Hi Eliezer,
yes it's working i got following lines related to LDAP in log:
2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking
localhost
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'localhost'
2013/11/13 00:47:28.348| Ip.cc(560) match: aclIpMatchIp:
'192.168.1.135:54208' NOT found
2013/11/13 00:47:28.348| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'localhost' is 0
2013/11/13 00:47:28.348| Acl.cc(354) matches: localhost result is false
2013/11/13 00:47:28.348| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=0
2013/11/13 00:47:28.348| Checklist.cc(299) matchNode: 0x7f655bf98768 simple
mismatch
2013/11/13 00:47:28.348| Checklist.cc(160) checkAccessList: 0x7f655bf98768
checking 'http_access deny !LDAP_Auth'
2013/11/13 00:47:28.348| Acl.cc(336) matches: ACLList::matches: checking
!LDAP_Auth
2013/11/13 00:47:28.348| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'LDAP_Auth'
2013/11/13 00:47:28.348| UserRequest.cc(360) authenticate: No connection
authentication type
2013/11/13 00:47:28.348| UserRequest.cc(115) UserRequest: initialised
request 0x7f655bf97520
2013/11/13 00:47:28.348| User.cc(67) User: Initialised auth_user
'0x7f655bf95200'.
2013/11/13 00:47:28.348| User.cc(153) ~User: Freeing auth_user
'0x7f655bf95200'.
2013/11/13 00:47:28.348| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| Acl.cc(259) cacheMatchAcl: ACL::cacheMatchAcl:
cache hit on acl 'LDAP_Auth' (0x7f655bc40a70)
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'LDAP_Auth' is 1
2013/11/13 00:47:28.349| Acl.cc(354) matches: !LDAP_Auth result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=0
2013/11/13 00:47:28.349| Checklist.cc(299) matchNode: 0x7f655bf98768 simple
mismatch
2013/11/13 00:47:28.349| Checklist.cc(160) checkAccessList: 0x7f655bf98768
checking 'http_access deny !InetAccess'
2013/11/13 00:47:28.349| Acl.cc(336) matches: ACLList::matches: checking
!InetAccess
2013/11/13 00:47:28.349| Acl.cc(319) checklistMatches:
ACL::checklistMatches: checking 'InetAccess'
2013/11/13 00:47:28.349| external_acl.cc(826) aclMatchExternal: memberof
check user authenticated.
2013/11/13 00:47:28.349| external_acl.cc(832) aclMatchExternal: memberof
user is authenticated.
2013/11/13 00:47:28.349| external_acl.cc(856) aclMatchExternal:
memberof("administrator InternetAccess") = lookup needed
2013/11/13 00:47:28.349| external_acl.cc(858) aclMatchExternal:
"administrator InternetAccess": entry=@0, age=0
2013/11/13 00:47:28.349| WARNING: external ACL 'memberof' queue overload.
Request rejected 'administrator InternetAccess'.
2013/11/13 00:47:28.349| Checklist.cc(146) markFinished: 0x7f655bf98768
answer DUNNO for aclMatchExternal exception
2013/11/13 00:47:28.349| Acl.cc(321) checklistMatches:
ACL::ChecklistMatches: result for 'InetAccess' is -1
2013/11/13 00:47:28.349| Acl.cc(354) matches: !InetAccess result is false
2013/11/13 00:47:28.349| Checklist.cc(275) matchNode: 0x7f655bf98768
matched=0 async=0 finished=1
2013/11/13 00:47:28.349| Checklist.cc(294) matchNode: 0x7f655bf98768
exception: DUNNO
2013/11/13 00:47:28.349| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x7f655bf98768 match found, calling back with DUNNO
2013/11/13 00:47:28.349| Checklist.cc(182) checkCallback:
ACLChecklist::checkCallback: 0x7f655bf98768 answer=DUNNO
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7fff35ef82a0
2013/11/13 00:47:28.349| UserRequest.cc(93) valid: Validated.
Auth::UserRequest '0x7f655bf97520'.
2013/11/13 00:47:28.349| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.349| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| FilledChecklist.cc(77) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| Checklist.cc(334) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7f655bf98768
2013/11/13 00:47:28.350| UserRequest.cc(121) ~UserRequest: freeing request
0x7f655bf97520
But it is far from understanding for me. I see many HEX based addresses,
what they are mean is not clear.
Thank you.
