Hi,

Thanks for the tip about the reverse DNS. I have the Kerberos/Negotiate auth working now that the reverse DNS lookup matches.

For HA/resiliency I'd like to be able to point the fallback LDAP basic auth + group lookup at multiple AD/LDAP servers.

I notice both basic_ldap_auth and ext_ldap_group_acl use the -H flag for LDAP URIs but I've been having problems getting it to work with anything other than a single named host. Specifying multiple hosts e.g. -H ldap://server1.domain:389 ldap://server2.domain:389 appears to work for a while but eventually starts failing with 'couldn't connect to LDAP server' errors and it appears to always hit the 1st named host.

I've also tried using a DN as described in the ldapsearch documentation:

"Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396"


This works if I use ldapsearch e.g.

ldapsearch -b "dc=ed,dc=ac,dc=uk" -D "CN=squiduser,DC=domain,DC=local" -y /etc/squid/ldap_password "(&(objectClass=person)(sAMAccountName=mcairney))" -Z -H ldap:///dc%3Ddomain%2Cdc%3Dlocal

But if I use this LDAP URI with basic_ldap_auth I get 'Could not Activate TLS connection' errors and no clues in the logs/debug output.

Is this a known limitation of the squid utilities? If so, what are other people doing to provide HA/failover with their LDAP hosts (the only examples I can find in man pages/tutorials are the straightforward single LDAP host scenario).


Kind regards,

Mark


--
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk

*******************************/
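As an added example (not from the squid project or the poster), these Python helpers encode the -H URI conventions quoted above from the ldapsearch man page: building the RFC 2396-escaped, host-less DN URI that makes an OpenLDAP client fall back to RFC 2782 SRV lookup, splitting a whitespace/comma-separated -H list, and deriving the SRV name such a URI would resolve. The domain name and URIs used are constructed sample values.

```python
"""Helpers for the OpenLDAP -H URI conventions (ldap.conf(5)/ldapsearch(1)).

Added example; not code from squid or from the original post.
"""
from typing import List, Optional
from urllib.parse import quote, unquote, urlsplit


def dn_uri(domain: str, scheme: str = "ldap") -> str:
    """Build 'ldap:///<escaped DN>' from a DNS domain, e.g. domain.local ->
    ldap:///dc%3Ddomain%2Cdc%3Dlocal. With no host/port in the URI the client
    looks up _ldap._tcp.<domain> SRV records instead (RFC 2782)."""
    labels = [lab for lab in domain.strip(".").lower().split(".") if lab]
    if not labels:
        raise ValueError("empty domain")
    dn = ",".join(f"dc={lab}" for lab in labels)
    # RFC 2396 escaping: '=' -> %3D and ',' -> %2C. The comma MUST be escaped,
    # otherwise it would be read as a separator between URIs in the -H list.
    return f"{scheme}:///{quote(dn, safe='')}"


def split_uris(value: str) -> List[str]:
    """Split a -H argument into individual URIs; whitespace or commas separate
    entries, which is why DN commas inside a URI have to be percent-encoded."""
    return [u for u in value.replace(",", " ").split() if u]


def srv_name(uri: str) -> Optional[str]:
    """For a host-less ldap:/// URI whose DN is made only of dc= AVAs, return
    the SRV owner name the client would query (_ldap._tcp.<domain>).
    Returns None when the URI names an explicit host (no SRV lookup)."""
    parts = urlsplit(uri)
    if parts.netloc:
        return None
    dn = unquote(parts.path.lstrip("/"))
    labels = []
    for ava in dn.split(","):
        attr, _, val = ava.strip().partition("=")
        if attr.strip().lower() != "dc" or not val.strip():
            raise ValueError(f"DN must be a non-empty sequence of dc= AVAs: {dn!r}")
        labels.append(val.strip())
    return "_ldap._tcp." + ".".join(labels)


if __name__ == "__main__":
    print(dn_uri("domain.local"))                      # constructed sample domain
    print(split_uris("ldap://server1.domain:389 ldap://server2.domain:389"))
    print(srv_name("ldap:///dc%3Ddomain%2Cdc%3Dlocal"))
```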
