From fb6e12faf7e0f8dde1e42b0904a019c30bd68779 Mon Sep 17 00:00:00 2001
From: jgg <>
Date: Tue, 28 Dec 1999 05:33:04 +0000
Subject: [PATCH] Doc files
---
web/doc-direct.html | 101 ++++++++++++++++++++++++++++++
web/doc-direct.wml | 59 +++++++++++++++++
web/doc-general.html | 81 ++++++++++++++++++++++++
web/doc-general.wml | 47 ++++++++++++++
web/doc-mail.html | 139 +++++++++++++++++++++++++++++++++++++++++
web/doc-mail.wml | 111 ++++++++++++++++++++++++++++++++
web/hostinfo.html | 6 +-
web/login.html | 6 +-
web/password.html | 71 +++++++++++++++++++++
web/password.wml | 31 +++++++++
web/searchform.html | 7 ++-
web/searchform.wml | 2 +
web/searchhelp.html | 6 +-
web/searchresults.html | 6 +-
web/update.html | 6 +-
15 files changed, 661 insertions(+), 18 deletions(-)
create mode 100644 web/doc-direct.html
create mode 100644 web/doc-direct.wml
create mode 100644 web/doc-general.html
create mode 100644 web/doc-general.wml
create mode 100644 web/doc-mail.html
create mode 100644 web/doc-mail.wml
create mode 100644 web/password.html
create mode 100644 web/password.wml
diff --git a/web/doc-direct.html b/web/doc-direct.html
new file mode 100644
index 0000000..2a6de07
--- /dev/null
+++ b/web/doc-direct.html
@@ -0,0 +1,101 @@ + + + +Debian GNU/Linux -- Direct LDAP Access + + + + + + + + + + + + + + + + + +
+ +Debian Project +
+Home +About Debian +News +Distribution +Support +Developers' Corner +Search +
+

Direct LDAP Access

+

+The LDAP utilities package provides a program called ldapsearch that can be +used to exectute direct queries to the database. Generally this is done by +putting +

+HOST db.debian.org
+BASE dc=debian,dc=org
+
+in ~/.ldaprc. Then queries can be performed, for instance +
+samosa{jgg}~#ldapsearch uid=wakkerma keyfingerprint
+uid=wakkerma,ou=users,dc=debian,dc=org
+keyfingerprint=38444C2CA6AD756EB4A2E5FA612AFF59
+keyfingerprint=576E100B518D2F1636B028053CB892502FA3BC2D
+
+Shows the PGP key finger prints for the wakkerma user. The first word +in the command is the query to perform, the rest of command line are the +attributes to return, if omitted then all readable attributes are returned. +More complicated queries are possible, for instance: +
+samosa{jgg}~#ldapsearch '(&(!(loginshell=/bin/bash))(uid=*))' loginshell
+uid=admin,ou=users,dc=debian,dc=org
+
+uid=mryan,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/tcsh
+
+uid=jkominek,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+
+uid=caelum,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+[..]
+
+Shows users that do not use bash as their shell. Some other interesting +queries are: + +RFC 2254 +has more information about the filter expressions. +

Other LDAP Browsers

+

+The GQ package has a graphical LDAP browser that can browse the debian.org +tree. It is somewhat ungainly with the large number of entries in our +directory, but it does work nonetheless. Configuration is similar, use the +preferences dialog to add a new host with the information given above. +

+Netscape has a browser for their mailer, but I have never been able to get +it to work, please email if you have any luck. +

+To my knowledge there are no interfaces for popular mailers like mutt and +gnus. Such an interface would allow using the directory as an enhanced address +book. +


+

Back to the Debian Project homepage. +


+You can contact us at admin@db.debian.org.

