mailto(admin@db.debian.org)
manpage(ud-info)(1)(17 Sep 1999)(userdir-ldap)()
manpagename(ud-info)(Command line LDAP user record manipulator)
ud-info is the command-line tool for end users to manipulate their own
database information and to view other users' information. It also provides
root functions which, when combined with sufficient LDAP privileges, allow
an administrator to completely manipulate a user's record.
The defined fields are:

it() cn - Common (first) name. [root]
it() mn - Middle name or initial. [root]
it() sn - Surname (last name). [root]
it() c - ISO 3166 country code, see file(/usr/share/zoneinfo/iso3166.tab)
it() ircnick - IRC nickname.
it() l - City name, state/province. The part of a mailing address that is
not the street address, e.g. Dallas, Texas.
it() postalcode - Postal code or ZIP code.
it() postaladdress - Complete mailing address including postal codes and
country designations. Line breaks are represented by a $ character. The
address should be formed exactly as it would appear on a parcel.
it() latitude/longitude - The physical latitude and longitude. This
information is typically used to generate an xearth marker file.
See the discussion below on position formats.
it() facsimiletelephonenumber - FAX phone number; do not forget to specify a
country code [North America is +1].
it() telephonenumber - Voice phone number.
it() loginshell - Full path to the preferred Unix login shell, e.g. file(/bin/bash)
it() emailforward - Destination email address.
it() userpassword - Encrypted version of the password. [root]
it() sshrsaauthkey - SSH RSA public authentication key.
it() supplementarygid - A list of group names that the user belongs to.
This field emulates the functionality of the traditional Unix group
it() dnszoneentry - A list of zone file fragments that are placed in
the zone file for debian.net. [root]
it() allowedhosts - Permits access to hosts outside of the group list. [root]
it() onvacation - A message indicating that the user is on vacation. The
time of departure and expected return date should be included as
well as any special instructions.
it() comment - Administrative comment about the account. [root]
it() labeledurl - User's web site.
it() privatesub - Debian-Private subscription.
it() icquin - ICQ user number.
When prompted for a password it is possible to enter a blank password and
access the database anonymously. This is useful to check PGP key
fingerprints, for instance.
manpagesection(SECURITY AND PRIVACY)
Three levels of information security are provided by the database. The first
is completely public information that anyone can see either by issuing an
LDAP query or by visiting the web site. The next level is "maintainer-only"
information that requires authentication to the directory before it can be
accessed. The final level is admin-only or user-only information; this
information can only be viewed by the user or an administrator.

Maintainer-only information includes precise location information
[postalcode, postal address, lat/long], telephone numbers, and the vacation

Admin-only/user-only information includes email forwarding, ssh keys and
the encrypted password. Note that email forwarding is necessarily publicly
viewable from accounts on the actual machines.
manpagesection(LAT/LONG POSITION)
There are three possible formats for giving position information and several
online sites that can give an accurate position fix based on mailing address.

The format is +-DDD.DDDDDDDDDDDDDDD. This is the format programs like
use and the format that many positioning web sites use. However, typically
the precision is limited to 4 or 5 decimals.

dit(Degrees Minutes (DGM))
The format is +-DDDMM.MMMMMMMMMMMMM. It is not an arithmetic type, but a
packed representation of two separate units, degrees and minutes. This
output is common from some types of hand-held GPS units and from NMEA format

dit(Degrees Minutes Seconds (DGMS))
The format is +-DDDMMSS.SSSSSSSSSSS. Like DGM, it is not an arithmetic type but
a packed representation of three separate units: degrees, minutes and
seconds. This output is typically derived from web sites that give 3 values
for each position. For instance, 34:50:12.24523 North might be the position
given; in DGMS it would be +0345012.24523.

For latitude + is North; for longitude + is East. It is important to specify
enough leading zeros to disambiguate the format that is being used if your
position is less than 2 degrees from a zero point.
Some locations to find positioning information are:

it() Good starting point - http://www.ckdhr.com/dns-loc/finding.html
it() AirNav - GPS locations for airports around the world - http://www.airnav.com/
it() GeoCode - US index by ZIP Code - http://www.geocode.com/eagle.html-ssi
it() Map Blast! - Canadian, US and some European maps - http://www.mapblast.com/
it() Australian Database - http://www.environment.gov.au/database/MAN200R.html
it() Canadian Database - http://GeoNames.NRCan.gc.ca/
it() Atlas of the World, indexed by city - http://www.astro.com/atlas/
it() Xerox PARC Map Viewer - http://mapweb.parc.xerox.com/map
it() GNU Timezone database, organized partially by country - /usr/share/zoneinfo/zone.tab

Remember that we are after reasonable coordinates for drawing an xearth
graph and looking for people to sign keys, not for coordinates accurate
enough to land an ICBM on your doorstep!
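The three position formats above differ only in how many digits sit before the decimal point, which is exactly why the leading-zero rule matters. The following is an added example (my own code, not part of userdir-ldap) that parses all three formats into decimal degrees and formats decimal degrees back to DGMS; it assumes the digit-count rule stated in the docstring, and "DD" is my own shorthand for the plain decimal-degrees format.

```python
import re

# Constructed sample values: one position written in each of the three
# formats ud-info accepts. They are not taken from the userdir-ldap code.
SAMPLES = {"DD": "+34.8367347861", "DGM": "+03450.2040872", "DGMS": "+0345012.24523"}

_POS = re.compile(r"^([+-])(\d+)(?:\.(\d+))?$")


def parse_position(text, longitude=False):
    """Convert a DD, DGM or DGMS string to signed decimal degrees.

    The format is inferred from the digit count before the decimal point,
    which is why leading zeros matter for positions under 2 degrees:
    1-3 digits -> DD, 4-5 -> DGM (DDDMM), 6-7 -> DGMS (DDDMMSS).
    """
    m = _POS.match(text.strip())
    if not m:
        raise ValueError("malformed position: %r" % text)
    sign, whole, frac = m.group(1), m.group(2), m.group(3) or "0"
    fraction = float("0." + frac)
    n = len(whole)
    if n <= 3:                       # DD: fraction is a fraction of a degree
        deg, minutes, seconds = int(whole) + fraction, 0.0, 0.0
    elif n <= 5:                     # DGM: DDDMM, fraction is minutes
        deg, minutes, seconds = int(whole[:-2]), int(whole[-2:]) + fraction, 0.0
    elif n <= 7:                     # DGMS: DDDMMSS, fraction is seconds
        deg = int(whole[:-4])
        minutes, seconds = int(whole[-4:-2]), int(whole[-2:]) + fraction
    else:
        raise ValueError("too many digits for any format: %r" % text)
    if minutes >= 60 or seconds >= 60:
        raise ValueError("minutes/seconds out of range: %r" % text)
    value = deg + minutes / 60.0 + seconds / 3600.0
    if value > (180.0 if longitude else 90.0):
        raise ValueError("out of range: %r" % text)
    return -value if sign == "-" else value


def to_dgms(value):
    """Format decimal degrees as DGMS with the leading zeros ud-info needs."""
    sign = "-" if value < 0 else "+"
    total = round(abs(value) * 3600.0, 6)          # whole position in seconds
    deg, rest = divmod(total, 3600.0)
    minutes, seconds = divmod(rest, 60.0)
    return "%s%03d%02d%011.8f" % (sign, deg, minutes, seconds)
```

Note that "+130" parses as 130 decimal degrees (valid only as a longitude) while "+0130" parses as 1 degree 30 minutes; always write the extra zeros near the equator and the prime meridian.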
manpagesection(EDITING SUPPLEMENTAL GIDS)
When the root function is activated, the supplemental GIDs can be
manipulated as a list of items. It is possible to add and remove items from
the list by name. Proper prompts are given. A similar editing function is
made available for the host ACL list.
manpagesection(ENCRYPTION PUBLIC KEYS)
The directory associates two types of public encryption keys with the user,
a PGP key fingerprint and an SSH RSA authentication key. It is not possible for
a user to change their associated key fingerprint; that can only be done by
the keyring maintainers after performing reasonable verification of the new
key. Whoever controls the PGP key can make any modification to the LDAP
account by using the PGP mail gateways.

SSH RSA authentication keys are used by the SSH protocol to authenticate a
user based on a cryptographic challenge. These key pairs are created by the
ssh-keygen program. The public version that is stored in the directory is
generally placed in a file called identity.pub. SSH RSA authentication keys
are password equivalents: whoever has the private half of the key can use it
to log in to any machine, but cannot effect changes to the LDAP entry. SSH
authentication keys are kept private.
manpagesection(NOTES)
To lock out an account, take the password and prepend *LK* before the hash
and after the {crypt}; this is understood by ssh, shadow and the mail gateway to
indicate a disabled account. No manipulations whatsoever will be permitted.
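An added example (my own code, not userdir-ldap's) of the lock-out convention just described: it splits a userpassword value into its {scheme} prefix and hash, reports whether the *LK* marker is present, and applies or removes the marker idempotently. The sample hash is constructed and not a real credential.

```python
LOCK_MARK = "*LK*"

# Constructed sample userpassword value; the hash part is not a real hash.
SAMPLE = "{crypt}$1$saltsalt$constructedhashvalue00000"


def split_scheme(userpassword):
    """Split '{scheme}hash' into ('{scheme}', 'hash'); the prefix may be absent."""
    if userpassword.startswith("{") and "}" in userpassword:
        end = userpassword.index("}") + 1
        return userpassword[:end], userpassword[end:]
    return "", userpassword


def is_locked(userpassword):
    """True when the *LK* marker sits between {crypt} and the hash."""
    scheme, h = split_scheme(userpassword)
    return scheme.lower() == "{crypt}" and h.startswith(LOCK_MARK)


def lock(userpassword):
    """Disable the account; idempotent, and refuses non-{crypt} values."""
    scheme, h = split_scheme(userpassword)
    if scheme.lower() != "{crypt}":
        raise ValueError("the *LK* convention applies to {crypt} hashes only")
    return userpassword if h.startswith(LOCK_MARK) else scheme + LOCK_MARK + h


def unlock(userpassword):
    """Re-enable the account by removing the marker; no-op when not locked."""
    scheme, h = split_scheme(userpassword)
    if not is_locked(userpassword):
        return userpassword
    return scheme + h[len(LOCK_MARK):]
```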
Set the authentication user. This is the user whose authority is used when
accessing the LDAP directory. The default is to use the current system user

Select the user whose fields will be displayed/edited. The default is to use
the current system user name.

Set both the authentication user and the target user. This option is useful
if the login name does not match the user who is operating the program.

Enable root functions. This enables more options to allow changing
any entry in the directory. This function only has meaning if the
authentication user has the necessary permissions at the LDAP server.

No actions. Anonymously bind and show the information for the user and then

it() /etc/userdir-ldap/userdir-ldap.conf
Configuration variables to select what server and what base DN to use.

userdir-ldap was written by Jason Gunthorpe <jgg@debian.org>.