ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral IBM MQ SupportQuestion on Active Directory setup

Post new topicReply to topic
Question on Active Directory setup View previous topic :: View next topic
Author Message
crashdog
PostPosted: Mon Jan 11, 2021 9:59 am Post subject: Question on Active Directory setup Reply with quote

Acolyte

Joined: 02 Apr 2017
Posts: 72

Hello,
I've setup a connection from MQ to a Active Directory (LDAP) server. I can set authority records for my AD users and for AD groups. Now I'm looking for a way to verify that MQ can resolve who is member of a group. When I authorize a group that I'm supposed the be member of it does not appear to have any impact.
For example I created following auth records:
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(DSP)
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(INQ)
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(PUT)

Now, I've connected to the queue manager using MQExplorer and I've set some auth records specifically for my (AD) user which works (otherwise I would not be able to connect to the queue manager). However the group authorizations do not appear to have any impact on my user. But I can not find a way to verify whether MQ can resolve the members or if there is another issue that prevents the user from displaying TEST.TO.TEST.QUEUE1.

Actually I created a TEST.TO.TEST.QUEUE2 and authorized my user (principal) directly and it can display that queue. So I ques my question now is how can I find out why users of a group are not resolved correctly ? AMQERR01.LOG does not show any errors. MQ version is 9.2 I've set NESTGRP(YES) according to the AD admin the groups are nested. I know there are some limitations in MQ with nested groups. But I haven't really seen what limitations that are.

Edit: Actually I need to be more precise. There are a lot of errors in AMQERR01 but none that relates to AD. Most errors are just about my user missing authorization for this and that.


Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Jan 11, 2021 2:23 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20436
Location: LI,NY

IIRC nesting with groups is a nono... So you should have groups that have only members. Exceptions nesting one level if the group is a member of the local mqm group...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
crashdog
PostPosted: Tue Jan 12, 2021 5:53 am Post subject: Reply with quote

Acolyte

Joined: 02 Apr 2017
Posts: 72

Problem solved. It appears that nested groups work in MQ 9.2 though. I guess I have to read through the release notes more thoroughly to see when what changed...
The issue was that the users where not in the group on the AD server. Once the AD admin solved that, MQ could resolve the users in the groups.
The group nesting looks like:


Role (group)
^
|
Department (group)
^
|
User (mq admin)

Where the role is authorized by auth records. None of the groups are member of mqm or ad-mqm group.

Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral IBM MQ SupportQuestion on Active Directory setup
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.