On the EU Data Grid, ``users'' of the Grid will not have ``accounts'' in the usual sense of the word. That is, they will not have a login name and password via which they can log in to Grid computer nodes via ssh or telnet or some such. Rather, users will have an ``X.509 Identity Certificate'' which has been issued by some ``Certificate Authority'' which is recognized by the EU Data Grid organization. This certificate serves to ``prove'' a user's identity, but it does not by itself establish the user's authorization to perform the requested task; that must be decided in a separate step.
The Virtual Organization (VO) construct is used in the implementation of the authorization phase of user task instantiation. Basically, VOs are used to organize the credentials (certificate subject lines for example) of sets of users into various subgroups. When a user submits a task request, the user's certificate information is compared with a file which is populated by information from the various VOs. ``Roberto Barbera'' may have been added to the Alice VO, in which case the file referred to will have an entry for ``Roberto Barbera'' along with a directive to map his requests onto a local Alice environment. On the other hand, Roberto would not be allowed to run jobs under other environments (at least for PM9).
Somewhere there needs to be a database which lists the people in each VO. LDAP has been chosen to implement this database. NIKHEF has experience in other contexts with LDAP, so the institute volunteered to administer the LDAP server containing this person/VO mapping. Experiments themselves need to administer the VO directories which reside on the server. The main purpose of this document is to explain how to do that.
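The following is an added illustration, not code from the EU Data Grid project, of the authorization step sketched above: VO membership (standing in for the LDAP directory) is turned into a mapping file, and a job request is accepted only if the presenting certificate's subject appears in it. It assumes the Globus grid-mapfile line layout (``quoted subject DN'' followed by a local account), and all subject names and account names are constructed samples.

```python
"""Toy model of VO-based authorization: authentication by certificate is
not enough; the subject must also be listed in the mapping file built
from the VO directories.

Assumptions (not from the original document): VO membership is modelled
as a dict of VO name -> list of certificate subject DNs, standing in for
the LDAP directory, and the mapping file uses the Globus grid-mapfile
layout: one line per user, "<quoted subject DN> <local account>".
"""
from typing import Dict, List, Optional

# Constructed sample of VO membership as it might be exported from LDAP.
VO_MEMBERS: Dict[str, List[str]] = {
    "alice": ["/O=Grid/O=CERN/OU=cern.ch/CN=Roberto Barbera"],
    "atlas": ["/O=Grid/O=NIKHEF/CN=Example Atlas User"],
}

# Each VO is mapped onto a single local environment (one account per VO).
VO_LOCAL_ACCOUNT: Dict[str, str] = {"alice": "alice001", "atlas": "atlas001"}


def build_mapfile(members: Dict[str, List[str]]) -> str:
    """Generate mapping-file text from VO membership, one line per subject."""
    lines = []
    for vo, subjects in sorted(members.items()):
        for dn in subjects:
            # The DN is quoted because it contains spaces and slashes.
            lines.append(f'"{dn}" {VO_LOCAL_ACCOUNT[vo]}')
    return "\n".join(lines) + "\n"


def parse_mapfile(text: str) -> Dict[str, str]:
    """Parse mapping-file text back into subject DN -> local account."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, account = line.rpartition('" ')
        mapping[dn.lstrip('"')] = account.strip()
    return mapping


def authorize(subject_dn: str, mapping: Dict[str, str]) -> Optional[str]:
    """Return the local account a certificate subject maps to, or None.

    None means the request is refused even though the certificate itself
    may be perfectly valid: the holder is in no VO known to this site.
    """
    return mapping.get(subject_dn)


if __name__ == "__main__":
    mapping = parse_mapfile(build_mapfile(VO_MEMBERS))
    print(authorize("/O=Grid/O=CERN/OU=cern.ch/CN=Roberto Barbera", mapping))
    print(authorize("/O=Grid/O=Elsewhere/CN=Unknown User", mapping))
```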