HISTORY.txt for the LDAPUserFolder

  This file contains change information for the LDAPUserFolder product
  for revisions before the current version.


    2.3

      Bugs fixed:

        * Noticed that sometimes "empty" authentication credentials lead
          to unnecessary lookups for non-existing users. Relaxed a 
          specific authentication check so this is prevented.

        * The unicode changes had possible disabling consequences for
          group-to-role mappings defined on the Groups tab. Thanks go
          to Helge Tesdal for pointing that one out.


    2.3beta3

      Bugs fixed:

        * Fixed a couple buglets found by Florent Guillaume (JTracker
          issue 333).

        * Florent also noticed code that would trigger unnecessary 
          MODRDN calls when a user record was updated. This extra call
          did not damage the record, it was just unnecessary work
          (issue 334).

        * Dieter Maurer provided the explanation for a recursion error
          in the __getattr__ method on the LDAPUser object that a 
          few people had run into (JTracker issue 338 by Michael
          Crawford).

        * The getGroupedUsers method was not working if the groups are
          stored in the user folder itself (JTracker issue 342, thanks
          Florent Guillaume again).

        * Spurred by Helge Tesdal and Nate Aune I spent a little more 
          time on the unicode-ability. Now a user that has non-ASCII
          characters not just in arbitrary attributes but also in
          attributes that form part of the full DN are processed
          correctly. This required quite a few changes, so any feedback
          is very welcome.


    2.3beta2

      Bugs fixed:

        * Cut down on the number of LDAP lookups in cases where the
          user lookup happens "anonymously", meaning not as part of a 
          normal authenticated request but from the Zope security
          machinery for things like ownership-related security checks.
          Thanks to Kyler Laird for bringing this one up.

      Features added:

        * All user lookups are now limited to those object classed 
          defined in the "User object classes" configuration setting
          on the "Configure" tab. Previously the lookup policy was
          much more lenient and accepted every record where the login
          matched - now the object classes have to match as well.

          ***WARNING - THIS MIGHT BREAK YOUR SITE IF YOU WERE SLOPPY
          WITH THE OBJECT CLASSES SETTING AND USAGE!***

          Due to the possible breakage I had been sitting on Tracker
          issue 294, filed by Andy Dustman, for quite a while before
          going with it. Thanks for keeping te pressure on - it is 
          "the right thing" to do.

       * The "Users" tab will now show a little more information on
         the user record detail view by default, namely the DN and
         the object classes.

       * The unit tests have been changed to work with the latest
         and greatest (Zope 2.7 and Python 2.3.2), which is now the
         default platform used to test and develop this product.
  

    2.3beta1

      Bugs fixed:

        * Use of the distinguished name as login attribute was broken
          in version 2.2 - thanks to Ralf Herold for the information
          (JTracker issue 312)

        * The API documentation for manage_addUser in the Zope Help
          System was slightly off, thanks go to Eugene Prigorodov for
          pointing that out (Issue 319).

        * Cleaned up LDAP filter strings used by the product to have
          surrounding parentheses.

        * Enable correct handling of DN elements that contain bad
          characters, such as backslash-escaped commas (Bug report 
          by Stephen Kirby)


    2.2

      Features added:

        * User attributes can now be declared "multi-valued" in the
          LDAP Schema, thereby ensuring that all values for that 
          attribute are stored on the user object (Feature request by
          Jean Jordaan, JTracker issue 294).

      Bugs fixed:

        * While investigating JTracker issue 309 ("problem changing password")
          it became apparent that previous fixes to correctly use mapped 
          attributes during user creation were flawed. Also, _expireUser is
          now more resilient against receiving invalid user information.


    2.2beta4

      Bugs fixed:

        * LDAP Referrals are now chased for searches as well. (JTracker
          issue 277 by Eric Brun) LDAP Referrals in general *require*
          LDAP server support for version 3 of the LDAP protocol. Almost
          all newer servers should be able to handle that.

