Gridmap Account Mapping Proposal

To support proxies without an attribute certificate (AC), it should be possible to map the user's primary group based on the user's DN.


  1. Allow DN-based group mapping (pool account, static) in the group mapfile
  2. Configuration options:
    • preferDNForLoginName - if both an FQAN and a DN mapping exist for the login name, prefer the DN-based mapping.
    • preferDNForPrimaryGroup - works the same as preferDNForLoginName but for the primary group.
    • noPrimaryGroupIsError - indicates that the failure to find a mapping in the group map file causes the obligation handling (and thus the overall authorization process) to fail.
  3. Allow the Argus server to send back the login name with or without group names. The resolution of names to numeric IDs would continue to occur on the authorization client side.

User and Group Mapping Process

  • user-id is the user login name
  • group-id is the user primary group
  • group-ids[] is a list of secondary groups

Pseudo Code

// Username mapping
dn_user-id :=  first DN mapping from grid mapfile
fqan_user-id := first primary FQAN mapping from grid mapfile

if preferDNForLoginName and dn_user-id not NULL then
   user-id := dn_user-id
else
   user-id := fqan_user-id

if user-id is NULL then fail

// Primary and secondary groups mapping
dn_groups[] := all DN mapping from group mapfile (in order)
fqan_groups[] := all FQANs mapping from group mapfile (in order)

if preferDNForPrimaryGroup and dn_groups[] not empty then
   group-id := first element of dn_groups[]
else
   group-id := first element of fqan_groups[]

if noPrimaryGroupIsError and group-id is NULL then fail

group-ids[] := fqan_groups[] + dn_groups[]
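
The mapping process above as a runnable Python sketch, added here as an illustration and not taken from the Argus code base. It reads the DN preference in the pseudo code as an if/else. Assumptions: the mapfile line format `"<DN or FQAN>" <name>` with exact matching, the sample DNs, FQANs and account names (all constructed), and the names `lookup`, `first`, `map_account` and `MappingError`.

```python
import shlex

# Constructed sample mapfiles; assumed format: "<DN or FQAN>" <name>, exact match.
GRID_MAP = '''
"/DC=org/DC=example/CN=Alice Example" alice
"/DC=org/DC=example/CN=Bob Example" bob
"/vo.example/Role=production" prod001
'''
GROUP_MAP = '''
"/DC=org/DC=example/CN=Alice Example" ops
"/vo.example/Role=production" voprod
"/vo.example" vo
'''

class MappingError(Exception):
    """Obligation handling failed, so the authorization as a whole fails."""

def lookup(mapfile, keys):
    """Names mapped to each key, in key order, then file order."""
    rows = [shlex.split(line) for line in mapfile.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    return [r[1] for k in keys for r in rows if len(r) == 2 and r[0] == k]

def first(items):
    return items[0] if items else None

def map_account(dn, fqans, *, prefer_dn_login=False, prefer_dn_group=False,
                no_primary_group_is_error=False):
    """Return (user-id, group-id, group-ids[]); fqans[0] is the primary FQAN."""
    # Username mapping
    dn_user = first(lookup(GRID_MAP, [dn]))
    fqan_user = first(lookup(GRID_MAP, fqans[:1]))
    user = dn_user if prefer_dn_login and dn_user is not None else fqan_user
    if user is None:
        raise MappingError("no login name mapping")  # fail closed
    # Primary and secondary groups mapping
    dn_groups = lookup(GROUP_MAP, [dn])
    fqan_groups = lookup(GROUP_MAP, fqans)
    if prefer_dn_group and dn_groups:
        group = dn_groups[0]
    else:
        group = first(fqan_groups)
    if no_primary_group_is_error and group is None:
        raise MappingError("no primary group mapping")
    return user, group, fqan_groups + dn_groups

ALICE = "/DC=org/DC=example/CN=Alice Example"
# Proxy without AC: no FQANs, so only the DN-based mappings can apply.
print(map_account(ALICE, [], prefer_dn_login=True, prefer_dn_group=True))
```

With no FQANs and preferDNForLoginName unset, the login name lookup returns nothing and the mapping fails, which is the case the DN preference options exist to cover.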

Topic revision: r1 - 2010-07-07 - ValeryTschoppExCern