Globus can be configured to use CILogon for authentication. After the user authenticates to CILogon via their identity provider, the Globus server receives from CILogon a certificate Distinguished Name (DN) unique to that user. We can then map this DN to a local Unix user.
Typically Globus uses a 'grid-mapfile' with lines specifying a DN-to-username mapping. At one time in OSiRIS we generated this file from the user DNs stored in our LDAP directory. At the time of this writing we use the module described here to look up DNs directly in LDAP and do not use a Globus grid-mapfile.
To store certificate DNs in LDAP we use the voPerson schema and the 389 Directory Server (DS389) LDAP server. The schema defines many attributes useful for identities in a virtual organization: voperson.org
Before beginning setup, install Globus by following the Globus installation guide.
To simplify troubleshooting we recommend having a functional Globus installation before trying to configure and use this module.
The steps below guide you through building the LDAP module.
    git clone https://github.com/MI-OSiRIS/globus-toolkit
    cd globus-toolkit
    autoreconf -i
    ./configure
Configure the callout with a globus_mapping line such as the following, pointing at the built shared object and passing the LDAP server and search base in the environment:

    globus_mapping /path/to/libglobus_gridmap_ldap_callout.so globus_gridmap_ldap_callout ENV:LDAP_SERVER="ldaps://ldap.example.org" LDAP_ROOT="ou=People,dc=example,dc=org"

The module queries the certificate DN attribute to find the LDAP entry whose stored certificate DN matches the DN of the Globus credential.
In the Globus Connect Server configuration, set CILogon as the identity method and Gridmap as the authorization method:

    IdentityMethod = CILogon
    AuthorizationMethod = Gridmap

Additional optional variables can be set in the LDAP module config file. Note that only read access to the attributes is required, since the search query only reads LDAP entries.
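The DN lookup described above, and the grid-mapfile lookup it replaces, as an added example in Python (not the module's own C code): it builds the LDAP filter for a credential DN with RFC 4515 escaping, so characters such as '(' ')' '*' or '\' in a certificate subject cannot alter the filter, and requires exactly one matching entry before returning a local user. The attribute name voPersonCertificateDN is taken from the voPerson schema; the sample DNs, directory entries and grid-mapfile contents are constructed.

```python
# Added example (not the OSiRIS callout): LDAP filter construction and
# DN-to-user resolution for a Globus credential DN, plus the grid-mapfile
# lookup this module replaces. Sample identities below are constructed.
from typing import Dict, List, Optional

DN_ATTRIBUTE = "voPersonCertificateDN"   # voPerson schema attribute (assumed)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    out = []
    for b in value.encode("utf-8"):
        # RFC 4515: backslash, '*', '(', ')', NUL and non-ASCII bytes -> \XX
        if b in b"\\*()\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def dn_search_filter(cert_dn: str) -> str:
    """The search filter the callout would send for a credential DN."""
    return "(%s=%s)" % (DN_ATTRIBUTE, escape_filter_value(cert_dn))


def map_dn_via_ldap(cert_dn: str, directory: Dict[str, List[str]]) -> Optional[str]:
    """Stand-in for the LDAP search: 'directory' maps uid -> stored DNs.
    Exactly one entry must match; none or several yields None (no mapping)."""
    matches = [uid for uid, dns in directory.items() if cert_dn in dns]
    return matches[0] if len(matches) == 1 else None


def map_dn_via_gridmap(cert_dn: str, gridmap_text: str) -> Optional[str]:
    """Classic grid-mapfile lookup: each line is "<DN>" user[,user...]."""
    for line in gridmap_text.splitlines():
        line = line.strip()
        if not line.startswith('"'):
            continue                     # blank, comment or malformed line
        end = line.find('"', 1)
        if end < 0:
            continue
        if line[1:end] == cert_dn:
            return line[end + 1:].strip().split(",")[0]  # first user is default
    return None


# Constructed sample data (not real identities).
ALICE_DN = "/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Example A12345"
SAMPLE_DIRECTORY = {"alice": [ALICE_DN], "bob": []}
SAMPLE_GRIDMAP = '# grid-mapfile\n"%s" alice,alice2\n' % ALICE_DN
```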
This module has been tested to work with an RPM-based installation on RHEL7 (globus-connect-server-4.0.59-1.el7+gt6, globus-gridftp-server-12.19-1.el7+gt6).
The original Globus GitHub repository can be found here.
If you are using CILogon only to authenticate users from your own institution, you most likely don't need to do this. You can configure Globus to use only a specific identity provider. Globus will then use the unqualified username portion of the EPPN (the part of email@example.com before the @my.edu suffix), which will in many cases be the same as the username used to authenticate to campus systems. The configuration described here is targeted at projects that need to map user identities from many institutions.