Metadata-Version: 1.0
Name: Products.LDAPUserFolder
Version: 2.16
Summary: A LDAP-enabled Zope 2 user folder
Home-page: http://pypi.python.org/pypi/Products.LDAPUserFolder
Author: Jens Vagelpohl and contributors
Author-email: jens@dataflake.org
License: ZPL 2.1 (http://www.zope.org/Resources/License/ZPL-2.1)
Description: =========================
        Products.LDAPUserFolder
        =========================
        
        .. contents::
        
        NOTE: Do not install the CMFLDAP GenericSetup extension profile into a Plone
        site. They are meant for pure CMF sites only and will break Plone.
        
        This product is a replacement for a Zope user folder. It does not store its
        own user objects but builds them on the fly after authenticating a user against
        the LDAP database.
        
        Bug tracker
        ===========
        
        Please post questions, bug reports or feature requests to the bug tracker
        at https://bugs.launchpad.net/ldapuserfolder
        
        SVN version
        ===========
        
        You can retrieve the latest code from Subversion using setuptools or
        zc.buildout via this URL:
        
        http://svn.dataflake.org/svn/Products.LDAPUserFolder/trunk#egg=Products.LDAPUserFolder
        
        
        How to upgrade
        ==============
        
        Upgrading entails not only unpacking the new code, you should also delete and
        recreate all LDAPUserFolder instances in your Zope installation to prevent
        errors. A safe upgrade strategy looks like this:
        
        - log in as an emergency user
        - delete all LDAPUserFolder instances
        - upgrade the filesystem product
        - restart Zope
        - log in as emergency user
        - recreate the LDAPUserFolder instances
        
        How to create an emergency user is described in the SECURITY.txt document in
        the 'doc' folder at the root of your Zope software installation. The
        mentioned 'zpasswd.py' script resides in the 'bin' folder at the root of your
        Zope installation.
        
        Debugging problems
        ==================
        
        All log messages are sent to the standard Zope event log 'event.log'. In
        order to see more verbose logging output you need to increase the log level
        in your Zope instance's zope.conf. See the 'eventlog' directive. Setting
        the 'level' key to 'debug' will maximize log output and may help pinpoint
        problems during setup and testing.
        
        Why does the LDAPUserFolder not show all my LDAP groups?
        ========================================================
        
        According to feedback received from people who use Netscape directory
        products the way a new group is instantiated allows empty groups to exist
        in the system. However, according to the canonical definition for group
        records groups must always have a group member attribute.
        The LDAPUserFolder looks up group records by looking for group member
        entries. If a group record has no members then it will be skipped. As said
        above, this only seems to affect Netscape directory servers.
        To work around this (Netscape) phenomenon add one or more members to the
        group in question using the tools that came with the directory server. It
        should appear in the LDAPUserFolder after that.
        
        Why use LDAP to store user records?
        ===================================
        
        LDAP as a source of Zope user records is an excellent choice in many cases,
        like...
        
        - You already have an existing LDAP setup that might store company employee
        data and you do not want to duplicate any data into a Zope user folder
        
        - You want to make the same user database available to other applications
        like mail, address book clients, operating system authenticators
        (PAM-LDAP) or other network services that allow authentication against
        LDAP
        
        - You have several Zope installations that need to share user records or a
        ZEO setup
        
        - You want to be able to store more than just user name and password in your
        Zope user folder
        
        - You want to manipulate user data outside of Zope
        
        ... the list continues.
        
        The LDAP Schema
        ===============
        
        Your LDAP server should contain records that can be used as user
        records. Any object types like person, organizationalPerson,
        or inetOrgPerson and any derivatives thereof should work. Records
        of type posixAccount should work correctly as well.
        The LDAPUserFolder expects your user records to have at least the
        following attributes, most of which are required for the
        abovementioned object classes, anyway:
        
        - an attribute to hold the user ID (like cn, uid, etc)
        
        - userPassword (the password field)
        
        - objectClass
        
        - whatever attribute you choose as the username attribute
        
        - typcial person-related attributes like sn (last name),
        givenName (first name), uid or mail (email address) will make
        working with the LDAPUserFolder nicer
        
        Zope users have certain roles associated with them, these roles
        determine what permissions the user have. For the LDAPUserFolder,
        role information can be expressed through membership in group
        records in LDAP.
        
        Group records can be of any object type that accepts multiple
        attributes of type "uniqueMember" or "member" and that has a
        "cn" attribute. One such type is "groupOfUniqueNames". The cn
        describes the group / role name while the member attributes point
        back to all those user records that are part of this group. Only
        those group-style records that use full DNs for its members
        are supported, which excludes classes like posixGroup.
        
        For examples of valid group- and user-records for LDAP please
        see the file SAMPLE_RECORDS.txt in this distribution. It has
        samples for a user- and a group record in LDIF format.
        
        It is outside of the scope of this documentation to describe the
        different object classes and attributes in detail, please see
        LDAP documentation for a better treatment.
        
        Things to watch out for
        =======================
        
        Since a user folder is one of these items that can lock users out
        of your site if they break I suggest testing the settings in some
        inconspicuous location before replacing a site's main acl_users folder
        with a LDAPUserFolder.
        
