Adding the DN directly gives a VOMS plugin error. From the CE's globus-gatekeeper log:
LCAS 1: Initialization LCAS version 1.3.7
allowing empty credentials
LCAS 2: LCAS authorization request
LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
LCAS 0: lcas_plugin_voms-plugin_confirm_authorization_from_x509(): VOMS Signature error (failure)!
LCAS 0: 2009-04-02.18:56:13 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin failed
LCAS 0: lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_voms.mod
LCAS 0: lcas.mod-lcas_run_va(): failed
LCAS failed authorization.
Failure in LCAS Authorization
Failure: globus_gss_assist_gridmap() failed authorization. globus_gss_assist: Error invoking callout
globus_callout_module: The callout returned an error
an unknown error occurred
To me it sounds like it still requires some additional config for the VO's VOMS server. But where and what?
YT, Ivan
> -----Original Message-----
> From: LHC Computer Grid - Rollout
> [mailto:[log in to unmask]] On Behalf Of Burke, S (Stephen)
> Sent: 2 April 2009 18:49
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] adding a particular DN without enabling whole VO on lcg-CE?
>
> LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Ivan Degtyarenko said:
> > is there a chance to authorize a particular DN on the lcg-CE
> > without enabling a whole VO?
> >
> > Simply adding the DN to the CE's grid-mapfile does not work.
>
> What do you mean by "does not work"? For job matching you will also have
> to publish the DN in the AccessControlBaseRule in the information system
> - I think that's still supported, although it may not have been tested
> for some time.
>
> Stephen