I have added the input from Greig to the wiki page and also included the
link to the dCache book page. Any comments?
Cheers,
Mingchao
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Greig Alan Cowan
> Sent: 08 November 2007 07:41
> To: [log in to unmask]
> Subject: Re: A new wiki entry on gridpp (how to ban a user on
> CE, SE and GridFTP)
>
> Mingchao,
>
> I've had a look at the documentation and it is relatively
> simple to use dCache's gPlazma authorization system to ban
> particular DN and VOMS role combinations:
>
> http://www.dcache.org/manuals/Book/ch12s05.shtml
>
> To create a revocation entry, add a line with "-" (without
> quotes) as the username in the
> /etc/grid-security/grid-vorolemap file, i.e.
>
> "/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542"
> "/uscms/production" -
>
> or modify the username of the entry if it already exists. The
> behaviour is undefined if there are two entries which differ
> only by username.
> Since DN is matched first, if a user would be authorized by
> his VO membership through a "*" entry, but is matched
> according to his DN to a revocation entry, authorization
> would be denied. Likewise if a whole VO were denied in a
> revocation entry, but some user in that VO could be mapped to
> a username through his DN, then authorization would be granted.
>
> Could you add this to the wiki page?
>
> Thanks,
> Greig
>
>
> On 07/11/07 17:55, Ma, M (Mingchao) wrote:
> > Hi all,
> >
> > Considering the recent CNAF security incident and last week's RSA768
> > job, it seems that some admins do not know exactly how to
> > ban/blacklist a user on CE, SE or GridFTP. I summed up some tips from
> > the mailing list and created a wiki page on GridPP
> > (https://www.gridpp.ac.uk/wiki/How_to_ban/blacklist_user_on_CE_and_SE).
> > It includes some basic tips on how to ban a user on different services.
> > Please feel free to add/correct it or email me your solution.
> >
> > Cheers,
> >
> > Mingchao
>
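The revocation semantics Greig describes above (exact DN matched before a "*" entry, "-" as username meaning denied, undefined behaviour when two entries differ only by username), modelled as an added Python example. This is an illustration written for this page, not dCache's gPlazma code: the grid-vorolemap fragment is constructed, the file layout (three whitespace-separated fields with the DN and FQAN double-quoted, `#` comments) and exact FQAN matching are assumptions, and only the Timur Perelmutov revocation line is taken from the mail.

```python
import shlex

# Constructed sample of /etc/grid-security/grid-vorolemap (not any real site's file).
# Assumed layout: "<DN or *>" "<FQAN>" <username or ->, with # comment lines.
SAMPLE_VOROLEMAP = '''
# DN                                                        FQAN                 username
"*"                                                         "/uscms/production"  cmsprod
"*"                                                         "/atlas"             atlas001
"/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542"  "/uscms/production"  -
"*"                                                         "/dteam"             -
"/DC=org/DC=example/OU=People/CN=Alice Example 1001"        "/dteam"             dteam007
'''

REVOKED = "-"   # username meaning "deny this DN/FQAN combination"
ANY_DN = "*"    # DN wildcard: any certificate presenting the FQAN


def parse_vorolemap(text):
    """Return a list of (dn, fqan, username) tuples, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)   # keeps the double-quoted DN with spaces as one field
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}: {raw!r}")
        entries.append(tuple(fields))
    return entries


def lookup(entries, dn, fqan):
    """Model of the matching order described in the mail: an entry with this
    exact DN and FQAN wins; only if none exists does a "*" entry for the FQAN
    apply. Returns the mapped username, or None when access is denied."""
    for entry_dn, entry_fqan, username in entries:
        if entry_dn == dn and entry_fqan == fqan:
            return None if username == REVOKED else username
    for entry_dn, entry_fqan, username in entries:
        if entry_dn == ANY_DN and entry_fqan == fqan:
            return None if username == REVOKED else username
    return None   # no matching entry at all: not authorised by this map


def conflicting_entries(entries):
    """Find (DN, FQAN) pairs listed more than once with different usernames.
    The mail says dCache's behaviour is undefined for these, so a site should
    run this check after editing the file rather than rely on either outcome."""
    first = {}
    conflicts = []
    for dn, fqan, username in entries:
        key = (dn, fqan)
        if key in first and first[key] != username:
            conflicts.append((dn, fqan, first[key], username))
        first.setdefault(key, username)
    return conflicts


if __name__ == "__main__":
    entries = parse_vorolemap(SAMPLE_VOROLEMAP)
    timur = "/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542"
    alice = "/DC=org/DC=example/OU=People/CN=Alice Example 1001"
    bob = "/DC=org/DC=example/OU=People/CN=Bob Example 1002"
    for dn, fqan in [(timur, "/uscms/production"), (bob, "/uscms/production"),
                     (alice, "/dteam"), (bob, "/dteam")]:
        print(f"{dn} {fqan} -> {lookup(entries, dn, fqan)}")
    print("conflicts:", conflicting_entries(entries))
```

Running it shows both cases from the mail: Timur's DN is denied for /uscms/production even though the "*" entry would map any other /uscms/production holder to cmsprod, and Alice is mapped to dteam007 even though /dteam as a whole is revoked by the "*" line. Appending a second "*" "/atlas" line with a different username makes `conflicting_entries` report the pair that the mail warns is undefined.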