Hi Oscar,
I attach my lcmaps.db.
Cheers,
Adam
Oscar Koeroo writes:
> Hi Adam,
>
> You do realize that you've just earned the "LCMAPS black magic" award
> together with Maarten. ;-)
>
> I'm pleased that it worked. I do think that there might be
> voms_localgroup plug-in options that could make the mapping even more
> deterministic.
>
> May I have a look at the resulting lcmaps.db file to evaluate your
> success?
>
>
> Cheers,
>
> Oscar
>
>
> On 5 Mar 2010, at 19:56, Adam Padee wrote:
>
>> Hi Maarten,
>>
>> [log in to unmask] writes:
>>> Hi Adam,
>>>
>>>
>>>> localaccount2 = "lcmaps_localaccount2.mod"
>>>>                 " -gridmapfile /opt/edg/etc/grid-mapfile-local"
>>>> ... (other plugins follow) ...
>>>> veryspecialmappingpolicy:
>>>> localaccount2 -> vomslocalgroup
>>>> vomslocalgroup -> posix_enf
>>>> ... (other policies follow)
>>>>
>>>> But then I got the following error (from globus-gatekeeper.log):
>>>>
>>>> lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
>>>> lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin succeeded
>>>> lcmaps_plugin_posix_enf-plugin_run(): Error: The set amount of primary
>>>> gid's gathered exceeds the maximum of 1 primary gid('s) by 1
>>>>
>>>
>>> Does it work the other way around:
>>>
>>> veryspecialmappingpolicy:
>>> vomslocalgroup -> localaccount2
>>> localaccount2 -> posix_enf
>>>
>>> The standard configuration files usually do the groups first.
>>>
>>>
>> I tried that one before, but unfortunately it didn't work. It seems that
>> the localaccount plugin always appends a pgid, no matter whether one is
>> already assigned or not. But nevertheless this setup is very useful in
>> combination with the second trick below.
>>
>>> This hack might also do the trick (with either order):
>>>
>>> posix_enf = "lcmaps_posix_enf.mod"
>>> " -maxuid 1"
>>> " -maxpgid 2"
>>> " -maxsgid 32"
>>>
>> This one works perfectly!
>> Although posix_enf got two pgids, it digested them without complaint:
>>
>> lcmaps_plugin_posix_enf-log_cred():
>> uid=4702(apadee):pgid=2777(compass),2777(compass)
>> ...
>> and globus-jm just omits the second pgid:
>> ...
>> mapped to apadee (4702, 2777)
>>
>> It works even if these two pgids are different. I created another
>> account for myself with some other pgid, and this time I used
>> vomslocalgroup first.
>> And now I got:
>> lcmaps_plugin_posix_enf-log_cred():
>> uid=4700(adam):pgid=2777(compass),5050(localusr)
>> ...
>> mapped to adam (4700, 2777)
>>
>> which is exactly what I had in mind. Of course if I use plain proxy,
>> I'm still mapped to adam (4700, 5050) by standard policy, as can be
>> expected.
>>
>> Thank you very, very much for your help!
>> Adam
>
# Written by Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# Only for performing VOMS mappings
# where to look for modules
path = /opt/glite/lib/modules
# module definitions
posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 2"
            " -maxsgid 32"
localaccount2 = "lcmaps_localaccount2.mod"
                " -gridmapfile /opt/edg/etc/grid-mapfile-local"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"
# gridftp related code
good = "lcmaps_dummy_good.mod"
# --only-post-verify-checks
# --allow-limited-proxy
# --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>
#     Sets a maximum lifetime for proxy certificate level <level> where <level>
#     can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)
# policies
veryspecialmappingpolicy:
    vomslocalgroup -> localaccount2
    localaccount2 -> posix_enf
withvoms:
    vomslocalgroup -> vomslocalaccount
    vomslocalaccount -> posix_enf | vomspoolaccount
    vomspoolaccount -> posix_enf
standard:
    localaccount -> posix_enf | poolaccount
    poolaccount -> posix_enf
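Added example, not part of the thread and not LCMAPS code: a small Python model of the plug-in chain the mails describe, so the effect of plug-in order and of the posix_enf -maxpgid setting can be seen in one place. It parses a policy section in lcmaps.db syntax ("a -> ok | fail") and reduces each plug-in to what the thread reports: voms_localgroup appends the group gid found in the groupmapfile, localaccount/localaccount2 append the mapped account's uid and that account's own primary gid whether or not a pgid was already gathered, and posix_enf rejects a credential set that exceeds its -max* limits with the message seen in globus-gatekeeper.log; the (uid, first pgid) pair returned is what the job manager reported as "mapped to". The DN, the two local accounts, the gid values and the mapfile contents are constructed sample data; the "reversed" policy is added to show Adam's first attempt; the standard policy is cut down to its localaccount branch and poolaccount is not modelled.

```python
# Added example: model of the LCMAPS chain discussed above. Not LCMAPS code;
# plug-in behaviour is reduced to what the mails report. All data is constructed.

# Constructed policy section in lcmaps.db syntax ("reversed" is an added policy).
POLICY_TEXT = """\
veryspecialmappingpolicy:
    vomslocalgroup -> localaccount2
    localaccount2 -> posix_enf
reversed:
    localaccount2 -> vomslocalgroup
    vomslocalgroup -> posix_enf
standard:
    localaccount -> posix_enf
"""

# Constructed stand-ins for /etc/passwd, the two grid-mapfiles and the groupmapfile.
PASSWD = {"adam": (4700, 5050), "apadee": (4702, 2777)}     # account -> (uid, primary gid)
GROUP_GID = {"localusr": 5050, "compass": 2777}
DN = "/O=example/O=users/CN=Adam Padee"                      # constructed DN
GRIDMAP_LOCAL = {DN: "adam"}                                  # grid-mapfile-local
GRIDMAP = {DN: "adam"}                                        # /etc/grid-security/grid-mapfile
GROUPMAP = {"/compass": "compass"}                            # groupmapfile: FQAN -> group

VOMS_PROXY = {"dn": DN, "fqans": ["/compass"]}
PLAIN_PROXY = {"dn": DN, "fqans": []}


def parse_policies(text):
    """Parse 'name:' headers and 'a -> ok | fail' rules into {name: {a: (ok, fail)}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            policies[current] = {}
            continue
        src, dst = (s.strip() for s in line.split("->", 1))
        branches = [b.strip() for b in dst.split("|")]
        policies[current][src] = (branches[0], branches[1] if len(branches) > 1 else None)
    return policies


def voms_localgroup(cred, proxy):
    """Append the gid of the first FQAN present in the groupmapfile; -mapmin 0 means no match is not a failure."""
    for fqan in proxy["fqans"]:
        if fqan in GROUPMAP:
            cred["pgid"].append(GROUP_GID[GROUPMAP[fqan]])
            break
    return True


def localaccount(cred, proxy, gridmapfile):
    """Map the DN to a fixed account; appends uid and the account's own pgid unconditionally."""
    user = gridmapfile.get(proxy["dn"])
    if user is None:
        return False
    uid, gid = PASSWD[user]
    cred["uid"].append(uid)
    cred["pgid"].append(gid)
    return True


def posix_enf(cred, maxuid=1, maxpgid=1, maxsgid=32):
    """Refuse credential sets larger than the -max* limits, wording the error as the gatekeeper log does."""
    for kind, label, limit in (("uid", "uid", maxuid), ("pgid", "primary gid", maxpgid),
                               ("sgid", "secondary gid", maxsgid)):
        excess = len(cred[kind]) - limit
        if excess > 0:
            raise ValueError(f"The set amount of {label}'s gathered exceeds the maximum "
                             f"of {limit} {label}('s) by {excess}")
    return True


def run_policy(policies, name, proxy, enf_opts):
    """Walk one policy from its first rule: ok branch on success, '|' branch on failure."""
    rules = policies[name]
    cred = {"uid": [], "pgid": [], "sgid": []}
    plugins = {
        "vomslocalgroup": lambda: voms_localgroup(cred, proxy),
        "localaccount2": lambda: localaccount(cred, proxy, GRIDMAP_LOCAL),
        "localaccount": lambda: localaccount(cred, proxy, GRIDMAP),
        "posix_enf": lambda: posix_enf(cred, **enf_opts),
    }
    step = next(iter(rules))
    while step is not None:
        ok = plugins[step]()
        if step == "posix_enf" and ok:
            return cred["uid"][0], cred["pgid"][0]   # first uid and first pgid win, as globus-jm did
        step = rules.get(step, (None, None))[0 if ok else 1]
    return None


def demo():
    """Replay the thread: the -maxpgid 1 error, the -maxpgid 2 fix, the reversed order, a plain proxy."""
    policies = parse_policies(POLICY_TEXT)
    results = {}
    try:
        run_policy(policies, "veryspecialmappingpolicy", VOMS_PROXY, {"maxpgid": 1})
    except ValueError as err:
        results["maxpgid1"] = str(err)
    results["voms"] = run_policy(policies, "veryspecialmappingpolicy", VOMS_PROXY, {"maxpgid": 2})
    results["reversed"] = run_policy(policies, "reversed", VOMS_PROXY, {"maxpgid": 2})
    results["plain"] = run_policy(policies, "standard", PLAIN_PROXY, {"maxpgid": 2})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "reversed" run is the point of the exercise: with -maxpgid 2 both orders pass posix_enf, but only the order that runs vomslocalgroup first puts the VOMS group gid in front, so the mapping that reaches the job manager depends on plug-in order, not just on the limits.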