--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML lang="en">
+<HEAD>
+<TITLE>Debian GNU/Linux -- Direct LDAP Access</TITLE>
+<LINK REV="made" HREF="mailto:webmaster@debian.org">
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<META NAME="Description" CONTENT="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
+<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
+<META NAME="Language" CONTENT="English">
+<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="27-12-1999 23:03:51">
+</HEAD>
+<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
+<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
+<TR>
+<TD>
+<A HREF="http://www.debian.org/logos/" BORDER="0"><IMG src="/Pics/logo-50.jpg" border="0" hspace="0" vspace="0" alt=""></A>
+<IMG src="/Pics/debian.jpg" border="0" hspace="0" vspace="0" alt="Debian Project">
+</TD>
+</TR>
+<TR>
+<TD bgcolor="#DF0451">
+<A href="http://www.debian.org/"><IMG src="/Pics/home.en.gif" border="0" hspace="2" vspace="3" alt="Home"></A>
+<A href="http://www.debian.org/intro/about"><IMG src="/Pics/about.en.gif" border="0" hspace="2" vspace="3" alt="About Debian"></A>
+<A href="http://www.debian.org/News/"><IMG src="/Pics/news.en.gif" border="0" hspace="2" vspace="3" alt="News"></A>
+<A href="http://www.debian.org/distrib/"><IMG src="/Pics/distrib.en.gif" border="0" hspace="2" vspace="3" alt="Distribution"></A>
+<A href="http://www.debian.org/support"><IMG src="/Pics/support.en.gif" border="0" hspace="2" vspace="3" alt="Support"></A>
+<A href="http://www.debian.org/devel/"><IMG src="/Pics/devel.en.gif" border="0" hspace="2" vspace="3" alt="Developers' Corner"></A>
+<A href="http://www.debian.org/search"><IMG src="/Pics/search.en.gif" border="0" hspace="2" vspace="3" alt="Search"></A>
+</TD>
+</TR>
+</TABLE>
+<H1>Direct LDAP Access</H1>
+<p>
+The LDAP utilities package provides a program called ldapsearch that can be
+used to exectute direct queries to the database. Generally this is done by
+putting
+<pre>
+HOST db.debian.org
+BASE dc=debian,dc=org
+</pre>
+in ~/.ldaprc. Then queries can be performed, for instance
+<pre>
+samosa{jgg}~#ldapsearch uid=wakkerma keyfingerprint
+uid=wakkerma,ou=users,dc=debian,dc=org
+keyfingerprint=38444C2CA6AD756EB4A2E5FA612AFF59
+keyfingerprint=576E100B518D2F1636B028053CB892502FA3BC2D
+</pre>
+Shows the PGP key finger prints for the <tt>wakkerma</tt> user. The first word
+in the command is the query to perform, the rest of command line are the
+attributes to return, if omitted then all readable attributes are returned.
+More complicated queries are possible, for instance:
+<pre>
+samosa{jgg}~#ldapsearch '(&(!(loginshell=/bin/bash))(uid=*))' loginshell
+uid=admin,ou=users,dc=debian,dc=org
+
+uid=mryan,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/tcsh
+
+uid=jkominek,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+
+uid=caelum,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+[..]
+</pre>
+Shows users that do not use bash as their shell. Some other interesting
+queries are:
+<ul>
+<li>Count the number of developers <tt>(&(keyfingerprint=*)(gidnumber=800))</tt>
+<li>Show people in a certain group <tt>gidmembership=adm</tt>
+<li>People named james <tt>cn=james</tt>
+<li>Someone whos last name phonetically sounds like 'Ackerma' <tt>sn~=ackerm</tt>
+<li>All the sparcs <tt>host=sparc</tt>
+</ul>
+<a href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2254.txt">RFC 2254</a>
+has more information about the filter expressions.
+<h1>Other LDAP Browsers</h1>
+<p>
+The GQ package has a graphical LDAP browser that can browse the debian.org
+tree. It is somewhat ungainly with the large number of entries in our
+directory, but it does work nonetheless. Configuration is similar, use the
+preferences dialog to add a new host with the information given above.
