neilwcasey
Posted: Mon Apr 06, 2015 6:28 pm | Post subject: MQ v8.0.0.2 authentication of LDAP user via OS fails
Newbie | Joined: 09 Oct 2011 | Posts: 9 | Location: Melbourne, Australia

Hi,
I am running MQ v8.0.0.2 on RHEL 6.6. I have the queue manager set up with IDPWOS and a client channel configured to enforce login.
Code:
dis authinfo (CLIENT.IDPWOS)
7 : dis authinfo (CLIENT.IDPWOS)
AMQ8566: Display authentication information details.
AUTHINFO(CLIENT.IDPWOS) AUTHTYPE(IDPWOS)
ADOPTCTX(YES)
DESCR(Force client admins to sign in. Local is allowed)
CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL)
FAILDLAY(1) ALTDATE(2015-04-02)
ALTTIME(15.38.24)
dis qmgr connauth
5 : dis qmgr connauth
AMQ8408: Display Queue Manager details.
QMNAME(SNDXM0201) CONNAUTH(CLIENT.IDPWOS)
dis chl(ADMIN.SNDXM0201) all
2 : dis chl(ADMIN.SNDXM0201) all
AMQ8414: Display Channel details.
CHANNEL(ADMIN.SNDXM0201) CHLTYPE(SVRCONN)
ALTDATE(2015-04-02) ALTTIME(15.38.24)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE)
DESCR(Administer QM via this admin channel)
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(20)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER(mqnoaccess) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
dis chlauth(ADMIN.SNDXM0201) all
3 : dis chlauth(ADMIN.SNDXM0201) all
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.SNDXM0201) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR) ALTDATE(2015-04-02)
ALTTIME(11.52.04)
AMQ8878: Display channel authentication record details.
CHLAUTH(ADMIN.SNDXM0201) TYPE(BLOCKUSER)
DESCR( ) CUSTOM( )
USERLIST(MQNOACCESS) WARN(NO)
ALTDATE(2015-04-02) ALTTIME(16.00.34)
The /etc/nsswitch.conf sets the following
passwd: files ldap
shadow: files ldap
group: files ldap
When I create a local user (adduser -G mqm neilc) and set a password for it, I can then connect to the queue manager (runmqsc -c -u neilc QMGR0) successfully. runmqsc prompts for the password, and authentication and authorization proceed as expected.
However, if the account I use is hosted on LDAP, MQ fails to authenticate the account, and access is blocked. I know that the OS can see the account, because I use it to log on to the server.
The command used when trying to authenticate an LDAP account is:
runmqsc -c -u CASEYN
Further information: the system uses PAM.
Has anyone else got a working system with this sort of configuration?
Is MQ going to honor the case of the userid? The OS does honor case, and attempts to log in with incorrect case of the userid fail.
Is any configuration of PAM needed?
Thanks,
Neil Casey.
hughson
Posted: Tue Apr 07, 2015 12:39 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand

exerk
Posted: Tue Apr 07, 2015 12:40 am
Jedi Council | Joined: 02 Nov 2006 | Posts: 6339

Is not IDPWOS 'local' checking, i.e. it never goes anywhere near LDAP? I thought it was one or the other?
Hopefully the (new) Morag will pop up and illuminate us both...
[EDIT]...and did so!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Tue Apr 07, 2015 12:48 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand

exerk wrote:
    Hopefully the (new) Morag will pop up and illuminate us both...
    [EDIT]...and did so!

Boo!
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
neilwcasey
Posted: Tue Apr 07, 2015 1:45 am
Newbie | Joined: 09 Oct 2011 | Posts: 9 | Location: Melbourne, Australia

Thanks Morag,
I guess I got confused by the New Features for v8 red book.
It contains the following:
Begin Excerpt From: IBM Redbooks. “sg248218.epub.” iBooks.
“3.2 Identity repositories
On all platforms, MQ integrates with the local operating system (OS) user repository. So on Windows, a Windows account can be verified; on UNIX, it is someone defined to that machine; on z/OS, it is a user ID defined in RACF or other external security manager.
All of these operating systems have mechanisms to transparently “extend” their view of which users are defined beyond local definitions. For example, on UNIX systems, configuration through files such as /etc/nsswitch.conf can be used to refer to identities defined in a Network Information System (NIS) or LDAP server. Because these are handled directly by the OS services, MQ is unaware of their existence, and works with them just as though the users are defined in /etc/passwd. These users are therefore always considered to be OS-defined.
On distributed platforms, MQ now can also directly access an LDAP server to verify users and their passwords. This allows user IDs and passwords to be defined independently of an operating system, in a central repository.”
End Excerpt From: IBM Redbooks. “sg248218.epub.” iBooks.
So I was expecting the access to LDAP (configured in PAM and nsswitch) to "just work". If there is a restriction that PAM specifically doesn't work, perhaps a tech note would be worthwhile unless and until the PAM RFE is delivered (I will indeed vote for it).
Regards,
Neil Casey.
hughson
Posted: Tue Apr 07, 2015 2:35 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand

While that might be true for authorization, I don't believe it is quite as 'hidden' for authentication.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
mqjeff
Posted: Tue Apr 07, 2015 4:52 am
Grand Master | Joined: 25 Jun 2008 | Posts: 17447

Ok, I guess I'm kind of confused about this.
Shouldn't PAM be hidden to applications using normal getgroup/etc calls? If not, then it doesn't sound like PAM works as an actual pluggable authentication module...
If it does, then what and why is MQ doing something different than using standard OS level calls to obtain the information it needs to both authenticate and authorize?
Also, there was a post or series of posts from LouML a while ago trying to troubleshoot this issue - or at least I think it was LouML. I don't remember if he got any resolution through a PMR.
hughson
Posted: Tue Apr 07, 2015 6:23 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand

mqjeff wrote:
    Shouldn't PAM be hidden to applications using normal getgroup/etc calls?

I believe it is for authorization, yes. Requesting user IDs and group memberships is all 'hidden' from the caller.

mqjeff wrote:
    If not, then it doesn't sound like PAM works as an actual pluggable authentication module...

However, I believe for authentication (i.e. checking user ID and password) it's not so well 'hidden'.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
markt
Posted: Tue Apr 07, 2015 8:34 am
Knight | Joined: 14 May 2002 | Posts: 508

There's some confusion here between what PAM and nsswitch do.
PAM is for authentication. It does not have any effect on functions like getgrent.
nsswitch is what gives the transparent user/group files for authorisation. nsswitch modules sometimes (but not always) populate the password fields in the extended /etc/passwd file.
While both can be used in conjunction, it is not an absolute necessity.
Having MQ support generic PAM services for authentication is a "well-known requirement".
fjb_saper
Posted: Tue Apr 07, 2015 8:42 am
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY

As an aparte... Does Unix / Linux support upper case userid?
So I would suggest Neil also try with a lower case userid...
_________________
MQ & Broker admin
neilwcasey
Posted: Tue Apr 07, 2015 3:23 pm
Newbie | Joined: 09 Oct 2011 | Posts: 9 | Location: Melbourne, Australia

Hi,
The Linux variant I am running (RHEL 6.6) does indeed support upper, lower and mixed case user ids, and enforces matching case (a feature of the new version of PAM in RHEL 6).
I believe markt has the right of it. I missed the distinction between the functions provided by nsswitch in hiding the source of a value, and PAM in authenticating a user. If nsswitch was set up to provide access to shadow passwords held in the LDAP directory, MQ would probably be able to authenticate the users without needing to directly interact with PAM.
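The distinction markt draws between PAM (authentication) and nsswitch (name-service lookups), and the check Neil describes (whether nsswitch actually serves a shadow password for the account), can be verified from the shell before raising a PMR. The script below is an added example for this thread, not something posted in it or shipped with MQ: it reads the sources configured for each nsswitch database, classifies the password field of a shadow-format entry, and, when run as root with a user name, reports whether `getent shadow` hands back a hash that an OS-level password check could verify at all. `getent` is the glibc lookup tool; the default `/etc/nsswitch.conf` path is the one from the thread, and the sample shadow lines used in testing are constructed.

```shell
#!/bin/sh
# Added example for this thread (not code posted in it): inspects the nsswitch
# side of OS password authentication, i.e. the path an OS-level password check
# takes when no PAM conversation is involved.

# Print the sources configured for one nsswitch database.
#   $1 = path to an nsswitch.conf-style file, $2 = database name (passwd, shadow, group)
nss_sources() {
    # drop comments, keep only the "<db>:" line, and print what follows the colon
    sed -n 's/#.*//; s/^[[:space:]]*'"$2"':[[:space:]]*//p' "$1" \
        | tr -s '[:space:]' ' ' | sed 's/ $//'
}

# Classify the password field of a shadow-format entry ("user:field:...").
# An OS-level check can only verify a real crypt(3) hash; "*", "!!" or an
# empty field means the configured shadow source hands back nothing usable.
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')                      echo "empty" ;;    # no password at all
        '*' | '!' | '!!' | 'x')  echo "no-hash" ;;  # placeholder: nothing to verify against
        '!'*)                    echo "locked" ;;   # hash present but account locked
        '$'*)                    echo "hash" ;;     # modular crypt hash ($1$, $5$, $6$, ...)
        *)                       echo "other" ;;    # legacy DES or unknown format
    esac
}

# Live check for one account (run as root so that getent may read shadow):
#   $1 = user name, $2 = nsswitch.conf path (defaults to /etc/nsswitch.conf)
diagnose_user() {
    user=$1
    nss=${2:-/etc/nsswitch.conf}
    echo "passwd sources: $(nss_sources "$nss" passwd)"
    echo "shadow sources: $(nss_sources "$nss" shadow)"
    if ! pw=$(getent passwd "$user"); then
        echo "$user: not resolvable through nsswitch"
        # The thread also asks about case: report whether the lowercase form resolves.
        lower=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" != "$user" ] && getent passwd "$lower" >/dev/null 2>&1; then
            echo "$user: but $lower does resolve; the directory may be case-insensitive"
        fi
        return 1
    fi
    echo "$user: resolved -> $pw"
    if sp=$(getent shadow "$user" 2>/dev/null) && [ -n "$sp" ]; then
        echo "$user: shadow password field is '$(shadow_state "$sp")'"
    else
        echo "$user: no shadow entry visible (not root, or the shadow source does not serve this user)"
        return 2
    fi
}

# Run the live check only when a user name is given on the command line,
# e.g.  sudo sh nss_check.sh CASEYN
if [ $# -gt 0 ]; then
    diagnose_user "$@"
fi
```

A local account such as neilc reports `hash` because `shadow: files` serves its crypt hash; an LDAP account that resolves through `passwd: ldap` but comes back from `shadow: ldap` as `*` or with no entry at all shows `no-hash` or "no shadow entry visible", which is exactly the situation in which an OS password check has nothing to compare against while an interactive login through PAM still succeeds.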
fjb_saper
Posted: Tue Apr 07, 2015 4:19 pm
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY

neilwcasey wrote:
    Hi,
    The Linux variant I am running (RHEL 6.6) does indeed support upper, lower and mixed case user ids, and enforces matching case (a feature of the new version of PAM in RHEL 6).
    I believe markt has the right of it. I missed the distinction between the functions provided by nsswitch in hiding the source of a value, and PAM in authenticating a user. If nsswitch was set up to provide access to shadow passwords held in the LDAP directory, MQ would probably be able to authenticate the users without needing to directly interact with PAM.

Unix/Linux might support an upper case userid on your particular setup. I remember reading somewhere that MQ on those platforms will automatically change it to lower case. But then that might only be for a client connection...
_________________
MQ & Broker admin
RogerLacroix
Posted: Thu Apr 09, 2015 3:36 pm
Jedi Knight | Joined: 15 May 2001 | Posts: 3264 | Location: London, ON Canada

Sorry, I gotta post, so...
[Vendor_Speak]
MQAUSX 'natively' supports 6 different authentication targets (without PAM):
- Local OS
- LDAP server
- Microsoft's Active Directory
- Quest Authentication Services (QAS) aka Vintela Authentication Services (VAS)
- Centrify's DirectControl (CDC)
- MQAUSX FBA file.
For both QAS and CDC, the companies have supplied Capitalware with their product SDK, so that MQAUSX can natively call said products for authentication.
Obviously, for Local OS and LDAP authentication, MQAUSX simply uses the appropriate API supplied by the operating system.
For Active Directory authentication, MQAUSX can handle it in 2 ways: (1) MQAUSX on Windows via a Windows' AD authentication call and (2) MQAUSX on any platform can use/talk to AD as a remote LDAP server.
[/Vendor_Speak]
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter