CHANGES.txt for the LDAPUserFolder

  This file contains change information for the LDAPUserFolder product.
  To see changes made to revisions prior to the latest version see
  HISTORY.txt.


2.2beta4

  Bugs fixed:

    * LDAP Referrals are now chased for searches as well. (JTracker issue
      277 by Eric Brun) LDAP Referrals in general *require* LDAP server
      support for version 3 of the LDAP protocol. Almost all newer servers
      should be able to handle that.

    * Removed non-existent "_expire" call from the interfaces file for the
      LDAPUser class (JTracker issue 303 filed by Jean Jordaan)

    * Added "clear" password encryption scheme to the choices available
      when adding a new LDAPUserFolder (JTracker issue 295, thanks to
      Andy Dustman)

    * Added some (obviously missing) logging calls. Thanks to Jean Jordaan
      for telling me about it (JTracker issue 300). Also, added a missing
      message return from the LDAPDelegate modify method.

    * Revamped group handling a little bit so that the GROUP_MEMBER_MAP
      mapping in the utils module is the central place where permissible
      groups and their member types are stored. Fixed issue 289 by Eric
      Brun which was suffering from a related problem at the same time.

    * If a new user is created and the form fields are not named after the
      real LDAP attribute names but with mapped names as specified on the
      LDAP schema tab, the correct reverse translation will now be done
      (JTracker issue 301, thanks to Doug Winter)

    * Cleaned out a bunch of unneeded imports

    * Added some very interesting ActiveDirectory secrets uncovered by
      Larry Prikockis to the ActiveDirectory README. This has the potential
      of helping a lot of people who have difficulties integrating Zope and
      ActiveDirectory.


2.2beta3

  Bugs fixed:

    * The routine used to create a crypt-style password string did not take
      enough precautions to ensure that the salt value used stays pure
      ASCII. This could prevent users from logging in.

2.2beta2

  Features added:

    * The list of LDAP servers will now respect the order in which they
      were added, and the connection process will go through the servers in
      that same order, starting at the top of the list as visible on the
      "Configure" tab. (JTracker issue 284 by Dirk Datzert)

    * Started a separate README for those hapless users who are stuck on
      Active Directory, with input from Philipp Kutter (JTracker issue 280),
      see README.ActiveDirectory.txt

  Bugs fixed:

    * If roles were stored locally and a user with locally stored roles had
      all roles removed, that user would still show up in the user listing,
      even if the user record itself was removed from LDAP. Now removal of
      all roles will clean the internal roles storage mechanism correctly.
      Thanks go to Hans-Jürgen Sell for letting me know.

    * When a user logs in the application will no longer construct the user
      object with the name typed in by the user but will look it up in the
      LDAP record itself. That way a user will always be represented by the
      same username, regardless of what capitalization was used upon login
      (JTracker issue 282, thanks go to Ronan Amicel)

    * Domain restrictions put on the emergency/init-users were not
      respected, thanks to Dirk Datzert for pointing that out in JTracker
      issue 283.

    * Broke the Caches tab if and when the anonymous cache contained any
      users; the display for anonymous cache users was calling a
      non-existing method. (JTracker issue 281, my thanks go to Ronan
      Amicel)

    * Logic error in getGroups corrected that could lead to binding with an
      invalid user/password pair. Now the decision what to bind as is left
      completely up to the LDAPDelegate itself.

    * Added workaround for changed behavior of ldap.explode_dn, which will
      blow up now if the passed-in DN does not contain at least one
      key=value pair.
    * Removed superfluous argument to manage_setUserProperty (Tracker issue
      270 by Dirk Datzert)

    * Fixed manage_setUserProperty errors that crept in during the last
      great code reorganization and also added a unit test to exercise this
      method. (Tracker issue 269, thanks to Dirk Datzert again for pointing
      that out)


2.2beta1

  Features added:

    * Cache timeouts can now be set from the Caches tab in the ZMI (Tracker
      issue 263 by Michael Lindig)

  Bugs fixed:

    * "Manager DN usage" set to "Always" would still bind as the user itself
      after the initial bind; now it only uses the Manager credentials. Had
      to insert a bind as the user to determine password validity, though.
      (Tracker issue 266)


2.1

  No significant changes between 2.1 beta3 and 2.1


2.1beta3

  Bugs fixed:

    * Fixed a LDAP server misbehavior where a bind operation with a valid
      user DN but empty password would seemingly succeed. This behavior was
      only obvious in 2.1beta2 because I removed code I considered obsolete.
      Also added unit tests for authentication and extended the FakeLDAP
      module to emulate LDAP server binding behavior. (Tracker issue 257,
      my thanks go to Jan-Wijbrand Kolman)


2.1beta2

  Bugs fixed:

    * Apparently there are situations when a call to getGroups returns a
      tuple. Code in the LDAPUserSatellite expected it to be a list (Tracker
      issue 244).

    * If the LDAPUserFolder was configured to always bind using the Manager
      DN it was possible to log in with the wrong password (Tracker issues
      246 and 248, thanks go to Michael Lindig).

    * Found a problem deleting all values for a user attribute from the ZMI
      which would throw an error. Discovered while looking at the
      (unrelated?) issue 251 in the tracker, which also dealt with a problem
      when clearing an attribute.

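The 2.2beta2 entry above mentions that ldap.explode_dn now raises when it is handed a string without a single key=value pair (for instance a bare login name where a DN was expected). The following is an added, self-contained illustration of the kind of defensive wrapper such a workaround needs; it is not the LDAPUserFolder's own code and does not import python-ldap. It splits on unescaped commas, keeps backslash-escaped commas inside values intact, and returns an empty list instead of raising when the input is not a DN, so callers can test for "no components" rather than catch an exception.

```python
"""Defensive DN splitting (added example, not LDAPUserFolder code).

python-ldap's ldap.explode_dn raises on input that has no key=value pair.
This pure-Python stand-in returns [] in that case so calling code can check
the result instead of wrapping every call in try/except.
"""


def split_unescaped(dn, sep=","):
    """Split `dn` on `sep`, leaving backslash-escaped separators in place."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape and the escaped character together.
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def explode_dn(dn, notypes=False):
    """Return the RDN components of `dn`, or [] if it is not a DN.

    notypes=True strips the attribute types, mirroring ldap.explode_dn's
    second argument. Any component lacking a non-empty key and an '='
    makes the whole string "not a DN", so [] is returned.
    """
    components = []
    for raw in split_unescaped(dn):
        part = raw.strip()
        if "=" not in part:
            return []
        key, _, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not key:
            return []
        components.append(value if notypes else "%s=%s" % (key, value))
    return components


def is_dn(candidate):
    """True when `candidate` parses as at least one key=value component."""
    return bool(explode_dn(candidate))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(explode_dn("cn=Jane Doe,ou=People,dc=example,dc=org"))
    print(explode_dn(r"cn=Doe\, Jane,ou=People,dc=example,dc=org"))
    print(explode_dn("jdoe"))  # a login name, not a DN
```

The escaped-comma case matters because a comma inside a common name is legal when escaped, and splitting naively would produce a spurious component with no `=` and wrongly classify the whole DN as invalid.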
2.1beta1

  Bugs fixed:

    * Cleaned up a mismatch between the delegate edit method and the
      signature expected by the LDAPUserFolder code that talks to it
      (Tracker Issue 224 pointed out by Albert Chin-A-Young and others)

    * More cleanup in the way a LDAPUserFolder authenticates to the LDAP
      server. The setting specified under "Manager DN usage" is now
      respected for all record modifications and deletions as well.

    * Michail Bachmann pointed out some code errors in the LDAPUserSatellite
      code that had crept in when switching to using the LDAPDelegate
      (tracker issue 233).

  Features added:

    * Finally added a full suite of unit tests for most components in the
      package.

    * If your LDAP server hands out referrals during an attempted write
      operation (add, modify or delete a user record) then this is now
      handled correctly, at least if you run OpenLDAP and python-ldap
      versions 2.0 or higher.

    * Implemented read-only mode where any writes to the LDAP server are
      disabled (Tracker issue 228 filed by Tom Deprez).

  Features removed:

    * Officially removed compatibility with python-ldap 1.x versions. Due to
      an oversight on my part some incompatible code was already in the
      2.0-series, but now I am finally dropping any pretenses about
      supporting that old version.
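The 2.1beta3 fix above concerns a server that answers a simple bind with a valid DN and an empty password as if it succeeded; the LDAP specification calls this an unauthenticated bind and it results in an anonymous session, not a session as the named user. The following added example is not the LDAPUserFolder's FakeLDAP module or its authentication code; it is a constructed stand-in connection (`FakeLDAPConnection`, `InvalidCredentials` and the `bound_as` attribute are all inventions of this example) used to show the pre-fix logic beside a guarded version that refuses empty passwords and verifies which identity the connection ended up bound as.

```python
"""Guarding simple binds against the empty-password quirk (added example).

FakeLDAPConnection is a constructed stand-in, not python-ldap and not the
LDAPUserFolder's FakeLDAP module. It reproduces one server behaviour: a
bind with a real DN and an empty password is accepted as an anonymous
bind rather than rejected.
"""


class InvalidCredentials(Exception):
    """Raised by the fake server for a wrong, non-empty password."""


class FakeLDAPConnection:
    def __init__(self, directory):
        self._directory = directory  # {user_dn: password}, constructed data
        self.bound_as = None         # None means the session is anonymous

    def simple_bind_s(self, who="", cred=""):
        if cred == "":
            # Server quirk: empty password degrades to an anonymous bind
            # and reports success instead of raising.
            self.bound_as = None
            return
        if self._directory.get(who) != cred:
            raise InvalidCredentials(who)
        self.bound_as = who


def naive_authenticate(conn, user_dn, password):
    """Pre-fix logic: any bind that does not raise is treated as success."""
    try:
        conn.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return False
    return True


def authenticate(conn, user_dn, password):
    """Guarded logic: refuse empty credentials, then confirm the identity."""
    if not user_dn or not password:
        # Never send an empty password to the server; it may come back as
        # a successful anonymous bind that looks like proof of identity.
        return False
    try:
        conn.simple_bind_s(user_dn, password)
    except InvalidCredentials:
        return False
    # Second check: the session must actually be bound as the user asked for.
    return conn.bound_as == user_dn


# Constructed directory contents for the demonstration.
DIRECTORY = {"cn=jdoe,ou=People,dc=example,dc=org": "s3cret"}
JDOE = "cn=jdoe,ou=People,dc=example,dc=org"


if __name__ == "__main__":
    conn = FakeLDAPConnection(DIRECTORY)
    print("naive, empty password:", naive_authenticate(conn, JDOE, ""))
    print("guarded, empty password:", authenticate(conn, JDOE, ""))
    print("guarded, right password:", authenticate(conn, JDOE, "s3cret"))
```

The `bound_as` check stands in for what a real deployment would do by asking the server which identity the session holds (the "Who am I?" extended operation, `whoami_s()` in python-ldap), so that a bind that silently became anonymous is caught even if the empty-password guard is ever bypassed by a different code path.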