Added plugin class for displayName in aeDept entries.
Plugin class for aeDept uses displayName in select lists.
Support for new attribute aeDisplayNameGroups.
Added filter part for excluding zone pub in rights group DNs.
Aligned HTML templates with upstream.
Fixed issues with memberUID attribute not being removed
in case of absent member values.
1.2.68
Release Date: 2016-08-05
Plugin class attribute DistinguishedName.ref_attrs can now
have additional element for specifying the object class of referring
entries.
New plugin class attribute LDAPSyntax.simpleSanitizers can
be used to define a series of simple one-argument functions (e.g.
str.lower or similar) which are applied in method
LDAPSyntax.simpleSanitizers.sanitizeInput().
Note that more complex plugin classes likely do not call this though.
Search continuations (referrals) are now simply ignored when processing
possible parent zone entries in plugin class for associatedDomain.
Registered plugin class for uidNumber and
gidNumber also for object class aeService.
More links for searching aeHost.
1.2.66
Release Date: 2016-07-16
Registered defaultObjectCategory with plugin class for
objectCategory and added ref_attrs to that class.
New host-/backend-specific parameter
addform_parent_attrs
allows to define a list of attributes which must be readable in the
parent entry for a LDIF template to be displayed.
Default plugin class for aePerson is now based on
DynamicDNSelectList.
Added support for aeDept entries.
Added plugin class for auto-generating uniqueIdentifier
attribute value in aePerson entries.
Added plugin class for attribute manager in
aePerson entries.
Updated/improved HTML and LDIF templates.
Fixed login template selection during re-login.
1.2.63
Release Date: 2016-06-27
Fall-back for empty DN in base plugin class
DynamicValueSelectList.
Use (objectClass=*) as default when empty filter was input to
bulk modification.
1.2.62
Release Date: 2016-06-23
Serious security fix:
Previous StartTLS is now correctly honored in
login form hidden parameters.
When displaying the available LDIF templates after [New entry] the
superior entries are now displayed with HTML templates snippets defined
with host-/backend-specific parameter
inputform_supentrytemplate.
Added new LDIF template for Æ-DIR primary user account
with AUX class inetLocalMailRecipient for mailbox users.
1.2.61
Release Date: 2016-06-21
Added config presets, plugin classes and templates for new Æ-DIR
aeDept
schema.
Search continuations (referrals) are now simply ignored when generating
search root select list.
1.2.57
Release Date: 2016-06-07
Search continuations (referrals) are now simply ignored during bulk
modification.
Updates for Æ-DIR:
Added plugin class for new attribute aeHost.
Added specific plugin classes for attribute cn in
entries of structural object classes aeZone,
aeGroup, aeSrvGroup and aeSudoRule
to let deployments attach specific regex patterns.
Increased maxlength for LDAP filter string in expert search
form to 1200 chars.
1.2.45
Release Date: 2015-12-28
Updated work-around in syntax class Boolean for handling lower-case attribute values.
(I hate LDAP servers not sticking to
standards!)
CSS and markup improvements for printable output.
Plugin class for pwdChangedTime now strictly reads
referenced ppolicy entry with filter (objectClass=pwdPolicy).
Plugin class for namingContexts:
Now also registered for OpenDJ attributes
ds-private-naming-contexts and ds-cfg-base-dn.
Now displays link to search accompanying OpenDJ's backend
configuration entries beneath cn=Backends,cn=config.
Now displays link to search accompanying OpenLDAP or OpenDJ backend
monitoring entry beneath cn=monitor.
1.2.44
Release Date: 2015-12-16
New plugin class for olcPPolicyDefault checks whether
attribute value references existing pwdPolicy entry.
Plugin class for namingContexts also registered for
attribute olcSuffix used by OpenLDAP's back-config.
Plugin class for auditContext also registered for
attribute olcAccessLogDB used by OpenLDAP's back-config.
When displaying a single entry the same search_filter and
no_cache argument is now used when additionally reading
potentially hidden operational attributes.
Usage of host-/backend-specific parameter requested_attrs has
changed when displaying a single entry:
Only attributes which were not read with prior search operation and
which are part of the subschema are really used when additionally
reading potentially hidden operational attributes.
If Python modules
stdnum
and vatnumber
are installed then function vatnumber.check_vat() is used
to check values in attribute euVATId instead of regex check.