        * Removed non-existent "_expire" call from the interfaces file
          for the LDAPUser class (JTracker issue 303 filed by Jean Jordaan)

        * Added "clear" password encryption scheme to the choices 
          available when adding a new LDAPUserFolder (JTracker issue
          295, thanks to Andy Dustman)

        * Added some (obviously missing) logging calls. Thanks to Jean
          Jordaan for telling me about it (JTracker issue 300). Also,
          added a missing message return from the LDAPDelegate modify
          method.

        * Revamped group handling a little bit so that the 
          GROUP_MEMBER_MAP mapping in the utils module is the central
          place where permissible groups and their member types are
          stored. Fixed issue 289 by Eric Brun which was suffering from
          a related problem at the same time.

        * If a new user is created and the form fields are not named 
          after the real LDAP attribute names but with mapped names
          as specified on the LDAP schema tab the correct reverse
          translation will now be done (JTracker issue 301, thanks to
          Doug Winter)

        * Cleaned out a bunch of unneeded imports

        * Added some very interesting ActiveDirectory secrets uncovered
          by Larry Prikockis to the ActiveDirectory README. This has the
          potential of helping a lot of people who have difficulties
          integrating Zope and ActiveDirectory.


    2.2beta3

      Bugs fixed:

        * The routine used to create a crypt-style password string
          did not take enough precautions to ensure that the salt value
          used stays pure ASCII. This could prevent users from logging in.


    2.2beta2

      Features added:

        * The list of LDAP servers will now respect the order in which
          they were added and the connection process will go through the
          servers in that same order, starting at the top of the list as
          visible on the "Configure" tab. (JTracker issue 284 by Dirk
          Datzert)

        * Started a separate README for those hapless users who are stuck
          on Active Directory with input from Philipp Kutter (JTracker 
          issue 280), see README.ActiveDirectory.txt

      Bugs fixed:

        * If roles were stored locally and a user with locally stored 
          roles had all roles removed that user would still show up in
          the user listing, even if the user record itself was removed 
          from LDAP. Now removal of all roles will clean the internal
          roles storage mechanism correctly. Thanks go to Hans-Jrgen 
          Sell for letting me know.

        * When a user logs in the application will no longer construct
          the user object with the name typed in by the user but will
          look it up in the LDAP record itself. That way a user will
          always be represented by the same username, regardless of what
          capitalization was used upon login (JTracker issue 282, thanks
          go to Ronan Amicel)

        * Domain restrictions put on the emergency/init-users were not
          respected, thanks to Dirk Datzert for pointing that out
          in JTracker issue 283.

        * Broke the Caches tab if and when the anonymous cache 
          contained any users, the display for anonymous cache users
          was calling a non-existing method. (JTracker issue 281, my
          thanks go to Ronan Amicel)

        * Logic error in getGroups corrected that could lead to binding 
          with an invalid user/password pair. Now the decision what to
          bind as is left completely up to the LDAPDelegate itself.
        
        * Added workaround for changed behavior of ldap.explode_dn
          which will blow up now if the passed-in DN does not contain
          at least one key=value pair.

        * Removed superfluous argument to manage_setUserProperty 
          (Tracker issue 270 by Dirk Datzert)

        * Fixed manage_setUserProperty errors that crept in during
          the last great code reorganization and also added a unit 
          test to exercise this method. (Tracker issue 269, thanks to
          Dirk Datzert again for pointing that out)


    2.2beta1

      Features added:

        * Cache timeouts can now be set from the Caches tab in the ZMI
          (Tracker issue 263 by Michael Lindig)

      Bugs fixed:

        * "Manager DN usage" set to "Always" would still bind as the user
          itself after the initial bind, now it only uses the Manager
          credentials. Had to insert a bind as the user to determine
          password validity, though. (Tracker issue 266)


    2.1

      No significant changes between 2.1 beta3 and 2.1


    2.1beta3

      Bugs fixed:

        * Fixed a LDAP server misbehavior where a bind operation with
          a valid user DN but empty password would seemingly succeed.
          This behavior was only obvious in 2.1beta2 because I removed
          code I considered obsolete. Also added unittests for
          authentication and extended the FakeLDAP module to emulate
          LDAP server binding behavior. (Tracker issue 257, my thanks
          go to Jan-Wijbrand Kolman)


    2.1beta2

      Bugs fixed:

        * Apparently there are situations when a call to getGroups
          returns a tuple. Code in the LDAPUserSatallite expected it
          to be a list (Tracker issue 244).

