Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid3 Crashing ext_ldap_group_acl

    pfSense Packages
    1
    1
    2.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fak1r
      last edited by

      Hi!

      A week trying to set up Squid 3.3.10 pkg 2.2.8, beta 3.1.20 pkg 2.1.2, 3.4 authorization for AD groups on pfSense 2.1.5.
      All set up and everything works as intended even !!!
      But the problem is that about every 2.5-3 hours, and sometimes right after you start falling off squid helper ext_ldap_group_acl.
      That tried to do:

      • Transfer line to the top of the config helper
      • Ext_ldap_group_acl run with the parameter -P and without
      • Increases the number of helper processes run to 15

      Warnings in the log:

       2015/02/05 10:27:43 kid1 | WARNING: no_suid: setuid (0): (1) Operation not permitted
WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE

      only appear in version 3.3, on the other versions do not.

      For fun, try to raise the squid 3.4 on freebsd 8.4 and pfSense 2.2, everything works smoothly, but I would not want to move until the version of the pfSense 2.2.

      Sorry for my english.

      LOGS:

      Cache.log (squid 3.3):

      
2015/02/05 10:09:05.305 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2015/02/05 10:10:10.947 kid1| UserRequest.cc(300) authenticate: No Proxy-Auth header and no working alternative. Requesting auth header.
2015/02/05 10:11:21.328 kid1| UserRequest.cc(121) ~UserRequest: freeing request 0x299fb2e0
2015/02/05 10:17:41 kid1| Logfile: opening log /var/squid/logs/netdb.state
2015/02/05 10:17:41 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/netdb.state'
2015/02/05 10:17:41 kid1| Logfile: closing log stdio:/var/squid/logs/netdb.state
2015/02/05 10:17:41 kid1| NETDB state saved; 45 entries, 1 msec
2015/02/05 10:27:43 kid1| WARNING: ldapauth #3 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Starting new helpers
2015/02/05 10:27:43 kid1| helperOpenServers: Starting 1/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:43 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:43 kid1| WARNING: ldapauth #4 exited
2015/02/05 10:27:43 kid1| Too few ldapauth processes are running (need 1/15)
2015/02/05 10:27:43 kid1| Closing HTTP port 192.168.0.17:8080
2015/02/05 10:27:43 kid1| storeDirWriteCleanLogs: Starting...
2015/02/05 10:27:43 kid1|   Finished.  Wrote 0 entries.
2015/02/05 10:27:43 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ldapauth helpers are crashing too rapidly, need help!

Squid Cache (Version 3.3.10): Terminated abnormally.
CPU Usage: 3.573 seconds = 1.340 user + 2.233 sys
Maximum Resident Size: 74752 KB
Page faults with physical i/o: 0
2015/02/05 10:27:43 kid1| Closing Pinger socket on FD 35
2015/02/05 10:27:46 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2015/02/05 10:27:46 kid1| Process ID 67605
2015/02/05 10:27:46 kid1| Process Roles: worker
2015/02/05 10:27:46 kid1| With 11095 file descriptors available
2015/02/05 10:27:46 kid1| Initializing IP Cache...
2015/02/05 10:27:46 kid1| DNS Socket created at [::], FD 11
2015/02/05 10:27:46 kid1| DNS Socket created at 0.0.0.0, FD 12
2015/02/05 10:27:46 kid1| Adding domain renault-nn.ru from /etc/resolv.conf
2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.3 from /etc/resolv.conf
2015/02/05 10:27:46 kid1| Adding nameserver 192.168.0.18 from /etc/resolv.conf
2015/02/05 10:27:46 kid1| helperOpenServers: Starting 0/5 'basic_ldap_auth' processes
2015/02/05 10:27:46 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2015/02/05 10:27:46 kid1| helperOpenServers: Starting 7/15 'ext_ldap_group_acl' processes
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2015/02/05 10:27:46 kid1|  parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/ru/error-details.txt
2015/02/05 10:27:46 kid1| Unable to load default error language files. Reset to backups.
2015/02/05 10:27:46 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2015/02/05 10:27:46 kid1| Logfile: opening log /var/squid/logs/access.log
2015/02/05 10:27:46 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
2015/02/05 10:27:46 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/02/05 10:27:46 kid1| Store logging disabled
2015/02/05 10:27:46 kid1| Swap maxSize 0 + 8192 KB, estimated 630 objects
2015/02/05 10:27:46 kid1| Target number of buckets: 31
2015/02/05 10:27:46 kid1| Using 8192 Store buckets
2015/02/05 10:27:46 kid1| Max Mem  size: 8192 KB
2015/02/05 10:27:46 kid1| Max Swap size: 0 KB
2015/02/05 10:27:46 kid1| Using Least Load store dir selection
2015/02/05 10:27:46 kid1| Current Directory is /usr/local/www
2015/02/05 10:27:46 kid1| Loaded Icons.
2015/02/05 10:27:46 kid1| HTCP Disabled.
2015/02/05 10:27:46 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2015/02/05 10:27:46 kid1| Pinger socket opened on FD 34
2015/02/05 10:27:46 kid1| NETDB state reloaded; 45 entries, 0 msec
2015/02/05 10:27:46 kid1| Squid plugin modules loaded: 0
2015/02/05 10:27:46 kid1| Adaptation support is off.
2015/02/05 10:27:46 kid1| Accepting HTTP Socket connections at local=192.168.0.17:8080 remote=[::] FD 32 flags=9
2015/02/05 10:27:46| pinger: Initialising ICMP pinger ...
2015/02/05 10:27:46| pinger: ICMP socket opened.
2015/02/05 10:27:46| pinger: ICMPv6 socket opened
2015/02/05 10:27:47 kid1| storeLateRelease: released 0 obje

