Next: Adding LCMAPS plug-ins
Up: Guide to LCMAPS
Previous: Installation
The configuration involves both LCMAPS itself and the edg-gatekeeper.
The edg-gatekeeper is configurable with a few more command line options in addition to the normal
globus-gatekeeper options:
- -lcmaps_db_file <file>: specifies the filename of the LCMAPS policy file
(default: lcmaps.db).
- -lcmaps_etc_dir <path>: specifies the directory where the LCMAPS configuration files
are located (default: /opt/edg/etc/lcmaps/).
- -lcmapsmod_dir <path>: specifies the directory where the LCMAPS library is located
(default: /opt/edg/lib/lcmaps/).
- -lcas_etc_dir <path>: specifies the directory where the LCAS authorization
configuration files are located
(default /opt/edg/etc/lcas/).
- -lcas_dir <path>: same as -lcas_etc_dir <path>, deprecated.
- -lcasmod_dir <path>: specifies the directory where the LCAS library is located
(default /opt/edg/lib/lcas/).
- -plainoldglobus: provides the old globus-gatekeeper functionality,
LCAS and LCMAPS are not used.
The directories where the pool account and pool group leases are registered, the so-called gridmapdir
and groupmapdir, can be passed to the gatekeeper by setting the environment variables
$GRIDMAPDIR and $GROUPMAPDIR to the respective directories.
The globus.conf file (usually residing in the /etc directory) contains the
configuration parameters for the globus software. The gatekeeper init.d script uses this file
to configure the edg-gatekeeper. The following lines were added/modified in /etc/globus.conf:
    [common]
    [...]
    gridmapdir=/share/grid-security/gridmapdir/
    groupmapdir=/share/grid-security/groupmapdir/
    [...]

    [gatekeeper]
    [...]
    globus_gatekeeper=/opt/edg/sbin/edg-gatekeeper
    extra_options="-lcas_etc_dir /opt/edg/etc/lcas/ -lcasmod_dir /opt/edg/lib/lcas/ -lcmaps_etc_dir /opt/edg/etc/lcmaps/ -lcmapsmod_dir /opt/edg/lib/lcmaps -lcmaps_db_file lcmaps.db"
The globus_gatekeeper= line gives the path of the gatekeeper to be used and the extra_options=
line the gatekeeper options to be added.
The gridmapdir and groupmapdir entries give the default locations for the
poolaccount and poolgroup lease administration directories.
LCFG configuration:
The globus.conf file can be created using the globus LCFG object contained in package
edg-lcfg-globuscfg. The extra lines for the configuration files have to be specified in
an LCFGng resource file in the way that is shown in
the Computing Element resource file
ComputingElement-cfg.h.
LCMAPS reads its configuration, in particular the plugins it should load and the local
site policy, from the file lcmaps.db. An example file is shown
here.
The default path to the LCMAPS plugins is specified on the line starting with path =.
On the following
lines aliases are defined for the complete plugin names and their options. For a description of the
plugins and the options please refer to the man pages installed with the rpms, which can also be found
in apidoc.
In the current release the number of aliases attached to a plugin is limited to one. Using two
aliases of, for example, the "localaccount" plugin, each alias corresponding to different
options, is therefore not possible unless a physical copy is made of the plugin. This will be corrected in
the next release.
In the lines following the plugin definitions the local site policies are described. Each policy
starts with its name followed by a colon; the lines after that make up the policy. The policies are
evaluated in order of appearance, until a policy evaluation returns a true result, so a policy listed
later is only tried when all earlier ones have failed.
In the example two policies are described:
- default: This policy does pretty much the same as the old gatekeeper did: it checks the
grid-mapfile for the user's DN and maps the user to a local account or a pool account.
- voms: This policy uses the VOMS information in the user's X509 proxy certificate. First it
checks whether the VO information is actually there. If so, it tries to find local groups for this VO
information; if no local groups can be found, it tries to find pool groups. If local groups were found,
it additionally tries to find pool groups. Then it tries to find a VOMS pool account (based on the VO
information). The last steps are to add the gids found to the LDAP directory (ldap_enf)
and to enforce them in the calling process (posix_enf), i.e. to become the user.
A more elaborate description of the policy description language can be found
here, or as a PostScript or PDF file.
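To make the evaluation order concrete, the following is an added example (not LCMAPS code and not the example lcmaps.db linked above) of a small Python evaluator for lcmaps.db policies. The rule syntax it parses, "plugin -> next_on_success | next_on_failure" with an optional failure branch, the module file names and option flags in the constructed EXAMPLE_DB, and the exact success/failure branches of the voms policy are assumptions; the ldap_enf plugin is left out because its options are not given on this page, and plugin outcomes are stubbed in a dict so the example runs offline.

```python
"""Toy evaluator for lcmaps.db policies (added example; not LCMAPS code).

Assumed, not taken from the page: a policy block starts with '<name>:' and holds
rules 'plugin -> next_on_success | next_on_failure' (failure branch optional);
a plugin that succeeds and has no rule of its own ends the policy with a true
result. Module names, option flags and branch choices below are assumptions.
"""
import re

# Constructed example lcmaps.db, modelled on the two policies the page describes.
EXAMPLE_DB = """\
path = /opt/edg/lib/lcmaps

# aliases: one alias per plugin (the page notes this limit); options are assumed
localaccount    = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount     = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile -gridmapdir /etc/grid-security/gridmapdir"
vomsextract     = "lcmaps_voms.mod -vomsdir /etc/grid-security/vomsdir -certdir /etc/grid-security/certificates"
vomslocalgroup  = "lcmaps_voms_localgroup.mod -groupmapfile /etc/grid-security/groupmapfile"
vomspoolgroup   = "lcmaps_voms_poolgroup.mod -groupmapfile /etc/grid-security/groupmapfile -groupmapdir /etc/grid-security/groupmapdir"
vomspoolaccount = "lcmaps_voms_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile -gridmapdir /etc/grid-security/gridmapdir"
posix_enf       = "lcmaps_posix_enf.mod -maxuid 1 -maxpgid 1 -maxsgid 32"

# policies are tried in order of appearance: the VOMS-aware one must come first,
# otherwise a DN that is in the grid-mapfile is mapped by 'default' and its
# VOMS groups are never enforced
voms:
vomsextract     -> vomslocalgroup
vomslocalgroup  -> vomspoolgroup | vomspoolgroup
vomspoolgroup   -> vomspoolaccount
vomspoolaccount -> posix_enf

default:
localaccount -> posix_enf | poolaccount
poolaccount  -> posix_enf
"""

RULE_RE = re.compile(r"^(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$")

def parse_lcmaps_db(text):
    """Return (path, aliases, policies); policies is an ordered list of
    (name, rules) with rules = [(plugin, on_success, on_failure_or_None)]."""
    path, aliases, policies, current = None, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if re.match(r"^path\s*=", line):
            path = line.split("=", 1)[1].strip()
        elif line.endswith(":"):                       # '<name>:' opens a policy block
            current = (line[:-1].strip(), [])
            policies.append(current)
        elif current is None:                          # alias = "module options"
            alias, module = line.split("=", 1)
            aliases[alias.strip()] = module.strip().strip('"')
        else:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unparsable rule: %r" % raw)
            current[1].append(m.groups())
    # a policy naming a plugin that has no alias would never load: reject it up front
    for name, rules in policies:
        for plugin in (p for rule in rules for p in rule if p is not None):
            if plugin not in aliases:
                raise ValueError("policy %s references undefined plugin %s" % (name, plugin))
    return path, aliases, policies

def run_policy(rules, outcomes):
    """Walk one policy with stubbed plugin outcomes (alias -> bool); returns (ok, trace)."""
    on_ok = {p: s for p, s, _ in rules}
    on_fail = {p: f for p, _, f in rules}
    plugin, trace, seen = rules[0][0], [], set()
    while plugin is not None:
        if plugin in seen:
            raise ValueError("cycle at plugin %s" % plugin)
        seen.add(plugin)
        ok = outcomes.get(plugin, False)               # a plugin with no stubbed result counts as failed
        trace.append((plugin, ok))
        nxt = on_ok.get(plugin) if ok else on_fail.get(plugin)
        if nxt is None:
            return ok, trace                           # end of chain: true only if the last plugin succeeded
        plugin = nxt
    return False, trace

def evaluate(policies, outcomes):
    """First policy (in order of appearance) that returns true wins; None if none does."""
    for name, rules in policies:
        if run_policy(rules, outcomes)[0]:
            return name
    return None

def which_policy(db_text, outcomes):
    return evaluate(parse_lcmaps_db(db_text)[2], outcomes)

# Constructed stubbed outcomes: a VOMS user who is also listed in the grid-mapfile,
# and a plain grid-mapfile user whose proxy carries no VOMS extension.
VOMS_USER = {"vomsextract": True, "vomslocalgroup": True, "vomspoolgroup": True,
             "vomspoolaccount": True, "localaccount": True, "posix_enf": True}
PLAIN_USER = {"vomsextract": False, "localaccount": False, "poolaccount": True, "posix_enf": True}

if __name__ == "__main__":
    print(which_policy(EXAMPLE_DB, VOMS_USER))    # voms
    print(which_policy(EXAMPLE_DB, PLAIN_USER))   # default
    _, _, pols = parse_lcmaps_db(EXAMPLE_DB)
    print(evaluate(list(reversed(pols)), VOMS_USER))  # default: with the order swapped the VOMS groups are lost
```

The last call shows why the order of the policy blocks matters: with default listed before voms, a user who has a grid-mapfile entry is mapped by default and the VOMS-derived group credentials are never enforced.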
The configuration files needed by the plugins are the (ordinary) grid-mapfile (used by
the plugins localaccount, poolaccount and vomspoolaccount) and a new file: the
groupmapfile (used by the plugins vomslocalgroup and vomspoolgroup). This file contains
one entry per line: a "VO-GROUP-ROLE" combination and the corresponding local/pool group.
The "VO-GROUP-ROLE" combinations in the user's proxy are compared with the entries in the
groupmapfile and, for each match, a gid is added to the list of local credentials for the
user.
An example groupmapfile is shown
here.
Note that '*' can be used as a wildcard character.
The vomspoolaccount plugin finds a pool account based on the VO information and on the user
DN. It therefore looks in the grid-mapfile for "VO-GROUP-ROLE" combinations, as in the example
above. The leases maintained in the gridmapdir are, however, based on the user
DN and on the gids found prior to the vomspoolaccount call.
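The following is an added example (not LCMAPS code and not the example groupmapfile linked above) of the matching the groupmapfile paragraph describes, written in Python. Its details are assumptions: each entry is a quoted "VO-GROUP-ROLE" pattern followed by a group name, '*' is the only wildcard, a leading '.' on the group name marks a pool group whose gid is leased from the groupmapdir (mirroring the grid-mapfile convention for pool accounts), entries are tried top to bottom with the first match winning, and Role=NULL and Capability components of an FQAN are ignored when matching. The groupmapfile and the FQANs are constructed inline.

```python
"""Groupmapfile matching as the vomslocalgroup/vomspoolgroup plugins do it
(added example; not LCMAPS code; matching rules below are assumptions)."""
import re

# Constructed example groupmapfile (not the page's own example file)
EXAMPLE_GROUPMAPFILE = '''\
# most specific entries first: a "/atlas/*" line placed above them would shadow them
"/atlas/Role=production" atlasprd
"/atlas/*"               .atlas
"/cms"                   cms
'''

def _pattern_regex(pattern):
    """'*' matches any run of characters; everything else in the pattern is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def normalise_fqan(fqan):
    """Drop NULL role and capability parts so '/cms/Role=NULL/Capability=NULL' matches "/cms"
    (assumed normalisation)."""
    parts = [p for p in fqan.split("/") if p]
    parts = [p for p in parts if p != "Role=NULL" and not p.startswith("Capability=")]
    return "/" + "/".join(parts)

def parse_groupmapfile(text):
    """Return [(pattern, compiled_regex, group)] in file order; reject malformed lines
    rather than silently skipping them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError("groupmapfile line %d: cannot parse %r" % (lineno, raw))
        pattern, group = m.groups()
        entries.append((pattern, _pattern_regex(pattern), group))
    return entries

def map_fqans(fqans, entries):
    """Return [(group, is_pool)] for every FQAN with a matching entry, in FQAN order and
    without duplicates; an FQAN that matches no entry contributes no gid."""
    mapped = []
    for fqan in fqans:
        key = normalise_fqan(fqan)
        for _, regex, group in entries:
            if regex.match(key):
                item = (group.lstrip("."), group.startswith("."))   # '.' prefix = pool group
                if item not in mapped:
                    mapped.append(item)
                break                                                # first match wins
    return mapped

# Constructed FQANs as they would appear in a user's VOMS proxy
EXAMPLE_FQANS = [
    "/atlas/Role=production/Capability=NULL",
    "/atlas/higgs/Role=NULL/Capability=NULL",
    "/cms/Role=NULL/Capability=NULL",
    "/lhcb/Role=NULL/Capability=NULL",   # no entry: contributes no gid
]

if __name__ == "__main__":
    entries = parse_groupmapfile(EXAMPLE_GROUPMAPFILE)
    for group, is_pool in map_fqans(EXAMPLE_FQANS, entries):
        print(group, "(pool group, gid leased from groupmapdir)" if is_pool else "(local group)")
```

Two things the example makes visible: entry order matters, since a wildcard entry placed above a specific one shadows it, and with this strict matching "/atlas/*" does not match the bare VO group "/atlas", so a site that wants VO membership alone to yield a group needs an explicit "/atlas" entry.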
The gridmapdir and groupmapdir directories that are needed by the various plugins can be set
in the lcmaps.db file or by setting the environment variables
$GRIDMAPDIR and $GROUPMAPDIR to the respective directories.
LCFG configuration:
The LCMAPS policy file can also be created using the LCMAPS LCFG object contained in package
edg-lcfg-lcmaps. The lines for the configuration files have to be specified in
an LCFG resource file in the way that is shown in
the Computing Element resource file
ComputingElement-cfg.h.
One should be careful when specifying asterisks and double quotes.
The groupmapfile will be installed by the filecopy LCFG package edg-lcfg-filecopy.
Martijn Steenbakkers, Friday Jul 11 2003