LDAP part 1: Updating the IBM MQ backup for the LDAP server
A comprehensive description of how to set up LDAP is outside the scope of this scenario. This topic gives a summary of the process, a sample, and references to further information.
Before you begin
About this task
Do I need to do this?
If you are already using LDAP for authentication and authorization then no changes are required. If you are not sure if LDAP is being used, see Optional: Configuring LDAP.
There are two parts to setting up the LDAP server:
Further information to help you with this configuration:
Define an LDAP configuration.
Edit the backup.mqsc file to define a new AUTHINFO object for the LDAP system. For example:
DEFINE AUTHINFO(USE.LDAP) +
       AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap-service.ldap(389)') +
       LDAPUSER('cn=admin,dc=ibm,dc=com') +
       LDAPPWD('admin') +
       SECCOMM(NO) +
       USRFIELD('uid') +
       SHORTUSR('uid') +
       BASEDNU('ou=people,dc=ibm,dc=com') +
       AUTHORMD(SEARCHGRP) +
       BASEDNG('ou=groups,dc=ibm,dc=com') +
       GRPFIELD('cn') +
       CLASSGRP('groupOfUniqueNames') +
       FINDGRP('uniqueMember') REPLACE
- CONNAME is the hostname and port corresponding to the LDAP server. If multiple addresses exist for resilience then these can be configured using a comma-separated list.
- LDAPUSER is the distinguished name corresponding to the user that IBM MQ uses when connecting to LDAP to query user records.
- LDAPPWD is the password that corresponds to the LDAPUSER user.
- SECCOMM specifies whether the communication to the LDAP server uses TLS. Possible values:
- YES: TLS is used and a certificate is presented by the IBM MQ server.
- ANON: TLS is used without a certificate being presented by the IBM MQ server.
- NO: TLS is not used during the connection.
- USRFIELD specifies the field in the LDAP record that the presented user name is matched against.
- SHORTUSR is a field within the LDAP record whose values do not exceed 12 characters in length. The value of this field becomes the asserted identity if authentication is successful.
- BASEDNU is the base DN that should be used for searching LDAP.
- BASEDNG is the base DN for groups within LDAP.
- AUTHORMD defines the mechanism used to resolve group membership for the user. There are four options:
- OS: Query the operating system for the groups associated with the short name.
- SEARCHGRP: Search the group entries in LDAP for the authenticated user.
- SEARCHUSR: Search the authenticated user record for group membership information.
- SRCHGRPSN: Search the group entries in LDAP for the authenticated user's short user name (defined by the SHORTUSR field).
- GRPFIELD is the attribute within the LDAP group record that corresponds to a simple name. If specified, this name can be used for defining authorization records.
- CLASSUSR is the LDAP object class that corresponds to a user.
- CLASSGRP is the LDAP object class that corresponds to a group.
- FINDGRP is the attribute within the LDAP record that corresponds to group membership.
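The four AUTHORMD options above differ only in where IBM MQ looks for the user-to-group link, and the BASEDNG, CLASSGRP, FINDGRP and GRPFIELD attributes tell it what to search. The following added example (not part of the original page and not IBM MQ code) models that lookup against a constructed in-memory directory so the interaction of the attributes is visible: the user is found under BASEDNU by USRFIELD, then SEARCHGRP looks for CLASSGRP entries under BASEDNG whose FINDGRP attribute holds the user's DN, SRCHGRPSN does the same with the SHORTUSR value, and SEARCHUSR reads the FINDGRP attribute on the user's own record. The directory entries, DNs and group names are all constructed sample data; the attribute values in AUTHINFO are the ones from the DEFINE AUTHINFO example above.

```python
# Constructed toy directory (not a real LDAP server): DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=ibm,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "memberOf": ["cn=mqadmins,ou=groups,dc=ibm,dc=com"],   # used by SEARCHUSR
    },
    "uid=bob,ou=people,dc=ibm,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=mqadmins,ou=groups,dc=ibm,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["mqadmins"],
        "uniqueMember": ["uid=alice,ou=people,dc=ibm,dc=com"],   # member DNs (SEARCHGRP)
    },
    "cn=app1,ou=groups,dc=ibm,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["app1"],
        "uniqueMember": ["uid=alice,ou=people,dc=ibm,dc=com",
                         "uid=bob,ou=people,dc=ibm,dc=com"],
    },
    "cn=posixgrp,ou=groups,dc=ibm,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["posixgrp"],
        "memberUid": ["bob"],                                     # short names (SRCHGRPSN)
    },
}

# Attribute values taken from the page's DEFINE AUTHINFO(USE.LDAP) example.
AUTHINFO = {
    "USRFIELD": "uid", "SHORTUSR": "uid", "BASEDNU": "ou=people,dc=ibm,dc=com",
    "AUTHORMD": "SEARCHGRP", "BASEDNG": "ou=groups,dc=ibm,dc=com",
    "GRPFIELD": "cn", "CLASSGRP": "groupOfUniqueNames", "FINDGRP": "uniqueMember",
}


def search(base, attr, value, object_class=None):
    """Toy subtree search: entries under `base` whose `attr` contains `value`."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if object_class and object_class not in entry.get("objectClass", []):
            continue
        if value in entry.get(attr, []):
            hits.append((dn, entry))
    return hits


def find_user(cfg, username):
    """Locate the user record under BASEDNU by USRFIELD; exactly one match is required."""
    hits = search(cfg["BASEDNU"], cfg["USRFIELD"], username)
    return hits[0] if len(hits) == 1 else None


def resolve_groups(cfg, username):
    """Return (short user name, sorted GRPFIELD values) as the AUTHORMD setting selects them.

    Returns None when the user cannot be found or the SHORTUSR value exceeds the
    12-character limit the page states for that field.
    """
    hit = find_user(cfg, username)
    if hit is None:
        return None
    user_dn, user = hit
    short = user[cfg["SHORTUSR"]][0]
    if len(short) > 12:
        return None
    method = cfg["AUTHORMD"]
    if method == "SEARCHGRP":      # groups whose FINDGRP attribute holds the user's DN
        groups = search(cfg["BASEDNG"], cfg["FINDGRP"], user_dn, cfg["CLASSGRP"])
    elif method == "SRCHGRPSN":    # groups whose FINDGRP attribute holds the short name
        groups = search(cfg["BASEDNG"], cfg["FINDGRP"], short, cfg["CLASSGRP"])
    elif method == "SEARCHUSR":    # group DNs listed on the user's own record
        groups = [(dn, DIRECTORY[dn]) for dn in user.get(cfg["FINDGRP"], []) if dn in DIRECTORY]
    else:                          # OS: asks the operating system about `short`; not modelled
        groups = []
    return short, sorted(entry[cfg["GRPFIELD"]][0] for _, entry in groups)


if __name__ == "__main__":
    for method, cls, findgrp in (("SEARCHGRP", "groupOfUniqueNames", "uniqueMember"),
                                 ("SRCHGRPSN", "posixGroup", "memberUid"),
                                 ("SEARCHUSR", None, "memberOf")):
        cfg = dict(AUTHINFO, AUTHORMD=method, CLASSGRP=cls, FINDGRP=findgrp)
        for who in ("alice", "bob", "carol"):
            print(method, who, resolve_groups(cfg, who))
```

Changing CLASSGRP and FINDGRP together with AUTHORMD is the point worth noticing: SEARCHGRP needs a group class whose membership attribute stores DNs, SRCHGRPSN needs one that stores short names, and SEARCHUSR ignores BASEDNG and CLASSGRP entirely.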
The new entry can be placed anywhere within the file, however you might find it helpful to have any new entries at the beginning of the file:
Associate the LDAP configuration with the queue manager definition.
You need to associate the LDAP configuration with the queue manager definition. Immediately after the DEFINE AUTHINFO entry is an ALTER QMGR entry. Modify the CONNAUTH entry to correspond to the newly created AUTHINFO name. For example, in the previous example AUTHINFO(USE.LDAP) was defined, meaning the name is USE.LDAP. Therefore change
To cause the switch to LDAP to occur immediately, call a REFRESH SECURITY command by adding a line immediately after the
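The three edits to backup.mqsc described on this page (the DEFINE AUTHINFO with AUTHTYPE(IDPWLDAP), the ALTER QMGR CONNAUTH that must name it, and the REFRESH SECURITY that follows) are easy to get out of step, and the file is not validated until runmqsc replays it. The following added example (not part of the original page and not an IBM product tool) joins MQSC continuation lines, parses the NAME(value) attributes, and reports the mismatches a reviewer would look for: CONNAUTH still pointing at the default AUTHINFO, attributes the LDAP definition needs but lacks, a missing REFRESH SECURITY, and SECCOMM(NO) combined with an LDAPPWD, which means the bind password and every user's password cross the network in clear text. The sample file is constructed from the page's example plus a default CONNAUTH value; the SECCOMM and AUTHORMD defaults assumed when an attribute is absent are the IBM MQ defaults NO and OS.

```python
import re

# Constructed backup.mqsc fragment: the page's AUTHINFO, followed by an ALTER QMGR
# that has not yet been changed away from the default IDPWOS AUTHINFO.
SAMPLE_MQSC = """\
DEFINE AUTHINFO(USE.LDAP) +
       AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap-service.ldap(389)') +
       LDAPUSER('cn=admin,dc=ibm,dc=com') +
       LDAPPWD('admin') +
       SECCOMM(NO) +
       USRFIELD('uid') +
       SHORTUSR('uid') +
       BASEDNU('ou=people,dc=ibm,dc=com') +
       AUTHORMD(SEARCHGRP) +
       BASEDNG('ou=groups,dc=ibm,dc=com') +
       GRPFIELD('cn') +
       CLASSGRP('groupOfUniqueNames') +
       FINDGRP('uniqueMember') REPLACE
ALTER QMGR CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
REFRESH SECURITY TYPE(CONNAUTH)
"""

# NAME('quoted value') is tried first so parentheses inside quotes, as in
# CONNAME('host(389)'), stay part of the value; NAME(bare value) is the fallback.
ATTR_RE = re.compile(r"([A-Z]+)\('([^']*)'\)|([A-Z]+)\(([^)]*)\)")


def join_continuations(text):
    """Join MQSC lines that end in '+' into single commands; skip blanks and '*' comments."""
    commands, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("+"):
            current += line[:-1] + " "
        else:
            commands.append((current + line).strip())
            current = ""
    if current:
        commands.append(current.strip())
    return commands


def parse_command(cmd):
    """Return (verb, object keyword, {ATTR: value}) for one joined MQSC command."""
    parts = cmd.split()
    verb, obj = parts[0].upper(), parts[1].split("(")[0].upper()
    attrs = {}
    for m in ATTR_RE.finditer(cmd):
        name = m.group(1) or m.group(3)
        attrs[name] = m.group(2) if m.group(1) else m.group(4)
    return verb, obj, attrs


def check_ldap_config(text):
    """Cross-check the AUTHINFO, CONNAUTH and REFRESH SECURITY steps; return findings."""
    findings, authinfos, connauth, refreshed = [], {}, None, False
    for verb, obj, attrs in map(parse_command, join_continuations(text)):
        if verb == "DEFINE" and obj == "AUTHINFO":
            authinfos[attrs["AUTHINFO"]] = attrs
        elif verb == "ALTER" and obj == "QMGR" and "CONNAUTH" in attrs:
            connauth = attrs["CONNAUTH"]
        elif verb == "REFRESH" and obj == "SECURITY" and attrs.get("TYPE", "CONNAUTH") == "CONNAUTH":
            refreshed = True
    ldap = {n: a for n, a in authinfos.items() if a.get("AUTHTYPE") == "IDPWLDAP"}
    if not ldap:
        findings.append("no AUTHINFO with AUTHTYPE(IDPWLDAP) is defined")
    if connauth not in ldap:
        findings.append(f"ALTER QMGR CONNAUTH({connauth}) does not name the LDAP AUTHINFO")
    for name, a in ldap.items():
        for req in ("CONNAME", "USRFIELD", "SHORTUSR", "BASEDNU"):
            if req not in a:
                findings.append(f"{name}: missing {req}")
        if a.get("SECCOMM", "NO") == "NO" and "LDAPPWD" in a:   # SECCOMM defaults to NO
            findings.append(f"{name}: SECCOMM(NO) sends LDAPPWD and user passwords in clear text")
        if a.get("AUTHORMD", "OS") in ("SEARCHGRP", "SRCHGRPSN"):  # AUTHORMD defaults to OS
            for req in ("BASEDNG", "CLASSGRP", "FINDGRP"):
                if req not in a:
                    findings.append(f"{name}: AUTHORMD({a['AUTHORMD']}) needs {req}")
    if not refreshed:
        findings.append("no REFRESH SECURITY after the CONNAUTH change")
    return findings


def corrected_sample():
    """The same fragment with CONNAUTH pointing at USE.LDAP and TLS enabled."""
    return (SAMPLE_MQSC
            .replace("CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)", "CONNAUTH(USE.LDAP)")
            .replace("SECCOMM(NO)", "SECCOMM(YES)"))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MQSC
    for finding in check_ldap_config(text) or ["no findings"]:
        print(finding)
```

Run it against the real backup.mqsc (python check_mqsc.py backup.mqsc, any file name) before replaying the file; the two findings it raises on the constructed sample are exactly the CONNAUTH step the page describes and the SECCOMM(NO) choice in the example definition.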