
sys: also try loading kadm5 libraries by SONAME #435

Merged: rissson merged 9 commits into authentik-community:main from emilburzo:main on May 11, 2026

Conversation

@emilburzo
Contributor

Changes

Adds reading the SONAME from each library's unversioned .so symlink at build time via goblin, embeds the SONAMEs as KADMIN_BUILD_*_SONAMES env vars, and tries them first in find_library.

SONAME lookups go through the ldconfig cache, which resolves against the runtime packages without needing the dev-package symlinks.

The existing path-based and unversioned-name fallbacks are kept, so any setup that works today keeps working.

Why?

To avoid requiring dev packages at runtime.

Why? (longer)

find_library constructs dlopen paths as format!("{}/lib{}.so", path, library) and the fallback path uses the unversioned lib*.so directly.

On Debian/Ubuntu those unversioned .so files ship only in the dev packages: krb5-multidev and heimdal-multidev.

The runtime packages (libkadm5clnt-mit12, libkadm5clnt7t64-heimdal, ...) ship only the SONAME-versioned files (libkadm5clnt_mit.so.12, libkadm5clnt.so.7, ...).


Verification notes

I ran through these to make sure everything works; noting them here in case they are needed in the future. Feel free to skip reading.

  • Spin up a new docker container: docker run -it --rm ubuntu:24.04 bash
  • Install the dev packages: apt install krb5-multidev heimdal-multidev libkrb5-dev
  • (Download the project and setup Rust)
  • Build: cargo build --features log 2>&1 and check the SONAMEs are discovered:
warning: kadmin@0.7.1: Found MIT Kerberos kadm5-client. Includes: {"/usr/include/mit-krb5"}. Links: {"/usr/lib/x86_64-linux-gnu/mit-krb5"}. Libraries: {"kadm5clnt_mit"}. SONAMEs: {"libkadm5clnt_mit.so.12"}
warning: kadmin@0.7.1: Found MIT Kerberos kadm5-server. Includes: {"/usr/include/mit-krb5"}. Links: {"/usr/lib/x86_64-linux-gnu/mit-krb5"}. Libraries: {"kadm5srv_mit"}. SONAMEs: {"libkadm5srv_mit.so.12"}
warning: kadmin@0.7.1: Found Heimdal Kerberos kadm5-client. Includes: {"/usr/include/heimdal"}. Links: {"/usr/lib/x86_64-linux-gnu/heimdal"}. Libraries: {"kadm5clnt"}. SONAMEs: {"libkadm5clnt.so.7"}
warning: kadmin@0.7.1: Found Heimdal Kerberos kadm5-server. Includes: {"/usr/include/heimdal"}. Links: {"/usr/lib/x86_64-linux-gnu/heimdal"}. Libraries: {"kadm5srv"}. SONAMEs: {"libkadm5srv.so.8"}
  • Run the tests and check the trace logs:
    • cargo test --features log --no-run
    • RUST_LOG=trace target/debug/deps/kadmin-* --nocapture sys::tests:: 2>&1 | grep -v DEBUG
running 4 tests
[TRACE kadmin::sys] Trying to load library at path libkadm5srv.so.8
[TRACE kadmin::sys] Successfully loaded library at libkadm5srv.so.8
test sys::tests::library_load_heimdal_server ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5clnt.so.7
[TRACE kadmin::sys] Successfully loaded library at libkadm5clnt.so.7
test sys::tests::library_load_heimdal_client ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5clnt_mit.so.12
[TRACE kadmin::sys] Successfully loaded library at libkadm5clnt_mit.so.12
test sys::tests::library_load_mit_client ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5srv_mit.so.12
[TRACE kadmin::sys] Successfully loaded library at libkadm5srv_mit.so.12
test sys::tests::library_load_mit_server ... ok
  • Remove the dev packages: apt-get purge -y krb5-multidev heimdal-multidev libkrb5-dev, removing the unversioned .so files
  • Re-run the tests and check the trace logs:
    • RUST_LOG=trace target/debug/deps/kadmin-* --nocapture sys::tests:: 2>&1 | grep -v DEBUG
running 4 tests
[TRACE kadmin::sys] Trying to load library at path libkadm5srv.so.8
[TRACE kadmin::sys] Successfully loaded library at libkadm5srv.so.8
test sys::tests::library_load_heimdal_server ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5clnt.so.7
[TRACE kadmin::sys] Successfully loaded library at libkadm5clnt.so.7
test sys::tests::library_load_heimdal_client ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5clnt_mit.so.12
[TRACE kadmin::sys] Successfully loaded library at libkadm5clnt_mit.so.12
test sys::tests::library_load_mit_client ... ok
[TRACE kadmin::sys] Trying to load library at path libkadm5srv_mit.so.12
[TRACE kadmin::sys] Successfully loaded library at libkadm5srv_mit.so.12
test sys::tests::library_load_mit_server ... ok
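
The lookup order described in this PR, as an added Rust example that is not the kadmin crate's code: SONAMEs first, then the path-based name, then the bare unversioned name. The function names and the two constructed host models (`runtime_only`, `with_dev_package`) are assumptions; the library name, SONAME and link directory are taken from the build log above.

```rust
// Added illustration, not the kadmin crate's code; all function names are hypothetical.

/// Candidate names in the order the PR describes: SONAMEs first, then
/// `{path}/lib{library}.so`, then the bare unversioned name.
/// A name without a slash is left to the dynamic loader's own search
/// (the ldconfig cache among its locations); a path is opened as given.
fn candidates(sonames: &[&str], link_paths: &[&str], library: &str) -> Vec<String> {
    let mut out: Vec<String> = sonames.iter().map(|s| s.to_string()).collect();
    out.extend(link_paths.iter().map(|p| format!("{}/lib{}.so", p, library)));
    out.push(format!("lib{}.so", library));
    out
}

/// First candidate the opener accepts; `opens` stands in for dlopen.
fn find_library<F: Fn(&str) -> bool>(cands: &[String], opens: F) -> Option<String> {
    cands.iter().find(|c| opens(c.as_str())).cloned()
}

const LINK_DIR: &str = "/usr/lib/x86_64-linux-gnu/mit-krb5";
const SONAME: &str = "libkadm5clnt_mit.so.12";

/// Constructed model: runtime package only, so just the SONAME resolves.
fn runtime_only(name: &str) -> bool {
    name == SONAME
}

/// Constructed model: dev package adds the unversioned symlink in LINK_DIR.
fn with_dev_package(name: &str) -> bool {
    runtime_only(name) || name == format!("{}/libkadm5clnt_mit.so", LINK_DIR)
}

/// Resolve the MIT client library with or without build-time SONAMEs.
fn load_mit_client(use_sonames: bool, opens: fn(&str) -> bool) -> Option<String> {
    let sonames: &[&str] = if use_sonames { &[SONAME] } else { &[] };
    find_library(&candidates(sonames, &[LINK_DIR], "kadm5clnt_mit"), opens)
}

fn main() {
    println!("paths only, runtime host: {:?}", load_mit_client(false, runtime_only));
    println!("paths only, dev host:     {:?}", load_mit_client(false, with_dev_package));
    println!("SONAME first, runtime:    {:?}", load_mit_client(true, runtime_only));
}
```

Without the SONAME candidates the runtime-only model finds nothing, which is the failure the PR removes; with them the first candidate already resolves.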

Copilot AI review requested due to automatic review settings May 8, 2026 08:05

Copilot AI left a comment


Pull request overview

This PR improves runtime dynamic loading of kadm5 libraries by preferring the libraries’ ELF SONAMEs (discovered at build time) before falling back to path-based and unversioned .so names, reducing the need for dev-package symlinks at runtime (notably on Debian/Ubuntu).

Changes:

  • Build-time SONAME discovery via goblin and embedding into KADMIN_BUILD_*_SONAMES env vars.
  • Runtime loader updated to try discovered SONAMEs first, then existing path/unversioned fallbacks.
  • Added goblin (and transitive deps) for build script ELF parsing.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| build.rs | Discovers SONAMEs from unversioned .so and exports them as build-time env vars. |
| src/sys.rs | Tries SONAME-based dlopen first in find_library, keeping existing fallbacks. |
| Cargo.toml | Adds goblin as a build-dependency for SONAME parsing. |
| Cargo.lock | Locks goblin and its transitive dependencies. |


Comment thread build.rs
rissson added 5 commits May 11, 2026 13:57
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
@rissson rissson changed the title from "load kadm5 libraries by SONAME" to "sys: also try loading kadm5 libraries by SONAME" May 11, 2026
rissson added 3 commits May 11, 2026 14:20
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
@rissson rissson merged commit ff740cc into authentik-community:main May 11, 2026
55 checks passed