Provided by: lcmaps-plugins-jobrep_1.5.3-2_amd64 bug


       lcmaps_jobrep.mod - jobrepository LCMAPS plug-in


       lcmaps_jobrep.mod   [--test]   --dsn  <Database Service Name>  --username  <database user>
       --password <database password>


       The LCMAPS Jobrepository plug-in stores credentials and  the  resulting  account  mappings
       into  a relational database. This plugin will link up all the known in-process information
       from  LCMAPS  core  memory  and  stores  it  in  a  database.  This  plug-in   uses   ODBC
       ( to connect to the database.

       The  current state of the mappings between various credentials and Unix accounts is stored
       in an open database on disk, but this information can change over time  through  (regular)
       system  administrative interventions. This state is now preserved in a relational database
       with the added benefit of being accessible by other systems, e.g. GridSAFE and build-up an
       easy to backup historic view on the mapping state.

       Quite some systems seem to dig up data by trawling log files, e.g. to construct accounting
       data records. This method is subjected to the settings of the  sub-systems  which  control
       the  format  of the log file output. Log trawling tools are interacting with the log files
       as a glorified API. This lowers the ability for tools, e.g. LCMAPS,  to  alter  their  log
       output.  By  offering  the  LCMAPS  Jobrepository plug-in as an alternative with the added
       benefit of offering the data in a structured fine-grained database with the ability of  an
       historic view the intend is to avoid the need and/or requirement for log file trawling.


       The  schema  can  be  used  to  link  up account mapping and/or credential mapping results
       originating from other credential types and link up more fine  grained  details  from  the
       specific  work  environment,  i.e.  a  Gatekeeper and GridFTPd will be able to add service
       specific information together with the mapping results.


       The LCMAPS Jobrepository plug-in is currently limited to MySQL  and  MariaDB  despite  its
       usage of the ODBC database interface. The intend is to remove this limitation and make the
       plug-in work with other database, e.g. PostgreSQL, Oracle and SQLite.


       --test When enabled the plug-in will only test if the connection to the  database  can  be
              established  through the ODBC coupling. The test will verify the correctness of the
              DSN, Username and Password combination. The plug-in will announce an LCMAPS SUCCESS
              when  the  connection  was  established,  and  a  FAILURE  when  it was not able to
              establish the connection.

       --dsn <Database Service Name>
              This will select the Data Source Name (DSN) that has been set in a  odbc.ini  file.
              Use  the  odbc.ini  file to configure the database driver, server/host, port number
              and database name. See below for an example odbc.ini file.

       --username <database username>
              Specifies the database username that the LCMAPS module must use to authorize itself
              with the database.

       --password <database password>
              Specifies the database password that the LCMAPS module must use to authorize itself
              with. You can omit the setting if you set the password in the odbc.ini file.

              WARNING: Be careful to assess the read permissions on  the  lcmaps.db  file  to  be
              exclusive  to the service using this file, i.e. it's probably best to make the file
              exclusive to root:root.





       Notice the --dsn <value> matches the DSN shown in the .ini  section  header.  Also  notice
       that  the  posix_enf plug-in is executed after the jobrep plug-in. The motivation is to be
       able to use privilege separation and with that protect the database password.

       Example lcmaps.db
              jobrep      = "lcmaps_jobrep.mod"
                            "--dsn MySQL-test"
                            "--username root"
                            "--password worteltjes"

              verifyproxy -> vomslocalgroup
              vomslocalgroup -> vomspoolaccount
              vomspoolaccount -> tracking_groupid
              tracking_groupid -> jobrep
              jobrep -> posix_enf

       Example /etc/odbc.ini file:
              Description = MySQL test database
              Driver      = MySQL
              SERVER      =
              PORT        = 3306
              DATABASE    = jobrepository


       Tested front-end tools and services

       Likely to work
              lcmaps-rest (only the Full-SSL interface)

       Front-ends that will likely NOT work
              StoRM backend


       The front-ends which do not  use  an  LCMAPS  interface  that  provides  certificates  can
       currently  not  be  supported.  It is a requirement for the 1.5 version to be able to work
       from a certificate chain.


       Please report any errors to the Nikhef Grid Middleware  Security  Team  <grid-mw-security->.


       lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
       More  information  can be found on-line at
       the Nikhef Wiki on Site Access Control and  the  Nikhef
       Wiki on LCMAPS and other plug-ins.


       The  Jobrepository  and  the  LCMAPS  plug-ins  were written by the Nikhef Grid Middleware
       Security Team <>.