HISTORY.txt for the LDAPUserFolder This file contains change information for the LDAPUserFolder product for revisions before the current version. 2.5 Others: * Make the error message that gets created when a connection to the LDAP server fails a tick more verbose Bugs fixed: * Remove an optimization that would cache unsuccessful lookups in order to prevent undue strain on the LDAP server. The cached records would prevent a LDAP server lookup for a pretermined time. This turns into a problem where code tried to check for the existence of a user before adding it and then trying to retrieve the new user to operate on it. Since the first lookup will have created an entry in the cache the second lookup to retrieve the user will always return None, even though the user might have been added successfully. 2.5beta3 Bugs fixed: * Using the full DN as the user's ID was broken since the AD-related "objectGUID" changes in 2.5beta1 due to a broken "if" statement. * Replace deprecated usage of ldap.is_ldap_url, thanks to Sebastien Munch (http://www.dataflake.org/tracker/issue_00419) * Add caching to getUserById and getUserByDN, it got "lost" during the cache changes introduced for version 2.4 (http://www.dataflake.org/tracker/issue_00402) Others: * Removed the test_all.py helper script - the only supported way to run the unit tests is using "zopectl test" under Zope 2.7.x and up 2.5beta2 Bugs fixed: * Expiring users from the cache did not work correctly when a user password was changed or when the roles were edited and the user's DN contained non-ASCII characters, reported by Helge Tesdal. (http://www.dataflake.org/tracker/issue_00409) Features added: * In addition to the network-related timeout feature introduced on 2.5beta1 there is now a operations timeout, which is useful if you have to live with strange network conditions that drop the connection between the LDAPUserFolder and the LDAP server without the LDAPUserFolder knowing about it. * The LDAP over IPC protocol can now be used to communicate with the LDAP server through a file socket. Please see the README for additional notes on LDAP over IPC. 2.5beta1 Bugs fixed: * The setting for groups storage was not carried over from the Add screen when instantiating a new LDAPUserFolder. http://www.dataflake.org/tracker/issue_00387 by Pierre-Julien Grizel. * The getAttributesOfAllObjects method promised to return a mapping but returned an empty list in case of errors. * Ignore "DN" when passed in as an attribute to modify within LDAPDelegate.modify (it is not possible to modify a user's DN this way). * When changing user record attributes the "multivalued" flag from the LDAP Schema configuration was never consulted and if the new value contained a semicolon (;), it would automatically be considered multivalued. This made it impossible to have single-valued attributes with semicolons in it. (http://www.dataflake.org/tracker/issue_00395) Features added: * Revamp tests so that they can be run comfortably using the Zope 2.7.3+ idiom of running via "zopectl test". * Deal transparently with marshalling ActiveDirectory "objectGUID" values. These are binary values, so they can't be sent without marshalling across the network. This makes it possible to use an AD objectGUID a User Id attribute, * Added a new "Network Timeout" setting to the LDAP server configuration. The Network Timeout prevents the LDAP connection from hanging indefinitely if the network connection cannot be established and connection attempts do not raise an immediate connection error. Important note: It is possible that during a request several attempts at connecting to the LDAP server are made. The time it takes for the LDAPUserFolder to return control to Zope will be the sum of the connection attempts multiplied by the chosen Timeout value. 2.4 Bugs fixed: * Small fix to enable non-ASCII characters in LDAP group names (JTracker issue 381 by Andreas Jung) 2.4beta3 **IMPORTANT NOTE**: This version of the LDAPUserFolder does away with the old behavior of implicitly mapping LDAP groups to Zope roles. Any Zope roles that get conferred are governed by the "LDAP group to Zope role" form on the "Groups" tab. If you relied on this behavior please create the appropriate mappings in your instance. This version introduces a switchover to the new Zope Public License (ZPL) version 2.1, which will bring the LDAPUserFolder in line with future Zope releases. Features added: * Added a method to retrieve the URI for the currently active LDAP server connection which is now shown in the LDAP Servers part of the Configure tab. * Added MD5 to the list of available default password encryption methods * Refactored caching using a new simple cache class contributed by Chris McDonough. * Internal changes: - getAttributeOfAllUsers method removed in favor of a more general getAttributesOfAllObjects method on LDAPUserFolder class. Other methods that deal with mass query of object attributes should likely be gradually refactored in terms of this method at some point, but for now there is some duality in the way attribute-centric object queries are done. - getUserIds method results are now cached. * API addition: getUserIdsAndNames method added to LDAPUserFolder, which returns a sequence of two-tuples (id, username) for each user found in the tree. This result is cached. * Added minimal support for setups where user and groups base DN is actually the same subtree (e.g. ActiveDirectory). LUF now specifies a filter for LUF-specified user object classes during some calls dealing with searching for users (getUserIds, getUserNames, getUserIdsAndNames). **If you were relying on older behavior where all objects in a tree are returned as users from these calls regardless of their actual object class, you will now need ensure that you appropriately specify your user object classes on the main configuration page.