indigo-iam / voms-importer

A VOMS import script for INDIGO IAM

Cleanup of linked certificates #15

Open vokac opened 1 year ago

vokac commented 1 year ago

New certificates are added with link_certificate, but for full synchronization it is also necessary to remove DNs that no longer exist in the source VOMS. We are just aggregating in IAM bad / incorrect DNs that were cleaned up a long time ago from VOMS, and to be able to use IAM SCIM as the account source for other services (e.g. Rucio) we should get rid of these problematic entries, which sometimes don't even have correct encoding for the DN.

giacomini commented 1 year ago

In practice this would mean removing all certificates from IAM before adding the ones present in VOMS. But in this way you can't add a certificate only in IAM.

vokac commented 1 year ago

I'm able to delete an individual problematic certificate with

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "operations": [{
    "op": "remove",
    "path": "certificates",
    "value": {
      "urn:indigo-dc:scim:schemas:IndigoUser": {
        "certificates": [{
          ... all cert details ...
        }]
      }
    }
  }]
}

giacomini commented 1 year ago

Sure, you can also do it from the dashboard. But how does this address the issue?

Before finding a solution, we should probably answer the question: what is a problematic certificate?

vokac commented 1 year ago

People in the past got certificates from the CN=TERENA eScience Personal CA 3,O=TERENA,L=Amsterdam,ST=Noord-Holland,C=NL issuer, which is now replaced with CN=GEANT eScience Personal CA 4,O=GEANT Vereniging,C=NL. Certificates issued by these CAs have the same subject, and that means that due to https://github.com/indigo-iam/iam/issues/454 the new certificate can't be imported in IAM without cleaning the old one first.

giacomini commented 1 year ago

Ok, but assuming https://github.com/indigo-iam/iam/issues/454 is fixed, would this be enough to consider also this issue (and #8) fixed? I fail to see how the importer can be changed to address this issue (and #8).

Maybe we can run a one-time campaign to clean from IAM the certificates with issuer "CN=TERENA eScience Personal CA 3". That should be possible with the APIs.
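
As an added example (not code from voms-importer or from either commenter), the script below plans such a one-time campaign: for each SCIM user record it collects the certificates whose issuer is the retired TERENA CA, builds the same PatchOp `remove` payload quoted earlier in the thread, and flags subjects that would be left with no certificate at all, so the replacement GEANT certificate can be imported first. The field names `subjectDn` / `issuerDn`, the `/scim/Users/{id}` path and the sample user records are assumptions; nothing is sent to a server.

```python
"""Plan a one-time SCIM cleanup of certificates issued by a retired CA.

Added example, not part of the voms-importer project. Assumes (not verified
against the page) that IAM's SCIM user representation lists certificates in
the IndigoUser extension with "subjectDn" and "issuerDn" fields; the PatchOp
shape is the one quoted in the thread.
"""
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
INDIGO_USER_SCHEMA = "urn:indigo-dc:scim:schemas:IndigoUser"

# Issuers as quoted in the thread: the retired CA and its replacement.
RETIRED_ISSUER = "CN=TERENA eScience Personal CA 3,O=TERENA,L=Amsterdam,ST=Noord-Holland,C=NL"
REPLACEMENT_ISSUER = "CN=GEANT eScience Personal CA 4,O=GEANT Vereniging,C=NL"

# Constructed sample SCIM user records (not real accounts).
SAMPLE_USERS = [
    {   # alice already has the replacement certificate with the same subject
        "id": "user-a",
        "userName": "alice",
        INDIGO_USER_SCHEMA: {"certificates": [
            {"subjectDn": "CN=Alice Example,O=Example Org,C=NL",
             "issuerDn": RETIRED_ISSUER, "display": "old"},
            {"subjectDn": "CN=Alice Example,O=Example Org,C=NL",
             "issuerDn": REPLACEMENT_ISSUER, "display": "new"},
        ]},
    },
    {   # bob only has the retired certificate: removal would leave him without one
        "id": "user-b",
        "userName": "bob",
        INDIGO_USER_SCHEMA: {"certificates": [
            {"subjectDn": "CN=Bob Example,O=Example Org,C=NL",
             "issuerDn": RETIRED_ISSUER, "display": "only"},
        ]},
    },
    {"id": "user-c", "userName": "carol"},  # no IndigoUser extension at all
]


def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around commas.
    A simplification: full RFC 4514 comparison would also handle escaping."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def certificates_of(user):
    """Certificates of a SCIM user record, or [] when the extension is absent."""
    return user.get(INDIGO_USER_SCHEMA, {}).get("certificates", [])


def build_remove_patch(certs):
    """SCIM PatchOp removing the given certificate entries (shape from the thread)."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "operations": [{
            "op": "remove",
            "path": "certificates",
            "value": {INDIGO_USER_SCHEMA: {"certificates": certs}},
        }],
    }


def plan_cleanup(users, retired_issuer=RETIRED_ISSUER):
    """Return {user_id: {"patch": PatchOp, "orphaned_subjects": [...]}} for every
    user holding a certificate from the retired issuer. orphaned_subjects lists
    subjects with no remaining certificate after the removal, so an operator can
    import the replacement certificate first instead of locking the user out."""
    wanted = normalize_dn(retired_issuer)
    plan = {}
    for user in users:
        certs = certificates_of(user)
        to_remove = [c for c in certs if normalize_dn(c.get("issuerDn", "")) == wanted]
        if not to_remove:
            continue
        remaining = {normalize_dn(c["subjectDn"]) for c in certs if c not in to_remove}
        orphaned = sorted({c["subjectDn"] for c in to_remove
                           if normalize_dn(c["subjectDn"]) not in remaining})
        plan[user["id"]] = {"patch": build_remove_patch(to_remove),
                            "orphaned_subjects": orphaned}
    return plan


if __name__ == "__main__":
    for user_id, entry in plan_cleanup(SAMPLE_USERS).items():
        print(f"PATCH /scim/Users/{user_id}")  # endpoint path is an assumption
        print(json.dumps(entry["patch"], indent=2))
        if entry["orphaned_subjects"]:
            print("would be left without a certificate:", entry["orphaned_subjects"])
```

Running it prints one PatchOp per affected user; in a real campaign the orphaned subjects list is the set of accounts to handle manually (import the GEANT certificate first, then apply the removal) rather than patching blindly.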

vokac commented 1 year ago

With https://github.com/indigo-iam/iam/issues/454 fixed, import is still not perfect, but we can live with that.