Re: squid_kerb_ldap - Could not set LDAP_OPT_X_SASL_SECPROPS

["Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>]

Hi

  I assume you use openldap on your freebsd build. Can you try from the 
command line:

#  kinit -kt /usr/local/etc/HTTP.keytab 
HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
#  ldapsearch -d 999 -H ldap://pollux.m-tisiz.local:389 -Y GSSAPI -O 
"maxssf=56" -b dc=M-TISIZ,dc=LOCAL -s sub "(samaccountname=antec)"

and send me the output ?

Regards
Markus


"Подшивалов Антон" <support@xxxxxxxxxxxxxxxxx> wrote in message 
news:95378ca7accc17ee30ecf07a71c9b6b2@xxxxxxxxxxxxxxxxx...
> Hello!
> I use:
> proxy# uname -a
> FreeBSD proxy.m-tisiz.local 8.3-RELEASE-p1 FreeBSD 8.3-RELEASE-p1 #0: Wed 
> May 23 22:56:59 MSK 2012 
> ant@freebsd.m-tisiz.local:/usr/obj/usr/src/sys/AnteC_kernel  i386
>
> I try to authenticate squid user by Active Directory. But have some error 
> when use  squid_kerb_ldap external helper:
>
> proxy# /usr/local/libexec/squid/squid_kerb_ldap -d -D M-TISIZ.LOCAL -g 
> inet_users@
> 2012/11/23 16:04:20| squid_kerb_ldap: Starting version 1.2.2
> 2012/11/23 16:04:20| squid_kerb_ldap: Group list inet_users@
> 2012/11/23 16:04:20| squid_kerb_ldap: Group inet_users  Domain
> 2012/11/23 16:04:20| squid_kerb_ldap: Netbios list NULL
> 2012/11/23 16:04:20| squid_kerb_ldap: No netbios names defined.
> 2012/11/23 16:04:20| squid_kerb_ldap: ldap server list NULL
> 2012/11/23 16:04:20| squid_kerb_ldap: No ldap servers defined.
> antec
> 2012/11/23 16:04:23| squid_kerb_ldap: Got User: antec set default domain: 
> M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: Got User: antec Domain: 
> M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: User domain loop: group@domain 
> inet_users@
> 2012/11/23 16:04:23| squid_kerb_ldap: Default domain loop: group@domain 
> inet_users@
> 2012/11/23 16:04:23| squid_kerb_ldap: Found group@domain inet_users@
> 2012/11/23 16:04:23| squid_kerb_ldap: Setup Kerberos credential cache
> 2012/11/23 16:04:23| squid_kerb_ldap: Get default keytab file name
> 2012/11/23 16:04:23| squid_kerb_ldap: Got default keytab file name 
> /usr/local/etc/HTTP.keytab
> 2012/11/23 16:04:23| squid_kerb_ldap: Get principal name from keytab 
> /usr/local/etc/HTTP.keytab
> 2012/11/23 16:04:23| squid_kerb_ldap: Keytab entry has realm name: 
> M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: Found principal name: 
> HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: Set credential cache to 
> MEMORY:squid_ldap_16670
> 2012/11/23 16:04:23| squid_kerb_ldap: Got principal name 
> HTTP/proxy.m-tisiz.local@M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: Stored credentials
> 2012/11/23 16:04:23| squid_kerb_ldap: Initialise ldap connection
> 2012/11/23 16:04:23| squid_kerb_ldap: Canonicalise ldap server name for 
> domain M-TISIZ.LOCAL
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved SRV 
> _ldap._tcp.M-TISIZ.LOCAL record to altair.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved SRV 
> _ldap._tcp.M-TISIZ.LOCAL record to pollux.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 1 of M-TISIZ.LOCAL 
> to altair.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 2 of M-TISIZ.LOCAL 
> to pollux.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 3 of M-TISIZ.LOCAL 
> to altair.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 4 of M-TISIZ.LOCAL 
> to pollux.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 5 of M-TISIZ.LOCAL 
> to altair.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Resolved address 6 of M-TISIZ.LOCAL 
> to pollux.m-tisiz.local
> 2012/11/23 16:04:23| squid_kerb_ldap: Adding M-TISIZ.LOCAL to list
> 2012/11/23 16:04:23| squid_kerb_ldap: Sorted ldap server names for domain 
> M-TISIZ.LOCAL:
> 2012/11/23 16:04:23| squid_kerb_ldap: Host: pollux.m-tisiz.local Port: 389 
> Priority: 0 Weight: 100
> 2012/11/23 16:04:23| squid_kerb_ldap: Host: altair.m-tisiz.local Port: 389 
> Priority: 0 Weight: 100
> 2012/11/23 16:04:23| squid_kerb_ldap: Host: M-TISIZ.LOCAL Port: -1 
> Priority: -2 Weight: -2
> 2012/11/23 16:04:23| squid_kerb_ldap: Setting up connection to ldap server 
> pollux.m-tisiz.local:389
> 2012/11/23 16:04:23| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2012/11/23 16:04:23| squid_kerb_ldap: Could not set 
> LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Error while binding to ldap server 
> with SASL/GSSAPI: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Setting up connection to ldap server 
> altair.m-tisiz.local:389
> 2012/11/23 16:04:23| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2012/11/23 16:04:23| squid_kerb_ldap: Could not set 
> LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Error while binding to ldap server 
> with SASL/GSSAPI: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Setting up connection to ldap server 
> M-TISIZ.LOCAL:389
> 2012/11/23 16:04:23| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
> 2012/11/23 16:04:23| squid_kerb_ldap: Could not set 
> LDAP_OPT_X_SASL_SECPROPS: maxssf=56: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Error while binding to ldap server 
> with SASL/GSSAPI: Can't contact LDAP server
> 2012/11/23 16:04:23| squid_kerb_ldap: Error during initialisation of ldap 
> connection: No such file or directory
> 2012/11/23 16:04:23| squid_kerb_ldap: Error during initialisation of ldap 
> connection: No such file or directory
> 2012/11/23 16:04:23| squid_kerb_ldap: User antec is not member of 
> group@domain inet_users@
> 2012/11/23 16:04:23| squid_kerb_ldap: Default group loop: group@domain 
> inet_users@
> ERR
>
> I try many other options by squid_kerb_ldap but no lack.
> Squid with this helper also can'not  authenticate users, with same error.
> Please help solve this error.
>
> Best regard AnteC.