Setting authorizations

How you use the short name or USRFIELD to set authorizations.

The approach of working with multiple formats, described in LDAP authorization, continues into the authorization commands, with a further extension that either the shortname or the USRFIELD can be used in an unadorned fashion.

The character string specifies a particular attribute in the LDAP record when naming users (principals) for authorization.

Important: The character string must not contain the = character, because this character cannot be used in an operating system user ID.

If you pass a principal name to the OAM for authorization that is potentially a shortname, the character string must fit into 12 characters. The mapping algorithm first tries to resolve it to a DN using the SHORTUSR attribute in its LDAP query.

If that fails with an UNKNOWN_ENTITY error, or if the given string cannot possibly be a shortname, a further attempt is made using the USRFIELD attribute to construct the LDAP query.

Attention: If you have run the DEFINE AUTHINFO command, you must restart the queue manager. If you do not restart the queue manager, the setmqaut command does not return the correct result.

For processing user authorizations, the following setmqaut command settings are all equivalent.

Table 1. User authorization settings
Command	Note
`setmqaut -m QM -t qmgr -p jodoe +connect`	This is a flat, unqualified name, resolved through SHORTUSR.
`setmqaut -m QM -t qmgr -pJohnDoe1@yourcompany.com +connect`	Also a flat, unqualified name, resolving via USRFIELD to the same entity.
`setmqaut -m QM -t qmgr -p email=JohnDoe1@yourcompany.com +connect`	Using a named attribute.
`setmqaut -m QM -t qmgr -p "phone=1234567" +connect`	Using another named attribute which does not have to be any of those configured on the AUTHINFO object.

You can use the SET AUTHREC MQSC command as an alternative to the setmqaut command:


SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('JohnDoe1@yourcompany.com') AUTHADD(connect)

or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_PRINCIPAL_ENTITY_NAMES element containing the string:


 "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry"

When processing groups, there is no ambiguity about shortname processing, as there is no requirement to fit any form of a group name into 12-characters. Therefore, there is no equivalent of the SHORTUSR attribute for groups.

That means that the syntax examples described in Table 2 are valid, assuming that you have configured the AUTHINFO object with the extended attributes, and set to:


GRPFIELD(longname) 
BASEDNG(ou=groups,o=yourcompany,c=yourcountry ) CLASSGRP(groupOfNames)

Table 2. Group authorization settings
Command	Note
`setmqaut -m QM -t qmgr -g ApplicationGroupA +connect`	Using GRPFIELD to resolve
`setmqaut -m QM -t qmgr -g longname=ApplicationGroupA +connect`	Naming a single attribute
`setmqaut -m QM -t qmgr -g "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry" +connect`	Using the full DN

You can use the SET AUTHREC MQSC command as an alternative to the preceding setmqaut command:


SET AUTHREC OBJTYPE(QMGR) GROUP('ApplicationGroupA') 
      AUTHADD(connect)

or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_GROUP_ENTITY_NAMES element containing the string:


 "ApplicationGroupA"

Important:

Whichever format you use to refer to a name, whether for user or group, it must be possible to derive a unique DN.

So, for example, you must not have two distinct records that both have "shortu=jodoe".

If a single unique DN cannot be determined, the OAM returns MQRC_UNKNOWN_ENTITY.