Creating a security profile for LDAP
Create a security profile for use with Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS), by using the mqsicreateconfigurableservice command.
Before you begin
- IBM® Tivoli® Directory Server
- Microsoft Active Directory
- OpenLDAP.
About this task
If your LDAP directory does not permit login by unrecognized user IDs, and does not grant search access rights on the subtree, you must also set up a separate authorized login ID that the integration node can use for the search. For information on how to do this, see Configuring authorization with LDAP or Authenticating incoming requests with LDAP.
Creating a security profile using mqsicreateconfigurableservice
About this task
You can use the mqsicreateconfigurableservice command to create a security profile that uses LDAP for authentication, authorization, or both. The security profile ensures that each message has an authenticated ID and is authorized for the message flow.
Procedure
- Open a command window that is configured for your environment.
- Enter the mqsicreateconfigurableservice command
on the command line. For example:
mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP -n authentication,authenticationConfig,authorization,authorizationConfig,propagation,rejectBlankpassword -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP, \"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE,TRUE
You must enclose the LDAP URL (which contains commas) with escaped double quotation marks (
\"
and\"
) so that the URL commas are not confused with the comma separator of the value parameter of mqsicreateconfigurableservice.If the LDAP URL includes an element name with a space, in this case
cn=All Sales
, the set of values after the -v flag must be enclosed by double quotation marks, ("
)For more information about the structure of the command, refer to the mqsicreateconfigurableservice command.
You can define the security-specific parts of the command in the following way:
- Set the authentication to LDAP.
This ensures that the incoming identity is validated.
- Set the authenticationConfig using
the following syntax:
ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]
For example:
ldap://ldap.acme.com:389/ou=sales,o=acme.com ldaps://localhost:636/ou=sales,o=acme?cn?base
- ldap:
- (Required) Fixed protocol string.
- s:
- (Optional) Specifies whether SSL should be used. Default is not to use SSL.
- server:
- (Required) The name or IP address of the LDAP server to contact.
- port:
- (Optional) The port to connect to. Default is 389 (non-SSL). For LDAP servers with SSL enabled, the port is typically 636.
- baseDN
- (Required) String defining the base distinguished name (DN) of all users in the directory. If users exist in different subtrees, specify a common subtree under which a search on the username uniquely resolves to the required user entry, and set the sub attribute.
- uid_attr:
- (Optional) String defining the attribute to which the incoming username maps, typically uid, CN, or email address. Default is uid.
- base|sub:
- (Optional) Defines whether to perform a base or subtree search. If base is defined, the authentication is faster because the DN of the user can be constructed from the uid_att, username, and baseDN values. If sub is selected, a search must be performed before the DN can be resolved. Default is sub.
- (Optional) To specify that you want the security manager
to reject a user name during authentication if the user name has an
empty password token, set rejectBlankpassword to TRUE.
The default is FALSE, which means that a user name is authenticated against the LDAP server even if it has an empty password token.
- (Optional) To specify the way that the password is displayed
in the properties folder, set passwordValue to
one of the following values:
- PLAIN
- The password is displayed in the Properties folder as plain text.
- OBFUSCATE
- The password is displayed in the Properties folder as base64 encoding.
- MASK
- The password is displayed in the Properties folder as four asterisks (****).
- Set authorization to LDAP.
This ensures that the incoming identity is checked for group membership in LDAP.
- Set authorizationConfig using the
following syntax:
ldap[s]://server[:port]/groupDN[?[member_attr] [?[base|sub][?[x-userBaseDN=baseDN, x-uid_attr=uid_attr]]]]
For example:
ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups, o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com, x-uid_attr=emailaddress
- ldap:
- (Required) Fixed protocol string
- s:
- (Optional) Specifies whether SSL is used. Default is not to use SSL.
- server:
- (Required) The name or IP address of the LDAP server to contact.
- port:
- (Optional) The port to connect to. Default is 389 (non-SSL). For LDAP servers with SSL enabled, the port is typically 636.
- groupDN
- (Required) Fully defined distinguished name (DN) of the group in which users must be members to be granted access. You can specify multiple group DNs by using the following formats:
Authorization succeeds if the user is a member of any of the groups that are specified. For example:|(groupDN1)(groupDN2)(groupDN3)...(groupDNn)
ldap://ldap.acme.com:389/|(cn=UK Sales,ou=acmegroups,o=acme.com)(cn=US Sales,ou=acmegroups,o=acme.com)?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
Authorization succeeds if the user is a member of all the groups that are specified. For example:&(groupDN1)(groupDN2)(groupDN3)...(groupDNn)
ldap://ldap.acme.com:389/&(cn=UK Sales,ou=acmegroups,o=acme.com)(cn=US Sales,ou=acmegroups,o=acme.com)?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
- The UNIX command line interprets the
|
and&
characters as special characters. You must enclose multiple group DNs in double quotation marks, as shown in the following example:ldap://ldap.acme.com:389/"|(cn=UK Sales,ou=acmegroups,o=acme.com)(cn=US Sales,ou=acmegroups,o=acme.com)"?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
- member_attr:
- (Optional) The attribute of the group used to filter the search. Default is to look for both member and uniquemember attributes.
The following options are required only if authentication has not preceded the authorization, and if the authentication configuration string has not been specified. If the authentication configuration string has been specified, the following parameters are ignored and those provided by the baseDN, uid_attr, and [base|sub] for authentication are used instead:- base|sub:
- Defines whether to perform a base or subtree search. If base is defined, the authentication is faster because the DN of the user can be constructed from uid_att + username + baseDN. If sub is selected, a search must be performed before the DN can be resolved. Default is sub.
- baseDN
- String defining the base distinguished name of all users in the
directory. Must be preceded by the string
x-userBaseDN
. Any commas in the BaseDN must be rendered as%2c
. - x-uid_attr:
- String defining the attribute to which the incoming username should
map, typically uid, CN, or email address. Default is uid. Must be
preceded by the string
x-uid_attr
.
When you submit the command from a batch (.bat) file or command (.cmd) file, if the LDAP URL includes an extension with LDAP URL "percent hex hex" escaped characters (for example, a comma replaced by%2c
, or a space replaced by%20
), the percent signs must be escaped from the batch interpreter with an extra percent sign (%%
). For example:mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN -n authentication,authenticationConfig,authorization,authorizationConfig -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\", LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups, o=acme.com?report?base?x-BaseDN=ou=sales%%2co=acme.com, x-uid_attr=emailaddress\""
The selected group must be defined on the LDAP server, and all of the required users must be members of the group.
- Set the authentication to LDAP.
- If you need to reconfigure the security profile after it has been created, use the mqsichangeproperties command. You must stop and start the integration server for the change of property value to take effect.