... | ... | @@ -431,7 +431,7 @@ TODO: LDAP diagram missing ud-mailgate and eugeni |
|
|
|
|
|
![LDAP architecture diagram](ldap/graph.svg)
|
|
|
|
|
|
### Configuration file creation and distribution
|
|
|
### Configuration file distribution
|
|
|
|
|
|
An important part of `ud-ldap` is the `ud-generate` command, which
|
|
|
generates configuration files for each host. Then the `ud-replicate`
|
... | ... | @@ -442,18 +442,121 @@ former hardcoded to 15 minutes. |
|
|
More specifically, this is what happens:
|
|
|
|
|
|
1. on the LDAP server (currently `alberti`), `ud-generate` writes
|
|
|
various files to `/var/cache/userdir-ldap/hosts/`, one directory
|
|
|
per host
|
|
|
various files (detailed below) in one directory per host
|
|
|
|
|
|
2. on all hosts, `ud-replicate` `rsync`'s that host's directory from
|
|
|
the LDAP server (as the `sshdist` user) to
|
|
|
`/var/lib/misc/$HOSTNAME` and a symlink ensures
|
|
|
`/var/lib/misc/thishost` points to that directory
|
|
|
the LDAP server (as the `sshdist` user)
|
|
|
|
|
|
TODO: walk through ud-generate. more explicitely.
|
|
|
`ud-generate` will write files only if the LDAP database or keyring
|
|
|
changed since last time, or at most every 24 hours, based on the
|
|
|
timestamp (`last_update.trace`). The `--force` option can be used to
|
|
|
bypass those checks.
|
|
|
|
|
|
### Files managed by ud-generate
|
|
|
|
|
|
This is a (hopefully) exhaustive list of files generated by
|
|
|
`ud-generate` as part of userdir-ldap 0.3.97 ("UNRELEASED"). This
|
|
|
might have changed since this was documented, on 2020-10-07.
|
|
|
|
|
|
All files are written in the `/var/cache/userdir-ldap/hosts/`, with
|
|
|
one subdirectory per host. This is where `ud-replicate` finds its
|
|
|
files. For example, for a host named `example.torproject.org`,
|
|
|
`ud-generate` will write the files in
|
|
|
`/var/cache/userdir-ldap/hosts/example.torproject.org/` and
|
|
|
`ud-replicate` will synchronize that directory, on
|
|
|
`example.torproject.org`, in the
|
|
|
`/var/lib/misc/example.torproject.org/` directory. The
|
|
|
`/var/lib/misc/thishost` symlink will also point to that directory.
|
|
|
|
|
|
| Path | Function | Fields used |
|
|
|
|------------------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
|
|
|
| `all-accounts.json` | JSON list of users | `uid`, `uidNumber`, `userPassword`, `shadowExpire` |
|
|
|
| `authorized_keys` | `authorized_keys` file for `ssh_dist`, if `AUTHKEYS` in `exportOptions` | `ipHostNumber`, `sshRSAHostKey`, `purpose`, `sshdistAuthKeysHost` |
|
|
|
| `bsmtp` | ? | ? |
|
|
|
| `debian-private` | debian-private mailing list subscription | `privateSub`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| `debianhosts` | list of all IP addresses, unused | `hostname`, `ipHostNumber` |
|
|
|
| `disabled-accounts` | list of disabled accounts | `uid`, `userPassword` (*includes* inactive) |
|
|
|
| `dns-sshfp` | per-host DNS entries (e.g. debian.org), if `DNS` in `exportOptions` | see below |
|
|
|
| `dns-zone` | user-managed DNS entries (e.g. debian.net), if `DNS` in `exportOptions` | `dnsZoneEntry` |
|
|
|
| `forward.alias` | .forward compatibilty, unused? | `uid`, `emailForward` |
|
|
|
| `group.tdb` | `group` file template, with only the group that have access to that host | `uid`, `gidNumber`, `supplementaryGid` |
|
|
|
| `last_update.trace` | timestamps of last change to LDAP, keyring and last `ud-generate` run | N/A |
|
|
|
| `mail-callout` | ? | mailCallout |
|
|
|
| `mail-contentinspectionaction.cdb` | | |
|
|
|
| `mail-contentinspectionaction.db` | | |
|
|
|
| `mail-disable` | disabled email messages | `uid`, `mailDisableMessage` |
|
|
|
| `mail-forward.cdb` | .forward "CDB" database, see [cdbmake(1)][] | `uid`, `emailForward` |
|
|
