Provided by: lcmaps-plugins-voms_1.6.2-2build1_amd64


       lcmaps_voms_poolgroup.mod   -  LCMAPS  plugin  to  switch  user  identity  based  on  VOMS
       credentials by pool groups


       lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir groupmapdir]
       [--map-to-secondary-groups] [-override_inconsistency] [-mapall] [-mapmin number of
       minimal mappings] [-strict_poolprefix_match yes_or_no]


       This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the
       lcmaps_poolgroup.mod.8 plugin. The plugin tries to find a local group (more specifically
       a GroupID) based on the VOMS information that is available from the LCMAPS framework,
       in particular the Fully Qualified Attribute Names (FQAN). The group is acquired from a
       group pool. The groups in the group pool must exist on the system, either locally or
       through a centralized account database, e.g. LDAP.

       The groupmapdir directory is used as a persistent and open mapping database. A pool is
       defined as a set of groups that follow a particular naming pattern, e.g. pool001 or
       atlas001. In this directory the plug-in creates a new file whose name is built from the
       VOMS FQAN in URL-encoded form:

       Example showing the output of ls -li:

       1836080 -rw-r--r-- 2 root root %2fdteam%2f

       1836080 -rw-r--r-- 2 root root dteam001

       This filename is hardlinked to the mapped groupname. Creating this hardlink is designed
       to be an atomic operation and has been verified to work on large installations serving
       multiple services from one NFS share.

       The VOMS credentials need to be available from the LCMAPS framework.


       -groupmapfile groupmapfile
              This option sets the path of the groupmapfile. The plug-in will open the file
              and use its content for the FQAN to Group ID mapping. The same formatting rules
              as for the grid-mapfile apply to the groupmapfile. Provide a full path.

       -groupmapdir groupmapdir
              A directory used for the group mapping database, similar to the gridmapdir. It is
              important not to mix the gridmapdir and groupmapdir directories.

       --map-to-secondary-groups
              When enabled, the plug-in will map all the FQANs of the user to secondary Group
              IDs. There will be no primary Group ID set by this plug-in when enabled.

       -override_inconsistency
              If the poolgroup is mapped from a URL-encoded VOMS FQAN to a group name, and the
              gridmapfile states that this user needs to move to another pool, then the plug-in
              will remap the user to the new pool. Without this option the plug-in will fail
              if an existing mapping for the user credentials exists but does not match the
              configured mapping pool.

       -mapall
              When enabled, a failure will be triggered if not all of the FQANs could be mapped
              to primary or secondary Group IDs.

       -mapmin number of minimal mappings
              This option sets the minimum number of groups that have to be resolved for later
              mapping. If the minimum is not set, it defaults to '0'. If the plugin is not able
              to find the required number of poolgroups it will fail. Note: if the minimum is
              set to zero or is not set, the plugin will return success if no other errors
              occur, even if no poolgroups were found.

       -strict_poolprefix_match yes/no
              If this is set to 'yes', a line in the groupmapfile like <FQAN> .poolgr will result
              in groups matching the regexp poolgr[0-9]+. Otherwise it will be allowed  to  match
              poolgr.* (legacy behaviour).
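
       Added example (not part of the lcmaps-plugins-voms distribution): a Python audit of a
       groupmapdir that pairs each URL-encoded FQAN file with the pool group it is hardlinked
       to and compares strict and legacy pool-prefix matching. It assumes that encoded FQAN
       names start with '%' and that the pool regexp applies to the whole group name; the
       function names are hypothetical and the sample directory is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict
from urllib.parse import unquote


def read_groupmapdir(path):
    """Pair entries that share an inode: URL-encoded FQAN <-> pool group name."""
    by_inode = defaultdict(list)
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            by_inode[entry.stat(follow_symlinks=False).st_ino].append(entry.name)
    leases, free, broken = {}, [], []
    for names in by_inode.values():
        # Assumption: encoded FQANs start with '%' because a FQAN starts with '/'.
        fqans = sorted(n for n in names if n.startswith("%"))
        groups = sorted(n for n in names if not n.startswith("%"))
        if not fqans:
            free.extend(groups)        # pool group not linked to any FQAN
        elif len(groups) == 1:
            leases.update({unquote(f): groups[0] for f in fqans})
        else:
            broken.extend(fqans)       # FQAN file with no, or more than one, group link
    return leases, sorted(free), sorted(broken)


def in_pool(group, prefix, strict):
    """Pool membership for a '.prefix' groupmapfile entry (whole-name match assumed)."""
    tail = r"[0-9]+" if strict else r".*"
    return re.fullmatch(re.escape(prefix) + tail, group) is not None


def make_sample_dir():
    """Constructed sample: three pool entries, one linked to /dteam/, one orphan FQAN."""
    d = tempfile.mkdtemp(prefix="groupmapdir-")
    for name in ("dteam001", "dteam002", "dteamadmin", "%2fatlas%2f"):
        open(os.path.join(d, name), "w").close()
    os.link(os.path.join(d, "dteam001"), os.path.join(d, "%2fdteam%2f"))
    return d


if __name__ == "__main__":
    leases, free, broken = read_groupmapdir(make_sample_dir())
    print("leases:", leases)
    print("free:", free, "broken:", broken)
    for g in free + list(leases.values()):
        print(g, "strict:", in_pool(g, "dteam", True), "legacy:", in_pool(g, "dteam", False))
```

       With the legacy setting the constructed group dteamadmin counts as a member of the
       dteam pool; with strict matching only the numbered groups do.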





       Please  report  any  errors to the Nikhef Grid Middleware Security Team <grid-mw-security->.


       lcmaps.db(5), lcmaps(3).


       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw->.