I ran across this while looking through
    gsi/gss_assist/source/gridmap.c
I haven't verified that any problems actually occur.

The comment block at the top of the
globus_i_gss_assist_gridmap_parse_globusid() function say, in part:

 * Given a pointer to a string containing the globusid from the
 * gridmap file, return a pointer to a string containing the
 * parsed from of the id.
 *
 * Specifically handle backslashed characters - e.g. '\\',
 * '\x4a' or '\37'.

"from" should be "form".

The code appears to handle '\\' (mapping it to a single '\') and '\x4a'
(mapping it to ASCII 'J'), but there doesn't appear to be any code
that would handle '\37'.  What is '\37' supposed to mean?

I was also surprised to learn that the DN doesn't have to be enclosed
in quotation marks as long as it doesn't contain any whitespace,
*and* that anything after the username list is silently ignored.

The code uses fgets() with a 1024-byte buffer to read input lines.
If a line is longer than 1024 characters, the remaining characters 
are left in the input, to be read by the next fgets() call as if
it were a separate line.  I can imagine that this could create
a security hole, though I don't have a specific example of that.
I suggest either discarding any remaining characters on the line,
or treating any line longer than 1024 characters as an error.

I don't see a detailed description of the grid-mapfile syntax in the
on-line documentation.  If there there is one, where can I find it?

One possible problem is that it's easy to assume that '#' can introduce
an end-of-line comment; as far as I can tell, a '#' adjacent to a
username is treated as part of the username.  For example:

    "/O=FOO/OU=BAR/CN=John Doe" jdoe#this is a comment

would map the DN to the username "jdoe#this".  This problem won't 
occur if the '#' is preceded by whitespace.