web2ldap - hosts.py

The configuration module directory web2ldapcnf/
General
<Download> <Features> <Roadmap> <News> <Demo> <Related>
Support
<Commercial> <Feedback> <FAQ>
Documentation
<Installing> <Customizing UI> <Configuration> <Compability> <Security> <Changes> <Files>

This section describes the parameters related to specific LDAP hosts/backends.

modify_constant_attrs [addform_entry_templates] [binddnsearch] [description] [groupadm_defs] [input_template] [link_css] [login_default_mech] [login_template] [modify_constant_attrs] [passwd_hashtypes] [print_cols] [print_template] [read_operationalattrstemplate] [read_template] [rename_supsearchurl] [requested_attrs] [schema_uri] [search_attrs] [searchform_basesearchurl] [search_resultsperpage] [search_tablistattrs] [search_tdtemplate] [searchform_template] [ssl_minlevel] [ssl_valid_dn] [ssl_valid_idn] [starttls] [timeout] [tls_cacertdir] [tls_cacertfile] [tls_certfile] [tls_keyfile] [vcard_template]

ldap_uri_list

List of LDAP URLs which will appear in the default select list of the login form. It may contain either strings (only a LDAP URL) or 2-tuples of strings containing LDAP URL and description.

Example:

ldap_uri_list = [
  'ldap://localhost',
  ('ldap://ldap.openldap.org',u"OpenLDAP's demo server"),
]
  

restricted_ldap_uri_list

If non-zero (or True) gateway access is restricted to the LDAP servers specified in ldap_uri_list. Note that the check is case sensitive (because of possibly case-sensitive path names of Unix domain sockets for LDAPI)!
Default in source distribution: 1 (restriction enabled)

ldap_def

This is a string-keyed dictionary (Python data structure) which holds all options specific for certain LDAP hosts or backends( naming contexts). The values of the dictionary ldap_def are of the simple class Web2LDAPConfig which is instantiated via key word arguments

Cascaded configuration

Any configuration parameter in the dictionary web2ldapcnf.hosts.ldap_def is retrieved by looking at all dictionary items with string-keys

  1. 'ldap://ldap_host/ldap_basedn',
  2. 'ldap:///ldap_basedn',
  3. 'ldap://ldap_host' and
  4. '_'

in this particular order. All those string-key MUST be valid LDAP URLs except for the default section which is marked by a single underscore.
This allows to hold several database backends on the same host with the same DNS name. It also shortens the ldap_def dictionary by avoiding having to repeat same options for every server and makes browsing of completely unconfigured hosts easy.

Configuration Example

ldap_def = {

  '_': {
    # Default fall-back options
  },

  'ldap://nldap.com': {
    # Per-host options for host nldap.com
  },

  'ldap:///dc=openldap,dc=org': {
    # Options for naming context dc=openldap,dc=org
    # regardless on which server
  },

  'ldap://localhost/dc=stroeder,dc=com': {
    # Options dictionary entries for backend
    # on host localhost with naming context dc=stroeder,dc=com
  }

}
  
Now each parameter is described. A system default value is assumed if the parameter was not defined at all (no dictionary key parameter). Most times this default value simply switches off a certain behaviour.
addform_entry_templates
This parameter allows to define a set of LDIF templates for new entries each with a short descriptive identifier. The identifiers are shown in a select input field of the object class selection form after choosing [New entry] from the main menu as shown is this picture:

select input field based on addform_entry_templates

This is a dictionary with free-form identifiers as key and path names of the LDIF template files as value.
Default:
{}
Example (the variant with os.path.join(web2ldapcnf.templates_dir,..) automatically determines the standard template directory):
addform_entry_templates={
  'Person':os.path.join(web2ldapcnf.templates_dir,'add_person.ldif'),
  'My User Account':'/home/web2ldap/lib/add_myuser.ldif'),
},
	  
