Products.ldapuserfolder

Latest version: v5.2


Page 12 of 15

1.6beta1
------------------
- Group type accessGroup added to the list of group records
recognized and usable within the LDAPUserFolder. Michael
Stroeder spotted this type of group on an IBM SecureWay
directory server.
- More efficient groups search filter for specific user
record, suggested by Michael Stroeder.
- Logging and caching are factored out into instance-level
objects
- The security model has seen a complete change to make
  it simpler and to respect access controls placed on the
  LDAP server itself more:

  - providing a Manager DN and password is optional
  - if a Manager DN has been provided in the configuration
    then that DN will be used to bind for every single
    LDAP operation
  - if no Manager DN has been provided then the current
    user's DN will be used for binding.
  - if no Manager DN has been provided and a user who
    authenticated against another user folder is
    attempting to perform LDAP operations it will
    be performed with an anonymous bind.

  This all implies that if you want to make changes in LDAP that
  require specific rights you must either log in as a user with
  those specific rights or use the less security-conscious
  workaround of providing a Manager DN in the LDAPUserFolder
  configuration.
  If you attempt to make changes with a Manager user
  authenticated against another user folder you might not be able
  to, which might be a source of confusion for some Zope admins.
- Catch ldap.PARTIAL_RESULTS after issuing a search request
to the server, something the Micro$haft "Active Directory"
server seems to like doing. Thanks go to Brad Powell for
reporting this nonstandard server behavior.
- Reclassified and clarified some logging calls and their
message output.
- A lot of "whitespace normalization" (hate that expression!)
and fixes to overly long lines of code.
- Handling of multi-valued attributes has been cleaned up and
changed slightly. If an attribute value contains semicolon
(;) characters it will be assumed to contain a semicolon-
separated list of values. The ZMI "Users" tab will also
display semicolon-separated values for all multi-valued
attributes when you view the record.
- A misconfigured Users base DN setting is now less likely to
lead to complete blowups upon trying to connect to the
LDAP server so that access to the container will always remain
intact and the LDAPUserFolder can be reconfigured or deleted
if needed.
- No blowups from getUser if the name passed in is not a string,
just returns None instead now. (Tracker issue 166 filed by
Romain Eliot)
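
The bind rules from the 1.6beta1 security model entry above, as an added example that is not LDAPUserFolder's own code. It shows why a configured Manager DN is the less security-conscious option: the server's ACL is evaluated against the Manager, not the person making the change. All names, DNs and the ACL are constructed assumptions.

```python
# Added illustration of the bind-identity rules; every name here is
# hypothetical and none of it is LDAPUserFolder's own API.
from dataclasses import dataclass
from typing import Optional

MANAGER_DN = "cn=manager,dc=example,dc=com"          # constructed
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"   # constructed
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"       # constructed

# Constructed server-side ACL: bind DNs the LDAP server lets modify entries.
WRITE_ACL = {MANAGER_DN, ALICE_DN}

@dataclass
class CurrentUser:
    login: str
    dn: Optional[str]  # None: authenticated against another user folder

def choose_bind_dn(manager_dn: Optional[str], user: CurrentUser) -> str:
    """Pick the DN used for an LDAP operation ('' means anonymous bind)."""
    if manager_dn:          # configured Manager DN wins for every operation
        return manager_dn
    if user.dn:             # otherwise act as the logged-in LDAP user
        return user.dn
    return ""               # user unknown to LDAP: anonymous bind

def attempt_write(manager_dn: Optional[str], user: CurrentUser) -> dict:
    """Report which identity the server sees and whether its ACL permits it."""
    bind_dn = choose_bind_dn(manager_dn, user)
    return {
        "requested_by": user.login,
        "bound_as": bind_dn or "<anonymous>",
        "allowed": bind_dn in WRITE_ACL,
    }

if __name__ == "__main__":
    alice = CurrentUser("alice", ALICE_DN)
    bob = CurrentUser("bob", BOB_DN)
    zope_admin = CurrentUser("admin", None)  # lives in another user folder
    for manager in (None, MANAGER_DN):
        for user in (alice, bob, zope_admin):
            print(manager is not None, attempt_write(manager, user))
```

With a Manager DN set, the directory server's own logs attribute every change to the Manager, so per-user accountability has to come from the Zope side.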

1.5
----------------
- Due to the way user object caching was implemented local
role lookup would break for those users who have logins
that are not all lowercase. This has been fixed.
(Tracker issue 163, my thanks go to John Hohm who did
a lot of the detective work for this one himself)
- Using a better search filter in case getGroups is asked
to return all groups available to the LDAPUserFolder.
Improved the doc string for getGroups to clarify its
usage. Michael Stroeder suggested the better search filter.

1.5beta3
---------------------
- New method getLocalUsers added to allow for retrieving
all user DNs and their roles that have roles stored
locally. If user roles are stored locally this method is
now used on the Users ZMI tab to show a list of all
users with locally stored roles. This is more or less a
convenience so that the admin does not have to search
for a specific record and go into the detail screen to
find out about a user's roles.
- The implementation for getGroupDetails was incomplete
for locally stored groups. It is now fully implemented.
- New method "getGroupedUsers" will return a sequence of
user objects for the groups you pass as argument. If no
groups are passed then user objects from all groups
that are visible to the LDAPUserFolder are returned.
- Make unwrapped LDAPUser objects a little more useful
by ensuring __getattr__ can now find the DN attribute.
Trying to call getUserDN on an unwrapped user object
will always raise an error due to the nature of wrapping
and security declarations. __getattr__ does not raise
this error.
- manage_setUserProperty is now more useful by allowing
you to set empty properties, which it did not before.
(Tracker Issue 158, thanks to Sven Thomsen)
- The manage_editUser method will no longer blow up if the
specific user's RDN attribute is not part of the values
passed in. It will now simply take the old record's RDN
value instead.

1.5beta2
---------------------
- The latest versions of OpenLDAP seem to complain about
the LDAP protocol in use if it is not LDAPv3. Added a
workaround that catches the complaint and explicitly
sets the protocol.
- Corrected some faulty default arguments that could have
caused errors in certain cases.
- The group search scope was mis-applied to a search that
takes a group DN and returns its objectClass. This would
cause errors if SCOPE_ONELEVEL is the groups search scope
because that scope does not include the object pointed to
by the group DN. Changed to always use SCOPE_BASE (this
scope searches the current object only) instead (Tracker
issue 141, thanks go to Philippe May).
- A similar bug as the one above afflicted the _lookupuser
method. Changed search scope to SCOPE_BASE as well. Derrick
Hudson spotted the problem.
- Added workaround for a (supposed) shortcoming in python-ldap
where a DN is not part of the search results dictionary even
if asked for it explicitly. Also found by Derrick Hudson.
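
The two search-scope entries above, as an added example that is not LDAPUserFolder's or python-ldap's code. It models the three LDAP scopes over a constructed directory to show why looking up a single DN with SCOPE_ONELEVEL either finds nothing or returns a child entry instead. The scope constants reuse python-ldap's names with local values, and the DN splitting assumes no escaped commas.

```python
# Added illustration: LDAP search scopes modelled over a constructed DIT.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = "base", "onelevel", "subtree"

GROUPS = "ou=groups,dc=example,dc=com"
# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    GROUPS: {"objectClass": ["organizationalUnit"]},
    "cn=admins," + GROUPS: {"objectClass": ["groupOfUniqueNames"]},
    "cn=staff," + GROUPS: {"objectClass": ["accessGroup"]},
    "cn=nested,cn=staff," + GROUPS: {"objectClass": ["groupOfNames"]},
}

def rdns(dn):
    """Split a DN into normalized RDNs (sample DNs have no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is selected by a search at base_dn with this scope."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                 # entry is not at or below the base
    if scope == SCOPE_BASE:
        return depth == 0            # the base object only
    if scope == SCOPE_ONELEVEL:
        return depth == 1            # direct children, never the base itself
    return True                      # SCOPE_SUBTREE: base and all descendants

def search(base_dn, scope):
    """Return the sorted DNs a search would match (no filter applied)."""
    return sorted(dn for dn in DIRECTORY if in_scope(dn, base_dn, scope))

def group_object_classes(group_dn, scope):
    """Look up one group's objectClass the way the changelog describes."""
    hits = search(group_dn, scope)
    return DIRECTORY[hits[0]]["objectClass"] if hits else None

if __name__ == "__main__":
    for dn in ("cn=admins," + GROUPS, "cn=staff," + GROUPS):
        for scope in (SCOPE_ONELEVEL, SCOPE_BASE):
            print(dn, scope, group_object_classes(dn, scope))
```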

1.5beta1
---------------------
- Small fix on add form to ensure form element naming is
consistent (Tracker issue 139 by David Riggs).
- Instead of adding a workaround for the (faulty) ability
to create and have empty group records on Netscape
directory server products (which then won't show up on
the LDAPUserFolder "Groups" tab) I have added a paragraph
in the README that addresses why it happens and what to do.
- A stupid syntax error on my part prevented the "SERVER_DOWN"
exception that was used to determine the freshness of a
reused connection object to ever be caught correctly. Brad
Powell pushed my nose into that and made me fix it.

1.4
----------------
- All actions performed on the management tabs with the
lone exception of the "Custom Forms" tab will now go
back to the same tab, with the correct tab highlighted.
(Tracker issue 127, thanks to David Riggs)
- Expiring users out of the caches when the record got
changed was not working in all cases. The expiration is
now more explicit and involves manipulating the caches
directly instead of changing the expiration time on the
user object (Tracker item 128).
- IE on windoze misbehaves when setting a cookie where
expiration is set to an empty string. All other browsers
(surprise surprise!) behave correctly, but IE will foil
any login attempts when using cookie mode. Added a
workaround (Tracker issue 129).
