ENVIRONMENT VARIABLES

LLGT_LOG_FILE

When this variable is set and it can be opened as file, log output will go to the given file instead of to syslog. When either $LCAS_LOG_FILE or $LCMAPS_LOG_FILE is unset, it will also be set to this same file.

LLGT_LOG_FACILITY

Change the default logging facility with the $LLGT_LOG_FACILITY environment variable. Use the name of (standard syslog) facility names. Example: LOG_DAEMON, LOG_LOCAL1, etcetera

LLGT_LOG_IDENT

The $LLGT_LOG_IDENT can (optionally) be set as the Syslog ident value. This will be the identifying string in Syslog for the current process. Not using this option will let Syslog (or one of the GT services) to set these options. By default the Syslog ident will be set to the executable name.

LLGT_RUN_LCAS

Set the environment variable $LLGT_RUN_LCAS to "no", "disabled" or "disable" to avoid LCAS to run prior to the LCMAPS.

There is a matching ./configure option "--enable-lcas" which can be used to change the default behaviour to run LCAS or not. The $LLGT_RUN_LCAS environment variable can still influence the LCAS run.

LLGT_LIFT_PRIVILEGED_PROTECTION

Normally the callout, after LCMAPS has finished, checks whether it is (still) running with root privileges (uid, euid, gid or egid) and fails if that is the case. This is to prevent erroneous configurations to silently result in a root-account mapping in services that do not have their own checks for this.

When the environment variable LLGT_LIFT_PRIVILEGED_PROTECTION is set, this check is disabled. This is NEEDED for services that:

1.) don't user switch, and run as root.

2.) services that expect only a username to be returned and perform the user switch themselves, e.g. the Globus GSI-OpenSSHd.

LLGT_CACHE_CALLOUT

Set the environment variable $LLGT_CACHE_CALLOUT to "no", "disabled" or "disable" to disable reusing the result of the `localname' callout for the `userok' callout. This results in calling the LCAS/LCMAPS authorization twice for e.g. gsisshd.

LLGT_DLCLOSE_LCMAPS

Set the environment variable $LLGT_DLCLOSE_LCMAPS to "no", "disabled" or "disable" to prevent calling dlclose() on the LCMAPS library. This might be needed as a workaround on RH5-based systems in an installation for gsisshd, when the use of PAM is enabled ("UsePAM Yes" in the /etc/gsissh/sshd_config). The underlying bug is a combination between the OpenSSL, VOMS and PAM libraries, which can trigger a segfault when VOMS is initialized twice.

LLGT_DLCLOSE_LCAS

Set the environment variable $LLGT_DLCLOSE_LCAS to "no", "disabled" or "disable" to prevent calling dlclose() on the LCAS library. This might be needed as a workaround on RH5-based systems. The underlying bug is a combination between the OpenSSL, VOMS and Globus libraries, which can trigger a segfault when VOMS is initialized twice, which can happen when LCAS is using a VOMS based plugin. Normally should not be needed as LCAS is now dlclosed and terminated after LCMAPS.

LLGT_NO_CHANGE_USER (deprecated)

Depreciated $LLGT_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Depreciation does not mean non-functional anymore)

LLGT4_NO_CHANGE_USER (deprecated)

Depreciated $LLGT4_NO_CHANGE_USER in favour of $LLGT_LIFT_PRIVILEGED_PROTECTION. (Depreciation does not mean non-functional anymore)

LLGT_VOMS_DISABLE_CREDENTIAL_CHECK

The VOMS credentials are verified by the LCMAPS framework before further processing is done in the plug-ins. The LCMAPS framework has an API to enable or disable the verification of the VOMS credentials and this option will disable the verification of the VOMS credentials. A vanilla LCMAPS build will verify the VOMS credentials by default.

LLGT_VOMS_ENABLE_CREDENTIAL_CHECK

Similar to the $LLGT_VOMS_DISABLE_CREDENTIAL_CHECK environment variable, this setting will enable the verification of the VOMS credentials, overriding the LCMAPS default setting to have the verification of VOMS credentials to be disabled. A vanilla LCMAPS build will verify the VOMS credentials by default, the OSG build has is disabled by default.

LLGT_LCAS_LIBDIR

Support for an alternative LCAS_LIBDIR as a run-time setting by exporting $LLGT_LCAS_LIBDIR="/usr/local/lib/liblcas.so"

LLGT_LCMAPS_LIBDIR

Support for an alternative LCMAPS_LIBDIR as a run-time setting by exporting $LLGT_LCMAPS_LIBDIR="/usr/local/lib/liblcmaps.so"

LLGT_ENABLE_DEBUG

If the $LLGT_ENABLE_DEBUG environment variable is set, then the debugging message logged at level LOG_DEBUG are passed to the log. The scope of this setting is only within the LCAS-LCMAPS-GT-interface