Pluggable authentication for Mailman web interface?

Are there any guidelines for adding authentication and/or authorization mechanisms to the Mailman web user interface? Specifically, I was wondering if there is any kind of guidance for authenticating the user via an HTTP header (e.g. HTTP_REMOTE_USER) so that an authenticating reverse proxy could be placed in front of the Mailman web interface.
If there is no such built-in mechanism or pluggable mechanism, is there any kind of guidance on how the existing authentication mechanism might be replaced from a technical standpoint?
Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College

On 08/26/2015 01:08 PM, Waldbieser, Carl wrote:
> Are there any guidelines for adding authentication and/or authorization mechanisms to the Mailman web user interface? Specifically, I was wondering if there is any kind of guidance for authenticating the user via an HTTP header (e.g. HTTP_REMOTE_USER) so that an authenticating reverse proxy could be placed in front of the Mailman web interface.
There is no such for Mailman 2.1. I *think* the authentication mechanism for MM 3 is pluggable, but you should join and ask on mailman-developers@python.org for a more definitive answer.
> If there is no such built-in mechanism or pluggable mechanism, is there any kind of guidance on how the existing authentication mechanism might be replaced from a technical standpoint?
In MM 2.1, all the work is done by the Mailman/SecurityManager.py module. You should be able to tweak that to suit your needs.
-- Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan

Can you say more about what you are trying to achieve?
There is an authenticating reverse proxy server for the Mailman REST API at https://gitlab.com/astuart/mailmania
But I don’t think anyone has run it yet - it’s pretty raw, not much more than alpha but fully functional.
I’m sorry but I’ve been dragged to other priorities so there’s no real documentation but I’m happy to answer any questions if you want to give it a try.
This thread really should live on Mailman Developers <Mailman-Developers@python.org> though.
as

I know that currently, mailman roles are set up such that the roles themselves have a shared password per role. I want to be able to move away from that model and have roles assigned to individual user accounts that would allow access to the admin interfaces for individual lists.
For example, say we have mail lists "Campus" and "Board of Trustees". I might have roles "campus_moderators", "campus_admins", "boardoftrustees_moderators", and "boardoftrustees_admins". If I assign the role campus_admins to user "johnsmith", I would like this user to be able to access the mailman admin interface for the "Campus" list using his own credentials. Ideally, "johnsmith" would not have to present his primary credentials to the mailman interface because our institution has a web single sign-on infrastructure (Web SSO).
I can take this conversation to mailman-developers if that is the more appropriate forum.
Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College

On 09/01/2015 06:33 AM, Waldbieser, Carl wrote:
> I know that currently, mailman roles are set up such that the roles themselves have a shared password per role.
This is true for MM 2.1. It is not true for MM 3.
> I want to be able to move away from that model and have roles assigned to individual user accounts that would allow access to the admin interfaces for individual lists.
MM 3 already works this way.
Please clarify whether you want to do this in MM 2.1 or in MM 3.
-- Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
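
The header-based sign-on and per-list roles discussed in this thread, sketched as an added example that is not part of the original messages and is not Mailman code: a proxy-asserted user header is honoured only when the request arrives from the reverse proxy, and "<list>_admins" / "<list>_moderators" roles are mapped to per-list access. The proxy address, the role table and all function names are hypothetical, and it is standalone Python 3 rather than a patch to Mailman/SecurityManager.py.

```python
import ipaddress

# Assumptions (not Mailman settings): the only peer allowed to assert a user
# is the reverse proxy on loopback, and it sets the header named in the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
USER_HEADER = "HTTP_REMOTE_USER"

# Constructed sample role assignments, standing in for an SSO/directory lookup.
USER_ROLES = {
    "johnsmith": {"campus_admins"},
    "janedoe": {"boardoftrustees_moderators"},
}

def list_slug(listname):
    """'Board of Trustees' -> 'boardoftrustees', the role prefix used in the thread."""
    return "".join(ch for ch in listname.lower() if ch.isalnum())

def authenticated_user(environ):
    """Return the proxy-asserted user, or None when the header cannot be trusted."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Request bypassed the proxy: any client can set this header itself.
        return None
    user = environ.get(USER_HEADER, "").strip()
    return user or None

def granted_contexts(environ, listname, roles=USER_ROLES):
    """Return the access contexts ('admin', 'moderator') this request holds for a list."""
    user = authenticated_user(environ)
    if user is None:
        return set()
    slug = list_slug(listname)
    held = roles.get(user, set())
    granted = set()
    if "%s_admins" % slug in held:
        # Assumption: a list admin may also use the moderation pages.
        granted |= {"admin", "moderator"}
    elif "%s_moderators" % slug in held:
        granted.add("moderator")
    return granted
```

The proxy itself must also drop any client-supplied copy of the header before setting its own, and the backend should not be reachable except through the proxy.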
participants (3): Andrew Stuart; Mark Sapiro; Waldbieser, Carl