MQ

  • 1.  MQ LDAP connection

    Posted Fri December 21, 2018 07:03 AM
    Hello,

    Our IBM MQ QMGR v9.1 is currently using LDAP as its user repository for Authentication and Authorization, and in our CONNAME attribute we point to multiple LDAP servers.
    Recently we had an issue with a few of the LDAP servers, due to which searches took a considerable time to return results, causing a few disconnections.

    Just wanted to know where we can find more information on how IBM MQ handles connections to LDAP; we don't need the configuration aspect but more on the internal working of MQ-to-LDAP connectivity.

    Is there a retry setting which we can reduce so that MQ can detect a failure to connect to a particular server and move to another server?
    How does MQ select a particular LDAP server from the list in the CONNAME attribute, round robin?
    Is there an LDAP cache maintained to restrict load on the LDAP server?

    It would be great if someone can help with the above information or direct me to the right technote/Knowledge Center article on this.

    Thanks!

    ------------------------------
    Murtuza Matiwala
    ------------------------------


  • 2.  RE: MQ LDAP connection

    Posted Sun December 23, 2018 05:46 PM

    > Is there a retry setting which we can reduce so that MQ can detect a failure to connect to a particular server and move to another server?
    I don't believe so, no.
    > How does MQ select a particular LDAP server from the list in the CONNAME attribute, round robin?
    Tries the first one in the list and, if that fails to connect, then tries the next one. The intention is that all LDAP servers in the list can return the same information, so all are as good as each other.
    > Is there an LDAP cache maintained to restrict load on the LDAP server?
    No.

    I believe the expectation is that a farm of LDAP servers can be set up to present a single IP address or hostname behind which logic can be put in place to do all you describe. Only when you do not have that capability would you use the simplistic CONNAME list in MQ.

    I am by no means an LDAP expert though!
    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    ------------------------------



  • 3.  RE: MQ LDAP connection

    Posted Tue December 25, 2018 10:07 PM
    Thanks as always Morag.

    ------------------------------
    Murtuza Matiwala
    ------------------------------



  • 4.  RE: MQ LDAP connection

    Posted Thu December 27, 2018 02:34 AM
    Edited by Bernard Pittens Thu December 27, 2018 03:51 AM
    Interesting case Murtuza,
    We use an LDAP (Active Directory) cluster, and we connect to that cluster via a load balancer, so only one IP or one DNS address is in the MQ LDAP config.
    At first we used our normal LDAP cluster, and part of that cluster are some off-site servers. After we experienced problems with LDAP we created an extra LDAP cluster with only on-site LDAP servers in it. In my opinion MQ has problems with latency in LDAP calls.
    We have problems with LDAP, but we have them on MQ v8 and on an MQ Appliance M2001B.
    Kind regards

    ------------------------------
    Bernard Pittens
    Integration Engineer
    Sligro Foodgroup B.V.
    Veghel
    ------------------------------



  • 5.  RE: MQ LDAP connection

    Posted Thu December 27, 2018 03:36 AM
    MQ delegates the authorisation/authentication connection for LDAP servers to the underlying LDAP client implementation. It does no sequencing or caching of previous connection requests (in fact, MQ doesn't even know which real LDAP server has been reached if more than one were possible.)

    The LDAP client options are described in that product's documentation. Other than reformatting the MQ ConnName style "host(port)" into "host:port", MQ passes connection information directly to the LDAP client.

    Note the interesting possibility of using "ldap://" as the address for automatic discovery of servers through a variety of mechanisms, and how that page discusses cycling through the list.

    ------------------------------
    Mark Taylor

    ------------------------------
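As an added example (not from the thread, and not IBM's MQ or LDAP client code), the following Python parses an MQ-style CONNAME list, shows the host:port form Mark describes being handed to the LDAP client, and walks the list in order with a connect timeout, recording how long each attempt took so that a reachable-but-slow LDAP server of the kind Murtuza hit shows up in the timings. The default port of 389 for entries without a port and the try-first-then-next behaviour are assumptions taken from the replies above, not verified against MQ internals.

```python
import socket
import time

DEFAULT_LDAP_PORT = 389  # assumption: an entry without "(port)" defaults to the LDAP port


def parse_conname(conname, default_port=DEFAULT_LDAP_PORT):
    """Turn "host1(389),host2" into [("host1", 389), ("host2", 389)]."""
    servers = []
    for entry in (e.strip() for e in conname.split(",") if e.strip()):
        if entry.endswith(")") and "(" in entry:
            host, port = entry[:-1].split("(", 1)
            servers.append((host.strip(), int(port)))
        else:
            servers.append((entry, default_port))
    return servers


def to_ldap_uris(servers):
    """The host:port form the LDAP client receives, as space-separated ldap:// URIs."""
    return " ".join(f"ldap://{host}:{port}" for host, port in servers)


def tcp_connect(host, port, timeout):
    """Real probe: open and close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def first_reachable(servers, timeout=2.0, connect=tcp_connect):
    """Try servers in CONNAME order and stop at the first that connects.
    Returns (chosen server or None, attempts); each attempt is (host, port, ok, seconds)."""
    attempts = []
    for host, port in servers:
        start = time.monotonic()
        try:
            connect(host, port, timeout)
            ok = True
        except OSError:
            ok = False
        attempts.append((host, port, ok, round(time.monotonic() - start, 3)))
        if ok:
            return (host, port), attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed CONNAME value; substitute the one from your AUTHINFO object.
    servers = parse_conname("ldap1.example.com(389),ldap2.example.com,ldap3.example.com(636)")
    print(to_ldap_uris(servers))
    chosen, attempts = first_reachable(servers)
    for host, port, ok, secs in attempts:
        print(f"{host}:{port} {'ok' if ok else 'FAILED'} after {secs}s")
    print("first usable server:", chosen)
```

The `connect` parameter exists so the walk can be exercised without network access; an attempt that succeeds only after several seconds is exactly the server to look at first when MQ clients start seeing authentication delays.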