Setting up LDAP authentication for the WebUI has been challenging. A tool has been created to simplify the process, because the trial-and-error method gets tedious when each attempt needs a broker restart or similar.

The tool can be downloaded from the following:
https://developer.ibm.com/integration/wp-content/uploads/sites/25/2016/11/LdapAuthentication.zip

***Please note: LdapAuthentication.zip will need to be renamed to LdapAuthentication.jar***

Usage: java -jar LdapAuthentication.jar "Ldap host" "binding userid" "binding password" "Ldap baseDN" "Ldap uid attr" "Admin userid" "Admin passwd"

For example:
java -jar LdapAuthentication.jar ldap://localhost:389 cn=Manager,dc=maxcrc,dc=com secret dc=maxcrc,dc=com uid dbwillis secret

Where:
"Ldap host" = ldap://localhost:389
"binding userid" = cn=Manager,dc=maxcrc,dc=com
"binding password" = secret
"Ldap baseDN" = dc=maxcrc,dc=com
"Ldap uid attr" = uid
"Admin userid" = dbwillis
"Admin passwd" = secret

If you are unclear on any of these parameters, your LDAP administrator should be able to supply them.
The only one that is not self-explanatory is Ldap uid attr, the attribute that holds the user's login name.
Typically this will be 'cn', 'uid', or 'samaccountname'.
__________________________________________________________________
Run the tool with the parameters.

If the tool is run successfully, the correct mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands will be displayed.

If any of the parameters are incorrect, the tool will help you determine where it is failing. Each case is demonstrated below.
__________________________________________________________________
Correct Output:
[screenshot: correct output]

Once the parameters are entered correctly, issue the displayed mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands.
**When the password contains special characters, it must be surrounded by double quotes in the mqsisetdbparms command.**

__________________________________________________________________
Using the wrong host/port will show the following:

[screenshot: wrong host/port]

Using the wrong Binding UserID:
[screenshot: wrong binding userid]

As you can see, cn=Manager was incorrectly typed as cn=People.
Using the wrong binding password gives this same error.

__________________________________________________________________
Using the wrong Base DN:
[screenshot: wrong base DN]

As you can see, dc=maxcrc was incorrectly typed as dc= maxcr.
The tool bound to the LDAP server successfully, but was unable to search the base DN.

__________________________________________________________________
Using the wrong UID Attribute:
[screenshot: wrong UID attribute]

As you can see, uid was incorrectly typed as samaccountname.
The tool bound to and searched the LDAP server successfully, but could not find the specified user. You will also see this if the username is incorrect:

[screenshot: wrong username]
Note that dbwillis was incorrectly typed as dbwillis1.
__________________________________________________________________
Using the wrong user Password:
[screenshot: wrong user password]
As you can see, secret was incorrectly typed as secret1.
The tool bound to and searched the LDAP server successfully and found the user, but was unable to authenticate. It tells you that the wrong password was used.
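As an added illustration (not the code of LdapAuthentication.jar), the following Java program walks through the same three stages the tool reports, bind, search and authenticate, using Java's built-in JNDI LDAP provider; the class and method names are hypothetical. It also sets java.naming.referral so that a search against an Active Directory domain root does not abort on continuation references, and escapes the user id before placing it in the search filter.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

// Hypothetical stand-in for the tool's three stages; not the code of LdapAuthentication.jar.
public class LdapAuthCheck {
    static DirContext bind(String url, String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);  // ldap:// or ldaps:// (ldaps checks the server cert against the JVM truststore)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Active Directory answers a search at the domain root with continuation references;
        // without this setting JNDI aborts the search with PartialResultException.
        env.put(Context.REFERRAL, "follow");
        return new InitialDirContext(env);
    }
    // RFC 4515 escaping so the user id cannot change the meaning of the search filter
    static String escapeFilter(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray())
            b.append(c == 0 || "*()\\".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return b.toString();
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 7) {
            System.err.println("usage: host bindDN bindPassword baseDN uidAttr adminUser adminPassword");
            System.exit(2);
        }
        // Stage 1: bind as the binding user. A wrong host/port, bind DN or bind password fails here.
        DirContext ctx = bind(args[0], args[1], args[2]);
        System.out.println("successful bind");
        // Stage 2: search the base DN for the admin user. A wrong base DN fails here (NameNotFoundException);
        // a wrong uid attribute or user id returns no entry.
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String filter = "(" + args[4] + "=" + escapeFilter(args[5]) + ")";
        NamingEnumeration<SearchResult> hits = ctx.search(args[3], filter, sc);
        if (!hits.hasMore()) { System.out.println("search ok, user not found: check uid attr and user id"); return; }
        String userDn = hits.next().getNameInNamespace();
        ctx.close();
        System.out.println("successful search: " + userDn);
        // Stage 3: bind as the entry found. AuthenticationException here means the admin password is wrong.
        try {
            bind(args[0], userDn, args[6]).close();
            System.out.println("authentication succeeded");
        } catch (AuthenticationException e) {
            System.out.println("user found but password rejected");
        }
    }
}
```

The stage at which an exception surfaces, after which "successful ..." line, tells you which parameter to recheck, the same way the tool's screenshots above do.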

__________________________________________________________________
Additional Resources:
Enabling an integration node to use LDAP for authentication:
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap04143_.htm

mqsiwebuseradmin command
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28491_.htm

Role-based security
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28480_.htm

8 comments on "Using the LdapAuthentication.jar tool for troubleshooting LDAP authentication and the WebUI"

  1. tried this tool, with the following input

    java -jar LdapAuthentication.jar ldaps://adldap.company.com:636 ‘CN=MqProduct AppID,OU=Application IDs,OU=People,DC=company,DC=com’ b8Gh5m2r DC=company,DC=com samAccountName userid password

    what does the following error mean?

    @WMBL3: successful bind
    @WMBL3: successfull search
    Starting Authentication
    Exception in thread “main” javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ‘DC=company,DC=com’

  2. Daniel Willis September 14, 2017

    A new tool has also been created for testing with Multiple Base DNs. It has been published in a DWAnswer at the following:
    https://developer.ibm.com/answers/questions/400944/iib-weubui-ldap-authentication-with-multiple-base.html?childToView=400948#answer-400948

  3. Hey Daniel,
    Your utility is great!!! It has helped me tremendously to debug the connection to AD and LDAP URI parms. Like Shane, I also was on the verge of opening a PMR. I'm so glad I came across it.
    Sweet 🙂
    Thanks and Regards,
    Eva

    • Hi Eva

      Am planning to integrate the IIB WEB interface with Active Directory.
      Can you please help me with useful doc?

  4. Daniel –
    Does this tool support ldaps (LDAP Secure) calls? I’m assuming not since I don’t see any place to specify a truststore.

  5. Daniel,

    Thanks much for taking the time to create this utility and sharing it. We had given up on connecting IIB WebAdmin to our Active Directory after spending a couple days trying to set it up (and even opening a PMR). Earlier this week, I happened to stumble across this and a couple hours later we had everything resolved and converted over.

    You should verify that support is aware of this utility and sends a link to this page to customers that contact them with LDAP concerns.
