Re: [squid-users] Re: Re: Re: Re: Re: Re: squid_ldap_group against nested groups/Ous

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 03 Aug 2012 09:04:43 +0300

On 8/2/2012 9:24 AM, Eugene M. Zheganin wrote:
> Hi.
>
> On 01.08.2012 23:02, Markus Moeller wrote:
>> Hi Eugene,
>>
>> Are all 12 groups for the same control ? If so you can use -g
>> Group1:Group2:Group3:.....
>>
> No, I map them to different acls, and then those acls are used to
> restrict various levels of the access.
>
> Like:
>
> (it was)
> external_acl_type ldap_group [...]
>
> acl ad-internet-users external ldap_group "/usr/local/etc/squid/ad-internet-users.acl"
> acl ad-privileged external ldap_group "/usr/local/etc/squid/ad-privileged-users.acl"
> acl ad-icq-only external ldap_group "/usr/local/etc/squid/ad-icq-only.acl"
> acl ad-no-icq external ldap_group "/usr/local/etc/squid/ad-no-icq.acl"
>
> http_access allow ad-internet-users something
> http_access deny ad-internet-users something1
> http_access allow ad-privileged something1
>
> and so on.
>
> Eugene.
How long is the list?
And what is the proxy load / requests per sec?
Caching on the external_acl helper can be very effective and will take
most of the load if the ttl is well tuned.
I don't really know of an AD environment where these kinds of groups are
changed in less than a day, so just extend the LDAP helper ttl to
more than 60 secs, and then most of the acls may be slow on the
first acl hit, but on the next it will be much faster.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Fri Aug 03 2012 - 06:05:19 MDT
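
An added illustration, not part of the original message and not Squid's own code: a simplified Python model of an external ACL result cache keyed by (login, group), showing how the ttl trades LDAP helper lookups against the time a user removed from a group keeps being allowed. The user population, request rate, revocation time and the expiry rule (an entry is reused while it is younger than ttl) are assumptions made for the example.

```python
# Simplified model (assumption), not Squid's implementation: results of the
# group helper are cached per (login, group) and reused until ttl seconds old.
import random

GROUPS = ["ad-internet-users", "ad-privileged", "ad-icq-only", "ad-no-icq"]

class ExternalAclCache:
    def __init__(self, ttl, directory):
        self.ttl = ttl
        self.directory = directory   # stands in for LDAP: {user: set of groups}
        self.cache = {}              # (user, group) -> (answer, time stored)
        self.helper_calls = 0

    def check(self, user, group, now):
        hit = self.cache.get((user, group))
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]            # served from cache, no LDAP query
        self.helper_calls += 1       # cache miss or expired: ask the helper
        answer = group in self.directory.get(user, set())
        self.cache[(user, group)] = (answer, now)
        return answer

def simulate(ttl, seconds=7200, revoke_at=1810, seed=1):
    """Return (helper lookups, seconds user0 stayed allowed after removal)."""
    rng = random.Random(seed)
    directory = {f"user{i}": {"ad-internet-users"} for i in range(50)}  # constructed
    acl = ExternalAclCache(ttl, directory)
    stale_seconds = 0
    for now in range(seconds):
        if now == revoke_at:         # admin removes user0 from the group
            directory["user0"].discard("ad-internet-users")
        # constructed load: user0 plus nine random users, one request each per second
        for user in ["user0"] + [f"user{rng.randrange(1, 50)}" for _ in range(9)]:
            for group in GROUPS:     # worst case: every acl is evaluated
                allowed = acl.check(user, group, now)
                if (user, group) == ("user0", "ad-internet-users") \
                        and now >= revoke_at and allowed:
                    stale_seconds += 1
    return acl.helper_calls, stale_seconds

if __name__ == "__main__":
    for ttl in (0, 60, 3600):
        calls, stale = simulate(ttl)
        print(f"ttl={ttl:>4}s  helper lookups={calls:>6}  stale access={stale}s")
```

In this model the window of stale access after a group change is bounded by the ttl, so the value chosen is also the longest a revoked membership can keep working.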
