DMs (i.e. people who have their key in the debian-maintainers keyring) or
people already in the NM process may route their request through the
-<a href="mailto:new-maintainer@debian.org">NM-frontdesk</a>.
+<a href="mailto:nm@debian.org">NM-frontdesk</a>.
The following information should be provided to frontdesk:
--- /dev/null
+== add an account to ud-ldap ==
+
+=== Introduction ===
+
+A Debian Account Manager (DAM) will submit an RT ticket to ask that an account
+be created for a new member of the Debian Project.
+
+Initially, the RT ticket will be assigned to a Debian Keyring Maintainer (DKM)
+so that Debian's Keyring may be updated with the user's GPG key.
+
+Subsequently, the RT ticket will be assigned to a Debian System Administrator
+(DSA) so that Debian's LDAP may be updated.
+
+This HOWTO documents DSA's actions relating to account creation.
+
+The RT ticket will contain the following details in a GPG-signed message:
+* the user's account type ("uploading DD")
+* the user's GPG key fingerprint
+* the user's full name (first name, middle name, last name)
+* the user's forwarding address
+* the user's preferred account name
+
+=== Procedure for New Accounts ===
+
+Step 1: Download the GPG-signed message from RT and verify the signature.
+Ensure that the message has been signed by a DAM (for a list of DAMs, see
+http://wiki.debian.org/DAManager or http://www.debian.org/intro/organization).
+
+Step 2: Create an entry in LDAP by executing ud-useradd on draghi.
+
+{{{
+ you@home~$ ssh you@db-master.debian.org
+ you@draghi~$ ud-useradd
+}}}
+
+You will be prompted to enter the fingerprint; the preferred account name; the
+first, middle and last names; and the forwarding address. Some of these values
+will be extracted from the GPG key, if available.
+
+Use the @debian.org for the debian-private subscription.
+
+Accept the randomly generated password.
+
+Step 3: Confirm account creation.
+
+Step 4: Resolve the RT ticket. Enter the 'final information collected' emitted
+by ud-adduser as the message of the resolution action. Carbon copy the
+forwarding address and da-manager@debian.org.
+
+=== Procedure for Upgrading Guest Accounts ===
+
+Step 1: same as above
+
+Step 2: Remove the GPG key from guest-keyring.
+
+{{{
+ you@home~$ sudo apt-get install jetring
+ you@home~$ git clone ssh://db.debian.org/git/guest-keyring.git
+ you@home~$ cd guest-keyring
+ you@home~$ ./del-key <fingerprint>
+ you@home~$ git status
+ you@home~$ git add debian-guest/delete-<fingerprint substring>
+ you@home~$ git commit -a
+}}}
+
+Step 3: Modify the LDAP entry.
+
+{{{
+ you@draghi~$ export EDITOR=vim
+ you@draghi~$ ldapvi -ZZ -D uid=<you>,ou=users,ou=debian,ou=org
+ find account
+ set gidNumber: 800
+ add privateSub: <account>@debian.org
+ del allowedHost
+ del shadowExpire
+}}}
+
+Step 4: Email welcome-message-800 to the user, substituting parameters.
+
+Step 5: Resolve the RT ticket. Carbon copy the forwarding address and
+da-manager@debian.org.
+
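
Review bot: Step 4 of "Procedure for New Accounts" names the tool ud-adduser, while Step 2 and its listing run ud-useradd; use one name so it is clear which program emits the 'final information collected' text. Step 1 asks for the signer to be checked against DAM lists linked over plain http://; naming the keyring or key fingerprints to verify against would make that check independent of a wiki page. In "Procedure for Upgrading Guest Accounts", the Step 2 listing ends at "git commit -a" with no push, so add the push or state where the key deletion gets published. "Use the @debian.org for the debian-private subscription" is missing a noun after "@debian.org".
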
* install da-backup on the client
* create a crontab that runs da-backup daily at some convenient time
* configure the directories in {{{/etc/da-backup}}}
-* install the public host key of the server with a proper command in
- puppet {{{modules/ssh/templates/authorized_keys.erb}}} for beethoven. Do a puppetrun on beethoven.
- (This might get done automatically eventually.)
* configure how many copies of the directory should be kept in
- {{{/etc/da-backup-manager/}}}
+ beethoven's {{{/etc/da-backup-manager/}}}
* run {{{da-backup -v}}} on the client to see if it all works.
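
Review bot: the bullet about installing the public host key in puppet modules/ssh/templates/authorized_keys.erb for beethoven is removed with no replacement text, so the list no longer says how that key reaches beethoven before "da-backup -v" is run. The old text said this "might get done automatically eventually"; if that is now the case, state it in one line so a failing first run can be traced to a missing key, otherwise keep the step.
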
# least "en_US.UTF-8 UTF-8" and "en_US ISO-8859-1".)
#
#*) setup nsswitch.conf to properly use the ldap stuff
- apt-get install libnss-db &&
- sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
- s/^group:\[[:space:]]\+compat$/group: db compat/;
- s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
- /etc/nsswitch.conf
+ # [dchroot]: apt-get install libnss-db &&
+ # sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/;
+ # s/^group:\[[:space:]]\+compat$/group: db compat/;
+ # s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \
+ # /etc/nsswitch.conf
#
#
# *)
apt-get update && apt-get upgrade
#
# *)
- mount /proc && debfoster && umount /proc
+ mount -t proc none /proc && debfoster ; umount /proc
#
# *)
# exit the chroot
exit
}}}
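
Review bot: in "mount -t proc none /proc && debfoster ; umount /proc" the ";" makes umount run even when the mount itself failed, and the exit status of debfoster is discarded. Grouping the last two commands, e.g. "mount -t proc none /proc && { debfoster ; umount /proc ; }", keeps the cleanup while only unmounting what was mounted. The nsswitch step is now commented out with a "[dchroot]:" prefix, but nothing says what an schroot setup should do for passwd/group/shadow lookups; a short comment would help.
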
-* edit /etc/fstab on the system root and add entries to mount /proc and /home
+* [dchroot only] edit /etc/fstab on the system root and add entries to mount /proc and /home
in the chroot, there will be existing ones for the other chroots, just copy and
adjust. Then mount them (from the system root).
{{{
: tmp /srv/albeniz.debian.org/chroot/sid/tmp none bind,defaults
}}}
-* edit /etc/dchroot.conf in the system root, add an entry for $DIST, and
-update the stable and testing pointers
+* [schroot] set up /etc/schroot/chroot.d/ correctly.
+ [dchroot]: edit /etc/dchroot.conf in the system root, add an entry for $DIST, and update the stable and testing pointers
-* run ud-replicate so the new chroot is setup (this would happen via cron eventually, this is just to speed things up)
+* [dchroot]: run ud-replicate so the new chroot is setup (this would happen via cron eventually, this is just to speed things up)
{{{
ud-replicate
}}}
-* as a normal user, test that the new chroot works: "dchroot $DIST", test that the stable and testing pointers work.
-
--- taggart 2007, slightly modified by weasel 2007, 2008, ported to wiki 2010.
+* as a normal user, test that the new chroot works: "dchroot $DIST" or "schroot $DIST", test that the stable and testing pointers work.
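
Review bot: the new bullet "[schroot] set up /etc/schroot/chroot.d/ correctly." does not say what a correct entry looks like, while the dchroot variant on the next line spells out the file, the $DIST entry and the stable/testing pointers. Add a sample chroot.d entry or a pointer to an existing one to copy, and say whether the /proc and /home mounts from the "[dchroot only]" fstab step are handled elsewhere for schroot. The attribution line "-- taggart 2007, slightly modified by weasel 2007, 2008, ported to wiki 2010." is also removed; if that is intentional, mention it in the commit message.
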
* [[howto/install-kvm]]: How to setup a new kvm domain without going through d-i etc.
* [[howto/postgres]]: Random postgres stuff
* [[howto/add-guest]]: How to add guests to ud-ldap
+* [[howto/add-account]]: How to add accounts to ud-ldap / upgrade guest accounts
* [[howto/swarm-kernel]]: How to build kernels for our swarm boxes
* [[howto/drac-reset]]: How to beat the radacm rootk^Wbinary only software.
* [[howto/dchroot]]: porter chroots setup
-* [upgrade guest-accounts](https://rt.debian.org//Ticket/Display.html?id=2054): How to promote a guest account to a real DD account
## ports