Not sure if this helps, but we use impersonation with LDAP and we did not
have to use a groovy script. We are on 6.5.8. Here's an example of our
configuration:
cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
cas.authn.surrogate.ldap.base-dn=.....
# this filter gets the attributes of the account being impersonated
cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
cas.authn.surrogate.ldap.bind-dn=<bind_dn>
cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
cas.authn.surrogate.ldap.use-start-tls=true
# this is the format of the group that a person has to be in
# in order to impersonate the 'surrogate'
cas.custom.properties.surrogate-format=cn=group-{surrogate}
# this builds the list of authorized accounts for impersonation
cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf
=${cas.custom.properties.surrogate-format}))
cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
# this extracts the 'friendly' name of the account to be impersonated
cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <magor...@hacc.edu> wrote:
> I am using only LDAP (AD) as my attribute repository.
>
>
> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>
> I am trying to get it to resolved the impersonated users attributes, but
> no luck.
>
> It appears that I have to have a groovy script:
> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>
> Here is my config so far:
> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.active-attribute-repository-ids=core
> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>
> If I do need the groovy script, which since it appears to be required,
> what should it be doing? Any examples?
>
> I can login and the impersonation works, but without attributes it's
> pretty useless.
>
> Thank you,
> Matt
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
--
Jonathon Taylor
Information Security Office
jonath...@berkeley.edu
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABzqDo-%3DKj7yYNJXhEf3osjjth68%3DUOKPwTZrfaSRc2LhAN_1g%40mail.gmail.com.
