| ... | ... | @@ -97,8 +97,8 @@ instructions on SSH public key authentication, for example. |
## How do I update my OpenPGP key?
LDAP requires an OpenPGP key fingerprint in its records and uses that
trust anchor to review changes like [resetting your password](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/ldap#password-reset) or
[uploading an SSH key](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/ldap#uploading-a-ssh-user-key).
trust anchor to review changes like [resetting your password](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ldap#password-reset) or
[uploading an SSH key](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service/ldap#uploading-a-ssh-user-key).
You can't, unfortunately, update the OpenPGP key yourself. Setting the
key should have been done as part of your on-boarding. If it has not
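Review bot: the two links rewritten in this hunk (`.../wikis/service/ldap#password-reset` and `.../wikis/service/ldap#uploading-a-ssh-user-key`) are absolute GitLab URLs, while every other hunk in this change uses wiki-relative paths such as `service/puppet`. If this file is the `ldap` wiki page itself, as the rest of the diff suggests, a same-page anchor (`[resetting your password](#password-reset)`) would avoid hard-coding the page path a second time and would survive any future move. Before merging, also confirm that the `password-reset` and `uploading-a-ssh-user-key` headings exist on the page at its new `service/ldap` location, since GitLab derives these anchors from heading text.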
| ... | ... | @@ -689,7 +689,7 @@ That said, if the LDAP server goes down, password changes will not |
work, and the server inventory (at <https://db.torproject.org/>) will
be gone. A mitigation is to use Puppet manifests and/or PuppetDB to
get a host list and server inventory, see the [Puppet
documentation](howto/puppet) for details.
documentation](service/puppet) for details.
### Git server failure
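Review bot: `howto/puppet` becomes `service/puppet` here, but nothing in this change shows the target page being moved; a wiki-relative link to a path that does not exist yet renders as a dead link, so this should land together with (or after) the rename of the Puppet page. The old `howto/puppet` path is also worth keeping as a redirect stub, since runbooks and bookmarks outside the wiki may still point at it, and this section is the one people will be reading during an LDAP outage.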
| ... | ... | @@ -769,7 +769,7 @@ message will all be ASCII-armored. |
### Dependency loop on new installs
Installing a new server requires granting the new server access
various machines, including [puppet](howto/puppet) and the LDAP server
various machines, including [puppet](service/puppet) and the LDAP server
itself. This is granted ... by Puppet through LDAP!
So a server cannot register itself on the LDAP server and needs an
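Review bot: the context line just above the changed link reads "granting the new server access various machines" and is missing the word "to" ("access to various machines"); since the sentence is being touched anyway, fix it in the same hunk. The link text `[puppet]` is also lowercase here while the same target is linked as `[Puppet server]` and `[Puppet documentation]` elsewhere in this change; `[Puppet](service/puppet)` would keep the product name consistent.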
| ... | ... | @@ -1483,7 +1483,7 @@ dump it in plain text. |
### Interactions with Puppet
The [Puppet server](howto/puppet) is closely coupled with LDAP, from which
The [Puppet server](service/puppet) is closely coupled with LDAP, from which
it gathers information about servers.
It specifically uses those fields:
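Review bot: "It specifically uses those fields:" should read "these fields", since the list it introduces follows immediately. The new `service/puppet` target matches the other hunks; if the Puppet page has a section describing its LDAP lookup, linking to that section rather than the page root would be more useful here, where the consumed LDAP attributes are enumerated, but only if such an anchor actually exists.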
| ... | ... | @@ -1585,7 +1585,7 @@ currently: |
`build-services` script in the `auto-dns.git` directory
* `/srv/letsencrypt.torproject.org/var/hook/snippet`: generated by
the `bin/le-hook` in the `letsencrypt-domains.git` repository, to
authenticate against Let's Encrypt and generate [TLS](howto/tls)
authenticate against Let's Encrypt and generate [TLS](service/tls)
certificates.
Note that this procedure fails when the git server is unavailable, see
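Review bot: only the `[TLS](howto/tls)` link is rewritten in this hunk, which is correct, but the surrounding list describes the `build-services` script as living in the `auto-dns.git` "directory" while the next item calls `letsencrypt-domains.git` a "repository"; both are git repositories, so use "repository" in both. The trailing line "Note that this procedure fails when the git server is unavailable, see" continues into a cross-reference outside the hunk; if that reference is an intra-page anchor to `### Git server failure` it is unaffected, but if it uses a `howto/` path it needs the same `service/` update.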
| ... | ... | @@ -2070,7 +2070,7 @@ and password information. Those get removed when a user logs out or |
after 10 minutes of inactivity, when the user returns. It's unclear
what happens when a user forgets to logout and fails to return to the
site. Web server logs should otherwise follow the normal TPO policy,
see [the static mirror network](howto/static-component#logs-and-metrics) for more information on that.
see [the static mirror network](service/static-component#logs-and-metrics) for more information on that.
The OpenLDAP server itself (`slapd`) keeps no logs.
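Review bot: the `#logs-and-metrics` anchor is carried over unchanged to `service/static-component`; GitLab derives anchors from heading text, so confirm the "Logs and metrics" heading still exists on the moved page, otherwise the link silently lands at the top of that page. Separately, the context line "It's unclear what happens when a user forgets to logout and fails to return to the site" leaves open how long session data holding password information persists; that deserves a follow-up issue rather than staying as an open question in the published doc, since bounding the lifetime of credential-bearing session files is exactly what the 10-minute expiry is meant to do.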