RE: [squid-users] external_acl_type ttl not working? or not as I understand?

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 1 Jun 2005 12:30:24 -0800

> -----Original Message-----
> From: Mike Brentlinger [mailto:msbrentlinger@gmail.com]
> Sent: Wednesday, June 01, 2005 10:23 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] external_acl_type ttl not working? or not as I
> understand?
>
>
> I'm trying to conjure up a replacement to Novell BorderManager +
> Client Trust for transparent auth in a Novell environment. There are
> some squid proxy auth things it seems, however they require that the
> user be prompted to enter a user+pass... not really ideal. Instead
> users should not have to think about logging on. I know ident can be
> spoofed but for this test it's not a huge issue so got the following to
> work on squid 2.5 stable 5:
>
> external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
> acl group1 external ldap_lookup
> http_access allow group1
>
> where /tmp/ldaplookup.pl is
> #!/usr/bin/perl
> # Squid external_acl_type helper: reads one %IDENT value per line from
> # Squid and answers OK or ERR depending on membership in the LDAP group.
> use strict;
> use warnings;
> $| = 1;    # unbuffered output, Squid waits for each answer line
>
> # Stop when Squid closes the pipe; an unguarded <STDIN> spins on EOF.
> while ( defined( my $input = <STDIN> ) ) {
>     chomp($input);
>     open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member |'
>         or die "Can't ldapsearch :$!";
>     my $found        = 0;
>     my $fullusername = '';
>     while (<LDAPSEARCH>) {
>         # \Q...\E: the ident string is untrusted input, match it literally
>         if ( $_ =~ /cn=\Q$input\E,/i ) {
>             $found = 1;
>             /member: (.*)/i;
>             $fullusername = $1;
>             last;
>         }
>     }
>     close LDAPSEARCH;
>     if ( $found == 0 ) {
>         print 'ERR ERROR="' . $input . ' not a valid internet user"' . "\n";
>     }
>     else {
>         print 'OK USER="' . $fullusername . ' authorized internet user"' . "\n";
>     }
> }
>
>
> and my client is running
> http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip
>
>
> everything works except the ttl isn't as I thought... eg: my client
> tries to hit a page, squid ident requests my client, which responds,
> then squid uses my script to see if that user name is in the
> "internet" group as returned from my ldap search. If the user's in the
> group the page is served, if not, they get access denied.
>
> so my question is this... if I immediately shut down my identd on my
> client, squid starts denying access immediately. A net sniff shows
> that squid is doing an ident query for every access request. I would
> have expected with the ttl=120 that squid wouldn't query until 2
> minutes later. This seems like a lot of needless ident traffic and
> when I start piling on users I'll be doing more ident and ldap lookups
> than web proxying.
>
> I suppose I just misunderstand the ttl option. Is there any way to get
> squid to only ask for this ident auth at some specified timeout and
> not for every page request?
>
> any help would be greatly appreciated.

The TTL value specified is how long Squid caches the result for the external
ACL. So (as it stands now) if you authenticate, and then shut down the LDAP
server (or revoke the account), you'll be able to continue surfing for two
minutes. Move the ident lookup to the Perl script, and you should see a
reduction in network traffic.

Chris
Received on Wed Jun 01 2005 - 14:30:35 MDT
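Chris's suggestion carried through, as an added example that is not code from either poster: a Squid external_acl_type helper in Python that does the RFC 1413 ident query itself, then checks the returned name against the `member` attributes of the LDAP group in `ldapsearch -LLL` output, the way the quoted Perl script does but without interpolating the ident string into a regex and without spinning when Squid closes the pipe. Everything about the deployment is assumed: the squid.conf lines in the docstring, the `%SRC %MYPORT` input format, the helper path, the `error=` keyword (Squid 2.5 spelling; newer Squid uses `message=`), and, most importantly, the fallback client port: RFC 1413 answers are bound to a live connection's port pair, which Squid 2.5 does not pass to the helper, so the fallback only works with an identd that answers alike for any pair.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that performs the ident lookup itself.

Added example for this thread, not code from either poster.  Assumed squid.conf
(the path and ACL names are assumptions):

    external_acl_type ident_group ttl=120 %SRC %MYPORT /usr/local/bin/ident_group.py
    acl group1 external ident_group
    http_access allow group1

Squid keys its ttl cache on the line it sends the helper, so with only the
client address and proxy port in it, the helper (ident query plus ldapsearch)
runs at most once per client per 120 s instead of once per request.
"""
import socket
import subprocess
import sys

IDENT_PORT, IDENT_TIMEOUT = 113, 3.0
# RFC 1413 answers are tied to one TCP connection's port pair.  Squid 2.5
# (the thread's version) does not hand the helper the client's source port,
# so this fallback assumes the client's identd answers alike for any pair.
FALLBACK_CLIENT_PORT = 1
LDAPSEARCH = ["ldapsearch", "-LLL", "-x", "-h", "server", "(cn=Internet)", "member"]


def parse_ident_response(line):
    """Return the user-id from an RFC 1413 reply ("sport , cport : USERID :
    opsys : user-id"), or None for an ERROR reply or a malformed line."""
    parts = line.strip().split(":", 3)
    if len(parts) < 4 or parts[1].strip().upper() != "USERID":
        return None
    return parts[3].strip() or None


def ident_query(client_ip, server_port, client_port, timeout=IDENT_TIMEOUT):
    """Ask the identd on client_ip who owns client_port -> server_port."""
    try:
        with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
            s.sendall(("%d , %d\r\n" % (server_port, client_port)).encode("ascii"))
            line = s.makefile("r", encoding="ascii", errors="replace").readline(512)
    except OSError:
        return None
    return parse_ident_response(line)


def parse_members(ldif_text):
    """Collect the member DNs from ldapsearch -LLL output, unfolding LDIF
    continuation lines (leading space).  Base64 "member::" values are skipped."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l[7:].strip() for l in lines
            if l[:7].lower() == "member:" and l[:8].lower() != "member::"]


def find_member(ident_user, members):
    """Return the DN whose leftmost RDN is cn=<ident_user>, or None.  Plain
    string comparison: the ident string is untrusted and must not become
    part of a regex, as it does in the quoted Perl script."""
    wanted = "cn=%s," % ident_user.lower()
    for dn in members:
        if dn.lower().startswith(wanted):
            return dn
    return None


def quote(value):
    """Quote a keyword value for the helper line protocol, escaping \\ and "."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def process(fields, ident_fn=ident_query, ldif_fn=None):
    """Answer one request line from Squid; fields are the %SRC %MYPORT tokens.
    ident_fn/ldif_fn are injectable so the logic can be exercised offline."""
    client_ip = fields[0]
    my_port = int(fields[1]) if len(fields) > 1 else 3128
    user = ident_fn(client_ip, my_port, FALLBACK_CLIENT_PORT)
    if user is None:
        return "ERR error=" + quote("no ident answer from " + client_ip)
    ldif = ldif_fn() if ldif_fn else subprocess.run(
        LDAPSEARCH, capture_output=True, text=True, check=False).stdout
    if find_member(user, parse_members(ldif)) is None:
        return "ERR error=" + quote(user + " is not in the Internet group")
    return "OK user=" + quote(user)


def main():
    # Iterating sys.stdin ends when Squid closes the pipe; the quoted Perl
    # script's unguarded <STDIN> loop spins on that EOF.
    for line in sys.stdin:
        fields = line.split()
        if fields:
            print(process(fields), flush=True)


if __name__ == "__main__":
    main()
```

The trade-off Chris describes still holds: with `ttl=120` Squid serves a cached OK for up to two minutes after the identd is stopped or the account leaves the group, so the ttl is a balance between lookup traffic and how quickly a revocation takes effect. The ident answer is also still only as trustworthy as the client host that produces it, which is the limitation the original poster accepted for the test.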

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:02 MDT