Hi,
On January 14th, we installed freeradius 3.2.6 in the production environment.
During these three weeks, the freeradius service operated normally with no issues.
Memory usage was stable around 100MB.
Before applying backport, within three weeks, memory usage could reach 1500MB.
We'll install the backport on all freeradius servers and will wait for the Debian
trixie full-upgrade.
Thanks.
On 8/1/25 at 22:45, Bernhard Schmidt wrote:
Control: affects 976991 src:freeradius
On 08.01.25 at 13:04, ATIC Sistemas Rede wrote:
Hi,
We've tested with freeradius 3.2.6 in the preproduction environment.
We've installed these packages from bookworm-backports target release (*).
In debug mode (freeradius -X) we could see several warnings like this (**).
Authentication EAP-TTLS-PAP seems to work fine.
We could make an effort and test in production next week.
The memory issue manifests after several weeks; we need a guarantee of
proper functionality during this time.
The warning seems serious. Could you give us any advice about this?
(**)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I never noticed it myself (not using rlm_ldap), but it seems like an old
issue (maybe the warning is new). You can find bugs from 2020 against
openldap asking for building against openssl specifically due to
FreeRADIUS warnings.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976991
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000821
However, I'm not aware of any bug report due to this, and
https://wiki.freeradius.org/modules/Rlm_ldap#errors-with-ldap-over-tls-connections
is about building LDAP with Mozilla NSS, not with GnuTLS.
I guess switching openldap to openssl is too late before Trixie,
especially since it may as well affect other openldap reverse
dependencies that use GnuTLS.
I guess you will have to try it.
Bernhard
--
Subdirección de Infraestruturas - Sistemas de rede
Área de Tecnoloxías da Información e Comunicacións
Universidade de Santiago de Compostela
15782 Santiago de Compostela
http://www.usc.es/atic/sistemas