        * If the LDAPUserFolder was configured to always bind using
          the Manager DN it was possible to log in with the wrong
          password (Tracker issues 246 and 248, thanks go to Michael
          Lindig).

        * Found a problem deleting all values for a user attribute
          from the ZMI which would throw an error. Discovered while
          looking at the (unrelated?) issue 251 in the tracker, which
          also dealt with a problem when clearing an attribute.


    2.1beta1

      Bugs fixed:

        * Cleaned up a mismatch between the delegate edit method and
          signature expected by the LDAPUserFolder code that talks to
          it (Tracker Issue 224 pointed out by Albert Chin-A-Young
          and others)

        * More cleanup in the way a LDAPUserFolder authenticates to the
          LDAP server. The setting specified under "Manager DN usage"
          is now respected for all record modifications and deletions
          as well.

        * Michail Bachmann pointed out some code errors in the
          LDAPUserSatellite code that had crept in when switching to
          using the LDAPDelegate (tracker issue 233).

      Features added:

        * Finally added a full suite of unit tests for most components
          in the package.

        * If your LDAP server hands out referrals during an attempted
          write operation (add, modify or delete a user record) then
          this is now handled correctly, at least if you run OpenLDAP
          and python-ldap versions 2.0 or higher.

        * Implemented read-only mode where any writes to the LDAP
          server are disabled (Tracker issue 228 filed by Tom Deprez).

      Features removed:

        * Officially removed compatibility with python-ldap 1.x
          versions. Due to an oversight on my part some incompatible
          code was already in the 2.0-series, but now I am finally
          dropping any pretenses about supporting that old version.


    2.0

      Bugs fixed:

        * Made encoding tasks a little cheaper if you set the encoding
          to UTF-8 in the utils.py "encoding" settings (Tracker issue
          203, thanks go to Artur Zaprzala for suggesting a good way
          of handling this)


    2.0beta3

      Bugs fixed:

        * Changing a password would result in an error (Tracker issue
          204 posted by Massimiliano Russo)

        * If no results were returned from a user record search inside
          getUserDetails then a faulty check for the length of the
          returned result set would make it error out. Tracker issue
          206, posted by William Carrel.

        * Make sure that rebinding in _lookupuser will really fulfill
          the promise of "uses the DN and password of the currently
          logged-in user" in case the selected Manager DN usage calls
          for it. (Tracker issue 210 by Oliver Pabst)

      Features added:

        * "clear" has been added as a choice for password encryption
          mechanism. The password will be stored unencrypted in LDAP
          in that case. (Tracker issue 209 by Oliver Pabst)


    2.0beta2

      Features added:

        * Thanks to a patch from Artur Zaprzala the default encoding
          that gets applied to results from the LDAP servers can now be
          changed in the utils module, whereas before it was hardcoded
          to be "Latin-1" in all places.

        * The getUserDetails method API was extended to allow passing
          in a sequence of desired attributes. This is helpful when 
          certain attributes (e.g. binary pictures) are not needed and
          would unnecessarily slow down the request. This feature 
          suggested by Artur Zaprzala.

      Bugs fixed:

        * The module reorganization broke the decoding of UTF-8 values
          which meant non-ASCII characters appeared as garbage 
          characters. Artur Zaprzala posted a set of patches in Tracker
          issue 198 to fix the issue and simplify/improve the unicode
          handling in general.


    2.0beta1

      Version 2.0 represents a major code base refactoring. The main
      goals were code simplification, cruft removal and improving
      maintainability for me. While this meant putting the axe to 
      some features it also enabled me to implement some other
      functionality that would have been much harder to do using the
      old code.

      Features removed:

        * ZBabel support has been discontinued. 
        
          I have received very little (meaning No) feedback on it and 
          even before it was offered only very few people requested it. 
          
          I myself did not have an environment set up where I could 
          maintain the translation dictionaries, mainly because the way 
          they are updated is (in my opionion) a huge PITA. I got tired of 
          lugging code along that got more stale with every update I did 
          to the main cod. Since I have been on a simplification spree for 
          version 2.0 it was one of the first items to go.

