Setting up LDAP authentication for the WebUI can be challenging: each failed attempt means reissuing commands and restarting the broker, so trial and error gets tedious quickly. A small tool has been created to check the LDAP parameters before they are applied to the broker.
The tool is attached as a .zip file at the end of this article.
***Please note LdapAuthentication.zip will need to be renamed LdapAuthentication.jar***
Usage: java -jar LdapAuthentication.jar “Ldap host” “binding userid” “binding password” “Ldap baseDN” “Ldap uid attr” “Admin userid” “Admin passwd”
For example:
java -jar LdapAuthentication.jar ldap://localhost:389 cn=Manager,dc=maxcrc,dc=com secret dc=maxcrc,dc=com uid dbwillis secret
Where
“Ldap host” = ldap://localhost:389
“binding userid” = cn=Manager,dc=maxcrc,dc=com
“binding password” = secret
“Ldap baseDN” = dc=maxcrc,dc=com
“Ldap uid attr” = uid
“Admin userid” = dbwillis
“Admin passwd” = secret
If you are unclear on any of these parameters, your LDAP Admin should be able to get that information for you.
The only parameter that is not self-explanatory is Ldap uid attr: the LDAP attribute whose value holds the login name that users type.
Typically this will be 'cn', 'uid', or 'sAMAccountName' (the latter on Active Directory).
__________________________________________________________________
Run the tool with the parameters.
If the tool is run successfully, the correct mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands will be displayed.
If any of the parameters are incorrect, the tool will help you determine where it is failing. I will demonstrate these.
__________________________________________________________________
Correct Output:
Once the parameters are entered correctly, the mqsisetdbparms, mqsichangeproperties, and mqsiwebuseradmin commands to issue are displayed.
**When the password contains special characters, it will need to be surrounded by double quotes in the mqsisetdbparms command**
__________________________________________________________________
Using the wrong host/port will show the following:
Using the wrong Binding UserID:
As you can see, cn=Manager was incorrectly typed as cn=People.
Using the wrong binding password will also give this same error.
__________________________________________________________________
Using the wrong Base DN:
As you can see, dc=maxcrc was incorrectly typed as dc=maxcr.
The tool was able to successfully bind to the LDAP server, but was unable to search the base DN.
__________________________________________________________________
Using the wrong UID Attribute:
As you can see, uid was incorrectly typed as samaccountname.
The tool was able to successfully bind to and search the LDAP server, but could not find the specified user. You will also see this if the username is incorrect.
Note that dbwillis was incorrectly typed as dbwillis1.
__________________________________________________________________
Using the wrong user Password:
As you can see, secret was incorrectly typed as secret1.
The tool was able to successfully bind to and search the LDAP server, found the user, but was unable to authenticate. It lets you know the wrong password was used.
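The stages described above (bind with the binding userid and password, search the base DN for an entry whose uid attribute matches the admin userid, then bind as that entry with the admin password) can be reproduced with plain JNDI. The following program is an added example written for this article; it is not the attached LdapAuthentication.jar and its output format is its own. The class name LdapAuthCheck, the integration node name IBNODE and the role ibmAdmin are placeholders, and the printed command shapes follow the IBM v10 documentation linked under Additional Resources, so compare them with the tool's own output before issuing them.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example (not the attached tool): checks the seven LDAP parameters stage by stage. */
public class LdapAuthCheck {

    /** Simple bind as dn. CommunicationException = wrong host/port, AuthenticationException = bad credentials. */
    static DirContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // ldap:// or ldaps://
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Escapes a value for an LDAP search filter (RFC 4515) so a typed userid cannot change the filter. */
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 7) {
            System.err.println("Usage: java LdapAuthCheck host bindDn bindPw baseDn uidAttr adminUser adminPw");
            System.exit(2);
        }
        String host = args[0], bindDn = args[1], bindPw = args[2], baseDn = args[3];
        String uidAttr = args[4], adminUser = args[5], adminPw = args[6];
        // An empty password turns a simple bind into an anonymous bind, which many servers accept: refuse it early.
        if (bindPw.isEmpty() || adminPw.isEmpty()) {
            System.out.println("FAIL: empty passwords are not allowed (they would become anonymous binds)");
            return;
        }
        // Stage 1: bind with the binding userid/password (wrong host/port, binding userid or binding password fail here).
        DirContext ctx;
        try {
            ctx = bind(host, bindDn, bindPw);
        } catch (CommunicationException e) {
            System.out.println("FAIL: cannot connect to " + host + " (check Ldap host/port): " + e.getMessage());
            return;
        } catch (AuthenticationException e) {
            System.out.println("FAIL: bind as " + bindDn + " rejected (check binding userid and binding password)");
            return;
        }
        System.out.println("OK: bound as " + bindDn);
        // Stage 2: search the base DN for an entry whose uid attribute equals the admin userid.
        String userDn = null;
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);      // only the entry's DN is needed
            String filter = "(" + uidAttr + "=" + escapeFilter(adminUser) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            if (results.hasMore()) {
                userDn = results.next().getNameInNamespace();
            }
        } catch (NameNotFoundException e) {
            System.out.println("FAIL: base DN " + baseDn + " not found (check Ldap baseDN)");
            return;
        } finally {
            ctx.close();
        }
        if (userDn == null) {
            System.out.println("FAIL: no entry under " + baseDn + " has " + uidAttr + "=" + adminUser + " (check Ldap uid attr and Admin userid)");
            return;
        }
        System.out.println("OK: found " + userDn);
        // Stage 3: bind as the entry found, with the admin password.
        try {
            bind(host, userDn, adminPw).close();
        } catch (AuthenticationException e) {
            System.out.println("FAIL: wrong password for " + userDn + " (check Admin passwd)");
            return;
        }
        System.out.println("OK: " + adminUser + " authenticated. Commands to issue (IBNODE and ibmAdmin are placeholders):");
        String node = "IBNODE";
        System.out.println("mqsisetdbparms " + node + " -n ldap::LDAP -u \"" + bindDn + "\" -p \"" + bindPw + "\"");
        System.out.println("mqsichangeproperties " + node + " -b webadmin -o server -n ldapAuthenticationUri -v \""
                + host + "/" + baseDn + "?" + uidAttr + "\"");
        System.out.println("mqsiwebuseradmin " + node + " -c -u " + adminUser + " -r ibmAdmin -x");
    }
}
```

Compile with javac LdapAuthCheck.java and run it with the same seven arguments as the attached tool. Each stage stops at the first failure, so the message tells you which parameter to revisit, matching the four error cases shown above. Two points worth keeping in mind: both passwords cross the network in clear text over ldap://, so prefer an ldaps:// URL where the directory offers it, and the printed mqsisetdbparms line always wraps the DN and password in double quotes, which is what the note above asks for when the password contains special characters.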
__________________________________________________________________
Additional Resources:
Enabling an integration node to use LDAP for authentication:
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap04143_.htm
mqsiwebuseradmin command
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28491_.htm
Role-based security
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28480_.htm