robbat2 07/12/18 01:29:58

Modified: ldap.xml
Log:
First pass at cleaning up ldap.xml.

Revision Changes Path
1.17 xml/htdocs/proj/en/infrastructure/ldap.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?rev=1.17&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?rev=1.17&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml?r1=1.16&r2=1.17

Index: ldap.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v
retrieving revision 1.16
retrieving revision 1.17
diff -p -w -b -B -u -u -r1.16 -r1.17
--- ldap.xml 31 Jul 2007 07:07:03 -0000 1.16
+++ ldap.xml 18 Dec 2007 01:29:57 -0000 1.17
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v 1.16 2007/07/31 07:07:03 robbat2 Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/infrastructure/ldap.xml,v 1.17 2007/12/18 01:29:57 robbat2 Exp $ -->

<guide link="/proj/en/infrastructure/ldap.xml">
<title>Gentoo Infrastructure LDAP guide</title>
@@ -8,6 +8,9 @@
<author title="Author">
<mail link="lcars@g.o">Andrea Barisani</mail>
</author>
+<author title="Author">
+ <mail link="robbat2@g.o">Robin H. Johnson</mail>
+</author>
<author title="Editor">
<mail link="lmedinas@×××××.com">Luis Medinas</mail>
</author>
@@ -24,8 +27,8 @@ and administrators.
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>

-<version>1.5</version>
-<date>2007-02-23</date>
+<version>1.6</version>
+<date>2007-12-17</date>

<chapter>
<title>Key Concepts</title>
@@ -64,39 +67,46 @@ see if that user is in the database and
<p>
LDAP is used by Gentoo to secure the infrastructure. Gentoo resources are spread
across the globe and LDAP gives us a central location to manage them. There are
-four levels of access or OU (organizational unit): anonymous, user, recruiters
-and infra, that are used to connect or <e>bind</e> to the LDAP database.
+four levels of access: anonymous, user, recruiter and infra that are used to
+control what can be changed in the LDAP database. These are controlled via
+special values in the gentooAccess attribute.</p>
+
+<p>
+You must connect or <e>bind</e> to the LDAP database either anonymously, or a
+known user. Binding anonymously will always grant only the anonymous level,
+while binding as a known user will grant you the level based on your user and
+potentially where you are connecting from.
</p>

<p>
-The <e>anonymous</e> OU is used for simple <e>read only</e> informational queries.
-All developers and staff can bind to LDAP as anonymous. If you don't specify an
-OU when you bind anonymous is assumed.
+The <e>anonymous</e> level is used for simple <e>read only</e> informational
+queries. All developers and staff can bind to LDAP as anonymous. If you don't
+specify a mode when you bind, anonymous is assumed.
</p>

<p>
-The <e>user</e> OU is used to add or change information in your own LDAP
-record. Things like your latitude and longitude, ssh public key and so on.
-All developers and staff are members of the user OU.
+The <e>user</e> level is used to add or change information in your own LDAP
+record. Things like your latitude and longitude, ssh public key and so on. All
+users can access the <e>user</e> level, by binding as themselves with the mode
+specified, and providing their password.
</p>

<p>
-<e>recruiters</e> is a special OU used by recruiters to create new LDAP entries
-or to alter existing ones for any user including their own. If you are a
-Recruiter you <e>must</e> bind to LDAP as 'recruiter' for any operation including
-another users record or your own.
+The <e>recruiter</e> level enables recruiters to add new users, and perform
+some administrative changes to users.
</p>

<p>
-The <e>infra</e> OU is also a special OU that is used by members of the Infrastructure
-Project to manage the various resources within Gentoo. Although this is used
-mainly for managing machine accounts, the infra OU can also alter any other users
-record.
+The <e>infra</e> level enables the infrastructure team full power over LDAP,
+and is additionally protected by only being available from ldap1.gentoo.org
+(toucan.gentoo.org).
</p>

<note>
-All write operations performed by recruiters or infra must be performed on
-ldap1.gentoo.org (roadrunner.gentoo.org).
+All write operations performed by infra must be performed on ldap1.gentoo.org
+(toucan.gentoo.org). Normal user and recruiter write operations may be
+performed on any LDAP-connected Gentoo box, however it is strongly recommended
+that you use dev.gentoo.org (woodpecker.gentoo.org).
</note>

</body>
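Review bot: in the new second paragraph, "either anonymously, or a known user" drops the preposition and should read "or as a known user". The same paragraph says the granted level depends on "where you are connecting from", and the infra paragraph says the infra level is "only being available from ldap1.gentoo.org (toucan.gentoo.org)"; that host restriction is the one control standing between a stolen user password and "full power over LDAP", so the text should say what is actually checked (the client's source address as seen by the server, or a local connection on ldap1) rather than leave it implied. Also, this hunk renames ldap1's host from roadrunner to toucan while a later hunk in the same patch still gives "roadrunner.gentoo.org" as the FQDN example for gentooAccess; update both or say the old name is still valid.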
@@ -110,11 +120,11 @@ ldap1.gentoo.org (roadrunner.gentoo.org)
<body>

<p>
-Currently we have two LDAP servers available. The <e>master</e> server and a
-<e>slave</e> server. The <e>master</e> LDAP server is reachable at
-<e>ldap1.gentoo.org</e>. The <e>slave</e> server is <e>ldap2.gentoo.org</e> and
-it connects every 60 seconds to the <e>master</e> looking up changes and
-resyncing the database if necessary.
+Currently we have three LDAP servers available. The <e>master</e> server and two
+<e>slave</e> servers. The <e>master</e> LDAP server is reachable at
+<e>ldap1.gentoo.org</e>. The <e>slave</e> servers are <e>ldap2.gentoo.org</e>,
+<e>ldap3.gentoo.org</e> and it connects every 60 seconds to the <e>master</e>
+to replicate changes from the master.
</p>

<p>
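Review bot: the last two added lines have a number-agreement slip: with two slaves, "<e>ldap3.gentoo.org</e> and it connects every 60 seconds" should be "and each connects every 60 seconds", and the conjunction between the two slave names is missing ("<e>ldap2.gentoo.org</e> and <e>ldap3.gentoo.org</e>"). "to replicate changes from the master" repeats "master" within the same sentence; "to the <e>master</e> to pull any changes" reads better.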
@@ -122,14 +132,14 @@ Every update operation must be done on <
(which means writing some entry) is performed on the <e>slave</e> a referral to
the <e>master</e> is issued. This is transparently handled and all attempts to
update against the slave will be redirected to the <e>master</e>. Connections
-are validated via TLS + password. The password is your toucan one and it's going
-to be the same for all LDAP_aware boxes in the future.
+are validated via TLS + password. The password is your dev one and is the same
+for all LDAP-aware boxes.
</p>

<p>
We use a custom script, <c>perl_ldap</c> that uses <e>Net::LDAP</e>, for accessing
and modifying the database, it allows only a predefined set of actions but it
-should cover 90% of the cases. In the following chapters we explain how to use it.
+should cover 95% of the cases. In the following chapters we explain how to use it.
</p>

<note>
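Review bot: "your dev one" is ambiguous in the new line; the note a few lines above recommends dev.gentoo.org, so say "your dev.gentoo.org password" explicitly. Bumping "90%" to "95%" of cases is an unsourced estimate either way; "most cases" would do. Since the preceding context lines say a write against a slave is transparently referred to the master, the "TLS + password" sentence should also make clear that the client re-binds with the same credential on ldap1 when it follows the referral, so TLS must be required on the master as well as on the slave the client first contacted.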
@@ -149,9 +159,11 @@ in #gentoo-infra for help with this.

<p>
The following attributes are included in the Gentoo Schema. Note the 'Access
-Level' needed for each attribute.
+Level' needed to write each attribute. Anonymous reading is allowed unless
+otherwise noted. Required fields are emphasised.
</p>

+<!-- Please keep this list in alphabetical order, sorted by the attribute name -->
<table>
<tr>
<th>Attribute Name</th>
@@ -161,25 +173,46 @@ Level' needed for each attribute.
<th>Format</th>
</tr>
<tr>
- <ti>gentooLocation</ti>
+ <ti>birthday</ti>
+ <ti>user (not globally readable)</ti>
+ <ti>developer birthday</ti>
+ <ti>single, optional</ti>
+ <ti>UTF-8</ti>
+ </tr>
+ <tr>
+ <ti><e>gentooAccess</e></ti>
+ <ti>infra, top level recruiters only</ti>
+ <ti>developer access level</ti>
+ <ti>multiple, required</ti>
+ <ti>UTF-8</ti>
+ </tr>
+ <tr>
+ <ti>gentooAlias</ti>
<ti>infra, recruiters</ti>
- <ti>developer location</ti>
- <ti>single, required</ti>
+ <ti>alternate names for this developer</ti>
+ <ti>multiple, required</ti>
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooLatitude, lat</ti>
+ <ti>gentooGPGFingerprint, gpgfingerprint</ti>
<ti>user</ti>
- <ti>latitude coordinate</ti>
+ <ti>GPG key fingerprint</ti>
<ti>single, optional</ti>
- <ti>numeric string</ti>
+ <ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooLongitude, lon</ti>
+ <ti><e>gentooGPGkey, gpgkey</e></ti>
<ti>user</ti>
- <ti>longitude coordinate</ti>
- <ti>single, optional</ti>
- <ti>numeric string</ti>
+ <ti>GPG key uid</ti>
+ <ti>single, required</ti>
+ <ti>UTF-8</ti>
+ </tr>
+ <tr>
+ <ti>gentooIM</ti>
+ <ti>user</ti>
+ <ti>instant messaging ID</ti>
+ <ti>multiple, optional</ti>
+ <ti>UTF-8</ti>
</tr>
<tr>
<ti>gentooJoin</ti>
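Review bot: with the previous hunk now stating that anonymous reading is allowed unless otherwise noted, only birthday carries "(not globally readable)" in these rows, so the table documents gentooAccess (the hosts and groups a user may log into) and the GPG and SSH attributes as anonymously readable; confirm that is intended and, if not, mark them the way birthday is. The gentooAccess access level reads "infra, top level recruiters only" here but "infra and a few selected recruiters" in a later hunk; use one phrase. gentooAlias is described as "alternate names for this developer" yet marked "multiple, required"; if every entry must carry at least one alias, say what it defaults to, otherwise this should be "optional". Finally, gentooGPGkey ("GPG key uid") is required while gentooGPGFingerprint is optional; a key ID does not uniquely identify a key, the fingerprint does, so if the record is meant to pin a developer's key the fingerprint is the attribute that should be required.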
@@ -189,63 +222,66 @@ Level' needed for each attribute.
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooAccess</ti>
- <ti>infra, recruiters</ti>
- <ti>developer access level</ti>
- <ti>multiple, required</ti>
- <ti>UTF-8</ti>
+ <ti>gentooLatitude, lat</ti>
+ <ti>user</ti>
+ <ti>latitude coordinate</ti>
+ <ti>single, optional</ti>
+ <ti>signed decimal string</ti>
</tr>
<tr>
- <ti>gentooStatus</ti>
- <ti>infra, recruiters</ti>
- <ti>developer status</ti>
+ <ti><e>gentooLocation</e></ti>
+ <ti>user</ti>
+ <ti>developer location</ti>
<ti>single, required</ti>
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooGPGkey, gpgkey</ti>
+ <ti>gentooLongitude, lon</ti>
<ti>user</ti>
- <ti>gpg key uid</ti>
+ <ti>longitude coordinate</ti>
<ti>single, optional</ti>
- <ti>UTF-8</ti>
+ <ti>signed decimal string</ti>
</tr>
<tr>
- <ti>gentooGPGFingerprint, gpgfingerprint</ti>
- <ti>user</ti>
- <ti>gpg key fingerprint</ti>
+ <ti>gentooRetire</ti>
+ <ti>infra, recruiters</ti>
+ <ti>developer retirement date</ti>
<ti>single, optional</ti>
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooRoles</ti>
- <ti>infra,recruiters</ti>
+ <ti><e>gentooRoles</e></ti>
+ <ti>user</ti>
<ti>developer projects</ti>
- <ti>single, optional</ti>
+ <ti>single, required</ti>
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>gentooHerd, herd</ti>
+ <ti><e>gentooStatus</e></ti>
<ti>infra,recruiters</ti>
- <ti>developer herd</ti>
- <ti>single, optional</ti>
+ <ti>developer status</ti>
+ <ti>single, required</ti>
<ti>UTF-8</ti>
</tr>
<tr>
- <ti>sshPublicKey</ti>
+ <ti><e>sshPublicKey</e></ti>
<ti>user</ti>
<ti>OpenSSH public key</ti>
- <ti>multiple, optional</ti>
- <ti>UTF-8</ti>
- </tr>
- <tr>
- <ti>birthday</ti>
- <ti>user</ti>
- <ti>developer birthday</ti>
- <ti>single, optional</ti>
+ <ti>multiple, required</ti>
<ti>UTF-8</ti>
</tr>
</table>

+<note>
+All dates are presently expected to be in the form DD MMMM YYYY, and are being
+being migrated to ISO8601, after which, the field will have validation enabled.
+</note>
+
+<p
+>The following attributes were in use at some point in the past, but have
+been retired: <e>gentooHerd</e>, <e>gentooAltMail</e>, <e>gentooForumsUID</e>.
+</p>
+
</body>
</section>
<section>
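Review bot: the added note reads "are being being migrated" (doubled word), "ISO8601" should be "ISO 8601", and the comma after "after which" should go. The added paragraph splits its tag as "<p" on one line and ">The following" on the next; it is well-formed but unlike every other paragraph in the file, so keep "<p>" on its own line. In the rows, gentooRoles becomes user-writable and "single, required" while the old prose removed later in this patch treated it as multi-valued; if a developer in several projects is expected to list them all in one value, the description should say so. The gentooStatus row still has "infra,recruiters" without a space where the other rows use "infra, recruiters".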
@@ -320,7 +356,7 @@ The following are the most common option

<ul>
<li>
- <c>-b OU</c> used to bind to the LDAP server. If you don't specify
+ <c>-b MODE</c> used to bind to the LDAP server. If you don't specify
<e>user</e>, the script will default to <e>anonymous</e> and be <e>read
only</e>.
</li>
@@ -339,7 +375,7 @@ The following are the most common option
<c>-C ATTRIBUTE NEWVALUE <username></c> creates a new attribute for
the specified user
</li>
- <li><c>-E ATTRIBUTE</c> erases an attribute</li>
+ <li><c>-E ATTRIBUTE OLDVALUE <username></c> erases an attribute</li>
</ul>

</body>
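Review bot: the new -E line now takes an OLDVALUE but the description still says "erases an attribute"; it removes the matching value (the whole attribute only when it is single-valued), which is exactly what the sshPublicKey and mail erase examples later in this patch rely on, so describe it that way.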
@@ -370,9 +406,13 @@ of the most commonly changed attributes.
# <i>perl_ldap -b user -M gentooGPGkey "1AF343E" <username></i>
</pre>

-<pre caption="Change your public SSH key">
-<comment>(substitute 'pubkey' with the path to your public SSH key. ex: "~/.ssh/id_dsa.pub". You should have one sshPublicKey attribute per key!)</comment>
-# <i>perl_ldap -b user -M sshPublicKey "$(cat pubkey)" <username></i>
+<pre caption="Add a new public SSH key">
+<comment>(substitute 'pubkey' with the path to your public SSH key. ex: "~/.ssh/id_dsa.pub". You should have one sshPublicKey attribute per key! No newlines!)</comment>
+# <i>perl_ldap -b user -A sshPublicKey "$(cat pubkey)" <username></i>
+</pre>
+
+<pre caption="Erase an old public SSH key">
+# <i>perl_ldap -b user -E sshPublicKey "$(cat oldpubkey)" <username></i>
</pre>

</body>
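Review bot: the new "Add a new public SSH key" example uses -A, but the option list in this patch documents -C ATTRIBUTE NEWVALUE <username> for adding a value and uses -A only as "perl_ldap -b user -A <username>" to add a new user; one of the two is wrong, and since this example passes an attribute name and a value it should presumably be -C. Separately, "No newlines!" is a real hazard for a login credential: $(cat pubkey) strips only trailing newlines, so a file holding two keys or a wrapped key is stored as one corrupt value, and the erase example only matches if oldpubkey is byte-for-byte the stored value; say "the file must contain exactly one key on a single line".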
@@ -390,55 +430,43 @@ a recruiter.
</p>

<p>
-When dealing with users that belong to a sub-OU the <c>-o OU | -b OU</c> option
-must be used, this will be clarified in the examples. The command <c>-b OU</c>
-must be used if the <e>binding user</e> belongs to a sub-OU, the command
-<c>-o OU</c> must be used if <e>the target user</e> belongs to a sub-OU.
+When dealing with users that belong to a sub-OU the <c>-o OU</c> option
+must be used, this will be clarified in the examples. The command <c>-o OU</c>
+must be used if <e>the target user</e> belongs to a sub-OU.
</p>

<p>
The following examples will show you how to change attributes for users, recruiters
-and infra. All write operations performed by one user against another user
-must be performed on ldap1.gentoo.org (roadrunner.gentoo.org).
+and infra. All write operations performed by infra against another user must be
+performed on ldap1.gentoo.org (toucan.gentoo.org).
</p>

<p>
-Some attributes, like gentooRoles and sshPublickey, allow multi_values. To append an
-additional value to the exiting ones use <c>-C</c>. To overwrite the existing values
-use <c>-M</c>.
+Some attributes, like <e>sshPublickey</e>, and <e>mail</e>, allow multi-values. To append an
+additional value to the exiting ones use <c>-C</c>. You may not use <c>-M</c>
+with multi-valued attributes.
</p>

<pre caption="Modify (overwrite) an existing attribute for a user">
-# <i>perl_ldap -b recruiters -M gentooGPGkey "1AF343E" <username></i>
-</pre>
-
-<pre caption="Modify (overwrite) an existing attribute if the target user is recruiters or infra">
-# <i>perl_ldap -b recruiters -o recruiters -M gentooGPGkey "1AF343E" <username></i>
-# <i>perl_ldap -b recruiters -o infra -M gentooGPGkey "1AF343E" <username></i>
+# <i>perl_ldap -b user -M gentooGPGkey "0x1AF343EB" <username></i>
</pre>

<pre caption="Delete an attribute for a user">
-# <i>perl_ldap -b recruiters -E gentooRoles <username></i>
-
-<comment>(If value is specified then only the matching attribute is removed, this is useful for multi_valued attributes.)</comment>
-# <i>perl_ldap -b recruiters -E gentooRoles "forums" <username></i>
+# <i>perl_ldap -b user -E mail "myoldaddress@×××××××.com" <username></i>
</pre>

-<pre caption="Add a new user">
-# <i>perl_ldap -b recruiters -A <username></i>
+<pre caption="Add a new user (infra, recruiters)">
+# <i>perl_ldap -b user -A <username></i>
</pre>

-<pre caption="Delete a user">
-# <i>perl_ldap -b recruiters -D <username></i>
+<pre caption="Delete a user (infra)">
+# <i>perl_ldap -b user -D <username></i>
</pre>

-<pre caption="Create or modify multi_value attributes">
+<pre caption="Create or modify multi-value attributes">
<comment>(Create a new attribute while preserving the existing ones. Use the command multiple times to add addtional attributes)</comment>
-# <i>perl_ldap -b recruiters -C gentooRoles "forums" <username></i>
-# <i>perl_ldap -b recruiters -C gentooRoles "devrel" <username></i>
-
-<comment>(overwrite the existing values with a new one)</comment>
-# <i>perl_ldap -b recruiters -M gentooRoles "forums" <username></i>
+# <i>perl_ldap -b user -C mail "myaltaddress@×××××××.com" <username></i>
+# <i>perl_ldap -b user -C mail "backup@×××××××.com" <username></i>
</pre>

</body>
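Review bot: the rewritten sub-OU paragraph says the same thing twice ("the <c>-o OU</c> option must be used ... The command <c>-o OU</c> must be used if <e>the target user</e> belongs to a sub-OU") joined by a comma splice; one sentence is enough. In the multi-value paragraph, "exiting" should be "existing" (carried over from the old text), the attribute is "sshPublicKey" not "sshPublickey", and the comma after "<e>sshPublickey</e>" is stray. The overwrite example stores gentooGPGkey as "0x1AF343EB", an eight-hex-digit short key ID; since the table makes this the required GPG attribute and the fingerprint optional, show the full fingerprint instead, or at least note that a short ID does not uniquely identify a key. "addtional" in the unchanged comment line is misspelt as well.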
@@ -449,15 +477,18 @@ use <c>-M</c>.

<p>
Infra can change their own attributes or those of another user. You <b>must</b>
-bind as <e>infra</e> to change any attributes, including your own. To change
-your own attributes use the examples from the "users" section above. To change
-another users record use the examples from the "recruiters" section.
+bind as <e>user</e> to change any attributes, including your own. To change
+your own attributes use the examples from the "users" section above from any
+LDAP-aware machine. To change another users record, you must be using perl_ldap
+from ldap1.gentoo.org.
</p>

<p>
The attribute <c>gentooAccess</c> controls which boxes a user can login to. Only
infra and a few selected recruiters are allowed to create and modify this
-multi_value attribute. The FQDN must be used (ex. roadrunner.gentoo.org).
+multi-value attribute. The FQDN must be used (ex. roadrunner.gentoo.org).
+Some special values also exist: infra.group, infra-ldapadmin.group,
+infra-cvsadmin.group, infra-system.group, recruiters.group.
</p>

</body>
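Review bot: "The FQDN must be used (ex. roadrunner.gentoo.org)" is kept unchanged although this patch renames the ldap1 host to toucan.gentoo.org elsewhere; use a hostname that is still current. The new sentence lists infra.group, infra-ldapadmin.group, infra-cvsadmin.group, infra-system.group and recruiters.group as "special values", but the Key Concepts hunk says these values are what grant the anonymous/user/recruiter/infra levels, so state which value maps to which level (and what infra-ldapadmin.group adds beyond infra.group), since this attribute is the authorization record for every Gentoo host. "another users record" should be "another user's record".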
@@ -472,6 +503,7 @@ multi_value attribute. The FQDN must be
<ul>
<li>Master LDAP Server - ldap1.gentoo.org</li>
<li>Slave LDAP Server - ldap2.gentoo.org</li>
+ <li>Slave LDAP Server - ldap3.gentoo.org</li>
<li><uri link="http://www.tldp.org/HOWTO/html_single/LDAP-HOWTO">LDAP HOWTO</uri></li>
</ul>

-- 
gentoo-commits@g.o mailing list