Dear *,
I am trying to work on our mapping scheme for VOMS groups and roles.
I am doing this with the DESY owned VO desy.
Details about its groups and roles configuration can be found here:
https://grid-voms.desy.de:8443/voms/desy
When all groups and roles are mapped to pool accounts, I have to add a
catch-all line to account for groups that are not defined in
/opt/edg/etc/lcmaps/[grid,group]mapfile
but that the user might have asked for in his proxy.
The catch-all line looks like
"/VO=desy/GROUP=/desy/*/Role=NULL/Capability=NULL" .desyusr
"/VO=desy/GROUP=/desy/*" .desyusr
This scheme works, but only if all groups and roles have pool accounts.
When one role is configured as a static account (e.g. SGM), this will
not work anymore.
- If I leave the catch-all line, SGM will be mapped to a user account
instead of the single SGM account
- If I drop the catch-all line, SGM is correctly mapped. If a proxy
comes with groups that are not defined on my CE, VOMS mapping fails,
and the old gridmap-file mechanism is used instead.
Does anyone see similar problems? (and maybe know the right solution?)
Thanks for any suggestion!
Best
Yves
--------------------------------------------
Yves Kemp
Desy IT 2b/312
Fon: +49-(0)40-8998-2318 Notkestr. 85
Fax: +49-(0)40-8994-2318 D-22607 Hamburg
--------------------------------------------