forked from dataflake/Products.LDAPUserFolder
CHANGES.txt
Change log
==========
3.2 (unreleased)
----------------
- full flake8/isort compatibility
3.1 (2019-01-20)
----------------
- don't encode attributes when wrapping an LDAPUser if they are flagged binary
3.0 (2018-05-21)
----------------
- Zope 4 compatibility
- merge and fix old HelpSys API docs into interfaces and add Sphinx doc
- add instance scripts as a test/development convenience
- unbreak saving of bind passwords on the Configure tab
- remove old _SharedResource code and simplify caching
- replace Products.LDAPUserFolder.SimpleCache.SimpleCache with
Products.LDAPUserFolder.cache.UserCache, based on
dataflake.cache.timeout.TimeoutCache
- replace Products.LDAPUserFolder.SimpleCache.SharedObject with
dataflake.cache.simple.SimpleCache
- flake8 whitespace cleanup
- moved the code to GitHub
- officially dropped Python 2.6 support, only Python 2.7 is supported.
- moved documentation to Sphinx
- sanitized buildout test script generation to always use the
``exportimport`` extra and always test the `GenericSetup`
export/import support
- Add ``tox`` configuration to support automated testing
on all supported Python versions
- Removed the LDAPUserSatellite code due to severe bit-rot. Please use
the PluggableAuthService package in conjunction with LDAPMultiPlugins
to gain the same functionality.
- Removed the CMF tools, please use the package ``Products.CMFLDAP``
(see http://pypi.python.org/pypi/Products.CMFLDAP/1.0) instead.
- ensure bind passwords used for the LDAP delegate and the user
folder do not get out of sync
- Refactor some definitions in the utils module to make them easier
to override (Patch by Godefroid Chapelle)
- Fixed a missing string conversion in getGroupedUsers (Patch by
Godefroid Chapelle)
- Fix python-ldap error when receiving sets instead of lists for
attributes to search on (Patch by Godefroid Chapelle)
- When comparing a login value to login values found on the LDAP
server strip the login value first. This follows OpenLDAP behavior
which considers values as matches even with trailing or leading
spaces in the value query filter.
(https://bugs.launchpad.net/bugs/1060080)
- LDAPDelegate: When using a user from the Zope security machinery
for the purpose of finding a suitable bind DN and password for
connecting to a LDAP server, discard it when it's not been created
as the result of a real login and thus has an invalid password
(https://bugs.launchpad.net/bugs/1060112)
2.23 (2012-04-23)
-----------------
- Add ``setuptools-git`` to ``setup_requires`` to prevent missing
files in the egg release - versions 2.22 and 2.21 will not build
due to a missing ``VERSION.txt``.
2.22 (2012-04-23)
-----------------
- factored some tests into separate modules to increase
maintainability
- Moved all documentary text files into the egg root
2.21 (2012-04-21)
-----------------
- Make sure to raise OverflowError if no users can be found
when calling ``getUserNames``
(https://bugs.launchpad.net/bugs/972408)
- switch to using the standalone ``dataflake.fakeldap`` package
for unit tests
2.20 (2011-05-04)
-----------------
- Fix for CVE-2010-2944
(http://secunia.com/advisories/cve_reference/CVE-2010-2944/),
which was never reported upstream by the Debian people, who
found the problem 8 months ago (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593466).
Thanks guys.
2.19 (2011-01-10)
-----------------
- Add attribute name to the negative_cache_key so requests
for same value but different attribute do not poison the
cache.
(https://bugs.launchpad.net/bugs/695821)
- The changed base classes in Zope 2.13 did not define
isPrincipiaFolderish, so the user folder would no longer show
up in the left hand navigation pane in the ZMI.
(https://bugs.launchpad.net/bugs/693315)
- Fixed a faulty check for unicode so user expiration will not
fail if a unicode value is passed in. Changed all checks for
string and unicode to use basestring.
(https://bugs.launchpad.net/bugs/700071)
- Fixed an export/import test error so all tests run again.
- The Manager DN Password value on the ``Configure`` tab in the
ZMI showed up in clear text when viewing the HTML source for
the rendered page.
(https://bugs.launchpad.net/bugs/664976)
2.18 (2010-07-29)
-----------------
- Added a new flag ``purge`` to the ``ldap-servers`` and
``ldap-schema`` export/import XML elements for finer-grained
control over value purging for those two settings if the
global purge flag is not set.
(https://bugs.launchpad.net/bugs/586970)
- The export/import code did not handle server definitions
using the ``ldapi`` protocol correctly.
(part of https://bugs.launchpad.net/bugs/586970)
- When adding a new server definition, the comparison to avoid
duplicate server definitions was faulty. Furthermore, operations
and connection timeout values were disregarded for duplicate
server definitions.
(https://bugs.launchpad.net/bugs/586967)
2.17 (2010-05-28)
-----------------
- Added GenericSetup magic to fully provide the INode interface
for the exporter and importer classes, making it easier to nest
within other importers.
(https://bugs.launchpad.net/bugs/586531)
2.16 (2010-04-15)
-----------------
- depend on dataflake.ldapconnection so tests run without
any hassle.
- Use sha hexdigests instead of digests to build cache keys,
digest values can contain non-ASCII characters.
2.15 (2010-04-12)
-----------------
- Changed import/export test code to be compatible with
GenericSetup 1.5
- No longer force-inject the "fakeldap" module into the module
namespace sys.modules as "ldap" for testing
2.14 (2009-12-22)
-----------------
- Updated compatibility with CMF 2.1 and the upcoming
dataflake.ldapconnection 1.0
- Potential Bug: Avoid cache hash clashes by recomputing the hash
when the admin clears the caches in the ZMI
(http://www.dataflake.org/tracker/issue_00629)
- Bug: _lookupuserbyattr created its own user search filter and
did not take the _extra_user_filter attribute into account
(http://www.dataflake.org/tracker/issue_00640)
2.13 (2009-05-02)
-----------------
- Factoring: Removed the SSHA module in favor of using Zope's
AccessControl.AuthEncoding module to handle password creation for
most types of encryption.
- Bug: Binary attribute handling in manage_addUser was broken. Only the
first character in the binary attribute's value would be stored.
- Miscellaneous: Weed out all LDAP search calls that would indiscriminately
pull all attributes from a user record. This will reduce server load if
the user record contains large attributes such as jpegPhoto.
- Feature: Added GenericSetup support with import/export steps for the
LDAPUserFolder. When installing the LDAPUserFolder via Buildout, make
sure to specify the extra name "exportimport" to automatically pull
the GenericSetup dependency: Products.LDAPUserFolder[exportimport]
- Factoring: GenericSetup profile registration and CMF skin folder
registration now moved from code to ZCML. Renamed profile
"default" to "cmfldap", that's a more descriptive name. The minimum CMF
version required for installing the CMF integration is now 2.1.0, which
implies Zope 2.10.4 or later.
2.12 (2008-10-21)
-----------------
- Bug/LDAPDelegate: Use the canonical explode_dn method when splitting
up a DN for escaping its values instead of hand-splitting on ",", which
breaks if the DN contains commas in any value. Patch by Russell Sim.
This also required cleaning up one test that used an invalid DN format.
(http://www.dataflake.org/tracker/issue_00623)
- Factoring: For testing, use the fakeldap module from the
dataflake.ldapconnection package instead of maintaining a copy here.
- Factoring: Refactored unit tests to use ZopeTestCase and ZopeLite instead
of hand-rolling ZODB connections etc.
- Bug: Added explicit CMFDefault dependency for the CMF-related functions
by adding an extras_require in setup.py.
- Bug: Make sure a user is purged from the negative cache when the user
is explicitly expired.
(http://www.dataflake.org/tracker/issue_00617)
2.11 (2008-08-01)
-----------------
- Feature: The site administrator may now set an arbitrary LDAP search
filter expression that will be applied to all user searches in
addition to the default filters. Only those user records matching both
the default filter and this arbitrary filter expression will be
returned. CAUTION: The filter expression must conform to standard LDAP
filter syntax. Setting a wrong value will lock out your users!
(http://www.dataflake.org/tracker/issue_00615)
- Factoring: Move the LDAP server configuration off the Configure
tab in the ZMI to its own LDAP Servers tab to avoid overcrowding the
configuration view even more.
- Bug: The unit tests for the LDAPMemberDataTool and the
LDAPMembershipTool did not run due to a faulty import.
- Bug: The ZMI Caches tab erroneously suggested that a cached user's
last access time would be recorded and/or updated. This was not the case,
it is recorded at user object creation and then never updated. The Caches
tab will now reflect the creation time. Since the API to set or query the
last access time was not used anywhere it has been removed.
(in response to http://www.dataflake.org/tracker/issue_00614 by Stefan
Loidl)
2.10 (2008-07-21)
-----------------
- Bug: Recreating the internal cache hash key inside
LDAPUserFolder.__setstate__ can lead to values differing from one thread
to the next, leading to unnecessary extra LDAP lookups for values already
cached under the original key.
(http://www.dataflake.org/tracker/issue_00608 by Stefan Loidl)
- Factoring: LDAPUserFolder.__setstate__: Removed old backwards-compatibility
gyrations.
- Bug: FakeLDAP could not handle BASE-scoped searches
- Bug: LDAPUserFolder.searchUsers mishandled searches on DN by not passing
the correct BASE search scope through. Found by Nico Grubert.
2.9 (2008-06-04)
----------------
- Bug: LDAPUserFolder.getUserByAttr: The negative login cache used for
preventing repeated LDAP requests when a user enters wrong
credentials was keyed on user login alone. This would prevent
subsequent logins with the correct password. Thanks to Tarek
Ziade for test and patch and Gilles Lenfant for filing the issue.
(http://www.dataflake.org/tracker/issue_00605)
- Refactoring: test suite: Rearrange imports to prevent error messages when
the CMF is not present.
- Bug: LDAPDelegate.search: Improve searches on binary attributes such as
objectGUID by introducing a method argument that prevents
UTF*-conversion of the filter expression passed in.
(http://www.dataflake.org/tracker/issue_00576 by Wichert Akkerman)
- Feature: Improve binary attribute handling by introducing a binary flag
for LDAP schema items that is consulted when inserting/modifying an
attribute flagged that way. Introduce a hardcoded list of
binary attributes not to convert from UTF-8 when searching.
(http://www.dataflake.org/tracker/issue_00598 Dragos Chirila)
- Bug: LDAPUserFolder.getUserByAttr: made login attribute and uid attribute
retrieval safer by explicitly providing a default.
(http://www.dataflake.org/tracker/issue_00602 by Martin Gfeller)
- Bug: ZMI Groups tab: Asking for the type of group via a separate
LDAP search for every group listed is unfeasible for installations
with large numbers of groups, it is now only done if the total
number of groups is less than 50.
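The negative login cache in the 2.9 entry above (and the attribute-name fix in the 2.19 entry) is easiest to understand by replaying both failure modes. This is an added example, not code from Products.LDAPUserFolder: the directory, user `alice`, the passwords and the SHA-256 choice are constructed for the example, and a fake in-memory lookup stands in for the LDAP server so it runs offline.

```python
"""Negative-lookup cache for a user folder, keyed three different ways.

Added example, not the project's own code: it models the negative cache of the
2.9 and 2.19 entries against an in-memory stand-in for the LDAP server.
"""
import hashlib
import time

# Constructed stand-in for the directory: attribute -> value -> (dn, password).
FAKE_DIRECTORY = {
    "uid": {"alice": ("uid=alice,ou=people,dc=example,dc=org", "correct-horse")},
    "mail": {},
}


def ldap_lookup(attr, value, password, stats):
    """Stand-in for search-then-bind on the server; counts every round trip."""
    stats["queries"] += 1
    entry = FAKE_DIRECTORY.get(attr, {}).get(value)
    if entry is None or entry[1] != password:
        return None
    return {"dn": entry[0], attr: value}


def _digest(*parts):
    """Hexdigest (printable, see the 2.16 entry) over NUL-separated parts.
    SHA-256 is this example's choice; the change log only says 'sha'."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.encode("utf-8") + b"\0")
    return h.hexdigest()


def key_login_only(attr, value, password):
    """Pre-2.9: keyed on the login alone (issue 605)."""
    return value


def key_login_password(attr, value, password):
    """2.9 to 2.18: login plus the offered credential."""
    return _digest(value, password)


def key_attr_login_password(attr, value, password):
    """2.19 and later: attribute name added so uid=x and mail=x cannot collide."""
    return _digest(attr, value, password)


class UserFolder:
    def __init__(self, keyfunc, ttl=60.0):
        self.keyfunc = keyfunc
        self.ttl = ttl
        self.negative_cache = {}   # key -> expiry timestamp
        self.keys_by_login = {}    # login -> keys, so an explicit expiry can purge
        self.stats = {"queries": 0}

    def get_user_by_attr(self, attr, value, password, now=None):
        now = time.time() if now is None else now
        key = self.keyfunc(attr, value, password)
        if self.negative_cache.get(key, 0) > now:
            return None            # recent miss: answer without an LDAP round trip
        user = ldap_lookup(attr, value, password, self.stats)
        if user is None:
            self.negative_cache[key] = now + self.ttl
            self.keys_by_login.setdefault(value, set()).add(key)
        return user

    def expire_user(self, login):
        """2.12 entry: expiring a user must also purge it from the negative cache."""
        for key in self.keys_by_login.pop(login, ()):
            self.negative_cache.pop(key, None)


def demo(keyfunc):
    """Replay the two change-log scenarios; returns (relogin_ok, cross_attr_ok)."""
    uf = UserFolder(keyfunc)
    uf.get_user_by_attr("uid", "alice", "wrong-password", now=1000.0)
    relogin_ok = uf.get_user_by_attr("uid", "alice", "correct-horse", 1001.0) is not None
    uf = UserFolder(keyfunc)
    uf.get_user_by_attr("mail", "alice", "correct-horse", now=1000.0)   # no such mail
    cross_attr_ok = uf.get_user_by_attr("uid", "alice", "correct-horse", 1001.0) is not None
    return relogin_ok, cross_attr_ok


def demo_expire():
    """Returns LDAP query counts before and after an explicit expiry."""
    uf = UserFolder(key_attr_login_password)
    uf.get_user_by_attr("uid", "alice", "bad", now=1000.0)
    uf.get_user_by_attr("uid", "alice", "bad", now=1001.0)   # served from cache
    before = uf.stats["queries"]
    uf.expire_user("alice")
    uf.get_user_by_attr("uid", "alice", "bad", now=1002.0)   # goes to LDAP again
    return before, uf.stats["queries"]


if __name__ == "__main__":
    for f in (key_login_only, key_login_password, key_attr_login_password):
        print(f.__name__, demo(f))
    print("expire", demo_expire())
```

With `key_login_only` the correct password is refused after one wrong attempt; with `key_login_password` a miss on `mail=alice` still hides `uid=alice`; only the 2.19-style key passes both scenarios.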
2.9-beta (2008-01-01)
---------------------
NOTE: In order to use the LDAP-based CMF membership components
you need CMF version 2.1.0 or higher.
- Bug: Added a __setstate__ hook for deleting old-style logger
instances which were removed for version 2.7 but are now showing
up as "broken" objects and may prevent Plone migration scripts
from working correctly, pointed out by Martijn Pieters.
(http://www.dataflake.org/tracker/issue_00574)
- Bug: Removed failing unit test for old-style Zope 2 interfaces that
no longer exist in the CMF
- Bug: CMFLDAP skins: Cleanups and changes to align the custom skin
scripts and templates with their CMF 2.1.0 counterparts
- Bug: LDAPMemberDataTool: The "Member Properties" ZMI tab was broken
due to a typo in the ZPT code.
- Bug: LDAPMemberDataTool: Adjusted wrapUser to match the changed
behavior in CMF 2.1.0 and up.
- Bug: LDAPMembershipTool/LDAPMemberDataTool: Since the core CMF tools
no longer support the IActionProvider interface the tests to
prove the LDAP-based versions support these interfaces have been
removed.
- Bug: The functional test rig setup has been changed to avoid
DeprecationWarning-Messages from GenericSetup 1.3 and up.
- Bug: LDAPUserFolder.searchGroups: Make the code more defensive for
situations where a search would return groups without members,
suggested by Nick Davis.
(http://www.dataflake.org/tracker/issue_00584)
- Feature: Added negative caching for users to avoid querying the LDAP
server again and again for invalid logins. Patch provided by Wichert
Akkerman.
(http://www.dataflake.org/tracker/issue_00572)
- Feature: added a group/membership mapping for group type "univentionGroup"
(http://www.dataflake.org/tracker/issue_00569)
- Documentation: Noted the danger of trying to install the CMFLDAP
extensions into a Plone site: Just don't do it, you will suffer!
2.8 (2007-06-13)
----------------
**NOTE**: In order to use the LDAP-based CMF membership components
you need CMF version 1.6 or higher.
- ensure CMF tool unit tests run against CMF 1.6 and up
- cmfldap skins: Replace the non-working skin scripts with a set
based on CMF 1.6.
- LDAPUserFolder/LDAPDelegate: Change the hash key generation which
produces the keys used for caching to use random numbers instead
of time-based hashes. LDAPUserFolder will also generate a new hash
key whenever Zope is restarted.
(http://www.dataflake.org/tracker/issue_00535)
- LDAPDelegate._connect: We now check to see if a newly requested
connection is known to our configuration by checking the
connection string against the saved server information in order to
prevent reusing connections instantiated while handling
ldap.REFERRAL exceptions, spotted by Riccardo Lemmi.
(http://www.dataflake.org/tracker/issue_00548)
- utils: _verifyUnicode was faulty and would return non-unicode
if the input was not simple ascii or a unicode object. Kudos for
the discovery to Godefroid Chapelle.
- LDAPUserFolder.searchUsers: Faulty code would cause an exception
if the LDAP delegate returned a failed search with exception
information, discovered by Andreas Gabriel.
- LDAPUserFolder.getGroupDetails: Removed a hardcoded list of possible
group member attributes and replaced it with utils.GROUP_MEMBER_MAP,
which is used anywhere else. Good spot from Helge Tesdal.
(http://www.dataflake.org/tracker/issue_00560)
- LDAPUserSatellite.getGroups and LDAPUserSatellite.getAdditionalRoles:
Replace occurrences of hardcoded group member attributes with usage
of utils.GROUP_MEMBER_MAP, also suggested by Helge Tesdal.
- Removed Zope 2.7 compatibility code and cleaned up imports
- Removed compatibility code for CMF < 1.6
2.8-beta (2006-10-16)
---------------------
**NOTE**: The python-ldap requirement is now version 2.0.6 or higher
- Fixed a broken security declaration for searchGroups and a
left-over form tag in the Users tab (thanks to Klaus Barthelmann)
- LDAPDelegate.modify would attempt to modify a LDAP record even
if the list of modifications was empty. This is now logged without
any further call to python-ldap to prevent some servers from
throwing UNWILLING_TO_PERFORM.
(http://www.dataflake.org/tracker/issue_00528)
- DNs were not properly escaped for such edge cases that needed
escaping, like values starting with "#".
(http://www.dataflake.org/tracker/issue_00507)
- Changes in GenericSetup meant attempting to register the extension
profile for installing the CMFLDAP tools would fail in CMF >= 1.6.
- Group deletion for groups with non-ASCII and non-UTF8 characters
was broken, discovered by Eric Brun
(http://www.dataflake.org/tracker/issue_00527)
- Unforeseen software combinations, such as CMF < 1.6 in combination
with GenericSetup could prevent Zope from starting up because the
LDAPUserFolder initialization module would throw an error.
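The 2.12 entry (splitting a DN on "," instead of using explode_dn, issue 623) and the 2.8-beta entry (values starting with "#" not escaped, issue 507) are both about RFC 4514 DN syntax. The following is an added example, not the project's code and not python-ldap's: python-ldap's `ldap.dn.explode_dn` and `ldap.dn.escape_dn_chars` do this for real, while this stand-in runs without python-ldap and assumes single-valued RDNs (no `+`-separated values); the DN `cn=Doe\, John,ou=people,dc=example,dc=org` is constructed.

```python
"""RFC 4514 DN escaping and splitting, as needed by the 2.12 and 2.8-beta fixes.

Added example, not the project's code.  python-ldap's ldap.dn.explode_dn and
ldap.dn.escape_dn_chars do this for real; this is a small stand-in so it runs
without python-ldap.  Assumes single-valued RDNs (no '+' separated values).
"""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
DN_SPECIALS = ',+"\\<>;'
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def escape_dn_value(value):
    """Escape one attribute value for embedding in an RDN."""
    escaped = []
    for ch in value:
        if ch in DN_SPECIALS:
            escaped.append("\\" + ch)
        elif ch == "\0":
            escaped.append("\\00")
        else:
            escaped.append(ch)
    s = "".join(escaped)
    if value[:1] in ("#", " "):               # leading '#' or space (issue 507 case)
        s = "\\" + s
    if len(value) > 1 and value[-1] == " ":   # trailing space
        s = s[:-1] + "\\ "
    return s


def unescape_dn_value(raw):
    """Reverse escape_dn_value, accepting both '\\c' and '\\xx' hex escapes."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            buf += raw[i].encode("utf-8")
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt and nxt in DN_SPECIALS + " #=":
            buf += nxt.encode("utf-8")
            i += 2
        elif HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
            buf.append(int(raw[i + 1:i + 3], 16))    # hex pairs may form UTF-8
            i += 3
        else:
            raise ValueError("bad escape sequence in %r" % raw)
    return buf.decode("utf-8")


def explode_dn(dn):
    """Split a DN into RDN strings on unescaped commas only (escapes kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in DN_SPECIALS + " #=":
                cur.append(dn[i:i + 2])
                i += 2
            elif HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                cur.append(dn[i:i + 3])
                i += 3
            else:
                raise ValueError("bad escape sequence in %r" % dn)
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    rdns.append("".join(cur))
    return rdns


def split_rdn(rdn):
    """'type=value' -> (type, unescaped value)."""
    attr_type, _, raw_value = rdn.partition("=")
    return attr_type.strip(), unescape_dn_value(raw_value)


def normalize_dn(dn):
    """What the delegate needs: explode, unescape each value, re-escape, rebuild."""
    return ",".join("%s=%s" % (t, escape_dn_value(v))
                    for t, v in map(split_rdn, explode_dn(dn)))


def demo():
    """Constructed DN with a comma in a value; returns (dn, naive_count, rdns)."""
    dn = "cn=" + escape_dn_value("Doe, John") + ",ou=people,dc=example,dc=org"
    return dn, len(dn.split(",")), explode_dn(dn)   # split(",") was the pre-2.12 bug
```

`demo()` shows the hand-split producing five fragments for a four-RDN DN, which is exactly what broke the escaping code before 2.12.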
2.7 (2006-07-20)
----------------
- Sidnei da Silva took the time to root out any use of mutable
variables in method argument lists.
- Completely refactored the way searches are handled by the
FakeLDAP testing fixture. The new code uses intelligent parsing
to make sense of a query and apply it in a generic way instead
of trying to sniff a filter to guess where the query came from
and what the query was attempting to do. Kudos for a whole
bunch of time spent go to Sidnei da Silva.
- Added a more powerful groups search method named searchGroups
to improve group searching capabilities for e.g. Plone and
PlonePAS. Wichert Akkerman provided code and tests.
- Added a more powerful user search method named searchUsers.
Unlike findUser, searchUsers allows for more than one attribute
to be searched on. findUser has been reduced to a simple wrapper
around searchUsers. My thanks for inspiration and an initial
implementation suggestion go to Wichert Akkerman.
- Enabled utils.to_utf8 to handle unicode (continuing work on
http://www.dataflake.org/tracker/issue_00480)
- The use of zLOG, and the SimpleLog module, have been removed
in favor of using the Python logging module throughout.
- Software dependencies are now listed concisely in one place,
a new DEPENDENCIES.txt file.
2.7-beta (2006-03-02)
---------------------
- Harden SimpleLog against cases where the log message included
strings like %s, caught by Wichert Akkerman.
(http://www.dataflake.org/tracker/issue_00491)
- In ActiveDirectory, it is possible to have records (specifically
internal system accounts) that have the correct objectClasses to
qualify as user records, but they lack the attribute designated as
the chosen UID attribute. Thanks to Wichert Akkerman, these are now
disregarded. (http://www.dataflake.org/tracker/issue_00484)
- Make sure objectGUID, when set on the LDAPUser as a property,
gets treated specially (discovered by Wichert Akkerman in the
course of clarifying http://www.dataflake.org/tracker/issue_00480)
- The SimpleLog.zLOGLogger log method ignored the ``args`` parameter
(http://www.dataflake.org/tracker/issue_00474, thanks go to
Mark Hammond)
- Repaired warnings appearing in Zope 2.8.5 due to a couple of typos
in security declarations.
- Fix breakage when local groups storage is used and no groups are
assigned to a user: When roles are changed to another empty value
an error occurred (http://www.dataflake.org/tracker/issue_00478 by
Junyong Pan)
2.6 (2005-10-29)
----------------
- Expanded findUser with an argument "exact_match" to signal
whether a search term passed in should only return exact
matches or wildcard matches. This is also exposed on the Users
tab in the ZMI as a selection widget for the search form.
(Inspired by a suggestion from Sidnei da Silva)
2.6beta3 (2005-09-22)
---------------------
- Folded the CMFLDAP product into the LDAPUserFolder package
- Revamped the unit tests to share test fixture creation code and
to work in both Zope 2.7 and 2.8 without problems.
- The LDAPUserFolder factory method and the initialization code were
massively simplified. A lot of duplicated code was removed. When
adding a LDAPUserFolder, there is no longer a separate Add view.
The user folder will be created straight away and the admin will
be redirected to the Configure tab of the new instance.
**Note**: If you have code that programmatically instantiates
LDAPUserFolder instances then you must change it. See
the unit test files "setUp" method for an example how
to do it from this point on.
- Fixed a serious bug that crept into version 2.6beta1 and which
led to users being able to log in with a wrong password or no
password.
- The getId method on the LDAPUser class neglected to encode the
user ID to a byte string and handed back unicode, which could
lead to strange failures elsewhere. Most code handling IDs is not
equipped to deal with unicode.
- A bug had crept into the logging subsystem that could cause
spurious error messages.
(http://www.dataflake.org/tracker/issue_00462)
- The user records found via the Users tab search were not
consistent with the users that can actually log in because the
search on the Users tab did not filter out records that do not
match the user object classes as defined on the Configure tab.
(http://www.dataflake.org/tracker/issue_00260 and
http://www.dataflake.org/tracker/issue_00445)
2.6beta2 (2005-07-28)
---------------------
- Previous changes in how the LDAPUserFolder handles the
conversion of LDAP group memberships to Zope roles (it was made
explicit as opposed to automatic and implicit) made the
LDAPUserSatellite less useful for users who expected LDAP
group names to automatically show on the user object. Now the
LDAP User will carry a hidden field for all current LDAP group
memberships, which can then be consulted by the LDAPUserSatellite
to determine what additional roles to hand out. (Suggestion by
Dirk Datzert)
- The LDAPUserSatellite configuration screen would blow up trying
to determine the logging level, which has been removed.
- Before returning a new connection in the internal LDAPDelegate
connection methods the Manage DSA IT control was enabled. This
was the result of misunderstanding the control - it really is
only needed to directly access and manipulate a referral or
alias entry without having the server send you to the referred
or aliased server.
- The old behavior of mapping every LDAP group name a user is member
of to a Zope role of the same name can now be reactivated using
a new configuration option named "Group mapping" on the
Configuration tab. Many thanks to Dirk Bergstrom for a set of
patches and unit tests.
(http://www.dataflake.org/tracker/issue_00459)
2.6beta1 (2005-07-05)
---------------------
- Spell out how to safely upgrade in README.txt by using the
emergency user to delete/recreate the instances.
- Made the getAttributesOfAllObjects method more resilient by
always providing a key per queried attribute in the resultset
(http://www.dataflake.org/tracker/issue_00456 by Pierre-Julien
Grizel)
- Applied a similar fix to getUserIds and getUserIdsAndNames that
was applied for Tracker issue 441 to make sure empty resultsets
don't lead to catastrophic failures
(http://www.dataflake.org/tracker/issue_00446 by Pierre-Julien
Grizel)
- An earlier special-casing applied by Chris McDonough to
correctly handle AD objectGUID values has been applied in a
second place, in the findUser method (patch by Mark Hammond).
- Deleting a user record would be short-circuited if the user
record itself was not in the DIT anymore, e.g. because someone
manipulated the DIT without the user folder knowing about it.
This prevented cleanups for group memberships to be performed.
(http://www.dataflake.org/tracker/issue_00439 by Hans-Juergen
Sell)
- The getUserNames function did not react correctly in the face of
an empty resultset from getAttributesOfAllObjects and would
prevent admins from using the ZMI local role management view.
getUserNames now also raises an OverflowError if no results have
been returned in order to show a simple text input widget on the
local role management view instead of the multiple choice select
box. (http://www.dataflake.org/tracker/issue_00442 by Andrew
Veitch and http://www.dataflake.org/tracker/issue_00441 by
Hans-Juergen Sell)
- Added the new logging machinery to the LDAPDelegate class which
improves lower-level LDAP problem discovery.
- Moved away from the current way of logging to a purely zLOG-based
mechanism. This will make sure that all logging for Zope is in
one and the same place and that more information can be passed
along to the logging mechanism, such as tracebacks.
(http://www.dataflake.org/tracker/issue_00438 by Mark Hammond)
- Refactored the code that has python-ldap dependencies so that
only the LDAPDelegate instance now holds all the cards. This
enables plugging in different delegate implementations because
subclassing LDAPDelegate and overriding implementation details
has become easier.
(http://www.dataflake.org/tracker/issue_00438 by Mark Hammond)
- Added a registry for delegate implementations so that other
delegate classes can register themselves with this registry and
become available to the LDAPUserFolder during instantiation.
2.5 (2005-04-16)
----------------
- Make the error message that gets created when a connection to the
LDAP server fails a tick more verbose
- Remove an optimization that would cache unsuccessful lookups in
order to prevent undue strain on the LDAP server. The cached
records would prevent a LDAP server lookup for a predetermined
time. This turns into a problem where code tried to check for
the existence of a user before adding it and then trying to
retrieve the new user to operate on it. Since the first lookup
will have created an entry in the cache the second lookup to
retrieve the user will always return None, even though the user
might have been added successfully.
2.5beta3 (2005-04-11)
---------------------
- Using the full DN as the user's ID was broken since the AD-related
"objectGUID" changes in 2.5beta1 due to a broken "if" statement.
- Replace deprecated usage of ldap.is_ldap_url, thanks to Sebastien
Munch (http://www.dataflake.org/tracker/issue_00419)
- Add caching to getUserById and getUserByDN, it got "lost" during the
cache changes introduced for version 2.4
(http://www.dataflake.org/tracker/issue_00402)
- Removed the test_all.py helper script - the only supported way to
run the unit tests is using "zopectl test" under Zope 2.7.x and up
2.5beta2 (2005-01-23)
---------------------
- Expiring users from the cache did not work correctly when a user
password was changed or when the roles were edited and the user's
DN contained non-ASCII characters, reported by Helge Tesdal.
(http://www.dataflake.org/tracker/issue_00409)
- In addition to the network-related timeout feature introduced in
2.5beta1 there is now an operations timeout, which is useful if you
have to live with strange network conditions that drop the
connection between the LDAPUserFolder and the LDAP server without
the LDAPUserFolder knowing about it.
- The LDAP over IPC protocol can now be used to communicate with
the LDAP server through a file socket. Please see the README for
additional notes on LDAP over IPC.
2.5beta1 (2004-11-20)
---------------------
- The setting for groups storage was not carried over from the Add
screen when instantiating a new LDAPUserFolder.
http://www.dataflake.org/tracker/issue_00387 by Pierre-Julien
Grizel.
- The getAttributesOfAllObjects method promised to return a mapping
but returned an empty list in case of errors.
- Ignore "DN" when passed in as an attribute to modify within
LDAPDelegate.modify (it is not possible to modify a user's DN
this way).
- When changing user record attributes the "multivalued" flag from
the LDAP Schema configuration was never consulted and if the
new value contained a semicolon (;), it would automatically be
considered multivalued. This made it impossible to have
single-valued attributes with semicolons in them.
(http://www.dataflake.org/tracker/issue_00395)
- Revamp tests so that they can be run comfortably using the Zope
2.7.3+ idiom of running via "zopectl test".
- Deal transparently with marshalling ActiveDirectory "objectGUID"
values. These are binary values, so they can't be sent without
marshalling across the network. This makes it possible to use
an AD objectGUID as the User ID attribute.
- Added a new "Network Timeout" setting to the LDAP server
configuration. The Network Timeout prevents the LDAP connection
from hanging indefinitely if the network connection cannot be
established and connection attempts do not raise an immediate
connection error. Important note: It is possible that during
a request several attempts at connecting to the LDAP server
are made. The time it takes for the LDAPUserFolder to return
control to Zope will be the sum of the connection attempts
multiplied by the chosen Timeout value.
2.4 (2004-07-31)
----------------
- Small fix to enable non-ASCII characters in LDAP group names
(JTracker issue 381 by Andreas Jung)
2.4beta3 (2004-06-11)
---------------------
**IMPORTANT NOTE**: This version of the LDAPUserFolder does away with
the old behavior of implicitly mapping LDAP groups
to Zope roles. Any Zope roles that get conferred
are governed by the "LDAP group to Zope role"
form on the "Groups" tab. If you relied on this
behavior please create the appropriate mappings
in your instance.
This version introduces a switchover to the new Zope Public License
(ZPL) version 2.1, which will bring the LDAPUserFolder in line with
future Zope releases.
- Added a method to retrieve the URI for the currently active
LDAP server connection which is now shown in the LDAP Servers
part of the Configure tab.
- Added MD5 to the list of available default password encryption
methods.
- Refactored caching using a new simple cache class contributed
by Chris McDonough.
- getAttributeOfAllUsers method removed in favor of a more
general getAttributesOfAllObjects method on LDAPUserFolder
class. Other methods that deal with mass query of object
attributes should likely be gradually refactored in terms
of this method at some point, but for now there is some
duality in the way attribute-centric object queries are
done.
- getUserIds method results are now cached.
- API addition: getUserIdsAndNames method added to
LDAPUserFolder, which returns a sequence of two-tuples (id,
username) for each user found in the tree. This result is
cached.
- Added minimal support for setups where user and groups base
DN is actually the same subtree (e.g. ActiveDirectory). LUF
now specifies a filter for LUF-specified user object classes
during some calls dealing with searching for users
(getUserIds, getUserNames, getUserIdsAndNames).
**If you were relying on older behavior where all objects in
a tree are returned as users from these calls regardless of
their actual object class, you will now need to ensure that you
appropriately specify your user object classes on the main
configuration page.**
One notable exception to this rule is that searching from the
LUF "Users" tab will still expose groups in search results when
user and group base DNs are the same. This is considered a minor
bug in the case that a set of user object classes is specified
and should be fixed.
- The password is no longer logged when Debug-Level logging is
enabled. To go back to the old behavior the old log code is
still in place, but must be enabled by hand in the python code.
This represents a reversed decision on JTracker issue 247.
- Refactored the Groups tab in the Zope Management Interface
(ZMI) to be less cluttered and be clearer about the difference
between group records in LDAP versus roles in Zope.
- LDAPDelegate's search method now ignores nonstandard internal
referrals returned by ActiveDirectory when querying it against
port 389. These referrals aren't returned when querying against
AD's global catalog port, so they seem safe to ignore. This
may make it possible to use LUF against the normal LDAP port (389)
of an AD server without needing to fall back to the GC port.
- Small optimization: when the login id is the DN, don't bother
contacting the LDAP server if the id passed in isn't a valid DN.
This shortcuts the possibility that the LDAP server will be
queried needlessly for names that aren't real DNs (like those
for users in user folders defined above the folder in which
LUF resides).
- LDAP groups are no longer implicitly mapped to Zope roles. The
roles that are visible on user objects created by the
LDAPUserFolder are dependent on the "LDAP group to Zope role"
mapping that can be manipulated on the "Groups" tab in the ZMI.
The existing behavior of adding the roles specified as "Default
user roles" on the "Configure" tab to all authenticated users
remains the same. This change means that the administrator now has
*full control* over what roles a user can have.
2.4beta2 (2004-04-14)
---------------------
From this version on the LDAPUserFolder product will drop
compatibility with Python 2.1. You should use Python 2.2.3
with Zope 2.6.x or Python 2.3.3 with Zope 2.7.x.
The separation of Login and User ID as described below is
only fully supported with Zope versions *higher than 2.7.0*.
For earlier versions you should select the same attributes for
both Login and User ID.
Kudos to Chris McDonough for checking in the changes below!
- The following API methods of LDAPUserFolder and LDAPDelegate
did not work properly when they were passed a unicode object
(as opposed to a string) as one of their arguments:
LDAPUserFolder.manage_edit
LDAPDelegate.edit
LDAPDelegate.insert
- When selecting the full DN as login attributes a user
was unable to log in if the DN contained non-ASCII characters
(JTracker issue 372 by Ralf Herold).
- Distinction between user id and login name. You can now
configure the attribute used for a user id to use a
different LDAP attribute than the attribute used for a
user's login name. This allows you to configure
LDAPUserFolder, and thus Zope, to use an identifier other
than the user id as a login name. This feature is useful if
you wish to use email addresses or other identifiers which
may change over time as login names.
If you employ this feature, you may allow login names to
change (by updating the LDAP attributes of the entries to
which they refer), but Zope security depends on the user id
remaining constant; you still may not allow the attribute
used for the user id to change without performing "surgery"
on your Zope instance to update local role maps stored in
your ZODB and so forth.
For backwards compatibility purposes, it is possible to set
the user id attribute and the login name attribute to point
to the same LDAP attribute. In the common case, users
upgrading from older LDAPUserFolder versions, who typically
employ "cn" as their login name attribute, should also employ
"cn" as their user id attribute.
The addition of this feature has caused some method
signatures to change in a non-backwards-compatible way.
These are LDAPUserFolder.manage_addLDAPUserFolder,
LDAPUserFolder.LDAPUserFolder.__init__, and
LDAPUserFolder.LDAPUserFolder.manage_edit. Additionally,
code which relies on LDAPUserFolder's "getUserById"
returning the same value as its "getUser" method will break
as a result of this change.
There is a new API method exposed on the LDAPUserFolder
object as a result of this change: "getUserIds", which
returns an enumeration of all user ids.
2.4beta1 (2004-03-23)
---------------------
This version *requires* you to delete and reinstantiate all
existing LDAPUserFolder and LDAPUserSatellite instances!
- Added call to clear the internal caches after a user has been
added so that getUserNames cannot return a stale user list
(JTracker issue 362 posted by Nick Bower).
- The getMultiValuedUserAttrs method was protected by an invalid
permission (JTracker issue 355 by Florent Guillaume).
- Add shortcut in getUser to immediately return None if the passed
name is empty or None.
- If it is available I am now using the ReconnectLDAPObject for
LDAP connections since it promises to hide temporary connection
problems and long connection timeouts. This could potentially
fix JTracker issue 324 by P.-J Grizel.
- A new SharedResource module based on Dieter Maurer's package is
now used to provide storage for resources that benefit from
being globally unique such as caches, the log and the LDAP
server connection object. This brings several advantages, such
as:
- The log tab will always show the same thing, regardless of
which Zope thread handled the rendering.
- The LDAP connection itself does not need to be established
for each thread, one connection handles all threads. This
will probably fix JTracker issue 337 by Florent Guillaume.
- The user object cache is globally unique now, meaning the
number of trips back to the LDAP server should be reduced.
- The list of user IDs generated by calls to getUserList is
no longer a thread-level variable but globally shared,
meaning this potentially expensive search operation will be
performed less often.
- These changes were also applied to the LDAPUserSatellite
log, user to role mapping and expiration mappings.
2.3 (2003-12-18)
----------------
- Noticed that sometimes "empty" authentication credentials lead
to unnecessary lookups for non-existing users. Relaxed a
specific authentication check so this is prevented.
- The unicode changes had possible disabling consequences for
group-to-role mappings defined on the Groups tab. Thanks go
to Helge Tesdal for pointing that one out.
2.3beta3 (2003-11-30)
---------------------
- Fixed a couple of buglets found by Florent Guillaume (JTracker
issue 333).
- Florent also noticed code that would trigger unnecessary
MODRDN calls when a user record was updated. This extra call
did not damage the record, it was just unnecessary work
(issue 334).
- Dieter Maurer provided the explanation for a recursion error
in the __getattr__ method on the LDAPUser object that a
few people had run into (JTracker issue 338 by Michael
Crawford).
- The getGroupedUsers method was not working if the groups are
stored in the user folder itself (JTracker issue 342, thanks
Florent Guillaume again).
- Spurred by Helge Tesdal and Nate Aune I spent a little more
time on the unicode-ability. Now a user that has non-ASCII
characters not just in arbitrary attributes but also in
attributes that form part of the full DN are processed
correctly. This required quite a few changes, so any feedback
is very welcome.
2.3beta2 (2003-11-02)
---------------------
- Cut down on the number of LDAP lookups in cases where the
user lookup happens "anonymously", meaning not as part of a
normal authenticated request but from the Zope security
machinery for things like ownership-related security checks.
Thanks to Kyler Laird for bringing this one up.
- All user lookups are now limited to those object classes
defined in the "User object classes" configuration setting
on the "Configure" tab. Previously the lookup policy was
much more lenient and accepted every record where the login
matched - now the object classes have to match as well.
***WARNING - THIS MIGHT BREAK YOUR SITE IF YOU WERE SLOPPY
WITH THE OBJECT CLASSES SETTING AND USAGE!***
Due to the possible breakage I had been sitting on Tracker
issue 294, filed by Andy Dustman, for quite a while before
going with it. Thanks for keeping the pressure on - it is
"the right thing" to do.
- The "Users" tab will now show a little more information on
the user record detail view by default, namely the DN and
the object classes.
- The unit tests have been changed to work with the latest
and greatest (Zope 2.7 and Python 2.3.2), which is now the
default platform used to test and develop this product.
2.3beta1 (2003-09-29)
---------------------
- Use of the distinguished name as login attribute was broken
in version 2.2 - thanks to Ralf Herold for the information
(JTracker issue 312)
- The API documentation for manage_addUser in the Zope Help
System was slightly off, thanks go to Eugene Prigorodov for
pointing that out (Issue 319).
- Cleaned up LDAP filter strings used by the product to have
surrounding parentheses.
- Enable correct handling of DN elements that contain bad
characters, such as backslash-escaped commas (Bug report
by Stephen Kirby)
2.2 (2003-08-08)
----------------
- User attributes can now be declared "multi-valued" in the
LDAP Schema, thereby ensuring that all values for that
attribute are stored on the user object (Feature request by
Jean Jordaan, JTracker issue 294).
- While investigating JTracker issue 309 ("problem changing password")
it became apparent that previous fixes to correctly use mapped
attributes during user creation were flawed. Also, _expireUser is
now more resilient against receiving invalid user information.
2.2beta4 (2003-07-24)
---------------------
- LDAP Referrals are now chased for searches as well. (JTracker
issue 277 by Eric Brun) LDAP Referrals in general *require*
LDAP server support for version 3 of the LDAP protocol. Almost
all newer servers should be able to handle that.
- Removed non-existent "_expire" call from the interfaces file
for the LDAPUser class (JTracker issue 303 filed by Jean Jordaan)
- Added "clear" password encryption scheme to the choices
available when adding a new LDAPUserFolder (JTracker issue
295, thanks to Andy Dustman)
- Added some (obviously missing) logging calls. Thanks to Jean
Jordaan for telling me about it (JTracker issue 300). Also,
added a missing message return from the LDAPDelegate modify
method.
- Revamped group handling a little bit so that the
GROUP_MEMBER_MAP mapping in the utils module is the central
place where permissible groups and their member types are
stored. Fixed issue 289 by Eric Brun which was suffering from
a related problem at the same time.
- If a new user is created and the form fields are not named
after the real LDAP attribute names but with mapped names
as specified on the LDAP schema tab the correct reverse
translation will now be done (JTracker issue 301, thanks to
Doug Winter)
- Cleaned out a bunch of unneeded imports
- Added some very interesting ActiveDirectory secrets uncovered
by Larry Prikockis to the ActiveDirectory README. This has the
potential of helping a lot of people who have difficulties
integrating Zope and ActiveDirectory.
2.2beta3 (2003-06-06)
---------------------
- The routine used to create a crypt-style password string
did not take enough precautions to ensure that the salt value
used stays pure ASCII. This could prevent users from logging in.
2.2beta2 (2003-05-14)
---------------------
- The list of LDAP servers will now respect the order in which
they were added and the connection process will go through the
servers in that same order, starting at the top of the list as
visible on the "Configure" tab. (JTracker issue 284 by Dirk
Datzert)
- Started a separate README for those hapless users who are stuck
on Active Directory with input from Philipp Kutter (JTracker
issue 280), see README.ActiveDirectory.txt
- If roles were stored locally and a user with locally stored
roles had all roles removed that user would still show up in
the user listing, even if the user record itself was removed
from LDAP. Now removal of all roles will clean the internal
roles storage mechanism correctly. Thanks go to Hans-Juergen
Sell for letting me know.
- When a user logs in the application will no longer construct
the user object with the name typed in by the user but will
look it up in the LDAP record itself. That way a user will
always be represented by the same username, regardless of what
capitalization was used upon login (JTracker issue 282, thanks
go to Ronan Amicel)
- Domain restrictions put on the emergency/init-users were not
respected, thanks to Dirk Datzert for pointing that out
in JTracker issue 283.
- Broke the Caches tab if and when the anonymous cache
contained any users, the display for anonymous cache users
was calling a non-existing method. (JTracker issue 281, my
thanks go to Ronan Amicel)
- Logic error in getGroups corrected that could lead to binding
with an invalid user/password pair. The decision about what to
bind as is now left completely up to the LDAPDelegate itself.
- Added workaround for changed behavior of ldap.explode_dn
which will blow up now if the passed-in DN does not contain
at least one key=value pair.
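An added example (not the project's code) covering three DN-related entries on this page: the DN-validity shortcut in 2.4beta3, the backslash-escaped commas from 2.3beta1, and the ldap.explode_dn behaviour just described. explode_dn mirrors what python-ldap's ldap.explode_dn returns (RDN strings, escapes kept, ValueError when there is no key=value pair); is_valid_dn is the assumed local pre-flight check.

```python
"""Split a distinguished name into RDNs, honouring backslash escapes.

Added example, not LDAPUserFolder code. explode_dn behaves like
python-ldap's ldap.explode_dn for the cases discussed in the changelog;
is_valid_dn is the assumed check run before contacting the server.
"""


def explode_dn(dn):
    """Return the RDN strings of ``dn``, splitting only on unescaped commas.

    Raises ValueError (as newer ldap.explode_dn does) when the string has
    no key=value pair, e.g. a plain login name such as "jdoe".
    """
    rdns = []
    current = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape sequence verbatim so "Doe\, John" stays one RDN.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    # Only leading whitespace is dropped: a trailing escaped space is data.
    rdns.append("".join(current).lstrip())
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("not a DN: %r" % (dn,))
    return rdns


def is_valid_dn(login):
    """Cheap local check: is ``login`` shaped like a DN at all?

    Used so that names from user folders higher up the tree never
    trigger a needless round trip to the LDAP server.
    """
    try:
        explode_dn(login)
    except ValueError:
        return False
    return True
```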
- Removed superfluous argument to manage_setUserProperty
(Tracker issue 270 by Dirk Datzert)
- Fixed manage_setUserProperty errors that crept in during
the last great code reorganization and also added a unit
test to exercise this method. (Tracker issue 269, thanks to
Dirk Datzert again for pointing that out)
2.2beta1 (2003-04-18)
---------------------
- Cache timeouts can now be set from the Caches tab in the ZMI
(Tracker issue 263 by Michael Lindig)
- "Manager DN usage" set to "Always" would still bind as the user
itself after the initial bind, now it only uses the Manager
credentials. Had to insert a bind as the user to determine
password validity, though. (Tracker issue 266)
2.1 (2003-04-14)
----------------
No significant changes between 2.1 beta3 and 2.1
2.1beta3 (2003-03-16)
---------------------
- Fixed an LDAP server misbehavior where a bind operation with
a valid user DN but empty password would seemingly succeed.
This behavior was only obvious in 2.1beta2 because I removed
code I considered obsolete. Also added unit tests for
authentication and extended the FakeLDAP module to emulate
LDAP server binding behavior. (Tracker issue 257, my thanks
go to Jan-Wijbrand Kolman)
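An added example (not LDAPUserFolder's FakeLDAP or authentication code) modelling this entry together with the 2.2beta1 "Manager DN usage" note about binding as the user to check the password: the FakeLDAP class, authenticate, MANAGER_DN and the sample directory are all constructed here.

```python
"""Authenticate against a (fake) LDAP server without being fooled by an
unauthenticated bind (valid DN + empty password)."""


class FakeLDAP:
    """Constructed bind-only stand-in for an LDAP server, emulating the
    behaviour the 2.1beta3 entry describes."""

    def __init__(self, passwords):
        self._passwords = passwords   # {dn: password}, constructed data
        self.bound_as = None
        self.bind_log = []

    def simple_bind(self, dn, password):
        self.bind_log.append((dn, password))
        if password == "":
            # RFC 4513 5.1.2: a DN with an empty password is an
            # *unauthenticated* bind; servers may accept it and report
            # success, which is exactly the trap described above.
            self.bound_as = None
            return True
        if self._passwords.get(dn) == password:
            self.bound_as = dn
            return True
        self.bound_as = None
        raise ValueError("invalid credentials")


MANAGER_DN = "cn=Manager,dc=example,dc=com"   # assumed manager account
MANAGER_PW = "manager-secret"                 # constructed, not real


def authenticate(server, user_dn, password):
    """Return True only if ``password`` really belongs to ``user_dn``.

    Refuses empty credentials before any bind, verifies the password by
    binding as the user, then rebinds with the Manager DN so later
    lookups run under the configured credentials.
    """
    if not user_dn or not password:
        return False
    try:
        server.simple_bind(user_dn, password)
    except ValueError:
        return False
    if server.bound_as != user_dn:
        return False
    server.simple_bind(MANAGER_DN, MANAGER_PW)
    return True


def make_server():
    """Constructed directory holding one user plus the manager account."""
    return FakeLDAP({
        "uid=jdoe,ou=People,dc=example,dc=com": "correct horse",
        MANAGER_DN: MANAGER_PW,
    })
```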
2.1beta2 (2003-03-02)
---------------------
- Apparently there are situations when a call to getGroups
returns a tuple. Code in the LDAPUserSatellite expected it
to be a list (Tracker issue 244).
- If the LDAPUserFolder was configured to always bind using
the Manager DN it was possible to log in with the wrong
password (Tracker issues 246 and 248, thanks go to Michael
Lindig).
- Found a problem deleting all values for a user attribute
from the ZMI which would throw an error. Discovered while
looking at the (unrelated?) issue 251 in the tracker, which
also dealt with a problem when clearing an attribute.