[gin-ops] Re: [gin-auth] VO name change
Oscar Koeroo
okoeroo at nikhef.nl
Fri Mar 17 05:19:08 CST 2006
Hi,
Have a look at your DN
/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
and compare it to:
"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc" .gin.ggf.org
This will never match :-)
Please use only one certificate.
cheers,
Oscar
Cindy Zheng wrote:
>Hi, Oscar,
>
>I modified the VO name in the vomses file, but I get
>"user unknown to this VO" when I run voms-proxy-init.
>Did you add SDSC cert files in the new VO server?
>Or did I miss something? Here is the vomses file
>and voms-proxy-init output:
>
>[zhengc at rocks-52 vomsdir]$ cat /opt/glite/etc/vomses/gin.ggf.org
>"gin.ggf.org" "kuiken.nikhef.nl" "15050"
>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>
>[zhengc at rocks-52 vomsdir]$ voms-proxy-init --debug --voms gin.ggf.org
>Detected Globus version: 22
>Unspecified proxy version, settling on Globus version: 2
>Number of bits in key :512
>Using configuration file /opt/glite/etc/vomses
>Using configuration file /opt/glite/etc/vomses
>Files being used:
> CA certificate file: none
> Trusted certificates directory : /etc/grid-security/certificates
> Proxy certificate file : /home/zhengc/.globus/.proxy
> User certificate file: /home/zhengc/.globus/usercert.pem
> User key file: /home/zhengc/.globus/userkey.pem
>Output to /home/zhengc/.globus/.proxy
>Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
>Enter GRID pass phrase:
>Creating temporary proxy to /tmp/tmp_x509up_u502_21548
>.......++++++++++++
>...........................................++++++++++++
> Done
>Contacting kuiken.nikhef.nl:15050
>[/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl] "gin.ggf.org"
>Error: gin.ggf.org: User unknown to this VO.
>
>
>
>>-----Original Message-----
>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
>>On Behalf Of Oscar Koeroo
>>Sent: Tuesday, March 14, 2006 6:09 AM
>>To: gin-auth at ggf.org
>>Subject: [gin-auth] VO name change
>>
>>
>>Hello everybody,
>>
>>The GIN VO name has been changed from 'GIN-GGF-ORG' to 'gin.ggf.org' with
>>the approval of the security area directors to use the ggf.org domain name.
>>All other configurations and registration have stayed persistently.
>>Which means, the same port numbers do apply on the same server with the
>>same certificate.
>>
>>Though the web site has been moved to:
>>https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>
>>The configuration for the vomses file has changed to:
>>
>>"gin.ggf.org" "kuiken.nikhef.nl" "15050"
>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>
>>And also the legacy support interface for mkgridmap has also
>>changed with the URL change to:
>>group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org .gin.ggf.org
>>
>>
>>
>> Oscar - /gin.ggf.org/Role=VO-Admin
>>
>>
>>Oscar Koeroo wrote:
>>
>>
>>
>>>which means that I'll change the GIN-GGF-ORG VO name to:
>>>"gin.ggf.org"
>>>... if one or both security area directors approve with the change and
>>>use of the "ggf.org" domain as a suffix to the GIN VO.
>>>
>>> Oscar
>>>
>>>
>>>Von Welch wrote:
>>>
>>>
>>>
>>>>Works for me.
>>>>
>>>>Von
>>>>
>>>>
>>>>On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>
>>>>
>>>>
>>>>>FYI,
>>>>>
>>>>>This was discussed (again) at two consecutive EGEE meetings at CERN
>>>>>last week, ending in the draft text proposed below.
>>>>>
>>>>>/Olle
>>>>>
>>>>>
>>>>>VO Naming
>>>>>---------
>>>>>The VO name is a string, used to represent the VO in all interactions
>>>>>with grid software, such as in expressions of policy and access
>>>>>rights.
>>>>>
>>>>>The VO name MUST be formatted as a subdomain name as specified in
>>>>>RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted
>>>>>name MUST be entitled to the use of this name, when interpreted as a
>>>>>name in the Internet Domain Name System.
>>>>>This entitlement MUST stem either from a direct delegation of the
>>>>>corresponding name in the Domain Name System by an accredited
>>>>>registrar for the next-higher level subdomain, or from a direct
>>>>>delegation of the equivalent name in the Domain Name System by ICANN,
>>>>>or from the consent of the administrative or operational contact of
>>>>>the next-higher equivalent subdomain name for that VO name that itself
>>>>>is registered with such an accredited registrar.
>>>>>
>>>>>Considering that RFC1034 section 3.5 states that both upper case
>>>>>and lower case letters are allowed, but no significance is to be
>>>>>attached to the case, but that today the software handling VO names
>>>>>may still be case sensitive, all VO names MUST be entirely in lower case.
>>>>>
>>>>>
>>>>>
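
The DN mismatch pointed out at the top of this message, as an added example (not part of the original e-mail and not code from VOMS or mkgridmap): it compares the identity printed by voms-proxy-init with the quoted-DN entry, RDN by RDN, and reports where they differ. The function names are hypothetical, and reading the entry as a grid-mapfile style line (quoted DN followed by a mapping) is an assumption.

```python
import shlex


def parse_oneline_dn(dn):
    """Split a slash-separated DN (/K=V/K=V...) into (attribute, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/': %r" % dn)
    rdns = []
    for part in dn[1:].split("/"):
        if "=" in part:
            attr, value = part.split("=", 1)
            rdns.append((attr, value))
        elif rdns:
            # No '=' in this piece: the '/' was part of the previous value.
            attr, value = rdns[-1]
            rdns[-1] = (attr, value + "/" + part)
        else:
            raise ValueError("malformed DN: %r" % dn)
    return rdns


def parse_mapfile_line(line):
    """Parse '"<DN>" <mapping>' (assumed grid-mapfile style) into (dn, mapping)."""
    fields = shlex.split(line)
    if len(fields) != 2:
        raise ValueError("expected a quoted DN and one mapping: %r" % line)
    return fields[0], fields[1]


def dn_differences(presented, registered):
    """Return (index, presented_rdn, registered_rdn) for every RDN that differs."""
    a, b = parse_oneline_dn(presented), parse_oneline_dn(registered)
    diffs = []
    for i in range(max(len(a), len(b))):
        left = a[i] if i < len(a) else None
        right = b[i] if i < len(b) else None
        if left != right:
            diffs.append((i, left, right))
    return diffs


# Both strings are copied from this thread.
PRESENTED = "/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc"
MAP_LINE = '"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/UID=zhengc" .gin.ggf.org'

if __name__ == "__main__":
    registered, mapping = parse_mapfile_line(MAP_LINE)
    for index, got, expected in dn_differences(PRESENTED, registered):
        print("RDN %d: presented %s, registered %s" % (index, got, expected))
```

An exact string comparison only says the two DNs differ; the per-RDN report shows that the attribute name of the last RDN is the sole difference.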