From dfc5b58621cac02f37ce959b89afe5c1129ebafd Mon Sep 17 00:00:00 2001
From: John Thiltges
Date: Thu, 4 Dec 2025 09:55:55 -0600
Subject: [PATCH] central-collector: Allow @unmapped to advertise schedd
---
 opensciencegrid/central-collector/Dockerfile | 11 ++++++-----
 .../etc/condor-ce/config.d/50-central-collector.conf | 10 ++++++++++
 .../condor-ce/mapfiles.d/50-central-collector.conf | 1 +
 3 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 opensciencegrid/central-collector/etc/condor-ce/config.d/50-central-collector.conf
 create mode 100644 opensciencegrid/central-collector/etc/condor-ce/mapfiles.d/50-central-collector.conf
diff --git a/opensciencegrid/central-collector/Dockerfile b/opensciencegrid/central-collector/Dockerfile
index abf505cd..fc1f23af 100644
--- a/opensciencegrid/central-collector/Dockerfile
+++ b/opensciencegrid/central-collector/Dockerfile
@@ -25,10 +25,11 @@ RUN yum module enable -y mod_auth_openidc \
 # Create home directory for registry user
 RUN mkdir /var/lib/condor-ce/webapp
-COPY etc/supervisord.d/* /etc/supervisord.d/
-COPY etc/condor-ce/config.d/* /etc/condor-ce/config.d/
-COPY etc/httpd/conf.d/* /etc/httpd/conf.d/
-COPY etc/osg/image-init.d/* /etc/osg/image-init.d/
-COPY auto-reload.sh /usr/local/sbin/
+COPY etc/supervisord.d/* /etc/supervisord.d/
+COPY etc/condor-ce/config.d/* /etc/condor-ce/config.d/
+COPY etc/condor-ce/mapfiles.d/* /etc/condor-ce/mapfiles.d/
+COPY etc/httpd/conf.d/* /etc/httpd/conf.d/
+COPY etc/osg/image-init.d/* /etc/osg/image-init.d/
+COPY auto-reload.sh /usr/local/sbin/
 RUN chmod a+x /usr/local/sbin/auto-reload.sh
diff --git a/opensciencegrid/central-collector/etc/condor-ce/config.d/50-central-collector.conf b/opensciencegrid/central-collector/etc/condor-ce/config.d/50-central-collector.conf
new file mode 100644
index 00000000..9c835940
--- /dev/null
+++ b/opensciencegrid/central-collector/etc/condor-ce/config.d/50-central-collector.conf
@@ -0,0 +1,10 @@
+# We need hostnames for COLLECTOR_REQUIREMENTS authz
+# Clients are mapped to @unmapped
+
+# Include *@unmapped in UNMAPPED_USERS
+UNMAPPED_USERS = $UNMAPPED_USERS, *@unmapped
+
+# Default config uses DENY_DAEMON to set DENY_ADVERTISE_SCHEDD
+# > IPVERIFY: deny ADVERTISE_SCHEDD: anonymous@*, *@unmapped (from config value DENY_DAEMON)
+# Remove "*@unmapped" to allow @unmapped to advertise
+DENY_ADVERTISE_SCHEDD = anonymous@*
diff --git a/opensciencegrid/central-collector/etc/condor-ce/mapfiles.d/50-central-collector.conf b/opensciencegrid/central-collector/etc/condor-ce/mapfiles.d/50-central-collector.conf
new file mode 100644
index 00000000..829e5549
--- /dev/null
+++ b/opensciencegrid/central-collector/etc/condor-ce/mapfiles.d/50-central-collector.conf
@@ -0,0 +1 @@
+SSL /[.A-Za-z0-9\/= -]*\/CN=([.A-Za-z0-9\/= -]+)/ \1@unmapped
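Review bot: In config.d/50-central-collector.conf, `UNMAPPED_USERS = $UNMAPPED_USERS, *@unmapped` references the existing value without parentheses; HTCondor configuration macros are expanded as `$(NAME)`, so as written the previous list is most likely not carried over and a literal `$UNMAPPED_USERS` entry ends up in it. The line should read `UNMAPPED_USERS = $(UNMAPPED_USERS), *@unmapped`. Separately, `DENY_ADVERTISE_SCHEDD = anonymous@*` lifts the default deny for every `*@unmapped` identity, so control over who may advertise a schedd then rests on the COLLECTOR_REQUIREMENTS expression the header comment mentions, which is not part of this patch. A comment such as `# Relies on COLLECTOR_REQUIREMENTS to restrict which @unmapped hosts may advertise` next to that setting would make the dependency explicit for whoever edits either side later.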
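Review bot: The SSL rule in mapfiles.d/50-central-collector.conf has no `^`/`$` anchors and its capture class `[.A-Za-z0-9\/= -]+` admits `/`, `=` and spaces, so the name placed before `@unmapped` is not guaranteed to be a bare hostname; it can carry any further DN components that follow the last `/CN=`. Because the accompanying config says these names feed hostname-based COLLECTOR_REQUIREMENTS authorization, the captured value should be as narrow as the accepted certificates allow. If only subjects that end in a hostname CN need to map, `SSL /^[.A-Za-z0-9\/= -]*\/CN=([A-Za-z0-9.-]+)$/ \1@unmapped` would express that. The subject shapes actually in use are not visible in this patch (for example `CN=host/fqdn` style subjects would need the `/` kept), so confirm against real client DNs before tightening.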