Provided by: lcmaps-plugins-jobrep_1.5.3-2_i386 bug


       lcmaps_jobrep.mod - jobrepository LCMAPS plug-in


       lcmaps_jobrep.mod  [--test]  --dsn  <Database Service Name>  --username
       <database user> --password <database password>


       The LCMAPS Jobrepository plug-in stores credentials and  the  resulting
       account  mappings  into a relational database. This plugin will link up
       all the known in-process information from LCMAPS core memory and stores
       it      in      a      database.     This     plug-in     uses     ODBC
       ( to connect to the database.

       The current state of the mappings between various credentials and  Unix
       accounts  is  stored  in an open database on disk, but this information
       can  change  over  time   through   (regular)   system   administrative
       interventions.  This  state  is  now preserved in a relational database
       with the added benefit of  being  accessible  by  other  systems,  e.g.
       GridSAFE  and  build-up  an easy to backup historic view on the mapping

       Quite some systems seem to dig up data by trawling log files,  e.g.  to
       construct  accounting  data  records.  This  method is subjected to the
       settings of the sub-systems which control the format of  the  log  file
       output.  Log  trawling  tools  are  interacting with the log files as a
       glorified API. This lowers the ability for tools, e.g. LCMAPS, to alter
       their  log  output.  By offering the LCMAPS Jobrepository plug-in as an
       alternative with the added benefit of offering the data in a structured
       fine-grained  database  with the ability of an historic view the intend
       is to avoid the need and/or requirement for log file trawling.


       The schema can be used to link up  account  mapping  and/or  credential
       mapping  results  originating  from  other credential types and link up
       more fine grained details from the specific work  environment,  i.e.  a
       Gatekeeper   and   GridFTPd  will  be  able  to  add  service  specific
       information together with the mapping results.


       The LCMAPS Jobrepository plug-in is  currently  limited  to  MySQL  and
       MariaDB despite its usage of the ODBC database interface. The intend is
       to remove  this  limitation  and  make  the  plug-in  work  with  other
       database, e.g. PostgreSQL, Oracle and SQLite.


       --test When enabled the plug-in will only test if the connection to the
              database can be established through the ODBC coupling. The  test
              will  verify  the  correctness of the DSN, Username and Password
              combination. The plug-in will announce an  LCMAPS  SUCCESS  when
              the  connection  was  established, and a FAILURE when it was not
              able to establish the connection.

       --dsn <Database Service Name>
              This will select the Data Source Name (DSN) that has been set in
              a odbc.ini file. Use the odbc.ini file to configure the database
              driver, server/host, port number and database  name.  See  below
              for an example odbc.ini file.

       --username <database username>
              Specifies  the database username that the LCMAPS module must use
              to authorize itself with the database.

       --password <database password>
              Specifies the database password that the LCMAPS module must  use
              to  authorize  itself  with. You can omit the setting if you set
              the password in the odbc.ini file.

              WARNING: Be careful  to  assess  the  read  permissions  on  the
              lcmaps.db  file  to be exclusive to the service using this file,
              i.e. it's probably best to make the file exclusive to root:root.





       Notice the --dsn <value> matches the DSN  shown  in  the  .ini  section
       header.  Also  notice  that the posix_enf plug-in is executed after the
       jobrep  plug-in.  The  motivation  is  to  be  able  to  use  privilege
       separation and with that protect the database password.

       Example lcmaps.db
              jobrep      = "lcmaps_jobrep.mod"
                            "--dsn MySQL-test"
                            "--username root"
                            "--password worteltjes"

              verifyproxy -> vomslocalgroup
              vomslocalgroup -> vomspoolaccount
              vomspoolaccount -> tracking_groupid
              tracking_groupid -> jobrep
              jobrep -> posix_enf

       Example /etc/odbc.ini file:
              Description = MySQL test database
              Driver      = MySQL
              SERVER      =
              PORT        = 3306
              DATABASE    = jobrepository


       Tested front-end tools and services

       Likely to work
              lcmaps-rest (only the Full-SSL interface)

       Front-ends that will likely NOT work
              StoRM backend


       The  front-ends  which  do  not  use  an LCMAPS interface that provides
       certificates can currently not be supported.  It is a  requirement  for
       the 1.5 version to be able to work from a certificate chain.


       Please  report  any  errors to the Nikhef Grid Middleware Security Team


       lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
       More      information      can      be      found      on-line       at the Nikhef Wiki on Site
       Access Control and the  Nikhef  Wiki
       on LCMAPS and other plug-ins.


       The  Jobrepository  and  the LCMAPS plug-ins were written by the Nikhef
       Grid Middleware Security Team <>.