On Sun, Feb 20, 2011 at 12:39, Martijn Pieters <mj@zopatista.com> wrote:
Yes, changing the existing interface would require a 4.0. If you'd add a new interface extending the IPasswordManager one, we could do it in a 3.x release.
A new zope.password 3.x release could go into both ZTK 1.1 and 1.0, a backwards incompatible 4.0 would have to wait for ZTK 1.2.
Right. What would be a suitable name for the extended interface? IMatchingPasswordManager?
I've committed a revision that implements this as an extension to the existing interface:
http://zope3.pov.lt/trac/changeset/120458/zope.password/trunk
but that's easy enough to change.
I've also found that the SHA1 scheme in zope.password uses the {SHA1} prefix, which is incompatible with LDAP and AccessControl.AuthEncoding, which both use {SHA} instead. I'll change zope.password to support {SHA} as well, defaulting to that prefix.
I've implemented the {SHA} prefix change, as well as implementing {CRYPT} support, making zope.password useful for all schemes explicitly named in RFC 2307, except the MD5 scheme. The latter uses a salt by default, making it incompatible with LDAP {MD5}.
OpenLDAP implements a salted MD5 scheme ({SMD5}) but places the salt at the end of the hash, not at the beginning as the zope.password manager implements it. I think I can keep that one backwards compatible but disable support for generating hashes with a salt, and add an SMD5 manager to implement a compatible scheme.
With all the new password managers, this will be at least a 3.7 release, with a separate extended interface.
--
Martijn Pieters
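
The LDAP-style layout discussed in the message above (scheme prefix, then base64 of the digest with the salt placed after it), as an added example that is not part of the original post and is not zope.password's code. The function names `encode` and `check`, the 4-byte random salt, and the strict handling of stray salt bytes are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hash constructor, whether a salt is used).
SCHEMES = {
    "{MD5}": (hashlib.md5, False),
    "{SMD5}": (hashlib.md5, True),
    "{SHA}": (hashlib.sha1, False),
    "{SSHA}": (hashlib.sha1, True),
}


def encode(scheme, password, salt=None):
    """Build a stored value: prefix + base64(digest(password + salt) + salt)."""
    factory, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)  # salt length is an assumption of this sketch
    digest = factory(password + salt).digest()
    # The salt goes AFTER the digest, inside the base64 payload.
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check(stored, password):
    """Return True if password matches; unknown prefixes never match."""
    prefix, brace, payload = stored.partition("}")
    if prefix + brace not in SCHEMES:
        return False  # e.g. {SHA1} is not a prefix this checker knows
    factory, salted = SCHEMES[prefix + brace]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    size = factory().digest_size
    digest, salt = raw[:size], raw[size:]
    # Strictness chosen for this example: salt present only for salted schemes.
    if len(digest) != size or bool(salt) != salted:
        return False
    expected = factory(password + salt).digest()
    return hmac.compare_digest(digest, expected)
```

Passwords are passed as bytes. A value carrying the `{SHA1}` prefix is rejected by this checker even when its payload is a valid `{SHA}` digest, which is the prefix incompatibility the message describes.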