[squid-users] squid_ldap_group false negatives

From: Eugene M. Zheganin <eugene_at_zhegan.in>
Date: Wed, 07 Dec 2011 14:44:30 +0600

Hi.

I'm using the squid_ldap_group external ACL to control AD users' access
to the Internet.
Recently I got a problem: on some machines squid_ldap_group gives a false
negative result.

Consider that user emz is a member of 'Internet Users - Crystal' (and ofc
he has never been removed).

It looks like:

===Cut===
2011/12/06 13:49:30.255| ACLChecklist::preCheck: 0x802797a18 checking
'http_access allow ad-internet-users'
2011/12/06 13:49:30.255| ACLList::matches: checking ad-internet-users
2011/12/06 13:49:30.255| ACL::checklistMatches: checking 'ad-internet-users'
2011/12/06 13:49:30.255| aclMatchExternal: ldap_group("emz
Internet%20Users%20-%20Crystal") = lookup needed
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": entry=@0, age=0
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": queueing a call.
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": return -1.
2011/12/06 13:49:30.255| ACL::ChecklistMatches: result for
'ad-internet-users' is -1
2011/12/06 13:49:30.255| ACLList::matches: result is false
2011/12/06 13:49:30.255| aclmatchAclList: 0x802797a18 returning false
(AND list entry failed to match)
===Cut===

This happens like one in 30-50 times, making it not that serious; but
it's still a problem.

However, running squid_ldap_group in a shell script separately from
squid, I cannot reproduce this bug. Can it be because of the fact that
squid caches the results from helpers?

I can also tell that this is happening only on squids > 3.1.12, because
I have a couple of machines with 3.1.12 and 3.1.11 and I don't have this
issue with them.

Is there any way to further localize this issue, before filing a bug
report?

Thanks.

Eugene.
Received on Wed Dec 07 2011 - 08:44:41 MST
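
One way to put a number on the intermittent result described in the message above is to tally the `aclMatchExternal ... return N.` lines per user and group over a whole debug log. This is an added example, not part of the original post or of Squid; the sample log is constructed in the format of the excerpt, and it assumes other return values are logged in the same `return N.` form.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in the format of the excerpt above, mail-wrapped lines included.
SAMPLE = '''\
2011/12/06 13:49:30.255| aclMatchExternal: ldap_group("emz
Internet%20Users%20-%20Crystal") = lookup needed
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": queueing a call.
2011/12/06 13:49:30.255| aclMatchExternal: "emz
Internet%20Users%20-%20Crystal": return -1.
2011/12/06 13:49:31.100| aclMatchExternal: "bob Internet%20Users%20-%20Crystal": return -1.
2011/12/06 13:49:32.000| ACLList::matches: result is false
'''

# A record starts with a timestamp followed by "| ".
STAMP = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\| ')
# Helper key is "<user> <url-encoded group>", followed by the return code.
RETURN = re.compile(r'aclMatchExternal: "(\S+) (\S+)": return (-?\d+)\.')

def unwrap(text):
    """Rejoin continuation lines (no timestamp prefix) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line.strip()
    return records

def tally_returns(text):
    """Map (user, decoded group) -> Counter of aclMatchExternal return codes."""
    counts = defaultdict(Counter)
    for rec in unwrap(text):
        m = RETURN.search(rec)
        if m:
            user, group, code = m.groups()
            counts[(user, unquote(group))][int(code)] += 1
    return counts

if __name__ == '__main__':
    for (user, group), codes in sorted(tally_returns(SAMPLE).items()):
        print(user, repr(group), dict(codes))
```

Comparing the per-key tallies from a 3.1.12 machine with those from a newer one shows whether the return-code distribution for the same user and group actually differs between versions.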
