You are absolutely right! Thanks.

2013/10/6 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 6/10/2013 10:27 p.m., Kirill Kamyshnikov wrote:
>>
>> external_acl_type ldap_users ipv4 ttl=20 concurrency=10
>> children-max=20 children-startup=5 %LOGIN
>> /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b "o=garant" -v 3 -f
>> "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
>>
>>
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(826) aclMatchExternal:
>> ldap_users check user authenticated.
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(832) aclMatchExternal:
>> ldap_users user is authenticated.
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(856) aclMatchExternal:
>> ldap_users("kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant") =
>> lookup needed
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(858) aclMatchExternal:
>> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": entry=@0,
>> age=0
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(861) aclMatchExternal:
>> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": queueing a
>> call.
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(863) aclMatchExternal:
>> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": return -1.
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1451) Start: fg lookup
>> in 'ldap_users' for 'kam
>> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant'
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1506) Start:
>> externalAclLookup: looking up for 'kam
>> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users'.
>> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1516) Start:
>> externalAclLookup: will wait for the result of 'kam
>> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users'
>> (ch=0x7f8497088d38).
>> ext_ldap_group_acl.cc(726): pid=4159 :group filter
>> '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
>> ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
>> ext_ldap_group_acl.cc(587): pid=4159 :Connected OK
>> ext_ldap_group_acl.cc(726): pid=4159 :group filter
>> '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
>> ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
>> ext_ldap_group_acl.cc(726): pid=4159 :group filter
>>
>> '(&(cn=0)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))',
>> searchbase 'o=garant'
>> 2013/10/06 13:15:15.742 kid1| external_acl.cc(1367)
>> externalAclHandleReply: externalAclHandleReply: reply="ERR "
>> 2013/10/06 13:15:15.742 kid1| external_acl.cc(1276)
>> external_acl_cache_add: external_acl_cache_add: Adding 'kam
>> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' = DENIED
>>
>> Why cn=0?
>
>
> Because the lookup was sent on concurrency channel number 0.
>
> Hint: the helper does not support concurrency=10
>
>
>
>> Check from command line:
>> kam@april3:/etc/squid3# /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b
>> "o=garant" -v 3 -f "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
>> kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant
>> ext_ldap_group_acl.cc(587): pid=4227 :Connected OK
>> ext_ldap_group_acl.cc(726): pid=4227 :group filter
>>
>> '(&(cn=kam)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))',
>> searchbase 'o=garant'
>> OK
>
>
> See, it works if you omit the concurrency channel number from the input.
>
> Amos
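
Added example (not part of the thread and not Squid's or the helper's own code): a simplified Python model of how a helper tokenizes one request line, showing why the channel ID that `concurrency=10` prepends ends up in the filter as `cn=0` and the user name ends up as a group. The function names, the whitespace-only parsing and the two sample request lines are assumptions constructed from the log output quoted above.

```python
import re

# -f value from the external_acl_type line in the thread
FILTER = "(&(cn=%v)(groupMembership=%g))"

# Constructed request lines: what the helper reads on stdin.
# With concurrency=N, Squid prefixes each request with a channel ID.
WITH_CHANNEL = "0 kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant"
NO_CHANNEL = "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant"


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_request(line, helper_understands_channels):
    """Split a request line into (channel, user, groups).

    A helper without concurrency support takes the first token as the
    user name, whatever it is (simplified model, hypothetical function).
    """
    tokens = line.split()
    channel = None
    if helper_understands_channels:
        channel, tokens = tokens[0], tokens[1:]
    return channel, tokens[0], tokens[1:]


def fill(template, user, group):
    """Substitute %v (user) and %g (group) in one pass."""
    values = {"%v": ldap_escape(user), "%g": ldap_escape(group)}
    return re.sub(r"%[vg]", lambda m: values[m.group(0)], template)


def group_filters(line, helper_understands_channels):
    """Return the search filters tried, one per group token on the line."""
    _, user, groups = parse_request(line, helper_understands_channels)
    return [fill(FILTER, user, g) for g in groups]


if __name__ == "__main__":
    print("channel sent, helper not channel-aware:")
    for f in group_filters(WITH_CHANNEL, False):
        print("  ", f)
    print("no channel sent:")
    for f in group_filters(NO_CHANNEL, False):
        print("  ", f)
```

The first case reproduces the two failing filters in the log; the second reproduces the filter from the command-line check that returned OK.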