      Cache.log (squid 3.4):

      
Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.228 seconds = 0.195 user + 0.033 sys
Maximum Resident Size: 53024 KB
Page faults with physical i/o: 0
2015/02/06 19:26:18 kid1| Starting Squid Cache version 3.4.11 for i386-portbld-freebsd8.4...
2015/02/06 21:36:22 kid1| WARNING: ldapauth #Hlpr0 exited
2015/02/06 21:36:22 kid1| WARNING: ldapauth #Hlpr0 exited
FATAL: The ldapauth helpers are crashing too rapidly, need help!

Squid Cache (Version 3.4.11): Terminated abnormally.
CPU Usage: 0.195 seconds = 0.097 user + 0.097 sys
Maximum Resident Size: 52320 KB
Page faults with physical i/o: 0
2015/02/06 21:36:25 kid1| Starting Squid Cache version 3.4.11 for i386-portbld-freebsd8.4...
2015/02/06 23:46:30 kid1| WARNING: ldapauth #Hlpr0 exited
2015/02/06 23:46:30 kid1| WARNING: ldapauth #Hlpr0 exited
FATAL: The ldapauth helpers are crashing too rapidly, need help!

      Squid config:

      
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.0.17:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language ru
icon_directory /usr/pbi/squid-i386/etc/squid/icons
visible_hostname localhost
cache_mgr admin@firma.ru
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-i386/libexec/squid/pinger

logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.0.0/24
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
cache allow all

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/24
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer. 
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
#Integrations

# Custom options before auth
#Custom ACLS (Before_Auth)

auth_param basic program /usr/pbi/squid-i386/libexec/squid/basic_ldap_auth -R -v 3 -b dc=firma,dc=ru -D squid@firma.ru -w 2015 -f "sAMAccountName=%s" -u uid -h 192.168.0.3 -p 389
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED

# Custom options after auth
external_acl_type ldapauth ttl=60 %LOGIN /usr/pbi/squid-i386/libexec/squid/ext_ldap_group_acl \
	-R -d -v 3 -b "dc=firma,dc=ru" -D squid@firma.ru -w 2015 -f \
	"(&(objectclass=user)(sAMAccountName=%v)(memberOf=CN=%a,OU=Internet,DC=firma,DC=ru))" -P 192.168.0.3:389
acl u_full external ldapauth inet_access_full
acl u_common external ldapauth inet_access_common
acl u_site_definition external ldapauth inet_access_site_definition
acl deny_sites url_regex -i "/var/squid/acl/deny_all.txt"
acl allow_sites url_regex -i "/var/squid/acl/allow_sites.txt"
acl banned_users proxy_auth_regex -i "/var/squid/acl/counter_deny.acl"
acl password proxy_auth REQUIRED
deny_info ERR_ACL_TRAFFIC_QUOTA_EXCEEDED banned_users
http_access deny banned_users
http_access deny u_common deny_sites
http_access allow u_full
http_access allow u_common
http_access allow u_site_definition allow_sites

# Default block all to be sure
http_access deny allsrc
      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.