Inquire Authentication Information Object (Response)

The response of the Inquire authentication information (MQCMD_INQUIRE_AUTH_INFO) command consists of the response header followed by the AuthInfoName structure (and on z/OS only, the QSGDisposition structure), and the requested combination of attribute parameter structures (where applicable).

Always returned:: AuthInfoName, QSGDisposition
Returned if requested:: AdoptContext , AlterationDate , AlterationTime , AuthInfoConnName , BaseDNGroup , BaseDNUser , AuthInfoType , CheckClient , CheckLocal , ClassUser , FailureDelay , LDAPPassword , LDAPUserName , OCSPResponderURL , SecureComms , ShortUser , UserField

Response data

AdoptContext

Whether to use the presented credentials as the context for this application.

AlterationDate (MQCFST)

Alteration date of the authentication information object, in the form yyyy-mm-dd (parameter identifier: MQCA_ALTERATION_DATE).

AlterationTime (MQCFST)

Alteration time of the authentication information object, in the form hh.mm.ss (parameter identifier: MQCA_ALTERATION_TIME).

AuthInfoConnName (MQCFST)

The connection name of the authentication information object (parameter identifier: MQCA_AUTH_INFO_CONN_NAME).

The maximum length of the string is MQ_AUTH_INFO_CONN_NAME_LENGTH. On z/OS, it is MQ_LOCAL_ADDRESS_LENGTH.

This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.

AuthInfoDesc (MQCFST)

The description of the authentication information object (parameter identifier: MQCA_AUTH_INFO_DESC).

The maximum length is MQ_AUTH_INFO_DESC_LENGTH.

AuthInfoName (MQCFST)

Authentication information object name (parameter identifier: MQCA_AUTH_INFO_NAME).

The maximum length of the string is MQ_AUTH_INFO_NAME_LENGTH.

AuthInfoType (MQCFIN)

The type of authentication information object (parameter identifier: MQIA_AUTH_INFO_TYPE). The value can be:

MQAIT_CRL_LDAP: This authentication information object specifies Certificate Revocation Lists that are held on LDAP servers.
MQAIT_OCSP: This authentication information object specifies certificate revocation checking using OCSP.
MQAIT_IDPW_OS: This authentication information object specifies certificate revocation checking using user ID and password checking through the operating system.
MQAIT_IDPW_LDAP: This authentication information object specifies certificate revocation checking using user ID and password checking through an LDAP server.

See Securing for more information.

AuthenticationMethod (MQCFIN)

Authentication methods for user passwords (parameter identifier: MQIA_AUTHENTICATION_METHOD). Possible values are:

MQAUTHENTICATE_OS: Use the traditional UNIX password verification method.
MQAUTHENTICATE_PAM: Use the Pluggable Authentication Method to authenticate the user passwords.
We can set the PAM value only on UNIX and Linux .

This attribute is valid only for an AuthInfoType of MQAIT_IDPW_OS, and is not valid on IBM MQ for z/OS.

AuthorizationMethod (MQCFIN)

Authorization methods for the queue manager (parameter identifier MQIA_LDAP_AUTHORMD). Possible values are:

MQLDAP_AUTHORMD_OS: Use operating system groups to determine permissions associated with a user.
MQLDAP_AUTHORMD_SEARCHGRP: A group entry in the LDAP repository contains an attribute listing the Distinguished Name of all the users belonging to that group.
MQLDAP_AUTHORMD_SEARCHUSER: A user entry in the LDAP repository contains an attribute listing the Distinguished Name of all the groups to which the specified user belongs.
MQLDAP_AUTHORMD_SRCHGRPSN: A group entry in the LDAP repository contains an attribute listing the short user name of all the users belonging to that group.

BaseDNGroup (MQCFST)

In order to be able to find group names, this parameter must be set with the base DN to search for groups in the LDAP server (parameter identifier MQCA_LDAP_BASE_DN_GROUPS).

The maximum length of the string is MQ_LDAP_BASE_DN_LENGTH.

BaseDNUser (MQCFST)

In order to be able to find the short user name attribute (see ShortUser ) this parameter must be set with the base DN to search for users within the LDAP server.

This attribute is valid only for an AuthInfoType of MQAIT_IDPW_LDAP and is mandatory (parameter identifier MQ_LDAP_BASE_DN_USERS).

