[Mailman-Users] Storing list admin password in LDAP, or unencrypted?

Mark Sapiro mark at msapiro.net
Thu Jul 8 19:29:29 CEST 2010

Ivan Fetch wrote:
>    We would like to integrate Mailman with a spam quarantine system. List 
>admin(s) will need to login to manage quarantined messages, and we would 
>like this login to use the list admin password. I'd like some feedback on 
>the best way to accomplish this, with Mailman.
>    I can think of two ways to accomplish this -
>    1. Mailman consults LDAP for the list admin password, and is able to 
>also set that password (for the web UI and the change_pw script). Mailing 
>lists are already defined in LDAP for our MTAs.
>    2. The Mailman list admin passwords are stored in an unencrypted form, 
>which we regularly sync to LDAP, for the quarantine system to use.
>    It seems like option 2 would be simpler in terms of code, although less 
>ideal (because the password wouldn't be encrypted).
>    Which method (or is there a third way?) is going to make the most sense 
>for seamless integration with Mailman?

I suggest a third method.

Do not change Mailman at all.

Periodically, via cron and/or on demand, retrieve the list's 'password'
attribute from lists/listname/config.pck. This can be done with a
Python program using the Mailman API to instantiate the list and get
the password, or it could be done with a withlist script whose process
was simply

def get_list_pw(mlist):
    print mlist.password

or it could be done, e.g., by

/path/to/bin/dumpdb /path/to/lists/$listname/config.pck | \
   grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'

This is the encrypted password. Store that in LDAP and have your
quarantine system validate a password by encrypting it using Mailman's
algorithm (a 40-hex-digit representation of a SHA1 hash of the
plaintext) and comparing that to the list's encrypted password.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
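
An added example, not part of the message above and not Mailman code: one way the quarantine system could validate a login against the 40-hex-digit SHA1 value synced to LDAP, failing closed when the synced attribute is missing or malformed. The function names and the UTF-8 encoding of the typed password are assumptions.

```python
import hashlib
import hmac
import re

# The stored value must be exactly 40 hex digits (SHA1 hexdigest).
_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def mailman_hash(plaintext):
    """Return the 40-hex-digit SHA1 of the plaintext, as the post describes."""
    if isinstance(plaintext, str):
        plaintext = plaintext.encode("utf-8")  # assumption: UTF-8 bytes
    return hashlib.sha1(plaintext).hexdigest()


def parse_stored(value):
    """Normalise the value read from LDAP; return None if it is unusable.

    Guards against an empty attribute or a sync job that stored a
    truncated or otherwise mangled string.
    """
    if value is None:
        return None
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return None
    value = value.strip().lower()
    return value if _HEX40.match(value) else None


def check_list_admin_password(stored, candidate):
    """True only if candidate hashes to the well-formed stored value."""
    expected = parse_stored(stored)
    if expected is None or not candidate:
        return False  # fail closed: never match against a bad record
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(mailman_hash(candidate), expected)


if __name__ == "__main__":
    # Constructed sample: the hash a sync job would have stored for "abc".
    stored = mailman_hash("abc")
    print(check_list_admin_password(stored, "abc"))   # matching password
    print(check_list_admin_password(stored, "abd"))   # wrong password
    print(check_list_admin_password("", "abc"))       # empty LDAP value
```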

