On 16/10/18 11:09 AM, Danilo V wrote:
> Hi all,
>
> Has anyone succeeded applying delay pools on groups from AD?
>
> I'm using squid 3.5.23 with basic_ldap_auth.
> I initially tried to combine mapping groups with external acl type
> (ext_ldap_group_acl) to delay pools. It's a trap :-(
>

A trap?

For starters; "group" is an abstract concept buried in the depths of
authentication which has nothing to do with traffic. It is a purely
human scoping idea. Squid knows nothing of any "group".

The external ACL type which handles such complex non-traffic things is
clearly listed in the Squid FAQ (and the 'acl' directive documentation)
as being a "slow" / async ACL type.

Delay pools is also clearly listed as an access control which only works
with "fast" category ACL types.

<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

> After doing more search I found about class 5 and note acl.
> Has anyone a practical implementation in this scenario?

Yes several admins have done so. But with custom helpers that integrate
with the new annotation system, or the Kerberos helpers that have been
upgraded to integrate as well. Other helpers have not been updated yet.

Your external ACL just needs to supply Squid with a "tag=XX" or
"group=XX" annotation to label the transaction with whichever group
matches.

 # login is required to do group checking...
 acl login proxy_auth REQUIRED
 http_access deny !login

 # the decision to allow the traffic into the proxy does group checks
 # and adds annotations...
 external_acl_type group %LOGIN ...
 acl some_group external group XX
 http_access allow some_group

 # the decision of what pool(s) to apply has to work FAST - so uses the
 # annotations already present (or not present) as its decider:
 acl groupXX note group XX
 # or for older Squid
 acl groupXX note tag XX

 delay_access N allow groupXX

Amos
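
A sketch of the kind of custom external ACL helper the reply describes, added here as an example and not taken from the original post or from the Squid project. It assumes the helper runs without concurrency (no channel-ID prefix) and with Squid's default URL-escaped helper protocol; the MEMBERSHIP table is constructed sample data standing in for a real AD/LDAP lookup, and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper: replies "OK group=<name>" or "ERR"."""
import re
import sys
from urllib.parse import unquote

# Constructed sample data standing in for a real AD/LDAP membership lookup.
MEMBERSHIP = {
    "alice": {"staff", "slow_pool"},
    "bob": {"staff"},
}

# Only emit group names made of safe characters, so a value can never add
# whitespace or extra key=value pairs to the reply line sent back to Squid.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_.-]+")


def answer(line, membership=MEMBERSHIP):
    """Reply for one request line of the form "<login> <group> [<group> ...]".

    With "external_acl_type group %LOGIN ..." and "acl some_group external
    group XX", the line carries the login followed by the ACL arguments.
    """
    fields = line.split()
    if len(fields) < 2:
        # BH tells Squid the helper could not process the request.
        return 'BH message="expected login and group"'
    # Assumption: default helper protocol, where fields arrive URL-escaped.
    user = unquote(fields[0])
    wanted = [unquote(f) for f in fields[1:]]
    for group in wanted:
        if SAFE_GROUP.fullmatch(group) and group in membership.get(user, ()):
            # The annotation that a fast "note" ACL can match later.
            return "OK group=" + group
    return "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for exactly one reply per request


if __name__ == "__main__":
    main()
```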