[squid-users] I need a help with user permissions credentials

Juan Manuel Perrote jmperrote at policia.rionegro.gov.ar
Thu Oct 9 14:10:11 UTC 2014


On 09/10/2014 10:55, Amos Jeffries wrote:
> On 10/10/2014 2:28 a.m., Juan Manuel Perrote wrote:
>> I have a Squid Cache: Version 3.1.19, on Ubuntu 12.04.2 LTS.
>>
>> We use external authentication against an LDAP repository on a
>> remote machine
>>
>> #********************************#********************************#********************************
>>
>>
>>
>> #********************************
>>
>> #LDAP VALIDATION RULE
>>
>> #********************************
>>
>> #This sets the number of authentication processes (it has no default value).
>>
>> auth_param basic children 5
>>
>> #Specifies the number of redirector processes to spawn
>>
>> redirect_children 5
>>
>> #Validate the user
>>
>> auth_param basic program /usr/lib/squid3/squid_ldap_auth -b
>> "ou=Users,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f
>> "uid=%s" -h 10.11.37.2 -v 3
>>
>> auth_param basic realm Policia de Rio Negro
>>
>> #Validate groups
>>
>> external_acl_type ldap_group %LOGIN
>> /usr/lib/squid3/squid_ldap_group -b
>> "ou=Groups,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f
>> "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" -h 10.11.37.2 -v
>> 3
>>
>> #Specifies how long the externally validated username and password remain valid.
>>
>> auth_param basic casesensitive on
>>
>> auth_param basic credentialsttl 280 minutes
>>
>> authenticate_ttl 60 minutes
>>
>> #********************************#********************************#********************************
>>
>>
>>
>> The problem is that when I change a user's group on LDAP to another
>> user group (with different permissions), Squid does not refresh the
>> change, so for 1 hr or more the change is not reflected in real
>> time. The same goes if I change the user's password: the user keeps
>> navigating for a while.
> Your configuration says "credentialsttl 280 minutes". That means Squid
> only checks for username/password changes once every 4hrs 40min.
>
> There is no TTL configured for external_acl_type helper. Meaning Squid
> uses the default TTL and groups are only checked every 1hr.
>
>> The changes are not reflected immediately.
>>
>> But if I reload the squid service, the change takes effect
> That depends on what you mean by "reload".
>
> * If you are restarting the service it completely shuts down and then
> starts again. The credentials cache is stored only in volatile memory
> and gets erased on shutdown or restart.
>
> * If you are reconfiguring (reload the config), the memory and thus
> credentials cache is retained.
>
> Amos

Hello Amos, I do "service squid reload".

Is it correct that I need to do that to refresh the changes made on the LDAP
repository?

Because we have a call center that makes the changes to users' permissions
or groups on an LDAP application interface, but they can't restart the
proxy before making the changes. We do that.


regards,
Juan Manuel.
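
As an added example (not part of the original thread and not Squid's own code), this Python sketch reads the two directives Amos points to and reports how long a cached answer can outlive an LDAP change. The name `staleness`, the `TIGHTENED` values, the placeholder base DN and the 2-hour `credentialsttl` default are assumptions; `ttl=` and `negative_ttl=` are existing `external_acl_type` options.

```python
import shlex

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
DEFAULT_CREDENTIALS_TTL = 7200  # assumed Squid default (2 hours)
DEFAULT_ACL_TTL = 3600          # default noted in the reply above (1 hr)

# The two directives from the thread that carry (or omit) a TTL.
ORIGINAL = '''
auth_param basic credentialsttl 280 minutes
external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -b "ou=Groups,dc=vs-zmaster,dc=policia,dc=rionegro,dc=gov,dc=ar" -f "(&(memberUid=%u)(cn=%g)(objectClass=posixGroup))" -h 10.11.37.2 -v 3
'''
# Constructed variant: TTL values and base DN are illustrative, not from the thread.
TIGHTENED = '''
auth_param basic credentialsttl 5 minutes
external_acl_type ldap_group ttl=60 negative_ttl=30 %LOGIN /usr/lib/squid3/squid_ldap_group -b "ou=Groups,dc=example" -f "(&(memberUid=%u)(cn=%g))" -v 3
'''

def staleness(conf):
    """Worst-case seconds that Squid keeps serving cached LDAP answers."""
    report = {"password": DEFAULT_CREDENTIALS_TTL, "groups": {}}
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tok = shlex.split(raw)
        if tok[:3] == ["auth_param", "basic", "credentialsttl"]:
            unit = tok[4].rstrip("s") if len(tok) > 4 else "second"
            report["password"] = int(tok[3]) * UNITS[unit]
        elif tok[0] == "external_acl_type":
            opts = {}
            for t in tok[2:]:
                if t.startswith("%"):  # format codes end the option list
                    break
                key, _, val = t.partition("=")
                opts[key] = val
            ttl = int(opts.get("ttl", DEFAULT_ACL_TTL))
            neg = int(opts.get("negative_ttl", ttl))  # falls back to ttl
            # A cached "member" answer lives for ttl, a cached "not a member" for negative_ttl.
            report["groups"][tok[1]] = {"removed_from_group": ttl,
                                        "added_to_group": neg}
    return report

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name, staleness(conf))
```

Shorter TTLs mean more LDAP lookups per user, so the values chosen trade revocation delay against load on the directory server.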



