[squid-users] ext_ldap_group_acl is returned ERR when LDAP bind was fail.

asakura at ioc.dnp.co.jp asakura at ioc.dnp.co.jp
Fri Apr 8 05:21:30 UTC 2016


Hello,

I posted the question below last month. However, I haven't received any replies.
Does anyone want to respond to this?

Thanks in advance for any comments you might have.

I have been investigating the source code of ext_ldap_group_acl.cc below.

helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc
                    rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
                    if (rc != LDAP_SUCCESS) {
                        fprintf(stderr, PROGRAM_NAME ": WARNING: could not bind to binddn '%s'\n", ldap_err2string(rc));
                        ldap_unbind(ld);
                        ld = NULL;
                        break;
                    }
snip...

        if (found)
            SEND_OK("");
        else {
            SEND_ERR("");
        }

Regards,
Kazuhiro

From: asakura at ioc.dnp.co.jp
Subject: [squid-users] ext_ldap_group_acl is returned ERR when LDAP bind was fail.
Date: Wed, 23 Mar 2016 15:08:50 +0900 (JST)

> Hello,
> 
> Thank you always for your kind support.
> 
> I would like to ask you about the SEND_ERR reply of ext_ldap_group_acl.
> In our environment, squid sometimes fails ldap_bind to the LDAP server.
> Then, ext_ldap_group_acl replies "ERR". So, the username is registered
> in the negative_cache.
> 
> I don't want it to be registered in the negative_cache when external_acl
> fails ldap_bind.
> I guess this would be solved if ext_ldap_group_acl replied SEND_BH
> instead of SEND_ERR.
> 
> I would appreciate it if you could investigate this.
> 
> Regards,
> Kazuhiro
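
The distinction the post asks for, as an added C++ example that is not part of the original message or of Squid's source: a failed bind is kept separate from a negative directory answer, and both reply mappings are run against a simplified result cache. FakeServer, lookup, the reply functions and the cache model (only OK and ERR are stored, BH is not) are assumptions made for illustration; no real LDAP calls are made.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Three outcomes instead of the single `found` flag in the excerpt.
enum class Lookup { Member, NotMember, BindFailed };

// Constructed stand-in for an LDAP server; no real LDAP calls are made.
struct FakeServer {
    bool bindOk;                        // false simulates a failed bind
    std::vector<std::string> members;   // users in the group being checked
};

Lookup lookup(const FakeServer &srv, const std::string &user) {
    if (!srv.bindOk) return Lookup::BindFailed;   // the directory was never asked
    for (const auto &m : srv.members)
        if (m == user) return Lookup::Member;
    return Lookup::NotMember;                     // the directory answered "no"
}

// Mapping in the excerpt: everything that is not `found` becomes ERR.
std::string replyTwoState(Lookup r) { return r == Lookup::Member ? "OK" : "ERR"; }

// Mapping proposed in the post: a failed bind is reported as BH instead.
std::string replyThreeState(Lookup r) { return r == Lookup::BindFailed ? "BH" : replyTwoState(r); }

using ReplyFn = std::string (*)(Lookup);

// Simplified cache model (assumption): OK and ERR are remembered, BH is not.
std::string check(std::map<std::string, std::string> &cache, const FakeServer &srv,
                  const std::string &user, ReplyFn reply) {
    auto hit = cache.find(user);
    if (hit != cache.end()) return hit->second;   // server not consulted
    std::string r = reply(lookup(srv, user));
    if (r != "BH") cache[user] = r;
    return r;
}

// One failed bind, then the server recovers: answer to the second request.
std::string afterOutage(ReplyFn reply) {
    std::map<std::string, std::string> cache;
    check(cache, FakeServer{false, {"alice"}}, "alice", reply);
    return check(cache, FakeServer{true, {"alice"}}, "alice", reply);
}

int main() {
    std::cout << afterOutage(replyTwoState) << " " << afterOutage(replyThreeState) << "\n";
}
```

With the two-state mapping a group member stays denied after the server recovers, because the ERR from the outage is served from the cache; with the three-state mapping the second request reaches the directory.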