APAR status
Closed as program error.
Error description
Applications (including administration applications) fail various operations with reason code 2035 MQRC_NOT_AUTHORIZED, even when you have correctly added authorization records for the user via its group memberships. The queue manager was configured to request user/group information from LDAP.

This happens when you have configured this via an AUTHINFO object with:
- AUTHTYPE(IDPWLDAP)
- Either AUTHORMD(SEARCHGRP) or AUTHORMD(SEARCHUSR)

Also, the usernames returned by LDAP contain one or more of the characters: left-parenthesis, right-parenthesis, backslash, asterisk.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
Queue managers configured to request user/group memberships from an LDAP repository, where the users or groups contain characters that must be escaped as per the rules in section 4 of RFC 2254. Those characters relevant to this case are: left-parenthesis, right-parenthesis, backslash, asterisk.

Platforms affected: MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
If you have a username registered on LDAP which consists of a combination of normal characters + special characters - eg. a backslash + parenthesis in the following example:

CN=Doe\, J. (John),OU=MYGROUP,OU=Users,...

... then MQ incorrectly transforms the username string before giving it to LDAP to perform a search for groups containing this user.

Section 4 of RFC 2254 says that any special characters like backslash, asterisk and open- or close-parenthesis should be encoded before providing as input for an LDAP search. So the above example should be transformed to this before calling an LDAP search:

CN=Doe\5C, J. \28John\29,OU=MYGROUP,OU=Users,...

However, MQ encodes the above as follows:

CN=Doe\2C J. (John),OU=MYGROUP,OU=Users,...

The backslash-comma sequence was being encoded as \2C which is wrong per Section 4 of RFC 2254. MQ also did not encode the open- and close-parenthesis characters as required.
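The following Python is an added illustration of the escaping rule the APAR refers to; it is not IBM MQ code. It implements RFC 2254 section 4 filter-value escaping, builds a group-membership search filter from the APAR's example DN, and includes a constructed model of the defective transform (backslash plus the hex code of the following character, parentheses untouched) purely so the two outputs can be compared. The attribute name `member` and the check function `is_safe_filter_value` are assumptions for the example.

```python
import re

# RFC 2254 section 4: characters that must be escaped inside an LDAP
# search-filter assertion value. Hex digits are written in upper case to
# match the APAR's examples; RFC 2254 accepts either case.
_FILTER_ESCAPES = {
    "\\": "\\5C",
    "*": "\\2A",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as a value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_search_filter(user_dn: str, member_attr: str = "member") -> str:
    """Filter that finds groups whose member attribute holds user_dn.

    The user DN is a filter *value*, so it is escaped per RFC 2254 even
    though it already carries RFC 2253 DN escapes such as the backslash
    before the comma in 'Doe\\, J.'. (member_attr is an assumed name.)
    """
    return f"({member_attr}={escape_filter_value(user_dn)})"


def defective_escape(value: str) -> str:
    """Constructed model of the behaviour described in this APAR (not
    IBM's code): a backslash followed by a character is replaced by a
    backslash plus the hex code of that character, and parentheses are
    left unescaped. Used here only to show why the lookup failed."""
    return re.sub(r"\\(.)", lambda m: "\\%02X" % ord(m.group(1)), value)


# A value is well-formed for a filter when every special character is
# gone and every backslash introduces exactly two hex digits.
_SAFE_VALUE = re.compile(r"^(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})*$")


def is_safe_filter_value(value: str) -> bool:
    """True if value contains no unescaped RFC 2254 special characters."""
    return _SAFE_VALUE.match(value) is not None


if __name__ == "__main__":
    # The APAR's example DN (the '\,' is an RFC 2253 DN escape).
    dn = "CN=Doe\\, J. (John),OU=MYGROUP,OU=Users,..."
    good = escape_filter_value(dn)
    bad = defective_escape(dn)
    print("correct :", good, is_safe_filter_value(good))
    print("defect  :", bad, is_safe_filter_value(bad))
    print("filter  :", build_group_search_filter(dn))
```

The correct output reproduces the APAR's expected string `CN=Doe\5C, J. \28John\29,...`; the modelled defect reproduces `CN=Doe\2C J. (John),...`, which still contains raw parentheses and so is not a valid assertion value, explaining why the group search returned nothing and the application saw MQRC_NOT_AUTHORIZED.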
Problem conclusion
The LDAP lookup code within the MQ queue manager has been corrected to ensure that the rules of Section 4 of RFC 2254 are followed to escape these characters.
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.8
v9.0 CD    9.0.4
v9.0 LTS   9.0.0.2

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT20673
Reported component name
WMQ BASE MULTIP
Reported component ID
5724H7251
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-05-19
Closed date
2017-05-31
Last modified date
2017-05-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ BASE MULTIP
Fixed component ID
5724H7251
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
31 May 2017