 |
 |
On Tue, 9 May 2006, Maarten Litmaath wrote: > Andreas Haupt wrote: > > > Hello, > > > > I wanted to have an update of how the ops SFTs will be handled in future. > > When will the ops SFTs overrule the dteam SFTs? > > > > There are still some things I'm concerned about: > > > > 1. Why does the ops SFT still check for the IGTF CA release 1.1 (and not > > for the current 1.2)? > > > > 2. Everytime the VOMS server hosting the ops VO is not available (seems > > to be the case again) the DN > > '/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654' will be mapped to dteamsgm. > > Why? The CE mapping is independent of the VOMS server being available: > the CE does _not_ call the VOMS server. But the grid-mapfile is generated out of the data it gets from the VOMS servers. This is the result on my CE after the ops VOMS server has not been available: [globe-ce1] ~ # grep 'CN=Piotr Nyczyk 9654' /etc/grid-security/grid-mapfile "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654" dteamsgm This grid-mapfile had been generated before the ops VOMS server became unavailable: [root@lcg-ce0 root]# grep 'CN=Piotr Nyczyk 9654' /etc/grid-security/grid-mapfile "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 9654" opssgm Please note that /opt/edg/etc/edg-mkgridmap.conf is identical on both hosts. The first VO membership found a VOMS server will be used to match a dn to a pool account. This is dependend on the order of the entries in edg-mkgridmap.conf. A similar problem would appear if I put the dteam VO before the ops VO in the list of supported VOs in the site-info file (VOS="dteam ops ..."). Greetings Andreas -- | Andreas Haupt | E-Mail: [log in to unmask] | DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt | Platanenallee 6 | Phone: +49/33762/7-7359 | D-15738 Zeuthen | Fax: +49/33762/7-7216