documentation:2.0:impersonation

Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.

Parameters:
- Use rule:
Select which users may use this plugin
- Identities use rule: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.
- Hidden attributes: Attributes not displayed
- Skip empty values: Do not use empty profile attributes
- Merge spoofed and real SSO groups: Can be useful for administrators to keep higher privileges. "Special rule" field can be used to set SSO groups to merge if exist in real session. Multivalue separator is used. By example : su; admins; anonymous

You HAVE TO modify REMOTE_USER to log both real AND spoofed uid.

Set a macro like this :

_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user"

and set Genaral Parameters > Logs > REMOTE_USER with _whatToTrace

Both spoofed and real session attributes can be used to set access rules, groups or macros.

By example : $real_uid eq 'dwho' or $real_groups =~ /\bsu\b/

Keep in mind that real session is computed first. Afterward, if access is granted, impersonated session is computed with real and spoofed session attributes if Impersonation is allowed.

By example, to prevent impersonation as 'dwho' set Identities use rule like :

$uid ne 'dwho'

impersonationPrefix is used to rename user's real profile attributes. You can set real attributes prefix ('real_' by default) by editing lemonldap-ng.ini in section [portal]:

[portal]
impersonationPrefix = real_

Impersonation plugin

Configuration