
Re: [Condor-users] GSI authentication succeeds but authorization fails



On Tue, Sep 25, 2007 at 02:49:34PM -0500, Scott Koranda wrote:
> > > 
> > > Why am I not authorized?
> > 
> > the log shows you are being mapped to skoranda@xxxxxxxxxxxxxxxxxxxxxxx while
> > the allow list has:
> >   ALLOW_READ = skoranda@xxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> > 
> > basically, your authz rule is missing the 'ldg-portal' on the left hand side
> > of the slash.
> > 
> > i think you meant to write:
> >   ALLOW_READ = skoranda@xxxxxxxxxxxxxxxxxxxxxxx/ldg-portal.phys.uwm.edu
> 
> I don't understand.
> 
> The manual indicates that the form is
> 
> "Each macro is defined by a comma-separated list of fully
> qualified users. Each fully qualified user is described using
> the following format:
> 
>     username@domain/hostname

true.  in your case the 'domain' was ldg-portal.phys.uwm.edu, and not
phys.uwm.edu.

why?  as todd pointed out, you didn't specify a domain in your map file,
so condor by default will append the value of UID_DOMAIN.

so, you could either change the mapping to specify the domain as you like
it, or you can change the ALLOW list to accept the domain that condor is
filling in by default.  either way is acceptable.


cheers,
-zach
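
The mismatch described in this message, as an added example that is not part of the original post and is not Condor's own code: a simplified Python model that appends UID_DOMAIN to a map-file name that has no domain, then reports which field of each `username@domain/hostname` entry differs. It assumes exact matching only (wildcards and host-only entries are not modelled), and the names `alice`, `example.edu` and `portal.example.edu` are constructed, since the real ones are redacted in the thread.

```python
def canonical_user(mapped_name, uid_domain):
    """Name that gets authorized: a map-file name without '@' gets UID_DOMAIN appended."""
    return mapped_name if "@" in mapped_name else f"{mapped_name}@{uid_domain}"


def parse_entry(entry):
    """Split one 'username@domain/hostname' list entry into its three fields."""
    principal, slash, host = entry.strip().partition("/")
    user, at, domain = principal.partition("@")
    if not (slash and at and user and domain and host):
        raise ValueError(f"not in username@domain/hostname form: {entry!r}")
    return user, domain.lower(), host.lower()


def check(mapped_name, uid_domain, peer_host, allow_list):
    """Return (authorized, report); report lists, per entry, the fields that differ."""
    user, _, domain = canonical_user(mapped_name, uid_domain).partition("@")
    actual = {"username": user, "domain": domain.lower(), "hostname": peer_host.lower()}
    report = []
    for entry in allow_list.split(","):
        wanted = dict(zip(actual, parse_entry(entry)))  # same field order as 'actual'
        differing = [field for field in actual if wanted[field] != actual[field]]
        report.append((entry.strip(), differing))
    return any(not differing for _, differing in report), report


if __name__ == "__main__":
    # Constructed values; the real names in the thread are redacted.
    HOST = "portal.example.edu"
    cases = [
        ("alice", "alice@example.edu/" + HOST),             # as reported: denied
        ("alice@example.edu", "alice@example.edu/" + HOST),  # fix 1: domain in the map file
        ("alice", "alice@" + HOST + "/" + HOST),             # fix 2: list accepts the default
    ]
    for mapped, allow in cases:
        ok, report = check(mapped, uid_domain=HOST, peer_host=HOST, allow_list=allow)
        print(canonical_user(mapped, HOST), "authorized" if ok else "denied", report)
```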