Provided by: lcas-lcmaps-gt4-interface_0.3.0-2_amd64 bug

NAME

       lcas_lcmaps_gt_interface - A Globus GSI-AuthZ plug-in to run LCAS and LCMAPS

SYNOPSIS

       lcas_lcmaps_gt_interface

       lcas_lcmaps_gt4_interface

DESCRIPTION

       This  is  a  plug-in to be loaded from a GSI-AuthZ capable Globus service. The feature was
       introduced in Globus GT4 and is available for GT5. The purpose  of  this  call-out  is  to
       authorize  a  user  by  running  the LCAS framework and map the user credentials to a Unix
       account based using the LCMAPS framework. Both LCAS and LCMAPS  are  frameworks  that  run
       configured plug-ins to do the real work.

       Some  of  the  plug-ins  are  capable  of imposing certain policy on the user credentials,
       others are capable of off-loading the decision  to  a  centralized  service  to  make  the
       decision or even provide an account mapping in the process.

       This  plug-in  is  dynamically  loaded  during  each  interaction that requires an account
       mapping in the GSI-AuthZ interface of a Globus service.

ENVIRONMENT VARIABLES

       LLGT_LOG_FILE
              When this variable is set and it can be opened as file, log output will go  to  the
              given  file instead of to syslog. When either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is
              unset, it will also be set to this same file.

       LLGT_LOG_FACILITY
              Change  the  default  logging  facility  with  the  $LLGT_LOG_FACILITY  environment
              variable.  Use  the  name of (standard syslog) facility names. Example: LOG_DAEMON,
              LOG_LOCAL1, etcetera

       LLGT_LOG_IDENT
              The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This will be
              the  identifying  string  in  Syslog for the current process. Not using this option
              will let Syslog (or one of the GT services) to set these options.  By  default  the
              Syslog ident will be set to the executable name.

       LLGT_RUN_LCAS
              Set  the  environment  variable  $LLGT_RUN_LCAS to "no", "disabled" or "disable" to
              avoid LCAS to run prior to the LCMAPS.

              There is a matching ./configure option "--enable-lcas" which can be used to  change
              the  default  behaviour to run LCAS or not. The $LLGT_RUN_LCAS environment variable
              can still influence the LCAS run.

       LLGT_LIFT_PRIVILEGED_PROTECTION
              Normally the callout, after LCMAPS has  finished,  checks  whether  it  is  (still)
              running  with  root  privileges  (uid,  euid, gid or egid) and fails if that is the
              case. This is to prevent erroneous configurations to silently  result  in  a  root-
              account mapping in services that do not have their own checks for this.

              When the environment variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, this check is
              disabled. This is NEEDED for services that:

              1.) don't user switch, and run as root.

              2.) services that expect only a username to be returned and perform the user switch
              themselves, e.g. the Globus GSI-OpenSSHd.

       LLGT_CACHE_CALLOUT
              Set  the  environment variable $LLGT_CACHE_CALLOUT to "no", "disabled" or "disable"
              to disable reusing the result of the `localname' callout for the `userok'  callout.
              This results in calling the LCAS/LCMAPS authorization twice for e.g. gsisshd.

       LLGT_DLCLOSE_LCMAPS
              Set  the environment variable $LLGT_DLCLOSE_LCMAPS to "no", "disabled" or "disable"
              to prevent calling dlclose() on the LCMAPS library.  This  might  be  needed  as  a
              workaround on RH5-based systems in an installation for gsisshd, when the use of PAM
              is enabled ("UsePAM Yes" in the /etc/gsissh/sshd_config).  The underlying bug is  a
              combination  between  the  OpenSSL,  VOMS  and  PAM  libraries, which can trigger a
              segfault when VOMS is initialized twice.

       LLGT_DLCLOSE_LCAS
              Set the environment variable $LLGT_DLCLOSE_LCAS to "no", "disabled" or "disable" to
              prevent calling dlclose() on the LCAS library. This might be needed as a workaround
              on RH5-based systems. The underlying bug is a combination between the OpenSSL, VOMS
              and  Globus libraries, which can trigger a segfault when VOMS is initialized twice,
              which can happen when LCAS is using a VOMS based plugin.  Normally  should  not  be
              needed as LCAS is now dlclosed and terminated after LCMAPS.

       LLGT_NO_CHANGE_USER (deprecated)
              Depreciated  $LLGT_NO_CHANGE_USER  in  favour  of $LLGT_LIFT_PRIVILEGED_PROTECTION.
              (Depreciation does not mean non-functional anymore)

       LLGT4_NO_CHANGE_USER (deprecated)
              Depreciated $LLGT4_NO_CHANGE_USER in  favour  of  $LLGT_LIFT_PRIVILEGED_PROTECTION.
              (Depreciation does not mean non-functional anymore)

       LLGT_VOMS_DISABLE_CREDENTIAL_CHECK
              The VOMS credentials are verified by the LCMAPS framework before further processing
              is done in the plug-ins. The LCMAPS framework has an API to enable or  disable  the
              verification  of the VOMS credentials and this option will disable the verification
              of the VOMS credentials. A vanilla LCMAPS build will verify the VOMS credentials by
              default.

       LLGT_VOMS_ENABLE_CREDENTIAL_CHECK
              Similar  to  the  $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK  environment  variable,  this
              setting will enable the verification of the VOMS credentials, overriding the LCMAPS
              default  setting  to  have  the  verification of VOMS credentials to be disabled. A
              vanilla LCMAPS build will verify the VOMS credentials by default, the OSG build has
              is disabled by default.

       LLGT_LCAS_LIBDIR
              Support  for  an  alternative  LCAS_LIBDIR  as  a  run-time  setting  by  exporting
              $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"

       LLGT_LCMAPS_LIBDIR
              Support for an  alternative  LCMAPS_LIBDIR  as  a  run-time  setting  by  exporting
              $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"

       LLGT_ENABLE_DEBUG
              If  the  $LLGT_ENABLE_DEBUG environment variable is set, then the debugging message
              logged at level LOG_DEBUG are passed to the log. The scope of this setting is  only
              within the LCAS-LCMAPS-GT-interface

INTERNAL ENVIRONMENT VARIABLES

       GATEKEEPER_JM_ID
              An environment variable that is internally set to uniquely identify this gatekeeper
              and the job manager.

       JOB_REPOSITORY_ID
              Similar to the $GATEKEEPER_JM_ID value, but its  purpose  is  for  the  LCMAPS  job
              repository plug-in.

LCAS ENVIRONMENT VARIABLES

       LCAS_DEBUG_LEVEL
              Debug level

LCMAPS ENVIRONMENT VARIABLES

       LCMAPS_DEBUG_LEVEL
              For  LCMAPS  1.5.0  (and  newer) the value "5" corresponds to Syslog LOG_DEBUG, "4"
              corresponds to LOG_INFO, "3" to LOG_NOTICE and so on. The LCMAPS default is to  log
              up to LOG_INFO.

RETURN VALUES

       True   The user is authorized and a local Unix account was procured.

       False  No mapping was possible.

NOTES

       From  version  0.3.0  onwards,  the  interface  tries to forward the requested username to
       LCMAPS (for version 1.6.0 and up). The mapping plugins can use this  to  support  multiple
       username  entries  in  the  grid-mapfile,  or enforcing poolaccount mappings to a specific
       poolaccount.

BUGS

       Please report any errors to the Nikhef Grid Middleware  Security  Team  <grid-mw-security-
       support@nikhef.nl>.

SEE ALSO

       lcas.db(5), lcas(3).  lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw-
       security@nikhef.nl>.