.\" In .TH, FOO should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.\"
.\" This template provided by Tom Christiansen <tchrist@jhereg.perl.com>.
.\"
.TH LCMAPS_POOLACCOUNT.MOD 8 "February 6, 2015" "Stichting FOM/Nikhef" "Site Access Control"
.SH NAME
lcmaps_poolaccount.mod \- LCMAPS plugin to switch user identity by pool accounts
.SH SYNOPSIS
.nh
.ad l
.B lcmaps_poolaccount.mod
.RB [ \-gridmapfile
.IR grid-mapfile ]
.RB [ \-gridmapdir
.IR gridmapdir ]
.RB [ \-no_wildcard | \-disablewildcard ]
.RB [ \-override_inconsistency ]
.RB [ \-max_mappings_per_credential
.IR "max nr of mappings" ]
.RB [ \-strict_poolprefix_match
.IR {yes|no} ]
.hy
.ad b
.SH DESCRIPTION
This plugin is an acquisition plugin and will provide the LCMAPS system with
Pool Account credential information.
The plugin tries to find a pool account (more specifically a UserID) based on
the Distinguished Name (DN) of the user's end-entity certificate.
The account is acquired from an account pool. The accounts in the account pool
must exist on the system, either locally or through a centralised account
database, e.g. LDAP.
It first looks in the grid-mapfile for a mapping from the DN to a pool name
(a name starting with a dot '.' instead of an alphanumeric character); the pool
name identifies a set of local accounts.
The \fBgridmapdir\fR directory is going to be used as a persistent and open
mapping database. A pool is defined as being a set of accounts following a
particular pattern in their naming, e.g. test001.
In that directory the plugin creates a new file whose name is the lowercase,
URL-encoded Subject DN of the user.
For example, if the DN is mapped to
.B .test
in the grid-mapfile, it will be mapped to the pool accounts
.BR test001 ,
.BR test002 ,
etc., the names of which can be found in the gridmapdir.
.PP
If there is no pool account assigned to the user yet, the plugin will try to
find a free pool account (i.e. one for which the link count is 1) and make a
new hardlink to it with the URL-encoded subject DN as name.
.PP
When a user returns to this site the plugin will look for the DN of the user
(URL encoded) in this directory. If found, the corresponding pool account will
be assigned to the user.
.PP
Example showing the output of ls \-li:
.nf
1836080 \-rw\-r\-\-r\-\- 2 root root %2fdc%3dorg%2fdc%3dterena%2fdc%3dtcs%2fc%3dnl%2fo%3dnikhef%2fcn%3doscar%20koeroo%20okoeroo%40nikhef%2enl
1836080 \-rw\-r\-\-r\-\- 2 root root test003
.fi
The filename is hardlinked to the mapped account-name. Creating this hardlink is
designed to be an atomic operation and verified to work on large installations
serving multiple services from one NFS-share.
The plugin will resolve the UID, GID and all the secondary GIDs of the mapped
local (system) account username.
.SH OPTIONS
.TP
.BI "\-gridmapfile " grid-mapfile
This file must contain DN to pool name mappings.
It is strongly advised to set this option and to set it to an absolute path to
avoid usage of the wrong file(path).
When unset, the plugin will try to obtain the value from one of the environment
variables (see \fBENVIRONMENT\fR). When those are also unset, the default
depends on whether the plugin runs inside a (setuid-)root application. In the
(setuid-)root case, the default is \fI/etc/grid-security/grid-mapfile\fR.
In the non-(setuid-)root case, the default is \fI<homedir>/.gridmap\fR.
In a (setuid-)root application, relative paths are taken with respect to
\fI/etc/grid-security/\fR.
.TP
.BI "\-gridmapdir " gridmapdir
A directory used for the mapping database.
If this option is unset, the plugin will try to obtain the value from the
environment variable \fBGRIDMAPDIR\fR (see \fBENVIRONMENT\fR).
In a (setuid-)root application, relative paths are taken with respect to
\fI/etc/grid-security/\fR.
.TP
.B \-override_inconsistency
Moving a user from one pool to another should normally only be done by changing
the grid-mapfile to indicate the new pool for that user.
If the URL-encoded lease (hardlink) for the DN already exists but points to a
pool account different from the one this run of the plugin would select, the
plugin normally fails. This option instructs the plugin to remap the user to
the new pool account instead.
.TP
.BI "\-max_mappings_per_credential " "maximum number of mappings"
This feature is deprecated. It was intended to work together with the Globus
Dynamic Account Service/Workspace Service.
This value indicates the maximum number of accounts a user, or more specifically
a set of credentials (=DN + FQANs), can be mapped to. Normally this number is 1.
But if each job should run under its own account the number should be increased.
Whether LCMAPS will actually use the mapcounter depends on the LCMAPS interface
being used. The lease name (or poolindex) in the case of mapcounters looks like:
.IP
.in +4m
url_encoded(<DN>):mapcount=<mapnumber>
.in
.TP
.BR \-no_wildcard ", " \-disablewildcard
When this option is set the plugin only matches exact DNs in the grid-mapfile;
a wildcard entry such as /DC=org/DC=terena/DC=tcs/C=NL/* will \fInot\fR match.
.TP
.BI "\-strict_poolprefix_match " {yes|no}
If this is set to 'yes', a line in the grid-mapfile like \fB<DN> .pool\fR
will result in mapping pool accounts matching only the regexp \fBpool[0-9]+\fR.
Otherwise it will be allowed to match the wider range of \fBpool.*\fR (legacy
behaviour).
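.PP
The following is an added, stand-alone Python example (not part of LCMAPS or of
this plugin) that re-implements the gridmapdir lease mechanism described in
\fBDESCRIPTION\fR together with the \fB\-strict_poolprefix_match\fR and
\fB\-override_inconsistency\fR behaviour above. It runs against a temporary
directory filled with constructed account names; the DN encoding it assumes
(urllib quote() with '.' additionally encoded as %2e) is an assumption that
reproduces the ls \-li example.

```python
"""Added example (not LCMAPS or plugin code): gridmapdir lease mechanism in
Python, so lookup, free-account detection (link count 1), the atomic hardlink,
the -strict_poolprefix_match regexp and the -override_inconsistency check can
be exercised against a temporary directory."""
import os
import re
import tempfile
from urllib.parse import quote


def encode_dn(dn: str) -> str:
    """Lease file name: lowercase, URL-encoded subject DN.
    Assumption: quote(safe='') plus encoding '.' as %2e reproduces the
    plugin's encoding; it matches the ls -li example in DESCRIPTION."""
    return quote(dn, safe="").replace(".", "%2e").lower()


def pool_members(gridmapdir: str, pool: str, strict: bool = True) -> list:
    """Account names in gridmapdir belonging to pool ('.test' -> 'test').
    strict=True  : pool[0-9]+   (-strict_poolprefix_match yes)
    strict=False : pool.*       (legacy behaviour)"""
    prefix = re.escape(pool[1:] if pool.startswith(".") else pool)
    pattern = re.compile(rf"^{prefix}[0-9]+$" if strict else rf"^{prefix}.*$")
    return sorted(name for name in os.listdir(gridmapdir) if pattern.match(name))


def acquire(gridmapdir: str, dn: str, pool: str, strict: bool = True,
            override_inconsistency: bool = False) -> str:
    """Return the pool account leased to dn, creating the lease if needed."""
    lease = os.path.join(gridmapdir, encode_dn(dn))
    members = pool_members(gridmapdir, pool, strict)

    def inode(name: str) -> int:
        return os.stat(os.path.join(gridmapdir, name)).st_ino

    if os.path.lexists(lease):
        # Returning user: the lease and the account share one inode.
        lease_inode = os.stat(lease).st_ino
        for acct in members:
            if inode(acct) == lease_inode:
                return acct
        # Lease exists but points outside this pool (user moved in grid-mapfile).
        if not override_inconsistency:
            raise RuntimeError(f"lease for {dn!r} is not in pool {pool}")
        os.unlink(lease)  # frees the old account (its link count drops to 1)

    for acct in members:
        path = os.path.join(gridmapdir, acct)
        if os.stat(path).st_nlink != 1:
            continue  # already leased to someone else
        try:
            os.link(path, lease)  # atomic: link(2) fails if the lease appeared
        except FileExistsError:
            # Another process created our lease concurrently; re-read it.
            return acquire(gridmapdir, dn, pool, strict, override_inconsistency)
        if os.stat(path).st_nlink == 2:
            return acct
        os.unlink(lease)  # lost a race for this account; release, try the next
    raise RuntimeError(f"no free account in pool {pool}")


def demo() -> dict:
    """Walk through the scenarios from DESCRIPTION and OPTIONS in a temp dir
    (constructed sample accounts; a real gridmapdir holds root-owned files)."""
    dn = "/DC=org/DC=terena/DC=tcs/C=NL/O=Nikhef/CN=Oscar Koeroo okoeroo@nikhef.nl"
    with tempfile.TemporaryDirectory() as gridmapdir:
        for name in ("test001", "test002", "testadmin", "prod001"):
            open(os.path.join(gridmapdir, name), "w").close()
        first = acquire(gridmapdir, dn, ".test")
        again = acquire(gridmapdir, dn, ".test")  # returning user, same lease
        other = acquire(gridmapdir, "/DC=org/DC=example/CN=Other User", ".test")
        links = os.stat(os.path.join(gridmapdir, first)).st_nlink
        # Site moves the user to .prod in grid-mapfile, first without override:
        try:
            acquire(gridmapdir, dn, ".prod")
            inconsistent = False
        except RuntimeError:
            inconsistent = True
        moved = acquire(gridmapdir, dn, ".prod", override_inconsistency=True)
        freed = os.stat(os.path.join(gridmapdir, first)).st_nlink
        return {
            "first": first, "again": again, "other": other, "links": links,
            "strict": pool_members(gridmapdir, ".test"),
            "legacy": pool_members(gridmapdir, ".test", strict=False),
            "inconsistent": inconsistent, "moved": moved, "freed": freed,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the scenario results. The strict pattern excludes
\fBtestadmin\fR from the \fB.test\fR pool while the legacy pattern admits it,
and the failed \fB.prod\fR mapping followed by the override shows why a stale
lease must be removed explicitly before the old account's link count returns
to 1. The example never touches a real gridmapdir.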
.SH RETURN VALUES
.TP
.B LCMAPS_MOD_SUCCESS
Success.
.TP
.B LCMAPS_MOD_FAIL
Failure.
.SH ENVIRONMENT
.TP
GRIDMAP | GLOBUSMAP | globusmap | GlobusMap
When no grid-mapfile is specified as option to the plugin, it will try to obtain
the file location from one of these environment variables.
.TP
GRIDMAPDIR
When no gridmapdir is specified as option to the plugin, it will try to obtain
the directory location from this environment variable.
.SH NOTES
Since version 1.6.0 the poolaccount plugin also takes the \fBrequested
username\fR (such as forwarded by gsissh) into consideration. When present, the
resulting pool account has to match it in order for the plugin to succeed. This
requires LCMAPS version 1.6.0 or newer.
.SH BUGS
Please report any errors to the Nikhef Grid Middleware Security Team
<grid-mw-security-support@nikhef.nl>.
.SH SEE ALSO
.BR lcmaps.db (5),
.BR lcmaps (3).
.SH AUTHORS
LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
<grid-mw-security@nikhef.nl>.