App Connect

  • 1.  enable LDAP for IIB 10.0.0.23

    Posted Fri January 13, 2023 07:57 AM
    Hi all,

    I have an issue with activating LDAP for IIB 10 Web GUI.
    I am suspecting my search string within LDAP is incorrect.

    This is the error: "BIP2774W: A user 'xxxxxxxx' attempted to authenticate, and was rejected by the LDAP server."

    How can I determine what IIB uses as its search string for ldap.userSearchBase and ldap.userSearchFilter?


    ------------------------------
    Emile Kearns
    ------------------------------


  • 2.  RE: enable LDAP for IIB 10.0.0.23

    IBM Champion
    Posted Thu January 19, 2023 03:10 AM
    Edited by Matthias Blomme Thu January 19, 2023 03:11 AM
    Hi Emile,

    Not sure this helps you (or maybe you have tried it before), but there is an LDAP test tool.
    I noted down the following from somewhere (forgot what the source was):

    --------------------------------------------------------
    My suggestion would be to use non-SSL for the testing tool, since you already have the cert path configured correctly.


    Usage is the following:
    -----------------------

    Usage: java -jar LdapAuthenticator.jar OPTIONS
    Options Available:
    -h FQDN or IP address of the LDAP server(required).
    LDAP server URI in the following format:
    schema://host:port
    schema is either ldap (for LDAP/Active Directory) or
    ldaps (for secure LDAP/Active Directory).

    -bd LDAP binding DN (required).
    The bind name of a user that allows you to bind as
    a certain privileged user to be able to query the userPassword
    or authPassword field. For example cn=Manager,dc=domain,dc=com.

    -bp LDAP binding password (required)

    -d Base search DN (required).
    This field sets where in the schema the query should start searching.

    -a Search attribute (required).
    Attribute to search for on the LDAP server.
    For example: cn, uid, or samAccountName.

    -u LDAP username (required).
    This field sets the username to be authenticated by the LDAP server.

    -p LDAP user password (required).
    This field sets the password for the username to be authenticated
    by the LDAP server.

    -t Truststore path (optional).
    This field sets the absolute path to the truststore where you upload
    the LDAP server certificate. The truststore name MUST be cacerts.
    The tool will use the default path of the cacerts truststore, which
    comes with JRE install, if not set.

    -tp Truststore password (optional).
    This field sets the password for the cacerts truststore.
    The default cacerts password is used if not set.

    -----------------
    Example:
    java -jar LdapAuthenticator.jar -h ldap://ldap.xxxx.com:389 -bd <your binding DN> -bp <binding password> -d DC=xxxx,DC=xxxx,DC=com -a userPrincipalName -u <ldap user> -p <ldap user password>

    --------------------------------------------------------

    This might help test and tweak your LDAP string.


    #####
    # edit
    #####
    It's from IBM support: https://www.ibm.com/support/pages/stand-alone-tool-authenticating-ldap-users-and-groups

    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------



  • 3.  RE: enable LDAP for IIB 10.0.0.23

    IBM Champion
    Posted Fri January 20, 2023 08:37 AM

    After running the command you can choose to generate code for ACE or IIB.

    Example: 
    > java -jar .\LdapAuthenticator.jar -h ....

    LMT5600I: successful bind
    LMT5601I: successfull search

    LMT2516I*: Starting Authentication

    LMT2517I: Found the user, xxxx
    LMT2518I: checking if the user password is correct
    LMT8004E: Incorrect LDAP user password provided. Please correct the password and try again.
    LMT2519I: LDAP user password is correct

    LMT5602I**: successful authentication



    Select a product to generate configuration settings:


    Products Available:

    1. IIB 2. ACE 3. EXIT

    Enter a number or a product name from available options :


    ** LDAP Authentication Settings for IIB **

    1. mqsisetdbparms <IIBNODE> -n ldap::LDAP -u "xxxx" -p xxxx

    2. mqsichangeproperties <IIBNODE> -b webadmin -o server -n ldapAuthenticationUri -v \"xxxx"

    3. mqsiwebuseradmin <IIBNODE> -c -u xxxx -x -r <sysrole for eg: local userid>

    ** IMPORTANT NOTE: **

    If any username is more than one word or any password contains special character, it must be enclosed in single or double quotes based on your OS.

    Information provided here may change over time. Please, review products documentation for updated configuration settings.

    Program terminated. Status code 0.



    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------
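    The `ldapAuthenticationUri` that the tool emits in step 2 above is an LDAP URL in the `ldap[s]://host[:port]/baseDN?attr?scope?filter` shape defined by RFC 4516. The following is an added example, not code from this thread or from IBM: it decodes such a URL by the RFC's rules and prints the search base, scope and per-user filter a standards-conforming client would derive from it, so that an empty attribute field, a defaulted `base` scope or a plain `ldap://` scheme is caught before the BIP2774W rejection appears. Whether IIB's own client interprets every field identically is an assumption; the hostnames, DNs and user names are constructed.

```python
"""Decode an LDAP URL of the kind used for the IIB/ACE ldapAuthenticationUri.

Added example, not from the forum thread or from IBM.  It relies only on the
RFC 4516 LDAP URL grammar
    scheme://host[:port]/baseDN[?attr[?scope[?filter]]]
and derives the search base, scope and per-user filter a client built on that
grammar would send.  That IIB's client behaves the same way is an assumption.
All URLs, DNs and user names below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}


@dataclass
class LdapTarget:
    scheme: str
    host: str
    port: int
    base_dn: str
    uid_attr: str   # attribute the user name is matched against (uid, sAMAccountName, ...)
    scope: str      # base | one | sub
    filter: str     # extra filter carried in the URL, "" if none


def parse_ldap_url(url: str) -> LdapTarget:
    """Split an RFC 4516 LDAP URL into its search components."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing LDAP host")
    port = parts.port or DEFAULT_PORTS[scheme]
    # RFC 4516: the path is the base DN; the query is attr?scope?filter?extensions
    fields = parts.query.split("?") + ["", "", ""]
    attr, scope, flt = (unquote(f) for f in fields[:3])
    scope = scope.lower() or "base"          # RFC 4516 default when the field is omitted
    if scope not in SCOPES:
        raise ValueError(f"scope must be base, one or sub, got {scope!r}")
    return LdapTarget(scheme, parts.hostname, port,
                      unquote(parts.path.lstrip("/")), attr, scope, flt)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user name such as '*)(uid=*' cannot rewrite the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def user_search(target: LdapTarget, username: str) -> tuple[str, str, str]:
    """Return (base_dn, scope, filter) a client would use to locate one user."""
    if not target.uid_attr:
        raise ValueError("URL names no user-id attribute, so no search filter can be built")
    match = f"({target.uid_attr}={escape_filter_value(username)})"
    if target.filter:
        match = f"(&{match}{target.filter})"     # AND the URL's own filter with the user match
    return target.base_dn, target.scope, match


def lint(target: LdapTarget) -> list[str]:
    """Flag the URL mistakes that most often end in a rejected authentication."""
    findings = []
    if target.scheme == "ldap":
        findings.append("plain ldap://: the simple-bind password crosses the network unencrypted; "
                        "prefer ldaps:// with the server certificate in the truststore")
    if not target.uid_attr:
        findings.append("no user-id attribute after the base DN (for example ?uid or ?sAMAccountName)")
    if target.scope == "base":
        findings.append("scope 'base' (the default when omitted) matches only the base DN entry itself; "
                        "users stored beneath it need '?sub'")
    if not target.base_dn:
        findings.append("empty base DN: the search has nowhere to start")
    return findings


if __name__ == "__main__":
    for url in ("ldaps://ldap.example.com/ou=people,dc=example,dc=com?sAMAccountName?sub",
                "ldap://ldap.example.com:389/ou=people,dc=example,dc=com"):
        target = parse_ldap_url(url)
        print(url)
        print("  ->", target)
        for finding in lint(target):
            print("  !", finding)
        if target.uid_attr:
            print("  search:", user_search(target, "emile"))
```

    Run it against the exact string you pass to `mqsichangeproperties`; the second sample URL reproduces the three findings that typically accompany a "rejected by the LDAP server" message when the bind itself succeeded.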



  • 4.  RE: enable LDAP for IIB 10.0.0.23

    IBM Champion
    Posted Wed February 15, 2023 11:37 AM
    Edited by Matthias Blomme Wed February 15, 2023 11:38 AM

    @Emile Kearns

    Did this help?



    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------



  • 5.  RE: enable LDAP for IIB 10.0.0.23

    Posted Wed March 29, 2023 06:09 AM

    Hi @Matthias Blomme 

    I have taken this work from Emile and I am trying to assist him.

    We are now moving towards getting it all configured in ACE.
    I have managed to get the LDAP authentication setup.

    After authentication, do you make use of LDAP groups for authorisations?
    I have followed the steps from the IBM Documentation and have configured the groups in the YAML files.
    When I log on, it gives me an error that the user is not authorised to any of the objects in the integration server.



    ------------------------------
    Frederik Janse van Rensburg
    ------------------------------



  • 6.  RE: enable LDAP for IIB 10.0.0.23

    IBM Champion
    Posted Thu March 30, 2023 04:24 AM

    Hi Frederik

    I have done it in the past, but you don't need to if you don't want to (though I would recommend it unless you want to keep manually maintaining users).

    What have you setup so far?

    For the LDAP-to-group coupling you need to set which LDAP groups match a local group, and give the local group access to resources in the YAML config:

    Setting the LDAP to local group coupling

    Giving the local groups access to resources

    And to integration servers



    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------



  • 7.  RE: enable LDAP for IIB 10.0.0.23

    Posted Tue April 04, 2023 02:42 AM

    Hi Matthias.

    Thanks for your assistance.
    I found the problems and finally got it working.

    I had followed the steps you shared, but from the IBM Knowledge Center, and was still stuck.
    The problem was with the LDAP auth URL, which didn't match the groups correctly.

    This is now functioning.

    --------------------------------------------
    Regards
    Frederik Janse van Rensburg

    --------------------------------------------






  • 8.  RE: enable LDAP for IIB 10.0.0.23

    IBM Champion
    Posted Tue April 04, 2023 02:56 AM

    Glad it works now!



    ------------------------------
    Regards
    Matthias Blomme
    ------------------------------