This section describes the parameters related to specific LDAP
hosts/backends.
modify_constant_attrs
[addform_entry_templates]
[binddnsearch]
[description]
[groupadm_defs]
[input_template]
[link_css]
[login_default_mech]
[login_template]
[modify_constant_attrs]
[passwd_hashtypes]
[print_cols]
[print_template]
[read_operationalattrstemplate]
[read_template]
[rename_supsearchurl]
[requested_attrs]
[schema_uri]
[search_attrs]
[searchform_basesearchurl]
[search_resultsperpage]
[search_tablistattrs]
[search_tdtemplate]
[searchform_template]
[ssl_minlevel]
[ssl_valid_dn]
[ssl_valid_idn]
[starttls]
[timeout]
[tls_cacertdir]
[tls_cacertfile]
[tls_certfile]
[tls_keyfile]
[vcard_template]
List of LDAP URLs which will appear in the default select list
of the login form. It may contain either strings (only a LDAP URL)
or 2-tuples of strings containing LDAP URL and description.
Example:
ldap_uri_list = [
'ldap://localhost',
('ldap://ldap.openldap.org',u"OpenLDAP's demo server"),
]
If non-zero (or True) gateway access is restricted to the
LDAP servers specified in ldap_uri_list.
Note that the check is case sensitive (because of possibly case-sensitive
path names of Unix domain sockets for LDAPI)!
Default in source distribution: 1 (restriction enabled)
This is a string-keyed dictionary (Python data structure)
which holds all options specific for certain LDAP hosts or backends(
naming contexts). The values of the dictionary ldap_def
are of the simple class Web2LDAPConfig which is instantiated
via key word arguments
Any configuration parameter in the
dictionary web2ldapcnf.hosts.ldap_def is retrieved by looking
at all dictionary items with string-keys
'ldap://ldap_host/ldap_basedn',
'ldap:///ldap_basedn',
'ldap://ldap_host' and
'_'
in this particular order. All those string-key MUST
be valid LDAP URLs except for the default section which is
marked by a single underscore.
This allows to hold several database backends on the same host with
the same DNS name. It also shortens the ldap_def dictionary by
avoiding having to repeat same options for every server and
makes browsing of completely unconfigured hosts easy.
Configuration Example
ldap_def = {
'_': {
# Default fall-back options
},
'ldap://nldap.com': {
# Per-host options for host nldap.com
},
'ldap:///dc=openldap,dc=org': {
# Options for naming context dc=openldap,dc=org
# regardless on which server
},
'ldap://localhost/dc=stroeder,dc=com': {
# Options dictionary entries for backend
# on host localhost with naming context dc=stroeder,dc=com
}
}
Now each parameter is described. A system default value is assumed
if the parameter was not defined at all (no dictionary key
parameter). Most times this default value simply switches
off a certain behaviour.
- addform_entry_templates
-
This parameter allows to define a set of LDIF templates for new entries
each with a short descriptive identifier. The identifiers are shown
in a select input field of the object class selection form after choosing
[New entry] from the main menu as shown is this picture:

This is a dictionary with free-form identifiers as key and
path names of the LDIF template files as value.
- Default:
{}
- Example (the variant with
os.path.join(web2ldapcnf.templates_dir,..)
automatically
determines the standard template directory):
-
addform_entry_templates={
'Person':os.path.join(web2ldapcnf.templates_dir,'add_person.ldif'),
'My User Account':'/home/web2ldap/lib/add_myuser.ldif'),
},
- binddnsearch
-
Search filter template for smart login. Occurences of
%s are substituted by the string the user entered.
Note:
Think about using indexed attributes here! A bad filter
template can be a performance hog.
- Default:
'(uid=%s)'
- Example:
-
- description
-
Textual description of the host or backend which is displayed in the
status area at top of the window.
- Default:
''
- Example:
-
'My nifty LDAP server for user accounts'
- link_css
-
HTML snippet to tell the browser from where to pull various CSS files
for different media.
- Default:
''
- Example:
-
"""
<link rel="stylesheet" media="screen" href="/css/web2ldap/fixed.css">
<link rel="stylesheet" media="print, embossed" href="/css/web2ldap/print.css">
""",
- login_default_mech
-
Bind mechanism to be shown as default in the select field.
