hosts.py

The configuration module directory web2ldapcnf/

This section describes the parameters related to specific LDAP hosts/backends.


ldap_uri_list

List of LDAP URLs which will appear in the default select list of the login form. It may contain either strings (only a LDAP URL) or 2-tuples of strings containing LDAP URL and description.

Example:

ldap_uri_list = [
  'ldap://localhost',
  ('ldap://ldap.openldap.org',u"OpenLDAP's demo server"),
]
  

restricted_ldap_uri_list

If non-zero (or True), gateway access is restricted to the LDAP servers specified in ldap_uri_list. Note that the check is case-sensitive (because of the possibly case-sensitive path names of Unix domain sockets used with LDAPI)!
Default in source distribution: 1 (restriction enabled)
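The allow-list check described above, as an added example that is not web2ldap's own code: it pulls the bare URLs out of an ldap_uri_list holding both plain strings and (URL, description) tuples and compares a requested URL against them exactly, so that an LDAPI URL differing only in the case of its socket path is rejected. The configuration values are constructed for the example; the LDAPI socket path is hypothetical.

```python
# Added example (not web2ldap's own code): enforce restricted_ldap_uri_list
# against the mixed-shape ldap_uri_list described above.

# Constructed sample configuration, in the shape the page documents:
# plain LDAP URL strings or (URL, description) 2-tuples.
ldap_uri_list = [
    'ldap://localhost',
    ('ldap://ldap.openldap.org', u"OpenLDAP's demo server"),
    'ldapi://%2Frun%2FSlapd%2Fldapi',  # hypothetical LDAPI socket path
]
restricted_ldap_uri_list = 1


def allowed_ldap_uris(uri_list):
    """Return the bare LDAP URLs from an ldap_uri_list value.

    Each item is either a string (just the URL) or a 2-tuple of
    (URL, description); only the URL part takes part in the check.
    """
    uris = []
    for item in uri_list:
        if isinstance(item, (tuple, list)):
            uris.append(item[0])
        else:
            uris.append(item)
    return uris


def ldap_uri_allowed(uri, uri_list, restricted):
    """Decide whether a user-supplied LDAP URL may be used by the gateway.

    With restriction disabled anything goes; with it enabled the URL must
    match an entry of uri_list exactly. The comparison is deliberately
    case-sensitive, as the page notes, because an LDAPI URL carries a
    Unix socket path that may itself be case-sensitive.
    """
    if not restricted:
        return True
    return uri in allowed_ldap_uris(uri_list)
```

Keeping the restriction enabled (the source default) means the gateway can only be pointed at directories you configured, not at arbitrary hosts a user types into the login form.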

ldap_def

This is a string-keyed dictionary (Python data structure) which holds all options specific to certain LDAP hosts or backends (naming contexts). The values of the dictionary ldap_def are instances of the simple class Web2LDAPConfig, which is instantiated via keyword arguments.

Cascaded configuration

Any configuration parameter in the dictionary web2ldapcnf.hosts.ldap_def is retrieved by looking at the dictionary items with the string keys

  1. 'ldap://ldap_host/ldap_basedn',
  2. 'ldap:///ldap_basedn',
  3. 'ldap://ldap_host' and
  4. '_'

in this particular order. All those string keys MUST be valid LDAP URLs, except for the default section, which is marked by a single underscore.
This makes it possible to hold several database backends on the same host under the same DNS name. It also shortens the ldap_def dictionary by avoiding repetition of the same options for every server, and makes browsing completely unconfigured hosts easy.

Configuration Example

ldap_def = {

  '_': Web2LDAPConfig(
    # Default fall-back options
  ),

  'ldap://nldap.com': Web2LDAPConfig(
    # Per-host options for host nldap.com
  ),

  'ldap:///dc=openldap,dc=org': Web2LDAPConfig(
    # Options for naming context dc=openldap,dc=org
    # regardless on which server
  ),

  'ldap://localhost/dc=stroeder,dc=com': Web2LDAPConfig(
    # Options dictionary entries for backend
    # on host localhost with naming context dc=stroeder,dc=com
  )

}
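The cascaded lookup described above, as an added example that is not web2ldap's own code: the four candidate keys are tried most-specific first, and a section that exists but does not define the requested parameter is skipped so the next one can supply it. The Web2LDAPConfig class here is a stand-in that only stores its keyword arguments, the ldap_def contents are constructed, and keys are assumed to be matched as plain strings (no normalisation of host names or DNs).

```python
# Added example (not web2ldap's own code): the cascaded lookup order the
# section above describes, over a constructed ldap_def.
# Web2LDAPConfig below is a stand-in that only stores keyword arguments;
# web2ldap's real class and lookup code are not shown on this page.

class Web2LDAPConfig:
    """Stand-in: keeps the per-host/backend options given as keyword args."""

    def __init__(self, **options):
        self.options = options


# Constructed ldap_def using the four key shapes from the text.
ldap_def = {
    '_': Web2LDAPConfig(
        description='fallback',
        search_resultsperpage=10,
        timeout=-1,
    ),
    'ldap://ldap.example.com': Web2LDAPConfig(
        description='example.com directory server',
    ),
    'ldap:///dc=example,dc=com': Web2LDAPConfig(
        search_resultsperpage=25,
    ),
    'ldap://ldap.example.com/dc=example,dc=com': Web2LDAPConfig(
        timeout=30,
    ),
}


def candidate_keys(host, basedn):
    """Keys to try, most specific first, in the order the text gives."""
    keys = []
    if host and basedn:
        keys.append('ldap://%s/%s' % (host, basedn))
    if basedn:
        keys.append('ldap:///%s' % basedn)
    if host:
        keys.append('ldap://%s' % host)
    keys.append('_')
    return keys


def cascaded_param(ldap_def, host, basedn, name, default=None):
    """Return parameter `name` from the first matching section that defines it.

    A section that exists but does not define the parameter is skipped,
    so a naming-context section can override one value while the host
    section still supplies the rest. `default` stands for the system
    default the text mentions for parameters no section defines.
    """
    for key in candidate_keys(host, basedn):
        section = ldap_def.get(key)
        if section is not None and name in section.options:
            return section.options[name]
    return default
```

Note the consequence for security-relevant parameters such as ssl_minlevel or starttls: a per-naming-context key ('ldap:///...') takes precedence over the per-host key, so a value set there applies on every server that hosts that naming context.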
  
Now each parameter is described. The system default value is assumed if the parameter is not defined at all (no such keyword argument). Most of the time this default value simply switches off a certain behaviour.
addform_entry_templates
This parameter defines a set of LDIF templates for new entries, each with a short descriptive identifier. The identifiers are shown in a radio button field after choosing [New entry] from the main menu.
This is a dictionary with free-form identifiers as key and path names of the LDIF template files as value.
Default:
{}
Example (the variant with os.path.join(web2ldapcnf.templates_dir,..) automatically determines the standard template directory):
addform_entry_templates={
  'Person':os.path.join(web2ldapcnf.templates_dir,'add_person.ldif'),
  'My User Account':'/home/web2ldap/lib/add_myuser.ldif',
},
          
binddnsearch
Search filter template for smart login. Occurrences of %s are substituted by the string the user entered.
Note:
Think about using indexed attributes here! A bad filter template can be a performance hog.
Default:
'(uid=%s)'
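An added example, not web2ldap's own substitution code (which this page does not show), of what filling %s in a binddnsearch template requires: the login string is escaped per RFC 4515 before substitution, so characters such as '*', '(' or ')' typed into the login form stay literal assertion values instead of changing the structure of the filter. Template strings and inputs below are constructed.

```python
# Added example (not web2ldap's own code): substituting the user's login
# string into a binddnsearch template. What this demonstrates is that the
# substituted value must be escaped per RFC 4515, otherwise characters
# such as '*' or ')' in the login form alter the meaning of the filter.

_RFC4515_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return ''.join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_bind_filter(template, login_string):
    """Replace every %s in a binddnsearch template with the escaped login string.

    str.replace() is used rather than %-formatting so that templates with
    several %s occurrences, e.g. '(|(uid=%s)(mail=%s))', work as well.
    """
    if '%s' not in template:
        raise ValueError('binddnsearch template needs at least one %s')
    return template.replace('%s', escape_filter_chars(login_string))
```

With escaping in place, the number of parentheses in the resulting filter always equals that of the template, which is an easy property to assert in a regression test for your own login code.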
boundas_template
HTML template strings used to display the bind name in the status section at the top of the page, depending on the object class of the entry bound as. This is a dictionary with object class names as keys and HTML template strings as values.
If no matching template is found, the bind-DN is displayed in most cases.
Default:
{}
description
Textual description of the host or backend which is displayed in the status area at top of the window.
Default:
''
Example:
'My nifty LDAP server for user accounts'
login_template
HTML template file for the input fields of a Login Form. The HTML document must not contain HTML <head> section, <body> or <html> tags and uses Python's Format String Syntax to reference the different dynamically generated input fields etc.
Default:
''
Example:
login_template=os.path.join(web2ldapcnf.templates_dir,'login.html')
modify_constant_attrs
List of names of attribute types which are supposed to stay constant while an entry is being edited and which are usually not edited by the user (only modified by the DSA).
If at least one value of these attributes changed between reading the entry for editing and submitting the new data, modifying the entry fails with an error message, to prevent conflicting concurrent modifications.
Default:
['createTimestamp','modifyTimestamp','creatorsName','modifiersName']
Example:
modify_constant_attrs=['entryCSN','entryDN','entryUUID','createTimestamp','modifyTimestamp','creatorsName','modifiersName','uSNChanged','uSNCreated','whenChanged','whenCreated']
naming_contexts
List of fake namingContexts values used in case this attribute could not be read from the server's root DSE.
Default:
None
groupadm_defs
Dictionary containing definitions about group entries storing members in multi-valued member attributes. This is used in the group admin mask. The dictionary's keys are the names of the group entry object classes. The dictionary values are 2-tuples of the name of the multi-valued member attribute in the group entry and the attribute type name of the user attribute whose value is put into/removed from the group entry.
Default:
{}
Example:
groupadm_defs={
  'groupOfNames':       ('member',None),
  'groupOfUniqueNames': ('uniqueMember',None),
  'rfc822MailGroup':    ('mail','mail'),
  'mailGroup':          ('mgrprfc822mailmember','mail'),
  'accessGroup':        ('member',None),
  'posixGroup':         ('memberUid','uid'),
},
          
groupadm_filterstr_template
String template which restricts the groups displayed in the left select list of the group administration dialogue. The mandatory, single occurrence of %s is replaced by the group search filter generated based on groupadm_defs.
Default:
r'(|%s)'
groupadm_optgroup_bounds
2-tuple defining the DN component slice to use to generate the <optgroup> in select lists of the group administration. This allows to limit the length (width) of the select list in case of long group entry DNs.
Default (use direct parent DN):
(1,None)
More examples:
(None,-3)
last three DN components
(2,None)
strip first two components
(2,-1)
strip first two and one last DN components
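The DN component slicing described above, as an added example that is not web2ldap's own code: the bounds tuple is applied as a Python slice to the list of RDN components (leaf first), so (1,None) yields the direct parent DN, (2,None) strips the first two components and (2,-1) additionally drops the last one. The DN splitter here is a minimal one that handles backslash-escaped commas only; it is not a full RFC 4514 parser, and the DNs are constructed.

```python
# Added example (not web2ldap's own code): how a (start, end) bounds tuple
# selects the DN components shown as <optgroup> label. The DN splitter
# is minimal (backslash-escaped commas only); web2ldap's real DN handling
# is not shown on this page.

def split_dn(dn):
    """Split a string DN into its RDN components, leaf first.

    Handles backslash-escaped commas (e.g. 'cn=Doe\\, John'); it is not a
    full RFC 4514 parser.
    """
    components, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == ',':
            components.append(''.join(current))
            current = []
        else:
            current.append(ch)
    components.append(''.join(current))
    return components


def optgroup_label(dn, bounds=(1, None)):
    """Join the DN components selected by slice(*bounds); '' if nothing is left."""
    start, end = bounds
    return ','.join(split_dn(dn)[start:end])
```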
passwd_hashtypes
List of strings specifying the allowed password-hash types. Valid values of implemented hashing schemes are:
'' (empty string)
no hashing, plain text
'crypt'
Unix crypt algorithm (with salt, as used for Unix passwd)
'md5'
MD5 hash
'smd5'
salted MD5 hash
'sha'
SHA-1 hash
'ssha'
salted SHA-1 hash
The hash-based encodings require the appropriate Python modules to be installed on your system. The presence of the modules is automatically detected and the displayed select list shows the available password hash-types.
Default:
[]
Example (allow only salted MD5 and salted SHA-1):
passwd_hashtypes=['smd5','ssha'],
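An added example, not web2ldap's own password code, of generating and verifying the userPassword encodings behind the hash types listed above: '' (clear text), 'md5', 'smd5', 'sha' and 'ssha' in the RFC 2307 '{SCHEME}base64(...)' form. 'crypt' is left out because Python's crypt module is deprecated since 3.11 and removed in 3.13. The 8-byte random salt is an assumption of this example; the salt length web2ldap uses is not stated on this page.

```python
# Added example (not web2ldap's own code): userPassword encodings for the
# passwd_hashtypes values '', 'md5', 'smd5', 'sha', 'ssha'. 'crypt' is
# omitted (Python's crypt module is deprecated/removed). The 8-byte salt
# length is an assumption made for this example.
import base64
import hashlib
import hmac
import os

# hashtype -> (hash constructor, digest length in bytes, salted?)
_SCHEMES = {
    'md5':  (hashlib.md5,  16, False),
    'smd5': (hashlib.md5,  16, True),
    'sha':  (hashlib.sha1, 20, False),
    'ssha': (hashlib.sha1, 20, True),
}
_PREFIX = {'md5': '{MD5}', 'smd5': '{SMD5}', 'sha': '{SHA}', 'ssha': '{SSHA}'}


def hash_password(hashtype, password, salt=None):
    """Encode `password` for userPassword using one of the page's hash types.

    '' stores the clear-text password; the others produce the RFC 2307
    '{SCHEME}base64(digest [+ salt])' form. For the salted schemes the
    salt is appended to the digest so the verifier can recover it.
    """
    if hashtype == '':
        return password
    if hashtype not in _SCHEMES:
        raise ValueError('unsupported hash type: %r' % hashtype)
    hashfunc, _, salted = _SCHEMES[hashtype]
    pw = password.encode('utf-8')
    if salted:
        if salt is None:
            salt = os.urandom(8)  # assumed salt length for this example
        digest = hashfunc(pw + salt).digest() + salt
    else:
        digest = hashfunc(pw).digest()
    return _PREFIX[hashtype] + base64.b64encode(digest).decode('ascii')


def verify_password(stored, password):
    """Check `password` against a stored userPassword value.

    Comparison is constant-time via hmac.compare_digest; unknown schemes
    are rejected rather than guessed.
    """
    if not stored.startswith('{'):
        return hmac.compare_digest(stored.encode('utf-8'), password.encode('utf-8'))
    scheme, _, encoded = stored[1:].partition('}')
    hashtype = scheme.lower()
    if hashtype not in _SCHEMES:
        return False
    hashfunc, digest_len, salted = _SCHEMES[hashtype]
    raw = base64.b64decode(encoded)
    pw = password.encode('utf-8')
    if salted:
        digest, salt = raw[:digest_len], raw[digest_len:]
        candidate = hashfunc(pw + salt).digest()
    else:
        digest, candidate = raw, hashfunc(pw).digest()
    return hmac.compare_digest(digest, candidate)
```

The unsalted 'md5' and 'sha' forms map a given password to one fixed value (visible in the test below for {SHA}), which is exactly why the page's example restricts the select list to the salted variants; of the schemes listed here, 'ssha' is the one to allow if you must pick from this set.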
passwd_modlist
Extends the modification list sent along with a modify request or after a password modify extended operation. Read and understand the python-ldap docs for details about the data structure.
Default:
[]
Example:
passwd_modlist=[]
passwd_template
HTML template file for the input fields of a change password form. The HTML document must not contain HTML <head> section, <body> or <html> tags and uses Python's Format String Syntax to reference the different dynamically generated input fields etc.
Default:
''
Example:
passwd_template=os.path.join(web2ldapcnf.templates_dir,'passwd.html')
print_cols
Number of columns for printable output.
Default:
'4'
print_template
HTML template files for printing table entries. This is a dictionary with object class names as keys and path names of HTML template files as values.
Default:
None
Example:
print_template={
  # 'object class':'pathname of printable HTML template file'
  'person':os.path.join(web2ldapcnf.templates_dir,'print_person.html'),
  'organization':os.path.join(web2ldapcnf.templates_dir,'print_organization.html'),
  'organizationalUnit':os.path.join(web2ldapcnf.templates_dir,'print_organizationalUnit.html'),
},
          
read_operationalattrstemplate
Path name of a HTML template file for displaying operational attributes at the bottom when displaying a single entry.
Default:
''
read_tablemaxcount
Dictionary with attribute types as keys defining maximum count of attribute values to be displayed when displaying a single entry.
Default:
{}
Example:
read_tablemaxcount={
  'member':100,
  'allowedAttributes':2,
  'allowedAttributesEffective':2,
  'allowedChildClasses':2,
  'allowedChildClassesEffective':2,
},
          
read_template
Dictionary defining HTML templates for displaying entries of certain object classes.
Default:
{}
Example:
read_template={
  # 'object class':'pathname of HTML template file'
  'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
  'organizationalPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
  'organization':os.path.join(web2ldapcnf.templates_dir,'read_organization.html'),
  'posixAccount':os.path.join(web2ldapcnf.templates_dir,'read_posixAccount.html'),
},
          
input_template
Dictionary defining HTML templates with input forms for entries of certain object classes. The input form templates of all matching object classes are displayed. See files etc/web2ldap/templates/inputform_*.html as examples.
Default:
{}
Example:
input_template={
  'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_inetOrgPerson.html'),
  'posixAccount':os.path.join(web2ldapcnf.templates_dir,'inputform_posixAccount.html'),
  'msPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_msPerson.html'),
},
          
passwd_genchars
Unicode string containing all characters to be used when generating passwords.
passwd_genlength
Integer which specifies the length of generated passwords.
Default:
12
requested_attrs
List of attribute type names which are explicitly requested when doing a search/read or modify operation. This is meant for accessing operational attributes which the LDAP server does not return without being asked for them.
Default:
[]
rename_supsearchurl
Dictionary with named LDAP URLs (without hostport portion), each specifying how to search for a new superior DN of a rename operation. The DNs of the search results are displayed as a select list. The attrs portion is ignored. If not set or an empty string, a normal input field is displayed.
Default:
''
Example:
rename_supsearchurl={
  u'Search for organizational units':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organizationalUnit)',
  u'Search for organizations':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organization)',
},
          
rename_template
HTML template file for the input fields of a Rename Form. The HTML document must not contain HTML <head> section, <body> or <html> tags and uses Python's Format String Syntax to reference the different dynamically generated input fields etc.
Default:
''
Example:
rename_template=os.path.join(web2ldapcnf.templates_dir,'rename.html')
schema_strictcheck
Whether to apply strict checks during subschema parsing. Some LDAP servers with buggy schema, like eDirectory or Fedora/389 DS, require False here.
Don't set this to False if you also use schema_supplement, because errors will possibly be ignored, leading to unwanted behaviour.
schema_supplement
LDIF file with additional subschema attributes to be added to the subschema subentry read from the server. This can be used to add schema descriptions to the subschema used by web2ldap which are not supported by the LDAP server itself (e.g. DIT structure rules and name forms).
schema_uri
URI pointing to a fake subschema subentry. If schema_uri is an LDAP URL, an LDAP server is queried directly. Otherwise schema_uri is assumed to point to an LDIF file.
Default:
None
search_attrs
Attribute types which should be present in search attribute type select list of advanced search form.
Default:
['cn','mail']
Example:
search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
searchform_bases
List/tuple of search bases to be added to the select list of search bases displayed in the search form.
Default:
()
Example:
searchform_bases=(
  '..',
  'ou=Bizness,dc=example,dc=com',
  'ou=Friends,dc=example,dc=com'
)
          
searchform_search_root_url
String with an LDAP URL (without hostport portion) which specifies how to search for additional search bases to be displayed as a select list in the search form. The DNs of the search results are displayed as a select list. The attrs portion is ignored.
Default:
''
Example:
searchform_search_root_url='ldap:///dc=example,dc=com??sub?(|(objectClass=organization)(objectClass=organizationalUnit))'
search_resultsperpage
Integer which specifies the number of results shown per page. This affects the select list of the search form and displaying results of a search without prior use of a search form.
Default:
10
search_tablistattrs
Default:
[]
search_tdtemplate
HTML template strings used to display entries in the table of search results depending on the object class of an entry. This is a dictionary with object class names as key and HTML templates strings as value.
Default:
{}
searchform_filterstr_size
Size of the input field for the filter string in the expert search form.
Default:
90
searchform_template
This has to be a dictionary which specifies a set of named template files. The name _ (underscore) specifies a default template.
Default:
''
Example:
searchform_template= {
  u'_':os.path.join(web2ldapcnf.templates_dir,'searchform_Base.html'),
  u'Users':os.path.join(web2ldapcnf.templates_dir,'searchform_users.html'),
  u'Orga':os.path.join(web2ldapcnf.templates_dir,'searchform_orga.html'),
  u'Persons':os.path.join(web2ldapcnf.templates_dir,'searchform_persons.html'),
},
          
searchoptions_template
HTML template file for search options. The HTML document must not contain HTML <head> section, <body> or <html> tags and uses Python's Format String Syntax to reference the different dynamically generated input fields etc.
Default:
none
session_track_control
If non-zero, the session tracking control (see draft-wahl-ldap-session) is sent along to the LDAP server with each LDAP request, which is handy for debugging in combination with setting ldap_trace_level.
Think twice!
This reveals the client's IP address, your server name and the LDAPObject instance hash to the LDAP server.
Default:
0
ssl_minlevel
Defines the minimum required SSL security level for accessing this host/backend through the web2ldap gateway.
Default:
0
ssl_valid_dn
Regex describing the valid subject DNs of client certificates.
Default:
''
ssl_valid_idn
Regex describing the valid DNs of issuer certificates of valid client certificates.
Default:
''
starttls
Integer defining whether StartTLS should not be used (value 0), should be tried (value 1) or is mandatory (value 2) for connecting to this server. This only makes sense per server.
Default:
0
top_template
HTML template file for whole TopSection on top of page based on Python's Format String Syntax.
tls_options
Dictionary for specifying arbitrary TLS-related LDAP options (see section TLS OPTIONS in OpenLDAP's man page ldap_get_option(3)). Which options are really available on your system depends on your python-ldap and OpenLDAP build.
Default:
{}
Example:
tls_options={
  ldap.OPT_X_TLS_REQUIRE_CERT:ldap.OPT_X_TLS_DEMAND,
  # File containing all the trusted root CA certs
  ldap.OPT_X_TLS_CACERTFILE:os.path.join(web2ldapcnf.etc_dir,'web2ldap','ssl','crt','trusted-certs.crt'),
  ldap.OPT_X_TLS_CIPHER_SUITE:'ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!RC4-SHA:!ADH:!LOW:!EXP:!NULL',
  ldap.OPT_X_TLS_PROTOCOL_MIN:2,
  ldap.OPT_X_TLS_CRLCHECK:ldap.OPT_X_TLS_CRL_PEER,
  ldap.OPT_X_TLS_CRLFILE:os.path.join(web2ldapcnf.etc_dir,'web2ldap','ssl','crt','peers.crl'),
},
        
timeout
Timeout value for LDAP operations in seconds. -1 switches off timeout handling.
Default:
-1
vcard_template
HTML template files for vCard downloading. This is a dictionary with object class names as key and path names of vCard template files as value.
Default:
{}