Thank you, Jonathon. I will have to look at doing it via LDAP. I was just 
trying to do it via a local JSON file. Is that the entirety of your 
surrogate config?

Thank you,
Matt

On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:

> Not sure if this helps, but we use impersonation with LDAP and we did not 
> have to use a groovy script.  We are on 6.5.8.  Here's an example of our 
> configuration:
>
> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
> cas.authn.surrogate.ldap.base-dn=.....
> # this filter gets the attributes of the account being impersonated
> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
> cas.authn.surrogate.ldap.use-start-tls=true
>
> # this is the format of the group that a person has to be in 
> # in order to impersonate the 'surrogate'
> cas.custom.properties.surrogate-format=cn=group-{surrogate}
> # this builds the list of authorized accounts for impersonation
> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
> # this extracts the 'friendly' name of the account to be impersonated
> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>
> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]> wrote:
>
>> I am using only LDAP (AD) as my attribute repository. 
>>
>>
>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>
>> I am trying to get it to resolve the impersonated user's attributes, but 
>> no luck.
>>
>> It appears that I have to have a groovy script: 
>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>
>> Here is my config so far:
>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>
>> If I do need the groovy script, which since it appears to be required, 
>> what should it be doing? Any examples?
>>
>> I can login and the impersonation works, but without attributes it's 
>> pretty useless.
>>
>> Thank you,
>> Matt
>>
>>
>
>
> -- 
> Jonathon Taylor
> Information Security Office
> [email protected]
>
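Added example, not code from this thread or from the CAS project: a small Python model of the authorization logic that Jonathon's LDAP properties express (surrogate-format, surrogate-search-filter, member-attribute-name and member-attribute-value-regex), plus the JSON-file alternative Matt is using. The directory entries and the JSON text are constructed sample data; the JSON layout (principal id mapped to a list of surrogate ids) and the filter-substitution helper are assumptions made for this illustration, not a statement of what CAS does internally. The helper also escapes the user value per RFC 4515 before it is placed in a filter, which is the check a reviewer wants on any code that builds LDAP filters from a login name.

```python
import json
import re

# Constructed sample directory: cn -> attributes (not real data).
DIRECTORY = {
    "alice": {"isMemberOf": [
        "cn=group-bob,ou=groups,dc=example,dc=org",
        "cn=group-carol,ou=groups,dc=example,dc=org",
        "cn=staff,ou=groups,dc=example,dc=org",
    ]},
    "bob": {"isMemberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
    "carol": {"isMemberOf": []},
}

# Values mirroring the properties posted in the thread.
SURROGATE_FORMAT = "cn=group-{surrogate}"          # cas.custom.properties.surrogate-format
MEMBER_ATTR = "isMemberOf"                         # member-attribute-name
MEMBER_VALUE_REGEX = re.compile(r"cn=group-([^,]+)")  # member-attribute-value-regex
SURROGATE_SEARCH_FILTER = "(&(cn={user})(" + MEMBER_ATTR + "=" + SURROGATE_FORMAT + "))"


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_search_filter(user, surrogate):
    """Assumed helper: substitute {user} and {surrogate} with escaped values."""
    return SURROGATE_SEARCH_FILTER.format(user=ldap_escape(user),
                                          surrogate=ldap_escape(surrogate))


def authorized_surrogates(user):
    """List the accounts `user` may impersonate, by applying the member-attribute
    regex to each isMemberOf value (the 'friendly name' extraction)."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return []
    found = []
    for value in entry.get(MEMBER_ATTR, []):
        match = MEMBER_VALUE_REGEX.search(value)
        if match:
            found.append(match.group(1))
    return sorted(found)


def can_impersonate(user, surrogate):
    """Authorization decision: the requester must hold a group whose name
    encodes the requested surrogate; unknown users are denied."""
    return surrogate in authorized_surrogates(user)


# Constructed JSON in the assumed layout of a file such as impersonations.json.
SAMPLE_JSON = '{"alice": ["bob", "carol"], "bob": []}'


def authorized_surrogates_from_json(text, user):
    """Same decision backed by a JSON map of principal -> list of surrogates."""
    table = json.loads(text)
    return sorted(table.get(user, []))


if __name__ == "__main__":
    print(build_search_filter("alice", "bob"))
    print(authorized_surrogates("alice"))
    print(can_impersonate("bob", "alice"))
```

Running the block prints the filter that would be sent for alice requesting bob, the list of accounts alice can impersonate, and a denial for bob trying to impersonate alice. Note that the LDAP path derives authorization from group membership in the directory, so membership changes take effect without touching CAS configuration, while the JSON file has to be edited and redeployed; either way the decision should be logged with both the requester and the surrogate identity so impersonated sessions can be audited.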

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a03242f3-b7ca-4eae-9314-f31346f7a7a0n%40apereo.org.