Hey Ricardo.
GOOD and Thanks!
I have seen this issue before but didn't have much time to handle it.
So now the ldap helper works fine??
If I understand right there is something odd about the helpers code which forces the admin to use more helpers than it used to be in 2.7 and 3.1.
How about testing it and making sure it's a *bug* and file a bug together on it?
Why do you use a couple of rock store caches if they are all available to all the workers?

Eliezer

On 6/3/2013 8:15 PM, Ricardo Klein wrote:

Hi Eliezer,

I ended up making some changes on my /etc/init.d/squid to force pidfiles exclusion on /var/run/squid, because when I restart squid it does not always kill those files (but it ends all processes).
My new packages now have the init.d script with those changes and I have uploaded them here:
http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.src.rpm
http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.x86_64.rpm

And, my selinux policies too:
http://webfiles.klein.inf.br/centos/squid_selinuxpolicy.tar.bz2
if you use any RHEL flavor.

Btw, I have good performance when added some options on ext_ldap_group_acl (children-max=50 children-startup=25 children-idle=25), and here is all the interesting part about it:

#### SQUID.CONF parts ####
cache_mem 2048 MB
workers 6
cache_dir rock /var/spool/squid/cache1 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache2 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache3 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache4 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache5 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_dir rock /var/spool/squid/cache6 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
cache_replacement_policy heap LFUDA
logfile_daemon /usr/lib64/squid/log_file_daemon
access_log daemon:/var/log/squid/access.log squid
auth_param basic credentialsttl 20 minutes
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
external_acl_type ldap_group children-max=50 children-startup=25 children-idle=25 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=MYDOMAIN,DC=local" -D "CN=squid,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local" -w MYPASSWORD -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local))" -h <IPADDRESS>
authenticate_ttl 600 seconds
#### /SQUID.CONF parts ####

Anyway, I still have some errors like this one when using more than 2 workers (but squid still working):

Squid Cache (Version 3.3.5): Terminated abnormally.
CPU Usage: 0.068 seconds = 0.054 user + 0.014 sys
Maximum Resident Size: 76000 KB
Page faults with physical i/o: 0
FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-squid-page-pool.shm): (2) No such file or directory

I am going to test it in production to see how it performs and tell you here ok?

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Mon, Jun 3, 2013 at 9:37 AM, Ricardo Klein <klein.rfk@xxxxxxxxx> wrote:

Eliezer, you didn't compile LDAP_group external acl, see your ./configure line:
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'

My:
--enable-external-acl-helpers="file_userip,LDAP_group,kerberos_ldap_group,session,unix_group,wbinfo_group"

But I will try to rebuild your package with LDAP_group enabled

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Mon, Jun 3, 2013 at 8:53 AM, Ricardo Klein <klein.rfk@xxxxxxxxx> wrote:

Eliezer,
You mean change permissions on /dev/shm? It is already "world writeable"

[root@theroutertwo ~]# ll /dev/shm
total 0
drwxrwxrwt. 2 root root 40 Jun 1 12:16 .

(maybe I am doing the whole shm thing wrong)

Btw I will test your package this morning (it is Monday morning here in Brazil now) and tell you how it goes.

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Mon, Jun 3, 2013 at 7:58 AM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:

Yes it works.
If you need some SHM thing just change the ownership of the directory. It will solve most of the problems.
If there is some SPEC expert here I will be happy to get some help to do this change in the SPEC file instead of doing it manually.

Eliezer

On 6/1/2013 11:50 PM, Ricardo Klein wrote:

Eliezer, nice, you already have the package I need... Does your package work with ldap_group external acl?
I will try it and check if your package works with my conf, this SHM error is driving me crazy.

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Sat, Jun 1, 2013 at 5:28 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:

Hey Ricardo,
If you can build an RPM and store it it will be helpful for many people. It will also add redundancy to my RPM and an alternative to mine.
http://www1.ngtech.co.il/rpm/centos/6/x86_64/
If you want the SRPM this is where mine is stored:
http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/

Eliezer

On 6/1/2013 3:01 PM, Ricardo Klein wrote:

Amos, great thanks, I will fix this mess I did in the ./configure and try again.
If I can build an RPM package for CentOS 6.4 (and it should work in RHEL 6.4 too) is there any interest in me putting this somewhere people can download it?

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Sat, Jun 1, 2013 at 12:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 1/06/2013 7:40 a.m., Ricardo Klein wrote:

> Hi there,
> I am trying to build squid on CentOS 6.4 64bits with external_acl_helper "ldap_group", but my ./configure log says:
>
> configure: external acl helper ldap_group ... found but cannot be built
>
> I have filed a bug in the bugtrack, but, if any of you know what is wrong, please tell me so I can cancel that bugtracker.

The script detecting external-acl-helpers entries has a bug displaying the wrong message for the error. It will report "found but cannot be built" for both the found and not-found error cases.

In your situation I believe the helpers as named cannot be found at all due to incorrect ./configure options.
Details inline with your options...

> Here is my ./configure options:
>
> ./configure \
> --prefix=/usr \
> --exec-prefix=/usr \
> --bindir=/usr/bin \
> --sbindir=/usr/sbin \
> --sysconfdir=/etc \
> --datadir=/usr/share \
> --includedir=/usr/include \
> --libdir=/usr/lib64 \
> --libexecdir=/usr/libexec \
> --sharedstatedir=/var/lib \
> --mandir=/usr/share/man \
> --infodir=/usr/share/info \
> --enable-internal-dns \

internal-dns is enabled by default. You can omit this.

> --disable-strict-error-checking \
> --exec_prefix=/usr \
> --libexecdir=/usr/lib64/squid \
> --localstatedir=/var \
> --datadir=/usr/share/squid \
> --sysconfdir=/etc/squid \

You already specified several of the above batch of options (datadir, sysconfdir, libexecdir) with different values. This may cause unexpected results when installing.

And "--exec_prefix" does not exist. There is a different "--exec-prefix" option earlier which will be used ... so more unexpected results when installing.

> --with-logdir=$LOCALSTATEDIR/log/squid \
> --with-pidfile=$LOCALSTATEDIR/run/squid.pid \
> --disable-dependency-tracking \
> --enable-arp-acl \

"--enable-arp-acl" does not exist. The replacement --enable-eui is already enabled by default, so all you need do is to remove the above option.

> --enable-follow-x-forwarded-for \
> --enable-auth \

NP: auth is enabled by default, and when omitted will be auto-enabled by the below helpers options anyway. You can omit "--enable-auth" entirely.

> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,squid_radius_auth
> --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
> --enable-digest-auth-helpers=password,ldap,eDirectory \
> --enable-negotiate-auth-helpers=squid_kerb_auth \

The auth build options underwent a major change in the squid-3.2 series. --enable-X-auth-helpers options no longer exist. Squid ./configure script is ignoring the above auth helper options and using the default versions of the new --enable-auth-X options.

For example your basic auth helpers line should be:

  --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,NIS,getpwnam,MSNT-multi-domain,SASL,DB,RADIUS"

> --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group

You are not getting build problems with the auth helpers because the entire configure --enable-* option name changed and the broken ones above are ignored in favour of the auto-detected helpers.

The external-acl-helpers option however did not change, so you hit error messages trying to build the differently named helpers. Run "ls -1 helpers/*/" to see all the new helper names. Note that the list here is case sensitive.

> --enable-cache-digests \
> --enable-cachemgr-hostname=localhost \
> --enable-delay-pools \
> --enable-epoll \
> --enable-icap-client \
> --enable-ident-lookups \
> --enable-linux-netfilter \
> --enable-referer-log \

--enable-referer-log no longer exists. It is a built-in squid.conf logformat type instead now.

> --enable-removal-policies=heap,lru \
> --enable-snmp \
> --enable-ssl \
> --enable-storeio=aufs,diskd,ufs \

NP: with 3.2 and later you probably want to build "rock" cache type as well.

> --enable-useragent-log \

--enable-useragent-log no longer exists. It is a built-in squid.conf logformat type instead now.

> --enable-wccpv2 \
> --enable-esi \
> --with-aio \
> --with-default-user=squid \
> --with-filedescriptors=30000 \
> --with-dl \
> --with-openssl \
> --with-pthreads

Amos
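
Added example, not part of the thread and not code from the Squid project: a small shell lint for the ./configure problems Amos lists above (the nonexistent --exec_prefix, removed options, pre-3.2 --enable-X-auth-helpers names that are silently ignored, options given twice), plus a case-sensitive check of helper names against a helpers directory. The function names and the directory argument are assumptions made for illustration; the option names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: lint ./configure arguments for the issues named in this thread.
# Function names are hypothetical; option names are taken from the thread.

lint_configure_args() {
    seen=" "                                   # names already seen, space-delimited
    for arg in "$@"; do
        name=${arg%%=*}                        # strip "=value"
        case "$name" in
            --exec_prefix)
                echo "INVALID $name: no such option, --exec-prefix is the real one" ;;
            --enable-arp-acl)
                echo "REMOVED $name: replaced by --enable-eui (on by default)" ;;
            --enable-referer-log|--enable-useragent-log)
                echo "REMOVED $name: now a built-in squid.conf logformat" ;;
            --enable-*-auth-helpers)           # pre-3.2 spelling, silently ignored
                scheme=${name#--enable-}; scheme=${scheme%-auth-helpers}
                echo "IGNORED $name: use --enable-auth-$scheme" ;;
            --enable-internal-dns|--enable-auth)
                echo "REDUNDANT $name: enabled by default" ;;
        esac
        case "$seen" in
            *" $name "*) echo "DUPLICATE $name: given more than once" ;;
        esac
        seen="$seen$name "
    done
}

# Helper names are case sensitive: compare a comma-separated list against the
# entries of a helpers directory (path supplied by the caller, an assumption).
check_helper_names() {
    dir=$1
    old_ifs=$IFS; IFS=,
    for h in $2; do
        ls -1 "$dir" | grep -qxF -- "$h" ||
            echo "UNKNOWN helper '$h': not in $dir (case sensitive)"
    done
    IFS=$old_ifs
}

# Constructed input: a subset of the options quoted in the thread.
lint_configure_args --exec-prefix=/usr --datadir=/usr/share --enable-internal-dns \
    --exec_prefix=/usr --datadir=/usr/share/squid --enable-arp-acl \
    --enable-basic-auth-helpers=LDAP,NCSA --enable-referer-log \
    --enable-external-acl-helpers=ip_user,ldap_group
```

The IGNORED case is the one that matters most for an authenticating proxy: the build succeeds, but with the auto-detected helper set rather than the one the operator listed.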