[squid-users] squid_ldap_group false negatives

From: Eugene M. Zheganin <eugene_at_zhegan.in>
Date: Wed, 07 Dec 2011 14:44:30 +0600


I'm using the squid_ldap_group external ACL to control AD users access
to the Internet.
Recently I got a problem: on some machines squid_ldap_group gives false
negative result.

Consider using emz is a member of 'Internet Users - Crystal' (and ofc
he's never removed).

It looks like:

2011/12/06 13:49:30.255| ACLChecklist::preCheck: 0x802797a18 checking
'http_access allow ad-internet-users'
2011/12/06 13:49:30.255| ACLList::matches: checking ad-internet-users
2011/12/06 13:49:30.255| ACL::checklistMatches: checking 'ad-internet-users'
2011/12/06 13:49:30.255| aclMatchExternal: ldap_group("emz
Internet%20Users%20-%20Crystal") = lookup needed
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": entry=@0, age=0
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": queueing a call.
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": return -1.
2011/12/06 13:49:30.255| ACL::ChecklistMatches: result for
'ad-internet-users' is -1
2011/12/06 13:49:30.255| ACLList::matches: result is false
2011/12/06 13:49:30.255| aclmatchAclList: 0x802797a18 returning false
(AND list entry failed to match)

This happens like one in 30-50 times, making it not that serious; but
it's still a problem.

However, running squid_ldap_group in a shell-script separately from
squid, I cannot reproduce this bug. Can it be because of the fact that
squid caches the results from helpers ?

I can also tell that this is happening only on squids > 3.1.12, because
I have a couple of machines with 3.1.12 and 3.1.11 and I don't have this
issue with them.

Is there any way to further localize this issue, before filling a bug
report ?


Received on Wed Dec 07 2011 - 08:44:41 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 07 2011 - 12:00:02 MST