1.2.43
Release Date: 2015-12-08
Fixed regression for determining whether only partial search results
were retrieved. mailto: links were not displayed.
New plugin class GroupEntryDN registered for various
combinations of DN-valued attributes and structural object classes
mainly for search group members by memberOf:
attribute
object class
entryDN
groupOfNames
entryDN
groupOfEntries
distinguishedName
group (MS AD)
entryDN
aeGroup (used as base class)
Plugin class for namingContexts now displays
link into tree browser.
New plugin class for OpenLDAP rootDSE attributes
configContext and monitorContext.
Plugin class for memberOf now also registered for OpenDJ's
attribute isMemberOf.
Attribute krbMaxRenewableAge also registered with plugin
class Timespan.
Added plugin module for the FreeIPA
which does not contain much yet though.
Added some HTML templates for displaying entries in OpenLDAP's accesslog.
1.2.42
Release Date: 2015-11-28
Fixed regression in plugin class method
Boolean._sorted_select_options().
General clean-up and many typos fixed in various HTML templates.
Added separate read HTML templates for OpenLDAP's cn=config.
Special installation receipt for Debian Jessie (sigh!).
Changed shee-bang lines to explicitly invoke python2.7
to avoid issues with distributions changing the default Python version.
1.2.41
Release Date: 2015-11-09
Updates to reflect new OATH-LDAP schema:
Updated HTML templates
New plugin class for oathSecret displays shared secret as
base32-encoded string.
OID renumbering
Removed registrations for OATH init attributes.
1.2.40
Release Date: 2015-11-02
Modifications to HTML templates for OATH-LDAP to reflect new schema.
1.2.39
Release Date: 2015-10-22
Relaxed regex pattern in plugin class for oathTokenIdentifier.
New method DynamicValueSelectList_determineFilter() allows
custom implementations to determine the search filter used when
searching/reading entries.
Modifications to OATH-LDAP plugin module and HTML templates to reflect
new schema version.
1.2.38
Release Date: 2015-08-15
Only write LDAPSession.__dict__ to error log
if there is a valid LDAPSession instance.
Improved output for empty results and errors when locating
LDAP servers with DNS queries.
When searching in OpenLDAP's accesslog DB for Æ-DIR changes
the DN is changed to trigger correct configuration cascade.
Small modifications to plugin module for Æ-DIR.
Plugin class for attribute mail now automagically encodes
and decodes non-ASCII chars in the domain part as
IDNA.
Plugin class for attribute reqEntryUUID does not display
a search link in search result listing anymore.
Fixed UnicodeError when presenting re-login form during
handling ldap.INSUFFICIENT_ACCESS.
1.2.37
Release Date: 2015-08-01
Cache is internally flushed on each simple bind. Likely there was no
relevant impact though.
Plugin class for associatedDomain now also catches and
ignores formerly unhandled IndexError exception.
In case of an unhandled exception a pretty-printable view of
LDAPSession.__dict__ is written to the error log.
1.2.36
Release Date: 2015-07-24
[Read] links are always displayed in the middle area after
adding/modifying an entry.
Fixed regression with missing last entry when displaying all entries.
1.2.35
Release Date: 2015-07-19
DN matching rules added to advanced search form.
New plugin class for attribute entryDN and object class
aeZone shows links to OpenLDAP's accesslog DB if available.
When displaying sshPublicKey with an invalid key
the paramiko.SSHException is caught and an
error message is displayed inline.
1.2.34
Release Date: 2015-07-13
OpenLDAP-specific plugin class for olcRootDN does not throw
unhandled exception on entries without olcSuffix anymore.
There are now configuration preset instances available in
web2ldapcnf.hosts re-usable for several configuration items
in web2ldapcnf.hosts.ldap_def:
New host-/backend-specific parameter
bulkmod_delold to
work-around issues with LDAP servers (e.g
OpenLDAP) hitting internal constraints if delold=0
is used.
Set of ignored attributes when modifying an entry now also handles
correctly attributes not present in subschema (e.g. OpenLDAP's
entryCSN).
Added attributes entryDN, entryCSN and
collectiveAttributeSubentries to the hard-coded list of
attributes always ignored when processing add/modify input.
If Relax Rules Control is enabled the input form is forced to be table
form instead of template form. Also an additional warning is displayed.
1.2.27
Release Date: 2015-05-15
Corrected DIT structure rules in Æ-DIR supplemental schema.
