[squid-users] Too many AD group and squid kerberos auth problem

Amos Jeffries squid3 at treenet.co.nz
Tue Aug 30 15:15:25 UTC 2016


On 30/08/2016 11:05 p.m., alberto wrote:
> Hi all,
> I have a squid3 installation with kerberos ldap groups authentication.
> Everything works like a charm except for one of my users who belongs to too
> many groups (more than 50): this user cannot browse any site because of an
> authentication problem.
> I always see TCP_DENIED/407 in the squid log file for that user.

The Squid<->helper protocol in Squid-3 is not able to handle very long
lists of groups being returned by the helper. We have a fix in Squid-4,
but it is too large and destabilizing to backport.

You may want to try the latest 4.0 daily snapshot, or 4.0.14 release
which will be coming out as soon as I can find the time to package it.

If Squid-4 does not resolve the issue then the problem is likely to be
the large size of the Negotiate token in HTTP headers. There is no
guarantee that any HTTP header longer than 8000 bytes will be
transmitted. Squid also has a 64KB header length limit at present, which
may be applicable.

Amos
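A quick way to tell which of the two header limits named in the reply a user's request is hitting is to measure the Proxy-Authorization line and the whole header block of a captured request. The script below is an added example and is not code from the original post, from Amos, or from the Squid project. It assumes the two thresholds exactly as stated in the reply (8000 bytes per header line for safe interoperability, 64KB, taken here as 65536 bytes, for Squid's whole header block); the request it builds is constructed test data carrying a fake Negotiate blob, not a real SPNEGO/Kerberos token, since only its size matters for this check.

```python
import base64

# Thresholds taken from the reply above: nothing guarantees that an HTTP header
# line longer than 8000 bytes gets through, and Squid (at the time of the post)
# caps the whole header block at 64KB. 64KB is assumed here to mean 65536 bytes.
INTEROP_LINE_LIMIT = 8000
SQUID_HEADER_BLOCK_LIMIT = 64 * 1024


def parse_request_headers(raw: bytes):
    """Split a raw HTTP request into (request_line, [(name, value, line_len)], block_len).

    line_len is the byte length of one header line on the wire (without CRLF);
    block_len is the size of the whole header block including the final CRLFCRLF.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block found")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.decode("ascii").strip(), value.strip(), len(line)))
    return request_line, headers, len(head) + len(sep)


def analyse_negotiate_request(raw: bytes) -> dict:
    """Report header sizes against the two limits and measure the Negotiate token."""
    _request_line, headers, block_len = parse_request_headers(raw)
    report = {
        "header_block_bytes": block_len,
        "over_squid_block_limit": block_len > SQUID_HEADER_BLOCK_LIMIT,
        "lines_over_interop_limit": [],   # (header name, line length) pairs
        "negotiate_token_bytes": None,    # decoded size of the Negotiate blob, if present
    }
    for name, value, line_len in headers:
        if line_len > INTEROP_LINE_LIMIT:
            report["lines_over_interop_limit"].append((name, line_len))
        if name.lower() == "proxy-authorization" and value.lower().startswith(b"negotiate "):
            token_b64 = value.split(None, 1)[1]
            report["negotiate_token_bytes"] = len(base64.b64decode(token_b64))
    return report


def build_sample_request(token_len: int) -> bytes:
    """Construct a CONNECT request carrying a fake Negotiate blob of token_len bytes.

    The blob is a repeating byte pattern (constructed test data), not a real
    SPNEGO/Kerberos token; only its size matters for this check.
    """
    fake_token = (bytes(range(256)) * (token_len // 256 + 1))[:token_len]
    return (
        b"CONNECT example.com:443 HTTP/1.1\r\n"
        b"Host: example.com:443\r\n"
        b"Proxy-Authorization: Negotiate " + base64.b64encode(fake_token) + b"\r\n"
        b"User-Agent: size-check\r\n"
        b"\r\n"
    )


if __name__ == "__main__":
    # A modest token, one that already breaks the 8000-byte line guarantee,
    # and one that pushes the whole header block past Squid's 64KB cap.
    for size in (1200, 12032, 60000):
        print(size, analyse_negotiate_request(build_sample_request(size)))
```

To apply this to a real user, feed `analyse_negotiate_request` the bytes of the client's request as seen on the wire (for example from a packet capture taken on the proxy); the base64 text of the Negotiate blob expands to roughly four thirds of the token's size, so a token only needs to be a little over 6000 bytes before its header line exceeds the 8000-byte figure from the reply.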
