[squid-users] ext_kerberos_ldap_group_acl problem (Solved for me for now)
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 25 13:38:06 UTC 2016
Ok, found it.
So, a summary for Squid 3.5.19 + Samba 4.4.5, Kerberos auth and Kerberos groups on Debian Jessie.
By default the package libsasl2-modules-gssapi-mit was not installed.
So I installed it: apt-get install libsasl2-modules-gssapi-mit
I always install with --no-install-recommends; here I missed this package.
After installing, it works fine, at least...
This works : (SASL/GSSAPI over port 389)
/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM
But with ssl enabled..
SASL/GSSAPI over port 636 (ldaps)
/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s
Or ..
SASL/GSSAPI over port 636 (ldaps) without cert checks.
/usr/lib/squid3/ext_kerberos_ldap_group_acl -g group-mail@REALM -D REALM -N group-mail@REALM -s -a
And I also tried adding this to /etc/default/squid:
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE
And adding the _ldaps._tcp records to the samba4/bind_dlz DNS didn't help.
(samba-tool dns add ADDC.FQDN REALM _ldaps._tcp SRV 'host.internal.domain.tld 636 0 100')
The log part of the remaining errors:
But no need to fix this for me; I'm putting this here so people can find it as a reference.
DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
ERROR: Error while binding to ldap server with SASL/GSSAPI: Strong(er) authentication required
DEBUG: Setting up connection to ldap server hostname.internal.domain.tld:636
DEBUG: Set SSL defaults
DEBUG: Disable server certificate check for ldap server.
ERROR: Error while setting start_tls for ldap server: Operations error
DEBUG: Bind to ldap server with SASL/GSSAPI
ERROR: ldap_sasl_interactive_bind_s error: Strong(er) authentication required
And if someone finds the solution for the above, it would be nice to report it here.
Greetz,
Louis