From 386666ec7a3ab737dbe45041d7c7e903aad3bc0c Mon Sep 17 00:00:00 2001 From: jgg <> Date: Wed, 25 Oct 2000 03:58:01 +0000 Subject: [PATCH] Doc fixes --- templates/welcome-message-800 | 4 +++- ud-replicate | 2 +- web/doc-direct.html | 8 ++++---- web/doc-direct.wml | 2 +- web/doc-general.html | 12 ++++++------ web/doc-general.wml | 8 ++++---- web/doc-mail.html | 33 +++++++++++++++++---------------- web/doc-mail.wml | 27 ++++++++++++++------------- web/forward.html | 29 ++++++++++++++++++----------- web/forward.wml | 16 ++++++++-------- web/password.html | 11 +++++------ web/password.wml | 5 ++--- 12 files changed, 83 insertions(+), 74 deletions(-) diff --git a/templates/welcome-message-800 b/templates/welcome-message-800 index b86d4e1..5df81e8 100644 --- a/templates/welcome-message-800 +++ b/templates/welcome-message-800 @@ -70,7 +70,9 @@ The machine ftp-master.debian.org is our main archive server. Every uploaded package finds it's way there (except for Packages covered by US crypto laws which go to non-us.debian.org) eventually. master.debian.org is the home of our bug tracking system. Project web pages and CVS archives are -hosted on va.debian.org (aka cvs/www.debian.org). +hosted on klecker.debian.org (aka cvs/www.debian.org), klecker is also our +general shell server. Web pages should be placed in public_html on klecker +and refered to by http://people.debian.org/~__LOGIN__ You should use ssh to log into the machines instead of regular telnet or rlogin. Our LDAP directory is able to share ssh RSA keys among machines, diff --git a/ud-replicate b/ud-replicate index 5010a6a..58f705b 100755 --- a/ud-replicate +++ b/ud-replicate 
@@ -10,7 +10,7 @@ trap "rm -f lock > /dev/null 2>&1" exit rsync -e ssh -rp sshdist@samosa:/var/cache/userdir-ldap/hosts/$HOST . > /dev/null 2>&1 makedb $HOST/passwd.tdb -o passwd.db.t > /dev/null 2>&1 (umask 027 && makedb $HOST/shadow.tdb -o shadow.db.t) > /dev/null 2>&1 -chown root.shadow shadow.db; chmod 0640 shadow.db.t +chown root.shadow shadow.db.t; chmod 0640 shadow.db.t makedb $HOST/group.tdb -o group.db.t > /dev/null 2>&1 mv -f passwd.db.t passwd.db mv -f shadow.db.t shadow.db diff --git a/web/doc-direct.html b/web/doc-direct.html index 2a6de07..536fe73 100644 --- a/web/doc-direct.html +++ b/web/doc-direct.html @@ -8,8 +8,8 @@ - - + + @@ -34,7 +34,7 @@

Direct LDAP Access

The LDAP utilities package provides a program called ldapsearch that can be -used to exectute direct queries to the database. Generally this is done by +used to execute direct queries to the database. Generally this is done by putting

 HOST db.debian.org
@@ -93,7 +93,7 @@ book.
 

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Tue, Dec 28 06:03:51 UTC 1999
+Last Modified: Wed, Oct 25 05:43:55 UTC 2000
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/doc-direct.wml b/web/doc-direct.wml index 1142722..fc6b74b 100644 --- a/web/doc-direct.wml +++ b/web/doc-direct.wml @@ -1,7 +1,7 @@ #use wml::debian::template title="Direct LDAP Access"

The LDAP utilities package provides a program called ldapsearch that can be -used to exectute direct queries to the database. Generally this is done by +used to execute direct queries to the database. Generally this is done by putting

 HOST db.debian.org
diff --git a/web/doc-general.html b/web/doc-general.html
index cf38433..40de257 100644
--- a/web/doc-general.html
+++ b/web/doc-general.html
@@ -8,8 +8,8 @@
 
 
 
-
-
+
+
 
 
 
@@ -33,7 +33,7 @@

General LDAP Documentation

-debian.org uses a single LDAP driven directory for account managment across +debian.org uses a single LDAP driven directory for account management across all the project run machines. This directory also provides services for leaving vacation notices, updating xplanet coordinates, @@ -45,12 +45,12 @@ running OpenSSH are using replicated SSH RSA authentication keys.

Security and Privacy

Three levels of information security are provided by the database. The first is completely public information that anyone can see either by issuing an -LDAP query or by visiting the web site. The next level is "maintainer-only" +LDAP query or by visiting the web site. The next level is "developer-only" information that requires authentication to the directory before it can be accessed. The final level is admin-only or user-only information; this information can only be viewed by the user or an administrator.

-Maintainer-only information includes precise location information +developer-only information includes precise location information [postalcode, postal address, lat/long] telephone numbers, and the vacation message.

@@ -75,7 +75,7 @@ The directory has several means to access it:

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Wed, May 3 03:59:30 UTC 2000
+Last Modified: Wed, Oct 25 05:38:37 UTC 2000
Copyright © 1997-1999 SPI; See license terms
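Review bot: in the @@ -45,12 hunk the replacement line "+developer-only information includes precise location information" opens a paragraph with a lowercase word where the removed line had "Maintainer-only"; it should read "Developer-only information includes ...". The matching doc-general.wml hunk later in this patch carries the same lowercase line, so fix it in both (or in the .wml source if the .html is regenerated from it).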
diff --git a/web/doc-general.wml b/web/doc-general.wml index 183446c..697847b 100644 --- a/web/doc-general.wml +++ b/web/doc-general.wml @@ -1,8 +1,8 @@ #use wml::debian::template title="General LDAP Documentation"

-debian.org uses a single LDAP driven directory for account managment across +debian.org uses a single LDAP driven directory for account management across all the project run machines. This directory -also provides services for leaving vacation notices, updating +also provides services for leaving vacation notices, updating xplanet coordinates, email forwarding, ssh authentication keys and other information. @@ -14,13 +14,13 @@ running OpenSSH are using replicated SSH RSA authentication keys.

Security and Privacy

Three levels of information security are provided by the database. The first is completely public information that anyone can see either by issuing an -LDAP query or by visiting the web site. The next level is "maintainer-only" +LDAP query or by visiting the web site. The next level is "developer-only" information that requires authentication to the directory before it can be accessed. The final level is admin-only or user-only information; this information can only be viewed by the user or an administrator.

-Maintainer-only information includes precise location information +developer-only information includes precise location information [postalcode, postal address, lat/long] telephone numbers, and the vacation message. diff --git a/web/doc-mail.html b/web/doc-mail.html index 1730fe6..51739e9 100644 --- a/web/doc-mail.html +++ b/web/doc-mail.html @@ -8,8 +8,8 @@ - - + + @@ -33,13 +33,13 @@

LDAP Gateway

The LDAP directory has a PGP secured mail gateway that -allows users to safely and conviently effect changes to their entries. It -makes use of PGP signed input messages to positivly identify the user and +allows users to safely and conveniently effect changes to their entries. It +makes use of PGP signed input messages to positively identify the user and to confirm the validity of the request. Furthermore it implements a replay cache that prevents the gateway from accepting the same message more than once.

-There are three functions logically split into 3 sperate email addresses +There are three functions logically split into 3 seperate email addresses that are implemented by the gateway: ping, new password and changes. The function to act on is the first argument to the program.

@@ -47,7 +47,7 @@ Error handling is currently done by generating a bounce message and passing descriptive error text to the mailer. This can generate a somewhat hard to read error message, but it does have all the relevent information.

Ping

-The ping command simply returns the users public record. It is usefull for +The ping command simply returns the users public record. It is useful for testing the gateway and for the requester to get a basic dump of their record. In future this address might 'freshen' the record to indicate the user is alive. Any PGP signed message will produce a reply. @@ -59,20 +59,21 @@ daemon from triggering on arbitary signed email. The best way to invoke this feature is with
echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
After validating the request the daemon will generate a new random password, -set it in the directory and respond with an ecrpyted message containing the +set it in the directory and respond with an encrpyted message containing the new password. The password can be changed using one of the other interface methods.

Changes

-An address is provided for making almost arbitary changes to the contents of -the record. The daemon parse its input line by line and acts on each line in -a command oriented manner. Anything, except for passwords, can be changed -using this mechanism. Note however that because this is a mail gateway it -does stringent checking on its input. The other tools allow fields to be set -to virtually anything, the gateway requires specific field formats to be met. +An address (changes@debian.org) is provided for making almost arbitary +changes to the contents of the record. The daemon parses its input line by +line and acts on each line in a command oriented manner. Anything, except for +passwords, can be changed using this mechanism. Note however that because +this is a mail gateway it does stringent checking on its input. The other +tools allow fields to be set to virtually anything, the gateway requires +specific field formats to be met. After processing the requests the daemon will generate a report which contains each input command and the action taken. If there are any parsing errors @@ -131,7 +132,7 @@ a short while before any changes made take effect.

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Mon, Dec 27 23:38:30 UTC 1999
+Last Modified: Wed, Oct 25 05:42:44 UTC 2000
Copyright © 1997-1999 SPI; See license terms
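Review bot: several of the spelling corrections in the doc-mail.html hunks are still misspelled: "+There are three functions logically split into 3 seperate email addresses" should be "separate", "+set it in the directory and respond with an encrpyted message containing the" should be "encrypted", and "arbitary" survives into the rewritten Changes paragraph ("arbitrary"). Separately, the address introduced there, "+An address (changes@debian.org) is provided for making almost arbitary", does not agree with the gateway address used elsewhere in this same patch, which is change@db.debian.org in both forward.html and password.html; one of the two is wrong, and a user following the mail-gateway page would send signed change requests to a different mailbox (and domain) than the one the other pages name. The doc-mail.wml hunks below repeat the identical text and need the same fixes.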
diff --git a/web/doc-mail.wml b/web/doc-mail.wml index 9f0a7d8..6b84576 100644 --- a/web/doc-mail.wml +++ b/web/doc-mail.wml @@ -1,14 +1,14 @@ #use wml::debian::template title="LDAP Gateway" The LDAP directory has a PGP secured mail gateway that -allows users to safely and conviently effect changes to their entries. It -makes use of PGP signed input messages to positivly identify the user and +allows users to safely and conveniently effect changes to their entries. It +makes use of PGP signed input messages to positively identify the user and to confirm the validity of the request. Furthermore it implements a replay cache that prevents the gateway from accepting the same message more than once.

-There are three functions logically split into 3 sperate email addresses +There are three functions logically split into 3 seperate email addresses that are implemented by the gateway: ping, new password and changes. The function to act on is the first argument to the program. @@ -18,7 +18,7 @@ descriptive error text to the mailer. This can generate a somewhat hard to read error message, but it does have all the relevent information.

Ping

-The ping command simply returns the users public record. It is usefull for +The ping command simply returns the users public record. It is useful for testing the gateway and for the requester to get a basic dump of their record. In future this address might 'freshen' the record to indicate the user is alive. Any PGP signed message will produce a reply. @@ -31,22 +31,23 @@ daemon from triggering on arbitary signed email. The best way to invoke this feature is with
echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
After validating the request the daemon will generate a new random password, -set it in the directory and respond with an ecrpyted message containing the +set it in the directory and respond with an encrpyted message containing the new password. The password can be changed using one of the other interface methods.

Changes

-An address is provided for making almost arbitary changes to the contents of -the record. The daemon parse its input line by line and acts on each line in -a command oriented manner. Anything, except for passwords, can be changed -using this mechanism. Note however that because this is a mail gateway it -does stringent checking on its input. The other tools allow fields to be set -to virtually anything, the gateway requires specific field formats to be met. +An address (changes@debian.org) is provided for making almost arbitary +changes to the contents of the record. The daemon parses its input line by +line and acts on each line in a command oriented manner. Anything, except for +passwords, can be changed using this mechanism. Note however that because +this is a mail gateway it does stringent checking on its input. The other +tools allow fields to be set to virtually anything, the gateway requires +specific field formats to be met.
  • A line of the form 'field: value' will change the contents of the field to value. Some simple checks are performed on value to make sure -that it is not sent to nonsense. The values that can be changed are: +that it is not set to nonsense. The values that can be changed are: c, l, facsimiletelephonenumber, telephonenumber, postaladdress, postalcode, loginshell, emailforward, ircnick, onvacation, @@ -84,7 +85,7 @@ be sent at once. The debian.net zone is only reloaded once per day at midnight -0700.
  • If the single word show appears on a line then a PGP encrypted version -of the entire record will be attached to the result email. +of the entire record will be attached to the resulting email.
After processing the requests the daemon will generate a report which contains diff --git a/web/forward.html b/web/forward.html index 207af53..728e85f 100644 --- a/web/forward.html +++ b/web/forward.html @@ -8,8 +8,8 @@ - - + + @@ -33,12 +33,12 @@

Email Forwarding

-Emails to @debian.org now go through a LDAP distributed email system. This -system uses the forwarding field in the LDAP directory to route mail without -passing it through a users .forward file on a single computer. -Multiple machines participate in the forwarding to provide redudency. +Emails to @debian.org addresses now go through a LDAP distributed email system. +This system uses the forwarding field in the LDAP directory to route mail +without passing it through a users .forward file on a single host. +Multiple machines participate in the forwarding to provide redudancy.

-Each of the forwarders inspects the LDAP database +Each forwarders inspects the LDAP database to see if foo@debian.org has forwarding set to an address, if so the envelope to address is rewritten and the message redirected to the new address. Otherwise the message is relayed to master.debian.org for processing by the @@ -51,11 +51,18 @@ email. If the user has a home directory and no .forward file the mail is forwarded rather than delivered to /var/spool/mail. This makes sure cron reports, bug responses and other unexpected emails are not misplaced.

+If you set the forwarding address to be a specific Debian machine and do +not create a forward file then that machine will spool the mail to +/var/spool/mail instead of creating a mail loop. +

The email forwarding can be easially reconfigured using GnuPG:

 echo "emailforward: foo@bar.com" | gpg --clearsign | mail change@db.debian.org
 
or by visiting db.debian.org +

+You can test the email routing by using the command /usr/sbin/exim -bt +foo@debian.org

procmail

If you use procmail for your main mailbox, PLEASE, erase your .forward file and put a .procmailrc in its place instead. This feature has been @@ -65,7 +72,7 @@ supported. The correct way to invoke procmail for extension addresses is "|/usr/bin/procmail [options]" Ignore the IFS=".." stuff in the procmail man page.

MailBox formats

-Emails can be saved to mailboxes or maildirs by using the correct lines in a +Email can be saved to mailboxes or maildirs by using the correct lines in a .forward file:

Mailbox format files "/debian/home/foo/Mbox" @@ -78,7 +85,7 @@ Exim.

Also, 'Exim Filter' files are deliberately turned off.

Delivey Environment

-Some environment variables are set per-message (not quoted! Carefull!) +Some environment variables are set per-message (not quoted! Careful!) It is important to note that the environment variables dealing with addressing apply to the ENVELOPE address are are totally completely unrelated to the actual contents of the message: @@ -97,12 +104,12 @@ unrelated to the actual contents of the message:
  • RECIPIENT = (the entire envelope to)

    -Such that, $RECIPIENT = $LOCAL-EXTENSION@<something>. +Such that, $RECIPIENT = $LOCAL-$EXTENSION@<something>.


    Back to the Debian Project homepage.


    You can contact us at admin@db.debian.org.

    -Last Modified: Wed, May 10 04:51:33 UTC 2000
    +Last Modified: Wed, Oct 25 05:46:04 UTC 2000
    Copyright © 1997-1999 SPI; See license terms
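Review bot: the @@ -33,12 hunk's "+Each forwarders inspects the LDAP database" is ungrammatical; the removed "Each of the forwarders inspects" was correct, or use "Each forwarder inspects". In the same hunk "redudency" has been changed to "redudancy", which is still wrong ("redundancy"). While in this file, the unchanged context lines nearby have "a users .forward" (user's), "easially" (easily), the heading "Delivey Environment" (Delivery) and "apply to the ENVELOPE address are are totally" (doubled "are"). The forward.wml hunks below reproduce the same two new errors, so they need the same correction.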
    diff --git a/web/forward.wml b/web/forward.wml index 532bbf7..86fc31b 100644 --- a/web/forward.wml +++ b/web/forward.wml @@ -1,12 +1,12 @@ #use wml::debian::template title="Email Forwarding"

    -Emails to @debian.org now go through a LDAP distributed email system. This -system uses the forwarding field in the LDAP directory to route mail without -passing it through a users .forward file on a single computer. -Multiple machines participate in the forwarding to provide redudency. +Emails to @debian.org addresses now go through a LDAP distributed email system. +This system uses the forwarding field in the LDAP directory to route mail +without passing it through a users .forward file on a single host. +Multiple machines participate in the forwarding to provide redudancy.

    -Each of the forwarders inspects the LDAP database +Each forwarders inspects the LDAP database to see if foo@debian.org has forwarding set to an address, if so the envelope to address is rewritten and the message redirected to the new address. Otherwise the message is relayed to master.debian.org for processing by the @@ -47,7 +47,7 @@ The correct way to invoke procmail for extension addresses is "|/usr/bin/procmai Ignore the IFS=".." stuff in the procmail man page.

    MailBox formats

    -Emails can be saved to mailboxes or maildirs by using the correct lines in a +Email can be saved to mailboxes or maildirs by using the correct lines in a .forward file:

    Mailbox format files "/debian/home/foo/Mbox" @@ -63,7 +63,7 @@ Exim. Also, 'Exim Filter' files are deliberately turned off.

    Delivey Environment

    -Some environment variables are set per-message (not quoted! Carefull!) +Some environment variables are set per-message (not quoted! Careful!) It is important to note that the environment variables dealing with addressing apply to the ENVELOPE address are are totally completely unrelated to the actual contents of the message: @@ -84,5 +84,5 @@ unrelated to the actual contents of the message:

    -Such that, $RECIPIENT = $LOCAL-EXTENSION@<something>. +Such that, $RECIPIENT = $LOCAL-$EXTENSION@<something>. diff --git a/web/password.html b/web/password.html index 674ec50..38241d8 100644 --- a/web/password.html +++ b/web/password.html @@ -8,8 +8,8 @@ - - + + @@ -51,20 +51,19 @@ Alternatively, you can do without a password and use PGP to manipulate your LDAP information through the mail gateway and use SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you need to first generate a private RSA key using ssh-keygen and select -a good password for it. Then send the public portion of the key to the LDAP +a good passphrase for it. Then send the public portion of the key to the LDAP directory:
     gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
     
    You can then use this key to authenticate to the machines. Using ssh-agent (automatically run by Debian's X configuration) you can use ssh-add to 'cache' -your password once. Note: Very few -machines have the patched SSH required to support this yet. +your passphrase once.

    Back to the Debian Project homepage.


    You can contact us at admin@db.debian.org.

    -Last Modified: Tue, Dec 28 06:44:59 UTC 1999
    +Last Modified: Wed, Oct 25 05:43:55 UTC 2000
    Copyright © 1997-1999 SPI; See license terms
    diff --git a/web/password.wml b/web/password.wml index e4dbee3..8901cef 100644 --- a/web/password.wml +++ b/web/password.wml @@ -19,13 +19,12 @@ Alternatively, you can do without a password and use PGP to manipulate your LDAP information through the mail gateway and use SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you need to first generate a private RSA key using ssh-keygen and select -a good password for it. Then send the public portion of the key to the LDAP +a good passphrase for it. Then send the public portion of the key to the LDAP directory:

     gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
     
    You can then use this key to authenticate to the machines. Using ssh-agent (automatically run by Debian's X configuration) you can use ssh-add to 'cache' -your password once. Note: Very few -machines have the patched SSH required to support this yet. +your passphrase once. -- 2.20.1
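Review bot: in the templates/welcome-message-800 hunk, "+and refered to by http://people.debian.org/~__LOGIN__" should be "referred", and the added "+hosted on klecker.debian.org (aka cvs/www.debian.org), klecker is also our" joins two sentences with a comma; suggest ending the sentence after the parenthesis and starting a new one: "klecker is also our general shell server." The surrounding context line "Every uploaded package finds it's way there" also wants "its".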
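Review bot: the ud-replicate hunk is a correct and worthwhile fix, not just a doc change: the old line "-chown root.shadow shadow.db; chmod 0640 shadow.db.t" changed ownership of the live shadow.db rather than the freshly built shadow.db.t, so after the later "mv -f shadow.db.t shadow.db" the new file carried whatever owner and group makedb created it with and group shadow could lose read access to the shadow map on every replication run. One thing visible in the context lines that the hunk does not address: each makedb call sends stdout and stderr to /dev/null and its exit status is never checked before the corresponding mv, so a failed or partial build can still be moved into place; tying each mv to the success of its makedb (for example "makedb $HOST/shadow.tdb -o shadow.db.t && mv -f shadow.db.t shadow.db") would keep a bad build from replacing a good database.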