Added plugin class for displayName in aeDept entries.
Plugin class for aeDept uses displayName in select lists.
Support for new attribute aeDisplayNameGroups.
Added filter part for excluding zone pub in rights group DNs.
Aligned HTML templates with upstream.
Fixed issues with memberUID attribute not being removed
in case of absent member values.
Release Date: 2016-08-05
Plugin class attribute DistinguishedName.ref_attrs can now
have additional element for specifying the object class of referring
New plugin class attribute LDAPSyntax.simpleSanitizers can
be used to define a series of simple one-argument functions (e.g.
str.lower or similar) which are applied in method
Note that more complex plugin classes likely do not call this though.
Search continuations (referrals) are now simply ignored when processing
possible parent zone entries in plugin class for associatedDomain.
Default plugin class for aePerson is now based on
Added support for aeDept entries.
Added plugin class for auto-generating uniqueIdentifier
attribute value in aePerson entries.
Added plugin class for attribute manager in
Updated/improved HTML and LDIF templates.
Fixed login template selection during re-login.
Release Date: 2016-06-27
Fall-back for empty DN in base plugin class
Use (objectClass=*) as default when empty filter was input to
Release Date: 2016-06-23
Serious security fix:
Previous StartTLS is now correctly honored in
login form hidden parameters.
When displaying the available LDIF templates after [New entry] the
superior entries are now displayed with HTML template snippets defined
with host-/backend-specific parameter
Added new LDIF template for Æ-DIR primary user account
with AUX class inetLocalMailRecipient for mailbox users.
Release Date: 2016-06-21
Added config presets, plugin classes and templates for new Æ-DIR
Increased maxlength for LDAP filter string in expert search
form to 1200 chars.
Release Date: 2015-12-28
Updated work-around in syntax class Boolean for handling lower-case attribute values.
(I hate LDAP servers not sticking to
CSS and markup improvements for printable output.
Plugin class for pwdChangedTime now strictly reads
referenced ppolicy entry with filter (objectClass=pwdPolicy).
Plugin class for namingContexts:
Now also registered for OpenDJ attributes
ds-private-naming-contexts and ds-cfg-base-dn.
Now displays link to search accompanying OpenDJ's backend
configuration entries beneath cn=Backends,cn=config.
Now displays link to search accompanying OpenLDAP or OpenDJ backend
monitoring entry beneath cn=monitor.
Release Date: 2015-12-16
New plugin class for olcPPolicyDefault checks whether
attribute value references existing pwdPolicy entry.
Plugin class for namingContexts also registered for
attribute olcSuffix used by OpenLDAP's back-config.
Plugin class for auditContext also registered for
attribute olcAccessLogDB used by OpenLDAP's back-config.
When displaying a single entry the same search_filter and
no_cache arguments are now used when additionally reading
potentially hidden operational attributes.
Usage of host-/backend-specific parameter requested_attrs has
changed when displaying a single entry:
Only attributes which were not read with prior search operation and
which are part of the subschema are really used when additionally
reading potentially hidden operational attributes.
If Python modules
are installed then function vatnumber.check_vat() is used
to check values in attribute euVATId instead of regex check.
Release Date: 2015-12-08
Fixed regression for determining whether only partial search results
were retrieved. mailto: links were not displayed.
New plugin class GroupEntryDN registered for various
combinations of DN-valued attributes and structural object classes
mainly for searching group members by memberOf:
group (MS AD)
aeGroup (used as base class)
Plugin class for namingContexts now displays
link into tree browser.
New plugin class for OpenLDAP rootDSE attributes
configContext and monitorContext.
Plugin class for memberOf now also registered for OpenDJ's
Attribute krbMaxRenewableAge also registered with plugin
Added plugin module for the FreeIPA
which does not contain much yet though.
Added some HTML templates for displaying entries in OpenLDAP's accesslog.
Release Date: 2015-11-28
Fixed regression in plugin class method
General clean-up and many typos fixed in various HTML templates.
Added separate read HTML templates for OpenLDAP's cn=config.
