Difference between revisions of "User:Dennisvd@nikhef.nl/lijmwijzer"
| Line 16: | Line 16: | ||
=== LDAP enforcement === | === LDAP enforcement === | ||
| − | The LCMAPS plugin for LDAP enforcement is used for sites that have dynamic mappings to users and groups, which requires a modification of the LDAP database every time a (new) mapping is done. Applies to: WN, CE. | + | The LCMAPS plugin for LDAP enforcement is used for sites that have dynamic mappings to users and groups, which requires a modification of the LDAP database every time a (new) mapping is done. Zie elders. Applies to: WN, CE. |
| + | |||
| + | This plugin will '''not''' work together with the ARGUS framework. | ||
| + | |||
| + | ==== LDAP enforcement with SCAS ==== | ||
On the WN: | On the WN: | ||
| Line 31: | Line 35: | ||
On SCAS: | On SCAS: | ||
get_account_on_scas: | get_account_on_scas: | ||
| + | voms_pool_group -> voms_local_group | voms_local_group | ||
| + | voms_local_group -> voms_pool_account | ||
| + | |||
| + | ==== LDAP enforcement with node-local mapping ==== | ||
| + | |||
| + | This case is used when there is no centrally arranged authorization; the gridmapdir should be shared (e.g. through NFS) between services for consistent | ||
| + | mappings. | ||
| + | |||
| + | On the WN: | ||
| + | get_account_on_wn: | ||
| + | verify_proxy -> voms_pool_group | voms_local_group | ||
voms_pool_group -> voms_local_group | voms_pool_group -> voms_local_group | ||
voms_local_group -> voms_pool_account | voms_local_group -> voms_pool_account | ||
| − | + | voms_pool_account -> ldap_enf | |
| + | ldap_enf -> posix_enf | ||
| + | |||
| + | On the CE: | ||
| + | get_account_on_ce: | ||
| + | voms_pool_group -> voms_local_group | voms_local_group | ||
| + | voms_local_group -> voms_pool_account | ||
| + | voms_pool_account -> ldap_enf | ||
| + | ldap_enf -> posix_enf | ||
=== AFS integration === | === AFS integration === | ||
Revision as of 13:04, 19 April 2010
De LCMAPS lijmwijzer. Nederlandse tekst is concepttekst.
The universal guide to setting up Grid security middleware at your site
This guide will help you choose and configure security middleware components to suite the local setup at your site. Warning: this advice given by this guide won't replace applying good security practices for grid sites.
The following guide applies to sites that are part of the EGEE grid infrastructure.
There are several options for centrally managing grid security policies, but the ARGUS authorization service is the framework of choice now and in the future. There are some special cases which require an alternative approach as detailed below.
Special Cases
The following items should be considered before a final choice can be made.
LDAP enforcement
The LCMAPS plugin for LDAP enforcement is used for sites that have dynamic mappings to users and groups, which requires a modification of the LDAP database every time a (new) mapping is done. Zie elders. Applies to: WN, CE.
This plugin will not work together with the ARGUS framework.
LDAP enforcement with SCAS
On the WN:
get_account_on_wn: verify_proxy -> scas_client scas_client -> ldap_enf ldap_enf -> posix_enf
On the CE:
get_account_on_ce: scas_client -> ldap_enf ldap_enf -> posix_enf
On SCAS:
get_account_on_scas: voms_pool_group -> voms_local_group | voms_local_group voms_local_group -> voms_pool_account
LDAP enforcement with node-local mapping
This case is used when there is no centrally arranged authorization; the gridmapdir should be shared (e.g. through NFS) between services for consistent mappings.
On the WN:
get_account_on_wn: verify_proxy -> voms_pool_group | voms_local_group voms_pool_group -> voms_local_group voms_local_group -> voms_pool_account voms_pool_account -> ldap_enf ldap_enf -> posix_enf
On the CE:
get_account_on_ce: voms_pool_group -> voms_local_group | voms_local_group voms_local_group -> voms_pool_account voms_pool_account -> ldap_enf ldap_enf -> posix_enf
