Provided by: xrootd-voms-plugins_5.6.9-2_amd64

NAME

       libXrdVoms - XRootD plug-in to extract VOMS attributes

SYNOPSIS

       sec.protparm gsi -vomsfun:libXrdVoms.so
       sec.protparm gsi -vomsfunparms:options

DESCRIPTION

       The libXrdVoms plug-in provides an implementation of the

       int XrdSecgsiVOMSFun(XrdSecEntity &ent)
       int XrdSecgsiVOMSInit(const char *cfg)

       functions  making use of the official VOMS API libraries to validate and extract the VOMS attributes from
       a VOMS proxy.

OPTIONS

       The following options are available:

       certfmt={raw,pem,x509}
         Certificate format: raw to be used with XrdCrypto tools; pem PEM base64  format  (as  in  cert  files);
         x509, as a STACK_OF(X509). Default: raw.

       grpopt=opt
         Defines  how  to use the group names information; opt is defined as sel * 10 + which, with sel either 0
         (consider all the groups present in the VOMS extension) or 1 (select among those  groups  specified  by
         the grps option; see below); which can be either 0 (take the first one) or 1 (take the last) or 2 (take
         all, comma separated, and create a vertically sliced tuple; see NOTES below).

       grps=grp1[,grp2,...]
         Group(s) for which the information is extracted; if specified, the grpopt sel is set to 1 regardless of
         the setting; see NOTES below.

       vos=vo1[,vo2,...]
         VOs to be considered; the first match is taken; see NOTES below.

       grpfmt=fmtstring, rolefmt=fmtstring, vofmt=fmtstring
         String  to be used to format the content of XrdSecEntity::grps, XrdSecEntity::role, XrdSecEntity::vorg,
         respectively.  These strings are optional and by default they are empty.
         Recognized place holders in the above format strings:

            <r>: role
            <g>: group
            <vo>: VO
            <an>: Fully Qualified Attribute Name

         For example, rolefmt=<g>|grpfmt=<r>|vofmt="<vo> <an>" will swap the group and role, and will add a
         space and the FQAN in the vorg field of XrdSecEntity.

       dbg
         Force verbose mode.

       Multiple options can be specified separated by '|'.

NOTES

       Specifying the grps or vos options forces a failure if the requested group and/or VO is not found. In
       this regard, this plug-in may act as a sort of authorization filter. Note that more refined authorization
       based on VOMS information may be achieved using the libXrdSecgsiAuthzVO plug-in distributed with XRootD.

       Option 'all' for the group selection (which=2) will generate a vertically sliced tuple including VO,
       group and role fields. For example, the following VOMS attributes

       attribute : /atlas/de/Role=production/Capability=NULL
       attribute : /atlas/de/Role=NULL/Capability=NULL
       attribute : /atlas/Role=NULL/Capability=NULL

       would result in the following content in the XrdSecEntity fields:

       vorg: atlas atlas atlas
       grps: /atlas/de /atlas/de /atlas
       role: production NULL NULL

       The default XrdAcc will take its decision by checking in turn the triplets obtained by slicing this
       tuple vertically.
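
       The selection described under grpopt, grps and vos, and the tuple shown above, as an added example: a
       simplified C++ model, not the plug-in's source code. Entity, splitFqan and selectAttrs are hypothetical
       names; taking the VO from the first path component, exact group matching, and the space separator
       (copied from the sample output above) are assumptions.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

using Strs = std::vector<std::string>;
struct Entity { std::string vorg, grps, role; };  // models XrdSecEntity fields; not plug-in code
// Split an FQAN such as /atlas/de/Role=production/Capability=NULL.
// Assumption: the VO name is the first path component of the group.
static bool splitFqan(const std::string &fqan, Entity &e) {
    auto r = fqan.find("/Role="), c = fqan.find("/Capability=");
    if (fqan.empty() || fqan[0] != '/' || r == std::string::npos || r == 0) return false;
    e.grps = fqan.substr(0, r);
    e.role = fqan.substr(r + 6, c == std::string::npos ? c : c - (r + 6));
    e.vorg = e.grps.substr(1, e.grps.find('/', 1) - 1);
    return true;
}

// Returns 0 on success, -1 when no attribute survives the vos/grps filters.
int selectAttrs(const Strs &fqans, int grpopt, const Strs &grps, const Strs &vos, Entity &ent) {
    int which = grpopt % 10;  // 0 = first, 1 = last, 2 = all; a non-empty grps implies sel = 1
    auto has = [](const Strs &v, const std::string &s) { return std::count(v.begin(), v.end(), s) > 0; };
    std::vector<Entity> rows;
    for (const auto &f : fqans) {
        Entity e;
        if (!splitFqan(f, e)) continue;
        if (!vos.empty() && !has(vos, e.vorg)) continue;    // VO not in the vos list
        if (!grps.empty() && !has(grps, e.grps)) continue;  // assumption: exact group match
        rows.push_back(e);
    }
    if (rows.empty()) return -1;  // requested VO/group not found: the filter case from NOTES
    if (which == 0) rows.resize(1);
    else if (which == 1) rows.erase(rows.begin(), rows.end() - 1);
    ent = Entity{};
    for (const auto &e : rows) {  // position i of each field forms one (vo, group, role) triplet
        const char *sep = ent.vorg.empty() ? "" : " ";
        ent.vorg += sep + e.vorg;
        ent.grps += sep + e.grps;
        ent.role += sep + e.role;
    }
    return 0;
}

int main() {  // constructed input: the three attributes listed in NOTES, with which=2
    Entity e;
    selectAttrs({"/atlas/de/Role=production/Capability=NULL", "/atlas/de/Role=NULL/Capability=NULL",
                 "/atlas/Role=NULL/Capability=NULL"}, 2, {}, {}, e);
    std::cout << "vorg: " << e.vorg << "\ngrps: " << e.grps << "\nrole: " << e.role << "\n";
}
```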

EXAMPLES

       The following example shows how to configure the plugin to select VO=cms, select the first group, use
       the PEM format for the proxy and switch on debugging; it also shows how to specify multiple options,
       either on the same line or on multiple lines.

            sec.protparm gsi -vomsfun:libXrdVoms.so
            sec.protparm gsi -vomsfunparms:grpopt=0|vos=cms|certfmt=pem
            sec.protparm gsi -vomsfunparms:dbg

FILES

       The plug-in files are
       lib64/libXrdVoms-4.so (or lib/libXrdVoms-4.so)
       include/xrootd/private/XrdVoms/XrdVoms.hh

       and are typically available under /usr.

ENVIRONMENT

       The environment variable X509_VOMS_DIR must be set to a valid directory; this is typically
       /etc/grid-security/vomsdir.

DIAGNOSTICS

       The libXrdVoms plug-in requires libvomsapi.so and the openssl libraries. In case of load failure  it  may
       be useful to check with ldd if all the required dependencies are correctly resolved.

LICENSE

       LGPL; see http://www.gnu.org/licenses/.

AUTHOR AND SUPPORT

       The libXrdVoms plug-in has been implemented by Gerardo Ganis (Gerardo.Ganis@cern.ch). Any request for
       support should be addressed via the project main web site
                                           https://github.com/gganis/vomsxrd

       or via the XRootD support site
                                           https://github.com/xrootd/xrootd

                                                     v5.6.9                                        libXrdVoms(1)