MQSeries.net - IBM MQ Installation/Configuration Support

LDAP Configurations
saurabh25281
Posted: Sun Mar 31, 2019 2:11 pm    Post subject: LDAP Configurations

Voyager

Joined: 05 Nov 2006
Posts: 98
Location: Bangalore

Hi All,

Can someone please provide some insights into the following requirement? We use AD.

- We currently configure one LDAP search path for users/groups. Is it possible to specify more than one search-path (e.g. first search in the Europe-Domain and then in the Americas-Domain)?

- How does MQ react when an LDAP-Search for a given username returns more than one result, e.g. if the same username is present in two Domains?

Regards
Saurabh
bruce2359
Posted: Sun Mar 31, 2019 2:47 pm

Poobah

Joined: 05 Jan 2008
Posts: 8434
Location: US: west coast, almost. Otherwise, enroute.

Try visiting Google. Search for "define ldap IBM MQ" or similar.

You can specify more than one LDAP server in the CONNAME attribute of the AUTHINFO definition. Usually, the most restrictive rule applies, but I yield to an LDAP expert.

This one caught my eye: https://www.ibm.com/developerworks/community/blogs/messaging/entry/bite_size_blogging_mq_v8_setting_up_a_qmgr_to_use_ldap_authentication?lang=en
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
saurabh25281
Posted: Mon Apr 01, 2019 1:31 am


Quote:
Try visiting Google. Search for "define ldap IBM MQ" or similar.

I did not find anything specific to my usecase.

Quote:
You can specify more than one LDAP server in the CONNAME

We already have a list of LDAP servers configured. But this is not what I was looking for.

1. Is it possible to specify more than one search-path (domain), (e.g. first search in the Europe-Domain and then in the Americas-Domain)?
2. What happens when the search returns multiple results for the same user.

Regards
Saurabh
Vitor
Posted: Mon Apr 01, 2019 4:16 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25777
Location: Ohio, USA

saurabh25281 wrote:
1. Is it possible to specify more than one search-path (domain), (e.g. first search in the Europe-Domain and then in the Americas-Domain)?


At a worst case, you perform 2 LDAP checks. I don't believe there's a best case, but someone may know better than me.


saurabh25281 wrote:
2. What happens when the search returns multiple results for the same user.


Same thing as happens for any LDAP search - whatever you've defined. In most cases (where nothing is defined) the result is either an error or an undefined result.

A better question is how do you get results from multiple domains from a single LDAP query, and why do your LDAP administrators allow this?
_________________
Honesty is the best policy.
Insanity is the best defence.
hughson
Posted: Mon Apr 01, 2019 10:28 pm    Post subject: Re: LDAP Configurations

Grand Master

Joined: 09 May 2013
Posts: 1174
Location: Bay of Plenty, New Zealand

saurabh25281 wrote:
We currently configure one LDAP search path for users/groups. Is it possible to specify more than one search-path (e.g. first search in the Europe-Domain and then in the Americas-Domain)?

The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths; they are simply for redundancy: if the first server is not available, then it will try the second.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
saurabh25281
Posted: Tue Apr 02, 2019 10:57 pm


Quote:
At a worst case, you perform 2 LDAP checks.

How do I perform 2 LDAP checks? The LDAP servers we have are in a primary/secondary configuration to add redundancy. I am also confused about 2 LDAP checks because I can only configure a single CONNAUTH configuration.

Quote:
In most cases (where nothing is defined) the result is either an error or an undefined result.

In our case there would be multiple search results, so a search returning nothing was not my question. So the answer I am expecting is: how does MQ evaluate the search result? Does it stop the search after the 1st match is found?

Quote:
A better question is how do you get results from multiple domains from a single LDAP query and why do you LDAP administrators allow this?

This is allowed because uniqueness of a user (sAMAccountName) is allowed only at geographic (EUROPE, AMERICAS) domain level. At a global level same user can exist in multiple domains. Point to be noted here is that uniqueness is referred by the searching attribute sAMAccountName rather than the DN (which will remain unique even at global level).

Quote:
The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths, they are simply a redundancy, if the first server is not available, then it will try the second.

Agreed. This is how our LDAP is configured.
Vitor
Posted: Wed Apr 03, 2019 4:57 am


saurabh25281 wrote:
Quote:
At a worst case, you perform 2 LDAP checks.

How do I perform 2 LDAP checks? The LDAP servers we have are in primary/secondary configuration to add redundancy. I am confused about 2 LDAP checks also because, I can only configure a single CONNAUTH configuration.


Must have hit my head on your post; thought you were asking about IIB!

Of course you can't do 2 LDAP checks from MQ. I'm talking crazy. More so than normal. Moving on...

saurabh25281 wrote:
Quote:
The multiple CONNAMEs you can specify in LDAP setup in MQ are not for specifying multiple different search paths, they are simply a redundancy, if the first server is not available, then it will try the second.

Agreed. This is how our LDAP is configured.


So MQ will attempt to connect to the first server in the list, and if the connection is successful it performs the search and ignores the second.

So your situation is that it will connect to (let's say) the Europe LDAP server and will retrieve sAMAccountName twice, once from each of the EUROPE and AMERICAS domains but with 2 different DNs.

Again, ask your LDAP admins what the expected resolution of this should be. MQ doesn't do anything unusual in terms of an LDAP query so everything that uses your LDAP setup has the same problem and hence your admins must have guidelines on how to resolve it.
_________________
Honesty is the best policy.
Insanity is the best defence.
saurabh25281
Posted: Wed Apr 03, 2019 10:53 pm


Quote:
So your situation is that it will connect to (let's say) the Europe LDAP server and will retrieve sAMAccountName twice, once from each of the EUROPE and AMERICAS domains but with 2 different DNs.

Again, ask your LDAP admins what the expected resolution of this should be. MQ doesn't do anything unusual in terms of an LDAP query so everything that uses your LDAP setup has the same problem and hence your admins must have guidelines on how to resolve it.

Agreed that the LDAP search would return multiple results and that ends the role of LDAP server.

1. How does MQ now handle the multiple search results? Does it authenticate a user on the 1st result and ignore the subsequent results? I am not sure how an LDAP admin can answer how MQ handles the search results.

2. Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question.
hughson
Posted: Wed Apr 03, 2019 11:36 pm


saurabh25281 wrote:
Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question.

The multiple connames of LDAP servers that you can configure in MQ are only for redundancy not for multiple search paths. Sorry that my previous attempt to answer this for you was not clear.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
markt
Posted: Wed Apr 03, 2019 11:53 pm

Chevalier

Joined: 14 May 2002
Posts: 417

If a query returns multiple responses, that is treated (and logged) by MQ as an error.
Vitor
Posted: Thu Apr 04, 2019 4:57 am


saurabh25281 wrote:
1. How does MQ, now handle the multiple search result? Does it authenticate a user on the 1st result and ignore the subsequent results? I am not sure how LDAP admin can answer how MQ handles the search results.


Please see the response from my worthy associate. My point was that many products / LDAP libraries / etc. react the same way to multiple responses so your LDAP admins may have encountered this situation before and have guidance for you.

saurabh25281 wrote:
2. Should I assume that there is no way to allow multiple search or configure multiple search path in MQ? This was my first question.


You should assume that.
_________________
Honesty is the best policy.
Insanity is the best defence.
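Added illustration (not code from the thread, and not IBM MQ's own implementation): the small Python model below reproduces the three behaviours the replies in this thread describe. A comma-separated CONNAME list is consulted for failover only, so the first reachable server handles the whole lookup and later entries are never searched (Morag's and Vitor's point); the search runs under a single base DN, so there is no second search path; and a lookup on the short user name that matches more than one entry is reported as an error instead of being resolved to the first hit (markt's point). The directory entries, the server names and the layout of the result dictionary are constructed for the example, and the attribute name sAMAccountName is the one the thread discusses.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample forest: the same sAMAccountName exists in two AD domains,
# each under its own (globally unique) DN, exactly the situation in the thread.
SAMPLE_FOREST: List[Tuple[str, Dict[str, str]]] = [
    ("CN=Saurabh,OU=Users,DC=europe,DC=example,DC=com",   {"sAMAccountName": "saurabh"}),
    ("CN=Saurabh,OU=Users,DC=americas,DC=example,DC=com", {"sAMAccountName": "saurabh"}),
    ("CN=Alice,OU=Users,DC=europe,DC=example,DC=com",     {"sAMAccountName": "alice"}),
]


@dataclass
class LdapServer:
    """One entry of a CONNAME list (hypothetical model): host(port), whether it
    currently answers, and the directory content it serves."""
    conname: str
    reachable: bool
    entries: List[Tuple[str, Dict[str, str]]]


def dn_in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree-scope test: dn equals base_dn or ends with ',' + base_dn.
    Comparison is case-insensitive and ignores spaces after commas."""
    d = dn.replace(", ", ",").lower()
    b = base_dn.replace(", ", ",").lower()
    return d == b or d.endswith("," + b)


def search_subtree(entries, base_dn: str, attr: str, value: str) -> List[str]:
    """Equality filter (attr=value) evaluated under base_dn; returns matching DNs."""
    return [dn for dn, attrs in entries
            if dn_in_subtree(dn, base_dn) and attrs.get(attr, "").lower() == value.lower()]


def first_reachable(servers: List[LdapServer]) -> LdapServer:
    """Failover semantics as described in the thread: the first server that
    connects handles the search; the remaining CONNAME entries are ignored."""
    for server in servers:
        if server.reachable:
            return server
    raise ConnectionError("no server in the CONNAME list is reachable")


def resolve_user(servers: List[LdapServer], base_dn_user: str, short_user: str,
                 usr_field: str = "sAMAccountName") -> Dict:
    """Map a short user name to a single DN: one server, one base DN, and
    exactly one hit required. More than one hit is an error, not a choice."""
    server = first_reachable(servers)
    matches = search_subtree(server.entries, base_dn_user, usr_field, short_user)
    result = {"server": server.conname, "dn": None, "matches": matches, "log": ""}
    if len(matches) == 1:
        result.update(status="ok", dn=matches[0])
    elif not matches:
        result.update(status="not_found",
                      log=f"{usr_field}={short_user} not found under {base_dn_user}")
    else:
        # Ambiguous identity: refuse to authenticate and record why, so the
        # failure is visible to operators rather than silently picking a hit.
        result.update(status="error_ambiguous",
                      log=f"ERROR: {usr_field}={short_user} matched {len(matches)} "
                          f"entries under {base_dn_user}: {', '.join(matches)}")
    return result


if __name__ == "__main__":
    # Primary down, secondary up: the secondary answers every query.
    servers = [LdapServer("ldap-eu-1(389)", False, SAMPLE_FOREST),
               LdapServer("ldap-eu-2(389)", True, SAMPLE_FOREST)]
    for base in ("DC=example,DC=com", "DC=europe,DC=example,DC=com"):
        print(base, "->", resolve_user(servers, base, "saurabh"))
```

Searching from the forest root returns both DNs for `saurabh` and the lookup fails with an ambiguity error; scoping the base DN to one domain returns a single DN. That is the practical consequence of the thread: the only place to disambiguate is the base DN (or the LDAP data itself), not a second search path in MQ.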