
IBM MQ image with PAM LDAP enabled?

  • 1.  IBM MQ image with PAM LDAP enabled?

    Posted Fri September 29, 2023 01:16 PM

    We are trying to configure LDAP authentication using PAM, i.e. CONNAUTH(IDPWOS) AUTHENMD(PAM).
    I know we can also configure CONNAUTH(IDPWLDAP), but we need the flexibility to use "virtual" users, i.e. users that are only used for AUTHREC rules.
    And this (SecurityPolicy=UserExternal in mq.ini) only works with CONNAUTH(IDPWOS), unfortunately.

    We are building our MQ 9.3.0.5 image (advancedserver) from GitHub - ibm-messaging/mq-container: Container images for IBM® MQ.

    This image (based on registry.access.redhat.com/ubi8/ubi-minimal) does not contain the PAM LDAP libraries.

    We therefore tried to install sssd (as described in Chapter 3. Configuring SSSD to use LDAP and require TLS authentication Red Hat Enterprise Linux 8 | Red Hat Customer Portal), but there is no sssd package in the ubi-8 repos.

    How can we use LDAP in PAM with this base image?



    ------------------------------
    Christoph Kuenzle
    ------------------------------


  • 2.  RE: IBM MQ image with PAM LDAP enabled?

    Posted Mon October 02, 2023 03:37 AM
    Edited by Mark Taylor Mon October 02, 2023 03:37 AM

    Looks like the sssd components are only available to systems with some level of Red Hat subscription - I copied /etc/yum.repos.d/redhat.repo from one machine into a UBI container and was then able to `dnf install sssd`.

    See Q30 at https://developers.redhat.com/articles/ubi-faq

    Otherwise you might need to start from a different base image like CentOS as the runtime container.



    ------------------------------
    Mark Taylor
    Winchester
    ------------------------------