uploaded package finds it's way there (except for Packages covered by US
crypto laws which go to non-us.debian.org) eventually. master.debian.org is
the home of our bug tracking system. Project web pages and CVS archives are
-hosted on va.debian.org (aka cvs/www.debian.org).
+hosted on klecker.debian.org (aka cvs/www.debian.org), klecker is also our
+general shell server. Web pages should be placed in public_html on klecker
+and refered to by http://people.debian.org/~__LOGIN__
You should use ssh to log into the machines instead of regular telnet
or rlogin. Our LDAP directory is able to share ssh RSA keys among machines,
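Review bot: The added text misspells "referred" as "refered" on the public_html line, and the first added sentence joins two clauses with a comma ("..., klecker is also our general shell server"). Since this text goes out to users, split it into two sentences and fix the spelling. The context line "finds it's way" above could be corrected to "its" in the same pass.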
rsync -e ssh -rp sshdist@samosa:/var/cache/userdir-ldap/hosts/$HOST . > /dev/null 2>&1
makedb $HOST/passwd.tdb -o passwd.db.t > /dev/null 2>&1
(umask 027 && makedb $HOST/shadow.tdb -o shadow.db.t) > /dev/null 2>&1
-chown root.shadow shadow.db; chmod 0640 shadow.db.t
+chown root.shadow shadow.db.t; chmod 0640 shadow.db.t
makedb $HOST/group.tdb -o group.db.t > /dev/null 2>&1
mv -f passwd.db.t passwd.db
mv -f shadow.db.t shadow.db
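Review bot: The corrected line still joins chown and chmod with ';', so chmod runs even if chown fails, and the following 'mv -f shadow.db.t shadow.db' installs the file regardless; with all output sent to /dev/null a failure goes unnoticed. Chain the steps with '&&' and only move the temporary file into place when they succeed. 'root:shadow' is the portable owner:group separator, where this line uses 'root.shadow'.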
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
-<meta name="Modified" content="27-12-1999 23:03:51">
+<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
+<meta name="Modified" content="24-10-2000 23:43:55">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
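Review bot: The Generator and Modified meta lines change here only because the page was regenerated, and the same two-line churn recurs in every generated HTML hunk of this patch alongside the matching .wml source change. Consider committing only the .wml sources, or stripping the timestamp lines from the generated output, so the diff carries content changes only.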
<H1>Direct LDAP Access</H1>
<p>
The LDAP utilities package provides a program called ldapsearch that can be
-used to exectute direct queries to the database. Generally this is done by
+used to execute direct queries to the database. Generally this is done by
putting
<pre>
HOST db.debian.org
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Tue, Dec 28 06:03:51 UTC 1999<BR>
+<SMALL>Last Modified: Wed, Oct 25 05:43:55 UTC 2000<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
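Review bot: The footer now reads Last Modified 2000 while the Copyright line below it still says 1997-1999. If the footer template is being regenerated anyway, update the range in the template so every page picks it up.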
#use wml::debian::template title="Direct LDAP Access"
<p>
The LDAP utilities package provides a program called ldapsearch that can be
-used to exectute direct queries to the database. Generally this is done by
+used to execute direct queries to the database. Generally this is done by
putting
<pre>
HOST db.debian.org
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
-<meta name="Modified" content="02-05-2000 21:59:30">
+<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
+<meta name="Modified" content="24-10-2000 23:38:37">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
</TABLE>
<H1>General LDAP Documentation</H1>
<p>
-debian.org uses a single LDAP driven directory for account managment across
+debian.org uses a single LDAP driven directory for account management across
all the project run <a href="/machines.cgi">machines</a>. This directory
also provides services for leaving vacation notices, updating
<a href="http://www.debian.org/devel/developers.loc">xplanet</a> coordinates,
<h1>Security and Privacy</h1>
Three levels of information security are provided by the database. The first
is completely public information that anyone can see either by issuing an
-LDAP query or by visiting the web site. The next level is "maintainer-only"
+LDAP query or by visiting the web site. The next level is "developer-only"
information that requires authentication to the directory before it can be
accessed. The final level is admin-only or user-only information; this
information can only be viewed by the user or an administrator.
<p>
-Maintainer-only information includes precise location information
+developer-only information includes precise location information
[postalcode, postal address, lat/long] telephone numbers, and the vacation
message.
<p>
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Wed, May 3 03:59:30 UTC 2000<BR>
+<SMALL>Last Modified: Wed, Oct 25 05:38:37 UTC 2000<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
#use wml::debian::template title="General LDAP Documentation"
<p>
-debian.org uses a single LDAP driven directory for account managment across
+debian.org uses a single LDAP driven directory for account management across
all the project run <a href="/machines.cgi">machines</a>. This directory
-also provides services for leaving vacation notices, updating
+also provides services for leaving vacation notices, updating
<a href="http://www.debian.org/devel/developers.loc">xplanet</a> coordinates,
email forwarding, ssh authentication keys and other information.
<h1>Security and Privacy</h1>
Three levels of information security are provided by the database. The first
is completely public information that anyone can see either by issuing an
-LDAP query or by visiting the web site. The next level is "maintainer-only"
+LDAP query or by visiting the web site. The next level is "developer-only"
information that requires authentication to the directory before it can be
accessed. The final level is admin-only or user-only information; this
information can only be viewed by the user or an administrator.
<p>
-Maintainer-only information includes precise location information
+developer-only information includes precise location information
[postalcode, postal address, lat/long] telephone numbers, and the vacation
message.
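Review bot: The replacement for "Maintainer-only information includes ..." starts the sentence in lower case ("developer-only information includes ..."); it should be "Developer-only". The -/+ pair on "also provides services for leaving vacation notices, updating" shows no visible difference, so it looks like a whitespace-only change that could be dropped or mentioned in the commit message. The generated HTML hunk carries the same lower-case sentence.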
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
-<meta name="Modified" content="27-12-1999 16:38:30">
+<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
+<meta name="Modified" content="24-10-2000 23:42:44">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
</TABLE>
<H1>LDAP Gateway</H1>
The LDAP directory has a PGP secured mail gateway that
-allows users to safely and conviently effect changes to their entries. It
-makes use of PGP signed input messages to positivly identify the user and
+allows users to safely and conveniently effect changes to their entries. It
+makes use of PGP signed input messages to positively identify the user and
to confirm the validity of the request. Furthermore it implements a replay
cache that prevents the gateway from accepting the same message more than
once.
<p>
-There are three functions logically split into 3 sperate email addresses
+There are three functions logically split into 3 seperate email addresses
that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
<b>changes</b>. The function to act on is the first argument to the program.
<p>
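Review bot: The spelling fix on the "three functions" line replaces "sperate" with "seperate", which is still wrong; it should be "separate". The same line also says "three" and "3" in one sentence, so pick one form. The .wml source hunk has the identical line and needs the same correction.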
descriptive error text to the mailer. This can generate a somewhat hard to
read error message, but it does have all the relevent information.
<h1>Ping</h1>
-The ping command simply returns the users public record. It is usefull for
+The ping command simply returns the users public record. It is useful for
testing the gateway and for the requester to get a basic dump of their
record. In future this address might 'freshen' the record to indicate the
user is alive. Any PGP signed message will produce a reply.
feature is with
<pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
After validating the request the daemon will generate a new random password,
-set it in the directory and respond with an ecrpyted message containing the
+set it in the directory and respond with an encrpyted message containing the
new password. The password can be changed using one of the other interface
methods.
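Review bot: "ecrpyted" is changed to "encrpyted" here, which is still misspelled; the word should be "encrypted". Fix it in the .wml source hunk as well, since the HTML is generated from it.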
<h1>Changes</h1>
-An address is provided for making almost arbitary changes to the contents of
-the record. The daemon parse its input line by line and acts on each line in
-a command oriented manner. Anything, except for passwords, can be changed
-using this mechanism. Note however that because this is a mail gateway it
-does stringent checking on its input. The other tools allow fields to be set
-to virtually anything, the gateway requires specific field formats to be met.
+An address (changes@debian.org) is provided for making almost arbitary
+changes to the contents of the record. The daemon parses its input line by
+line and acts on each line in a command oriented manner. Anything, except for
+passwords, can be changed using this mechanism. Note however that because
+this is a mail gateway it does stringent checking on its input. The other
+tools allow fields to be set to virtually anything, the gateway requires
+specific field formats to be met.
<ul>
<li>A line of the form <tt>'field: value'</tt> will change the contents of
the field to value. Some simple checks are performed on value to make sure
-that it is not sent to nonsense. The values that can be changed are:
+that it is not set to nonsense. The values that can be changed are:
<b>c</b>, <b>l</b>, <b>facsimiletelephonenumber</b>, <b>telephonenumber</b>,
<b>postaladdress</b>, <b>postalcode</b>,
<b>loginshell</b>, <b>emailforward</b>, <b>ircnick</b>, <b>onvacation</b>,
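Review bot: The address added in this paragraph, changes@debian.org, does not match the one the examples elsewhere in this patch mail to (change@db.debian.org, next to chpasswd@db.debian.org). Confirm which address the gateway actually listens on and use it consistently, otherwise signed requests will go to the wrong place. "arbitary" in the same added line should be "arbitrary".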
be sent at once. The debian.net zone is only reloaded once per day at
midnight -0700.
<li>If the single word <b>show</b> appears on a line then a PGP encrypted version
-of the entire record will be attached to the result email.
+of the entire record will be attached to the resulting email.
</ul>
After processing the requests the daemon will generate a report which contains
each input command and the action taken. If there are any parsing errors
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Mon, Dec 27 23:38:30 UTC 1999<BR>
+<SMALL>Last Modified: Wed, Oct 25 05:42:44 UTC 2000<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
#use wml::debian::template title="LDAP Gateway"
The LDAP directory has a PGP secured mail gateway that
-allows users to safely and conviently effect changes to their entries. It
-makes use of PGP signed input messages to positivly identify the user and
+allows users to safely and conveniently effect changes to their entries. It
+makes use of PGP signed input messages to positively identify the user and
to confirm the validity of the request. Furthermore it implements a replay
cache that prevents the gateway from accepting the same message more than
once.
<p>
-There are three functions logically split into 3 sperate email addresses
+There are three functions logically split into 3 seperate email addresses
that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
<b>changes</b>. The function to act on is the first argument to the program.
read error message, but it does have all the relevent information.
<h1>Ping</h1>
-The ping command simply returns the users public record. It is usefull for
+The ping command simply returns the users public record. It is useful for
testing the gateway and for the requester to get a basic dump of their
record. In future this address might 'freshen' the record to indicate the
user is alive. Any PGP signed message will produce a reply.
feature is with
<pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
After validating the request the daemon will generate a new random password,
-set it in the directory and respond with an ecrpyted message containing the
+set it in the directory and respond with an encrpyted message containing the
new password. The password can be changed using one of the other interface
methods.
<h1>Changes</h1>
-An address is provided for making almost arbitary changes to the contents of
-the record. The daemon parse its input line by line and acts on each line in
-a command oriented manner. Anything, except for passwords, can be changed
-using this mechanism. Note however that because this is a mail gateway it
-does stringent checking on its input. The other tools allow fields to be set
-to virtually anything, the gateway requires specific field formats to be met.
+An address (changes@debian.org) is provided for making almost arbitary
+changes to the contents of the record. The daemon parses its input line by
+line and acts on each line in a command oriented manner. Anything, except for
+passwords, can be changed using this mechanism. Note however that because
+this is a mail gateway it does stringent checking on its input. The other
+tools allow fields to be set to virtually anything, the gateway requires
+specific field formats to be met.
<ul>
<li>A line of the form <tt>'field: value'</tt> will change the contents of
the field to value. Some simple checks are performed on value to make sure
-that it is not sent to nonsense. The values that can be changed are:
+that it is not set to nonsense. The values that can be changed are:
<b>c</b>, <b>l</b>, <b>facsimiletelephonenumber</b>, <b>telephonenumber</b>,
<b>postaladdress</b>, <b>postalcode</b>,
<b>loginshell</b>, <b>emailforward</b>, <b>ircnick</b>, <b>onvacation</b>,
midnight -0700.
<li>If the single word <b>show</b> appears on a line then a PGP encrypted version
-of the entire record will be attached to the result email.
+of the entire record will be attached to the resulting email.
</ul>
After processing the requests the daemon will generate a report which contains
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
-<meta name="Modified" content="09-05-2000 22:51:33">
+<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
+<meta name="Modified" content="24-10-2000 23:46:04">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
</TABLE>
<H1>Email Forwarding</H1>
<p>
-Emails to @debian.org now go through a LDAP distributed email system. This
-system uses the forwarding field in the LDAP directory to route mail without
-passing it through a users .forward file on a single computer.
-Multiple machines participate in the forwarding to provide redudency.
+Emails to @debian.org addresses now go through a LDAP distributed email system.
+This system uses the forwarding field in the LDAP directory to route mail
+without passing it through a users .forward file on a single host.
+Multiple machines participate in the forwarding to provide redudancy.
<p>
-Each of the forwarders inspects the LDAP database
+Each forwarders inspects the LDAP database
to see if foo@debian.org has forwarding set to an address, if so the <i>envelope
to address</i> is rewritten and the message redirected to the new address.
Otherwise the message is relayed to master.debian.org for processing by the
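Review bot: Two of the rewritten lines introduce new errors: "redudency" becomes "redudancy" (should be "redundancy"), and "Each of the forwarders inspects" becomes "Each forwarders inspects", which no longer agrees in number. Use "Each forwarder inspects". "a users .forward file" also wants the possessive "user's". The .wml source hunk has the same text.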
forwarded rather than delivered to /var/spool/mail. This makes sure cron
reports, bug responses and other unexpected emails are not misplaced.
<p>
+If you set the forwarding address to be a specific Debian machine and do
+not create a forward file then that machine will spool the mail to
+/var/spool/mail instead of creating a mail loop.
+<p>
The email forwarding can be easially reconfigured using GnuPG:
<pre>
echo "emailforward: foo@bar.com" | gpg --clearsign | mail change@db.debian.org
</pre>
or by visiting <a href="https://db.debian.org/login.html">db.debian.org</a>
+<p>
+You can test the email routing by using the command <tt>/usr/sbin/exim -bt
+foo@debian.org</tt>
<h2>procmail</h2>
If you use procmail for your main mailbox, PLEASE, erase your .forward
file and put a .procmailrc in its place instead. This feature has been
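Review bot: The added paragraph says "do not create a forward file", while the rest of the page calls it the ".forward file"; use the same name so readers know which file is meant. The added exim line has no closing period and does not say on which machine /usr/sbin/exim -bt should be run, which matters because the paragraph above describes routing that differs per host. The context line "easially" should be "easily" while this section is being touched.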
The correct way to invoke procmail for extension addresses is "|/usr/bin/procmail [options]"
Ignore the IFS=".." stuff in the procmail man page.
<h2>MailBox formats</h2>
-Emails can be saved to mailboxes or maildirs by using the correct lines in a
+Email can be saved to mailboxes or maildirs by using the correct lines in a
.forward file:
<p>
Mailbox format files "/debian/home/foo/Mbox"
<p>
Also, 'Exim Filter' files are deliberately turned off.
<h2>Delivey Environment</h2>
-Some environment variables are set per-message (not quoted! Carefull!)
+Some environment variables are set per-message (not quoted! Careful!)
It is important to note that the environment variables dealing with
addressing apply to the ENVELOPE address are are totally completely
unrelated to the actual contents of the message:
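Review bot: This hunk fixes "Carefull" but leaves the heading "Delivey Environment" and the phrase "are are totally completely unrelated" on the neighbouring lines. Correct them in the same change: "Delivery Environment" and "and are completely unrelated".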
<li>RECIPIENT = (the entire envelope to)
</ol>
<p>
-Such that, <i>$RECIPIENT = $LOCAL-EXTENSION@<something></i>.
+Such that, <i>$RECIPIENT = $LOCAL-$EXTENSION@<something></i>.
<HR>
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Wed, May 10 04:51:33 UTC 2000<BR>
+<SMALL>Last Modified: Wed, Oct 25 05:46:04 UTC 2000<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
#use wml::debian::template title="Email Forwarding"
<p>
-Emails to @debian.org now go through a LDAP distributed email system. This
-system uses the forwarding field in the LDAP directory to route mail without
-passing it through a users .forward file on a single computer.
-Multiple machines participate in the forwarding to provide redudency.
+Emails to @debian.org addresses now go through a LDAP distributed email system.
+This system uses the forwarding field in the LDAP directory to route mail
+without passing it through a users .forward file on a single host.
+Multiple machines participate in the forwarding to provide redudancy.
<p>
-Each of the forwarders inspects the LDAP database
+Each forwarders inspects the LDAP database
to see if foo@debian.org has forwarding set to an address, if so the <i>envelope
to address</i> is rewritten and the message redirected to the new address.
Otherwise the message is relayed to master.debian.org for processing by the
Ignore the IFS=".." stuff in the procmail man page.
<h2>MailBox formats</h2>
-Emails can be saved to mailboxes or maildirs by using the correct lines in a
+Email can be saved to mailboxes or maildirs by using the correct lines in a
.forward file:
<p>
Mailbox format files "/debian/home/foo/Mbox"
Also, 'Exim Filter' files are deliberately turned off.
<h2>Delivey Environment</h2>
-Some environment variables are set per-message (not quoted! Carefull!)
+Some environment variables are set per-message (not quoted! Careful!)
It is important to note that the environment variables dealing with
addressing apply to the ENVELOPE address are are totally completely
unrelated to the actual contents of the message:
</ol>
<p>
-Such that, <i>$RECIPIENT = $LOCAL-EXTENSION@<something></i>.
+Such that, <i>$RECIPIENT = $LOCAL-$EXTENSION@<something></i>.
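Review bot: In the corrected line the literal <something> is written as a raw tag inside the <i> element, so a browser will treat it as an unknown element and not display it. Escape it as &lt;something&gt; here and in the generated HTML hunk so the pattern $LOCAL-$EXTENSION@... renders in full.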
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
-<meta name="Modified" content="27-12-1999 23:44:59">
+<meta name="Generator" content="WML 1.7.4 (06-Oct-1999)">
+<meta name="Modified" content="24-10-2000 23:43:55">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
LDAP information through the <a href="doc-mail.html">mail gateway</a> and use
SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you
need to first generate a private RSA key using <tt>ssh-keygen</tt> and select
-a good password for it. Then send the public portion of the key to the LDAP
+a good passphrase for it. Then send the public portion of the key to the LDAP
directory:
<pre>
gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
</pre>
You can then use this key to authenticate to the machines. Using ssh-agent
(automatically run by Debian's X configuration) you can use ssh-add to 'cache'
-your password once. Note: Very few
-machines have the patched SSH required to support this yet.
+your passphrase once.
<HR>
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Tue, Dec 28 06:44:59 UTC 1999<BR>
+<SMALL>Last Modified: Wed, Oct 25 05:43:55 UTC 2000<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
LDAP information through the <a href="doc-mail.html">mail gateway</a> and use
SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you
need to first generate a private RSA key using <tt>ssh-keygen</tt> and select
-a good password for it. Then send the public portion of the key to the LDAP
+a good passphrase for it. Then send the public portion of the key to the LDAP
directory:
<pre>
gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
</pre>
You can then use this key to authenticate to the machines. Using ssh-agent
(automatically run by Debian's X configuration) you can use ssh-add to 'cache'
-your password once. Note: Very few
-machines have the patched SSH required to support this yet.
+your passphrase once.