Hi,
The SL4 glite3.1 LCG CE works but the file
/var/log/globus-gatekeeper.log
fills with thousands of lines like
LCAS 0: Testing DN against gline_tmp at x0x86dcd38, matching type = 10 ...
LCAS 0: no match
for every authorization attempt. I think this is coming from checking a VOMS
'thing' like '/atlas/ca/Role=NULL/Capability=NULL' against every DN in a
normal grid-mapfile. Does this indicate a misconfiguration, or do I need to
reduce the log level? How?
# cat /opt/glite/etc/lcas/lcas.db
# LCAS database/plugin list
#
# Format of each line:
# pluginname="<name/path of plugin>", pluginargs="<arguments>"
#
pluginname=lcas_userban.mod,pluginargs=ban_users.db
pluginname=lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir/ -certdir /etc/grid-security/certificates/ -authfile /etc/grid-security/grid-mapfile -authformat simple -use_user_dn"
where /etc/grid-security/grid-mapfile has 2000 DNs.
Should this be voms-grid-mapfile with O(10) voms things?
/opt/glite/etc/lcmaps/lcmaps.db is below.
Cheers,
Rod.
# cat /opt/glite/etc/lcmaps/lcmaps.db
# Written by Oscar Koeroo - okoeroo * at * nikhef * dot * nl
# Only for performing VOMS mappings
# where to look for modules
path = /opt/glite/lib/modules
# module definitions
posix_enf = "lcmaps_posix_enf.mod"
" -maxuid 1"
" -maxpgid 1"
" -maxsgid 32"
localaccount = "lcmaps_localaccount.mod"
" -gridmapfile /etc/grid-security/grid-mapfile-local"
poolaccount = "lcmaps_poolaccount.mod"
" -override_inconsistency"
" -gridmapfile /etc/grid-security/grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"
vomslocalgroup = "lcmaps_voms_localgroup.mod"
" -groupmapfile /etc/grid-security/groupmapfile"
" -mapmin 1"
vomslocalaccount = "lcmaps_voms_localaccount.mod"
" -gridmapfile /etc/grid-security/voms-grid-mapfile-local"
" -use_voms_gid"
vomspoolaccount = "lcmaps_voms_poolaccount.mod"
" -gridmapfile /etc/grid-security/voms-grid-mapfile"
" -gridmapdir /etc/grid-security/gridmapdir"
" -override_inconsistency"
# gridftp related code
good = "lcmaps_dummy_good.mod"
verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates/"
" --only-post-verify-checks"
# --only-post-verify-checks
# --allow-limited-proxy
# --max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>
# Sets a maximum lifetime for proxy certificate level <level> where <level>
# can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)
# policies
withvoms:
vomslocalgroup -> vomslocalaccount
vomslocalaccount -> posix_enf | vomspoolaccount
vomspoolaccount -> posix_enf
standard:
localaccount -> posix_enf | poolaccount
poolaccount -> posix_enf
--
Tel. +1 604 222 7667
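
An added example, not part of the original post: a small Python check for the question raised above. It reports which file lcas_voms.mod is given as -authfile and how many of that file's entries are user DNs versus VOMS FQANs. The DN/FQAN heuristic (a DN's first path component contains '=') and the sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs (assumed layout; names and DNs are made up).
SAMPLE_LCAS_DB = '''# LCAS database/plugin list
pluginname=lcas_userban.mod,pluginargs=ban_users.db
pluginname=lcas_voms.mod,pluginargs="-vomsdir /etc/grid-security/vomsdir/ -authfile /etc/grid-security/grid-mapfile -authformat simple -use_user_dn"
'''
SAMPLE_MAPFILE = '''"/C=CA/O=Grid/OU=example.org/CN=Alice Example" .atlas
"/DC=org/DC=example/CN=Bob Example" .atlas
"/atlas/Role=lcgadmin" atlassgm
"/atlas/*" .atlas
'''

PLUGIN_RE = re.compile(r'pluginname=("?)([^",]+)\1\s*,\s*pluginargs=("?)(.*)\3\s*$')
ENTRY_RE = re.compile(r'^"([^"]+)"\s+(\S+)')

def voms_authfile(lcas_db_text):
    """Return the -authfile path passed to lcas_voms.mod, or None."""
    for line in lcas_db_text.splitlines():
        m = PLUGIN_RE.match(line.strip())  # comment lines never match
        if m and m.group(2).endswith("lcas_voms.mod"):
            args = m.group(4).split()
            if "-authfile" in args[:-1]:
                return args[args.index("-authfile") + 1]
    return None

def classify_entry(subject):
    """Heuristic: '/C=..' or '/DC=..' is a DN; '/atlas/..' is a VOMS FQAN."""
    parts = subject.split("/")
    first = parts[1] if len(parts) > 1 else ""
    return "dn" if "=" in first else "fqan"

def count_entries(mapfile_text):
    """Count DN and FQAN subjects among the quoted entries of a mapfile."""
    counts = Counter()
    for line in mapfile_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            counts[classify_entry(m.group(1))] += 1
    return counts

if __name__ == "__main__":
    print("lcas_voms.mod authfile:", voms_authfile(SAMPLE_LCAS_DB))
    print("entry types:", dict(count_entries(SAMPLE_MAPFILE)))
```

To run it against a real CE, replace the two sample strings with the contents of lcas.db and of the file that voms_authfile() returns.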