IBM Support

IT29401: AMQ5531E error message generated when the application connects successfully.


APAR status

  • Closed as program error.

Error description

  • The queue manager is started by the 'mqm' user and configured
    with CONNAUTH to use an LDAP user repository. Channel
    authentication is enabled and a mapping rule is used to adopt
    MCAUSER('mqm').
    
    A client application connects without providing a userid and
    password. This matches the mapping rule and the connection
    succeeds; however, during the connect an AMQ5531 error message
    is written to the queue manager error log:
    ----------------------------------------------------------------
    AMQ5531E: Error locating user or group in LDAP
    
    
    EXPLANATION:
    The LDAP authentication and authorization service has failed in
    the ldap_search call while trying to find user or group 'mqm'.
    Returned count is 0. Additional context is
    '(&(objectClass=user)(sAMAccountName=mqm))'.
    ----------------------------------------------------------------
    
    The 'mqm' user is known to the local OS, but it doesn't exist in
    the LDAP repository.
    

Local fix

  • To eliminate the AMQ5531 message in the queue manager error
    logs, specify a user identifier known to the LDAP repository in
    MCAUSER.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Queue managers that use LDAP authentication & authorization may
    be impacted if channels are configured to adopt the security
    context of a local OS user id in MCAUSER, for example via
    channel definition or CHLAUTH mapping rules.
    
    
    Platforms affected:
    AIX, IBM iSeries, Linux on Power, Linux on x86-64, Linux on
    zSeries, Solaris SPARC, Solaris x86-64
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When using CONNAUTH with AUTHTYPE(IDPWLDAP) and an authorization
    method that doesn't use the OS user repository, for example
    AUTHORMD(SEARCHGRP), AUTHORMD(SEARCHUSR) or
    AUTHORMD(SEARCHGRPSN), the MQ object authority manager (OAM)
    will attempt to find the short user id in LDAP based on matching
    the user id specified in MCAUSER.
    
    The user id search fails if a channel attempts to adopt a user
    id that is not known to the LDAP repository, and this causes an
    AMQ5531 error message to be written to the queue manager error
    log.
    
    The MQ object authority manager will continue to check that the
    user id has appropriate authority to the queue manager. The only
    local OS user id that is permitted to have any authority to the
    queue manager when using an LDAP user repository is the user
    that started the queue manager.
    
    In the case where the channel MCA user ID had been resolved to
    the user that started the queue manager, this was not honored
    correctly, and the lookup was still made to the LDAP server,
    resulting in the AMQ5531 error message in the queue manager's
    error log.
    

Problem conclusion

  • The MQ queue manager logic has been updated such that codepath
    to lookup a short user id in LDAP is avoided if the MCAUSER for
    a channel matches the OS user id that started the queue manager.
    
    Adopting, via MCAUSER mapping, the local OS user that started the
    queue manager when LDAP authorization is in use is not
    recommended: it grants full administrative control of the queue
    manager to a remote user.
    
    The AMQ5531 error message will continue to be correctly reported
    in the queue manager's error log in the case where the channel
    MCA user is resolved to a user who is NOT the user that started
    the queue manager, and this user cannot be found in the LDAP
    repository.
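    The MQSC below is an added example and is not part of the APAR or
    of IBM's own documentation. It shows the CONNAUTH and CHLAUTH
    configuration that produces the scenario described above (a
    mapping rule adopting the OS user that started the queue manager),
    the corrected form that maps to a user known to LDAP with only the
    authority the application needs, and the RUNCHECK query used to
    confirm which rule a connection hits. The queue manager name, the
    channel APP.SVRCONN, the queue APP.REQUEST, the LDAP host and DNs,
    the address range and the users 'appsvc' and 'alice' are assumed
    names chosen for the example.

```mqsc
* Added example (not from the APAR). Queue manager, channel, queue,
* LDAP host/DNs, address range and the users below are assumed names.

* 1. CONNAUTH against an LDAP user repository with LDAP group
*    authorization. CHCKCLNT(OPTIONAL) reproduces the APAR scenario,
*    in which a client that sends no credentials is still admitted.
*    CHCKCLNT(REQUIRED) would instead refuse that connection.
DEFINE AUTHINFO('USE.LDAP') AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.example.com(389)') +
       LDAPUSER('cn=mqbind,ou=svc,dc=example,dc=com') LDAPPWD('********') +
       BASEDNU('ou=users,dc=example,dc=com') CLASSUSR('user') +
       SHORTUSR('sAMAccountName') USRFIELD('sAMAccountName') +
       AUTHORMD(SEARCHGRP) BASEDNG('ou=groups,dc=example,dc=com') +
       CLASSGRP('group') FINDGRP('member') GRPFIELD('cn') +
       ADOPTCTX(YES) CHCKCLNT(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH('USE.LDAP')
REFRESH SECURITY TYPE(CONNAUTH)

* 2. The rule that triggers AMQ5531E and, more importantly, hands every
*    connection from 10.0.0.* full administrative control: the channel
*    runs as the OS user that started the queue manager, who does not
*    exist in LDAP, so the short-user lookup is doomed to fail.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('mqm') ACTION(REPLACE)

* 3. Corrected: map to a service identity that exists in LDAP, and keep
*    a BLOCKUSER rule on every channel so that no remote connection can
*    ever run as a privileged user. 'mqm' is listed explicitly so the
*    starting user is blocked whatever *MQADMIN resolves to under LDAP.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('appsvc') ACTION(REPLACE)
SET CHLAUTH('*') TYPE(BLOCKUSER) USERLIST('*MQADMIN','mqm') +
    DESCR('Block privileged users on all channels') ACTION(REPLACE)

* 4. Grant 'appsvc' only what the application needs (least privilege).
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('appsvc') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE) PRINCIPAL('appsvc') +
    AUTHADD(PUT,GET,INQ)
REFRESH SECURITY TYPE(AUTHSERV)

* 5. Check which rule a given connection would match and what MCAUSER
*    it resolves to, before any application is allowed to connect.
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) ADDRESS('10.0.0.25') +
        CLNTUSER('alice')
```

    Feed the script to the queue manager with runmqsc (for example
    `runmqsc QM1 < chlauth.mqsc`). The RUNCHECK display in step 5 is
    the check to run after any CHLAUTH change: if the reported MCAUSER
    is the OS user that started the queue manager, the mapping is
    granting remote administrative access regardless of whether the
    AMQ5531E message still appears.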
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v9.1 CD    9.1.3
    v9.1 LTS   9.1.0.3
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

APAR Information

  • APAR number

    IT29401

  • Reported component name

    IBM MQ BASE MP

  • Reported component ID

    5724H7271

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-06-11

  • Closed date

    2019-07-09

  • Last modified date

    2019-07-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ BASE MP

  • Fixed component ID

    5724H7271

Document Information

Modified date:
09 July 2019