Too many AD group and squid kerberos auth problem

Hi all,
I have a squid3 installation with Kerberos LDAP group authentication.
Everything works like a charm except for one of my users, who belongs to too many groups (more than 50): this user cannot browse any site because of an authentication problem.
I always see TCP_DENIED/407 in the squid log file for that user.

Is there a parameter that I can change in the squid.conf file to increase the number of groups allowed during authentication?
FYI, I'm on Debian Jessie and using this Kerberos configuration:

====squid.conf snippet=======

################## Kerberos Auth ###################
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth  -s GSS_C_NO_NAME -i
auth_param negotiate children 10
auth_param negotiate keep_alive off

################# External_acl_type ########################
#internet ALL
external_acl_type kgrp_all ttl=60 negative_ttl=60 %LOGIN  /usr/lib/squid3/ext_kerberos_ldap_group_acl -i -g "DL Internet ALL@xxxxxxxxxxx" -D EXAMPLE.LCL -S example.lcl@xxxxxxxxxxx -m 10 -b "OU=InternetAccess,OU=Groups,OU=Users & Groups,OU=Inet,OU=Root,DC=EXAMPLE,DC=LCL"  -D EXAMPLE.LCL -N EXAMPLE@xxxxxxxxxxx

################# Basic Auth ########################
auth_param basic program /usr/lib/squid3/basic_ldap_auth -D srvc_squid@xxxxxxxxxxx -W /etc/squid3/ldappwd.txt -h "example.lcl" -b "OU=root,DC=EXAMPLE,DC=LCL" -s sub -f (&(objectClass=Person)(sAMAccountName=%s))
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute


Thank you for your help,
Alberto
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
