Provided by: lcas-lcmaps-gt4-interface_0.3.0-2_i386

NAME

       lcas_lcmaps_gt_interface  -  A Globus GSI-AuthZ plug-in to run LCAS and
       LCMAPS

SYNOPSIS

       lcas_lcmaps_gt_interface

       lcas_lcmaps_gt4_interface

DESCRIPTION

       This is a plug-in to be loaded from a GSI-AuthZ capable Globus service.
       The feature was introduced in Globus GT4 and is available for GT5. The
       purpose of this call-out is to authorize a user by running the LCAS
       framework and to map the user credentials to a Unix account using the
       LCMAPS framework. Both LCAS and LCMAPS are frameworks that run
       configured plug-ins to do the real work.

       Some of the plug-ins are capable of imposing certain policy on the user
       credentials, others are  capable  of  off-loading  the  decision  to  a
       centralized  service  to  make  the decision or even provide an account
       mapping in the process.

       This  plug-in  is  dynamically  loaded  during  each  interaction  that
       requires  an  account  mapping  in  the GSI-AuthZ interface of a Globus
       service.

ENVIRONMENT VARIABLES

       LLGT_LOG_FILE
              When this variable is set and it can be opened as a file, log
              output will go to the given file instead of to syslog. When
              either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also
              be set to this same file.

       LLGT_LOG_FACILITY
              Change the default logging facility with the $LLGT_LOG_FACILITY
              environment variable. Use a standard syslog facility name, for
              example LOG_DAEMON, LOG_LOCAL1, etcetera.

       LLGT_LOG_IDENT
              The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident
              value. This will be the identifying string in Syslog for the
              current process. Not using this option lets Syslog (or one of
              the GT services) set these options. By default the Syslog ident
              will be set to the executable name.
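              The following is an added example, not code from the
              lcas-lcmaps-gt-interface project, showing how the three logging
              variables above can be resolved into either a log file or a
              syslog connection. The function names, the table of accepted
              facility names and the LOG_DAEMON fallback for an unknown or
              unset $LLGT_LOG_FACILITY are assumptions made for this
              illustration.

```c
/* Added example (not the project's code): resolve LLGT_LOG_FILE,
 * LLGT_LOG_FACILITY and LLGT_LOG_IDENT into a logging destination.
 * Function names and the LOG_DAEMON fallback are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Map a standard syslog facility name, as accepted in LLGT_LOG_FACILITY,
 * to its numeric value.  Returns -1 for NULL or an unknown name. */
int llgt_facility_from_name(const char *name)
{
    static const struct { const char *name; int value; } table[] = {
        { "LOG_AUTH",   LOG_AUTH },   { "LOG_DAEMON", LOG_DAEMON },
        { "LOG_USER",   LOG_USER },   { "LOG_LOCAL0", LOG_LOCAL0 },
        { "LOG_LOCAL1", LOG_LOCAL1 }, { "LOG_LOCAL2", LOG_LOCAL2 },
        { "LOG_LOCAL3", LOG_LOCAL3 }, { "LOG_LOCAL4", LOG_LOCAL4 },
        { "LOG_LOCAL5", LOG_LOCAL5 }, { "LOG_LOCAL6", LOG_LOCAL6 },
        { "LOG_LOCAL7", LOG_LOCAL7 },
    };
    size_t i;

    if (name == NULL)
        return -1;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0)
            return table[i].value;
    return -1;
}

/* Choose the log destination.  Returns an open FILE* when LLGT_LOG_FILE is
 * set and can be opened for appending (and propagates the path to
 * LCAS_LOG_FILE / LCMAPS_LOG_FILE when those are unset).  Returns NULL when
 * syslog is used instead; an unopenable file falls back to syslog. */
FILE *llgt_log_open(void)
{
    const char *path = getenv("LLGT_LOG_FILE");
    const char *facility_name = getenv("LLGT_LOG_FACILITY");
    const char *ident = getenv("LLGT_LOG_IDENT");  /* NULL: executable name */
    int facility;

    if (path != NULL) {
        FILE *fp = fopen(path, "a");
        if (fp != NULL) {
            if (getenv("LCAS_LOG_FILE") == NULL)
                setenv("LCAS_LOG_FILE", path, 1);
            if (getenv("LCMAPS_LOG_FILE") == NULL)
                setenv("LCMAPS_LOG_FILE", path, 1);
            return fp;
        }
    }
    facility = llgt_facility_from_name(facility_name);
    if (facility < 0)
        facility = LOG_DAEMON;  /* assumed fallback; not documented above */
    openlog(ident, LOG_PID, facility);
    return NULL;
}
```

              A service embedding the callout would call llgt_log_open() once
              at load time and write to the returned FILE* when it is non-NULL,
              otherwise to syslog(3).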

       LLGT_RUN_LCAS
              Set the environment variable $LLGT_RUN_LCAS to "no", "disabled"
              or "disable" to prevent LCAS from running prior to LCMAPS.

              There is a matching ./configure option "--enable-lcas" which can
              be used to change the default behaviour of whether LCAS runs or
              not. The $LLGT_RUN_LCAS environment variable can still influence
              the LCAS run.

       LLGT_LIFT_PRIVILEGED_PROTECTION
              Normally the callout, after LCMAPS has finished, checks whether
              it is (still) running with root privileges (uid, euid, gid or
              egid) and fails if that is the case. This is to prevent
              erroneous configurations from silently resulting in a
              root-account mapping in services that do not have their own
              checks for this.

              When the environment variable LLGT_LIFT_PRIVILEGED_PROTECTION is
              set, this check is disabled. This is NEEDED for services that:

              1.) do not switch user, and run as root.

              2.) expect only a username to be returned and perform the user
              switch themselves, e.g. the Globus GSI-OpenSSHd.
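              The check described above, written out as an added example
              (not the project's own implementation). The function names are
              assumptions; the logic follows the text: after the mapping, any
              of uid, euid, gid or egid still being 0 is a failure unless
              $LLGT_LIFT_PRIVILEGED_PROTECTION is present in the environment.

```c
/* Added example (not the project's code): the post-LCMAPS privileged
 * protection check.  Function names are assumptions. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 when any of the four ids is root (0), i.e. the process is still
 * privileged after the account mapping. */
int llgt_still_privileged(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == 0 || euid == 0 || gid == 0 || egid == 0;
}

/* Returns 0 when the callout may report success, -1 when it must fail.
 * lift_protection mirrors whether LLGT_LIFT_PRIVILEGED_PROTECTION is set. */
int llgt_privileged_protection(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                               int lift_protection)
{
    if (lift_protection)
        return 0;   /* service runs as root by design or switches user itself */
    return llgt_still_privileged(uid, euid, gid, egid) ? -1 : 0;
}

/* Wrapper over the live process ids and environment. */
int llgt_privileged_protection_env(void)
{
    int lift = getenv("LLGT_LIFT_PRIVILEGED_PROTECTION") != NULL;
    return llgt_privileged_protection(getuid(), geteuid(), getgid(), getegid(),
                                      lift);
}
```

              Note that a single id left at 0 (for instance an egid that was
              never changed) is enough to fail the check, which is what makes
              the protection useful against a half-completed user switch.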

       LLGT_CACHE_CALLOUT
              Set  the  environment  variable  $LLGT_CACHE_CALLOUT  to   "no",
              "disabled"  or  "disable"  to  disable reusing the result of the
              `localname' callout for the `userok' callout.  This  results  in
              calling the LCAS/LCMAPS authorization twice for e.g. gsisshd.

       LLGT_DLCLOSE_LCMAPS
              Set  the  environment  variable  $LLGT_DLCLOSE_LCMAPS  to  "no",
              "disabled" or "disable" to  prevent  calling  dlclose()  on  the
              LCMAPS  library.  This  might  be  needed  as  a  workaround  on
              RH5-based systems in an installation for gsisshd, when  the  use
              of PAM is enabled ("UsePAM Yes" in the /etc/gsissh/sshd_config).
              The underlying bug is a combination between  the  OpenSSL,  VOMS
              and  PAM  libraries,  which  can trigger a segfault when VOMS is
              initialized twice.

       LLGT_DLCLOSE_LCAS
              Set  the  environment  variable  $LLGT_DLCLOSE_LCAS   to   "no",
              "disabled" or "disable" to prevent calling dlclose() on the LCAS
              library. This might be  needed  as  a  workaround  on  RH5-based
              systems.  The  underlying  bug  is  a  combination  between  the
              OpenSSL, VOMS and Globus libraries, which can trigger a segfault
              when  VOMS  is  initialized twice, which can happen when LCAS is
              using a VOMS based plugin. Normally this should not be needed,
              as LCAS is now dlclosed and terminated after LCMAPS.
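              $LLGT_RUN_LCAS, $LLGT_CACHE_CALLOUT, $LLGT_DLCLOSE_LCMAPS and
              $LLGT_DLCLOSE_LCAS all share the same disabling values. The
              following added example (not the project's code) reads them
              into one runtime structure; the function and structure names,
              the exact-match comparison, and the enabled-by-default values
              for the latter three are assumptions, while the LCAS default is
              passed in to reflect the "--enable-lcas" build option.

```c
/* Added example (not the project's code): reading the LLGT_* on/off
 * toggles that accept "no", "disabled" or "disable".  Names are assumptions. */
#include <stdlib.h>
#include <string.h>

/* Return 1 when value is one of the documented disabling strings, 0 for
 * NULL or anything else (an exact, case-sensitive match is assumed). */
int llgt_is_disabled(const char *value)
{
    static const char *const off[] = { "no", "disabled", "disable" };
    size_t i;

    if (value == NULL)
        return 0;
    for (i = 0; i < sizeof off / sizeof off[0]; i++)
        if (strcmp(value, off[i]) == 0)
            return 1;
    return 0;
}

/* Read one toggle: the default applies unless the variable is set to a
 * disabling value. */
int llgt_toggle(const char *name, int default_on)
{
    return llgt_is_disabled(getenv(name)) ? 0 : default_on;
}

struct llgt_runtime {
    int run_lcas;        /* LLGT_RUN_LCAS; default comes from --enable-lcas */
    int cache_callout;   /* LLGT_CACHE_CALLOUT: reuse localname for userok */
    int dlclose_lcmaps;  /* LLGT_DLCLOSE_LCMAPS */
    int dlclose_lcas;    /* LLGT_DLCLOSE_LCAS */
};

/* lcas_default is the build-time choice (1 when --enable-lcas is on). */
struct llgt_runtime llgt_runtime_from_env(int lcas_default)
{
    struct llgt_runtime r;

    r.run_lcas       = llgt_toggle("LLGT_RUN_LCAS", lcas_default);
    r.cache_callout  = llgt_toggle("LLGT_CACHE_CALLOUT", 1);
    r.dlclose_lcmaps = llgt_toggle("LLGT_DLCLOSE_LCMAPS", 1);
    r.dlclose_lcas   = llgt_toggle("LLGT_DLCLOSE_LCAS", 1);
    return r;
}
```

              With cache_callout cleared, the LCAS/LCMAPS run happens once for
              the `localname' callout and again for `userok', as described
              above for gsisshd.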

       LLGT_NO_CHANGE_USER (deprecated)
              $LLGT_NO_CHANGE_USER is deprecated in favour of
              $LLGT_LIFT_PRIVILEGED_PROTECTION. (Deprecation does not mean it
              is no longer functional.)

       LLGT4_NO_CHANGE_USER (deprecated)
              $LLGT4_NO_CHANGE_USER is deprecated in favour of
              $LLGT_LIFT_PRIVILEGED_PROTECTION. (Deprecation does not mean it
              is no longer functional.)

       LLGT_VOMS_DISABLE_CREDENTIAL_CHECK
              The VOMS credentials are verified by the LCMAPS framework before
              further processing is done in the plug-ins. The LCMAPS framework
              has  an  API  to  enable or disable the verification of the VOMS
              credentials and this option will disable the verification of the
              VOMS  credentials.  A  vanilla LCMAPS build will verify the VOMS
              credentials by default.

       LLGT_VOMS_ENABLE_CREDENTIAL_CHECK
              Similar to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment
              variable, this setting will enable the verification of the VOMS
              credentials, overriding an LCMAPS default setting in which the
              verification of VOMS credentials is disabled. A vanilla LCMAPS
              build will verify the VOMS credentials by default; the OSG build
              has it disabled by default.

       LLGT_LCAS_LIBDIR
              Support  for an alternative LCAS_LIBDIR as a run-time setting by
              exporting $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"

       LLGT_LCMAPS_LIBDIR
              Support for an alternative LCMAPS_LIBDIR as a  run-time  setting
              by exporting $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"

       LLGT_ENABLE_DEBUG
              If the $LLGT_ENABLE_DEBUG environment variable is set, then the
              debugging messages logged at level LOG_DEBUG are passed to the
              log. The scope of this setting is only within the
              LCAS-LCMAPS-GT-interface.

INTERNAL ENVIRONMENT VARIABLES

       GATEKEEPER_JM_ID
              An environment variable  that  is  internally  set  to  uniquely
              identify this gatekeeper and the job manager.

       JOB_REPOSITORY_ID
              Similar  to  the $GATEKEEPER_JM_ID value, but its purpose is for
              the LCMAPS job repository plug-in.

LCAS ENVIRONMENT VARIABLES

       LCAS_DEBUG_LEVEL
              Debug level

LCMAPS ENVIRONMENT VARIABLES

       LCMAPS_DEBUG_LEVEL
              For LCMAPS 1.5.0 (and newer) the value "5" corresponds to Syslog
              LOG_DEBUG, "4" corresponds to LOG_INFO, "3" to LOG_NOTICE and so
              on. The LCMAPS default is to log up to LOG_INFO.

RETURN VALUES

       True   The user is authorized and a local Unix account was procured.

       False  No mapping was possible.

NOTES

       From  version  0.3.0  onwards,  the  interface  tries  to  forward  the
       requested  username  to  LCMAPS (for version 1.6.0 and up). The mapping
       plugins can use this to support multiple username entries in the  grid-
       mapfile, or enforcing poolaccount mappings to a specific poolaccount.

BUGS

       Please  report  any  errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcas.db(5), lcas(3), lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were  written  by  the  Grid  Middleware
       Security Team <grid-mw-security@nikhef.nl>.