The GSI security protocol defaults to the "trymap" logic which, according to documentation, is "try to map the DN but if unsuccessful use the hash of the client’s DN as the user identifier (username)". With this change, the XrdHttpSecurity interface will follow the same logic.
Since some sites may have special setups which rely on the old mechanism, one can get the old behavior by setting the optional new compatNameGeneration configuration in the http.gridmap setting. For example:
http.gridmap compatNameGeneration /etc/xrootd/grid-mapfile
would restore the old behavior.
With this change, a user can effectively match the nomap, trymap, and usemap settings between the XRootD and HTTP protocols and the two protocols have the same default. Without the change, only the usemap setting could be matched with HTTP. Having the defaults the same greatly decreases the "surprise" factor of using both protocols; the prior HTTP default of guessing a name from the DN is undocumented.
VOMS-based mappings (and mapfile) behavior is unaffected.
@olifre - you have one of the more complex security configs that I could think of. Would you be unaffected by this change?
https://github.com/xrootd/xrootd/pull/1640
(3 files)
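The three mapping modes named in the message above, modelled as an added example that is not part of the original message or of XRootD's code. The grid-mapfile entries are constructed, `dn_hash_name` is a stand-in (the real XRootD DN hash is not shown here), and the `nomap` and `usemap` semantics (never consult the mapfile; require a mapfile entry) are assumptions.

```python
import hashlib
import shlex

# Constructed sample grid-mapfile: a quoted DN followed by the local username.
SAMPLE_GRIDMAP = '''
# constructed entries for illustration
"/DC=org/DC=example/OU=People/CN=Alice Example" alice
"/DC=org/DC=example/OU=Services/CN=transfer01.example.org" xfer
'''

def parse_gridmap(text):
    """Parse grid-mapfile text into a {DN: username} dict."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles DNs containing spaces
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" username'")
        mapping[parts[0]] = parts[1]
    return mapping

def dn_hash_name(dn):
    # Stand-in hash (assumption): only shows that the fallback name is
    # derived from the DN and is not a name an administrator chose.
    return hashlib.sha256(dn.encode("utf-8")).hexdigest()[:8]

def resolve_username(dn, gridmap, mode="trymap"):
    """Return the username for a client DN, or None if the client is rejected."""
    if mode not in ("nomap", "trymap", "usemap"):
        raise ValueError(f"unknown mode: {mode}")
    if mode == "nomap":          # assumption: mapfile is never consulted
        return dn_hash_name(dn)
    mapped = gridmap.get(dn)
    if mapped is not None:
        return mapped
    if mode == "trymap":         # as quoted above: fall back to the DN hash
        return dn_hash_name(dn)
    return None                  # usemap (assumption): no entry, no access

if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    known = "/DC=org/DC=example/OU=People/CN=Alice Example"
    unknown = "/DC=org/DC=example/OU=People/CN=Bob Unmapped"
    for mode in ("nomap", "trymap", "usemap"):
        print(mode, resolve_username(known, gm, mode),
              resolve_username(unknown, gm, mode))
```

Under trymap an unmapped DN still receives a username, so authorization rules keyed on usernames should be reviewed with hash-style names in mind.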