+<p>
+Netscape has a browser for their mailer, but I have never been able to get
+it to work, please email if you have any luck.
+<p>
+To my knowledge there are no interfaces for popular mailers like mutt and
+gnus. Such an interface would allow using the directory as an enhanced address
+book.
+<HR>
+<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
+<HR>
+<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
+<SMALL>Last Modified: Tue, Dec 28 06:03:51 UTC 1999<BR>
+Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
+
+ </SMALL>
+</BODY>
+</HTML>
--- /dev/null
+#use wml::debian::template title="Direct LDAP Access"
+<p>
+The LDAP utilities package provides a program called ldapsearch that can be
+used to exectute direct queries to the database. Generally this is done by
+putting
+<pre>
+HOST db.debian.org
+BASE dc=debian,dc=org
+</pre>
+in ~/.ldaprc. Then queries can be performed, for instance
+<pre>
+samosa{jgg}~#ldapsearch uid=wakkerma keyfingerprint
+uid=wakkerma,ou=users,dc=debian,dc=org
+keyfingerprint=38444C2CA6AD756EB4A2E5FA612AFF59
+keyfingerprint=576E100B518D2F1636B028053CB892502FA3BC2D
+</pre>
+Shows the PGP key finger prints for the <tt>wakkerma</tt> user. The first word
+in the command is the query to perform, the rest of command line are the
+attributes to return, if omitted then all readable attributes are returned.
+More complicated queries are possible, for instance:
+<pre>
+samosa{jgg}~#ldapsearch '(&(!(loginshell=/bin/bash))(uid=*))' loginshell
+uid=admin,ou=users,dc=debian,dc=org
+
+uid=mryan,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/tcsh
+
+uid=jkominek,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+
+uid=caelum,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+[..]
+</pre>
+Shows users that do not use bash as their shell. Some other interesting
+queries are:
+<ul>
+<li>Count the number of developers <tt>(&(keyfingerprint=*)(gidnumber=800))</tt>
+<li>Show people in a certain group <tt>gidmembership=adm</tt>
+<li>People named james <tt>cn=james</tt>
+<li>Someone whos last name phonetically sounds like 'Ackerma' <tt>sn~=ackerm</tt>
+<li>All the sparcs <tt>host=sparc</tt>
+</ul>
+<a href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2254.txt">RFC 2254</a>
+has more information about the filter expressions.
+
+<h1>Other LDAP Browsers</h1>
+<p>
+The GQ package has a graphical LDAP browser that can browse the debian.org
+tree. It is somewhat ungainly with the large number of entries in our
+directory, but it does work nonetheless. Configuration is similar, use the
+preferences dialog to add a new host with the information given above.
+<p>
+Netscape has a browser for their mailer, but I have never been able to get
+it to work, please email if you have any luck.
+<p>
+To my knowledge there are no interfaces for popular mailers like mutt and
+gnus. Such an interface would allow using the directory as an enhanced address
+book.
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML lang="en">
+<HEAD>
+<TITLE>Debian GNU/Linux -- General LDAP Documentation</TITLE>
+<LINK REV="made" HREF="mailto:webmaster@debian.org">
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<META NAME="Description" CONTENT="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
+<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
+<META NAME="Language" CONTENT="English">
+<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="27-12-1999 22:58:00">
+</HEAD>
+<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
+<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
+<TR>
+<TD>
+<A HREF="http://www.debian.org/logos/" BORDER="0"><IMG src="/Pics/logo-50.jpg" border="0" hspace="0" vspace="0" alt=""></A>
+<IMG src="/Pics/debian.jpg" border="0" hspace="0" vspace="0" alt="Debian Project">
+</TD>
+</TR>
+<TR>
+<TD bgcolor="#DF0451">
+<A href="http://www.debian.org/"><IMG src="/Pics/home.en.gif" border="0" hspace="2" vspace="3" alt="Home"></A>
+<A href="http://www.debian.org/intro/about"><IMG src="/Pics/about.en.gif" border="0" hspace="2" vspace="3" alt="About Debian"></A>
+<A href="http://www.debian.org/News/"><IMG src="/Pics/news.en.gif" border="0" hspace="2" vspace="3" alt="News"></A>
+<A href="http://www.debian.org/distrib/"><IMG src="/Pics/distrib.en.gif" border="0" hspace="2" vspace="3" alt="Distribution"></A>
+<A href="http://www.debian.org/support"><IMG src="/Pics/support.en.gif" border="0" hspace="2" vspace="3" alt="Support"></A>
+<A href="http://www.debian.org/devel/"><IMG src="/Pics/devel.en.gif" border="0" hspace="2" vspace="3" alt="Developers' Corner"></A>
+<A href="http://www.debian.org/search"><IMG src="/Pics/search.en.gif" border="0" hspace="2" vspace="3" alt="Search"></A>
+</TD>
+</TR>
+</TABLE>
+<H1>General LDAP Documentation</H1>
+<p>
+debian.org uses a single LDAP driven directory for account managment across
+all the project run <a href="/machines.cgi">machines</a>. This directory
+also provides services for leaving vacation notices, updating
+<a href="http://www.debian.org/devel/developers.loc">xplanet</a> coordinates,
+email forwarding, ssh authentication keys and other information.
