- Runs on Unix-derived OS (e.g. Linux, FreeBSD, Solaris etc.).
- Runs either stand-alone (built-in web server) or accessed via WSGI-enabled web server.
- Highly configurable on a per-host/-backend basis.
- Correctly handles non-ASCII chars (display and input).
- If the user does something wrong a tersely error message is given which is most times based on the info field returned by the LDAP server. If it makes sense the user can retry immediately his/her action with corrected input parameters.
- Configuring the search root is most times unnecessary.
- Support for file upload of binary attributes, e.g. jpegPhoto or userCertificate.
- Efficient browsing in directory trees with paged displaying of search results. Honors attributes hasSubordinates, numSubordinates and subordinateCount if available for determining if entries have subordinate entries.
- Displays JPEG pictures in-line with reasonable performance by short-term caching.
- Universal title attribute added to a lot of HTML tags to have sort of a bubble-help in browsers which support that.
- Attributes containing DNs, URLs or mail addresses are shown as links. DNs can be followed within web2ldap by simply pressing the link.
- If an error occurs during adding or modifying entries the user can edit and re-submit his input data.
- Tries to be friendly to all browsers by producing simple, but well-formed HTML 5.
- Recursive deletion of directory trees.
Three different search forms:
- Static search form based on customizable HTML template.
- Build search filter by choosing options from select lists.
- Direct use of LDAP filter expressions.
- User-friendly handling of LDAPv3 referrals with reconnecting directly to referred host after presenting a login form to the user (see RFC 3296).
- OIDs in RootDSE attributes are displayed with name and description.
- Some (configurable) quick-buttons for common actions.
- Process LDIF input even with URL support (if configured).
Many Output Formats
- HTML templates can be used for displaying LDAP entries.
- HTML head section can be configured to include colors, background pictures or logos.
- ID params in main HTML tags for using Cascaded Style Sheets (CSS).
- Printer-friendly HTML output of search results based on a configurable HTML template string.
- Support for vCards - users of common browsers can easily add entries to their local address books.
Bulk downloading of directory data as
- LDIF or LDIFv1 (see RFC 2849).
- Comma-separated values (CSV with semicolon as separator)
- Excel worksheet file
Plug-in modules/classes for specific handling of attributes/syntaxes. The following plug-in modules currently exist in directory web2ldap/w2lapp/schema/plugins/:
|acp133||mainly LDAP syntaxes defined for ACP 133 with simple select lists, but could not tested|
|activedirectory||For MS AD and Samba 4|
|aedir||powerful plugin classes for maintaining Æ-DIR|
|apple||support for Apple Open Directory|
|asn1objects||Class which can dump BER objects as pretty-printed ASN.1|
|dds||for dynamic entries defined in RFC 2589|
|dhcp||for ISC dhcpd with LDAP backend|
|dns||for DNS RR entries like defined in dnsdomain2.schema|
|edirectory||Various syntaxes found in draft-sermersheim-nds-ldap-schema|
|eduperson||for attributes defined eduPerson|
|entrust||Some small syntax quirks for Entrust PKI schema|
|exchange||Some small quirks for Exchange 5.5|
|freeipa||Some small quirks for FreeIPA|
|groups||handles DN attributes related to groups|
|h350||for H.350 attributes defined in RFC 3944|
|ibmds||Some small quirks for IBM Directory Server|
|inetorgperson||Plugin classes solely registered for composing certain attributes used with inetOrgPerson (see RFC 2798).|
|krb5||for heimdal and MIT Kerberos schema|
|ldapns||LDAP-based naming service|
|lotusdomino||for attributes in Lotus Domino's LDAP service|
|mssfu30||Microsoft System Services for Unix 3.0|
|nis||NIS attributes (see also RFC 2307)|
|oath||Attributes used with OATH-LDAP|
|opends||mainly some configuration attributes used in OpenDJ (formerly known as OpenDS)|
|openldap||some attributes used in OpenLDAP for back-config and slapo-accesslog (see also draft-chu-ldap-logschema)|
|pgpkeysrv||Multi-line fields for PGP keys|
|pilotperson||for attributes defined in RFC 1274|
|pkcschema||for attributes defined in draft-ietf-pkix-ldap-pkc-schema|
|ppolicy||for attributes defined in draft-behera-ldap-password-policy|
|quirks||Various quirks for very misbehaving servers|
|samba||for Samba 3|
|schac||for attributes defined in SCHAC|
|subentries||for attributes defined for subentries (see RFC 3672)|
|vchupwdpolicy||covering central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy|
|vpim||for attributes defined in VPIM (see RFC 4237)|
|x500dsa||for attributes available on real X.500 DSAs|
Advanced LDAP features
- Schema support
- Full LDAPv3 sub schema sub entry support when displaying an entry or input form with required and allowed attributes.
- Built-in schema browser displays all forward and backward references to other schema elements as links for all supported schema elements and allows a simple wildcard search by OID or NAME patterns.
Supported and used schema attributes:
- Schema support has reasonable performance since caching of parsed sub schema sub entries is done.
- Full support for inherited schema elements (object classes and attribute types).
- Fall-back to a local schema definition in configuration stored in LDIF file (for e.g. LDAPv2 servers).
- Special handling of collective attributes.
- Write Access
- Support for adding, modifying, deleting entries, deleting sub trees and renaming entries.
- Schema-aware to provide schema-matching input forms for add/modify.
- Octet strings can be directly edited as hex-bytes.
