Diffstat (limited to 'doc')
-rw-r--r--  doc/ad-query-hints.org |  65
-rw-r--r--  doc/dirmngr.texi       |   9
-rw-r--r--  doc/gpg.texi           |   6
-rw-r--r--  doc/gpgsm.texi         |  20
4 files changed, 97 insertions, 3 deletions
diff --git a/doc/ad-query-hints.org b/doc/ad-query-hints.org new file mode 100644 index 000000000..fd32a5831 --- /dev/null +++ b/doc/ad-query-hints.org 
@@ -0,0 +1,65 @@ + + +* Examples + +** List the DNs of all users in our QAUsers group + +: ad_query --subst --attr=dn +: ^OU=QAUsers,$domain&sub&(&(objectcategory=person)(objectclass=user)) + +** List the DN using the user's mail address + +: ad_query --subst --attr=dn,userAccountControl +: (&(objectcategory=person)(objectclass=user) +: (|([email protected]) +: ([email protected]))) + +After that the userControlFlags should be checked - see below for +the bit flags. For a non-disabled user use: + +: if ((userControlFlags & 0x0212) == 0x200)) +: use_this_user() + + +* Useful attributes + +** userAccountControl + +These are bit flags. For details see +https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum + +- 0x00000002 :: ADS_UF_ACCOUNTDISABLE, the account is disabled. +- 0x00000010 :: ADS_UF_LOCKOUT, the account is temporarily locked out. +- 0x00000100 :: ADS_UF_TEMP_DUPLICATE_ACCOUNT, this is an account for + a user whose primary account is in another domain. +- 0x00000200 :: ADS_UF_NORMAL_ACCOUNT, the default account type that + represents a typical user. +- 0x00000800 :: ADS_UF_INTERDOMAIN_TRUST_ACCOUNT, the account for a + domain-to-domain trust. +- 0x00001000 :: ADS_UF_WORKSTATION_ACCOUNT, the computer account for a + computer that is a member of this domain. +- 0x00002000 :: ADS_UF_SERVER_TRUST_ACCOUNT, the computer account for + a DC. +- 0x00010000 :: ADS_UF_DONT_EXPIRE_PASSWD, the password will not expire. +- 0x04000000 :: ADS_UF_PARTIAL_SECRETS_ACCOUNT, the computer account + for an RODC. + +For example to select only user accounts which are not disabled or +are locked out could naivly be used: + +: (userAccountControl:1.2.840.113556.1.4.803:=512) + +1.2.840.113556.1.4.803 is bit wise AND, 1.2.840.113556.1.4.804 is bit +wise OR. However, because a mask can't be specified, this is not really +useful. Thus the above needs to be replaced by explicit checks; i.e. 
+ +: (&(userAccountControl:1.2.840.113556.1.4.804:=512) +: (!(userAccountControl:1.2.840.113556.1.4.804:=2)) +: (!(userAccountControl:1.2.840.113556.1.4.804:=16))) + +I'd suggest to also add explict checks on the returned data. + + +* Resources + +- https://qa.social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index 8da4dcd37..84f568692 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi @@ -180,7 +180,7 @@ available flags the sole word "help" can be used. This option is only useful for testing; it sets the system time back or forth to @var{epoch} which is the number of seconds elapsed since the year 1970. Alternatively @var{epoch} may be given as a full ISO time string -(e.g., "20070924T154812"). +(e.g. "20070924T154812"). @item --debug-level @var{level} @opindex debug-level @@ -344,7 +344,8 @@ whether Tor is locally running or not. The check for a running Tor is done for each new connection. If no keyserver is explicitly configured, dirmngr will use the -built-in default of @code{https://keyserver.ubuntu.com}. +built-in default of @code{https://keyserver.ubuntu.com}. To avoid the +use of a default keyserver the value @code{none} can be used. Windows users with a keyserver running on their Active Directory may use the short form @code{ldap:///} for @var{name} to access this directory. @@ -426,7 +427,9 @@ force the use of the default responder. @item --honor-http-proxy @opindex honor-http-proxy If the environment variable @env{http_proxy} has been set, use its -value to access HTTP servers. +value to access HTTP servers. If on Windows the option is used but +the environment variable is not set, the proxy settings are taken +from the system. @item --http-proxy @var{host}[:@var{port}] @opindex http-proxy diff --git a/doc/gpg.texi b/doc/gpg.texi index 8203c1466..17de880ea 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
@@ -2715,6 +2715,12 @@ The available properties are: second is the same but given as an ISO date string, e.g., "2016-08-17". (drop-sig) + @item sig_expires + @itemx sig_expires_d + The expiration time of a signature packet or 0 if it does not + expire. The second is the same but given as an ISO date string or + an empty string e.g. "2038-01-19". + @item sig_algo A number with the public key algorithm of a signature packet. (drop-sig) diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 602a39f50..0d4fb2fcc 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -732,6 +732,13 @@ instead to make sure that the gpgsm process exits with a failure if the compliance rules are not fulfilled. Note that this option has currently an effect only in "de-vs" mode. +@item --always-trust +@opindex always-trust +Force encryption to the specified certificates without any validation +of the certificate chain. The only requirement is that the +certificate is capable of encryption. Note that this option is +ineffective if @option{--require-compliance} is used. + @item --ignore-cert-with-oid @var{oid} @opindex ignore-cert-with-oid Add @var{oid} to the list of OIDs to be checked while reading @@ -1621,6 +1628,10 @@ The leading two dashes usually used with @var{opt} shall not be given. Return OK if the connection is in offline mode. This may be either due to a @code{OPTION offline=1} or due to @command{gpgsm} being started with option @option{--disable-dirmngr}. +@item always-trust +Returns OK of the connection is in always-trust mode. That is either +@option{--always-trust} or @option{GPGSM OPTION always-trust} are +active. @end table @node GPGSM OPTION 
@@ -1727,6 +1738,15 @@ If @var{value} is true or @var{value} is not given all network access is disabled for this session. This is the same as the command line option @option{--disable-dirmngr}. +@item always-trust +If @var{value} is true or @var{value} is not given encryption to the +specified certificates is forced without any validation of the +certificate chain. The only requirement is that the certificates are +capable of encryption. If set to false the standard behaviour is +re-established. This option is cleared by a RESET and after each +encrypt operation. Note that this option is ignored if +@option{--always-trust} or @option{--require-compliance} are used. + @item input-size-hint This is the same as the @option{--input-size-hint} command line option. |
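Review bot: in doc/ad-query-hints.org the pseudo-code check for the mail-address example reads `if ((userControlFlags & 0x0212) == 0x200))`, but the attribute requested by the query and documented under "Useful attributes" is `userAccountControl`; there is no `userControlFlags`, and the line has one more closing parenthesis than opening ones. Suggest `if ((userAccountControl & 0x0212) == 0x200)` and the same attribute name in the sentence introducing it. In the same example the two alternatives inside `(|...)` appear as `([email protected])`, which is not an attribute=value assertion and so not a valid LDAP filter clause; the mail attribute being matched needs to be spelled out. Further down, "which are not disabled or are locked out" should read "which are neither disabled nor locked out" to match the filter that follows, and "naivly" and "explict" are typos. The bit-flag reasoning itself is right: a single `:1.2.840.113556.1.4.803:=512` clause only tests that the 512 bit is set, so the separate negated checks for 2 and 16 are needed.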
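Review bot: in the dirmngr.texi keyserver hunk, "To avoid the use of a default keyserver the value @code{none} can be used" does not say what then happens to a keyserver request (refused with an error, or silently no lookup); one clause stating the resulting behaviour would make the setting usable without reading the source.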
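Review bot: the new --honor-http-proxy sentence "If on Windows the option is used but the environment variable is not set, the proxy settings are taken from the system" is hard to parse and leaves open which system setting is consulted. Suggest "On Windows, if this option is given but @env{http_proxy} is not set, the system proxy settings are used" and naming the setting that is read, so that an administrator can predict which proxy dirmngr will contact.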
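Review bot: in the gpg.texi hunk the example is attached to the wrong clause: "given as an ISO date string or an empty string e.g. "2038-01-19"" reads as if the empty string were the example. Suggest "given as an ISO date string, e.g. "2038-01-19", or an empty string if the signature does not expire". The neighbouring entries (the one ending "(drop-sig)" just above and sig_algo below) mark which filter they apply to; the new sig_expires/sig_expires_d entry lacks that marker and should carry it the same way, presumably also "(drop-sig)" since it describes a signature packet. The context line above also writes "e.g.," with a comma while the new text writes "e.g." without one; pick one form for the file.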
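Review bot: the --always-trust entry in gpgsm.texi should spell out the security consequence of "without any validation of the certificate chain": nothing checks that the certificate chains to a trusted root, and because that is where revocation and validity-period checks live, those are not performed either, so encryption goes to whatever certificate the given selector matches. A one-sentence warning that this is intended for cases where the recipient certificate has been verified out of band would help, as would saying how "capable of encryption" is decided (e.g. from the key usage extension). The sentence about @option{--require-compliance} taking precedence is good and should stay.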
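Review bot: typo and number agreement in the new GETINFO always-trust entry: "Returns OK of the connection is in always-trust mode. That is either @option{--always-trust} or @option{GPGSM OPTION always-trust} are active" should read "Returns OK if the connection is in always-trust mode, that is, if either @option{--always-trust} or the @code{OPTION always-trust} command is active". @option{} is for command-line options; the entry two lines up marks the Assuan command as @code{OPTION offline=1}, and the same markup should be used here.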
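Review bot: in the OPTION always-trust hunk, "this option is ignored if @option{--always-trust} or @option{--require-compliance} are used" is misleading for --always-trust: with the command-line option in effect the behaviour requested by OPTION always-trust is already active, so it is redundant rather than ignored; only --require-compliance actually overrides it. Suggest "has no further effect if @option{--always-trust} is given and is ignored if @option{--require-compliance} is used" (also "is used", not "are used"). Since the flag "is cleared by a RESET and after each encrypt operation", it is worth telling Assuan clients explicitly that it must be sent before every ENCRYPT rather than once per session.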