Hi Jim,
As Morag has said... if your LDAP CN field is the full user name and not restricted to 12 characters then it is not suitable for use as the SHORTUSR field in the MQ IDPWLDAP definition.
I'll have a go at explaining what is going on, and why you will need a field other than the CN to refer to users in MQ.
A directory accessed using LDAP represents its content as a tree. Every leaf in the tree has a unique path to reach it from the root. This is represented as the full Distinguished Name (DN). The CN is generally the first (or last, depending on ordering) value in the DN. DNs can be ordered from least specific to most specific (CN would be last) or most to least (CN would be first).
MQ has an internal limitation in some of the control blocks where there are only 12 characters available to hold the username value. So MQ needs a way to map from some unique 12 (or less) character value to the distinguished name, which is the unique path to the entry in the LDAP.
In the IDPWLDAP entry, MQ refers to this value as the SHORTUSR.
The SHORTUSR has to be the name of a field in the LDAP for each entry which will be used by MQ. The field has to contain a short user value (12 characters or less) which is unique within the search scope of the directory that MQ is using, and ideally would be unique within the entire directory. MQ requires the qualified uniqueness within the search scope. The complete directory uniqueness helps to reduce confusion among LDAP administrators.
The SHORTUSR field becomes a sort of alias which MQ can hold internally, and can then use to search the directory for a matching entry in the LDAP directory.
For example, if my LDAP DN is:
CN=Neil W Casey, OU=Consulting, O=Syntegrity Solutions, C=AU
and I have a SHORTUSR field defined as sAMAccountName (because I am using Active Directory as my LDAP), then I might have my sAMAccountName value of my entry as sAMAccountName=nwcasey
Note: sAMAccountName is limited to 20 characters, but for use with MQ you must ensure that all MQ related values are 12 characters or less, as has already been established.
In the MCAUSER field or other MQ related user fields, the actual user entry will be referenced as nwcasey (the SHORTUSR - sAMAccountName - value).
But in things like OAM records (DISPLAY AUTHREC output) MQ will show the full DN of the record which has sAMAccountName=nwcasey.
If your LDAP directory doesn't already have unique short aliases for your users, you will need to add suitable values to either an existing field within each user entry in the directory, or else extend the LDAP schema to define a new field and add the unique alias values to the new field. The IDPWLDAP authinfo record then has to be updated so that its SHORTUSR attribute refers to the field which has been populated, which tells MQ what LDAP field contains these values.
Regards,
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-20
+61 (0) 414 615 334
------------------------------
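The suitability check Neil describes, as an added example (not code from the thread or from IBM MQ): it tests a candidate attribute against the 12-character and uniqueness rules over a set of constructed sample entries, and shows the alias-to-DN lookup that MQ performs when it turns a short name such as an MCAUSER back into the full DN. The DNs, names and sAMAccountName values are assumptions.

```python
# Added example (not from the thread): check whether an LDAP attribute can serve
# as the MQ IDPWLDAP SHORTUSR field (unique, <= 12 chars within the search scope)
# and resolve a short alias back to its DN. Entries are constructed sample data.
from collections import defaultdict

MQ_SHORTUSR_MAX = 12  # MQ's internal short user name limit, as explained above

SAMPLE_ENTRIES = [
    {"dn": "CN=Neil W Casey,OU=Consulting,O=Syntegrity Solutions,C=AU",
     "cn": "Neil W Casey", "sAMAccountName": "nwcasey"},
    {"dn": "CN=Jim Creasman,OU=Ops,O=Example,C=US",
     "cn": "Jim Creasman", "sAMAccountName": "jcreasman"},
    {"dn": "CN=Jim Creasman,OU=Dev,O=Example,C=US",  # same cn, different DN
     "cn": "Jim Creasman", "sAMAccountName": "jcreasman2"},
    {"dn": "CN=MQ_IDENTITY_CONSENT_PROC,OU=Svc,O=Example,C=US",
     "cn": "MQ_IDENTITY_CONSENT_PROC", "sAMAccountName": "mqconsent"},
]

def check_shortusr(entries, attr, max_len=MQ_SHORTUSR_MAX):
    """Report why `attr` is (un)suitable as SHORTUSR over the entries in scope."""
    seen = defaultdict(list)
    problems = {"missing": [], "too_long": {}, "duplicates": {}}
    for e in entries:
        value = e.get(attr)
        if value is None:
            problems["missing"].append(e["dn"])
            continue
        if len(value) > max_len:
            problems["too_long"][value] = len(value)
        seen[value].append(e["dn"])
    # A value shared by more than one DN cannot be mapped back unambiguously.
    problems["duplicates"] = {v: d for v, d in seen.items() if len(d) > 1}
    return problems

def is_usable(entries, attr, max_len=MQ_SHORTUSR_MAX):
    """True only if every entry has its own value of at most max_len characters."""
    p = check_shortusr(entries, attr, max_len)
    return not (p["missing"] or p["too_long"] or p["duplicates"])

def resolve_dn(entries, attr, short_name):
    """What MQ does internally: map the short alias (e.g. an MCAUSER) back to the DN."""
    matches = [e["dn"] for e in entries if e.get(attr) == short_name]
    if len(matches) != 1:
        raise LookupError(f"{short_name!r} matched {len(matches)} entries via {attr}")
    return matches[0]

if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print(attr, "usable:", is_usable(SAMPLE_ENTRIES, attr), check_shortusr(SAMPLE_ENTRIES, attr))
```

With these entries "cn" fails on both the length rule (the 24-character service account) and the uniqueness rule (two Jim Creasman entries), while "sAMAccountName" passes.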
Original Message:
Sent: Thu October 08, 2020 02:09 PM
From: Jim Creasman
Subject: Limits on LDAP user / group names when used with MQ?
I've been doing some more research as to where the 12 character limit originates. I think maybe I'm not understanding the MQ documentation correctly. On the DEFINE AUTHINFO TYPE(IDPWLDAP) command I specify SHORTUSR('cn') and USRFIELD('cn'). The MQ documentation says this about SHORTUSR:
SHORTUSR(LDAP field name) A field in the user record to be used as a short user name in IBM MQ.
This field must contain values of 12 characters or less. This short user name is used for the following purposes:
If LDAP authentication is enabled, but LDAP authorization is not enabled, this is used as an operating system user ID for authorization checks. In this case, the attribute must represent an operating system user ID.
If LDAP authentication and authorization are both enabled, this is used as the user ID carried with the message in order for the LDAP user name to be rediscovered when the user ID inside the message needs to be used.
For example, on another queue manager, or when writing report messages. In this case, the attribute does not need to represent an operating system user ID, but must be a unique string. An employee serial number is an example of a good attribute for this purpose.
I took the 12-character limitation as applied to the "LDAP field name" but I believe this is applied to the LDAP field value that is pointed to by 'cn'. Is that correct? In our LDAP the 'cn' attribute has the full ID and is not truncated. If someone could explain how this works that would be helpful. This is how I have the AUTHINFO set on my test server:
* LDAP authentication statements:
DEFINE AUTHINFO('PRI.LDAP.AUTHINFO') AUTHTYPE(IDPWLDAP) CHCKCLNT(REQUIRED) CHCKLOCL(REQUIRED) ADOPTCTX(YES) REPLACE +
BASEDNU('dc=INTL') +
BASEDNG('ou=groups,dc=INTL') +
GRPFIELD('cn') +
CLASSUSR('organizationalRole') +
CLASSGRP('groupOfNames') +
CONNAME('prildap(389)') +
LDAPUSER('cn=admin,dc=INTL') +
LDAPPWD('********') +
SHORTUSR('cn') +
USRFIELD('cn') +
AUTHORMD(SEARCHGRP) +
FINDGRP('member') +
SECCOMM(NO)
ALTER QMGR CONNAUTH('PRI.LDAP.AUTHINFO')
REFRESH SECURITY(*) TYPE(CONNAUTH)
------------------------------
Jim Creasman
Original Message:
Sent: Mon October 05, 2020 06:13 PM
From: Jim Creasman
Subject: Limits on LDAP user / group names when used with MQ?
We are using Active Directory to secure a topic on our MQ server with separate AD groups for publish and subscribe. This has been working for some time with the initial AD artifacts we created for our POC. Last week, I requested the "real" IDs and groups we plan to use as we move towards production. The only significant difference was the names used for each ID and group. The new ones were over 12 characters in length (one is 14 and one is 24). I thought the max length for group or ID names is 1024. Is that correct?
There are a series of error messages on the MQ server, but this is the first one I see. Are these documented in detail anywhere?
----- cmqxrsrv.c : 2759 -------------------------------------------------------
10/05/20 19:54:46 - Process(238.15) User(mqm) Program(amqzlaa0)
Host(wl-pri-sms-mq-68bc98b84c-xsrq9) Installation(Installation1)
VRMF(9.1.5.0) QMgr(QC1)
Time(2020-10-05T19:54:46.751Z)
ArithInsert1(24)
CommentInsert1(ldap_get_values)
CommentInsert2(MQ_IDENTITY_CONSENT_PROC)
CommentInsert3(length: MQ_IDENTITY_CONSENT_PROC)
AMQ5531E: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the
ldap_get_values call while trying to find user or group
'MQ_IDENTITY_CONSENT_PROC'. Returned count is 24. Additional context is
'length: MQ_IDENTITY_CONSENT_PROC'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
After finding a reference on the internet to an issue with MQ Explorer when using LDAP names > 12 I decided to try a shorter name and it worked!
We have a fairly recent version of MQ server (9.1.5). The client is the ibmmq NodeJS client (latest version as of July). The version of AD is Microsoft Active Directory 2003 (not certain about maintenance level).
I'd like to understand what truly determines the name length limits and how MQ is using LDAP to validate users so I can document these accurately for future reference within our team.
Thanks,
------------------------------
Jim Creasman
------------------------------
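An added triage helper (not code from the thread or from IBM MQ) that parses queue manager error log entries in the layout shown above and flags AMQ5531E records whose user or group name is longer than the 12 characters MQ can hold; the sample log is constructed from the entry quoted in this post, and the flagging rule is this example's own, not an MQ diagnostic.

```python
# Added example (not from the thread): flag AMQ5531E error-log entries whose
# user/group name exceeds the 12-character short user name MQ can hold.
# SAMPLE_LOG is constructed from the entry quoted in this thread, not a live log.
import re

MQ_SHORTUSR_MAX = 12

SAMPLE_LOG = """\
----- cmqxrsrv.c : 2759 -------------------------------------------------------
10/05/20 19:54:46 - Process(238.15) User(mqm) Program(amqzlaa0)
                    Host(wl-pri-sms-mq-68bc98b84c-xsrq9) Installation(Installation1)
                    VRMF(9.1.5.0) QMgr(QC1)
                    Time(2020-10-05T19:54:46.751Z)
                    ArithInsert1(24)
                    CommentInsert1(ldap_get_values)
                    CommentInsert2(MQ_IDENTITY_CONSENT_PROC)
                    CommentInsert3(length: MQ_IDENTITY_CONSENT_PROC)

AMQ5531E: Error locating user or group in LDAP
"""

INSERT_RE = re.compile(r"((?:Arith|Comment)Insert\d)\((.*)\)\s*$", re.M)  # name(value)
MSGID_RE = re.compile(r"^(AMQ\d{4}[EIW]):", re.M)
QMGR_RE = re.compile(r"QMgr\(([^)]*)\)")

def parse_entries(text):
    """Split an error log on its '----- file : line ----' headers; keep id, qmgr, inserts."""
    entries = []
    for chunk in re.split(r"^----- .*-+\s*$", text, flags=re.M):
        msg = MSGID_RE.search(chunk)
        if not msg:
            continue
        qmgr = QMGR_RE.search(chunk)
        entries.append({"msgid": msg.group(1), "qmgr": qmgr.group(1) if qmgr else None,
                        "inserts": dict(INSERT_RE.findall(chunk))})
    return entries

def flag_long_names(entries, max_len=MQ_SHORTUSR_MAX):
    """(qmgr, name, length) for AMQ5531E entries whose CommentInsert2 name is too long."""
    hits = []
    for e in entries:
        name = e["inserts"].get("CommentInsert2", "")
        if e["msgid"] == "AMQ5531E" and len(name) > max_len:
            hits.append((e["qmgr"], name, len(name)))
    return hits

if __name__ == "__main__":
    for qmgr, name, n in flag_long_names(parse_entries(SAMPLE_LOG)):
        print(f"{qmgr}: {name!r} is {n} chars, over the MQ limit of {MQ_SHORTUSR_MAX}")
```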