Hi Raymond,
I can confirm that surrogate works for us in 6.6.7. I *think* that maybe
you have these two properties reversed:
cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))
cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}
We have:
cas.authn.surrogate.ldap.search-filter=(&(objectClass=person)(uid={0}))
cas.authn.surrogate.ldap.surrogate-search-filter=(&(uid={user})(memberOf=${ourCustomSurrogateGroups}))
On Wed, Apr 19, 2023 at 2:42 AM 'Raymond Drew Walker' via CAS Community <[email protected]> wrote:
> CAS 6.6.7
>
> with…
>
> implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
>
> implementation "org.apereo.cas:cas-server-support-surrogate-authentication-ldap"
>
> relevant configuration:
>
> cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))
>
> cas.authn.surrogate.ldap.member-attribute-name=naueduimpersonationallowed
>
> cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}
>
> Surrogate appears to be available to all authenticating users to surrogate
> as any other user, regardless of the success/failure of either
> ‘cas.authn.surrogate.ldap.search-filter’ or
> ‘cas.authn.surrogate.ldap.member-attribute-name’ configurations.
>
> Can anyone confirm Surrogate working in CAS 6.6.7 or comment on our
> configuration & erroneous outcome?
>
> Note: All LDAP connections, DNs and attributes, are working as expected.
>
> With TRACE logging enabled, we see…
>
> For: [cas.authn.surrogate.ldap.search-filter] we see the LDAP search with
> no results, but then it just continues and executes the surrogate search
> for the casuser,
>
> 2023-04-17 16:58:54,627 -0700 DEBUG
> [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] -
> <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=casuser,
> attributes={naueducriticalmessagingredirect=[TRUE]}),
> surrogate=SimplePrincipal(id=theSurrogate, attributes={}))] will be checked
> for surrogate eligibility next for [theSurrogate]...>
>
> 2023-04-17 16:58:54,635 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <Using search filter to find eligible accounts:
> [[org.ldaptive.FilterTemplate@-1904898323::filter=(&(uid={0})(
> memberOf=canSurrogate)), parameters={0=casuser}]]>
>
> 2023-04-17 16:58:54,716 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response: [org.ldaptive.SearchResponse@1700373068::messageID=5,
> controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=,
> referralURLs=[], entries=[], references=[]]>
>
> 2023-04-17 16:58:54,716 -0700 WARN
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response is not found or does not contain a result entry for
> [casuser]>
>
> 2023-04-17 16:58:54,717 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <Using search filter to locate surrogate accounts for [casuser]:
> [[org.ldaptive.FilterTemplate@-2008181007::filter=uid={0},
> parameters={0=casuser}]]>
>
> 2023-04-17 16:58:54,796 -0700 DEBUG [org.apereo.cas.util.LdapUtils] -
> <Constructed LDAP search filter [uid=casuser]>
>
> 2023-04-17 16:58:54,810 -0700 DEBUG
> [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService]
> - <LDAP response: XXXXXexcludedXXXXX
>
> We do not see ANY log lines regarding the
> [cas.authn.surrogate.ldap.member-attribute-name] configuration.
>
> The ‘casuser’ has no attribute as defined on their DN, let alone one
> specified for the surrogate user, so is also expected to fail as a
> surrogate.
>
> Side note: We were hoping to use Surrogate to allow a small set of users to
> impersonate _*any*_ user on a [TEST] CAS environment. I had hoped to use
> ‘cas.authn.surrogate.ldap.member-attribute-name’ with (existence) a TRUE
> set, but now understand that without the matching REGEX config, it’s just
> supposed to look for the surrogate user string in the attribute (i.e.
> ‘theSurrogate’). We then tried using
> ‘cas.authn.surrogate.ldap.search-filter’ as a pass/fail for surrogate
> ability, which also does not appear to work as expected. Regardless, trying
> to understand what we’re missing in our config and if we can even achieve
> what we’re needing out of the box.
>
> Much thanks in advance,
>
> —
>
> Raymond Walker
> Software Systems Engineer Lead
> ITS Northern Arizona University
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com?utm_medium=email&utm_source=footer>
> .
>
--
Jonathon Taylor
Information Security Office
[email protected]
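As an added example (not CAS or ldaptive code), a small dry-run harness for the filter templates discussed in this thread: it fills the {0} and {user} placeholders with RFC 4515 escaping, evaluates the AND/equality filters both configs use against a constructed in-memory directory, and applies the member-attribute check as the thread describes it (the surrogate id must appear as a value). The uids, group DN and attribute name are invented for the example.

```python
import re

# Constructed in-memory stand-in for LDAP, keyed by uid (invented data, not from the thread).
DIRECTORY = {
    "casuser": {"objectClass": ["person"], "uid": ["casuser"], "memberOf": []},
    "helpdesk1": {"objectClass": ["person"], "uid": ["helpdesk1"],
                  "memberOf": ["cn=canSurrogate,ou=groups,dc=example,dc=org"],
                  "impersonationAllowed": ["theSurrogate"]},
}

def ldap_escape(value):
    """RFC 4515 escaping so an unusual username cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def render_filter(template, user):
    """Fill both placeholder spellings seen in the thread's configs ({0} and {user})."""
    return template.replace("{0}", ldap_escape(user)).replace("{user}", ldap_escape(user))

def _components(body):
    """Split '(a=b)(c=d)' into its top-level parenthesised components."""
    depth, start, parts = 0, 0, []
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0: start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0: parts.append(body[start:i + 1])
    return parts

def matches(entry, flt):
    """Evaluate the filter subset these configs use: AND lists and equality matches."""
    flt = flt.strip()
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    if flt.startswith("&"):
        return all(matches(entry, sub) for sub in _components(flt[1:]))
    attr, _, value = flt.partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return value in entry.get(attr, [])

def search(template, user):
    """Dry-run a configured filter template for one user; returns matching uids."""
    rendered = render_filter(template, user)
    return sorted(e["uid"][0] for e in DIRECTORY.values() if matches(e, rendered))

def member_allows(uid, attribute, surrogate):
    """member-attribute-name check: the surrogate id must be one of the attribute's values."""
    return surrogate in DIRECTORY.get(uid, {}).get(attribute, [])
```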