MQCMD_INQUIRE_AUTH_INFO (Inquire Authentication Information Object) Response
The response of the Inquire authentication information (MQCMD_INQUIRE_AUTH_INFO) PCF command
consists of the response header followed by the AuthInfoName
structure (and on z/OS® only, the
QSGDisposition structure), and the requested combination of
attribute parameter structures (where applicable).
- Always returned:
-
AuthInfoName![[z/OS]](ngzos.gif)
,
QSGDisposition - Returned if requested:
-
AdoptContext,AlterationDate,AlterationTime,AuthInfoConnName,BaseDNGroup,BaseDNUser,AuthInfoType,CheckClient,CheckLocal,ClassUser,FailureDelay,LDAPPassword,LDAPUserName,OCSPResponderURL,SecureComms,ShortUser,UserField
Response data
- AdoptContext
- Whether to use the presented credentials as the context for this application.
- AlterationDate (MQCFST)
- Alteration date of the authentication information object, in the form
yyyy-mm-dd(parameter identifier: MQCA_ALTERATION_DATE). - AlterationTime (MQCFST)
- Alteration time of the authentication information object, in the form
hh.mm.ss(parameter identifier: MQCA_ALTERATION_TIME). - AuthInfoConnName (MQCFST)
- The connection name of the authentication information object (parameter identifier:
MQCA_AUTH_INFO_CONN_NAME).
The maximum length of the string is MQ_AUTH_INFO_CONN_NAME_LENGTH. On z/OS, it is MQ_LOCAL_ADDRESS_LENGTH.
This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.
- AuthInfoDesc (MQCFST)
- The description of the authentication information object (parameter identifier:
MQCA_AUTH_INFO_DESC).
The maximum length is MQ_AUTH_INFO_DESC_LENGTH.
- AuthInfoName (MQCFST)
- Authentication information object name (parameter identifier: MQCA_AUTH_INFO_NAME).
The maximum length of the string is MQ_AUTH_INFO_NAME_LENGTH.
- AuthInfoType (MQCFIN)
- The type of authentication information object (parameter identifier: MQIA_AUTH_INFO_TYPE).
The value can be:
- MQAIT_CRL_LDAP
- This authentication information object specifies Certificate Revocation Lists that are held on LDAP servers.
- MQAIT_OCSP
- This authentication information object specifies certificate revocation checking using OCSP.
- MQAIT_IDPW_OS
- This authentication information object specifies certificate revocation checking using user ID and password checking through the operating system.
- MQAIT_IDPW_LDAP
- This authentication information object specifies certificate revocation checking using user ID and password checking through an LDAP server.
- AuthenticationMethod (MQCFIN)
- Authentication methods for user passwords (parameter identifier: MQIA_AUTHENTICATION_METHOD).
Possible values are:
- MQAUTHENTICATE_OS
- Use the traditional UNIX password verification method.
- MQAUTHENTICATE_PAM
- Use the Pluggable Authentication Method to authenticate the user passwords.
You can set the PAM value only on AIX® and Linux®.
This attribute is valid only for an AuthInfoType of MQAIT_IDPW_OS, and is not valid on IBM MQ for z/OS.
- AuthorizationMethod (MQCFIN)
- Authorization methods for the queue manager (parameter identifier MQIA_LDAP_AUTHORMD). Possible
values are:
- MQLDAP_AUTHORMD_OS
- Use operating system groups to determine permissions associated with a user.
- MQLDAP_AUTHORMD_SEARCHGRP
- A group entry in the LDAP repository contains an attribute listing the Distinguished Name of all the users belonging to that group.
- MQLDAP_AUTHORMD_SEARCHUSER
- A user entry in the LDAP repository contains an attribute listing the Distinguished Name of all the groups to which the specified user belongs.
- MQLDAP_AUTHORMD_SRCHGRPSN
- A group entry in the LDAP repository contains an attribute listing the short user name of all the users belonging to that group.
- BaseDNGroup (MQCFST)
- In order to be able to find group names, this parameter must be set with the base DN to search
for groups in the LDAP server (parameter identifier MQCA_LDAP_BASE_DN_GROUPS).
The maximum length of the string is MQ_LDAP_BASE_DN_LENGTH.
- BaseDNUser (MQCFST)
- In order to be able to find the short user name attribute (see ShortUser ) this parameter must be set with the base DN to search for users
within the LDAP server.
