[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 5 07:23:49 UTC 2026


On 04/03/2026 19:33, Andrey K wrote:
> Hello, Amos,
> 
> Thanks for the information.
> 
> Can you also tell me:
> 1. Is it possible to use a macro in the annotate_client ACL to copy HTTP 
> request notes to a TCP connection? Something like:
> acl annotate_groups annotate_client groups=%{group}note
> 

That is not supported. Which is what I meant by these having to be 
configured manually. You need an ACL to match the group note, and 
another to set the new note, repeated for each group name you want to 
link between the transactions.


> 2. How do you think, should we process the "group" attribute at the 
> connection state level as we do with the "clt_conn_tag"? I think this 
> can be easily implemented in the UpdateRequestNotes() function (src/ 
> HttpRequest.cc) by simply copying and pasting a few lines of code:

This is not great since group is not limited to Negotiate and NTLM 
authentication types. Other auth schemes have group only being valid on 
one HTTP transaction.


I would suggest having a new access control directive that permits or 
denies annotations to be mapped when the CONNECT is bumped. That would 
allow any existing annotation of the CONNECT transaction to be applied 
as a connection-annotation for the bump'ed request.

HTH
Amos
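The manual pattern Amos describes above (one ACL matching the helper's "group" note on the CONNECT, one annotate_client ACL setting a connection note, repeated per group), spelled out as squid.conf fragments. This is an added example, not configuration from the thread or from the Squid project; it assumes negotiate_kerberos_auth returns a "group" note on the authenticated CONNECT, that "ad_group" is a freely chosen connection-note name, that the "finance" and "hr" group names and the dstdomain are placeholders, and that http_port/ssl_bump certificate setup is configured elsewhere.

```conf
# Assumed: the Negotiate helper is already configured and returns a "group"
# key=value note for each authenticated request.
acl authenticated proxy_auth REQUIRED

# Step 1: match the helper's "group" note on the (authenticated) CONNECT.
# One "note" ACL per AD group name you want to carry across transactions.
acl helper_group_finance note group finance
acl helper_group_hr      note group hr

# Step 2: an annotate_client ACL per group. annotate_client always matches;
# its side effect is to add the note to the client connection, where later
# transactions on that connection (the bumped requests) can see it.
acl conn_group_finance annotate_client ad_group=finance
acl conn_group_hr      annotate_client ad_group=hr

# Side-effect-only rules: "!all" never matches, so these lines deny nothing,
# but Squid evaluates the ACLs left to right and the annotate_client ACL has
# already run by the time "!all" fails. Add one line per group.
http_access deny authenticated helper_group_finance conn_group_finance !all
http_access deny authenticated helper_group_hr      conn_group_hr      !all

# Step 3: bumped requests on the same client connection are matched on the
# connection note rather than on the helper note of the original CONNECT.
acl is_finance note ad_group finance
acl is_hr      note ad_group hr

# Placeholder destination used to show a per-group decision.
acl finance_sites dstdomain .finance.example.com

http_access allow authenticated is_finance finance_sites
http_access allow authenticated is_hr !finance_sites
http_access deny all
```

Each additional group costs two ACL lines and one side-effect http_access line, which is the repetition Amos refers to; the note names on the connection are deliberately distinct from the helper's "group" key so the two stages cannot be confused when reading access logs.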