LISTSERV 16.5 - XROOTD-L Archives

Hi, 

>The security extractor enables clients with VOMS proxy certificates to connect. For normal client user certificates you 
>don't need it.

Ah, right, I think I get it. So if I'm using an ordinary user cert (in a browser for instance) the XrdHTTP server does the authentication without the sec extractor. Can it do any authorisation? From the email (https://listserv.slac.stanford.edu/cgi-bin/wa?A2=ind1410&L=XROOTD-L&D=0&P=632) last month it looks like you were waiting for the grid mapfile feature to be added.

>Your config file looks fine to me, and the only error that I see in the log is
>141126 10:38:47 8292 ofs_opendir: unnamed.1:[log in to unmask] Unable to open directory /dteam/; permission 
>denied
>From this I am not able to tell whether the request was denied by some authorization module in ofs, libRadosOss or 
>anything else.
>Could you please restart the server with the -d option and redo this little read test?
>Which credentials is your test client using to do the test ? User cert? VOMS proxy?

Right, so that test was me pointing my browser with my user cert loaded at the XrdHTTP server and hoping some VOMS magic would happen. I now realise that is not how it works (I think). I got davix-get working with my voms proxy cert (I confirmed it on your littlexrdhttp server), and then tried it on mine (with the -d option and the security extractor loaded). As far as I could see the server showed no signs or recognising my proxy cert: 

<span id="requestby">Request by unnamed.9:44@gdss541 ( [::ffff:130.246.179.6]:59926 )</span></p>
<p>Powered by XrdHTTP v20140918-cf01cb4 (CERN IT-SDC)</p>

The command I used was:

davix-get -k -E /tmp/x509up_u33141 https://gdss541.gridpp.rl.ac.uk:1094/

I've attached the log. The " 140350031914752:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE" bit looks fishy to me, but I don't know what the logs from a successful davix-get look so I could be looking in the wrong place entirely.

Thanks for the help, are there any other tests I can run that might make things clearer?

Cheers
Tom

-- 
Scanned by iCritical.


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1