[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Amos Jeffries
squid3 at treenet.co.nz
Tue Mar 3 13:02:08 UTC 2026
On 04/03/2026 01:06, Andrey K wrote:
> Hello,
>
> I use negotiate_kerberos_auth helper and it sets the AD groups list in a
> group annotation attribute.
> It works well, but this attribute is not available in the
> subsequent requests in an ssl-bumped connection (it is available only in the
> first CONNECT request).
> Is it possible to make this attribute persistent in the current SSL
> connection? I would like to use groups from this attribute to authorize
> users using only "note"-type ACLs, no external helpers involved.

Unfortunately Squid does not yet support ACLs using details directly
from the tunnel's "parent" CONNECT transaction.

You can use the annotate_client ACL type to mark the from-client TCP
connection instead of the HTTP request. Just be aware these need to be
manually configured and thus do not scale to a large number of groups.

HTH
Amos
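
A squid.conf sketch of the annotate_client approach described in the reply, added here as an illustration and not taken from the thread or from the Squid project. The ACL names, the `adgroup` key, the domain and the group values are placeholders, and it assumes `auth_param negotiate` is already configured with negotiate_kerberos_auth.

```conf
# Constructed example. ACL names, the "adgroup" key, the domain and the
# group values are placeholders, not values from this thread.

# Assumes auth_param negotiate ... negotiate_kerberos_auth is configured.
acl authenticated proxy_auth REQUIRED

# Match the helper's "group" annotation on the current transaction.
# Per the question above, inside a bumped tunnel this is only present
# on the initial CONNECT.
acl ad_staff  note group PLACEHOLDER_STAFF_GROUP_VALUE
acl ad_admins note group PLACEHOLDER_ADMIN_GROUP_VALUE

# annotate_client always matches; its side effect is to annotate the
# client-to-Squid TCP connection, which later transactions on that
# connection inherit. "+=" appends, so a user in both groups keeps both.
acl mark_staff  annotate_client adgroup+=staff
acl mark_admins annotate_client adgroup+=admins

# "note"-type ACLs that test the connection-level mark.
acl is_staff  note adgroup staff
acl is_admins note adgroup admins

acl admin_sites dstdomain .admin.example.com

# Authenticate first so the helper annotations exist.
http_access deny !authenticated

# Marking rules. ACLs on a line are evaluated left to right, so the
# mark is applied only when the group ACL matched. "!all" never
# matches, so these lines never decide access themselves.
http_access deny ad_staff  mark_staff  !all
http_access deny ad_admins mark_admins !all

# Authorization on the connection mark; applies to the CONNECT and to
# the decrypted requests inside the bumped tunnel.
http_access deny admin_sites !is_admins
http_access allow is_staff
http_access allow is_admins
http_access deny all
```

Each group needs its own set of ACLs plus a marking rule, which is the manual configuration the reply warns does not scale. The mark lasts for the life of the client TCP connection, so it should only be trusted where one connection carries one user's traffic.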