+<p>
+Note: master and va do not presently use the LDAP directory. Only lully
+uses replicated SSH RSA authentication keys and master does not use the
+email forwarding field (but all other machines do)
+<h1>Security and Privacy</h1>
+Three levels of information security are provided by the database. The first
+is completely public information that anyone can see either by issuing an
+LDAP query or by visiting the web site. The next level is "maintainer-only"
+information that requires authentication to the directory before it can be
+accessed. The final level is admin-only or user-only information; this
+information can only be viewed by the user or an administrator.
+<p>
+Maintainer-only information includes precise location information
+[postalcode, postal address, lat/long] telephone numbers, and the vacation
+message.
+<p>
+Admin-only/user-only information includes email forwarding, ssh keys and
+the encrypted password. Note that email forwarding is necessarily publicly
+viewable from accounts on the actual machines.
+<p>
+Entries in the directory are keyed to the developers PGP key, whoever has that
+key can make any change to the directory through the mail interface.
+<h1>Access</h1>
+The directory has several means to access it:
+<ul>
+<li><a href="https://db.debian.org/login.cgi">SSL Web Forms</a>
+<li>Finger gateway, <tt>finger foo@debian.org</tt>
+<li><a href="doc-mail.html">Mail gateway</a>
+<li><a href="doc-direct.html">Direct LDAP Access</a>
+<li>LDAP command line tools such as <tt>ud-info</tt>
+</ul>
+<HR>
+<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
+<HR>
+<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
+<SMALL>Last Modified: Tue, Dec 28 05:58:00 UTC 1999<BR>
+Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
+
+ </SMALL>
+</BODY>
+</HTML>
--- /dev/null
+#use wml::debian::template title="General LDAP Documentation"
+<p>
+debian.org uses a single LDAP driven directory for account managment across
+all the project run <a href="/machines.cgi">machines</a>. This directory
+also provides services for leaving vacation notices, updating
+<a href="http://www.debian.org/devel/developers.loc">xplanet</a> coordinates,
+email forwarding, ssh authentication keys and other information.
+
+<p>
+Note: master and va do not presently use the LDAP directory. Only lully
+uses replicated SSH RSA authentication keys and master does not use the
+email forwarding field (but all other machines do)
+
+<h1>Security and Privacy</h1>
+Three levels of information security are provided by the database. The first
+is completely public information that anyone can see either by issuing an
+LDAP query or by visiting the web site. The next level is "maintainer-only"
+information that requires authentication to the directory before it can be
+accessed. The final level is admin-only or user-only information; this
+information can only be viewed by the user or an administrator.
+
+<p>
+Maintainer-only information includes precise location information
+[postalcode, postal address, lat/long] telephone numbers, and the vacation
+message.
+
+<p>
+Admin-only/user-only information includes email forwarding, ssh keys and
+the encrypted password. Note that email forwarding is necessarily publicly
+viewable from accounts on the actual machines.
