This plugin allows certain users to assume the identity of another user. A privileged user first logs in with their real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
This plugin should not be used on a production instance; prefer the ContextSwitching plugin.
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.
- Use rule: Rule to allow/deny users to impersonate or define which users may use this plugin.
- Identities use rule: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.
- Unrestricted users rule: Rule to define which users can assume
Identities use rule is bypassed.
- Hidden attributes: Attributes not displayed
- Skip empty values: Do not use empty profile attributes
- Merge spoofed and real SSO groups: Can be useful for
administrators to keep higher privileges. “Special rule” field can
be used to set SSO groups to merge if exist in real session.
separator is used. For example:
su; admins; anonymous
You HAVE TO modify REMOTE_USER to log both the real AND the spoofed uid.
Set a macro like this:
$real__user ? "$real__user/$_user" : "$_user/$_user"
General Parameters > Logs > REMOTE_USER with
Both spoofed and real session attributes can be used to set access rules, groups or macros.
For example:
$real_uid && $real_uid eq 'dwho' or
$real_groups && $real_groups =~ /\bsu\b/
Keep in mind that the real session is computed first. Afterward, if access
is granted, the impersonated session is computed with real and spoofed
session attributes if Impersonation is allowed.
real_ attributes are computed by the second authentication process.
To avoid Perl warnings, you have to prefix regex with
For example, to prevent impersonation as ‘dwho’, set the Identities use rule like this:
$uid ne 'dwho'
impersonationPrefix is used to rename the user’s real profile attributes.
You can set the real attributes prefix (‘real_’ by default) by editing
lemonldap-ng.ini in section [portal]:
[portal]
impersonationPrefix = real_
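Once REMOTE_USER carries both uids in the real/spoofed form produced by the macro above, access logs can be audited for requests made under an assumed identity. The following is an added example, not part of the plugin or its documentation. It assumes Common Log Format with REMOTE_USER in the user field; the function names, the PROTECTED set and the sample lines are constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Assumption: identities the "Identities use rule" is meant to protect.
PROTECTED = {"dwho", "anonymous"}

def parse_remote_user(value):
    """Split the macro's 'real/spoofed' value; None if it is not in that form."""
    real, sep, spoofed = value.partition("/")
    if not sep or not real or not spoofed or "/" in spoofed:
        return None  # "-", macro not applied, or a uid that itself contains "/"
    return real, spoofed

def audit(lines, protected=PROTECTED):
    """Return (kind, real, spoofed, request) for every request worth reviewing."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        _host, user, _when, request, _status = m.groups()
        pair = parse_remote_user(user)
        if pair is None:
            if user != "-":  # authenticated, but the real uid was not logged
                findings.append(("unattributed", user, None, request))
            continue
        real, spoofed = pair
        if real == spoofed:
            continue  # ordinary session: "$_user/$_user"
        kind = "protected-identity" if spoofed in protected else "impersonation"
        findings.append((kind, real, spoofed, request))
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - alice/alice [12/Mar/2024:10:01:02 +0000] "GET /app HTTP/1.1" 200 512',
    '192.0.2.11 - bob/alice [12/Mar/2024:10:02:10 +0000] "GET /app/admin HTTP/1.1" 200 734',
    '192.0.2.11 - bob/dwho [12/Mar/2024:10:03:44 +0000] "POST /app/users HTTP/1.1" 302 0',
    '192.0.2.12 - carol [12/Mar/2024:10:05:00 +0000] "GET /app HTTP/1.1" 200 512',
    '192.0.2.13 - - [12/Mar/2024:10:06:00 +0000] "GET / HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "protected-identity" finding means a protected identity was assumed anyway, which is expected only for users matched by the Unrestricted users rule. An "unattributed" finding means the REMOTE_USER macro was not in effect for that request.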