web2ldap - the configuration file web2ldapcnf.py
This document describes the Python module web2ldapcnf.py which
resides in the CGI-BIN directory where web2ldap.py itself is located
and sets configuration options for various aspects.
Note:
The configuration itself is a Python module and therefore
you have to provide a syntactically correct module and correct
configuration parameters. You can mess up web2ldap completely
by writing sh** into this module.
Please refer to the Python docs on details about the Python syntax itself.
Global parameters
This section describes the parameters which influence the
basic behaviour of web2ldap.
Basic options
- pylibdirs
A list of strings with the full pathnames of directories
containing the required Python modules.
Example:
pylibdirs = ['/usr/local/web2ldap/pylib','/usr/local/python/ldapmodule']
- ldap_host_list
List of LDAP hosts which will appear in the
default select list of the login form.
A list containing only one host results in a normal
input field with the host set as default.
Example:
ldap_host_list = [
'nldap.com',
'ldap.surfnet.nl'
]
- print_rawutf8
If enabled, UTF-8 data is printed as is and the charset in the HTTP header is set to utf-8.
This speeds up displaying dramatically! For setting 1 the browser has to send the
required HTTP header (Accept-Charset) and your web server has to pass it on in the
HTTP_ACCEPT_CHARSET environment variable.
0 = Never
1 = Only if the browser sends utf-8 in the HTTP Accept-Charset header and the web server sets the HTTP_ACCEPT_CHARSET environment variable
2 = Always
Example:
print_rawutf8=1
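The three settings above amount to a small decision rule. The following is an added example (not web2ldap's own code) that applies it to a CGI environment: setting 1 only succeeds when the browser's Accept-Charset header, as passed on by the web server in HTTP_ACCEPT_CHARSET, actually lists utf-8 with a non-zero quality value. The header parsing and the function names are assumptions of this example.

```python
import os

# Added example: apply the print_rawutf8 policy (0 never, 1 only if the
# browser announced utf-8 via HTTP_ACCEPT_CHARSET, 2 always) to a CGI
# environment. Not web2ldap's own code; names are assumptions.


def accepts_utf8(accept_charset):
    """Return True if an HTTP Accept-Charset header value lists utf-8
    (or the wildcard '*') with a non-zero quality value."""
    if not accept_charset:
        return False
    for item in accept_charset.split(','):
        parts = [p.strip() for p in item.split(';')]
        charset = parts[0].lower()
        quality = 1.0  # default q-value per HTTP content negotiation
        for param in parts[1:]:
            if param.lower().startswith('q='):
                try:
                    quality = float(param[2:])
                except ValueError:
                    quality = 0.0
        if charset in ('utf-8', 'utf8', '*') and quality > 0:
            return True
    return False


def use_raw_utf8(print_rawutf8, environ=None):
    """Decide whether output may be sent as raw UTF-8 for this request."""
    if environ is None:
        environ = os.environ
    if print_rawutf8 == 0:
        return False
    if print_rawutf8 == 2:
        return True
    if print_rawutf8 == 1:
        # The web server must have exported the browser's Accept-Charset
        # header as HTTP_ACCEPT_CHARSET; if it did not, fall back to safe mode.
        return accepts_utf8(environ.get('HTTP_ACCEPT_CHARSET'))
    raise ValueError('print_rawutf8 must be 0, 1 or 2, got %r' % (print_rawutf8,))


if __name__ == '__main__':
    # Constructed sample environment for a browser that accepts utf-8.
    sample_environ = {'HTTP_ACCEPT_CHARSET': 'iso-8859-1,utf-8;q=0.7,*;q=0.7'}
    print(use_raw_utf8(1, sample_environ))
```

Note the fallback: with setting 1 and no HTTP_ACCEPT_CHARSET variable present, the function returns False, which is the conservative choice when the web server has not been configured to export the header.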
- search_attrsonly
There are some situations where web2ldap just wants to get the
attribute names of an entry and not the attribute values themselves, to save bandwidth.
However some LDAP hosts (e.g. Notes Domino 4.61) have problems with
such an attributes-only request: they won't return any matches for a search.
If you experience this problem (no matching entry), set this to 0.
Example:
search_attrsonly=1
- search_attr
Dictionary mapping human-readable names to LDAP attribute types.
This affects the attribute select list in the search form and
the way attribute names are displayed.
Example:
search_attr = {
'Common Name':'cn',
'E-Mail':'mail',
'User ID':'uid'
}
- max_searchparams
Maximum number of search parameters in the search form.
Example:
max_searchparams=9
- vcard_property
This sets the mapping of LDAP attributes to vCard properties.
See
http://developer.netscape.com:80/docs/manuals/dsgw_html/dsgwparm.htm
for a more detailed description of the vCard properties.
Example:
vcard_property = {
'fn':('cis',['cn']),
'n':('cis',['sn','givenname']),
'tel;pager':('cis',['mobile']),
'tel;cell':('cis',['mobile']),
'tel;fax':('cis',['facsimiletelephonenumber']),
'tel;home':('cis',['homephone']),
'tel;work':('cis',['telephonenumber']),
'url':('cis',['labeleduri']),
'org':('cis',['o','ou']),
'email;internet':('cis',['mail']),
'title':('cis',['title']),
'role':('cis',['role']),
'adr':('mls',['streetaddress','l','postalcode']),
'note':('mls',['description'])
}
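To show how such a mapping is consumed, here is an added example (not web2ldap's own code) that renders an LDAP entry as vCard text from a vcard_property dictionary of the shape documented above. How the type tags are interpreted is an assumption of this example: 'cis' values are emitted on one line, 'mls' values are multi-line text whose line breaks are escaped as '\n' in the vCard. The entry used as input is constructed.

```python
# Added example: render an LDAP entry as a vCard using a vcard_property
# mapping. Not web2ldap's own code; the 'cis'/'mls' handling is an assumption.

# Subset of the documented mapping, used as the default here.
vcard_property = {
    'fn': ('cis', ['cn']),
    'n': ('cis', ['sn', 'givenname']),
    'tel;work': ('cis', ['telephonenumber']),
    'email;internet': ('cis', ['mail']),
    'adr': ('mls', ['streetaddress', 'l', 'postalcode']),
    'note': ('mls', ['description']),
}


def _escape(value, multiline):
    """Escape characters that are structural in vCard property values."""
    value = value.replace('\\', '\\\\').replace(';', '\\;').replace(',', '\\,')
    if multiline:
        # 'mls' (assumed: multi-line string): keep line breaks as literal \n
        value = value.replace('\r\n', '\n').replace('\n', '\\n')
    else:
        # 'cis' (assumed: single-line string): fold any line breaks away
        value = ' '.join(value.splitlines())
    return value


def entry_to_vcard(entry, mapping=vcard_property):
    """entry: dict of lower-cased LDAP attribute type -> list of string values.

    Properties whose LDAP attributes are all absent are omitted; a property
    with several attributes joins them with ';' as vCard components."""
    lines = ['BEGIN:VCARD', 'VERSION:2.1']
    for prop, (typ, attrs) in mapping.items():
        components = []
        present = False
        for attr in attrs:
            values = entry.get(attr.lower(), [])
            if values:
                present = True
                components.append(_escape(values[0], typ == 'mls'))
            else:
                components.append('')
        if present:
            lines.append('%s:%s' % (prop.upper(), ';'.join(components)))
    lines.append('END:VCARD')
    return '\r\n'.join(lines) + '\r\n'


if __name__ == '__main__':
    # Constructed sample entry.
    sample_entry = {
        'cn': ['Jane Doe'],
        'sn': ['Doe'],
        'givenname': ['Jane'],
        'mail': ['jane@example.com'],
        'description': ['Line one\nLine two; more'],
    }
    print(entry_to_vcard(sample_entry))
```

Only the first value of a multi-valued attribute is used; a real exporter would have to decide whether to emit repeated properties instead.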
- ldap_binaryattr
This Python dictionary maps binary attribute types to a
display name and a MIME type.
Example:
ldap_binaryattr = {
'certificate;binary':('Client certificate','application/x-x509-email-cert'),
'jpegphoto':('Photograph','image/jpeg'),
}
- ldap_browsermimetypes
Some browsers are more equal than others ;-) and therefore need
an extra mapping of MIME types.
Example:
ldap_browsermimetypes = {
'certificaterevocationlist;binary': {
'MSIE':'application/pkix-crl'
}
}
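The two dictionaries work together: ldap_binaryattr supplies the display name and default MIME type, and ldap_browsermimetypes overrides the MIME type for particular browsers. The following added example (not web2ldap's own code) resolves both for an attribute type and a User-Agent string. Matching the browser by substring of the User-Agent header, and the extra CRL entry in ldap_binaryattr, are assumptions constructed for this example.

```python
# Added example: resolve display name and MIME type for a binary attribute,
# applying a per-browser override. Not web2ldap's own code.

ldap_binaryattr = {
    'certificate;binary': ('Client certificate', 'application/x-x509-email-cert'),
    'jpegphoto': ('Photograph', 'image/jpeg'),
    # constructed entry so the browser override below has something to replace
    'certificaterevocationlist;binary': ('Certificate revocation list', 'application/x-pkcs7-crl'),
}

ldap_browsermimetypes = {
    'certificaterevocationlist;binary': {
        'MSIE': 'application/pkix-crl',
    },
}

DEFAULT_MIMETYPE = 'application/octet-stream'


def binary_attr_info(attrtype, user_agent='',
                     binaryattr=ldap_binaryattr,
                     browsermimetypes=ldap_browsermimetypes):
    """Return (display name, MIME type) for an attribute type.

    Attribute types are matched case-insensitively. Unknown types fall back
    to the raw type name and application/octet-stream, which makes a browser
    download the value rather than try to render it."""
    key = attrtype.lower()
    desc, mimetype = binaryattr.get(key, (attrtype, DEFAULT_MIMETYPE))
    # Assumption: a browser name is recognised by substring in User-Agent.
    for browser, override in browsermimetypes.get(key, {}).items():
        if browser in user_agent:
            mimetype = override
            break
    return desc, mimetype


if __name__ == '__main__':
    # Constructed User-Agent strings.
    print(binary_attr_info('certificateRevocationList;binary',
                           'Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)'))
    print(binary_attr_info('jpegPhoto', 'Mozilla/4.7 [en] (X11; Linux)'))
```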
- html_head
Additional information in <HEAD></HEAD> section, e.g. CSS definitions
or links. Do not put <TITLE> tags in here!
Example (note the preceding r for Python raw string!):
html_head = r"""
<LINK
rel=stylesheet
type="text/css"
href="http://sites.inka.de/ms/css/web2ldap.css"
>
"""
- html_bodybegin
Rudimentary configuration for the <BODY> tag.
At least <BODY> should be written here.
Example (note the preceding r for Python raw string!):
html_bodybegin = r"""
<BODY LINK="Red" VLINK="Maroon" BGCOLOR="#fffffe">
"""
Security options
You should think about these parameters a little bit longer...
- script_method
This is the HTTP method used for submitting forms.
Use POST to avoid the security problem of usernames and passwords
ending up in URLs (and thus in web server logs).
GET is quite handy for debugging and works with CGIHTTPServer.py.
Example:
script_method = 'POST'
- sec_expire
If sec_expire is 0, 'Pragma: no-cache' is sent in the HTTP header.
However this might be quite inconvenient for the user when pressing the
browser's back button. You can set sec_expire to define the amount of
time the data is valid in the browser.
Example:
sec_expire = 600
- sec_reqlevel_default
You can specify the required security level for each host and each command.
This default is chosen if there's no definition for a specific
host and command.
Set this to 2 if you are using an SSL web server with client certificates.
Set it to 1 if you use SSL connections.
Set it to 0 if all LDAP data you are handling through this gateway is public.
Example:
sec_reqlevel_default = 2
- sec_sslacceptedciphers
Specifies a list of strings with the symmetric key ciphers that are
acceptable for reaching at least security level 1.
See also
http://www.apache-ssl.org/docs.html and the ApacheSSL
run-time directives SSLBanCipher, SSLRequireCipher, SSLRequiredCiphers
or similar options in your SSL capable web server.
Example (accepts only strong ciphers):
sec_sslacceptedciphers = [
'IDEA-CBC-SHA','RC4-MD5','RC4-SHA','IDEA-CBC-MD5',
'DES-CBC3-SHA','DH-DSS-DES-CBC3-SHA','DH-RSA-DES-CBC3-SHA',
'EDH-DSS-DES-CBC3-SHA','EDH-RSA-DES-CBC3-SHA','ADH-RC4-MD5',
'ADH-DES-CBC3-SHA','FZA-RC4-SHA','RC2-CBC-MD5','DES-CBC3-MD5'
]
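The sec_expire, sec_reqlevel_default and sec_sslacceptedciphers options above describe a policy that a CGI script has to enforce per request. The following added example (not web2ldap's own code) shows one way to do that: it derives the HTTP caching headers from sec_expire, determines the security level actually reached by a request, and compares it with the required level. It assumes sec_expire is in seconds and that the web server exports the ApacheSSL/mod_ssl environment variables HTTPS, SSL_CIPHER and SSL_CLIENT_VERIFY; the cipher list used as default is a constructed subset of the one above.

```python
import time
from email.utils import formatdate

# Added example: enforce sec_expire and the sec_reqlevel /
# sec_sslacceptedciphers policy for a CGI request. Not web2ldap's own code.

sec_expire = 600                 # assumed to be seconds
sec_reqlevel_default = 2
sec_sslacceptedciphers = [       # constructed subset of the documented list
    'DES-CBC3-SHA', 'EDH-RSA-DES-CBC3-SHA', 'RC4-SHA',
]


def cache_headers(sec_expire, now=None):
    """sec_expire == 0: forbid caching, otherwise allow it for sec_expire seconds.

    Returns a list of (header, value) tuples ready to be written out."""
    if sec_expire <= 0:
        return [('Pragma', 'no-cache'),
                ('Cache-Control', 'no-cache'),
                ('Expires', '0')]
    if now is None:
        now = time.time()
    return [('Cache-Control', 'max-age=%d' % sec_expire),
            ('Expires', formatdate(now + sec_expire, usegmt=True))]


def security_level(environ, accepted_ciphers):
    """Level reached by a request, from the web server's CGI environment.

    0: plain HTTP, or SSL with a cipher that is not in accepted_ciphers
    1: SSL with an accepted cipher
    2: additionally a successfully verified client certificate
    The variable names are those set by ApacheSSL/mod_ssl (assumption)."""
    if environ.get('HTTPS', '').lower() not in ('on', '1'):
        return 0
    if environ.get('SSL_CIPHER', '') not in accepted_ciphers:
        # Encrypted, but with a cipher we do not trust: treat as unprotected.
        return 0
    if environ.get('SSL_CLIENT_VERIFY', '') == 'SUCCESS':
        return 2
    return 1


def check_required_level(environ, required=sec_reqlevel_default,
                         accepted_ciphers=sec_sslacceptedciphers):
    """Return (allowed, actual_level) for the request."""
    actual = security_level(environ, accepted_ciphers)
    return actual >= required, actual


if __name__ == '__main__':
    # Constructed CGI environment: SSL with an accepted cipher, no client cert.
    sample_environ = {'HTTPS': 'on', 'SSL_CIPHER': 'RC4-SHA'}
    print(check_required_level(sample_environ))
    print(cache_headers(sec_expire))
```

Treating an SSL connection with an unaccepted cipher as level 0 rather than level 1 is the conservative reading of the documentation: the cipher list defines what counts as reaching level 1 at all.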
Per-host parameters
This section describes the parameters which are related to
specific LDAP hosts. The per-host configuration is a Python
dictionary with the host:port string as key.