Hi all. I'm wondering if anybody has devised a way to authenticate to
the admin/moderator interfaces in Mailman using browser certificates.
We try to use them to authenticate to web services wherever possible,
and have a fairly widely deployed PKI at my site.

It seems like this should be possible, but I really don't know python
and am not very familiar with Mailman's code. We use Apache and
mod_ssl, which means that we can make a bunch of environment variables
associated with the certificates available to Mailman. In particular,
we can find out the email address of the user. It seems like we should
be able to look for that email address in the list of admin or moderator
addresses and consider the user to be authenticated if it's there. The
web server is already doing the necessary work to verify that the
certificate is valid, so everything presented to Mailman should be
trustworthy.

Any help would be much appreciated.

noah

--
Noah Meyerhans System Administrator
MIT Computer Science and Artificial Intelligence Laboratory


  • Jon Carnes at Jan 30, 2004 at 8:25 pm

    On Fri, 2004-01-30 at 14:03, Noah Meyerhans wrote:
    > Hi all. I'm wondering if anybody has devised a way to authenticate to
    > the admin/moderator interfaces in Mailman using browser certificates.
    > We try to use them to authenticate to web services wherever possible,
    > and have a fairly widely deployed PKI at my site.
    >
    > It seems like this should be possible, but I really don't know python
    > and am not very familiar with Mailman's code. We use Apache and
    > mod_ssl, which means that we can make a bunch of environment variables
    > associated with the certificates available to Mailman. In particular,
    > we can find out the email address of the user. It seems like we should
    > be able to look for that email address in the list of admin or moderator
    > addresses and consider the user to be authenticated if it's there. The
    > web server is already doing the necessary work to verify that the
    > certificate is valid, so everything presented to Mailman should be
    > trustworthy.
    >
    > Any help would be much appreciated.
    >
    > noah

    Dude,

    Just move the script alias inside the ssl part of your httpd.conf.
  • Noah Meyerhans at Jan 30, 2004 at 9:11 pm

    On Fri, Jan 30, 2004 at 03:25:24PM -0500, Jon Carnes wrote:
    > Just move the script alias inside the ssl part of your httpd.conf.

    I've already got the script alias in the SSL section of Apache's config.
    That works fine, but it's most definitely not authenticating based on
    the x509 certificate presented by the browser. Is it supposed to? I
    haven't seen any indication in the documentation that leads me to
    believe it is. Please point me to whatever docs I'm missing if I am
    missing something. Or tell me where in mailman's source code I can find
    that functionality.

    In case I was not clear in my intentions: If the browser presents an
    x509 certificate that is properly signed by my Certificate Authority,
    and the email address associated with the certificate is listed in the
    admin or moderator fields in Mailman, then the user should be considered
    authenticated. At no point should they be prompted for a password.

    noah

    --
    Noah Meyerhans System Administrator
    MIT Computer Science and Artificial Intelligence Laboratory

  • Jon Carnes at Jan 30, 2004 at 11:02 pm
    You'll need to dive into the code for that. Mailman is totally and
    blissfully unaware of such authentications.

    Good Luck - Jon Carnes

    On Fri, 2004-01-30 at 16:11, Noah Meyerhans wrote:
    > On Fri, Jan 30, 2004 at 03:25:24PM -0500, Jon Carnes wrote:
    > > Just move the script alias inside the ssl part of your httpd.conf.
    >
    > I've already got the script alias in the SSL section of Apache's config.
    > That works fine, but it's most definitely not authenticating based on
    > the x509 certificate presented by the browser. Is it supposed to? I
    > haven't seen any indication in the documentation that leads me to
    > believe it is. Please point me to whatever docs I'm missing if I am
    > missing something. Or tell me where in mailman's source code I can find
    > that functionality.
    >
    > In case I was not clear in my intentions: If the browser presents an
    > x509 certificate that is properly signed by my Certificate Authority,
    > and the email address associated with the certificate is listed in the
    > admin or moderator fields in Mailman, then the user should be considered
    > authenticated. At no point should they be prompted for a password.
    >
    > noah
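
The check described in this thread, sketched as an added example that is not part of the original posts and is not Mailman code: it maps the variables mod_ssl exports to CGI scripts (with `SSLOptions +StdEnvVars`) onto an admin or moderator role. The function name `cert_role`, the issuer DN value and the owner and moderator lists passed in as plain Python lists are assumptions made for illustration.

```python
# Hypothetical site value: copy the exact string your server emits in
# SSL_CLIENT_I_DN for the local CA (the DN format differs between versions).
TRUSTED_ISSUER_DN = "CN=Example Site CA,O=Example Lab,C=US"


def cert_role(environ, owners, moderators, trusted_issuer=TRUSTED_ISSUER_DN):
    """Return 'admin', 'moderator' or None for the client certificate
    described by mod_ssl's CGI environment variables."""
    # Only a fully verified chain counts. NONE (no certificate), GENEROUS
    # (optional_no_ca) and FAILED:<reason> must all be treated as anonymous.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Apache may trust several CAs; accept only the one whose certificates
    # are known to carry a vetted e-mail address.
    if environ.get("SSL_CLIENT_I_DN") != trusted_issuer:
        return None
    # Read the server-set variable, never an HTTP_* request header.
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    if "@" not in email:
        return None
    if email in {a.strip().lower() for a in owners}:
        return "admin"
    if email in {a.strip().lower() for a in moderators}:
        return "moderator"
    return None


# Constructed sample data, not taken from any real list or certificate.
SAMPLE_OWNERS = ["listmaster@example.org"]
SAMPLE_MODERATORS = ["mod@example.org"]
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": TRUSTED_ISSUER_DN,
    "SSL_CLIENT_S_DN_Email": "ListMaster@Example.ORG",
}

if __name__ == "__main__":
    import os
    # Under Apache this would be os.environ; fall back to the sample offline.
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_ENV
    print(cert_role(env, SAMPLE_OWNERS, SAMPLE_MODERATORS))
```

A `None` result is the point at which a caller would fall back to the normal password prompt rather than grant access.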
