Hi Raymond,

I can confirm that surrogate works for us in 6.6.7.  I *think* that maybe
you have these two properties reversed:

cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))

cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}


We have:


cas.authn.surrogate.ldap.search-filter=(&(objectClass=person)(uid={0}))
cas.authn.surrogate.ldap.surrogate-search-filter=(&(uid={user})(memberOf=${ourCustomSurrogateGroups}))


On Wed, Apr 19, 2023 at 2:42 AM 'Raymond Drew Walker' via CAS Community <cas-user@apereo.org> wrote:

> CAS 6.6.7
>
> with…
>
> implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
>
> implementation
> "org.apereo.cas:cas-server-support-surrogate-authentication-ldap"
>
>
>
> relevant configuration:
>
> cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))
>
> cas.authn.surrogate.ldap.member-attribute-name=naueduimpersonationallowed
>
> cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}
>
>
>
> Surrogate appears to be available to all authenticating users to surrogate
> as any other user, regardless of the success/failure of either
> ‘cas.authn.surrogate.ldap.search-filter’ or
> ‘cas.authn.surrogate.ldap.member-attribute-name’ configurations.
>
> Can anyone confirm Surrogate working in CAS 6.6.7 or comment on our
> configuration & erroneous outcome?
>
>
>
> Note: All LDAP connections, DNs and attributes, are working as expected.
>
>
>
> With TRACE logging enabled, we see…
>
> For: [cas.authn.surrogate.ldap.search-filter] we see the LDAP search with
> no results, but then it just continues and executes the surrogate search
> for the casuser,
>
>
>
> 2023-04-17 16:58:54,627 -0700 DEBUG
> [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] -
> <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=casuser,
> attributes={naueducriticalmessagingredirect=[TRUE]}),
> surrogate=SimplePrincipal(id=theSurrogate, attributes={}))] will be checked
> for surrogate eligibility next for [theSurrogate]...>
>
> 2023-04-17 16:58:54,635 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <Using search filter to find eligible accounts:
> [[org.ldaptive.FilterTemplate@-1904898323::filter=(&(uid={0})(memberOf=canSurrogate)), parameters={0=casuser}]]>
>
> 2023-04-17 16:58:54,716 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response: [org.ldaptive.SearchResponse@1700373068::messageID=5,
> controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=,
> referralURLs=[], entries=[], references=[]]>
>
> 2023-04-17 16:58:54,716 -0700 WARN
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response is not found or does not contain a result entry for
> [casuser]>
>
> 2023-04-17 16:58:54,717 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <Using search filter to locate surrogate accounts for [casuser]:
> [[org.ldaptive.FilterTemplate@-2008181007::filter=uid={0}, parameters={0=casuser}]]>
>
> 2023-04-17 16:58:54,796 -0700 DEBUG [org.apereo.cas.util.LdapUtils] -
> <Constructed LDAP search filter [uid=casuser]>
>
> 2023-04-17 16:58:54,810 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response: XXXXXexcludedXXXXX
>
>
>
> We do not see ANY log lines regarding the
> [cas.authn.surrogate.ldap.member-attribute-name] configuration.
>
> The ‘casuser’ has no attribute as defined on their DN, let alone one
> specified for the surrogate user, so is also expected to fail as a
> surrogate.
>
>
>
> Side note: We were hoping to use Surrogate to allow a small set of users
> to impersonate _*any*_ user on a [TEST] CAS environment. I had hoped to use
> ‘cas.authn.surrogate.ldap.member-attribute-name’ with (existence) a TRUE
> set, but now understand that without the matching REGEX config, it’s just
> supposed to look for the surrogate user string in the attribute (i.e.
> ‘theSurrogate’). We then tried using
> ‘cas.authn.surrogate.ldap.search-filter’ as a pass/fail for surrogate
> ability, which also does not appear to work as expected. Regardless, we are trying
> to understand what we’re missing in our config and whether we can even achieve
> what we need out of the box.
>
>
>
> Much thanks in advance,
>
> —
>
> Raymond Walker
> Software Systems Engineer Lead
> ITS Northern Arizona University
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com?utm_medium=email&utm_source=footer>
> .
>


-- 
Jonathon Taylor
Information Security Office
jonath...@berkeley.edu
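To make the difference between the two filters concrete, here is an added example (not code or configuration from CAS, from the reply above, or from the original post) that renders both filter templates the way the TRACE log shows them, with `{0}` and `{user}` replaced by the authenticated uid, evaluates them against a constructed in-memory directory, and then looks for the requested surrogate id in the `member-attribute-name` attribute of whatever the second filter returned. The directory entries, the `helpdesk1` uid and the group name `canSurrogate` standing in for `${ourCustomSurrogateGroups}` are all assumptions, and so is the closing rule that every step must succeed before impersonation is allowed; it is a model for reasoning about which property does which job, not a reproduction of how CAS itself decides.

```python
PREFIX = "cas.authn.surrogate.ldap."

# Constructed directory entries (not from the thread): uid -> attributes.
DIRECTORY = {
    "casuser": {"objectClass": ["person"], "uid": ["casuser"], "memberOf": [],
                "naueduimpersonationallowed": []},
    "helpdesk1": {"objectClass": ["person"], "uid": ["helpdesk1"],
                  "memberOf": ["canSurrogate"],
                  "naueduimpersonationallowed": ["theSurrogate"]},
    "theSurrogate": {"objectClass": ["person"], "uid": ["theSurrogate"],
                     "memberOf": [], "naueduimpersonationallowed": []},
}

# Shape of the reply's configuration; ${ourCustomSurrogateGroups} is replaced
# by the constructed group name "canSurrogate".
REPLY_CONFIG = {
    PREFIX + "search-filter": "(&(objectClass=person)(uid={0}))",
    PREFIX + "surrogate-search-filter": "(&(uid={user})(memberOf=canSurrogate))",
    PREFIX + "member-attribute-name": "naueduimpersonationallowed",
}

# The original poster's configuration, as given in the thread.
POSTER_CONFIG = {
    PREFIX + "search-filter": "(&(uid={0})(memberOf=canSurrogate))",
    PREFIX + "surrogate-search-filter": "uid={0}",
    PREFIX + "member-attribute-name": "naueduimpersonationallowed",
}


def render(template, user):
    """Fill both placeholder spellings with the authenticated (primary) uid."""
    return template.replace("{0}", user).replace("{user}", user)


def parse_filter(text):
    """Parse (&...), (|...), (!...) and attr=value. A bare 'uid=x' without
    parentheses is accepted because the log shows CAS passing one through."""
    if not text.startswith("("):
        attr, _, value = text.partition("=")
        return ("=", attr.strip(), value.strip())
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree


def attribute_values(entry, name):
    """LDAP attribute names are case-insensitive; look the value list up that way."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    op = tree[0]
    if op == "=":
        values = attribute_values(entry, tree[1])
        if tree[2] == "*":
            return bool(values)
        return any(v.lower() == tree[2].lower() for v in values)
    children = tree[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # "!"


def search(directory, filter_text):
    """Return the uids of the entries a rendered filter matches."""
    tree = parse_filter(filter_text)
    return [uid for uid, entry in directory.items() if matches(tree, entry)]


def surrogate_decision(config, directory, primary, surrogate):
    """Run both filters for the primary user, then look for the surrogate id in
    the member attribute of the entries the second filter returned."""
    primary_hits = search(directory, render(config[PREFIX + "search-filter"], primary))
    eligible = search(directory, render(config[PREFIX + "surrogate-search-filter"], primary))
    member_attr = config[PREFIX + "member-attribute-name"]
    listed = any(surrogate in attribute_values(directory[uid], member_attr) for uid in eligible)
    return {
        "primary_found": bool(primary_hits),
        "eligible_entries": eligible,
        "surrogate_listed": listed,
        "allowed": bool(primary_hits) and listed,  # model's rule, not CAS's
    }


if __name__ == "__main__":
    for cfg_name, cfg in (("reply", REPLY_CONFIG), ("poster", POSTER_CONFIG)):
        for primary in ("casuser", "helpdesk1"):
            print(cfg_name, primary, "->", surrogate_decision(cfg, DIRECTORY, primary, "theSurrogate"))
```

Running it shows where each configuration does its gatekeeping: with the reply's shape, `casuser` is found by the first filter but the group-restricted second filter returns no entries, so nothing can list a surrogate; with the poster's shape, the first filter returns nothing for `casuser` (the `entries=[]` response in the log) while the bare `uid=casuser` second filter still returns the user's own entry, so the decision then rests entirely on the member attribute.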
