[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Alex Rousskov
rousskov at measurement-factory.com
Tue Mar 24 12:53:19 UTC 2026
On 2026-03-24 07:05, Andrey K wrote:
> I conducted several tests and found that when the authentication helper
> returns multiple groups in the 'clt_conn_tag' attributes, all of them
> are available only during the initial CONNECT transaction. In subsequent
> transactions, only the first group remains available.
>
> Details:
> I'm tracking 'clt_conn_tag' via logs:
> logformat my-squid %rm group=%note{group} clt_conn_tag=%note{clt_conn_tag}
> Example of the BasicAuth-helper:
> #!/bin/bash
> # Test helper: accepts any credentials and returns several group= and
> # clt_conn_tag= key=value pairs on a single reply line
> while read -r user pass; do
>     echo "OK user=user1 group=group1 group=group2 clt_conn_tag=group1 clt_conn_tag=group2"
> done
>
> Single curl request logs:
> CONNECT group=group1,group2 clt_conn_tag=group1,group2
> GET group=- clt_conn_tag=group1
>
> Is this the expected behaviour?
Kind of. It is difficult for me to give you a clear "yes" or "no" answer
because Squid behavior in this area is poorly documented and some
implementation bugs probably still remain after several rounds of fixes.
However, I can suggest the following adjustments as the next step:
1. Adjust the helper to return a single clt_conn_tag key=value pair:
OK user=user1 group=group1 group=group2 clt_conn_tag=group1,group2
2. Adjust your note ACLs to add "-m" flag as needed. Search for "acl
aclname note" and "-m" in squid.conf.documented for more information.
HTH,
Alex.
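Added example, not code from Alex, Andrey or the Squid project: a helper reply in the single-key form suggested above, plus two small shell functions that emulate how a Squid "note" ACL compares an annotation value without and with the "-m" flag (whole-value equality versus membership in a comma-separated list). The function names, the constructed helper reply and the sample ACL lines in the comments are assumptions for illustration only.

```shell
#!/bin/sh
# Emulation of Squid note-ACL matching against a helper annotation.
# Constructed example; not Squid code.

# Helper reply with ONE clt_conn_tag key whose value is a comma-separated
# group list (constructed sample; a real helper would look the groups up).
helper_reply() {
    echo "OK user=user1 group=group1 group=group2 clt_conn_tag=group1,group2"
}

# Print the value of a key=value token from a helper reply line
# (last occurrence wins; empty if the key is absent).
note_value() {
    key=$1
    line=$2
    val=
    for tok in $line; do
        case $tok in
            "$key"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Whole-value comparison, i.e. what a note ACL without -m does:
#   acl in_group2 note clt_conn_tag group2
# $1 = annotation value, $2 = wanted value
note_match() {
    [ "$1" = "$2" ]
}

# Member comparison, i.e. what a note ACL with -m does (default
# delimiter is a comma):
#   acl in_group2 note -m clt_conn_tag group2
# $1 = annotation value, $2 = wanted token
note_match_m() {
    _saved_ifs=$IFS
    IFS=,
    for member in $1; do
        if [ "$member" = "$2" ]; then
            IFS=$_saved_ifs
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# Show the difference on the constructed reply.
demo() {
    reply=$(helper_reply)
    tag=$(note_value clt_conn_tag "$reply")
    echo "clt_conn_tag=$tag"
    if note_match "$tag" group2; then
        echo "without -m: group2 matches"
    else
        echo "without -m: group2 does NOT match"
    fi
    if note_match_m "$tag" group2; then
        echo "with -m:    group2 matches"
    else
        echo "with -m:    group2 does NOT match"
    fi
}

demo
```

Without -m the ACL compares "group2" against the whole string "group1,group2" and never matches, which is why a single comma-separated clt_conn_tag needs the -m flag on every note ACL that tests for one group.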
>> On Mar 4, 2026, at 23:23, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 04/03/2026 19:33, Andrey K wrote:
>>> Hello, Amos,
>>> Thanks for the information.
>>> Can you also tell me:
>>> 1. Is it possible to use a macro in the annotate_client ACL to
>>> copy HTTP request notes to a TCP connection? Something like:
>>> acl annotate_groups annotate_client groups=%{group}note
>>
>> That is not supported. Which is what I meant by these having to be
>> configured manually. You need an ACL to match the group note, and
>> another to set the new note, repeated for each group name you want
>> to link between the transactions.
>>
>>
>>> 2. How do you think, should we process the "group" attribute at
>>> the connection state level as we do with the "clt_conn_tag"? I
>>> think this can be easily implemented in the UpdateRequestNotes()
>>> function (src/HttpRequest.cc) by simply copying and pasting a
>>> few lines of code:
>>
>> This is not great since group is not limited to Negotiate and NTLM
>> authentication types. Other auth schemes have group only being
>> valid on one HTTP transaction.
>>
>>
>> I would suggest having a new access control directive that permits
>> or denies annotations to be mapped when the CONNECT is bumped.
>> That would allow any existing annotation of the CONNECT
>> transaction to be applied as a connection-annotation for the
>> bump'ed request.
>>
>> HTH
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> <mailto:squid-users at lists.squid-cache.org>
>> https://lists.squid-cache.org/listinfo/squid-users
>> <https://lists.squid-cache.org/listinfo/squid-users>