[squid-users] Unusual behaviour when linking ACLs to delay pools

Hi all

I have a problem so strange it's almost laughable.

I'm trying to set up a site with delay pools, but I only want to
forward members of a particular Active Directory group to the delay
pool. I have an authenticator that I have used on countless sites,
which checks to see whether a given user belongs to an AD group,
nested or otherwise. When I put a user in this group and use my acl to
prevent that group from say, accessing a website, it blocks them as
expected. When I apply that same ACL against the delay pool, however,
it doesn't send members into the pool. However, if I alter the ACL to
check for membership of ANOTHER group, then they ARE sent into the
pool. Confused?

Here's my config:

-------------
external_acl_type ldap_group ttl=70 %LOGIN
/usr/local/squid/libexec/squid/squid_ldap_group.pl #custom
authenticator to check for membership of nested AD groups
auth_param basic program /usr/local/squid/libexec/squid/adauth.pl
#custom authenticator to verify a user/pass combination are correct

delay_initial_bucket_level 100
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 8000/2048

acl all src 0.0.0.0/0.0.0.0
acl validusers proxy_auth REQUIRED
acl badfiles urlpath_regex -i "/etc/squid/badfiles.txt"
acl throttled external ldap_group Internet-Throttled
acl inetallow external ldap_group Internet-Allow
acl inetdisallow external ldap_group Internet-Disallow

delay_access 1 allow throttled
delay_access 1 deny all

http_access deny throttled badfiles
--------------

So if I put a user in the group "Internet-Throttled", they won't be
sent into the pool, but will be prohibited from downloading files in
the badfiles.txt list. Group membership testing is working for the
http_access deny, but not for delay_access
But if I alter the definition of the 'throttled' acl so it refers to
members of the AD group "Internet-Allow", then all members of that
group ARE sent to the delay pool

I'm finding it hard to attribute blame anywhere. It seems to be that
it can't be the authenticator, the group, or the delay pool syntax as
they all work fine under certain circumstances.

Any advice is greatly welcomed.

Thanks
Richard
Received on Thu Aug 19 2010 - 09:46:39 MDT