Re: Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

Andrey ‪ <andrew_dev@xxxxxxxxxxx> · Wed, 13 Nov 2013 20:36:03 +0100

I think helper tries to access the IPv6 of the server (I'am not sure!), but 
IPv6 is disabled:
/etc/sysctl.conf

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

#Enable IPv4 forward
net.ipv4.ip_forward = 1
net.ipv4.conf_all.rp_filter=1

Here is the log without ipv4, well debug_options:82,9 84,9, I do not know 
what is meaning of FD socket (No info on inet):

2013/11/13 20:29:13| helperOpenServers: Starting 0/20 'basic_ldap_auth' 
processes
2013/11/13 20:29:13| helperOpenServers: No 'basic_ldap_auth' processes 
needed.
2013/11/13 20:29:13.689| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 0
2013/11/13 20:29:13.689| helperOpenServers: Starting 5/5 
'ext_ldap_group_acl' processes
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 7 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 8 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP 
[::1]
2013/11/13 20:29:13.689| WARNING: Cannot run 
'/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 9 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 10 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP 
[::1]
2013/11/13 20:29:13.689| WARNING: Cannot run 
'/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 11 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 12 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP 
[::1]
2013/11/13 20:29:13.689| WARNING: Cannot run 
'/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 13 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 14 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP 
[::1]
2013/11/13 20:29:13.689| WARNING: Cannot run 
'/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 15 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| commBind: Cannot bind socket FD 16 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD: TCP 
[::1]
2013/11/13 20:29:13.689| WARNING: Cannot run 
'/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 20:29:13.690| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 0
2013/11/13 20:29:13.690| commBind: Cannot bind socket FD 25 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.690| commBind: Cannot bind socket FD 26 to [::1]: (99) 
Cannot assign requested address
2013/11/13 20:29:13.690| ERROR: Failed to create helper child read FD: 
UDP[::1]
2013/11/13 20:29:36.841| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 0
2013/11/13 20:29:36.841| Starting new basicauthenticator helpers...
2013/11/13 20:29:36.841| helperOpenServers: Starting 1/20 'basic_ldap_auth' 
processes
2013/11/13 20:29:36.853| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 1
2013/11/13 20:29:36.855| helper.cc(1322) helperDispatch: helperDispatch: 
Request sent to basicauthenticator #1, 23 bytes
2013/11/13 20:29:36.856| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 1
2013/11/13 20:29:36.856| helper.cc(1213) GetFirstAvailable: 
GetFirstAvailable: Least-loaded helper is overloaded!
2013/11/13 20:29:36.856| helper.cc(418) helperSubmit: helperSubmit: 
administrator Pa77w0rd

2013/11/13 20:29:36.906| helper.cc(901) helperHandleRead: helperHandleRead: 
3 bytes from basicauthenticator #1
2013/11/13 20:29:36.906| helper.cc(910) helperHandleRead: helperHandleRead: 
'OK
'
2013/11/13 20:29:36.906| helper.cc(926) helperHandleRead: helperHandleRead: 
end of reply found
2013/11/13 20:29:36.907| external_acl.cc(793) aclMatchExternal: 
acl="memberof"
2013/11/13 20:29:36.907| external_acl.cc(822) aclMatchExternal: No helper 
entry available
2013/11/13 20:29:36.907| external_acl.cc(826) aclMatchExternal: memberof 
check user authenticated.
2013/11/13 20:29:36.907| external_acl.cc(832) aclMatchExternal: memberof 
user is authenticated.
2013/11/13 20:29:36.907| external_acl.cc(856) aclMatchExternal: 
memberof("administrator InternetAccess") = lookup needed
2013/11/13 20:29:36.907| external_acl.cc(858) aclMatchExternal: 
"administrator InternetAccess": entry=@0, age=0
2013/11/13 20:29:36.907| WARNING: external ACL 'memberof' queue overload. 
Request rejected 'administrator InternetAccess'.
2013/11/13 20:29:36.907| helper.cc(1180) GetFirstAvailable: 
GetFirstAvailable: Running servers 1

-----Oorspronkelijk bericht----- 
From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 7:15 PM
To: Andrey ‪ ; squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Ubuntu Server 13.10. Squid 3.3.8. WARNING: 
external ACL 'memberof' queue overload

Thanks Andrey,

On 11/13/2013 07:54 PM, Andrey ‪ wrote:
I found a solution!

Problem was with IPv6.
When squid tries to run the helper he asks IPv6, which I have disabled.
Therefore, in logs appears following line of code:
WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.

Just to get a more accurate data:
What ipv6? do the helper got an IPV6 in the request? ipv6 of the client?

Thanks,
Eliezer