LDAP authorization
You can use LDAP authorization to remove the need for a local user ID.
Availability of LDAP authorization on supported platforms
LDAP authorization is available on Multiplatforms:
From IBM® MQ 9.0 general availability, this functionality is available on all queue managers, whether new or migrated from an earlier release.
Overview of LDAP authorization
With LDAP authorization, commands that handle authorization configuration, such as setmqaut and DISPLAY AUTHREC, can process Distinguished Names. Previously, users were authenticated by comparing their credentials with the maximum available characters that exist for users and groups on the local operating system.
If a user provides a user ID, rather than a Distinguished Name, the user ID is processed. For example, when there is an incoming message on a channel with PUTAUT(CTX), the characters in the user ID are mapped to an LDAP Distinguished Name, and the appropriate authorization checks are made.
Other commands, such as DISPLAY CONN, continue to work with and show the actual value of the user ID, even though that user ID might not exist on the local OS.
When LDAP authorization is in place, the queue manager always uses the user model of security on AIX® and Linux® platforms, regardless of the SecurityPolicy attribute in the qm.ini file. So setting permissions for an individual user affects only that user, and not anyone else who belongs to any of that user's groups.
As with the OS model, a user still has the combined authority that has been assigned to both the individual and to all of the groups (if any) to which the user belongs.
Example
The following LDAP entries are defined on the directory server:
- In the inetOrgPerson class:
dn="cn=JohnDoe, ou=users, o=yourcompany, c=yourcountry"
email=JohnDoe1@yourcompany.com [longer than 12 characters]
shortu=jodoe
Phone=1234567
- In the groupOfNames class:
dn="cn=Application Group A, ou=groups, o=yourcompany, c=yourcountry"
longname=ApplicationGroupA [longer than 12 characters]
members="cn=JaneDoe, ou=users, o=yourcompany, c=yourcountry", "cn=JohnDoe, ou=users, o=yourcompany, c=yourcountry"
The AUTHINFO object has these attributes:
USRFIELD(email) SHORTUSR(shortu)
BASEDNU(ou=users,o=yourcompany,c=yourcountry) CLASSUSR(inetOrgPerson)
The user can be identified by any of the following user ID values:
" cn=JohnDoe ", " JohnDoe1@yourcompany.com ", " email=JohnDoe1@yourcompany.com "
or
" cn=JohnDoe, ou=users, o=ibm, c=uk ", " shortu=jodoe "
In either case, the system can use the supplied values to authenticate the OS context of "jodoe".
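As an added illustration, not IBM's code and not the queue manager's internal algorithm, the following Python models how the AUTHINFO attributes above turn each of the listed user ID forms into the same directory entry, derive the short OS name jodoe from the SHORTUSR attribute, and combine the user's own authority records with those of every group that lists the user as a member (the combined authority described earlier). The in-memory directory, the authority records, and the three resolution rules (no "=" means a USRFIELD value; a single attribute=value pair is searched under BASEDNU; a value containing commas is a full DN) are assumptions made for this example.

```python
"""Constructed model of IBM MQ LDAP authorization lookups (not IBM's code)."""

SHORTUSR_MAX_LEN = 12  # the short user name must fit the 12-character limit

# Constructed directory mirroring the page's example entries.
DIRECTORY = [
    {"dn": "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry",
     "objectClass": "inetOrgPerson", "cn": "JohnDoe",
     "email": "JohnDoe1@yourcompany.com",  # longer than 12 characters
     "shortu": "jodoe", "Phone": "1234567"},
    {"dn": "cn=JaneDoe,ou=users,o=yourcompany,c=yourcountry",
     "objectClass": "inetOrgPerson", "cn": "JaneDoe",
     "email": "JaneDoe@yourcompany.com", "shortu": "jadoe"},
    {"dn": "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry",
     "objectClass": "groupOfNames", "cn": "Application Group A",
     "longname": "ApplicationGroupA",
     "members": ["cn=JaneDoe,ou=users,o=yourcompany,c=yourcountry",
                 "cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry"]},
]

# AUTHINFO attributes from the page's example.
AUTHINFO = {"USRFIELD": "email", "SHORTUSR": "shortu",
            "BASEDNU": "ou=users,o=yourcompany,c=yourcountry",
            "CLASSUSR": "inetOrgPerson"}

# Constructed authority records keyed by principal DN. Under the user model a
# record for an individual applies to that individual only.
AUTHRECS = {
    "cn=johndoe,ou=users,o=yourcompany,c=yourcountry": {"connect", "inq"},
    "cn=application group a,ou=groups,o=yourcompany,c=yourcountry": {"put", "get"},
}


def normalise_dn(dn):
    """Canonical DN: blanks around each RDN removed, lower-cased."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _lower(entry):
    return {k.lower(): v for k, v in entry.items()}


def _search(attr, value, authinfo, directory):
    """Find the CLASSUSR entry under BASEDNU whose `attr` equals `value`."""
    base = normalise_dn(authinfo["BASEDNU"])
    for entry in directory:
        e = _lower(entry)
        if e["objectclass"].lower() != authinfo["CLASSUSR"].lower():
            continue
        if not normalise_dn(e["dn"]).endswith("," + base):
            continue
        if str(e.get(attr, "")).lower() == value.strip().lower():
            return entry
    return None


def resolve_user(user_id, authinfo=AUTHINFO, directory=DIRECTORY):
    """Map a supplied user ID to its directory entry, or None if unknown.

    Assumed rules (modelled for this example, not documented IBM internals):
      no '='           -> value of USRFIELD, searched under BASEDNU
      '=' but no ','   -> single attr=value (e.g. cn=JohnDoe) under BASEDNU
      '=' and ','      -> full DN, compared after normalisation
    """
    user_id = user_id.strip()
    if "=" not in user_id:
        return _search(authinfo["USRFIELD"].lower(), user_id, authinfo, directory)
    if "," not in user_id:
        attr, _, value = user_id.partition("=")
        return _search(attr.strip().lower(), value, authinfo, directory)
    target = normalise_dn(user_id)
    return next((e for e in directory if normalise_dn(e["dn"]) == target), None)


def os_context_user(user_id, authinfo=AUTHINFO, directory=DIRECTORY):
    """Short OS user name (SHORTUSR value) for the ID; None if nothing matches.

    Raises ValueError when SHORTUSR is missing or longer than 12 characters,
    so a bad directory value is rejected instead of silently truncated.
    """
    entry = resolve_user(user_id, authinfo, directory)
    if entry is None:
        return None
    short = _lower(entry).get(authinfo["SHORTUSR"].lower())
    if not short:
        raise ValueError("%s has no %s attribute" % (entry["dn"], authinfo["SHORTUSR"]))
    if len(short) > SHORTUSR_MAX_LEN:
        raise ValueError("%s value %r exceeds %d characters"
                         % (authinfo["SHORTUSR"], short, SHORTUSR_MAX_LEN))
    return short


def effective_authorities(user_id, authrecs=AUTHRECS, directory=DIRECTORY):
    """Union of the user's own authorities and those of every group whose
    member list contains the user's DN (the combined authority of the page)."""
    entry = resolve_user(user_id, AUTHINFO, directory)
    if entry is None:
        return set()
    dn = normalise_dn(entry["dn"])
    granted = set(authrecs.get(dn, set()))
    for group in directory:
        if dn in [normalise_dn(m) for m in group.get("members", [])]:
            granted |= authrecs.get(normalise_dn(group["dn"]), set())
    return granted
```

Every one of the page's five user ID forms resolves to JohnDoe's entry and therefore to the OS context jodoe; an e-mail address longer than 12 characters is fine because only the SHORTUSR value has to fit that limit, which is why the model checks the length of the value it returns rather than the value it was given.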