This document describes the parameters which influence the
basic behaviour of web2ldap.
[gzip_level]
[html_bodybegin]
[html_head]
[input_maxattrs]
[input_maxfieldlen]
[ldap_binaryattr]
[ldap_browsermimetypes]
[ldap_knownattr]
[ldap_trace_level]
[ldif_maxbytes]
[ldif_url_schemes]
[max_searchparams]
[pylibdirs]
[search_attrs]
[search_attrsonly]
[sec_expire]
[sec_reqlevel_default]
[sec_sslacceptedciphers]
[session_checkvars]
[session_relogin]
[session_remove]
[print_rawutf8]
- pylibdirs
-
A list of strings with the full pathnames of directories
containing the required Python modules.
Example:
pylibdirs = ['/usr/local/web2ldap/pylib','/usr/local/python/ldapmodule']
- ldif_maxbytes
-
Maximum length (in bytes) of LDIF data in the <textarea>
of addform/modifyform.
- ldif_url_schemes
-
List of strings which specifies the URL schemes to process in LDIF input
(marker :< in LDIF notation, see
RFC 2849).
Think twice!!!
This can be a security nightmare! Every resource addressable by URL
which is accessible by the system running web2ldap can be revealed.
Usually you MUST not allow the file scheme if others can access
your web2ldap installation and you MUST not allow any URL retrieval
when running at a security border (like somewhere at firewall border).
If unsure leave as empty list to ignore all URLs in LDIF.
Once again. This is the safe setting:
ldif_url_schemes = []
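The scheme check described above, as an added example that is not web2ldap's own code: a small LDIF record parser that only dereferences :< values whose URL scheme is listed. The function name, the injected fetch callable and the sample record are assumptions made for this illustration.

```python
import base64
from urllib.parse import urlsplit

ldif_url_schemes = []   # the safe setting from the text above

# Constructed sample record (already unfolded), not taken from a real directory.
SAMPLE = [
    'dn: cn=Jane Doe,ou=People,dc=example,dc=com',
    'cn: Jane Doe',
    'description:: SGVsbG8=',
    'jpegphoto:< file:///var/lib/example/photo.jpg',
    'usercertificate;binary:< http://intranet.example.com/jane.der',
]

def parse_ldif_record(lines, allowed_schemes, fetch):
    """Return ({attr: [bytes]}, skipped) for one LDIF record.

    fetch(url) -> bytes is called only for ':<' values whose URL scheme is in
    allowed_schemes. Every other URL value is reported in skipped and is
    never retrieved, so an empty list ignores all URLs.
    """
    allowed = {s.lower() for s in allowed_schemes}
    entry, skipped = {}, []
    for line in lines:
        if not line or line.startswith('#'):
            continue
        attr, sep, rest = line.partition(':')
        if not sep:
            raise ValueError('not an attribute line: %r' % line)
        if rest.startswith('<'):                 # attr:< url
            url = rest[1:].strip()
            if urlsplit(url).scheme.lower() not in allowed:
                skipped.append((attr, url))
                continue
            value = fetch(url)
        elif rest.startswith(':'):               # attr:: base64 value
            value = base64.b64decode(rest[1:].strip())
        else:                                    # attr: plain value
            value = rest.lstrip(' ').encode('utf-8')
        entry.setdefault(attr, []).append(value)
    return entry, skipped
```

Logging the skipped list shows which submitted LDIF tried to reference URLs, which is worth reviewing even when nothing was fetched.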
- input_maxattrs
-
Maximum count of input attribute fields in addform/modifyform
- input_maxfieldlen
-
Maximum length of attribute data input fields in addform/modifyform
- max_searchparams
-
Maximum count of search parameters in advanced search form.
Example:
max_searchparams=9
- search_attrsonly
-
There are some situations where web2ldap just wants to determine the
existing attribute types of an entry and not the data itself for
saving bandwidth.
However, some LDAP hosts (e.g. Notes Domino 4.61 and prior versions)
have problems with such a search requesting only attribute types:
they won't return any matches for a search. If you experience this
problem (no matching entry) set this to 0.
Example:
search_attrsonly=1
- search_attrs
-
Attribute types which should be present in search attribute type select
list of advanced search form.
Example:
search_attrs = ['cn','mail','o','ou','st','uid','telephonenumber','description']
- ldap_knownattr
-
Dictionary for defining user-friendly names of attribute types.
Example:
ldap_knownattr = {
'c':'Country',
'sn':'Surname',
'givenname':'Given Name',
'uid':'User ID'
}
- ldap_trace_level
-
Trace output of the LDAP connection can be written to error
output. Set to non-zero if you want to debug your LDAP connection.
Warning! Passwords (credentials) are written to this trace log!
If unsure leave zero! Only set to non-zero for testing purposes
and if you have protected logs!
- ldap_binaryattr
-
This Python dictionary maps attribute types to a tuple of a
descriptive attribute name and a MIME-type.
Example:
ldap_binaryattr = {
'certificate;binary':('Client certificate','application/x-x509-email-cert'),
'jpegphoto':('Photograph','image/jpeg'),
}
- ldap_browsermimetypes
-
Some browsers are more equal than others ;-) and therefore need
an extra mapping of MIME-types.
Format:
ldap_browsermimetypes = {
('browsername','browserversion'):{
'attrtype':'mime_type'
},
'browsername':{
'attrtype':'mime_type'
},
}
- dumpasn1cfg
-
Path name to file
dumpasn1.cfg needed for displaying names of OIDs of
attribute types in subject and issuer name of certificates.
HTML and HTTP options
- print_rawutf8
-
UTF-8 data is printed as is and charset is set to utf-8 in HTTP header.
This speeds up displaying dramatically! The browser has to set the
required HTTP header and your web server has to set the
environment variable.
- 0
- Never
- 1
-
if the browser sends Accept-Charset: utf-8 in HTTP header
and the web server sets HTTP_ACCEPT_CHARSET environment variable
- 2
- Always
Example:
print_rawutf8=1
- gzip_level
-
The HTTP body can be sent compressed with the gzip algorithm if this parameter
is set to a non-zero compression level, the HTTP client sends
Accept-Encoding: gzip in the HTTP request header and the
web server sets HTTP_ACCEPT_CHARSET environment variable.
This also needs zlibmodule, which is automatically detected.
Note:
This might speed things up if the server's CPU is rather fast
compared to the network link. Even with large search results you
won't gain much by choosing a gzip level higher than 1.
Example:
gzip_level=1
- html_head
-
Additional information in <HEAD></HEAD> section, e.g. CSS definitions
or links. Do not put <TITLE> tags in here!
Example (note the preceding r for Python raw string!):
html_head = r"""
<LINK
rel=stylesheet
type="text/css"
href="http://www.web2ldap.de/css/readandgreen.css"
>
"""
- html_bodybegin
-
Rudimentary configuration for <BODY>-tag.
There should be at least <BODY> written here.
Example (note the preceding r for Python raw string!):
html_bodybegin = r"""
<BODY LINK="Red" VLINK="Maroon" BGCOLOR="#fffffe">
"""
Security options
You should think about these parameters a little bit longer...
- session_relogin
-
Amount of time in seconds after which inactive sessions will be expired
and the user will be prompted for a relogin.
- session_remove
-
Amount of time in seconds after which inactive sessions will be expired
and the session data is removed silently without the possibility to relogin.
- session_checkvars
-
List of environment variables assumed to be constant throughout
web sessions with the same ID, if they exist.
These env vars are cross-checked each time a web session is
restored to reduce the risk of session-hijacking.
Note: REMOTE_ADDR and REMOTE_HOST might not be constant if the client
access comes through a network of web proxy siblings.
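The cross-check described above, as an added example that is not web2ldap's own code. The in-memory session store, the function names and the sample environments are assumptions made for this illustration; the listed variables are standard CGI environment variables.

```python
import secrets

# Assumed sample setting for this example.
session_checkvars = ['REMOTE_ADDR', 'REMOTE_HOST', 'HTTP_USER_AGENT']

# Constructed CGI environments (documentation address ranges).
LOGIN_ENV = {'REMOTE_ADDR': '192.0.2.10', 'HTTP_USER_AGENT': 'ExampleBrowser/1.0'}
OTHER_ENV = {'REMOTE_ADDR': '198.51.100.7', 'HTTP_USER_AGENT': 'ExampleBrowser/1.0'}

class SessionMismatch(Exception):
    """A known session ID was presented from a changed environment."""

_sessions = {}   # session ID -> (check-variable snapshot, session data)

def _snapshot(env):
    # Only variables the web server actually set are recorded ("if existent").
    return {k: env[k] for k in session_checkvars if k in env}

def new_session(env, data):
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = (_snapshot(env), data)
    return sid

def changed_vars(sid, env):
    """Names of check variables whose value or presence differs from login."""
    stored, _ = _sessions[sid]
    now = _snapshot(env)
    return sorted(k for k in stored.keys() | now.keys()
                  if stored.get(k) != now.get(k))

def restore_session(sid, env):
    """Return the session data, or refuse if any check variable changed."""
    diff = changed_vars(sid, env)
    if diff:
        raise SessionMismatch(', '.join(diff))
    return _sessions[sid][1]
```

The names carried by SessionMismatch are useful in logs: a burst of REMOTE_ADDR mismatches from one client network points at the proxy-sibling case from the note rather than at a stolen session ID.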
- sec_expire
-
You can set sec_expire to define the amount of
time (in seconds) the data is valid in the browser
(HTTP header Expires: is set).
Note: If you're doing modifications you might get
a very nasty behaviour if the pages are cached by your browser.
Example:
sec_expire = 600
- sec_reqlevel_default
-
You can specify the required security level for each host and each command.
This default is chosen if there's no definition for a specific
host and command.
Set this to 2 if you are using an SSL web server with client certificates.
Set to 1 if you use SSL connections.
Set to 0 if all LDAP data you are handling through this gateway is public.
Example:
sec_reqlevel_default = 2
- sec_sslacceptedciphers
-
Specifies a list of strings with the acceptable symmetric key ciphers to
reach at least security level 1.
See also
http://www.apache-ssl.org/docs.html and the ApacheSSL
run-time directives SSLBanCipher, SSLRequireCipher, SSLRequiredCiphers
or similar options in your SSL capable web server.
Example (accepts only strong ciphers):
sec_sslacceptedciphers = [
'IDEA-CBC-SHA','RC4-MD5','RC4-SHA','IDEA-CBC-MD5',
'DES-CBC3-SHA','DH-DSS-DES-CBC3-SHA','DH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA','EDH-RSA-DES-CBC3-SHA','ADH-RC4-MD5',
'ADH-DES-CBC3-SHA','FZA-RC4-SHA','RC2-CBC-MD5','DES-CBC3-MD5'
]
- print_rawutf8
-
Integer which defines if UTF-8 is used as character set.
- 0
- ISO-8859-1 is used in any case.
- 1
-
If the browser sends utf-8 in the Accept-Charset header and the web server
sets the HTTP_ACCEPT_CHARSET environment variable, the character set used is
negotiated. UTF-8 is preferred.
- 2
- UTF-8 is always used no matter what the browser sends.
Page last modified: Thursday, 27-Dec-2001 13:37:52 CET,
© by
Michael Ströder <michael@stroeder.com>