+Last Modified: Tue, Dec 28 06:03:51 UTC 1999
+Copyright © 1997-1999 SPI; See license terms + +
+ + +
diff --git a/web/doc-direct.wml b/web/doc-direct.wml
new file mode 100644
index 0000000..1142722
--- /dev/null
+++ b/web/doc-direct.wml
@@ -0,0 +1,59 @@
+#use wml::debian::template title="Direct LDAP Access" +

+The LDAP utilities package provides a program called ldapsearch that can be +used to exectute direct queries to the database. Generally this is done by +putting +

+HOST db.debian.org
+BASE dc=debian,dc=org
+
+in ~/.ldaprc. Then queries can be performed, for instance +
+samosa{jgg}~#ldapsearch uid=wakkerma keyfingerprint
+uid=wakkerma,ou=users,dc=debian,dc=org
+keyfingerprint=38444C2CA6AD756EB4A2E5FA612AFF59
+keyfingerprint=576E100B518D2F1636B028053CB892502FA3BC2D
+
+Shows the PGP key finger prints for the wakkerma user. The first word +in the command is the query to perform, the rest of command line are the +attributes to return, if omitted then all readable attributes are returned. +More complicated queries are possible, for instance: +
+samosa{jgg}~#ldapsearch '(&(!(loginshell=/bin/bash))(uid=*))' loginshell
+uid=admin,ou=users,dc=debian,dc=org
+
+uid=mryan,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/tcsh
+
+uid=jkominek,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+
+uid=caelum,ou=users,dc=debian,dc=org
+loginshell=/usr/bin/zsh
+[..]
+
+Shows users that do not use bash as their shell. Some other interesting +queries are: + +RFC 2254 +has more information about the filter expressions. + +

Other LDAP Browsers

+

+The GQ package has a graphical LDAP browser that can browse the debian.org +tree. It is somewhat ungainly with the large number of entries in our +directory, but it does work nonetheless. Configuration is similar, use the +preferences dialog to add a new host with the information given above. +

+Netscape has a browser for their mailer, but I have never been able to get +it to work, please email if you have any luck. +

+To my knowledge there are no interfaces for popular mailers like mutt and +gnus. Such an interface would allow using the directory as an enhanced address +book. diff --git a/web/doc-general.html b/web/doc-general.html new file mode 100644 index 0000000..1527f87 --- /dev/null +++ b/web/doc-general.html @@ -0,0 +1,81 @@ + + + +Debian GNU/Linux -- General LDAP Documentation + + + + + + + + + + + + + + + + + +
+ +Debian Project +
+Home +About Debian +News +Distribution +Support +Developers' Corner +Search +
+

General LDAP Documentation

+

+debian.org uses a single LDAP driven directory for account managment across +all the project run machines. This directory +also provides services for leaving vacation notices, updating +xplanet coordinates, +email forwarding, ssh authentication keys and other information. +

+Note: master and va do not presently use the LDAP directory. Only lully +uses replicated SSH RSA authentication keys and master does not use the +email forwarding field (but all other machines do) +

Security and Privacy

+Three levels of information security are provided by the database. The first +is completely public information that anyone can see either by issuing an +LDAP query or by visiting the web site. The next level is "maintainer-only" +information that requires authentication to the directory before it can be +accessed. The final level is admin-only or user-only information; this +information can only be viewed by the user or an administrator. +

+Maintainer-only information includes precise location information +[postalcode, postal address, lat/long] telephone numbers, and the vacation +message. +

+Admin-only/user-only information includes email forwarding, ssh keys and +the encrypted password. Note that email forwarding is necessarily publicly +viewable from accounts on the actual machines. +

+Entries in the directory are keyed to the developers PGP key, whoever has that +key can make any change to the directory through the mail interface. +

Access

+The directory has several means to access it: + +
+

Back to the Debian Project homepage. +


+You can contact us at admin@db.debian.org.

+Last Modified: Tue, Dec 28 05:58:00 UTC 1999
+Copyright © 1997-1999 SPI; See license terms + +
+ + +
diff --git a/web/doc-general.wml b/web/doc-general.wml
new file mode 100644
index 0000000..50962bd
--- /dev/null
+++ b/web/doc-general.wml
@@ -0,0 +1,47 @@
+#use wml::debian::template title="General LDAP Documentation" +

+debian.org uses a single LDAP driven directory for account managment across +all the project run machines. This directory +also provides services for leaving vacation notices, updating +xplanet coordinates, +email forwarding, ssh authentication keys and other information. + +

+Note: master and va do not presently use the LDAP directory. Only lully +uses replicated SSH RSA authentication keys and master does not use the +email forwarding field (but all other machines do) + +

