Hi Yves,
> I want to set up VOMS mapping, and I am running into the following
> problem:
>
> - voms-proxy --voms desy:/desy
> and /desy is configured in /opt/edg/etc/lcmaps/[grid,group]mapfile
> -> mapping to desy pool group, all fine
>
> - voms-proxy-init --voms desy:/desy/Role=lcgadmin
> -> mapping to desysm as defined in the lcmaps files.
>
> - voms-proxy --voms desy:/desy/test
> and /desy/test not configured at the CE (I am however a member of that
> group in the DESY voms server.)
> -> VOMS mapping ignored, instead etc/grid-security/grid-mapfile applied

Indeed: the primary FQAN in your VOMS proxy _must_ match a pattern in the
LCMAPS grid- and groupmapfile.

The idea is that you potentially asked for special privileges (e.g. sgm
or prd), so the service must not silently map you to an ordinary account.
Instead it must signal that your primary FQAN is not supported (usually
this means the service has not been configured correctly).

So, to allow for "/desy/test" you either need to have explicit patterns
for that, or you can define a wildcard as you did.

> I can enter a catch-all line in ..../lcmaps/[grid,group]mapfile like
> "/VO=desy/GROUP=/desy/*" atlas (atlas just for testing purposes).
>
> Now, the following works correctly:
> - voms-proxy --voms desy:/desy/test
> -> mapped to an atlas pool account, as specified
>
> while the following fails:
> - voms-proxy-init --voms desy:/desy/Role=lcgadmin
> -> also mapped to an atlas pool account
>
> Please find the relevant information from the config files below.
>
> Am I doing something wrong in my configuration?
> Do other people see this behaviour?
>
>
> Thanks for any help!
>
> Best
>
> Yves
>
>
>
>>grep desy /opt/edg/etc/lcmaps/gridmapfile
>
> "/VO=desy/GROUP=/desy/ROLE=lcgadmin/Capability=NULL" desysm
> "/VO=desy/GROUP=/desy/ROLE=lcgadmin" desysm
> "/VO=desy/GROUP=/desy/ROLE=production/Capability=NULL" desypr
> "/VO=desy/GROUP=/desy/ROLE=production" desypr
> "/VO=desy/GROUP=/desy/Role=NULL/Capability=NULL" .desy
> "/VO=desy/GROUP=/desy" .desy
> #"/VO=desy/GROUP=/desy/*" .atlas
>
>
>>grep desy /opt/edg/etc/lcmaps/groupmapfile
>
> "/VO=desy/GROUP=/desy/ROLE=lcgadmin/Capability=NULL" desy
> "/VO=desy/GROUP=/desy/ROLE=lcgadmin" desy
> "/VO=desy/GROUP=/desy/ROLE=production/Capability=NULL" desy
> "/VO=desy/GROUP=/desy/ROLE=production" desy
> "/VO=desy/GROUP=/desy/Role=NULL/Capability=NULL" desy
> "/VO=desy/GROUP=/desy" desy
> #"/VO=desy/GROUP=/desy/*" atlas
>
>
> --------------------------------------------
> Yves Kemp
> Desy IT 2b/312
> Fon: +49-(0)40-8998-2318 Notkestr. 85
> Fax: +49-(0)40-8994-2318 D-22607 Hamburg
> --------------------------------------------