worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10271 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: adb6526dc9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'adb6526dc9'
${ noResults }
lemonldap-ng/doc/sources/admin/impersonation.rst

84 lines
2.6 KiB
Raw Blame History

Impersonation plugin
====================
This plugin allows certain users to assume the identity of another user.
A privileged user first logs in with its real account and can then
choose another profile to appear as. This feature can be especially
useful for training/learning or development platforms.
.. attention::
This plugin should not be used on production instance,
prefer :doc:`ContextSwitching plugin<contextswitching>`.
Configuration
-------------
Just enable it in the Manager (section “plugins”) by setting a rule.
Impersonation can be allowed or denied for specific users. Furthermore,
specific identities like administrators or anonymous users can be
protected from being impersonated.
- **Parameters**:
- **Use rule**: Rule to allow/deny users to impersonate or define
which users may use this plugin.
- **Identities use rule**: Rule to define which identities can be
assumed. Useful to prevent impersonation of certain sensitive
identities like CEO, administrators or anonymous/protected users
- **Unrestricted users rule**: Rule to define which users can assume
ALL users. ``Identities use rule`` is bypassed.
- **Hidden attributes**: Attributes not displayed
- **Skip empty values**: Do not use empty profile attributes
- **Merge spoofed and real SSO groups**: Can be useful for
administrators to keep higher privileges. "Special rule" field can
be used to set SSO groups to merge if exist in real session.
Multivalue ``separator`` is used. By example :
``su; admins; anonymous``
.. danger::
You HAVE TO modify **REMOTE_USER** to log both real AND
spoofed uid.
Set a macro like this :
``_whatToTrace`` -> ``$real__user ? "$real__user/$_user" : "$_user/$_user"``
and set ``General Parameters > Logs > REMOTE_USER`` with ``_whatToTrace``
.. attention::
Both spoofed and real session attributes can be used to
set access rules, groups or macros.
By example : ``$real_uid eq 'dwho'`` or ``$real_groups =~ /\bsu\b/``
Keep in mind that real session is computed first. Afterward, if access
is granted, impersonated session is computed with real and spoofed
session attributes if Impersonation is allowed.
.. attention::
By example, to prevent impersonation as 'dwho' set
**Identities use rule** like :
``$uid ne 'dwho'``
impersonationPrefix is used to rename user's real profile attributes.
You can set real attributes prefix ('real\_' by default) by editing
``lemonldap-ng.ini`` in section [portal]:
.. code-block:: ini
[portal]
impersonationPrefix = real_