Configuring credential mapping with local user groups by using the command line

Use the command line to configure the appliance to authorize users by using local user group definitions.

About this task

You can use commands to configure role based management such that the appliance uses local user groups for user authorization. You must create user groups as a separate operation.

You can specify that an LDAP directory is searched for the groups that the authenticated user belongs to, and the returned groups are then mapped onto local user groups. The LDAP query must search for groups that the user belongs to. Do not configure a search that looks for users in a particular group: if the search returns users, you will be mapping groups onto users rather than users onto groups.

Procedure

  1. Connect to the IBM® MQ Appliance as described in Command line access. Log in as an administrative user.
  2. Type config to enter global configuration mode.
  3. Type the following command to configure role based management:
    rbm
  4. Enter the following command to specify the local user group authorization method:
    mc-method local
  5. If you are using local user groups to authorize LDAP users, define an LDAP search that retrieves the user group for the authenticated user, which can in turn be mapped onto a local user group. Enter the following commands:
    1. Specify that you want to perform an LDAP search:
      mc-ldap-search on
    2. Specify the host and port for connecting to the LDAP server:
      mc-server-host host
      mc-server-port port
      Where host is the IP address or domain name of the LDAP server and port is usually 389, or 636 for an SSL connection.
    3. If you have configured a load balancer group for LDAP access and created a profile, specify the profile by using the following command:
      mc-loadbalancer-group name
      Where name is the name of the load balancer group profile.
    4. Specify the Distinguished Name and password that the appliance uses to bind to the LDAP server to perform the search by using the following commands. (Omit these commands if you are using an anonymous bind to access the LDAP server.)
      mc-ldap-bind-dn dn
      mc-ldap-bind-password password
      Where dn is the Distinguished Name and password is the password.
    5. Specify the LDAP search parameters by entering the following command:
      mc-ldap-parameters parameters_name
      Where parameters_name is the name of a set of LDAP search parameters that you have previously defined using the ldap-search-parameters command. Your search must look for the user group or groups that the authenticated user belongs to, and return one or more user group names.
    6. Specify a timeout for the LDAP search. This is the time that the appliance waits for a response from the LDAP server before closing the connection. The default is 60 seconds. Specify 0 to never time out.
      mc-ldap-readtimeout timeout
      Where timeout specifies the duration of the timeout period.
    7. If you want to use an SSL (TLS) connection to the LDAP server, specify an SSL client profile to use by entering the following commands:
      ssl-client-type client
      ssl-client client_profile
      Where client_profile is the name of a client profile that you have previously created.
  6. Save your configuration and exit.

Example

The following example configures the appliance to use the authorization details defined by local user groups.

mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration

mqa(config rbm)# mc-method local
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.

The following commands configure the appliance to use the authorization details defined by local user groups, performing an LDAP search to retrieve user group names from an LDAP repository:

mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration

mqa(config rbm)# mc-method local
mqa(config rbm)# mc-ldap-search on
mqa(config rbm)# mc-server-host LDAP_serv1
mqa(config rbm)# mc-server-port 389
mqa(config rbm)# mc-ldap-bind-dn "cn=proxyuser"
mqa(config rbm)# mc-ldap-bind-password p@Ssw0rd
mqa(config rbm)# mc-ldap-parameters ldap1-MC
mqa(config rbm)# mc-ldap-readtimeout 120
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.
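The following script is an added example, not part of the IBM documentation or the appliance itself. It simulates the group lookup that the LDAP search parameters (step 5.5) define, against a small constructed directory, and shows the check a practitioner would want for the caveat in the task description: a filter that returns user entries instead of groups is rejected rather than silently mapped. The directory entries, the {userdn} placeholder and the LOCAL_GROUP_MAP names are all assumptions made for the example.

```python
# Constructed directory entries (dn, attributes); not from any real LDAP server.
DIRECTORY = [
    ("uid=alice,ou=people,dc=example,dc=com",
     {"objectClass": ["person"], "uid": ["alice"],
      "memberOf": ["cn=mq-admins,ou=groups,dc=example,dc=com"]}),
    ("cn=mq-admins,ou=groups,dc=example,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["mq-admins"],
      "member": ["uid=alice,ou=people,dc=example,dc=com"]}),
    ("cn=mq-readers,ou=groups,dc=example,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["mq-readers"],
      "member": ["uid=alice,ou=people,dc=example,dc=com",
                 "uid=bob,ou=people,dc=example,dc=com"]}),
]

# Assumed mapping from a returned LDAP group name to a local user group on the appliance.
LOCAL_GROUP_MAP = {"mq-admins": "appliance-admins", "mq-readers": "appliance-readers"}


def matches(attrs, flt):
    """Evaluate a minimal LDAP filter: equality terms and (&...) conjunctions only."""
    flt = flt.strip()
    if flt.startswith("(&"):
        inner, terms, depth, start = flt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):  # split into top-level sub-filters
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    terms.append(inner[start:i + 1])
        return all(matches(attrs, t) for t in terms)
    attr, _, value = flt[1:-1].partition("=")  # split on the first '=' only
    return value in attrs.get(attr, [])


def map_user_to_local_groups(user_dn, base_dn, filter_template, name_attr):
    """Run the simulated group search for user_dn and map the results onto local user groups.

    {userdn} in filter_template is replaced by the authenticated user's DN. Raises if the
    search returns user entries instead of groups (the misconfiguration the text warns about).
    """
    flt = filter_template.replace("{userdn}", user_dn)
    hits = [a for dn, a in DIRECTORY if dn.endswith(base_dn) and matches(a, flt)]
    if any("groupOfNames" not in a["objectClass"] for a in hits):
        raise ValueError("search returned user entries, not groups; fix the LDAP search parameters")
    names = [a[name_attr][0] for a in hits]
    return sorted(LOCAL_GROUP_MAP[n] for n in names if n in LOCAL_GROUP_MAP)
```

A correct parameter set searches the groups subtree with a filter such as (&(objectClass=groupOfNames)(member={userdn})) and returns the cn attribute; a search of the people subtree filtered by memberOf returns the user entry and is rejected.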

What to do next

After specifying the credential mapping method, you can next configure the password policy for your local users (password policy does not apply to other user types).