mod_psldap© Release Notes

Last Stable Release: 0.93 (20 April 2010)

• Integrated access from smartphones directly
• Mapping to contact locations using your preferred mapping provider
• Implementation of registration page shells, and registrant management / classification

The latest release of mod_psldap provides new core capabilities to support new actions to register users, add ldap attributes and client side drag and drop editing of the LDAP records to reassign records to superiors, people to managers, and members to groups. A client side form validation framework was also introduced that simplifies validation through leverage of custom attributes on the input elements.

• Fixed DocumentManager JS API to accomodate browser technology changes – mod_psldap now supports XSLT on the client without a round trip to the server to reaquire the XML and reset the default XSL
• Addition of search status update in the tree div and processing status to the record editing div in alt_index.html
• Implemented window resizing to fit content in editable forms popups
• Enabled anonymous access through the module when a user is not provided
• Implemented a Register action to force rebinding to ldap with credentials provided through the PsLDAPRegBindDN and PsLDAPRegBindPassword parameters configured in the Apache configuration for the module
• Modified the DSML_editform.xsl to transform for registration specific view provided the dn attribute on the searchResultEntry node equals ‘dc=registered’
• Added operational attributes into the attribute set returned when an LDAP search is executed, allowing visibility to entryUUID, modifyTimestamp, createTimestamp, creatorsName, among other attributes
• Eliminated potential security hole when using cookie based sessions
• Modified LDAP session persistance to pull timestamp from the operational attribute modifyTimestamp to dtermine last access time for Apache session
• Secured session cookies with HttpOnly option to reduce XSS attack risk – pending identification of browser support
• Introduced validation framework in edit tools – invokes any function set in the psvalidate attribute of an input element in the context of the input element on form validation passing the argument list identified in a comma separate string following the function name in the attribute e.g. psvalidate=’psldap_validateMinLength,7′
• Introduced 4 standard validation methods: psldap_validateMinLength, psldap_validateMaxLength, psldap_validateEMail, psldap_validatePasswordStrength,
• Fixed the configure script – the generated Makefile now provides reliable builds, installs, and bundling of the module
• Enable drag and drop movement across organizational units and managers in the explorer tree via mouse actions against the image handles on each tree node

This is a patch fix against 0.91 to address defects identified in extended testing. This is a bug fix release to address variations on the initially tested configurations and restores isolation of site specific configurations to simplify an upgrade.

• Moved common capabilities back out of DSML_sitefrags.xsl to leave that stylesheet for site specific customizations only – common capabilities are now in DSML_commonscript.xsl
• Refactored the pageHeader template with pageHeaderWithRefClass to reduce duplicate code
• Removed some hardcoded values from the DSML_vendors.xsl (enabled automatic population of the ldapDomains to all select elements with an id of ‘dn’) and made the template for servicesMgmt site specific
• Corrected minor title setting bug on commonscript XSL
• Extended vcard to include KEY, REV, PRODID, and CLASS, also fixing IM references to be compliant with RFC 4770
• Fixed generated dsml structure to better match spec – pushed searchResponse back under a batchResponse node and change mgmt and org XSL back to reference the correct XPath
• Fixed improper ServerPath inclusion in fully qualified path assembly – repairs issue with XML and XSL file parse for server side operations when recursive path link is not present

This release includes major performance improvement in transformation and finally allows for XSLT to be performed in the server. These changes were extended to allow the ability to add, edit, and delete records from handheld user agents in addition to providing single record download capabilities as specified file types (vCard now supported for download with a text/x-vcard MIME type)

• Fixes to eliminate infinite loop in the vertical wrap to ensure IE displays the card view correctly and does not hang. This is related to a change in XSL based rendering in IE, requiring deferal of the wrap function call through a timeout.
• Introduce session persistence to the LDAP store to offer an alternative to passing credentials in the cookie, replacing content instead with a session id. An additional alternative is also introduced to embed the session id in the URL
• Introduced server side XSL transformation – integrated into vcard display for the contact records and in general response handling for blackberry user agents.
• Fixed issue with poor handling of ‘&’ in dn for URL reference to jpegPhoto which was causing some transformations to fail due to incorrect XML parsing
• Completed the change to DSML response type for jpegPhoto inclusion in the stream to ensure requests from IE return a URL to the photo and not the binary stream while continuing to pass the encoded image to firefox / mozilla based browsers
• Established uniform page head elements across all pages through introduction of XSL includes and imports
• Introduced performance improvements by adding indexes in the XSL processing.
• Introduced first page customizations for handheld user agents – initially only supporting blackberry – to include suppression of JS to wrap columns in the card style. UserAgent parameter added to all xsl templates via the new DSML_sitefrags.xsl inclusion. Telephone dialing, emailing, and SMS functional within handheld devices and tested on the blackberry.
• Addition of xmlObjectTemplate parameter to ldapupdate handler and the Present action type to present XML documents directly from the server. Formerly, this was achieved by getting XML documents directly via HTTP get requests, but this did not accomodate agents – such as handheld or mobile phone browsers – that did not perform the transform via XSL.
• Addition of the dlFilename parameter to ldap update handler to allow responses to be provided with an attachment disposition whose filename correlates to the value of the parameter.

This release focuses on improving the overall end user and administrative experience by providing better visibility when issues arise during edits and segregating LDAP configuration more distinctly from the presentation layer. In addition, we have introduced the capability to move contacts under new / different organizations.

