[squid-users] external_acl_type ttl not working? or not as I understand?

Im trying to conjure up a replacement to novell border manager +
client trust for transpartent auth in a novell environment. there are
some squid proxy auth things it seems, however they require that the
user be prompted to enter a user+pass... not really ideal. instead
users should not have to think about logging on. i know ident can be
spoofed but for this test its not a huge issue so got the following to
work on squid 2.5 stable 5:

  external_acl_type ldap_lookup ttl=120 %IDENT /tmp/ldaplookup.pl
  acl group1 external ldap_lookup
  http_access allow group1

where /tmp/ldaplookup.pl is
  #!/usr/bin/perl
  $|=1;
  while ( 1 == 1 ) {
    $input = <STDIN>;
    chomp($input);
    open LDAPSEARCH, 'ldapsearch -LLLxh server "(cn=Internet)" member
|' or die "Can't ldapsearch :$!";
    $found = 0;
    $fullusername = '';
    while (<LDAPSEARCH>) {
      #print "$_";
      if ($_ =~ /cn=$input,/i) {
        $found = 1;
        /member: (.*)/i;
        $fullusername = $1;
        last;
      };
    }
    if ($found == 0){
      print 'ERR ERROR="'.$input.' not a valid internet user"'."\n";
    } else {
      print 'OK USER="'.$fullusername.' authorized internet user"'."\n";
    };
  };

and my client is running
http://ftp.tdcnorge.no/pub/windows/Identd/Identd-1.1.0.zip

everything works except the ttl isnt as I thought... eg: my client
tries to hit a page, squid ident requests my client, which responds,
then squid uses my script to see if that user name is in the
"internet" group as retured from my ldap search. if the users in the
group the page is served, if not, they get access denied.

so my question is this... if i imediately shut down my identd on my
client, squid starts denying access immediately. a net sniff shows
that squid is doing an ident query for every access request. I would
have expected with the ttl=120 that squid wouldnt query until 2
minutes later. this seems like a lot of needless ident traffic and
when i start piling on users ill be doing more ident and ldap lookups
than web proxying.

I suppose I just misunderstand the ttl option. is there anyway to get
squid to only ask for this ident auth at some specified timeout and
not for every page request?

any help would be greatly appreciated.
Received on Wed Jun 01 2005 - 12:22:38 MDT