Enabling SSL channel security on a Application
exerk
Posted: Tue Oct 14, 2014 11:05 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Code:
SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy')  MCAUSER('mqm')

I thought that all mqm-group users were automatically blocked, or yet again have I misread/misunderstood CHLAUTH?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Tue Oct 14, 2014 11:42 pm

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

yasaboy wrote:
What I did for the error 2035 was

Code:
SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('TROBWUZHERE') ACTION(ADD)

and

 SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy')  MCAUSER('mqm')

They are, Exerk, but what yasaboy has done is over-ride the ban on mqm users for this specific channel using the first command, and then mapped the client side user ID to 'mqm' with the second command.

Read CHLAUTH - Allow some privileged admins for more details.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
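Added example (not part of any poster's message and not IBM's code): a small Python audit that parses SET CHLAUTH rules like those quoted above and reports channels where a USERMAP rule assigns a privileged MCAUSER after a channel-specific BLOCKUSER rule has replaced the default `*MQADMIN` block. The default-rule line, the `PRIVILEGED` set and the profile-specificity shortcut are assumptions of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Constructed input: the default BLOCKUSER rule plus the two rules quoted in
# the thread (address placeholder kept as posted). Assumed to be the full set
# of rules in force; ACTION(REMOVE) lines are not interpreted.
RULES = """
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN')
SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('TROBWUZHERE') ACTION(ADD)
SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy')  MCAUSER('mqm')
"""
PRIVILEGED = {"mqm"}  # assumption: IDs treated as administrative on this host

def parse(text):
    """Turn each SET CHLAUTH line into {KEYWORD: [values]} plus PROFILE/TYPE."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*SET\s+CHLAUTH\('([^']*)'\)(.*)", line, re.I)
        if not m:
            continue
        rule = {k.upper(): [v.strip(" '") for v in vals.split(",")]
                for k, vals in re.findall(r"(\w+)\(([^)]*)\)", m.group(2))}
        rule["PROFILE"] = m.group(1)
        rule["TYPE"] = rule.get("TYPE", [""])[0].upper()
        rules.append(rule)
    return rules

def effective_blockuser(rules, channel):
    """BLOCKUSER rule with the most specific matching profile (simplified:
    specificity is the count of non-wildcard characters in the profile)."""
    hits = [r for r in rules
            if r["TYPE"] == "BLOCKUSER" and fnmatchcase(channel, r["PROFILE"])]
    return max(hits, key=lambda r: len(r["PROFILE"].replace("*", "")), default=None)

def audit(text):
    """List USERMAP rules whose privileged MCAUSER is no longer blocked."""
    rules, findings = parse(text), []
    for r in rules:
        mcauser = r.get("MCAUSER", [""])[0]
        if r["TYPE"] != "USERMAP" or mcauser.lower() not in PRIVILEGED:
            continue
        # Simplification: the USERMAP profile is treated as the channel name.
        block = effective_blockuser(rules, r["PROFILE"])
        blocked = block.get("USERLIST", []) if block else []
        if "*MQADMIN" not in blocked and mcauser not in blocked:
            findings.append((r["PROFILE"], r.get("CLNTUSER", ["*"])[0], mcauser, blocked))
    return findings

if __name__ == "__main__":
    for profile, client, mcauser, blocked in audit(RULES):
        print(f"{profile}: client '{client}' runs as '{mcauser}'; BLOCKUSER list is {blocked}")
```

With the channel-specific BLOCKUSER line removed from the input, the default `*MQADMIN` rule is the effective one again and the audit reports nothing.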
mqjeff
Posted: Wed Oct 15, 2014 4:53 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

And it looks like I'm getting some traction with my TRobWasHere meme.
exerk
Posted: Wed Oct 15, 2014 5:41 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

hughson wrote:
yasaboy wrote:
What I did for the error 2035 was

Code:
SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('TROBWUZHERE') ACTION(ADD)

and

 SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy')  MCAUSER('mqm')

They are, Exerk, but what yasaboy has done is over-ride the ban on mqm users for this specific channel using the first command, and then mapped the client side user ID to 'mqm' with the second command.

Read CHLAUTH - Allow some privileged admins for more details.

Cheers
Morag

For shame, I did not make the connection between the first and second definitions.

I still screw myself in circles when it comes to CHLAUTH - it's an (age) thing I think...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
JosephGramig
Posted: Wed Oct 15, 2014 5:42 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

I still like USERLIST('NoBody') better because you are blocking nobody. Now we will be dealing with cleverness for 15 years or more...
mqjeff
Posted: Wed Oct 15, 2014 5:46 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

JosephGramig wrote:
I still like USERLIST('NoBody') better because you are blocking nobody. Now we will be dealing with cleverness for 15 years or more...


Whilst "NoBody" is distinct from 'nobody', there are a number of reasons why 'nobody' is a bad idea to use. In particular there can be a 'nobody' user on default unix distributions, or added by various software packages.

Or at least, there used to be.

And 'NoBody' is just one missing quote away from 'nobody'.

So using *something* that is clearly never going to be a real user is more helpful - "ThisUserDoesNotExist" for example.
Vitor
Posted: Wed Oct 15, 2014 5:57 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
"ThisUserDoesNotExist" for example.


Or "TRobWasHere"
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Oct 15, 2014 5:59 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Vitor wrote:
mqjeff wrote:
"ThisUserDoesNotExist" for example.


Or "TRobWasHere"


Did you read the earlier part of this thread, that JosephGramig was complaining about?
tczielke
Posted: Wed Oct 15, 2014 6:01 am

Guardian

Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA

exerk wrote:
I still screw myself in circles when it comes to CHLAUTH - it's an (age) thing I think...


I struggle with CHLAUTH, as well. When I first read the manual on it, I walked away thinking there wasn't a way to set up a rule to allow a specific IP address, just block one. But I'm also sometimes challenged in getting the quotes on this web site to work correctly, as well.

One thing that I find confusing is the TYPE value seems "overloaded", to me. I wonder if it would be more clear if there was a separate:

ALLOWTYPE = BLOCKUSER, ALLOWUSER, BLOCKADDR, ALLOWADDR

and

MAPTYPE = SSLPEER, ADDRESS, USER, QMGR, NONE

I haven't gone through all the permutations of the command to say that would cover things, but it feels like that would make the command more intuitive to use, to me.
Vitor
Posted: Wed Oct 15, 2014 6:03 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
Vitor wrote:
mqjeff wrote:
"ThisUserDoesNotExist" for example.


Or "TRobWasHere"


Did you read the earlier part of this thread, that JosephGramig was complaining about?


No.

I just jumped in and tried to support you. Lots of Red Bull this morning.
_________________
Honesty is the best policy.
Insanity is the best defence.