          My apologies to Dirk Datzert who performed the most of the ZBabel
          integration work last year.

        * Cookie support is no longer built into the product. If you need
          cookie-based authentication I recommend installing the
          CookieCrumbler product alongside the LDAPUserFolder. It performs 
          all functionalities of the built-in cookie support. See
          http://www.zope.org/Members/hathawsh/CookieCrumbler for 
          information and download.

      Features added:

        * You can now specify multiple LDAP servers to be used by the
          LDAPUserFolder. Servers are used in a failover fashion. If the
          first server in the list is down the next one is contacted, etc.
          This assumes that the LDAP data structure on both servers is
          identical, e.g. the users search base is the same.

        * The LDAPUserSatellite can now be used in recursive fashion. This
          means it can go out and consult all LDAPUserSatellites in its 
          acquisition path and have them make any role manipulations before
          doing its own work, thereby getting a cumulative effect. Please
          use caution with this feature because it is potentially very 
          expensive.


    1.6

      That's it, folks... this is the end of the 1.x line of 
      LDAPUserFolders. The new version, LDAPUserFolder 2.x, 
      is out by now and I encourage everyone to give it a try. It
      has many added features and, above all, a refactored code
      base that makes it easier for me to maintain and improve.

      From this point on no new features will be added to the 
      1.x series, and only urgent bug fixes. All development will
      concentrate on the 2.x series.


    1.6beta3

      Bugs fixed:

        * Fixed a bug that could allow access with an invalid password
          (Tracker issues 185, 188)

      Features added:

        * Some more small logging improvements


    1.6beta2

      Features added:

        * A brand new object can now be instantiated after upgrading
          to this version. It's called "LDAPUserSatellite" and is 
          used to manipulate roles for a user based on the context
          the user is in if a LDAPUserSatellite is around.

          Roles can be manipulated by applying a mapping from
          LDAP group to additional Zope role and/or performing
          a group record lookup in an additional groups search
          path on your LDAP server.

          The LDAPUserSatellite does not directly change global roles
          on the user object like the LDAPRoleTwiddler and 
          LDAPRoleExtender did, it uses internal Zope security
          mechanisms to compute roles based on context.

          This new object replaces both the LDAPRoleTwiddler and 
          the LDAPRoleExtender, which are hereby deprecated.

          Thanks go to Dirk Datzert who did some extensive testing
          and helped me hunt down a lot of bugs.

        * Better logging for using cached users

        * Caches ZMI tab more informative by presenting both 
          authenticated and anonymous cache contents

      Bugs fixed:

        * Update some outdated help files for the LDAPUserFolder
    

    1.6beta1

      Features added:

        * Group type accessGroup added to the list of group records
          recognized and usable within the LDAPUserFolder. Michael
          Stroeder spotted this type of group on a IBM SecureWay
          directory server.

        * More efficient groups search filter for specific user
          record, suggested by Michael Stroeder.

        * Logging and caching are factored out into instance-level
          objects

        * The security model has seen a complete change to make 
          it simpler and to respect access controls placed on the 
          LDAP server itself more:

            - providing a Manager DN and password is optional

            - if a Manager DN has been provided in the configuration
              then that DN will be used to bind for every single 
              LDAP operation

            - if no Manager DN has been provided then the current
              user's DN will be used for binding.

            - if no Manager DN has been provided and a user who
              authenticated against another user folder is 
              attempting to perform LDAP operations it will
              be performed with an anonymous bind.

          This all implies that if you want to make changes in LDAP that 
          require specific rights you must either log in as a user with 
          those specific rights or use the less security-conscious 
          workaround of providing a Manager DN in the LDAPUserFolder 
          configuration. 
          
          If you attempt to make changes with a Manager user 
          authenticated against another user folder you might not be able 
          to, which might be a source of confusion for some Zope admins.

      Bugs fixed:

        * Catch ldap.PARTIAL_RESULTS after issuing a search request
          to the server, something the Micro$haft "Active Directory"
          server seems to like doing. Thanks go to Brad Powell for
          reporting this nonstandard server behavior.

