This section describes the parameters related to specific LDAP
hosts/backends.
[addform_entry_templates]
[binddnsearch]
[boundas_template]
[description]
[groupadm_defs]
[groupadm_filterstr_template]
[groupadm_optgroup_bounds]
[input_template]
[login_template]
[modify_constant_attrs]
[naming_contexts]
[passwd_genchars]
[passwd_genlength]
[passwd_hashtypes]
[passwd_modlist]
[passwd_template]
[print_cols]
[print_template]
[read_operationalattrstemplate]
[read_tablemaxcount]
[read_template]
[rename_supsearchurl]
[rename_template]
[requested_attrs]
[schema_supplement]
[schema_uri]
[search_attrs]
[searchform_filterstr_size]
[searchform_search_root_url]
[searchform_template]
[searchoptions_template]
[search_resultsperpage]
[search_tablistattrs]
[search_tdtemplate]
[session_track_control]
[ssl_minlevel]
[ssl_valid_dn]
[ssl_valid_idn]
[starttls]
[timeout]
[tls_options]
[top_template]
[vcard_template]
ldap_uri_list
List of LDAP URLs which will appear in the default select list
of the login form. It may contain either strings (only a LDAP URL)
or 2-tuples of strings containing LDAP URL and description.
Example:
ldap_uri_list = [
'ldap://localhost',
('ldap://ldap.openldap.org',u"OpenLDAP's demo server"),
]
restricted_ldap_uri_list
If non-zero (or True) gateway access is restricted to the
LDAP servers specified in ldap_uri_list.
Note that the check is case sensitive (because of possibly case-sensitive
path names of Unix domain sockets for LDAPI)!
Default in source distribution: 1 (restriction enabled)
ldap_def
This is a string-keyed dictionary (Python data structure)
which holds all options specific for certain LDAP hosts or backends(
naming contexts). The values of the dictionary ldap_def
are of the simple class Web2LDAPConfig which is instantiated
via key word arguments
Cascaded configuration
Any configuration parameter in the
dictionary web2ldapcnf.hosts.ldap_def is retrieved by looking
at all dictionary items with string-keys
'ldap://ldap_host/ldap_basedn',
'ldap:///ldap_basedn',
'ldap://ldap_host' and
'_'
in this particular order. All those string-key MUST
be valid LDAP URLs except for the default section which is
marked by a single underscore.
This allows to hold several database backends on the same host with
the same DNS name. It also shortens the ldap_def dictionary by
avoiding having to repeat same options for every server and
makes browsing of completely unconfigured hosts easy.
Configuration Example
ldap_def = {
'_': Web2LDAPConfig(
# Default fall-back options
),
'ldap://nldap.com': Web2LDAPConfig(
# Per-host options for host nldap.com
),
'ldap:///dc=openldap,dc=org': Web2LDAPConfig(
# Options for naming context dc=openldap,dc=org
# regardless on which server
),
'ldap://localhost/dc=stroeder,dc=com': Web2LDAPConfig(
# Options dictionary entries for backend
# on host localhost with naming context dc=stroeder,dc=com
)
}
Now each parameter is described. A system default value is assumed
if the parameter was not defined at all (no dictionary key
parameter). Most times this default value simply switches
off a certain behaviour.
- addform_entry_templates
-
This parameter allows to define a set of LDIF templates for new
entries each with a short descriptive identifier. The identifiers
are shown in a radio button field after choosing [New entry] from
the main menu.
This is a dictionary with free-form identifiers as key and path
names of the LDIF template files as value.
- Default:
{}
- Example (the variant with
os.path.join(web2ldapcnf.templates_dir,..)
automatically
determines the standard template directory):
-
addform_entry_templates={
'Person':os.path.join(web2ldapcnf.templates_dir,'add_person.ldif'),
'My User Account':'/home/web2ldap/lib/add_myuser.ldif'),
},
- binddnsearch
-
Search filter template for smart login. Occurences of
%s are substituted by the string the user entered.
Note:
Think about using indexed attributes here! A bad filter
template can be a performance hog.
- Default:
'(uid=%s)'
- Example:
-
- boundas_template
-
HTML template strings used to bind name in the status section
on top of page depending on the object class of an entry.
