Re: [squid-users] cant build squid 3.3.5 with external_acl_helper ldap_group on CentOS 6.4 64bits

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 04 Jun 2013 09:55:26 +0300

Hey Ricardo.

GOOD and Thanks!
I have seen this issue before but didn't have much time to handle it.
So now the ldap helper works fine?
If I understand right there is something odd about the helpers code
which forces the admin to use more helpers than it used to be in 2.7 and
3.1.

How about testing it and making sure it's a *bug* and filing a bug
together on it?

Why do you use a couple of rock store caches if they are all available to all
the workers?

Eliezer

On 6/3/2013 8:15 PM, Ricardo Klein wrote:
> Hi Eliezer,
>
> I ended up making some changes on my /etc/init.d/squid to force
> pidfiles exclusion on /var/run/squid, because when I restart squid it
> does not always kill those files (but it ends all processes).
>
> My new packages now have the init.d script with those changes and I
> have uploaded them here:
> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.src.rpm
> http://webfiles.klein.inf.br/centos/squid-3.3.5-2.el6.x86_64.rpm
> And, my selinux policies too:
> http://webfiles.klein.inf.br/centos/squid_selinuxpolicy.tar.bz2 if you
> use any RHEL flavor.
>
> Btw, I have good performance when I added some options on
> ext_ldap_group_acl (children-max=50 children-startup=25
> children-idle=25), and here is all the interesting part about it:
> #### SQUID.CONF parts ####
> cache_mem 2048 MB
> workers 6
> cache_dir rock /var/spool/squid/cache1 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
> cache_dir rock /var/spool/squid/cache2 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
> cache_dir rock /var/spool/squid/cache3 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
> cache_dir rock /var/spool/squid/cache4 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
> cache_dir rock /var/spool/squid/cache5 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
> cache_dir rock /var/spool/squid/cache6 4096 max-size=31000 swap-timeout=1000 max-swap-rate=100
>
> cache_replacement_policy heap LFUDA
>
> logfile_daemon /usr/lib64/squid/log_file_daemon
> access_log daemon:/var/log/squid/access.log squid
>
> auth_param basic credentialsttl 20 minutes
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>
> external_acl_type ldap_group children-max=50 children-startup=25 children-idle=25 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -S -R -b "DC=MYDOMAIN,DC=local" -D "CN=squid,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local" -w MYPASSWORD -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,OU=Internet,OU=Infra-estrutura,DC=MYDOMAIN,DC=local))" -h <IPADDRESS>
>
> authenticate_ttl 600 seconds
> #### /SQUID.CONF parts ####
>
> Anyway, I still have some errors like this one when using more than 2
> workers (but squid is still working):
>
> Squid Cache (Version 3.3.5): Terminated abnormally.
> CPU Usage: 0.068 seconds = 0.054 user + 0.014 sys
> Maximum Resident Size: 76000 KB
> Page faults with physical i/o: 0
> FATAL: Ipc::Mem::Segment::open failed to shm_open(/squid-squid-page-pool.shm): (2) No such file or directory
>
> I am going to test it in production to see how it performs and tell you here, ok?
> --
> Att...
>
> Ricardo Felipe Klein
> klein.rfk_at_gmail.com
>
>
> On Mon, Jun 3, 2013 at 9:37 AM, Ricardo Klein <klein.rfk_at_gmail.com> wrote:
>> Eliezer,
>>
>> you didn't compile the LDAP_group external acl, see your ./configure line:
>> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
>>
>> Mine:
>> --enable-external-acl-helpers="file_userip,LDAP_group,kerberos_ldap_group,session,unix_group,wbinfo_group"
>>
>> But I will try to rebuild your package with LDAP_group enabled
>> --
>> Att...
>>
>> Ricardo Felipe Klein
>> klein.rfk_at_gmail.com
>>
>>
>> On Mon, Jun 3, 2013 at 8:53 AM, Ricardo Klein <klein.rfk_at_gmail.com> wrote:
>>> Eliezer,
>>>
>>> You mean change permissions on /dev/shm? It is already "world writeable"
>>> [root_at_theroutertwo ~]# ll /dev/shm
>>> total 0
>>> drwxrwxrwt. 2 root root 40 Jun 1 12:16 .
>>>
>>> (maybe I am doing the whole shm thing wrong)
>>>
>>> Btw I will test your package this morning (it is Monday morning here in
>>> Brazil now) and tell you how it goes.
>>>
>>> --
>>> Att...
>>>
>>> Ricardo Felipe Klein
>>> klein.rfk_at_gmail.com
>>>
>>>
>>> On Mon, Jun 3, 2013 at 7:58 AM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>>> wrote:
>>>>
>>>> Yes it works.
>>>> If you need some SHM thing just change the ownership of the directory.
>>>> It will solve most of the problems.
>>>> If there is some SPEC expert here I will be happy to get some help to do
>>>> this change in the SPEC file instead of doing it manually.
>>>>
>>>> Eliezer
>>>>
>>>>
>>>> On 6/1/2013 11:50 PM, Ricardo Klein wrote:
>>>>>
>>>>> Eliezer,
>>>>>
>>>>> nice, you already have the package I need... Does your package work
>>>>> with ldap_group external acl?
>>>>> I will try it and check if your package works with my conf, this SHM
>>>>> error is driving me crazy.
>>>>> --
>>>>> Att...
>>>>>
>>>>> Ricardo Felipe Klein
>>>>> klein.rfk_at_gmail.com
>>>>>
>>>>>
>>>>> On Sat, Jun 1, 2013 at 5:28 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il>
>>>>> wrote:
>>>>>>
>>>>>> Hey Ricardo,
>>>>>>
>>>>>> If you can build an RPM and store it, it will be helpful for many people.
>>>>>> It will also add redundancy to my RPM and an alternative to mine.
>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/
>>>>>> If you want the SRPM this is where mine is stored:
>>>>>> http://www1.ngtech.co.il/rpm/centos/6/x86_64/SRPM/
>>>>>>
>>>>>> Eliezer
>>>>>>
>>>>>>
>>>>>> On 6/1/2013 3:01 PM, Ricardo Klein wrote:
>>>>>>>
>>>>>>>
>>>>>>> Amos,
>>>>>>>
>>>>>>> great thanks, I will fix this mess I did in the ./configure and try
>>>>>>> again. If I can build an RPM package for CentOS 6.4 (and it should
>>>>>>> work in RHEL 6.4 too) is there any interest in me putting this somewhere
>>>>>>> people can download it?
>>>>>>> --
>>>>>>> Att...
>>>>>>>
>>>>>>> Ricardo Felipe Klein
>>>>>>> klein.rfk_at_gmail.com
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Jun 1, 2013 at 12:39 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/06/2013 7:40 a.m., Ricardo Klein wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi there,
>>>>>>>>>
>>>>>>>>> I am trying to build squid on CentOS 6.4 64bits with
>>>>>>>>> external_acl_helper "ldap_group", but my ./configure log says:
>>>>>>>>> configure: external acl helper ldap_group ... found but cannot be
>>>>>>>>> built
>>>>>>>>> I have fired a bug in the bugtrack, but, if any of you know what is
>>>>>>>>> wrong, please tell me so I can cancel that bugtracker.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The script detecting external-acl-helpers entries has a bug displaying the
>>>>>>>> wrong message for the error. It will report "found but cannot be built" for
>>>>>>>> both the found and not-found error cases. In your situation I believe the
>>>>>>>> helpers as named cannot be found at all due to incorrect ./configure options.
>>>>>>>>
>>>>>>>> Details inline with your options...
>>>>>>>>
>>>>>>>>
>>>>>>>>> Here is my ./configure options:
>>>>>>>>> ./configure \
>>>>>>>>> --prefix=/usr \
>>>>>>>>> --exec-prefix=/usr \
>>>>>>>>> --bindir=/usr/bin \
>>>>>>>>> --sbindir=/usr/sbin \
>>>>>>>>> --sysconfdir=/etc \
>>>>>>>>> --datadir=/usr/share \
>>>>>>>>> --includedir=/usr/include \
>>>>>>>>> --libdir=/usr/lib64 \
>>>>>>>>> --libexecdir=/usr/libexec \
>>>>>>>>> --sharedstatedir=/var/lib \
>>>>>>>>> --mandir=/usr/share/man \
>>>>>>>>> --infodir=/usr/share/info \
>>>>>>>>> --enable-internal-dns \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> internal-dns is enabled by default. You can omit this.
>>>>>>>>
>>>>>>>>
>>>>>>>>> --disable-strict-error-checking \
>>>>>>>>> --exec_prefix=/usr \
>>>>>>>>> --libexecdir=/usr/lib64/squid \
>>>>>>>>> --localstatedir=/var \
>>>>>>>>> --datadir=/usr/share/squid \
>>>>>>>>> --sysconfdir=/etc/squid \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> You already specified several of the above batch of options (datadir,
>>>>>>>> sysconfdir, libexecdir) with different values. This may cause unexpected
>>>>>>>> results when installing.
>>>>>>>> And "--exec_prefix" does not exist. There is a different "--exec-prefix"
>>>>>>>> option earlier which will be used ... so more unexpected results when
>>>>>>>> installing.
>>>>>>>>
>>>>>>>>> --with-logdir=$LOCALSTATEDIR/log/squid \
>>>>>>>>> --with-pidfile=$LOCALSTATEDIR/run/squid.pid \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> --disable-dependency-tracking \
>>>>>>>>> --enable-arp-acl \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "--enable-arp-acl" does not exist. The replacement --enable-eui is already
>>>>>>>> enabled by default, so all you need do is to remove the above option.
>>>>>>>>
>>>>>>>>> --enable-follow-x-forwarded-for \
>>>>>>>>> --enable-auth \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> NP: auth is enabled by default, and when omitted will be auto-enabled by the
>>>>>>>> below helpers options anyway. You can omit "--enable-auth" entirely.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,squid_radius_auth
>>>>>>>>> --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth \
>>>>>>>>> --enable-digest-auth-helpers=password,ldap,eDirectory \
>>>>>>>>> --enable-negotiate-auth-helpers=squid_kerb_auth \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The auth build options underwent a major change in the squid-3.2 series.
>>>>>>>> --enable-X-auth-helpers options no longer exist.
>>>>>>>> Squid ./configure script is ignoring the above auth helper options and using
>>>>>>>> the default versions of the new --enable-auth-X options.
>>>>>>>>
>>>>>>>> For example your basic auth helpers line should be:
>>>>>>>>
>>>>>>>>
>>>>>>>> --enable-auth-basic="LDAP,MSNT,NCSA,PAM,SMB,NIS,getpwnam,MSNT-multi-domain,SASL,DB,RADIUS"
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> You are not getting build problems with the auth helpers because the entire
>>>>>>>> configure --enable-* option name changed and the broken ones above are
>>>>>>>> ignored in favour of the auto-detected helpers.
>>>>>>>> The external-acl-helpers option however did not change, so you hit error
>>>>>>>> messages trying to build the differently named helpers.
>>>>>>>>
>>>>>>>> Run "ls -1 helpers/*/" to see all the new helper names. Note that the list
>>>>>>>> here is case sensitive.
>>>>>>>>
>>>>>>>>
>>>>>>>>> --enable-cache-digests \
>>>>>>>>> --enable-cachemgr-hostname=localhost \
>>>>>>>>> --enable-delay-pools \
>>>>>>>>> --enable-epoll \
>>>>>>>>> --enable-icap-client \
>>>>>>>>> --enable-ident-lookups \
>>>>>>>>> --enable-linux-netfilter \
>>>>>>>>> --enable-referer-log \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --enable-referer-log no longer exists. It is a built-in squid.conf
>>>>>>>> logformat type instead now.
>>>>>>>>
>>>>>>>>> --enable-removal-policies=heap,lru \
>>>>>>>>> --enable-snmp \
>>>>>>>>> --enable-ssl \
>>>>>>>>> --enable-storeio=aufs,diskd,ufs \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> NP: with 3.2 and later you probably want to build "rock" cache type as well.
>>>>>>>>
>>>>>>>>> --enable-useragent-log \
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --enable-useragent-log no longer exists. It is a built-in squid.conf
>>>>>>>> logformat type instead now.
>>>>>>>>
>>>>>>>>
>>>>>>>>> --enable-wccpv2 \
>>>>>>>>> --enable-esi \
>>>>>>>>> --with-aio \
>>>>>>>>> --with-default-user=squid \
>>>>>>>>> --with-filedescriptors=30000 \
>>>>>>>>> --with-dl \
>>>>>>>>> --with-openssl \
>>>>>>>>> --with-pthreads
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Amos
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
Received on Tue Jun 04 2013 - 06:56:00 MDT
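
The ./configure review in the quoted messages above, turned into a repeatable check. This is an added example, not code from the thread or from the Squid project; the function name `lint_configure_opts`, the `HELPER_SRC_DIR` variable and the default directory `helpers/external_acl` are assumptions. It reports options repeated with different values, the options the thread says were removed or renamed in squid-3.2, and external ACL helper names that do not match a helper source directory case-sensitively.

```shell
#!/bin/sh
# Added example: lint Squid 3.2+ ./configure options for the problems raised
# in this thread. Function name and HELPER_SRC_DIR are assumptions.
# Usage: lint_configure_opts <external_acl helper source dir> <options...>
lint_configure_opts() {
    helper_dir=$1; shift
    # 1. The same option given more than once with different values.
    printf '%s\n' "$@" | awk -F= '
        /^--[^=]+=/ {
            v = substr($0, length($1) + 2)
            if (($1 in seen) && seen[$1] != v)
                print "CONFLICT " $1 ": " seen[$1] " vs " v
            seen[$1] = v
        }'
    for opt in "$@"; do
        name=${opt%%=*}
        case $name in
            # 2. Options the thread reports as gone since squid-3.2.
            --enable-arp-acl)
                echo "REMOVED $name: drop it, --enable-eui is on by default" ;;
            --enable-referer-log|--enable-useragent-log)
                echo "REMOVED $name: now a squid.conf logformat type" ;;
            --enable-*-auth-helpers)
                scheme=${name#--enable-}; scheme=${scheme%-auth-helpers}
                echo "RENAMED $name: use --enable-auth-$scheme" ;;
            # 3. Helper names are case sensitive; each must be a source dir.
            --enable-external-acl-helpers)
                old_ifs=$IFS; IFS=,
                for h in ${opt#*=}; do
                    [ -d "$helper_dir/$h" ] && continue
                    near=$(ls -1 "$helper_dir" 2>/dev/null | grep -iFx -- "$h" | head -n 1)
                    echo "HELPER $h: not in $helper_dir${near:+ (did you mean $near?)}"
                done
                IFS=$old_ifs ;;
        esac
    done
}

# Run from the top of the source tree: sh lint.sh --prefix=/usr --enable-arp-acl ...
lint_configure_opts "${HELPER_SRC_DIR:-helpers/external_acl}" "$@"
```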