** One notable exception to this rule is that searching for from the LUF "Users" tab will still expose groups in search results when user and group base DNs are the same. This is considered a minor bug in the case that a set of user object classes are specified and should be fixed. * The password is no longer logged when Debug-Level logging is enabled. To go back to the old behavior the old log code is still in place, but must be enabled by hand in the python code. This represents a reversed decision on JTracker issue 247. * Refactored the Groups tab in the Zope Management Interface (ZMI) to be less cluttered and be clearer about the difference between group records in LDAP versus roles in Zope. * LDAPDelegate's search method now ignores nonstandard internal referrals returned by ActiveDirectory when querying it against port 389. These referrals aren't returned when querying against AD's global catalog port, so they seem safe to ignore. This may make it possible to use LUF against the normal LDAP port (389) of an AD server without needing to fall back to the GC port. * Small optimization: when the login id is a DN, don't bother attempting to contact the LDAP server when the login id isn't a valid DN. This shortcuts the possibility that the LDAP server will be queried needlessly for names that aren't real DNs (like those for users in user folders defined above the folder in which LUF resides). * LDAP groups are no longer implicitly mapped to Zope roles. The roles that are visible on user objects created by the LDAPUserFolder are dependent on the "LDAP group to Zope role" mapping that can be manipulated on the "Groups" tab in the ZMI. The existing behavior of adding the roles specified as "Default user roles" on the "Configure" tab to all authenticated users remains the same. This change means that the administrator now has *full control* over what roles a user can have. 2.4beta2 ** IMPORTANT NOTES ** * From this version on the LDAPUserFolder product will drop compatibility with Python 2.1. You should use Python 2.2.3 with Zope 2.6.x or Python 2.3.3 with Zope 2.7.x * The separation of Login and User ID as described below is only fully supported with Zope versions *higher than 2.7.0*. For earlier version you should select the same attributes for both Login and User ID. Bugs fixed: (Kudos to Chris McDonough to check in the changes below!) * The following API methods of LDAPUserFolder and LDAPDelegate did not work properly when they were passed a unicode object (as opposed to a string) as one of their arguments: LDAPUserFolder.manage_edit LDAPDelegate.edit LDAPDelegate.insert * When selecting the full DN as login attributes a user was unable to log in if the DN contained non-ASCII characters (JTracker issue 372 by Ralf Herold). Features added: * Distinction between user id and login name. You can now configure the attribute used for a user id to use a different LDAP attribute than the attribute used for a user's login name. This allows you to configure LDAPUserFolder, and thus Zope, to use an identifier other than the user id as a login name. This feature is useful if you wish to use email addresses or other identifiers which may change over time as login names. If you employ this feature, you may allow login names to change (by updating the LDAP attributes of the entries to which they refer), but Zope security depends on the user id remaining constant; you still may not allow the attribute used for the user id to change without performing "surgery" on your Zope instance to update local role maps stored in your ZODB and so forth. For backwards compatibility purposes, it is possible to set the user id attribute and the login name attribute to point to the same LDAP attribute. In the common case, users upgrading from older LDAPUserFolder versions, whom typically employ "cn" as their login name attribute should also employ "cn" as their user id attribute. The addition of this feature has caused some method signatures to change in a non-backwards-compatible way. These are LDAPUserFolder.manage_addLDAPUserFolder, LDAPUserFolder.LDAPUserFolder.__init__, and LDAPUserFolder.LDAPUserFolder.manage_edit. Additionally, code which relies on LDAPUserFolder's "getUserById" returning the same value as its "getUser" method will break as a result of this change. There is a new API method exposed on the LDAPUserFolder object as a result of this change: "getUserIds", which returns an enumeration of all user ids. 2.4beta1 ** NOTE ** This version *requires* you to delete and reinstantiate all existing LDAPUserFolder and LDAPUserSatellite instances! Bugs fixed: * Added call to clear the internal caches after a user has been added so that getUserNames cannot return a stale user list (JTracker issue 362 posted by Nick Bower). * The getMultiValuedUserAttrs method was protected by an invalid permission (JTracker issue 355 by Florent Guillaume). * Add shortcut in getUser to immediately return None is the passed name is empty or None. Features added: * If it is available I am now using the ReconnectLDAPObject for LDAP connections since it promises to hide temporary connection problems and long connection timeouts. This could potentially fix JTracker issue 324 by P.