Products.ldapuserfolder

Latest version: v5.2

Page 8 of 15

2.4

----------------
- Small fix to enable non-ASCII characters in LDAP group names
(JTracker issue 381 by Andreas Jung)

2.4beta3

---------------------
**IMPORTANT NOTE**: This version of the LDAPUserFolder does away with
the old behavior of implicitly mapping LDAP groups
to Zope roles. Any Zope roles that get conferred
are governed by the "LDAP group to Zope role"
form on the "Groups" tab. If you relied on this
behavior please create the appropriate mappings
in your instance.

This version introduces a switchover to the new Zope Public License
(ZPL) version 2.1, which will bring the LDAPUserFolder in line with
future Zope releases.

- Added a method to retrieve the URI for the currently active
LDAP server connection which is now shown in the LDAP Servers
part of the Configure tab.
- Added MD5 to the list of available default password encryption
methods
- Refactored caching using a new simple cache class contributed
by Chris McDonough.
- getAttributeOfAllUsers method removed in favor of a more
general getAttributesOfAllObjects method on LDAPUserFolder
class. Other methods that deal with mass query of object
attributes should likely be gradually refactored in terms
of this method at some point, but for now there is some
duality in the way attribute-centric object queries are
done.
- getUserIds method results are now cached.
- API addition: getUserIdsAndNames method added to
LDAPUserFolder, which returns a sequence of two-tuples (id,
username) for each user found in the tree. This result is
cached.
- Added minimal support for setups where user and groups base
DN is actually the same subtree (e.g. ActiveDirectory). LUF
now specifies a filter for LUF-specified user object classes
during some calls dealing with searching for users
(getUserIds, getUserNames, getUserIdsAndNames).
**If you were relying on older behavior where all objects in
a tree are returned as users from these calls regardless of
their actual object class, you will now need to ensure that you
appropriately specify your user object classes on the main
configuration page.**
One notable exception to this rule is that searching
from the LUF "Users" tab will still expose groups in search
results when user and group base DNs are the same. This is
considered a minor bug in the case that a set of user object
classes are specified and should be fixed.
- The password is no longer logged when Debug-Level logging is
enabled. To go back to the old behavior the old log code is
still in place, but must be enabled by hand in the python code.
This represents a reversed decision on JTracker issue 247.
- Refactored the Groups tab in the Zope Management Interface
(ZMI) to be less cluttered and be clearer about the difference
between group records in LDAP versus roles in Zope.
- LDAPDelegate's search method now ignores nonstandard internal
referrals returned by ActiveDirectory when querying it against
port 389. These referrals aren't returned when querying against
AD's global catalog port, so they seem safe to ignore. This
may make it possible to use LUF against the normal LDAP port (389)
of an AD server without needing to fall back to the GC port.
- Small optimization: when the login id is a DN, don't bother
attempting to contact the LDAP server when the login id isn't
a valid DN. This shortcuts the possibility that the LDAP server
will be queried needlessly for names that aren't real DNs (like
those for users in user folders defined above the folder in which
LUF resides).
- LDAP groups are no longer implicitly mapped to Zope roles. The
roles that are visible on user objects created by the
LDAPUserFolder are dependent on the "LDAP group to Zope role"
mapping that can be manipulated on the "Groups" tab in the ZMI.
The existing behavior of adding the roles specified as "Default
user roles" on the "Configure" tab to all authenticated users
remains the same. This change means that the administrator now has
*full control* over what roles a user can have.
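
The effect of dropping the implicit mapping can be checked before upgrading with a sketch like the following. It is an added example, not LDAPUserFolder code; it assumes the old implicit mapping used each LDAP group's name as the Zope role name, and all function names and sample data are hypothetical.

```python
# Added illustration; not LDAPUserFolder code. All names are hypothetical.

def implicit_roles(ldap_groups, default_roles):
    """Old behaviour (assumed): every LDAP group name becomes a Zope
    role of the same name, on top of the default user roles."""
    return sorted(set(default_roles) | set(ldap_groups))


def explicit_roles(ldap_groups, group_to_role, default_roles):
    """2.4beta3 behaviour: only groups present in the administrator's
    "LDAP group to Zope role" mapping confer a role."""
    roles = set(default_roles)
    for group in ldap_groups:
        role = group_to_role.get(group)
        if role is not None:
            roles.add(role)
    return sorted(roles)


def lost_after_upgrade(users, group_to_role, default_roles):
    """Per user, the roles that were conferred implicitly and vanish
    unless a mapping is created. Usable as an upgrade checklist."""
    report = {}
    for user, groups in users.items():
        before = set(implicit_roles(groups, default_roles))
        after = set(explicit_roles(groups, group_to_role, default_roles))
        if before - after:
            report[user] = sorted(before - after)
    return report


# Constructed sample data: user -> LDAP group memberships.
USERS = {
    "alice": ["Manager", "staff"],
    "bob": ["staff"],
    "carol": ["Editors"],
}
DEFAULTS = ["Anonymous"]            # "Default user roles" on the Configure tab
MAPPING = {"Editors": "Editor"}     # "LDAP group to Zope role" on the Groups tab

if __name__ == "__main__":
    lost = lost_after_upgrade(USERS, MAPPING, DEFAULTS)
    for user, roles in sorted(lost.items()):
        print(user, "no longer receives", roles)
```

An LDAP group that happens to be called "Manager" stops granting the Zope Manager role until an administrator maps it deliberately, which is the control the note above describes.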

2.4beta2

---------------------
From this version on the LDAPUserFolder product will drop
compatibility with Python 2.1. You should use Python 2.2.3
with Zope 2.6.x or Python 2.3.3 with Zope 2.7.x

The separation of Login and User ID as described below is
only fully supported with Zope versions *higher than 2.7.0*.
For earlier versions you should select the same attributes for
both Login and User ID.

Kudos to Chris McDonough for checking in the changes below!

- The following API methods of LDAPUserFolder and LDAPDelegate
did not work properly when they were passed a unicode object
(as opposed to a string) as one of their arguments:

LDAPUserFolder.manage_edit
LDAPDelegate.edit
LDAPDelegate.insert
- When selecting the full DN as the login attribute, a user
was unable to log in if the DN contained non-ASCII characters
(JTracker issue 372 by Ralf Herold).
- Distinction between user id and login name. You can now
configure the attribute used for a user id to use a
different LDAP attribute than the attribute used for a
user's login name. This allows you to configure
LDAPUserFolder, and thus Zope, to use an identifier other
than the user id as a login name. This feature is useful if
you wish to use email addresses or other identifiers which
may change over time as login names.
If you employ this feature, you may allow login names to
change (by updating the LDAP attributes of the entries to
which they refer), but Zope security depends on the user id
remaining constant; you still may not allow the attribute
used for the user id to change without performing "surgery"
on your Zope instance to update local role maps stored in
your ZODB and so forth.
For backwards compatibility purposes, it is possible to set
the user id attribute and the login name attribute to point
to the same LDAP attribute. In the common case, users
upgrading from older LDAPUserFolder versions, who typically
employ "cn" as their login name attribute, should also employ
"cn" as their user id attribute.
The addition of this feature has caused some method
signatures to change in a non-backwards-compatible way.
These are LDAPUserFolder.manage_addLDAPUserFolder,
LDAPUserFolder.LDAPUserFolder.__init__, and
LDAPUserFolder.LDAPUserFolder.manage_edit. Additionally,
code which relies on LDAPUserFolder's "getUserById"
returning the same value as its "getUser" method will break
as a result of this change.
There is a new API method exposed on the LDAPUserFolder
object as a result of this change: "getUserIds", which
returns an enumeration of all user ids.
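
Why the user id must stay constant while the login name may change is easiest to see with local roles keyed by user id. The following is an added example, not LDAPUserFolder code; the `Directory` class, the `uid`/`mail` attribute choice and the sample entry are hypothetical.

```python
# Added illustration; not LDAPUserFolder code. All names are hypothetical.

class Directory:
    """Toy stand-in for an LDAP tree: a list of attribute dicts."""

    def __init__(self, entries, login_attr, uid_attr):
        self.entries = entries
        self.login_attr = login_attr   # what the user types, may change
        self.uid_attr = uid_attr       # what Zope stores, must not change

    def user_id_for_login(self, login):
        """Resolve a login name to the user id, or None if unknown."""
        for entry in self.entries:
            if entry.get(self.login_attr) == login:
                return entry[self.uid_attr]
        return None

    def get_user_ids(self):
        return [entry[self.uid_attr] for entry in self.entries]


def local_roles_for_login(directory, local_roles, login):
    """Local role maps are keyed by user id, never by login name."""
    user_id = directory.user_id_for_login(login)
    return local_roles.get(user_id, []) if user_id is not None else []


def orphaned_ids(directory, local_roles):
    """User ids that still hold local roles but match no directory entry."""
    known = set(directory.get_user_ids())
    return sorted(uid for uid in local_roles if uid not in known)


def demo():
    # Constructed sample data.
    entry = {"uid": "u1001", "mail": "alice@example.org"}
    directory = Directory([entry], login_attr="mail", uid_attr="uid")
    local_roles = {"u1001": ["Owner"]}   # as stored in the ZODB

    entry["mail"] = "alice.b@example.org"          # login name changes
    after_rename = local_roles_for_login(directory, local_roles,
                                         "alice.b@example.org")
    entry["uid"] = "u2002"                         # user id changes
    after_reid = local_roles_for_login(directory, local_roles,
                                       "alice.b@example.org")
    return after_rename, after_reid, orphaned_ids(directory, local_roles)


if __name__ == "__main__":
    print(demo())
```

Running `orphaned_ids` against an export of local role maps is one way to spot entries left behind by a changed id attribute.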

2.4beta1

---------------------
This version *requires* you to delete and reinstantiate all
existing LDAPUserFolder and LDAPUserSatellite instances!

- Added call to clear the internal caches after a user has been
added so that getUserNames cannot return a stale user list
(JTracker issue 362 posted by Nick Bower).
- The getMultiValuedUserAttrs method was protected by an invalid
permission (JTracker issue 355 by Florent Guillaume).
- Add shortcut in getUser to immediately return None if the passed
name is empty or None.
- If it is available I am now using the ReconnectLDAPObject for
LDAP connections since it promises to hide temporary connection
problems and long connection timeouts. This could potentially
fix JTracker issue 324 by P.-J Grizel.
- A new SharedResource module based on Dieter Maurer's package is
now used to provide storage for resources that benefit from
being globally unique such as caches, the log and the LDAP
server connection object. This brings several advantages, such
as:

- The log tab will always show the same thing, regardless of
which Zope thread handled the rendering.
- The LDAP connection itself does not need to be established
for each thread, one connection handles all threads. This
will probably fix JTracker issue 337 by Florent Guillaume.
- The user object cache is globally unique now, meaning the
number of trips back to the LDAP server should be reduced.
- The list of user IDs generated by calls to getUserList is
no longer a thread-level variable but globally shared,
meaning this potentially expensive search operation will be
performed less often.
- These changes were also applied to the LDAPUserSatellite
log, user to role mapping and expiration mappings.

2.3

----------------
- Noticed that sometimes "empty" authentication credentials lead
to unnecessary lookups for non-existing users. Relaxed a
specific authentication check so this is prevented.
- The unicode changes had possible disabling consequences for
group-to-role mappings defined on the Groups tab. Thanks go
to Helge Tesdal for pointing that one out.

2.3beta3

---------------------
- Fixed a couple buglets found by Florent Guillaume (JTracker
issue 333).
- Florent also noticed code that would trigger unnecessary
MODRDN calls when a user record was updated. This extra call
did not damage the record, it was just unnecessary work
(issue 334).
- Dieter Maurer provided the explanation for a recursion error
in the __getattr__ method on the LDAPUser object that a
few people had run into (JTracker issue 338 by Michael
Crawford).
- The getGroupedUsers method was not working if the groups are
stored in the user folder itself (JTracker issue 342, thanks
Florent Guillaume again).
- Spurred by Helge Tesdal and Nate Aune I spent a little more
time on the unicode-ability. Now a user that has non-ASCII
characters not just in arbitrary attributes but also in
attributes that form part of the full DN are processed
correctly. This required quite a few changes, so any feedback
is very welcome.

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.