Security and Privacy

+Three levels of information security are provided by the database. The first +is completely public information that anyone can see either by issuing an +LDAP query or by visiting the web site. The next level is "maintainer-only" +information that requires authentication to the directory before it can be +accessed. The final level is admin-only or user-only information; this +information can only be viewed by the user or an administrator. + +

+Maintainer-only information includes precise location information +[postalcode, postal address, lat/long] telephone numbers, and the vacation +message. + +

+Admin-only/user-only information includes email forwarding, ssh keys and +the encrypted password. Note that email forwarding is necessarily publicly +viewable from accounts on the actual machines. + +

+Entries in the directory are keyed to the developers PGP key, whoever has that +key can make any change to the directory through the mail interface. + +

Access

+The directory has several means to access it: + + +

+Lost or forgotten password instructions
diff --git a/web/doc-mail.html b/web/doc-mail.html
new file mode 100644
index 0000000..1730fe6
--- /dev/null
+++ b/web/doc-mail.html
@@ -0,0 +1,139 @@ + + + +Debian GNU/Linux -- LDAP Gateway + + + + + + + + + + + + + + + + + +
+ +Debian Project +
+Home +About Debian +News +Distribution +Support +Developers' Corner +Search +
+

LDAP Gateway

+The LDAP directory has a PGP secured mail gateway that +allows users to safely and conviently effect changes to their entries. It +makes use of PGP signed input messages to positivly identify the user and +to confirm the validity of the request. Furthermore it implements a replay +cache that prevents the gateway from accepting the same message more than +once. +

+There are three functions logically split into 3 sperate email addresses +that are implemented by the gateway: ping, new password and +changes. The function to act on is the first argument to the program. +

+Error handling is currently done by generating a bounce message and passing +descriptive error text to the mailer. This can generate a somewhat hard to +read error message, but it does have all the relevent information. +

Ping

+The ping command simply returns the users public record. It is usefull for +testing the gateway and for the requester to get a basic dump of their +record. In future this address might 'freshen' the record to indicate the +user is alive. Any PGP signed message will produce a reply. +

New Password

+If a user looses their password they can request that a new one be generated +for them. This is done by sending the phrase "Please change my Debian +password" to chpasswd@db.debian.org. The phrase is required to prevent the +daemon from triggering on arbitary signed email. The best way to invoke this +feature is with +
echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+After validating the request the daemon will generate a new random password, +set it in the directory and respond with an ecrpyted message containing the +new password. The password can be changed using one of the other interface +methods. +

Changes

+An address is provided for making almost arbitary changes to the contents of +the record. The daemon parse its input line by line and acts on each line in +a command oriented manner. Anything, except for passwords, can be changed +using this mechanism. Note however that because this is a mail gateway it +does stringent checking on its input. The other tools allow fields to be set +to virtually anything, the gateway requires specific field formats to be met. + +After processing the requests the daemon will generate a report which contains +each input command and the action taken. If there are any parsing errors +processing stops immediately, but valid changes up to that point are +processed. +

Notes

+

+In this document PGP refers to any message or key that GnuPG is +able to generate or parse, specificaly it includes both PGP2.x and OpenPGP +(aka GnuPG) keys. +

+Due to the replay cache the clock on the computer that generates the +signatures has to be accurate to at least one day. If it is off by several +months or more then the deamon will outright reject all messages. +

+Examples are given using GnuPG, but PGP 2.x can also be used. The correct +options to generate a clear signed ascii armored message in 'filter' mode +are pgp -fast which does the same as gpg --clearsign +

+Debian.org machines rely on secured replication to transfer login data out +of the database. Replication is performed at 15 min intervals so it can take +a short while before any changes made take effect. +


+

Back to the Debian Project homepage. +


+You can contact us at admin@db.debian.org.

