Re: [Mailman-Users] Interface questions

2005-10-19 Thread John Dennis
On Wed, 2005-10-19 at 13:42 -0400, JOSEPH DAMICO wrote:
 Hello,
 
 We are considering a conversion from Listproc to Mailman. We have a few 
 concerns, but our chief one is authentication.  Here are two questions in 
 this regard:
 
 (a) We would like to have Mailman interface with our Kerberos system, so that 
 the passwords our students and faculty use for their e-mail, course logins, 
 and almost every other authentication procedure would be the same passwords 
 they use to access mailing lists.
 
 Has anyone developed a Mailman-Kerberos interface?
 
 (b) A number of people subscribed to our lists are from outside the 
 university, so a Mailman-Kerberos interface would not work for them.
 Ideally, we would have users communicate with another program (such as 
 Shibboleth).  Then we would determine whether to use the Kerberos interface 
 (for university people) or the regular Mailman password (for those 
 non-university people) to communicate with Mailman.
 
 Has anyone developed a Mailman-Shibboleth interface?

To the best of my knowledge neither has been developed. However, it
isn't terribly hard and you should consider developing it yourself and
contributing the code.

Here is what you would need to do:

Mailman comes with a member adapter plugin. You would override the
method authenticateMember() to perform an authentication validation. I'm
not sure if there is an existing Python module for Kerberos
authentication; if not, you would need to write one that checks the
user's ticket. You would also need to add some code to automatically
invoke your member adapter. You also need a method to determine if the
user is in your Kerberos realm, -or- you could attempt a Kerberos
authentication and, if you get an unknown principal error, attempt
authentication with your fallback mechanism.

Mailman lets its members set and get their passwords; YOU DO NOT WANT to
allow this with Kerberos, so you would probably also override
setMemberPassword() and getMemberPassword() to be a no-op. You would
also want to configure the site defaults to never send password
reminders.
-- 
John Dennis [EMAIL PROTECTED]

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] Interface questions

2005-10-19 Thread John Dennis
On Wed, 2005-10-19 at 13:42 -0400, JOSEPH DAMICO wrote:

 (a) We would like to have Mailman interface with our Kerberos system...

Hmm... thinking about this a bit more, while getting Mailman to
authenticate with Kerberos wouldn't be hard, you're going to run into
some other nasty problems you can't ignore:

1) The web pages will prompt for credentials; you do not want this
because Kerberos is a single sign-on (SSO) system. You would want to
remove this prompting; that is a larger task. But you may need to retain
it for users not in your Kerberos realm, but see points 2 and 3.

2) You will be dependent on external mechanisms for ticket generation.
That may or may not play well for your Mailman user community. For
example, if I'm trying to access Mailman remotely via the web, how would I
establish a ticket?

3) Unless you force all your Mailman URLs to use SSL (TLS) and you
allow password entry you will have exposed a very critical password to
the world, potentially the Kerberos passwords of your entire user
community. Mailman currently transmits passwords in the clear in many
circumstances; the only reason this has not become more of an issue is
because users are encouraged not to use an important password for
Mailman.
-- 
John Dennis [EMAIL PROTECTED]
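
The adapter outlined in the first reply, combined with the cleartext-password concern in point 3 above, as an added sketch that is neither Mailman source nor the poster's code. Only the three method names come from the thread; `LocalAdaptor`, `FakeRealm`, `UnknownPrincipal`, the `realm` and `over_tls` hooks and the boolean return values are assumptions made so the example runs stand-alone.

```python
import hmac

class UnknownPrincipal(Exception):
    """Hypothetical error: the address has no principal in the Kerberos realm."""

class LocalAdaptor:
    """Stand-in (assumption) for the stock member adapter: per-list passwords."""
    def __init__(self):
        self._pw = {}
    def getMemberPassword(self, member):
        return self._pw.get(member.lower())
    def setMemberPassword(self, member, password):
        self._pw[member.lower()] = password
    def authenticateMember(self, member, response):
        secret = self.getMemberPassword(member)
        return secret is not None and hmac.compare_digest(
            secret.encode(), response.encode())

class KerberosAdaptor(LocalAdaptor):
    """Realm members authenticate against Kerberos; outsiders fall back."""
    def __init__(self, realm, over_tls):
        super().__init__()
        self.realm = realm        # hypothetical object: verify(), has_principal()
        self.over_tls = over_tls  # hypothetical callable: did the request use HTTPS?
    def authenticateMember(self, member, response):
        if not self.over_tls():
            return False  # password arrived in the clear: reject it
        try:
            return bool(self.realm.verify(member, response))
        except UnknownPrincipal:  # not in the realm: use the list password
            return super().authenticateMember(member, response)
    def getMemberPassword(self, member):
        if self.realm.has_principal(member):
            return None  # no-op: nothing stored, nothing to put in a reminder
        return super().getMemberPassword(member)
    def setMemberPassword(self, member, password):
        if self.realm.has_principal(member):
            return  # no-op: a realm password is never copied into the list
        super().setMemberPassword(member, password)

class FakeRealm:
    """Constructed test double; a real one would call a Kerberos library."""
    def __init__(self, users):
        self.users = users
    def has_principal(self, member):
        return member.lower() in self.users
    def verify(self, member, password):
        if not self.has_principal(member):
            raise UnknownPrincipal(member)
        return self.users[member.lower()] == password
```

A realm member who fails Kerberos verification is never retried against a local list password, so a stale local entry cannot bypass the realm. The `over_tls` check only rejects a password that has already crossed the wire; forcing the URLs to HTTPS is still what keeps it from being sent in the clear.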
