The mailing list for listmasters using Sympa

[Aumont - Comite Reseaux des Universites <address@concealed>]

Stewart James wrote:
> Hi All,
>
> I have sympa setup to use an LDAP Database for authentication.
>
> Just for fun I thought what information I get when I 'remind' a list.
>
> Even though all the subscribers are authenticated by LDAP they were sent a
> password in the reminder (obvioulsy not the LDAP password).
>
> So I logged in with the nonLDAP password - and it worked! this to me is
> bad.
>
>
> Can anyone offer some help, or are these known issues for sympa.

This problem is not a new problem. The current solution is

-   use "authentication_info_url" parameter in auth.conf in order to
    redirect the "send me a password" button usage.

-   modify templates in order to include a javascript that disallow
sympa internal password creation  for a specific domain. This as been
described by Vincent Mathieu  in the following mail :
http://listes.cru.fr/wws/arc/sympa-users/2002-05/msg00027.html

This is a partial solution. Sympa 4.0 will improve auth.conf syntax
in order to :

-1- clearly add a paragraph for sympa internal password meccanim

-2- add a regexp to each paragraph. The related paragraph will be
    applied only if the user uid|email match this regexp.


This way you will be able to block Sympa internal password
meccanism for a domain.

We will do it also because we need Sympa to use some SSO meccanim
such as CAS

Regards
Serge Aumont