This release provides minor fixes to the CERN OrgDB integration code and a new flag that allows skipping the certificate issuer check during user authentication.
By default, VOMS Admin authenticates users considering certificate subject and issuer. This means that the following certificate:
    subject= /C=IT/O=IGI/CN=test0
    issuer= /C=IT/O=IGI/CN=Test CA
is considered a different identity from:
    subject= /C=IT/O=IGI/CN=test0
    issuer= /C=IT/O=IGI/CN=Test CA 2
It is now possible to authenticate users without checking the certificate issuer, by setting voms.skip_ca_check=True in the /etc/voms-admin/<VO>/service.properties file for a given VO.
With this property set, identity is determined by the certificate subject alone, so the two example certificates would be considered the same user.
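To see which registered certificates would merge into a single identity once the issuer check is skipped, the following added example (not VOMS Admin code) compares the two matching modes. The certificate list is constructed sample data, the function names are hypothetical, and case-insensitive parsing of the property value is an assumption.

```python
from collections import defaultdict

# Constructed sample data: (subject, issuer) pairs as registered in a VO.
REGISTERED = [
    ("/C=IT/O=IGI/CN=test0", "/C=IT/O=IGI/CN=Test CA"),
    ("/C=IT/O=IGI/CN=test0", "/C=IT/O=IGI/CN=Test CA 2"),
    ("/C=IT/O=IGI/CN=test1", "/C=IT/O=IGI/CN=Test CA"),
]

def skip_ca_check_enabled(properties_text):
    """Return True if voms.skip_ca_check is set to true in the given
    service.properties text. Handles only simple key=value lines; the
    case-insensitive comparison of the value is an assumption."""
    enabled = False
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "voms.skip_ca_check":
            enabled = value.strip().lower() == "true"  # last assignment wins
    return enabled

def identity_key(subject, issuer, skip_ca_check):
    """Key used to decide whether two certificates are the same user."""
    return subject if skip_ca_check else (subject, issuer)

def merged_identities(certs, skip_ca_check):
    """Return identity keys that cover certificates from more than one
    issuer, mapped to the sorted list of those issuers."""
    groups = defaultdict(set)
    for subject, issuer in certs:
        groups[identity_key(subject, issuer, skip_ca_check)].add(issuer)
    return {key: sorted(issuers) for key, issuers in groups.items()
            if len(issuers) > 1}

if __name__ == "__main__":
    sample_properties = "# constructed sample\nvoms.skip_ca_check=True\n"
    flag = skip_ca_check_enabled(sample_properties)
    for subject, issuers in merged_identities(REGISTERED, flag).items():
        print(f"{subject} is one user across issuers: {issuers}")
```

Running this against an export of a VO's registered certificates before enabling the flag shows which subject names appear under more than one CA.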
In order to have consistent behaviour between the voms and voms-admin services, you should set the skip-ca-check option for both services.
This can be done in two ways:
reconfiguring the affected VOs with voms-configure and specifying the --admin-skip-ca-check option when running the command, as in the following example:
    voms-configure install --vo <my.vo> --skip-ca-check --admin-skip-ca-check ...
Running the above command will modify the voms-admin and voms configuration for the affected VO
by setting, for a given VO, the --skipcacheck flag in the
In both cases, services need to be restarted for the change to take effect.
Follow the instructions in the VOMS System Administrator Guide.
The upgrade requires a service restart. After the packages have been updated, run the following commands:
    service voms-admin stop
    service voms-admin undeploy
    service voms-admin start
Upgrading to this version requires a database upgrade and, depending on the version of VOMS Admin being upgraded, a reconfiguration. Follow the instructions in the VOMS System Administrator Guide.
| Upgrade from | Actions required |
|---|---|
| v. 3.1.0 | db upgrade |
| v. 2.7.0 | db upgrade, reconfiguration |