Peter Palfrader [Fri, 25 Mar 2011 17:59:47 +0000 (18:59 +0100)]
Use GlobalDir instead of GenerateDir in one place
Peter Palfrader [Mon, 28 Feb 2011 21:45:48 +0000 (22:45 +0100)]
Do not mess with sudo passwords if nothing changed
Peter Palfrader [Wed, 2 Feb 2011 20:56:25 +0000 (21:56 +0100)]
Merge branch 'master' of ssh://db.debian.org/git/userdir-ldap
* 'master' of ssh://db.debian.org/git/userdir-ldap:
Minor changes from Holger (<201102021122.16183.holger@layer-acht.org>) Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Wed, 2 Feb 2011 20:56:19 +0000 (21:56 +0100)]
say a word about subjects in mail to admin@db
Martin Zobel-Helas [Wed, 2 Feb 2011 11:02:39 +0000 (12:02 +0100)]
Minor changes from Holger (<201102021122.16183.holger@layer-acht.org>)
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Wed, 5 Jan 2011 08:53:29 +0000 (09:53 +0100)]
ud-mailgate: Make updating of gender actually work
Martin Zobel-Helas [Thu, 23 Dec 2010 16:59:42 +0000 (17:59 +0100)]
* Uploading/Non-Uploading DDs
* remove superfluous "and"
* SSH fingerprints of the machines
* Debian CA
* mention debian-infrastructure-announce
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Wed, 22 Dec 2010 22:14:11 +0000 (23:14 +0100)]
This is some fine documentation
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Wed, 20 Oct 2010 11:41:23 +0000 (11:41 +0000)]
ud-gpgimport: handle guest keyrings
ud-gpgimport so far used a single list of keyrings, and it expected all
keys from that keyring to be in ldap, and to have all users in ldap a
key in those keyrings.
Now ud-gpgimport has a notion of the guest-keyring. It still expects
all keys from the "main" keyring to be in ldap, but not all keys from
the guest (DM and guest) keyrings need to have accounts. An account
with a key associated to it is OK as long as it has a key in any of
the keyrings.
Peter Palfrader [Sun, 19 Sep 2010 00:00:02 +0000 (02:00 +0200)]
Update guest welcome template
Peter Palfrader [Sat, 18 Sep 2010 23:44:42 +0000 (01:44 +0200)]
Remove .pgp (v3 pgp key) keyrings from config
Peter Palfrader [Sat, 18 Sep 2010 23:42:15 +0000 (01:42 +0200)]
ud-useradd: A new -g switch for adding guest accounts
ud-useradd: A new -g switch for adding guest accounts, with proper
setting hostacls and shadowexpire and picking the right keyring.
Peter Palfrader [Sat, 18 Sep 2010 23:41:10 +0000 (01:41 +0200)]
Update changelog
Peter Palfrader [Sat, 18 Sep 2010 23:09:56 +0000 (01:09 +0200)]
Add a -h for ud-useradd
Peter Palfrader [Sat, 18 Sep 2010 23:01:54 +0000 (01:01 +0200)]
Teach ud-generate about host ACLs that expire
Peter Palfrader [Wed, 15 Sep 2010 15:47:33 +0000 (17:47 +0200)]
Allow - in usernames
Peter Palfrader [Wed, 15 Sep 2010 10:52:06 +0000 (12:52 +0200)]
import fixing
Peter Palfrader [Wed, 15 Sep 2010 10:49:26 +0000 (12:49 +0200)]
Add ud-sync-accounts-to-afs, a script to sync accounts to an AFS protection database
Peter Palfrader [Tue, 14 Sep 2010 21:10:15 +0000 (23:10 +0200)]
Fix ud-generate to create all-accounts.json in the right place
Peter Palfrader [Mon, 13 Sep 2010 17:14:33 +0000 (19:14 +0200)]
dev tree changelog
Peter Palfrader [Mon, 13 Sep 2010 17:08:19 +0000 (19:08 +0200)]
ud-generate: Add an extra output file called all-users.json
That file can be used on one of the AFS hosts to create afs users.
Peter Palfrader [Fri, 10 Sep 2010 12:53:44 +0000 (14:53 +0200)]
Add ud-krb-reset, and make ud-mailgate call it when receiving a mail at chpasswd@ saying 'Please change my Kerberos password'.