        * Reclassified and clarified some logging calls and their
          message output.

        * A lot of "whitespace normalization" (hate that expression!)
          and fixes to overly long lines of code.

        * Handling of multi-valued attributes has been cleaned up and
          changed slightly. If an attribute value contains semicolon
          (;) characters it will be assumed to contain a semicolon-
          separated list of values. The ZMI "Users" tab will also
          display semicolon-separated values for all multi-valued
          attributes when you view the record.

        * A misconfigured Users base DN setting is now less likely to
          lead to complete blowups upon trying to connect to the 
          LDAP server so that access to the container will always remain
          intact and the LDAPUserFolder can be reconfigured or deleted 
          if needed.

        * No blowups from getUser if the name passed in is not a string,
          just returns None instead now. (Tracker issue 166 filed by 
          Romain Eliot)


    1.5

      Bugs fixed:

        * Due to the way user object caching was implemented local
          role lookup would break for those users who have logins
          that are not all lowercase. This has been fixed.
          (Tracker issue 163, my thanks go to John Hohm who did
          a lot of the detective work for this one himself)

        * Using a better search filter in case getGroups is asked
          to return all groups available to the LDAPUserFolder. 
          Improved the doc string for getGroups to clarify its 
          usage. Michael Stroeder suggested the better search filter.


    1.5beta3

      Features added:

        * New method getLocalUsers added to allow for retrieving
          all user DNs and their roles that have roles stored
          locally. If user roles are stored locally this method is 
          now used on the Users ZMI tab to show a list of all
          users with locally stored roles. This is more or less a
          convenience so that the admin does not have to search
          for a specific record and go into the detail screen to
          find out about a user's roles.

        * The implementation for getGroupDetails was incomplete
          for locally stored groups. It is now fully implemented.

        * New method "getGroupedUsers" will return a sequence of 
          user objects for the groups you pass as argument. If no
          groups are passed then user objects from all groups
          that are visible to the LDAPUserFolder are returned.

        * Make unwrapped LDAPUser objects a little more useful
          by ensuring __getattr__ can now find the DN attribute.
          Trying to call getUserDN on a unwrapped user object
          will always raise an error due to the nature of wrapping
          and security declarations. __getattr__ does not raise 
          this error.

        * manage_setUserProperty is now more useful by allowing
          set set empty properties, which it did not before. 
          (Tracker Issue 158, thanks to Sven Thomsen)

      Bugs fixed:

        * The manage_editUser method will no longer blow up if the
          specific user's RDN attribute is not part of the values
          passed in. It will now simply take the old record's RDN
          value instead.


    1.5beta2

      Bugs fixed:

        * The latest versions of OpenLDAP seem to complain about
          the LDAP protocol in use if it is not LDAPv3. Added a 
          workaround that catches the complaint and explicitly
          sets the protocol.

        * Corrected some faulty default arguments that could have 
          caused errors in certain cases.

        * The group search scope was mis-applied to a search that 
          takes a group DN and returns its objectClass. This would
          cause errors if SCOPE_ONELEVEL is the groups search scope 
          because that scope does not include the object pointed to
          by the group DN. Changed to always use SCOPE_BASE (this 
          scope searches the current object only) instead (Tracker 
          issue 141, thanks go to Philippe May).

        * A similar bug as the one above afflicted the _lookupuser
          method. Changed search scope to SCOPE_BASE as well. Derrick
          Hudson spotted the problem.

        * Added workaround for a (supposed) shortcoming in python-ldap
          where a DN is not part of the search results dictionary even
          if asked for it explicitly. Also found by Derrick Hudson.


    1.5beta1

      Bugs fixed:

        * Small fix on add form to ensure form element naming is
          consistent (Tracker issue 139 by David Riggs).

        * Instead of adding a workaround for the (faulty) ability
          to create and have empty group records on Netscape 
          directory server products (which then won't show up on
          the LDAPUserFolder "Groups" tab) I have added a paragraph 
          in the README that addresses why it happens and what to do.

