Bugzilla – Bug 1679
Unified support for emailAddress in grid-mapfile
Last modified: 2008-08-12 13:32:43
You need to
before you can comment on or make changes to this bug.
I don't find the following answer given on the discuss list to be acceptable.
The middleware (that is, us) should hide any anomalies in the toolkits on
which we depend.
BTW, I recommend emailAddress= throughout.
From: Samuel Meder
Sent: Wednesday, March 31, 2004 16:53
To: Masahiro Ito
Subject: Re: [Globus-discuss] User certificate subject (DN)
On Wed, 2004-03-31 at 06:11, Masahiro Ito wrote:
> Hi all,
> I have a touble with the user certificates that contain EmailAddress in the
> If my user certificate's subject is
> "/C=JP/O=myhome/CN=Masahiro ITO/Emailemail@example.com",
> I must describe DN in grid-mapfile as following (otherwise the operations
> will be failure):
> (1) To use WS in GT3.0.2 and GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/Efirstname.lastname@example.org" masahiro
> (2) To use pre-WS in GT3.0.2
> "/C=JP/O=myhome/CN=Masahiro ITO/Emailemail@example.com" masahiro
> (3) To use pre-WS in GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/emailAddressfirstname.lastname@example.org"
> I found openssl-0.9.6 displays "Email=" and openssl-0.9.7 displays
> ( $ openssl x509 -subject -in certfile )
> But I don't know about "E=".
> I have to use and switch three types of grid-mapfile now.
> But I'd like to use only one grid-mapfile. How to describe such DNs?
> Or shouldn't I use email-address in the certificate subject?
It's somewhat unfortunate. Adding all three entries to the same
grid-mapfile should work, so you will still only have to have one
*** Bug 2766 has been marked as a duplicate of this bug. ***
A work around has been committed to the C code.
Work around committed for Java code.
To elaborate a little: We now canonicalize DNs before comparison
* E= and Email= are changed to emailAddress=
* UID= is changed to USERID=
* all comparisons are done using non-case sensitive string matching
> * E= and Email= are changed to emailAddress=
> * UID= is changed to USERID=
> * all comparisons are done using non-case sensitive string matching
Note that USERID is the old form (GT2) and UID is the new form (GT3, GT4,
OpenSSL 0.9.7). It would be more consistent to change USERID= to UID=.
(If this is just internal, it probably doesn't matter much.)
I've never seen "E=".
I'm not certain that doing a case insensitive match is necessary, or even a
Note that gx-map, <http://users.sdsc.edu/~kst/gx-map/>, automatically
maintains grid-mapfiles and signing_policy files (as well as CA certificates
and CRLs), and handles the USERID vs. UID and Email vs. emailAddress stuff
more or less transparently.