Special installation recipe for Debian Jessie (sigh!).
Changed shebang lines to explicitly invoke python2.7
to avoid issues with distributions changing the default Python version.
Uniqueness checks performed when registering plugin classes:
Syntax class oid must not be re-used.
An exception is raised in this case which gives details about the
A warning is written to stderr when overriding a
formerly registered plugin class for an attribute type.
Fixed a couple of misregistrations of plugin classes.
A warning is written to stderr during startup when importing
site-specific configuration module web2ldapcnf.local fails.
Release Date: 2015-01-30
All remote IP addresses ever getting a session are counted.
The code maintaining session ID and remote IP associations was cleaned up.
Standard search form templates were overhauled. Redundant templates were
removed and more specific templates added (NIS, DNS, DHCP).
Empty search attribute type is simply ignored.
User interface of enabling/disabling extended controls was overhauled:
Controls can now be enabled/disabled with one click
(no separate <form>).
Per default only controls known in rootDSE are listed.
The list can be expanded with one click though.
Unknown controls are displayed struck through instead of with an X in a
separate table column. This also saves horizontal space.
Removed erroneous handling of Values Sort Control.
Release Date: 2015-01-27
Fixed again generating input form values for associatedDomain.
Plugin class for associatedDomain now displays links to
search matching A RR entries for reverse DNS RR entries
Fixed regression when displaying error message in schema viewer.
New plugin classes for attribute types member and
Release Date: 2015-01-25
Implemented per-remote-IP session limits in addition to the global limit.
This requires new global parameter
to be set in your configuration.
OctetString values are now displayed as a proper hex-dump
with offset and ASCII excerpt.
Registered more Kerberos attribute types with Timespan
Fixed some small issues found with pychecker.
Release Date: 2015-01-22
Fixed plugin class registration bug which could lead to
Major changes to displaying of search results:
Detailed view of search parameters and the export form is provided
at end of page. An intra-document link points to that section.
Mainly this saves vertical space at top of page.
An equivalent ldapsearch command-line is generated based
on the search parameters which is only compatible with OpenLDAP's
command-line tool though.
Some minor fixes in HTML markup.
More minor improvements in DIT browser.
Start of main <div> and top anchor are now part of
This makes the top link always work independent of the CSS layout.
Small HTML fixes here and there.
Release Date: 2015-01-21
Added workaround in DIT browser for servers which return search results
for one-level search below an empty root DN.
Limits/error handling of DIT browser is more robust now
DIT_MAX_LEVELS is now enforced in DIT browser.
For the currently selected DN the link is now for collapsing the sub-tree
(simply browse from parent entry).
Intra-document links are displayed in "Syntax check failed"
which point to the attribute's input field. This is helpful for the
user if HTML templates are used for input names without mentioning real
Some minor improvements to default CSS theme.
For all [Up] and [Down] links the advanced search form is used now.
Release Date: 2015-01-20
Added basic DIT browser reachable with [Tree] in main menu.
This is a rather useless feature if you have more than a handful of
entries. But many people seem to be keen to waste their time clicking
around in their web browser instead of using a proper search.
Release Date: 2015-01-19
Some minor changes to default CSS theme especially for smaller displays.
Fixed various subtle UnicodeError exceptions,
added more related assertions.
Release Date: 2015-01-18
Fixed UnicodeError exception when adding entries below a DN
with non-ASCII chars.
Finally a new default CSS theme was made (overdue for 1.2.x).
Hope you like it.
The old 1.1 CSS theme can still be found in file
Added plugin class for sSHFPRecord.
Schema viewer now points to advanced search form for searching by
attribute type existence or object class.
When generating select fields for attribute types unnecessary sorting
is avoided, value uniqueness is ensured and sorting is done
All input HTML templates now make extensive use of <fieldset> and
<legend> tags instead of sub headings to group related input fields.
Release Date: 2015-01-15
Fixed unhandled exception when displaying dhcpStatement
value with no space-separated value.
Fixed generating input form values for associatedDomain.
Fixed/improved some HTML search form templates.
Added plugin class for mXRecord.
