List of currently available features

Running Mode

User Interface

Many Output Formats


Plug-in modules/classes for specific handling of attributes/syntaxes. The following plug-in modules currently exist in directory web2ldap/w2lapp/schema/plugins/:

Module nameDescription
acp133 mainly LDAP syntaxes defined for ACP 133 with simple select lists, but could not tested
activedirectory For MS AD and Samba 4
aedir powerful plugin classes for maintaining Æ-DIR
apple support for Apple Open Directory
asn1objects Class which can dump BER objects as pretty-printed ASN.1
dds for dynamic entries defined in RFC 2589
dhcp for ISC dhcpd with LDAP backend
dns for DNS RR entries like defined in dnsdomain2.schema
edirectory Various syntaxes found in draft-sermersheim-nds-ldap-schema
eduperson for attributes defined eduPerson
entrust Some small syntax quirks for Entrust PKI schema
exchange Some small quirks for Exchange 5.5
freeipa Some small quirks for FreeIPA
groups handles DN attributes related to groups
h350 for H.350 attributes defined in RFC 3944
ibmds Some small quirks for IBM Directory Server
inetorgperson Plugin classes solely registered for composing certain attributes used with inetOrgPerson (see RFC 2798).
krb5 for heimdal and MIT Kerberos schema
ldapns LDAP-based naming service
lotusdomino for attributes in Lotus Domino's LDAP service
msperson See stroeder.com.schema
mssfu30 Microsoft System Services for Unix 3.0
nis NIS attributes (see also RFC 2307)
oath Attributes used with OATH-LDAP
opends mainly some configuration attributes used in OpenDJ (formerly known as OpenDS)
openldap some attributes used in OpenLDAP for back-config and slapo-accesslog (see also draft-chu-ldap-logschema)
pgpkeysrv Multi-line fields for PGP keys
pilotperson for attributes defined in RFC 1274
pkcschema for attributes defined in draft-ietf-pkix-ldap-pkc-schema
ppolicy for attributes defined in draft-behera-ldap-password-policy
quirks Various quirks for very misbehaving servers
samba for Samba 3
schac for attributes defined in SCHAC
subentries for attributes defined for subentries (see RFC 3672)
vchupwdpolicy covering central password policy configuration attributes defined in draft-vchu-ldap-pwd-policy
vpim for attributes defined in VPIM (see RFC 4237)
x500dsa for attributes available on real X.500 DSAs