|
| `mail-forward.db` | .forward Oracle Berkeley DB "DBM" database | `uid`, `emailForward` |
|
|
|
| `mail-greylist` | greylist the account or not | mailGreylisting |
|
|
|
| `mail-rbl` | ? | mailRBL |
|
|
|
| `mail-rhsbl` | ? | mailRHSBL |
|
|
|
| `mail-whitelist` | ? | mailWhitelist |
|
|
|
| `markers` | xearth geolocation markers, unless `NOMARKERS` in `extraOptions` | `latitude`, `longitude` |
|
|
|
| `passwd.tbd` | `passwd` file template, if `loginShell` is set and user has access | `uid`, `uidNumber`, `gidNumber`, `gecos`, `loginShell` |
|
|
|
| `rtc-passwords` | secondary password for RTC calls | `uid`, `rtcPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) |
|
|
|
| `shadow.tdb` | `shadow` file template, same as `passwd.tdb`, if `NOPASSWD` not in `extraOptions` | `uid`, `uidNumber`, `userPassword`, `shadowExpire`, `shadowLastChange`, `shadowMin`, `shadowMax`, `shadowWarning`, `shadowInactive` |
|
|
|
| `ssh-gitolite` | `authorized_keys` file for `gitolite`, if `GITOLITE` in `exportOptions` | `uid`, `sshRSAAuthKey` |
|
|
|
| `ssh-keys-$HOST.tar.gz` | SSH *user* keys, as a tar archive | `uid`, `allowed_hosts` |
|
|
|
| `ssh_known_host` | SSH host keys | `hostname`, `sshRSAHostKey`, `ipHostNumber` |
|
|
|
| `sudo-passwd` | `shadow` file for `sudo` | `uid`, `sudoPassword` |
|
|
|
| `users.oath` | TOTP authentication | `uid`, `totpSeed`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| `web-passwords` | secondary password database for web apps (user:pass) | `uid`, `webPassword` |
|
|
|
|
|
|
#### `makedb` template files
|
|
|
|
|
|
Files labeled with `template` are inputs for the [makedb(1)][]
|
|
|
command. They are like their regular "non-template" counterparts,
|
|
|
except they have a prefix that corresponds to:
|
|
|
|
|
|
1. an incremental index, prefixed by zero (e.g. 01, 02, 03,
|
|
|
... 010...)
|
|
|
2. the `uid` field (the username), prefixed by a dot (e.g. `.anarcat`)
|
|
|
3. the `uidNumber` field (the UNIX UID), prefixed by an equal sign
|
|
|
(e.g. `=1092`)
|
|
|
|
|
|
Those are the fields for the `passwd` file. The `shadow` file has only
|
|
|
prefixes 1 and 2. This file format is used to create the databases in
|
|
|
`/var/lib/misc/` which are fed into the NSS database with the
|
|
|
[libnss-db](https://tracker.debian.org/pkg/libnss-db) package. The database files get generated by
|
|
|
[makedb(1)][] from the templates above. It is what allows the `passwd`
|
|
|
file in `/etc/passwd` to remain untouched while still allowing ud-ldap
|
|
|
to manage extra users.
|
|
|
|
|
|
[makedb(1)]: https://manpages.debian.org/makedb.1
|
|
|
|
|
|
#### self-configuration: sshdist `authorized_keys`
|
|
|
|
|
|
The `authorized_keys` file gets shipped if `AUTHKEYS` is set in
|
|
|
`extraOptions`. This is typically set on the LDAP server (currently
|
|
|
`alberti`), so that all servers can login to the server (as the
|
|
|
`sshdist` user) and synchronise their configuration with
|
|
|
`ud-replicate`.
|
|
|
|
|
|
TODO: trace this to ud-replicate a little further.
|
|
|
|
|
|
### SSH access controls
|
|
|
|
|
|
A user gets granted access if it is part of a group that has been
|
|
|
granted access on the host with the `allowedGroups` field. An
|
|
|
additional group has access to *all* host, defined as
|
|
|
`allowedgroupspreload` (currently `adm`) in
|
|
|
`/etc/userdir-ldap/userdir-ldap.conf` on the LDAP server (currently
|
|
|
`alberti`).
|
|
|
|
|
|
Also note the `NOPASSWD` value for `exportOptions`: if set, it marks
|
|
|
the host as not allowing passwords so the `shadow` database is not
|
|
|
shipped which makes it impossible to login to the host with a
|
|
|
password. In practice this has no effect since password-based
|
|
|
authentication is disabled at the SSH server level, however.
