Changes 1.1.x

History of released versions

1.8 / 1.7 / 1.6 / 1.5 / 1.4 / 1.3 / 1.2 / 1.1 / 1.0 / 0.16 / 0.15 / 0.14 / 0.13 / 0.12 / 0.11 / 0.10 / 0.9 / 0.8 / 0.7 / Ancient / Overview


Release Date: 2013-12-15

New features/enhancements
  • Group administration UI now generates <select> tags with enclosed <optgroup> tags with parent DN of group DN as label. This is very helpful if same group names are used in different subtrees.
Security fixes
  • Fixed possible XSS flaw when displaying group DN and entry data in group administration UI.
Bugs fixed
  • More robust attribute value auto-generation in plugin class w2lapp.schema.plugins.posixautogen.HomeDirectory.homeDirectoryTemplate.
  • More robust parsing of attribute olcSyncrepl.


Release Date: 2013-11-23

New features/enhancements
  • Added/registered plugin classes for the following MIT Kerberos attributes:
    • krbPwdPolicyReference
    • krbPwdLockoutDuration
    • krbMinPwdLife
    • krbMaxPwdLife
Bugs fixed
  • Fixed LDAP filter in plugin class for krbTicketPolicyReference.
  • Cache for auditContext attribute not flushed.
  • Gracefully handle server explicitly not allowing simple bind requests.


Release Date: 2013-10-27

Bugs fixed
  • Fixed Python 2.6 compatibility issued in
  • Registered more MS AD attributes with plugin class Binary.
  • Exception ldap.STRONG_AUTH_REQUIRED is ignored when reading rootDSE.


Release Date: 2013-09-25

Bugs fixed
  • Fixed handling search option "exists".


Release Date: 2013-09-19

Bugs fixed
  • Fixed regression in w2lapp.passwd caused by overzealous code cleaning in 1.1.44.
  • Fixed LDAP URL handling to old behaviour.


Release Date: 2013-09-16

New features/enhancements
  • New plugin class for OpenLDAP's back-config attribute olcSyncrepl parses the syncrepl statement and shows clickable link based on LDAP URL.
  • Hostname is displayed on the monitor page. This is useful if behind a reverse proxy or load-balancer.
Bugs fixed
  • Error messages in case of LDAP URL parsing error are now properly escaped.
  • Fixed LDAP URL handling to old behaviour.
Code cleaning
  • Several hints/issues fixed found with pychecker.


Release Date: 2013-09-01

New features/enhancements
  • Improved HTML layout when displaying certificate/CRL.
  • Certificate/CRL viewer now displays OID names also for deeply nested X.500 Name (DNs).
  • CRL viewer now displays CRLReason extension.
  • New plugin module w2lapp.schema.plugins.x509 now contains all the cert/CRL plugin classes and new stub classes for all the LDAP syntaxes defined in RFC 4523.
Bugs fixed
  • Fixed using module pisces.asn1 really optionally (regression introduced in 1.1.42).
  • Fixed Unicode issue in plugin class for Lotus Domino/LDAP attribute dominoCertificate.
  • Added work-around for UnicodeDecodeError if buggy LDAP server (Lotus Domino/LDAP 7.x) returns diagnosticMessage with non-ASCII characters as ISO-8859-1 (Latin1).
Code cleaning
  • New syntax class w2lapp.schema.syntaxes.CSN registered for OpenLDAP attribute types contextCSN, entryCSN and namingCSN.


Release Date: 2013-08-31

New features/enhancements
  • Additional search roots can be dynamically searched with search parameters specified by searchform_search_root_url
  • Some basic support for displaying crlEntryExtensions.
Bugs fixed
  • The formerly used type of the entry input form is correctly used when representing the input form in case of an error.
  • Fixed displaying an error message for noSuchObject with a matchedDN containing non-ASCII characters.
  • Fixed determining the possible DIT structure rules for a DN containing non-ASCII characters.
  • PEM to DER conversion for certificates and CRLs now uses a more liberal parsing function to deal with various delimiter texts for CA certs.
  • Added a work-around to parse a broken CRL without nextUpdate attribute.


Release Date: 2013-08-13

New features/enhancements
  • If attribute numSubordinates is present but numAllSubordinates is missing values of numSubordinates are summed up to determine the number of all entries in a subtree (e.g. when displaying the delete form).
Code cleaning


Release Date: 2013-07-18

Bugs fixed
  • Fixed regression with missing >= filter part in plugin class for pwdExpireWarning.


Release Date: 2013-07-16

Bugs fixed
  • When generating links to advanced search form with missing form parameters reasonable defaults are set now.
  • Fixed several regressions in search parameter handling.


