LDAP administration
An overview of how each platform administers LDAP.
When using LDAP authorization, membership of the mqm group (or equivalent) in
the operating system is of limited importance. Membership of that group only controls whether
certain command-line commands can be processed.
In particular, you must be in that group to issue the strmqm and endmqm commands.
When the queue manager is running, full privileges are limited. Apart from
the user ID of the person who issued the strmqm command, users belonging to
the OS mqm (or equivalent) group do not get special privileges.
Authorizations of other users are based on which LDAP groups they belong to. An unqualified use
of the mqm group name in commands such as setmqaut is not
allowed to map to any LDAP group.
AIX and Linux
When the queue manager is running, the only automatically fully-privileged account is the real user who started the queue manager.
The mqm ID still exists and is used as the owner of OS resources, such as files,
because mqm is the effective ID under which the queue manager is running. However,
the mqm user is not automatically able to do administrative tasks controlled by the
OAM.
Windows
On Windows, the automatically fully-privileged accounts are the OS user that started the queue manager, and also the user running the core queue manager processes, such as MUSR_MQADMIN if the queue manager was started as a Windows service.
When running in LDAP authorization mode, Windows behaves very similarly to the AIX® and Linux® platforms. It deals with 12-character short names and full DNs.
IBM i
On IBM® i, the automatically-privileged accounts are the one that starts the queue manager and the QMQM ID.
You need both IDs, because the user ID that starts the queue manager is required only to start the system. Once running, the queue manager processes have QMQM authority only.
Sample script to provide MQADMIN privileges
On AIX and Linux, a sample script is provided:
MQ_INSTALLATION_PATH/samp/bin/amqauthg.sh
The script takes two parameters:
- A queue manager name
- An LDAP group name
The script issues setmqaut commands such as:
setmqaut -t q -m qmgr -n '**' +alladm -g groupname
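The following is an added example, not IBM's amqauthg.sh and not code from this page: a small wrapper that validates the two parameters before building the single setmqaut command shown above, and rejects the unqualified mqm group name that LDAP authorization mode does not map to any LDAP group. The function names, the MQ_APPLY switch and the sample queue manager and DN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not IBM's amqauthg.sh).
# Builds the one setmqaut command shown on this page after checking its inputs.

# Assumption: queue manager names use only MQ object-name characters
# (letters, digits, '.', '/', '_', '%') and are at most 48 characters long.
valid_qmgr() {
    case "$1" in
        ''|*[!A-Za-z0-9._/%]*) return 1 ;;
    esac
    [ "${#1}" -le 48 ]
}

# Reject an empty name and the unqualified OS group name "mqm", which in LDAP
# authorization mode is not allowed to map to any LDAP group.
# A short name or a full DN is accepted; a single quote is refused so the
# single-quoted rendering printed below stays unambiguous.
valid_group() {
    case "$1" in
        ''|mqm|*"'"*) return 1 ;;
    esac
    return 0
}

# Print the command for review. It is executed only when MQ_APPLY=1
# (hypothetical switch), so the default is a dry run that needs no MQ install.
grant_queue_admin() {
    qmgr=$1
    group=$2
    valid_qmgr "$qmgr" || { echo "invalid queue manager name: $qmgr" >&2; return 2; }
    valid_group "$group" || { echo "invalid LDAP group name: $group" >&2; return 3; }
    printf "setmqaut -t q -m %s -n '**' +alladm -g '%s'\n" "$qmgr" "$group"
    if [ "${MQ_APPLY:-0}" = 1 ]; then
        setmqaut -t q -m "$qmgr" -n '**' +alladm -g "$group"
    fi
}

# Constructed sample values: QM1 and the DN are placeholders, not real objects.
grant_queue_admin QM1 'cn=mqadmins,ou=groups,o=example'
```

Reviewing the printed command before setting MQ_APPLY=1 keeps a mistyped group name from receiving +alladm on every queue.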