However, I could not simply reverse the order of the LCMAPS plugins as this would undo all the good which VOMS brings and move everyone back to a single fixed or pool account mapping no matter what their VOMS credentials (this would probably have affected me worse than anyone as I flit between atlas, atlas/Role=production, vo.scotgrid.ac.uk and dteam!).
So, for local users grid-proxy-init seemed to be the way to go, even if I knew this would come back and be a problem later. However, later became earlier as soon as I started to test the gLite-WMS - here it turns out you must use a VOMS proxy. Simple grid proxies just don't work anymore.
Finally, after puzzling over the very poor LCMAPS documentation and staring at the configuration script, I managed to solve the problem by:
- First running a local account plugin against a grid-mapfile which only contains our local user accounts.
- Then running the VOMS plugins as usual.
- Finally, running the grid-mapfile plugin, against the usual /etc/grid-security/grid-mapfile.
And, in the end, I was able to keep myself out of the local user grid-mapfile, so I have the full array of VOMS roles for myself, while the local users are cosily tucked up in their local account areas.
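The plugin order described above, modelled as a first-match chain in Python. This is an added example, not LCMAPS code or the configuration from this post; the DNs, account names, file contents and the exact-match FQAN lookup are simplifying assumptions.

```python
import shlex

def parse_mapfile(text):
    """Parse grid-mapfile style lines: "<quoted DN or FQAN>" <account>."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, account = shlex.split(line)
        entries.setdefault(subject, account)  # first entry for a subject wins
    return entries

# Constructed sample data (hypothetical DNs and accounts).
# A leading dot on the account name marks a pool account.
LOCAL_MAP = parse_mapfile('''
"/C=UK/O=eScience/OU=Example/CN=local user" luser01
''')
VOMS_MAP = parse_mapfile('''
"/atlas/Role=production" atlasprd
"/atlas" .atlas
"/dteam" .dteam
''')
GLOBAL_MAP = parse_mapfile('''
"/C=UK/O=eScience/OU=Example/CN=local user" .atlas
"/C=UK/O=eScience/OU=Example/CN=site admin" .dteam
"/C=UK/O=eScience/OU=Example/CN=plain proxy user" .dteam
''')

def map_credential(dn, fqans=()):
    """Return (stage, account) from the first stage that matches, else None."""
    if dn in LOCAL_MAP:                    # 1. local account plugin, local-only mapfile
        return ("local", LOCAL_MAP[dn])
    for fqan in fqans:                     # 2. VOMS plugins, primary FQAN first
        if fqan in VOMS_MAP:
            return ("voms", VOMS_MAP[fqan])
    if dn in GLOBAL_MAP:                   # 3. usual grid-mapfile as the fallback
        return ("grid-mapfile", GLOBAL_MAP[dn])
    return None                            # nothing matched: no account is assigned
```

Because the local stage runs first, a DN listed in the local mapfile never reaches the VOMS stage, whatever attributes its proxy carries, which is why staying out of that file preserves VOMS role mappings.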