Advanced LDAP features

Schema support
  • Full LDAPv3 sub schema sub entry support when displaying an entry or input form with required and allowed attributes.
  • Built-in schema browser displays all forward and backward references to other schema elements as links for all supported schema elements and allows a simple wildcard search by OID or NAME patterns.
  • Supported and used schema attributes:
    • attributeTypes
    • dITContentRules
    • ldapSyntaxes
    • matchingRuleUse
    • matchingRules
    • objectClasses
    • dITStructureRules
    • nameForms
  • Schema support has reasonable performance since caching of parsed sub schema sub entries is done.
  • Full support for inherited schema elements (object classes and attribute types).
  • Fall-back to a local schema definition in configuration stored in LDIF file used in case the subschema subentry is inaccessible.
  • Special handling of collective attributes.
Write Access
  • Support for adding, modifying, deleting entries, deleting sub trees and renaming entries.
  • Schema-aware to provide schema-matching input forms for add/modify.
  • Octet strings can be directly edited as hex-bytes.
  • Plug-in classes implement specific input fields for many vendor-specific attributes.
  • Configurable LDIF templates for new entries.
  • Input values for some attributes/syntaxes (e.g. jpegPhoto, certificates and CRLs) are automagically converted to the right format.
Password attributes
  • Password Modify Extended Operation (see RFC 3062)
  • Generating client-hashed userPassword values (see also draft-stroeder-hashed-userpassword-values).
  • Synced setting of userPassword and Samba NT password attribute (support for old LAN manager hash was dropped in 1.1).
  • Attribute shadowLastChange set if an entry has object class shadowAccount.
  • Resetting the password attribute unicodePwd in MS AD.
  • Removing various password-related attributes is supported even when the values are not visible (write-only access). Relax Rules Control can be used to remove operational attributes.
Group administration feature
Convenient, secure and efficient way to add/remove an entry to/from a group entry. Many common group object classes are automagically supported: Even large groups (>100000 members) are handled with reasonable performance. Security problems even with distributed management are avoided by "just doing it right".
LDAP connection handling
Automatically determine the protocol version and features supported by the LDAP server. Falls back to reasonable defaults if features are not available.
It it possible to directly use LDAP URLs (see RFC 4516) to reference LDAP entries and LDAP search results. Example: http://demo.web2ldap.de:1760/web2ldap/ldapurl?ldap://ldap.openldap.org/dc=openldap,dc=org Note: Although most LDAP URLs will work you should use URL-quoted LDAP URLs.
Root DSE
  • Uses attribute namingContexts from RootDSE to determine appropriate search root automatically.
LDAPv3 Referrals
  • Displays new login mask to repeat current action after chasing a referral.
  • Search continuations are displayed.
Locating LDAP service
Try to locate a LDAP host for a specific domain, dc-style DN (RFC 2247, RFC 2377) or e-mail address (see draft-ietf-ldapext-ldap-taxonomy).
  • Well known DNS aliases (kinda primitive anyway)
  • LDAPv3 Referrals (knowledge references)
  • Locate LDAP host via SRV RR (see also RFC 2782). This is automatically done if e.g a LDAP URL does not contain a host name but a dc-style DN or if an error response was received with error code NO_SUCH_OBJECT (somewhat inspired by RFC 3088).
allowed* attributes
Some attributes provided by MS Active Directory and partially by OpenLDAP's slapo-allowed are used:
  • allowedAttributesEffective to determine writeable attributes when displaying entry input form for modification
  • allowedChildClasses to determine suitable object classes for child entries when displaying object class select form during adding new entry
LDAPv3 extended controls
Manage DSA IT mode
For editing referral entries (see RFC 3296).
Two different controls for searching subentries (see RFC 3672 and draft-ietf-ldup-subentry-07)
Relax Rules Control (formerly Manage DIT control)
For editing operational attributes (see draft-zeilenga-ldap-relax).
Tree Delete
deletion of whole subtrees with a single DeleteRequest (see draft-armijo-ldap-treedelete).
Assertion Control
is used when sending a modify request if the seems to support it to prevent the server to process the request if the entry has been changed in between (see RFC 4528). Host-specific parameter modify_constant_attrs is used to generate the assertion filter.
Password policy
Displaying password warnings and guide the user to change the password (see draft-behera-ldap-password-policy).
Read Entry Control
Retrieving DN and attribute entryUUID when adding/renaming an entry (see RFC 4527).
Session Tracking Control
The client's IP address, the server name and the LDAPObject instance hash is sent to the LDAP server for debugging (see draft-wahl-ldap-session).
OpenLDAP's no-op search control
Count of all search results is retrieved by using OpenLDAP's no-op search control in case only partial search results were returned (see OpenLDAP ITS#6598).
Don't Use Copy control
Is used if found in rootDSE attribute supportedControl when reading an entry before presenting modification input form. OIDs from RFC 6171 and OpenLDAP experimental are supported.
LDAPv3 extended operations
provides transport layer security with TLS (see RFC 4513).
"Who am I?"
this operation shows which bind-DN is in effect e.g. when using SASL bind (see RFC 4532).
Password Modify Extended Operation
for server-side password setting (see RFC 3062).
Refresh Dynamic Entry Extended Operation
for server-side refreshing of a dynamic entry (see RFC 2589).
LDAPv3 extensions
All Operational Attributes
Request the server to return all operational attributes in a search response. (See rootDSE attribute supportedFeatures, OID, see also RFC 3673)

Advanced HTTP options


SASL login mechanisms

Supported Mechanism(s)Remark
DIGEST-MD5, CRAM-MD5 Password-based challenge-response mechs: use short user name in login form, not the bind-DN
PLAIN is supported but not recommended unless SSL/TLS is used
EXTERNAL Usable for LDAPS, StartTLS or LDAPI connections. End-user authentication is only meaningful if the web2ldap is started in stand-lone mode as a personal client.
GSSAPI Usable for Kerberos V authentication. User authentication is only meaningful if the web2ldap is started in stand-lone mode as a personal client and the user obtained a TGT from the KDC before (with command-line tool kinit).