See the roadmap for features which will
be added in the future.
Feature requests can be made through the
feedback form.
Running Mode
- Runs on Unix-derived OSes (e.g. Linux, FreeBSD, Solaris) and on 32-bit Windows.
- Runs multi-threaded either as a stand-alone web server, as a FastCGI server or as an SCGI server.
- Highly configurable on a per-host/per-backend basis.
User Interface
- Comfortable web interface for inexperienced users. If the user does something wrong, a terse error message is shown, usually based on the diagnostic message (info field) returned by the LDAP server. Where it makes sense, the user can immediately retry the action with corrected input. It should be emphasized that no other web interface provides such tolerant error handling in its user interface.
- Configuring the search root is usually unnecessary.
- Support for file upload of binary attributes, e.g. jpegPhoto or userCertificate.
- Efficient browsing of directory trees with paged display of search results. Honors the attributes hasSubordinates, numSubordinates and subordinateCount, if available, to determine whether entries have subordinate entries.
- Displays JPEG pictures in-line with reasonable performance thanks to caching.
- A title attribute is added to many HTML tags to provide a kind of bubble help in browsers that support it.
- Attributes containing DNs, URLs or mail addresses are shown as links. DNs can be followed within web2ldap simply by clicking the link.
- If an error occurs while adding or modifying an entry, the user can edit and re-submit the input data.
- Tries to be friendly to all browsers by producing simple but well-formed HTML 4.01 (almost strict).
- Recursive deletion of directory trees.
- Three different search forms:
  - Basic: static search form based on a customizable HTML template.
  - Advanced: build the search filter by choosing options from select lists.
  - Expert: direct use of LDAP filter expressions.
- User-friendly handling of LDAPv3 referrals: after presenting a login form to the user, web2ldap reconnects directly to the referred host (see RFC 3296).
- OIDs in RootDSE attributes are displayed with name and description.
- Some (configurable) quick buttons for common actions.
- Processes LDIF input, including URL references in LDIF (if configured).
Many Output Formats
- HTML templates can be used for displaying LDAP entries.
- The HTML header can be configured to include colors, background pictures or logos.
- id attributes on the main HTML tags for use with Cascading Style Sheets (CSS).
- Printer-friendly HTML output of search results based on a configurable HTML template string.
- Support for vCards: users of common browsers can easily add entries to their local address books.
- Bulk download of directory data as LDIF or LDIFv1 (see RFC 2849).
- Aware of UTF-8 character encoding for retrieving and storing non-US-ASCII characters.
- Bulk download of directory data as DSMLv1 (XML namespace for directory data).
Plug-in modules/classes for specific handling of attributes/syntaxes.
The following plug-in modules currently exist:
- acp133: mainly LDAP syntaxes defined for ACP 133, with simple select lists; not tested
- activedirectory: for MS AD and Samba 4
- asn1objects: class which can dump BER objects as ASN.1 using the pisces module
- dhcp: various attributes with dynamic select lists
- dirx: configuration attributes of Siemens DirX
- edirectory: various syntaxes found in draft-sermersheim-nds-ldap-schema
- eduperson: for attributes defined in eduPerson
- entrust: some small syntax quirks for the Entrust PKI schema
- exchange: some small quirks for Exchange 5.5
- ibmds: some small quirks for IBM Directory Server
- krb5: for the Heimdal and MIT Kerberos schema
- ldapns: LDAP-based naming service
- lotusdomino: for attributes in Lotus Domino's LDAP service
- msperson: see stroeder.com.schema
- mssfu30: Microsoft Services for Unix 3.0
- nis: NIS attributes (see also RFC 2307)
- opends: mainly some configuration attributes used in OpenDS
- openldap: some attributes used in OpenLDAP for configuration and accesslog (see also draft-chu-ldap-logschema)
- pgpkeysrv: multi-line fields for PGP keys
- pilotperson
- pkcschema: for attributes defined in draft-ietf-pkix-ldap-pkc-schema
- ppolicy: for attributes defined in draft-behera-ldap-password-policy
- quirks: various quirks for badly misbehaving servers
- samba: for Samba 3
- schac: for attributes defined in SCHAC
- subentries: for attributes defined for subentries (see RFC 3672)
- vchupwdpolicy: central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy
- vpim: for attributes defined in VPIM (see RFC 4237)
- x500dsa
Schema support
- Full LDAPv3 subschema subentry support when displaying an entry or an input form with required and allowed attributes.
- Built-in schema browser displays all forward and backward references to other schema elements as links, for all supported schema elements, and allows a simple wildcard search by OID or NAME patterns.
- Supported and used schema attributes:
  - attributeTypes
  - dITContentRules
  - ldapSyntaxes
  - matchingRuleUse
  - matchingRules
  - objectClasses
  - dITStructureRules
  - nameForms
- Schema support has reasonable performance because parsed subschema subentries are cached.
- Full support for inherited schema elements (object classes and attribute types).
- Fall-back to a local schema definition stored as an LDIF file in the configuration (e.g. for LDAPv2 servers).
- Special handling of collective attributes.
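The schema-aware input form described above needs to know, for an entry's set of object classes, which attributes are required (MUST) and which are merely allowed (MAY), including everything inherited via SUP. The following is an added example, not web2ldap's own code: a small parser for RFC 4512 objectClass definitions as found in a subschema subentry, and the inheritance walk that produces the two attribute lists. The definitions in SAMPLE_OBJECT_CLASSES are constructed sample data, abridged from the standard person/inetOrgPerson/posixAccount classes.

```python
"""Added example (not web2ldap's own code): resolve MUST/MAY attributes for a
set of object classes from RFC 4512 objectClass definitions, following SUP
inheritance as a schema-aware input form has to."""
import re

# Constructed sample subschema definitions (abridged from RFC 4519/RFC 2798/RFC 2307).
SAMPLE_OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ l $ postalAddress ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL DESC 'RFC2798: Internet Organizational Person' "
    "MAY ( mail $ uid $ jpegPhoto $ userCertificate ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY "
    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
    "MAY ( userPassword $ loginShell $ gecos $ description ) )",
]

# Tokens of the RFC 4512 syntax: parentheses, the '$' list separator,
# quoted strings (which may contain spaces and parentheses) and bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")


def parse_object_class(definition):
    """Return a dict with oid, names, sup, kind, must, may for one definition."""
    tokens = _TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not an RFC 4512 objectClass definition: %r" % definition)
    tokens = tokens[1:-1]
    oc = {"oid": tokens[0], "names": [], "sup": [], "kind": "STRUCTURAL",
          "must": [], "may": []}
    i = 1
    while i < len(tokens):
        keyword = tokens[i]
        i += 1
        if keyword in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = keyword
            continue
        if keyword == "OBSOLETE":
            oc["obsolete"] = True
            continue
        # Every other keyword takes one value or a '(' ... ')' list of values.
        values = []
        if i < len(tokens) and tokens[i] == "(":
            i += 1
            while i < len(tokens) and tokens[i] != ")":
                if tokens[i] != "$":
                    values.append(tokens[i])
                i += 1
            i += 1  # skip ')'
        elif i < len(tokens):
            values.append(tokens[i])
            i += 1
        values = [v.strip("'") for v in values]
        if keyword == "NAME":
            oc["names"] = values
        elif keyword == "SUP":
            oc["sup"] = values
        elif keyword == "MUST":
            oc["must"] = values
        elif keyword == "MAY":
            oc["may"] = values
        elif keyword == "DESC":
            oc["desc"] = values[0] if values else ""
        # X-* extensions and unknown keywords are skipped
    return oc


def build_schema(definitions):
    """Index parsed object classes by OID and by every NAME (case-insensitive)."""
    schema = {}
    for definition in definitions:
        oc = parse_object_class(definition)
        for key in [oc["oid"]] + oc["names"]:
            schema[key.lower()] = oc
    return schema


def required_and_allowed(schema, object_classes):
    """MUST and MAY attribute names for an entry with these object classes,
    including everything inherited via SUP. An attribute that is MUST in any
    class is reported as required only, never also as allowed."""
    must, may, seen = {}, {}, set()

    def walk(name):
        oc = schema.get(name.lower())
        if oc is None:
            raise KeyError("object class %r not in schema" % name)
        if oc["oid"] in seen:          # already visited (shared superclass)
            return
        seen.add(oc["oid"])
        for attr in oc["must"]:        # attribute names compare case-insensitively
            must.setdefault(attr.lower(), attr)
        for attr in oc["may"]:
            may.setdefault(attr.lower(), attr)
        for sup in oc["sup"]:
            walk(sup)

    for name in object_classes:
        walk(name)
    required = sorted(must.values(), key=str.lower)
    allowed = sorted((v for k, v in may.items() if k not in must), key=str.lower)
    return required, allowed


if __name__ == "__main__":
    schema = build_schema(SAMPLE_OBJECT_CLASSES)
    req, opt = required_and_allowed(schema, ["inetOrgPerson", "posixAccount"])
    print("MUST:", ", ".join(req))
    print("MAY: ", ", ".join(opt))
```

The parser deliberately keeps quoted strings as single tokens, so a DESC such as 'RFC2798: Internet Organizational Person' does not break keyword detection; an unknown object class raises KeyError rather than silently producing an incomplete form.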
Write Access
- Support for adding, modifying, deleting and renaming entries and for deleting subtrees.
- Schema-aware: provides schema-matching input forms for add/modify.
- Octet strings can be directly edited as hex bytes.
- Plug-in classes implement specific input fields for many vendor-specific attributes.
- Configurable LDIF templates for new entries.
- Automatic search for missing parent entries if adding an entry fails with "no such object" (to reduce the same old boring questions on the LDAP-related mailing lists ;-).
- Input values for some attributes/syntaxes (e.g. jpegPhoto, certificates and CRLs) are automagically converted to the right format.
Changing/Resetting passwords
- Password Modify Extended Operation (see RFC 3062).
- Client-hashed passwords (see also RFC 2307; schemes {crypt}, {md5}, {sha}, {smd5}, {ssha}) for setting the userPassword attribute on UMich-derived LDAP servers (like OpenLDAP, Netscape/iPlanet server etc.).
- Synced setting of userPassword and Samba password attributes.
- The attribute shadowLastChange is set if an entry has object class shadowAccount.
- Resetting the password attribute unicodePwd in MS AD.
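The client-hashed password schemes listed above all produce a userPassword value of the form {SCHEME}base64(...). The following is an added example, not web2ldap's own code, showing how such values are generated and verified, and how the shadowLastChange value for a shadowAccount entry is derived. {crypt} is left out because its output depends on the platform's crypt(3); the other four schemes are implemented with the standard library only.

```python
"""Added example (not web2ldap's own code): RFC 2307 style userPassword values
hashed on the client side, a verifier for them, and the shadowLastChange
value a shadowAccount entry receives on a password change."""
import base64
import hashlib
import hmac
import os
from datetime import date

# scheme -> (hash constructor, salted?).  Salted schemes append the salt to
# the digest before base64 encoding, as OpenLDAP-style servers expect.
_SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}


def hash_userpassword(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}' + base64(digest(password || salt) || salt).
    Salted schemes get 8 random bytes of salt unless one is passed in."""
    scheme = scheme.upper()
    digest, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    raw = digest(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw + salt).decode("ascii"))


def check_userpassword(stored, password):
    """Verify password against a stored value; False for malformed input or
    for schemes this example does not implement (e.g. {crypt})."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, encoded = stored[1:].split("}", 1)
    entry = _SCHEMES.get(scheme.upper())
    if entry is None:
        return False
    digest, salted = entry
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return False
    size = digest().digest_size
    if len(blob) < size or (not salted and len(blob) != size):
        return False
    stored_digest, salt = blob[:size], blob[size:]
    candidate = digest(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)   # constant-time compare


def shadow_last_change(day=None):
    """RFC 2307 shadowLastChange: days since 1970-01-01 of the last change."""
    day = day or date.today()
    return (day - date(1970, 1, 1)).days


if __name__ == "__main__":
    value = hash_userpassword("secret")
    print("userPassword:", value, check_userpassword(value, "secret"))
    print("shadowLastChange:", shadow_last_change())
```

Two caveats a practitioner should keep in mind: the unsalted {MD5} and {SHA} schemes yield the same value for the same password everywhere, so they are trivially attacked with precomputed tables; prefer {SSHA} when hashing on the client at all, and where the server offers the Password Modify extended operation (RFC 3062) let the server hash the password with its own configured scheme. In either case the password or its hash crosses the network, so the LDAP connection should be protected with StartTLS or LDAPS.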
Group administration feature
- Convenient, secure and efficient way to add/remove an entry to/from a group entry. Many common group object classes are supported automagically:
  - groupOfNames
  - groupOfUniqueNames
  - rfc822MailGroup
  - mailGroup
  - posixGroup (see RFC 2307)
  - accessGroup (found in IBM SecureWay)
  Even large groups (>100000 members) are handled with reasonable performance. Security problems, even with distributed management, are avoided by "just doing it right".
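One way to add or remove a single member safely and cheaply, as an added example that is not web2ldap's own code: choose the membership attribute from the group's object classes and send a modify request that adds or deletes just that one value. The attribute is never rewritten as a whole, so two administrators editing the same group concurrently cannot silently overwrite each other's change, and the request stays small even for a group with 100000 members. The objectClass mapping is an assumption restricted to classes defined in RFC 4519 and RFC 2307; the other group classes listed on this page are not covered. The sample group entry is constructed.

```python
"""Added example (not web2ldap's own code): build the LDAP modify operation
that adds or removes one member of a group entry, choosing the membership
attribute and value form from the group's object classes."""

MOD_ADD, MOD_DELETE = 0, 1   # the numbers python-ldap uses for ldap.MOD_ADD / ldap.MOD_DELETE

# objectClass (lower-case) -> (membership attribute, value is a DN?).  Assumed
# mapping covering RFC 4519 groupOfNames/groupOfUniqueNames and RFC 2307 posixGroup.
GROUP_CLASSES = {
    "groupofnames": ("member", True),
    "groupofuniquenames": ("uniqueMember", True),
    "posixgroup": ("memberUid", False),     # RFC 2307: the user's uid, not its DN
}


def membership_attrs(object_classes):
    """Membership attributes a group entry carries, in objectClass order."""
    found = [GROUP_CLASSES[oc.lower()] for oc in object_classes
             if oc.lower() in GROUP_CLASSES]
    if not found:
        raise ValueError("no supported group object class in %r" % (list(object_classes),))
    return found


def uid_from_dn(member_dn):
    """'uid=alice,ou=people,dc=example,dc=com' -> 'alice' for memberUid."""
    attr, _, value = member_dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "uid" or not value.strip():
        raise ValueError("member DN must start with uid= for posixGroup: %r" % member_dn)
    return value.strip()


def _normalise(value):
    # Attribute values compared here (DNs, uids) are case-insensitive.  A full
    # DN comparison would also canonicalise escaping and whitespace; skipped.
    return value.strip().lower()


def group_modlist(group_entry, member_dn, add=True):
    """Return [(op, attribute, [value]), ...], i.e. the modlist for one LDAP
    modify request on the group.  group_entry is the group as read from the
    directory: {'objectClass': [...], 'member': [...], 'memberUid': [...]}.
    Current values are checked so the modlist is empty when there is nothing
    to do, instead of the server answering attributeOrValueExists or
    noSuchAttribute."""
    mods = []
    for attr, is_dn in membership_attrs(group_entry["objectClass"]):
        value = member_dn if is_dn else uid_from_dn(member_dn)
        present = _normalise(value) in {_normalise(v) for v in group_entry.get(attr, [])}
        if add and not present:
            mods.append((MOD_ADD, attr, [value]))
        elif not add and present:
            mods.append((MOD_DELETE, attr, [value]))
    return mods


if __name__ == "__main__":
    # Constructed sample group carrying both a DN-valued and a uid-valued
    # membership attribute, as is common for Samba/OpenLDAP setups.
    group = {
        "objectClass": ["top", "groupOfNames", "posixGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "memberUid": ["alice"],
    }
    for mod in group_modlist(group, "uid=bob,ou=people,dc=example,dc=com"):
        print(mod)
    # With python-ldap the result would be passed to conn.modify_s(group_dn, modlist).
```

Because an LDAP modify is applied atomically per entry, adding or deleting one value never disturbs the other values that may have changed since the group was read; replacing the whole member attribute would.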
LDAP connection handling
- Automatically determines the protocol version and the features supported by the LDAP server. Falls back to reasonable defaults if features are not available.
LDAP URLs
- It is possible to directly use LDAP URLs (see RFC 4516) to reference LDAP entries and LDAP search results. Example:
  http://demo.web2ldap.de:1760/web2ldap/ldapurl?ldap://ldap.openldap.org/dc=openldap,dc=org
  Note: although most LDAP URLs will work as-is, you should pass URL-quoted (percent-encoded) LDAP URLs, since characters such as ?, & and # inside the LDAP URL are otherwise interpreted as part of the HTTP query string.
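As an added example, not web2ldap's own code, the following splits an RFC 4516 LDAP URL into its components, applying the RFC's defaults for scope and filter, and percent-encodes a complete LDAP URL so that it survives as the query string of an HTTP request like the one above. Only the /web2ldap/ldapurl path is taken from this page; the helper names and the sample URLs are illustrative.

```python
"""Added example (not web2ldap's own code): parse RFC 4516 LDAP URLs and
percent-encode them for use inside an HTTP query string."""
from urllib.parse import quote, unquote

_DEFAULT_PORT = {"ldap": 389, "ldaps": 636, "ldapi": None}
_SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Return scheme, host, port, dn, attrs, scope, filter and extensions."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if sep != "://" or scheme not in _DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    # RFC 4516: dn ? attributes ? scope ? filter ? extensions; each component
    # is percent-encoded, so split on the separators first and decode after.
    parts = path.split("?")
    if len(parts) > 5:
        raise ValueError("more than five '?'-separated components in %r" % url)
    parts += [""] * (5 - len(parts))
    dn = unquote(parts[0])
    attrs = [unquote(a) for a in parts[1].split(",") if a]
    scope = unquote(parts[2]).lower() or "base"
    if scope not in _SCOPES:
        raise ValueError("invalid scope %r" % scope)
    filt = unquote(parts[3]) or "(objectClass=*)"
    exts = [unquote(e) for e in parts[4].split(",") if e]
    if scheme == "ldapi":
        host, port = unquote(hostport), None        # encoded Unix socket path
    elif hostport.endswith("]") or ":" not in hostport:
        host, port = hostport, _DEFAULT_PORT[scheme]  # bare host or [IPv6] without port
    else:
        host, _, port = hostport.rpartition(":")    # also handles [IPv6]:port
        port = int(port)
    return {"scheme": scheme, "host": host, "port": port, "dn": dn,
            "attrs": attrs, "scope": scope, "filter": filt, "extensions": exts}


def to_http_query(ldap_url):
    """Percent-encode a whole LDAP URL for use as an HTTP query string value.
    '?', '&', '#', '=' and '+' would otherwise be read as HTTP syntax."""
    return quote(ldap_url, safe="")


def ldapurl_link(base, ldap_url):
    """Build the web2ldap-style link: <base>/ldapurl?<encoded LDAP URL>."""
    return base.rstrip("/") + "/ldapurl?" + to_http_query(ldap_url)


if __name__ == "__main__":
    sample = "ldap://ldap.openldap.org/dc=openldap,dc=org??sub?(mail=*@openldap.org)"
    print(parse_ldap_url(sample))
    print(ldapurl_link("http://demo.web2ldap.de:1760/web2ldap", sample))
```

Decoding after splitting is what keeps a literal '?' or ',' inside a filter or DN (encoded as %3F and %2C) from being mistaken for a component separator; encoding the whole LDAP URL with an empty safe set does the same for the enclosing HTTP URL.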
Root DSE
- Uses the namingContexts attribute from the RootDSE to determine an appropriate search root automatically.
LDAPv3 Referrals
- Displays a new login mask to repeat the current action after chasing a referral.
- Search continuations are displayed.
Locating LDAP service
- Tries to locate an LDAP host for a given domain, dc-style DN (RFC 2247, RFC 2377) or e-mail address (see also the Internet Draft "A Taxonomy of Methods for LDAP Clients Finding Servers" on the LDAPEXT page).
- Well-known DNS aliases (kinda primitive anyway).
- LDAPv3 referrals (knowledge references).
- Locating the LDAP host via SRV RRs (see also RFC 2782). This is done automatically if, e.g., an LDAP URL contains no host name but a dc-style DN, or if an error response with result code noSuchObject was received (somewhat inspired by RFC 3088).
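The SRV-based location described above has two mechanical parts: deriving the DNS owner name to query from a dc-style DN (or mail domain), and choosing among the SRV records the resolver returns. The following is an added example, not web2ldap's own code, implementing the RFC 2247 DN-to-domain mapping and the RFC 2782 priority/weight selection. No DNS query is made, so it runs offline; the SRV records in the demo are constructed sample data, and a real client would resolve srv_name(...) with its resolver and feed the answers to srv_try_order().

```python
"""Added example (not web2ldap's own code): RFC 2247 dc-style DN to domain
mapping, the RFC 2782 SRV owner name for LDAP, and RFC 2782 target selection
by priority and weight."""
import random


def dn_to_domain(dn):
    """'cn=x,ou=y,dc=example,dc=com' -> 'example.com' (RFC 2247).
    Only the trailing run of dc= RDNs counts; escaped commas inside RDN
    values are not handled by this simple split."""
    labels = []
    for rdn in reversed(dn.split(",")):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            break
        labels.append(value.strip())
    if not labels:
        raise ValueError("no dc= components at the top of %r" % dn)
    return ".".join(reversed(labels))


def mail_to_domain(address):
    """'alice@example.org' -> 'example.org'."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    return domain


def srv_name(domain, service="ldap", proto="tcp"):
    """Owner name to query for SRV records, e.g. '_ldap._tcp.example.com'."""
    return "_%s._%s.%s" % (service, proto, domain.strip(".").lower())


def srv_try_order(records, rng=random):
    """records: iterable of (priority, weight, port, target) as returned by an
    SRV lookup.  Returns [(target, port), ...] in the order a client should
    try them: lowest priority first; within one priority a weighted random
    choice in which weight-0 records get the smallest chance (RFC 2782,
    'Usage rules').  rng only needs a randint(lo, hi) method."""
    remaining = sorted(records, key=lambda r: (r[0], r[1]))  # priority, then weight
    order = []
    while remaining:
        lowest = remaining[0][0]
        candidates = [r for r in remaining if r[0] == lowest]
        total = sum(r[1] for r in candidates)
        point = rng.randint(0, total)
        running = 0
        for rec in candidates:           # weight-0 records come first, so they are
            running += rec[1]            # only chosen when point == 0
            if running >= point:
                break
        order.append((rec[3], rec[2]))
        remaining.remove(rec)
    return order


if __name__ == "__main__":
    name = srv_name(dn_to_domain("ou=people,dc=example,dc=com"))
    # Constructed SRV answer for the demo (priority, weight, port, target).
    sample = [(10, 60, 389, "ldap1.example.com."),
              (10, 40, 389, "ldap2.example.com."),
              (20, 0, 1389, "backup.example.com.")]
    print(name, "->", srv_try_order(sample))
```

A client that honours this order tries the lower-priority hosts only after every higher-priority host failed, which is what makes a backup record with priority 20 useful without it ever taking traffic in normal operation.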
LDAPv3 extended controls
- Manage DSA IT: for editing referral entries (see RFC 3296).
- Subentries: two different controls for searching subentries (see RFC 3672 and draft-ietf-ldup-subentry-07.txt).
- Relax Rules Control (formerly Manage DIT control): for editing operational attributes (see draft-zeilenga-ldap-relax).
- Tree Delete: deletion of whole subtrees with a single DeleteRequest (see draft-armijo-ldap-treedelete).
LDAPv3 extended operations
- StartTLS: provides transport layer security with TLS (see RFC 4513).
- "Who am I?": shows which bind DN is in effect, e.g. when using SASL bind (see RFC 4532).
- Password Modify Extended Operation: server-side password setting (see RFC 3062).
LDAPv3 extensions
- All Operational Attributes: requests the server to return all operational attributes in a search response (see the rootDSE attribute supportedFeatures, OID 1.3.6.1.4.1.4203.1.5.1, and RFC 3673).
Advanced HTTP options
- Downloading of binary attributes with appropriate mapping to MIME types.
- Optionally uses gzip encoding to save network bandwidth if the client has sent Accept-Encoding: gzip in the HTTP request header.
- Optionally uses the right character set for output according to the Accept-Charset HTTP header sent by the client.
Security
Please also check out the security page.
- Support for SASL bind.
- The default configuration is quite strict. If you see this paradigm violated somewhere in a distributed package of web2ldap, please let me know.
- Since the user logs in and opens a persistent LDAP connection, storing or passing around passwords is not necessary.
- Security mechanisms to avoid hijacking of web sessions.
- The maximum number of concurrently used web sessions can be limited.
- Smart login with automatic completion of the bind DN.
- Nice display of X.509 certificates and CRLs stored in the directory, including all X.509v3 extensions, with links to e.g. CRL distribution points, policy documents etc.
SASL login mechanisms

Mechanism(s)          | Remark
DIGEST-MD5, CRAM-MD5  | Password-based challenge-response mechanisms: use the short user name in the login form, not the bind DN. (DIGEST-MD5 has since been moved to Historic status by RFC 6331.)
PLAIN                 | Supported, but not recommended unless SSL/TLS is used.
EXTERNAL              | Usable for LDAPS, StartTLS or LDAPI connections. End-user authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client.
GSSAPI                | Usable for Kerberos V authentication. User authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client and the user obtained a TGT from the KDC beforehand (with the command-line tool kinit).