When the user clicks the Connect item on the File Menu or the Connect button (if the Button bar is enabled) the following window is displayed:
Four connection options are available. The first method involves selecting the Quick Connect tab, entering the minimum necessary information and clicking the Connect button.
The second method is to create a Connection Profile. This process is described in detail below.
Once one or more connection profiles have been established, the third method involves selecting the relevant Connection Profile from the list displayed and clicking the Connect button.
Note: When LDAPviewer is loaded for the first time the Profile list will be empty. Only the New button will be enabled since this is the only permissible operation involving Profiles at this stage. (Quick Connect is always available.)
Once one or more connection profiles have been established, the fourth method involves selecting the Connect Profile name from the Recent menu (File Menu).
A Connection Profile allows the user to capture and save information about a specific LDAP/DSML connection. A significant number of Options are available to control the Connection and modify the display characteristics. Most options default to expected operational values and hence can be ignored but are available to allow customization of the Profile.
A Profile may be created by clicking the New button. Alternatively, if a Profile exists which has at least some of the characteristics of the required new profile, then selecting that Profile and clicking the Copy button will create a profile with the original profile name, appended with -copy (the original Profile is unchanged). Selecting this new profile and Edit will allow the name and other details to be edited; the Rename button will only allow the profile name to be changed.
Profile Names may be 5 to 50 characters long and may not contain spaces, dots or commas.
When the New button is clicked the following window is displayed with 4 tabs. The Profile Name tab displays the Profile and allows it to be changed if required. The Connection Details tab allows entry and selection of various features defining the LDAP server, authentication method and protocol details. The Options tab allows selection of various options that control the behavior of LDAPviewer such as how it will handle Referrals and whether passwords can be saved with the profile. The More DITs tab allows the user to optionally provide concurrent access to the rootDSE and a Secondary DIT on the server such as OpenLDAP's OLC (cn=config):
The Edit Window opens on the Profile Name tab which contains a default name which suggests that it be changed. In fact it is more than a suggestion, if the Save button is clicked without changing this name the user is gently reminded of the fact and invited to exhibit all their creativity by selecting any other name. Recall that names may be 5 - 50 characters long and cannot contain spaces, dots or commas.
When the new name has been entered select the Connection Details tab to display the next window:
You need only enter as much information as required to initiate the connection. A connection may be, depending on its complexity, accomplished using a small subset of the total information. This Window is organized into two sections: LDAP Details, which describes the physical connection, and Security Details, which allows selection of the security type and capture of any required credentials. The purpose and usage of each field is described below (left to right, top to bottom).
If authentication is required to access RootDSE (required by some servers) then the details should be entered in the Security Details section.
If authentication is required for access to any discovered DIT then, instead, enter these details in the Security Section and select (check) Display RootDSE on the Options tab, and enter the appropriate security credentials in the RootDSE Security section of the More DITs tab.
If more than a single DIT is discovered and more than one DIT requires authentication then the only solution is to use a separate Connection Profile for each DIT.
When Discover DITs: is checked the value of Base DN is ignored and may be left empty.
Assuming anonymous read access to the RootDSE and the DIT(s), simply enter the Host:, click Discover DITs: followed by the Connect button.
DSMLv2 service is typically provided at a URL which consists of the Host: and suffix of the form dsml/service/at/url. Enter the full suffix in this field. LDAPviewer will open the DSMLv2 service at the URL http://hostname:port/dsml/service/at/url.
Anonymous: No credentials are required (default option - though this may be changed using Preferences: User Access). The fields User DN: and Password: will be disabled since they are not required.
User+Password: Credentials are required. The fields User DN: and Password: are enabled and need to be completed with the appropriate information.
Note: If this option is selected when using Protocol:LDAPv3 credentials are always sent in clear text. If a remote LDAP server is in use then these credentials may be sniffed/intercepted at any point in the network (localhost messages never appear on the network). However, if this option is selected when using Protocol:LDAPSv3 the entire session, including authentication is encrypted and passwords cannot be sniffed or intercepted.
TLS+Anonymous: Credentials are not required. The fields User DN: and Password: are disabled.
By default the connection will be verified using the TLS/SSL Root and Trusted certificates available in Java (JSSE) and appropriate error messages output if errors are detected. (The certificates available to the standard Java environment may be displayed using View All Certificates on the Certificate Menu.) Additional Root and Trusted certificates may be configured in LDAPviewer (including self-signed certificates) in which case full verification of any server certificate signed by that/those CA(s) will be provided.
The method of TLS/SSL (X.509) certificate validation is controlled by the TLS option which is only visible when either LDAPSv3 is selected in Protocol or a TLS option is selected in the Access Type field.
TLS+Client+Anonymous: Credentials are not required. The fields User DN: and Password: are disabled.
All server authentication processing when using this option is identical to TLS+Anonymous above.
This option will send a client (X.509) certificate in a process that is sometimes referred to as Mutual Authentication. This option is only effective when a Client Keystore has been configured. (If a Client Keystore is not configured when a connection is made using a Profile containing this option then TLS+Anonymous will be assumed, that is, no Client certificate will be sent.) The LDAP server must have been configured to support this service which includes making available one or more Trusted or Root/Intermediate certificates to enable the transmitted client certificate to be validated by the LDAP server.
TLS+User+Password: Credentials are required. The fields User DN: and Password: are enabled and need to be completed with the appropriate information. With this option the TLS service is established before credentials are sent and hence credentials cannot be sniffed on the network.
By default the connection will be verified using the TLS/SSL Root and Trusted certificates available in Java (JSSE) and appropriate error messages output if errors are detected. (The certificates available to the standard Java environment may be displayed using View All Certificates on the Certificate Menu.) Additional Root and Trusted certificates may be configured in LDAPviewer (including self-signed certificates) in which case full verification of any server certificate signed by that/those CA(s) will be provided.
The method of TLS/SSL (X.509) certificate validation is controlled by the TLS option which is only visible when either LDAPSv3 is selected in Protocol or a TLS option is selected in the Access Type field.
TLS+Client+User+Password: Credentials are required. The fields User DN: and Password: are enabled and need to be completed with the appropriate information. With this option the TLS service is established before credentials are sent and hence credentials cannot be sniffed on the network.
All server authentication processing when using this option is identical to TLS+User+Password above.
This option will send a client (X.509) certificate in a process that is sometimes referred to as Mutual Authentication. This option is only effective when a Client Keystore has been configured. (If a Client Keystore is not configured when a connection is made using a Profile containing this option then TLS+User+Password will be assumed, that is, no Client certificate will be sent.) The LDAP server must have been configured to support this service which includes making available one or more Trusted or Root/Intermediate certificates to enable the transmitted client certificate to be validated by the LDAP server.
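The Note above on User+Password explains why a simple bind over plain LDAPv3 is a problem: the bind DN and password travel in clear text inside the BindRequest PDU, so any observer on the path can read them, whereas with LDAPSv3 or any of the TLS Access Types the whole exchange is encrypted first. The following added example (not LDAPviewer code, and constructed for this page) encodes a simple BindRequest exactly as it appears on the wire (RFC 4511, BER) and then parses it back the way a passive network monitor would, reporting the DN and whether a non-empty password was present. It is the kind of check a detection engineer would run over port 389 traffic to find clients that should be using TLS. The helper names and the sample DN are assumptions; message IDs below 128 are assumed for brevity.

```python
# Minimal BER encoder/decoder for the LDAPv3 BindRequest (RFC 4511).
# Added, constructed example: shows what a passive observer sees when a
# simple bind is sent without TLS. Not LDAPviewer's own code.

def _ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    """Wrap payload in a BER TLV with the given single-byte tag."""
    return bytes([tag]) + _ber_length(len(payload)) + payload

def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(message_id, bind_dn, password):
    """Construct an LDAPMessage carrying a simple BindRequest (sample input).
    Assumption: message_id < 128 so it fits one INTEGER byte."""
    bind_request = ber(
        0x60,                                    # BindRequest [APPLICATION 0]
        ber(0x02, bytes([3]))                    # version INTEGER 3
        + ber(0x04, bind_dn.encode())            # name OCTET STRING (bind DN)
        + ber(0x80, password.encode()),          # authentication simple [0]
    )
    return ber(0x30, ber(0x02, bytes([message_id])) + bind_request)

def inspect_cleartext_bind(message):
    """Return what a passive observer can read from a simple bind, or None if
    the PDU is not a simple BindRequest. The password bytes are on the wire
    in the clear; this monitor reports only their presence and length."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != 0x30:                            # not an LDAPMessage SEQUENCE
        return None
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:                            # messageID must be INTEGER
        return None
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                            # e.g. 0x63 is a SearchRequest
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:                            # SASL bind [3]; not handled here
        return None
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode(),
        "password_exposed": len(auth) > 0,     # anonymous bind has empty password
        "password_length": len(auth),
    }

if __name__ == "__main__":
    # Constructed sample: a bind as a client would send it over plain LDAPv3.
    pdu = build_simple_bind(1, "cn=admin,dc=example,dc=com", "constructed-pw")
    print(pdu.hex())
    print(inspect_cleartext_bind(pdu))
```

Run over a capture of port 389 traffic, a non-None result with `password_exposed` set is the signal that a client is authenticating without TLS; the same PDU sent under LDAPSv3 or a TLS+ Access Type is not parseable by an observer at all.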
Read Only: LDAPviewer provides the ability to lock the server access interface into a 'read-only' mode to prevent accidental modification of the DIT. This is in addition to (and does not replace) any permissions applied by the server. Checking the box will invoke the LDAP server access interface read-only mode and disallow all modification operations. Leaving the box unchecked means that modification permissions are determined entirely by the LDAP/DSML server.
Note: The User DN: and Password: fields are enabled only if required. This is determined by the user's selection of Access Type and Save in Profile.
TLS: The TLS entry is only visible if either the Protocol: is LDAPSv3 or any Access Type using TLS is selected; at all other times it is irrelevant and therefore not displayed.
Selecting the Check button indicates that any certificate received from the LDAP Host will be verified using the standard Java Trusted KeyStore. (The contents of the Java Trusted Keystore may be inspected by using the View All Certs item from the Certificates menu.) If the root and any intermediate certificates associated with the LDAP Server's certificate are not present in the standard Java Trusted KeyStore then the connection will fail with an appropriate message. (Certificates may be imported into the standard Java Trusted KeyStore using the Import Cert button of the View or Import Certificate item of the Certificates menu.)
Selecting the Any button indicates that LDAPviewer will accept any certificate from the LDAP Server. No attempt will be made to authenticate or validate the received certificate. The session will be secured using the public key contained in the supplied certificate. This mode may be useful where the server is using non-standard certificates (such as self-signed certificates) or where the standard Java Trusted Certificate KeyStore does not contain the relevant root and/or intermediate certificates. Caution: Using this mode where the LDAP Server is unknown may lead to security breaches and is not recommended.
Selecting the User button indicates that the LDAP Server's certificate will be displayed to the user, where any of its attributes may be inspected, and the session will proceed only if accepted by the user; if rejected, the connection will be terminated. (Example of Certificate Acceptance Window.)
Selecting the KS button indicates that verification of the LDAP Server's certificate will use only the user's configured Trusted KeyStore. (Configuration of the Trusted KeyStore uses the Manage User's Trusted Keystore item of the Certificates menu.)
The default value is Check but this may be modified using the Preferences item on the Options menu.
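To make the difference between the four TLS settings concrete, here is an added example (not LDAPviewer's code, which is Java/JSSE) expressing each mode as a Python `ssl` client context. The mapping is an assumption about how an equivalent client would realise each setting: Check uses the platform's default root store (the analogue of the standard Java Trusted KeyStore), KS loads only the user's own trusted-certificate file, and Any and User both disable chain validation, with User adding a manual acceptance step on the presented certificate. `make_tls_context`, `server_identity_verified`, `verify_mode_name` and `user_mode_decision` are names chosen for this example.

```python
import hashlib
import ssl

# Added example: the TLS option's four modes as ssl.SSLContext settings.
# Assumption: this is how an equivalent Python client would realise them;
# it is not LDAPviewer's implementation.

def make_tls_context(mode, user_ca_file=None):
    """Return a client SSLContext for LDAPS/StartTLS in the given mode."""
    if mode == "Check":
        # Verify the server chain against the platform's default trusted
        # roots and check the hostname: full server authentication.
        return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if mode == "KS":
        # Verify ONLY against the user's own trusted-certificate file;
        # platform roots are deliberately not loaded.
        if not user_ca_file:
            raise ValueError("KS mode requires a trusted-certificate file")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_verify_locations(cafile=user_ca_file)  # raises if missing
        return ctx
    if mode in ("Any", "User"):
        # No chain validation: the session is still encrypted with whatever
        # key the peer presents, but the peer's identity is not established.
        # check_hostname must be cleared before verify_mode is lowered.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown TLS mode {mode!r}")

def server_identity_verified(ctx):
    """True when the context authenticates the server, not merely encrypts."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def verify_mode_name(ctx):
    """Human-readable verify mode, e.g. 'CERT_NONE' or 'CERT_REQUIRED'."""
    return ssl.VerifyMode(ctx.verify_mode).name

def user_mode_decision(der_certificate, accept):
    """User mode: after the handshake (sock.getpeercert(binary_form=True)),
    present a SHA-256 fingerprint of the certificate and let the user decide.
    A False result means the connection must be closed, not continued."""
    fingerprint = hashlib.sha256(der_certificate).hexdigest()
    return bool(accept(fingerprint))

if __name__ == "__main__":
    for mode in ("Check", "Any", "User"):
        ctx = make_tls_context(mode)
        print(f"{mode}: verify={verify_mode_name(ctx)} "
              f"server_authenticated={server_identity_verified(ctx)}")
    # Constructed bytes stand in for a DER certificate; the user rejects it.
    print(user_mode_decision(b"constructed-not-a-real-certificate",
                             lambda fp: False))
```

The point the Caution in the Any description makes is visible in the code: Any and User produce a context with `CERT_NONE`, which encrypts the session but cannot tell a genuine server from one interposed on the path; only Check and KS end in `server_identity_verified` returning True.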
In many cases the information entered in the Connection Details Window is sufficient. Clicking Save, selecting the newly created Profile and clicking Connect will initiate the connection. Further options are available to customize LDAPviewer behavior and selecting the Options tab will display the following window:
The Options Tab controls a number of features that affect the behavior of the LDAP/DSML connection. Each field is described (Left to Right, Top to Bottom).
Passwords: This option determines how LDAPviewer handles passwords. If Save in Profile is unchecked (the default - this can be changed in Preferences (Options Menu)) passwords will not be saved in the Profile and all Password fields in the Connection Windows will be disabled. Whenever the user invokes a connection they will be prompted for all necessary passwords which will be discarded on Disconnect (File Menu) or when a new connection is made.
If Save in Profile is checked all Password fields will be enabled and the passwords will be saved in the Connection Profile file in base64 format. Warning: Base64 is not an encryption method and any password saved in this format can be trivially converted to clear text. It is intended to provide what is frequently called over-the-shoulder security, that is, a casual observer will never see a clear text password. However, if there is any requirement for more than casual observer protection the password(s) should not be saved in the Connection Profile (uncheck Save in Profile).
If the user initially opted to save passwords (Save in Profile was checked) and subsequently decides not to do so (Save in Profile is unchecked) then all previously saved passwords will be deleted from the Profile.
If the user opts to save passwords (Save in Profile is checked) but does not enter a password then, when the profile is saved, they will be prompted to enter a valid (non-blank) password.
Attribute Types: Defines the attributes to be returned on all read Entry operations and may be used to define a unique attribute set for the profile.
Note: Attributes are generically classified as user (they contain user data and depending on ACL permissions are typically editable) or operational (they contain data created and used by the LDAP server and are never editable by the user).
By default the drop-down menu provides three options:
If the user has defined one or more Return Attributes Named Lists (using the Search menu) then these are also displayed in the drop-down menu and may be selected. If the Return Attribute Named List is modified the changes will be reflected on the next connection which uses the named list.
Note: The HTML Editor uses the user attribute objectClass to select appropriate templates. If only Operational attributes are selected or the attribute objectClass is not included in the returned attributes then the default HTML template will be used to display the entry.
If either of the above options is checked then the More DITs tab should be selected to display the following window:
Note: This tab is only relevant if either Show RootDSE or Show Secondary has been checked. This example window reflects Show Secondary checked, Show RootDSE unchecked, and Save in Profile unchecked. Depending on the user selected options more or less fields may be enabled.
The fields are described in detail (left to right, top to bottom):
When the Save button is clicked the Connection Profile is saved in the user's application directory. (For the location of Profiles.) The files are in host OS text format.
Clicking the Cancel button will dismiss the current window with no action taken.
Clicking the Edit button will open the selected Connection Profile at the Connect Details tab to allow editing of the various connection details. However, as part of the editing sequence the user may select the Profile Name tab and change the Connection Profile name. When the Save button is clicked the old profile is deleted and the Connection Profile is saved under the new name. If the new name clashes with an existing Connection Profile name then, when the Save button is clicked, the user will be prompted to create a unique name for this profile.
When the Copy button is clicked the currently selected Connection Profile is copied (the existing Connection Profile is unchanged) and a new Connection Profile created using the name of the selected Connection Profile with -copy appended. Thus, if a Connection Profile with the name my-connection was selected then after the copy operation a new profile with the name my-connection-copy will be created and saved.
When the Delete button is clicked the currently selected Connection Profile will be deleted. The user will be prompted to confirm this operation and may choose to delete the profile or to cancel the operation.
When the Rename button is clicked the Connection Profile will be opened at the Profile Name tab. As well as changing the name of the Connection Profile any other edits may be made at the same time using any of the other tabs. On clicking the Save button the profile will be saved under the new Connection Profile name (any name clash will cause a user prompt) and the old Connection Profile will be deleted.
When the Connect button is clicked an LDAP/DSML connection will be initiated depending on the context. If the Quick Connect tab has been selected then these connection details will be used (the Connect window will disappear). If the Profiles tab has been selected then the currently selected Connection Profile will be used to initiate the connection (the Connect window will disappear). If no profile has been selected the Connect operation will be silently ignored and the Connect window will remain open.
© LV Project 2016. Creative Commons Attribution 4.0 International License.