+Last Modified: Mon, Dec 27 23:38:30 UTC 1999
+Copyright © 1997-1999 SPI; See license terms + +
+ + +
diff --git a/web/doc-mail.wml b/web/doc-mail.wml
new file mode 100644
index 0000000..9f0a7d8
--- /dev/null
+++ b/web/doc-mail.wml
@@ -0,0 +1,111 @@
+#use wml::debian::template title="LDAP Gateway" + +The LDAP directory has a PGP secured mail gateway that +allows users to safely and conviently effect changes to their entries. It +makes use of PGP signed input messages to positivly identify the user and +to confirm the validity of the request. Furthermore it implements a replay +cache that prevents the gateway from accepting the same message more than +once. + +

+There are three functions logically split into 3 sperate email addresses +that are implemented by the gateway: ping, new password and +changes. The function to act on is the first argument to the program. + +

+Error handling is currently done by generating a bounce message and passing +descriptive error text to the mailer. This can generate a somewhat hard to +read error message, but it does have all the relevent information. + +

Ping

+The ping command simply returns the users public record. It is usefull for +testing the gateway and for the requester to get a basic dump of their +record. In future this address might 'freshen' the record to indicate the +user is alive. Any PGP signed message will produce a reply. + +

New Password

+If a user looses their password they can request that a new one be generated +for them. This is done by sending the phrase "Please change my Debian +password" to chpasswd@db.debian.org. The phrase is required to prevent the +daemon from triggering on arbitary signed email. The best way to invoke this +feature is with +
echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+After validating the request the daemon will generate a new random password, +set it in the directory and respond with an ecrpyted message containing the +new password. The password can be changed using one of the other interface +methods. + +

Changes

+An address is provided for making almost arbitary changes to the contents of +the record. The daemon parse its input line by line and acts on each line in +a command oriented manner. Anything, except for passwords, can be changed +using this mechanism. Note however that because this is a mail gateway it +does stringent checking on its input. The other tools allow fields to be set +to virtually anything, the gateway requires specific field formats to be met. + + + +After processing the requests the daemon will generate a report which contains +each input command and the action taken. If there are any parsing errors +processing stops immediately, but valid changes up to that point are +processed. + +

Notes

+

+In this document PGP refers to any message or key that GnuPG is +able to generate or parse, specificaly it includes both PGP2.x and OpenPGP +(aka GnuPG) keys. +

+Due to the replay cache the clock on the computer that generates the +signatures has to be accurate to at least one day. If it is off by several +months or more then the deamon will outright reject all messages. +

+Examples are given using GnuPG, but PGP 2.x can also be used. The correct +options to generate a clear signed ascii armored message in 'filter' mode +are pgp -fast which does the same as gpg --clearsign +

+Debian.org machines rely on secured replication to transfer login data out +of the database. Replication is performed at 15 min intervals so it can take +a short while before any changes made take effect.
diff --git a/web/hostinfo.html b/web/hostinfo.html
index c63b7ea..38fbd02 100644
--- a/web/hostinfo.html
+++ b/web/hostinfo.html
@@ -8,8 +8,8 @@ - - + +
@@ -54,7 +54,7 @@

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Thu, Sep 30 05:36:01 UTC 1999
+Last Modified: Thu, Sep 30 05:38:06 UTC 1999
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/login.html b/web/login.html
index 7e292e4..0f48d67 100644
--- a/web/login.html
+++ b/web/login.html
@@ -8,8 +8,8 @@ - - + +

@@ -52,7 +52,7 @@ You can also access the pages securely
<

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Wed, Nov 24 06:29:30 UTC 1999
+Last Modified: Thu, Nov 25 07:35:32 UTC 1999
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/password.html b/web/password.html
new file mode 100644
index 0000000..3ec383f
--- /dev/null
+++ b/web/password.html
@@ -0,0 +1,71 @@ + + + +Debian GNU/Linux -- Lost or Forgotten password + + + + + + + + + +

+ + + + + + +
+ +Debian Project +
+Home +About Debian +News +Distribution +Support +Developers' Corner +Search +
+

Lost or Forgotten password

+

+If you have lost or forgotten your LDAP password (and by extension, your +machine login password) you can have it reset by sending a PGP signed +message to the mail gateway: +

+echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+echo "Please change my Debian password" | pgp -fast | mail chpasswd@db.debian.org
+
+The daemon will then respond with a new randomized password encrypted +with your key. You can then use the +SSL Web pages to change your +password to something you can remember. You cannot set a new password via the +mail gateway. +

+Alternatively, you can do without a password and use PGP to manipulate your +LDAP information through the mail gateway and use +SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you +need to first generate a private RSA key using ssh-keygen and select +a good password for it. Then send the public portion of the key to the LDAP +directory: +

+gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
+
+You can then use this key to authenticate to the machines. Using ssh-agent +(automatically run by Debian's X configuration) you can use ssh-add to 'cache' +your password once. Note: Very few +machines have the patched SSH required to support this yet. +
+

Back to the Debian Project homepage. +


+You can contact us at admin@db.debian.org.

