Hi Colin,
You can get the groups (including dynamic and nested) that a DN is a member of by retrieving the ibm-allGroups attribute of the DN.
I think you're saying that you can't do this kind of search - that MQ is restricted to searching across group objects for an attribute containing the DN. If that's the case then I don't think there is a way to get what you're looking for.
I know that (many years ago....) WebSphere Application Server added specific functionality to allow the use of a special attribute of the user object to get group memberships instead of searching across groups. Maybe MQ has something similar hiding away?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue October 05, 2021 06:05 AM
From: Colin Paice
Subject: Using LDAP for checking group membership
I am looking at MQ on Linux's use of LDAP on z/OS to store its group-to-user mapping.
I can get static groups to work, but I am having problems with groups of groups and dynamic groups.
I can list a (dynamic) group
ldapsearch ... -b "cn=dynamic,o=Your Company" "&(objectClass=*)" ibm-allmembers
gives
ibm-allmembers=cn=colin, o=Your Company
ibm-allmembers=cn=LDAP Administrator, o=Your Company
ibm-allmembers=cn=ibmuser, o=Your Company
but
ldapsearch ... -b "cn=dynamic,o=Your Company" "&(objectClass=*) (ibm-allmembers=cn=ibmuser, o=Your Company)"
gives me nothing, and the documentation says
The ibm-allGroups and ibm-allMembers attribute types cannot be used in a search filter. These are read-only operational attributes and result in a FALSE match status when used in a search filter.
Is there a way of asking what groups this cn belongs to, including groups of groups and dynamic groups?
I can't change the query - it is what MQ issues.
Colin
------------------------------
Colin Paice
------------------------------
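The following is an added example, not code from either post in this thread. Jon's suggestion (read the ibm-allGroups operational attribute of the user entry) has the server compute transitive membership; this block shows the client-side walk that a tool has to do when it cannot read that attribute, using Colin's "groups of groups" case, and it handles two pitfalls visible in the thread: the DN spelling returned by the server ("cn=ibmuser, o=Your Company", with a space after the comma) does not string-match the DN in a filter, and a membership cycle between two groups must not loop forever. The directory entries, group names and the `member` attribute layout (groupOfNames-style static groups) are constructed sample data; dynamic groups, whose membership is a memberURL filter evaluated by the server, are deliberately not modelled here.

```python
"""Client-side transitive group lookup over static LDAP groups.

Added example (not from the thread). Server-side, the z/OS LDAP server
answers the same question through the ibm-allGroups operational attribute
of the user entry; this is the walk a client performs when it can only
search group objects for a `member` value, as MQ does.
"""

from collections import deque

# Constructed sample entries standing in for ldapsearch results (not real
# data).  Key: entry DN; value: attribute dict.  `ops` is itself a member of
# `admins`, so a member of `ops` is transitively in `admins` (a group of
# groups).  `loop-a` and `loop-b` contain each other to exercise cycle handling.
SAMPLE_ENTRIES = {
    "cn=ops,o=Your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=ibmuser, o=Your Company", "cn=colin,o=Your Company"],
    },
    "cn=admins,o=Your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=ops,o=Your Company",
                   "cn=LDAP Administrator,o=Your Company"],
    },
    "cn=loop-a,o=Your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=loop-b,o=Your Company"],
    },
    "cn=loop-b,o=Your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=loop-a,o=Your Company", "cn=ibmuser,o=Your Company"],
    },
}


def normalize_dn(dn):
    """Simplified DN normalisation: strip whitespace around RDN separators and
    lower-case the result, so "cn=ibmuser, o=Your Company" and
    "cn=ibmuser,o=Your Company" compare equal.  Sufficient for the plain
    ASCII DNs in this thread; escaped commas or multi-valued RDNs would need
    a real RFC 4514 parser."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def direct_groups(member_dn, entries):
    """Groups whose `member` attribute lists member_dn.  In a live directory
    this is one subtree search with the filter (member=<dn>)."""
    target = normalize_dn(member_dn)
    return [dn for dn, attrs in entries.items()
            if any(normalize_dn(m) == target for m in attrs.get("member", []))]


def all_groups(user_dn, entries):
    """Transitive closure of direct_groups: breadth-first walk up the
    group-of-groups links.  The `seen` set makes membership cycles terminate.
    Returns the normalised group DNs, sorted for stable comparison."""
    seen = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in direct_groups(dn, entries):
            g = normalize_dn(group)
            if g not in seen:
                seen.add(g)
                queue.append(group)
    return sorted(seen)


if __name__ == "__main__":
    for dn in ("cn=ibmuser, o=Your Company",
               "cn=colin,o=Your Company",
               "cn=LDAP Administrator,o=Your Company"):
        print(dn, "->", all_groups(dn, SAMPLE_ENTRIES))
```

Each level of the walk costs one search against the real directory, which is exactly why a single base-scope read of ibm-allGroups on the user entry is preferable when the querying tool can be told to do that.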