ldap_sasl_interactive_bind_s error: Can't contact LDAP server

ldap_sasl_interactive_bind_s error: Can't contact LDAP server

erdosain9
Hi. I'm having this problem. I'm running Squid on a CentOS 7 container (LXC on
Proxmox).

This is cache.log

support_sasl.cc(276): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server


Can somebody give me a hand?

I don't know what could be wrong. This is the config:

 cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
; (des-cbc-crc and des-cbc-md5 are single DES: off by default on Windows Server
; 2008 R2 and later and removed from MIT krb5 1.18; listing them here only widens
; what this proxy will accept)
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


[realms]
    MYDOMAIN.LAN = {
        kdc = adw-1.mydomain.lan
        kdc = w-data2.mydomain.lan
        admin_server = adw-1.mydomain.lan
        default_domain = mydomain.lan
    }

[domain_realm]
    .mydomain.lan = MYDOMAIN.LAN
    mydomain.lan = MYDOMAIN.LAN  


SQUID.CONF
###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 50 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param negotiate keep_alive on

external_acl_type i-restringidos %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-limitado %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]



/ETC/HOSTS

[root@proxy ~]# cat /etc/hosts
127.0.0.1   localhost LXC_NAME
::1 localhost.localnet localhost
# --- END PVE ---
#
192.168.1.222 adw-1.mydomain.lan
192.168.1.107 w-data2.mydomain.lan
# --- BEGIN PVE ---
192.168.6.215 proxy.mydomain.lan proxy
# --- END PVE ---


/ETC/RESOLV.CONF
[root@proxy ~]# cat /etc/resolv.conf
# --- BEGIN PVE ---
search mydomain.lan
nameserver 192.168.1.107
nameserver 192.168.1.222
# --- END PVE ---
domain mydomain.lan


Thanks



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

Yuri Voinov
Check LDAP port availability on the LDAP server. On the firewall it should be open.

If your LDAP server is a Windows server, AFAIK, it has a closed firewall by
default, i.e. all incoming connections are blocked.


20.02.2018 19:35, erdosain9 wrote:

> [...]
--
*****************************
* C++20 : Bug to the future *
*****************************





Re: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

erdosain9
Hi.
The port is open.

Is there a way to get a little more logging?
Thanks




Re: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

Yuri Voinov
Of course, you, as a sysadmin, should know the basics of troubleshooting,
shouldn't you?

If the port is open, try to connect to it from the proxy box via an LDAP client.
If that succeeds,
the next step is to turn on Squid's debug and investigate the detailed logs.

20.02.2018 20:00, erdosain9 wrote:

> Hi.
> The port is open.
>
> Is there a way to get a little more logging?
> Thanks




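Yuri's order of checks (is the port reachable; can an LDAP client on the proxy box bind; only then Squid's debug) is the right one. The script below is an added example, not code from Squid, from the helper or from anyone in the thread, and it scripts the first step against the files posted at the top: it takes the KDCs of the default realm out of krb5.conf (with dns_lookup_kdc = no those entries are the only KDCs the Kerberos library will use, and on Active Directory every KDC is also an LDAP server), resolves each name the way the proxy would (/etc/hosts before DNS) and times a TCP connect to 88 and 389. One thing the posted files show: the proxy (192.168.6.215) and the DCs (192.168.1.222, 192.168.1.107) are on different subnets, so whatever routes or filters between them is on the path of every bind, and that is one place an intermittent "Can't contact LDAP server" (libldap's LDAP_SERVER_DOWN, which is also what you get when an established connection is dropped) can come from. The krb5.conf and /etc/hosts samples are constructed from the thread; the ports, the 0.2 s "slow" threshold and the injectable probe (so the logic can be exercised without a network) are my choices.

```python
# Added example (not Squid's, the helper's or the thread's code): pre-flight checks for the DCs.
import re
import socket
import time

# Constructed samples, copied from the krb5.conf and /etc/hosts posted in the thread.
KRB5_CONF_SAMPLE = """\
[libdefaults]
    default_realm = MYDOMAIN.LAN

[realms]
    MYDOMAIN.LAN = {
        kdc = adw-1.mydomain.lan
        kdc = w-data2.mydomain.lan
        admin_server = adw-1.mydomain.lan
        default_domain = mydomain.lan
    }
"""
HOSTS_SAMPLE = """\
127.0.0.1   localhost LXC_NAME
192.168.1.222 adw-1.mydomain.lan
192.168.1.107 w-data2.mydomain.lan
192.168.6.215 proxy.mydomain.lan proxy
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KV = re.compile(r"^(\S+)\s*=\s*(.+)$")


def parse_krb5_conf(text):
    """Minimal reader for [libdefaults] and [realms]: {"libdefaults": {k: v},
    "realms": {REALM: {k: [v, ...]}}}. Repeated keys (several kdc lines) keep order."""
    conf = {"libdefaults": {}, "realms": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # both comment styles krb5.conf accepts
            continue
        if _SECTION.match(line):
            section, realm = _SECTION.match(line).group(1), None
        elif section == "realms":
            if line == "}":
                realm = None
            elif _OPEN.match(line):
                realm = _OPEN.match(line).group(1)
                conf["realms"].setdefault(realm, {})
            elif realm and _KV.match(line):
                key, val = _KV.match(line).groups()
                conf["realms"][realm].setdefault(key, []).append(val.strip())
        elif section == "libdefaults" and _KV.match(line):
            key, val = _KV.match(line).groups()
            conf["libdefaults"][key] = val.strip()
    return conf


def parse_hosts(text):
    """{name: ip} for every name on every non-comment /etc/hosts line."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def tcp_probe(host, port, timeout=2.0):
    """One TCP connect; returns (reachable, seconds_taken, error_text)."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - t0, ""
    except OSError as exc:  # refused, timed out, no route, ...
        return False, time.monotonic() - t0, str(exc)


def check_domain_controllers(krb5_text, hosts_text, ports=(88, 389), slow=0.2, probe=tcp_probe):
    """For each KDC of the default realm: does it resolve (/etc/hosts first, then DNS,
    the usual 'files dns' order), does each port answer, and how fast? Returns problem
    strings (empty == all good). Assumed: 88 Kerberos, 389 LDAP, 0.2 s counts as slow."""
    conf = parse_krb5_conf(krb5_text)
    realm = conf["libdefaults"].get("default_realm", "")
    hosts = parse_hosts(hosts_text)
    problems = []
    for kdc in conf["realms"].get(realm, {}).get("kdc", []):
        ip = hosts.get(kdc)
        if ip is None:
            try:
                ip = socket.gethostbyname(kdc)
            except OSError:
                problems.append("%s does not resolve (not in /etc/hosts, no DNS answer)" % kdc)
                continue
        for port in ports:
            ok, secs, err = probe(ip, port)
            if not ok:
                problems.append("%s (%s):%d unreachable after %.2fs: %s" % (kdc, ip, port, secs, err))
            elif secs > slow:
                problems.append("%s (%s):%d answered slowly: %.2fs" % (kdc, ip, port, secs))
    return problems


if __name__ == "__main__":  # on the proxy itself: run against the live files
    with open("/etc/krb5.conf") as f, open("/etc/hosts") as g:
        print("\n".join(check_domain_controllers(f.read(), g.read()) or ["all checks passed"]))
```

Run it on the proxy container; a clean run prints "all checks passed". A port that is reachable from your workstation but not from the container is the firewall case Yuri describes; a port that answers but slowly, or only sometimes, points at the path between the two subnets rather than at Squid.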

Re: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

erdosain9
Sorry, Yuri, yes, it is working.
I can connect via LDAP and also turned on debug to investigate, and there is no
error now...
but from time to time this error is happening... so... it is strange.

On the other hand, I'm getting these values with just one machine using the
Squid:

Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 50 (0 shutting down)
requests sent: 66
replies received: 66
queue length: 0
avg service time: 208 msec

   ID #     FD    PID # Requests  # Replies Flags   Time Offset Request
     21     44   2193         24         24      0.022      0 (none)
     22     61   2194          5          5      0.322      0 (none)
     23     64   2195          5          5      0.387      0 (none)
     24     70   2196          3          3      0.397      0 (none)
     25    150   2201          2          2      0.323      0 (none)
     26    151   2202          1          1      0.158      0 (none)
     27    153   2203          1          1      0.192      0 (none)
     28    155   2204          1          1      0.152      0 (none)
     29    157   2205          1          1      0.380      0 (none)
     30    159   2206          1          1      0.394      0 (none)
     31    161   2207          1          1      0.465      0 (none)
     32    163   2208          1          1      0.439      0 (none)
     33    165   2209          1          1      0.437      0 (none)
     34    167   2210          1          1      0.591      0 (none)
     35    169   2211          1          1      0.226      0 (none)
     36    171   2212          1          1      0.564      0 (none)
     37    173   2213          1          1      0.221      0 (none)
     38    175   2214          1          1      0.115      0 (none)
     39    177   2215          1          1      0.161      0 (none)
     40    179   2216          1          1      0.335      0 (none)
     41    181   2217          1          1      0.382      0 (none)
     42    154   2218          1          1      0.547      0 (none)
     43    158   2219          1          1      0.605      0 (none)
     44    162   2220          1          1      0.493      0 (none)
     45    166   2221          1          1      0.465      0 (none)
     46    170   2222          1          1      0.586      0 (none)
     47    174   2223          1          1      0.270      0 (none)
     48    178   2224          1          1      0.249      0 (none)
     49    182   2225          1          1      0.504      0 (none)
     50    184   2226          1          1      0.479      0 (none)
     51    186   2227          1          1      0.284      0 (none)
     52    188   2228          1          1      0.560      0 (none)

A little high, don't you think? avg service time: 208 msec
In the working Squid sometimes the values go to 2500 msec..... (with 70
users)

Thanks




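To read the table above: the Time column for an idle helper (Request is (none)) is taken here as the duration of that helper's last transaction, and with `children 50 startup=0 idle=1` Squid starts no helper ahead of demand, so each burst of clients forks fresh negotiate_kerberos_auth processes. 27 of the 32 helpers above have answered exactly one request, while the one helper that has answered 24 (ID 21) shows 0.022 s; that contrast is what separates per-process warm-up (a new process reading the keytab and setting up GSSAPI) from a slow DC, and the averaged "avg service time" alone cannot show it. The parser below is an added example, not Squid code and not from the thread, run over the posted table as a constructed sample; the 0.5 s threshold for flagging a helper as slow is my assumption, not a Squid default.

```python
# Added example (not Squid's code, not from the thread): parse cache-manager helper
# statistics and separate per-process warm-up from a slow back end.
import re

# Constructed sample: the "Negotiate Authenticator Statistics" block posted in the
# thread, rows verbatim.
STATS_SAMPLE = """\
Negotiate Authenticator Statistics:
program: /lib64/squid/negotiate_kerberos_auth
number active: 32 of 50 (0 shutting down)
requests sent: 66
replies received: 66
queue length: 0
avg service time: 208 msec

   ID #     FD    PID # Requests  # Replies Flags   Time Offset Request
     21     44   2193         24         24      0.022      0 (none)
     22     61   2194          5          5      0.322      0 (none)
     23     64   2195          5          5      0.387      0 (none)
     24     70   2196          3          3      0.397      0 (none)
     25    150   2201          2          2      0.323      0 (none)
     26    151   2202          1          1      0.158      0 (none)
     27    153   2203          1          1      0.192      0 (none)
     28    155   2204          1          1      0.152      0 (none)
     29    157   2205          1          1      0.380      0 (none)
     30    159   2206          1          1      0.394      0 (none)
     31    161   2207          1          1      0.465      0 (none)
     32    163   2208          1          1      0.439      0 (none)
     33    165   2209          1          1      0.437      0 (none)
     34    167   2210          1          1      0.591      0 (none)
     35    169   2211          1          1      0.226      0 (none)
     36    171   2212          1          1      0.564      0 (none)
     37    173   2213          1          1      0.221      0 (none)
     38    175   2214          1          1      0.115      0 (none)
     39    177   2215          1          1      0.161      0 (none)
     40    179   2216          1          1      0.335      0 (none)
     41    181   2217          1          1      0.382      0 (none)
     42    154   2218          1          1      0.547      0 (none)
     43    158   2219          1          1      0.605      0 (none)
     44    162   2220          1          1      0.493      0 (none)
     45    166   2221          1          1      0.465      0 (none)
     46    170   2222          1          1      0.586      0 (none)
     47    174   2223          1          1      0.270      0 (none)
     48    178   2224          1          1      0.249      0 (none)
     49    182   2225          1          1      0.504      0 (none)
     50    184   2226          1          1      0.479      0 (none)
     51    186   2227          1          1      0.284      0 (none)
     52    188   2228          1          1      0.560      0 (none)
"""

_COUNTER = re.compile(r"^(number active|requests sent|replies received|queue length|avg service time):\s*(\d+)")


def parse_helper_stats(text):
    """Return (counters, rows). Flags is blank for a healthy helper, so a data line
    has 8 fields, or 9 when a flag letter is present; Request may contain spaces."""
    counters, rows = {}, []
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        tok = line.split()
        if len(tok) < 8 or not tok[0].isdigit():
            continue
        flags = "" if tok[5].replace(".", "", 1).isdigit() else tok.pop(5)
        rows.append({"id": int(tok[0]), "pid": int(tok[2]), "requests": int(tok[3]),
                     "replies": int(tok[4]), "flags": flags, "time": float(tok[5]),
                     "offset": int(tok[6]), "request": " ".join(tok[7:])})
    return counters, rows


def diagnose(text, slow=0.5):
    """Time for an idle helper (Request == "(none)") is taken as the duration of its
    last transaction. Helpers with a single request show warm-up (fresh process,
    keytab and GSSAPI setup); the most-used helper shows the steady-state cost.
    The 0.5 s threshold for "slow" is an assumption, not a Squid default."""
    counters, rows = parse_helper_stats(text)
    single = [r for r in rows if r["requests"] == 1]
    veteran = max(rows, key=lambda r: r["requests"]) if rows else None
    return {
        "helpers": len(rows),
        "requests": sum(r["requests"] for r in rows),
        "matches_counter": sum(r["requests"] for r in rows) == counters.get("requests sent"),
        "busy": sum(1 for r in rows if r["request"] != "(none)"),
        "single_request_helpers": len(single),
        "mean_time_single": sum(r["time"] for r in single) / len(single) if single else 0.0,
        "veteran": (veteran["id"], veteran["requests"], veteran["time"]) if veteran else None,
        "slow_idle_ids": sorted(r["id"] for r in rows if r["request"] == "(none)" and r["time"] > slow),
    }


if __name__ == "__main__":
    for key, value in diagnose(STATS_SAMPLE).items():
        print("%-24s %s" % (key, value))
```

On a live proxy, feed it the output of `squidclient mgr:negotiateauthenticator` (or the same page from cachemgr). If the single-request helpers are slow and the veteran is fast, the cost is in spawning helpers and a higher `startup=` value is the lever; if the veteran is slow too, the DC or the path to it is, which is Yuri's point.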

Re: ldap_sasl_interactive_bind_s error: Can't contact LDAP server

Yuri Voinov


20.02.2018 22:15, erdosain9 wrote:
> Sorry, Yuri, yes, it is working.
> I can connect via LDAP and also turned on debug to investigate, and there is no
> error now...
> but from time to time this error is happening... so... it is strange.
No. Check your network first in this case (generally speaking, it is better to
start troubleshooting from there).
The L1/L2/L3 layers, I mean.

>
> On the other hand, I'm getting these values with just one machine using the
> Squid:
>
> [... Negotiate Authenticator Statistics table quoted above, snipped ...]
>
> A little high, don't you think? avg service time: 208 msec
> In the working Squid sometimes the values go to 2500 msec..... (with 70
> users)
Usually Squid's direct-action helpers (I mean, not client-server ones like
ufdbguard) depend directly on the LAN/WAN. This means that if your network
introduces delay, this will be mirrored in the helper stats as increased service
time. As I've said, check your network.



