Hello Amos,
i have this error in my cache.log (no helper entry available)
2016/05/02 14:35:37.732| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/05/02 14:35:37.732| external_acl.cc(822) aclMatchExternal: No helper entry
available
2016/05/02 14:35:37.732| external_acl.cc(826) aclMatchExternal: ldap_group check
user authenticated.
2016/05/02 14:35:37.732| external_acl.cc(832) aclMatchExternal: ldap_group user
is authenticated.
2
and i read you link
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>
in my squid.conf i use a slow ACLs (external)
with one SLOW access clauses (http_access) and another one which is FAST access
clauses (cache_peer_access)
but i made another test with the same squid.conf with squid 3.1.20 on an Ubuntu
12.04.5 LTS it works (no DUNNO error in cache.log)
but it doesn't with squid 3.3.8 on an Ubuntu 14.04.4 LTS
the only differencies are the change of the external helper use :
1/in squid 3.3
/usr/lib/squid3/digest_file_auth
for squid 3.1
/usr/lib/squid3/basic_ldap_auth
2/in squid 3.3
/usr/lib/squid3/ext_ldap_group_acl
for squid 3.1
/usr/lib/squid3/squid_ldap_group
with same parameters, the point 1 for authentification works both 3.1 and 3.3
and for the ldap_group request
in squid 3.3
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d
-b dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))"
myldapserver
in squid 3.1
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/squid_ldap_group -d -b
dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))" myldapserver
thanks for reading me
Frank
Le 25/04/2016 20:25, "> Amos Jeffries (par Internet, dépôt
squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx)" a écrit :
On 26/04/2016 4:41 a.m., TRIFILETTI Frank (Adjoint au chef du DO Sud-Est
/ Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET wrote:
Hello Amos,
thanks for your answer
my answer in the body of the message below
Frank
Le 23/04/2016 05:29, "> Amos Jeffries (par Internet, dépôt
squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx)" a écrit :
On 23/04/2016 2:40 a.m., FTRIF wrote:
Hello,
i have a problem using /usr/lib/squid3/ext_ldap_group_acl which
appears in
3.3.8
i have a ldap attribut called InternetAccess which contains the value
"ACCESSINTER"
i want to make an ACL to authorize such people to surf on the net by
using a
ldap_group, built with the people who had the value ACCESSINTER in
the ldap
attribut called InternetAccess
in command line it works both with squid 3.1 and 3.3.8, the answer is
OK:
/usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f
"(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
fk.tf ACCESSINTER
ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
ext_ldap_group_acl.cc(726): pid=25599 :group filter
'(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))',
searchbase
'dc=eq,dc=fr'
OK
Use '%g' macro for group. It will not to collide with URL-encoding of
the parameters.
in the squid.conf i forget indicate that i have a line
acl profil_ACCESSINTERNET external ldap_group ACCESSINTER
in command line i replace %a by '%g' in command line but it doesn't work
only if i put %g
but in squid.conf i put '%g' instead of %a and i have the same result
with in the cache.log
2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal:
acl="ldap_group"
2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No
helper entry available
2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal:
ldap_group check user authenticated.
2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal:
ldap_group user is authenticated.
2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal:
ldap_group("fk.tf ACCESSINTER") = lookup needed
2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf
ACCESSINTER": entry=@0, age=0
2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf
ACCESSINTER": queueing a call.
2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf
ACCESSINTER": return -1.
2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1
These lines are important:
2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET
needs async lookup
2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET
result is false
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0
matched=0 async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0
answer DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0
DUNNO because cannot async
2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0
checking fast rules
2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast:
list: 0x56353080b548
is it these last lines indicate the followup where the helper responds
you asked for ?
Better. Those lines are saying you are using the group lookup in an
access control list which cannot do group lookups or any other kind of
delayed (async) data lookup.
The answer is needed immediately by the access control and all Squid has
to work with is DUNNO / "insufficient data".
See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>
if not which type of text i have to search ?
my debug_options 28,9 82,9 84,9
section 82 External AC
section 84 Helper process maintenance
section 28 Access Control
Okay.
The -d parameter on the helper command line for Squid helpers produces
their internal debug.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
