mahi_raj
Posted: Thu May 14, 2009 6:12 am Post subject: LDAP Authentication for MQ
Newbie
Joined: 11 May 2009 Posts: 8
Hello,
We have MQ 6.0.2.5 running on AIX 5.3. As per business requirement, we are looking for an alternative authentication method for MQ other than OS-based authentication (using /etc/passwd or /etc/group). We heard LDAP is an option, and IBM says there is an option to configure MQ to use LDAP-based authentication in place of OS authentication. We are trying to understand the merits/demerits of using LDAP against OS authentication and what the impact of using LDAP on the OAM would be. Please share your thoughts on this.
Many thanks in advance.
Regards,
Mahesh
vol
Posted: Thu May 14, 2009 7:43 am Post subject:
Acolyte
Joined: 01 Feb 2009 Posts: 69
LDAP has caused several problems because of flaky implementations by OS vendors, notably Linux and zLinux, but to some extent on all platforms.
Also, have you considered the possibility that, should the LDAP server be unavailable, authentication cannot be carried out?
RogerLacroix
Posted: Thu May 14, 2009 3:50 pm Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi,
LDAP Authentication is an add-on to MQ. You have 2 products to choose from:
- Capitalware's MQ Authenticate User Security Exit (MQAUSX)
- IBM's WMQ ESE
Our customers are very happy with LDAP authentication via MQAUSX. We have not had any issues with Linux or zLinux. Also, most companies have primary and secondary LDAP servers so that there will not be any outages.
Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.
mahi_raj
Posted: Fri May 15, 2009 2:03 am Post subject:
Newbie
Joined: 11 May 2009 Posts: 8
Thanks Roger. We have already implemented Capitalware security (MQAUSX) for channel security with file-based authentication. Further, we are using MCAUSER on the channel to prevent one customer accessing another customer's MQ objects. Due to some constraints, we do not want to create the MCAUSER for the channel at OS level.
Since MQAUSX already has a provision to support LDAP authentication, we are planning to use it. But once authentication is complete, MQ would check for authorisation of users to access MQ objects. If users are created on LDAP and not on the OS, how would this authorisation of MQ objects be achieved? Is there any way to perform MQ object authorisation without creating users on the OS?
mqjeff
Posted: Fri May 15, 2009 4:05 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
RogerLacroix wrote:
> LDAP Authentication is an add-on to MQ.
OR it's an add-on to your OS (except on Windows, where it's named "ActiveDirectory"), and MQ never even knows it's there: the base product OAM happily does everything it needs to and the OS talks to LDAP under the covers.
Gaya3
Posted: Fri May 15, 2009 5:56 am Post subject:
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
RogerLacroix
Posted: Fri May 15, 2009 7:23 am Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi Mahesh,
mahi_raj wrote:
> MQAUSX already has a provision to support LDAP authentication, we are planning to use it.
mahi_raj wrote:
> Is there any way to perform MQ object authorisation without creating users on the OS?
The standard recommendation is to use the "Proxy List" and group people together.
i.e. Let's say you have 10 people from group ABC who need read access to a queue manager. Create an OS UserID called "abcread" and give the appropriate authorization to the UserID via setmqaut. Now assign those UserIDs to "abcread" via the "Proxy List".
Or, if you wanted a more global approach, create an OS UserID called "readonly" and give the appropriate authorization to the UserID via setmqaut. Now, for anyone who needs read-only access to the queue manager, assign their UserID to "readonly" in the Proxy List.
To take it one step further, you can use the "DefaultProxyID" in the Proxy List. This means that if the UserID is not found in the Proxy List, it will be assigned whatever value is set for "DefaultProxyID".
i.e.
DefaultProxyID=readonly
Please read section 5.15 of the latest MQAUSX Server-side Installation and Operation manual for more information.
Please let me know if you have any questions or comments. (You can reach us directly at "support AT capitalware DOT biz".)
Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.
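A worked illustration of the Proxy List mapping described above (many LDAP UserIDs collapsed onto one OS proxy account, with DefaultProxyID as the fallback) together with the least-privilege setmqaut grants a read-only proxy account would need. This is example code added here, not Capitalware's MQAUSX or IBM's; the list file format, the user names, the group name, queue manager QM1 and queue APP.Q are all constructed assumptions.

```shell
#!/bin/sh
# Constructed proxy-list lookup mimicking the semantics described in the post.
# The "ldap_user=os_proxy" file layout is an assumption, NOT the MQAUSX format.

PROXY_LIST="${TMPDIR:-/tmp}/proxy.list.$$"
cat > "$PROXY_LIST" <<'EOF'
# constructed sample: ldap_userid=os_proxy_userid
alice=abcread
bob=abcread
carol=appsupport
DefaultProxyID=readonly
EOF

# resolve_proxy LDAP_USERID
# Prints the OS account the OAM will authorize against: the explicit mapping
# if present, otherwise the DefaultProxyID fallback (empty if neither exists).
resolve_proxy() {
    _match=$(awk -F= -v u="$1" '!/^#/ && $1==u {print $2; exit}' "$PROXY_LIST")
    if [ -n "$_match" ]; then
        printf '%s\n' "$_match"
    else
        awk -F= '$1=="DefaultProxyID" {print $2; exit}' "$PROXY_LIST"
    fi
}

# readonly_grants QMGR QUEUE GROUP
# Prints (does not run, so no MQ install is needed) the minimal setmqaut
# commands for a browse/get-only proxy account. On UNIX, MQ 6 authorizes by
# the principal's primary group, so the proxy account's group is used here
# (assumed to be named after the account, e.g. abcread).
readonly_grants() {
    _qm=$1; _q=$2; _grp=$3
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq +dsp\n' "$_qm" "$_grp"
    printf 'setmqaut -m %s -t queue -n %s -g %s +browse +get +inq +dsp\n' \
        "$_qm" "$_q" "$_grp"
}

# Usage: an unlisted LDAP user falls through to the read-only proxy,
# which only ever gets the grants below.
for u in alice carol mallory; do
    printf '%s -> %s\n' "$u" "$(resolve_proxy "$u")"
done
readonly_grants QM1 APP.Q "$(resolve_proxy mallory)"
```

Because every unlisted LDAP identity lands on the DefaultProxyID account, the grants on that account are the effective floor of access for anyone MQAUSX authenticates, so they should be reviewed as carefully as the explicit mappings.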
mqjeff
Posted: Fri May 15, 2009 8:37 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
I'm not sure how suggesting to create a proxied user on the OS will help Mahesh avoid creating a user on the OS.
Again, on Unix, one can replace the standard /etc/passwd and /etc/group files with LDAP using various mechanisms, PAM on Linux for example.
Then one doesn't need to do anything other than point the OS at the same LDAP that MQAUSX is pointed at, and issue setmqaut as needed against the actual LDAP users.
RogerLacroix
Posted: Fri May 15, 2009 9:10 am Post subject:
Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
Hi Jeff,
mqjeff wrote:
> Again, on Unix, one can replace the standard /etc/passwd and /etc/group files with LDAP using various mechanisms, PAM on Linux for example.
This is true, but a lot of companies either cannot or will not support this configuration. Sometimes that's just the way it is.
mqjeff wrote:
> I'm not sure how suggesting to create a proxied user on the OS will help Mahesh avoid creating a user on the OS.
That's not what I said. What I was saying was to create a single OS account instead of 10, 50, 100 OS accounts.
i.e. Create 1 OS account for application support people. Create 1 OS account for people who need read-only access, etc., then use the Proxy feature of MQAUSX to map LDAP UserIDs to a single OS account.
Several years ago, I suggested to IBM Hursley that they add an API exit call in the OAM to replace the OS UserID lookup with a vendor-supplied lookup. But so far, IBM has ignored me.
Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.