[squid-users] Too many AD group and squid kerberos auth problem

alberto alberto.furia at gmail.com
Tue Aug 30 11:05:48 UTC 2016


Hi all,
I have a squid3 installation with kerberos ldap groups authentication.
Everything works like a charm except for one of my users who belongs to too
many groups (more than 50): this user cannot browse any site because of
an authentication problem.
I always see TCP_DENIED/407 in the squid log file for that user.

Is there a parameter that I can change in the squid.conf file to increase
the number of groups allowed during authentication?
FYI, I'm on Debian Jessie and using this Kerberos configuration:

====squid.conf snippet=======

################## Kerberos Auth ###################
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s GSS_C_NO_NAME -i
auth_param negotiate children 10
auth_param negotiate keep_alive off

################# External_acl_type ########################
#internet ALL
external_acl_type kgrp_all ttl=60 negative_ttl=60 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -i -g "DL Internet ALL@EXAMPLE.LCL" -D EXAMPLE.LCL -S example.lcl@EXAMPLE.LCL -m 10 -b "OU=InternetAccess,OU=Groups,OU=Users & Groups,OU=Inet,OU=Root,DC=EXAMPLE,DC=LCL" -D EXAMPLE.LCL -N EXAMPLE@EXAMPLE.LCL

################# Basic Auth ########################
auth_param basic program /usr/lib/squid3/basic_ldap_auth -D srvc_squid@example.lcl -W /etc/squid3/ldappwd.txt -h "example.lcl" -b "OU=root,DC=EXAMPLE,DC=LCL" -s sub -f (&(objectClass=Person)(sAMAccountName=%s))
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute


Thank you for your help,
Alberto