Hi All,
Recently we installed a new squid proxy (squid-2.5.STABLE12-18.9 on
SuSe 10) with LDAP authentication. Earlier we had a squid proxy with
ldap authentication. At that time, both LDAP and squid were running on
the same server and everything was fine. Now we installed a new linux
server and moved the squid service to it. LDAP is running on a
different server. Many users are now complaining that they are not
able to browse. Ever since I migrated all users to this new proxy
server, we are getting the following errors in /var/log/message file.
The same messages are displayed in /var/log/squid/cache.log
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
In cache.log these lines are also displayed.
WARNING: All deniedaccess processes are busy.
2009/02/17 11:34:40| WARNING: up to 5 pending requests queued
2009/02/17 11:34:40| Consider increasing the number of deniedaccess processes to at least 10 in your config file.
2009/02/17 11:34:44| aclMatchExternal: 'fullaccess' queue overload. Request rejected.
2009/02/17 11:34:44| aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
2009/02/17 11:34:44| aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Here is my external acl definition.
#eDir full Internet access
external_acl_type fullaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxyfullaccess,ou=groups,ou=services,o=org))" -Z
#eDir deny Internet access
external_acl_type deniedaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "pass" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxydenyaccess,ou=groups,ou=services,o=org))" -Z
#eDir limited Internet access
external_acl_type restrictedaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "pass" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxylimitaccess,ou=groups,ou=services,o=org))" -Z
This was the same configuration we had in our earlier setup and it was
working fine. Please suggest what the root cause could be for this
and help me resolve it.
Thanks in Advance,
Vinukaimal
Received on Tue Feb 17 2009 - 11:13:37 MST
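
An added example, not part of the original post: a small Python triage script that tallies the helper-saturation messages quoted above per external ACL, showing which helper is rejecting requests and the minimum process count Squid itself suggested. The sample log text is constructed from the two formats in the post, and the function and field names are hypothetical.

```python
import re

# Constructed sample: syslog and cache.log formats as quoted in the post,
# including records broken across lines by mail wrapping.
SAMPLE = """\
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess'
queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal:
'restrictedaccess' queue overload. Request rejected.
WARNING: All deniedaccess processes are busy.
2009/02/17 11:34:40| WARNING: up to 5 pending requests queued
2009/02/17 11:34:40| Consider increasing the number of deniedaccess
processes to at least 10 in your config file.
2009/02/17 11:34:44| aclMatchExternal: 'deniedaccess' queue
overload. Request rejected.
"""

REJECTED = re.compile(r"aclMatchExternal: '([^']+)' queue overload\. Request rejected\.")
BUSY = re.compile(r"WARNING: All (\S+) processes are busy\.")
SUGGEST = re.compile(r"Consider increasing the number of (\S+) processes to at least (\d+)")

def summarize(text):
    """Return {acl_name: {"rejected", "busy", "suggested"}} for a log excerpt."""
    # Collapse all whitespace so wrapped records match as a single line.
    flat = " ".join(text.split())
    report = {}

    def entry(name):
        return report.setdefault(name, {"rejected": 0, "busy": 0, "suggested": None})

    for name in REJECTED.findall(flat):
        entry(name)["rejected"] += 1      # a client request denied outright
    for name in BUSY.findall(flat):
        entry(name)["busy"] += 1          # every helper process was occupied
    for name, count in SUGGEST.findall(flat):
        e = entry(name)                   # keep the largest figure Squid logged
        e["suggested"] = max(e["suggested"] or 0, int(count))
    return report

if __name__ == "__main__":
    for acl, stats in sorted(summarize(SAMPLE).items()):
        print(f"{acl:18} rejected={stats['rejected']} busy={stats['busy']} "
              f"suggested_min_processes={stats['suggested']}")
```
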