+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html lang="en">
-<head>
- <meta http-equiv="Content-Type" content="text/html; charset=">
- <title>Debian Project -- LDAP Gateway</title>
- <link rev="made" href="mailto:webmaster@debian.org">
- <meta name="Generator" content="WML 2.0.11 (19-Aug-2006)">
- <meta name="Modified" content="2009-06-02 12:31:59">
-</head>
-<body text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
-<table width="100%" align="center" border="0" cellpadding="3" cellspacing="0" summary="">
-<tr>
- <td align="left" valign="middle">
- <a href="http://www.debian.org/"><img src="http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0" vspace="0" alt=""></a>
- <a href="http://www.debian.org/" rel="start"><img src="http://www.debian.org/Pics/debian.png" border="0" hspace="0" vspace="0" alt="Debian Project"></a>
- </td>
-</tr>
-</table>
-<!--UdmComment-->
-<table bgcolor="#DF0451" border="0" cellpadding="0" cellspacing="0" width="100%" summary="">
-<tr>
-<td valign="top">
-<img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border="0" hspace="0" vspace="0" alt="">
-</td>
-<td rowspan="2" align="center">
-<a href="http://www.debian.org/intro/about"><img src="http://www.debian.org/Pics/about.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="About Debian"></a>
-<a href="http://www.debian.org/News/"><img src="http://www.debian.org/Pics/news.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="News"></a>
-<a href="http://www.debian.org/distrib/"><img src="http://www.debian.org/Pics/getting.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Getting Debian"></a>
-<a href="http://www.debian.org/support"><img src="http://www.debian.org/Pics/support.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Support"></a>
-<a href="http://www.debian.org/devel/"><img src="http://www.debian.org/Pics/devel.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Developers' Corner"></a>
-<a href="http://www.debian.org/sitemap" rel="contents"><img src="http://www.debian.org/Pics/sitemap.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Site map"></a>
-<a href="http://search.debian.org/"><img src="http://www.debian.org/Pics/search.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Search"></a>
-</td>
-<td valign="top">
-<img src="http://www.debian.org/Pics/red-upperright.png" align="right" border="0" hspace="0" vspace="0" alt="">
-</td>
-</tr>
-<tr>
-<td valign="bottom">
-<img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border="0" hspace="0" vspace="0" alt="">
-</td>
-<td valign="bottom">
-<img src="http://www.debian.org/Pics/red-lowerright.png" align="right" border="0" hspace="0" vspace="0" alt="">
-</td>
-</tr>
-</table>
-<!--/UdmComment-->
-<h1>LDAP Gateway</h1>
-<p>
-The LDAP directory has a PGP secured mail gateway that
-allows users to safely and conveniently effect changes to their entries. It
-makes use of PGP signed input messages to positively identify the user and
-to confirm the validity of the request. Furthermore it implements a replay
-cache that prevents the gateway from accepting the same message more than
-once.
-<p>
-There are three functions logically split into 3 separate email addresses
-that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
-<b>changes</b>. The function to act on is the first argument to the program.
-<p>
-Error handling is currently done by generating a bounce message and passing
-descriptive error text to the mailer. This can generate a somewhat hard to
-read error message, but it does have all the relevant information.
-<h1>Ping</h1>
-The ping command simply returns the users public record. It is useful for
-testing the gateway and for the requester to get a basic dump of their
-record. In future this address might 'freshen' the record to indicate the
-user is alive. Any PGP signed message will produce a reply.
-<h1>New Password</h1>
-If a user looses their password they can request that a new one be generated
-for them. This is done by sending the phrase "Please change my Debian
-password" to chpasswd@db.debian.org. The phrase is required to prevent the
-daemon from triggering on arbitrary signed email. The best way to invoke this
-feature is with
-<pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
-After validating the request the daemon will generate a new random password,
-set it in the directory and respond with an encrypted message containing the
-new password. The password can be changed using one of the other interface
-methods.
-<h1>Changes</h1>
-An address (changes@db.debian.org) is provided for making almost arbitrary
-changes to the contents of the record. The daemon parses its input line by
-line and acts on each line in a command oriented manner. Anything, except for
-passwords, can be changed using this mechanism. Note however that because
-this is a mail gateway it does stringent checking on its input. The other
-tools allow fields to be set to virtually anything, the gateway requires
-specific field formats to be met.
-<ul>
-<li>A line of the form <tt>'field: value'</tt> will change the contents of
-the field to value. Some simple checks are performed on value to make sure
-that it is not set to nonsense. You can't set an empty string as
-value, use <tt>del</tt> instead (see below). The values that can
-be changed are:
-<b>c</b>, <b>l</b>, <b>facsimileTelephoneNumber</b>, <b>telephoneNumber</b>,
-<b>postalAddress</b>, <b>postalCode</b>,
-<b>loginShell</b>, <b>emailForward</b>,
-<b>jabberJID</b>, <b>ircNick</b>, <b>icqUin</b>,
-<b>onVacation</b>,
-<b>labledURI</b>,
-<b>birthDate</b> (YYYYMMDD),
-<b>mailDisableMessage</b>,
-<b>mailGreylisting</b> (TRUE|FALSE),
-<b>mailCallout</b> (TRUE|FALSE),
-<b>mailContentInspectionAction</b> (markup|blackhole|reject)
-<b>mailDefaultOptions</b> (TRUE|FALSE),
-<b>bATVToken</b>,
-<b>VoIP</b>,
-and <b>gender</b> (1|2|9|male|female|unspecified).
