Message Image  

Using the LdapAuthentication.jar tool for troubleshooting LDAP authentication and the WebUI

 View Only
Thu July 16, 2020 05:38 AM

Published on November 2, 2016 / Updated on November 29, 2018

Setting up LDAP Authentication with the WebUI has been challenging. A tool has been created to simplify this process, as the trial and error method can get tedious, when broker restarts, etc are needed.

The tool is attached as a .zip file at the end of this article.

***Please note LdapAuthentication.zip will need to be renamed LdapAuthentication.jar***

Usage: java -jar LdapAuthentication.jar “Ldap host” “binding userid” “binding password” “Ldap baseDN” “Ldap uid attr” “Admin userid” “Admin passwd”

For example:
java -jar LdapAuthentication.jar ldap://localhost:389 cn=Manager,dc=maxcrc,dc=com secret dc=maxcrc,dc=com uid dbwillis secret

Where
“Ldap host” = ldap://localhost:389
“binding userid” = cn=Manager,dc=maxcrc,dc=com
“binding password” = secret
“Ldap baseDN” = dc=maxcrc,dc=com
“Ldap uid attr” = uid
“Admin userid” = dbwillis
“Admin passwd” = secret

If you are unclear on any of these parameters, your LDAP Admin should be able to get that information for you.
The only one that is not extremely clear is Ldap uid attr.
Typically this will be ‘cn’, ‘uid’, or ‘samaccountname’
__________________________________________________________________
Run the tool with the parameters.

If the tool is run successfully, the correct mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands will be displayed.

If any of the parameters are incorrect, the tool will help you determine where it is failing. I will demonstrate these.
__________________________________________________________________
Correct Output:


Once input correctly, the mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands are issued.
**When using special characters in the password, it will need to be surrounded by double quotes in the mqsisetdbparms command**
__________________________________________________________________
Using the wrong host/port will show the following:


Using the wrong Binding UserID:


As you can see cn=Manager was incorrectly typed as cn=People.
Using the wrong Binding password will also give this same error
__________________________________________________________________
Using the wrong Base DN:



As you can see dc=maxcrc was incorrectly typed as dc= maxcr
The tool was able to successfully bind to the LDAP server, but was unable to search the base DN.
__________________________________________________________________
Using the wrong UID Attribute:


As you can see uid was incorrectly typed as samaccountname
The tool was able to successfully bind to and search the LDAP server, but could not find the specified user. You will also see this if the username is incorrect.


Note that dbwillis was incorrectly typed as dbwillis1
__________________________________________________________________
Using the wrong user Password:


As you can see secret was incorrectly typed secret1
The tool was able to successfully bind to and search the LDAP server, found the user, but was unable to authenticate. It lets you know the wrong password was used.
__________________________________________________________________
Additional Resources:
Enabling an integration node to use LDAP for authentication:
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap04143_.htm

mqsiwebuseradmin command
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28491_.htm

Role-based security
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28480_.htm

8 comments on"Using the LdapAuthentication.jar tool for troubleshooting LDAP authentication and the WebUI"

  1. lorenmcc January 25, 2018

    tried this tool, with the following input

    java -jar LdapAuthentication.jar ldaps://adldap.company.com:636 ‘CN=MqProduct AppID,OU=Application IDs,OU=People,DC=company,DC=com’ b8Gh5m2r DC=company,DC=com samAccountName userid password

    what does the following error mean?

    @WMBL3: successful bind
    @WMBL3: successfull search
    Starting Authentication
    Exception in thread “main” javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ‘DC=company,DC=com’

    Reply (Edit)
  2. Daniel Willis September 14, 2017

    A new tool has also been created for testing with Multiple Base DNs. It has been published in a DWAnswer at the following:
    https://developer.ibm.com/answers/questions/400944/iib-weubui-ldap-authentication-with-multiple-base.html?childToView=400948#answer-400948

    Reply (Edit)
  3. Eva June 24, 2017

    Hey Daniel,
    Your utility is great !!! It has help me tremendously to debug the connection to AD and LDAP URI parms. Alike Shane, I also was on the verge of opening a PMR. I’m so glad I came across it.
    Sweet 🙂
    Thanks and Regards,
    Eva

    Reply (Edit)
    • Babu June 27, 2017

      Hi Eva

      Am planning to integrate the IIB WEB interface with Active directory .
      Can you please help me with useful doc ?

      Reply (Edit)
  4. Steve Gies February 21, 2017

    Daniel –
    Does this tool support ldaps (LDAP Secure) calls? I’m assuming not since I don’t see any place to specify a truststore.

    Reply (Edit)
  5. Shane December 09, 2016

    Daniel,

    Thanks much for taking the time to create this utility and sharing it. We had given up on connecting IIB WebAdmin to our Active Directory after spending a couple days trying to set it up (and even opening a PMR). Earlier this week, I happened to stumble across this and a couple hours later we had everything resolved and converted over.

    You should verify that support is aware of this utility and sends a link to this page to customers that contact them with LDAP concerns.

    Reply (Edit)


#IntegrationBus(IIB)
#IIBV10
#LDAP

Attachment(s)
zip file
LdapAuthentication.zip   14 KB   1 version
Uploaded - Thu July 16, 2020
 
Download