
Re: [HTCondor-users] SSL Certificate -> User Mapping Issue



On 23/12/2014 3:26 pm, Peter Brady wrote:
> Hello,
> 
> I think I've been staring at this too long and the problem, most likely,
> exists between keyboard and chair.
> 
> I'm building a HTCondor cluster with SSL authentication across the nodes
> but I seem to have trouble with the certificate -> user mapping.
> 
> My configuration has
> 
> GRIDMAP = /etc/condor/wma_gridmap
> CERTIFICATE_MAPFILE = /etc/condor/wma_unified_map
> 
> which are real files.  I checked for typos in the path first.  In cert
> map I have:
> 
> SSL (.) GSS_ASSIST_GRIDMAP
> 
> and have tried:
> 
> SSL (.*) GSS_ASSIST_GRIDMAP
> 
> The rest of the file is defaults as per the manual (§3.6.4), which, if I
> read it correctly, should map back to GRIDMAP.  In the grid map file I
> have, for example,
> 
> "/C=AU/ST=New South Wales/O=WMA Water/CN=htc-controller@xxxxxxxxxxxxxxx"
> condor@xxxxxxxxxxxxxxx
> 
> However, I get permission denied with the indicative errors that I'm
> seeing are:
> 
> PERMISSION DENIED to GSS_ASSIST_GRIDMAP@xxxxxxxxxxxxxxx
> 
> It seems to me that GSS_ASSIST_GRIDMAP is not mapping to GRIDMAP and
> hence matching my certificates to users.  Rather it is being treated as
> a user in and of itself.
> 
> I can get around this by adding:
> 
> SSL "^/C=AU/ST=New South Wales/O=WMA
> Water/CN=htc-controller@xxxxxxxxxxxxxxx$" condor@xxxxxxxxxxxxxxx
> 
> to the CERTIFICATE_MAP but this seems to defeat the purpose of
> GSS_ASSIST_GRIDMAP.  The above line must be before the GSS_ASSIST_LINE
> to work though.
> 
> Is there something obvious that I've missed?
> 
> Thanks in advance,
> -pete

OK, so after sending this I went for a walk around the block to think
this through.  I've been able to fix this via a work around.

Luckily for me I'm only testing and can roll out certificates as
required.  In this case I can change the CN to the form of

user@domain

and then, after brushing up on PCREs, adjust the unified map to extract
the user and domain that I require.

I'm still curious as to why my first attempt with GSS_ASSIST_GRIDMAP did
not work....

Cheers
-pete


-- 
Peter Brady
Email: pdbrady@xxxxxxxxxx
Skype: pbrady77

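To make the ordering behaviour and the CN=user@domain workaround from this thread concrete, here is an added toy evaluator (not HTCondor's own mapfile parser, and not code from the poster). It assumes the three-field "METHOD regex canonical_name" line shape shown in the thread, first-match-wins evaluation from the top of the file, and \1/\2 back-references in the third field; the DN, the cluster.example domain and both map files are constructed for the example.

```python
import re

# Constructed sample subject DN, modelled on the one in the thread with the
# anonymised domain replaced by a fake one.
DN = "/C=AU/ST=New South Wales/O=WMA Water/CN=htc-controller@cluster.example"

# Constructed map in the shape the thread shows: a literal, quoted DN rule
# (the DN contains spaces, so it must be quoted) followed by the catch-all.
LITERAL_MAP = r'''
SSL "^/C=AU/ST=New South Wales/O=WMA Water/CN=htc-controller@cluster\.example$" condor@cluster.example
SSL (.*) GSS_ASSIST_GRIDMAP
'''

# Same rules with the catch-all first: this reproduces the ordering problem
# the poster hit, where the literal line only worked when placed above it.
CATCHALL_FIRST_MAP = r'''
SSL (.*) GSS_ASSIST_GRIDMAP
SSL "^/C=AU/ST=New South Wales/O=WMA Water/CN=htc-controller@cluster\.example$" condor@cluster.example
'''

# The reply's workaround: with CN issued as user@domain, one regex with two
# capture groups yields the user and domain without a per-certificate line.
PATTERN_MAP = r'''
SSL "^/C=AU/ST=New South Wales/O=WMA Water/CN=([^/@]+)@([^/]+)$" \1@\2
SSL (.*) GSS_ASSIST_GRIDMAP
'''

# A field is either a double-quoted string (may contain spaces) or a bare token.
_FIELD = re.compile(r'"([^"]*)"|(\S+)')


def _fields(line):
    """Split one map line into fields, honouring double quotes."""
    return [quoted or bare for quoted, bare in _FIELD.findall(line)]


def parse_mapfile(text):
    """Return a list of (method, compiled_regex, target) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _fields(line)
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields, got {len(fields)}: {raw!r}")
        method, regex, target = fields
        rules.append((method.upper(), re.compile(regex), target))
    return rules


def map_identity(rules, method, name):
    """First rule whose method matches and whose regex matches wins.

    Back-references (\\1, \\2) in the target are expanded from the match;
    None means no rule applied at all.
    """
    for rule_method, regex, target in rules:
        if rule_method != method.upper():
            continue
        match = regex.search(name)
        if match:
            return match.expand(target)
    return None


if __name__ == "__main__":
    for label, text in (("literal", LITERAL_MAP),
                        ("catch-all first", CATCHALL_FIRST_MAP),
                        ("pattern", PATTERN_MAP)):
        print(f"{label:16} -> {map_identity(parse_mapfile(text), 'SSL', DN)}")
```

Running it shows the three outcomes side by side: the literal rule maps the DN to condor@cluster.example, the catch-all-first file swallows the DN and hands back the literal string GSS_ASSIST_GRIDMAP (the very name that appears in the poster's PERMISSION DENIED line), and the capture-group rule derives htc-controller@cluster.example from the CN alone.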