[gin-auth] Re: Nightly cron for DN list dump ?

Oscar Koeroo okoeroo at nikhef.nl
Mon Mar 20 16:35:11 CST 2006


Hi Oxana,

The .gin.ggf.org is the advisory poolaccount name. The prefix for each 
Unix User ID. As published now it is the default output from mkgridmap. 
(dot plus vo-name is poolaccount).
I can see your point though, I'll make this grid-mapfile agnostic to its 
future purpose. It is now the same as your example.

cheers,

    Oscar


ps: Dane, do you think that I earned a coffee somewhere on this tiny 
planet for this work?


Oxana Smirnova wrote:

> Hi Oscar,
>
> that's neat - however, how shall one interpret the ".gin.ggf.org" 
> string? E.g., we use VO lists like
>
> https://www.pdc.kth.se/grid/swegrid-vo/vo.atlas-testusers-vo
>
> which are interpreted by the mkgridmap kind of utility, and as each 
> such list uniquely represents a VO, there's no need to mention the VO 
> name explicitly, right?
>
> Cheers,
> Oxana
>
> Oscar Koeroo wrote:
>
>> Hi Dane and others,
>>
>> I've created a crontab to supply a non-secured grid-mapfile. The 
>> crontab is set to execute every 6 hours of each day to provide the 
>> controlled privilege leak :-)
>> The location is here: http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile
>>
>> I've also written my first RSS file. I hope I have understood the 
>> standard correctly.
>> The feed contains two channels "unsecured_gin.ggf.org" and 
>> "secured_gin.ggf.org". Both have similar settings, but the secured 
>> is using the direct weblink that will be used by the mkgridmap script 
>> to the XML through an HTTPS connection and the other is my 
>> crontab-created grid-mapfile.
>>
>> It seems that Thunderbird has a minor bug. I get two messages there 
>> but both are listed as sent by 'unsecured_gin.ggf.org', clicking on 
>> them works perfectly. The secure connection needs a valid certificate 
>> to mutually authenticate the content of the feed, the default error is 
>> -12229. This is good behaviour :-)
>> ps: I'll not update the secured feed because it is linked to the 
>> direct database list creation method on the VOMS Admin.
>>
>> Comments/improvements are always welcome.
>>
>>
>>    Oscar - your feeding VO-Admin
>>
>>
>>
>> Dane Skow wrote:
>>
>>>
>>> Oscar,
>>>
>>> Would it be possible to set up a nightly cronjob to dump the DN list
>>> from this VOMS server to a webpage someplace? That way anyone who
>>> has not set up the edg-makegridmapfile scripts or equivalent
>>> automata can grab the list and manage the appropriate snippet for
>>> a gridmapfile by hand? That helps lower the bar for bootstrapping
>>> one more notch.
>>>
>>> The UK folks have offered their WIKI server as a headquarters for  
>>> this kind of contributed links. I'll send info (or Stephen will  
>>> directly) with the link soon.
>>>
>>> Double Bonus points if you make the webpage an RSS feed ;-))  (so 
>>> one  can get notice of updates)
>>>
>>> Cheers,
>>> Dane
>>>
>>> On Mar 14, 2006, at 8:09 AM, Oscar Koeroo wrote:
>>>
>>>> Hello everybody,
>>>>
>>>> The GIN VO name has been changed from 'GIN-GGF-ORG' to
>>>> 'gin.ggf.org' with the approval of the security area directors to
>>>> use the ggf.org domain name.
>>>> All other configurations and registration have stayed
>>>> persistently. Which means, the same port numbers do apply on the
>>>> same server with the same certificate.
>>>>
>>>> Though the web site has been moved to:
>>>> https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>>>
>>>> The configuration for the vomses file has changed to:
>>>>
>>>> "gin.ggf.org" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>>>
>>>> And also the legacy support interface for mkgridmap has also  
>>>> changed with the URL change to:
>>>> group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org  .gin.ggf.org
>>>>
>>>>
>>>>
>>>>    Oscar - /gin.ggf.org/Role=VO-Admin
>>>>
>>>>
>>>> Oscar Koeroo wrote:
>>>>
>>>>> which means that I'll change the GIN-GGF-ORG VO name to:        
>>>>> "gin.ggf.org"
>>>>> ... if one or both security area directors approve with the 
>>>>> change  and use of the "ggf.org" domain as a suffix to the GIN VO.
>>>>>
>>>>>    Oscar
>>>>>
>>>>>
>>>>> Von Welch wrote:
>>>>>
>>>>>>
>>>>>> Works for me.
>>>>>>
>>>>>> Von
>>>>>>
>>>>>>
>>>>>> On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>>>
>>>>>>>
>>>>>>> FYI,
>>>>>>>
>>>>>>> This was discussed (again) at two consecutive EGEE meetings at  
>>>>>>> CERN  last week, ending in the draft text proposed below.
>>>>>>>
>>>>>>> /Olle
>>>>>>>
>>>>>>>
>>>>>>> VO Naming
>>>>>>> ---------
>>>>>>> The VO name is a string, used to represent the VO in all
>>>>>>> interactions with grid software, such as in expressions of
>>>>>>> policy and access rights.
>>>>>>>
>>>>>>> The VO name MUST be formatted as a subdomain name as specified in
>>>>>>> RFC 1034 section 3.5. The VO Manager of a VO using a
>>>>>>> thus-formatted name MUST be entitled to the use of this name,
>>>>>>> when interpreted as a name in the Internet Domain Name System.
>>>>>>> This entitlement MUST stem either from a direct delegation of
>>>>>>> the corresponding name in the Domain Name System by an
>>>>>>> accredited registrar for the next-higher level subdomain, or
>>>>>>> from a direct delegation of the equivalent name in the Domain
>>>>>>> Name System by ICANN, or from the consent of the administrative
>>>>>>> or operational contact of the next-higher equivalent subdomain
>>>>>>> name for that VO name that itself is registered with such an
>>>>>>> accredited registrar.
>>>>>>>
>>>>>>> Considering that RFC1034 section 3.5 states that both upper
>>>>>>> case and lower case letters are allowed, but no significance is
>>>>>>> to be attached to the case, but that today the software handling
>>>>>>> VO names may still be case sensitive, all VO names MUST be
>>>>>>> entirely in lower case.
>>>>>>>
>>>>
>>
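
The draft VO naming rule and the vomses entry quoted in this thread can be checked mechanically. The following is an added example, not code from any of the posters or from VOMS: `check_vo_name` and `parse_vomses_line` are hypothetical helpers, and the meaning of the five vomses fields (alias, host, port, server DN, VO name) is the usual layout, assumed here rather than stated in the thread.

```python
import re
import shlex

# RFC 1034 section 3.5: <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?\Z")


def check_vo_name(name):
    """Return the draft-rule violations for a VO name (empty list = OK)."""
    problems = []
    for label in name.split("."):
        if len(label) > 63:
            problems.append(f"label {label!r} exceeds 63 characters")
        elif not LABEL.match(label):
            problems.append(f"label {label!r} is not an RFC 1034 label")
    if name != name.lower():
        problems.append("name is not entirely lower case")
    return problems


def parse_vomses_line(line):
    """Split one vomses entry into its five quoted fields.

    Field meanings (alias, host, port, server DN, VO name) are the usual
    vomses layout and are an assumption; the thread does not label them.
    """
    fields = shlex.split(line)
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}")
    alias, host, port, server_dn, vo = fields
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port {port!r}")
    return {"alias": alias, "host": host, "port": int(port),
            "server_dn": server_dn, "vo": vo}


# The entry quoted in the thread, with the e-mail line wrap in the DN undone.
VOMSES = ('"gin.ggf.org" "kuiken.nikhef.nl" "15050" '
          '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"')

if __name__ == "__main__":
    entry = parse_vomses_line(VOMSES)
    print(entry["vo"], check_vo_name(entry["vo"]))
    # Old name from the thread, plus two constructed bad names.
    for name in ("GIN-GGF-ORG", "9vo.example.org", "vo-.example.org"):
        print(name, check_vo_name(name))
```

The old name 'GIN-GGF-ORG' is a syntactically valid RFC 1034 label and fails only the lower-case requirement, which is the case the draft text singles out for case-sensitive software.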




