Sainath
Posted: Mon Dec 13, 2010 1:58 pm    Post subject: Unable to set authority to Single Sign On userids in MQ 7
Newbie
Joined: 13 Dec 2010    Posts: 4
Hi Guys,
setmqaut is not working for SSO ids.
I have created a group on Red Hat Enterprise Linux 5.5 which is local to the machine. I have a local user in that group, and my SSO id is added to that group.
When I set an authority on that local group, the change in authority is applied only to the local userid but not to my SSO id. I am using the mqm userid to set the authority.
The reason I have created a local group is that I am not able to set authority on a group that is hosted on LDAP.
Is there anything else that needs to be done, so that the change in authorities I am making also applies to the SSO id??
Please suggest..........
mqjeff
Posted: Mon Dec 13, 2010 5:07 pm    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
setmqaut on Unix only applies to the user's primary group, not to the user itself.
Sainath
Posted: Mon Dec 13, 2010 6:14 pm    Post subject:
Newbie
Joined: 13 Dec 2010    Posts: 4
Thanks for the response, but as far as I know we can set authorities for both users and groups on Linux. I did not understand what you said; please elaborate. My question is: can we set authority for users or groups which are local to the machine??
Sainath
Posted: Mon Dec 13, 2010 7:21 pm    Post subject:
Newbie
Joined: 13 Dec 2010    Posts: 4
Pardon my typo....
My question is: can we set authority for users or groups which aren't local to the machine??
mqjeff
Posted: Mon Dec 13, 2010 7:27 pm    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
On all Unix platforms, when you issue a setmqaut command against a -p principal, it is only *actually* issued against the primary group of that principal.
As to whether or not you can issue a setmqaut command against a userid that is not resolvable through the local security repository, I will suggest that, at least in early versions of 7.0, you needed to use things like PAM to ensure that LDAP users *were* resolvable through the local security registry.
And I will also suggest you review the enhancements to MQ between 7.0 and 7.0.1.3.
mvic
Posted: Wed Dec 15, 2010 3:50 pm    Post subject: Re: Unable to set authority to Single Sign On userids in MQ
Jedi
Joined: 09 Mar 2004    Posts: 2080
Sainath wrote:
    When I set an authority on that local group, the change in authority is applied only to the local userid but not to my SSO id. I am using the mqm userid to set the authority.
Please provide an example.
Feel free to change the names to user1, user2 etc.
HubertKleinmanns
Posted: Wed Dec 15, 2010 10:35 pm    Post subject:
Shaman
Joined: 24 Feb 2004    Posts: 732    Location: Germany
Sainath wrote:
    Pardon my typo....
    My question is: can we set authority for users or groups which aren't local to the machine??
Yes, it is possible - I use "setmqaut" on Solaris with LDAP users and groups. MQ uses what the operating system provides. So if you "see" a user or group, for example with the command "id", MQ is able to use this user too.
BUT, on Unix systems you cannot grant a user access to MQ objects at all. As mqjeff already mentioned, you ALWAYS specify a group. When you use the "setmqaut" command with a principal, the result will be exactly the same as when you use it specifying the primary group of this user.
And additionally, the primary group of the user who ran the command "setmqaut" will also be granted afterwards!
So your SSO user must be a member of a group which is granted access to the MQ objects.
_________________
Regards
Hubert
Sainath
Posted: Mon Dec 20, 2010 11:17 am    Post subject:
Newbie
Joined: 13 Dec 2010    Posts: 4
HubertKleinmanns wrote:
    Sainath wrote:
        Pardon my typo....
        My question is: can we set authority for users or groups which aren't local to the machine??
    Yes, it is possible - I use "setmqaut" on Solaris with LDAP users and groups. MQ uses what the operating system provides. So if you "see" a user or group, for example with the command "id", MQ is able to use this user too.
    BUT, on Unix systems you cannot grant a user access to MQ objects at all. As mqjeff already mentioned, you ALWAYS specify a group. When you use the "setmqaut" command with a principal, the result will be exactly the same as when you use it specifying the primary group of this user.
    And additionally, the primary group of the user who ran the command "setmqaut" will also be granted afterwards!
    So your SSO user must be a member of a group which is granted access to the MQ objects.
Thanks for the response...
I have assigned authority to a group as you all suggested.
I have a group called GROUP1, a local group on machine A.
I have USER1 in GROUP1; USER1 is a local user on machine A, NOT SSO.
I have USER2 in GROUP1; USER2 is an SSO user on LDAP.
I have run setmqaut for GROUP1 to connect to a local QMGR.
USER1 connection: success.
USER2: not authorized.
USER1 and USER2 are not in the mqm group.
fjb_saper
Posted: Mon Dec 20, 2010 7:32 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Seems like your problem is that the OS on machine A cannot resolve USER2 to GROUP1 (on machine A).
Have fun
_________________
MQ & Broker admin
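Added example, not from the thread and not an MQ tool: a small POSIX shell script that performs the OS-side checks Hubert's and fjb_saper's replies point at (the user must be visible to "id", and the setmqaut group must be in the user's resolved group list), using USER2 and GROUP1 as placeholder names. It also reports the primary group, which is what a "setmqaut -p USER" effectively grants on Unix, so the reader can see why a local group that the OS does not associate with the LDAP user leaves that user "not authorized".

```shell
#!/bin/sh
# Example diagnostic (added here, not part of the thread). MQ on Unix authorizes via
# the groups the OS resolves for a user, so these checks use "id", the same source
# MQ consults. User/group names are placeholders supplied on the command line.

# Space-separated group list the OS resolves for a user. Fails (non-zero) when the
# local security registry (NSS/PAM, possibly backed by LDAP) does not know the user.
resolve_groups() {
    id -Gn "$1" 2>/dev/null
}

# Primary group of a user: the group a "setmqaut -p USER" actually grants on Unix.
effective_group() {
    id -gn "$1" 2>/dev/null
}

# Return 0 if group $2 appears in the space-separated list $1 (exact match).
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Diagnose whether USER ($1) can benefit from authority granted to GROUP ($2):
#   0 = OS resolves the user and lists the group (MQ will honour the grant)
#   1 = user resolvable but the OS does not put it in that group
#   2 = user unknown to this host (the SSO/LDAP resolution problem)
check_access() {
    user=$1; group=$2
    groups=$(resolve_groups "$user") || {
        echo "$user: not resolvable by the OS on this host (check NSS/PAM/LDAP)"
        return 2
    }
    if in_group "$groups" "$group"; then
        echo "$user: member of $group (groups: $groups)"
        return 0
    fi
    echo "$user: resolvable, but the OS does not list it in $group (groups: $groups)"
    return 1
}

# Usage: ./check_mq_group.sh USER2 GROUP1
# Grant to the group, not the principal: setmqaut -m QMGR -t qmgr -g GROUP1 +connect
if [ $# -eq 2 ]; then
    check_access "$1" "$2"
    echo "note: 'setmqaut -p $1' would effectively grant group '$(effective_group "$1")'"
fi
```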
HubertKleinmanns
Posted: Mon Dec 20, 2010 10:00 pm    Post subject:
Shaman
Joined: 24 Feb 2004    Posts: 732    Location: Germany
HubertKleinmanns wrote:
    Sainath wrote:
        Pardon my typo....
        My question is: can we set authority for users or groups which aren't local to the machine??
    Yes, it is possible - I use "setmqaut" on Solaris with LDAP users and groups. MQ uses what the operating system provides. So if you "see" a user or group, for example with the command "id", MQ is able to use this user too.
    BUT, on Unix systems you cannot grant a user access to MQ objects at all. As mqjeff already mentioned, you ALWAYS specify a group. When you use the "setmqaut" command with a principal, the result will be exactly the same as when you use it specifying the primary group of this user.
    And additionally, the primary group of the user who ran the command "setmqaut" will also be granted afterwards!
    So your SSO user must be a member of a group which is granted access to the MQ objects.
Forget about my last remarks. When you use the "setmqaut" command, the primary group of the issuer will not be granted too.
This only occurs when an object has been newly created.
_________________
Regards
Hubert