The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Revision as of 16:40, 5 September 2016 by Larocca (talk | contribs) (→‎Prepare the configuration)


Title: Per-User Sub-Proxy
Document link:
Last modified: 19 May 2015
Policy Group Acronym:
Policy Group Name:
Contact Group:
Document Status: DRAFT
Approved Date:
Procedure Statement: This manual shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate.
Owner: Owner of procedure


The goal of the per-user sub-proxy (PUSP) is to allow identification of the individual users who submit work under a common robot certificate: each user's proxy carries an extra CN component that names the user, so that mapping, banning and accounting can act per user instead of per robot. More information on this feature is on this wiki.

To make this work, a dedicated LCMAPS plugin (lcmaps-plugins-robot, provided by NIKHEF) must be installed. The steps below follow the corresponding guide.


In order to configure the CREAM CE to handle the PUSP, the following steps must be performed.


Note that these are manual changes: if you later reconfigure the service using YAIM or Puppet, the configuration described here will be overwritten and must be reapplied.

Installing the plugin

The installation is very simple:

rpm -ivh

Prepare the configuration

You can add one or more pool-account based mappings to /etc/grid-security/grid-mapfile. The leading dot marks a pool account, and the trailing CN=eToken:* wildcard matches every sub-proxy issued under that robot certificate:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:*" .testvo 

or map single users (identified by the value after CN=eToken:) to fixed accounts:

"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:test" testvo001
"/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera/CN=eToken:testtwo" testvo001

Then glexec.conf must be configured with the following options:

# the user switch will be done by glexec instead of lcmaps
user_identity_switch_by = glexec
# bypass lcas usage, assuming you're running the LCMAPS ban_dn plugin
# use the new mapping policy, which we will write to lcmaps.db
lcmaps_get_account_policy = combi_mapping

Finally, prepare lcmaps.db as follows. The glexec.conf above selects the policy named combi_mapping, so the policy block must carry that name:

path = /usr/lib64/lcmaps

### classic non-PUSP modules

verify_proxy = "lcmaps_verify_proxy.mod"
               " -certdir /etc/grid-security/certificates/"
               " --allow-limited-proxy"

localaccount = "lcmaps_localaccount.mod"
               " -gridmapfile /etc/grid-security/grid-mapfile"

poolaccount = "lcmaps_poolaccount.mod"
              " -override_inconsistency"
              " -gridmapfile /etc/grid-security/grid-mapfile"
              " -gridmapdir /etc/grid-security/gridmapdir"

vomslocalgroup = "lcmaps_voms_localgroup.mod"
                 " -groupmapfile /etc/grid-security/groupmapfile"
                 " -mapmin 0"

vomslocalaccount = "lcmaps_voms_localaccount.mod"
                   " -gridmapfile /etc/grid-security/grid-mapfile"
                   " -use_voms_gid"

vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                  " -gridmapfile /etc/grid-security/grid-mapfile"
                  " -gridmapdir /etc/grid-security/gridmapdir"
                  " -do_not_use_secondary_gids"

### PUSP specific modules

ban_dn = "lcmaps_ban_dn.mod"
         "-banmapfile /etc/grid-security/ban_users.db"

robot_ban_dn = "lcmaps_robot_ban_dn.mod"
               "-banmapfile /etc/grid-security/ban_users.db"

robot_local = "lcmaps_robot_localaccount.mod"
              "-gridmapfile /etc/grid-security/grid-mapfile"

robot_pool = "lcmaps_robot_poolaccount.mod"
             "-gridmapfile /etc/grid-security/grid-mapfile"
             "-gridmapdir /etc/grid-security/gridmapdir/"

### Combined policy

combi_mapping:
    ban_dn -> robot_ban_dn
    robot_ban_dn -> verify_proxy
    verify_proxy -> robot_pool
    ~robot_pool -> robot_local
    ~robot_local -> vomslocalgroup
    vomslocalgroup -> vomspoolaccount | vomslocalaccount

In the policy language a rule "a -> b" runs b when a succeeds, "~a -> b" runs b when a fails, and "b | c" tries c when b fails. Read this way, the chain refuses a banned robot or sub-proxy outright (there is no ~ branch after the two ban modules), verifies the proxy, tries a pool mapping for the sub-proxy first, then a fixed mapping, and only when neither robot module produces a mapping falls back to the classic VOMS-based modules. Since robot_pool is evaluated before robot_local, a user covered by both a CN=eToken:* pool entry and a fixed entry gets a pool account while one is free.


A few modifications are enough to enable PUSP-aware accounting on CREAM. In the file:


the following start tag should be modified like this:

<service id="CREAM service (core2)" dn_filter="/CN=Robot[^/]+/CN=eToken:[^/]+">

adding the dn_filter attribute explicitly, or modifying it if already present. The regular expression matches only subjects of the form "robot DN followed by a CN=eToken:<user> component", so plain (non-PUSP) robot proxies are not affected.
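The effect of the grid-mapfile entries, the ban list, the combi_mapping policy order and the accounting dn_filter can be traced by hand on a small model. The following Python script is an added example written for this page, not code from lcmaps-plugins-robot, glexec or CREAM: it re-implements in plain Python the behaviour a site administrator should expect from the configuration above. It assumes, from the examples and the dn_filter regex, that a PUSP subject is the robot DN followed by one CN=eToken:<user> component and then ordinary proxy components; that the robot pool and local modules consider only dot-prefixed (pool) and fixed entries respectively, as their non-robot counterparts do; and it replaces the gridmapdir leases with an in-memory dictionary. The pool account names and the banned sub-proxy are constructed for the example; the robot DN and the two entry styles are the ones shown on this page.

```python
"""Model of the PUSP mapping chain configured on this page.

Added example, not code from lcmaps-plugins-robot, glexec or CREAM.
Assumptions are marked in comments; sample data is constructed.
"""
import re

# Constructed sample data. The robot DN and the two kinds of grid-mapfile
# entry are taken from the page; the pool account names and the banned
# sub-proxy are made up for the example.
ROBOT_DN = ("/C=IT/O=INFN/OU=Robot/L=Catania"
            "/CN=Robot: Catania Science Gateway - Roberto Barbera")

GRID_MAPFILE = (
    '"' + ROBOT_DN + '/CN=eToken:test" testvo001\n'   # fixed account
    '"' + ROBOT_DN + '/CN=eToken:*" .testvo\n'        # pool account
)
BAN_FILE = '"' + ROBOT_DN + '/CN=eToken:evil"\n'      # one banned sub-proxy
POOL = {".testvo": ["testvo010", "testvo011"]}        # two free pool slots

# The accounting dn_filter from the CREAM configuration above.
DN_FILTER = re.compile(r"/CN=Robot[^/]+/CN=eToken:[^/]+")
ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return [(dn_pattern, account), ...] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        entries.append((m.group(1), m.group(2)))
    return entries


def parse_banfile(text):
    """Return the set of quoted DNs in a ban_users.db-style file."""
    banned = set()
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"', line.strip())
        if m:
            banned.add(m.group(1))
    return banned


def pusp_subject(proxy_subject):
    """Drop trailing proxy components (CN=proxy, CN=limited proxy, CN=<n>)
    so that the robot DN plus its CN=eToken: component remains.
    Assumption: the per-user component directly follows the robot DN."""
    parts = proxy_subject.split("/")[1:]
    while parts and (parts[-1] in ("CN=proxy", "CN=limited proxy")
                     or re.fullmatch(r"CN=\d+", parts[-1])):
        parts.pop()
    return "/" + "/".join(parts)


def is_pusp(subject):
    """True when the subject would be picked up by the accounting dn_filter."""
    return DN_FILTER.search(subject) is not None


def match_entry(pattern, subject):
    """Exact match, or prefix match for a trailing '*' that may only
    swallow the rest of the last component (no further '/')."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return subject.startswith(prefix) and "/" not in subject[len(prefix):]
    return pattern == subject


def lease_pool(pool_name, subject, pool, leases):
    """Hand out the first free account of a pool, or the one already
    leased to this subject. 'leases' stands in for the gridmapdir."""
    if subject in leases:
        return leases[subject]
    taken = set(leases.values())
    for account in pool.get(pool_name, []):
        if account not in taken:
            leases[subject] = account
            return account
    return None  # pool exhausted: the module fails


def map_account(proxy_subject, entries, banned, pool, leases):
    """Walk the combi_mapping policy and return (module, account)."""
    subject = pusp_subject(proxy_subject)
    robot_dn = subject.rsplit("/CN=eToken:", 1)[0] if is_pusp(subject) else subject
    # ban_dn -> robot_ban_dn: no '~' branch, so a banned DN ends the chain.
    if subject in banned or robot_dn in banned:
        return ("banned", None)
    if is_pusp(subject):
        # verify_proxy -> robot_pool: only dot-prefixed (pool) entries count.
        for pattern, account in entries:
            if account.startswith(".") and match_entry(pattern, subject):
                leased = lease_pool(account, subject, pool, leases)
                if leased:
                    return ("robot_pool", leased)
        # ~robot_pool -> robot_local: fixed entries only.
        for pattern, account in entries:
            if not account.startswith(".") and match_entry(pattern, subject):
                return ("robot_local", account)
    # ~robot_local -> vomslocalgroup -> ...: classic VOMS mapping, not modelled.
    return ("voms_fallback", None)
```

Walking a few subjects through map_account with the two-slot pool shows the behaviour the policy order implies: the first two sub-proxies take the pool accounts, a third sub-proxy that also has a fixed entry (eToken:test) still gets testvo001 because "~robot_pool -> robot_local" fires once the pool is exhausted, a sub-proxy with neither kind of entry falls through to the VOMS modules, and a banned sub-proxy never reaches the mapping modules at all. It also shows that, while pool accounts are free, the CN=eToken:* entry wins over a fixed entry for the same user, so the two styles shown on this page are best treated as alternatives.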


After configuring the CREAM CE, make sure the GridFTP server is still working. By default it uses lcas.db and lcmaps.db at their default locations, so it is affected by the changes made to lcmaps.db above; verify that a transfer with a regular (non-PUSP) proxy is still mapped as before.


Main reference for lcmaps-plugins-robot: [1]