ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » MQ connecting to LDAP

Post new topic  Reply to topic
 MQ connecting to LDAP « View previous topic :: View next topic » 
Author Message
belchman
PostPosted: Mon Mar 11, 2019 10:46 am    Post subject: MQ connecting to LDAP Reply with quote

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA

I have connected to LDAP from MQv8 just fine if I connect over non-ssl. However, I cannot connect if over SSL.

Here is what I use to connect non-ssl

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) +
AUTHTYPE(IDPWLDAP) +
CONNAME('ed-stage.info53.com(389)') +
LDAPUSER('UID=s.MQBind.NonProd,ou=MQSeries,ou=Apps,ou=B2E,dc=test53,dc=com') +
LDAPPWD(scrubbed') +
AUTHORMD(SEARCHGRP) +
BASEDNU('ou=b2e,dc=test53,dc=com') +
BASEDNG('ou=MQSeries,ou=Apps,ou=B2E,dc=test53,dc=com') +
FINDGRP(uniqueMember) +
GRPFIELD('CN') +
SHORTUSR('UID') +
SECCOMM(NO) +
CHCKCLNT(NONE) +
CLASSGRP(groupOfUniqueNames)


Here is what I use to connect ssl

ALTER AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) +
AUTHTYPE(IDPWLDAP) +
CONNAME('ed-stage.info53.com(636)') +
LDAPUSER('UID=s.MQBind.NonProd,ou=MQSeries,ou=Apps,ou=B2E,dc=test53,dc=com') +
LDAPPWD('scrubbed') +
AUTHORMD(SEARCHGRP) +
BASEDNU('ou=b2e,dc=test53,dc=com') +
BASEDNG('ou=MQSeries,ou=Apps,ou=B2E,dc=test53,dc=com') +
FINDGRP(uniqueMember) +
GRPFIELD('CN') +
SHORTUSR('UID') +
SECCOMM(YES) +
CHCKCLNT(NONE) +
CLASSGRP(groupOfUniqueNames)


For SECCOMM, I used NO, YES and ANON. None work.

To see it working, I just try to add myself to be able to connect to the queue manager. I get a result from LDAP if not SSL enabled. I get nothing if SSL enabled.

The SSL port is 636.

I have the root and intermediate signers that the LDAP admin says I require on my .kdb. For grins and giggle, I got a personal cert on the .kdb that validates OK.

Am I missing something? Any ideas will be appreciated.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Mar 11, 2019 9:32 pm    Post subject: Re: MQ connecting to LDAP Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

belchman wrote:
I have the root and intermediate signers that the LDAP admin says I require on my .kdb. For grins and giggle, I got a personal cert on the .kdb that validates OK.

Do you mean you have put them in the .kdb file that is referenced in the queue manager's SSLKEYR field?

Does the queue manager error log have anything to say on the matter?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
belchman
PostPosted: Tue Mar 12, 2019 4:12 am    Post subject: Reply with quote

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA

Thanks Morag,

*Blush... greenhorn mistake.

1) look at logs first
2) make sure you set the SSL Key Repository property properly.

I am connected to LDAP after doing item 1 to see that issue was item 2.


_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Back to top
View user's profile Send private message
belchman
PostPosted: Tue Mar 12, 2019 6:08 am    Post subject: Reply with quote

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA

I am getting this in the logs now and am investigating. I deliberately did not have mqm added to the LDAP. I was thinking MQ always uses the local mqm ID for mqm access.

03/12/19 08:09:31 - Process(10354894.12) User(mqm) Program(amqzlaa0)
Host(sagramihqwmta90) Installation(Installation3)
VRMF(8.0.0. QMgr(WMTA90_1)

AMQ5531: Error locating user or group in LDAP

EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'mqm'. Returned count is 0. Additional
context is '(&(objectClass=inetOrgPerson)(UID=mqm))'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.


I have a group in the LDAP called g.<qmgrname>.mqm that human users will be in that will have admin access on the queue manager.

Am I missing something about the error? I will be reading up in the security guide now.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Back to top
View user's profile Send private message
belchman
PostPosted: Tue Mar 12, 2019 6:17 am    Post subject: Reply with quote

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA

This is a snip of the LDAP admin guide that I think supports my last post

Quote:
UNIX platforms

Once the queue manager is running, the only automatically fully-privileged account is the real user who started the queue manager.

The mqm ID still exists and is used as the owner of OS resources, such as files, because mqm is the effective ID under which the queue manager is running. However, the mqm user will not automatically be able to do administrative tasks controlled by the OAM.


I plan on stopping, starting and maintaining versions using the local mqm account. However, anyone in the g.<qmgrname>.mqm group can do anything else admins can do... OAM, CONNAUTH. alter/create/delete etc.

Kindly steer me in the right direction if I am making a miscalculation.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Back to top
View user's profile Send private message
mvic
PostPosted: Fri Mar 15, 2019 7:41 am    Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2080

I think you should open a PMR.
There should be no need to add "mqm" user or group to your LDAP repos.
Back to top
View user's profile Send private message
belchman
PostPosted: Fri Mar 15, 2019 8:53 am    Post subject: Reply with quote

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA

Thanks MVIC.

I will do that if necessary. I am still testing. I am thinking at this point the issue was because perhaps I already had some OAM perms granted to mqm and maybe this was MQs way of saying that will no longer work.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
Back to top
View user's profile Send private message
mvic
PostPosted: Fri Mar 15, 2019 11:20 am    Post subject: Reply with quote

Jedi

Joined: 09 Mar 2004
Posts: 2080

belchman wrote:
I am thinking at this point the issue was because perhaps I already had some OAM perms granted to mqm and maybe this was MQs way of saying that will no longer work.

In the group-based model you will always have OAM records for (local) mqm group.
I think that's true, even when you have told the qmgr to use LDAP as you have done.
And there is never a requirement to have mqm user or group (or anything analogous to mqm user or group) in the LDAP repos.
In your case I don't know what operation called for a lookup of mqm, and whether it was group mqm or user mqm that was being looked up (probably user mqm, seeing the LDAP filter string that was named in the error message).
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » MQ connecting to LDAP
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.