saurabh25281
Posted: Wed Aug 31, 2016 2:05 pm
Post subject: Authenticating and Authorising an AD domain user using LDAP
Hi All,
I have a requirement for providing authentication and authorization to users in Active Directory using LDAP.
I am using the below AUTHINFO configuration along with CHLAUTH, and I am getting the below error when trying to remotely connect to a remote Qmgr using MQ Explorer. My userid is an Active Directory id and is part of the mqm group. I am providing the userid/password in the MQ Explorer. My MQ server is version 8.0.0.5 while MQ Explorer is 7.5.0.1.
Can someone tell me where I might be going wrong?
Quote:
AuthInfo
AMQ8566: Display authentication information details.
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) USRFIELD(sAMAccountName)

Channel Auth
AMQ8878: Display channel authentication record details.
CHLAUTH(MQEXPLORER.SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR) ALTDATE(2016-08-31)
ALTTIME(14.41.37)

Qmgr Status
AMQ8705: Display Queue Manager Status Details.
QMNAME(TESTQMGR) STATUS(RUNNING)
CONNS(24) CMDSERV(RUNNING)
CHINIT(RUNNING) INSTNAME(Installation1)
INSTPATH(C:\Program Files\IBM\WebSphere MQ)
INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2016-08-30)
STARTTI(15.13.51)
Quote:
Error Details
8/31/2016 15:17:34 - Process(8140.59) User(someotheruser) Program(amqzlaa0.exe) Host(servername) Installation(Installation1) VRMF(8.0.0.5) QMgr(TESTQMGR)
Error locating user or group in LDAP
The LDAP authentication and authorization service has failed in the ldap_get_values call while trying to find user or group 'userid'. Returned count is 15. Additional context is 'length: userid'.
Specify the correct name, or fix the directory configuration. There may be additional information in the LDAP server error logs.

smdavies99
Posted: Wed Aug 31, 2016 9:42 pm
As you are running on Windows you already have Auth using AD OOTB with MQ available to you.
So why LDAP? Does the person who told you to do this understand the features that MQ 7.5 has OOTB on Windows? What advantages/extra features do they think you are going to get by using LDAP over the Auth that is already there?
I seem to recall that the configuration with LDAP was made a lot easier with V8.
There is a presentation by Morag Hughson somewhere around that details this.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

saurabh25281
Posted: Thu Sep 01, 2016 1:30 am
I need to correct myself: we would like to provide authorisation by passing on the LDAP-authenticated domain users and granting them access via local groups on the OS.
So, the authorisation would not be through LDAP. And yes, we are using MQ v8.
Let me know if the configuration that I have stated is not correct, and what I should do to make it work.

mqjeff
Posted: Thu Sep 01, 2016 3:51 am
This is what CHLAUTH rules are for. You can map LDAP users to local OS users, based on the incoming DN.
_________________
chmod -R ugo-wx /

saurabh25281
Posted: Thu Sep 01, 2016 6:16 am
I don't see the option of DNs except with SSLPEERMAP, and I am not using SSL in any of my connections.
Can you provide me a v8 link which describes the usage of DNs for LDAP records to be used with USERMAP?

mqjeff
Posted: Thu Sep 01, 2016 6:24 am
I was thinking that you could use the text of the DN, rather than the DN directly, in USERSRC or USERMAP.

saurabh25281
Posted: Thu Sep 01, 2016 6:35 am
Jeff, 2 points:
1. I was not aware that we can use this format: CLNTUSER('cn=johndoe'). The v8 documentation does not provide any hint, so I was hoping to get it verified from a link.
2. Even if the above format is permissible, do I have to create a separate user MAP using CHLAUTH for each user, or can I MAP the LDAP hierarchy like CLNTUSER('OU=Users,DC=Organisation,DC=internal') to my local OS user?

mqjeff
Posted: Thu Sep 01, 2016 6:50 am
Not really sure.
Kinda guessing here.

saurabh25281
Posted: Fri Sep 02, 2016 1:53 am
Hi Guys,
To investigate this issue I had disabled CHLAUTH and set AUTHINFO to use LDAP. Some strange behaviour that I see is as follows:
When I set the LDAP configuration using my own id, the Qmgr status shows that it is connected.
Quote:
Qmgr Status
AMQ8705: Display Queue Manager Status Details.
QMNAME(TESTQMGR) STATUS(RUNNING)
CONNS(24) CMDSERV(RUNNING)
CHINIT(RUNNING) INSTNAME(Installation1)
INSTPATH(C:\Program Files\IBM\WebSphere MQ)
INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2016-08-30)
STARTTI(15.13.51)
But when I use the same id from MQ Explorer to authenticate and connect to the remote Qmgr, I am getting the below LDAP error.
Quote:
Error
Error locating user or group in LDAP
The LDAP authentication and authorization service has failed in the ldap_get_values call while trying to find user or group 'userid'. Returned count is 15. Additional context is 'length: userid'.
Specify the correct name, or fix the directory configuration. There may be additional information in the LDAP server error logs.
Wondering if LDAP has a separate set of permissions on userids for connecting and for authenticating?

mqjeff
Posted: Fri Sep 02, 2016 3:59 am
That error from MQ Explorer means that the user id is too long.
You might make sure your MQ Explorer is at the most recent FP.

saurabh25281
Posted: Fri Sep 02, 2016 10:56 am
Hi Jeff,
I was now able to resolve the LDAP connectivity. The issue was due to the SHORTUSR parameter that I configured on AUTHINFO to an LDAP attribute, "sAMAccountName", that had a value greater than 12 characters. To get over it, I have selected a separate LDAP attribute, "givenName", which was within the acceptable limits.
I did not have to shorten the userid that I was using in MQ Explorer. My MQ Explorer is still using the 15-character id, which is authenticated against the sAMAccountName LDAP property. The difference is the LDAP attribute used in the SHORTUSR parameter.
Quote:
Earlier Authinfo
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) USRFIELD(sAMAccountName)
Quote:
Current Authinfo
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(givenName) USRFIELD(sAMAccountName)
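A pre-flight check for the SHORTUSR attribute choice discussed in this post, added here as an example (it is not code from the thread or from IBM MQ). It applies the 12-character limit the post ran into, and also flags the caveat with the givenName workaround: that attribute is not unique in a directory, so two distinct domain users can resolve to the same short user name and, with ADOPTCTX(YES) and OS authorisation, to the same OS identity. The directory entries, DNs and account names are constructed.

```python
# Pre-flight check for the SHORTUSR choice in an IBM MQ IDPWLDAP AUTHINFO.
# MQ must fit the authenticated user's short name into 12 characters; with
# ADOPTCTX(YES) and OS authorisation that short name is the identity the
# queue manager's OS-level permission checks see. Sample entries are constructed.
from collections import defaultdict

SHORTUSR_MAX = 12  # MQ short user name length limit

# Constructed sample directory entries (not real accounts, not from the thread).
SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Smith,OU=Users,DC=example,DC=internal",
     "sAMAccountName": "jsmith", "givenName": "Jane",
     "userPrincipalName": "jsmith@example.internal"},
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=internal",
     "sAMAccountName": "janedoe_admin01", "givenName": "Jane",   # 15 chars
     "userPrincipalName": "janedoe_admin01@example.internal"},
    {"dn": "CN=svc mqmon,OU=Users,DC=example,DC=internal",
     "sAMAccountName": "svc_mqmon", "givenName": None,
     "userPrincipalName": "svc_mqmon@example.internal"},
]


def check_shortusr(entries, attr, limit=SHORTUSR_MAX):
    """Report whether `attr` is safe to use as SHORTUSR for these entries.

    too_long   - DNs whose value exceeds `limit` (MQ cannot derive the short
                 user name; the thread hit this with a 15-char sAMAccountName)
    missing    - DNs with no value for the attribute (logon cannot be mapped)
    collisions - value -> DNs sharing it: distinct directory users would adopt
                 the same MQ identity, and so the same OS authorisations
    """
    too_long, missing = [], []
    seen = defaultdict(list)
    for entry in entries:
        value = entry.get(attr)
        if not value:
            missing.append(entry["dn"])
            continue
        if len(value) > limit:
            too_long.append(entry["dn"])
        seen[value].append(entry["dn"])
    collisions = {v: dns for v, dns in seen.items() if len(dns) > 1}
    return {"too_long": too_long, "missing": missing, "collisions": collisions}


def usable_as_shortusr(entries, attr, limit=SHORTUSR_MAX):
    """True only when every entry yields a unique, non-empty value within limit."""
    report = check_shortusr(entries, attr, limit)
    return not (report["too_long"] or report["missing"] or report["collisions"])
```

Running check_shortusr(SAMPLE_ENTRIES, "givenName") on the constructed data shows why the workaround in this post trades the length error for a collision between the two "Jane" accounts and an unmapped service account.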

Zodiac42
Posted: Fri Oct 21, 2016 6:49 am
Hi,
I had the exact same problem (see http://www.mqseries.net/phpBB2/viewtopic.php?t=72892 ).
After opening a PMR with IBM I was told that LDAP Authorization over AD only works from MQ 9.0 upwards. We were on 8.0.0.5, but as soon as we upgraded to 9.0.0.0 it worked instantaneously. You just have to pay attention to these details:
Code:
AUTHINFO(AD.AUTHINFO) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(domain-controller1) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) CLASSGRP( )
CLASSUSR(user) FAILDLAY(1)
FINDGRP( ) BASEDNG( )
BASEDNU(OU=ou_AdminAccounts,DC=mydomain,DC=local)
LDAPUSER(serviceuser@mydomain.local)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) GRPFIELD( )
USRFIELD(userPrincipalName) AUTHORMD(OS)
NESTGRP(NO) SECCOMM(NO)
Also, you have to uncheck the "Compatibility mode" in your MQ Explorer connection settings, for this will cut the username after 12 characters, and also the password!
Cheers, Pat