AD / LDAP connection question (MQSeries.net, General IBM MQ Support)
crashdog (posted Mon Apr 05, 2021 5:25 am):
Hello,
I've just setup some new queue manager and ran into an issue that I don't fully understand. [ MQ Version 9.1.5.0 on RHEL 7.6 ]
I've created a group in AD called 'MQ-MD80-ADMINS' my user 'gerhard' is member of that group. Yet I get insufficient authority errors when trying to remote connect over an SVRCONN channel.
I use an encrypted channel with CCDT and KDB/JKS. There is an SSLPEERMAP that basically works. When I change the MCAUSER from 'gerhard' to 'mqm' I can connect to the qmgr.

What I've checked so far:
Code:
[mqm@mqhub1 errors]$ dmpmqaut -m MQHUBHA1 -t qmgr
profile:     self
object type: qmgr
entity:      CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch
entity type: group
authority:   connect dlt chg dsp ctrl

[EDIT:] See the missing inq permission for the group on the queue manager.

Ldapsearch result:
Code:
# Gerhard Gubler, Users, md80.ch
dn: CN=Gerhard Gubler,CN=Users,DC=md80,DC=ch
employeeID: gerhard
memberOf: CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch


Code:
dis authinfo(MD80LDAP)
     1 : dis authinfo(MD80LDAP)
AMQ8566I: Display authentication information details.
   AUTHINFO(MD80LDAP)                      AUTHTYPE(IDPWLDAP)
   ADOPTCTX(YES)                           DESCR( )
   CONNAME(192.168.178.46)                 CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      CLASSGRP(GROUP)
   CLASSUSR(USER)                          FAILDLAY(1)
   FINDGRP(member)                         BASEDNG(CN=Users,DC=md80,DC=ch)
   BASEDNU(CN=Users,DC=md80,DC=ch)
   LDAPUSER(CN=mqldapprd,CN=Users,DC=md80,DC=ch)
   LDAPPWD(********************************)
   SHORTUSR(employeeID)                    GRPFIELD(sAMAccountName)
   USRFIELD(sAMAccountName)                AUTHORMD(SEARCHGRP)
   NESTGRP(YES)                            SECCOMM(NO)
   ALTDATE(2021-04-05)                     ALTTIME(15.09.39)


sAMAccountName appears to be correct for user and group:
Code:

sAMAccountName: MQ-MD80-ADMINS
sAMAccountName: gerhard


This is only a lab setup, so no sensitive data here...

From how I see it 'gerhard' is in 'MQ-MD80-ADMINS' and that group is authorized to connect to the queue manager. Yet I get:
Code:
AMQ8077W: Entity 'gerhard' has insufficient authority to access object MQHUBHA1
[qmgr].



One thing I'm not sure of here (not being an AD admin) is whether FINDGRP(member) is correct. I found that in an example. When looking up AD with ldapsearch it actually says memberOf. Changing it to memberOf does not appear to have any impact though.

I appreciate any suggestions.
Cheers,
Gerhard
You win again gravity !


Last edited by crashdog on Tue Apr 06, 2021 7:46 am; edited 1 time in total
hughson (posted Mon Apr 05, 2021 8:12 pm):
I'm not an LDAP expert either, but reading the IBM MQ docs it says:

IBM docs wrote:
When AUTHORMD = SEARCHGRP, the FINDGRP attribute is typically set to member or uniqueMember.

When AUTHORMD = SEARCHUSR, the FINDGRP attribute is typically set to memberOf.


It also says:

IBM docs wrote:
Many LDAP servers use an attribute of the group object to determine group membership and you should, therefore, set this value to SEARCHGRP.

Microsoft Active Directory typically stores group memberships as a user attribute. The IBM Tivoli Directory Server supports both methods.


So if you think that you should be using FINDGRP('memberOf') you might also need to change to AUTHORMD(SEARCHUSR) where you are currently using AUTHORMD(SEARCHGRP).

It sounds like you are using Microsoft Active Directory, so I think that would also suggest you should be using AUTHORMD(SEARCHUSR).

Cheers,
Morag
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
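To make the pairing quoted above concrete, here is an added Python model (not IBM's code and not from this thread) of how the two AUTHORMD methods walk a directory: SEARCHGRP queries group objects whose FINDGRP attribute lists the user's DN, while SEARCHUSR reads the FINDGRP attribute off the user object itself. The directory entries are constructed from the DNs and attributes posted in this thread; the function names are my own.

```python
# Constructed directory shaped like the AD entries in the ldapsearch output
# above: AD keeps memberOf on the user and member on the group.
DIRECTORY = {
    "CN=Gerhard Gubler,CN=Users,DC=md80,DC=ch": {
        "objectClass": ["user"],
        "sAMAccountName": ["gerhard"],
        "employeeID": ["gerhard"],
        "memberOf": ["CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch"],
    },
    "CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch": {
        "objectClass": ["group"],
        "sAMAccountName": ["MQ-MD80-ADMINS"],
        "member": ["CN=Gerhard Gubler,CN=Users,DC=md80,DC=ch"],
    },
}

def attr(entry, name):
    """LDAP attribute names are case-insensitive, so FINDGRP(memberof)
    and FINDGRP(memberOf) must resolve to the same attribute."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []

def find_user_dn(short_user, usrfield="sAMAccountName", classusr="user"):
    """Resolve the MCAUSER value the way the AMQ5531E context shows:
    (&(objectClass=<CLASSUSR>)(<USRFIELD>=<short_user>))."""
    for dn, entry in DIRECTORY.items():
        if classusr in attr(entry, "objectClass") and short_user in attr(entry, usrfield):
            return dn
    return None

def groups_for_user(short_user, authormd, findgrp, classgrp="group"):
    """Return the group DNs MQ would attribute to the user, or None when
    the user itself cannot be found (the AMQ5531E case)."""
    user_dn = find_user_dn(short_user)
    if user_dn is None:
        return None
    if authormd == "SEARCHGRP":
        # Search group objects: (&(objectClass=<CLASSGRP>)(<FINDGRP>=<user DN>))
        return sorted(dn for dn, entry in DIRECTORY.items()
                      if classgrp in attr(entry, "objectClass")
                      and user_dn in attr(entry, findgrp))
    if authormd == "SEARCHUSR":
        # Read <FINDGRP> straight off the user entry
        return sorted(attr(DIRECTORY[user_dn], findgrp))
    raise ValueError("AUTHORMD must be SEARCHGRP or SEARCHUSR")
```

The mismatched pairings (SEARCHGRP with memberOf, or SEARCHUSR with member) return an empty group list, which is why the user is found yet never linked to the group.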
crashdog (posted Mon Apr 05, 2021 10:55 pm):
Hello Morag,
I looked at that MQ documentation yesterday, but the mqseries.net forum was not reachable for some hours so I could not update my post.
Yes, I do use Microsoft Active Directory. I tried both combinations that you mentioned, but with the same result. What I could find out (which I wasn't exactly sure of before) is that the user name is really taken from the MCAUSER attribute of the SSLPEERMAP. If I change the MCAUSER to something non-existent, like 'bla', then I get the following error (with the combination FINDGRP('memberOf') AUTHORMD(SEARCHUSR)):
Code:
AMQ5531E: Error locating user or group in LDAP

EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'bla'. Returned count is 0. Additional
context is '(&(objectClass=user)(sAMAccountName=bla))'.


What is a bit strange to me is that MQ appears to find both the user and the group, but it appears that it cannot link the user to the group. When I look in AD the member field in the group fully qualifies the user:
Code:
member: CN=Gerhard Gubler,CN=Users,DC=md80,DC=ch

Also the 'memberOf' of the group is fully qualified:
Code:
memberOf: CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch


But I cannot use that in the MCAUSER field as this would be too long a string.
What I'm also not sure about is whether CLASSUSR and CLASSGRP are case sensitive. At the moment both are lowercase 'user' and 'group'.

This is where I'm currently stuck. But I'll continue to look into it.
[Edit]: I'm mostly referring to this documentation for my AD setup: https://community.ibm.com/community/user/integration/viewdocument/using-active-directory-for-authoris?CommunityKey=183ec850-4947-49c8-9a2e-8e7c7fc46c64&tab=librarydocuments


[Edit]: Also interesting: changing CLASSGRP to empty gives the following error output:
Code:
AMQ5532E: Error authorizing entity in LDAP

EXPLANATION:
The LDAP authorization service has failed in the ldap_first_entry call while
trying to find user or group 'NULL'. Returned count is 0. Additional context is
'CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.



Cheers,
Gerhard
crashdog (posted Tue Apr 06, 2021 7:29 am):
Problem solved... in the end it was a missing +inq for the group MQ-MD80-ADMINS on the QMGR, but the error in AMQERR001.LOG shows it as a missing authorization for the user.
So currently the connection to AD is set up with:
Code:
   AUTHINFO(MD80LDAP)                      AUTHTYPE(IDPWLDAP)
   ADOPTCTX(NO)                            DESCR( )
   CONNAME(192.168.178.46)                 CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      CLASSGRP(group)
   CLASSUSR(user)                          FAILDLAY(1)
   FINDGRP(memberof)                       BASEDNG(CN=Users,DC=md80,DC=ch)
   BASEDNU(CN=Users,DC=md80,DC=ch)
   LDAPUSER(CN=mqldapprd,CN=Users,DC=md80,DC=ch)
   LDAPPWD(********************************)
   SHORTUSR(employeeID)                    GRPFIELD(sAMAccountName)
   USRFIELD(sAMAccountName)                AUTHORMD(SEARCHUSR)
   NESTGRP(YES)                            SECCOMM(NO)


which works as desired. It would probably also work when changing to SEARCHGRP/member, but I'll leave it as is for now.

As a lesson learned, always look pedantically at the dmpmqaut output (see first post, first code section). Even the smallest bit can give you a bad day.

Cheers,
Gerhard
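As an added check that follows the lesson above (my own code, not from the thread or from IBM), here is a small Python parser for dmpmqaut output that flags queue-manager profiles granting connect without inq. The sample listing is constructed from the first post's "dmpmqaut -m MQHUBHA1 -t qmgr" output, with a second, invented group added so there is a passing record to compare against.

```python
import re

# Constructed sample shaped like the first post's dmpmqaut listing; the
# MQ-MD80-READERS record is invented to show a profile that carries inq.
SAMPLE_DMPMQAUT = """\
profile:     self
object type: qmgr
entity:      CN=MQ-MD80-ADMINS,CN=Users,DC=md80,DC=ch
entity type: group
authority:   connect dlt chg dsp ctrl

profile:     self
object type: qmgr
entity:      CN=MQ-MD80-READERS,CN=Users,DC=md80,DC=ch
entity type: group
authority:   connect inq dsp
"""

def parse_dmpmqaut(text):
    """Split dmpmqaut output into one dict per blank-line-separated record;
    the 'authority' field becomes a set of authority keywords."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "authority" in rec:
            rec["authority"] = set(rec["authority"].split())
        records.append(rec)
    return records

def qmgr_connect_without_inq(text):
    """Return the entities that hold connect on a qmgr profile but lack inq,
    the gap that produced the AMQ8077W in this thread."""
    return [rec["entity"] for rec in parse_dmpmqaut(text)
            if rec.get("object type") == "qmgr"
            and "connect" in rec.get("authority", set())
            and "inq" not in rec["authority"]]
```

Run it over the real output of dmpmqaut -m <qmgr> -t qmgr after each setmqaut change to catch the gap before a client connection does.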
hughson (posted Tue Apr 06, 2021 7:16 pm):
Glad to hear that you are all sorted now.

crashdog wrote:
As a lesson learned, always look pedantically at the dmpmqaut output (see first post, first code section). Even the smallest bit can give you a bad day.


Another lesson, always post the full error message when asking a question too.

crashdog wrote:
Code:
AMQ8077W: Entity 'gerhard' has insufficient authority to access object MQHUBHA1
[qmgr].


The above is missing the part that says you need inq authority.

Cheers,
Morag
crashdog (posted Wed Apr 07, 2021 2:26 am):
Quote:
Another lesson, always post the full error message when asking a question too.


You're right. I'm sure it won't be long before I have an opportunity to ask a more precise question.

Kind Regards,
Gerhard