Thank you Jonathon.

On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
> Hi Matt,
>
> That is the entirety of our surrogate configuration. CAS will return the
> surrogate user's attributes, not the authenticated user's.
>
> Jonathon
>
> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon <[email protected]> wrote:
>
>> Also, does it return the surrogate user's attributes, or the authenticated
>> user's attributes?
>>
>> Thank you,
>> Matt
>>
>> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>>
>>> Thank you Jonathon. I will have to look at doing it via LDAP. I was just
>>> trying to do it via a local JSON file. Is that the entirety of your
>>> surrogate config?
>>>
>>> Thank you,
>>> Matt
>>>
>>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>>
>>>> Not sure if this helps, but we use impersonation with LDAP and we did
>>>> not have to use a groovy script. We are on 6.5.8. Here's an example of
>>>> our configuration:
>>>>
>>>> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
>>>> cas.authn.surrogate.ldap.base-dn=.....
>>>> # this filter gets the attributes of the account being impersonated
>>>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
>>>> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
>>>> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
>>>> cas.authn.surrogate.ldap.use-start-tls=true
>>>>
>>>> # this is the format of the group that a person has to be in
>>>> # in order to impersonate the 'surrogate'
>>>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>>>> # this builds the list of authorized accounts for impersonation
>>>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
>>>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>>>> # this extracts the 'friendly' name of the account to be impersonated
>>>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>>>
>>>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]> wrote:
>>>>
>>>>> I am using only LDAP (AD) as my attribute repository.
>>>>>
>>>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>>>
>>>>> I am trying to get it to resolve the impersonated user's attributes,
>>>>> but no luck.
>>>>>
>>>>> It appears that I have to have a groovy script:
>>>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>>>
>>>>> Here is my config so far:
>>>>>
>>>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>>>
>>>>> If I do need the groovy script, which since it appears to be required,
>>>>> what should it be doing? Any examples?
>>>>>
>>>>> I can log in and the impersonation works, but without attributes it's
>>>>> pretty useless.
>>>>>
>>>>> Thank you,
>>>>> Matt
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>>>
>>>> --
>>>> Jonathon Taylor
>>>> Information Security Office
>>>> [email protected]
>
> --
> Jonathon Taylor
> Information Security Office
> [email protected]
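As an added illustration (not code from the thread, nor from CAS itself), the Python below mimics how the three LDAP properties Jonathon quotes fit together: the surrogate-search-filter is rendered per (user, surrogate) pair from surrogate-format, and member-attribute-value-regex is applied to the authenticated user's isMemberOf values to recover the accounts that user is authorized to impersonate. The group DNs are constructed sample values, and the regex is applied unanchored because that is how it is written; whether CAS anchors the match is not stated in the thread.

```python
import re

# Constructed settings mirroring the properties quoted in the thread.
SURROGATE_FORMAT = "cn=group-{surrogate}"           # cas.custom.properties.surrogate-format
MEMBER_ATTRIBUTE_VALUE_REGEX = r"cn=group-([^,]+)"  # cas.authn.surrogate.ldap.member-attribute-value-regex

# Constructed isMemberOf values for one authenticated user (not real DNs).
SAMPLE_IS_MEMBER_OF = [
    "cn=group-svc-reports,ou=groups,dc=example,dc=edu",
    "cn=staff,ou=groups,dc=example,dc=edu",
    "cn=group-helpdesk-test,ou=groups,dc=example,dc=edu",
]


def surrogate_search_filter(user: str, surrogate: str) -> str:
    """Render the surrogate-search-filter for one (user, surrogate) pair.

    CAS substitutes {user} and expands ${cas.custom.properties.surrogate-format};
    here both are done by hand. Values are inserted verbatim, so a real client
    must still apply LDAP filter escaping (RFC 4515) to anything user-supplied.
    """
    group = SURROGATE_FORMAT.format(surrogate=surrogate)
    return f"(&(cn={user})(isMemberOf={group}))"


def authorized_surrogates(is_member_of: list[str]) -> list[str]:
    """Apply member-attribute-value-regex to each isMemberOf value.

    Ordinary groups (e.g. cn=staff) do not match and are skipped; for every
    match the first capture group is the 'friendly' name offered for impersonation.
    """
    pattern = re.compile(MEMBER_ATTRIBUTE_VALUE_REGEX)
    names = []
    for dn in is_member_of:
        match = pattern.search(dn)  # unanchored, as the quoted regex is written
        if match:
            names.append(match.group(1))
    return names


def may_impersonate(is_member_of: list[str], surrogate: str) -> bool:
    """Authorization check: the user may act as `surrogate` only if a
    cn=group-<surrogate> membership is present in isMemberOf."""
    return surrogate in authorized_surrogates(is_member_of)


if __name__ == "__main__":
    print(surrogate_search_filter("mgordon", "svc-reports"))
    print(authorized_surrogates(SAMPLE_IS_MEMBER_OF))
    print(may_impersonate(SAMPLE_IS_MEMBER_OF, "staff"))
```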
