https://t2bwiki.iihe.ac.be/index.php?action=history&feed=atom&title=T2BTracAccessT2BTracAccess - Revision history2026-04-20T09:48:26ZRevision history for this page on the wikiMediaWiki 1.43.5https://t2bwiki.iihe.ac.be/index.php?title=T2BTracAccess&diff=258&oldid=prevMaintenance script: Created page with " === Automatic generation of the authorized DNs list ===
Only people from becms and beapps can login to the T2B Trac Wiki. Login restriction is achieved through the https con..."2015-08-26T12:29:06Z<p>Created page with " === Automatic generation of the authorized DNs list ===
Only people from becms and beapps can login to the T2B Trac Wiki. Login restriction is achieved through the https con..."</p>
<p><b>New page</b></p><div><br />
=== Automatic generation of the authorized DNs list ===<br />
Only people from becms and beapps can login to the T2B Trac Wiki. Login restriction is achieved through the https config. on mon :<br />
<pre><br />
[root@mon ~]# cat /etc/httpd/conf.d/ssl.conf<br />
...<br />
<Location "/trac/t2b"><br />
SetHandler mod_python<br />
PythonHandler trac.web.modpython_frontend<br />
PythonOption TracEnvParentDir /var/www/trac<br />
PythonOption TracUriRoot /trac<br />
<br />
SSLVerifyClient require<br />
SSLOptions +FakeBasicAuth +StdEnvVars<br />
SSLRequireSSL<br />
<br />
AuthType Basic<br />
AuthName "test server"<br />
AuthUserFile /tmp/get-dns/t2b-auth<br />
Require valid-user<br />
</Location><br />
</pre><br />
Each line in /tmp/get-dns/t2b-auth is a DN followed by ":" followed by an encrypted password that will not be used. The generation of the file /tmp/get-dns/t2b-auth is not done on mon, because it does not have the middleware tools. Instead, the list is generated on cream02 with the script /root/get_dns.pl that is run with a crontask :<br />
<pre><br />
[root@cream02 ~]# crontab -e<br />
...<br />
*/15 * * * * ( date --iso-8601=seconds --utc; /root/get_dns.pl) >> /var/log/get_dns.log 2>&1<br />
...<br />
</pre><br />
The list is then copied from cream02 to mon thanks to a crontask on qnat :<br />
<pre><br />
[root@qnat ~]# crontab -e<br />
...<br />
0 * * * * scp cream02.iihe.ac.be:/root/get-dns/t2b-auth mon.iihe.ac.be:/tmp/get-dns/<br />
...<br />
</pre><br />
<br />
=== Gory details ===<br />
==== How the DNs list is generated on cream02 ====<br />
It is done with a Perl script that generates a config file ("conf") with the following content :<br />
<pre><br />
group vomss://voms01.begrid.be:8443/voms/beapps?/beapps .beapps<br />
group vomss://voms01.begrid.be:8443/voms/betest?/betest .betest<br />
group vomss://voms.cern.ch:8443/voms/cms?/cms/becms .cms<br />
</pre><br />
The script will then execute the following command :<br />
<pre><br />
/usr/sbin/edg-mkgridmap --conf conf --output out<br />
</pre><br />
The DNs are then extracted from the output file ("out") to generate the content of /root/get-dns/t2b-auth.<br />
<br />
<br />
<br />
{{TracNotice|{{PAGENAME}}}}</div>Maintenance script