Dear Squid Community/Support Team,

I am currently configuring Squid with Kerberos authentication and LDAP group-based access control. However, I am encountering persistent issues, and I would greatly appreciate your guidance. Below are the details of my configuration and the errors I am facing.

________________________________

Error Logs

The following errors repeatedly appear in the Squid logs:

2025/01/03 19:35:40 kid1| Starting new helpers
2025/01/03 19:35:40 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
support_sasl.cc(276): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(1086): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(1172): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with Username/Password: Encoding error
(ext_kerberos_ldap_group_acl): ../../../../libraries/liblber/io.c:108: ber_write: Assertion `buf != NULL' failed.
2025/01/03 19:35:41 kid1| WARNING: external_acl_type #Hlpr7 exited
2025/01/03 19:35:41 kid1| Too few external_acl_type processes are running (need 1/5)

________________________________

Current Configuration

Kerberos Authentication

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/ubuntuserver.demo.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

External ACL for LDAP Groups

external_acl_type kerberos_ldap_group ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl \
    -P HTTP/ubuntuserver.demo.local@DEMO.LOCAL \
    -D demo.local \
    -b DC=demo,DC=local \
    -l ldap://dc.demo.local \
    -g FullAccess@DEMO.LOCAL:Restricted@DEMO.LOCAL:Filtered@DEMO.LOCAL:Blocked@DEMO.LOCAL

ACL Definitions

acl FullAccess external kerberos_ldap_group FullAccess@DEMO.LOCAL
acl Restricted external kerberos_ldap_group Restricted@DEMO.LOCAL
acl Filtered external kerberos_ldap_group Filtered@DEMO.LOCAL
acl Blocked external kerberos_ldap_group Blocked@DEMO.LOCAL
acl allowed_sites dstdomain .benedictuspoort.be .smartschool.be .microsoft.com
acl bad_sites dstdomain .adult.com .gambling.com

Access Rules

http_access allow FullAccess
http_access allow Restricted allowed_sites
http_access deny Restricted
http_access deny Blocked
http_access deny Filtered bad_sites
http_access allow Filtered
http_access deny all

Proxy Settings

http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

________________________________

What I Have Tried

* Verified that the Kerberos keytab is up-to-date and matches the Key Version Number (msDS-KeyVersionNumber) in Active Directory.
* Tested LDAP queries using ldapsearch with both simple and GSSAPI bindings, which work intermittently.
* Checked Squid logs and confirmed that Kerberos tickets are being issued successfully using kinit and klist.

Despite these efforts, the ext_kerberos_ldap_group_acl helper is unable to bind to the LDAP server, and the Squid service keeps restarting helpers.

________________________________

Request for Assistance

Could you please provide guidance on:

1. Debugging the ext_kerberos_ldap_group_acl helper?
2. Ensuring compatibility between Kerberos and LDAP for group-based access control?
3. Any potential misconfigurations or missing steps in my setup?

Thank you in advance for your assistance. I look forward to your recommendations.

Kind regards,
Enfal gok
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
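The post asks how to debug the ext_kerberos_ldap_group_acl helper. The script below is an added example, written for this page rather than taken from the post or from the Squid project: it drives the helper by hand over the same stdin/stdout protocol Squid uses and counts the failure signatures from the cache.log excerpt above so the first failing step (GSSAPI bind, simple-bind fallback, or the liblber assertion that kills the process) stands out. The helper path is the one from the post; the sample log lines are constructed from the ones quoted above; the `helper-debug.log` file name and the `-d` debug switch passed to the helper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Squid itself.
# Three small functions for looking at a Squid external ACL helper outside Squid:
#   classify_reply - maps one helper reply line to a verdict
#   triage_log     - counts the failure signatures from the post in cache.log text
#   probe_helper   - drives the helper by hand the way Squid does (stdin/stdout)
# HELPER is the path from the post; the log sample below is constructed.

HELPER=/usr/lib/squid/ext_kerberos_ldap_group_acl

# Squid sends the helper one request line per lookup (the %LOGIN value,
# e.g. user@DEMO.LOCAL) and reads one reply line back.  The reply starts
# with OK (group matched), ERR (no match) or BH (helper is broken).
classify_reply() {
    case "$1" in
        OK*)  echo "match" ;;
        ERR*) echo "nomatch" ;;
        BH*)  echo "helper-failure" ;;
        *)    echo "unknown" ;;
    esac
}

# triage_log reads cache.log text from stdin and prints one summary line.
# The counters follow the order the helper fails in: GSSAPI bind first,
# then the username/password fallback, then the liblber assertion that
# aborts the process, then Squid noticing it is short of helpers.
triage_log() {
    gssapi=0; simple=0; assert=0; starved=0
    while IFS= read -r line; do
        case "$line" in
            *"with SASL/GSSAPI:"*)         gssapi=$((gssapi + 1)) ;;
            *"with Username/Password:"*)   simple=$((simple + 1)) ;;
            *"Assertion"*"failed"*)        assert=$((assert + 1)) ;;
            *"Too few external_acl_type"*) starved=$((starved + 1)) ;;
        esac
    done
    echo "gssapi-bind-failed=$gssapi simple-bind-failed=$simple helper-assert=$assert helper-starvation=$starved"
}

# probe_helper runs the helper once, outside Squid, with the option list
# from squid.conf plus -d (debug output on stderr), feeds it one login and
# classifies the reply.  Run it as the same user Squid runs helpers as, so
# the keytab and credential cache it sees are the ones Squid's copy sees.
# Debug output is written to helper-debug.log (assumed name) in the cwd.
probe_helper() {
    login="$1"; shift
    if [ ! -x "$HELPER" ]; then
        echo "helper-missing"
        return 0
    fi
    reply=$(printf '%s\n' "$login" | "$HELPER" -d "$@" 2>helper-debug.log | head -n 1)
    classify_reply "$reply"
}

# Constructed sample: the lines from the post's cache.log excerpt, one per line.
sample_log() {
    cat <<'EOF'
2025/01/03 19:35:40 kid1| Starting new helpers
support_sasl.cc(276): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Local error
support_ldap.cc(1086): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Local error
support_ldap.cc(1172): pid=70855 :2025/01/03 19:35:40| kerberos_ldap_group: ERROR: Error while binding to ldap server with Username/Password: Encoding error
(ext_kerberos_ldap_group_acl): ../../../../libraries/liblber/io.c:108: ber_write: Assertion `buf != NULL' failed.
2025/01/03 19:35:41 kid1| WARNING: external_acl_type #Hlpr7 exited
2025/01/03 19:35:41 kid1| Too few external_acl_type processes are running (need 1/5)
EOF
}

# Stand-alone run: summarise the constructed sample.
sample_log | triage_log
```

To use it against a live Squid, source the file and call `probe_helper` with the login Squid would pass and the exact option list from the `external_acl_type` line, as the helper user (on Ubuntu's squid package that is `proxy`, an assumption here): `sudo -u proxy sh -c '. ./helper-check.sh; probe_helper someuser@DEMO.LOCAL -P HTTP/ubuntuserver.demo.local@DEMO.LOCAL -D demo.local -b DC=demo,DC=local -l ldap://dc.demo.local -g FullAccess@DEMO.LOCAL'`. A `match`/`nomatch` verdict means the bind works and the problem is in the ACL rules; `helper-failure` or an empty reply with the assertion in `helper-debug.log` means the GSSAPI bind is still failing before any group lookup happens, which is where the "with SASL/GSSAPI: Local error" line in the triage points. For a running proxy, piping `cache.log` into `triage_log` gives the same counts over the real log.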