On 11/12/2013 11:02 p.m., Dmitry Melekhov wrote:
> Hello!
>
> Just tried to install 3.4.1 to production.
> Users complain that they need to do reauth after some timeout.
>
> Parts of config:
>
> external_acl_type LdapGroup children-max=30 children-startup=10
> concurrency=0 ttl=600 negative_ttl=10 grace=0 protocol=2.5 %LOGIN
> /usr/sbin/squid_ldap_group -v 3 -h 127.0.0.1 -b "o=company,c=RU" -B
> "org=company,ou=People,o=company,c=RU" -f "(&(cn=%g)(memberUid=%u))" -F
> "(&(objectClass=account)(uid=%s))" -s sub
>
>
> and
>
> auth_param basic program /usr/sbin/squid_ldapauth
> auth_param basic credentialsttl 600 seconds
> auth_param basic children 10
> auth_param basic realm Squid proxy-caching web server
> #auth_param basic casesensitive on
> auth_param basic casesensitive off
>
> I see the following in my logs, firefox doesn't ask me for auth info though:
> 1386754087.151 2 192.168.22.229 TCP_DENIED/407 6701 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386754810.393 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
> 1386755534.579 2 192.168.22.229 TCP_DENIED/407 6702 GET http://www.rbc.ru/? dm HIER_NONE/- text/html
>
>
> As far as I remember, there was such a problem in 3.2, or something like
> this, so I installed 3.3 before it was released - this was an acl problem.
>
> Were some changes introduced in 3.4? Or do I need to reconfigure something?

Try setting the grace period to a value larger than 0.

The grace period is a short time before the credentials TTL expires when
they can be looked up at the helper for validity without needing to block
the client request or send an immediate pass/fail result to the access
control.

** There was a bug in this for some 3.2-3.3 releases. If you are using the
auth check in a fast-type access control, the TTL expiry will cause a fail
result after the credentials have expired, even if the helper lookup will
some time later produce a valid/success result.

Grace allows that lookup to be started before the TTL is over, and
hopefully the credentials' next TTL can be assigned before the old one
expires.

Amos
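The mechanism Amos describes, as an added simulation (not Squid source and not part of this thread): a model of the external_acl_type result cache with ttl, negative_ttl and grace, driven by a fast-type check that cannot wait for the helper. It assumes Squid's grace=n meaning of "percent of ttl remaining", a constructed 2-second helper round-trip, and a constructed group containing only user "dm".

```python
from dataclasses import dataclass

ALLOW, DENY = "ALLOW", "DENY"
LDAP_GROUP = {"dm"}   # constructed: users the LDAP group helper would accept
HELPER_DELAY = 2      # constructed: helper round-trip time, in seconds


def ldap_group_helper(user):
    """Stand-in for squid_ldap_group: ALLOW when the user is in the group."""
    return ALLOW if user in LDAP_GROUP else DENY


@dataclass
class Entry:
    result: str
    expires: float   # absolute time at which the cached result stops being valid
    ttl: float       # ttl (or negative_ttl) the entry was cached with


class ExternalAclCache:
    def __init__(self, ttl=600, negative_ttl=10, grace=0):
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.grace = grace        # percentage of the entry's ttl (Squid grace=n semantics)
        self.cache = {}           # user -> Entry
        self.pending = {}         # user -> time the helper reply will arrive

    def _start_lookup(self, user, now):
        if user not in self.pending:          # one outstanding lookup per user
            self.pending[user] = now + HELPER_DELAY

    def _deliver(self, now):
        for user, ready in list(self.pending.items()):
            if ready <= now:                  # helper has answered: replace the entry
                result = ldap_group_helper(user)
                ttl = self.ttl if result == ALLOW else self.negative_ttl
                self.cache[user] = Entry(result, ready + ttl, ttl)
                del self.pending[user]

    def fast_check(self, user, now):
        """Fast-type ACL: answers from cache only, never blocks on the helper."""
        self._deliver(now)
        entry = self.cache.get(user)
        if entry and now < entry.expires:
            if self.grace and entry.expires - now <= entry.ttl * self.grace / 100:
                self._start_lookup(user, now)   # grace window: refresh, keep serving
            return entry.result
        self._start_lookup(user, now)   # expired or unknown: a lookup starts ...
        return DENY                     # ... but this request already fails (407)


def count_denials(grace, seconds=1300):
    """Number of DENY results for user dm requesting once a second."""
    cache = ExternalAclCache(grace=grace)
    return sum(cache.fast_check("dm", t) == DENY for t in range(seconds))
```

With grace=0 every TTL expiry produces DENY results until the helper answers (the periodic 407s in the log above); with grace=10 the refresh starts 60 s before expiry and only the cold-cache requests are denied.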