IBM Support

IT16493: Telemetry using ldaploginmodule is unable to use multiple JAAS login modules for a login configuration file


APAR status

  • Closed as program error.

Error description

  • When configuring MQ v8 Telemetry to use LDAP for
    authentication, with LdapLoginModule, you are unable to use
    multiple JAAS login modules for a login configuration file
    entry.
    
    See the following errors in the log:
      AMQXR2051E: Login failed for ClientIdentifier
      FailedLoginException: Cannot bind to LDAP server
    
    Example configuration/issue:
    
    In the following configuration, LDAP authentication using
    LdapLoginModule fails when using multiple login module entries,
    but works if only one is provided.
    
    Example fails with both entries:
    
    MQXRConfig {
      com.ibm.security.auth.module.LdapLoginModule OPTIONAL
         userProvider="ldap://ldapserver:389"
         authIdentity="uid={USERNAME},ou=org1,ou=yyy,dc=zzz,dc=com"
         debug=true
         useSSL=false;
    
      com.ibm.security.auth.module.LdapLoginModule OPTIONAL
         userProvider="ldap://ldapserver:389"
         authIdentity="uid={USERNAME},ou=org2,ou=yyy,dc=zzz,dc=com"
         debug=true
         useSSL=false;
    };
    
    Works with either entry alone:
    
    MQXRConfig {
      com.ibm.security.auth.module.LdapLoginModule OPTIONAL
        userProvider="ldap://ldapserver:389"
        authIdentity="uid={USERNAME},ou=org1,ou=yyy,dc=zzz,dc=com"
        debug=true
        useSSL=false;
    };
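
To find which entries in a JAAS login configuration file stack more than one login module, and so hit this problem on levels without the fix, the file can be parsed and each entry's modules counted. The following is an added example, not IBM code: the function names and the `SingleModule` entry are hypothetical, the sample text is constructed from the configuration above, and the parser also accepts `//` and `/* */` comments, which the samples on this page do not use.

```python
import re
# Constructed sample: the two-module entry from this APAR plus a hypothetical
# single-module entry (SingleModule) for contrast.
SAMPLE = '''
MQXRConfig {
  com.ibm.security.auth.module.LdapLoginModule OPTIONAL
     userProvider="ldap://ldapserver:389"
     authIdentity="uid={USERNAME},ou=org1,ou=yyy,dc=zzz,dc=com";
  com.ibm.security.auth.module.LdapLoginModule OPTIONAL
     userProvider="ldap://ldapserver:389"
     authIdentity="uid={USERNAME},ou=org2,ou=yyy,dc=zzz,dc=com";
};
SingleModule { com.ibm.security.auth.module.LdapLoginModule REQUIRED debug=true; };
'''
FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}
# Quoted strings match first, so "ldap://" and "{USERNAME}" stay inside values.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/|[{};=]|[^\s{};="]+', re.S)

def parse_jaas(text):
    """Return {entry_name: [(module_class, flag, {option: value}), ...]}."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    entries, i = {}, 0
    try:
        while i < len(toks):
            name, modules = toks[i], []
            if toks[i + 1] != "{":
                raise ValueError(f"expected '{{' after {name!r}")
            i += 2
            while toks[i] != "}":
                cls, flag, opts = toks[i], toks[i + 1].upper(), {}
                if flag not in FLAGS:
                    raise ValueError(f"bad control flag for {cls}: {flag}")
                i += 2
                while toks[i] != ";":  # option pairs: key = value
                    if toks[i + 1] != "=":
                        raise ValueError(f"expected '=' after {toks[i]!r}")
                    opts[toks[i]] = toks[i + 2].strip('"')
                    i += 3
                modules.append((cls, flag, opts))
                i += 1  # consume the ';' that ends this module
            entries[name] = modules
            i += 2 if toks[i + 1:i + 2] == [";"] else 1  # '}' and optional ';'
    except IndexError:
        raise ValueError("unexpected end of login configuration") from None
    return entries

def multi_module_entries(text):
    """Entry names that stack more than one login module (the case in this APAR)."""
    return sorted(n for n, mods in parse_jaas(text).items() if len(mods) > 1)
```

Running `multi_module_entries` over the text of a login configuration file returns the entry names to re-test after applying maintenance.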
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of the IBM MQ Telemetry functionality who wish to use JAAS
    LDAP login module LdapLoginModule may be affected by this
    problem.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    IBM MQ was incorrectly throwing an exception when multiple JAAS
    login modules were specified for a login configuration file
    entry.
    

Problem conclusion

  • The code was corrected so that multiple login modules can be
    used for a single login configuration entry.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.6
    v9.0 CD    9.0.1
    v9.0 LTS   9.0.0.1
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT16493

  • Reported component name

    WMQ MOBILITY

  • Reported component ID

    5724H7258

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-05

  • Closed date

    2016-09-29

  • Last modified date

    2017-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ MOBILITY

  • Fixed component ID

    5724H7258

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
14 December 2020