MQ

  • 1.  MQMD.UserIdentifier field length

    Posted Tue April 02, 2024 01:23 PM

    Original Post: Limits on LDAP user / group names when used with MQ? | MQ (ibm.com) 

    Now I know that we can limit access by various other methods (Example: IP, Certificate, etc.).  Yet it's not ideal when you want to lock down the specific access an account has on the Queue Manager.
    Yet, I believe it may become more relevant with time.

    Does anybody know if IBM is planning on increasing the MQMD.UserIdentifier field length in future releases of IBM MQ?

    It's currently limited to 12 characters; I've seen many backend service accounts and system administrator accounts with user id lengths exceeding 12 characters.



    ------------------------------
    Riaan Jonker
    ------------------------------


  • 2.  RE: MQMD.UserIdentifier field length

    IBM Champion
    Posted Tue April 02, 2024 05:39 PM

    IBM MQ already allowed you to authenticate and authorise users with longer than 12 characters. When user ids need to be stored in the message the short form of the user id is used so the long equivalent can be retrieved on another system.

    As a result of the above I do not believe the MQMD field will ever be increased. 

    What is it that you find you cannot do that leads you to ask this question?

    Cheers,

    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: MQMD.UserIdentifier field length

    Posted Wed April 03, 2024 06:20 PM

    Hi Morag,

    This is more a question of future proofing.  With more cloud services being adopted, I've found that many "useful" directory attributes often exceed 12 characters or are deliberately left empty for security reasons.

    On top of that I've found that as time goes by, if a directory attribute is agreed to be limited to 12 characters, time and ignorance often lead to this self-imposed limitation being forgotten.

    Regards,



    ------------------------------
    Riaan Jonker
    ------------------------------



  • 4.  RE: MQMD.UserIdentifier field length

    IBM Champion
    Posted Wed April 03, 2024 06:28 PM

    I think that future proofing might have already been done. I'm afraid I didn't understand from your response what it was you thought was missing.

    Cheers,

    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: MQMD.UserIdentifier field length

    Posted Wed April 03, 2024 07:29 PM

    Sorry I was not clear earlier.  Nothing missing.  You've answered the question.  There is currently no roadmap to extend the 12-character limitation.

    From what I understand the "LDAP User Repository - Equivalent short user" needs to be set to an attribute where the value is 12 or less characters.
    I'm only commenting that many Directory administrators often reference this to the "sAMAccountName" attribute which is limited to 20 characters.  If they do reference this to another attribute, the company needs to take care to not use it for another purpose where it may exceed 12 characters.



    ------------------------------
    Riaan Jonker
    ------------------------------



  • 6.  RE: MQMD.UserIdentifier field length

    IBM Champion
    Posted Fri April 05, 2024 12:17 AM

    You are quite correct that the SHORTUSR field in an AUTHINFO definition does indeed need to be set to an attribute where the values used will be 12 or less. If LDAP admins are not doing so, then user ID retrieval across systems may not function as expected. They may be getting away with it because using the authority of the user ID carried in the message is not a common pattern.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
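
A directory-side check for the point made in the last two posts, as an added example that is not part of the thread or of IBM MQ: it reads an LDIF export and lists entries whose candidate SHORTUSR attribute is empty or longer than 12 characters. The LDIF sample, DNs, account names and the choice of `sAMAccountName` are constructed assumptions.

```python
import base64

MQ_SHORT_USER_MAX = 12  # MQMD.UserIdentifier length discussed in the thread

# Constructed sample export; every DN and account name here is made up.
SAMPLE_LDIF = """\
dn: CN=App One,OU=Svc,DC=example,DC=com
sAMAccountName: svc_app1

dn: CN=Payments Batch,OU=Svc,DC=example,DC=com
sAMAccountName: svc_payments_batch

dn: CN=Cloud Sync,OU=Svc,DC=example,DC=com

dn: CN=Folded,OU=Svc,DC=example,DC=com
sAMAccountName: svc_folded_
 name

dn: CN=Encoded,OU=Svc,DC=example,DC=com
sAMAccountName:: c3ZjX2I2NA==
"""

def parse_ldif(text):
    """Parse LDIF into entries: dict of lowercased attribute name -> list of values."""
    entries, current = [], {}
    # Removing "newline + space" undoes LDIF line folding.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():              # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):    # skip LDIF comments
            name, _, rest = line.partition(":")
            if rest.startswith(":"):      # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(rest.strip())
    return entries

def audit_short_user(entries, attribute):
    """Return (dn, value, problem) for entries that cannot supply a short user ID."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        values = [v for v in entry.get(attribute.lower(), []) if v]
        if not values:
            findings.append((dn, "", "missing or empty"))
        findings += [(dn, v, f"{len(v)} characters") for v in values
                     if len(v) > MQ_SHORT_USER_MAX]
    return findings
```

Running `audit_short_user(parse_ldif(SAMPLE_LDIF), "sAMAccountName")` against a real export before pointing SHORTUSR at an attribute shows which accounts would need a different attribute or a rename.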