globus / globus-connect-server

Globus Connect Server

wrong GLOBUS_MYPROXY_AUTHORIZED_DN value generated in gsi-authz.conf when "[Security].CILogonIdentityProvider = University of Notre Dame" is set in gcs.conf #18

Closed danpowers closed 5 years ago

danpowers commented 5 years ago

See https://globusonline.zendesk.com/agent/tickets/344865

Initially reported from and reproduced on GCS-4.0.50 RHEL7 systems.

gsi-authz.conf gets generated with GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/C=US/O=University of Notre Dame" when "[Security].CILogonIdentityProvider = University of Notre Dame" is set in gcs.conf:

# cat /var/lib/globus-connect-server/gsi-authz.conf

|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/c2868627.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/C=US/O=University of Notre Dame"
|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/01b5d333.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/C=US/O=University of Notre Dame"

Note "/C=US/C=US/" rather than "/C=US/".

This issue prevented users from being able to access the endpoint using their CILogon credentials. Fixing the DN value resolved the issue.

This does not happen when "[Security].CILogonIdentityProvider = University of Chicago" is set in gcs.conf:

# cat /var/lib/globus-connect-server/gsi-authz.conf

|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/c2868627.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/O=University of Chicago"
|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/01b5d333.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/O=University of Chicago"

michaellink commented 5 years ago

Fixed and released in 4.0.51
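
A check for the symptom reported in this issue, as an added example (not part of the thread and not Globus code): it scans gsi-authz.conf text for GLOBUS_MYPROXY_AUTHORIZED_DN values in which the same component appears twice in a row, and shows the value with the repeat removed. The function names are illustrative, and the sample input is one line of each DN form quoted in the report.

```python
import re

# Matches GLOBUS_MYPROXY_AUTHORIZED_DN="..." as it appears in gsi-authz.conf.
DN_SETTING = re.compile(r'GLOBUS_MYPROXY_AUTHORIZED_DN="([^"]*)"')
# Split only at a "/" that starts a new "TYPE=" component, so a "/" inside
# a value does not break that component apart.
RDN_BOUNDARY = re.compile(r'/(?=[A-Za-z][A-Za-z0-9.]*=)')


def split_dn(dn):
    """Return the components of a slash-separated DN, in order."""
    return [part for part in RDN_BOUNDARY.split(dn) if part]


def repeated_components(dn):
    """Return components that appear twice in a row, e.g. C=US/C=US."""
    parts = split_dn(dn)
    return [cur for prev, cur in zip(parts, parts[1:]) if prev == cur]


def collapse_repeats(dn):
    """Return the DN with each run of identical components reduced to one."""
    kept = []
    for part in split_dn(dn):
        if not kept or kept[-1] != part:
            kept.append(part)
    return "/" + "/".join(kept)


def audit(conf_text):
    """Return (line_number, dn, repeated, collapsed) for each suspect value."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        for dn in DN_SETTING.findall(line):
            repeated = repeated_components(dn)
            if repeated:
                findings.append((number, dn, repeated, collapse_repeats(dn)))
    return findings


# Sample input: one line of each form, copied from the issue report above.
SAMPLE = '''\
|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/c2868627.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/C=US/O=University of Notre Dame"
|globus_mapping libglobus_gridmap_eppn_callout globus_gridmap_eppn_callout ENV:GLOBUS_MYPROXY_CA_CERT=/var/lib/globus-connect-server/grid-security/certificates/c2868627.0 GLOBUS_MYPROXY_AUTHORIZED_DN="/DC=org/DC=cilogon/C=US/O=University of Chicago"
'''

if __name__ == "__main__":
    for number, dn, repeated, collapsed in audit(SAMPLE):
        print(f"line {number}: repeated {repeated} in {dn!r}; without repeat: {collapsed!r}")
```

Only adjacent identical components are flagged, so the legitimate `/DC=org/DC=cilogon` prefix passes.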