SASL problems with spnego on 8.0-BETA4

Rick Macklem rmacklem at
Fri Sep 18 21:32:41 UTC 2009

On Fri, 18 Sep 2009, John Marshall wrote:

> On Thu, 17 Sep 2009, 21:28 +0300, George Mamalakis wrote:
>> Dear all,
>> I am trying to setup ldap with heimdal on my fbsd 8.0-BETA4 and when I
>> run ldapsearch to see if I can authenticate via GSSAPI I keep getting
>> the following error:
>> [root at ldap root]# ldapsearch  -H "ldap://" -b
>> "dc=example,dc=com"
>> SASL/GSSAPI authentication started
>> dlopen: /usr/lib/ Undefined symbol
>> ldap_sasl_interactive_bind_s: Local error (-2)
I don't know if you guys feel like experimenting, but here's what little
I know about the heimdal/gssapi setup.

When cyrus-sasl2 builds, it uses the little shell script
/usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
libraries to link against. This doesn't return "-lgssapi_spnego" in the
list. (The list can be changed by editting line #96 of 

Nothing seems to link against "-lgssapi_spnego", so it's a mystery to
me how it ends up using it? (Maybe others with knowledge on how FreeBSD
loads libraries can explain it. The library is listed in /etc/gss/mech.)

GSS_C_NT_HOSTBASED_SERVICE is defined in the file gss_names.o in 
"-lgssapi", which is at the beginning of the list of libraries 
returned by "krb5-config --libs gssapi".

I'm hoping that someone who understands how libraries get loaded can
solve the puzzle, but barring that, you could try added "-lgssapi_spnego"
to line #96 of /usr/bin/krb5-config in front of "-lgssapi" and see if that
gets things to load properly?

Not much help, but I don't know how to test this stuff, rick

More information about the freebsd-stable mailing list