See the roadmap for features which will
be added in the future.
Feature requests can be made through the
Runs on Unix-derived OS (e.g. Linux, FreeBSD, Solaris etc.)
and Windows 32-bit platforms.
Runs multi-threaded either as stand-alone web server or as
Highly configurable on a per-host/-backend basis.
Comfortable web interface for inexperienced users.
If the user does something wrong, a terse error
message is given which is usually based on the
info field returned by the LDAP server. Where it makes sense,
the user can immediately retry the action with corrected input
parameters. It has to be emphasized that no other web interface
provides such tolerant error handling in its user interface.
Configuring the search root is usually unnecessary.
Support for file upload of binary attributes, e.g.
jpegPhoto or userCertificate.
Efficient browsing in directory trees with paged
display of search results. Honors the attributes
hasSubordinates, numSubordinates and
subordinateCount, if available, to determine
whether entries have subordinate entries.
Displays JPEG pictures in-line with reasonable performance
by smart caching.
A title attribute is added to many HTML tags
to provide a sort of bubble help in browsers which support it.
Attributes containing DNs, URLs or mail addresses are shown as
links. DNs can be followed within web2ldap by simply
clicking the link.
If an error occurs during adding or modifying entries
the user can edit and re-submit his input data.
Tries to be friendly to
all browsers by producing simple, but well-formed HTML 4.01
Recursive deletion of directory trees.
Three different search forms:
- Static search form based on customizable HTML template.
- Build search filter by choosing options from select lists.
- Direct use of LDAP filter expressions.
User-friendly handling of LDAPv3 referrals, with
direct reconnection to the referred host after presenting
a login form to the user
(see RFC 3296).
OIDs in RootDSE attributes are displayed with name and description.
Some (configurable) quick-buttons for common actions.
Processes LDIF input, even with URL support (if configured).
Many Output Formats
HTML templates can be used for displaying LDAP entries.
HTML header can be configured to include colors, background pictures
ID attributes in the main HTML tags for use with Cascading Style Sheets (CSS).
Printer-friendly HTML output of search results
based on a configurable HTML template string.
Support for vCards - users of common browsers
can easily add entries to their local address books.
Bulk downloading of directory data as
LDIF or LDIFv1
(see RFC 2849).
Bulk downloading of directory data as DSMLv1
(XML namespace for directory data).
Comma-separated values (CSV with semicolon as separator)
Excel worksheet file
Plug-in modules/classes for specific handling of attributes/syntaxes.
The following plug-in modules currently exist:
mainly LDAP syntaxes defined for
with simple select lists and not tested
||For MS AD and Samba 4
||Class which can dump BER objects as ASN.1 with module pisces
||for dynamic entries defined in RFC 2589
||Various attributes with dynamic select lists
||for DNS RR entries as defined in dnsdomain2.schema
||Various syntaxes found in draft-sermersheim-nds-ldap-schema
||for attributes defined in eduPerson
||Some small syntax quirks for Entrust PKI schema
||Some small quirks for Exchange 5.5
||Some small quirks for IBM Directory Server
||for heimdal and MIT Kerberos schema
||LDAP-based naming service
||for attributes in Lotus Domino's LDAP service
||Microsoft System Services for Unix 3.0
||NIS attributes (see also RFC 2307)
||mainly some configuration attributes used in OpenDS
||some attributes used in OpenLDAP for configuration and accesslog (see also draft-chu-ldap-logschema)
||Multi-line fields for PGP keys
||for attributes defined in RFC 1274
||for attributes defined in draft-ietf-pkix-ldap-pkc-schema
||for attributes defined in draft-behera-ldap-password-policy
||Various quirks for very misbehaving servers
||for Samba 3
||for attributes defined in SCHAC
||for attributes defined for subentries (see RFC 3672)
||covering central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy
||for attributes defined in VPIM (see RFC 4237)
||for attributes available on real X.500 DSAs
Advanced LDAP features
- Schema support
Full LDAPv3 subschema subentry support when displaying
an entry or an input form with required and allowed attributes.
Built-in schema browser displays all forward and backward references
to other schema elements as links for all supported schema elements
and allows a simple wildcard search by OID or NAME.
Supported and used schema attributes:
Schema support has reasonable performance since
parsed subschema subentries are cached.
Full support for inherited schema elements (object classes
and attribute types).
Fall-back to a local schema definition stored in an LDIF file
in the configuration (e.g. for LDAPv2 servers).
Special handling of collective attributes.
- Write Access
Support for adding, modifying, deleting entries, deleting sub trees
and renaming entries.
Schema-aware, to provide input forms matching the schema.
Octet strings can be directly edited as hex-bytes.
Plug-in classes implement specific input fields for many vendor-specific attributes.
Configurable LDIF templates for new entries.
Automatic search for missing parent entries if adding an entry fails
with "no such object"
(to reduce the same old boring questions on the LDAP-related
mailing lists ;-).
Input values for some attributes/syntaxes (e.g. jpegPhoto, certificates and CRLs)
are automagically converted to the right format.
- Password attributes
Password Modify Extended Operation (see RFC 3062)
Generating client-hashed userPassword values (see also
Synced setting of userPassword and Samba NT password attribute
(support for old LAN manager hash was dropped in 1.1).
Attribute shadowLastChange set if an entry has object
Resetting the password attribute unicodePwd in MS AD.
Removing various password-related attributes is supported even when
the values are not visible (write-only access). Relax Rules Control
can be used to remove operational attributes.
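As an added example (not web2ldap's own code), this is what "client-hashed userPassword values" means in practice: the clear-text password is hashed on the client with a fresh random salt and stored as "{SCHEME}" followed by base64(digest || salt), so the directory never has to see the clear text. The {SSHA}, {SSHA256} and {SSHA512} scheme names and layout used here are the widely used convention for such values, not something this page specifies.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not web2ldap's own code): client-side hashing of userPassword
# in the {SSHA}/{SSHA256}/{SSHA512} schemes, i.e. "{SCHEME}" + base64(digest || salt).
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512}


def hash_userpassword(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value; a fresh random salt makes equal passwords hash differently."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if salt is None:
        salt = os.urandom(8)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SCHEME}... value in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {SCHEME} prefix")
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()  # scheme names are case-insensitive
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    raw = base64.b64decode(encoded)
    digest_len = SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]  # the salt is appended after the digest
    candidate = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```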
- Group administration feature
Convenient, secure and efficient way to add/remove an entry
to/from a group entry. Many common group object classes are
Even large groups (>100000 members) are handled with
reasonable performance. Security problems even with distributed
management are avoided by "just doing it right".
- posixGroup (see RFC 2307)
- accessGroup (found in IBM SecureWay)
- LDAP connection handling
Automatically determines the protocol version and the features
supported by the LDAP server and falls back to reasonable defaults
if features are not available.
- LDAP URLs
It is possible to directly use LDAP URLs (see
to reference LDAP entries and LDAP search results. Example:
Note: Although most LDAP URLs will work, you should use URL-quoted LDAP URLs.
- Root DSE
Uses namingContexts attribute from RootDSE to
determine appropriate search root automatically.
- LDAPv3 Referrals
Displays a new login mask to
repeat the current action after chasing a referral.
Search continuations are displayed.
- Locating LDAP service
Tries to locate an LDAP host for a specific domain, dc-style DN
or e-mail address (see
Well known DNS aliases (kinda primitive anyway)
LDAPv3 Referrals (knowledge references)
Locate LDAP host via SRV RR (see also
This is done automatically if e.g. an LDAP URL does not contain
a host name but only a dc-style DN, or if an error response was received
with error code NO_SUCH_OBJECT (somewhat inspired by
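The two points above (LDAP URLs, and locating a server for a URL that carries only a dc-style DN) as one added example that is not web2ldap's own code: an RFC 4516 URL parser that shows why an unquoted filter breaks the '?'-separated layout, a builder that percent-encodes the components, and the mapping from a dc-style DN to the DNS SRV owner name (_ldap._tcp.<domain>) that an SRV lookup would query. Function names are my own; the default ports and scopes are those of the RFC.

```python
from collections import namedtuple
from urllib.parse import quote, unquote

# Constructed example (not web2ldap's own code): RFC 4516 LDAP URL parsing and
# building, plus SRV owner-name derivation for a URL that carries only a dc-style DN.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
LDAPUrl = namedtuple("LDAPUrl", "scheme host port dn attrs scope filterstr extensions")


def parse_ldap_url(url: str) -> LDAPUrl:
    """Split ldap[s]://host:port/dn?attrs?scope?filter?exts, percent-decoding each part."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?")
    if len(fields) > 5:  # an unquoted '?' inside the filter produces surplus fields
        raise ValueError("too many '?' separators: use a URL-quoted LDAP URL")
    dn, attrs, scope, filt, exts = fields + [""] * (5 - len(fields))
    if scope.lower() not in ("", "base", "one", "sub"):
        raise ValueError(f"invalid scope {scope!r}")
    return LDAPUrl(scheme, host, int(port) if port else DEFAULT_PORTS[scheme], unquote(dn),
                   [unquote(a) for a in attrs.split(",") if a], scope.lower() or "base",
                   unquote(filt) or "(objectClass=*)", [unquote(e) for e in exts.split(",") if e])


def build_ldap_url(host: str, dn: str, attrs=(), scope: str = "base", filterstr: str = "") -> str:
    """Assemble an ldap:// URL with DN, attribute names and filter percent-encoded."""
    return "ldap://%s/%s?%s?%s?%s" % (host, quote(dn, safe="=,"),
                                      ",".join(quote(a, safe="") for a in attrs),
                                      scope, quote(filterstr, safe="()=*"))


def srv_name_from_dn(dn: str, service: str = "ldap") -> str:
    """Map dc=example,dc=com to the DNS SRV owner name _ldap._tcp.example.com."""
    labels = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"not a dc-style DN: {dn!r}")
        labels.append(value.strip())
    return "_%s._tcp.%s" % (service, ".".join(labels))
```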
- LDAPv3 extended controls
- Manage DSA IT mode
For editing referral entries
(see RFC 3296).
Two different controls for searching subentries
(see RFC 3672
- Relax Rules Control (formerly Manage DIT control)
For editing operational attributes
- Tree Delete
deletion of whole subtrees with a single DeleteRequest (see
- Assertion Control
is used when sending a modify request,
if the server seems to support it, to prevent the server from processing the
request if the entry has been changed in between
(see RFC 4528).
is used to generate the assertion filter.
- Password policy
Displays password warnings and guides the user to change the password (see
- Authorization Identity Controls
Retrieving the authorization identity from a bind operation
(see RFC 3829).
- Read Entry Control
Retrieving DN and attribute entryUUID when adding/renaming
an entry (see RFC 4527).
- Session Tracking Control
The client's IP address, the server name and the LDAPObject
instance hash are sent to the LDAP server for debugging
- OpenLDAP's no-op search control
Count of all search results is retrieved by using OpenLDAP's no-op search control
in case only partial search results were returned
(see OpenLDAP ITS#6598).
- Don't Use Copy control
Is used, if found in the rootDSE attribute supportedControl,
when reading an entry before presenting the modification input form.
OIDs from RFC 6171
and OpenLDAP experimental are supported.
- LDAPv3 extended operations
provides transport layer security with TLS
(see RFC 4513).
- "Who am I?"
This operation shows which bind DN is in effect, e.g. when using SASL bind
(see RFC 4532).
- Password Modify Extended Operation
for server-side password setting
(see RFC 3062).
- Refresh Dynamic Entry Extended Operation
for server-side refreshing of a dynamic entry
(see RFC 2589).
- LDAPv3 extensions
- All Operational Attributes
Request the server to return all operational attributes in a search response.
(See rootDSE attribute supportedFeatures, OID 1.3.6.1.4.1.4203.1.5.1,
see also RFC 3673.)
Advanced HTTP options
Downloading of binary attributes with appropriate mapping
to MIME types.
Optionally uses gzip encoding to save network bandwidth if the client sends
Accept-Encoding: gzip in the HTTP header.
Optionally uses the right character set for output according to the
Accept-Charset header sent by the HTTP client.
Please also check out the security page.
Support for SASL bind.
Default configuration is quite strict. If you see this paradigm
violated somewhere in a distributed package of web2ldap please
let me know.
Since the user logs in and opens a persistent LDAP connection,
storing or passing around passwords is not necessary.
Security mechanisms to avoid hijacking web sessions.
Maximum number of currently used web sessions can be limited.
Smart login with automatic completion of bind DN.
Nice displaying of X.509 certificates and CRLs stored in the directory
including all X.509v3 extensions with links to e.g. CRL distribution points,
policy documents etc.
SASL login mechanisms
||Password-based challenge-response mechanisms: use the short user name in the login form, not the bind DN
||is supported but not recommended unless SSL/TLS is used
Usable for LDAPS,
End-user authentication is only meaningful if web2ldap
is started in stand-alone mode as a personal client.
Usable for Kerberos V authentication. User authentication is only
meaningful if web2ldap is started in stand-alone mode as a personal
client and the user has obtained a TGT from the KDC beforehand
(with the command-line tool kinit).