
[Condor-users] GSI authentication details



Hi,

The Condor 6.9.4 manual in section 3.6.3.1 implies that the
GSI_DAEMON_CERT is a "host" cert:

GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem

By "host" cert here I mean a cert ending with CN=FQDN or
CN=host/FQDN.

Is there any such requirement or can the certificate used be
any valid certificate? Are there any restrictions on the DN?

Also, a common problem seen with GSI and "host" certificates
when used on machines that have two (or more) network
interfaces is that host authorization (commonly used with
some client tools leveraging GSI) fails when a reverse lookup
on the IP address for the box hosting the service/daemon
doesn't match the DN for the host cert because the DN is bound
to one network interface while the client tool is talking to
the other interface.

Is this an issue at all when using GSI authentication in
Condor? I am guessing it is not because there is no GSI
"host" authorization happening and all authorization is at the
level of the Condor user IDs, but I want to be sure...

Thanks,

Scott
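
The multi-homed mismatch described in the message can be checked per interface before deployment. The following is an added example, not part of the original post and not Condor or Globus code: it models the check as the message describes it (the reverse-lookup name of the contacted IP compared with the host name at the end of the certificate DN). The function names, the sample DN, the addresses and the PTR table are all constructed.

```python
import re
import socket

FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def host_from_dn(dn):
    """Host name from a DN that ends with CN=FQDN or CN=host/FQDN, else None."""
    idx = dn.rfind("/CN=")          # assumes the CN is the last DN component
    if idx < 0:
        return None
    cn = dn[idx + 4:].lower()
    if cn.startswith("host/"):
        cn = cn[len("host/"):]
    return cn if FQDN_RE.match(cn) else None

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Primary PTR name for ip, or None when the reverse lookup fails."""
    try:
        return resolver(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None

def check_interfaces(dn, ips, resolver=socket.gethostbyaddr):
    """Map each IP to (reverse name, True if it equals the host name in the DN)."""
    expected = host_from_dn(dn)
    report = {}
    for ip in ips:
        name = reverse_name(ip, resolver)
        report[ip] = (name, expected is not None and name == expected)
    return report

# Constructed sample data: one certificate, two interfaces with different PTR names.
SAMPLE_DN = "/DC=org/DC=example/OU=Services/CN=host/node1.example.org"
SAMPLE_PTR = {"192.0.2.10": "node1.example.org",
              "198.51.100.10": "node1-priv.example.org"}

def sample_resolver(ip):
    """Offline stand-in for socket.gethostbyaddr, backed by SAMPLE_PTR."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return (SAMPLE_PTR[ip], [], [ip])

if __name__ == "__main__":
    ips = list(SAMPLE_PTR) + ["203.0.113.5"]
    for ip, (name, ok) in check_interfaces(SAMPLE_DN, ips, sample_resolver).items():
        print(f"{ip:15} PTR={name} matches_cert={ok}")
```

Calling `check_interfaces` without the `resolver` argument uses the system resolver, so it can be run on the daemon host against each of its real interface addresses.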