Setting authorizations
How you use the short name or USRFIELD to set authorizations.
The approach of working with multiple formats, described in LDAP authorization, continues into the authorization commands, with a further extension that either the shortname or the USRFIELD can be used in an unadorned fashion.
If you pass a principal name to the OAM for authorization that is potentially a shortname, the character string must fit into 12 characters. The mapping algorithm first tries to resolve it to a DN using the SHORTUSR attribute in its LDAP query. If that fails with an UNKNOWN_ENTITY error, or if the given string cannot possibly be a shortname, a further attempt is made using the USRFIELD attribute to construct the LDAP query.
For processing user authorizations, the following setmqaut command settings are all equivalent.
Command | Note |
---|---|
setmqaut -m QM -t qmgr -p jodoe +connect | This is a flat, unqualified name, resolved through SHORTUSR. |
setmqaut -m QM -t qmgr -p JohnDoe1@yourcompany.com +connect | Also a flat, unqualified name, resolving via USRFIELD to the same entity. |
setmqaut -m QM -t qmgr -p email=JohnDoe1@yourcompany.com +connect | Using a named attribute. |
setmqaut -m QM -t qmgr -p "phone=1234567" +connect | Using another named attribute, which does not have to be any of those configured on the AUTHINFO object. |
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('JohnDoe1@yourcompany.com') AUTHADD(connect) | The equivalent MQSC command; or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_PRINCIPAL_ENTITY_NAMES element containing the string "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry". |
When processing groups, there is no ambiguity about shortname processing, as there is no requirement to fit any form of a group name into 12 characters. Therefore, there is no equivalent of the SHORTUSR attribute for groups.
For example, with an AUTHINFO object configured with the following attributes:
GRPFIELD(longname) BASEDNG(ou=groups,o=yourcompany,c=yourcountry) CLASSGRP(groupOfNames)
Command | Note |
---|---|
setmqaut -m QM -t qmgr -g ApplicationGroupA +connect | Using GRPFIELD to resolve. |
setmqaut -m QM -t qmgr -g longname=ApplicationGroupA +connect | Naming a single attribute. |
setmqaut -m QM -t qmgr -g "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry" +connect | Using the full DN. |
SET AUTHREC OBJTYPE(QMGR) GROUP('ApplicationGroupA') AUTHADD(connect) | The equivalent MQSC command; or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_GROUP_ENTITY_NAMES element containing the string "ApplicationGroupA". |
Whichever format you use to refer to a name, whether for user or group, it must be possible to derive a unique DN. So, for example, you must not have two distinct records that both have "shortu=jodoe". If a single unique DN cannot be determined, the OAM returns MQRC_UNKNOWN_ENTITY.
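The following is an added example, not code from the IBM MQ product or its documentation: a small simulation of the principal-to-DN mapping order described above (SHORTUSR first for strings of 12 characters or fewer, then USRFIELD, with an explicit attr=value or a full DN used directly) and of the uniqueness rule, run against a constructed in-memory directory rather than a real LDAP server. The AUTHINFO attribute values `shortu` and `email`, and every directory entry, are assumptions chosen to match the examples in the tables.

```python
# Added example: simulate the OAM's principal resolution order and its
# "unique DN or MQRC_UNKNOWN_ENTITY" rule against a constructed directory.

SHORTUSR = "shortu"            # assumed AUTHINFO SHORTUSR attribute
USRFIELD = "email"             # assumed AUTHINFO USRFIELD attribute
SHORTNAME_MAX = 12             # a shortname must fit into 12 characters
UNKNOWN_ENTITY = "MQRC_UNKNOWN_ENTITY"

# Constructed directory: DN -> attributes (not real data)
DIRECTORY = {
    "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry":
        {"shortu": "jodoe", "email": "JohnDoe1@yourcompany.com", "phone": "1234567"},
    "cn=JaneRoe,ou=users,o=yourcompany,c=yourcountry":
        {"shortu": "jaroe", "email": "JaneRoe@yourcompany.com", "phone": "7654321"},
}


def search(attr, value, directory):
    """Return the DNs whose attribute `attr` equals `value` (an LDAP equality search)."""
    return [dn for dn, attrs in directory.items() if attrs.get(attr) == value]


def resolve_principal(name, directory=DIRECTORY):
    """Map a principal string to exactly one DN, or return UNKNOWN_ENTITY."""
    if name in directory:                     # a full DN is used as-is
        return name
    if "=" in name:                           # explicit attr=value, any attribute
        attr, _, value = name.partition("=")
        matches = search(attr, value, directory)
    else:
        matches = []
        if len(name) <= SHORTNAME_MAX:        # could be a shortname: try SHORTUSR first
            matches = search(SHORTUSR, name, directory)
        if not matches:                       # not found, or too long: try USRFIELD
            matches = search(USRFIELD, name, directory)
    # Zero matches or more than one: no unique DN can be derived.
    return matches[0] if len(matches) == 1 else UNKNOWN_ENTITY
```

Passing a directory that holds two records with the same `shortu` value shows the ambiguity case from the last paragraph: the lookup returns MQRC_UNKNOWN_ENTITY instead of picking one record.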