binddnsearch
Search filter template for smart login. Occurences of %s are substituted by the string the user entered.
Note:
Think about using indexed attributes here! A bad filter template can be a performance hog.
Default:
'(uid=%s)'
Example:
description
Textual description of the host or backend which is displayed in the status area at top of the window.
Default:
''
Example:
'My nifty LDAP server for user accounts'
link_css
HTML snippet to tell the browser from where to pull various CSS files for different media.
Default:
''
Example:
"""
<link rel="stylesheet" media="screen" href="/css/web2ldap/fixed.css">
<link rel="stylesheet" media="print, embossed" href="/css/web2ldap/print.css">
""",
login_default_mech
Bind mechanism to be shown as default in the select field. An empty string means simple bind. Otherwise the name of the SASL mech is put here.
Default:
'' (simple bind)
Example for specifying SASL/DIGEST-MD5:
login_default_mech='DIGEST-MD5')
login_template
HTML template file for the input fields of a Login Form. The HTML document must not contain HTML <head> section, <body> or <html> tags.
Default:
''
Example:
login_template=os.path.join(web2ldapcnf.templates_dir,'login.html')
modify_constant_attrs
List of names of attribute types which are supposed to be constant during editing an entry and are usually not edited by the user (only modified by DSA).
If at least one value of these attributes was changed during editing the entry and submitting the new data modifying the entry will fail with an error message to prevent conflicts of concurrent modifications
Default:
['createTimestamp','modifyTimestamp','creatorsName','modifiersName']
Example:
modify_constant_attrs=['entryCSN','entryDN','entryUUID','createTimestamp','modifyTimestamp','creatorsName','modifiersName','uSNChanged','uSNCreated','whenChanged','whenCreated']
groupadm_defs
Dictionary containing definitions about group entries storing members in multi-valued member attributes. This is used in the group admin mask. The dictionary's keys are the name of the group entry object classes. The dictionary values are 2-tuples representing the name of the multi-valued member attribute in the group entry and the attribute type name of the user attribute which is put to/removed from the group entry.
Default:
{}
Example:
groupadm_defs={
  'groupOfNames':       ('member',None),
  'groupOfUniqueNames': ('uniqueMember',None),
  'rfc822MailGroup':    ('mail','mail'),
  'mailGroup':          ('mgrprfc822mailmember','mail'),
  'accessGroup':        ('member',None),
  'posixGroup':         ('memberUid','uid'),
},
          
passwd_hashtypes
List of strings specifying the allowed password-hash types. Valid values of implemented hashing schemes are:
'' (empty string)
no hashing, plain text
'crypt'
Unix crypt algorithm (with salt like used with Unix passwd)
'md5'
MD5 hash
'smd5'
salted MD5 hash
'sha'
SHA-1 hash
'ssha'
salted SHA-1 hash
The hash-based encodings require the appropriate Python modules to be installed on your system. The presence of the modules is automatically detected and the displayed select list shows the available password hash-types.
Default:
[]
Example (allow only salted MD5 and salted SHA-1):
'passwd_hashtypes':['smd5','ssha']
print_cols
Number of columns for printable output.
Default:
'4'
print_template
HTML template files for printing table entries. This is a dictionary with object class names as key and path names of HTML template files as value.
Default:
None
Example:
print_template={
  # 'object class':'pathname of printable HTML template file'
  'person':os.path.join(web2ldapcnf.templates_dir,'print_person.html'),
  'organization':os.path.join(web2ldapcnf.templates_dir,'print_organization.html'),
  'organizationalUnit':os.path.join(web2ldapcnf.templates_dir,'print_organizationalUnit.html'),
},
          
read_operationalattrstemplate
Path name of a HTML template file for displaying operational attributes at the bottom when displaying a single entry.
Default:
''
read_template
Dictionary defining HTML templates for displaying entries of certain object classes.
Default:
{}
Example:
read_template={
  # 'object class':'pathname of HTML template file'
  'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
  'organizationalPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
  'organization':os.path.join(web2ldapcnf.templates_dir,'read_organization.html'),
  'posixAccount':os.path.join(web2ldapcnf.templates_dir,'read_posixAccount.html'),
},
          
