
Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload


 



Hi Eliezer,

I use this LDAP group helper with the following options:

external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" -D nslcd-service@xxxxxxx -w "Pa77w0rd" -h ubuntu.dot.lan

As you advised me I followed
http://wiki.squid-cache.org/KnowledgeBase/DebugSections
And the new line in squid.conf is:
debug_options 82,9 84,9
So it is now only about helpers.

I read once the
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html
And already tried to put ttl=50 with no luck. With children-* I put everything on 50 also with no luck.

Logs
I found strange behaviour in log, which shows up in startup:
2013/11/13 15:24:01.051| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
What is wrong here?
My cache.log during request:
2013/11/13 15:28:19.027| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 0
2013/11/13 15:28:19.027| Starting new basicauthenticator helpers...
2013/11/13 15:28:19.027| helperOpenServers: Starting 1/20 'basic_ldap_auth' processes
2013/11/13 15:28:19.034| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1322) helperDispatch: helperDispatch: Request sent to basicauthenticator #1, 23 bytes
2013/11/13 15:28:19.035| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1213) GetFirstAvailable: GetFirstAvailable: Least-loaded helper is overloaded!
2013/11/13 15:28:19.035| helper.cc(418) helperSubmit: helperSubmit: administrator Pa77w0rd

2013/11/13 15:28:19.090| helper.cc(901) helperHandleRead: helperHandleRead: 3 bytes from basicauthenticator #1
2013/11/13 15:28:19.091| helper.cc(910) helperHandleRead: helperHandleRead: 'OK
'
2013/11/13 15:28:19.091| helper.cc(926) helperHandleRead: helperHandleRead: end of reply found
2013/11/13 15:28:19.091| external_acl.cc(793) aclMatchExternal: acl="memberof"
2013/11/13 15:28:19.091| external_acl.cc(822) aclMatchExternal: No helper entry available
2013/11/13 15:28:19.091| external_acl.cc(826) aclMatchExternal: memberof check user authenticated.
2013/11/13 15:28:19.091| external_acl.cc(832) aclMatchExternal: memberof user is authenticated.
2013/11/13 15:28:19.091| external_acl.cc(856) aclMatchExternal: memberof("administrator InternetAccess") = lookup needed
2013/11/13 15:28:19.091| external_acl.cc(858) aclMatchExternal: "administrator InternetAccess": entry=@0, age=0
2013/11/13 15:28:19.091| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 15:28:19.092| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1





-----Original Message-----
From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 12:15 PM
To: Andrey; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

Hey,

On 11/13/2013 06:25 AM, Andrey wrote:
> I did. All LDAP related logs info is in previous message. However I do
> not understand what all these codes mean.

Those messages show us what happens inside squid in order to understand
the reason for what is causing the problem.
You can see the meaning of each log "number" here:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

But all the hexes and surrounding stuff are irrelevant.
What is important is that for now:
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768 answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'InetAccess' is -1


It means that the external_acl helper is not doing its job based on
either mismatch of settings or wrong function.
It will be clear once you stop squid and then:
1. enter the right debug_options in squid.conf.
2. start tapping the logs using "tail -f /var/log/squid/cache.log"
3. start squid
4. do only one or two requests on squid.
5. share the logs.

If you think there is private information in it you can send it to me
via personal email or strip any private data.

I do not know what helper you are using, but you are missing
some parameters from squid.conf to allow the helper to work without problems.
You should consider looking at:
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html

and especially at the related "children" settings.

Eliezer
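
Added example, not part of either message in this thread: with debug_options 84,9 the helperSubmit line in cache.log carries the Basic auth username and password in clear text, and the external_acl_type line carries the LDAP bind password after -w, so both need masking before logs or config are shared. A minimal Python redactor for that, assuming the record formats shown in the excerpts above; the function names and sample values are hypothetical.

```python
import re

# Start of a cache.log record, e.g. "2013/11/13 15:28:19.035| " (zero-width match).
TS = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\| )")
# At debug level 84,9 helperSubmit logs the raw line sent to a helper. For a
# Basic auth helper that is "<user> <password>", so keep the first token only.
# Group-check lines ("<user> <group>") look the same and lose the group name.
SUBMIT = re.compile(r"(helperSubmit: helperSubmit: )(\S+)(?: .*)?$", re.S)
# LDAP bind password given to a helper with -w, quoted or bare.
BIND_PW = re.compile(r"""(\s-w\s+)("[^"]*"|'[^']*'|\S+)""")


def split_records(text):
    """One record per timestamp, even when several were fused onto one line."""
    return [r.strip() for r in TS.split(text) if r.strip()]


def redact(text):
    """Return the records with helper payloads and -w passwords masked."""
    out = []
    for rec in split_records(text):
        rec = SUBMIT.sub(r"\1\2 [REDACTED]", rec)
        rec = BIND_PW.sub(r"\1[REDACTED]", rec)
        out.append(rec)
    return out


# Constructed sample in the shape of the excerpts above; all values are made up.
SAMPLE = (
    'external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl '
    '-b "dc=example,dc=lan" -D binduser@example.lan -w "bind-secret" '
    '-h ldap.example.lan\n'
    '2013/11/13 15:28:19.027| Starting new basicauthenticator helpers...\n'
    '2013/11/13 15:28:19.035| helper.cc(1213) GetFirstAvailable: '
    'GetFirstAvailable: Least-loaded helper is overloaded! '
    '2013/11/13 15:28:19.035| helper.cc(418) helperSubmit: helperSubmit: '
    'alice user-secret\n\n'
    '2013/11/13 15:28:19.090| helper.cc(901) helperHandleRead: '
    'helperHandleRead: 3 bytes from basicauthenticator #1\n'
)

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
```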