+
+<p>
+Entries in the directory are keyed to the developers PGP key, whoever has that
+key can make any change to the directory through the mail interface.
+
+<h1>Access</h1>
+The directory has several means to access it:
+<ul>
+<li><a href="https://db.debian.org/login.cgi">SSL Web Forms</a>
+<li>Finger gateway, <tt>finger foo@debian.org</tt>
+<li><a href="doc-mail.html">Mail gateway</a>
+<li><a href="doc-direct.html">Direct LDAP Access</a>
+<li>LDAP command line tools such as <tt>ud-info</tt>
+</ul>
+
+<p>
+<a href="password.html">Lost or forgotten password instructions</a>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML lang="en">
+<HEAD>
+<TITLE>Debian GNU/Linux -- LDAP Gateway</TITLE>
+<LINK REV="made" HREF="mailto:webmaster@debian.org">
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<META NAME="Description" CONTENT="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
+<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
+<META NAME="Language" CONTENT="English">
+<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="27-12-1999 16:38:30">
+</HEAD>
+<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
+<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
+<TR>
+<TD>
+<A HREF="http://www.debian.org/logos/" BORDER="0"><IMG src="/Pics/logo-50.jpg" border="0" hspace="0" vspace="0" alt=""></A>
+<IMG src="/Pics/debian.jpg" border="0" hspace="0" vspace="0" alt="Debian Project">
+</TD>
+</TR>
+<TR>
+<TD bgcolor="#DF0451">
+<A href="http://www.debian.org/"><IMG src="/Pics/home.en.gif" border="0" hspace="2" vspace="3" alt="Home"></A>
+<A href="http://www.debian.org/intro/about"><IMG src="/Pics/about.en.gif" border="0" hspace="2" vspace="3" alt="About Debian"></A>
+<A href="http://www.debian.org/News/"><IMG src="/Pics/news.en.gif" border="0" hspace="2" vspace="3" alt="News"></A>
+<A href="http://www.debian.org/distrib/"><IMG src="/Pics/distrib.en.gif" border="0" hspace="2" vspace="3" alt="Distribution"></A>
+<A href="http://www.debian.org/support"><IMG src="/Pics/support.en.gif" border="0" hspace="2" vspace="3" alt="Support"></A>
+<A href="http://www.debian.org/devel/"><IMG src="/Pics/devel.en.gif" border="0" hspace="2" vspace="3" alt="Developers' Corner"></A>
+<A href="http://www.debian.org/search"><IMG src="/Pics/search.en.gif" border="0" hspace="2" vspace="3" alt="Search"></A>
+</TD>
+</TR>
+</TABLE>
+<H1>LDAP Gateway</H1>
+The LDAP directory has a PGP secured mail gateway that
+allows users to safely and conviently effect changes to their entries. It
+makes use of PGP signed input messages to positivly identify the user and
+to confirm the validity of the request. Furthermore it implements a replay
+cache that prevents the gateway from accepting the same message more than
+once.
+<p>
+There are three functions logically split into 3 sperate email addresses
+that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
+<b>changes</b>. The function to act on is the first argument to the program.
+<p>
+Error handling is currently done by generating a bounce message and passing
+descriptive error text to the mailer. This can generate a somewhat hard to
+read error message, but it does have all the relevent information.
+<h1>Ping</h1>
+The ping command simply returns the users public record. It is usefull for
+testing the gateway and for the requester to get a basic dump of their
+record. In future this address might 'freshen' the record to indicate the
+user is alive. Any PGP signed message will produce a reply.
+<h1>New Password</h1>
+If a user looses their password they can request that a new one be generated
+for them. This is done by sending the phrase "Please change my Debian
+password" to chpasswd@db.debian.org. The phrase is required to prevent the
+daemon from triggering on arbitary signed email. The best way to invoke this
+feature is with
+<pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
+After validating the request the daemon will generate a new random password,
+set it in the directory and respond with an ecrpyted message containing the
+new password. The password can be changed using one of the other interface
+methods.
