Hi Antun,
> 1) Is it true that the lcmaps files responsible for voms mapping on gLite-3.1
> CE are still
>
> /opt/edg/etc/lcmaps/gridmapfile
> /opt/edg/etc/lcmaps/groupmapfile
Those files are obsolete and YAIM will stop generating them.
> Or groupmapfile that should be used is /etc/grid-security/groupmapfile ?
Yes.
> 2) Whatever is the answer to 1), I believe that
> /opt/glite/etc/lcmaps/lcmaps.db has some dubious entries:
>
> vomslocalaccount = "lcmaps_voms_localaccount.mod"
> " -gridmapfile /etc/grid-security/grid-mapfile"
> " -use_voms_gid"
>
> vomspoolaccount = "lcmaps_voms_poolaccount.mod"
> " -gridmapfile /etc/grid-security/grid-mapfile"
> " -gridmapdir /etc/grid-security/gridmapdir"
> " -override_inconsistency"
>
>
> Shouldn't gridmapfile point to voms-enabled gridmapfile? This certainly is not
> /etc/grid-security/grid-mapfile, which contains static mappings (DN to VO)...
/etc/grid-security/grid-mapfile contains DN _and_ FQAN mappings: look at the end.
This ugliness is due to an LCMAPS limitation.
> Anyhow, I have problems with mapping for users with the specific voms roles
> specified in /opt/edg/etc/lcmaps/gridmapfile. Mapping to a group works, I
> suppose because lcmaps.db has this entry
>
> vomslocalgroup = "lcmaps_voms_localgroup.mod"
> " -groupmapfile /etc/grid-security/groupmapfile"
> " -mapmin 1"
>
>
> and /etc/grid-security/groupmapfile is voms-enabled file.
What do you have in /etc/grid-security/grid-mapfile for those VOMS roles?
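
One way to answer that question on a CE, as an added example that is not part of the original message and is not LCMAPS or YAIM code: it parses a grid-mapfile, separates DN entries from the FQAN entries at the end, and reports which account each VOMS role would get. The sample file, the VO and account names, the DN-versus-FQAN heuristic and the matching rule (glob wildcards, first match wins) are assumptions to check against your own installation.

```python
import fnmatch
import shlex

# Constructed sample in the style of a grid-mapfile that holds DN entries
# first and FQAN entries at the end. All names below are made up.
SAMPLE = '''\
"/C=XX/O=Example/OU=Site/CN=Alice Example" .dteam
"/C=XX/O=Example/OU=Site/CN=Bob Example" .dteam
"/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
"/dteam/Role=lcgadmin" dteamsgm
"/dteam/*" .dteam
'''

def parse(text):
    """Return a list of (kind, pattern, account); kind is 'DN' or 'FQAN'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # handles the quoted subject with spaces
        if len(fields) != 2:
            raise ValueError("malformed entry: %r" % line)
        pattern, account = fields
        # Assumption: a DN's first component is attribute=value (/C=, /DC=),
        # while an FQAN starts with the bare VO name (/dteam/...).
        first = pattern.lstrip("/").split("/", 1)[0]
        entries.append(("DN" if "=" in first else "FQAN", pattern, account))
    return entries

def lookup(entries, fqan):
    """First FQAN entry matching fqan, or None if no entry covers it.
    Assumption: glob-style wildcards, first match in file order wins."""
    for kind, pattern, account in entries:
        if kind == "FQAN" and fnmatch.fnmatchcase(fqan, pattern):
            return pattern, account
    return None

def report(entries, fqans):
    """Map each FQAN to the account it would get (None = no mapping)."""
    return {f: (lookup(entries, f) or (None, None))[1] for f in fqans}

if __name__ == "__main__":
    roles = ["/dteam/Role=lcgadmin", "/dteam/Role=production",
             "/atlas/Role=production"]  # constructed FQANs to check
    for fqan, account in report(parse(SAMPLE), roles).items():
        print("%-28s -> %s" % (fqan, account or "NO MAPPING"))
```

A role that comes back with no mapping, or that only falls through to the VO-wide wildcard entry, has no role-specific line in the file being checked.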