• More visible and legible status responses
• Ability to dial contacts direct with skype, chat via yahoo
• Classify and manage vendor contacts through introduction of the DSML_vendors.xsl and a new PSIndVendorAcct objectClass
• Move contacts across nodes
• Fixes to the contact photo presentation
• Segregated browser side configuration into psldap_config.js

We introduced new capabilities to dynamically render a node in the tree views leveraging the previously loaded XML.

• Fixed lack of recognition of URI search scope in ldap scope execution
• Implemented AJAX framework for Mozilla and IE Browsers and integrated with tree based transforms on alt_index.html page.
• Creation and integration of a vcard stylesheet – writes text in vcard format to new browser window.
• Updated apache module to send XML without specifying stylesheets
• Altered existing stylesheets for tree based rendering to allow for node directed processing through JS calls to transform xml nodes.
• Update of license terms under the GPL within the distribution.

• Fixed load of editable forms for dn’s containing an ‘&’
• Addressed minor defect in authorization when psldap authentication is not used.
• Addition of scope to URI based search to improve edit form link performance
• Addition of links to yahoo, aim, and skype when using the PSInd LDAP objects defined in psldap.schema

• Addition of management based tree for person records

• Fixed cache access error in Apache 2.0 related code to resolve core dump

• Addition of tree based browsing interface with edit frame.

• Addition of PsLDAPAuthFilter to allow user to add filters to acquisition of the user record during authentication.
• Separation of the disablement of authentication from authorization through the introduction of the PsLDAPEnableAuthz parameter.
• Updated user documentation

• Changed the main page to be more interactive and have fewer popups
• Changed the tabular query response template to show names on org units and orgs as well as their addresses.
• Fixed compilation error on Apache 2.X
• Addition of switch to connect to LDAP server using V3 protocol through the introduction of the PsLDAPConnectVersion parameter.
• Altered UI for creation of new records to pull the default LDAP server from the new index screen.
• Fixed menubar styling in the UI

• Implemented handling of multipart/form-data in post responses.
• Implemented updates to LDAP backing store with binary data, allowing for the setting of the jpegPhoto field in the inetOrgPerson schema.
• Fixed defect in delete handler for ldap records.

XSL/HTML Updates

• Updates to sample XSL to add links for editing visible records in table and card view.
• Fixed issue with password field in the new user XSL.
• Also added field to insert jpegPhoto when editing inetOrgPerson records.
• Allowed printing of name in table view XSL when CN is protected by accessing first and last name
• Implemented new look and feel for edit form buttons
• Set print css for the table view to style for printing
• Modified index page for XSL sample interface to create new from an input select. Tweaked the layout of the index as well to make a little more user friendly.

• Changed auth form internal redirect to send 302 response – fixes pages with relative references to other resources and authenticated directory requests.

• Resolved defect with cookie processing on authentication when the server is misconfigured
• Fixed minor syntax error in JS example files.
• Updated user documentation.

• Improve visual appeal of user interface for web access / updates to LDAP server.

• Adjust DSML_psldap.js to address IE failure to implement importNode – fixes updates to records through DSML_editform.xsl

• Enable processing of parameters sent through both GET and POST to module.
• Created mechanism to handle LDAP search, add, modify, and delete operations.
• Created DSML generation mechanism to expose new LDAP interface.
• Created XSL templates to apply to DSML to facilitate interactions through the new interfaces.

• Fixed directory and server initialization routines – feedback accounted for.

• Fixed directory and server initialization routines – untested.

• Recognized failure to provide credentials as an auth failure, allowing denial after three attempts to authenticate without credentials.
• Changed authorization handler to check for existence of user key definition and to decline authorization handling if the key is not defined. Authentication had already been checking this condition. This fixes a crash in the module.
• Addition of configuration parameter, PsLDAPEnableAuth to control whether or not A&A is enabled. Set to ‘on’ by default.
• Changed require group parsing to recognize group names with spaces when they are quoted with either single or double quotes. The type of quote used to delineate the group may not be used in the group name.

• Implemented caching array in shared memory leveraging the apache ap_mm APIs.
• Addition of caching, controlled by the PsLDAPAuthUseCache parameter, set to off by default
• Reuse of existing LDAP connections implemented in acquiring authorization data to improve overall performance in authorization phase.
• Addition of PsLDAPAuthCookieDomain. The default is to let the cookie domain default to the server domain
• Initialization code has been added for Apache 2.0 (Courtesy Gunter Knauf)
• Reorganized code to improve readability of mixed Apache 2.0 and Apache 1.3 compatible implementation

• Addition of cookie based authentication against LDAP server using forms to collect the authentication data.
• Made form data accessible to all subrequests by adding it to the subprocess_env table immediately after acquisition.
• Addition of ability to recurse up request_rec chain to acquire authentication data
• Created mechanism to identify pending changes to current record when ldap records are updated through forms (experimental – not exposed).

Initial public release, containing the following functionality:

• Functions against a secure LDAP server
• Does not require administrative access to the LDAP server
• LDAP connection configurations can be set within a base URL
• Multiple LDAP servers can be utilized for authentication
• Management of search scope for identifying user to authenticate
• Configurable user, group, and password attribute selection
• Allows password comparison in the module or in the LDAP server
• Kerberos authentication to the LDAP server
• Identifies group membership based on an attribute value in the LDAP record