-J Grizel. * A new SharedResource module based on Dieter Maurer's package is now used to provide storage for resources that benefit from being globally unique such as caches, the log and the LDAP server connection object. This brings several advantages, such as... - The log tab will always show the same thing, regardless of which Zope thread handled the rendering. - The LDAP connection itself does not need to be estableshed for each thread, one connection handles all threads. This will probably fix JTracker issue 337 by Florent Guillaume. - The user object cache is globally unique now, meaning the number of trips back to the LDAP server should be reduced. - The list of user IDs generated by calls to getUserList is no longer a thread-level variable but globally shared, meaning this potentially expensive search operation will be performed less often. - These changes were also applied to the LDAPUserSatellite log, user to role mapping and expiration mappings. 2.3 Bugs fixed: * Noticed that sometimes "empty" authentication credentials lead to unnecessary lookups for non-existing users. Relaxed a specific authentication check so this is prevented. * The unicode changes had possible disabling consequences for group-to-role mappings defined on the Groups tab. Thanks go to Helge Tesdal for pointing that one out. 2.3beta3 Bugs fixed: * Fixed a couple buglets found by Florent Guillaume (JTracker issue 333). * Florent also noticed code that would trigger unnecessary MODRDN calls when a user record was updated. This extra call did not damage the record, it was just unnecessary work (issue 334). * Dieter Maurer provided the explanation for a recursion error in the __getattr__ method on the LDAPUser object that a few people had run into (JTracker issue 338 by Michael Crawford). * The getGroupedUsers method was not working if the groups are stored in the user folder itself (JTracker issue 342, thanks Florent Guillaume again). * Spurred by Helge Tesdal and Nate Aune I spent a little more time on the unicode-ability. Now a user that has non-ASCII characters not just in arbitrary attributes but also in attributes that form part of the full DN are processed correctly. This required quite a few changes, so any feedback is very welcome. 2.3beta2 Bugs fixed: * Cut down on the number of LDAP lookups in cases where the user lookup happens "anonymously", meaning not as part of a normal authenticated request but from the Zope security machinery for things like ownership-related security checks. Thanks to Kyler Laird for bringing this one up. Features added: * All user lookups are now limited to those object classed defined in the "User object classes" configuration setting on the "Configure" tab. Previously the lookup policy was much more lenient and accepted every record where the login matched - now the object classes have to match as well. ***WARNING - THIS MIGHT BREAK YOUR SITE IF YOU WERE SLOPPY WITH THE OBJECT CLASSES SETTING AND USAGE!*** Due to the possible breakage I had been sitting on Tracker issue 294, filed by Andy Dustman, for quite a while before going with it. Thanks for keeping te pressure on - it is "the right thing" to do. * The "Users" tab will now show a little more information on the user record detail view by default, namely the DN and the object classes. * The unit tests have been changed to work with the latest and greatest (Zope 2.7 and Python 2.3.2), which is now the default platform used to test and develop this product. 2.3beta1 Bugs fixed: * Use of the distinguished name as login attribute was broken in version 2.2 - thanks to Ralf Herold for the information (JTracker issue 312) * The API documentation for manage_addUser in the Zope Help System was slightly off, thanks go to Eugene Prigorodov for pointing that out (Issue 319). * Cleaned up LDAP filter strings used by the product to have surrounding parentheses. * Enable correct handling of DN elements that contain bad characters, such as backslash-escaped commas (Bug report by Stephen Kirby) 2.2 Features added: * User attributes can now be declared "multi-valued" in the LDAP Schema, thereby ensuring that all values for that attribute are stored on the user object (Feature request by Jean Jordaan, JTracker issue 294). Bugs fixed: * While investigating JTracker issue 309 ("problem changing password") it became apparent that previous fixes to correctly use mapped attributes during user creation were flawed. Also, _expireUser is now more resilient against receiving invalid user information. 2.2beta4 Bugs fixed: * LDAP Referrals are now chased for searches as well. (JTracker issue 277 by Eric Brun) LDAP Referrals in general *require* LDAP server support for version 3 of the LDAP protocol. Almost all newer servers should be able to handle that. * Removed non-existent "_expire" call from the interfaces file for the LDAPUser class (JTracker issue 303 filed by Jean Jordaan) * Added "clear" password encryption scheme to the choices available when adding a new LDAPUserFolder (JTracker issue 295, thanks to Andy Dustman) * Added some (obviously missing) logging calls. Thanks to Jean Jordaan for telling me about it (JTracker issue 300). Also, added a missing message return from the LDAPDelegate modify method. * Revamped group handling a little bit so that the GROUP_MEMBER_MAP mapping in the utils module is the central place where permissible groups and their member types are stored. Fixed issue 289 by Eric Brun which was suffering from a related problem at the same time. * If a new user is created and the form fields are not named after the real LDAP attribute names but with mapped names as specified on the LDAP schema tab the correct reverse translation will now be done (JTracker issue 301, thanks to Doug Winter) * Cleaned out a bunch of unneeded imports * Added some very interesting ActiveDirectory secrets uncovered by Larry Prikockis to the ActiveDirectory README. This has the potential of helping a lot of people who have difficulties integrating Zope and ActiveDirectory. 