| Author |
Message
|
| Vitor |
 Posted: Thu May 01, 2008 5:26 am Post subject: |
 |
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mquser925 wrote: |
I am able to successfully set the permissions for the following queues using:
setmqaut -m TEST -n TEST.Q.* -t q -g group1 +get +put |
Remember this is setting permissions on the server OAM. This has nothing to do with how the user is identified (or not) against LDAP.
| mquser925 wrote: |
However when I try to put a message on the queue using amqsputc I get a 2059 error.
I did set MQSERSVER correctly as well for user1 who is in group1. |
A 2059 is unrelated to permissions; it's a configuration or connectivity error. Possibly connected to the environment variable being called MQSERVER (unless the above post is a simple typo!)
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
 |
| mquser925 |
| Posted: Thu May 01, 2008 7:45 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008
Posts: 61
|
| Vitor wrote: |
Remember this is setting permissions on the server OAM. This has nothing to do with how the user is identified (or not) against LDAP. |
Yes, I'm assuming that LDAP is properly configured, I dont know anything about LDAP (other than what I googled) and someone else configured it.
| Vitor wrote: |
A 2059 is unrelated to permissions; it's a configuration or connectivity error. Possibly connected to the environment variable being called MQSERVER (unless the above post is a simple typo!) |
export MQSERVER=TEST.SVRCONN/TCP/'XX.XXX.X.XX(1414)'
This is the exact syntax I'm using. |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu May 01, 2008 2:51 pm Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mquser925 wrote: |
| Vitor wrote: |
A 2059 is unrelated to permissions; it's a configuration or connectivity error. Possibly connected to the environment variable being called MQSERVER (unless the above post is a simple typo!) |
export MQSERVER=TEST.SVRCONN/TCP/'XX.XXX.X.XX(1414)'
This is the exact syntax I'm using. |
Looks good to me - search through the forum for discussion of the 2059 error code. It's very common, and may be nothing to do with your configuration.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu May 01, 2008 6:05 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20766
Location: LI,NY
|
Case matters.
Have you tried using MQServer as env variable?
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri May 02, 2008 12:46 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| fjb_saper wrote: |
| Case matters. |
It certainly does.
| fjb_saper wrote: |
| Have you tried using MQServer as env variable? |
I've always upper cased it...
...and I thought we'd explored this subject towards the front of this post. 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| kevinf2349 |
| Posted: Fri May 02, 2008 5:25 am Post subject: |
|
|
Grand Master
Joined: 28 Feb 2003
Posts: 1311
Location: USA
|
Did you issue the setmqaut for group 'group1' to connect to the qmgr?
I read that you tried to issue it for the principle but didn't see where you did it for the group. |
|
| Back to top |
|
|
| mquser925 |
| Posted: Mon May 12, 2008 1:11 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008
Posts: 61
|
| Yes I changed the permissions for the principle and the group but the client is still unable to connect. |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon May 12, 2008 1:19 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mquser925 wrote: |
| Yes I changed the permissions for the principle and the group but the client is still unable to connect. |
I repeat my point above that a 2059 error code is unrelated to permissions.
As you don't say in this post what the error is here, I'm assuming that the problem in unchanged.
Remember that a 2059 can be unrelated to any part of your configuration.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mquser925 |
| Posted: Mon May 12, 2008 4:53 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008
Posts: 61
|
Now I'm getting a 2035 error so maybe I'm in the right ballpark now.
| Code: |
#mq script
crtmqm -u SYSTEM.DEAD.LETTER.QUEUE TEST
strmqm TEST
runmqsc TEST << EOF
DEFINE QLOCAL (TEST.A.Q) REPLACE
DEFINE CHANNEL (TEST.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('nobody') REPLACE
DEFINE LISTENER (TEST.LISTENER) TRPTYPE(TCP) CONTROL(QMGR) PORT(1414) REPLACE
START LISTENER(TEST.LISTENER)
EOF
setmqaut -m TEST -n TEST.A.Q -t q -g group1 +all
setmqaut -m TEST -t qmgr -g group1 +all
|
| Code: |
export MQSERVER='TEST.SVRCONN/TCP/xx.xxx.x.xx(1414)'
|
| Code: |
./amqsputc TEST.A.Q TEST
|
| Code: |
Sample AMQSPUT0 start
MQCONN ended with reason code 2035
|
|
|
| Back to top |
|
|
| Gaya3 |
| Posted: Mon May 12, 2008 4:55 am Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
you are not authorized to connect to the specific queue manager and queue thats all
Check the MCAUSER level
Regards
Gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
|
| Back to top |
|
|
| mquser925 |
| Posted: Mon May 12, 2008 5:04 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008
Posts: 61
|
| Gaya3 wrote: |
you are not authorized to connect to the specific queue manager and queue thats all
Check the MCAUSER level
Regards
Gayathri |
I thought setmqaut was specifically authorizing any member of group1 to connect to the queue manager and queue.
I'm not sure what you mean about checking the MCAUSER level. |
|
| Back to top |
|
|
| Gaya3 |
| Posted: Mon May 12, 2008 5:22 am Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
Check the Channel properties, you can see an attribute called MCAUSER
Regards
gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
|
| Back to top |
|
|
| Vitor |
| Posted: Mon May 12, 2008 5:38 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Gaya3 wrote: |
Check the Channel properties, you can see an attribute called MCAUSER
|
More specifically, why is it set to "nobody"? Who, presumably, is not a member of group1?
Why is it not set to "somebody", who is a member of group1?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mquser925 |
| Posted: Mon May 12, 2008 5:59 am Post subject: |
|
|
Acolyte
Joined: 22 Apr 2008
Posts: 61
|
| Vitor wrote: |
More specifically, why is it set to "nobody"? Who, presumably, is not a member of group1?
Why is it not set to "somebody", who is a member of group1? |
This is what I did not understand, I have to specify a member of group1 in order to allow all users in group1 to access the objects? I also found out there is a 12 character limit on the user name. |
|
| Back to top |
|
|
| Gaya3 |
| Posted: Mon May 12, 2008 6:03 am Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
Should have some limitations, else we will cross the limit.
so reflect the username/group and resolve the issue, you are pretty near to it
Regards
Gayathri
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die |
|
| Back to top |
|
|
|
|
