Re: [squid-users] Re: Re: Re: squid_ldap_group against nested groups/Ous

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Sat, 13 Nov 2010 14:30:18 +0500

Hi.

On 05.11.2010 21:01, Markus Moeller wrote:
> Hi
>
> I get the same successful results on 64 bit FreeBSD 8.0.
>
> $ uname -a
> FreeBSD freebsd-80-64.freebsd.home 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
> Sat Nov 21 15:02:08 UTC 2009
> root_at_mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> $ ldd squid_kerb_ldap
> squid_kerb_ldap:
> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000)
> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x80075b000)
> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800860000)
> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8009cd000)
> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000)
> libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c0e000)
> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x800ea6000)
> libroken.so.10 => /usr/lib/libroken.so.10 (0x801025000)
> libcrypt.so.5 => /lib/libcrypt.so.5 (0x801136000)
> libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000)
> liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x801390000)
> libc.so.7 => /lib/libc.so.7 (0x80149d000)
> libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8016d7000)
> libssl.so.6 => /usr/lib/libssl.so.6 (0x8017ef000)
>
> Is it possible that you have another kerberos package installed? How
> does your ldd look? I installed a standard FreeBSD 8.0 84 bit plus
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE/packages/net/openldap-sasl-client-2.4.18.tbz
> for ldap with SASL support.
>
First of all, sorry for the delayed answer; I'm not the kind of
person who asks for help and never reads the answers. I had a couple of
harsh weeks with crashes and late working. :)

Yes, I have multiple krb5 installations on the machines where the build
didn't succeed due to incompatible types; you were right. Also, I have
updated the production proxy that was on FreeBSD 7.2 to 8.1 (and had a
harsh week due to a wonderful em(4) issue, fixed in -STABLE), but now the
build on this machine is fine, except for one warning that can be easily
fixed by removing -Werror (once again, why -Werror?).

If you're interested, the warning is about:

[...]
gcc -DHAVE_CONFIG_H -I. -I/usr/include -I/usr/local/include -g -O2
-Wall -Wno-unknown-pragmas -Wextra -Wcomment -Wpointer-arith
-Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wdeclaration-after-statement -Wshadow -MT
support_group.o -MD -MP -MF .deps/support_group.Tpo -c -o
support_group.o support_group.c
support_group.c: In function 'utf8dup':
support_group.c:43: warning: declaration of 'dup' shadows a global
declaration
/usr/include/unistd.h:330: warning: shadowed declaration is here
[...]

So, the build succeeds and the helper doesn't crash on startup, but now I have
problems connecting to the ldap servers.
I saw in your reply that you are using a KDC on SuSE Linux. I'm
using a KDC on Windows 2003/2008, and it works just perfectly with
squid_ldap_group (but I really miss nested groups :)).

Debug looks like:

===Cut===
# ./squid_kerb_group.sh
2010/11/13 14:26:21| squid_kerb_ldap: Starting version 1.2.1a
2010/11/13 14:26:21| squid_kerb_ldap: Group list
Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:21| squid_kerb_ldap: Group
Internet%20Users%20-%20Proxy1 Domain
2010/11/13 14:26:21| squid_kerb_ldap: Netbios list SOFTLAB_at_NORMA.COM
2010/11/13 14:26:21| squid_kerb_ldap: Netbios name SOFTLAB Domain NORMA.COM
emz_at_norma.com
2010/11/13 14:26:25| squid_kerb_ldap: Got User: emz Domain: NORMA.COM
2010/11/13 14:26:25| squid_kerb_ldap: User domain loop: group_at_domain
Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Default domain loop: group_at_domain
Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Found group_at_domain
Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:25| squid_kerb_ldap: Setup Kerberos credential cache
2010/11/13 14:26:25| squid_kerb_ldap: Get default keytab file name
2010/11/13 14:26:25| squid_kerb_ldap: Got default keytab file name
/usr/local/etc/squid/HTTP.keytab
2010/11/13 14:26:25| squid_kerb_ldap: Get principal name from keytab
/usr/local/etc/squid/HTTP.keytab
2010/11/13 14:26:25| squid_kerb_ldap: Keytab entry has realm name: NORMA.COM
2010/11/13 14:26:25| squid_kerb_ldap: Found principal name:
HTTP/proxy-wizard.norma.com._at_NORMA.COM
2010/11/13 14:26:25| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_17129
2010/11/13 14:26:25| squid_kerb_ldap: Got principal name
HTTP/proxy-wizard.norma.com._at_NORMA.COM
2010/11/13 14:26:26| squid_kerb_ldap: Stored credentials
2010/11/13 14:26:26| squid_kerb_ldap: Initialise ldap connection
2010/11/13 14:26:26| squid_kerb_ldap: Canonicalise ldap server name for
domain NORMA.COM
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to spb-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to sad-srv.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to hq-gc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to hq-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to nb-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved SRV _ldap._tcp.NORMA.COM
record to sam-dc.norma.com
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 1 of NORMA.COM to
192.168.3.34
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 2 of NORMA.COM to
192.168.3.45
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 3 of NORMA.COM to
192.168.3.34
2010/11/13 14:26:26| squid_kerb_ldap: Resolved address 4 of NORMA.COM to
192.168.3.45
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 5 of NORMA.COM to
192.168.3.34
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 6 of NORMA.COM to
192.168.3.45
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 7 of NORMA.COM to
192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 8 of NORMA.COM to
192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 9 of NORMA.COM to
192.168.92.189
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 10 of NORMA.COM
to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 11 of NORMA.COM
to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 12 of NORMA.COM
to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 13 of NORMA.COM
to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 14 of NORMA.COM
to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 15 of NORMA.COM
to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 16 of NORMA.COM
to 192.168.0.9
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 17 of NORMA.COM
to 192.168.173.3
2010/11/13 14:26:27| squid_kerb_ldap: Resolved address 18 of NORMA.COM
to 192.168.180.3
2010/11/13 14:26:27| squid_kerb_ldap: Sorted ldap server names for
domain NORMA.COM:
2010/11/13 14:26:27| squid_kerb_ldap: Host: sad-srv.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-gc.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: hq-dc.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: nb-dc.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: sam-dc.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: spb-dc.norma.com Port: 389
Priority: 0 Weight: 100
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.92.189 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.0.9 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.173.3 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.34 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.3.45 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Host: 192.168.180.3 Port: -1
Priority: -1 Weight: -1
2010/11/13 14:26:27| squid_kerb_ldap: Setting up connection to ldap
server sad-srv.norma.com:389
2010/11/13 14:26:27| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:28| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:28| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:28| squid_kerb_ldap: Setting up connection to ldap
server hq-gc.norma.com:389
2010/11/13 14:26:28| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap
server hq-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap
server nb-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:29| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:29| squid_kerb_ldap: Setting up connection to ldap
server sam-dc.norma.com:389
2010/11/13 14:26:29| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap
server spb-dc.norma.com:389
2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:30| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:30| squid_kerb_ldap: Setting up connection to ldap
server 192.168.92.189:389
2010/11/13 14:26:30| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap
server 192.168.0.9:389
2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:31| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:31| squid_kerb_ldap: Setting up connection to ldap
server 192.168.173.3:389
2010/11/13 14:26:31| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap
server 192.168.3.34:389
2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:32| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:32| squid_kerb_ldap: Setting up connection to ldap
server 192.168.3.45:389
2010/11/13 14:26:32| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Setting up connection to ldap
server 192.168.180.3:389
2010/11/13 14:26:33| squid_kerb_ldap: Bind to ldap server with SASL/GSSAPI
2010/11/13 14:26:33| squid_kerb_ldap: ldap_sasl_interactive_bind_s
error: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error while binding to ldap server
with SASL/GSSAPI: Local error
2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2010/11/13 14:26:33| squid_kerb_ldap: Error during initialisation of
ldap connection: Bad file descriptor
2010/11/13 14:26:33| squid_kerb_ldap: User emz is not member of
group_at_domain Internet%20Users%20-%20Proxy1@
2010/11/13 14:26:33| squid_kerb_ldap: Default group loop: group_at_domain
Internet%20Users%20-%20Proxy1@
ERR
2010/11/13 14:26:33| squid_kerb_ldap: ERR
===Cut===

I'm using openldap-client built with SASL support too.
Any thoughts on what I'm doing wrong?

Thanks.

Eugene.
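The question raised earlier in this thread, whether a second Kerberos package is linked into the helper, can be answered mechanically from `ldd` output: every Kerberos/GSSAPI library the helper loads should come from the same library directory (all from the base system's `/usr/lib` Heimdal, or all from a ports installation under `/usr/local/lib`), because a GSSAPI layer from one implementation talking to a krb5 core from another is a classic source of opaque SASL/GSSAPI "Local error" failures. The following checker is an added example written for this archive page; it is not part of squid_kerb_ldap or any reply in the thread. The clean sample is abbreviated from the `ldd` output quoted above; the mixed sample is constructed to show what a split installation looks like (the `/usr/local/lib` MIT-style library names in it are assumed, not taken from the page).

```python
import re
from collections import defaultdict

# One "ldd" dependency line: "libfoo.so.N => /path/libfoo.so.N (0xaddr)".
LDD_LINE = re.compile(r'^\s*(?P<name>\S+)\s*=>\s*(?P<path>\S+)\s*\(0x[0-9a-f]+\)')

# Name prefixes of libraries belonging to a Kerberos/GSSAPI implementation
# (Heimdal and MIT spellings). libcom_err ships with both, so it is included.
KERBEROS_FAMILY = (
    "libgssapi", "libkrb5", "libheim", "libhx509", "libasn1", "libroken",
    "libcom_err", "libk5crypto", "libkrb5support",
)

# Abbreviated from the ldd output quoted in the thread: one Heimdal install in /usr/lib.
CLEAN_LDD = """\
squid_kerb_ldap:
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000)
        libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x80075b000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800860000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8009cd000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c0e000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x800ea6000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x801025000)
        libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000)
        libc.so.7 => /lib/libc.so.7 (0x80149d000)
"""

# Constructed sample: GSSAPI from the base system, krb5 core from a ports install.
MIXED_LDD = """\
squid_kerb_ldap:
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800652000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x800860000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x8009cd000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800b0c000)
        libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x80124f000)
        libc.so.7 => /lib/libc.so.7 (0x80149d000)
"""


def parse_ldd(text):
    """Map each resolved library name to the path the dynamic linker chose."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group("name")] = m.group("path")
    return deps


def library_prefix(path):
    """Directory a library was resolved from, e.g. /usr/lib or /usr/local/lib."""
    return path.rsplit("/", 1)[0]


def is_kerberos_lib(name):
    return any(name.startswith(p) for p in KERBEROS_FAMILY)


def kerberos_prefixes(deps):
    """Group the Kerberos-family libraries by the directory they came from."""
    by_prefix = defaultdict(list)
    for name, path in deps.items():
        if is_kerberos_lib(name):
            by_prefix[library_prefix(path)].append(name)
    return dict(by_prefix)


def check_single_kerberos(ldd_text):
    """Return (ok, prefixes): ok is False when more than one directory supplies
    Kerberos libraries, i.e. two implementations are mixed into one binary."""
    prefixes = kerberos_prefixes(parse_ldd(ldd_text))
    return len(prefixes) <= 1, prefixes


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_LDD), ("mixed", MIXED_LDD)):
        ok, prefixes = check_single_kerberos(sample)
        print(label, "OK" if ok else "MIXED KERBEROS LIBRARIES", prefixes)
```

In practice you would feed it `ldd squid_kerb_ldap` captured on the proxy host; a result with two prefixes points at the second krb5 installation Markus asked about, and the list under each prefix tells you which libraries to rebuild or relink against the intended implementation.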
Received on Sat Nov 13 2010 - 09:30:41 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 15 2010 - 12:00:02 MST