LToS: Difference between revisions
No edit summary |
|||
Line 1: | Line 1: | ||
== Configuration of the CE == | == Configuration of the CE == | ||
This [https://wiki.egi.eu/wiki/MAN12 link] explains how to set up the PUSP mechanism on the CE. However, if you apply these recipes to the letter, it will break the CE. Here are the | This [https://wiki.egi.eu/wiki/MAN12 link] explains how to set up the PUSP mechanism on the CE. However, if you apply these recipes to the letter, it will break the CE. Here are the actual configurations we have applied : | ||
* /etc/glexec.conf | * /etc/glexec.conf | ||
<pre> | <pre> | ||
Line 25: | Line 25: | ||
user_identity_switch_by=lcmaps | user_identity_switch_by=lcmaps | ||
user_white_list=tomcat | user_white_list=tomcat | ||
</pre> | |||
* /etc/lcmaps/lcmaps.db.glexec.pusp | |||
<pre> | |||
path = /usr/lib64/lcmaps | |||
vomspoolaccount = "lcmaps_voms_poolaccount.mod" | |||
"-gridmapfile /etc/lcmaps/gridmapfile" | |||
"-gridmapdir /etc/grid-security/gridmapdir" | |||
"-override_inconsistency" | |||
vomslocalgroup = "lcmaps_voms_localgroup.mod" | |||
"-groupmapfile /etc/lcmaps/groupmapfile" | |||
"-mapmin 0 " | |||
proxycheck = "lcmaps_verify_proxy.mod" | |||
"-certdir /etc/grid-security/certificates" | |||
"--allow-limited-proxy" | |||
posixenf = "lcmaps_posix_enf.mod" | |||
"-maxuid 1" | |||
"-maxpgid 1" | |||
"-maxsgid 32" | |||
vomslocalaccount = "lcmaps_voms_localaccount.mod" | |||
"-gridmapfile /etc/lcmaps/gridmapfile" | |||
"-use_voms_gid" | |||
robot_pool = "lcmaps_robot_poolaccount.mod" | |||
"-gridmapfile /etc/grid-security/grid-mapfile" | |||
"-gridmapdir /etc/grid-security/gridmapdir/" | |||
poolaccount = "lcmaps_poolaccount.mod" | |||
"-override_inconsistency" | |||
"-gridmapfile /etc/grid-security/grid-mapfile" | |||
"-gridmapdir /etc/grid-security/gridmapdir" | |||
robot_ban_dn = "lcmaps_robot_ban_dn.mod" | |||
"-banmapfile /etc/lcas/ban_users.db" | |||
localaccount = "lcmaps_localaccount.mod" | |||
"-gridmapfile /etc/grid-security/grid-mapfile" | |||
ban_dn = "lcmaps_ban_dn.mod" | |||
"-banmapfile /etc/lcas/ban_users.db" | |||
robot_local = "lcmaps_robot_localaccount.mod" | |||
"-gridmapfile /etc/grid-security/grid-mapfile" | |||
# Policies: | |||
voms: | |||
proxycheck -> vomslocalgroup | |||
vomslocalgroup -> vomslocalaccount | |||
vomslocalaccount -> posixenf | vomspoolaccount | |||
vomspoolaccount -> posixenf | |||
standard: | |||
proxycheck -> localaccount | |||
localaccount -> posixenf | poolaccount | |||
poolaccount -> posixenf | |||
combi_mapping: | |||
ban_dn -> robot_ban_dn | |||
robot_ban_dn -> proxycheck | |||
proxycheck -> robot_pool | |||
~robot_pool -> robot_local | |||
~robot_local -> vomslocalgroup | |||
vomslocalgroup -> vomslocalaccount | |||
vomslocalaccount -> posixenf | vomspoolaccount | |||
vomspoolaccount -> posixenf | |||
</pre> | </pre> |
Revision as of 19:52, 18 May 2016
Configuration of the CE
The EGI MAN12 page (https://wiki.egi.eu/wiki/MAN12) explains how to set up the PUSP (Per-User Sub-Proxy) mechanism on the CE. However, applying those recipes to the letter will break the CE. Here are the actual configurations we have applied:
- /etc/glexec.conf
# gLExec configuration applied on the CE for the PUSP setup.
# Settings are listed one per line; values are unchanged from the page.
[glexec]
create_target_proxy=no

# LCAS settings. use_lcas=no is set further down, so these look unused
# in this setup -- confirm before relying on LCAS for authorization.
lcas_db_file=/etc/lcas/lcas-glexec.db
lcas_debug_level=5
lcas_log_file=/var/log/glexec/lcas_lcmaps.log
lcas_log_level=5

