This patch introduces the glite-GLEXEC_wn metapackage for gLite 3.2.
YAIM update:
The YAIM module can configure multiple SCAS endpoints for fail-over and fault tolerance.
To set up multiple endpoints, set SCAS_ENDPOINTS to a whitespace-delimited list of endpoint URLs, none of which contains whitespace. Example:
SCAS_ENDPOINTS="https://scas1.site.com:8443/ https://scas2.site.com:8443/"
which results in lcmaps.db like:
scasclient = "lcmaps_scas_client.mod"
"-capath /etc/grid-security/certificates"
"--endpoint https://scas1.site.com:8443"
"--endpoint https://scas2.site.com:8443"
"-resourcetype wn"
"-actiontype execute-now"
Verify Proxy:
The certificate chain depth limit has been raised to the depth of the certificate chain. The OpenSSL library seems to have a built-in limit of
9 certificates. This means that verify-proxy will fail when it has to check more than 9 certificates (including the CA,
personal/service and proxies). This limit has been raised to equal the length of the certificate chain itself.
The new maximum number of delegations that verify-proxy can handle (using gLExec as a frontend) is roughly 200 delegations when using 1024 keys.
The next upper limit is the 1MB maximum size of a proxy file read by gLExec, which is quite a safe limit. Other tools might
not impose this limitation, and verify-proxy should be able to check a certificate chain as big as the memory of a machine can hold.
A problem surfaced with the code change: it could only handle single-level CAs. CAs that have a subordinate or intermediate CA that performs
the EEC signing are now supported again.
When your proxy certificate's DN grows too large, because the DN expands with every delegation step, the log messages could
overflow a buffer. This is solved by truncating the log message properly. This effect has been shown to happen when testing the proxy verification
with more than ~35 proxy delegations.
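An added example, not code from LCMAPS or verify-proxy: one way to format a log line containing a long proxy DN into a fixed buffer so that it is truncated and marked instead of overflowing. The 256-byte buffer, the function names and the sample DN are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 256            /* assumed size; the page does not give one */
#define TRUNC_MARK   "...[truncated]"

/* Format into buf without ever writing past size bytes.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_log(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (buf == NULL || size <= sizeof(TRUNC_MARK))
        return -1;
    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);   /* bounded, always NUL-terminated */
    va_end(ap);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)needed < size)
        return 0;
    /* Overwrite the tail (marker plus NUL) so a reader sees the DN was cut. */
    memcpy(buf + size - sizeof(TRUNC_MARK), TRUNC_MARK, sizeof(TRUNC_MARK));
    return 1;
}

/* Constructed sample: a subject DN that gains one "/CN=proxy" per delegation. */
size_t build_proxy_dn(char *dn, size_t size, int delegations)
{
    size_t len = (size_t)snprintf(dn, size, "/O=Example/OU=Users/CN=Jane Doe");
    for (int i = 0; i < delegations && len < size; i++)
        len += (size_t)snprintf(dn + len, size - len, "/CN=proxy");
    return len < size ? len : size - 1;
}

int main(void)
{
    char dn[1024], msg[LOG_BUF_SIZE];
    for (int n = 10; n <= 40; n += 15) {      /* 10, 25 and 40 delegations */
        build_proxy_dn(dn, sizeof dn, n);
        int rc = format_log(msg, sizeof msg, "verify-proxy: subject %s", dn);
        printf("delegations=%d truncated=%d len=%zu\n", n, rc, strlen(msg));
    }
    return 0;
}
```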
Platform support:
LCMAPS is available on all 32 and 64 bit platforms for SL4, SL5, debian4 and debian5.
saml2-xacml2-c-lib can be built on all 32 and 64 bit platforms for SL4, SL5 and debian4. (The incompatibility with debian5 64bit will
be fixed in a next release.) As a result, the SCAS client and SCAS service cannot be built on more platforms than these.
The SCAS service and SCAS client packages can be built on the same set of platforms as the saml2-xacml2-c-lib: currently all 32 and
64 bit platforms for SL4, SL5 and debian4*.
* Upstream build issues on the debian4 platform can't be resolved, but the nightly builds were successful on debian4 32 and 64 bit.
LCAS:
- Solved segmentation faults when a malformed proxy was provided by the calling library or application.
- When using the lcas_pem interface (used by gLExec, SCAS and third parties) the wrong individual certificate was selected: the first
delegation was selected, not the final delegation of the certificate chain. This also disturbed the call to the voms-api from a
plugin which uses the certificate and certificate chain.
- The extraction of the user's subject DN has been replaced. The Globus code calculates the RDN count of the individual certificate and
strips off a number of RDNs equal to the number of delegations. This process is error prone, causes segmentation faults when used in the wrong way,
and is overly complex. It has been replaced by a safer approach which has been used in LCMAPS for years.
LCAS & LCMAPS Syslog problem:
Not all information was written properly to syslog. This is improved, but the output is still not fully the same: big differences might still be noticed
between the two log destinations. A lot of interesting messages are now published in syslog. The information that is left in the gap will be
investigated, but the fix should let the syslog contain sufficient information to debug LCAS and LCMAPS failure conditions.
Information is now prevented from being sent at syslog level '0' (zero, meaning a system broadcast): its log severity is restamped
to LOG_ERR.
This update fixes various bugs. For the full list of bugs, please see the list below.
This package contains three basic authorization plugins for LCAS: 1) allow-user module (currently the gridmapfile is used), 2) ban-user module, 3) timeslots availability module.
This package provides the timeslot (fabric opening hours), poolaccount selection, localaccount selection, LDAP enforcement and POSIX enforcement (changing the process ownership to the mapped user).
This package provides the LCMAPS plugins for specialised VOMS handling: voms_localaccount, voms_localgroup, voms_poolgroup and voms_poolaccount. (It is recommended to use the voms_localgroup and voms_poolaccount.)