MQSeries.net Forum Index » General IBM MQ Support » Setting LDAP on MQ 9.3 running on Openshift

andres
Posted: Tue Jan 24, 2023 3:28 am    Post subject: Setting LDAP on MQ 9.3 running on Openshift

Hi,
I recently deployed the IBM Helm chart and I deployed this example:
https://github.com/ibm-messaging/mq-helm/tree/main/samples/OpenShiftNativeHA/deploy

OS auth works fine. But I'm not able to connect MQ to LDAP.
1. From the pods I can connect to LDAP.
2. In the web console I created this AUTHINFO:
3. I deployed mq.ini as it is:
SecurityPolicy=UserExternal

4. Then define the AUTHINFO:
DEFINE AUTHINFO('test') +
AUTHTYPE(IDPWLDAP) +
ADOPTCTX(YES) +
DESCR('test') +
CONNAME('myldapserver.ad.local') +
CHCKCLNT(OPTIONAL) +
CLASSGRP('group') +
CLASSUSR('user') +
FINDGRP('memberOf') +
BASEDNG(',OU=Users,DC=myldapserver,DC=ad,DC=local') +
BASEDNU(OU=Groups, Services,DC=myldapserver,DC=ad,DC=local') +
LDAPUSER('mqadreader') +
* LDAPPWD('********************************') +
SHORTUSR('sAMAccountName') +
GRPFIELD('sAMAccountName') +
USRFIELD('sAMAccountName') +
AUTHORMD(SEARCHGRP) +
SECCOMM(YES) +
REPLACE

5. ALTER QMGR CONNAUTH(test)
REFRESH SECURITY TYPE(CONNAUTH)

If I try to connect from MQ Explorer as an AD user:
AMQ9623E: Error inquiring on AUTHINFO object 'TEST'. [ArithInsert1(2085), CommentInsert1(TEST)]
2023-01-24T10:51:17.185Z AMQ9639E: Remote channel 'DEV.ADMIN.SVRCONN' did not specify a CipherSpec. [CommentInsert1(DEV.ADMIN.SVRCONN), CommentInsert2(10.131.0.1)]
2023-01-24T10:51:17.185Z AMQ9999E: Channel 'DEV.ADMIN.SVRCONN' to host '10.131.0.1' ended abnormally. [CommentInsert1(DEV.ADMIN.SVRCONN),

Then I check if there is an LDAP connection:

LDAPCONN doesn't seem to be running:
dis qmstatus ldapconn
1 : dis qmstatus ldapconn
AMQ8705I: Display Queue Manager Status Details.
QMNAME(devqmarion) STATUS(RUNNING)
LDAPCONN(INACTIVE)


Something I also noticed from the MQ Console is that, when I tried to edit the AUTHINFO test (IDPWLDAP), I got this error:
Failed to update object

MQWB2013E: MQRC3014: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '3014' ('MQRCCF_CFIN_PARM_ID_ERROR')
hughson
Posted: Tue Jan 24, 2023 5:10 am    Post subject: Re: Setting LDAP on MQ 9.3 running on Openshift


andres wrote:
4. Then define auth
DEFINE AUTHINFO('test') ....

5. ALTER QMGR CONNAUTH(test)
REFRESH SECURITY TYPE(CONNAUTH)

Can I just quickly check whether these are the EXACT commands you used? i.e. did you define a lower case object 'test' using quotes to ensure MQSC didn't upper case the name for you when you defined it, but then didn't quote the name when you used it on the ALTER QMGR command?

If you issue DISPLAY QMGR CONNAUTH, are you shown the name in lower case or upper case? Remember MQ names are case sensitive, so test and TEST are not the same. And also remember that MQSC commands must have lower case names quoted so they are not folded to upper case.

This is why it is generally just easier to make all your objects have upper case names.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Wed Jan 25, 2023 12:29 am    Post subject: Re: Setting LDAP on MQ 9.3 running on Openshift


andres wrote:
Hi,
I recently deployed the IBM Helm chart and I deployed this example:
https://github.com/ibm-messaging/mq-helm/tree/main/samples/OpenShiftNativeHA/deploy

OS auth works fine. But I'm not able to connect MQ to LDAP.
1. From the pods I can connect to LDAP.
2. In the web console I created this AUTHINFO:
3. I deployed mq.ini as it is:
SecurityPolicy=UserExternal

So you defined the security policy as UserExternal.

Then why bother to define an LDAP lookup?
All you're supposed to do is authorize the user...??
_________________
MQ & Broker admin
andres
Posted: Wed Jan 25, 2023 4:58 am


Hi,
Thanks for the answer.
My first problem was solved by setting all names to uppercase (sorry for that, some time ago I left the IBM uppercase convention behind, but the error messages weren't very helpful).

Now I'm getting SSL LDAP errors communicating with our LDAP servers. Where should I place the certificate? In the ca-trust of the server, or import it via the MQ CLI?

Regarding the SecurityPolicy, I'm still not there, but I understood that running on containers I should never use internal users and rely mostly on LDAP.
hughson
Posted: Wed Jan 25, 2023 8:40 pm


andres wrote:
Now I'm getting SSL LDAP errors communicating with our LDAP servers. Where should I place the certificate? In the ca-trust of the server, or import it via the MQ CLI?

Can you show the error you are getting? Do you mean the queue manager is having these errors?

andres wrote:
Regarding the SecurityPolicy, I'm still not there, but I understood that running on containers I should never use internal users and rely mostly on LDAP.

As @fjb_saper said:
fjb_saper wrote:
So you defined the security policy as UserExternal.

Then why bother to define an LDAP lookup?

The UserExternal setting is so that you don't need the user ID to exist in any user repository anywhere. If you intend to use user IDs that are defined in LDAP then you don't need to use this. If you don't intend to define user IDs in LDAP, then why go to the bother of setting up LDAP?

Here's the description of the UserExternal setting:

IBM Docs wrote:
SecurityPolicy=UserExternal
If you select this option, you can define authority records for a user name that is not known to the system, with a maximum of 12 characters


Cheers,
Morag
andres
Posted: Thu Jan 26, 2023 1:44 am


Hi,
When I refresh CONNAUTH, I get this error:

AMQ5530E: Error from LDAP authentication and authorization service [ArithInsert1(49), CommentInsert1(ldap_simple_bind), CommentInsert2(Invalid credentials), CommentInsert3(mqadreader@myldapserver.ad.local)]

The queue manager is sending user@ldapservername, so the LDAP server rejects the authentication.

For example:
ldapsearch -H myldapserver.ad.local -U mqadreader -W somepass
OK

ldapsearch -H myldapserver.ad.local -U mqadreader@mqadreader. -W somepass
Invalid credentials
hughson
Posted: Thu Jan 26, 2023 1:47 am


Can you show us the output from this command (replacing the name with the one you are using in the QMgr CONNAUTH field if it's not this one).

Code:
DISPLAY AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP) ALL


Cheers,
Morag
andres
Posted: Thu Jan 26, 2023 2:14 am


Hi Hughson, and thanks a lot for your help.

I fixed it by changing the LDAPUSER to the distinguishedName instead of the sAMAccountName (I was confused because a lot of LDAP connectors use sAMAccountName).

Love to see this working:
display qmstatus ldapconn
1 : display qmstatus ldapconn
AMQ8705I: Display Queue Manager Status Details.
QMNAME(devqmarion) STATUS(RUNNING)
LDAPCONN(CONNECTED)

Now I have removed this from mq.ini:
SecurityPolicy=UserExternal

Now, I have an MQ instance running on Windows with local users. If I connect from MQ Explorer in "User Authentication Compatibility Mode", it takes the user running MQ Explorer and connects to MQ.

Now that my new MQ Containers instance is connected to LDAP,
how do I connect from LDAP?
Are users from BASEDNU allowed to access?

Sorry for all my questions, I'm just a Kubernetes guy helping my MQ guys.
hughson
Posted: Thu Jan 26, 2023 2:22 am


andres wrote:
Love to see this working

Happy to hear you got it working

andres wrote:
Now that my new MQ Containers instance is connected to LDAP,
how do I connect from LDAP?

Could you expand a little on this question. *WHAT* is it that needs to connect from LDAP?
andres wrote:
Are users from BASEDNU allowed to access?

Are they allowed to access what? LDAP? Queue Manager resources like queues? Something else?

I don't know whether you know this or not, and I apologise if you already do, but the MQ Queue Manager only uses LDAP as a user and group repository. You still have to provide the access control rules in MQ, it's just that now they can use LDAP usernames/groups, instead of O/S usernames/groups.

So the queue manager needs to have connectivity to the LDAP server, so that it can look up usernames (via their short names to get their long names and vice versa) and group memberships. You can set up access control by groups for example (recommended) and so when a username tries to connect, the queue manager must first discover what group that username is in (look it up in LDAP) and then discover whether that group has an access control rule that allows the connection to take place (look it up in the queue manager AUTHREC rules).

Anyway, expand a bit on your above questions and hopefully we can help further.

Cheers,
Morag
andres
Posted: Thu Jan 26, 2023 2:47 am


What I'm trying to do is delegate users to LDAP: set up an AD group that has permissions to access the MQ queue manager.

For example, I have this group:
DistinguisedName: CN=UAL-MQ-Administrators, OU=xxx, DC=myldapserver
GroupCategory : Security
GroupScope : Global
Name : UAL-MQ-Administrators
ObjectClass : group
SamAccountName : UAL-MQ-Administrators

Names are longer than 12 characters. Should I change the names?
In theory, shouldn't it be enough to add a group with the short name in the MQ Console?
hughson
Posted: Thu Jan 26, 2023 2:53 am


andres wrote:
What I'm trying to do is delegate users to LDAP: set up an AD group that has permissions to access the MQ queue manager.

You will need to grant that AD group the permissions you want it to have on the queue manager by running MQ commands to grant permission, e.g. the MQSC command SET AUTHREC.

andres wrote:
For example, I have this group:
DistinguisedName: CN=UAL-MQ-Administrators, OU=xxx, DC=myldapserver
GroupCategory : Security
GroupScope : Global
Name : UAL-MQ-Administrators
ObjectClass : group
SamAccountName : UAL-MQ-Administrators

Names are longer than 12 characters. Should I change the names?

Only the name that will be used as the short name (the field you nominate in SHORTUSR - if memory serves - on your AUTHINFO object) need be 12 chars or less.

andres wrote:
In theory, shouldn't it be enough to add a group with the short name in the MQ Console?

I don't know to which part of the MQ Console you are referring to - if it is the equivalent UI to the SET AUTHREC command then perhaps. Could you provide a screenshot of what you are talking about? Or give the name of it in some way that I can go look at what you mean?

Cheers,
Morag
andres
Posted: Thu Jan 26, 2023 6:22 am


Hi again,
I'm working with the web console. In the container world, I should use GitOps to provision the whole queue manager. But for now I'm learning the process to set up a workable MQ.

Things are getting better. I'm setting up admin accounts and they can access DEV.ADMIN.SVRCONN when I grant some permissions directly to the user.
Connection from MQ Explorer works!

Then I add a group in the MQ web console:
CN=Domain Users,CN=Users,DC=myldapserver

The user mqadmin is in that Active Directory.

Again, I remove the permissions in MQ for the user "mqadmin" (I want to test that the group works).

Then I got:
mqhtpass: User authentication failed user=mqadmin effuser=mqadmin applname=MQ Explorer 9.1.5 c

2023-01-26T14:19:49.182Z AMQ8077W: Entity 'mqadmin' has insufficient authority to access object devqm [qmgr]. [CommentInsert1(mqdmin), CommentInsert2(devqm [qmgr]), CommentInsert3(connect)]
2023-01-26T14:19:49.183Z AMQ9557E: Queue Manager User ID initialization failed for 'mqadmin'. [ArithInsert1(2), ArithInsert2(2035), CommentInsert1(mqadmin)

I tried different values for AUTHORMD.
hughson
Posted: Thu Jan 26, 2023 6:03 pm


andres wrote:
Then I add a group in the MQ web console:
CN=Domain Users,CN=Users,DC=myldapserver

As requested before, can you explain or show what it is you are referring to in the MQ Console when you say this? Without knowing what you are doing, I'm not able to comment on it.

Cheers,
Morag
andres
Posted: Fri Jan 27, 2023 1:29 am


Hi,
I'm referring to this:
https://www.ibm.com/docs/en/ibm-mq/9.0?topic=console-getting-started-mq

I'm creating queues and adding AUTHRECs from this URL (it is generated when deploying IBM MQ containers using a Helm chart).

The issue I'm having now is that the QM is not finding the user "mqadmin" that belongs to the group:
CN=Domain Users,CN=Users,DC=myldapserver:

dmpmqaut
profile: **
object type: queue
entity: CN=MQAdmins, CN=Users,DC=myldapserver:
entity type: group
authority: dlt chg dsp clr

So the QM only finds the groups if I type the distinguishedName.

AUTHINFO(TEST.LDAP) AUTHTYPE(IDPWLDAP)
ADOPTCTX(YES) DESCR(TEST LDP)
CONNAME(center1.ad.local) CHCKCLNT(OPTIONAL)
CHCKLOCL(OPTIONAL) CLASSGRP(group)
CLASSUSR(user) FAILDLAY(1)
FINDGRP(member)
BASEDNG(CN=Domain Users,CN=Users,DC=myldapserver:l)
BASEDNU(CN=Users,DC=myldapserver)
LDAPUSER(CN=mqldapreader, Domain Users,CN=Users,DC=myldapserver)
LDAPPWD(********************************)
SHORTUSR(sAMAccountName) GRPFIELD(distinguishedName)
USRFIELD(sAMAccountName) AUTHORMD(SRCHGRPSN)
NESTGRP(NO) SECCOMM(YES)
ALTDATE(2023-01-26) ALTTIME(22.35.56)

If I set auth for the user "mqadmin", it works.
If I set auth for the group "CN=MQadmins" and then I try to access as "mqadmin", I get the error:

2023-01-26T14:19:49.182Z AMQ8077W: Entity 'mqadmin' has insufficient authority to access object devqm [qmgr]. [CommentInsert1(mqdmin), CommentInsert2(devqm [qmgr]), CommentInsert3(connect)]
2023-01-26T14:19:49.183Z AMQ9557E: Queue Manager User ID initialization failed for 'mqadmin'. [ArithInsert1(2), ArithInsert2(2035), CommentInsert1(mqadmin)

I guess the QM is not finding the user in the group, but the error logs don't show much about what is going on.
hughson
Posted: Fri Jan 27, 2023 1:37 am


andres wrote:
I'm referring to this:
https://www.ibm.com/docs/en/ibm-mq/9.0?topic=console-getting-started-mq

I guess I didn't ask my question very well. I know what the MQ Console is, I was just wondering what part of the MQ Console you were referring to when you said "Then i add a group in the MQ web Console". Anyway, perhaps it doesn't matter. Let's see.

andres wrote:
I'm creating queues and adding AUTHRECs from this URL (it is generated when deploying IBM MQ containers using a Helm chart).

The issue I'm having now is that the QM is not finding the user "mqadmin" that belongs to the group:
CN=Domain Users,CN=Users,DC=myldapserver:

...

I guess the QM is not finding the user in the group, but the error logs don't show much about what is going on.


Have you restarted the queue manager since you added mqadmin to the group in question? The queue manager caches group memberships so that it doesn't have to be constantly interrogating the user+group repository it is using. If it has previously queried the group membership of the username mqadmin then it won't ask again. You can cause it to ask again by issuing the MQSC command:

Code:
REFRESH SECURITY


or by restarting the queue manager.

Cheers,
Morag
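Morag's explanation earlier in the thread (the queue manager uses LDAP only as a user and group repository, resolves the short name to a DN, finds the user's groups, then checks its own AUTHREC rules) and her last point (group memberships are cached until REFRESH SECURITY) modelled as an added Python example; this is not IBM MQ code and not from this thread. The directory entries, AUTHINFO values and AUTHREC rules are constructed, with DC=example standing in for the real domain, and only the SEARCHGRP and SEARCHUSR authorization methods are modelled.

```python
# Constructed directory snapshot (DN -> attributes); not a real LDAP server.
DIRECTORY = {
    "CN=mqadmin,CN=Users,DC=example": {
        "objectClass": ["user"], "sAMAccountName": ["mqadmin"]},
    "CN=MQAdmins,CN=Users,DC=example": {
        "objectClass": ["group"], "sAMAccountName": ["MQAdmins"],
        "member": ["CN=mqadmin,CN=Users,DC=example"]},
}
# AUTHINFO(IDPWLDAP) attributes that drive the lookups (constructed values).
AUTHINFO = {
    "BASEDNU": "CN=Users,DC=example", "CLASSUSR": "user", "USRFIELD": "sAMAccountName",
    "BASEDNG": "CN=Users,DC=example", "CLASSGRP": "group", "FINDGRP": "member",
    "GRPFIELD": "distinguishedName", "AUTHORMD": "SEARCHGRP",
}
# AUTHREC rules held by the queue manager: (entity, type) -> authorities.
AUTHRECS = {("CN=MQAdmins,CN=Users,DC=example", "group"): {"connect", "inq"}}
_group_cache = {}  # short user ID -> group names, as the qmgr caches them

def _entries(base, obj_class):
    """Entries under a base DN with the given objectClass."""
    return [(dn, a) for dn, a in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and obj_class in a.get("objectClass", [])]

def find_user_dn(short_user):
    """Map the presented user ID to its DN via BASEDNU/CLASSUSR/USRFIELD."""
    for dn, attrs in _entries(AUTHINFO["BASEDNU"], AUTHINFO["CLASSUSR"]):
        if short_user in attrs.get(AUTHINFO["USRFIELD"], []):
            return dn
    return None

def group_name(dn):
    """GRPFIELD decides the name an AUTHREC must use for a group."""
    field = AUTHINFO["GRPFIELD"]
    return dn if field == "distinguishedName" else DIRECTORY[dn][field][0]

def groups_of(short_user):
    """Resolve group membership; cached until refresh_security() is called."""
    if short_user in _group_cache:
        return _group_cache[short_user]
    user_dn, found = find_user_dn(short_user), []
    if user_dn and AUTHINFO["AUTHORMD"] == "SEARCHGRP":
        # SEARCHGRP: group entries whose FINDGRP attribute lists the user's DN
        found = [group_name(dn) for dn, a in _entries(AUTHINFO["BASEDNG"], AUTHINFO["CLASSGRP"])
                 if user_dn in a.get(AUTHINFO["FINDGRP"], [])]
    elif user_dn:
        # SEARCHUSR: the user entry's FINDGRP attribute (e.g. memberOf) lists group DNs
        found = [group_name(g) for g in DIRECTORY[user_dn].get(AUTHINFO["FINDGRP"], [])]
    _group_cache[short_user] = found
    return found

def refresh_security():
    """Same effect as REFRESH SECURITY: forget cached group memberships."""
    _group_cache.clear()

def authorized(short_user, authority):
    """True if an AUTHREC for the user or one of its groups grants the authority."""
    entities = [(short_user, "principal")] + [(g, "group") for g in groups_of(short_user)]
    return any(authority in AUTHRECS.get(e, set()) for e in entities)
```

Adding a user to a new group after the first lookup does not change the result of `groups_of()` until `refresh_security()` runs, which is the behaviour Morag describes for the queue manager's membership cache.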