Also, does it return the surrogate user's attributes, or the authenticated
user's attributes?
Thank you,
Matt
On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
> trying to do it via a local JSON file. Is that the entirety of your
> surrogate config?
>
> Thank you,
> Matt
>
> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>
>> Not sure if this helps, but we use impersonation with LDAP and we did not
>> have to use a groovy script. We are on 6.5.8. Here's an example of our
>> configuration:
>>
>> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
>> cas.authn.surrogate.ldap.base-dn=.....
>> # this filter gets the attributes of the account being impersonated
>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
>> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
>> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
>> cas.authn.surrogate.ldap.use-start-tls=true
>>
>> # this is the format of the group that a person has to be in
>> # in order to impersonate the 'surrogate'
>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>> # this builds the list of authorized accounts for impersonation
>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>> # this extracts the 'friendly' name of the account to be impersonated
>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>
>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]> wrote:
>>
>>> I am using only LDAP (AD) as my attribute repository.
>>>
>>>
>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>
>>> I am trying to get it to resolve the impersonated user's attributes, but
>>> no luck.
>>>
>>> It appears that I have to have a groovy script:
>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>
>>> Here is my config so far:
>>>
>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>
>>> If I do need the groovy script, which since it appears to be required,
>>> what should it be doing? Any examples?
>>>
>>> I can login and the impersonation works, but without attributes it's
>>> pretty useless.
>>>
>>> Thank you,
>>> Matt
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>>
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>
>> --
>> Jonathon Taylor
>> Information Security Office
>> [email protected]
>>
>
--
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c65cc1de-a66a-4919-90e7-0f721344dbafn%40apereo.org.
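A worked illustration of the two lookups in Jonathon's LDAP configuration, added here as an example; it is not code from CAS or from either poster. It runs a tiny in-memory directory (constructed sample data) through the same steps the config describes: find the authenticated user's entry, pull the impersonable accounts out of `isMemberOf` with the `cn=group-([^,]+)` regex, check one surrogate with the `surrogate-search-filter`, and then fetch the impersonated account's own attributes with the `search-filter`. Assumptions of the example: the `{0}`, `{user}` and `{surrogate}` placeholders are filled like a plain template, the `surrogate-format` placeholder expands to a full group DN under `ou=groups`, the user's own entry is found with a `(cn={0})` filter, and every DN, group and address is invented. The RFC 4515 escaping of substituted values is the example's own; the thread says nothing about how CAS itself substitutes these placeholders. The `escape=False` path exists only to show what goes wrong without it: a surrogate name of `*` turns the membership check into a wildcard match.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory (DN -> attributes) standing in for the LDAP
# server in the configuration above; every DN, group and address is invented.
DIRECTORY: Dict[str, Entry] = {
    "cn=jtaylor,ou=people,dc=example,dc=edu": {
        "objectClass": ["person", "eduPerson"], "cn": ["jtaylor"],
        "isMemberOf": [
            "cn=group-helpdesk,ou=groups,dc=example,dc=edu",
            "cn=group-svc-portal,ou=groups,dc=example,dc=edu",
            "cn=staff,ou=groups,dc=example,dc=edu",  # ordinary group, not a grant
        ],
    },
    "cn=mgordon,ou=people,dc=example,dc=edu": {
        "objectClass": ["person", "eduPerson"], "cn": ["mgordon"],
        "isMemberOf": ["cn=staff,ou=groups,dc=example,dc=edu"],
    },
    "cn=helpdesk,ou=people,dc=example,dc=edu": {
        "objectClass": ["person", "eduPerson"], "cn": ["helpdesk"],
        "mail": ["helpdesk@example.edu"], "eduPersonAffiliation": ["staff"],
    },
}

# Templates in the shape of the configuration above. Assumptions: the
# surrogate-format placeholder expands to a full group DN under ou=groups, and
# the authenticated user's own entry is located with USER_FILTER.
SEARCH_FILTER = "(&(objectClass=eduPerson)(|(cn={0})))"
SURROGATE_SEARCH_FILTER = "(&(cn={user})(isMemberOf=cn=group-{surrogate},ou=groups,dc=example,dc=edu))"
USER_FILTER = "(cn={0})"
MEMBER_ATTRIBUTE = "isMemberOf"                       # member-attribute-name
MEMBER_VALUE_REGEX = re.compile(r"cn=group-([^,]+)")  # member-attribute-value-regex

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(template: str, values: Dict[str, str], escape: bool = True) -> str:
    """Fill {name} placeholders; escape=False reproduces the injectable form."""
    fill = lambda m: escape_filter_value(values[m.group(1)]) if escape else values[m.group(1)]
    return re.sub(r"\{(\w+)\}", fill, template)

def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse the (&...), (|...) and (attr=value) forms the templates use."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated filter list at offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, raw = s[i:j].split("=", 1)
    return ("=", attr, raw), j + 1

def _matches(entry: Entry, node: tuple) -> bool:
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(_matches(entry, k) for k in node[1])
    _, attr, raw = node
    # An unescaped '*' is a wildcard; \xx escapes inside literal pieces are decoded.
    # Case-insensitive string comparison is a simplification of LDAP DN matching.
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    pat = re.compile("^" + ".*".join(re.escape(unescape(p)) for p in raw.split("*")) + "$", re.I)
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(pat.match(v) for v in values)

def search(filter_string: str) -> List[Tuple[str, Entry]]:
    node, end = _parse(filter_string, 0)
    if end != len(filter_string):
        raise ValueError("trailing characters after filter")
    return [(dn, e) for dn, e in DIRECTORY.items() if _matches(e, node)]

def authorized_surrogates(username: str) -> List[str]:
    """Surrogate names extracted from the user's group-{surrogate} memberships."""
    names = []
    for _, entry in search(render_filter(USER_FILTER, {"0": username})):
        for value in entry.get(MEMBER_ATTRIBUTE, []):
            m = MEMBER_VALUE_REGEX.search(value)
            if m:
                names.append(m.group(1))
    return sorted(names)

def can_impersonate(username: str, surrogate: str, escape: bool = True) -> bool:
    """surrogate-search-filter: does the user hold the group for this surrogate?"""
    flt = render_filter(SURROGATE_SEARCH_FILTER, {"user": username, "surrogate": surrogate}, escape)
    return bool(search(flt))

def resolve_surrogate_attributes(surrogate: str) -> Optional[Entry]:
    """search-filter: the impersonated account's entry, or None unless exactly one hit."""
    hits = search(render_filter(SEARCH_FILTER, {"0": surrogate}))
    return hits[0][1] if len(hits) == 1 else None
```

With the sample directory, `authorized_surrogates("jtaylor")` yields `['helpdesk', 'svc-portal']`, `can_impersonate("jtaylor", "helpdesk")` is true, and `resolve_surrogate_attributes("helpdesk")` returns the helpdesk entry rather than jtaylor's, which is the distinction the question at the top of the thread is asking about. The `resolve_surrogate_attributes` function returns `None` for zero or multiple hits so that an ambiguous lookup cannot silently pick an entry, mirroring the intent of `principal-resolution-failure-fatal=true`.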