RE: [squid-users] external_acl_type ttl not working? or not as I understand?

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 1 Jun 2005 14:21:54 -0800

> -----Original Message-----
> From: Mike Brentlinger [mailto:msbrentlinger@gmail.com]
> Sent: Wednesday, June 01, 2005 1:57 PM
> To: Chris Robertson
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] external_acl_type ttl not working? or not as I understand?
>
> On 6/1/05, Chris Robertson <crobertson@gci.com> wrote:
>>> -----Original Message-----
>>> From: Mike Brentlinger [mailto:msbrentlinger@gmail.com]
>>> Sent: Wednesday, June 01, 2005 10:23 AM
>>> To: squid-users@squid-cache.org
>>> Subject: [squid-users] external_acl_type ttl not working? or not as I
>>> understand?
>>>
>>>
>>> I'm trying to conjure up a replacement to Novell Border Manager +
>>> client trust for transparent auth in a Novell environment. There are
>>> some squid proxy auth things it seems, however they require that the
>>> user be prompted to enter a user+pass... not really ideal. Instead
>>> users should not have to think about logging on. I know ident can be
>>> spoofed but for this test it's not a huge issue, so got the following to
>>> work on squid 2.5 stable 5:
>>>
>>> external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
>>> acl group1 external ldap_lookup
>>> http_access allow group1
>>>
>>> where /tmp/ldaplookup.pl is
>>> #!/usr/bin/perl
>>> $|=1;                      # unbuffered STDOUT: Squid reads one reply line per request
>>> while ( 1 == 1 ) {
>>>     $input = <STDIN>;      # the %IDENT user name, one per line, from Squid
>>>     last unless defined $input;   # Squid closed our stdin: exit instead of spinning
>>>     chomp($input);
>>>     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |' or die "Can't ldapsearch :$!";
>>>     $found = 0;
>>>     $fullusername = '';
>>>     while (<LDAPSEARCH>) {
>>>         #print "$_";
>>>         # \Q...\E quotes any regex metacharacters in the user name
>>>         if ($_ =~ /cn=\Q$input\E,/i) {
>>>             $found = 1;
>>>             /member: (.*)/i;
>>>             $fullusername = $1;
>>>             last;
>>>         };
>>>     }
>>>     close LDAPSEARCH;
>>>     if ($found == 0){
>>>         print 'ERR ERROR="'.$input.' not a valid internet user"'."\n";
>>>     } else {
>>>         print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
>>>     };
>>> };
>>>
>>>
>>> and my client is running
>>> http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip
>>>
>>>
>>> everything works except the ttl isn't as I thought... eg: my client
>>> tries to hit a page, squid ident requests my client, which responds,
>>> then squid uses my script to see if that user name is in the
>>> "internet" group as returned from my ldap search. if the user's in the
>>> group the page is served, if not, they get access denied.
>>>
>>> so my question is this... if i immediately shut down my identd on my
>>> client, squid starts denying access immediately. a net sniff shows
>>> that squid is doing an ident query for every access request. I would
>>> have expected with the ttl=120 that squid wouldn't query until 2
>>> minutes later. this seems like a lot of needless ident traffic and
>>> when i start piling on users I'll be doing more ident and ldap lookups
>>> than web proxying.
>>>
>>> I suppose I just misunderstand the ttl option. is there any way to get
>>> squid to only ask for this ident auth at some specified timeout and
>>> not for every page request?
>>>
>>> any help would be greatly appreciated.
>>
>> The TTL value specified is how long Squid caches the result for the external
>> ACL. So (as it stands now) if you authenticate, and then shut down the LDAP
>> server (or revoke the account), you'll be able to continue surfing for two
>> minutes. Move the ident lookup to the Perl script, and you should see a
>> reduction in network traffic.
>>
>> Chris
>>
> Chris,
> Thanks for the reply. To make sure I understand correctly...... you're
> saying something like the following would only do a single ident query
> and ldap lookup every 2 mins... and in-between squid would just
> remember for the duration of the ttl that %SRC has access?
>
>
> external_acl_type lookup ttl=120 %SRC /tmp/lookup.pl
> acl group1 external lookup
> http_access allow group1
>
>
> where /tmp/lookup.pl is
>
> #!/usr/bin/perl
> $|=1;                      # unbuffered STDOUT, as in the first script
> while ( 1 == 1 ) {
>     $input = <STDIN>;      # client ip from squid (%SRC)
>     last unless defined $input;
>     chomp($input);
>     # placeholder: ident_query() stands for some func doing an ident query to the
>     # client for a username (hypothetical name, not a real module)
>     $ident_rtn_name = ident_query($input);
>     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member|' or die "Can't ldapsearch :$!";
>     $found = 0;
>     $fullusername = '';
>     while (<LDAPSEARCH>) {
>         if ($_ =~ /cn=\Q$ident_rtn_name\E,/i) {
>             $found = 1;
>             /member: (.*)/i;
>             $fullusername = $1;
>             last;
>         };
>     }
>     close LDAPSEARCH;
>     if ($found == 0){
>         print 'ERR ERROR="'.$ident_rtn_name.' not a valid internet user"'."\n";
>     } else {
>         print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
>     };
> };
>
>
> --
> msb

That is what I am saying. Whether I am correct or not is the big question.
:o) FWIW, I have a high level of confidence in my assertion.

Chris
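The helper the thread sketches (ident lookup moved into the script, keyed on %SRC so Squid's ttl caches one answer per client IP), written out as an added example; this is not code from the thread or from Squid. It assumes Squid hands the helper three fields per line, the client IP plus the client's TCP source port and Squid's own port, because an RFC 1413 ident query is answered for a port pair, not for an address (the thread's `%SRC` alone does not carry the ports; how to pass them is an assumption here). The LDIF text is a constructed sample standing in for the `ldapsearch -LLLxh server "(cn=Internet)" member` output, and the OK/ERR lines mirror the shape the thread's script prints. One consequence of keying on %SRC worth keeping in mind: whatever answer is cached is bound to the IP for `ttl` seconds, so anyone using that address inside the window inherits it, and denials are likewise held for Squid's negative TTL.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: RFC 1413 ident lookup plus LDAP group check.

Input line from Squid (assumed format): <client ip> <client src port> <squid port>
Output line to Squid: OK USER="..." or ERR ERROR="..." (same shape as the thread).
"""
import re
import socket
import sys

IDENT_PORT = 113

# Constructed sample of the LDIF that `ldapsearch ... "(cn=Internet)" member`
# would return: one "member:" line per group member.
SAMPLE_LDIF = """\
dn: cn=Internet,ou=groups,o=example
member: cn=alice,ou=users,o=example
member: cn=Bob,ou=users,o=example
"""


def build_ident_request(client_port, squid_port):
    """RFC 1413 request is '<port-on-server>, <port-on-client>' CRLF.  The ident
    *server* runs on the client PC, so port-on-server is the PC's source port of
    the proxied connection and port-on-client is Squid's listening port."""
    return "%d, %d\r\n" % (client_port, squid_port)


def parse_ident_response(line):
    """Return the user-id from a 'ports : USERID : opsys : user' reply, or None
    for an ERROR reply or anything malformed."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) == 4 and fields[1].upper() == "USERID":
        return fields[3] or None
    return None


def ident_query(client_ip, client_port, squid_port, timeout=3.0):
    """Ask the identd on the client PC who owns the connection; a closed port,
    timeout or garbage reply all count as 'unknown user' (None)."""
    try:
        with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_ident_request(client_port, squid_port).encode("ascii"))
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
        return parse_ident_response(data.decode("ascii", "replace"))
    except (OSError, ValueError):
        return None


def parse_group_members(ldif_text):
    """Collect the DNs on the 'member:' lines of an LDIF group entry."""
    return [m.strip() for m in re.findall(r"^member:\s*(.+)$", ldif_text, re.M | re.I)]


def find_member(members, username):
    """Return the member DN whose leading cn= RDN equals username
    (case-insensitive), else None.  Escaping the name keeps regex
    metacharacters in an ident reply from widening the match."""
    wanted = re.compile(r"^cn=" + re.escape(username) + r"\s*,", re.I)
    for dn in members:
        if wanted.match(dn):
            return dn
    return None


def helper_reply(username, members):
    """One reply line for Squid, in the OK/ERR shape used in the thread."""
    if not username:
        return 'ERR ERROR="ident lookup failed"'
    dn = find_member(members, username)
    if dn is None:
        return 'ERR ERROR="%s not a valid internet user"' % username
    return 'OK USER="%s authorized internet user"' % dn


def main():
    # Squid starts the helper once and feeds one request per line; with
    # ttl=120 keyed on %SRC, a given client IP reaches this loop at most once
    # per two minutes while its cached answer is valid.
    sys.stdout.reconfigure(line_buffering=True)   # same effect as Perl's $|=1
    members = parse_group_members(SAMPLE_LDIF)    # a real helper re-runs ldapsearch here
    for line in sys.stdin:
        parts = line.split()
        try:
            client_ip, client_port, squid_port = parts[0], int(parts[1]), int(parts[2])
        except (IndexError, ValueError):
            print('ERR ERROR="expected: <client ip> <client port> <squid port>"')
            continue
        print(helper_reply(ident_query(client_ip, client_port, squid_port), members))


if __name__ == "__main__":
    main()
```

Run it as `external_acl_type lookup ttl=120 ... /path/to/helper.py` would, or feed it a line by hand (`echo "10.0.0.5 49152 3128" | ./helper.py`); with no identd on the client the reply is the `ident lookup failed` ERR line, which Squid then caches for the negative TTL rather than re-querying on every request.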
Received on Wed Jun 01 2005 - 16:21:58 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT