[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.

Alex Rousskov rousskov at measurement-factory.com
Wed Mar 4 14:18:28 UTC 2026


On 2026-03-03 07:06, Andrey K wrote:

> I use negotiate_kerberos_auth helper and it sets the AD groups list in a 
> group annotation attribute.
> It works well, but this attribute is not available in the
> subsequent requests in an ssl-bumped connection (it is available only in the
> first CONNECT request).
> Is it possible to make this attribute persistent in the current SSL 
> connection? I would like to use groups from this attribute to authorize 
> users using only "note"-type ACLs, no external helpers involved.

I would suggest using "clt_conn_tag" annotation for that purpose. That 
annotation was specifically added to address similar use cases.

If really needed, your helper can send both "group" and "clt_conn_tag" 
annotations. The latter should be copied to subsequent requests received 
on the same client-Squid connection.


HTH,

Alex.
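
One way to have the helper send both annotations, as an added example (not code from this post or from the Squid project): a wrapper that runs the real Negotiate helper and appends a "clt_conn_tag" built from the "group" values in each OK reply. The function names, the comma-joined tag format and the assumption that reply values are unquoted and space-free are choices made for this illustration.

```python
#!/usr/bin/env python3
"""Wrap a Negotiate helper; mirror its group= annotations into clt_conn_tag."""
import subprocess
import sys


def add_conn_tag(reply: str) -> str:
    """Return the helper reply with clt_conn_tag=<g1,g2,...> appended to OK lines."""
    line = reply.rstrip("\r\n")
    fields = line.split(" ")
    # With helper concurrency enabled, a numeric channel-ID precedes the result code.
    code_at = 1 if len(fields) > 1 and fields[0].isdigit() else 0
    if fields[code_at] != "OK":
        return line  # ERR / BH / TT replies pass through unchanged
    groups = []
    for kv in fields[code_at + 1:]:
        key, sep, value = kv.partition("=")  # split on the first '=' only
        if key == "clt_conn_tag":
            return line  # the helper already set a tag; do not override it
        if key == "group" and sep and value:
            groups.append(value)
    if not groups:
        return line
    # Assumption: one comma-separated tag, so that a note ACL with -m can match
    # single groups, e.g. (hypothetical ACL name, placeholder value):
    #   acl in_group note -m clt_conn_tag <group-value>
    return line + " clt_conn_tag=" + ",".join(groups)


def main(helper_cmd):
    """Relay Squid's requests to the real helper, one reply per request."""
    helper = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for request in sys.stdin:
        helper.stdin.write(request)
        helper.stdin.flush()
        reply = helper.stdout.readline()
        if not reply:  # helper exited; stop so Squid restarts the wrapper
            break
        sys.stdout.write(add_conn_tag(reply) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(sys.argv[1:])  # argv: path to the real helper followed by its options
```

The wrapper takes the real helper's command line as its arguments and is configured in its place on the auth_param negotiate program line.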



