Yves Kemp wrote:
> Dear *,
>
> I am trying to work on our mapping scheme for VOMS groups and roles.
> I am doing this with the DESY owned VO desy.
> Details about its groups and roles configuration can be found here:
> https://grid-voms.desy.de:8443/voms/desy
>
> When all groups and roles are mapped to pool accounts, I have to add a
> catch-all line to account for groups that are not defined in
> /opt/edg/etc/lcmaps/[grid,group]mapfile
> but that the user might have asked for in his proxy.
> The catch-all line looks like
> "/VO=desy/GROUP=/desy/*/Role=NULL/Capability=NULL" .desyusr
> "/VO=desy/GROUP=/desy/*" .desyusr
>
> This scheme works, but only if all groups and roles have pool accounts.
>
> When one role is configured as a static account (e.g. SGM), this will
> not work anymore.
> - If I leave the catch-all line, SGM will be mapped to a user account
> instead of the single SGM account
> - If I drop the catch-all line, SGM is correctly mapped. If a proxy
> comes with groups that are not defined on my CE, VOMS mapping fails,
> and the old gridmap-file mechanism is used instead.
>
> Does anyone see similar problems? (and maybe know the right solution?)
If you put the catch-all line at the end, it should only be used when
no earlier match was found in the LCMAPS gridmapfile.
Does this not work for you?
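
The ordering suggested in the reply, as an added example that is not part of the original thread and is not LCMAPS code: a simplified Python model of a mapfile evaluated top to bottom, plus a check for entries that an earlier wildcard makes unreachable. It assumes first-match-wins evaluation with shell-style wildcards; the `Role=sgm` entry and the `desysgm` account are constructed for illustration.

```python
import fnmatch
import shlex

# Constructed sample mapfiles; only the catch-all line is taken from the thread.
CATCH_ALL_FIRST = '''
"/VO=desy/GROUP=/desy/*" .desyusr
"/VO=desy/GROUP=/desy/Role=sgm" desysgm
'''
CATCH_ALL_LAST = '''
"/VO=desy/GROUP=/desy/Role=sgm" desysgm
"/VO=desy/GROUP=/desy/*" .desyusr
'''

def parse_mapfile(text):
    """Return (pattern, account) pairs in file order, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, account = shlex.split(line)  # handles the quoted FQAN pattern
        entries.append((pattern, account))
    return entries

def first_match(entries, fqan):
    """Assumed semantics: the first entry whose pattern matches decides the account."""
    for pattern, account in entries:
        if fnmatch.fnmatchcase(fqan, pattern):
            return account
    return None  # no VOMS mapping; the site would fall back to another mechanism

def shadowed_entries(entries):
    """Flag entries that can never be reached because an earlier pattern
    already matches them (the later pattern is treated as a literal string)."""
    shadowed = []
    for i, (pattern, account) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if fnmatch.fnmatchcase(pattern, earlier):
                shadowed.append((pattern, account, earlier))
                break
    return shadowed

if __name__ == "__main__":
    for name, text in (("catch-all first", CATCH_ALL_FIRST),
                       ("catch-all last", CATCH_ALL_LAST)):
        entries = parse_mapfile(text)
        print(name, "->", first_match(entries, "/VO=desy/GROUP=/desy/Role=sgm"),
              "| shadowed:", shadowed_entries(entries))
```

Running the shadowing check over a mapfile before deploying it shows whether a static-account line sits below a wildcard that would capture it.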