NAME
lcmaps_voms_localaccount.mod - LCMAPS plugin to switch user identity based on
VOMS credentials by local accounts
SYNOPSIS
lcmaps_voms_localaccount.mod [-gridmapfile gridmapfile]
[--add-primary-gid-from-mapped-account]
[--do-not-add-primary-gid-from-mapped-account]
[--add-primary-gid-as-secondary-gid-from-mapped-account]
[--add-secondary-gids-from-mapped-account]
[-use_voms_gid|-use-voms-gid]
DESCRIPTION
This VOMS localaccount acquisition plugin is a 'VOMS-aware' modification of the
lcmaps_localaccount.mod(8) plugin. The plugin tries to find a local
account (more specifically a UserID) based on the VOMS information that is
available from the LCMAPS framework, in particular the Fully Qualified
Attribute Names (FQAN).
The VOMS credentials need to be available from the LCMAPS
framework.
OPTIONS
- -gridmapfile gridmapfile
- This file must contain mappings from FQANs to (local) user account names.
If this option is set, it will override the default path of the gridmapfile.
It is advised to use an absolute path to the gridmapfile to avoid using the
wrong file (path).
- --add-primary-gid-from-mapped-account
- After the account is mapped, add the primary Group ID from the
passwd-file/LDAP of the mapped account as a part of the mapping result.
Default is to not add the primary Group ID.
- --do-not-add-primary-gid-from-mapped-account
- After the account is mapped, explicitly avoid adding the primary Group ID
from the passwd-file/LDAP of the mapped account as a part of the mapping
result. Default is to not add the primary Group ID.
- --add-primary-gid-as-secondary-gid-from-mapped-account
- After the account is mapped, add the primary Group ID from the
passwd-file/LDAP of the mapped account as a secondary Group ID as a part
of the mapping result.
- --add-secondary-gids-from-mapped-account
- After the account is mapped, add the secondary Group ID(s) from the
groups-file/LDAP of the mapped account as secondary Group ID(s) as a
part of the mapping result.
- -use_voms_gid|-use-voms-gid
- Warning: Default enabled! Switching this on will disable the
automatic inclusion of the primary Group ID and secondary Group ID(s) of
the mapped account as a part of the mapping result. We advise switching
this option on by default.
RETURN VALUES
- LCMAPS_MOD_SUCCESS
- Success.
- LCMAPS_MOD_FAIL
- Failure.
NOTES
Since version 1.6.0 the voms_localaccount plugin supports grid-mapfile entries
with multiple usernames, separated by a comma without whitespace. This can be
used in combination with specifying a requested username (such as by
gsissh), to pick any of these accounts. When no requested username is
specified, the first is used. This requires LCMAPS version 1.6.0 or newer.
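The selection rule described above, sketched as an added example; this is not LCMAPS code. The sample file content, the function names, exact-string FQAN matching, first-entry-wins for duplicate FQANs, and returning no mapping when a requested username is not listed are all assumptions of the sketch.

```python
import shlex

# Constructed sample grid-mapfile content; FQANs and account names are made up.
SAMPLE_GRIDMAP = '''\
# FQAN                        local account(s)
"/examplevo/Role=production"  prodmgr
"/examplevo/ops"              opsa,opsb,opsc
"/examplevo/ops"              shadowed
"/examplevo/broken            unterminated
'''


def parse_gridmap(text):
    """Return {fqan: [account, ...]} from grid-mapfile style text."""
    table = {}
    for line in text.splitlines():
        try:
            # Splits on whitespace, honours the quoted FQAN and '#' comments.
            fields = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quote: skip the line rather than guess
        if len(fields) != 2:
            continue  # blank, comment-only or malformed line
        fqan, accounts = fields
        names = accounts.split(",")  # comma-separated, no whitespace
        if not all(names):
            continue  # empty name such as "a,,b": treat the entry as malformed
        table.setdefault(fqan, names)  # assumption: first entry for an FQAN wins
    return table


def select_account(table, fqans, requested=None):
    """Pick the local account for the first FQAN that yields a mapping.

    Without a requested username the first listed account is used; with one,
    it is returned only if it is listed for a matching FQAN. Anything else
    gives None (assumption: the mapping fails), so a caller can never obtain
    an account the grid-mapfile does not list for its FQANs.
    """
    for fqan in fqans:  # exact string match only (simplification)
        names = table.get(fqan)
        if names is None:
            continue
        if requested is None:
            return names[0]
        if requested in names:
            return requested
    return None


if __name__ == "__main__":
    table = parse_gridmap(SAMPLE_GRIDMAP)
    print(select_account(table, ["/examplevo/ops"]))
    print(select_account(table, ["/examplevo/ops"], requested="opsc"))
    print(select_account(table, ["/examplevo/ops"], requested="root"))
```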
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
<grid-mw-security@nikhef.nl>.