Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/infrastructure: ldap.xml
Date: Tue, 18 Dec 2007 01:30:06
Message-Id: E1J4RHS-0003OQ-HR@stork.gentoo.org
1 robbat2 07/12/18 01:29:58
2
3 Modified: ldap.xml
4 Log:
5 First pass at cleaning up ldap.xml.
6
7 Revision Changes Path
8 1.17 xml/htdocs/proj/en/infrastructure/ldap.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?rev=1.17&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?rev=1.17&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?r1=1.16&r2=1.17
13
14 Index: ldap.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v
17 retrieving revision 1.16
18 retrieving revision 1.17
19 diff -p -w -b -B -u -u -r1.16 -r1.17
20 --- ldap.xml 31 Jul 2007 07:07:03 -0000 1.16
21 +++ ldap.xml 18 Dec 2007 01:29:57 -0000 1.17
22 @@ -1,6 +1,6 @@
23 <?xml version="1.0" encoding="UTF-8"?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v 1.16 2007/07/31 07:07:03 robbat2 Exp $ -->
26 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v 1.17 2007/12/18 01:29:57 robbat2 Exp $ -->
27
28 <guide link="/proj/en/infrastructure/ldap.xml">
29 <title>Gentoo Infrastructure LDAP guide</title>
30 @@ -8,6 +8,9 @@
31 <author title="Author">
32 <mail link="lcars@g.o">Andrea Barisani</mail>
33 </author>
34 +<author title="Author">
35 + <mail link="robbat2@g.o">Robin H. Johnson</mail>
36 +</author>
37 <author title="Editor">
38 <mail link="lmedinas@×××××.com">Luis Medinas</mail>
39 </author>
40 @@ -24,8 +27,8 @@ and administrators.
41 <!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
42 <license/>
43
44 -<version>1.5</version>
45 -<date>2007-02-23</date>
46 +<version>1.6</version>
47 +<date>2007-12-17</date>
48
49 <chapter>
50 <title>Key Concepts</title>
51 @@ -64,39 +67,46 @@ see if that user is in the database and
52 <p>
53 LDAP is used by Gentoo to secure the infrastructure. Gentoo resources are spread
54 across the globe and LDAP gives us a central location to manage them. There are
55 -four levels of access or OU (organizational unit): anonymous, user, recruiters
56 -and infra, that are used to connect or <e>bind</e> to the LDAP database.
57 +four levels of access: anonymous, user, recruiter and infra that are used to
58 +control what can be changed in the LDAP database. These are controlled via
59 +special values in the gentooAccess attribute.</p>
60 +
61 +<p>
62 +You must connect or <e>bind</e> to the LDAP database either anonymously, or a
63 +known user. Binding anonymously will always grant only the anonymous level,
64 +while binding as a known user will grant you the level based on your user and
65 +potentially where you are connecting from.
66 </p>
67
68 <p>
69 -The <e>anonymous</e> OU is used for simple <e>read only</e> informational queries.
70 -All developers and staff can bind to LDAP as anonymous. If you don't specify an
71 -OU when you bind anonymous is assumed.
72 +The <e>anonymous</e> level is used for simple <e>read only</e> informational
73 +queries. All developers and staff can bind to LDAP as anonymous. If you don't
74 +specify a mode when you bind, anonymous is assumed.
75 </p>
76
77 <p>
78 -The <e>user</e> OU is used to add or change information in your own LDAP
79 -record. Things like your latitude and longitude, ssh public key and so on.
80 -All developers and staff are members of the user OU.
81 +The <e>user</e> level is used to add or change information in your own LDAP
82 +record. Things like your latitude and longitude, ssh public key and so on. All
83 +users can access the <e>user</e> level, by binding as themselves with the mode
84 +specified, and providing their password.
85 </p>
86
87 <p>
88 -<e>recruiters</e> is a special OU used by recruiters to create new LDAP entries
89 -or to alter existing ones for any user including their own. If you are a
90 -Recruiter you <e>must</e> bind to LDAP as 'recruiter' for any operation including
91 -another users record or your own.
92 +The <e>recruiter</e> level enables recruiters to add new users, and perform
93 +some administrative changes to users.
94 </p>
95
96 <p>
97 -The <e>infra</e> OU is also a special OU that is used by members of the Infrastructure
98 -Project to manage the various resources within Gentoo. Although this is used
99 -mainly for managing machine accounts, the infra OU can also alter any other users
100 -record.
101 +The <e>infra</e> level enables the infrastructure team full power over LDAP,
102 +and is additionally protected by only being available from ldap1.gentoo.org
103 +(toucan.gentoo.org).
104 </p>
105
106 <note>
107 -All write operations performed by recruiters or infra must be performed on
108 -ldap1.gentoo.org (roadrunner.gentoo.org).
109 +All write operations performed by infra must be performed on ldap1.gentoo.org
110 +(toucan.gentoo.org). Normal user and recruiter write operations may be
111 +performed on any LDAP-connected Gentoo box, however it is strongly recommended
112 +that you use dev.gentoo.org (woodpecker.gentoo.org).
113 </note>
114
115 </body>
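Review bot: the new infra paragraph says the level is "only being available from ldap1.gentoo.org (toucan.gentoo.org)" but not what enforces that; state whether it is a server-side ACL keyed on the connecting host or a check inside perl_ldap, because the note that follows treats it as a hard rule and a reader will otherwise assume the client is the only thing enforcing it. Two smaller points in the same hunk: "either anonymously, or a known user" should read "or as a known user", and the text alternates between "level" and "mode" ("If you don't specify a mode when you bind") while the option list later calls it MODE; pick one term and use it throughout.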
116 @@ -110,11 +120,11 @@ ldap1.gentoo.org (roadrunner.gentoo.org)
117 <body>
118
119 <p>
120 -Currently we have two LDAP servers available. The <e>master</e> server and a
121 -<e>slave</e> server. The <e>master</e> LDAP server is reachable at
122 -<e>ldap1.gentoo.org</e>. The <e>slave</e> server is <e>ldap2.gentoo.org</e> and
123 -it connects every 60 seconds to the <e>master</e> looking up changes and
124 -resyncing the database if necessary.
125 +Currently we have three LDAP servers available. The <e>master</e> server and two
126 +<e>slave</e> servers. The <e>master</e> LDAP server is reachable at
127 +<e>ldap1.gentoo.org</e>. The <e>slave</e> servers are <e>ldap2.gentoo.org</e>,
128 +<e>ldap3.gentoo.org</e> and it connects every 60 seconds to the <e>master</e>
129 +to replicate changes from the master.
130 </p>
131
132 <p>
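Review bot: the replication sentence no longer parses: "The slave servers are ldap2.gentoo.org, ldap3.gentoo.org and it connects every 60 seconds" pairs a plural subject with "it". Suggest: "The slave servers are ldap2.gentoo.org and ldap3.gentoo.org; each connects to the master every 60 seconds to replicate changes."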
133 @@ -122,14 +132,14 @@ Every update operation must be done on <
134 (which means writing some entry) is performed on the <e>slave</e> a referral to
135 the <e>master</e> is issued. This is transparently handled and all attempts to
136 update against the slave will be redirected to the <e>master</e>. Connections
137 -are validated via TLS + password. The password is your toucan one and it's going
138 -to be the same for all LDAP_aware boxes in the future.
139 +are validated via TLS + password. The password is your dev one and is the same
140 +for all LDAP-aware boxes.
141 </p>
142
143 <p>
144 We use a custom script, <c>perl_ldap</c> that uses <e>Net::LDAP</e>, for accessing
145 and modifying the database, it allows only a predefined set of actions but it
146 -should cover 90% of the cases. In the following chapters we explain how to use it.
147 +should cover 95% of the cases. In the following chapters we explain how to use it.
148 </p>
149
150 <note>
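Review bot: "Connections are validated via TLS + password" should say whether TLS is mandatory and whether the client verifies the server certificate, because this same paragraph now states that the LDAP password is the developer's dev password shared across all LDAP-aware boxes; a simple bind over an unverified or plaintext connection would expose that shared credential. Separately, changing "90%" to "95%" replaces one unquantified figure with another; "most common cases" is the honest wording.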
151 @@ -149,9 +159,11 @@ in #gentoo-infra for help with this.
152
153 <p>
154 The following attributes are included in the Gentoo Schema. Note the 'Access
155 -Level' needed for each attribute.
156 +Level' needed to write each attribute. Anonymous reading is allowed unless
157 +otherwise noted. Required fields are emphasised.
158 </p>
159
160 +<!-- Please keep this list in alphabetical order, sorted by the attribute name -->
161 <table>
162 <tr>
163 <th>Attribute Name</th>
164 @@ -161,25 +173,46 @@ Level' needed for each attribute.
165 <th>Format</th>
166 </tr>
167 <tr>
168 - <ti>gentooLocation</ti>
169 + <ti>birthday</ti>
170 + <ti>user (not globally readable)</ti>
171 + <ti>developer birthday</ti>
172 + <ti>single, optional</ti>
173 + <ti>UTF-8</ti>
174 + </tr>
175 + <tr>
176 + <ti><e>gentooAccess</e></ti>
177 + <ti>infra, top level recruiters only</ti>
178 + <ti>developer access level</ti>
179 + <ti>multiple, required</ti>
180 + <ti>UTF-8</ti>
181 + </tr>
182 + <tr>
183 + <ti>gentooAlias</ti>
184 <ti>infra, recruiters</ti>
185 - <ti>developer location</ti>
186 - <ti>single, required</ti>
187 + <ti>alternate names for this developer</ti>
188 + <ti>multiple, required</ti>
189 <ti>UTF-8</ti>
190 </tr>
191 <tr>
192 - <ti>gentooLatitude, lat</ti>
193 + <ti>gentooGPGFingerprint, gpgfingerprint</ti>
194 <ti>user</ti>
195 - <ti>latitude coordinate</ti>
196 + <ti>GPG key fingerprint</ti>
197 <ti>single, optional</ti>
198 - <ti>numeric string</ti>
199 + <ti>UTF-8</ti>
200 </tr>
201 <tr>
202 - <ti>gentooLongitude, lon</ti>
203 + <ti><e>gentooGPGkey, gpgkey</e></ti>
204 <ti>user</ti>
205 - <ti>longitude coordinate</ti>
206 - <ti>single, optional</ti>
207 - <ti>numeric string</ti>
208 + <ti>GPG key uid</ti>
209 + <ti>single, required</ti>
210 + <ti>UTF-8</ti>
211 + </tr>
212 + <tr>
213 + <ti>gentooIM</ti>
214 + <ti>user</ti>
215 + <ti>instant messaging ID</ti>
216 + <ti>multiple, optional</ti>
217 + <ti>UTF-8</ti>
218 </tr>
219 <tr>
220 <ti>gentooJoin</ti>
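Review bot: gentooAlias is listed as "multiple, required" but is not wrapped in <e>, while the lead-in added in this change says "Required fields are emphasised" and the other required rows here (gentooAccess, gentooGPGkey) are; either emphasise it or mark it optional. Also, gentooGPGFingerprint's format column says only "UTF-8"; since a fingerprint is hex, stating the expected form (40 hex digits, with or without spaces) would let the validation mentioned later apply to it as well.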
221 @@ -189,63 +222,66 @@ Level' needed for each attribute.
222 <ti>UTF-8</ti>
223 </tr>
224 <tr>
225 - <ti>gentooAccess</ti>
226 - <ti>infra, recruiters</ti>
227 - <ti>developer access level</ti>
228 - <ti>multiple, required</ti>
229 - <ti>UTF-8</ti>
230 + <ti>gentooLatitude, lat</ti>
231 + <ti>user</ti>
232 + <ti>latitude coordinate</ti>
233 + <ti>single, optional</ti>
234 + <ti>signed decimal string</ti>
235 </tr>
236 <tr>
237 - <ti>gentooStatus</ti>
238 - <ti>infra, recruiters</ti>
239 - <ti>developer status</ti>
240 + <ti><e>gentooLocation</e></ti>
241 + <ti>user</ti>
242 + <ti>developer location</ti>
243 <ti>single, required</ti>
244 <ti>UTF-8</ti>
245 </tr>
246 <tr>
247 - <ti>gentooGPGkey, gpgkey</ti>
248 + <ti>gentooLongitude, lon</ti>
249 <ti>user</ti>
250 - <ti>gpg key uid</ti>
251 + <ti>longitude coordinate</ti>
252 <ti>single, optional</ti>
253 - <ti>UTF-8</ti>
254 + <ti>signed decimal string</ti>
255 </tr>
256 <tr>
257 - <ti>gentooGPGFingerprint, gpgfingerprint</ti>
258 - <ti>user</ti>
259 - <ti>gpg key fingerprint</ti>
260 + <ti>gentooRetire</ti>
261 + <ti>infra, recruiters</ti>
262 + <ti>developer retirement date</ti>
263 <ti>single, optional</ti>
264 <ti>UTF-8</ti>
265 </tr>
266 <tr>
267 - <ti>gentooRoles</ti>
268 - <ti>infra,recruiters</ti>
269 + <ti><e>gentooRoles</e></ti>
270 + <ti>user</ti>
271 <ti>developer projects</ti>
272 - <ti>single, optional</ti>
273 + <ti>single, required</ti>
274 <ti>UTF-8</ti>
275 </tr>
276 <tr>
277 - <ti>gentooHerd, herd</ti>
278 + <ti><e>gentooStatus</e></ti>
279 <ti>infra,recruiters</ti>
280 - <ti>developer herd</ti>
281 - <ti>single, optional</ti>
282 + <ti>developer status</ti>
283 + <ti>single, required</ti>
284 <ti>UTF-8</ti>
285 </tr>
286 <tr>
287 - <ti>sshPublicKey</ti>
288 + <ti><e>sshPublicKey</e></ti>
289 <ti>user</ti>
290 <ti>OpenSSH public key</ti>
291 - <ti>multiple, optional</ti>
292 - <ti>UTF-8</ti>
293 - </tr>
294 - <tr>
295 - <ti>birthday</ti>
296 - <ti>user</ti>
297 - <ti>developer birthday</ti>
298 - <ti>single, optional</ti>
299 + <ti>multiple, required</ti>
300 <ti>UTF-8</ti>
301 </tr>
302 </table>
303
304 +<note>
305 +All dates are presently expected to be in the form DD MMMM YYYY, and are being
306 +being migrated to ISO8601, after which, the field will have validation enabled.
307 +</note>
308 +
309 +<p
310 +>The following attributes were in use at some point in the past, but have
311 +been retired: <e>gentooHerd</e>, <e>gentooAltMail</e>, <e>gentooForumsUID</e>.
312 +</p>
313 +
314 </body>
315 </section>
316 <section>
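Review bot: gentooRoles moves from "infra,recruiters" write access to "user" and becomes required; confirm this matches the deployed ACL, since this table is the documented access policy and turning a recruiter-controlled field into a self-service one is a policy change rather than a cleanup. Minor in the same hunk: "are being being migrated" duplicates "being", gentooStatus still reads "infra,recruiters" without the space used by the other rows, and the split "<p" / ">The following" tag is legal XML but should be joined.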
317 @@ -320,7 +356,7 @@ The following are the most common option
318
319 <ul>
320 <li>
321 - <c>-b OU</c> used to bind to the LDAP server. If you don't specify
322 + <c>-b MODE</c> used to bind to the LDAP server. If you don't specify
323 <e>user</e>, the script will default to <e>anonymous</e> and be <e>read
324 only</e>.
325 </li>
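Review bot: "-b MODE" replaces "-b OU" but the valid values are never listed; since every example later in this change binds as "user" (the recruiter and infra sections drop "-b recruiters"), say here that "user" and "anonymous" are the only modes, otherwise readers will keep trying "-b recruiters" and "-b infra".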
326 @@ -339,7 +375,7 @@ The following are the most common option
327 <c>-C ATTRIBUTE NEWVALUE &lt;username&gt;</c> creates a new attribute for
328 the specified user
329 </li>
330 - <li><c>-E ATTRIBUTE</c> erases an attribute</li>
331 + <li><c>-E ATTRIBUTE OLDVALUE &lt;username&gt;</c> erases an attribute</li>
332 </ul>
333
334 </body>
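Review bot: "-E ATTRIBUTE OLDVALUE <username>" now takes a value, but the description still says "erases an attribute"; reword to "removes the given value of an attribute" and state what happens when OLDVALUE is omitted for a single-valued attribute, since the value-less "-E gentooRoles <username>" form is deleted from the examples later in this change.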
335 @@ -370,9 +406,13 @@ of the most commonly changed attributes.
336 # <i>perl_ldap -b user -M gentooGPGkey "1AF343E" &lt;username&gt;</i>
337 </pre>
338
339 -<pre caption="Change your public SSH key">
340 -<comment>(substitute 'pubkey' with the path to your public SSH key. ex: "~/.ssh/id_dsa.pub". You should have one sshPublicKey attribute per key!)</comment>
341 -# <i>perl_ldap -b user -M sshPublicKey "$(cat pubkey)" &lt;username&gt;</i>
342 +<pre caption="Add a new public SSH key">
343 +<comment>(substitute 'pubkey' with the path to your public SSH key. ex: "~/.ssh/id_dsa.pub". You should have one sshPublicKey attribute per key! No newlines!)</comment>
344 +# <i>perl_ldap -b user -A sshPublicKey "$(cat pubkey)" &lt;username&gt;</i>
345 +</pre>
346 +
347 +<pre caption="Erase an old public SSH key">
348 +# <i>perl_ldap -b user -E sshPublicKey "$(cat oldpubkey)" &lt;username&gt;</i>
349 </pre>
350
351 </body>
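Review bot: the "Add a new public SSH key" example uses "-A sshPublicKey "$(cat pubkey)" <username>", but elsewhere in this document -A is the add-user operation ("perl_ldap -b user -A <username>") and the create-attribute operation is "-C ATTRIBUTE NEWVALUE <username>"; this should almost certainly be "-C sshPublicKey ...". The "No newlines!" caveat is worth keeping: "$(cat pubkey)" only strips trailing newlines, so a file holding two key lines would be stored as one malformed value.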
352 @@ -390,55 +430,43 @@ a recruiter.
353 </p>
354
355 <p>
356 -When dealing with users that belong to a sub-OU the <c>-o OU | -b OU</c> option
357 -must be used, this will be clarified in the examples. The command <c>-b OU</c>
358 -must be used if the <e>binding user</e> belongs to a sub-OU, the command
359 -<c>-o OU</c> must be used if <e>the target user</e> belongs to a sub-OU.
360 +When dealing with users that belong to a sub-OU the <c>-o OU</c> option
361 +must be used, this will be clarified in the examples. The command <c>-o OU</c>
362 +must be used if <e>the target user</e> belongs to a sub-OU.
363 </p>
364
365 <p>
366 The following examples will show you how to change attributes for users, recruiters
367 -and infra. All write operations performed by one user against another user
368 -must be performed on ldap1.gentoo.org (roadrunner.gentoo.org).
369 +and infra. All write operations performed by infra against another user must be
370 +performed on ldap1.gentoo.org (toucan.gentoo.org).
371 </p>
372
373 <p>
374 -Some attributes, like gentooRoles and sshPublickey, allow multi_values. To append an
375 -additional value to the exiting ones use <c>-C</c>. To overwrite the existing values
376 -use <c>-M</c>.
377 +Some attributes, like <e>sshPublickey</e>, and <e>mail</e>, allow multi-values. To append an
378 +additional value to the exiting ones use <c>-C</c>. You may not use <c>-M</c>
379 +with multi-valued attributes.
380 </p>
381
382 <pre caption="Modify (overwrite) an existing attribute for a user">
383 -# <i>perl_ldap -b recruiters -M gentooGPGkey "1AF343E" &lt;username&gt;</i>
384 -</pre>
385 -
386 -<pre caption="Modify (overwrite) an existing attribute if the target user is recruiters or infra">
387 -# <i>perl_ldap -b recruiters -o recruiters -M gentooGPGkey "1AF343E" &lt;username&gt;</i>
388 -# <i>perl_ldap -b recruiters -o infra -M gentooGPGkey "1AF343E" &lt;username&gt;</i>
389 +# <i>perl_ldap -b user -M gentooGPGkey "0x1AF343EB" &lt;username&gt;</i>
390 </pre>
391
392 <pre caption="Delete an attribute for a user">
393 -# <i>perl_ldap -b recruiters -E gentooRoles &lt;username&gt;</i>
394 -
395 -<comment>(If value is specified then only the matching attribute is removed, this is useful for multi_valued attributes.)</comment>
396 -# <i>perl_ldap -b recruiters -E gentooRoles "forums" &lt;username&gt;</i>
397 +# <i>perl_ldap -b user -E mail "myoldaddress@×××××××.com" &lt;username&gt;</i>
398 </pre>
399
400 -<pre caption="Add a new user">
401 -# <i>perl_ldap -b recruiters -A &lt;username&gt;</i>
402 +<pre caption="Add a new user (infra, recruiters)">
403 +# <i>perl_ldap -b user -A &lt;username&gt;</i>
404 </pre>
405
406 -<pre caption="Delete a user">
407 -# <i>perl_ldap -b recruiters -D &lt;username&gt;</i>
408 +<pre caption="Delete a user (infra)">
409 +# <i>perl_ldap -b user -D &lt;username&gt;</i>
410 </pre>
411
412 -<pre caption="Create or modify multi_value attributes">
413 +<pre caption="Create or modify multi-value attributes">
414 <comment>(Create a new attribute while preserving the existing ones. Use the command multiple times to add addtional attributes)</comment>
415 -# <i>perl_ldap -b recruiters -C gentooRoles "forums" &lt;username&gt;</i>
416 -# <i>perl_ldap -b recruiters -C gentooRoles "devrel" &lt;username&gt;</i>
417 -
418 -<comment>(overwrite the existing values with a new one)</comment>
419 -# <i>perl_ldap -b recruiters -M gentooRoles "forums" &lt;username&gt;</i>
420 +# <i>perl_ldap -b user -C mail "myaltaddress@×××××××.com" &lt;username&gt;</i>
421 +# <i>perl_ldap -b user -C mail "backup@×××××××.com" &lt;username&gt;</i>
422 </pre>
423
424 </body>
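Review bot: the paragraph on "-o OU" still says "this will be clarified in the examples", but this hunk deletes the only examples that used -o (the "-o recruiters" and "-o infra" lines); either keep one -o example or drop the sentence. Also in this hunk: "exiting ones" should be "existing ones", "sshPublickey" should match the attribute name sshPublicKey, and the captions "Add a new user (infra, recruiters)" and "Delete a user (infra)" should say that infra runs these from ldap1.gentoo.org, as the next section requires.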
425 @@ -449,15 +477,18 @@ use <c>-M</c>.
426
427 <p>
428 Infra can change their own attributes or those of another user. You <b>must</b>
429 -bind as <e>infra</e> to change any attributes, including your own. To change
430 -your own attributes use the examples from the "users" section above. To change
431 -another users record use the examples from the "recruiters" section.
432 +bind as <e>user</e> to change any attributes, including your own. To change
433 +your own attributes use the examples from the "users" section above from any
434 +LDAP-aware machine. To change another users record, you must be using perl_ldap
435 +from ldap1.gentoo.org.
436 </p>
437
438 <p>
439 The attribute <c>gentooAccess</c> controls which boxes a user can login to. Only
440 infra and a few selected recruiters are allowed to create and modify this
441 -multi_value attribute. The FQDN must be used (ex. roadrunner.gentoo.org).
442 +multi-value attribute. The FQDN must be used (ex. roadrunner.gentoo.org).
443 +Some special values also exist: infra.group, infra-ldapadmin.group,
444 +infra-cvsadmin.group, infra-system.group, recruiters.group.
445 </p>
446
447 </body>
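Review bot: the new list of special gentooAccess values (infra.group, infra-ldapadmin.group, infra-cvsadmin.group, infra-system.group, recruiters.group) is the mechanism the Key Concepts section calls "special values in the gentooAccess attribute", so say which value grants which level, in particular which one makes a recruiter one of the "top level recruiters" allowed to write gentooAccess itself. The example hostname "roadrunner.gentoo.org" in the same paragraph is stale: this change renames ldap1 to toucan.gentoo.org everywhere else.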
448 @@ -472,6 +503,7 @@ multi_value attribute. The FQDN must be
449 <ul>
450 <li>Master LDAP Server - ldap1.gentoo.org</li>
451 <li>Slave LDAP Server - ldap2.gentoo.org</li>
452 + <li>Slave LDAP Server - ldap3.gentoo.org</li>
453 <li><uri link="http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO">LDAP HOWTO</uri></li>
454 </ul>
455
456
457
458
459 --
460 gentoo-commits@g.o mailing list