Hello Oscar,
I have configured lcas/lcmaps on some new machines. There I
am able to secure gatekeeper successfully. But gridftp is
showing some error.
The lcas/lcmaps logs go directly to the gatekeeper logs but not to
gridftp logs. So can I generate lcas/lcmaps log for gridftp so that I can
understand the full flow of gridftp and debug the error?
Thanks
Vipul
CDAC,Banglore
> Hi Vipul,
>
> The gridsite core component is used as a GACL (Grid ACL) parser by the
> glite-security-lcas-plugins-voms package. GACL is a simple (humanly
> readable) XML formatted file that can state which user DNs or VOMS
> attributes are allowed or disallowed on the site. With GACL you can
> tailor the authorization decision in detail.
>
> cheers,
>
> Oscar
>
>
> Vipul.B wrote:
>> Hello Oscar,
>> Thank you for your help on this. Everything is working fine now. I am
>> able to secure Globus gridftp and gatekeeper services through lcas/lcmaps
>> using voms credentials.
>>
>> One more thing I need to ask. When I was configuring the lcas/lcmaps, the
>> log file showed some dependency on a package called org.gridsite.core.
>> This package deals with a set of extensions to the Apache web server and
>> a toolkit for Grid credentials. But we are not using any web server. So is
>> it possible by any means to remove this dependency?
>>
>> Thanks again
>>
>> Vipul
>> CDAC, Banglore
>> India.
>>
>>
>>> Hi Vipul,
>>>
>>> That version indeed has the fix.
>>>
>>> I guess it's a configuration issue now.
>>> Is the gsi-authz.conf at /etc/grid-security/gsi-authz.conf?
>>> That location is searched for by the gt4 tools.
>>>
>>>
>>> The VO mapfile should only have:
>>> "/trial" globus
>>> "/trial/*" globus
>>>
>>>
>>> I would also configure the vomslocalgroup plugin. The groupmapfile
>>> should contain:
>>> "/trial" globus
>>> "/trial/*" globus
>>>
>>>
>>> For testing I would only configure the lcas_userban.mod with an empty
>>> ban_users.db file in the lcas.db.gridftp for the simple reason to test
>>> the service.
>>>
>>> Let the lcas_voms.mod look to the grid-mapfile or vomapfile that you
>>> have.
>>>
>>> Change the content of the lcas_voms.mapfile to:
>>> "/trial" globus
>>> "/trial/*" globus
>>>
>>>
>>> Export the following elements in the gridftpd's environment:
>>>
>>> export LCAS_LOG_LEVEL=5
>>> export LCAS_DEBUG_LEVEL=5
>>> export LCMAPS_LOG_LEVEL=5
>>> export LCMAPS_DEBUG_LEVEL=5
>>>
>>> 5 means very, very verbose, 0 means nearly nothing. Normal operational
>>> setting is:
>>> export LCAS_LOG_LEVEL=1
>>> export LCAS_DEBUG_LEVEL=0
>>> export LCMAPS_LOG_LEVEL=1
>>> export LCMAPS_DEBUG_LEVEL=0
>>>
>>> Tune as you see fit.
>>>
>>>
>>> cheers,
>>>
>>> Oscar
>>>
>>>
>>>
>>> Vipul.B wrote:
>>>> Hi Oscar,
>>>> Correct me if I am wrong: VOMS credential is supported for accessing
>>>> pre-WS globus services like Globus gate-keeper and Globus gridFTP (not
>>>> only the glite versions) via the lcas-lcmaps-gt4-interface?
>>>> If yes, then the following should work.
>>>> I have taken the binary from the link :
>>>> http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.security.lcas-lcmaps-gt4-interface/0.0.14
>>>> The bug #35981 is fixed in this?
>>>>
>>>> And I am using Globus gridftp in GT4.0.7
>>>> On calling globus-url-copy, getting error :
>>>> ---------------------------------------------------
>>>> debug: starting to get gsiftp://192.168.61.197/home/globususer/tot
>>>> debug: connecting to gsiftp://192.168.61.197/home/globususer/tot
>>>> debug: response from gsiftp://192.168.61.197/home/globususer/tot:
>>>> 220 192.168.61.197 GridFTP Server 2.7 (gcc32dbg, 1204845443-63) [Globus Toolkit 4.0.7] ready.
>>>>
>>>> debug: authenticating with gsiftp://192.168.61.197/home/globususer/tot
>>>> debug: fault on connection to gsiftp://192.168.61.197/home/globususer/tot: an end-of-file was reached
>>>> debug: data callback, error an end-of-file was reached, buffer 0xb7deb008, length 0, offset=0, eof=true
>>>> debug: operation complete
>>>> error: an end-of-file was reached
>>>> globus_xio: An end of file occurred.
>>>> --------------------------------------------
>>>> The file gets created with 0 bytes.
>>>> Attaching the configuration files.
>>>>
>>>> Kindly advise.
>>>>
>>>> Also, how do I enable logging in LCAS-LCMAPS, so that I can trace the
>>>> entire flow?
>>>>
>>>>
>>>> Thanks & Regards,
>>>> Vipul Borikar
>>>> CDAC,Banglore
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Hello Vipul,
>>>>>
>>>>> Please look for the newer version of the gt4 interface which has the
>>>>> names fixed (and a bug fixed):
>>>>> glite-security-lcas-lcmaps-gt4-interface
>>>>>
>>>>> And I'd update the LCAS and LCMAPS installation to the glite
>>>>> versions:
>>>>> http://linuxsoft.cern.ch/EGEE/gLite/R3.1/generic/sl4/i386/RPMS.release/
>>>>>
>>>>> Also in the glite-security-lcas-lcmaps-gt4-interface package, there
>>>>> should be a small script that loads the lcas-lcmaps-gt4-interface and
>>>>> redirects it to the LCAS and LCMAPS frameworks for the AuthZ and
>>>>> identity mapping functionality.
>>>>>
>>>>> These edg-* tools are very old.
>>>>>
>>>>> The LCAS framework now has the configuration to allow
>>>>> "/VO=trial/GROUP=trial/*" globus
>>>>>
>>>>> This should be changed to the new format for VOMS FQANs
>>>>> "/trial" globus
>>>>> "/trial/*" globus
>>>>>
>>>>> Here is more info on the configuration:
>>>>> https://savannah.cern.ch/patch/?1830
>>>>>
>>>>> The lcmaps configuration on that page is not for a GridFTP, but the
>>>>> version of the RPMS that are used now in the EGEE systems is stated
>>>>> here.
>>>>>
>>>>>
>>>>> When I look at the lcas-vomsfile you sent, then I guess this to be your
>>>>> grid-mapfile for testing. As the 'globus' account is a non-pool account,
>>>>> it's a local account. If you wish to do the identity (to Unix account)
>>>>> mapping based on the VOMS FQANs, then you should use the
>>>>> voms_localaccount plugin and the posix_enf plugin.
>>>>>
>>>>>
>>>>> Example lcmaps.db:
>>>>> BOF
>>>>> path = /opt/glite/lib/modules
>>>>>
>>>>>
>>>>> vomslocalaccount = "lcmaps_voms_localaccount.mod"
>>>>>                    " -gridmapfile /etc/grid-security/gridmapfile"
>>>>>
>>>>> posix_enf = "lcmaps_posix_enf.mod"
>>>>>
>>>>>
>>>>> # policies
>>>>> vomsevalpolicy:
>>>>> vomslocalaccount -> posix_enf
>>>>> EOF
>>>>>
>>>>>
>>>>> cheers,
>>>>>
>>>>> Oscar
>>>>>
>>>>>
>>>>>
>>>>> Vipul Borikar wrote:
>>>>>> Hello all,
>>>>>> I am trying to access pre-WS components of Globus like gridFTP
>>>>>> through VOMS credential.
>>>>>> For this, I have installed the following :
>>>>>> #GT4.0.7
>>>>>> #VOMS server 1.8 and used it to generate VOMS certificates.
>>>>>> #LCAS, LCMAPS binary RPM for Red Hat is taken from the link
>>>>>> http://grid-deployment.web.cern.ch/grid-deployment/download/RpmDir/WP4/
>>>>>> The components installed are :
>>>>>> # edg-lcas_gcc3_2_2-voms_plugins-1.1.22-1
>>>>>> # edg-lcas_gcc3_2_2-1.1.22-1
>>>>>> # edg-lcmaps_gcc3_2_2-0.0.30-1
>>>>>> # edg-lcmaps_gcc3_2_2-voms_plugins-0.0.30-1
>>>>>> # edg-lcmaps_gcc3_2_2-basic_plugins-0.0.30
>>>>>> # org.glite.security.lcas-lcmaps-gt4-interface libraries from eticsoft
>>>>>>
>>>>>>
>>>>>> Then I generate VOMS credential through voms-proxy-init in the
>>>>>> standard location.
>>>>>> Then when I give the command
>>>>>>
>>>>>> globus-url-copy -dbg gsiftp://192.168.61.197/home/globususer/tot
>>>>>> file:///home/globususer/wall/tot1
>>>>>>
>>>>>> I get the error :
>>>>>> debug: starting to get gsiftp://192.168.61.197/home/globususer/tot
>>>>>> debug: connecting to gsiftp://192.168.61.197/home/globususer/tot
>>>>>> debug: response from gsiftp://192.168.61.197/home/globususer/tot:
>>>>>> 220 192.168.61.197 GridFTP Server 2.7 (gcc32dbg, 1204845443-63) [Globus Toolkit 4.0.7] ready.
>>>>>>
>>>>>> debug: authenticating with gsiftp://192.168.61.197/home/globususer/tot
>>>>>> debug: fault on connection to gsiftp://192.168.61.197/home/globususer/tot: an end-of-file was reached
>>>>>> debug: data callback, error an end-of-file was reached, buffer 0xb7deb008, length 0, offset=0, eof=true
>>>>>> debug: operation complete
>>>>>>
>>>>>> error: an end-of-file was reached
>>>>>> globus_xio: An end of file occurred.
>>>>>>
>>>>>> The file gets created with 0 bytes.
>>>>>> Has anyone tried this?
>>>>>> Attaching the file lcas_voms.mapfile and the voms-proxy-info
>>>>>>
>>>>>> Thanks & Regards,
>>>>>> Vipul Borikar
>>>>>> CDAC Banglore,India
>>>>>>
>>>>>>
>>>
>>
>>
>
>
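
Added example (not part of the original thread, and not LCAS/LCMAPS code): a small Python check for the mapfile entries discussed in the quoted replies. It flags legacy "/VO=.../GROUP=..." lines and wildcard lines that lack the bare group line, then shows which account an FQAN would map to. Glob matching with the first matching line winning is an assumption about the plugins' semantics, and the sample mapfile is constructed.

```python
import fnmatch
import shlex

# Constructed sample: one legacy-format line plus the two new-format lines
# quoted in the thread. Not taken from the poster's attached files.
SAMPLE_MAPFILE = '''\
# lcas_voms.mapfile / groupmapfile style entries
"/VO=trial/GROUP=trial/*" globus
"/trial" globus
"/trial/*" globus
'''

def parse_mapfile(text):
    """Return (pattern, account) pairs; skip blank lines and # comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # handles the quoted FQAN pattern
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '\"FQAN\" account'")
        entries.append((fields[0], fields[1]))
    return entries

def lint(entries):
    """Flag legacy patterns and wildcard lines with no bare group line."""
    patterns = {p for p, _ in entries}
    findings = []
    for pattern, _ in entries:
        if pattern.startswith("/VO="):
            findings.append(("legacy-format", pattern))
        elif pattern.endswith("/*") and pattern[:-2] not in patterns:
            findings.append(("missing-bare-group", pattern))
    return findings

def map_fqan(entries, fqan):
    """Assumed semantics: glob match, first matching line wins."""
    for pattern, account in entries:
        if fnmatch.fnmatchcase(fqan, pattern):
            return account
    return None

if __name__ == "__main__":
    entries = parse_mapfile(SAMPLE_MAPFILE)
    print(lint(entries))
    for fqan in ("/trial", "/trial/admins", "/other"):
        print(fqan, "->", map_fqan(entries, fqan))
```

Under the assumed glob semantics, a file holding only "/trial/*" leaves the bare "/trial" FQAN unmapped, which is why both lines appear in the advice quoted above.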