Release Date: 2013-07-15

New features/enhancements
  • Advanced search form handling was improved:
    • Table layout.
    • Buttons [+] and [-] extend/shortens search parameter list.
    • Matching rules can be specified.
    • Whenever appropriate the user is redirected back to advanced search form.
    • Various plugin classes now display link to advanced search form instead of simple LDAP filter in expert search form.
  • Error message and fall-back to advanced search form in case IOError is raised during loading template file referenced by searchform_template.
  • DIT content rules referencing an attribute type are listed when displaying the attribute type in schema viewer.
  • Directly referencing object classes and inherited object classes are displayed separately when displaying the attribute type in schema viewer.
  • No-op search control used to determine number of subordinate entries when presenting deletion input form.
  • In case of ldap.FILTER_ERROR being caught the erroneous filter is displayed.
Bugs fixed
  • Better error handling in case of invalid certificate/CRLs values.
Code cleaning
  • OpenLDAP's no-op search now isolated in new method MyLDAPObject.noop_search_st().
  • Some code clean-up in w2lapp.searchform.


Release Date: 2013-06-25

New features/enhancements
  • New class attrs LDAPSyntax.searchSep/readSep/fieldSep used consequently everywhere through class This enables plugin classes to control how multiple attribute values are separated.
  • Search form parameter filterstr can now be multi-valued and its values are always evaluated along with the other form parameters from basic/advanced search form. This allows to define search form templates with arbitrary additional filters to be combined with user's input in the search form.
  • OpenLDAP's no-op search control is now sent with tight timeout (5 sec) to not overwhelm the server in case many entries have to be checked.
Bugs fixed
  • Corrected determining server name in standalone mode.
  • Fixed Unicode handling of attribute type names when displaying password attributes after changing them.
  • Fixed issue with multiple delsid form parameter sent after re-login.


Release Date: 2013-06-18

Dropped features
  • Syncing password attributes of ancient Samba 2 schema is not supported anymore. Use Samba 3 instead.
  • Removed inline Javascript frame-buster in favour of sending secure values for HTTP header X-Content-Security-Policy (see Content Security Policy (CSP)). You can add an reference to an external Javascript source file to the template file referenced by html_begin_template.
New features/enhancements
  • Plugin class for pwdChangedTime now displays that a password will never expire.
  • New host-specific parameter passwd_modlist allows to set a custom initial password attribute modification list.
  • New global configuration parameter http_headers allows to define a static dictionary of HTTP headers in the configuration to be sent to the browser in any case.
  • New session ID is generated when login is performed to prevent session fixation attacks.
Bugs fixed
  • Fixed exception plugin class for pwdChangedTime in case the referended password policy entry does not contain pwdMaxAge.
  • Fixed UnicodeError in plugin class DynamicDNSelectList.


Release Date: 2013-05-28

New features/enhancements
  • Some improvements to searching for schema elements in the schema viewer.
  • Also absolute date/time of password expiry timestamp is displayed in plugin class for pwdChangedTime.
  • New small plugin module for FreeRADIUS/LDAP schema.
Bugs fixed
  • More robust version number check in sbin/
  • Timestamp seconds now converted to long integer before transforming it to readable representation to eliminate unnecessary strings in output due to float rounding.
  • The user name taken from login form is now correctly escaped before adding it into a LDAP filter.


Release Date: 2013-05-22

New features/enhancements
  • New plugin class for attribute pwdChangedTime.
Bugs fixed
  • Fixed Unicode issue in plugin class Timespan.
  • Fixed Unicode issue in module w2lapp.schema.plugin.ppolicy.


Release Date: 2013-05-17

New features/enhancements
  • All group modifications are displayed.
  • New plugin classes for MS AD attributes:
    • GUIDs (objectGUID, parentGUID, rightsGuid, siteGUID)
    • msDS-SupportedEncryptionTypes
  • New plugin classes for pwdExpireWarning and pwdMaxAge display search links.
  • It's now possible to search for arbitrary OctetString values.
  • If host-specific parameter search_attrs is not set or an empty list all attribute types are displayed in attribute select list in advanced search form.
Bugs fixed
  • If a only a single char * or + is given as attribute list this is no longer treated as a real single attribute when reading an entry.


Release Date: 2013-05-10

New features/enhancements
  • New plugin class w2lapp.schema.syntaxes.Timespan displays time spans as hours, minutes, seconds used for:
    • pwdMinAge
    • pwdMaxAge
    • pwdExpireWarning
    • entryTTL
  • Time before password expiration displayed as hours, minutes, seconds.
  • When submitting several group modifications all failed attempts are collected and displayed with LDAP error information after processing all group modifications.
Bugs fixed
  • Better handling of LDAPError exceptions in case the LDAP server does not support "Who am I?". Especially occurred as problem with SASL/GSSAPI bind.
  • Plugin class DNSDomain lower-cases input values before applying the IDNA encoding.


