Wallix Bastion LDAP configuration

This integration adds inWebo MFA to an existing Wallix AD integration. Users authenticate with their AD credentials and then receive a notification on the inWebo Authenticator application installed on their mobile or desktop.

Wallix Bastion configuration

Create an external AD authentication source

In the "Configuration/External Authentication" menu, click "Add an authentication". Most parameter values are the same as if you were targeting an Active Directory or LDAP server directly.

Make sure you provide a Distinguished Name for the "User" parameter; entering only a login will not work properly.

With version <6.2

Select "LDAP-AD" and enter your inWebo ldap-proxy IP and port.

With version >= 6.2

Select "LDAP" and enter your inWebo ldap-proxy IP and port. Set a timeout of 30 seconds or more so your users have time to validate the MFA notification.

Create an AD domain

In the "Configuration/LDAP/AD domains" menu, click "Add a domain".

If you deploy on a production infrastructure, make sure the AD LDAP domain name is not already in use. For testing you can use any value you want (test.com); you will then have to log in to the bastion using sAMAccountName@test.com as the username.

With version <6.2

With version >=6.2

Create a user group

In the "Users/Groups" menu, click "Add a group".

Back in the AD domain configuration, check that the group is assigned to your AD users by default, or make sure this group is associated with the LDAP group you want to map.

Create a resource group

In the "Resources/Groups" menu, click "Add a group".

Add authorization

In the "Authorizations/Manage Authorizations" menu, click "Add an authorization".

Change the default LDAP timeout

With version <6.2

In the "Configuration/Configuration Options" menu, select "WabEngine".

Change the "Ldap auth timeout" value to 60.0. This gives your users 60 seconds to answer a push authentication.

With version >=6.2

The LDAP timeout is set on each external authentication (see above).

inWebo LDAP Proxy configuration

The inWebo LDAP Proxy installation and configuration guide is here: inWebo LDAP Proxy v1.0.0, installation and configuration

Configure your LDAP proxy with:

  • certificate path and its passphrase
  • inWebo service ID
  • LDAP server IP and port
  • whitelist DN: provide the DN of the read-only account configured on the "external AD authentication source"
  • login attribute: sAMAccountName and userPrincipalName are often used when integrating with AD, but you can change it to something more relevant to your architecture
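As an added check, not part of this guide or of inWebo's tooling: a stdlib-only Python script that sends one LDAPv3 simple bind through the ldap-proxy and times the response, so you can confirm a user's push approval completes within the 30 or 60 second timeout set above. The proxy host, port, bind DN and password passed to timed_bind are your own values; the script assumes the proxy only answers a user bind once the push is approved and that the whitelisted read-only DN is exempt from the push.

```python
import socket
import time


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80 | count) otherwise."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 128 else bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value   # one BER tag-length-value element


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2); name is a full DN, as the Bastion "User" parameter requires."""
    op = tlv(0x60,                               # [APPLICATION 0] BindRequest
             tlv(0x02, b"\x03")                  # version 3
             + tlv(0x04, dn.encode())            # name: LDAPDN
             + tlv(0x80, password.encode()))     # [0] simple authentication
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)  # LDAPMessage SEQUENCE (msg_id < 128)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 128 else first & 0x7F       # long form: number of length octets
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def parse_bind_result(data: bytes) -> int:
    """Return the resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)                    # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if (tag, op_tag) != (0x30, 0x61):            # LDAPMessage holding [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected tags 0x{tag:02x}/0x{op_tag:02x}")
    _, code, _ = read_tlv(op)                    # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def timed_bind(host: str, port: int, dn: str, password: str, timeout: float = 60.0):
    """Bind through the proxy; returns (resultCode or None on timeout, elapsed seconds).
    A user bind is only answered after the push is approved, so elapsed is the time the
    Bastion's LDAP timeout must accommodate."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return None, time.monotonic() - start
    return parse_bind_result(data), time.monotonic() - start
```

Run timed_bind once with the whitelisted read-only DN (should return quickly with resultCode 0) and once with a user DN while approving the push on the phone; if the second call returns None, the measured delay exceeds the timeout you passed and the Bastion value needs raising.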

Typical configuration sample