Configuring direct authentication with LDAP by using the command line

Use the command line to configure the appliance to pass user credentials to the LDAP server and use them as the bind credentials.

Before you begin

CAUTION:
Read the topic Important: avoiding user lock out when configuring role based management before you attempt to set up authentication with LDAP.

About this task

You can use commands to configure role based management such that the appliance uses the user's credentials directly to bind to the LDAP server. If the bind succeeds, the user who is attempting to log in to the appliance is authenticated. See User authentication with LDAP for a description of this method of authentication.

Procedure

  1. Connect to the IBM MQ Appliance as described in Command line access. Log in as an administrative user.
  2. Type config to enter global configuration mode.
  3. Type the following command to configure role based management:
    rbm
  4. Enter the following command to specify the LDAP authentication method:
    au-method ldap
  5. Specify the host name of the LDAP server (you can use a host alias if you have defined one):
    au-server-host host
  6. Specify the port to use when connecting to the LDAP server:
    au-server-port port
    The usual port for an LDAP server is 389, or 636 for an SSL connection.
  7. Specify the LDAP version that is used to access the LDAP server for RBM authentication:
    ldap-version version
    Where version is v2 or v3. The default value is v2.
  8. Optionally specify a load balancer group. (See Creating a load balancer group profile by using the command line for details of how to create a load balancer group):
    loadbalancer-group name
  9. Specify the string that is prefixed to the user name (for example, cn=):
    ldap-prefix prefix
  10. Specify the string that is appended to the user name (for example, dc=appliance123, dc=com):
    ldap-suffix suffix
  11. Specify the time, in seconds, that RBM authentication waits for a response from the LDAP server. The default value is 60. A value of 0 indicates that the wait never times out:
    au-ldap-readtimeout seconds
  12. If you need a secure connection with your LDAP server, you must specify an SSL client type of client, and the name of your SSL client profile. See Creating a TLS client profile by using the command line for details of how to create an SSL client profile:
    ssl-client-type client
    ssl-client name
  13. Optionally specify fallback users who can log in to the appliance if the LDAP server is not available. Fallback users must already have been added as local users to the appliance. You can specify that all local users are fallback users by entering the following command:
    fallback-login local
    Alternatively, you can specify one or more particular users by entering the following commands:
    fallback-login restricted
    fallback-user localuser1
    fallback-user localuser2
    ...
    fallback-user localuserN
    
  14. Alter the default LDAP cache settings, if required. By default, the appliance caches the results of authentication attempts for 600 seconds, but you can change the caching mode and the caching duration by entering the following commands:
    au-cache-mode mode
    au-cache-ttl seconds
    Where mode is one of:
    absolute

    Caches the results of user authentications for a period of time specified by the au-cache-ttl command (the explicit time-to-live). This is the default setting.

    disabled

    Disables caching. The appliance will not cache any results and instead always authenticates every time a user requests access.

    maximum

    Compares the explicit TTL to the TTL contained in the response (if any) and caches authentication results for the maximum of the two values.

    minimum

    Compares the explicit TTL to the TTL contained in the response (if any) and caches authentication results for the minimum of the two values.

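The following Python helper is an added example, not part of the IBM documentation or the appliance software. It models two pieces of the behaviour described in the procedure so that you can check a planned configuration before committing it: how the bind ID is assembled from ldap-prefix, the user name and ldap-suffix (the example assumes the appliance inserts a comma between the user name and the suffix, as the Example section below shows), and how each au-cache-mode value combines the explicit au-cache-ttl with a TTL returned by the server. It also flags user names containing RFC 4514 DN special characters, which are worth reviewing because the page does not say whether the appliance escapes them.

```python
from typing import Optional

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
DN_SPECIAL = set(',+"\\<>;=')


def build_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Return the bind ID formed as ldap-prefix + user name + ldap-suffix.

    Assumption (not stated explicitly on the page): a comma separates the
    user name from the suffix unless the suffix already starts with one.
    """
    suffix = suffix.strip()
    sep = "" if suffix.startswith(",") else ","
    return f"{prefix}{username}{sep}{suffix}"


def needs_escaping(username: str) -> bool:
    """True if the raw user name contains DN special characters.

    Such a name would not form a simple single-RDN bind DN when inserted
    verbatim, so it should be reviewed before the configuration is relied on.
    """
    return any(ch in DN_SPECIAL for ch in username)


def effective_cache_ttl(mode: str, explicit_ttl: int, response_ttl: Optional[int]) -> int:
    """Return the number of seconds an authentication result is cached.

    Mirrors the au-cache-mode values described in step 14:
    absolute -> explicit TTL; disabled -> 0 (every request re-authenticates);
    maximum / minimum -> the larger / smaller of the explicit TTL and the
    TTL in the server response, or the explicit TTL if none was returned.
    """
    if mode == "absolute":
        return explicit_ttl
    if mode == "disabled":
        return 0
    if mode in ("maximum", "minimum"):
        if response_ttl is None:
            return explicit_ttl
        return max(explicit_ttl, response_ttl) if mode == "maximum" else min(explicit_ttl, response_ttl)
    raise ValueError(f"unknown au-cache-mode: {mode}")


if __name__ == "__main__":
    # Constructed sample values taken from the page's Example section.
    dn = build_bind_dn("cn=", "Robin Dalemain", "dc=appliance123,dc=com")
    print(dn, "needs review" if needs_escaping("Robin Dalemain") else "ok")
    print("minimum mode, explicit 600, response 30 ->", effective_cache_ttl("minimum", 600, 30))
```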
Example

The following example configures the appliance to use an LDAP server that is identified by the host alias ldap_host for user authentication. If a user attempts to log in with the user name Robin Dalemain, the string cn=Robin Dalemain, dc=appliance123, dc=com is passed to the LDAP server and used as the bind ID. Robin's password is used as the bind password. If the LDAP server is unavailable, any local appliance user can log in to the appliance.

mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration

mqa(config rbm)# au-method ldap
mqa(config rbm)# au-server-host ldap_host
mqa(config rbm)# au-server-port 389
mqa(config rbm)# ldap-version v3
mqa(config rbm)# ldap-prefix "cn="
mqa(config rbm)# ldap-suffix "dc=appliance123,dc=com"
mqa(config rbm)# fallback-login local
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.

What to do next

After you specify the user authentication method, you must next configure credential mapping.