+<h1>Changes</h1>
+An address is provided for making almost arbitary changes to the contents of
+the record. The daemon parse its input line by line and acts on each line in
+a command oriented manner. Anything, except for passwords, can be changed
+using this mechanism. Note however that because this is a mail gateway it
+does stringent checking on its input. The other tools allow fields to be set
+to virtually anything, the gateway requires specific field formats to be met.
+<ul>
+<li>A line of the form <tt>'field: value'</tt> will change the contents of
+the field to value. Some simple checks are performed on value to make sure
+that it is not sent to nonsense. The values that can be changed are:
+<b>c</b>, <b>l</b>, <b>facsimiletelephonenumber</b>, <b>telephonenumber</b>,
+<b>postaladdress</b>, <b>postalcode</b>,
+<b>loginshell</b>, <b>emailforward</b>, <b>ircnick</b>, <b>onvacation</b>,
+and <b>labledurl</b>
+<li>The daemon has a special parser to help changing latitude and longitude
+values. It accepts several common formats for position information and
+converts them to one of the standard forms. The permitted types are
+<pre>D = Degrees, M = Minutes, S = Seconds, x = n,s,e,w
++-DDD.DDDDD, +- DDDMM.MMMM, +-DDDMMSS.SSSS [standard forms]
+DDxMM.MMMM, DD:MM.MMMM x, DD:MM:SS.SSS X)</pre>
+and the request format is <tt>'Lat: xxx Long: xxx'</tt> where <tt>xxx</tt>
+is one of the permitted types. The resulting response will include how the
+input was parsed and the value in decimal degrees.
+<li>
+Part of the replicated dataset is a virtual .ssh/authorized_keys file for
+each user. The change address is the simplest way to set the RSA key(s) you
+intend to use. Simply place a key on a line by itself, the full SSH key
+format specification is supported, see sshd(8). Probably the most common way
+to use this function will be
+<pre>cat .ssh/identity.pub | gpg --clearsign | mail change@db.debian.org</pre>
+which will set the authentication key to the identity you are using.
+Multiple keys per user are supported, but they must all be sent at once.
+<li>Debian.net DNS Zone Entry. The only way to get a debian.net address is
+to use the mail gateway. It
+will verify the request and prevent name collisions automatically. Requests
+can take two forms: <tt>'foo in a 1.2.3.4'</tt> or <tt>'foo in cname
+foo.bar.'</tt> The precise form is critical and must not be deviated from.
+Like the SSH function above, multiple hosts are supported, but they must all
+be sent at once. The debian.net zone is only reloaded once per day at
+midnight -0700.
+<li>If the single word <b>show</b> appears on a line then a PGP encrypted version
+of the entire record will be attached to the result email.
+</ul>
+After processing the requests the daemon will generate a report which contains
+each input command and the action taken. If there are any parsing errors
+processing stops immediately, but valid changes up to that point are
+processed.
+<h2>Notes</h2>
+<p>
+In this document PGP refers to any message or key that GnuPG is
+able to generate or parse, specificaly it includes both PGP2.x and OpenPGP
+(aka GnuPG) keys.
+<p>
+Due to the replay cache the clock on the computer that generates the
+signatures has to be accurate to at least one day. If it is off by several
+months or more then the deamon will outright reject all messages.
+<p>
+Examples are given using GnuPG, but PGP 2.x can also be used. The correct
+options to generate a clear signed ascii armored message in 'filter' mode
+are <tt>pgp -fast</tt> which does the same as <tt>gpg --clearsign</tt>
+<p>
+Debian.org machines rely on secured replication to transfer login data out
+of the database. Replication is performed at 15 min intervals so it can take
+a short while before any changes made take effect.
+<HR>
+<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
+<HR>
+<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
+<SMALL>Last Modified: Mon, Dec 27 23:38:30 UTC 1999<BR>
+Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
+
+ </SMALL>
+</BODY>
+</HTML>
--- /dev/null
+#use wml::debian::template title="LDAP Gateway"
+
+The LDAP directory has a PGP secured mail gateway that
+allows users to safely and conviently effect changes to their entries. It
+makes use of PGP signed input messages to positivly identify the user and
+to confirm the validity of the request. Furthermore it implements a replay
+cache that prevents the gateway from accepting the same message more than
+once.
