Providing access to userID greater than 12 characters
the_one
Posted: Wed Aug 15, 2012 4:54 pm

Novice

Joined: 16 Dec 2008
Posts: 22
Location: PHX, AZ

I have searched this forum and found that other people had issues with the '12 character' UserName/GroupName limit with MQ (and setmqaut), but couldn't find a concrete workaround.

In our environment, the users are provisioned on the server using eDir. AIX parameters have been tweaked to allow userID <= 16 characters.

The access has been provided to groups (setmqaut -g).

One of the user IDs is 13 characters long, and gets a NOT_AUTHORIZED error. Can someone suggest a way to handle such exceptions?


Env Details:
MQ 7.0.1.8
AIX 6.1
_________________
See the marbles of the world, but never forget the drops of oil on the spoon.
bruce2359
Posted: Thu Aug 16, 2012 5:51 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

Look toward the bottom of this:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=%2Fcom.ibm.mq.amqzag.doc%2Ffa12740_.htm
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
bruce2359
Posted: Thu Aug 16, 2012 5:52 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

Moved to Security forum.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
the_one
Posted: Thu Aug 16, 2012 12:22 pm

Novice

Joined: 16 Dec 2008
Posts: 22
Location: PHX, AZ

Bruce,

Thanks for the response. This is what I found, from the link:
Quote:
If you use a user ID of greater than 12 characters, WebSphere MQ replaces it with the value UNKNOWN. Do not define a user ID with a value of UNKNOWN.


Unfortunately, we have 3 users (yet) with this issue, one of them is part of Operations and two from development group. In other words, since MQ defaults it to UNKNOWN, we won't know which group profile should be applied.

So it kind of brings back to the same question, that whether or not there is a workaround to this situation?
(also - this same user ID is used by broker toolkit as well)

PS - In parallel, I would also start a dialogue with our eDir guys and see if they can update the network IDs for these guys. But will use it as the last resort, because updating network IDs is a pain considering its impact on various apps in the enterprise.
_________________
See the marbles of the world, but never forget the drops of oil on the spoon.
Vitor
Posted: Thu Aug 16, 2012 12:44 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

the_one wrote:
So it kind of brings back to the same question, that whether or not there is a workaround to this situation?


Not that I'm aware of, and if there is I would doubt it's supported given the very clearly documented:

Quote:
A 12 character limitation applies to both group and user IDs


and

Quote:
WebSphere MQ continues to observe a 12 character restriction on all UNIX platforms.


So the software clearly restricts to 12 characters. It's indeed unfortunate that you have users with ids longer than that; it's even more unfortunate your site chose to use them without fully evaluating the impact on all the software!
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Thu Aug 16, 2012 12:57 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

If you switch them to using client connections, you can tie each >12 id to a specific channel that has an MCAUSER < 12.

Or in 7.1 and later, you can do things with chlauth records to map ids.
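
Added example (not part of mqjeff's post or any poster's configuration): the two suggestions above sketched as MQSC. The channel names, the user IDs, the certificate DN and the use of SSLPEER as the way to tie a user to a channel are assumptions made for illustration; option 2 also assumes the client presents its full long ID.

```mqsc
* Added example. Every object name, user ID and DN here is hypothetical.
* 'jonathansmith' stands for a 13-character ID; 'opsjsmith' is a surrogate
* of 12 characters or fewer that is a member of the group already granted
* access with setmqaut -g.

* Option 1 (MQ 7.0.1): a dedicated SVRCONN channel with a fixed MCAUSER.
* A fixed MCAUSER gives its authority to anything that can start the
* channel, so this sketch restricts the channel to one client certificate.
DEFINE CHANNEL('OPS.JSMITH.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('opsjsmith') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=jonathansmith,O=Example') +
       REPLACE

* Option 2 (MQ 7.1 or later): one shared channel plus a CHLAUTH user map.
* CLNTUSER is the ID asserted by the client, which the queue manager does
* not verify by itself.
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) +
    CLNTUSER('jonathansmith') +
    USERSRC(MAP) MCAUSER('opsjsmith') +
    DESCR('Map long client ID to short surrogate ID') +
    ACTION(ADD)

* Check the result.
DISPLAY CHANNEL('OPS.JSMITH.SVRCONN') MCAUSER SSLPEER SSLCAUTH
DISPLAY CHLAUTH('APP.SVRCONN') TYPE(USERMAP) ALL
```

With either option, the object authority manager checks the surrogate ID, so audit records show the surrogate and not the original long ID.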
bruce2359
Posted: Fri Aug 17, 2012 5:45 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

My curiosity has gotten the best of me.

What (policy) drove your organization to userids greater than 12 characters? I sense an auditor at play.

I've worked with some very large organizations, and all seemed satisfied with the nearly-infinite number of possible userids that 8 characters yield.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
the_one
Posted: Mon Aug 20, 2012 4:53 pm

Novice

Joined: 16 Dec 2008
Posts: 22
Location: PHX, AZ

bruce2359 wrote:
What (policy) drove your organization to userids greater than 12 characters? I sense an auditor at play.


It's been in place for (at least 7) years that way, and didn't hear many issues from other app teams.

But now, with our organization exploring eDir options, such as single-sign-on and fan-out drivers, I am sure others will hit the wall as well.
_________________
See the marbles of the world, but never forget the drops of oil on the spoon.
bruce2359
Posted: Mon Aug 20, 2012 8:39 pm

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

If memory serves... eDir (from Novell) uses distinguished name (DN) up to 256 characters long. It also allows for aliases. The alias could be 12 characters (or less) to fit WMQ's 12 character id max.

And thus ends my recollection of eDir. Over.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.