Configuring credential mapping with local user groups by using the Web UI

Configure the appliance to authorize users by using local user group definitions.

About this task

You can use the IBM® MQ Appliance web UI to configure role-based management such that the appliance uses local user groups for user authorization. You define the local user groups in a separate procedure; see Configuring local user groups by using the web UI.

You can specify that an LDAP directory is searched for the groups that the authenticated user belongs to; the returned groups are then mapped onto local user groups. The LDAP query should search for groups that the user belongs to. Do not configure a search that looks for users in a particular group: if the search returns users, you will be attempting to map groups onto users rather than users onto groups.

Procedure

  1. Start the IBM MQ Appliance web UI and click the Administration icon.
  2. Select Access > RBM Settings.
  3. Ensure that Enable administrative state is selected (it is selected by default) and click Credential-mapping to view the authentication options.
  4. Select a Credential-mapping method of Local user group.
  5. If you have defined a user authentication method of LDAP, then you must select Search LDAP for group name. You must then supply the details for connecting to the LDAP server:
    1. Specify the Server host and the Server port for connecting to the LDAP server (the server port is usually 389, or 636 for an SSL connection).
    2. If you have configured a load balancer group for LDAP access and created a profile, specify it in the Load balancer group field. Alternatively, click the plus icon to open the Load Balancer Group dialog to specify a profile for your load balancer group.
    3. Specify the DN that the appliance uses to bind to the LDAP server to perform the search in the LDAP bind DN field. Specify the password alias in the LDAP bind password alias field. Click the plus icon to create a password alias if you have not already created one. (Leave these fields blank if you are using an anonymous bind to access the LDAP server.)
    4. Specify the LDAP search parameters. You can enter these directly, or you can click the plus icon to open the LDAP Search Parameters dialog. Your search must look for the user group or groups that the authenticated user belongs to, and return one or more user group names.
    5. Specify an LDAP read timeout. This is the time that the appliance will attempt to connect to the LDAP server before closing the connection. The default is 60 seconds. Specify 0 to never time out.
    6. If you want to use an SSL (TLS) connection to the LDAP server, select an SSL client type of Client profile. If you have already defined a profile, select the profile name from the SSL client profile list. Alternatively, click the plus icon to open the SSL Client Profile dialog and create a new SSL client profile.
  6. Click Apply to apply your changes.
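The following is an added example, not part of the IBM documentation and not the appliance's own code. It models the mapping step that the search in step 5 feeds: a search of the correct shape returns the groups that the authenticated user is a member of, which are then mapped onto local user groups, whereas a search of the wrong shape (users inside one group) returns user entries and must be rejected rather than mapped. The sample entries, attribute names (objectClass, member, cn) and local group names are constructed assumptions.

```python
# Added example (not from the IBM MQ Appliance documentation). Entry shapes,
# attribute names and local group names below are constructed assumptions.

# Constructed sample LDAP entries: (dn, attributes). Two groups and one user.
SAMPLE_ENTRIES = [
    ("cn=mqadmins,ou=groups,dc=example,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["mqadmins"],
      "member": ["uid=alice,ou=people,dc=example,dc=com"]}),
    ("cn=mqreaders,ou=groups,dc=example,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["mqreaders"],
      "member": ["uid=alice,ou=people,dc=example,dc=com",
                 "uid=bob,ou=people,dc=example,dc=com"]}),
    ("uid=alice,ou=people,dc=example,dc=com",
     {"objectClass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice"]}),
]

def search_groups_of_user(entries, user_dn):
    """Correct search shape: the groups that list the authenticated user as a member."""
    return [(dn, attrs) for dn, attrs in entries
            if user_dn in attrs.get("member", [])]

def search_members_of_group(entries, group_dn):
    """Wrong search shape (what the text warns against): the users inside one group."""
    members = next(attrs["member"] for dn, attrs in entries if dn == group_dn)
    return [(dn, attrs) for dn, attrs in entries if dn in members]

def map_to_local_groups(results, local_groups, name_attr="cn"):
    """Map the group names returned by the search onto the appliance's local user
    groups. Any non-group entry raises ValueError, so a misconfigured search that
    returns users cannot silently be mapped onto local groups."""
    mapped = []
    for dn, attrs in results:
        if "groupOfNames" not in attrs.get("objectClass", []):
            raise ValueError(f"search returned a non-group entry: {dn}")
        for name in attrs.get(name_attr, []):
            if name in local_groups:   # names with no local group are ignored
                mapped.append(name)
    return mapped

# Local user groups assumed to be defined on the appliance (constructed).
LOCAL_GROUPS = {"mqadmins", "mqreaders", "operators"}
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
MQREADERS_DN = "cn=mqreaders,ou=groups,dc=example,dc=com"

if __name__ == "__main__":
    print(map_to_local_groups(search_groups_of_user(SAMPLE_ENTRIES, ALICE_DN),
                              LOCAL_GROUPS))
```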

What to do next

After specifying the credential mapping method, you can next configure the password policy for your local users (password policy does not apply to other user types).