2.2beta3 Bugs fixed: * The routine used to create a crypt-style password string did not take enough precautions to ensure that the salt value used stays pure ASCII. This could prevent users from logging in. 2.2beta2 Features added: * The list of LDAP servers will now respect the order in which they were added and the connection process will go through the servers in that same order, starting at the top of the list as visible on the "Configure" tab. (JTracker issue 284 by Dirk Datzert) * Started a separate README for those hapless users who are stuck on Active Directory with input from Philipp Kutter (JTracker issue 280), see README.ActiveDirectory.txt Bugs fixed: * If roles were stored locally and a user with locally stored roles had all roles removed that user would still show up in the user listing, even if the user record itself was removed from LDAP. Now removal of all roles will clean the internal roles storage mechanism correctly. Thanks go to Hans-Jürgen Sell for letting me know. * When a user logs in the application will no longer construct the user object with the name typed in by the user but will look it up in the LDAP record itself. That way a user will always be represented by the same username, regardless of what capitalization was used upon login (JTracker issue 282, thanks go to Ronan Amicel) * Domain restrictions put on the emergency/init-users were not respected, thanks to Dirk Datzert for pointing that out in JTracker issue 283. * Broke the Caches tab if and when the anonymous cache contained any users, the display for anonymous cache users was calling a non-existing method. (JTracker issue 281, my thanks go to Ronan Amicel) * Logic error in getGroups corrected that could lead to binding with an invalid user/password pair. Now the decision what to bind as is left completely up to the LDAPDelegate itself. * Added workaround for changed behavior of ldap.explode_dn which will blow up now if the passed-in DN does not contain at least one key=value pair. * Removed superfluous argument to manage_setUserProperty (Tracker issue 270 by Dirk Datzert) * Fixed manage_setUserProperty errors that crept in during the last great code reorganization and also added a unit test to exercise this method. (Tracker issue 269, thanks to Dirk Datzert again for pointing that out) 2.2beta1 Features added: * Cache timeouts can now be set from the Caches tab in the ZMI (Tracker issue 263 by Michael Lindig) Bugs fixed: * "Manager DN usage" set to "Always" would still bind as the user itself after the initial bind, now it only uses the Manager credentials. Had to insert a bind as the user to determine password validity, though. (Tracker issue 266) 2.1 No significant changes between 2.1 beta3 and 2.1 2.1beta3 Bugs fixed: * Fixed a LDAP server misbehavior where a bind operation with a valid user DN but empty password would seemingly succeed. This behavior was only obvious in 2.1beta2 because I removed code I considered obsolete. Also added unittests for authentication and extended the FakeLDAP module to emulate LDAP server binding behavior. (Tracker issue 257, my thanks go to Jan-Wijbrand Kolman) 2.1beta2 Bugs fixed: * Apparently there are situations when a call to getGroups returns a tuple. Code in the LDAPUserSatallite expected it to be a list (Tracker issue 244). * If the LDAPUserFolder was configured to always bind using the Manager DN it was possible to log in with the wrong password (Tracker issues 246 and 248, thanks go to Michael Lindig). * Found a problem deleting all values for a user attribute from the ZMI which would throw an error. Discovered while looking at the (unrelated?) issue 251 in the tracker, which also dealt with a problem when clearing an attribute. 2.1beta1 Bugs fixed: * Cleaned up a mismatch between the delegate edit method and signature expected by the LDAPUserFolder code that talks to it (Tracker Issue 224 pointed out by Albert Chin-A-Young and others) * More cleanup in the way a LDAPUserFolder authenticates to the LDAP server. The setting specified under "Manager DN usage" is now respected for all record modifications and deletions as well. * Michail Bachmann pointed out some code errors in the LDAPUserSatellite code that had crept in when switching to using the LDAPDelegate (tracker issue 233). Features added: * Finally added a full suite of unit tests for most components in the package. * If your LDAP server hands out referrals during an attempted write operation (add, modify or delete a user record) then this is now handled correctly, at least if you run OpenLDAP and python-ldap versions 2.0 or higher. * Implemented read-only mode where any writes to the LDAP server are disabled (Tracker issue 228 filed by Tom Deprez). Features removed: * Officially removed compatibility with python-ldap 1.x versions. Due to an oversight on my part some incompatible code was already in the 2.0-series, but now I am finally dropping any pretenses about supporting that old version. 2.0 Bugs fixed: * Made encoding tasks a little cheaper if you set the encoding to UTF-8 in the utils.py "encoding" settings (Tracker issue 203, thanks go to Artur Zaprzala for suggesting a good way of handling this) 2.0beta3 Bugs fixed: * Changing a password would result in an error (Tracker issue 204 posted by Massimiliano Russo) * If no results were returned from a user record search inside getUserDetails then a faulty check for the length of the returned result set would make it error out. Tracker issue 206, posted by William Carrel. * Make sure that rebinding in _lookupuser will really fulfill the promise of "uses the DN and password of the currently logged-in user" in case the selected Manager DN usage calls for it. (Tracker issue 210 by Oliver Pabst) Features added: * "clear" has been added as a choice for password encryption mechanism. The password will be stored unencrypted in LDAP in that case. (Tracker issue 209 by Oliver Pabst) 2.0beta2 Features added: * Thanks to a patch from Artur Zaprzala the default encoding that gets applied to results from the LDAP servers can now be changed in the utils module, whereas before it was hardcoded to be "Latin-1" in all places. * The getUserDetails method API was extended to allow passing in a sequence of desired attributes. This is helpful when certain attributes (e.g. binary pictures) are not needed and would unnecessarily slow down the request. This feature suggested by Artur Zaprzala. Bugs fixed: * The module reorganization broke the decoding of UTF-8 values which meant non-ASCII characters appeared as garbage characters. Artur Zaprzala posted a set of patches in Tracker issue 198 to fix the issue and simplify/improve the unicode handling in general. 