App Connect


Enabling an integration node to use LDAP for authentication

  • 1.  Enabling an integration node to use LDAP for authentication

    Posted Tue June 14, 2022 03:55 PM
    Edited by Stephanie Wilkerson Wed June 15, 2022 12:46 PM
    Hello,
    I am trying to enable LDAP authentication on an integration node in ACE 12.0.4.0.

    I am using ACE 12.0.4.0 on Windows.

    I followed these instructions for the authorization:

    https://www.ibm.com/docs/en/app-connect/12.0?topic=administration-enabling-ldap-authentication

    https://community.ibm.com/community/user/integration/viewdocument/security-hardening-of-ibm-app-conne?CommunityKey=77544459-9fda-40da-ae0b-fc8c76f0ce18&tab=librarydocuments


    My ID is part of the LDAP group "CVC_APP_IBMACE_MGR_DEV", and this LDAP group is part of the local group aceusers.

    Even after configuring the authorization, I am not able to authenticate myself/myid to the web user interface of the integration node. I don't see anything in Event Viewer.

    I also ran the command on my user ID:

    mqsisetdbparms DINODE01 -n ldap::adminAuthentication -u myid

    Here is what I have in my yml file:


    RestAdminListener:
      authorizationEnabled: true
      authorizationMode: 'ldap'
      basicAuth: true
      caPath: 'C:\ProgramData\IBM\MQSI\SSL\cacerts'
      host: 'lzbita16'
      ldapAuthorizeUrl: 'ldap://CN=lzbita16,OU=Domain Controllers,DC=ad,DC=civic,DC=com?samAccountName'
      ldapBindDn: 'ldap::adminAuthentication'
      ldapBindPassword: 'ldap::adminAuthentication'
      ldapUrl: 'ldap://CN=lzbita16,OU=Domain Controllers,DC=ad,DC=civic,DC=com?samAccountName'
      minimumTlsVersion: 'TLSv1.2'
      port: 5414
      sslCertificate: 'C:\ProgramData\IBM\MQSI\SSL\DINODE01.p12'
      sslPassword: 'adminRestApi::sslpwd'
      webUserPasswordHashAlgorithm: 'PBKDF2-SHA-512'
    Security:
      LdapAuthorizeAttributeToRoleMap:
        'CN=CVC_APP_IBMACE_ADM_DEV,OU=CVCUserGroups,OU=CVC Groups,OU=CVC,OU=Departments,DC=ad,DC=civic,DC=com': 'aceadmins'
        'CN=CVC_APP_IBMACE_MGR_DEV,OU=CVCUserGroups,OU=CVC Groups,OU=CVC,OU=Departments,DC=ad,DC=civic,DC=com': 'aceusers'
      Node:
        DataPermissions:
          aceadmin: 'read+:write+:execute+'
        Permissions:
          aceadmins: 'read+:write+:execute+'
          aceusers: 'read+:write+:execute+'
      Server:
        IS01:
          Permissions:
            aceadmins: 'read+:write+:execute+'
            aceusers: 'read+:write+:execute+'
        IS02:
          Permissions:
            aceadmins: 'read+:write+:execute+'

  • 2.  RE: Enabling an integration node to use LDAP for authentication

    Posted Thu June 30, 2022 07:47 PM
    Hi Praveen,

    Are you seeing any errors? Your node.config.yaml file looks good, along with the mqsisetdbparms command. Have you tried using the pattern search below?

    ldapAuthorizeUrl: 'ldap://CN=lzbita16,OU=Domain Controllers,DC=ad,DC=civic,DC=com?cn?sub?(member={{dn}})'
    ldapUrl: 'ldap://CN=lzbita16,OU=Domain Controllers,DC=ad,DC=civic,DC=com?cn?sub'


    ------------------------------
    Prathyusha Yedupati
    Software Lead
    ------------------------------
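
A pre-deployment check for LDAP URL settings of the kind discussed in this thread, as an added example that is not from either poster or from IBM. It assumes the settings follow the RFC 4516 URL layout; the function names and the sample host, domain and group values are constructed for illustration.

```python
import re

# RFC 4516 layout: scheme://host[:port]/baseDN?attributes?scope?filter
LDAP_URL = re.compile(r"^(ldaps?)://([^/?]*)(?:/([^?]*))?(?:\?(.*))?$", re.I)

def lint_ldap_url(name, url):
    """Return a list of findings for one LDAP URL setting."""
    m = LDAP_URL.match(url)
    if not m:
        return [f"{name}: not an ldap:// or ldaps:// URL"]
    scheme, hostport, base_dn, query = m.groups()
    # Query part is attributes?scope?filter; pad so missing fields are "".
    _attrs, scope, _filter = ((query or "").split("?", 2) + ["", ""])[:3]
    findings = []
    if scheme.lower() == "ldap":
        findings.append(f"{name}: ldap:// has no transport encryption by itself, "
                        "so bind passwords can be read on the wire; prefer ldaps://")
    if not hostport:
        findings.append(f"{name}: no host given")
    elif re.search(r"[=,\s]", hostport):
        findings.append(f"{name}: host part {hostport!r} looks like a DN; "
                        "expected host[:port] followed by /baseDN")
    if not base_dn:
        findings.append(f"{name}: no base DN after the host")
    if scope and scope.lower() not in ("base", "one", "sub"):
        findings.append(f"{name}: unknown search scope {scope!r}")
    return findings

def unmapped_roles(role_map, permissions):
    """Roles that hold permissions but that no LDAP group in the map resolves to."""
    return sorted(set(permissions) - set(role_map.values()))

# Constructed sample settings (placeholder host and domain, not from the thread).
SAMPLE_URLS = {
    "ldapUrl": "ldap://CN=dc01,OU=Domain Controllers,DC=example,DC=com?sAMAccountName",
    "ldapAuthorizeUrl": "ldaps://dc01.example.com:636/DC=example,DC=com?cn?sub?(member={{dn}})",
}
SAMPLE_ROLE_MAP = {"CN=ACE_ADM,OU=Groups,DC=example,DC=com": "aceadmins"}
SAMPLE_PERMISSIONS = {"aceadmin": "read+:write+:execute+", "aceadmins": "read+"}

if __name__ == "__main__":
    for key, value in SAMPLE_URLS.items():
        for finding in lint_ldap_url(key, value):
            print(finding)
    print("roles without a mapped group:", unmapped_roles(SAMPLE_ROLE_MAP, SAMPLE_PERMISSIONS))
```
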