> -----Original Message-----
> From: Mike Brentlinger [mailto:msbrentlinger@xxxxxxxxx]
> Sent: Wednesday, June 01, 2005 1:57 PM
> To: Chris Robertson
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: [squid-users] external_acl_type ttl not working? or not as I understand?
>
> On 6/1/05, Chris Robertson <crobertson@xxxxxxx> wrote:
>>> -----Original Message-----
>>> From: Mike Brentlinger [mailto:msbrentlinger@xxxxxxxxx]
>>> Sent: Wednesday, June 01, 2005 10:23 AM
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Subject: [squid-users] external_acl_type ttl not working? or not as I
>>> understand?
>>>
>>>
>>> I'm trying to conjure up a replacement to Novell Border Manager +
>>> client trust for transparent auth in a Novell environment. There are
>>> some squid proxy auth things it seems, however they require that the
>>> user be prompted to enter a user+pass... not really ideal. Instead
>>> users should not have to think about logging on. I know ident can be
>>> spoofed but for this test it's not a huge issue so got the following to
>>> work on squid 2.5 stable 5:
>>>
>>> external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
>>> acl group1 external ldap_lookup
>>> http_access allow group1
>>>
>>> where /tmp/ldaplookup.pl is
>>>
>>> #!/usr/bin/perl
>>> use strict;
>>> use warnings;
>>>
>>> $| = 1;    # unbuffered output: Squid waits for each reply line
>>>
>>> # One request per line from Squid (here the %IDENT username).
>>> # Reading until EOF instead of looping forever avoids spinning
>>> # when Squid closes the pipe.
>>> while (my $input = <STDIN>) {
>>>     chomp($input);
>>>     # Pull the member list of the "Internet" group from LDAP.
>>>     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |'
>>>         or die "Can't ldapsearch :$!";
>>>     my $found = 0;
>>>     my $fullusername = '';
>>>     while (<LDAPSEARCH>) {
>>>         #print "$_";
>>>         # \Q...\E matches the username literally, not as a regex
>>>         if ($_ =~ /cn=\Q$input\E,/i) {
>>>             $found = 1;
>>>             $fullusername = $1 if /member: (.*)/i;
>>>             last;
>>>         }
>>>     }
>>>     close LDAPSEARCH;
>>>     if ($found == 0) {
>>>         print 'ERR ERROR="'.$input.' not a valid internet user"'."\n";
>>>     } else {
>>>         print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
>>>     }
>>> }
>>>
>>>
>>> and my client is running
>>> http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip
>>>
>>>
>>> Everything works except the ttl isn't as I thought... eg: my client
>>> tries to hit a page, squid ident requests my client, which responds,
>>> then squid uses my script to see if that user name is in the
>>> "internet" group as returned from my ldap search. If the user's in the
>>> group the page is served, if not, they get access denied.
>>>
>>> So my question is this... if I immediately shut down my identd on my
>>> client, squid starts denying access immediately. A net sniff shows
>>> that squid is doing an ident query for every access request. I would
>>> have expected with the ttl=120 that squid wouldn't query until 2
>>> minutes later. This seems like a lot of needless ident traffic and
>>> when I start piling on users I'll be doing more ident and ldap lookups
>>> than web proxying.
>>>
>>> I suppose I just misunderstand the ttl option. Is there any way to get
>>> squid to only ask for this ident auth at some specified timeout and
>>> not for every page request?
>>>
>>> Any help would be greatly appreciated.
>>
>> The TTL value specified is how long Squid caches the result for the external
>> ACL. So (as it stands now) if you authenticate, and then shut down the LDAP
>> server (or revoke the account), you'll be able to continue surfing for two
>> minutes. Move the ident lookup to the Perl script, and you should see a
>> reduction in network traffic.
>>
>> Chris
>>
> Chris,
> Thanks for the reply. To make sure I understand correctly...... you're
> saying something like the following would only do a single ident query
> and ldap lookup every 2 mins... and in-between squid would just
> remember for the duration of the ttl that %SRC has access?
>
>
> external_acl_type lookup ttl=120 %SRC /tmp/lookup.pl
> acl group1 external lookup
> http_access allow group1
>
>
> where /tmp/lookup.pl is
>
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> $| = 1;    # unbuffered output, otherwise Squid waits on a buffered reply
>
> while (my $input = <STDIN>) {    # client ip from squid (%SRC)
>     chomp($input);
>     # Placeholder: the post does not define ident_lookup(); it stands for
>     # "some func doing an ident query to the client for a username".
>     my $ident_rtn_name = ident_lookup($input);
>     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |'
>         or die "Can't ldapsearch :$!";
>     my $found = 0;
>     my $fullusername = '';
>     while (<LDAPSEARCH>) {
>         if ($_ =~ /cn=\Q$ident_rtn_name\E,/i) {
>             $found = 1;
>             $fullusername = $1 if /member: (.*)/i;
>             last;
>         }
>     }
>     close LDAPSEARCH;
>     if ($found == 0) {
>         print 'ERR ERROR="'.$ident_rtn_name.' not a valid internet user"'."\n";
>     } else {
>         print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
>     }
> }
>
>
> --
> msb

That is what I am saying. Whether I am correct or not is the big question.
:o) FWIW, I have a high level of confidence in my assertion.

Chris
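Added example, not code from the thread or from Squid: a Python version of the helper Chris describes, with the ident lookup moved into the helper, together with a small model of the per-key result cache Squid keeps in front of any external ACL helper (the ttl=120 in the config). It assumes RFC 1413 ident on the client, a constructed set of authorized usernames standing in for the ldapsearch call, and that Squid hands the helper the client/proxy port pair an ident query needs (for instance %SRCPORT and %MYPORT in newer Squid releases; the 2.5 config in the thread passes only %SRC). The user= and message= keys on the result line follow the Squid 3 helper protocol rather than the uppercase keys the thread's script prints.

```python
"""Squid external ACL helper with ident done in-process, plus a TTL cache model.
Added example; constructed data, not from the squid-users thread."""
import socket
import sys
import time

IDENT_PORT = 113

# Constructed stand-in for the "(cn=Internet)" group's member list.
INTERNET_GROUP = {"msb", "alice"}


def build_ident_request(remote_port, local_port):
    """RFC 1413 request line "<port-on-server> , <port-on-client>": the first
    port is on the host running identd (the web client's source port), the
    second is ours (the proxy's listening port)."""
    return "%d , %d\r\n" % (remote_port, local_port)


def parse_ident_response(line):
    """Return (username, None) for a USERID reply, (None, reason) otherwise.
    Usernames may contain ':' so only the first three separators count."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        return None, "malformed"
    if fields[1].upper() == "ERROR":
        return None, fields[2]
    if fields[1].upper() == "USERID" and len(fields) == 4:
        return fields[3], None
    return None, "malformed"


def ident_query(client_ip, client_port, proxy_port, timeout=2.0):
    """Ask identd on the client who owns the client_port -> proxy_port connection."""
    with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_ident_request(client_port, proxy_port).encode("ascii"))
        reply = s.recv(1024).decode("ascii", "replace")
    return parse_ident_response(reply)


def decide(client_ip, client_port, proxy_port, lookup=ident_query):
    """One helper decision: ident -> group membership -> Squid OK/ERR line."""
    user, err = lookup(client_ip, client_port, proxy_port)
    if user is None:
        return 'ERR message="ident lookup failed: %s"' % err
    if user.lower() not in INTERNET_GROUP:
        return 'ERR message="%s not a valid internet user"' % user
    return 'OK user="%s"' % user


class AclCache:
    """Model of the result cache Squid keeps per request key (ttl=120 in the
    thread). Squid does this itself; the class only shows why a user whose
    access was revoked keeps surfing until the cached entry expires."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def check(self, key, compute):
        """Return (result, from_cache); compute() is the helper round trip."""
        now = self.clock()
        hit = self.entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1], True          # helper not consulted
        result = compute()
        self.entries[key] = (now, result)
        return result, False


def main():
    # Squid writes one request per line; assumed format "%SRC %SRCPORT %MYPORT".
    while True:
        line = sys.stdin.readline()
        if not line:                     # Squid closed the pipe: exit, don't spin
            break
        parts = line.split()
        try:
            ip, client_port, proxy_port = parts[0], int(parts[1]), int(parts[2])
        except (IndexError, ValueError):
            print('ERR message="malformed request"', flush=True)
            continue
        print(decide(ip, client_port, proxy_port), flush=True)


if __name__ == "__main__":
    main()
```

The cache model is what makes Chris's point concrete: the helper is consulted once per key per TTL window, so identd going away or the group shrinking is only noticed when the entry expires. Squid keys that cache on the whole formatted request line, so a format that includes the client port caches per TCP connection rather than per client; the trade-off between lookup traffic and revocation delay is set by what goes into the format and by the ttl value.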