web2ldap - Configuration

The configuration module directory web2ldapcnf/

This document describes the Python module directory web2ldapcnf/, which resides in the system configuration directory and sets configuration options for the various aspects of web2ldap.

Note:
The configuration itself is a Python module and therefore you have to provide a syntactically correct module and correct configuration parameters. You can mess up web2ldap completely by writing sh** into this module.
Please refer to the Python docs for details on the Python syntax itself.

The configuration module is divided into different sub-modules:

__init__.py
Initialization module for the directory module. Simply do not touch this.
misc.py
Options needed in any running-mode.
standalone.py
Options only needed when running as stand-alone web server.
cgibin.py
Options only needed when running as CGI-BIN script under the control of a web server.
hosts.py
Options specific for certain LDAP hosts.

misc.py

This section describes the parameters which influence the basic behaviour of web2ldap.

Basic options

pylibdirs
A list of strings with the full pathnames of directories containing the required Python modules.

Example:

pylibdirs = ['/usr/local/web2ldap/pylib','/usr/local/python/ldapmodule']
ldif_maxbytes
Maximum length of LDIF data in the <TEXTAREA> of addform/modifyform
input_maxattrs
Maximum count of input attribute fields in addform/modifyform
input_maxfieldlen
Maximum length of attribute data input fields in addform/modifyform
max_searchparams
Maximum count of search parameters in advanced search form

Example:

max_searchparams=9
search_attrsonly
There are some situations where web2ldap only wants to get the attribute names of an entry and not the data itself, to save bandwidth. However, some LDAP hosts (e.g. Notes Domino 4.61) have problems with such an attributes-only request: they won't return any matches for a search. If you experience these problems (no matching entry) set this to 0.

Example:

search_attrsonly=1
search_attrs
Attributes which should be present in attribute select list of advanced search form.

Example:

search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
ldap_knownattr
Dictionary for defining user-friendly names of attribute types.

Example:

ldap_knownattr = { 'c':'Country', 'sn':'Surname', 'givenname':'Given Name', 'uid':'User ID' }
ldap_binaryattr
This Python dictionary maps binary attribute types to a tuple of a user-friendly name and the MIME type used when delivering the attribute value.

Example:

ldap_binaryattr = {
  'certificate;binary':('Client certificate','application/x-x509-email-cert'),
  'jpegphoto':('Photograph','image/jpeg'),
}
ldap_browsermimetypes
Some browsers are more equal than others ;-) and therefore need an extra, browser-specific mapping of MIME types.

Example:

ldap_browsermimetypes = {
  'certificaterevocationlist;binary': {
    'MSIE':'application/pkix-crl'
  }
}
dumpasn1cfg
Path name to file dumpasn1.cfg needed for displaying names of OIDs in certificates.

HTML and HTTP options

print_rawutf8
UTF-8 data is printed as is and the charset is set to utf-8 in the HTTP header. This speeds up displaying dramatically! For the conditional mode the browser has to send the required HTTP header and your web server has to set the corresponding environment variable. Possible values:
0
Never
1
if the browser sends Accept-Charset: utf-8 in HTTP header and the web server sets HTTP_ACCEPT_CHARSET environment variable
2
Always

Example:

print_rawutf8=1
gzip_level
The HTTP body can be sent compressed by gzip if this parameter is set to a non-zero compression level, the HTTP client sends Accept-Encoding: gzip in the HTTP request header and the web server sets the HTTP_ACCEPT_CHARSET environment variable. This also needs the zlib module, which is detected automatically.
Note: This might speed things up if the server's CPU is rather fast compared to the network link. Even with large search results you won't gain much by choosing a gzip level higher than 1.

Example:

gzip_level=1
html_head
Additional information in <HEAD></HEAD> section, e.g. CSS definitions or links. Do not put <TITLE> tags in here!

Example (note the preceding r for Python raw string!):

html_head = r"""
<LINK
  rel=stylesheet
  type="text/css"
  href="http://www.web2ldap.de/css/readandgreen.css"
>
"""
html_bodybegin
Rudimentary configuration for the <BODY> tag. There should be at least <BODY> written here.

Example (note the preceding r for Python raw string!):

html_bodybegin = r"""
<BODY LINK="Red" VLINK="Maroon" BGCOLOR="#fffffe">
"""

Security options

You should think about these parameters a little bit longer...

script_method
This is the HTTP method for submitting forms. Use POST to avoid the security problem of usernames and passwords being stored in URLs (and thus in web server logs). GET is quite handy for debugging and works with CGIHTTPServer.py.

Example:

script_method = 'POST'
sec_expire
You can set sec_expire to define the amount of time (in seconds) the data is valid in the browser (HTTP header Expires: is set).
Note: If you're doing modifications you might get a very nasty behaviour if the pages are cached by your browser.

Example:

sec_expire = 600
sec_reqlevel_default
You can specify the required security level for each host and each command. This default is chosen if there's no definition for a specific host and command.
Set this to 2 if you are using SSL web server with client certificates.
Set to 1 if you use SSL connections.
Set to 0 if all LDAP data you are handling through this gateway is public.

Example:

sec_reqlevel_default = 2
sec_sslacceptedciphers
Specifies a list of strings with the acceptable symmetric key ciphers to reach at least security level 1. See also http://www.apache-ssl.org/docs.html and the ApacheSSL run-time directives SSLBanCipher, SSLRequireCipher, SSLRequiredCiphers or similar options in your SSL capable web server.

Example (accepts only strong ciphers):

sec_sslacceptedciphers = [
'IDEA-CBC-SHA','RC4-MD5','RC4-SHA','IDEA-CBC-MD5',
'DES-CBC3-SHA','DH-DSS-DES-CBC3-SHA','DH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA','EDH-RSA-DES-CBC3-SHA','ADH-RC4-MD5',
'ADH-DES-CBC3-SHA','FZA-RC4-SHA','RC2-CBC-MD5','DES-CBC3-MD5'
]
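The following is an added example, not web2ldap's own code, showing how the security levels of sec_reqlevel_default and the cipher list of sec_sslacceptedciphers fit together: level 1 needs SSL with an accepted cipher, level 2 additionally needs a verified client certificate. It assumes mod_ssl-style CGI variables HTTPS, SSL_CIPHER and SSL_CLIENT_VERIFY; the config values are constructed samples.

```python
# Constructed sample config values; the cipher list is a subset of the example above.
SEC_REQLEVEL_DEFAULT = 2
SEC_SSLACCEPTEDCIPHERS = ['DES-CBC3-SHA', 'EDH-RSA-DES-CBC3-SHA', 'RC4-SHA']


def reached_security_level(env, accepted_ciphers):
    """Derive the security level actually reached by one request.

    0: plain HTTP, or SSL with a cipher that is not in accepted_ciphers
    1: SSL with an accepted cipher
    2: level 1 plus a successfully verified client certificate
    Assumes the mod_ssl-style CGI environment variables HTTPS, SSL_CIPHER
    and SSL_CLIENT_VERIFY (an assumption, not something web2ldap documents).
    """
    if env.get('HTTPS', '').lower() != 'on':
        return 0
    # A weak cipher counts as no encryption at all for the level decision.
    if env.get('SSL_CIPHER', '') not in accepted_ciphers:
        return 0
    if env.get('SSL_CLIENT_VERIFY', '') == 'SUCCESS':
        return 2
    return 1


def request_permitted(env, required_level=SEC_REQLEVEL_DEFAULT,
                      accepted_ciphers=SEC_SSLACCEPTEDCIPHERS):
    """True if the request reaches at least the required security level."""
    return reached_security_level(env, accepted_ciphers) >= required_level


if __name__ == '__main__':
    # Constructed request environments for a quick manual check.
    plain = {}
    weak = {'HTTPS': 'on', 'SSL_CIPHER': 'EXP-RC2-CBC-MD5'}
    strong = {'HTTPS': 'on', 'SSL_CIPHER': 'RC4-SHA'}
    with_cert = dict(strong, SSL_CLIENT_VERIFY='SUCCESS')
    for name, env in [('plain', plain), ('weak', weak),
                      ('strong', strong), ('with_cert', with_cert)]:
        print(name, reached_security_level(env, SEC_SSLACCEPTEDCIPHERS),
              request_permitted(env))
```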

standalone.py

This module contains configuration options solely needed if running as stand-alone web server.
run_username
User account name to setuid to after being started as root. This option might be overridden by the command-line option -u.
server_admin
Contact mail address of the server admin when running stand-alone.
server_signature
This is the server's signature which can be appended to every HTML page. The string is expanded with Python dictionary string-formatting against all environment variables.

Example:

server_signature = """
%(SERVER_SOFTWARE)s at %(SERVER_NAME)s Port %(SERVER_PORT)s
"""
access_allowed
List of address/netmask strings defining the accepted client addresses.

Example for accepting all client IP addresses:

access_allowed = ['0.0.0.0/0.0.0.0']

Example for accepting only clients from loopback network:

access_allowed = ['127.0.0.1/255.0.0.0']
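As an added example (not web2ldap's own implementation), this is one way to evaluate access_allowed strings of the form address/netmask against a client address; the two sample lists are the ones shown above, and unparseable entries or client addresses are rejected rather than silently accepted.

```python
import ipaddress

# Constructed sample values in the style of the access_allowed examples above.
ACCESS_ALLOWED_ALL = ['0.0.0.0/0.0.0.0']
ACCESS_ALLOWED_LOOPBACK = ['127.0.0.1/255.0.0.0']


def parse_access_allowed(access_allowed):
    """Turn 'address/netmask' strings into IPv4Network objects.

    A malformed entry raises ValueError here, at configuration time,
    instead of silently admitting or rejecting clients later.
    """
    networks = []
    for entry in access_allowed:
        addr, mask = entry.split('/', 1)
        # strict=False: host bits set in 'addr' (as in 127.0.0.1/255.0.0.0)
        # are masked off instead of raising an error.
        networks.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return networks


def client_allowed(access_allowed, client_addr):
    """Return True if client_addr falls into at least one configured network."""
    try:
        client = ipaddress.IPv4Address(client_addr)
    except ValueError:
        # An unparseable REMOTE_ADDR is never allowed.
        return False
    return any(client in net for net in parse_access_allowed(access_allowed))


if __name__ == '__main__':
    for addr in ['127.0.0.1', '10.1.2.3', 'garbage']:
        print(addr, client_allowed(ACCESS_ALLOWED_ALL, addr),
              client_allowed(ACCESS_ALLOWED_LOOPBACK, addr))
```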

Path names

Path names of needed files and directories.
access_log
Path name of access log file.
error_log
Path name of error log file.
debug_log
Path name of debug log file. stdout and stderr are redirected to this file for redirecting debug messages of underlying modules.
document_root
Where the static documents reside.
mime_types
Path name of IANA mime.types file.

SSL

These options configure the behaviour and basic settings when running with the encryption protocol SSL. These variables have pretty much the same meaning as the similarly named SSL configuration directives in mod_ssl.
Note: SSL support is still somewhat experimental and some features are not fully implemented yet.
ssl_Engine
Set to on to enable SSL support. If off, the remaining options in this section are not needed. This option might be overridden by the command-line option -s.
ssl_Protocols
List of supported protocols (up to now only ['sslv23'] works with Netscape).
ssl_debug
Set to 'on' for debugging messages from M2Crypto module.
ssl_CertificateFile
Server Certificate: Point SSLCertificateFile at a PEM encoded certificate. If the certificate is encrypted, then you will be prompted for a pass phrase.
ssl_CertificateKeyFile
Server Private Key: If the key is not combined with the certificate, use this directive to point at the key file.
ssl_CACertificatePath or ssl_CACertificateFile
Certificate Authority (CA): Set the CA certificate verification path where CA certificates for client authentication are found, or alternatively one huge file containing all of them (the file must be PEM encoded).
Note: Inside SSLCACertificatePath you need hash symlinks to point to the certificate files. Use the provided Makefile to update the hash symlinks after changes.
ssl_VerifyClient
Client Authentication (Type): Client certificate verification type and depth. Types are none (0), optional (1), require (3).
ssl_VerifyDepth
Depth is a number which specifies how deeply to verify the certificate issuer chain before deciding the certificate is not valid.
ssl_randfile
File with random data to seed PRNG (you won't need that on Linux since /dev/urandom is used there).

cgibin.py

Up to now there are no options in this section.

hosts.py

This section describes the parameters which are related to specific LDAP hosts. The per-host configuration is a Python dictionary with the host:port string as key.

ldap_host_list
List of LDAP hosts which will appear in the default select list of the login form. A list containing only one host results in a normal input field with the host set as default.

Example:

ldap_host_list = [
  'nldap.com',
  'ldap.surfnet.nl'
]
ldap_def
This is a string-keyed Python dictionary which holds all options specific to certain LDAP hosts.

Example:

ldap_def = {

  'nldap.com': {
    # Per-host options dictionary entries for nldap.com
  },

  'ldap.surfnet.nl': {
    # Per-host options dictionary entries for ldap.surfnet.nl
  }

}

Per-host options dictionary


Page last modified: Tuesday, 21-Nov-2000 18:29:46 CET, © by Michael Ströder <michael@stroeder.com>