MQ

  • 1.  MQ Web Console LDAP Settings

    Posted Tue October 24, 2023 04:17 PM
    Edited by Andres Colodrero Tue October 24, 2023 04:21 PM

    Hi,

    I'm trying to set up the MQ Web Console integration with Active Directory. I managed to connect to LDAP and authenticate the user connecting to the MQ Web Console. Now I have a problem understanding how to query whether this user is authorized to access:

    <enterpriseApplication id="com.ibm.mq.console">
        <application-bnd>
            <security-role name="MQWebAdmin">
                <group name="CN=mq-admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local"
                       realm="defaultRealm"/>
            </security-role>
        </application-bnd>
    </enterpriseApplication>

    And here the LDAP settings:

    <ldapRegistry id="ldap"
        realm="defaultRealm"
        host="domain.ad.local"
        port="389"
        ignoreCase="true"
        bindDN="CN=mqldap,OU=Services,DC=domain,DC=ad,DC=local"
        bindPassword="xxxxxxxxxxxxxxxx"
        baseDN="OU=Services,DC=center1,DC=ad,DC=local"
        ldapType="Microsoft Active Directory"
        searchTimeout="2m"
        sslEnabled="false"
        recursiveSearch="true"
        sslRef="thisSSLConfig">
        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(objectClass=group)(member=%v))"
            userIdMap="user:sAMAccountName"
            groupIdMap="group:cn"
            groupMemberIdMap="memberOf:member">
        </activedFilters>
    </ldapRegistry>

    The login returns a user:

    CN=mq admin user ,OU=Admin Accounts,,OU=Services,DC=center1,DC=ad,DC=local

    The user has an LDAP property "MemberOf" that contains a list of all the AD groups (including CN=mq admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local).
    In the group CN=mq admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local the users are in "member".

    Any suggestions about what I'm doing wrong?



    ------------------------------
    Andres Colodrero
    ------------------------------



  • 2.  RE: MQ Web Console LDAP Settings

    Posted Wed October 25, 2023 10:44 AM

    Hi Andres,

    Do you get any error messages that might help us debug the issue? And, probably a stupid question, but in your XML you define the group as

    CN=mq-admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local

    and according to the description the returned user has a MemberOf definition without a hyphen, as

    CN=mq admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local

    Maybe a typo but just checking....



    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 3.  RE: MQ Web Console LDAP Settings

    Posted Tue October 31, 2023 06:48 AM

    Hi, and thanks for the answer.

    I debugged a bit with "ldapsearch" until I could get the correct groups. It looked like the base search was incorrect.



    ------------------------------
    Andres Colodrero
    ------------------------------
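    The two checks this thread came down to (does the security-role group DN actually sit under the registry's baseDN, which is the scope Liberty searches below, and does the configured group name match what the user's memberOf really holds) can be run offline against a copy of server.xml before reaching for ldapsearch. The script below is an added example, not code from the thread or from IBM MQ/Liberty; the server.xml fragment and the memberOf values embedded in it are constructed from the configuration posted above, and it simplifies Liberty's real group resolution (which goes through groupFilter and groupMemberIdMap) to a comparison of normalized DNs, case-insensitive and whitespace-tolerant as AD treats them.

```python
"""Offline check of a Liberty server.xml LDAP authorization setup for the MQ Web Console.

Added example (not from the thread). It verifies that each <security-role>/<group> DN
lies under the ldapRegistry baseDN, and that it matches one of the user's memberOf values.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the thread's posted configuration.
SERVER_XML = """<server>
  <ldapRegistry id="ldap" realm="defaultRealm" host="domain.ad.local" port="389"
      ignoreCase="true" ldapType="Microsoft Active Directory"
      baseDN="OU=Services,DC=center1,DC=ad,DC=local"/>
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="CN=mq-admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local"
               realm="defaultRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
</server>"""

# Constructed memberOf values, as `ldapsearch ... memberOf` on the user would return them.
USER_MEMBER_OF = [
    "CN=mq admins,OU=Security,OU=Users and Computers,DC=domain,DC=ad,DC=local",
    "CN=Domain Users,CN=Users,DC=domain,DC=ad,DC=local",
]


def split_dn(dn):
    """Split a DN on unescaped commas; drops empty components such as a stray ',,'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep '\,' and other escapes intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def normalize_rdn(rdn):
    """Lower-case attribute and value and collapse whitespace (AD DNs are case-insensitive)."""
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    return f"{attr.strip().lower()}={' '.join(value.split()).lower()}"


def normalize_dn(dn):
    """Return the DN as a list of normalized RDN strings, leaf first."""
    return [normalize_rdn(r) for r in split_dn(dn)]


def is_under(dn, base):
    """True if dn lies at or below base: base's RDNs must be a suffix of dn's RDNs."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def check_role_groups(server_xml, member_of):
    """For every <security-role>/<group>, report baseDN scope and actual membership."""
    root = ET.fromstring(server_xml)
    base_dn = root.find("ldapRegistry").get("baseDN")
    user_groups = {tuple(normalize_dn(g)) for g in member_of}
    findings = []
    for role in root.iter("security-role"):
        for group in role.findall("group"):
            name = group.get("name")
            findings.append({
                "role": role.get("name"),
                "group": name,
                "in_base_scope": is_under(name, base_dn),
                "user_is_member": tuple(normalize_dn(name)) in user_groups,
            })
    return findings


if __name__ == "__main__":
    for f in check_role_groups(SERVER_XML, USER_MEMBER_OF):
        status = "OK" if f["in_base_scope"] and f["user_is_member"] else "PROBLEM"
        print(f"{status}: role={f['role']} group={f['group']!r} "
              f"in_base_scope={f['in_base_scope']} user_is_member={f['user_is_member']}")
```

    Run against the posted configuration it flags the MQWebAdmin group on both counts: the group lives under DC=domain,DC=ad,DC=local while the baseDN points at OU=Services,DC=center1,DC=ad,DC=local, so no group search rooted there can return it, and "mq-admins" does not match the "mq admins" the user's memberOf carries. One caveat that the thread does not touch: with sslEnabled="false" on port 389 the bindDN password is sent in clear text on every bind, so once the lookup works, moving to LDAPS (sslEnabled="true" with the sslRef already declared) is the next change worth making.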



  • 4.  RE: MQ Web Console LDAP Settings

    Posted Thu November 02, 2023 02:24 AM

    Hi Andres

    I'm a bit late to the party since your issue is solved. I like to use nettools to build my LDAP queries. I find it a very user-friendly tool. Maybe it can help you in the future :)

    https://nettools.net/download/



    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------