inWebo LDAP Proxy v1.6.0 installation and configuration

Release note 1.6 (September, 2021)

  • Optimization of the send notification mechanism

  • Adding an optional Heartbeat to detect network failures

  • New parameters to optimize HTTPS API communications

  • Adding TLS 1.2


The inWebo LDAP proxy allows you to add strong authentication via the inWebo service.

Its role is to transmit the LDAP requests to the LDAP server. When a Bind request from the LDAP server is returned successfully, a PUSH request is sent to the inWebo server. The user is then prompted to authenticate (PIN code, fingerprint, etc) on his previously registered device.

If the authentication is successful, the LDAP proxy finalizes the Bind request and the user is authenticated.



The machine hosting the proxy must have:

  • Access to the LDAP server that will be connected to the inWebo proxy

  • Internet access to reach the inWebo API


Windows or Linux

  • 64-bit environment

  • Java 8 64 bits for the version without JRE or OpenJDK 8 64 bits


  • .P12 certificate and passphrase from local Authority


For Linux operating systems

Retrieve the Linux version:  proxy-ldap-packaging-X.Y.Z-linux64.tar.gz

  1. Unpack the archive

  2. Create the config/ file from the file

  3. Complete the config/ file (see below)

  4. Start the proxy

Version using the JRE installed on the system

1 bin/

Version using built-in JRE

1 bin/

inWebo proxy service start and stop

If your LDAP proxy listens for services numbered under 1024, you must start the proxy service with a root / administrator user.

Launching the Proxy service in background mode
1 sudo ./ &
Stopping the Proxy service
1 sudo ./

Proxy installation as a Linux service (requires administrator rights)

  1. Edit bin/iw_ldap_proxy by replacing

    1. @iw_ldap_proxy_installation_dir@ by the path of the installation directory

    2. @iw_ldap_proxy_user@ by the user who runs the program

  2. Installation

    1 sudo cp bin/iw_ldap_proxy /etc/init.d/
  3. Start the proxy

    1 sudo /etc/init.d/iw_ldap_proxy start
  4. Stop the proxy

    1 sudo /etc/init.d/iw_ldap_proxy stop

For Windows operating systems

Retrieve the Windows version:

  1. Unpack the archive

  2. Create the config/ file from the file

  3. Complete the config/ file (see below)

  4. Start the proxy

Version using the JRE installed on the system

1 bin/run.bat

Version using the built-in JRE

1 bin/run_standalone.bat

Proxy installation as a Windows service (requires administrator rights)


.NET Framework 4.0


1 bin\ldap_proxy_service.exe install

Service start         

1 sc start "inWebo LDAP proxy"

Service stop

1 sc stop "inWebo LDAP proxy"

Uninstalling the service

1 bin\ldap_proxy_service.exe uninstall

Service settings

When installing the LDAP proxy service on Windows, no automatic restart is set on the service.

Windows service recovery settings (requires administrator rights)

For security reasons, it is important to configure the service to be restarted by default as this will prevent some incidents.
This can be done directly with ldap_proxy_service.exe in the service section of Windows, in the recovery tab of the service.

Tests and troubleshooting inWebo LDAP Proxy Configuration

2 additional commands are included for Linux and Windows:

Testing Push and inWebo certificate in command line

1 run_standalone -doPush <login_inWebo>

Allows you to test directly the push Authentication of an inWebo login for your service and see if you are correctly notified with the current inWebo configuration (serviceID, inWebo Certificate, Passphrase)

1 run_standalone -validateConfiguration <DN>(ex: run_standalone -validateConfiguration CN=Administrator,CN=Users,DC=Domain,DC=test)

will allow you to test if the LDAP configuration and the Bind command are successful

How to configure your LDAP authentication

This application is used to transfer LDAP search/authentication request to the real authentication LDAP and if accepted it will send an additional authentication request in HTTPS to the inWebo platform.
This additional request is based on the user attribute defined in the proxy LDAP configuration and retrieved from the user profile (uid, cn, samAccount, userPrincipleName)

Creating the LDAP credentials (DN) for Binding requests on LDAP server

To bind the LDAPproxy to the target LDAP server it is recommended to indicate or even create a whitelisted DN/Account used to search the LDAP.
ex: CN=ReadOnly,CN=Users,DC=domain,DC=test

This profile will be used as credentials with the LDAP and should not trigger inWebo push authentication each time you send a request tio the LDAP server.

Modifying file of your LDAP proxy / Minimal Configuration

ldap.proxy.port=389 (the service number of the proxy LDAP is listening to accept requests/ default ) (IP address or Name of the LDAP server to send the request to)
ldap.port=389 (the service number of the proxy LDAP is listening to accept requests/ default ) ( your inWebo service ID)
inwebo.service.certificate.path=C:\ProxyLDAP\inWebo_Certificate12 or./proxyLDAP/inWebo_Certificate12 (the path of the inWebo P12 certificate generated by your inWebo Administration console) 
inwebo.service.certificate.passphrase=PASSPHRASE (the password/passphrase of the inWebo certificate)

Whitelisting the LDAP credentials (DN) in the


This configuration should be replicated on the Appliance/authentication server that will send the request to the LDAP proxy

Modifying the Appliance / authentication portal to send requests to your LDAP proxy

When configuring the LDAP server on your Appliance / Authentication portal

if an existing configuration already exists to authenticate on the LDAP server, you can duplicate and only replace the IP Address by the address of the LDAP proxy. 
Be sure to verify that the LDAP Credentials (DN) / used by this appliance are whitelisted on the LDAP proxy.

Creating the Appliance / authentication portal configuration to send request to your LDAP proxy 

if there is no existing profile, you have to indicate the following information:

  • you have to indicate a new LDAP authentication server:
    the IP address of the LDAP proxy

  • the LDAP proxy service number (as indicated previously)

  • the Base DN of the LDAP server ex: DC=domain,DC=test

  • the group DN of the LDAP users if existing  ex: CN=inWebo,OU=New_York,

  • the LDAP credentials DN used previously (ldap.proxy.whitelist.dn)  CN=ReadOnly,CN=Users,DC=domain,DC=test
    with the corresponding password

Summary of configuration items to modify

Additional parameters for inWebo LDAP Proxy v1.6.0

In the LDAP proxy configuration section, you can now set additional parameters

Transport Layer Security (TLS) Parameters 

  • For sending requests to the LDAP proxy: ldap.proxy.cipher.protocol

  • and when forwarding the request to the LDAP:  proxy.cipher.protocol

Possible values:
  • Automatic choice of JVM: "TLS"

  • Protocol TLS v1: TLSv1

  • Protocol TLS v1.1: TLSv1.1

  • Protocol TLS v1.2: TLSv1.2

Managing LDAP requests timeouts 

You can now set timeout values for requests

For the Request timeout between the LDAP proxy and the LDAP server

Value in ms. Default 0 ( no timeout )
Setting: ldap.proxy.request.timeout

If a response is not received from the Directory Server within the timeout period, then the operation will be abandoned and an Exception error result returned.
A timeout setting of 0 disables operation timeout limits

For the Request timeout between the LDAP client and the LDAP proxy

Value in ms. Default 10000 ( 10sc )
Setting: ldap.proxy.connect.timeout

If a connection is not established within the timeout period (incl. SSL negotiation, initial bind request, and/or heart-beat), then an Exception error result will be returned.
The default operation timeout is 10 seconds and a timeout setting of 0 causes the OS connect timeout to be used.

When the timeout value is exceeded

  • An error is returned when the connection failed
    "Authentication to LDAP failed : < information>"

  • The error is logged in the LDAP Proxy log file

Managing application threads and HTTP connection pool

To configure the number of threads allowed by the proxy LDAP app

  • ldap.proxy.selector.thread.count :
    The number of simultaneous request that the LDAP proxy can perform. The default value is depending of the hardware (It's the maximum between 2 and the available processors / 2 )

To configure the HTTP connection pool

  • inwebo.client.http.timeout : (the default value is 30 seconds)
    Read timeout interval and connect timeout interval, in milliseconds. A value of zero 0 is equivalent to an interval of infinity.

