Provided by: lcmaps-plugins-basic-poolaccount_1.6.1-3_amd64 

NAME
lcmaps_poolaccount.mod - LCMAPS plugin to switch user identity by pool accounts
SYNOPSIS
lcmaps_poolaccount.mod [-gridmapfile gridmapfile] [-gridmapdir gridmapdir] [-override_inconsistency]
[-max_mappings_per_credential max nr of mappings] [-no_wildcard] [-strict_poolprefix_match {yes|no}]
DESCRIPTION
This plugin is an Acquisition Plugin and provides the LCMAPS system with pool account information. To
do this it needs to look up the Distinguished Name (DN) from a user's certificate in the gridmapfile. If
this DN is found in the gridmapfile, the plugin knows to which pool of local system accounts the user
will be mapped. The poolname (starting with a dot ('.') instead of an alphanumeric character) will be
converted into an account from a list of local accounts. This list is located in the gridmapdir and is
made up of filenames. These filenames correspond to the system poolaccount names. (E.g. if a DN
corresponds to .test in the gridmapfile, it will be mapped to test001, test002, etc., whose names can be
found in the gridmapdir.)
If there is no pool account assigned to the user yet, the plugin will get a directory listing of the
gridmapdir. This list will contain usernames corresponding to system accounts specially designated for
pool accounting. If the plugin resolved the mapping of a certain pool name, let's say '.test', the
plugin will look into the directory list and will find the first available file in the list
corresponding with 'test' (e.g. 'test001') by checking the number of links to its i-node. If this number
is 1, this account is still available. To lease this account a second hard link is created, named after
the URL-encoded, decapitalized DN.
When a user returns to this site the plugin will look for the DN of the user (URL encoded) in this
directory. If found, the corresponding poolaccount will be assigned to the user.
The plugin will resolve the UID, GID and all the secondary GIDs belonging to the poolaccount. When this
has been done and no problems were detected, the plugin will add this information to a data structure
in the Plugin Manager. For version 1.6.0 and newer, if a requested username is specified (such as via
gsisshd) it needs to match the resulting poolaccount for the plugin to succeed, see NOTES. The plugin
will finish its run with an LCMAPS_MOD_SUCCESS. This result will be reported to the Plugin Manager which
started this plugin, and it will forward this result to the Evaluation Manager, which will take
appropriate actions for the next plugin to run. Normally this plugin would be followed by an Enforcement
plugin that can apply these gathered credentials in a way that is appropriate to the site's system
administration needs.
OPTIONS
-gridmapfile gridmapfile
If this option is set, it will override the default path of the gridmapfile. It is advised to use
an absolute path to the gridmapfile to avoid usage of the wrong file(path).
-gridmapdir gridmapdir
If this option is set, it will override the default path to the gridmapdir. It is advised to use
an absolute path to the gridmapdir to avoid usage of the wrong path.
-override_inconsistency
Moving a user from one pool to another (because of a VO change) should only be done by changing
the gridmapfile indicating the new pool for this user. If a user has already been mapped
previously to a poolaccount, there is a link present between this poolaccount and the user's DN.
In the good old days prior to LCMAPS, a 'pool change' would still result in a mapping to the old
pool account, neglecting the administrative changes in the gridmapfile. LCMAPS corrects this
behaviour: by default the poolaccount plugin will fail if the pool designated by the gridmapfile
doesn't match the previously mapped poolaccount leasename. If the site doesn't want a failure on
this inconsistency it can turn on this parameter. When the inconsistency is detected the plugin
will automatically unlink the previous mapping and will proceed by making a new lease from the
new pool.
-max_mappings_per_credential max nr of mappings
This value indicates the maximum number of accounts a user, or more specifically a set of
credentials (= DN + FQANs), can be mapped to. Normally this number is 1. But if each job should run
under its own account the number should be increased. The leasename (or poolindex) in this case
looks like:
url_encoded(<DN>):mapcount=<mapnumber>
-no_wildcard
If this option is set, wildcards cannot be used in the grid-mapfile (wildcard support is on by
default).
-strict_poolprefix_match {yes|no}
Default is 'yes'. If this is set to 'yes', a line in the gridmapfile like <DN>.pool will result
in accounts matching the regexp 'pool[0-9]+'. Otherwise it will be allowed to match 'pool.*'
(legacy behaviour).
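The lease procedure from DESCRIPTION together with the -override_inconsistency and
-strict_poolprefix_match behaviours, as an added Python illustration that is not the plugin's own C
code: it assumes a gridmapdir of empty files whose hard-link count is the lease marker, lower-cases
the DN before URL-encoding it (one reading of "decapitalized"), and the re-check of the link count
after link(2) is a race-handling assumption of this example, not something the page states.

```python
import os
import re
import tempfile
import urllib.parse

def lease_name(dn):
    """Lease file name for a DN: URL-encoded, lower-cased (the man page's 'decapitalized')."""
    return urllib.parse.quote(dn.lower(), safe="")

def pool_regex(pool, strict=True):
    """'.test' -> ^test[0-9]+$ (strict_poolprefix_match=yes) or ^test.*$ (legacy behaviour)."""
    prefix = re.escape(pool.lstrip("."))
    return re.compile(rf"^{prefix}[0-9]+$" if strict else rf"^{prefix}.*$")

def pool_account(gridmapdir, dn, pool, override_inconsistency=False, strict=True):
    """Return the local account leased to dn from pool, creating the lease when needed."""
    pattern = pool_regex(pool, strict)
    lease = os.path.join(gridmapdir, lease_name(dn))
    if os.path.exists(lease):
        # Returning user: the account file is the other name of the lease's inode.
        ino = os.stat(lease).st_ino
        acct = next((e for e in os.listdir(gridmapdir) if e != lease_name(dn)
                     and os.stat(os.path.join(gridmapdir, e)).st_ino == ino), None)
        if acct and pattern.match(acct):
            return acct
        # The gridmapfile now designates a different pool than the existing lease.
        if not override_inconsistency:
            raise LookupError(f"{dn} is leased {acct!r}, which is not in pool {pool!r}")
        os.unlink(lease)  # -override_inconsistency: drop the old lease, take a new one
    for acct in sorted(e for e in os.listdir(gridmapdir) if pattern.match(e)):
        path = os.path.join(gridmapdir, acct)
        if os.stat(path).st_nlink != 1:
            continue  # a second hard link exists: already leased to another DN
        os.link(path, lease)  # the lease is the second hard link; link(2) is atomic
        if os.stat(path).st_nlink == 2:
            return acct
        os.unlink(lease)  # assumption: two lessees raced on this account, try the next
    raise LookupError(f"pool {pool!r} is exhausted in {gridmapdir}")

def make_demo_gridmapdir(accounts=("test001", "test002", "testadmin", "other001")):
    """Constructed gridmapdir in a temp directory: one empty file per local account."""
    d = tempfile.mkdtemp(prefix="gridmapdir-")
    for a in accounts:
        open(os.path.join(d, a), "w").close()
    return d
```

With the constructed directory, 'testadmin' is only eligible in legacy mode (strict=False), which is
why the strict default matters on a host that also has non-pool accounts sharing the prefix.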
RETURN VALUES
LCMAPS_MOD_SUCCESS
Success.
LCMAPS_MOD_FAIL
Failure.
NOTES
Since version 1.6.0 the poolaccount plugin also takes the requested username (such as forwarded by
gsissh) into consideration. When present, the resulting poolaccount has to match it in order for the
plugin to succeed. This requires LCMAPS version 1.6.0 or newer.
BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
SEE ALSO
lcmaps.db(5), lcmaps(3).
AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
<grid-mw-security@nikhef.nl>.
February 25, 2013 LCMAPS_POOLACCOUNT.MOD(8)