Set maxLen for plugin classes of dc and
associatedDomain etc. according to clarifications in
RFC 2181.
Separate plugin class for cNAMERecord to restrict input to
one value.
Code cleaning in LDAPSession.bind() etc. to allow subclasses
to easily override new method LDAPSession.getBindDN().
Relaxed determining input size for Integer input fields,
especially for entering time span strings.
1.2.26
Release Date: 2015-04-30
Exception ldap.UNAVAILABLE_CRITICAL_EXTENSION now simply
ignored when reading rootDSE.
New base plugin classes NotBefore and NotAfter
used in plugin modules aedir and sudoers.
Some minor improvements to default CSS theme.
1.2.25
Release Date: 2015-04-19
Cleaned up building the set of ignored attributes when modifying an
entry. This fixes a regression with Relax Rules control enabled.
More search links when displaying DNS/DHCP related attributes.
data URI scheme
(see RFC 2397)
is now used when image data is less than treshold set in class
attribute Image.inline_maxlen (currently 630 bytes).
Cleaned up method GeneralizedTime.displayValue() to correctly
call base class method for fall-back.
New plugin class for pwdAccountLockedTime.
1.2.24
Release Date: 2015-03-19
Registered attribute type sudoUser with plugin
class w2lapp.schema.plugins.sudoers.SudoUserGroup and
structural object class aeSudoRule.
Some small changes to HTML templates for Æ-DIR.
Registered attribute type sambaDomainName with syntax class
DirectoryString and structural object class sambaDomain.
Fixed exception when determining form value for sambaSID in
sambaDomain entry.
Added LDIF template for a DNS zone entry with more zone-related
attributes (SOA, NS etc.) which uses associatedDomain for
forming the RDN.
Fixed exception when generating additional links for
aeUser/entryDN in case attribute auditContext is
not readable.
1.2.23
Release Date: 2015-03-13
Fake paging of search results also works now if the LDAP server does
not return a size-limit LDAP result code (e.g. W2K12 AD DS).
Registered attribute type msExchMailboxGuid with plugin
class MsAdGUID.
The example configuration files for Apache were split into 2.2 and 2.4
variants which are used in Debian and openSUSE installation instructions.
Code cleaning when generating additional links for memberOf
for general schema and for Æ-DIR.
Work-arounds for interop issues with W2K12 AD DS:
Graceful handling of non-DN authz name in group administration
because of Who Am I? returning non-DN result which cannot be mapped
to DN by internal authz-DN search.
Graceful handling of Who Am I? returning None as result.
1.2.22
Release Date: 2015-03-01
Removed HTML tag attribute autofocus from all HTML templates
because it interferes the hidden skip navigation links.
Added krbCanonicalName to Kerberos search form template.
Eliminated hard-coded DNs in plugin module for Æ-DIR.
Added LDIF template for X.509 CA entries based on
applicationProcess and pkiCA.
Added to top section template:
<meta name="referrer" content="no-referrer">
<meta name="viewport" ...> for mobile displays
Added specific search form template for MS AD (see search context menu).
Stricter IA5 String validation.
Added read and input form HTML template for inetLocalMailRecipient.
1.2.21
Release Date: 2015-02-10
Unnecessary <br> tags are avoided when generating input forms.
Fixed/improved DNS RR search links in plugin class for
dhcpOption and dhcpStatements.
Plugin class registration for attribute types can now be limited to
certain structural object classes. This is backward-compatible and does
not affect existing plugin modules.
New mix-in plugin class w2lapp.schema.syntaxes.ComposedAttribute
composes attributes values from other attribute values within an entry.
Obviously this only works for single value attributes.
New plugin module w2lapp.schema.plugins.inetorgperson
with plugin classes derived from ComposedAttribute
generating values for attributes cn and displayValue.
Added HTML templates for posixGroup.
Added skip navigation links to top of page to ease jumping to content
and menu areas
(see WAI quick ref.).
Merged Æ-DIR customization:
New plugin module w2lapp.schema.plugins.aedir
LDIF and HTML templates
Example configuration
1.2.20
Release Date: 2015-02-06
Compacted LDAP connection info in [ConnInfo].
Added search form template for MIT Kerberos schema.
Hit list of remote IPs seen displayed in monitor page.
Uniqueness checks performed when registering plugin classes:
Syntax class oid must not re-used.
