
IIB v10 fixpack 4 – LDAP Authentication

Mon July 13, 2020 08:19 AM

If you enable administration security for your integration node, it applies to all remote administrative access – primarily web UI access, but as of v10 this also includes remote toolkit access, remote commands and Integration API based applications. In that case, you are required to provide a user name and password, which you configure using the mqsiwebuseradmin command.

In fixpack 4, we’ve added a heavily-requested feature which allows the web users and passwords to be authenticated against an LDAP server. Just to be clear – for now, we’ve not changed the authorisation model, so once a user is authenticated against LDAP, the mapping to a role is still performed locally within the integration node, and the subsequent authorisation (READ/WRITE/EXECUTE permissions) is still handled by the integration node against either MQ (SYSTEM.BROKER.AUTH queues) or file authorisation (mqsichangefileauth).

What this feature allows you to do is to centralise the control of your web users so that the passwords are managed in one place, and also to assert rules such as password complexity, failed attempts, age and expiry.

To configure this against an integration node, first configure the LDAP server connection by setting a new name-value property on the web administration component. The command takes effect immediately without the need to restart – look in the system log for confirmation that it has taken effect:-

Similarly, to view the setting, use:-

Second, create a web user account for the integration node, but rather than specifying a password, use the ‘-x’ parameter to state that the web user has no local password. Because this is set per user, you can have a mix of locally authenticated web users and LDAP-authenticated users on the same integration node:-

The permissions the user has are those granted to its role (‘userrole’ here) by the authorisation mechanism (either MQ or file based) – run mqsireportauthmode to confirm which mechanism the integration node is using.
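As an added example (not code from the original article or from IBM), the steps above collected into a POSIX shell script that can be run on the integration node’s host after sourcing the mqsiprofile. The node name INODE, the LDAP host and base DN, the role name and the user names are assumed values, and the shape of the LDAP URI (host, port, base DN and the attribute matched against the user name) is an assumption to check against the Knowledge Center topic. The script uses ldaps:// so that the password a web user types is not sent to the LDAP server in clear text, and by default it prints the commands instead of running them (set IIB_DRY_RUN=0 to execute them):

```shell
#!/bin/sh
# Added example, not code from the original article or from IBM.
# Collects the configuration steps for LDAP-authenticated web users on an
# IIB v10 (fixpack 4 or later) integration node.
#
# Assumed values: the node name, the LDAP URI (host, port, base DN and the
# attribute matched against the user name), the role and the user names.
# With IIB_DRY_RUN=1 (the default) the commands are printed, not run.

IIB_NODE="${IIB_NODE:-INODE}"
# ldaps:// on 636 so the web user's password is not sent in the clear
# (assumed URI shape; confirm against the Knowledge Center topic)
IIB_LDAP_URI="${IIB_LDAP_URI:-ldaps://ldap.example.com:636/ou=users,dc=example,dc=com?uid}"
IIB_ROLE="${IIB_ROLE:-userrole}"
IIB_DRY_RUN="${IIB_DRY_RUN:-1}"

# run: print the command line in dry-run mode, otherwise execute it
run() {
  if [ "$IIB_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: point the web administration component at the LDAP server.
# Takes effect immediately; check the system log for confirmation.
set_ldap_uri() {
  run mqsichangeproperties "$IIB_NODE" -b webadmin -o server \
    -n ldapAuthenticationUri -v "$IIB_LDAP_URI"
}

# Show the current webadmin server settings, including ldapAuthenticationUri.
show_webadmin() {
  run mqsireportproperties "$IIB_NODE" -b webadmin -o server -r
}

# Step 2a: a web user with no local password (-x); LDAP authenticates it.
create_ldap_user() {
  run mqsiwebuseradmin -w "$IIB_NODE" -c -u "$1" -x -r "$IIB_ROLE"
}

# Step 2b: a locally authenticated web user (-a password) on the same node.
create_local_user() {
  run mqsiwebuseradmin -w "$IIB_NODE" -c -u "$1" -a "$2" -r "$IIB_ROLE"
}

# Report whether the role's permissions are checked against MQ or a file.
show_authmode() {
  run mqsireportauthmode "$IIB_NODE"
}

# Whole procedure: LDAP server, one LDAP user, one local user, auth mode.
configure_ldap_auth() {
  set_ldap_uri
  show_webadmin
  create_ldap_user "$1"
  create_local_user "$2" "$3"
  show_authmode
}

configure_ldap_auth alice bob 'local-password-placeholder'
```

Review the printed command lines first, then rerun with IIB_DRY_RUN=0; after the first command, confirm in the system log that the new property was picked up before creating the ‘-x’ users, because a wrong URI only shows up as failed authentications later.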

For problem determination, there are two places to look – first, the system log will show errors in authentication or in access to the LDAP server. You can also look in the administration log in the web interface (under the monitoring section), which records access times (useful for rating your LDAP server’s response speed) and successful/failed logins.

For more information, refer to the knowledge center topic ‘Enabling an integration node to use LDAP for authentication’.

3 comments on "IIB v10 fixpack 4 – LDAP Authentication"

  1. Dhiren.Ghelani May 12, 2016

    Is there a way to debug? I always get “attempted to authenticate, and was rejected by the LDAP server.”

    • Purna September 15, 2016


      Were you able to figure out the reason? Please let me know.

  2. Dhiren.Ghelani May 11, 2016

    Good Enhancement.
