On Fri, 9 Jan 2004, PONCIN Louis wrote: > In fact we have 26 LDAP groups > > 1) > At first, we started the following processes > 2004/01/08 17:11:56| helperOpenServers: Starting 10 'squid_ldap_auth' > processes > 2004/01/08 17:11:57| helperOpenServers: Starting 5 'squid_ldap_group' > processes > > And we got this in the cache.log > 2004/01/08 17:12:01| FD 58 Closing HTTP connection
This is on shutdown. > 2004/01/08 17:12:01| externalAclLookup: 'ldapgroup' queue overload > 2004/01/08 17:12:01| externalAclLookup: 'ldapgroup' queue overload What Squid version? > 2) > Thus we decided to start a few more processes (50 squid_ldap_auth and 15 > squid_ldap_group) > > At this time a couple of users that where formerly denied the internet > access were allowed to have the access. But some of the people that > could access the web before were then denied it ? Should not happen, unless as indicated earlier if a request to squid_ldap_group exceeded 256 characters. > 3) > Finally, we intended to set only a limited number of LDAP group (4-5) in > the squid.conf > acl group_Internet external ldapgroup GR-I-group1 GR-I-group2 > GR-I-group3 GR-I-group4 > > Here we have had absolutely no pb to authentify the users and grant the > access rights. > > =====> > Our questions are : > a)Is there a ratio of processes numbers between > - the number of potential users > - the number of squid_ldap_auth processes > - the number of squid_ldap_group processes > - the number of groups we have in our squid.conf No, but as I said, the more groups you have, the longer squid_ldap_group will require on each lookup, and the busier your LDAP server will be. > b) Is there a maximum LDAP groups we can search through ? The sum of all groups plus login name must not exceed 256 characers (including space separator characters and newline). Regards Henrik
