.TH LCMAPS_VOMS_LOCALACCOUNT.MOD 8 "February 6, 2015" "Stichting FOM/Nikhef" "Site Access Control"
.SH NAME
lcmaps_voms_localaccount.mod \- LCMAPS plugin to switch user identity based on VOMS credentials by local accounts
.SH SYNOPSIS
.nh
.ad l
.B lcmaps_voms_localaccount.mod
.RB [ \-gridmapfile
.IR grid-mapfile ]
.RB [ \-\-do-not-add-primary-gid-from-mapped-account ]
.RB [ \-\-add-primary-gid-from-mapped-account ]
.RB [ \-\-add-primary-gid-as-secondary-gid-from-mapped-account ]
.RB [ \-\-do-not-add-secondary-gids-from-mapped-account ]
.RB [ \-\-add-secondary-gids-from-mapped-account ]
.RB [ \-\-use-voms-gid | \-\-use_voms_gid | \-use_voms_gid ]
.RB [ \-\-use-account-gid ]
.hy
.ad b
.SH DESCRIPTION
This VOMS localaccount acquisition plugin is a 'VOMS-aware' modification of the \fBlcmaps_localaccount.mod.8\fR plugin.
The plugin tries to find a local account (more specifically a UserID) based on the VOMS information that is available from LCMAPS, in particular the Fully Qualified Attribute Names (FQANs).
It will try to find a FQAN to local account name mapping in the grid-mapfile.
The plugin will resolve the UID, GID and all the secondary GIDs of the mapped local (system) account username.
.SH OPTIONS
.TP
.BI "\-gridmapfile " grid-mapfile
This file must contain FQANs to (local) user account name mappings.
It is strongly advised to set this option and to set it to an absolute path to avoid usage of the wrong file(path).
When unset, the plugin will try to obtain the value from one of the environment variables (see \fBENVIRONMENT\fR).
When those are also unset, the default depends on whether the plugin runs inside a (setuid-)root application.
In the (setuid-)root case, the default is \fI/etc/grid-security/grid-mapfile\fR.
In the non-(setuid-)root case, the default is \fI/.gridmap\fR.
In a (setuid-)root application, relative paths are taken with respect to \fI/etc/grid-security/\fR.
.TP
.BI "\-\-do-not-add-primary-gid-from-mapped-account"
After the account is mapped, do \fINOT\fR add the primary Group ID from the passwd-file/LDAP of the mapped account as a part of the mapping result.
Default is to add the primary Group ID, unless \fB\-\-use-voms-gid\fR is specified.
See also \fB\-\-add-primary-gid-from-mapped-account\fR, \fB\-\-add-primary-gid-as-secondary-gid-from-mapped-account\fR and \fB\-\-use-voms-gid\fR.
.TP
.BI "\-\-add-primary-gid-from-mapped-account"
After the account is mapped, add the primary Group ID from the passwd-file/LDAP of the mapped account as a part of the mapping result.
Default is to add the primary Group ID, unless \fB\-\-use-voms-gid\fR is specified.
See also \fB\-\-do-not-add-primary-gid-from-mapped-account\fR, \fB\-\-add-primary-gid-as-secondary-gid-from-mapped-account\fR and \fB\-\-use-voms-gid\fR.
.TP
.BI "\-\-add-primary-gid-as-secondary-gid-from-mapped-account"
After the account is mapped, add the primary Group ID from the passwd-file/LDAP of the mapped account as a secondary Group ID as a part of the mapping result (possibly in addition to adding it as a primary Group ID).
Default is to add it only as primary Group ID.
See also \fB\-\-do-not-add-primary-gid-from-mapped-account\fR, \fB\-\-add-primary-gid-from-mapped-account\fR and \fB\-\-use-voms-gid\fR.
.TP
.BI "\-\-do-not-add-secondary-gids-from-mapped-account"
After the account is mapped, do \fINOT\fR add the secondary Group ID(s) from the groups-file/LDAP of the mapped account as secondary Group ID(s) as a part of the mapping result.
Default is to add the sGIDs, unless \fB\-\-use-voms-gid\fR is specified.
See also \fB\-\-add-secondary-gids-from-mapped-account\fR and \fB\-\-use-voms-gid\fR.
.TP
.BI "\-\-add-secondary-gids-from-mapped-account"
After the account is mapped, add the secondary Group ID(s) from the groups-file/LDAP of the mapped account as secondary Group ID(s) as a part of the mapping result.
Default is to add the secondary Group ID(s), unless \fB\-\-use-voms-gid\fR is specified.
See also \fB\-\-do-not-add-secondary-gids-from-mapped-account\fR and \fB\-\-use-voms-gid\fR.
.TP
.BI "\-\-use-voms-gid" \fR|\fI "\-\-use_voms_gid" \fR|\fI "\-use_voms_gid"
By default this plugin will add the primary and secondary Group ID(s) from the passwd-file/groups-file/LDAP of the mapped account as part of the mapping result.
Specifying this option will override that default.
Part or all of the group information can still be added by using the \fB\-\-add-*\fR flags.
We advise switching this option \fBon\fR by default.
See also \fB\-\-use-account-gid\fR.
.TP
.BI "\-\-use-account-gid"
This option has the opposite effect of the option \fB\-\-use-voms-gid\fR, instructing the plugin to add the mapped account group information to the mapping result.
This is currently already the default and hence this option has no effect.
See also \fB\-\-use-voms-gid\fR.
.SH RETURN VALUES
.TP
.B LCMAPS_MOD_SUCCESS
Success.
.TP
.B LCMAPS_MOD_FAIL
Failure.
.SH ENVIRONMENT
.TP
GRIDMAP | GLOBUSMAP | globusmap | GlobusMap
When no grid-mapfile is specified as option to the plugin, it will try to obtain the file location from one of these environment variables.
.SH NOTES
Since version 1.6.0 the voms_localaccount plugin supports grid-mapfile entries with multiple usernames, separated by a comma without whitespace.
This can be used in combination with specifying a \fBrequested username\fR (such as by gsissh), to pick any of these accounts.
When no \fBrequested username\fR is specified, the first is used.
This requires LCMAPS version 1.6.0 or newer.
.SH BUGS
Please report any errors to the Nikhef Grid Middleware Security Team.
.SH SEE ALSO
.BR lcmaps.db (5),
.BR lcmaps (3).
.SH AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team.
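.SH EXAMPLES
The following Python audit helper is an added example and is not code from LCMAPS or its authors.
It applies the account selection rule from \fBNOTES\fR to grid-mapfile entries and lists the entries through which one FQAN can reach several local accounts.
The quoted-key entry syntax, the sample VO and account names, and the refusal of a requested username that the entry does not list are assumptions.
.PP
.nf
```python
# Added example: audit grid-mapfile entries that list several accounts.
# Assumed entry syntax (not defined on this page): "<FQAN>" account[,account...]
import shlex


def parse_gridmap(text):
    """Return [(key, [accounts]), ...]; raise ValueError on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            # "a, b" lands here: the list is comma-separated WITHOUT whitespace
            raise ValueError("line %d: expected one key and one account list" % lineno)
        accounts = fields[1].split(",")
        if "" in accounts:
            raise ValueError("line %d: empty account name" % lineno)
        entries.append((fields[0], accounts))
    return entries


def select_account(accounts, requested=None):
    """First account when no username is requested; otherwise the requested
    one only if the entry lists it (returning None otherwise is an assumption)."""
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


def multi_account_entries(entries):
    """Entries through which one key can reach more than one local account."""
    return [(key, accts) for key, accts in entries if len(accts) > 1]


# Constructed sample, not taken from a real site.
SAMPLE = """
# comment lines and blank lines are skipped
"/examplevo/Role=production" exprd
"/examplevo/Role=sgm" exsgm,exprd,exuser
"/examplevo" exuser
"""

if __name__ == "__main__":
    for key, accts in multi_account_entries(parse_gridmap(SAMPLE)):
        print(key, "->", ", ".join(accts), "(default:", select_account(accts) + ")")
```
.fi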