        * A stupid syntax error on my part prevented the "SERVER_DOWN"
          exception that was used to determine the freshness of a 
          reused connection object to ever be caught correctly. Brad 
          Powell pushed my nose into that and made me fix it.


    1.4

      Bugs fixed:

        * All actions performed on the management tabs with the 
          lone exception of the "Custom Forms" tab will now go
          back to the same tab, with the correct tab highlighted.
          (Tracker issue 127, thanks to David Riggs)

        * Expiring users out of the caches when the record got 
          changed was not working in all cases. The expiration is
          now more explicit and involves manipulating the caches
          directly instead of changing the expiration time on the 
          user object (Tracker item 128).

        * IE on windoze misbehaves when setting a cookie where 
          expiration is set to an empty string. All other browsers
          (surprise surprise!) behave correctly, but IE will foil
          any login attempts when using cookie mode. Added a
          workaround (Tracker issue 129).
  

    1.4beta3

      Bugs fixed:

        * The code used to format exceptions in the utils method 
          was called the wrong way and failed when it was called
          to format an exception (Tracker issue 125, thanks to 
          David Riggs).

        * A juxtaposition in arguments to manage_edit led to 
          segfaults in some applications (spotted by Tres 
          Seaver).

      Features added:

        * Logging is extracted into its own module (SimpleLog), 
          thereby making it easier to extend later.
  

    1.4beta2

      Bugs fixed:

        * A small bug crept in while making the user cache case-
          insensitive (Tracker # 123 from Jan Idzikowski).

      Features added:

        * The LDAPUserFolder will now use the LDAP database
          connection on a more persistent basis. A connection
          gets stored away and reused until it breaks or until the 
          object is ghosted by Zope. This should speed up LDAP 
          accesses in many situations.


    1.4beta1

      Bugs fixed:

        * The unicode verification in utils.py could not deal with
          non-ascii characters (Tracker issue 122, thanks to Jan 
          Idzikowski).

        * The setting for encryption scheme was never set with the
          selection from the add form (thanks Dirk Datzert).

        * The redirection after calling the constructor method has
          been changed to use RESPONSE.redirect to get over the 
          idiosyncrasies of returning something from a self that 
          is a factory dispatcher and not a container. (thanks
          to Dirk Datzert)

        * Internal cache is no longer case-sensitive (suggested 
          by Dirk Datzert)

      Features added:

        * The list of available LDAP groups to map to Zope roles
          on the Groups tab is now sorted alphabetically (suggestion 
          from Dirk Datzert).


    1.3

      Bugs fixed:

        * Added workaround for the missing "crypt" module problem
          that only appears on a so-called OS from Redmond. (Tracker 
          issues 119 and 120)

        * Simplified package structure somewhat by adding a utils 
          module that defines methods or constants used in the 
          other modules.

      Features added:

        * As a step to better unicode handling the LDAPUser now 
          stores all attribute strings as unicode strings.


    1.3beta1

      Bugs fixed:

        * Small bug in user object caching code that could lead to 
          duplicate user objects being cached which only differ in 
          capitalization.

        * Added a couple small improvements and fixes as suggested
          by Dieter Maurer.

      Features added:

        * Added workaround for the buggy windoze ldap.pyd that does
          not have a meaningful __version__ string (Tracker issue
          118).

        * Added the ability to map a LDAP group name to a Zope role 
          name. In a nutshell, if LDAP group "Employee" is mapped to
          Zope role "Member" then anyone who authenticates through 
          LDAP and is in LDAP group "Employee" will have "Employee" 
          and "Member" in the list of roles for the user.


    1.2

      Features added:

        * Dirk Datzert sent me a module that can encrypt strings
          using the SSHA encryption scheme. This prompted me to
          make user password encryption schemes selectable in the
          LDAPUserFolder configuration. Thanks Dirk!

        * Added a new configuration toggle to set the use of SSL
          for the LDAP server connection. This option will be 
          ignored and appear greyed-out on the Configure tab if 
          the python-ldap module version is lower than 2.0.

        * The detailed user data view on the Users tab will now
          show the full DN for every group that is listed as 
          possible roles for a user. This will help everyone who
          has roles with the same name defined several times 
          underneath their groups search base (Tracker item
          107, thanks go to David Rideau).


