On 2026-03-03 07:06, Andrey K wrote:
I use negotiate_kerberos_auth helper and it sets the AD groups list in a group annotation attribute. It works well, but this attribute is not available in the subsequent requests in an ssl-bumped connection (it is available only in the first CONNECT request). Is it possible to make this attribute persistent in the current SSL connection? I would like to use groups from this attribute to authorize users using only "note"-type ACLs, no external helpers involved.
I would suggest using "clt_conn_tag" annotation for that purpose. That annotation was specifically added to address similar use cases.
If really needed, your helper can send both "group" and "clt_conn_tag" annotations. The latter should be copied to subsequent requests received on the same client-Squid connection.
HTH, Alex.
