MQ Series and LDAP Authentication |
Author |
Message
|
lucac |
Posted: Wed Nov 24, 2004 7:38 am Post subject: MQ Series and LDAP Authentication |
|
|
 Newbie
Joined: 17 Nov 2004 Posts: 9 Location: Italy
|
Hi,
I have MQ 5.3 installed on a Red Hat Advanced Server 2.1 and it worked fine.
I tried to manage the user authentication with an LDAP server, so I modified my /etc/nsswitch.conf like below:
passwd: files nis ldap
shadow: files nis ldap
group: files nis ldap
I left the mqm user and group in /etc/passwd and /etc/group.
The first time I stopped and restarted MQ, the command "strmqm MYQM" kept running (it seemed to hang). I checked the QM processes and they were running, but I was not able to start the listener (the message was like "No QManagers are running on this computer").
I noticed that strmqm was contacting my LDAP server every time (but the mqm user and group are local).
Then I stopped all processes, I killed all semaphores and the shared memory; I changed my /etc/nsswitch.conf like below:
passwd: files nis #ldap
shadow: files nis #ldap
group: files nis #ldap
I tried to restart MQ and now it is working fine again.
Any idea how to work properly with LDAP authentication and MQ? |
|
fjb_saper |
Posted: Wed Nov 24, 2004 4:55 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
MQ is using OS authentication. So if your OS authenticates to LDAP you need to have the mqm user and group on your LDAP.
Enjoy  |
|
lucac |
Posted: Thu Nov 25, 2004 2:40 am Post subject: MQ Series and LDAP Authentication |
|
|
 Newbie
Joined: 17 Nov 2004 Posts: 9 Location: Italy
|
I know MQ uses OS authentication, but by writing the following authentication sequence "passwd: files nis ldap", "shadow: files nis ldap", "group: files nis ldap" in my /etc/nsswitch.conf, I think my system should search for the user first in /etc/passwd, then in NIS and finally on the LDAP server.
Is that right?
Luca |
|
fjb_saper |
Posted: Thu Nov 25, 2004 1:50 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
That you'll have to ask a Unix admin. I don't know if the options should be space separated or, like in a path, have a ":" between them?
Enjoy  |
|
Nigelg |
Posted: Fri Nov 26, 2004 3:45 am Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
The syntax of the nsswitch.conf file is correct as above.
As far as the hang in strmqm (or crtmqm) is concerned, this is to do with how Linux returns a list of O/S groups to WMQ. The mechanism used to interrogate the O/S groups is the same in WMQ whatever the provenance of the group, but Linux returns different values to signal the end of the group list to the calling app depending on whether LDAP (or NSCD, name service caching daemon) is in use. The problem is compounded by there being no Linux documentation of the API to the groups database (getgrent_r).
This has resulted in a few problems with Linux and LDAP authorisation over the last 12 months and more. There has been 1 bug fix in RH Linux, nss-ldap-189-9, and 2 in WMQ, IY45325 (in CSD08) & IY63056 (scheduled for CSD10). |