LDAP authority
markt
Posted: Sun Sep 30, 2007 3:31 am
Knight, Joined: 14 May 2002, Posts: 508
The OAM uses standard calls like getgrent which hide the underlying repository. So if you have configured the OS to merge LDAP and /etc/passwd, /etc/group information, then this is completely transparent to the OAM.
fjb_saper
Posted: Sun Sep 30, 2007 3:15 pm
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
And remember that in UNIX there are no privileges at user level.
If privileges at user level get defined they are actually applied to the user's primary group. Now if you had the user change primary group all its MQ authorizations associated with that group are gone... as he/she/it(process) is no longer a member of said group.
This is why it is recommended to always work authorizations at group level even in Windows.
Enjoy
_________________
MQ & Broker admin
jcv
Posted: Mon Oct 01, 2007 4:51 am
Chevalier, Joined: 07 May 2007, Posts: 411, Location: Zagreb
Thank you all for your responses. I have triple checked those claims, and my colleague was right. He cannot connect to the local qmgr using BINDING mode by being a member of an LDAP user group and having MQ connect privileges through this membership. We will apply the latest patch on v6, hoping to solve the situation, although I don't see any such fix for AIX in the fix list. I see something similar for Solaris, being reported and fixed:
IY72714: FAILURE OF LDAP SERVER PROVIDING O/S USER IDENTIFICATION DATA TO WMQ THROUGH THE GETGRENT INTERFACE OBSERVED ON SOLARIS
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg1IY72714
jcv
Posted: Fri Dec 07, 2007 9:34 am
Chevalier, Joined: 07 May 2007, Posts: 411, Location: Zagreb
I have closed a PMR which was raised to clarify the situation. When the application developer couldn't connect his application to a qmgr, someone came up with the idea that the problem was that the mqm user was not defined in LDAP. On the contrary, that was actually the problem generator, since MQ doesn't allow such a condition (the existence of two users with the same friendly name "mqm").
My main objection to this issue was that the application actually received 2059 while trying to connect to an up-and-running local qmgr, which didn't give enough information to conclude what the problem was, and no FDCs were dumped.
My other objection is that the AIX authorization module should maybe reject the creation of multiple users with the same friendly name.
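The three OS-level conditions the thread turns on (markt: the OAM resolves groups through getgrent and so sees whatever NSS merges from LDAP and /etc/group; fjb_saper: authority is effectively held by the primary group; jcv: two passwd entries named mqm) can be checked from the same libc calls. The script below is an added diagnostic written for this thread, not code from the forum or from IBM; it assumes a UNIX/Linux host whose Python pwd/grp modules go through NSS exactly as the OAM's getpwnam/getgrent calls do, and the user and group names passed in are placeholders.

```python
import grp
import pwd


def os_groups_for(user):
    """Resolve a user's groups the way the OAM does: via the OS getpwnam/getgrent
    calls, so LDAP and /etc/group entries merged by NSS are seen identically.
    Returns (primary_group_name, sorted list of every group name for the user)."""
    pw = pwd.getpwnam(user)
    primary = grp.getgrgid(pw.pw_gid).gr_name
    groups = {primary}
    for g in grp.getgrall():            # walks getgrent over every configured source
        if user in g.gr_mem:
            groups.add(g.gr_name)
    return primary, sorted(groups)


def duplicate_user_names():
    """Names that appear in more than one passwd entry across the merged sources
    (the 'two users called mqm' condition from the thread). Returns {name: [uids]}."""
    uids_by_name = {}
    for e in pwd.getpwall():            # walks getpwent over every configured source
        uids_by_name.setdefault(e.pw_name, []).append(e.pw_uid)
    return {n: u for n, u in uids_by_name.items() if len(u) > 1}


def check_principal(user, required_group):
    """Return a list of findings for `user` needing MQ authority via `required_group`:
    the group is not visible through getgrent, the authority rides on the primary
    group (lost if that changes), or the user name resolves to duplicate entries."""
    primary, groups = os_groups_for(user)
    findings = []
    if required_group not in groups:
        findings.append(f"{user}: group {required_group} not visible via getgrent")
    elif required_group == primary:
        findings.append(f"{user}: {required_group} is the primary group; authority "
                        "granted at user level is lost if the primary group changes")
    dups = duplicate_user_names()
    if user in dups:
        findings.append(f"{user}: duplicate passwd entries, uids={dups[user]}")
    return findings


if __name__ == "__main__":
    # placeholder names; replace with the real application user and MQ group
    for line in check_principal("appuser", "mqusers") or ["no findings"]:
        print(line)
```

An empty list from check_principal means the group the OAM will see matches what the administrator granted to, and that the user name is unique across LDAP and the local files.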
abiondo
Posted: Tue Jan 15, 2008 2:59 pm
Post subject: Not sure if this is what you need
Novice, Joined: 30 Aug 2007, Posts: 21, Location: Philadelphia, PA
We are doing something similar. A user executes a program on their desktop and connects to MQ under their desktop authenticated context (AD).
Our MQ servers are joined to the domain and we add domain users to local AD groups on the MQ Server.
Then you can go and Manage the Authority Records for a specific queue and add a group to the queue with the permissions you want, for example:
MYGROUP@SERVER01
Where MYGROUP is the name of the local Windows group and SERVER01 is the name of the WebSphere MQ Server.
Not sure if this is what you were looking for, but hope this helps.
Anthony
_________________
Anthony J Biondo Jr
Manager, Web Services
AmeriHealth Mercy