Release Date: 2013-02-16

New features/enhancements
  • The number of revoked certs is displayed when displaying a CRL.
  • New plugin class for NIS attribute macAddress which sanitizes user input and does reg-ex checking.
  • New plugin module for sudo-ldap.
  • Plugin class for memberURL now strips white-spaces from input values.
Bugs fixed
  • Small fix for displaying LDAP error messages.
  • Fixed handling of class attributes valuePrefix and valueSuffix in plugin class DynamicValueSelectList.
  • Work-around for LDAP URLs with bad search filter passed in as QUERY_STRING in the URL.


Release Date: 2013-01-19

New features/enhancements
  • The "Who am I?" extended operation is now always used to detect bind-DN rewriting also in case of simple bind.
  • Some more plugin classes in module w2lapp.schema.plugins.pgpkeysrv.
Bugs fixed
  • More liberal regex pattern for sambaAcctFlags.
  • Fixed an exception caused by empty strings in an attribute list when reading an entry.


Release Date: 2013-01-07

New features/enhancements
  • Schema viewer now displays direct links to DIT content rules referencing the object class displayed.
  • @ character in form parameter search_attrs is now expanded at the client-side to a set of attribute type names. So this works also with LDAP servers not supporting RFC 4529 and it's usable when exporting entries to a table-based format (CSV or Excel).
Bugs fixed
  • Fixed reading attribute gidNumber of sambaGroupMapping entry when generating attribute value for sambaSID.


Release Date: 2012-12-27

Installation and Configuration changes
  • Python module netaddr can be used as alternate implementation of required classes IPAddress and IPNetwork.
New features/enhancements
  • Error message is displayed in HTML output if there is an string format error in HTML template which caused TypeError internally.
  • New HTML templates for Samba3 LDAP schema.
  • Values for attributes sambaSID are auto-generated if empty.
  • New or existing plugin classes registered for attribute types in Samba3 LDAP schema:
    • sambaDomainName
    • sambaHomeDrive
    • sambaLogonToChgPwd
    • sambaPrimaryGroupSID
Bugs fixed
  • Work-around for missing form field if ldapsession.PasswordPolicyException is caught and w2lapp.passwd.PasswdForm() is invoked directly.
  • @ character is now allowed in form parameter search_attrs to correctly support RFC 4529.


Release Date: 2012-12-07

New features/enhancements
Bugs fixed
  • Fixed Unicode issue in w2lapp.schema.syntaxes.SelectList which affected all classes derived from that.
  • Added dummy value for attribute LDAPSyntax.oid to various base plugin classes to avoid false registration under some circumstances.


Release Date: 2012-12-05

Installation and Configuration changes
  • Semantics of global configuration parameter session_limit slightly changed. It now defines the time-span after which a new session ID is generated.
New features/enhancements
  • Better error message in case ldap.NO_SUCH_OBJECT was raised when adding entry.
  • Display matchedDN if present in LDAPError exception (e.g. ldap.NO_SUCH_OBJECT).
  • New plugin class for OpenDS/OpenDJ attribute ds-cfg-alternate-bind-dn auto-fills incomplete RDNs based on entry.
  • New plugin class for attribute x509issuer defined in draft-ietf-pkix-ldap-pkc-schema makes it easier to find CA certs in a directory using that schema.
  • When displaying single attribute a new work-around tries to locate cert/CRL attributes which have ;binary transfer type even though the form parameter read_attr (derived from LDAP URL) did not contain it.
  • New plugin class for IP host and network addresses also used for NIS attribute types ipHostNumber and ipNetworkNumber.
  • New or existing plugin classes registered for attribute types in ISC DHCP LDAP schema:
    • dhcpAssignedToClient
    • dhcpDnsStatus
    • dhcpReservedForClient
    • dhcpNetMask
    • dhcpRange
Bugs fixed
  • Fixed escaping attribute values when constructing search filter in plugin class w2lapp.schema.plugins.nis.


Release Date: 2012-10-28

New features/enhancements
  • New host-/backend-specific passwd_template for specifying a template for change password form.
  • After the admin changing another entry's password a link is displayed which can be sent to the user for him/her changing own password immediately if the checkbox in the password form was selected.
  • Added refresh meta tag to <head> section which instructs the browser to automatically redirect to the [Connect] page after session expiration.
  • LDAPSession.who is now set to the DN returned by reading the user entry after bind.
  • Values for attribute memberUid are automatically checked whether an posixAccount entry exists containing the same value in the uid attribute if MemberUID.ldap_url contains a LDAP URL.
  • When setting password of an entry templates defined with host-specific parameter boundas_template are also used to show a more descriptive user name if possible.
  • Added support for retrieving count of all search results by using OpenLDAP's no-op search control (see OpenLDAP ITS#6598).
  • When a user changes own password and chooses to let web2ldap generate it the new password is shown in re-login form message.


