Distributing users according to their LDAP groups on multiple cache peers


Silamael Darkomen
Hello,

Is there any possibility to distribute a bunch of users to different
cache peers based on the user group in LDAP?

For older versions this was possible by using the slow external ACL
first for evaluation in the http_access clause and later using the slow
external ACLs again in the cache_peer_access option.

With the update from 4.9 to 4.10 this behavior seems to be broken.

Thanks for any hints!

-- Matthias
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Distributing users according to their LDAP groups on multiple cache peers

Amos Jeffries
Administrator
On 7/04/20 6:19 pm, Silamael Darkomen wrote:

> Hello,
>
> Is there any possibility to distribute a bunch of users to different
> cache peers based on the user group in LDAP?
>
> For older versions this was possible by using the slow external ACL
> first for evaluation in the http_access clause and later using the slow
> external ACLs again in the cache_peer_access option.
>
> With the update from 4.9 to 4.10 this behavior seems to be broken.


That trick has never been properly consistent. It relies on the first
entry not being pushed out of cache before the second check. Under any
type of load it starts to fail.


In current Squid you can have the helper deliver group=blah and use the
note ACL type to check it in the fast checks. It works reliably, and
with multiple groups.

Amos

Re: Distributing users according to their LDAP groups on multiple cache peers

Silamael Darkomen
Hello Amos,

Thank you for your quick reply.
Could you perhaps give me a short configuration example, how this should
look like?

Thank you very much!

-- Matthias

On 07.04.2020 09:01, Amos Jeffries wrote:

> On 7/04/20 6:19 pm, Silamael Darkomen wrote:
>> Hello,
>>
>> Is there any possibility to distribute a bunch of users to different
>> cache peers based on the user group in LDAP?
>>
>> For older versions this was possible by using the slow external ACL
>> first for evaluation in the http_access clause and later using the slow
>> external ACLs again in the cache_peer_access option.
>>
>> With the update from 4.9 to 4.10 this behavior seems to be broken.
>
>
> That trick has never been properly consistent. It relies on the first
> entry not being pushed out of cache before the second check. Under any
> type of load it starts to fail.
>
>
> In current Squid you can have the helper deliver group=blah and use the
> note ACL type to check it in the fast checks. It works reliably, and
> with multiple groups.
>
> Amos

Re: Distributing users according to their LDAP groups on multiple cache peers

Alex Rousskov
In reply to this post by Amos Jeffries
On 4/7/20 3:01 AM, Amos Jeffries wrote:

> On 7/04/20 6:19 pm, Silamael Darkomen wrote:
>> Hello,
>>
>> Is there any possibility to distribute a bunch of users to different
>> cache peers based on the user group in LDAP?
>>
>> For older versions this was possible by using the slow external ACL
>> first for evaluation in the http_access clause and later using the slow
>> external ACLs again in the cache_peer_access option.
>>
>> With the update from 4.9 to 4.10 this behavior seems to be broken.
>
>
> That trick has never been properly consistent. It relies on the first
> entry not being pushed out of cache before the second check. Under any
> type of load it starts to fail.
>
>
> In current Squid you can have the helper deliver group=blah and use the
> note ACL type to check it in the fast checks. It works reliably, and
> with multiple groups.

I agree with Amos, but want to add that there are no known new breakages
of that unreliable "cache and reuse external ACL results" approach. If
you can use this suspected regression as an excuse to implement a more
reliable scheme, please follow Amos' advice. Otherwise, perhaps there is
a regression bug we should fix.

Alex.

Re: Distributing users according to their LDAP groups on multiple cache peers

Amos Jeffries
Administrator
In reply to this post by Silamael Darkomen
On 8/04/20 1:48 am, Silamael Darkomen wrote:
> Hello Amos,
>
> Thank you for your quick reply.
> Could you perhaps give me a short configuration example, how this should
> look like?
>


It would be something like this:

 acl groupCheck external ...
 acl groupFoo note group foo

 http_access allow groupCheck
 ...
 cache_peer_access fooBar allow groupFoo


Amos
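
Added example, not part of the original post and not Squid project code: a sketch of the helper side of the configuration above, answering each lookup with "OK group=..." so the note ACL can match it later in cache_peer_access. The sample directory, the lookup_groups function and the group-name whitelist are hypothetical; it assumes Squid sends the URL-encoded login name as the only token per request line (no concurrency channel-ID) and accepts one group= pair per group.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: replies 'OK group=<name> ...' for each login."""
import re
import sys
from urllib.parse import unquote

# Constructed stand-in for the LDAP query; a real helper would ask the directory.
SAMPLE_GROUPS = {
    "alice": ["foo"],
    "bob": ["foo", "bar"],
    "mallory": ["bad group\nOK"],  # hostile value a directory could hand back
}

# Emit only values that cannot break the line-based key=value reply.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_groups(user):
    """Hypothetical lookup; raises KeyError for an unknown user."""
    return SAMPLE_GROUPS[user]


def answer(request_line, lookup=lookup_groups):
    """Build the reply line for one request (a URL-encoded login name)."""
    tokens = request_line.split()
    if len(tokens) != 1:
        return "BH"                    # malformed request: helper-side failure
    user = unquote(tokens[0])
    try:
        groups = lookup(user)
    except KeyError:
        return "ERR"                   # unknown user: ACL does not match
    except Exception:
        return "BH"                    # directory unreachable: not a "no"
    safe = [g for g in groups if SAFE_GROUP.fullmatch(g)]
    if not safe:
        return "ERR"                   # nothing safe to annotate: fail closed
    return "OK " + " ".join("group=" + g for g in safe)


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line.rstrip("\n")) + "\n")
        sys.stdout.flush()             # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

A user in no usable group gets ERR here, so the http_access allow groupCheck line does not match for them and no group annotation reaches the cache_peer_access check.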

Re: Distributing users according to their LDAP groups on multiple cache peers

Silamael Darkomen
On 07.04.2020 16:52, Amos Jeffries wrote:

> It would be something like this:
>
>  acl groupCheck external ...
>  acl groupFoo note group foo
>
>  http_access allow groupCheck
>  ...
>  cache_peer_access fooBar allow groupFoo
>
>
> Amos

Hi Amos,

Thank you again for the quick reply, seems to work for us :)

Cheers,
Matthias