Hello Mailman developers,
Attached to this post please find a patch against the current Mailman CVS
tree which adds support for Kerberos and AFS. Users who do not enable the
Kerberos or AFS functionality will not experience any change in the
functionality of their server vs. the current CVS tree.

To enable support for Kerberos, first install Mailman on a system with a
Kerberized httpd (such as Stronghold, or use mod_auth_kerb). You can then
use the following configuration variables in mm_cfg.py to enable it:
    ADMIN_USERS = []         # A list of usernames which should be
                             # considered site administrators when
                             # authenticated via Kerberos. This is to
                             # be used in place of the old "site admin
                             # password" on a Kerberized server.
    KERBERIZED_SERVERS = []  # A list denoting which servers should be
                             # considered Kerberized. Each entry
                             # should consist of the preferred alias
                             # for that machine concatenated with a ':'
                             # and the port, to allow Kerberized and
                             # non-Kerberized servers to co-exist on a
                             # single machine.
    NONE_KERBERIZED = 0      # Boolean value which disables Kerberos on
                             # all servers. This overrides
                             # KERBERIZED_SERVERS.
    ALL_KERBERIZED = 0       # Boolean value to enable Kerberos on all
                             # servers. This overrides NONE_KERBERIZED
                             # and KERBERIZED_SERVERS.

Of course there are some limitations to the Kerberos functionality. The
Kerberized httpds I know of only support one Kerberos realm at a time. If
you use Kerberos without SSL, you're crazy (your password will go in the
clear). This patch has only been tested with Kerberos V5, but I see no
reason it should not work with V4, because the httpd handles those
differences anyway, I believe (you should upgrade to V5 anyway, though :).
Kerberized servers should interoperate, including sharing lists, cleanly
with non-Kerberized servers. Cookies and passwords (apart from Kerberos
passwords) are now only used by non-Kerberized servers. In theory it
should be possible to substitute other authentication methods in place of
Kerberos, but this has not been tested.

To enable support for AFS, use some or all of the following command-line
arguments to `configure':
--with-mail-preauth=COMMAND
--with-mail-postauth=COMMAND
--with-www-preauth=COMMAND
--with-www-postauth=COMMAND
--with-cron-preauth=COMMAND
--with-cron-postauth=COMMAND
These tell Mailman which commands to execute to get and destroy an AFS
token before and after it performs mail-driven, web-based, and cron tasks.
Different commands are available because your web server may have a
different keytab file than your mail server, and who knows which server
you might use to run the cron jobs. Of course non-AFS commands could be
used instead, but this was added for AFS compatibility.

As indicated by Christopher Lindsey in a previous post, we at NCSA are
hoping to migrate to Mailman soon, and we need these changes to do so. We
hope that this patch will be integrated into the main distribution so we
don't have to maintain a parallel patch.

Thank you for a useful product, and for reading all of that,
--
Paul Hebble <hebble(a)ncsa.uiuc.edu>
NCSA
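The following is an added illustration, not code from Paul Hebble's patch or from Mailman itself. It models two points of the post above: how the four mm_cfg.py switches (ALL_KERBERIZED, NONE_KERBERIZED, KERBERIZED_SERVERS, ADMIN_USERS) resolve to a per-server decision with the stated precedence, and how a pre-auth/post-auth command pair of the kind the --with-*-preauth/--with-*-postauth options supply should bracket a task so the AFS token is destroyed even when the task fails. The Config class, the function names, the realm-stripping in is_site_admin and the python -c stand-ins for the real token commands are all assumptions made for the example.

```python
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field


@dataclass
class Config:
    """Stand-in for the mm_cfg.py variables named in the post (assumed shape)."""
    ADMIN_USERS: list = field(default_factory=list)
    KERBERIZED_SERVERS: list = field(default_factory=list)
    NONE_KERBERIZED: int = 0
    ALL_KERBERIZED: int = 0


def is_kerberized(cfg, host, port):
    """True if requests reaching host:port should be authenticated by Kerberos.

    Precedence is the one the post states: ALL_KERBERIZED overrides
    NONE_KERBERIZED, which overrides the KERBERIZED_SERVERS list. A list
    entry is 'alias:port', so one machine can run a Kerberized server on
    one port and a plain one on another.
    """
    if cfg.ALL_KERBERIZED:
        return True
    if cfg.NONE_KERBERIZED:
        return False
    wanted = "%s:%d" % (host.lower(), int(port))
    return wanted in [entry.lower() for entry in cfg.KERBERIZED_SERVERS]


def is_site_admin(cfg, principal):
    """Site-admin check on a Kerberized server: the authenticated principal
    replaces the site admin password. The realm is dropped before the lookup
    because the httpds the post mentions serve a single realm (assumption:
    ADMIN_USERS holds bare usernames)."""
    user = principal.split("@", 1)[0]
    return user in cfg.ADMIN_USERS


def run_with_token(preauth, postauth, task):
    """Bracket `task` with the pre-auth (get token) and post-auth (destroy
    token) commands that a --with-*-preauth/--with-*-postauth pair names.

    Pre-auth failure aborts before the task runs (no token, no job); the
    post-auth command runs even when the task raises, so the token never
    outlives the job it was obtained for. Commands are argv lists.
    """
    if preauth:
        subprocess.run(preauth, check=True)
    try:
        return task()
    finally:
        if postauth:
            subprocess.run(postauth, check=False)


def demo():
    """Exercise run_with_token with constructed stand-in commands (python -c)
    instead of real AFS tools, so it runs anywhere. Returns the two
    properties a deployer would want to confirm."""
    marker = os.path.join(tempfile.mkdtemp(), "token-destroyed")
    get_token = [sys.executable, "-c", "pass"]
    drop_token = [sys.executable, "-c", "open(%r, 'w').close()" % marker]

    def failing_job():
        raise RuntimeError("constructed failure inside the job")

    destroyed_after_failure = False
    try:
        run_with_token(get_token, drop_token, failing_job)
    except RuntimeError:
        destroyed_after_failure = os.path.exists(marker)

    ran = []
    try:
        run_with_token([sys.executable, "-c", "raise SystemExit(1)"],
                       None, lambda: ran.append(True))
    except subprocess.CalledProcessError:
        pass
    return {"destroyed_after_failure": destroyed_after_failure,
            "task_skipped_when_preauth_fails": not ran}


if __name__ == "__main__":
    cfg = Config(KERBERIZED_SERVERS=["lists.example.org:443"],
                 ADMIN_USERS=["alice"])
    print(is_kerberized(cfg, "lists.example.org", 443),
          is_kerberized(cfg, "lists.example.org", 80),
          is_site_admin(cfg, "alice@EXAMPLE.ORG"), demo())
```

The post-auth step deliberately uses check=False: a failed token destroy should not mask the task's own result or exception, while a failed pre-auth is fatal because running the job without a token would only fail later in a less obvious place.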