Provided by: lcmaps-plugins-voms_1.6.2-2build1_i386


       lcmaps_voms_poolgroup.mod - LCMAPS plugin to switch user identity based
       on VOMS credentials by pool groups


       lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir
       groupmapdir] [--map-to-secondary-groups] [-override_inconsistency]
       [-mapall] [-mapmin number of minimal mappings]
       [-strict_poolprefix_match yes_or_no]


       This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification
       of the lcmaps_poolgroup.mod.8 plugin. The plugin tries to find a local
       group (more specifically a GroupID) based on the VOMS information that
       is available from the LCMAPS framework, in particular the Fully
       Qualified Attribute Names (FQAN). The group is acquired from a group
       pool. The groups in the group pool must exist on the system, either
       locally or through a centralized account database, e.g. LDAP.

       The groupmapdir directory is used as a persistent and open mapping
       database. A pool is defined as a set of groups following a particular
       pattern in their naming, e.g. pool001 or atlas001. In the directory
       the plug-in creates a file whose name is built from the VOMS FQAN in
       URL-encoded form:

       Example showing the output of ls -li:

       1836080 -rw-r--r-- 2 root root %2fdteam%2f

       1836080 -rw-r--r-- 2 root root dteam001

       This  filename  is  hardlinked  to  the mapped groupname. Creating this
       hardlink is designed to be an atomic operation and verified to work  on
       large installations serving multiple services from one NFS-share.
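
       The directory layout described above can be audited by pairing names
       that share an inode. The following is an added example, not code from
       the LCMAPS project; it assumes lease names are URL-encoded FQANs
       beginning with "%2f", and the function names and sample data are
       constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from urllib.parse import unquote


def audit_groupmapdir(path):
    """Return (leases, free, anomalies) for a groupmapdir-style directory.

    leases: decoded FQAN -> pool group name sharing its inode
    free: pool group names with no lease (link count 1)
    anomalies: human-readable findings for everything else
    """
    by_inode = defaultdict(list)
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        by_inode[(st.st_dev, st.st_ino)].append((name, st.st_nlink))

    leases, free, anomalies = {}, [], []
    for entries in by_inode.values():
        names = [n for n, _ in entries]
        nlink = entries[0][1]
        # Assumption: lease names are URL-encoded FQANs, which start with "%2f" ("/").
        fqans = [n for n in names if n.lower().startswith("%2f")]
        groups = [n for n in names if n not in fqans]
        if len(fqans) == 1 and len(groups) == 1 and nlink == 2:
            leases[unquote(fqans[0])] = groups[0]
        elif not fqans and len(groups) == 1 and nlink == 1:
            free.append(groups[0])
        else:
            anomalies.append(f"{names}: link count {nlink}")
    return leases, free, anomalies


def build_sample(path):
    """Constructed sample data mirroring the ls -li listing above."""
    for group in ("dteam001", "dteam002", "dteam003"):
        open(os.path.join(path, group), "w").close()
    os.link(os.path.join(path, "dteam001"), os.path.join(path, "%2fdteam%2f"))
    # Constructed anomaly: a lease name that is not linked to any pool group.
    open(os.path.join(path, "%2fatlas%2f"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        leases, free, anomalies = audit_groupmapdir(d)
        print(leases, free, anomalies, sep="\n")
```

       Entries reported as anomalies (a lease name with no pool group, or a
       link count other than 1 or 2) are the ones worth reviewing by hand.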

       The VOMS credentials need to be available from the LCMAPS framework.


       -groupmapfile groupmapfile
              This option sets the groupmapfile path. The plug-in will open
              the file and use the content for the FQAN to Group ID mapping.
              The same formatting rules of the grid-mapfile apply to the
              groupmapfile. Provide a full path.

       -groupmapdir groupmapdir
              A directory used for the group mapping database, similar to the
              gridmapdir. It is important not to mix the gridmapdir and
              groupmapdir directories.

       --map-to-secondary-groups
              When enabled, the plug-in will map all the FQANs of the user to
              secondary Group IDs. There will be no primary Group ID set by
              this plug-in when enabled.

       -override_inconsistency
              If the poolgroup is mapped from a URL-encoded VOMS FQAN to a
              group name, and the gridmapfile states that this user needs to
              move to another pool, then the plug-in will remap the user to
              the new pool. Without this option the plug-in will fail if an
              existing mapping for the user credentials exists but does not
              map to the configured mapping pool.

       -mapall
              When enabled, a failure will be triggered if not all of the
              FQANs could be mapped to primary or secondary Group IDs.

       -mapmin number of minimal mappings
              This option sets the minimum number of groups that have to be
              resolved for later mapping. If the minimum is not set, it
              defaults to '0'. If the plugin is not able to find the required
              number of poolgroups it will fail. Note: if the minimum is set
              to zero or is not set, the plugin will return success if no
              other errors occur, even if no poolgroups were found.

       -strict_poolprefix_match yes/no
              If this is set to 'yes', a line in the groupmapfile like  <FQAN>
              .poolgr  will result in groups matching the regexp poolgr[0-9]+.
              Otherwise  it  will  be  allowed  to  match   poolgr.*   (legacy





       Please  report  any  errors to the Nikhef Grid Middleware Security Team


       lcmaps.db(5), lcmaps(3).


       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team.