MQ

MQ

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Connecting IBM MQ to LDAP for Authorisation – A Hands‑On Tutorial

By Andrew Tomlinson posted 12 days ago

  

Connecting IBM MQ to LDAP for Authorisation – A Hands-On Tutorial

Why do this?

Integrating IBM MQ with an LDAP directory enables centralised user authentication and streamlined access control for messaging resources. By leveraging LDAP, administrators can manage user identities and group memberships in a single location, reducing complexity and improving security.

This document shows a worked example of the steps required to configure IBM MQ to use an LDAP server for authorisation (MQ supports all LDAP Servers that support the LDAP V2 or V3 specifications), including defining MQ objects such as authentication information, authority records, and permission validation.

A second article will detail securing LDAP.

Set-up

  • IBM MQ 9.x or later
  • A running Queue Manager: QM1
  • Two Queues: Q1, Q2

·        An LDAP Server – in this tutorial, OpenLDAP was used with the following basic groups and users:

ldap structure
ldap structure

mqadmins group
mqadmins group

mqusers group
mqusers group

Step 1: Define the LDAP Connection

Open a command prompt to issue MQSC commands on a queue manager interactively

runmqsc QM1

Define the authentication information object using the  DEFINE AUTHINFO command based on the LDAP config outline in the Set-up section above

DEFINE AUTHINFO('LDAPCONFIG') AUTHTYPE(IDPWLDAP) +

  ADOPTCTX(YES) +

  CONNAME('xxxx.yyyy.ibm.com(389)') +

  SHORTUSR('uid') +

  LDAPUSER('cn=admin,dc=mq,dc=ibm,dc=com') +

  LDAPPWD('<LDAP bind password>') +

  BASEDNU('ou=users,dc=mq,dc=ibm,dc=com') +

  USRFIELD('uid') +

  FINDGRP('member') +

  BASEDNG('ou=groups,dc=mq,dc=ibm,dc=com') +

  GRPFIELD('cn') +

  AUTHORMD(SEARCHGRP) +

  CHCKCLNT(REQUIRED) +

  CHCKLOCL(OPTIONAL) +

  CLASSGRP('groupOfNames') +

  CLASSUSR('inetOrgPerson') +

  SECCOMM (NO) +

  REPLACE

     

Parameter breakdown

AUTHINFO('LDAPCONFIG')
The name of the AUTHINFO object. You’ll reference this later in ALTER QMGR CONNAUTH('LDAPCONFIG').

AUTHTYPE(IDPWLDAP)
Specifies that MQ should authenticate users against an LDAP directory using an ID and a password.

ADOPTCTX(YES)
MQ adopts the authenticated user’s identity for authorisation checks. Without this, MQ might use a default context.

CONNAME('xxxx.yyyy.ibm.com(389)')
Hostname and port of the LDAP server. Use port 636 for LDAPS (secure LDAP).

SHORTUSR('uid')
Defines the short user name attribute used when mapping MQ user IDs to LDAP entries.

LDAPUSER('cn=admin,dc=mq,dc=ibm,dc=com')
The LDAP bind DN (Distinguished Name) for the service account MQ uses to query LDAP.

LDAPPWD('<LDAP bind password>')
Password for the bind DN.

BASEDNU('ou=users,dc=mq,dc=ibm,dc=com')
Base DN where MQ searches for user entries.

USRFIELD('uid')
LDAP attribute that holds the user ID (e.g., uid or sAMAccountName in AD).

FINDGRP('member')
Attribute used to find group membership (e.g., member in OpenLDAP or memberOf in AD).

BASEDNG('ou=groups,dc=mq,dc=ibm,dc=com')
Base DN where MQ searches for group entries.

GRPFIELD('cn')
LDAP attribute that holds the group name.

AUTHORMD(SEARCHGRP)
MQ resolves authorisation by searching LDAP groups. Other options include SEARCHUSR if membership is stored on the user.

CHCKCLNT(REQUIRED)
MQ requires client applications to provide credentials.

CHCKLOCL(OPTIONAL)
Local bindings (e.g., scripts on the MQ server) may skip credentials.

CLASSGRP('groupOfNames')
LDAP object class for groups.

CLASSUSR('inetOrgPerson')
LDAP object class for users.

SECCOMM(NO)
No TLS encryption for LDAP connection. Change to YES for LDAPS (secure LDAP).

