Changes 1.2.x
1.2.101
Release Date: 2018-02-09
- Added more key types to regex pattern for checking sshPublicKey attribute values.
- Updated plugin module for Æ-DIR.
1.2.100
Release Date: 2017-12-29
- New plugin class for handling JSON attribute values.
- Added more plugin classes for OATH-LDAP attributes:
  - oathOTPLength
  - oathEncKey (JWK)
  - oathTokenPIN (JWE)
1.2.99
Release Date: 2017-12-17
- Security fix for stand-alone mode: Do not send error response with body including untrusted input.
- Code cleaning:
  - Absolute imports used everywhere (see PEP 328).
  - Fixed minor bugs found by pylint.
  - Moved HTTP handler class for stand-alone mode to module w2lapp.handler.
  - Removed dead code, unused imports and unused variables found with pylint.
  - Removed backward compatibility kludge for module ipaddr because it has been unmaintained for years.
- Updated plugin module for Æ-DIR.
1.2.98
Release Date: 2017-11-20
- Disabled plugin module for Æ-DIR in default configuration because it requires a fairly recent release version of python-ldap not available on some platforms.
- Avoid using internal variables of python-ldap which are subject to change in python-ldap release 2.5.2+.
1.2.97
Release Date: 2017-11-12
- Dropped support for DSMLv1 export because python-ldap 2.5.x will not contain module dsml anymore.
1.2.96
Release Date: 2017-11-11
- Updated plugin module for Æ-DIR to support new attribute aeExpiryStatus.
- Updated HTML templates for Æ-DIR.
- # for increment was added to known modification types in plugin class for attribute reqMod.
- Fixed missing UTF-8 encoding step in plugin class AutogenNumber (which auto-generates uidNumber and gidNumber values).
1.2.95
Release Date: 2017-09-21
- Allow max. length 300 chars in input field of attribute reqMod in basic search form.
- Added HTML templates for mailboxRelatedObject.
1.2.94
Release Date: 2017-09-10
- Plugin class for bit array integer values (e.g. userAccountControl) now also directly accepts Integer values input.
- Fixed attribute value check regression in plugin class for sshPublicKey.
1.2.93
Release Date: 2017-08-08
- Changes in plugin class for sshPublicKey:
  - Fingerprints now exactly match ssh-keygen output.
  - SHA-512 fingerprint is displayed.
  - If paramiko is installed the key size is checked against minimum key size specified in dict ParamikoSshPublicKey.min_key_size.
  - Relaxed regex pattern to accept empty key comment.
1.2.92
Release Date: 2017-07-20
- Fixed too strict assert statement when using Password Modify ext.op.
1.2.91
Release Date: 2017-07-13
- Fixed caching regressions.
- Fixed wrong usage of unicode and str arguments in Æ-DIR plugin module.
1.2.90
Release Date: 2017-07-11
- Implemented caching response controls with encoded request control strings in cache key args.
- Use new API args for response controls caching in Æ-DIR plugin class for member attribute.
1.2.89
Release Date: 2017-06-28
- Removed obsolete summary attribute from <table> tags in all HTML templates.
- Aligned Æ-DIR HTML templates and plugin module with upstream.
- User input for form parameter search_attrs is now sanitized to also accept space chars as separator.
- Removed code for certificate/CRL text dump viewer based on M2Crypto.
- Fixed displaying invalid and non-Unicode reqMod values (like a single colon).
1.2.88
Release Date: 2017-05-15
- Slightly improved error message when no valid LDIF templates are found.
- Display [Monitor] link only if accessing monitor page is allowed for remote IP address.
- Added new class attribute LDAPSession.sessionStartTime for internal use.
- In connect and login HTML templates the value of {value_currenttime} is UTC timestamp string of current time.
1.2.87
Release Date: 2017-05-04
- The input form now highlights invalid attribute values.
- Enabled controls are now always shown in parameter information even if not known in rootDSE.
- Fixed syntax check in MS AD plugin class for logonHours.
1.2.86
Release Date: 2017-04-22
- New internal utility functions for composing filters.
- Updated plugin module and HTML templates for Æ-DIR.
1.2.85
Release Date: 2017-04-17
- Re-factored use of class w2lapp.handler.AppHandler.
- Fixed a Unicode-related debugging assertion.
- File extension ".pub" is used when exporting sshPublicKey attribute value.
- Fixed handling of [-] <button> in input form in case only empty values of a certain attribute type were present.
- Added new general config parameter web2ldapcnf.good_redirect_targets.
- Updates in plugin module for Æ-DIR.
1.2.84
Release Date: 2017-04-11
- Registered rfc822MailMember with RFC822Address plugin class.
- Updated fallback schema file.
- Updates to plugin module for Æ-DIR.
- When displaying raw table view of single entry the <h1> heading now is the displayName or cn or RDN in this order followed by the entry's full distinguished name.
- Added input field in basic search form template for attribute entryDN with matching rule select input.
- Some minor modifications to default style-sheet.
- Removed scroll-to-top link from all HTML templates.
- Fixed handling of [-] <button> in input form in case only one value of a certain attribute type was left.
1.2.83
Release Date: 2017-03-18
- [+] and [-] <button>s now have formaction attribute to directly navigate to the input field with anchor.
- Improvements for MS Active Directory:
  - Added work-around for objectClass declaration with NO-USER-APP.
  - New plugin class for msDS-ReplAttributeMetaData.
  - Registered nTSecurityDescriptor with Binary syntax class.
- Added HTTP header Referrer-Policy with value "no-referrer" to default values of web2ldapcnf.http_headers.
- SASL hostname canonicalization is disabled in case GSSAPI is used and the underlying modules/libs support that.