2.0beta1 Version 2.0 represents a major code base refactoring. The main goals were code simplification, cruft removal and improving maintainability for me. While this meant putting the axe to some features it also enabled me to implement some other functionality that would have been much harder to do using the old code. Features removed: * ZBabel support has been discontinued. I have received very little (meaning No) feedback on it and even before it was offered only very few people requested it. I myself did not have an environment set up where I could maintain the translation dictionaries, mainly because the way they are updated is (in my opionion) a huge PITA. I got tired of lugging code along that got more stale with every update I did to the main cod. Since I have been on a simplification spree for version 2.0 it was one of the first items to go. My apologies to Dirk Datzert who performed the most of the ZBabel integration work last year. * Cookie support is no longer built into the product. If you need cookie-based authentication I recommend installing the CookieCrumbler product alongside the LDAPUserFolder. It performs all functionalities of the built-in cookie support. See http://www.zope.org/Members/hathawsh/CookieCrumbler for information and download. Features added: * You can now specify multiple LDAP servers to be used by the LDAPUserFolder. Servers are used in a failover fashion. If the first server in the list is down the next one is contacted, etc. This assumes that the LDAP data structure on both servers is identical, e.g. the users search base is the same. * The LDAPUserSatellite can now be used in recursive fashion. This means it can go out and consult all LDAPUserSatellites in its acquisition path and have them make any role manipulations before doing its own work, thereby getting a cumulative effect. Please use caution with this feature because it is potentially very expensive. 1.6 That's it, folks... this is the end of the 1.x line of LDAPUserFolders. The new version, LDAPUserFolder 2.x, is out by now and I encourage everyone to give it a try. It has many added features and, above all, a refactored code base that makes it easier for me to maintain and improve. From this point on no new features will be added to the 1.x series, and only urgent bug fixes. All development will concentrate on the 2.x series. 1.6beta3 Bugs fixed: * Fixed a bug that could allow access with an invalid password (Tracker issues 185, 188) Features added: * Some more small logging improvements 1.6beta2 Features added: * A brand new object can now be instantiated after upgrading to this version. It's called "LDAPUserSatellite" and is used to manipulate roles for a user based on the context the user is in if a LDAPUserSatellite is around. Roles can be manipulated by applying a mapping from LDAP group to additional Zope role and/or performing a group record lookup in an additional groups search path on your LDAP server. The LDAPUserSatellite does not directly change global roles on the user object like the LDAPRoleTwiddler and LDAPRoleExtender did, it uses internal Zope security mechanisms to compute roles based on context. This new object replaces both the LDAPRoleTwiddler and the LDAPRoleExtender, which are hereby deprecated. Thanks go to Dirk Datzert who did some extensive testing and helped me hunt down a lot of bugs. * Better logging for using cached users * Caches ZMI tab more informative by presenting both authenticated and anonymous cache contents Bugs fixed: * Update some outdated help files for the LDAPUserFolder 1.6beta1 Features added: * Group type accessGroup added to the list of group records recognized and usable within the LDAPUserFolder. Michael Stroeder spotted this type of group on a IBM SecureWay directory server. * More efficient groups search filter for specific user record, suggested by Michael Stroeder. * Logging and caching are factored out into instance-level objects * The security model has seen a complete change to make it simpler and to respect access controls placed on the LDAP server itself more: - providing a Manager DN and password is optional - if a Manager DN has been provided in the configuration then that DN will be used to bind for every single LDAP operation - if no Manager DN has been provided then the current user's DN will be used for binding. - if no Manager DN has been provided and a user who authenticated against another user folder is attempting to perform LDAP operations it will be performed with an anonymous bind. This all implies that if you want to make changes in LDAP that require specific rights you must either log in as a user with those specific rights or use the less security-conscious workaround of providing a Manager DN in the LDAPUserFolder configuration. If you attempt to make changes with a Manager user authenticated against another user folder you might not be able to, which might be a source of confusion for some Zope