Background

MQ on distributed platforms has for some time been able to perform authorization checks against users and groups held in LDAP, rather than against local operating system users and groups. This has the benefit of keeping user and group information centrally located in an LDAP repository.

MQ V9.0.5 adds a new method for LDAP authorization, to allow MQ to be used with a wider range of LDAP configurations.

Previous authorization methods

There are several ways that a user's group membership can be represented in LDAP, and prior to V9.0.5 MQ provided two authorization methods to cater for them. The queue manager could either be configured to determine group membership by looking at an attribute in the user record that lists the groups the user belongs to (the search user method), or by looking at an attribute in the group record that lists the users belonging to the group (the search group method).

The authorization method is selected with the AUTHORMD (authorization method) attribute of an authinfo object of type IDPWLDAP, the object that holds the configuration parameters for LDAP authentication and authorization. The correct method to choose depends on the schema the LDAP server uses to record group membership.

The following example LDAP user and group show how group membership can be indicated by an attribute in the group record listing the distinguished names of the members.

dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
…

dn: cn=grp1,ou=users,o=ibm
objectClass: groupOfNames
cn: grp1
member: cn=usra,ou=users,o=ibm
…

In this case, the authinfo object would be defined with AUTHORMD(SEARCHGRP), indicating that the search group authorization method is to be used.

The new authorization method

When group membership is determined by an attribute in the group record listing the users who belong to the group, as in the example above, that attribute normally holds each member's distinguished name. However, in some LDAP schemas (for example a posixGroup with a memberUid attribute) the attribute holds the user's short name instead, so MQ V9.0.5 adds a new LDAP authorization method to support this configuration.

The following example LDAP user and group show how group membership can be indicated by an attribute in the group record listing the short names of the members.

dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
…

dn: cn=grp1,ou=users,o=ibm
objectClass: posixGroup
cn: grp1
gidNumber: 500
memberUid: usra
…

To enable the new authorization method, define the authinfo object with AUTHORMD(SRCHGRPSN). The queue manager then determines group membership for LDAP authorization by looking for an attribute in the group record that lists the short names of the users belonging to the group, and matching those values against the user's own short name. The name of the short name attribute in the user record is set in the SHORTUSR attribute of the authinfo object.

Use with caution

If your LDAP server is configured to represent group membership in this way, this new feature allows you to enjoy the benefits of LDAP authorization in MQ. Bear in mind, however, that while distinguished names are unique within a directory, short user names need not be: two entries under different branches can carry the same short name. Because SRCHGRPSN matches on the short name alone, a user who happens to share a short name with a group member would be treated as a member of that group and would receive its authorities. Only use this authorization method if you are sure that all the user short names in your LDAP repository are distinct.
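The following script is an added example and is not IBM MQ code or part of the original post. It parses a constructed LDIF dump using the attribute and object class names from the examples above, reports any short name shared by more than one user (the check to run before switching to AUTHORMD(SRCHGRPSN)), and mimics the two group lookups the post describes so the consequence of a duplicated short name is visible: by distinguished name only the intended user is in the group, by short name both users are. The directory contents, the second "usra" entry and the function names are all made up for the demonstration; the `short_attr` parameter stands in for SHORTUSR and `member_attr` for the group member attribute (member or memberUid).

```python
"""Detect ambiguous LDAP short names before enabling AUTHORMD(SRCHGRPSN).

Added example, not IBM MQ code. Parses a constructed LDIF dump and
re-implements the two group-membership lookups described in the post so
the effect of a duplicated short name can be seen. Directory contents
are invented; attribute and class names follow the post's examples.
"""
from collections import defaultdict

# Constructed sample directory. The second "usra" (a contractor) is the
# hazard: a distinct DN but the same cn, and grp1 lists members by short name.
SAMPLE_LDIF = """\
dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
sn: Aitken

dn: cn=usrb,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usrb
sn: Brown

dn: cn=usra,ou=contractors,o=ibm
objectClass: inetOrgPerson
cn: usra
sn: Adams

dn: cn=grp1,ou=users,o=ibm
objectClass: posixGroup
cn: grp1
gidNumber: 500
memberUid: usra

dn: cn=grp2,ou=users,o=ibm
objectClass: groupOfNames
cn: grp2
member: cn=usra,ou=users,o=ibm
member: cn=usrb,ou=users,o=ibm
"""


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a
    list of {"dn": str, "attrs": {lowercased name: [values]}} dictionaries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    if current:
        entries.append(current)
    return entries


def values(entry, attr):
    """Case-insensitive attribute lookup; LDAP attribute names are case-insensitive."""
    return entry["attrs"].get(attr.lower(), [])


def has_class(entry, cls):
    return cls.lower() in (v.lower() for v in values(entry, "objectClass"))


def duplicate_short_names(entries, user_class="inetOrgPerson", short_attr="cn"):
    """Return {short_name: [dn, ...]} for every short name carried by more
    than one user entry. A non-empty result means SRCHGRPSN would treat
    those users as interchangeable when resolving group membership."""
    seen = defaultdict(list)
    for e in entries:
        if has_class(e, user_class):
            for v in values(e, short_attr):
                seen[v].append(e["dn"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def groups_by_dn(entries, user_dn, group_class="groupOfNames", member_attr="member"):
    """SEARCHGRP-style lookup: groups whose member attribute names the user's DN.
    A plain case-insensitive string compare stands in for full DN normalisation."""
    return sorted(
        values(g, "cn")[0] for g in entries
        if has_class(g, group_class)
        and any(m.lower() == user_dn.lower() for m in values(g, member_attr))
    )


def groups_by_short_name(entries, user_dn, short_attr="cn",
                         group_class="posixGroup", member_attr="memberUid"):
    """SRCHGRPSN-style lookup: groups whose member attribute names the user's
    short name. Only the short name is compared, so the DN plays no part."""
    user = next(e for e in entries if e["dn"].lower() == user_dn.lower())
    shorts = set(values(user, short_attr))
    return sorted(
        values(g, "cn")[0] for g in entries
        if has_class(g, group_class) and shorts & set(values(g, member_attr))
    )


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("duplicate short names:", duplicate_short_names(directory))
    for dn in ("cn=usra,ou=users,o=ibm", "cn=usra,ou=contractors,o=ibm"):
        print(dn, "by DN:", groups_by_dn(directory, dn),
              "by short name:", groups_by_short_name(directory, dn))
```

Against a real directory the same check is an LDAP search for all entries of the user object class, returning only the SHORTUSR attribute, followed by a count of repeated values; anything other than an empty duplicate list should block the move to SRCHGRPSN until the clash is resolved.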

More information

There is more information on LDAP authorization in the MQ Knowledge Center, and on this new authorization method in the MQ 9.0.5 documentation.
