[CentOS] Freeradius, openldap and TLS

Fri Apr 15 09:29:13 UTC 2016
Patrick Laimbock <patrick at laimbock.com>

On 15-04-16 00:39, Andrew Daviel wrote:
>
> We have a freeradius server using LDAP authentication against openldap.
>
> We have had freeradius-3.0.4-6 on CentOS 7 successfully communicating
> with openldap-servers-2.3.43 on CentOS 5.
>
> We need some features in freeradius-3.0.12. When I build that on CentOS
> 6, it initially works, but then develops TLS errors.
>
> We can search and authenticate against the LDAP server with Apache, and
> with ldapsearch using ldaps:// URLs and with start_tls.
>
> If I ask the freeradius community, I am told unequivocally to use
> OpenSSL not NSS.

You will hear the same thing from the OpenLDAP Community and will be 
asked to first verify the issue on the latest OpenLDAP with OpenSSL (no 
NSS). Even the latest RHEL7/CentOS7 OpenLDAP packages are behind and 
lack a lot of important bugfixes. If you use (are going to use) MDB 
(highly recommended) or replication then you'll definitely need to use 
the latest OpenLDAP version (with OpenSSL, no NSS).

The OpenLDAP Community usually recommends the free OpenLDAP RPM packages 
built with OpenSSL from http://ltb-project.org or to get supported 
packages from http://www.symas.com also built with OpenSSL.

HTH,
Patrick