+
+<p>
+There are three functions logically split into 3 sperate email addresses
+that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
+<b>changes</b>. The function to act on is the first argument to the program.
+
+<p>
+Error handling is currently done by generating a bounce message and passing
+descriptive error text to the mailer. This can generate a somewhat hard to
+read error message, but it does have all the relevent information.
+
+<h1>Ping</h1>
+The ping command simply returns the users public record. It is usefull for
+testing the gateway and for the requester to get a basic dump of their
+record. In future this address might 'freshen' the record to indicate the
+user is alive. Any PGP signed message will produce a reply.
+
+<h1>New Password</h1>
+If a user looses their password they can request that a new one be generated
+for them. This is done by sending the phrase "Please change my Debian
+password" to chpasswd@db.debian.org. The phrase is required to prevent the
+daemon from triggering on arbitary signed email. The best way to invoke this
+feature is with
+<pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
+After validating the request the daemon will generate a new random password,
+set it in the directory and respond with an ecrpyted message containing the
+new password. The password can be changed using one of the other interface
+methods.
+
+<h1>Changes</h1>
+An address is provided for making almost arbitary changes to the contents of
+the record. The daemon parse its input line by line and acts on each line in
+a command oriented manner. Anything, except for passwords, can be changed
+using this mechanism. Note however that because this is a mail gateway it
+does stringent checking on its input. The other tools allow fields to be set
+to virtually anything, the gateway requires specific field formats to be met.
+
+<ul>
+<li>A line of the form <tt>'field: value'</tt> will change the contents of
+the field to value. Some simple checks are performed on value to make sure
+that it is not sent to nonsense. The values that can be changed are:
+<b>c</b>, <b>l</b>, <b>facsimiletelephonenumber</b>, <b>telephonenumber</b>,
+<b>postaladdress</b>, <b>postalcode</b>,
+<b>loginshell</b>, <b>emailforward</b>, <b>ircnick</b>, <b>onvacation</b>,
+and <b>labledurl</b>
+
+<li>The daemon has a special parser to help changing latitude and longitude
+values. It accepts several common formats for position information and
+converts them to one of the standard forms. The permitted types are
+<pre>D = Degrees, M = Minutes, S = Seconds, x = n,s,e,w
++-DDD.DDDDD, +- DDDMM.MMMM, +-DDDMMSS.SSSS [standard forms]
+DDxMM.MMMM, DD:MM.MMMM x, DD:MM:SS.SSS X)</pre>
+and the request format is <tt>'Lat: xxx Long: xxx'</tt> where <tt>xxx</tt>
+is one of the permitted types. The resulting response will include how the
+input was parsed and the value in decimal degrees.
+
+<li>
+Part of the replicated dataset is a virtual .ssh/authorized_keys file for
+each user. The change address is the simplest way to set the RSA key(s) you
+intend to use. Simply place a key on a line by itself, the full SSH key
+format specification is supported, see sshd(8). Probably the most common way
+to use this function will be
+<pre>cat .ssh/identity.pub | gpg --clearsign | mail change@db.debian.org</pre>
+which will set the authentication key to the identity you are using.
+
+Multiple keys per user are supported, but they must all be sent at once.
+
+<li>Debian.net DNS Zone Entry. The only way to get a debian.net address is
+to use the mail gateway. It
+will verify the request and prevent name collisions automatically. Requests
+can take two forms: <tt>'foo in a 1.2.3.4'</tt> or <tt>'foo in cname
+foo.bar.'</tt> The precise form is critical and must not be deviated from.
+
+Like the SSH function above, multiple hosts are supported, but they must all
+be sent at once. The debian.net zone is only reloaded once per day at
+midnight -0700.
+
+<li>If the single word <b>show</b> appears on a line then a PGP encrypted version
+of the entire record will be attached to the result email.
+</ul>
+
+After processing the requests the daemon will generate a report which contains
+each input command and the action taken. If there are any parsing errors
+processing stops immediately, but valid changes up to that point are
+processed.
+
+<h2>Notes</h2>
+<p>
+In this document PGP refers to any message or key that GnuPG is
+able to generate or parse, specificaly it includes both PGP2.x and OpenPGP
+(aka GnuPG) keys.
