LDAP Authentication Issue
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Mon Oct 23, 2017 5:11 pm  Post subject: LDAP Authentication Issue
Issue - Not able to authenticate with LDAP as a client connection [when provided with the -u option on the runmqsc command]
Background -
MQ version - 8.0.0.5
OS - Windows
CMDLevel - 800 [I have tried by changing the CMD level to 8002 - which gives AUTHORIZATION via LDAP - but that is out of the question as of now]
LDAP - Active Directory on Windows
[Base configuration - created a new QM to set up authentication]
What I want to achieve - Whenever any client is connecting to the QM, it should provide userId creds which will be validated against AD, and the connection is established.
[Just authentication as of now. Authorization afterwards]
[And yes, it has to be AD based - don't ask why]
Setup -
1. Followed the bite size blog by Rob Parker [https://www.ibm.com/developerworks/community/blogs/messaging/entry/bite_size_blogging_mq_v8_setting_up_a_qmgr_to_use_ldap_authentication?lang=en]
2. Made appropriate changes as per AD records in the organization.
- Have set up AUTHINFO records
Code:
DISPLAY QMGR CMDLEVEL
1 : DISPLAY QMGR CMDLEVEL
AMQ8408: Display Queue Manager details.
QMNAME(TESTQM) CMDLEVEL(800)
display authinfo(use.ldap1)
2 : display authinfo(use.ldap1)
AMQ8566: Display authentication information details.
AUTHINFO(USE.ldap1) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(ldapf5.us.xxxx) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL)
CLASSUSR(user)
FAILDLAY(1)
BASEDNU(CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx)
LDAPUSER( ) LDAPPWD( )
SHORTUSR(uid) USRFIELD(uid)
SECCOMM(NO) ALTDATE(2017-10-23)
ALTTIME(20.20.39)
3. Updated the QMGR to use this authinfo record and refreshed security. [Followed the steps in the blog]
4. But getting a security error - not able to connect to the QM.
5. Enabled trace and tried to debug - AD is not returning any object. The LDAP query is not successful for the given criteria.
6. The LDAP connection is successful though.
Quote:
000CD573 20:21:44.384954 4268.26449 CONN:000028 LDAP searching (retried=0 scope=2) with base=CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx filter=(&(objectClass=user)(uid=RB3105)) ld=000000000A76A8F0
000CD574 20:21:44.388366 4268.26449 CONN:000028 LDAP search (1) rc=1 count=0
000CD575 20:21:44.388434 4268.26449 CONN:000028 LDAP search (2) rc=1 count=0
000CD576 20:21:44.388467 4268.26449 CONN:000028 LDAP search failed with rc=1 (Operations error) user='RB3105'
000CD577 20:21:44.388502 4268.26449 CONN:000028 -------------}! zfuLdapGetUserDn (rc=MQRC_SERVICE_ERROR)
This tells me there is some issue with configuring the BaseDN for the user.
So - as I am not an LDAP or AD expert and have not used it extensively - I am not sure what is causing the issue.
What I have done -
I checked the AD structure for the user using AD Explorer.
Here is a snapshot of what it looks like for the user 'RB3105':
cn DirectoryString 1 RB3105@us.xxxx
displayName DirectoryString 1 $CimsUserVersion5
distinguishedName DN 1 CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx
dSCorePropagationData GeneralizedTime 1 1/1/1601 12:00:00 AM
gecos IA5String 1 Ravindra Bommakanti
gidNumber Integer 1 300
instanceType Integer 1 4
keywords DirectoryString 1 parentLink:S-1-5-21-1360216634-158211412-1947940980-58528
loginShell IA5String 1 /bin/bash
name DirectoryString 1 RB3105@us.xxxx
nTSecurityDescriptor NTSecurityDescriptor 1 D:AI(A;;*****************************************MASKED**-1
objectCategory DN 1 CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=us,DC=xxxx
objectClass OID 5 top;posixAccount;leaf;connectionPoint;serviceConnectionPoint
objectGUID OctetString 1 {99477E1E-0B10-4357-AFF1-BDF89F45A935}
showInAdvancedViewOnly Boolean 1 TRUE
uid DirectoryString 1 rb3105
uidNumber Integer 1 1426121888
unixHomeDirectory IA5String 1 %{home}/%{user}
uSNChanged Integer8 1 0xD16A9C5
uSNCreated Integer8 1 0xD16A9C5
whenChanged GeneralizedTime 1 7/20/2017 4:52:57 PM
whenCreated GeneralizedTime 1 7/20/2017 4:52:47 PM
So, long story short - what is the base DN I should use in the AUTHINFO record?
Another issue I am guessing is the 'scope' of the LDAP search.
As one can see - there are multiple levels of CN and OU in the AD, and the trace says LDAP searching (retried=0 scope=2).
[Not sure what scope=2 means]. [After googling I found a few things about AD scope - there are 3 values 'NON', 'ONE' and 'SUBTREE' - https://msdn.microsoft.com/en-us/library/ms677937(v=vs.85).aspx]
Kindly suggest/guide.
[Seems like I am missing something small but crucial]
Let me know if more details are needed.
Regards,
Vishnu.
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Mon Oct 23, 2017 5:14 pm  Post subject:
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Oct 24, 2017 4:46 am  Post subject:
This is the result of your query:
Code:
distinguishedName DN 1 CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx
So instead of passing RB3105 as the userid, did you try passing RB3105@us.xxxx, and if you did, did it make a difference in the output observed?
You may also want to check the order of the multiple calls for the same DN identifier. If the order is relevant, remember that there might be a reversal between systems of different endianness... as evidenced in SSL setup...
_________________
MQ & Broker admin
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Tue Oct 24, 2017 5:40 am  Post subject:
Thanks for the reply.
Yes, I have tried passing RB3105@us.xxxx and got the same result.
I tried changing 'userfield' in the AUTHINFO definition to 'uid' [and passed only -u RB3105] and it still didn't work.
Quote:
You may also want to check the order of the multiple calls for the same DN identifier. If the order is relevant, remember that there might be a reversal between systems of different endianness... as evidenced in SSL setup...
I have asked for the AD logs - once I get them, I will know what the sequence was and what exact query MQ sent to AD.
The order might be the issue - as you pointed out.
From the MQ trace I am not getting any more details, and I am also failing to understand the filter structure of the LDAP search query, shown below. Hope that '&' sign is rightly placed.
[Then, methinks... it is IBM internal code and must be right, but...]
If I could get some direction/pointers in understanding the issue from the trace, I would appreciate it.
Quote:
000CD573 20:21:44.384954 4268.26449 CONN:000028 LDAP searching (retried=0 scope=2) with base=CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx filter=(&(objectClass=user)(uid=RB3105))ld=000000000A76A8F0
000CD574 20:21:44.388366 4268.26449 CONN:000028 LDAP search (1) rc=1 count=0
000CD575 20:21:44.388434 4268.26449 CONN:000028 LDAP search (2) rc=1 count=0
000CD576 20:21:44.388467 4268.26449 CONN:000028 LDAP search failed with rc=1 (Operations error) user='RB3105'
000CD577 20:21:44.388502 4268.26449 CONN:000028 -------------}! zfuLdapGetUserDn (rc=MQRC_SERVICE_ERROR)
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Tue Oct 24, 2017 5:53 am  Post subject:
A few more things.
Quote:
DISPLAY QMGR CMDLEVEL
1 : DISPLAY QMGR CMDLEVEL
AMQ8408: Display Queue Manager details.
QMNAME(TESTQM) CMDLEVEL(800)
display authinfo(use.ldap1)
2 : display authinfo(use.ldap1)
AMQ8566: Display authentication information details.
AUTHINFO(USE.ldap1) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(ldapf5.us.xxxx) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL)
CLASSUSR(user)
FAILDLAY(1)
BASEDNU(CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx)
LDAPUSER( ) LDAPPWD( )
SHORTUSR(uid) USRFIELD(uid)
SECCOMM(NO) ALTDATE(2017-10-23)
ALTTIME(20.20.39)
Question
1. What should the CLASSUSR value be?
The documentation says it should be the objectClass of the result.
And in one of the documents/blogs I found it should be 'user' for AD [typically].
In the AD structure I get the below for the user RB3105.
objectClass OID 5 top;posixAccount;leaf;connectionPoint;serviceConnectionPoint
Tried setting this whole string - comma separated - in 'CLASSUSR', but no luck.
Any pointers?
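An added example, not part of the thread and not IBM MQ code, that replays the user lookup the MQ trace shows (base DN, scope and filter) against the AD entry dumped with AD Explorer in the first post, and reports which of the three keeps the entry from matching. It serves both the base DN / scope question in the first post and the CLASSUSR question above: the MQ filter is an AND of objectClass=CLASSUSR and USRFIELD=userid, so CLASSUSR has to name a class that is actually in the entry's objectClass list, and the base DN has to be an exact ancestor of the entry's distinguishedName (as posted, the trace base reads OU=SERVER while the entry reads OU=SERVERS). The scope numbering (0 base, 1 one level, 2 subtree) is the LDAP protocol numbering. FIXED_BASE and FIXED_FILTER are hypothetical corrected values I constructed, not something the thread gives. The check runs offline and says nothing about bind credentials (LDAPUSER/LDAPPWD), which the later update in the thread also found necessary.

```python
# Added example (not from the thread or IBM MQ): replay the IDPWLDAP user
# lookup from an MQ trace line against the AD entry dumped with AD Explorer,
# and report which of base DN, scope or filter keeps the entry from matching.


def parse_dn(dn):
    """Split a DN into normalised (attribute, value) RDN tuples.

    Names and values are lower-cased and whitespace around commas dropped, as
    AD compares them case-insensitively. Only the unescaped DN syntax seen in
    the thread is handled (no '\\,' escapes inside values).
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_diff(entry_dn, base_dn):
    """First (entry_rdn, base_rdn) pair that disagrees when the base DN is laid
    over the tail of the entry DN; None when the entry lies under the base."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base):
        return (None, base[0])          # base is longer than the entry itself
    for e, b in zip(entry[len(entry) - len(base):], base):
        if e != b:
            return (e, b)
    return None


def dn_in_scope(entry_dn, base_dn, scope):
    """Is entry_dn reachable from base_dn with this search scope?

    scope uses the LDAP protocol numbering printed in the MQ trace:
    0 = base object only, 1 = one level below the base, 2 = whole subtree.
    """
    if dn_diff(entry_dn, base_dn) is not None:
        return False
    depth = len(parse_dn(entry_dn)) - len(parse_dn(base_dn))
    return {0: depth == 0, 1: depth == 1, 2: True}[scope]


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % text[i:end])
        return ("=", attr.strip().lower(), value.strip().lower()), end + 1

    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against {attribute: [values]}, case-insensitively."""
    attrs = {k.lower(): v for k, v in attrs.items()}
    op = tree[0]
    if op == "=":
        return tree[2] in (v.lower() for v in attrs.get(tree[1], []))
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    return not matches(tree[1][0], attrs)           # op == "!"


def check_search(base_dn, scope, filter_text, entry_dn, attrs):
    """Decide whether the search could return the entry and say what excludes it."""
    in_scope = dn_in_scope(entry_dn, base_dn, scope)
    filter_ok = matches(parse_filter(filter_text), attrs)
    return {"in_scope": in_scope, "base_mismatch": dn_diff(entry_dn, base_dn),
            "filter_match": filter_ok, "found": in_scope and filter_ok}


# Values copied from the trace line and the AD Explorer dump in this thread.
TRACE_BASE = "CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx"
TRACE_FILTER = "(&(objectClass=user)(uid=RB3105))"
ENTRY_DN = "CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx"
ENTRY_ATTRS = {"cn": ["RB3105@us.xxxx"], "uid": ["rb3105"],
               "objectClass": ["top", "posixAccount", "leaf", "connectionPoint",
                               "serviceConnectionPoint"]}
# Hypothetical corrected values (not from the thread): the base spelled as in
# the entry's distinguishedName, and a filter naming an objectClass the entry
# actually carries, which is what CLASSUSR would have to select.
FIXED_BASE = "CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx"
FIXED_FILTER = "(&(objectClass=posixAccount)(uid=RB3105))"

if __name__ == "__main__":
    for base, flt in ((TRACE_BASE, TRACE_FILTER), (FIXED_BASE, FIXED_FILTER)):
        print(check_search(base, 2, flt, ENTRY_DN, ENTRY_ATTRS))
```

Run as-is, the first report comes back with in_scope False (base_mismatch points at the OU=SERVERS versus OU=SERVER RDN) and filter_match False (no objectClass value equals "user"), so count=0 is what the directory would return even with a working bind; the second report, using the hypothetical corrected base and class, comes back found. To reuse it, paste the base, scope and filter from your own trace line and the entry's attributes from AD Explorer, keeping in mind that escaped commas inside DN values are not handled.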
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Tue Oct 24, 2017 5:59 am  Post subject:
Have tried leaving it blank as well - which defaults to intOrgPerson.
Tried the value 'person'.
[and even tried making the values uppercase - hoping it would work]
vishBroker (Centurion; Joined: 08 Dec 2010; Posts: 135)
Posted: Wed Oct 25, 2017 6:28 am  Post subject:
Quick update: I was able to get it working.
The issue was with the AD structure/Base DN.
When I worked with the LDAP admin to get the proper BASE DN, the issue got resolved.
Also noted one more point - it is required to populate the below two attributes -
LDAPUSER( ) LDAPPWD( )
Earlier I was keeping them blank and I was still able to see 'connected to LDAP' in the QMGR status.
Will update with a complete write-up.