-<li>A line of the form <tt>'del field'</tt> will completly remove all
-occurrences of a field. Useful e.g. to unset your vacation status.
-The fields that can be deleted are:
-<b>c</b>, <b>l</b>, <b>facsimileTelephoneNumber</b>, <b>telephoneNumber</b>,
-<b>postalAddress</b>, <b>postalCode</b>, <b>emailForward</b>,
-<b>onVacation</b>, <b>labeledURI</b>, <b>latitude</b>, <b>longitude</b>, <b>dnsZoneEntry</b>,
-<b>ircNick</b>, <b>jabberJID</b>, <b>icquin</b>,
-<b>sshRSAAuthKey</b>,
-<b>mailGreylisting</b>,
-<b>mailCallout</b>,
-<b>mailRBL</b>,
-<b>mailRHSBL</b>,
-<b>mailDisableMessage</b>,
-<b>mailWhitelist</b>,
-<b>mailContentInspectionAction</b>,
-<b>mailDefaultOptions</b>,
-<b>bATVToken</b>,
-<b>birthDate</b>,
-<b>jpegPhoto</b>, <b>VoIP</b>
-<li>The daemon has a special parser to help changing latitude and longitude
-values. It accepts several common formats for position information and
-converts them to one of the standard forms. The permitted types are
-<pre>D = Degrees, M = Minutes, S = Seconds, x = n,s,e,w
-+-DDD.DDDDD, +- DDDMM.MMMM, +-DDDMMSS.SSSS [standard forms]
-DDxMM.MMMM, DD:MM.MMMM x, DD:MM:SS.SSS X)</pre>
-and the request format is <tt>'Lat: xxx Long: xxx'</tt> where <tt>xxx</tt>
-is one of the permitted types. The resulting response will include how the
-input was parsed and the value in decimal degrees.
-<li>
-Part of the replicated dataset is a virtual .ssh/authorized_keys file for
-each user. The change address is the simplest way to set the RSA key(s) you
-intend to use. Simply place a key on a line by itself, the full SSH key
-format specification is supported, see sshd(8). Probably the most common way
-to use this function will be
-<pre>cat .ssh/id_rsa.pub | gpg --clearsign | mail changes@db.debian.org</pre>
-which will set the authentication key to the identity you are using.
-Multiple keys per user are supported, but they must all be sent at once.
-<li>RBL, RHSBL, and whitelists can only be updated via the mail gateway. Like
-DNS and ssh keys, any list specified must be specified in its enterity. The format is:
-<b>listtype</b> <b>dns.domain.of.rbl/IP to whitelist</b> where listtype is one of mailRBL,
-mailRHSBL, and mailWhitelist
-<li>Debian.net DNS Zone Entry. The only way to get a debian.net address is
-to use the mail gateway. It
-will verify the request and prevent name collisions automatically. Requests
-can take three forms: <tt>'foo in a 1.2.3.4'</tt>, <tt>'foo in cname
-foo.bar.'</tt>, or <tt>'foo in mx 10 foo.bar.'</tt> (note the trailing dot).
-Note that you
-cannot combine CNAME with any other record types. The precise form
-is critical and must not be deviated from.
-Like the SSH function above, multiple hosts are supported, but they must all
-be sent at once. The debian.net zone is reloaded hourly.
-<li>If the single word <b>show</b> appears on a line then a PGP encrypted version
-of the entire record will be attached to the resulting email.
-</ul>
-After processing the requests the daemon will generate a report which contains
-each input command and the action taken. If there are any parsing errors
-processing stops immediately, but valid changes up to that point are
-processed.
-<h2>Notes</h2>
-<p>
-In this document PGP refers to any message or key that GnuPG is
-able to generate or parse, specifically it includes both PGP2.x and OpenPGP
-(aka GnuPG) keys.
-<p>
-Due to the replay cache the clock on the computer that generates the
-signatures has to be accurate to at least one day. If it is off by several
-months or more then the daemon will outright reject all messages.
-<p>
-Examples are given using GnuPG, but PGP 2.x can also be used. The correct
-options to generate a clear signed ascii armored message in 'filter' mode
-are <tt>pgp -fast</tt> which does the same as <tt>gpg --clearsign</tt>
-<p>
-Debian.org machines rely on secured replication to transfer login data out
-of the database. Replication is performed at 15 min intervals so it can take
-a short while before any changes made take effect.
-<p>
-If the mail you're sending to the mail robot is too long for your MTA
-and gets split please use a different mail origin or pass the mail to
-the MTA on a debian.org machine, e.g. gluck:
-<pre>cat .ssh/id_rsa.pub | gpg --clearsign | ssh gluck mail changes@db.debian.org</pre>
-<hr noshade width="100%" size="1">
-Back to the <a href="http://www.debian.org/">Debian Project homepage</a>.
-<hr noshade width="100%" size="1">
-<small>
-You can contact us at
-<a href="mailto:admin@db.debian.org">admin@db.debian.org</a>.
-</small>
-<p>
-<p><small>
-Last Modified: Tue, Jun 2 12:31:58 UTC 2009
- <br>
- Copyright © 1997-2009
- <a href="http://www.spi-inc.org/">SPI</a>; See <a href="http://www.debian.org/license" rel="copyright">license terms</a><br>
- Debian is a registered trademark of Software in the Public Interest, Inc.
-</small></p>
-</body>
-</html>
projects / mirror / userdir-ldap-cgi.git / blobdiff