Chris,

Thanks for the reply. To make sure I understand correctly...... you're saying something like the following would only do a single ident query and LDAP lookup every 2 mins... and in-between squid would just remember for the duration of the ttl that %SRC has access?

external_acl_type lookup ttl=120 %SRC /tmp/lookup.pl
acl group1 external lookup
http_access allow group1

where /tmp/lookup.pl is

#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # Squid reads one reply per request, so output must be unbuffered

# Placeholder for the step the post only sketches ("some func doing an ident
# query"): return the user name the client's identd reports for $client_ip.
# An RFC 1413 query also needs the port pair of the client's connection to
# Squid, which %SRC alone does not carry; until that is wired in, return ''
# so the request fails closed (ERR) instead of allowing an unknown user.
sub ident_query {
    my ($client_ip) = @_;
    return '';
}

while (1) {
    my $input = <STDIN>;          # client IP (%SRC), one line per request
    last unless defined $input;   # Squid closed the pipe
    chomp($input);

    my $ident_rtn_name = ident_query($input);

    open(LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |')
        or die "Can't ldapsearch: $!";
    my $found = 0;
    my $fullusername = '';
    while (<LDAPSEARCH>) {
        # \Q...\E so regex metacharacters in the name are matched literally
        if ($_ =~ /cn=\Q$ident_rtn_name\E,/i) {
            $found = 1;
            /member: (.*)/i;
            $fullusername = $1;
            last;
        }
    }
    close(LDAPSEARCH);

    # Squid's documented reply keywords are lowercase: user= and message=
    if ($found == 0) {
        print 'ERR message="' . $ident_rtn_name . ' not a valid internet user"' . "\n";
    } else {
        print 'OK user="' . $fullusername . '"' . "\n";
    }
}

On 6/1/05, Chris Robertson <crobertson@xxxxxxx> wrote:
> > -----Original Message-----
> > From: Mike Brentlinger [mailto:msbrentlinger@xxxxxxxxx]
> > Sent: Wednesday, June 01, 2005 10:23 AM
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject: [squid-users] external_acl_type ttl not working? or not as I
> > understand?
> >
> >
> > I'm trying to conjure up a replacement to Novell BorderManager +
> > client trust for transparent auth in a Novell environment. There are
> > some squid proxy auth things it seems, however they require that the
> > user be prompted to enter a user+pass... not really ideal. Instead
> > users should not have to think about logging on.
> > I know ident can be
> > spoofed but for this test it's not a huge issue so got the following to
> > work on squid 2.5 stable 5:
> >
> > external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
> > acl group1 external ldap_lookup
> > http_access allow group1
> >
> > where /tmp/ldaplookup.pl is
> > #!/usr/bin/perl
> > $|=1;   # unbuffered output, required for Squid helpers
> > while ( 1 == 1 ) {
> >     $input = <STDIN>;            # user name from Squid's own ident lookup (%IDENT)
> >     last unless defined $input;  # Squid closed the pipe
> >     chomp($input);
> >     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |'
> >         or die "Can't ldapsearch :$!";
> >     $found = 0;
> >     $fullusername = '';
> >     while (<LDAPSEARCH>) {
> >         #print "$_";
> >         # \Q...\E so regex metacharacters in the name are matched literally
> >         if ($_ =~ /cn=\Q$input\E,/i) {
> >             $found = 1;
> >             /member: (.*)/i;
> >             $fullusername = $1;
> >             last;
> >         };
> >     }
> >     close LDAPSEARCH;
> >     # Squid's documented reply keywords are lowercase: user= and message=
> >     if ($found == 0){
> >         print 'ERR message="'.$input.' not a valid internet user"'."\n";
> >     } else {
> >         print 'OK user="'.$fullusername.'"'."\n";
> >     };
> > };
> >
> >
> > and my client is running
> > http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip
> >
> >
> > Everything works except the ttl isn't as I thought... e.g.: my client
> > tries to hit a page, squid ident requests my client, which responds,
> > then squid uses my script to see if that user name is in the
> > "internet" group as returned from my ldap search. If the user's in the
> > group the page is served, if not, they get access denied.
> >
> > So my question is this... if I immediately shut down my identd on my
> > client, squid starts denying access immediately. A net sniff shows
> > that squid is doing an ident query for every access request. I would
> > have expected with the ttl=120 that squid wouldn't query until 2
> > minutes later. This seems like a lot of needless ident traffic and
> > when I start piling on users I'll be doing more ident and ldap lookups
> > than web proxying.
> >
> > I suppose I just misunderstand the ttl option. Is there any way to get
> > squid to only ask for this ident auth at some specified timeout and
> > not for every page request?
> >
> > Any help would be greatly appreciated.
>
> The TTL value specified is how long Squid caches the result for the external
> ACL. So (as it stands now) if you authenticate, and then shut down the LDAP
> server (or revoke the account), you'll be able to continue surfing for two
> minutes. Move the ident lookup to the Perl script, and you should see a
> reduction in network traffic.
>
> Chris
>

-- 
msb
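The exchange above turns on how Squid's external ACL cache is keyed. The following is an added example, not code from this thread or from Squid: a small model of the external_acl_type result cache (one verdict per rendered key, kept for ttl seconds, which is the behaviour Chris describes) plus a parser for the helper's OK/ERR reply lines. It replays the same burst of requests with the ACL keyed on %IDENT and on %SRC, counting ident round-trips and ldapsearch runs, and shows Chris's caveat that a cached OK outlives a revoked account until the entry expires. The identd answers, the LDAP group, the IP 10.0.0.5 and the DN are constructed stand-ins, and negative_ttl is assumed to be left at its default, equal to ttl.

```python
"""Model of Squid's external_acl_type result cache (added example, not Squid code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REPLY_RE = re.compile(r'^(OK|ERR)\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_helper_reply(line: str) -> Tuple[bool, Dict[str, str]]:
    """Parse 'OK user="..."' / 'ERR message="..."' into (allowed, keywords).
    Quoted values may hold whitespace and backslash-escaped quotes."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed helper reply: %r" % line)
    keywords = {}
    for key, val in KV_RE.findall(m.group(2)):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])
        keywords[key] = val
    return m.group(1) == "OK", keywords


class ExternalAclCache:
    """One helper verdict per key; OK and ERR both live `ttl` seconds
    (assumption: negative_ttl left at its default, equal to ttl)."""

    def __init__(self, ttl: int):
        self.ttl = ttl
        self._entries: Dict[str, Tuple[bool, float]] = {}  # key -> (allowed, expiry)

    def check(self, key: str, now: float, helper: Callable[[str], str]) -> bool:
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            return entry[0]                       # cache hit: helper not consulted
        allowed, _ = parse_helper_reply(helper(key))
        self._entries[key] = (allowed, now + self.ttl)
        return allowed


# Constructed data: what the client's identd answers, and the LDAP group members.
IDENTD = {"10.0.0.5": "mike"}
INTERNET_GROUP = {"mike": "cn=Mike,ou=Users,o=Example"}


@dataclass
class Counters:
    ident: int = 0   # ident round-trips to the client
    ldap: int = 0    # ldapsearch invocations


def simulate(key_token: str, requests: List[Tuple[float, str]],
             ttl: int = 120, revoke_at: Optional[float] = None):
    """Replay (time, client_ip) requests through the ACL keyed on key_token
    ("%IDENT" or "%SRC"); optionally empty the group at time revoke_at.
    Returns (verdicts, ident_queries, ldap_lookups)."""
    group = dict(INTERNET_GROUP)
    counters = Counters()
    cache = ExternalAclCache(ttl)

    def ident_query(ip: str) -> str:
        counters.ident += 1
        return IDENTD.get(ip, "")            # "" stands in for a failed lookup

    def ldap_helper(name: str) -> str:       # what /tmp/ldaplookup.pl prints
        counters.ldap += 1
        dn = group.get(name)
        if dn:
            return 'OK user="%s"' % dn
        return 'ERR message="%s not a valid internet user"' % name

    verdicts = []
    for t, ip in requests:
        if revoke_at is not None and t >= revoke_at:
            group.clear()
        if key_token == "%IDENT":
            # Squid resolves %IDENT itself to build the key, so every request
            # costs an ident round-trip no matter what ttl is set to.
            verdicts.append(cache.check(ident_query(ip), t, ldap_helper))
        else:
            # Key is the IP; ident runs inside the helper, hence only on a miss.
            verdicts.append(cache.check(ip, t, lambda k: ldap_helper(ident_query(k))))
    return verdicts, counters.ident, counters.ldap


if __name__ == "__main__":
    burst = [(float(t), "10.0.0.5") for t in range(0, 100, 10)] + [(200.0, "10.0.0.5")]
    for token in ("%IDENT", "%SRC"):
        v, n_ident, n_ldap = simulate(token, burst)
        print("%-6s allowed=%d/%d ident=%d ldap=%d" % (token, sum(v), len(v), n_ident, n_ldap))
    v, _, _ = simulate("%SRC", burst, revoke_at=50)
    print("revoked at t=50, keyed on %SRC:", v)   # allowed until the entry expires
```

With the ten requests inside one ttl window and one after it, the %IDENT run performs eleven ident queries and two ldapsearch runs, while the %SRC run performs two of each; the revocation run keeps returning True until the 200-second request misses the cache. The trade-off is the one Chris states: caching by IP cuts traffic, but the proxy then trusts the cached verdict (and whatever the spoofable identd said) for the full ttl.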