Local condor cluster technical setup

HTCondor configuration


Global Pool resources need to authenticate with the local condor collector. This will require GSI authentication, so please make sure you have the following on your condor system available:

  • A grid-mapfile and CA certificates updated.
  • Optional: A condor_mapfile if only specific user DNs want to be allowed (rather than any user with VO CMS proxy certificates).

grid-mapfile and CA certificates

  • If you don't have a grid-mapfile (usually in: /etc/grid-security/grid-mapfile), please follow  these instructions in order to enable a grid-mapfile of VOs in your system.
  • If you don't have CA certificates (usually in: /etc/grid-security/certificates), please follow this guide.
    • Note: If your host has CVMFS available you can also use the CA certificates from there. More details on the condor configuration.


This is used by condor to allow the authentication of specific DNs. Create this if you would like to restrict the authentication to a certain group of users only.

These Distinguished Names (DN) can be obtained as followed:

$ voms-proxy-info -identity
/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=khurtado/CN=764581/CN=Kenyi Paolo Hurtado Anampa

Please, backslack special characters like spaces, =, /, etc.

GSI "^\/DC\=ch\/DC\=cern\/OU\=Organic\ Units\/OU\=Users\/CN\=khurtado\/CN\=764581\/CN\=Kenyi\ Paolo\ Hurtado\ Anampa" uscms01
GSI (.*) anonymous
FS (.*) \1

Note: If no condor_mapfile is created, the whole grid-mapfile will be used for the authentication table. Then e.g any CMS user mapped to uscms01 can be allowed. This is the default authentication procedure when no condor_mapfile is created.

# map users from grid-mapfile
FS (.*) \1 
FS_REMOTE (.*) \1 
SSL (.*) ssl@unmapped 
KERBEROS ([^/]*)/?[^@]*@(.*) \1@\2 
NTSSPI (.*) \1 
CLAIMTOBE (.*) \1 
PASSWORD (.*) \1 


We will need to specify that condor daemons will require GSI authentication.

Condor configuration
## Add this to your condor configuration.
# This is to authenticate CMS proxies or specific DNs with the collector

# Specify CA directory
GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
# Use this if you have CVMFS available and would like to use the certificates from OASIS instead.
# GSI_DAEMON_TRUSTED_CA_DIR  = /cvmfs/oasis.opensciencegrid.org/mis/osg-wn-client/3.3/current/el6-x86_64/etc/grid-security/certificates

# Specify your grid-mapfile location
GRIDMAP = /etc/grid-security/grid-mapfile

# If you plan to use condor_mapfile, specify the location here
CERTIFICATE_MAPFILE = /etc/grid-security/condor_mapfile

# Allow GSI authentication for condor daemons

# Allow users with CMS proxies