- Link [DNS lookup] in main menu of entry page is only shown if pydns is really installed.
- Small updates to plugin module for Æ-DIR.
1.2.82
Release Date: 2017-03-01
- Also suppress [+] and [-] buttons for plugin classes with maxValues = 1.
1.2.81
Release Date: 2017-02-23
- New plugin class method and class attribute for displaying multi-value buttons [+] and [-] in entry input form which allows overriding behaviour in derived plugin classes.
- [+] and [-] buttons are not shown for attribute memberUid in aeGroup entries.
- Refactored displaying referencing DNs of aeGroup entries in Æ-DIR.
1.2.80
Release Date: 2017-02-12
- Aligned Æ-DIR HTML templates and plugin module with upstream.
- Changed HTML markup to correctly display LDIF change record after modifying an entry.
1.2.79
Release Date: 2016-12-08
- Use attribute name for objectClass instead of OID when processing input form.
- New base plugin class LDAPv3ResultCode also used for attribute reqResult.
- New plugin class for OATH-LDAP attributes oathSuccessResultCode and oathFailureResultCode.
1.2.78
Release Date: 2016-12-02
- Fixed regression when processing input form introduced with 1.2.77 by modified process workflow:
  - Read normal input fields into entry dict
  - Sanitize all attribute values one-by-one
  - Add LDIF input into entry dict
  - Transmute attribute value lists
1.2.77
Release Date: 2016-11-29
- Fixed UnicodeError when displaying error message for unreadable LDIF template.
- When processing entry input form the attribute objectClass is now added first to the entry to correctly trigger plugin classes registered on structural object class in sanitize step.
- Fixed HTML templates for namedObject and namedPolicy.
1.2.76
Release Date: 2016-11-18
- Improved plugin class for associatedDomain:
  - Automatically generate attribute value after submitting input form
  - Display link for searching SOA RR entry.
- Plugin definitions/classes for new OATH-LDAP attributes.
- New plugin module and HTML templates for msPwdResetPolicy.
- Updates for Æ-DIR:
  - Always generate correct select list in plugin class for aeNwDevice reference.
  - Aligned HTML templates with upstream.
  - New plugin classes related to new object classes and attribute types.
1.2.75
Release Date: 2016-11-02
- Corrected NIS search form template not to use sub-string search on attributes lacking SUBSTR in standard schema definition.
- Empty option values in select lists now have language-neutral option text "-/-".
- Setting the plugin class attribute SelectList.input_fallback = False avoids the fall-back to normal input field.
- Updates for Æ-DIR:
  - Gracefully handle missing paramiko module in plugin module for Æ-DIR which caused ImportError to be raised during startup.
  - Aligned plugin module for Æ-DIR with upstream zone schema modifications.
1.2.74
Release Date: 2016-10-13
- LDAP error insufficientAccess is now also ignored when checking list of parent entry's attributes for an LDIF template to be displayed.
- Added SSL_CLIENT_VERIFY and SSL_SECURE_RENEG to web2ldapcnf.session_checkvars.
- Ignore empty attribute values when building assertion filter.
- Updates for Æ-DIR:
  - New UID/GID generation scheme
  - aePerson entries for select list are searched with aeNotBefore and aeNotAfter in filter
1.2.73
Release Date: 2016-09-26
- Better error handling in case DNS SRV lookup does not return results.
- Updates for Æ-DIR:
  - Better handling of aeDept linking constraints in aeZone and aeGroup entries.
  - Different CSS styles for aeStatus values.
1.2.72
Release Date: 2016-09-22
- Better regex pattern for sshPublicKey.
- Updates for Æ-DIR:
  - gidNumber values are now generated after submitting the input form (in AEGIDNumber.transmute()) to reduce likelihood of hitting unique constraint.
  - Separate plugin classes for sshPublicKey in aeUser and aeService entries.
1.2.71
Release Date: 2016-09-16
- Truly optional import of module pwd for fixing an import regression on Windows since release 1.2.51.
1.2.70
Release Date: 2016-08-13
- Registered password policy attributes pwdFailureCountInterval and pwdLockoutDuration with plugin class Timespan.
- Updates for Æ-DIR:
  - Reformatted HTML templates for aeSrvGroup entries.
  - Added plugin class for aeVisibleGroups which automatically adds all groups referenced in aeLoginGroups and aeDisplayNameGroups.
  - Plugin class for manager with simple dynamic select list.
  - Aligned HTML templates with upstream.
1.2.69
Release Date: 2016-08-08
- Re-factored attribute deletion in function ldaputil.modlist2.modifyModlist().
- When generating an entry from form input empty attribute lists are now removed after transmute() step.
- Updates for Æ-DIR:
  - Added plugin class for displayName in aeDept entries.
  - Plugin class for aeDept uses displayName in select lists.
  - Support for new attribute aeDisplayNameGroups.
  - Added filter part for excluding zone pub in rights group DNs.
  - Aligned HTML templates with upstream.
  - Fixed issues with memberUid attribute not being removed in case of absent member values.
1.2.68
Release Date: 2016-08-05
- Plugin class attribute DistinguishedName.ref_attrs can now have additional element for specifying the object class of referring entries.
- New plugin class attribute LDAPSyntax.simpleSanitizers can be used to define a series of simple one-argument functions (e.g. str.lower or similar) which are applied in method LDAPSyntax.sanitizeInput(). Note that more complex plugin classes likely do not call this though.
- Search continuations (referrals) are now simply ignored when processing possible parent zone entries in plugin class for associatedDomain.
- Updates for Æ-DIR:
  - Better support for attribute aeDept.
  - By default plugin class for aeTicketId now strips and upper-cases input value.
