
Hi Tom,

In the first print-out you are mapped to 'dteam' and this is probably what you wanted in this case. Our authz plug-in uses sec.name to map to the FS uid/gid.

In the second print-out it does not call the VOMS authz routines (as you said) and this has nothing to do with the OFS/OSS plug-in you have. For this Fabrizio has to help ... however just a warning, currently we don't apply the 'role' field as FS uid or gid, this requires a 2 line change in our Authz plugin ... (I am actually not sure if role is written into name?) ... in any case I write it to the to-do list.

Cheers Andreas.






On Wed, Nov 26, 2014 at 12:46 PM, <[log in to unmask]> wrote:

Hi,

 

I'm trying to set up an XrdHTTP server with libXrdHttpVOMS, however I seem to be missing something. I have a working xrootd server with libXrdSecgsiAuthzVO.so controlling GSI authorisation (which I have confirmed as working). I also have a working HTTPS server, with X.509 authentication working (username is mapped to their browser certificate's DN).

 

However, I then tried to use the http security extractor /usr/lib64/libXrdHttpVOMS-4.so, which was provided by the xrdhttpvoms-0.2.0-1.20141022.1000.el6.x86_64.rpm package (I found this from the email thread about "enabling https" in this mailing list last month). When adding the SecXtractor option to the config the http server now refuses to use the certificate (even in https), and just identifies the user as 'nobody'. And looking at the log, no authentication/authorisation is even attempted. (I've attached a log showing startup, a correctly authorised cmd line operation and a 'failed' https operation. I've also attached the config used)

 

There are no obvious error messages, the only bit that confuses me is the "Config warning: 'xrootd.seclib' not specified; strong authentication disabled!" towards the end of startup, despite the fact the security library had clearly been loaded (and is working).

 

I'm using the xrootd4 package and all dependencies from the LCGDM Continuous Build Repository (ver. 20140918.cf01cb4), but I'm using some other xrootd packages from an eos-diamond repo for the storage bits, as this xrootd server is using a Ceph object store as its storage. I don't think it should affect anything on the authn/z side of things however.

 

What am I doing wrong? I have a feeling I may have got the wrong end of the stick completely and the security extractor doesn't do what I think it does, or that it will, but I'm not using up to date packages (or something else entirely, I'm very new to xrootd and GSI).

 

Any help would be greatly appreciated!

 

Cheers

Tom






Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1



