[squid-users] ext_kerberos_ldap_group_acl problem

Mon Aug 29 08:11:12 UTC 2016

Hello Markus, 

No, im not useing the latest from trunk Atm i use the ( by debian testing ) supplied 3.5.19.

If you want me test test something, im happy to do that for you. 

Best regards, 

Louis

Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Markus Moeller
Verzonden: zaterdag 27 augustus 2016 16:38
Aan: squid-users at lists.squid-cache.org
Onderwerp: Re: [squid-users] ext_kerberos_ldap_group_acl problem

Hi  Louis,

    I made lately a change in how the SSL certifcate verification is done.  Did you use the latest version from trunk ?  Also set the variable TLS_CACERTFILE in your startup script (e.g. export TLS_CACERTFILE=/etc/mydir/cas.pem ). I do not read any ldap.conf file for this yet.

Markus

"L.P.H. van Belle" <belle at bazuin.nl> wrote in message news:vmime.57beabe1.6a01.3a47ad2737b8db71 at ms249-lin-003.rotterdam.bazuin.nl...

Hai, 

I’ve added the needed upn, setup the _ldaps in the dns zones, thats ok now. 

The last part, here i need some help.

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc1.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

support_ldap.cc(942): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Setting up connection to ldap server samba-dc2.internal.domain.tld:636

support_ldap.cc(786): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set SSL defaults

support_ldap.cc(531): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Enable server certificate check for ldap server.

support_ldap.cc(544): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable through setting environment variable TLS_CACERTFILE)

support_ldap.cc(800): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server

support_ldap.cc(953): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI

support_sasl.cc(276): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

support_ldap.cc(957): pid=26693 :2016/08/25 08:52:33| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

I tried to set 

TLS_CACERTFILE in ldap.conf, didnt work, so dont know how to fix this or there to put these variables. 

I need a user to connect to the ldap.  Hi have that one in place. 

I just can find how to put this in this line so i can test this out, but i can only authenticate if the TLS_CACERTFILE is set correctly. 

Any suggestions here? 

Greetz, 

Louis

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160829/06d53cde/attachment.html>