1.2.67
Release Date: 2016-07-29
- Better error handling for invalid LDIF templates.
- Added missing trailing separator line in an LDIF template for organizationalUnit.
- Updates for Æ-DIR:
  - Registered plugin class for uidNumber and gidNumber also for object class aeService.
  - More links for searching aeHost.
1.2.66
Release Date: 2016-07-16
- Registered defaultObjectCategory with plugin class for objectCategory and added ref_attrs to that class.
- New host-/backend-specific parameter addform_parent_attrs allows defining a list of attributes which must be readable in the parent entry for an LDIF template to be displayed.
- Updates for Æ-DIR:
  - Plugin class for sudoUser now excludes special role groups.
  - Better error handling in case of empty or invalid aeStatus value.
1.2.65
Release Date: 2016-07-08
- [Bind as] link now creates new session to be used in a new browser tab.
- Updates for Æ-DIR:
  - For better security uidNumber / gidNumber assignment is now the same to avoid accidental global GID usage.
  - Added plugin classes for mail attribute handling in aePerson and primary aeUser entries.
  - Plugin class for attribute aePerson now searches aePerson entry based on own current aeStatus.
  - Improved/restructured plugin classes for attributes aeProxyFor and aeSrvGroup.
  - Enforce rules for aeStatus related to validity period.
1.2.64
Release Date: 2016-07-03
- Updates for Æ-DIR:
  - Restructured parent plugin classes.
  - Default plugin class for aePerson is now based on DynamicDNSelectList.
  - Added support for aeDept entries.
  - Added plugin class for auto-generating uniqueIdentifier attribute value in aePerson entries.
  - Added plugin class for attribute manager in aePerson entries.
  - Updated/improved HTML and LDIF templates.
  - Fixed login template selection during re-login.
1.2.63
Release Date: 2016-06-27
- Fall-back for empty DN in base plugin class DynamicValueSelectList.
- Use (objectClass=*) as default when empty filter was input to bulk modification.
1.2.62
Release Date: 2016-06-23
- Serious security fix: Previous StartTLS is now correctly honored in login form hidden parameters.
- When displaying the available LDIF templates after [New entry] the superior entries are now displayed with HTML template snippets defined with host-/backend-specific parameter inputform_supentrytemplate.
- Added new LDIF template for Æ-DIR primary user account with AUX class inetLocalMailRecipient for mailbox users.
1.2.61
Release Date: 2016-06-21
- Added config presets, plugin classes and templates for new Æ-DIR aeDept schema.
- Other small improvements for Æ-DIR.
1.2.60
Release Date: 2016-06-17
- Added config presets, plugin classes and templates for new Æ-DIR aeTag schema.
1.2.59
Release Date: 2016-06-13
- Disabled registering cn with plugin classes in module w2lapp.schema.plugins.inetorgperson in default configuration.
- Some small fixes and updates to various Æ-DIR templates.
1.2.58
Release Date: 2016-06-08
- Fixed parent plugin class for cn in aeZone entries.
- Added plugin class for attribute showInAddressBook (MS AD).
- Fixed spawn-web2ldap.fcgi to really use vars set.
- Slightly improved sample configuration for nginx.
- Search continuations (referrals) are now simply ignored when generating search root select list.
1.2.57
Release Date: 2016-06-07
- Search continuations (referrals) are now simply ignored during bulk modification.
- Updates for Æ-DIR:
  - Added plugin class for new attribute aeHost.
  - Added specific plugin classes for attribute cn in entries of structural object classes aeZone, aeGroup, aeSrvGroup and aeSudoRule to let deployments attach specific regex patterns.
- Refactored handling command-line parameter -u and/or configuration stand-alone demon parameter run_username.
1.2.56
Release Date: 2016-05-09
- Fixed regression in plugin class for uid in aeUser entries.
- Fix for truly optional handling of objectClass in rootDSE when modifying an entry.
- Updated HTML templates for aePerson.
1.2.55
Release Date: 2016-05-02
- New approach for generating fixed-length uid values in aeUser entries.
- Slightly refactored plugin classes for (LDAP) URLs.
- New plugin class for attribute altServer.
1.2.54
Release Date: 2016-04-28
- Plugin class for attribute host in aeHost now checks forward DNS entries (AEHostname.host_lookup=1) and reverse (AEHostname.host_lookup=2).
- Plugin class for attribute cn in aeHost now derives attribute values from left-most label in attribute host.
1.2.53
Release Date: 2016-04-27
- Registered AD attribute type dNSHostName with plugin class DNSDomain.
- Fixed searching LDAP operations sent by an aeUser in accesslog DB.
- Fixed setting search root in plugin class for reqSession.
1.2.52
Release Date: 2016-04-15
- Updates for Æ-DIR:
  - Modifications due to new aeGroup naming conventions.
  - LDAPSession derivative class AEDirLDAPSession for mapping username to short bind-DN form.
1.2.51
Release Date: 2016-04-13
- Added more process information to monitor page (PID, PPID, UID, etc.).
- Updates for Æ-DIR:
  - Removed obsolete attributes from configuration files.
  - Fixed typo in boundas_template.
  - Improved consistent maintenance of memberUid attribute values in hybrid groups (aeGroup).
  - New plugin class for cn in aeHost entries.
  - New plugin class for entryDN in aeHost entries shows links to search all aeHost and Service entries within at least one common aeSrvGroup.
  - New plugin class for entryDN in aeSrvGroup entries shows links to search all aeHost and aeService member entries.
1.2.50
Release Date: 2016-04-07
- As a work-around a single object class without object class description in the subschema is always treated like STRUCTURAL when choosing templates.
