MQ on distributed platforms has had the capability to perform authorization checks based on users and groups in LDAP, rather than the local Operating System users and groups, for some time. This has the benefits of allowing user and group information to be centrally located in an LDAP repository.
MQ V9.0.5 adds a new method for LDAP authorization, to allow MQ to be used with a wider range of LDAP configurations.
Previous authorization methods
There are several ways that users' membership of groups can be represented in LDAP, and prior to V9.0.5, MQ provided two different authorization methods to cater for this. The queue manager could either be configured to determine group membership by looking at an attribute in the user record listing the groups to which the user belongs (the search user method), or by looking at an attribute in the group record listing the users belonging to the group (the search group method).
The authorization method to use is selected using the Authorization method (AUTHORMD) attribute of an authinfo object of type IDPWLDAP, which contains the various configuration parameters for LDAP authentication and authorization. The correct method to choose depends on how group membership is represented on the LDAP server.
The following example LDAP user and group show how group membership can be indicated by an attribute in the group record listing the distinguished names of the members.
dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
...

dn: cn=grp1,ou=users,o=ibm
objectClass: groupOfNames
cn: grp1
member: cn=usra,ou=users,o=ibm
...
In this case, the authinfo object would be defined with AUTHORMD(SEARCHGRP), indicating that the search group authorization method is to be used.
The new authorization method
When group membership is determined by the group record having an attribute that lists the users who belong to the group, as in the example above, the users' distinguished names are normally used. However, in some LDAP configurations, the users' short names are used instead, so in MQ V9.0.5 a new LDAP authorization method was added to support this configuration.
The following example LDAP user and group show how group membership can be indicated by an attribute in the group record listing the short names of the members.
dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
...

dn: cn=grp1,ou=users,o=ibm
objectClass: posixGroup
cn: grp1
gidNumber: 500
memberUid: usra
...
To enable the new authorization method, define the authinfo object with AUTHORMD(SRCHGRPSN). The queue manager will determine group membership for LDAP authorization by looking for an attribute in the group record listing the short name of users belonging to the group. The name of the short name attribute in the user record is set in the SHORTUSR attribute of the authinfo object.
Use with caution
If your LDAP server is configured to represent group membership in this way, then this new feature allows you to enjoy the benefits of LDAP authorization in MQ. However, bear in mind that while distinguished names are unique by definition, the same is not necessarily true of short user names: two user records in different parts of the directory can share one short name, and a group listing that short name would match both of them. Only use this new authorization method if you are sure that all the user short names in your LDAP repository are distinct.
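As an added illustration (not code from IBM or from the original post), the following Python toy resolver mirrors the three authorization methods over a constructed LDIF directory in which two user records in different OUs share the short name usra. The attribute names passed in (memberOf, member, memberUid) and the function names are this example's own assumptions, not MQ configuration.

```python
# Constructed demo directory; attribute names are parameters of this toy resolver, not MQ's.
LDIF = """\
dn: cn=usra,ou=users,o=ibm
objectClass: inetOrgPerson
cn: usra
memberOf: cn=grp1,ou=users,o=ibm

dn: cn=usra,ou=contractors,o=ibm
objectClass: inetOrgPerson
cn: usra

dn: cn=grp1,ou=users,o=ibm
objectClass: groupOfNames
member: cn=usra,ou=users,o=ibm

dn: cn=grp2,ou=users,o=ibm
objectClass: posixGroup
memberUid: usra
"""

def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines or base64): list of {attr: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def groups_for(entries, user_dn, method, find_attr, short_attr="cn"):
    """Group DNs the user belongs to under SEARCHUSR, SEARCHGRP or SRCHGRPSN."""
    user = next(e for e in entries if e["dn"][0].lower() == user_dn.lower())
    if method == "SEARCHUSR":   # user record lists its groups (e.g. memberOf)
        return set(user.get(find_attr, []))
    if method == "SEARCHGRP":   # group record lists member DNs (e.g. member)
        return {e["dn"][0] for e in entries if user_dn.lower() in map(str.lower, e.get(find_attr, []))}
    if method == "SRCHGRPSN":   # group record lists member short names (e.g. memberUid)
        return {e["dn"][0] for e in entries if user[short_attr][0] in e.get(find_attr, [])}
    raise ValueError(f"unknown AUTHORMD {method}")

def ambiguous_short_names(entries, short_attr="cn", user_class="inetOrgPerson"):
    """Short names shared by more than one user entry: unsafe for SRCHGRPSN."""
    seen = {}
    for e in entries:
        if user_class in e.get("objectClass", []):
            seen.setdefault(e[short_attr][0], []).append(e["dn"][0])
    return {n: dns for n, dns in seen.items() if len(dns) > 1}
```

Under SRCHGRPSN both usra records resolve to grp2, although only the ou=users record is a member of grp1 by DN; ambiguous_short_names flags exactly the collision the warning above describes, so run such a check before switching a queue manager to this method.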