Provided by: lcmaps-plugins-voms_1.7.1-1ubuntu2_amd64

NAME

       lcmaps_voms_localaccount.mod  -  LCMAPS plugin to switch user identity based on VOMS credentials by local
       accounts

SYNOPSIS

       lcmaps_voms_localaccount.mod [-gridmapfile grid-mapfile] [--do-not-add-primary-gid-from-mapped-account]
       [--add-primary-gid-from-mapped-account] [--add-primary-gid-as-secondary-gid-from-mapped-account]
       [--do-not-add-secondary-gids-from-mapped-account] [--add-secondary-gids-from-mapped-account]
       [--use-voms-gid|--use_voms_gid|-use_voms_gid] [--use-account-gid]

DESCRIPTION

       This VOMS localaccount acquisition plugin is a 'VOMS-aware' modification of the lcmaps_localaccount.mod(8)
       plugin.  The plugin tries to find a local account (more specifically a UserID) based on the VOMS
       information that is available from LCMAPS, in particular the Fully Qualified Attribute Names (FQANs).

       It will try to find a FQAN to local account name mapping in the grid-mapfile.  The  plugin  will  resolve
       the UID, GID and all the secondary GIDs of the mapped local (system) account username.

OPTIONS

       -gridmapfile grid-mapfile
              This file must contain FQANs to (local) user account name mappings.  It is strongly advised to set
              this option and to set it to an absolute path to avoid usage of the wrong file(path).  When unset,
              the  plugin  will try to obtain the value from one of the environment variables (see ENVIRONMENT).
              When those are also unset, the default depends on whether the plugin runs inside  a  (setuid-)root
              application.  In  the  (setuid-)root case, the default is /etc/grid-security/grid-mapfile.  In the
              non-(setuid-)root case, the default is <homedir>/.gridmap.  In a (setuid-)root application,
              relative paths are taken with respect to /etc/grid-security/.

       --do-not-add-primary-gid-from-mapped-account
              After the account is mapped, do NOT add the primary Group ID from the passwd-file/LDAP of the
              mapped account as a part of the mapping result.  Default is to add the primary Group ID, unless
              --use-voms-gid is specified. See also --add-primary-gid-from-mapped-account,
              --add-primary-gid-as-secondary-gid-from-mapped-account and --use-voms-gid.

       --add-primary-gid-from-mapped-account
              After the account is mapped, add the primary Group ID from the passwd-file/LDAP of the mapped
              account as a part of the mapping result.  Default is to add the primary Group ID, unless
              --use-voms-gid is specified. See also --do-not-add-primary-gid-from-mapped-account,
              --add-primary-gid-as-secondary-gid-from-mapped-account and --use-voms-gid.

       --add-primary-gid-as-secondary-gid-from-mapped-account
              After the account is mapped, add the primary Group ID from the passwd-file/LDAP of the mapped
              account as a secondary Group ID as a part of the mapping result (possibly in addition to adding
              it as a primary Group ID).  Default is to add it only as primary Group ID. See also
              --do-not-add-primary-gid-from-mapped-account, --add-primary-gid-from-mapped-account and
              --use-voms-gid.

       --do-not-add-secondary-gids-from-mapped-account
              After the account is mapped, do NOT add the secondary Group ID(s) from the groups-file/LDAP of the
              mapped account as secondary Group ID(s) as a part of the mapping result.  Default is to add the
              sGIDs, unless --use-voms-gid is specified.  See also --add-secondary-gids-from-mapped-account
              and --use-voms-gid.

       --add-secondary-gids-from-mapped-account
              After the account is mapped, add the secondary Group ID(s) from the groups-file/LDAP of the mapped
              account as secondary Group ID(s) as a part of the mapping result.  Default is to add the secondary
              Group ID(s), unless --use-voms-gid is specified.  See also
              --do-not-add-secondary-gids-from-mapped-account and --use-voms-gid.

       --use-voms-gid|--use_voms_gid|-use_voms_gid
              By default this plugin will add the primary and secondary Group ID(s) from the
              passwd-file/groups-file/LDAP of the mapped account as part of the mapping result. Specifying this
              option will override that default. Part or all of the group information can still be added by
              using the --add-* flags.  We advise switching this option on by default.  See also
              --use-account-gid.

       --use-account-gid
              This  option  has  the opposite effect of the option --use-voms-gid, instructing the plugin to add
              the mapped account group information to the mapping result. This is currently already the  default
              and hence this option has no effect.  See also --use-voms-gid.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

ENVIRONMENT

       GRIDMAP | GLOBUSMAP | globusmap | GlobusMap
              When no grid-mapfile is specified as option to the plugin, it will try to obtain the file location
              from one of these environment variables.
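
       The grid-mapfile lookup order described under -gridmapfile and ENVIRONMENT, as an added audit helper
       (not part of LCMAPS). Assumptions: the environment variables are consulted in the order listed above,
       the privileged flag stands in for "runs inside a (setuid-)root application", and relative paths in the
       non-root case are returned unchanged because the page does not describe them.

```python
import os.path

# Environment variables named in the ENVIRONMENT section.
ENV_VARS = ("GRIDMAP", "GLOBUSMAP", "globusmap", "GlobusMap")
ROOT_DIR = "/etc/grid-security"


def resolve_gridmapfile(option, env, privileged, homedir):
    """Return (path, source, warnings) for the grid-mapfile that would be used.

    option     -- value given to -gridmapfile, or None when unset
    env        -- mapping of environment variables (e.g. os.environ)
    privileged -- True for a (setuid-)root application (assumption: caller decides)
    homedir    -- home directory used for the non-root default
    """
    warnings = []
    value, source = option, "-gridmapfile option"

    if not value:
        # Assumption: variables are tried in the order the man page lists them.
        for name in ENV_VARS:
            if env.get(name):
                value, source = env[name], "environment variable " + name
                warnings.append("grid-mapfile location is taken from the environment")
                break

    if not value:
        warnings.append("-gridmapfile is unset; built-in default is used")
        if privileged:
            return ROOT_DIR + "/grid-mapfile", "default (root)", warnings
        return os.path.join(homedir, ".gridmap"), "default (non-root)", warnings

    if not os.path.isabs(value):
        warnings.append("relative path given: " + value)
        if privileged:
            # In a (setuid-)root application relative paths are anchored here.
            value = os.path.join(ROOT_DIR, value)
    return value, source, warnings


if __name__ == "__main__":
    # Constructed inputs: no option set, a relative path supplied via GLOBUSMAP.
    print(resolve_gridmapfile(None, {"GLOBUSMAP": "maps/voms-mapfile"}, True, "/root"))
```

       Any warning in the result means the file in use is not pinned by an absolute -gridmapfile value.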

NOTES

       Since  version  1.6.0 the voms_localaccount plugin supports grid-mapfile entries with multiple usernames,
       separated by a comma without whitespace. This can be used in  combination  with  specifying  a  requested
       username (such as by gsissh), to pick any of these accounts. When no requested username is specified, the
       first is used. This requires LCMAPS version 1.6.0 or newer.
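
       The account selection for multi-username entries, as an added sketch (not the plugin's own code).
       Assumptions: each entry is a double-quoted FQAN followed by the account field, FQANs are compared by
       exact match only (the plugin's own matching rules are not modelled), the first matching line wins,
       and a requested username that is not listed in the entry yields no mapping.

```python
import shlex

# Constructed sample grid-mapfile; VO and account names are made up.
SAMPLE_MAPFILE = '''\
# FQAN                       local account(s)
"/atlas/Role=production"     atlasprd,atlasops
"/atlas"                     atlas001
'''


def parse_entry(line):
    """Return (fqan, [usernames]) for one line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = shlex.split(line)
    # Whitespace after a comma produces a third field and is rejected here,
    # matching "separated by a comma without whitespace".
    if len(fields) != 2:
        raise ValueError("malformed grid-mapfile entry: " + line)
    fqan, accounts = fields
    names = accounts.split(",")
    if not all(names):
        raise ValueError("empty username in entry: " + line)
    return fqan, names


def select_account(names, requested=None):
    """Pick the requested account if the entry lists it, else the first one."""
    if requested is None:
        return names[0]
    # Assumption: a request can only choose among the accounts on the entry.
    return requested if requested in names else None


def map_fqan(mapfile_text, fqan, requested=None):
    """Return the local account for fqan, or None when nothing maps."""
    for raw in mapfile_text.splitlines():
        entry = parse_entry(raw)
        if entry and entry[0] == fqan:
            return select_account(entry[1], requested)
    return None


if __name__ == "__main__":
    print(map_fqan(SAMPLE_MAPFILE, "/atlas/Role=production"))              # first listed
    print(map_fqan(SAMPLE_MAPFILE, "/atlas/Role=production", "atlasops"))  # requested
```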

BUGS

       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware Security Team
       <grid-mw-security@nikhef.nl>.

Stichting FOM/Nikhef                            February 6, 2015                 LCMAPS_VOMS_LOCALACCOUNT.MOD(8)