I've now got "10.10.0.11 nw1.system.wifi" in my /etc/hosts file.

I logged on to the Novell server and went to the LDAP connections page. The server uses 389 for unencrypted connections and 636 for encrypted LDAP connections.

When I use:

openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state

I get very, very much information. Anything I should look for? Maybe attach it as a file here?

When I use:

openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3

I get: CONNECTED(00000003) and nothing more.

When I use:

openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp

I get the same "CONNECTED(00000003)". Any useful information? Seems like it can connect on both ports.

/Mr G

>From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list <[email protected]>
>To: FreeRadius users mailing list <[email protected]>
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Fri, 20 Jul 2007 11:14:46 +0200
>
>Martin G wrote:
>> I've found the following on the Novell server (CA service):
>> Distinguished name: WIFITREE CA.Security
>> Host server: NW1.SYSTEM.WIFI
>
>Well this looks like the Novell ldap server certificate.
>
>> "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
>
>Yes.
>
>> I added the info in all kinds of sorts in my hosts file to the Novell IP on
>> the Linux server but still no progress :( Still:
>
>Put
>
>10.10.0.11 nw1.system.wifi
>
>into the /etc/hosts file
>
>> ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
>> "cn=lotta"
>> ldap_initialize( ldap://wifi )
>> ldap_start_tls: Connect error (-11)
>> additional info: TLS: hostname does not match CN in peer certificate
>> filter: cn=lotta
>> requesting: All userApplication attributes
>>
>> Any good idea!?
>
>Does your ldap server do ldaps on e.g. port 636?
>
>To get the ldap server certificate and maybe the CA chain validating this certificate you could try
>
># openssl s_client -connect 10.10.0.11:636 -showcerts -debug -msg -state
>
>If your ldap server does not do ldaps try
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls pop3
>
>or
>
># openssl s_client -connect 10.10.0.11:389 -showcerts -debug -msg -state -starttls smtp
>
>I expect this does not work since openssl s_client does not (yet) support the starttls option with the ldap protocol. But give it a whirl, maybe you get back something useful.
>
>Or enable ldaps on port 636 on your ldap server.... and try the top most openssl command from this mail.
>
>--
>Beste Gruesse / Kind Regards
>
>Reimer Karlsen-Masur
>
>DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
>--
>Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
>DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
>Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
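What the "TLS: hostname does not match CN in peer certificate" error in the quoted exchange is actually checking, as an added example that is not code from the thread, OpenLDAP or Novell: a small hostname-verification routine in the style of RFC 6125, applied to the three names the thread uses (the IP, the bare "wifi", and the FQDN). It assumes the server certificate carries the subject CN NW1.SYSTEM.WIFI and no subjectAltName entries; that is an assumption, not something the thread confirms.

```python
"""Client-side hostname verification against a server certificate's identities.

Added example, not from the mailing-list thread. The ServerCert values below
are constructed stand-ins for fields a real parser would pull from the X.509
certificate (subject CN, subjectAltName dNSName and iPAddress entries).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    subject_cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    h_first, _, h_rest = hostname.partition(".")
    # *.system.wifi matches nw1.system.wifi but not system.wifi or a.b.system.wifi
    return first == "*" and bool(rest) and rest == h_rest and bool(h_first)


def hostname_matches(cert: ServerCert, hostname: str) -> bool:
    """True if the name the client connected to is one the certificate asserts."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches iPAddress SANs, never the CN or a dNSName,
        # which is why connecting to 10.10.0.11 directly cannot pass this check.
        return any(ip == ipaddress.ip_address(s) for s in cert.san_ip)
    if cert.san_dns:
        # When dNSName SANs are present the subject CN is ignored entirely.
        return any(_dns_name_match(p, hostname) for p in cert.san_dns)
    # Legacy fallback used by older clients such as the one in the thread.
    return _dns_name_match(cert.subject_cn, hostname)


if __name__ == "__main__":
    # Assumed certificate for the Novell server: CN only, no SANs.
    novell = ServerCert(subject_cn="NW1.SYSTEM.WIFI")
    for name in ("10.10.0.11", "wifi", "nw1.system.wifi"):
        print(f"{name:>16}: {'ok' if hostname_matches(novell, name) else 'hostname mismatch'}")
```

Only the FQDN passes, which is why the /etc/hosts entry mapping nw1.system.wifi to 10.10.0.11 matters: the client must be given the certificate's name, not the address.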

