CHANGES.txt for the LDAPUserFolder

  This file contains change information for the LDAPUserFolder product.
  To see changes made to revisions prior to the latest version see
  HISTORY.txt.

    2.4

      Bugs fixed:

        * Small fix to enable non-ASCII characters in LDAP group names
          (JTracker issue 381 by Andreas Jung)


    2.4beta3

      **IMPORTANT NOTE**: This version of the LDAPUserFolder does away with
                          the old behavior of implicitly mapping LDAP groups
                          to Zope roles. Any Zope roles that get conferred
                          are governed by the "LDAP group to Zope role" 
                          form on the "Groups" tab. If you relied on this
                          behavior please create the appropriate mappings
                          in your instance.

      This version introduces a switchover to the new Zope Public License
      (ZPL) version 2.1, which will bring the LDAPUserFolder in line with
      future Zope releases.

      Features added:

        * Added a method to retrieve the URI for the currently active
          LDAP server connection which is now shown in the LDAP Servers
          part of the Configure tab.

        * Added MD5 to the list of available default password encryption
          methods

        * Refactored caching using a new simple cache class contributed 
          by Chris McDonough.

        * Internal changes:

          - getAttributeOfAllUsers method removed in favor of a more
            general getAttributesOfAllObjects method on LDAPUserFolder
            class.  Other methods that deal with mass query of object
            attributes should likely be gradually refactored in terms
            of this method at some point, but for now there is some
            duality in the way attribute-centric object queries are
            done.

          - getUserIds method results are now cached.

        * API addition: getUserIdsAndNames method added to
          LDAPUserFolder, which returns a sequence of two-tuples (id,
          username) for each user found in the tree.  This result is
          cached.

        * Added minimal support for setups where user and groups base
          DN is actually the same subtree (e.g. ActiveDirectory).  LUF
          now specifies a filter for LUF-specified user object classes
          during some calls dealing with searching for users
          (getUserIds, getUserNames, getUserIdsAndNames).

          **If you were relying on older behavior where all objects in
          a tree are returned as users from these calls regardless of
          their actual object class, you will now need to ensure that you
          appropriately specify your user object classes on the main
          configuration page.**

          One notable exception to this rule is that searching from the
          LUF "Users" tab will still expose groups in search results when
          user and group base DNs are the same.  This is considered a
          minor bug in the case that a set of user object classes is
          specified and should be fixed.

        * The password is no longer logged when Debug-Level logging is
          enabled. To go back to the old behavior the old log code is
          still in place, but must be enabled by hand in the python code.
          This represents a reversed decision on JTracker issue 247.

        * Refactored the Groups tab in the Zope Management Interface 
          (ZMI) to be less cluttered and be clearer about the difference
          between group records in LDAP versus roles in Zope.

        * LDAPDelegate's search method now ignores nonstandard internal
          referrals returned by ActiveDirectory when querying it against
          port 389.  These referrals aren't returned when querying against
          AD's global catalog port, so they seem safe to ignore.  This
          may make it possible to use LUF against the normal LDAP port (389)
          of an AD server without needing to fall back to the GC port.

        * Small optimization: when the login attribute is the DN, don't
          attempt to contact the LDAP server if the login id isn't a
          valid DN.  This avoids querying the LDAP server needlessly for
          names that aren't real DNs (like those for users in user
          folders defined above the folder in which LUF resides).
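          As an added illustration of the shortcut described above (this is
          not LDAPUserFolder's own code): a simplified syntactic DN check
          and a lookup that skips the server round trip when the login
          attribute is the DN and the input cannot be one.  The names
          `is_dn`, `lookup_user` and `server_search` are invented here.

```python
import re

# Attribute type per RFC 4514: a descriptor (letter, then letters, digits,
# hyphens) or a dotted numeric OID such as 2.5.4.3.
_ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators in place."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):   # keep the escape pair intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def is_dn(text):
    """Simplified syntactic DN check: every comma-separated RDN must be one
    or more '+'-joined attribute=value pairs with a well-formed attribute
    type and a non-empty value.  Enough to reject plain login names."""
    if not text or not text.strip():
        return False
    for rdn in _split_unescaped(text, ','):
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                return False
            attr, value = ava.split('=', 1)
            if not _ATTR_TYPE.match(attr.strip()) or not value.strip():
                return False
    return True


def lookup_user(login, login_attr, server_search):
    """Return the entry for login, or None.  If the configured login
    attribute is the DN itself, never contact the server for non-DNs."""
    if login_attr == 'dn' and not is_dn(login):
        return None
    return server_search(login_attr, login)
```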

        * LDAP groups are no longer implicitly mapped to Zope roles. The
          roles that are visible on user objects created by the
          LDAPUserFolder are dependent on the "LDAP group to Zope role"
          mapping that can be manipulated on the "Groups" tab in the ZMI.
          The existing behavior of adding the roles specified as "Default
          user roles" on the "Configure" tab to all authenticated users 
          remains the same. This change means that the administrator now has 
          *full control* over what roles a user can have.


    2.4beta2

      ** IMPORTANT NOTES **

        * From this version on, the LDAPUserFolder product will drop
          compatibility with Python 2.1. You should use Python 2.2.3
          with Zope 2.6.x or Python 2.3.3 with Zope 2.7.x.

        * The separation of Login and User ID as described below is
          only fully supported with Zope versions *higher than 2.7.0*.
          For earlier versions you should select the same attribute for
          both Login and User ID.

      Bugs fixed:

        (Kudos to Chris McDonough for checking in the changes below!)

        * The following API methods of LDAPUserFolder and LDAPDelegate
          did not work properly when they were passed a unicode object
          (as opposed to a string) as one of their arguments:

          LDAPUserFolder.manage_edit
          LDAPDelegate.edit
          LDAPDelegate.insert

        * When selecting the full DN as the login attribute a user
          was unable to log in if the DN contained non-ASCII characters
          (JTracker issue 372 by Ralf Herold).

      Features added:

        * Distinction between user id and login name.  You can now
          configure the attribute used for a user id to use a
          different LDAP attribute than the attribute used for a
          user's login name.  This allows you to configure
          LDAPUserFolder, and thus Zope, to use an identifier other
          than the user id as a login name.  This feature is useful if
          you wish to use email addresses or other identifiers which
          may change over time as login names.

          If you employ this feature, you may allow login names to
          change (by updating the LDAP attributes of the entries to
          which they refer), but Zope security depends on the user id
          remaining constant; you still may not allow the attribute
          used for the user id to change without performing "surgery"
          on your Zope instance to update local role maps stored in
          your ZODB and so forth.

          For backwards compatibility purposes, it is possible to set
          the user id attribute and the login name attribute to point
          to the same LDAP attribute.  In the common case, users
          upgrading from older LDAPUserFolder versions, who typically
          employ "cn" as their login name attribute, should also employ
          "cn" as their user id attribute.

          The addition of this feature has caused some method
          signatures to change in a non-backwards-compatible way.
          These are LDAPUserFolder.manage_addLDAPUserFolder,
          LDAPUserFolder.LDAPUserFolder.__init__, and
          LDAPUserFolder.LDAPUserFolder.manage_edit.  Additionally,
          code which relies on LDAPUserFolder's "getUserById"
          returning the same value as its "getUser" method will break
          as a result of this change.

          There is a new API method exposed on the LDAPUserFolder
          object as a result of this change: "getUserIds", which
          returns an enumeration of all user ids.

    2.4beta1

      ** NOTE **

        This version *requires* you to delete and reinstantiate all
        existing LDAPUserFolder and LDAPUserSatellite instances!

      Bugs fixed:

        * Added call to clear the internal caches after a user has been
          added so that getUserNames cannot return a stale user list
          (JTracker issue 362 posted by Nick Bower).

        * The getMultiValuedUserAttrs method was protected by an invalid
          permission (JTracker issue 355 by Florent Guillaume).

        * Add shortcut in getUser to immediately return None if the passed
          name is empty or None.

      Features added:

        * If it is available, I am now using the ReconnectLDAPObject for
          LDAP connections since it promises to hide temporary connection
          problems and long connection timeouts. This could potentially
          fix JTracker issue 324 by P.-J Grizel.

        * A new SharedResource module based on Dieter Maurer's package is
          now used to provide storage for resources that benefit from
          being globally unique such as caches, the log and the LDAP
          server connection object. This brings several advantages, such
          as...

            - The log tab will always show the same thing, regardless of
              which Zope thread handled the rendering.

            - The LDAP connection itself does not need to be established
              for each thread; one connection handles all threads. This
              will probably fix JTracker issue 337 by Florent Guillaume.

            - The user object cache is globally unique now, meaning the
              number of trips back to the LDAP server should be reduced.

            - The list of user IDs generated by calls to getUserList is
              no longer a thread-level variable but globally shared,
              meaning this potentially expensive search operation will be 
              performed less often.

            - These changes were also applied to the LDAPUserSatellite
              log, user to role mapping and expiration mappings.



