Kerberos, AFS Patch
Hello Mailman developers,
Attached to this post please find a patch against the current Mailman CVS tree which adds support for Kerberos and AFS. Users who do not enable the Kerberos or AFS functionality will not experience any change in the functionality of their server vs. the current CVS tree.
To enable support for Kerberos, first install Mailman on a system with a Kerberized httpd (such as Stronghold, or use mod_auth_kerb). You can then use the following configuration variables in mm_cfg.py to enable it:

    ADMIN_USERS = []         # A list of usernames which should be
                             # considered site administrators when
                             # authenticated via Kerberos. This is to
                             # be used in place of the old "site admin
                             # password" on a Kerberized server.
    KERBERIZED_SERVERS = []  # A list denoting which servers should be
                             # considered Kerberized. Each entry
                             # should consist of the preferred alias
                             # for that machine concatenated with a ':'
                             # and the port, to allow Kerberized and
                             # non-Kerberized servers to co-exist on a
                             # single machine.
    NONE_KERBERIZED = 0      # Boolean value which disables Kerberos on
                             # all servers. This overrides
                             # KERBERIZED_SERVERS.
    ALL_KERBERIZED = 0       # Boolean value to enable Kerberos on all
                             # servers. This overrides NONE_KERBERIZED
                             # and KERBERIZED_SERVERS.

Of course there are some limitations to the Kerberos functionality. The Kerberized httpds I know of only support one Kerberos realm at a time. If you use Kerberos without SSL, you're crazy (your password will go in the clear). This patch has only been tested with Kerberos V5, but I see no reason it should not work with V4, because the httpd handles those differences anyway, I believe (you should upgrade to V5 anyway, though :). Kerberized servers should interoperate, including sharing lists, cleanly with non-Kerberized servers. Cookies and passwords (apart from Kerberos passwords) are now only used by non-Kerberized servers. In theory it should be possible to substitute other authentication methods in place of Kerberos, but this has not been tested.
To enable support for AFS, use some or all of the following command-line arguments to `configure':

    --with-mail-preauth=COMMAND
    --with-mail-postauth=COMMAND
    --with-www-preauth=COMMAND
    --with-www-postauth=COMMAND
    --with-cron-preauth=COMMAND
    --with-cron-postauth=COMMAND

These tell Mailman which commands to execute to get and destroy an AFS token before and after it performs mail-driven, web-based, and cron tasks. Different commands are available because your web server may have a different keytab file than your mail server, and who knows which server you might use to run the cron jobs. Of course non-AFS commands could be used instead, but this was added for AFS compatibility.
As indicated by Christopher Lindsey in a previous post, we at NCSA are hoping to migrate to Mailman soon, and we need these changes to do so. We hope that this patch will be integrated into the main distribution so we don't have to maintain a parallel patch.
Thank you for a useful product, and for reading all of that,
Paul Hebble <hebble@ncsa.uiuc.edu>
NCSA
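
The override order the message gives for the four mm_cfg.py variables, written out as an added Python example; it is not part of the original post and not code from the patch. The function names, the use of the CGI variables SERVER_NAME, SERVER_PORT and REMOTE_USER for matching, and the sample values are assumptions.

```python
# Added illustration, not code from the patch. Function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class KerberosConfig:
    # Mirrors the four mm_cfg.py variables described in the post.
    ADMIN_USERS: list = field(default_factory=list)
    KERBERIZED_SERVERS: list = field(default_factory=list)
    NONE_KERBERIZED: int = 0
    ALL_KERBERIZED: int = 0


def server_is_kerberized(cfg, environ):
    """Apply the stated precedence: ALL_KERBERIZED, then NONE_KERBERIZED,
    then the per-server KERBERIZED_SERVERS list."""
    if cfg.ALL_KERBERIZED:
        return True
    if cfg.NONE_KERBERIZED:
        return False
    # Entries have the form "alias:port". Assumption: the alias is compared
    # case-insensitively with the CGI SERVER_NAME of the current request.
    key = "%s:%s" % (environ.get("SERVER_NAME", "").lower(),
                     environ.get("SERVER_PORT", ""))
    return key in [entry.lower() for entry in cfg.KERBERIZED_SERVERS]


def site_admin_via_kerberos(cfg, environ):
    """True only when a Kerberized server vouches for a listed user.

    On a non-Kerberized server REMOTE_USER is ignored, so the caller
    falls back to the site admin password check."""
    if not server_is_kerberized(cfg, environ):
        return False
    # Assumption: the httpd puts the bare username in REMOTE_USER and
    # ADMIN_USERS entries are matched exactly.
    user = environ.get("REMOTE_USER", "")
    return bool(user) and user in cfg.ADMIN_USERS


# Constructed sample values: one machine serving a Kerberized HTTPS port
# and a non-Kerberized HTTP port under the same alias.
SAMPLE_CFG = KerberosConfig(ADMIN_USERS=["alice"],
                            KERBERIZED_SERVERS=["lists.example.org:443"])
SAMPLE_HTTPS = {"SERVER_NAME": "lists.example.org", "SERVER_PORT": "443",
                "REMOTE_USER": "alice"}
SAMPLE_HTTP = dict(SAMPLE_HTTPS, SERVER_PORT="80")

if __name__ == "__main__":
    print(site_admin_via_kerberos(SAMPLE_CFG, SAMPLE_HTTPS))
    print(site_admin_via_kerberos(SAMPLE_CFG, SAMPLE_HTTP))
```
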