Release Date: 2012-08-25

Installation changes
The following changes to local system installation are required:
New features/enhancements
  • Better support for IPv6 (except running in stand-alone mode).
  • A link in context menu displayed with search results allows quick negation of search filter.
  • Plugin class DynamicValueSelectList now has class attributes valuePrefix and valueSuffix for automatically adding a prefix and/or suffix to attribute values derived from a LDAP search.
  • If applying templates in input form would result in duplicate input fields for the same attribute only the first template containing the attribute is used.
  • The status line text displayed behind Bound as: is now based on attributes in the user's entry and a HTML template snippet defined by new host-specific parameter boundas_template.
Bugs fixed
  • Fixed displaying LDAP URLs pointing to remote servers.
  • Plugin classes for dynamic DN or value select lists no longer search for referenced data when called with argument commandbutton=0.
  • DynamicValueSelectList._determineSearchDN does not return DN ending with a comma anymore.
  • A NameError caused by a bug in M2Crypto is caught can ignored.


Release Date: 2012-06-26

New features/enhancements
  • Subject and issuer DN output of M2Crypto is now decoded to UTF-8 strings so non-ASCII chars are not displayed hex-escaped.
Bugs fixed
  • Fixed order of module import in start scripts for different run modes.


Release Date: 2012-06-22

New features/enhancements
  • Using tree delete control is not default in case OpenLDAP was detected as LDAP server.
  • New plugin class for attribute type memberUrl checks various values in the LDAP URL and sends a dummy search to provoke server-side errors to check validity of LDAP URL.
  • LDAP URLs now have more handy links attached depending whether hostport part is empty or not.
Bugs fixed
  • No links are shown in search results by the plugin class for dynamically generated select lists.


Release Date: 2012-06-17

New features/enhancements
  • [Locate] now allows searching in DNS for internationalized domain names (see RFC 3490).
  • Exception ldap.schema.subentry.SubschemaError is now caught and the locally installed fall-back subschema is used.
  • Plugin classes Binary and CertificateRevocationList now display byte count for the attribute value.
Bugs fixed
  • When decoding/encoding DNS names domain components are processed separately to more strictly follow guidelines in RFC 3490.
  • Cleaned up input and error handling in [Locate].
  • ValueError caught and displayed inline in case module M2Crypto is not able to correctly extract notBefore/notAfter attributes from certificates.


Release Date: 2012-06-07

New features/enhancements
  • Added new values in OID registry and MS AD plugin module for Windows 2012 Server.
Bugs fixed
  • Reverted the behaviour when binding to the server. The whole connection is dropped but reconnecting is done by calling ReconnectLDAPObject.reconnect() (python-ldap 2.4.10 recommended for this).
  • Again fixed UnicodeDecodeError when displaying SASL information in [ConnInfo].
  • The rootDSE is now read after bind before trying to look up user's entry (e.g. by SASL user name after GSSAPI to MS AD).


Release Date: 2012-05-31

New features/enhancements
  • Template variable text_scriptname now available for connect_template.
  • New plugin classes for OpenDS/OpenDJ attribute ds-cfg-account-status-notification-type.
  • Registered OpenDS/OpenDJ attribute ds-cfg-public-key-certificate with plugin class Certificate.
  • In the schema viewer some texts containing multiple spaces and line feeds are now displayed as continuous flowed text with line breaks.
Bugs fixed
  • Parentheses are now allowed in local part of e-mail addresses (attribute mail etc).
  • Some small fixes when receiving kill signals.
  • Fixed UnicodeDecodeError when displaying SASL information in [ConnInfo].
Code cleaning
  • Some updates to plug-in classes based on w2lapp.schema.syntaxes.SelectList.
  • w2lapp.schema.syntaxes.Boolean now based on w2lapp.schema.syntaxes.SelectList. Still some small issues with the falsely lower-cased Boolean attribute values in OpenDS/OpenDJ (read more...).
  • Some clean-ups when displaying texts with line breaks.


Release Date: 2012-05-19

New features/enhancements
  • Added more values for Exchange to w2lapp.schema.plugins.activedirectory.ObjectVersion but plugin class now behaves like Integer class except when displaying attribute values.
  • SASL information now displayed with API constant names in [ConnInfo].
  • New plugin classes for OpenDS/OpenDJ which display static select list in the entry input form for the following attributes:
    • ds-cfg-certificate-validation-policy
    • ds-cfg-default-root-privilege-name
    • ds-cfg-ssl-cipher-suite
    • ds-cfg-ssl-protocol
    • ds-privilege-name
Bugs fixed
  • Fixed displaying hex cert serial number.
  • Fixed displaying attribute ds-sync-hist if modification value is not human-readable.
  • Plugin class for pwdPolicySubentry now also searches for entries with object class ds-cfg-password-policy.


