edg-mkgridmap.conf (5) - Linux Manuals



edg-mkgridmap.conf - edg-mkgridmap configuration file


The edg-mkgridmap.conf file contains configuration information for edg-mkgridmap.

The default location is /etc/edg-mkgridmap.conf.

The edg-mkgridmap.conf file is a free-form ASCII text file. It is parsed by the descent parser built into edg-mkgridmap. The file may contain extra tabs and white spaces for formatting purposes. Keywords in the file are case-insensitive. Comments may be placed anywhere within the file (except within quotes). Comments begin with the # character and end at the end of the line.

The file essentially consists of a list of directives, each composed of a keyword and one or more arguments. Optional arguments are put in square brackets.

* group URI [lcluser]
* default_lcluser default_lcluser
* auth URI
* allow|deny pattern_to_match
* gmf_local grid-mapfile-local


  #### GROUP: group URI [lcluser]
  group ldaps://grid-vo.infn.it/ou=testbed1,o=infn,c=it .infngrid
  group ldaps://grid-vo.infn.it/ou=testbed2,o=infn,c=it
  group ldaps://grid-vo.infn.it/ou=testbed3,o=infn,c=it AUTO
  group https://grid-vo.infn.it/infngrid/testbed1 .infngrid
  group https://grid-vo.infn.it/infngrid/testbed2
  group https://grid-vo.infn.it/infngrid/testbed3 AUTO
  group vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam/Role=lcgadmin dteamsgm
  group vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam .dteam

  #### DEFAULT_LCLUSER: default_lcluser lcluser
  default_lcluser .infngrid

  #### AUTH: auth URI
  auth ldaps://grid-auth.infn.it/ou=People,o=infn,c=it

  #### ALLOW and DENY: deny|allow pattern_to_match
  deny *L=Parma*
  allow *INFN*

  #### GMF_LOCAL: gmf_local grid-mapfile-local
  gmf_local /etc/grid-mapfile-local1
  gmf_local /etc/grid-mapfile-local2
  gmf_local /etc/grid-mapfile-local3


The group directive

group URI [lcluser]

A group directive defines a group of people who are members of a VO. lcluser, if specified, is the local user name associated with each member of the group. If lcluser is not specified, the default local user is implicitly used. If someone belongs to more than one group, the first match is used.

The URI may be of these types:




For ldap URIs the default scope is base and the default filter is (objectClass=*).

For voms/vomss URIs the default port is the same as for http/https URIs.

Specify AUTO as lcluser or default_lcluser for automatic generation of local usernames. In this case the executable local-subject2user is used. local-subject2user is called with the user certificate subject as argument and writes to the standard output the local username associated with the user certificate subject. This allows local sites to customize the output of edg-mkgridmap.

Specify . or .[PREFIX] (e.g. .cms) as lcluser or default_lcluser to enable dynamic allocation of local usernames (Andrew McNab's gridmapdir patch).


The default_lcluser directive

default_lcluser default_lcluser

The default_lcluser directive defines the default local user.


The auth directive

auth URI

The auth directive specifies a group of people who are authorized to access the local resources. If the certificate subject of a member of an ldap/ldaps group is not present in this authorized group, it will not be inserted in the grid-mapfile. If auth is omitted, this feature is disabled.

The URI may be of these types:


The default scope is one and the default filter is (description=subject=*).


The allow|deny directive

allow|deny pattern_to_match

The allow and deny directives define the access control list. The pattern to match may contain wildcards; the test is done on the user certificate subject. Parsing stops at the first match. If there is at least one allow, there is an implicit deny * at the end; otherwise there is an implicit allow *. Matching is not case sensitive.
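
The following Python sketch is an added example, not code from edg-mkgridmap itself. It evaluates the allow/deny list as described above (first match wins, implicit final rule, case-insensitive), so an administrator can check which rule decides a given certificate subject. It assumes that * is the only wildcard and that double quotes around a pattern are delimiters; the function names and sample subjects are constructed for illustration.

```python
import re

# Constructed sample: the ACL lines from the example configuration above.
SAMPLE_CONF = """
#### ALLOW and DENY: deny|allow pattern_to_match
deny *L=Parma*      # first match wins, so order matters
ALLOW *INFN*
"""

def strip_comment(line):
    """Drop a # comment unless the # sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line

def parse_acl(conf_text):
    """Return [(action, pattern)] for allow/deny directives, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        parts = strip_comment(raw).strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("allow", "deny"):
            # Assumption: surrounding double quotes only delimit the argument.
            rules.append((parts[0].lower(), parts[1].strip().strip('"')))
    return rules

def pattern_to_regex(pattern):
    # Assumption: '*' is the only wildcard; every other character is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def decide(rules, subject):
    """Return (action, deciding_rule) using first-match semantics."""
    for action, pattern in rules:
        if pattern_to_regex(pattern).fullmatch(subject):
            return action, f"{action} {pattern}"
    # No explicit match: implicit "deny *" if any allow exists, else "allow *".
    if any(action == "allow" for action, _ in rules):
        return "deny", "implicit deny *"
    return "allow", "implicit allow *"

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONF)
    for dn in ("/C=IT/O=INFN/L=Parma/CN=Constructed User A",
               "/C=GR/O=HellasGrid/CN=Constructed User C"):
        print(dn, "->", decide(acl, dn))
```

Note that a configuration containing only deny lines admits every subject that no pattern matches, because the implicit final rule is then allow *.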


The gmf_local directive

gmf_local grid-mapfile-local

The gmf_local directive specifies a local grid-mapfile, which is useful for adding static entries to the grid-mapfile.




EU DataGrid Authorization Working Group, EGEE Middleware Security Group, Maarten Litmaath (CERN/WLCG)