It works, it really works!!! I can't believe it works. That's all I
B.T.W.
>Hi Levente (and Alain),
>
>It looks like you need to add -x before -r in your myproxy-init command.
>Here's the myproxy-init man page text:
>
> -r dn, --retrievable_by dn
> Allow the specified entity to retrieve credentials. By default,
> the argument will be matched against the common name (CN) of the
> client (for example: "Jim Basney"). Specify -x before this
> option to match against the full distinguished name (DN) (for
> example: "/C=US/O=National Computational Science Alliance/CN=Jim
> Basney") instead.
>
>If you run myproxy-info, it should show something like:
>
> retrieval policy: */CN=DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu 105387
>
>The -x option tells myproxy-init not to add that "*/CN=" part.
>
>Also, since you mention that you're using a limited proxy, please be
>aware of a change in MyProxy v3.8 and later:
>
> - check if client authenticates with a limited proxy, and if so,
> only allow the client to obtain another limited proxy, unless
> ignore_globus_limited_proxy_flag is set in myproxy-server.config
>
>I had the myproxy.fnal.gov server in mind when I added that
>ignore_globus_limited_proxy_flag option. If in the future you get the
>error message:
>
> Client with limited proxy may not retrieve full credentials.
>
>it means the myproxy-server needs the ignore_globus_limited_proxy_flag
>to be set in myproxy-server.config.
>
>Regards,
>Jim
>
>Alain Roy via RT <vdt-support@opensciencegrid.org> wrote:
>
>
>>Thanks for your question, Levente.
>>
>>As I said on the phone today, I'm not terribly experienced with MyProxy.
>>So I've added Jim Basney to this ticket. He's the current maintainer of
>>MyProxy. I'm betting he can help us out.
>>
>>Any suggestions, Jim?
>>
>>Thanks,
>>-alain
>>
>>
>>
>>>Hello VDT Team,
>>>
>>>This is a usage question on MYPROXY, I am trying to get a full proxy
>>>using a limited proxy from within a running job using my limited proxy
>>>to authenticate. I am trying this between two nodes right now.
>>>
>>>Doing this without authentication seems to work for me. Like this:
>>>
>>>[stargrid02] ~/temp/> myproxy-init -V
>>>
>>>myproxy-init version MYPROXYv2 (v3.6 10 Aug 2006 PAM)
>>>
>>>//From my local node:
>>>
>>>[stargrid02] ~/temp/> myproxy-init -c 0 -s myproxy.fnal.gov
>>>
>>>//From another node, this works:
>>>
>>>[stargrid01] ~/temp/> echo "LeveHIn*@bnl!" | myproxy-logon -s
>>>myproxy.fnal.gov -S
>>>
>>>A credential has been received for user lbhajdu in /tmp/x509up_u7665.
>>>
>>>
>>>
>>>//However when I try this:
>>>
>>>[stargrid02] ~/temp/> myproxy-init -c 0 -s myproxy.fnal.gov -r
>>>"/DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu 105387"
>>>
>>>Your identity: /DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu
>>>105387
>>>
>>>Enter GRID pass phrase for this identity:
>>>
>>>Creating proxy ............................ Done
>>>
>>>Proxy Verify OK
>>>
>>>Your proxy is valid until: Thu Mar 27 11:42:19 2008
>>>
>>>Enter MyProxy pass phrase:
>>>
>>>Verifying - Enter MyProxy pass phrase:
>>>
>>>A proxy valid for 4044 hours (168.5 days) for user lbhajdu now exists
>>>on myproxy.fnal.gov.
>>>
>>>
>>>
>>>
>>>
>>>//It returns this error to me:
>>>
>>>[stargrid01] ~/temp/> echo "LeveHIn*@bnl!" | myproxy-logon -s
>>>myproxy.fnal.gov -S
>>>
>>>Failed to receive credentials.
>>>
>>>ERROR from myproxy-server (myproxy.fnal.gov):
>>>
>>>"/DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu 105387" not
>>>authorized by server's trusted_retrievers policy
>>>
>>>"/DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu 105387" not
>>>authorized by credential's authorized_retrievers policy
>>>
>>>
>>>
>>>
>>>
>>>
>>--
>>View ticket at <http://vdt.cs.wisc.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=3021>
>>VDT Support, vdt-support@ivdgl.org
>>
>>
>
>
>
>
>
Levente B. Hajdu
U.S. Department of Energy
Bldg. 510A Room 1-179
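
Added example, not part of the original thread and not MyProxy code: a shell model of the -r / -x behaviour described in Jim's reply, showing why a full DN passed to -r without -x is denied and how a CN-only policy is broader than a full-DN one. It assumes the stored policy is compared to the client DN as a shell-style glob; the function names and the "Constructed Example CA" DN are made up for illustration.

```shell
#!/bin/sh
# Added illustration; not MyProxy source. Models the -r / -x behaviour from the
# man page text quoted in the thread. Assumption: the stored policy is compared
# to the client DN as a shell-style glob (modelled here with `case`).

# retrieval_policy ARG [-x]: policy string myproxy-init would store for "-r ARG".
retrieval_policy() {
    if [ "${2:-}" = "-x" ]; then
        printf '%s\n' "$1"          # -x: ARG is the full DN, stored unchanged
    else
        printf '*/CN=%s\n' "$1"     # default: ARG is a CN, prefixed with "*/CN="
    fi
}

# policy_allows POLICY CLIENT_DN: succeeds when the glob POLICY matches the DN.
policy_allows() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# verdict POLICY CLIENT_DN: prints "allow" or "deny" for use in reports.
verdict() {
    if policy_allows "$1" "$2"; then echo allow; else echo deny; fi
}

# DN taken from the thread; the remaining values are constructed samples.
DN='/DC=org/DC=doegrids/OU=People/CN=Levente B. Hajdu 105387'
CN='Levente B. Hajdu 105387'
OTHER='/O=Constructed Example CA/CN=Levente B. Hajdu 105387'

echo "full DN without -x : $(verdict "$(retrieval_policy "$DN")" "$DN")"
echo "full DN with -x    : $(verdict "$(retrieval_policy "$DN" -x)" "$DN")"
echo "CN without -x      : $(verdict "$(retrieval_policy "$CN")" "$DN")"
# A CN-only policy is broader: any DN ending in that CN satisfies it.
echo "CN vs other issuer : $(verdict "$(retrieval_policy "$CN")" "$OTHER")"
echo "DN -x vs other     : $(verdict "$(retrieval_policy "$DN" -x)" "$OTHER")"
```

On a real server, myproxy-info shows the stored retrieval policy, so the same comparison can be made against the DN the retrieving client presents.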