inWebo Active Directory Sync 2.0

Introduction

inWebo Technologies designs solutions for strong two-factor authentication and transaction sealing.

This document describes how to use « inWebo Directory Sync » (IWDS).

General principle

IWDS is a Java application that allows any inWebo service administrator to do bulk creation, modification and deletion of inWebo users and groups, based on input data taken from an LDAP directory or a CSV file.

IWDS also works in batch mode. In this case, it is installed on a server and launched periodically by a task scheduler (cron on Linux, Task Scheduler on Windows).

Important: IWDS will not write anything in your LDAP directory. It will only read.

The synchronization is made of four steps.

If group synchronization is not activated the steps are:

  1. Getting inWebo users
  2. Getting LDAP users
  3. Computing a “Diff” between LDAP user list and inWebo user list. This outputs a list of transactions required to synchronize your LDAP server(s) with inWebo
  4. Synchronizing (apply diff): executing the transactions created by the “Diff”

If group synchronization is activated, the steps are:

  1. Getting inWebo objects (users, roles, groups and group memberships)
  2. Getting LDAP objects (users, groups and group memberships)
  3. Computing a diff between LDAP users and inWebo users and between LDAP group memberships and inWebo group memberships. This outputs a list of transactions required to synchronize your LDAP server(s) with inWebo
  4. Synchronizing (apply diff): executing the transactions created by the “Diff”

If group synchronization is activated, the mapping between LDAP groups and inWebo groups must be set before computing the diff and synchronizing; otherwise IWDS cannot determine which inWebo group LDAP users should be added to. This mapping can be set either in the IWDS GUI or by adding the appropriate file to the configuration directory (see the Configuration File Format section below).

Upgrade from version 1.x to version 2.x

Back up your current IWDS data before installing

Before upgrading IWDS to version 2.x it is highly recommended to make a backup of your current IWDS data, i.e. of your IWDS configuration directory. Do it for each of your configuration directories if you are using several configurations.

You will then be able to reuse those directories with version 2.x.

Refresh your IWDS data after installation

Once IWDS 2.x is installed and the configuration directory is defined, it is mandatory to “refresh” your inWebo and LDAP user data as the format of the files used to store these data changes with version 2.x.

User data files produced by previous versions of IWDS can no longer be used to make a “Diff” or do a “Sync”.

Batch mode updated

Beside the format of user data files, version 2.x also features slight changes in the way IWDS operates in batch mode. Please check the “Batch mode” version of the manual for more information.

Installation and Initial Configuration

Prerequisites: Java JRE version 7 or later

For Windows, IWDS is shipped as an executable file. Installation has no particular option other than choosing the configuration and output directory.

Choosing the configuration directory

At first launch, IWDS will let you choose a working directory for configuration, log and output files.

Three subfolders are created in this directory:

  • Configuration files are stored in the “conf” subfolder
  • Output files are stored in the “out” subfolder
  • Log files are stored in the “log” subfolder

If you are not an administrator on your computer, please avoid protected folders such as « Program Files ».

Select inWebo Certificate

You need to select a certificate file. You will be automatically prompted for it at first launch. If not, go to “inWebo” > “inWebo Parameters”.

You can get a certificate file from the inWebo Administration Console. Make sure you download it in .p12 format. This file holds the private key that authenticates IWDS to the inWebo API, so store it, and the password that protects it, where only the account running IWDS can read them.

inWebo Parameters and Operations

We assume here that you have already set your inWebo service configuration using inWebo administration console, i.e. set user groups and roles if required.

Configure inWebo Parameters

Go to “inWebo” > “inWebo Parameters”.

In this panel you can set the path to inWebo Certificate. You can also set the following parameters:

  • Delay between 2 queries: sets the delay (in milliseconds) between two requests to inWebo Servers.
  • Maximum query size: sets the maximum number of users retrieved per request. This parameter must not exceed 100.
  • Activate group synchronization: turns on group synchronization between LDAP and inWebo

Important: any operation related to group synchronization in IWDS requires the above parameter to be turned on.

When you are done, click on “Save inWebo Settings”.

Connect to inWebo Servers

Go to “inWebo” > “inWebo Connection” and click on “Connection”.

You will be prompted for the certificate Password. Enter the password you have defined when you created the certificate in inWebo Administration Console.

Retrieve inWebo Objects

This is the 1st step (out of 4) of the synchronization process.

Important: a connection to inWebo servers is required before retrieving objects.

Go to “inWebo” > “inWebo Objects”.

Click on “Retrieve objects”.

After a successful retrieval on inWebo servers, the result is saved to files and displayed in a new panel.

The first two tabs of this new panel display the list of inWebo users and expired inWebo users (objects are read from two result files: inwebo.xml and expired.xml, located in the “out” subfolder of the configuration directory).

If group synchronization is activated, inWebo group memberships, groups and custom roles are listed in three additional tabs (objects are read from three result files: iwgroupmemberships.xml, iwgroups.xml and iwroles.xml, located in the “out” subfolder of the configuration directory).

LDAP Source Parameters and Operations

Configure LDAP Connections

This panel allows you to configure the connection(s) to your LDAP server(s).

Go to “LDAP Sources” > “LDAP Connection”.

Required parameters are:

  • Name: the name you give to your LDAP source. Spaces are not allowed
  • Host: IP address or Domain name of your LDAP server
  • Port: LDAP port. Usually 389 or 33389
  • Base DN: Base DN to use for the LDAP connection
  • Use SSL: Whether to use LDAPS or not. Enabling it changes the “port” parameter automatically; check that the value matches your server (the standard LDAPS port is 636)
  • Connection Type: LDAP authentication mode (Simple or anonymous)
  • User: LDAP user for connection purposes. Since IWDS only reads the directory, a dedicated read-only account is sufficient; its password is written to ldap_<LDAP source name>.properties in the “conf” subfolder, so protect that folder accordingly
  • Password: LDAP password for the user mentioned above

When you are done, click on “Save Changes”. You can test the connection using the “Test Connection” button.

You can add as many LDAP connections as you need. If you have configured several connections, you can set one of these as the “default” connection.

Configure LDAP Search Parameters

This panel allows you to configure the way IWDS will retrieve your users in your LDAP directory.

Go to “LDAP Sources” > “LDAP Search Parameters”.

LDAP Parameters

This first part of panel allows you to:

- Configure the attributes to use to retrieve your LDAP users:

  • LDAP Attribute for login. E.g.: samaccountname for Active Directory
  • LDAP Attribute for firstname. E.g.: givenname
  • LDAP Attribute for last name. E.g.: sn
  • LDAP Attribute for email : E.g.: mail

- Configure the DNs of the three LDAP groups mapped to the three user roles defined in every inWebo service (inWebo user, inWebo manager and inWebo administrator):

  • User group base DN. ex: CN=inwebo-users,DC=example,DC=com
  • Manager group base DN. ex: CN=inwebo-managers,DC=example,DC=com
  • Admin group base DN. ex: CN=inwebo-admins,DC=example,DC=com

Please make sure you enter fully qualified LDAP DNs.

LDAP Advanced Parameters

In this second part of the configuration panel, you may set advanced parameters according to your needs:

  • Search by attribute: tells IWDS to retrieve LDAP users in the groups you defined via a specific user attribute (typically the “memberOf” attribute on Active Directory)
  • Attribute: sets the “Search by attribute” user attribute (by default it is set to “memberOf”)
  • Search by group membership: tells IWDS to directly retrieve the users that are members of the groups you defined
  • Group membership attribute: sets the LDAP attribute defining the group membership (by default it is set to “member”)
  • Recurse sub-groups: tells IWDS to recurse sub-groups during the search
  • Maximum recurse depth: sets the number of sub-group levels to parse recursively
  • Person Request Filter: sets the filter to apply on LDAP members to identify persons (by default it is set to “objectClass=Person”)
  • Group Request Filter: sets the filter to apply on LDAP members to identify groups (by default it is set to “objectClass=Group”)
  • Use Active Directory “UserAccountControl”: uses the UAC properties retrieved from an AD user (password expired, account disabled) to determine the user's inWebo account activation status
  • Enable paging of LDAP queries
  • Maximum query size: if paging is enabled sets how many users IWDS will request per page
  • Delay between 2 queries: delay (in ms) between 2 LDAP page requests

When you are done, click on “Save Changes”.

Configure LDAP Group Mapping

This panel allows you to configure the mapping between your LDAP groups and the inWebo groups you created for your service in inWebo administration console. This mapping will be used during the “Diff” and the “Sync” operations.

Go to “LDAP Sources” > “LDAP Group Mapping”.

To add a group, simply enter its LDAP name, e.g. “test” (there is no need to enter its fully qualified DN). Then map this group to an inWebo group with a role. This role can be either the inWebo basic user role (roleid 0) or any of the custom user roles configured in the service.

The inWebo basic user role is selected by default. You may add as many LDAP groups as required.

When you are done, click on “Save Changes”.

List LDAP Objects

This is the 2nd step (out of 4) of the synchronization process.

Go to “LDAP Sources” > “LDAP Objects”.

Click on “Retrieve objects”.

After a successful retrieval on your LDAP server, the result is saved to files and displayed in a new panel.

The first tab of this new panel displays the list of your LDAP users (objects are read from result files <LDAP source name>_ldap.xml located in the “out” subfolder of the configuration directory).

If group synchronization is activated, the LDAP group memberships are listed in a second tab (objects are read from result files <LDAP source name>_ldapgrpmb.xml located in the “out” subfolder of the configuration directory).

Synchronization

Make Diff

This is the 3rd step (out of 4) of the synchronization process.

At this step, IWDS computes the differences between existing InWebo objects and LDAP objects and outputs the list of the changes to apply in order to have your inWebo service synched with your LDAP directory.

This calculation is performed according to a chosen synchronization rule set.

This operation is done locally, without any modification done to your InWebo service.

Go to “Synchronization” > “Synchronize”.

Click on the “Make Diff” button to compute the differences.

The correlation between LDAP users and inWebo users is done on the login field (case insensitive).

After a successful computation, the result is written to “Diff” files and displayed in a new panel. This result consists of a list of transactions. A transaction can be of type:

  • inWebo user create (loginCreate)
  • inWebo user update (loginUpdate)
  • inWebo user delete (loginDelete)
  • Add user to an inWebo group (groupMembershipCreate)
  • Update user in an inWebo group (groupMembershipUpdate)
  • Delete user from an inWebo group (groupMembershipDelete)

The first tab of this new panel shows the user related transactions (transactions are read from file diff.xml located in the “out” subfolder of the configuration directory. If you make a “Diff” in command line / batch mode, you can change the name of the diff file).

If group synchronization is activated, the second tab of the panel shows the group membership related transactions (transactions are read from file diff_grp.xml located in the “out” subfolder of the configuration directory).

Synchronize

This is the last step (out of 4) of the synchronization process.

The “Sync” task takes the output of the “Diff”, and applies the transactions one by one. The result of these operations is fetched and written to result files.

Go to “Synchronization” > “Synchronize”.

Click on the “Synchronize” button to launch the synchronization.

If synchronization is successful, the result is displayed in a new panel. The first tab of this new panel shows the result of user related transactions (read from result.xml file located in the “out” subfolder of the configuration directory).

If group synchronization is activated, the second tab of the panel shows the result of group membership related transactions (read from result_grp.xml file located in the “out” subfolder of the configuration directory).

Synchronization Rules

You can configure the way the synchronization is performed by defining synchronization rule sets.

Go to “Synchronization” > “Synchronization Rules”.

The following parameters can be set within a given rule set:

  • Rule Name: name of the rule set
  • Send activation code to new users by email: select one of the three options (“yes”, “no” or “link”; see the sendcodebymail parameter in rules.properties below)
  • Resend activation code for “Pending” users : yes or no
  • Language: language used to send emails
  • Delete “Expired” users: yes or no
  • Keep inWebo users' status (whatever their status, activated or not activated, on LDAP server side): yes or no
  • Synchronize “Managers”: yes or no
  • Synchronize “Administrators”: yes or no
  • Synchronize Groups: yes or no

You can choose whether Managers and Admins are synchronized or not. If not, you can manage them directly in inWebo Administration Console.

The “Synchronize Groups” parameter does not activate group synchronization in IWDS; that is done in “inWebo Parameters”. Setting it to “no” tells IWDS to skip group synchronization whenever this rule set is in use, and it has no effect if group synchronization is not activated.

When you are done, click on “Save Changes”.
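The “Make Diff” step and the rule-set switches above can be illustrated in code. The following Python script is an added example written for this page, not IWDS source code: it reproduces the documented behaviour (correlation on the login field, case insensitive; managersynchro and adminsynchro leaving existing managers and administrators untouched; keepinwebostatus preserving a status set from the Admin Console; users last created by the Admin Console not being deleted) on constructed inwebo.xml and LDAP user samples. Which createdby value denotes the Admin Console is an assumption, and expired users (expired.xml, deleteexpired) are left out.

```python
"""Illustration of the "Diff" rules this manual describes, added for this page
(it is not IWDS source code).  LDAP users and inWebo users are correlated on the
login field, case-insensitively, and loginCreate / loginUpdate / loginDelete
transactions are produced according to the rule-set switches.  The inwebo.xml
and <source>_ldap.xml samples below are constructed for the example."""
import xml.etree.ElementTree as ET

# Constructed sample of inwebo.xml (output of "getinwebo").
INWEBO_XML = """<?xml version="1.0"?>
<inwebo-users>
<user><id>148083</id><login>John</login><status>0</status><role>0</role>
<firstname>John</firstname><name>Doe</name><mail></mail><extrafields></extrafields>
<code>ok</code><createdby>1</createdby></user>
<user><id>148084</id><login>bob</login><status>0</status><role>1</role>
<firstname>Bob</firstname><name>Roe</name><mail>bob@client.com</mail><extrafields></extrafields>
<code>ok</code><createdby>1</createdby></user>
<user><id>148085</id><login>carol</login><status>0</status><role>0</role>
<firstname>Carol</firstname><name>Poe</name><mail>carol@client.com</mail><extrafields></extrafields>
<code>ok</code><createdby>0</createdby></user>
<user><id>148086</id><login>dave</login><status>0</status><role>0</role>
<firstname>Dave</firstname><name>Moe</name><mail>dave@client.com</mail><extrafields></extrafields>
<code>ok</code><createdby>1</createdby></user>
</inwebo-users>"""

# Constructed sample of <source>_ldap.xml (output of "getldap").  john's status is 1
# because, in this sample, he is no longer a member of the LDAP "User" group.
LDAP_XML = """<?xml version="1.0"?>
<ldap-users>
<user><login>john</login><status>1</status><role>0</role>
<firstname>John</firstname><name>Doe</name><mail>jdoe@client.com</mail><extrafields></extrafields></user>
<user><login>alice</login><status>0</status><role>0</role>
<firstname>Alice</firstname><name>Nine</name><mail>anine@client.com</mail><extrafields></extrafields></user>
</ldap-users>"""

FIELDS = ("status", "role", "firstname", "name", "mail")
# Assumption: the manual does not say which createdby value denotes the Admin Console;
# this example treats 0 as "Admin Console" and 1 as "API".
CONSOLE_CREATEDBY = "0"

def parse_users(xml_text):
    """Index <user> records by lower-cased login (the documented correlation key)."""
    return {
        (u.findtext("login") or "").lower(): {c.tag: (c.text or "") for c in u}
        for u in ET.fromstring(xml_text).findall("user")
    }

def in_scope(role, rules):
    """Managers (role 1) and administrators (role 2) are only touched when the rule set says so."""
    if role == "1":
        return rules.get("managersynchro", "yes") == "yes"
    if role == "2":
        return rules.get("adminsynchro", "yes") == "yes"
    return True

def compute_diff(inwebo_xml, ldap_xml, rules):
    """Return a list of (transaction type, login, fields) tuples."""
    inwebo, ldap = parse_users(inwebo_xml), parse_users(ldap_xml)
    transactions = []
    for key, l in ldap.items():
        if key not in inwebo:
            transactions.append(("loginCreate", l["login"], {f: l[f] for f in FIELDS}))
            continue
        i = inwebo[key]
        if not in_scope(i["role"], rules):
            continue
        wanted = {f: l[f] for f in FIELDS}
        if rules.get("keepinwebostatus", "yes") == "yes":
            wanted["status"] = i["status"]          # keep a block set from the Admin Console
        changed = {f: v for f, v in wanted.items() if v != i[f]}
        if changed:
            transactions.append(("loginUpdate", i["login"], changed))
    for key, i in inwebo.items():
        if key in ldap or not in_scope(i["role"], rules):
            continue
        if i.get("createdby") == CONSOLE_CREATEDBY:
            continue                                 # not deleted by default (see "createdby")
        transactions.append(("loginDelete", i["login"], {}))
    return transactions

if __name__ == "__main__":
    for tx in compute_diff(INWEBO_XML, LDAP_XML, {"managersynchro": "no"}):
        print(tx)
```

With managersynchro set to “no”, the sample yields a loginCreate for alice, a loginUpdate for John (only the mail field, since keepinwebostatus defaults to “yes”) and a loginDelete for dave; bob is skipped as a manager and carol as a console-created user.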

Options

Proxy settings

This panel allows you to add proxy parameters if your connection requires such parameters:

  • Direct connection: no proxy (this is the default configuration).
  • Use browser parameters: use proxy settings of your default browser.
  • Use proxy server:
    • Address: host name or IP address of the proxy
    • Port: port of the proxy
    • Use Authentication: you can turn on or off user authentication
      • User: user name used for proxy authentication
      • Password: password for proxy authentication

When you are done, click on “Save Changes”.

Log Files

On this panel you can display the log files stored in the “log” subfolder of IWDS configuration directory.

You can also delete any of the log files listed in this panel.

Batch mode

We assume here that your inWebo and LDAP parameters have already been set in IWDS.

The 4 steps of the synchronization process can be executed with IWDS in command line or batch mode:

  1. Retrieve InWebo objects
  2. Retrieve LDAP objects
  3. Make Diff (compute changes)
  4. Synchronize (apply diff)

If group synchronization is activated, the mapping between LDAP groups and inWebo groups must be set before computing the diff and synchronizing. If it is not set, IWDS cannot determine which inWebo group LDAP users should be added to. This mapping can be set either in the IWDS GUI or by adding the appropriate file to the configuration directory (see the Configuration File Format section below).

Usage

java -cp Iwds.jar com.inwebo.Iwds [options] action

Available Actions

getinwebo | getldap | diff | sync

Action « getinwebo »

Use this action to retrieve inWebo objects.

Action

getinwebo

Options

-w, --wsdl                              WSDL file (full path to inWebo WSDL file)

-C, --cert                              inWebo API certificate (full path to certificate file - PKCS#12 format)

-p, --pass                              Certificate password

-b, --basedir                           Path of a directory containing out and conf subfolders - option

-c, --config                            inWebo Properties file name - option

-f, --find <logins|groups|roles|all>    Scope of inWebo search - option (if not specified set to "all")

-v, --verbose                           Print logs on system output - option

Command samples

With required arguments only:

java -cp Iwds.jar com.inwebo.Iwds --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl getinwebo

With more arguments:

java -cp Iwds.jar com.inwebo.Iwds --config inwebo.properties --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl --find logins getinwebo

Action « getldap »

Use this action to Retrieve LDAP objects.

Action

getldap

Options

-b, --basedir                     Path of a directory containing out and conf subfolders - option

-L, --ldap                        Name of an LDAP source - option

-c, --config                      LDAP Properties file name - option

-o, --out                         Destination file name - option (e.g. ldap.xml)

-f, --find <users|groups|all>     Scope of LDAP search - option (if not specified set to "all")

-v, --verbose                     Print logs on system output - option

Command samples

Without arguments. In this case IWDS uses the default LDAP source name and the current configuration directory:

java -cp Iwds.jar com.inwebo.Iwds getldap

With arguments, using the --ldap option:

java -cp Iwds.jar com.inwebo.Iwds --ldap <LDAP source name> getldap

With arguments, using the --config option:

java -cp Iwds.jar com.inwebo.Iwds --config ldap_<LDAP source name>.properties --out <LDAP source name>_ldap.xml --find users getldap

Important: do not use the --ldap and --config options simultaneously.

Action « diff »

This command compares objects retrieved by “getinwebo” and “getldap” actions and computes a list of transactions to execute to synchronize your LDAP server(s) with inWebo. This computation is based on a selected synchronization rule set and relies on the group mapping (if group synchronization is activated).

When executed, this command determines the list of inWebo objects (users and user group memberships) to be created, updated and deleted. The “Diff” outputs the list of these transactions in XML files. These XML “Diff” files are later used by the “Sync” command that actually performs the synchronization.

At this step, no modification is applied to your InWebo service.

Action

diff

Options

-r, --ruleset                       File containing diff rules

-L, --ldap                          Comma separated list of LDAP source names - option

-s, --source                        Comma separated list of LDAP user files - option

-b, --basedir                       Path of a directory containing out and conf subfolders - option

-I, --inwebo                        File containing inWebo users - option

-E, --inexpired                     File containing inWebo expired users - option

-o, --out                           Destination file - option (e.g. diff.xml)

-v, --verbose                       Print logs on system output - option

Command samples

With required arguments only. In this case, only the rule set must be declared. The default LDAP source name is used as well as the latest LDAP and inWebo object files found in the current “out” subfolder of IWDS directory:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties diff

With more arguments, using the --ldap option:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties --ldap <LDAP source name> diff

With more arguments, using the --source option:

java -cp Iwds.jar com.inwebo.Iwds -r rules_<rule name>.properties --source <LDAP source name>_ldap.xml --inwebo inwebo.xml --inexpired expired.xml --out diff.xml diff

Important: do not use the --ldap and --source options simultaneously.

Action « sync »

This action executes the transactions computed by the “Diff” command to synchronize your LDAP server(s) with your inWebo service. It:

  1. Loads “Diff” files
  2. Connects to inWebo servers
  3. Executes transactions one by one
  4. Captures the result

Action

sync

Options

-w, --wsdl                         WSDL file (full path to inWebo WSDL file)

-C, --cert                         inWebo API certificate (full path to certificate file - PKCS#12 format)

-p, --pass                         Certificate password

-b, --basedir                      Path of a directory containing out and conf subfolders - option

-c, --config                       Properties file - option (inWebo properties file name)

-i, --in                           Diff input file - option (file containing result of action diff)

-dl, --del-limit                   Maximum number of user delete operations allowed before the sync stops - option

-v, --verbose                      Print logs on system output - option

Command samples

With required arguments only:

java -cp Iwds.jar com.inwebo.Iwds --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl sync

With more arguments:

java -cp Iwds.jar com.inwebo.Iwds --config inwebo.properties --cert <path to your cert>/<your cert>.p12 --pass <your cert password> --wsdl ConsoleAdmin.wsdl --in diff.xml --del-limit 500 sync
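The four actions above are what a scheduler runs. The Python script below is an added example written for this page, not part of IWDS: it chains getinwebo, getldap, diff and sync with the command-line options documented above, and puts a gate between diff and sync that reads diff.xml and refuses to synchronize when more users than expected would be deleted or when any manager or administrator would be deleted; after the sync it parses result.xml (format shown in the Output File Format section) to report the transactions that did not apply. Paths, the rule-set name and the thresholds are assumptions, the two sample documents are constructed, and the assumption that a loginDelete transaction carries an input/role element is noted in the code.

```python
"""Added for this page (not part of IWDS): runs the four batch actions with the
command-line options listed in this manual, and puts a gate between "diff" and
"sync" that inspects diff.xml before any change reaches the inWebo service.
Paths, the rule-set name and the thresholds are assumptions; the diff.xml and
result.xml samples are constructed from the documented output formats."""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

BASEDIR = "/opt/iwds"                          # assumption: directory holding conf/ and out/
IWDS_JAR = "/opt/iwds/Iwds.jar"                # assumption
CERT = "/opt/iwds/api-cert.p12"                # assumption
WSDL = "/opt/iwds/ConsoleAdmin.wsdl"           # assumption
RULES = "rules_nightly.properties"             # assumption: a rule set saved from the GUI

def iwds(action, *opts):
    """Run one IWDS action and fail loudly on a non-zero exit status."""
    cmd = ["java", "-cp", IWDS_JAR, "com.inwebo.Iwds", "--basedir", BASEDIR, *opts, action]
    subprocess.run(cmd, check=True)

def analyse_diff(diff_xml, max_deletes, max_privileged_deletes=0):
    """Count the user transactions of a diff document and decide whether sync may proceed.

    Assumption: a loginDelete carries the same <input> fields as a loginCreate, so the
    user's current role can be read from input/role."""
    counts = {"loginCreate": 0, "loginUpdate": 0, "loginDelete": 0}
    privileged = []
    for tx in ET.fromstring(diff_xml):
        if tx.tag not in counts:
            continue
        counts[tx.tag] += 1
        if tx.tag == "loginDelete" and tx.findtext("input/role") in ("1", "2"):
            privileged.append(tx.findtext("input/login"))
    ok = counts["loginDelete"] <= max_deletes and len(privileged) <= max_privileged_deletes
    return ok, counts, privileged

def failed_transactions(result_xml):
    """Return (transactionid, type, login, err) for every transaction not reported as OK and done."""
    failed = []
    for tx in ET.fromstring(result_xml).findall("transaction"):
        err = tx.findtext("output/err", "")
        if err != "OK" or tx.findtext("done") != "1":
            failed.append((tx.findtext("transactionid"), tx.findtext("type"),
                           tx.findtext("input/login"), err))
    return failed

def nightly(cert_password, max_deletes=50):
    """getinwebo -> getldap -> diff -> gate -> sync, then report what did not apply."""
    api = ("--cert", CERT, "--pass", cert_password, "--wsdl", WSDL)
    iwds("getinwebo", *api)
    iwds("getldap")                             # default LDAP source, current config directory
    iwds("diff", "-r", RULES)
    with open(f"{BASEDIR}/out/diff.xml", "rb") as f:
        ok, counts, privileged = analyse_diff(f.read(), max_deletes)
    if not ok:
        sys.exit(f"refusing to sync: {counts}, privileged deletes: {privileged}")
    iwds("sync", *api, "--del-limit", str(max_deletes))
    with open(f"{BASEDIR}/out/result.xml", "rb") as f:
        return failed_transactions(f.read())

# Constructed samples in the documented format (the "NOK" error string is invented).
SAMPLE_DIFF = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
<loginCreate><transactionid>1</transactionid><input><login>alice</login><status>0</status>
<role>0</role><firstname>Alice</firstname><name>Nine</name><mail>anine@client.com</mail>
<lang>en</lang><extrafields></extrafields><codetype>1</codetype></input></loginCreate>
<loginDelete><transactionid>2</transactionid><input><login>bob</login><role>1</role></input></loginDelete>
<loginDelete><transactionid>3</transactionid><input><login>dave</login><role>0</role></input></loginDelete>
</transactions>"""

SAMPLE_RESULT = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<transactions>
<transaction><transactionid>1</transactionid><type>loginCreate</type>
<input><login>alice</login></input><output><err>OK</err><loginid>152993</loginid></output>
<done>1</done><timestamp>1415281897431</timestamp></transaction>
<transaction><transactionid>2</transactionid><type>loginDelete</type>
<input><login>bob</login></input><output><err>NOK</err></output>
<done>0</done><timestamp>1415281897500</timestamp></transaction>
</transactions>"""

if __name__ == "__main__":
    password = os.environ.get("IWDS_CERT_PASS")    # assumption: supplied by the scheduler
    if password:
        print(nightly(password))
    else:
        print(analyse_diff(SAMPLE_DIFF, max_deletes=50))
        print(failed_transactions(SAMPLE_RESULT))
```

The certificate password is passed with --pass on the java command line, the only way this manual documents, so it is visible to other local users in the process list while IWDS runs; restrict the scheduler account and the configuration directory accordingly.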

Configuration File Format

All these files are located in the “conf” subfolder of your IWDS configuration folder.

File “inwebo.properties”

  • user_id: Must be equal to 0. Do not change.
  • certificate_file: Path to the certificate file. You can get this file from the inWebo Admin Console.
  • delay: Delay (in milliseconds) between 2 requests to inWebo servers. Do not change this parameter (delay=500).
  • max_size: Maximum number of users downloaded in one request. This parameter must not exceed 100. If you have more than 100 users, IWDS makes several requests sequentially.

File “ldap.properties”

If generated by the GUI, this file is named ldap_<LDAP source name>.properties.

  • name: The name you give to your LDAP directory. Spaces are not allowed
  • authtype: LDAP authentication mode (Simple or anonymous)
  • host: IP address or domain name of your LDAP directory
  • port: LDAP port. Usually 389
  • secure: yes / no. Whether to use LDAPS or not. The ‘port’ parameter is switched to the LDAPS port when this is set to yes (the standard LDAPS port is 636)
  • ldapuser: LDAP user for connection purposes
  • ldappassword: LDAP password for the user mentioned above
  • basedn: Base DN to use for the LDAP connection
  • loginattr: LDAP attribute IWDS looks for to retrieve the user login
  • firstnameattr: LDAP attribute IWDS looks for to retrieve the user first name
  • lastnameattr: LDAP attribute IWDS looks for to retrieve the user last name
  • emailattr: LDAP attribute IWDS looks for to retrieve the user email
  • usergroupdn: LDAP DN of the group containing inWebo Users
  • managergroupdn: LDAP DN of the group containing inWebo Managers
  • admingroupdn: LDAP DN of the group containing inWebo Administrators
  • searchbyattr: Tells IWDS to retrieve LDAP users in the groups you defined via a specific user attribute (typically the “memberOf” attribute on Active Directory)
  • searchattr: Sets the attribute for user-attribute-based search
  • searchbygrpmb: Tells IWDS to directly retrieve the users that are members of the groups you defined
  • grpmbattr: Sets the attribute for group-membership-based search
  • maxdepth: The number of sub-group levels to parse recursively
  • filter_group: Sets the filter to apply on LDAP members to identify groups
  • filter_person: Sets the filter to apply on LDAP members to identify persons
  • useaduac: Uses the UserAccountControl properties retrieved from an AD user to determine the user's inWebo account activation status
  • enableldappaging: Activation / deactivation of LDAP paging
  • querypagesize: IWDS can use LDAP paging. This parameter sets how many users IWDS processes per page.
  • querydelay: Delay (in ms) between 2 LDAP page requests
  • filter: LDAP filter for your requests. Example: « objectClass\=Person », to filter out computers (deprecated; replaced by filter_person and filter_group)
  • recursegroups: Set to ‘False’ if you have Active Directory, ‘True’ otherwise (deprecated)
  • supportmemberof: Set to ‘True’ if you have Active Directory, ‘False’ otherwise (deprecated; replaced by searchbyattr)
  • grpattr: (deprecated; replaced by grpmbattr)

Sample file

name=MyLDAP

host=xxxx

port=3389

ldapuser=xxxx

ldappassword=xxxx

authtype=simple

secure=no

basedn=DC=adfs,DC=inwebo,DC=com

usergroupdn=cn=inwebo-users,CN=Users,DC=adfs,DC=inwebo,DC=com

managergroupdn=CN=inwebo-managers,CN=Users,DC=adfs,DC=inwebo,DC=com

admingroupdn=CN=inwebo-admins,CN=Users,DC=adfs,DC=inwebo,DC=com

firstnameattr=givenName

lastnameattr=sn

loginattr=samaccountname

emailattr=mail

searchbygrpmb=true

grpmbattr=member

searchbyattr=false

searchattr=memberOf

maxdepth=10

filter_person=objectClass=Person

filter_group=objectClass=Group

useaduac=yes

enableldappaging=yes

querypagesize=100

querydelay=1000

NB: a backslash (“\”) is used to escape special characters such as “=” in property values. It is added automatically by the IWDS GUI.

If a user belongs to the “User” group, his “status” is set to “not blocked” during the synchronization. If not, it is set to “blocked”.

If a user belongs to “Manager” or “Administrator” group, his “role” is accordingly set during the synchronization.

File “rules.properties”

If generated by the GUI, it is named rules_<rule set name>.properties.

  • managersynchro: Possible values: “yes” or “no”. If set to “no”, managers configured in your inWebo service will not be modified or deleted.
  • adminsynchro: Possible values: “yes” or “no”. If set to “no”, administrators configured in your inWebo service will not be modified or deleted.
  • groupsynchro: Possible values: “yes” or “no”. If set to “no”, group memberships will not be handled during the “Sync”.
  • resendactivationlink: Possible values: “yes” or “no”. If set to “yes”, pending users will receive a new activation email.
  • sendcodebymail: Possible values: “yes”, “no” or “link”.
    If set to “yes”, newly created users will receive an email with an activation link. The email is sent by inWebo servers.
    If set to “link”, a long code with a three-week lifetime is returned by inWebo servers per created user. These long codes can be used to create activation links. They are available in the XML output.
    If set to “no”, an activation code with a 15-minute lifetime is returned by inWebo servers per created user. These codes can be directly used to activate any inWebo authentication tool. They are available in the XML output.
  • lang: Possible values: “EN” or “FR”
  • deleteexpired: Possible values: “yes” or “no”
  • keepinwebostatus: Possible values: “yes” or “no”. If a user was blocked by a Manager using the Admin Console, IWDS can leave this status unchanged (“yes”), or set it back to the value taken from LDAP (“no”). Default is “yes”.

Group Mapping Configuration File

This XML file is used to map LDAP user groups to inWebo user groups. It can be generated either in GUI mode using the IWDS console or by any other means, as long as the following file structure is respected.

The filename must have the following form:

ldapgroups_mapping_<LDAP source name>.properties.

A mapping file only associates the groups of one LDAP source with inWebo groups.

If you have several LDAP sources configured, one mapping for each source is required.

  • ldap-groupname: Name of the LDAP group as it appears in your LDAP directory. Case sensitive.
  • inwebo-groupname: Name of the inWebo group as it appears in the iwgroups.xml file generated after getting inWebo objects with IWDS, or in the inWebo administration console
  • inwebo-groupid: ID of the inWebo group as it appears in the iwgroups.xml file generated after getting inWebo objects with IWDS, or in the inWebo administration console
  • inwebo-rolename: Name of the inWebo role as it appears in the iwroles.xml file generated after getting inWebo objects with IWDS, or in the inWebo administration console
  • inwebo-roleid: ID of the inWebo role as it appears in the iwroles.xml file generated after getting inWebo objects with IWDS, or in the inWebo administration console

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<ldap-group-mappings>

<ldap-group-mapping>

<ldap-groupname>HelpDesk</ldap-groupname>

<inwebo-groupname>HelpDesk</inwebo-groupname>

<inwebo-groupid>1</inwebo-groupid>

<inwebo-rolename>operator</inwebo-rolename>

<inwebo-roleid>131</inwebo-roleid>

</ldap-group-mapping>

...

</ldap-group-mappings>
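Because the mapping file repeats both the name and the ID of each inWebo group and role, the two can drift apart when the file is written by hand or when a group is recreated in the administration console. The Python script below is an added example written for this page, not IWDS code: it checks a mapping document against the iwgroups.xml and iwroles.xml produced by “getinwebo” and reports every mapping whose group or role pair is not found, treating roleid 0 as the built-in basic user role that never appears in iwroles.xml. The three documents it uses are constructed after the samples in this manual.

```python
"""Added for this page (not IWDS code): checks an ldapgroups_mapping_<source>.properties
document against the iwgroups.xml and iwroles.xml written by "getinwebo", so that a
mapping pointing at a wrong group id, or at a role that no longer exists, is caught
before "diff".  The three documents below are constructed after the manual's samples."""
import xml.etree.ElementTree as ET

IWGROUPS = b"""<?xml version="1.0"?>
<inwebo-groups>
<group><groupid>1</groupid><name>HelpDesk</name></group>
<group><groupid>2</groupid><name>Finance</name></group>
</inwebo-groups>"""

IWROLES = b"""<?xml version="1.0"?>
<inwebo-roles>
<role><roleid>131</roleid><name>operator</name></role>
</inwebo-roles>"""

# Second mapping: the role id 131 was pasted where the group id belongs (a realistic copy error).
MAPPING = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<ldap-group-mappings>
<ldap-group-mapping>
<ldap-groupname>HelpDesk</ldap-groupname>
<inwebo-groupname>HelpDesk</inwebo-groupname>
<inwebo-groupid>1</inwebo-groupid>
<inwebo-rolename>operator</inwebo-rolename>
<inwebo-roleid>131</inwebo-roleid>
</ldap-group-mapping>
<ldap-group-mapping>
<ldap-groupname>Accounting</ldap-groupname>
<inwebo-groupname>Finance</inwebo-groupname>
<inwebo-groupid>131</inwebo-groupid>
<inwebo-rolename>user</inwebo-rolename>
<inwebo-roleid>0</inwebo-roleid>
</ldap-group-mapping>
</ldap-group-mappings>"""

def id_name_pairs(xml_doc, item_tag, id_tag):
    """Set of (id, name) pairs read from iwgroups.xml or iwroles.xml."""
    return {(e.findtext(id_tag), e.findtext("name"))
            for e in ET.fromstring(xml_doc).findall(item_tag)}

def validate_mapping(mapping_xml, iwgroups_xml, iwroles_xml):
    """Return a list of problem descriptions; an empty list means the mapping is consistent."""
    groups = id_name_pairs(iwgroups_xml, "group", "groupid")
    roles = id_name_pairs(iwroles_xml, "role", "roleid")
    problems, seen = [], set()
    for m in ET.fromstring(mapping_xml).findall("ldap-group-mapping"):
        ldap = m.findtext("ldap-groupname")         # case sensitive, as documented
        gid, gname = m.findtext("inwebo-groupid"), m.findtext("inwebo-groupname")
        rid, rname = m.findtext("inwebo-roleid"), m.findtext("inwebo-rolename")
        if ldap in seen:
            problems.append(f"{ldap}: LDAP group mapped more than once")
        seen.add(ldap)
        if (gid, gname) not in groups:
            problems.append(f"{ldap}: inWebo group {gname!r} with id {gid} is not in iwgroups.xml")
        # roleid 0 is the built-in basic user role and is never listed in iwroles.xml
        if rid != "0" and (rid, rname) not in roles:
            problems.append(f"{ldap}: inWebo role {rname!r} with id {rid} is not in iwroles.xml")
    return problems

if __name__ == "__main__":
    for p in validate_mapping(MAPPING, IWGROUPS, IWROLES):
        print("mapping error:", p)
```

Run it after every “getinwebo” and before “diff”; in batch mode, a non-empty result is a good reason to stop the run before the mapping feeds a wrong group into groupMembershipCreate transactions.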

Output File Format

All these files are located in the “out” subfolder of your IWDS configuration folder.

inWebo user file

File name: inwebo.xml

Sample file

<?xml version="1.0"?>

<inwebo-users>

<user>

<id>148083</id>

<login>john</login>

<status>0</status>

<role>0</role>

<firstname>John</firstname>

<name>Doe</name>

<mail></mail>

<extrafields></extrafields>

<code>ok</code>

<createdby>1</createdby>

</user>

...

</inwebo-users>

The “status” field indicates whether authentication requests for this user are accepted or not. If status is set to 1, user is blocked. If set to 0, user is not blocked.

The “role” field indicates the role of the user in the service:

  • 0: User (basic inWebo user)
  • 1: Manager of the service
  • 2: Administrator of the service

The “code” tells if the user is active, pending or expired.

Important: Logins having “code” field set to “expired” are not listed in this file. They appear in a separate file namely expired.xml. This file has the same structure as inwebo.xml file.

The “createdby” field tells if the user was last created or modified by the Admin Console or the API (e.g. IWDS). By default, IWDS does not delete users created by the Admin Console. Nevertheless, if a user is found both in InWebo users and LDAP users, IWDS will update it. This means that, after next synchronization, the user will be seen as “created by the API”.

inWebo groupmembership file

File name: iwgroupmemberships.xml

Sample file

<?xml version="1.0"?>

<inwebo-group-memberships>

<membership>

<groupid>1</groupid>

<groupname>HelpDesk</groupname>

<loginid>148083</loginid>

<login>john</login>

<roleid>131</roleid>

<rolename>operator</rolename>

</membership>

...

</inwebo-group-memberships>

inWebo group file

File name: iwgroups.xml

This file lists the user groups configured in your inWebo service.

Sample file

<?xml version="1.0"?>

<inwebo-groups>

<group>

<groupid>1</groupid>

<name>HelpDesk</name>

</group>

...

</inwebo-groups>

inWebo role file

File name: iwroles.xml

This file lists the custom user roles configured in your inWebo service.

Sample file

<?xml version="1.0"?>

<inwebo-roles>

<role>

<roleid>131</roleid>

<name>operator</name>

</role>

...

</inwebo-roles>

LDAP user file

If generated by the GUI, it is named <LDAP source name>_ldap.xml.

This file lists the LDAP users retrieved on a given LDAP server (source).

Sample file

<?xml version="1.0"?>

<ldap-users>

<user>

<login>john</login>

<status>0</status>

<role>0</role>

<firstname>John</firstname>

<name>Doe</name>

<mail>jdoe@client.com</mail>

<extrafields></extrafields>

</user>

<user>

<login>alice</login>

<status>0</status>

<role>0</role>

<firstname>Alice</firstname>

<name>Nine</name>

<mail>anine@client.com</mail>

<extrafields></extrafields>

</user>

...

</ldap-users>

LDAP group membership file

If generated by the GUI, it is named <LDAP source name>_ldapgrpmb.xml.

This file lists the LDAP group memberships retrieved on a given LDAP server (source).

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<ldap-group-memberships>

<ldap-group-membership>

<login>john</login>

<ldap-groupname>HelpDesk</ldap-groupname>

</ldap-group-membership>

<ldap-group-membership>

<login>alice</login>

<ldap-groupname>HelpDesk</ldap-groupname>

</ldap-group-membership>

...

</ldap-group-memberships>

User Diff file

If generated by the GUI, it is named diff.xml.

This file lists the user transactions to be executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<transactions>

<loginCreate>

<transactionid>1</transactionid>

<input>

<login>alice</login>

<status>0</status>

<role>0</role>

<firstname>Alice</firstname>

<name>Nine</name>

<mail>anine@client.com</mail>

<lang>en</lang>

<extrafields></extrafields>

<codetype>1</codetype>

</input>

</loginCreate>

...

</transactions>

The “codetype” field indicates the chosen method to send the activation code to the newly created inWebo user (do not send a code, send an activation code by email, or send an activation link by email), as selected in the rule set's “Send activation code to new users by email” parameter.

Group Diff file

If generated by the GUI, it is named diff_grp.xml.

This file lists the group membership transactions to be executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<transactions>

<groupMembershipCreate>

<transactionid>1</transactionid>

<input>

<loginid>0</loginid>

<login>alice</login>

<groupid>1</groupid>

<groupname>HelpDesk</groupname>

<roleid>131</roleid>

<rolename>operator</rolename>

<login-is-new>1</login-is-new>

</input>

</groupMembershipCreate>

...

</transactions>

User Synchronization result file

Name of the file: result.xml.

This file lists the user transactions executed by the “Sync” action. When the rule set's sendcodebymail parameter is “no” or “link”, the <output> element of each loginCreate also carries the activation code returned by the inWebo servers, so treat this file as sensitive and restrict read access to the “out” subfolder to the account that runs IWDS.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<transactions>

<transaction>

<transactionid>1</transactionid>

<type>loginCreate</type>

<input>

<login>alice</login>

<status>0</status>

<role>0</role>

<firstname>Alice</firstname>

<name>Nine</name>

<mail>anine@client.com</mail>

<extrafields></extrafields>

</input>

<output>

<err>OK</err>

<loginid>152993</loginid>

<code>306664750</code>

</output>

<done>1</done>

<timestamp>1415281897431</timestamp>

</transaction>

...

</transactions>

Group Membership synchronization result file

Name of the file: result_grp.xml.

This file lists the group membership transactions executed by the “Sync” action.

Sample file

<?xml version="1.0" encoding="iso-8859-1"?>

<transactions>

<transaction>

<transactionid>1</transactionid>

<type>groupMembershipCreate</type>

<input>

<login>alice</login>

<loginid>152993</loginid>

<login-is-new>1</login-is-new>

<groupname>HelpDesk</groupname>

<groupid>1</groupid>

<rolename>operator</rolename>

<roleid>131</roleid>

</input>

<output>

<err>OK</err>

</output>

<done>1</done>

<timestamp>1415281900133</timestamp>

</transaction>

...

</transactions>