[Mailman-Developers] A bit of perspective ....

Jeff Warnica jeffw at chebucto.ns.ca
Sat Jan 31 15:56:58 EST 2004


I suppose it can be, but it is a question of where you implement your security.
If mailman is to use SQL to store preferences then it is up to mm to deal with
what records a user can update. If the mm interface to LDAP goes through one
master LDAP account, then it is still mm's job... But if mm binds to LDAP as
the mm user, then security is the responsibility of the LDAP server. With
OpenLDAP and NDS, permissions can be extremely fine grained, down to the
attribute level. I've not so much as seen ADS running anywhere, but I can only
assume that it does too.

How secure an admin might want to make it is likely to be related to what else,
if anything, their LDAP directory is being used for. A hypothetical site with
10,000 users in NDS, and 100,000 other things (printers, queues....), which
they have been using for a decade, may be very restrictive. Another site
installing MM+LDAP for fun as much as anything else, might just give the MM
user unlimited rights.

Kinda like the Bugzilla install docs say something to the effect of ".... MySQL's
security is an evil beast, and some people actually use it. If you do, just make
sure that 'bugz' has the right rights...."


Quoting moron <moron at industrial.org>:

> On January 31, 2004 11:10 am, Chuq Von Rospach wrote:
>> Mailman <-> LDAP as an interface means that anything that can generate
>> an LDAP interface can talk to it. so perhaps the best thing to do is
>> come up with an LDAP interface, define how the LDAP data should look,
>> and then create a set of MySQL schemas that'll support that. I know
>> barry's wanted to avoid requiring too many "things" to be installed to
>> use Mailman, but when someone chooses to move to MySQL, I don't think
>> it's unfair to assume they have or can install LDAP also.
>
> Isn't LDAP a bit of a security hassle?  I would think it is pretty common to
> have Mailman running on a machine along side MySQL, Apache and an MTA of
> some sort but wouldn't throwing in LDAP be more like requiring people install
> a CVS daemon to use Mailman?  I'm no LDAP guru but from what I have looked at
> previously it certainly seemed that way.
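The two ends of the spectrum Jeff describes above (an MM service account with unlimited rights versus attribute-level grants enforced by the directory) can be expressed as OpenLDAP `access` directives. This is an added example, not Mailman project code or anything from the thread; the bind DN, the `ou=people` subtree and the `mailman*` attribute names are assumptions.

```conf
# Constructed slapd.conf fragment (not from Mailman or OpenLDAP docs).
# Assumes Mailman binds as cn=mailman,ou=services,dc=example,dc=org
# and subscriber entries live under ou=people,dc=example,dc=org.
# slapd evaluates "access to" clauses first-match, so the two variants
# below are alternatives: keep exactly one of them in the file.

# --- Variant A: "give the MM user unlimited rights" ---------------------
# Any bug or compromise in Mailman can now rewrite every subscriber entry,
# including userPassword.
access to dn.subtree="ou=people,dc=example,dc=org"
    by dn.exact="cn=mailman,ou=services,dc=example,dc=org" write
    by self write
    by * none

# --- Variant B: attribute-level grants, enforced by the directory --------
# Credentials: the service account never gets read or write on passwords.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=userPassword
    by self write
    by anonymous auth
    by * none

# List preferences (hypothetical attribute names): Mailman may update
# only these, and only these, on behalf of a subscriber.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=mailmanDigest,mailmanDeliveryStatus
    by dn.exact="cn=mailman,ou=services,dc=example,dc=org" write
    by self write
    by * none

# Identity attributes Mailman needs to deliver mail: read only.
# "entry" is the pseudo-attribute that permits returning the entry at all.
access to dn.subtree="ou=people,dc=example,dc=org"
        attrs=entry,mail,cn
    by dn.exact="cn=mailman,ou=services,dc=example,dc=org" read
    by self read
    by * none

# Everything else in the people tree is invisible to the service account.
access to dn.subtree="ou=people,dc=example,dc=org"
    by self read
    by * none
```

A quick check after reloading slapd: an `ldapmodify` of `userPassword` bound as the mailman DN should be rejected with an insufficient-access error, while a modify of `mailmanDigest` on the same entry succeeds. The same grants can be written as `olcAccess` values under `cn=config`; the `to`/`by` syntax is identical.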



More information about the Mailman-Developers mailing list