This is a dictionary with object class names as key and
HTML templates strings as value.
If no matching template is found most times the bind-DN is displayed.
- Default:
{}
- description
-
Textual description of the host or backend which is displayed in the
status area at top of the window.
- Default:
''
- Example:
-
'My nifty LDAP server for user accounts'
- login_template
-
HTML template file for the input fields of a Login Form.
The HTML document must not contain HTML <head> section,
<body> or <html> tags and uses
Python's Format String Syntax to reference the different
dynamically generated input fields etc.
- Default:
''
- Example:
-
login_template=os.path.join(web2ldapcnf.templates_dir,'login.html')
- modify_constant_attrs
-
List of names of attribute types which are supposed to be constant during
editing an entry and are usually not edited by the user (only modified by DSA).
If at least one value of these attributes was changed
during editing the entry and submitting the new data modifying the entry
will fail with an error message to prevent conflicts of concurrent
modifications
- Default:
['createTimestamp','modifyTimestamp','creatorsName','modifiersName']
- Example:
-
modify_constant_attrs=['entryCSN','entryDN','entryUUID','createTimestamp','modifyTimestamp','creatorsName','modifiersName','uSNChanged','uSNCreated','whenChanged','whenCreated']
- naming_contexts
-
List of fake namingContexts values used in case this
attribute could not be read from the server's root DSE.
- Default:
- None
- groupadm_defs
-
Dictionary containing definitions about group entries
storing members in multi-valued member attributes. This is
used in the group admin mask. The dictionary's keys are
the name of the group entry object classes. The dictionary
values are 2-tuples representing the name of the multi-valued
member attribute in the group entry and the attribute type name
of the user attribute which is put to/removed from the group entry.
- Default:
{}
- Example:
-
groupadm_defs={
'groupOfNames': ('member',None),
'groupOfUniqueNames': ('uniqueMember',None),
'rfc822MailGroup': ('mail','mail'),
'mailGroup': ('mgrprfc822mailmember','mail'),
'accessGroup': ('member',None),
'posixGroup': ('memberUid','uid'),
},
- groupadm_filterstr_template
-
String template which allows to restrict the groups displayed
in left select list in the group administration dialogue.
The mandantory, single occurence of %s is replaced
by the group search filter generated based on
groupadm_defs.
- Default:
r'(|%s)'
- groupadm_optgroup_bounds
-
2-tuple defining the DN component slice to use to generate the
<optgroup> in select lists of the group administration.
This allows to limit the length (width) of the select list
in case of long group entry DNs.
- Default (use direct parent DN):
(1,None)
- More examples:
-
(None,-3)
- last three DN components
(2,None)
- strip first two components
(2,-1)
- strip first two and one last DN components
- passwd_hashtypes
-
List of strings specifying the allowed password-hash types.
Valid values of implemented hashing schemes are:
- '' (empty string)
- no hashing, plain text
- 'crypt'
- Unix crypt algorithm (with salt like used with Unix passwd)
- 'md5'
- MD5 hash
- 'smd5'
- salted MD5 hash
- 'sha'
- SHA-1 hash
- 'ssha'
- salted SHA-1 hash
The hash-based encodings require the appropriate Python modules to be
installed on your system. The presence of the modules is automatically
detected and the displayed select list shows the available
password hash-types.
- Default:
[]
- Example (allow only salted MD5 and salted SHA-1):
'passwd_hashtypes':['smd5','ssha']
- passwd_modlist
-
Allows to extend the modification list to be sent along with a modify
request or after a password modify extended operation. Read und understand
python-ldap docs for details about the data structure.
- Default:
[]
- Example:
-
passwd_modlist=[]
- passwd_template
-
HTML template file for the input fields of a change password form.
The HTML document must not contain HTML <head> section,
<body> or <html> tags and uses
Python's Format String Syntax to reference the different
dynamically generated input fields etc.
- Default:
''
- Example:
-
passwd_template=os.path.join(web2ldapcnf.templates_dir,'passwd.html')
- print_cols
-
Number of columns for printable output.
- Default:
'4'
- print_template
-
HTML template files for printing table entries. This is a dictionary
with object class names as key and path names of HTML template files
as value.
