doc-{general,direct}.html

David B Harris Thu, 26 Feb 2004 11:31:31 -0600

Hey there. I've attached new versions of
http://db.debian.org/doc-direct.html and
http://db.debian.org/doc-general.html.


Quick summary of changes:
- doc-general.html:
    Updating and clarification of the "Security and Privacy" section,
    documenting that the developer-only information requires either that
    the connection be made from a .debian.org machine (and pointing to
    doc-direct.html for a tutorial on how to do that), or via the web
    interface after you've authenticated
- doc-direct.html:
    A fairly major reworking, updating how things are done (-x needs to
    be supplied to ldapsearch these days), pointing out that one should
    use .debian.org, that sort of thing.

I say "you should use gluck" because the DAM welcome message I got not
long ago said that gluck was the general shell machine. I don't know if
another developer-accessible machine would be more appropriate; if
that's the case, feel free to just change that bit.

I'm not subscribed to this list, but I'd be more than happy to have any
replies CC:'d to me.

Title: Debian GNU/Linux -- Direct LDAP Access

Direct LDAP Access

Since the compromise, the information available to non-developers via the LDAP interface has been limited a great deal. However, as always, the full database is accessible from any .debian.org machine. If you wish relatively unfettered access to the LDAP database, connect to it from a .debian.org machine, such as gluck.debian.org (which is recommended for general shell usage anyhow).

The LDAP utilities package (ldap-utils) provides a utility called ldapsearch that can be used to execute direct queries to the database. This is done by supplying the following arguments to ldapsearch: -x -H ldap://db.debian.org -b dc=debian,dc=org. Alternatively, the -H and -b options can be put in one's ~/.ldaprc, in the following form:

[ [EMAIL PROTECTED]: ~/ ]$ cat ~/.ldaprc
HOST db.debian.org
BASE dc=debian,dc=org

-x tells ldapsearch to use "simple" (non-SASL, non-Kerberos) authentication. There appears to be no ~/.ldaprc option which does the same as -x. With these parameters specified, we're ready to begin searching. Here's an example:

[ [EMAIL PROTECTED]: ~/ ]$ ldapsearch -x uid=dbharris keyfingerprint
<snip>
# dbharris, users, debian, org
dn: uid=dbharris,ou=users,dc=debian,dc=org
keyFingerPrint: CC53F12435C07BC258FE7A3C157DDFD959DDCB9F
<snip>

The first non-option argument (uid=dbharris in this case) is the query to perform, and the rest of the arguments are the attributes to return. If you only specify the query, but don't provide any attributes to return, all readable attributes are returned. While the example was quite simple, complex queries can be performed as well:

[ [EMAIL PROTECTED]: ~/ ]$ ldapsearch -x -H ldap://db.debian.org -b dc=debian,dc=org '(&(!(loginshell=/bin/bash))(uid=*))' loginshell

That query shows users that do not use bash as their shell. Some other interesting queries are:

Count the number of developers (&(keyfingerprint=*)(gidnumber=800))
Show people in a certain group gidmembership=adm
People named james cn=james
Someone whos last name phonetically sounds like 'Ackerma' sn~=ackerm
All the sparcs host=sparc

RFC 2254 has more information about the filter expressions.

Other LDAP Browsers

The GQ package has a graphical LDAP browser that can browse the debian.org tree. It is somewhat ungainly with the large number of entries in our directory, but it does work nonetheless. Configuration is similar, use the preferences dialog to add a new host with the information given above.

Netscape has a browser for their mailer, but I have never been able to get it to work, please email if you have any luck.

To my knowledge there are no interfaces for popular mailers like mutt and gnus. Such an interface would allow using the directory as an enhanced address book.

Back to the Debian Project homepage.

You can contact us at [EMAIL PROTECTED].

Last Modified: Fri, Sep 26 18:19:30 UTC 2003
Copyright © 1997-2003 SPI; See license terms
Debian is a registered trademark of Software in the Public Interest, Inc.

Title: Debian GNU/Linux -- General LDAP Documentation

General LDAP Documentation

debian.org uses a single LDAP driven directory for account management across all the project run machines. This directory also provides services for leaving vacation notices, updating xplanet coordinates, email forwarding, ssh authentication keys and other information.

Note: the 'passwd' program and 'chfn' do not work with LDAP information. Please use the web page or email gateway for the time being. All machines running OpenSSH are using replicated SSH RSA authentication keys.

Security and Privacy

Three levels of information security are provided by the database. The first is completely public information that anyone can see either by issuing an LDAP query or by visiting the web site. The next level is "developer-only" information that requires the search to be performed from a .debian.org machine (see this tutorial on how to use ldapsearch from a .debian.org machine for a direct connection to the LDAP daemon) or from the web interface after one has authenticated themselves as a Debian Developer. The final level is admin-only or user-only information; this information can only be viewed by the user or an administrator.

developer-only information includes precise location information [postalcode, postal address, lat/long] telephone numbers, and the vacation message.

Admin-only/user-only information includes email forwarding, ssh keys and the encrypted password. Note that email forwarding is necessarily publicly viewable from accounts on the actual machines.

Entries in the directory are keyed to the developers PGP key, whoever has that key can make any change to the directory through the mail interface.

Access

The directory has several means to access it:

SSL Web Forms
Finger gateway, finger [EMAIL PROTECTED]
Mail gateway
Direct LDAP Access
LDAP command line tools such as ud-info

Lost or forgotten password instructions