web2ldap Changelog

New in version 1.2.36 (July 27th, 2015)

  • [Read] links are always displayed in the middle area after adding/modifying an entry.
  • Fixed regression with missing last entry when displaying all entries.

New in version 1.2.11 (January 16th, 2015)

  • Fixed unhandled exception when displaying dhcpStatement value with no space-separated value.
  • Fixed generating input form values for associatedDomain.
  • Fixed/improved some HTML search form templates.
  • Added plugin class for mXRecord.
  • Added additional safety check for invalid key string in HTML template dictionary.
  • Added example configuration snippet for accessing web2ldap running as external FastCGI responder via lighttpd.
  • Added script sbin/web2ldap_postinstall.sh which adds daemon user/group, creates directories and fixes ownership/permissions.
  • Added select list plugin class for NIS attribute ipServiceProtocol.
  • Added inputform template for dNSDomain2.
  • Updated fallback schema file localschema.ldif.
  • HTTPS links are used for all IETF docs, PyPI and Google code links.
  • Added HTML templates for object classes namedObject and namedPolicy (defined in draft-stroeder-namedobject)
  • Added HTML templates for object class groupOfNames.

New in version 1.1.49 (December 16th, 2013)

  • New features/enhancements:
    • Group administration UI now generates tags with enclosed tags with parent DN of group DN as label. This is very helpful if same group names are used in different subtrees.
  • Security fixes:
    • Fixed possible XSS flaw when displaying group DN and entry data in group administration UI.
  • Bugs fixed:
    • More robust attribute value auto-generation in plugin class w2lapp.schema.plugins.posixautogen.HomeDirectory.homeDirectoryTemplate.
    • More robust parsing of attribute olcSyncrepl.

New in version 1.1.48 (November 26th, 2013)

  • New features/enhancements:
    • Added/registered plugin classes for the following MIT Kerberos attributes:
      • krbPwdPolicyReference
      • krbPwdLockoutDuration
      • krbMinPwdLife
      • krbMaxPwdLife
  • Bugs fixed:
    • Fixed LDAP filter in plugin class for krbTicketPolicyReference.
    • Cache for auditContext attribute not flushed.
    • Gracefully handle server explicitly not allowing simple bind requests.

New in version 1.1.47 (October 28th, 2013)

  • Fixed Python 2.6 compatibility issue in checkinst.py.
  • Registered more MS AD attributes with plugin class Binary.
  • Exception ldap.STRONG_AUTH_REQUIRED is ignored when reading rootDSE.

New in version 1.1.43 (September 2nd, 2013)

  • New features/enhancements:
    • Improved HTML layout when displaying certificate/CRL.
    • Certificate/CRL viewer now displays OID names also for deeply nested X.500 Names (DNs).
    • CRL viewer now displays CRLReason extension.
    • New plugin module w2lapp.schema.plugins.x509 now contains all the cert/CRL plugin classes and new stub classes for all the LDAP syntaxes defined in RFC 4523.
  • Bugs fixed:
    • Fixed using module pisces.asn1 really optionally (regression introduced in 1.1.42).
    • Fixed Unicode issue in plugin class for Lotus Domino/LDAP attribute dominoCertificate.
    • Added work-around for UnicodeDecodeError if a buggy LDAP server (Lotus Domino/LDAP 7.x) returns diagnosticMessage with non-ASCII characters as ISO-8859-1 (Latin1).
  • Code cleaning:
    • New syntax class w2lapp.schema.syntaxes.CSN registered for OpenLDAP attribute types contextCSN, entryCSN and namingCSN.

