I did that kind of thing several years ago as a test. It was a legitimate concern.

In principle, a server should check with $X509_VOMS_DIR to verify that an X509 proxy with VOMS attribute atlas:/atlas/Role=production is signed by the "atlas" VOMS server, and that VO group "/atlas/xyz" matches VO name "atlas".

--
Wei Yang | [log in to unmask] | 650-926-3338

________________________________________
From: Oliver Freyermuth <[log in to unmask]>
Sent: Tuesday, June 18, 2019 10:01 PM
To: xrootd/xrootd
Cc: Subscribed
Subject: Re: [xrootd/xrootd] Bad mapping of VOMS extensions using XrdSecgsiVOMSFun (#1006)

The group information indeed can be multi-valued (space separated).

I understand. But does that mean that

= atlprod o atlas g /atlas r production

would match a hypothetical proxy with production role for VO CMS and role "NULL" for VO ATLAS (and group /ATLAS)?
That very example is from the xrootd docs, by the way (but without the group part) 😉.
At least, using "o" here instead of "g" would ensure it is not a CMS user with an ATLAS group.
But do I understand correctly that it's not the "triple" of VO, Group and Role which is matched?

With respect to having a very old version in the WLCG repo: I'm not the right person for that. I can only point at what OSG has available (which isn't affected by the issues described above).

Ok, I will contact the WLCG repo admins on this then. At least it's good to know a working version exists, thanks for pointing me to it - maybe they can add it to the repo.

The doc unfortunately has a little typo. Option "grpopt" (not "groupopt") can be used to make selection

Thanks for the hint!
We don't have any service using lcmaps yet, so right now vomsxrd is the easiest solution for us.
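
The question raised in this thread, shown as an added example that is not part of the original messages and is not XRootD or vomsxrd code: matching VO, group and role independently across all of a proxy's attributes, compared with matching them as one triple taken from a single attribute. The names Fqan, parse_fqan, match_independent and match_triple are hypothetical, and the "vo" field is assumed to be the VO whose VOMS server signature was already verified against $X509_VOMS_DIR.

```python
from typing import NamedTuple, Optional

class Fqan(NamedTuple):
    vo: str               # assumed: VO of the VOMS server that signed the attribute
    group: str            # e.g. "/atlas"
    role: Optional[str]   # None when the attribute carries Role=NULL or no role

def parse_fqan(vo: str, fqan: str) -> Fqan:
    """Split '/atlas/Role=production/Capability=NULL' into group and role."""
    parts = [p for p in fqan.split("/") if p]
    group = "/" + "/".join(p for p in parts if "=" not in p)
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    role = fields.get("Role")
    return Fqan(vo, group, None if role in (None, "NULL") else role)

def group_belongs_to_vo(a: Fqan) -> bool:
    """The root component of the group must equal the signing VO's name."""
    return a.group.split("/")[1] == a.vo

def match_independent(attrs, vo, group, role) -> bool:
    """Each field is satisfied by *some* attribute: the behaviour being asked about."""
    return (any(a.vo == vo for a in attrs)
            and any(a.group == group for a in attrs)
            and any(a.role == role for a in attrs))

def match_triple(attrs, vo, group, role) -> bool:
    """All three fields come from the *same* attribute, and its group sits under its VO."""
    return any(a == Fqan(vo, group, role) and group_belongs_to_vo(a) for a in attrs)

# Constructed sample proxies (not taken from any real credential).
# MIXED: production role in CMS, plain membership (Role=NULL) in ATLAS.
MIXED = [parse_fqan("cms", "/cms/Role=production/Capability=NULL"),
         parse_fqan("atlas", "/atlas/Role=NULL/Capability=NULL")]
# GENUINE: production role in ATLAS.
GENUINE = [parse_fqan("atlas", "/atlas/Role=production/Capability=NULL")]

if __name__ == "__main__":
    rule = ("atlas", "/atlas", "production")   # o atlas g /atlas r production
    for name, proxy in (("MIXED", MIXED), ("GENUINE", GENUINE)):
        print(name, "independent:", match_independent(proxy, *rule),
              "triple:", match_triple(proxy, *rule))
```
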
