Burke, S (Stephen) wrote:
>LHC Computer Grid - Rollout
>
>
>>[mailto:[log in to unmask]] On Behalf Of
>>Kyriakos G. Ginis said:
>>I think this link is a bit outdated, since AFAIK in the
>>current LCG version the
>>DN <--> pool account mapping is handled by LCMAPS. On your CE
>>or SE, try
>>
>>man lcmaps_poolaccount.mod
>>
>>
>
>I think the algorithm is the same. One consequence seems to be that
>you'd better not have pool account prefixes where one is an initial
>substring of the other ... indeed if Jeff is using pool accounts for
>sgms maybe he'd better check the mapping, on the face of it a user
>mapped to .dteam might pick up a pool account called dteamsgm01 with
>enhanced privileges ...
>
>Stephen
>
>
Hi Stephen and *,
Unless pieces of code in the poolaccount plugin have changed (likely
without my notice on these internal parts) the plugin is
nondeterministic about the characters to be found in the gridmapdir in
the order of "<prefix here>[a-zA-Z0-9]*".
For '.dteamsgm' it can find the userid 'dteamsgm' but also 'dteamsgm001'
and also dteamsgmAbraCaDaBraPoefff.
There is no counter, it's just easier to administer if you match and map
to accounts postfixed with a number.
What we also should know is that the first match will be found and bound
to the DN as a mapping. If you come to a cluster as dteam first and
gain a mapping as dteam001, then you cannot exploit this 'feature'
until this mapping is removed by an admin.
cheers,
Oscar "Documented 'bugs' are features (also late at night at CET)"
Koeroo
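
Added example, not part of the original messages and not LCMAPS code: a site-side audit that models the matching rule described above ("<prefix>[a-zA-Z0-9]*") and reports pool prefixes where one is an initial substring of another, plus the account names that more than one prefix would accept. The prefix and account lists are constructed samples, and the digits-only suffix rule is a hypothetical stricter variant shown for comparison.

```python
import re
from itertools import permutations

LOOSE = r"[a-zA-Z0-9]*"  # suffix rule as described in the thread
DIGITS = r"[0-9]+"       # hypothetical stricter rule: numeric suffix only


def matches(prefix, name, suffix=LOOSE):
    """True if `name` is `prefix` followed by an allowed suffix."""
    return re.fullmatch(re.escape(prefix) + suffix, name) is not None


def overlapping_prefixes(prefixes):
    """Return (short, long) pairs where short is an initial substring of long."""
    return sorted((a, b) for a, b in permutations(set(prefixes), 2)
                  if b.startswith(a))


def ambiguous_accounts(prefixes, names, suffix=LOOSE):
    """Map each account name to its matching prefixes when more than one matches."""
    result = {}
    for name in names:
        hits = sorted(p for p in set(prefixes) if matches(p, name, suffix))
        if len(hits) > 1:
            result[name] = hits
    return result


# Constructed sample data: pool prefixes (written without the leading '.')
# and account names as they might appear in a gridmapdir.
PREFIXES = ["dteam", "dteamsgm", "atlas"]
NAMES = ["dteam001", "dteam002", "dteamsgm", "dteamsgm01",
         "dteamsgmAbraCaDaBraPoefff", "atlas001"]

if __name__ == "__main__":
    for short, long_ in overlapping_prefixes(PREFIXES):
        print(f"prefix '{short}' is an initial substring of '{long_}'")
    for name, hits in ambiguous_accounts(PREFIXES, NAMES).items():
        print(f"account '{name}' is reachable from prefixes {hits}")
    print("ambiguous with digits-only suffix:",
          ambiguous_accounts(PREFIXES, NAMES, DIGITS))
```

With the loose rule, every dteamsgm* name is also reachable from the plain dteam prefix; with the digits-only variant, none is.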