![[OpenShift Container Platform]](ngocp.gif)
![[Continuous Delivery]](ngcd.gif)
Optional: Configuring LDAP
The IBM® MQ Operator can be configured to use several different security approaches. Typically LDAP is the most effective for an enterprise deployment, and LDAP is used for this migration scenario.
Before you begin
Important: This task applies only to users on Red Hat® OpenShift®.
This task assumes that you have extracted and acquired the queue manager keys and certificates.
About this task
Do I need to do this?
If you are already using LDAP for authentication and authorization then no changes are required.
If you are not sure if LDAP is being used, run the following command:
connauthname="$(grep CONNAUTH backup.mqsc | cut -d "(" -f2 | cut -d ")" -f1)"; grep -A 20 AUTHINFO\($connauthname\) backup.mqsc
Sample output:
DEFINE AUTHINFO('USE.LDAP') +
AUTHTYPE(IDPWLDAP) +
ADOPTCTX(YES) +
CONNAME('ldap-service.ldap(389)') +
CHCKCLNT(REQUIRED) +
CLASSGRP('groupOfUniqueNames') +
FINDGRP('uniqueMember') +
BASEDNG('ou=groups,dc=ibm,dc=com') +
BASEDNU('ou=people,dc=ibm,dc=com') +
LDAPUSER('cn=admin,dc=ibm,dc=com') +
* LDAPPWD('********************************') +
SHORTUSR('uid') +
GRPFIELD('cn') +
USRFIELD('uid') +
AUTHORMD(SEARCHGRP) +
* ALTDATE(2020-11-26) +
* ALTTIME(15.44.38) +
REPLACE
There are two attributes in the output that are of particular interest:
- AUTHTYPE: If this has the value IDPWLDAP, then you are using LDAP for authentication.
- AUTHORMD: If this has the value OS, then you are not using LDAP for authorization.
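The same check can be scripted so that it reads only the AUTHINFO object named by CONNAUTH and skips commented lines such as `* LDAPPWD`. This is an added example, not part of the original page or IBM's tooling; the function names `mqsc_attr`, `ldap_status` and `sample_mqsc` are hypothetical, the sample MQSC is constructed, and a missing AUTHORMD is assumed to mean OS.

```bash
#!/usr/bin/env bash
# Print attribute $2 of the AUTHINFO object named $1 (quotes included) in file $3.
mqsc_attr() {
  awk -v name="$1" -v attr="$2" '
    /^[ \t]*\*/ { next }                          # "*" lines are comments (e.g. * LDAPPWD)
    /^[ \t]*(DEFINE|ALTER|SET)[ \t]/ {            # a new command starts a new stanza
      in_obj = (index($0, "AUTHINFO(" name ")") > 0)
    }
    in_obj && match($0, "(^|[ \t])" attr "\\([^)]*\\)") {
      v = substr($0, RSTART, RLENGTH)
      sub(/^[^(]*\(/, "", v); sub(/\)$/, "", v)   # keep only the text inside the parentheses
      print v; exit
    }' "$3"
}

# Print "authn=<ldap|not-ldap> authz=<ldap|os>"; return 1 unless both are ldap.
ldap_status() {
  local file="$1" name authtype authormd authn=not-ldap authz=os
  name="$(grep -v '^[[:space:]]*\*' "$file" | grep -m1 'CONNAUTH(' \
          | cut -d '(' -f2 | cut -d ')' -f1)"
  if [ -n "$name" ]; then
    authtype="$(mqsc_attr "$name" AUTHTYPE "$file")"
    authormd="$(mqsc_attr "$name" AUTHORMD "$file")"
    [ "$authtype" = IDPWLDAP ] && authn=ldap
    # A missing AUTHORMD is treated as OS here (assumption of this example).
    [ "$authn" = ldap ] && [ -n "$authormd" ] && [ "$authormd" != OS ] && authz=ldap
  fi
  echo "authn=$authn authz=$authz"
  [ "$authn" = ldap ] && [ "$authz" = ldap ]
}

# Constructed sample (not a real dump): LDAP authentication, OS authorization.
sample_mqsc() {
  cat <<'EOF'
ALTER QMGR CONNAUTH('USE.LDAP')
DEFINE AUTHINFO('OTHER.OS') AUTHTYPE(IDPWOS) REPLACE
DEFINE AUTHINFO('USE.LDAP') +
   AUTHTYPE(IDPWLDAP) +
*  LDAPPWD('********') +
   AUTHORMD(OS) +
   REPLACE
EOF
}

tmp="$(mktemp)"; sample_mqsc > "$tmp"
ldap_status "$tmp" || echo "LDAP is not used for both authentication and authorization"
rm -f "$tmp"
```

To check a real backup, call `ldap_status backup.mqsc`; a non-zero exit status means the tasks that follow are still needed.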
To modify the authorization and authentication to use LDAP, complete the following tasks: