 |
 |
Hi Matevz, On Thu, 26 Jan 2012, Matevz Tadel wrote: >> The origin is typically a redirector and we recommend against enabling >> authentication for that unless you are forwarding requests. > > Authentication for what? For proxy->origin, for client->proxy, or for > client->origin? For anything. That is, why have authentication at all for connections to the redirector? >> Based on the log, it seems that the security shared libraries that the proxy >> needed to use were not in the ld path for the proxy (common problem). > > But why would it need the libs if it doesn't do any authentication? That statement makes no sense, you just told me that the redirector requires GSI authentication. > The final result of my fiddling with configuration: > http://uaf-2.t2.ucsd.edu/~matevz/tmp/proxy.cfg > where I limit access to my desktop only, results in this on startup (even without anybody connecting to the proxy): > http://uaf-2.t2.ucsd.edu/~matevz/tmp/proxy.log > and the redirector simply says: > 120126 12:53:22 4028 XrootdXeq: xrootd.2781:[log in to unmask] disc 0:00:01 > > So, it seems, proxy wants to authenticate itself to the redirector ... > and as redirector only allows GSI authentication, it fails. Is this >correct? a) The only reason that the redirector wants GSI authentication is because it is configured to require it. b) The only reason that the proxy fails to do si is because either it doesn't have a proper certificate or the libraries are not accessible. > My naive expectation from the first mail was that proxy will never > authenticate itself to the redirector ... but always just pass auth > requests/responses between its client ant the redirector. If the redirector requires authentication then everyone must authenticate. That said, you can make exceptions on a host by host basis and the documentation tells you how to do that via the sec.bind directive. But you have to do that explicitly. > So ... should I be running the proxy with a valid certificate? (Or some > other authentication, like sss and have it enabled on the redirector for > proxy hosts only.) See the sec.protbind directive. http://www.xrootd.org/doc/prod/sec_config.htm#_Toc304922498 > [ Strangely enough, when I connect to the proxy with a client I also > get a line: > 120126 13:06:17 3126 secgsi_InitProxy: cannot access private key file: > /home/xrootd/.globus/userkey.pem > in the log ... which wasn't there before. I didn't change LD_LIB_PATH, > have /usr/local/lib64 in /etc/ld.so.conf.] Is that the proxy saying this ir the client. It's not clear which here. In any case, either that file is missing or the permission disallow access, that's what the message means. Andy ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1