LDAPviewer
LDAPviewer is an Open Source browser to access LDAP and DSML enabled Servers. (Information about the LV Project goals and objectives.)
LDAPviewer is written in Java and requires a minimum of Java 1.7 (JRE/JDK 7) to run. The integrated HTML Help system will be invoked if Java 1.8 or higher (JRE/JDK 8+) is detected when the application is loaded. A standalone browser will be loaded if Help is invoked (from the Help menu) on systems with a Java version prior to 1.8 (< JRE 8).
LDAPviewer Release Notes describing current functionality or restrictions.
LDAPviewer FAQs may answer some questions about LDAPviewer or may help in troubleshooting LDAP Server access issues.
LDAPviewer provides a number of basic and advanced features:
- Support of LDAPv3, LDAPSv3, LDAPv2 and DSMLv2 connections.
- LDAP server access may use one-time Quick Connect (minimal data entry) or a permanent Connection Profile.
- Connection Profiles save frequently used connection details allowing for a one-click connection:
  - Profiles control all aspects of the connection and the associated user environment.
  - Unlimited Profiles may be created.
  - Profile names allow 5 to 50 characters enabling descriptive names.
  - Recent menu (5 - 10 items) allows rapid access to commonly used Profiles.
- LDAPviewer will not attempt to read below the user defined Base DN, meaning that minimal user permissions are required to access partial DIT views.
- Discover DITs feature allows all DITs in the server to be displayed in a single tree structure (credentials may be supplied where access to rootDSE is restricted).
- Flexible definition of DSML connection paths.
- Access security type maintained in Profile.
- Passwords/Credentials may be optionally saved with the Profile (in base64 format) or entered when the Connection Profile is activated.
- The Profile stores any required TLS Certificate validation policy.
- Profiles control concurrent display of the RootDSE (including capture of any required security credentials).
- Profiles control concurrent display of a Secondary DIT such as a second DIT, the Primary DIT with different security privileges or configuration/monitoring services offered by many LDAP servers (including capture of any required security credentials).
- Profiles capture Alias Dereferencing behaviour, Referral handling, tree sort order and returned attributes.
- Menu items allow run-time modification of Alias Dereferencing, Referral handling and returned attributes.
- Security. LDAPviewer supports:
  - Anonymous (no credentials).
  - Simple authentication (user DN and password).
  - TLS/SSL with Anonymous (no credentials).
  - TLS/SSL with simple authentication (User DN and password).
  - TLS/SSL Mutual Authentication (Client and Server certificate) with Anonymous (no credentials).
  - TLS/SSL Mutual Authentication (Client and Server certificate) with simple authentication (User DN and password).
  - Kerberos/GSSAPI (SASL).
- TLS/SSL support:
  - LDAPS or StartTLS modes supported.
  - Server Certificate Validation:
    - Full validation - uses the standard Java Trusted Keystore.
    - User validation - uses a defined User's Trusted Keystore for certificate validation.
    - User inspection - manual inspection of incoming certificates, then accept or reject the connection.
    - All certificates - accept any certificate without validation.
  - All Server Certificate Validation methods may be used with or without Mutual Authentication (Client Certificate/key pairs).
- Security Controls and Accessories:
  - Creation and management of User's Trusted Keystore for certificate validation as an alternative to the Java Trusted Keystore.
  - Creation and management of Client Keystore for certificate/key pairs used in Mutual authentication.
  - Browsing of all X.509 certificates in Trusted repositories (Keystores) on the user platform.
  - Detailed inspection of any selected X.509 certificates.
  - Inspection and analysis of security files (info, text, hex and ASN.1 formats) of a range of file types such as .pem, .der, .pfx, .p12, .p7, .cer, .crt, .p8.
  - Extraction and saving of X.509 certificates from multiple sources (security file, incoming via TLS).
- DIT structures are displayed in a tree format within DIT Tabs.
- Up to 5 user selectable DIT Tabs may be simultaneously open to a single server allowing rapid switching between various views:
  - Primary DIT Tab: tree structure with click to expand (or jump to bookmark) from the user's base DN (default operation).
  - Search DIT Tab: tree structure with click to expand from the search result base (default operation).
  - Schema DIT Tab: tree structure of the server's subschema with user inspection of the attributeTypes, objectClasses, matchingRules and ldapSyntaxes collections (default on LDAPv3 and LDAPSv3 connections only).
  - rootDSE DIT Tab: display of the rootDSE entry (optional by user configuration; credentials are configurable if required for access).
  - Secondary DIT Tab: primarily designed to allow access to an On-Line Control DIT (such as OpenLDAP's cn=config service); however, due to its flexibility (a Base DN and credentials) it may also be used to access a Secondary DIT (optional by user configuration).
- Schema handling:
  - LDAPviewer reads the schema from any LDAP V3 compliant server.
  - A Schema DIT allows inspection and navigation within the collections for attributes, objectClasses, matchingRules and ldapSyntaxes.
  - LDAPviewer will read standard .schema files added to the application's /schemas directory.
  - LDAPviewer supports an extended .schemax format which allows additional text describing implementation specific usage of both standard and custom attributes or objectClasses.
  - .schemax files use an extended object syntax to indicate special editing considerations for any attribute, such as masking the display.
  - LDAPviewer is distributed with an objects.schemax file that documents the functionality of supportedControls, supportedFeatures and supportedExtensions as well as other objects used on common LDAP servers such as MS AD, OpenLDAP, 389DS.
  - LDAPviewer is distributed with the standard .schema files available with most LDAP server distributions.
- DIT Entries are displayed in a Viewer Panel that provides either or both (user selectable) HTML Editor and Table Editor Tabs with single click swap where both are present.
- Right clicking any object in the Table or HTML Editor will show its full definition (including elements from any SUPerior objects) and in the case of objectClasses all MUST and MAY attributes identified by objectClass (in the case of SUPerior hierarchies).
- Additional text describing any object including detailed usage or limitations may be added by the user as a simple HTML fragment.
- Editing entries may use the Table Editor or HTML Editor.
- In both HTML and Table Editors specialized editors are invoked during edit operations for:
  - Password editing including support of PLAIN, MD5, SMD5, SHA and SSHA algorithms for those attributes that support it.
  - JPEG (jpegPhoto) image editing including loading and saving of images.
  - Postal Address editing.
  - Generalized time editing.
  - Expanded space for editing long (> 100 character) strings (cut and paste service).
  - Audio editing including loading, playing and saving of audio clips.
  - X.509 Certificate inspection and manipulation.
  - Generic editing of raw binary fields using a base-64 format.
  - User friendly editing of olcSyncrepl (directory replication) attributes for OpenLDAP OLC (cn=config) including selection of editable skeleton configurations.
  - Security attributes (currently only OpenLDAP cn=config OLC) are edited as a group rather than as single values. Copy, Cut and Paste and clause layout formatting are designed to make it easier to generate error free security parameters. Any number of ACLs/ACPs/ACIs may be read, edited and any number written back in a single group operation.
  - Plugin attribute editors may be added for specific attributes or to override existing editors.
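The password editor item above lists the userPassword hash schemes the editor supports. The following is an added example, not LDAPviewer code, showing how those schemes are laid out in a stored value: a `{SCHEME}` prefix followed by base64 of the digest, with the salt appended to the digest for the salted variants (the layout used by OpenLDAP and RFC 2307 style servers). Verification recovers the salt from the stored value and compares digests in constant time. Salt length and the `verify_password` helper name are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme -> (hashlib algorithm, salted?). Salted values are digest || salt.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the given scheme ("PLAIN" stores the text verbatim)."""
    scheme = scheme.upper()
    if scheme == "PLAIN":
        return password
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, salted = _SCHEMES[scheme]
    data = password.encode("utf-8")
    if salted:
        salt = os.urandom(8) if salt is None else salt   # 8-byte salt: example's choice
        raw = hashlib.new(algo, data + salt).digest() + salt
    else:
        raw = hashlib.new(algo, data).digest()
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}base64 value (or a PLAIN value)."""
    if not stored.startswith("{"):
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(encoded)
    digest_len = hashlib.new(algo).digest_size
    # For salted schemes everything after the digest is the salt that was used.
    digest, salt = (raw[:digest_len], raw[digest_len:]) if salted else (raw, b"")
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    for scheme in ("PLAIN", "MD5", "SMD5", "SHA", "SSHA"):
        value = hash_password("secret", scheme)
        print(scheme, value, verify_password("secret", value))
```

Of the five schemes only SSHA and SMD5 carry a salt, and none of them is a slow password hash; a server-side scheme such as PBKDF2 or Argon2, where the server offers it, is the stronger choice for new deployments.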
- Table Editor provides:
  - Addition, deletion and editing of attribute values - including the automatic invocation of specialized editors for certain attributes or syntax types.
  - Non-mandatory attributes may be deleted.
  - Naming attributes may be edited, added or deleted (user is prompted before DN renaming).
  - An Entry may be cloned as the basis of a new entry.
  - A New Entry may be created based on user selected objectClass(es).
  - An Entry's structural objectClass may be changed. Appropriate attribute changes (additions and deletions) are automatically handled including any new mandatory attributes.
  - Addition of new STRUCTURAL or AUXILIARY objectClasses to an existing Entry. New Attributes are automatically made available and new mandatory attributes are indicated.
  - An Entry may be restored to its original (pre-edit) state.
  - Edit changes can be saved as an LDIF.
  - An Entry may be deleted.
  - An attribute or objectClass's ASN.1 Syntax may be inspected.
  - The user may toggle between the Table Editor (Table View) and the HTML Editor (HTML View) as required.
  - Navigating in the DIT Tree from one Entry to another will trigger an automatic prompt if edits have not been saved to the LDAP server.
- HTML Editor provides:
  - Addition, deletion and editing of attribute values - including the automatic invocation of specialized editors for certain attributes or syntax types.
  - Non-mandatory attributes may be deleted.
  - An Entry may be cloned as the basis of a new entry.
  - A New Entry may be created based on user selected objectClass(es).
  - An Entry may be restored to its original (pre-edit) state.
  - An Entry may be deleted.
  - An attribute or objectClass's ASN.1 Syntax may be inspected.
  - Note: A feature not supported by the HTML Editor may be invoked by simply toggling to the Table Editor and returning when the operation has been completed.
  - HTML Editing is performed within HTML Templates (HTML Forms).
- HTML Templates (HTML Forms):
  - HTML Templates may be denoted as general purpose or objectClass specific simply by placing them in a particular directory.
  - HTML Templates may be either Editing Templates, New Entry Templates or Display Templates.
  - Editing Templates use standard HTML Forms to define those attributes that may be edited, providing filtering to limit a user's view of an Entry to only those Attributes they are authorized to edit (this is over and above any server configured ACLs or access permissions).
  - If a classic table-style HTML Forms layout is used, the left hand descriptive fields may or may not include the LDAP attribute name or may consist only of appropriately descriptive, multi-line, text.
  - SELECT/OPTION tags may be used to limit field entry choice and eliminate spelling or other data entry errors.
  - INPUT 'hidden' tags may be used to add required fields.
  - HTML styling features may be used to provide visual clues.
  - Standard HTML Menu Blocks (using text or graphics) may be created to provide web-style hyperlink navigation between multiple HTML Templates.
  - Editing and New Entry Templates may provide default attribute values.
  - LDAPviewer is distributed with HTML Edit Templates to cover many standard objectClasses including OpenLDAP's cn=config service.
  - LDAPviewer is distributed with HTML New Entry Templates to cover many standard objectClasses including OpenLDAP's cn=config feature.
- LDIF Support:
  - Entries, partial DITs (from this DN down) and complete DITs may be Exported to an LDIF file.
  - LDIF Export automatically ensures that the full objectClass hierarchy for every objectClass in an Entry is written to the LDIF, thus allowing the LDIF to be imported into those LDAP servers which require the full objectClass hierarchy.
  - LDIF Export allows the user to optionally rename the base DN of each LDIF entry. Thus, an LDIF exported from, say, dc=example,dc=com could be renamed and written to the LDIF as, say, o=example,c=us. Changes are applied to all saved entry (principal) DNs.
  - LDIF Import supports both DIT creation and DIT modification including changeType modRDN and modDN types.
  - LDIF Import supports all LDIF types including file formats for importing audio and image types.
  - LDIF Export when invoked in the Search DIT uses the alias dereferencing, referral handling and return attributes defined in the search operation, thus allowing virtual DITs to be saved (and subsequently imported if required).
  - The Table editor allows entry edits to be saved as a type modify LDIF for subsequent application to, say, a live server or as an archival record.
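The base DN rename described in the LDIF Support items is easy to get subtly wrong (case-insensitive suffix match, binary values that must stay base64, folded lines). The following added example is not LDAPviewer's code; it is a minimal LDIF reader/writer that handles folded continuation lines and `::` base64 values, rewrites only the entry DNs from one base to another (as the item states, DN-valued attributes such as member are left untouched, which is a point to check after any rename), and re-emits RFC 2849 safe strings as plain text and everything else as base64. The sample LDIF is constructed for the example; `:<` file references are not resolved here.

```python
import base64
import re
from typing import List, Tuple

Record = Tuple[str, List[Tuple[str, bytes]]]   # (dn, [(attribute, raw value), ...])

# RFC 2849 SAFE-STRING: ASCII, no NUL/LF/CR, and not starting with space, ':' or '<'.
_SAFE = re.compile(rb"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   rb"[\x01-\x09\x0b\x0c\x0e-\x7f]*$")

SAMPLE_LDIF = """\
# constructed sample, not exported from a real directory
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: cn=Jane Doe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
description:: SmFuZSBpcyBhIHRlc3QgdXNlci4=
jpegPhoto:: /9j/4AAQSkZJRgABAQ==
"""


def _unfold(text: str) -> List[str]:
    """Join continuation lines: a line starting with a single space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse content records (dn + attributes); values after '::' are base64 decoded."""
    records: List[Record] = []
    dn, attrs = None, []
    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        if name.lower() == "dn":
            dn = value.decode("utf-8")
        else:
            attrs.append((name, value))
    return records


def rename_base_dn(records: List[Record], old_base: str, new_base: str) -> List[Record]:
    """Rewrite entry DNs that equal or end in old_base (case-insensitive) to use new_base."""
    out: List[Record] = []
    for dn, attrs in records:
        low, old = dn.lower(), old_base.lower()
        if low == old:
            dn = new_base
        elif low.endswith("," + old):
            dn = dn[: len(dn) - len(old_base)] + new_base
        out.append((dn, attrs))
    return out


def _format(name: str, value: bytes) -> str:
    if value == b"" or _SAFE.match(value):
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def _fold(line: str, width: int = 76) -> str:
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def to_ldif(records: List[Record]) -> str:
    chunks = []
    for dn, attrs in records:
        lines = [_format("dn", dn.encode("utf-8"))] + [_format(n, v) for n, v in attrs]
        chunks.append("\n".join(_fold(l) for l in lines))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    print(to_ldif(rename_base_dn(parse_ldif(SAMPLE_LDIF), "dc=example,dc=com", "o=example,c=us")))
```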
- Entry Manipulation in DIT Tree:
  - Entries or Branches may be copied and pasted (renaming prompts occur if DN clashes result).
  - Entries or Branches may be cut and pasted.
  - Entries and Branches may be renamed in the tree.
  - Entries may be Drag'n Dropped in the DIT Tree.
  - Entries (or branches) may be deleted in the DIT Tab.
  - Bookmarks may be saved and provide rapid navigation to specific DNs.
- Searching:
  - Search results are displayed in a separate DIT Tab (creating a virtual DIT).
  - Subsequent navigation in the Search DIT uses the dereferencing, referral handling and return attributes defined in the original search.
  - Quick Search Bar provides for simple searches.
  - The Search Constructor allows single filters to be saved as named searches for subsequent single click use.
  - The Search Constructor allows single filters to be combined using AND, OR or NOT and then saved as named searches for subsequent single click use.
  - The Search Constructor may combine existing named searches using AND, OR or NOT to create complex filters which can then be saved as named searches for subsequent single click use.
  - Alias dereferencing options are saved with the Search Filter.
  - Return attribute lists may be saved as named lists and added to any Search Filter.
  - Named Searches can be invoked from a single click on the Search menu.
  - LDIF Export (Entry or Tree) operations invoked while in the Search DIT will use the dereferencing, referral handling and return attributes defined in the search operation, thus allowing virtual DITs to be saved (and subsequently imported if required).
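The Search Constructor items describe building single filters, combining them with AND, OR or NOT, and reusing the result under a name. The added example below is not LDAPviewer code; it shows the RFC 4515 filter strings such a constructor produces and the one detail that matters for safety: assertion values must be escaped so that a value typed by a user (for instance `*)(uid=*`) becomes a literal string rather than extra filter structure. The `SearchLibrary` class and its method names are this example's own.

```python
from typing import Dict

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    return f"({attr}={escape_filter_value(prefix)}*)"


def present(attr: str) -> str:
    return f"({attr}=*)"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    return "(!" + filt + ")"


def _balanced(filt: str) -> bool:
    """Cheap structural check: escaped parentheses are hex sequences, so only real ones count."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


class SearchLibrary:
    """Named searches: a name maps to a complete filter; names can be combined into new filters."""

    def __init__(self) -> None:
        self._named: Dict[str, str] = {}

    def save(self, name: str, filt: str) -> str:
        if not _balanced(filt):
            raise ValueError(f"unbalanced filter: {filt}")
        self._named[name] = filt
        return filt

    def get(self, name: str) -> str:
        return self._named[name]

    def combine(self, op: str, *names: str) -> str:
        parts = [self._named[n] for n in names]
        if op == "AND":
            return and_(*parts)
        if op == "OR":
            return or_(*parts)
        if op == "NOT":
            if len(parts) != 1:
                raise ValueError("NOT takes exactly one named search")
            return not_(parts[0])
        raise ValueError(f"unknown operator {op}")


if __name__ == "__main__":
    lib = SearchLibrary()
    lib.save("people", equals("objectClass", "inetOrgPerson"))
    lib.save("admins", equals("ou", "Admins"))
    lib.save("people-not-admins", lib.combine("AND", "people", lib.save("not-admins", lib.combine("NOT", "admins")) and "not-admins"))
    print(lib.get("people-not-admins"))
    print(equals("cn", "*)(uid=*"))   # user input stays a literal value
```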
- LDAPviewer provides a number of Help features:
  - The Help feature requires a minimum of Java 1.8 (JRE/JDK 8).
  - Help may be invoked from the Help menu or from the Help button available on all windows except the most trivial message windows.
  - Help windows are always non-modal, meaning they can be left open during window usage.
  - Help windows include a left hand menu to enable navigation to any required topic.
  - An Htmlkit allows the user to replace or edit the text of any HTML Help page.
  - Help Info allows the user to add an HTML file that provides additional text describing an attribute or its configuration. If the file exists an Info button is displayed in specialized editors which will open the user supplied file.
  - HTML fragments may be supplied that will be added to any LDAP object definition display.