Can I mix local userids with LDAP authentication?
NomadAU
Posted: Thu May 25, 2017 11:06 pm    Post subject: Can I mix local userids with LDAP authentication?
Novice
Joined: 06 Feb 2017    Posts: 15
I've got myself confused around something that should be fairly straightforward. Hoping someone can put me straight.
Environment: RHEL v7 and MQ v8.
I'm building out a configuration with multiple QMs in a cluster and a couple of QM's that are used as cluster gateways.
One of the gateways is used for access to/from external business partners while the other is used primarily for access to/from a 3rd party component installed on premise.
The security I am trying to implement would have traffic from the external business partner secured using x.509 certs on the SDR/RCVR channel, and mapped to a local userid (using SSL peer mapping).
Similarly, traffic from the 3rd party component is via a SVRCONN connection, also secured using x.509 and again, a local userid mapped using SSL peer mapping.
These 2 local userids are then used to grant permissions for MQ access (qm, queues, topics and so on).
So far, so good and easy to do.
However, I'd also like to use Active Directory to authenticate other users who need to use MQExplorer. That way I can easily define a group of users in the LDAP with admin privileges, and other groups with lesser privileges.
The problem I've hit is that after creating an AUTHINFO enabling LDAP on a QM, I am no longer able to create AUTHRECs for the local userids mapped using SSL peer mapping.
MQ is searching the LDAP for the specified user or group and failing to find an entry (because the userid is only defined on the local machine).
So, I'm rapidly coming to the conclusion that I can't mix these 2 'local' userids with LDAP userids.
Is this correct, or is there some way of restricting the use of LDAP to just the authentication on the MQ Explorer client channel?
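The configuration the post describes, written out as MQSC, is added here as a worked example; it is not the poster's own definitions. Every channel name, queue profile, certificate DN, LDAP host, bind account and userid in it is an assumption. The security-relevant detail is the AUTHORMD attribute of the AUTHINFO: with OS (the default) the principals and groups named in SET AUTHREC are resolved against the local operating system, while SEARCHUSR or SEARCHGRP resolve them in LDAP, which matches the symptom described above.

```mqsc
* Added example, not the poster's configuration. All names and DNs are assumed.

* 1. Business partner gateway: SDR/RCVR channel secured with X.509.
*    Only a certificate with exactly this subject DN, issued by this CA,
*    may start the channel, and the MCA user is forced to the local id
*    'partnerusr' whatever identity the remote end asserts.
*    The channel itself is assumed to carry SSLCAUTH(REQUIRED) and an SSLCIPH.
SET CHLAUTH('PARTNER.TO.GW1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=partnerqm,O=Partner Ltd,C=AU') +
    SSLCERTI('CN=Partner Issuing CA,O=Partner Ltd,C=AU') +
    USERSRC(MAP) MCAUSER('partnerusr') ACTION(REPLACE)

* 2. On-premise third-party component: SVRCONN channel, same pattern.
SET CHLAUTH('COMPONENT.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=component,O=Vendor,C=AU') +
    USERSRC(MAP) MCAUSER('vendorusr') ACTION(REPLACE)

* 3. Authorization records for the two mapped local ids.
*    With AUTHORMD(OS) these principals are OS users; least privilege is
*    CONNECT on the queue manager plus only the verbs each flow needs.
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('partnerusr') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('PARTNER.IN.**') OBJTYPE(QUEUE) +
    PRINCIPAL('partnerusr') AUTHADD(PUT)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('vendorusr') AUTHADD(CONNECT, INQ)
SET AUTHREC PROFILE('VENDOR.**') OBJTYPE(QUEUE) +
    PRINCIPAL('vendorusr') AUTHADD(PUT, GET, BROWSE, INQ)

* 4. Active Directory authentication for MQ Explorer users over LDAPS.
*    AUTHORMD(OS): authorization stays with OS users/groups, so the two
*    local ids above can still be named in AUTHRECs. SEARCHGRP or SEARCHUSR
*    would instead look every AUTHREC principal up in LDAP.
*    CHCKCLNT(REQDADM) only forces passwords for privileged client users at
*    queue-manager level; the Explorer channel tightens that below.
DEFINE AUTHINFO('AD.AUTH') AUTHTYPE(IDPWLDAP) +
    CONNAME('ad.example.com(636)') SECCOMM(YES) +
    LDAPUSER('CN=mq-bind,OU=Service Accounts,DC=example,DC=com') +
    LDAPPWD('placeholder-bind-password') +
    BASEDNU('OU=Users,DC=example,DC=com') CLASSUSR('user') +
    USRFIELD('sAMAccountName') SHORTUSR('sAMAccountName') +
    BASEDNG('OU=Groups,DC=example,DC=com') CLASSGRP('group') +
    FINDGRP('member') GRPFIELD('cn') NESTGRP(YES) +
    AUTHORMD(OS) ADOPTCTX(YES) +
    CHCKCLNT(REQDADM) CHCKLOCL(OPTIONAL) +
    DESCR('AD authentication for MQ Explorer users') REPLACE

* 5. Require a userid and password on the MQ Explorer channel only.
*    The SSLPEERMAP rules above carry no CHCKCLNT override, so the X.509-mapped
*    channels keep the queue-manager default and are not asked for passwords.
SET CHLAUTH('EXPLORER.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(CHANNEL) CHCKCLNT(REQUIRED) ACTION(REPLACE)

ALTER QMGR CONNAUTH('AD.AUTH')
REFRESH SECURITY TYPE(CONNAUTH)
```

Feed the file to runmqsc for the gateway queue manager and check the DISPLAY CHLAUTH and DISPLAY AUTHINFO output afterwards. One consequence of AUTHORMD(OS) with ADOPTCTX(YES) is that an LDAP-authenticated Explorer user is authorized as the OS user named by its SHORTUSR value, so that name (or a group containing it) must be resolvable on the RHEL host; that is the OS-to-LDAP mapping the later reply in this thread describes.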
NomadAU
Posted: Wed May 31, 2017 9:38 am    Post subject:
Novice
Joined: 06 Feb 2017    Posts: 15
Judging by the lack of responses to my question, I'm guessing either
- I'm asking a really dumb question... or
- no-one really knows the answer
Either way, it might help if I add that the intent is to MINIMISE the qm dependency on LDAP. We are facing a lot of instability with our current MQ/AD installation, some (most?) of which is likely to be due to a bug in the MQ product.
http://www-01.ibm.com/support/docview.wss?uid=swg1IT17234&myns=swgws&mynp=OCSSFKSJ&mync=R&cm_sp=swgws-_-OCSSFKSJ-_-R
The only value I can see in continuing to use LDAP is the ease with which users can be provisioned to access to the MQ installation, specifically using MQExplorer (by adding them to LDAP groups).
On the other hand, if we just create a set of local userids, with differing permissions, these could be used to authenticate with MQExplorer, but they would then be shared and not provide any degree of auditability.
Anyone got further thoughts on this?
Vitor
Posted: Wed May 31, 2017 9:50 am    Post subject: Re: Can I mix local userids with LDAP authentication?
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA

NomadAU wrote:
    So, I'm rapidly coming to the conclusion that I can't mix these 2 'local' userids with LDAP userids.
Well there is, but not really in the context you describe here.
We get round this by mapping the "local" Linux ids to LDAP. Hence no matter the source of the id values, they're authenticated against our LDAP system. So none of the Linux boxes actually have any local ids, they just think they have.
This is on RHELv6.5 in Prod and I'm told it works in RHELv7 in the certification environment the Linux people use. I have not seen it, but have no reason to believe they're lying nor that it's stopped working with the new major release.
_________________
Honesty is the best policy.
Insanity is the best defence.