Re: [squid-users] external_acl_type ttl not working? or not as I understand?

From: Mike Brentlinger <msbrentlinger@dont-contact.us>
Date: Wed, 1 Jun 2005 16:56:53 -0500

Chris,
Thanks for the reply. to make sure I understand correctly...... youre
saying something like the following would only do a single idnet query
and ldap lookup every 2 mins... and in-between squid would just
remember for the duration of the ttl that %SRC has access ?

 external_acl_type lookup ttl=120 %SRC /tmp/lookup.pl
 acl group1 external lookup
 http_access allow group1

where /tmp/lookup.pl is

 #!/usr/bin/perl
  while ( 1 == 1 ) {
   $input = <STDIN>; #client ip from squid
   $ident_rtn_name = return of some func doing an ident query to
client for a username
   open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member|' ;
   $found = 0;
   $fullusername = '';
   while (<LDAPSEARCH>) {
     if ($_ =~ /cn=$ident_rtn_name,/i) {
       $found = 1;
       /member: (.*)/i;
       $fullusername = $1;
       last;
     };
   }
   if ($found == 0){
     print 'ERR ERROR="'.$ident_rtn_name.' not a valid internet user"'."\n";
   } else {
     print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
   };
 };

On 6/1/05, Chris Robertson <crobertson@gci.com> wrote:
> > -----Original Message-----
> > From: Mike Brentlinger [mailto:msbrentlinger@gmail.com]
> > Sent: Wednesday, June 01, 2005 10:23 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] external_acl_type ttl not working? or not as I
> > understand?
> >
> >
> > Im trying to conjure up a replacement to novell border manager +
> > client trust for transpartent auth in a novell environment. there are
> > some squid proxy auth things it seems, however they require that the
> > user be prompted to enter a user+pass... not really ideal. instead
> > users should not have to think about logging on. i know ident can be
> > spoofed but for this test its not a huge issue so got the following to
> > work on squid 2.5 stable 5:
> >
> > external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
> > acl group1 external ldap_lookup
> > http_access allow group1
> >
> > where /tmp/ldaplookup.pl is
> > #!/usr/bin/perl
> > $|=1;
> > while ( 1 == 1 ) {
> > $input = <STDIN>;
> > chomp($input);
> > open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member
> > |' or die "Can't ldapsearch :$!";
> > $found = 0;
> > $fullusername = '';
> > while (<LDAPSEARCH>) {
> > #print "$_";
> > if ($_ =~ /cn=$input,/i) {
> > $found = 1;
> > /member: (.*)/i;
> > $fullusername = $1;
> > last;
> > };
> > }
> > if ($found == 0){
> > print 'ERR ERROR="'.$input.' not a valid internet user"'."\n";
> > } else {
> > print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
> > };
> > };
> >
> >
> > and my client is running
> > http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip
> >
> >
> > everything works except the ttl isnt as I thought... eg: my client
> > tries to hit a page, squid ident requests my client, which responds,
> > then squid uses my script to see if that user name is in the
> > "internet" group as retured from my ldap search. if the users in the
> > group the page is served, if not, they get access denied.
> >
> > so my question is this... if i imediately shut down my identd on my
> > client, squid starts denying access immediately. a net sniff shows
> > that squid is doing an ident query for every access request. I would
> > have expected with the ttl=120 that squid wouldnt query until 2
> > minutes later. this seems like a lot of needless ident traffic and
> > when i start piling on use
rs ill be doing more ident and ldap lookups
> > than web proxying.
> >
> > I suppose I just misunderstand the ttl option. is there anyway to get
> > squid to only ask for this ident auth at some specified timeout and
> > not for every page request?
> >
> > any help would be greatly appreciated.
>
> The TTL value specified is how long Squid caches the result for the external
> ACL. So (as it stands now) if you authenticate, and then shut down the LDAP
> server (or revoke the account), you'll be able to continue surfing for two
> minutes. Move the ident lookup to the Perl script, and you should see a
> reduction in network traffic.
>
> Chris
>

-- 
 msb
Received on Wed Jun 01 2005 - 15:56:57 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT