LDAP part 1: Updating the IBM MQ backup for the LDAP server

A comprehensive description of how to set up LDAP is outside the scope of this scenario. This topic gives a summary of the process, a sample, and references to further information.

Before you begin

This task assumes that you have extracted and acquired the queue manager keys and certificates.

About this task

Do I need to do this?

If you are already using LDAP for authentication and authorization, then no changes are required. If you are not sure whether LDAP is being used, see Optional: Configuring LDAP.

There are two parts to setting up the LDAP server:

  1. Define an LDAP configuration.
  2. Associate the LDAP configuration with the queue manager definition.

Further information to help you with this configuration:

Procedure

  1. Define an LDAP configuration.

    Edit the backup.mqsc file to define a new AUTHINFO object for the LDAP system. Every line of the command except the last must end with a continuation character (+), including the line before REPLACE; without it, runmqsc treats REPLACE as a separate, invalid command. For example:

    
    DEFINE AUTHINFO(USE.LDAP) +
       AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap-service.ldap(389)') +
       LDAPUSER('cn=admin,dc=ibm,dc=com') +
       LDAPPWD('admin') +
       SECCOMM(NO) +
       USRFIELD('uid') +
       SHORTUSR('uid') +
       BASEDNU('ou=people,dc=ibm,dc=com') +
       AUTHORMD(SEARCHGRP) +
       BASEDNG('ou=groups,dc=ibm,dc=com') +
       GRPFIELD('cn') +
       CLASSGRP('groupOfUniqueNames') +
       FINDGRP('uniqueMember') +
       REPLACE
    

    where

    • CONNAME is the host name and port of the LDAP server. If multiple addresses exist for resilience, configure them as a comma-separated list.
    • LDAPUSER is the distinguished name of the user that IBM MQ binds as when connecting to LDAP to query user and group records. Prefer an account with read-only access to the user and group subtrees over the directory administrator used in the sample.
    • LDAPPWD is the password that corresponds to the LDAPUSER user. As typed here it is held in cleartext in backup.mqsc, so restrict access to the file.
    • SECCOMM specifies whether the communication to the LDAP server uses TLS. Possible values:
      • YES: TLS is used and a certificate is presented by the IBM MQ server.
      • ANON: TLS is used without a certificate being presented by the IBM MQ server.
      • NO: TLS is not used during the connection. The LDAPPWD bind password and the password of every connecting user then cross the network in cleartext. The sample uses NO; anywhere other than an isolated test environment, use YES or ANON.
    • USRFIELD specifies the field in the LDAP record that the presented user name is matched against.
    • SHORTUSR is a field within the LDAP record whose value does not exceed 12 characters in length. The value of this field becomes the asserted identity if authentication is successful.
    • BASEDNU is the base DN used when searching LDAP for users.
    • BASEDNG is the base DN used when searching LDAP for groups.
    • AUTHORMD defines the mechanism used to resolve group membership for the user. There are four options:
      • OS: Query the operating system for the groups associated with the short user name.
      • SEARCHGRP: Search the group entries in LDAP for the authenticated user's distinguished name.
      • SEARCHUSR: Search the authenticated user's record for group membership information.
      • SRCHGRPSN: Search the group entries in LDAP for the authenticated user's short user name (the value of the SHORTUSR field).
    • GRPFIELD is the attribute within the LDAP group record that corresponds to a simple name. If specified, this name can be used when defining authorization records.
    • CLASSUSR is the LDAP object class that corresponds to a user.
    • CLASSGRP is the LDAP object class that corresponds to a group.
    • FINDGRP is the attribute that holds group membership. With AUTHORMD(SEARCHGRP) or SRCHGRPSN it is an attribute of the group entry (uniqueMember in the sample); with SEARCHUSR it is an attribute of the user entry.

    The new entry can be placed anywhere within the file; however, you might find it helpful to keep new entries at the beginning of the file:

    A screen capture of the backup.mqsc code, showing the DEFINE AUTHINFO section positioned at the beginning of the file.
  2. Associate the LDAP configuration with the queue manager definition.

    You need to associate the LDAP configuration with the queue manager definition. The ALTER QMGR entry, which immediately follows the new DEFINE AUTHINFO entry if you placed it at the beginning of the file, carries a CONNAUTH attribute. Change it to the name of the AUTHINFO object you defined. In the previous example the object was defined as AUTHINFO(USE.LDAP), so the name is USE.LDAP; therefore change CONNAUTH('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') to CONNAUTH('USE.LDAP'):

    A screen capture of the backup.mqsc code, showing the modified CONNAUTH entry.

    To make the switch to LDAP take effect as soon as the file is applied, add a REFRESH SECURITY TYPE(CONNAUTH) command on the line immediately after the ALTER QMGR command (a plain REFRESH SECURITY, as shown, refreshes all security caches and also works). Without a refresh, the queue manager continues to use its cached connection authentication configuration until the next refresh or restart:

    A screen capture of the backup.mqsc code, showing the REFRESH SECURITY entry.
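    The two steps above are mechanical edits to backup.mqsc, and a mistake such as a missing continuation character is easy to make by hand. The following script, an added example that is not IBM's code or part of this scenario, applies both steps to a copy of the file: it joins MQSC continuation lines into whole commands, checks that the named AUTHINFO object exists and is AUTHTYPE(IDPWLDAP), points the CONNAUTH attribute of ALTER QMGR at it, inserts REFRESH SECURITY TYPE(CONNAUTH) directly after ALTER QMGR, and warns about SECCOMM(NO) and about a line that starts with something that is not an MQSC verb (the usual symptom of a missing +). The sample backup text, the attribute layout of ALTER QMGR, and the list of verbs it recognises are constructed assumptions; the object name USE.LDAP is the one used in this topic.

```python
"""Apply this topic's LDAP switch-over to a backup.mqsc file (added example,
not IBM's code). MQSC continuation lines ('+' at end of line) are joined into
whole commands; CONNAUTH on ALTER QMGR is pointed at the AUTHINFO object and
REFRESH SECURITY TYPE(CONNAUTH) is inserted after it; findings such as
SECCOMM(NO) or a probably missing '+' are reported as warnings."""
import re

# Constructed sample of the relevant part of a backup.mqsc file.
SAMPLE_MQSC = """\
DEFINE AUTHINFO(USE.LDAP) +
   AUTHTYPE(IDPWLDAP) +
   CONNAME('ldap-service.ldap(389)') +
   LDAPUSER('cn=admin,dc=ibm,dc=com') +
   LDAPPWD('admin') +
   SECCOMM(NO) +
   USRFIELD('uid') +
   SHORTUSR('uid') +
   BASEDNU('ou=people,dc=ibm,dc=com') +
   AUTHORMD(SEARCHGRP) +
   BASEDNG('ou=groups,dc=ibm,dc=com') +
   GRPFIELD('cn') +
   CLASSGRP('groupOfUniqueNames') +
   FINDGRP('uniqueMember') +
   REPLACE
ALTER QMGR +
   CHLAUTH(ENABLED) +
   CONNAUTH('SYSTEM.DEFAULT.AUTHINFO.IDPWOS') +
   DESCR('')
DEFINE QLOCAL('APP.QUEUE') REPLACE
"""

# Verbs that can legitimately start a command in a dumped configuration (assumed list).
MQSC_VERBS = {"DEFINE", "ALTER", "SET", "REFRESH", "DELETE", "DISPLAY",
              "START", "STOP", "CLEAR", "RESET", "RESOLVE"}
AUTHINFO_RE = re.compile(r"^DEFINE\s+AUTHINFO\('?([^')]+)'?\)", re.I)
CONNAUTH_RE = re.compile(r"CONNAUTH\([^)]*\)", re.I)


def split_commands(text):
    """Group an MQSC file's lines into commands (each a list of lines).

    A line ending in '+' continues on the next line. Blank and comment
    lines ('*' in column 1) become one-line groups so they round-trip.
    """
    commands, current = [], []
    for line in text.splitlines():
        stripped = line.rstrip()
        if not current and (not stripped or stripped.startswith("*")):
            commands.append([line])
        else:
            current.append(line)
            if not stripped.endswith("+"):
                commands.append(current)
                current = []
    if current:  # file ended inside a continued command
        commands.append(current)
    return commands


def flatten(lines):
    """One-line form of a command with the '+' continuation markers removed."""
    return " ".join(l.strip().rstrip("+").strip() for l in lines)


def apply_ldap_switch(text, authinfo_name):
    """Return (edited_text, warnings) for the backup held in `text`."""
    wanted = f"CONNAUTH('{authinfo_name}')"
    warnings, out, found_authinfo, found_qmgr = [], [], False, False
    for lines in split_commands(text):
        flat = flatten(lines)
        upper = flat.upper()
        if not flat or flat.startswith("*"):  # blank line or comment: keep as is
            out.append(lines)
            continue
        if upper.split(" ", 1)[0] not in MQSC_VERBS:
            warnings.append(f"'{flat}' is not an MQSC verb: missing '+' on the line before?")
        m = AUTHINFO_RE.match(flat)
        if m and m.group(1).upper() == authinfo_name.upper():
            found_authinfo = True
            if "AUTHTYPE(IDPWLDAP)" not in upper:
                warnings.append(f"{authinfo_name} is not AUTHTYPE(IDPWLDAP)")
            if "SECCOMM(NO)" in upper:
                warnings.append("SECCOMM(NO): bind and user passwords cross the network in cleartext")
        elif upper.startswith("ALTER QMGR"):
            found_qmgr = True
            if CONNAUTH_RE.search(flat):  # rewrite the existing attribute in place
                lines = [CONNAUTH_RE.sub(wanted, l) for l in lines]
            else:  # no CONNAUTH attribute yet: continue the command and add one
                lines = lines[:-1] + [lines[-1].rstrip() + " +", "   " + wanted]
            out.append(lines)
            out.append(["REFRESH SECURITY TYPE(CONNAUTH)"])  # pick up the change at once
            continue
        out.append(lines)
    if not found_authinfo:
        warnings.append(f"no DEFINE AUTHINFO({authinfo_name}) found")
    if not found_qmgr:
        warnings.append("no ALTER QMGR found; CONNAUTH was not changed")
    return "\n".join(l for cmd in out for l in cmd) + "\n", warnings
```

    Run it as `apply_ldap_switch(open("backup.mqsc").read(), "USE.LDAP")` and write the returned text to a new file only after reading the warnings; on the sample above it reports the SECCOMM(NO) finding, and if the + before REPLACE is dropped it reports that REPLACE is not an MQSC verb rather than silently producing a file that runmqsc will reject.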

What to do next

You are now ready to update the IBM MQ backup for LDAP authorization information.