+Last Modified: Tue, Dec 28 06:19:17 UTC 1999
+Copyright © 1997-1999 SPI; See license terms + +
+ + +
diff --git a/web/password.wml b/web/password.wml
new file mode 100644
index 0000000..efe8da3
--- /dev/null
+++ b/web/password.wml
@@ -0,0 +1,31 @@
+#use wml::debian::template title="Lost or Forgotten password" +

+If you have lost or forgotten your LDAP password (and by extension, your +machine login password) you can have it reset by sending a PGP signed +message to the mail gateway: +

+echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org
+or
+echo "Please change my Debian password" | pgp -fast | mail chpasswd@db.debian.org
+
+The daemon will then respond with a new randomized password encrypted +with your key. You can then use the +SSL Web pages to change your +password to something you can remember. You cannot set a new password via the +mail gateway. + +

+Alternatively, you can do without a password and use PGP to manipulate your +LDAP information through the mail gateway and use +SSH RSA Authentication to access the servers. To setup OpenSSH for RSA you +need to first generate a private RSA key using ssh-keygen and select +a good password for it. Then send the public portion of the key to the LDAP +directory: +

+gpg --clearsign < ~/.ssh/identity.pub | mail change@db.debian.org
+
+You can then use this key to authenticate to the machines. Using ssh-agent +(automatically run by Debian's X configuration) you can use ssh-add to 'cache' +your password once. Note: Very few +machines have the patched SSH required to support this yet. + diff --git a/web/searchform.html b/web/searchform.html index bfa57a1..d40113d 100644 --- a/web/searchform.html +++ b/web/searchform.html @@ -8,8 +8,8 @@ - - + + @@ -311,11 +311,12 @@ settings


Debian development machines

+

Documentation


Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Wed, Nov 24 06:27:39 UTC 1999
+Last Modified: Tue, Dec 28 06:09:33 UTC 1999
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/searchform.wml b/web/searchform.wml
index 3898135..d41a72e 100644
--- a/web/searchform.wml
+++ b/web/searchform.wml
@@ -278,3 +278,5 @@ settings


Debian development machines

+

Documentation

+

Lost or forgotten password instructions

diff --git a/web/searchhelp.html b/web/searchhelp.html
index 981cc57..b06ba5c 100644
--- a/web/searchhelp.html
+++ b/web/searchhelp.html
@@ -8,8 +8,8 @@ - - + +
@@ -49,7 +49,7 @@ message.

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Thu, Sep 23 03:51:58 UTC 1999
+Last Modified: Thu, Sep 23 03:53:03 UTC 1999
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/searchresults.html b/web/searchresults.html
index 0fa299b..b910d64 100644
--- a/web/searchresults.html
+++ b/web/searchresults.html
@@ -8,8 +8,8 @@ - - + +

@@ -67,7 +67,7 @@ searchresults?>

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Sat, Sep 25 01:13:40 UTC 1999
+Last Modified: Sat, Sep 25 01:15:43 UTC 1999
Copyright © 1997-1999 SPI; See license terms
diff --git a/web/update.html b/web/update.html
index 8253953..e27d254 100644
--- a/web/update.html
+++ b/web/update.html
@@ -8,8 +8,8 @@ - - + +

@@ -379,7 +379,7 @@

Back to the Debian Project homepage.


You can contact us at admin@db.debian.org.

-Last Modified: Sat, Sep 25 00:34:38 UTC 1999
+Last Modified: Sat, Sep 25 01:07:50 UTC 1999
Copyright © 1997-1999 SPI; See license terms
-- 2.20.1