Hello guys,
I need some help.
I have a Squid server where the users are accessing the Internet
without authentication, and I have configured Squid to authenticate
with Active Directory and it is working fine in the lab environment,
but when I tried to use it during business hours I had some problems
that I guess are just a hardware limitation, but I am not sure about
that and maybe I can get a better configuration than this.
I have tried to use the following conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl proxy_users external wbinfo_group_helper proxy_users
acl users_AD proxy_auth REQUIRED
http_access allow users_AD proxy_users
http_access deny all
When I use the conf like that I get the following error message:
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
aclMatchExternal: 'wbinfo_group_helper' queue overload. Request rejected.
WARNING: All ntlmauthenticator processes are busy.
and some users could authenticate on the AD but others had problems.
I increased the number of children for the auth_ntlm and
external_acl gradually until the error was gone
(I have about 4000 users):
auth_param ntlm children 50
auth_param basic children 50
external_acl_type wbinfo_group_helper ttl=900 children=125 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
The problem after that was that the CPU utilization went to 100%, and
the users got stuck due to access performance. The average process
number of the server went to 400. I have tried some things to decrease
the CPU utilization, such as stripping the header of wbinfo and turning
off logging, but without success.
I would like to understand the parameters in the line
of external_acl_type. Should I use the children command or concurrency?
What is the difference? And how does the ttl parameter work?
So, I did a fallback and I wonder if I can solve it
by changing my configuration.
Thanks in advance for any help.
Rodrigo D.
Received on Mon Oct 04 2004 - 12:25:25 MDT