APAR status
Closed as program error.
Error description
The MQ client/user receives a 2035, NOT AUTHORIZED error even though the MQ authorizations are set correctly via setmqaut, etc. This happens when using LDAP as the source of user and group information for the queue manager, when the shortname is obtained from an attribute in the LDAP schema declared to be case-sensitive in searches. (MQ obtains the shortname from the LDAP user record, in the attribute named by the SHORTUSR attribute of the AUTHINFO object used by the queue manager.)
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
This happens when the queue manager has been configured to use LDAP as the source of user and group information for the queue manager, and specifically only when the shortname is obtained from an attribute in the LDAP schema declared to be case-sensitive in searches.

Platforms affected:
AIX, Linux on Power, Linux on x86-64, Linux on zSeries, Solaris SPARC, Solaris x86-64
****************************************************************
PROBLEM DESCRIPTION:
MQ obtains the shortname from the LDAP user record, in the attribute named by the SHORTUSR attribute of the AUTHINFO object used by the queue manager.

On the affected platforms, the MQ code was folding the shortname to lowercase before storing it. This was the right thing to do in some cases, but not in others.

It was right to do this when using AUTHORMD(OS) on the AUTHINFO object. In this configuration the LDAP repository is used for authentication of username/password, but is not used as a source of users/groups.

It was wrong to do this when using the other supported values of AUTHORMD. In these cases, the LDAP repository is used for authentication and also as a source of users and groups. In this latter case, the shortname is sometimes used in later LDAP searches performed by the queue manager, as a validity check. When the MQ code had folded the shortname to lowercase, it would then fail those validity checks (unless the value of shortname was already all-lowercase in the user records).
Problem conclusion
In cases other than AUTHORMD(OS) the MQ code now will not fold the shortname to lowercase. So the later validity checks will work.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.1 CD    9.1.3
v9.1 LTS   9.1.0.4

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
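The folding behaviour described above can be modelled to find which directory users a pre-fix queue manager would reject. This is an added example, not IBM MQ code: the attribute name shortAttr, the sample records and the "own record must be found again" form of the validity check are assumptions, and SEARCHGRP stands in for the non-OS AUTHORMD values.

```python
# Illustrative model, not IBM MQ code; all directory entries are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Attribute:
    name: str               # hypothetical attribute named by SHORTUSR
    case_sensitive: bool    # how the LDAP schema compares it in searches

    def matches(self, stored: str, asserted: str) -> bool:
        if self.case_sensitive:
            return stored == asserted
        return stored.lower() == asserted.lower()

def store_shortname(value: str, authormd: str, fixed: bool) -> str:
    """Shortname as the queue manager keeps it after reading the user record."""
    if authormd == "OS":
        return value.lower()                    # folding is right in this mode
    return value if fixed else value.lower()    # affected levels folded in every mode

def search(directory, attr, shortname):
    """Later LDAP search on the shortname; returns the DNs that match."""
    return [rec["dn"] for rec in directory if attr.matches(rec[attr.name], shortname)]

def affected_users(directory, attr, authormd):
    """DNs whose own record is no longer found once the shortname is folded."""
    if authormd == "OS":
        return []           # LDAP is not the source of users/groups in this mode
    hits = []
    for rec in directory:
        folded = store_shortname(rec[attr.name], authormd, fixed=False)
        kept = store_shortname(rec[attr.name], authormd, fixed=True)
        if rec["dn"] in search(directory, attr, kept) and \
           rec["dn"] not in search(directory, attr, folded):
            hits.append(rec["dn"])
    return hits

DIRECTORY = [  # constructed sample records
    {"dn": "cn=J Smith,ou=people,o=example", "shortAttr": "JSmith"},
    {"dn": "cn=A Kumar,ou=people,o=example", "shortAttr": "akumar"},
    {"dn": "cn=M Lopez,ou=people,o=example", "shortAttr": "MLOPEZ"},
]
EXACT = Attribute("shortAttr", case_sensitive=True)
IGNORE = Attribute("shortAttr", case_sensitive=False)

if __name__ == "__main__":
    for label, attr in (("case-sensitive", EXACT), ("case-insensitive", IGNORE)):
        print(label, "SEARCHGRP ->", affected_users(DIRECTORY, attr, "SEARCHGRP"))
    print("case-sensitive OS ->", affected_users(DIRECTORY, EXACT, "OS"))
```

Only the mixed-case and upper-case shortnames on the case-sensitive attribute are reported; the all-lowercase record is unaffected, matching the exception noted in the problem description.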
Temporary fix
Comments
APAR Information
APAR number
IT29065
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7271
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-05-08
Closed date
2019-07-12
Last modified date
2019-07-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7271
Applicable component levels
Document Information
Modified date:
12 July 2019