MQ

  • 1.  REST Auth vs Qmgr Auth service

    IBM Champion
    Posted Fri January 29, 2021 04:44 PM
    We have been running QMgrs on Linux using the local Unix Auth service. This way, clients do not need to log in to the host, and only connect in client mode. Now we want to enable REST; there are a couple of ways the REST auth can be configured on the mq webserver: using LDAP, Basic, Local OS.

    If we enable using AD(ldap), the webserver passes the ID as a fully qualified CN to the queue manager, and the queue manager which is trying to lookup local groups on the box fails to find any groups of the CN causing authorization failure.

    One option is to convert the qmgr from Unix Service lookup to LDAP Connauth, meaning dropping 1000+ auth and adding it back as the groups will be CN=... 

    If we enable Local OS login, that means granting 100's of users access to the box. We do not want to do it like this.

    Question is, what param in the webserver/qmgr do we need to specify so that the ID is passed correctly to the queue manager?

    Example:

    User attempts login to REST endpoint, the webserver makes AD call and returns CN=myid,OU=internal...
    This CN is passed to the queue manager, which is marked to authenticate to local Unix Groups.
    At this time Qmgr fails to look up the ID, which is CN=..., and finds no match to any group.
    Qmgr throws permission error.

    Any suggestion how we can use both the service of AD and local Unix groups?


    ------------------------------
    om prakash
    ------------------------------


  • 2.  RE: REST Auth vs Qmgr Auth service

    IBM Champion
    Posted Wed February 24, 2021 01:28 PM
    After opening a case with support, learnt it is not possible.
    So we switched to LDAP for the queue manager.
    Had to drop all AUTHs on every object and resubmit after the qmgr was marked to verify from AD.

    ------------------------------
    om prakash
    WI
    ------------------------------
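
Added example, not part of the original posts and not IBM tooling: a sketch of the re-submission step described above, rewriting `SET AUTHREC` statements that name local Unix groups so they name LDAP group DNs instead. The group-to-DN mapping, the sample statements and the one-statement-per-line input format are constructed assumptions; unmapped groups and `PRINCIPAL` records are held back for manual review rather than guessed, so no authority is granted to the wrong entity.

```python
import re

# Constructed mapping from local Unix group names to LDAP group DNs (assumption).
GROUP_DN = {
    "appteam": "CN=appteam,OU=groups,DC=example,DC=com",
    "mqops": "CN=mqops,OU=groups,DC=example,DC=com",
}

# Constructed sample input: one SET AUTHREC statement per line.
SAMPLE = """\
SET AUTHREC PROFILE('APP.REQUEST') GROUP('appteam') OBJTYPE(QUEUE) AUTHADD(GET,PUT,INQ)
SET AUTHREC PROFILE('APP.EVENTS') GROUP('mqops') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
SET AUTHREC PROFILE('APP.REPLY') GROUP('legacy') OBJTYPE(QUEUE) AUTHADD(PUT)
SET AUTHREC PROFILE('APP.ADMIN') PRINCIPAL('svcacct') OBJTYPE(QUEUE) AUTHADD(ALL)
"""

# Matches the entity the authority is granted to: GROUP('x') or PRINCIPAL('x').
ENTITY = re.compile(r"\b(GROUP|PRINCIPAL)\('([^']*)'\)")


def convert_authrecs(mqsc_text, group_dn):
    """Return (converted, needs_review) lists of SET AUTHREC statements.

    converted    - statements whose GROUP was rewritten to its mapped DN
    needs_review - statements left untouched: no entity found, a PRINCIPAL
                   record, or a group with no DN in the mapping
    """
    converted, needs_review = [], []
    for raw in mqsc_text.splitlines():
        line = raw.strip()
        if not line.upper().startswith("SET AUTHREC"):
            continue  # ignore anything that is not an authority record
        match = ENTITY.search(line)
        if match is None or match.group(1) == "PRINCIPAL":
            needs_review.append(line)
            continue
        dn = group_dn.get(match.group(2))
        if dn is None:
            needs_review.append(line)  # never guess a DN for an unknown group
            continue
        converted.append(line[:match.start()] + f"GROUP('{dn}')" + line[match.end():])
    return converted, needs_review


if __name__ == "__main__":
    done, review = convert_authrecs(SAMPLE, GROUP_DN)
    print("\n".join(done))
    print("\n".join("* REVIEW: " + r for r in review))
```
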



  • 3.  RE: REST Auth vs Qmgr Auth service

    Posted Thu February 25, 2021 10:30 AM
    Would you mind sharing the response of the support case with us?

    ------------------------------
    Matthias Jungbauer
    ------------------------------