@@ -358,9 +358,12 @@ host pulls those configuration files with `ud-replicate`.
TODO: expand? mailgate maybe?
TODO: diagram?
### Configuration file creation
An important part of `ud-ldap` is the `ud-generate`
An important part of `ud-ldap` is the `ud-generate` command, which
generates configuration files for each host.
### DNS zone file management
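Review bot: the expanded sentence in `### Configuration file creation` (`An important part of ... command, which generates configuration files for each host.`) still leaves `ud-generate` undocumented beyond its name. The hunk context says hosts pull those files with `ud-replicate`, and the tools table in the next hunk calls `ud-generate` the "critical code path, generates all configuration files", so this paragraph should at least say what it emits (which files, for which hosts, and where on the LDAP host they are written) so the generate/replicate pipeline reads end to end. The two `TODO:` lines (`TODO: expand? mailgate maybe?` and `TODO: diagram?`) are being committed as page content; either resolve them here or park them in the tracking issue referenced in the next hunk (<https://gitlab.torproject.org/tpo/tpa/team/-/issues/33766>).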
@@ -405,48 +408,79 @@ See also: <https://gitlab.torproject.org/tpo/tpa/team/-/issues/33766>
TODO: document those tools.
* `ud-arbimport`: Python script, ASCII text executable
* `ud-config`: Python script, ASCII text executable
* `ud-echelon`: Python script, ASCII text executable
* `ud-fingerserv`: Perl script text executable
* `ud-fingerserv2.c`: C source, ASCII text
* `ud-forwardlist`: Python script, ASCII text executable
* `ud-generate`: Python script, ASCII text executable
* `ud-gpgimport`: Python, seems unused? "Key Ring Syncronization
utility", it "maintains the key fingerprint to user ID mapping in
the directory. It takes as input a set of keyrings that represent
all keys belonging to all users in the directory. It then reads
each key and attempts to match it up to a user already in the
directory."
* `ud-gpgsigfetch`: Python script, ASCII text executable
* `ud-groupadd`: Python script, ASCII text executable
* `ud-guest-extend`: Python script, ASCII text executable
* `ud-guest-upgrade`: Python script, ASCII text executable
* `ud-homecheck`: Python script, ASCII text executable
* `ud-host`: Python script, ASCII text executable
* `ud-info`: Python script, ASCII text executable
* `ud-krb-reset`: Perl script text executable
* `UDLdap.py`: Python script, ASCII text executable
* `ud-ldapshow`: Python script, ASCII text executable
* `ud-lock`: Python script, ASCII text executable
* `ud-mailgate`: Python script, ASCII text executable
* `ud-passchk`: Python script, ASCII text executable
* `ud-replicate`: Bourne-Again shell script, ASCII text executable
* `ud-replicated`: Python script, ASCII text executable
* `ud-roleadd`: Python script, ASCII text executable
* `ud-sshlist`: Python script, ASCII text executable
* `ud-sync-accounts-to-afs`: Python script, ASCII text executable
* `ud-useradd`: Python script, ASCII text executable
* `ud-userimport`: Python script, ASCII text executable
* `ud-xearth`: Python script, ASCII text executable
* `ud-zoneupdate`: POSIX shell script, ASCII text executable
* `userdir_exceptions.py`: Python script, UTF-8 Unicode text executable
* `userdir_gpg.py`: Python script, ASCII text executable
* `userdir-ldap.conf`: Objective-C source, ASCII text
* `userdir_ldap.pth`: ASCII text
* `userdir_ldap.py`: Python script, ASCII text executable
* `userdir-ldap.schema`: ASCII text
* `userdir-ldap-slapd.conf.in`: ASCII text, with very long lines
| tool | lang | ud? | description |
| ---- | ------ | | ----------- |
| `ud-arbimport` | Python | | possible example of direct LDAP (write) access from Python |
| `ud-config` | Python | | prints config from `userdir-ldap.conf`, used by ud-replicate |
| `ud-echelon` | Python | x | "Watches for email activity from Debian Developers" |
| `ud-fingerserv` | Perl | x | [finger(1)][] server to expose some (public) user information |
| `ud-fingerserv2.c` | C | | same in C? |
| `ud-forwardlist` | Python | | convert `.forward` files into LDAP configuration |
| `ud-generate` | Python | x | critical code path, generates all configuration files |
| `ud-gpgimport` | Python | | seems unused? "Key Ring Syncronization utility" |
| `ud-gpgsigfetch` | Python | | refresh signatures from a keyring? unused? |
| `ud-groupadd` | Python | x | tries to create a group, possibly broken, not implemented by ud |
| `ud-guest-extend` | Python | | "Query/Extend a guest account" |
| `ud-guest-upgrade` | Python | | "Upgrade a guest account" |
| `ud-homecheck` | Python | | audits home directory permissions? |
| `ud-host` | Python | | interactively edits host entries |
| `ud-info` | Python | | same with user entries |
| `ud-krb-reset` | Perl | | kerberos password reset, unused? |
| `ud-ldapshow` | Python | | stats and audit on the LDAP database |
| `ud-lock` | Python | x | locks many accounts |
| `ud-mailgate` | Python | x | email operations |
| `ud-passchk` | Python | | audit a password file |
| `ud-replicate` | Bash | x | rsync file distribution from LDAP host |
| `ud-replicated` | Python | | rabbitmq-based trigger for ud-replicate, unused? |
| `ud-roleadd` | Python | x | like ud-groupadd, but for roles, possibly broken too |
| `ud-sshlist` | Python | | like ud-forwardlist, but for ssh keys |
| `ud-sync-accounts-to-afs` | Python | | sync to AFS, unused |
| `ud-useradd` | Python | x | create a user in LDAP, possibly broken? |
| `ud-userimport` | Python | | imports passwd and group files |
| `ud-xearth` | Python | | generates xearth DB from LDAP entries |
| `ud-zoneupdate` | Shell | x | increments serial on a zonefile and reload bind |
The `ud?` column documents whether the command was considered for
implementation in ud, and gives us a hint on whether it is important
or not.
| libraries | lang | description |
| `UDLdap.py` | Python | mainly an Account representation |
| `userdir_exceptions.py` | Python | exceptions |
| `userdir_gpg.py` | Python | yet another GnuPG Python wrapper |
| `userdir_ldap.py` | Python | various functions to talk with LDAP and more |
| configuration files | Lang | description |
| `userdir-ldap.conf` | Python | LDAP host, admin user, email, logging, keyrings, web, DNS, MX, and more |
| `userdir_ldap.pth` | ??? | no idea! |
| `userdir-ldap.schema` | LDAP | TPO/Debian-specific LDAP schema additions |
| `userdir-ldap-slapd.conf.in` | slapd | slapd configuration, includes LDAP access control |
Note how the `ud-guest-upgrade` command works. It generates an LDAP
snippet like:
delete: allowedHost
-
delete: shadowExpire
-
replace: supplementaryGid
supplementaryGid: $GIDs
-
replace: privateSub
privateSub: $UID@debian.org
where the `guest` gid is replaced by the "default" `defaultgroup`
set in the `userdir-ldap.conf` file.
[finger(1)]: https://manpages.debian.org/finger.1
### References
* [userdir-ldap source code](https://salsa.debian.org/dsa-team/mirror/userdir-ldap)
* [userdir-ldap-cgi source code](https://salsa.debian.org/dsa-team/mirror/userdir-ldap-pylons)
* [ud](https://github.com/Debian/ud) - a partial ud-ldap rewrite in Django from 2013-2014, no
change since 2017
* [userdir-ldap-pylons](https://salsa.debian.org/dsa-team/mirror/userdir-ldap-pylons) - a partial ud-ldap rewrite in Pylons from
2011, abandoned
## Issues
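Review bot: the three tables introduced in this hunk will not render as markdown tables as written. The tools table's delimiter row `| ---- | ------ | | ----------- |` has an empty cell under `ud?`, and GFM requires at least one hyphen in every delimiter cell, so it should read `| ---- | ------ | --- | ----------- |`. The `| libraries | lang | description |` and `| configuration files | Lang | description |` headers are followed directly by their first data rows (`| \`UDLdap.py\` | ...`, `| \`userdir-ldap.conf\` | ...`) with no delimiter row at all; add one after each header, and while there, align the `lang`/`Lang` capitalization across the three tables. On content: the `userdir_ldap.pth` row still says `no idea!`; `.pth` is the extension Python's `site` module reads for path-configuration files, so the file most likely exists to put `userdir_ldap` on `sys.path`, but check the file before replacing the placeholder. The hedged cells (`possibly broken`, `unused?`, `seems unused?`) for `ud-groupadd`, `ud-roleadd`, `ud-useradd`, `ud-gpgimport`, `ud-krb-reset`, `ud-gpgsigfetch` and `ud-replicated` sit in a reference table that operators will act on; either confirm them against the code or mark them explicitly as open questions tracked in issue 33766. Finally, the `ud-guest-upgrade` snippet hardcodes `privateSub: $UID@debian.org`; if that is copied verbatim from the upstream script rather than being the value used in this deployment, say so next to the snippet, since the schema row describes the additions as "TPO/Debian-specific".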