Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

Hi Eliezer,

Thank you for response. I tried to put your command:
squid3 debug_options ALL,1 28,4 29,6 82,6

But for me is not clear where data will appear?

In cache.log:

2013/11/12 21:12:00 kid1| Starting new basicauthenticator helpers...
2013/11/12 21:12:00 kid1| helperOpenServers: Starting 1/20 'basic_ldap_auth'
processes
2013/11/12 21:12:00 kid1| WARNING: external ACL 'memberof' queue overload.
Request rejected 'administrator InternetAccess'.

in syslog:
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: will start 1 kids
Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: (squid-1) process 1885
started

Further, I use package from ubuntu 13.10:
http://packages.ubuntu.com/search?lang=en&suite=saucy&searchon=names&keywords=squid3

I do not use extern repository at all.

And the output from squid3 -v:

root_at_ubuntu:~# squid3 -v
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu'
'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
 -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2'
'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security'

Thank you.

-----Oorspronkelijk bericht-----
From: Eliezer Croitoru
Sent: Tuesday, November 12, 2013 8:28 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof' queue overload

Hey,

I do not know this warning but you can try to add a verbose log using:
debug_options ALL,1 28,4 29,6 82,6

The above logs will show what comes and goes inside squid and from the
external_acl to squid.
are you using the basic auth from ubuntu or self compiled?
Also if you can get the output of "squid -v".

Thanks,
Eliezer

On 11/12/2013 06:33 PM, Andrey ‪ wrote:
> Hi everyone
>
> During configuration of LDAP basic and group authentication methods by
> Squid, a came across this error (/var/log/squid3/cache.log):
>
>
>
> Code:
> WARNING: external ACL 'memberof' queue overload. Request rejected
> 'administrator InternetAccess'.For basic authentication I use following
> piece of code:
>
>
>
> Code:
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
> -b "cn=Users,dc=dot,dc=lan" ubuntu.dot.lan
> auth_param basic realm ubuntu.dot.lanThe test shows:
>
> Administrator Pa77w0rd
>
> OK.
>
> For LDAP groups I use this:
>
>
>
> Code:
> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
> -P -R -K -b "dc=dot,dc=lan" -f
> "(&(cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan))" -D
> nslcd-service_at_dot.lan -w "Pa77w0rd" -h ubuntu.dot.lan
> The test shows:
>
> Administrator InternetAccess
>
> OK
>
>
> My ACL list has following rules:
>
>
> Code:
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl LDAP_Auth proxy_auth REQUIRED
> acl ClientNet src 192.168.1.135
> acl Block_site url_regex -i fb vk youtube
> acl InetAccess external memberof InternetAccess
>
> And my Access/deny rules are:
>
>
> Code:
> http_access allow localhost manager
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny Block_site
> http_access allow InetAccess
> http_access deny !LDAP_Auth
> http_access allow ClientNet
> http_access deny all
>
> Where is the problem? How to solve it?
>
> Thank you.
Received on Tue Nov 12 2013 - 20:19:54 MST