On 09/10/2014 10:55, Amos Jeffries wrote:
On 10/10/2014 2:28 a.m., Juan Manuel Perrote wrote:
I have a Squid Cache: Version 3.1.19, on Ubuntu 12.04.2 LTS.
We use external authentication on an LDAP repository on a remote
machine
#********************************#********************************#********************************
#********************************
#LDAP VALIDATION RULE
#********************************
#This sets the number of authentication processes (no default value).
auth_param basic children 5
#Specifies the number of redirector processes to spawn
redirect_children 5
#Validate the user
auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "ou=Users,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f "uid=%s" -h 10.11.37.2 -v 3
auth_param basic realm Policia de Rio Negro
#Validate groups
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -b "ou=Groups,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" -h 10.11.37.2 -v 3
#Specifies how long the username and password remain valid externally.
auth_param basic casesensitive on
auth_param basic credentialsttl 280 minutes
authenticate_ttl 60 minutes
#********************************#********************************#********************************
The problem is that when I change a user's group on LDAP to another
user group (with different permissions), Squid does not refresh the
change until 1 hour or more later; the changes are not reflected in real
time. The same goes if I change the user's password: the user is still
navigating for a while.
Your configuration says "credentialsttl 280 minutes". That means Squid
only checks for username/password changes once every 4hrs 40min.
There is no TTL configured for external_acl_type helper. Meaning Squid
uses the default TTL and groups are only checked every 1hr.
The changes are not reflected immediately.
But if I reload the squid service, the changes take effect
That depends on what you mean by "reload".
* If you are restarting the service it completely shuts down and then
starts again. The credentials cache is stored only in volatile memory
and gets erased on shutdown or restart.
* If you are reconfiguring (reload the config), the memory and thus
credentials cache is retained.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Hello Amos, I do "service squid reload".
Is it correct that I need to do that to refresh the changes made on the LDAP
repository?
Because we have a call center that makes the changes to users' permissions
or groups on an LDAP application interface, but they can't restart the
proxy before making the changes. We do that.
Regards,
Juan Manuel.
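Added example, not part of the original thread and not Squid's own code: a small Python audit that reads the two TTL settings named in the reply (credentialsttl and the external_acl_type ttl option) and reports how long a password or group change made in LDAP can go unnoticed by the proxy. The sample configs, base DN and LDAP host are constructed; the defaults (2 hours for credentialsttl, 3600 seconds for external_acl_type ttl, negative_ttl following ttl) are taken from Squid's documentation and should be confirmed for the version in use.

```python
import re

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# Defaults as documented by Squid; confirm against your version's squid.conf.documented.
DEFAULT_CREDENTIALS_TTL = 2 * 3600  # auth_param basic credentialsttl
DEFAULT_EXTERNAL_ACL_TTL = 3600     # external_acl_type ttl= (the 1 hr in the reply)

def staleness(conf):
    """Worst-case seconds before Squid re-checks a password / each external ACL."""
    result = {"password": DEFAULT_CREDENTIALS_TTL, "groups": {}}
    for line in conf.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):  # blank line or comment
            continue
        if tokens[:3] == ["auth_param", "basic", "credentialsttl"]:
            result["password"] = int(tokens[3]) * UNITS[tokens[4].lower().rstrip("s")]
        elif tokens[0] == "external_acl_type":
            ttl = neg = None
            for tok in tokens[2:]:
                if tok.startswith("%"):  # options end at the first format code
                    break
                m = re.fullmatch(r"(negative_)?ttl=(\d+)", tok)
                if m and m.group(1):
                    neg = int(m.group(2))
                elif m:
                    ttl = int(m.group(2))
            ttl = DEFAULT_EXTERNAL_ACL_TTL if ttl is None else ttl
            neg = ttl if neg is None else neg  # negative_ttl defaults to ttl
            # A removal waits out ttl, an addition waits out negative_ttl.
            result["groups"][tokens[1]] = max(ttl, neg)
    return result

# Constructed sample input: helper line shaped like the one in the thread,
# with a placeholder base DN and host.
HELPER = ('/usr/lib/squid3/squid_ldap_group -b "ou=Groups,dc=example,dc=org" '
          '-f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" -h ldap.example.org -v 3')
PAGE_CONF = f"""auth_param basic credentialsttl 280 minutes
external_acl_type ldap_group %LOGIN {HELPER}
"""
TIGHT_CONF = f"""auth_param basic credentialsttl 5 minutes
external_acl_type ldap_group ttl=60 negative_ttl=60 %LOGIN {HELPER}
"""

if __name__ == "__main__":
    for name, conf in (("as posted", PAGE_CONF), ("tightened", TIGHT_CONF)):
        print(name, staleness(conf))
```

Shorter TTLs mean more helper lookups against the LDAP server, so the values in TIGHT_CONF are illustrative rather than a recommendation.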