... | ... | @@ -447,6 +447,83 @@ More specifically, this is what happens: |
|
|
|
|
|
TODO: walk through ud-generate. more explicitely.
|
|
|
|
|
|
### LDAP fields
|
|
|
|
|
|
| User field | Meaning |
|
|
|
| ---------- | ------- |
|
|
|
| `uid` | User identifier, the user's *name* |
|
|
|
| `uidNumber` | Numeric user identifier, the UNIX UID, not to be confused with the above |
|
|
|
| `gidNumber` | Primary numeric group identifier, the UNIX GID |
|
|
|
| `supplementaryGid` | Extra groups GIDs the user is a member of |
|
|
|
| `gecos` | GECOS metadata field |
|
|
|
| `loginShell` | UNIX login shell, grants user shell access, depending on gidNumber |
|
|
|
| `userPassword` | LDAP password field, stripped of the `{CRYPT}` prefix to be turned into a UNIX password if relevant |
|
|
|
| `shadowExpire` | Account expiry (in days?) |
|
|
|
| `shadowLastChange` | Last change date (epoch seconds?) |
|
|
|
| `shadowMin` | ? |
|
|
|
| `shadowMax` | ? |
|
|
|
| `shadowWarning` | ? |
|
|
|
| `shadowInactive` | ? |
|
|
|
| `sudoPassword` | `sudo` passwords on different hosts |
|
|
|
| `sshRSAAuthKey` | SSH public keys |
|
|
|
| `emailForward` | address to forward email to |
|
|
|
| `mailDisableMessage` | message to bounce messages with to disable an email account |
|
|
|
|
|
|
[cdbmake(1)]: https://manpages.debian.org/cdbmake.1
|
|
|
## sudoPassword field format
|
|
|
|
|
|
TODO
|
|
|
|
|
|
## sshRSAAuthKey field format
|
|
|
|
|
|
TODO
|
|
|
|
|
|
### Files managed by ud-generate
|
|
|
|
|
|
| Path | Function | Fields used |
|
|
|
| ---- | | -------- |
|
|
|
| all-accounts.json | JSON list of users | `uid`, `uidNumber`, `userPassword`, `shadowExpire` |
|
|
|
| passwd.tbd | `passwd` file template, if `loginShell` is set | `uid`, `uidNumber`, `gidNumber`, `gecos`, `loginShell` |
|
|
|
| shadow.tdb | `shadow` file template | `uid`, `uidNumber`, `userPassword`, `shadowExpire`, `shadowLastChange`, `shadowMin`, `shadowMax`, `shadowWarning`, `shadowInactive` |
|
|
|
| sudo-passwd | `shadow` file for `sudo` | `uid`, `sudoPassword` |
|
|
|
| ssh-gitolite | `authorized_keys` file for `gitolite`, if `GITOLITE` is in `exportOptiosn` | `uid`, `sshRSAAuthKey` |
|
|
|
| web-passwords | secondary password database for web apps (user:pass) | `uid`, `webPassword` |
|
|
|
| rtc-passwords | secondary password for RTC calls | `uid`, `rtcPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) |
|
|
|
| users.oath | TOTP authentication | `uid`, `totpSeed`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| ssh-keys-$HOST.tar.gz | SSH host keys | ? |
|
|
|
| group.tdb | `group` file template, with only the group that have access to that host | `uid`, `gidNumber`, `supplementaryGid` |
|
|
|
| forward.alias | .forward compatibilty, unused? | `uid`, `emailForward` |
|
|
|
| mail-forward.cdb | .forward "CDB" database, see [cdbmake(1)][] | `uid`, `emailForward` |
|
|
|
| mail-forward.db | .forward Oracle Berkeley DB "DBM" database | `uid`, `emailForward` |
|
|
|
| markers | xearth geolocation markers | `latitude`, `longitude` |
|
|
|
| debian-private | debian-private mailing list subscription | `privateSub`, `userPassword` (skips inactive) , `supplementaryGid` (skips guests) |
|
|
|
| disabled-accounts | list of disabled accounts | `uid`, `userPassword` (*includes* inactive) |
|
|
|
| mail-disable | disabled email messages | `uid`, `mailDisableMessage` |
|
|
|
| mail-greylist | greylist the account or not | mailGreylisting |
|
|
|
| mail-callout | ? | mailCallout |
|
|
|
| mail-rbl | ? | mailRBL |
|
|
|
| mail-rhsbl | ? | mailRHSBL |
|
|
|
| mail-whitelist | ? | mailWhitelist |
|
|
|
| dns-zone | user-managed DNS entries (e.g. debian.net) | `dnsZoneEntry` |
|
|
|
| dns-sshfp | per-host DNS entries (e.g. debian.org) | see below |
|
|
|
| ssh_known_host | | |
|
|
|
| debianhosts | | |
|
|
|
| mail-contentinspectionaction.cdb | | |
|
|
|
| mail-contentinspectionaction.db | | |
|
|
|
| authorized_keys | | |
|
|
|
| | | |
|
|
|
File "templates" are like their regular "non-template" counterparts,
|
|
|
except they have a prefix that corresponds to:
|
|
|
|
|
|
1. an incremental index, prefixed by zero (e.g. 01, 02, 03,
|
|
|
... 010...)
|
|
|
2. the `uid` field (the username), prefixed by a dot (e.g. `.anarcat`)
|
|
|
3. the `uidNumber` field (the UNIX UID), prefixed by an equal sign
|
|
|
(e.g. `=1092`)
|
|
|
|
|
|
Those are the fields for the `passwd` file. The `shadow` file has only
|
|
|
prefixes 1 and 2.
|
|
|
|
|
|
### DNS zone file management
|
|
|
|
|
|
One of the configuration files `ud-generate` generates are,
|
... | ... | |
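Review bot: the delimiter row of the "Files managed by ud-generate" table is broken, `| ---- | | -------- |`, and most Markdown renderers will not render a table whose delimiter row has an empty cell; make it `| ---- | -------- | ----------- |`. In the same table the first template is spelled `passwd.tbd` while the others are `shadow.tdb` and `group.tdb`, which looks like a transposition, and `exportOptiosn` in the ssh-gitolite row should read `exportOptions`. The "Fields used" column switches from backticked names to bare `mailGreylisting`, `mailCallout`, `mailRBL`, `mailRHSBL`, `mailWhitelist`; either quote them like the rest or drop the quoting throughout. The five trailing rows (`ssh_known_host`, `debianhosts`, `mail-contentinspectionaction.cdb`, `mail-contentinspectionaction.db`, `authorized_keys`) have empty Function and Fields cells and the last row is entirely empty; fill them in or mark them TODO like the two `field format` sections so a reader can tell unfinished from intentionally blank. Smaller wording fixes: `explicitely` in the TODO, `compatibilty` in the forward.alias row, and "only the group that have access" should be "only the groups that have access". On substance, the tables now make it explicit that several outputs carry credential material (`userPassword` with the `{CRYPT}` prefix stripped, `sudoPassword`, `webPassword`, `rtcPassword`, `totpSeed`, `privateSub`), but nothing here says which hosts each of those files is generated for or whether the per-host filtering noted for group.tdb also applies to them; a sentence on that, where the TODO for walking through ud-generate is filled in, would answer the question a reviewer of this page will ask first. The shadow rows still end in question marks (`shadowExpire` "in days?", `shadowLastChange` "epoch seconds?", `shadowMin` through `shadowInactive` "?"); since these map onto the same-named fields of the `shadow` file written from them, resolving them against `shadow(5)` and citing it, as the table already does for `cdbmake(1)`, would close those gaps.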