Re: [squid-users] external_acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 07 Oct 2013 00:11:24 +1300

On 6/10/2013 10:27 p.m., Kirill Kamyshnikov wrote:
> external_acl_type ldap_users ipv4 ttl=20 concurrency=10
> children-max=20 children-startup=5 %LOGIN
> /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b "o=garant" -v 3 -f
> "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
>
>
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(826) aclMatchExternal:
> ldap_users check user authenticated.
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(832) aclMatchExternal:
> ldap_users user is authenticated.
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(856) aclMatchExternal:
> ldap_users("kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant") =
> lookup needed
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(858) aclMatchExternal:
> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": entry=@0,
> age=0
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(861) aclMatchExternal:
> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": queueing a
> call.
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(863) aclMatchExternal:
> "kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant": return -1.
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1451) Start: fg lookup
> in 'ldap_users' for 'kam
> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant'
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1506) Start:
> externalAclLookup: looking up for 'kam
> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users'.
> 2013/10/06 13:15:15.737 kid1| external_acl.cc(1516) Start:
> externalAclLookup: will wait for the result of 'kam
> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' in 'ldap_users'
> (ch=0x7f8497088d38).
> ext_ldap_group_acl.cc(726): pid=4159 :group filter
> '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
> ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
> ext_ldap_group_acl.cc(587): pid=4159 :Connected OK
> ext_ldap_group_acl.cc(726): pid=4159 :group filter
> '(&(cn=0)(groupMembership=kam))', searchbase 'o=garant'
> ext_ldap_group_acl: WARNING: LDAP search error 'Invalid DN syntax'
> ext_ldap_group_acl.cc(726): pid=4159 :group filter
> '(&(cn=0)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))',
> searchbase 'o=garant'
> 2013/10/06 13:15:15.742 kid1| external_acl.cc(1367)
> externalAclHandleReply: externalAclHandleReply: reply="ERR "
> 2013/10/06 13:15:15.742 kid1| external_acl.cc(1276)
> external_acl_cache_add: external_acl_cache_add: Adding 'kam
> cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant' = DENIED
>
> Why cn=0?

Because the lookup was sent on concurrency channel number 0.

Hint: the helper does not support concurrency=10

> Check from command line:
> kam_at_april3:/etc/squid3# /usr/lib/squid3/ext_ldap_group_acl -d -R -P -b
> "o=garant" -v 3 -f "(&(cn=%v)(groupMembership=%g))" -s sub ldap.site
> kam cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant
> ext_ldap_group_acl.cc(587): pid=4227 :Connected OK
> ext_ldap_group_acl.cc(726): pid=4227 :group filter
> '(&(cn=kam)(groupMembership=cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant))',
> searchbase 'o=garant'
> OK

See, it works if you omit the concurrency channel number from the input.

Amos
Received on Sun Oct 06 2013 - 11:11:38 MDT
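
The field shift explained in the reply above, as an added example that is not part of the original message and is not Squid's or the helper's own code. It assumes the helper protocol's convention that, with `concurrency=` set, each request line starts with a numeric channel-ID that a concurrency-aware helper strips and echoes back in its reply; `group_filters`, `handle_concurrent` and the `is_member` callback are hypothetical names, and the request lines are constructed from the log in the post.

```python
import re

# Added illustration; not Squid's or ext_ldap_group_acl's own code.
FILTER = "(&(cn=%v)(groupMembership=%g))"  # -f template from the post
GROUP = "cn=fullaccess_users,ou=Proxy,ou=SERVICE,o=Garant"
# Constructed request lines, rebuilt from the log and the shell test above.
SQUID_LINE = "0 kam " + GROUP   # channel-ID 0 prefixed by Squid
CLI_LINE = "kam " + GROUP       # typed by hand, no channel-ID


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in a substituted value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filters(line):
    """Tokenise like a helper with no concurrency support: the first token
    is the user (%v), each later token is a group (%g)."""
    user, *groups = line.split()
    filters = []
    for group in groups:
        values = {"%v": ldap_escape(user), "%g": ldap_escape(group)}
        filters.append(re.sub(r"%[vg]", lambda m: values[m.group()], FILTER))
    return filters


def handle_concurrent(line, is_member):
    """Concurrency-aware handling: strip the channel-ID, look up the rest,
    and put the same channel-ID in front of the OK/ERR reply.
    is_member(user, group) is a hypothetical stand-in for the LDAP search."""
    channel, _, request = line.partition(" ")
    if not channel.isdigit():
        raise ValueError("expected a numeric channel-ID prefix")
    user, *groups = request.split()
    ok = any(is_member(user, group) for group in groups)
    return "%s %s" % (channel, "OK" if ok else "ERR")


if __name__ == "__main__":
    for label, line in (("squid", SQUID_LINE), ("shell", CLI_LINE)):
        for flt in group_filters(line):
            print(label, flt)
    print(handle_concurrent(SQUID_LINE, lambda u, g: (u, g) == ("kam", GROUP)))
```

Run as a script, the `squid` lines reproduce the two filters from the debug log (`cn=0` with `kam` taken as a group, then `cn=0` with the real group DN), and the `shell` line reproduces the filter that returned OK.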
