Set authorizations
How we use the short name or USRFIELD to set authorizations.
The approach of working with multiple formats, described in LDAP authorization, continues into the authorization commands, with a further extension that either the shortname or the USRFIELD can be used in an unadorned fashion.
The character string specifies a particular attribute in the LDAP record when naming users (principals) for authorization.Important: The character string must not contain the = character, because this character cannot be used in an operating system user ID.If you pass a principal name to the OAM for authorization that is potentially a shortname, the character string must fit into 12 characters. The mapping algorithm first tries to resolve it to a DN using the SHORTUSR attribute in its LDAP query.
If that fails with an UNKNOWN_ENTITY error, or if the given string cannot possibly be a shortname, a further attempt is made using the USRFIELD attribute to construct the LDAP query.
Attention: If we have run the DEFINE AUTHINFO command, we must restart the queue manager. If we do not restart the queue manager, the setmqaut command does not return the correct result.For processing user authorizations, the following setmqaut command settings are all equivalent.
We can use the SET AUTHREC MQSC command as an alternative to the setmqaut command:
Command Note setmqaut -m QM -t qmgr -p jodoe +connect This is a flat, unqualified name, resolved through SHORTUSR. setmqaut -m QM -t qmgr -pJohnDoe1@yourcompany.com +connect Also a flat, unqualified name, resolving via USRFIELD to the same entity. setmqaut -m QM -t qmgr -p email=JohnDoe1@yourcompany.com +connect Use a named attribute. setmqaut -m QM -t qmgr -p "phone=1234567" +connect Use another named attribute which does not have to be any of those configured on the AUTHINFO object. SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('JohnDoe1@yourcompany.com') AUTHADD(connect)or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_PRINCIPAL_ENTITY_NAMES element containing the string:"cn=JohnDoe,ou=users,o=yourcompany,c=yourcountry"When processing groups, there is no ambiguity about shortname processing, as there is no requirement to fit any form of a group name into 12-characters. Therefore, there is no equivalent of the SHORTUSR attribute for groups.
That means that the syntax examples described in Table 2 are valid, assuming that we have configured the AUTHINFO object with the extended attributes, and set to:GRPFIELD(longname) BASEDNG(ou=groups,o=yourcompany,c=yourcountry ) CLASSGRP(groupOfNames)We can use the SET AUTHREC MQSC command as an alternative to the preceding setmqaut command:
Command Note setmqaut -m QM -t qmgr -g ApplicationGroupA +connect Use GRPFIELD to resolve setmqaut -m QM -t qmgr -g longname=ApplicationGroupA +connect Naming a single attribute setmqaut -m QM -t qmgr -g "cn=Application Group A,ou=groups,o=yourcompany,c=yourcountry" +connect Use the full DN SET AUTHREC OBJTYPE(QMGR) GROUP('ApplicationGroupA') AUTHADD(connect)or the Set Authority Record (MQCMD_SET_AUTH_REC) PCF command with the MQCACF_GROUP_ENTITY_NAMES element containing the string:"ApplicationGroupA"Important:Whichever format we use to refer to a name, whether for user or group, it must be possible to derive a unique DN.
So, for example, we must not have two distinct records that both have "shortu=jodoe".
If a single unique DN cannot be determined, the OAM returns MQRC_UNKNOWN_ENTITY.
Parent topic: LDAP authorization