Authenticating and Authorising an AD domain user using LDAP
saurabh25281
PostPosted: Wed Aug 31, 2016 2:05 pm    Post subject: Authenticating and Authorising an AD domain user using LDAP

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi All,

I have a requirement for providing authentication and authorization to users in Active directory using LDAP.

I am using the below AUTHINFO configuration along with CHLAUTH and I am getting the below error when trying to remotely connect to a remote Qmgr using MQ Explorer. My userid is an Active Directory id and is part of the mqm group. I am providing the userid/password in the MQ Explorer. My MQ server is version 8.0.0.5 while MQ Explorer is 7.5.0.1.

Can someone tell me where I might be going wrong?

Quote:

AuthInfo
AMQ8566: Display authentication information details.
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) USRFIELD(sAMAccountName)

Channel Auth
AMQ8878: Display channel authentication record details.
CHLAUTH(MQEXPLORER.SVRCONN) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) USERSRC(CHANNEL)
CHCKCLNT(ASQMGR) ALTDATE(2016-08-31)
ALTTIME(14.41.37)

Qmgr Status
AMQ8705: Display Queue Manager Status Details.
QMNAME(TESTQMGR) STATUS(RUNNING)
CONNS(24) CMDSERV(RUNNING)
CHINIT(RUNNING) INSTNAME(Installation1)
INSTPATH(C:\Program Files\IBM\WebSphere MQ)
INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2016-08-30)
STARTTI(15.13.51)


Quote:
Error Details
8/31/2016 15:17:34 - Process(8140.59) User(someotheruser) Program(amqzlaa0.exe) Host(servername) Installation(Installation1) VRMF(8.0.0.5) QMgr(TESTQMGR)

Error locating user or group in LDAP

The LDAP authentication and authorization service has failed in the ldap_get_values call while trying to find user or group 'userid'. Returned count is 15. Additional context is 'length: userid'.

Specify the correct name, or fix the directory configuration. There may be additional information in the LDAP server error logs.
smdavies99
PostPosted: Wed Aug 31, 2016 9:42 pm    Post subject:

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

As you are running on Windows you already have Auth using AD OOTB with MQ available to you.

So why LDAP? Does the person who told you to do this understand the features the MS 7.5 has OOTB on Windows? What advantages/extra features do they think you are going to get by using LDAP over the Auth that is already there?

I seem to recall that the configuration with LDAP was made a lot easier with V8.
There is a presentation by Morag Hughson somewhere around that details this.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
saurabh25281
PostPosted: Thu Sep 01, 2016 1:30 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

I need to correct myself: we would like to provide authorisation by passing on the LDAP authenticated domain users and granting them access via local groups on the OS.

So, the authorisation would not be through LDAP. And yes, we are using MQv8.

Let me know if the configuration that I have stated is not correct and what I should do to make it work.
mqjeff
PostPosted: Thu Sep 01, 2016 3:51 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

This is what CHLAUTH rules are for. You can map LDAP users to local OS users, based on the incoming DN.
_________________
chmod -R ugo-wx /
saurabh25281
PostPosted: Thu Sep 01, 2016 6:16 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

I don't see the option of DNs except with SSLPEERMAP, and I am not using SSL in any of my connections.

Can you provide me a v8 link which describes usage of DNs for LDAP records to be used with USERMAP.
mqjeff
PostPosted: Thu Sep 01, 2016 6:24 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

I was thinking that you could use the text of the dn, rather than the DN directly, in USERSRC or USERMAP.
_________________
chmod -R ugo-wx /
saurabh25281
PostPosted: Thu Sep 01, 2016 6:35 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Jeff, 2 points,

1. I was not aware if we can use this format: CLNTUSER('cn=johndoe'). The v8 documentation does not provide any hint. So I was hoping to get it verified from a link.

2. Even if the above format is permissible, for each user do I have to create separate user MAPS using chlauth, or can I MAP the LDAP hierarchy like CLNTUSER('OU=Users,DC=Organisation,DC=internal') to my local OS user?
mqjeff
PostPosted: Thu Sep 01, 2016 6:50 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Not really sure.

Kinda guessing here.
_________________
chmod -R ugo-wx /
saurabh25281
PostPosted: Fri Sep 02, 2016 1:53 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi Guys,

To investigate this issue I had disabled the CHLAUTH and set AUTHINFO to use LDAP. Some strange behaviour that I see is as follows:

When I set the LDAP configuration using my own id, the Qmgr status shows that it is connected.
Quote:
Qmgr Status
AMQ8705: Display Queue Manager Status Details.
QMNAME(TESTQMGR) STATUS(RUNNING)
CONNS(24) CMDSERV(RUNNING)
CHINIT(RUNNING) INSTNAME(Installation1)
INSTPATH(C:\Program Files\IBM\WebSphere MQ)
INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2016-08-30)
STARTTI(15.13.51)


But when I use my same id from MQ Explorer to authenticate and connect to the remote Qmgr I am getting the below LDAP error.
Quote:
Error
Error locating user or group in LDAP

The LDAP authentication and authorization service has failed in the ldap_get_values call while trying to find user or group 'userid'. Returned count is 15. Additional context is 'length: userid'.

Specify the correct name, or fix the directory configuration. There may be additional information in the LDAP server error logs.


Wondering if LDAP has a separate set of permissions on userids for connecting and for authenticating?
mqjeff
PostPosted: Fri Sep 02, 2016 3:59 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

That error from MQExplorer means that the user id is too long.

You might make sure your MQ Explorer is at the most recent FP.
_________________
chmod -R ugo-wx /
saurabh25281
PostPosted: Fri Sep 02, 2016 10:56 am    Post subject:

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi Jeff,

I was now able to resolve the LDAP connectivity. The issue was due to the SHORTUSR parameter that I configured on authinfo, to an LDAP attribute "sAMAccountName" that had a value greater than 12 characters. To get over it, I have selected a separate LDAP attribute "givenName" which was within the acceptable limits.

I did not have to shorten the userid that I was using at MQ Explorer. My MQ Explorer is still using the 15 character id which is authenticated against the sAMAccountName LDAP property. The difference being the LDAP attribute used in the SHORTUSR parameter.

Quote:
Earlier Authinfo
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) USRFIELD(sAMAccountName)


Quote:
Current Authinfo
AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR( )
CONNAME(x.x.x.x(389)) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL) CLASSUSR(user)
FAILDLAY(1)
BASEDNU(OU=***,DC=*****,DC=internal)
LDAPUSER(userid)
LDAPPWD(********************************)
SHORTUSR(givenName) USRFIELD(sAMAccountName)
Zodiac42
PostPosted: Fri Oct 21, 2016 6:49 am    Post subject:

Newbie

Joined: 31 Aug 2016
Posts: 6
Location: Linz, AT

Hi,

I had the exact same problem (see http://www.mqseries.net/phpBB2/viewtopic.php?t=72892 )

After opening a PMR with IBM I was told that LDAP Authorization over AD only works from MQ 9.0 upwards. We were on 8.0.0.5, but as soon as we upgraded to 9.0.0.0 it worked instantaneously. You just have to pay attention to these details:

Code:
AUTHINFO(AD.AUTHINFO)                   AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO)                            DESCR( )
CONNAME(domain-controller1)             CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL)                      CLASSGRP( )
CLASSUSR(user)                          FAILDLAY(1)
FINDGRP( )                              BASEDNG( )
BASEDNU(OU=ou_AdminAccounts,DC=mydomain,DC=local)
LDAPUSER(serviceuser@mydomain.local)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName)                GRPFIELD( )
USRFIELD(userPrincipalName)             AUTHORMD(OS)
NESTGRP(NO)                             SECCOMM(NO)


Also, you have to uncheck the "Compatibility mode" in your MQ Explorer connection settings, for this will cut the username after 12 characters and also the password!

Cheers, Pat
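An added pre-deployment check for the two posts above (example code written for this page, not the posters' or IBM's): it parses DISPLAY AUTHINFO output to find the attribute named in SHORTUSR, lists directory entries whose value for that attribute would exceed the 12-character limit the thread identifies, and generalises the poster's fix by picking the first candidate attribute that fits every entry. The MQSC text and the directory entries are constructed samples; the 12-character limit is taken from the thread.

```python
import re

# From the thread: a SHORTUSR attribute value longer than 12 characters makes the
# LDAP lookup fail, and MQ Explorer's "compatibility mode" cuts the name at 12 too.
MAX_SHORT_USER_LEN = 12

# Constructed DISPLAY AUTHINFO output in the layout the posts show.
SAMPLE_AUTHINFO = """AMQ8566: Display authentication information details.
   AUTHINFO(USE.LDAP)                      AUTHTYPE(IDPWLDAP)
   CONNAME(x.x.x.x(389))                   CHCKCLNT(REQUIRED)
   SHORTUSR(sAMAccountName)                USRFIELD(sAMAccountName)
"""

# Constructed directory entries; the names are invented, not real accounts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "givenName": "John"},
    {"sAMAccountName": "firstname.lastname", "givenName": "Firstname"},
    {"sAMAccountName": "svc-mq-admin-01", "givenName": "Service"},
]

_KEY = re.compile(r"(?<![A-Za-z0-9])([A-Z][A-Z0-9]*)\(")

def parse_mqsc_attrs(text):
    """Map KEY(value) pairs from DISPLAY output to a dict; values may nest
    parentheses, e.g. CONNAME(x.x.x.x(389)), so they are balanced by hand."""
    attrs, pos = {}, 0
    while (m := _KEY.search(text, pos)):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        attrs[m.group(1)] = text[m.end():j - 1].strip()
        pos = j
    return attrs

def too_long_short_users(attrs, entries):
    """(sAMAccountName, value) for every entry whose SHORTUSR attribute value
    exceeds the short user name limit, i.e. would fail as in the thread."""
    field = attrs["SHORTUSR"]
    return [(e["sAMAccountName"], e.get(field, ""))
            for e in entries if len(e.get(field, "")) > MAX_SHORT_USER_LEN]

def first_fitting_attribute(entries, candidates=("sAMAccountName", "givenName")):
    """Generalises the poster's fix: first candidate attribute whose value fits
    the limit for every entry, or None if none does."""
    for attr in candidates:
        if all(len(e.get(attr, "")) <= MAX_SHORT_USER_LEN for e in entries):
            return attr
    return None
```

A fitting attribute must also identify each user uniquely, which givenName generally does not; the thread does not cover that.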