Supported by the National Science Foundation Collaborator: University of Michigan Collaborator: Michigan State University Collaborator: Wayne State University Collaborator: Indiana University

Purpose

Globus can be configured to use CILogon for authentication. After the user authenticates to CILogon via their identity provider, the Globus server receives from CILogon a certificate Distinguished Name (DN) unique to the user. We can then map this DN to a local Unix user.

Typically Globus uses a ‘grid-mapfile’ whose lines each specify a DN-to-username mapping. At one time in OSiRIS we generated this file from the user DNs stored in our LDAP directory. At the time of this writing we use the module described here to look up DNs directly in LDAP and do not use a Globus grid-mapfile.

To store certificate DNs in LDAP we use the voPerson schema and the 389 Directory Server (389 DS). The schema defines many attributes useful for identities in a virtual organization: voperson.org

Set up

Before beginning setup, install Globus by following the Globus installation guide.

To simplify troubleshooting we recommend you have a functional Globus installation before trying to configure and use this module.

The steps below will help guide you to build your LDAP module for use.

  1. Clone https://github.com/MI-OSiRIS/globus-toolkit
    git clone https://github.com/MI-OSiRIS/globus-toolkit
    cd globus-toolkit
  2. Initialize the repository:
    autoreconf -i
    ./configure
  3. Build the LDAP module:
    make globus_gridmap_ldap_callout
  4. Copy the .so file from gsi/gridmap_ldap_callout/.libs/libglobus_gridmap_ldap_callout.so to /usr/local/lib64/ or a location of your choice.
  5. Set the LDAP module configuration (server URL and search base) in /etc/grid-security/gsi-authz.conf:
    globus_mapping  /path/to/libglobus_gridmap_ldap_callout.so globus_gridmap_ldap_callout ENV:LDAP_SERVER="ldaps://ldap.example.org" LDAP_ROOT="ou=People,dc=example,dc=org"
    The module searches LDAP for an entry whose certificate DN attribute matches the DN of the Globus credential.
  6. In the Globus /etc/globus-connect-server.conf, set IdentityMethod to CILogon and AuthorizationMethod to Gridmap:
    IdentityMethod = CILogon
    AuthorizationMethod = Gridmap
  7. If the LDAP module fails to find the CILogon DN, it falls back to the Gridmap authorization defined in the server config file and handled by the usual bundled Globus modules.
  8. If anything had to be changed in the globus-connect-server.conf file, run the 'globus-connect-server-setup' script again.

LDAP Options

Additional optional variables that can be set in the LDAP module configuration line. Note that the bind account only needs read access to the attributes involved, since the module's search query only reads LDAP entries.

  • LDAP_BIND_DN, LDAP_BIND_PASSWORD
    LDAP_BIND_DN is the DN the module binds to the server as, and LDAP_BIND_PASSWORD is its password. If the bind fails, the module falls back to gridmap_lookup.
  • UID_ATTRIBUTE
    The user ID attribute defaults to "uid". This is the attribute whose value the module returns from the LDAP entry it finds through the search query.
  • LDAP_CERT_DN_ATTRIBUTE
    The LDAP certificate DN attribute names the LDAP attribute containing the certificate DN string.
  • LDAP_OBJECT_CLASS
    The LDAP object class defaults to * (matches any object). Setting it limits the search to objects whose objectClass attribute equals the given value.
  • LOGFILE
    The logfile is the path for debugging output; it is not intended for regular use and is overwritten on each invocation of the module.
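To make the lookup in steps 5 through 7 and the options above concrete, here is an added model of what the callout does, written for this page and not taken from the OSiRIS globus-toolkit module: build the search filter from LDAP_OBJECT_CLASS and LDAP_CERT_DN_ATTRIBUTE, return the UID_ATTRIBUTE value of the single matching entry, and otherwise fall back to a grid-mapfile lookup. It runs against a constructed in-memory directory and a constructed grid-mapfile, so it works offline; the entries, DNs and the attribute name voPersonCertificateDN used for the certificate DN are assumptions for the example, not defaults documented here. The one detail worth noting for anyone writing their own callout is the RFC 4515 escaping: a certificate DN can legally contain '(' or ')', and an unescaped '*' would turn the equality match into a presence filter that matches every entry.

```python
"""Added example, not code from the OSiRIS globus-toolkit module: a model of the
lookup the gridmap LDAP callout performs (search by certificate DN, return the
UID attribute, fall back to the grid-mapfile), run against a constructed
in-memory directory so it works offline."""

import re

# Constructed sample directory standing in for the entries under LDAP_ROOT.
# Every DN and name below is made up for this example.
SAMPLE_DIRECTORY = [
    ("uid=alice,ou=People,dc=example,dc=org", {
        "objectClass": ["inetOrgPerson", "voPerson"],
        "uid": ["alice"],
        "voPersonCertificateDN": [
            "/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Example A12345"],
    }),
    ("uid=bob,ou=People,dc=example,dc=org", {
        "objectClass": ["inetOrgPerson", "voPerson"],
        "uid": ["bob"],
        # Parentheses in an O= component: legal in a DN, special in a filter.
        "voPersonCertificateDN": [
            "/DC=org/DC=cilogon/C=US/O=Example University (Main Campus)/CN=Bob Example B67890"],
    }),
]

# Constructed grid-mapfile content for the fallback path ("DN" username lines).
# Carol has no LDAP entry, so only the grid-mapfile knows her.
SAMPLE_GRIDMAP = '''
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Carol Example C24680" carol
'''


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
    Without this, a DN containing '*', '(' or ')' would change the filter's
    meaning instead of being matched literally."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value; used by the stand-in server below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(cert_dn, cert_dn_attribute, object_class="*"):
    """Build the search filter: object class restriction AND certificate DN match.
    '*' for object_class keeps the documented default of matching any object."""
    oc = "*" if object_class == "*" else escape_filter_value(object_class)
    return "(&(objectClass=%s)(%s=%s))" % (oc, cert_dn_attribute, escape_filter_value(cert_dn))


def search(directory, ldap_filter):
    """Stand-in for the LDAP server: evaluate a filter of the exact shape
    build_filter produces against the in-memory directory."""
    m = re.fullmatch(r"\(&\(objectClass=([^()]*)\)\(([^=()]+)=([^()]*)\)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    oc = unescape_filter_value(m.group(1))
    attr, value = m.group(2), unescape_filter_value(m.group(3))
    return [(dn, attrs) for dn, attrs in directory
            if (oc == "*" or oc in attrs.get("objectClass", []))
            and value in attrs.get(attr, [])]


def parse_gridmap(text):
    """Parse grid-mapfile lines of the form "DN" username into a dict."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'^\s*"([^"]+)"\s+(\S+)', line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping


def map_certificate_dn(cert_dn, directory, gridmap, uid_attribute="uid",
                       cert_dn_attribute="voPersonCertificateDN", object_class="*"):
    """Return (local username, source). LDAP is consulted first; exactly one
    hit carrying a UID value is required, otherwise fall back to the
    grid-mapfile the way the callout falls back to gridmap_lookup."""
    hits = search(directory, build_filter(cert_dn, cert_dn_attribute, object_class))
    if len(hits) == 1:
        uids = hits[0][1].get(uid_attribute, [])
        if uids:
            return uids[0], "ldap"
    if cert_dn in gridmap:
        return gridmap[cert_dn], "gridmap"
    return None, "unmapped"


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for dn in ("/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Example A12345",
               "/DC=org/DC=cilogon/C=US/O=Example University (Main Campus)/CN=Bob Example B67890",
               "/DC=org/DC=cilogon/C=US/O=Example University/CN=Carol Example C24680",
               "/DC=org/DC=cilogon/C=US/O=Other University/CN=Nobody N00000"):
        print(dn, "->", map_certificate_dn(dn, SAMPLE_DIRECTORY, gridmap))
```

Run it directly to see each constructed DN resolved to its source (ldap, gridmap or unmapped). The ambiguity rule in map_certificate_dn (more than one LDAP hit is treated as no hit) is a conservative choice for the model; check the module's source for its actual behaviour before relying on it.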

Additional Information

This module has been tested to work with RPM-based installation on RHEL7 (globus-connect-server-4.0.59-1.el7+gt6, globus-gridftp-server-12.19-1.el7+gt6).

The original globus Github repository can be found here.

If you are using CILogon only to authenticate users from your own institution, then you most likely don't need to do this. You can configure Globus to use only a specific identity provider. Globus will then use the unqualified username portion of the EPPN (the username in username@my.edu, without the @my.edu), which will in many cases be the same as what is used to authenticate to campus systems. The configuration described here is targeted at projects needing to map user identities from many institutions.