LDAP authorization

We can use LDAP authorization to remove the need for a local user ID.


Availability of LDAP authorization on supported platforms

LDAP authorization is available on the following platforms:

  • UNIX
  • IBM i
  • Windows

Attention:

From IBM MQ Version 9.0 general availability, this functionality is available on all queue managers, whether new or migrated from an earlier release.


Overview of LDAP authorization

With LDAP authorization, commands that handle authorization configuration, such as setmqaut and DISPLAY AUTHREC, can process Distinguished Names. Previously, users were authenticated by comparing their credentials with the maximum available characters that exist for users and groups on the local operating system.

Attention: If we have run the DEFINE AUTHINFO command, we must restart the queue manager. If we do not restart the queue manager, the setmqaut command does not return the correct result.

If a user provides a user ID, rather than a Distinguished Name, the user ID is processed. For example, when there is an incoming message on a channel with PUTAUT(CTX), the characters in the user ID are mapped to an LDAP Distinguished Name, and the appropriate authorization checks are made.

Other commands such as DISPLAY CONN, continue to work with and show the actual value for the user ID, even though that user ID might not actually exist on the local OS.

When LDAP authorization is in place, the queue manager always uses the user model of security on UNIX platforms, regardless of the SecurityPolicy attribute in the qm.ini file. So, setting permissions for an individual user affects only that user, and not anyone else who belongs to any of that user's groups.

As with the OS model, a user still has the combined authority that has been assigned to both the individual and to all of the groups (if any) to which the user belongs.

For example, assume that the following records have been defined in an LDAP repository.

  • In the inetOrgPerson class:
    dn="cn=JohnDoe, ou=users, o=yourcompany, c=yourcountry"
            email=JohnDoe1@yourcompany.com [longer than 12 characters]
            shortu=jodoe
            Phone=1234567
    
  • In the groupOfNames class:
    dn="cn=Application Group A, ou=groups, o=yourcompany, c=yourcountry"
            longname=ApplicationGroupA [longer than 12 characters]
            members="cn=JaneDoe, ou=users, o=yourcompany, c=yourcountry",
                    "cn=JohnDoe, ou=users, o=yourcompany, c=yourcountry"
    

For authentication purposes, a queue manager using this LDAP server must have been defined so that its CONNAUTH value points at an AUTHINFO object of type IDPWLDAP, and whose relevant name-resolution attributes are probably set as follows:

USRFIELD(email) SHORTUSR(shortu) 
BASEDNU(ou=users,o=yourcompany,c=yourcountry) CLASSUSR(inetOrgPerson)
Given this configuration for authentication, an application can complete the CSPUserID field, used within the MQCNO call, with either of the following sets of values:
" cn=JohnDoe ", " JohnDoe1@yourcompany.com ", " email=JohnDoe1@yourcompany.com "
or
" cn=JohnDoe, ou=users, o=ibm, c=uk ", " shortu=jodoe "
In either case, the system can use the supplied values to authenticate the OS context of " jodoe".

Parent topic: Securing IBM MQ