Products.ldapuserfolder

Latest version: v5.2


2.6beta2

---------------------
- Previous changes in how the LDAPUserFolder handles the
conversion of LDAP group memberships to Zope roles (it was made
explicit as opposed to automatic and implicit) made the
LDAPUserSatellite less useful for users who expected LDAP
group names to automatically show on the user object. Now the
LDAP User will carry a hidden field for all current LDAP group
memberships, which can then be consulted by the LDAPUserSatellite
to determine what additional roles to hand out. (Suggestion by
Dirk Datzert)
- The LDAPUserSatellite configuration screen would blow up trying
to determine the logging level, which has been removed.
- Before returning a new connection in the internal LDAPDelegate
connection methods the Manage DSA IT control was enabled. This
was the result of misunderstanding the control - it really is
only needed to directly access and manipulate a referral or
alias entry without having the server send you to the referred
or aliased server.
- The old behavior of mapping every LDAP group name a user is a member
of to a Zope role of the same name can now be reactivated using
a new configuration option named "Group mapping" on the
Configuration tab. Many thanks to Dirk Bergstrom for a set of
patches and unit tests.
(http://www.dataflake.org/tracker/issue_00459)

2.6beta1

---------------------
- Spell out how to safely upgrade in README.txt by using the
emergency user to delete/recreate the instances.
- Made the getAttributesOfAllObjects method more resilient by
always providing a key per queried attribute in the resultset
(http://www.dataflake.org/tracker/issue_00456 by Pierre-Julien
Grizel)
- Applied a similar fix to getUserIds and getUserIdsAndNames that
was applied for Tracker issue 441 to make sure empty resultsets
don't lead to catastrophic failures
(http://www.dataflake.org/tracker/issue_00446 by Pierre-Julien
Grizel)
- An earlier special-casing applied by Chris McDonough to
correctly handle AD objectGUID values has been applied in a
second place, in the findUser method (patch by Mark Hammond).
- Deleting a user record would be short-circuited if the user
record itself was not in the DIT anymore, e.g. because someone
manipulated the DIT without the user folder knowing about it.
This prevented cleanups for group memberships from being performed.
(http://www.dataflake.org/tracker/issue_00439 by Hans-Juergen
Sell)
- The getUserNames function did not react correctly in the face of
an empty resultset from getAttributesOfAllObjects and would
prevent admins from using the ZMI local role management view.
getUserNames now also raises an OverflowError if no results have
been returned in order to show a simple text input widget on the
local role management view instead of the multiple choice select
box. (http://www.dataflake.org/tracker/issue_00442 by Andrew
Veitch and http://www.dataflake.org/tracker/issue_00441 by
Hans-Juergen Sell)
- Added the new logging machinery to the LDAPDelegate class which
improves lower-level LDAP problem discovery.
- Moved away from the current way of logging to a purely zLOG-based
mechanism. This will make sure that all logging for Zope is in
one and the same place and that more information can be passed
along to the logging mechanism, such as tracebacks.
(http://www.dataflake.org/tracker/issue_00438 by Mark Hammond)
- Refactored the code that has python-ldap dependencies so that
only the LDAPDelegate instance now holds all the cards. This
enables plugging in different delegate implementations because
subclassing LDAPDelegate and overriding implementation details
has become easier.
(http://www.dataflake.org/tracker/issue_00438 by Mark Hammond)
- Added a registry for delegate implementations so that other
delegate classes can register themselves with this registry and
become available to the LDAPUserFolder during instantiation.

2.5

----------------
- Make the error message that gets created when a connection to the
LDAP server fails a tick more verbose
- Remove an optimization that would cache unsuccessful lookups in
order to prevent undue strain on the LDAP server. The cached
records would prevent an LDAP server lookup for a predetermined
time. This turns into a problem where code tried to check for
the existence of a user before adding it and then trying to
retrieve the new user to operate on it. Since the first lookup
will have created an entry in the cache the second lookup to
retrieve the user will always return None, even though the user
might have been added successfully.
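
The check, add, retrieve sequence described in the 2.5 entry above, as an added example that is not code from LDAPUserFolder. `Directory`, `UserCache`, `check_add_fetch` and the TTL value are hypothetical names and constructed values chosen for illustration.

```python
import time


class Directory:
    """Constructed stand-in for the LDAP server: uid -> record."""

    def __init__(self):
        self.entries = {}

    def search(self, uid):
        return self.entries.get(uid)

    def add(self, uid, record):
        self.entries[uid] = record


class UserCache:
    """Hypothetical lookup cache; negative=True also caches misses for ttl seconds."""

    def __init__(self, directory, negative, ttl=600.0, clock=time.monotonic):
        self.directory = directory
        self.negative = negative
        self.ttl = ttl
        self.clock = clock
        self._store = {}  # uid -> (expiry, record or None)

    def get_user(self, uid):
        hit = self._store.get(uid)
        if hit is not None and hit[0] > self.clock():
            return hit[1]  # may be a cached None, i.e. a remembered miss
        record = self.directory.search(uid)
        if record is not None or self.negative:
            self._store[uid] = (self.clock() + self.ttl, record)
        return record


def check_add_fetch(cache, uid, record):
    """Existence check, add if missing, then retrieve the new user."""
    if cache.get_user(uid) is None:
        cache.directory.add(uid, record)
    return cache.get_user(uid)


def demo():
    rec = {"uid": "jdoe", "cn": "J. Doe"}  # constructed sample record
    stale = check_add_fetch(UserCache(Directory(), negative=True), "jdoe", rec)
    fresh = check_add_fetch(UserCache(Directory(), negative=False), "jdoe", rec)
    return stale, fresh
```

With negative caching the second lookup returns the remembered miss until the entry expires, although the record is already in the directory; without it the second lookup reaches the directory and finds the user.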

2.5beta3

---------------------
- Using the full DN as the user's ID was broken since the AD-related
"objectGUID" changes in 2.5beta1 due to a broken "if" statement.
- Replace deprecated usage of ldap.is_ldap_url, thanks to Sebastien
Munch (http://www.dataflake.org/tracker/issue_00419)
- Add caching to getUserById and getUserByDN, it got "lost" during the
cache changes introduced for version 2.4
(http://www.dataflake.org/tracker/issue_00402)
- Removed the test_all.py helper script - the only supported way to
run the unit tests is using "zopectl test" under Zope 2.7.x and up

2.5beta2

---------------------
- Expiring users from the cache did not work correctly when a user
password was changed or when the roles were edited and the user's
DN contained non-ASCII characters, reported by Helge Tesdal.
(http://www.dataflake.org/tracker/issue_00409)
- In addition to the network-related timeout feature introduced in
2.5beta1 there is now an operations timeout, which is useful if you
have to live with strange network conditions that drop the
connection between the LDAPUserFolder and the LDAP server without
the LDAPUserFolder knowing about it.
- The LDAP over IPC protocol can now be used to communicate with
the LDAP server through a file socket. Please see the README for
additional notes on LDAP over IPC.

2.5beta1

---------------------
- The setting for groups storage was not carried over from the Add
screen when instantiating a new LDAPUserFolder.
http://www.dataflake.org/tracker/issue_00387 by Pierre-Julien
Grizel.
- The getAttributesOfAllObjects method promised to return a mapping
but returned an empty list in case of errors.
- Ignore "DN" when passed in as an attribute to modify within
LDAPDelegate.modify (it is not possible to modify a user's DN
this way).
- When changing user record attributes the "multivalued" flag from
the LDAP Schema configuration was never consulted and if the
new value contained a semicolon (;), it would automatically be
considered multivalued. This made it impossible to have
single-valued attributes with semicolons in them.
(http://www.dataflake.org/tracker/issue_00395)
- Revamp tests so that they can be run comfortably using the Zope
2.7.3+ idiom of running via "zopectl test".
- Deal transparently with marshalling ActiveDirectory "objectGUID"
values. These are binary values, so they can't be sent without
marshalling across the network. This makes it possible to use
an AD objectGUID as a User Id attribute.
- Added a new "Network Timeout" setting to the LDAP server
configuration. The Network Timeout prevents the LDAP connection
from hanging indefinitely if the network connection cannot be
established and connection attempts do not raise an immediate
connection error. Important note: It is possible that during
a request several attempts at connecting to the LDAP server
are made. The time it takes for the LDAPUserFolder to return
control to Zope will be the sum of the connection attempts
multiplied by the chosen Timeout value.
