Hi,
> The helpers should not notice any difference from what I know and have
> experienced.
>
> However, maybe your helper tries to use /dev/tty for some reason.
> Helpers should not use /dev/tty, but this is the only possible
> difference I can estimate between daemon mode and no daemon mode.
>
> Helpers should only use stdin/stdout/stderr (stderr for error logging
> only).

I finally found why my expire-helper was crashing! When started from a
root-shell using "/usr/local/squid/sbin/squid -N -d 1 -D" the PATH was
set to include /usr/local/bin. Thus the helper did not crash, since gawk
and ldapsearch were in PATH.
When started from "/usr/local/squid/bin/RunCache &", /usr/local/bin was
not in PATH - I suppose because it's not in the .profile of the squid-user.
So the helper crashed because it couldn't find gawk and ldapsearch.
Adding /usr/local/bin to PATH in the expire-helper prevented it from
crashing.
I'm not exactly sure why this happened, since in either case the effective
UID should have been the squid-user, shouldn't it?
Nonetheless, for anyone interested, here's the helper (not beautiful,
but it works ;-) ) + the necessary entries in squid.conf
Regards,
Frank
############ begin expire.sh ##############################
#!/usr/bin/bash
# Squid external ACL helper: reads one login name per line on stdin and
# answers OK or ERR on stdout.
# Squid may be started with a shorter PATH than a root shell has, so add
# the directory that holds gawk and ldapsearch explicitly.
PATH=$PATH:/usr/local/bin
E_BADARGS=65
print_usage ()
{
    echo "Usage: `basename $0` options"
    echo "Options: -D binddn : DN to bind to server with"
    echo "         -b basedn : base DN"
    echo "         -h host   : LDAP server"
    echo "         -f filter : LDAP search filter containing %u for username"
    echo "         -l limit  : keyword for limit grace logins attribute (default: loginGraceLimit)"
    echo "         -r remain : keyword for remaining grace logins attribute (default: loginGraceRemain)"
    exit $E_BADARGS
}
# Locate the external tools. Some `which` implementations print
# "no <tool> in ..." when nothing is found, others print nothing.
# Errors go to stderr; stdout is reserved for answers to Squid.
LDAPSEARCH=`which ldapsearch`
if [[ -z $LDAPSEARCH || $LDAPSEARCH = no* ]]
then
    echo "Error: ldapsearch not found!" >&2
    exit 1
fi
AWK=`which gawk`
if [[ -z $AWK || $AWK = no* ]]
then
    echo "Error: gawk not found!" >&2
    exit 1
fi
SED=`which sed`
if [[ -z $SED || $SED = no* ]]
then
    echo "Error: sed not found!" >&2
    exit 1
fi
# -D, -b, -h and -f are required: four options plus their values.
if [ "$#" -eq 0 -o "$#" -lt 8 ]
then
    print_usage
fi
while getopts "D:b:h:f:l:r:" option
do
    case $option in
        D) BINDDN=$OPTARG;;
        b) BASEDN=$OPTARG;;
        h) HOST=$OPTARG;;
        f) FILTER=$OPTARG;;
        l) LIMIT=$OPTARG;;
        r) REMAIN=$OPTARG;;
        *) print_usage;;
    esac
done
if [[ $FILTER != *\%u* ]]
then
    echo "Error: no %u found in search filter" >&2
    exit $E_BADARGS
fi
if [ "$LIMIT" == "" ]
then
    LIMIT="loginGraceLimit"
fi
if [ "$REMAIN" == "" ]
then
    REMAIN="loginGraceRemain"
fi
# Main loop: one login name per request line, one OK/ERR line per answer.
while read -r USER
do
    if [ "$USER" != "" ]
    then
        # NOTE: $USER is substituted as-is; characters that are special to
        # sed or to LDAP filters (/ & * ( ) \) are not escaped here.
        NEWFILTER=`echo "$FILTER" | $SED "s/%u/$USER/"`
        # Answer OK only if both attributes are present and the remaining
        # grace logins equal the limit; anything else is ERR.
        $LDAPSEARCH -D "$BINDDN" -b "$BASEDN" -h "$HOST" "$NEWFILTER" | \
        $AWK -v limit="$LIMIT" -v remain="$REMAIN" '{ \
            if ( $0 ~ limit ) { vallimit=$2 }; \
            if ( $0 ~ remain ) { valremain=$2 } \
        } \
        END { \
            if ( valremain != "" && vallimit != "" ) { \
                if ( valremain == vallimit ) { print "OK" } \
                else { print "ERR" } \
            } \
            else { print "ERR" } \
        }'
    else
        echo "ERR"
    fi
done
exit 0
############ end expire.sh ##############################
############ begin squid.conf #############################
external_acl_type passwd-expired-external ttl=5 concurrency=5 %LOGIN <path-to>/expire.sh -D <binddn> -b <basedn> -h <ldap-server> -f <ldap-search-filter>
acl passwd-expired external passwd-expired-external
http_access deny !passwd-expired
deny_info ERR_PASSWD_EXPIRED passwd-expired
############ end squid.conf ##############################
Received on Fri Jun 27 2003 - 00:14:27 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:39 MST
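
Added example, not part of the post above and not Squid code: two defensive pieces for a helper like expire.sh, a startup check that reports missing tools on stderr (the failure described in the post) and a filter builder that escapes the login name per RFC 4515 before it replaces %u. The function names require_tools, ldap_escape and build_filter are hypothetical.

```shell
#!/bin/sh
# Added example: hardening pieces for a Squid external ACL helper.
# All function names below are hypothetical, not from the original post.

# Check that every required tool resolves in the current PATH. Missing
# names are reported on stderr (never stdout, which carries answers to
# Squid), so the cause is logged instead of showing up as a helper crash.
require_tools() {
    _missing=
    for _t in "$@"; do
        command -v "$_t" >/dev/null 2>&1 || _missing="$_missing $_t"
    done
    if [ -n "$_missing" ]; then
        echo "helper: not found in PATH ($PATH):$_missing" >&2
        return 1
    fi
    return 0
}

# Escape the characters that are special in an LDAP search filter
# (RFC 4515) so a login name is always matched as a literal value.
# Pure shell: the escaping itself does not depend on PATH.
ldap_escape() {
    _in=$1
    _out=
    while [ -n "$_in" ]; do
        _rest=${_in#?}            # everything after the first character
        _c=${_in%"$_rest"}        # the first character
        case $_c in
            '\') _out=$_out'\5c' ;;
            '*') _out=$_out'\2a' ;;
            '(') _out=$_out'\28' ;;
            ')') _out=$_out'\29' ;;
            *)   _out=$_out$_c ;;
        esac
        _in=$_rest
    done
    printf '%s' "$_out"
}

# Replace the first %u in the filter template ($1) with the escaped login
# name ($2). No sed is involved, so "/" or "&" in the name is harmless.
build_filter() {
    case $1 in *%u*) ;; *) return 1 ;; esac
    _esc=$(ldap_escape "$2")
    _pre=${1%%"%u"*}
    _post=${1#*"%u"}
    printf '%s' "$_pre$_esc$_post"
}
```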