An exception is raised in this case which gives details about the
parameters used.
A warning is written to stderr when overriding a
formerly registered plugin class for an attribute type.
Fixed a couple of misregistrations of plugin classes.
A warning is written to stderr during startup when importing
site-specific configuration module web2ldapcnf.local fails.
1.2.19
Release Date: 2015-01-30
All remote IP addresses ever getting a session are counted.
The code maintaining session ID and remote IP associations was cleaned up.
Standard search form templates were overhauled. Redundant templates were
removed and more specific templates added (NIS, DNS, DHCP).
Empty search attribute type is simply ignored.
User interface of enabling/disabling extended controls was overhauled:
Controls can now be enabled/disabled with one click
(no separate <form>).
Per default only controls known in rootDSE are listed.
The list can be expanded with one click though.
Unknown controls are displayed striked instead of an X in a
separate table column. This also saves horizontal space.
Removed errornous handling of Values Sort Control.
1.2.18
Release Date: 2015-01-27
Fixed again generating input form values for associatedDomain.
Plugin class for associatedDomain now displays links to
search matching A RR entries for reverse DNS RR entries
(.in-addr.arpa).
Fixed regression when displaying error message in schema viewer.
New plugin classes for attribute types member and
memberOf.
1.2.17
Release Date: 2015-01-25
Implemented per remote IP session limits additionally to the global limit.
This requires new global parameter
session_per_ip_limit
to be set in your configuration.
OctetString values are now displayed as a proper hex-dump
with offset and ASCII excerpt.
Registered more Kerberos attribute types with Timespan
plugin class.
Fixed some small issues found with pychecker.
1.2.16
Release Date: 2015-01-22
Fixed plugin class registration bug which could lead to
IOError exception.
Major changes to displaying of search results:
Detailed view of search parameters and the export form is provided
at end of page. An intra-document link points to that section.
Mainly this saves vertical space at top of page.
An equivalent ldapsearch command-line is generated based
on the search parameters which is only compatible with OpenLDAP's
command-line tool though.
Some minor fixes in HTML markup.
More minor improvements in DIT browser.
Start of main <div> and top anchor are now part of
top_template.
This makes the top link always work independent of the CSS layout.
Small HTML fixes here and there.
1.2.15
Release Date: 2015-01-21
Added workaround in DIT browser for servers which return search results
for one-level search below an empty root DN.
Limits/error handling of DIT browser more robust now
(ldap.ADMINLIMIT_EXCEEDED etc.).
DIT_MAX_LEVELS is now enforced in DIT browser.
For the current selected DN the link is now for collapsing the sub-tree
(simply browse from parent entry).
Intra-document links are displayed in "Syntax check failed"
which point to the attribute's input field. This is helpful for the
user if HTML templates are used for input names without mentioning real
attribute names.
Some minor improvements to default CSS theme.
For all [Up] and [Down] links the advanced search form is used now.
1.2.14
Release Date: 2015-01-20
Added basic DIT browser reachable with [Tree] in main menu.
This is a rather useless feature if you have more than a handful of
entries. But many people seem to be keen to waste their time clicking
around in their web browser instead of using a proper search.
1.2.13
Release Date: 2015-01-19
Some minor changes to default CSS theme especially for smaller displays.
Fixed various subtle UnicodeError exceptions,
added more related assertions.
1.2.12
Release Date: 2015-01-18
Fixed UnicodeError exception when adding entries below a DN
with non-ASCII chars.
Finally a new default CSS theme was made (overdue for 1.2.x).
Hope you like it.
The old 1.1 CSS theme can still be found in file
white-on-green.css.
Added plugin class for sSHFPRecord.
Schema viewer now points to advanced search form for searching by
attribute type existence or object class.
When generating select fields for attribute types unnecessary sorting
is avoided, value uniqueness is ensured and sorting is done
case-insensitive.
All input HTML templates now make extensive use of <fieldset> and
<legend> tags instead of sub headings to group related input fields.
1.2.11
Release Date: 2015-01-15
Fixed unhandled exception when displaying dhcpStatement
value with no space-separated value.
Fixed generating input form values for associatedDomain.
Fixed/improved some HTML search form templates.
Added plugin class for mXRecord.
Added additional safety check for invalid key string in HTML template
dictionary.
Added example configuration snippet for accessing web2ldap running as
external FastCGI responder via lighttpd.
