Products.ldapuserfolder

---------------------
- Cache timeouts can now be set from the Caches tab in the ZMI
(Tracker issue 263 by Michael Lindig)
- "Manager DN usage" set to "Always" would still bind as the user
itself after the initial bind, now it only uses the Manager
credentials. Had to insert a bind as the user to determine
password validity, though. (Tracker issue 266)

----------------
No significant changes between 2.1 beta3 and 2.1

---------------------
- Fixed a LDAP server misbehavior where a bind operation with
a valid user DN but empty password would seemingly succeed.
This behavior was only obvious in 2.1beta2 because I removed
code I considered obsolete. Also added unittests for
authentication and extended the FakeLDAP module to emulate
LDAP server binding behavior. (Tracker issue 257, my thanks
go to Jan-Wijbrand Kolman)

---------------------
- Apparently there are situations when a call to getGroups
returns a tuple. Code in the LDAPUserSatallite expected it
to be a list (Tracker issue 244).
- If the LDAPUserFolder was configured to always bind using
the Manager DN it was possible to log in with the wrong
password (Tracker issues 246 and 248, thanks go to Michael
Lindig).
- Found a problem deleting all values for a user attribute
from the ZMI which would throw an error. Discovered while
looking at the (unrelated?) issue 251 in the tracker, which
also dealt with a problem when clearing an attribute.

---------------------
- Cleaned up a mismatch between the delegate edit method and
signature expected by the LDAPUserFolder code that talks to
it (Tracker Issue 224 pointed out by Albert Chin-A-Young
and others)
- More cleanup in the way a LDAPUserFolder authenticates to the
LDAP server. The setting specified under "Manager DN usage"
is now respected for all record modifications and deletions
as well.
- Michail Bachmann pointed out some code errors in the
LDAPUserSatellite code that had crept in when switching to
using the LDAPDelegate (tracker issue 233).
- Finally added a full suite of unit tests for most components
in the package.
- If your LDAP server hands out referrals during an attempted
write operation (add, modify or delete a user record) then
this is now handled correctly, at least if you run OpenLDAP
and python-ldap versions 2.0 or higher.
- Implemented read-only mode where any writes to the LDAP
server are disabled (Tracker issue 228 filed by Tom Deprez).
- Officially removed compatibility with python-ldap 1.x
versions. Due to an oversight on my part some incompatible
code was already in the 2.0-series, but now I am finally
dropping any pretenses about supporting that old version.

goals were code simplification, cruft removal and improving
maintainability for me. While this meant putting the axe to
some features it also enabled me to implement some other
functionality that would have been much harder to do using the
old code.

- ZBabel support has been discontinued.
I have received very little (meaning No) feedback on it and
even before it was offered only very few people requested it.
I myself did not have an environment set up where I could
maintain the translation dictionaries, mainly because the way
they are updated is (in my opionion) a huge PITA. I got tired of
lugging code along that got more stale with every update I did
to the main cod. Since I have been on a simplification spree for
version 2.0 it was one of the first items to go.
My apologies to Dirk Datzert who performed the most of the ZBabel
integration work last year.
- Cookie support is no longer built into the product. If you need
cookie-based authentication I recommend installing the
CookieCrumbler product alongside the LDAPUserFolder. It performs
all functionalities of the built-in cookie support. See
http://www.zope.org/Members/hathawsh/CookieCrumbler for
information and download.
- You can now specify multiple LDAP servers to be used by the
LDAPUserFolder. Servers are used in a failover fashion. If the
first server in the list is down the next one is contacted, etc.
This assumes that the LDAP data structure on both servers is
identical, e.g. the users search base is the same.
- The LDAPUserSatellite can now be used in recursive fashion. This
means it can go out and consult all LDAPUserSatellites in its
acquisition path and have them make any role manipulations before
doing its own work, thereby getting a cumulative effect. Please
use caution with this feature because it is potentially very
expensive.