On 24/11/2011 10:36 p.m., Christian Zink wrote:
Hi,
I have a strange problem driving me mad. I set up a fresh RHEL 6.1 system and installed LDAP and Squid. I want to authenticate users and control the internet access depending on groups.
LDAP auth with digest_ldap_auth works fine, but I can't get the squid_ldap_group helper to work.
My conf:
(your mailer seems to have mangled the config somewhat badly.
re-formatted while snipping).
auth_param digest program /usr/lib64/squid/digest_ldap_auth -H ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" -u "uid" -A "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W "/etc/squid/digestreader_cred"
external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
The Problem:
Squid doesn't talk to the helper processes! That's all I can see in logs:
2011/11/23 17:07:34.219| ACLChecklist::preCheck: 0x7fff8c40cc70 checking 'cache_peer_access download.proxy allow ldap_download'
2011/11/23 17:07:34.219| ACLList::matches: checking ldap_download
2011/11/23 17:07:34.219| ACL::checklistMatches: checking 'ldap_download'
2011/11/23 17:07:34.219| aclMatchExternal: acl="ldap_group"
2011/11/23 17:07:34.219| aclMatchExternal: ldap_group("v990493 download") = lookup needed
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": entry=@0, age=0
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": queueing a call.
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": return -1.
2011/11/23 17:07:34.219| ACL::ChecklistMatches: result for 'ldap_download' is -1
2011/11/23 17:07:34.219| aclmatchAclList: 0x7fff8c40cc70 returning false (AND list entry failed to match)
2011/11/23 17:07:34.219| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
While this is repeated endlessly I straced the helper process ... nothing! I also wrote a dummy helper, also nothing. With tcpdump on localhost I see the packets from digest_ldap_auth to LDAP. Squid's talking to digest_ldap_auth over a Unix pipe, that works, and from digest_ldap_auth to LDAP over 127.0.0.1 works too, but not from Squid to the helper, although there is a TCP connection:
squid   1858  squid  8u  IPv6 47834 0t0 UDP *:54597
squid   1858  squid 14u  IPv6 47840 0t0 TCP [::1]:38965->[::1]:45367 (ESTABLISHED)
squid   1858  squid 15u  IPv6 47842 0t0 TCP *:d-s-n (LISTEN)
test.sh 10617 squid  0u  IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
test.sh 10617 squid  1u  IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
What i tried so far:
- the squid_ldap_group works on the shell, piping "username group" results in OK/ERR depending on the LDAP group membership
- no activity in strace on squid_ldap_group, but on digest_ldap_auth
- no packets seen with tcpdump on localhost, except from digest_ldap_auth
- tried many different options of external_acl_type ...
- no iptables active & SELinux permissive
Probably it's a really simple solution, like an internal ACL not allowing network access to localhost, but I can't see it and it's driving me nuts!!!!
So contact to a server on IPv4 localhost works. But packets never make
it to a helper listening on IPv6 localhost. It looks like an overly
restrictive IPv6 firewall block to me.
If you can fix those IPv6 firewall rules you may find other things
around the OS start working better as well. As a workaround if that is
not possible, you can try adding the external_acl_type directive option
"ipv4".
Amos
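The "dummy helper" debugging step Christian mentions, written out as an added example; this is not his test.sh and not part of Squid. It speaks the plain (non-concurrent) external_acl helper protocol, logs every request it receives, and answers OK/ERR from a constructed in-script user:group table, so it runs offline. The `serve` argument, the `HELPER_LOG` variable, the table contents and the acl names in the comment are assumptions for illustration. If the log file stays empty while cache.log keeps printing "queueing a call", the request never reached the helper, which is the IPv6 loopback delivery problem Amos diagnoses above rather than a group-lookup problem.

```shell
#!/bin/sh
# Dummy external_acl_type helper for Squid (added example, not from the thread).
# Squid writes one request per line on stdin: "%LOGIN" followed by the extra
# token from the acl line (e.g. "v990493 download"), and expects exactly one
# "OK" or "ERR" line on stdout per request.
#
# Assumed squid.conf lines (names are illustrative):
#   external_acl_type ldap_group ipv4 children=1 %LOGIN /usr/lib64/squid/test.sh serve
#   acl ldap_download external ldap_group download
# "ipv4" is the workaround suggested above: it keeps Squid-to-helper traffic
# on 127.0.0.1 instead of [::1].

LOG="${HELPER_LOG:-/tmp/squid-helper-debug.log}"

# Constructed user:group table standing in for the LDAP lookup so the script
# can be exercised offline. Swap check_line for a real lookup (or chain to
# squid_ldap_group) once delivery to the helper has been confirmed.
GROUP_TABLE="v990493:download
v990493:internet
jdoe:internet"

# Answer one request: OK if user is a member of group, ERR otherwise.
check_line() {
    user=$1
    group=$2
    if printf '%s\n' "$GROUP_TABLE" | grep -qxF -- "${user}:${group}"; then
        echo OK
    else
        echo ERR
    fi
}

# Helper main loop: read requests until Squid closes the pipe. Each request is
# appended to $LOG before it is answered, so the log shows what Squid actually
# delivered. Each reply is a complete line, so Squid never waits on a buffer.
run_helper() {
    while read -r user group _rest; do
        printf '%s request: user=%s group=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "$user" "$group" >> "$LOG"
        check_line "$user" "$group"
    done
}

# Loop on stdin only when started with the "serve" argument, as in the
# external_acl_type line above; sourcing the file just defines the functions.
case "${1:-}" in
    serve) run_helper ;;
esac
```

Run it by hand first (`printf 'v990493 download\n' | sh test.sh serve`) to confirm the protocol handling, then point external_acl_type at it and watch the log. If it stays empty, check the IPv6 loopback path before touching Squid: `ip6tables -S` should show traffic on `lo` being accepted (an `-A INPUT -i lo -j ACCEPT` rule, or an ACCEPT policy); only if that cannot be fixed fall back to the `ipv4` option.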