Configuring credential mapping with an XML file by using the web UI

Configure the appliance to authorize users by using access policies that are defined in an XML file.

About this task

You can use the IBM® MQ Appliance web UI to configure role based management such that the appliance uses access policies that are defined in an XML file.

You can specify that an LDAP directory is searched for groups that the authenticated user belongs to, then the returned groups are mapped onto access policies in the XML file. The LDAP query should search for groups that the user belongs to. Do not configure a search that looks for users in a particular group; if the search returns users you will be attempting to map groups onto users, rather than users onto groups.

Procedure

  1. Start the IBM MQ Appliance web UI and click the Administration icon.
  2. Select Access > RBM Settings.
  3. Ensure that Administrative state is On and click the Credential-mapping tab to view the authentication options.
  4. Select a Credential-mapping method of XML file.
  5. If you already defined an XML file, enter its path in XML file URL.
  6. If you have defined a user authentication method of LDAP, select Search LDAP for group name to look up an attribute (usually the distinguished name) of each group the user belongs to. These attributes are then used as the input credential to the XML file. Otherwise, the distinguished name of the user is used as the input credential. If you select this option, you must then supply the details for connecting to the LDAP server:
    1. Specify the Server host and the Server port for connecting to the LDAP server (server port is usually 389, or 636 for an SSL connection).
    2. If you have configured a load balancer group for LDAP access and created a profile, specify it in the Load balancer group field. Alternatively, click the plus icon to open the Load Balancer Group tab and specify a profile for your load balancer group, see Creating a load balancer group profile by using the web UI. You can leave this field blank if you are using a single LDAP server.
    3. Specify the DN that the appliance uses to bind to the LDAP server to perform the search in the LDAP bind DN field. Specify the password alias in the LDAP bind password alias field. Click the plus icon to create a password alias if you have not already created one. (Leave these fields blank if you are using an anonymous bind to access the LDAP server.)
    4. Specify the LDAP search parameters. You can enter these parameters directly, or you can click the plus icon to open the LDAP Search Parameters dialog. Your search must look for the user group or groups that the authenticated user belongs to, and return one or more user group names.
    5. Specify an LDAP read timeout. The timeout is the time that the appliance will attempt to connect to the LDAP server before closing the connection. The default is 60 seconds. Specify 0 to never time out.
    6. If you want to use a TLS connection to the LDAP server, select a TLS client type of Client profile. If you have already defined a profile, select the profile name from the TLS client profile list. Alternatively, click the plus icon to open the TLS Client Profile dialog and create a new TLS client profile, see Creating a TLS client profile by using the web UI.
  7. Click Apply to apply your changes.
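The following added example (not IBM's code, and not the appliance's XML schema) illustrates the rule from "About this task" and step 4 of the LDAP search parameters: the search must return the group DNs that the authenticated user belongs to, because those DNs are the credentials matched against the policy file. It uses a constructed in-memory directory and a constructed, hypothetical policy XML layout, and shows why a search that returns users instead of groups matches nothing.

```python
import xml.etree.ElementTree as ET

# Constructed directory: group entries keyed by DN, each with a 'member' list.
DIRECTORY = {
    "cn=mqadmins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=mqreaders,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"]},
}

# Constructed access-policy file; the element layout is hypothetical,
# not the appliance's real format.
POLICY_XML = """<policies>
  <policy credential="CN=mqadmins, OU=groups, DC=example, DC=com" access="r+w+x"/>
  <policy credential="cn=mqreaders,ou=groups,dc=example,dc=com" access="r"/>
</policies>"""

def norm_dn(dn):
    """Normalise a DN for comparison: case-insensitive, no space after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def groups_for_user(user_dn):
    """Correct search: groups whose 'member' attribute contains the user DN."""
    user = norm_dn(user_dn)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if user in map(norm_dn, attrs.get("member", [])))

def users_in_group(group_dn):
    """The search the text warns against: it returns user DNs, not group DNs."""
    return sorted(DIRECTORY.get(group_dn, {}).get("member", []))

def map_credentials(credentials, policy_xml=POLICY_XML):
    """Match each input credential DN against the policy file. Unmatched
    credentials yield no policy, which is how a user-returning search fails."""
    table = {norm_dn(p.get("credential")): p.get("access")
             for p in ET.fromstring(policy_xml).iter("policy")}
    return {c: table[norm_dn(c)] for c in credentials if norm_dn(c) in table}
```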

What to do next

After you specify the credential mapping method, you can next configure the password policy for your local users (password policy does not apply to other user types).