We have been running QMgrs on Linux using the local Unix Auth service. This way, clients do not need to log in to the host, and only connect in client mode. Now we want to enable REST; there are a couple of ways the REST auth can be configured on the mq webserver using LDAP, Basic Local OS.
If we enable using AD (LDAP), the webserver passes the ID as a fully qualified CN to the queue manager, and the queue manager, which is trying to look up local groups on the box, fails to find any groups for the CN, causing authorization failure.
One option is to convert the qmgr from Unix Service lookup to LDAP Connauth, meaning dropping 1000+ auth and adding it back as the groups will be CN=...
If we enable Local OS login, that means granting 100s of users access to the box. We do not want to do it like this.
The question is, what param in the webserver/qmgr do we need to specify so that the ID is passed correctly to the queue manager?
Example:
A user attempts login to the REST endpoint; the webserver makes an AD call and returns CN=myid,OU=internal...
This CN is passed to the queue manager, which is marked to authenticate to local Unix Groups.
At this time the Qmgr fails to look up the ID, which is CN=..., and finds no match to any group.
The Qmgr throws a permission error.
Any suggestion how we can use both the service of AD and local Unix groups?
------------------------------
om prakash
------------------------------