[Mailman-Users] Storing list admin password in LDAP, or unencrypted?

Thu Jul 8 19:29:29 CEST 2010

Ivan Fetch wrote:
>
>    We would like to integrate Mailman with a spam quarantine system. List 
>admin(s) will need to login to manage quarantined messages, and we would 
>like this login to use the list admin password. I'd like some feedback on 
>the best way to accomplish this, with Mailman.
>
>
>    I can think of two ways to accomplish this -
>
>    1. Mailman consults LDAP for the list admin password, and is able to 
>also set that password (for the web UI and the change_pw script). Mailing 
>lists are already defined in LDAP for our MTAs.
>
>    2. The Mailman list admin passwords are stored in an unencrypted form, 
>which we regularly sync to LDAP, for the quarantine system to use.
>
>
>    IT seems like option 2 would be simpler in terms of code, although less 
>ideal (because the password wouldn't be encrypted).
>
>
>    Which method (or is there a third way?) is going to make the most sense 
>for seamless integration with Mailman?

I suggest a third method.

Do not change Mailman at all.

Periodically, via cron and/or on demand, retrieve the list's 'password'
attribute from lists/listname/config.pck. This can be done with a
Python program using the Mailman API to instantiate the list and get
the password, or it could be done with a withlist script whose process
was simply

def get_list_pw(mlist):
    print mlist.password

or it could be done, e.g., by

/path/to/bin/dumpdb /path/to/lists/$listname/config.pck | \
   grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'

This is the encrypted password. Store that in LDAP and have your
quarantine system validate a password by encrypting it using Mailman's
algorithm (a 40-hex-digit representation of a SHA1 hash of the
plaintext) and comparing that to the list's encrypted password.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan