In general, the issue is resolved. It wasn't the helper, it was the broken FreeIPA setup. Is there some kind of compat mode? It is not clear what it is needed for. So... When migrating to FreeIPA from OpenLDAP, I had Openfire refusing to pull users from there - supposedly they were duplicated (which is true, because users in FreeIPA are stored in two branches -
). On that same server this mode is disabled. Somehow the helper on this server checked only the user's GID to verify membership, and all other groups were ignored, even though ldapsearch worked fine. Where the mode is enabled, everything is OK. I didn't write a proper LDAP filter for Openfire - too lazy. I simply set:
/lib64/squid/ext_kerberos_ldap_group_acl -a -g inet_full@ -D fs.lan -S "dc.fs.lan dc2.fs.lan dc4.fs.lan"
As I understand it, on getting an ERR from the first server, the helper moves down the list. If the other 2 work properly, then everything is fine. Maybe later I will get Openfire working with ipa-compat-manage enabled.
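An added diagnostic (not from the original post) for the behaviour described above: it runs the same helper with the same group, domain and server list, but against one server at a time, so you can see which server answers OK, which answers ERR, and which fails outright (BH) instead of relying on the helper's fallthrough. The helper path, group and domain are taken from the post; the assumption that the helper reads one username per stdin line (squid external ACL protocol) and answers OK/ERR/BH is mine.

```shell
#!/bin/sh
# Added example: probe a squid kerberos/ldap group helper per server.
# Values below come from the post; override via environment if needed.
HELPER=${HELPER:-/lib64/squid/ext_kerberos_ldap_group_acl}
GROUP=${GROUP:-inet_full@}
DOMAIN=${DOMAIN:-fs.lan}
SERVERS=${SERVERS:-"dc.fs.lan dc2.fs.lan dc4.fs.lan"}

# Classify one helper reply line (squid external ACL protocol).
# Prints allow/deny/error and returns 0/1/2 so callers can branch on it.
# "BH" (or no reply at all) is a helper/LDAP failure, not a membership
# answer, and should be investigated rather than treated as a deny.
classify_reply() {
    case "$1" in
        OK*)  echo allow; return 0 ;;
        ERR*) echo deny;  return 1 ;;
        *)    echo error; return 2 ;;
    esac
}

# Ask the helper about one user against a single LDAP server.
# Assumption: the helper reads the username on stdin, one per line.
# Usage: check_user_on_server user@FS.LAN dc2.fs.lan
check_user_on_server() {
    reply=$(printf '%s\n' "$1" \
        | "$HELPER" -a -g "$GROUP" -D "$DOMAIN" -S "$2" 2>/dev/null \
        | head -n 1)
    classify_reply "$reply"
}

# Walk the server list one server at a time. With the multi-server -S
# form squid only sees the final answer; here a server that wrongly
# returns ERR (e.g. checking only the primary GID) shows up by name.
check_user_per_server() {
    for srv in $SERVERS; do
        printf '%s: ' "$srv"
        check_user_on_server "$1" "$srv" || :
    done
}
```

Run `check_user_per_server someuser@FS.LAN` on the proxy host as the user squid runs the helper as, so the Kerberos credential cache matches production.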