Tools/Manuals/TS113
< Tools
Jump to navigation
Jump to search
Revision as of 16:18, 15 September 2011 by Aesch (talk | contribs) (Created page with '{{TOC_right}} Category:FAQ ------ Back to Troubleshooting Guide ------ = AccessControlBaseRule has an invalid format = == Full messag…')
Back to Troubleshooting Guide
AccessControlBaseRule has an invalid format
Full message
gstat2.0 can report an error:
gstat-validate-se -p 2170 -H site-bdii.example.org -b Mds-vo-name=SITE-NAME,o=Grid ERROR: some-SE.example.org, AccessControlBaseRule has an invalid format, ops ACBR has an invalid format
Diagnosis
A command like
ldapsearch -x -H ldap://site-bdii.example.org:2170 -b \ Mds-vo-name=SITE-NAME,o=Grid \ objectClass=GlueSA GlueSAAccessControlBaseRule
returns a line like
GlueSAAccessControlBaseRule: some-VO
when it should be
GlueSAAccessControlBaseRule: VO:some-VO
Solution
Recent SE info providers should no longer generate the legacy format for a GlueSAAccessControlBaseRule value, which was just the name of the relevant VO. These days the value should either have a VO: prefix for the whole VO, or VOMS: for a VOMS group or role when the access is restricted to that.
On a DPM the legacy format appears when the info provider uses the "--legacy" option: check /opt/glite/yaim/functions/config_gip_dpm and the resulting /opt/glite/etc/gip/provider/se-dpm.