An empty string means simple bind. Otherwise the name
of the SASL mech is put here.
- Default:
''
(simple bind)
- Example for specifying SASL/DIGEST-MD5:
-
login_default_mech='DIGEST-MD5')
- login_template
-
HTML template file for the input fields of a Login Form.
The HTML document must not contain HTML <head> section,
<body> or <html> tags.
- Default:
''
- Example:
-
login_template=os.path.join(web2ldapcnf.templates_dir,'login.html')
- modify_constant_attrs
-
List of names of attribute types which are supposed to be constant during
editing an entry and are usually not edited by the user (only modified by DSA).
If at least one value of these attributes was changed
during editing the entry and submitting the new data modifying the entry
will fail with an error message to prevent conflicts of concurrent
modifications
- Default:
['createTimestamp','modifyTimestamp','creatorsName','modifiersName']
- Example:
-
modify_constant_attrs=['entryCSN','entryDN','entryUUID','createTimestamp','modifyTimestamp','creatorsName','modifiersName','uSNChanged','uSNCreated','whenChanged','whenCreated']
- groupadm_defs
-
Dictionary containing definitions about group entries
storing members in multi-valued member attributes. This is
used in the group admin mask. The dictionary's keys are
the name of the group entry object classes. The dictionary
values are 2-tuples representing the name of the multi-valued
member attribute in the group entry and the attribute type name
of the user attribute which is put to/removed from the group entry.
- Default:
{}
- Example:
-
groupadm_defs={
'groupOfNames': ('member',None),
'groupOfUniqueNames': ('uniqueMember',None),
'rfc822MailGroup': ('mail','mail'),
'mailGroup': ('mgrprfc822mailmember','mail'),
'accessGroup': ('member',None),
'posixGroup': ('memberUid','uid'),
},
- passwd_hashtypes
-
List of strings specifying the allowed password-hash types.
Valid values of implemented hashing schemes are:
- '' (empty string)
- no hashing, plain text
- 'crypt'
- Unix crypt algorithm (with salt like used with Unix passwd)
- 'md5'
- MD5 hash
- 'smd5'
- salted MD5 hash
- 'sha'
- SHA-1 hash
- 'ssha'
- salted SHA-1 hash
The hash-based encodings require the appropriate Python modules to be
installed on your system. The presence of the modules is automatically
detected and the displayed select list shows the available
password hash-types.
- Default:
[]
- Example (allow only salted MD5 and salted SHA-1):
'passwd_hashtypes':['smd5','ssha']
- print_cols
-
Number of columns for printable output.
- Default:
'4'
- print_template
-
HTML template files for printing table entries. This is a dictionary
with object class names as key and path names of HTML template files
as value.
- Default:
None
- Example:
-
print_template={
# 'object class':'pathname of printable HTML template file'
'person':os.path.join(web2ldapcnf.templates_dir,'print_person.html'),
'organization':os.path.join(web2ldapcnf.templates_dir,'print_organization.html'),
'organizationalUnit':os.path.join(web2ldapcnf.templates_dir,'print_organizationalUnit.html'),
},
- read_operationalattrstemplate
-
Path name of a HTML template file for displaying operational
attributes at the bottom when displaying a single entry.
- Default:
''
- read_template
-
Dictionary defining HTML templates for displaying entries
of certain object classes.
- Default:
{}
- Example:
-
read_template={
# 'object class':'pathname of HTML template file'
'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
'organizationalPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
'organization':os.path.join(web2ldapcnf.templates_dir,'read_organization.html'),
'posixAccount':os.path.join(web2ldapcnf.templates_dir,'read_posixAccount.html'),
},
- input_template
-
Dictionary defining HTML templates with input forms for entries
of certain object classes. The input form templates of all matching
object classes are displayed.
See files etc/web2ldap/templates/inputform_*.html as examples.
- Default:
{}
- Example:
-
input_template={
'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_inetOrgPerson.html'),
'posixAccount':os.path.join(web2ldapcnf.templates_dir,'inputform_posixAccount.html'),
'msPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_msPerson.html'),
},
- requested_attrs
-
List of attribute type names which are explicitly requested when
doing a search/read or modify operation. This is meant for accessing
operational attributes which the LDAP server does not return
without being asked for them.
