Hi Chris,
you can check out this page for examples:
Scroll down for HTCondor 24 --> should work also for 25.
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Chris Brew - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Monday, May 4, 2026 7:36 PM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Cc: Chris Brew <chris.brew@xxxxxxxxxx>
Subject: [HTCondor-users] Problem setting up VOMS authentication on a new CondorCE

Hi All,
We're trying to set up some new CondorCEs to replace our ArcCEs but am having some issues getting VOMS Authentication to work (unfortunately, I think it's still needed for now for some of the VOs we support).
If I put a very basic:
SSL /.*/ cms001
Mapping into the map file, I can run
condor_ce_trace and get a job into the condor_ce_schedd and job_router as expected and the x509UserProxy.* ClassAds are all populated with the values I expect.
However, if I put any more complex regex in there, the mapping fails. Eventually in desperation, I tried a mapping of:
SSL /(.*)/ \1
Hoping that the error would tell me something about the format of the VOMS FQDN I was trying to match. It sort of did,
condor_ce_trace failed as expected with this line in the stack trace:
htcondor2_impl.HTCondorException: Failed to create new cluster.SCHEDD:28:AP user has OS user value unauthenticated, which is not a valid OS account.
I'm guessing that I've missed switching some knob on to enable VOMS mapping but cannot figure out which one.
This is Condor CE 25.7.0 on AlmaLinux 10:
# condor_ce_version
$HTCondorCEVersion: 25.7.0 $
$CondorVersion: 25.8.2 2026-04-15 BuildID: 896299 PackageID: 25.8.2-1 GitSHA: 37a36d5f $
$CondorPlatform: x86_64_AlmaLinux10 $
Any ideas?
Thanks,
Chris.
# condor_ce_config_val -dump | grep -E 'SSL|VOMS'
AUTH_SSL_ALLOW_CLIENT_PROXY = True
AUTH_SSL_AUTOGENERATE_CERTFILE = $(ETC)/hostcert.pem
AUTH_SSL_AUTOGENERATE_KEYFILE = $(ETC)/hostkey.pem
AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates
AUTH_SSL_CLIENT_CAFILE =
AUTH_SSL_CLIENT_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_CLIENT_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_CLIENT_USE_DEFAULT_CAS = true
AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE = false
AUTH_SSL_REQUIRE_CLIENT_MAPPING = True
AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
AUTH_SSL_SERVER_CAFILE =
AUTH_SSL_SERVER_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_SERVER_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_SERVER_USE_DEFAULT_CAS = true
AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR = True
AUTH_SSL_USE_VOMS_IDENTITY = true
BOOTSTRAP_SSL_SERVER_TRUST = false
BOOTSTRAP_SSL_SERVER_TRUST_PROMPT_USER = true
COLLECTOR.SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR_BOOTSTRAP_SSL_CERTIFICATE = false
GAHP_SSL_CADIR =
GAHP_SSL_CAFILE =
SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
SEC_CLIENT_AUTHENTICATION_METHODS = FS, TOKEN, SCITOKENS, SSL
SSL_SKIP_HOST_CHECK = false
USE_VOMS_ATTRIBUTES = True
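An added example, not part of the original messages or of HTCondor: a small offline dry-run of first-match-wins map-file evaluation, which shows which line a given identity would hit and flags catch-all lines such as `SSL /.*/ cms001` that map every authenticated SSL identity to one account. Assumptions: Python's `re` stands in for the regex engine the CE uses, matching is unanchored, the identity strings are constructed, and the "DN,FQAN" layout of a VOMS identity is assumed rather than taken from the thread.

```python
import re

# METHOD /regex/ canonical_name ; the regex may contain escaped slashes (\/)
LINE_RE = re.compile(r"^(\S+)\s+/((?:\\.|[^/\\])*)/\s+(\S+)\s*$")

def parse_map(text):
    """Return [(lineno, method, compiled_regex, canonical_template), ...]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'METHOD /regex/ name': {raw!r}")
        entries.append((lineno, m.group(1).upper(), re.compile(m.group(2)), m.group(3)))
    return entries

def map_identity(entries, method, identity):
    """First matching line wins; returns (lineno, canonical_name) or None."""
    for lineno, meth, rx, template in entries:
        if meth != method.upper():
            continue
        hit = rx.search(identity)  # assumption: unanchored match
        if hit:
            # expand \1..\9 back-references in the canonical name
            name = re.sub(r"\\(\d)", lambda g: hit.group(int(g.group(1))) or "", template)
            return lineno, name
    return None

def catch_all_lines(entries):
    """Line numbers whose regex also matches an identity nobody listed."""
    probe = "constructed-unlisted-identity"
    return [lineno for lineno, _, rx, _ in entries if rx.search(probe)]

# Constructed inputs. The first mapping line is hypothetical; the second is from the message.
SAMPLE_MAP = r"""
# VOMS-specific line placed ahead of the catch-all
SSL /,\/cms\/Role=pilot\/Capability=NULL/ cmspilot
SSL /.*/ cms001
"""
ECHO_MAP = r"SSL /(.*)/ \1"  # the diagnostic mapping from the message
PLAIN = "/DC=org/DC=example/CN=Constructed User"        # constructed DN
PILOT = PLAIN + ",/cms/Role=pilot/Capability=NULL"      # assumed DN,FQAN layout

if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    for ident in (PILOT, PLAIN):
        print(ident, "->", map_identity(entries, "SSL", ident))
    print("catch-all lines:", catch_all_lines(entries))
    print("echo map:", map_identity(parse_map(ECHO_MAP), "SSL", PLAIN))
```

With the echo mapping the canonical name is the identity string itself, so whatever the CE authenticated the client as is what it then tries to use as the OS account.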