os-web-proxy-useracl // Proxy service crash after add any group rule #1065

Closed
evgeshah opened this issue Dec 13, 2018 · 12 comments
Labels
help wanted Contributor missing support Community support

Comments

@evgeshah

evgeshah commented Dec 13, 2018

Latest OPNsense 18.7.9-amd64
LDAP, SSO (over Kerberos os-web-proxy-sso plugin) configured
Users log in correctly and transparently.
If I add any new user rule to the os-web-proxy-useracl plugin, all is good,
but if I add any group rule:
[screenshot: groupruleadd]
and try to access any site, Squid crashes.

Error:
support_sasl.cc(276): pid=50035 :2018/12/13 14:49:03| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=50035 :2018/12/13 14:49:03| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
...
Crash:
...
2018/12/13 16:07:31 kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/12/13 16:07:31 kid1| Starting new helpers
2018/12/13 16:07:31 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
2018/12/13 16:07:57 kid1| WARNING: ext_group_ldap_0 #Hlpr2 exited
2018/12/13 16:07:57 kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/12/13 16:07:57 kid1| Closing HTTP port 192.168.XXX.YYY:3128
2018/12/13 16:07:57 kid1| storeDirWriteCleanLogs: Starting...
2018/12/13 16:07:57 kid1| Finished. Wrote 0 entries.
2018/12/13 16:07:57 kid1| Took 0.00 seconds ( 0.00 entries/sec).
FATAL: The ext_group_ldap_0 helpers are crashing too rapidly, need help!

Squid Cache (Version 3.5.28): Terminated abnormally.
CPU Usage: 0.268 seconds = 0.208 user + 0.060 sys
Maximum Resident Size: 115200 KB
Page faults with physical i/o: 7
2018/12/13 16:07:57 kid1| Closing Pinger socket on FD 23
2018/12/13 16:08:00 kid1| Set Current Directory to /var/squid/cache
2018/12/13 16:08:00 kid1| Starting Squid Cache version 3.5.28 for amd64-portbld-freebsd11.1...
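The cache.log excerpt above shows the usual shape of a Squid helper crash loop: the external ACL helper logs its own ERROR lines (here a failed SASL/GSSAPI bind to the LDAP server), Squid then notices "Too few ... processes", restarts the helper, sees it exit again, and finally gives up with a FATAL and terminates. The following is an added example, not code from OPNsense, the plugin or the reporter: a small Python analyser that reads such an excerpt and ties the FATAL restart back to the first helper ERROR, which is where the root cause usually sits. The sample log is constructed from the lines quoted in this report; the helper name `ext_kerberos_ldap_group_acl` and the group label `ext_group_ldap_0` are taken from those lines, not from any Squid API.

```python
import re
from collections import Counter

# Constructed from the cache.log lines quoted in this issue report.
SAMPLE_LOG = """\
support_sasl.cc(276): pid=50035 :2018/12/13 14:49:03| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(957): pid=50035 :2018/12/13 14:49:03| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
2018/12/13 16:07:31 kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/12/13 16:07:31 kid1| Starting new helpers
2018/12/13 16:07:31 kid1| helperOpenServers: Starting 1/5 'ext_kerberos_ldap_group_acl' processes
2018/12/13 16:07:57 kid1| WARNING: ext_group_ldap_0 #Hlpr2 exited
2018/12/13 16:07:57 kid1| Too few ext_group_ldap_0 processes are running (need 1/5)
2018/12/13 16:07:57 kid1| Closing HTTP port 192.168.XXX.YYY:3128
FATAL: The ext_group_ldap_0 helpers are crashing too rapidly, need help!
Squid Cache (Version 3.5.28): Terminated abnormally.
"""

# Line shapes seen in the report. The helper writes its own "<name>: ERROR: <msg>"
# lines; the kid1| lines come from Squid's helper supervision.
HELPER_ERROR = re.compile(r"pid=(?P<pid>\d+) :(?P<ts>\S+ \S+)\| (?P<helper>[\w-]+): ERROR: (?P<msg>.*)")
HELPER_EXIT = re.compile(r"WARNING: (?P<group>\w+) #Hlpr\d+ exited")
TOO_FEW = re.compile(r"Too few (?P<group>\w+) processes are running \(need (?P<have>\d+)/(?P<want>\d+)\)")
HELPER_OPEN = re.compile(r"helperOpenServers: Starting \d+/\d+ '(?P<binary>[^']+)' processes")
FATAL = re.compile(r"FATAL: The (?P<group>\w+) helpers are crashing too rapidly")


def analyze(log_text: str) -> dict:
    """Summarise helper health from a cache.log excerpt.

    Returns a dict with:
      errors     - (helper, message) pairs the helper itself logged
      exits      - Counter of helper groups whose processes exited
      too_few    - Counter of 'Too few ... processes' warnings per group
      binaries   - helper binaries Squid tried to (re)start
      fatal      - helper group that triggered the FATAL, or None
      root_cause - first helper ERROR message, or None if the helper was silent
    """
    report = {"errors": [], "exits": Counter(), "too_few": Counter(),
              "binaries": set(), "fatal": None, "root_cause": None}
    for line in log_text.splitlines():
        if m := HELPER_ERROR.search(line):
            report["errors"].append((m["helper"], m["msg"]))
        elif m := HELPER_EXIT.search(line):
            report["exits"][m["group"]] += 1
        elif m := TOO_FEW.search(line):
            report["too_few"][m["group"]] += 1
        elif m := HELPER_OPEN.search(line):
            report["binaries"].add(m["binary"])
        elif m := FATAL.search(line):
            report["fatal"] = m["group"]
    if report["errors"]:
        report["root_cause"] = report["errors"][0][1]
    return report


def diagnosis(report: dict) -> str:
    """One-line verdict: which helper group killed Squid and what it complained about."""
    if report["fatal"] is None:
        return "no helper crash loop detected"
    group = report["fatal"]
    binaries = ", ".join(sorted(report["binaries"])) or "unknown binary"
    cause = report["root_cause"] or "helper logged no ERROR line; check helper stderr"
    return (f"Squid terminated because helper group {group} ({binaries}) kept exiting "
            f"({report['exits'][group]} exit(s) seen); first helper error: {cause}")


if __name__ == "__main__":
    print(diagnosis(analyze(SAMPLE_LOG)))
```

Run against a real cache.log, the verdict is what to act on first: a `Can't contact LDAP server` from the helper means the GSSAPI bind never reached a directory server, so the LDAP connector settings, DNS resolution of the DC and the keytab are the places to look, while a helper that exits with no ERROR line at all points at the helper's own stderr instead.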

@kekek2

kekek2 commented Dec 14, 2018

The LDAP connector must be properly configured and available. The Squid helper can't connect to the LDAP server. You can read the documentation on SSO configuration at https://www.smart-soft.ru/support/documentation/handbook/ting/proxy_auth_kerberos.html

@fichtner fichtner added the support Community support label Dec 14, 2018
@mimugmail
Member

Is there also an English version? :)

@kekek2

kekek2 commented Dec 14, 2018

No, only Russian.

@evgeshah
Author

Yes, I read this manual and checked every step.
DNS and reverse DNS are OK
resolv.conf is OK
Time synchronized
Domain users successfully log in with SSO
keytab file is OK

Maybe the problem is that the domain has 3 DCs, but only one can be specified in the LDAP connector?

@kekek2

kekek2 commented Dec 14, 2018

Is "System: Access: Tester" for the LDAP connector working OK?

@kekek2

kekek2 commented Dec 14, 2018

One DC is enough.

@evgeshah
Author

Is "System: Access: Tester" for the LDAP connector working OK?

Yes, all OK

[screenshot: opnsensetester]

@evgeshah
Author

SSO tests:

[screenshot: opnsensetester]

@kekek2

kekek2 commented Dec 16, 2018

Do you use a domain on Windows Server 2003?

@evgeshah
Author

Do you use a domain on Windows Server 2003?

No. We use Windows Server 2008R2+
Domain functional level and forest functional level: Windows Server 2008R2
In OPNsense SSO I use the option "Windows 2008 with AES"

@evgeshah evgeshah reopened this Dec 18, 2018
@evgeshah
Author

I'm sorry. I closed the issue inadvertently. The problem is urgent.

@AdSchellevis
Member

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

@AdSchellevis AdSchellevis added the help wanted Contributor missing label Jan 5, 2020