Switching between OS and LDAP authorization models

How you switch between the different authorization methods on different platforms.

The CONNAUTH attribute of the queue manager points at an AUTHINFO object. When the object is of type IDPWLDAP, an LDAP repository is used for authentication.

We can now apply an authorization method to that same object, which allows you either to continue with OS-based authorization or to work with LDAP authorization.


UNIX platforms and IBM i

The queue manager can be switched at any time between OS and LDAP models. We can change the configuration and make that configuration active by using the REFRESH SECURITY TYPE(CONNAUTH) command.

For example, if this object has already been configured with the connection information for authentication:
ALTER AUTHINFO(MYLDAP) AUTHTYPE(IDPWLDAP) +
        AUTHORMD(SEARCHGRP) +
        BASEDNG('ou=groups,o=ibm,c=uk') +
        <other attributes>
ALTER QMGR CONNAUTH(MYLDAP)
REFRESH SECURITY


Windows

If an authority configuration change involves switching between OS and LDAP models, the queue manager must be restarted for the change to take effect. Otherwise, we can make the change active by using the REFRESH SECURITY TYPE(CONNAUTH) command.


Processing rules

When switching from OS to LDAP authorization, any existing OS authority rules that have been set become inactive and invisible.

Commands such as dmpmqaut do not display those OS rules. Similarly, when switching back from LDAP to OS, any defined LDAP authorizations become inactive and invisible, restoring the original OS rules.

If you back up the definitions of a queue manager for any reason by using the dmpmqcfg command, that backup contains only the rules that are defined for the authorization method in effect at the time of the backup.
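Because the rules of the model you are leaving become invisible to dmpmqaut and dmpmqcfg, a practitioner normally snapshots the currently visible authority records before switching, so that both rule sets can be reviewed or restored later. The following POSIX shell script is an added example, not IBM MQ's own tooling: it captures that snapshot with dmpmqcfg, generates the MQSC for a switch in either direction (OS or SEARCHGRP), and reports whether a REFRESH SECURITY TYPE(CONNAUTH) is enough or a restart is needed on Windows. The queue manager name QM1, the AUTHINFO name MYLDAP, the backup directory and the group base DN are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM MQ documentation): switch a queue manager
# between OS and LDAP authorization, snapshotting the active model's rules first.
# QM1, MYLDAP, ./mq-auth-backup and the base DN below are constructed sample values.

# Snapshot the authority records visible under the model currently in effect.
# dmpmqcfg only emits the active model's records, so this must run BEFORE the switch.
snapshot_authrecs() {
    qmgr="$1"; outdir="$2"
    mkdir -p "$outdir"
    stamp=$(date +%Y%m%d%H%M%S)
    dmpmqcfg -m "$qmgr" -x authrec -o mqsc > "$outdir/$qmgr-authrec-$stamp.mqsc"
    echo "$outdir/$qmgr-authrec-$stamp.mqsc"
}

# Generate the MQSC for one switch.
# $1 = AUTHINFO object name, $2 = target model (OS or LDAP), $3 = group base DN (LDAP only).
build_switch_mqsc() {
    authinfo="$1"; model="$2"; basedn="${3:-}"
    case "$model" in
        OS)
            # AUTHORMD(OS) keeps authenticating against LDAP but authorizes with OS rules.
            printf '%s\n' "ALTER AUTHINFO($authinfo) AUTHTYPE(IDPWLDAP) AUTHORMD(OS)"
            ;;
        LDAP)
            # SEARCHGRP needs a base DN for the group search, as in the page's example.
            if [ -z "$basedn" ]; then
                echo "LDAP model requires a group base DN" >&2
                return 1
            fi
            printf '%s\n' "ALTER AUTHINFO($authinfo) AUTHTYPE(IDPWLDAP) +" \
                          "        AUTHORMD(SEARCHGRP) +" \
                          "        BASEDNG('$basedn')"
            ;;
        *)
            echo "unknown model: $model (use OS or LDAP)" >&2
            return 1
            ;;
    esac
    printf '%s\n' "ALTER QMGR CONNAUTH($authinfo)" "REFRESH SECURITY TYPE(CONNAUTH)"
}

# A model switch takes effect after REFRESH SECURITY on UNIX and IBM i,
# but needs a queue manager restart on Windows.
post_switch_action() {
    case "$1" in
        windows|Windows) echo restart ;;
        *)               echo refresh ;;
    esac
}

# Orchestrate: snapshot, apply the MQSC, then tell the operator what remains to do.
switch_authorization() {
    qmgr="$1"; authinfo="$2"; model="$3"; basedn="${4:-}"
    platform="${5:-unix}"; outdir="${6:-./mq-auth-backup}"
    backup=$(snapshot_authrecs "$qmgr" "$outdir") || return 1
    echo "authority records of the current model saved to $backup" >&2
    build_switch_mqsc "$authinfo" "$model" "$basedn" | runmqsc "$qmgr" || return 1
    if [ "$(post_switch_action "$platform")" = restart ]; then
        echo "Windows: restart $qmgr (endmqm, then strmqm) for the model change to take effect" >&2
    else
        echo "REFRESH SECURITY TYPE(CONNAUTH) issued; the new model is active" >&2
    fi
}

# Only touch a real queue manager when explicitly asked and the MQ tools are present.
# Example: ./switch-authz.sh --run QM1 MYLDAP LDAP 'ou=groups,o=ibm,c=uk' unix
if [ "${1:-}" = "--run" ] && command -v runmqsc >/dev/null 2>&1 && command -v dmpmqcfg >/dev/null 2>&1; then
    shift
    switch_authorization "$@"
fi
```

Run it once in each direction and keep both snapshot files: the OS snapshot taken before moving to LDAP, and the LDAP snapshot taken before moving back, together give the complete picture that a single dmpmqcfg run never shows.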
