Provided by: lcas-lcmaps-gt4-interface_0.3.1-1_amd64 
NAME
lcas_lcmaps_gt_interface - A Globus GSI-AuthZ plug-in to run LCAS and LCMAPS
SYNOPSIS
lcas_lcmaps_gt_interface.so
lcas_lcmaps_gt4_interface.so
DESCRIPTION
This is a plug-in to be loaded from a GSI-AuthZ capable Globus service. The feature was introduced in
Globus GT4 and is available for GT5 and GT6. The purpose of this call-out is to authorize a user by
optionally running the LCAS framework and subsequently running the LCMAPS framework to map the user
credentials to a Unix account. Both LCAS and LCMAPS are plug-in frameworks, where the plug-ins to do the
real work.
Some of these plug-ins are capable of imposing a certain policy on the user credentials, others are
capable of off-loading the decision to a centralized service to make the decision or even provide an
account mapping in the process.
This plug-in is dynamically loaded during each interaction that requires an account mapping in the GSI-
AuthZ interface of a Globus service. It has no configuration file for itself, it is configured via
environment variables and the LCAS and LCMAPS configuration files. It can be enabled for use in the GSI-
AuthZ interface using the gsi-authz.conf file, by configuring it to call the function lcmaps_callout(),
which can be done using gt4-interface-install(8).
ENVIRONMENT VARIABLES
LLGT_LOG_FILE
When this variable is set and it can be opened as file, log output will go to the given file
instead of to syslog. When either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also be set
to this same file.
LLGT_LOG_FACILITY
Change the default logging facility with the $LLGT_LOG_FACILITY environment variable. Use the name
of (standard syslog) facility names. Example: LOG_DAEMON, LOG_LOCAL1, etc.
LLGT_LOG_IDENT
The $LLGT_LOG_IDENT can (optionally) be set as the syslog ident value. This will be the
identifying string in syslog for the current process. Not using this option will let syslog (or
one of the GT services) to set these options. By default the syslog ident will be set to the
executable name.
LLGT_RUN_LCAS
Set the environment variable $LLGT_RUN_LCAS to "no", "disabled" or "disable" to avoid LCAS to run
prior to the LCMAPS.
There is a matching ./configure option "--enable-lcas" which can be used to change the default
behaviour to run LCAS or not. The $LLGT_RUN_LCAS environment variable can still influence the LCAS
run.
LLGT_LIFT_PRIVILEGED_PROTECTION
Normally the callout, after LCMAPS has finished, checks whether it is (still) running with root
privileges (uid, euid, gid or egid) and fails if that is the case. This is to prevent erroneous
configurations to silently result in a root-account mapping in services that do not have their own
checks for this.
When the environment variable $LLGT_LIFT_PRIVILEGED_PROTECTION is set, this check is disabled.
This is NEEDED for services that:
1.) don't user switch, and run as root.
2.) services that expect only a username to be returned and perform the user switch themselves,
e.g. the Globus GSI-OpenSSHd.
LLGT_CACHE_CALLOUT
Set the environment variable $LLGT_CACHE_CALLOUT to "no", "disabled" or "disable" to disable
reusing the result of the `localname' callout for the `userok' callout. This results in calling
the LCAS/LCMAPS authorization twice for e.g. gsisshd.
LLGT_DLCLOSE_LCMAPS
Set the environment variable $LLGT_DLCLOSE_LCMAPS to "no", "disabled" or "disable" to prevent
calling dlclose() on the LCMAPS library. This might be needed as a workaround on RH5-based systems
in an installation for gsisshd, when the use of PAM is enabled ("UsePAM Yes" in the
/etc/gsissh/sshd_config). The underlying bug is a combination between the OpenSSL, VOMS and PAM
libraries, which can trigger a segfault when VOMS is initialized twice.
LLGT_DLCLOSE_LCAS
Set the environment variable $LLGT_DLCLOSE_LCAS to "no", "disabled" or "disable" to prevent
calling dlclose() on the LCAS library. This might be needed as a workaround on RH5-based systems.
The underlying bug is a combination between the OpenSSL, VOMS and Globus libraries, which can
trigger a segfault when VOMS is initialized twice, which can happen when LCAS is using a VOMS
based plugin. Normally should not be needed as LCAS is now dlclosed and terminated after LCMAPS.
LLGT_NO_CHANGE_USER (deprecated)
Deprecated $LLGT_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Deprecation does
not mean non-functional anymore)
LLGT4_NO_CHANGE_USER (deprecated)
Deprecated $LLGT4_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Depreciation
does not mean non-functional anymore)
LLGT_VOMS_DISABLE_CREDENTIAL_CHECK
The VOMS credentials are verified by the LCMAPS framework before further processing is done in the
plug-ins. The LCMAPS framework has an API to enable or disable the verification of the VOMS
credentials and this option will disable the verification of the VOMS credentials. A vanilla
LCMAPS build will verify the VOMS credentials by default.
