Tools/Manuals/TS113
Revision as of 14:49, 3 July 2018 by imported>Apaolini
This article is deprecated and should no longer be used, but is still available for reference.
AccessControlBaseRule has an invalid format
Full message
gstat2.0 can report an error:
gstat-validate-se -p 2170 -H site-bdii.example.org -b Mds-vo-name=SITE-NAME,o=Grid
ERROR: some-SE.example.org, AccessControlBaseRule has an invalid format, ops ACBR has an invalid format
Diagnosis
A command like
ldapsearch -x -H ldap://site-bdii.example.org:2170 -b \
  Mds-vo-name=SITE-NAME,o=Grid \
  objectClass=GlueSA GlueSAAccessControlBaseRule
returns a line like
GlueSAAccessControlBaseRule: some-VO
when it should be
GlueSAAccessControlBaseRule: VO:some-VO
Solution
Recent SE info providers should no longer generate the legacy format for a GlueSAAccessControlBaseRule value, which was just the name of the relevant VO. The value should now carry either a VO: prefix, when access is granted to the whole VO, or a VOMS: prefix, when access is restricted to a VOMS group or role.
On a DPM the legacy format appears when the info provider uses the "--legacy" option: check /opt/glite/yaim/functions/config_gip_dpm and the resulting /opt/glite/etc/gip/provider/se-dpm.
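The check from the Diagnosis section can be run over every storage area at once by filtering the ldapsearch output for values that lack a VO: or VOMS: prefix. This is an added example, not part of the original manual or of gstat; the function names find_legacy_acbr and sample_ldif and the sample LDIF entries (including their DNs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report GlueSAAccessControlBaseRule values in the legacy format.
# find_legacy_acbr (hypothetical name) reads LDIF on stdin and prints
# "<dn><TAB><value>" for each value without a VO: or VOMS: prefix.
find_legacy_acbr() {
    awk '
        function check(line,    val) {
            if (line ~ /^dn: /) { dn = substr(line, 5); return }
            if (line !~ /^GlueSAAccessControlBaseRule: /) return
            val = substr(line, length("GlueSAAccessControlBaseRule: ") + 1)
            # Accepted forms: VO:<name> or VOMS:<group or role>
            if (val !~ /^(VO|VOMS):./) print dn "\t" val
        }
        # LDIF folds long lines: a continuation line starts with one space.
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") check(buf); buf = $0 }
        END { if (buf != "") check(buf) }
    '
}

# Constructed sample of ldapsearch output (not taken from a real site BDII).
# The first dn is folded across two lines, as ldapsearch does by default.
sample_ldif() {
    cat <<'EOF'
dn: GlueSALocalID=ops,GlueSEUniqueID=some-SE.example.org,Mds-vo-name=SITE-NAM
 E,o=Grid
GlueSAAccessControlBaseRule: ops

dn: GlueSALocalID=some-VO,GlueSEUniqueID=some-SE.example.org,Mds-vo-name=SITE-NAME,o=Grid
GlueSAAccessControlBaseRule: VO:some-VO
GlueSAAccessControlBaseRule: VOMS:/some-VO/Role=production
EOF
}

# Offline demonstration on the constructed sample.
sample_ldif | find_legacy_acbr

# Against a live site BDII, pipe the query from the Diagnosis section instead:
#   ldapsearch -x -LLL -H ldap://site-bdii.example.org:2170 \
#     -b Mds-vo-name=SITE-NAME,o=Grid \
#     objectClass=GlueSA GlueSAAccessControlBaseRule | find_legacy_acbr
```

Empty output means every published rule already uses the prefixed format.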