
Using the VO Directory Services

The NIKHEF test bed uses the VO Directory Tools from the EDG WP6 Authorization Group. The "GroupMan" tool from CalTech can manipulate these directories as well, with an -- in principle -- nicer user interface. This document, dated 2002.07.29, describes the experiences in installing and running VOgroup.py.

Python Horror

Of course, being python :-), this script requires multiple non-standard modules: python-ldap, gtk and M2Crypto. The only consistent set of python-ldap, python-GTK and a system-standard python install could be obtained on RedHat 7.2 as installed on fs2.das2.nikhef.nl. In particular, no matching combination could be found on the EDG test bed (RH6.2). On DAS-2, you will have to run python-2.1: no other version will do the job.
Using the RPMs you can install python-ldap and gtk, but not M2Crypto. This module can be obtained in source format only for UNIX platforms (a Win32 binary is available). In order to make M2Crypto, you need a specific python version (at least 2.1 worked, sigh), and you must have SWIG-1.3.6 and only 1.3.6. No other version of SWIG will work (you get all kinds of syntax errors in the ".i" files). This is not a standard SWIG version, so you need to get a new RPM. The RPM as distributed on EDG TB1 worked on RedHat 7.2, and installed in /usr/local (so you do not destroy the working system). Since swig does not expect to live in /usr/local, you should modify the makefile for M2Crypto. The line with "swig" on it should read:
_m2crypto:      _m2crypto.i
        swig -I/usr/local/lib/swig1.3 -I/usr/local/lib/swig1.3/python -python -shadow _m2crypto.i
Of course, you should change the rest of the makefile as well to reflect the python install in /usr (not /usr/local) on RH72.

Putting the lot together

The python-ldap and pygtk can be converted into CPIO archives and the /usr/lib/..../site-packages stuff copied locally. You can delete the rest of the tree. Also copy M2Crypto, but remember that the PYTHONPATH should point one level higher than the location of M2Crypto!

Now, you should be able to start VOgroup.py as:

PYTHONPATH=./pygtk:./pyldap:. python2.1 VOgroup.py

Remaining mess

As of yet (2002.07.29) I was not able to parse a PEM-formatted user cert, so you cannot add new users to the group directory, except through (untested!) the CA LDAP directory interface.
The CA LDAP iface suggests that it will actually load the entire CA database into the VO directory. This is conceptually horrid, but since the grid-mapfile is generated from the subgroups it is not an immediate security threat. But the original idea was that the VO Manager is authoritative for adding people to the VO (ou=People), whereupon the Group Admins can take those persons and add them to their specific project group.
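
The authority model described above can be checked mechanically; the following is an added example, not part of VOgroup.py or the EDG tools, written for current Python 3. It builds grid-mapfile lines from subgroup membership only and reports subgroup members that the VO Manager never placed in ou=People. The directory layout, DNs, group names and local account names are constructed assumptions, held in memory instead of being read over LDAP.

```python
# Added example: constructed in-memory stand-in for a VO directory.
# The layout (ou=People plus one entry per project group holding member DNs)
# and every name below are assumptions for illustration, not the EDG schema.

# Certificate subject DNs the VO Manager has placed in ou=People (constructed).
PEOPLE = {
    "/O=example/OU=site-a/CN=Alice Example",
    "/O=example/OU=site-b/CN=Bob Example",
    "/O=example/OU=site-c/CN=Carol Bulkloaded",  # e.g. loaded with the whole CA database
}

# Project groups kept by Group Admins: group -> (local account, member DNs).
GROUPS = {
    "projx": ("projx001", ["/O=example/OU=site-a/CN=Alice Example"]),
    "projy": ("projy001", ["/O=example/OU=site-b/CN=Bob Example",
                           "/O=example/OU=site-d/CN=Mallory Unlisted"]),
}


def build_gridmap(people, groups):
    """Return (gridmap_lines, rejected).

    Only subgroup members are candidates for the grid-mapfile, so a DN that
    exists solely in ou=People never receives a mapping. A subgroup member
    that is absent from ou=People is rejected and reported instead of mapped.
    """
    lines, rejected = [], []
    seen = set()
    for group in sorted(groups):
        account, members = groups[group]
        for dn in members:
            if dn not in people:
                rejected.append((group, dn))
                continue
            if dn in seen:  # keep only the first mapping for a DN
                continue
            seen.add(dn)
            lines.append('"%s" %s' % (dn, account))
    return lines, rejected


if __name__ == "__main__":
    gridmap, rejected = build_gridmap(PEOPLE, GROUPS)
    print("\n".join(gridmap))
    for group, dn in rejected:
        print("# not in ou=People, skipped: %s (group %s)" % (dn, group))
```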

Relevant packages and binaries

These files constitute a consistent set of packages for RedHat 7.2 (as installed on fs2.das2.nikhef.nl).

VOgroup-0.3.0-bin.tar.gz (This is the working setup from DAS-2/RedHat7.2).
SWIG-1.3.6-edg1.i386.rpm.
pygtk-0.6.8-3-p21.i386.rpm.
python-ldap-2.0.0pre04-1.i386.rpm.
m2crypto-0.07-snap3.zip.


Metainfo

Author: David Groep
Date: 2002.07.29

Comments to David Groep