Re: External ACL and Delay Pools

"Sergey A. Kobzar" <sergey.kobzar@xxxxxxx> · Wed, 24 Dec 2008 15:25:20 +0200

Wednesday, December 24, 2008, 2:50:50 PM, Sergey wrote:

> Hello.

> It seems delay pools don't work in my configuration. I use
> squid_ldap_auth to authenticate users in Active Directory:

> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth \
>   -R -b "DC=test,DC=com" -D "unix@xxxxxxxx" -w xxx -f "sAMAccountName=%s" 1.1.1.1

> and

> external_acl_type active_directory_group ttl=60 %LOGIN
> /usr/local/libexec/squid/squid_ldap_group \
>   -R -b "DC=test,DC=com" -D "unix@xxxxxxxx" -w xxx \
>   -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Proxy,OU=Internet
> Services,DC=test,DC=com))" 1.1.1.1

> These are external ACLs for delay pools in config file:

> acl ad_speed_128k external active_directory_group speed_128k
> acl ad_speed_256k external active_directory_group speed_256k
> acl ad_speed_512k external active_directory_group speed_512k

> And to use different outgoing channels:

> acl ad_channel_1 external active_directory_group channel_1
> acl ad_channel_2 external active_directory_group channel_2
> acl ad_channel_3 external active_directory_group channel_3

> http_access allow ad_channel_1
> http_access allow ad_channel_2
> http_access allow ad_channel_3

> I've configured Squid to use different outgoing channel for different
> groups:

> tcp_outgoing_address 192.168.252.5 ad_channel_2
> tcp_outgoing_address 192.168.252.9 ad_channel_3

> And limit speed for other groups:

> delay_pools 3

> delay_class 1 2
> delay_class 2 2
> delay_class 3 2

> delay_access 1 allow ad_speed_128k
> delay_access 1 deny all
> delay_access 2 allow ad_speed_256k
> delay_access 2 deny all
> delay_access 3 allow ad_speed_512k
> delay_access 3 deny all

> delay_parameters 1 128000/128000 16000/16000
> delay_parameters 2 256000/256000 32000/32000
> delay_parameters 3 512000/512000 64000/64000

> And when I add some user to speed_128k and channel_2 AD groups, he
> uses 2nd channel as expected, but delay pools don't apply to it.

> What is wrong?

> If required I can past whole my config.

> Thanks!

I just found that if I give access using ad_speed_128k, ad_speed_256k
and ad_speed_512k groups

http_access allow ad_speed_128k
http_access allow ad_speed_256k
http_access allow ad_speed_512k

delay pools work as expected, but splitting by different channels does
not work.

Any ideas?

-- 
Sergey