Problem with authentication against FreeIPA

Daniel Osielczak d.osielczak at
Mon Oct 21 14:00:55 CEST 2019

Thanks Alan,

the error is a bit misleading I guess.

[13:53:39] root at freeradius:~ # rpm -q --whatprovides /usr/lib64/freeradius/

Given that the package comes from the NetworkRadius repo, I don't think there is an easy way around it (other than building the library with SASL enabled, which adds quite a burden to maintenance).

Thanks for all the help,
From: Freeradius-Users < at> on behalf of Alan DeKok <aland at>
Sent: Monday, October 21, 2019 13:47
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Problem with authentication against FreeIPA

On Oct 21, 2019, at 6:04 AM, Daniel Osielczak via Freeradius-Users <freeradius-users at> wrote:
> I got it to work but there is a weird issue with SASL:
> ++++++++
> rlm_ldap: libldap vendor: OpenLDAP, version: 20448
> rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
> rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
> /etc/raddb/mods-enabled/ldap[5]: Configuration item 'sasl.mech' not supported.  Linked libldap does not provide ldap_sasl_interactive_bind function
> /etc/raddb/mods-enabled/ldap[5]: Instantiation failed for module "ldap"
> +++++++++
> This is by no means a deal-breaker in our current setup so I continue to use radius without SASL but I find it odd, especially that both libldaps (the CentOS one and the NetworkRADIUS one) actually provide this function.

  The message really means that SASL was not found when rlm_ldap was built.  It doesn't really matter if libldap provides a ldap_sasl_interactive_bind function, as it's hard for rlm_ldap to determine that at run-time.

> Any idea why that is?

  rlm_ldap has to be built with SASL support.  See the output of configure as to why it's not building with SASL support.

  Alan DeKok.