+<p>
+Due to the replay cache the clock on the computer that generates the
+signatures has to be accurate to at least one day. If it is off by several
+months or more then the deamon will outright reject all messages.
+<p>
+Examples are given using GnuPG, but PGP 2.x can also be used. The correct
+options to generate a clear signed ascii armored message in 'filter' mode
+are <tt>pgp -fast</tt> which does the same as <tt>gpg --clearsign</tt>
+<p>
+Debian.org machines rely on secured replication to transfer login data out
+of the database. Replication is performed at 15 min intervals so it can take
+a short while before any changes made take effect.
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="29-09-1999 22:36:01">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="29-09-1999 23:38:06">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Thu, Sep 30 05:36:01 UTC 1999<BR>
+<SMALL>Last Modified: Thu, Sep 30 05:38:06 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="23-11-1999 23:29:30">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="25-11-1999 00:35:32">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Wed, Nov 24 06:29:30 UTC 1999<BR>
+<SMALL>Last Modified: Thu, Nov 25 07:35:32 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML lang="en">
+<HEAD>
+<TITLE>Debian GNU/Linux -- Lost or Forgotten password</TITLE>
+<LINK REV="made" HREF="mailto:webmaster@debian.org">
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<META NAME="Description" CONTENT="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
+<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
+<META NAME="Language" CONTENT="English">
+<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="27-12-1999 23:19:17">
+</HEAD>
+<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
+<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
+<TR>
+<TD>
+<A HREF="http://www.debian.org/logos/" BORDER="0"><IMG src="/Pics/logo-50.jpg" border="0" hspace="0" vspace="0" alt=""></A>
+<IMG src="/Pics/debian.jpg" border="0" hspace="0" vspace="0" alt="Debian Project">
+</TD>
+</TR>
+<TR>
+<TD bgcolor="#DF0451">
+<A href="http://www.debian.org/"><IMG src="/Pics/home.en.gif" border="0" hspace="2" vspace="3" alt="Home"></A>
+<A href="http://www.debian.org/intro/about"><IMG src="/Pics/about.en.gif" border="0" hspace="2" vspace="3" alt="About Debian"></A>
+<A href="http://www.debian.org/News/"><IMG src="/Pics/news.en.gif" border="0" hspace="2" vspace="3" alt="News"></A>
+<A href="http://www.debian.org/distrib/"><IMG src="/Pics/distrib.en.gif" border="0" hspace="2" vspace="3" alt="Distribution"></A>
+<A href="http://www.debian.org/support"><IMG src="/Pics/support.en.gif" border="0" hspace="2" vspace="3" alt="Support"></A>
+<A href="http://www.debian.org/devel/"><IMG src="/Pics/devel.en.gif" border="0" hspace="2" vspace="3" alt="Developers' Corner"></A>
+<A href="http://www.debian.org/search"><IMG src="/Pics/search.en.gif" border="0" hspace="2" vspace="3" alt="Search"></A>
+</TD>
+</TR>
+</TABLE>
+<H1>Lost or Forgotten password</H1>
+<p>
+If you have lost or forgotten your LDAP password (and by extension, your
+machine login password) you can have it reset by sending a PGP signed
+message to the <a href="doc-mail/html">mail gateway</a>:
+<pre>
+echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+echo "Please change my Debian password" | pgp -fast | mail chpasswd@db.debian.org
+</pre>
+The daemon will then respond with a new randomized password encrypted
+with your key. You can then use the
+<a href="https://db.debian.org/login.cgi">SSL Web pages</a> to change your
+password to something you can remember. You cannot set a new password via the
+mail gateway.
+<p>
+Alternatively, you can do without a password and use PGP to manipulate your
+LDAP information through the <a href="doc-mail/html">mail gateway</a> and use
+SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you
+need to first generate a private RSA key using <tt>ssh-keygen</tt> and select
+a good password for it. Then send the public portion of the key to the LDAP
+directory:
+<pre>
+gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
+</pre>
+You can then use this key to authenticate to the machines. Using ssh-agent
+(automatically run by Debian's X configuration) you can use ssh-add to 'cache'
+your password once. Note: Very few
+machines have the patched SSH required to support this yet.
