CHANGES.txt for the LDAPLoginAdapter
This file contains change information for the LDAPLoginAdapter product.
* _lookupuser had an exception handler that would try to use a
variable left uninitialized when the exception was thrown.
* The methods that manipulate the publicly available user object
attributes now make sure to flush the cache of user objects
and force all of them to be recreated, so that the changes
take effect immediately and not just whenever a cached user
object expires by itself and gets recreated.
* A new management tab called "LDAP Schema" allows the
manager to enter or delete attributes that describe the
LDAP schema used for the LDAP user records. This completely
replaces the misleading "Allowable User Attributes" found
on the Advanced tab which had been abused to find out more
about the LDAP schema in use. All select lists that list
LDAP attributes are now driven by the attributes that are
shown on the LDAP Schema tab.
* The "Special Users" and "Special User Roles" feature has been
deprecated. I considered it a kludge in cases where you cannot
set your LDAP schema correctly. With the advent of the
LDAPUserManager product it has become trivially easy to add
users and groups. This is the much preferred way of conferring
roles on users.
* Mishandled the loop to delete the public attribute mappings
in manage_deletePublicUserAttrs, which caused index errors.
* Default handling of method calls through the web or from
Python was inconsistent with regard to what to return and
what to expect. All method signatures that might expect
REQUEST now set it to a default value of None and, in the
method body, test whether it is None. This improves the
use of methods from Python, where no REQUEST is guaranteed.
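The two entries above describe a deletion loop that raised index errors and the REQUEST=None convention. The following is an added example written for this changelog, not LDAPLoginAdapter's own code; the stub classes, the attribute names and the management URL are assumptions made for the example.

```python
# Added example for the two entries above; it is not LDAPLoginAdapter's own
# code. The stub classes, attribute names and the management URL are
# assumptions made for the example.

class FakeResponse:
    """Stand-in for a Zope RESPONSE object (constructed for this example)."""

    def __init__(self):
        self.redirected_to = None

    def redirect(self, url):
        self.redirected_to = url


def buggy_delete_by_index(mappings, names):
    """The kind of loop that causes index errors: the range is fixed before
    the loop, so after a deletion the later indexes run past the end of the
    shrunken list, and the element that slid into the deleted slot is never
    examined at all."""
    mappings = list(mappings)
    for i in range(len(mappings)):
        if mappings[i][1] in names:  # IndexError once the list has shrunk
            del mappings[i]
    return mappings


class LoginAdapterStub:
    """Minimal stand-in for the adapter; holds (ldap_attr, public_name) pairs."""

    def __init__(self, mappings):
        self._public_attr_map = list(mappings)

    def absolute_url(self):
        return "http://zope.example/acl_users"  # assumed location

    def manage_deletePublicUserAttrs(self, public_names, REQUEST=None):
        """Delete the mappings whose public name is listed in public_names.

        Building a new list instead of deleting from the one being iterated
        avoids the index errors. REQUEST defaults to None so the method can
        be called from Python; only a web request gets a redirect."""
        to_delete = set(public_names)
        self._public_attr_map = [
            (ldap_attr, public_name)
            for ldap_attr, public_name in self._public_attr_map
            if public_name not in to_delete
        ]
        if REQUEST is not None:
            # Called through the web: send the manager back to the tab.
            REQUEST["RESPONSE"].redirect(self.absolute_url() + "/manage_main")
            return None
        # Called from Python: hand back what is left.
        return list(self._public_attr_map)
```

From Python the method returns the remaining mappings; through the web it redirects and returns None, which is the split the entry describes.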
* Changed capitalization of manage_AddPublicUserAttrs to bring
it in line with the normally used capitalization scheme.
* Renamed the "Contents" tab to "Custom Forms" to clear up the
meaning of this tab.
* Cookie-based authentication with a login page and the
ability to simply drop in custom login pages.
* Complete rewriting of all code connected to the
validate method, which does the actual authentication,
to reflect the way it is done in the latest built-in
user folder object.
* The binduid and bindpwd attributes, which hold the DN and
password of the LDAP server manager user, are now safeguarded
from DTML access by changing their names to _binduid and _bindpwd.
A (protected) method, getProperty, is now used to get them.
* The LDAP search string created in _lookupuser, the method
which is called by validate to find a user in LDAP, created
search expressions with asterisk wildcard characters around
the search term. These were removed in the interest of an
* Instead of hardcoding fixed publicly available attributes
onto the LDAPUser object you can now take full control
of the mapping from LDAP attribute to public user object attribute.
A public user object attribute is an attribute that is
directly accessible on the user object. DTML code like
"AUTHENTICATED_USER.email" is an example of accessing
a directly accessible attribute on the user object. A lot
of legacy DTML code relies on such attributes.
* finduser() now lowercases all DN records from valid groups
and compares them to a lowercased DN from any search results
among user records. This fixes records not showing up if
the capitalization in the group and on the user record
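The case-insensitive DN comparison in the finduser() entry above, as an added example that is not LDAPLoginAdapter's own code. Lowercasing is what the entry describes; trimming the whitespace around the RDN separators is an extra normalization assumed here, and the group records and the "uniqueMember" attribute name are constructed for the example.

```python
# Added example for the finduser() entry above; not LDAPLoginAdapter's own
# code. It compares a user's DN with the member DNs in group records after
# normalizing both. Lowercasing is what the entry describes; trimming the
# whitespace around the RDN separators is an extra step assumed here. The
# group records and the "uniqueMember" attribute name are constructed.

def normalize_dn(dn):
    """Lowercase a DN and drop whitespace around ',' and '='.

    Values containing an escaped comma ('\\,') are not handled by this
    simple split; a full RFC 4514 parser would be needed for those."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def roles_for_user(user_dn, group_records, member_attr="uniqueMember"):
    """Return the cn of every group whose member list contains user_dn,
    regardless of how either side capitalizes or spaces the DN."""
    wanted = normalize_dn(user_dn)
    roles = []
    for _group_dn, attrs in group_records:
        members = {normalize_dn(m) for m in attrs.get(member_attr, [])}
        if wanted in members:
            roles.append(attrs["cn"][0])
    return roles


# Constructed sample group records in (dn, attributes) form.
SAMPLE_GROUPS = [
    ("cn=Managers,ou=groups,dc=example,dc=com",
     {"cn": ["Managers"],
      "uniqueMember": ["cn=Jane Doe,ou=people,dc=example,dc=com"]}),
    ("cn=Editors,ou=groups,dc=example,dc=com",
     {"cn": ["Editors"],
      "uniqueMember": ["cn=John Smith,ou=people,dc=example,dc=com"]}),
]
```

Without the normalization, a user record whose DN came back as "CN=jane doe, OU=People, ..." would never match the "cn=Jane Doe,ou=people,..." stored in the group, which is exactly the missing-records symptom the entry fixes.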
* When a user object was created the code expected a "mail"
attribute on the LDAP record to set the email attribute
used for compatibility with the Tracker. This has been
repaired and will just default to an empty string.
* Users who use tools like PADL's migration script end up
with records that do not have the expected "sn" attribute.
This is now set to a default value in finduser() to avoid
errors in case it is missing.
This will make the LDAPLoginAdapter compatible with
user records of type posixAccount.
* Due to a bug in checking the return values from an LDAP search
the cache can be polluted by invalid records for failed
logins. This did not constitute a security breach, just more
processing than necessary.
* Moved the LDAP search scope translation list from a volatile
attribute on the LDAPLoginAdapter to a module-level attribute.
This avoids any re-initialization calls.
* Eliminated the extra attribute _v_loglines that counted the
length of the log. A simple call to len(self._v_log) replaces
it where log length info is needed.
* Created one centralized method that handles connecting to and
searching the LDAP server. This allows centralized error
handling and makes for less and cleaner code. So far finduser,
getUserDetails, getGroups, getUserNames and _lookupuser have
been converted to use it instead of having their own connection
* Rooted out an error that would put a known user into the cache
even though the password was not matched. This was not a
security error, since the broken user had the wrong password
and failed any tests in validate().
* Rigorous pruning of overly long lines of code to pare everything
down to 80 chars width max.
* Avoiding unnecessary calls to the logging routine by checking
for the correct log level *before* the call and not in the
* Added a file, SAMPLE_RECORDS.txt, that shows a sample group
record and a sample user record. This will hopefully make it
easier to understand the types of LDAP records needed.
* Nicer Search screen adopted from the LDAPUserManager.
* Clearer error messages through refactoring of all code that
is responsible for connecting and disconnecting from the LDAP
* Co-operation with the Zope Tracker software has been ensured
by making a full name and email attribute available on the
user object returned from the LDAPLoginAdapter.
* Added API documentation to the Zope Help System
* Various code cleanups
* Added check to see if a server address with a prepended
"ldap://" was entered.
* Updated all docs to clarify the reliance on Zope
version 2.3.0 or higher.
* Vetted all code to make sure that every connection made
to the LDAP server is followed by a formal disconnect,
regardless of processing between connect and disconnect.
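Several entries above touch the same piece of code: the search filter built without asterisk wildcards, the cache that must not be polluted by failed logins, the single centralized connect-and-search method, the ldap:// address check and the guaranteed disconnect. The following added example, not LDAPLoginAdapter's own code, puts those together. FakeLDAPConnection is a constructed stand-in that only borrows the method names of python-ldap (simple_bind_s, search_s, unbind_s) so the example runs offline; the manager credentials and directory contents are constructed sample data.

```python
import re

# Added example, not LDAPLoginAdapter's own code. One helper connects, searches
# and always disconnects; the filter is built from the exact user name with
# the reserved filter characters escaped instead of wrapping the term in
# asterisks; and the cache only receives users whose lookup succeeded.
# FakeLDAPConnection is a constructed stand-in that uses the method names of
# python-ldap (simple_bind_s, search_s, unbind_s) so the example runs offline.

SCOPE_SUBTREE = 2  # numeric value python-ldap uses for ldap.SCOPE_SUBTREE

MANAGER_DN = "cn=manager,dc=example,dc=com"  # constructed bind credentials
MANAGER_PW = "manager-secret"


class LDAPError(Exception):
    """Stand-in for ldap.LDAPError."""


class FakeLDAPConnection:
    """Tiny in-memory directory supporting only (attr=value) filters."""

    def __init__(self, directory):
        self.directory = directory  # {dn: {attribute: [values]}}
        self.unbound = False

    def simple_bind_s(self, binddn, bindpw):
        if (binddn, bindpw) != (MANAGER_DN, MANAGER_PW):
            raise LDAPError("invalid credentials")

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", filterstr)
        if m is None:
            raise LDAPError("filter form not supported by this stub")
        attr, value = m.group(1), m.group(2)
        return [(dn, attrs) for dn, attrs in self.directory.items()
                if dn.endswith(base) and value in attrs.get(attr, [])]

    def unbind_s(self):
        self.unbound = True


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value, so a
    user name containing '*', '(' or ')' stays a literal name."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def check_server_address(address):
    """Reject a server address entered with a leading 'ldap://'."""
    if address.lower().startswith("ldap://"):
        raise ValueError("enter the host name without the ldap:// prefix")
    return address


def ldap_search(connect, binddn, bindpw, base, filterstr, attrs=None):
    """Single place that connects, searches and disconnects. The finally
    clause guarantees the unbind whatever happens in between."""
    conn = connect()
    try:
        conn.simple_bind_s(binddn, bindpw)
        return conn.search_s(base, SCOPE_SUBTREE, filterstr, attrs)
    finally:
        conn.unbind_s()


class UserLookup:
    """Looks users up by their login attribute and caches only real hits."""

    def __init__(self, connect, binddn, bindpw, base, login_attr="uid"):
        self.connect, self.binddn, self.bindpw = connect, binddn, bindpw
        self.base, self.login_attr = base, login_attr
        self._cache = {}

    def lookup(self, username):
        if username in self._cache:
            return self._cache[username]
        filterstr = "(%s=%s)" % (self.login_attr, escape_filter_value(username))
        try:
            results = ldap_search(self.connect, self.binddn, self.bindpw,
                                  self.base, filterstr)
        except LDAPError:
            return None  # connection or bind failure: cache nothing
        if len(results) != 1:
            return None  # unknown (or ambiguous) user: cache nothing
        self._cache[username] = results[0]
        return results[0]
```

With the exact-match filter a login name of "*" finds nobody instead of every user, an unknown name leaves the cache untouched, and every connection object is unbound even when the bind itself fails.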
* The LDAP record attribute to be used as the user's name
can be selected from a list of attributes.
* The list of LDAP attributes to be used as the user's name
can be extended or reduced and custom attributes can be
added to it.
* A Search screen allows the Manager to search the LDAP
database for user records and then view their details.
* The python code has been refactored and the code for the
LDAPUser class has been split off into a separate module.
* All LDAPLoginAdapter-specific management screens have help
screens associated with them, accessible through the built-in
Zope Help System.
* All management screens have been modified to integrate with
the new Zope Management Interface, introduced in Zope 2.3.0.
* ...and many others I forgot to track.
This product started from Ross Lazarus' Zope LDAP Adapter, which has
since seen many improvements and moved to SourceForge. You can see
Ross' and Soren Roug's efforts at:
I decided to use it as a base and develop a customized version for
use in authenticating users in Digital Creations' own intranet. I
have come to the point where it has matured enough to be released
to a wider audience.