This attribute is valid only for an AuthInfoType of MQAIT_IDPW_LDAP and is mandatory (parameter identifier MQ_LDAP_BASE_DN_USERS).
The maximum length is MQ_LDAP_BASE_DN_LENGTH.
- Checklocal or Checkclient (MQCFIN)
- These attributes are valid only for an AuthInfoType of
MQAIT_IDPW_OS or MQAIT_IDPW_LDAP (parameter identifier
MQIA_CHECK_LOCAL_BINDING or MQIA_CHECK_CLIENT_BINDING). The possible values are:
- MQCHK_NONE
- Switches off checking.
- MQCHK_OPTIONAL
- Ensures that if a user ID and password are provided by an application, they are a valid pair, but that it is not mandatory to provide them. This option might be useful during migration, for example.
- MQCHK_REQUIRED
- Requires that all applications provide a valid user ID and password.
- MQCHK_REQUIRED_ADMIN
- Privileged users must supply a valid user ID and password, but non-privileged users are treated
as with the OPTIONAL setting. See also the following note. (This
setting is not allowed on z/OS systems.)
- ClassGroup (MQCFST)
- The LDAP object class used for group records in the LDAP repository (parameter identifier MQCA_LDAP_GROUP_OBJECT_CLASS).
- Classuser (MQCFST)
- The LDAP object class used for user records in the LDAP repository (parameter identifier
MQCA_LDAP_USER_OBJECT_CLASS).
The maximum length is MQ_LDAP_CLASS_LENGTH.
- FailureDelay (MQCFIN)
- The failure delay (parameter identifier MQIA_AUTHENTICATION_FAIL_DELAY) when an authentication fails due to the user ID or password being incorrect, in seconds, before the failure is returned to the application.
- FindGroup (MQCFST)
- Name of the attribute used within an LDAP entry to determine group membership (parameter
identifier MQCA_LDAP_FIND_GROUP_FIELD).
The maximum length of the string is MQ_LDAP_FIELD_LENGTH.
- GroupField (MQCFST)
- LDAP attribute that represents a simple name for the group (parameter identifier
MQCA_LDAP_GROUP_ATTR_FIELD).
The maximum length of the string is MQ_LDAP_FIELD_LENGTH.
- GroupNesting (MQCFIN)
- Whether groups are members of other groups (parameter identifier MQIA_LDAP_NESTGRP).
The values can be:
- MQLDAP_NESTGRP_NO
- Only the initially discovered groups are considered for authorization.
- MQLDAP_NESTGRP_YES
- The group list is searched recursively to enumerate all the groups to which a user belongs.
- LDAPPassword (MQCFST)
- The LDAP password (parameter identifier: MQCA_LDAP_PASSWORD).
The maximum length is MQ_LDAP_PASSWORD_LENGTH.
This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.
- LDAPUserName (MQCFST)
- The LDAP user name (parameter identifier: MQCA_LDAP_USER_NAME).
The Distinguished Name of the user who is binding to the directory.
The maximum length is MQ_DISTINGUISHED_NAME_LENGTH. On z/OS, it is MQ_SHORT_DNAME_LENGTH.
This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.
- OCSPResponderURL (MQCFST)
- The URL of the OCSP responder used to check for certificate revocation.
- QSGDisposition (MQCFIN)
- QSG disposition (parameter identifier: MQIA_QSG_DISP).
Specifies the disposition of the object (that is, where it is defined and how it behaves). This parameter is valid on z/OS only. The value can be any of the following values:
- MQQSGD_COPY
- The object is defined as MQQSGD_COPY.
- MQQSGD_GROUP
- The object is defined as MQQSGD_GROUP.
- MQQSGD_Q_MGR
- The object is defined as MQQSGD_Q_MGR.
- SecureComms (MQCFIN)
- Whether connectivity to the LDAP server should be done securely using TLS (parameter identifier
MQIA_LDAP_SECURE_COMM).
The maximum length is MQ_LDAP_SECURE_COMM_LENGTH.
- ShortUser (MQCFST)
- A field in the user record to be used as a short user name in IBM MQ (parameter identifier MQCA_LDAP_SHORT_USER_FIELD)..
The maximum length is MQ_LDAP_FIELD_LENGTH.
- UserField (MQCFST)
- Identifies the field in the LDAP user record that is used to interpret the provided user ID,
only if the user ID does not contain a qualifier (parameter identifier MQCA_LDAP_USER_ATTR_FIELD).
The maximum length is MQ_LDAP_FIELD_LENGTH.