Re: Too many AD group and squid kerberos auth problem


On 30/08/2016 11:05 p.m., alberto wrote:
> Hi all,
> I have a squid3 installation with kerberos ldap groups authentication.
> Everything works like a charm except for one of my users who belongs to too
> many groups (more than 50): this user cannot browse any site because of
> an authentication problem.
> I always see TCP_DENIED/407 in the squid log file for that user.

The Squid<->helper protocol in Squid-3 is not able to handle very long
lists of groups being returned by the helper. We have a fix in Squid-4,
but it is too large and destabilizing to backport.

You may want to try the latest 4.0 daily snapshot, or 4.0.14 release
which will be coming out as soon as I can find the time to package it.

If Squid-4 does not resolve the issue then the problem is likely to be
the large size of the Negotiate token in HTTP headers. There is no
guarantee that any HTTP header longer than 8000 bytes will be able to be
transmitted. Squid also has a 64KB header length limit at present which
may be applicable.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
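
A way to check the second possibility raised in the reply, the size of the Negotiate token in the request headers. This is an added example, not part of the original thread and not Squid code. The function names and the sample request are constructed for illustration; the 8000-byte and 64 KB thresholds are the ones quoted in the reply.

```python
import base64

# Thresholds taken from the reply above.
SOFT_HEADER_LIMIT = 8000        # a header longer than this has no delivery guarantee
SQUID_HEADER_LIMIT = 64 * 1024  # Squid's overall header length limit

def classify_token(raw: bytes) -> str:
    """Identify the mechanism from the first bytes of the decoded token."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if raw[:1] == b"\x60":  # ASN.1 application tag 0: GSS-API initial token
        return "GSS-API (SPNEGO/Kerberos)"
    return "unknown"

def audit_request(header_block: bytes) -> dict:
    """Measure Negotiate credentials in one request's header block."""
    head = header_block.split(b"\r\n\r\n", 1)[0]
    report = {"total_bytes": len(head) + 4, "findings": []}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() not in (b"proxy-authorization", b"authorization"):
            continue
        scheme, _, b64 = value.strip().partition(b" ")
        if scheme.lower() != b"negotiate":
            continue
        try:
            token = base64.b64decode(b64.strip(), validate=True)
        except ValueError:  # malformed base64: report it as an empty token
            token = b""
        report["findings"].append({
            "header": name.decode(),
            "line_bytes": len(line),
            "token_bytes": len(token),
            "mechanism": classify_token(token),
            "over_8000": len(line) > SOFT_HEADER_LIMIT,
        })
    report["over_64k"] = report["total_bytes"] > SQUID_HEADER_LIMIT
    return report

def constructed_request(token_len: int) -> bytes:
    """Constructed sample: a CONNECT carrying a filler token of token_len bytes."""
    token = b"\x60\x82" + b"\x00" * (token_len - 2)
    return (b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n"
            b"Proxy-Authorization: Negotiate " + base64.b64encode(token) + b"\r\n\r\n")
```

Feed `audit_request` the raw header bytes of a request from the affected user (for example from a packet capture on the client side) and compare the result with a request from a user who can browse.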