[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.

Andrey K ankor2023 at gmail.com
Wed Mar 25 11:55:11 UTC 2026


Hello Alex and Amos,

I ran some more tests and would like to share the results.

It turned out that the following auth helper responses are equivalent:
  OK user=user1 group=group1 group=group2
  OK user=user1 group=group1,group2
  OK user=user1 group="group1,group2"

It also turned out that using the -m flag in the ACL note is unnecessary:
the ACL
  acl has_group2 note group group2
matches each of the three above responses.
However, the ACL
  acl has_2groups note group group1,group2
did not match any of them.

Kind regards,
    Ankor.

Wed, 25 Mar 2026 at 06:39, Amos Jeffries <squid3 at treenet.co.nz>:

> On 25/03/2026 04:02, Alex Rousskov wrote:
> > On 2026-03-24 09:33, Amos Jeffries wrote:
> >
> >> Every clt_conn_tag should be added to the client<->Squid TCP
> >> connection, after which every transaction on that connection should be
> >> able to see them.
> >
> > The above assertion is false. Squid does not (or should not) work that
> > way since Bug 4912 fix (i.e. 2019 commit d665de37) replaced an "always
> > add" with an "always overwrite" design for most[^1] annotations,
> > including clt_conn_tag:
>
> Doh, forgot about that. Thanks Alex.
>
> Johnathan: the helper should use the comma-separated syntax Squid
> outputs in the log.
>
> HTH
> Amos
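
An added example, not part of the original messages and not Squid's code: a small Python model that reproduces the test results reported in the message above. It assumes that helper `group` values are split on commas into separate annotation values and that a `note` ACL without -m compares its argument against each value as a whole; the function names are hypothetical.

```python
import shlex

def parse_helper_response(line):
    """Parse 'OK key=value ...' into (status, {key: [values]}).

    Assumption (a model of the observed behaviour, not Squid source): a comma
    inside a value separates several values of the same key, quoted or not.
    """
    tokens = shlex.split(line)              # also handles group="group1,group2"
    status, notes = tokens[0], {}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            continue                        # skip tokens that are not key=value
        notes.setdefault(key, []).extend(v for v in value.split(",") if v)
    return status, notes

def note_acl_matches(notes, key, acl_value):
    """Model of 'acl NAME note KEY VALUE' without -m: whole-value equality."""
    return acl_value in notes.get(key, [])

# Constructed sample input: the three helper responses quoted in the message.
RESPONSES = [
    "OK user=user1 group=group1 group=group2",
    "OK user=user1 group=group1,group2",
    'OK user=user1 group="group1,group2"',
]

def evaluate(line):
    _, notes = parse_helper_response(line)
    return {
        "has_group2": note_acl_matches(notes, "group", "group2"),
        "has_2groups": note_acl_matches(notes, "group", "group1,group2"),
        # Requiring membership in both groups under this model means AND-ing
        # two single-value checks (in squid.conf: two ACLs on one rule line).
        "both_groups": all(note_acl_matches(notes, "group", g)
                           for g in ("group1", "group2")),
    }

if __name__ == "__main__":
    for line in RESPONSES:
        print(line, "->", evaluate(line))
```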
