lcmaps_poolaccount.mod [-gridmapfile|-GRIDMAPFILE|-gridmap|-GRIDMAP <location gridmapfile>] [-gridmapdir|-GRIDMAPDIR <location gridmapdir>]
This plugin is an Acquisition Plugin and will provide the LCMAPS system with Pool Account information. To do this it needs to look up the Distinguished Name (DN) from a user's certificate in the gridmapfile. If this DN is found in the gridmapfile, the plugin knows to which pool of local system accounts the user will be mapped. The poolname (starting with a dot ('.') instead of an alphanumeric character) will be converted into an account from a list of local accounts. This list is located in the gridmapdir and is made up of filenames. These filenames correspond to the system poolaccount names. (E.g. if a DN corresponds to .test in the gridmapfile, it will be mapped to test002, etc., which names can be found in the gridmapdir)
If there is no pool account assigned to the user yet, the plugin will get a directory listing of the gridmapdir. This list will contain usernames corresponding to system accounts specially designated for pool accounting. If the plugin resolved the mapping of a certain pool name, let's say '.test', the plugin will look into the directory list and will find the first available file in the list corresponding with 'test' (e.g. 'test001') by checking the number of links to its i-node. If this number is 1, this account is still available. To lease this account a second hard link is created, named after the URL-encoded, decapitalized DN.
When a user returns to this site the plugin will look for the DN of the user (URL encoded) in this directory. If found, the corresponding poolaccount will be assigned to the user.
The plugin will resolve the UID, GID and all the secondary GIDs belonging to the poolaccount. When this has been done and no problems were detected, the plugin will add this information to a data structure in the Plugin Manager. The plugin will finish its run with LCMAPS_MOD_SUCCESS. This result will be reported to the Plugin Manager which started this plugin, and it will forward this result to the Evaluation Manager, which will take appropriate actions for the next plugin to run. Normally this plugin would be followed by an Enforcement plugin that can apply these gathered credentials in a way that is appropriate to a system administration's needs.
If this option is set, it will override the default path of the gridmapfile. It is advised to use an absolute path to the gridmapfile to avoid usage of the wrong file path.
If this option is set, it will override the default path to the gridmapdir. It is advised to use an absolute path to the gridmapdir to avoid usage of the wrong path.
Moving a user from one pool to another (because of a VO change) should only be done by changing the gridmapfile to indicate the new pool for this user. If a user has already been mapped previously to a poolaccount, there is a link present between this poolaccount and his DN. In the good old days prior to LCMAPS, a 'pool change' would still result in a mapping to the old pool account, ignoring the administrative changes in the gridmapfile. LCMAPS corrects this behaviour: by default the poolaccount plugin will fail if the pool designated by the gridmapfile doesn't match the previously mapped poolaccount leasename. If the site doesn't want a failure on this inconsistency it can turn on this parameter. When the inconsistency is detected, the plugin will automatically unlink the previous mapping and will proceed by making a new lease from the new pool.
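The lease procedure and the pool-change check described above, as an added example in Python (not the plugin's own code). The names `map_dn`, `override` and `demo`, the use of `urllib.parse.quote` for the DN encoding, and the link-count recheck after `os.link` are assumptions that the page does not specify.

```python
import os
import tempfile
from urllib.parse import quote

def lease_name(dn):
    # Lowercased, URL-encoded DN; the plugin's exact escaping is assumed here.
    return quote(dn.lower(), safe="")

def in_pool(name, prefix):
    # 'test001' belongs to pool '.test'; 'testing001' does not.
    return name.startswith(prefix) and name[len(prefix):].isdigit()

def leased_account(gridmapdir, lease):
    # The lease and the pool account file are hard links to one i-node.
    inode = os.stat(lease).st_ino
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if path != lease and os.stat(path).st_ino == inode:
            return name
    return None

def map_dn(gridmapdir, pool, dn, override=False):
    """Return the pool account for dn; pool is the gridmapfile value, e.g. '.test'."""
    prefix = pool.lstrip(".")
    lease = os.path.join(gridmapdir, lease_name(dn))
    if os.path.exists(lease):  # returning user
        account = leased_account(gridmapdir, lease)
        if account and in_pool(account, prefix):
            return account
        if not override:  # default: fail on a pool change
            raise RuntimeError("lease on %r does not match pool %r" % (account, pool))
        os.unlink(lease)  # drop the old mapping, then lease from the new pool
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if in_pool(name, prefix) and os.stat(path).st_nlink == 1:
            os.link(path, lease)  # second hard link marks the account as leased
            if os.stat(path).st_nlink == 2:
                return name
            os.unlink(lease)  # added safeguard: lost a race, try the next account
    raise RuntimeError("no free account in pool %r" % pool)

def demo():
    # Constructed gridmapdir: empty files named after pool accounts.
    d = tempfile.mkdtemp()
    for name in ("test001", "test002", "atlas001"):
        open(os.path.join(d, name), "w").close()
    dn = "/O=Example/CN=Alice"  # constructed DN
    return d, map_dn(d, ".test", dn), map_dn(d, ".test", dn)
```

Running `ls -li` on the gridmapdir shows the same relationship: a leased account and its encoded-DN file share an i-node number and have a link count of 2.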
See bugzilla for known errors (http://marianne.in2p3.fr/datagrid/bugzilla/)
lcmaps_localaccount.mod, lcmaps_posix_enf.mod, lcmaps_ldap_enf.mod, lcmaps_voms.mod, lcmaps_voms_poolaccount.mod, lcmaps_voms_poolgroup.mod, lcmaps_voms_localgroup.mod
- LCMAPS_MOD_SUCCESS : Success
- LCMAPS_MOD_FAIL : Failure
Generated on Sun May 29 21:22:13 2005 for lcmaps by