Author |
Message
|
jefflowrey |
Posted: Fri Apr 25, 2008 5:48 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Is there a user named "user1" on the computer that hosts the queue manager?
It seems there isn't. _________________ I am *not* the model of the modern major general. |
|
bbburson |
Posted: Fri Apr 25, 2008 5:49 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
|
mquser925 wrote: |
setmqaut -m TEST -t qmgr -p user1 +all
AMQ7026: A principal or group name was invalid.
|
It appears (rather obviously) that 'user1' does not exist on Machine A. You cannot grant authorizations to a nonexistent id. |
|
Vitor |
Posted: Fri Apr 25, 2008 5:51 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
I repeat my suggestion to set MCAUser to mqm for experimental purposes.
Or define a new user which does exist on Machine A, setmqaut that user and put that user in MCAUser (a better longer term strategy).
I again commend those manuals to you.  _________________ Honesty is the best policy.
Insanity is the best defence. |
|
mquser925 |
Posted: Mon Apr 28, 2008 4:21 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
We are using LDAP, are there additional settings to allow mq to interface with LDAP? |
|
jefflowrey |
Posted: Mon Apr 28, 2008 4:53 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
mquser925 wrote: |
We are using LDAP, are there additional settings to allow mq to interface with LDAP? |
MQ only uses the OS for user registry. If you want to use LDAP, you must configure the OS to use LDAP. _________________ I am *not* the model of the modern major general. |
|
mquser925 |
Posted: Mon Apr 28, 2008 5:12 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
But I am able to login to the OS using my userid that is acquired using LDAP, wouldn't that mean that the OS is configured to use LDAP? |
|
jefflowrey |
Posted: Mon Apr 28, 2008 5:14 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
mquser925 wrote: |
But I am able to login to the OS using my userid that is acquired using LDAP, wouldn't that mean that the OS is configured to use LDAP? |
Yes.
Can you log into the OS as "user1", on the box in question? _________________ I am *not* the model of the modern major general. |
|
mquser925 |
Posted: Mon Apr 28, 2008 5:17 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
|
fjb_saper |
Posted: Mon Apr 28, 2008 8:55 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20766 Location: LI,NY
|
mquser925 wrote: |
But I am able to login to the OS using my userid that is acquired using LDAP, wouldn't that mean that the OS is configured to use LDAP? |
Not necessarily. Is user mqm configured to use LDAP?
You may have to make sure the PATH is correct for user mqm and bounce the qmgrs to take advantage of the new PATH (LDAP).
And remember the ORDER on the PATH DOES matter
Enjoy  _________________ MQ & Broker admin |
|
mquser925 |
Posted: Mon Apr 28, 2008 9:13 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
Ok so maybe I can try a different approach, 'user1' is in the group 'group1'.
So I set permissions for all queues in qmgr TEST
setmqaut -m TEST -n TEST.Q.* -t q -g group1 +get +put
This completes successfully.
I set the env variable for the user on the client machine.
export MQSERVER=TEST.SVRCONN/TCP/'XX.XXX.X.XX(1414)'
When I try to put a msg on the queue using:
amqsputc TEST.QUEUE TEST
I get error 2035.
The only way I have been able to get/put msgs on the queue using the client is by setting
MCAUSER('mqm') but I don't want to give every user the same permissions as mqm. |
|
jefflowrey |
Posted: Mon Apr 28, 2008 9:20 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Your queue manager is not syncing against the LDAP properly, or your LDAP is not providing the users to the OS on the *server* that you think it is.
Nothing you do with MQSERVER or setmqaut will resolve this.
But again, remember that the OAM only works against the server OS user registry. Nothing you do on the client machine applies at all. _________________ I am *not* the model of the modern major general. |
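Added example, not part of the original thread: a pre-flight check to run on the server that hosts the queue manager, confirming that a principal resolves in the OS user registry and belongs to the intended group before any setmqaut grant is attempted. The function name check_principal is hypothetical; user1 and group1 are the names used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Run it on the queue manager host,
# ideally from the same environment the queue manager is started in,
# because the OAM resolves principals against the server OS registry only.
#
# check_principal USER GROUP   (hypothetical helper name)
#   returns 0  USER resolves on this host and is a member of GROUP
#   returns 1  USER does not resolve (the case where setmqaut -p reported AMQ7026)
#   returns 2  USER resolves but is not a member of GROUP, so a
#              "setmqaut ... -g GROUP" grant would not apply to USER
check_principal() {
    user=$1
    group=$2

    # id looks the name up through the host's configured name services,
    # so an LDAP-backed user appears only if this host is set up for LDAP.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "principal '$user' is not known to this host" >&2
        return 1
    fi

    # Walk the user's group names (primary and supplementary).
    for g in $(id -Gn "$user"); do
        if [ "$g" = "$group" ]; then
            echo "ok: '$user' resolves and is in '$group'"
            return 0
        fi
    done

    echo "principal '$user' resolves but is not in group '$group'" >&2
    return 2
}

# Usage on the server, with the thread's names:
#   check_principal user1 group1
if [ "$#" -ge 2 ]; then
    check_principal "$1" "$2"
fi
```

A result of 0 on a client machine says nothing about the server; the check only means something on the host where the queue manager runs.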
|
mquser925 |
Posted: Wed Apr 30, 2008 1:48 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
fjb_saper wrote: |
mquser925 wrote: |
But I am able to login to the OS using my userid that is acquired using LDAP, wouldn't that mean that the OS is configured to use LDAP? |
Not necessarily. Is user mqm configured to use LDAP?
You may have to make sure the PATH is correct for user mqm and bounce the qmgrs to take advantage of the new PATH (LDAP).
And remember the ORDER on the PATH DOES matter
Enjoy  |
mqm was configured as a local user but is now configured to use LDAP. Can you elaborate on the path? |
|
fjb_saper |
Posted: Wed Apr 30, 2008 6:24 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20766 Location: LI,NY
|
mquser925 wrote: |
fjb_saper wrote: |
Is user mqm configured to use LDAP?
You may have to make sure the PATH is correct for user mqm and bounce the qmgrs to take advantage of the new PATH (LDAP).
And remember the ORDER on the PATH DOES matter
Enjoy  |
mqm was configured as a local user but is now configured to use LDAP. Can you elaborate on the path? |
Well the LDAP libraries need to be on the PATH before the default ones or under the user the LDAP will not work / be resolved properly.
You can check that with the which command.
And remember the qmgr needs to be started in an environment that resolves LDAP correctly for LDAP to work with MQ.
Enjoy  _________________ MQ & Broker admin |
|
mquser925 |
Posted: Thu May 01, 2008 5:09 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
I am able to successfully set the permissions for the following queues using:
setmqaut -m TEST -n TEST.Q.* -t q -g group1 +get +put
I then viewed the group's permissions using
dspmqaut -m TEST -n TEST.Q.A -t q -g group1
Entity group1 has the following authorizations for object TEST.Q.A
get
put
However when I try to put a message on the queue using amqsputc I get a 2059 error.
I did set MQSERVER correctly as well for user1 who is in group1. |
|
mquser925 |
Posted: Thu May 01, 2008 5:22 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008 Posts: 61
|
fjb_saper wrote: |
mquser925 wrote: |
fjb_saper wrote: |
Is user mqm configured to use LDAP?
You may have to make sure the PATH is correct for user mqm and bounce the qmgrs to take advantage of the new PATH (LDAP).
And remember the ORDER on the PATH DOES matter
Enjoy  |
mqm was configured as a local user but is now configured to use LDAP. Can you elaborate on the path? |
Well the LDAP libraries need to be on the PATH before the default ones or under the user the LDAP will not work / be resolved properly.
You can check that with the which command.
And remember the qmgr needs to be started in an environment that resolves LDAP correctly for LDAP to work with MQ.
Enjoy  |
I didn't set up LDAP, do you know if there is any documentation on setting up LDAP with MQ? |
|