Release Date: 2012-05-13

New features/enhancements
  • Relaxed validation of form parameter add_template. Thus any Unicode character is now allowed in description part of addform_entry_templates.
Bugs fixed
  • Fixed switching input forms if set of attribute types known as writeable is empty and thus nonePseudoValue;x-web2ldap-None was passed in.
  • Better error handling if something goes wrong when parsing LDIF templates.


Release Date: 2012-05-06

New features/enhancements
  • Session tracking control is sent along to the LDAP server with each LDAP request (see draft-wahl-ldap-session) if host-/backend-specific parameter session_track_control is non-zero.
  • For OpenDS / OpenDJ:
    • New plugin classes which displays dynamic select list in the entry input form for the following attributes:
      • ds-cfg-certificate-mapper
      • ds-cfg-key-manager-provider
      • ds-cfg-trust-manager-provider
    • New plugin classes which displays static select list in the entry input form for the following attributes:
      • ds-cfg-disabled-privilege
      • ds-cfg-etime-resolution
      • ds-cfg-ssl-client-auth-policy
      • ds-cfg-security-level
    • Registered attribute ds-cfg-identity-mapper with appropriate plugin class.
  • If Python module M2Crypto is installed:
    • Basic information of X.509 certificates is displayed when viewing the LDAP entry.
    • If module pisces is not installed the textual OpenSSL output is displayed as detailed certificate view. Does not work for CRLs yet.
Bugs fixed
  • Added another work-around for invalid read entry control values received from older OpenLDAP servers:
    IndexError is now caught when extracting attribute entryUUID from the post read control value when renaming an entry.


Release Date: 2012-05-02

Bugs fixed
  • Plugin class BitArrayInteger now has method formValue() which generates the correct form value in the entry input form even when the input field is locked.
  • AD-specific plugin class LogonHours now has method formValue() which generates the correct form value in the entry input form.
  • If the entry input form is generated again after an input error the set of writable attributes is preserved.


Release Date: 2012-04-30

New features/enhancements
  • New plugin MS AD classes for editing schema references to ClassSchema and attributeSchema entries within MS AD schema configuration container.
  • New plugin class for attribute demailMaxAuthLevel used for DE-Mail.
  • Values from OpenDS/OpenDJ's rootDSE attribute ds-private-naming-contexts are now added to set of available naming contexts which makes it also possible to define backend-specific parameters for those.
Bugs fixed
  • Plugin class for MS AD attribute groupType now based on BitArrayInteger allowing all possible combinations of bit flags.
  • Fixed splitting RDN in case of equal sign in attribute values when generating the entry input form.
  • Fixed displaying select in connect form when server description contains non-ASCII chars.


Release Date: 2012-04-21

New features/enhancements
  • Version number displayed along with exception log.
  • Named placeholders are now used with Python's Format String Syntax for login form templates.
    You have re-edit your own customized login forms!
  • Template for input form also used when renaming an entry (new host-/backend-specific parameter rename_template).
  • The begin of the HTML output is now read from an external template configured with global parameter html_begin. Parameters html_bodybegin and html_head are not used anymore.
  • The initial connect form is now read from an external template configured with global parameter connect_template.
  • The status area is now read from an external template (new host-/backend-specific parameter status_template).
  • DNS SRV RR lookup now extended to non-standard used with DE-Mail.
Bugs fixed
  • LDAPSyntaxValueError exceptions raised during sanitizing user's input are now caught and appropriate error message is displayed.


Release Date: 2012-04-16

New features/enhancements
  • When determining language-specific template file names the subtags of the values in Accept-charset header are now ignored.
  • Input field for search_attrs is now always present in search options part of every type of search form. Therefore host-/backend-specific parameter searchform_attrs_size not needed anymore.
  • New plugin class for displaying OpenDS/OpenDJ attribute ds-sync-hist.
  • New attribute reqEntryUUID also alternatively used when searching in OpenLDAP's 2.4.31+ accesslog database. Also added specific plugin class for this attribute. (See motivation for this in OpenLDAP's ITS#6656).
  • A work-around for older OpenLDAP bug (see ITS#6899) makes it possible to enable the Read Entry Control (see RFC 4527) with all OpenLDAP versions.
  • Added new experimental plugin class w2lapp.schema.plugins.posixautogen.AutogenGIDNumber which autogenerates input value for attribute gidNumber in posixGroup entries.
Bugs fixed
  • Fixed sub-classing for plugin class KrbPrincipalType.
  • Fixed searching for superior entries when renaming entries and entry is governed by DIT structure rule.
  • Fixed plugin class AutogenUIDNumber to ignore search continuations (LDAP referrals).
  • Fixed behaviour in case a password change is required after password reset.


