[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Amos Jeffries
squid3 at treenet.co.nz
Tue Mar 24 13:33:31 UTC 2026
On 25/03/2026 00:05, Andrey K wrote:
> Hello Alex,
>
> > I would suggest using "clt_conn_tag" annotation for that purpose. That
> > annotation was specifically added to address similar use cases.
> >
> > If really needed, your helper can send both "group" and "clt_conn_tag"
> > annotations. The latter should be copied to subsequent requests received
> > on the same client-Squid connection.
>
> I conducted several tests and found that when the authentication helper
> returns multiple groups in the 'clt_conn_tag' attributes, all of them
> are available only during the initial CONNECT transaction. In subsequent
> transactions, only the first group remains available.
>

Definitely a bug.

Every clt_conn_tag should be added to the client<->Squid TCP connection,
after which every transaction on that connection should be able to see them.

Cheers
Amos