I'm trying set external acl that check against database if authenticated user is overcuote, for that I try to configure acl rule as:
external_acl_type CHECKOVERCUOTE ttl=3600 negative_ttl=10 children-max=5 children-startup=2 %LOGIN /usr/lib/squid/ext_sql_session_acl --dsn "DBI:mysql:database=squidmgr" --user squidmgr --password dbpassword --table "proxy_usuario" --uidcol "identificador" --usercol "identificador" --cond "overcuote = 1" --debug
acl OVERCUOTE external CHECKOVERCUOTE
And use OVERCUOTE acl as:
http_access allow CONNECT SSL_ports !dominios_parciales usuarios_internet macs_red_local red_local !OVERCUOTE
http_access allow !dominios_parciales usuarios_internet macs_red_local red_local !OVERCUOTE
The problem is that the external acl always returns ERR because it doesn't take the authenticated user to compare it in the database query. The param for ther query is empty.
The debug info result:
Looking the source code of ext_sql_session_acl it take $uid from $_[0] argument of perl script call, and I try set it from authenticated user in squid.
UPDATE:
The problem was that the concurrency directive was missing in external_acl_type, leaving it as follows:
external_acl_type CHECKOVERCUOTE concurrency=100 ttl=3600 negative_ttl=10 children-max=5 children-startup=2 %LOGIN /usr/lib/squid/ext_sql_session_acl --dsn "DBI:mysql:database=squidmgr" --user squidmgr --password dbpassword --table "proxy_usuario" --uidcol "identificador" --usercol "identificador" --cond "overcuote = 1" --debug.
Now, I see that the parameter to the query formed by ext_sql_session_acl is a concatenation of uidcol and ' - ', the solution for me was create in database another field named squid_user_identifier that store the same value of identifier col followed by ' - '. This way the query generated by ext_sql_session_acl match with the squid authenticated user.
