On 8/04/25 06:42, Reinhard Westerholt wrote:
Hello everybody,

I have configured Squid to use Kerberos authentication and employed ext_kerberos_ldap_group_acl to limit HTTP access. This setup works fine in most cases. However, randomly (and rarely), there seems to be an issue with the LDAP query, causing the Active Directory groups to fail to resolve, which subsequently denies user access. When this occurs, the issue persists for about an hour. I suspect this might be due to caching or TTL.

Very likely.


Here is a relevant part of the configuration:

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/server.fqdn@domain
auth_param negotiate children 500
auth_param negotiate keep_alive on

external_acl_type INetAccess ttl=3600 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"

There you have it: "ttl=3600" (ie 1 hour, in seconds). If this is the only TTL configured it will be used for both OK and ERR results.


...

I manually attempted to retrieve the subschemasubentry using ldapsearch. As far as I can see, there is no issue, or I could not reproduce the problem manually via ldapsearch.

Does anyone have any ideas on how to further debug this issue? Additionally, are there any recommendations regarding the TTL value? If I reduce the TTL, the duration of the issue might be shorter for individual users.


There are three alternatives to changing "ttl=" itself.

In order of my recommendation:

1) Avoiding the external helper entirely if you can.

The auth helper you are using should be providing Squid with a list of the group SSIDs the logged-in user is a member of. With those, Squid can use the 'note' type ACL to check the groups quickly instead of needing a separate helper lookup.

Like so:
  acl INetAccess note group ...[SSID]...


2) Setting "grace=" which will attempt the re-lookup before the TTL finishes. That way Squid will use the already cached value at the exact time the failure occurs, and may be able to re-try the failed lookup at least once before it has any effects. This grace= option should ideally be only a few seconds and must be strictly less than both ttl= and negative_ttl= values.


3) Add a shorter value for the ERR results with "negative_ttl=".

Just be aware that lowering either of these TTL values will impact transaction speed for all the traffic where the user is (ttl=), or is not (negative_ttl=), a member of that group.


HTH
Amos
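The three alternatives above, written out as one squid.conf fragment. This is an added example, not configuration from the thread; the SID, the negative_ttl and grace numbers, and the ACL name INetAccessLDAP are placeholders, while the auth_param lines and ttl=3600 are the original poster's settings.

```conf
# Added example (not from the thread). Alternatives A and B are two ways to
# define the INetAccess ACL; keep only one of them.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/server.fqdn@domain
auth_param negotiate children 500
auth_param negotiate keep_alive on

# Alternative A (option 1): no external helper at all. When the negotiate
# helper returns the user's group SIDs as "group=" key=value pairs, Squid keeps
# them as transaction annotations, and a note ACL matches them without any LDAP
# round trip, so an LDAP hiccup can never be cached as an hour-long ERR.
# The SID below is a placeholder.
acl INetAccess note group S-1-5-21-111111111-222222222-333333333-1234

# Alternative B (options 2 and 3): keep ext_kerberos_ldap_group_acl, but tune
# its result cache instead of living with a single one-hour TTL:
#   ttl=3600          OK results cached for an hour (the original setting)
#   negative_ttl=60   ERR results, including a failed LDAP lookup, expire after
#                     one minute instead of inheriting the one-hour ttl
#   grace=5           percentage of the TTL remaining at which Squid re-queries
#                     the helper in the background (5% of 3600 s = 180 s before
#                     expiry) while still answering from the cached entry, so a
#                     single failed re-lookup does not immediately deny users
external_acl_type INetAccessLDAP ttl=3600 negative_ttl=60 grace=5 children-max=1000 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g "INetAccess" -a -i -l ldap://server.fqdn:389 -D "DOMAIN"
acl INetAccess external INetAccessLDAP

http_access allow INetAccess
http_access deny all
```

After changing the cache options, `squid -k parse` reports any option Squid does not accept before you reload.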
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
