Hi
I am working on implementing openID server for the mailman setup I am running. I have started using mailman only recently and need help/feedback on my approach.
We want to provide the list users an option whether or not to enable openID. On the "" page, the users will see an option for
- Enable/Disable openID login for your subscription
- Sign in with existing openID login for your subscription
*1. Enable/Disable openID login for your subscription account* For enabling and disabling the openID feature, the users log in to their subscribed accounts as they do now for changing any of the subscription options. On this page if they enable the openID feature, they receive an automated reply with their openID identifier.
The password for the openID identifier is the same as that for the subscription accounts. If they change their subscription passwords, their openID password gets changed too.
*2. Sign in with existing openID login* The user gets redirected to a page where it enters its openID identifier and the password and can now manage its account settings with the openID identifier. This authentication and further logging, modification of subscription configurations will be handled by the openID server.
As I understand, the *changes that need to be made to the existing mailman code* include the following:
- Changing MemberAdaptor.py and UserDesc.py to include information on whether or not an openID identifier is enabled for a particular user.
- Propagating changes made to openID-identified accounts to the subscription configurations.
- Changing the webpage interfaces for providing and allowing users to access these options.
I want to know if there's already an openID enabled version of mailman available, and what files I would need to change to include openID support in mailman.
Thanks Malveeka
on 6/7/09 12:14 PM, Malveeka Tewari said:
> I want to know if there's already an openID enabled version of mailman available And what files would I need to make changes to include openID support in mailman
The OpenID project uses Mailman themselves, and they have hacked it to allow OpenID logins. They even shared with us the code that they have. I took a look at trying to bring this into the main codebase, and I was not able to figure out how to do that -- when they put in OpenID, they broke everything else, and I could never figure out how to get the two to co-exist at the same time.
IMO, this may be a better question to ask on their mailing lists, or to ask the people who maintain their mailing lists.
-- Brad Knowles <brad@shub-internet.org> LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Hi Brad,
Can I also take a look at the code that the OpenID folks sent you? It'll be great if you can send me any pointers to that code. I asked on their mailing lists too but haven't received any promising response.
Looking at the code might give me an idea about how to start implementing openID support for the mailman setup I am running.
Thanks Malveeka
On Sun, Jun 7, 2009 at 11:08 PM, Brad Knowles <brad@shub-internet.org> wrote:
> on 6/7/09 12:14 PM, Malveeka Tewari said:
> > I want to know if there's already an openID enabled version of
> > mailman available And what files would I need to make changes to include openID support in mailman
> The OpenID project uses Mailman themselves, and they have hacked it to allow OpenID logins. They even shared with us the code that they have. I took a look at trying to bring this into the main codebase, and I was not able to figure out how to do that -- when they put in OpenID, they broke everything else, and I could never figure out how to get the two to co-exist at the same time.
> IMO, this may be a better question to ask on their mailing lists, or to ask the people who maintain their mailing lists.
> -- Brad Knowles <brad@shub-internet.org> LinkedIn Profile: <http://tinyurl.com/y8kpxu>
on 6/13/09 9:16 AM, Malveeka Tewari said:
> Can I also take a look at the code that the OpenID folks sent you? It'll be great if you can send me any pointers to that code. I asked on their mailing lists too but haven't received any promising response.
They never made any attempt to build an OpenID provider in Mailman. All they did was hack in some OpenID Relyer code, and in the process they broke any other kind of authentication.
Mailman is the wrong place to put an OpenID provider. That needs to go somewhere else, and then you can put in code that allows Mailman to be an OpenID Relyer.
> Looking at the code might give me an idea about how to start implementing openID support for the mailman setup I am running.
I really don't think so. They and you seem to have very different ideas as to where the OpenID provider code should go.
-- Brad Knowles <brad@shub-internet.org> LinkedIn Profile: <http://tinyurl.com/y8kpxu>
On Jun 13, 2009, at 1:25 PM, Brad Knowles wrote:
> Mailman is the wrong place to put an OpenID provider. That needs to
> go somewhere else, and then you can put in code that allows Mailman
> to be an OpenID Relyer.
Well put, and I could not agree more.
What would be very helpful would be adding the necessary support to
Mailman 2.2 and 3 so that it can be a relying party, and perhaps we
can finally deprecate or kill off the stupid user passwords.
-Barry
Malveeka Tewari writes:
> - Sign in with existing openID login for your subscription
> *1. Enable/Disable openID login for your subscription account* For enabling and disabling the openID feature, the users log in to their subscribed accounts as they do now for changing any of the subscription options. On this page if they enable the openID feature, they receive an automated reply with their openID identifier.
> The password for the openID identifier is the same as that for the subscription accounts. If they change their subscription passwords, their openID password gets changed too.
I don't understand what you're trying to do. The whole point of open ID is delegating authorization to a third party. If you want, you can provide that service as well, but once you've enabled OpenID, you shouldn't need a password for Mailman. In fact, the Mailman password should be disabled, as it is certainly less secure than OpenID at this point in time.
> I want to know if there's already an openID enabled version of mailman available
The OpenID project has OpenID-enabled Mailman lists, but according to Brad Knowles in the process of adapting Mailman to OpenID they broke a lot of other features, and integrating their changes is non-trivial.
Hi Stephen
Thanks for your reply. We want to implement the OpenID Provider for the mailman setup we are running on our servers. The idea is to use OpenID with mailman to provide single sign on for our other user accounts like our wiki etc. Our focus is on providing Single Sign On but we do not want to delegate authentication to a third party. Hence we want to implement an OpenID provider for our Mailman service, and an OpenID relying party for our wiki etc.
Now for the OpenID provider we may choose to have new passwords or use the mailman passwords. For ease of users, we want to use the mailman passwords for the OpenID provider.
I hope I have conveyed what I am trying to do. I will be thankful for any suggestions.
Thanks Malveeka
On Sat, Jun 13, 2009 at 12:03 PM, Stephen J. Turnbull <stephen@xemacs.org> wrote:
> Malveeka Tewari writes:
> > - Sign in with existing openID login for your subscription
> > *1. Enable/Disable openID login for your subscription account* For enabling and disabling the openID feature, the users log in to their subscribed accounts as they do now for changing any of the subscription options. On this page if they enable the openID feature, they receive an automated reply with their openID identifier.
> > The password for the openID identifier is the same as that for the subscription accounts. If they change their subscription passwords, their openID password gets changed too.
> I don't understand what you're trying to do. The whole point of open ID is delegating authorization to a third party. If you want, you can provide that service as well, but once you've enabled OpenID, you shouldn't need a password for Mailman. In fact, the Mailman password should be disabled, as it is certainly less secure than OpenID at this point in time.
> > I want to know if there's already an openID enabled version of mailman available
> The OpenID project has OpenID-enabled Mailman lists, but according to Brad Knowles in the process of adapting Mailman to OpenID they broke a lot of other features, and integrating their changes is non-trivial.
Malveeka Tewari writes:
> Our focus is on providing Single Sign On but we do not want to delegate authentication to a third party. Hence we want to implement OpenID provider for our Mailman service.
I don't think this is a good idea. Mailman is designed to deliver single messages to multiple parties, which it does very well, and to manage member lists, which it does tolerably well for many purposes. It is not designed to keep secrets. You may not now particularly care, but it could be very annoying later if you decide you want more security and need to switch your system.
Better to put your provider in a separate place from Mailman, and have Mailman rely on and trust only your provider. You could do them on the same host if necessary but in the long run you might want to have the provider on a dedicated host, depending on how serious you become about security.
> and OpenID relying party for our wiki etc.
> Now for the OpenID provider we may choose to have new passwords or use the mailman passwords. For ease of users, we want to use the mailman passwords for the OpenID provider.
Again, Mailman is not very secure. In the default configuration, passwords are mailed out in cleartext over non-secure channels (and even so-called secure mail is pretty tricky -- it's much easier to secure a web application). The passwords are also stored in the clear. This means that if you want to set up OpenID for existing users by transferring their passwords, it should be possible (I don't know how offhand, though).
I don't recommend that, either. Normally, people don't care that much as there's not much damage that can be done via a mailing list, except spamming, and most lists have additional defenses against that. But you plan to rely on these passwords to secure multiple services, making the value of cracking one that much higher. I would ask my own users to set new passwords in this situation.
Of course, all these issues depend on a lot of factors. You may have better security than the default for the Internet in place, or much more careful users, etc.
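Brad's and Stephen's replies converge on the same split: run the provider on its own host and let Mailman act only as a relying party that checks the provider's signed assertions. The Python sketch below is an added example, not code from Mailman, from the OpenID project, or from anyone in this thread. It models an OpenID 2.0 positive assertion (mode id_res) signed with an association MAC key, and the checks a relying party should run before treating it as a login: the assertion comes from the trusted endpoint, return_to matches this RP, the required fields are covered by a valid signature, and the response_nonce is fresh and has not been seen before. The endpoint URLs, the Provider and RelyingParty classes and the demo() function are all assumptions of this example; the association is simply created in memory here instead of being negotiated.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Constructed values for this example (not from the thread): the provider lives
# on its own host; Mailman's web UI is only a relying party that trusts it.
OP_ENDPOINT = "https://openid.example.org/server"          # hypothetical OP
RP_RETURN_TO = "https://lists.example.org/openid/return"   # hypothetical RP callback


def kv_form(pairs):
    """OpenID 2.0 Key-Value Form Encoding: one 'key:value\\n' line per field."""
    return "".join(f"{k}:{v}\n" for k, v in pairs).encode("utf-8")


def sign(mac_key, fields, signed_keys):
    """HMAC-SHA256 over the signed fields (names listed without the 'openid.' prefix)."""
    msg = kv_form((k, fields["openid." + k]) for k in signed_keys)
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha256).digest()).decode()


class Provider:
    """Minimal OpenID 2.0 OP that issues signed positive assertions."""

    def __init__(self):
        # Association state shared with the RP beforehand (e.g. a Diffie-Hellman
        # association); the MAC key is known only to the two parties.
        self.assoc_handle = "assoc-" + secrets.token_hex(8)
        self.mac_key = secrets.token_bytes(32)

    def positive_assertion(self, claimed_id, return_to):
        signed_keys = ["op_endpoint", "return_to", "response_nonce",
                       "assoc_handle", "claimed_id", "identity"]
        # response_nonce: UTC timestamp followed by random characters
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
        fields = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.return_to": return_to,
            "openid.response_nonce": nonce,
            "openid.assoc_handle": self.assoc_handle,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.signed": ",".join(signed_keys),
        }
        fields["openid.sig"] = sign(self.mac_key, fields, signed_keys)
        return fields


class RelyingParty:
    """Mailman-side checks before a positive assertion is accepted as a login."""

    REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

    def __init__(self, assoc_handle, mac_key, nonce_window=300):
        self.assoc_handle = assoc_handle
        self.mac_key = mac_key
        self.nonce_window = nonce_window
        self.seen_nonces = set()   # persist this store in a real deployment

    def verify(self, fields, now=None):
        """Return (True, claimed_id) on success, else (False, reason)."""
        now = time.time() if now is None else now
        if fields.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        signed_keys = fields.get("openid.signed", "").split(",")
        if any(k not in signed_keys for k in self.REQUIRED_SIGNED):
            return False, "required field not covered by the signature"
        if fields.get("openid.op_endpoint") != OP_ENDPOINT:
            return False, "assertion not from the trusted provider"
        if fields.get("openid.assoc_handle") != self.assoc_handle:
            return False, "unknown association handle"
        if fields.get("openid.return_to") != RP_RETURN_TO:
            return False, "return_to does not match this RP"
        try:
            expected = sign(self.mac_key, fields, signed_keys)
        except KeyError:
            return False, "signed field missing from response"
        if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        try:   # first 20 characters are the UTC timestamp YYYY-MM-DDTHH:MM:SSZ
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed response_nonce"
        if abs(now - issued) > self.nonce_window:
            return False, "stale assertion"
        if nonce in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(nonce)
        return True, fields["openid.claimed_id"]


def demo():
    """Accept a fresh assertion, then reject a replay and a tampered copy."""
    op = Provider()
    rp = RelyingParty(op.assoc_handle, op.mac_key)
    assertion = op.positive_assertion("https://openid.example.org/id/alice", RP_RETURN_TO)
    accepted, who = rp.verify(assertion)
    replayed = rp.verify(assertion)[0]          # same nonce again
    tampered = dict(assertion)
    tampered["openid.claimed_id"] = "https://openid.example.org/id/bob"
    forged = rp.verify(tampered)[0]             # signature no longer matches
    return accepted, who, replayed, forged


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in what the relying party holds: only an association handle and a MAC key, never the users' credentials. Whatever password or other factor the provider uses to authenticate the member stays on the provider's host, which is what lets Mailman's own cleartext passwords be retired rather than reused for single sign-on.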
participants (4)
- Barry Warsaw
- Brad Knowles
- Malveeka Tewari
- Stephen J. Turnbull