- Default:
[]
- rename_supsearchurl
-
Dictionary with named LDAP URLs (without hostport portion) each specifying how to search
for a new superior DN of a rename operation. The DNs of the search results are
displayed as select list. The attrs portion is ignored.
If not set or empty string a normal input field is displayed.
- Default:
''
- Example:
-
rename_supsearchurl={
u'Search for organizational units':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organizationalUnit)',
u'Search for organizations':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organization)',
},
- schema_uri
-
URI pointing to fake sub schema sub entry.
If schema_uri is a LDAP URL an LDAP server is queried directly.
Otherwise schema_uri is assumed to point to a LDIF file.
- Default:
- None
- search_attrs
-
Attribute types which should be present in search attribute type select
list of advanced search form.
- Default:
['cn','mail']
- Example:
-
search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
- searchform_bases
-
List/tuple of search bases to be added to the select list of search bases displayed in the search form.
- Default:
()
- Example:
-
searchform_bases=(
'..',
'ou=Bizness,dc=example,dc=com',
'ou=Friends,dc=example,dc=com'
)
- searchform_basesearchurl
-
String with a LDAP URL (without hostport portion) which specifies how to search
for additional search bases to be displayed as select list in the search form.
The DNs of the search results are displayed as select list. The attrs portion is ignored.
- Default:
''
- Example:
-
searchform_basesearchurl='ldap:///dc=example,dc=com??sub?(|(objectClass=organization)(objectClass=organizationalUnit))'
- search_resultsperpage
-
Integer which specifies the number of results shown per page.
This affects the select list of the search form and displaying
results of a search without prior use of a search form.
- Default:
10
- search_tablistattrs
-
- Default:
[]
- search_tdtemplate
-
HTML template strings used to display entries in the table
of search results depending on the object class of an entry.
This is a dictionary with object class names as key and
HTML templates strings as value.
- Default:
{}
- searchform_template
-
This can be either a single string with the path name of a single HTML template file for the Basic Search Form.
The HTML document must not contain HTML <head> section,
<body> or <html> tags.
If this parameter is a dictionary it specifies a set of named template files.
The name _ (underscore) specifies a default template.
- Default:
''
- Example:
-
searchform_template= {
u'_':os.path.join(web2ldapcnf.templates_dir,'searchform_Base.html'),
u'Users':os.path.join(web2ldapcnf.templates_dir,'searchform_users.html'),
u'Orga':os.path.join(web2ldapcnf.templates_dir,'searchform_orga.html'),
u'Persons':os.path.join(web2ldapcnf.templates_dir,'searchform_persons.html'),
},
- ssl_minlevel
-
Defines the minimum required SSL security level for accessing
this host/backend through the web2ldap gateway.
- Default:
0
- ssl_valid_dn
-
Regex describing the valid subject DNs of client certificates.
- Default:
''
- ssl_valid_idn
-
Regex describing the valid DNs of issuer certificates
of valid client certificates.
- Default:
''
- starttls
-
Integer defining whether StartTLS should not be used
(value 0), StartTLS should be tried (value 1) or use
of StartTLS is mandantory (value 2) for connecting
to this server. Does only make sense per server.
- Default:
0
- tls_cacertdir
-
Specifies the directory that contains certificates for all of the
Certificate Authorities that will be recognized.
- Default:
''
- tls_cacertfile
-
Specifies the file that contains certificates for all of the
Certificate Authorities that will be recognized.
- Default:
''
- tls_certfile
-
Specifies the file that contains the client certificate for
strong SSL/TLS-based authentication.
- Default:
''
- tls_keyfile
-
Specifies the file that contains the client key file for
strong SSL/TLS-based authentication.
- Default:
''
- timeout
-
Timeout value for LDAP operations on seconds. -1 switches
off timeout handling.
- Default:
-1
- vcard_template
-
HTML template files for vCard downloading. This is a dictionary
with object class names as key and path names of vCard template files
as value.
- Default:
{}