Hello, Amos,
Thanks for the information.
Can you also tell me:
1. Is it possible to use a macro in the annotate_client ACL to copy HTTP
request notes to a TCP connection? Something like:
acl annotate_groups annotate_client groups=%{group}note
2. What do you think: should we process the "group" attribute at the
connection state level as we do with the "clt_conn_tag"? I think this can
be easily implemented in the UpdateRequestNotes() function
(src/HttpRequest.cc) by simply copying and pasting a few lines of code:

    void
    UpdateRequestNotes(ConnStateData *csd, HttpRequest &request, NotePairs const &helperNotes)
    {
        // Tag client connection if the helper responded with clt_conn_tag=tag
        // or group=groups.
        const char *cltTag = "clt_conn_tag";
        if (const char *connTag = helperNotes.findFirst(cltTag)) {
            if (csd) {
                csd->notes()->remove(cltTag);
                csd->notes()->add(cltTag, connTag);
            }
        }
        // Same handling for the helper's group annotation.
        const char *group = "group";
        if (const char *hlprGroup = helperNotes.findFirst(group)) {
            if (csd) {
                csd->notes()->remove(group);
                csd->notes()->add(group, hlprGroup);
            }
        }
        request.notes()->replaceOrAdd(&helperNotes);
    }

Tue, 3 Mar 2026 at 16:02, Amos Jeffries <[email protected]>:
> On 04/03/2026 01:06, Andrey K wrote:
> > Hello,
> >
> > I use negotiate_kerberos_auth helper and it sets the AD groups list in a
> > group annotation attribute.
> > It works well, but this attribute is not available in the
> > subsequent requests in an ssl-bumped connection (it is available only in the
> > first CONNECT request).
> > Is it possible to make this attribute persistent in the current SSL
> > connection? I would like to use groups from this attribute to authorize
> > users using only "note"-type ACLs, no external helpers involved.
>
> Unfortunately Squid does not yet support ACLs using details directly
> from the tunnel's "parent" CONNECT transaction.
>
> You can use the annotate_client ACL type to mark the from-client TCP
> connection instead of the HTTP request. Just be aware these need to be
> manually configured and thus do not scale to a large number of groups.
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> [email protected]
> https://lists.squid-cache.org/listinfo/squid-users
>
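
Added example, not part of the original thread and not Squid project configuration: a squid.conf sketch of the annotate_client workaround described in the quoted reply, with one set of ACLs per group. The group values, ACL names, the in_staff/in_admins keys and the destination domain are constructed placeholders, and it assumes authentication has already run for the CONNECT so the helper's group= note is present.

```conf
# Constructed placeholders: replace the group values with what your helper
# actually returns in its group= annotation.

# 1. Match the helper's group= annotation (only present on the CONNECT request).
acl grp_staff  note group EXAMPLE_STAFF_GROUP_VALUE
acl grp_admins note group EXAMPLE_ADMIN_GROUP_VALUE

# 2. annotate_client always matches and tags the client TCP connection.
#    A separate key per group keeps one tag from replacing another.
acl tag_staff  annotate_client in_staff=1
acl tag_admins annotate_client in_admins=1

# 3. Match the connection annotation on the CONNECT and on later bumped requests.
acl conn_staff  note in_staff 1
acl conn_admins note in_admins 1

# ACLs in a rule are evaluated left to right and "!all" never matches,
# so these two rules only apply the tags and never deny anything.
http_access deny grp_staff  tag_staff  !all
http_access deny grp_admins tag_admins !all

# Authorization using only note-type ACLs, no external helper.
acl admin_sites dstdomain .admin.example.com
http_access deny admin_sites !conn_admins
http_access allow conn_staff
http_access allow conn_admins
http_access deny all
```

Every group needs its own three ACLs and tagging rule, which is the manual configuration cost the reply warns about.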