QMgr authentication via LDAP (IDPWLDAP)

HubertKleinmanns
Posted: Thu Aug 22, 2019 7:26 am Post subject: QMgr authentication via LDAP (IDPWLDAP)
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany

Hi all,
I've set up an LDAP connection for my QMgr:
Code:
DEFINE AUTHINFO(LDAP.AUTHENTICATION) +
AUTHTYPE(IDPWLDAP) +
ADOPTCTX(NO) +
CONNAME('ldap-server(636)') +
CLASSGRP( ) +
CLASSUSR( ) +
FINDGRP('member') +
BASEDNG('cn=group,cn=mq,cn=...') +
BASEDNU('cn=user,cn=mq,cn=,...') +
LDAPUSER('cn=bindusr,cn=...') +
LDAPPWD('*******************') +
SHORTUSR('uid') +
GRPFIELD('cn') +
USRFIELD('uid') +
AUTHORMD(SEARCHGRP) +
NESTGRP(NO) +
SECCOMM(YES) +
REPLACE
The LDAP connection itself was successful:
Quote:
dis qmstatus ldapconn
QMNAME(QMGR) STATUS(RUNNING)
LDAPCONN(CONNECTED)
I've now defined a user "mqusr" and a group "mqgrp" in LDAP; "mqusr" is a member of "mqgrp".
When I grant the group access to a queue, the user does not have access:
Code:
# dmpmqaut -m QMGR -t q -n MY.QUEUE
profile: MY.QUEUE
object type: queue
entity: cn=mqgrp,cn=group,cn=mq,cn=...
entity type: group
authority: put setall
# dspmqaut -m QMGR -t q -n MY.QUEUE -g cn=mqgrp,cn=group,cn=mq,cn=...
Entity cn=mqgrp,cn=group,cn=mq,cn=... has the following authorizations for object MY.QUEUE:
put
setall
# dspmqaut -m QMGR -t q -n MY.QUEUE -p cn=mqgrp,cn=group,cn=mq,cn=...
AMQ7026E: A principal or group name was invalid.
# dspmqaut -m QMGR -t q -n MY.QUEUE -p uid=mqusr,cn=user,cn=mq,cn=...
Entity uid=mqusr,cn=user,cn=mq,cn=... has the following authorizations for object MY.QUEUE:

When I permit the user to another queue, the user has access:
Code:
profile: MY.SECOND.QUEUE
object type: queue
entity: uid=mqusr,cn=user,cn=mq,cn=...
entity type: principal
authority: put setall
# dspmqaut -m QMGR -t q -n MY.SECOND.QUEUE -p uid=mquser,cn=user,cn=mq,cn=...
Entity uid=mquser,cn=user,cn=mq,cn=... has the following authorizations for object MY.SECOND.QUEUE:
put
setall
It seems that the QMgr is not able to recognize that the user "mqusr" is a member of the group "mqgrp".
This is my user definition in LDAP:
Code:
uid=mquser
uidnumber=12345
cn=mqusr
objectClass=person
objectClass=posixAccount
gidnumber=54321
sn=mqusr
And this is my group definition in LDAP:
Code:
cn=mqgrp
gidnumber=54321
memberuid=mqusr
objectClass=groupOfNames
objectClass=posixGroup
member=uid=mqusr,cn=user,cn=mq,cn=...
How can I configure the LDAP connection so that the QMgr will be able to recognize which users belong to a specific group?
Regards
Hubert

markt
Posted: Thu Aug 22, 2019 8:19 am Post subject:
Knight
Joined: 14 May 2002 Posts: 508

did you do REFRESH SECURITY at any stage?

HubertKleinmanns
Posted: Thu Aug 22, 2019 9:46 pm Post subject:

markt wrote:
did you do REFRESH SECURITY at any stage?
We did "REFRESH SECURITY" and "REFRESH SECURITY TYPE(CONNAUTH)" at any stage.
Regards
Hubert

HubertKleinmanns
Posted: Thu Aug 22, 2019 11:33 pm Post subject:

Hi all,
sometimes RTFM is helpful. I found the following statement:
----------------------------------------
When LDAP authorization is in place, the queue manager always uses the user model of security on UNIX platforms, regardless of the SecurityPolicy attribute in the qm.ini file. So, setting permissions for an individual user affects only that user, and not anyone else who belongs to any of that user's groups.
----------------------------------------
Setting the value of AUTHORMD to SEARCHGRP or SEARCHUSR activates LDAP authorization.
So everything works as designed.
Regards
Hubert

marxgp
Posted: Mon Aug 26, 2019 10:23 pm Post subject:
Newbie
Joined: 19 Aug 2019 Posts: 3

HubertKleinmanns
Posted: Tue Aug 27, 2019 1:12 am Post subject:

Group authorization works now for me too. I had the trouble that the QMgr could not resolve the user to a group; I don't know why. A colleague re-created all definitions and now it works.
We are running version 9.1, and there is a new value for "AUTHORMD" named "SRCHGRPSN". The advantage is that you may now grant a user by short name (e.g. "setmqaut -m <QMgr> ... -p username") instead of by LDAP DN ("setmqaut -m <QMgr> ... -p uid=username,cn=user,...").
Regards
Hubert
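The first post pairs AUTHORMD(SEARCHGRP) with FINDGRP('member') (group entries carry the user's full DN), and this post introduces AUTHORMD(SRCHGRPSN) (group entries carry the short user name). The Python below is an added illustrative model, not IBM MQ code and not anything from the thread's authors: it shows how the AUTHINFO attributes BASEDNU, BASEDNG, USRFIELD, SHORTUSR, FINDGRP, FINDUSR and AUTHORMD select group entries, and why SRCHGRPSN finds nothing when FINDGRP still names a DN-valued attribute such as member. The directory entries (DIRECTORY), the OAM-style ACL, the o=example suffix standing in for the truncated cn=... in the thread, the memberOf attribute used for SEARCHUSR, and all function names are constructed for this example; the matching rules are a simplification of the documented attribute semantics, not the queue manager's actual search logic.

```python
"""Toy model of LDAP group resolution under the MQ AUTHORMD setting.
Added example, not IBM MQ code. All data below is constructed."""

# Constructed directory, modelled on the thread's entries (uid kept as 'mqusr').
DIRECTORY = {
    "uid=mqusr,cn=user,cn=mq,o=example": {
        "uid": ["mqusr"],
        "cn": ["mqusr"],
        "objectClass": ["person", "posixAccount"],
        "memberOf": ["cn=mqgrp,cn=group,cn=mq,o=example"],  # hypothetical, for SEARCHUSR
    },
    "cn=mqgrp,cn=group,cn=mq,o=example": {
        "cn": ["mqgrp"],
        "objectClass": ["groupOfNames", "posixGroup"],
        "member": ["uid=mqusr,cn=user,cn=mq,o=example"],  # full DN, matched by SEARCHGRP
        "memberUid": ["mqusr"],  # short name, matched by SRCHGRPSN
    },
}

# Constructed OAM-style ACL: authorities held by the group DN only, like the
# thread's dmpmqaut output for MY.QUEUE.
ACL = {"cn=mqgrp,cn=group,cn=mq,o=example": {"put", "setall"}}

# AUTHINFO values from the thread; FINDUSR is a hypothetical addition.
BASE_CFG = {
    "BASEDNU": "cn=user,cn=mq,o=example",
    "BASEDNG": "cn=group,cn=mq,o=example",
    "USRFIELD": "uid",
    "SHORTUSR": "uid",
    "FINDGRP": "member",
    "FINDUSR": "memberOf",
    "AUTHORMD": "SEARCHGRP",
}


def norm_dn(dn):
    """Normalise a DN for comparison: case-folded, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def under(dn, base_dn):
    """True when dn lies beneath base_dn in the directory tree."""
    return norm_dn(dn).endswith("," + norm_dn(base_dn))


def attr(entry, name):
    """LDAP attribute names are case-insensitive; look one up accordingly."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def resolve_user_dn(cfg, short_name, directory=DIRECTORY):
    """Map a short user name to its DN by searching BASEDNU on USRFIELD."""
    for dn, entry in directory.items():
        if under(dn, cfg["BASEDNU"]) and short_name in attr(entry, cfg["USRFIELD"]):
            return dn
    return None


def groups_for_user(cfg, user_dn, directory=DIRECTORY):
    """Normalised DNs of the groups user_dn belongs to, according to AUTHORMD."""
    user = directory[user_dn]
    method = cfg["AUTHORMD"]
    if method == "SEARCHUSR":
        # Membership is read from an attribute on the user entry (FINDUSR).
        return {norm_dn(g) for g in attr(user, cfg["FINDUSR"])}
    if method == "SEARCHGRP":
        # Group entries under BASEDNG whose FINDGRP attribute holds the user's DN.
        wanted = {norm_dn(user_dn)}
        matches = lambda value: norm_dn(value) in wanted
    elif method == "SRCHGRPSN":
        # Same search, but FINDGRP must hold the SHORTUSR value, so it has to
        # name an attribute such as memberUid; 'member' (DNs) never matches.
        wanted = set(attr(user, cfg["SHORTUSR"]))
        matches = lambda value: value in wanted
    else:
        raise ValueError(f"unknown AUTHORMD {method!r}")
    return {
        norm_dn(dn)
        for dn, entry in directory.items()
        if under(dn, cfg["BASEDNG"]) and any(matches(v) for v in attr(entry, cfg["FINDGRP"]))
    }


def authorities(cfg, short_name, acl=ACL, directory=DIRECTORY):
    """Authorities a short user name ends up with: own ACL entry plus its groups'."""
    user_dn = resolve_user_dn(cfg, short_name, directory)
    if user_dn is None:
        return set()
    acl = {norm_dn(k): set(v) for k, v in acl.items()}
    granted = set(acl.get(norm_dn(user_dn), ()))
    for group in groups_for_user(cfg, user_dn, directory):
        granted |= acl.get(group, set())
    return granted


if __name__ == "__main__":
    for method, findgrp in (("SEARCHGRP", "member"), ("SRCHGRPSN", "member"),
                            ("SRCHGRPSN", "memberUid"), ("SEARCHUSR", "member")):
        cfg = dict(BASE_CFG, AUTHORMD=method, FINDGRP=findgrp)
        print(f"{method:9} FINDGRP({findgrp}) -> {sorted(authorities(cfg, 'mqusr'))}")
```

Running it shows the combination that bit this thread's setup: SEARCHGRP with FINDGRP('member') and SRCHGRPSN with FINDGRP('memberUid') both resolve mqusr to mqgrp and yield put and setall, while SRCHGRPSN with FINDGRP('member') resolves no group at all, so the user gets nothing even though the group holds the authorities. When changing AUTHORMD, check FINDGRP against the attribute the group entries actually carry before assuming the grant itself is wrong.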
marxgp
Posted: Tue Aug 27, 2019 4:32 am Post subject:

I was able to grant access via the short name with AUTHORMD(SEARCHGRP). I guess it all depends on how your LDAP setup is.

HubertKleinmanns
Posted: Tue Aug 27, 2019 6:04 am Post subject:

marxgp wrote:
I was able to grant access via the short name with AUTHORMD(SEARCHGRP). I guess it all depends on how your LDAP setup is.
Correct - and Active Directory is another variant.
Regards
Hubert