| 140 | |
| 141 | == The Grid Mapfile == |
| 142 | This tutorial assumes that the QCG-Computing service is configured in such a way that every authenticated user must be authorized against the `grid-mapfile`. This file can be created manually by an administrator (if the service is run in "test mode") or generated automatically based on the LDAP directory service. |
| 143 | === Manually created grid mapfile (for testing purposes only) === |
| 144 | {{{ |
| 145 | #!div style="font-size: 90%" |
| 146 | {{{#!default |
| 147 | # for testing purposes only: add a mapping for your account |
| 148 | echo '"MyCertDN" myaccount' >> /etc/grid-security/grid-mapfile |
| 149 | }}} |
| 150 | }}} |
| 151 | === LDAP generated grid mapfile === |
| 152 | {{{ |
| 153 | #!div style="font-size: 90%" |
| 154 | {{{#!default |
| 155 | # |
| 156 | # 1. install qcg grid-mapfile generator |
| 157 | # |
| 158 | yum install qcg-gridmapfilegenerator |
| 159 | # |
| 160 | # 2. configure gridmapfilegenerator - remember to change |
| 161 | # * url property to your local ldap replica |
| 162 | # * search base |
| 163 | # * filter expression |
| 164 | # * security context |
| 165 | vim /opt/plgrid/qcg/etc/qcg-comp/plggridmapfilegenerator.conf |
| 166 | # |
| 167 | # 3. run the gridmapfile generator in order to generate gridmapfile now |
| 168 | # |
| 169 | /opt/plgrid/qcg/sbin/qcg-gridmapfilegenerator.sh |
| 170 | }}} |
| 171 | }}} |
| 172 | |
| 173 | After installing and running this tool one can find three files: |
| 174 | * /etc/grid-security/grid-mapfile.local - here you can put a list of DNs and local Unix account names that will be merged with the data acquired from the local LDAP server |
| 175 | * /etc/grid-security/grid-mapfile.deny - here you can put a list of DNs (only DNs!) to which you want to deny access to the QCG-Computing service |
| 176 | * /etc/grid-security/grid-mapfile - the final gridmap file generated using the above two files and the information available in the local LDAP server. Do not edit this file as it is generated automatically! |
| 177 | |
| 178 | This gridmapfile generator script is run every 10 minutes. Moreover, it issues `su - $USERNAME -c 'true' > /dev/null` for every new user that does not yet have a home directory (thus triggering pam_mkhomedir if installed). |
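
Because the final `grid-mapfile` is regenerated automatically, it is worth auditing the result against `grid-mapfile.deny`. The following is an added example, not part of the QCG tooling: it parses the `"DN" account` entry form shown above and reports malformed lines, denied DNs that are still mapped, and DNs mapped to a privileged account. The function names, the sample DNs, the `forbidden` account list and the tolerance for quoted DNs in the deny file are assumptions.

```python
import re

# Entry form used by the tutorial's echo line: "DN" account[,account...]
ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')

def parse_gridmap(text):
    """Return ({dn: [accounts]}, [malformed line numbers]); blanks and '#' lines are skipped."""
    entries, malformed = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            entries.setdefault(m.group(1), []).extend(m.group(2).split(","))
        else:
            malformed.append(n)  # e.g. an unquoted DN containing spaces
    return entries, malformed

def parse_deny(text):
    """One DN per line; surrounding quotes are tolerated (assumption)."""
    return {l.strip().strip('"') for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def audit(gridmap_text, deny_text, forbidden=("root",)):
    """Return a list of human-readable findings; an empty list means no issue found."""
    entries, malformed = parse_gridmap(gridmap_text)
    denied = parse_deny(deny_text)
    findings = [f"line {n}: malformed entry" for n in malformed]
    for dn, accounts in entries.items():
        if dn in denied:
            findings.append(f"denied DN still mapped: {dn}")
        for acct in accounts:
            if acct in forbidden:
                findings.append(f"DN mapped to privileged account {acct}: {dn}")
    return findings

# Constructed sample data (not real DNs or accounts).
SAMPLE_MAP = '''\
"/C=PL/O=GRID/O=Example/CN=Alice Example" plgalice
"/C=PL/O=GRID/O=Example/CN=Bob Example" root
"/C=PL/O=GRID/O=Example/CN=Carol Example" plgcarol
/C=PL/O=GRID/O=Example/CN=Unquoted Dave plgdave
'''
SAMPLE_DENY = "/C=PL/O=GRID/O=Example/CN=Carol Example\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAP, SAMPLE_DENY):
        print(finding)
```

To check a real host, pass the contents of `/etc/grid-security/grid-mapfile` and `/etc/grid-security/grid-mapfile.deny` to `audit()`.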