MQSeries.net forum, IBM MQ Security: LDAP Authorization Question
vishBroker (Centurion; joined 08 Dec 2010; 135 posts)
Posted: Wed Nov 01, 2017 5:47 am, subject: LDAP Authorization Question

Setup:
IBM MQ - v8.0.0.6
Platform - Unix

I am doing authentication and authorization using LDAP/AD
Have created 3 AD groups - MQADMIN, MQUSER and MQREADONLY

Authorization is happening as expected at the group level.

Now, I want to tighten security for a particular user [principal].
For example
AD group - MQUSER
Members of MQUSER - mqusr1, mqusr2
Queues in the QM - Q1, Q2,Q3

MQUSER group has (say) - put, get and browse access to all the queues.
Quote:
setmqaut -m $qmgr -n '**' -t queue -g "$group" +browse +allmqi +dsp


Now, I want to restrict access for principal mqusr2.
mqusr2 should not be able to put messages to the queue Q1.
Quote:
setmqaut -m TESTLDAP -n "Q1" -t q -p "CN=mqusr2,OU=Test Accounts,OU=xxx,DC=xx,DC=xxx" -all +get +browse


But still, mqusr2 is able to put messages on Q1.
I know it works as accumulated authorization.
So dspmqaut for the principal [mqusr2] shows all the permissions for the group.

Question: how should I restrict access for one of the users in the group?
I tried to search in the forum as well as blogs, but could not find how to achieve it.

Kindly suggest: is what I am trying to do possible? And is it possible in MQ v8?
I would appreciate it if you could point me in the right direction.
Let me know what is missing.
vishBroker (Centurion; joined 08 Dec 2010; 135 posts)
Posted: Wed Nov 01, 2017 6:07 am

As always, after posting the question I found a pointer.

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q027780_.htm

Trying this out.

zpat (Jedi Council; joined 19 May 2001; 5687 posts; location: UK)
Posted: Wed Nov 01, 2017 6:28 am

Never grant get or put permission to the system queues with a profile of "**".

You might like to consider where MQ stores the ACL rules for example ....

Always use an application prefix like "PREFIX.**" on a generic profile.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

vishBroker (Centurion; joined 08 Dec 2010; 135 posts)
Posted: Wed Nov 01, 2017 6:45 am

zpat wrote:
Never grant get or put permission to the system queues with a profile of "**".

You might like to consider where MQ stores the ACL rules for example ....

Always use an application prefix like "PREFIX.**" on a generic profile.


Thanks.
As of now, I wanted to get this 'tighter' security working for the principal.
I will keep it in mind not to give permissions for system queues.

Could you point out how I can have 'group' as well as 'principal' level authorization working together?

zpat (Jedi Council; joined 19 May 2001; 5687 posts; location: UK)
Posted: Wed Nov 01, 2017 6:57 am

Normally you would create another group.

You are asking if you can take away permissions granted by the group from a principal?

I think that MQ v9 has some enhancements for "principals" - but if you have tried using +none and it doesn't work, then I would stick with groups.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

Vitor (Grand High Poobah; joined 11 Nov 2005; 25855 posts; location: Texas, USA)
Posted: Wed Nov 01, 2017 9:10 am

I'm not aware of anything in MQv8 or v9 that changes the position of authorizations in Unix platforms being at the group level and applied equally to all members of the group.

Individual permissions are only supported on Windows. And z/OS. But you're always better off with groups on any platform IMHO.
_________________
Honesty is the best policy.
Insanity is the best defence.

exerk (Jedi Council; joined 02 Nov 2006; 6109 posts)
Posted: Wed Nov 01, 2017 9:28 am

Vitor wrote:
I'm not aware of anything in MQv8 or v9 that changes the position of authorizations in Unix platforms being at the group level and applied equally to all members of the group...

Have a look at the UNIX and Linux systems bit.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

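The thread's core point, that on UNIX/Linux the OAM accumulates authorities across every group a user belongs to, so a "-all" on the principal cannot take away what the group still grants, is easier to see in a small model. The following is an added illustration written for this thread, not IBM code and not what the OAM actually executes. It assumes a simplified generic-profile matcher ('**' matches across qualifiers, '*' within one, '?' one character), a simplified +all/+allmqi expansion, and the rule that for a single entity the most specific matching profile is used while authorities from different entities are unioned. The group names MQUSERQ1RO and the APP.** prefix are constructed; SYSTEM.AUTH.DATA.QUEUE stands in for the system queue zpat alludes to. It reproduces the original post's result and then zpat's remedy (a separate group plus a prefixed generic profile and a more specific profile for Q1), with mqusr2 moved out of MQUSER into the new group.

```python
import re

# Constructed, simplified subset of queue authorities for this model.
# Real setmqaut +all / +allmqi cover more (altusr, connect, passid, ...).
MQI_AUTHS = {"browse", "get", "put", "inq", "set", "pub", "sub", "resolve"}
ALL_AUTHS = MQI_AUTHS | {"dsp", "chg", "clr", "dlt"}


def profile_to_regex(profile):
    """Simplified OAM generic-profile matcher (assumption, not IBM's code):
    '**' matches zero or more characters across qualifiers, '*' matches
    within a single qualifier, '?' matches one character."""
    out, i = "", 0
    while i < len(profile):
        if profile.startswith("**", i):
            out, i = out + ".*", i + 2
        elif profile[i] == "*":
            out, i = out + "[^.]*", i + 1
        elif profile[i] == "?":
            out, i = out + "[^.]", i + 1
        else:
            out, i = out + re.escape(profile[i]), i + 1
    return re.compile("^" + out + "$")


def specificity(profile):
    """More literal characters = more specific (model's tie-break rule)."""
    return sum(1 for c in profile if c not in "*?")


class Oam:
    """In-memory stand-in for the authority records setmqaut writes."""

    def __init__(self):
        self.records = {}  # (profile, entity_type, entity) -> set of auths

    def setmqaut(self, profile, entity_type, entity, changes):
        """Apply a setmqaut-style change list, e.g. "-all +get +browse",
        left to right, to the record for (profile, entity)."""
        auths = self.records.setdefault((profile, entity_type, entity), set())
        for change in changes.split():
            sign, name = change[0], change[1:]
            names = {"all": ALL_AUTHS, "allmqi": MQI_AUTHS}.get(name, {name})
            if sign == "+":
                auths |= names
            elif sign == "-":
                auths -= names
            else:
                raise ValueError("bad change: " + change)
        return set(auths)

    def entity_auths(self, entity_type, entity, object_name):
        """Authorities one entity holds on an object: the most specific
        matching profile for that entity wins (assumption of this model)."""
        best = None
        for (profile, etype, ent), auths in self.records.items():
            if (etype, ent) != (entity_type, entity):
                continue
            if profile_to_regex(profile).match(object_name):
                if best is None or specificity(profile) > specificity(best[0]):
                    best = (profile, auths)
        return set(best[1]) if best else set()

    def effective(self, user, groups, object_name):
        """Accumulated authority: union of the principal's own record and of
        every group record. This union is why the principal's -all on Q1
        changes nothing while MQUSER still grants put on '**'."""
        result = self.entity_auths("principal", user, object_name)
        for group in groups:
            result |= self.entity_auths("group", group, object_name)
        return result


def thread_scenario():
    """The original post: group grant on '**', then -all +get +browse on mqusr2."""
    oam = Oam()
    oam.setmqaut("**", "group", "MQUSER", "+browse +allmqi +dsp")
    oam.setmqaut("Q1", "principal", "mqusr2", "-all +get +browse")
    return oam.effective("mqusr2", ["MQUSER"], "Q1")  # still contains "put"


def system_queue_exposure(profile):
    """zpat's warning: does the group grant give put on a SYSTEM queue?"""
    oam = Oam()
    oam.setmqaut(profile, "group", "MQUSER", "+browse +allmqi +dsp")
    return "put" in oam.effective("mqusr1", ["MQUSER"], "SYSTEM.AUTH.DATA.QUEUE")


def separate_group_fix():
    """zpat's remedy: mqusr2 leaves MQUSER and joins a constructed group
    MQUSERQ1RO, which gets the prefixed generic profile plus a more specific
    read-only profile on APP.Q1."""
    oam = Oam()
    oam.setmqaut("APP.**", "group", "MQUSER", "+browse +allmqi +dsp")
    oam.setmqaut("APP.**", "group", "MQUSERQ1RO", "+browse +allmqi +dsp")
    oam.setmqaut("APP.Q1", "group", "MQUSERQ1RO", "+get +browse +dsp")
    return {
        "mqusr1 on APP.Q1": oam.effective("mqusr1", ["MQUSER"], "APP.Q1"),
        "mqusr2 on APP.Q1": oam.effective("mqusr2", ["MQUSERQ1RO"], "APP.Q1"),
        "mqusr2 on APP.Q2": oam.effective("mqusr2", ["MQUSERQ1RO"], "APP.Q2"),
        "mqusr2 on SYSTEM": oam.effective("mqusr2", ["MQUSERQ1RO"], "SYSTEM.AUTH.DATA.QUEUE"),
    }


if __name__ == "__main__":
    print("mqusr2 on Q1 (original post):", sorted(thread_scenario()))
    print("'**' exposes SYSTEM queue:", system_queue_exposure("**"))
    print("'APP.**' exposes SYSTEM queue:", system_queue_exposure("APP.**"))
    for who, auths in separate_group_fix().items():
        print(who + ":", sorted(auths))
```

Run it with plain `python3`; it needs nothing outside the standard library. The design choice worth noting is that restriction is expressed as a more specific profile for a group the user belongs to, never as a subtraction from the principal, which matches the group-centred advice in the replies above.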