Another in the series of bite-size blog posts about features in MQ V8. Check out the whole series here.
The ability to authenticate users with LDAP instead of OS credentials has been added to MQ V8. This allows MQ administrators to require any user attempting to connect to MQ, either locally or through a client, to provide LDAP credentials for authentication. To accommodate this form of authentication a new AUTHINFO object has been added to MQ: an AUTHINFO of AUTHTYPE IDPWLDAP, which holds the information MQ needs to connect to and authenticate against an LDAP server. In this blog post we will focus on how to set up a Queue Manager for LDAP authentication.
In MQ terms an LDAP entry is treated as three parts: the user field, the value and the base distinguished name. For a typical entry such as cn=Robert,ou=MQ,o=IBM,co=UK, MQ breaks it down as follows:
- cn= - This is one of the possible user fields; it names the attribute whose value is unique to a record.
- Robert - This is the value that could be used for authentication.
- ou=MQ,o=IBM,co=UK - This is the base distinguished name. It is not unique to a record; many records will share it as their suffix.
When creating or altering an AUTHINFO of type IDPWLDAP the following fields must be completed:
- CONNAME = The hostname of the LDAP server. If the server does not listen on the standard port (389 for LDAP, 636 for LDAP over TLS) include the port as well, in the usual MQ form 'hostname(port)'.
- SHORTUSR = The LDAP attribute whose value MQ uses as the user ID for later checks (for example authorisation) when it adopts the LDAP user via ADOPTCTX. The value must fit an MQ user ID of 12 characters.
The following fields are optional, but several of them are usually needed for MQ to contact the LDAP server and locate user entries:
- ADOPTCTX = Whether the authenticated LDAP user should become the user MQ uses for later checks (for example authorisation checks), or not.
- BASEDNU = The base distinguished name appended to any credentials that do not already carry one.
- CLASSUSR = The LDAP object class of the records you want to authenticate against.
- LDAPUSER = The distinguished name MQ binds to the server with when it searches for user records. Only required if the LDAP server does not allow anonymous binds.
- LDAPPWD = The password for the above user.
- SECCOMM = Whether MQ should connect to the LDAP server over SSL/TLS or not (covered in more detail in another blog post).
- USRFIELD = The user field (for example cn) prefixed to any credentials that do not already carry one.
- CHCKLOCL = Whether a user connecting via local bindings must supply credentials: NONE, OPTIONAL, REQUIRED or REQDADM (required for privileged users only).
- CHCKCLNT = Whether a user connecting via a client connection must supply credentials, with the same values as CHCKLOCL.
Using LDAP with MQ
Once you have created or altered a IDPWLDAP AUTHINFO you should execute the following MQSC command:
> ALTER QMGR CONNAUTH(<Auth info Name>)
> REFRESH SECURITY TYPE(CONNAUTH)
This tells MQ to use the new AUTHINFO object and applies the change so that it takes effect. *Please Note:* If you point MQ at an LDAP server for authentication and also set CHCKLOCL to REQUIRED or REQDADM you MUST ensure that MQ will be able to connect to and communicate with the LDAP server. If MQ cannot reach the LDAP server nobody can authenticate, so nobody, administrators included, can connect. (In this situation you will need to stop your Queue Manager and restart it with strmqm -ns, which among other things starts it as if CONNAUTH were blank so that you can correct the configuration. See here for more information.)
Once you have set up an AUTHINFO object and told your Queue Manager to use it, anyone connecting to your Queue Manager can supply LDAP credentials to authenticate with it. How much of the LDAP entry they have to supply depends on whether you have completed the BASEDNU and USRFIELD fields. If you have not completed them, a connecting user has to supply their full distinguished name:
> amqscnxc -u cn=Robert,ou=MQ,o=IBM,co=UK QMGR
Connection established to queue manager QMGR
If, however, you have filled in BASEDNU and USRFIELD, connecting users only have to supply the value of the USRFIELD attribute and MQ builds the distinguished name for them. For example:
> amqscnxc -u Robert QMGR
Connection established to queue manager QMGR
Note that if you have set a BASEDNU but supply a fully formed distinguished name as the credentials, the supplied name is used as-is and overrides the value in BASEDNU. In the example below the user names an entry under co=DE rather than the configured co=UK, so the lookup is made there instead, the authentication fails and the connection is rejected with reason code 2035 (MQRC_NOT_AUTHORIZED):
> amqscnxc -u cn=Robert,ou=MQ,o=IBM,co=DE QMGR
MQCONNX ended with reason code 2035
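The three cases above follow one rule: a user ID containing '=' is taken as a complete distinguished name, anything else has USRFIELD= prefixed and ,BASEDNU appended. The script below is an added example, not code from the original post or from MQ itself; it models that rule with the post's own values so you can see which DN a given -u argument resolves to, and flags a DN that has stepped outside the configured base (the co=DE case). The under_base check is a sanity check for the reader, not something the queue manager performs.

```bash
#!/bin/bash
# Added example, not code from the original post: a small model of the rule
# described above for how the user ID passed on MQCONNX is combined with the
# AUTHINFO's USRFIELD and BASEDNU. It illustrates the documented behaviour;
# it is not MQ's own lookup code. The names and DNs are the post's examples.

# resolve_dn USER USRFIELD BASEDNU
# Prints the distinguished name MQ will authenticate against:
#   - a user ID containing '=' is already a DN and is used exactly as
#     supplied, so it overrides BASEDNU
#   - otherwise USRFIELD= is prefixed and ,BASEDNU appended, when set
resolve_dn() {
    local user=$1 usrfield=$2 basednu=$3 dn
    case "$user" in
        *=*)
            printf '%s\n' "$user"
            ;;
        *)
            dn=$user
            [ -n "$usrfield" ] && dn="${usrfield}=${dn}"
            [ -n "$basednu" ] && dn="${dn},${basednu}"
            printf '%s\n' "$dn"
            ;;
    esac
}

# under_base DN BASEDNU
# Succeeds if DN lies under BASEDNU. A sanity check for the reader, not
# something MQ performs: a DN that fails it has bypassed the configured
# base, as in the co=DE example, and only works if that entry really exists.
under_base() {
    local dn=$1 base=$2
    case "$dn" in
        *",$base") return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with the post's values (constructed input).
for u in Robert 'cn=Robert,ou=MQ,o=IBM,co=UK' 'cn=Robert,ou=MQ,o=IBM,co=DE'; do
    dn=$(resolve_dn "$u" cn 'ou=MQ,o=IBM,co=UK')
    if under_base "$dn" 'ou=MQ,o=IBM,co=UK'; then
        echo "$u -> $dn (under configured base)"
    else
        echo "$u -> $dn (outside configured base, expect 2035 unless the entry exists)"
    fi
done
```

Run it as-is to see the three resolutions; change the USRFIELD and BASEDNU arguments in the loop to match your own directory layout.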
Once you have set your Queue Manager to use LDAP Authentication you can verify whether MQ has been successful in connecting to the LDAP server by executing the following command in runmqsc:
> DISPLAY QMSTATUS ALL
In the results that come back one of the fields is LDAPCONN. This can have the following three values:
- CONNECTED - MQ has been able to connect to the LDAP server and is ready to use it for User authentication
- ERROR - There has been a problem connecting to the LDAP server. See the Queue Manager error logs for more details
- INACTIVE - LDAP authentication is not in use on this Queue Manager.
For more information on LDAP Authentication see here. (Content starts on slide 53)
Example of how to set up a Queue manager to use LDAP authentication
In this example we will look at how to set up a Queue Manager to use LDAP authentication instead of the default OS authentication. We assume that an LDAP server is already set up and ready to authenticate against, and that all commands are run as a user who is a member of the mqm group.
1) Before creating the AUTHINFO I first need to know the details of the LDAP server and how its records are laid out, including which attribute connecting users will supply for authentication. In this example I assume that the LDAP server listens on the default port, does not require secure connections, is located on host superldap.servers.uk, and that all user records are of object class account under the base distinguished name ou=MQ,o=IBM,co=UK. The attribute we authenticate against is uid; cn, sn and uid are each unique to a user.
2) Now I have all of the necessary information I can create my AUTHINFO for use on my Queue Manager. To do this I execute the following MQSC command in runmqsc:
> DEFINE AUTHINFO('USE.LDAP') AUTHTYPE(IDPWLDAP) CONNAME('superldap.servers.uk') SHORTUSR('uid') ADOPTCTX(NO) USRFIELD('uid') BASEDNU('ou=MQ,o=IBM,co=UK') CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) CLASSUSR('account') SECCOMM(NO)
3) Now that I have created my AUTHINFO object I tell my Queue Manager to use it by executing the following in runmqsc:
> ALTER QMGR CONNAUTH('USE.LDAP')
4) Next I refresh my Queue Manager security in order to bring the new AUTHINFO object into effect.
> REFRESH SECURITY TYPE(CONNAUTH)
5) Before I raise the CHCKCLNT and CHCKLOCL security on my Queue Manager I should test to ensure that I am able to reconnect. First I execute the following command in runmqsc to make sure the Queue Manager has connected to the LDAP server successfully.
> DIS QMSTATUS ALL
QMNAME(EXAMPLE) STATUS(RUNNING) CONNS(23) CMDSERV(RUNNING) CHINIT(RUNNING)
INSTNAME(Installation1) INSTPATH(C:\MQ) INSTDESC( ) LDAPCONN(CONNECTED)
STANDBY(NOPERMIT) STARTDA(2014-06-16) STARTTI(09.22.12)
6) As the LDAPCONN equals CONNECTED I verify that I can connect to the queue manager using a client application providing credentials I know should pass.
> amqscnxc -u Robert QMGR
Connection established to queue manager QMGR
7) As I am able to connect to my Queue Manager with my LDAP credentials I can then raise the CHCKCLNT and CHCKLOCL values on the AUTHINFO object to the desired security level with ALTER AUTHINFO (AUTHTYPE(IDPWLDAP) must be given again on the ALTER), followed by another REFRESH SECURITY TYPE(CONNAUTH) to bring the change into effect. Bear in mind the warning above: CHCKLOCL(REQUIRED) or CHCKLOCL(REQDADM) locks everyone out if the LDAP server becomes unreachable.
Once the CHCKCLNT and CHCKLOCL values are at the correct level my Queue Manager has been set up to use LDAP authentication on both local and client connections.
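Steps 2 to 7 above, as an added example script that is not part of the original post. The MQSC is the post's own; what the script adds is the gate the post recommends, refusing to raise CHCKCLNT and CHCKLOCL until DIS QMSTATUS reports LDAPCONN(CONNECTED) and a client connection with LDAP credentials has succeeded. The queue manager name is taken from the command line; the AUTHINFO name USE.LDAP, host superldap.servers.uk, base DN ou=MQ,o=IBM,co=UK, object class account and test user Robert are the worked example's values. A constructed sample of DIS QMSTATUS output is embedded so the LDAPCONN parser can be exercised without a queue manager.

```bash
#!/bin/bash
# Added example, not code from the original post: steps 2 to 7 above as a
# script, with the gate the post recommends built in. The checks are only
# raised after LDAPCONN reports CONNECTED and a client connection with LDAP
# credentials has succeeded. Assumptions, taken from the worked example:
# AUTHINFO USE.LDAP, LDAP host superldap.servers.uk, base DN
# ou=MQ,o=IBM,co=UK, object class account, test user Robert.
set -u

AUTHINFO_NAME=USE.LDAP

# Steps 2 to 4: define the IDPWLDAP AUTHINFO with both checks still OPTIONAL,
# point the queue manager at it and refresh CONNAUTH security.
define_authinfo_mqsc() {
    cat <<EOF
DEFINE AUTHINFO('$AUTHINFO_NAME') AUTHTYPE(IDPWLDAP) +
  CONNAME('superldap.servers.uk') SHORTUSR('uid') USRFIELD('uid') +
  BASEDNU('ou=MQ,o=IBM,co=UK') CLASSUSR('account') ADOPTCTX(NO) +
  SECCOMM(NO) CHCKCLNT(OPTIONAL) CHCKLOCL(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH('$AUTHINFO_NAME')
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# Step 7: raise the checks. AUTHTYPE must be repeated on ALTER AUTHINFO and a
# further REFRESH is needed. Local checking defaults to OPTIONAL here because
# CHCKLOCL(REQUIRED) locks administrators out if the LDAP server is unreachable.
raise_checks_mqsc() {
    local clnt=${1:-REQUIRED} locl=${2:-OPTIONAL}
    cat <<EOF
ALTER AUTHINFO('$AUTHINFO_NAME') AUTHTYPE(IDPWLDAP) CHCKCLNT($clnt) CHCKLOCL($locl)
REFRESH SECURITY TYPE(CONNAUTH)
EOF
}

# Step 5: read the LDAPCONN value out of DIS QMSTATUS output on stdin.
ldapconn_state() {
    sed -n 's/.*LDAPCONN(\([A-Z]*\)).*/\1/p' | head -n 1
}

# Run the whole procedure against a live queue manager. Returns non-zero, with
# the checks left at OPTIONAL, if LDAP is not connected or the test logon fails.
apply_to_qmgr() {
    local qmgr=$1 state
    define_authinfo_mqsc | runmqsc "$qmgr" >/dev/null
    state=$(echo "DIS QMSTATUS ALL" | runmqsc "$qmgr" | ldapconn_state)
    if [ "$state" != CONNECTED ]; then
        echo "LDAPCONN is '${state:-missing}', not CONNECTED; see the queue manager error logs. Checks left OPTIONAL." >&2
        return 1
    fi
    # Step 6: the same test connection as the post, with credentials known to be
    # valid (a non-zero exit from amqscnxc on failure is assumed here).
    if ! amqscnxc -u Robert "$qmgr"; then
        echo "Test client connection failed. Checks left OPTIONAL." >&2
        return 1
    fi
    raise_checks_mqsc REQUIRED OPTIONAL | runmqsc "$qmgr"
}

# Constructed sample of the DIS QMSTATUS ALL output shown in step 5, so the
# parser can be exercised without a queue manager.
SAMPLE_QMSTATUS='QMNAME(EXAMPLE) STATUS(RUNNING) CONNS(23) CMDSERV(RUNNING)
CHINIT(RUNNING) INSTNAME(Installation1) LDAPCONN(CONNECTED) STANDBY(NOPERMIT)'

if [ $# -gt 0 ]; then
    apply_to_qmgr "$1"          # usage: ./ldap-connauth.sh QMGR
else
    echo "MQSC that would be sent:"
    define_authinfo_mqsc
    echo "LDAPCONN in sample output: $(printf '%s\n' "$SAMPLE_QMSTATUS" | ldapconn_state)"
fi
```

Without an argument the script only prints the MQSC it would send and parses the embedded sample; with a queue manager name it runs the procedure for real, as the mqm user, and stops short of step 7 whenever LDAP has not been proven to work.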