Using multi-delegated proxy certificates and a gridmap-file with XrdHttp does not yield the proper mapping. This happens due to the fact that the following code: https://github.com/xrootd/xrootd/blob/master/src/XrdHttp/XrdHttpProtocol.cc#L314-L343 only checks the subject and issuer of the certificate against the gridmap-file, while it should also check the End Entity Certificate. This same behavior works as expected when accessed through the xrootd protocol, since this mapping is handled properly in XrdSecgsi, namely XrdCryptoX509Chain.

For a gridmap-file that contains this entry:
"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru" dteam001

and coming with the following proxy certificate:

[esindril@esdss000 http-tpc-utils]$ voms-proxy-info
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u58602
timeleft  : 11:59:49
key usage : Digital Signature, Key Encipherment

yields the expected dteam001, while using the following proxy certificate (delegated multiple times):

[esindril@esdss000 http-tpc-utils]$ voms-proxy-info --file /tmp/proxy_2
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555/CN=1153688675
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/proxy_2
timeleft  : 11:59:18
key usage : Digital Signature, Key Encipherment

yields esindril, since it falls back to extracting the first CN from the DN (this only makes sense for CERN certs).


View this issue on GitHub: https://github.com/xrootd/xrootd/issues/1221

Posted to the XROOTD-DEV list.
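To make the two lookups concrete, the following is an added C++ model written for this page; it is not XRootD code and not the fix the issue asks for. It reuses the DNs and gridmap entry from the report, contrasts the leaf-only lookup with its first-CN fallback (the behaviour described above) against a lookup keyed on the first non-proxy certificate in the chain, and shows why the second is the one a server should trust. The `Cert` struct, the `isProxy` flag, the `/DC=example/CN=Example CA` issuer name and the gridmap parser are assumptions for the example; a real implementation decides whether a certificate is a proxy from the RFC 3820 proxyCertInfo extension (OID 1.3.6.1.5.5.7.1.14) on the parsed X.509 object, not from a hand-set boolean.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Constructed model of one certificate in the chain a client presents during
// the TLS handshake, ordered leaf first. ASSUMPTION: a real implementation sets
// isProxy from the RFC 3820 proxyCertInfo extension (1.3.6.1.5.5.7.1.14).
struct Cert {
    std::string subject;
    std::string issuer;
    bool isProxy;
};

// Parse gridmap-file lines of the form  "<DN>" <local user>  into a lookup table.
// Blank lines and '#' comments are skipped; lines without a quoted DN are ignored.
std::map<std::string, std::string> parseGridmap(const std::string& text) {
    std::map<std::string, std::string> table;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#') continue;
        std::string::size_type q1 = line.find('"');
        std::string::size_type q2 = (q1 == std::string::npos) ? q1 : line.find('"', q1 + 1);
        if (q2 == std::string::npos) continue;
        std::string dn = line.substr(q1 + 1, q2 - q1 - 1);
        std::istringstream rest(line.substr(q2 + 1));
        std::string user;
        if (rest >> user) table[dn] = user;
    }
    return table;
}

// First CN component of a DN: the fallback the report describes, which only
// coincides with a local account name for DNs laid out like the CERN ones.
std::string firstCN(const std::string& dn) {
    std::string::size_type p = dn.find("/CN=");
    if (p == std::string::npos) return "";
    std::string::size_type start = p + 4;
    std::string::size_type end = dn.find('/', start);
    return dn.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Leaf-only lookup: consult the leaf's subject, then its issuer, then fall back
// to the first CN of the leaf subject. With two levels of delegation neither
// DN is in the gridmap, so the fallback wins.
std::string mapLeafOnly(const std::vector<Cert>& chain,
                        const std::map<std::string, std::string>& gm) {
    if (chain.empty()) return "";
    auto it = gm.find(chain.front().subject);
    if (it != gm.end()) return it->second;
    it = gm.find(chain.front().issuer);
    if (it != gm.end()) return it->second;
    return firstCN(chain.front().subject);
}

// End-entity lookup: walk from the leaf to the first non-proxy certificate and
// look up its subject. No CN fallback: an unmapped DN stays unmapped ("")
// instead of being guessed into some local account.
std::string mapEndEntity(const std::vector<Cert>& chain,
                         const std::map<std::string, std::string>& gm) {
    for (const Cert& c : chain) {
        if (c.isProxy) continue;
        auto it = gm.find(c.subject);
        return it == gm.end() ? "" : it->second;
    }
    return "";
}

// Constructed inputs reusing the DNs from the report; the CA name is made up.
const std::string kUserDN =
    "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru";
const std::string kCaDN = "/DC=example/CN=Example CA";
const std::string kGridmap = "\"" + kUserDN + "\" dteam001\n";

// Single delegation: leaf proxy, then the end entity certificate.
std::vector<Cert> singleProxyChain() {
    return {{kUserDN + "/CN=263329555", kUserDN, true},
            {kUserDN, kCaDN, false}};
}

// Double delegation: leaf proxy, intermediate proxy, then the end entity certificate.
std::vector<Cert> doubleProxyChain() {
    return {{kUserDN + "/CN=263329555/CN=1153688675", kUserDN + "/CN=263329555", true},
            {kUserDN + "/CN=263329555", kUserDN, true},
            {kUserDN, kCaDN, false}};
}

int main() {
    std::map<std::string, std::string> gm = parseGridmap(kGridmap);
    std::cout << "single, leaf-only:  " << mapLeafOnly(singleProxyChain(), gm) << "\n"
              << "double, leaf-only:  " << mapLeafOnly(doubleProxyChain(), gm) << "\n"
              << "double, end-entity: " << mapEndEntity(doubleProxyChain(), gm) << "\n";
    return 0;
}
```

Running it prints dteam001 for the single proxy under both strategies, esindril for the double proxy under the leaf-only lookup, and dteam001 for the double proxy once the end entity certificate is the key. The important property of the end-entity walk is that it depends on the proxy flag carried in the certificate itself rather than on the shape of the DN, so it behaves the same for non-CERN DNs and for any depth of delegation.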