- New plugin classes for Æ-DIR:

  | attribute | object class |
  |---|---|
  | host | aeHost |
  | displayName | aePerson |
  | manager | aePerson |
1.2.49
Release Date: 2016-04-06
- Small fixes in templates and plugin module for Æ-DIR.
1.2.48
Release Date: 2016-03-30
- Reconnect counter is displayed along with LDAP connection information.
- No extra <a> tag for the intra-document links in tree viewer.
- Fixed UnicodeError when handling malformed RDN input during adding new entry.
- Gracefully handle LDAPSession.whoami() returning None.
1.2.47
Release Date: 2016-02-02
- Fixed regression since release 1.2.46 which raised exception when uncaching an entry after using LDAP modify extended operation.
1.2.46
Release Date: 2016-01-15
- Fixes when using Assertion Control:
  - Filter string now correctly encoded.
  - Added better work-around for OpenLDAP (see also ITS#6916).
- Cleaned up and improved uncaching LDAP entries.
- Removed obsolete configuration parameter searchform_filterstr_size.
- Increased maxlength for LDAP filter string in expert search form to 1200 chars.
1.2.45
Release Date: 2015-12-28
- Updated work-around in syntax class Boolean for handling lower-case attribute values. (I hate LDAP servers not sticking to standards!)
- CSS and markup improvements for printable output.
- Plugin class for pwdChangedTime now strictly reads referenced ppolicy entry with filter (objectClass=pwdPolicy).
- Plugin class for namingContexts:
  - Now also registered for OpenDJ attributes ds-private-naming-contexts and ds-cfg-base-dn.
  - Now displays link to search accompanying OpenDJ's backend configuration entries beneath cn=Backends,cn=config.
  - Now displays link to search accompanying OpenLDAP or OpenDJ backend monitoring entry beneath cn=monitor.
1.2.44
Release Date: 2015-12-16
- New plugin class for olcPPolicyDefault checks whether attribute value references existing pwdPolicy entry.
- Plugin class for namingContexts also registered for attribute olcSuffix used by OpenLDAP's back-config.
- Plugin class for auditContext also registered for attribute olcAccessLogDB used by OpenLDAP's back-config.
- When displaying a single entry the same search_filter and no_cache argument is now used when additionally reading potentially hidden operational attributes.
- Usage of host-/backend-specific parameter requested_attrs has changed when displaying a single entry: Only attributes which were not read with prior search operation and which are part of the subschema are really used when additionally reading potentially hidden operational attributes.
- If Python modules stdnum and vatnumber are installed then function vatnumber.check_vat() is used to check values in attribute euVATId instead of regex check.
1.2.43
Release Date: 2015-12-08
- Fixed regression for determining whether only partial search results were retrieved. mailto: links were not displayed.
- New plugin class GroupEntryDN registered for various combinations of DN-valued attributes and structural object classes mainly for search group members by memberOf:

  | attribute | object class |
  |---|---|
  | entryDN | groupOfNames |
  | entryDN | groupOfEntries |
  | distinguishedName | group (MS AD) |
  | entryDN | aeGroup (used as base class) |
- Plugin class for namingContexts now displays link into tree browser.
- New plugin class for OpenLDAP rootDSE attributes configContext and monitorContext.
- Plugin class for memberOf now also registered for OpenDJ's attribute isMemberOf.
- Attribute krbMaxRenewableAge also registered with plugin class Timespan.
- Added plugin module for FreeIPA which does not contain much yet though.
- Added some HTML templates for displaying entries in OpenLDAP's accesslog.
1.2.42
Release Date: 2015-11-28
- Fixed regression in plugin class method Boolean._sorted_select_options().
- General clean-up and many typos fixed in various HTML templates.
- Added separate read HTML templates for OpenLDAP's cn=config.
- Special installation recipe for Debian Jessie (sigh!).
- Changed she-bang lines to explicitly invoke python2.7 to avoid issues with distributions changing the default Python version.
1.2.41
Release Date: 2015-11-09
-
Updates to reflect new OATH-LDAP schema:
- Updated HTML templates
- New plugin class for oathSecret displays shared secret as base32-encoded string.
- OID renumbering
- Removed registrations for OATH init attributes.
1.2.40
Release Date: 2015-11-02
- Modifications to HTML templates for OATH-LDAP to reflect new schema.
1.2.39
Release Date: 2015-10-22
- Relaxed regex pattern in plugin class for oathTokenIdentifier.
- New method DynamicValueSelectList_determineFilter() allows custom implementations to determine the search filter used when searching/reading entries.
- Modifications to OATH-LDAP plugin module and HTML templates to reflect new schema version.
1.2.38
Release Date: 2015-08-15
- Only write LDAPSession.__dict__ to error log if there is a valid LDAPSession instance.
- Improved output for empty results and errors when locating LDAP servers with DNS queries.
- When searching in OpenLDAP's accesslog DB for Æ-DIR changes the DN is changed to trigger correct configuration cascade.
- Small modifications to plugin module for Æ-DIR.
- Plugin class for attribute mail now automagically encodes and decodes non-ASCII chars in the domain part as IDNA.
- Plugin class for attribute reqEntryUUID does not display a search link in search result listing anymore.
- Fixed UnicodeError when presenting re-login form during handling ldap.INSUFFICIENT_ACCESS.
1.2.37
Release Date: 2015-08-01
- Cache is internally flushed on each simple bind. Likely there was no relevant impact though.
- Plugin class for associatedDomain now also catches and ignores formerly unhandled IndexError exception.
- In case of an unhandled exception a pretty-printable view of LDAPSession.__dict__ is written to the error log.