input_template
Dictionary defining HTML templates with input forms for entries of certain object classes. The input form templates of all matching object classes are displayed. See files etc/web2ldap/templates/inputform_*.html as examples.
Default:
{}
Example:
input_template={
  'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_inetOrgPerson.html'),
  'posixAccount':os.path.join(web2ldapcnf.templates_dir,'inputform_posixAccount.html'),
  'msPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_msPerson.html'),
},
          
requested_attrs
List of attribute type names which are explicitly requested when doing a search/read or modify operation. This is meant for accessing operational attributes which the LDAP server does not return without being asked for them.
Default:
[]
rename_supsearchurl
Dictionary with named LDAP URLs (without hostport portion) each specifying how to search for a new superior DN of a rename operation. The DNs of the search results are displayed as select list. The attrs portion is ignored. If not set or empty string a normal input field is displayed.
Default:
''
Example:
rename_supsearchurl={
  u'Search for organizational units':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organizationalUnit)',
  u'Search for organizations':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organization)',
},
          
schema_uri
URI pointing to fake sub schema sub entry. If schema_uri is a LDAP URL an LDAP server is queried directly. Otherwise schema_uri is assumed to point to a LDIF file.
Default:
None
search_attrs
Attribute types which should be present in search attribute type select list of advanced search form.
Default:
['cn','mail']
Example:
search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
searchform_bases
List/tuple of search bases to be added to the select list of search bases displayed in the search form.
Default:
()
Example:
searchform_bases=(
  '..',
  'ou=Bizness,dc=example,dc=com',
  'ou=Friends,dc=example,dc=com'
)
          
searchform_basesearchurl
String with a LDAP URL (without hostport portion) which specifies how to search for additional search bases to be displayed as select list in the search form. The DNs of the search results are displayed as select list. The attrs portion is ignored.
Default:
''
Example:
searchform_basesearchurl='ldap:///dc=example,dc=com??sub?(|(objectClass=organization)(objectClass=organizationalUnit))'
search_resultsperpage
Integer which specifies the number of results shown per page. This affects the select list of the search form and displaying results of a search without prior use of a search form.
Default:
10
search_tablistattrs
Default:
[]
search_tdtemplate
HTML template strings used to display entries in the table of search results depending on the object class of an entry. This is a dictionary with object class names as key and HTML templates strings as value.
Default:
{}
searchform_template
This can be either a single string with the path name of a single HTML template file for the Basic Search Form. The HTML document must not contain HTML <head> section, <body> or <html> tags. If this parameter is a dictionary it specifies a set of named template files. The name _ (underscore) specifies a default template.
Default:
''
Example:
searchform_template= {
  u'_':os.path.join(web2ldapcnf.templates_dir,'searchform_Base.html'),
  u'Users':os.path.join(web2ldapcnf.templates_dir,'searchform_users.html'),
  u'Orga':os.path.join(web2ldapcnf.templates_dir,'searchform_orga.html'),
  u'Persons':os.path.join(web2ldapcnf.templates_dir,'searchform_persons.html'),
},
          
ssl_minlevel
Defines the minimum required SSL security level for accessing this host/backend through the web2ldap gateway.
Default:
0
ssl_valid_dn
Regex describing the valid subject DNs of client certificates.
Default:
''
ssl_valid_idn
Regex describing the valid DNs of issuer certificates of valid client certificates.
Default:
''
starttls
Integer defining whether StartTLS should not be used (value 0), StartTLS should be tried (value 1) or use of StartTLS is mandantory (value 2) for connecting to this server. Does only make sense per server.
Default:
0
tls_cacertdir
Specifies the directory that contains certificates for all of the Certificate Authorities that will be recognized.
Default:
''
tls_cacertfile
Specifies the file that contains certificates for all of the Certificate Authorities that will be recognized.
Default:
''
tls_certfile
Specifies the file that contains the client certificate for strong SSL/TLS-based authentication.
Default:
''
tls_keyfile
Specifies the file that contains the client key file for strong SSL/TLS-based authentication.
Default:
''
timeout
Timeout value for LDAP operations on seconds. -1 switches off timeout handling.
Default:
-1
vcard_template
HTML template files for vCard downloading. This is a dictionary with object class names as key and path names of vCard template files as value.
Default:
{}

www.nosoftwarepatents.com