        As a last resort you will always be able to log in and make changes
        as the superuser (or in newer Zope releases called "emergency user")
        who, as an added bonus, can delete and create user folders. This is
        a breach of the standard "the superuser cannot create / own anything"
        policy, but can save your skin in so many ways.
        
        LDAP Schema considerations when used with the CMF
        =================================================
        
        The CMF (and by extension, Plone) expect that every user has an email
        address. In order to make everything work correctly your LDAP user
        records must have a "mail" attribute, and this attribute must be set
        up in the "LDAP Schema" tab of your LDAPUserFolder. When you add the
        "mail" schema item make sure you set the "Map to Name" field to
        "email".
        
        The attributes that show up on the join form and the personalize view
        are governed by the properties you 'register' using the
        'Member Properties' tab in the portal_memberdata tool ZMI view, which
        in turn is sourced from the 'LDAP Schema' tab in the LDAPUserFolder
        ZMI view. Attributes you would like to enable for portal members
        must be set up on the LDAPUserFolder 'LDAP Schema' tab first, and
        then registered using the 'Membeer properties' screen in the
        Member data tool ZMI view.
        
        
        ------------------------------------------------------------
        
        Changelog for Products.LDAPUserFolder
        =====================================
        
        This file contains change information for the LDAPUserFolder product.
        To see changes for older releases please see HISTORY.txt.
        
        2.16 (2010-04-15)
        -----------------
        
        - depend on dataflake.ldapconnection so tests run without
        any hassle.
        
        - Use sha hexdigests instead of digests to build cache keys,
        digest values can contain non-ASCII characters.
        
        
        2.15 (2010-04-12)
        -----------------
        
        - Changed import/export test code to be compatible with
        GenericSetup 1.5
        
        - No longer force-inject the "fakeldap" module into the module
        namespace sys.modules as "ldap" for testing
        
        
        2.14 (2009-12-22)
        -----------------
        
        - Updated compatibility with CMF 2.1 and the upcoming
        dataflake.ldapconnection 1.0
        
        - Potential Bug: Avoid cache hash clashes by recomputing the hash
        when the admin clears the caches in the ZMI
        (http://www.dataflake.org/tracker/issue_00629)
        
        - Bug: _lookupuserbyattr created its own user search filter and
        did not take the _extra_user_filter attribute into account
        (http://www.dataflake.org/tracker/issue_00640)
        
        
        2.13 (2009-05-02)
        -----------------
        
        - Factoring: Removed the SSHA module in favor of using Zope's
        AccessControl.AuthEncoding module to handle password creation for
        most types of encryption.
        
        - Bug: Binary attribute handling in manage_addUser was broken. Only the
        first character in the binary attribute's value would be stored.
        
        - Miscellaneous: Weed out all LDAP search calls that would indiscriminately
        pull all attributes from a user record. This will reduce server load if
        the user record contains large attributes such as jpegPhoto.
        
        - Feature: Added GenericSetup support with import/export steps for the
        LDAPUserFolder. When installing the LDAPUserFolder via Buildout, make
        sure to specify the extra name "exportimport" to automatically pull
        the GenericSetup dependency: Products.LDAPUserFolder[exportimport]
        
        - Factoring: GenericSetup profile registration and CMF skin folder
        registration now moved from code to ZCML. Renamed profile
        "default" to "cmfldap", that's a more descriptive name. The minimum CMF
        version required for installing the CMF integration is now 2.1.0, which
        implies Zope 2.10.4 or later.
        
        
        2.12 (2008-10-21)
        -----------------
        
        - Bug/LDAPDelegate: Use the canonical explode_dn method when splitting
        up a DN for escaping its values instead of hand-splitting on ",", which
        breaks if the DN contains commas in any value. Patch by Russell Sim.
        This also required cleaning up one test that used an invalid DN format.
        (http://www.dataflake.org/tracker/issue_00623)
        
        - Factoring: For testing, use the fakeldap module from the
        dataflake.ldapconnection package instead of maintaining a copy here.
        
        - Factoring: Refactored unit tests to use ZopeTestCase and ZopeLite instead
        of hand-rolling ZODB connections etc.
        
        - Bug: Added explicit CMFDefault dependency for the CMF-related functions
        by adding an extras_require in setup.py.
        
        - Bug: Make sure a user is purged from the negative cache when the user
        is explicitly expired.
        (http://www.dataflake.org/tracker/issue_00617)
        
        
        2.11 (2008-08-01)
        -----------------
        
        - Feature: The site administrator may now set an arbitrary LDAP search
        filter expression that will be applied to all user searches in
        addition to the default filters. Only those user records matching both
        the default filter and this arbitrary filter expression will be
        returned. CAUTION: The filter expression must conform to standard LDAP
        filter syntax. Setting a wrong value will lock out your users!
        (http://www.dataflake.org/tracker/issue_00615)
        
        - Factoring: Move the LDAP server configuration off the Configure
        tab in the ZMI to its own LDAP Servers tab to avoid overcrowding the
        configuration view even more.
        
