ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportQMgr authentication via LDAP (IDPWLDAP)

Post new topicReply to topic
QMgr authentication via LDAP (IDPWLDAP) View previous topic :: View next topic
Author Message
HubertKleinmanns
PostPosted: Thu Aug 22, 2019 7:26 am Post subject: QMgr authentication via LDAP (IDPWLDAP) Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

Hi all,

I've set up a LDAP connection for my QMgr:

Code:
DEFINE AUTHINFO(LDAP.AUTHENTICATION) +
   AUTHTYPE(IDPWLDAP) +
   ADOPTCTX(NO) +
   CONNAME('ldap-server(636)')  +
   CLASSGRP( )
   CLASSUSR( )  +
   FINDGRP('member') +
   BASEDNG('cn=group,cn=mq,cn=...') +
   BASEDNU('cn=user,cn=mq,cn=,...') +
   LDAPUSER('cn=bindusr,cn=...') +
   LDAPPWD('*******************') +
   SHORTUSR('uid')  +
   GRPFIELD('cn') +
   USRFIELD('uid') +
   AUTHORMD(SEARCHGRP) +
   NESTGRP(NO) +
   SECCOMM(YES) +
   REPLACE


The LDAP connection itself was successful:

Quote:
dis qmstatus ldapconn
QMNAME(QMGR) STATUS(RUNNING)
LDAPCONN(CONNECTED)


I've now defined an user "mqusr" and a group "mqgrp" in LDAP, "mqusr" is a member of "mqgrp".

When I permit the group to a Queue, the user does not have access:

Code:
# dmpmqaut -m QMGR -t q -n MY.QUEUE
profile:     MY.QUEUE
object type: queue
entity:      cn=mqgrp,cn=group,cn=mq,cn=...
entity type: group
authority:   put setall

# dspmqaut -m QMGR -t q -n MY.QUEUE -g cn=mqgrp,cn=group,cn=mq,cn=...
Entity cn=mqgrp,cn=group,cn=mq,cn=...E has the following authorizations for object MY.QUEUE:
        put
        setall

# dspmqaut -m QMGR -t q -n MY.QUEUE -p cn=mqgrp,cn=group,cn=mq,cn=...
AMQ7026E: A principal or group name was invalid.

# dspmqaut -m QMGR -t q -n MY.QUEUE -p uid=mqusr,cn=user,cn=mq,cn=...
Entity uid=mqusr,cn=user,cn=mq,cn=... has the following authorizations for object MY.QUEUE:


When I permit the user to another queue, the user has access:

Code:
profile:     MY.SECOND.QUEUE
object type: queue
entity:      uid=mqusr,cn=user,cn=mq,cn=...
entity type: principal
authority:   put setall

# dspmqaut -m QMGR -t q -n MY.SECOND.QUEUE -p uid=mquser,cn=user,cn=mq,cn=...
Entity uid=mquser,cn=user,cn=mq,cn=... has the following authorizations for object MY.SECOND.QUEUE:
        put
        setall


It seems, that the QMgr is not able to recognize, that the user "mqusr" is a member of the group "mqgrp".

This is my user definition in LDAP:

Code:
uid=mquser
uidnumber=12345
cn=mqusr
objectClass=person
objectClass=posixAccount
gidnumber=54321
sn=mqusr


And this is my group definition in LDAP:

Code:
cn=mqgrp
gidnumber=54321
memberuid=mqusr
objectClass=groupOfNames
objectClass=posixGroup
member=uid=mqusr,cn=user,cn=mq,cn=...


How can I configure the LDAP connection, so that the QMgr will be able to recognize, which users belong to a specific group?
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
markt
PostPosted: Thu Aug 22, 2019 8:19 am Post subject: Reply with quote

Chevalier

Joined: 14 May 2002
Posts: 427

did you do REFRESH SECURITY at any stage?
Back to top
View user's profile Send private message
HubertKleinmanns
PostPosted: Thu Aug 22, 2019 9:46 pm Post subject: Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

markt wrote:
did you do REFRESH SECURITY at any stage?


We did "REFRESH SECURITY" and "REFRESH SECURITY TYPE(CONNAUTH)" at any stage.
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
HubertKleinmanns
PostPosted: Thu Aug 22, 2019 11:33 pm Post subject: Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

Hi all,

sometimes RTFM is helpful. I found the following statement:

----------------------------------------
When LDAP authorization is in place, the queue manager always uses the user model of security on UNIX platforms, regardless of the SecurityPolicy attribute in the qm.ini file. So, setting permissions for an individual user affects only that user, and not anyone else who belongs to any of that user's groups.
----------------------------------------

Setting the value of AUTHORMD to SEARCHGRP or SEARCHUSR activates LDAP authorization .

So everything works as designed .
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
marxgp
PostPosted: Mon Aug 26, 2019 10:23 pm Post subject: Reply with quote

Newbie

Joined: 19 Aug 2019
Posts: 3

Hi

I was able to setup group security using LDAP. From the manual it states that when you connect to LDAP you always use the user model of security on UNIX platforms but also authorities given by any group the user belongs to. Please see this link.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q123450_.htm.
Please also see the following link about AUTHORMD.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.ref.adm.doc/q085490_.htm
When i used SEARCHUSR it did not pick up that a user was part of the group but when I used SEARCHGRP it did pick up authorities given to the group the user belonged to.
I think it depends on you LDAP server setup.

Hope this helps.
Marco
Back to top
View user's profile Send private message
HubertKleinmanns
PostPosted: Tue Aug 27, 2019 1:12 am Post subject: Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

Group authorization works now for me too. I had the trouble, that the QMgr could not resolve the user to a Group - don't know why. A colleague re-created all definitions and now it works.

We are running with version 9.1 and there is a new value for "AUTHORMD" named "SRCHGRPSN". The advantage is, that you now may grant a user with the short name (e. g. "setmqaut -m <QMgr> ... -p username") instead of LDAP DN ("setmqaut -m <QMgr> ... -p uid=username,cn=user,..."
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
marxgp
PostPosted: Tue Aug 27, 2019 4:32 am Post subject: Reply with quote

Newbie

Joined: 19 Aug 2019
Posts: 3

I was able to do grant access via the shortname with AUTHORMD(SEARCHGRP). I guess it all depends on how your LDAP setup is.
Back to top
View user's profile Send private message
HubertKleinmanns
PostPosted: Tue Aug 27, 2019 6:04 am Post subject: Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

marxgp wrote:
I was able to do grant access via the shortname with AUTHORMD(SEARCHGRP). I guess it all depends on how your LDAP setup is.


Correct - and Active Directory is another variant.
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportQMgr authentication via LDAP (IDPWLDAP)
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.