The maximum length is MQ_LDAP_BASE_DN_LENGTH.

Checklocal or Checkclient (MQCFIN)

These attributes are valid only for an AuthInfoType of MQAIT_IDPW_OS or MQAIT_IDPW_LDAP (parameter identifier MQIA_CHECK_LOCAL_BINDING or MQIA_CHECK_CLIENT_BINDING). The possible values are:

MQCHK_NONE: Switches off checking.
MQCHK_OPTIONAL: Ensures that if a user ID and password are provided by an application, they are a valid pair, but that it is not mandatory to provide them. This option might be useful during migration, for example.
MQCHK_REQUIRED: Requires that all applications provide a valid user ID and password.
MQCHK_REQUIRED_ADMIN: Privileged users must supply a valid user ID and password, but non-privileged users are treated as with the OPTIONAL setting. See also the following note. (This setting is not allowed on z/OS systems.)

ClassGroup (MQCFST)

The LDAP object class used for group records in the LDAP repository (parameter identifier MQCA_LDAP_GROUP_OBJECT_CLASS).

Classuser (MQCFST)

The LDAP object class used for user records in the LDAP repository (parameter identifier MQCA_LDAP_USER_OBJECT_CLASS).

The maximum length is MQ_LDAP_CLASS_LENGTH.

FailureDelay (MQCFIN)

The failure delay (parameter identifier MQIA_AUTHENTICATION_FAIL_DELAY) when an authentication fails due to the user ID or password being incorrect, in seconds, before the failure is returned to the application.

FindGroup (MQCFST)

Name of the attribute used within an LDAP entry to determine group membership (parameter identifier MQCA_LDAP_FIND_GROUP_FIELD).

The maximum length of the string is MQ_LDAP_FIELD_LENGTH.

GroupField (MQCFST)

LDAP attribute that represents a simple name for the group (parameter identifier MQCA_LDAP_GROUP_ATTR_FIELD).

The maximum length of the string is MQ_LDAP_FIELD_LENGTH.

GroupNesting (MQCFIN)

Whether groups are members of other groups (parameter identifier MQIA_LDAP_NESTGRP). The values can be:

MQLDAP_NESTGRP_NO: Only the initially discovered groups are considered for authorization.
MQLDAP_NESTGRP_YES: The group list is searched recursively to enumerate all the groups to which a user belongs.

LDAPPassword (MQCFST)

The LDAP password (parameter identifier: MQCA_LDAP_PASSWORD).

The maximum length is MQ_LDAP_PASSWORD_LENGTH.

This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.

LDAPUserName (MQCFST)

The LDAP user name (parameter identifier: MQCA_LDAP_USER_NAME).

The Distinguished Name of the user who is binding to the directory.

The maximum length is MQ_DISTINGUISHED_NAME_LENGTH. On z/OS, it is MQ_SHORT_DNAME_LENGTH.

This parameter is relevant only when AuthInfoType is set to MQAIT_CRL_LDAP or MQAIT_IDPW_LDAP.

OCSPResponderURL (MQCFST)

The URL of the OCSP responder used to check for certificate revocation.

QSGDisposition (MQCFIN)

QSG disposition (parameter identifier: MQIA_QSG_DISP). Specifies the disposition of the object (that is, where it is defined and how it behaves). This parameter is valid on z/OS only. The value can be any of the following values:

MQQSGD_COPY: The object is defined as MQQSGD_COPY.
MQQSGD_GROUP: The object is defined as MQQSGD_GROUP.
MQQSGD_Q_MGR: The object is defined as MQQSGD_Q_MGR.

SecureComms (MQCFIN)

Whether connectivity to the LDAP server should be done securely using TLS (parameter identifier MQIA_LDAP_SECURE_COMM).

The maximum length is MQ_LDAP_SECURE_COMM_LENGTH.

ShortUser (MQCFST)

A field in the user record to be used as a short user name in IBM MQ (parameter identifier MQCA_LDAP_SHORT_USER_FIELD)..

The maximum length is MQ_LDAP_FIELD_LENGTH.

UserField (MQCFST)

Identifies the field in the LDAP user record that is used to interpret the provided user ID, only if the user ID does not contain a qualifier (parameter identifier MQCA_LDAP_USER_ATTR_FIELD).

The maximum length is MQ_LDAP_FIELD_LENGTH.

Parent topic: Definitions of the Programmable Command Formats