1.2.36
Release Date: 2015-07-24
- [Read] links are always displayed in the middle area after adding/modifying an entry.
- Fixed regression with missing last entry when displaying all entries.
1.2.35
Release Date: 2015-07-19
- DN matching rules added to advanced search form.
- New plugin class for attribute entryDN and object class aeZone shows links to OpenLDAP's accesslog DB if available.
- When displaying sshPublicKey with an invalid key the paramiko.SSHException is caught and an error message is displayed inline.
1.2.34
Release Date: 2015-07-13
- OpenLDAP-specific plugin class for olcRootDN does not throw unhandled exception on entries without olcSuffix anymore.
- There are now configuration preset instances available in web2ldapcnf.hosts re-usable for several configuration items in web2ldapcnf.hosts.ldap_def:
  - cn=config
  - OpenLDAP accesslog DB (see draft-chu-ldap-logschema)
  - Changelog DB (see draft-good-ldap-changelog)
  - MS Active Directory
- New host-/backend-specific parameter bulkmod_delold to work around issues with LDAP servers (e.g. OpenLDAP) hitting internal constraints if delold=0 is used.
1.2.33
Release Date: 2015-07-07
- New base plugin class for IANA-registered hash algorithm OIDs.
- New base plugin class for HMAC algorithm OIDs.
- Updated LDIF and HTML templates and plugin module for new OATH-LDAP schema work.
- Plugin class DistinguishedName can now generate links for searching back-link entries by just setting class attribute ref_attrs.
1.2.32
Release Date: 2015-06-18
- Fixed regression when determining length of form value for Integer input fields.
- Added plugin module, HTML templates for OATH-LDAP.
- Removed script sbin/compile.py because compiling is better done with python -m compileall (see module compileall used with command-line).
- Unified she-bang lines in all executable Python scripts (sbin/ and fcgi/).
- HTTPS links are used for all OpenLDAP and Wikipedia links.
1.2.31
Release Date: 2015-06-09
- Excel export: Multiple attribute values are now exported as multiple lines per cell.
- Fixed regression when normalizing GeneralizedTime values introduced in release 1.2.30.
- Session Tracking Control is also sent along with bind requests and server host string does not contain double port.
1.2.30
Release Date: 2015-06-07
- Plugin class for reqSession now displays link only when argument commandbutton is True.
- Registered attributes reqStart and reqEnd with plugin class NotBefore.
- Improvements to plugin class for GeneralizedTime:
  - More datetime formats accepted when normalizing input values.
  - The datetime formats are preferred over date format when normalizing input values.
  - Special input strings are normalized to datetime strings based on current time:
    - NOW or N: current time
    - TODAY or T: today with default time
    - YESTERDAY or Y: yesterday with default time
    - TOMORROW or T: tomorrow with default time
- If DIT browser does not show results for root-level search the naming contexts are displayed with clickable links.
1.2.29
Release Date: 2015-06-06
- Tightened links displayed for auditContext. Added a search form link.
- Fixed fallback when generating an input select list for attributes which are not visible in the subschema.
- Small improvements for search form template and configuration for OpenLDAP's accesslog.
- Context search menu action [Negate search] now...
  - correctly preserves table search output format.
  - strips an existing negation instead of generating double negation with (!(!(…))).
- New plugin class for reqSession displays a link for searching all audit entries with same session number.
1.2.28
Release Date: 2015-06-05
- When displaying a single entry in table format and expanding a multi-valued attribute an intra-document link points to that attribute.
- Updated fallback schema file localschema.ldif adding the H.350 schema.
- Added simple plugin module for H.350 Directory Services.
- Set of ignored attributes when modifying an entry now also handles correctly attributes not present in subschema (e.g. OpenLDAP's entryCSN).
- Added attributes entryDN, entryCSN and collectiveAttributeSubentries to the hard-coded list of attributes always ignored when processing add/modify input.
- If Relax Rules Control is enabled the input form is forced to be table form instead of template form. Also an additional warning is displayed.
1.2.27
Release Date: 2015-05-15
- Corrected DIT structure rules in Æ-DIR supplemental schema.
- Set maxLen for plugin classes of dc and associatedDomain etc. according to clarifications in RFC 2181.
- Updated fallback schema file localschema.ldif especially the FreeRADIUS and the Federated File Systems schema.
- Separate plugin class for cNAMERecord to restrict input to one value.
- Code cleaning in LDAPSession.bind() etc. to allow subclasses to easily override new method LDAPSession.getBindDN().
- Relaxed determining input size for Integer input fields, especially for entering time span strings.
1.2.26
Release Date: 2015-04-30
- Exception ldap.UNAVAILABLE_CRITICAL_EXTENSION now simply ignored when reading rootDSE.
- New base plugin classes NotBefore and NotAfter used in plugin modules aedir and sudoers.
- Some minor improvements to default CSS theme.
1.2.25
Release Date: 2015-04-19
- Cleaned up building the set of ignored attributes when modifying an entry. This fixes a regression with Relax Rules control enabled.
- More search links when displaying DNS/DHCP related attributes.
- data URI scheme (see RFC 2397) is now used when image data is less than threshold set in class attribute Image.inline_maxlen (currently 630 bytes).
- Cleaned up method GeneralizedTime.displayValue() to correctly call base class method for fall-back.
- New plugin class for pwdAccountLockedTime.
1.2.24
Release Date: 2015-03-19
- Registered attribute type sudoUser with plugin class w2lapp.schema.plugins.sudoers.SudoUserGroup and structural object class aeSudoRule.
- Some small changes to HTML templates for Æ-DIR.
- Registered attribute type sambaDomainName with syntax class DirectoryString and structural object class sambaDomain.