Added additional safety check for invalid key string in HTML template
Added example configuration snippet for accessing web2ldap running as
external FastCGI responder via lighttpd.
Added script sbin/web2ldap_postinstall.sh which adds daemon
user/group, creates directories and fixes ownership/permissions.
Added select list plugin class for NIS attribute ipServiceProtocol.
Added inputform template for dNSDomain2.
Updated fallback schema file localschema.ldif.
links are used for all IETF docs, PyPI and Google code links.
Old separate TLS configuration parameters were obsoleted by new parameter
Implemented multi-session cookie handling with cross-checking
against web2ldap's session ID to prevent attacks in
case the web server's access logs are not kept confidential.
Cookie usage is enabled by setting
to a non-zero cookie value length.
Now more TLS options can be set by using the more flexible
Input form entry data now processed in different steps to give
plugin classes access to more attributes in the different stages.
Especially there's a new method LDAPSyntax.transmute()
which has guaranteed access to the whole entry and will be called
several times if needed to make composing attribute values possible.
The sequence of keys used to determine HTML templates from
is now first the single STRUCTURAL object class
followed by all non-STRUCTURAL object classes.
New context menu item [Clone] when displaying a single entry
leads to add form being displayed with the old entry used as
HTTP headers pre-configured with
are now consistently used for every HTTP response generated.
Bulk modification/moving of entries derived from search results.
New context menu item [Bulk modify] is shown when displaying search results.
Bulk deleting of entries derived from search results.
New context menu item [Delete] is shown when displaying search results.
New host-/backend-specific configuration parameter
allows extending the subschema with the content of a locally
installed LDIF file.
Monitor page now shows maximum of concurrent sessions and how
many sessions were removed after timeout in the session counter
New host-/backend-specific configuration parameter
allows setting a list of fake namingContexts values.
When starting in stand-alone mode the hostname in command-line
option -l is now fully honored to determine
SERVER_NAME and thus the cookie domain.
This works around a cookie issue with Google Chrome etc.
when listening just on 127.0.0.1. You can now add e.g.
localhost.localdomain to your /etc/hosts and set the
hostname with -l.
Plugin classes SelectList and friends now support
additional option title. In particular DynamicValueSelectList
looks for attributes description or info to
determine the option title.
Former configuration template files/snippets defined with
status_template, html_begin_template and
link_css are now all consolidated in one HTML template
The redirect page can also be defined with an HTML template file referenced by
"Don't Use Copy" control is used if readable in rootDSE
attribute supportedControl when reading an entry before
presenting modification input form.
OIDs from RFC 6171
and OpenLDAP experimental are supported.
Support for normally unused parameter web2ldapcnf.misc.sec_expire
was removed also due to security issues with setting it to non-zero value.
Host-/backend-specific parameter login_default_mech is now
obsolete. You can specify a default login mechanism in the HTML
template referenced by
Changes in the UI
Full bookmark links are now generated and added as link to
<head> section and in the displayed status area.
When choosing [Modify] from the context menu the entry input form
is shown directly.
The entry input form now provides [+] and [-] buttons for easier
input handling of multi-valued attributes.
The entry input form now provides a button [Classes] for changing
the set of chosen object classes.
New plugin class AuthzDN additionally displays a
description of the referenced entry. Registered for the
following attribute types:
If the user submitted a search form without assertion values the
same search form is re-displayed now.
When displaying search results the context menu now has a new
menu item [Modify Search] which allows editing the search input
in an advanced search form if base or advanced search form was
The context menu is no longer displayed along with the input form for a new entry.
When adding a new entry two different forms are available for
choosing the object classes:
Displays a radio button list to choose from pre-configured
Displays multi-select lists for choosing the object classes
mailto: links only displayed along with search
results if not only partial results were retrieved. Adding a
mail address more than once is avoided.
Better error handling when exporting data, e.g. to avoid HTML
error messages appearing in LDIF export.
More graceful handling of errors when accessing an LDAP server
with very paranoid security settings (no anon bind, explicit
bind required, etc.).