Try this as well. https://fawnoos.com/2018/05/07/cas-impersonation-authn/
-Jeff

On Wed, Nov 23, 2022 at 8:21 PM Matthew Gordon <[email protected]> wrote:
> Thank you Jonathon.
>
> On Monday, November 14, 2022 at 10:16:12 PM UTC-5 Jonathon Taylor wrote:
>> Hi Matt,
>>
>> That is the entirety of our surrogate configuration. CAS will return the surrogate user attributes, not the authenticated user.
>>
>> Jonathon
>>
>> On Tue, Nov 8, 2022 at 12:37 PM Matthew Gordon <[email protected]> wrote:
>>> Also, does it return the surrogate user's attributes, or the authenticated user's attributes?
>>>
>>> Thank you,
>>> Matt
>>>
>>> On Monday, November 7, 2022 at 3:55:38 PM UTC-5 Matthew Gordon wrote:
>>>> Thank you Jonathon. I will have to look at doing it via LDAP. I was just trying to do it via a local JSON file. Is that the entirety of your surrogate config?
>>>>
>>>> Thank you,
>>>> Matt
>>>>
>>>> On Monday, October 31, 2022 at 12:51:47 PM UTC-4 Jonathon Taylor wrote:
>>>>> Not sure if this helps, but we use impersonation with LDAP and we did not have to use a groovy script. We are on 6.5.8. Here's an example of our configuration:
>>>>>
>>>>> cas.authn.surrogate.ldap.ldap-url=ldap://<ldap_server>
>>>>> cas.authn.surrogate.ldap.base-dn=.....
>>>>> # this filter gets the attributes of the account being impersonated
>>>>> cas.authn.surrogate.ldap.search-filter=(&(objectClass=eduPerson)(|(cn={0})))
>>>>> cas.authn.surrogate.ldap.bind-dn=<bind_dn>
>>>>> cas.authn.surrogate.ldap.bind-credential=<bind_pwd>
>>>>> cas.authn.surrogate.ldap.use-start-tls=true
>>>>>
>>>>> # this is the format of the group that a person has to be in
>>>>> # in order to impersonate the 'surrogate'
>>>>> cas.custom.properties.surrogate-format=cn=group-{surrogate}
>>>>> # this builds the list of authorized accounts for impersonation
>>>>> cas.authn.surrogate.ldap.surrogate-search-filter=(&(cn={user})(isMemberOf=${cas.custom.properties.surrogate-format}))
>>>>> cas.authn.surrogate.ldap.member-attribute-name=isMemberOf
>>>>> # this extracts the 'friendly' name of the account to be impersonated
>>>>> cas.authn.surrogate.ldap.member-attribute-value-regex=cn=group-([^,]+)
>>>>>
>>>>> On Fri, Oct 28, 2022 at 12:43 PM Matthew Gordon <[email protected]> wrote:
>>>>>> I am using only LDAP (AD) as my attribute repository.
>>>>>>
>>>>>> https://apereo.github.io/cas/6.5.x/authentication/Surrogate-Authentication.html#surrogate-principal-resolution
>>>>>>
>>>>>> I am trying to get it to resolve the impersonated user's attributes, but no luck.
>>>>>>
>>>>>> It appears that I have to have a groovy script:
>>>>>> cas.authn.surrogate.principal.principal-transformation.groovy.location=
>>>>>>
>>>>>> Here is my config so far:
>>>>>>
>>>>>> cas.authn.surrogate.json.location=file:/etc/cas/config/impersonations.json
>>>>>> cas.authn.surrogate.principal.attribute-resolution-enabled=true
>>>>>> cas.authn.surrogate.principal.active-attribute-repository-ids=core
>>>>>> cas.authn.surrogate.principal.principal-resolution-conflict-strategy=last
>>>>>> cas.authn.surrogate.principal.principal-resolution-failure-fatal=true
>>>>>>
>>>>>> If I do need the groovy script (since it appears to be required), what should it be doing? Any examples?
>>>>>>
>>>>>> I can log in and the impersonation works, but without attributes it's pretty useless.
>>>>>>
>>>>>> Thank you,
>>>>>> Matt
>>>>>>
>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/6ec4d3ed-8cd8-4e32-96d6-81cb48d9fcecn%40apereo.org
>>>>>> >>>>> >>>>> >>>>> -- >>>>> Jonathon Taylor >>>>> Information Security Office >>>>> [email protected] >>>>> >>>> >> >> -- >> Jonathon Taylor >> Information Security Office >> [email protected] >> > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/e180d6e6-67c7-4d6d-80d3-4ae0f176143dn%40apereo.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/e180d6e6-67c7-4d6d-80d3-4ae0f176143dn%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BTBYOSiZp4YqdS-y_Vp%3DwkCxuRSpH%2BOBLUUze2pa-JJishV5w%40mail.gmail.com.
