Verified Commit 2c2156cc authored by anarcat
ldap: document mail-passwords change and upstream sync

parent c606a12f
......@@ -862,6 +862,7 @@ one subdirectory per host.
| `mail-whitelist` | ? | mailWhitelist |
| `markers` | xearth geolocation markers, unless `NOMARKERS` in `extraOptions` | `latitude`, `longitude` |
| `passwd.tbd` | `passwd` file template, if `loginShell` is set and user has access | `uid`, `uidNumber`, `gidNumber`, `gecos`, `loginShell` |
| `mail-passwords` | secondary password for mail authentication | `uid`, `mailPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) |
| `rtc-passwords` | secondary password for RTC calls | `uid`, `rtcPassword`, `userPassword` (skips inactive), `supplementaryGid` (skips guests) |
| `shadow.tdb` | `shadow` file template, same as `passwd.tdb`, if `NOPASSWD` not in `extraOptions` | `uid`, `uidNumber`, `userPassword`, `shadowExpire`, `shadowLastChange`, `shadowMin`, `shadowMax`, `shadowWarning`, `shadowInactive` |
| `ssh-gitolite` | `authorized_keys` file for `gitolite`, if `GITOLITE` in `exportOptions` | `uid`, `sshRSAAuthKey` |
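Review bot: the new `mail-passwords` row does not say which export option gates it, unlike the `ssh-gitolite` row, which states "if `GITOLITE` in `exportOptions`"; since this same commit adds a `MAIL-PASSWORDS` option whose purpose is to ship that file, the description should read "secondary password for mail authentication, if `MAIL-PASSWORDS` in `exportOptions`" (the existing `rtc-passwords` row has the same gap with `RTC-PASSWORDS`). As a style point, the row is inserted between `passwd.tbd` and `rtc-passwords`, which breaks the otherwise alphabetical ordering of the table; it belongs before `mail-whitelist`. The pre-existing `passwd.tbd` in the context line is also a typo for `passwd.tdb`, as the `shadow.tdb` row below confirms.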
......@@ -985,7 +986,7 @@ obviously distributes authentication systems all over the place:
* PAM and NSS usernames and passwords
* SSH user authentication keys
* SSH server public keys
* `webPassword`, `rtcPassword` and so on
* `webPassword`, `rtcPassword`, `mailPassword`, and so on
* email forwards and email block list checks
* DNS zone files (which may include things like SSH server public
keys, for example)
......@@ -1032,6 +1033,7 @@ modified or deleted by the user through the email interface
| `mailRHSBL` | set of RHSBLs to use |
| `mailWhitelist` | sender envelopes to whitelist |
| `mailDisableMessage` | message to bounce messages with to disable an email account |
| `mailPassword` | [crypt(3)][]-hashed password used for email authentication |
| `rtcPassword` | previously used in XMPP authentication, unused |
| `samba*` | many samba fields, unused |
| `shadowExpire` | `1` if the account is expired |
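Review bot: the new `mailPassword` row should state whether the stored value carries the `{CRYPT}` prefix, because the `userPassword` row below documents that the prefix is stripped before the value is turned into a UNIX password, and a consumer of `mail-passwords` needs to know whether the same stripping applies; "[crypt(3)][]-hashed password" alone leaves that open. Note also that the neighbouring `rtcPassword` row still says "unused" while the first hunk documents `rtc-passwords` as an exported file, so the two password rows now read inconsistently and the `rtcPassword` wording may deserve a revisit in the same change.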
......@@ -1048,6 +1050,7 @@ modified or deleted by the user through the email interface
| `uid` | User identifier, the user's *name* |
| `userPassword` | LDAP password field, stripped of the `{CRYPT}` prefix to be turned into a UNIX password if relevant |
[crypt(3)]: https://manpages.debian.org/crypt.3
[cdbmake(1)]: https://manpages.debian.org/cdbmake.1
#### sudoPassword field format
......@@ -1178,6 +1181,7 @@ host. It can either enable or inhibit the creation of certain files.
`shadow` file. also marks a host as `UNTRUSTED` (below)
* `PRIVATE`: ship the `debian-private` mailing list registration file
* `RTC-PASSWORDS`: ship the `rtc-passwords` file
* `MAIL-PASSWORDS`: ship the `mail-passwords` file
* `TOTP`: ship the `users.oath` file
* `UNTRUSTED`: skip sudo passwords for this host unless explicitly
set
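Review bot: `MAIL-PASSWORDS` is added after `RTC-PASSWORDS` although the surrounding list (`PRIVATE`, `RTC-PASSWORDS`, `TOTP`, `UNTRUSTED`) is alphabetical; move it above `PRIVATE` to keep the ordering. It would also help to repeat here that this option only has an effect for users with `mailPassword` set and skips inactive accounts and guests, as the `mail-passwords` row in the file table states, so a reader of the host options does not have to cross-reference the file table to learn who ends up in the shipped file.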
......@@ -1903,6 +1907,15 @@ The **diff with upstream** also makes it hard to collaborate. We
should make it possible to use directly the upstream package with a
local configuration, without having to ship and maintain our own fork.
Update: there has been progress on both of those fronts. Upstream
ported to Python 3 (partially?), but scripts (e.g. `ud-generate`)
still have the `python2` header. Preliminary tests seem to show that
`ud-generate` might be capable of running under `python3` directly as
well (ie. it doesn't error).
The diff with upstream has been reduced, see [upstream section for
details](#maintainer-users-and-upstream).
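Review bot: the sentence "Preliminary tests seem to show that `ud-generate` might be capable of running under `python3` directly as well (ie. it doesn't error)" documents a weak check: a run that does not raise says nothing about whether the generated files (passwords, keys, zone files) are byte-identical to the `python2` output, which is what matters for an authentication-distribution script. State what was actually compared, or flag the claim as unverified, and write "i.e." rather than "ie.". The stacked hedges "partially?", "seem to show" and "might be capable" in one paragraph also make it hard to tell what is known; if the Python 3 port status is uncertain, say that plainly rather than qualifying each clause.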
### Mid term: move hosts to Puppet, possibly replace ud-ldap with simpler dashboard
In the **mid-term**, we should remove the duplication of duty