs/cert.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/key.pem
rlm_ldap: setting TLS Key File to /etc/openssl/certs/random
rlm_ldap: bind as cn=Manager,dc=MYDOMAIN,dc=COM/password to 10.0.3.2:636
rlm_ldap: cn=Manager,dc=MYDOMAIN,dc=COM bind to 10.0.3.2:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed

Of course if I don't set the tls mode, the connection is ok.

Any hints?


Thanks.

Konstantin

_

Konstantin K. KABASSANOV

LIP6/CNRS
8, rue du Capitaine Scott
75015 Paris, France

Phone: +33 (0) 1 44 27 71 26
Fax:   +33 (0) 1 44 27 74 95

E-mail: [EMAIL PROTECTED]
Web: http://www.kabassanov.com
_


IMPORTANT! If you have tried to reply to this mail and you received a
stupid message, announcing that the mail had been rejected as spam,
please, resend your reply to the address above.

The certificate used to sign this e-mail can be verified at:
http://igc.services.cnrs.fr/CNRS-Standard/recherche.html

"Too much is never enough." ( Me ;) )