Added script sbin/web2ldap_postinstall.sh which adds demon
user/group, creates directories and fixes ownership/permissions.
Added select list plugin class for NIS attribute ipServiceProtocol.
Added inputform template for dNSDomain2.
Updated fallback schema file localschema.ldif.
HTTPS
links are used for all IETF docs, PyPI and Google code links.
Added HTML templates for object classes namedObject and
namedPolicy (defined in
draft-stroeder-namedobject)
Added HTML templates for object class groupOfNames.
1.2.10
Release Date: 2014-12-19
Fixed case-insensitive syntax checking of attribute dhcpHWAddress.
Added link for search PTR RR entry when displaying attributes
aRecord and aAAARecord.
Plugin class for associatedDomain now displays link to search
referencing DNS RR entries.
Improved suggesting reasonable input values for associatedDomain
based on domain entries with attributes
nSRecord or sOARecord found.
Added ssh-ed25519 to validation regex pattern for
sshPublicKey.
Plugin class for dhcpStatements and dhcpOptions
now displays link to search related DNS RR entries for DHCP options
host-name and fixed-address.
Env vars HTTP_X_REAL_IP, HTTP_FORWARDED_FOR,
HTTP_X_FORWARDED_FOR are derived from HTTP headers to get
the real client IP address when running in stand-alone mode behind a
proxy.
Many small improvements to docs, config examples and a new wrapper script around
spawn-fcgi
for running as a separate FastCGI process.
FastCGI process starts even when configured PID file cannot be written.
Added example configuration snippet for accessing web2ldap running as
external FastCGI responder via nginx.
1.2.9
Release Date: 2014-12-12
In case something goes wrong when reading LDIF templates the name of
the template is displayed in the error message.
Importing non-standard lib modules before extending sys.path
is now avoided.
Added LDIF template for entry with object class
olcModuleList (for OpenLDAP's back-config).
Added LDIF and HTML templates for various DHCP entries / object classes.
Added entryDN to HTML templates for structural object classes.
Registered multi-line plugin class for dhcpOption,
dhcpOptions and dhcpStatements.
Include more LAN types in regex for dhcpHWAddress.
Corrected installation instructions and current version number is used everywhere.
Error message is generated for a formerly unhandled exception when object
classes of an entry are completely unknown and users hits [Modify].
1.2.8
Release Date: 2014-12-01
Added preliminary support for bulk copying entries
based on search results (new checkbox in bulkmod).
Use with care!
Slightly improved support for OpenLDAP's back-config:
Moved templates to separate sub directory.
Fixed/improved LDIF and HTML templates for back-hdb.
New LDIF and HTML templates for back-mdb.
Plugin class for olcRootDn now derives form input value
from olcSuffix.
Added value for Windows 2012R2 to plugin class for
domainControllerFunctionality.
Added some Windows 2012R2 specific control and capabilities OIDs to
LDAP OID registry.
Added plugin module for the Univention Corporate Server
which does not contain much yet.
Registered attribute types krb5PrincipalName,
krb5RealmName and krb5Key with more suitable LDAP
syntax classes to make values displayable.
1.2.7
Release Date: 2014-11-28
New parameter
groupadm_optgroup_bounds
for defining the DN component slice to use to generate the
<optgroup> in group administration.
New plugin class for namingContexts displays link to search
accompanying OpenLDAP's database configuration entries.
Fixed unhandled exception when choosing printable output of search results.
Small improvements to plugin class for associatedDomain.
Added work-around to always ignore non-empty configuration value
requested_attrs
when cloning an entry.
1.2.6
Release Date: 2014-11-13
Added plugin class for AD attribute lockoutTime.
Fixed group administration exception in case attribute
objectClass of group entry is not present.
Fixed fallback to module ipaddr.
Fixed plugin class pseudo OIDs
IPHostAddress.oid and IPNetworkAddress.oid.
Improved plugin class for dhcpRange for checking against
network address specified in attributes cn/dhcpNetMask
and suggesting the whole range as default value.
Use posixAccount as default value for objectClass
when searching primary member entries of a posixGroup entry
by gidNumber.
1.2.5
Release Date: 2014-11-03
Fixed various regressions with extended control form handling introduced
in 1.2.2 when extending data structure in
ldapparams.AVAILABLE_BOOLEAN_CONTROLS.
