Provided by: lcmaps-plugins-jobrep_1.5.6-1build1_amd64

NAME

       lcmaps_jobrep.mod - jobrepository LCMAPS plug-in

SYNOPSIS

       lcmaps_jobrep.mod [--test] --dsn <Database Service Name> --username <database user> --password <database password>

DESCRIPTION

       The LCMAPS Jobrepository plug-in stores credentials and the resulting account mappings in a relational
       database. The plug-in links up all the known in-process information from LCMAPS core memory and stores it
       in the database. It uses ODBC (http://en.wikipedia.org/wiki/ODBC) to connect to the database.

       The current state of the mappings between various credentials and Unix accounts is stored in an open
       database on disk, but this information can change over time through (regular) system administrative
       interventions. This state is now preserved in a relational database, with the added benefit of being
       accessible to other systems, e.g. GridSAFE, and of building up an easy-to-back-up historic view of the
       mapping state.

       Quite a few systems dig up data by trawling log files, e.g. to construct accounting data records. This
       method is subject to the settings of the sub-systems that control the format of the log file output: log
       trawling tools treat the log files as a glorified API, which limits the ability of tools such as LCMAPS to
       alter their log output. By offering the LCMAPS Jobrepository plug-in as an alternative, with the added
       benefit of providing the data in a structured, fine-grained database with a historic view, the intent is
       to avoid the need and/or requirement for log file trawling.

DATABASE SCHEMA EXTENSIONS

       The schema can be used to link up account mapping and/or credential mapping results originating from
       other credential types, and to link up more fine-grained details from the specific work environment, i.e.
       a Gatekeeper and a GridFTPd will be able to add service-specific information together with the mapping
       results.

FUTURE

       The LCMAPS Jobrepository plug-in is currently limited to MySQL and MariaDB despite its use of the ODBC
       database interface. The intent is to remove this limitation and make the plug-in work with other
       databases, e.g. PostgreSQL, Oracle and SQLite.

OPTIONS

       --test When enabled the plug-in will only test whether the connection to the database can be established
              through the ODBC coupling. The test verifies the correctness of the DSN, username and password
              combination. The plug-in returns LCMAPS_MOD_SUCCESS when the connection was established, and
              LCMAPS_MOD_FAIL when it was not able to establish the connection.

       --dsn <Database Service Name>
              Selects the Data Source Name (DSN) that has been set in an odbc.ini file. Use the odbc.ini file to
              configure the database driver, server/host, port number and database name. See below for an
              example odbc.ini file.

       --username <database username>
              Specifies the database username that the LCMAPS module must use to authenticate itself to the
              database.

       --password <database password>
              Specifies the database password that the LCMAPS module must use to authenticate itself. You can
              omit this setting if you set the password in the odbc.ini file.

              WARNING: Make sure the read permissions on the lcmaps.db file are exclusive to the service using
              this file, i.e. it is probably best to make the file exclusive to root:root.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

EXAMPLES

       Note that the --dsn <value> must match the DSN shown in the odbc.ini section header. Also note that the
       posix_enf plug-in is executed after the jobrep plug-in, so that privilege separation can be used to
       protect the database password.

       Example lcmaps.db
              jobrep      = "lcmaps_jobrep.mod"
                            "--dsn MySQL-test"
                            "--username root"
                            "--password worteltjes"

              example_plugin_policy:
              verifyproxy -> vomslocalgroup
              vomslocalgroup -> vomspoolaccount
              vomspoolaccount -> tracking_groupid
              tracking_groupid -> jobrep
              jobrep -> posix_enf

       Example /etc/odbc.ini file:
              [MySQL-test]
              Description = MySQL test database
              Driver      = MySQL
              SERVER      = 127.0.0.1
              PORT        = 3306
              DATABASE    = jobrepository
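       The following is an added example, not code from the lcmaps-plugins-jobrep package: a POSIX sh sanity
       check for the lcmaps.db / odbc.ini pairing shown above. The function name and the sample files are
       assumptions constructed for this example.

```shell
# Added example, not code from the lcmaps-plugins-jobrep package: a POSIX sh sanity
# check for the lcmaps.db / odbc.ini pairing shown above. It verifies that the --dsn
# value names a [section] in odbc.ini, that jobrep precedes posix_enf in the policy,
# and that lcmaps.db (which holds the database password) is not group/world readable.
# The function name and the sample files are assumptions constructed for this example.
check_jobrep_config() {
    db=$1; ini=$2; status=0
    # The --dsn argument is quoted on its own line in the jobrep plug-in definition.
    dsn=$(sed -n 's/.*"--dsn \([^"]*\)".*/\1/p' "$db" | head -n 1)
    if [ -z "$dsn" ]; then
        echo "FAIL: no --dsn argument found for jobrep in $db"; status=1
    elif ! grep -qx "\[$dsn\]" "$ini"; then   # assumes the DSN has no regex metacharacters
        echo "FAIL: DSN '$dsn' has no [$dsn] section in $ini"; status=1
    fi
    # posix_enf must follow jobrep, so the password is used before privileges are dropped.
    if ! grep -q 'jobrep[[:space:]]*->[[:space:]]*posix_enf' "$db"; then
        echo "FAIL: policy in $db does not run jobrep before posix_enf"; status=1
    fi
    # Group and other permission bits (columns 5-10 of 'ls -l') must all be '-'.
    if [ "$(ls -ld "$db" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $db is readable by group or others"; status=1
    fi
    return $status
}

# Constructed sample files mirroring the EXAMPLES section of this man page.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/lcmaps.db" <<'EOF'
jobrep      = "lcmaps_jobrep.mod"
              "--dsn MySQL-test"
              "--username root"
              "--password worteltjes"
example_plugin_policy:
tracking_groupid -> jobrep
jobrep -> posix_enf
EOF
chmod 600 "$WORKDIR/lcmaps.db"
cat > "$WORKDIR/odbc.ini" <<'EOF'
[MySQL-test]
Driver      = MySQL
DATABASE    = jobrepository
EOF
# A second copy with a misspelled DSN and loose permissions, to show the check failing.
sed 's/MySQL-test/MySQL-tset/' "$WORKDIR/lcmaps.db" > "$WORKDIR/lcmaps-bad.db"
chmod 644 "$WORKDIR/lcmaps-bad.db"

check_jobrep_config "$WORKDIR/lcmaps.db" "$WORKDIR/odbc.ini" && echo "OK: $WORKDIR/lcmaps.db"
check_jobrep_config "$WORKDIR/lcmaps-bad.db" "$WORKDIR/odbc.ini" || echo "expected failure for lcmaps-bad.db"
```

       Run it against the real /etc/lcmaps/lcmaps.db and /etc/odbc.ini paths after installation; a non-zero
       exit status lists each mismatch on standard output.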

SUPPORTED INSTALLATIONS

       Tested front-end tools and services
              gLExec
              globus-gridftp-server
              globus-gatekeeper

       Likely to work
              SCAS
              lcmaps-rest (only the Full-SSL interface)
              gsi-openssh-server

       Front-ends that will likely NOT work
              WMProxy
              StoRM backend

LIMITATIONS

       Front-ends that do not use an LCMAPS interface providing certificates cannot currently be supported: the
       1.5 version requires a certificate chain to work from.

BUGS

       Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps(8), lcmaps_jobrep.mod(8), mysql(1).
       More information can be found on-line at https://wiki.nikhef.nl/grid/Site_Access_Control (the Nikhef Wiki
       on Site Access Control) and https://wiki.nikhef.nl/grid/LCMAPS (the Nikhef Wiki on LCMAPS and other
       plug-ins).

AUTHOR

       The Jobrepository and the LCMAPS plug-ins were written by the Nikhef Grid Middleware Security Team
       <grid-mw-security@nikhef.nl>.