Products.ldapuserfolder

Latest version: v5.2

2.3beta2
---------------------
- Cut down on the number of LDAP lookups in cases where the
user lookup happens "anonymously", meaning not as part of a
normal authenticated request but from the Zope security
machinery for things like ownership-related security checks.
Thanks to Kyler Laird for bringing this one up.
- All user lookups are now limited to those object classes
defined in the "User object classes" configuration setting
on the "Configure" tab. Previously the lookup policy was
much more lenient and accepted every record where the login
matched - now the object classes have to match as well.
***WARNING - THIS MIGHT BREAK YOUR SITE IF YOU WERE SLOPPY
WITH THE OBJECT CLASSES SETTING AND USAGE!***
Due to the possible breakage I had been sitting on Tracker
issue 294, filed by Andy Dustman, for quite a while before
going with it. Thanks for keeping the pressure on - it is
"the right thing" to do.
- The "Users" tab will now show a little more information on
the user record detail view by default, namely the DN and
the object classes.
- The unit tests have been changed to work with the latest
and greatest (Zope 2.7 and Python 2.3.2), which is now the
default platform used to test and develop this product.
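
The stricter lookup policy described in this release, sketched as an added example (not code from LDAPUserFolder): a search filter that requires the login match and every configured object class, with surrounding parentheses and RFC 4515 escaping of the login value. The helper names, the AND combination of the classes, the case-insensitive comparison and the sample records are assumptions made for illustration.

```python
# Added illustration; not code from Products.LDAPUserFolder.
# Helper names are hypothetical; sample records below are constructed.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lenient_filter(login_attr, login):
    """Old policy: any record whose login attribute matches is accepted."""
    return "(%s=%s)" % (login_attr, escape_filter_value(login))


def strict_filter(login_attr, login, object_classes):
    """New policy: the login must match AND the record must carry every
    configured object class (assumption: the classes are ANDed)."""
    if not object_classes:
        raise ValueError("no user object classes configured")
    terms = [lenient_filter(login_attr, login)]
    terms += ["(objectClass=%s)" % escape_filter_value(oc) for oc in object_classes]
    return "(&%s)" % "".join(terms)


def matches(record, login_attr, login, object_classes):
    """Apply the strict policy to an in-memory record (dict of lists).
    Assumption: values compare case-insensitively, as uid and objectClass do."""
    have = {oc.lower() for oc in record.get("objectClass", [])}
    logins = {v.lower() for v in record.get(login_attr, [])}
    return login.lower() in logins and all(oc.lower() in have for oc in object_classes)


if __name__ == "__main__":
    classes = ["top", "person"]  # constructed "User object classes" setting
    person = {"uid": ["jdoe"], "objectClass": ["top", "person"]}
    account = {"uid": ["jdoe"], "objectClass": ["top", "account"]}
    print(strict_filter("uid", "jdoe", classes))
    print(lenient_filter("uid", "doe (ext)"))
    print(matches(person, "uid", "JDoe", classes))   # same login, right classes
    print(matches(account, "uid", "jdoe", classes))  # same login, wrong classes
```

Running the lenient and strict policies against an existing directory export before upgrading shows which records would stop resolving as users under the new behaviour.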

2.3beta1
---------------------
- Use of the distinguished name as login attribute was broken
in version 2.2 - thanks to Ralf Herold for the information
(JTracker issue 312)
- The API documentation for manage_addUser in the Zope Help
System was slightly off, thanks go to Eugene Prigorodov for
pointing that out (Issue 319).
- Cleaned up LDAP filter strings used by the product to have
surrounding parentheses.
- Enable correct handling of DN elements that contain bad
characters, such as backslash-escaped commas (Bug report
by Stephen Kirby)

2.2
----------------
- User attributes can now be declared "multi-valued" in the
LDAP Schema, thereby ensuring that all values for that
attribute are stored on the user object (Feature request by
Jean Jordaan, JTracker issue 294).
- While investigating JTracker issue 309 ("problem changing password")
it became apparent that previous fixes to correctly use mapped
attributes during user creation were flawed. Also, _expireUser is
now more resilient against receiving invalid user information.

2.2beta4
---------------------
- LDAP Referrals are now chased for searches as well. (JTracker
issue 277 by Eric Brun) LDAP Referrals in general *require*
LDAP server support for version 3 of the LDAP protocol. Almost
all newer servers should be able to handle that.
- Removed non-existent "_expire" call from the interfaces file
for the LDAPUser class (JTracker issue 303 filed by Jean Jordaan)
- Added "clear" password encryption scheme to the choices
available when adding a new LDAPUserFolder (JTracker issue
295, thanks to Andy Dustman)
- Added some (obviously missing) logging calls. Thanks to Jean
Jordaan for telling me about it (JTracker issue 300). Also,
added a missing message return from the LDAPDelegate modify
method.
- Revamped group handling a little bit so that the
GROUP_MEMBER_MAP mapping in the utils module is the central
place where permissible groups and their member types are
stored. Fixed issue 289 by Eric Brun which was suffering from
a related problem at the same time.
- If a new user is created and the form fields are not named
after the real LDAP attribute names but with mapped names
as specified on the LDAP schema tab the correct reverse
translation will now be done (JTracker issue 301, thanks to
Doug Winter)
- Cleaned out a bunch of unneeded imports
- Added some very interesting ActiveDirectory secrets uncovered
by Larry Prikockis to the ActiveDirectory README. This has the
potential of helping a lot of people who have difficulties
integrating Zope and ActiveDirectory.

2.2beta3
---------------------
- The routine used to create a crypt-style password string
did not take enough precautions to ensure that the salt value
used stays pure ASCII. This could prevent users from logging in.

2.2beta2
---------------------
- The list of LDAP servers will now respect the order in which
they were added and the connection process will go through the
servers in that same order, starting at the top of the list as
visible on the "Configure" tab. (JTracker issue 284 by Dirk
Datzert)
- Started a separate README for those hapless users who are stuck
on Active Directory with input from Philipp Kutter (JTracker
issue 280), see README.ActiveDirectory.txt
- If roles were stored locally and a user with locally stored
roles had all roles removed that user would still show up in
the user listing, even if the user record itself was removed
from LDAP. Now removal of all roles will clean the internal
roles storage mechanism correctly. Thanks go to Hans-Juergen
Sell for letting me know.
- When a user logs in the application will no longer construct
the user object with the name typed in by the user but will
look it up in the LDAP record itself. That way a user will
always be represented by the same username, regardless of what
capitalization was used upon login (JTracker issue 282, thanks
go to Ronan Amicel)
- Domain restrictions put on the emergency/init-users were not
respected, thanks to Dirk Datzert for pointing that out
in JTracker issue 283.
- Broke the Caches tab if and when the anonymous cache
contained any users, the display for anonymous cache users
was calling a non-existing method. (JTracker issue 281, my
thanks go to Ronan Amicel)
- Logic error in getGroups corrected that could lead to binding
with an invalid user/password pair. Now the decision what to
bind as is left completely up to the LDAPDelegate itself.
- Added workaround for changed behavior of ldap.explode_dn
which will blow up now if the passed-in DN does not contain
at least one key=value pair.
- Removed superfluous argument to manage_setUserProperty
(Tracker issue 270 by Dirk Datzert)
- Fixed manage_setUserProperty errors that crept in during
the last great code reorganization and also added a unit
test to exercise this method. (Tracker issue 269, thanks to
Dirk Datzert again for pointing that out)
