edg-mkgridmap.conf file contains configuration informations for edg-mkgridmap.
The default location is /etc/edg-mkgridmap.conf.
The edg-mkgridmap.conf file is a free-form ASCII text file. It is parsed by the descent parser built into edg-mkgridmap. The file may contain extra tabs and white spaces for formatting purposes. Keywords in the file are case-insensitive. Comments may be placed anywhere within the file (except within quotes). Comments begin with the # character and end at the end of the line.
The file essentially consists of a list of directives composed by a keyword and one or more arguments. Optional arguments are put in square brackets.
* group URI [lcluser]
* default_lcluser default_lcluser
* auth URI
* allow⎪deny pattern_to_match
* gmf_local grid-mapfile-local
#### GROUP: group URI [lcluser] group ldaps://grid-vo.infn.it/ou=testbed1,o=infn,c=it .infngrid group ldaps://grid-vo.infn.it/ou=testbed2,o=infn,c=it group ldaps://grid-vo.infn.it/ou=testbed3,o=infn,c=it AUTO group https://grid-vo.infn.it/infngrid/testbed1 .infngrid group https://grid-vo.infn.it/infngrid/testbed2 group https://grid-vo.infn.it/infngrid/testbed3 AUTO group vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam/Role=lcgadmin dteamsgm group vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam .dteam
#### DEFAULT_LCLUSER: default_lcluser lcluser default_lcluser .infngrid
#### AUTH: auth URI auth ldaps://grid-auth.infn.it/ou=People,o=infn,c=it
#### ALLOW and DENY: deny⎪allow pattern_to_match deny *L=Parma* allow *INFN*
#### GMF_LOCAL: gmf_local grid-mapfile-local gmf_local /etc/grid-mapfile-local1 gmf_local /etc/grid-mapfile-local2 gmf_local /etc/grid-mapfile-local3
The group directive
group URI [lcluser]
A group directive defines a group of people which are members of a VO. lcluser, if specified, is the local user name associated to each member of the group. If lcluser is not specified, the default local user is implicitly used. If someone belongs to more than one group, the first match is used.
The URI may be of these types:
For ldap URI the default scope is base and the default filter is (objectClass=*).
For voms/vomss URI the default port is the same of http/https URI.
Specify AUTO as lcluser or default_lcluser for automatic generation of local usernames. In this case the executable local-subject2user is used. local-subject2user is called with the user certificate subject as argument and writes to the standard output the local username associated with the user certificate subject. This allows local sites to customize the output of edg-mkgridmap.
Specify . or .[PREFIX] (eg .cms) as lcluser or default_lcluser to enable dynamic allocation of local usernames (Andrew McNab's gridmapdir patch).
The default_lcluser directive
The default_lcluser directive defines the default local user.
The auth directive
The auth directive specifies a group of people which are authorized to access to the local resources. If the certificate subject of a member of a ldap/ldaps group is not present in this authorized group, it will not be inserted in the grid-mapfile. If auth is omitted, this feature is disabled.
The URI may be of these types:
The default scope is one and the default filter is (description=subject=*).
REFERENCE: ALLOW and DENY
The allow⎪deny directive
allow and deny directives define the access control list. The pattern to match may contain wildcards; the test is done on the user certificate subject. Parsing stops at the first match. If there is at least an allow, there is an implicit deny * at the end, otherwise there is an implicit allow *. Parsing is not case sensitive.
The gmf_local directive
The gmf_local directive specifies a local grid-mapfile useful to add static entries in the grid-mapfile.
EU DataGrid Authorization Working Group, EGEE Middleware Security Group, Maarten Litmaath (CERN/WLCG)