rujova
Posted: Tue Apr 16, 2019 9:38 am
Novice. Joined: 07 Jan 2015. Posts: 13.

belchman wrote:
I have 4 mq groups in descending order of MQ OAM auth
1) g.cmmqd_1.mqm
2) g.cmmqd_1.mqmpusr
3) g.cmmqd_1.mqmusr
4) g.cmmqd_1.mqmmon
My ID is in all 3. It was my brilliant way of thinking I could test. I think (cough) I was wrong-headed in that decision.

@belchman are those nested groups? In our case, if a user is a member of a group that is a member of another group, LDAP validation begins to fail.
What about trying the MCA property for the channel instead of user/password authentication at MQE connection?
I am curious about the MQ Version that you are using. Is it 9.1.x?
_________________
Looking Forward,
Rujova

hughson
Posted: Wed Apr 17, 2019 12:23 am
Padawan. Joined: 09 May 2013. Posts: 1959. Location: Bay of Plenty, New Zealand.

belchman wrote:
2) The breakdown is due to how I am interfacing MQ Explorer. I am using the Connection Properties function on MQ Explorer 9 and have my ID in the ID field. Maybe I need something close to what is in LDAP.

Could you say a little more about this please? What do you expect to happen to 'MyID' when you enter it in the Connection Properties function on MQ Explorer? Do you expect it to become the running MCAUSER for the SVRCONN? Have you checked that it is?
What do you mean by "something close to what is in LDAP"? Is 'MyID' not an LDAP user in your LDAP group 'g.CMMQD_1.mqm'?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

belchman
Posted: Wed Apr 17, 2019 3:36 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

Morag,
Say my ID is myID in the LDAP and myID is in the LDAP group g.qmgrname.mqm.
I have granted the group g.qmgrname.mqm access to everything I have specified.
In the MQ Explorer connection properties, I have checked Enable User Identification, entered myID into the UserID field and selected Prompt for Password.
So what I expect to happen is when I get to the queue manager, MQ looks up myID in the LDAP and says myID is in the g.qmgrname.mqm group and affords me the access allowed to that group.
By "something close to what is in LDAP" I mean that, rather than just using the value myID in MQ Explorer, I may need something more like "UID=myID,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com".
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter

belchman
Posted: Wed Apr 17, 2019 3:41 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

Rujova,
I do not plan on making them nested. I plan on making the mqm group a superset of all of them plus MQ total admin. The group pusr is a power user and will be a superset of mon, usr and some admin tasks. The group usr is where app IDs go and some human IDs. The mon group is for monitoring.
I am modeling this after WebsphereAS admin, configurator, operator, etc. roles.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter

hughson
Posted: Wed Apr 17, 2019 3:56 am
Padawan. Joined: 09 May 2013. Posts: 1959. Location: Bay of Plenty, New Zealand.

belchman wrote:
Morag,
Say my ID is myID in the LDAP and myID is in the LDAP group g.qmgrname.mqm.
I have granted the group g.qmgrname.mqm access to everything I have specified.
In the MQ Explorer connection properties, I have checked Enable User Identification, entered myID into the UserID field and selected Prompt for Password.
So what I expect to happen is when I get to the queue manager, MQ looks up myID in the LDAP and says myID is in the g.qmgrname.mqm group and affords me the access allowed to that group.
By "something close to what is in LDAP" I mean that, rather than just using the value myID in MQ Explorer, I may need something more like "UID=myID,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com".

So you have Connection Authentication configured on your queue manager, with AdoptCtx set to Yes? Can you show us the configuration for that? Also, you omitted to answer my question about the MCAUSER. Have you checked what ends up in there? The MCAUSER of the running SVRCONN is the authority under which your client application will be running. You can see this using the DISPLAY CHSTATUS command.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

belchman
Posted: Wed Apr 17, 2019 4:10 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

I currently have chlauth disabled until I get LDAP working. Then I will get chlauth going.
Quote:
AMQ8408I: Display Queue Manager details.
QMNAME(CMMQD_1) ACCTCONO(DISABLED)
ACCTINT(1800) ACCTMQI(OFF)
ACCTQ(OFF) ACTIVREC(MSG)
ACTVCONO(DISABLED) ACTVTRC(OFF)
ADVCAP(DISABLED) ALTDATE(2019-03-29)
ALTTIME(14.32.1 AMQPCAP(YES)
AUTHOREV(DISABLED) CCSID(1208)
CERTLABL(ibmwebspheremqcmmqd_1) CERTVPOL(ANY)
CHAD(DISABLED) CHADEV(DISABLED)
CHADEXIT( ) CHLEV(DISABLED)
CHLAUTH(DISABLED) CLWLDATA( )
CLWLEXIT( ) CLWLLEN(100)
CLWLMRUC(999999999) CLWLUSEQ(LOCAL)
CMDEV(DISABLED) CMDLEVEL(911)
COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE) CONFIGEV(DISABLED)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
CRDATE(2019-03-14) CRTIME(08.03.5
CUSTOM( ) DEADQ( )
DEFCLXQ(SCTQ) DEFXMITQ( )
DESCR( ) DISTL(YES)
IMGINTVL(60) IMGLOGLN(OFF)
IMGRCOVO(YES) IMGRCOVQ(YES)
IMGSCHED(MANUAL) INHIBTEV(DISABLED)
IPADDRV(IPV4) LOCALEV(DISABLED)
LOGGEREV(DISABLED) MARKINT(5000)
MAXHANDS(256) MAXMSGL(4194304)
MAXPROPL(NOLIMIT) MAXPRTY(9)
MAXUMSGS(10000) MONACLS(QMGR)
MONCHL(OFF) MONQ(OFF)
PARENT( ) PERFMEV(DISABLED)
PLATFORM(UNIX) PSMODE(ENABLED)
PSCLUS(ENABLED) PSNPMSG(DISCARD)
PSNPRES(NORMAL) PSRTYCNT(5)
PSSYNCPT(IFPER) QMID(CMMQD_1_2019-03-14_08.03.5
REMOTEEV(DISABLED) REPOS( )
REPOSNL( ) REVDNS(ENABLED)
ROUTEREC(MSG) SCHINIT(QMGR)
SCMDSERV(QMGR) SPLCAP(DISABLED)
SSLCRLNL( ) SSLCRYP( )
SSLEV(DISABLED) SSLFIPS(NO)
SSLKEYR(/var/mqm/qmgrs/CMMQD_1/ssl/CMMQD_1)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(09010100)
XRCAP(NO)

Quote:
AMQ8566I: Display authentication information details.
AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP)
AUTHTYPE(IDPWLDAP) ADOPTCTX(YES)
DESCR( ) CONNAME(foo.bar.com(636))
CHCKCLNT(NONE) CHCKLOCL(OPTIONAL)
CLASSGRP(GROUPOFUNIQUENAMES) CLASSUSR( )
FAILDLAY(1) FINDGRP(UNIQUEMEMBER)
BASEDNG(ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com)
BASEDNU(ou=b2e,dc=test53,dc=com)
LDAPUSER(UID=s.MQBind.NonProd,ou=MQSeries,ou=Apps,ou=B2E,dc=test,dc=com)
LDAPPWD(********************************)
SHORTUSR(UID) GRPFIELD(CN)
USRFIELD( ) AUTHORMD(SEARCHGRP)
NESTGRP(NO) SECCOMM(YES)
ALTDATE(2019-03-1 ALTTIME(09.46.02)

_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
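As an added aid (not from the thread and not an IBM tool), a small Python parser for runmqsc DISPLAY output like the two quoted blocks, which copes with the time fields cut off in the paste and flags the settings Morag asks about (ADOPTCTX, CHCKCLNT) plus the disabled CHLAUTH; the sample text and the wording of the findings are constructed.

```python
import re

# Constructed sample in the style of the DISPLAY QMGR / DISPLAY AUTHINFO output
# quoted in the thread, including a time field cut off the way it is there.
SAMPLE = """AMQ8408I: Display Queue Manager details.
QMNAME(CMMQD_1) CHLAUTH(DISABLED) CLWLDATA( )
ALTTIME(14.32.1 AMQPCAP(YES)
CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) SYNCPT
AMQ8566I: Display authentication information details.
AUTHTYPE(IDPWLDAP) ADOPTCTX(YES) CONNAME(foo.bar.com(636))
CHCKCLNT(NONE) CHCKLOCL(OPTIONAL)
"""
NAME = re.compile(r"\s*([^\s(]+)")                  # attribute name, leading blanks skipped
NEXT = re.compile(r"\s+(?=[A-Z][A-Z0-9]*\()")       # blank run before the next NAME( token

def parse_mqsc(text):
    """Parse runmqsc DISPLAY output into ({ATTR: value}, [attrs cut off at end of line])."""
    attrs, truncated = {}, []
    for line in text.splitlines():
        if line.startswith("AMQ"):                  # AMQnnnnI message lines carry no attributes
            continue
        i, n = 0, len(line)
        while (m := NAME.match(line, i)):
            name, j = m.group(1), m.end()
            if j == n or line[j] != "(":            # bare flag attribute such as SYNCPT
                attrs[name], i = True, j
                continue
            depth, k = 1, j + 1                     # values may nest, e.g. CONNAME(host(636))
            while k < n and depth:
                depth += {"(": 1, ")": -1}.get(line[k], 0)
                k += 1
            if depth:                               # no closing ')': the pasted line is cut off
                truncated.append(name)
                cut = NEXT.search(line, j + 1)      # resume at the next attribute, if any
                k = cut.start() if cut else n
                attrs[name], i = line[j + 1:k].strip(), k
            else:
                attrs[name], i = line[j + 1:k - 1].strip(), k
    return attrs, truncated

def connauth_findings(attrs):
    """Flag the settings the thread turns on (my wording, not an IBM check)."""
    weak = {("CHLAUTH", "DISABLED"): "channel authentication records are not evaluated",
            ("CHCKCLNT", "NONE"): "user ID and password checks are not made for client connections"}
    found = [f"{k}({v}): {msg}" for (k, v), msg in weak.items() if attrs.get(k) == v]
    if attrs.get("ADOPTCTX") != "YES":
        found.append("ADOPTCTX not YES: the authenticated user is not adopted as the connection context")
    return found
```

Paste the real output in place of SAMPLE; values that were cut off in the paste come back in the second return value so they are not mistaken for real settings.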

belchman
Posted: Wed Apr 17, 2019 4:12 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

MCAUSER on the channel is null
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter

hughson
Posted: Wed Apr 17, 2019 4:41 am
Padawan. Joined: 09 May 2013. Posts: 1959. Location: Bay of Plenty, New Zealand.

Actually I asked about Connection Authentication (that is, user ID and password checking) and not Channel Authentication.
Also, are you really saying that DISPLAY CHSTATUS(name) MCAUSER is null? Are you sure you are not looking at DISPLAY CHANNEL?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

belchman
Posted: Wed Apr 17, 2019 5:02 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

Mea Culpa
I appreciate all of the attention but I figured out the problem. It was my inability to read our tool that tells me if my LDAP request was completed properly.
When I said that myID was in the LDAP group g.CMMQD_1.mqm, I was ww, I was wwrr... I was incorrect.
What I was seeing was that my request was in the approval flow. It was not approved yet so I did not have access yet.
Now that I know the request is complete and that myID is in the LDAP group g.CMMQD_1.mqm (and no other groups), it works.
All, especially Morag!, thanks a lot.
I really appreciate the time you donated and am embarrassed by my wasting it with my mistake.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter

Vitor
Posted: Wed Apr 17, 2019 5:18 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA.

belchman wrote:
I was ww, I was wwrr... I was incorrect

I too often achieve high levels of negative accuracy.
I recommend blaming the poor workflow reporting of your LDAP tool.
_________________
Honesty is the best policy.
Insanity is the best defence.

belchman
Posted: Wed Apr 17, 2019 5:24 am
Partisan. Joined: 31 Mar 2006. Posts: 386. Location: Ohio, USA.

It is pretty poor but it did have a pretty blue field displayed that said REQUESTED. I did not see it. So I am mostly culpable.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter

Vitor
Posted: Wed Apr 17, 2019 5:39 am
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA.

belchman wrote:
It is pretty poor but it did have a pretty blue field displayed that said REQUESTED. I did not see it. So I am mostly culpable.

Classic mistake - allowing mere facts to cloud your defense. Deny everything.
Channel your inner manager.
_________________
Honesty is the best policy.
Insanity is the best defence.

PeterPotkay
Posted: Wed Apr 17, 2019 3:56 pm
Poobah. Joined: 15 May 2001. Posts: 7722.

Funny how often root cause analysis identifies the problem as occurring between your chair and your keyboard.
_________________
Peter Potkay
Keep Calm and MQ On