    1.2beta3

      Bugs fixed:

        * Not only did the importing semantics for the latest   
          python-ldap modules change, some fundamental method 
          signatures changed as well. This fixes the call to
          ldap.open which led to uncontrollable debugging
          output on the command line since 1.2beta2 (Tracker
          issue 106 - thanks to David Rideau).

    1.2beta2

      Features added:

        * Ensure compatibility with the latest python-ldap releases
          which introduced an underdocumented and spurious change 
          that mandates a different way of importing the ldap
          module. (Tracker issues 102 and 105)

          The recommended python-ldap module to use remains
          1.10alpha3 which seems to work more reliably and has
          less bugs.
  

    1.2beta1

      Bugs fixed:

        * If the authentication information was incorrect, the
          _searchResults method would raise the Unauthorized 
          exception, which would make basic HTTP authentication boxes 
          pop up even in cookie mode. It now returns an empty string
          and users will get the login page when in cookie mode.
          Tracker issue 87 - thanks to Eric Brun.

        * Some browsers would not display the LDAP server port in the
          configuration tab due to a line break in the DTML for the
          form. The line break has been removed. (Tracker issue 103,
          thanks once again to Florent Guillaume)

      Features added:

        * A little more extended debug logging in the _lookupuser
          method (suggested by Marc-Aurele Darche of IDEALX, Tracker 
          issue 101)

        * The RDN Attribute dropdown in the Configure tab now lists
          all attributes defined on the LDAP Schema tab. This allows
          the administrator to select any attribute if the LDAP setup
          violates RFC 2377. Suggestion and patch (thanks!) from 
          Marc-Aurele Darche of IDEALX, Tracker issue 101.


    1.1

      Features added:

        * Exclusively use direct string method invocation as opposed 
          to using the string module

      Bugs fixed:

        * Mistakenly cached the superuser account upon successful
          authentication. This would break the "Caches" tab because
          it tries to call a method on each cached user object that
          is not supported by the superuser API.

        * A spurious "/" in the "Add Object" widget of the "Contents"
          tab broke rendering of the dropdown list in some browsers.

        * Updated all help screens, some were outdated

        * Updated the API help files


    1.1beta3

      Bugs fixed:

        * Typo inside the method that adds user records led to an
          obscure error message and user roles would not be set
          (Tracker issue 95, submitted by M. A. Darche if IDEALX)

        * The targets of some MessageDialog error screens for the
          management interface pointed to the wrong method name
          and caused a traceback.


    1.1beta2

      Features added:

        * The administrator can now choose between reading group
          information from the LDAP server or storing it inside 
          the LDAP User Folder itself. This feature has been added
          in response to Tracker issue 94. Thanks go to Colin Smith
          for bringing this configuration option to my attention.

      Bugs fixed:

        * The Users tab in the ZMI would show tracebacks if the 
          connection to the LDAP server produced an error. Now the
          real error is shown (Tracker Issue 93)

        * Some details of the ZBabel transition did not work
          correctly, in particular the add screen blew up.


    1.1beta1

      Features added:

        * ZBabel support, thanks go to Dirk Datzert.


    1.0

      Bugs fixed:

        * Failed authentication in LDAP during a search operation
          will not simply re-raise the ldap.INVALID_CREDENTIALS
          anymore, but raise "Unauthorized", which will cause the
          browser to pop up an authentication dialog (Tracker issue
          82 by Igor Stroh).

        * Adding of users was broken because of a faulty invocation
          for translating record attributes into UTF-8 (Tracker
          issue 83, thanks go to Magnus Heino)

        * Changing some attribute names led to the main management 
          screen bombing out (Tracker Issue 84, thanks go to 
          Magnus Heino)

        * The way in which caches were used in getUser was broken
          since the last few betas and cache records with a fake
          passwords were sometimes used in a real validation context.

      Features added:

        * LDAP User objects now have a __getattr__ that will look
          into the internal properties dictionary, meaning direct
          attribute access is now possible without the need to 
          use getProperty(). The "Public User Attribute" machinery
          has been renamed to explain its new meaning in this 
          context: It is used to map an attribute name from LDAP
          to another name that will also appear on the user object.