+<HR>
+<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
+<HR>
+<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
+<SMALL>Last Modified: Tue, Dec 28 06:19:17 UTC 1999<BR>
+Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
+
+ </SMALL>
+</BODY>
+</HTML>
--- /dev/null
+#use wml::debian::template title="Lost or Forgotten password"
+<p>
+If you have lost or forgotten your LDAP password (and by extension, your
+machine login password) you can have it reset by sending a PGP signed
+message to the <a href="doc-mail/html">mail gateway</a>:
+<pre>
+echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+or
+echo "Please change my Debian password" | pgp -fast | mail chpasswd@db.debian.org
+</pre>
+The daemon will then respond with a new randomized password encrypted
+with your key. You can then use the
+<a href="https://db.debian.org/login.cgi">SSL Web pages</a> to change your
+password to something you can remember. You cannot set a new password via the
+mail gateway.
+
+<p>
+Alternatively, you can do without a password and use PGP to manipulate your
+LDAP information through the <a href="doc-mail/html">mail gateway</a> and use
+SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you
+need to first generate a private RSA key using <tt>ssh-keygen</tt> and select
+a good password for it. Then send the public portion of the key to the LDAP
+directory:
+<pre>
+gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
+</pre>
+You can then use this key to authenticate to the machines. Using ssh-agent
+(automatically run by Debian's X configuration) you can use ssh-add to 'cache'
+your password once. Note: Very few
+machines have the patched SSH required to support this yet.
+
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="23-11-1999 23:27:39">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="27-12-1999 23:09:33">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
</form>
<hr>
<p align="center"><a href="http://db.debian.org/machines.cgi">Debian development machines</a></p>
+<p align="center"><a href="http://db.debian.org/doc-general.html">Documentation</a></p>
<HR>
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Wed, Nov 24 06:27:39 UTC 1999<BR>
+<SMALL>Last Modified: Tue, Dec 28 06:09:33 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
</form>
<hr>
<p align=center><a href="http://db.debian.org/machines.cgi">Debian development machines</a></p>
+<p align=center><a href="http://db.debian.org/doc-general.html">Documentation</a></p>
+<p align=center><a href="password.html">Lost or forgotten password instructions</a></p>
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="22-09-1999 20:51:58">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="22-09-1999 21:53:03">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Thu, Sep 23 03:51:58 UTC 1999<BR>
+<SMALL>Last Modified: Thu, Sep 23 03:53:03 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="24-09-1999 18:13:40">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="24-09-1999 19:15:43">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Sat, Sep 25 01:13:40 UTC 1999<BR>
+<SMALL>Last Modified: Sat, Sep 25 01:15:43 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
<META NAME="Keywords" CONTENT="debian, GNU, linux, unix, open source, free, DFSG ">
<META NAME="Language" CONTENT="English">
<meta name="Author" content="Debian Webmaster, webmaster@debian.org">
-<meta name="Generator" content="WML 1.7.2 (28-06-1999)">
-<meta name="Modified" content="24-09-1999 17:34:38">
+<meta name="Generator" content="WML 1.6.8 (12-01-1999)">
+<meta name="Modified" content="24-09-1999 19:07:50">
</HEAD>
<BODY text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
<TABLE border="0" cellpadding="3" cellspacing="0" width="100%">
<P>Back to the <A href="http://www.debian.org/">Debian Project homepage</A>.
<HR>
<SMALL>You can contact us at <A href="mailto:admin@db.debian.org">admin@db.debian.org</A>.</SMALL><P>
-<SMALL>Last Modified: Sat, Sep 25 00:34:38 UTC 1999<BR>
+<SMALL>Last Modified: Sat, Sep 25 01:07:50 UTC 1999<BR>
Copyright © 1997-1999 <A href="http://www.spi-inc.org/">SPI</A>; See <A href="http://www.debian.org/license">license terms</A>
</SMALL>
projects / mirror / userdir-ldap.git / commitdiff