[squid-users] Error determining LDAP server type: Timed out
Reinhard Westerholt
reinhard.westerholt at gmail.com
Mon Apr 7 18:42:51 UTC 2025
Hello everybody,
I have configured Squid to use Kerberos authentication and employed
ext_kerberos_ldap_group_acl to limit HTTP access. This setup works fine in
most cases. However, randomly (and rarely), there seems to be an issue with
the LDAP query, causing the Active Directory groups to fail to resolve,
which subsequently denies user access. When this occurs, the issue persists
for about an hour. I suspect this might be due to caching or TTL.
Here is a relevant part of the configuration:
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/server.fqdn@domain
auth_param negotiate children 500
auth_param negotiate keep_alive on
external_acl_type INetAccess ttl=3600 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"
The debug output from `ext_kerberos_ldap_group_acl` appears as follows when
the error occurs:
support_resolv.cc(445): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Host: DOMAIN Port: -1 Priority: -2 Weight: -2
support_ldap.cc(1066): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Setting up connection to LDAP server server.fqdn:389
support_ldap.cc(1079): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Bind to LDAP server with SASL/GSSAPI
support_ldap.cc(1097): pid=2574238 :2025/04/07 13:49:55| kerberos_ldap_group: DEBUG: Successfully initialized connection to LDAP server server.fqdn:389
support_ldap.cc(314): pid=2574238 :2025/04/07 13:49:55| kerberos_ldap_group: DEBUG: Search LDAP server with bind path "" and filter: (objectclass=*)
support_ldap.cc(336): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: DEBUG: Did not find LDAP entry for subschemasubentry
support_ldap.cc(339): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: DEBUG: Determined LDAP server not as an Active Directory server
support_ldap.cc(1213): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: ERROR: Error determining LDAP server type: Timed out
I manually attempted to retrieve the subschemasubentry using ldapsearch. As
far as I can see, there is no issue, or I could not reproduce the problem
manually via ldapsearch.
Does anyone have any ideas on how to further debug this issue?
Additionally, are there any recommendations regarding the TTL value? If I
reduce the TTL, the duration of the issue might be shorter for individual
users.
Thanks in advance.
Kind regards,
Reinhard Westerholt
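The debug output above shows the helper bind completing in about 3 s and the subschemasubentry search then sitting for 30 s before the "Timed out" error, which is what turns a transient LDAP stall into a cached denial. The following is an added example (not code from the post or from Squid) that parses helper debug lines of this format, measures the gap between consecutive steps of one helper process, and lists the runs that ended in the server-type timeout, so the condition can be spotted in live logs rather than only after users complain. The log format and the 10 s threshold are assumptions taken from the quoted lines.

```python
import re
from datetime import datetime

# Line format of ext_kerberos_ldap_group_acl debug output, as quoted in the
# post with each entry rejoined onto one line (assumed format).
LINE_RE = re.compile(
    r"^(?P<src>\S+\(\d+\)): pid=(?P<pid>\d+) :(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|"
    r"\s*kerberos_ldap_group: (?P<level>\w+): (?P<msg>.*)$"
)

# Constructed sample: the session quoted in the post, one entry per line.
SAMPLE_LOG = """\
support_resolv.cc(445): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Host: DOMAIN Port: -1 Priority: -2 Weight: -2
support_ldap.cc(1066): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Setting up connection to LDAP server server.fqdn:389
support_ldap.cc(1079): pid=2574238 :2025/04/07 13:49:52| kerberos_ldap_group: DEBUG: Bind to LDAP server with SASL/GSSAPI
support_ldap.cc(1097): pid=2574238 :2025/04/07 13:49:55| kerberos_ldap_group: DEBUG: Successfully initialized connection to LDAP server server.fqdn:389
support_ldap.cc(314): pid=2574238 :2025/04/07 13:49:55| kerberos_ldap_group: DEBUG: Search LDAP server with bind path "" and filter: (objectclass=*)
support_ldap.cc(336): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: DEBUG: Did not find LDAP entry for subschemasubentry
support_ldap.cc(339): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: DEBUG: Determined LDAP server not as an Active Directory server
support_ldap.cc(1213): pid=2574238 :2025/04/07 13:50:25| kerberos_ldap_group: ERROR: Error determining LDAP server type: Timed out
"""

def parse(text):
    """Yield (pid, timestamp, level, message) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            yield int(m["pid"]), ts, m["level"], m["msg"]

def slow_phases(text, threshold_s=10):
    """Return [(pid, step_message, seconds)] for steps that took at least
    threshold_s, measured as the gap between one log line and the next line
    written by the same helper pid."""
    last = {}    # pid -> (timestamp, message) of the previous line
    found = []
    for pid, ts, _level, msg in parse(text):
        if pid in last:
            prev_ts, prev_msg = last[pid]
            gap = (ts - prev_ts).total_seconds()
            if gap >= threshold_s:
                found.append((pid, prev_msg, gap))
        last[pid] = (ts, msg)
    return found

def timed_out_sessions(text):
    """Sorted pids of helper runs that ended with the 'Timed out' server-type error."""
    return sorted({pid for pid, _ts, level, msg in parse(text)
                   if level == "ERROR" and msg.endswith("Timed out")})
```

On the quoted session, `slow_phases` attributes the 30 s to the subschemasubentry search step, not to the SASL/GSSAPI bind, which narrows the investigation to the rootDSE search and the LDAP search timeout rather than Kerberos.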