Provided by: lcmaps-plugins-voms_1.6.2-2build1_amd64 
NAME
lcmaps_voms_poolgroup.mod - LCMAPS plugin to switch user identity based on VOMS
credentials by pool groups
SYNOPSIS
lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir groupmapdir] [--map-
to-secondary-groups] [-override_inconsistency] [-mapall] [-mapmin number of minimal
mappings] [-strict_poolprefix_match yes_or_no]
DESCRIPTION
This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the
lcmaps_poolgroup.mod.8 plugin. The plugin tries to find a local group (more specifically
a GroupID) based on the VOMS information that has available from the LCMAPS, in particular
the Fully Qualified Attribute Names (FQAN). The group is acquired from an group pool. The
groups in the group-pool must exist on the system, either locally or through a centralized
account database, e.g. LDAP.
The groupmapdir directory is going to be used as a persistent and open mapping database. A
pool is defined as being a set of groups following a particular pattern in their naming,
i.e. pool001 or atlas001. In the directory the plug-in will make a new filename build-up
VOMS FQAN in URL-encode form:
Example showing the output of ls -li:
1836080 -rw-r--r-- 2 root root %2fdteam%2f
1836080 -rw-r--r-- 2 root root dteam001
This filename is hardlinked to the mapped groupname. Creating this hardlink is designed to
be an atomic operation and verified to work on large installations serving multiple
services from one NFS-share.
The VOMS credentials need to be available from the LCMAPS framework.
OPTIONS
-groupmapfile groupmapfile
This option is used to determine the groupmapfile path. The plug-in will open the
file and use the content for the FQAN to Group ID mapping. The same formatting
rules of the grid-mapfile apply to the groupmapfile. Provide a full path.
-groupmapdir groupmapdir"
A directory used for the group mapping database, similar to the gridmapdir. It is
important to not mix the gridmapdir and groupmapdir directories.
--map-to-secondary-groups
When enabled, the plug-in will map all the FQANs of the user to secondary Group
IDs. There will be no primary Group ID set by this plug-in when enabled.
-override_inconsistency
If the poolgroup is mapped from an URL-encoded VOMS FQAN to a group name, and when
the gridmapfile states that this user needs to move to another pool, then the plug-
in will remap the user to the new pool. Without this option the plug-in will fail
if an existing mapping for the user credentials exist, but do not map the
configured mapping pool.
-mapall
When enabled, a failure will be triggered if not all of the FQANs could be mapped
to primary or secondary Group IDs.
-mapmin number of minimal mappings
This option will set a minimum amount of groups that have to be resolved for later
mapping. If the minimum is not set then the minimum amount is set to '0' by
default. If the plugin is not able to the required number of poolgroups it will
fail. Note: if the minimum is set to zero or the minimum is not set the plugin
will return a success if no other errors occur, even if no poolgroups were found.
-strict_poolprefix_match yes/no
If this is set to 'yes', a line in the groupmapfile like <FQAN> .poolgr will result
in groups matching the regexp poolgr[0-9]+. Otherwise it will be allowed to match
poolgr.* (legacy behaviour).
RETURN VALUES
LCMAPS_MOD_SUCCESS
Success.
LCMAPS_MOD_FAIL
Failure.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-
support@nikhef.nl>.
SEE ALSO
lcmaps.db(5), lcmaps(3).
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw-
security@nikhef.nl>.