NAME

       lcas_lcmaps_gt_interface - A Globus GSI-AuthZ plug-in to run LCAS and LCMAPS

SYNOPSIS

       lcas_lcmaps_gt_interface

       lcas_lcmaps_gt4_interface

DESCRIPTION

       This  is  a  plug-in  to be loaded from a GSI-AuthZ capable Globus service. The feature was introduced in
       Globus GT4 and is available for GT5. The purpose of this call-out is to authorize a user by  running  the
       LCAS framework and map the user credentials to a Unix account based using the LCMAPS framework. Both LCAS
       and LCMAPS are frameworks that run configured plug-ins to do the real work.

       Some  of  the plug-ins are capable of imposing certain policy on the user credentials, others are capable
       of off-loading the decision to a centralized service to make the decision or even provide an account map‐
       ping in the process.

       This plug-in is dynamically loaded during each interaction that requires an account mapping in  the  GSI-
       AuthZ interface of a Globus service.

ENVIRONMENT VARIABLES

       LLGT_LOG_FILE
              When  this  variable is set and it can be opened as file, log output will go to the given file in‐
              stead of to syslog. When either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also  be  set
              to this same file.

       LLGT_LOG_FACILITY
              Change the default logging facility with the $LLGT_LOG_FACILITY environment variable. Use the name
              of (standard syslog) facility names. Example: LOG_DAEMON, LOG_LOCAL1, etcetera

       LLGT_LOG_IDENT
              The  $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This will be the identify‐
              ing string in Syslog for the current process. Not using this option will let Syslog (or one of the
              GT services) to set these options.  By default the Syslog ident will  be  set  to  the  executable
              name.

       LLGT_RUN_LCAS
              Set  the environment variable $LLGT_RUN_LCAS to "no", "disabled" or "disable" to avoid LCAS to run
              prior to the LCMAPS.

              There is a matching ./configure option "--enable-lcas" which can be used to change the default be‐
              haviour to run LCAS or not. The $LLGT_RUN_LCAS environment variable can still influence  the  LCAS
              run.

       LLGT_LIFT_PRIVILEGED_PROTECTION
              Normally  the  callout,  after LCMAPS has finished, checks whether it is (still) running with root
              privileges (uid, euid, gid or egid) and fails if that is the case. This is  to  prevent  erroneous
              configurations to silently result in a root-account mapping in services that do not have their own
              checks for this.

              When the environment variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, this check is disabled. This
              is NEEDED for services that:

              1.) don't user switch, and run as root.

              2.)  services  that  expect only a username to be returned and perform the user switch themselves,
              e.g. the Globus GSI-OpenSSHd.

       LLGT_CACHE_CALLOUT
              Set the environment variable $LLGT_CACHE_CALLOUT to  "no",  "disabled"  or  "disable"  to  disable
              reusing  the  result  of the `localname' callout for the `userok' callout. This results in calling
              the LCAS/LCMAPS authorization twice for e.g. gsisshd.

       LLGT_DLCLOSE_LCMAPS
              Set the environment variable $LLGT_DLCLOSE_LCMAPS to "no",  "disabled"  or  "disable"  to  prevent
              calling dlclose() on the LCMAPS library. This might be needed as a workaround on RH5-based systems
              in  an  installation  for  gsisshd,  when  the  use  of  PAM  is  enabled  ("UsePAM  Yes"  in  the
              /etc/gsissh/sshd_config).  The underlying bug is a combination between the OpenSSL, VOMS  and  PAM
              libraries, which can trigger a segfault when VOMS is initialized twice.

       LLGT_DLCLOSE_LCAS
              Set  the environment variable $LLGT_DLCLOSE_LCAS to "no", "disabled" or "disable" to prevent call‐
              ing dlclose() on the LCAS library. This might be needed as a workaround on RH5-based systems.  The
              underlying  bug is a combination between the OpenSSL, VOMS and Globus libraries, which can trigger
              a segfault when VOMS is initialized twice, which can happen when LCAS is using a VOMS based  plug‐
              in. Normally should not be needed as LCAS is now dlclosed and terminated after LCMAPS.