        - Bug: The unit tests for the LDAPMemberDataTool and the
        LDAPMembershipTool did not run due to a faulty import.
        
        - Bug: The ZMI Caches tab erroneously suggested that a cached user's
        last access time would be recorded and/or updated. This was not the case,
        it is recorded at user object creation and then never updated. The Caches
        tab will now reflect the creation time. Since the API to set or query the
        last access time was not used anywhere it has been removed.
        (in response to http://www.dataflake.org/tracker/issue_00614 by Stefan
        Loidl)
        
        
        2.10 (2008-07-21)
        -----------------
        
        - Bug: Recreating the internal cache hash key inside
        LDAPUserFolder.__setstate__ can lead to values differring from one thread
        to the next, leading to unnecessary extra LDAP lookups for values already
        cached under the original key.
        (http://www.dataflake.org/tracker/issue_00608 by Stefan Loidl)
        
        - Factoring: LDAPUserFolder.__setstate__: Removed old backwards-compatibility
        gyrations.
        
        - Bug: FakeLDAP could not handle BASE-scoped searches
        
        - Bug: LDAPUserFolder.searchUsers mishandled searches on DN by not passing
        the correct BASE search scope through. Found by Nico Grubert.
        
        
        2.9 (2008-06-04)
        ----------------
        
        - Bug: LDAPUserFolder.getUserByAttr: The negative login cache used for
        preventing repeated LDAP requests when a user enters wrong
        creadentials was keyed on user login alone. This would prevent
        subsequent logins with the correct password. Thanks to Tarek
        Ziade for test and patch and Gilles Lenfant for filing the issue.
        (http://www.dataflake.org/tracker/issue_00605)
        
        - Refactoring: test suite: Rearrange imports to prevent error messages when
        the CMF is not present.
        
        - Bug: LDAPDelegate.search: Improve searches on binary attributes such as
        objectGUID by introducing a method argument that prevents
        UTF*-conversion of the filter expression passed in.
        (http://www.dataflake.org/tracker/issue_00576 by Wichert Akkerman)
        
        - Feature: Improve binary attribute handlng by introducing a binary flag
        for LDAP schema items that is consulted when inserting/modifying an
        attribute flagged that way. Introduce a hardcoded list of
        binary attributes to no convert from UTF-8 when searching.
        (http://www.dataflake.org/tracker/issue_00598 Dragos Chirila)
        
        - Bug: LDAPUserFolder.getUserByAttr: made login attribute and uid attribute
        retrieval safer by explicitly providing a default.
        (http://www.dataflake.org/tracker/issue_00602 by Martin Gfeller)
        
        - Bug: ZMI Groups tab: Asking for the type of group via a separate
        LDAP search for every group listed is unfeasible for installations
        with large numbers of groups, it is now only done if the total
        number of groups is less than 50.
        
        
        2.9-beta (2008-01-01)
        ---------------------
        
        NOTE: In order to use the LDAP-based CMF membership components
        you need CMF version 2.1.0 or higher.
        
        - Bug: Added a __setstate__ hook for deleting old-style logger
        instances which were removed for version 2.7 but are now showing
        up as "broken" objects and may prevent Plone migration scripts
        from working correctly, pointed out by Martijn Pieters.
        (http://www.dataflake.org/tracker/issue_00574)
        
        - Bug: Removed failing unit test for old-style Zope 2 interfaces that
        no longer exist in the CMF
        
        - Bug: CMFLDAP skins: Cleanups and changes to align the custom skin
        scripts and templates with their CMF 2.1.0 counterparts
        
        - Bug: LDAPMemberDataTool: The "Member Properties" ZMI tab was broken
        due to a typo in the ZPT code.
        
        - Bug: LDAPMemberDataTool: Adjusted wrapUser to match the changed
        behavior in CMF 2.1.0 and up.
        
        - Bug: LDAPMembershipTool/LDAPMemberDataTool: Since the core CMF tools
        no longer support the IActionProvider interface the tests to
        prove the LDAP-based versions support these interfaces have been
        removed.
        
        - Bug: The functional test rig setup has been changed to avoid
        DeprecationWarning-Messages from GenericSetup 1.3 and up.
        
        - Bug: LDAPUserFolder.searchGroups: Make the code more defensive for
        situations where a search would return groups without members,
        suggested by Nick Davis.
        (http://www.dataflake.org/tracker/issue_00584)
        
        - Feature: Added negative caching for users to avoid querying the LDAP
        server again and again for invalid logins. Patch provided by Wichert
        Akkerman.
        (http://www.dataflake.org/tracker/issue_00572)
        
        - Feature: added a group/membership mapping for group type "univentionGroup"
        (http://www.dataflake.org/tracker/issue_00569)
        
        - Documentation: Noted the danger of trying to install the CMFLDAP
        extensions into a Plone site: Just don't do it, you will suffer!
        
        
        ------------------------------------------------------------
        
        Download
        ========
Keywords: web application server zope zope2 ldap
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Framework :: Zope2
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Zope Public License
Classifier: Programming Language :: Python
Classifier: Topic :: Internet :: WWW/HTTP :: Site Management
Classifier: Topic :: Software Development
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
