Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The inWebo LDAP proxy allows you to add strong authentication via the InWebo service.

Its role is to transmit the LDAP requests to the LDAP server. When a Bind request from the LDAP server is returned successfully, a PUSH request is sent to the InWebo server. The user is then prompted to authenticate (PIN code, fingerprint, etc) on his previously registered device.

If the PIN is correct, the LDAP proxy finalizes the Bind request and the user is authenticated.

Drawio
simple0
zoom1
inComment0
custContentId1588592697
pageId669024307
diagramDisplayNameProxy LDAP
lbox1
contentVer1
revision2
baseUrlhttps://inwebo.atlassian.net/wiki
diagramNameProxy LDAP
width1079
links
tbstyle
height448

Prerequisite

Infrastructure

The machine hosting the proxy must have:

  • Access to the LDAP server that will need to be synchronized with the inWebo proxy
  • Internet access to reach the InWebo API

Software

Windows or Linux

  • 64-bit environment
  • JAVA 8 64 bits for the version without JRE

For LDAPS / SSL

  • .P12 certificate and passphrase from LDAP server

Installation

For Linux operating systems

Retrieve the Linux version:  proxy-ldap-packaging-X.Y.Z-linux64.tar.gz

  1. Unpack the archive
  2. Create the config/config.properties file from the config_to_be_completed.properties file
  3. Complete the config/config.properties file (see below)
  4. Start the proxy

Version using the JRE installed on the system

Code Block
languagebash
bin/run.sh

Version using built-in JRE

Code Block
languagebash
bin/run_standalone.sh

inWebo proxy service start and stop

If your LDAP proxy listens for services numbered under 1024, you must start the proxy service with a root / administrator user.

Lauching the Proxy service in background mode
Code Block
languagebash
sudo ./run_standalone.sh &
Stopping the Proxy service
Code Block
languagebash
sudo ./stop.sh

Proxy installation as a Linux service (requires administrator rights)

  1. Edit bin/iw_ldap_proxy by replacing
    1. @iw_ldap_proxy_installation_dir@ by the path of the installation directory
    2. @iw_ldap_proxy_user@ by the user who runs the program
  2. Installation

    Code Block
    languagebash
    sudo cp bin/iw_ldap_proxy /etc/init.d/


  3. Start the proxy

    Code Block
    languagebash
    sudo /etc/init.d/iw_ldap_proxy start


  4. Stop the proxy

    Code Block
    languagebash
    sudo /etc/init.d/iw_ldap_proxy stop


For Windows operating systems

Retrieve the Windows version: proxy-ldap-packaging-X.Y.Z-win64.zip

  1. Unpack the archive
  2. Create the config/config.properties file from the config_to_be_completed.properties file
  3. Complete the config/config.properties file (see below)
  4. Start the proxy

Version using the JRE installed on the system

Code Block
languagevb
bin/run.bat 

Version using the built-in JRE

Code Block
languagevb
bin/run_standalone.bat

Proxy installation as a Windows service (requires administrator rights)

Prerequisites:

.NET Framework 4.0

Installation

Code Block
languagevb
bin\ldap_proxy_service.exe install

Service start         

Code Block
languagevb
sc start "inWebo LDAP proxy"

Service stop

Code Block
languagevb
sc stop "inWebo LDAP proxy"

Uninstalling the service

Code Block
languagevb
bin\ldap_proxy_service.exe uninstall

Configuration

The following settings are in the config / config.properties file

LDAP Configuration

ldap.proxy.ssl.certificate.path=full path to a p12 certificate associated with the LDAP
ldap.proxy.ssl.certificate.passphrase=LDAP certificate passphrase

ldap.ssl.certificate.verification.mode=# Mode of server certificate verification
# jvm by default
# jvm: use the JVM keystore
# none: trust all server certificates
# keystore: use a specific keystore defined by ldap.ssl.certificate.keystore and ldap.ssl.certificate.passphrase

ldap.ssl.certificate.keystore.path=The path of the keystore to use when ldap.ssl.certificate.verification.mode=keystore
ldap.ssl.certificate.keystore.passphrase=The keystore pass associated to ldap.ssl.certificate.keystore


ldap.proxy.addresses :
list of IP addresses, separated by ";", on which the LDAP proxy will listen for LDAP queries. By default, the proxy listens on the address ":: 0" (Optional)
ldap.host
: the LDAP server address (Required)
ldap.proxy.port or ldap.port: the proxy port and the LDAP port to use to support LDAP requests.
ldap.proxy.ssl.port or ldap.ssl.port: the proxy port and the LDAP port to use to support LDAPS requests. 
inwebo.service.id: the inWebo service number that will be associated with InWebo authentication (Required)
inwebo.service.certificate.path: The full path to the p12 certificate associated of the InWebo service (Required)
inwebo.service.certificate.passphrase: The certificate passphrase associated with the InWebo service (Required)
ldap.proxy.login.attribute: The name of the LDAP attribute containing the InWebo login. It is set to "uid" by default (possibly the UPN - UserPrincipalName)
ldap.proxy.do.step.up.by.type: Allow to condition the authentication via InWebo:

  • user: searches the LDAP from the user if he is a member of the group that allows authentication via InWebo
  • group: search LDAP from members of the group that allows authentication via InWebo
  • all: authentication via InWebo for all users
  • none: authentication via InWebo for no users
    Set to "all" by default

ldap.proxy.do.step.up.group.base.dn: The group DN in the LDAP containing users for whom authentication via InWebo will be enabled. Required if ldap.proxy.do.step.up.by.type is filled in to "user" or "group"
ldap.proxy.do.step.up.lookup.member.attribute: The name of the LDAP attribute that defines a member. This parameter is required when ldap.proxy.do.step.up.by.type = group. Set to "member" by default
ldap.proxy.do.step.up.lookup.ismemberof.attribute: The name of the LDAP attribute that defines group membership. This parameter is required when ldap.proxy.do.step.up.by.type = user. Fixed to "isMemberOf" by default

ldap.proxy.do.step.up.filter.group.object.class: The value of the LDAP objectClass attribute defining a group. Required, set to "groupOfNames" by default
ldap.proxy.do.step.up.filter.user.object.class: The value of the LDAP objectClass attribute that defines a user. Required, set to "person" by default
inwebo.cipher.aes.secret.key: 16 characters Key to encrypt the login. Encryption is not enabled by default

ldap.proxy.whitelist.dn : DN list, separated by ";", for which there will be no InWebo authentication, used as technical accounts to operate BIND requests. (i.e: CN=Administrator,CN=Users,DC=domain,DC=com;CN=ReadOnly,CN=Users,DC=domain,DC=com; )

inWebo HTTP API configuration

inwebo.base.url: InWebo API URL
inwebo.proxy.host: HTTP proxy IP or hostname used to make calls to the InWebo API. There is no default HTTP proxy
inwebo.proxy.port: HTTP proxy port to use
inwebo.proxy.https: Boolean which allows to switch to HTTPS mode. The possible values ​​are "true" or "false". Set to false by default (HTTP)
inwebo.proxy.username: Login associated with the HTTP proxy (do not use realm\username for NTLM, instead use the username from a domain joined server OR username@domain)
inwebo.proxy.password: Associated password



Panel
borderColor#C5C5C5
borderWidth1

Table of Contents
stylesquare