[Mailman-Developers] User-centric authentication and access control

[Andrew Stuart]

If users still sign in directly, what do you see the functionality of roles being from a Mailman perspective? I don’t see how they relate Mailman resources specifically.

The authenticating proxy server (which is still awaiting a better name - Barry? :-)) currently gives individuals control over Mailing lists, assuming that individual has moderator status.

Currently it decides to grant an authentication token based on reciept of username and password, which it validates by asking Mailman core if the username and password match. If you know Python then that is the staring point for hooking in an additional level of authorisation.  If you can write some pseudocode for how your authentication process works I could comment further.

as
 


On 2 Sep 2015, at 1:15 am, Waldbieser, Carl <waldbiec at lafayette.edu> wrote:

I know that currently, mailman roles are set up such that the roles themselves have a shared password per role.  I want to be able to move away from that model and have roles assigned to individual user accounts that would allow access to the admin interfaces for individual lists.

For example, say we have mail lists "Campus" and "Board of Trustees".  I might have roles "campus_moderators", "campus_admins", "boardoftrustees_moderators", and "boardoftrustees_admins".
If I assign the role campus_admins to user "johnsmith", I would like this user to be able to access the mailman admin interface for the "Campus" list using his own credentials.  Ideally, "johnsmith" would not have to present his primary credentials to the mailman interface because our institution has a web single sign-on infrastructure (Web SSO).

I would like to actually move the authentication and role management *outside* of mailman and have the administrative interface consume the role based information from external sources (e.g. LDAP, CAS or SAML2 attribute release), so I am looking for a more "pluggable" authentication and access management architecture.

Does anything like this exist for Mailman, or is it on the roadmap?  Are there technical guidelines for how one might contribute toward something like this?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers at python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/andrew.stuart%40supercoders.com.au

Security Policy: http://wiki.list.org/x/QIA9