
devel - Re: [sympa-dev] X.509 - based authorisation

Subject: Developers of Sympa

  • From: Olivier Salaün - CRU <address@concealed>
  • To: address@concealed
  • Cc: address@concealed
  • Subject: Re: [sympa-dev] X.509 - based authorisation
  • Date: Mon, 29 May 2006 17:50:27 +0200

Hi Vladimir,

If I understand your request, you need to :
  1. use attributes from the user certificates at the authorization engine level
  2. map this user attribute to the listname to apply regular expressions
(1) is natively provided by Sympa : authorization in Sympa is managed, for each operation, via a single authorization engine that is fed with so-called "authorization scenarios". An authorization scenario is made of rules ; a rule includes a condition that refers to variables. Among the available variables are the environment variables that are populated by mod_ssl. You could have a scenario rule that would look like this :
equal([env->SSL_CLIENT_S_DN_Email],'address@concealed') smtp,md5,smime -> do_it
(2) is more tricky if the mapping between the cert info and the listname is not direct. If the unit name is the same, then there is not much to do to achieve your goal (basically pass the listname to the scenario engine at create_list time ; which is not done currently).

Another way to meet your needs could be to use Sympa's "family" feature. A family is a generic definition of a set of lists. Lists are automatically created in bulk, given the list config model and a set of variables (expressed in XML). Currently the only interface to instantiate a family is via the command line, but we plan to make it available via the web interface and the mail interface.

For more information on Sympa features :

address@concealed wrote:
Dear Sympa developers,

Has anyone thought about granting rights based on X.509 certificate content?
For example, in the case of a large organisation, the organisation's CA could put some title/position information into the person's certificate (say, a person is a MANAGER of some organisation unit). Then, administrators could give the right to create lists with names *.address@concealed to all managers.
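The two points Olivier describes above (feeding mod_ssl's SSL_CLIENT_* variables to scenario rules, and mapping the certificate's unit name onto the listname with a regular expression) can be sketched as a toy scenario evaluator. This is an added example, not Sympa's scenario engine and not code from either author: the rule syntax follows the single rule quoted in the reply (condition, comma-separated auth methods, "-> action"), while the "!" negation, first-match-wins evaluation, the default reject, the SSL_CLIENT_* sample values and the OU-to-listname mapping are assumptions made here for illustration.

```python
"""Toy emulation of a Sympa-style authorization scenario for create_list,
gated on X.509 attributes that mod_ssl exports into the environment.

Added example: this is not Sympa's scenario engine. The rule syntax follows
the rule quoted in the mail; "!" negation, first-match-wins evaluation, the
default reject, the SSL_CLIENT_* sample values and the unit-name-to-listname
mapping are assumptions made here.
"""
import re

# A rule looks like:  [!]func(args) auth1,auth2 -> action   (# starts a comment)
RULE_RE = re.compile(
    r"^(?P<neg>!?)(?P<func>\w+)\((?P<args>.*)\)\s+(?P<auth>[\w,]+)\s*->\s*(?P<action>\w+)$"
)
# Variable tokens: [env->NAME] (mod_ssl / CGI environment) or [listname], [sender]
VAR_RE = re.compile(r"\[(?:env->(\w+)|(\w+))\]")

# Assumed scenario for the create_list operation; rules are tried in order.
CREATE_LIST_SCENARIO = r"""
# Web session without a verified client certificate: refuse outright.
!equal([env->SSL_CLIENT_VERIFY],'SUCCESS') smime -> reject
# The certificate must belong to the requesting user.
!equal([env->SSL_CLIENT_S_DN_Email],[sender]) smime -> reject
# Only managers may create lists at all.
!equal([env->SSL_CLIENT_S_DN_Title],'MANAGER') smime -> reject
# A manager of unit OU may only create lists named "OU.<something>".
match([listname],/^[env->SSL_CLIENT_S_DN_OU]\./) smime -> do_it
# Anything else, via any authentication method, is rejected.
true() smtp,md5,smime -> reject
"""


def _lookup(match, ctx, escape):
    """Resolve one variable token; unset variables read as '' (mod_ssl leaves
    SSL_CLIENT_* unset when no certificate was presented)."""
    env_name, plain_name = match.group(1), match.group(2)
    value = ctx["env"].get(env_name, "") if env_name else str(ctx.get(plain_name, ""))
    return re.escape(value) if escape else value


def _arg(text, ctx):
    """Evaluate one argument: 'literal', /regex/ or a variable token."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == "'":
        return text[1:-1]
    if len(text) >= 2 and text[0] == text[-1] == "/":
        # Values substituted into a regex are escaped: an OU of ".*" in a
        # rogue certificate must not turn the pattern into a wildcard.
        return re.compile(VAR_RE.sub(lambda m: _lookup(m, ctx, True), text[1:-1]))
    return VAR_RE.sub(lambda m: _lookup(m, ctx, False), text)


def _condition(func, args, ctx):
    argv = [_arg(a, ctx) for a in args.split(",", 1)] if args.strip() else []
    if func == "true":
        return True
    if func == "equal":
        return argv[0] == argv[1]
    if func == "match":
        return argv[1].search(argv[0]) is not None
    raise ValueError(f"unsupported condition: {func}")


def authorize(scenario, ctx, auth_method):
    """Return the action of the first rule whose auth method and condition
    both match; 'reject' if no rule matches (safe default assumed here)."""
    for raw in scenario.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line}")
        if auth_method not in m["auth"].split(","):
            continue  # rule does not apply to this authentication method
        ok = _condition(m["func"], m["args"], ctx)
        if m["neg"]:
            ok = not ok
        if ok:
            return m["action"]
    return "reject"


# Constructed mod_ssl-style environments (not real certificates).
MANAGER_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_Email": "alice@example.org",
    "SSL_CLIENT_S_DN_OU": "sales",
    "SSL_CLIENT_S_DN_Title": "MANAGER",
}
ROGUE_ENV = dict(MANAGER_ENV, SSL_CLIENT_S_DN_OU=".*")  # regex-looking unit name


def decide(env, listname, sender="alice@example.org", auth_method="smime"):
    ctx = {"env": env, "listname": listname, "sender": sender}
    return authorize(CREATE_LIST_SCENARIO, ctx, auth_method)


if __name__ == "__main__":
    for env, name, method in [
        (MANAGER_ENV, "sales.announce", "smime"),  # do_it
        (MANAGER_ENV, "hr.announce", "smime"),     # reject: wrong unit
        (MANAGER_ENV, "sales.announce", "smtp"),   # reject: no cert on the mail path
        ({}, "sales.announce", "smime"),           # reject: no client certificate
        (ROGUE_ENV, "hr.announce", "smime"),       # reject: OU escaped inside the regex
    ]:
        print(f"{name:16} {method:5} -> {decide(env, name, auth_method=method)}")
```

Two details matter in practice. The SSL_CLIENT_* variables only exist for a web session that completed a client-certificate handshake, so rules that read them should be restricted to that authentication method and paired with an explicit check of SSL_CLIENT_VERIFY; a rule tagged smtp or md5 would evaluate against empty values. And any certificate attribute interpolated into a regular expression must be escaped, since the CA's subject fields are data, not pattern syntax.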