Problem with authentication against FreeIPA

Daniel Osielczak d.osielczak at improvedigital.com
Mon Oct 21 14:00:55 CEST 2019


Thanks Alan,

the error is a bit misleading I guess.

[13:53:39] root@freeradius:~ # rpm -q --whatprovides /usr/lib64/freeradius/rlm_ldap.so
freeradius-ldap-3.0.19-2.el7.x86_64

Given that the package comes from the NetworkRadius repo, I don't think there is an easy way around it (other than building the library with SASL enabled, which adds quite a burden to maintenance).

Thanks for all the help,
Daniel
________________________________
From: Freeradius-Users <freeradius-users-bounces+d.osielczak=improvedigital.com at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Monday, October 21, 2019 13:47
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Problem with authentication against FreeIPA

On Oct 21, 2019, at 6:04 AM, Daniel Osielczak via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I got it to work but there is a weird issue with SASL:
>
> ++++++++
> rlm_ldap: libldap vendor: OpenLDAP, version: 20448
> rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
> rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
> /etc/raddb/mods-enabled/ldap[5]: Configuration item 'sasl.mech' not supported.  Linked libldap does not provide ldap_sasl_interactive_bind function
> /etc/raddb/mods-enabled/ldap[5]: Instantiation failed for module "ldap"
> +++++++++
>
> This is by no means a deal-breaker in our current setup so I continue to use radius without SASL but I find it odd, especially that both libldaps (the CentOS one and the NetworkRADIUS one) actually provide this function.

  The message really means that SASL was not found when rlm_ldap was built.  It doesn't really matter if libldap provides a ldap_sasl_interactive_bind function, as it's hard for rlm_ldap to determine that at run-time.

> Any idea why that is?

  rlm_ldap has to be built with SASL support.  See the output of configure as to why it's not building with SASL support.

  Alan DeKok.

