[squid-users] change between squid 3.1 and 3.3.8

TRIFILETTI Frank (Adjoint au chef du DO Sud-Est / Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET Frank.Trifiletti at developpement-durable.gouv.fr
Mon Apr 25 16:41:55 UTC 2016


Hello Amos,

Thanks for your answer.

My answers are in the body of the message below.

Frank

On 23/04/2016 05:29, "> Amos Jeffries (via Internet, relayed by 
squid-users-bounces at lists.squid-cache.org)" wrote:
> On 23/04/2016 2:40 a.m., FTRIF wrote:
>> Hello,
>> I have a problem using /usr/lib/squid3/ext_ldap_group_acl, which appears in
>> 3.3.8.
>>
>> I have an LDAP attribute called InternetAccess which contains the value
>> "ACCESSINTER".
>>
>> I want to make an ACL to authorize such people to surf on the net by using a
>> ldap_group, built with the people who have the value ACCESSINTER in the LDAP
>> attribute called InternetAccess.
>>
>> On the command line it works both with squid 3.1 and 3.3.8, the answer is OK:
>>
>> /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f
>> "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>
>> fk.tf ACCESSINTER
>> ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
>> ext_ldap_group_acl.cc(726): pid=25599 :group filter
>> '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))', searchbase
>> 'dc=eq,dc=fr'
>> OK
>
> Use the '%g' macro for group. It will not collide with URL-encoding of
> the parameters.
>

In squid.conf, I forgot to indicate that I have the line
acl profil_ACCESSINTERNET external ldap_group ACCESSINTER

On the command line I replaced %a with '%g', but it doesn't work, only if 
I put %g.

But in squid.conf I put '%g' instead of %a and I have the same result, with 
this in the cache.log:

2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No helper entry available
2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal: ldap_group check user authenticated.
2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal: ldap_group user is authenticated.
2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal: ldap_group("fk.tf ACCESSINTER") = lookup needed
2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf ACCESSINTER": entry=@0, age=0
2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf ACCESSINTER": queueing a call.
2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf ACCESSINTER": return -1.
2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1
2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET needs async lookup
2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET result is false
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0 matched=0 async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0 answer DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0 DUNNO because cannot async
2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0 checking fast rules
2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast: list: 0x56353080b548

Do these last lines indicate the followup where the helper responds that you 
asked for?

If not, which type of text do I have to search for?

my debug_options 28,9 82,9 84,9
section 82 External AC
section 84 Helper process maintenance
section 28 Access Control



>>
>> But in the squid.conf for v3.3.8, I put the line below:
>>
>> external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl
>> -d -b dc=eq,dc=fr -f "(&(objectclass=person)(InternetAccess=%a)(uid=%u))"
>> myLdapDNSname
>>
>> It doesn't work, and in my cache.log I found:
>>
> <snip>
>> 779298:2016/04/22 15:56:40.335| external_acl.cc(861) aclMatchExternal:
>> "fk.tf ACCESSINTER": queueing a call.
>> 779299:2016/04/22 15:56:40.335| external_acl.cc(863) aclMatchExternal:
>> "fk.tf ACCESSINTER": return -1.
>
> That is sending the lookup. Now Squid awaits the helper response.
>
>
>>
>> It works in squid 3.1 with the external acl called "squid_ldap_group"
>> instead of "ext_ldap_group_acl".
>>
>> Perhaps I used something in 3.1 which was a bug corrected in 3.3?
>>
>
> There is no sign of any problem in that log snippet. Can you find the
> followup where the helper responds?
>
> Amos
>


More information about the squid-users mailing list
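
Added example, not part of the original thread and not the helper's own code: a Python sketch of the macro substitution discussed above, turning one helper request line ("user group") into the LDAP search filter seen in the debug output. It assumes the tokens arrive URL-encoded, that %u is the user and %g (or %a) the group, and it applies RFC 4515 escaping to the substituted values; all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Filter from the post, with '%g' in place of '%a' as suggested in the reply.
FILTER_TEMPLATE = "(&(objectclass=person)(InternetAccess=%g)(uid=%u))"

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value):
    """Escape a string so it is treated as a literal value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_request(line):
    """Split '<user> <group> [<group> ...]' and undo URL-encoding per token."""
    tokens = [unquote(tok) for tok in line.split()]
    if len(tokens) < 2:
        raise ValueError("expected '<user> <group> [<group> ...]'")
    return tokens[0], tokens[1:]


def build_filters(line, template=FILTER_TEMPLATE):
    """Return one search filter per group named on the request line."""
    user, groups = parse_request(line)
    filters = []
    for group in groups:
        values = {
            "u": ldap_escape(user),
            "g": ldap_escape(group),
            "a": ldap_escape(group),  # '%a' treated as an alias of '%g' (assumption)
        }
        # Single pass over the template: substituted values are never
        # re-scanned for macros, so a login containing '%g' stays literal.
        filters.append(re.sub(r"%([uga])", lambda m: values[m.group(1)], template))
    return filters


if __name__ == "__main__":
    # Constructed sample request lines; the first is the one shown in the thread.
    for sample in ("fk.tf ACCESSINTER", "fk.tf%2A ACCESSINTER"):
        print(sample, "->", build_filters(sample))
```

The first sample reproduces the "group filter" line printed by the helper's -d output in the thread; the second shows a wildcard in the login being escaped instead of widening the search.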