Ldap searches don't seem to honour connect_timeout

Tornoci Laszlo torlasz at xenia.sote.hu
Wed May 11 10:17:32 CEST 2016


I have RHEL7, freeradius-3.0.11-1.el7.x86_64.rpm, 
freeradius-ldap-3.0.11-1.el7.x86_64.rpm (built myself, using the very 
helpful documentation here: http://wiki.freeradius.org/guide/Red-Hat-FAQ)

Currently I am using a 389ds ldap on another host without ssl, but I'm 
planning to change to ssl.

ldd rlm_ldap.so
         linux-vdso.so.1 =>  (0x00007ffd5f51e000)
         libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f734d771000)
         libc.so.6 => /lib64/libc.so.6 (0x00007f734d3b0000)
         liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f734d1a0000)
         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f734cf86000)
         libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f734cd69000)
         libssl3.so => /lib64/libssl3.so (0x00007f734cb26000)
         libsmime3.so => /lib64/libsmime3.so (0x00007f734c8ff000)
         libnss3.so => /lib64/libnss3.so (0x00007f734c5d9000)
         libnssutil3.so => /lib64/libnssutil3.so (0x00007f734c3ac000)
         libplds4.so => /lib64/libplds4.so (0x00007f734c1a8000)
         libplc4.so => /lib64/libplc4.so (0x00007f734bfa3000)
         libnspr4.so => /lib64/libnspr4.so (0x00007f734bd64000)
         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f734bb48000)
         libdl.so.2 => /lib64/libdl.so.2 (0x00007f734b944000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f734dbe3000)
         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f734b70c000)
         libz.so.1 => /lib64/libz.so.1 (0x00007f734b4f6000)
         librt.so.1 => /lib64/librt.so.1 (0x00007f734b2ed000)
         libfreebl3.so => /lib64/libfreebl3.so (0x00007f734b0ea000)

Looks like I have to rebuild my freeradius-ldap too to use openssl, 
right? The RedHat documentation on the freeradius site doesn't say 
anything about how to switch to openssl. Are there any pointers on how to 
do this?

Yours: Laszlo

On 05/10/2016 10:48 PM, Alan DeKok wrote:
> On May 10, 2016, at 4:44 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>> Ok, ldd against rlm_ldap.so gives
>> rlm_ldap.so:
>> ...
>>        libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f7e47947000)
>>  ..
>   Ugh.  I wouldn't be surprised if that was it.
>   Both GnuTLS and NSS provide compatibility layers for OpenSSL.  But.... they're *compatibility* layers, not 100% emulators.
>   The solution is to ensure that all libraries and applications use the same SSL library.  Since FreeRADIUS *can't* be ported to GnuTLS / NSS, then LDAP, etc. has to be built with OpenSSL.
>   OpenSSL just provides more functionality than the other libraries.  We would lose a lot of features if we tried to use them.
>   Alan DeKok.
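
The ldd check used in this thread, as an added example (not part of either poster's message and not FreeRADIUS code): a POSIX shell helper that classifies the TLS libraries named in ldd output and fails when a backend other than the expected one is linked. The function names and the sample_mixed listing are constructed for illustration.

```shell
#!/bin/sh
# Read `ldd` output on stdin; print each TLS backend found, sorted and unique.
tls_backends() {
    awk '
        { lib = $1 }
        # libssl3.so is NSS; libssl.so.N is OpenSSL. The escaped dot keeps them apart.
        lib ~ /^lib(ssl3|nss3|nssutil3|smime3)\.so/ { print "nss"; next }
        lib ~ /^libgnutls\.so/                      { print "gnutls"; next }
        lib ~ /^lib(ssl|crypto)\.so/                { print "openssl"; next }
    ' | sort -u
}

# Succeed only if no TLS backend other than the expected one is linked.
# Usage: ldd /path/to/rlm_ldap.so | check_tls_backend openssl
check_tls_backend() {
    expected=$1
    found=$(tls_backends)
    other=$(printf '%s\n' "$found" | awk -v e="$expected" 'NF && $0 != e')
    if [ -n "$other" ]; then
        echo "mismatch: expected $expected, also linked:" $other >&2
        return 1
    fi
    return 0
}

# Constructed samples: the first two reuse lines from the listings in the thread.
sample_nss() {
    cat <<'EOF'
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f734d771000)
        libssl3.so => /lib64/libssl3.so (0x00007f734cb26000)
        libnss3.so => /lib64/libnss3.so (0x00007f734c5d9000)
EOF
}
sample_gnutls() {
    cat <<'EOF'
        libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f7e47947000)
EOF
}
# Constructed: a listing in which both OpenSSL and NSS libraries appear.
sample_mixed() {
    cat <<'EOF'
        libssl.so.10 => /lib64/libssl.so.10 (0x0000000000000000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x0000000000000000)
        libssl3.so => /lib64/libssl3.so (0x0000000000000000)
EOF
}

sample_mixed | check_tls_backend openssl || echo "TLS backends differ"
```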
