LDAPviewer

LDAPviewer (LV) Project

LDAPviewer is a Java based browser, editor and DIT manipulation utility for LDAP and DSML enabled Servers. It is based on a fork of JXPlorer (substantially refactored) and will be Open Sourced (subject to conditions defined by its License) on a public repository prior to full release.

LDAPviewer Goals and Objectives

LDAP is not an easy system to work with. Knowledge thresholds tend to be very high even for casual usage such as simple data viewing, editing or browsing. The DN display format tends to look ugly or complex, and even the casual user can quickly be exposed to huge numeric strings (OIDs) that make even IPv6 addresses look quaintly simple. In many respects this has limited the widespread use of LDAP outside a relatively narrow field of implementation, such as single sign-on and authentication, where its relative complexity, and ugliness, is offset by the reward of increased security management and where few casual users dare to tread.

This is unfortunate since LDAP has huge potential outside of these narrow fields of implementation.

Acquisition of LDAP knowledge can be a difficult journey, with vast amounts of complex technical information being thrown indiscriminately at, and consequently tending to overwhelm, the new user.

Starting Point

The LDAPviewer (LV) Project was started with the following user-specific sets of objectives:

End User - Casual User Objectives.

The LDAP interface that is conventionally presented to the end user tends to look complex (or ugly, as you prefer) or, at a minimum, daunting to all but hardened professionals. In many cases this has tended to limit the implementation of LDAP, even in such historically slam-dunk applications as white page extensions, to basic authentication.

  1. Provide a high quality LDAP/DSML Viewer or Browser with an easy to use (intuitive) interface that hides as much LDAP detail as practical.

  2. Provide data display and editing options tailored to the end user using a familiar HTML-form style interface (other formats are available for the more experienced user). HTML forms can substitute sensible terminology (why should the user enter data in a field labelled sn if Family Name or Surname is more commonly understood in a local context), add explanatory text in situ, limit displayed attributes, provide visual clues (color and images) and a host of other features. While LDAPviewer provides a number of forms for common objectClasses, these would typically be used as a basis for customization by site administrators for distribution to particular classes of end users.

  3. Provide Connection Profiles as a means of storing connection information for reuse. Connection Profiles, as well as containing connection information, can also be used to tailor or limit access to specific features or data sets. LDAP access becomes point and click on named Connection Profile(s).

  4. Allow site administrators to create Connection Profiles that can be locally distributed with LDAPviewer, requiring the casual, or task-specific, user to simply select a site-specific named Connection Profile(s) and (optionally) enter any required credentials. Note: The Connection Profile includes the base DN, so that tailored views (virtual DITs) with minimal access permissions can be provided for selected user groups or individual users. LDAPviewer cannot, and therefore will not, attempt to access below the base DN.

  5. Provide a rich set of HTML template features (using standard HTML with LDAPviewer-specific extensions) that allow administrators to build and distribute HTML forms tailored to end user access.

  6. Return attribute sets and searches can be saved as named items and distributed locally with LDAPviewer.

  7. Plug-in architecture. LDAPviewer is designed to host locally developed (or site specific) plug-ins that can further simplify end user access.

Learning Tool Objectives

LDAP has a high knowledge threshold. This both acts as a barrier to more widespread usage and increases the investment required for implementation due to extended learning lead times. LDAPviewer attempts to reduce this unedifying rite of passage to a minimum.

  1. Drill down features (mostly invoked by right clicking) to allow display of ASN.1 definitions and other information about selected LDAP objects.

  2. The LDAP schema can be explored like a conventional DIT.

  3. A standard Help feature which provides both LDAPviewer functional information and basic LDAP information. A Help Info feature allows custom access to technical or extended documentation. Learning while using and exploring is the target philosophy.

  4. Searches can be written manually or using a Search Constructor, which can significantly simplify construction of compound searches. Search results are displayed in a separate Tree structure, thus allowing creation of Virtual DITs which can be navigated, edited and manipulated. LDIF export may be used to save (any RDN can be modified during LDIF export) and load virtual DITs to create standalone DITs.

  5. Connection Profiles may be configured to display concurrent access to 1 to 5 DITs (Primary, Search, Schema, rootDSE and Secondary). The Secondary DIT can be configured for the same DIT using different access permissions, or for another DIT on the same server, including the configuration and monitoring services offered by a number of LDAP servers.

LDAP Administrators and Developer Objectives

Administrators or LDAP developers have typically undergone the painful LDAP learning phase and have accumulated knowledge of various tools (GUI and command line) that let them do their job effectively. The critical factor here is how efficient such tools are.

  1. LDAP object syntax and current support state may be viewed by name, by OID or by right-clicking in an editor. LDAPviewer maintains a cumulative set of objects based on all connected servers.

  2. Connection Profiles may be optionally configured to display concurrent access to the RootDSE including any necessary credential information.

  3. Editing changes may be actioned immediately or saved as a modify LDIF for archival or subsequent application to, for example, a live server.

  4. Searches may be entered manually or by using a Search Constructor. Compound searches may be constructed using a unique tabular format from individual expressions and/or by combining existing searches, and saved as named entities for subsequent reuse.

  5. Search results are displayed in a separate Search DIT (a virtual DIT) and navigated independently. Return attribute lists, alias dereferencing and referral handling can be uniquely configured. LDIF operations in the Search DIT use the properties defined for the search.

  6. LDIF export operations allow the DN to be modified during export.

  7. Entries and branches may be cut, copied or pasted at will.

  8. Connection Profiles may be optionally configured to display concurrent access to a Secondary DIT supporting configuration or monitoring features (such as those of OpenLDAP, ApacheDS and others). The DN to access these features, together with any necessary credential information, is captured in the Connection Profile and provides maximum flexibility for a wide range of LDAP servers.

  9. The Secondary DIT feature may also be used to support any other service on the same host as the Primary DIT, for example concurrent access to a second DIT, another DIT view based on a different base DN, or the same DIT using different credential information to test ACL/ACI/ACP sets.

  10. Multiple windows may be opened to provide concurrent access to multiple servers.

  11. Schema and Schemax (schema extension) files may be used to supply extended site-specific information on the use or limitations of any particular attribute or objectClass, and in particular on local custom objects.

  12. Standard help files use HTML format and may be edited locally with site-specific content. An administrator's HTML Help kit provides the help files (using Apache SSI includes and an expansion utility) to allow easy replacement of styling and textual content for site-specific use.

  13. Security files of type .pem, .der, .crt, .pfx, .pb7, .p12 and others may be analyzed in text, binary and ASN.1 format.

  14. LDAP, LDAPS (TLS/SSL) and StartTLS options may be configured.

  15. TLS certificates may optionally be validated using the normal Java trusted keystore, a user-defined keystore, or manually, or certificate validation may be bypassed entirely. These options allow diagnosis of TLS/certificate problems or use of non-standard certificates during testing, or even in live operation if appropriate.

© LV Project 2016. Creative Commons Attribution 4.0 International License.