IBM Support

IT20673: Queue manager performs incorrect escaping of characters in username strings before passing to LDAP for search


APAR status

  • Closed as program error.

Error description

  • Applications (including administration applications) fail
    various operations with reason code 2035 MQRC_NOT_AUTHORIZED,
    even when you have correctly added authorization records for the
    user via its group memberships.
    
    The queue manager was configured to request user/group
    information from LDAP.
    
    This happens when you have configured this via an AUTHINFO
    object with:
    - AUTHTYPE(IDPWLDAP)
    - Either AUTHORMD(SEARCHGRP) or AUTHORMD(SEARCHUSR)
    
    In addition, the usernames (or group names) returned by LDAP
    contain one or more of these characters: left-parenthesis,
    right-parenthesis, backslash, asterisk.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Queue managers configured to request user/group memberships from
    an LDAP repository, where the user or group names contain
    characters that must be escaped per the rules in section 4 of
    RFC 2254. The characters relevant to this case are:
    left-parenthesis, right-parenthesis, backslash, asterisk.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    If a username registered in LDAP combines ordinary characters
    with characters that are special in an LDAP search filter, for
    example the backslash and parentheses in the following
    distinguished name:
    
      CN=Doe\, J. (John),OU=MYGROUP,OU=Users,...
    
    ... then MQ incorrectly transforms the username string before
    passing it to LDAP in the search for groups that contain this
    user.
    
    Section 4 of RFC 2254 requires that the characters backslash,
    asterisk, left-parenthesis and right-parenthesis (and NUL) be
    encoded as a backslash followed by the two hexadecimal digits of
    their ASCII code before the value is placed in a search filter.
    The above example should therefore be transformed to this before
    the LDAP search is issued:
    
      CN=Doe\5C, J. \28John\29,OU=MYGROUP,OU=Users,...
    
    However, MQ encoded the above as follows:
    
      CN=Doe\2C J. (John),OU=MYGROUP,OU=Users,...
    
    The backslash-comma sequence was being encoded as \2C, which is
    wrong per Section 4 of RFC 2254: the backslash itself must become
    \5C and the comma needs no escaping. MQ also did not encode the
    left- and right-parenthesis characters as required. The filter
    value therefore no longer matched the DN stored in the directory,
    the group search did not find the user's memberships, and the
    application received MQRC_NOT_AUTHORIZED.
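
The following Python is an added illustration of the escaping rule the APAR refers to; it is not IBM MQ code. It implements RFC 2254 section 4 escaping, models the incorrect pre-fix transformation exactly as the text above describes it (backslash-comma becomes \2C, parentheses left raw), and shows what a directory server would see in each case. The DN suffix DC=example,DC=com, the group search filter shape and the attribute names objectClass=groupOfNames and member are assumptions made for the example, not MQ's actual configuration. The APAR reports only the authorization failure, but the same escaping is what keeps an attacker-chosen name from changing the structure of a filter, so the check is worth having in any code that builds filters from external input.

```python
"""RFC 2254 section 4 escaping of LDAP filter values.

Added example, not IBM MQ source code. It escapes the characters the APAR
lists (backslash, asterisk, parentheses, plus NUL as the RFC requires),
models the incorrect pre-fix transformation the APAR describes, and shows
why the two produce different search results.
"""
import string

# RFC 2254 section 4: inside a filter assertion value these characters
# must be written as a backslash followed by the two hex digits of their
# ASCII code. Hex case is not significant; uppercase matches the APAR.
_RFC2254_ESCAPES = {
    "\\": "\\5C",
    "*": "\\2A",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}
_HEX = set(string.hexdigits)

# Constructed sample DN: the APAR's example prefix with an assumed
# DC=example,DC=com suffix standing in for the "..." on the page.
SAMPLE_DN = "CN=Doe\\, J. (John),OU=MYGROUP,OU=Users,DC=example,DC=com"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the escaping, i.e. recover the value the directory server
    compares against its stored attribute values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def mq_buggy_transform(value: str) -> str:
    """Model of the pre-fix behaviour as the APAR describes it: the
    backslash-comma sequence becomes \\2C and parentheses are left raw.
    Illustrative reconstruction, not MQ's actual code."""
    return value.replace("\\,", "\\2C")


def unescaped_specials(value: str) -> set:
    """Return the filter-special characters still present raw in value.
    A backslash counts as raw unless two hex digits follow it."""
    found, i = set(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if (i + 2 < len(value)
                    and value[i + 1] in _HEX and value[i + 2] in _HEX):
                i += 3
                continue
            found.add("\\")
        elif ch in "()*\x00":
            found.add(ch)
        i += 1
    return found


def group_search_filter(member_dn: str, escape=escape_filter_value) -> str:
    """Build a 'groups containing this member' filter. The object class
    and attribute names are assumptions for the example; the real ones
    depend on the directory schema and the AUTHINFO configuration."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape(member_dn)


if __name__ == "__main__":
    good = escape_filter_value(SAMPLE_DN)
    bad = mq_buggy_transform(SAMPLE_DN)
    print("stored DN :", SAMPLE_DN)
    print("RFC 2254  :", good, "-> server sees", unescape_filter_value(good))
    print("pre-fix MQ:", bad, "-> server sees", unescape_filter_value(bad))
    print("raw specials left by pre-fix MQ:", sorted(unescaped_specials(bad)))
    print(group_search_filter(SAMPLE_DN))
```

Running it shows that the correctly escaped value round-trips to the stored DN, whereas the pre-fix transformation round-trips to `CN=Doe, J. (John),...` (a different DN) and still carries raw parentheses, which a strict server rejects as a malformed filter; either way the member lookup fails.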
    

Problem conclusion

  • The LDAP lookup code within the MQ queue manager has been
    corrected to ensure that the rules of Section 4 of RFC 2254 are
    followed to escape these characters.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.8
    v9.0 CD    9.0.4
    v9.0 LTS   9.0.0.2
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT20673

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-19

  • Closed date

    2017-05-31

  • Last modified date

    2017-05-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ BASE MULTIP

  • Fixed component ID

    5724H7251

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
31 May 2017