- Fixed exception when determining form value for sambaSID in sambaDomain entry.
- Added LDIF template for a DNS zone entry with more zone-related attributes (SOA, NS etc.) which uses associatedDomain for forming the RDN.
- Fixed exception when generating additional links for aeUser/entryDN in case attribute auditContext is not readable.
1.2.23
Release Date: 2015-03-13
- Fake paging of search results also works now if the LDAP server does not return a size-limit LDAP result code (e.g. W2K12 AD DS).
- Registered attribute type msExchMailboxGuid with plugin class MsAdGUID.
- The example configuration files for Apache were split into 2.2 and 2.4 variants which are used in Debian and openSUSE installation instructions.
- Code cleaning when generating additional links for memberOf for general schema and for Æ-DIR.
- Work-arounds for interop issues with W2K12 AD DS:
  - Graceful handling of non-DN authz name in group administration because of Who Am I? returning non-DN result which cannot be mapped to DN by internal authz-DN search.
  - Graceful handling of Who Am I? returning None as result.
1.2.22
Release Date: 2015-03-01
- Removed HTML tag attribute autofocus from all HTML templates because it interferes with the hidden skip navigation links.
- Added krbCanonicalName to Kerberos search form template.
- Eliminated hard-coded DNs in plugin module for Æ-DIR.
- Added LDIF template for X.509 CA entries based on applicationProcess and pkiCA.
- Added to top section template:
  - <meta name="referrer" content="no-referrer">
  - <meta name="viewport" ...> for mobile displays
- Added specific search form template for MS AD (see search context menu).
- Stricter IA5 String validation.
- Added read and input form HTML template for inetLocalMailRecipient.
1.2.21
Release Date: 2015-02-10
- Unnecessary <br> tags are avoided when generating input forms.
- Fixed/improved DNS RR search links in plugin class for dhcpOption and dhcpStatements.
- Plugin class registration for attribute types can now be limited to certain structural object classes. This is backward-compatible and does not affect existing plugin modules.
- New mix-in plugin class w2lapp.schema.syntaxes.ComposedAttribute composes attribute values from other attribute values within an entry. Obviously this only works for single value attributes.
- New plugin module w2lapp.schema.plugins.inetorgperson with plugin classes derived from ComposedAttribute generating values for attributes cn and displayValue.
- Added HTML templates for posixGroup.
- Added skip navigation links to top of page to ease jumping to content and menu areas (see WAI quick ref.).
- Merged Æ-DIR customization:
  - New plugin module w2lapp.schema.plugins.aedir
  - LDIF and HTML templates
  - Example configuration
1.2.20
Release Date: 2015-02-06
- Compacted LDAP connection info in [ConnInfo].
- Added search form template for MIT Kerberos schema.
- Hit list of remote IPs seen displayed in monitor page.
- Added LDAP_SERVER_LAZY_COMMIT_OID as supported value-less control.
- Uniqueness checks performed when registering plugin classes:
  - Syntax class oid must not be re-used. An exception is raised in this case which gives details about the parameters used.
  - A warning is written to stderr when overriding a formerly registered plugin class for an attribute type.
- Fixed a couple of misregistrations of plugin classes.
- A warning is written to stderr during startup when importing site-specific configuration module web2ldapcnf.local fails.
1.2.19
Release Date: 2015-01-30
- All remote IP addresses ever getting a session are counted.
- The code maintaining session ID and remote IP associations was cleaned up.
- Standard search form templates were overhauled. Redundant templates were removed and more specific templates added (NIS, DNS, DHCP).
- Empty search attribute type is simply ignored.
- User interface of enabling/disabling extended controls was overhauled:
  - Controls can now be enabled/disabled with one click (no separate <form>).
  - Per default only controls known in rootDSE are listed. The list can be expanded with one click though.
  - Unknown controls are displayed struck through instead of with an X in a separate table column. This also saves horizontal space.
- Removed erroneous handling of Values Sort Control.
1.2.18
Release Date: 2015-01-27
- Fixed again generating input form values for associatedDomain.
- Plugin class for associatedDomain now displays links to search matching A RR entries for reverse DNS RR entries (.in-addr.arpa).
- Fixed regression when displaying error message in schema viewer.
- New plugin classes for attribute types member and memberOf.
1.2.17
Release Date: 2015-01-25
- Implemented per remote IP session limits in addition to the global limit. This requires new global parameter session_per_ip_limit to be set in your configuration.
- OctetString values are now displayed as a proper hex-dump with offset and ASCII excerpt.
- Registered more Kerberos attribute types with Timespan plugin class.
- Fixed some small issues found with pychecker.
1.2.16
Release Date: 2015-01-22
- Fixed plugin class registration bug which could lead to IOError exception.
- Major changes to displaying of search results:
  - Detailed view of search parameters and the export form is provided at end of page. An intra-document link points to that section. Mainly this saves vertical space at top of page.
  - An equivalent ldapsearch command-line is generated based on the search parameters which is only compatible with OpenLDAP's command-line tool though.
- Some minor fixes in HTML markup.
- More minor improvements in DIT browser.
- Start of main <div> and top anchor are now part of top_template. This makes the top link always work independent of the CSS layout.
- Small HTML fixes here and there.
1.2.15
Release Date: 2015-01-21
- Added workaround in DIT browser for servers which return search results for one-level search below an empty root DN.
- Limits/error handling of DIT browser more robust now (ldap.ADMINLIMIT_EXCEEDED etc.).
- DIT_MAX_LEVELS is now enforced in DIT browser.
- For the currently selected DN the link is now for collapsing the sub-tree (simply browse from parent entry).
