RogerLacroix | Posted: Thu Mar 22, 2007 7:47 am

Vitor wrote:
(My personal view only, other views may be equally valid, I am not now nor have I ever been associated with Capitalware and any comments made about their products should not be taken as an official endorsement and no liability is accepted for any loss or damage howsoever caused )

Somebody knows the CYA rule!

Regards,
Roger Lacroix
Capitalware: Transforming tomorrow into today.
Connected to MQ!

Vitor | Posted: Thu Mar 22, 2007 7:53 am

RogerLacroix wrote:
Somebody knows the CYA rule!

Over 10 years consulting, often in government contracts...

Honesty is the best policy.
Insanity is the best defence.

marcin.kasinski | Posted: Thu Mar 22, 2007 10:37 am

Vitor wrote:
And buying a security exit (or any exit) is a lot easier than writing your own!
(My personal view only, other views may be equally valid, I am not now nor have I ever been associated with Capitalware and any comments made about their products should not be taken as an official endorsement and no liability is accepted for any loss or damage howsoever caused )

But writing your own you can learn a lot and expand functionality.

Marcin

RogerLacroix | Posted: Thu Mar 22, 2007 10:52 am

marcin.kasinski wrote:
But writing your own you can learn a lot

Very true, but MQ exits are a complex subject and you should be at an expert level of MQ and C programming.

marcin.kasinski wrote:
expand functionality

Well, I tried to put everything but the kitchen sink in MQAUSX. I'm always looking for suggestions.

Regards,
Roger Lacroix
Capitalware Inc.
Capitalware: Transforming tomorrow into today.
Connected to MQ!

Vitor | Posted: Fri Mar 23, 2007 12:53 am

marcin.kasinski wrote:
But writing your own you can learn a lot and expand functionality

Quite true, if you have the spare time and a sandbox to test it in. Exits are an advanced topic. Poorly written exits will have an impact on throughput; badly written exits will bring your system down.
And I said it was easier to buy an exit, not better. That's a determination each person must make for themselves.
(My disclaimer refers)

Honesty is the best policy.
Insanity is the best defence.

Michael Dag | Posted: Fri Mar 23, 2007 1:25 am

RogerLacroix wrote:
Well, I tried to put everything but the kitchen sink in MQAUSX. I'm always looking for suggestions.

I haven't used LDAP myself, but had a look at the documentation on your site. Is it applicable to client users only?
If the above is yes, could it also be extended to bindings mode users?
Can you store the authorisations like put, get etc. also in LDAP?
Just a few questions...

Michael

marcin.kasinski | Posted: Fri Mar 23, 2007 1:27 am

Vitor wrote:
Quite true, if you have the spare time and a sandbox to test it in. Exits are an advanced topic. Poorly written exits will have an impact on throughput; badly written exits will bring your system down.
And I said it was easier to buy an exit, not better. That's a determination each person must make for themselves.
(My disclaimer refers)

Roger, Vitor,
I agree with you.
Everything is true, but in my opinion performance is not a good argument here, where we are talking about a security exit.
I spent a lot of time optimizing message exits, where performance is very important.
But...
If you are talking about performance, in my opinion a security exit is not so sensitive.
A security exit is activated during establishing a connection. This operation is not executed very often in "normal", "standard" applications.
The rest is absolutely true.

Marcin

jcv | Posted: Fri Sep 28, 2007 5:56 am

jefflowrey wrote:
On Windows, you can configure the OS to use Active Directory, which is LDAP.
On Unix, you can configure the OS to use LDAP.
Then you don't have to screw around with writing your own OAM.

Basically, if the OS (AIX) uses LDAP, MQ should not see any difference between those and standard (/etc/passwd and /etc/group) users?
I'm asking because I have added authority permissions to an LDAP user group, and it does not seem to have any effect.

jefflowrey | Posted: Fri Sep 28, 2007 5:58 am

jcv wrote:
Basically, if the OS (AIX) uses both LDAP and standard /etc/passwd and /etc/group, MQ should not make any difference between those two?
I'm asking because I have added authority permissions to an LDAP user group, and it does not seem to have any effect.

I'm not sure how an OS can actually use TWO SEPARATE user repository systems at the same time, but I'll take your word for it.
The MQ OAM does not poll the OS user repository for changes. Any time you change the OS user repository - in terms of group memberships - you need to issue REFRESH SECURITY.
Any time you do anything with setmqaut, then you DO NOT need to issue REFRESH SECURITY.

I am *not* the model of the modern major general.

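A small diagnostic script for the situation discussed in the posts above, added here as an example; it is not from this thread, from any of the posters, or from IBM. Before trusting what setmqaut reports, it asks the OS itself (whatever registry is behind it: files, LDAP, NIS) whether the group resolves and whether the user is reported as a member, since that OS view is what the OAM works from; only then does it print the MQ commands, including the REFRESH SECURITY that a membership change on the OS side needs. The queue manager, group and user names are placeholders passed as arguments, and the authorities granted (+connect +inq on the queue manager) are an assumption chosen for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from IBM. Assumed placeholders:
# the queue manager name, the group that was granted authority, and the
# (LDAP) user that still cannot connect are all passed in as arguments.

# 0 if the OS name service resolves the group, 1 otherwise.
# getent consults every configured registry (files, LDAP, NIS, ...);
# fall back to /etc/group only where getent is absent.
os_resolves_group() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/group
    fi
}

# 0 if the OS lists the user as a member (primary or supplementary) of the group.
# This is the same group list the OAM obtains from the OS for the user.
user_in_group() {
    _user=$1
    _group=$2
    for _g in $(id -Gn "$_user" 2>/dev/null); do
        [ "$_g" = "$_group" ] && return 0
    done
    return 1
}

# Print (do not run) the MQ commands: grant the group connect/inquire on the
# queue manager (assumed authorities), display what was stored, and refresh
# security so the OAM picks up group memberships changed on the OS side.
mq_commands() {
    _qmgr=$1
    _group=$2
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$_qmgr" "$_group"
    printf 'dspmqaut -m %s -t qmgr -g %s\n' "$_qmgr" "$_group"
    printf "echo 'REFRESH SECURITY' | runmqsc %s\n" "$_qmgr"
}

# Run the OS-side checks first; return 2 or 3 with a message on stderr when
# the problem is in the user registry rather than in MQ, else print the commands.
check_mq_group() {
    _qmgr=$1
    _group=$2
    _user=$3
    if ! os_resolves_group "$_group"; then
        echo "OS cannot resolve group $_group; fix the registry (files/LDAP) before touching MQ" >&2
        return 2
    fi
    if ! user_in_group "$_user" "$_group"; then
        echo "OS does not list $_user as a member of $_group; setmqaut on that group cannot help" >&2
        return 3
    fi
    mq_commands "$_qmgr" "$_group"
}

# Example invocation with placeholder names (constructed): review the printed
# commands and pipe them into a shell on the queue manager host once satisfied.
# check_mq_group QM1 mqusers ldapuser1
```

If the OS cannot resolve the group or does not list the user in it, the fix belongs in the user registry (the /etc/security/user registry stanza on AIX, or the LDAP client configuration), not in MQ; once `id -Gn user` shows the group, setmqaut against that group and a REFRESH SECURITY are all that remain.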
jcv | Posted: Fri Sep 28, 2007 6:14 am

As I understand our AIXADMIN team, we have both local users, visible in the previously mentioned files, and LDAP users, at the same time.
And I used setmqaut to add some permissions to a certain LDAP group. Hence, I don't have to issue REFRESH SECURITY, because it's not like I moved some user between groups, or added one to a group. setmqaut made no complaints, dspmqaut displayed it was received O.K., but the LDAP user being a member of that group had no benefit from that command.

jefflowrey | Posted: Fri Sep 28, 2007 7:40 am

Well.
Do any LDAP users have ANY MQ privileges?
Is there an MCAUser on the channel the LDAP user is connecting over?

I am *not* the model of the modern major general.

jcv | Posted: Fri Sep 28, 2007 8:28 am

Although I must admit I don't follow you perfectly, because I'm not positioned as a member of the AIXADMIN team, I have googled around a bit just out of pure intellectual curiosity for the possibility of having files and LDAP users at the same time on the system. And it appears (but I'm not 100 percent sure about that) I have understood my colleagues well; there is no obstacle to that. There is a "registry" stanza in /etc/security/user; possible values are files, or NIS, or DCE, or LDAP, ... It defines the authentication registry where the user is administered. Here you are:
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.files/doc/aixfiles/user.htm
I tried to add MQ privileges to a whole LDAP group, with the previously described results. So the answer to your first question is: not yet, but I would like them to have. The second question I don't understand quite well: the LDAP user is doing a telnet session to connect to the AIX system (with success), and from there he is trying (it's definitely "he" this time) to run a server application connecting in BINDING shared memory mode. And the application can't connect to a local qmgr; I couldn't give him rights.

jcv | Posted: Fri Sep 28, 2007 9:17 am

It seems that the SYSTEM stanza in /etc/security/user is also relevant to understanding the whole situation, which I don't, but my main question is: once an OS user is set up, it does not matter how it's authenticated or where it is administered, MQ (standard OAM) knows about it? The same question stands for groups.

jcv | Posted: Sun Sep 30, 2007 12:55 am

There is also a possibility that the LDAP group is newer than the last qmgr restart and the last security refresh. In that case I wonder whether it would be too expensive for setmqaut to call refresh security automatically, to avoid such situations? In fact, in that case I would expect setmqaut to return an error: unknown group. I will explore the possibility tomorrow.

jcv | Posted: Sun Sep 30, 2007 1:53 am

Since setmqaut most likely does refresh security automatically, and most likely would report an unknown group, I will first double-check the claims that the LDAP user has no privileges, which is something I had to do first.