Discover Why a Member is not a Member of A VO.

There are many many reasons why a particular user is not a member of a VO when they think they should be.

Here are a number of things to check. For benefit of the examples I am looking for me. Obviosly change for who you are looking for.

Check if they are voms-admin

For each VO you can visit: and search for them by name usually.

If they are voms click and the data looks correct click on the more info button and send the URL to them. Essentially as far as we are concerned they are in VO.

Check if they are in the HR Database.

People need to be in the HR database associated with their experiment so check that.

  • Login into , this is the single backend vomrs machine.
  • Run the script:
  • Find their person id based on their email address.
select EMAIL,NAME,PERSON_ID from foundation_pub.voms_persons where upper(email) like upper('%traylen%');
NAME                      PERSON_ID
------------------------ ----------
TRAYLEN                      613539
  • Now find their experiment status, pretending result shows I am in alice for the sake of the example
select EXPERIMENT,START_DATE,END_DATE from foundation_pub.person_participation where PERSON_ID='613539';
EXPERIMENT                                                   START_DAT END_DATE
------------------------------------------------------------ --------- ---------
ATLAS                                                        16-APR-08
ALICE                                                        12-OCT-10

i.e from this I am in Alice and Atlas now, this is necessary.

If the user is not point them to this web interface where you can do the same thing in fact but it's not as fun.

If they are not in the graybook they should contact their experiment secretariat to understand why. vomrs is complete slave to the data in the graybook.

Check if they are in the VOMRS Database

If they in the HR database but not in the voms-admin database you need to check in vomrs. You need to know preferably the DN else name or email are probably good enough. You must know the VO.

  1. Login into or (see VomsNodes)
  2. Run the script: <voname>
  3. Make sure the certificate is still valid. In this example it is:
SELECT member_id, certificate_status
FROM member_dns WHERE distinguished_name LIKE '%LastNameYouGuessedFromDN%';

MEMBER_ID CERTIFICATE_STA --------- --------------- 42 Approved
  1. Find out whether the VOMS membership has expired. In this example it has:
SELECT member_status, status_reason FROM members WHERE member_id = '42';
MEMBER_STATUS STATUS_REASON ------------- ------------------------- Expired VO membership has expired

What to do if:

User is in vomrs but not in voms-admin

Take a look at the vomrs logs in /var/log/vomrs on the vomrs backend node , grep for the ERROR and or parts of the DN or email address of the user.

This topic: LCG > LCGSecurity > VomsCern > VomsIdentifyMissing
Topic revision: r7 - 2013-12-18 - AlbertoRodriguezPeon
This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback