"libldap is using GnuTLS, while FreeRADIUS is using OpenSSL" ????
Alan DeKok
alan.dekok at inkbridge.io
Thu Dec 4 16:04:19 UTC 2025
On Dec 4, 2025, at 3:45 AM, Marc Fradin <marc.fradin at imt-atlantique.fr> wrote:
> I just installed: Ubuntu 24.04.2 LTS and FreeRADIUS Version 3.2.5
>
> We use our LDAP directory for authentication using the `userpasswd` field, which is encoded in SCYPT (EAP/TTLS/PAP).
>
> Everything works fine, but it's impossible to perform "LDAP over TLS or SSL" (start_tls = yes in module ldap )
That is an unfortunately common problem.
> Here's the error message :
> !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
> !! There may be random issues with TLS connections due to this conflict.
> !! The server may also crash.
>
> !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
>
> How can I fix this? Should I install another library like `libldap`?
Your choices are:
* don't use TLS with libldap (not really recommended)
* set up a local "stunnel" connection from the FreeRADIUS machine to the machine running LDAP, and use that for the LDAP connections.
* switch libldap to one which uses OpenSSL. You might be able to download it from https://ltb-project.org/download.html
I don't know why so many distributions insist on using GnuTLS. It simply does not do the same things as OpenSSL. Any application which needs a full-featured TLS library cannot use GnuTLS. It's really only good for "doing TLS" without much of any policies or features.
Alan DeKok.
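
An added example, not part of the original message or of FreeRADIUS: a shell check that reports which TLS library a given libldap (or the rlm_ldap module that loads it) pulls in, for use before and after switching to an OpenSSL-linked libldap. The function names and the sample `ldd` lines are constructed for illustration; the file to inspect is passed as an argument because its path varies by distribution.

```shell
#!/bin/sh
# Added example: classify the TLS library a shared object links against,
# based on `ldd` output. Function names here are hypothetical.

# classify_tls_backend: reads `ldd` output on stdin and prints one of
# gnutls | openssl | both | none
classify_tls_backend() {
    awk '
        /libgnutls\.so/ { gnutls = 1 }
        /libssl\.so/    { openssl = 1 }
        END {
            if (gnutls && openssl) print "both"
            else if (gnutls)       print "gnutls"
            else if (openssl)      print "openssl"
            else                   print "none"
        }'
}

# verdict BACKEND: the warning quoted above says FreeRADIUS is using OpenSSL,
# so only an OpenSSL-only result avoids the mixed-library condition.
verdict() {
    case "$1" in
        openssl)     echo "match" ;;
        gnutls|both) echo "conflict" ;;
        *)           echo "unknown" ;;
    esac
}

# Constructed sample lines in the shape of `ldd` output (not from a real host).
SAMPLE_GNUTLS='  liblber.so.2 => /lib/x86_64-linux-gnu/liblber.so.2 (0x0000000000000000)
  libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x0000000000000000)'
SAMPLE_OPENSSL='  liblber.so.2 => /usr/local/openldap/lib64/liblber.so.2 (0x0000000000000000)
  libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x0000000000000000)'

# Usage: sh check_ldap_tls.sh /path/to/libldap.so   (path is site-specific)
# ldd lists transitive dependencies, so running this on the rlm_ldap module
# shows everything that ends up loaded alongside it.
if [ -n "${1:-}" ]; then
    backend=$(ldd "$1" | classify_tls_backend)
    echo "$1: $backend ($(verdict "$backend"))"
fi
```

A result of `conflict` for the libldap that FreeRADIUS loads corresponds to the condition the startup warning describes; after installing an OpenSSL-linked libldap, the same check should report `match`.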