Provided by: lcmaps-plugins-voms_1.6.2-2_amd64

NAME

       lcmaps_voms_poolgroup.mod  -  LCMAPS  plugin  to  switch  user identity based on VOMS credentials by pool
       groups

SYNOPSIS

       lcmaps_voms_poolgroup.mod [-groupmapfile groupmapfile] [-groupmapdir groupmapdir]
       [--map-to-secondary-groups] [-override_inconsistency] [-mapall] [-mapmin number of minimal mappings]
       [-strict_poolprefix_match yes_or_no]

DESCRIPTION

       This VOMS poolgroup acquisition plugin is a 'VOMS-aware' modification of the lcmaps_poolgroup.mod.8
       plug-in.  The plugin tries to find a local group (more specifically a GroupID) based on the VOMS
       information that is available from the LCMAPS framework, in particular the Fully Qualified Attribute
       Names (FQAN). The group is acquired from a group pool. The groups in the group pool must exist on the
       system, either locally or through a centralized account database, e.g. LDAP.

       The groupmapdir directory is used as a persistent and open mapping database. A pool is defined as a
       set of groups that follow a particular naming pattern, e.g. pool001 or atlas001. In this directory the
       plug-in creates a new file whose name is the VOMS FQAN in URL-encoded form:

       Example showing the output of ls -li:

       1836080 -rw-r--r-- 2 root root %2fdteam%2f

       1836080 -rw-r--r-- 2 root root dteam001

       This  filename  is hardlinked to the mapped groupname. Creating this hardlink is designed to be an atomic
       operation and verified to work on large installations serving multiple services from one NFS-share.
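
As an added example (not part of the plug-in or its documentation), the hard-link layout described above can be audited by grouping the groupmapdir entries by inode. The function names, the `%2f` prefix heuristic for recognising FQAN entries and the sample directory are assumptions made for illustration.

```python
import os
from collections import defaultdict
from urllib.parse import unquote


def audit_groupmapdir(path):
    """Pair URL-encoded FQAN entries with pool group entries by inode.

    Returns (mappings, free_groups, anomalies).
    """
    by_inode = defaultdict(list)
    anomalies = []
    for entry in os.scandir(path):
        if not entry.is_file(follow_symlinks=False):
            anomalies.append(f"{entry.name}: not a regular file")
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_mode & 0o022:  # anyone but the owner can modify the entry
            anomalies.append(f"{entry.name}: group- or world-writable")
        by_inode[(st.st_dev, st.st_ino)].append(entry.name)

    mappings, free_groups = {}, []
    for names in by_inode.values():
        # Assumption: FQAN entries start with the URL-encoded "/" (%2f),
        # as in the ls -li output above; everything else is a pool group.
        fqans = [n for n in names if n.lower().startswith("%2f")]
        groups = [n for n in names if not n.lower().startswith("%2f")]
        if len(fqans) == 1 and len(groups) == 1:
            mappings[unquote(fqans[0])] = groups[0]
        elif not fqans and len(groups) == 1:
            free_groups.append(groups[0])  # pool group not yet leased
        else:
            anomalies.append(f"unexpected link set: {sorted(names)}")
    return mappings, sorted(free_groups), sorted(anomalies)


def build_sample(path):
    """Constructed sample directory: one lease, one free group, one orphan."""
    for name in ("dteam001", "dteam002", "%2fatlas%2f"):
        with open(os.path.join(path, name), "w"):
            pass
        os.chmod(os.path.join(path, name), 0o644)
    os.link(os.path.join(path, "dteam001"), os.path.join(path, "%2fdteam%2f"))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_groupmapdir(d))
```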

       The VOMS credentials need to be available from the LCMAPS framework.

OPTIONS

       -groupmapfile groupmapfile
              This option is used to determine the groupmapfile path. The plug-in will open the file and use the
              content for the FQAN to Group ID mapping. The same formatting rules of the grid-mapfile  apply  to
              the groupmapfile. Provide a full path.

       -groupmapdir groupmapdir
              A directory used for the group mapping database, similar to the gridmapdir. It is important to not
              mix the gridmapdir and groupmapdir directories.

       --map-to-secondary-groups
              When enabled, the plug-in will map all the FQANs of the user to secondary Group IDs. There will be
              no primary Group ID set by this plug-in when enabled.

       -override_inconsistency
              If the poolgroup is mapped from a URL-encoded VOMS FQAN to a group name, and the gridmapfile
              states that this user needs to move to another pool, then the plug-in will remap the user to the
              new pool. Without this option the plug-in will fail if an existing mapping for the user
              credentials exists but does not map to the configured mapping pool.

       -mapall
              When  enabled,  a  failure will be triggered if not all of the FQANs could be mapped to primary or
              secondary Group IDs.

       -mapmin number of minimal mappings
              This option sets the minimum number of groups that have to be resolved for later mapping.  If
              the minimum is not set, it defaults to '0'.  If the plugin is not able to resolve the required
              number of poolgroups it will fail.  Note: if the minimum is set to zero or is not set, the
              plugin will return success if no other errors occur, even if no poolgroups were found.

       -strict_poolprefix_match yes/no
              If this is set to 'yes', a line in the groupmapfile like <FQAN> .poolgr will result in groups
              matching the regexp poolgr[0-9]+. Otherwise it will be allowed to match poolgr.* (legacy
              behaviour).

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

BUGS

       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
       <grid-mw-security@nikhef.nl>.

Stichting FOM/Nikhef                             March 14, 2012                     LCMAPS_VOMS_POOLGROUP.MOD(8)