Peter Palfrader [Fri, 10 Sep 2010 12:20:20 +0000 (14:20 +0200)]
ud-mailgate: minor refactoring
Peter Palfrader [Wed, 11 Aug 2010 09:12:36 +0000 (11:12 +0200)]
Fix ACL rule for keyring maintainers
Peter Palfrader [Mon, 2 Aug 2010 23:48:02 +0000 (23:48 +0000)]
A class shouldn't write to stderr on error, it should throw an exception
Peter Palfrader [Mon, 2 Aug 2010 23:36:03 +0000 (23:36 +0000)]
update debian/changelog
Peter Palfrader [Mon, 2 Aug 2010 23:33:12 +0000 (23:33 +0000)]
Merge branch 'refactor-udgen'
* refactor-udgen: (24 commits)
Get rid of global variable PasswdAttrs
GenBSMTP
GenDNS
GenPasswd
GenShadow
Do not forget that passwords start with {crypt}
GenShadowSudo
GenSSHShadow
fix not-array-value-but-multiple-values check
GenGroup partially
GenForward
GenCDB
And GenMailList
whitespace fixes
And GenMailBool
Let disable-main-msg generation use Account class
Let disabled-users generation use Account class
Let private generation use Account class
Catch the case where attributes that are not declared as an array value have more than one value. This indicates a bug in the data, code, or ldap schema
Some improvement over the last path
...
Peter Palfrader [Mon, 2 Aug 2010 23:30:03 +0000 (23:30 +0000)]
Get rid of global variable PasswdAttrs
Peter Palfrader [Mon, 2 Aug 2010 23:11:30 +0000 (23:11 +0000)]
GenBSMTP
Peter Palfrader [Mon, 2 Aug 2010 22:15:35 +0000 (22:15 +0000)]
GenDNS
Peter Palfrader [Mon, 2 Aug 2010 22:05:41 +0000 (22:05 +0000)]
GenPasswd
Peter Palfrader [Mon, 2 Aug 2010 21:55:14 +0000 (21:55 +0000)]
GenShadow
Peter Palfrader [Mon, 2 Aug 2010 21:37:50 +0000 (21:37 +0000)]
Do not forget that passwords start with {crypt}
Peter Palfrader [Mon, 2 Aug 2010 21:35:07 +0000 (21:35 +0000)]
GenShadowSudo
Peter Palfrader [Mon, 2 Aug 2010 21:31:04 +0000 (21:31 +0000)]
GenSSHShadow
Peter Palfrader [Mon, 2 Aug 2010 21:28:31 +0000 (21:28 +0000)]
fix not-array-value-but-multiple-values check
Peter Palfrader [Mon, 2 Aug 2010 21:19:41 +0000 (21:19 +0000)]
GenGroup partially
Peter Palfrader [Mon, 2 Aug 2010 21:14:08 +0000 (21:14 +0000)]
GenForward
Peter Palfrader [Mon, 2 Aug 2010 21:11:37 +0000 (21:11 +0000)]
GenCDB
Peter Palfrader [Mon, 2 Aug 2010 21:06:55 +0000 (21:06 +0000)]
And GenMailList
Peter Palfrader [Mon, 2 Aug 2010 20:52:29 +0000 (20:52 +0000)]
whitespace fixes
Peter Palfrader [Mon, 2 Aug 2010 20:51:50 +0000 (20:51 +0000)]
And GenMailBool
Peter Palfrader [Mon, 2 Aug 2010 20:37:31 +0000 (20:37 +0000)]
Let disable-main-msg generation use Account class
Peter Palfrader [Mon, 2 Aug 2010 20:35:49 +0000 (20:35 +0000)]
Let disabled-users generation use Account class
Martin Zobel-Helas [Mon, 2 Aug 2010 20:35:38 +0000 (22:35 +0200)]
have a proper distribution
Martin Zobel-Helas [Mon, 2 Aug 2010 20:33:53 +0000 (22:33 +0200)]
release 0.3.77
Peter Palfrader [Mon, 2 Aug 2010 20:23:53 +0000 (20:23 +0000)]
Let private generation use Account class
Peter Palfrader [Mon, 2 Aug 2010 20:14:40 +0000 (20:14 +0000)]
Catch the case where attributes that are not declared as an array value have more than one value. This indicates a bug in the data, code, or ldap schema
Peter Palfrader [Mon, 2 Aug 2010 20:12:10 +0000 (20:12 +0000)]
Some improvement over the last path
Peter Palfrader [Mon, 2 Aug 2010 20:06:12 +0000 (20:06 +0000)]
Let markers generation use Account class
Peter Palfrader [Mon, 2 Aug 2010 19:58:10 +0000 (19:58 +0000)]
give Account class a __getitem__ method and use it
Peter Palfrader [Mon, 2 Aug 2010 19:34:41 +0000 (19:34 +0000)]
Let Account have a constructor that is more useful in generate
Peter Palfrader [Mon, 2 Aug 2010 19:17:07 +0000 (19:17 +0000)]
optionally read some configuration items from the environment so we can test ud-generate without running it as sshdist
Peter Palfrader [Fri, 30 Jul 2010 17:47:04 +0000 (19:47 +0200)]
ud-generate: refuse to run as root
Peter Palfrader [Tue, 1 Jun 2010 15:22:57 +0000 (17:22 +0200)]
debian/changelog update
Faidon Liambotis [Mon, 31 May 2010 14:38:21 +0000 (17:38 +0300)]
Give keyring-maint write access to keyFingerPrint
However, make an exception for supplementaryGid=adm users for security
reasons (wouldn't want keyring-maint to be able to take over a root
account).
