LDAP administration
An overview of how each platform administers LDAP.
When using LDAP authorization, membership of the mqm group (or equivalent) in the operating system is not that important. Being a member of that group only controls whether certain command-line commands can be processed.
In particular, we must be in that group to issue the strmqm and endmqm commands.
Once the queue manager is running, there are now limits on the fully-privileged account. Apart from the user ID of the person who issues the strmqm command, other users belonging to the OS mqm (or equivalent) group do not get special privileges.
Authorizations of other users are based on which LDAP groups they belong to. An unqualified use of the mqm group name in commands such as setmqaut is not allowed to map to any LDAP group.
UNIX platforms
Once the queue manager is running, the only automatically fully-privileged account is the real user who started the queue manager.
The mqm ID still exists and is used as the owner of OS resources, such as files, because mqm is the effective ID under which the queue manager is running. However, the mqm user will not automatically be able to do administrative tasks controlled by the OAM.
IBM i
On IBM i, the automatically-privileged accounts are the one that starts the queue manager and the QMQM ID.
You need both IDs, because the user ID that starts the queue manager is required only to start the system. Once running, the queue manager processes have QMQM authority only.
Windows platforms
On Windows, the automatically fully-privileged accounts are the OS user that started the queue manager, and also the user running the core queue manager processes, such as MUSR_MQADMIN if the queue manager was started as a Windows service.
When running in LDAP authorization mode, Windows behaves very similarly to the UNIX platforms. It deals with 12 character short names, and full DNs.
Sample script
As it is useful to have a group able to do full administration on a queue manager, a sample script is shipped on UNIX platforms as:MQ_INSTALLATION_PATH/samp/bin/amqauthg.shThis sample takes two parameters:
- A queue manager name
- An LDAP group name
The sample processes setmqaut commands, granting full authority for all objects. This is the same script that is generated by the IBM MQ Explorer OAM Wizard for administrative roles. For example, the code starts:
setmqaut -t q -m qmgr -n "**" +alladm +allmqi -g groupnameParent topic: LDAP authorization