
Hi Gerri,

I think I got it working (assuming option grps will fill XrdSecEntity.grps). I am running it on our production machine and hopefully we can tell in a day or so if there are other issues.

regards,
Wei Yang  |  [log in to unmask]  |  650-926-3338(O)




On Feb 6, 2013, at 9:46 AM, Gerardo Ganis wrote:

> 
>    Hi Wei,
> 
>    Thanks for the feedback.
> 
>    About your question.
>    The module fills the XrdSecEntity structure which is then analysed by 
> the authorization module.
> 
>    Another option is to specify the group (or groups) you want to 
> authorize with the 'grps=grp1[,grp2,...]'
>    configuration option: if the group is not found, authentication 
> fails. This functionality was not correctly
>    implemented in the binary you tested, but I have just fixed it, so 
> you can try it now taking the latest
>    version.
> 
>    Cheers, Gerri
> 
> 
> On 2/6/13 8:53 AM, Yang, Wei wrote:
>> Hi Gerri,
>> 
>> It turns out that the .so I tried wasn't the latest. I just tried the latest one (slc5-gcc4.3) and it can extract the VO info correctly from various types of limited proxy used at ATLAS sites. I will try again with slc5-gcc4.1 and slc6 platforms. I have another question. With this module, how do I map a VO to a specific group (and then grant this group access in oss.authdb)?
>> 
>> regards,
>> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>> 
>> 
>> 
>> 
>> On Feb 5, 2013, at 1:21 AM, Gerardo Ganis wrote:
>> 
>>>     Hi Wei,
>>> 
>>>     It does not look as if it is loading the right plug-in.
>>>     Are there any related messages at xrootd startup?
>>>     Could you post the full startup log?
>>> 
>>>     You should get something like this at a certain point:
>>> 
>>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: ++++++++++++++++++ VOMS
>>> plugi-in ++++++++++++++++++++++++++++++
>>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: +++ proxy fmt:    raw
>>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit: +++ group option: last of all
>>> 130205 10:20:13 4689 secgsiVOMS_VOMSInit:
>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> 130205 10:20:13 4689 secgsi_LoadVOMSFun: using 'XrdSecgsiVOMSFun()' from
>>> libXrdSecgsiVOMS.so
>>> =====> sec.protocol gsi -cert:~/.globus/usercert.pem
>>> -key:~/.globus/userkey.pem
>>> -certdir:/afs/cern.ch/user/g/ganis/.globus/certificates -ca:2 -crl:3
>>> -crldir:/afs/cern.ch/user/g/ganis/.globus/certificates
>>> Config 2 authentication directives processed in xrd.voms.cf
>>> ------ Authentication system initialization completed.
>>> 
>>>    Gerri
>>> 
>>> 
>>> On 2/4/13 8:15 PM, Yang, Wei wrote:
>>>> [Adding David Smith since he may want to know this ...]
>>>> 
>>>> Hi Gerri,
>>>> 
>>>> I am having trouble getting it to work. On RHEL5-64, I compiled xrootd git head with gcc 4.3 and use the .so you compiled. Here is my config file:
>>>> 
>>>> all.export /xrootd/atlas r/o
>>>> all.role server
>>>> xrootd.async off
>>>> xrootd.seclib /afs/slac.stanford.edu/package/xrootd/githead/amd64_rhel50/src/libXrdSec.so
>>>> sec.protparm gsi -vomsfun:/etc/xrootd/libXrdSecgsiVOMS.so.1 -vomsfunparms:grpopt=0|certfmt=raw|vos=atlas|dbg
>>>> sec.protocol /afs/slac.stanford.edu/package/xrootd/githead/amd64_rhel50/src gsi -ca:1 -crl:3
>>>> acc.authdb /etc/xrootd/auth_file
>>>> acc.authrefresh 60
>>>> ofs.authorize
>>>> 
>>>> here is my proxy info (I tried a proxy created locally using VOMS 1.8.8 and a proxy created at CERN using VOMS 2.0.8).
>>>> 
>>>> subject   : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203/CN=proxy
>>>> issuer    : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>>> identity  : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>>> type      : proxy
>>>> strength  : 1024 bits
>>>> path      : /tmp/x509up_u2353
>>>> timeleft  : 11:58:22
>>>> === VO atlas extension information ===
>>>> VO        : atlas
>>>> subject   : /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>>> issuer    : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
>>>> attribute : /atlas/Role=NULL/Capability=NULL
>>>> attribute : /atlas/lcg1/Role=NULL/Capability=NULL
>>>> attribute : /atlas/usatlas/Role=NULL/Capability=NULL
>>>> attribute : nickname = yangw (atlas)
>>>> timeleft  : 11:58:22
>>>> uri       : lcg-voms.cern.ch:15001
>>>> 
>>>> Here is the $X509_VOMS_DIR
>>>> 
>>>> [yangw@atl-prod08 xrootd]$ ls -l $X509_VOMS_DIR
>>>> total 68
>>>> -rw-r--r-- 1 yangw sf   69 Feb 16  2010 README
>>>> drwxr-xr-x 2 yangw sf 2048 Nov 25  2011 atlas/
>>>> -rw-r--r-- 1 yangw sf 1440 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem
>>>> -rw-r--r-- 1 yangw sf 1440 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem.1
>>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 cert-voms-01.cnaf.infn.it.pem.2
>>>> -rw-r--r-- 1 yangw sf 1436 Feb  2  2010 grid12.lal.in2p3.fr.pem
>>>> -rw-r--r-- 1 yangw sf 5154 Feb  2  2010 mu4.matrix.sara.nl.pem
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-01.pd.infn.it.pem
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-01.pd.infn.it.pem.1
>>>> -rw-r--r-- 1 yangw sf 1420 Feb  2  2010 voms-01.pd.infn.it.pem.2
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-02.pd.infn.it.pem
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms-02.pd.infn.it.pem.1
>>>> -rw-r--r-- 1 yangw sf 1420 Feb  2  2010 voms-02.pd.infn.it.pem.2
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem.1
>>>> -rw-r--r-- 1 yangw sf 1419 Feb  2  2010 voms.cnaf.infn.it.pem.2
>>>> -rw-r--r-- 1 yangw sf 1399 Feb  2  2010 voms.cnaf.infn.it.pem.3
>>>> -rw-r--r-- 1 yangw sf 1484 Feb  2  2010 voms.fnal.gov.pem
>>>> -rw-r--r-- 1 yangw sf 1298 Feb  2  2010 voms.fnal.gov.pem.1
>>>> -rw-r--r-- 1 yangw sf 1651 Feb  2  2010 voms.grid.sara.nl.pem
>>>> -rw-r--r-- 1 yangw sf 5152 Feb  2  2010 voms.grid.sara.nl.pem.1
>>>> -rw-r--r-- 1 yangw sf 1793 Feb  2  2010 voms.grid.sinica.edu.tw.pem
>>>> -rw-r--r-- 1 yangw sf 1842 Feb  2  2010 voms.gridpp.ac.uk.pem
>>>> -rw-r--r-- 1 yangw sf 1843 Feb  2  2010 voms.gridpp.ac.uk.pem.1
>>>> -rw-r--r-- 1 yangw sf 2138 Feb  2  2010 voms.gridpp.ac.uk.pem.2
>>>> -rw-r--r-- 1 yangw sf 1472 Feb  2  2010 voms.research-infrastructures.eu.pem
>>>> -rw-r--r-- 1 yangw sf 1472 Feb  2  2010 voms.research-infrastructures.eu.pem.1
>>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 voms2.cnaf.infn.it.pem
>>>> -rw-r--r-- 1 yangw sf 1424 Feb  2  2010 voms2.cnaf.infn.it.pem.1
>>>> -rw-r--r-- 1 yangw sf 1404 Feb  2  2010 voms2.cnaf.infn.it.pem.2
>>>> 
>>>> And here is the log file:
>>>> 
>>>> X509Chain::Dump://------------------Dumping X509 chain content ------------------//
>>>> X509Chain::Dump://
>>>> X509Chain::Dump:// Chain instance: 0x8eeb7d0
>>>> X509Chain::Dump://
>>>> X509Chain::Dump:// Number of certificates: 3
>>>> X509Chain::Dump://
>>>> X509Chain::Dump:// CA:  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>>>> X509Chain::Dump:// EEC:  /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>>> X509Chain::Dump://
>>>> X509Chain::Dump:// Issuer: d1b603c3.0 Subject: 1c3f2ca8.0 Type: CA
>>>> X509Chain::Dump:// Issuer: 1c3f2ca8.0 Subject: 684536c7.0 Type: EEC
>>>> X509Chain::Dump:// Issuer: 684536c7.0 Subject: f81adb11.0 Type: Proxy
>>>> X509Chain::Dump://
>>>> X509Chain::Dump://---------------------------- END ------------------------------//
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +++++++++++++++ X509 dump +++++++++++++++++++++++
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + File:
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Type: Proxy
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Serial Number: 283485584
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Subject: /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203/CN=proxy
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Subject hash: f81adb11.0
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Issuer:  /DC=org/DC=doegrids/OU=People/CN=Wei Yang 74203
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Issuer hash:  684536c7.0
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + Validity:
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + NotBefore:  1360032944 UTC - Mon Feb  4 18:55:44 2013
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + NotAfter:   1360076444 UTC - Tue Feb  5 07:00:44 2013
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>>> 130204 11:02:36 14262 crypto_X509::Dump: + PKI: Public
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +
>>>> 130204 11:02:36 14262 crypto_X509::Dump: +++++++++++++++++++++++++++++++++++++++++++++++++
>>>> 130204 11:02:36 14262 secgsi_VOMSFun: xrc: 1
>>>> 130204 11:02:36 14262 secgsi_VOMSFun: NOT OK: Cannot discover holder from certificate chain!
>>>> 130204 11:02:36 14262 secgsi_VOMSFun: WARNING: no VO found! (VOMS attributes: '')
>>>> 130204 11:02:36 14262 XrootdXeq: yangw.27906:22@atlint01 login as 684536c7.0
>>>> 130204 11:02:41 14262 XrootdXeq: yangw.27906:22@atlint01 disc 0:00:05
>>>> 
>>>> I am not sure what the 4th line from the bottom means.
>>>> 
>>>> regards,
>>>> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>>>> 
>>>> 
>>>> On Feb 4, 2013, at 9:42 AM, Gerardo Ganis wrote:
>>>> 
>>>>>    Hi,
>>>>> 
>>>>>    This is the status of things:
>>>>> 
>>>>>    The plug-in is available for test at
>>>>> 'https://github.com/gganis/voms.git' from where you can download
>>>>>    the sources. Binaries for SLC5 (x86_64, gcc-4.1, gcc 4.3) and SLC6
>>>>> (x86_64, gcc-4.6) are available under
>>>>> 
>>>>>        /afs/cern.ch/work/g/ganis/public/vomsxrd/vomsxrd-0.0.1
>>>>> 
>>>>>    (README and examples under /afs/cern.ch/work/g/ganis/public/vomsxrd).
>>>>> 
>>>>>    With the following caveats:
>>>>> 
>>>>>       1. The builds require VOMS 2.0.8 which, if I understand
>>>>> correctly, is not (yet?) available in OSG
>>>>>       2. Unfortunately the backport of the vomsfun functionality was
>>>>> not complete in the 3.2.x stable branch,
>>>>>           so to use the plug-in you have either to use the HEAD of the
>>>>> 'stable' branch or 3.3.x-rc1 .
>>>>>           RPMs for the stable branch are available from the Teamcity
>>>>> portal:
>>>>> 
>>>>> https://teamcity-dss.cern.ch:8443/project.html?projectId=project13&tab=projectOverview
>>>>> 
>>>>>    Can you please let me know if you can try this out, or what you are missing
>>>>> to be able to try it?
>>>>> 
>>>>>    Gerri
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On 1/31/13 7:19 PM, Yang, Wei wrote:
>>>>>> I haven't got it to work yet. I am communicating with the developer.
>>>>>> 
>>>>>> regards,
>>>>>> Wei Yang  |  [log in to unmask]  |  650-926-3338(O)
>>>>>> 
>>>>>> 
>>>>>> On Jan 31, 2013, at 2:28 AM, Tommaso Boccali wrote:
>>>>>> 
>>>>>>> Follow-up Comment #2, sr #135141 (project xrootd):
>>>>>>> 
>>>>>>> ciao, news on that plugin?
>>>>>>> 
>>>>>>> thanks
>>>>>>> 
>>>>>>> tom
>>>>>>> 
>>>>>>>    _______________________________________________________
>>>>>>> 
>>>>>>> Reply to this item at:
>>>>>>> 
>>>>>>>  <http://savannah.cern.ch/support/?135141>
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>>  Message sent via/by LCG Savannah
>>>>>>>  http://savannah.cern.ch/
>>>>>>> 
>>>>> -- 
>>>>> +--------------------------------------------------------------------------+
>>>>>   Gerardo GANIS    CERN, PH Dept, SFT group, CH 1211 Geneve 23
>>>>>                    room: 32-RC-006, tel: +41 22 7676439
>>>>>                    email: [log in to unmask], fax: +41 22 7669133
>>>>> +--------------------------------------------------------------------------+
>>>>> 
> 
> 
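
An added example, written for this archive page and not code from the thread or from libXrdSecgsiVOMS: a small Python model of the two steps Gerri describes above, the VOMS function filling XrdSecEntity (vorg, role, grps, endorsements) from the FQANs in the proxy, and an acc.authdb-style record set then granting that group access to a path. Several things here are assumptions rather than facts from the thread: the 'last'/'first'/'all' names for the group option are chosen after the "group option: last of all" line in Gerri's startup log, not taken from the plug-in's documentation; the vos and grps filters follow Gerri's description (a grps= group that is not present fails the authentication); the authdb model handles only u/g/o/r records with path-prefix matching and unions their privileges, which is a simplification of what XrdAccAuthorize does; and using a full group path as a record id is an assumption. The FQANs are the three from Wei's voms-proxy-info output; the authdb records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# One FQAN as voms-proxy-info prints it, e.g. /atlas/usatlas/Role=NULL/Capability=NULL
FQAN_RE = re.compile(
    r"^(?P<group>/[^/=]+(?:/[^/=]+)*)/Role=(?P<role>[^/]+)/Capability=(?P<cap>[^/]+)$"
)


class VomsError(Exception):
    """Raised where the real plug-in would log 'NOT OK' and fail the authentication."""


@dataclass
class Entity:
    """The XrdSecEntity fields a VOMS function fills (simplified model, not the real struct)."""
    name: str                           # login identity, e.g. the hash in 'login as 684536c7.0'
    vorg: Optional[str] = None          # VO name
    role: Optional[str] = None          # VOMS role; None when the FQAN says Role=NULL
    grps: Optional[str] = None          # selected group(s), comma separated
    endorsements: Optional[str] = None  # the FQANs as received


def parse_fqan(fqan: str) -> Tuple[str, str, Optional[str]]:
    """Split one FQAN into (vo, group, role)."""
    m = FQAN_RE.match(fqan.strip())
    if not m:
        raise VomsError("malformed FQAN: %r" % fqan)
    group = m.group("group")
    role = None if m.group("role") == "NULL" else m.group("role")
    return group.split("/")[1], group, role


def fill_entity(name: str, fqans: Iterable[str], vos: Optional[Set[str]] = None,
                grps: Optional[Set[str]] = None, grpopt: str = "last") -> Entity:
    """Map the proxy's FQANs onto an Entity.
    vos    -- accepted VO names (the 'vos=atlas' parameter in the thread); None accepts any VO
    grps   -- groups that must be present ('grps=grp1,grp2'); none present -> authentication fails
    grpopt -- which of the remaining groups go into entity.grps: 'last', 'first' or 'all'
              (option names are an assumption modelled on the 'group option: last of all' log line)
    """
    fqans = list(fqans)
    parsed = [parse_fqan(f) for f in fqans]
    if not parsed:
        raise VomsError("no VO found")                   # cf. 'WARNING: no VO found!' in the log
    if vos is not None:
        parsed = [p for p in parsed if p[0] in vos]
        if not parsed:
            raise VomsError("no accepted VO in proxy")
    if grps is not None:
        parsed = [p for p in parsed if p[1] in grps]
        if not parsed:
            raise VomsError("required group not found")  # the 'grps=' failure Gerri describes
    if grpopt == "last":
        chosen = parsed[-1:]
    elif grpopt == "first":
        chosen = parsed[:1]
    elif grpopt == "all":
        chosen = parsed
    else:
        raise ValueError("unknown grpopt %r" % grpopt)
    roles = [r for _, _, r in chosen if r]
    return Entity(name=name, vorg=chosen[0][0], role=roles[0] if roles else None,
                  grps=",".join(g for _, g, _ in chosen), endorsements=",".join(fqans))


# --- minimal model of acc.authdb records: 'idtype id path privs' (subset of the real format) ---

def parse_authdb(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Read 'idtype id path privs' records; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            idtype, ident, path, privs = line.split()
            rules.append((idtype, ident, path, set(privs)))
    return rules


def granted_privs(rules, ent: Entity, path: str) -> Set[str]:
    """Union of privileges of every record whose id matches the entity and whose path is a
    prefix of the requested path (the union is a simplification of XrdAccAuthorize)."""
    ent_grps = set(ent.grps.split(",")) if ent.grps else set()
    privs: Set[str] = set()
    for idtype, ident, rpath, rprivs in rules:
        matched = ((idtype == "u" and ident == ent.name) or
                   (idtype == "g" and ident in ent_grps) or
                   (idtype == "o" and ident == ent.vorg) or
                   (idtype == "r" and ident == ent.role))
        if matched and (path == rpath or path.startswith(rpath.rstrip("/") + "/")):
            privs |= rprivs
    return privs


def allowed(rules, ent: Entity, path: str, priv: str) -> bool:
    return priv in granted_privs(rules, ent, path)


# Constructed sample input: Wei's three FQANs, plus two authdb-style records made up here.
SAMPLE_FQANS = [
    "/atlas/Role=NULL/Capability=NULL",
    "/atlas/lcg1/Role=NULL/Capability=NULL",
    "/atlas/usatlas/Role=NULL/Capability=NULL",
]
SAMPLE_AUTHDB = """
# idtype  id              path                   privs
o         atlas           /xrootd/atlas          rl
g         /atlas/usatlas  /xrootd/atlas/usatlas  rl
"""


def demo() -> Tuple[Entity, bool, bool]:
    rules = parse_authdb(SAMPLE_AUTHDB)
    ent = fill_entity("684536c7.0", SAMPLE_FQANS, vos={"atlas"}, grpopt="last")
    unmapped = Entity(name="684536c7.0")   # what is left when the VOMS function fails
    return (ent,
            allowed(rules, ent, "/xrootd/atlas/usatlas/f.root", "r"),
            allowed(rules, unmapped, "/xrootd/atlas/usatlas/f.root", "r"))


if __name__ == "__main__":
    print(demo())
```

The second boolean from demo() is the point of Wei's question: an entity that reached authorization without vorg or grps (the "no VO found" case in the posted log) matches neither the o nor the g record, so group-based grants in the authdb simply do not apply to that session; only a u record keyed on the certificate hash would.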
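
A second added example, again not from the thread or from xrootd itself: a triage function over the log lines Wei posted. In that log the "login as 684536c7.0" line follows the "NOT OK" and "WARNING: no VO found!" lines from secgsi_VOMSFun, so the session was admitted without VO attributes, which is exactly the kind of login worth flagging when a site relies on VOMS groups in the authdb. The function pairs each "login as" with any VOMS complaint seen since the previous login in the same process. Assumptions: the line shape (date, time, pid, component, message) is read off the posted lines; the pid is the only correlation key those lines carry, and a threaded server interleaves clients, so a complaint can be paired with the wrong login when logins overlap (treat a hit as something to inspect, not as proof). The last sample line, a login with no complaint before it, is made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Shape of the posted log lines: YYMMDD HH:MM:SS pid component: message
LOG_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d\d:\d\d:\d\d) (?P<pid>\d+) (?P<comp>\S+?): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<client>\S+) login as (?P<ident>\S+)$")


def vo_failure(comp: str, msg: str) -> bool:
    """True for the secgsi_VOMSFun lines that mean no VO attributes were extracted."""
    return comp == "secgsi_VOMSFun" and (msg.startswith("NOT OK") or "no VO found" in msg)


def logins_without_vo(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client, identity, problems) for every 'login as' that, in the same pid,
    was preceded by a VOMS failure since the previous login.
    Caveat: pid-only correlation is an assumption; overlapping logins in a threaded
    server can be paired with another client's failure."""
    pending: Dict[str, List[str]] = defaultdict(list)
    findings: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, comp, msg = m.group("pid"), m.group("comp"), m.group("msg")
        if vo_failure(comp, msg):
            pending[pid].append(msg)
        elif comp == "XrootdXeq":
            lm = LOGIN_RE.match(msg)
            if lm:
                problems = pending.pop(pid, [])
                if problems:
                    findings.append((lm.group("client"), lm.group("ident"), problems))
    return findings


# Constructed sample: the last five lines of the log Wei posted, followed by one
# made-up line for a login that had no VOMS complaint before it.
SAMPLE_LOG = """\
130204 11:02:36 14262 secgsi_VOMSFun: xrc: 1
130204 11:02:36 14262 secgsi_VOMSFun: NOT OK: Cannot discover holder from certificate chain!
130204 11:02:36 14262 secgsi_VOMSFun: WARNING: no VO found! (VOMS attributes: '')
130204 11:02:36 14262 XrootdXeq: yangw.27906:22@atlint01 login as 684536c7.0
130204 11:02:41 14262 XrootdXeq: yangw.27906:22@atlint01 disc 0:00:05
130204 11:05:02 14262 XrootdXeq: other.31:9@atlint01 login as 1a2b3c4d.0
"""

if __name__ == "__main__":
    for client, ident, problems in logins_without_vo(SAMPLE_LOG):
        print("%s logged in as %s with no VO attributes:" % (client, ident))
        for p in problems:
            print("   ", p)
```

Run against a real server log (cat the file into logins_without_vo) this lists the sessions that were admitted under the bare certificate hash; on the posted excerpt it reports only the yangw session, with the two secgsi_VOMSFun messages that preceded it.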


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1