Posted: Mon Jan 11, 2021 9:59 am Post subject: Question on Active Directory setup
Voyager
Joined: 02 Apr 2017 Posts: 77
Hello,
I've setup a connection from MQ to a Active Directory (LDAP) server. I can set authority records for my AD users and for AD groups. Now I'm looking for a way to verify that MQ can resolve who is member of a group. When I authorize a group that I'm supposed the be member of it does not appear to have any impact.
For example I created following auth records:
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(DSP)
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(INQ)
set authrec PROFILE(TEST.TO.TEST.QUEUE1) OBJTYPE(QUEUE) GROUP('MQAdmin') AUTHADD(PUT)
Now, I've connected to the queue manager using MQExplorer and I've set some auth records specifically for my (AD) user which works (otherwise I would not be able to connect to the queue manager). However the group authorizations do not appear to have any impact on my user. But I can not find a way to verify whether MQ can resolve the members or if there is another issue that prevents the user from displaying TEST.TO.TEST.QUEUE1.
Actually I created a TEST.TO.TEST.QUEUE2 and authorized my user (principal) directly and it can display that queue. So I ques my question now is how can I find out why users of a group are not resolved correctly ? AMQERR01.LOG does not show any errors. MQ version is 9.2 I've set NESTGRP(YES) according to the AD admin the groups are nested. I know there are some limitations in MQ with nested groups. But I haven't really seen what limitations that are.
Edit: Actually I need to be more precise. There are a lot of errors in AMQERR01 but none that relates to AD. Most errors are just about my user missing authorization for this and that.
Cheers,
Gerhard _________________ You win again gravity !
IIRC nesting with groups is a nono... So you should have groups that have only members. Exceptions nesting one level if the group is a member of the local mqm group... _________________ MQ & Broker admin
Problem solved. It appears that nested groups work in MQ 9.2 though. I guess I have to read through the release notes more thoroughly to see when what changed...
The issue was that the users where not in the group on the AD server. Once the AD admin solved that, MQ could resolve the users in the groups.
The group nesting looks like:
Role (group)
^
|
Department (group)
^
|
User (mq admin)
Where the role is authorized by auth records. None of the groups are member of mqm or ad-mqm group.
Cheers,
Gerhard _________________ You win again gravity !
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum