Switching between OS and LDAP authorization models
How you switch between the different authorization methods on different platforms.
The CONNAUTH attribute of the queue manager points at an AUTHINFO object. When the object is of type IDPWLDAP, an LDAP repository is used for authentication.
You can now apply an authorization method to that same object, which allows you to continue with OS-based authorization, or to work with LDAP authorization
![[UNIX]](ngunix.gif)
![[IBM i]](ngibmi.gif)
UNIX platforms and IBM® i
The queue manager can be switched at any time between OS and LDAP models. You can change the configuration and make that configuration active by using the REFRESH SECURITY TYPE (CONNAUTH) command.
ALTER AUTHINFO(MYLDAP) AUTHTYPE(IDPWLDAP) +
AUTHORMD(SEARCHGRP) +
BASEDNG('ou=groups,o=ibm,c=uk') +
˂other attributes>
ALTER QMGR CONNAUTH(MYLDAP)
REFRESH SECURITY
![[Windows]](ngwin.gif)
Windows
If an authority configuration change involves switching between OS and LDAP models, the queue manager must be restarted for the change to take effect. Otherwise, you can make the change active by using the REFRESH SECURITY TYPE (CONNAUTH) command.
Processing rules
When switching from OS to LDAP authorization, any existing OS authority rules that have been set, become inactive and invisible.
Commands such as dmpmqaut do not display those OS rules. Similarly, when switching back from LDAP to OS, any defined LDAP authorizations become inactive and invisible, restoring the original OS rules.
If you want to back up the definitions of a queue manager for any reason, using the dmpmqcfg command, then that backup will contain only the rules that are defined for the authorization method in effect at the time of the back up.