Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload


I found a solution!

Problem was with IPv6.
When squid tries to run the helper it asks for IPv6, which I have disabled. Therefore, the following line of code appears in the logs:
WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.

As far as I understand the process, squid does not stop to restart the helper. Therefore the following appears in the logs: WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'

The solution is to put the ipv4 flag in front of %LOGIN just like this:

external_acl_type memberof ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" -D nslcd-service@xxxxxxx -w "Pa77w0rd" -h ubuntu.dot.lan

Thank you everyone. Special thanks to Eliezer. The debug_options is very helpful ;)

references:
http://squid-web-proxy-cache.1019090.n4.nabble.com/external-acl-td4662446.html~
http://squid-web-proxy-cache.1019090.n4.nabble.com/Starting-helpers-with-ipv6-disabled-td4660978.html
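
Added example, not part of the original post: a Python check that ties the two warnings together, reporting every external ACL whose "queue overload" rejections trace back to a helper that Squid could not start, and whether its `external_acl_type` line carries the `ipv4` option. The config and log text are constructed samples modelled on the lines in this thread; `parse_external_acls` and `triage` are hypothetical names.

```python
import re
import shlex
from collections import Counter

# Constructed samples modelled on the thread (hostnames are placeholders).
SQUID_CONF = '''\
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -h ldap.example.lan
external_acl_type staff ipv4 ttl=60 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -h ldap.example.lan
'''
CACHE_LOG = '''\
2013/11/13 15:24:01.051| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 15:28:19.091| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 15:28:20.114| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
'''
CANNOT_RUN = re.compile(r"WARNING: Cannot run '([^']+)' process")
OVERLOAD = re.compile(r"WARNING: external ACL '([^']+)' queue overload")


def parse_external_acls(conf):
    """Map ACL name -> its options and helper path, one entry per external_acl_type line."""
    acls = {}
    for line in conf.splitlines():
        if not line.lstrip().startswith("external_acl_type"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "external_acl_type":
            continue
        name, rest = tokens[1], tokens[2:]
        # Layout: options, then %FORMAT tokens, then the helper command line.
        first_fmt = next((i for i, t in enumerate(rest) if t.startswith("%")), len(rest))
        helper = next((t for t in rest[first_fmt:] if not t.startswith("%")), None)
        acls[name] = {"options": rest[:first_fmt], "helper": helper}
    return acls


def triage(conf, log):
    """Report ACLs that reject requests because their helper never started."""
    acls = parse_external_acls(conf)
    failed_helpers = set(CANNOT_RUN.findall(log))
    rejected = Counter(OVERLOAD.findall(log))
    findings = []
    for name, count in sorted(rejected.items()):
        acl = acls.get(name)
        if acl and acl["helper"] in failed_helpers:
            findings.append({"acl": name, "helper": acl["helper"], "rejected": count,
                             "has_ipv4_flag": "ipv4" in acl["options"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SQUID_CONF, CACHE_LOG):
        print(finding)
```
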

-----Original message----- From: Andrey
Sent: Wednesday, November 13, 2013 3:34 PM
To: Eliezer Croitoru ; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

Hi Eliezer,

I use this LDAP group helper with the following options:

external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" -D nslcd-service@xxxxxxx -w "Pa77w0rd" -h ubuntu.dot.lan

As you advised me I followed
http://wiki.squid-cache.org/KnowledgeBase/DebugSections
And the new line in squid.conf is:
debug_options 82,9 84,9
So it is now only about helpers.

I read once the
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html
And already tried to put ttl=50 with no luck. With children-* I put
everything on 50 also with no luck.

Logs
I found strange behaviour in log, which shows up in startup:
2013/11/13 15:24:01.051| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
What is wrong here?
My cache.log during request:
2013/11/13 15:28:19.027| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 0
2013/11/13 15:28:19.027| Starting new basicauthenticator helpers...
2013/11/13 15:28:19.027| helperOpenServers: Starting 1/20 'basic_ldap_auth' processes
2013/11/13 15:28:19.034| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1322) helperDispatch: helperDispatch: Request sent to basicauthenticator #1, 23 bytes
2013/11/13 15:28:19.035| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1213) GetFirstAvailable: GetFirstAvailable: Least-loaded helper is overloaded!
2013/11/13 15:28:19.035| helper.cc(418) helperSubmit: helperSubmit: administrator Pa77w0rd

2013/11/13 15:28:19.090| helper.cc(901) helperHandleRead: helperHandleRead: 3 bytes from basicauthenticator #1
2013/11/13 15:28:19.091| helper.cc(910) helperHandleRead: helperHandleRead: 'OK
'
2013/11/13 15:28:19.091| helper.cc(926) helperHandleRead: helperHandleRead: end of reply found
2013/11/13 15:28:19.091| external_acl.cc(793) aclMatchExternal: acl="memberof"
2013/11/13 15:28:19.091| external_acl.cc(822) aclMatchExternal: No helper entry available
2013/11/13 15:28:19.091| external_acl.cc(826) aclMatchExternal: memberof check user authenticated.
2013/11/13 15:28:19.091| external_acl.cc(832) aclMatchExternal: memberof user is authenticated.
2013/11/13 15:28:19.091| external_acl.cc(856) aclMatchExternal: memberof("administrator InternetAccess") = lookup needed
2013/11/13 15:28:19.091| external_acl.cc(858) aclMatchExternal: "administrator InternetAccess": entry=@0, age=0
2013/11/13 15:28:19.091| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 15:28:19.092| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1





-----Original message----- From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 12:15 PM
To: Andrey ; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

Hey,

On 11/13/2013 06:25 AM, Andrey wrote:
> I did. All LDAP related logs info is in previous message. However I do
> not understand what all these codes mean.

Those messages show us what happens inside squid in order to understand
the reason of what is causing the problem.
You can see the meaning of each log "number" here:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

but all the hexes and surrounding stuff is irrelevant.
What is important is that for now:
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768 answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'InetAccess' is -1


It means that the external_acl helper is not doing its job based on
either a mismatch of settings or a wrong function.
It will be clear once you stop squid and then:
1. enter the right debug_options in squid.conf.
2. start tapping the logs using "tail -f /var/log/squid/cache.log"
3. start squid
4. do only one or two requests on squid.
5. share the logs.

If you think there is private information in it you can send it to me
via personal email or strip any private data.

I do not know what helper you are using, but you are missing
some parameters from squid.conf to allow the helper to work without problems.
You should consider looking at:
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html

and especially at the related "children" settings.

Eliezer
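
Added example, not part of the original thread: with `debug_options 82,9 84,9` the `helperSubmit` lines in cache.log carry what Squid sends to each helper, which for the Basic authenticator is the username and password, and the `external_acl_type` line carries the LDAP bind password after `-w`. One way to strip both before sharing logs, in Python; the sample text is constructed and `scrub` is a hypothetical name.

```python
import re

TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\| ")
SUBMIT = re.compile(r"^(.*\bhelperSubmit: helperSubmit:)[ \t]*(.*)$")
BIND_PW = re.compile(r"""(\s-w\s+)("[^"]*"|'[^']*'|\S+)""")

# Constructed sample: a config line, then log lines with the helper payload
# both on the same line and wrapped onto the next line (as mail clients do).
SAMPLE = '''\
external_acl_type memberof ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -b "dc=example,dc=lan" -D binduser@example.lan -w "S3cret!" -h ldap.example.lan
2013/11/13 15:28:19.035| helper.cc(1322) helperDispatch: helperDispatch: Request sent to basicauthenticator #1, 23 bytes
2013/11/13 15:28:19.035| helper.cc(418) helperSubmit: helperSubmit: alice S3cret!
2013/11/13 15:28:19.036| helper.cc(418) helperSubmit: helperSubmit:
bob hunter2
2013/11/13 15:28:19.090| helper.cc(901) helperHandleRead: helperHandleRead: 3 bytes from basicauthenticator #1
'''


def scrub(text, mask="[REDACTED]"):
    """Mask every helperSubmit payload and every '-w <password>' argument."""
    out, pending = [], False
    for line in text.splitlines():
        m = SUBMIT.match(line)
        if m:
            # Empty payload means it was wrapped onto the following line.
            pending = not m.group(2).strip()
            out.append(m.group(1) + ("" if pending else " " + mask))
            continue
        if pending and not TS.match(line):
            if line.strip():
                out.append(mask)  # the wrapped payload itself
                pending = False
            else:
                out.append(line)
            continue
        pending = False
        out.append(BIND_PW.sub(lambda pw: pw.group(1) + mask, line))
    return "\n".join(out)


if __name__ == "__main__":
    print(scrub(SAMPLE))
```

All helper payloads are masked, not only those of the Basic authenticator, so user and group names sent to the external ACL helper are removed as well.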






