Configuring gPlazma

dCache Authorization by protocol

WebDAV

• htpasswd

Authentication

• JAAS, custom /etc/dcache/jgss.conf

Mapping

• glazma Mutator (to convert LDAP specific result to dCache internal principals) + NSSwitch (to map user name to uid)

NFSv3/NFSv41

Authentication

• Not performed in the dCache system, is made through OpenLDAP server.

Mapping

• Username/Password already authenticated through OpenLDAP, NSSwitch for mapping.

GridFTP

Authentication

x509

• Users defined in /etc/grid-security/grid-mapfile.

• /etc/grid-security/grid-mapfile is generated with a grid-mapfile cron (crontab -l) which executes the edg-mkgridmap application.

# Puppet Name: grid-mapfile
0 */6 * * * [ ! -f /var/lock/subsys/edg-mkgridmap ] && /usr/sbin/edg-mkgridmap --output=- > /etc/grid-security/grid-mapfile.new && sleep 3 && cat /etc/grid-security/grid-mapfile.new > /etc/grid-security/grid-mapfile

• edg-mkgridmap application can be configured with the /etc/edg-mkgridmap.conf file where:

• You can map VO members by specifying a VOMS service and the affected VO. In example:

group vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb lhcb001

• /etc/grid-mapfile-local is a file to bootstrap the actual grid-mapfile and can be used to allow extra DNs or override some mappings

voms

• User defined in /etc/grid-security/grid-vorolemap.

Mapping

• gridmap must is map the incoming DN to a local user

DCap/GSI-DCap

Authentication: Plain DCap with no authentication, but requires world readable and/or writable. GSI-DCap

Mapping: glazma Mutator (to convert LDAP specific result to dCache internal principals) + NSSwitch (to map user name to uid)

XRootD

HTPasswd

• This is intended only for the WebDAV protocol.

x509 Certificates

• This is mostly intented for the WebDAV protocol.

VOMS Certificates

• This is intented for GRID Users, mostly using GridFTP, GSI-DCap & SRM protocols.

JAAS

• This is intended for PIC LDAP users accessing to WebDAV.

multimap

• Useful for OIDC authentication (i.e. through Google or INDIGO Accounts)