[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-users] GSI authentication details


The Condor 6.9.4 manual in section implies that the
GSI_DAEMON_CERT is a "host" cert:

GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem

By "host" cert here I mean a cert ending with CN=FQDN or

Is there any such requirement or can the certificate used be
any valid certificate? Are there any restrictions on the DN?

Also, a common problem seen with GSI and "host" certificates
when used on machines that have two (or more) network
interfaces is that host authorization (commonly used with
some client tools leveraging GSI) fails when a reverse lookup
on the IP address for the box hosting the service/daemon
doesn't match the DN for the host cert because the DN is bound
to one network interface while the client tool is talking to
the other interface.

Is this an issue at all when using GSI authentication in
Condor? I am guessing it is not because there is not GSI
"host" authorization happening and all authorization is at the
level of the Condor user IDs, but I want to be sure...