2019-04-09 22:26:40 +02:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:impersonation</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,impersonation" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="impersonation.html" />
<link rel="contents" href="impersonation.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS = 'documentation:2.0'; var JSINFO = {"id": "documentation:2.0:impersonation", "namespace": "documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="impersonation_plugin">Impersonation plugin</h1>
<div class="level1">
<p>
This plugin allows certain users to assume the identity of another user. A privileged user first logs in with their real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
</p>
</div>
<!-- EDIT1 SECTION "Impersonation plugin" [1 - 303] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.
</p>
<ul>
<li class="level1"><div class="li"><strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"><strong>Use rule</strong>: Select which users may use this plugin</div>
</li>
<li class="level2"><div class="li"><strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
</li>
<li class="level2"><div class="li"><strong>Real attributes prefix</strong>: Prefix used to rename the real user's profile attributes.</div>
</li>
<li class="level2"><div class="li"><strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>
<li class="level2"><div class="li"><strong>Skip empty values</strong>: Do not use empty profile attributes</div>
</li>
<li class="level2"><div class="li"><strong>Merge spoofed and real <abbr title="Single Sign On">SSO</abbr> groups</strong>: Can be useful for administrators to keep higher privileges. The “Special rule” field can be used to set the <abbr title="Single Sign On">SSO</abbr> groups to merge if they exist in the real session. The multivalue <code>separator</code> is used. For example: <code>su; admins; anonymous</code></div>
</li>
</ul>
</li>
</ul>
<div class="notewarning">You HAVE TO modify <strong>REMOTE_USER</strong> to log both real AND spoofed uid.
<p>
Set a macro like this:
</p>
<p>
<code>_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user"</code>
</p>
<p>
and set <code>General Parameters > Logs > REMOTE_USER</code> with <code>_whatToTrace</code>
</p>
</div><div class="noteimportant">Both spoofed and real session attributes can be used to set access rules, groups or macros.
<p>
For example: <code>$real_uid eq 'dwho'</code> or <code>$real_groups =~ /\bsu\b/</code>
</p>
<p>
Keep in mind that the real session is computed first. Afterward, if access is granted, the impersonated session is computed with real and spoofed session attributes if impersonation is allowed.
</p>
</div><div class="noteimportant">For example, to prevent impersonation as 'dwho', set <strong>Identities use rule</strong> like:
<p>
<code>$uid ne 'dwho'</code>
</p>
</div>
</div>
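<p>
An added example, not part of the LemonLDAP::NG documentation or code: a Python audit of web-server access logs whose REMOTE_USER field follows the real/spoofed form produced by the <code>_whatToTrace</code> macro above. It reports impersonated requests, impersonation of identities the Identities use rule was meant to protect, and entries where the macro was not applied. The combined log format, the sample lines, the uids other than dwho and the assumption that uids contain no "/" are constructed for illustration.
</p>

```python
import re

# Combined log format: the third field carries REMOTE_USER (assumed layout).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def split_trace(value):
    """Return (real, spoofed) for a 'real/spoofed' value, else None."""
    real, sep, spoofed = value.partition("/")
    if not sep or not real or not spoofed or "/" in spoofed:
        return None
    return real, spoofed

def audit(lines, protected=()):
    """Classify log lines by what their REMOTE_USER field reveals."""
    report = {"impersonated": [], "protected": [], "untraced": []}
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":
            continue  # unparsable or unauthenticated request
        pair = split_trace(m["user"])
        if pair is None:
            # Macro not applied here: the real uid is not being logged.
            report["untraced"].append((n, m["user"]))
            continue
        real, spoofed = pair
        if real != spoofed:
            event = (n, real, spoofed, m["request"])
            report["impersonated"].append(event)
            if spoofed in protected:
                report["protected"].append(event)
    return report

# Constructed sample lines (hosts, times and uids other than dwho are invented).
SAMPLE = [
    '192.0.2.10 - rtyler/rtyler [28/Jun/2019:16:53:45 +0200] "GET / HTTP/1.1" 200 512',
    '192.0.2.11 - msmith/rtyler [28/Jun/2019:16:54:02 +0200] "GET /admin HTTP/1.1" 200 733',
    '192.0.2.11 - msmith/dwho [28/Jun/2019:16:55:10 +0200] "POST /admin/save HTTP/1.1" 302 0',
    '192.0.2.12 - rtyler [28/Jun/2019:16:56:00 +0200] "GET /app2 HTTP/1.1" 200 120',
    '192.0.2.13 - - [28/Jun/2019:16:57:00 +0200] "GET /public HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for kind, events in audit(SAMPLE, protected={"dwho"}).items():
        print(kind, events)
```

<p>
An entry under "protected" means the Identities use rule did not block an identity it was expected to; an entry under "untraced" means REMOTE_USER on that host does not carry the real uid.
</p>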
<!-- EDIT2 SECTION "Configuration" [304 - ] --></div>
</body>
</html>