[squid-users] I need a help with user permissions credentials
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 9 13:55:29 UTC 2014
On 10/10/2014 2:28 a.m., Juan Manuel Perrote wrote:
>
> I have a Squid Cache: Version 3.1.19, on Ubuntu 12.04.2 LTS.
>
> We use external authentication against an LDAP repository on a remote
> machine
>
> #********************************#********************************#********************************
>
>
>
> #********************************
>
> #LDAP VALIDATION RULE
>
> #********************************
>
> #This sets the number of authentication processes (it has no default value).
>
> auth_param basic children 5
>
> #Specifies the number of redirector processes to spawn
>
> redirect_children 5
>
> #Validate the user
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -b
> "ou=Users,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f
> "uid=%s" -h 10.11.37.2 -v 3
>
> auth_param basic realm Policia de Rio Negro
>
> #Validate groups
>
> external_acl_type ldap_group %LOGIN
> /usr/lib/squid3/squid_ldap_group -b
> "ou=Groups,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f
> "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" -h 10.11.37.2 -v
> 3
>
> #specifies how long the externally validated username and password stay valid.
>
> auth_param basic casesensitive on
>
> auth_param basic credentialsttl 280 minutes
>
> authenticate_ttl 60 minutes
>
> #********************************#********************************#********************************
>
>
>
> The problem is that when I change a user's group in LDAP to another
> group (with different permissions), Squid does not refresh the
> change, so for 1 hr or more the change is not reflected in real
> time. The same goes if I change the user's password: the user keeps
> navigating for a while.
Your configuration says "credentialsttl 280 minutes". That means Squid
only checks for username/password changes once every 4hrs 40min.
There is no TTL configured for external_acl_type helper. Meaning Squid
uses the default TTL and groups are only checked every 1hr.
>
> The changes are not reflected immediately.
>
> But if I reload the squid service, the change takes effect
That depends on what you mean by "reload".
* If you are restarting the service it completely shuts down and then
starts again. The credentials cache is stored only in volatile memory
and gets erased on shutdown or restart.
* If you are reconfiguring (reload the config), the memory and thus
credentials cache is retained.
Amos
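
An added example (not part of the original thread and not Squid's own tooling): a small Python check that reads squid.conf text and reports how long a password or group change in LDAP can go unnoticed, based on the two TTLs discussed in the reply. The sample configs are constructed from the posted directives with helper arguments shortened; the function names, the 10-minute limit and the `5 minutes` / `ttl=60` values are assumptions.

```python
import re

# Seconds per Squid time unit (a subset of the units squid.conf accepts).
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# Default external_acl_type TTL: the 1hr group re-check interval noted in the reply.
EXTERNAL_ACL_DEFAULT_TTL = 3600

def staleness_windows(conf_text):
    """Map each credential/group cache to how long (seconds) it can serve stale LDAP data."""
    windows = {}
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[:3] == ["auth_param", "basic", "credentialsttl"]:
            # e.g. "credentialsttl 280 minutes" -> 16800 seconds
            windows["password"] = int(tokens[3]) * UNITS[tokens[4].lower().rstrip("s")]
        elif tokens[0] == "external_acl_type":
            ttl = EXTERNAL_ACL_DEFAULT_TTL
            for tok in tokens[2:]:
                if tok.startswith(("%", "/")):
                    break  # options end where the FORMAT codes or helper path begin
                match = re.fullmatch(r"ttl=(\d+)", tok)  # does not match negative_ttl=
                if match:
                    ttl = int(match.group(1))
            windows["group:" + tokens[1]] = ttl
    return windows

def over_limit(conf_text, limit_seconds):
    """Names of caches whose staleness window exceeds the acceptable revocation delay."""
    return sorted(k for k, v in staleness_windows(conf_text).items() if v > limit_seconds)

# Constructed sample: the TTL-relevant directives from the post, helper arguments shortened.
AS_POSTED = """\
auth_param basic program /usr/lib/squid3/squid_ldap_auth -h 10.11.37.2 -v 3
auth_param basic credentialsttl 280 minutes
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -h 10.11.37.2 -v 3
"""
# Constructed sample: same directives with explicit short TTLs (values are assumptions).
SHORT_TTLS = """\
auth_param basic program /usr/lib/squid3/squid_ldap_auth -h 10.11.37.2 -v 3
auth_param basic credentialsttl 5 minutes
external_acl_type ldap_group ttl=60 negative_ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -h 10.11.37.2 -v 3
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("short TTLs", SHORT_TTLS)):
        print(name, staleness_windows(conf), "over 10 min:", over_limit(conf, 600))
```

Shorter TTLs mean more helper lookups against the LDAP server, so choose values the directory can sustain.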