Runs on Unix-derived OS (e.g. Linux, FreeBSD, Solaris etc.)
and Windows 32-bit platforms.
Runs multi-threaded either as stand-alone web server or as
Highly configurable on a per-host/-backend basis.
Comfortable web interface for inexperienced users.
If the user does something wrong, a terse error
message is given, which in most cases is based on the
info field returned by the LDAP server. If it makes sense,
the user can immediately retry the action with corrected input
parameters. One has to emphasize that no other web interface
provides such tolerant error handling in its user interface.
Configuring the search root is unnecessary in most cases.
Support for file upload of binary attributes, e.g.
jpegPhoto or userCertificate.
Efficient browsing in directory trees with paged
displaying of search results. Honors attributes
hasSubordinates, numSubordinates and
subordinateCount if available for determining
if entries have subordinate entries.
Displays JPEG pictures in-line with reasonable performance
by smart caching.
Universal title attribute added to a lot of HTML tags
to have sort of a bubble-help in browsers which support that.
Attributes containing DNs, URLs or mail addresses are shown as
links. DNs can be followed within web2ldap by simply
pressing the link.
If an error occurs during adding or modifying entries
the user can edit and re-submit his input data.
Tries to be friendly to
all browsers by producing simple, but well-formed HTML 4.01
Recursive deletion of directory trees.
Three different search forms:
Static search form based on customizable HTML template.
Build search filter by choosing options from select lists.
Direct use of LDAP filter expressions.
User-friendly handling of LDAPv3 referrals with
reconnecting directly to referred host after presenting
a login form to the user
(see RFC 3296).
OIDs in RootDSE attributes are displayed with name and description.
Some (configurable) quick-buttons for common actions.
Process LDIF input even with URL support (if configured).
Many Output Formats
HTML templates can be used for displaying LDAP entries.
HTML header can be configured to include colors, background pictures
ID params in main HTML tags for using Cascading Style Sheets (CSS).
Printer-friendly HTML output of search results
based on a configurable HTML template string.
Support for vCards - users of common browsers
can easily add entries to their local address books.
Even large groups (>100000 members) are handled with
reasonable performance. Security problems even with distributed
management are avoided by "just doing it right".
LDAP connection handling
Automatically determine the protocol version and features
supported by the LDAP server. Falls back to reasonable defaults
if features are not available.
It is possible to directly use LDAP URLs (see
to reference LDAP entries and LDAP search results. Example:
Note: Although most LDAP URLs will work you should use URL-quoted LDAP URLs.
Uses namingContexts attribute from RootDSE to
determine appropriate search root automatically.
Displays new login mask to
repeat current action after chasing a referral.
Locate LDAP host via SRV RR (see also
This is automatically done if e.g. an LDAP URL does not contain
a host name but a dc-style DN or if an error response was received
with error code NO_SUCH_OBJECT (somewhat inspired by
is used when sending a modify request
if the seems to support it, to prevent the server from processing the
request if the entry has been changed in between
(see RFC 4528).
is used to generate the assertion filter.
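The modify-with-assertion item above (RFC 4528), sketched as an added example that is not web2ldap's own code: it assumes the filter asserts the previously read values of the attributes being changed, and the helper names and sample data are hypothetical.

```python
"""Added example: RFC 4528 assertion filter for an optimistic-locking modify."""

ASSERTION_CONTROL_OID = "1.3.6.1.1.12"  # LDAP Assertion Control (RFC 4528)


def escape_filter_value(value: bytes) -> str:
    """Escape an assertion value as RFC 4515 requires (backslash + two hex digits)."""
    out = []
    for b in value:
        # Filter metacharacters, control bytes and non-ASCII bytes are hex-escaped.
        if b in b"\\*()" or b < 0x20 or b >= 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def server_supports_assertion(root_dse: dict) -> bool:
    """True if the RootDSE advertises the control in supportedControl."""
    return ASSERTION_CONTROL_OID.encode() in root_dse.get("supportedControl", [])


def assertion_filter(old_entry: dict, changed_attrs) -> str:
    """Assert that each attribute to be modified still has the values read earlier."""
    parts = []
    for attr in sorted(set(changed_attrs)):
        values = old_entry.get(attr, [])
        if not values:
            # Attribute was absent when the entry was read: assert it still is.
            parts.append("(!(%s=*))" % attr)
        parts.extend("(%s=%s)" % (attr, escape_filter_value(v)) for v in values)
    if not parts:
        raise ValueError("nothing to assert")
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


# Constructed sample data, not taken from the page.
OLD_ENTRY = {"cn": [b"Smith (Jr.)"], "description": [b"a*b\\c"]}
ROOT_DSE = {"supportedControl": [b"1.3.6.1.1.12", b"1.2.840.113556.1.4.319"]}

if __name__ == "__main__":
    if server_supports_assertion(ROOT_DSE):
        print(assertion_filter(OLD_ENTRY, ["cn", "description", "telephoneNumber"]))
```

Equality assertions only work for attribute types that define an equality matching rule, so binary attributes without one have to be left out of the filter.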
Default configuration is quite strict. If you see this paradigm
violated somewhere in a distributed package of web2ldap please
let me know.
Since the user logs in and opens a persistent LDAP connection
storing or passing around passwords is not necessary.
Security mechanisms to avoid hijacking web sessions.
Maximum number of currently used web sessions can be limited.
Smart login with automatic completion of bind DN.
Nice displaying of X.509 certificates and CRLs stored in the directory
including all X.509v3 extensions with links to e.g. CRL distribution points,
policy documents etc.
SASL login mechanisms
Password-based challenge-response mechs: use short user name in login form, not the bind-DN
is supported but not recommended unless SSL/TLS is used
Usable for LDAPS,
End-user authentication is only meaningful if web2ldap
is started in stand-alone mode as a personal client.
Usable for Kerberos V authentication. User authentication is only
meaningful if web2ldap is started in stand-alone mode as a personal
client and the user obtained a TGT from the KDC before
(with command-line tool kinit).