LCMAPS(3)                  Library Functions Manual                  LCMAPS(3)

NAME
       lcmaps - The Local Credential MAPping Service

SYNOPSIS
       lcmaps

DESCRIPTION
       The LCMAPS framework is designed to take various credentials as input,
       e.g. a certificate and/or VOMS credentials, and map them to Unix
       credentials as output. Unix credentials are the basic POSIX
       credentials, i.e. User ID, Group ID and Secondary Group IDs. LCMAPS is
       a framework that loads and runs one or more 'credential mapping'
       plugins, and these plugins perform the identity mapping. Sites and
       organizations can add their own functionality by creating new
       plugins. The LCMAPS framework exposes various APIs to push credentials
       into the framework and to get the account mapping results in return.
       The lcmaps.db configuration file configures the LCMAPS plugins and the
       order in which the plugins are launched. Some practical examples are
       shown below.

       LCMAPS is used by gLExec, by the lcas-lcmaps-gt-interface (see
       lcas_lcmaps_gt_interface(8)) to interface with the Globus GT4 and GT5
       Gatekeeper, GridFTP daemon and GSI-OpenSSHd, in StoRM and within
       XRootD.

       When an application initializes LCMAPS, the plugins are loaded based
       on the lcmaps.db configuration file. The application can use one of
       the APIs to provide credentials as input. The loaded plugins are then
       executed in the sequence described in the same lcmaps.db configuration
       file.

       During its execution a plugin has access to the credential data in the
       LCMAPS core memory, and it can write credential mapping results back
       into LCMAPS. Each plugin can resolve a part of the mapping, and
       plugins can also perform actions based on these (intermediate)
       results, e.g. run setuid, setgid and setgroups calls or interact with
       an LDAP service.

       The plugins are executed as a state machine. When a plugin finishes
       successfully it can hand over to a different next plugin than when it
       fails. This allows LCMAPS to try alternative plugins to resolve a
       credential mapping.

ENVIRONMENT
       GATEKEEPER_JM_ID
              Extra Gatekeeper log message, to be able to track a Job
              Manager ID more easily.

       GLOBUSID
              See $GATEKEEPER_JM_ID.

       JOB_REPOSITORY_ID
              See $GATEKEEPER_JM_ID, but explicitly for the purpose of the
              LCMAPS Job Repository plugin.

       LCMAPS_DB_FILE
              Override the built-in default filename for the lcmaps.db
              configuration file with the value of this environment variable.

       LCMAPS_DEBUG_LEVEL
              Tune the logging output cut-off level. The numbers correspond
              to those used in previous releases, in the range [1-5]. Since
              LCMAPS version 1.5.0, however, each number corresponds to a
              numerically shifted Syslog priority.

              0      Silent logging, no messages will be written to file or
                     Syslog.

              1      All messages with a priority of LOG_ERR are written to
                     file or Syslog. More severe error messages are squashed
                     down to the LOG_ERR priority. This is to prevent Syslog
                     from blocking on default configurations and to prevent
                     Syslog from broadcasting LCMAPS related messages on the
                     connected TTYs when old plug-ins are used.

              2      All messages with a priority of LOG_WARNING or more
                     severe, i.e. LOG_ERR, are written to file and/or Syslog.

              3      All messages with a priority of LOG_NOTICE or more
                     severe, i.e. LOG_ERR or LOG_WARNING, are written to file
                     and/or Syslog. This is the default advertised setting
                     for the lcas-lcmaps-gt-interface and glexec. The "FINAL
                     CRED" messages are written at LOG_NOTICE and indicate
                     the resulting LCMAPS mapping from an X.509 and/or VOMS
                     credential to a Unix/POSIX credential.

              4      All messages with a priority of LOG_INFO or more severe,
                     i.e. all messages between (and including) LOG_ERR and
                     LOG_INFO, are written to file and/or Syslog. This value
                     is the built-in default. The success or failure of
                     plug-ins is written at LOG_INFO. To see the flow of
                     plug-ins, this is the advised log level to set.

              5      All messages with a priority of LOG_DEBUG or more
                     severe, i.e. all messages between (and including)
                     LOG_ERR and LOG_DEBUG, are written to file and/or
                     Syslog. This is the most verbose mode and should be used
                     carefully, as the amount of information flowing from
                     here might hinder normal operation performance if the
                     syslogd isn't able to keep up.

       LCMAPS_DIR
              The base directory of the $LCMAPS_DB_FILE parameter. This
              variable is concatenated with $LCMAPS_DB_FILE.

       LCMAPS_ETC_DIR
              See $LCMAPS_DIR.

       LCMAPS_LOG_FILE
              Overrides the built-in default file path to log the output to.
              When set, the logging will not go to Syslog.

       LCMAPS_LOG_STRING
              Prepend all log output messages with the value of this
              environment variable.

       LCMAPS_MODULES_DIR
              Directory to search for the LCMAPS plugins (or modules). Same
              as the path option in the lcmaps.db file.

       LCMAPS_POLICY_NAME
              A colon separated list of LCMAPS plugin execution policies.
              When this environment variable is present, only the listed
              execution policies will be executed. They will be executed in
              the order as written in the lcmaps.db file (from top to
              bottom).

       LCMAPS_VERIFY_TYPE
              Deprecated.

       LCMAPS_VOMS_EXTRACT
              Deprecated.

       LCMAPS_X509_CERT_DIR
              Specific setting equal to the $X509_CERT_DIR environment
              variable.

       LCMAPS_X509_VOMS_DIR
              Specific setting equal to the $X509_VOMS_DIR environment
              variable.

       X509_CERT_DIR
              The directory where all the CA files, e.g. CA certificate and
              CRL files, are located. The default location is
              /etc/grid-security/certificates/.

       X509_VOMS_DIR
              This VOMS directory holds the VOMS .lsc files and/or PEM files
              used to authenticate the VOMS Attribute Certificates.
              Subdirectories are named by the VO name and scope the .lsc and
              PEM files in their authentication to one particular VO. The
              default location is /etc/grid-security/vomsdir/.
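       The plugin state machine described under DESCRIPTION and the
       LCMAPS_POLICY_NAME selection above, as an added Python illustration
       that is not LCMAPS code: it parses a constructed, simplified lcmaps.db
       policy text and walks the plugins with constructed outcomes. The rule
       syntax "plugin -> next_on_success | next_on_failure" and the
       first-succeeding-policy-wins behaviour are assumptions of this
       example; the real file format is documented in lcmaps.db(5).

```python
# Constructed, simplified lcmaps.db text (assumption: each rule reads
# "plugin -> next_on_success | next_on_failure"; path/module lines omitted).
SAMPLE_DB = """
standard:
verify_proxy -> localaccount
localaccount -> posix_enf | poolaccount
poolaccount -> posix_enf
fallback:
localaccount -> posix_enf
"""

def parse_policies(text):
    """Return [(policy, {plugin: (next_on_success, next_on_failure)})] in file order."""
    policies, rules = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):                       # "name:" starts a new policy
            rules = {}
            policies.append((line[:-1], rules))
        elif "->" in line and rules is not None:     # other lines are ignored here
            plugin, branches = line.split("->", 1)
            ok_next, _, fail_next = branches.partition("|")
            rules[plugin.strip()] = (ok_next.strip(), fail_next.strip() or None)
    return policies

def run_policy(rules, plugins):
    """Walk the state machine from the first rule's plugin; each outcome picks the next."""
    current, trace = next(iter(rules)), []
    while current is not None:
        if current in trace:                         # a looping rule set would never end
            return "LCMAPS_FAIL", trace
        trace.append(current)
        ok = plugins[current]()
        ok_next, fail_next = rules.get(current, (None, None))
        if not ok and fail_next is None:             # failure with no '|' branch ends it
            return "LCMAPS_FAIL", trace
        current = ok_next if ok else fail_next
    return "LCMAPS_SUCCESS", trace

def lcmaps_map(db_text, plugins, policy_name_env=None):
    """Try policies in lcmaps.db order; LCMAPS_POLICY_NAME (colon list) restricts them."""
    wanted = set(policy_name_env.split(":")) if policy_name_env else None
    for name, rules in parse_policies(db_text):
        if wanted is None or name in wanted:
            status, trace = run_policy(rules, plugins)
            if status == "LCMAPS_SUCCESS":           # first succeeding policy wins
                return status, name, trace
    return "LCMAPS_FAIL", None, []

# Constructed plugin outcomes: no static local account, but a pool account is free.
PLUGINS = {"verify_proxy": lambda: True, "localaccount": lambda: False,
           "poolaccount": lambda: True, "posix_enf": lambda: True}
```

       With these outcomes the "standard" policy falls through the failed
       localaccount plugin to poolaccount and ends in LCMAPS_SUCCESS, while
       LCMAPS_POLICY_NAME=fallback alone ends in LCMAPS_FAIL.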

RETURN VALUES
       LCMAPS_SUCCESS
              Success.

       LCMAPS_FAIL
              Failure.

       For an API specification, run make doc to build the apidoc.

BUGS
       The apidoc is not complete: it covers most interfaces, but still
       needs to be checked for completeness.

       Please report any errors to the Nikhef Grid Middleware Security Team
       <grid-mw-security-support@nikhef.nl>.

SEE ALSO
       lcmaps.db(5), lcas_lcmaps_gt4_interface(8), lcas_lcmaps_gt_interface(8),
       lcmaps_dummy_bad.mod(8), lcmaps_dummy_good.mod(8),
       lcmaps_ldap_enf.mod(8), lcmaps_localaccount.mod(8),
       lcmaps-plugins-c-pep(8), lcmaps_plugins_scas_client(8),
       lcmaps_poolaccount.mod(8), lcmaps_posix_enf.mod(8),
       lcmaps_tracking_groupid.mod(8), lcmaps_verify_proxy.mod(8), scas(8),
       scas.conf(5), glexec(1), glexec.conf(5), ees(1), ees.conf(5)

AUTHORS
       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team <grid-mw-security@nikhef.nl>.

                              December 22, 2011                      LCMAPS(3)