The ACL gives writes to a non-existing group; this should be created,
e.g.
cn=Keyring Maintainers,ou=users,dc=debian,dc=org
objectClass: top
objectClass: groupOfNames
cn: Keyring Maintainers
member: uid=noodles,ou=users,dc=debian,dc=org
member: uid=gwolf,ou=users,dc=debian,dc=org
Signed-off-by: Peter Palfrader <peter@palfrader.org>
Peter Palfrader [Tue, 1 Jun 2010 15:14:32 +0000 (17:14 +0200)]
labeledURI, ircNick, icqUIN, jabberJID are all exposed via finger anyway. No need to restrict them to d.o hosts
Peter Palfrader [Tue, 1 Jun 2010 15:11:50 +0000 (17:11 +0200)]
Remove redundant attributes: loginShell and onVacation were already matched by the read-from-d.o ACL
Peter Palfrader [Tue, 1 Jun 2010 15:10:05 +0000 (17:10 +0200)]
comment update
Peter Palfrader [Tue, 1 Jun 2010 15:05:49 +0000 (17:05 +0200)]
sshrsaauthkey is only readable by self. everyone else does not even get to compare it
Peter Palfrader [Tue, 1 Jun 2010 15:03:15 +0000 (17:03 +0200)]
comment update
Peter Palfrader [Tue, 1 Jun 2010 15:02:45 +0000 (17:02 +0200)]
Merge remaining d.o readable attributes into one ACL
Peter Palfrader [Tue, 1 Jun 2010 15:00:24 +0000 (17:00 +0200)]
Break out self-writable attributes to their own ACL
Peter Palfrader [Tue, 1 Jun 2010 14:59:08 +0000 (16:59 +0200)]
comment update
Faidon Liambotis [Thu, 27 May 2010 22:20:22 +0000 (01:20 +0300)]
Minor simplification of slapd.conf's ACLs
Avoid repetition of the rule that allows cn=LDAP Administrator and uid=sshdist
to write to every attribute by taking advantage of the "break" control
field.
Signed-off-by: Peter Palfrader <peter@palfrader.org>
Peter Palfrader [Sun, 9 May 2010 16:04:04 +0000 (18:04 +0200)]
Fix a typo in welcome-message-800 noticed by Tommi Vainikainen
Stephen Gran [Sun, 28 Mar 2010 09:38:27 +0000 (09:38 +0000)]
prototype code for sshfp generation for services
Signed-off-by: Stephen Gran <steve@lobefin.net>
Peter Palfrader [Mon, 15 Mar 2010 20:13:26 +0000 (21:13 +0100)]
Maybe fix ud-mailgate
Stephen Gran [Sun, 14 Mar 2010 14:01:12 +0000 (14:01 +0000)]
some changelog entries for today's work
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 14 Mar 2010 13:56:04 +0000 (13:56 +0000)]
gratuitous code style change
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 14 Mar 2010 13:54:46 +0000 (13:54 +0000)]
add txt record support
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 14 Mar 2010 13:33:15 +0000 (13:33 +0000)]
write one identifying txt entry per host, if it has an a or aaaa record
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 14 Mar 2010 13:17:19 +0000 (13:17 +0000)]
drop some dead code
Signed-off-by: Stephen Gran <steve@lobefin.net>
Peter Palfrader [Thu, 11 Mar 2010 21:23:35 +0000 (22:23 +0100)]
Probably should only delete keyFingerPrint if it exists
Peter Palfrader [Thu, 11 Mar 2010 21:19:23 +0000 (22:19 +0100)]
Add ud-lock
ud-lock, non-interactively, sets a great many accounts to
'retiring', locking their password, removing keys, setting shadow
information to expired and setting accountstatus appropriately.
Peter Palfrader [Sun, 31 Jan 2010 12:57:10 +0000 (13:57 +0100)]
ud-gpgimport: Get rid of "0x" when printing keyids/fingerprints.
