/[webwml]/db.debian.org/doc-mail.html
ViewVC logotype

Contents of /db.debian.org/doc-mail.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.5 - (show annotations) (download) (as text)
Wed Mar 12 23:28:18 2003 UTC (10 years, 3 months ago) by rmurray
Branch: MAIN
CVS Tags: HEAD
Changes since 1.4: +0 -0 lines
File MIME type: text/html
FILE REMOVED 
remove autogenerated files
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2 <html lang="en">
3 <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=">
5 <title>Debian GNU/Linux -- LDAP Gateway</title>
6 <link rev="made" href="mailto:webmaster@debian.org">
7 <meta name="Description" content="Debian GNU/Linux is a free distribution of the GNU/Linux operating system. It is maintained and updated through the work of many users who volunteer their time and effort.">
8 <meta name="Keywords" content="debian, GNU, linux, unix, open source, free, DFSG">
9 <meta name="Language" content="">
10 <meta name="Author" content="Debian Webmaster, webmaster@debian.org">
11 <meta name="Generator" content="WML 2.0.8 (30-Oct-2001)">
12 <meta name="Modified" content="2002-07-12 19:23:30">
13 </head>
14 <body text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#800080" alink="#FF0000">
15 <table width="100%" align="center" border="0" cellpadding="3" cellspacing="0" summary="">
16 <tr>
17 <td align="left" valign="middle">
18 <a href="http://www.debian.org/"><img src="http://www.debian.org/logos/openlogo-nd-50.png" border="0" hspace="0" vspace="0" alt=""></a>
19 <a href="http://www.debian.org/"><img src="http://www.debian.org/Pics/debian.jpg" border="0" hspace="0" vspace="0" alt="Debian Project"></a>
20 </td>
21 </tr>
22 </table>
23 <!--UdmComment-->
24 <table bgcolor="#DF0451" border="0" cellpadding="0" cellspacing="0" width="100%" summary="">
25 <tr>
26 <td valign="top">
27 <img src="http://www.debian.org/Pics/red-upperleft.png" align="left" border="0" hspace="0" vspace="0" alt="">
28 </td>
29 <td rowspan="2" align="center">
30 <a href="http://www.debian.org/intro/about"><img src="http://www.debian.org/Pics/about.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="About Debian"></a>
31 <a href="http://www.debian.org/News/"><img src="http://www.debian.org/Pics/news.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="News"></a>
32 <a href="http://www.debian.org/distrib/"><img src="http://www.debian.org/Pics/getting.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Getting Debian"></a>
33 <a href="http://www.debian.org/support"><img src="http://www.debian.org/Pics/support.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Support"></a>
34 <a href="http://www.debian.org/devel/"><img src="http://www.debian.org/Pics/devel.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Developers'&nbsp;Corner"></a>
35 <a href="http://www.debian.org/sitemap"><img src="http://www.debian.org/Pics/sitemap.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Site map"></a>
36 <a href="http://search.debian.org/"><img src="http://www.debian.org/Pics/search.en.gif" align="middle" border="0" hspace="4" vspace="7" alt="Search"></a>
37 </td>
38 <td valign="top">
39 <img src="http://www.debian.org/Pics/red-upperright.png" align="right" border="0" hspace="0" vspace="0" alt="">
40 </td>
41 </tr>
42 <tr>
43 <td valign="bottom">
44 <img src="http://www.debian.org/Pics/red-lowerleft.png" align="left" border="0" hspace="0" vspace="0" alt="">
45 </td>
46 <td valign="bottom">
47 <img src="http://www.debian.org/Pics/red-lowerright.png" align="right" border="0" hspace="0" vspace="0" alt="">
48 </td>
49 </tr>
50 </table>
51 <!--/UdmComment-->
52 <h1>LDAP Gateway</h1>
53 <p>
54 The LDAP directory has a PGP secured mail gateway that
55 allows users to safely and conveniently effect changes to their entries. It
56 makes use of PGP signed input messages to positively identify the user and
57 to confirm the validity of the request. Furthermore it implements a replay
58 cache that prevents the gateway from accepting the same message more than
59 once.
60 <p>
61 There are three functions logically split into 3 seperate email addresses
62 that are implemented by the gateway: <b>ping</b>, <b>new password</b> and
63 <b>changes</b>. The function to act on is the first argument to the program.
64 <p>
65 Error handling is currently done by generating a bounce message and passing
66 descriptive error text to the mailer. This can generate a somewhat hard to
67 read error message, but it does have all the relevent information.
68 <h1>Ping</h1>
69 The ping command simply returns the users public record. It is useful for
70 testing the gateway and for the requester to get a basic dump of their
71 record. In future this address might 'freshen' the record to indicate the
72 user is alive. Any PGP signed message will produce a reply.