admins. Bugs fixed: * Catch ldap.PARTIAL_RESULTS after issuing a search request to the server, something the Micro$haft "Active Directory" server seems to like doing. Thanks go to Brad Powell for reporting this nonstandard server behavior. * Reclassified and clarified some logging calls and their message output. * A lot of "whitespace normalization" (hate that expression!) and fixes to overly long lines of code. * Handling of multi-valued attributes has been cleaned up and changed slightly. If an attribute value contains semicolon (;) characters it will be assumed to contain a semicolon- separated list of values. The ZMI "Users" tab will also display semicolon-separated values for all multi-valued attributes when you view the record. * A misconfigured Users base DN setting is now less likely to lead to complete blowups upon trying to connect to the LDAP server so that access to the container will always remain intact and the LDAPUserFolder can be reconfigured or deleted if needed. * No blowups from getUser if the name passed in is not a string, just returns None instead now. (Tracker issue 166 filed by Romain Eliot) 1.5 Bugs fixed: * Due to the way user object caching was implemented local role lookup would break for those users who have logins that are not all lowercase. This has been fixed. (Tracker issue 163, my thanks go to John Hohm who did a lot of the detective work for this one himself) * Using a better search filter in case getGroups is asked to return all groups available to the LDAPUserFolder. Improved the doc string for getGroups to clarify its usage. Michael Stroeder suggested the better search filter. 1.5beta3 Features added: * New method getLocalUsers added to allow for retrieving all user DNs and their roles that have roles stored locally. If user roles are stored locally this method is now used on the Users ZMI tab to show a list of all users with locally stored roles. This is more or less a convenience so that the admin does not have to search for a specific record and go into the detail screen to find out about a user's roles. * The implementation for getGroupDetails was incomplete for locally stored groups. It is now fully implemented. * New method "getGroupedUsers" will return a sequence of user objects for the groups you pass as argument. If no groups are passed then user objects from all groups that are visible to the LDAPUserFolder are returned. * Make unwrapped LDAPUser objects a little more useful by ensuring __getattr__ can now find the DN attribute. Trying to call getUserDN on a unwrapped user object will always raise an error due to the nature of wrapping and security declarations. __getattr__ does not raise this error. * manage_setUserProperty is now more useful by allowing set set empty properties, which it did not before. (Tracker Issue 158, thanks to Sven Thomsen) Bugs fixed: * The manage_editUser method will no longer blow up if the specific user's RDN attribute is not part of the values passed in. It will now simply take the old record's RDN value instead. 1.5beta2 Bugs fixed: * The latest versions of OpenLDAP seem to complain about the LDAP protocol in use if it is not LDAPv3. Added a workaround that catches the complaint and explicitly sets the protocol. * Corrected some faulty default arguments that could have caused errors in certain cases. * The group search scope was mis-applied to a search that takes a group DN and returns its objectClass. This would cause errors if SCOPE_ONELEVEL is the groups search scope because that scope does not include the object pointed to by the group DN. Changed to always use SCOPE_BASE (this scope searches the current object only) instead (Tracker issue 141, thanks go to Philippe May). * A similar bug as the one above afflicted the _lookupuser method. Changed search scope to SCOPE_BASE as well. Derrick Hudson spotted the problem. * Added workaround for a (supposed) shortcoming in python-ldap where a DN is not part of the search results dictionary even if asked for it explicitly. Also found by Derrick Hudson. 1.5beta1 Bugs fixed: * Small fix on add form to ensure form element naming is consistent (Tracker issue 139 by David Riggs). * Instead of adding a workaround for the (faulty) ability to create and have empty group records on Netscape directory server products (which then won't show up on the LDAPUserFolder "Groups" tab) I have added a paragraph in the README that addresses why it happens and what to do. * A stupid syntax error on my part prevented the "SERVER_DOWN" exception that was used to determine the freshness of a reused connection object to ever be caught correctly. Brad Powell pushed my nose into that and made me fix it. 1.4 Bugs fixed: * All actions performed on the management tabs with the lone exception of the "Custom Forms" tab will now go back to the same tab, with the correct tab highlighted. (Tracker issue 127, thanks to David Riggs) * Expiring users out of the caches when the record got changed was not working in all cases. The expiration is now more explicit and involves manipulating the caches directly instead of changing the expiration time on the user object (Tracker item 128). * IE on windoze misbehaves when setting a cookie where expiration is set to an empty string. All other browsers (surprise surprise!) behave correctly, but IE will foil any login attempts when using cookie mode. Added a workaround (Tracker issue 129). 1.4beta3 Bugs fixed: * The code used to format exceptions in the utils method was called the wrong way and failed when it was called to format an exception (Tracker issue 125, thanks to David Riggs). * A juxtaposition in arguments to manage_edit led to segfaults in some applications (spotted by Tres Seaver). Features added: * Logging is extracted into its own module (SimpleLog), thereby making it easier to extend later. 