User authentication with LDAP

You can configure the IBM® MQ Appliance to authenticate users by using an LDAP server.

CAUTION:
Read the topic Important: avoiding user lock out when configuring role based management before you attempt to set up authentication with LDAP.
You have a number of options when you are using an LDAP server:
Using credentials directly
You can use your users' credentials directly to bind to the LDAP server. In this case, your user names must be part of the X.500 distinguished names (DN) that the LDAP server uses to identify directory entries. You specify the remainder of the DN as part of the configuration. Typically, the user would log in using the common name (CN) part of the distinguished name. The appliance prefixes the user name with cn= and suffixes it with a comma and the remaining distinguished name elements that are common to all appliance users.

For example, your user might log in with the user name Robin Dalemain, which is the CN part of their DN. You have configured the suffix to be dc=appliance203, dc=com. When Robin attempts to log in to the appliance, the distinguished name cn=Robin Dalemain, dc=appliance203, dc=com is used, together with Robin's password, to connect to the LDAP server. If Robin's credentials successfully bind to the LDAP server, then Robin is authenticated and can access the appliance.

Looking up users in LDAP
You can configure the appliance so that users enter a user name that is not part of their DN. You specify search parameters so that this user name can be passed to the LDAP server and used to look up the user's distinguished name, which is then used with the entered password to authenticate the user. To look up a user's distinguished name, the appliance can either bind to the LDAP server anonymously, or you can specify a bind ID and a password alias for it to use.

For example, Robin Dalemain might have the user name RWD123. When Robin attempts to log in to the appliance, Robin's user name is sent to the LDAP server and the distinguished name for Robin's entry is returned. That distinguished name and the entered password are then used to bind to the LDAP server, and the result of the bind determines whether Robin can access the appliance.

Using TLS (SSL)
You can specify that the appliance acts as a TLS (SSL) client when connecting to the LDAP server. If you use this option, user credentials are encrypted when they are sent to the LDAP server, so user passwords are never sent across the network in plain text.
Using load balancing
You can specify that the appliance uses a pool of LDAP servers rather than a single server, and configure how the load is balanced between the LDAP servers in the pool.
Specifying fallback users
It is important that you specify one or more fallback users. These are local users who can log in to the appliance if you lose the connection with your LDAP server.
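
The following Python program is an added illustration of the three behaviours described above (direct bind, lookup-then-bind with an anonymous bind or a bind ID, and local fallback users when the LDAP server is unreachable). It is not the appliance's own code and not part of the IBM documentation: the LDAP server is a constructed in-memory stand-in, the directory entries, user names, passwords and the bind ID cn=svc-lookup are constructed sample values, and the class and function names are assumptions. It also goes a little beyond the text by escaping the user name before it is placed into the DN (RFC 4514) or into the search filter (RFC 4515), and by refusing a login when the lookup does not return exactly one entry, because a user-supplied name must not be able to change the shape of the DN or the filter the appliance builds from it.

```python
"""Simulated MQ Appliance LDAP authentication: direct bind, lookup-then-bind and
local fallback users. Constructed for illustration; not the appliance's implementation."""
import hmac
import re


def escape_dn_value(value: str) -> str:
    """Escape a user name used as the value of an RDN (RFC 4514), so that a name
    containing ',' or '=' cannot add or alter components of the composed DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a user name used inside a search filter (RFC 4515), so that '*', '('
    and ')' match literally instead of acting as wildcard or filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _unhex(s: str) -> str:
    """Undo RFC 4515 hex escapes (\\2a -> '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)


class FakeLdapServer:
    """Constructed stand-in for an LDAP server; entries are keyed by DN."""

    def __init__(self, entries, available=True):
        self.entries, self.available = entries, available

    def bind(self, dn, password):
        """Simple bind; dn=None models an anonymous bind."""
        if not self.available:
            raise ConnectionError("LDAP server unreachable")
        if dn is None:
            return True
        entry = self.entries.get(dn)
        return entry is not None and _same(entry["userPassword"], password)

    def search(self, base, ldap_filter):
        """Only '(attr=value)' filters are simulated: an unescaped '*' is a wildcard,
        hex escapes in the value are literal. Returns the matching DNs below base."""
        if not self.available:
            raise ConnectionError("LDAP server unreachable")
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError("only (attr=value) filters are simulated")
        attr, raw = m.groups()
        pattern = ".*".join(re.escape(_unhex(part)) for part in raw.split("*"))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and attr in e and re.fullmatch(pattern, e[attr])]


class ApplianceLdapAuth:
    """lookup=None: bind directly as cn=<user name>, <suffix>.
    lookup={...}: search for the user's DN first, anonymously or with a bind ID."""

    def __init__(self, server, suffix, lookup=None, fallback_users=None):
        self.server, self.suffix, self.lookup = server, suffix, lookup
        self.fallback_users = fallback_users or {}

    def _lookup_dn(self, username):
        cfg = self.lookup
        if not self.server.bind(cfg.get("bind_dn"), cfg.get("bind_password")):
            raise PermissionError("bind ID for the DN lookup was rejected")
        hits = self.server.search(cfg["search_base"],
                                  f"({cfg['attribute']}={escape_filter_value(username)})")
        return hits[0] if len(hits) == 1 else None  # missing or ambiguous: refuse

    def authenticate(self, username, password):
        """Returns (success, how). Fallback users are consulted only when the LDAP
        server cannot be reached, never as an alternative to a failed bind."""
        try:
            if self.lookup is None:
                dn = f"cn={escape_dn_value(username)}, {self.suffix}"
            else:
                dn = self._lookup_dn(username)
                if dn is None:
                    return False, "no unique directory entry"
            return self.server.bind(dn, password), "ldap"
        except ConnectionError:
            expected = self.fallback_users.get(username)
            if expected is not None and _same(expected, password):
                return True, "fallback"
            return False, "ldap unavailable"


# Constructed sample directory and configuration (not real credentials).
SUFFIX = "dc=appliance203, dc=com"
DIRECTORY = FakeLdapServer({
    "cn=Robin Dalemain, dc=appliance203, dc=com": {"uid": "RWD123", "userPassword": "s3cret"},
    "cn=Alex Tan, dc=appliance203, dc=com": {"uid": "ATN007", "userPassword": "pa55"},
    "cn=svc-lookup, dc=appliance203, dc=com": {"userPassword": "lookup-pw"},
})
LOOKUP_ANON = {"search_base": SUFFIX, "attribute": "uid"}  # no bind_dn: anonymous bind
LOOKUP_BIND_ID = {**LOOKUP_ANON, "bind_dn": "cn=svc-lookup, dc=appliance203, dc=com",
                  "bind_password": "lookup-pw"}
FALLBACK = {"admin": "local-pw"}


def direct_bind_auth(server=DIRECTORY):
    return ApplianceLdapAuth(server, SUFFIX, fallback_users=FALLBACK)


def lookup_auth(server=DIRECTORY, lookup=LOOKUP_BIND_ID):
    return ApplianceLdapAuth(server, SUFFIX, lookup=lookup, fallback_users=FALLBACK)


if __name__ == "__main__":
    print(direct_bind_auth().authenticate("Robin Dalemain", "s3cret"))
    print(lookup_auth().authenticate("RWD123", "s3cret"))
    print(direct_bind_auth(FakeLdapServer({}, available=False)).authenticate("admin", "local-pw"))
```

Two points are worth noticing when running it. A user name of `*` submitted in lookup mode is escaped to `\2a` and so finds no entry, whereas the same character unescaped in a filter would match every user and the lookup would be ambiguous; the code refuses anything but exactly one hit. And a fallback user is accepted only on ConnectionError, so a wrong LDAP password is never silently retried against the local user list.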

After you have configured how users are authenticated using LDAP, you must go on to specify how authenticated users are authorized to use the appliance resources. You do this by configuring credential mapping.