rmah
Posted: Fri Sep 05, 2008 9:55 am    Post subject: LDAP authentication MQ servers
Hi All,
We have moved to LDAP authentication on some of our MQ servers. Therefore, usernames are no longer stored in the /etc/passwd file, but on an LDAP server.
Will this affect connectivity to a queue manager via MQ Explorer?
I noticed that on one server, a user is not in /etc/passwd, but is in the 'mqm' group in /etc/group, and they're able to connect. On another server, however, they are not in /etc/passwd, but are in /etc/group, and are able to connect. Weird...
Is MQ authentication designed to use /etc/passwd and /etc/group only? Will LDAP authentication cripple connectivity?
Thanks!
-- MQ 6.0.2.3, Broker 6.0.0.7 for Linux
fjb_saper
Posted: Fri Sep 05, 2008 11:32 am
You have to be careful and maybe stop the qmgr. Ensure that the LDAP authentication is before any other on your path, then restart the qmgr.
The QMGR goes for the system authentication. If the system's authentication default behavior has been changed, you need to check whether that is also the case for the user and the mqm user before you restart the qmgr.
Enjoy
-- MQ & Broker admin
Gaya3
Posted: Sun Sep 07, 2008 8:19 pm
We are facing a lot of issues with the LDAP server;
it requires refreshing security multiple times. We raised this concern to LDAP, but it went in vain.
So be careful about this fact, as it's a bug on the LDAP side, that's what I came to know.
-- Regards, Gayathri
Do Something Before you Die
rmah
Posted: Mon Sep 08, 2008 8:33 am
Gaya3 wrote:
> We are facing a lot of issues with the LDAP server;
> it requires refreshing security multiple times. We raised this concern to LDAP, but it went in vain.
> So be careful about this fact, as it's a bug on the LDAP side, that's what I came to know.
So far, a restart of the queue manager after the switchover to LDAP allows connectivity. The queue manager needs to pick up the system's method of authentication.
-- MQ 6.0.2.3, Broker 6.0.0.7 for Linux
Gaya3
Posted: Mon Sep 08, 2008 8:25 pm
A particular user id works for a week or two; later it throws a 2035 error while connecting.
Restarting the queue manager every time is expensive for us.
-- Regards, Gayathri
rmah
Posted: Mon Sep 08, 2008 8:34 pm
Gaya3 wrote:
> A particular user id works for a week or two; later it throws a 2035 error while connecting.
> Restarting the queue manager every time is expensive for us.
Fingers crossed that doesn't happen to us!
-- MQ 6.0.2.3, Broker 6.0.0.7 for Linux
fjb_saper
Posted: Mon Sep 08, 2008 8:35 pm
Gaya3 wrote:
> A particular user id works for a week or two; later it throws a 2035 error while connecting.
> Restarting the queue manager every time is expensive for us.
Switching from OS authentication to LDAP, you have to take a few things into consideration:
- The initial environment for all users
- The group's initial environment
- The user's changes to the initial environment
Why are those so important?
Because with switching to LDAP comes a different implementation of the usual system function that performs that task. As the task does not disappear from the OS, the LDAP implementation is usually loaded to the PATH before the OS's implementation...
Now you could switch back and forth between LDAP and OS authentication just by switching the order of some items on the PATH.
This is why, after switching to LDAP, you have to verify the environment for the mqm user / group, and/or for the user usually starting the qmgr... Enjoy
-- MQ & Broker admin
RogerLacroix
Posted: Tue Sep 09, 2008 12:41 pm
Hi,
Just an FYI.
This topic is talking about "authorization" and not "authentication". MQ / OAM only does authorization processing against its ACL.
Regards,
Roger Lacroix
Capitalware Inc.
-- Capitalware: Transforming tomorrow into today.
fjb_saper
Posted: Tue Sep 09, 2008 8:12 pm
RogerLacroix wrote:
> Hi,
> Just an FYI.
> This topic is talking about "authorization" and not "authentication". MQ / OAM only does authorization processing against its ACL.
> Regards,
> Roger Lacroix
> Capitalware Inc.
Sure Roger, but if you introduce LDAP and make it your OS method of choice, you also log in against it (i.e. authentication). MQ only uses the authorization part.
MQ authentication requires additional security provided in the form of security exits (available @ capitalware.biz) and through SSL. I hope I did not confuse anybody...
-- MQ & Broker admin
Gaya3
Posted: Tue Sep 09, 2008 8:21 pm
It's good information to me; let me see how I can tackle the matter now.
-- Regards, Gayathri
rmah
Posted: Wed Sep 17, 2008 2:44 pm
fjb_saper wrote:
> RogerLacroix wrote:
> > Hi,
> > Just an FYI.
> > This topic is talking about "authorization" and not "authentication". MQ / OAM only does authorization processing against its ACL.
> > Regards,
> > Roger Lacroix
> > Capitalware Inc.
> Sure Roger, but if you introduce LDAP and make it your OS method of choice, you also log in against it (i.e. authentication). MQ only uses the authorization part.
> MQ authentication requires additional security provided in the form of security exits (available @ capitalware.biz) and through SSL. I hope I did not confuse anybody...
Does MQ use the /etc/group file to authenticate and see if a user is in the 'mqm' group? Does a user have to be in the proper group in /etc/group, or can their group be stored in LDAP?
-- MQ 6.0.2.3, Broker 6.0.0.7 for Linux
RogerLacroix
Posted: Wed Sep 17, 2008 6:59 pm
rmah wrote:
> Does MQ use the /etc/group file to authenticate and see if a user is in the 'mqm' group?
The queue manager does NOT authenticate. The queue manager's OAM does a system OS API call to request the Group Id for that particular UserId.
rmah wrote:
> Does a user have to be in the proper group in /etc/group, or can their group be stored in LDAP?
If your Unix SysAdmin has set up the LDAP PAM module correctly then everything will / can be held in the LDAP server.
Regards,
Roger Lacroix
Capitalware Inc.
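Roger's answer can be checked from the shell: because the OAM asks the OS for a user's groups, what matters is how the name service switch (/etc/nsswitch.conf, the layer an LDAP module plugs into) resolves the id, not whether the id appears in /etc/passwd or /etc/group. The script below is an added example, not code from this thread or from IBM MQ; it assumes the MQ administrator group is named mqm (override with the MQ_GROUP variable) and uses getent and id, which follow the same NSS path as the OAM's lookup.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM MQ): show how a user id
# resolves for the OAM's group lookup. The OAM asks the OS for the user's
# groups, so the answer comes from NSS (getent, id) as configured in
# /etc/nsswitch.conf, not from reading /etc/passwd and /etc/group directly.
# Assumption: the MQ administrator group is 'mqm' (override with MQ_GROUP).

MQ_GROUP="${MQ_GROUP:-mqm}"

# 0 if NSS knows the user, whatever the backend (files, ldap, sss, ...).
nss_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# 0 if the user is defined in the local /etc/passwd file itself.
local_user_exists() {
    grep -q "^$1:" /etc/passwd 2>/dev/null
}

# 0 if the user is a primary or supplementary member of the group, as
# resolved through NSS, the same path the OAM's group lookup follows.
user_in_group() {
    _u="$1"; _g="$2"
    for grp in $(id -Gn "$_u" 2>/dev/null); do
        [ "$grp" = "$_g" ] && return 0
    done
    return 1
}

# Print where a user id comes from and whether it is in the MQ group;
# returns 1 when the id cannot be resolved at all.
report_user() {
    _u="$1"
    if ! nss_user_exists "$_u"; then
        echo "$_u: not resolvable via NSS, so the OAM cannot look up its groups"
        return 1
    fi
    if local_user_exists "$_u"; then
        echo "$_u: defined in /etc/passwd"
    else
        echo "$_u: not in /etc/passwd, resolved through NSS (e.g. LDAP)"
    fi
    if user_in_group "$_u" "$MQ_GROUP"; then
        echo "$_u: member of $MQ_GROUP"
    else
        echo "$_u: not in $MQ_GROUP"
    fi
}

# Usage: pass the ids that connect via MQ Explorer, plus the mqm user itself.
for u in "$@"; do report_user "$u"; done
```

Run it on both servers from the original question: an id that is "not in /etc/passwd" but still resolves and shows mqm membership is exactly the case the OAM accepts, while an id that fails to resolve is what produces the 2035 seen in the thread.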