[squid-users] Using AD groups from negotiate_kerberos_auth in ssl-bumped connections.
Andrey K
ankor2023 at gmail.com
Thu Mar 26 13:51:26 UTC 2026
Hello, Amos,
Thank you for clarifying.
I've opened a PR (https://github.com/squid-cache/squid/pull/2395) for the
negotiate_kerberos_auth helper to support custom annotation attributes for
PAC groups. The output format has been changed to a single key with
comma-separated values. This allows using attributes like clt_conn_tag to
annotate connections.
Kind regards,
Ankor.
On Thu, 26 Mar 2026 at 01:03, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 26/03/2026 00:55, Andrey K wrote:
> >
> > Hello Alex and Amos,
> >
> > I ran some more tests and would like to share the results.
> >
> > It turned out that the following auth helper responses are equivalent:
> > OK user=user1 group=group1 group=group2
> > OK user=user1 group=group1,group2
> > OK user=user1 group="group1,group2"
> >
>
> As Alex pointed out "group" key name has special handling that
> essentially converts the first line into the second.
>
> The difference of output is more important for the clt_conn_tag use
> where the first line would mark the connection with
> "clt_conn_tag=group1", then immediately replace it with
> "clt_conn_tag=group2".
>
> Double-quotes as used on the third line are supported to allow
> whitespace and \-escaped characters to exist within values. As used
> above line 2 and 3 are exactly the same - the annotation value is a
> comma-delimited list of group names.
>
>
> > It also turned out that using the -m flag in the ACL note is
> > unnecessary: the ACL
> > acl has_group2 note group group2
> > matches each of the three above responses.
>
> Because all three cases add a note "group=group2".
>
> Again the special case for "group" key name has changed line #1 to mean
> the same as the others.
>
>
> > However, the ACL
> > acl has_2groups note group group1,group2
> > did not match any of them.
>
> Nod. ',' is a delimiter for notes with a list of values.
> The ACL tests each value separately against the squid.conf value.
>
>
> Cheers
> Amos
>
>
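
A small Python model of the annotation handling discussed in this thread, added as an illustration; it is not Squid's code and not part of the original messages. The function names and the use of `shlex` for quoted values are assumptions of the sketch.

```python
import shlex

# Simplified model of the behaviour described in this thread; not Squid's parser.
# Per the thread, only the "group" key gets the special merging treatment.
MERGED_KEYS = {"group"}

def parse_helper_reply(line):
    """Split a helper reply into (result, notes); notes maps key -> value string."""
    tokens = shlex.split(line)  # assumption: shlex stands in for "quoted" and \-escaped values
    result, notes = tokens[0], {}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            continue  # not a key=value pair
        if key in MERGED_KEYS and key in notes:
            notes[key] += "," + value  # repeated group= becomes one comma list
        else:
            notes[key] = value  # any other repeated key: last value replaces the first
    return result, notes

def note_acl_matches(notes, key, conf_value):
    """Model of `acl NAME note KEY VALUE` as explained for the group key:
    each comma-delimited item is compared separately with the squid.conf value."""
    if key not in notes:
        return False
    return conf_value in notes[key].split(",")

# Constructed sample replies, taken from the three forms quoted in the thread.
GROUP_REPLIES = [
    "OK user=user1 group=group1 group=group2",
    "OK user=user1 group=group1,group2",
    'OK user=user1 group="group1,group2"',
]

if __name__ == "__main__":
    for reply in GROUP_REPLIES:
        _, notes = parse_helper_reply(reply)
        print(notes["group"],
              note_acl_matches(notes, "group", "group2"),
              note_acl_matches(notes, "group", "group1,group2"))
    # Repeated clt_conn_tag keys: only the last value survives.
    print(parse_helper_reply("OK user=user1 clt_conn_tag=group1 clt_conn_tag=group2")[1])
    # Single key with comma-separated values keeps both names.
    print(parse_helper_reply("OK user=user1 clt_conn_tag=group1,group2")[1])
```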