I found a solution!
The problem was with IPv6.
When Squid tries to run the helper it asks for IPv6, which I have disabled.
Therefore, the following line appears in the logs:
WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
As far as I understand the process, Squid does not stop trying to restart the helper. Therefore the logs show:
WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'
The solution is to put the ipv4 flag in front of %LOGIN, just like this:
external_acl_type memberof ipv4 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" -D nslcd-service_at_dot.lan -w "Pa77w0rd" -h ubuntu.dot.lan
Thank you, everyone. Special thanks to Eliezer. debug_options is very helpful ;)
References:
http://squid-web-proxy-cache.1019090.n4.nabble.com/external-acl-td4662446.html
http://squid-web-proxy-cache.1019090.n4.nabble.com/Starting-helpers-with-ipv6-disabled-td4660978.html
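An added example, not code from this thread or from the Squid project: a small Python triage script for the failure mode described above. It pulls the external_acl_type directives out of squid.conf text, counts the two warnings from cache.log (the helper that cannot be started and the per-request queue-overload rejections), and reports whether a failing ACL's directive already carries the ipv4 flag when IPv6 is disabled on the proxy host. The sample config and log lines are constructed after the ones quoted in this thread (the timestamps, bind DN and password are placeholders), and the ipv6_disabled argument stands in for reading /proc/sys/net/ipv6/conf/all/disable_ipv6 on the real host so the script runs offline.

```python
"""Triage for a Squid external_acl_type helper that never starts and the
'queue overload' rejections that follow. Constructed example, not Squid code."""
import re
import shlex
from collections import Counter, defaultdict

# cache.log lines look like "YYYY/MM/DD HH:MM:SS.mmm| message"
LOG_LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\| (?P<msg>.*)$")
# Helper start failure and per-request rejection, as quoted in the thread.
CANNOT_RUN_RE = re.compile(r"WARNING: Cannot run '(?P<path>[^']+)' process\.?")
OVERLOAD_RE = re.compile(
    r"WARNING: external ACL '(?P<acl>[^']+)' queue overload\. "
    r"Request rejected '(?P<request>[^']*)'\.?"
)


def parse_external_acl_types(conf_text):
    """Map ACL name -> directive parts for every external_acl_type line.

    Layout: external_acl_type NAME [options] %FORMAT... /path/helper [args]
    Options (ttl=, children-max=, the ipv4/ipv6 flags, ...) precede the first
    %FORMAT token; the first token after the format tokens is the helper.
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("external_acl_type "):
            continue
        tokens = shlex.split(line)  # honours the double-quoted LDAP filter
        name, rest = tokens[1], tokens[2:]
        options = []
        while rest and not rest[0].startswith("%"):
            options.append(rest.pop(0))
        fmt = []
        while rest and rest[0].startswith("%"):
            fmt.append(rest.pop(0))
        directives[name] = {"options": options, "format": fmt,
                            "helper": rest[0] if rest else None, "args": rest[1:]}
    return directives


def scan_cache_log(log_text):
    """Count 'Cannot run' failures per helper path and overload rejections per ACL/request."""
    failed_helpers = Counter()
    rejections = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LOG_LINE_RE.match(raw)
        msg = m.group("msg") if m else raw  # tolerate lines without the timestamp prefix
        cr = CANNOT_RUN_RE.search(msg)
        if cr:
            failed_helpers[cr.group("path")] += 1
            continue
        ov = OVERLOAD_RE.search(msg)
        if ov:
            rejections[ov.group("acl")][ov.group("request")] += 1
    return failed_helpers, rejections


def diagnose(conf_text, log_text, ipv6_disabled):
    """Correlate config and log; return one finding per failing ACL (empty list if none).

    ipv6_disabled stands in for reading /proc/sys/net/ipv6/conf/all/disable_ipv6
    on the proxy host; it is passed in so that the example runs offline.
    """
    directives = parse_external_acl_types(conf_text)
    failed, rejected = scan_cache_log(log_text)
    findings = []
    for name, spec in directives.items():
        starts_failed = failed.get(spec["helper"], 0)
        n_rejected = sum(rejected.get(name, Counter()).values())
        if not starts_failed and not n_rejected:
            continue
        text = (f"external ACL '{name}': helper {spec['helper']} failed to start "
                f"{starts_failed}x, {n_rejected} request(s) rejected as queue overload")
        if ipv6_disabled and "ipv4" not in spec["options"]:
            text += ("; IPv6 is disabled on this host and the directive has no ipv4 flag "
                     "(add 'ipv4' before the %FORMAT token)")
        findings.append(text)
    return findings


# Constructed after the thread's squid.conf line; bind DN and password are placeholders.
HELPER_CMD = ('/usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" '
              '-f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" '
              '-D "cn=proxy-bind,cn=Users,dc=dot,dc=lan" -w "EXAMPLE-PASSWORD" -h ubuntu.dot.lan')
BROKEN_CONF = f"external_acl_type memberof %LOGIN {HELPER_CMD}\n"
FIXED_CONF = f"external_acl_type memberof ipv4 %LOGIN {HELPER_CMD}\n"

# Constructed cache.log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2013/11/13 15:24:01.051| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
2013/11/13 15:28:19.027| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 0
2013/11/13 15:28:19.091| external_acl.cc(822) aclMatchExternal: No helper entry available
2013/11/13 15:28:19.091| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 15:28:23.402| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
"""

if __name__ == "__main__":
    for finding in diagnose(BROKEN_CONF, SAMPLE_LOG, ipv6_disabled=True):
        print(finding)
```

Run against the real files with open("/etc/squid3/squid.conf").read() and the cache.log text; the point of correlating the two warnings is that the overload rejections are a symptom of the helper never having started, so the count of "Cannot run" lines, not the children-* tuning, is where to look first.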
-----Original Message-----
From: Andrey
Sent: Wednesday, November 13, 2013 3:34 PM
To: Eliezer Croitoru ; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload
Hi Eliezer,
I use this LDAP group helper with the following options:
external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl -P -R -K -b "dc=dot,dc=lan" -f "(&(cn=%v)(memberOf=cn=%g,cn=Users,dc=dot,dc=lan))" -D nslcd-service_at_dot.lan -w "Pa77w0rd" -h ubuntu.dot.lan
As you advised, I followed
http://wiki.squid-cache.org/KnowledgeBase/DebugSections
And the new line in squid.conf is:
debug_options 82,9 84,9
So it is now only about helpers.
I read
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html
once, and I already tried putting ttl=50 with no luck. I also set all the children-* options to 50, again with no luck.
Logs
I found strange behaviour in the log, which shows up at startup:
2013/11/13 15:24:01.051| WARNING: Cannot run '/usr/lib/squid3/ext_ldap_group_acl' process.
What is wrong here?
My cache.log during request:
2013/11/13 15:28:19.027| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 0
2013/11/13 15:28:19.027| Starting new basicauthenticator helpers...
2013/11/13 15:28:19.027| helperOpenServers: Starting 1/20 'basic_ldap_auth' processes
2013/11/13 15:28:19.034| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1322) helperDispatch: helperDispatch: Request sent to basicauthenticator #1, 23 bytes
2013/11/13 15:28:19.035| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
2013/11/13 15:28:19.035| helper.cc(1213) GetFirstAvailable: GetFirstAvailable: Least-loaded helper is overloaded!
2013/11/13 15:28:19.035| helper.cc(418) helperSubmit: helperSubmit: administrator Pa77w0rd
2013/11/13 15:28:19.090| helper.cc(901) helperHandleRead: helperHandleRead: 3 bytes from basicauthenticator #1
2013/11/13 15:28:19.091| helper.cc(910) helperHandleRead: helperHandleRead: 'OK
'
2013/11/13 15:28:19.091| helper.cc(926) helperHandleRead: helperHandleRead: end of reply found
2013/11/13 15:28:19.091| external_acl.cc(793) aclMatchExternal: acl="memberof"
2013/11/13 15:28:19.091| external_acl.cc(822) aclMatchExternal: No helper entry available
2013/11/13 15:28:19.091| external_acl.cc(826) aclMatchExternal: memberof check user authenticated.
2013/11/13 15:28:19.091| external_acl.cc(832) aclMatchExternal: memberof user is authenticated.
2013/11/13 15:28:19.091| external_acl.cc(856) aclMatchExternal: memberof("administrator InternetAccess") = lookup needed
2013/11/13 15:28:19.091| external_acl.cc(858) aclMatchExternal: "administrator InternetAccess": entry=@0, age=0
2013/11/13 15:28:19.091| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 15:28:19.092| helper.cc(1180) GetFirstAvailable: GetFirstAvailable: Running servers 1
-----Original Message-----
From: Eliezer Croitoru
Sent: Wednesday, November 13, 2013 12:15 PM
To: Andrey ; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload
Hey,
On 11/13/2013 06:25 AM, Andrey wrote:
> I did. All LDAP-related log info is in the previous message. However, I do
> not understand what all these codes mean.
Those messages show us what happens inside Squid, so we can understand what is causing the problem.
You can see the meaning of each log "number" here:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections
But all the hexes and surrounding stuff are irrelevant.
What is important for now is this:
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue overload. Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768 answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'InetAccess' is -1
It means that the external_acl helper is not doing its job, because of either a settings mismatch or a wrong function.
It will be clear once you stop squid and then:
1. enter the right debug_options in squid.conf.
2. start tapping the logs using "tail -f /var/log/squid/cache.log"
3. start squid
4. do only one or two requests on squid.
5. share the logs.
If you think there is private information in it, you can send it to me via personal email or strip any private data.
I do not know which helper you are using, but you are missing some parameters in squid.conf to allow the helper to work without problems.
You should consider looking at:
http://www.squid-cache.org/Versions/v3/3.3/cfgman/external_acl_type.html
and especially at the related "children" settings.
Eliezer
Received on Wed Nov 13 2013 - 17:53:58 MST