Grid User Management System (GUMS)

From SURAgrid
Latest revision as of 11:50, 29 June 2011

The documentation for GUMS is a bit sketchy. While GUMS is quite useful, there still seems to be some black magic involved in making it work.


Reference

OSG Documentation: Install, Configure, and Manage GUMS

Install GUMS on a standalone (virtual) server. GUMS listens on port 8443, so it will collide with SRM and/or GRAM4 services if you try to cut corners and share a host. It's also a good idea to harden this server and lock down all ports with iptables, since GUMS effectively controls who gets access to your resource.

Install certs into /etc/grid-security/host{cert,key}.pem and /etc/grid-security/http/http{cert,key}.pem.
Install pacman.
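Before starting the services it pays to verify that each certificate/key pair is actually usable, because a mismatched or over-permissive key only surfaces later as an opaque SSL failure in Tomcat or Apache. The check below is an added example (not part of the original page or of the GUMS/VDT distribution); it assumes the openssl command-line tool is in PATH, and the self-signed pair it generates for the demonstration is constructed, not a real CA-issued host certificate.

```shell
#!/bin/sh
# check_grid_pair CERT KEY
#   Returns 0 when the pair is usable by a grid service, 1 otherwise.
#   Checks: both files readable, key not group/world accessible,
#   key modulus matches the certificate, certificate not expired.
#   Needs the openssl command-line tool (assumed to be in PATH).
check_grid_pair() {
    cert="$1"; key="$2"
    [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }

    # Group/other bits of the key are columns 5-10 of "ls -l" output.
    # Anything other than "------" means someone besides the owner can read it.
    mode=$(ls -l "$key" | cut -c5-10)
    case "$mode" in
        ------) ;;
        *) echo "key $key is readable by group/others (perm bits: $mode)" >&2; return 1 ;;
    esac

    # A key that does not belong to the cert shows up later as an opaque
    # SSL handshake failure in Tomcat/Apache, so compare RSA moduli now.
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    kmod=$(openssl rsa  -in "$key"  -noout -modulus 2>/dev/null)
    if [ -z "$cmod" ] || [ "$cmod" != "$kmod" ]; then
        echo "key $key does not match certificate $cert" >&2
        return 1
    fi

    # -checkend 0 exits non-zero once the certificate has expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate $cert has expired" >&2
        return 1
    fi

    echo "ok: $(openssl x509 -in "$cert" -noout -subject)"
}

# make_demo_pair
#   Writes a throw-away self-signed pair (constructed for this example,
#   not a real CA-issued host certificate) into a temp dir and prints the dir.
make_demo_pair() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" \
        -keyout "$dir/hostkey.pem" -out "$dir/hostcert.pem" >/dev/null 2>&1
    chmod 0400 "$dir/hostkey.pem"
    chmod 0644 "$dir/hostcert.pem"
    echo "$dir"
}

# Demonstration run; on the real host call it on the installed files instead:
#   check_grid_pair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
#   check_grid_pair /etc/grid-security/http/httpcert.pem /etc/grid-security/http/httpkey.pem
demo=$(make_demo_pair)
check_grid_pair "$demo/hostcert.pem" "$demo/hostkey.pem"
rm -rf "$demo"
```

Run it once for the host pair and once for the http pair; when you later switch the services to the gums user (see below), re-run it as that user so the readability check reflects the account that will actually open the key.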

mkdir /usr/local/osg-gums
cd /usr/local/osg-gums
export INSTALL_DIR=/usr/local/osg-gums
pacman -get http://software.grid.iu.edu/osg-1.2:gums
source setup.sh
vdt-post-install
vdt/setup/configure_mysql  --version 5 -root passwd_for_mysql
(the MySQL root password given here lands in your shell history and, while the script runs, in the process list; remove the history entry afterwards)
vdt-ca-manage setupca --location root --url osg
Setting up CA Certificates for VDT installation at '/usr/local/osg-gums'
CA Certificates will be installed into /etc/grid-security/certificates
vdt-control --enable fetch-crl
vdt-control --enable vdt-update-certs
vdt-control --enable vdt-rotate-logs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
vdt-control --on

====> RUNNING AS NON-ROOT USER? READ ON. <====
vdt-control --off
Create gums user and gums group with HOME=/usr/local/osg-gums
chown -R gums:gums /usr/local/osg-gums /etc/grid-security/certificates
(Tomcat runs as gums, so it must also be able to read /etc/grid-security/http/http{cert,key}.pem; chown those to gums as well and keep the key at mode 0400.)
echo ". /usr/local/osg-gums/setup.sh" > /usr/local/osg-gums/.profile
Edit apache/conf/httpd.conf apache/conf/extra/httpd-ssl.conf
change ServerAdmin to valid e-mail.
change ServerName to current hostname.
Create /etc/init.d/vdt
Start: daemon -u gums vdt-control --on --non-root
Stop: su - gums -c "vdt-control --off --non-root"
chkconfig vdt on
Edit your firewall rules so that port 8443 is reachable only from your CE and SE.
Consider locking down SSH to your admin network as well.
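As an added example (not from the page or the OSG documentation), here is a small shell function that writes such a ruleset in iptables-restore format, plus a helper to review which hosts it admits to 8443. The addresses in the demonstration call are placeholders from the documentation ranges, not real hosts; the "-m state" match is the syntax iptables of this era accepts.

```shell
#!/bin/sh
# gums_fw_rules OUTFILE ADMIN_NET HOST [HOST...]
#   Writes an iptables-restore ruleset for a standalone GUMS host:
#   INPUT defaults to DROP, loopback and established flows are allowed,
#   SSH only from ADMIN_NET, and 8443 (Tomcat/GUMS) only from the listed
#   CE/SE hosts. OUTPUT stays open so fetch-crl and vdt-update-certs can
#   still reach the CA distribution points. Dropped packets are logged.
gums_fw_rules() {
    out="$1"; admin_net="$2"; shift 2
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
        echo "-A INPUT -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT"
        for h in "$@"; do
            echo "-A INPUT -p tcp -s $h --dport 8443 -m state --state NEW -j ACCEPT"
        done
        echo '-A INPUT -j LOG --log-prefix "gums-fw-drop: " --log-level 4'
        echo 'COMMIT'
    } > "$out"
}

# fw_allowed_8443 FILE
#   Prints the source addresses FILE admits to port 8443, one per line;
#   review this before loading the ruleset.
fw_allowed_8443() {
    awk '/--dport 8443/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }' "$1"
}

# Demonstration with placeholder addresses (documentation ranges, not real
# hosts): admin network 198.51.100.0/24, CE 192.0.2.10, SE 192.0.2.11.
# On a RHEL-style host write to /etc/sysconfig/iptables and load it with
#   iptables-restore < /etc/sysconfig/iptables
rules=$(mktemp)
gums_fw_rules "$rules" 198.51.100.0/24 192.0.2.10 192.0.2.11
fw_allowed_8443 "$rules"
rm -f "$rules"
```

Keep the CE/SE list explicit rather than opening 8443 to the campus network: every host that can reach that port can ask GUMS for account mappings.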
Add your DN so you can administer GUMS:
su - gums
cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/scripts

./gums-add-mysql-admin "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "your DN"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password (or hit enter if you didn't set one up)
Enter password: your mysql password for root

Replace the default config with the OSG config
--or--
create a custom SURAgrid-only config.

cd $VDT_LOCATION/tomcat/v55/webapps/gums/WEB-INF/config
cp -p gums.config gums.config.sav

Edit gums.config
add a <vomsserver> definition for the TTU VOMS server:
https://voms.hpcc.ttu.edu:8443/voms/suragrid/services
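For reference, an element of the shape GUMS expects for this (added here, not copied from the page): the attribute names are as I recall them from the OSG-distributed gums.config template, so compare against the default entries in the gums.config you just saved before relying on them; the description text is a placeholder.

```xml
<vomsServer
    name='SURAgrid'
    description='SURAgrid VOMS at TTU'
    baseUrl='https://voms.hpcc.ttu.edu:8443/voms/suragrid/services'
    sslCertfile='/etc/grid-security/http/httpcert.pem'
    sslKey='/etc/grid-security/http/httpkey.pem'
    sslCAFiles='/etc/grid-security/certificates/*.0'
    persistenceFactory='mysql'/>
```

The name you give here is what the VOMS Server pulldown offers when you create the voms-type user group below. sslCAFiles decides which CAs GUMS trusts when it pulls membership lists from that server, so point it at the bundle vdt-ca-manage installed and nothing broader.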

Configuration via Web Interface

Connect to https://yourhost.edu:8443/gums with Firefox. GUMS authenticates the web interface by client certificate, so the browser must have your personal certificate (the admin DN you added above) loaded.
Create a local account mapper so you can manually map accounts in GUMS.
[Click Account Mappers]
<add>
 Name: localMapper
 Description: Manual Local Account Mapper
 Type: manual
 Persistence Factory: mysql
<save>
Now add a local user to the mapper.
[Manual Account Mappings]
<add>

 DN: some DN
 Account Mapper: localMapper
 Account: username of local account
 <save>

Create a new User Group.
[User Groups]
<add>
 Name: local
 Description: Local Users
 Type: manual
 Persistence Factory: mysql
 Members URI: blank
 Non-members URI: blank

 GUMS Access: read self
 <save>
Add local user to local group.
[Manual User Group Members]
<add>
 User group: local
 DN: their DN
 FQAN: blank for now
 email: their email

 <save>
[Group To Account Mappings]
<add>
 Name: localGroupToAccountMapping
 Description: Local Group to Account Mapping
 User Group(s): local
 Account Mapper(s): localMapper
 Accounting VO Subgroup: blank
 Accounting VO: blank
 <save>

[Host To Group Mappings]
 Click <edit> next to the only mapping.
 Hosts: leave as is
 Description: optional
 Group to Account Mapping(s): localGroupToAccountMapping in 2nd pulldown
 <save>
Check the user mapping:
[Map Account to Grid Identity(s)]
 Enter the username you mapped above.
 <map account>

Check the other direction:
[Map Grid Identity to Account]
 DN for service: /DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu
 DN for user: their DN
 VOMS FQAN for user: blank for now
 <map user>
 The manual user mapping should show up.
Test the SURAgrid VOMS:
[User Groups]
<add>
 Name: SURAgridGroup
 Description: Group for SURAgrid users from VOMS
 Type: voms
 VOMS Server: SURAgrid
 Remainder URL: blank for now

 Accept non-VOMS certificates: true
 Match VOMS certificate's FQAN as: ignore
 VO/Group: blank
 Role: blank
 GUMS Access: read self
 <save>
[Account Mappers]
<add>
 Name: suraPoolMapper
 Description: Map DNs from SURAgrid VOMS to local pool suraNNN accounts
 Type: pool
 Pool Name / Groups: SURA
 Persistence Factory: mysql
 <save>

[Manage Pool Accounts]
 Account Pool Mapper: suraPoolMapper
 Account Pool: SURA
 Range: sura000-020  # Create these in /etc/passwd, LDAP, NIS, etc
 <add>
[Group To Account Mappings]
<add>
 Name: suraGroupToAccountMapping
 Description: Map SURA Group to Accounts
 User Group(s): SURAgridGroup
 Account Mapper(s): suraPoolMapper
 Accounting VO Subgroup: SURAgrid ???
 Accounting VO: SURAgrid
 <save>
[Host To Group Mappings]
 <Edit> Group To Account Mapping(s):
 <add> suraGroupToAccountMapping
 <save>

[Generate Grid-Mapfile]
 This walks every DN in the mapped groups and assigns pool accounts as it goes, so run it only when you mean to consume those pool slots.
 <generate grid-mapfile>
[Generate Email-Mapfile]
 shows DN, local username, e-mail
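GUMS keeps the DN-to-account bookkeeping, but the pool accounts themselves must exist on every node that honours the mapping, and the pool is finite. The helpers below are an added example rather than anything shipped with GUMS: they expand a range written the way the Manage Pool Accounts form takes it, report which accounts are still missing from a passwd file, and count how much of the pool a generated grid-mapfile has already consumed. The grid-mapfile and passwd excerpts written by make_samples are constructed sample data (the sjohnson account and the Alice/Bob/Carol DNs are placeholders).

```shell
#!/bin/sh
# pool_accounts RANGE
#   Expands a range written the way the GUMS form takes it ("sura000-020")
#   into one account name per line, keeping the zero padding.
pool_accounts() {
    range="$1"
    prefix=$(printf '%s' "$range" | sed 's/[0-9][0-9]*-[0-9][0-9]*$//')
    lo=$(printf '%s' "$range" | sed 's/^.*[^0-9]\([0-9][0-9]*\)-[0-9][0-9]*$/\1/')
    hi=$(printf '%s' "$range" | sed 's/^.*-\([0-9][0-9]*\)$/\1/')
    width=${#lo}
    # Strip leading zeros: "$((020))" is octal in POSIX shells.
    i=$(printf '%s' "$lo" | sed 's/^0*//'); i=${i:-0}
    n=$(printf '%s' "$hi" | sed 's/^0*//'); n=${n:-0}
    fmt="%s%0${width}d\n"
    while [ "$i" -le "$n" ]; do
        printf "$fmt" "$prefix" "$i"
        i=$((i + 1))
    done
}

# missing_accounts PASSWD RANGE
#   Names from RANGE that have no entry in the passwd-format file PASSWD
#   (use /etc/passwd, or a "getent passwd" dump on LDAP/NIS sites).
missing_accounts() {
    passwd="$1"; range="$2"
    pool_accounts "$range" | while read -r name; do
        grep -q "^$name:" "$passwd" || echo "$name"
    done
}

# pool_usage MAPFILE PREFIX
#   Number of grid-mapfile entries already bound to PREFIX* accounts.
#   Lines look like:  "/DC=org/.../CN=Some User 123" sura003
#   and the account is always the last field.
pool_usage() {
    mapfile="$1"; prefix="$2"
    awk -v p="$prefix" '!/^#/ && NF >= 2 && index($NF, p) == 1 { n++ } END { print n + 0 }' "$mapfile"
}

# pool_check MAPFILE RANGE
#   Reports used/total and fails (exit 1) when the pool is exhausted,
#   which is the point at which new VOMS users stop getting an account.
pool_check() {
    mapfile="$1"; range="$2"
    pfx=$(printf '%s' "$range" | sed 's/[0-9][0-9]*-[0-9][0-9]*$//')
    total=$(pool_accounts "$range" | wc -l | tr -d ' ')
    used=$(pool_usage "$mapfile" "$pfx")
    echo "$used of $total $pfx pool accounts assigned"
    [ "$used" -lt "$total" ]
}

# make_samples DIR
#   Writes constructed sample data (placeholder DNs and accounts, not real
#   users) into DIR: a grid-mapfile as GUMS generates it and a passwd excerpt.
make_samples() {
    cat > "$1/grid-mapfile" <<'EOF'
"/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432" sjohnson
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 100001" sura000
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 100002" sura001
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 100003" sura002
EOF
    printf 'sura000:x:5000:5000::/home/sura000:/bin/sh\nsura001:x:5001:5000::/home/sura001:/bin/sh\n' > "$1/passwd"
}

# Demonstration on the sample data; on a real node point these at
# /etc/passwd and the grid-mapfile GUMS generated.
d=$(mktemp -d)
make_samples "$d"
echo "accounts still to create:"; missing_accounts "$d/passwd" sura000-020
pool_check "$d/grid-mapfile" sura000-020
rm -rf "$d"
```

Feed the output of missing_accounts to useradd (or your LDAP/NIS tooling) before you generate the grid-mapfile, and put pool_check in a cron job: a silently exhausted pool looks, from the user's side, exactly like a revoked certificate.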

Optional: Simplify the forms for your site

Edit the _form.jsp files in $VDT_LOCATION/tomcat/v55/webapps/gums/.
Preload your Service DN using
value="/DC=org/DC=doegrids/OU=Services/CN=host.yourdomain.edu" in the <input> HTML tag. 

Client Configuration

Clients are usually configured with the configure-osg command which reads your config.ini file where GUMS is enabled and the gums_host defined.

The file /etc/grid-security/gsi-authz.conf will be created by configure-osg and should contain the following (a single line):

globus_mapping /usr/local/osg/prima/lib/libprima_authz_module_scas_gcc32dbg globus_gridmap_callout

The file /etc/grid-security/prima-authz.conf (also written by configure-osg; it configures the PRIMA callout named above) should contain the following:

imsContact https://yourgums.edu:8443/gums/services/GUMSAuthorizationServicePort
xacmlContact https://yourgums.edu:8443/gums/services/GUMSXACMLAuthorizationServicePort
issuerCertDir  /etc/grid-security/vomsdir
verifyAC false
serviceCert /etc/grid-security/containercert.pem
serviceKey  /etc/grid-security/containerkey.pem
caCertDir   /usr/local/osg/globus/TRUSTED_CA
logLevel    info
samlSchemaDir /usr/local/osg/prima/etc/opensaml/

Testing

On a different system on which you're going to use this GUMS instance for authN/Z, you can test a mapping:

gums-host mapUser -s "/DC=org/DC=doegrids/OU=People/CN=Steve Johnson 737432"