Some minor HTML5 markup fixes/improvements.
1.2.4
Release Date: 2014-10-31
Plugin class for attribute x509issuer only uses normal DN
value check.
OID values with curly braces are now normalized to dotted IETF string
representation for OIDs.
Different plugin classes for IPv4 and IPv6 host and network addresses.
Old separate TLS configuration parameters were obsoleted by new parameter
tls_options.
New features/enhancements
Implemented multi-session cookie handling with cross-checking
against web2ldap's session ID to prevent attacks in
case web server's access logs is not kept confidential.
Cookie usage is enabled by setting
cookie_length
to a non-zero cookie value length.
Now more TLS options can be set by using the more flexible
host-/backend-specific parameter
tls_options.
Input form entry data now processed in different steps to give
plugin classes access to more attributes in the different stages.
Especially there's a new method LDAPSyntax.transmute()
which has guaranteed access to the whole entry and will be called
several times if needed to make composing attributes values possible.
The sequence of keys used to determine HTML templates from
input_template and
read_template
is now first the single STRUCTURAL object class
followed by all non-STRUCTURAL object classes.
New context menu item [Clone] when displaying a single entry
leads to add form being displayed with the old entry used as
template.
HTTP headers pre-configured with
http_headers
are now consequently used for every HTTP response generated.
Bulk modification/moving of entries derived from search results.
New context menu item [Bulk modify] is shown when displaying search results.
Bulk deleting of entries derived from search results.
New context menu item [Delete] is shown when displaying search results.
New host-/backend-specific configuration parameter
schema_supplement
allows to extend the subschema with the content of a locally
installed LDIF file.
Monitor page now shows maximum of concurrent sessions and how
many sessions were removed after timeout in the session counter
table.
New host-/backend-specific configuration parameter
naming_contexts
allows to set list of fake namingContexts values.
When starting in stand-alone mode the hostname in command-line
option -l is now fully honored to determine
SERVER_NAME and thus the cookie domain.
This works around a cookie issue with Google Chrome etc.
when listening just on 127.0.0.1. You can now add e.g.
localhost.localdomain to your /etc/hosts and set the
hostname with -l.
Plugin classes SelectList and friends now support
additional option title. In particular DynamicValueSelectList
looks for attributes description or info to
determine the option title.
Former configuration template files/snippets defined with
status_template, html_begin_template and
link_css are now all consolidated in one HTML template
top_template.
The redirect page can also be defined with a HTML template file referenced by
redirect_template.
"Don't Use Copy" control is used if readable in rootDSE
attribute supportedControl when reading an entry before
presenting modification input form.
OIDs from RFC 6171
and OpenLDAP experimental are supported.
Dropped features
Support for normally unused parameter web2ldapcnf.misc.sec_expire
was removed also due to security issues with setting it to non-zero value.
Host-/backend-specific parameter now login_default_mech
obsolete. You can specify a default login mechanism in the HTML
template referenced by
login_template.
Changes in the UI
Full bookmark links are now generated and added as link to
<head> section and in the displayed status area.
When choosing [Modify] from the context menu the entry input form
is shown directly.
The entry input form now provides [+] and [-] buttons for easier
input handling of multi-valued attributes.
The entry input form now provides a button [Classes] for changing
the set of chosen object classes.
New plugin class AuthzDN additionally displays a
description of the referenced entry. Registered for the
following attribute types:
creatorsName
modifiersName
reqAuthzID
monitorConnectionAuthzDN
If the user submitted a search form without assertion values the
same search form is re-displayed now.
When displaying search results the context menu now has a new
menu item [Modify Search] which allows to edit the search input
in an advanced search form if base or advanced search form was
used before.
No context menu anymore displayed along with input form for new entry.
When adding a new entry two different forms are available for
choosing the object classes:
Templates:
Displays a radio button list to choose from pre-configured
LDIF templates
Expert:
Displays multi-select lists for choosing the object classes
manually.
mailto: links only displayed along with search
results if not only partial results were retrieved. Adding a
mail address more than once is avoided.
Bugs fixed
Better error handling when exporting data to e.g. avoid HTML
error messages appearing in LDIF export.
More graceful handling of errors when accessing a LDAP server
with very paranoid security settings (no anon bind, explicit
bind required, etc.).
Security
Whereever possible the class
random.SystemRandom is now used for generating random stuff.