View Only
Expand all | Collapse all

IBM MQ image with PAM LDAP enabled?

  • 1.  IBM MQ image with PAM LDAP enabled?

    Posted Fri September 29, 2023 01:16 PM

    We try to configure LDAP authentication using PAM, i.e. CONNAUTH(IDPWOS) AUTHENMD(PAM).
    I know, we can also configure CONNAUTH(IDPWLDAP), but we need the flexibility to use "virtual" users, i.e. users that are only used for AUTHREC rules.
    And this (
    SecurityPolicy=UserExternal in mq.ini) only works with CONNAUTH(IDPWOS), unfortunately.

    We are building our MQ image (advancedserver) from GitHub - ibm-messaging/mq-container: Container images for IBM® MQ.

    This image (based on does not contain the PAM LDAP libraries.

    We therefore tried to install sssd (as described in Chapter 3. Configuring SSSD to use LDAP and require TLS authentication Red Hat Enterprise Linux 8 | Red Hat Customer Portal), but there is no sssd package in the ubi-8 repos.

    How can we use LDAP in PAM with this base image?

    Christoph Kuenzle

  • 2.  RE: IBM MQ image with PAM LDAP enabled?

    Posted Mon October 02, 2023 03:37 AM
    Edited by Mark Taylor Mon October 02, 2023 03:37 AM

    Looks like the sssd components are only available to systems with some level of redhat subscription - I copied /etc/yum..repos.d/redhat.repo from one machine into a UBI container and was then able to `dnf install sssd`.

    See Q30 at

    Otherwise you might need to start from a different base image like centos as the runtime container

    Mark Taylor