RE: [squid-users] Squid not communicating with Helper Processes

2011-11-28 Thread Christian Zink


Hi Amos,

I didn't know that "fast" checks don't trigger external lookups.
Thank you for clarifying this.

Greets 

Christian 


> Date: Tue, 29 Nov 2011 00:30:01 +1300
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid not communicating with Helper Processes
>
> On 28/11/2011 11:29 p.m., Christian Zink wrote:
> > Finally i've got it!
> > After searching in the buglist i found a case describing Problems if you 
> > use both authentication and external helpers.
> > So i tried to disable authentication and use only squid_ldap_group external 
> > helper:
> >
> > auth_param digest program /usr/lib64/squid/digest_ldap_auth -H 
> > ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" -u "uid" -A 
> > "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
> > "/etc/squid/digestreader_cred"
> > auth_param digest children 1
> > auth_param digest realm Proxy
> > #acl ldap proxy_auth REQUIRED
> > external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
> > ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f 
> > (&(memberuid=%u)(cn=%g)) -D uid=digestreader,dc=drv,dc=drv -w digestpw 
> > -d
> > acl ldap_download external ldap_group download
> > acl ldap_browse external ldap_group browse
> > cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
> > cache_peer_access download.proxy deny !ldap_download
> > cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
> > cache_peer_access browse.proxy allow ldap_browse
> > http_access allow ldap_download
> > http_access allow ldap_browse
> >
> > And voila, not only the ldap group check worked, but it also still needed 
> > authentication first! I don't know if it's a bug, or intended ... but if you 
> > use "acl ldap proxy_auth REQUIRED" there will be no other request to an 
> > external helper again ... without it it works as desired. In my eyes maybe 
> > it's a feature to also authenticate if I use external_helper, but it should 
> > also work with this acl. Perhaps someone could explain the ideas behind 
> > this.
>
> It is exactly what you configured within the Squid Access Control
> designs. %LOGIN means "authenticated username", implying that one must
> be logged in for the ACL to be tested. When possible Squid will look up
> requirements for ACL tests, such as this username.
>
> The difference between the above working config and the earlier failing
> config is that in the "failing" one you are allowing the user
> http_access depending only on them having valid credentials (of any user
> in any group). Then deciding the peer based on group check. The
> cache_peer_access is a "fast" category check which cannot wait for
> external ACL to do the group lookup. So the group is not known by
> cache_peer_access, and cannot wait to find it --> prevented all peers
> being used.
>
> Since you dropped "http_access allow ldap" Squid can now reach the
> "http_access allow ldap_download" line which performs group lookup and
> stores the results for the cache_peer_access to use.
>
>
> Since you are controlling things based on groups rather than username
> the only use your config has for ACL "ldap", is in a deny ACL rejecting
> bad logins. For example:
> # reject failed logins
> http_access deny !ldap
> # permit either one of several allowed groups
> http_access allow ldap_download
> http_access allow ldap_browse
>
>
> Amos
>
> >>
> >>
> >> Hi,
> >> I have a strange problem driving me mad. I set up a fresh RHEL 6.1 System 
> >> and installed LDAP and Squid. I want to authenticate users and control the 
> >> internet access depending on groups.
> >> Ldap auth with digest_ldap_auth works fine, but I can't get the 
> >> squid_ldap_group helper to work.
> >> My conf:
> >> #debug_options ALL,9
> >> debug_options ALL,1 28,3 82,9 84,9
> >> hosts_file /etc/hosts
> >> acl manager proto cache_object
> >> acl localhost src 127.0.0.1/32
> >> acl SSL_ports port 443 563 888 7002 8443 1
> >> acl Safe_ports port 80 # http
> >> acl Safe_ports port 21 # ftp
> >> acl Safe_ports port 443 # https
> >> acl Safe_ports port 70 # gopher
> >> acl Safe_ports port 210 # wais
> >> acl Safe_ports port 1025-65535 # unregistered ports
> >> acl Safe_ports port 280 # http-mgmt
> >> acl Safe_ports port 488 # gss-http
> >> acl

Re: [squid-users] Squid not communicating with Helper Processes

2011-11-28 Thread Amos Jeffries

On 28/11/2011 11:29 p.m., Christian Zink wrote:

Finally i've got it!
After searching in the buglist I found a case describing problems if you use both authentication and external helpers. 
So I tried to disable authentication and use only the squid_ldap_group external helper:


auth_param  digest program /usr/lib64/squid/digest_ldap_auth -H ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" 
-u "uid" -A "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
"/etc/squid/digestreader_cred"
auth_param  digest children 1   
auth_param  digest realm Proxy
#acl ldap proxy_auth REQUIRED
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) -D 
uid=digestreader,dc=drv,dc=drv -w digestpw -d
acl ldap_download external ldap_group download
acl ldap_browse external ldap_group browse
cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
cache_peer_access download.proxy deny !ldap_download
cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
cache_peer_access browse.proxy allow ldap_browse
http_access allow ldap_download
http_access allow ldap_browse

And voila, not only the ldap group check worked, but it also still needed authentication 
first! I don't know if it's a bug, or intended ... but if you use "acl ldap 
proxy_auth REQUIRED" there will be no other request to an external helper again ... 
without it it works as desired. In my eyes maybe it's a feature to also authenticate if I 
use external_helper, but it should also work with this acl. Perhaps someone could explain 
the ideas behind this.


It is exactly what you configured within the Squid Access Control 
designs. %LOGIN means "authenticated username", implying that one must 
be logged in for the ACL to be tested. When possible Squid will look up 
requirements for ACL tests, such as this username.


The difference between the above working config and the earlier failing 
config is that in the "failing" one you are allowing the user 
http_access depending only on them having valid credentials (of any user 
in any group). Then deciding the peer based on group check. The 
cache_peer_access is a "fast" category check which cannot wait for 
external ACL to do the group lookup. So the group is not known by 
cache_peer_access, and cannot wait to find it --> prevented all peers 
being used.


Since you dropped "http_access allow ldap" Squid can now reach the 
"http_access allow ldap_download" line which performs group lookup and 
stores the results for the cache_peer_access to use.



Since you are controlling things based on groups rather than username 
the only use your config has for ACL "ldap", is in a deny ACL rejecting 
bad logins. For example:

   # reject failed logins
   http_access deny !ldap
   # permit either one of several allowed groups
   http_access allow ldap_download
   http_access allow ldap_browse


Amos




Hi,
I have a strange problem driving me mad. I set up a fresh RHEL 6.1 System and installed LDAP and Squid. I want to authenticate users and control the internet access depending on groups. 
Ldap auth with digest_ldap_auth works fine, but I can't get the squid_ldap_group helper to work.

My conf:
#debug_options ALL,9
debug_options ALL,1 28,3 82,9 84,9
hosts_file /etc/hosts
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563 888 7002 8443 1
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
auth_param  digest program /usr/lib64/squid/digest_ldap_auth -H ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" 
-u "uid" -A "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
"/etc/squid/digestreader_cred"
auth_param  digest children 1
auth_param  digest realm Proxy
acl ldap proxy_auth REQUIRED

#external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H ldap://127.0.0.1 -v 
3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) -D 
uid=digestreader,dc=drv,dc=drv -W "/etc/squid/digestreader_cred"
external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
acl ldap_download external ldap_group download
acl ldap_browse external ldap_group browse

cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
cache_peer_access download.proxy allow ldap_download
cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
cache_peer_access browse.proxy allow browse

http_access 
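
An added example, not code from this thread or from Squid's own helpers: a Python stand-in for the dummy test.sh mentioned above, speaking the external_acl_type helper protocol that the `ldap_group("v990493 download")` log line shows Squid preparing. It assumes Squid's default url-quoted helper input and substitutes a constructed in-memory group table for the LDAP filter (&(memberuid=%u)(cn=%g)); the names `parse_request`, `is_member` and `answer` are chosen here.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not from the thread).

Squid writes one request per line to the helper's stdin: the expanded
format tokens (here only %LOGIN) followed by the arguments given on the
acl line, e.g. "v990493 download" for
    acl ldap_download external ldap_group download
The helper must answer exactly one line per request, "OK" or "ERR", and
flush after each answer, otherwise Squid waits on it forever.
"""
import sys
from urllib.parse import unquote

# Constructed stand-in for the directory lookup squid_ldap_group performs
# with (&(memberuid=%u)(cn=%g)): group name -> set of member uids.
# Exists only for this demo; a real helper queries LDAP.
GROUPS = {
    "download": {"v990493", "alice"},
    "browse": {"v990493", "bob"},
}


def parse_request(line):
    """Split one helper input line into (login, [acl arguments]).

    Fields are assumed url-quoted by Squid (a space inside a value arrives
    as %20), so the line is split first and each field decoded afterwards.
    Returns None for an empty or malformed line so the caller can answer
    ERR instead of guessing a username.
    """
    fields = [unquote(f) for f in line.strip().split(" ") if f]
    if len(fields) < 2:
        return None
    return fields[0], fields[1:]


def is_member(login, groups, membership=GROUPS):
    """True if login is in at least one of the requested groups.

    squid_ldap_group matches "member of any listed group", so one acl line
    may name several groups. An unknown group simply does not match.
    """
    return any(login in membership.get(g, set()) for g in groups)


def answer(line, membership=GROUPS):
    """Reply line for one request: 'OK' on membership, otherwise 'ERR'."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"  # deny when the request cannot even be read
    login, groups = parsed
    return "OK" if is_member(login, groups, membership) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one reply per input line, flushed immediately."""
    for line in stdin:
        stdout.write(answer(line) + "\n")
        stdout.flush()  # unbuffered replies are part of the helper contract


if __name__ == "__main__":
    serve()
```

Because %LOGIN is only filled in after authentication and the lookup is only issued from a slow check such as http_access, a helper like this never receives the request when the ACL is first evaluated by cache_peer_access alone, which is what the log above records.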

RE: [squid-users] Squid not communicating with Helper Processes

2011-11-28 Thread Christian Zink

Finally i've got it!
After searching in the buglist I found a case describing problems if you use 
both authentication and external helpers. 
So I tried to disable authentication and use only the squid_ldap_group external 
helper:

auth_param      digest program /usr/lib64/squid/digest_ldap_auth -H 
ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" -u "uid" -A "userPassword" 
-D "uid=digestreader,dc=drv,dc=drv" -W "/etc/squid/digestreader_cred"
auth_param      digest children 1   
auth_param      digest realm Proxy
#acl ldap proxy_auth REQUIRED
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) -D 
uid=digestreader,dc=drv,dc=drv -w digestpw -d
acl ldap_download external ldap_group download
acl ldap_browse external ldap_group browse
cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
cache_peer_access download.proxy deny !ldap_download
cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
cache_peer_access browse.proxy allow ldap_browse
http_access allow ldap_download
http_access allow ldap_browse

And voila, not only the ldap group check worked, but it also still needed 
authentication first! I don't know if it's a bug, or intended ... but if you use 
"acl ldap proxy_auth REQUIRED" there will be no other request to an external 
helper again ... without it it works as desired. In my eyes maybe it's a feature 
to also authenticate if I use external_helper, but it should also work with this 
acl. Perhaps someone could explain the ideas behind this.

Greets Christian Zink


> From: bigboyfore...@hotmail.com
> To: squid-users@squid-cache.org
> Date: Thu, 24 Nov 2011 10:36:52 +0100
> Subject: [squid-users] Squid not communicating with Helper Processes
> 
> 
> Hi,
> I have a strange problem driving me mad. I set up a fresh RHEL 6.1 System and 
> installed LDAP and Squid. I want to authenticate users and control the internet 
> access depending on groups. 
> Ldap auth with digest_ldap_auth works fine, but I can't get 
> the squid_ldap_group helper to work.
> My conf:
> #debug_options ALL,9
> debug_options ALL,1 28,3 82,9 84,9
> hosts_file /etc/hosts
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl SSL_ports port 443 563 888 7002 8443 1
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> auth_param      digest program /usr/lib64/squid/digest_ldap_auth -H 
> ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" -u "uid" -A 
> "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
> "/etc/squid/digestreader_cred"
> auth_param      digest children 1
> auth_param      digest realm Proxy
> acl ldap proxy_auth REQUIRED
> 
> #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
> ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) 
> -D uid=digestreader,dc=drv,dc=drv -W "/etc/squid/digestreader_cred"
> external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
> acl ldap_download external ldap_group download
> acl ldap_browse external ldap_group browse
> 
> cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
> cache_peer_access download.proxy allow ldap_download
> cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
> cache_peer_access browse.proxy allow browse
> 
> http_access allow ldap
> http_access deny all
> http_port 8086
> 
> The Problem:
> Squid doesn't talk to the Helper Processes! That's all I can see in logs:
> 2011/11/23 17:07:34.219| ACLChecklist::preCheck: 0x7fff8c40cc70 checking 
> 'cache_peer_access download.proxy allow ldap_download'
> 2011/11/23 17:07:34.219| ACLList::matches: checking ldap_download
> 2011/11/23 17:07:34.219| ACL::checklistMatches: checking 'ldap_download'
> 2011/11/23 17:07:34.219| aclMatchExternal: acl="ldap_group"
> 2011/11/23 17:07:34.219| aclMatchExternal: ldap_group("v990493 download") = 
> lookup needed
> 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": entry=@0, age=0
> 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": queueing a 
> call.
> 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": return -1.
> 2011/11/23 17:07:34.219| ACL::ChecklistMatches: result for 'ldap_download' is 
> -1
> 2011/11/23 17:07:34.219| aclmatchAclList: 0x7fff8c40cc70 returning false (AND 
> list entry failed to match)
> 2011/11/23 17:07:34.219| aclmatchAclLis

RE: [squid-users] Squid not communicating with Helper Processes

2011-11-24 Thread Christian Zink

Hi,
I tested with a dummy helper bash script.
#external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) -D 
uid=digestreader,dc=drv,dc=drv -w digestpw -d
external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
acl ldap_download external ldap_group download
acl ldap_browse external ldap_group browse
cache_peer 10.10.1.254 parent 9986 0 no-query no-digest name=download.proxy
cache_peer_access download.proxy allow ldap_download
cache_peer 10.10.1.254 parent 9985 0 no-query no-digest name=browse.proxy
cache_peer_access browse.proxy allow ldap


> Date: Thu, 24 Nov 2011 01:54:54 -0800
> From: jd...@yahoo.com
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid not communicating with Helper Processes
>
> From: Christian Zink 
>
> > #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H
> > ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g))
> > -D uid=digestreader,dc=drv,dc=drv -W "/etc/squid/digestreader_cred"
> > external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
> > acl ldap_download external ldap_group download
> > acl ldap_browse external ldap_group browse
> > ...
> > The Problem:
> > Squid doesn't talk to the Helper Processes!
>
> Did you comment (#...) the external_acl_type line just for this post or is it 
> really commented?
> Where do you use the 'ldap_group' acl you just created...?
>
> JD
  

RE: [squid-users] Squid not communicating with Helper Processes

2011-11-24 Thread Christian Zink

Thanks for your reply. I don't know why it became mixed up :o

I forgot to mention that I first tried with the IPv6 kernel module disabled and the ipv4 
parameter in external_acl_type, but that didn't work either, so I enabled ipv6 to 
test that too. 
Iptables firewall is off; also you can see the established TCP connection 
between Squid process & helper process via lsof and netstat. Afaik some sort of 
firewall wouldn't allow that.

squid      1858     squid   14u     IPv6              47840      0t0        TCP [::1]:38965->[::1]:45367 (ESTABLISHED)
test.sh   10617     squid    0u     IPv6              47841      0t0        TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
test.sh   10617     squid    1u     IPv6              47841      0t0        TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
tcp        0      0 ::1:45367                   ::1:38965                   VERBUNDEN   10617/bash
tcp        0      0 ::1:38965                   ::1:45367                   VERBUNDEN   1858/(squid)


> Date: Thu, 24 Nov 2011 23:10:35 +1300
> From: squ...@treenet.co.nz
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid not communicating with Helper Processes
>
> On 24/11/2011 10:36 p.m., Christian Zink wrote:
> > Hi,
> > I have a strange problem driving me mad. I set up a fresh RHEL 6.1 System 
> > and installed LDAP and Squid. I want to authenticate users and control the 
> > internet access depending on groups.
> > Ldap auth with digest_ldap_auth works fine, but I can't get the 
> > squid_ldap_group helper to work.
> > My conf:
>
> (your mailer seems to have mangled the config somewhat badly.
> re-formatted while snipping).
>
> > auth_param digest program /usr/lib64/squid/digest_ldap_auth -H 
> > ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" -u "uid" -A 
> > "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
> > "/etc/squid/digestreader_cred"
>
> > external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
>
> > The Problem:
> > Squid doesn't talk to the Helper Processes! That's all I can see in logs:
> > 2011/11/23 17:07:34.219| ACLChecklist::preCheck: 0x7fff8c40cc70 checking 'cache_peer_access download.proxy allow ldap_download'
> > 2011/11/23 17:07:34.219| ACLList::matches: checking ldap_download
> > 2011/11/23 17:07:34.219| ACL::checklistMatches: checking 'ldap_download'
> > 2011/11/23 17:07:34.219| aclMatchExternal: acl="ldap_group"
> > 2011/11/23 17:07:34.219| aclMatchExternal: ldap_group("v990493 download") = lookup needed
> > 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": entry=@0, age=0
> > 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": queueing a call.
> > 2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": return -1.
> > 2011/11/23 17:07:34.219| ACL::ChecklistMatches: result for 'ldap_download' is -1
> > 2011/11/23 17:07:34.219| aclmatchAclList: 0x7fff8c40cc70 returning false (AND list entry failed to match)
> > 2011/11/23 17:07:34.219| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
>
> > While this is repeated endlessly I straced the helper process ... nothing! 
> > I also wrote a dummy helper, also nothing. With tcpdump on localhost I see the 
> > packets from digest_ldap_auth to ldap. Squid's talking to digest_ldap_auth 
> > over a Unix pipe, that works, and from digest_ldap_auth to ldap over 
> > 127.0.0.1 works too, but not from Squid to the helper although there is a 
> > TCP connection:
> > squid 1858 squid 8u IPv6 47834 0t0 UDP *:54597
> > squid 1858 squid 14u IPv6 47840 0t0 TCP [::1]:38965->[::1]:45367 (ESTABLISHED)
> > squid 1858 squid 15u IPv6 47842 0t0 TCP *:d-s-n (LISTEN)
> > test.sh 10617 squid 0u IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
> > test.sh 10617 squid 1u IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
>
> >
> > What I tried so far:
> > - the squid_ldap_group works on the shell, piping Username & Group results in OK/ERR depending on the ldap group membership
> > - no activity in strace on squid_ldap_group, but on digest_ldap_auth
> > - no packets seen with tcpdump on localhost, except from digest_ldap_auth
> > - tried many different options of external_acl_type ...
> > - no iptables active & SELinux Permissive
> > Probably it's a really simple solution, like an internal acl not allowing 
> > network access to localhost, but I can't see it and it's driving me nuts 
>
> So contact to a server on IPv4 localhost works. But packets never make
> it to a helper listening on IPv6 localhost. It looks like an overly
> restrictive IPv6 firewall block to me.
>
> If you can fix those IPv6 firewall rules you may find other things
> around the OS start working better as well. As a workaround if that is
> not possible, you can try adding the external_acl_type directive option
> "ipv4".
>
> Amos
>
  

Re: [squid-users] Squid not communicating with Helper Processes

2011-11-24 Thread Amos Jeffries

On 24/11/2011 10:36 p.m., Christian Zink wrote:

Hi,
I have a strange problem driving me mad. I set up a fresh RHEL 6.1 System and installed LDAP and Squid. I want to authenticate users and control the internet access depending on groups. 
Ldap auth with digest_ldap_auth works fine, but I can't get the squid_ldap_group helper to work.

My conf:


(your mailer seems to have mangled the config somewhat badly. 
re-formatted while snipping).



auth_param  digest program /usr/lib64/squid/digest_ldap_auth -H ldap://127.0.0.1 -v 3 -e -b "ou=0500,dc=drv,dc=drv" 
-u "uid" -A "userPassword" -D "uid=digestreader,dc=drv,dc=drv" -W 
"/etc/squid/digestreader_cred"



external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh



The Problem:
Squid doesn't talk to the Helper Processes! That's all I can see in logs:
2011/11/23 17:07:34.219| ACLChecklist::preCheck: 0x7fff8c40cc70 checking 'cache_peer_access download.proxy allow ldap_download'
2011/11/23 17:07:34.219| ACLList::matches: checking ldap_download
2011/11/23 17:07:34.219| ACL::checklistMatches: checking 'ldap_download'
2011/11/23 17:07:34.219| aclMatchExternal: acl="ldap_group"
2011/11/23 17:07:34.219| aclMatchExternal: ldap_group("v990493 download") = lookup needed
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": entry=@0, age=0
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": queueing a call.
2011/11/23 17:07:34.219| aclMatchExternal: "v990493 download": return -1.
2011/11/23 17:07:34.219| ACL::ChecklistMatches: result for 'ldap_download' is -1
2011/11/23 17:07:34.219| aclmatchAclList: 0x7fff8c40cc70 returning false (AND list entry failed to match)
2011/11/23 17:07:34.219| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0



While this is repeated endlessly I straced the helper process ... nothing! I 
also wrote a dummy helper, also nothing. With tcpdump on localhost I see the packets 
from digest_ldap_auth to ldap. Squid's talking to digest_ldap_auth over a Unix 
pipe, that works, and from digest_ldap_auth to ldap over 127.0.0.1 works too, but 
not from Squid to the helper although there is a TCP connection:
squid   1858 squid  8u IPv6 47834 0t0 UDP *:54597
squid   1858 squid 14u IPv6 47840 0t0 TCP [::1]:38965->[::1]:45367 (ESTABLISHED)
squid   1858 squid 15u IPv6 47842 0t0 TCP *:d-s-n (LISTEN)
test.sh 10617 squid 0u IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)
test.sh 10617 squid 1u IPv6 47841 0t0 TCP [::1]:45367->[::1]:38965 (ESTABLISHED)




What I tried so far:
- the squid_ldap_group works on the shell, piping Username & Group results in OK/ERR depending on the ldap group membership
- no activity in strace on squid_ldap_group, but on digest_ldap_auth
- no packets seen with tcpdump on localhost, except from digest_ldap_auth
- tried many different options of external_acl_type ...
- no iptables active & SELinux Permissive
Probably it's a really simple solution, like an internal acl not allowing 
network access to localhost, but I can't see it and it's driving me nuts 


So contact to a server on IPv4 localhost works. But packets never make 
it to a helper listening on IPv6 localhost. It looks like an overly 
restrictive IPv6 firewall block to me.


If you can fix those IPv6 firewall rules you may find other things 
around the OS start working better as well. As a workaround if that is 
not possible, you can try adding the external_acl_type directive option 
"ipv4".


Amos



Re: [squid-users] Squid not communicating with Helper Processes

2011-11-24 Thread John Doe
From: Christian Zink 

> #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -H 
> ldap://127.0.0.1 -v 3 -b ou=groups,dc=drv,dc=drv -f (&(memberuid=%u)(cn=%g)) 
> -D uid=digestreader,dc=drv,dc=drv -W "/etc/squid/digestreader_cred"
> external_acl_type ldap_group children=1 %LOGIN /usr/lib64/squid/test.sh
> acl ldap_download external ldap_group download
> acl ldap_browse external ldap_group browse
> ...
> The Problem:
> Squid doesn't talk to the Helper Processes!

Did you comment (#...) the external_acl_type line just for this post or is it 
really commented?
Where do you use the 'ldap_group' acl you just created...?

JD