This plugin allows us to check session attributes, access rights and transmitted headers for a specific user and URL. This can be useful for IT Ops, dev teams or administrators to debug or check rules. The plugin is DISABLED by default.
To use it, enable it in the manager (section “plugins”).
!$anonymous
)Identities use rule
is bypassed.
whatToTrace fails. Useful to look for sessions by mail or givenName. Leave it blank to search by whatToTrace only.
Note
For example:
* test1.example.com => Auth-User mail
Only the ‘Auth-User’ and ‘mail’ headers are masked, if they have a value.
* test2.example.com => ‘’
ALL valued headers are masked.
Unrestricted users can see the masked headers.
Note
For example:
* Search attributes => mail uid givenName
If whatToTrace fails, sessions are searched by mail, then by uid if no session is found, and so on…
* Display empty headers rule => $uid eq "dwho"
Only ‘dwho’ will see empty headers.
Note
Keep in mind that Nginx HTTP proxy module gets rid of empty headers. If the value of a header field is an empty string then this field will not be passed to a proxied server. To avoid misunderstanding, it might be useful to not display empty headers.
Attention
Be careful not to display secret attributes.
The checkUser plugin's hidden attributes are the concatenation of checkUserHiddenAttributes and hiddenAttributes. You only have to append the checkUser-specific attributes.
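An illustrative model of the display rules described above (masked headers per virtual host, the empty-headers rule and the concatenated hidden-attribute list), added here as an example and not taken from LemonLDAP::NG's code. The mask string, the function names and the sample session and header values are assumptions constructed for the illustration.

```python
# Model of the checkUser display rules described on this page.
# Added illustration only; this is not LemonLDAP::NG code.
MASK = "******"  # assumed placeholder: the page does not say how a masked value renders

# Constructed sample data
SESSION = {"uid": "dwho", "mail": "dwho@example.com",
           "_password": "s3cret", "_loginHistory": "..."}
HEADERS = {"Auth-User": "dwho", "mail": "dwho@example.com",
           "Auth-Groups": "su", "Auth-Phone": ""}
# vhost -> space-separated header names to mask; '' means every valued header
MASKED_HEADERS = {"test1.example.com": "Auth-User mail", "test2.example.com": ""}


def hidden_set(hidden_attributes, check_user_hidden_attributes):
    """Effective hidden list: hiddenAttributes plus checkUserHiddenAttributes."""
    return set(f"{hidden_attributes} {check_user_hidden_attributes}".split())


def visible_attributes(session, hidden):
    """Session attributes the plugin would show: everything not hidden."""
    return {k: v for k, v in session.items() if k not in hidden}


def visible_headers(headers, vhost, masked_by_vhost, unrestricted, show_empty):
    """Headers as seen by the requesting user for one virtual host.

    unrestricted: the requester is an unrestricted user (sees real values).
    show_empty:   result of the 'display empty headers' rule for the requester.
    """
    rule = masked_by_vhost.get(vhost)  # None means no masking configured
    shown = {}
    for name, value in headers.items():
        if value == "":
            # Empty headers appear only if the rule allows it; never masked.
            if show_empty:
                shown[name] = ""
            continue
        masked = rule is not None and (rule == "" or name in rule.split())
        shown[name] = MASK if masked and not unrestricted else value
    return shown


if __name__ == "__main__":
    hidden = hidden_set("_password", "_loginHistory")
    print(visible_attributes(SESSION, hidden))
    for vhost in ("test1.example.com", "test2.example.com"):
        print(vhost, visible_headers(HEADERS, vhost, MASKED_HEADERS, False, False))
```

Running the model against your own attribute and header lists before enabling the plugin shows which values a restricted checkUser operator would still see in clear.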
Danger
This plugin displays ALL user session attributes except the hidden ones.
You have to restrict access to specific users (administrators, DevOps, power users and so on…) by setting an access rule, as for other VirtualHosts.
For example: $groups =~ /\bsu\b/
To modify the persistent session attributes (‘_loginHistory _2fDevices notification_’ by default), edit lemonldap-ng.ini in the [portal] section:
[portal]
persistentSessionAttributes = _loginHistory _2fDevices notification_
When enabled, the /checkuser URL path is handled by this plugin.
Attention
With federated authentication, the checkUser plugin works only if a session can be found in the backend.