CAS 6.6.7
with…
implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
implementation "org.apereo.cas:cas-server-support-surrogate-authentication-ldap"

relevant configuration:
cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))
cas.authn.surrogate.ldap.member-attribute-name=naueduimpersonationallowed
cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}

Surrogate appears to be available to all authenticating users to surrogate as 
any other user, regardless of the success/failure of either 
‘cas.authn.surrogate.ldap.search-filter’ or 
‘cas.authn.surrogate.ldap.member-attribute-name’ configurations.
Can anyone confirm Surrogate working in CAS 6.6.7 or comment on our 
configuration & erroneous outcome?

Note: All LDAP connections, DNs and attributes, are working as expected.

With TRACE logging enabled, we see…
For: [cas.authn.surrogate.ldap.search-filter] we see the LDAP search with no 
results, but then it just continues and executes the surrogate search for the 
casuser,

2023-04-17 16:58:54,627 -0700 DEBUG [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] - <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=casuser, attributes={naueducriticalmessagingredirect=[TRUE]}), surrogate=SimplePrincipal(id=theSurrogate, attributes={}))] will be checked for surrogate eligibility next for [theSurrogate]...>
2023-04-17 16:58:54,635 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to find eligible accounts: [[org.ldaptive.FilterTemplate@-1904898323::filter=(&(uid={0})(memberOf=canSurrogate)), parameters={0=casuser}]]>
2023-04-17 16:58:54,716 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: [org.ldaptive.SearchResponse@1700373068::messageID=5, controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=, referralURLs=[], entries=[], references=[]]>
2023-04-17 16:58:54,716 -0700 WARN [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response is not found or does not contain a result entry for [casuser]>
2023-04-17 16:58:54,717 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to locate surrogate accounts for [casuser]: [[org.ldaptive.FilterTemplate@-2008181007::filter=uid={0}, parameters={0=casuser}]]>
2023-04-17 16:58:54,796 -0700 DEBUG [org.apereo.cas.util.LdapUtils] - <Constructed LDAP search filter [uid=casuser]>
2023-04-17 16:58:54,810 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: XXXXXexcludedXXXXX

We do not see ANY log lines regarding the 
[cas.authn.surrogate.ldap.member-attribute-name] configuration.
The ‘casuser’ has no attribute as defined on their DN, let alone one specified 
for the surrogate user, so is also expected to fail as a surrogate.

Side note: We were hoping to use Surrogate to allow a small set of users to 
impersonate _any_ user on a [TEST] CAS environment. I had hoped to use 
‘cas.authn.surrogate.ldap.member-attribute-name’ with (existence) a TRUE set, 
but now understand that without the matching REGEX config, it’s just supposed 
to look for the surrogate user string in the attribute (i.e. ‘theSurrogate’). We 
then tried using ‘cas.authn.surrogate.ldap.search-filter’ as a pass/fail for 
surrogate ability, which also does not appear to work as expected. Regardless, 
trying to understand what we’re missing in our config and if we can even 
achieve what we’re needing out of the box.

Much thanks in advance,
—
Raymond Walker
Software Systems Engineer Lead
ITS Northern Arizona University
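While the configuration question above is being worked out, an operator will want a way to find any session in the CAS logs where the surrogate lookup went ahead even though the eligibility search returned no entry, which is exactly the sequence the WARN line above records. The following script is an added example, not code from the post or from the CAS project. It assumes the log line format shown in the post (timestamp, level, logger in brackets, message in angle brackets) and the message wording of the `SurrogateLdapAuthenticationService` and `SurrogateAuthenticationPostProcessor` lines as quoted there; the first session in the sample is a single-line copy of the post's own records, and the second session (user `admin1`, surrogate `bob`) is constructed to show what a normal, non-flagged sequence looks like.

```python
"""Audit CAS surrogate DEBUG/WARN logs for eligibility-check bypass patterns.

A finding is raised when, for the same primary user, the eligibility search
logged "does not contain a result entry for [user]" and the flow nevertheless
continued to "locate surrogate accounts for [user]".
"""
import re
from dataclasses import dataclass

# Log record layout as it appears in the post (assumption: same layout everywhere).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$"
)
# Message fragments taken from the quoted log lines.
CHECK_RE = re.compile(
    r"primary=SimplePrincipal\(id=(?P<primary>[^,)]+)"
    r".*?surrogate=SimplePrincipal\(id=(?P<surrogate>[^,)]+)"
)
NO_ENTRY_RE = re.compile(r"does not contain a result entry for \[(?P<user>[^\]]+)\]")
LOCATE_RE = re.compile(r"locate surrogate accounts for \[(?P<user>[^\]]+)\]")


@dataclass
class Finding:
    ts: str
    primary: str
    surrogate: str
    reason: str


def audit_surrogate_log(lines):
    """Return a Finding for every surrogate lookup that ran after a failed eligibility search."""
    requested = {}   # primary user -> surrogate id announced on the "will be checked" line
    failed = set()   # primary users whose eligibility search returned no entry
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped, truncated or unrelated lines are skipped
        msg = m["msg"]
        c = CHECK_RE.search(msg)
        if c:
            requested[c["primary"]] = c["surrogate"]
            failed.discard(c["primary"])  # a new attempt resets earlier state
            continue
        n = NO_ENTRY_RE.search(msg)
        if n and m["level"] == "WARN":
            failed.add(n["user"])
            continue
        l = LOCATE_RE.search(msg)
        if l and l["user"] in failed:
            findings.append(Finding(
                ts=m["ts"], primary=l["user"],
                surrogate=requested.get(l["user"], "?"),
                reason="surrogate lookup ran after eligibility search returned no entry",
            ))
            failed.discard(l["user"])
    return findings


# Constructed sample: session 1 is the post's records joined onto single lines;
# session 2 (admin1 -> bob, eligibility search returning an entry) is made up.
SAMPLE_LOG = """\
2023-04-17 16:58:54,627 -0700 DEBUG [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] - <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=casuser, attributes={naueducriticalmessagingredirect=[TRUE]}), surrogate=SimplePrincipal(id=theSurrogate, attributes={}))] will be checked for surrogate eligibility next for [theSurrogate]...>
2023-04-17 16:58:54,635 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to find eligible accounts: [[org.ldaptive.FilterTemplate@-1904898323::filter=(&(uid={0})(memberOf=canSurrogate)), parameters={0=casuser}]]>
2023-04-17 16:58:54,716 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: [org.ldaptive.SearchResponse@1700373068::messageID=5, controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=, referralURLs=[], entries=[], references=[]]>
2023-04-17 16:58:54,716 -0700 WARN [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response is not found or does not contain a result entry for [casuser]>
2023-04-17 16:58:54,717 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to locate surrogate accounts for [casuser]: [[org.ldaptive.FilterTemplate@-2008181007::filter=uid={0}, parameters={0=casuser}]]>
2023-04-17 16:58:54,796 -0700 DEBUG [org.apereo.cas.util.LdapUtils] - <Constructed LDAP search filter [uid=casuser]>
2023-04-17 17:02:10,001 -0700 DEBUG [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] - <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=admin1, attributes={}), surrogate=SimplePrincipal(id=bob, attributes={}))] will be checked for surrogate eligibility next for [bob]...>
2023-04-17 17:02:10,020 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: [org.ldaptive.SearchResponse@1::messageID=7, resultCode=SUCCESS, entries=[uid=admin1,ou=people,dc=example,dc=org]]>
2023-04-17 17:02:10,025 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to locate surrogate accounts for [admin1]: [[org.ldaptive.FilterTemplate@2::filter=uid={0}, parameters={0=admin1}]]>
"""

if __name__ == "__main__":
    for f in audit_surrogate_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} primary={f.primary} surrogate={f.surrogate}: {f.reason}")
```

Run against a real `cas.log` with `audit_surrogate_log(open("cas.log"))`; only the first session is reported, because only there does the WARN precede the surrogate lookup for the same primary user. The check keys on message wording rather than on a structured event, so it should be re-validated whenever CAS is upgraded.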

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com.