New in version 1.1.37 (June 25th, 2013)

  • New features/enhancements:
    • New class attrs LDAPSyntax.searchSep/readSep/fieldSep are used consistently everywhere through class w2lapp.read.DisplayEntry. This enables plugin classes to control how multiple attribute values are separated.
    • Search form parameter filterstr can now be multi-valued and its values are always evaluated along with the other form parameters from basic/advanced search form. This allows defining search form templates with arbitrary additional filters to be combined with the user's input in the search form.
    • OpenLDAP's no-op search control is now sent with tight timeout (5 sec) to not overwhelm the server in case many entries have to be checked.
  • Bugs fixed:
    • Corrected determining server name in standalone mode.
    • Fixed Unicode handling of attribute type names when displaying password attributes after changing them.
    • Fixed issue with multiple delsid form parameter sent after re-login.

New in version 1.1.33 (May 21st, 2013)

  • New features/enhancements:
    • All group modifications are displayed.
    • New plugin classes for MS AD attributes:
      • GUIDs (objectGUID, parentGUID, rightsGuid, siteGUID)
      • msDS-SupportedEncryptionTypes
    • New plugin classes for pwdExpireWarning and pwdMaxAge display search links.
    • It's now possible to search for arbitrary OctetString values.
    • If host-specific parameter search_attrs is not set or is an empty list, all attribute types are displayed in the attribute select list in the advanced search form.
  • Bugs fixed:
    • If only a single char * or + is given as attribute list, this is no longer treated as a real single attribute when reading an entry.

New in version 1.1.32 (May 11th, 2013)

  • New features/enhancements:
    • New plugin class w2lapp.schema.syntaxes.Timespan displays time spans as hours, minutes, seconds used for:
      • pwdMinAge
      • pwdMaxAge
      • pwdExpireWarning
      • entryTTL
    • Time before password expiration displayed as hours, minutes, seconds.
    • When submitting several group modifications all failed attempts are collected and displayed with LDAP error information after processing all group modifications.
  • Bugs fixed:
    • Better handling of LDAPError exceptions in case the LDAP server does not support "Who am I?". This occurred especially as a problem with SASL/GSSAPI bind.
    • Plugin class DNSDomain lower-cases input values before applying the IDNA encoding.

New in version 1.1.31 (February 18th, 2013)

  • New features/enhancements:
    • The number of revoked certs is displayed when displaying a CRL.
    • New plugin class for NIS attribute macAddress which sanitizes user input and does reg-ex checking.
    • New plugin module for sudo-ldap.
    • Plugin class for memberURL now strips white-spaces from input values.
  • Bugs fixed:
    • Small fix for displaying LDAP error messages.
    • Fixed handling of class attributes valuePrefix and valueSuffix in plugin class DynamicValueSelectList.
    • Work-around for LDAP URLs with bad search filter passed in as QUERY_STRING in the URL.

New in version 1.1.30 (January 21st, 2013)

  • New features/enhancements:
    • The "Who am I?" extended operation is now always used to detect bind-DN rewriting also in case of simple bind.
    • Some more plugin classes in module w2lapp.schema.plugins.pgpkeysrv.
  • Bugs fixed:
    • More liberal regex pattern for sambaAcctFlags.
    • Fixed an exception caused by empty strings in an attribute list when reading an entry.

New in version 1.1.28 (December 28th, 2012)

  • Installation and Configuration changes:
    • Python module netaddr can be used as alternate implementation of required classes IPAddress and IPNetwork.
  • New features/enhancements:
    • Error message is displayed in HTML output if there is a string format error in an HTML template which caused TypeError internally.
    • New HTML templates for Samba3 LDAP schema.
    • Values for attributes sambaSID are auto-generated if empty.
    • New or existing plugin classes registered for attribute types in Samba3 LDAP schema:
      • sambaDomainName
      • sambaHomeDrive
      • sambaLogonToChgPwd
      • sambaPrimaryGroupSID
  • Bugs fixed:
    • Work-around for missing form field if ldapsession.PasswordPolicyException is caught and w2lapp.passwd.PasswdForm() is invoked directly.
    • @ character is now allowed in form parameter search_attrs to correctly support RFC 4529.

