[gin-auth] VO name change

Oscar Koeroo okoeroo at nikhef.nl
Fri Mar 17 05:19:08 CST 2006


Hi,

Have a look at your DN

/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc

and compare it to:
"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc" .gin.ggf.org

This will never match :-)
Please use only one certificate.

cheers,

	Oscar
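
The comparison described in this message, as an added example that is not part of the original e-mail: it splits the two DN strings quoted above into label/value pairs and reports the first pair that differs, and whether the label or the value is what differs. The function names are hypothetical, and reading the quoted line as a `"DN" mapping` pair is an assumption.

```python
import shlex

def parse_dn(dn):
    """Split a slash-form DN ("/K=V/K=V") into a list of (label, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("expected a DN that starts with '/'")
    rdns = []
    for part in dn[1:].split("/"):
        label, sep, value = part.partition("=")
        if sep:
            rdns.append((label, value))
        elif rdns:
            # No '=' in this piece: the '/' belonged to the previous value.
            prev_label, prev_value = rdns[-1]
            rdns[-1] = (prev_label, prev_value + "/" + part)
        else:
            raise ValueError("malformed DN: %r" % dn)
    return rdns

def dn_from_gridmap(line):
    """Return the quoted DN from a line of the form: "<DN>" <mapping> (assumed layout)."""
    fields = shlex.split(line)
    if len(fields) != 2:
        raise ValueError("expected a quoted DN followed by one mapping field")
    return fields[0]

def first_mismatch(presented, registered):
    """None if the DNs are identical, else (index, kind, presented_rdn, registered_rdn)."""
    a, b = parse_dn(presented), parse_dn(registered)
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if x[1] == y[1]:
            kind = "label"      # same value, different attribute label
        elif x[0] == y[0]:
            kind = "value"      # same label, different value
        else:
            kind = "both"
        return i, kind, x, y
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, "length", (a[i] if i < len(a) else None), (b[i] if i < len(b) else None)
    return None

# Both strings are copied from the thread: the identity printed by
# voms-proxy-init and the quoted line it is compared against.
PRESENTED = "/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc"
REGISTERED_LINE = '"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc" .gin.ggf.org'

if __name__ == "__main__":
    print(first_mismatch(PRESENTED, dn_from_gridmap(REGISTERED_LINE)))
```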



Cindy Zheng wrote:

>Hi, Oscar,
>
>I modified the VO name in the vomses file, but I get
>"user unknown to this VO" when I run voms-proxy-init.
>Did you add SDSC cert files in the new VO server?
>Or did I miss something? Here is the vomses file
>and voms-proxy-init output:
>
>[zhengc@rocks-52 vomsdir]$ cat /opt/glite/etc/vomses/gin.ggf.org
>"gin.ggf.org" "kuiken.nikhef.nl" "15050"
>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>
>[zhengc@rocks-52 vomsdir]$ voms-proxy-init --debug --voms gin.ggf.org
>Detected Globus version: 22
>Unspecified proxy version, settling on Globus version: 2
>Number of bits in key :512
>Using configuration file /opt/glite/etc/vomses
>Using configuration file /opt/glite/etc/vomses
>Files being used:
> CA certificate file: none
> Trusted certificates directory : /etc/grid-security/certificates
> Proxy certificate file : /home/zhengc/.globus/.proxy
> User certificate file: /home/zhengc/.globus/usercert.pem
> User key file: /home/zhengc/.globus/userkey.pem
>Output to /home/zhengc/.globus/.proxy
>Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
>Enter GRID pass phrase:
>Creating temporary proxy to /tmp/tmp_x509up_u502_21548
>.......++++++++++++
>...........................................++++++++++++
> Done
>Contacting  kuiken.nikhef.nl:15050
>[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>Error: gin.ggf.org: User unknown to this VO.
>
>  
>
>>-----Original Message-----
>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org] 
>>On Behalf Of Oscar Koeroo
>>Sent: Tuesday, March 14, 2006 6:09 AM
>>To: gin-auth at ggf.org
>>Subject: [gin-auth] VO name change
>>
>>
>>Hello everybody,
>>
>>The GIN VO name has been changed from 'GIN-GGF-ORG' to 'gin.ggf.org' with
>>the approval of the security area directors to use the ggf.org domain name.
>>All other configurations and registration have stayed persistently.
>>Which means, the same port numbers do apply on the same server with the
>>same certificate.
>>
>>Though the web site has been moved to:
>>https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>
>>The configuration for the vomses file has changed to:
>>
>>"gin.ggf.org" "kuiken.nikhef.nl" "15050" 
>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>
>>And also the legacy support interface for mkgridmap has also 
>>changed with the URL change to:
>>group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org  .gin.ggf.org
>>
>>
>>
>>    Oscar - /gin.ggf.org/Role=VO-Admin
>>
>>
>>Oscar Koeroo wrote:
>>
>>>which means that I'll change the GIN-GGF-ORG VO name to:
>>>"gin.ggf.org"
>>>... if one or both security area directors approve with the change and
>>>use of the "ggf.org" domain as a suffix to the GIN VO.
>>>
>>>   Oscar
>>>
>>>
>>>Von Welch wrote:
>>>
>>>>Works for me.
>>>>
>>>>Von
>>>>
>>>>
>>>>On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>
>>>>>FYI,
>>>>>
>>>>>This was discussed (again) at two consecutive EGEE meetings at CERN
>>>>>last week, ending in the draft text proposed below.
>>>>>
>>>>>/Olle
>>>>>
>>>>>
>>>>>VO Naming
>>>>>---------
>>>>>The VO name is a string, used to represent the VO in all interactions
>>>>>with grid software, such as in expressions of policy and access
>>>>>rights.
>>>>>
>>>>>The VO name MUST be formatted as a subdomain name as specified in
>>>>>RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted
>>>>>name MUST be entitled to the use of this name, when interpreted as a
>>>>>name in the Internet Domain Name System.
>>>>>This entitlement MUST stem either from a direct delegation of the
>>>>>corresponding name in the Domain Name System by an accredited
>>>>>registrar for the next-higher level subdomain, or from a direct
>>>>>delegation of the equivalent name in the Domain Name System by ICANN,
>>>>>or from the consent of the administrative or operational contact of
>>>>>the next-higher equivalent subdomain name for that VO name that itself
>>>>>is registered with such an accredited registrar.
>>>>>
>>>>>Considering that RFC1034 section 3.5 states that both upper case
>>>>>and lower case letters are allowed, but no significance is to be
>>>>>attached to the case, but that today the software handling VO names
>>>>>may still be case sensitive, all VO names MUST be entirely in lower
>>>>>case.
>>>>>
>>>>>          
>>>>>
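
The format rules in the draft text quoted above (RFC 1034 section 3.5 subdomain syntax, entirely lower case), written as a check; this is an added example, not part of the thread or of any VOMS software. The function name and problem strings are hypothetical, and the entitlement to the domain name is not something this code can verify.

```python
import re

# RFC 1034 section 3.5 label: starts with a letter, ends with a letter or
# digit, with letters, digits and hyphens in between.
LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL = 63  # "Labels must be 63 characters or less" (RFC 1034 section 3.5)

def check_vo_name(name):
    """Return a list of format problems; an empty list means the name passes."""
    if not name:
        return ["empty name"]
    problems = []
    # The draft requires lower case because software handling VO names
    # may still compare them case-sensitively.
    if name != name.lower():
        problems.append("contains upper-case letters")
    for label in name.split("."):
        if len(label) > MAX_LABEL:
            problems.append("label %r is longer than 63 characters" % label)
        elif not LABEL.fullmatch(label):
            problems.append("label %r is not a valid RFC 1034 label" % label)
    return problems

if __name__ == "__main__":
    # The old and new VO names from the thread, plus constructed bad inputs.
    for candidate in ("GIN-GGF-ORG", "gin.ggf.org", "gin..ggf.org", "1gin.ggf.org"):
        print(candidate, check_vo_name(candidate) or "ok")
```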
