[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.

Amos Jeffries squid3 at treenet.co.nz
Wed Mar 25 22:03:44 UTC 2026


On 26/03/2026 00:55, Andrey K wrote:
> 
> Hello Alex and Amos,
> 
> I ran some more tests and would like to share the results.
> 
> It turned out that the following auth helper responses are equivalent:
>    OK user=user1 group=group1 group=group2
>    OK user=user1 group=group1,group2
>    OK user=user1 group="group1,group2"
> 

As Alex pointed out, the "group" key name has special handling that 
essentially converts the first line into the second.

The difference in output is more important for the clt_conn_tag use, 
where the first line would mark the connection with 
"clt_conn_tag=group1", then immediately replace it with 
"clt_conn_tag=group2".

Double-quotes as used on the third line are supported to allow 
whitespace and \-escaped characters to exist within values. As used 
above, lines 2 and 3 are exactly the same - the annotation value is a 
comma-delimited list of group names.


> It also turned out that using the -m flag in the ACL note is 
> unnecessary: the ACL
>    acl has_group2 note group group2
> matches each of the three above responses.

Because all three cases add a note "group=group2".

Again the special case for the "group" key name has changed line #1 to mean 
the same as the others.


> However, the ACL
>    acl has_2groups note group group1,group2
> did not match any of them.

Nod. ',' is a delimiter for notes with a list of values.
The ACL tests each value separately against the squid.conf value.


Cheers
Amos
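As an added illustration of the behaviour described in this thread (this is a small model written for this post, not Squid's own parsing code), the following Python script mimics how the three helper responses end up equivalent, why "acl has_group2 note group group2" matches all of them, and why "acl has_2groups note group group1,group2" matches none. It unquotes double-quoted values with backslash escapes, merges repeated group= keys into one comma-delimited value, and has the note ACL compare each comma-separated element on its own. The function names (parse_helper_response, note_acl_matches, connection_tag) are my own; the sample responses are the three lines Andrey quoted.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample helper responses, taken from the three lines quoted in
# the thread. This script models the described behaviour; it is not Squid code.
HELPER_RESPONSES = [
    'OK user=user1 group=group1 group=group2',
    'OK user=user1 group=group1,group2',
    'OK user=user1 group="group1,group2"',
]


def _tokenize(line: str) -> List[str]:
    """Split a response line on whitespace, honouring double-quoted
    values (which may contain whitespace) and backslash escapes."""
    tokens: List[str] = []
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        buf: List[str] = []
        while i < n and not line[i].isspace():
            if line[i] == '"':
                i += 1                       # opening quote
                while i < n and line[i] != '"':
                    if line[i] == '\\' and i + 1 < n:
                        i += 1               # keep the escaped character
                    buf.append(line[i])
                    i += 1
                i += 1                       # closing quote
            else:
                buf.append(line[i])
                i += 1
        tokens.append(''.join(buf))
    return tokens


def parse_helper_response(line: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (result, notes). notes maps each key to the list of raw values
    seen, in order. Repeated 'group' keys are merged into one comma-delimited
    value, modelling the special handling of the 'group' key name."""
    tokens = _tokenize(line)
    if not tokens:
        raise ValueError('empty helper response')
    result, pairs = tokens[0], tokens[1:]
    notes: Dict[str, List[str]] = {}
    for pair in pairs:
        key, sep, value = pair.partition('=')
        if not sep:
            raise ValueError(f'malformed key=value pair: {pair!r}')
        notes.setdefault(key, []).append(value)
    if 'group' in notes:
        notes['group'] = [','.join(notes['group'])]
    return result, notes


def note_acl_matches(notes: Dict[str, List[str]], key: str, wanted: str) -> bool:
    """Model of 'acl name note key wanted': the annotation value is treated as
    a comma-delimited list and every element is compared on its own, so a
    squid.conf value that itself contains a comma can never match."""
    for raw in notes.get(key, []):
        for element in raw.split(','):
            if element == wanted:
                return True
    return False


def connection_tag(notes: Dict[str, List[str]]) -> Optional[str]:
    """Model of clt_conn_tag: without the 'group' merging, a repeated key
    simply replaces the earlier value, so the last one seen wins."""
    values = notes.get('clt_conn_tag')
    return values[-1] if values else None


if __name__ == '__main__':
    for line in HELPER_RESPONSES:
        _, notes = parse_helper_response(line)
        print(line)
        print('  group note  :', notes['group'])
        print('  has_group2  :', note_acl_matches(notes, 'group', 'group2'))
        print('  has_2groups :', note_acl_matches(notes, 'group', 'group1,group2'))
```

Running the script prints the same merged group note for all three responses, has_group2 True for each and has_2groups False for each, which is the result Andrey observed.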


