List of currently available features

See the roadmap for features which will be added in the future.

Feature requests can be made through the feedback form.

Running Mode

User Interface

Many Output Formats


Plug-in modules/classes for specific handling of attributes/syntaxes. The following plug-in modules currently exist in directory pylib/w2lapp/schema/plugins/:

Module name       Description
acp133            mainly LDAP syntaxes defined for ACP 133 with simple select lists; not tested
activedirectory   For MS AD and Samba 4
aedir             powerful plugin classes for maintaining Æ-DIR
apple             support for Apple Open Directory
asn1objects       Class which can dump BER objects as ASN.1 with module pisces
dds               for dynamic entries defined in RFC 2589
dhcp              Various attributes with dynamic select lists
dns               for DNS RR entries as defined in dnsdomain2.schema
edirectory        Various syntaxes found in draft-sermersheim-nds-ldap-schema
eduperson         for attributes defined in eduPerson
entrust           Some small syntax quirks for Entrust PKI schema
exchange          Some small quirks for Exchange 5.5
freeipa           Some small quirks for FreeIPA
groups            handles DN attributes related to groups
h350              for H.350 attributes defined in RFC 3944
ibmds             Some small quirks for IBM Directory Server
inetorgperson     Plugin classes solely registered for composing certain attributes used with inetOrgPerson (see RFC 2798)
krb5              for Heimdal and MIT Kerberos schema
ldapns            LDAP-based naming service
lotusdomino       for attributes in Lotus Domino's LDAP service
msperson          See stroeder.com.schema
mssfu30           Microsoft System Services for Unix 3.0
nis               NIS attributes (see also RFC 2307)
oath              Attributes used with OATH-LDAP
opends            mainly some configuration attributes used in OpenDJ (formerly known as OpenDS)
openldap          some attributes used in OpenLDAP for back-config and slapo-accesslog (see also draft-chu-ldap-logschema)
pgpkeysrv         Multi-line fields for PGP keys
pilotperson       for attributes defined in RFC 1274
pkcschema         for attributes defined in draft-ietf-pkix-ldap-pkc-schema
ppolicy           for attributes defined in draft-behera-ldap-password-policy
quirks            Various quirks for very misbehaving servers
samba             for Samba 3
schac             for attributes defined in SCHAC
subentries        for attributes defined for subentries (see RFC 3672)
vchupwdpolicy     covering central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy
vpim              for attributes defined in VPIM (see RFC 4237)
x500dsa           for attributes available on real X.500 DSAs

Advanced LDAP features

Schema support
Write Access
Password attributes
Group administration feature
Convenient, secure and efficient way to add/remove an entry to/from a group entry. Many common group object classes are automagically supported: even large groups (>100000 members) are handled with reasonable performance. Security problems, even with distributed management, are avoided by "just doing it right".
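The "just doing it right" part is that a membership change is sent as a per-value add or delete inside one ModifyRequest, never as a read-modify-write of the whole member list. The following is an added example, not web2ldap's own plugin code: the object-class-to-attribute mapping in GROUP_CLASSES and the helper name membership_mods are assumptions made for this illustration, and the modlist tuples follow the (op, attribute, values) shape of python-ldap's modify operations.

```python
"""Per-value membership changes for the common LDAP group object classes (added example)."""

# ModifyRequest operation codes as in RFC 4511 (python-ldap uses the same numbers).
MOD_ADD, MOD_DELETE = 0, 1

# Group object class (lower-cased) -> (membership attribute, what its values are).
# Assumed mapping for this example; web2ldap's own plugin classes are not used.
GROUP_CLASSES = {
    "groupofnames": ("member", "dn"),
    "groupofuniquenames": ("uniqueMember", "dn"),
    "posixgroup": ("memberUid", "uid"),
}


def membership_mods(group_object_classes, member_dn, member_entry, add=True):
    """Return the modlist [(op, attr, [value]), ...] that adds or removes ONE
    member from a group, without touching any of the other member values.

    A per-value add/delete is what keeps this both safe and cheap: the server
    applies the request atomically, so a concurrent change made by another
    administrator is not overwritten, and the client never has to read or
    resend the other 100,000 members.
    """
    op = MOD_ADD if add else MOD_DELETE
    mods = []
    for oc in group_object_classes:
        spec = GROUP_CLASSES.get(oc.lower())
        if spec is None:
            continue                     # e.g. "top": carries no membership attribute
        attr, kind = spec
        if kind == "dn":
            value = member_dn
        else:
            # posixGroup lists members by uid, so take it from the member's entry
            uids = member_entry.get("uid", [])
            if len(uids) != 1:
                raise ValueError("posixGroup needs exactly one uid, got %r" % (uids,))
            value = uids[0]
        mods.append((op, attr, [value]))
    if not mods:
        raise ValueError("no supported group object class in %r" % (group_object_classes,))
    return mods


if __name__ == "__main__":
    # constructed sample data
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(membership_mods(["top", "groupOfNames", "posixGroup"], alice, {"uid": ["alice"]}))
    print(membership_mods(["groupOfUniqueNames"], alice, {"uid": ["alice"]}, add=False))
```

A group that carries several of these object classes gets one change per membership attribute, all within the same request, so the attributes cannot drift apart. Note that the schema for groupOfNames and groupOfUniqueNames requires at least one member value, so deleting the last member is rejected by the server with an objectClassViolation rather than silently leaving an empty group.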
LDAP connection handling
Automatically determine the protocol version and features supported by the LDAP server. Falls back to reasonable defaults if features are not available.
It is possible to directly use LDAP URLs (see RFC 4516) to reference LDAP entries and LDAP search results. Example: http://demo.web2ldap.de:1760/web2ldap/ldapurl?ldap://ldap.openldap.org/dc=openldap,dc=org Note: Although most LDAP URLs will work, you should use URL-quoted LDAP URLs.
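To see why URL-quoting matters, it helps to look at the structure of an LDAP URL: its components are separated by "?" and the filter may contain "&", both of which an HTTP query string would otherwise split on. The following is an added example, not web2ldap's own ldapurl handler; the LDAPUrl class, the parse/compose helpers and the choice of characters left unescaped are assumptions made for this illustration, and the endpoint address is the one quoted above.

```python
"""Parse, compose and URL-quote LDAP URLs as defined in RFC 4516 (added example)."""
from dataclasses import dataclass, field
from urllib.parse import quote, unquote

# The ldapurl endpoint named on the page (web2ldap's own handler is not used here).
LDAPURL_ENDPOINT = "http://demo.web2ldap.de:1760/web2ldap/ldapurl"

# Characters left unescaped inside each component; everything else becomes %XX.
# "?" is deliberately not in either set because it separates the components.
DN_SAFE = "=,+;"
FILTER_SAFE = "=()&|!*:~<>"


@dataclass
class LDAPUrl:
    scheme: str = "ldap"
    hostport: str = ""             # empty means "use the default server"
    dn: str = ""
    attrs: list = field(default_factory=list)
    scope: str = "base"
    filterstr: str = "(objectClass=*)"
    extensions: str = ""


def parse_ldap_url(url: str) -> LDAPUrl:
    """Split an LDAP URL into its components, percent-decoding each one.

    The split on "?" happens BEFORE decoding (RFC 4516 section 2), so a literal
    "?" inside a DN or filter has to arrive as %3F; an unescaped one is an error.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, path = rest.partition("/")
    parts = path.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separators (unescaped '?' in a component?)")
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filterstr, extensions = parts
    scope = unquote(scope).lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown search scope: %r" % scope)
    return LDAPUrl(
        scheme=scheme,
        hostport=unquote(hostport),
        dn=unquote(dn),
        attrs=[unquote(a) for a in attrs.split(",") if a],
        scope=scope,
        filterstr=unquote(filterstr) or "(objectClass=*)",
        extensions=unquote(extensions),
    )


def compose_ldap_url(u: LDAPUrl) -> str:
    """Re-assemble an LDAP URL, escaping each component on its own."""
    url = "%s://%s/%s" % (u.scheme, u.hostport, quote(u.dn, safe=DN_SAFE))
    tail = [
        ",".join(quote(a, safe="") for a in u.attrs),
        u.scope if u.scope != "base" else "",
        quote(u.filterstr, safe=FILTER_SAFE) if u.filterstr != "(objectClass=*)" else "",
        quote(u.extensions, safe="=,!"),
    ]
    while tail and not tail[-1]:       # drop empty trailing components
        tail.pop()
    return url + "".join("?" + part for part in tail)


def web2ldap_link(ldap_url: str) -> str:
    """Embed an LDAP URL in the ldapurl endpoint, fully URL-quoted (safe='')
    so that its own '?', '&' and '=' cannot be mistaken for HTTP query syntax."""
    return LDAPURL_ENDPOINT + "?" + quote(ldap_url, safe="")


if __name__ == "__main__":
    for url in ("ldap://ldap.openldap.org/dc=openldap,dc=org",
                "ldap:///dc=example,dc=com?cn,mail?sub?(cn=Bob%20Smith)"):
        u = parse_ldap_url(url)
        print(u)
        print(web2ldap_link(compose_ldap_url(u)))
```

The second sample URL in the main block is constructed; it shows that a search URL with attribute list, scope and filter round-trips through parse and compose unchanged, while web2ldap_link encodes even the "://" so the whole LDAP URL survives as one query-string value.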
Root DSE
LDAPv3 Referrals
Locating LDAP service
Try to locate an LDAP host for a specific domain, dc-style DN (RFC 2247, RFC 2377) or e-mail address (see draft-ietf-ldapext-ldap-taxonomy).
allowed* attributes
Some attributes provided by MS Active Directory and partially by OpenLDAP's slapo-allowed are used:
LDAPv3 extended controls
Manage DSA IT mode
For editing referral entries (see RFC 3296).
Two different controls for searching subentries (see RFC 3672 and draft-ietf-ldup-subentry-07)
Relax Rules Control (formerly Manage DIT control)
For editing operational attributes (see draft-zeilenga-ldap-relax).
Tree Delete
Deletion of whole subtrees with a single DeleteRequest (see draft-armijo-ldap-treedelete).
Assertion Control
Used when sending a modify request, if the server seems to support it, to prevent the server from processing the request if the entry has been changed in between (see RFC 4528). The host-specific parameter modify_constant_attrs is used to generate the assertion filter.
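The assertion filter is what turns the modify into a compare-and-swap: the values of the attributes named in modify_constant_attrs are read when the edit form is built, and the server only applies the modification if those values still match. The following is an added example, not web2ldap's code; the helper names and the constructed modifyTimestamp/entryCSN values are assumptions made for this illustration, and only the filter string is produced here (the BER encoding of the control itself is left to the LDAP library).

```python
"""Build the RFC 4528 assertion filter that guards a modify request (added example)."""

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def assertion_filter(entry_as_read: dict, constant_attrs: list) -> str:
    """Return a filter that matches the entry only if the listed attributes
    still carry the values seen when the edit form was built.

    entry_as_read: {attribute: [values]} as returned by the search that filled
    the form. Attribute names are matched case-insensitively.
    """
    lower = {name.lower(): values for name, values in entry_as_read.items()}
    terms = []
    for attr in constant_attrs:
        values = lower.get(attr.lower(), [])
        if not values:
            # Absent when read: assert that it is still absent now.
            terms.append("(!(%s=*))" % attr)
        for value in values:
            terms.append("(%s=%s)" % (attr, escape_filter_value(value)))
    if not terms:
        return "(objectClass=*)"        # nothing to guard; matches unconditionally
    if len(terms) == 1:
        return terms[0]
    return "(&%s)" % "".join(terms)


def assertion_holds(entry_now: dict, entry_as_read: dict, constant_attrs: list) -> bool:
    """Model of what the server evaluates: True means the guarded values are
    unchanged and the modify proceeds; False is what the client sees as the
    assertionFailed result code (122) defined in RFC 4528.

    Simplification: the real server applies each attribute's equality matching
    rule; this model compares the values literally.
    """
    now = {n.lower(): sorted(v) for n, v in entry_now.items()}
    then = {n.lower(): sorted(v) for n, v in entry_as_read.items()}
    return all(now.get(a.lower(), []) == then.get(a.lower(), []) for a in constant_attrs)


if __name__ == "__main__":
    # constructed sample: the entry as read into the edit form
    read = {"modifyTimestamp": ["20240101120000Z"],
            "entryCSN": ["20240101120000.123456Z#000000#000#000000"]}
    guard = ["modifyTimestamp", "entryCSN"]
    print(assertion_filter(read, guard))
    # another client changed the entry while the form was open
    changed = dict(read, modifyTimestamp=["20240101120500Z"])
    print(assertion_holds(changed, read, guard))
```

Attributes such as modifyTimestamp and entryCSN are good candidates for modify_constant_attrs because any concurrent write changes them, so the stale edit is refused instead of silently overwriting the other change.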
Password policy
Displaying password warnings and guiding the user to change the password (see draft-behera-ldap-password-policy).
Authorization Identity Controls
Retrieving the authorization identity from a bind operation (see RFC 3829).
Read Entry Control
Retrieving DN and attribute entryUUID when adding/renaming an entry (see RFC 4527).
Session Tracking Control
The client's IP address, the server name and the LDAPObject instance hash are sent to the LDAP server for debugging (see draft-wahl-ldap-session).
OpenLDAP's no-op search control
Count of all search results is retrieved by using OpenLDAP's no-op search control in case only partial search results were returned (see OpenLDAP ITS#6598).
Don't Use Copy control
Used if found in rootDSE attribute supportedControl when reading an entry before presenting the modification input form. Both the OID from RFC 6171 and OpenLDAP's experimental OID are supported.
LDAPv3 extended operations
StartTLS
Provides transport layer security with TLS (see RFC 4513).
"Who am I?"
This operation shows which bind-DN is in effect, e.g. when using SASL bind (see RFC 4532).
Password Modify Extended Operation
For server-side password setting (see RFC 3062).
Refresh Dynamic Entry Extended Operation
For server-side refreshing of a dynamic entry (see RFC 2589).
LDAPv3 extensions
All Operational Attributes
Request the server to return all operational attributes in a search response (see the feature OID listed in rootDSE attribute supportedFeatures, and RFC 3673).

Advanced HTTP options


Please also check out the security page.

SASL login mechanisms

Supported Mechanism(s)   Remark
DIGEST-MD5, CRAM-MD5     Password-based challenge-response mechanisms: use the short user name in the login form, not the bind-DN
PLAIN                    Supported, but not recommended unless SSL/TLS is used
EXTERNAL                 Usable for LDAPS, StartTLS or LDAPI connections. End-user authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client.
GSSAPI                   Usable for Kerberos V authentication. User authentication is only meaningful if web2ldap is started in stand-alone mode as a personal client and the user has obtained a TGT from the KDC beforehand (with the command-line tool kinit).