On Tue, 9 May 2006, Maarten Litmaath wrote:
> Andreas Haupt wrote:
>
> > Hello,
> >
> > I wanted to have an update of how the ops SFTs will be handled in future.
> > When will the ops SFTs overrule the dteam SFTs?
> >
> > There are still some things I'm concerned about:
> >
> > 1. Why does the ops SFT still check for the IGTF CA release 1.1 (and not
> > for the current 1.2)?
> >
> > 2. Everytime the VOMS server hosting the ops VO is not available (seems
> > to be the case again) the DN
> > '/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654' will be mapped to dteamsgm.
>
> Why? The CE mapping is independent of the VOMS server being available:
> the CE does _not_ call the VOMS server.
But the grid-mapfile is generated out of the data it gets from the VOMS
servers. This is the result on my CE after the ops VOMS server has not
been available:
[globe-ce1] ~ # grep 'CN=Piotr Nyczyk 9654' /etc/grid-security/grid-mapfile
"/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654" dteamsgm
This grid-mapfile had been generated before the ops VOMS server became
unavailable:
[root@lcg-ce0 root]# grep 'CN=Piotr Nyczyk 9654' /etc/grid-security/grid-mapfile
"/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654" opssgm
Please note that /opt/edg/etc/edg-mkgridmap.conf is identical on both
hosts. The first VO membership found a VOMS server will be used to match a
dn to a pool account. This is dependend on the order of the entries in
edg-mkgridmap.conf.
A similar problem would appear if I put the dteam VO
before the ops VO in the list of supported VOs in the site-info file
(VOS="dteam ops ...").
Greetings
Andreas
--
| Andreas Haupt | E-Mail: [log in to unmask]
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216
|