Hi, I have RHEL7, freeradius-3.0.11-1.el7.x86_64.rpm, freeradius-ldap-3.0.11-1.el7.x86_64.rpm (built myself, using the very helpful documentation here: http://wiki.freeradius.org/guide/Red-Hat-FAQ) Currently I am using a 389ds ldap on another host without ssl, but I'm planning to change to ssl. ldd rlm_ldap.so linux-vdso.so.1 => (0x00007ffd5f51e000) libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f734d771000) libc.so.6 => /lib64/libc.so.6 (0x00007f734d3b0000) liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f734d1a0000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f734cf86000) libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f734cd69000) libssl3.so => /lib64/libssl3.so (0x00007f734cb26000) libsmime3.so => /lib64/libsmime3.so (0x00007f734c8ff000) libnss3.so => /lib64/libnss3.so (0x00007f734c5d9000) libnssutil3.so => /lib64/libnssutil3.so (0x00007f734c3ac000) libplds4.so => /lib64/libplds4.so (0x00007f734c1a8000) libplc4.so => /lib64/libplc4.so (0x00007f734bfa3000) libnspr4.so => /lib64/libnspr4.so (0x00007f734bd64000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f734bb48000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f734b944000) /lib64/ld-linux-x86-64.so.2 (0x00007f734dbe3000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f734b70c000) libz.so.1 => /lib64/libz.so.1 (0x00007f734b4f6000) librt.so.1 => /lib64/librt.so.1 (0x00007f734b2ed000) libfreebl3.so => /lib64/libfreebl3.so (0x00007f734b0ea000) Looks like I have to rebuild my freeradius-ldap too to use openssl right? The RedHat documentation on the freeradius site doesn't say anything about how to switch to openssl. Are there any pointers how to do this? Yours: Laszlo On 05/10/2016 10:48 PM, Alan DeKok wrote:
On May 10, 2016, at 4:44 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Ok, ldd against rlm_ldap.so gives
rlm_ldap.so: ... libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f7e47947000) ..
Ugh. I wouldn't be surprised if that was it.
Both GnuTLS and NSS provide compatibility layers for OpenSSL. But.... they're *compatibility* layers, not 100% emulators.
The solution is ensure that all libraries and applications use the same SSL library. Since FreeRADIUS *can't* be ported to GnuTLS / NSS, then LDAP, etc. has to be build with OpenSSL.
OpenSSL just provides more functionality than the other libraries. We would lose a lot of features if we tried to use them.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html