SQUID authorization using kerberos helper and two domain controllers.



Hi, guys.

    I'm using SQUID with ext_kerberos_ldap_group_acl helper to authorize users from a single Active Directory domain. I've two replicating domain controllers in my environment. Everything works fine for me, but it seems that helper connects to just first controller (DC1). When my DC1 goes offline clients in LAN aren't able to use proxy for Internet connection. Sometimes pages endlessly try to load, sometimes users get authorization prompts from browsers. When DC1 is back, everything works fine again.

    Here is how I execute helper in SQUID config:

    external_acl_type my_acl ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -l ldap://MYDOMAIN.LOCAL:389 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL

    Tried to run it directly from command line with debug option and manually specify username to check:

    ext_kerberos_ldap_group_acl -d -l ldap://MYDOMAIN.LOCAL:389 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL 
    MYUSER2

    It successfully finds and resolves my DCs, then I see errors in the log:

    support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC1.MYDOMAIN.LOCAL:389
    support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
    support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
    support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
    support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC2.MYDOMAIN.LOCAL:389
    support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
    support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
    support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
    support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server MYDOMAIN.LOCAL:389
    support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
    support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
    support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
    support_ldap.cc(979): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0

    Then it connects using my LDAP url:

    support_ldap.cc(1023): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with Username/Password
    support_ldap.cc(1035): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Successfully set up connection to ldap server DC1.MYDOMAIN.LOCAL:389

    Then it queries AD and returns "OK".

    I also tried not to use "-l" option in kerberos helper and specify domain controllers directly using "-S":

    ext_kerberos_ldap_group_acl -d -S 192.168.0.1:192.168.0.2 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL

    Got similar errors:

    Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
    Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server

    The result of query is "ERR".

    So I have two questions:

    1. How can I failover queries across two DCs?
    2. Why am I getting errors when binding with SASL/GSSAPI?

    Thanks!
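The debug output quoted in the post is the only evidence of which DC the helper actually bound to and how. The script below is an added example (not part of the post, not Squid project code): it parses `ext_kerberos_ldap_group_acl -d` output in the exact line format shown above and reports, per LDAP server, whether the SASL/GSSAPI bind failed, whether the helper fell back to a Username/Password bind, and which server finally answered. The first sample log is copied from the post; the second, "healthy failover" log is constructed to show what the parser reports when GSSAPI fails on DC1 but succeeds on DC2. The regexes assume the message wording shown in the post and nothing else.

```python
import re

# Sample input copied from the post's -d output (DC names are the post's placeholders).
SAMPLE_LOG = """\
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC1.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC2.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0
support_ldap.cc(1023): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with Username/Password
support_ldap.cc(1035): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Successfully set up connection to ldap server DC1.MYDOMAIN.LOCAL:389
"""

# Constructed sample (not from the post): DC1 unreachable, GSSAPI bind to DC2 succeeds.
HEALTHY_FAILOVER_LOG = """\
support_ldap.cc(942): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC1.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(957): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC2.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(1035): pid=1 :2018/06/28 13:00:00| kerberos_ldap_group: DEBUG: Successfully set up connection to ldap server DC2.MYDOMAIN.LOCAL:389
"""

# One helper log line: "<file>(<line>): pid=<n> :<timestamp>| kerberos_ldap_group: <LEVEL>: <message>"
LINE_RE = re.compile(r"^\S+\(\d+\): pid=\d+ :(?P<ts>.+?)\| kerberos_ldap_group: "
                     r"(?P<level>DEBUG|ERROR): (?P<msg>.*)$")
SETUP_RE = re.compile(r"Setting up connection to ldap server (?P<server>\S+)")
CONNECTED_RE = re.compile(r"Successfully set up connection to ldap server (?P<server>\S+)")
GSSAPI_FAIL_RE = re.compile(r"Error while binding to ldap server with SASL/GSSAPI: (?P<reason>.*)")


def _new_entry():
    return {"gssapi": None, "reason": None, "connected_with": None}


def analyse(log_text):
    """Walk the log in order; the helper tries servers one after another, so the
    most recent 'Setting up connection' line tells us which server an error belongs to."""
    servers = {}
    current = None
    method = "SASL/GSSAPI"  # bind method in effect for the next "Successfully set up" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        s = SETUP_RE.search(msg)
        if s:
            current = s.group("server")
            servers.setdefault(current, _new_entry())
            continue
        f = GSSAPI_FAIL_RE.search(msg)
        if f and current:
            servers[current]["gssapi"] = "failed"
            servers[current]["reason"] = f.group("reason").strip()
            continue
        if "Bind to ldap server with Username/Password" in msg:
            method = "Username/Password"  # helper gave up on GSSAPI and switched to a simple bind
            continue
        c = CONNECTED_RE.search(msg)
        if c:
            entry = servers.setdefault(c.group("server"), _new_entry())
            entry["connected_with"] = method
            if method == "SASL/GSSAPI":
                entry["gssapi"] = "ok"
    return {
        "servers": servers,
        "connected_servers": [s for s, e in servers.items() if e["connected_with"]],
        "gssapi_failed_everywhere": bool(servers) and all(e["gssapi"] == "failed" for e in servers.values()),
        "fell_back_to_password": any(e["connected_with"] == "Username/Password" for e in servers.values()),
    }


def findings(result):
    """Short operator-facing conclusions drawn only from what the log shows."""
    out = []
    for srv, e in result["servers"].items():
        if e["gssapi"] == "failed":
            out.append(f"{srv}: SASL/GSSAPI bind failed ({e['reason']})")
        if e["connected_with"]:
            out.append(f"{srv}: connected using {e['connected_with']}")
    if result["gssapi_failed_everywhere"]:
        out.append("GSSAPI bind failed on every server tried, so the problem is not specific to one DC")
    if result["fell_back_to_password"]:
        out.append("helper fell back to a simple Username/Password bind; on a plain ldap:// "
                   "connection without TLS that bind sends the -p password in clear text")
    return out


if __name__ == "__main__":
    for name, log in (("post's log", SAMPLE_LOG), ("constructed failover log", HEALTHY_FAILOVER_LOG)):
        print(f"== {name}")
        for line in findings(analyse(log)):
            print("  " + line)
```

Run against the post's own output, the parser reports that GSSAPI failed on all three names tried and that the "OK" came from a password bind to DC1; that is the detail worth watching in production, because a helper that silently drops from GSSAPI to a simple bind on port 389 changes how the -p credential crosses the wire.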

