Though it is possible to allow anonymous access to dCache, it is usually
desirable to authenticate users. The user then has to connect to one of
the different doors (e.g., GridFTP door, dCap door) and log in with
credentials that prove his identity. These credentials usually are X.509
certificates, but dCache also supports username/password and Kerberos
authentication.

The door collects the credential information from the user and sends a
login request to the configured authorization service (in most cases this
is gPlazma and we will go on assuming it is). Within gPlazma the
configured plug-ins try to verify the user's identity and determine his
access rights. From this a response is created that is then sent back to
the door. The response may also contain additional user information like
UID, GID and the path to the data directory. While for authentication
usually more global services (e.g., ARGUS) may be used, the mapping to
site specific UIDs has to be configured on a per site basis. Both
versions of gPlazma come with several plug-ins. Their configuration is
described in the section called “Configuration files”.
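The login flow described above, as a simplified model added here for illustration; it is not dCache or gPlazma code. The plug-in functions, the LoginReply type and all sample data are hypothetical, and the X.509 plug-in assumes the certificate chain has already been validated and only looks up the subject DN.

```python
import hashlib
import hmac
from dataclasses import dataclass

class LoginDenied(Exception):
    """No plug-in verified the identity, or the site has no mapping for it."""

@dataclass(frozen=True)
class LoginReply:  # what the door receives back
    uid: int
    gid: int
    data_dir: str

def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

# Constructed sample data: DNs, accounts, IDs and the password are invented.
KNOWN_DNS = {"/O=Example/CN=Alice": "alice", "/O=Example/CN=Bob": "bob"}
PASSWORD_HASHES = {"carol": _kdf("constructed-secret")}
SITE_ACCOUNTS = {"alice": LoginReply(1001, 1001, "/data/alice"),
                 "carol": LoginReply(1003, 1003, "/data/carol")}

def x509_plugin(cred: dict):
    """Return the user name for a known certificate subject DN, else None."""
    if cred.get("type") != "x509":
        return None
    return KNOWN_DNS.get(cred.get("dn"))

def password_plugin(cred: dict):
    """Return the user name if the password matches the stored hash, else None."""
    if cred.get("type") != "password":
        return None
    stored = PASSWORD_HASHES.get(cred.get("user"))
    supplied = _kdf(str(cred.get("password", "")))
    return cred["user"] if stored and hmac.compare_digest(stored, supplied) else None

def login(cred: dict, plugins=(x509_plugin, password_plugin), site_map=SITE_ACCOUNTS):
    """Handle one login request from a door; return LoginReply or raise LoginDenied."""
    user = next((u for u in (plugin(cred) for plugin in plugins) if u), None)
    if user is None:
        raise LoginDenied("identity not verified by any plug-in")
    reply = site_map.get(user)
    if reply is None:
        # Verified identity but no site-specific UID/GID: deny rather than default.
        raise LoginDenied(f"no site mapping for {user!r}")
    return reply
```

In this model Bob authenticates successfully but is still refused, because the site has no UID/GID mapping for him.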