|
|
|
|
|
|
### LDAP user fields
|
|
|
|
|
|
Those are the fields in the `user` LDAP object as of userdir-ldap
|
|
|
0.3.97 ("UNRELEASED"). This might have changed since this was
|
|
|
documented, on 2020-10-07. Some of those fields, but not all, can be
|
|
|
modified or deleted by the user through the email interface
|
|
|
(`ud-mailgate`).
|
|
|
|
|
|
| User field | Meaning |
|
|
|
| ---------- | ------- |
|
|
|
| `cn` | "common name" AKA "last name" |
|
... | ... | @@ -526,9 +629,13 @@ skip keys that have other options. |
|
|
|
|
|
[authorized_keys(5)]: https://manpages.debian.org/authorized_keys.5
|
|
|
|
|
|
|
|
|
### LDAP host fields
|
|
|
|
|
|
Those are the fields in the `user` LDAP object as of userdir-ldap
|
|
|
0.3.97 ("UNRELEASED"). This might have changed since this was
|
|
|
documented, on 2020-10-07. Those fields are usually edited by hand by
|
|
|
an LDAP admin using `ldapvi`.
|
|
|
|
|
|
| Group field | Meaning |
|
|
|
|-----------------|--------------------------------------------------------------|
|
|
|
| `description` | free-form text field description |
|
... | ... | @@ -545,9 +652,13 @@ skip keys that have other options. |
|
|
| `sshRSAHostKey` | SSH server public key, multiple values |
|
|
|
| `rebootPolicy` | how to reboot this server: `manual`, `justdoit`, `rotation`) |
|
|
|
|
|
|
#### `rebootPolicy` field values
|
|
|
|
|
|
The `rebootPolicy` is documented in the [upgrade
|
|
|
procedures](upgrades).
|
|
|
|
|
|
#### `purpose` field values
|
|
|
|
|
|
The `purpose` field is special in that it supports a crude markup
|
|
|
language which can be used to create links in the web interface, but
|
|
|
is also used to generate SSH `known_hosts` files. To quote the
|
... | ... | @@ -563,7 +674,11 @@ ud-generate source code: |
|
|
Otherwise the `description` and `purpose` fields are fairly similar
|
|
|
and often contain the same value.
|
|
|
|
|
|
#### exportOptions values
|
|
|
#### `exportOptions` field values
|
|
|
|
|
|
The `exportOptions` field warrants a more detailed explanation. Its
|
|
|
value determines which files are created by `ud-generate` for a given
|
|
|
host. It can either enable or inhibit the creation of certain files.
|
|
|
|
|
|
* `AUTHKEYS`: ship the `authorized_keys` file for `sshdist`,
|
|
|
typically on the LDAP server for `ud-replicate` to connect to it
|
... | ... | @@ -590,78 +705,8 @@ and often contain the same value. |
|
|
* `WEB-PASSWORDS`: ship the `web-passwords` file
|
|
|
|
|
|
Of those parameters, only `AUTHKEYS`, `DNS` and `GITOLITE` are used at
|
|
|
TPO.
|
|
|
|
|
|
### Files managed by ud-generate
|
|
|
|
|
|
| Path | Function | Fields used |
|
|
|
|------------------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
|
|
|
| `all-accounts.json` | JSON list of users | `uid`, `uidNumber`, `userPassword`, `shadowExpire` |
|
|
|
| `authorized_keys` | `authorized_keys` file for `ssh_dist`, if `AUTHKEYS` in `exportOptions` | `ipHostNumber`, `sshRSAHostKey`, `purpose`, `sshdistAuthKeysHost` |
|
|
|
| `bsmtp` | ? | ? |
|
|
|
| `debian-private` | debian-private mailing list subscription | `privateSub`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| `debianhosts` | list of all IP addresses, unused | `hostname`, `ipHostNumber` |
|
|
|
| `disabled-accounts` | list of disabled accounts | `uid`, `userPassword` (*includes* inactive) |
|
|
|
| `dns-sshfp` | per-host DNS entries (e.g. debian.org), if `DNS` in `exportOptions` | see below |
|
|
|
| `dns-zone` | user-managed DNS entries (e.g. debian.net), if `DNS` in `exportOptions` | `dnsZoneEntry` |
|
|
|
| `forward.alias` | .forward compatibilty, unused? | `uid`, `emailForward` |
|
|
|
| `group.tdb` | `group` file template, with only the group that have access to that host | `uid`, `gidNumber`, `supplementaryGid` |
