Provided by: lcmaps-plugins-voms_1.6.2-2build1_i386 bug

NAME

       lcmaps_voms_poolaccount.mod  -  LCMAPS  plugin  to switch user identity
       based on VOMS credentials by pool accounts

SYNOPSIS

       lcmaps_voms_poolaccount.mod [-gridmapfile gridmapfile] [-gridmapdir
       gridmapdir] [--add-primary-gid-from-mapped-account] [--do-not-add-
       primary-gid-from-mapped-account] [--add-primary-gid-as-secondary-gid-
       from-mapped-account] [--add-secondary-gids-from-mapped-account] [--do-
       not-require-primary-gid] [--require-primary-gid]
       [-override_inconsistency] [-max_mappings_per_credential
       maxmappingspercredential] [-strict_poolprefix_match yes_or_no]

DESCRIPTION

       This VOMS poolaccount acquisition plugin is a 'VOMS-aware' modification
       of  the  lcmaps_poolaccount.mod.8  plugin.  The  plugin tries to find a
       local  account  (more  specifically  a  UserID)  based  on   the   VOMS
       information that has available from the LCMAPS, in particular the Fully
       Qualified Attribute Names (FQAN).  The  account  is  acquired  from  an
       account  pool.  The  accounts  in  the  account  pool must exist on the
       system, either locally or through a centralized account database,  e.g.
       LDAP.

       The  gridmapdir  directory is going to be used as a persistent and open
       mapping database. A  pool  is  defined  as  being  a  set  of  accounts
       following  a  particular  pattern  in  their  naming,  i.e.  pool001 or
       atlas001. In the directory the plug-in will make a new filename  build-
       up  of  the Subject-DN of the user, in URL-encode form, followed by the
       name of the Unix groups that are already mapped by other plug-ins.

       Example showing the output of ls -li:
       1836080 -rw-r--r-- 2 root root %2fdc%3dorg%2fdc%3dterena%2fdc%3dtcs%2fc%3dnl%2fo%3dnikhef%2fcn%3doscar%20koeroo%20okoeroo%40nikhef%2enl:pool:group004
       1836080 -rw-r--r-- 2 root root pool003
       This filename is hardlinked to the mapped  accountname.  Creating  this
       hardlink  is designed to be an atomic operation and verified to work on
       large installations serving multiple services from one NFS-share.

       The VOMS credentials need to be available from the LCMAPS framework.

OPTIONS

       -gridmapfile gridmapfile
              This file must contain FQANs to (local) user account names.   If
              this  option  is  set,  it will override the default path of the
              gridmapfile.  It is advised to  use  an  absolute  path  to  the
              gridmapfile to avoid usage of the wrong file(path).

       -gridmapdir gridmapdir
              A directory used for the mapping database.

       --add-primary-gid-from-mapped-account
              After  the  account is mapped, add the primary Group ID from the
              passwd-file/LDAP of the mapped account as a part of the  mapping
              result. Default is to not add the primary Group ID.

       --do-not-add-primary-gid-from-mapped-account
              After the account is mapped, explicitly avoid adding the primary
              Group ID from the passwd-file/LDAP of the mapped  account  as  a
              part  of  the mapping result.. Default is to not add the primary
              Group ID.

       --add-primary-gid-as-secondary-gid-from-mapped-account
              After the account is mapped, add the primary Group ID  from  the
              passwd-file/LDAP  of  the mapped account as a secondary Group ID
              as a part of the mapping result.

       --add-secondary-gids-from-mapped-account
              After the account is mapped, add the secondary Group ID from the
              groups-file/LDAP  of  the  mapped  account  as a secondary Group
              ID(s) as a part of the mapping result.

       --do-not-require-primary-gid
              This option will inspect  the  LCMAPS  mapping  store  and  fail
              enforce  the  existence  of  a primary Group ID prior to running
              this plug-in. When enabled the plug-in will ignore  the  absence
              of  the  primary  Group  ID  prior to its own mapping sequences.
              This plugin or the next plug-in must map the user's  credentials
              to  a  primary  Group  ID in an LCMAPS plug-in execution policy.
              Default is: do not require a primary GID.

       --require-primary-gid
              This option will inspect  the  LCMAPS  mapping  store  and  fail
              enforce  the  existence  of  a primary Group ID prior to running
              this plug-in. When enabled the plug-in will  fail  before  doing
              anything  on  the  grounds of the primary Group ID nonexistence.
              The solution is to make sure that another plug-in is ensured  to
              map  the  user's credentials to a primary Group ID.  Default is:
              do not require a primary GID.

       -override_inconsistency
              If the poolaccount is mapped from an URL-encoded Subject DN  and
              Unix  Group names to an account, and when the gridmapfile states
              that this user needs to move to another pool, then  the  plug-in
              will  remap  the  user  to the new pool. Without this option the
              plug-in  will  fail  if  an  existing  mapping  for   the   user
              credentials exist, but do not map the configured mapping pool.

       -max_mappings_per_credential max_mappings_per_credential
              This  feature  is  deprecated.  It was intended to work together
              with the Globus Dynamic Account Service/Workspace Service.  This
              value  indicates  the maximum number of accounts a user, or more
              specifically a set of credentials (=DN + FQANS), can  be  mapped
              to.   Normally  this  number  is  1.  But if each job should run
              under its own account  the  number  should  be  increased.   The
              leasename (or poolindex) in this case looks like:

                      url_encoded(<DN>):gid1[:gid2[:gid3[...]]]:mapcount=<mapnumber>)

       -strict_poolprefix_match yes/no
              If this is set to 'yes', a line in the gridmapfile  like  <FQAN>
              .pool  will  result  in accounts matching the regexp pool[0-9]+.
              Otherwise it will be allowed to match pool.* (legacy behaviour).

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

NOTES

       Since  version  1.6.0  the  voms_poolaccount  plugin  also  takes   the
       requested  username   (such as forwarded by gsissh) into consideration.
       When present, the resulting poolaccount has to match it  in  order  for
       the plugin to succeed. This requires LCMAPS version 1.6.0 or newer.

BUGS

       Please  report  any  errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were  written  by  the  Grid  Middleware
       Security Team <grid-mw-security@nikhef.nl>.