Admins WebATLAS Old + New VOMS Workaround Page
The Problem
The ATLAS VO membership is currently spread accross two disjoint systems. The old system, which began with an LDAP directory at grid-vo.nikhef.nl also includes the VOMS servers at voms.cern.ch and vo.racf.bnl.gov. These two VOMS servers are automatically syncronized with the old LDAP database periodically. The new system consists of a VOMS server and a VOMRS (VOMS management system) at lcg-voms.cern.ch. Only the new system is being updated as new members register. The ATLAS VO managers do not want to automatically import all the old members from the old system for a very good reason: the data is very "dirty". There are invalid names, names without grid certficate DNs, and entries missing an e-mail address. There are certainly people in there who are no longer affiliated with ATLAS. The other reason is that the LCG software stack client tools allow multiple sources to be queried for a given VO, and they have configured their systems to do this. We (USATLAS) cannot simply switch over to the new system, becuase there are hundreds of people who are not yet registered with the new system.The Solution
The long-term solution to this problem is for ALL ATLAS VO members to (re)register to the new VOMRS system and for this to become the definitive, canonical list of ATLAS VO members. (Re)register at https://lcg-voms.cern.ch:8443/vo/atlas/vomrsThe Workaround
Until we can switch entirely to the new system, sites that want to suppport ATLAS will need to add entries and make configuration changes to their gums.config file inside of the GUMS installation. The principal behind these changes is to create groupMapping entries for both OLD and NEW atlas VOMS servers (vo.racf.bnl.gov and lcg-voms.cern.ch) and have old and new both map to the same local UNIX user and group. Then, in the hostGroup section of the gums.config, one puts entries referring to both new and old groupMappings, in that order. Done this way, for any given certificate, it will match the first valid entry and perform the correct mapping. Below are templates for gums.config that contain the relevant entries:- usatlas-group-accounts-template.txt: Complete solution for USATLAS/ATLAS group accounts
- gums.template.usatlas-pools.txt: Snippet to define US/ATLAS Pool Accounts.
Further Help
If you need help with these templates, or need to implement a more complex site-specific scheme, please e-mail me at jhover@bnl.gov -- JohnHover - 03 May 2006About This Site
Please note that this site is a content mirror of the BNL US ATLAS TWiki. To edit the content of this page, click the Edit this page button at the top of the page and log in with your US ATLAS computing account name and password.
Attachments
usatlas-group-accounts-template.txt (7.8K) | JohnHover? , 04 May 2006 - 14:35 | Complete solution for USATLAS/ATLAS group accounts
gums.template.usatlas-pools.txt (4.9K) | JohnHover? , 03 May 2006 - 15:37 | Snippet to define US/ATLAS Pool Accounts.
- USATLAS Site Admin Topics
- Admin Support Home
- Site Setup Help
- Search
- Site Admin Help Desk
- Submit a help ticket
- Facility contacts
- Open Science Grid Support Center
- Facility Integration Program
- Integration home
- Proof-Xrootd
 |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback