[squid-users] change between squid 3.1 and 3.3.8

Amos Jeffries squid3 at treenet.co.nz
Mon Apr 25 18:25:49 UTC 2016


On 26/04/2016 4:41 a.m., TRIFILETTI Frank (Adjoint au chef du DO Sud-Est
/ Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET wrote:
> Hello Amos,
> 
> thanks for your answer
> 
> my answer in the body of the message below
> 
> Frank
> 
> On 23/04/2016 05:29, "> Amos Jeffries (via Internet, posted by
> squid-users-bounces at lists.squid-cache.org)" wrote:
>> On 23/04/2016 2:40 a.m., FTRIF wrote:
>>> Hello,
>>> i have a problem using /usr/lib/squid3/ext_ldap_group_acl which
>>> appears in
>>> 3.3.8
>>>
>>> i have a ldap attribute called InternetAccess which contains the value
>>> "ACCESSINTER"
>>>
>>> i want to make an ACL to authorize such people to surf on the net by
>>> using a
>>> ldap_group, built with the people who had the value ACCESSINTER in
>>> the ldap
>>> attribute called InternetAccess
>>>
>>> in command line it works both with squid 3.1 and 3.3.8, the answer is
>>> OK:
>>>
>>> /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f
>>> "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>>
>>> fk.tf ACCESSINTER
>>> ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
>>> ext_ldap_group_acl.cc(726): pid=25599 :group filter
>>> '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))',
>>> searchbase
>>> 'dc=eq,dc=fr'
>>> OK
>>
>> Use '%g' macro for group. It will not collide with URL-encoding of
>> the parameters.
>>
> 
> in the squid.conf I forgot to indicate that I have a line
> acl profil_ACCESSINTERNET external ldap_group ACCESSINTER
> 
> in command line i replace %a by '%g' in command line but it doesn't work
> only if i put %g
> 
> but in squid.conf i put '%g' instead of %a and i have the same result
> with in the cache.log
> 
> 2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches:
> ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
> 2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal:
> acl="ldap_group"
> 2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No
> helper entry available
> 2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal:
> ldap_group check user authenticated.
> 2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal:
> ldap_group user is authenticated.
> 2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal:
> ldap_group("fk.tf ACCESSINTER") = lookup needed
> 2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf
> ACCESSINTER": entry=@0, age=0
> 2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf
> ACCESSINTER": queueing a call.
> 2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf
> ACCESSINTER": return -1.
> 2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches:
> ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1

These lines are important:

> 2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET
> needs async lookup
> 2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET
> result is false
> 2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0
> matched=0 async=1 finished=0
> 2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0
> answer DUNNO for async required but prohibited
> 2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0
> DUNNO because cannot async
> 2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist:
> ACLFilledChecklist destroyed 0x7ffdc7f66fb0
> 2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
> 2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0
> checking fast rules
> 2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast:
> list: 0x56353080b548
> 
> do these last lines indicate the followup where the helper responds
> that you asked for?

Better. Those lines are saying you are using the group lookup in an
access control list which cannot do group lookups or any other kind of
delayed (async) data lookup.

The answer is needed immediately by the access control and all Squid has
to work with is DUNNO / "insufficient data".

See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

> 
> if not, which type of text do I have to search for?
> 
> my debug_options 28,9 82,9 84,9
> section 82 External AC
> section 84 Helper process maintenance
> section 28 Access Control
> 

Okay.

The -d parameter on the helper command line for Squid helpers produces
their internal debug.


Amos
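
Added example (not part of the original message and not Squid code): a Python scan of a `debug_options 28,9` cache.log for the pattern discussed above, an ACL that needs an async helper lookup inside a check that cannot wait for one. The sample log is constructed from the excerpt quoted in the thread, and the function names are illustrative.

```python
import re

# Constructed sample, modelled on the cache.log excerpt quoted above;
# the mail-style wrapping of each record onto two lines is kept on purpose.
SAMPLE_LOG = """\
2016/04/25 18:30:36.708| Acl.cc(346) matches: profil_ACCESSINTERNET
needs async lookup
2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0
matched=0 async=1 finished=0
2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0
answer DUNNO for async required but prohibited
2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0
DUNNO because cannot async
"""

RECORD_START = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\| ")
NEEDS_ASYNC = re.compile(r"matches: (\S+) needs async lookup")
PROHIBITED = re.compile(
    r"markFinished: (0x[0-9a-f]+) answer DUNNO for async required but prohibited")


def unwrap(text):
    """Strip '> ' quoting and join wrapped continuation lines into records."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_prohibited_async(text):
    """Return (timestamp, acl_name, checklist) per slow ACL hit in a fast check."""
    findings, pending = [], None
    for rec in unwrap(text):
        if m := NEEDS_ASYNC.search(rec):
            pending = m.group(1)      # remember the ACL that wanted a lookup
        elif m := PROHIBITED.search(rec):
            findings.append((rec.split("|", 1)[0], pending, m.group(1)))
            pending = None
    return findings


if __name__ == "__main__":
    for ts, acl, ptr in find_prohibited_async(SAMPLE_LOG):
        print(f"{ts}: ACL {acl!r} needed a helper lookup in a fast-only check ({ptr})")
```

A hit means the named ACL sits in a directive that only supports fast ACLs, which is the case the linked "Fast and Slow ACLs" FAQ entry covers.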