- Plug-in classes implement specific input fields for many vendor-specific attributes.
- Configurable LDIF templates for new entries.
- Automatic search for missing parent entries if adding of an entry fails with "no such object". (for reducing the same old boring questions on the LDAP-related mailing lists ;-).
- Input values for some attributes/syntaxes (e.g. jpegPhoto, certificates and CRLs) are automagically converted to the right format.
- Password attributes
- Password Modify Extended Operation (see RFC 3062)
- Generating client-hashed userPassword values (see also draft-stroeder-hashed-userpassword-values).
- Synced setting of userPassword and Samba NT password attribute (support for old LAN manager hash was dropped in 1.1).
- Attribute shadowLastChange set if an entry has object class shadowAccount.
- Resetting the password attribute unicodePwd in MS AD.
- Removing various password-related attributes is supported even when the values are not visible (write-only access). Relax Rules Control can be used to remove operational attributes.
- Group administration feature
- Convenient, secure and efficient way to add/remove an entry to/from a group entry. Many common group object classes are automagically supported:
- LDAP connection handling
- Automatically determine the protocol version and features supported by the LDAP server. Falls back to reasonable defaults if features are not available.
- LDAP URLs
It it possible to directly use LDAP URLs (see
to reference LDAP entries and LDAP search results. Example:
http://demo.web2ldap.de:1760/web2ldap/ldapurl?ldap://ldap.openldap.org/dc=openldap,dc=orgNote: Although most LDAP URLs will work you should use URL-quoted LDAP URLs.
- Root DSE
- Uses namingContexts attribute from RootDSE to determine appropriate search root automatically.
- LDAPv3 Referrals
- Displays new login mask to repeat current action after chasing a referral.
- Search continuations are displayed.
- Locating LDAP service
Try to locate a LDAP host for a specific domain, dc-style DN
or e-mail address (see
- Well known DNS aliases (kinda primitive anyway)
- LDAPv3 Referrals (knowledge references)
- Locate LDAP host via SRV RR (see also RFC 2782). This is automatically done if e.g a LDAP URL does not contain a host name but a dc-style DN or if an error response was received with error code NO_SUCH_OBJECT (somewhat inspired by RFC 3088).
- allowed* attributes
- Some attributes provided by MS Active Directory and partially by OpenLDAP's slapo-allowed are used:
- LDAPv3 extended controls
- Manage DSA IT mode
- For editing referral entries (see RFC 3296).
- Two different controls for searching subentries (see RFC 3672 and draft-ietf-ldup-subentry-07)
- Relax Rules Control (formerly Manage DIT control)
- For editing operational attributes (see draft-zeilenga-ldap-relax).
- Tree Delete
- deletion of whole subtrees with a single DeleteRequest (see draft-armijo-ldap-treedelete).
- Assertion Control
- is used when sending a modify request if the seems to support it to prevent the server to process the request if the entry has been changed in between (see RFC 4528). Host-specific parameter modify_constant_attrs is used to generate the assertion filter.
- Password policy
- Displaying password warnings and guide the user to change the password (see draft-behera-ldap-password-policy).
- Read Entry Control
- Retrieving DN and attribute entryUUID when adding/renaming an entry (see RFC 4527).
- Session Tracking Control
- The client's IP address, the server name and the LDAPObject instance hash is sent to the LDAP server for debugging (see draft-wahl-ldap-session).
- OpenLDAP's no-op search control
- Count of all search results is retrieved by using OpenLDAP's no-op search control in case only partial search results were returned (see OpenLDAP ITS#6598).
- Don't Use Copy control
- Is used if found in rootDSE attribute supportedControl when reading an entry before presenting modification input form. OIDs from RFC 6171 and OpenLDAP experimental are supported.
- LDAPv3 extended operations
- provides transport layer security with TLS (see RFC 4513).
- "Who am I?"
- this operation shows which bind-DN is in effect e.g. when using SASL bind (see RFC 4532).
- Password Modify Extended Operation
- for server-side password setting (see RFC 3062).
- Refresh Dynamic Entry Extended Operation
- for server-side refreshing of a dynamic entry (see RFC 2589).
- LDAPv3 extensions
- All Operational Attributes
- Request the server to return all operational attributes in a search response. (See rootDSE attribute supportedFeatures, OID 220.127.116.11.4.1.418.104.22.168, see also RFC 3673)
Advanced HTTP options
- Downloading of binary attributes with appropriate mapping to MIME types.
Optionally use the right character set for output according to the
Accept-Charsetsent by the HTTP client.
- Support for SASL bind.
- Default configuration is quite strict.
- Since the user logs in and opens a persistent LDAP connection storing or passing around passwords is not necessary.
- Security mechanisms to avoid hijacking web sessions.
- Maximum number of currently used web sessions can be limited.
- Smart login with automatic completion of bind DN.
SASL login mechanisms
|DIGEST-MD5, CRAM-MD5||Password-based challenge-response mechs: use short user name in login form, not the bind-DN|
|PLAIN||is supported but not recommended unless SSL/TLS is used|
|EXTERNAL||Usable for LDAPS, StartTLS or LDAPI connections. End-user authentication is only meaningful if the web2ldap is started in stand-lone mode as a personal client.|
|GSSAPI||Usable for Kerberos V authentication. User authentication is only meaningful if the web2ldap is started in stand-lone mode as a personal client and the user obtained a TGT from the KDC before (with command-line tool kinit).|