Hello,
I'm using squid_kerb_ldap (via external_acl_type) to authenticate via Kerberos
and authorize access via LDAP groups.
This seems to work. Partly anyway. My problem is:
Most of the traffic is authorized, as shown in the access.log file, which shows
GETs and CONNECTs using the respective Kerberos ID (user@DOMAIN), but some GETs
and CONNECTs lack that Kerberos ID (-) and consequently fail (TCP_DENIED).
I tested if an earlier ACL might prevent those transfers from being allowed by
inserting an ACL right before the external_acl_type to allow all transfers from
the host I was using. This didn't show any TCP_DENIEDs.
I also wondered if the browser could be at fault (not requesting each GET with
the respective Kerberos ID), so I changed from Firefox to Chromium. The
behaviour was identical.
Can anyone think of a reason for this behaviour or another way to debug for the
cause?
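
One way to narrow this down from access.log itself, as an added example that is not part of the original post: Squid logs the credential challenge of an authenticating proxy as TCP_DENIED/407 with `-` in the user field, so the script separates those entries from denials with other status codes and lists challenges that were never followed by an authenticated retry. It assumes Squid's default native log format; the function names and the sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not taken from the post).
SAMPLE_LOG = """\
1300000000.100     12 192.0.2.10 TCP_DENIED/407 3921 GET http://example.com/ - NONE/- text/html
1300000000.250    180 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ user@DOMAIN DIRECT/203.0.113.5 text/html
1300000001.010      3 192.0.2.10 TCP_DENIED/407 4010 CONNECT example.org:443 - NONE/- text/html
1300000001.300    950 192.0.2.10 TCP_MISS/200 8231 CONNECT example.org:443 user@DOMAIN DIRECT/203.0.113.9 -
1300000002.500      2 192.0.2.10 TCP_DENIED/403 3650 GET http://example.net/a.js user@DOMAIN NONE/- text/html
1300000003.700      2 192.0.2.11 TCP_DENIED/407 3921 GET http://example.net/b.js - NONE/- text/html
1300000004.900      2 192.0.2.10 TCP_DENIED/403 3650 GET http://example.net/c.js - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated line or a custom logformat
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6], "user": f[7]}

def classify(e):
    """Bucket an entry by why it carries (or lacks) a user name."""
    if "DENIED" not in e["result"]:
        return "allowed"
    if e["user"] != "-":
        return "denied_with_user"   # authenticated, then rejected by an ACL
    if e["status"] == "407":
        return "auth_challenge"     # proxy asked the client for credentials
    return "denied_no_user"         # rejected before any user was known

def summarize(text):
    """Count buckets; list 407 challenges with no later authenticated retry."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    counts = Counter(classify(e) for e in entries)
    unanswered = []
    for i, e in enumerate(entries):
        if classify(e) != "auth_challenge":
            continue
        key = (e["client"], e["method"], e["url"])
        retried = any(l["user"] != "-" and (l["client"], l["method"], l["url"]) == key
                      for l in entries[i + 1:])
        if not retried:
            unanswered.append(key)
    return counts, unanswered

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```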