We can now directly update LDAP records - That means that key updates
can now be handled directly by us. There are several tools that can be
used for this purpose - I'm using ud-info. For this, I have to use the
Debian password (and given I dislike passwords, I always regenerate it
by following http://db.debian.org/password.html and throwing it away).

keyring-maint has access to updating DD keys, but _not_ to change
their account status - That is, creating new DD accounts and retiring
DDs requires reassigning the tickets to DSA.

To edit a DD's entry, we specify his username - In this case, I will
edit Julien Danjou (acid)'s record (only the first couple of lines
shown), and a short menu of actions:

$ ud-info -r -u acid
Accessing LDAP entry for 'acid' as 'gwolf'
gwolf's password: 

Julien Danjou <acid@debian.org>
Password last changed   : Mon 13/10/2008 UTC
PGP/GPG Key Fingerprints: 9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
      Unix User ID      : 'acid' (id=2491, gid=800)
(...)
   a) Arbitary Change
   r) retire developer
   R) Randomize Password
   L) Lock account and disable mail
   p) Change Password
   u) Switch Users
   x) Exit

We request an arbitrary change for the "keyfingerprint"
attribute. Note that it appears as empty - Disregardl

Change? a
Attr? keyfingerprint
Old value: ''
Press enter to leave unchanged and a single space to set to empty
New? 5361 BD40 015B 7438 2739  101A 611B A950 8B78 A5C2
Setting.

The record will be shown again. Note that the old key will still be
shown! You can switch user ('u') to the same user again and verify the
change is in place.


*** Helper script helps!

    The parse-git-changelog script will generate a ldap-update
    file. Each line contains the updates for a user: Debian login,
    old key fingerprint, new key fingerprint.

    Following that file is a real time saver for this step! :)