Wednesday, December 24, 2008, 3:25:20 PM, Sergey wrote:

> Wednesday, December 24, 2008, 2:50:50 PM, Sergey wrote:
>
>> Hello.
>>
>> It seems delay pools don't work in my configuration. I use
>> squid_ldap_auth to authenticate users in Active Directory:
>>
>> auth_param basic program /usr/local/libexec/squid/squid_ldap_auth \
>>     -R -b "DC=test,DC=com" -D "unix@xxxxxxxx" -w xxx -f "sAMAccountName=%s" 1.1.1.1
>>
>> and
>>
>> external_acl_type active_directory_group ttl=60 %LOGIN /usr/local/libexec/squid/squid_ldap_group \
>>     -R -b "DC=test,DC=com" -D "unix@xxxxxxxx" -w xxx \
>>     -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Proxy,OU=Internet Services,DC=test,DC=com))" 1.1.1.1
>>
>> These are the external ACLs for delay pools in the config file:
>>
>> acl ad_speed_128k external active_directory_group speed_128k
>> acl ad_speed_256k external active_directory_group speed_256k
>> acl ad_speed_512k external active_directory_group speed_512k
>>
>> And to use different outgoing channels:
>>
>> acl ad_channel_1 external active_directory_group channel_1
>> acl ad_channel_2 external active_directory_group channel_2
>> acl ad_channel_3 external active_directory_group channel_3
>>
>> http_access allow ad_channel_1
>> http_access allow ad_channel_2
>> http_access allow ad_channel_3
>>
>> I've configured Squid to use a different outgoing channel for different
>> groups:
>>
>> tcp_outgoing_address 192.168.252.5 ad_channel_2
>> tcp_outgoing_address 192.168.252.9 ad_channel_3
>>
>> And limit speed for other groups:
>>
>> delay_pools 3
>>
>> delay_class 1 2
>> delay_class 2 2
>> delay_class 3 2
>>
>> delay_access 1 allow ad_speed_128k
>> delay_access 1 deny all
>> delay_access 2 allow ad_speed_256k
>> delay_access 2 deny all
>> delay_access 3 allow ad_speed_512k
>> delay_access 3 deny all
>>
>> delay_parameters 1 128000/128000 16000/16000
>> delay_parameters 2 256000/256000 32000/32000
>> delay_parameters 3 512000/512000 64000/64000
>>
>> And when I add some user to the speed_128k and channel_2 AD groups, he
>> uses the 2nd channel as expected, but delay pools don't apply to him.
>>
>> What is wrong?
>>
>> If required I can paste my whole config.
>>
>> Thanks!
>
> I just found that if I give access using the ad_speed_128k, ad_speed_256k
> and ad_speed_512k groups
>
> http_access allow ad_speed_128k
> http_access allow ad_speed_256k
> http_access allow ad_speed_512k
>
> delay pools work as expected, but splitting by different channels does
> not work.
>
> Any ideas?

Well, looks like I've found an answer - Squid does not check the user in the AD
group (external ACL) when it processes delay pools. According to the logs, at
the http_access stage:

2008/12/25 01:04:49| aclMatchExternal: active_directory_group("sergey.kobzar channel_2") = lookup needed
2008/12/25 01:04:49| aclMatchAclList: no match, returning 0
2008/12/25 01:04:49| externalAclLookup: lookup in 'active_directory_group' for 'sergey.kobzar channel_2'
2008/12/25 01:04:49| externalAclHandleReply: reply="OK"
2008/12/25 01:04:49| external_acl_cache_add: Adding 'sergey.kobzar channel_2' = 1
2008/12/25 01:04:49| aclCheck: checking 'http_access allow ad_channel_2'

It's OK, but when Squid processes delay pools:

2008/12/25 01:04:49| aclMatchAclList: checking ad_speed_128k
2008/12/25 01:04:49| aclMatchAcl: checking 'acl ad_speed_128k external active_directory_group speed_128k'
2008/12/25 01:04:49| aclMatchExternal: acl="active_directory_group"
2008/12/25 01:04:49| aclMatchExternal: active_directory_group("sergey.kobzar speed_128k") = lookup needed
2008/12/25 01:04:49| aclMatchAclList: no match, returning 0
2008/12/25 01:04:49| aclMatchAclList: checking all
2008/12/25 01:04:49| aclMatchAcl: checking 'acl all src all'

... it does not do the lookup. But:

# /usr/local/libexec/squid/squid_ldap_group -R -b "DC=test,DC=com" -D "unix@xxxxxxxx" -w xxx -f "(&(sAMAccountName=sergey.kobzar)(memberOf=CN=speed_128k,OU=Proxy,OU=Internet Services,DC=test,DC=com))" 1.1.1.1
sergey.kobzar speed_128k
OK

Any ideas?

--
Sergey
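
Added example, not part of Sergey's message: a small Python check over the debug lines quoted above that lists external ACL keys logged as "lookup needed" for which no externalAclLookup line followed, which is the symptom the post shows at the delay pool stage. The function name audit_external_acl and the regular expressions are assumptions based only on the log format visible in this thread.

```python
import re

# Debug lines copied from the post above (cache.log with ACL debugging on).
SAMPLE_LOG = """\
2008/12/25 01:04:49| aclMatchExternal: active_directory_group("sergey.kobzar channel_2") = lookup needed
2008/12/25 01:04:49| aclMatchAclList: no match, returning 0
2008/12/25 01:04:49| externalAclLookup: lookup in 'active_directory_group' for 'sergey.kobzar channel_2'
2008/12/25 01:04:49| externalAclHandleReply: reply="OK"
2008/12/25 01:04:49| external_acl_cache_add: Adding 'sergey.kobzar channel_2' = 1
2008/12/25 01:04:49| aclCheck: checking 'http_access allow ad_channel_2'
2008/12/25 01:04:49| aclMatchAclList: checking ad_speed_128k
2008/12/25 01:04:49| aclMatchAcl: checking 'acl ad_speed_128k external active_directory_group speed_128k'
2008/12/25 01:04:49| aclMatchExternal: acl="active_directory_group"
2008/12/25 01:04:49| aclMatchExternal: active_directory_group("sergey.kobzar speed_128k") = lookup needed
2008/12/25 01:04:49| aclMatchAclList: no match, returning 0
2008/12/25 01:04:49| aclMatchAclList: checking all
"""

NEEDED = re.compile(r'aclMatchExternal: (\w+)\("([^"]*)"\) = lookup needed')
LOOKUP = re.compile(r"externalAclLookup: lookup in '(\w+)' for '([^']*)'")
CACHED = re.compile(r"external_acl_cache_add: Adding '([^']*)' = (-?\d+)")

def audit_external_acl(log_text):
    """Return (unresolved, cached): external ACL keys that needed a helper
    lookup which was never issued, and keys whose result was cached."""
    pending = {}   # (acl_type, key) -> line number where lookup was needed
    cached = {}    # key -> cached helper result
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = NEEDED.search(line)
        if m:
            pending.setdefault((m.group(1), m.group(2)), lineno)
            continue
        m = LOOKUP.search(line)
        if m:  # the helper was actually asked, so the key is resolved
            pending.pop((m.group(1), m.group(2)), None)
            continue
        m = CACHED.search(line)
        if m:
            cached[m.group(1)] = int(m.group(2))
    unresolved = sorted(pending.items(), key=lambda kv: kv[1])
    return unresolved, cached

if __name__ == "__main__":
    unresolved, cached = audit_external_acl(SAMPLE_LOG)
    for (acl_type, key), lineno in unresolved:
        print(f"line {lineno}: {acl_type} {key!r} needed a lookup that was never issued")
    print("cached results:", cached)
```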