LDAP (rlm_ldap) Version 3.0.9

Scott Pickles scottpickles at yahoo.com
Mon Jul 20 19:30:48 CEST 2015


Alan - 

When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS.  But when I fired up freeradius it was still finding/reporting a heartbleed variant.  That's what led me to install the updated version of OpenSSL manually.  I did find on the Git repository a script that will add the SSL lib path.  This seems like it should work?  I never did check the version of OpenSSL shipped with CentOS but as you mention it *should* be a non-heartbleed variant.

#!/bin/sh
#
#  The purpose of this script is to forcibly load the *correct* version
#  of OpenSSL for FreeRADIUS, when you have more than one version of OpenSSL
#  installed on your system.
#
#  You'll have to edit the directories to the correct location
#  for your local system.
#
#    $Id: e791dffc2687bdb94bfb0516fff8f4f5b4ec3670 $
#

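#  Only prepend the existing value when it is set: an empty element in
#  LD_LIBRARY_PATH makes the loader search the current directory.
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}/usr/local/ssl/lib:/usr/local/radius/lib
LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so

export LD_LIBRARY_PATH LD_PRELOAD
#  Quote "$@" so arguments containing spaces reach radiusd unchanged.
exec /usr/local/radius/sbin/radiusd "$@"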
 


   

On Monday, July 20, 2015 10:28 AM, Alan DeKok <aland at deployingradius.com> wrote:

On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS.  I also installed version 1.0.2d of openssl so I'm not subject to heartbleed.  When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.  

  Which is why you don't install manual packages on top of existing ones.  CentOS *should* have a fixed version of OpenSSL.

> I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not.  So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS.  Is there a repo that will provide me with a 3.0.9 version of the ldap module?  If not, can I compile and point to my lib directory for openssl 1.0.2d instead?  Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists.  Don't know where to look for the source(s).

  Install the OpenSSL from CentOS.  It should have the fix.  See the release notes for details.

  Alan DeKok.
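
Added example, not part of the thread or of the FreeRADIUS sources: a shell check for the situation discussed above, where two OpenSSL installs coexist on one host. It parses `ldd` output to show which libssl/libcrypto a binary resolves to, flags a mix of directories, and classifies a version string against the upstream Heartbleed range; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print the libssl/libcrypto paths found in `ldd` output read on stdin.
resolved_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# Succeed (0) when those libraries come from more than one directory,
# i.e. the process would mix two OpenSSL installations.
mixed_openssl_dirs() {
    n=$(resolved_ssl_libs | sed 's|/[^/]*$||' | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Classify an upstream version string such as "1.0.1e-fips".
# Upstream 1.0.1 to 1.0.1f and 1.0.2-beta/beta1 had Heartbleed; 1.0.1g fixed it.
# Distributions backport fixes without changing this string, so a hit here
# means "check the package changelog", not "vulnerable".
classify_openssl_version() {
    case "$1" in
        1.0.2-beta|1.0.2-beta1) echo "upstream-affected-range"; return ;;
    esac
    case "${1%%-*}" in
        1.0.1|1.0.1[a-f]) echo "upstream-affected-range" ;;
        *)                echo "outside-affected-range" ;;
    esac
}

# Constructed ldd output: libcrypto found under /usr/local, libssl from the OS.
SAMPLE_LDD='	libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

printf '%s\n' "$SAMPLE_LDD" | resolved_ssl_libs
if printf '%s\n' "$SAMPLE_LDD" | mixed_openssl_dirs; then
    echo "WARNING: libssl and libcrypto resolve to different directories"
fi
classify_openssl_version "1.0.1e-fips"
classify_openssl_version "1.0.2d"
```

To check a real install, pipe the output of `ldd /usr/local/radius/sbin/radiusd`, run with the same LD_LIBRARY_PATH as the wrapper script, into `resolved_ssl_libs`.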


  