- Default:
None
- Example:
-
print_template={
# 'object class':'pathname of printable HTML template file'
'person':os.path.join(web2ldapcnf.templates_dir,'print_person.html'),
'organization':os.path.join(web2ldapcnf.templates_dir,'print_organization.html'),
'organizationalUnit':os.path.join(web2ldapcnf.templates_dir,'print_organizationalUnit.html'),
},
- read_operationalattrstemplate
-
Path name of a HTML template file for displaying operational
attributes at the bottom when displaying a single entry.
- Default:
''
- read_tablemaxcount
-
Dictionary with attribute types as keys defining maximum count of
attribute values to be displayed when displaying a single entry.
- Default:
{}
- Example:
-
read_tablemaxcount={
'member':100,
'allowedAttributes':2,
'allowedAttributesEffective':2,
'allowedChildClasses':2,
'allowedChildClassesEffective':2,
'allowedChildClassesEffective':2,
},
- read_template
-
Dictionary defining HTML templates for displaying entries
of certain object classes.
- Default:
{}
- Example:
-
read_template={
# 'object class':'pathname of HTML template file'
'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
'organizationalPerson':os.path.join(web2ldapcnf.templates_dir,'read_inetOrgPerson.html'),
'organization':os.path.join(web2ldapcnf.templates_dir,'read_organization.html'),
'posixAccount':os.path.join(web2ldapcnf.templates_dir,'read_posixAccount.html'),
},
- input_template
-
Dictionary defining HTML templates with input forms for entries
of certain object classes. The input form templates of all matching
object classes are displayed.
See files etc/web2ldap/templates/inputform_*.html as examples.
- Default:
{}
- Example:
-
input_template={
'inetOrgPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_inetOrgPerson.html'),
'posixAccount':os.path.join(web2ldapcnf.templates_dir,'inputform_posixAccount.html'),
'msPerson':os.path.join(web2ldapcnf.templates_dir,'inputform_msPerson.html'),
},
- passwd_genchars
-
Unicode string containing all characters to be used
when generating passwords.
- passwd_genlength
-
Integer which specifies the length of generated passwords.
- Default:
12
- requested_attrs
-
List of attribute type names which are explicitly requested when
doing a search/read or modify operation. This is meant for accessing
operational attributes which the LDAP server does not return
without being asked for them.
- Default:
[]
- rename_supsearchurl
-
Dictionary with named LDAP URLs (without hostport portion) each specifying how to search
for a new superior DN of a rename operation. The DNs of the search results are
displayed as select list. The attrs portion is ignored.
If not set or empty string a normal input field is displayed.
- Default:
''
- Example:
-
rename_supsearchurl={
u'Search for organizational units':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organizationalUnit)',
u'Search for organizations':'ldap:///dc=stroeder,dc=de??sub?(objectClass=organization)',
},
- rename_template
-
HTML template file for the input fields of a Rename Form.
The HTML document must not contain HTML <head> section,
<body> or <html> tags and uses
Python's Format String Syntax to reference the different
dynamically generated input fields etc.
- Default:
''
- Example:
-
rename_template=os.path.join(web2ldapcnf.templates_dir,'rename.html')
- schema_strictcheck
-
Whether to apply strict checks during subschema parsing. Some LDAP
servers with buggy schema like eDirectory or Fedora/389 DS requite
False here.
Don't set to False if you also use
schema_supplement because errors will be
possibly ignored leading to unwanted behaviour.
- schema_supplement
-
LDIF file with additiona subschema attributes to be added to the
subschema subentry read from the server. This can be used to add
schema descriptions to the sub schema used by web2ldap not supported
by the LDAP server itself (e.g. DIT structure rules and name forms).
- schema_uri
-
URI pointing to fake sub schema sub entry.
If schema_uri is a LDAP URL an LDAP server is queried directly.
Otherwise schema_uri is assumed to point to a LDIF file.
- Default:
- None
- search_attrs
-
Attribute types which should be present in search attribute type select
list of advanced search form.
- Default:
['cn','mail']
- Example:
-
search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
- searchform_bases
-
List/tuple of search bases to be added to the select list of search bases displayed in the search form.
- Default:
()
- Example:
-
searchform_bases=(
'..',
'ou=Bizness,dc=example,dc=com',
'ou=Friends,dc=example,dc=com'
)
- searchform_search_root_url
-
String with a LDAP URL (without hostport portion) which specifies how to search
for additional search bases to be displayed as select list in the search form.
The DNs of the search results are displayed as select list. The attrs portion is ignored.
- Default:
''
- Example:
-
searchform_search_root_url='ldap:///dc=example,dc=com??sub?(|(objectClass=organization)(objectClass=organizationalUnit))'
- search_resultsperpage
-
Integer which specifies the number of results shown per page.
This affects the select list of the search form and displaying
results of a search without prior use of a search form.
- Default:
10
- search_tablistattrs
-
- Default:
[]
- search_tdtemplate
-
HTML template strings used to display entries in the table
of search results depending on the object class of an entry.
This is a dictionary with object class names as key and
HTML templates strings as value.
- Default:
{}
- searchform_filterstr_size
-
Size of the input field for filter string input field in the expert search form.
- Default:
90
- searchform_template
-
This has to be a dictionary which specifies a set of named template files.
The name _ (underscore) specifies a default template.
- Default:
''
- Example:
-
searchform_template= {
u'_':os.path.join(web2ldapcnf.templates_dir,'searchform_Base.html'),
u'Users':os.path.join(web2ldapcnf.templates_dir,'searchform_users.html'),
u'Orga':os.path.join(web2ldapcnf.templates_dir,'searchform_orga.html'),
u'Persons':os.path.join(web2ldapcnf.templates_dir,'searchform_persons.html'),
},
- searchoptions_template
-
HTML template file for search options.
The HTML document must not contain HTML <head> section,
<body> or <html> tags and uses
Python's Format String Syntax to reference the different
dynamically generated input fields etc.
- Default:
- none
- session_track_control
-
If non-zero the session tracking control
(see draft-wahl-ldap-session)
is sent along to the LDAP server with each LDAP request
which is handy for debugging in combination with setting
ldap_trace_level.
Think twice!
This reveals the client's IP address, your server name and the LDAPObject instance hash
to the LDAP server.
- Default:
0
- ssl_minlevel
-
Defines the minimum required SSL security level for accessing
this host/backend through the web2ldap gateway.
- Default:
0
- ssl_valid_dn
-
Regex describing the valid subject DNs of client certificates.
- Default:
''
- ssl_valid_idn
-
Regex describing the valid DNs of issuer certificates
of valid client certificates.
- Default:
''
- starttls
-
Integer defining whether StartTLS should not be used
(value 0), StartTLS should be tried (value 1) or use
of StartTLS is mandantory (value 2) for connecting
to this server. Does only make sense per server.
- Default:
0
- top_template
-
HTML template file for whole TopSection on top of page based on
Python's Format String Syntax.
- tls_options
-
Dictionary for specifying arbitrary TLS-related LDAP options
(see section TLS OPTIONS on OpenLDAP's man page
ldap_get_option(3).
Which options are really available on your system depends on your
python-ldap and OpenLDAP build).
- Default:
{}
- Example:
-
tls_options={
ldap.OPT_X_TLS_REQUIRE_CERT:ldap.OPT_X_TLS_DEMAND,
# File containing all the trusted root CA certs
ldap.OPT_X_TLS_CACERTFILE:os.path.join(web2ldapcnf.etc_dir,'web2ldap','ssl','crt','trusted-certs.crt'),
ldap.OPT_X_TLS_CIPHER_SUITE:'ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!RC4-SHA:!ADH:!LOW:!EXP:!NULL',
ldap.OPT_X_TLS_PROTOCOL_MIN:2,
ldap.OPT_X_TLS_CRLCHECK:ldap.OPT_X_TLS_CRL_PEER,
ldap.OPT_X_TLS_CRLFILE:os.path.join(web2ldapcnf.etc_dir,'web2ldap','ssl','crt','peers.crl'),
},
- timeout
-
Timeout value for LDAP operations on seconds. -1 switches
off timeout handling.
- Default:
-1
- vcard_template
-
HTML template files for vCard downloading. This is a dictionary
with object class names as key and path names of vCard template files
as value.
- Default:
{}