[CentOS] Freeradius, openldap and TLS
patrick at laimbock.com
Fri Apr 15 09:29:13 UTC 2016
On 15-04-16 00:39, Andrew Daviel wrote:
> We have a freeradius server using LDAP authentication against openldap.
> We have had freeradius-3.0.4-6 on CentOS 7 successfully communicating
> with openldap-servers-2.3.43 on CentOS 5.
> We need some features in freeradius-3.0.12. When I build that on CentOS
> 6, it initially works, but then develops TLS errors.
> We can search and authenticate against the LDAP server with Apache, and
> with ldapsearch using ldaps:// URLs and with start_tls.
> If I ask the freeradius community, I am told unequivocally to use
> OpenSSL not NSS.
You will hear the same thing from the OpenLDAP Community and will be
asked to first verify the issue on the latest OpenLDAP with OpenSSL (no
NSS). Even the latest RHEL7/CentOS7 OpenLDAP packages are behind and
lack a lot of important bugfixes. If you use (are going to use) MDB
(highly recommended) or replication then you'll definitely need to use
the latest OpenLDAP version (with OpenSSL, no NSS).
The OpenLDAP Community usually recommends the free OpenLDAP RPM packages
built with OpenSSL from http://ltb-project.org or to get supported
packages from http://www.symas.com also built with OpenSSL.
More information about the CentOS
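Two checks a practitioner would want before raising this with either community, as an added example that is not part of the thread: first, confirm which TLS backend the installed libldap actually links against (the advice above hinges on OpenSSL versus NSS), and second, exercise StartTLS and ldaps:// with ldapsearch the way the original post describes. The script assumes `ldconfig`, `ldd` and `ldapsearch` are on the path; the host and base DN are placeholders to replace, and the sample `ldd` output in `demo_classify` is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): identify the TLS library
# behind libldap and verify StartTLS / LDAPS connectivity with ldapsearch.

# Classify `ldd` output for libldap. NSS is tested first: a libldap built
# against OpenSSL never pulls in libnss3, so its presence is decisive.
tls_backend_from_ldd() {
    case "$1" in
        *libnss3.so*)   echo nss ;;
        *libssl.so*)    echo openssl ;;
        *libgnutls.so*) echo gnutls ;;
        *)              echo unknown ;;
    esac
}

# Locate libldap through the dynamic linker cache (assumes ldconfig exists).
libldap_path() {
    ldconfig -p 2>/dev/null | awk '/libldap(-2\.[0-9])?\.so/ { print $NF; exit }'
}

# Report the backend of the libldap that programs such as radiusd will load.
report_backend() {
    lib=$(libldap_path)
    [ -n "$lib" ] || { echo "libldap not found in ldconfig cache" >&2; return 1; }
    tls_backend_from_ldd "$(ldd "$lib")"
}

# Constructed sample: what `ldd` prints for a libldap built against NSS
# (the RHEL/CentOS packaging) versus one built against OpenSSL.
demo_classify() {
    nss_out=$(printf 'libresolv.so.2 => /lib64/libresolv.so.2\n\tlibnss3.so => /lib64/libnss3.so\n')
    ssl_out=$(printf 'libresolv.so.2 => /lib64/libresolv.so.2\n\tlibssl.so.10 => /lib64/libssl.so.10\n')
    echo "$(tls_backend_from_ldd "$nss_out") $(tls_backend_from_ldd "$ssl_out")"
}

# Exercise StartTLS (-ZZ fails unless StartTLS succeeds) and LDAPS with a
# base-scope search of the directory root. Set LDAPTLS_CACERT beforehand if
# the server certificate is not signed by a CA in the system trust store.
check_ldap_tls() {
    host=$1
    base=$2
    if ldapsearch -x -ZZ -H "ldap://$host" -b "$base" -s base '(objectClass=*)' dn >/dev/null; then
        echo "starttls ok"
    else
        echo "starttls FAILED (rerun with -d 1 for the TLS handshake trace)" >&2
    fi
    if ldapsearch -x -H "ldaps://$host" -b "$base" -s base '(objectClass=*)' dn >/dev/null; then
        echo "ldaps ok"
    else
        echo "ldaps FAILED (rerun with -d 1 for the TLS handshake trace)" >&2
    fi
}

# Live checks run only when a host and base DN are supplied, e.g.
#   sh check_ldap_tls.sh ldap.example.com dc=example,dc=com
if [ $# -ge 2 ]; then
    echo "libldap TLS backend: $(report_backend)"
    check_ldap_tls "$1" "$2"
fi
```

If `report_backend` prints `nss` on the box where freeradius was rebuilt, the TLS errors are being produced by the NSS-linked libldap regardless of how freeradius itself was built, which is exactly the configuration both communities decline to debug.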