[squid-users] Assistance Required: Issues with Squid Kerberos + LDAP Group Configuration
Enfal Gok
enfal.gok2004 at gmail.com
Fri Jan 3 18:40:07 UTC 2025
Dear Squid Community/Support Team,
I am currently configuring Squid with Kerberos authentication and LDAP group-based access control. However, I am encountering persistent issues, and I would greatly appreciate your guidance. Below are the details of my configuration and the errors I am facing.
________________________________
Error Logs
The following errors repeatedly appear in the Squid logs:
2025/01/03 19:35:40 kid1| Starting new helpers
2025/01/03 19:35:40 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
support_sasl.cc(276): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(1086): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(1172): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with Username/Password: Encoding error
(ext_kerberos_ldap_group_acl): ../../../../libraries/liblber/io.c:108: ber_write: Assertion `buf != NULL' failed.
2025/01/03 19:35:41 kid1| WARNING: external_acl_type #Hlpr7 exited
2025/01/03 19:35:41 kid1| Too few external_acl_type processes are running (need 1/5)
________________________________
Current Configuration
Kerberos Authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/ubuntuserver.demo.local
auth_param negotiate children 10
auth_param negotiate keep_alive on
External ACL for LDAP Groups
external_acl_type kerberos_ldap_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
-P HTTP/ubuntuserver.demo.local@DEMO.LOCAL \
-D demo.local \
-b DC=demo,DC=local \
-l ldap://dc.demo.local \
-g FullAccess@DEMO.LOCAL:Restricted@DEMO.LOCAL:Filtered@DEMO.LOCAL:Blocked@DEMO.LOCAL
ACL Definitions
acl FullAccess external kerberos_ldap_group FullAccess@DEMO.LOCAL
acl Restricted external kerberos_ldap_group Restricted@DEMO.LOCAL
acl Filtered external kerberos_ldap_group Filtered@DEMO.LOCAL
acl Blocked external kerberos_ldap_group Blocked@DEMO.LOCAL
acl allowed_sites dstdomain .benedictuspoort.be .smartschool.be .microsoft.com
acl bad_sites dstdomain .adult.com .gambling.com
Access Rules
http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Blocked
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all
Proxy Settings
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
________________________________
What I Have Tried
* Verified that the Kerberos keytab is up-to-date and matches the Key Version Number (msDS-KeyVersionNumber) in Active Directory.
* Tested LDAP queries using ldapsearch with both simple and GSSAPI bindings, which work intermittently.
* Checked Squid logs and confirmed that Kerberos tickets are being issued successfully using kinit and klist.
Despite these efforts, the ext_kerberos_ldap_group_acl helper is unable to bind to the LDAP server, and the Squid service keeps restarting helpers.
________________________________
Request for Assistance
Could you please provide guidance on:
1. Debugging the ext_kerberos_ldap_group_acl helper?
2. Ensuring compatibility between Kerberos and LDAP for group-based access control?
3. Any potential misconfigurations or missing steps in my setup?
Thank you in advance for your assistance. I look forward to your recommendations.
Kind regards,
Enfal gok
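Not part of the original post: an added diagnostic script that splits the helper's work into the stages it goes through (keytab readable by the Squid run-as user, keytab-based kinit as that user, a GSSAPI ldapsearch with the same credentials, then the helper itself run by hand with -d and a single request on stdin) so that the stage that fails shows up on its own rather than only as "Local error" in cache.log. The principal, realm, base DN, LDAP URL and group names are taken from the post; the keytab path /etc/squid/PROXY.keytab, the run-as user proxy, the helper picking its keytab up from KRB5_KTNAME, and the test user alice@DEMO.LOCAL are assumptions to adjust. The helper's -d (debug) option and the OK/ERR/BH reply protocol are Squid's own.

```shell
#!/usr/bin/env bash
# Added diagnostic script; not code from the original post or from the Squid project.
# Assumed values (change to match the environment):
#   KEYTAB      - keytab holding the HTTP/ service key; Ubuntu's squid package runs as 'proxy'
#   PROXY_USER  - the user Squid starts its helpers as
set -u

PRINCIPAL="HTTP/ubuntuserver.demo.local@DEMO.LOCAL"
KEYTAB="${KRB5_KTNAME:-/etc/squid/PROXY.keytab}"   # assumed path
LDAP_URL="ldap://dc.demo.local"
BASE_DN="DC=demo,DC=local"
HELPER="/usr/lib/squid/ext_kerberos_ldap_group_acl"
PROXY_USER="proxy"                                  # assumed run-as user

# Build the request line Squid sends for an ACL such as
#   acl FullAccess external kerberos_ldap_group FullAccess@DEMO.LOCAL
# With the %LOGIN format the helper reads "<user> <group>" per request.
helper_request() {
    printf '%s %s\n' "$1" "$2"
}

# Translate the helper's first reply line into a diagnosis.
# The external ACL protocol answers OK, ERR or BH (broken helper).
classify_reply() {
    case "$1" in
        OK*)  echo "member: bind and group lookup succeeded" ;;
        ERR*) echo "not-member: bind worked, user is not in the group or was not found" ;;
        BH*)  echo "broken-helper: bind or LDAP failure, read the -d output" ;;
        "")   echo "no-reply: helper exited before answering (the ber_write assertion in the log looks like this)" ;;
        *)    echo "unexpected: $1" ;;
    esac
}

run_checks() {
    user="$1"; group="$2"

    echo "== 1. keytab readable by $PROXY_USER and contains the principal"
    sudo -u "$PROXY_USER" test -r "$KEYTAB" && echo "ok" || echo "FAIL: $KEYTAB not readable by $PROXY_USER"
    sudo -u "$PROXY_USER" klist -k "$KEYTAB" | grep -F "$PRINCIPAL" || echo "FAIL: $PRINCIPAL not in $KEYTAB"

    echo "== 2. keytab-based kinit as $PROXY_USER"
    sudo -u "$PROXY_USER" kinit -k -t "$KEYTAB" "$PRINCIPAL" && echo "ok"

    echo "== 3. GSSAPI bind to $LDAP_URL with those credentials"
    sudo -u "$PROXY_USER" ldapsearch -Y GSSAPI -H "$LDAP_URL" -b "$BASE_DN" \
        -s base '(objectClass=*)' dn >/dev/null && echo "ok"

    echo "== 4. helper run by hand with one request ($user $group)"
    reply=$(helper_request "$user" "$group" | sudo -u "$PROXY_USER" env KRB5_KTNAME="$KEYTAB" \
        "$HELPER" -d -P "$PRINCIPAL" -D demo.local -b "$BASE_DN" -l "$LDAP_URL" -g "$group" \
        2>helper.err | head -n 1)
    echo "reply: '${reply:-<none>}' -> $(classify_reply "$reply")"
    echo "(helper debug output saved in helper.err)"
}

# Usage: ./check_helper.sh alice@DEMO.LOCAL FullAccess@DEMO.LOCAL
if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

If stage 1 or 2 fails, the "Local error" from ldap_sasl_interactive_bind_s is expected: the helper never had a usable credential. If stages 1 to 3 pass but stage 4 returns BH or nothing, compare helper.err with the cache.log lines; the helper only falls back to a simple Username/Password bind when the GSSAPI bind fails, and with no -u/-p supplied that fallback has nothing to encode, which is consistent with the "Encoding error" and the ber_write assertion in the post.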