[squid-users] Configuring multiple hosts in LDAP URIs and using DN
Mark Cairney
Mark.Cairney at ed.ac.uk
Thu Jul 24 14:38:56 UTC 2025
Hi,
Thanks for the tip about the reverse DNS. I now have Kerberos/Negotiate
auth working, now that the reverse DNS lookup matches.
For HA/resiliency I'd like to be able to point the fallback LDAP basic
auth + group lookup at multiple AD/LDAP servers.
I notice both basic_ldap_auth and ext_ldap_group_acl use the -H flag for
LDAP URIs but I've been having problems getting it to work with anything
other than a single named host. Specifying multiple hosts e.g. -H
ldap://server1.domain:389 ldap://server2.domain:389 appears to work for
a while but eventually starts failing with 'couldn't connect to LDAP
server' errors and it appears to always hit the 1st named host.
I've also tried using a DN as described in the ldapsearch documentation:
"Specify URI(s) referring to the ldap server(s); a list of URI, separated
by whitespace or commas is expected; only the protocol/host/port fields are
allowed. As an exception, if no host/port is specified, but a DN is, the DN
is used to look up the corresponding host(s) using the DNS SRV records,
according to RFC 2782. The DN must be a non-empty sequence of AVAs whose
attribute type is "dc" (domain component), and must be escaped according
to RFC 2396"
This works if I use ldapsearch e.g.
ldapsearch -b "dc=ed,dc=ac,dc=uk" -D "CN=squiduser,DC=domain,DC=local" -y /etc/squid/ldap_password "(&(objectClass=person)(sAMAccountName=mcairney))" -Z -H ldap:///dc%3Ddomain%2Cdc%3Dlocal
But if I use this LDAP URI with basic_ldap_auth I get 'Could not
Activate TLS connection' errors and no clues in the logs/debug output.
Is this a known limitation of the squid utilities? If so, what are other
people doing to provide HA/failover with their LDAP hosts (the only
examples I can find in man pages/tutorials are the straightforward
single LDAP host scenario).
Kind regards,
Mark
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk
*******************************/
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
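The quoted ldapsearch text describes two things the -H argument can carry: a whitespace- or comma-separated list of protocol/host/port URIs, and a host-less "ldap:///dc=...,dc=..." form that is resolved through DNS SRV records (RFC 2782). The following script is an added example, not code from Squid, OpenLDAP or the original post. It parses both forms, maps the dc-only DN to the "_ldap._tcp.<domain>" SRV name, and orders SRV targets by priority and weight the way RFC 2782 specifies, so you can see exactly which host/port pairs a client would try and in what order. The SRV data is constructed inline so it runs offline; the hypothetical sample_srv_lookup stands in for a real DNS query.

```python
"""Expand OpenLDAP-style -H URI lists into an ordered list of (host, port).

Added example. Assumptions: the dc-only DN maps to the _ldap._tcp SRV name
(RFC 2782 naming, as the quoted ldapsearch text says), only ldap:// URIs get
SRV resolution, and SRV answers are supplied by a caller-provided lookup.
"""
import random
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample SRV data standing in for a real DNS answer.
# Records are (priority, weight, port, target).
SAMPLE_SRV = {
    "_ldap._tcp.domain.local": [
        (0, 50, 389, "dc1.domain.local"),
        (0, 50, 389, "dc2.domain.local"),
        (10, 0, 389, "dc3.domain.local"),   # backup: higher priority value
    ],
}


def sample_srv_lookup(name):
    """Hypothetical resolver; swap in e.g. dnspython's resolve(name, 'SRV')."""
    return list(SAMPLE_SRV.get(name, []))


def split_uri_list(uris):
    """Split a -H argument on whitespace or commas."""
    return uris.replace(",", " ").split()


def dn_to_srv_name(dn):
    """Map 'dc=domain,dc=local' to '_ldap._tcp.domain.local' (RFC 2782)."""
    labels = []
    for ava in dn.split(","):
        attr, sep, value = ava.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"DN must be a non-empty sequence of dc AVAs: {dn!r}")
        labels.append(value.strip())
    return "_ldap._tcp." + ".".join(labels)


def order_srv_records(records, rng):
    """Order targets by ascending priority; within a priority use RFC 2782
    weighted random selection (zero-weight records placed first)."""
    ordered = []
    for priority in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == priority]
        while group:
            group.sort(key=lambda r: r[1] != 0)   # zero weights to the front
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)           # inclusive, per RFC 2782
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))
                    group.remove(rec)
                    break
    return ordered


def targets_for_uri(uri, srv_lookup, rng):
    """Return the (host, port) list a client would try for one URI."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {uri!r}")
    if parts.hostname:
        return [(parts.hostname, parts.port or DEFAULT_PORTS[scheme])]
    dn = unquote(parts.path.lstrip("/"))   # 'dc%3Ddomain%2Cdc%3Dlocal' -> dc=domain,dc=local
    if not dn:
        raise ValueError(f"URI has neither host nor DN: {uri!r}")
    if scheme != "ldap":
        raise ValueError("SRV lookup is only applied to ldap:// URIs here (assumption)")
    return order_srv_records(srv_lookup(dn_to_srv_name(dn)), rng)


def hosts_for_uri_list(uris, srv_lookup, rng=None):
    """Expand a whole -H argument into the ordered host/port list."""
    rng = rng or random.Random()
    out = []
    for uri in split_uri_list(uris):
        out.extend(targets_for_uri(uri, srv_lookup, rng))
    return out


if __name__ == "__main__":
    for arg in ("ldap://server1.domain:389 ldap://server2.domain:389",
                "ldap:///dc%3Ddomain%2Cdc%3Dlocal"):
        print(arg, "->", hosts_for_uri_list(arg, sample_srv_lookup, random.Random(1)))
```

Two things worth checking with this in hand: whether the helper you are running actually walks the whole list (if it only ever uses the first element, the behaviour seen above, where only the first named host is contacted, is what you would expect), and, when using the SRV form with -Z, that each resolved target name is present in the certificate the server presents, because StartTLS hostname verification is done against the host the client connected to, not against the DN in the URI.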