Not sure if this helps, but we use impersonation with LDAP and we did not
have to use a groovy script. We are on 6.5.8. Here's an example of our
configuration:
cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
cas.authn.surrogate.ldap.base-dn=.....
# this filter gets the attributes of the account being impersonated
cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
cas.authn.surrogate.ldap.bind-dn=<bind_dn>
cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
cas.authn.surrogate.ldap.use-start-tls=true
# this is the format of the group that a person has to be in
# in order to impersonate the 'surrogate'
cas.custom.properties.surrogate-format=cn=group-{surrogate}
# this builds the list of authorized accounts for impersonation
cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
# this extracts the 'friendly' name of the account to be impersonated
cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]> wrote:
> I am using only LDAP (AD) as my attribute repository.
>
>
> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>
> I am trying to get it to resolve the impersonated user's attributes, but
> no luck.
>
> It appears that I have to have a groovy script:
> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>
> Here is my config so far:
> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
> cas.authn.surrogate.principal.attribute-resolution-enabled=true
> cas.authn.surrogate.principal.active-attribute-repository-ids=core
> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>
> If I do need the groovy script, which since it appears to be required,
> what should it be doing? Any examples?
>
> I can login and the impersonation works, but without attributes it's
> pretty useless.
>
> Thank you,
> Matt
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
--
Jonathon Taylor
Information Security Office
[email protected]
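An added example, not CAS code and not part of the reply above, that simulates in Python what the posted properties ask CAS to do: substitute {user} and {surrogate} into surrogate-search-filter (with RFC 4515 escaping of the substituted values, so a surrogate name cannot widen the filter), and apply member-attribute-value-regex to a user's isMemberOf values to list the accounts they may impersonate. The directory entries and account names are constructed; the leading-RDN comparison against surrogate-format is an assumption of this simulation.

```python
import re

# Taken from the posted configuration
SURROGATE_FORMAT = "cn=group-{surrogate}"
SURROGATE_SEARCH_FILTER = "(&(cn={user})(isMemberOf=" + SURROGATE_FORMAT + "))"
MEMBER_VALUE_REGEX = re.compile(r"cn=group-([^,]+)")

# Constructed directory (not real data): cn -> isMemberOf values
DIRECTORY = {
    "jdoe": [
        "cn=group-helpdesk,ou=groups,dc=example,dc=edu",
        "cn=group-asmith,ou=groups,dc=example,dc=edu",
        "cn=staff,ou=groups,dc=example,dc=edu",
    ],
    "asmith": ["cn=staff,ou=groups,dc=example,dc=edu"],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def build_surrogate_filter(user: str, surrogate: str) -> str:
    """Fill the {user}/{surrogate} placeholders the way the filter is meant
    to be evaluated; escaping keeps "*" or ")(" in a name from altering it."""
    return (SURROGATE_SEARCH_FILTER
            .replace("{user}", escape_filter_value(user))
            .replace("{surrogate}", escape_filter_value(surrogate)))


def eligible_surrogates(user: str) -> list:
    """Mirror member-attribute-value-regex: pull the 'friendly' name out of
    each matching group DN. Note every cn=group-* membership is listed, so
    a group like group-helpdesk shows up even if no such account exists."""
    names = []
    for dn in DIRECTORY.get(user, []):
        m = MEMBER_VALUE_REGEX.search(dn)
        if m:
            names.append(m.group(1))
    return names


def can_impersonate(user: str, surrogate: str) -> bool:
    """Mirror surrogate-search-filter: the user must hold a group whose
    leading RDN equals surrogate-format rendered for that surrogate."""
    wanted = SURROGATE_FORMAT.format(surrogate=surrogate)
    return any(dn.split(",", 1)[0] == wanted for dn in DIRECTORY.get(user, []))
```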