1.4beta2 Bugs fixed: * A small bug crept in while making the user cache case- insensitive (Tracker # 123 from Jan Idzikowski). Features added: * The LDAPUserFolder will now use the LDAP database connection on a more persistent basis. A connection gets stored away and reused until it breaks or until the object is ghosted by Zope. This should speed up LDAP accesses in many situations. 1.4beta1 Bugs fixed: * The unicode verification in utils.py could not deal with non-ascii characters (Tracker issue 122, thanks to Jan Idzikowski). * The setting for encryption scheme was never set with the selection from the add form (thanks Dirk Datzert). * The redirection after calling the constructor method has been changed to use RESPONSE.redirect to get over the idiosyncrasies of returning something from a self that is a factory dispatcher and not a container. (thanks to Dirk Datzert) * Internal cache is no longer case-sensitive (suggested by Dirk Datzert) Features added: * The list of available LDAP groups to map to Zope roles on the Groups tab is now sorted alphabetically (suggestion from Dirk Datzert). 1.3 Bugs fixed: * Added workaround for the missing "crypt" module problem that only appears on a so-called OS from Redmond. (Tracker issues 119 and 120) * Simplified package structure somewhat by adding a utils module that defines methods or constants used in the other modules. Features added: * As a step to better unicode handling the LDAPUser now stores all attribute strings as unicode strings. 1.3beta1 Bugs fixed: * Small bug in user object caching code that could lead to duplicate user objects being cached which only differ in capitalization. * Added a couple small improvements and fixes as suggested by Dieter Maurer. Features added: * Added workaround for the buggy windoze ldap.pyd that does not have a meaningful __version__ string (Tracker issue 118). * Added the ability to map a LDAP group name to a Zope role name. In a nutshell, if LDAP group "Employee" is mapped to Zope role "Member" then anyone who authenticates through LDAP and is in LDAP group "Employee" will have "Employee" and "Member" in the list of roles for the user. 1.2 Features added: * Dirk Datzert sent me a module that can encrypt strings using the SSHA encryption scheme. This prompted me to make user password encryption schemes selectable in the LDAPUserFolder configuration. Thanks Dirk! * Added a new configuration toggle to set the use of SSL for the LDAP server connection. This option will be ignored and appear greyed-out on the Configure tab if the python-ldap module version is lower than 2.0. * The detailed user data view on the Users tab will now show the full DN for every group that is listed as possible roles for a user. This will help everyone who has roles with the same name defined several times underneath their groups search base (Tracker item 107, thanks go to David Rideau). 1.2beta3 Bugs fixed: * Not only did the importing semantics for the latest python-ldap modules change, some fundamental method signatures changed as well. This fixes the call to ldap.open which led to uncontrollable debugging output on the command line since 1.2beta2 (Tracker issue 106 - thanks to David Rideau). 1.2beta2 Features added: * Ensure compatibility with the latest python-ldap releases which introduced an underdocumented and spurious change that mandates a different way of importing the ldap module. (Tracker issues 102 and 105) The recommended python-ldap module to use remains 1.10alpha3 which seems to work more reliably and has less bugs. 1.2beta1 Bugs fixed: * If the authentication information was incorrect, the _searchResults method would raise the Unauthorized exception, which would make basic HTTP authentication boxes pop up even in cookie mode. It now returns an empty string and users will get the login page when in cookie mode. Tracker issue 87 - thanks to Eric Brun. * Some browsers would not display the LDAP server port in the configuration tab due to a line break in the DTML for the form. The line break has been removed. (Tracker issue 103, thanks once again to Florent Guillaume) Features added: * A little more extended debug logging in the _lookupuser method (suggested by Marc-Aurele Darche of IDEALX, Tracker issue 101) * The RDN Attribute dropdown in the Configure tab now lists all attributes defined on the LDAP Schema tab. This allows the administrator to select any attribute if the LDAP setup violates RFC 2377. Suggestion and patch (thanks!) from Marc-Aurele Darche of IDEALX, Tracker issue 101. 1.1 Features added: * Exclusively use direct string method invocation as opposed to using the string module Bugs fixed: * Mistakenly cached the superuser account upon successful authentication. This would break the "Caches" tab because it tries to call a method on each cached user object that is not supported by the superuser API. * A spurious "/" in the "Add Object" widget of the "Contents" tab broke rendering of the dropdown list in some browsers. * Updated all help screens, some were outdated * Updated the API help files 1.1beta3 Bugs fixed: * Typo inside the method that adds user records led to an obscure error message and user roles would not be set (Tracker issue 95, submitted by M. A. Darche if IDEALX) * The targets of some MessageDialog error screens for the management interface pointed to the wrong method name and caused a traceback. 