CAS 6.6.7 with…

implementation "org.apereo.cas:cas-server-support-surrogate-webflow"
implementation "org.apereo.cas:cas-server-support-surrogate-authentication-ldap"

Relevant configuration:

cas.authn.surrogate.ldap.search-filter=(&(uid={0})(memberOf=canSurrogate))
cas.authn.surrogate.ldap.member-attribute-name=naueduimpersonationallowed
cas.authn.surrogate.ldap.surrogate-search-filter=uid={0}

Surrogate appears to be available to all authenticating users to surrogate as any other user, regardless of the success/failure of either the ‘cas.authn.surrogate.ldap.search-filter’ or ‘cas.authn.surrogate.ldap.member-attribute-name’ configuration.

Can anyone confirm Surrogate working in CAS 6.6.7, or comment on our configuration and the erroneous outcome?

Note: All LDAP connections, DNs and attributes are working as expected.

With TRACE logging enabled, we see…

For [cas.authn.surrogate.ldap.search-filter] we see the LDAP search with no results, but then it just continues and executes the surrogate search for the casuser:

2023-04-17 16:58:54,627 -0700 DEBUG [org.apereo.cas.authentication.SurrogateAuthenticationPostProcessor] - <Authenticated [SurrogatePrincipal(primary=SimplePrincipal(id=casuser, attributes={naueducriticalmessagingredirect=[TRUE]}), surrogate=SimplePrincipal(id=theSurrogate, attributes={}))] will be checked for surrogate eligibility next for [theSurrogate]...>
2023-04-17 16:58:54,635 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to find eligible accounts: [[org.ldaptive.FilterTemplate@-1904898323::filter=(&(uid={0})(memberOf=canSurrogate)), parameters={0=casuser}]]>
2023-04-17 16:58:54,716 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: [org.ldaptive.SearchResponse@1700373068::messageID=5, controls=[], resultCode=SUCCESS, matchedDN=, diagnosticMessage=, referralURLs=[], entries=[], references=[]]>
2023-04-17 16:58:54,716 -0700 WARN [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response is not found or does not contain a result entry for [casuser]>
2023-04-17 16:58:54,717 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <Using search filter to locate surrogate accounts for [casuser]: [[org.ldaptive.FilterTemplate@-2008181007::filter=uid={0}, parameters={0=casuser}]]>
2023-04-17 16:58:54,796 -0700 DEBUG [org.apereo.cas.util.LdapUtils] - <Constructed LDAP search filter [uid=casuser]>
2023-04-17 16:58:54,810 -0700 DEBUG [org.apereo.cas.authentication.surrogate.SurrogateLdapAuthenticationService] - <LDAP response: XXXXXexcludedXXXXX

We do not see ANY log lines regarding the [cas.authn.surrogate.ldap.member-attribute-name] configuration. The ‘casuser’ has no attribute as defined on their DN, let alone one specified for the surrogate user, so is also expected to fail as a surrogate.

Side note: We were hoping to use Surrogate to allow a small set of users to impersonate _any_ user on a [TEST] CAS environment. I had hoped to use ‘cas.authn.surrogate.ldap.member-attribute-name’ with (existence) a TRUE set, but now understand that without the matching REGEX config, it’s just supposed to look for the surrogate user string in the attribute (i.e. ‘theSurrogate’). We then tried using ‘cas.authn.surrogate.ldap.search-filter’ as a pass/fail for surrogate ability, which also does not appear to work as expected.

Regardless, we are trying to understand what we’re missing in our config and if we can even achieve what we’re needing out of the box.

Many thanks in advance,

— Raymond Walker
Software Systems Engineer Lead
ITS
Northern Arizona University
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BYAPR18MB2632F99B625E9716AA8F1FC8989D9%40BYAPR18MB2632.namprd18.prod.outlook.com.
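Added example (not part of Raymond's post and not CAS's own code): a small Python reference model of the access decision the three properties in the post are meant to express, written fail-closed so that an empty result for the search-filter denies impersonation instead of falling through to the surrogate lookup, which is the point at which the TRACE log above shows the flow continuing. The in-memory directory is constructed (only casuser and theSurrogate are names from the post), the filter matcher handles only AND-ed equality assertions of the shapes used in the post, and the optional regex key is an assumption about that property's name and semantics.

```python
import re
from typing import Dict, List, Tuple

# Constructed in-memory stand-in for the LDAP directory (hypothetical entries;
# only "casuser" and "theSurrogate" are names taken from the post).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "casuser": {"naueducriticalmessagingredirect": ["TRUE"]},
    "helpdesk": {"memberOf": ["canSurrogate"],
                 "naueduimpersonationallowed": ["theSurrogate"]},
    "theSurrogate": {},
}

# The three properties from the post. An optional "member-attribute-value-regex"
# key may be added; its name and semantics are an assumption in this model.
CONFIG = {
    "search-filter": "(&(uid={0})(memberOf=canSurrogate))",
    "member-attribute-name": "naueduimpersonationallowed",
    "surrogate-search-filter": "uid={0}",
}


def ldap_search(filter_template: str, param: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Evaluate a filter of AND-ed equality assertions against DIRECTORY.

    Supports exactly the shapes used in the post: (&(a=v)(b=v)) and a=v,
    with {0} substituted by the supplied parameter.
    """
    flt = filter_template.replace("{0}", param)
    assertions = re.findall(r"([\w.-]+)=([^()&|!]+)", flt)
    hits = []
    for uid, attrs in DIRECTORY.items():
        entry = {"uid": [uid], **attrs}
        if all(value in entry.get(attr, []) for attr, value in assertions):
            hits.append((uid, entry))
    return hits


def surrogate_eligible(primary: str, surrogate: str, cfg=CONFIG) -> Tuple[bool, str]:
    """Decide whether `primary` may act as `surrogate`; returns (decision, reason)."""
    # 1. Fail closed: no entry for the primary under search-filter ends the flow.
    hits = ldap_search(cfg["search-filter"], primary)
    if not hits:
        return False, f"search-filter returned no entry for {primary}"
    _, entry = hits[0]

    # 2. member-attribute-name: without a regex, the attribute must list the
    #    surrogate id itself (the reading of the property given in the post).
    #    With a regex (assumed semantics), any value matching it grants access.
    values = entry.get(cfg["member-attribute-name"], [])
    regex = cfg.get("member-attribute-value-regex")
    if regex is not None:
        allowed = any(re.fullmatch(regex, v) for v in values)
    else:
        allowed = surrogate in values
    if not allowed:
        return False, f"{cfg['member-attribute-name']} does not authorise {surrogate}"

    # 3. The surrogate account itself must resolve via surrogate-search-filter.
    if not ldap_search(cfg["surrogate-search-filter"], surrogate):
        return False, f"surrogate account {surrogate} not found"
    return True, "eligible"


if __name__ == "__main__":
    for primary, surrogate in [("casuser", "theSurrogate"),
                               ("helpdesk", "theSurrogate"),
                               ("helpdesk", "casuser")]:
        print(primary, "->", surrogate, surrogate_eligible(primary, surrogate))
```

Run as a script, the first pair (casuser, the case in the post's log) is denied at step 1, the constructed helpdesk account is allowed for theSurrogate only, and a regex entry in CONFIG turns the member attribute into a blanket grant limited to accounts that actually exist.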