Ian Eiloart wrote:
>
> --On 9 July 2010 12:11:50 +0200 Anna Granudd <anna.gran...@gmail.com>
> wrote:
>
>> Hi,
>> when subscribing a user or creating a list in Mailman 3.0 we need to
>> implement the use of a password for security reasons. Later the same
>> password will be used for logging in to the settings pages. At the
>> moment passwords are not handled at all which is why I filed bug
>> #600780 (see [1]). However, we're not sure how to handle the passwords
>> at the moment and would like your help with ideas and possible ways to
>> implement this, which is why I want to start a discussion about the
>> password handling/login function. What do we need to think of and how
>> should this best be dealt with?
>
> Most importantly, passwords must be securely hashed, so that they can't
> be read by the site or list admins, or by third parties.
>
> That means that password resets must be offered to users, instead of
> password reminders.
>
> Also, for sites like mine, it would be nice to have more than one
> password store. For example, I'd like to have users with addresses in
> the sussex.ac.uk domain authenticated against my current LDAP db, but
> non-local users authenticate against some other db (perhaps a different
> branch of the LDAP tree, but perhaps something local).

Agreed, passwords must be securely hashed. No one should be able to
reverse the hash to derive a password.

I too would also like to have multiple authentication stores whether via
LDAP or intrinsic to default Mailman. Likewise, I would also like to have
multiple membership stores, obviously the default intrinsic Mailman
member store, but also LDAP, database, etc.

Optimally, if both multiple password/member stores are combined, when a
member authenticates, the member is looked up in the appropriate
password/member store for validity whether it be LDAP, a database, or
Mailman intrinsic. Likewise, a posting to a list should send a message to
members listed in all password/member stores associated with the list.

Thanks,
Chris

>
>> Thanks,
>> Anna
>>
>>
>> [1] https://bugs.launchpad.net/mailman/+bug/600780
>> _______________________________________________
>> Mailman-Developers mailing list
>> Mailman-Developers@python.org
>> http://mail.python.org/mailman/listinfo/mailman-developers
>> Mailman FAQ: http://wiki.list.org/x/AgA3
>> Searchable Archives:
>> http://www.mail-archive.com/mailman-developers%40python.org/
>> Unsubscribe:
>> http://mail.python.org/mailman/options/mailman-developers/iane%40sussex.ac.uk
>>
>> Security Policy: http://wiki.list.org/x/QIA9
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> 01273-873148 x3148
> For new support requests, see http://www.sussex.ac.uk/its/help/
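
The design discussed in this thread (passwords stored only as salted hashes, with the password store chosen by the address's domain), sketched as an added Python example that is not part of the original messages and not Mailman's code. `LocalStore`, `StoreRouter` and the PBKDF2 parameters are assumptions made for illustration; a second `LocalStore` can stand in for an external directory such as LDAP.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per site


class LocalStore:
    """Keeps only salt, iteration count and digest, never the password."""
    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.records = {}  # address -> (salt, iterations, digest)

    @staticmethod
    def _hash(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)  # fresh random salt per user
        digest = self._hash(password, salt, self.iterations)
        self.records[address.lower()] = (salt, self.iterations, digest)

    def verify(self, address, password):
        record = self.records.get(address.lower())
        # Unknown addresses still cost one hash, so timing does not reveal membership.
        salt, iterations, digest = record or (b"\0" * 16, self.iterations, b"\0" * 32)
        candidate = self._hash(password, salt, iterations)
        return hmac.compare_digest(candidate, digest) and record is not None


class StoreRouter:
    """Sends each address to exactly one store, chosen by mail domain."""
    def __init__(self, default_store):
        self._default = default_store
        self._by_domain = {}

    def register(self, domain, store):
        self._by_domain[domain.lower()] = store

    def authenticate(self, address, password):
        domain = address.rpartition("@")[2].lower()
        # No fall-through: a directory-managed address is never checked against
        # the default store, so a stray local record cannot bypass the directory.
        store = self._by_domain.get(domain, self._default)
        return store.verify(address, password)
```

Because a record holds only a salt and a digest, the store has nothing to send as a password reminder, which is why a reset flow is the only recovery option.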