Use the command line to configure the appliance to look up user details on an LDAP
server. To look up users, the appliance binds to the LDAP server by using credentials.
About this task
You can use commands to configure role-based management (RBM) so that the appliance looks up user
details in the LDAP server by using defined search parameters. To look up users, the appliance binds
to the LDAP server either with credentials that you define as part of the RBM configuration or with an
anonymous bind. See User authentication with LDAP for a description of this method of authentication.
Procedure
- Connect to the IBM MQ Appliance as described in Command line access. Log in as an administrative user.
- Type config to enter global configuration mode.
- Type the following command to configure role-based management:
  rbm
- Enter the following command to specify the LDAP authentication method:
  au-method ldap
- Specify the host name of the LDAP server (you can use a host alias if you have defined one):
  au-server-host host
- Specify the port to use when connecting to the LDAP server:
  au-server-port port
  The usual port for an LDAP server is 389, or 636 for an SSL/TLS connection. Port 636 on its own does
  not give you an encrypted connection; you must also set the SSL client type and profile in a later step.
- Specify the LDAP version that is used to access the LDAP server for RBM authentication:
  ldap-version version
  Where version is v2 or v3. The default value is v2. LDAPv2 is obsolete (retired by RFC 3494), so
  specify v3 unless your directory supports only v2.
- Optionally specify a load balancer group. (See Creating a load balancer group profile by using the command line for details of how
  to create a load balancer group.)
- Specify that the appliance will search the LDAP directory for user information:
  au-ldap-search on
- Specify the distinguished name used to bind to the LDAP server to perform the search:
  au-ldap-bind-dn dn
- Specify the password that is used for binding to the LDAP server. You should define a password
  alias, rather than entering the password directly (see password-map for details on creating a password
  alias):
  au-ldap-bind-password password_alias
  If you do not specify a bind DN and bind password, an anonymous bind is used for the search. Give the
  bind account only the read access it needs on the search base; it should not be a directory administrator.
- Define the parameters for the search. You use the LDAP search parameters commands to create a
  named set of parameters (see LDAP Search Parameters commands). You then specify the name of the set of search parameters to use:
  au-ldap-parameters name
- Specify the time that RBM authentication waits for a response from the LDAP server. The default
  value is 60. A value of 0 indicates that the wait never times out, which can leave login attempts
  hanging while the LDAP server is unresponsive:
  au-ldap-readtimeout seconds
- If you need a secure connection to your LDAP server, you must specify an SSL client type of
  client, and the name of your SSL client profile (see Creating a TLS client profile by using the command line for details of how
  to create an SSL client profile):
  ssl-client-type client
  ssl-client name
  Without this, the bind password and the password of every user who logs in are sent to the LDAP
  server in cleartext, because an LDAP simple bind carries the password as-is.
- Optionally specify fallback users who can log in to the appliance if the LDAP server is not
  available. Fallback users must already have been added as local users to the appliance. While the
  LDAP server is unreachable these accounts authenticate with their local appliance passwords only, so
  keep the set small. You can specify that all local users are fallback users by entering the following command:
  fallback-login local
  Alternatively, you can specify one or more particular users by entering the following commands:
  fallback-login restricted
  fallback-user localuser1
  fallback-user localuser2
  ...
  fallback-user localuserN
- Alter the default LDAP cache settings, if required. By default, the appliance caches results of
  authentication attempts for 600 seconds, but you can change the mode of caching and the caching
  duration by entering the following commands:
  au-cache-mode mode
  au-cache-ttl seconds
  Where mode is one of:
  - absolute: Caches the results of user authentications for the period specified by the
    au-cache-ttl command (the explicit time-to-live). This is the default setting.
  - disabled: Disables caching. The appliance does not cache any results and instead authenticates
    every time a user requests access.
  - maximum: Compares the explicit TTL to the TTL contained in the response (if any) and caches
    authentication results for the larger of the two values.
  - minimum: Compares the explicit TTL to the TTL contained in the response (if any) and caches
    authentication results for the smaller of the two values.
  While a result is cached, a user who has since been disabled or removed in the directory can still
  log in until the cached entry expires, so choose au-cache-ttl with that revocation delay in mind.
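To make the cache modes and their revocation delay concrete, here is an added Python model written for this page; it is not IBM's code and does not talk to a real appliance or directory. effective_ttl applies the four au-cache-mode rules as the procedure states them; the rest is a toy cache that assumes (not stated on the page) entries are keyed by user name and password, only successful results are cached, and a failed re-check evicts the entry. The user RobinWD, the password and the FakeDirectory are constructed inputs.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# The four au-cache-mode values named in the procedure.
MODES = ("absolute", "disabled", "maximum", "minimum")


def effective_ttl(mode: str, explicit_ttl: int, response_ttl: Optional[int]) -> int:
    """Seconds a successful authentication stays cached.

    explicit_ttl is the au-cache-ttl value; response_ttl is the TTL carried in
    the LDAP response, or None when the response carries none.
    """
    if mode not in MODES:
        raise ValueError(f"unknown au-cache-mode {mode!r}")
    if mode == "disabled":
        return 0
    if mode == "absolute" or response_ttl is None:
        return explicit_ttl
    if mode == "maximum":
        return max(explicit_ttl, response_ttl)
    return min(explicit_ttl, response_ttl)


@dataclass
class RbmAuthCache:
    """Toy model of the appliance's authentication cache (assumptions: keyed by
    user+password, positives only, failed re-check evicts the entry)."""
    mode: str
    explicit_ttl: int
    # backend(user, password) -> (authenticated?, response TTL or None)
    backend: Callable[[str, str], Tuple[bool, Optional[int]]]
    clock: Callable[[], float] = time.time
    backend_calls: int = 0
    _entries: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        key = (user, password)
        now = self.clock()
        expiry = self._entries.get(key)
        if expiry is not None and now < expiry:
            return True  # served from cache; the LDAP server is not consulted
        self.backend_calls += 1
        ok, response_ttl = self.backend(user, password)
        if ok:
            ttl = effective_ttl(self.mode, self.explicit_ttl, response_ttl)
            if ttl > 0:
                self._entries[key] = now + ttl
        else:
            self._entries.pop(key, None)
        return ok


class FakeDirectory:
    """Constructed stand-in for the LDAP server; no network involved."""

    def __init__(self, users: Dict[str, str], response_ttl: Optional[int] = None):
        self.users = dict(users)
        self.response_ttl = response_ttl

    def bind_as(self, user: str, password: str) -> Tuple[bool, Optional[int]]:
        return self.users.get(user) == password, self.response_ttl

    def disable(self, user: str) -> None:
        self.users.pop(user, None)


def revocation_window(mode: str, explicit_ttl: int,
                      response_ttl: Optional[int] = None) -> Tuple[int, int]:
    """RobinWD logs in at t=0, is disabled in the directory right after, then
    retries once a second. Returns (last second at which login still succeeded,
    number of times the directory was actually consulted)."""
    now = [0.0]
    directory = FakeDirectory({"RobinWD": "correct horse battery"}, response_ttl)
    cache = RbmAuthCache(mode, explicit_ttl, directory.bind_as, clock=lambda: now[0])
    if not cache.authenticate("RobinWD", "correct horse battery"):
        raise RuntimeError("initial login should succeed")
    directory.disable("RobinWD")
    last_ok = 0
    for t in range(1, explicit_ttl + (response_ttl or 0) + 2):
        now[0] = float(t)
        if not cache.authenticate("RobinWD", "correct horse battery"):
            break
        last_ok = t
    return last_ok, cache.backend_calls


if __name__ == "__main__":
    for mode, ttl, resp in (("absolute", 600, None), ("minimum", 600, 30),
                            ("maximum", 600, 30), ("disabled", 600, None)):
        window, calls = revocation_window(mode, ttl, resp)
        print(f"{mode:8} au-cache-ttl={ttl} response-ttl={resp}: "
              f"still logs in until t={window}s, directory consulted {calls}x")
```

With the default absolute/600 settings the disabled account keeps logging in for the rest of the 600 s window while the directory is consulted only twice; minimum with a short response TTL shrinks the window, and disabled removes it at the cost of one bind per request.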
Example
The following example configures the appliance to use an LDAP server that is identified by the
host alias ldap_host for user authentication. If a user logs in with the user name RobinWD,
the name is passed to the LDAP server and used to look up Robin's distinguished name (as specified
in the search parameters). If the LDAP server is unavailable, any local appliance user can log in to
the appliance.
mqa# config
Global configuration mode
mqa(config)# rbm
Modify RBM Settings configuration
mqa(config rbm)# au-method ldap
mqa(config rbm)# au-server-host ldap_host
mqa(config rbm)# au-server-port 389
mqa(config rbm)# ldap-version v3
mqa(config rbm)# au-ldap-search on
mqa(config rbm)# au-ldap-bind-dn cn=appbind, dc=appliance123, dc=com
mqa(config rbm)# au-ldap-bind-password bindpw_alias
mqa(config rbm)# au-ldap-parameters auth_params
mqa(config rbm)# fallback-login local
mqa(config rbm)# exit
mqa(config)# write memory
Overwrite previously saved configuration? Yes/No [y/n]: y
Configuration saved successfully.
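As an added review check written for this page (not IBM's code and not an appliance feature), the following Python parses a CLI transcript like the one above, overlays the defaults the procedure states, and flags the combinations a security reviewer would question: credentials sent without a TLS client profile, port and TLS settings that disagree, LDAPv2, a zero read timeout, fallback-login local, and the cache revocation delay. The defaults assumed for au-server-port, ssl-client-type and au-ldap-search are guesses; ldap_tls_client and breakglass are made-up names in the hardened variant.

```python
import re
from typing import Dict, List

# Matches "mqa(config rbm)# <command> [args]"; the prefix before "(config rbm)#"
# is the appliance prompt and is not interpreted.
PROMPT = re.compile(r"^\S+\(config rbm\)#\s+(\S+)(?:\s+(.*))?$")

# Defaults the page states (ldap-version, au-ldap-readtimeout, au-cache-*) plus
# assumed ones for the rest (au-server-port, ssl-client-type, au-ldap-search).
DEFAULTS = {
    "ldap-version": "v2", "au-ldap-readtimeout": "60",
    "au-cache-mode": "absolute", "au-cache-ttl": "600",
    "au-server-port": "389", "ssl-client-type": "none", "au-ldap-search": "off",
}

# Constructed copy of the page's example session.
PAGE_EXAMPLE = """\
mqa(config)# rbm
mqa(config rbm)# au-method ldap
mqa(config rbm)# au-server-host ldap_host
mqa(config rbm)# au-server-port 389
mqa(config rbm)# ldap-version v3
mqa(config rbm)# au-ldap-search on
mqa(config rbm)# au-ldap-bind-dn cn=appbind, dc=appliance123, dc=com
mqa(config rbm)# au-ldap-bind-password bindpw_alias
mqa(config rbm)# au-ldap-parameters auth_params
mqa(config rbm)# fallback-login local
mqa(config rbm)# exit
"""

# The same session with the weak settings corrected (made-up profile/user names).
HARDENED = (PAGE_EXAMPLE
            .replace("au-server-port 389",
                     "au-server-port 636\nmqa(config rbm)# ssl-client-type client\n"
                     "mqa(config rbm)# ssl-client ldap_tls_client")
            .replace("fallback-login local",
                     "fallback-login restricted\nmqa(config rbm)# fallback-user breakglass"))


def parse_rbm_session(transcript: str) -> Dict[str, str]:
    """Collect the commands typed at the (config rbm)# prompt, last value winning
    (fallback-user may repeat, so its values are accumulated)."""
    settings: Dict[str, str] = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or m.group(1) == "exit":
            continue
        cmd, arg = m.group(1), (m.group(2) or "").strip()
        if cmd == "fallback-user":
            settings[cmd] = f"{settings.get(cmd, '')} {arg}".strip()
        else:
            settings[cmd] = arg
    return settings


def lint_rbm(settings: Dict[str, str]) -> List[str]:
    """Return the weak or inconsistent combinations in an RBM LDAP configuration."""
    s = {**DEFAULTS, **settings}
    findings: List[str] = []
    if s.get("au-method") != "ldap":
        return ["au-method is not ldap; nothing else to check here"]
    tls = s["ssl-client-type"] == "client" and bool(s.get("ssl-client"))
    port = s["au-server-port"]
    has_dn, has_pw = bool(s.get("au-ldap-bind-dn")), bool(s.get("au-ldap-bind-password"))
    if has_dn != has_pw:
        findings.append("only one of au-ldap-bind-dn / au-ldap-bind-password is set; "
                        "the search bind will be anonymous")
    if not tls:
        findings.append("no TLS client profile (ssl-client-type client + ssl-client): simple "
                        "binds send the bind password and every user's password in cleartext")
    if tls and port == "389":
        findings.append("ssl-client-type client with au-server-port 389; LDAPS normally uses 636")
    if not tls and port == "636":
        findings.append("au-server-port 636 without ssl-client-type client; the connection is not TLS")
    if s["ldap-version"] != "v3":
        findings.append(f"ldap-version {s['ldap-version']} is obsolete; set ldap-version v3")
    if s["au-ldap-readtimeout"] == "0":
        findings.append("au-ldap-readtimeout 0 never times out; logins hang while LDAP is unresponsive")
    if s.get("fallback-login") == "local":
        findings.append("fallback-login local lets every local account in when LDAP is down; "
                        "prefer fallback-login restricted with named fallback-user entries")
    elif s.get("fallback-login") == "restricted" and not s.get("fallback-user"):
        findings.append("fallback-login restricted with no fallback-user: nobody can log in while LDAP is down")
    if s["au-cache-mode"] != "disabled":
        findings.append(f"au-cache-mode {s['au-cache-mode']} with au-cache-ttl {s['au-cache-ttl']}: "
                        "a user disabled in LDAP may keep logging in until the cached entry expires")
    return findings


if __name__ == "__main__":
    for label, transcript in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in lint_rbm(parse_rbm_session(transcript)):
            print(" -", finding)
```

Run against the page's own session it reports the missing TLS profile, the all-local fallback and the default 600 s cache window; the hardened variant leaves only the cache note, which is a deliberate trade-off rather than a defect.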
What to do next
After you specify the user authentication method, you must next configure credential mapping.