Peter Palfrader [Sun, 31 Jan 2010 12:56:17 +0000 (13:56 +0100)]
A set of copyright headers
Peter Palfrader [Sun, 31 Jan 2010 09:13:57 +0000 (10:13 +0100)]
ud-mailgate: fix gpg result usage
We use the result of the pgp check for quite a long time in the main
program. Give it its own variable instead of using Res which was
overwritten a bit later. Also make a new gpgcheck2 class that allows us
to access the values of the gpg signature check in a saner way.
Peter Palfrader [Sun, 31 Jan 2010 09:12:20 +0000 (10:12 +0100)]
ud-mailgate: Remove a global declaration after a variable has already been assigned globally.
Peter Palfrader [Sun, 31 Jan 2010 09:11:43 +0000 (10:11 +0100)]
Fix changelog
Stephen Gran [Sat, 30 Jan 2010 13:35:49 +0000 (13:35 +0000)]
finalize changelog for release
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sat, 30 Jan 2010 13:32:02 +0000 (13:32 +0000)]
add trailing newline to ssh files
Signed-off-by: Stephen Gran <steve@lobefin.net>
Helmut Grohne [Sat, 23 Jan 2010 16:20:12 +0000 (17:20 +0100)]
do not accept invalid allowed_hosts for ssh keys
Check them against a list ValidHostNames that is generated during
startup.
Helmut Grohne [Fri, 22 Jan 2010 23:26:07 +0000 (00:26 +0100)]
added a bug report comment
Helmut Grohne [Sat, 23 Jan 2010 13:15:52 +0000 (14:15 +0100)]
made ud-generate support new ssh key syntax
Helmut Grohne [Fri, 22 Jan 2010 22:51:24 +0000 (23:51 +0100)]
write machine specifications for ssh keys to ldap
Helmut Grohne [Fri, 22 Jan 2010 22:35:48 +0000 (23:35 +0100)]
parse machine specifications for ssh keys
Ssh keys can now be prepended with a string
"allowed_hosts=machine1,machine2 ". Machine names are restricted to
sane characters. This patch only adds the parsing and throws away the
result.
Peter Palfrader [Fri, 22 Jan 2010 19:16:10 +0000 (20:16 +0100)]
Include a host in DNS even if we do not have both ssh keys and an arch for that host configured
Peter Palfrader [Sat, 9 Jan 2010 15:51:11 +0000 (16:51 +0100)]
ud-generate: move the regex that determines whether or not to include a host in the dns-sshfp zone snippet (for SSHFP and A, AAAA and MX records) to the config file.
Peter Palfrader [Sat, 9 Jan 2010 11:01:38 +0000 (12:01 +0100)]
ud-useradd: Properly encode realname in subjects and to header lines regardless of which template is being used
Peter Palfrader [Sat, 9 Jan 2010 01:10:34 +0000 (02:10 +0100)]
Fix welcome-message to be like welcome-message-800 and 60000 wrt email headers
Peter Palfrader [Fri, 8 Jan 2010 23:27:37 +0000 (00:27 +0100)]
ud-useradd: Only ask for private subscription if this installation has a debian-private like mailinglist whose membership is configured by ud-ldap. (defaults to true.)
Peter Palfrader [Fri, 8 Jan 2010 23:20:16 +0000 (00:20 +0100)]
ud-useradd: Fix usergroup support: Move ldap call to actually add the user to the right place, properly compare strings and numbers.
Peter Palfrader [Fri, 8 Jan 2010 23:16:37 +0000 (00:16 +0100)]
ud-useradd: If we do not have a template for a specific group, use the general purpose template file (welcome-message).
Peter Palfrader [Fri, 8 Jan 2010 23:15:51 +0000 (00:15 +0100)]
Fix changelog: mention which tool we modified
Peter Palfrader [Fri, 8 Jan 2010 22:25:49 +0000 (23:25 +0100)]
Export groups even if nobody has that group as a supplementary group, as long as there are users that have it as a primary group
Stephen Gran [Tue, 8 Dec 2009 11:31:27 +0000 (11:31 +0000)]
make a stab at really not exporting empty groups
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Mon, 16 Nov 2009 00:20:14 +0000 (00:20 +0000)]
new release changelog started
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 15 Nov 2009 23:27:38 +0000 (23:27 +0000)]
default anti-spam options
Signed-off-by: Stephen Gran <steve@lobefin.net>
Stephen Gran [Sun, 15 Nov 2009 20:32:27 +0000 (20:32 +0000)]
spot the obvious typo
Signed-off-by: Stephen Gran <steve@lobefin.net>