The mailing list for listmasters using Sympa

[Olivier Salaün <address@concealed>]

Hi Ryann,

We are aware of this risk ; that's why the Shibboleth authentication 
feature (actually generic_sso) has been extended by J.P.  Robinson, 
University of Alabama at Birmingham. The extension allows to either 
validate a shibboleth-provided email address or collect one (and 
validate it). The extension is part of Sympa 5.2.x versions.

Please check the documentation to find out about the available 
parameters : 
http://www.sympa.org/wiki/manual/authentication#generic_sso_paragraph

Let us know if the documentation not sufficient.

Ryann Levo wrote:

> We're working with Sympa 5.2.3 and we have Shibboleth authentication 
> (staying within our institution - currently not allowing others to 
> auth) working.  However we found a slight security issue that since 
> our customers can change their mail attribute in LDAP (what Shib uses 
> to get the users's information), there's the potential that someone 
> could change their mail attribute to another person's email address 
> and basically auth into Sympa and have the other person's rights/views 
> into their lists (of course the most dangerous one would be the 
> listmaster's email address).
>
> Has anyone else run into this problem using Sympa and Shibboleth?
>
> Any thoughts or ideas would be of great help - and unfortunately not 
> allowing our customers to modify their mail attribute is not an option.