Problem with authentication against FreeIPA

Daniel Osielczak d.osielczak at improvedigital.com
Mon Oct 21 12:04:51 CEST 2019


Hi Matthew,

I got it to work but there is a weird issue with SASL:

++++++++
rlm_ldap: libldap vendor: OpenLDAP, version: 20448
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
/etc/raddb/mods-enabled/ldap[5]: Configuration item 'sasl.mech' not supported.  Linked libldap does not provide ldap_sasl_interactive_bind function
/etc/raddb/mods-enabled/ldap[5]: Instantiation failed for module "ldap"
+++++++++

This is by no means a deal-breaker in our current setup so I continue to use radius without SASL, but I find it odd, especially since both libldaps (the CentOS one and the NetworkRADIUS one) actually provide this function.

+++++++++
[12:02:56] root at freeradius:~ # ldd /usr/lib64/freeradius/rlm_ldap.so | grep libldap
libldap-2.4.so.2 => /usr/local/openldap/lib64/libldap-2.4.so.2 (0x00007fae85d98000)

[12:03:12] root at freeradius:~ # readelf -a -W /usr/local/openldap/lib64/libldap-2.4.so.2 | grep ldap_sasl_interactive_bind
0000000000248e60  000000fa00000007 R_X86_64_JUMP_SLOT     00000000000178a0 ldap_sasl_interactive_bind + 0
   250: 00000000000178a0   375 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind
   643: 0000000000017a20   253 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind_s
   930: 0000000000017a20   253 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind_s
  1071: 00000000000178a0   375 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind
+++++++++

Any idea why that is?

Best regards,
Daniel
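An added check, not part of the thread and not FreeRADIUS project code, for the situation above. The "Linked libldap does not provide ldap_sasl_interactive_bind function" message is, as far as I know, emitted when rlm_ldap was compiled without HAVE_LDAP_SASL_INTERACTIVE_BIND, i.e. it reflects the build-time configure test, not a runtime lookup, so a libldap that exports the symbol at runtime cannot fix it. The useful question is therefore whether rlm_ldap.so itself references the symbol (an UND entry in its dynamic symbol table). The helper names (classify_symbol, symbol_status, check_rlm_ldap) are mine, and the embedded readelf listings are constructed samples modelled on the one in the message so the classifier can be run offline. Note that "continuing without SASL" means a simple bind, which sends the bind password in clear unless the connection is protected with StartTLS or ldaps.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project).
# Distinguish "the library exports the function" from "the module was built
# to call it", using readelf's dynamic symbol table.

# classify_symbol SYMBOL: read `readelf -W --dyn-syms FILE` output on stdin
# and print "defined" (exported, real section index), "imported"
# (referenced but undefined, section UND) or "absent".
classify_symbol() {
    awk -v sym="$1" '
        # Column layout: Num: Value Size Type Bind Vis Ndx Name[@version]
        NF >= 8 && $4 == "FUNC" {
            name = $8; sub(/@.*/, "", name)      # drop symbol version suffix
            if (name != sym) next
            if ($7 == "UND") { if (st != "defined") st = "imported" }
            else st = "defined"
        }
        END { if (st == "") st = "absent"; print st }
    '
}

# symbol_status FILE SYMBOL: classify SYMBOL in the ELF object FILE.
symbol_status() {
    readelf -W --dyn-syms "$1" | classify_symbol "$2"
}

# check_rlm_ldap MODULE: report the module's own view of the symbol and the
# libldap the dynamic linker would resolve for it. Assumption (rlm_ldap
# source as I read it): the module only references ldap_sasl_interactive_bind
# when built with HAVE_LDAP_SASL_INTERACTIVE_BIND.
check_rlm_ldap() {
    mod="$1"; sym=ldap_sasl_interactive_bind
    mod_st=$(symbol_status "$mod" "$sym")
    printf '%s: %s\n' "$mod" "$mod_st"
    lib=$(ldd "$mod" | awk '/libldap/ { print $3; exit }')
    if [ -n "$lib" ]; then
        printf '%s: %s\n' "$lib" "$(symbol_status "$lib" "$sym")"
    fi
    case "$mod_st" in
        imported) echo "module built with SASL support; sasl.mech can be used" ;;
        absent)   echo "module built without SASL support; rebuild rlm_ldap against a SASL-capable libldap" ;;
        defined)  echo "unexpected: module exports the symbol itself" ;;
    esac
}

# Constructed sample listings (modelled on the thread's readelf output).
SAMPLE_LIBLDAP='   250: 00000000000178a0   375 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind
   643: 0000000000017a20   253 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind_s'
SAMPLE_MODULE_WITH_SASL='    42: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ldap_sasl_interactive_bind
    43: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ldap_simple_bind'
SAMPLE_MODULE_NO_SASL='    43: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ldap_simple_bind'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LIBLDAP"          | classify_symbol ldap_sasl_interactive_bind
printf '%s\n' "$SAMPLE_MODULE_WITH_SASL" | classify_symbol ldap_sasl_interactive_bind
printf '%s\n' "$SAMPLE_MODULE_NO_SASL"   | classify_symbol ldap_sasl_interactive_bind

# Real check, only if the module from the thread exists on this host.
if [ -r /usr/lib64/freeradius/rlm_ldap.so ]; then
    check_rlm_ldap /usr/lib64/freeradius/rlm_ldap.so
fi
```

If the module reports "absent" while the resolved libldap reports "defined", the library is fine and the module binary is what has to change; the readelf output in the message only shows the library side.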


________________________________
From: Matthew Newton <mcn at freeradius.org>
Sent: Thursday, August 22, 2019 12:27
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Daniel Osielczak <d.osielczak at improvedigital.com>
Subject: Re: Problem with authentication against FreeIPA

On Thu, 2019-08-22 at 06:41 +0000, Daniel Osielczak via Freeradius-Users wrote:
> FreeRADIUS Version 3.0.13
...
> rlm_ldap (ldap): Connecting to ldap://ipa1.domain:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
...
> (0) ldap: Using user DN from request "uid=newldaptest,cn=users,cn=accounts,dc=domain"
> (0) ldap: Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> (0) ldap: ERROR: Bind with uid=newldaptest,cn=users,cn=accounts,dc=domain to ldap://ipa1.domain:389 failed: Local error

Looks like you're using CentOS/RHEL, which has ldap compiled against
NSS. That breaks things with FreeRADIUS (compiled against OpenSSL).

Try installing the FreeRADIUS packages from
https://packages.networkradius.com/ and follow the instructions on that
page to install the LDAP libraries from the LTB project instead, which
are compiled against OpenSSL.

--
Matthew