REPLACE
Overwrites any existing AUTHINFO object with the same name.

Step 2: Activate it

Set the connection authentication attribute of the qmgr to use the authentication info defined in step 2 and refresh security:

ALTER QMGR CONNAUTH('LDAPCONFIG')

REFRESH SECURITY TYPE(CONNAUTH)

Step 3: Validate LDAP resolution

At this point, it is worth checking that the LDAP configuration is correct. One way to do this is to use the DISPLAY ENTAUTH to display the authorisations an entity has to a specified object. While there are no authorisations set, the principal is evaluated to confirm that a successful LDAP search for the principal has occurred. If a principal is found that exists only in LDAP, we can be satisfied that the LDAP config is correct.  For example, the command

DISPLAY ENTAUTH PRINCIPAL('andrew') OBJTYPE(QUEUE) OBJNAME(Q1)

Displays the following if the principal is found:

A black screen with white text AI-generated content may be incorrect.

And if the principal cannot be located:

If this happens, in the first instance, check the MQ error logs for information on the issue. For example, checking the AMQERR01.LOG in /var/mqm/qmgrs/QM1/errors shows the following error:

In this case, invalid credentials have been supplied in the AUTHINFO object.

Step 4: Grant permissions

Set some authority records using SET AUTHREC

Give the ‘mqusers’ group authority to browse, get, and put to Q1

SET AUTHREC PROFILE(Q1) OBJTYPE(QUEUE) GROUP('cn=mqusers,ou=groups,dc=mq,dc=ibm,dc=com') AUTHADD(BROWSE,GET,PUT)

Give the ‘mqadmins’ group the authority to perform all administrative operations to Q1

SET AUTHREC PROFILE(Q1) OBJTYPE(QUEUE) GROUP('cn=mqadmins,ou=groups,dc=mq,dc=ibm,dc=com') AUTHADD(ALLADM) 

Step 5: Verify permissions

To verify the specific permissions, use the DISPLAY ENTAUTH command again for each user:

DISPLAY ENTAUTH PRINCIPAL('andrew') OBJTYPE(QUEUE) OBJNAME(Q1)

A black background with white text AI-generated content may be incorrect.

DISPLAY ENTAUTH PRINCIPAL('bob') OBJTYPE(QUEUE) OBJNAME(Q1)

A black screen with white text AI-generated content may be incorrect.

DISPLAY ENTAUTH PRINCIPAL('charlie') OBJTYPE(QUEUE) OBJNAME(Q1)

A black background with white text AI-generated content may be incorrect.

DISPLAY ENTAUTH PRINCIPAL('dave') OBJTYPE(QUEUE) OBJNAME(Q1)

A black screen with white text AI-generated content may be incorrect.

Given the group membership defined in the setup:

·       Andrew, as a member of mqadmins has admin operations authority

·       Bob, as a member of mqusers has browse, get, and put authority

·       Charlie is a member of both groups, so has the combined authority of browse, get, put and admin operations

·       Dave, who is a member of neither, has no authority to perform any actions

A full list of authorisations is found on the SET AUTHREC reference page.

Step 6: Explain "why"

The authority record details that are applied to a user based on their group membership can be displayed using DISPLAY AUTHREC.

DISPLAY AUTHREC PROFILE(Q1) PRINCIPAL('andrew') MATCH(MEMBERSHIP) OBJTYPE(QUEUE)

A black screen with white text AI-generated content may be incorrect.

DISPLAY AUTHREC PROFILE(Q1) PRINCIPAL('bob') MATCH(MEMBERSHIP) OBJTYPE(QUEUE)

A black screen with white text AI-generated content may be incorrect.

DISPLAY AUTHREC PROFILE(Q1) PRINCIPAL('charlie') MATCH(MEMBERSHIP) OBJTYPE(QUEUE)

A black screen with white text AI-generated content may be incorrect.

DISPLAY AUTHREC PROFILE(Q1) PRINCIPAL('dave') MATCH(MEMBERSHIP) OBJTYPE(QUEUE)

The results above are as expected based on the AUTHRECS set and the group membership defined.

Next Steps

Part 2 will cover LDAPS (TLS), keystore setup, and secure binding.

IBM Docs Links

0 comments
7 views

Permalink

https://community.ibm.com/community/user/blogs/andrew-tomlinson/2025/12/09/connecting-ibm-mq-to-ldap-for-authorisation-a-hand