Before you start:
Before
you can configure a message flow to perform authorization, you need
to check that an appropriate security profile exists, or create a
new security profile. See Creating a security profile for LDAP.
When LDAP is used for authorization, the broker needs
to determine whether the incoming username is a member of the given
group. To do this, the broker requires the following information:
- To resolve the username to an LDAP entry, the broker needs to
know the base distinguished name (Base DN) of the accepted login IDs.
This is required to enable the broker to differentiate between different
entries with the same name.
- To get an entry list from a group name, the group name must be
the distinguished name of the group, not just a common name. An LDAP
search is made for the group, and the username is checked by finding
an entry matching the distinguished name of the user.
- If your LDAP directory does not permit login by unrecognized IDs, and does not grant search access rights on the subtree, you must set up a separate authorized login ID that the broker can use for the search. Use the mqsisetdbparms command to specify a username and password:
mqsisetdbparms <BrokerName> -n ldap::LDAP -u username -p password
or mqsisetdbparms <BrokerName> -n ldap::<servername> -u username -p password
where <servername> is your base LDAP server name. For example: ldap.mydomain.com.If you specify ldap::LDAP, it creates a default setting for the broker, which the broker attempts to use if you have not explicitly used the mqsisetdbparms command to create a login ID for a specific <servername>. All servers that do not have an explicit ldap::servername entry then start using the credentials in the ldap::LDAP entry. This means that any servers that were previously using anonymous bind by default will start using the details in ldap::LDAP.
The username that you specify in the
-u parameter must be recognized by the LDAP server as a complete user name. In most cases this means that you need to specify the full DN of the user. Alternatively, by specifying a username to be anonymous, you can force the broker to bind anonymously to this LDAP server. This might be useful if you have specified a non-anonymous bind as your default (ldap::LDAP). For example:
mqsisetdbparms <BrokerName> -n ldap::<servername> -u anonymous -p password
In this case, the value specified for
password is ignored.
Steps for enabling LDAP authorization:
To enable an existing message flow to perform authorization
using LDAP, use the Broker Archive editor to select a security profile
that has authorization enabled. You can set a security
profile on a message flow or on individual input nodes. If no security
profile is set for the input nodes, the setting is inherited from
the setting on the message flow.
- Switch to the Integration Development perspective.
- In the Application
Development view, right-click the BAR
file and then click Open with > Broker
Archive Editor.
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the
security profile. The properties that you
can configure for the message flow or for the node are displayed in
the Properties view.
- In the Security Profile Name field,
select a security profile that uses LDAP for authorization.
- Save the BAR file.
For a SOAPInput node to use the identity in the WS-Security
header (rather than an underlying transport identity) an appropriate
policy set and bindings must also be defined and specified. For more
information, see Policy sets.
Last updated Friday, 21 July 2017