MQSeries.net Forum Index » IBM MQ Security » Can I mix local userids with LDAP authentication?

Can I mix local userids with LDAP authentication?
NomadAU
Posted: Thu May 25, 2017 11:06 pm    Post subject: Can I mix local userids with LDAP authentication?

Novice

Joined: 06 Feb 2017
Posts: 15

I've got myself confused around something that should be fairly straightforward. Hoping someone can put me straight.
Environment: RHEL v7 and MQ v8.

I'm building out a configuration with multiple QMs in a cluster and a couple of QMs that are used as cluster gateways.
One of the gateways is used for access to/from external business partners while the other is used primarily for access to/from a 3rd party component installed on premise.

The security I am trying to implement would have traffic from the external business partner secured using x.509 certs on the SDR/RCVR channel, and mapped to a local userid (using SSL peer mapping).
Similarly, traffic from the 3rd party component is via a SVRCONN connection, also secured using x.509 and again, a local userid mapped using SSL peer mapping.
These 2 local userids are then used to grant permissions for MQ access (qm, queues, topics and so on).

So far, so good and easy to do.

However, I'd also like to use Active Directory to authenticate other users who need to use MQExplorer. That way I can easily define a group of users in the LDAP with admin privileges, and other groups with lesser privileges.

The problem I've hit is that after creating an AUTHINFO enabling LDAP on a QM, I am no longer able to create AUTHRECs for the local userids mapped using SSL peer mapping.
MQ is searching the LDAP for the specified user or group and failing to find an entry (because the userid is only defined on the local machine).

So, I'm rapidly coming to the conclusion that I can't mix these 2 'local' userids with LDAP userids.

Is this correct, or is there some way of restricting the use of LDAP to just the authentication on the MQ Explorer client channel?
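The set-up the post describes, written out as MQSC. This is an added example, not configuration from the post: the queue manager and channel names, certificate DNs, host names, userids and groups are placeholders, and it assumes IBM MQ 8.0.0.2 or later, where the AUTHINFO object carries AUTHORMD. The lookup failure the post reports is what LDAP authorization does: with AUTHORMD(SEARCHGRP) or AUTHORMD(SEARCHUSR) every PRINCIPAL or GROUP named in SET AUTHREC is resolved in the directory, so an id that exists only in /etc/passwd cannot be granted anything. With AUTHORMD(OS) the password check still goes to AD through CONNAUTH, but authorization stays with OS users and groups, which is what the locally mapped ids need.

```mqsc
* Added example (not from the post). Names, DNs and ids are placeholders;
* assumes IBM MQ 8.0.0.2 or later (AUTHORMD on AUTHINFO, SSLCERTI on CHLAUTH).

* --- 1. Partner RCVR channel: pin subject AND issuer DN, map to a local id.
*     USERSRC(MAP) runs the channel as MCAUSER whatever the sending side
*     asserts. 'mqpartnr' must be resolvable by the OS (getent passwd).
SET CHLAUTH('GW1.PARTNER.RCVR') TYPE(SSLPEERMAP) +
    SSLPEER('CN=partner-gw,O=Partner Ltd,C=AU') +
    SSLCERTI('CN=Partner Issuing CA,O=Partner Ltd,C=AU') +
    USERSRC(MAP) MCAUSER('mqpartnr') ACTION(REPLACE)

* --- 2. On-premise component over SVRCONN, same pattern.
SET CHLAUTH('GW2.VENDOR.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=vendor-app,O=Vendor Inc,C=AU') +
    SSLCERTI('CN=Vendor CA,O=Vendor Inc,C=AU') +
    USERSRC(MAP) MCAUSER('mqvendor') ACTION(REPLACE)
* Any other certificate on that channel is refused; a generic ADDRESSMAP
* rule ranks below SSLPEERMAP, so the mapping above still wins.
SET CHLAUTH('GW2.VENDOR.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) ACTION(REPLACE)

* --- 3. Least-privilege AUTHRECs for the two mapped OS ids.
*     SETALL lets the receiving MCA pass message context through unchanged.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqpartnr') AUTHADD(CONNECT, INQ, SETALL)
SET AUTHREC PROFILE('PARTNER.IN.**') OBJTYPE(QUEUE) PRINCIPAL('mqpartnr') +
    AUTHADD(PUT, SETALL)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqvendor') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('VENDOR.**') OBJTYPE(QUEUE) PRINCIPAL('mqvendor') +
    AUTHADD(PUT, GET, INQ, BROWSE)

* --- 4. AD for password authentication only.
*     AUTHORMD(OS) is the switch that matters. With SEARCHGRP or SEARCHUSR
*     the PRINCIPAL/GROUP values above are looked up in LDAP and the SET
*     AUTHREC fails. With OS, authorization uses OS users and groups while
*     CONNAUTH still validates passwords against AD. ADOPTCTX(YES) makes the
*     SHORTUSR value the identity for authorization, so each Explorer user
*     must also be known to the OS and be at most 12 characters long.
DEFINE AUTHINFO('AD.IDPW') AUTHTYPE(IDPWLDAP) +
    CONNAME('ad.example.internal(636)') SECCOMM(YES) +
    LDAPUSER('CN=mq-bind,OU=Service Accounts,DC=example,DC=internal') +
    LDAPPWD('changeit') +
    BASEDNU('OU=Users,DC=example,DC=internal') +
    CLASSUSR('user') USRFIELD('sAMAccountName') SHORTUSR('sAMAccountName') +
    AUTHORMD(OS) ADOPTCTX(YES) +
    CHCKCLNT(REQUIRED) CHCKLOCL(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH('AD.IDPW')
REFRESH SECURITY TYPE(CONNAUTH)

* Explorer users get rights through OS groups (which can be fed from AD),
* not through mqm membership, so the default BLOCKUSER('*MQADMIN') rule can
* stay in force. Repeat the '**' profiles for CHANNEL, TOPIC, etc. as needed.
SET AUTHREC OBJTYPE(QMGR) GROUP('mqadmins') AUTHADD(CONNECT, INQ, ALLADM)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) GROUP('mqadmins') AUTHADD(ALLADM)
SET AUTHREC OBJTYPE(QMGR) GROUP('mqreaders') AUTHADD(CONNECT, INQ, DSP)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) GROUP('mqreaders') +
    AUTHADD(DSP, INQ, BROWSE)

* --- 5. Checks: simulate the vendor connection, list what was granted,
*     and confirm the authorization method really is OS.
DISPLAY CHLAUTH('GW2.VENDOR.SVRCONN') MATCH(RUNCHECK) +
    SSLPEER('CN=vendor-app,O=Vendor Inc,C=AU') ADDRESS('10.0.0.5')
DISPLAY AUTHREC PROFILE('PARTNER.IN.**') OBJTYPE(QUEUE) PRINCIPAL('mqpartnr')
DISPLAY AUTHINFO('AD.IDPW') AUTHORMD ADOPTCTX CHCKCLNT
```

The RUNCHECK display should resolve to MCAUSER('mqvendor'); if it reports the NOACCESS rule, the subject or issuer DN does not match what the certificate carries. Keep LDAPPWD out of source control and limit the bind account to read access on the user subtree; it can never grant MQ rights on its own, since those remain OS-side under AUTHORMD(OS).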
NomadAU
Posted: Wed May 31, 2017 9:38 am    Post subject:

Novice

Joined: 06 Feb 2017
Posts: 15

Judging by the lack of responses to my question, I'm guessing either
- I'm asking a really dumb question... or
- no-one really knows the answer

Either way, it might help if I add that the intent is to MINIMISE the qm dependency on LDAP. We are facing a lot of instability with our current MQ/AD installation, some (most?) of which is likely to be due to a bug in the MQ product.

http://www-01.ibm.com/support/docview.wss?uid=swg1IT17234&myns=swgws&mynp=OCSSFKSJ&mync=R&cm_sp=swgws-_-OCSSFKSJ-_-R

The only value I can see in continuing to use LDAP is the ease with which users can be provisioned to access to the MQ installation, specifically using MQExplorer (by adding them to LDAP groups).
On the other hand, if we just create a set of local userids, with differing permissions, these could be used to authenticate with MQExplorer, but they would then be shared and not provide any degree of auditability.

Anyone got further thoughts on this?
Vitor
Posted: Wed May 31, 2017 9:50 am    Post subject: Re: Can I mix local userids with LDAP authentication?

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

NomadAU wrote:
    So, I'm rapidly coming to the conclusion that I can't mix these 2 'local' userids with LDAP userids.

Well there is, but not really in the context you describe here.

We get round this by mapping the "local" Linux ids to LDAP. Hence no matter the source of the id values, they're authenticated against our LDAP system. So none of the Linux boxes actually have any local ids, they just think they have.

This is on RHEL v6.5 in Prod and I'm told it works in RHEL v7 in the certification environment the Linux people use. I have not seen it, but have no reason to believe they're lying nor that it's stopped working with the new major release.
_________________
Honesty is the best policy.
Insanity is the best defence.
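One way to do what Vitor describes on RHEL 7, as an added example that is not from the post: SSSD resolves the "local" MQ service ids and the operators' accounts from AD, so the ids the CHLAUTH rules map to and the ids MQ Explorer users log in with all come from the same directory, while the queue manager itself keeps authorizing against ordinary OS users and groups. SSSD as the mechanism, the host names, DNs, CA path and bind account are all assumptions.

```ini
# Added example (not from the post): /etc/sssd/sssd.conf on RHEL 7.
# Host names, DNs, the CA file and the bind account are placeholders.
#
# /etc/nsswitch.conf must also carry
#   passwd:  files sss
#   group:   files sss
# and the ids MQ maps to (mqpartnr, mqvendor) need to be 12 characters or
# fewer and carry their MQ groups through memberOf.

[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
# AD attribute names (sAMAccountName, memberOf, objectSID)
ldap_schema = ad
ldap_uri = ldaps://ad.example.internal
ldap_search_base = DC=example,DC=internal
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=internal
ldap_default_authtok_type = password
# placeholder; the real value lives only in this root-owned 0600 file
ldap_default_authtok = changeit
# refuse the connection unless the server certificate chains to this CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
# uid/gid derived from objectSID: no POSIX attributes needed in AD, and the
# same account gets the same uid on every gateway box
ldap_id_mapping = true
# serve last-seen entries during a short AD outage, so `id` keeps answering
# for ids that already-running channels depend on
cache_credentials = true
enumerate = false

[nss]
# keep the queue manager's own account and root genuinely local
filter_users = root, mqm
filter_groups = root, mqm
```

Check it with `getent passwd mqpartnr` and `id mqpartnr` on each gateway: the second must list the groups named in the AUTHRECs, because MQ reads group membership from the OS. If either returns nothing, a channel whose CHLAUTH rule maps to that id will fail at connect time. Keeping mqm and root out of SSSD means the queue manager still starts and is still administrable when the directory is unreachable; only the directory-sourced client and operator ids lose access, which is the dependency the second post wants to minimise.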