Dino Edwards wrote:
> Hello,
>
> Hoping someone can help me with this issue I’m having. I’m building OpenLDAP
> from source using the following command:
>
> ./configure --prefix=/usr/local \
>       --with-tls \
>       --with-cyrus-sasl \
>       --enable-overlays \
>       --enable-modules \
>       --enable-argon2 \
>       --enable-remoteauth && \
>     make depend && make -j$(nproc) && make install && \
>     ldconfig
>
> It looks like it builds correctly, however I’m not seeing the remoteauth.la
> or remoteauth.so module under /usr/local/libexec/openldap directory. I’m only
> seeing the argon2.so and argon2.la. When I bootstrap the server with the
> following it doesn’t throw any errors:

Probably you're seeing an argon2 left over from some other build. When you just
use "--enable-remoteauth" it defaults to a static build, not a dynamic module.
So there is no remoteauth.la to install, the code is just part of the slapd
binary.
>
> modulepath /usr/local/libexec/openldap
> moduleload back_mdb.la
> moduleload argon2.la
> moduleload remoteauth.la
>
> The weird thing is that when I run this command it shows the installed
> modules with remoteauth being one of them:
>
> ldapsearch -Y EXTERNAL -H "$LDAPI_URI" -b "cn=module{0},cn=config" olcModuleLoad
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=module{0},cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: olcModuleLoad
> #
>
> # module{0}, config
> dn: cn=module{0},cn=config
> olcModuleLoad: {0}back_mdb.la
> olcModuleLoad: {1}argon2.la
> olcModuleLoad: {2}remoteauth.la
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, I’m not sure how it’s loading remoteauth.la since it’s not present under
> the /usr/local/libexec/openldap directory. As a matter of fact, it doesn’t
> seem to be anywhere on the file system.

It's not really loading remoteauth. The moduleload command knows if a module
was built statically and just silently succeeds for those. It works that way to
allow easy migration between builds with static vs dynamic modules.
>
> I tried authenticating a user using remoteauth to a remote AD directory and
> it didn’t seem to work. In all fairness, I’m not sure if I was doing it
> correctly.
>
> Thanks in advance


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
