Loading howto/ldap.md +6 −6 Original line number Diff line number Diff line Loading @@ -434,7 +434,7 @@ modify an existing user or add a new one): This dump all known hosts in LDAP: ldapsearch -ZZ -Lx -h db.torproject.org -b "ou=hosts,dc=torproject,dc=org" ldapsearch -ZZ -Lx -H ldap://db.torproject.org -b "ou=hosts,dc=torproject,dc=org" Note that this will only work on the LDAP host itself or on whitelisted hosts which are few right now. Also note that this uses an Loading @@ -443,7 +443,7 @@ not show up. For hosts, that's fine, but if you search for users, you will need to use authentication. This, for example, will dump all users with an SSH key: ldapsearch -ZZ -LxW -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(sshRSAAuthKey=*)' ldapsearch -ZZ -LxW -H ldap://db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(sshRSAAuthKey=*)' Note how we added a [search filter](https://ldap.com/ldap-filters/) (`(sshRSAAuthKey=*)`) here. We could also have parsed the output in a script or bash, but this can actually Loading 
@@ -452,22 +452,22 @@ objects. Sometimes it might be useful to only *list* the object handles or certain fields. For example, this will list all hosts `rebootPolicy` attribute: ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(objectClass=*)' 'rebootPolicy' ldapsearch -H ldap://db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(objectClass=*)' 'rebootPolicy' This will list all servers with a manual reboot policy: ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(rebootPolicy=manual)' '' ldapsearch -H ldap://db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(rebootPolicy=manual)' '' Note here the empty (`''`) attribute list. To list hosts that do *not* have a reboot policy, you need a boolean modifier: ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(!(rebootPolicy=manual))' '' ldapsearch -H ldap://db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL '(!(rebootPolicy=manual))' '' Such filters can be stacked to do complex searches. For example, this filter lists all active accounts: ldapsearch -ZZ -vLxW -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(&(!(|(objectclass=debianRoleAccount)(objectClass=debianGroup)(objectClass=simpleSecurityObject)(shadowExpire=1)))(objectClass=debianAccount))' ldapsearch -ZZ -vLxW -H ldap://db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" -b "ou=users,dc=torproject,dc=org" '(&(!(|(objectclass=debianRoleAccount)(objectClass=debianGroup)(objectClass=simpleSecurityObject)(shadowExpire=1)))(objectClass=debianAccount))' This lists users with access to Gitolite: Loading howto/puppet.md +1 −1 Original line number Diff line number Diff line Loading 
@@ -786,7 +786,7 @@ As a bonus, this query will show the number of hosts running each release: * Using LDAP: HOSTS=$(ssh alberti.torproject.org 'ldapsearch -h db.torproject.org -x -ZZ -b dc=torproject,dc=org -LLL "hostname=*.torproject.org" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort') HOSTS=$(ssh alberti.torproject.org 'ldapsearch -H ldap://db.torproject.org -x -ZZ -b dc=torproject,dc=org -LLL "hostname=*.torproject.org" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort') for i in `echo $HOSTS`; do mkdir hosts/x-$i 2>/dev/null || continue; echo $i; ssh $i ' ...'; done the `mkdir` is so that I can run the same command in many terminal Loading howto/static-component.md +1 −1 Original line number Diff line number Diff line Loading @@ -65,7 +65,7 @@ from a sysadmin perspective. User documentation lives in [doc/static-sites](doc/ 8. consider creating a new role and group for the component if none match its purpose, see [howto/create-a-new-user](howto/create-a-new-user) for details: ssh alberti.torproject.org ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" ssh alberti.torproject.org ldapvi -ZZ --encoding=ASCII --ldap-conf -H ldap://db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org" 9. if you created a new group, you will probably need to modify the `legacy_sudoers` file to grant a user access to the role/group, Loading howto/upgrades.md +2 −2 Original line number Diff line number Diff line Loading 
@@ -286,10 +286,10 @@ This routine should be able to reboot all hosts with a `rebootPolicy` defined to `justdoit` or `rotation`: echo "rebooting 'justdoit' hosts with a 10-minute delay, every 2 minutes...." ./reboot -H $(ssh db.torproject.org 'ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL "(rebootPolicy=justdoit)" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort -R') --delay-shutdown=10 --delay-hosts=120 ./reboot -H $(ssh db.torproject.org 'ldapsearch -H ldap://db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL "(rebootPolicy=justdoit)" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort -R') --delay-shutdown=10 --delay-hosts=120 echo "rebooting 'rotation' hosts with a 10-minute delay, every 30 minutes...." ./reboot -H $(ssh db.torproject.org 'ldapsearch -h db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL "(rebootPolicy=rotation)" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort -R') --delay-shutdown=10 --delay-hosts=1800 ./reboot -H $(ssh db.torproject.org 'ldapsearch -H ldap://db.torproject.org -x -ZZ -b ou=hosts,dc=torproject,dc=org -LLL "(rebootPolicy=rotation)" hostname | awk "\$1 == \"hostname:\" {print \$2}" | sort -R') --delay-shutdown=10 --delay-hosts=1800 ## Rebooting KVM hosts Loading Loading
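Review bot: in howto/ldap.md (hunks at -434 and -443), keeping `-ZZ` next to the new `-H ldap://db.torproject.org` is the important part: `-ZZ` makes StartTLS mandatory, so the anonymous host dump and the `-W` password bind in the second hunk fail closed instead of falling back to a cleartext connection if TLS negotiation fails. Suggest saying so in the surrounding prose, since a reader who copies only `-H ldap://...` without `-ZZ` gets an unencrypted session, and the authenticated example would then send the password in the clear.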
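Review bot: in the howto/ldap.md hunk at -452, the context sentence "To list hosts that do *not* have a reboot policy" does not match the filter it introduces, `(!(rebootPolicy=manual))`, which matches every host whose `rebootPolicy` is anything other than `manual` (so also `justdoit` and `rotation`, the values used in howto/upgrades.md) as well as hosts with no attribute at all. Since this hunk already touches that command, suggest correcting the text to "do not have a *manual* reboot policy", and, if hosts with no policy at all are what is meant, a presence filter `(!(rebootPolicy=*))`. Minor: the context line "this will list all hosts `rebootPolicy` attribute" is missing a possessive ("all hosts' `rebootPolicy` attribute").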
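Review bot: in the howto/puppet.md hunk at -786 the `-H` replacement sits inside the single-quoted remote command, so the existing escaping (`\$1`, `\"hostname:\"`) is unaffected; fine. One consistency check while here: this query is run via `ssh alberti.torproject.org` against `db.torproject.org`, whereas the identical query in howto/upgrades.md is run via `ssh db.torproject.org`; the ldap.md text in this same diff says anonymous searches only work on the LDAP host itself or on whitelisted hosts, so it is worth stating which host the commands are expected to run on. Minor style point: `for i in \`echo $HOSTS\`` can simply be `for i in $HOSTS`.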
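Review bot: in howto/static-component.md (hunk at -65), please confirm that `ldapvi` actually accepts `-H`. The `-h host` / `-H URI` distinction is an OpenLDAP client-tools convention (`-h` deprecated in favour of `-H`), but ldapvi is a separate program whose `-h`/`--host` option is documented as already taking a URL, and I do not see `-H` in its option list. If ldapvi rejects `-H`, this line should read `-h ldap://db.torproject.org` instead; a quick test of the command against db.torproject.org before merging would settle it.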
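Review bot: in the howto/upgrades.md hunks at -286, the `$(ssh db.torproject.org 'ldapsearch ...')` substitution has no failure check: if the search fails (ssh error, or TLS negotiation refused under `-ZZ`), the substitution expands to nothing and `./reboot -H` is invoked with an empty host list, or, depending on how `./reboot` parses its arguments, with `--delay-shutdown=10` taken as the host argument. Suggest capturing the list first and aborting when it is empty, e.g. `HOSTS=$(ssh db.torproject.org '...')`, `[ -n "$HOSTS" ] || exit 1`, then `./reboot -H "$HOSTS" --delay-shutdown=10 ...`, so a lookup failure cannot turn into a reboot run with the wrong targets.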