This plugin allows certain users to assume the identity of another user. A privileged user first logs in with their real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
Attention
This plugin should not be used on a production instance; prefer the ContextSwitching plugin.
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.
Danger
You HAVE TO modify REMOTE_USER to log both the real AND the spoofed uid.
Set a macro like this:
_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user"
and set General Parameters > Logs > REMOTE_USER to _whatToTrace.
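With that macro in place, the logged user field has the form real/spoofed, which makes impersonated requests auditable. The following is an added example, not part of the LemonLDAP::NG documentation or code: it assumes the web server writes REMOTE_USER as the third field of a common-format access log and that uid values never contain "/". The log lines and the function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Assumed log layout: host ident REMOTE_USER [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})')
Finding = namedtuple("Finding", "kind real spoofed request")

def classify(line, protected=frozenset()):
    """Classify one access-log line; return None if the line cannot be parsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, request = m.group(2), m.group(4)
    if user == "-":
        return Finding("unauthenticated", None, None, request)
    real, sep, spoofed = user.partition("/")
    if not sep or not real or not spoofed:
        # Not in "real/spoofed" form: _whatToTrace is not applied to REMOTE_USER,
        # so an impersonated request would be indistinguishable on this line.
        return Finding("untraceable", user, None, request)
    if real == spoofed:
        # The macro writes "$_user/$_user" when no impersonation is active.
        return Finding("direct", real, spoofed, request)
    kind = "protected-impersonated" if spoofed in protected else "impersonated"
    return Finding(kind, real, spoofed, request)

def audit(lines, protected=frozenset()):
    """Return only the lines an auditor should review."""
    findings = (classify(line, protected) for line in lines)
    return [f for f in findings if f and f.kind not in ("direct", "unauthenticated")]

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
192.0.2.10 - dwho/dwho [12/Mar/2024:10:00:01 +0000] "GET /app HTTP/1.1" 200 512
192.0.2.10 - dwho/rtyler [12/Mar/2024:10:02:17 +0000] "GET /app/profile HTTP/1.1" 200 734
192.0.2.11 - msmith/dwho [12/Mar/2024:10:05:40 +0000] "GET /admin HTTP/1.1" 200 128
192.0.2.12 - rtyler [12/Mar/2024:10:06:02 +0000] "GET /app HTTP/1.1" 200 512
192.0.2.13 - - [12/Mar/2024:10:07:00 +0000] "GET /public HTTP/1.1" 200 90
""".splitlines()

if __name__ == "__main__":
    # 'dwho' stands in for an identity that the Identities use rule should protect.
    for f in audit(SAMPLE_LOG, protected={"dwho"}):
        print(f.kind, f.real, f.spoofed, f.request)
```

An "untraceable" result means the real uid is missing from the log line, and a "protected-impersonated" result means an identity that should be excluded by the Identities use rule was impersonated anyway.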
Attention
Both spoofed and real session attributes can be used to set access rules, groups or macros.
For example: $real_uid && $real_uid eq 'dwho' or $real_groups && $real_groups =~ /\bsu\b/
Keep in mind that the real session is computed first. Afterward, if access is granted and Impersonation is allowed, the impersonated session is computed with both real and spoofed session attributes. So, real_ attributes are computed by a second authentication process. To avoid Perl warnings, you have to prefix regexes with $real_var &&.
Attention
For example, to prevent impersonation as ‘dwho’, set the Identities use rule like this:
$uid ne 'dwho'
impersonationPrefix is used to rename the user’s real profile attributes. You can set the real attributes prefix (‘real_’ by default) by editing lemonldap-ng.ini in section [portal]:
[portal]
impersonationPrefix = real_