On 20/06/2016 9:21 p.m., Nilesh Gavali wrote:
> Thanks Eliezer for reply.
> It is working now for me perfectly with below command with -d option
> gives helpful debug info to troubleshoot.
>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P -R
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f
> "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
> -h abcd.gov.in -s sub -v 3 -d
>
> Currently I have configured squid with AD kerberos auth. also url access
> restricted based on AD group membership.
>
> Now I observed, is that when I add any user to one of the AD group which
> allowed in squid. it is not accepting the changes until I restart the
> squid service.

Your external_acl_type has a 1 hour response cache. Meaning it will take
a minimum of 1 hour for any changes to the AD group settings to be
passed on to Squid.

>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s
> HTTP/proxy02.abcd.gov.in@xxxxxxxxxxx
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> auth_param basic credentialsttl 2 hours

NP: settings for Basic authentication do not have any effect on
non-Basic types of authentication.

There is no TTL for Kerberos user credentials. They are valid for as
long as the TCP connection to the proxy is open. Any change in the
Kerberos security tokens sent by the client after authentication is
completed will terminate/close the TCP connection.

>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P -R
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f
> "(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
> -h abcd.gov.in -s sub -v 3 -d
>

Since your helper names were outdated 6 years ago I assume you are using
Squid-3.1 or older:
<http://www.squid-cache.org/Versions/v3/3.1/cfgman/external_acl_type.html>

Note the default values for ttl= , negative_ttl=, and grace=

Amos
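
An added illustration, not part of the reply above or of the poster's configuration: the same external_acl_type line with the cache options named in the reply set explicitly, so that AD group changes reach Squid sooner without restarting the service. The values 300 and 60 seconds are assumptions chosen for the example; options go between the ACL type name and the %LOGIN format token, and helper arguments are copied unchanged from the thread.

```conf
# Before (as posted): no cache options, so the Squid 3.1 defaults apply.
#   ttl=3600       positive (user IS in group) results are cached for 1 hour
#   negative_ttl   defaults to the ttl value, so "not in group" is also cached for 1 hour
#   grace=0        no background refresh before an entry expires
#
# external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group ...

# After: explicit, shorter cache lifetimes (example values, tune to your LDAP load).
#   ttl=300           a user removed from the group loses access within 5 minutes
#   negative_ttl=60   a user newly added to the group is re-checked within 1 minute
# Shorter lifetimes mean more LDAP lookups against the directory.
external_acl_type AD_Group ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" -h abcd.gov.in -s sub -v 3
```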