.\" In .TH, FOO should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.\"
.\" This template provided by Tom Christiansen.
.\"
.TH LCMAPS_VOMS_POOLGROUP.MOD 8 "March 14, 2012" "Stichting FOM/Nikhef" "Site Access Control"
.SH NAME
lcmaps_voms_poolgroup.mod \- LCMAPS plugin to switch user identity based on VOMS credentials by pool groups
.SH SYNOPSIS
.nh
.ad l
.B lcmaps_voms_poolgroup.mod
.RB [ -groupmapfile
.IR groupmapfile ]
.RB [ -groupmapdir
.IR groupmapdir ]
.RB [ --map-to-secondary-groups ]
.RB [ -override_inconsistency ]
.RB [ -mapall ]
.RB [ -mapmin
.IR "number of minimal mappings" ]
.RB [ -strict_poolprefix_match
.IR yes_or_no ]
.hy
.ad b
.SH DESCRIPTION
This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the
\fBlcmaps_poolgroup.mod\fR(8) plugin. The plugin tries to find a local group
(more specifically a Group ID) based on the VOMS information that is available
from LCMAPS, in particular the Fully Qualified Attribute Names (FQANs). The
group is acquired from a group pool. The groups in the group pool must exist on
the system, either locally or through a centralized account database, e.g.
LDAP.
.PP
The \fBgroupmapdir\fR directory is used as a persistent and open mapping
database. A pool is defined as a set of groups following a particular naming
pattern, e.g. pool001 or atlas001. In this directory the plug-in creates a new
file whose name is the VOMS FQAN in URL-encoded form. Example showing the
output of ls \-li:
.PP
.nf
1836080 \-rw\-r\-\-r\-\- 2 root root %2fdteam%2f
1836080 \-rw\-r\-\-r\-\- 2 root root dteam001
.fi
.PP
This filename is hardlinked to the mapped group name. Creating this hardlink is
designed to be an atomic operation and has been verified to work on large
installations serving multiple services from one NFS share. The VOMS
credentials need to be available from the LCMAPS framework.
.SH OPTIONS
.TP
.BI "-groupmapfile " groupmapfile
This option sets the groupmapfile path. The plug-in opens the file and uses its
content for the FQAN to Group ID mapping. The same formatting rules as for the
grid-mapfile apply to the groupmapfile. Provide a full path.
.TP
.BI "-groupmapdir " groupmapdir
A directory used for the group mapping database, similar to the gridmapdir. It
is important not to mix the gridmapdir and groupmapdir directories.
.TP
.BI "--map-to-secondary-groups"
When enabled, the plug-in maps all the FQANs of the user to secondary Group
IDs. No primary Group ID is set by this plug-in when this option is enabled.
.TP
.BI "-override_inconsistency"
If the poolgroup is mapped from a URL-encoded VOMS FQAN to a group name, and
the gridmapfile states that this user needs to move to another pool, then the
plug-in remaps the user to the new pool. Without this option the plug-in fails
if an existing mapping for the user credentials exists but does not map to the
configured pool.
.TP
.BI "-mapall"
When enabled, a failure is triggered if not all of the FQANs could be mapped to
primary or secondary Group IDs.
.TP
.BI "-mapmin " "number of minimal mappings"
This option sets the minimum number of groups that have to be resolved for
later mapping. If the minimum is not set, it defaults to '0'. If the plugin is
not able to acquire the required number of poolgroups it fails. Note: if the
minimum is set to zero or is not set, the plugin returns success if no other
errors occur, even if no poolgroups were found.
.TP
.BI "-strict_poolprefix_match " yes/no
If this is set to 'yes', a line in the groupmapfile like \fB.poolgr\fR will
result in groups matching the regexp \fBpoolgr[0-9]+\fR. Otherwise it is
allowed to match \fBpoolgr.*\fR (legacy behaviour).
.SH "RETURN VALUES"
.TP
.B LCMAPS_MOD_SUCCESS
Success.
.TP
.B LCMAPS_MOD_FAIL
Failure.
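.SH EXAMPLES
The following Python script is an added illustration and is not part of this
plug-in or of LCMAPS. It models the groupmapdir allocation described in
DESCRIPTION (a pool entry is free while its link count is 1; the URL-encoded
FQAN is hardlinked to it, and the link count is re-checked afterwards so that
two concurrent allocators cannot both keep the same entry), the existing-mapping
and \fB-override_inconsistency\fR behaviour from OPTIONS, and the two pool
regexps selected by \fB-strict_poolprefix_match\fR. The function names,
the percent-encoding of every non-alphanumeric character (the page only shows
'/' becoming %2f), and the sample pool entries created in a temporary directory
are assumptions made for this example.

```python
"""Model of the groupmapdir hardlink allocation scheme (added example,
not the plug-in's own code). Assumptions: helper names are invented,
non-alphanumeric bytes are %-encoded in lower-case hex, and the pool
entries are constructed in a temporary directory."""
import os
import re
import tempfile


def encode_fqan(fqan: str) -> str:
    """URL-encode a VOMS FQAN the way the sample ls -li output shows it
    ('/dteam/' -> '%2fdteam%2f'); other characters are encoded the same
    way by assumption."""
    return "".join(c if (c.isascii() and c.isalnum()) else "%%%02x" % ord(c)
                   for c in fqan)


def pool_pattern(prefix: str, strict: bool) -> re.Pattern:
    """Regexp for the pool named '.<prefix>' in the groupmapfile:
    strict  -> prefix[0-9]+ (-strict_poolprefix_match yes)
    lenient -> prefix.*     (legacy behaviour)."""
    return re.compile(re.escape(prefix) + (r"[0-9]+$" if strict else r".*$"))


def acquire_group(groupmapdir: str, fqan: str, prefix: str,
                  strict: bool = True, override_inconsistency: bool = False) -> str:
    """Return the pool group name for fqan, leasing a free entry if needed."""
    key = os.path.join(groupmapdir, encode_fqan(fqan))
    pat = pool_pattern(prefix, strict)
    entries = sorted(n for n in os.listdir(groupmapdir) if pat.match(n))

    if os.path.lexists(key):
        # Existing mapping: the key shares an inode with exactly one pool entry.
        ino = os.stat(key).st_ino
        for name in entries:
            if os.stat(os.path.join(groupmapdir, name)).st_ino == ino:
                return name
        # The key points into another pool than the one configured now.
        if not override_inconsistency:
            raise LookupError("%s is already mapped outside pool %s" % (fqan, prefix))
        os.unlink(key)  # -override_inconsistency: drop the old lease and remap

    for name in entries:
        path = os.path.join(groupmapdir, name)
        if os.stat(path).st_nlink != 1:
            continue  # entry already leased to some other FQAN
        try:
            os.link(path, key)  # atomic; EEXIST means another process mapped fqan
        except FileExistsError:
            return acquire_group(groupmapdir, fqan, prefix, strict, override_inconsistency)
        if os.stat(path).st_nlink == 2:
            return name  # we are the only holder of this entry
        os.unlink(key)  # lost a race for this entry; release it and try the next
    raise LookupError("pool %s is exhausted" % prefix)


def demo() -> dict:
    """Run the scheme on constructed pool entries and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("dteam001", "dteam002", "dteam003", "atlas001"):
            open(os.path.join(d, n), "w").close()
        first = acquire_group(d, "/dteam/", "dteam")
        second = acquire_group(d, "/dteam/Role=lcgadmin", "dteam")
        repeat = acquire_group(d, "/dteam/", "dteam")  # same FQAN -> same group
        try:
            acquire_group(d, "/dteam/", "atlas")      # mapped elsewhere: refused
            refused = False
        except LookupError:
            refused = True
        moved = acquire_group(d, "/dteam/", "atlas", override_inconsistency=True)
        return {"first": first, "second": second, "repeat": repeat,
                "refused": refused, "moved": moved}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the mapping outcomes for the constructed pool; on a
real site the entries would be pre-created group names that exist locally or in
LDAP, and the directory would be the configured \fBgroupmapdir\fR.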
.SH BUGS
Please report any errors to the Nikhef Grid Middleware Security Team.
.SH "SEE ALSO"
.BR lcmaps.db (5),
.BR lcmaps (3).
.SH AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team.