LLGT_VOMS_ENABLE_CREDENTIAL_CHECK
Similar to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment variable, this setting will enable
the verification of the VOMS credentials, overriding the LCMAPS default setting to have the
verification of VOMS credentials to be disabled. A vanilla LCMAPS build will verify the VOMS
credentials by default, the OSG build has is disabled by default.
LLGT_LCAS_LIBDIR
Support for an alternative LCAS_LIBDIR as a run-time setting by exporting such as
$LLGT_LCAS_LIBDIR="/usr/lib/x86_64-linux-gnu/liblcas.so"
LLGT_LCAS_MODULEDIR_SFX
When set, used as suffix instead of the default /lcas when setting the $LCAS_MODULES_DIR variable
based on the $LLGT_LCAS_LIBDIR variable. Default /lcas. NOTE: current versions of LCAS do not yet
use the $LCAS_MODULES_DIR variable.
LLGT_LCMAPS_LIBDIR
Support for an alternative LCMAPS_LIBDIR as a run-time setting by exporting such as
$LLGT_LCMAPS_LIBDIR="/usr/lib/x86_64-linux-gnu/liblcmaps.so". Must be an absolute path. Setting
this variable will also set the LCMAPS variable $LCMAPS_MODULES_DIR to the given libdir followed
by either the default /lcmaps or the value of $LLGT_LCMAPS_MODULEDIR_SFX.
LLGT_LCMAPS_MODULEDIR_SFX
When set, used as suffix instead of the default /lcmaps when setting the $LCMAPS_MODULES_DIR
variable based on the $LLGT_LCMAPS_LIBDIR variable. Default /lcmaps.
LLGT_ENABLE_DEBUG
If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging message logged at level
LOG_DEBUG are passed to the log. The scope of this setting is only within the LCAS-LCMAPS-GT-
interface
INTERNAL ENVIRONMENT VARIABLES
GATEKEEPER_JM_ID
An environment variable that is internally set to uniquely identify this gatekeeper and the job
manager.
JOB_REPOSITORY_ID
Similar to the $GATEKEEPER_JM_ID value, but its purpose is for the LCMAPS job repository plug-in.
LCAS ENVIRONMENT VARIABLES
The following list of LCAS environment variables are handled specially by the interface.
LCAS_MODULES_DIR
Default directory for LCAS to look for in plug-ins (not yet supported by LCAS). Will be set based
on the values of $LLGT_LCAS_LIBDIR and $LLGT_LCAS_MODULEDIR_SFX or their defaults.
LCAS_LOG_FILE
When set, LCAS will log there instead of syslog. When unset, it will get the value of
$LLGT_LOG_FILE when that one is set. When compiled with LCAS_LCMAPS_FORCE_LOG_TO_FILE defined, it
will get set to /var/log/gt_lcas_lcmaps.log.
LCAS_DEBUG_LEVEL
LCAS log level. Default: 3.
LCAS_DB_FILE
Location of the LCAS configuration file. Default for the interface: /etc/lcas/lcas.db
LCMAPS ENVIRONMENT VARIABLES
The following list of LCMAPS environment variables are handled specially by the interface.
LCMAPS_MODULES_DIR
Default directory for LCMAPS to look for in plug-ins. Will be set based on the values of
$LLGT_LCMAPS_LIBDIR and $LLGT_LCMAPS_MODULEDIR_SFX or their defaults.
LCMAPS_LOG_FILE
When set, LCMAPS will log there instead of syslog. When unset, it will get the value of
$LLGT_LOG_FILE when that one is set. When compiled with LCAS_LCMAPS_FORCE_LOG_TO_FILE defined, it
will get set to /var/log/gt_lcas_lcmaps.log.
LCMAPS_DEBUG_LEVEL
For LCMAPS 1.5.0 (and newer) the value "5" corresponds to syslog LOG_DEBUG, "4" corresponds to
LOG_INFO, "3" to LOG_NOTICE and so on. The LCMAPS default is to log up to LOG_INFO.
LCMAPS_DB_FILE
Location of the LCMAPS configuration file. Default for the interface: /etc/lcmaps/lcmaps.db
RETURN VALUES
True The user is authorized and a local Unix account was procured.
False No mapping was possible.
NOTES
From version 0.3.1 onwards, the interface supports the 'sharing' service: it then expects an additional
argument, (a PEM string) containing the credential on which the mapping should be based.
From version 0.3.0 onwards, the interface tries to forward the requested username to LCMAPS (for version
1.6.0 and up). The mapping plugins can use this to support multiple username entries in the grid-mapfile,
or enforcing pool account mappings to a specific pool account.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-
support@nikhef.nl>.
SEE ALSO
gt4-interface-install(8), lcas.db(5), lcas(3), lcmaps.db(5), lcmaps(3).
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team <grid-mw-
security@nikhef.nl>.