Hi George,
All this actually depends on what certificate attributes are extracted and how. You can figure out what was extracted by looking at the log line where each piece of info is printed in the MGM log file. For example, in an instance with the following gsi config:
sec.protocol gsi -crl:0 -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -d:1 -gmapopt:2 -vomsat:1 -moninfo:1
And my certificate VOMS extension looking like this:
=== VO cms extension information ===
VO : cms
subject : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
attribute : /cms/Role=NULL/Capability=NULL
timeleft : 11:47:16
uri : lcg-voms2.cern.ch:15002
Having the following vid rule:
voms:"/cms:":gid => c3
voms:"/cms:":uid => eosarchi
The mapping works fine. You can see in the logs what info the gsi extracted from the certificate and then you can tweak the vid rule to match. In my particular case:
210709 08:57:23 time=1625777843.471083 func=IdMap level=INFO logid=static.............................. unit=mgm@esdss000.cern.ch:1094 tid=00007fab416ae700 source=Mapping:1003 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="esindril" sec.host="esdss000.cern.ch" sec.vorg="cms" sec.grps="/cms" sec.role="" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru" sec.app="" sec.tident="esindril.2742:386@esdss000" vid.uid=58603 vid.gid=1028
Note the sec.role field is empty so the vid rule matches.
Cheers,
Elvin
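
Added example, not part of the post above and not EOS code: a small Python parser for the IdMap log line quoted in the post that derives the voms key a vid rule has to carry and checks the two rules against it. It assumes, going by the rule and log line in the post, that the key is sec.grps, a colon, then sec.role; the function names and the second log line are constructed for illustration.

```python
import re

# key=value pairs as printed in the IdMap line; quoted values may contain spaces and '='.
FIELD_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S*))')

# The log line from the post, on one line.
SAMPLE = ('210709 08:57:23 time=1625777843.471083 func=IdMap level=INFO '
          'logid=static.............................. unit=mgm@esdss000.cern.ch:1094 '
          'tid=00007fab416ae700 source=Mapping:1003 tident= sec=(null) uid=99 gid=99 '
          'name=- geo="" sec.prot=gsi sec.name="esindril" sec.host="esdss000.cern.ch" '
          'sec.vorg="cms" sec.grps="/cms" sec.role="" sec.info="/DC=ch/DC=cern/'
          'OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru" '
          'sec.app="" sec.tident="esindril.2742:386@esdss000" vid.uid=58603 vid.gid=1028')
# Constructed variant: same client, but a non-empty role was extracted.
SAMPLE_ROLE = SAMPLE.replace('sec.role=""', 'sec.role="production"')

# The two vid rules from the post.
RULES = ['voms:"/cms:":gid => c3', 'voms:"/cms:":uid => eosarchi']

def parse_idmap(line):
    """Return the key/value fields of one func=IdMap log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def voms_key(fields):
    """Key a vid rule must use for this client, or None if no VOMS group was extracted.

    Assumption inferred from the post: key = sec.grps + ":" + sec.role.
    """
    grps = fields.get("sec.grps", "")
    if fields.get("sec.prot") != "gsi" or not grps:
        return None
    return 'voms:"%s:%s"' % (grps, fields.get("sec.role", ""))

def matching_rules(line, rules):
    """Return {"uid": target, "gid": target} for the rules whose key matches the line."""
    key = voms_key(parse_idmap(line))
    matched = {}
    for rule in rules:
        lhs, target = rule.split(" => ")
        rule_key, kind = lhs.rsplit(":", 1)  # strip the trailing :uid / :gid
        if key is not None and rule_key == key:
            matched[kind] = target
    return matched

if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_ROLE):
        print(voms_key(parse_idmap(line)), matching_rules(line, RULES))
```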