Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 13 Nov 2013 22:43:59 +0200

OK got it.
The basic issue is that the helper is trying to use IP?
I am trying to understand something about the docs and about the situation.
  external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan))" -D nslcd-service_at_dot.lan -w "Pa77w0rd" -h ubuntu.dot.lan

Which ext_ldap_group_acl is that? The one provided by squid?
It is a helper which is supposed to communicate with squid via STDIN\STDOUT
and errors via STDERR.

Correct me about the above if I am wrong.
This might also help me to understand the meaning of IPv4\IPv6 in
the docs about external_acl:
http://wiki.squid-cache.org/Features/IPv6#How_do_I_make_squid_use_IPv6_to_its_helpers.3F

I am still unsure what it tries to do, but:
In Linux "everything is a file"; even the hardware is supposed to be a file.
It is not always in the hands of the admin to spare the
replacement of very pricey devices which should be left alone with a
tested piece of internal firmware!
Other than that, the Linux OS uses, for example, 3 channels of communication
between the user terminal\screen and the user\admin.
The whole communication channel is supposed to be "one" FD, and I may be
wrong, but STDIN\STDOUT\STDERR is a communication channel between a user
and the computer in a command-line interaction.
There are many other ways to do that, but leave it at that.

So an FD is a way for the kernel and other sources to communicate.
It can be a FILE on disk which has read\write channels, or a TCP socket
that has a read\write channel, or a UDP socket which is a bit more
complex to understand as a communication channel since it's a
"datagram" channel.

There is also the "unix" socket which is called a *pipe*, which I do not
remember right now how it works, since it cannot be used by read+write
channels in the same second, if I do remember right.

Squid as a server emulates, for software like the external_acl helper,
a communication channel as if it (squid) were a terminal user that is now
interacting with the software\script.
So squid has STDIN\STDOUT\STDERR on a "screen" (virtual, inside the
software), and then when a client sends a request squid, by the ACL rules,
"consults" the helper using STDIN (for the software, while STDOUT for
squid) and then considers the "offer" that corresponds to the request in
STDOUT (of the software, while being squid's STDIN), and any STDERR
messages are logged into the cache.log.

So the external_acl helper is like an interviewer for each request's basic
"looks", such as src-IP and\or request-url and\or other parameters
available to squid.

So as Amos suggested there might be a misconfiguration in the squid
ACLs order that forces the mentioned symptoms.

The logs can help determine the state of each request and the status of
each ACL, and while doing so you can see in the logs that the problem is
still there:
"2013/11/13 20:29:13.689| WARNING: Cannot run
'/usr/lib/squid3/ext_ldap_group_acl' process."

The line you see in the logs:
"2013/11/13 20:29:13.689| ERROR: Failed to create helper child read FD:
TCP [::1]"
is a general line that you will see when the OS is trying to bind some
socket, whatever it is, using the TCP IPv6 protocol.

Disabling the IPv6 sockets from the Linux OS\kernel is not really
possible, since once it is enabled it is there unless on the next reboot
you do not load it.
(I am wrong in case there were some changes in the Linux kernel and IPv6
modules.)

There might be a chance of converting the STD channel from one channel
to a TCP channel, but I am not sure that the kernel developers will apply
it so soon.

Try to force squid to bind the IPv4 address of squid in http_port like:
http_port 127.0.0.1:3128

which might cause the comm bind error to be gone from the logs.

Here if you need me,
Eliezer
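The STDIN\STDOUT\STDERR exchange described above, as an added example that is not part of the original mail and is not Squid's own ext_ldap_group_acl: a minimal external ACL helper in Python. It assumes the request line shape that `external_acl_type memberof %LOGIN` plus an `acl ... external memberof GROUP` line produces (an optional channel-id when `concurrency=N` is configured, then the login, then one or more group names, URL-encoded by Squid), answers `OK` or `ERR` on STDOUT, and logs to STDERR, which Squid writes into cache.log. The group table, user names and base DN are constructed stand-ins for the directory; the filter-escaping function shows the RFC 4515 escaping a helper must apply before it places `%v`/`%a` values into an LDAP filter like the `-f` argument quoted above.

```python
"""Minimal Squid external ACL helper (added example, not Squid code).

Protocol as assumed here:
    Squid -> helper STDIN : [channel-id] <login> <group> [<group> ...]
    helper STDOUT -> Squid: [channel-id] OK | ERR [key=value ...]
    helper STDERR         : free-form diagnostics, landing in cache.log
"""
import sys
import urllib.parse

# Constructed in-memory membership table standing in for the LDAP directory
# (hypothetical users and groups; nothing from the original thread).
GROUPS = {
    "proxy-users": {"alice", "bob"},
    "proxy-admins": {"alice"},
}

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a value before it goes into an LDAP search filter, so a login
    such as "*)(cn=*" cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user, group, base="dc=example,dc=invalid"):
    """Render the same (&(cn=%v)(memberOf=...)) shape as the thread's -f
    argument, with %v and %a filled from escaped helper input.
    The base DN is a placeholder, not the thread's real one."""
    return "(&(cn=%s)(memberOf=cn=%s,cn=Users,%s))" % (
        escape_filter_value(user), escape_filter_value(group), base)


def is_member(user, group):
    """Directory lookup stand-in: consult the constructed table."""
    return user in GROUPS.get(group, set())


def handle_line(line, concurrent=False):
    """Turn one request line read on the helper's STDIN (Squid's STDOUT)
    into the reply written on the helper's STDOUT (Squid's STDIN)."""
    fields = line.rstrip("\r\n").split()
    prefix = ""
    if concurrent:
        # With concurrency=N Squid prefixes a channel-id that must be echoed
        # back so it can match this answer to the pending request.
        if not fields:
            return "ERR"
        prefix = fields.pop(0) + " "
    if len(fields) < 2:
        # Malformed request: deny rather than guess.
        return prefix + "ERR message=malformed_request"
    # Assumption: Squid URL-encodes the values (spaces become %20 etc.).
    user = urllib.parse.unquote(fields[0])
    groups = [urllib.parse.unquote(g) for g in fields[1:]]
    # Every group named on the acl line is offered; any match grants OK.
    if any(is_member(user, g) for g in groups):
        return prefix + "OK"
    return prefix + "ERR"


def main():
    # Hypothetical flag; pass it when the squid.conf line has concurrency=N.
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        reply = handle_line(line, concurrent)
        # Diagnostics go to STDERR, which Squid copies into cache.log.
        sys.stderr.write("memberof helper: %r -> %s\n" % (line.strip(), reply))
        sys.stdout.write(reply + "\n")
        # Squid blocks on the pipe; unflushed output would stall the request
        # and let the helper queue fill up.
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand the way Squid would, typing `alice proxy-users` on its STDIN and watching `OK` appear on STDOUT while the diagnostic line lands on STDERR; with Squid's `concurrency=N`, start it with `--concurrent` and prefix each line with a channel number. The explicit `flush()` after every reply is the detail that matters for the queue-overload warning in the subject: a helper that buffers its STDOUT never answers, so Squid keeps spawning children until the queue is full.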

On 11/13/2013 09:36 PM, Andrey wrote:
> I think helper tries to access the IPv6 of the server (I'm not sure!),
> but IPv6 is disabled:
> /etc/sysctl.conf
>
> # Disable IPv6
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
>
> #Enable IPv4 forward
> net.ipv4.ip_forward = 1
> net.ipv4.conf_all.rp_filter=1
>
> Here is the log without ipv4, well debug_options:82,9 84,9, I do not
> know what is meaning of FD socket (No info on inet):
Received on Wed Nov 13 2013 - 20:44:06 MST