       LLGT_NO_CHANGE_USER (deprecated)
              Depreciated  $LLGT_NO_CHANGE_USER  in  favour  of $LLGT_LIFT_PRIVILEGED_PROTECTION.  (Depreciation
              does not mean non-functional anymore)

       LLGT4_NO_CHANGE_USER (deprecated)
              Depreciated $LLGT4_NO_CHANGE_USER in favour  of  $LLGT_LIFT_PRIVILEGED_PROTECTION.   (Depreciation
              does not mean non-functional anymore)

       LLGT_VOMS_DISABLE_CREDENTIAL_CHECK
              The VOMS credentials are verified by the LCMAPS framework before further processing is done in the
              plug-ins.  The  LCMAPS framework has an API to enable or disable the verification of the VOMS cre‐
              dentials and this option will disable the verification of the VOMS credentials. A  vanilla  LCMAPS
              build will verify the VOMS credentials by default.

       LLGT_VOMS_ENABLE_CREDENTIAL_CHECK
              Similar  to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment variable, this setting will enable
              the verification of the VOMS credentials, overriding the LCMAPS default setting to have the  veri‐
              fication  of  VOMS credentials to be disabled. A vanilla LCMAPS build will verify the VOMS creden‐
              tials by default, the OSG build has is disabled by default.

       LLGT_LCAS_LIBDIR
              Support for an  alternative  LCAS_LIBDIR  as  a  run-time  setting  by  exporting  $LLGT_LCAS_LIB‐
              DIR="/usr/local/lib/liblcas.so"

       LLGT_LCMAPS_LIBDIR
              Support  for  an  alternative  LCMAPS_LIBDIR  as a run-time setting by exporting $LLGT_LCMAPS_LIB‐
              DIR="/usr/local/lib/liblcmaps.so"

       LLGT_ENABLE_DEBUG
              If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging message logged at  level
              LOG_DEBUG  are  passed to the log. The scope of this setting is only within the LCAS-LCMAPS-GT-in‐
              terface

INTERNAL ENVIRONMENT VARIABLES

       GATEKEEPER_JM_ID
              An environment variable that is internally set to uniquely identify this gatekeeper  and  the  job
              manager.

       JOB_REPOSITORY_ID
              Similar to the $GATEKEEPER_JM_ID value, but its purpose is for the LCMAPS job repository plug-in.

LCAS ENVIRONMENT VARIABLES

       LCAS_DEBUG_LEVEL
              Debug level

LCMAPS ENVIRONMENT VARIABLES

       LCMAPS_DEBUG_LEVEL
              For  LCMAPS  1.5.0  (and  newer) the value "5" corresponds to Syslog LOG_DEBUG, "4" corresponds to
              LOG_INFO, "3" to LOG_NOTICE and so on. The LCMAPS default is to log up to LOG_INFO.

RETURN VALUES

       True   The user is authorized and a local Unix account was procured.

       False  No mapping was possible.

NOTES

       From version 0.3.0 onwards, the interface tries to forward the requested username to LCMAPS (for  version
       1.6.0 and up). The mapping plugins can use this to support multiple username entries in the grid-mapfile,
       or enforcing poolaccount mappings to a specific poolaccount.

BUGS

       Please   report   any   errors  to  the  Nikhef  Grid  Middleware  Security  Team  <grid-mw-security-sup‐
       port@nikhef.nl>.

SEE ALSO

       lcas.db(5), lcas(3).  lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were  written  by  the  Grid  Middleware  Security  Team  <grid-mw-securi‐
       ty@nikhef.nl>.

Stichting FOM-Nikhef                            February 22, 2013                    LCAS_LCMAPS_GT_INTERFACE(8)