On Thu, 27 Jan 2011, Maarten Litmaath wrote:
> Hola Arnau,
>
>> I'm trying to configure our CE (lcg-CE and CREAM) in order to map one
>> specific user to one unix account. The problem is that we need to map:
>>
>> 1.-) DN1+Role1 -> account1
>> 2.-) DN1+Role2 -> account2
>> 3.-) DN2+Role3 -> account3
>
> With the current LCMAPS code used by lcg-CE and CREAM
Code or configuration?
Indeed yaim-cream-ce and yaim-core configure the lcmaps conf files
(used in CREAM for glexec and for gridftp) in that way (hard-coded).
If there is the need to allow different configurations of the lcmaps
conf files at yaim level, I think this can be done
PS: in the next CREAM major release there will be the option to use Argus. In
this case the mapping will be decided by Argus and no longer by lcmaps.
Cheers, Massimo
> it essentially
> is impossible to do exactly what you described. We can approximate:
>
> - map DN_x --> account_x
> - map Role_y --> account_y
>
> The LCMAPS algorithm configured by YAIM has these blocks:
>
> ----------------------------------------------------------------------
> withvoms:
> vomslocalgroup -> vomslocalaccount
> vomslocalaccount -> posix_enf | vomspoolaccount
> vomspoolaccount -> posix_enf
>
> standard:
> localaccount -> posix_enf | poolaccount
> poolaccount -> posix_enf
> ----------------------------------------------------------------------
>
> This means VOMS will be tried first and if that fails a classic DN
> mapping will be tried.
>
> If the special roles appear in the VOMS grid- and groupmapfiles,
> any DN with those roles would get mapped the same way.
>
> If the special roles do _not_ appear in the VOMS grid- and groupmapfiles,
> a DN mapping would work, but then cases 1 and 2 cannot be distinguished.
>
> If there are wildcards in the VOMS grid- and groupmapfiles, the special
> roles could be mapped to accounts that do not exist (!), such that the
> DN mapping will then be tried instead.
>
> There was a similar discussion on this list on Feb 11-12 last year
> with the subject "Static mapping of VOMS credentials on lcg-CE".
>
--
INFN Sezione di Padova
Via Marzolo, 8
35131 Padova - Italy
E-mail: massimo.sgaravatto [at] pd.infn.it
Tel: ++39 0498275908
Fax: ++39 0498275952
Skype: massimo.sgaravatto
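The following is an added illustration of the policy chain Maarten quotes above (the "withvoms" policy tried first, the classic DN-based "standard" policy as fallback); it is not LCMAPS code, not a real lcmaps.db, and not part of the thread. It models the map files as plain Python dicts with a simplified format (FQAN or DN as key, a local account or a ".pool" prefix as value), the account names and DNs are constructed, and `posix_enf` is reduced to "does the account exist". It works through the three cases Arnau asked about using the trick from the thread: Role2 is deliberately mapped to a non-existent account so that `posix_enf` rejects it and the DN mapping is used instead. It also shows the limitation Maarten points out, namely that any other DN carrying Role1 ends up in the same account.

```python
"""Toy model of the LCMAPS policy evaluation order discussed in this thread.

Added example, not LCMAPS code.  Map-file formats are simplified and all
entries below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# --- constructed sample data ------------------------------------------------
# VOMS mapfile: FQAN -> local account, or ".prefix" meaning a pool account.
# Role2 is intentionally pointed at an account that does not exist, so the
# withvoms policy fails for it and the standard (DN) policy is tried instead.
VOMS_MAPFILE: Dict[str, str] = {
    "/vo1/Role=Role1": "account1",
    "/vo1/Role=Role2": "nosuchaccount",
    "/vo2/Role=Role3": ".vo2pool",
}
# grid-mapfile: DN -> local account (or ".prefix" for a pool)
GRID_MAPFILE: Dict[str, str] = {
    "/O=Site/CN=DN1": "account2",
}
# accounts known to the OS; this is what posix_enf checks in the model
SYSTEM_ACCOUNTS = {"account1", "account2", "vo2pool001", "vo2pool002"}
POOLS: Dict[str, List[str]] = {".vo2pool": ["vo2pool001", "vo2pool002"]}
_leases: Dict[str, str] = {}  # DN -> pool account already handed out


def posix_enf(account: Optional[str]) -> bool:
    """Enforcement step: succeeds only if the account really exists."""
    return account is not None and account in SYSTEM_ACCOUNTS


def pool_account(prefix: str, dn: str) -> Optional[str]:
    """Lease a pool account for a DN, reusing an existing lease."""
    if dn in _leases:
        return _leases[dn]
    taken = set(_leases.values())
    for acct in POOLS.get(prefix, []):
        if acct not in taken:
            _leases[dn] = acct
            return acct
    return None


def _resolve(target: str, dn: str) -> Optional[str]:
    return pool_account(target, dn) if target.startswith(".") else target


def policy_withvoms(dn: str, fqans: List[str]) -> Optional[str]:
    """vomslocalaccount -> posix_enf | vomspoolaccount -> posix_enf"""
    for fqan in fqans:
        target = VOMS_MAPFILE.get(fqan)
        if target is None:
            continue
        acct = _resolve(target, dn)
        if posix_enf(acct):
            return acct
    return None


def policy_standard(dn: str, fqans: List[str]) -> Optional[str]:
    """localaccount -> posix_enf | poolaccount -> posix_enf (DN only)"""
    target = GRID_MAPFILE.get(dn)
    if target is None:
        return None
    acct = _resolve(target, dn)
    return acct if posix_enf(acct) else None


def map_user(dn: str, fqans: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Try the policies in the YAIM order; return (account, policy_used)."""
    for name, policy in (("withvoms", policy_withvoms),
                         ("standard", policy_standard)):
        acct = policy(dn, fqans)
        if acct is not None:
            return acct, name
    return None, None


if __name__ == "__main__":
    cases = [
        ("/O=Site/CN=DN1", ["/vo1/Role=Role1"]),  # case 1: role mapping
        ("/O=Site/CN=DN1", ["/vo1/Role=Role2"]),  # case 2: falls back to DN
        ("/O=Site/CN=DN2", ["/vo2/Role=Role3"]),  # case 3: pool account
        ("/O=Site/CN=DN3", ["/vo1/Role=Role1"]),  # limitation: same account as case 1
    ]
    for dn, fqans in cases:
        print(dn, fqans, "->", map_user(dn, fqans))
```

Running the script shows DN1 landing in account1 or account2 depending on the role, and DN2 getting the first free pool account; the last case shows why this is only an approximation, since DN3 with Role1 is mapped exactly like DN1 with Role1.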