IMPORTANT

Please read the following page: Important IWDS installation recommendations
Be sure to follow these recommendations to avoid future troubles during an LDAP incident or synchronization.

Prerequisite

Java JRE version 8 (TLS 1.2 is the default version) or higher

For Windows, IWDS is shipped as an executable file. Installation has no particular option other than choosing the configuration and output directory.

IWDS is available for download HERE

Choosing the configuration directory

At first launch, IWDS will let you choose a working directory for configuration, log and output files.

3 subfolders are created in this directory:

  • Configuration files are stored in the “conf” subfolder

  • Output files are stored in the “out” subfolder

  • Log files are stored in the “log” subfolder

If you are not an administrator on your computer, please avoid protected folders such as « Program Files ».

Select inWebo Certificate

You need to select a certificate file. You will be automatically prompted for it at first launch. If not, go to “inWebo” > “inWebo Parameters”.

You can get a certificate file from the InWebo Administration Console. Make sure you download it in .p12 format.

Parameters and Operations - inWebo

We assume here that you have already set your inWebo service configuration using inWebo administration console, i.e. set user groups and roles if required.

Configure inWebo Parameters

Go to “inWebo” > “inWebo Parameters”.

In this panel you can set the path to inWebo Certificate. You can also set the following parameters:

  • Delay between 2 queries: sets the delay (in milliseconds) between two requests to inWebo Servers.

  • Maximum query size: sets the maximum number of users retrieved per request. This parameter should be between 0 and 100.

  • Activate group synchronization: turns on group synchronization between LDAP and inWebo

Important: any operation related to group synchronization in IWDS requires the above parameter to be turned on.

When you are done, click on “Save inWebo Settings”.

Connect to inWebo Servers

Go to “inWebo” > “inWebo Connection” and click on “Connection”.

You will be prompted for the certificate password. Enter the password you defined when you created the certificate in inWebo Administration Console.

Retrieve inWebo Objects

This is the 1st step (out of 4) of the synchronization process.

Important: a connection to inWebo servers is required before retrieving objects.

Click on “Retrieve objects”.

After a successful retrieval on inWebo servers, the result is saved to files and displayed in a new panel.

The first two tabs of this new panel display the list of inWebo users and expired inWebo users (objects are read from two result files: inwebo.xml and expired.xml, located in the “out” subfolder of the configuration directory).

If group synchronization is activated, inWebo group memberships, groups and custom roles are listed in 3 additional tabs (objects are read from three result files: iwgroupmemberships.xml, iwgroups.xml and iwroles.xml, located in the “out” subfolder of the configuration directory).

Parameters and Operations - LDAP Source

Configure LDAP Connections

Go to “LDAP Sources” > “LDAP Connection”. This panel allows you to configure the connection(s) to your LDAP server(s).

Required parameters are:

  • Name: the name you give to your LDAP source. Spaces are not allowed

  • Host: IP address or Domain name of your LDAP server

  • Port: LDAP port. Usually 389 or 3389

  • Base DN: Base DN to use for the LDAP connection

  • Use SSL: Whether to use LDAPS or not. The “port” parameter will move to 636 if you use LDAPS

  • Connection Type: LDAP authentication mode (Simple or anonymous)

  • User: LDAP user for connection purposes

  • Password: LDAP password for the user mentioned above

When you are done, click on “Save Changes”. You can test the connection using the “Test Connection” button.

You can add as many LDAP connections as you need. If you have configured several connections, you can set one of these as the “default” connection.

Multiple LDAP sources warning

If you have configured several LDAP sources, please make sure every source is selected as input at the 3rd step ("diff" calculation), either in GUI mode or in BATCH mode.

Configure LDAP Search Parameters

Go to “LDAP Sources” > “LDAP Search Parameters”. This panel allows you to configure the way IWDS will retrieve your users in your LDAP directory.

LDAP Parameters

This first part of the panel allows you to:

  • Configure the attributes used to retrieve your LDAP users:

    • LDAP Attribute for login. E.g.: samaccountname for Active Directory

    • LDAP Attribute for firstname. E.g.: givenname

    • LDAP Attribute for name. E.g.: sn

    • LDAP Attribute for email. E.g.: mail

    • LDAP Attribute for alternative login. E.g.: userPrincipalName for Active Directory

  • Configure the base DN of the 3 LDAP user groups mapped to the 3 user roles defined in each and every inWebo service (inWebo user, inWebo manager and inWebo administrator):

    • User group base DN. E.g.: CN=inwebo-users,DC=example,DC=com

    • Manager group base DN. E.g.: CN=inwebo-managers,DC=example,DC=com

    • Admin group base DN. E.g.: CN=inwebo-admins,DC=example,DC=com

Please make sure you enter fully qualified LDAP DNs.

LDAP Advanced Parameters

In this second part of the configuration panel, you may set advanced parameters according to your needs:

  • Search by attribute: tells IWDS to retrieve LDAP users in the groups you defined via a specific user attribute (typically the “memberOf” attribute on Active Directory)

  • Attribute: sets the “Search by attribute” user attribute (by default it is set to “memberOf”)

  • Search by group membership: tells IWDS to directly retrieve the users that are members of the groups you defined

  • Group membership attribute: sets the LDAP attribute defining the group membership (by default it is set to “member”)

  • Recurse sub-groups: tells IWDS to recurse sub-groups during the search

  • Maximum recurse depth: sets the maximum number of sub-groups/groups to parse recursively during the search

Warning: the name of the source LDAP parameter “Maximum recurse depth” is misleading. It is not the depth in the LDAP tree but the number of group elements that are associated with it.

For reasons of consistency with the API, the name of the parameter cannot be modified.

  • Person Request Filter: sets the filter to apply on LDAP members to identify persons (by default it is set to “objectClass=Person”)

  • Group Request Filter: sets the filter to apply on LDAP members to identify groups (by default it is set to “objectClass=Group”)

  • Use Active Directory “UserAccountControl”: allows IWDS to use the UAC properties retrieved from an AD user (password expired, account disabled) to determine the user's inWebo account activation status

  • Enable paging of LDAP queries

  • Maximum query size: if paging is enabled, sets how many users IWDS will request per page

  • Delay between 2 queries: delay (in ms) between 2 LDAP page requests

When you are done, click on “Save Changes”.

Configure LDAP Group Mapping

Go to “LDAP Sources” > “LDAP Group Mapping”.

This panel allows you to configure the mapping between your LDAP groups and the inWebo groups you created for your service in inWebo administration console. This mapping will be used during the “Diff” and the “Sync” operations.

To add a group, simply enter its LDAP name, e.g. “test” (no need to enter its fully qualified DN). Then map this group to an inWebo group with a role. This role can be either the inWebo basic user role (roleid 0) or any of the custom user roles configured in the service.

The inWebo basic user role is selected by default. You may add as many LDAP groups as required.

When you are done, click on “Save Changes”.

List LDAP Objects

This is the 2nd step (out of 4) of the synchronization process.

Go to “LDAP Sources” > “LDAP Objects”.

Click on “Retrieve objects”.

After a successful retrieval on your LDAP server, the result is saved to files and displayed in a new panel.

The first tab of this new panel displays the list of your LDAP users (objects are read from result files <LDAP source name>_ldap.xml located in the “out” subfolder of the configuration directory).

If group synchronization is activated, the LDAP group memberships are listed in a second panel (objects are read from result files <LDAP source name>_.xml located in the “out” subfolder of the configuration directory).

Importing Users with a .CSV file

If you have unregistered users, you can still mass import them using a .CSV file.

This is a basic text file using the semicolon (;) as separator.

Here is the format of the CSV file to create:

login;name;firstname;email;role;status[;lang]
loginuser1;name1;firstname1;user1@test.com;0;0
loginuser2;name2;firstname2;user2@test.com;0;0
loginuser3;name3;firstname3;user3@test.com;0;0
....

Role possible values:

  • 0: user

  • 1: manager of the service (can create, modify and delete users)

  • 2: administrator of the service (can also modify parameters of the service in the Administration Console)

Status possible values:

  • 0: “login is active”

  • 1: “login is blocked” (authentication requests will be rejected)

Lang possible values:

  • fr → French

  • en → English

Note that the “lang” column is optional - the default value is “en”.
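A validator for the import file format described above, as an added example that is not part of IWDS. It accepts an optional header line and applies a deliberately simple e-mail check; both are assumptions, and the sample input is constructed.

```python
import csv
import io
import re

# Allowed column values, as documented for the import file.
ROLES = {"0": "user", "1": "manager", "2": "administrator"}
STATUSES = {"0": "login is active", "1": "login is blocked"}
LANGS = {"fr", "en"}
DEFAULT_LANG = "en"
HEADER = ["login", "name", "firstname", "email", "role", "status"]
# Deliberately simple e-mail check (assumption): one '@' with non-blank text on both sides.
EMAIL_RE = re.compile(r"^[^@\s;]+@[^@\s;]+$")

# Constructed sample input: a header line (assumed optional), three good rows and three bad ones.
SAMPLE_CSV = """login;name;firstname;email;role;status;lang
loginuser1;name1;firstname1;user1@test.com;0;0
loginuser2;name2;firstname2;user2@test.com;1;0;fr
loginuser3;name3;firstname3;user3@test.com;2;1
LOGINUSER1;dup;dup;dup@test.com;0;0
loginuser4;name4;firstname4;not-an-email;0;0
loginuser5;name5;firstname5;user5@test.com;3;0;de
"""


def parse_import_csv(text):
    """Parse IWDS import CSV text; return (users, errors).

    users:  list of dicts (login, name, firstname, email, role, status, lang) for accepted rows
    errors: list of "line N: ..." strings for rejected rows; rejected rows are never imported.
    """
    users, errors, seen_logins = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if lineno == 1 and [cell.strip().lower() for cell in row[:6]] == HEADER:
            continue  # header line (assumption: a header is allowed and skipped)
        if len(row) not in (6, 7):
            errors.append(f"line {lineno}: expected 6 or 7 fields, got {len(row)}")
            continue
        login, name, firstname, email, role, status = (cell.strip() for cell in row[:6])
        lang = row[6].strip().lower() if len(row) == 7 and row[6].strip() else DEFAULT_LANG
        problems = []
        if not login:
            problems.append("empty login")
        elif login.lower() in seen_logins:
            # Logins are correlated case-insensitively, so LOGINUSER1 duplicates loginuser1.
            problems.append(f"duplicate login {login!r}")
        if not EMAIL_RE.match(email):
            problems.append(f"invalid email {email!r}")
        if role not in ROLES:
            problems.append(f"role must be 0, 1 or 2, got {role!r}")
        if status not in STATUSES:
            problems.append(f"status must be 0 or 1, got {status!r}")
        if lang not in LANGS:
            problems.append(f"lang must be fr or en, got {lang!r}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        seen_logins.add(login.lower())
        users.append({"login": login, "name": name, "firstname": firstname, "email": email,
                      "role": role, "status": status, "lang": lang})
    return users, errors


if __name__ == "__main__":
    accepted, rejected = parse_import_csv(SAMPLE_CSV)
    print(f"{len(accepted)} users accepted, {len(rejected)} rows rejected")
    for err in rejected:
        print(err)
```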

Synchronization

Make Diff

This is the 3rd step (out of 4) of the synchronization process.

At this step, IWDS computes the differences between existing InWebo objects and LDAP objects and outputs the list of the changes to apply in order to have your inWebo service synchronized with your LDAP directory.

This calculation is performed according to a chosen synchronization rule set.

This operation is done locally, without any modification done to your InWebo service.

Go to “Synchronization” > “Synchronize”.

Click on the “Make Diff” button to compute the differences.

The correlation between LDAP users and inWebo users is done on the login field (case insensitive).

Multiple LDAP sources warning

If you have configured several LDAP sources, please make sure every source is selected as input at this "diff" calculation step.
In the GUI, multiple selection can be done with Ctrl+click or Shift+click.

After a successful computation, the result is written to “Diff” files and displayed in a new panel. This result consists of a list of transactions. A transaction can be of type:

  • inWebo user create (loginCreate)

  • inWebo user update (loginUpdate)

  • inWebo user delete (loginDelete)

  • Add user to an inWebo group (groupMembershipCreate)

  • Update user in an inWebo group (groupMembershipUpdate)

  • Delete user from an inWebo group (groupMembershipDelete)

The first tab of this new panel shows the user related transactions (transactions are read from file diff.xml located in the “out” subfolder of the configuration directory. If you make a “Diff” in command line / batch mode, you can change the name of the diff file).

If group synchronization is activated, the second tab of the panel shows the group membership related transactions (transactions are read from file diff_grp.xml located in the “out” subfolder of the configuration directory).

Synchronize

This is the last step (out of 4) of the synchronization process.

The “Sync” task takes the output of the “Diff”, and applies the transactions one by one. The result of these operations is fetched and written to result files.

Go to “Synchronization” > “Synchronize”.

Click on the “Synchronize” button to launch the synchronization.

If synchronization is successful, the result is displayed in a new panel. The first tab of this new panel shows the result of user related transactions (read from result.xml file located in the “out” subfolder of the configuration directory).

If group synchronization is activated, the second tab of the panel shows the result of group membership related transactions (read from result_grp.xml file located in the “out” subfolder of the configuration directory).

Synchronization Rules

You can configure the way the synchronization is performed by defining synchronization rule sets.

Go to “Synchronization” > “Synchronization Rules”.

The following parameters can be set within a given rule set:

  • Rule Name: name of the rule set

  • Send activation code to new users by email: select one of the three options

  • Resend activation code for “Pending” users : yes or no

  • Language: language used to send emails

  • Delete “Expired” users: yes or no

  • Keep inWebo users' status (whatever their status, activated or not activated, on LDAP server side): yes or no

  • Synchronize “Managers”: yes or no

  • Synchronize “Administrators”: yes or no

  • Synchronize Groups: yes or no

You can choose whether Managers and Admins are synchronized or not. If not, you can manage them directly in inWebo Administration Console.

The “Synchronize Groups” parameter does not activate group synchronization in IWDS. It only tells IWDS whether to handle group synchronization when this rule set is in use, and it has no effect if group synchronization is not activated (see inWebo Parameters).

When you are done, click on “Save Changes”.

Delete operation

  • In graphical mode, the synchronization operation is blocked if it is about to delete more than 25 users. You will be prompted to use command line mode to avoid unwanted mass users deletion.

  • In command line mode, if you want to force a “Sync” operation that deletes more than 25 users, you should:

  1. Check that the list of users to be deleted is correct and not the result of an error or an erroneous behavior of the directory.

    To do this, after a "diff" operation, consult the file '<IWDS_installation_directory>\work\out\diff.xml' and check the list of the 'loginDelete' type transactions:

    <loginDelete>
        <transactionid>1</transactionid>
        <input>
            <loginid>xxxxx</loginid>
            <login>xxxxx</login>
            <login2>xxxxx</login2>
            <name>xxxxx</name>
            <firstname>xxxxx</firstname>
            <mail>xxxxx@xxxxx.xxx</mail>
        </input>
    </loginDelete>

  2. Execute the “Sync” action specifying the --del-limit parameter. This parameter defines the maximum number of users that can be deleted during the operation (see Action “sync” > “-dl, --del-limit” option). For example, if you set the limit to 50 users, any sync operation deleting more than 50 users will be blocked. Here is the command line example for the sync action set with a 50 users delete limit:

    cd <IWDS installation directory>
    java -cp Iwds.jar com.inwebo.Iwds --del-limit 50 --cert <certificate file name>.p12 --pass <certificate password> --wsdl ConsoleAdmin.wsdl sync

Please, note that the default value of the -dl, --del-limit option is 25.
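The Make Diff correlation and the del-limit safeguard described above, as an added Python example that is not IWDS code. inwebo.xml is parsed in the shape shown under Output File Format and the transaction element names follow the diff.xml excerpt; the LDAP user list, the <diff> root element and the set of compared fields are assumptions.

```python
import xml.etree.ElementTree as ET

DEFAULT_DEL_LIMIT = 25      # IWDS default (2.1.15 and above), as stated on the page
CREATED_BY_CONSOLE = "0"    # "Created by: Console" corresponds to provisioning_id 0
COMPARED_FIELDS = ("firstname", "name", "mail")  # assumption: fields whose change triggers loginUpdate

# Constructed inwebo.xml, in the shape documented under "Output File Format".
INWEBO_XML = """<?xml version="1.0"?>
<inwebo-users>
  <user><id>148083</id><login>john</login><login2></login2><status>0</status><role>0</role>
    <firstname>John</firstname><name>Doe</name><mail>john@example.com</mail><code>ok</code><createdby>1</createdby></user>
  <user><id>148084</id><login>Alice</login><login2></login2><status>0</status><role>0</role>
    <firstname>Alice</firstname><name>Martin</name><mail>alice@example.com</mail><code>ok</code><createdby>1</createdby></user>
  <user><id>148085</id><login>bob</login><login2></login2><status>0</status><role>0</role>
    <firstname>Bob</firstname><name>Stone</name><mail>bob@example.com</mail><code>ok</code><createdby>1</createdby></user>
  <user><id>148086</id><login>carol</login><login2></login2><status>0</status><role>0</role>
    <firstname>Carol</firstname><name>King</name><mail>carol@example.com</mail><code>ok</code><createdby>0</createdby></user>
</inwebo-users>"""

# Constructed LDAP result. The page does not show the <source>_ldap.xml layout, so plain dicts are used.
LDAP_USERS = [
    {"login": "JOHN", "firstname": "John", "name": "Doe", "mail": "john@example.com"},       # unchanged
    {"login": "alice", "firstname": "Alice", "name": "Durand", "mail": "alice@example.com"},  # name changed
    {"login": "dave", "firstname": "Dave", "name": "Lee", "mail": "dave@example.com"},        # new
]   # bob and carol are absent from LDAP


def parse_inwebo_users(xml_text):
    """Index inwebo.xml <user> records by lower-cased login (correlation is case-insensitive)."""
    users = {}
    for user in ET.fromstring(xml_text).findall("user"):
        record = {child.tag: (child.text or "") for child in user}
        users[record["login"].lower()] = record
    return users


def make_diff(inwebo_users, ldap_users):
    """Return a list of (transaction type, payload) tuples: creates/updates first, then deletes."""
    transactions, seen = [], set()
    for ldap_user in ldap_users:
        key = ldap_user["login"].lower()
        seen.add(key)
        existing = inwebo_users.get(key)
        if existing is None:
            transactions.append(("loginCreate", dict(ldap_user)))
        elif any(existing.get(f, "") != ldap_user.get(f, "") for f in COMPARED_FIELDS):
            transactions.append(("loginUpdate", {"loginid": existing["id"], **ldap_user}))
    for key, existing in inwebo_users.items():
        # Users missing from LDAP are deleted, except those created by the Admin Console.
        if key not in seen and existing.get("createdby") != CREATED_BY_CONSOLE:
            fields = {k: existing.get(k, "") for k in ("login", "login2", "name", "firstname", "mail")}
            transactions.append(("loginDelete", {"loginid": existing["id"], **fields}))
    return transactions


def write_diff_xml(transactions):
    """Serialise transactions like the diff.xml excerpt (the <diff> root element is an assumption)."""
    root = ET.Element("diff")
    for number, (kind, payload) in enumerate(transactions, start=1):
        tx = ET.SubElement(root, kind)
        ET.SubElement(tx, "transactionid").text = str(number)
        inp = ET.SubElement(tx, "input")
        for field, value in payload.items():
            ET.SubElement(inp, field).text = value
    return ET.tostring(root, encoding="unicode")


def check_del_limit(diff_xml, del_limit=DEFAULT_DEL_LIMIT):
    """Count loginDelete transactions in a diff file and decide whether the sync may proceed.

    The sync is blocked when the count exceeds del_limit; del_limit == 0 disables the check ("-dl 0").
    """
    deletes = len(ET.fromstring(diff_xml).findall("loginDelete"))
    return deletes, del_limit == 0 or deletes <= del_limit


if __name__ == "__main__":
    txs = make_diff(parse_inwebo_users(INWEBO_XML), LDAP_USERS)
    diff_xml = write_diff_xml(txs)
    count, allowed = check_del_limit(diff_xml)
    print([kind for kind, _ in txs], count, "sync allowed" if allowed else "sync blocked")
```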

The provisioning_id parameter

This parameter is available in IWDS version 2.4 and higher.

The provisioning_id parameter specifies the user provisioning source. It is useful if you have multiple provisioning sources and/or multiple IWDS instances.

You can specify the provisioning source ID in the IWDS configuration file conf/inwebo.properties (see the Configuration File section below). If you don’t specify any value for provisioning_id in conf/inwebo.properties, then the default value 1 is used.

When creating an account with the SOAP API, the provisioning_id value can be specified in the loginCreateBySource SOAP API call (see User Management with SOAP API - loginCreateBySource). It will update the “Created By” value.

To see the users provisioning sources, go to your IWDS interface > InWebo Objects section > inWebo Users tab. Look at the "Created by" column values:

  • Console → Created by the administration console (provisioning_id=0)

  • Source #1 → Created by IWDS (default value) (provisioning_id=1)

  • Source #{provisioning_id value} → Created by another provisioning source (provisioning_id={value})

When you specify the provisioning_id, make sure that the value does not conflict with any other provisioning source or any other IWDS instance.

Options

Proxy settings

This panel allows you to add proxy parameters if your connection requires such parameters:

  • Direct connection: no proxy (this is the default configuration).

  • Use browser parameters: use proxy settings of your default browser.

  • Use proxy server:

    • Address: host name or IP address of the proxy

    • Port: port of the proxy

    • Use Authentication: you can turn on or off user authentication

      • User: user name used for proxy authentication

      • Password: password for proxy authentication

When you are done, click on “Save Changes”.

Log Files

On this panel you can display the log files stored in the “log” subfolder of IWDS configuration directory.

You can also delete any of the log files listed in this panel.

Batch mode

We assume here that your inWebo and LDAP parameters have already been set in IWDS.

The 4 steps of the synchronization process can be executed with IWDS in command line or batch mode:

  1. Retrieve InWebo objects

  2. Retrieve LDAP objects

  3. Make Diff (compute changes)

  4. Synchronize (apply diff)

If group synchronization is activated, it is mandatory to set the mapping between LDAP groups and inWebo groups before computing the diff and synchronizing. If not set, IWDS is not able to determine which inWebo group LDAP users should be added to. This mapping can be set either using IWDS GUI or by adding the appropriate file in the configuration directory (see Configuration File Format section below).

Usage

java -cp Iwds.jar com.inwebo.Iwds [options] [action]

Available Actions

getinwebo | getldap | diff | sync

Action « getinwebo »

Use this action to retrieve inWebo objects.

Action

getinwebo

Options

-w, --wsdl                              WSDL file (full path to inWebo WSDL file)
-C, --cert                              inWebo API certificate (full path to certificate file - PKS12 format)
-p, --pass                              Certificate password
-b, --basedir                           Path of a directory containing out and conf subfolders - option
-c, --config                            inWebo Properties file name - option
-f, --find <logins|groups|roles|all>    Scope of inWebo search - option (if not specified set to "all")
-v, --verbose                           Print logs on system output - option

Command samples

With required arguments only:

java -cp Iwds.jar com.inwebo.Iwds --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl getinwebo

With more arguments:

java -cp Iwds.jar com.inwebo.Iwds --config inwebo.properties --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl --find logins getinwebo

Action « getldap »

Use this action to Retrieve LDAP objects.

Action

getldap

Options

-b, --basedir                     Path of a directory containing out and conf subfolders - option
-L, --ldap                        Name of an LDAP source - option
-c, --config                      LDAP Properties file name - option
-o, --out                         Destination file name - option (e.g. ldap.xml)
-f, --find <users|groups|all>     Scope of LDAP search - option (if not specified set to "all")
-v, --verbose                     Print logs on system output - option

Command samples

Without arguments. In this case IWDS uses the default LDAP source name and the current configuration directory:

java -cp Iwds.jar com.inwebo.Iwds getldap

With arguments, using the --ldap option:

java -cp Iwds.jar com.inwebo.Iwds --ldap <LDAP source name> getldap

With arguments, using the --config option:

java -cp Iwds.jar com.inwebo.Iwds --config ldap_<LDAP source name>.properties --out <LDAP source name>_ldap.xml --find users getldap

Important: do not use the --ldap and --config options simultaneously.

Action « diff »

This command compares objects retrieved by “getinwebo” and “getldap” actions and computes a list of transactions to execute to synchronize your LDAP server(s) with inWebo. This computation is based on a selected synchronization rule set and relies on the group mapping (if group synchronization is activated).

When executed, this command determines the list of inWebo objects (users and user group memberships) to be created, updated and deleted. The “Diff” outputs the list of these transactions in XML files. These XML “Diff” files are later used by the “Sync” command that actually performs the synchronization.

At this step, no modification is applied to your InWebo service.

Multiple LDAP sources warning

WARNING: if you have configured several LDAP sources, please make sure every source is selected as input at this "diff" calculation step.
In batch mode, the source names must be entered separated by commas.

Action

diff

Options

-r, --ruleset                       File containing diff rules
-L, --ldap                          Comma separated list of LDAP source names - option
-s, --source                        Comma separated list of LDAP user files - option
-b, --basedir                       Path of a directory containing out and conf subfolders - option
-I, --inwebo                        File containing inWebo users - option
-E, --inexpired                     File containing inWebo expired users - option
-o, --out                           Destination file - option (e.g. diff.xml)
-v, --verbose                       Print logs on system output - option

Command samples

With required arguments only. In this case, only the rule set must be declared. The default LDAP source name is used as well as the latest LDAP and inWebo object files found in the current “out” subfolder of IWDS directory:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties diff

With more arguments, using the --ldap option:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties --ldap <LDAP source name>[,<LDAP source name 2>,....] diff

With more arguments, using the --source option:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties --source <LDAP source name>_ldap.xml[,<LDAP source name 2>_ldap.xml,....] --inwebo inwebo.xml --inexpired expired.xml --out diff.xml diff

IMPORTANT

Do not use the --ldap and --source options simultaneously.

Action « sync »

This action executes the transactions computed by the “Diff” command to synchronize your LDAP server(s) with your inWebo service. It:

  1. Loads “Diff” files

  2. Connects to inWebo servers

  3. Executes transactions one by one

  4. Captures the result

Action

sync

Options

-w, --wsdl                         WSDL file (full path to inWebo WSDL file)
-C, --cert                         inWebo API certificate (full path to certificate file - PKS12 format)
-p, --pass                         Certificate password
-b, --basedir                      Path of a directory containing out and conf subfolders - option
-c, --config                       Properties file - option (inWebo properties file name)
-i, --in                           Diff input file - option (file containing result of action diff)
-dl, --del-limit                   Max no. of user delete operations allowed before stopping the sync - option (default 25 for IWDS 2.1.15 and above)
-v, --verbose                      Print logs on system output - option

Command samples

With required arguments only:

java -cp Iwds.jar com.inwebo.Iwds --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl sync

With more arguments:

java -cp Iwds.jar com.inwebo.Iwds --config inwebo.properties --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl --in diff.xml --del-limit 30 sync

IMPORTANT

Please read the following page to avoid losing accounts during sync: Important IWDS installation recommendations and update procedure
Be sure to follow these recommendations to avoid future troubles during an LDAP incident or synchronization.

As of version 2.1.15, the -dl option is applied by default with a value of 25; to disable it, you must specify the following parameter: -dl 0

Configuration File

All these files are located in the “conf” subfolder of your IWDS configuration folder.

File “inwebo.properties”

Parameter name and description:

user_id
  Must be equal to 0. Do not change.

certificate_file
  Path to the certificate file. You can get this file from InWebo Admin Console.

delay
  Delay (in milliseconds) between 2 requests to inWebo Servers. Do not change this parameter (delay=500).

max_size
  Maximum number of users downloaded in one request. This parameter should be between 0 and 100.
  If you have more than 100 users, IWDS makes several requests sequentially.

provisioning_id
  Defines the provisioning source ID. It may be useful if you have multiple provisioning sources or several IWDS instances.
  The value must be greater than or equal to 1. If not specified, the default value is 1.

File “ldap.properties”

If generated by the GUI, this file is named ldap_<LDAP source name>.properties.

Parameter name and description:

name
  The name you give to your LDAP directory. Spaces are not allowed.

authtype
  LDAP authentication mode (Simple or anonymous).

host
  IP address or Domain name of your LDAP directory.

port
  LDAP port. Usually 389.

secure
  yes / no. Whether to use LDAPS or not. The ‘port’ parameter is moved to 636 if you use LDAPS.

ldapuser
  LDAP user for connection purposes.

ldappassword
  LDAP password for the user mentioned above.

basedn
  Base DN to use for the LDAP connection.

loginattr
  LDAP attribute IWDS looks for to retrieve the user login.

login2attr
  LDAP attribute IWDS looks for to retrieve the user alternate login.

firstnameattr
  LDAP attribute IWDS looks for to retrieve the user first name.

lastnameattr
  LDAP attribute IWDS looks for to retrieve the user name.

emailattr
  LDAP attribute IWDS looks for to retrieve the user email.

usergroupdn
  LDAP DN of the group containing InWebo Users.

managergroupdn
  LDAP DN of the group containing InWebo Managers.

admingroupdn
  LDAP DN of the group containing InWebo Administrators.

searchbyattr
  Tells IWDS to retrieve LDAP users in the groups you defined via a specific user attribute (typically the “memberOf” attribute on Active Directory).

searchattr
  Sets the attribute for user attribute based search.

searchbygrpmb
  Tells IWDS to directly retrieve the users that are members of the groups you defined.

grpmbattr
  Sets the attribute for group membership based search.

maxdepth
  The number of sub-group levels to parse recursively.

filter_group
  Sets the filter to apply on LDAP members to identify groups.

filter_person
  Sets the filter to apply on LDAP members to identify persons.

useaduac
  Allows IWDS to use the UAC properties retrieved from an AD user to determine the user inWebo account activation status.

enableldappaging
  Activation / deactivation of LDAP paging.

querypagesize
  IWDS can use LDAP paging. This parameter sets how many users IWDS processes per page.

querydelay
  Delay (in ms) between 2 LDAP page requests.

filter
  LDAP filter for your requests. Example: « objectClass\=Person », to filter out Computers (deprecated, replaced by filter_person and filter_group).

recursegroups
  Set to ‘False’ if you have Active Directory. ‘True’ otherwise (deprecated).

supportmemberof
  Set to ‘True’ if you have Active Directory. ‘False’ otherwise (deprecated, replaced by searchbyattr).

grpattr
  (deprecated, replaced by grpmbattr)

Sample file

name=My LDAP
host=xxxx
port=3389
ldapuser=xxxx
ldappassword=xxxx
authtype=simple
secure=no
basedn=DC=adfs,DC=inwebo,DC=com
usergroupdn=cn=inwebo-users,CN=Users,DC=adfs,DC=inwebo,DC=com
managergroupdn=CN=inwebo-managers,CN=Users,DC=adfs,DC=inwebo,DC=com
admingroupdn=CN=inwebo-admins,CN=Users,DC=adfs,DC=inwebo,DC=com
firstnameattr=givenName
lastnameattr=sn
loginattr=samaccountname
login2attr=UPN
emailattr=mail
searchbygrpmb=true
grpmbattr=member
searchbyattr=false
searchattr=memberOf
maxdepth=10
filter_person=objectClass=Person
filter_group=objectClass=Group
useaduac=yes
enableldappaging=yes
querypagesize=100
querydelay=1000

NB: “\\” are used to escape special chars. They are automatically added by IWDS GUI.

If a user belongs to the “User” group or "Manager" group, his “status” is set to “not blocked” during the synchronization. If not, it is set to “blocked”.

If a user belongs to “Administrator” group, his “role” is accordingly set during the synchronization and his “status” is set to “blocked”.

File “rules.properties”

If generated by the GUI, it is named rules_<rule set name>.properties.

Parameter name and description:

managersynchro
  Possible value: “yes” or “no”.
  If set to “no”, managers configured in your inWebo service will not be modified or deleted.

adminsynchro
  Possible value: “yes” or “no”.
  If set to “no”, administrators configured in your inWebo service will not be modified or deleted.

groupsynchro
  Possible value: “yes” or “no”.
  If set to “no”, group memberships will not be handled during the “Sync”.

resendactivationlink
  Possible value: “yes” or “no”.
  If set to “yes”, pending users will receive a new activation email.

sendcodebymail
  Possible value: “yes”, “no” or “link”.
  If set to “yes”, newly created users will receive an email with an activation link. The email is sent by inWebo servers.
  If set to “link”, a long code with a three weeks lifetime is returned by inWebo servers per created user. These long codes can be used to create activation links. They are available in the XML output.
  If set to “no”, a 15 minutes lifetime activation code is returned by inWebo servers per created user. These codes can be directly used to activate any inWebo authentication tool. They are available in the XML output.

lang
  Possible value: “EN” or “FR”.

deleteexpired
  Possible value: “yes” or “no”.

keepinwebostatus
  Possible value: “yes” or “no”.
  If a user was blocked by a Manager using the Admin Console, IWDS can leave this status unchanged (“yes”) or set it back to the value taken from LDAP (“no”). Default is “yes”.

Group Mapping Configuration File

This XML file is used to map LDAP user groups to inWebo user groups. It can be generated either in GUI mode using the IWDS console or by any other means, as long as the following file structure is respected.

The filename must have the following form:

ldapgroups_mapping_<LDAP source name>.properties.

A mapping file associates the groups of a single LDAP source with inWebo groups.

If you have several LDAP sources configured, one mapping for each source is required.

Parameter name and description:

ldap-groupname
  Name of the LDAP group as it appears in your LDAP directory. Case sensitive.

inwebo-groupname
  Name of the inWebo group as it appears in the iwgroups.xml file generated after getting inWebo objects with IWDS, or in inWebo administration console.

inwebo-groupid
  ID of the inWebo group as it appears in the iwgroups.xml file generated after getting inWebo objects with IWDS, or in inWebo administration console.

inwebo-rolename
  Name of the inWebo role as it appears in the iwroles.xml file generated after getting inWebo objects with IWDS, or in inWebo administration console.

inwebo-roleid
  ID of the inWebo role as it appears in the iwroles.xml file generated after getting inWebo objects with IWDS, or in inWebo administration console.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<ldap-group-mappings>
	<ldap-group-mapping>
		<ldap-groupname>HelpDesk</ldap-groupname>
		<inwebo-groupname>HelpDesk</inwebo-groupname>
		<inwebo-groupid>1</inwebo-groupid>
		<inwebo-rolename>operator</inwebo-rolename>
		<inwebo-roleid>131</inwebo-roleid>
	</ldap-group-mapping>
	...
</ldap-group-mappings>

Output File Format

All these files are located in the “out” subfolder of your IWDS configuration folder.

inWebo user file

File name: inwebo.xml

Sample file

<?xml version="1.0"?>
<inwebo-users>
	<user>
		<id>148083</id>
		<login>john</login>
		<login2></login2>
		<status>0</status>
		<role>0</role>
		<firstname>John</firstname>
		<name>Doe</name>
		<mail></mail>
		<extrafields></extrafields>
		<code>ok</code>
		<createdby>1</createdby>
	</user>
	...
</inwebo-users>

The “status” field indicates whether authentication requests for this user are accepted. If status is set to 1, the user is blocked; if set to 0, the user is not blocked.

The “role” field indicates the role of the user in the service:

  • 0: User (basic inWebo user)

  • 1: Manager of the service

  • 2: Administrator of the service

The “code” field tells whether the user is active, pending or expired.

Important: Logins whose “code” field is set to “expired” are not listed in this file. They appear in a separate file named expired.xml, which has the same structure as inwebo.xml.

The “createdby” field tells whether the user was last created or modified by the Admin Console or by the API (e.g. IWDS). By default, IWDS does not delete users created by the Admin Console. Nevertheless, if a user is found both among inWebo users and LDAP users, IWDS will update it. This means that, after the next synchronization, the user will be seen as “created by the API”.

inWebo groupmembership file

File name: iwgroupmemberships.xml

Sample file

<?xml version="1.0"?>
<inwebo-group-memberships>
	<membership>
		<groupid>1</groupid>
		<groupname>HelpDesk</groupname>
		<loginid>148083</loginid>
		<login>john</login>
		<roleid>131</roleid>
		<rolename>operator</rolename>
	</membership>
	...
</inwebo-group-memberships>

inWebo group file

File name: iwgroups.xml

This file lists the user groups configured in your inWebo service.

Sample file

<?xml version="1.0"?>
<inwebo-groups>
	<group>
		<groupid>1</groupid>
		<name>HelpDesk</name>
	</group>
	...
</inwebo-groups>

inWebo role file

File name: iwroles.xml

This file lists the custom user roles configured in your inWebo service.

Sample file

<?xml version="1.0"?>
<inwebo-roles>
	<role>
		<roleid>131</roleid>
		<name>operator</name>
	</role>
	...
</inwebo-roles>

LDAP user file

If generated by the GUI, it is named <LDAP source name>_ldap.xml.

This file lists the LDAP users retrieved on a given LDAP server (source).

Sample file

<?xml version="1.0"?>
<ldap-users>
	<user>
		<login>john</login>
		<login2></login2>
		<status>0</status>
		<role>0</role>
		<firstname>John</firstname>
		<name>Doe</name>
		<mail>jdoe@client.com</mail>
		<extrafields></extrafields>
	</user>
	<user>
		<login>alice</login>
		<login2></login2>
		<status>0</status>
		<role>0</role>
		<firstname>Alice</firstname>
		<name>Nine</name>
		<mail>anine@client.com</mail>
		<extrafields></extrafields>
	</user>
	...
</ldap-users>

LDAP group membership file

If generated by the GUI, it is named <LDAP source name>_ldapgrpmb.xml.

This file lists the LDAP group memberships retrieved on a given LDAP server (source).

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<ldap-group-memberships>
	<ldap-group-membership>
		<login>john</login>
		<ldap-groupname>HelpDesk</ldap-groupname>
	</ldap-group-membership>
	<ldap-group-membership>
		<login>alice</login>
		<ldap-groupname>HelpDesk</ldap-groupname>
	</ldap-group-membership>
	...
</ldap-group-memberships>
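The mapping file above is only applied when its names and ids agree with the objects fetched from inWebo, and LDAP group names are matched case-sensitively. The following consistency check is an added example (not part of IWDS): it reads constructed samples in the layouts of iwgroups.xml, iwroles.xml, the ldapgroups_mapping file and the _ldapgrpmb.xml file, and reports stale ids and LDAP groups that would silently get no membership.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the layouts of iwgroups.xml, iwroles.xml,
# ldapgroups_mapping_<source>.properties and <source>_ldapgrpmb.xml
# (the mapping carries a wrong role id; one LDAP group differs by case only).
IWGROUPS = "<inwebo-groups><group><groupid>1</groupid><name>HelpDesk</name></group></inwebo-groups>"
IWROLES = "<inwebo-roles><role><roleid>131</roleid><name>operator</name></role></inwebo-roles>"
MAPPING = """<ldap-group-mappings><ldap-group-mapping>
  <ldap-groupname>HelpDesk</ldap-groupname>
  <inwebo-groupname>HelpDesk</inwebo-groupname><inwebo-groupid>1</inwebo-groupid>
  <inwebo-rolename>operator</inwebo-rolename><inwebo-roleid>130</inwebo-roleid>
</ldap-group-mapping></ldap-group-mappings>"""
LDAPGRPMB = """<ldap-group-memberships>
  <ldap-group-membership><login>john</login><ldap-groupname>HelpDesk</ldap-groupname></ldap-group-membership>
  <ldap-group-membership><login>alice</login><ldap-groupname>helpdesk</ldap-groupname></ldap-group-membership>
</ldap-group-memberships>"""

def id_table(xml_text, item_tag, id_tag):
    """Build {name: id} from an iwgroups.xml or iwroles.xml document."""
    return {e.findtext("name"): e.findtext(id_tag)
            for e in ET.fromstring(xml_text).iter(item_tag)}

def check_mapping(mapping_xml, groups_xml, roles_xml, ldapgrpmb_xml):
    """Return the problems found; an empty list means the files are consistent."""
    groups = id_table(groups_xml, "group", "groupid")
    roles = id_table(roles_xml, "role", "roleid")
    problems, mapped = [], set()
    for m in ET.fromstring(mapping_xml).iter("ldap-group-mapping"):
        ldap_name = m.findtext("ldap-groupname")
        gname, gid = m.findtext("inwebo-groupname"), m.findtext("inwebo-groupid")
        rname, rid = m.findtext("inwebo-rolename"), m.findtext("inwebo-roleid")
        # Name and id must agree with the objects fetched from inWebo; a stale id
        # would attach the membership to the wrong group or role.
        if groups.get(gname) != gid:
            problems.append(f"{ldap_name}: group {gname!r} id {gid} does not match iwgroups.xml ({groups.get(gname)})")
        if roles.get(rname) != rid:
            problems.append(f"{ldap_name}: role {rname!r} id {rid} does not match iwroles.xml ({roles.get(rname)})")
        mapped.add(ldap_name)
    # ldap-groupname is matched case-sensitively: an unmapped group gets no inWebo
    # membership, so also flag names that differ from a mapping by case only.
    by_lower = {name.lower(): name for name in mapped}
    for mb in ET.fromstring(ldapgrpmb_xml).iter("ldap-group-membership"):
        g = mb.findtext("ldap-groupname")
        if g not in mapped:
            hint = f" (case differs from mapped {by_lower[g.lower()]!r})" if g.lower() in by_lower else ""
            problems.append(f"{mb.findtext('login')}: LDAP group {g!r} has no mapping{hint}")
    return problems

if __name__ == "__main__":
    for p in check_mapping(MAPPING, IWGROUPS, IWROLES, LDAPGRPMB):
        print("WARN", p)
```

Run it after "getinwebo" and "getldap" have refreshed the files in the “out” subfolder and before generating the group diff.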

User Diff file

If generated by the GUI, it is named diff.xml.

This file lists the user transactions to be executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
	<loginCreate>
		<transactionid>1</transactionid>
		<input>
			<login>alice</login>
			<login2></login2>
			<status>0</status>
			<role>0</role>
			<firstname>Alice</firstname>
			<name>Nine</name>
			<mail>anine@client.com</mail>
			<lang>en</lang>
			<extrafields></extrafields>
			<codetype>1</codetype>
		</input>
	</loginCreate>
	...
</transactions>

The “codetype” field indicates the chosen method for sending the activation code to the newly created inWebo user (do not send a code, send an activation code by email, or send an activation link by email).

Group Diff file

If generated by the GUI, it is named diff_grp.xml.

This file lists the group membership transactions to be executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
	<groupMembershipCreate>
		<transactionid>1</transactionid>
		<input>
			<loginid>0</loginid>
			<login>alice</login>
			<groupid>1</groupid>
			<groupname>HelpDesk</groupname>
			<roleid>131</roleid>
			<rolename>operator</rolename>
			<login-is-new>1</login-is-new>
		</input>
	</groupMembershipCreate>
	...
</transactions>

User Synchronization result file

Name of the file: result.xml.

This file lists the user transactions executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
	<transaction>
		<transactionid>1</transactionid>
		<type>loginCreate</type>
		<input>
			<login>alice</login>
			<login2></login2>
			<status>0</status>
			<role>0</role>
			<firstname>Alice</firstname>
			<name>Nine</name>
			<mail>anine@client.com</mail>
			<extrafields></extrafields>
		</input>
		<output>
			<err>OK</err>
			<loginid>152993</loginid>
			<code>306664750</code>
		</output>
		<done>1</done>
		<timestamp>1415281897431</timestamp>
	</transaction>
	...
</transactions>

Group Membership synchronization result file

Name of the file: result_grp.xml.

This file lists the group membership transactions executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
	<transaction>
		<transactionid>1</transactionid>
		<type>groupMembershipCreate</type>
		<input>
			<login>alice</login>
			<login2></login2>
			<loginid>152993</loginid>
			<login-is-new>1</login-is-new>
			<groupname>HelpDesk</groupname>
			<groupid>1</groupid>
			<rolename>operator</rolename>
			<roleid>131</roleid>
		</input>
		<output>
			<err>OK</err>
		</output>
		<done>1</done>
		<timestamp>1415281900133</timestamp>
	</transaction>
	...
</transactions>
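Both result files share the transaction/input/output/done layout shown above, and result.xml may carry activation codes in its output element when sendcode is “no”. The following post-sync review is an added example (not IWDS code): it reads a constructed sample in that layout and separates successful, failed and unexecuted transactions, and lists the logins whose activation code ended up on disk.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of result.xml / result_grp.xml: a successful
# loginCreate that returned an activation code, a failed loginCreate (the error
# text is a placeholder, real values come from the inWebo API), and a group
# membership transaction that was never executed.
RESULT_XML = """<transactions>
  <transaction><transactionid>1</transactionid><type>loginCreate</type>
    <input><login>alice</login></input>
    <output><err>OK</err><loginid>152993</loginid><code>306664750</code></output>
    <done>1</done><timestamp>1415281897431</timestamp></transaction>
  <transaction><transactionid>2</transactionid><type>loginCreate</type>
    <input><login>bob</login></input>
    <output><err>ERROR</err></output>
    <done>1</done><timestamp>1415281897500</timestamp></transaction>
  <transaction><transactionid>3</transactionid><type>groupMembershipCreate</type>
    <input><login>alice</login><groupname>HelpDesk</groupname></input>
    <output></output><done>0</done><timestamp>0</timestamp></transaction>
</transactions>"""

def review_result(xml_text):
    """Summarise a Sync result file: transactions per type, failed and
    unexecuted ones, and logins whose activation code was written to disk."""
    summary = {"by_type": {}, "failed": [], "not_done": [], "codes_on_disk": []}
    for tx in ET.fromstring(xml_text).iter("transaction"):
        tid, ttype = tx.findtext("transactionid"), tx.findtext("type")
        login = tx.findtext("input/login")
        summary["by_type"][ttype] = summary["by_type"].get(ttype, 0) + 1
        if tx.findtext("done") != "1":
            summary["not_done"].append((tid, ttype, login))  # needs a re-run
            continue
        err = tx.findtext("output/err")
        if err != "OK":
            summary["failed"].append((tid, ttype, login, err))
        elif tx.find("output/code") is not None:
            # A code is returned when sendcode is "no"; it activates an
            # authentication tool, so treat the file like a credential store.
            summary["codes_on_disk"].append((tid, login))
    return summary

if __name__ == "__main__":
    s = review_result(RESULT_XML)
    print("per type:", s["by_type"])
    for key in ("failed", "not_done", "codes_on_disk"):
        for item in s[key]:
            print(key, item)
```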

OpenLDAP specific settings

If using IWDS with OpenLDAP, you may encounter an exception when retrieving LDAP objects. To avoid this situation, uncheck the "Enable paging of LDAP queries" parameter in the "LDAP Search Parameters > Advanced parameters" panel, or manually set enableldappaging to no in the LDAP properties file.

How to force IWDS to use TLS version 1.2 in scripts

IWDS uses Java version 1.8, which natively supports TLS 1.2 and uses it by default, but in some environments the TLS protocol must be explicitly forced to 1.2 in Java at startup.

For Windows and Linux

Each java command line in the scripts must include the additional options -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2.

  • Example for Linux

java -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -cp /product/inWebo/Iwds.jar com.inwebo.Iwds --ldap LDAP.PATH -v -b /product/inWebo getldap
  • Example for Windows / PowerShell

$javaPath = "C:\java\openlogic-openjdk-jre-8u262-b10-win-64\bin\Java.exe"
Set-Alias java $javaPath

java -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -cp "C:\inWebo\Iwds.jar" com.inwebo.Iwds -b "C:\inWebo" -w "C:\IWDSsync\ConsoleAdmin.wsdl" -C "C:\inWebo\Certificate.p12" -p PASSWORD -v getinwebo

Download

IWDS is available for download HERE
