
Re: [HTCondor-users] SSL authentication - location of user certificates



On Fri, Apr 11, 2014 at 02:42:18PM +0200, Operation Condor wrote:
> Hey,
>  
> we stumbled upon a problem regarding the user authentication using SSL. The
> (daemon to daemon) host authentication seems to work flawlessly (ssl_status,
> adding worker nodes). 
> However user authentication appears to fail. For instance submitting jobs using
> condor_submit results in the following error in the SCHEDLOG:
>  
> "
> 04/11/14 07:47:19 (pid:9530) DC_AUTHENTICATE: authentication of
> <10.0.38.23:50961> did not result in a valid mapped user name, which is
> required for this command (1112 QMGMT_WRITE_CMD), so aborting.
> "
>  
> Our mapfile looks as follows:
>  
> "
> SSL CN=USER johndoe
> "
>  
> What we tried to do is mapping the user certificate (generated as described on
> http://pages.cs.wisc.edu/~zmiller/ca-howto/ ) with the common name "johndoe" to
> the corresponding (Linux) user johndoe who is the owner of the process
> condor_submit, resulting in the error mentioned above.

If using SSL for user authentication, you need to point to that individual's
certificate using the condor_config parameters.  Individual users can override
the config file by setting environment variables prefixed with "_condor_".

	export _condor_AUTH_SSL_CLIENT_CERTFILE=/home/zmiller/zmiller_cert.pem
	export _condor_AUTH_SSL_CLIENT_KEYFILE=/home/zmiller/zmiller_key.pem


> On the other hand we tried the following mapping:
>  
> "
> SSL CN=HOST johndoe
> "
>  
> whereat HOST is the common name of the certificate used for host
> authentication. Funnily enough, this appears to work, hence we can submit jobs
> using this mapfile.

Check the permissions on your host key.  It should not be readable by users.


If you would like to send more info or details, feel free to contact me off-
list as well.


Cheers,
-zach
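The two points in Zach's reply, the per-user `_condor_` overrides and the host key
permission check, as a small sourceable script. This is an added example, not code
from the thread or from HTCondor itself; the file names under /home/johndoe are
assumed, and the check only looks at POSIX mode bits (a key exposed through an ACL or
a readable backup copy would pass it).

```shell
#!/bin/sh
# Added example, not from the HTCondor-users thread. Usage (paths assumed):
#   . ./condor_ssl_user.sh
#   use_condor_user_cert /home/johndoe/johndoe_cert.pem /home/johndoe/johndoe_key.pem
#   check_host_key /etc/condor/hostkey.pem

# Return 0 if FILE is a regular file that only its owner can access
# (no group or other permission bits set), 1 otherwise.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # Columns 5-10 of `ls -l` output are the group and other bits;
    # "------" means nobody but the owner can read or write the key.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Point this shell's HTCondor tools at a user certificate and key via the
# _condor_ environment-variable override from the reply above. Refuses to
# export anything if the private key is readable by other users.
use_condor_user_cert() {
    cert=$1
    key=$2
    [ -f "$cert" ] || { echo "no certificate: $cert" >&2; return 1; }
    if ! key_perms_ok "$key"; then
        echo "refusing $key: readable by group/other (chmod 600 $key)" >&2
        return 1
    fi
    export _condor_AUTH_SSL_CLIENT_CERTFILE="$cert"
    export _condor_AUTH_SSL_CLIENT_KEYFILE="$key"
}

# A host key that unprivileged users can read lets any user's condor_submit
# authenticate as the host, which is why the SSL CN=HOST mapping "worked".
# Prints a verdict; returns 0 only when the key is private to its owner.
check_host_key() {
    hostkey=$1
    if key_perms_ok "$hostkey"; then
        echo "OK: $hostkey is readable only by its owner"
    else
        echo "WARNING: $hostkey is readable by other users; chmod 600 it" >&2
        return 1
    fi
}
```

Source the file rather than executing it so the exported `_condor_` variables land in
the shell you then run condor_submit from; the host key check belongs on every submit
and execute node, since the mapping in the question succeeded only because the host
key was readable there.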