- Intra-document links are displayed in "Syntax check failed" which point to the attribute's input field. This is helpful for the user if HTML templates are used for input names without mentioning real attribute names.
- Some minor improvements to default CSS theme.
- For all [Up] and [Down] links the advanced search form is used now.
1.2.14
Release Date: 2015-01-20
- Added basic DIT browser reachable with [Tree] in main menu. This is a rather useless feature if you have more than a handful of entries. But many people seem to be keen to waste their time clicking around in their web browser instead of using a proper search.
1.2.13
Release Date: 2015-01-19
- Some minor changes to default CSS theme especially for smaller displays.
- Fixed various subtle UnicodeError exceptions, added more related assertions.
1.2.12
Release Date: 2015-01-18
- Fixed UnicodeError exception when adding entries below a DN with non-ASCII chars.
- Finally a new default CSS theme was made (overdue for 1.2.x). Hope you like it. The old 1.1 CSS theme can still be found in file white-on-green.css.
- Added plugin class for sSHFPRecord.
- Schema viewer now points to advanced search form for searching by attribute type existence or object class.
- When generating select fields for attribute types unnecessary sorting is avoided, value uniqueness is ensured and sorting is done case-insensitive.
- All input HTML templates now make extensive use of <fieldset> and <legend> tags instead of sub headings to group related input fields.
1.2.11
Release Date: 2015-01-15
- Fixed unhandled exception when displaying dhcpStatement value with no space-separated value.
- Fixed generating input form values for associatedDomain.
- Fixed/improved some HTML search form templates.
- Added plugin class for mXRecord.
- Added additional safety check for invalid key string in HTML template dictionary.
- Added example configuration snippet for accessing web2ldap running as external FastCGI responder via lighttpd.
- Added script sbin/web2ldap_postinstall.sh which adds daemon user/group, creates directories and fixes ownership/permissions.
- Added select list plugin class for NIS attribute ipServiceProtocol.
- Added inputform template for dNSDomain2.
- Updated fallback schema file localschema.ldif.
- HTTPS links are used for all IETF docs, PyPI and Google code links.
- Added HTML templates for object classes namedObject and namedPolicy (defined in draft-stroeder-namedobject)
- Added HTML templates for object class groupOfNames.
1.2.10
Release Date: 2014-12-19
- Fixed case-insensitive syntax checking of attribute dhcpHWAddress.
- Added link for searching PTR RR entry when displaying attributes aRecord and aAAARecord.
- Plugin class for associatedDomain now displays link to search referencing DNS RR entries.
- Improved suggesting reasonable input values for associatedDomain based on domain entries with attributes nSRecord or sOARecord found.
- Added ssh-ed25519 to validation regex pattern for sshPublicKey.
- Plugin class for dhcpStatements and dhcpOptions now displays link to search related DNS RR entries for DHCP options host-name and fixed-address.
- Env vars HTTP_X_REAL_IP, HTTP_FORWARDED_FOR, HTTP_X_FORWARDED_FOR are derived from HTTP headers to get the real client IP address when running in stand-alone mode behind a proxy.
- Many small improvements to docs, config examples and a new wrapper script around spawn-fcgi for running as a separate FastCGI process.
- FastCGI process starts even when configured PID file cannot be written.
- Added example configuration snippet for accessing web2ldap running as external FastCGI responder via nginx.
1.2.9
Release Date: 2014-12-12
- In case something goes wrong when reading LDIF templates the name of the template is displayed in the error message.
- Importing non-standard lib modules before extending sys.path is now avoided.
- Added LDIF template for entry with object class olcModuleList (for OpenLDAP's back-config).
- Added LDIF and HTML templates for various DHCP entries / object classes.
- Added entryDN to HTML templates for structural object classes.
- Registered multi-line plugin class for dhcpOption, dhcpOptions and dhcpStatements.
- Include more LAN types in regex for dhcpHWAddress.
- Corrected installation instructions and current version number is used everywhere.
- Error message is generated for a formerly unhandled exception when object classes of an entry are completely unknown and the user hits [Modify].
1.2.8
Release Date: 2014-12-01
- Added preliminary support for bulk copying entries based on search results (new checkbox in bulkmod). Use with care!
- Slightly improved support for OpenLDAP's back-config:
  - Moved templates to separate sub directory.
  - Fixed/improved LDIF and HTML templates for back-hdb.
  - New LDIF and HTML templates for back-mdb.
  - Plugin class for olcRootDn now derives form input value from olcSuffix.
- Added value for Windows 2012R2 to plugin class for domainControllerFunctionality.
- Added some Windows 2012R2 specific control and capabilities OIDs to LDAP OID registry.
- Added plugin module for the Univention Corporate Server which does not contain much yet.
- Registered attribute types krb5PrincipalName, krb5RealmName and krb5Key with more suitable LDAP syntax classes to make values displayable.
1.2.7
Release Date: 2014-11-28
- New parameter groupadm_optgroup_bounds for defining the DN component slice to use to generate the <optgroup> in group administration.
- New plugin class for namingContexts displays link to search accompanying OpenLDAP's database configuration entries.
- Fixed unhandled exception when choosing printable output of search results.
- Small improvements to plugin class for associatedDomain.
- Added work-around to always ignore non-empty configuration value requested_attrs when cloning an entry.
1.2.6
Release Date: 2014-11-13
- Added plugin class for AD attribute lockoutTime.
- Fixed group administration exception in case attribute objectClass of group entry is not present.
- Fixed fallback to module ipaddr.
- Fixed plugin class pseudo OIDs IPHostAddress.oid and IPNetworkAddress.oid.
- Improved plugin class for dhcpRange for checking against network address specified in attributes cn/dhcpNetMask and suggesting the whole range as default value.
