[squid-users] Error determining LDAP server type: Timed out
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 9 08:19:43 UTC 2025
On 8/04/25 06:42, Reinhard Westerholt wrote:
> Hello everybody,
>
> I have configured Squid to use Kerberos authentication and employed
> ext_kerberos_ldap_group_acl to limit HTTP access. This setup works fine
> in most cases. However, randomly (and rarely), there seems to be an
> issue with the LDAP query, causing the Active Directory groups to fail
> to resolve, which subsequently denies user access. When this occurs, the
> issue persists for about an hour. I suspect this might be due to caching
> or TTL.
Very likely.
>
> Here is a relevant part of the configuration:
>
> auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/server.fqdn@domain
> auth_param negotiate children 500
> auth_param negotiate keep_alive on
>
> external_acl_type INetAccess ttl=3600 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"
There you have it: "ttl=3600" (i.e. 1 hour, in seconds). If this is the
only TTL configured it will be used for both OK and ERR results.
...
>
> I manually attempted to retrieve the subschemasubentry using ldapsearch.
> As far as I can see, there is no issue, or I could not reproduce the
> problem manually via ldapsearch.
>
> Does anyone have any ideas on how to further debug this issue?
> Additionally, are there any recommendations regarding the TTL value? If
> I reduce the TTL, the duration of the issue might be shorter for
> individual users.
There are three alternatives to changing "ttl=" itself.
In order of my recommendation:
1) Avoiding the external helper entirely if you can.
The auth helper you are using should be providing Squid with a list of
the group SSIDs the logged-in user is a member of. With those, Squid
can use the 'note' type ACL to check the groups quickly instead of
needing a separate helper lookup.
Like so:
acl INetAccess note group ...[SSID]...
2) Setting "grace=" which will attempt the re-lookup before the TTL
finishes. That way Squid will use the already cached value at the exact
time the failure occurs, and may be able to re-try the failed lookup at
least once before it has any effects.
This grace= option should ideally be only a few seconds and must be
strictly less than both ttl= and negative-ttl= values.
3) Add a shorter value for the ERR results with "negative-ttl=".
Just be aware that lowering either of these TTL values will impact
transaction speed for all the traffic where the user is (ttl=), or not
(negative-ttl=) a member of that group.
HTH
Amos
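The three alternatives from the reply, written out as a squid.conf fragment. This is an added example, not part of the thread and not taken from the Squid documentation. The helper path and its options are copied from the posted configuration; server.fqdn, DOMAIN, the 60-second and 10% values and the group SID are placeholders. Note that squid.conf spells the negative-result option negative_ttl= (underscore) and defines grace= as a percentage of the remaining TTL rather than a number of seconds; the note ACL line assumes Squid 4 or later for the -m flag.

```squid
# Added example; helper path and options as posted, all other values are
# placeholders chosen for illustration.

# As posted (kept here commented out): a single ttl= applies to OK and ERR
# alike, so one failed LDAP lookup is cached as "not a member" for an hour.
# external_acl_type INetAccess ttl=3600 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"

# Alternatives 2 and 3 from the reply: keep the hour for OK results, cache
# ERR results for 60 s only, and begin a background re-lookup when 10% of
# an entry's TTL remains so the cached answer keeps serving while the helper
# retries. negative_ttl= is the option's spelling in squid.conf; grace= is
# a percentage of the TTL, not seconds.
external_acl_type INetAccess ttl=3600 negative_ttl=60 grace=10 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"
acl INetAccess external INetAccess

# Alternative 1 from the reply: skip the LDAP helper and match the group
# SIDs that negotiate_kerberos_auth returns in its "group=" annotation.
# -m splits the comma-separated annotation value into individual tokens
# (Squid 4 or later, assumed). The SID below is a placeholder, not a real
# group. Use this acl line instead of the two lines above, not in addition.
# acl INetAccess note -m group S-1-5-21-000000000-000000000-000000000-1234

http_access deny !INetAccess
```

With negative_ttl=60 a transient LDAP timeout denies an affected user for at most a minute instead of an hour, at the cost of one extra helper lookup per minute for every user who is genuinely not in the group; lowering ttl= has the same cost for members, which is why the example leaves the positive TTL untouched.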