    1.0 beta5

      Bugs fixed:

        * Default roles were no longer applied (Tracker issue 73, 
          thanks go to Eric Brun)

        * Passwords can now contain colon (:) characters. This 
          would break reading the authentication cookie in cookie
          mode before (Tracker issue 74, thanks to Eric Brun)

        * Added logging to cache lookup successes and decided to
          simplify getUserById at the same time (Tracker issue 
          75, thanks to Eric Brun)

        * The user ID as seen by zope is now guaranteed to be the
          same every time a user logs in, regardless of name 
          capitalization (which LDAP ignores upon searching).
          Tracker issue 77, thanks go to Eric Brun.

    1.0 beta4

      Bugs fixed:

        * Some missing imports related to the Cookie authentication
          and a tweak to the add screen so that the authentication
          mechanism choice gets applied correctly.


    1.0 beta3

      Features added:

        * Added compatibility with WebDAV and FTP when in cookie mode

        * Basic Auth is used as "last resort" when authenticating 
          a user, meaning if you change to cookie mode from basic
          auth mode there will be no login screen if you were 
          logged in.

        * An attempt is made, while in cookie mode, to hand off
          authentication to the next user folder above if a user
          cannot be identified but might be valid in the user folder
          above.

        * The life span of the authentication cookie (if cookie mode
          is in use) can now be set by the administrator.

      Bug fixed:

        * Vast amounts of code were removed by integrating the 
          validate/authenticate/identify machinery better into the
          machinery provided by the BasicUserFolder base class.


    1.0 beta2

      **WARNING**

      As of this point the product is not API-compatible with the 
      LDAPUserManager or LDAPLoginAdapter anymore. The API will change
      even more before the final 1.0-release.

      Please experiment but don't use in production unless you really 
      know what you are doing.

      Features added:

        * The LDAP User Folder is much more flexible with the groups
          it reads and writes. Administrators can select the type of
          group upon creation and any code that manipulates group
          membership will do the "right thing". Any code retrieving
          group information can work with varying kinds of groups now.
          This should ease integration with M$ Active Directory.

        * The user id shown in the "Cache" tab is now a link that will
          bring up the user data for the specific user.

        * The "Configuration" tab has been refactored to be more visually
          pleasing and less space consuming.

        * The "LDAP Schema" tab has been completely revamped. The fields
          for inputting a mapped public name that will show up on the user
          object to an LDAP attribute has been integrated into the main
          display and can be triggered by adding attributes with the 
          optional "Public name" value filled in.

        * The "log verbosity" setting has been moved onto the "Log" tab.

      Features removed:

        * The horribly kludgy "getGroupsWithInconsistentRecords" method,
          introduced in LDAPLoginAdapter 1.3beta4, was dropped.

        * Any attempt to be backwards-compatible with Python 1.5.x was
          removed. This product needs Zope 2.4.x, which in turn depends
          on Python 2.1.x or higher.

        * The "Advanced" configuration tab has been removed after 
          consolidating its functionality into other screens.


    LDAPUserFolder 1.0 beta1 : The Beginning

      This product combines the LDAPLoginAdapter and LDAPUserManager 
      products into a single package. It is designed to supplant both
      of them and further development, apart from urgent bug fixes, will
      be limited to this product.

      **Important Note** : This product is compatible with Zope versions
      2.4 and up, which necessitates Python 2.0 and up. Older Zope sites
      should continue to use the LDAPLoginAdapter/LDAPUserManager combo.

      This first version is simply a combination of all contents from
      all classes used in the LDAPLoginAdapter and LDAPUserManager
      code. Future plans (probably version 2.0 and up) will include 
      a complete refactoring with class separation of

        o Storage backend operations

        o User Folder API and setting of properties on the LDAPUserFolder

      Other cleanups in this first cut involve the following:

        o throwing out of code that tried to compensate for cases where
          a user record's DN had spacing different from its reference
          inside a group record

        o throwing out of code that tried to fake unicode support for
          Python versions prior to 1.6

        o Some refactoring of ZMI screens, there will undoubtedly be 
          more in the future.


