[squid-users] squid_ldap_group

From: Gonzalo Morera <gmorera_at_novell.com>
Date: Mon, 31 Jan 2011 08:45:34 +0000

Hi all

After getting familiar with squid_ldap_auth, I'm still having some issues with squid_ldap_group.
I'm getting familiar with Squid ACLs (I've been working in recent years with Novell BorderManager, which is quite different) and I cannot make it work.
I've got two groups, internet_r and internet_nr.

I'm using a .pl file to allow users with the Novell client installed to access the internet transparently. That works fine, as the .pl script gets the network IP address of the client. But with no Novell client installed, the default ldap_auth method has to be used, so users get a login page to enter name and password. After doing so, the same page appears, and after 3 times an access denied is seen. No matter whether I use a user in group internet_r (with access) or internet_nr (no access), the results are the same: the login page keeps returning until the access denied. So I'm doing something wrong with squid_ldap_group and the ACL.
Looking at LAN traces, I saw nothing, and the access.log file showed no errors, only the URL the user wanted to go to. /var/log/messages showed no indication of any error either. So how can I see in more detail what is happening?

This is my squid.conf:

#Recommended minimum configuration:

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=squid,o=laboratorio -w novell -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#Default:
# none
#external_acl_type directory_group %LOGIN /usr/sbin/squid_ldap_group -R -b "ou=servicios,o=laboratorio" -D "cn=admin,o=laboratorio" -w "synergy" -f "(&(objectClass=person)(uid=%v)(groupMembership=cn=%a,ou=servicios,o=laboratorio))" -h 192.168.0.205 -p 389
#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
#this one works: external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -R -b "o=laboratorio" -D "cn=squid,o=laboratorio" -w "novell" -f "(&(objectClass=inetOrgPerson)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D cn=squid,o=laboratorio -w "novell" -b o=laboratorio -s sub -f "(&(objectClass=User)(cn=%u)(groupMembership=%g))" -h 192.168.0.205 -p 389

Messages look good when loading:

Jan 27 12:26:59 oes2sp1 squid[11312]: Squid Parent: child process 11314 started
Jan 27 12:26:59 oes2sp1 squid[11314]: Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
Jan 27 12:26:59 oes2sp1 squid[11314]: Process ID 11314
Jan 27 12:26:59 oes2sp1 squid[11314]: With 4096 file descriptors available
Jan 27 12:26:59 oes2sp1 squid[11314]: DNS Socket created at 0.0.0.0, port 32788, FD 6
Jan 27 12:26:59 oes2sp1 squid[11314]: Adding nameserver 192.168.0.26 from /etc/resolv.conf
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 8 'squidGuard' processes
Jan 27 12:26:59 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_auth' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_edir_iplookup.pl' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: helperOpenServers: Starting 5 'squid_ldap_group' processes
Jan 27 12:27:00 oes2sp1 squid[11314]: User-Agent logging is disabled.
Jan 27 12:27:00 oes2sp1 squid[11314]: Referer logging is disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Unlinkd pipe opened on FD 34
Jan 27 12:27:01 oes2sp1 squid[11314]: Swap maxSize 1048576 KB, estimated 80659 objects
Jan 27 12:27:01 oes2sp1 squid[11314]: Target number of buckets: 4032
Jan 27 12:27:01 oes2sp1 squid[11314]: Using 8192 Store buckets
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Mem size: 102400 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Max Swap size: 1048576 KB
Jan 27 12:27:01 oes2sp1 squid[11314]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 27 12:27:01 oes2sp1 squid[11314]: Rebuilding storage in /var/cache/squid (DIRTY)
Jan 27 12:27:01 oes2sp1 squid[11314]: Using Least Load store dir selection
Jan 27 12:27:01 oes2sp1 squid[11314]: Set Current Directory to /var/cache/squid
Jan 27 12:27:01 oes2sp1 squid[11314]: Loaded Icons.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting HTTP connections at 0.0.0.0, port 3128, FD 36.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting ICP messages at 0.0.0.0, port 3130, FD 37.
Jan 27 12:27:01 oes2sp1 squid[11314]: HTCP Disabled.
Jan 27 12:27:01 oes2sp1 squid[11314]: Accepting SNMP messages on port 3401, FD 38.
Jan 27 12:27:01 oes2sp1 squid[11314]: WCCP Disabled.
Jan 27 12:27:02 oes2sp1 squid[11314]: Ready to serve requests.
Jan 27 12:27:02 oes2sp1 squid[11314]: Done reading /var/cache/squid swaplog (1864 entries)
Jan 27 12:27:02 oes2sp1 squid[11314]: Finished rebuilding storage from disk.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Entries scanned
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Invalid entries.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 With invalid flags.
Jan 27 12:27:02 oes2sp1 squid[11314]: 1864 Objects loaded.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects expired.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Objects cancelled.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Duplicate URLs purged.
Jan 27 12:27:02 oes2sp1 squid[11314]: 0 Swapfile clashes avoided.
Jan 27 12:27:02 oes2sp1 squid[11314]: Took 1.7 seconds (1096.5 objects/sec).
Jan 27 12:27:02 oes2sp1 squid[11314]: Beginning Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Completed Validation Procedure
Jan 27 12:27:02 oes2sp1 squid[11314]: Validated 1864 Entries
Jan 27 12:27:02 oes2sp1 squid[11314]: store_swap_size = 27684k
Jan 27 12:27:03 oes2sp1 squid[11314]: storeLateRelease: released 0 objects

Thanks a lot

gonzalo
Received on Mon Jan 31 2011 - 08:45:44 MST
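The post asks how to see what the group lookup is actually doing. The usual way is to drive the helper by hand over stdin, exactly as Squid does. As an added example (not part of the original post and not the Squid project's code), the script below speaks the same line protocol Squid uses for an `external_acl_type ... %LOGIN` helper, "user group" in and a single "OK" or "ERR" out, against a constructed in-memory copy of the o=laboratorio tree so it runs with no LDAP server. The entries, user names and DNs are invented, and the RFC 4515 escaping and the tiny AND-of-equality filter evaluator are this example's own. It also shows two things a practitioner checks: a DN-valued attribute such as eDirectory's groupMembership only matches when the acl line passes the group's full DN, not the bare name, and values substituted into a filter must be escaped, otherwise a login like `*)(cn=*` turns `(cn=%u)` into a wildcard and anyone in the group gets an OK for that user.

```python
#!/usr/bin/env python3
"""Offline stand-in for a Squid %LOGIN group helper (added example).

Squid drives an external_acl_type helper over stdin/stdout: one request per
line, here "<user> <group...>", and exactly one reply line, "OK" or "ERR".
This script implements that protocol against a constructed in-memory copy of
the eDirectory tree named in the post (o=laboratorio), so it needs no LDAP
server. It is not squid_ldap_group's code; the escaping and the small filter
evaluator are this example's own.
"""
import re
import sys
from urllib.parse import unquote

# Same template shape as the post's -f argument for squid_ldap_group.
TEMPLATE = "(&(objectClass=User)(cn=%u)(groupMembership=%g))"

# Constructed sample entries standing in for the directory at 192.168.0.205.
# Attribute names are stored lower-cased. groupMembership is DN-valued in
# eDirectory, so it holds the group's full DN, not the bare group name.
DIRECTORY = [
    {"cn": ["gonzalo"], "objectclass": ["User", "inetOrgPerson"],
     "groupmembership": ["cn=internet_r,ou=servicios,o=laboratorio"]},
    {"cn": ["maria"], "objectclass": ["User", "inetOrgPerson"],
     "groupmembership": ["cn=internet_nr,ou=servicios,o=laboratorio"]},
    {"cn": ["squid"], "objectclass": ["User"], "groupmembership": []},
]

_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")   # one (attr=value) term
_ESC = re.compile(r"\\([0-9a-fA-F]{2})")                # \xx escape in a value


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    login such as "*)(cn=*" cannot widen the query (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template: str, user: str, group: str) -> str:
    """Substitute %u and %g into the template in one pass, escaping both."""
    values = {"u": ldap_escape(user), "g": ldap_escape(group)}
    return re.sub(r"%([ug])", lambda m: values[m.group(1)], template)


def filter_matches(entry: dict, flt: str) -> bool:
    """Evaluate an AND-of-equality filter, (&(a=b)(c=d)...), against one
    entry. Only this shape is supported. Names and values compare
    case-insensitively, as cn and DN-syntax attributes do in eDirectory."""
    terms = _TERM.findall(flt)
    if not terms:
        return False
    for attr, raw in terms:
        wanted = _ESC.sub(lambda m: chr(int(m.group(1), 16)), raw).lower()
        if wanted not in [v.lower() for v in entry.get(attr.lower(), [])]:
            return False
    return True


def handle_line(line: str, directory: list, template: str = TEMPLATE) -> str:
    """One helper request in, "OK" or "ERR" out. The user is OK if any group
    named on the acl line matches; anything malformed is ERR, never OK."""
    parts = line.strip().split()
    if len(parts) < 2:
        return "ERR"
    user = unquote(parts[0])            # Squid url-encodes the %LOGIN value
    for group in (unquote(p) for p in parts[1:]):
        flt = build_filter(template, user, group)
        if any(filter_matches(e, flt) for e in directory):
            return "OK"
    return "ERR"


if __name__ == "__main__":
    # Reply and flush after every line: Squid waits for each answer before
    # it sends the next request to this helper instance.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request, DIRECTORY) + "\n")
        sys.stdout.flush()
```

Saved as, say, group_helper.py, `printf 'gonzalo cn=internet_r,ou=servicios,o=laboratorio\n' | python3 group_helper.py` prints OK, while `printf 'gonzalo internet_r\n' | ...` prints ERR because the bare name never equals a DN. Piping the same "user group" line into the real `/usr/sbin/squid_ldap_group` with the `-b`, `-D`, `-w` and `-f` arguments from squid.conf is the quickest way to see whether the helper itself or the acl wiring is the part returning ERR.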

This archive was generated by hypermail 2.2.0 : Mon Jan 31 2011 - 12:00:04 MST