VOMS Admin server v. 3.3.2

This release provides minor fixes to the CERN OrgDB integration code and a new flag that allows to skip checks on certificate issuer when doing user authentication.

How to turn off certificate issuer checks

By default, VOMS Admin authenticates users considering certificate subject and issuer. This means that the following certificate:

subject= /C=IT/O=IGI/CN=test0
issuer= /C=IT/O=IGI/CN=Test CA

is considered a different identity from:

subject= /C=IT/O=IGI/CN=test0
issuer= /C=IT/O=IGI/CN=Test CA 2

It is now possible to authenticate users skipping the checks on the certificate issuer, by setting the voms.skip_ca_check=True in the /etc/voms-admin/<VO>/service.properties file for a given VO.

By setting the above property, the two example certificates would be considered the same user.

In order to have consisten behaviour among voms and voms-admin service, you should set the skip-ca-check option for both services.

This can be done in two ways:

  • reconfiguring the affected VOs with voms-configure and specifying the --skip-ca-check and --admin-skip-ca-check option when running the command, as in the following example:

      voms-configure install --vo <my.vo> --skip-ca-check --admin-skip-ca-check ...

    Running the above command will modify the voms-admin and voms configuration for the affected VO

  • by setting, for a given VO

    • the voms.skip_ca_check=True in the /etc/voms-admin/<VO>/service.properties file
    • the --skipcacheck flag in the /etc/voms/<VO>/voms.conf file

In both cases, services need to be restarted for the change to take effect.

Bug fixes and improvements

  • VOMS-605 : Add ability to skip certificate issuer checks in VOMS Admin authentication
  • VOMS-588 : VOMS OrgDB sync should also update phone number for registered users
  • VOMS-586 : VOMS Admin should take user phone number from the CERN OrgDB when is defined
  • VOMS-585 : VOMS Admin should only request the user the enter his email address to search CERN OrgDB information
  • VOMS-564 : VOMS Admin should not show sensitive information taken from the HR db at registration time
  • VOMS-563 : VOMS Admin should show link to CERN phonebook when HR DB integration is enabled

Installation and configuration

Clean install

Follow the instructions in the VOMS System Administrator Guide.

Upgrade from v. >= 3.2.0

The upgrade requires a service restart. After the packages have been updated, run the following commands:

service voms-admin stop
service voms-admin undeploy
service voms-admin start

Upgrade from earlier VOMS Admin versions

Upgrading to this version requires an upgrade of the database and a reconfiguration depending on the version of VOMS admin which is being upgraded. Follow the instructions in the VOMS System Administrator Guide.

Upgrade from Actions required
v. 3.1.0 db upgrade
v. 2.7.0 db upgrade reconfiguration