IBM Support

IT29401: AMQ5531E error message generated when the application connects successfully.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The queue manager is started by the 'mqm' user and configured
with CONNAUTH to use an LDAP user repository. Channel
authentication is enabled and a mapping rule is used to adopt
MCAUSER('mqm').

A client application connects and doesn't provide
userid/password, this matches the mapping rule and the
connection is successful. However during the connect an AMQ5531
error message is written to the queue manager error log:
----------------------------------------------------------------
AMQ5531E: Error locating user or group in LDAP


EXPLANATION:
The LDAP authentication and authorization service has failed in
the ldap_search call while trying to find user or group 'mqm'.
Returned count is 0. Additional context is
'(&(objectClass=user)(sAMAccountName=mqm))'.
----------------------------------------------------------------

The 'mqm' user is known to the local OS, but it doesn't exist in
the LDAP repository.

Local fix

  • To eliminate the AMQ5531 message in the queue manager error
logs, specify a user identifier known to the LDAP repository in
MCAUSER.

Problem summary

  • ****************************************************************
USERS AFFECTED:
Queue managers that use LDAP authentication & authorization may
be impacted if channels are configured to adopt the security
context of a local OS user id in MCAUSER, for example via
channel definition or CHLAUTH mapping rules.


Platforms affected:
AIX, IBM iSeries, Linux on Power, Linux on x86-64, Linux on
zSeries, Solaris SPARC, Solaris x86-64

****************************************************************
PROBLEM DESCRIPTION:
When using CONNAUTH with AUTHTYPE(IDPWLDAP) and an authorization
method that doesn't use the OS user repository, for example
AUTHORMD(SEARCHGRP), AUTHORMD(SEARCHUSR) or
AUTHORMD(SEARCHGRPSN), the MQ object authority manager (OAM)
will attempt to find the short user id in LDAP based on matching
the user id specified in MCAUSER.

The user id search fails if a channel attempts to adopt a user
id not known to the LDAP repository, this causes an AMQ5531
error message to be written to the queue manager error log.

The MQ object authority manager will continue to check that the
user id has appropriate authority to the queue manager. The only
local OS user id that is permitted to have any authority to the
queue manager when using an LDAP user repository is the user
that started the queue manager.

In the case where the channel MCA user ID had been resolved to
the user that started the queue manager, this was not honored
correctly, and the lookup was still made to the LDAP server,
resulting in the AMQ5531 error message in the queue manager's
error log.

Problem conclusion

  • The MQ queue manager logic has been updated such that codepath
to lookup a short user id in LDAP is avoided if the MCAUSER for
a channel matches the OS user id that started the queue manager.

Adopting the local OS user identifier that started the queue
manager when using LDAP authorization via MCAUSER mapping is not
recommended, this grants full administrative access control to a
remote user.

The AMQ5531 error message will continue to be correctly reported
in the queue manager's error log in the case where the channel
MCA user is resolved to a user who is NOT the user that started
the queue manager, and this user cannot be found in the LDAP
repository.

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.1 CD    9.1.3
v9.1 LTS   9.1.0.3

The latest available maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT29401
    • 

  • Reported component name
    IBM MQ BASE MP
    • 

  • Reported component ID
    5724H7271
    • 

  • Reported release
    910
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2019-06-11
    • 

  • Closed date
    2019-07-09
    • 

  • Last modified date
    2019-07-09
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IBM MQ BASE MP
    • 

  • Fixed component ID
    5724H7271
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"910","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            09 July 2019
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback