Unreleased

 - Bump ez_setup.py version.

 - Add IMetadataProvider plugin type.  Chris says 'Whit rules'.

0.5 (2008-03-09)

 - Allow "remote user key" (default: REMOTE_USER) to be overridden
   (pass in remote_user_key to middleware constructor).

 - Allow form plugin to override the default form.

 - API change: IIdentifiers are no longer required to put both 'login'
   and 'password' in a returned identity dictionary.  Instead, an
   IIdentifier can place arbitrary key/value pairs in the identity
   dictionary (or return an empty dictionary).

 - API return value change: the "failure" identity which IIdentifiers
   return is now None rather than an empty dictionary.

 - The IAuthenticator interface now specifies that IAuthenticators
   must not raise an exception when evaluating an identity that does
   not have "expected" key/value pairs (e.g. when an IAuthenticator
   that expects login and password inspects an identity returned by an
   IP-based auth system which only puts the IP address in the
   identity); instead they fail gracefully by returning None.

 - Add (cookie) "auth_tkt" identification plugin.

 - Stamp identity dictionaries with a userid by placing a key named
   'repoze.pam.userid' into the identity for each authenticated
   identity.

 - If an IIdentifier plugin inserts a 'repoze.pam.userid' key into the
   identity dictionary, consider this identity "preauthenticated".  No
   authenticator plugins will be asked to authenticate this identity.
   This is designed for things like the recently added auth_tkt
   plugin, which embeds the user id into the ticket.  This effectively
   alllows an IIdentifier plugin to become an IAuthenticator plugin
   when breaking apart the responsibility into two separate plugins is
   "make-work".  Preauthenticated identities will be selected first
   when deciding which identity to use for any given request.

 - Insert a 'repoze.pam.identity' key into the WSGI environment on
   ingress if an identity is found.  Its value will be the identity
   dictionary related to the identity selected by repoze.pam on
   ingress.  Downstream consumers are allowed to mutate this
   dictionary; this value is passed to "remember" and "forget", so its
   main use is to do a "credentials reset"; e.g. a user has changed
   his username or password within the application, but we don't want
   to force him to log in again after he does so.

0.4 (03-07-2008)

 - Allow plugins to specify a classifiers list per interface (instead
   of a single classifiers list per plugin).

0.3 (03-05-2008)

  - Make SQLAuthenticatorPlugin's default_password_compare use
    hexdigest sha instead of base64'ed binary sha for simpler
    conversion.

0.2 (03-04-2008)

  - Added SQLAuthenticatorPlugin (see plugins/sql.py).

0.1 (02-27-2008)

  Initial release (no configuration file support yet).