Features
List of currently available features
Running Mode
- Runs on Unix-derived OS (e.g. Linux, FreeBSD, Solaris etc.).
- Runs either stand-alone (built-in web server) or accessed via WSGI-enabled web server.
- Highly configurable on a per-host/-backend basis.
User Interface
- Correctly handles non-ASCII chars (display and input).
- If the user does something wrong, a terse error message is shown, which is usually based on the info field returned by the LDAP server. Where it makes sense, the user can immediately retry the action with corrected input parameters.
- Configuring the search root is usually unnecessary.
- Support for file upload of binary attributes, e.g. jpegPhoto or userCertificate.
- Efficient browsing in directory trees with paged display of search results. Honors the attributes hasSubordinates, numSubordinates and subordinateCount, if available, to determine whether entries have subordinate entries.
- Displays JPEG pictures in-line with reasonable performance by short-term caching.
- A title attribute is added to many HTML tags to provide a sort of bubble-help in browsers which support it.
- Attributes containing DNs, URLs or mail addresses are shown as links. DNs can be followed within web2ldap by simply clicking the link.
- If an error occurs while adding or modifying entries, the user can edit and re-submit the input data.
- Tries to be friendly to all browsers by producing simple, but well-formed HTML 5.
- Recursive deletion of directory trees.
- Three different search forms:
  - Basic: static search form based on a customizable HTML template.
  - Advanced: build a search filter by choosing options from select lists.
  - Expert: direct use of LDAP filter expressions.
- User-friendly handling of LDAPv3 referrals with reconnecting directly to referred host after presenting a login form to the user (see RFC 3296).
- OIDs in RootDSE attributes are displayed with name and description.
- Some (configurable) quick-buttons for common actions.
- Process LDIF input even with URL support (if configured).
Many Output Formats
- HTML templates can be used for displaying LDAP entries.
- HTML head section can be configured to include colors, background pictures or logos.
- id attributes on the main HTML tags for use with Cascading Style Sheets (CSS).
- Printer-friendly HTML output of search results based on a configurable HTML template string.
- Support for vCards - users of common browsers can easily add entries to their local address books.
- Bulk downloading of directory data as
  - LDIF or LDIFv1 (see RFC 2849)
  - Comma-separated values (CSV with semicolon as separator)
  - Excel worksheet file
Plug-ins
Plug-in modules/classes for specific handling of attributes/syntaxes. The following plug-in modules currently exist in directory web2ldap/w2lapp/schema/plugins/:
Module name | Description |
---|---|
acp133 | mainly LDAP syntaxes defined for ACP 133 with simple select lists, but could not be tested |
activedirectory | For MS AD and Samba 4 |
aedir | powerful plugin classes for maintaining Æ-DIR |
apple | support for Apple Open Directory |
asn1objects | Class which can dump BER objects as pretty-printed ASN.1 |
dds | for dynamic entries defined in RFC 2589 |
dhcp | for ISC dhcpd with LDAP backend |
dns | for DNS RR entries as defined in dnsdomain2.schema |
edirectory | Various syntaxes found in draft-sermersheim-nds-ldap-schema |
eduperson | for attributes defined in eduPerson |
entrust | Some small syntax quirks for Entrust PKI schema |
exchange | Some small quirks for Exchange 5.5 |
freeipa | Some small quirks for FreeIPA |
groups | handles DN attributes related to groups |
h350 | for H.350 attributes defined in RFC 3944 |
ibmds | Some small quirks for IBM Directory Server |
inetorgperson | Plugin classes solely registered for composing certain attributes used with inetOrgPerson (see RFC 2798). |
krb5 | for heimdal and MIT Kerberos schema |
ldapns | LDAP-based naming service |
lotusdomino | for attributes in Lotus Domino's LDAP service |
msperson | See stroeder.com.schema |
mssfu30 | Microsoft System Services for Unix 3.0 |
nis | NIS attributes (see also RFC 2307) |
oath | Attributes used with OATH-LDAP |
opends | mainly some configuration attributes used in OpenDJ (formerly known as OpenDS) |
openldap | some attributes used in OpenLDAP for back-config and slapo-accesslog (see also draft-chu-ldap-logschema) |
pgpkeysrv | Multi-line fields for PGP keys |
pilotperson | for attributes defined in RFC 1274 |
pkcschema | for attributes defined in draft-ietf-pkix-ldap-pkc-schema |
ppolicy | for attributes defined in draft-behera-ldap-password-policy |
quirks | Various quirks for very misbehaving servers |
samba | for Samba 3 |
schac | for attributes defined in SCHAC |
subentries | for attributes defined for subentries (see RFC 3672) |
vchupwdpolicy | covering central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy |
vpim | for attributes defined in VPIM (see RFC 4237) |
x500dsa | for attributes available on real X.500 DSAs |
Advanced LDAP features
- Schema support
  - Full LDAPv3 sub schema sub entry support when displaying an entry or an input form with required and allowed attributes.
  - Built-in schema browser displays all forward and backward references to other schema elements as links for all supported schema elements and allows a simple wildcard search by OID or NAME patterns.
  - Supported and used schema attributes:
    - attributeTypes
    - dITContentRules
    - ldapSyntaxes
    - matchingRuleUse
    - matchingRules
    - objectClasses
    - dITStructureRules
    - nameForms
  - Schema support has reasonable performance because parsed sub schema sub entries are cached.
  - Full support for inherited schema elements (object classes and attribute types).
  - Fall-back to a local schema definition stored in an LDIF file in the configuration, used in case the subschema subentry is inaccessible.
  - Special handling of collective attributes.
- Write Access
  - Support for adding, modifying, deleting entries, deleting sub trees and renaming entries.
  - Schema-aware to provide schema-matching input forms for add/modify.
  - Octet strings can be directly edited as hex bytes.
  - Plug-in classes implement specific input fields for many vendor-specific attributes.
  - Configurable LDIF templates for new entries.
  - Input values for some attributes/syntaxes (e.g. jpegPhoto, certificates and CRLs) are automagically converted to the right format.
- Password attributes
  - Password Modify Extended Operation (see RFC 3062).
  - Generating client-hashed userPassword values (see also draft-stroeder-hashed-userpassword-values).
  - Synced setting of userPassword and the Samba NT password attribute (support for the old LAN Manager hash was dropped in 1.1).
  - Attribute shadowLastChange is set if an entry has object class shadowAccount.
  - Resetting the password attribute unicodePwd in MS AD.
  - Removing various password-related attributes is supported even when the values are not visible (write-only access). The Relax Rules Control can be used to remove operational attributes.
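To make the "client-hashed userPassword values" item concrete, here is an added example that is not web2ldap's own code: it generates and verifies userPassword values in the {SHA} and {SSHA} schemes described in draft-stroeder-hashed-userpassword-values, using only the Python standard library. The function names and the 8-byte salt length are this example's own choices, not settings of web2ldap.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not web2ldap code: {SHA}/{SSHA} userPassword values as
# described in draft-stroeder-hashed-userpassword-values. Function names
# and the 8-byte salt length are assumptions of this example.

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value '{SCHEME}' + base64(...) for SHA or SSHA.

    {SHA}:  base64(sha1(password))
    {SSHA}: base64(sha1(password + salt) + salt), the salt is appended in clear
    """
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        if salt is None:
            salt = secrets.token_bytes(8)  # fresh random salt for every value
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SHA} or {SSHA} value.

    Malformed values yield False instead of an exception, so a caller can
    treat 'cannot verify' exactly like 'wrong password'.
    """
    if not stored.startswith("{"):
        return False
    scheme, sep, b64 = stored[1:].partition("}")
    if not sep:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False  # no salt bytes after the digest
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False


if __name__ == "__main__":
    value = hash_userpassword("secret")
    print(value, verify_userpassword("secret", value), verify_userpassword("wrong", value))
```

Unlike the Password Modify Extended Operation, where the server hashes the password itself, a client-hashed value is written as an ordinary attribute value, so the server's password policy only sees the hash and the client is responsible for choosing the salt and scheme.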
- Group administration feature
  - Convenient, secure and efficient way to add/remove an entry to/from a group entry. Many common group object classes are automagically supported:
    - groupOfNames
    - groupOfUniqueNames
    - rfc822MailGroup
    - mailGroup
    - posixGroup (see RFC 2307)
    - groupOfEntries (see draft-findlay-ldap-groupofentries)
    - accessGroup (found in IBM SecureWay)
- LDAP connection handling
  - Automatically determines the protocol version and features supported by the LDAP server. Falls back to reasonable defaults if features are not available.
- LDAP URLs
  - It is possible to directly use LDAP URLs (see RFC 4516) to reference LDAP entries and LDAP search results. Example:
    http://demo.web2ldap.de:1760/web2ldap/ldapurl?ldap://ldap.openldap.org/dc=openldap,dc=org
  - Note: although most LDAP URLs will work, you should use URL-quoted LDAP URLs.
- Root DSE
  - Uses the attribute namingContexts from the RootDSE to determine an appropriate search root automatically.
- LDAPv3 Referrals
  - Displays a new login mask to repeat the current action after chasing a referral.
  - Search continuations are displayed.
- Locating LDAP service
  - Tries to locate an LDAP host for a specific domain, dc-style DN (RFC 2247, RFC 2377) or e-mail address (see draft-ietf-ldapext-ldap-taxonomy):
    - Well known DNS aliases (kinda primitive anyway)
    - LDAPv3 Referrals (knowledge references)
    - Locate LDAP host via SRV RR (see also RFC 2782). This is done automatically if e.g. an LDAP URL does not contain a host name but a dc-style DN, or if an error response was received with error code NO_SUCH_OBJECT (somewhat inspired by RFC 3088).
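The two items above (LDAP URLs per RFC 4516, and locating a host via SRV RR when the URL carries only a dc-style DN) are illustrated by the following added example. It is not web2ldap's code and does not use its ldapurl module: it parses an LDAP URL into its components, extracts the LDAP URL embedded in a web2ldap `ldapurl?` link, and maps the dc= suffix of a DN back to a domain name (reversing RFC 2247) to form the `_ldap._tcp.<domain>` SRV owner name of RFC 2782. The rule that RDNs to the left of the dc= suffix are ignored, the naive split on commas, and all function names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

# Added example, not web2ldap code. Names, the "ignore RDNs left of the
# dc= suffix" rule and the naive comma split are assumptions of this example.


@dataclass
class LDAPUrl:
    """Components of an RFC 4516 LDAP URL with RFC 4516 defaults applied."""
    scheme: str
    host: Optional[str]
    port: Optional[int]
    dn: str
    attrs: List[str] = field(default_factory=list)
    scope: str = "base"
    filterstr: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def ldap_url_from_web2ldap_link(link: str) -> str:
    """Return the LDAP URL that follows '.../ldapurl?' in a web2ldap link."""
    _, sep, ldap_url = link.partition("/ldapurl?")
    if not sep:
        raise ValueError("not a web2ldap ldapurl link")
    return ldap_url


def parse_ldap_url(url: str) -> LDAPUrl:
    """Parse scheme://[host[:port]]/dn?attrs?scope?filter?extensions."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported URL scheme {scheme!r}")
    hostport, _, tail = rest.partition("/")
    host: Optional[str] = None
    port: Optional[int] = None
    if hostport:
        if hostport.startswith("["):  # IPv6 literal such as [::1]:389
            host, _, portstr = hostport[1:].partition("]")
            portstr = portstr.lstrip(":")
        else:
            host, _, portstr = hostport.partition(":")
        port = int(portstr) if portstr else None
    fields = tail.split("?")
    fields += [""] * (5 - len(fields))  # absent trailing fields are empty
    # percent-decode each field separately, so an encoded '?' in the filter survives
    dn, attrs, scope, filterstr, exts = (unquote(f) for f in fields[:5])
    if scope and scope.lower() not in ("base", "one", "sub"):
        raise ValueError(f"invalid scope {scope!r}")
    return LDAPUrl(scheme=scheme, host=host or None, port=port, dn=dn,
                   attrs=[a for a in attrs.split(",") if a],
                   scope=scope.lower() or "base",
                   filterstr=filterstr or "(objectClass=*)",
                   extensions=[e for e in exts.split(",") if e])


def dc_dn_to_domain(dn: str) -> Optional[str]:
    """Map the dc= suffix of a DN to a domain name (reverse of RFC 2247):
    'ou=People,dc=example,dc=com' -> 'example.com'; None if there is no dc= suffix."""
    labels: List[str] = []
    for rdn in reversed(dn.split(",")):  # walk from the root towards the leaf
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            break
        labels.append(value.strip())
    labels.reverse()
    return ".".join(labels) or None


def srv_name_for_url(url: LDAPUrl) -> Optional[str]:
    """If the URL names no host, return the RFC 2782 SRV owner name to query
    (_ldap._tcp.<domain>) derived from the dc-style DN, else None."""
    if url.host:
        return None
    domain = dc_dn_to_domain(url.dn)
    return f"_ldap._tcp.{domain}" if domain else None


if __name__ == "__main__":
    u = parse_ldap_url("ldap:///ou=People,dc=example,dc=com??sub?(uid=jdoe)")
    print(u, srv_name_for_url(u))
```

The actual SRV lookup is left to the resolver; what matters for the page's point is that a URL with an empty host part is not a bad URL but a request to derive the server from the DN.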
- allowed* attributes
  - Some attributes provided by MS Active Directory and partially by OpenLDAP's slapo-allowed are used:
    - allowedAttributesEffective to determine writeable attributes when displaying the entry input form for modification
    - allowedChildClasses to determine suitable object classes for child entries when displaying the object class select form while adding a new entry
- LDAPv3 extended controls
  - Manage DSA IT mode: for editing referral entries (see RFC 3296).
  - Subentries: two different controls for searching subentries (see RFC 3672 and draft-ietf-ldup-subentry-07).
  - Relax Rules Control (formerly Manage DIT control): for editing operational attributes (see draft-zeilenga-ldap-relax).
  - Tree Delete: deletion of whole subtrees with a single DeleteRequest (see draft-armijo-ldap-treedelete).
  - Assertion Control: used when sending a modify request, if the server seems to support it, to prevent the server from processing the request if the entry has been changed in between (see RFC 4528). The host-specific parameter modify_constant_attrs is used to generate the assertion filter.
  - Password policy: displays password warnings and guides the user to change the password (see draft-behera-ldap-password-policy).
  - Read Entry Control: retrieves the DN and the attribute entryUUID when adding/renaming an entry (see RFC 4527).
  - Session Tracking Control: the client's IP address, the server name and the LDAPObject instance hash are sent to the LDAP server for debugging (see draft-wahl-ldap-session).
  - OpenLDAP's no-op search control: the count of all search results is retrieved with OpenLDAP's no-op search control in case only partial search results were returned (see OpenLDAP ITS#6598).
  - Don't Use Copy control: used if found in the rootDSE attribute supportedControl when reading an entry before presenting the modification input form. The OIDs from RFC 6171 and from OpenLDAP's experimental implementation are supported.
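The Assertion Control item above describes an optimistic-locking pattern: the modify request carries a filter that must still hold when the server applies it. The following added example (not web2ldap's code) shows how such an assertion filter can be built from the attribute values read before the input form was shown. The entry, the list standing in for modify_constant_attrs and the function names are constructed for this example; the escaping follows RFC 4515.

```python
from typing import Dict, List, Sequence

# Added example, not web2ldap code. SAMPLE_ENTRY and CONSTANT_ATTRS are
# constructed values; the function names are this example's own.


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes; non-ASCII characters
    are sent as escaped UTF-8 bytes."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def assertion_filter(entry: Dict[str, List[str]], constant_attrs: Sequence[str]) -> str:
    """Build the filter carried in an Assertion Control (RFC 4528) with a modify.

    For every attribute in constant_attrs the filter asserts that the entry
    still has exactly the value(s) that were read before editing; an attribute
    that was absent then is asserted to still be absent. The server evaluates
    the filter atomically with the modify and rejects the request with
    assertionFailed if the entry was changed in between.
    """
    terms: List[str] = []
    for attr in constant_attrs:
        values = entry.get(attr) or []
        if not values:
            terms.append(f"(!({attr}=*))")  # was absent: must still be absent
        for v in values:
            terms.append(f"({attr}={escape_filter_value(v)})")
    if not terms:
        return "(objectClass=*)"  # nothing to assert: always true
    if len(terms) == 1:
        return terms[0]
    return "(&" + "".join(terms) + ")"


# Constructed sample entry as it might have been read before editing
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "cn": ["Jane Doe"],
    "modifyTimestamp": ["20240102030405Z"],
    "entryCSN": ["20240102030405.123456Z#000000#000#000000"],
}
# Constructed stand-in for the host-specific modify_constant_attrs setting
CONSTANT_ATTRS = ["entryCSN", "modifyTimestamp"]


if __name__ == "__main__":
    print(assertion_filter(SAMPLE_ENTRY, CONSTANT_ATTRS))
```

Attributes the server maintains itself (entryCSN, modifyTimestamp) are the natural choice for such a filter, because any concurrent write changes them; the escaping matters because a value copied from the entry could otherwise alter the filter's structure.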
- LDAPv3 extended operations
  - StartTLS: provides transport layer security with TLS (see RFC 4513).
  - "Who am I?": shows which bind-DN is in effect, e.g. when using SASL bind (see RFC 4532).
  - Password Modify Extended Operation: for server-side password setting (see RFC 3062).
  - Refresh Dynamic Entry Extended Operation: for server-side refreshing of a dynamic entry (see RFC 2589).
- LDAPv3 extensions
  - All Operational Attributes: requests the server to return all operational attributes in a search response (see rootDSE attribute supportedFeatures, OID 1.3.6.1.4.1.4203.1.5.1, and RFC 3673).
Advanced HTTP options
- Downloading of binary attributes with appropriate mapping to MIME types.
- Optionally uses the right character set for output according to the HTTP header Accept-Charset sent by the HTTP client.
Security
- Support for SASL bind.
- Default configuration is quite strict.
- Since the user logs in and opens a persistent LDAP connection, storing or passing around passwords is not necessary.
- Security mechanisms to avoid hijacking web sessions.
- Maximum number of currently used web sessions can be limited.
- Smart login with automatic completion of bind DN.
SASL login mechanisms
Supported Mechanism(s) | Remark |
---|---|
DIGEST-MD5, CRAM-MD5 | Password-based challenge-response mechs: use short user name in login form, not the bind-DN |
PLAIN | is supported but not recommended unless SSL/TLS is used |
EXTERNAL | Usable for LDAPS, StartTLS or LDAPI connections. End-user authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client. |
GSSAPI | Usable for Kerberos V authentication. User authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client and the user obtained a TGT from the KDC beforehand (with the command-line tool kinit). |