On 04/03/2026 01:06, Andrey K wrote:
Hello,
I use negotiate_kerberos_auth helper and it sets the AD groups list in a
group annotation attribute.
It works well, but this attribute is not available in the
subsequent requests in an ssl-bumped connection (it is available only in the
first CONNECT request).
Is it possible to make this attribute persistent in the current SSL
connection? I would like to use groups from this attribute to authorize
users using only "note"-type ACLs, no external helpers involved.
Unfortunately Squid does not yet support ACLs using details directly
from the tunnel's "parent" CONNECT transaction.
You can use the annotate_client ACL type to mark the from-client TCP
connection instead of the HTTP request. Just be aware these need to be
manually configured and thus do not scale to a large number of groups.
HTH
Amos
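
A sketch of the annotate_client approach described in the reply, added here as an illustration and not taken from the original messages. The ACL names, the in_finance/in_it annotation keys, the GROUP_VALUE_* placeholders and the example domains are all assumptions; each group needs its own set of lines, which is the scaling limit mentioned above.

```conf
# Added example; ACL names, annotation keys and all values are assumptions.
# Place these lines after the existing http_access rule that authenticates
# the CONNECT, so the helper's "group" annotation is already set.
# CONNECT is the usual "acl CONNECT method CONNECT".

# 1. Match the helper-supplied annotation (only present on the CONNECT).
#    GROUP_VALUE_* are placeholders for the values your helper emits.
acl grp_finance note group GROUP_VALUE_FINANCE
acl grp_it      note group GROUP_VALUE_IT

# 2. annotate_client always matches; its side effect is to tag the
#    client-to-Squid TCP connection, and the tag is propagated to all
#    later transactions on that connection.
acl mark_finance annotate_client in_finance=true
acl mark_it      annotate_client in_it=true

# 3. Marking rules. ACLs are evaluated left to right, so mark_* only runs
#    when grp_* matched. The trailing !all means the line itself never
#    matches: it only tags the connection, then evaluation continues.
http_access deny CONNECT grp_finance mark_finance !all
http_access deny CONNECT grp_it      mark_it      !all

# 4. Requests inside the bumped tunnel: test the connection annotation
#    with plain "note" ACLs, no external helper involved.
acl conn_finance note in_finance true
acl conn_it      note in_it true
acl finance_sites dstdomain .finance.example
acl it_sites      dstdomain .it.example
http_access allow conn_finance finance_sites
http_access allow conn_it      it_sites
```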