Re: [squid-users] ad-query result cached in squid?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 04 Mar 2010 11:05:34 +1300

On Wed, 03 Mar 2010 22:38:36 +0100, Thomas Klein
<mailinglist-postfixbuch_at_online.de> wrote:
> Mike Ely wrote:
>> On 3/3/10 12:37 PM, "Thomas Klein" <mailinglist-postfixbuch_at_online.de>
>> wrote:
>>
>>
>>> Hello Squid-Admins,
>>>
>>> I'm in the first steps on installing squid in a network of a customer.
>>> Squid asks one of the domain controllers to authenticate the users via
>>> ntlm. I have three groups of users in the AD to regulate the internet
>>> access. This works so far.
>>>
>>> The only buggy thing is, if I remove a user completely from all groups,
>>> the access over squid should be no longer possible. But it seems that
>>> squid is caching the result of the query in any way (or another
>>> component, that did the query perhaps?), because if I remove a user from
>>> all groups, the access is still possible through squid. If I wait for,
>>> let's say one or a half hour, the removal of the user from the group gets
>>> recognized, and the access is no more possible.
>>> Is there a variable for setting this value, how long a query is cached?
>>> A reboot and a restart of squid does not change anything.
>>>
>>> Thanks for a short answer & regards
>>> Thomas
>>>
>>>
>>
>> How many domain controllers are there in this network? What you are
>> experiencing may just be a case of slow propagation between DCs.
>>
>> Cheers,
>> Mike
>>
>>
> Hmm... I have two domain controllers (at the same location) and I did
> the changes of the group members on the same DC, that is queried from
> Squid. In another AD-forest tree are 5 domain controllers (different
> locations), but I think they aren't queried by squid.
>
> best regards
> Thomas

Credentials may be stored in squid memory, but a restart erases that.
Your test has already proven it's not a Squid issue directly, but
something else in the network caching the details. Possibly it may be
re-seeding Squid and extending the period, but that's as close as it gets.

Amos
Received on Wed Mar 03 2010 - 22:05:36 MST
