1 mailto(admin@db.debian.org)
2 manpage(ud-info)(1)(17 Sep 1999)(userdir-ldap)()
3 manpagename(ud-info)(Command line LDAP user record manipulator)
10 ud-info is the command-line tool for end users to manipulate their own
11 database information and to view other users information. It also provides
12 root functions which when combined with sufficient LDAP privilages allow
13 an administrator to completely manipulate a users record.
15 The defined fields are:
17 it() cn - Common (first) name. [root]
18 it() mn - Middle name or initial. [root]
19 it() sn - Surname (last name). [root]
20 it() cn - ISO 3166 country code, see file(/usr/share/zoneinfo/iso3166.tab)
22 it() ircnick - IRC nickname.
23 it() l - City name, state/province. The part of a mailing address that is
24 not the street address. e.g.: Dallas, Texas
25 it() postalcode - Postal Code or ZIP Code
26 it() postaladdress - Complete mailing address including postal codes and
27 country designations. Newlines are seperated by a $ character. The
28 address should be formed exactly as it would appear on a parcel.
29 it() latitude/longitude - The physical latitude and longitude. This
30 information is typically used to generate an xearth marker file.
31 See the discussion below on position formats.
32 it() facsimiletelephonenumber - FAX phone number, do not forget to specify a
33 country code [North Armerica is +1].
34 it() telephonenumber - Voice phone number.
35 it() loginshell - Full path to the prefered Unix login shell. e.g. file(/bin/bash)
36 it() emailforward - Destination email address.
37 it() userpassword - Encrypted version of the password. [root]
38 it() sshrsaauthkey - SSH RSA public authentication key.
39 it() supplementarygid - A list of group names that the user belongs.
40 This field emulates the functionality of the traditional Unix group
42 it() dnszoneentry - A list of zone file fragments that are placed in
43 the zone file for debian.net. [root]
44 it() allowedhosts - Permits access to hosts outside of the group list. [root]
45 it() onvacation - A message indicating that the user is on vacation. The
46 time of departure and expected return date should be included as
47 well as any special instructions.
48 it() comment - Administrative comment about the account. [root]
49 it() labeledurl - User's web site.
52 When prompted for a password it is possible to enter a blank password and
53 access the database anonymously. This is useful to check PGP key
54 fingerprints, for instance.
56 manpagesection(SECURITY AND PRIVACY)
57 Three levels of information security are provided by the database. The first
58 is completely public information that anyone can see either by issuing an
59 LDAP query or by visiting the web site. The next level is "maintainer-only"
60 information that requires authentication to the directory before it can be
61 accessed. The final level is admin-only or user-only information; this
62 information can only be viewed by the user or an administrator.
64 Maintainer-only information includes precise location information
65 [postalcode, postal address, lat/long] telephone numbers, and the vacation
68 Admin-only/user-only information includes email forwarding, ssh keys and
69 the encrypted password. Note that email forwarding is necessarily publicly
70 viewable from accounts on the actual machines.
72 manpagesection(LAT/LONG POSITION)
73 There are three possible formats for giving position information and several
74 online sites that can give an accurate position fix based on mailing address.
78 The format is +-DDD.DDDDDDDDDDDDDDD. This is the format programs like
80 use and the format that many positioning web sites use. However typically
81 the precision is limited to 4 or 5 decimals.
83 dit(Degrees Minutes (DGM))
84 The format is +-DDDMM.MMMMMMMMMMMMM. It is not an arithmetic type, but a
85 packed representation of two seperate units, degrees and minutes. This
86 output is common from some types of hand held GPS units and from NMEA format
89 dit(Degrees Minutes Seconds (DGMS))
90 The format is +-DDDMMSS.SSSSSSSSSSS. Like DGM, it is not an arithmetic type but
91 a packed representation of three seperate units, degrees minutes and
92 seconds. This output is typically derived from web sites that give 3 values
93 for each position. For instance 34:50:12.24523 North might be the position
94 given, in DGMS it would be +0345012.24523.
97 For Latitude + is North, for Longitude + is East. It is important to specify
98 enough leading zeros to dis-ambiguate the format that is being used if your
99 position is less than 2 degrees from a zero point.
101 So locations to find positioning information are:
104 it() Good starting point - http://www.ckdhr.com/dns-loc/finding.html
105 it() AirNav - GPS locations for airports around the world http://www.airnav.com/
106 it() GeoCode - US index by ZIP Code http://www.geocode.com/eagle.html-ssi
107 it() Map Blast! Canadian, US and some European maps - http://www.mapblast.com/
108 it() Australian Database http://www.environment.gov.au/database/MAN200R.html
109 it() Canadian Database http://GeoNames.NRCan.gc.ca/
110 it() Atlas of the World, indexed by city http://www.astro.com/atlas/
111 it() Xerox PARC Map Viewer http://mapweb.parc.xerox.com/map
112 it() GNU Timezone database, organized partially by country /usr/share/zoneinfo/zone.tab
115 Remember that we are after reasonable coordinates for drawing an xearth
116 graph and looking for people to sign keys, not for coordinates accurate
117 enough to land an ICBM on your doorstop!
119 manpagesection(EDITING SUPPLEMENTAL GIDS)
120 When the root function is activated then the supplemental GIDs can be
121 manipulated as a list of items. It is possible to add and remove items from
122 the list by name. Proper prompts are given. A similar editing function is
123 made available for the host acl list.
125 manpagesection(ENCRYPTION PUBLIC KEYS)
126 The directory associates two types of public encryption keys with the user,
127 a PGP key fingerprint and a SSH RSA authentication key. It is not possible for
128 a user to change their associated key fingerprint, that can only be done by
129 the keyring maintainers after performing reasonable verification of the new
130 key. Who ever controls the PGP key can make any modification to the LDAP
131 account by using the PGP mail gateways.
133 SSH RSA authentication keys are used by the SSH protocol to authenticate a
134 user based on a cryptographic challenge. These keys pairs are created by the
135 ssh-keygen program. The public version that is stored in the directory is
136 generally placed in a file called identity.pub. SSH RSA authentication keys
137 are password equivelents, whoever has the private half of the key can use it
138 to login to any machine, but not affect changes to the LDAP entry. SSH
139 authentication keys are kept private.
141 manpagesection(NOTES)
142 To lock out an account take the password and prepend *LK* before the hash
143 and after the {crypt} this is understood by ssh, shadow and the mailgateway to
144 indicate a disabled account. No manipulations what so ever will be permitted.
150 Set the authentication user. This is the user whose authority is used when
151 accessing the LDAP directory. The default is to use the current system user
155 Select the user whose fields will be displayed/edited. The default is to use
156 the current system user name.
159 Set both the authentication user and the target user. This option is useful
160 if the login name does not match the user who is operating the program.
163 Enable root functions. This enables more options to allow changing
164 any entry in the directory. This function only has meaning if the
165 authentication user has the necessary permissions at the LDAP server.
168 No actions. Anonymously bind and show the information for the user and then
174 it() /etc/userdir-ldap/userdir-ldap.conf
175 Configuration variables to select what server and what base DN to use.
179 userdir-ldap was written by Jason Gunthorpe <jgg@debian.org>.