# LCMAPS settings. The policy named in lcmaps_get_account_policy must be
# defined in lcmaps_db_file; the lcmaps.db.glexec.pusp listing on this page
# defines combi_mapping.
lcmaps_db_file=/etc/lcmaps/lcmaps.db.glexec.pusp
lcmaps_debug_level=5
lcmaps_get_account_policy=combi_mapping
lcmaps_log_file=/var/log/glexec/lcas_lcmaps.log
lcmaps_log_level=5
# NOTE(review): VOMS verification is switched off. The combi_mapping policy
# can still fall through to the voms* mapping plugins, so confirm that
# unverified VOMS attributes cannot influence the account mapping.
lcmaps_voms_verification=no

linger=no

# NOTE(review): every log/debug level in this file is 5, which looks like a
# debugging setup. Presumably these logs record user DNs and mapping
# decisions; restrict read access to them and lower the levels once the
# setup is validated.
log_destination=file
log_file=/var/log/glexec/glexec.log
log_level=5

# Presumably the accounts allowed to present a proxy without its private
# key -- TODO confirm against the glexec.conf documentation. Keep this list
# as short as user_white_list.
omission_private_key_white_list=tomcat
preserve_env_variables=
silent_logging=no

# LCAS is not consulted. In this setup DN banning is done inside the LCMAPS
# policy instead (the ban_dn / robot_ban_dn plugins in the db file).
use_lcas=no
user_identity_switch_by=lcmaps
# Only the tomcat account is white-listed to call gLExec. Anything that can
# run code as tomcat can request an identity switch, so that account should
# be treated as privileged.
user_white_list=tomcat
- /etc/lcmaps/lcmaps.db.glexec.pusp
# LCMAPS plugin database used by gLExec for the PUSP setup.
# First part: plugin definitions (module file plus its arguments).
# Second part: policies, i.e. the order in which plugins are evaluated.
path = /usr/lib64/lcmaps

# NOTE(review): the voms* plugins read /etc/lcmaps/gridmapfile while the
# robot/pool/local plugins read /etc/grid-security/grid-mapfile. Confirm the
# two map files are both maintained and consistent with each other.
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  "-gridmapfile /etc/lcmaps/gridmapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir"
                  "-override_inconsistency"

# "-mapmin 0" presumably means no minimum number of mapped groups is
# required -- TODO confirm against the plugin documentation.
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 "-groupmapfile /etc/lcmaps/groupmapfile"
                 "-mapmin 0 "

# Proxy chain verification against the CA directory. Limited proxies are
# explicitly accepted here.
proxycheck = "lcmaps_verify_proxy.mod"
             "-certdir /etc/grid-security/certificates"
             "--allow-limited-proxy"

# Enforcement limits: at most 1 uid, 1 primary gid and 32 secondary gids.
posixenf = "lcmaps_posix_enf.mod"
           "-maxuid 1"
           "-maxpgid 1"
           "-maxsgid 32"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   "-gridmapfile /etc/lcmaps/gridmapfile"
                   "-use_voms_gid"

# Robot (PUSP) pool-account mapping. It shares the gridmapdir with the
# ordinary pool-account plugins.
robot_pool = "lcmaps_robot_poolaccount.mod"
             "-gridmapfile /etc/grid-security/grid-mapfile"
             "-gridmapdir /etc/grid-security/gridmapdir/"

# NOTE(review): "-override_inconsistency" is set on both pool-account
# plugins. Presumably it lets a mapping proceed when the gridmapdir lease
# state disagrees with the map file; confirm this cannot hand an existing
# lease to a different DN.
poolaccount = "lcmaps_poolaccount.mod"
              "-override_inconsistency"
              "-gridmapfile /etc/grid-security/grid-mapfile"
              "-gridmapdir /etc/grid-security/gridmapdir"

# Both ban plugins read the same ban list. The file decides who is denied,
# so it should be writable by root only.
robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/lcas/ban_users.db"

localaccount = "lcmaps_localaccount.mod"
               "-gridmapfile /etc/grid-security/grid-mapfile"

ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/lcas/ban_users.db"

robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"

# Policies:
# Reading the rules: "a -> b" continues with b when a succeeds,
# "a -> b | c" continues with c when a fails, and "~a -> b" continues
# with b only when a fails.
voms:
proxycheck -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf

standard:
proxycheck -> localaccount
localaccount -> posixenf | poolaccount
poolaccount -> posixenf

# combi_mapping is the policy selected by lcmaps_get_account_policy in
# /etc/glexec.conf. Ban checks run first, then proxy verification, then the
# robot mappings, and only when both robot mappings fail the VOMS mappings.
# NOTE(review): the robot_pool and robot_local success paths end without a
# posixenf step, unlike the VOMS paths -- confirm this is intended.
combi_mapping:
ban_dn -> robot_ban_dn
robot_ban_dn -> proxycheck
proxycheck -> robot_pool
~robot_pool -> robot_local
~robot_local -> vomslocalgroup
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posixenf | vomspoolaccount
vomspoolaccount -> posixenf