-----Oorspronkelijk bericht-----
From: Eliezer Croitoru
Sent: Tuesday, November 12, 2013 9:55 PM
To: Andrey ; squid-users_at_squid-cache.org
Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
external ACL 'memberof' queue overload
Hey Andrey,
You should add the "debug_options X" at squid.conf.
then reconfigure squid
then the lots of lines will appear in cache.log.
Eliezer
On 11/12/2013 10:19 PM, Andrey wrote:
> Hi Eliezer,
>
> Thank you for response. I tried to put your command:
> squid3 debug_options ALL,1 28,4 29,6 82,6
>
> But for me is not clear where data will appear?
>
> In cache.log:
>
> 2013/11/12 21:12:00 kid1| Starting new basicauthenticator helpers...
> 2013/11/12 21:12:00 kid1| helperOpenServers: Starting 1/20
> 'basic_ldap_auth' processes
> 2013/11/12 21:12:00 kid1| WARNING: external ACL 'memberof' queue
> overload. Request rejected 'administrator InternetAccess'.
>
> in syslog:
> Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: will start 1 kids
> Nov 12 21:11:20 ubuntu squid3[1883]: Squid Parent: (squid-1) process
> 1885 started
>
> Further, I use package from ubuntu 13.10:
> http://packages.ubuntu.com/search?lang=en&suite=saucy&searchon=names&keywords=squid3
>
>
> I do not use extern repository at all.
>
> And the output from squid3 -v:
>
> root_at_ubuntu:~# squid3 -v
> Squid Cache: Version 3.3.8
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' '--datadir=/usr/share/squid3'
> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline'
> '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
> '--enable-auth-digest=file,LDAP'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-auth-ntlm=fake,smb_lm'
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
> '--disable-translation' '--with-swapdir=/var/spool/squid3'
> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--enable-linux-netfilter'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
> 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
> 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
>
> Thank you.
>
>
> -----Oorspronkelijk bericht----- From: Eliezer Croitoru
> Sent: Tuesday, November 12, 2013 8:28 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING:
> external ACL 'memberof' queue overload
>
> Hey,
>
> I do not know this warning but you can try to add a verbose log using:
> debug_options ALL,1 28,4 29,6 82,6
>
> The above logs will show what comes and goes inside squid and from the
> external_acl to squid.
> are you using the basic auth from ubuntu or self compiled?
> Also if you can get the output of "squid -v".
>
> Thanks,
> Eliezer
>
> On 11/12/2013 06:33 PM, Andrey wrote:
>> Hi everyone
>>
>> During configuration of LDAP basic and group authentication methods by
>> Squid, a came across this error (/var/log/squid3/cache.log):
>>
>>
>>
>> Code:
>> WARNING: external ACL 'memberof' queue overload. Request rejected
>> 'administrator InternetAccess'.For basic authentication I use following
>> piece of code:
>>
>>
>>
>> Code:
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -u cn
>> -b "cn=Users,dc=dot,dc=lan" ubuntu.dot.lan
>> auth_param basic realm ubuntu.dot.lanThe test shows:
>>
>> Administrator Pa77w0rd
>>
>> OK.
>>
>> For LDAP groups I use this:
>>
>>
>>
>> Code:
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
>> -P -R -K -b "dc=dot,dc=lan" -f
>> "(&(cn=%v)(memberOf=cn=%a,cn=Users,dc=dot,dc=lan))" -D
>> nslcd-service_at_dot.lan -w "Pa77w0rd" -h ubuntu.dot.lan
>> The test shows:
>>
>> Administrator InternetAccess
>>
>> OK
>>
>>
>> My ACL list has following rules:
>>
>>
>> Code:
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl LDAP_Auth proxy_auth REQUIRED
>> acl ClientNet src 192.168.1.135
>> acl Block_site url_regex -i fb vk youtube
>> acl InetAccess external memberof InternetAccess
>>
>> And my Access/deny rules are:
>>
>>
>> Code:
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny Block_site
>> http_access allow InetAccess
>> http_access deny !LDAP_Auth
>> http_access allow ClientNet
>> http_access deny all
>>
>> Where is the problem? How to solve it?
>>
>> Thank you.
>
Received on Tue Nov 12 2013 - 23:58:14 MST
This archive was generated by hypermail 2.2.0 : Wed Nov 13 2013 - 12:00:03 MST