[gin-ops] Re: [gin-auth] VO name change
Vincenzo Ciaschini
vincenzo.ciaschini at cnaf.infn.it
Wed Mar 22 08:28:06 CST 2006
Hi Oskar, Cindy,
Can you please explain in detail what is the problem here? I am
afraid I do not clearly understand it, and I can't fix it unless I
understand it. :)
Bye,
Vincenzo
Oscar Koeroo wrote:
> Hi Cindy,
>
> I'm extremely confused, possibly there is a bug in the VOMS daemon.
> In my debug log I can see many SQL statements and there is a difference
> in the DN string between these queries.
>
> some have uid some have userid.
>
> Can you try it again?
>
>
> cheers,
>
> Oscar
>
>
>
> Cindy Zheng wrote:
>
>> Thank you, Oscar!
>> But I'm still getting the same error. Either this was not the cause,
>> or there are additional problems. Could you check your log and see if
>> any clues?
>>
>> I agree that this case is special in the sense of not
>> IGTF accredited CA. But, I think we can benefit from dealing
>> with this, either as a case of non-IGTF CA or as a case of
>> mixed GT versions. In the near term, these issues will show
>> up again as more grids joining GIN.
>>
>> I feel the same as you do - the incompatibility of the DN format is
>> annoying. I'm not a security expert. In my naive opinion, it would
>> work best if globus software can take care of this somehow. I would
>> like to hear what you and others think is the best solution.
>> Hopefully, these problems and
>> discussions can resolve to some concrete recommendations or
>> work plans. Perhaps this can be one of many lessons we learn through our
>> interoperation?
>>
>> Below is the output of voms-proxy-init. Also "grid-proxy-init",
>> just to verify my .globus setup and give you the time to locate the
>> corresponding log entries.
>>
>> [zhengc at rocks-52 ~]$ voms-proxy-init --debug --voms gin.ggf.org
>> Detected Globus version: 22
>> Unspecified proxy version, settling on Globus version: 2
>> Number of bits in key :512
>> Using configuration file /opt/glite/etc/vomses
>> Using configuration file /opt/glite/etc/vomses
>> Files being used:
>> CA certificate file: none
>> Trusted certificates directory : /etc/grid-security/certificates
>> Proxy certificate file : /home/zhengc/.globus/.proxy
>> User certificate file: /home/zhengc/.globus/usercert.pem
>> User key file: /home/zhengc/.globus/userkey.pem
>> Output to /home/zhengc/.globus/.proxy
>> Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
>> Enter GRID pass phrase:
>> Creating temporary proxy to /tmp/tmp_x509up_u502_2448
>> ...........++++++++++++
>> ...................................++++++++++++
>> Done
>> Contacting kuiken.nikhef.nl:15050
>> [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>> Error: gin.ggf.org: User unknown to this VO.
>> [zhengc at rocks-52 ~]$ grid-proxy-init
>> Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc
>> Enter GRID pass phrase for this identity:
>> Creating proxy ............................ Done
>> Your proxy is valid until: Wed Mar 22 04:24:18 2006
>>
>> Cindy
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-gin-ops at ggf.org [mailto:owner-gin-ops at ggf.org] On Behalf
>>> Of Oscar Koeroo
>>> Sent: Tuesday, March 21, 2006 2:15 AM
>>> To: Cindy Zheng
>>> Cc: gin-auth at ggf.org; gin-ops at ggf.org
>>> Subject: Re: [gin-ops] Re: [gin-auth] VO name change
>>>
>>>
>>> Hi Cindy,
>>>
>>> I now regard your registration in the VOMS db as special, with
>>> respect to the instant trust in your CA and this little change.
>>> Which means that I've updated your DN in the database with the UID to
>>> USERID substring change.
>>>
>>> It seems that it is up to the software on how they can either
>>> construct a DN to UID or USERID. According to my Google searches the
>>> UID is the prevailing string representation for that part of your DN
>>> in your certificate which means that something (the used software
>>> that constructs a DN from a X.509 cert to do the simple string
>>> compare) needs investigation on possible incompatibility between the
>>> two representations.
>>> Perhaps I'm just negatively paranoid of course, but this issue could
>>> hit us again when other members would have a serialNumber or SN in
>>> their DN :-)
>>>
>>> My personal feelings towards the CAs in general are still unchanged in
>>> the matter of avoiding dubious fields like UID/USERID,
>>> emailAddress/Email and such in a DN which is used in simple
>>> string compare operations in numerous parts of middleware.
>>>
>>>
>>> cheers,
>>>
>>> Oscar
>>>
>>>
>>>
>>> Cindy Zheng wrote:
>>>
>>>
>>>> Thank you, Oscar! I agree that we should have in-depth
>>>> discussion on this issue.
>>>> Meanwhile, can we also have a temporary solution?
>>>> Since double entry does not work for your environment, how about
>>>> changing UID to USERID in my DN string in your
>>>> voms db? Welcome any better ideas and solutions.
>>>>
>>>> Thanks again,
>>>>
>>>> Cindy
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: owner-gin-ops at ggf.org [mailto:owner-gin-ops at ggf.org] On
>>>>> Behalf Of Oscar Koeroo
>>>>> Sent: Friday, March 17, 2006 6:20 PM
>>>>> To: zhengc at sdsc.edu
>>>>> Cc: gin-auth at ggf.org; gin-ops at ggf.org; Olle Mulmo; Dane Skow; David
>>>>> Groep
>>>>> Subject: [gin-ops] Re: [gin-auth] VO name change
>>>>>
>>>>>
>>>>> Hi Cindy,
>>>>>
>>>>> I wish to help here, but this seems to be a point where interoperability
>>>>> needs to be noted (done), fixed/solved and documented.
>>>>> I know of the existence of UID and USERID, now I know where my
>>>>> confusion comes from (I could remember if it was UID or USERID).
>>>>>
>>>>> I think that a double entry in the VOMS DB is not the way to go.
>>>>>
>>>>> Perhaps David Group, Dane Skow or Olle Mulmo can give a better
>>>>> judgement on what to do.
>>>>> Personally I do not like the UID/USERID option for a bit in the DN of
>>>>> personal certificate. Especially since it doesn't give you any
>>>>> identificational value if you cross a domain that has you registered
>>>>> differently (by their local policy).
>>>>>
>>>>>
>>>>> Oscar
>>>>>
>>>>>
>>>>>
>>>>> Cindy Zheng wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Thanks, Oscar, for checking!
>>>>>>
>>>>>> The DN is the same, but "seen" differently by different versions
>>>>>> of GT. GT2 formats it as USERID= and GT3&4 formats it as UID=. I
>>>>>> learned this, since PRAGMA testbed sites are running a mixture of
>>>>>> GT2,3,4.
>>>>>> What we do in PRAGMA testbed is to add a DN in both formats
>>>>>> in the gridmap file, so even when GT gets upgraded, you don't have
>>>>>> to worry about it. Perhaps you can do the same?
>>>>>>
>>>>>> Let me know and I can then test it again.
>>>>>>
>>>>>> Our SDSC CA admin also pointed out that a signing_policy file
>>>>>> which will recognize the OID 0.9.2342.19200300.100.1.1
>>>>>> as either UID or USERID is linked off the CA web page:
>>>>>> http://www.sdsc.edu/CA/.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Cindy
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl] Sent: Friday, March
>>>>>>> 17, 2006 3:19 AM
>>>>>>> To: Cindy Zheng
>>>>>>> Cc: gin-auth at ggf.org; gin-ops at ggf.org
>>>>>>> Subject: Re: [gin-auth] VO name change
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Have a look at your DN
>>>>>>>
>>>>>>> /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
>>>>>>>
>>>>>>> and compare it to:
>>>>>>> "/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc" .gin.ggf.org
>>>>>>>
>>>>>>> This will never match :-)
>>>>>>> Please use only one certificate.
>>>>>>>
>>>>>>> cheers,
>>>>>>>
>>>>>>> Oscar
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Cindy Zheng wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi, Oscar,
>>>>>>>>
>>>>>>>> I modified the VO name in the vomses file, but I get
>>>>>>>> "user unknown to this VO" when running voms-proxy-init. Did you add
>>>>>>>> SDSC cert files in the new VO server?
>>>>>>>> Or did I miss something? Here is the vomses file and
>>>>>>>> voms-proxy-init output:
>>>>>>>>
>>>>>>>> [zhengc at rocks-52 vomsdir]$ cat /opt/glite/etc/vomses/gin.ggf.org
>>>>>>>> "gin.ggf.org" "kuiken.nikhef.nl" "15050"
>>>>>>>> "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>>>>>>>
>>>>>>>> [zhengc at rocks-52 vomsdir]$ voms-proxy-init --debug --voms gin.ggf.org
>>>>>>>> Detected Globus version: 22
>>>>>>>> Unspecified proxy version, settling on Globus version: 2
>>>>>>>> Number of bits in key :512
>>>>>>>> Using configuration file /opt/glite/etc/vomses
>>>>>>>> Using configuration file /opt/glite/etc/vomses
>>>>>>>> Files being used:
>>>>>>>> CA certificate file: none
>>>>>>>> Trusted certificates directory : /etc/grid-security/certificates
>>>>>>>> Proxy certificate file : /home/zhengc/.globus/.proxy
>>>>>>>> User certificate file: /home/zhengc/.globus/usercert.pem
>>>>>>>> User key file: /home/zhengc/.globus/userkey.pem
>>>>>>>> Output to /home/zhengc/.globus/.proxy
>>>>>>>> Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
>>>>>>>> Enter GRID pass phrase:
>>>>>>>> Creating temporary proxy to /tmp/tmp_x509up_u502_21548
>>>>>>>> .......++++++++++++
>>>>>>>> ...........................................++++++++++++
>>>>>>>> Done
>>>>>>>> Contacting kuiken.nikhef.nl:15050
>>>>>>>> [/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>>>>>>>> Error: gin.ggf.org: User unknown to this VO.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org] On
>>>>>>>>> Behalf Of Oscar Koeroo
>>>>>>>>> Sent: Tuesday, March 14, 2006 6:09 AM
>>>>>>>>> To: gin-auth at ggf.org
>>>>>>>>> Subject: [gin-auth] VO name change
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello everybody,
>>>>>>>>>
>>>>>>>>> The GIN VO name has been changed from 'GIN-GGF-ORG' to
>>>>>>>>> 'gin.ggf.org' with the approval of the security area director
>>>>>>>>> to use the ggf.org domain name.
>>>>>>>>> All other configurations and registration have stayed persistently.
>>>>>>>>> Which means, the same portnumbers do apply on the same server
>>>>>>>>> with the same certificate.
>>>>>>>>>
>>>>>>>>> Though the web site has been moved to:
>>>>>>>>> https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>>>>>>>>
>>>>>>>>> The configuration for the vomses file has changed to:
>>>>>>>>>
>>>>>>>>> "gin.ggf.org" "kuiken.nikhef.nl" "15050"
>>>>>>>>> "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>>>>>>>>
>>>>>>>>> And the legacy support interface for mkgridmap has also
>>>>>>>>> changed with the URL change to:
>>>>>>>>> group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org .gin.ggf.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Oscar - /gin.ggf.org/Role=VO-Admin
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Oscar Koeroo wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> which means that I'll change the GIN-GGF-ORG VO name to:
>>>>>>>>>> "gin.ggf.org"
>>>>>>>>>> ... if one or both security area directors approve with the change and
>>>>>>>>>> use of the "ggf.org" domain as a suffix to the GIN VO.
>>>>>>>>>>
>>>>>>>>>> Oscar
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Von Welch wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Works for me.
>>>>>>>>>>>
>>>>>>>>>>> Von
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> FYI,
>>>>>>>>>>>>
>>>>>>>>>>>> This was discussed (again) at two consecutive EGEE meetings at CERN
>>>>>>>>>>>> last week, ending in the draft text proposed below.
>>>>>>>>>>>>
>>>>>>>>>>>> /Olle
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> VO Naming
>>>>>>>>>>>> ---------
>>>>>>>>>>>> The VO name is a string, used to represent the VO in all interactions
>>>>>>>>>>>> with grid software, such as in expressions of policy and access
>>>>>>>>>>>> rights.
>>>>>>>>>>>>
>>>>>>>>>>>> The VO name MUST be formatted as a subdomain name as specified in
>>>>>>>>>>>> RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted
>>>>>>>>>>>> name MUST be entitled to the use of this name, when interpreted as a
>>>>>>>>>>>> name in the Internet Domain Name System.
>>>>>>>>>>>> This entitlement MUST stem either from a direct delegation of the
>>>>>>>>>>>> corresponding name in the Domain Name System by an accredited
>>>>>>>>>>>> registrar for the next-higher level subdomain, or from a direct
>>>>>>>>>>>> delegation of the equivalent name in the Domain Name System by ICANN,
>>>>>>>>>>>> or from the consent of the administrative or operational contact of
>>>>>>>>>>>> the next-higher equivalent subdomain name for that VO name that
>>>>>>>>>>>> itself is registered with such an accredited registrar.
>>>>>>>>>>>>
>>>>>>>>>>>> Considering that RFC1034 section 3.5 states that both upper case
>>>>>>>>>>>> and lower case letters are allowed, but no significance is to be
>>>>>>>>>>>> attached to the case, but that today the software handling VO names
>>>>>>>>>>>> may still be case sensitive, all VO names MUST be entirely in lower
>>>>>>>>>>>> case.
>>>>>>>>>>>>
>
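The "User unknown to this VO" error in the thread comes down to a raw string compare of two spellings of one DN: GT2 prints the OID 0.9.2342.19200300.100.1.1 as USERID=, GT3/4 as UID=. The script below is an added example (not code from the thread, VOMS or Globus) of the alternative Oscar and Cindy argue for: canonicalise the attribute type names to their OIDs before comparing, so one registered entry matches both spellings. The alias table, the slash-format parser and the sample DNs are assumptions; emailAddress/Email is included because Oscar names it as the same kind of problem.

```python
import re

# Short names that different toolkits use for the same attribute OID.
# UID/USERID both mean 0.9.2342.19200300.100.1.1 (the page's case);
# Email/emailAddress/E all mean pkcs-9 emailAddress 1.2.840.113549.1.9.1.
ATTR_ALIASES = {
    "UID": "0.9.2342.19200300.100.1.1",
    "USERID": "0.9.2342.19200300.100.1.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
    "EMAIL": "1.2.840.113549.1.9.1",
    "E": "1.2.840.113549.1.9.1",
}

# Split only on a "/" that begins a new "type=" element, so a "/" inside a
# value does not break the parse (escaped slashes are not handled here).
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z0-9.]+=)")


def parse_dn(dn):
    """Parse an OpenSSL one-line DN ("/C=US/O=SDSC/...") into (type, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError(f"expected a one-line DN starting with '/': {dn!r}")
    rdns = []
    for element in _RDN_SPLIT.split(dn[1:]):
        typ, sep, val = element.partition("=")
        if not typ or not sep:
            raise ValueError(f"malformed RDN element: {element!r}")
        rdns.append((typ, val))
    return rdns


def canonical_dn(dn):
    """Rewrite each attribute type to its OID (known aliases) or upper-cased
    short name. Values stay byte-for-byte: only the type spelling is relaxed,
    the identity match itself is not."""
    parts = []
    for typ, val in parse_dn(dn):
        t = typ.upper()
        parts.append(f"{ATTR_ALIASES.get(t, t)}={val}")
    return "/" + "/".join(parts)


def dn_equal(a, b):
    """Compare two DNs after canonicalisation instead of as raw strings."""
    return canonical_dn(a) == canonical_dn(b)


def find_member(presented_dn, registered_dns):
    """Model of the VO lookup: return the registered DN matching the presented
    one, or None. A single registered entry now matches both spellings."""
    for registered in registered_dns:
        if dn_equal(presented_dn, registered):
            return registered
    return None
```

This is the check the thread wants the middleware (not the VO admin's database entry) to perform; the double-entry workaround in the gridmap file is what it replaces.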