[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Andrey K
ankor2023 at gmail.com
Thu Mar 5 13:30:58 UTC 2026
Amos and Alex, thank you for the information.
Kind regards,
Ankor.
On Thu, 5 Mar 2026 at 10:23, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 04/03/2026 19:33, Andrey K wrote:
> > Hello, Amos,
> >
> > Thanks for the information.
> >
> > Can you also tell me:
> > 1. Is it possible to use a macro in the annotate_client ACL to copy HTTP
> > request notes to a TCP connection? Something like:
> > acl annotate_groups annotate_client groups=%{group}note
> >
>
> That is not supported. Which is what I meant by these having to be
> configured manually. You need an ACL to match the group note, and
> another to set the new note, repeated for each group name you want to
> link between the transactions.
>
>
> > 2. What do you think, should we process the "group" attribute at the
> > connection state level as we do with the "clt_conn_tag"? I think this
> > can be easily implemented in the UpdateRequestNotes() function
> > (src/HttpRequest.cc) by simply copying and pasting a few lines of code:
>
> This is not great since group is not limited to Negotiate and NTLM
> authentication types. Other auth schemes have group only being valid on
> one HTTP transaction.
>
>
> I would suggest having a new access control directive that permits or
> denies annotations to be mapped when the CONNECT is bumped. That would
> allow any existing annotation of the CONNECT transaction to be applied
> as a connection-annotation for the bump'ed request.
>
> HTH
> Amos
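
The manual per-group mapping described in Amos's reply, sketched as a squid.conf fragment. This is an added example, not configuration posted in the thread: the group values, the ACL names and the `bump_group` key are placeholders, and it assumes the CONNECT request is authenticated before these rules are evaluated.

```conf
# Constructed example: group values, ACL names and the bump_group key
# are placeholders, not values from the thread.
acl is_connect method CONNECT
acl authed proxy_auth REQUIRED

# 1) One ACL per group, matching the "group" note that the auth helper
#    attached to the CONNECT transaction.
acl grp_staff  note group EXAMPLE-STAFF-GROUP
acl grp_admins note group EXAMPLE-ADMIN-GROUP

# 2) One ACL per group that always matches and, as a side effect,
#    annotates the client-to-Squid connection.
acl tag_staff  annotate_client bump_group=staff
acl tag_admins annotate_client bump_group=admins

# Authenticate first so that the group note exists.
http_access deny !authed

# Side-effect rules: "!all" never matches, so these lines never deny.
# The ACLs to its left are still evaluated in order, so the connection
# is tagged only when the group note matched.
http_access deny is_connect grp_staff  tag_staff  !all
http_access deny is_connect grp_admins tag_admins !all

# 3) Transactions on the annotated connection, including requests
#    inside the bumped tunnel, are matched by the connection note.
acl conn_staff  note bump_group staff
acl conn_admins note bump_group admins
http_access allow conn_admins
http_access allow conn_staff
http_access deny all
```

Each additional group needs its own `note` / `annotate_client` pair and its own side-effect rule, which is the manual repetition the reply refers to.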