web2ldap - Changes

History of released versions

web2ldap 0.10.4

Release Date: 2002-03-01

Changes since 0.10.3:

  • Separate field instances are created for displaying input fields search_scope and search_resnumber in module w2lapp.searchform. This fixes running into a KeyError exception in case someone e.g. enters a malformed search filter in an LDAP URL and w2lapp.searchform.w2l_SearchForm() is called.
  • Correct handling of malformed DNs by normalizing the form parameter dn after form processing.
  • If the RDN of a newly added entry is automatically derived from entry data, characters special to DNs are correctly escaped.
  • Display attribute values as complete Python string representation with properly escaped HTML special chars when displaying modify list after adding or modifying an entry.
  • Several fixes for special chars used in DNs.
  • Fixed displaying no such object exception message if DN contains non-ASCII characters.

web2ldap 0.10.3

Release Date: 2002-02-17

Changes since 0.10.2:

  • Fixed race-condition in w2lapp.handler during handling expired sessions.
  • Input field length for attribute values in w2lapp.addmodifyform is now 60 chars.
  • Some more performance enhancements with determining the appropriate attribute syntax for displaying an attribute value in w2lapp.gui.DataStr().
  • No generic error handler for IOError exceptions in w2lapp.handler.HandleHTTPRequest() anymore.
  • Reordered menu items in w2lapp.gui.ContextMenuSingleEntry() to hopefully improve usability.

web2ldap 0.10.2

Release Date: 2002-02-06

Changes since 0.10.1:

  • Display quick-choose list for defining objectclasses with w2lapp.gui.W2L_Anchor() instead of w2lapp.gui.W2L_Form(). This is faster and looks more compact.
  • Fix if list of hostport parameters is passed to

web2ldap 0.10.1

Release Date: 2002-02-04

Changes since 0.10.0:

  • Fixes a bug according to host:port handling introduced in 0.10.0 just before releasing it.
  • Result type in is checked by dictionary key instead of string comparison. This should lead to increased performance when processing large search results.

web2ldap 0.10.0

Release Date: 2002-02-01

Changes since 0.9.6:

Important notices
  • A new python-ldap is required which MUST be built with the OpenLDAP 2 libs.
    (Note: The OpenLDAP 2 libs are currently not available for Windows!)
  • The config file format for the host-/backend-specific parameters has been changed! A base Python class Web2LDAPConfig was defined. All configuration host-/backend-configurations are instances of this class. This hopefully simplifies the syntax.
  • PyWebLib 1.1.0+ required!
  • Preliminary support for StartTLS extension (see RFC 2830). New host-/backend-specific parameter starttls defined.
  • Process LDAP URL extensions bindname and X-BINDPW when executing command ldapurl. Use with care! Especially it is not recommended to add passwords to URLs!
  • URLs in LDIF input are evaluated now (see RFC 2849). One can directly include a binary data blob loadable via FTP or HTTP into an attribute of an LDAP entry (e.g. handy for adding jpegPhoto attributes). Global configuration parameter web2ldapcnf.misc.ldif_url_schemes specifies which URL schemes are processed.
    Think twice when setting this since it is a security nightmare in most cases!!!
  • Command button [Modify RDN] was renamed to command [Rename]. The new superior DN can be set if LDAPv3 is in use.
  • Added signal handler for SIGHUP which reloads configuration module web2ldapcnf.
  • Write PID of main thread to file. See new parameters web2ldapcnf.standalone.pid_file and web2ldapcnf.fastcgi.pid_file.
  • Enabling/disabling manage DSA IT mode in [ConnInfo] (see draft-zeilenga-ldap-namedref).
User Interface
  • Also display OIDs in supportedFeatures of RootDSE with description and reference to literature.
  • Default number of search results per page can be set in configuration module web2ldapcnf.hosts with new parameter search_resultsperpage.
  • Login form presents select list for specifying the search root for search requests done with smart login (new form parameter login_search_root). This enables smart login to search for user entries outside the scope of the current backend.
  • Added a generic handler for exception ldap.NO_SUCH_OBJECT which does a DNS SRV lookup for dc-style DNs. A login form for confirming the reconnect is presented to the user.
  • Output mode can be chosen in [Read] button of main menu. "Raw table" does not use HTML templates at all.
  • Hopefully improved HTML output to be more compliant to HTML 4.01 transitional.
  • Delete operation has three selectable modes of operation now:
    • Only this entry
    • All entries below this entry (recursive)
    • All entries including this entry (recursive)
  • Added support for deleting single binary attributes. For binary attributes a [Delete] button is shown in the raw display table of [Read]. All values are deleted at once. There is no option to delete only certain attribute values of multi-valued attributes.
  • Command buttons are not generated by using <form> tags anymore. Instead most command buttons are simple links. This saves around 40% of HTML text in the search result table and is rendered much faster in common web browsers. It is also more friendly to be styled by CSS definitions and saves space in the menu bars.
  • Search results are displayed as descriptive list <dl> instead as <table>.
  • In the search result list the attributes hasSubordinates (see X.501) and subordinateCount (implemented in Novell eDirectory) are used if available to determine whether it makes sense to display a [Down] link.
  • The distinguished name (form parameter dn) is passed in every link. The result is a more robust behaviour when the user presses the browser's back button or opens links in new windows.
  • Removed [Password] link from main menu. User can change the password of the entry of current bind DN in [ConnInfo].
  • [ConnInfo] displays LDAP server vendor information as described in RFC 3045.
  • Attribute values used in characteristic attributes of RDN are set to read-only in the entry input form since modifying these attributes results in either an error or undefined behaviour on broken servers. They are resubmitted though to prevent the differential update deleting them.
Code cleaning and performance enhancements
  • Use os.path.join(..) instead of os.sep.join([..]).
  • Simplified getting the operational attributes by checking the presence of OID in list of attribute values of attribute supportedFeatures of the server's root DSE.
  • Rewrote building the group search filters of the [groupadm] feature.
  • Displaying attribute types with known syntax is much faster now.
  • LDAPError exceptions are now converted to human-readable HTML form by a single function.
  • Module ldaputil.ldapurl is no longer shipped with web2ldap since it was contributed to python-ldap and renamed to ldap.ldapurl.
  • Module ldaputil.modlist is no longer shipped with web2ldap since it was contributed to python-ldap and renamed to ldap.modlist.
  • Big clean-up in w2lapp.handler regarding redundant code for LDAP connects and binds (either coming the way via LDAP URL or form input).
  • The handling of LDAP URLs and form parameters was harmonized. The extra command ldapurl is still accepted for backwards compatibility but is not necessary anymore. If the query string of the URL is an LDAP URL it is automagically processed that way and the parameters are derived from the LDAP URL.
  • HTTP Accept-headers are now all processed by basically the same class pyweblib.helper.AcceptHeaderDict.
  • Hopefully simplified handling of search form parameters.
  • Recursive deletes should be much faster since unnecessary search operations are avoided if possible. They also do not consume much memory anymore since no list manipulations are necessary. Recursive deletes also honor the attributes hasSubordinates and subordinateCount if available. The new parameter delete_scope is handled exactly like search scope.
  • Cleaned up module by writing a base class for doing e.g. stream processing and pseudo-paging of LDAP entries with async searches. This module ldap.async is part of python-ldap.
  • Form input parameter in_ldif is now handled by new class w2lapp.gui.LDIFTextArea.
  • New functions w2lapp.gui.TopSection() and w2lapp.gui.SimpleMessage() used for most output of the status bar, main and context menus.
  • Cleaned up parameter mess of w2lapp.gui.CommandButton().
  • Consistently import symbols from web2ldapcnf.misc through common mechanism.
  • The distinguished name is consistently passed around to overcome inconsistencies if the user works with more than one browser window but with one session ID.
  • Negation filter (!()) is not used in [GroupAdm] anymore since negation assertions are usually very slow on most LDAP servers.
Bug fixes and work arounds
  • Explicitly request special attribute types of sub schema sub entry (necessary since e.g. OpenLDAP 2 does not return the attributes by default).
  • If a bind was not successful at all [ConnInfo] does not fail anymore. Instead a note about no proper binding occurs.
  • Exception handler for displaying known but malformed certificate extensions with a generic parsing output.
  • Send Pragma: no-cache in HTTP header and the equivalent in section <head> of HTML page to avoid browsers reusing old HTML pages with old session IDs.
  • Reimplemented caching in ldapsession.LDAPSession to fix a nasty bug with entries being not properly uncached by calling method LDAPSession.uncacheEntry(). The hierarchical cache structure with DN as first and attribute list as second level makes uncaching of an entry much easier.
  • DSML output correctly substitutes occurrences of & and < with the character entities.

web2ldap 0.9.6

Release Date: 2001-09-29

Changes since 0.9.5:

Bug fixes and work arounds
  • Added a workaround for misbehaving LDAP servers (e.g. Lotus Domino) which return a single null-byte character in namingContexts attribute of RootDSE.
  • Another workaround for some weird effects if python-ldap is linked against OpenLDAP 2 libs.
  • Fixed race condition in LDAPSession.getRootDSE() which ended with namingContexts attribute having the value None instead of [] under some strange error conditions.

web2ldap 0.9.5

Release Date: 2001-09-23

Changes since 0.9.4:

Installation changes
  • Use separately distributed module PyWebLib for web session handling, form processing, some HTTP header handling and SSL-related environment. Modules cgiforms, cgisession, cgihelper and httphelper are no longer shipped with web2ldap package.
  • Use module ldapthreadlock contributed to python-ldap instead of shipping own module ldapthreading.
  • Module ldif is no longer shipped since it was contributed to python-ldap ages ago.
  • Module DNS is no longer distributed within the package. Install PyDNS instead.
  • Format of host-specific parameter addform_oc_list has changed. The tuple now contains the attribute type for forming the RDN. This is pretty convenient. Use it!
  • On Posix platforms a local configuration module (etc/web2ldap in start directory) now has precedence over a system-wide configuration module (/etc/web2ldap). Also getting the configuration module from Windows-specific system directories is not possible anymore.
New features
  • Implemented very basic group management. Make sure to check out button [Groups] in context menu of single entry display (read).
  • Added handling of binary attribute values stored as hex-byte encoding with prefix {ASN}.
User Interface
  • The bind DN (var who) is reused as default in login form if ldap.INVALID_CREDENTIALS was raised after login try.
  • New quick button in ConnInfo for accessing subschemaSubentry.
  • The old password is not requested anymore in the password input form. Instead a relogin window is provided if ldap.INSUFFICIENT_ACCESS is raised.
  • If the user has to do a new login after changing his/her password there is no menu shown anymore.
  • Added search option "exists" to advanced search form. The search string is ignored if this option is chosen.
Code cleaning and performance tuning
  • Removed unused module msshelve.
  • Removed some unnecessary module imports.
  • Separate module ldaputil.passwd is used to set the userPassword attribute instead of doing all the stuff in application module w2lpasswd.
  • Moved application modules pylib/w2l*.py to separate module package directory pylib/w2lapp/.
  • Code-cleaning concerning w2lapp.core.CleanUpThread
  • Some code-cleaning with catching referral exceptions when python-ldap is built with OpenLDAP 2.0.x.
  • Implemented new class ldaputil.ldapurl.LDAPUrl which does the whole LDAP URL handling.
  • Lots of small code clean-ups, e.g. substituted lots of lambda, map(), filter function calls with list comprehensions.
  • The dumpasn1 config file is only parsed once at startup and the parsed content is held persistent => tremendous speed-up when displaying certificates and CRLs.
  • Moved creation of modlist's for modify() calls from ldapbase into new sub-module ldaputil.modlist. Functions were renamed.
Bug fixes and work arounds
  • Hopefully fixed bugs with mixed-case handling of LDIF and other input data by rewriting ldapbase.modify_modifylist().
  • Proper handling of lower-cased attribute type names of special root DSE attributes.
  • Catch all exceptions which might occur when calling DNS.ParseResolvConf() in module ldapdns and set ldapdns.dns_module_avail=0 in this case which switches off looking up SRV RRs in DNS. This is a rather crude approach which should be refined in the near future.
  • A bunch of small fixes and clean-ups for nasty things detected by PyChecker.
  • utctime.strftimeiso8601() does not rely on time.strftime() to display timestamps anymore. This makes displaying of all year values possible (not only 0..99,1900.. like enforced by time.strftime()).
  • When retrieving the root DSE "+" (ASCII 43) is used as requested attribute type for OpenLDAP 2.0.x as described in draft-zeilenga-ldap-opattrs-01.txt if the objectClass attribute of root DSE contains "OpenLDAProotDSE".
  • Fixed wrong definition of Mozilla-specific MIME type for attribute certificateRevocationList.

web2ldap 0.9.4

Release Date: 2001-06-23

Changes since 0.9.3:

  • Fixed displaying of iPAddress attribute in certificates.
  • Abandoned global configuration parameter web2ldapcnf.misc.script_method.
  • Slightly improved exception handling especially of logging/ignoring user-aborted connections, etc.
  • Determining appropriate charset used with browser was improved: mainly proper parsing of capability values.
  • A lookup of SRV RRs is automatically done if a LDAP URL does not contain a host name but a "dc-style" DN (a DN formed by domainComponent attributes).
  • New configuration sub-module fastcgi.
  • Some really significant performance optimizations in ldapthreading module. Former approach in method LDAPObject.result() was brain-dead and slow.
  • Web session ID is now passed around in PATH_INFO instead as a hidden form field. This means less HTML bloat and it decoupled session retrieving from form processing.
  • If ldap.NAMING_VIOLATION occurs during add the user can reedit his input.
  • Fixed smart login search with user names containing NON-ASCII chars. (sigh!)
  • Fixed wrong passing of parameters when calling function ldapbase.SmartLogin().
  • Use timeout search for smart login.

web2ldap 0.9.3

Release Date: 2001-06-08

Changes since 0.9.2:

  • Started writing a FAQ document.
  • Cleaned up determining the default RDN for adding new entry.
  • If an exception instance of type ldap.PARTIAL_RESULTS contains more than one referral LDAP URL only the first one is extracted and used. This is a workaround for the problem that multiple referral URLs were not parsed properly.
  • New method LDAPSession.isLeafEntry() is used to prevent user from submitting modrdn request on non-leaf entry.
  • If a single binary attribute is requested by command read an error message is generated if the entry does not contain this attribute (probably affects only cases where the user manually edits the URL).
  • Some modifications to nicely display attributes found in Active Directory (e.g. objectGUID, whenChanged).
  • Incompatible change to configuration dictionary web2ldapcnf.misc.ldap_browsermimetypes to make it more flexible. The format is now:
    ldap_browsermimetypes = {
  • Default MIME-types of certificates and CRLs were changed to application/pkix-cert and application/pkix-crl to be compliant to RFC 2585.
  • Extra try-except block in sends all unhandled exceptions (including exceptions raised in except statements of inner try-except block) to logging function w2lcore.log_exception().
  • Work around buggy browsers (e.g. StarOffice) which do not honour the accept-charset attribute of <form> tag and try to decode input as ISO-8859-1 if e.g. UTF-8 fails.

web2ldap 0.9.2

Release Date: 2001-05-19

Changes since 0.9.1:

  • Security fix:
    When calling ldapsession.LDAPSession.bind() the LDAPSession instance (associated with the web session) flushes all cached data, forgets all old RootDSE attributes and calls ldapsession.LDAPSession.getRootDSE() again.
  • Security fix:
    Fixed determining SSL security level and displaying certificates from SSL-related environment vars in conninfo. (works only through FastCGI)
  • Security feature:
    Reimplemented rudimentary SSL-based authorization scheme for gateway use. (works only through FastCGI)
  • Fixed handling of search scope select field when a search form is displayed after the user entered an invalid search filter.
  • Send HTTP error 405 in msHTTPHandler if running stand-alone and web application is accessed with HTTP-method HEAD.
  • Adjusted some more HTTP error responses in msHTTPHandler for running stand-alone to be hopefully more compliant to RFC 2616.
  • If the user enters an incomplete RDN for a new entry containing only the attribute type (e.g. 'cn=') and the corresponding attribute value is present in the entry the new RDN is automatically formed.
  • Removed input form for command locate from entry page because too many people did not know what it means. Instead directly invoke web2ldap with URL http://[host:port]/web2ldap/locate to get the input form.

web2ldap 0.9.1

Release Date: 2001-05-15

Changes since 0.9.0:

  • Fixed a compatibility issue in method ldapthreading.LDAPObject.result() with versions of python-ldap based on sources prior 2000-10-19. (see the incompatible change made to python-ldap)
  • Catch an AttributeError exception when using python-ldap built with LDAP libs without caching option.
  • Running multi-threaded is also the default on non-Posix platforms (e.g. Win32) now.

web2ldap 0.9.0

Release Date: 2001-05-10

Changes since 0.8.3:

  • Most important change:
    Dropped support for running as stateless CGI-BIN or stateless mod_python handler. Instead the possible modes are running as a multi-threaded stand-alone server or as a multi-threaded FastCGI server.
    The main benefit is that LDAPObject instances are kept persistent in memory => there is no need to rebind for each hit anymore. This greatly improves performance and reduces security risks since the credentials do not have to be stored at all. Other benefits are faster session database clean-ups and avoiding problems with file locking, file permissions etc.
  • Web session management. Each LDAP connection object is tied to a session ID stored in a hidden input field.
  • Method HTTP-POST is used wherever the state of the LDAP repository is changed or a login is done (to be compliant with section 9.1 of RFC 2616).
  • Slightly improved debug log by suppressing traceback if IOError.errno==32 (user aborted connection) and printing date/time and client IP address.
  • Important security fix: Internal URL redirector.
    URLs are not displayed directly anymore. The URL points to the new urlredirect command which creates a HTML page with <meta http-equiv="refresh" content="0;..>". This avoids that the browser sends the currently viewed URL as Referer-URL which could reveal session ID and credentials to an attacker.
  • If an ldap.SIZELIMIT_EXCEEDED exception is raised during a search and the output format is table, the partially received search results are displayed.
  • Default configuration module in distribution is now platform-independent and tries to set all path names relative to web2ldap directory. This makes quick-install for stand-alone mode easy on most platforms. Just extract archive and start the sbin/ script.
  • Type of audio and image attributes is automatically determined with sndhdr and imghdr modules in Python's standard lib.
  • Hopefully fixed template files for vCard. At least works with Netscape now (problem with empty attributes).
  • Single entries are now retrieved with all binary attributes and placed in a short-time cache together with other LDAP session data. This makes it possible to correctly access all multi-valued binary attributes with separate buttons or display multi-valued image attributes in-line.
  • Wrapper script for running as FastCGI server.
  • Access log for stand-alone mode in combined log format (with Referer and User-Agent header).
  • Wrapper class ldapthreading.LDAPObject around ldap.LDAPObject (mainly for thread-locking) which transforms all synchronous calls into asynchronous python-ldap calls.
  • Log unhandled exceptions in error log file with a lot of information about the aborted connection.
  • Make use of LDAP cache of LDAP libs. Two new host-/backend-specific parameters cache_timeout and cache_maxmem in configuration module web2ldapcnf.hosts.
  • User interface:
    • Inline displaying of images (attribute jpegPhoto etc.) when displaying an entry (Read).
    • <embed type=".." src=".."> for "displaying" audio attribute.
    • Nicer displaying of operational attributes when displaying a single entry by using a (language variant) HTML template file.
    • Slightly improved the HTML generation, e.g. more consistent use of <fieldset> sections, lower-cased HTML tags and attributes etc.
    • If ldap.OBJECT_CLASS_VIOLATION, ldap.OBJECT_CLASS_VIOLATION or problems with RDN occur during add (or modify), it is now possible for the user to edit his input again.
    • If ldap.FILTER_ERROR exception is raised during a search the user can edit the search filter and re-submit it.
    • Currently viewed DN is not changed if a new entry was added. This hopefully makes it easier to repeatedly add entries below the same node.
    • A [Display All] button for immediate switching to unpaged displaying of search results.
    • OIDs in RootDSE attributes are displayed with name and description. Credits go to Norbert Klasen for contributing a comprehensive list.
    • More information in connection info (ConnInfo).
    • Buttons for quickly choosing default object classes of new entries. This list is configurable per host/backend.
    • Quick buttons for accessing RootDSE, CN=MONITOR and CN=CONFIG in context menu of connection info (ConnInfo).
    • New command monitor which displays general gateway statistics.
    • Improved documentation of configuration module package web2ldapcnf.
  • Bug fixes:
    • Configuration did not work properly since 0.8.0 because I dropped ldap_basedn in hidden fields. Fixed.
    • Fixed parsing of LDAP URLs. Bug was related to usage of new string methods.
    • Fixed the screwed up passwd changing.
    • Check if RDN in input is empty or RDN has wrong format before adding entry.
    • Fixed Unicode handling in ldapbase.SearchTree() (used for recursive deleting of entries).
    • Fixed displaying of missing parent entry DNs when adding an entry.
    • Many small HTML generation fixes.
    • Many, many small fixes...and probably new bugs... ;-)
    • Fixed handling of LDIF input data (was case-sensitive regarding the attribute types).
  • Code cleaning:
    • Dropped support for checking gateway use by looking at DN of the client certificates. It seems that nobody is using it and it was getting ugly (may appear again in later version).
    • A lot of connection stuff is done within ldapsession.LDAPSession objects now including storing and restoring sessions and getting RootDSE attributes like namingContexts etc.
    • LDAP sessions are wrapped in LDAPSession objects for pickling and to wrap specific details if a patched python-ldap built against OpenLDAP 2.0.x libs is in use.
    • Rewrote parts of module w2lhandler.
    • Call login form directly if password of currently used bind DN was changed.
    • The code for creating the input forms for adding and modifying entries was a complete mess. It's still not pretty...
    • The code for creating the search forms was also a complete mess.
    • w2lgui.DisplayDN now took over all weird things with displaying DNs.
    • Moved class HTTPHandler from module msHTTPServer into separate module msHTTPHandler.
    • Creating hidden fields along with buttons is simplified by new parameter hidden_fields (list of tuples) in function w2lgui.CommandButton().
    • Almost no direct calls of LDAPObject methods anymore. All necessary methods are wrapped in sort of higher level wrapper methods of LDAPSession class. This makes caching and locking feasible.
    • Handle more input field stuff with the fine cgiforms module and derived classes in module w2lgui.
    • Cleaned up function httphelper.SendHeader().
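
The internal URL redirector described in the security fix above, as an added example that is not web2ldap's own code: links to external URLs point at an internal redirect command, and the page it returns forwards the browser with a meta refresh. The function names, the `/urlredirect?<quoted URL>` link shape and the allowed-scheme list are assumptions of this example.

```python
"""Added example: Referer-hiding redirect page (hypothetical names)."""
import html
from urllib.parse import quote, urlsplit

# Assumption of this example: only these schemes are valid redirect targets.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})

# Characters that never appear raw in a well-formed URL; refusing them keeps
# the value from breaking out of the HTML attribute or the refresh syntax.
FORBIDDEN_CHARS = "\r\n\t\x00 \"'<>"


class RedirectRefused(ValueError):
    """Raised when a target URL must not be redirected to."""


def check_target(target_url):
    """Return target_url unchanged if it may be embedded, else raise."""
    if any(ch in target_url for ch in FORBIDDEN_CHARS):
        raise RedirectRefused("forbidden character in URL")
    parts = urlsplit(target_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RedirectRefused("scheme not allowed: %r" % parts.scheme)
    if not parts.netloc:
        raise RedirectRefused("URL has no host part")
    return target_url


def internal_link(app_base, target_url):
    """Link written into an entry page instead of the raw external URL.

    The link carries only the quoted target. Session ID and credentials are
    deliberately left out, because the redirect page's own URL is the most
    the external server can ever see as Referer.
    """
    return "%s/urlredirect?%s" % (app_base.rstrip("/"), quote(target_url, safe=""))


def redirect_page(target_url):
    """HTML body served by the redirect command for a checked target."""
    target = html.escape(check_target(target_url), quote=True)
    return (
        "<html><head>"
        '<meta http-equiv="refresh" content="0; url=%s">'
        "</head><body>"
        '<a href="%s">%s</a>'
        "</body></html>"
    ) % (target, target, target)


if __name__ == "__main__":
    # Constructed sample: a URL stored in an attribute of a directory entry.
    stored_url = "http://example.org/people?id=42&lang=en"
    print(internal_link("/web2ldap", stored_url))
    print(redirect_page(stored_url))
    try:
        redirect_page("javascript:void(0)")
    except RedirectRefused as err:
        print("refused:", err)
```

The scheme and character checks keep the redirect command from becoming a script-injection sink for URLs stored in directory attributes.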

web2ldap 0.8.3

Release Date: 2001-01-28

Changes since 0.8.2:

  • Added input field for search root in connect input form.
  • Check if user tries to do ModRDN on empty DN.
  • Try to locate a LDAP host for a DN or DNS domain with various methods. See Internet Draft
    "A Taxonomy of Methods for LDAP Clients Finding Servers"
    on LDAPEXT page.
  • New parameter dir_listing_allowed for HTTP server (stand-alone mode).

web2ldap 0.8.2

Release Date: 2001-01-18

Changes since 0.8.1:

  • Code cleaning:
    • More clean-ups of exception handling in
    • Do a separate DNS lookup of LDAP host name which leads to a cleaner exception handling and error message being more meaningful to user.
    • Fixed displaying the DN of deleted entries. The parent DN was displayed instead of the entry's DN.
    • Solely use the new string methods of Python 2.0 and abandoned importing string module wherever possible.
    • Fixed displaying cRLDistributionPoints.distributionPoint.fullName as proper URL link when displaying HTML.
  • Bug fixes:
    • Display empty DN as - World - in status line.
    • Fixed building modify list when LDAP server is handling attribute types case-respecting.
    • Function ldapbase.SearchTree() properly returns list of Unicode objects now. Affects recursive deletes.
    • Fixed missing parameter when raising cgiforms.formContentLengthException.
    • Somewhat fixed handling of creating modlist's with binary attributes involved.

web2ldap 0.8.1

Release Date: 2000-12-20

Changes since 0.8.0:

  • Bug fixes:
    • Wrong regex pattern for select lists in fixed.
    • Some select fields did not use the right charset.
    • Fixed displaying displayName attribute.
    • Fixed ldapbase.SplitRDN() (affected modrdn command).
    • Default of modrdn input field was displayed as HTML.
    • Proper handling of UTF-8 characters in namingContexts attribute of RootDSE.
    • Handling of form data more robust.
    • Corrected handling of RDNs when DN has only one component.
    • Avoid any LDAP operations before first bind.

web2ldap 0.8.0

Release Date: 2000-12-02

Changes since 0.7.10:

  • Nice displaying of certificate and CRL attributes including certificate extensions if at least sub-module asn1 of Pisces is installed on the system (automatically detected). Credits go to Jeremy Hylton for his work on the ASN.1 parser and helping me understanding it.
  • New parameter web2ldapcnf.hosts.ldap_def['timeout'] for specifying a timeout (seconds) for search operations.
  • Login is no longer mandatory at the beginning of a session. The user can explicitly bind after connecting to the server.
  • Avoid making a LDAP connection when not necessary (e.g. when displaying add form).
  • Displayed LDAP URLs are all URL-quoted now and handling of LDAP URLs stored in attribute is more robust and smarter.
  • Some efforts were done to browse global directories in a reasonable manner.
  • Simple support for direct use of LDAP URLs (short hack):
    [web2ldap URL]/ldapurl?[LDAP URL]
    will display the entry or do a search.
  • Graceful handling of exceptions which make a re-login of a user necessary: ldap.INSUFFICIENT_ACCESS, ldap.INVALID_CREDENTIALS, ldap.INAPPROPRIATE_AUTH etc. User can re-login and retry command.
  • Smarter handling of LDAPv3 referrals: Instead of relying on the referral handling of the underlying lib the referral exceptions are caught and the user is prompted for new bind DN / password for connecting to the referred host and repeat the action before the referral was received.
    Credits go to Konstantin Chuguev for patching python-ldap to do correct error handling when result() method is called.
  • Compatibility issues:
    • web2ldap now makes use of the new Unicode features introduced in recent Python versions because the handling of different character encoding is faster and cleaner.
      => You have to upgrade your Python installation at least to version 2.0.
    • For cleaner exception handling python-ldap prior to 1.8 is no longer supported since the ldap.LDAPError exception base class is used now. This affects mainly the Windows platform since I do not know of pre-compiled python-ldap version later than 1.5. Feel free to contribute!
    • Moved parameters web2ldapcnf.misc.search_attrsonly and web2ldapcnf.misc.search_attrs to web2ldapcnf.hosts.ldap_def. You have to adjust your local configuration files!
  • Code cleaning:
    • All LDAP-related strings are internally handled as Unicode string types.
    • Handle more input field stuff with the fine cgiforms module.
    • LDAP session objects. First step towards session handling with picklable session objects.
    • Simplified many function calls into module w2lcore.
    • All exception handling of LDAP errors is done in module w2lhandler except exceptions which need special handling in a specific context.
  • Bug fixes:
    • Correct handling of DNs with quoted comma.
    • Some code was too case-sensitive with handling attribute type names.
    • Fixed some compatibility issues with Python 1.6+.
    • Fixed some vCard issues. Still not perfect but usable most times.
    • Correct handling of special characters when putting together LDAP filter string (RFC 2254).
    • Fixed typo in main exception handling.
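
The two kinds of escaping these change logs refer to (special characters in LDAP filter strings per RFC 2254 here, and DN special characters in automatically derived RDNs in the 0.10.4 and 0.9.2 notes), as an added example that is not web2ldap's own code. All function names, the sample entry and the `(uid=...)` filter template are assumptions of this example.

```python
"""Added example: escaping user data for LDAP filters and RDNs (hypothetical names)."""

# RFC 2254: these characters are written as backslash plus two hex digits.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters that carry meaning inside a DN and need a backslash in a value.
_DN_SPECIALS = '\\,+"<>;='


def escape_filter_value(value):
    """Escape an assertion value before it is placed in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value before it is placed in an RDN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)      # special char, leading '#', leading/trailing space
        elif ch == "\x00":
            out.append("\\00")         # NUL is written in hex form
        else:
            out.append(ch)
    return "".join(out)


def derive_rdn(rdn_input, entry):
    """Complete an RDN such as 'cn=' from the entry's own attribute value.

    entry maps attribute type names to lists of string values; type names
    are matched case-insensitively.
    """
    attr_type, sep, value = rdn_input.partition("=")
    attr_type = attr_type.strip()
    if not sep or not attr_type:
        raise ValueError("RDN must look like 'type=' or 'type=value'")
    if value:
        return rdn_input               # complete RDN given; not rewritten here
    for name, values in entry.items():
        if name.lower() == attr_type.lower() and values:
            return "%s=%s" % (attr_type, escape_dn_value(values[0]))
    raise ValueError("entry has no value for attribute %r" % attr_type)


def login_filter(username):
    """Search filter for a login name (the uid template is an assumption)."""
    return "(uid=%s)" % escape_filter_value(username)


def count_dn_components(dn):
    """Count RDNs by unescaped commas (ignores the quoted-string DN form)."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                     # skip the escaped character
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


# Constructed sample entry, as it might arrive from an add form.
SAMPLE_ENTRY = {"CN": ["Doe, Jane + Co"], "sn": ["Doe"]}
PARENT_DN = "dc=example,dc=org"

if __name__ == "__main__":
    naive = "cn=%s,%s" % (SAMPLE_ENTRY["CN"][0], PARENT_DN)
    safe = "%s,%s" % (derive_rdn("cn=", SAMPLE_ENTRY), PARENT_DN)
    print(naive, "->", count_dn_components(naive), "components")
    print(safe, "->", count_dn_components(safe), "components")
    print(login_filter("*)(uid=*"))
```

Without escaping, the comma inside the value is read as an RDN separator, so the unescaped DN parses with one component more than intended.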

web2ldap 0.7.10

Release Date: 2000-08-27

Changes since 0.7.9:

  • Better compatibility and defaults for running from scratch under Win32 platform.
  • New form parameter ldap_basedn is used throughout the whole session.
  • List of possible base DNs of LDAP servers are automatically queried if a connect is done to a LDAPv3 server with namingContexts attribute set or UMich-derived LDAPv2 server and entry cn=config. User can select the search root from select list.
  • New configuration scheme: any configuration parameter in the dictionary web2ldapcnf.hosts.ldap_def is now retrieved by looking at the string keys 'ldap://ldap_host/ldap_basedn', 'ldap_host', '_' ('_' is meant as the overall default) in this order. This allows holding several database backends on the same host with the same DNS name. It also shortens the ldap_def dictionary by avoiding having to repeat the same options for every server and makes browsing of completely unconfigured hosts easy. This concept should still handle your old config files correctly (except the specific changes of some variables described below!).
  • Over-featured configuration of required security level was simplified (You have to adjust your old config!).
    • The parameter web2ldapcnf.misc.security_level_default no longer exists. The overall default is now set in web2ldapcnf.hosts.ldap_def['_']['security_level'].
    • Type of dictionary parameter web2ldapcnf.hosts.ldap_def[]['security_level'] was changed to a simple integer for the required security level. Security levels which depend on a specific command might turn out to be less secure because of possible bugs in implementation/configuration.
  • vCard and printable HTML output is based on template files similar to the read_template's. This has the advantage of allowing different templates per object class.
    Path names of template files for vCards and printable HTML are set with parameter web2ldapcnf.hosts.ldap_def[..]['vcard_template'] and web2ldapcnf.hosts.ldap_def[..]['print_template'] (You have to adjust your old config! See example.).
  • Code cleaning:
    • moved functions for widely used HTML output from module to new module
    • moved/renamed function w2lcore.HTTPHeader() to httphelper.SendHeader()
    • Function w2lgui.CommandButton() expects UTF-8-encoded parameters now and does the conversion itself. The result is some performance loss but the code is less buggy.
    • Modules do not catch all exceptions with except: anymore.
    • Empty parameters are not ignored any more.
    • Non-existent parameters are set to None to distinguish them from empty parameters.
    • w2ldelete.DelTree() is now non-recursive.
    • Smart login is now done in ldapbase.SmartLogin() => w2lcore.LDAPSessionParams() looks nicer now.
    • Handle missing parameter ldap_dn with required flag of cgiforms.formFieldClass()
    • Some case-sensitive bugs fixed when building search result table.
  • All output of read is now wrapped by a <div id=MessageDiv></div> no matter if the output is a table or generated with a template (templates changed!).
  • New <div id=StatusDiv></div> for section with status line containing current DN, host name and bind DN above main menu.
  • Be as case-respecting as possible when displaying attribute types without being case-sensitive in attribute handling. (This fixes compatibility issues with upcoming OpenLDAP 2.0.)
  • Tweaked CSS files a bit but this needs more work. (Any good web designer willing to contribute?)
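
The three-step key lookup and the integer security_level described in this release, as an added Python sketch (not web2ldap's own code). The sample ldap_def contents, the function names and the assumption that a higher integer means a stricter requirement are all made up for illustration.

```python
# Added illustration, not web2ldap source. LDAP_DEF is a constructed sample;
# it is ASSUMED here that a higher security_level integer is stricter.
_MISSING = object()

LDAP_DEF = {
    "_": {"security_level": 1, "print_template": "templates/print_default.html"},
    "ldap.example.com": {"security_level": 0},
    "ldap://ldap.example.com/ou=hr,dc=example,dc=com": {
        "security_level": 2,
        "vcard_template": "templates/vcard_hr.txt",
    },
}


def lookup_keys(ldap_host, ldap_basedn):
    """Return the string keys in the order the changelog entry gives."""
    return ["ldap://%s/%s" % (ldap_host, ldap_basedn), ldap_host, "_"]


def get_param(ldap_def, ldap_host, ldap_basedn, name):
    """Return (value, key_that_supplied_it); raise KeyError if set nowhere."""
    for key in lookup_keys(ldap_host, ldap_basedn):
        # A sentinel keeps an explicit None or 0 from being skipped.
        value = ldap_def.get(key, {}).get(name, _MISSING)
        if value is not _MISSING:
            return value, key
    raise KeyError(name)


def connection_allowed(ldap_def, ldap_host, ldap_basedn, actual_level):
    """Compare the level of the current connection with the required integer."""
    required, _ = get_param(ldap_def, ldap_host, ldap_basedn, "security_level")
    return actual_level >= required


def weaker_than_default(ldap_def):
    """Audit helper: keys whose security_level is below the '_' default."""
    default = ldap_def["_"]["security_level"]
    return sorted(
        key for key, params in ldap_def.items()
        if params.get("security_level", default) < default
    )
```

Because the most specific key wins, a host or database entry can lower the requirement below the '_' default; weaker_than_default() lists such entries so they can be reviewed.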

web2ldap 0.7.9

Release Date: 2000-08-02

Changes since 0.7.8:

  • Fixed missing import of module ldif in
  • Pass only ldif.ldif_pattern to TextAreaClass.__init__()

web2ldap 0.7.8

Release Date: 2000-07-30

Changes since 0.7.7:

  • Wrapper script for running as persistent PythonHandler under the control of the Apache module mod_python.
  • Use gzip-encoding for saving network bandwidth if client has sent Accept-Encoding: gzip in the HTTP header.
  • Improved HTTP header data. In particular, the date format now conforms to RFC 1123.
  • New parameter standalone.run_username for defining the username for setuid() when started as root.
  • New parameter standalone.debug_log for setting path name of debugging log file. Redirect sys.stderr and sys.stdout to debug log if running detached.
  • Fixed bug with being too case-sensitive with LDIF data and input fields when modifying entries.
  • Relaxed DN regex checking for compatibility with quoted data in RDN-components.
  • separated HTTP server module (independent of web2ldap now)
  • Updated documentation and web pages. Still not really complete...

web2ldap 0.7.7

Release Date: 2000-07-06

Changes since 0.7.6:

  • Handle parsing of wrong LDIF data gracefully.
  • Use os.fork() to detach from console if running on Posix platform.
  • If threading is turned off the ForkingMixIn is used to run a forking server when running under Posix-platform.
  • Fixed bug: Changing objectClass attribute of an entry works again. New object classes were ignored.
  • Split calling the CGI-BIN and calling the stand-alone server into two different scripts cgi-bin/ and sbin/ to make a clean separation for users and package maintainers.
  • Dropped support for form parameter ldap_url. Was not used and made coding much more complicated.
  • Code cleaning:
    • All form.add() method calls are done in module now.
    • Cleaned up parameter handling.
    • Handling of search form parameters in single form field objects. Should be slightly faster.
  • Configuration module is divided into the following sub-modules:
    • various options
    • options only needed when running as stand-alone web server
    • specific parameters for different LDAP hosts
    • options only needed when running via CGI-BIN interface under the control of a web server

web2ldap 0.7.6

Release Date: 2000-06-18

Changes since 0.7.5:

  • Partial display of search result table with ->> and <<- buttons for previous and next page. The benefit is a better usability because there's not so much HTML data sent to the browser.
    Due to limitations of LDAP the search results are retrieved completely from the LDAP server up to the last result index displayed. E.g. displaying search results 201 to 210 means sending the results 1 to 200 to /dev/null.
  • Moved configuration files to separate directory (like /etc/web2ldap) to make producing Linux packages easy. Split former configuration file module into directory module web2ldapcnf/ containing modules and
  • New parameter web2ldapcnf.input_maxfieldlen for specifying maximum length of input data for attributes.
  • Base search form for very simple searches (default now). The search form can be customized with a HTML template file.
  • Select base, advanced or expert search form with select list of [Search] button.
  • Search results produce handy URL links for LDAP search URLs and mailto-links for group mailings.
  • Alternate output formats (DSML, LDIF, pretty-printable) are chosen from a select list with one button now.
  • Content negotiation with HTTP_ACCEPT_LANGUAGES for serving multi-language variants of template files (only search form and read templates by now).
  • SSL-enabled when running as a stand-alone gateway (credits go to Ng Pheng Siong for providing the module M2Crypto). This means a lot more parameters to configure. ;-) Please do not ask me how to create server certs etc. The OpenSSL and mod_ssl docs might be a good start for learning about this topic. ;-)
  • Improved HTML output (lower-cased, checked with tidy) - first little steps to XHTML.
  • Send \r\n in HTTP header in platform independent manner.
  • Bunch of small fixes. (still recovering from errors with the new module structure introduced in 0.7.3...).
  • The semantics of the parameter search_attr has changed. It represents the LDAP attribute name now (was user-friendly name before). Incompatible changes in configuration (see parameters web2ldapcnf.search_attr and web2ldapcnf.ldap_knownattr)!!!
  • Parameter search_maxhits in ldap_def dictionary abandoned.
  • If no IP addr is given with option -l the stand-alone mode binds to INADDR_ANY for listening on all network devices available.
  • Simple address-based access control with client's IP address in stand-alone mode. See new parameter web2ldapcnf.access_allowed for defining a list of networks which are allowed access.

web2ldap 0.7.5

Release Date: 2000-04-07

Changes since 0.7.4:

  • Small fixes.
  • Display current RDN as input default when choosing modrdn.

web2ldap 0.7.4

Release Date: 2000-04-06

Changes since 0.7.3:

  • Fixed missing module import when running stand-alone.

web2ldap 0.7.3

Release Date: 2000-04-05

Changes since 0.7.2:

  • J. Stezenbach provided a patched version of for faster character set conversion.
  • J. Stezenbach provided a solution for the hanging socket when running as stand-alone and catching ErrorExitClass exception in HandleHTTPRequest().
  • All functionality is put into modules for reducing start-up latency especially when running as CGI-BIN (thanks again to J. Stezenbach for giving the right optimization hints).
  • Use string templates for displaying entry data in search result table (new parameters!).
  • Made asynchronous searches less memory-consuming, especially when downloading large amounts of LDIF or DSML data.
  • New per-host parameter search_maxhits introduced to limit the number of search results displayed in search result table. This means: Behave nicer on large sites.

web2ldap 0.7.2

Release Date: 2000-02-27

Changes since 0.7.1:

  • Added button downloading DSML-formatted directory data. (Very preliminary and primitive implementation of a DSML level 1 producer. This needs testing!).
  • Fixed bug with LDIF data containing non-ASCII characters.
  • Cleaned up password setting and added support for SMD5 and SSHA hash types. Also hash types can be restricted in the per-host configuration.

web2ldap 0.7.1

Release Date: 2000-02-26

Changes since 0.7.0:

  • Stand-alone mode delivers documents from web2ldapcnf.document_root now.
  • Added attribute thumbnailphoto to web2ldapcnf.ldap_binaryattr.
  • Changed the behaviour of the [Easy Search] button:
    If the base DN is empty the current DN is displayed as default search base. This is more handy if browsing in big X.500 trees.
  • Some bug-fixes.

web2ldap 0.7.0

Release Date: 2000-02-20

Changes since 0.6.10:

  • Stand-alone mode by deriving own HTTP handler class from SimpleHTTPServer.SimpleHTTPRequestHandler. Running stand-alone speeds up things dramatically (modules are not re-imported every time).
    And yes, it's multi-threaded (needs testing!!!).
    And yes, it runs under Windows.
  • Runs under Windows now.
  • Abandoned all global variables.
  • Does not use sys.stdin or sys.stdout directly any more.
  • Function calls for the web2ldap commands through wrapper-function HandleHTTPRequest().
  • Produces correct HTTP expiring header now.
  • Make use of useful changes in module
  • New parameter web2ldapcnf.input_maxattrs.
  • New button [Login As] when displaying an entry.

web2ldap 0.6.10

Release Date: 2000-02-08

Changes since 0.6.9:

  • Two small fixes to building of modify list.
  • Fixed wrong HTML escaping in displaying of multi-line entries.

web2ldap 0.6.9

Release Date: 2000-02-07

Changes since 0.6.8:

  • Do not print [Go up] buttons for DNs above basedn.
  • Started writing documentation...
  • Fixed problems with URLs and hidden parameters based on DNs containing " quotes.
  • Modify: Leave attribute objectClass alone if it does not have to be changed and change objectClass and rest of entry in one call of modify_s().
  • Changed effect of web2ldapcnf.print_rawutf8: 0 Never, 1 Smart, 2 Always
  • Read single binary data from multi-valued attributes (not yet usable in UI).
  • New configuration parameter web2ldapcnf.ldif_maxbytes for limiting the amount of data in the LDIF input field.
  • Even more bug hunting, code cleaning and small UI enhancements.
  • Escape special HTML/Javascript characters to address security problems with scripting content described in CERT advisory CA-2000-02.

web2ldap 0.6.8

Release Date: 2000-01-29

Changes since 0.6.7:

  • Bug hunting and code cleaning.
  • Smarter main menu.
  • Graceful error handling.
  • Nice confirmation dialogue for delete.
  • Recursive delete of sub-trees.

web2ldap 0.6.7

Release Date: 2000-01-28

Changes since 0.6.6:

  • Fixed bug with download of binary attributes introduced in 0.6.5 or 0.6.6
  • New handling of SSL-related environment variables: Prefer mod_ssl style with fallback to old ApacheSSL style.

web2ldap 0.6.6

Release Date: 2000-01-25

Changes since 0.6.5:

  • You might have guessed it: Bug hunting and code cleaning!
  • Better support and example for CSS

web2ldap 0.6.5

Release Date: 2000-01-23

Changes since 0.6.4:

  • Implemented modrdn.
  • Omnipresent button bar throughout the whole UI now (including error messages).
  • Direct input of LDIF data possible during adding or modifying entries (e.g. for binary data).
  • Display attributes of entry according to the schema categories (required, allowed, not matching).
  • Minor bugfixing and code cleaning.
  • Display entries with HTML template files depending on objectClass.
  • HTML clean-up to be hopefully SGML-conform (and friendly to browsers).
  • Configuration parameters for complete <BODY> tag.
  • ID params in important HTML tags for using CSS.
  • Configuration parameters for string placed in <HEAD></HEAD> section (suitable for placing <STYLE> tags).

web2ldap 0.6.4

Release Date: 2000-01-06

Changes since 0.6.2:

  • Some minor enhancements of user interface
  • Fixed a basedn-related bug in smart login search
  • Added automatically start of if is invoked from command-line (only Unix up to now).

web2ldap 0.6.1, 0.6.2, 0.6.3

Release Date: 2000-01-04

  • bad day...

web2ldap 0.6.0

Release Date: 2000-01-03

Changes since 0.5.8:

  • started enhanced user interface

web2ldap 0.5.8

Release Date: 1999-12-29

Changes since 0.5.6:

  • some code cleaning / bug fixing
  • enhanced direct handling of UTF-8 input/output, conforming more closely to the HTML4 standard
  • new feature: for each host a dictionary with DNs as keys can be created to define the default objectclass and attribute for forming DNs for subordinate entries (see example in cgi-bin/ under host This is handy in situations where inexperienced users have to add entries without knowing how to form a new DN.

web2ldap 0.5.6

Release Date: 1999-12-21

Changes since 0.5.3:

  • some code cleaning / bug fixing in login procedure
  • some small performance enhancements
  • direct output of UTF-8 if browser sends UTF-8 in HTTP_ACCEPTED_CHARSET (e.g. like Netscape Communicator 4.5x does)
  • fixed problems with being too case sensitive in modify
  • some small improvements in user interface

web2ldap 0.5.4

  • small bugfix

web2ldap 0.5.3

Release Date: 1999-12-12

Changes since 0.5.2:

  • deal with DNs containing spaces between DN components
  • fixed behaviour of accidentally case sensitive attribute name handling in addform/modifyform

web2ldap 0.5.2

Release Date: 1999-11-17

Changes since 0.5.0:

  • renamed project to web2ldap
  • complete re-design of modifyform to make it possible to change objectClass attributes.
  • minor enhancements of user interface
  • some small bug fixes

ldap-client-cgi 0.5.1

Release Date: 1999-10-05

ldap-client-cgi 0.5.0

Release Date: 1999-09-27

Changes since 0.4.4

  • complete re-design of add/modify
  • client-side schema checking with appropriate input forms for required and allowed attributes
  • automatically checking for missing parent DNs if add fails with "NO SUCH OBJECT" for reducing FAQ-traffic on OpenLDAP mailing lists ;-)
  • support for setting hashed passwords ({crypt},{md5} and {sha})
  • minor enhancements of user interface
  • some small bug fixes

ldap-client-cgi 0.4.4

Release Date: 1999-09-04

Changes since 0.4.2

  • some bug fixes
  • more complete and slightly faster character conversion

ldap-client-cgi 0.4.3

Release Date: 1999-08-19

ldap-client-cgi 0.4.2

Release Date: 1999-08-18

Changes since 0.4.1

  • security fix! (forgot METHOD-parameter in a <FORM>-tag)
  • small fixes in user interface

ldap-client-cgi 0.4.1

Release Date: 1999-08-08

Changes since 0.3.1:

  • bind without input of full bind-dn (anon search seeks for complete DN first)
  • working tree traversal
  • almost every parameter configurable for each LDAP host separately
  • vCards for easy download of addresses in address books of NS Comm. and MS IE.
  • LDIF output of search results for bulk downloading of addresses (no binary attributes up to now)
  • improvements to the user interface
  • clean login behaviour
  • minor HTML improvements

Dig DejaNews if you're interested in changes of these ancient releases...

ldap-client-cgi 0.4.0

Release Date: 1999-08-07

ldap-client-cgi 0.3.1

Release Date: 1999-07-21


Release Date: 1999-07-21

Page last modified: Friday, 01-Mar-2002 13:07:16 CET, © by Michael Ströder