... | ... | @@ -225,13 +225,50 @@ modify an existing user or add a new one): |
ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"
This will list all known hosts in LDAP:
This dump all known hosts in LDAP:
ldapsearch -ZZ -vLxW -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=hosts,dc=torproject,dc=org" '(objectclass=*)' | grep ^dn:
ldapsearch -ZZ -Lx -h db.torproject.org -b "ou=hosts,dc=torproject,dc=org"
Note that this will only work on the LDAP host itself or on
whitelisted hosts which are few right now. This is mostly documented
for TPA members.
whitelisted hosts which are few right now. Also note that this uses an
"anonymous" connection, which means that some (secret) fields might
not show up. For hosts, that's fine, but if you search for users, you
will need to use authentication. This, for example, will dump all
users with an SSH key:
ldapsearch -ZZ -LxW -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(sshRSAAuthKey=*)'
Note how we added a search filter (`(sshRSAAuthKey=*)`) here. We could
also have parsed the output in a script or bash, but this can actually
be much simpler. Also note that the previous searches dump the entire
objects. Sometimes it might be useful to only *list* the object
handles or certain fields. For example, this will list all hosts
`rebootPolicy` attribute:
ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(objectClass=*)' 'rebootPolicy'
This will list all servers with a manual reboot policy:
ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(rebootPolicy=manual)' ''
Note here the empty (`''`) attribute list.
To list hosts that do *not* have a reboot policy, you need a boolean modifier:
ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(!(rebootPolicy=manual))' ''
Such filters can be stacked to do complex searches. For example, this
filter lists all active accounts:
ldapsearch -ZZ -vLxW -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(&(!(|(objectclass=debianRoleAccount)(objectClass=debianGroup)(objectClass=simpleSecurityObject)(shadowExpire=1)))(objectClass=debianAccount))'
This lists users with access to Gitolite:
((allowedGroups=git-tor)|(exportOptions=GITOLITE))
... inactive users:
(&(shadowExpire=1)(objectClass=debianAccount))
## Modifying the schema
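Review bot: the Gitolite filter `((allowedGroups=git-tor)|(exportOptions=GITOLITE))` is not valid LDAP filter syntax: RFC 4515 filters are prefix notation with the operator first, so it should read `(|(allowedGroups=git-tor)(exportOptions=GITOLITE))`; it is also the only filter in the hunk not shown inside a complete ldapsearch command, so readers cannot copy it the way they can the others. Related: the sentence "To list hosts that do *not* have a reboot policy" is followed by `'(!(rebootPolicy=manual))'`, which matches every host whose policy is anything other than `manual` as well as hosts with no `rebootPolicy` at all; if the intent is hosts lacking the attribute, the filter is `'(!(rebootPolicy=*))'`, otherwise the sentence should say "not a manual reboot policy". The empty attribute list `''` used to get DNs only works because the server ignores the unrecognised attribute description; `1.1` is the selector RFC 4511 (section 4.5.1.8) defines for "no attributes" and is the portable spelling. Minor: "This dump all known hosts in LDAP" should be "This dumps", and "this will list all hosts `rebootPolicy` attribute" needs the possessive "all hosts'".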