>Perhapse the fact that Kerberos works with anonymous binary blobs? no >username in sight. You have to pardon me, I am not familiar enough with the inner workings of Kerberos to understand what a binary blob is wrt to Kerberos:) >Or if not that, something in the elided section "<...>". I omitted it as it worked from the cli, but possibly something in the syntax when used in the conf file is wrong (wrapped intentionally here)? external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=LDAP,CN=Users,DC=domain,DC=local" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,CN=Users,DC=domain,DC=local))" -h 10.0.0.2 >The bare http_access logic is fine but assumes the LDAP group helper can >handle what Kerberos uses for a username. Is there a way to show what the helper is doing in the log file? Thanks Amos, jlc