Release Date: 2012-04-04

New features/enhancements
  • New plugin class for LDAP syntax Control used in OpenLDAP's accesslog DB for attributes reqControls and reqRespControls which prints out some more information.
  • Added NO_AUTH_DATA_REQUIRED and PARTIAL_SECRETS_ACCOUNT to UserAccountControl.flag_desc_table.
  • Plugin class BitArrayInteger now sets the columns of the <textarea> input field to the maximum needed length.
Bugs fixed
  • Fixed use of host-/backend-specific login_template during initial connect to a LDAP server.


Release Date: 2012-03-27

Bugs fixed
  • Fix for validating uniqueMember attribute values.
  • Fix for handling default values based in base plugin class OnOffFlag.
  • Fixed some typos in HTML template for OpenLDAP's cn=config.


Release Date: 2012-03-23

New features/enhancements
  • Registered various attribute types of OpenLDAP's cn=config with plugin class MultilineText.
Bugs fixed
  • LDAP referrals are now ignored when searching option entries in plugin class DynamicValueSelectList.
  • LDAP referrals are now ignored when searching superior entry for informational messages.


Release Date: 2012-03-21

New features/enhancements
  • More templates for OpenLDAP's cn=config.
Bugs fixed
  • Fixed regression in schema viewer when displaying schema element trees of derived object classes and attribute types.
  • Fixed regression when displaying login form during referral chasing.


Release Date: 2012-03-16

New features/enhancements
  • Various enhancements for accessing and displaying changelog data used e.g. by OpenDS/OpenDJ.
  • The exact result or LDAPError message of "Who am I?" extended operation is displayed in [ConnInfo].
Bugs fixed
  • Display link to connection entries in Monitor backend also if there is no accesslog database attached...
  • Some compliance fixes in HTML markup to make W3C validator happy.


Release Date: 2012-03-14

New features/enhancements
  • New host-/backend-specific configuration parameter read_tablemaxcount allows to define multi-valued attributes for which only a maximum count of attribute values are displayed. Klicking on [Raw] in the context menu will expand all attribute values at once.
  • If attribute monitorContext is present in rootDSE a link for searching own or a user's LDAP connections in the monitor database is displayed in the context menu of [ConnInfo] and when displaying a single entry.
Bugs fixed
  • Also ldap.PROTOCOL_ERROR and ldap.SERVER_DOWN are ignored if starttls is set to 1.


Release Date: 2012-03-09

Dropped features
  • Support for LDAPv2 connections was dropped to speed up connecting to the server. A first anonymous bind request for testing whether a valid LDAPv3 connection was established is not needed anymore (see also RFC 3494).
New features/enhancements
  • Python's Format String Syntax is now used for login form templates. This allows to simply remove placeholders for unneeded input fields.
    Caveat: If you have customized login forms you have to rework your templates to use this new syntax.
  • New host-/backend-specific configuration parameter searchoptions_template allows to define the input fields for search base, scope etc.
  • Schema viewer explicitly displays USAGE of attribute types.
  • Initial connect and bind was optimized to avoid reading rootDSE and subschema subentry twice.
  • Some more templates translated to German.
Bugs fixed
  • Fixed a regression introduced in 1.1.4 which made it impossible to use encrypted connections (LDAPS or LDAP w/StartTLS) for non-anonymous bind.
  • When displaying an input form ldap.INSUFFICIENT_ACCESS is ignored when reading the superior entry which is only for informational use anyway.
  • If first preferred language is en then the standard HTML templates are used now. The ones shipped with source distribution are considered to be the English templates.
  • Corrected false translations in various HTML templates.


Release Date: 2012-03-01

New features/enhancements
  • A new SSL/TLS context is always initialized for each LDAP connection.
Bugs fixed
  • Fixed validation of attribute values of LDAP syntax Generalized Time to also allow fraction and time zone offset as defined in RFC 4517.
  • Fix for leap years in age calculation in plugin classes for attribute types msPerson::dateOfBirth and schacDateOfBirth.


Release Date: 2012-02-27

New features/enhancements
  • Form parameter search_attr now accepts comma-separated list of attribute types which all are added to the LDAP filter with the accompanying search_string as assertion value.
  • New host-/backend-specific configuration parameter groupadm_filterstr_template allows to influence the set of group entries shown in group administration dialogue.
Bugs fixed
  • When editing an entry in the LDIF input field existing values of binary/non-human-readable attributes (e.g. jpegPhoto or userCertificate;binary) are sent as changed if the input LDIF did not change the values.