- Use posixAccount as default value for objectClass when searching primary member entries of a posixGroup entry by gidNumber.
1.2.5
Release Date: 2014-11-03
- Fixed various regressions with extended control form handling introduced in 1.2.2 when extending data structure in ldapparams.AVAILABLE_BOOLEAN_CONTROLS.
- Some minor HTML5 markup fixes/improvements.
1.2.4
Release Date: 2014-10-31
- Plugin class for attribute x509issuer only uses normal DN value check.
- OID values with curly braces are now normalized to dotted IETF string representation for OIDs.
- Different plugin classes for IPv4 and IPv6 host and network addresses.
- Started new plugin module for dnsdomain2.schema.
1.2.3
Release Date: 2014-10-21
- Disabled using "Don't Use Copy" control for now because it's not gracefully handled in OpenLDAP MMR setups.
1.2.2
Release Date: 2014-10-21
- Relaxed regex patterns for DNS-related attributes to allow underscore.
- ldap.PROTOCOL_ERROR is now silently ignored when trying to read the server's rootDSE.
- Fixed using the subentries extended control.
1.2.1
Release Date: 2014-10-09
- Fixed sanitizing input values in case of equality search on OctetString syntaxes.
1.2.0
Release Date: 2014-10-03
- Installation and configuration changes
- The following changes to local system installation/configuration are required:
  - Update will break your existing installation/configuration!
  - Upgrade to Python 2.7.0 or newer.
  - Upgrade to python-ldap 2.4.14 or newer.
  - Old separate TLS configuration parameters were obsoleted by new parameter tls_options.
- New features/enhancements
- Implemented multi-session cookie handling with cross-checking against web2ldap's session ID to prevent attacks in case the web server's access logs are not kept confidential. Cookie usage is enabled by setting cookie_length to a non-zero cookie value length.
- Now more TLS options can be set by using the more flexible host-/backend-specific parameter tls_options.
- Input form entry data is now processed in different steps to give plugin classes access to more attributes in the different stages. Especially there's a new method LDAPSyntax.transmute() which has guaranteed access to the whole entry and will be called several times if needed to make composing attribute values possible.
- The sequence of keys used to determine HTML templates from input_template and read_template is now first the single STRUCTURAL object class followed by all non-STRUCTURAL object classes.
- New context menu item [Clone] when displaying a single entry leads to add form being displayed with the old entry used as template.
- HTTP headers pre-configured with http_headers are now consistently used for every HTTP response generated.
- Bulk modification/moving of entries derived from search results. New context menu item [Bulk modify] is shown when displaying search results.
- Bulk deleting of entries derived from search results. New context menu item [Delete] is shown when displaying search results.
- New host-/backend-specific configuration parameter supplement_schema allows extending the subschema with the content of a locally installed LDIF file.
- New host-/backend-specific configuration parameter schema_strictcheck to deal with buggy subschema in some LDAP servers (e.g. issue #47811 in 389-DS).
- Monitor page now shows maximum of concurrent sessions and how many sessions were removed after timeout in the session counter table.
- New host-/backend-specific configuration parameter naming_contexts allows setting a list of fake namingContexts values.
- When starting in stand-alone mode the hostname in command-line option -l is now fully honored to determine SERVER_NAME and thus the cookie domain. This works around a cookie issue with Google Chrome etc. when listening just on 127.0.0.1. You can now add e.g. localhost.localdomain to your /etc/hosts and set the hostname with -l.
- Plugin classes SelectList and friends now support additional option title. In particular DynamicValueSelectList looks for attributes description or info to determine the option title.
- Former configuration template files/snippets defined with status_template, html_begin_template and link_css are now all consolidated in one HTML template top_template.
- The redirect page can also be defined with an HTML template file referenced by redirect_template.
- Added OpenSearch example file.
- "Don't Use Copy" control is used if readable in rootDSE attribute supportedControl when reading an entry before presenting modification input form. OIDs from RFC 6171 and OpenLDAP experimental are supported.
- Dropped features
- Support for normally unused parameter web2ldapcnf.sec_expire was removed, also due to security issues with setting it to a non-zero value.
- Host-/backend-specific parameter login_default_mech is now obsolete. You can specify a default login mechanism in the HTML template referenced by login_template.
- Changes in the UI
- Full bookmark links are now generated and added as link to <head> section and in the displayed status area.
- When choosing [Modify] from the context menu the entry input form is shown directly.
- The entry input form now provides [+] and [-] buttons for easier input handling of multi-valued attributes.
- The entry input form now provides a button [Classes] for changing the set of chosen object classes.
- New plugin class AuthzDN additionally displays a description of the referenced entry. Registered for the following attribute types:
  - creatorsName
  - modifiersName
  - reqAuthzID
  - monitorConnectionAuthzDN
- If the user submitted a search form without assertion values the same search form is re-displayed now.
- When displaying search results the context menu now has a new menu item [Modify Search] which allows editing the search input in an advanced search form if base or advanced search form was used before.
- Context menu is no longer displayed along with the input form for a new entry.
- When adding a new entry two different forms are available for choosing the object classes:
  - Templates: Displays a radio button list to choose from pre-configured LDIF templates.
  - Expert: Displays multi-select lists for choosing the object classes manually.
- mailto: links are only displayed along with search results if not only partial results were retrieved. Adding a mail address more than once is avoided.
- Bugs fixed
- Better error handling when exporting data to e.g. avoid HTML error messages appearing in LDIF export.
- More graceful handling of errors when accessing an LDAP server with very paranoid security settings (no anon bind, explicit bind required, etc.).
- Security
- Wherever possible the class random.SystemRandom is now used for generating random stuff.