Impersonation plugin¶
This plugin allows certain users to assume the identity of another user. A privileged user first logs in with its real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
Attention
This plugin should not be used on production instance, prefer ContextSwitching plugin.
Configuration¶
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.
Parameters:
Use rule: Rule to allow/deny users to impersonate or define which users may use this plugin.
Identities use rule: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users
Unrestricted users rule: Rule to define which users can assume ALL users.
Identities use rule
is bypassed.Hidden attributes: Attributes not displayed
Skip empty values: Do not use empty profile attributes
Merge spoofed and real SSO groups: Can be useful for administrators to keep higher privileges. “Special rule” field can be used to set SSO groups to merge if exist in real session. Multivalue
separator
is used. By example :su; admins; anonymous
Danger
You HAVE TO modify REMOTE_USER to log both real AND spoofed uid.
Set a macro like this :
_whatToTrace
->$real__user ? "$real__user/$_user" : "$_user/$_user"
and set General Parameters > Logs > REMOTE_USER
with _whatToTrace
Attention
Both spoofed and real session attributes can be used to set access rules, groups or macros.
By example : $real_uid && $real_uid eq 'dwho'
or $real_groups && $real_groups =~ /\bsu\b/
Keep in mind that real session is computed first. Afterward, if access
is granted, impersonated session is computed with real and spoofed
session attributes if Impersonation is allowed.
So, real_
attributes are computed by second authentication process.
To avoid Perl warnings, you have to prefix regex with $real_var &&
.
Attention
By example, to prevent impersonation as ‘dwho’ set Identities use rule like :
$uid ne 'dwho'
impersonationPrefix is used to rename user’s real profile attributes.
You can set real attributes prefix (‘real_’ by default) by editing
lemonldap-ng.ini
in section [portal]:
[portal]
impersonationPrefix = real_