Release Date: 2012-02-25

New features/enhancements
  • Search assertion values are normalized via plugin classes if the accompanying search_mode is not a substring search.
Bugs fixed
  • Fixed a regression bug which accidentally deleted binary/non-human-readable attributes (e.g. jpegPhoto or userCertificate;binary) when modifying an entry.
  • Stricter regex pattern for checking values of LDAP syntax OID.


Release Date: 2012-02-22

New features/enhancements
  • Plugin classes for attribute msPerson::dateOfBirth and schacDateOfBirth now display the age of a person.
  • Stricter checks in plugin classes for birthday-related attribute types msPerson::dateOfBirth, schacDateOfBirth and schacYearOfBirth enforce birthday to be in the past.
  • New plugin module w2lapp.schema.plugins.opensshlpk for OpenSSH-LPK.
  • The schema viewer now displays the internally used plugin class for LDAP syntaxes and attribute types. This eases finding plugin class registration errors.
  • Added new experimental plugin module w2lapp.schema.plugins.posixautogen which autogenerates some input values for posixAccount entries (currently only uidNumber and homeDirectory).
    Make sure you understand what it does internally before enabling it in production!
Bugs fixed
  • LDAPI connections are now also correctly displayed as secured in [ConnInfo].
  • When modifying an entry the modify list now also includes auto-generated attributes.


