
ESGFNode|InstallingGridFTP|GridMapWildCards

Stephen Pascoe edited this page Apr 9, 2014 · 7 revisions
Wiki Reorganisation
This page has been classified for reorganisation. It has been given the category MOVE.
The content of this page will be revised and moved to one or more other pages in the new wiki structure.

Enabling Wildcards in the Gridmap File

This feature requires a separately patched package that understands wildcards in the _/etc/grid-security/grid-mapfile_. The goal here is to allow a range of user DNs to all be mapped to the same local user account, rather than the default behaviour of having each DN entry map to a single local user account. To get started on using this, download the following package file (recent as of 08/12/2009; based on the globus_4_2_0 tag, meaning it's compatible with the globus 4.2.x releases):

An example of downloading and applying the patch is shown below:

# download the patched package file here:

[root@vm-125-66 sbin]# wget http://rainbow.llnl.gov/dist/globus/gridftp/globus_gss_assist-5.5.tar.gz

# NOTE: the command line below was used for installing on a 64-bit machine with the gcc64dbg flavor.
#           For a 32-bit machine with the gcc32dbg flavor, substitute gcc32dbg and gcc32dbgpthr accordingly.

[root@vm-125-66 sbin]# $GPT_LOCATION/sbin/gpt-build -force -update globus_gss_assist-5.5.tar.gz gcc64dbg gcc64dbgpthr
gpt-build ====> CHECKING BUILD DEPENDENCIES FOR globus_gss_assist
gpt-build ====> Changing to /usr/local/gt4.2.1/sbin/BUILD/globus_gss_assist-5.5/
gpt-build ====> BUILDING FLAVOR gcc64dbg
gpt-build ====> Changing to /usr/local/gt4.2.1/sbin/BUILD
gpt-build ====> Changing to /usr/local/gt4.2.1/sbin/BUILD/globus_gss_assist-5.5/
gpt-build ====> BUILDING FLAVOR gcc64dbgpthr
gpt-build ====> Changing to /usr/local/gt4.2.1/sbin/BUILD

Now edit the _/etc/grid-security/grid-mapfile_ file. An example is shown below, but you will have to modify it appropriately for your system.

# This is the original grid-mapfile:

[root@vm-125-66 sbin]# cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=testUser" neillm

# Modify it here to contain a regexp to accommodate wildcard matches.
# After editing, it should resemble something like this:

# The version we want now for ESG is to accept and map ALL DNs to the same local account.
# Security in other places allows this to work securely.   This is done as follows:
"^.*$" neillm

You can see that it now contains a short regex (i.e. "^.*$") accepting all DNs and mapping them to the local account "neillm". This is the syntax of the supported regex matches for this feature.

Restart the globus-gridftp-server and the wildcard mappings should work correctly!
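An added example (not part of the original wiki page or of the Globus/ESGF code): a small audit script that parses grid-mapfile entries as regexes and reports which ones map every DN to a local account, so the catch-all entry is a visible, deliberate choice. It assumes Python's `re` approximates the patched library's matching and that the first matching entry wins; the narrower pattern and the probe DNs are constructed.

```python
import re

# Constructed sample: the page's catch-all entry plus a narrower pattern built
# from the page's test DN (the narrower entry is an assumption, not from the page).
SAMPLE_MAPFILE = r'''
# comments and blank lines are skipped
"^/O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66\.ci\.uchicago\.edu/CN=.+$" neillm
"^.*$" neillm
'''

# Constructed probe DNs that a pattern scoped to one CA should never match.
PROBE_DNS = ["/O=Example/OU=Unrelated/CN=someone", "/C=XX/O=Other CA/CN=x", ""]

# One entry per line: a double-quoted DN pattern, whitespace, a local account.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+(\S+)$')

def parse_mapfile(text):
    """Return [(pattern, account)] for each well-formed entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries

def map_dn(entries, dn):
    """Account of the first entry whose pattern matches dn, else None.
    Assumes first-match-wins and unanchored (search-style) regex matching."""
    for pattern, account in entries:
        if re.search(pattern, dn):
            return account
    return None

def catch_all_entries(entries, probes=PROBE_DNS):
    """Entries whose pattern matches every unrelated probe DN (a heuristic)."""
    return [(p, a) for p, a in entries
            if all(re.search(p, dn) for dn in probes)]

if __name__ == "__main__":
    entries = parse_mapfile(SAMPLE_MAPFILE)
    for pattern, account in catch_all_entries(entries):
        print(f"catch-all: {pattern!r} maps every DN to {account!r}")
```

Run against a copy of the real grid-mapfile, any entry it reports relies entirely on the controls elsewhere in the deployment to decide who may authenticate.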