  • : (the default value is 100)
    The maximum number of connections allowed across all HTTP routes.

  • inwebo.pool.http.default.max.per.route : (the default value is 40)
    The maximum number of connections allowed for a HTTP route.

LDAP proxy Configuration settings

The following settings are in the config / file


LDAP proxy's own IP addresses and service

Listening IP addresses, used by the LDAP proxy (List of IP/hostname separated by ";" - the LDAP proxy is listening to all registered IP addresses by default)

# Listening port for the LDAP proxy

# Listening port for the LDAP proxy to handle LDAPS requests

IP addresses and service of the targeted LDAP server

# LDAP server address/hostname

# LDAP server port
# Required if ldap.proxy.port is set

# LDAPS server port

LDAPS configuration and local Keystore

# full path to a p12 certificate associated with the LDAP

# LDAP certificate passphrase

# Mode of server certificate verification
# jvm by default
# jvm : use the JVM keystore
# none : trust all server certificates
# keystore : use a specific keystore defineby ldap.ssl.certificate.keystore and ldap.ssl.certificate.passphrase

# The path of the keystore to use when ldap.ssl.certificate.verification.mode=keystore

# The keystore pass associated to ldap.ssl.certificate.keystore.path

Transport Layer Security (TLS) Parameters (new for 1.3)

# Protocol used for requesting the LDAP proxy
# default is TLS

# Protocol used by the LDAP proxy to request the LDAP
# default is TLSv1

Managing requests timeouts (new for 1.3)

# Request timeout between proxy and LDAP server ( in ms )
# default 0 ( no timeout )

# Timeout of proxy requests ( in ms )
# default 10000 ( 10sc )


Base configuration (service ID, certificate path and passphrase)

# InWebo service ID

# full path to the p12 certificate associated with the InWebo service

# inWebo certificate passphrase

LDAP Attribute on the requested User profile, used to match with the inWebo login (uid, cn, samAccount, userPrincipalName..)

can be different from initial login request

# LDAP attribute for user login (will be matched with InWebo login), # uid by default

LDAP Group, DN, conditions for inWebo Authentication

# Condition to authenticate users with InWebo
# all by default
# all : all user will be authenticated with inWebo
# none : no user will be authenticated with inWebo (transparent)
# user : user group membership. Based on the group list the user is member of
# group : user group membership. Based on the group member list

# LDAP group DN for which members will be required to authenticate with inWebo. Required if is set to "user" or "group"

# LDAP attribute for group members. Required when = group
# member by default

# LDAP attribute for group list. Required when = user
# isMemberOf by default. Use memberOf for AD

# LDAP objectClass attribute used to define a group
# groupOfNames by default

# LDAP objectClass attribute used to define a user
# person by default

# Bypass inWebo authentification for a list of users (usefull for technical accounts)
# DN list separated by ";"

# 16 characters key used to cipher logins
# No cipher by default


Additional configuration for on premise version and proxy support

# InWebo API URL
# by default

# Force ldap-proxy to contact inWebo through an http or https proxy
# HTTP proxy host used to call InWebo
# No HTTP proxy by default

# HTTP proxy port

# Use https to proxy
# false by default - http only (http://hostname:port)
# true - https only (https://hostname:port)

# HTTP proxy login - option

# HTTP proxy password - option


HeartBeat configuration to keep your LDAP connections alive

# Configures the connection factory to periodically send "heart-beat" or "keep-alive" requests to the Directory Server.
# Possible values : true | false
# default is false (no heartbeat)
# Specifies the time between successive heart-beat requests
# default 10000 (10s)
# Specifies the timeout for heart-beat requests, after which the remote Directory Server will be deemed to be unavailable
# default 3000 (3s)

Additional parameters to manage the HTTP connection pool for API calls

# HTTP timeout in second (the default value is 30 seconds)
# The maximum number of connections allowed across all HTTP routes. (the default value is 100)
# The maximum number of connections allowed for a HTTP route that has not been specified. (the default value is 40)