Configuration files for the default (CE) case.

Install a user account glexec. Set its shell to /sbin/nologin.

Set the ownership of the glexec binary to:
    chown root:glexec /opt/glite/sbin/glexec
Set the file permissions to:
    chmod 6555 /opt/glite/sbin/glexec

glexec configuration file.

To be installed at /opt/glite/etc/glexec.conf (hard-coded at the glexec compile time for security).
The glexec.conf file ownership must be root.glexec.
The glexec.conf file permissions must be 0640.

#
# Glexec configuration file
#
[glexec]
silent_logging = no
log_destination = syslog
log_level = 1
user_white_list = [this must be specified by admin, will vary for each VO]
linger = yes
omission_private_key_white_list = tomcat
user_identity_switch_by = lcmaps
lcmaps_db_file = /opt/glite/etc/[to be completed by admin]
lcmaps_log_file = /var/log/glexec/lcaslcmap.log
lcmaps_debug_level = 1
lcas_db_file = /opt/glite/etc/[to be completed by admin]
lcas_log_file = /var/log/glexec/lcaslcmap.log
lcas_debug_level = 1

The default names and locations of the following two configuration files are /opt/glite/etc/lcas/lcas.db and /opt/glite/etc/lcmaps/lcmaps.db.
These values may only be changed in the /opt/glite/etc/glexec.conf file by using the following switches:
    lcas_db_file = <path>/<name of db file>
    lcmaps_db_file = <path>/<name of db file>

LCMAPS configuration file.
# LCMAPS policy file/plugin definition
# Written by: Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# Configuration file is specialized for the gLExec on CREAM CE
# This configuration for LCMAPS assumes that the process is running with (effective) root privileges.
## No verify_proxy needed
# default path for the modules
path = /opt/glite/lib/modules
# Plugin definitions:
good = "lcmaps_dummy_good.mod"
posix_enf = "lcmaps_posix_enf.mod"
            " -maxuid 1"
            " -maxpgid 1"
            " -maxsgid 32"
localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 "-groupmapfile /etc/grid-security/groupmapfile"
                 "-mapmin 0"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  "-gridmapfile /etc/grid-security/grid-mapfile"
                  "-gridmapdir /etc/grid-security/gridmapdir"
                  "-do_not_use_secondary_gids"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   "-gridmapfile /etc/grid-security/grid-mapfile"
                   "-use_voms_gid"
# Warning: The false goto state is not defined in this line "vomspoolaccount -> posix_enf",
# because the gathered vomslocalgroup information is still in memory.
# Jumping to another plugin evaluation policy will clear the intermediate mapping results.
# So on the rare occasion that the vomslocalgroup was successful and the vomspoolaccount
# failed, you must abandon ship to avoid undesired mappings.
# Policies:
# DN-local -> VO-static -> VO-pool -> DN-pool
glexec_get_account:
localaccount -> posix_enf | vomslocalgroup
vomslocalgroup -> vomslocalaccount | poolaccount
vomslocalaccount -> posix_enf | vomspoolaccount
vomspoolaccount -> posix_enf
poolaccount -> posix_enf
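
The fall-through order of the glexec_get_account policy above, as an added example that is not part of the original page or of LCMAPS itself. It assumes the usual reading of a rule "a -> b | c" (run b when plugin a succeeds, c when it fails); the helper names and the sets of succeeding plugins passed to run() are constructed for illustration.

```python
# Added example: walks the glexec_get_account policy shown on this page.
# Assumed semantics: "a -> b | c" runs b if plugin a succeeds and c if it fails;
# a failing plugin with no false branch ends the policy with no mapping.
POLICY = """
localaccount -> posix_enf | vomslocalgroup
vomslocalgroup -> vomslocalaccount | poolaccount
vomslocalaccount -> posix_enf | vomspoolaccount
vomspoolaccount -> posix_enf
poolaccount -> posix_enf
"""

def parse_policy(text):
    """Return (start_plugin, {plugin: (on_success, on_failure_or_None)})."""
    rules, start = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        head, _, branches = line.partition("->")
        on_true, _, on_false = branches.partition("|")
        name = head.strip()
        rules[name] = (on_true.strip(), on_false.strip() or None)
        start = start or name
    return start, rules

def evaluate(start, rules, succeeds):
    """Walk the policy. `succeeds` is the set of plugins that return success
    (constructed input). Returns (mapped, [plugins run, in order])."""
    path, current = [], start
    while True:
        path.append(current)
        ok = current in succeeds
        if current not in rules:       # terminal plugin such as posix_enf
            return ok, path
        on_true, on_false = rules[current]
        nxt = on_true if ok else on_false
        if nxt is None:                # failed and no false branch: stop here
            return False, path
        current = nxt

START, RULES = parse_policy(POLICY)

def run(succeeds):
    return evaluate(START, RULES, set(succeeds))

if __name__ == "__main__":
    print(run(["localaccount", "posix_enf"]))                   # DN-local mapping
    print(run(["vomslocalgroup", "poolaccount", "posix_enf"]))  # VO group ok, VO accounts fail
```

The second call is the case the warning describes: vomslocalgroup succeeds, both VO account plugins fail, and the policy ends without ever trying poolaccount.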

-- JohnWhite - 14 Aug 2008