[squid-users] change between squid 3.1 and 3.3.8

TRIFILETTI Frank (Adjoint au chef du DO Sud-Est / Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET Frank.Trifiletti at developpement-durable.gouv.fr
Mon May 2 14:07:34 UTC 2016


Hello Amos,

I have this error in my cache.log (no helper entry available)

2016/05/02 14:35:37.732| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
2016/05/02 14:35:37.732| external_acl.cc(822) aclMatchExternal: No helper entry available
2016/05/02 14:35:37.732| external_acl.cc(826) aclMatchExternal: ldap_group check user authenticated.
2016/05/02 14:35:37.732| external_acl.cc(832) aclMatchExternal: ldap_group user is authenticated.
2


and I read your link
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>

In my squid.conf I use a slow ACL (external)
with one SLOW access clause (http_access) and another one which is a FAST access clause (cache_peer_access)

but I made another test with the same squid.conf with squid 3.1.20 on an Ubuntu 12.04.5 LTS and it works (no DUNNO error in cache.log)

but it doesn't with squid 3.3.8 on an Ubuntu 14.04.4 LTS

the only differences are the change of the external helper used:

1/in squid 3.3
	/usr/lib/squid3/digest_file_auth
for squid 3.1
	/usr/lib/squid3/basic_ldap_auth
2/in squid 3.3
	/usr/lib/squid3/ext_ldap_group_acl
for squid 3.1
	/usr/lib/squid3/squid_ldap_group

with the same parameters, point 1 for authentication works in both 3.1 and 3.3
and for the ldap_group request

in squid 3.3
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))" myldapserver

in squid 3.1
external_acl_type ldap_group ipv4 %LOGIN /usr/lib/squid3/squid_ldap_group -d -b dc=eq,dc=fr -f "(&(objectclass=person)(mineqAccesInternet=%g)(uid=%u))" myldapserver


Thanks for reading

Frank


On 25/04/2016 20:25, "> Amos Jeffries (via Internet, sent by squid-users-bounces at lists.squid-cache.org)" wrote:
> On 26/04/2016 4:41 a.m., TRIFILETTI Frank (Adjoint au chef du DO Sud-Est
> / Chef du groupe expertise technique) - SG/SPSSI/CPII/DOSE/ET wrote:
>> Hello Amos,
>>
>> thanks for your answer
>>
>> my answer in the body of the message below
>>
>> Frank
>>
>> On 23/04/2016 05:29, "> Amos Jeffries (via Internet, sent by
>> squid-users-bounces at lists.squid-cache.org)" wrote:
>>> On 23/04/2016 2:40 a.m., FTRIF wrote:
>>>> Hello,
>>>> I have a problem using /usr/lib/squid3/ext_ldap_group_acl which appears in 3.3.8
>>>>
>>>> I have an LDAP attribute called InternetAccess which contains the value "ACCESSINTER"
>>>>
>>>> I want to make an ACL to authorize such people to surf on the net by using an
>>>> ldap_group, built with the people who had the value ACCESSINTER in the LDAP
>>>> attribute called InternetAccess
>>>>
>>>> On the command line it works with both squid 3.1 and 3.3.8; the answer is OK:
>>>>
>>>> /usr/lib/squid3/ext_ldap_group_acl -d -b dc=eq,dc=fr -f "(&(objectclass=person)(InternetAccess=%a)(uid=%u))" myLdapDNSname
>>>>
>>>> fk.tf ACCESSINTER
>>>> ext_ldap_group_acl.cc(587): pid=25599 :Connected OK
>>>> ext_ldap_group_acl.cc(726): pid=25599 :group filter '(&(objectclass=person)(InternetAccess=ACCESSINTER)(uid=fk.tf))', searchbase 'dc=eq,dc=fr'
>>>> OK
>>>
>>> Use the '%g' macro for group. It will not collide with URL-encoding of
>>> the parameters.
>>>
>>
>> in the squid.conf I forgot to indicate that I have a line
>> acl profil_ACCESSINTERNET external ldap_group ACCESSINTER
>>
>> in command line I replace %a by '%g' in command line but it doesn't work
>> only if I put %g
>>
>> but in squid.conf I put '%g' instead of %a and I have the same result
>> with in the cache.log
>>
>> 2016/04/25 18:17:25.835| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'profil_ACCESSINTERNET'
>> 2016/04/25 18:17:25.835| external_acl.cc(793) aclMatchExternal: acl="ldap_group"
>> 2016/04/25 18:17:25.835| external_acl.cc(822) aclMatchExternal: No helper entry available
>> 2016/04/25 18:17:25.835| external_acl.cc(826) aclMatchExternal: ldap_group check user authenticated.
>> 2016/04/25 18:17:25.835| external_acl.cc(832) aclMatchExternal: ldap_group user is authenticated.
>> 2016/04/25 18:17:25.835| external_acl.cc(856) aclMatchExternal: ldap_group("fk.tf ACCESSINTER") = lookup needed
>> 2016/04/25 18:17:25.835| external_acl.cc(858) aclMatchExternal: "fk.tf ACCESSINTER": entry=@0, age=0
>> 2016/04/25 18:17:25.835| external_acl.cc(861) aclMatchExternal: "fk.tf ACCESSINTER": queueing a call.
>> 2016/04/25 18:17:25.835| external_acl.cc(863) aclMatchExternal: "fk.tf ACCESSINTER": return -1.
>> 2016/04/25 18:17:25.835| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'profil_ACCESSINTERNET' is -1
>
> These lines are important:
>
>> 2016/04/25 18:17:25.835| Acl.cc(346) matches: profil_ACCESSINTERNET needs async lookup
>> 2016/04/25 18:17:25.835| Acl.cc(354) matches: profil_ACCESSINTERNET result is false
>> 2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0 matched=0 async=1 finished=0
>> 2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0 answer DUNNO for async required but prohibited
>> 2016/04/25 18:30:36.709| Checklist.cc(308) matchNode: 0x7ffdc7f66fb0 DUNNO because cannot async
>> 2016/04/25 18:30:36.709| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffdc7f66fb0
>> 2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0
>> 2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0 checking fast rules
>> 2016/04/25 18:30:36.709| Checklist.cc(414) fastCheck: aclCheckFast: list: 0x56353080b548
>>
>> do these last lines indicate the follow-up where the helper responds,
>> which you asked for?
>
> Better. Those lines are saying you are using the group lookup in an
> access control list which cannot do group lookups or any other kind of
> delayed (async) data lookup.
>
> The answer is needed immediately by the access control and all Squid has
> to work with is DUNNO / "insufficient data".
>
> See <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>
>
>>
>> if not, which type of text do I have to search for?
>>
>> my debug_options 28,9 82,9 84,9
>> section 82 External AC
>> section 84 Helper process maintenance
>> section 28 Access Control
>>
>
> Okay.
>
> The -d parameter on the helper command line for Squid helpers produces
> their internal debug.
>
>
> Amos
>
>
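
Added example (not part of the original thread, and not Squid project code): a Python scan of cache.log for the condition Amos points out above, a slow ACL evaluated in a check where async lookups are prohibited, so the access decision falls back to DUNNO. The sample lines are constructed from the excerpts quoted in the thread, with wrapped entries rejoined and timestamps aligned; pairing each DUNNO with the preceding "needs async lookup" line is an assumption of this example.

```python
import re
from collections import Counter

# Message formats copied from the debug output quoted in the thread (debug_options 28,9).
TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\| "
NEEDS_ASYNC = re.compile(TS + r"Acl\.cc\(\d+\) matches: (?P<acl>\S+) needs async lookup")
DUNNO = re.compile(TS + r"Checklist\.cc\(\d+\) markFinished: (?P<ptr>0x[0-9a-f]+) "
                   r"answer DUNNO for async required but prohibited")
DESTROYED = re.compile(r"~ACLChecklist: .*destroyed 0x[0-9a-f]+")

def find_prohibited_async(lines):
    """One finding per DUNNO answer, paired with the last ACL that asked for an async lookup."""
    findings, pending = [], None
    for line in lines:
        m = NEEDS_ASYNC.search(line)
        if m:
            pending = m.group("acl")
            continue
        m = DUNNO.search(line)
        if m:
            findings.append({"time": m.group("ts"), "checklist": m.group("ptr"), "acl": pending})
        elif DESTROYED.search(line):
            pending = None  # checklist finished; do not carry the ACL name into the next check
    return findings

def summarize(findings):
    """Count prohibited async lookups per ACL name."""
    return Counter(f["acl"] or "<unknown>" for f in findings)

# Constructed sample, modelled on the thread's excerpts (one log entry per line).
SAMPLE_LOG = [
    "2016/04/25 18:30:36.709| Acl.cc(346) matches: profil_ACCESSINTERNET needs async lookup",
    "2016/04/25 18:30:36.709| Acl.cc(354) matches: profil_ACCESSINTERNET result is false",
    "2016/04/25 18:30:36.709| Checklist.cc(275) matchNode: 0x7ffdc7f66fb0 matched=0 async=1 finished=0",
    "2016/04/25 18:30:36.709| Checklist.cc(146) markFinished: 0x7ffdc7f66fb0 answer DUNNO for async required but prohibited",
    "2016/04/25 18:30:36.709| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffdc7f66fb0",
    "2016/04/25 18:30:36.709| Checklist.cc(153) preCheck: 0x7ffdc7f66fb0 checking fast rules",
    # A DUNNO with no ACL name logged before it is still reported, with acl=None.
    "2016/04/25 18:30:37.100| Checklist.cc(146) markFinished: 0x7ffdc7f67000 answer DUNNO for async required but prohibited",
]

if __name__ == "__main__":
    results = find_prohibited_async(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} checklist {f['checklist']}: ACL {f['acl']} needed a slow lookup in a fast check")
    print(dict(summarize(results)))
```

Each ACL name reported is one to look for in a fast access clause of squid.conf (cache_peer_access in this thread).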

