inWebo LDAP Proxy v1.0.0

The inWebo LDAP proxy allows you to add strong authentication via the InWebo service.

Its role is to transmit the LDAP requests to the LDAP server. When a Bind request from the LDAP server is returned successfully, a PUSH request is sent to the InWebo server. The user is then prompted to authenticate (PIN code, fingerprint, etc) on his previously registered device.

If the PIN is correct, the LDAP proxy finalizes the Bind request and the user is authenticated.

Prerequisite

Infrastructure

The machine hosting the proxy must have:

• Access to the LDAP server that will need to be synchronized with the inWebo proxy

• Internet access to reach the InWebo API

Software

Windows or Linux

• 64-bit environment

• JAVA 8 64 bits for the version without JRE

Installation

For Linux operating systems

Retrieve the Linux version:  proxy-ldap-packaging-X.Y.Z-linux64.tar.gz

1. Unpack the archive

2. Create the config/config.properties file from the config_to_be_completed.properties file

3. Complete the config/config.properties file (see below)

4. Start the proxy

Version using the JRE installed on the system

bin/run.sh

Version using built-in JRE

bin/run_standalone.sh

inWebo proxy service start and stop

If your LDAP proxy listens for services numbered under 1024, you must start the proxy service with a root / administrator user.

Lauching the Proxy service in background mode

sudo ./run_standalone.sh &

Stopping the Proxy service

sudo ./stop.sh

Proxy installation as a Linux service (requires administrator rights)

1. Edit bin/iw_ldap_proxy by replacing

   1. @iw_ldap_proxy_installation_dir@ by the path of the installation directory

   2. @iw_ldap_proxy_user@ by the user who runs the program

2. Installation

   BASH

   sudo cp bin/iw_ldap_proxy /etc/init.d/

3. Start the proxy

   BASH

   sudo /etc/init.d/iw_ldap_proxy start

4. Stop the proxy

   BASH

   sudo /etc/init.d/iw_ldap_proxy stop

For Windows operating systems

Retrieve the Windows version: proxy-ldap-packaging-X.Y.Z-win64.zip

1. Unpack the archive

2. Create the config/config.properties file from the config_to_be_completed.properties file

3. Complete the config/config.properties file (see below)

4. Start the proxy

Version using the JRE installed on the system

bin/run.bat 

Version using the built-in JRE

bin/run_standalone.bat

Proxy installation as a Windows service (requires administrator rights)

Installation

bin\ldap_proxy_service.exe install

Service start         

sc start iwLdapProxy_Full_JRE

Service stop

sc stop iwLdapProxy_Full_JRE

Uninstalling the service

bin\ldap_proxy_service.exe uninstall

Configuration

The following settings are in the config / config.properties file

LDAP Configuration

ldap.proxy.addresses : list of IP addresses, separated by ";", on which the LDAP proxy will listen for LDAP queries. By default, the proxy listens on the address ":: 0" (Optional)
ldap.host: the LDAP server address (Required)
ldap.proxy.port and ldap.port: the proxy port and the LDAP port to use to support LDAP requests, respectively. These 2 properties are paired
ldap.proxy.ssl.port and ldap.ssl.port: the proxy port and the LDAP port to use to support LDAPS requests, respectively. These 2 properties are paired
inwebo.service.id: the inWebo service number that will be associated with InWebo authentication (Required)
inwebo.service.certificate.path: The full path to the p12 certificate associated of the InWebo service (Required)
inwebo.service.certificate.passphrase: The certificate passphrase associated with the InWebo service (Required)
ldap.proxy.login.attribute: The name of the LDAP attribute containing the InWebo login. It is set to "uid" by default (possibly the UPN - UserPrincipalName)
ldap.proxy.do.step.up.by.type: Allow to condition the authentication via InWebo:

• user: searches the LDAP from the user if he is a member of the group that allows authentication via InWebo

• group: search LDAP from members of the group that allows authentication via InWebo

• all: authentication via InWebo for all users

• none: authentication via InWebo for no users
  Set to "all" by default

ldap.proxy.do.step.up.group.base.dn: The group DN in the LDAP containing users for whom authentication via InWebo will be enabled. Required if ldap.proxy.do.step.up.by.type is filled in to "user" or "group"
ldap.proxy.do.step.up.lookup.member.attribute: The name of the LDAP attribute that defines a member. This parameter is required when ldap.proxy.do.step.up.by.type = group. Set to "member" by default
ldap.proxy.do.step.up.lookup.ismemberof.attribute: The name of the LDAP attribute that defines group membership. This parameter is required when ldap.proxy.do.step.up.by.type = user. Fixed to "isMemberOf" by default

ldap.proxy.do.step.up.filter.group.object.class: The value of the LDAP objectClass attribute defining a group. Required, set to "groupOfNames" by default
ldap.proxy.do.step.up.filter.user.object.class: The value of the LDAP objectClass attribute that defines a user. Required, set to "person" by default
inwebo.cipher.aes.secret.key: 16 characters Key to encrypt the login. Encryption is not enabled by default
ldap.proxy.whitelist.dn : DN list, separated by ";", for which there will be no InWebo authentication, used as technical accounts to operate BIND requests. (i.e: CN=Administrator,CN=Users,DC=domain,DC=com;CN=ReadOnly,CN=Users,DC=domain,DC=com; )

inWebo HTTP API configuration

inwebo.base.url: InWebo API URL
inwebo.proxy.host: HTTP proxy IP or hostname used to make calls to the InWebo API. There is no default HTTP proxy
inwebo.proxy.port: HTTP proxy port to use
inwebo.proxy.https: Boolean which allows to switch to HTTPS mode. The possible values ​​are "true" or "false". Set to false by default (HTTP)
inwebo.proxy.username: Login associated with the HTTP proxy (do not use realm\username for NTLM, instead use the username from a domain joined server OR username@domain)
inwebo.proxy.password: Associated password