Original Message:
Sent: Thu July 18, 2024 08:09 PM
From: Morag Hughson
Subject: IBM MQ REST API call not working with LDAP user over 12 char
Hi Amit,
If your queue manager is using LDAP authorization, and you expect to pass through the user ID you supply on the REST call, doesn't it have to be in the form:
uid=mquser3mquser3,ou=People,dc=local,dc=io
and not just
mquser3mquser3
as you show on your curl command?
Could you please show us the error message in the queue manager's AMQERR01.LOG so that we can see, from the queue manager's perspective, what user ID made it to the authorisation check.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu July 18, 2024 07:18 PM
From: Amit Aggarwal
Subject: IBM MQ REST API call not working with LDAP user over 12 char
My users from LDAP (short ID or long ID, over 12 characters) are able to send messages when connecting to the QM.
The issue is only when using long (over 12 character) IDs to send messages using the REST API.
If I send a REST API request with the same user who can send messages to the QM, I get this:
curl -k https://9.30.189.149:9443/ibmmq/rest/v2/messaging/qmgr/QLESBD03/queue/QA1/message -X POST -u mquser3mquser3:mquser3 -H "ibm-mq-rest-csrf-token: value" -H "Content-Type: text/plain;charset=utf-8" --data "Hello World mquser3mquser3"
{"error": [{
"msgId": "MQWB0103E",
"action": "Obtain the necessary authorization to perform the operation and resubmit the request.",
"completionCode": 2,
"reasonCode": 2035,
"type": "rest",
"message": "MQWB0103E: Not authorized.",
"explanation": "The authenticated principal is not authorized to perform the requested REST API operation."
}]}
Here is how the QM AUTHINFO is set. As it has the concept of SHORTUSR, even when the user ID is over 12 characters the QM uses the short username, which is working as expected.
dis AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
     3 : dis AUTHINFO(USE.LDAP) AUTHTYPE(IDPWLDAP)
AMQ8566I: Display authentication information details.
   AUTHINFO(USE.LDAP)                      AUTHTYPE(IDPWLDAP)
   ADOPTCTX(YES)                           DESCR( )
   CONNAME(ldap-service.ibm-ldap.svc(389))
   CHCKCLNT(REQUIRED)                      CHCKLOCL(OPTIONAL)
   CLASSGRP(groupOfNames)                  CLASSUSR(inetOrgPerson)
   FAILDLAY(1)                             FINDGRP(member)
   BASEDNG(ou=Groups,dc=local,dc=io)       BASEDNU(ou=People,dc=local,dc=io)
   LDAPUSER(cn=admin,dc=local,dc=io)       LDAPPWD(********************************)
   SHORTUSR(sn)                            GRPFIELD(cn)
   USRFIELD(cn)                            AUTHORMD(SEARCHGRP)
   NESTGRP(YES)                            SECCOMM(NO)
   ALTDATE(2024-07-18)                     ALTTIME(16.30.52)
Here is how the users look in LDAP. user3 can send a message using the REST API, but mquser3mquser3 cannot, as it is over 12 characters.
dn: uid=user3,ou=People,dc=local,dc=io
changetype: add
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: user3
displayname: user3
sn: user3
cn: user3
userpassword: user3

dn: uid=mquser3mquser3,ou=People,dc=local,dc=io
changetype: add
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: mquser3mquser3
displayname: mquser3mquser3
sn: mquser30
cn: mquser3mquser3
userpassword: mquser3
Here is my mqwebuser.xml:
<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>basicAuthenticationMQ-1.0</feature>
  </featureManager>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="cn=mqm,ou=Groups,dc=local,dc=io" />
      </security-role>
      <security-role name="MQWebUser">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <enterpriseApplication id="com.ibm.mq.rest">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="cn=mqm,ou=Groups,dc=local,dc=io" />
      </security-role>
      <security-role name="MQWebUser">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <!-- LDAP registry configuration -->
  <ldapRegistry id='ldap' host='ldap-service.ibm-ldap.svc' port='389' ignoreCase='true'
                baseDN='dc=local,dc=io' certificateMapMode='NOT_SUPPORTED'
                idsFilters='ibm_dir_server' ldapType='Custom'
                bindDN='cn=admin,dc=local,dc=io' bindPassword='admin'>
  </ldapRegistry>
  <!-- the '&' in the filters must be written as '&amp;' for the XML to be well-formed -->
  <idsLdapFilterProperties id="ibm_dir_server"
                           userFilter="(&amp;(sn=%v)(objectclass=inetOrgPerson))"
                           groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
                           userIdMap="*:sn" groupIdMap="*:cn"
                           groupMemberIdMap="groupOfNames:member">
  </idsLdapFilterProperties>
  <variable name="httpHost" value="*"/>
  <variable name="mqConsoleRemoteSupportEnabled" value="false"/>
  <variable name="mqConsoleEnableUnsafeInline" value="true"/>
  <variable name="mqRestMessagingEnabled" value="true"/>
</server>
------------------------------
Amit Aggarwal
Markham
9054132763
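As an added example (not from this thread, and not IBM's or Liberty's code), a small simulation of what the two userFilter/userIdMap settings posted in this thread would do with the login names above: which LDIF entry a login matches, which attribute value then becomes the principal, and whether that value fits the 12-character MQ user ID limit the subject refers to. The entries are constructed from the LDIF in the post (passwords omitted); the filter evaluator handles only the &, | and attr=value forms used here, and the assumption that userIdMap="*:attr" presents that attribute's value as the principal is a simplification, not verified registry behaviour.

```python
"""Added example: simulate Liberty-style userFilter matching and userIdMap
principal mapping against the LDAP entries posted in this thread.
Assumption: userIdMap="*:attr" presents the value of attr as the principal."""

MQ_USER_ID_LENGTH = 12  # maximum length of an MQ user ID on distributed platforms

# Constructed from the LDIF in the post above (userpassword omitted).
OBJ = ["inetOrgPerson", "organizationalPerson", "person", "top"]
ENTRIES = [
    {"uid": "user3", "cn": "user3", "sn": "user3", "objectclass": OBJ},
    {"uid": "mquser3mquser3", "cn": "mquser3mquser3", "sn": "mquser30", "objectclass": OBJ},
]

def _escape(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in '*()\\\x00' else c for c in value)

def _parse(s, i):
    """Recursive-descent parse of a tiny filter subset; returns (node, next index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # step over the closing ')'
    j = s.index(")", i)                    # simple (attr=value) term
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.lower(), val), j + 1

def _match(node, entry):
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(v.lower() == val.lower() for v in values)   # ignoreCase='true'

def resolve_principal(login, user_filter, user_id_map, entries=ENTRIES):
    """Return (principal, fits_mq_limit); (None, False) if no single entry matches."""
    tree, _ = _parse(user_filter.replace("%v", _escape(login)), 0)
    attr = user_id_map.split(":", 1)[1].lower()            # "*:sn" -> "sn"
    hits = [e for e in entries if _match(tree, e)]
    if len(hits) != 1:                                      # none or ambiguous: login fails
        return None, False
    principal = hits[0][attr]
    return principal, len(principal) <= MQ_USER_ID_LENGTH
```

Running the filter from the first post with userIdMap="*:uid" shows the 14-character uid being presented, while "*:sn" yields the short sn value; with the (sn=%v) filter from the second post, a login of mquser3mquser3 matches no entry at all because that user's sn is mquser30.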
Original Message:
Sent: Sat July 13, 2024 11:53 PM
From: Morag Hughson
Subject: IBM MQ REST API call not working with LDAP user over 12 char
It is not apparent from your problem description whether your queue manager is running using O/S user id based authorization or whether it is using LDAP user id based authorization. Your question seems to focus on the mapping from a long LDAP user to the short name that might be needed if you were using O/S user id based authorization.
You also say "it does not work" but it is unclear whether you are simply referring to the 2035 reason code or whether you mean the mapping of user ID is not working.
Could you please provide the following additional information to help us fully understand your situation.
- What type of authorization your queue manager is using, e.g. your QMGR CONNAUTH object and its full definition.
- The authorization failure message from the queue manager AMQERR01.LOG. This will include in it the user ID that was used to check authorization and will show us whether the mapping is taking place correctly.
- The authorization rules that are in place on the queue manager for Q1 and the above reported user ID and the group it is in.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu July 11, 2024 02:57 PM
From: Amit Aggarwal
Subject: IBM MQ REST API call not working with LDAP user over 12 char
I want to use the REST API with an LDAP user (MQWEBUSER role) whose UID is over 12 characters. I have a field which is short, less than 12 characters, which is (SN). But it gives the below error.
I can use the same user from a JMS application connecting to the qmgr and send a message to the queue; that works.
curl -k https://9.30.189.149:9443/ibmmq/rest/v2/messaging/qmgr/QLESBD03/queue/Q1/message -X POST -u mquser2mquser2:<password> -H "ibm-mq-rest-csrf-token: value" -H "Content-Type: text/plain;charset=utf-8" --data "Hello World 1"
{"error": [{
"msgId": "MQWB0103E",
"action": "Obtain the necessary authorization to perform the operation and resubmit the request.",
"completionCode": 2,
"reasonCode": 2035,
"type": "rest",
"message": "MQWB0103E: Not authorized.",
"explanation": "The authenticated principal is not authorized to perform the requested REST API operation."
}]}
This is the LDAP setting in the mqwebuser.xml file.
<!-- LDAP registry configuration -->
<ldapRegistry id='ldap' host='ldap-service.ibm-ldap.svc' port='389' ignoreCase='false'
              baseDN='dc=local,dc=io' certificateMapMode='NOT_SUPPORTED'
              idsFilters='ibm_dir_server' ldapType='Custom'
              bindDN='cn=admin,dc=local,dc=io' bindPassword='admin'>
</ldapRegistry>
<!-- the '&' in the filters must be written as '&amp;' for the XML to be well-formed -->
<idsLdapFilterProperties id="ibm_dir_server"
                         userFilter="(&amp;(|(uid=%v)(cn=%v))(objectclass=inetOrgPerson))"
                         groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"
                         userIdMap="*:sn" groupIdMap="*:cn"
                         groupMemberIdMap="memberOf:member">
</idsLdapFilterProperties>
Looking for suggestions on how to make this work; I am wondering if I need to change anything in the LDAP filter above. I tried userIdMap="*:sn" and userIdMap="*:uid", but it does not work.
------------------------------
Amit Aggarwal
Markham
9054132763
------------------------------