chuvaaak
Posted: Wed Mar 21, 2007 1:54 am Post subject: LDAP authority
Newbie
Joined: 21 Mar 2007 Posts: 4

Hi.
I need to use LDAP for MQ authority without SSL and CRL.
Just reading information about users via LDAP and making authority for MQ objects for them.
Does anyone know something about solving this problem?
marcin.kasinski
Posted: Wed Mar 21, 2007 2:57 am Post subject: Re: LDAP authority
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw

chuvaaak wrote:
    Hi.
    I need to use LDAP for MQ authority without SSL and CRL.
    Just reading information about users via LDAP and making authority for MQ objects for them.
    Does anyone know something about solving this problem?

There is the object authority manager (OAM).
You can replace the default one with your own version (I saw a C example).
_________________
Marcin
jefflowrey
Posted: Wed Mar 21, 2007 3:26 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

On Windows, you can configure the OS to use Active Directory, which is LDAP.
On Unix, you can configure the OS to use LDAP.
Then you don't have to screw around with writing your own OAM.
_________________
I am *not* the model of the modern major general.
marcin.kasinski
Posted: Wed Mar 21, 2007 3:36 am Post subject:
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw

jefflowrey wrote:
    On Windows, you can configure the OS to use Active Directory, which is LDAP.
    On Unix, you can configure the OS to use LDAP.
    Then you don't have to screw around with writing your own OAM.

I forgot about it.
but...
What if other software installed on this node won't accept this change, or will work slower, or...
This is configuration for every piece of software on this machine.
OAM is configuration only for MQ.
Is there another option?
_________________
Marcin
jefflowrey
Posted: Wed Mar 21, 2007 3:39 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

WebSphere MQ Extended Security Edition lets you do this, I think.
Otherwise, you would have to either write your own client exit (and API exit for bindings connections) or your own OAM.
Neither of which is a task for the faint of heart.
_________________
I am *not* the model of the modern major general.
chuvaaak
Posted: Wed Mar 21, 2007 4:17 am Post subject:
Newbie
Joined: 21 Mar 2007 Posts: 4

jefflowrey wrote:
    WebSphere MQ Extended Security Edition lets you do this, I think.
    Otherwise, you would have to either write your own client exit (and API exit for bindings connections) or your own OAM.
    Neither of which is a task for the faint of heart.

It's a Windows platform and WebSphere MQ6.
The main idea is not to include this machine in the domain.
The main question: how to get information about user accounts from Active Directory if the machine doesn't belong to the domain.
Maybe there are other ways except security exits?
jefflowrey
Posted: Wed Mar 21, 2007 4:27 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

I'm confused.
You want to use a domain, without using the domain?
I forget if you can run WMQ as a domain user on a machine that's not in the domain.
_________________
I am *not* the model of the modern major general.
marcin.kasinski
Posted: Wed Mar 21, 2007 4:33 am Post subject:
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw

jefflowrey wrote:
    I'm confused.
    You want to use a domain, without using the domain?
    I forget if you can run WMQ as a domain user on a machine that's not in the domain.

He doesn't want to add the machine to the domain, but he wants to do a security check in LDAP during the API call.
I know only OAM, which can do it (and the API exit which you mentioned).
In OAM or an API exit you only have to do an LDAP search.
_________________
Marcin
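The LDAP search described above, as an added example that is not part of the thread and not code from IBM, Capitalware or any OAM or exit: it binds to Active Directory from a machine that is not a domain member by supplying explicit credentials for a read-only lookup account, and decides whether an MQ user id may use an object based on membership of an AD group. The server name dc01.example.local, the base DN DC=example,DC=local, the account EXAMPLE\svc-mqldap and the group MQ-APP1-QUEUE-READERS are assumed placeholders. Because the original question rules out SSL, the bind asks for a signed and sealed session instead of LDAPS, and every failure path (unknown user, disabled account, directory unreachable) denies rather than fails open.

```powershell
# Added example (not from the thread, IBM or Capitalware). Assumed placeholders:
# dc01.example.local, DC=example,DC=local, EXAMPLE\svc-mqldap, MQ-APP1-QUEUE-READERS.
function Test-MqUserAuthorized {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # MQ user id being checked
        [Parameter(Mandatory)][string]$RequiredGroup,    # AD group (CN) that grants access
        [Parameter(Mandatory)][string]$LdapPath,         # e.g. LDAP://dc01.example.local/DC=example,DC=local
        [Parameter(Mandatory)][pscredential]$Credential  # read-only lookup account; no domain membership needed
    )

    # Secure = NTLM/Kerberos bind with the supplied account; Sealing + Signing
    # encrypt and integrity-protect the session without LDAPS.
    $authType = ([System.DirectoryServices.AuthenticationTypes]::Secure -bor
                 [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
                 [System.DirectoryServices.AuthenticationTypes]::Signing)

    $plainPassword = $Credential.GetNetworkCredential().Password
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName, $plainPassword, $authType)

    # Escape the caller-supplied value per RFC 4515 so a crafted user id
    # cannot change the meaning of the search filter.
    $escaped = $SamAccountName `
        -replace '\\', '\5c' `
        -replace '\*', '\2a' `
        -replace '\(', '\28' `
        -replace '\)', '\29' `
        -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('memberOf', 'userAccountControl'))

    try {
        $result = $searcher.FindOne()
    } catch {
        Write-Warning "LDAP lookup failed: $($_.Exception.Message)"
        return $false                         # directory unreachable: deny, never fail open
    }
    if ($null -eq $result) { return $false }  # unknown user id: deny

    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; a disabled account gets nothing.
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band 0x2) { return $false }

    # memberOf lists direct group memberships only; compare the CN of each group DN.
    foreach ($groupDn in $result.Properties['memberof']) {
        if ($groupDn -match '^CN=([^,]+),' -and $Matches[1] -ieq $RequiredGroup) {
            return $true
        }
    }
    return $false
}

# Usage (prompts for the lookup account's password; placeholder names as above):
# $cred = Get-Credential 'EXAMPLE\svc-mqldap'
# Test-MqUserAuthorized -SamAccountName 'app1user' -RequiredGroup 'MQ-APP1-QUEUE-READERS' `
#     -LdapPath 'LDAP://dc01.example.local/DC=example,DC=local' -Credential $cred
```

Two points a practitioner would check before relying on this. The lookup account only needs read access to user objects, so give it nothing else; and `memberOf` does not expand nested groups, so if access is granted through a group that is itself a member of the required group, replace the CN comparison with an AD matching-rule-in-chain filter (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) in the search.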
chuvaaak
Posted: Wed Mar 21, 2007 4:51 am Post subject:
Newbie
Joined: 21 Mar 2007 Posts: 4

OAM can't manage authority of domain accounts if the machine is not in the domain.
In this case it can use only local accounts.
jefflowrey
Posted: Wed Mar 21, 2007 4:55 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

marcin.kasinski wrote:
    He doesn't want to add the machine to the domain, but he wants to do a security check in LDAP during the API call.

Which is what the domain is for - to provide distributed security checks against a single user repository...
Chuvaaak. It is possible to run WMQ as a domain user; that would give OAM permissions to access the domain. It may not be possible to do this when the machine is not in the domain, I forget. It's worth asking your Windows security or system administrators for assistance.
Of course, you might not want to put the machine in the domain because you don't want to involve your Windows security or system administrators...
Writing an OAM is not something that 99.99% of MQ people should do. The same with API Exits.
If the requirement is to authorize domain users, then it should be reasonable to put the machine in the domain to accomplish this.
_________________
I am *not* the model of the modern major general.
chuvaaak
Posted: Wed Mar 21, 2007 5:03 am Post subject:
Newbie
Joined: 21 Mar 2007 Posts: 4

jefflowrey wrote:
    If the requirement is to authorize domain users, then it should be reasonable to put the machine in the domain to accomplish this.

I agree with you, but it's not my wish. I've always done it like that before...
Vitor
Posted: Wed Mar 21, 2007 5:08 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

jefflowrey wrote:
    It may not be possible to do this when the machine is not in the domain, I forget. It's worth asking your Windows security or system administrators for assistance.

It depends a lot on the domain model in use. At first glance you might be able to use a local account if the machine was in a domain that was trusted by the domain against which you were doing the lookup. Then again you might not.
Bizarre technical requirement though. Always a bit interesting running a stand-alone machine alongside a domain; the tendency to put all the hardware in the domain is a seductively simplifying concept. Even if you still use local accounts.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Wed Mar 21, 2007 5:10 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

chuvaaak wrote:
    I agree with you, but it's not my wish.

Push back. Get them to justify the requirements and the business benefits of not doing it "properly".
_________________
Honesty is the best policy.
Insanity is the best defence.
RogerLacroix
Posted: Thu Mar 22, 2007 7:10 am Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada

marcin.kasinski wrote:
    He doesn't want to add the machine to the domain, but he wants to do a security check in LDAP during the API call.
    I know only OAM, which can do it (and the API exit which you mentioned).
    In OAM or an API exit you only have to do an LDAP search.

Hi,
Have you looked at MQ Authenticate User Security Exit? Because that is what MQAUSX does when you configure it to use LDAP authentication.
UserIds can be stored in an LDAP server (including Active Directory) and the installation of MQ does not have to include the domain accounts. Everything is handled by MQAUSX.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
Vitor
Posted: Thu Mar 22, 2007 7:28 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

And buying a security exit (or any exit) is a lot easier than writing your own!
(My personal view only, other views may be equally valid, I am not now nor have I ever been associated with Capitalware and any comments made about their products should not be taken as an official endorsement and no liability is accepted for any loss or damage howsoever caused.)
_________________
Honesty is the best policy.
Insanity is the best defence.