Problem with authentication against FreeIPA
d.osielczak at improvedigital.com
Mon Oct 21 12:04:51 CEST 2019
I got it to work but there is a weird issue with SASL:
rlm_ldap: libldap vendor: OpenLDAP, version: 20448
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
/etc/raddb/mods-enabled/ldap: Configuration item 'sasl.mech' not supported. Linked libldap does not provide ldap_sasl_interactive_bind function
/etc/raddb/mods-enabled/ldap: Instantiation failed for module "ldap"
This is by no means a deal-breaker in our current setup so I continue to use radius without SASL but I find it odd, especially since both libldaps (the CentOS one and the NetworkRADIUS one) actually provide this function.
[12:02:56] root at freeradius:~ # ldd /usr/lib64/freeradius/rlm_ldap.so | grep libldap
libldap-2.4.so.2 => /usr/local/openldap/lib64/libldap-2.4.so.2 (0x00007fae85d98000)
[12:03:12] root at freeradius:~ # readelf -a -W /usr/local/openldap/lib64/libldap-2.4.so.2 | grep ldap_sasl_interactive_bind
0000000000248e60 000000fa00000007 R_X86_64_JUMP_SLOT 00000000000178a0 ldap_sasl_interactive_bind + 0
250: 00000000000178a0 375 FUNC GLOBAL DEFAULT 12 ldap_sasl_interactive_bind
643: 0000000000017a20 253 FUNC GLOBAL DEFAULT 12 ldap_sasl_interactive_bind_s
930: 0000000000017a20 253 FUNC GLOBAL DEFAULT 12 ldap_sasl_interactive_bind_s
1071: 00000000000178a0 375 FUNC GLOBAL DEFAULT 12 ldap_sasl_interactive_bind
Any idea why that is?
From: Matthew Newton <mcn at freeradius.org>
Sent: Thursday, August 22, 2019 12:27
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Daniel Osielczak <d.osielczak at improvedigital.com>
Subject: Re: Problem with authentication against FreeIPA
On Thu, 2019-08-22 at 06:41 +0000, Daniel Osielczak via Freeradius-
> FreeRADIUS Version 3.0.13
> rlm_ldap (ldap): Connecting to ldap://ipa1.domain:389
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> (0) ldap: Using user DN from request "uid=newldaptest,cn=users,cn=accounts,dc=domain"
> (0) ldap: Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> (0) ldap: ERROR: Bind with uid=newldaptest,cn=users,cn=accounts,dc=domain to ldap://ipa1.domain:389 failed: Local error
Looks like you're using CentOS/RHEL, which has ldap compiled against
NSS. That breaks things with FreeRADIUS (compiled against OpenSSL).
Try installing the FreeRADIUS packages from
https://packages.networkradius.com/ and follow the instructions on that
page to install the LDAP libraries from the LTB project instead, which
are compiled against OpenSSL.
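An added example, not part of the thread, that makes the ldd/readelf check above less error-prone: grepping `readelf -a` output also matches the R_X86_64_JUMP_SLOT relocation and any UND (imported) symbol-table entry, so only a FUNC entry with a real section index proves the library defines ldap_sasl_interactive_bind. The function names are my own, the module path is the one from the thread, and the sample readelf lines are constructed so the parsers run offline.

```shell
#!/bin/sh
# Added example, not from the thread: does the libldap that a module really
# links against *define* ldap_sasl_interactive_bind, or merely reference it?

# From `ldd` output on stdin, print the path a library name resolves to.
resolved_lib() {
    awk -v lib="$1" '$1 ~ ("^" lib) && $2 == "=>" { print $3; exit }'
}

# From `readelf -W --dyn-syms` output on stdin, succeed only if the named
# symbol has a FUNC entry whose section index (Ndx) is not UND; a version
# suffix such as name@VERSION is accepted. Relocation lines never match.
symbol_defined() {
    awk -v sym="$1" '
        $4 == "FUNC" && $7 != "UND" && ($8 == sym || $8 ~ ("^" sym "@")) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live check on a real box (needs ldd and readelf in PATH): returns 1 when
# the resolved libldap lacks the symbol, 2 when no libldap is linked at all.
check_rlm_ldap_sasl() {
    so="${1:-/usr/lib64/freeradius/rlm_ldap.so}"
    lib=$(ldd "$so" | resolved_lib libldap)
    [ -n "$lib" ] || { echo "no libldap linked into $so"; return 2; }
    if readelf -W --dyn-syms "$lib" | symbol_defined ldap_sasl_interactive_bind; then
        echo "$lib defines ldap_sasl_interactive_bind"
    else
        echo "$lib does NOT define ldap_sasl_interactive_bind"; return 1
    fi
}

# Constructed sample readelf lines (modelled on the thread's output): one
# library that exports the symbol, one that only imports it (Ndx = UND).
SAMPLE_DEFINED='   250: 00000000000178a0   375 FUNC    GLOBAL DEFAULT   12 ldap_sasl_interactive_bind'
SAMPLE_UND='     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ldap_sasl_interactive_bind'

demo() {
    printf '%s\n' "$SAMPLE_DEFINED" | symbol_defined ldap_sasl_interactive_bind \
        && echo "sample 1: symbol exported" || echo "sample 1: NOT exported"
    printf '%s\n' "$SAMPLE_UND" | symbol_defined ldap_sasl_interactive_bind \
        && echo "sample 2: symbol exported" || echo "sample 2: NOT exported (import only)"
}
demo
```

The live check only reports what the dynamic loader resolves at run time; whether rlm_ldap was built with SASL support is decided when the module itself is compiled, so a library that passes this check does not by itself clear the "sasl.mech not supported" error.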
More information about the Freeradius-Users