MQSeries.net Forum Index » General IBM MQ Support » MQ LDAP - Case sensitive AUTHREC

Post new topic  Reply to topic
 MQ LDAP - Case sensitive AUTHREC « View previous topic :: View next topic » 
Author Message
TrstnG (Newbie; Joined: 25 Apr 2023; Posts: 1)
Posted: Tue Apr 25, 2023 6:55 am    Post subject: MQ LDAP - Case sensitive AUTHREC
Hi everyone,

After several searches on this forum and a PMR opened with IBM, I didn't find a response to my issue.

On some of our queue managers we enabled LDAP authentication.

Code:

DIS AUTHINFO(LDAPAUTHGRP)
AMQ8566I: Display authentication information details.
   AUTHINFO(LDAPAUTHGRP)                   AUTHTYPE(IDPWLDAP)
   ADOPTCTX(YES)
   DESCR(AUTHINFO for LDAP authentication)
   CONNAME(***)            CHCKCLNT(OPTIONAL)
   CHCKLOCL(OPTIONAL)                      CLASSGRP(groupOfNames)
   CLASSUSR( )                             FAILDLAY(1)
   FINDGRP(member)                         BASEDNG(o=***,c=**)
   BASEDNU( )
   LDAPUSER(cn=****,ou=***,o=***,c=***)
   LDAPPWD(********************************)
   SHORTUSR(uid)                           GRPFIELD(cn)
   USRFIELD(cn)                            AUTHORMD(SEARCHGRP)
   NESTGRP(NO)                             SECCOMM(NO)
   ALTDATE(2021-09-01)                     ALTTIME(14.38.46)


In summary, we created specific groups in LDAP to segregate rights on the queue manager:


    - READONLY (just displays objects and messages in queues)
    - APPLICATION (for getting and putting messages from applications)
    - OPS (kind of admin role, with some restrictions)
    - BUILD (developer role, for deploy only)


The idea is to check whether the user that is trying to connect to the queue manager belongs to one of those groups.
We defined a bunch of AUTHRECs to give rights to those LDAP groups by specifying the full DN:


Code:

SET AUTHREC PROFILE('self')  +
       OBJTYPE(QMGR)  +
       GROUP('cn=READONLY,ou=GROUP,o=********,c=******')  +
       AUTHADD(CONNECT,DSP,INQ)

SET AUTHREC PROFILE('self')  +
       OBJTYPE(QMGR)  +
       GROUP('cn=APPLICATIONS,ou=GROUP,o=********,c=******')  +
       AUTHADD(ALTUSR  ,CONNECT  ,DSP  ,INQ  ,SET  ,SETID)

SET AUTHREC PROFILE('self')  +
       OBJTYPE(QMGR)  +
       GROUP('cn=OPS,ou=GROUPS,ou=********,ou=POSIX,o=********,c=******')  +
       AUTHADD(ALTUSR  ,CHG  ,CONNECT  ,DSP  ,INQ  ,SET  ,SETALL  ,SETID)

SET AUTHREC PROFILE('self')  +
       OBJTYPE(QMGR)  +
       GROUP('cn=BUILD,ou=GROUPS,ou=********,ou=POSIX,o=********,c=******')  +
       AUTHADD(CONNECT  ,DSP  ,INQ  ,SETALL  ,SETID)



All was running fine for several months, but we recently changed the LDAP solution.

First it started to fail because AUTHRECs are case sensitive and the DN case changed between the two LDAP solutions. We fixed the AUTHRECs with the correct case and had no issues anymore.

According to LDAP RFC 4517, it seems that the LDAP server can't guarantee the case of the LDAP query result.

But we are currently meeting a random issue on some queue managers: sometimes authentication fails again; we re-apply the same AUTHRECs with the same case as before and that fixes the issue.

Is there a way to have AUTHRECs case insensitive?
The PMR conclusion advised us to set the ChlauthIgnoreUserCase stanza in qm.ini, but I don't see the link between CHLAUTH and AUTHREC...

Code:
Channels:
   MQIBindType=***
   MaxChannels=****
   MaxActiveChannels=***
   ChlauthIgnoreUserCase=YES


Thanks a lot for your help !
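The post above describes the mismatch between how the directory and the queue manager compare a group DN: under RFC 4517's distinguishedNameMatch (the rule the poster cites), attribute types are compared ignoring case and the values of caseIgnoreMatch attributes such as cn, ou, o and c (RFC 4519) are compared ignoring case, whereas the OAM only honours an AUTHREC whose GROUP string matches the DN it receives byte for byte. The script below is an added example, not code from the original post or from IBM MQ. It normalises DNs the way the directory does, classifies each AUTHREC group as an exact OAM match, a case-only mismatch (the directory says same group, the OAM says different) or missing, and emits the MQSC needed to re-issue a case-only record under the spelling the directory actually returns. The AUTHREC and directory DN lists are constructed placeholders (o=EXAMPLE,c=XX), not anyone's real directory; in practice you would feed it the GROUP values from DIS AUTHREC and the group DNs from an LDAP search.

```python
# Added example: audit AUTHREC GROUP DNs against what the directory returns.
# RFC 4517 distinguishedNameMatch ignores case in attribute types and in
# values of caseIgnoreMatch attributes (RFC 4519); the OAM compares the
# AUTHREC GROUP string byte-for-byte.  All DNs here are constructed placeholders.

CASE_IGNORE_TYPES = {"cn", "ou", "o", "c", "dc", "uid", "l", "st"}


def parse_dn(dn):
    """Split an RFC 4514 string DN into [(type, value), ...]; a backslash
    escapes the next character, so an escaped comma stays inside its value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip(), val.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form under distinguishedNameMatch: lower-case types, single
    spaces inside values, lower-case values for caseIgnore attributes."""
    parts = []
    for typ, val in parse_dn(dn):
        t, v = typ.lower(), " ".join(val.split())
        parts.append("%s=%s" % (t, v.lower() if t in CASE_IGNORE_TYPES else v))
    return ",".join(parts)


def ldap_equal(a, b):
    """Equality as the directory sees it."""
    return normalize_dn(a) == normalize_dn(b)


def audit(authrecs, directory_groups):
    """Map each AUTHREC group DN to (status, directory_dn): 'exact' (OAM matches),
    'case-only' (directory says same group, OAM says different: the failure in
    the post) or 'missing' (no directory group matches under either rule)."""
    report = {}
    for group in authrecs:
        match = next((d for d in directory_groups if ldap_equal(group, d)), None)
        if match is None:
            report[group] = ("missing", None)
        else:
            report[group] = ("exact" if group == match else "case-only", match)
    return report


def fix_commands(report, authrecs, profile="self", objtype="QMGR"):
    """MQSC that drops the record under the spelling the OAM will never see
    again and re-adds it under the directory's spelling with the same AUTHADD."""
    cmds = []
    for old, (status, new) in report.items():
        if status == "case-only":
            cmds.append("DELETE AUTHREC PROFILE('%s') OBJTYPE(%s) GROUP('%s')"
                        % (profile, objtype, old))
            cmds.append("SET AUTHREC PROFILE('%s') OBJTYPE(%s) GROUP('%s') AUTHADD(%s)"
                        % (profile, objtype, new, ",".join(authrecs[old])))
    return cmds


# Constructed sample: AUTHRECs as defined on the queue manager.
AUTHRECS = {
    "cn=READONLY,ou=GROUP,o=EXAMPLE,c=XX": ["CONNECT", "DSP", "INQ"],
    "cn=APPLICATIONS,ou=GROUP,o=EXAMPLE,c=XX": ["ALTUSR", "CONNECT", "DSP", "INQ", "SET", "SETID"],
    "cn=BUILD,ou=GROUPS,ou=POSIX,o=EXAMPLE,c=XX": ["CONNECT", "DSP", "INQ", "SETALL", "SETID"],
}
# Constructed sample: the same groups as the replacement directory returns them.
DIRECTORY_GROUPS = [
    "CN=READONLY,OU=GROUP,O=EXAMPLE,C=XX",      # upper-cased by the new server
    "cn=APPLICATIONS,ou=GROUP,o=EXAMPLE,c=XX",  # unchanged
]


def run_audit():
    return audit(AUTHRECS, DIRECTORY_GROUPS)


if __name__ == "__main__":
    rep = run_audit()
    for dn, (status, seen) in rep.items():
        print("%-9s %s  (directory: %s)" % (status, dn, seen))
    print("\n".join(fix_commands(rep, AUTHRECS)))
```

Two caveats. The normalisation only covers the attribute types listed in CASE_IGNORE_TYPES and whitespace; a directory may also return hex-escaped or differently ordered values, which this does not canonicalise. And the DELETE/SET pair only repairs a record whose spelling has drifted; it does not explain why the returned case would vary between queries, which is the intermittent part of the poster's problem.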
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Wed Apr 26, 2023 2:01 am
I may be barking up the wrong tree here, but...

ChlauthIgnoreUserCase=NO
username != UserName

ChlauthIgnoreUserCase=YES
username == UserName

The block may have been initiated before hitting the AUTHREC check (logical - why would you check whether a userid has access to an object, then check whether the userid is allowed to connect to the queue manager).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson (Padawan; Joined: 09 May 2013; Posts: 1916; Location: Bay of Plenty, New Zealand)
Posted: Wed Apr 26, 2023 9:02 pm    Post subject: Re: MQ LDAP - Case sensitive AUTHREC
TrstnG wrote:
Is there a way to have AUTHREC case insensitive ?

I don't know of a way to make AUTHRECs treat user ids and groups in a case insensitive way. I suspect you don't want to go to the lengths of creating your own OAM either.
TrstnG wrote:
PMR conclusion advise us to set ChlauthIgnoreUserCase stanza in qm.ini but I don't see the link between CHLAUTH & AUTHREC...

I also don't see the link. Sure CHLAUTH could have the same problem, but I don't think this setting changes the case of the user id after CHLAUTH is finished looking at it.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software