Any way to distinguish between a W2k local and domain user?

smahon (Apprentice)
Posted: Tue May 14, 2002 9:11 am
Joined: 24 Apr 2002 Posts: 29

On an AIX queue manager, is there any way to distinguish between a W2k/NT "local" user and a W2k/NT "domain" user with the same userid?
I would like to give a group of domain users admin access via MQ Explorer, but need to prevent someone from creating a "local" userid and, thereby, obtaining admin access.

mqonnet (Grand Master)
Posted: Tue May 14, 2002 9:36 am
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.

smahon,
Not quite sure if I understand your question. But you need to bear in mind that no one can have access to your queue manager until and unless you authorize that user. Each and every user must have a principal defined on AIX and properly granted authorities to access the objects of this qm.
Unless you do the above, no one is allowed access to your QM on AIX.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator

smahon (Apprentice)
Posted: Tue May 14, 2002 9:45 am
Joined: 24 Apr 2002 Posts: 29

I understand all that. Let's assume, for the sake of this conversation, that I grant admin access to a group via setmqaut. A UNIX principal is a member of that group. A W2k "domain" user with the same id connects to the SYSTEM.ADMIN.SRVCONN channel via MQ Explorer and is allowed admin access to the queue manager. This is desired, and I have it working.
Now, another W2k user, with admin permission on his workstation, creates a "local" user by the same name as above. When he uses MQ Explorer to connect to the AIX queue manager he is given admin authority, without me granting it!
IF there is a way, on AIX, to differentiate between the "domain" user: joblow and the "local" user: joblow, THEN I can rely on the domain authentication provided by W2k/NT to prevent this. If not, I am screwed.

mqonnet (Grand Master)
Posted: Tue May 14, 2002 10:00 am
Joined: 18 Feb 2002 Posts: 1114 Location: Boston, Ma, Usa.

As per my knowledge there is nothing that would determine if the userid that is coming in is a domain user or a local user. At the time of this userid being checked for authorization on AIX, the only thing that comes in is the userid. And with just this info, one cannot distinguish between a domain and a local userid.
I am really not sure how you could get around your problem, because this is the way it is supposed to work. Create a user on AIX, assign authorities to it. Map this user to a local/domain user on NT and you are granted access. In this scenario, the motive of creating a userid on AIX is to grant access to a user coming in with the specified userid. What if more than 1 user has this userid is not within the purview of MQ (as per my understanding). And this needs to be dealt with by your Admin.
Sure would like to get more info/comments on this.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator
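
Added example (not part of the original thread and not IBM's code): a small Python model of the authorization flow described in the posts above, showing why a domain logon and a workstation-local logon with the same userid resolve to the same AIX group grants. The names `CORP`, `WKSTN042`, `mqadmins` and the authority label `admin` are constructed for illustration; `joblow` is the userid used in the thread.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the thread; not real MQ configuration.
UNIX_GROUPS = {"mqadmins": {"joblow"}}   # AIX group -> member principals (hypothetical group)
GROUP_GRANTS = {"mqadmins": {"admin"}}   # stand-in label for what setmqaut granted the group


@dataclass(frozen=True)
class WindowsLogon:
    account_db: str  # what validated the password: a domain, or one workstation's local accounts
    userid: str


def userid_on_the_wire(logon: WindowsLogon) -> str:
    """Per the thread, only the userid reaches the AIX authorization check;
    the account database that vouched for it is dropped here."""
    return logon.userid


def authorities_on_aix(userid: str) -> frozenset:
    """Union of the grants of every AIX group whose members include this principal."""
    grants = set()
    for group, members in UNIX_GROUPS.items():
        if userid in members:
            grants |= GROUP_GRANTS.get(group, set())
    return frozenset(grants)


def access_for(logon: WindowsLogon) -> frozenset:
    """End-to-end result for one client logon in this model."""
    return authorities_on_aix(userid_on_the_wire(logon))


def indistinguishable(a: WindowsLogon, b: WindowsLogon) -> bool:
    """True when logons vouched for by different account databases
    end up with the same non-empty set of authorities."""
    same_access = access_for(a) == access_for(b)
    return a.account_db != b.account_db and same_access and bool(access_for(a))


if __name__ == "__main__":
    domain_user = WindowsLogon("CORP", "joblow")     # authenticated by the domain
    local_user = WindowsLogon("WKSTN042", "joblow")  # created locally on a workstation
    print(access_for(domain_user), access_for(local_user))
    print("indistinguishable on AIX:", indistinguishable(domain_user, local_user))
```

In this model the only input to `authorities_on_aix` is the bare userid, which is the limitation both posters describe: nothing available at that point records which account database performed the authentication.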