[gin-auth] Re: Nightly cron for DN list dump ?

Oscar Koeroo okoeroo at nikhef.nl
Fri Mar 17 06:42:56 CST 2006


Hi Dane and others,

I've created a crontab to supply a non-secured grid-mapfile. The crontab 
is set to execute every 6 hours of each day to provide the controlled 
privilege leak :-)
The location is here: http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile

I've also written my first RSS file. I hope I have understood the 
standard correctly.
The feed contains two channels "unsecured_gin.ggf.org" and 
"secured_gin.ggf.org". Both have similar settings, but the secured is 
using the direct weblink that will be used by the mkgridmap script to 
the XML through an HTTPS connection and the other is my crontab-created 
grid-mapfile.

It seems that Thunderbird has a minor bug. I get two messages there but 
both are listed as sent by 'unsecured_gin.ggf.org', clicking on them 
works perfectly. The secure connection needs a valid certificate to 
mutually authenticate the content of the feed, the default error is 
-12229. This is good behaviour :-)
ps: I'll not update the secured feed because it is linked to the direct 
database list creation method on the VOMS Admin.

Comments/improvements are always welcome.


    Oscar - your feeding VO-Admin



Dane Skow wrote:

>
> Oscar,
>
> Would it be possible to set up a nightly cronjob to dump the DN list
> from this VOMS server to a webpage someplace? That way anyone who
> has not set up the edg-makegridmapfile scripts or equivalent automata
> can grab the list and manage the appropriate snippet for a
> gridmapfile by hand? That helps lower the bar for bootstrapping one
> more notch.
>
> The UK folks have offered their WIKI server as a headquarters for  
> this kind of contributed links. I'll send info (or Stephen will  
> directly) with the link soon.
>
> Double Bonus points if you make the webpage an RSS feed ;-))  (so one  
> can get notice of updates)
>
> Cheers,
> Dane
>
> On Mar 14, 2006, at 8:09 AM, Oscar Koeroo wrote:
>
>> Hello everybody,
>>
>> The GIN VO name has been changed from 'GIN-GGF-ORG' to 'gin.ggf.org'
>> with the approval of the security area directors to use the ggf.org
>> domain name.
>> All other configurations and registration have stayed persistently.
>> Which means, the same port numbers do apply on the same server with
>> the same certificate.
>>
>> Though the web site has been moved to:
>> https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>
>> The configuration for the vomses file has changed to:
>>
>> "gin.ggf.org" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>
>> And also the legacy support interface for mkgridmap has also changed
>> with the URL change to:
>> group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org  .gin.ggf.org
>>
>>
>>
>>    Oscar - /gin.ggf.org/Role=VO-Admin
>>
>>
>> Oscar Koeroo wrote:
>>
>>> which means that I'll change the GIN-GGF-ORG VO name to: "gin.ggf.org"
>>> ... if one or both security area directors approve with the change  
>>> and use of the "ggf.org" domain as a suffix to the GIN VO.
>>>
>>>    Oscar
>>>
>>>
>>> Von Welch wrote:
>>>
>>>>
>>>> Works for me.
>>>>
>>>> Von
>>>>
>>>>
>>>> On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>
>>>>>
>>>>> FYI,
>>>>>
>>>>> This was discussed (again) at two consecutive EGEE meetings at
>>>>> CERN last week, ending in the draft text proposed below.
>>>>>
>>>>> /Olle
>>>>>
>>>>>
>>>>> VO Naming
>>>>> ---------
>>>>> The VO name is a string, used to represent the VO in all interactions
>>>>> with grid software, such as in expressions of policy and access rights.
>>>>>
>>>>> The VO name MUST be formatted as a subdomain name as specified in
>>>>> RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted name
>>>>> MUST be entitled to the use of this name, when interpreted as a
>>>>> name in the Internet Domain Name System.
>>>>> This entitlement MUST stem either from a direct delegation of the
>>>>> corresponding name in the Domain Name System by an accredited registrar for
>>>>> the next-higher level subdomain, or from a direct delegation of the
>>>>> equivalent name in the Domain Name System by ICANN, or from the consent
>>>>> of the administrative or operational contact of the next-higher equivalent
>>>>> subdomain name for that VO name that itself is registered with such an
>>>>> accredited registrar.
>>>>>
>>>>> Considering that RFC1034 section 3.5 states that both upper case and lower
>>>>> case letters are allowed, but no significance is to be attached to the case,
>>>>> but that today the software handling VO names may still be case sensitive,
>>>>> all VO names MUST be entirely in lower case.
>>>>>
>>
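
The syntax half of the VO naming draft quoted above (RFC 1034 section 3.5 labels, lower case only) can be checked mechanically against a vomses entry. This is an added example, not code from the thread or from VOMS; the field names `alias`, `host`, `port`, `server_dn` and `vo` are assumptions for the five quoted fields, and the draft's entitlement requirement (DNS delegation or consent) is outside what a syntax check can verify.

```python
import re
import shlex

# RFC 1034 section 3.5 label: starts with a letter, ends with a letter or digit,
# interior is letters, digits or hyphens, at most 63 octets. Only a-z is
# accepted because the draft requires VO names to be entirely lower case.
LABEL = re.compile(r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?")


def vo_name_problems(name):
    """Return the reasons a VO name breaks the draft's syntax rules (empty if none)."""
    problems = []
    if name != name.lower():
        problems.append("contains upper-case letters")
    if len(name) > 255:
        problems.append("longer than 255 octets")
    # Case is reported once above, so check label syntax on the folded name.
    for label in name.lower().split("."):
        if not LABEL.fullmatch(label):
            problems.append(f"label {label!r} is not an RFC 1034 label")
    return problems


def check_vomses_line(line):
    """Parse one vomses entry (five quoted fields) and vet its VO name and port."""
    fields = shlex.split(line)
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}")
    alias, host, port, server_dn, vo = fields  # field names are assumptions
    entry = {"alias": alias, "host": host, "port": int(port),
             "server_dn": server_dn, "vo": vo}
    problems = vo_name_problems(vo)
    if not 0 < entry["port"] < 65536:
        problems.append("port out of range")
    return entry, problems


# The entry quoted in the thread, with the mail client's line wrap rejoined.
THREAD_LINE = ('"gin.ggf.org" "kuiken.nikhef.nl" "15050" '
               '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"')
# Constructed sample: the same entry carrying the VO's former upper-case name.
OLD_NAME_LINE = THREAD_LINE.replace('"gin.ggf.org"', '"GIN-GGF-ORG"')

if __name__ == "__main__":
    for line in (THREAD_LINE, OLD_NAME_LINE):
        entry, problems = check_vomses_line(line)
        print(entry["vo"], "->", problems or "ok")
```

The former name fails only on case: a single hyphenated label is still a valid RFC 1034 subdomain, which is why the draft adds the lower-case rule separately.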




