Network RADIUS packages and LDAP/SASL
Alan DeKok
aland at deployingradius.com
Wed Oct 26 14:29:25 UTC 2022
On Oct 26, 2022, at 9:57 AM, Adam Bishop via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I'm working on rebuilding our internal RADIUS systems, using the Network RADIUS packages rather than our own.
>
> Our LDAP configuration uses SASL to authenticate to 389ds via a UNIX socket - works OK on RHEL 7.
>
> The RHEL 8 hosts though (with the LTB packages) fail with:
>
> ...
> rlm_ldap: libldap vendor: OpenLDAP, version: 20459
> Configuration item 'sasl.mech' not supported. Linked libldap does not provide ldap_sasl_interactive_bind function
> ...
>
> As far as I can tell, the ltb LDAP does export that symbol:
>
> # nm -gD /usr/local/openldap/lib64/libldap.so | grep ldap_sasl_interactive_bind
> 0000000000017760 T ldap_sasl_interactive_bind
> 00000000000178c0 T ldap_sasl_interactive_bind_s
>
> So I'm guessing that the ltb libldap isn't being linked at runtime?

The error from FreeRADIUS is a *build* error, i.e. at build time, the build determined that libldap didn't have ldap_sasl_interactive_bind. And then refuses to even use it.

What happens at run time doesn't matter, because FreeRADIUS isn't even trying to use that function.

> If that's the case, is there a way to configure FreeRADIUS to use the ltb versions, or do I need to start overriding LD_PRELOAD_PATH/hand edit ld.conf?
> I'm not 100% sure how it would be linking at the moment, as I don't see the ltb so's in the output of ldconfig.

You'll need to rebuild FreeRADIUS.

> Or am I just completely wrong and the ltb packages don't support SASL :)

It looks like they don't.

Sometimes libraries have "stub" symbols which don't work. :(

Alan DeKok.
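
A diagnostic for the build-time versus run-time distinction discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it compares what libldap exports with what the rlm_ldap module actually imports. It assumes a module built without the SASL code path carries no undefined reference to the symbol; the function names, the module listings and the rlm_ldap.so path are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic example; not from the thread or from FreeRADIUS.
SYM=ldap_sasl_interactive_bind

# has_symbol TYPES: read `nm -D` output on stdin; succeed if SYM appears
# with one of the given nm type letters. Symbol-version suffixes are stripped.
has_symbol() {
    awk -v s="$SYM" -v t="$1" '
        NF >= 2 { n = $NF; sub(/@.*/, "", n)
                  if (n == s && index(t, $(NF-1))) f = 1 }
        END { exit !f }'
}

# diagnose LIB_NM MOD_NM: compare the library's exports with the module's imports.
# Assumption: a module compiled without the SASL code path has no undefined
# reference (type U) to SYM, so no library swap at run time can enable it.
diagnose() {
    if printf '%s\n' "$2" | has_symbol U; then
        echo "module-references-symbol"   # resolved at load time
    elif printf '%s\n' "$1" | has_symbol TW; then
        echo "rebuild-module"             # library exports it, module never calls it
    else
        echo "library-lacks-symbol"
    fi
}

# Library listing as quoted in the thread.
LIB_NM='0000000000017760 T ldap_sasl_interactive_bind
00000000000178c0 T ldap_sasl_interactive_bind_s'

# Constructed module listings (not real rlm_ldap output).
MOD_NOSASL='                 U ldap_initialize
                 U ldap_sasl_bind
                 U ldap_set_option'
MOD_SASL="$MOD_NOSASL
                 U ldap_sasl_interactive_bind"

echo "without SASL path: $(diagnose "$LIB_NM" "$MOD_NOSASL")"
echo "with SASL path:    $(diagnose "$LIB_NM" "$MOD_SASL")"

# Real use (module path is a placeholder):
#   diagnose "$(nm -gD /usr/local/openldap/lib64/libldap.so)" \
#            "$(nm -D /path/to/rlm_ldap.so)"
```

A "rebuild-module" result only shows the symbol is exported; it does not prove the library's implementation is functional, since an exported symbol can still be a stub.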