Hi all,
On 24/06/15 18:02, Basney, Jim wrote:
I agree. MyProxy offers 3 options for adding VOMS attributes to the
credential:
1. adding the VOMS attributes via myproxy-init by calling voms-proxy-init
2. adding the VOMS attributes via myproxy-server using the VOMS APIs
(as requested by myproxy-logon -m)
3. adding the VOMS attributes via myproxy-logon by calling voms-proxy-init
If I understand correctly, the problem is that option #2 is not working in
GT 6.0, so myproxy-logon is trying option #3 as a fall-back, but we want
to get option #2 working again. Of the 3 options, only option #2 requires
linking with the VOMS libraries, because options #1 and #3 just call
voms-proxy-init. As Matteo explains, the nice thing about option #2 is it
doesn't require a client-side VOMS install.
I'm working on re-establishing my VOMS test environment so I can help
further with the diagnosis. Thanks Matteo for confirming that the problem
is with all GT 6.0 versions but not with GT 5.2.4 and GT 5.2.5. That
should help in finding the cause.
ah, I didn't know about feature #2 : quite nice&interesting!
And yes, I can reproduce it with GT 6 as well; after some digging I
found that the problem is caused by the 'configure' script for the
myproxy code: when checking for 'globus_gsi_proxy_handle_set_extensions'
it cannot find the library libglobus_gsi_proxy_core and thus disables
support for this (#undef HAVE_GLOBUS_GSI_PROXY_HANDLE_SET_EXTENSIONS)
This causes myproxy to not add *any* extensions to delegated proxies
(see ssl_utils.c, lines 1708-1720) , including the voms extensions.
If you rerun the myproxy 'configure' script
LDFLAGS="-L/usr/local/globus-6/lib" ./configure ....
then it picks up 'globus_gsi_proxy_handle_set_extensions' just fine and
the problem is resolved.
HTH,
JJK / Jan Just Keijser
Nikhef
Amsterdam
On 6/24/15, 10:34 AM, [email protected] on behalf of
Lanati, Matteo wrote:
Hi Jan,
I see your point (upload a VOMS enabled proxy, generated locally), but I
want to store on MyProxy a plain proxy (without signature) and retrieve a
credential with a VO extension. It's MyProxy that should contact the VOMS
server to get the signature. The goal is to avoid to install (and
configure) the VOMS utils on the client, since it is a tedious task.
I think that when I do a "myproxy-logon -m esr", myproxy-logon realises
that it received a proxy without the signature, then it tries to add it
looking for voms-proxy-init, as a fallback. I want MyProxy to do the
dirty work for me and for my users ;-) . It used to work on GT
5.2.4/5.2.5. As explained by Jim in the previous mail, something changed
in the meanwhile.
All the best,
Matteo
On 24 Jun 2015, at 17:11, Jan Just Keijser <[email protected]> wrote:
Hi,
the error is on the client side:
Enter MyProxy pass phrase:
failed to run voms-proxy-init: No such file or directory
A credential has been received for user Š
when you run
myproxy-logon -m esr
the myproxy-logon command tries to launch 'voms-proxy-init -voms esr
.....' and it fails to find voms-proxy-init.
FWIW:
I've download globus_toolkit-6.0.1433516164, built myproxy with voms
support and launched a MyProxy server. It listed VOMS supported, and
indeed, when I upload a vomsified proxy to it the proxy is stored.
Delegated proxies (e.g. run 'myproxy-get-delegation' without listing a
voms server) included the VOMS info from the original upload.
