[Mailman-Users] Storing list admin password in LDAP, or unencrypted?

Fri Jul 9 22:04:21 CEST 2010

Hello,

On Thu, 8 Jul 2010, Mark Sapiro wrote:

> Ivan Fetch wrote:
>>
>>    We would like to integrate Mailman with a spam quarantine system. List
>> admin(s) will need to login to manage quarantined messages, and we would
>> like this login to use the list admin password. I'd like some feedback on
>> the best way to accomplish this, with Mailman.
>>
>>
>>    I can think of two ways to accomplish this -
>>
>>    1. Mailman consults LDAP for the list admin password, and is able to
>> also set that password (for the web UI and the change_pw script). Mailing
>> lists are already defined in LDAP for our MTAs.
>>
>>    2. The Mailman list admin passwords are stored in an unencrypted form,
>> which we regularly sync to LDAP, for the quarantine system to use.
>>
>>
>>    IT seems like option 2 would be simpler in terms of code, although less
>> ideal (because the password wouldn't be encrypted).
>>
>>
>>    Which method (or is there a third way?) is going to make the most sense
>> for seamless integration with Mailman?
>
>
> I suggest a third method.
>
> Do not change Mailman at all.
>
> Periodically, via cron and/or on demand, retrieve the list's 'password'
> attribute from lists/listname/config.pck. This can be done with a
> Python program using the Mailman API to instantiate the list and get
> the password, or it could be done with a withlist script whose process
> was simply
>
> def get_list_pw(mlist):
>    print mlist.password
>
> or it could be done, e.g., by
>
> /path/to/bin/dumpdb /path/to/lists/$listname/config.pck | \
>   grep \'password\' | sed -e s'/^.*: .//' -e 's/.,$//'
>
> This is the encrypted password. Store that in LDAP and have your
> quarantine system validate a password by encrypting it using Mailman's
> algorithm (a 40-hex-digit representation of a SHA1 hash of the
> plaintext) and comparing that to the list's encrypted password.
>
> -- 
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>

    Great - makes very good sense, thank you. We have tested this by 
getting the list's admin password, removing the hexification (with 
binascii.unhexlify) which leaves the password in SHA1 digest form, then 
base64 encoding the password, and putting it into LDAP.

    How much difference in eficiency is there, between runnig dumpdb vs. 
using python code to only get a list's password? I know dumpdb is doing 
more (because it dumps the entire pck), but is it going to be enough to matter?

    The script we'll write, will probably run every 5 minutes, iterating 
through all lists, and setting password attributes in LDAP for passwords 
which have changed. I'd like to have minimal impact on Mailman (RE: using 
dumpdb).

- Ivan