New in version 1.1.26 (December 8th, 2012)

  • New features/enhancements:
    • Declared new plugin class for attribute type x509keyUsage.
  • Bugs fixed:
    • Fixed Unicode issue in w2lapp.schema.syntaxes.SelectList which affected all classes derived from that.
    • Added dummy value for attribute LDAPSyntax.oid to various base plugin classes to avoid false registration under some circumstances.

New in version 1.1.22 (June 23rd, 2012)

  • Using the tree delete control is no longer the default when OpenLDAP is detected as the LDAP server. A new plugin class was added for attribute type memberUrl, which checks various values in the LDAP URL.
  • LDAP URLs are now displayed with better links when there is an empty hostport part. Better error handling was provided for cases of invalid subschema subentries.
  • Some enhancements and fixes were made regarding DNS SRV lookups for internationalized domains.

New in version 1.1.16 (May 7th, 2012)

  • This version adds several plugin classes for OpenDS/OpenDJ servers, adds support for session tracking control, adds workarounds for buggy LDAP server versions, and fixes some plugin classes for MS AD.

New in version 1.1.10 (March 28th, 2012)

  • Fixes for validating uniqueMember attribute values.
  • Registers various attribute types of OpenLDAP's cn=config with the plugin class MultilineText.
  • Some small fixes for plugin classes and referral handling.

New in version 1.1.8 (March 22nd, 2012)

  • More templates for OpenLDAP's cn=config and OpenDJ's changelog.
  • Some other small fixes.

New in version 1.1.5 (March 10th, 2012)

  • A regression regarding setting SSL/TLS options has been fixed.
  • Several fixes and more translations for HTML templates have been added.

New in version 1.1.2 (February 27th, 2012)

  • Search assertion values are normalized via plugin classes if the accompanying search_mode is not a substring search.
  • This release fixes a regression bug that accidentally deleted binary/non-human-readable attributes (e.g. jpegPhoto or userCertificate;binary) when modifying an entry.
  • There is a stricter regex pattern for checking values of LDAP syntax OID.

New in version 1.1.0 (February 17th, 2012)

  • This is a final release containing a few fixes for certificate upload and LDAP SRV RR lookups.

New in version 1.1.0 RC2 (February 4th, 2012)

  • This version fixes a NAME alias problem for AUX classes in DIT content rules.
  • It has a more robust implementation of the dynamic select plugin class, and better validation of time and date inputs using the module datetime.

New in version 1.1.0 RC1 (January 30th, 2012)

  • This is the first release candidate, with several fixes.

New in version 1.1.0 Alpha 54 (November 17th, 2011)

  • The search root is now an independent form parameter.
  • Additional LDAPv3 ext. controls can also be used when deleting entries and attributes, which is used for specific use-cases like account unlocking.
  • The password change UI has a new input field for enforcing a password change after reset.
  • There are more improvements and fixes.

New in version 1.1.0 Alpha 48 (October 26th, 2011)

  • The pre-configured section for OpenLDAP's cn=Monitor displays search results more nicely now.
  • Search attributes are handled more consistently when searching entries for various output formats and generating the LDAP URL of the search.
  • The new plugin base class PropertiesSelectList lets you define option value-text pairs for select lists in simple property files.
  • There are more user-friendly error messages in the connect dialogue.
  • Improvements to group administration allow handling many groups and searching for groups.
  • More CSS themes and various small fixes have been added.

New in version 1.1.0 Alpha 41 (October 3rd, 2011)

  • Improved HTML templates.
  • Many small fixes and improvements.

New in version 1.1.0 Alpha 33 (June 24th, 2011)

  • This version adds experimental CSV export.
  • If the new password field is empty in the password change input form, the new password is randomly generated and displayed.
  • More Unicode-related code cleaning.
  • An attribute value in the user input is now preserved when re-displaying the input form in case of a syntax error.
  • Attribute lists in LDAP URLs are now preserved in case of re-login.

New in version 1.1.0 Alpha 30 (June 5th, 2011)

  • Many fixes and improvements.

