[squid-users] ext_kerberos_ldap_group_acl problem (Solved for me for now)

L.P.H. van Belle belle at bazuin.nl
Thu Aug 25 13:38:06 UTC 2016


Ok, found it.

So a summary for squid 3.5.19 + samba 4.4.5, kerberos auth and kerberos groups on debian jessie.

By default the package libsasl2-modules-gssapi-mit was not installed.

So I installed it:  apt-get install libsasl2-modules-gssapi-mit

I always install with --no-install-recommends, here I missed this package.

After installing it works fine, at least, ..

This works: (SASL/GSSAPI over port 389)

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM

But with ssl enabled..

SASL/GSSAPI over port 636 (ldaps)

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s

Or ..

SASL/GSSAPI over port 636 (ldaps) without cert checks.

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s -a

And I also tried adding this to /etc/default/squid:

TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

And adding the _ldaps._tcp records to the samba4/bind_dlz dns didn't help.

(samba-tool dns add ADDC.FQDN REALM _ldaps._tcp SRV 'host.internal.domain.tld 636 0 100')

The log part of the remaining errors.

But no need to fix this for me, I'm putting this here so people can find it as reference.

DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
ERROR: Error while binding to ldap server with SASL/GSSAPI: Strong(er) authentication required
DEBUG: Setting up connection to ldap server hostname.internal.domain.tld:636
DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required

And if someone finds the solution for this above, that would be nice to report here.

Greetz,

Louis
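As an added example (not code from Louis's post or from the Squid project), here is a small POSIX shell preflight that checks the layers a SASL/GSSAPI bind from ext_kerberos_ldap_group_acl depends on, in the order the post worked through them: the Cyrus SASL GSSAPI plugin package, a valid Kerberos ticket, a plain ldapsearch GSSAPI bind over ldap:// or ldaps://, and finally the helper itself in debug mode with each output line tagged by the layer it points at. The hostnames, realm, group and user, the LDAPTLS_CACERT setting, the "No worthy mechs" / "Unknown authentication method" strings and the tagging rules are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: preflight for a SASL/GSSAPI LDAP
# bind as used by ext_kerberos_ldap_group_acl.  Debian package names and paths,
# and all hostnames/realms passed in by the caller, are assumptions.

# Layer 1: the Cyrus SASL GSSAPI plugin the post found missing.
gssapi_plugin_installed() {
    dpkg-query -W -f='${Status}\n' libsasl2-modules-gssapi-mit 2>/dev/null \
        | grep -q 'install ok installed'
}

# Build the LDAP URI the way the helper's -s flag switches transports:
# plain LDAP on 389, or LDAPS on 636.  Usage: ldap_uri HOST [ssl]
ldap_uri() {
    if [ "${2:-}" = "ssl" ]; then
        echo "ldaps://$1:636"
    else
        echo "ldap://$1:389"
    fi
}

# Tag a helper/libldap output line with the layer it points at, so a log like
# the one in the post can be read at a glance.  Only ERROR lines are tagged as
# failures; DEBUG lines come back as "ok".
# Prints: missing-gssapi | tls | auth | unknown | ok
classify_ldap_error() {
    case "$1" in
        ERROR*"No worthy mechs"*|ERROR*"Unknown authentication method"*) echo missing-gssapi ;;
        ERROR*start_tls*|ERROR*TLS*|ERROR*certificate*)                 echo tls ;;
        ERROR*"Strong(er) authentication required"*)                    echo auth ;;
        ERROR*)                                                          echo unknown ;;
        *)                                                               echo ok ;;
    esac
}

# Run the checks that need a live DC.
# Usage: preflight DC_FQDN REALM GROUP USER [ssl]
# Stops at the first failing layer and names it on stderr.
preflight() {
    host=$1; realm=$2; group=$3; user=$4; mode=${5:-}
    uri=$(ldap_uri "$host" "$mode")

    gssapi_plugin_installed || { echo "FAIL: libsasl2-modules-gssapi-mit not installed" >&2; return 1; }
    klist -s || { echo "FAIL: no valid Kerberos ticket (kinit first)" >&2; return 2; }

    # LDAPTLS_CACERT is the OpenLDAP client library's CA-bundle variable; pointing
    # it at the system bundle is an assumption about the admin's setup.
    LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt; export LDAPTLS_CACERT

    # A GSSAPI bind through ldapsearch isolates libldap + SASL from the helper.
    ldapsearch -Q -LLL -Y GSSAPI -H "$uri" -s base -b '' namingContexts >/dev/null 2>&1 \
        || { echo "FAIL: SASL/GSSAPI bind via ldapsearch to $uri" >&2; return 3; }

    # Finally the Squid helper itself with -d (debug) so every line can be tagged.
    # -s mirrors the ssl mode; the -a "no cert check" flag from the post is not used.
    set -- -g "$group@$realm" -D "$realm" -N "$group@$realm" -d
    [ "$mode" = "ssl" ] && set -- "$@" -s
    printf '%s\n' "$user" \
        | /usr/lib/squid3/ext_kerberos_ldap_group_acl "$@" 2>&1 \
        | while IFS= read -r line; do
            printf '%-16s %s\n' "[$(classify_ldap_error "$line")]" "$line"
          done
}

# Live checks run only when invoked with arguments, e.g.:
#   sh preflight.sh dc1.internal.domain.tld REALM group-mail someuser ssl
if [ $# -ge 4 ]; then
    preflight "$@"
fi
```

Running it twice, once without and once with `ssl`, reproduces the split the post describes: if the ldapsearch step already fails only for ldaps://, the problem is in the TLS layer of libldap rather than in the helper or in Kerberos.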