73 <h1>New Password</h1>
74 If a user looses their password they can request that a new one be generated
75 for them. This is done by sending the phrase "Please change my Debian
76 password" to chpasswd@db.debian.org. The phrase is required to prevent the
77 daemon from triggering on arbitary signed email. The best way to invoke this
78 feature is with
79 <pre>echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org</pre>
80 After validating the request the daemon will generate a new random password,
81 set it in the directory and respond with an encrpyted message containing the
82 new password. The password can be changed using one of the other interface
83 methods.
84 <h1>Changes</h1>
85 An address (changes@db.debian.org) is provided for making almost arbitary
86 changes to the contents of the record. The daemon parses its input line by
87 line and acts on each line in a command oriented manner. Anything, except for
88 passwords, can be changed using this mechanism. Note however that because
89 this is a mail gateway it does stringent checking on its input. The other
90 tools allow fields to be set to virtually anything, the gateway requires
91 specific field formats to be met.
92 <ul>
93 <li>A line of the form <tt>'field: value'</tt> will change the contents of
94 the field to value. Some simple checks are performed on value to make sure
95 that it is not set to nonsense. The values that can be changed are:
96 <b>c</b>, <b>l</b>, <b>facsimiletelephonenumber</b>, <b>telephonenumber</b>,
97 <b>postaladdress</b>, <b>postalcode</b>,
98 <b>loginshell</b>, <b>emailforward</b>, <b>ircnick</b>, <b>onvacation</b>,
99 and <b>labledurl</b>
100 <li>The daemon has a special parser to help changing latitude and longitude
101 values. It accepts several common formats for position information and
102 converts them to one of the standard forms. The permitted types are
103 <pre>D = Degrees, M = Minutes, S = Seconds, x = n,s,e,w
104 +-DDD.DDDDD, +- DDDMM.MMMM, +-DDDMMSS.SSSS [standard forms]
105 DDxMM.MMMM, DD:MM.MMMM x, DD:MM:SS.SSS X)</pre>
106 and the request format is <tt>'Lat: xxx Long: xxx'</tt> where <tt>xxx</tt>
107 is one of the permitted types. The resulting response will include how the
108 input was parsed and the value in decimal degrees.
109 <li>
110 Part of the replicated dataset is a virtual .ssh/authorized_keys file for
111 each user. The change address is the simplest way to set the RSA key(s) you
112 intend to use. Simply place a key on a line by itself, the full SSH key
113 format specification is supported, see sshd(8). Probably the most common way
114 to use this function will be
115 <pre>cat .ssh/identity.pub | gpg --clearsign | mail change@db.debian.org</pre>
116 which will set the authentication key to the identity you are using.
117 Multiple keys per user are supported, but they must all be sent at once.
118 <li>Debian.net DNS Zone Entry. The only way to get a debian.net address is
119 to use the mail gateway. It
120 will verify the request and prevent name collisions automatically. Requests
121 can take two forms: <tt>'foo in a 1.2.3.4'</tt> or <tt>'foo in cname
122 foo.bar.'</tt> The precise form is critical and must not be deviated from.
123 Like the SSH function above, multiple hosts are supported, but they must all
124 be sent at once. The debian.net zone is only reloaded once per day at
125 midnight -0700.
126 <li>If the single word <b>show</b> appears on a line then a PGP encrypted version
127 of the entire record will be attached to the resulting email.
128 </ul>
129 After processing the requests the daemon will generate a report which contains
130 each input command and the action taken. If there are any parsing errors
131 processing stops immediately, but valid changes up to that point are
132 processed.
133 <h2>Notes</h2>
134 <p>
135 In this document PGP refers to any message or key that GnuPG is
136 able to generate or parse, specificaly it includes both PGP2.x and OpenPGP
137 (aka GnuPG) keys.
138 <p>
139 Due to the replay cache the clock on the computer that generates the
140 signatures has to be accurate to at least one day. If it is off by several
141 months or more then the deamon will outright reject all messages.
142 <p>
143 Examples are given using GnuPG, but PGP 2.x can also be used. The correct
144 options to generate a clear signed ascii armored message in 'filter' mode
145 are <tt>pgp -fast</tt> which does the same as <tt>gpg --clearsign</tt>
146 <p>
147 Debian.org machines rely on secured replication to transfer login data out
148 of the database. Replication is performed at 15 min intervals so it can take
149 a short while before any changes made take effect.
150 <hr noshade width="100%" size="1">
151 Back to the <a href="http://www.debian.org/">Debian Project homepage</a>.
152 <hr noshade width="100%" size="1">
153 <small>
154 You can contact us at
155 <a href="mailto:admin@db.debian.org">admin@db.debian.org</a>.
156 </small>
157 <p>
158 <small>
159 Last Modified: Fri, Jul 12 17:23:30 UTC 2002
160 <br>
161 Copyright &copy; 1997-2002
162 <a href="http://www.spi-inc.org/">SPI</a>; See <a href="http://www.debian.org/license">license terms</a>
163 </small>
164 </body>
165 </html>
  ViewVC Help
Powered by ViewVC 1.1.5