Client-side customization considerations
For simplifying usage of web2ldap for end-users the LDAP administrator
can utilize many customization options. Please make yourself
comfortable how to specify
host-/backend-specific parameters with the cascaded configuration
since that saves you a lot of configuration work.
You can construct bookmarks and make them available on a simple web page
which makes certain functions in web2ldap more easily accessible. Or you can
add the LDAP URLs with an appropriate description to the select list presented
on the front page by adding them to the list specified with
ldap_uri_list.
For the ease of use web2ldap displays LDAP URLs containing also the simple bind
information (in LDAP URL extension bindname). You can copy these LDAP
URLs to your clipboard and simple append them as query string to the web2ldap URL
(separated by a question mark).
Examples for bookmarks:
- Search user accounts (here entries with object class account) anonymously
-
http://web2ldap.example.com:1760/web2ldap?ldap://directory.example.com/ou=Users,dc=example,dc=com??sub?(objectClass=account)
- Adding a new user entry but with enforcing a login with bind-DN
uid=fred,ou=Users,dc=example,dc=com
before
-
http://web2ldap.example.com:1760/web2ldap/addform?ldap://directory.example.com/ou=Users,dc=example,dc=com????bindname=uid%3Dfred%2Cou%3DUsers%2Cdc%3Dexample%2Cdc%3Dcom
- Set a password for a certain user (again after a login)
-
http://web2ldap.example.com:1760/web2ldap/passwd?ldap://directory.example.com/uid=anna,ou=Users,dc=example,dc=com????bindname=uid%3Dfred%2Cou%3DUsers%2Cdc%3Dexample%2Cdc%3Dcom
HTML templates for guiding users
You can specify HTML snippets in template files for certain things.
HTML templates can be are chosen based on language configuration in your browser.
- Displaying single entries
-
You can assign HTML templates to object classes with parameter
read_template
which specify how to display the entry's data of this particular object class.
See files etc/web2ldap/templates/read_*.html as examples.
Attributes not covered by the display template(s) will
be shown as raw table at the bottom.
- Search input form
-
Parameter searchform_template
allows to specify a HTML template defining input fields for search parameters.
- Entry input forms
-
Parameter input_template
allows to specify HTML templates for object classes used in the input
form when adding new entries or editing existing entries.
- Login forms
-
Set login_template
to customize the login input form. Consider setting
login_default_mech
if you have specific policy for the LDAP bind mechanism used.
LDIF templates for quickly add entries you need often
With parameter
addform_entry_templates you can define a set of LDIF-based templates
for a kind of entries you have to add very often.
See files etc/web2ldap/templates/add_*.ldif as examples.
Plug-in classes for syntaxes and/or attribute types
web2ldap internally handles many aspects of displaying attribute
values or input fields with the help of Python classes (derived from
w2lapp.schema.syntaxes.LDAPSyntax) registered for LDAP syntax OIDs
and/or attribute types.
Plug-in classes have access to various data:
- attribute type and one of the values are direct class attributes
- LDAP connection object for sending additional queries
- DN of the entry
- whole entry (schema-aware instance of ldaputil.schema.Entry
There are already various base classes available quite handy for implementing
- Client-side regex-checking of valid attribute values
- Static or dynamic select classes
Look into files pylib/w2lapp/schema/plugins/*.py for examples.
Best pratice is to stuff self-implemented custom classes in a module in
directory etc/web2ldap/web2ldapcnf/plugins/
and import this
module in file etc/web2ldap/web2ldapcnf/plugins/__init__.py
.
Order of the import-statements is significant.
Server-side configuration
You can also influence how the user interacts with your LDAP directory via web2ldap
by configuring things in the server.
Schema design
- Syntaxes
-
specify the syntax to which attribute values must comply. If you choose
finer-grained syntaxes web2ldap displays input fields and conducts
syntax validation appropriate for that syntax (e.g. TRUE/FALSE select field
for syntax Boolean).
- Attribute types
-
For some attribute types web2ldap has already special handler classes
(e.g. attribute type mail).
- Object classes
-
are the type(s) of an entry and specify which attributes can be used
within an entry. web2ldap uses this to display the input entry form (table format)
indicating required and allowed attributes.
- DIT content rules
-
specify which auxiliary object classes are
allowed for a structural object class. This is used by web2ldap to display
the allowed auxiliary object classes in the object class select form.
- Name forms
-
specify how to form the RDN for a new entry to be added. If a name form
applies web2ldap displays a select list for choosing a RDN string template.
- DIT structure rules
-
specify which structural object classes are
allowed in a certain part of the DIT. This is used by web2ldap to display
the allowed structural object classes in the object class select form.