SYNOPSIS
lcmaps_voms_poolaccount.mod [-gridmapfile|-GRIDMAPFILE|-gridmap|-GRIDMAP <location grid-mapfile>] [-gridmapdir|-GRIDMAPDIR <location gridmapdir>] [-do_not_use_secondary_gids] [-do_not_require_primary_gid]
This poolaccount acquisition plugin is a VOMS-aware modification of the 'poolaccount' plugin. Its main purpose is to gather credential information from the given VOMS acquisition plugin and to obtain a UID from it. The Plugin Manager's credential data structure holds all VO-GROUP-ROLE(-CAPABILITY) values that were extracted from the certificate. This plugin takes the first known VO-GROUP-ROLE combination from that data and compares it with the entries in the same 'grid-mapfile' that the localaccount and poolaccount plugins use. In that file, VO-GROUP-ROLE combinations are stored with each entry mapping to a poolaccount.
EXAMPLE:
"/VO=wilma/GROUP=*" .test
"/VO=fred/GROUP=*" .test
When a user presents a certificate whose first known VO is 'wilma', the plugin obtains a poolaccount from the '.test' pool; this could yield 'test001' as the poolaccount for this user. The link between '/VO=wilma/GROUP=*', this user and a poolaccount must be made in the same directory that the Poolaccount Plugin uses, otherwise there is a great chance of inconsistency when both are used on a site. The same filename and i-node link is made as by the Poolaccount Plugin, with one small change in the filename derived from the user's Distinguished Name: it is no longer only the DN but has all the gathered groups concatenated (attached) to the DN. So a linked DN could look like:
EXAMPLE DN with pool/localgroups attached: 2fo3ddutchgrid2fo3dusers2fo3dnikhef2fcn3dmartijn20steenbakkers3apool0013abogus13abogus23abogus33abogus43apool0023apool0033apool0043apool0053apool0063apool0073apool0083apool0093apool010
This means that when a user's VO-GROUP-ROLE data, their supplementary VO 'identity', changes, the gathered groups change with it. That change in the supplementary identity results in a different poolaccount on the site's system. Only the supplementary identity is affected, because the user's Distinguished Name is unchanged: physically and digitally it is the same user, but with different rights and obligations.
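The mapping chain described above, as an added example that is not part of LCMAPS itself: it parses a grid-mapfile in the two-column form shown, picks the pool for the user's first VO-GROUP-ROLE value, builds the gridmapdir lease name from the DN plus the gathered groups, and claims a pool account by hard link so that no two leases can share one account. The wildcard semantics of '*' in a mapfile entry, the lease-name encoding (ASCII letters and digits kept and lowercased, every other byte written as two hex digits, which reproduces the example name quoted above), and the DN, FQAN, group and pool names are all assumptions or constructed data, not taken from the plugin's source. The demo() function also shows what -do_not_use_secondary_gids changes: with it, only the primary group enters the lease name, so an extra secondary group no longer yields a new account.

```python
import os
import re
import tempfile

# Constructed grid-mapfile in the two-column form shown on this page.
MAPFILE_TEXT = '''
"/VO=wilma/GROUP=*" .test
"/VO=fred/GROUP=*" .test
'''
MAPFILE_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return (pattern, target) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if m is None:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        entries.append((m.group(1), m.group(2)))
    return entries


def lookup_pool(entries, fqan):
    """First matching entry wins. Assumption: '*' matches any remainder of the
    field and a target with a leading '.' names a pool rather than an account."""
    for pattern, target in entries:
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(rx, fqan):
            if not target.startswith("."):
                raise ValueError("%r maps to a fixed account, not a pool" % pattern)
            return target[1:]
    return None


def encode_lease_name(dn, groups=()):
    """gridmapdir file name for a DN plus its gathered groups. Assumed encoding:
    ASCII letters/digits kept (lowercased), every other byte as two hex digits."""
    key = ":".join([dn, *groups]).encode("utf-8")
    return "".join(chr(b).lower() if chr(b).isascii() and chr(b).isalnum()
                   else "%02x" % b for b in key)


def _is_pool_file(name, pool):
    return name.startswith(pool) and name[len(pool):].isdigit()


def acquire_pool_account(gridmapdir, pool, lease_name):
    """Pool accounts are files 'test001', 'test002', ...; a lease is a hard link
    to one of them named after the encoded DN+groups, so a pool file with link
    count 1 is free. The plain poolaccount plugin must share this directory:
    both hand out accounts from the same link counts."""
    lease = os.path.join(gridmapdir, lease_name)
    if os.path.exists(lease):                 # existing mapping: reuse it
        ino = os.stat(lease).st_ino
        for name in os.listdir(gridmapdir):
            if _is_pool_file(name, pool) and os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
                return name
        raise RuntimeError("lease %s does not point into pool %s" % (lease_name, pool))
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if not _is_pool_file(name, pool) or os.stat(path).st_nlink != 1:
            continue
        try:
            os.link(path, lease)              # atomic claim of this account
        except FileExistsError:               # this DN got mapped meanwhile
            return acquire_pool_account(gridmapdir, pool, lease_name)
        if os.stat(path).st_nlink == 2:       # exactly our link: claim is exclusive
            return name
        os.unlink(lease)                      # raced another lease; try the next account
    raise RuntimeError("pool %s is exhausted" % pool)


def demo(use_secondary_gids=True):
    """Map one DN with two different sets of gathered groups and report the
    accounts. With use_secondary_gids=False only the primary group enters the
    lease name, which is what -do_not_use_secondary_gids does."""
    entries = parse_mapfile(MAPFILE_TEXT)
    dn = "/O=dutchgrid/O=users/O=nikhef/CN=martijn steenbakkers"   # constructed
    fqan = "/VO=wilma/GROUP=/wilma/ROLE=NULL"                      # constructed
    pool = lookup_pool(entries, fqan)
    groups_a = ["wilma", "wilmaadm"]               # primary group first (constructed)
    groups_b = ["wilma", "wilmaadm", "wilmaprod"]  # one extra secondary group
    keep = (lambda g: g) if use_secondary_gids else (lambda g: g[:1])
    with tempfile.TemporaryDirectory() as gmd:
        for i in range(1, 4):                      # a pool of three free accounts
            open(os.path.join(gmd, "%s%03d" % (pool, i)), "w").close()
        first = acquire_pool_account(gmd, pool, encode_lease_name(dn, keep(groups_a)))
        again = acquire_pool_account(gmd, pool, encode_lease_name(dn, keep(groups_a)))
        after = acquire_pool_account(gmd, pool, encode_lease_name(dn, keep(groups_b)))
    return {"pool": pool, "first": first, "again": again, "after_group_change": after}


if __name__ == "__main__":
    print(demo(use_secondary_gids=True))
    print(demo(use_secondary_gids=False))
```

The link-count check after os.link is the part worth copying: stat-then-link is not atomic, so a second mapper can link the same free account in between; checking that the pool file has exactly two links afterwards, and releasing the lease otherwise, is what keeps one DN-plus-groups per account.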
NOTE 1
This plugin only runs successfully when the localgroup and/or poolgroup plugin has already been run. There is no check whether another plugin has already run; when the expected data is missing a notice is written to the logs indicating that one should have.
NOTE 2
If both '-do_not_require_primary_gid' and '-do_not_use_secondary_gids' were selected in the plugin's initialization string the plugin would become rather useless: the user would need neither a primary GID nor any secondary GIDs, so the plugin would not fail even when no credentials at all had been gathered from the VOMS data. Using these two settings together is therefore prohibited; selecting both is blocked.
OPTIONS
-GRIDMAPFILE <gridmapfile>
See -gridmap
-gridmapfile <gridmapfile>
See -gridmap
-GRIDMAP <gridmapfile>
See -gridmap
-gridmap <gridmapfile>
When this option is set in the initialization string it overrides the default path to the grid-mapfile. Use an absolute path to the grid-mapfile to avoid using the wrong file (path). If the option is given without a path to the grid-mapfile, initialisation of the plugin fails and the plugin will not run until it has been disposed and reloaded.
-GRIDMAPDIR <gridmapdir>
See -gridmapdir
-gridmapdir <gridmapdir>
Here you can override the default directory path to the 'gridmapdir'. This directory should be the same directory as the one used by the 'normal' Poolaccount plugin. It holds all the poolaccount mappings that have been or will be made by linking filenames to an i-node, each link indicating a mapping between a Distinguished Name with its gathered VO-GROUP-ROLE combinations and a poolaccount.
-do_not_use_secondary_gids
This makes the DN and VO-GROUP-ROLE mapping to a poolaccount depend only on the DN and the group designated as the user's primary group in its credential data. This prevents the user from constantly creating new mappings to other poolaccounts because of a slight change in the VOMS credentials in their proxy certificate.
-do_not_require_primary_gid
The user normally always needs a primary GID: the plugin checks this value and fails if another plugin has not provided the Plugin Manager's credential data structure with a primary GID. If a primary GID may still be obtained later, this command line option can be used. It disables the check for the existence of the primary GID (and the resulting plugin failure). The primary GID is (logically) needed at this point because a link for the mapping process is made in the groupmapdir; to make sure the credentials are correct and complete, the system should have a primary GID.
SEE ALSO
lcmaps_ldap_enf.mod, lcmaps_poolaccount.mod, lcmaps_posix_enf.mod, lcmaps_voms.mod
Generated by doxygen 1.2.8.1 written by Dimitri van Heesch, © 1997-2001