1.1beta2 Features added: * The administrator can now choose between reading group information from the LDAP server or storing it inside the LDAP User Folder itself. This feature has been added in response to Tracker issue 94. Thanks go to Colin Smith for bringing this configuration option to my attention. Bugs fixed: * The Users tab in the ZMI would show tracebacks if the connection to the LDAP server produced an error. Now the real error is shown (Tracker Issue 93) * Some details of the ZBabel transition did not work correctly, in particular the add screen blew up. 1.1beta1 Features added: * ZBabel support, thanks go to Dirk Datzert. 1.0 Bugs fixed: * Failed authentication in LDAP during a search operation will not simply re-raise the ldap.INVALID_CREDENTIALS anymore, but raise "Unauthorized", which will cause the browser to pop up an authentication dialog (Tracker issue 82 by Igor Stroh). * Adding of users was broken because of a faulty invocation for translating record attributes into UTF-8 (Tracker issue 83, thanks go to Magnus Heino) * Changing some attribute names led to the main management screen bombing out (Tracker Issue 84, thanks go to Magnus Heino) * The way in which caches were used in getUser was broken since the last few betas and cache records with a fake passwords were sometimes used in a real validation context. Features added: * LDAP User objects now have a __getattr__ that will look into the internal properties dictionary, meaning direct attribute access is now possible without the need to use getProperty(). The "Public User Attribute" machinery has been renamed to explain its new meaning in this context: It is used to map an attribute name from LDAP to another name that will also appear on the user object. 1.0 beta5 Bugs fixed: * Default roles were no longer applied (Tracker issue 73, thanks go to Eric Brun) * Passwords can now contain colon (:) characters. This would break reading the authentication cookie in cookie mode before (Tracker issue 74, thanks to Eric Brun) * Added logging to cache lookup successes and decided to simplify getUserById at the same time (Tracker issue 75, thanks to Eric Brun) * The user ID as seen by zope is now guaranteed to be the same every time a user logs in, regardless of name capitalization (which LDAP ignores upon searching). Tracker issue 77, thanks go to Eric Brun. 1.0 beta4 Bugs fixed: * Some missing imports related to the Cookie authentication and a tweak to the add screen so that the authentication mechanism choice gets applied correctly. 1.0 beta3 Features added: * Added compatibility with WebDAV and FTP when in cookie mode * Basic Auth is used as "last resort" when authenticating a user, meaning if you change to cookie mode from basic auth mode there will be no login screen if you were logged in. * An attempt is made, while in cookie mode, to hand off authentication to the next user folder above if a user cannot be identified but might be valid in the user folder above. * The life span of the authentication cookie (if cookie mode is in use) can now be set by the administrator. Bug fixed: * Vast amounts of code were removed by integrating the validate/authenticate/identify machinery better into the machinery provided by the BasicUserFolder base class. 1.0 beta2 **WARNING** As of this point the product is not API-compatible with the LDAPUserManager or LDAPLoginAdapter anymore. The API will change even more before the final 1.0-release. Please experiment but don't use in production unless you really know what you are doing. Features added: * The LDAP User Folder is much more flexible with the groups it reads and writes. Administrators can select the type of group upon creation and any code that manipulates group membership will do the "right thing". Any code retrieving group information can work with varying kinds of groups now. This should ease integration with M$ Active Directory. * The user id shown in the "Cache" tab is now a link that will bring up the user data for the specific user. * The "Configuration" tab has been refactored to be more visually pleasing and less space consuming. * The "LDAP Schema" tab has been completely revamped. The fields for inputting a mapped public name that will show up on the user object to an LDAP attribute has been integrated into the main display and can be triggered by adding attributes with the optional "Public name" value filled in. * The "log verbosity" setting has been moved onto the "Log" tab. Features removed: * The horribly kludgy "getGroupsWithInconsistentRecords" method, introduced in LDAPLoginAdapter 1.3beta4, was dropped. * Any attempt to be backwards-compatible with Python 1.5.x was removed. This product needs Zope 2.4.x, which in turn depends on Python 2.1.x or higher. * The "Advanced" configuration tab has been removed after consolidating its functionality into other screens. LDAPUserFolder 1.0 beta1 : The Beginning This product combines the LDAPLoginAdapter and LDAPUserManager products into a single package. It is designed to supplant both of them and further development, apart from urgent bug fixes, will be limited to this product. **Important Note** : This product is compatible with Zope versions 2.4 and up, which necessitates Python 2.0 and up. Older Zope sites should continue to use the LDAPLoginAdapter/LDAPUserManager combo. This first version is simply a combination of all contents from all classes used in the LDAPLoginAdapter and LDAPUserManager code. Future plans (probably version 2.0 and up) will include a complete refactoring with class separation of o Storage backend operations o User Folder API and setting of properties on the LDAPUserFolder Other cleanups in this first cut involve the following: o throwing out of code that tried to compensate for cases where a user record's DN had spacing different from its reference inside a group record o throwing out of code that tried to fake unicode support for Python versions prior to 1.6 o Some refactoring of ZMI screens, there will undoubtedly be more in the future.