AMQ5530E: Error from LDAP authentication and authorization service
Andrii
Posted: Mon Jan 17, 2022 12:18 pm Post subject: AMQ5530E: Error from LDAP authentication and authorization service
Hi All,
Our organization has installed and configured an IBM MQ Appliance with firmware version M2002A. It has IBM MQ software version 9.2.3.0 deployed.
In this environment a queue manager is configured with authorization on an LDAP server. The connection to the LDAP server uses TLS on port 636. All connections to the queue manager, with authorization on the LDAP server, are successful. But during the day the following situation is observed.
At regular intervals of 35 minutes, the following error occurs on the queue manager:
Code:
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Host(n7mq1) Installation(MQAppliance)
VRMF(9.2.3.0) QMgr(QM.SEP4.EXT)
Time(2022-01-17T19:32:54.134Z)
ArithInsert1(81)
CommentInsert1(ldap_simple_bind)
CommentInsert2(Can't contact LDAP server)
CommentInsert3(CN=xxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua@172.xx.x.xx:636 )
AMQ5530E: Error from LDAP authentication and authorization service
EXPLANATION:
The LDAP authentication and authorization service has failed. The
'ldap_simple_bind' call returned error 81 : 'Can't contact LDAP server'. The
context string is
'CN=xxxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua@172.xx.x.xx:636 '. Additional
code is 0.
ACTION:
Correct the LDAP configuration. Look at the LDAP server logs for additional
error information.
Code:
----- amqzfula.c : 3126 -------------------------------------------------------
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Host(n7mq1) Installation(MQAppliance)
VRMF(9.2.3.0) QMgr(QM.SEP4.EXT)
Time(2022-01-17T19:32:54.135Z)
RemoteHost(172.22.XXX.XX)
CommentInsert1(xxxxxxxxx)
CommentInsert2(REQUIRED)
CommentInsert3(MCAUSER(xxxxxx) CLNTUSER(xxxxxxxx) SSLPEER(SERIALNUMBER=06:BD:FE:F3:8E:27:41:FC:04:00:00:00:4D:01:00:00:2F:02:00:00,CN=S0XXSEPXXXX,O=XXXXXXXX,L=XXXXXX,C=UA) SSLCERTI(CN=.))
AMQ9790I: The failed authentication check was caused by a CHLAUTH record with
CHCKCLNT(REQUIRED).
EXPLANATION:
The user ID 'xxxxxxxxx' and its password were checked because the inbound
connection matched a channel authentication record with CHCKCLNT(REQUIRED).
The active values of the channel were 'MCAUSER(xxxxxxxxx) CLNTUSER(xxxxxxxx)
SSLPEER(SERIALNUMBER=06:BD:FE:F3:8E:27:41:FC:04:00:00:00:4D:01:00:00:2F:02:00:00,CN=S0XXXSEPXXXX,O=XXXXX,L=XXXX,C=UA) SSLCERTI(CN=XXXXXX
XXXXX..)'. The MATCH(RUNCHECK) mode of the DISPLAY CHLAUTH MQSC command can
be used to identify the relevant CHLAUTH record.
This message accompanies a previous error to clarify the reason for the user ID
and password check.
ACTION:
Refer to the previous error for more information.
Ensure that a password is specified by the client application and that the
password is correct for the User ID. The queue manager's connection
authentication configuration determines the User ID repository, for example the
local operating system user database or an LDAP server.
Alternatively, to avoid the authentication check you can amend the CHLAUTH
record CHCKCLNT attribute. However, allowing unauthenticated remote access is
not recommended.
The reason for this error, when authorization otherwise works normally throughout the day, is not clear. No errors were found in the logs of the LDAP server itself.
Last edited by Andrii on Mon Jan 24, 2022 4:27 am; edited 6 times in total
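One way to confirm the regularity of these failures from the queue manager error log, as an added example that is not part of the original post: the log text inside it is constructed to mirror the entries above, and the entry parsing is my own, not an IBM tool. A strictly periodic gap points at a timer (a cache refresh, a keepalive, a middlebox idle timeout) rather than random LDAP outages.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample in the error-log layout: three AMQ5530E entries 35 min apart plus one AMQ9790I.
SAMPLE_LOG = """\
01/17/22 20:22:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Time(2022-01-17T18:22:54.131Z)
CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
----- amqzfula.c : 3126 -----
01/17/22 20:22:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Time(2022-01-17T18:22:54.132Z)
AMQ9790I: The failed authentication check was caused by a CHLAUTH record with
CHCKCLNT(REQUIRED).
----- amqzfula.c : 3126 -----
01/17/22 20:57:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Time(2022-01-17T18:57:54.120Z)
CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
----- amqzfula.c : 3126 -----
01/17/22 21:32:54 - Process(1509986.233) User(mqsystem) Program(amqrmppa)
Time(2022-01-17T19:32:54.134Z)
CommentInsert2(Can't contact LDAP server)
AMQ5530E: Error from LDAP authentication and authorization service
"""
SEPARATOR = re.compile(r"^-----.*$", re.MULTILINE)  # line closing each entry
TIME_RE = re.compile(r"Time\((\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z\)")
CODE_RE = re.compile(r"^(AMQ\d{4}[EIW]):", re.MULTILINE)
REASON_RE = re.compile(r"CommentInsert2\(([^)]*)\)")

def parse_entries(text):
    """Return (utc_time, message_code, CommentInsert2 text) per log entry."""
    entries = []
    for chunk in SEPARATOR.split(text):
        t, c = TIME_RE.search(chunk), CODE_RE.search(chunk)
        if t and c:  # skip the blank remainder between separators
            r = REASON_RE.search(chunk)
            entries.append((datetime.strptime(t.group(1), "%Y-%m-%dT%H:%M:%S"),
                            c.group(1), r.group(1) if r else ""))
    return entries

def failure_intervals(text, code="AMQ5530E"):
    """Minutes between consecutive entries carrying the given message code."""
    times = [t for t, c, _ in parse_entries(text) if c == code]
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]

def is_periodic(intervals, tolerance_min=1.0):
    """True when every gap sits within tolerance of the mean: a timer, not random outages."""
    return len(intervals) >= 2 and all(abs(i - mean(intervals)) <= tolerance_min for i in intervals)
```

Run it against the full error log (the Time(...) values are UTC, so daylight-saving changes do not skew the gaps) and compare the gap with any cache or idle-timeout settings on the path to the LDAP server.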
hughson
Posted: Mon Jan 17, 2022 8:18 pm
So you have shown us that you have a remote (i.e. client-attached) application attempting to connect to your queue manager. It is coming in on an undisclosed channel name, because CommentInsert3, which would contain the channel name, is filled with certificate details and truncated.
You are shown the client's digital certificate details in the SSLPEER and SSLCERTI attributes in CommentInsert3, and the user ID that it is presenting for password validation, S0HPSEP000. This should hopefully allow you to identify the application in question, if you have not already done so?
We know that its password is being checked because the CHLAUTH record is set to CHCKCLNT(REQUIRED); this may help you to determine the CHLAUTH record in question, given you don't have a channel name in the error message.
You have shown us that at the time this LDAP authentication check is attempted, the queue manager reports that it "can't contact LDAP server" at IP address 172.22.0.10 and port number 636.
You have not shown us any of the configuration for your LDAP authentication setup. You mention that all other connections to the queue manager are successful.
Do all the successful connections you mention also do password validation? Or are you only using the LDAP server for authorization and not authentication for these other applications?
I suspect for us to be able to help you further you will need to tell us a little more about your setup.
Cheers,
Morag

Morag Hughson (@MoragHughson), IBM MQ Technical Education Specialist, MQGem Software
Andrii
Posted: Tue Jan 18, 2022 12:18 pm Post subject: AMQ5530E: Error from LDAP authentication and authorization
Thanks for your reply.
The WEB Application Server is connected remotely. In this case, the WEB Application Server is authorized by the user S0XXXSEPXXXX. In the error message, the QMgr field contains the name of the queue manager, QM.SEP4.EXT, to which the connection is being made.
The error occurred while the WEB Application Server Liberty server was connecting. The WEB Application Server has two nodes, but they are not connected into a cluster at the physical level. Connections from Data Power also fail with a similar error; we have three physical Data Power nodes combined into a logical cluster for load balancing.
Below are the parameters for connecting to the LDAP server:
Code:
DEFINE AUTHINFO('TEST_US') +
AUTHTYPE(IDPWLDAP) +
ADOPTCTX(YES) +
DESCR('TEST_US') +
CONNAME('172.xx.x.xx(636)') +
CHCKCLNT(REQUIRED) +
CHCKLOCL(OPTIONAL) +
CLASSGRP('group') +
CLASSUSR('user') +
FAILDLAY(1) +
FINDGRP('memberof') +
BASEDNG('OU=MQ,DC=test_us,DC=tets,DC=gov,DC=ua') +
BASEDNU('OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua') +
LDAPUSER('CN=xxxxxx,OU=MQ,DC=test_us,DC=test,DC=gov,DC=ua') +
* LDAPPWD(' ') +
SHORTUSR('cn') +
GRPFIELD('sAMAccountName') +
USRFIELD('sAMAccountName') +
AUTHORMD(SEARCHUSR) +
NESTGRP(NO) +
SECCOMM(YES) +
REPLACE
Last edited by Andrii on Mon Jan 24, 2022 4:26 am; edited 4 times in total
hughson
Posted: Thu Jan 20, 2022 9:38 pm Post subject: Re: AMQ5530E: Error from LDAP authentication and authorization
Andrii wrote:
Below are the parameters for connecting to the LDAP server:
Thank you for that. Did you have a chance to think about any of the other questions I asked?
Andrii wrote:
But also with a similar error there are connections from Data Power.
Do you mean that Data Power is also making use of the same LDAP Server and is seeing similar errors?
Have you checked with your network administrators that the error being reported isn't simply due to a network outage at that time?
Cheers,
Morag

Morag Hughson (@MoragHughson), IBM MQ Technical Education Specialist, MQGem Software
fjb_saper
Posted: Fri Jan 21, 2022 5:54 am
Why are the user field and group field the same in your LDAP definition?

MQ & Broker admin
Andrii
Posted: Sat Jan 29, 2022 10:12 am Post subject: AMQ5530E: Error from LDAP authentication and authorization
Yes, all other successful connections also perform password verification and use authorization to obtain information about access to queue manager objects. According to my understanding of IBM MQ, it stores all authorization records in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the autorotation records.
But the Appliance is running other queue managers whose users are also authorized and authenticated on the same LDAP server, and these queue managers do not generate such errors.
We also contacted our network specialists; they said that all connections are successful. We also found one feature of the gateway equipment: TCP connections that have been inactive for more than an hour are closed automatically. But no correlation between this parameter on the network equipment and the occurrence of the LDAP connection error has been traced yet.
To answer the question why we use the same definition for the group and user fields in the connection settings: the main users and groups that are used for authorization are in the root of the LDAP container, and the rest of the users are in the subdirectories of this LDAP container.
Last edited by Andrii on Sun Jan 30, 2022 11:11 pm; edited 1 time in total
hughson
Posted: Sun Jan 30, 2022 10:00 pm Post subject: Re: AMQ5530E: Error from LDAP authentication and authorization
Andrii wrote:
According to my ideas on IBM MQ, it stores all autorotation data in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the autorotation records.
I am not familiar with autorotation data in IBM MQ, can you elaborate?

Morag Hughson (@MoragHughson), IBM MQ Technical Education Specialist, MQGem Software
Andrii
Posted: Mon Jan 31, 2022 3:55 am Post subject: AMQ5530E: Error from LDAP authentication and authorization
Hi All.
I'm sorry, I made a spelling mistake. I meant something else about this.
According to my ideas on IBM MQ, it stores all authorization records in its memory cache for a certain period of time. Therefore, one of the assumptions was that the LDAP connection error is repeated every 35 minutes due to updating the authorization records.