MQSeries.net Forum Index » IBM MQ Security » LDAP Authentication Issue

LDAP Authentication Issue

vishBroker
Posted: Mon Oct 23, 2017 5:11 pm    Post subject: LDAP Authentication Issue

Issue - Not able to authenticate with LDAP as a client connection [when provided with the -u option on the runmqsc command]

Background -
MQ version - 8.0.0.5
OS - Windows
CMDLEVEL - 800 [I have tried changing the CMD level to 8002, which gives AUTHORIZATION via LDAP, but that is out of the question as of now]
LDAP - Active Directory on Windows

[Base configuration - created a new QM to set up authentication]

What I want to achieve - Whenever any client is connecting to the QM, it should provide userId creds, which will be validated against AD, and the connection is established.

[Just authentication as of now. Authorization afterwards]
[And yes, it has to be AD based - don't ask why]

Setup -
1. Followed the bite size blog by Rob Parker [https://www.ibm.com/developerworks/community/blogs/messaging/entry/bite_size_blogging_mq_v8_setting_up_a_qmgr_to_use_ldap_authentication?lang=en]
2. Made appropriate changes as per the AD records in the organization.

- Have set up the AUTHINFO record
+++++
Code:
DISPLAY QMGR CMDLEVEL
     1 : DISPLAY QMGR CMDLEVEL
AMQ8408: Display Queue Manager details.
   QMNAME(TESTQM)                          CMDLEVEL(800)
display authinfo(use.ldap1)
     2 : display authinfo(use.ldap1)
AMQ8566: Display authentication information details.
   AUTHINFO(USE.ldap1)                     AUTHTYPE(IDPWLDAP)
   ADOPTCTX(NO)                            DESCR( )
   CONNAME(ldapf5.us.xxxx)                 CHCKCLNT(REQUIRED)
   CHCKLOCL(OPTIONAL)
   CLASSUSR(user)
   FAILDLAY(1)
   BASEDNU(CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx)
   LDAPUSER( )                             LDAPPWD( )
   SHORTUSR(uid)                           USRFIELD(uid)
   SECCOMM(NO)                             ALTDATE(2017-10-23)
   ALTTIME(20.20.39)

+++++

3. Updated the QMGR to use this authinfo record and refreshed security. [Followed the steps in the blog]
4. But getting a security error - not able to connect to the QM.
5. Enabled trace and tried to debug - AD is not returning any object. The LDAP query is not successful for the given criteria.
6. The LDAP connection is successful though.
++++
Quote:
000CD573 20:21:44.384954 4268.26449 CONN:000028 LDAP searching (retried=0 scope=2) with base=CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx filter=(&(objectClass=user)(uid=RB3105)) ld=000000000A76A8F0
000CD574 20:21:44.388366 4268.26449 CONN:000028 LDAP search (1) rc=1 count=0
000CD575 20:21:44.388434 4268.26449 CONN:000028 LDAP search (2) rc=1 count=0
000CD576 20:21:44.388467 4268.26449 CONN:000028 LDAP search failed with rc=1 (Operations error) user='RB3105'
000CD577 20:21:44.388502 4268.26449 CONN:000028 -------------}! zfuLdapGetUserDn (rc=MQRC_SERVICE_ERROR)
++++

This tells me there is some issue with configuring the Base DN for the user.
So, as I am not an LDAP or AD expert and have not used it extensively, I am not sure what is causing the issue.

What I have done -
I checked the AD structure for the user using AD Explorer.
Here is a snapshot of what it looks like for the user 'RB3105':

+++++
cn DirectoryString 1 RB3105@us.xxxx
displayName DirectoryString 1 $CimsUserVersion5
distinguishedName DN 1 CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx
dSCorePropagationData GeneralizedTime 1 1/1/1601 12:00:00 AM
gecos IA5String 1 Ravindra Bommakanti
gidNumber Integer 1 300
instanceType Integer 1 4
keywords DirectoryString 1 parentLink:S-1-5-21-1360216634-158211412-1947940980-58528
loginShell IA5String 1 /bin/bash
name DirectoryString 1 RB3105@us.xxxx
nTSecurityDescriptor NTSecurityDescriptor 1 D:AI(A;;*****************************************MASKED**-1

objectCategory DN 1 CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=us,DC=xxxx

objectClass OID 5 top;posixAccount;leaf;connectionPoint;serviceConnectionPoint

objectGUID OctetString 1 {99477E1E-0B10-4357-AFF1-BDF89F45A935}
showInAdvancedViewOnly Boolean 1 TRUE
uid DirectoryString 1 rb3105
uidNumber Integer 1 1426121888
unixHomeDirectory IA5String 1 %{home}/%{user}
uSNChanged Integer8 1 0xD16A9C5
uSNCreated Integer8 1 0xD16A9C5
whenChanged GeneralizedTime 1 7/20/2017 4:52:57 PM
whenCreated GeneralizedTime 1 7/20/2017 4:52:47 PM
+++++

So, long story short - what is the base DN I should use in the AUTHINFO record?

Another issue, I am guessing, is the 'scope' of the LDAP search.
As one can see, there are multiple levels of CN and OU in the AD, and the trace says LDAP searching (retried=0 scope=2).
[Not sure what scope=2 means.] [After googling, found a few things about AD scope - there are 3 values, 'NON', 'ONE' and 'SUBTREE' - https://msdn.microsoft.com/en-us/library/ms677937(v=vs.85).aspx]


Kindly suggest/guide.
[Seems like I am missing something small but crucial]

Let me know if more details are needed.



Regards,
Vishnu.
vishBroker
Posted: Mon Oct 23, 2017 5:14 pm


Well, I have read a few threads regarding this in this forum. [http://www.mqseries.net/phpBB2/viewtopic.php?p=410623&sid=f39979b1c871997aec740d7ab4c1521f]
But I am not sure whether it is an issue with the MQ version.
Can somebody confirm that MQ v8 does not work with AD and only works with LDAP?

I could not find solid proof for that in the IBM documentation.
fjb_saper
Posted: Tue Oct 24, 2017 4:46 am


This is the result of your query:
Code:
distinguishedName   DN   1   CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx


So instead of passing RB3105 as the userid, did you try passing RB3105@us.xxxx, and if you did, did it make a difference in the output observed?

You may also want to check the order of the multiple calls for the same DN identifier. If the order is relevant, remember that there might be a reversal between systems of different endianness... as evidenced in SSL setup...
vishBroker
Posted: Tue Oct 24, 2017 5:40 am


Thanks for the reply.
Yes, I have tried passing RB3105@us.xxxx, with the same result.

I tried changing 'usrfield' in the AUTHINFO definition to 'uid' [and passed only -u RB3105] and it still didn't work.

Quote:
You may also want to check the order of the multiple calls for the same DN identifier. If the order is relevant, remember that there might be a reversal between systems of different endianness... as evidenced in SSL setup...

I have asked for the AD logs - once I get them, I will know what the sequence was and what the exact query was that MQ sent to AD.
The order might be the issue, as you pointed out.

From the MQ trace I am not getting any more details, and I am also failing to understand the ldap-search query filter structure, shown below. Hope that '&' sign is rightly placed.
[Then, methinks, it is IBM internal code and must be right, but...]

If I could get some direction/pointers on understanding the issue from the trace, I would appreciate it.

++++
Quote:
000CD573 20:21:44.384954 4268.26449 CONN:000028 LDAP searching (retried=0 scope=2) with base=CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx filter=(&(objectClass=user)(uid=RB3105))ld=000000000A76A8F0
000CD574 20:21:44.388366 4268.26449 CONN:000028 LDAP search (1) rc=1 count=0
000CD575 20:21:44.388434 4268.26449 CONN:000028 LDAP search (2) rc=1 count=0
000CD576 20:21:44.388467 4268.26449 CONN:000028 LDAP search failed with rc=1 (Operations error) user='RB3105'
000CD577 20:21:44.388502 4268.26449 CONN:000028 -------------}! zfuLdapGetUserDn (rc=MQRC_SERVICE_ERROR)

++++
vishBroker
Posted: Tue Oct 24, 2017 5:53 am


Few more things.
Quote:

DISPLAY QMGR CMDLEVEL
1 : DISPLAY QMGR CMDLEVEL
AMQ8408: Display Queue Manager details.
QMNAME(TESTQM) CMDLEVEL(800)
display authinfo(use.ldap1)
2 : display authinfo(use.ldap1)
AMQ8566: Display authentication information details.
AUTHINFO(USE.ldap1) AUTHTYPE(IDPWLDAP)
ADOPTCTX(NO) DESCR( )
CONNAME(ldapf5.us.xxxx) CHCKCLNT(REQUIRED)
CHCKLOCL(OPTIONAL)
CLASSUSR(user)
FAILDLAY(1)
BASEDNU(CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx)
LDAPUSER( ) LDAPPWD( )
SHORTUSR(uid) USRFIELD(uid)
SECCOMM(NO) ALTDATE(2017-10-23)
ALTTIME(20.20.39)


Question
1. What should the CLASSUSR value be?
The documentation says it should be the objectClass of the result.
And in one of the documents/blogs I found that it should be 'user' for AD [typically].

In the AD structure, I get the below for the user RB3105.
objectClass OID 5 top;posixAccount;leaf;connectionPoint;serviceConnectionPoint


Tried setting this whole string, comma separated, in 'CLASSUSR', but no luck.
Any pointers?
vishBroker
Posted: Tue Oct 24, 2017 5:59 am


I have tried leaving it blank as well, which defaults to inetOrgPerson.
Tried the value 'person'.
[and even tried making the values uppercase, hoping it would work]
vishBroker
Posted: Wed Oct 25, 2017 6:28 am


Quick update: I was able to get it working.
The issue was with the AD structure/Base DN.

When I worked with the LDAP admin to get the proper BASE DN, the issue got resolved.
Also noted one more point - it is required to populate the two attributes below:
LDAPUSER( ) LDAPPWD( )
Earlier I was keeping them blank, and I was still able to see 'connected to LDAP' in the QMGR status.

Will update with a complete write-up.
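The lookup the thread revolves around can be reasoned about offline. The following Python is an added example, not code from the thread or from IBM: a model of the user search that an IDPWLDAP AUTHINFO record drives, built from what is visible in the posts. The trace shows the filter MQ issues, `(&(objectClass=<CLASSUSR>)(<USRFIELD>=<user>))`, searched under BASEDNU with scope=2 (LDAP subtree scope). The directory in the example is constructed from the single AD entry dumped in the first post, and it checks the three things the thread turns on, in the order a real connection would hit them: the bind (LDAPUSER/LDAPPWD were blank, so MQ bound anonymously; Active Directory answers a search on an unauthenticated connection with LDAP resultCode 1, operationsError, which is the `rc=1 count=0` in the trace, and the final post confirms the two attributes had to be populated), the base DN (the AUTHINFO record says `OU=SERVER` while the entry's distinguishedName says `OU=SERVERS`; a base that does not exist yields resultCode 32, noSuchObject), and CLASSUSR (the entry's objectClass values are top, posixAccount, leaf, connectionPoint and serviceConnectionPoint, so `(objectClass=user)` can never match it, while a class the entry actually carries, such as posixAccount, can). The bind DN `CN=mqsvc,...` is a placeholder, the treatment of the space after the comma in the posted BASEDNU as insignificant is an assumption of the model, and the result codes are the LDAP standard values rather than a transcript of AD's fuller diagnostic strings.

```python
# Added example (not IBM's code, not from the thread): an offline model of the
# user lookup behind "LDAP searching (scope=2) with base=... filter=..." in
# the MQ trace. The directory is constructed from the AD entry posted in the
# thread; the bind DN is a made-up placeholder.
from dataclasses import dataclass

# LDAP resultCode values (RFC 4511)
LDAP_SUCCESS = 0
LDAP_OPERATIONS_ERROR = 1   # AD: search attempted on a connection that has not bound
LDAP_NO_SUCH_OBJECT = 32    # search base does not exist in the tree


@dataclass
class AuthInfo:
    """The AUTHINFO(IDPWLDAP) attributes that shape the search."""
    basednu: str
    classusr: str = "inetOrgPerson"   # MQ default when CLASSUSR is blank
    usrfield: str = "uid"
    ldapuser: str = ""                # blank: MQ binds to the directory anonymously
    ldappwd: str = ""


def normalize_dn(dn: str) -> str:
    """Compare DNs by value: RDN types and values are case-insensitive, and the
    whitespace after a comma (as in the posted BASEDNU) is treated as insignificant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_filter(ai: AuthInfo, user: str) -> str:
    """The filter MQ builds, as shown in the trace."""
    return f"(&(objectClass={ai.classusr})({ai.usrfield}={user}))"


def ldap_subtree_search(directory, base, classusr, usrfield, user, bound):
    """Model an LDAP subtree search (scope=2) against an AD-like directory.

    Returns (resultCode, [matching DNs]).
    """
    if not bound:
        return LDAP_OPERATIONS_ERROR, []
    nbase = normalize_dn(base)

    def under_base(ndn):
        return ndn == nbase or ndn.endswith("," + nbase)

    entries = {normalize_dn(dn): (dn, attrs) for dn, attrs in directory.items()}
    if not any(under_base(ndn) for ndn in entries):
        return LDAP_NO_SUCH_OBJECT, []        # nothing at or below the base: it is not in the tree
    hits = []
    for ndn, (dn, attrs) in entries.items():
        # objectClass and DirectoryString attributes match case-insensitively in AD
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        value_matches = attrs.get(usrfield, "").lower() == user.lower()
        if under_base(ndn) and classusr.lower() in classes and value_matches:
            hits.append(dn)
    return LDAP_SUCCESS, hits


def mq_get_user_dn(ai: AuthInfo, directory, user):
    """What zfuLdapGetUserDn needs: exactly one entry for the user, or a failure."""
    rc, hits = ldap_subtree_search(directory, ai.basednu, ai.classusr,
                                   ai.usrfield, user, bound=bool(ai.ldapuser))
    if rc != LDAP_SUCCESS:
        return {"rc": rc, "count": 0, "dn": None}
    return {"rc": rc, "count": len(hits), "dn": hits[0] if len(hits) == 1 else None}


# Constructed directory: the one entry dumped in the thread (attributes trimmed).
USER_DN = "CN=RB3105@us.xxxx,CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx"
DIRECTORY = {
    USER_DN: {
        "objectClass": ["top", "posixAccount", "leaf", "connectionPoint", "serviceConnectionPoint"],
        "uid": "rb3105",
        "cn": "RB3105@us.xxxx",
    },
}

# The AUTHINFO record as posted: anonymous bind, OU=SERVER, CLASSUSR=user.
AS_POSTED = AuthInfo(
    basednu="CN=Users,CN=EMIS,CN=AllSystems, OU=UNIX,OU=SERVER,DC=us,DC=xxxx",
    classusr="user", usrfield="uid")
BIND_DN = "CN=mqsvc,CN=Users,DC=us,DC=xxxx"   # placeholder service account, not from the thread
WITH_BIND = AuthInfo(AS_POSTED.basednu, "user", "uid", BIND_DN, "secret")
FIXED_BASE = AuthInfo("CN=Users,CN=EMIS,CN=AllSystems,OU=UNIX,OU=SERVERS,DC=us,DC=xxxx",
                      "user", "uid", BIND_DN, "secret")
FIXED = AuthInfo(FIXED_BASE.basednu, "posixAccount", "uid", BIND_DN, "secret")

if __name__ == "__main__":
    for name, ai in [("as posted", AS_POSTED), ("with bind", WITH_BIND),
                     ("fixed base", FIXED_BASE), ("fixed class", FIXED)]:
        print(f"{name:11} {search_filter(ai, 'RB3105'):48} -> "
              f"{mq_get_user_dn(ai, DIRECTORY, 'RB3105')}")
```

Running it walks the record from the posted state to a working one: anonymous bind gives rc=1 with no entries, exactly the trace; a bind identity alone moves the failure to rc=32 because `OU=SERVER` is not the container the entry lives in; the corrected base returns rc=0 but count=0 while CLASSUSR is `user`; only a class the entry actually carries finds the DN. The model also shows why fjb_saper's suggestion of passing `RB3105@us.xxxx` could not help with USRFIELD(uid): that string is the entry's cn, and its uid is `rb3105`. The same filter can be tried outside MQ before touching the AUTHINFO record, for example `ldapsearch -H ldap://ldapf5.us.xxxx -D "<bind DN>" -W -b "<BASEDNU>" -s sub "(&(objectClass=posixAccount)(uid=RB3105))"`, which makes the bind requirement, the base DN and the objectClass each visible as a separate result code.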