Setting authorizations
How you use the short name or USRFIELD to set authorizations.
The approach of working with multiple formats, described in LDAP authorization on Multiplatforms, continues into the authorization commands, with a further extension that either the shortname or the USRFIELD can be used in an unadorned fashion.
If you pass a principal name to the OAM for authorization that is potentially a shortname, the character string must fit into 12 characters. The mapping algorithm first tries to resolve it to a DN using the SHORTUSR attribute in its LDAP query. If that fails with an UNKNOWN_ENTITY error, or if the given string cannot possibly be a shortname, a further attempt is made using the USRFIELD attribute to construct the LDAP query.
For processing user authorizations, the following setmqaut command settings are all equivalent.

Command | Note
---|---
setmqaut -m QM -t qmgr -p jodoe +connect | This is a flat, unqualified name, resolved through SHORTUSR.
setmqaut -m QM -t qmgr -p JohnDoe1@yourcompany.com +connect | Also a flat, unqualified name, resolving via USRFIELD to the same entity.
setmqaut -m QM -t qmgr -p email=JohnDoe1@yourcompany.com +connect | Using a named attribute.
setmqaut -m QM -t qmgr -p "phone=1234567" +connect | Using another named attribute, which does not have to be any of those configured on the AUTHINFO object.

The same authorization can be granted with the MQSC command SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('JohnDoe1@yourcompany.com') AUTHADD(connect), or with the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_PRINCIPAL_ENTITY_NAMES element containing the string "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry".
When processing groups, there is no ambiguity about shortname processing, because there is no requirement to fit any form of a group name into 12 characters. Therefore, there is no equivalent of the SHORTUSR attribute for groups.

With the group attributes of the AUTHINFO object set as follows:

GRPFIELD(longname) BASEDNG(ou=groups,o=yourcompany,c=yourcountry) CLASSGRP(groupOfNames)
the following setmqaut command settings are all equivalent.

Command | Note
---|---
setmqaut -m QM -t qmgr -g ApplicationGroupA +connect | Using GRPFIELD to resolve.
setmqaut -m QM -t qmgr -g longname=ApplicationGroupA +connect | Naming a single attribute.
setmqaut -m QM -t qmgr -g "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry" +connect | Using the full DN.

The same authorization can be granted with the MQSC command SET AUTHREC OBJTYPE(QMGR) GROUP('ApplicationGroupA') AUTHADD(connect), or with the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_GROUP_ENTITY_NAMES element containing the string "ApplicationGroupA".
Whichever format you use to refer to a name, whether for user or group, it must be possible to derive a unique DN. So, for example, you must not have two distinct records that both have "shortu=jodoe". If a single unique DN cannot be determined, the OAM returns MQRC_UNKNOWN_ENTITY.
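The resolution order described earlier on this page (SHORTUSR for a string of at most 12 characters, then USRFIELD, with a named attribute or a full DN accepted as well), the group mapping through GRPFIELD, and the uniqueness requirement just stated, modelled in Python as an added illustration. This is not IBM MQ code. The user-side AUTHINFO values SHORTUSR(shortu), USRFIELD(email) and BASEDNU, the in-memory directory entries, and the audit helper find_ambiguous are assumptions constructed for this example; the group settings reuse the GRPFIELD and BASEDNG values given above.

```python
"""Toy model of how the OAM maps a principal or group string to a unique LDAP DN.

Added illustration, not IBM MQ code. The AUTHINFO values for users, the attribute
names and the directory entries below are constructed for this example.
"""

SHORTNAME_MAX = 12  # a shortname must fit into 12 characters


class UnknownEntity(Exception):
    """Raised where the OAM would return MQRC_UNKNOWN_ENTITY."""


# Assumed AUTHINFO settings (group values as on the page, user values are assumptions)
AUTHINFO = {
    "SHORTUSR": "shortu",
    "USRFIELD": "email",
    "BASEDNU": "ou=users,o=yourcompany,c=yourcountry",
    "GRPFIELD": "longname",
    "BASEDNG": "ou=groups,o=yourcompany,c=yourcountry",
}

# Constructed directory: DN -> attribute name -> list of values
DIRECTORY = {
    "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry": {
        "shortu": ["jodoe"],
        "email": ["JohnDoe1@yourcompany.com"],
        "phone": ["1234567"],
    },
    "cn=JaneRoe,ou=users,o=yourcompany,c=yourcountry": {
        "shortu": ["jaroe"],
        "email": ["JaneRoe1@yourcompany.com"],
    },
    "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry": {
        "longname": ["ApplicationGroupA"],
    },
}


def _search(directory, base_dn, attr, value):
    """Emulate an LDAP equality search for attr=value below base_dn; return matching DNs."""
    return [
        dn
        for dn, attrs in directory.items()
        if dn.lower().endswith("," + base_dn.lower()) and value in attrs.get(attr, [])
    ]


def _unique(hits, name):
    """The OAM needs exactly one DN; zero or several hits is MQRC_UNKNOWN_ENTITY."""
    if len(hits) != 1:
        raise UnknownEntity(f"{name!r}: {len(hits)} matching entries, expected exactly 1")
    return hits[0]


def _resolve(directory, name, base_dn, flat_attrs):
    """Shared logic: full DN, then attr=value, then the flat-name attributes in order.

    Simplification: a string containing both '=' and ',' is taken to be a full DN.
    """
    if "=" in name and "," in name:            # full DN: must exist exactly as given
        if name in directory:
            return name
        raise UnknownEntity(f"{name!r}: no such DN")
    if "=" in name:                             # named attribute; any attribute is allowed
        attr, _, value = name.partition("=")
        return _unique(_search(directory, base_dn, attr, value), name)
    for attr in flat_attrs:                     # flat name: try each attribute in turn
        hits = _search(directory, base_dn, attr, name)
        if len(hits) == 1:
            return hits[0]
    raise UnknownEntity(f"{name!r}: no unique DN via {flat_attrs}")


def resolve_principal(name, directory=DIRECTORY, authinfo=AUTHINFO):
    """Map a -p / PRINCIPAL value to a DN: SHORTUSR first if it could be a shortname, then USRFIELD."""
    flat_attrs = []
    if len(name) <= SHORTNAME_MAX:
        flat_attrs.append(authinfo["SHORTUSR"])
    flat_attrs.append(authinfo["USRFIELD"])
    return _resolve(directory, name, authinfo["BASEDNU"], flat_attrs)


def resolve_group(name, directory=DIRECTORY, authinfo=AUTHINFO):
    """Map a -g / GROUP value to a DN; groups have no shortname form, only GRPFIELD."""
    return _resolve(directory, name, authinfo["BASEDNG"], [authinfo["GRPFIELD"]])


def find_ambiguous(directory, base_dn, attr):
    """Audit check: values of attr below base_dn that belong to more than one entry."""
    seen = {}
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        for value in attrs.get(attr, []):
            seen.setdefault(value, []).append(dn)
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


# Constructed directory with the mistake the page warns about: two entries with shortu=jodoe
AMBIGUOUS_DIRECTORY = dict(DIRECTORY)
AMBIGUOUS_DIRECTORY["cn=JoDoe2,ou=users,o=yourcompany,c=yourcountry"] = {
    "shortu": ["jodoe"],
    "email": ["JoDoe2@yourcompany.com"],
}

if __name__ == "__main__":
    dn = "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry"
    for form in ["jodoe", "JohnDoe1@yourcompany.com", "email=JohnDoe1@yourcompany.com",
                 "phone=1234567", dn]:
        print(f"{form!r:50} -> {resolve_principal(form)}")
    print("duplicate shortnames:", find_ambiguous(AMBIGUOUS_DIRECTORY, AUTHINFO["BASEDNU"], "shortu"))
```

Running find_ambiguous over the SHORTUSR attribute before enabling LDAP authorization is the practical check for the uniqueness rule: any value it reports will make the OAM return MQRC_UNKNOWN_ENTITY for that shortname, and the flat-name fallback to USRFIELD does not rescue it because the shortname is not a USRFIELD value.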