vishBroker
Posted: Wed Nov 01, 2017 5:47 am Post subject: LDAP Authorization Question
Setup:
IBM MQ - v8.0.0.6
Platform - Unix
I am doing authentication and authorization using LDAP/AD.
Have created 3 AD groups - MQADMIN, MQUSER and MQREADONLY.
Authorization is happening as expected at the group level.
Now, I want to tighten security for a particular user [principal].
For example:
AD group - MQUSER
Members of MQUSER - mqusr1, mqusr2
Queues in the QM - Q1, Q2, Q3
MQUSER group has (say) put, get and browse access to all the queues.
Quote:
setmqaut -m $qmgr -n '**' -t queue -g "$group" +browse +allmqi +dsp
Now, I want to restrict access for principal mqusr2.
mqusr2 should not be able to put messages to the queue Q1.
Quote:
setmqaut -m TESTLDAP -n "Q1" -t q -p "CN=mqusr2,OU=Test Accounts,OU=xxx,DC=xx,DC=xxx" -all +get +browse
But still, mqusr2 is able to put messages on Q1.
I know it works as accumulated authorization.
So dspmqaut for the principal [mqusr2] shows all the permissions for the group.
Question - how should I restrict access for one of the users in the group?
I tried to search in the forum as well as blogs, but could not find how to achieve it.
Kindly suggest - is what I am trying to do possible? And possible in MQ v8?
Appreciate it if you point me in the right direction.
Let me know what is missing.
vishBroker
Posted: Wed Nov 01, 2017 6:07 am
zpat
Posted: Wed Nov 01, 2017 6:28 am
Never grant get or put permission to the system queues with a profile of "**".
You might like to consider where MQ stores the ACL rules for example ....
Always use an application prefix like "PREFIX.**" on a generic profile.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
vishBroker
Posted: Wed Nov 01, 2017 6:45 am
zpat wrote:
Never grant get or put permission to the system queues with a profile of "**".
You might like to consider where MQ stores the ACL rules for example ....
Always use an application prefix like "PREFIX.**" on a generic profile.
Thanks.
As of now, I wanted to get this 'tighter' security working for the principal.
I will keep it in mind not to give permissions for system queues.
Could you point out how I can have 'group' as well as 'principal' level authorization working together?
zpat
Posted: Wed Nov 01, 2017 6:57 am
Normally you would create another group.
You are asking if you can take away permissions granted by the group from a principal?
I think that MQ v9 has some enhancements for "principals" - but if you have tried using +none and it doesn't work, then I would stick with groups.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Vitor
Posted: Wed Nov 01, 2017 9:10 am
I'm not aware of anything in MQ v8 or v9 that changes the position of authorizations on Unix platforms being at the group level and applied equally to all members of the group.
Individual permissions are only supported on Windows. And z/OS. But you're always better off with groups on any platform IMHO.
_________________
Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Wed Nov 01, 2017 9:28 am
Vitor wrote:
I'm not aware of anything in MQv8 or v9 that changes the position of authorizations in Unix platforms being at the group level and applied equally to all members of the group...
Have a look at the UNIX and Linux systems bit.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
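To show why the per-principal setmqaut in the first post cannot take away the put authority the group grants, here is an added example: my own Python model of authority accumulation, not IBM MQ code and not from any poster. It assumes that, per entity (the user plus each group it belongs to), the most specific matching profile applies and that the effective authority is the union across entities; the APP.** profile (following zpat's prefix advice), queue names and group memberships are constructed.

```python
import re

# Constructed model of MQ OAM authority accumulation (simplified, not IBM's code):
# per entity (user + its groups) the most specific matching profile applies,
# and the effective authority is the union across entities, so a grant on the
# principal can only add to what the groups already give.

def profile_regex(profile):
    parts = []
    for q in profile.split("."):
        if q == "**":
            parts.append(".*")  # one or more qualifiers, dots included
        else:  # '*' spans characters inside one qualifier, '?' matches one
            parts.append(re.escape(q).replace(r"\*", "[^.]*").replace(r"\?", "[^.]"))
    return re.compile("^" + r"\.".join(parts) + "$")

def specificity(profile):
    return sum(c not in "*?" for c in profile)  # more literal characters wins

class Oam:
    def __init__(self, members):
        self.members = members  # group -> set of users
        self.acl = {}           # (entity, profile) -> set of authorities

    def setmqaut(self, profile, entity, *changes):
        """Apply setmqaut-style changes: '-all' clears, '+put' adds, '-get' removes."""
        auths = self.acl.setdefault((entity, profile), set())
        for change in changes:
            if change == "-all":
                auths.clear()
            else:
                (auths.add if change[0] == "+" else auths.discard)(change[1:])

    def effective(self, user, queue):
        entities = {user} | {g for g, us in self.members.items() if user in us}
        result = set()
        for entity in entities:
            matches = [(specificity(p), a) for (e, p), a in self.acl.items()
                       if e == entity and profile_regex(p).match(queue)]
            if matches:  # most specific profile for this entity, then union
                result |= max(matches, key=lambda m: m[0])[1]
        return result

def demo():
    oam = Oam({"MQUSER": {"mqusr1", "mqusr2"}, "MQREADONLY": set()})
    oam.setmqaut("APP.**", "MQUSER", "+put", "+get", "+browse", "+dsp")
    oam.setmqaut("APP.Q1", "mqusr2", "-all", "+get", "+browse")  # the post's attempt
    attempt = oam.effective("mqusr2", "APP.Q1")  # 'put' still arrives via MQUSER
    oam.members["MQUSER"].discard("mqusr2")      # group-based fix instead:
    oam.members["MQREADONLY"].add("mqusr2")      # a group that never had 'put'
    oam.setmqaut("APP.**", "MQREADONLY", "+get", "+browse", "+dsp")
    return "put" in attempt, "put" in oam.effective("mqusr2", "APP.Q1")
```

demo() returns (True, False): the principal-level -all +get +browse leaves put in place, while moving mqusr2 to a group without put removes it.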