|
|
|
| `last_update.trace` | timestamp | N/A |
|
|
|
| `mail-callout` | ? | mailCallout |
|
|
|
| `mail-contentinspectionaction.cdb` | | |
|
|
|
| `mail-contentinspectionaction.db` | | |
|
|
|
| `mail-disable` | disabled email messages | `uid`, `mailDisableMessage` |
|
|
|
| `mail-forward.cdb` | .forward "CDB" database, see [cdbmake(1)][] | `uid`, `emailForward` |
|
|
|
| `mail-forward.db` | .forward Oracle Berkeley DB "DBM" database | `uid`, `emailForward` |
|
|
|
| `mail-greylist` | greylist the account or not | mailGreylisting |
|
|
|
| `mail-rbl` | ? | mailRBL |
|
|
|
| `mail-rhsbl` | ? | mailRHSBL |
|
|
|
| `mail-whitelist` | ? | mailWhitelist |
|
|
|
| `markers` | xearth geolocation markers, unless `NOMARKERS` in `extraOptions` | `latitude`, `longitude` |
|
|
|
| `passwd.tbd` | `passwd` file template, if `loginShell` is set and user has access | `uid`, `uidNumber`, `gidNumber`, `gecos`, `loginShell` |
|
|
|
| `rtc-passwords` | secondary password for RTC calls | `uid`, `rtcPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) |
|
|
|
| `shadow.tdb` | `shadow` file template, same as `passwd.tdb`, if `NOPASSWD` not in `extraOptions` | `uid`, `uidNumber`, `userPassword`, `shadowExpire`, `shadowLastChange`, `shadowMin`, `shadowMax`, `shadowWarning`, `shadowInactive` |
|
|
|
| `ssh-gitolite` | `authorized_keys` file for `gitolite`, if `GITOLITE` in `exportOptions` | `uid`, `sshRSAAuthKey` |
|
|
|
| `ssh-keys-$HOST.tar.gz` | SSH *user* keys, as a tar archive | `uid`, `allowed_hosts` |
|
|
|
| `ssh_known_host` | SSH host keys | `hostname`, `sshRSAHostKey`, `ipHostNumber` |
|
|
|
| `sudo-passwd` | `shadow` file for `sudo` | `uid`, `sudoPassword` |
|
|
|
| `users.oath` | TOTP authentication | `uid`, `totpSeed`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| `web-passwords` | secondary password database for web apps (user:pass) | `uid`, `webPassword` |
|
|
|
|
|
|
File "templates" are like their regular "non-template" counterparts,
|
|
|
except they have a prefix that corresponds to:
|
|
|
|
|
|
1. an incremental index, prefixed by zero (e.g. 01, 02, 03,
|
|
|
... 010...)
|
|
|
2. the `uid` field (the username), prefixed by a dot (e.g. `.anarcat`)
|
|
|
3. the `uidNumber` field (the UNIX UID), prefixed by an equal sign
|
|
|
(e.g. `=1092`)
|
|
|
|
|
|
Those are the fields for the `passwd` file. The `shadow` file has only
|
|
|
prefixes 1 and 2. Note that this file format is used to create the
|
|
|
databases in `/var/lib/misc/` which are fed into the NSS database with
|
|
|
the [libnss-db](https://tracker.debian.org/pkg/libnss-db) package. The database files get generated by
|
|
|
[makedb(1)][] from the templates above. It is what allows the `passwd`
|
|
|
file in `/etc/passwd` to remain untouched while still allowing ud-ldap
|
|
|
to manage extra users.
|
|
|
|
|
|
[makedb(1)]: https://manpages.debian.org/makedb.1
|
|
|
|
|
|
The `authorized_keys` file gets shipped if `AUTHKEYS` is set in
|
|
|
`extraOptions`. This is typically set on the LDAP server (currently
|
|
|
`alberti`), so that all servers can login to the server (as the
|
|
|
`sshdist` user) and synchronise their configuration with
|
|
|
`ud-replicate`. TODO: trace this to ud-replicate a little further,
|
|
|
make a separate section?
|
|
|
|
|
|
A user gets granted access if it is part of a group that has been
|
|
|
granted access on the host with the `allowedGroups` field. An
|
|
|
additional group has access to *all* host, defined as
|
|
|
`allowedgroupspreload` (currently `adm`) in
|
|
|
`/etc/userdir-ldap/userdir-ldap.conf` on the LDAP server (currently
|
|
|
`alberti`).
|
|
|
|
|
|
TODO: cleanup this section.
|
|
|
TPO, for, respectively, the LDAP server, DNS servers, and the git
|
|
|
server.
|
|
|
|
|
|
### Email gateway
|
|
|
|
... | ... | |