New in version 1.1.0 Alpha 28 (February 21st, 2011)

  • Small fixes

New in version 1.1.0 Alpha 25 (September 29th, 2010)

  • Even more fixes were made for non-obvious XSS attacks.

New in version 1.0.29 (August 9th, 2009)

  • Note: This is the last release guaranteed to support Python 2.3!
  • For various reasons you should seriously consider upgrading your local Python installation.
  • Various code-cleaning regarding a more consistent distinction of UnicodeType and StringType data.
  • Multiple space characters in DNs and attribute values are now correctly displayed.
  • Added a fall-back behaviour for older Python versions when registering T.61 codecs.
  • In expert search form the HTML attribute maxlength is now set to the same values as specified for form parameters search_filterstr and search_attrs.
  • If no values are entered into the advanced search form no search request with invalid filter is sent to the LDAP server anymore. Instead an error message is displayed.
  • Fix for the group administration: Caching is now disabled when searching group entries the current entry is a member of.
  • When generating the assertion filter for detecting intermediate changes to edited entries all NON-ASCII chars are now quoted. E.g. with eDirectory cross-checking with binary attribute GUID falsely prevented an entry from being modified.
  • If the template file for a login form could not be read (exception IOError) an error message is displayed to the user.
  • Improvements to plug-in modules/classes:
    • New base class NullTerminatedDirectoryString and registered eDirectory attribute type extensionInfo with that.
    • New class for eDirectory attribute type indexDefinition.
    • Tabs in XML data are now expanded so it looks much nicer.
    • Registered more DirXML-related attribute types with plugin class XmlValue.

New in version 1.0.25 (July 19th, 2009)

  • Serious security fix: After another bind operation StartTLS was disabled. Uumpf!
  • Some small fixes/improvements for plugin classes for Novell eDirectory.

New in version 1.0.23 (July 15th, 2009)

  • Cache hit ratio is displayed in [ConnInfo].
  • Added plugin class for OpenLDAP's accesslog attribute reqResult.
  • The global default in the source distribution for tls_cacertfile is now set to <web2ldap-root-dir>/etc/web2ldap/ssl/crt/trusted-certs.crt. There you can put all trusted ASCII-armored CA certificate files (so-called PEM format).
  • The LDAP URLs used in QUERY_STRING or in ldap_uri_list can now have the extension x-starttls which indicates that the StartTLS extended operation should be used. For security reasons the maximum value of host-/backend-specific parameter starttls and x-starttls is used.
  • Fixed an attribute type name aliasing issue when displaying the table input form during modifying an entry.
  • Optional usage of StartTLS ext.op. is more gracefully handled if the LDAP server does not support it.

New in version 1.0.22 (July 2nd, 2009)

  • Removed debug print statement.

New in version 1.0.21 (June 30th, 2009)

  • More robust conversion of ldap.LDAPError exceptions to error message texts.
  • Peter Gutmann's dumpasn1.cfg was updated and the new format is supported now.
  • Improvements to handling of DIT structure rules and name forms:
    • Small improvements for determining the governing structure rule of an entry at client-side if attribute governingStructureRule is not available. Still not perfect I suspect...
    • Fixed searching and displaying DIT structure rules (which have no class attribute oid) in the schema viewer.
    • If several name forms result in a single RDN template string then this particular RDN template is only shown once in the RDN select list.
  • Improvements to plug-in modules/classes:
    • AD-specific plug-in class for attribute types objectSID and sIDHistory now accepts SDDL representation as user input instead of hex-dump data.
    • Added more well-known SIDs to AD-specific plugin class OtherSID.
    • New AD-specific plugin classes for attribute types domainRID and objectClassCategory.
    • New base plugin class DumpASN1CfgOID for OIDs registered in Peter Gutmann's dumpasn1.cfg.
    • New plugin module pkcschema for draft-ietf-pkix-ldap-pkc-schema.
    • New plugin class for attribute type authorizedService which implements a select list for IANA GSSAPI/Kerberos/SASL Service names.
    • New base plugin class for XML data (requires Python 2.5+).
    • New plugin class for attribute type XmlData used in eDirectory/DirXML.

