CHANGES.txt for the LDAPLoginAdapter

  This file contains change information for the LDAPLoginAdapter product.

    LDAPLoginAdapter 1.2

      Bugs fixed:

        * _lookupuser had an exception handler that would try to use a
          variable left uninitialized when the exception was thrown.

    LDAPLoginAdapter 1.2beta3

      Bugs fixed:

        * The methods that manipulate the publicly available user object
          attributes now make sure to flush the cache of user objects 
          and force all of them to be recreated, thereby making the 
          changes "grab" immediately and not just whenever the user object
          expires all by itself and gets recreated.

    LDAPLoginAdapter 1.2beta2

      Features Added:

        * A new management tab called "LDAP Schema" allows the 
          manager to enter or delete attributes that describe the 
          LDAP schema used for the LDAP user records. This completely
          replaces the misleading "Allowable User Attributes" found
          on the Advanced tab which had been abused to find out more 
          about the LDAP schema in use. All select lists that list
          LDAP attributes are now driven by the attributes that are
          shown on the LDAP Schema tab.

      Features deprecated:

        * The "Special Users" and "Special User Roles" feature has been
          deprecated. I considered it a kludge in cases where you cannot
          set your LDAP schema correctly. With the advent of the 
          LDAPUserManager product it has become trivially easy to add
          users and groups. This is the much preferred way of conferring
          roles to users.
    
      Bugs fixed:

        * Mishandled the loop to delete the public attribute mappings
          in manage_deletePublicUserAttrs which caused index errors

        * Default handling of method calls through the web or from 
          python was inconsistent in regards to what to return and
          what to expect. All method signatures that might expect
          REQUEST now set it to a default value of None and in the 
          method body test to see if it is None. This improves the
          use of methods from python where no REQUEST is guaranteed.

        * Change capitalization of manage_AddPublicUserAttrs to bring
          it in line with the normally used capitalization scheme

        * Renamed "Contents" tab to "Custom Forms" to clear up the
          meaning of this tab

    LDAPLoginAdapter 1.2beta1

      Features Added:

        * Cookie-based authentication with a login page and the
          ability to simply drop in custom login pages.

        * Complete rewriting of all code connected to the 
          validate method, which does the actual authentication,
          to reflect the way it is done in the latest built-in
          user folder object.

      Bugs fixed:

        * The binduid and bindpwd attributes which hold the DN and
          password of the LDAP server manager user are now safeguarded
          from DTML access by changing names to _binduid and _bindpwd.
          A (protected) method, getProperty, is now used to get them.

        * The LDAP search string created in _lookupuser, the method
          which is called by validate to find a user in LDAP, created
          search expressions with asterisk wildcard characters around
          the search term. These were removed in the interest of an 
          unambiguous match.
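
          The wildcard change above, worked through as an added example (this is not LDAPLoginAdapter code; the function names and the sample uid list are hypothetical). It goes one step beyond the changelog entry by also escaping RFC 4515 special characters, so an asterisk typed into the login field cannot reintroduce the ambiguity. Matching is assumed to be case-insensitive.

```python
import re

# Constructed sample directory: values of the login attribute only.
SAMPLE_UIDS = ["bob", "bobby", "abob", "alice"]

# RFC 4515 characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so user input is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def wildcard_filter(attr, term):
    """Substring filter, the pre-1.2beta1 behaviour the changelog describes."""
    return "(%s=*%s*)" % (attr, escape_filter_value(term))


def exact_filter(attr, term):
    """Equality filter: no wildcards around the search term."""
    return "(%s=%s)" % (attr, escape_filter_value(term))


def _unescape(part):
    # Turn \XX hex escapes back into the characters they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def matches(filter_str, value):
    """Evaluate one simple (attr=assertion) filter against a single value."""
    assertion = filter_str[1:-1].split("=", 1)[1]
    # Unescaped '*' separates literal pieces; escaped ones arrive as \2a.
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    flags = re.IGNORECASE | re.DOTALL
    return re.fullmatch(".*".join(parts), value, flags) is not None


def search(filter_str, uids=SAMPLE_UIDS):
    """Return every sample uid the filter selects."""
    return [u for u in uids if matches(filter_str, u)]


def lookup_user(filter_str, uids=SAMPLE_UIDS):
    """Return the uid only when exactly one record matches, else None."""
    hits = search(filter_str, uids)
    return hits[0] if len(hits) == 1 else None
```

          With the constructed sample, the wildcard filter for "bob" selects three records and the lookup refuses to pick one, while the exact filter selects a single record.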

    LDAPLoginAdapter 1.1

      Features Added:

        * Instead of hardcoding fixed publicly available attributes
          onto the LDAPUser object you can now take full control
          of the mapping from LDAP attribute to public user object
          attribute.
          A public user object attribute is an attribute that is 
          directly accessible on the user object. DTML code like 
          "AUTHENTICATED_USER.email" is an example of accessing
          a directly accessible attribute on the user object. A lot
          of legacy DTML code relies on such attributes.

      Bugs fixed:

        * finduser() now lowercases all DN records from valid groups
          and compares them to a lowercased DN from any search results
          among user records. This fixes records not showing up if
          the capitalization in the group and on the user record 
          is different.

        * When a user object was created the code expected a "mail"
          attribute on the LDAP record to set the email attribute 
          used for compatibility with the Tracker. This has been 
          repaired and will just default to an empty string.

        * Users who use tools like PADL's migration script end up
          with records that do not have the expected "sn" attribute.
          This is now set to a default value in finduser() to avoid
          errors in case it is not there.
          This will make the LDAPLoginAdapter compatible with
          user records of type posixAccount.


    LDAPLoginAdapter 1.0

      Bugs fixed:

        * Due to a bug in checking the return values from an LDAP search 
          the cache can be polluted by invalid records for failed
          logins. This did not constitute a security breach, just more
          processing than necessary.


    LDAPLoginAdapter 1.0beta3

      Bugs Fixed:

        * Moved the LDAP search scope translation list from a volatile
          attribute on the LDAPLoginAdapter to a module-level attribute.
          This avoids any re-initialization calls.

        * Eliminated the extra attribute _v_loglines that counted the 
          length of the log. A simple call to len(self._v_log) replaces 
          it where log length info is needed.

        * Created one centralized method that handles connecting to and 
          searching the LDAP server. This allows centralized error
          handling and makes for less and cleaner code. So far finduser, 
          getUserDetails, getGroups, getUserNames and _lookupuser have 
          been converted to use it instead of having their own connection 
          code.

        * Rooted out error that would put a known user into the cache
          even though the password was not matched. This was not a
          security error since the broken user had the wrong password
          and failed any tests in validate()

        * Rigorous pruning of overly long lines of code to pare everything
          down to 80 chars width max

        * Avoiding unnecessary calls to the logging routine by checking
          for the correct log level *before* the call and not in the
          logging method.

        * Added a file, SAMPLE_RECORDS.txt, that shows a sample group-
          and user record. This will hopefully make it easier to
          understand the types of LDAP records needed.

      Features added:

        * Nicer Search screen adopted from the LDAPUserManager


    LDAPLoginAdapter 1.0beta2

      Features added:

        * Clearer error messages through refactoring of all code that
          is responsible for connecting and disconnecting from the LDAP
          server.

        * Co-operation with the Zope Tracker software has been ensured
          by making a full name and email attribute available on the
          user object returned from the LDAPLoginAdapter.

        * Added API documentation to the Zope Help System

      Bugs Fixed:

        * Various code cleanups

        * Added check to see if a server address with a prepended
          "ldap://" was entered.

        * Updated all docs to clarify the reliance on Zope 
          version 2.3.0 or higher.

        * Vetted all code to make sure that every connection made 
          to the LDAP server is followed by a formal disconnect, 
          regardless of processing between connect and disconnect.


    LDAPLoginAdapter 1.0beta1

      Features added:

        * The LDAP record attribute to be used as the user's name 
          can be selected from a list of attributes

        * The list of LDAP attributes to be used as the user's name
          can be extended or reduced and custom attributes can be 
          added to it.

        * A Search screen allows the Manager to search the LDAP
          database for user records and then view their details.

        * The python code has been refactored and the code for the 
          LDAPUser class has been split off into a separate module.

        * All LDAPLoginAdapter-specific management screens have help
          screens associated with them, accessible through the built-in
          Zope Help System.

        * All management screens have been modified to integrate with
          the new Zope Management Interface, introduced in Zope 2.3.0.

        * ...and many others I forgot to track.


    The Beginning

      This product started from Ross Lazarus' Zope LDAP Adapter, which has 
      since seen many improvements and moved to SourceForge. You can see
      Ross' and Soren Roug's efforts at:

          http://sourceforge.net/projects/zldapadapter

      I decided to use it as a base and develop a customized version for 
      use in authenticating users in Digital Creations' own intranet. I
      have come to the point where it has matured enough to be released 
      to a wider audience.