IBM Security Verify

  • 1.  Using LDAP for checking group membership

    Posted Tue October 05, 2021 06:06 AM
    Edited by Colin Paice Tue October 05, 2021 06:07 AM

    I am looking at MQ's on Linux use of LDAP on z/OS to store its group to user mapping.
    I can get static groups to work, but I am having problems with groups of groups and dynamic groups.
    I can list a (dynamic )group
    ldapsearch ...  -b "cn=dynamic,o=Your Company" "&(objectClass=*)" ibm-allmembers
    gives
    ibm-allmembers=cn=colin, o=Your Company
    ibm-allmembers=cn=LDAP Administrator, o=Your Company
    ibm-allmembers=cn=ibmuser, o=Your Company

    but
    ldapsearch ...  -b "cn=dynamic,o=Your Company" "&(objectClass=*) (ibm-allmembers=cn=ibmuser, o=Your Company)" 

    gives me nothing, and the documentation says
    The ibm-allGroups and ibm-allMembers attribute types cannot be used in a search filter. These are read-only operational attributes and results in a FALSE match status when used in a search filter.

    Is there way of asking what groups does this cn belong to, and include groups of groups and dynamic groups?

    I cant change the query - it is what MQ issues.

    Colin



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: Using LDAP for checking group membership

    Posted Tue October 05, 2021 07:02 AM
    Hi Colin,

    You can get the groups (including dynamic and nested) that a DN is a member of by retrieving the ibm-allGroups attribute of the DN.

    I think you're saying that you can't do this kind of search - that MQ is restricted to searching across group objects for an attribute containing the DN.  If that's the case then I don't think there is a way to get what you're looking for.

    I know that (many years ago....) WebSphere Application Server added specific functionality to allow the use of a special attribute of the user object to get group memberships instead of searching across groups.  Maybe MQ has something similar hiding away?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Using LDAP for checking group membership

    Posted Thu October 07, 2021 11:59 AM

    Hi Jon,

    Thanks for your comments, I went back to the MQ doc, and they have provided a way of doing virtual groups, and group within groups.  I am writing it up, as it was not obvious!

    regards

    Colin



    ------------------------------
    Colin Paice
    ------------------------------