New in version 1.0.20 (April 22nd, 2009)

  • When displaying information for an OID in rootDSE the values are now properly HTML-escaped.
  • New plug-in module for MS SFU with a class for attribute type msSFU30NisDomain.
  • Small change to search result caching.
  • Slightly better work-around for the non-compliant multiple values in attribute structuralObjectClass in W2K8 MS AD.
  • The schema viewer now correctly passes the current DN around no matter whether there's a MS AD schema entry to reference or not.
  • New base plug-in class for SCHAC URNs.

New in version 1.0.18 (April 9th, 2009)

  • Attribute objectClass is never ignored when generating modification list even if a misbehaving DSA (e.g. W2K8 MS AD) declares this attribute as NO-USER-MODIFICATION.
  • Object class top is filtered from attribute structuralObjectClass if a misbehaving DSA (e.g. W2K8 MS AD) falsely added it.
  • Several updates for AD-specific plugin classes for W2K8 AD.
  • Function ldaputil.modlist2.modifyModlist() now catches KeyError exception if an attribute type was not found in subschema and treats this attribute type like one without an equality matching rule.
  • During a long-lasting recursive delete there's an empty string written to the outgoing data stream for keeping the connection to the user's web browser open. Otherwise e.g. Apache's mod_fcgid (or mod_fastcgi) reported an internal server error 500.
  • The time needed for a recursive delete is displayed.
  • Simple select-list plug-in base class YesNoIntegerFlag where 0 means No and 1 means Yes.
  • Domino-specific plugin classes for the following attribute types:
    • AvailableForDirSync
    • EncryptIncomingMail
    • CheckPassword
    • MailServer
  • Fixed regex pattern for Domino attribute types dominoCertificate etc.

New in version 1.0.17 (March 31st, 2009)

  • New AD-specific plugin classes for attribute types objectSID and tokenGroups*. The latter displays a search link for searching the accompanying group entry by SID or displays the name of e.g. BUILTIN groups (well-known SIDs).
  • New/improved Samba-specific plugin classes:
    • sambaGroupType static select field
    • sambaForceLogoff static select field
    • sambaAcctFlags decoded display, regex checking
    • sambaSID regex checking
    • sambaSIDList displays a search link
  • Many corrections in HTML output for errors found with tidy.
  • Update of LDIF file with local fall-back schema.

New in version 1.0.16 (March 27th, 2009)

  • w2lapp.schema.syntaxes.DynamicValueSelectList._doSearch() catches exception ldap.NO_SUCH_OBJECT.
  • New AD-specific plugin class for attribute type sAMAccountName which limits the length of the attribute value(s) to 20.
  • Security fix: If an invalid command was sent and is displayed it's correctly escaped now.

New in version 1.0.11 (February 22nd, 2009)

  • A fix was made in the plugin-class DynamicValueSelectList.
  • A work-around was made for a bug in OpenLDAP when generating a diff for the object class list.

New in version 1.0.9 (February 15th, 2009)

  • A fix was made for the plugin class LogonHours, which is now also registered for the attribute sambaLogonHours.

New in version 1.0.8 (February 7th, 2009)

  • This release adds more plugin classes and fixes minor interop issues.

New in version 1.0.5 (October 13th, 2008)

  • A new plugin module for Lotus Domino.
  • New plugin classes for MIT Kerberos schema.
  • A fix for a syntax error in Python 2.3.
  • Updated country codes.

New in version 1.0.0 (September 3rd, 2008)

  • Support for DIT structure rules when adding and renaming entries was added.
  • The user can now let web2ldap search for a new superior entry when renaming or moving an entry.
  • Named templates can be defined for basic search forms.
  • Wildcard search for schema elements was added.
  • A plugin-module for the draft-ietf-dhc-ldap-schema was added.
  • Several more small enhancements and fixes were made.