| Author |
Message
|
| saurabh25281 |
 Posted: Sun Mar 31, 2019 2:11 pm Post subject: LDAP Configurations |
 |
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
Hi All,
Can someone please provide some insights into such requirement. We use AD.
- We currently configure one LDAP search path for users/groups. Is it possible to specify more than one search-path (e.g. first search in the Europe-Domain and then in the Americas-Domain)?
- How does MQ react when an LDAP-Search for a given username returns more than one result, e.g. if the same username is present in two Domains?
Regards
Saurabh[/list] |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Sun Mar 31, 2019 2:47 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
|
| Back to top |
|
|
| saurabh25281 |
| Posted: Mon Apr 01, 2019 1:31 am Post subject: |
|
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
| Quote: |
| Try visiting Google. Search for "define ldap IBM MQ" or similar. |
I did not find anything specific to my usecase.
| Quote: |
| You can specify more than one LDAP server in the CONNAME |
We already have a list of LDAP servers configured. But this is not what I was looking for.
1. Is it possible to specify more than one search-path (domain), (e.g. first search in the Europe-Domain and then in the Americas-Domain)?
2. What happens when the search returns multiple results for the same user.
Regards
Saurabh |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon Apr 01, 2019 4:16 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| saurabh25281 wrote: |
| 1. Is it possible to specify more than one search-path (domain), (e.g. first search in the Europe-Domain and then in the Americas-Domain)? |
At a worst case, you perform 2 LDAP checks. I don't believe there's a best case, but someone may know better than me.
| saurabh25281 wrote: |
| 2. What happens when the search returns multiple results for the same user. |
Same thing as happens for any LDAP search - whatever you've defined. In most cases (where nothing is defined) the result is either an error or an undefined result.
A better question is how do you get results from multiple domains from a single LDAP query and why do you LDAP administrators allow this?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Apr 01, 2019 10:28 pm Post subject: Re: LDAP Configurations |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| saurabh25281 wrote: |
| We currently configure one LDAP search path for users/groups. Is it possible to specify more than one search-path (e.g. first search in the Europe-Domain and then in the Americas-Domain)? |
The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths, they are simply a redundancy, if the first server is not available, then it will try the second.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| saurabh25281 |
| Posted: Tue Apr 02, 2019 10:57 pm Post subject: |
|
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
| Quote: |
| At a worst case, you perform 2 LDAP checks. |
How do I perform 2 LDAP checks? The LDAP servers we have are in primary/secondary configuration to add redundancy. I am confused about 2 LDAP checks also because, I can only configure a single CONNAUTH configuration.
| Quote: |
| In most cases (where nothing is defined) the result is either an error or an undefined result. |
In our case there would be multiple search results, so search returning nothing was not my question. So answer I am expecting is how does MQ evaluate the search result? Does it stop the search after the 1st match is found?
| Quote: |
A better question is how do you get results from multiple domains from a single LDAP query and why do you LDAP administrators allow this?
|
This is allowed because uniqueness of a user (sAMAccountName) is allowed only at geographic (EUROPE, AMERICAS) domain level. At a global level same user can exist in multiple domains. Point to be noted here is that uniqueness is referred by the searching attribute sAMAccountName rather than the DN (which will remain unique even at global level).
| Quote: |
| The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths, they are simply a redundancy, if the first server is not available, then it will try the second. |
Agreed. This is how our LDAP is configured. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Apr 03, 2019 4:57 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| saurabh25281 wrote: |
| Quote: |
| At a worst case, you perform 2 LDAP checks. |
How do I perform 2 LDAP checks? The LDAP servers we have are in primary/secondary configuration to add redundancy. I am confused about 2 LDAP checks also because, I can only configure a single CONNAUTH configuration. |
Must have hit my head on your post; thought you were asking about IIB! 
Of course you can't do 2 LDAP checks from MQ. I'm talking crazy. More so than normal. Moving on...
| saurabh25281 wrote: |
| Quote: |
| The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths, they are simply a redundancy, if the first server is not available, then it will try the second. |
Agreed. This is how our LDAP is configured. |
So MQ will attempt to connect to the first server in the list, and if the connection is successful it performs the search and ignores the second.
So your situation is that it will connect to (let's say) the Europe LDAP server and will retrieve sAMAAccountName twice, once from each of the EUROPE and AMERICAS domains but with 2 different DN.
Again, ask your LDAP admins what the expected resolution of this should be. MQ doesn't do anything unusual in terms of an LDAP query so everything that uses your LDAP setup has the same problem and hence your admins must have guidelines on how to resolve it.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| saurabh25281 |
| Posted: Wed Apr 03, 2019 10:53 pm Post subject: |
|
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
| Quote: |
So your situation is that it will connect to (let's say) the Europe LDAP server and will retrieve sAMAAccountName twice, once from each of the EUROPE and AMERICAS domains but with 2 different DN.
Again, ask your LDAP admins what the expected resolution of this should be. MQ doesn't do anything unusual in terms of an LDAP query so everything that uses your LDAP setup has the same problem and hence your admins must have guidelines on how to resolve it. |
Agreed that the LDAP search would return multiple results and that ends the role of LDAP server.
1. How does MQ, now handle the multiple search result? Does it authenticate a user on the 1st result and ignore the subsequent results? I am not sure how LDAP admin can answer how MQ handles the search results.
2. Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question. |
|
| Back to top |
|
|
| hughson |
| Posted: Wed Apr 03, 2019 11:36 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| saurabh25281 wrote: |
| Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question. |
The multiple connames of LDAP servers that you can configure in MQ are only for redundancy not for multiple search paths. Sorry that my previous attempt to answer this for you was not clear.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| markt |
| Posted: Wed Apr 03, 2019 11:53 pm Post subject: |
|
|
Knight
Joined: 14 May 2002
Posts: 508
|
| If a query returns multiple responses, that is treated (and logged) by MQ as an error. |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Apr 04, 2019 4:57 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| saurabh25281 wrote: |
| 1. How does MQ, now handle the multiple search result? Does it authenticate a user on the 1st result and ignore the subsequent results? I am not sure how LDAP admin can answer how MQ handles the search results. |
Please see the response from my worthy associate. My point was that many products / LDAP libraries / etc. react the same way to multiple responses so your LDAP admins may have encountered this situation before and have guidance for you.
| saurabh25281 wrote: |
| 2. Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question. |
You should assume that.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
