[squid-users] Distributing users according to their LDAP groups on multiple cache peers

Alex Rousskov rousskov at measurement-factory.com
Tue Apr 7 14:17:52 UTC 2020

On 4/7/20 3:01 AM, Amos Jeffries wrote:
> On 7/04/20 6:19 pm, Silamael Darkomen wrote:
>> Hello,
>> Is there any possibility to distribute a bunch of users to different
>> cache peers based on the user group in LDAP?
>> For older versions this was possible by using the slow external ACL
>> first for evaluation in the http_access clause and latter using the slow
>> external ACLs again in the cache_peer_access option.
>> With the update from 4.9 to 4.10 this behavior seems to be broken.
> That trick has never been properly consistent. It relies on the first
> entry not being pushed out of cache before the second check. Under any
> type of load it starts to fail.
> In current Squid you can have the helper deliver group=blah and use the
> note ACL type to check it in the fast checks. It works reliably, and
> with multiple groups.

I agree with Amos, but want to add that there are no known new breakages
of that unreliable "cache and reuse external ACL results" approach. If
you can use this suspected regression as an excuse to implement a more
reliable scheme, please follow Amos' advice. Otherwise, perhaps there is
a regression bug we should fix.


More information about the squid-users mailing list