On 6/10/2013 10:27 p.m., Kirill Kamyshnikov wrote:
external_acl_type ldap_users ipv4 ttl=20 concurrency=10 children-max=20 children-startup=5 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b "o=garant" -v 3 -f "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site

2013/10/06 13:15:15.737 kid1| external_acl.cc(826) aclMatchExternal: ldap_users check user authenticated.
2013/10/06 13:15:15.737 kid1| external_acl.cc(832) aclMatchExternal: ldap_users user is authenticated.
2013/10/06 13:15:15.737 kid1| external_acl.cc(856) aclMatchExternal: ldap_users("kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant") = lookup needed
2013/10/06 13:15:15.737 kid1| external_acl.cc(858) aclMatchExternal: "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": entry=@0, age=0
2013/10/06 13:15:15.737 kid1| external_acl.cc(861) aclMatchExternal: "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": queueing a call.
2013/10/06 13:15:15.737 kid1| external_acl.cc(863) aclMatchExternal: "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": return -1.
2013/10/06 13:15:15.737 kid1| external_acl.cc(1451) Start: fg lookup in 'ldap_users' for 'kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant'
2013/10/06 13:15:15.737 kid1| external_acl.cc(1506) Start: externalAclLookup: looking up for 'kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users'.
2013/10/06 13:15:15.737 kid1| external_acl.cc(1516) Start: externalAclLookup: will wait for the result of 'kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users' (ch=0x7f8497088d38).
ext_ldap_group_acl.cc(726): pid=4159 :group filter '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
ext_ldap_group_acl.cc(587): pid=4159 :Connected OK
ext_ldap_group_acl.cc(726): pid=4159 :group filter '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
ext_ldap_group_acl.cc(726): pid=4159 :group filter '(&(cn=0)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))', searchbase 'o=garant'
2013/10/06 13:15:15.742 kid1| external_acl.cc(1367) externalAclHandleReply: externalAclHandleReply: reply="ERR "
2013/10/06 13:15:15.742 kid1| external_acl.cc(1276) external_acl_cache_add: external_acl_cache_add: Adding 'kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' = DENIED

Why cn=0?

Because the lookup was sent on concurrency channel number 0. Hint: the helper does not support concurrency=10

Check from command line:

kam@april3:/etc/squid3# /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b "o=garant" -v 3 -f "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant
ext_ldap_group_acl.cc(587): pid=4227 :Connected OK
ext_ldap_group_acl.cc(726): pid=4227 :group filter '(&(cn=kam)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))', searchbase 'o=garant'
OK

See, it works if you omit the concurrency channel number from the input.

Amos
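
Added example, not part of the original message and not Squid or helper source code: a small Python model of how an input line carrying a concurrency channel number is tokenised by a helper that does not expect one, reproducing the `cn=0` filters from the log above. The function names are hypothetical, and the model assumes whitespace-separated tokens with no URL-decoding.

```python
import re

# Added illustration; not Squid or ext_ldap_group_acl source code.
FILTER = "(&(cn=%v)(groupMembership=%g))"   # -f template from the post
GROUP = "cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant"
WIRE_LINE = f"0 kam {GROUP}"    # input as sent with concurrency=10, channel 0
MANUAL_LINE = f"kam {GROUP}"    # input as typed in the command-line check

def ldap_escape(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_request(line, channel_aware):
    """Split one helper input line into (channel, user, groups).

    Assumption: tokens are whitespace-separated; URL-decoding is not modelled.
    channel_aware=False models a helper that expects no channel number.
    """
    tokens = line.split()
    channel = tokens.pop(0) if channel_aware else None
    return channel, tokens[0], tokens[1:]

def group_filters(line, channel_aware):
    """Return the LDAP search filters that would be issued for this line."""
    _, user, groups = parse_request(line, channel_aware)
    filters = []
    for group in groups:
        values = {"%v": ldap_escape(user), "%g": ldap_escape(group)}
        # Single-pass substitution so a value can never be re-expanded.
        filters.append(re.sub(r"%[vg]", lambda m: values[m.group(0)], FILTER))
    return filters

def reply(line, channel_aware, is_member):
    """Format the helper reply; a channel-aware helper echoes the channel number."""
    channel, _, _ = parse_request(line, channel_aware)
    result = "OK" if is_member else "ERR"
    return f"{channel} {result}" if channel_aware else result

if __name__ == "__main__":
    cases = [("old-style parsing, channel-prefixed input", WIRE_LINE, False),
             ("old-style parsing, manual input", MANUAL_LINE, False),
             ("channel-aware parsing, channel-prefixed input", WIRE_LINE, True)]
    for label, line, aware in cases:
        print(label)
        for flt in group_filters(line, aware):
            print("    " + flt)
```

Setting `concurrency=0` on the `external_acl_type` line makes Squid send the old-style input without the channel number.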