
Re: change between squid 3.1 and 3.3.8


 



Hello Amos,

I have this error in my cache.log (no helper entry available):

2016/05/02 14:35:37.732| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/05/02 14:35:37.732| external_acl.cc(822) aclMatchExternal: No helper entry available
2016/05/02 14:35:37.732| external_acl.cc(826) aclMatchExternal: ldap_group check user authenticated.
2016/05/02 14:35:37.732| external_acl.cc(832) aclMatchExternal: ldap_group user is authenticated.
2


and I read your link
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

In my squid.conf I use slow ACLs (external)
with one SLOW access clause (http_access) and another one which is a FAST access clause (cache_peer_access)

But I made another test with the same squid.conf with squid 3.1.20 on an Ubuntu 12.04.5 LTS and it works (no DUNNO error in cache.log)

but it doesn't with squid 3.3.8 on an Ubuntu 14.04.4 LTS

The only differences are the change of the external helper used:

1/in squid 3.3
	/usr/lib/squid3/digest_file_auth
for squid 3.1
	/usr/lib/squid3/basic_ldap_auth
2/in squid 3.3
	/usr/lib/squid3/ext_ldap_group_acl
for squid 3.1
	/usr/lib/squid3/squid_ldap_group

With the same parameters, point 1 for authentication works in both 3.1 and 3.3
and for the ldap_group request

in squid 3.3
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))" myldapserver

in squid 3.1
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/squid_ldap_group -d -b dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))" myldapserver


thanks for reading me

Frank


On 25/04/2016 20:25, "> Amos Jeffries (via Internet, from squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx)" wrote:
On 26/04/2016 4:41 a.m., TRIFILETTI Frank (Adjoint au chef du DO Sud-Est
/ Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET wrote:
Hello Amos,

thanks for your answer

my answer in the body of the message below

Frank

On 23/04/2016 05:29, "> Amos Jeffries (via Internet, from squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx)" wrote:
On 23/04/2016 2:40 a.m., FTRIF wrote:
Hello,
I have a problem using /usr/lib/squid3/ext_ldap_group_acl which appears in 3.3.8

I have an LDAP attribute called InternetAccess which contains the value "ACCESSINTER"

I want to make an ACL to authorize such people to surf on the net by using a ldap_group, built with the people who had the value ACCESSINTER in the LDAP attribute called InternetAccess

In command line it works both with squid 3.1 and 3.3.8, the answer is OK:

/usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname

fk.tf ACCESSINTER
ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
ext_ldap_group_acl.cc(726): pid=25599 :group filter '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))', searchbase 'dc=eq,dc=fr'
OK

Use '%g' macro for group. It will not collide with URL-encoding of
the parameters.


In the squid.conf I forgot to indicate that I have a line
acl profil_ACCESSINTERNET external ldap_group ACCESSINTER

In command line I replace %a by '%g' in command line but it doesn't work
only if I put %g

But in squid.conf I put '%g' instead of %a and I have the same result
with, in the cache.log:

2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No helper entry available
2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal: ldap_group check user authenticated.
2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal: ldap_group user is authenticated.
2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal: ldap_group("fk.tf ACCESSINTER") = lookup needed
2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf ACCESSINTER": entry=@0, age=0
2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf ACCESSINTER": queueing a call.
2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf ACCESSINTER": return -1.
2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1

These lines are important:

2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET needs async lookup
2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET result is false
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0 matched=0 async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0 answer DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0 DUNNO because cannot async
2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0 checking fast rules
2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast: list: 0x56353080b548

Do these last lines indicate the followup where the helper responds that you asked for?

Better. Those lines are saying you are using the group lookup in an
access control list which cannot do group lookups or any other kind of
delayed (async) data lookup.

The answer is needed immediately by the access control and all Squid has
to work with is DUNNO / "insufficient data".

See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>


If not, which type of text do I have to search for?

my debug_options 28,9 82,9 84,9
section 82 External AC
section 84 Helper process maintenance
section 28 Access Control


Okay.

The -d parameter on the helper command line for Squid helpers produces
their internal debug.


Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
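
Added example, not part of the thread and not Squid's own code: a Python filter for cache.log debug output (as produced with debug_options 28,9) that rejoins mail-wrapped or run-together entries and reports each "async required but prohibited" DUNNO with the ACL that asked for an async lookup. The function names are hypothetical, and pairing the two entries by proximity is an assumption, since the Acl.cc lines carry no checklist pointer.

```python
import re

# Squid debug entry: "YYYY/MM/DD HH:MM:SS.mmm| file.cc(line) function: message"
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
STAMP = re.compile(rf"\s*({TS}\| )")
ENTRY = re.compile(rf"^(?P<ts>{TS})\| \S+\(\d+\) \S+: (?P<msg>.*)$")
NEEDS_ASYNC = re.compile(r"^(?P<acl>\S+) needs async lookup$")
PROHIBITED = re.compile(
    r"^(?P<ptr>0x[0-9a-f]+) answer DUNNO for async required but prohibited$")

# Lines quoted in the thread, still wrapped the way the mail client left them.
SAMPLE = """\
2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET
needs async lookup
2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET
result is false
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0
matched=0 async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0
answer DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0
DUNNO because cannot async
""".splitlines()


def unwrap(lines):
    """Rejoin wrapped entries and split entries run together on one line."""
    text = " ".join(line.strip() for line in lines if line.strip())
    return [e for e in STAMP.sub(r"\n\1", text).split("\n") if e.strip()]


def find_prohibited_async(lines):
    """Report each DUNNO caused by a slow ACL evaluated in a fast-only check."""
    pending, findings = [], []
    for entry in unwrap(lines):
        m = ENTRY.match(entry.strip())
        if not m:
            continue  # not a debug entry (mail text, truncated fragment)
        wants = NEEDS_ASYNC.match(m["msg"])
        blocked = PROHIBITED.match(m["msg"])
        if wants and wants["acl"] not in pending:
            pending.append(wants["acl"])
        elif blocked:
            # Assumption: the ACLs that asked for an async lookup since the
            # previous finding are the ones this checklist could not resolve.
            findings.append({"time": m["ts"], "checklist": blocked["ptr"],
                             "acls": list(pending)})
            pending.clear()
    return findings
```

Each finding names an ACL to look for in the fast access clauses of squid.conf, such as the cache_peer_access line mentioned at the top of this message.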