Release Date: 2012-02-16

Installation and Configuration changes
The following changes to local system installation are required:
New features/enhancements
  • New plugin base class PropertiesSelectList allows to maintain a select list (value/description pairs) in common properties files which are also subject to language-variant resolution like the HTML templates. See for example use.
  • Support for various boolean flag LDAPv3 extended controls with a nicer user interface.
  • Delta modification is smarter now when diffing multi-valued attributes leading to smaller modification lists.
  • If the DN of the user's entry could be determined after successful bind this user entry is read and stored in the LDAPSession instance for determining further user preferences and login data.
  • Added support for setting SHA-2 hash password values at the client-side (schemes {SHA256}, {SSHA256}, etc.).
  • Added plugin module for Apple-specific attribute types.
  • Experimental CSV and Excel export without any formatting parameters.
  • The following HTTP headers are always sent to avoid security/privacy problems:
    X-Content-Type-Options: nosniff Switch off MIME-type guessing in MS IE 8+
    X-XSS-Protection: 0 Cross-Site Scripting Protection for MS IE
    X-DNS-Prefetch-Control: off Switch off DNS prefetching
    Strict-Transport-Security: max-age=15768000 ; includeSubDomains Enforce use of HTTPS at browser-side, but only sent when application was accessed via HTTPS (see RFC 6797)
    X-Frame-Options: DENY Deny use of frames completely to avoid click-jacking (see The X-Frame-Options response header)
  • The search form now contains a select field for a modification time interval. This automatically extends the filter string restricting the results by attributes createTimestamp and modifyTimestamp relative to the current time.
  • The line dn: in LDIF templates can now optionally also contain a whole distinguished name, not only a RDN. In this case the DN portion after the RDN is interpreted as base DN under which the new entry is to be added.
  • New method GeneralizedTime.sanitizeInput() converts to a correct timestamp if only a date without time part was given as input.
  • The Assertion Control is used when sending a modify request if the seems to support it to prevent the server to process the request if the entry has been changed in between (see RFC 4528). Host-specific parameter modify_constant_attrs is used to generate the assertion filter.
  • Group administration now handles limits more gracefully.
  • Partial search results are returned in exported data (LDIF, DSML, CSV, Excel) even if an administrative limit was hit.
  • Deleting attributes from an entry is now much more flexible in the UI and can be done with appropriate LDAPv3 ext. controls. One use-case is removing operational password policy attributes which cannot be edited in the normal input form.
  • Additional LDAPv3 ext. controls can be also used when deleting entries.
  • Added refreshing dynamic entry with extended operation (see RFC 2589).
  • Password policy control sent and received for displaying password warnings and guide the user to change the password (see draft-behera-ldap-password-policy).
  • Added support for Authorization Identity Request and Response Controls (see RFC 3829).
Dropped features
  • Support for setting the old and insecure LAN manager password hash attribute lmPassword/sambaLMPassword along with the userPassword was dropped.
  • Support for running as SCGIServer was removed since nobody (including me) ever used it.
Changes in the UI
  • Output is now HTML5.
  • New style sheet(s) which look much better now.
  • When adding/modifying an entry some information of the superior entry is displayed if inputform_supentrytemplate is defined. This is user-friendly especially when the superior DN does not contain attribute values easily recognizable by humans.
  • The connection type (LDAP, LDAP with StartTLS ext.op., LDAPS or LDAPI) can now be specified in the connection form.
  • Specifying LDAP options/controls was moved from [ConnInfo] into a separate module accessible via extra entry in the main menu.
  • When generating the object class select form the operational attribute allowedChildClasses (e.g. available on MS AD) is now honoured to determine which STRUCTURAL object classes are allowed for the new subordinate entry.
  • When generating the input form vendor-specific operational attributes are now honoured to determine whether an attribute is writeable by the bound user. Otherwise only a read-only hidden field is displayed.
    Tested with MS AD and OpenLDAP overlay slapo-allowed (see also ITS#4730).
  • The schema browser is now directly accessible via extra entry in the main menu.
  • Some improvements for setting the password of an user entry:
    • Hash settings are not displayed when changing unicodePwd on MS AD
    • If the user changes his own password he can enter old password for servers which need that (e.g. MS AD or Novell eDirectory). A modify list with ldap.MOD_DEL and ldap.MOD_ADD is generated then instead of ldap.MOD_REPLACE.
  • LDAP URLs shown in the UI now have SASL and StartTLS parameters set which were used during connect and last login. This makes it easier for the user to generate bookmark URLs containing StartTLS and SASL bind information.
  • LDAP URL extension x-saslmech is now taken as default for the bind mechanism select list in the login form.
  • [More] and [Fewer] in the advanced search form are now submit buttons and thus user's input entered in the search form so far is preserved. Empty user input is simply ignored and the advanced search form is displayed again.
  • In the monitor web page the LDAP connections are now displayed as table.
  • The list of requested attributes when displaying a single entry can now be altered in a simple input form below the displayed entry. This is handy for attributes which have to be explicitly requested to be returned by the server.
  • The submit button [Search] is now on top of all types of search forms.
  • Fingerprint based on SHA-256 is now displayed for displayed X.509 certificates.
  • When catching ldap.SERVER_DOWN a real error message is now shown instead of just redirecting to the start page. The user has to manually go to the [Connect] page.
  • [ConnInfo] now shows LDAP connection start time and duration.
  • Advanced search form now shows the attribute type's description from the subschema as title in the option value.
  • If the user does not enter a new password in the change password input form a new password is randomly generated and displayed to the user. Length and valid chars of generated passwords can be configured by host-specific parameters passwd_genlength and passwd_genchars.
  • Specific error message text for numeric codes returned by MS AD is displayed in case of ldap.INVALID_CREDENTIALS being raised.
  • Group administration now allows to enter a (partial) group name to limit the number of groups found.
  • The password change dialogue has a new input field for enforcing a password change after reset. This sets various attributes depending on what's detected in the subschema (draft-behera-ldap-password-policy, MS AD).
  • The password context menu now contains a link for removing password-related attributes from an entry.
Bugs fixed
  • Fixed behaviour when Relax Rules Control is in effect.
  • Fixed regex-checking for attribute pgpKey.
  • Processing of .ldaprc or ldap.conf is now explicitly switched off by setting environment variable LDAPNOINIT=1.
  • Fixed setting cert validation option for StartTLS ext.op. or LDAPS.
  • DESC fields of schema elements are now properly handled as UTF-8 and escaped.
  • Search filter string is now passed through login form (in case of intermediate login before searching is needed).
  • Attributes are now correctly displayed when parameter search_tdtemplate is in effect no matter of the case of attribute type name.
Security fixes
  • [ConnInfo]: All values coming from HTTP headers are now fully escaped to avoid XSS attacks based on manipulated HTTP headers.
  • More escaping when displaying error messages from untrusted sources to avoid XSS attacks by manipulated LDAP servers.
Code cleaning
  • Support for psyco was dropped since the project seems to be unmaintained.
  • Many changes/fixes towards a more consequent use of Unicode objects.
  • Completely reworked control parameter handling in [Params] for setting controls (formerly in [ConnInfo].
  • Deprecated module sets is not imported anymore.
  • Removed unused functions in module msbase.
  • Removed unused functions in module ldaputil.base.
  • New submodule ldaputil.extldapurl.
  • Consequent use of BooleanType with values True and False where appropriate.
  • Dropped support for reading cn=config attribute database on old LDAPv2 Umich servers.
  • Caching was removed from class ldap.LDAPSession and is now solely done in class ldapsession.LDAPObject. Uncaching single entries is now more reliable in new method ldapsession.LDAPObject.uncache_entry().
  • Consistent use of module hashlib in Python's standard lib also for MD4 so no need for installing additional modules for MD4 anymore.
  • Cleaned up inconsistent use of tabs and spaces (runs with python -tt now).
  • Dropped configuration parameter web2ldapcnf.misc.print_rawutf8 since all browsers accept UTF-8 today.