MQSeries.net Forum Index » General IBM MQ Support » setmqaut for full admin access

Post new topic  Reply to topic Goto page Previous  1, 2
 setmqaut for full admin access « View previous topic :: View next topic » 
Author Message
rujova
PostPosted: Tue Apr 16, 2019 9:38 am

belchman wrote:
I have 4 mq groups in descending order of MQ OAM auth

1) g.cmmqd_1.mqm
2) g.cmmqd_1.mqmpusr
3) g.cmmqd_1.mqmusr
4) g.cmmqd_1.mqmmon

My ID is in all 3. It was my brilliant way of thinking I could test. I think (cough) I was wrong headed in that decision.


@belchman are those nested groups? In our case, if a user is a member of a group that is itself a member of another group, LDAP validation begins to fail.

What about trying the MCA property for the channel instead of user/password authentication at MQE connection?

I am curious about the MQ Version that you are using. Is it 9.1.x?
_________________
Looking Forward,

Rujova
hughson
PostPosted: Wed Apr 17, 2019 12:23 am

belchman wrote:
2) The breakdown is due to how I am interfacing MQ Explorer. I am using the Connection Properties function on MQ Explorer 9 and have my ID in the ID field. Maybe I need something close to what is in LDAP.

Could you say a little more about this please? What do you expect to happen to 'MyID' when you enter it in the Connection Properties function on MQ Explorer? Do you expect it to become the running MCAUSER for the SVRCONN? Have you checked that it is?

What do you mean by "something close to what is in LDAP"? Is 'MyID' not an LDAP user in your LDAP group 'g.CMMQD_1.mqm'?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
belchman
PostPosted: Wed Apr 17, 2019 3:36 am

Morag,

Say my ID is myID in the LDAP and myID is in the LDAP group g.qmgrname.mqm.

I have granted the group g.qmgrname.mqm access to everything I have specified.

In the MQ Explorer connection properties, I have checked Enable User Identification, entered myID into the UserID field and selected Prompt for Password.

So what I expect to happen is when I get to the queue manager, MQ looks up myID in the LDAP and says myID is in the g.qmgrname.mqm group and affords me the access allowed to that group.

By "something close to what is in LDAP" I mean that perhaps, rather than just using the value myID in MQ Explorer, I need something more like "UID=myID,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com".
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
belchman
PostPosted: Wed Apr 17, 2019 3:41 am

Rujova,

I do not plan on making them nested. I plan on making the mqm group a superset of all of them plus MQ total admin. The group pusr is a power user and will be a superset of mon, usr and some admin tasks. The group usr is where app IDs go and some human IDs. The mon group is for monitoring.

I am modeling this after WebsphereAS admin, configurator, operator, etc. roles.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
hughson
PostPosted: Wed Apr 17, 2019 3:56 am

belchman wrote:
Morag,

Say my ID is myID in the LDAP and myID is in the LDAP group g.qmgrname.mqm.

I have granted the group g.qmgrname.mqm access to everything I have specified.

In the MQ Explorer connection properties, I have checked Enable User Identification, entered myID into the UserID field and selected Prompt for Password.

So what I expect to happen is when I get to the queue manager, MQ looks up myID in the LDAP and says myID is in the g.qmgrname.mqm group and affords me the access allowed to that group.

By "something close to what is in LDAP" I mean that perhaps, rather than just using the value myID in MQ Explorer, I need something more like "UID=myID,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com".

So you have Connection Authentication configured on your queue manager, with AdoptCtx set to Yes? Can you show us the configuration for that? Also, you omitted to answer my question about the MCAUSER. Have you checked what ends up in there, because the MCAUSER of the running SVRCONN is the authority under which your client application will be running. You can see this using the DISPLAY CHSTATUS command.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
belchman
PostPosted: Wed Apr 17, 2019 4:10 am

I currently have chlauth disabled until I get LDAP working. Then I will get chlauth going.

Quote:
AMQ8408I: Display Queue Manager details.
QMNAME(CMMQD_1) ACCTCONO(DISABLED)
ACCTINT(1800) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(DISABLED) ALTDATE(2019-03-29)
ALTTIME(14.32.1 AMQPCAP(YES)
AUTHOREV(DISABLED) CCSID(1208)
CERTLABL(ibmwebspheremqcmmqd_1) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(DISABLED)
CHADEXIT( ) CHLEV(DISABLED)
CHLAUTH(DISABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(911)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(DISABLED)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
CRDATE(2019-03-14) CRTIME(08.03.5
CUSTOM( ) DEADQ( )
DEFCLXQ(SCTQ) DEFXMITQ( )
DESCR( ) DISTL(YES)
IMGINTVL(60) IMGLOGLN(OFF)
IMGRCOVO(YES) IMGRCOVQ(YES)
IMGSCHED(MANUAL) INHIBTEV(DISABLED)
IPADDRV(IPV4) LOCALEV(DISABLED)
LOGGEREV(DISABLED) MARKINT(5000)
MAXHANDS(256) MAXMSGL(4194304)
MAXPROPL(NOLIMIT) MAXPRTY(9)
MAXUMSGS(10000) MONACLS(QMGR)
MONCHL(OFF) MONQ(OFF)
PARENT( ) PERFMEV(DISABLED)
PLATFORM(UNIX) PSMODE(ENABLED)
PSCLUS(ENABLED) PSNPMSG(DISCARD)
PSNPRES(NORMAL) PSRTYCNT(5)
PSSYNCPT(IFPER) QMID(CMMQD_1_2019-03-14_08.03.5
REMOTEEV(DISABLED) REPOS( )
REPOSNL( ) REVDNS(ENABLED)
ROUTEREC(MSG) SCHINIT(QMGR)
SCMDSERV(QMGR) SPLCAP(DISABLED)
SSLCRLNL( ) SSLCRYP( )
SSLEV(DISABLED) SSLFIPS(NO)
SSLKEYR(/var/mqm/qmgrs/CMMQD_1/ssl/CMMQD_1)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(09010100)
XRCAP(NO)


Quote:
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
AUTHTYPE(IDPWLDAP) ADOPTCTX(YES)
DESCR( ) CONNAME(foo.bar.com(636))
CHCKCLNT(NONE) CHCKLOCL(OPTIONAL)
CLASSGRP(GROUPOFUNIQUENAMES) CLASSUSR( )
FAILDLAY(1) FINDGRP(UNIQUEMEMBER)
BASEDNG(ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com)
BASEDNU(ou=b2e,dc=test53,dc=com)
LDAPUSER(UID=s.MQBind.NonProd,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com)
LDAPPWD(********************************)
SHORTUSR(UID) GRPFIELD(CN)
USRFIELD( ) AUTHORMD(SEARCHGRP)
NESTGRP(NO) SECCOMM(YES)
ALTDATE(2019-03-1 ALTTIME(09.46.02)

_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
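Morag's two checks (the CONNAUTH/ADOPTCTX configuration, and the MCAUSER of the running SVRCONN from DISPLAY CHSTATUS rather than DISPLAY CHANNEL) applied to displays of the shape belchman posted, as a small audit script. This is an added example, not code from the thread or from IBM MQ; it assumes runmqsc output captured as text, and ldap.example.test, the SVRCONN name and the user id myID are placeholders.

```python
import re

# Added example, not code from the thread or from IBM MQ: parses the text that
# runmqsc prints for DISPLAY QMGR / AUTHINFO / CHSTATUS and flags the settings
# discussed above. Samples are constructed; host name and user id are placeholders.
_ATTR = re.compile(r'[A-Z][A-Z0-9]*\(')

def parse_mqsc(text):
    """Turn 'ATTR(value) ATTR(value) ...' display output into a dict. Values can
    hold brackets of their own (CONNAME(host(636)), an LDAP DN), so the closing
    bracket is found by depth counting; bare keywords like SYNCPT are skipped."""
    attrs, i = {}, 0
    while (m := _ATTR.search(text, i)):
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {'(': 1, ')': -1}.get(text[j], 0)
            j += 1
        attrs[m.group()[:-1]] = text[m.end():j - 1].strip()
        i = j
    return attrs

def review(qmgr, authinfo, chstatus, expected_user):
    """Return (attribute, finding) pairs for the weak spots raised in the thread:
    CHLAUTH off, no client password check, context not adopted, and a running
    SVRCONN whose MCAUSER is not the LDAP user you meant to authorise."""
    findings = []
    if qmgr.get('CHLAUTH') != 'ENABLED':
        findings.append(('CHLAUTH', 'channel authentication records are disabled'))
    if authinfo.get('CHCKCLNT', 'NONE') == 'NONE':
        findings.append(('CHCKCLNT', 'client user id and password are not checked'))
    if authinfo.get('ADOPTCTX') != 'YES':
        findings.append(('ADOPTCTX', 'authenticated user id is not adopted as MCAUSER'))
    running = chstatus.get('MCAUSER', '')
    if running != expected_user:
        findings.append(('MCAUSER', f'running SVRCONN MCAUSER is {running!r}, '
                                    f'not {expected_user!r}'))
    return findings

# Constructed samples, abridged from the shape of the output posted above.
QMGR_SAMPLE = """AMQ8408I: Display Queue Manager details.
   QMNAME(CMMQD_1)  CHLAUTH(DISABLED)  DESCR( )  SYNCPT
   CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)  SSLKEYR(/var/mqm/qmgrs/CMMQD_1/ssl/CMMQD_1)"""
AUTHINFO_SAMPLE = """AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)  AUTHTYPE(IDPWLDAP)  ADOPTCTX(YES)
   CONNAME(ldap.example.test(636))  CHCKCLNT(NONE)  CHCKLOCL(OPTIONAL)
   BASEDNG(ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com)  LDAPPWD(********)"""
CHSTATUS_SAMPLE = """AMQ8417I: Display Channel Status details.
   CHANNEL(CMMQD_1.SVRCONN)  CHLTYPE(SVRCONN)  STATUS(RUNNING)  MCAUSER(myID)"""
```

Against the samples, review(parse_mqsc(QMGR_SAMPLE), parse_mqsc(AUTHINFO_SAMPLE), parse_mqsc(CHSTATUS_SAMPLE), 'myID') reports CHLAUTH and CHCKCLNT; feed it the saved output of the three DISPLAY commands to check a real queue manager.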
belchman
PostPosted: Wed Apr 17, 2019 4:12 am

mcauser on the channel is null
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
hughson
PostPosted: Wed Apr 17, 2019 4:41 am

Actually I asked about Connection Authentication (that is user id and password checking) and not Channel Authentication.

Also, are you really saying that DISPLAY CHSTATUS(name) MCAUSER is null? Are you sure you are not looking at DISPLAY CHANNEL?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
belchman
PostPosted: Wed Apr 17, 2019 5:02 am

Mea Culpa

I appreciate all of the attention but I figured out the problem. It was my inability to read our tool that tells me if my LDAP request was completed properly.

When I said the myID was in the LDAP group g.CMMQD_1.mqm, I was ww, I was wwrr... I was incorrect

What I was seeing was that my request was in the approval flow. It was not approved yet so I did not have access yet.

Now that I know the request is complete and that myID was in the LDAP group g.CMMQD_1.mqm (and no other groups), it works.

All, especially Morag!, thanks a lot.

I really appreciate the time you donated and am embarrassed by my wasting it with my mistake.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Vitor
PostPosted: Wed Apr 17, 2019 5:18 am

belchman wrote:
I was ww, I was wwrr... I was incorrect


I too often achieve high levels of negative accuracy.

I recommend blaming the poor workflow reporting of your LDAP tool.
_________________
Honesty is the best policy.
Insanity is the best defence.
belchman
PostPosted: Wed Apr 17, 2019 5:24 am

It is pretty poor but it did have a pretty blue field displayed that said REQUESTED. I did not see it. So I am mostly culpable.


_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Vitor
PostPosted: Wed Apr 17, 2019 5:39 am

belchman wrote:
It is pretty poor but it did have a pretty blue field displayed that said REQUESTED. I did not see it. So I am mostly culpable.


Classic mistake - allowing mere facts to cloud your defense. Deny everything.

Channel your inner manager.
_________________
Honesty is the best policy.
Insanity is the best defence.
PeterPotkay
PostPosted: Wed Apr 17, 2019 3:56 pm

Funny how often root cause analysis identifies the problem as occurring between your chair and your keyboard.
_________________
Peter Potkay
Keep Calm and MQ On