ext_ldap_group_acl problem

Kirill Kamyshnikov <kirill.kamyshnikov@xxxxxxxxx> · Fri, 4 Oct 2013 15:38:26 +0400

I can't get group from ldap

in config
==
external_acl_type ldap_users ttl=320 ipv4 %LOGIN
/usr/lib/squid3/ext_ldap_group_acl -d -R -P -b "o=site" -v 3 -f
"(&(cn=%v)(groupMembership=%g))" -s sub ldap.site

root@april3:/etc/squid3# /usr/lib/squid3/ext_ldap_group_acl -d -R -P
-b "o=site" -v 3 -f "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
user cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site
ext_ldap_group_acl.cc(587): pid=9990 :Connected OK
ext_ldap_group_acl.cc(726): pid=9990 :group filter
'(&(cn=user)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site))',
searchbase 'o=site'
OK

But I can't use this ACL in access section
==
acl fullaccess_users    external ldap_users
cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site
http_access allow fullaccess

cache.log (debug_oprion 82,9 84,9)
====
2013/10/04 15:29:10.371 kid1| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'fullaccess_users'
2013/10/04 15:29:10.371 kid1| external_acl.cc(793) aclMatchExternal:
acl="ldap_users"
2013/10/04 15:29:10.371 kid1| external_acl.cc(822) aclMatchExternal:
No helper entry available
2013/10/04 15:29:10.371 kid1| external_acl.cc(826) aclMatchExternal:
ldap_users check user authenticated.
2013/10/04 15:29:10.371 kid1| external_acl.cc(832) aclMatchExternal:
ldap_users user is authenticated.
2013/10/04 15:29:10.371 kid1| external_acl.cc(856) aclMatchExternal:
ldap_users("user cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site") =
lookup needed
2013/10/04 15:29:10.371 kid1| external_acl.cc(858) aclMatchExternal:
"user cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site": entry=@0, age=0
2013/10/04 15:29:10.371 kid1| external_acl.cc(861) aclMatchExternal:
"user cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site": queueing a
call.
2013/10/04 15:29:10.371 kid1| external_acl.cc(863) aclMatchExternal:
"user cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=site": return -1.
2013/10/04 15:29:10.371 kid1| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'fullaccess_users' is -1
2013/10/04 15:29:10.371 kid1| Acl.cc(346) matches: fullaccess_users
needs async lookup
2013/10/04 15:29:10.371 kid1| Acl.cc(354) matches: !fullaccess_users
result is false

root@april3:/etc/squid3# ls -lah /usr/lib/squid3/ext_ldap_group_acl
-rwsr-sr-x 1 proxy root 26K Jul 22 03:31 /usr/lib/squid3/ext_ldap_group_acl

Help please.

Best regards,
Kirill