SQUID authorization using kerberos helper and two domain controllers.
-
Hi, guys.
I'm using SQUID with the ext_kerberos_ldap_group_acl helper to authorize users from a single Active Directory domain. I have two replicating domain controllers in my environment. Everything works fine for me, but it seems that the helper connects to just the first controller (DC1). When my DC1 goes offline, clients in the LAN aren't able to use the proxy for Internet connection. Sometimes pages endlessly try to load, sometimes users get authorization prompts from browsers. When DC1 is back, everything works fine again.
Here is how I execute helper in SQUID config:
external_acl_type my_acl ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -l ldap://MYDOMAIN.LOCAL:389 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL
I tried to run it directly from the command line with the debug option and manually specified a username to check:
ext_kerberos_ldap_group_acl -d -l ldap://MYDOMAIN.LOCAL:389 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL MYUSER2
It successfully finds and resolves my DCs, then I see errors in the log:
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC1.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC2.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(979): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Error during initialisation of ldap connection: No error: 0
Then it connects using my LDAP URL:
support_ldap.cc(1023): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with Username/Password
support_ldap.cc(1035): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Successfully set up connection to ldap server DC1.MYDOMAIN.LOCAL:389
Then it queries AD and returns "OK".
I also tried not using the "-l" option in the kerberos helper and specifying the domain controllers directly using "-S":
ext_kerberos_ldap_group_acl -d -S 192.168.0.1:192.168.0.2 -u MYUSER@MYDOMAIN.LOCAL -p MYPASSWORD -g MYGROUP@MYDOMAIN.LOCAL -D MYDOMAIN.LOCAL
I got similar errors:
Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
The result of the query is "ERR".
So I have two questions:
- How can I failover queries across two DCs?
- Why am I getting errors when binding with SASL/GSSAPI?
Thanks!
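As an added triage aid (not part of the post, and not code from the Squid project), the script below parses the helper's `-d` debug output shown above and reports, per domain controller, which bind method was tried and how it ended, so an administrator can see at a glance whether GSSAPI failed on every DC and the helper only got in via the -u/-p password fallback. The sample log is constructed from the lines quoted in the post; the hostnames are the post's placeholders.

```python
import re

# Constructed sample of `ext_kerberos_ldap_group_acl -d` output, modelled on the
# lines quoted in the post (placeholder hostnames taken from the post itself).
SAMPLE_LOG = """\
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC1.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(259): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Could not set LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(942): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Setting up connection to ldap server DC2.MYDOMAIN.LOCAL:389
support_ldap.cc(953): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(957): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(1023): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Bind to ldap server with Username/Password
support_ldap.cc(1035): pid=24008 :2018/06/28 12:54:19| kerberos_ldap_group: DEBUG: Successfully set up connection to ldap server DC1.MYDOMAIN.LOCAL:389
"""

# Only the message after the "kerberos_ldap_group: LEVEL:" prefix matters here.
MSG = re.compile(r"kerberos_ldap_group: (?:DEBUG|ERROR): (.*)$")
SETUP = re.compile(r"Setting up connection to ldap server (\S+)")
BIND = re.compile(r"^Bind to ldap server with (\S+)")
BIND_ERR = re.compile(r"Error while binding to ldap server with (\S+): (.*)")
SUCCESS = re.compile(r"Successfully set up connection to ldap server (\S+)")

def summarize_bind_attempts(log_text):
    """Return (server, bind_method, outcome) tuples in the order the helper tried them."""
    attempts = []
    server = method = None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        text = m.group(1)
        if s := SETUP.search(text):
            server, method = s.group(1), None      # helper moved on to the next DC
        elif b := BIND.search(text):
            method = b.group(1)                    # SASL/GSSAPI or Username/Password
        elif e := BIND_ERR.search(text):
            attempts.append((server, e.group(1), "FAIL: " + e.group(2)))
        elif ok := SUCCESS.search(text):
            attempts.append((ok.group(1), method, "OK"))
    return attempts

def gssapi_failed_on_every_dc(attempts):
    """True when no SASL/GSSAPI bind succeeded on any DC, i.e. the helper only
    got a connection through the -u/-p password fallback (the case in the post)."""
    gssapi = [a for a in attempts if a[1] == "SASL/GSSAPI"]
    return bool(gssapi) and all(a[2] != "OK" for a in gssapi)
```

Feed it the real helper output (`ext_kerberos_ldap_group_acl -d ... 2>&1`) to compare what each DC does while DC1 is up and while it is down.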