FreeRadius Fun

After upgrading a system from Fedora Core 1 to Fedora Core 2 I noticed that FreeRadius was unable to bind to any LDAP tree. Whenever FreeRadius’s rlm_ldap would attempt to bind to the tree it would segfault deep inside OpenLDAP whenever it called certain sasl functions.

FreeRadius 0.9.3 and other versions are needlessly linked against libsasl (provided by cyrus-sasl) in their rlm_ldap module. rlm_ldap does not need to be linked against libsasl as it makes no calls to the library and OpenLDAP, which does use libsasl, is already linked against it. This needless linking creates a problem because in many modern distributions (such as Fedora Core 2) the openldap libraries link against a different version of libsasl then the “default” newer libsasl. The two versions of libsasl are not drop in replacements for each other and have differing APIs. This leads to guaranteed segfaults when code in openldap calls the incorrect version of libsasl which was happening on a recently upgraded Radius server at work.

The problem and solution is discussed in FreeRadius Bug #73 (symptoms of the problem appear in Red Hat’s bugzilla as bug #124688).

To fix the problem you must modify the configure.in file in the rlm_ldap build directory and remove the unneeded libsasl dependency. The following commands (run from the base of the freeradius-0.9.3 source directory) should fix the issue and be fairly version independent:

cd src/modules/rlm_ldap
mv configure.in configure.in.old
sed "s/AC_SMART_CHECK_LIB(sasl, sasl_encode)//" configure.in.old > configure.in
autoconf-2.13 -l ../../..

After running this you should be able to run the configure script for the entire source tree and compile FreeRadius. The resulting executables and rlm_ldap shared object file should not be linked against libsasl.

Those wishing to generate custom RPMS with the above fix for Fedora Core 2 will want to grab a copy of freeradius-0.9.3-4.src.rpm from your local Fedora Core 2 mirror. “Install” the source RPM by using the “rpm -Uvh freeradius-0.9.3-4.src.rpm” command. You should have a /usr/src/redhat/SPECS/freeradius.spec file. Edit this file and add the above lines below the last %patch directive in the %pre section. You should add autoconf213 to the BuildRequires space delimited list. You may also wish to add an “Epoch: 1” line towards the top of the file to bump up the epoch so future automated updates don’t overwrite your custom file. At this point a “rpmbuild -bb /usr/src/redhat/SPECS/freeradius.spec” and some time are all that is needed to build the required RPMs. (Watch the output towards the end for the filenames of the newly created RPMs.)