Original Message:
Sent: Tue April 04, 2023 02:41 AM
From: Frederik Janse van Rensburg
Subject: enable LDAP for IIB 10.0.0.23
Hi Matthias.
Thanks for your assistance.
I found the problems and finally got it working.
I have followed the steps you shared - but from the IBM knowledge centre and still was stuck.
The problem was with the ldap auth url that didn't match the groups correctly.
This is now functioning.
--------------------------------------------
Regards
Frederik Janse van Rensburg
--------------------------------------------
------------------------------
Frederik Janse van Rensburg
Original Message:
Sent: Thu March 30, 2023 04:24 AM
From: Matthias Blomme
Subject: enable LDAP for IIB 10.0.0.23
Hi Frederik
I have done it in the past, but you don't need to if you don't want to (but I would recommend it unless you want to keep manually maintaining users).
What have you setup so far?
For the ldap - group coupling you need to set what ldap groups match with a local group and give the local group access to resources in the yaml config
Setting the ldap to local group coupling
Giving the local groups access to resources
And integration servers
------------------------------
Regards
Matthias Blomme
Original Message:
Sent: Wed March 29, 2023 03:43 AM
From: Frederik Janse van Rensburg
Subject: enable LDAP for IIB 10.0.0.23
Hi @Matthias Blomme
I have taken this work from Emile and I am trying to assist him.
We are now moving towards getting it all configured in ACE.
I have managed to get the LDAP authentication setup.
After authentication, do you make use of LDAP groups for authorisations?
I have followed the steps from the IBM Documentation and have configured the groups in the YAML files.
When I log on, it gives me an error that the user is not authorised to any of the objects in the integration server.
------------------------------
Frederik Janse van Rensburg
Original Message:
Sent: Wed February 15, 2023 11:36 AM
From: Matthias Blomme
Subject: enable LDAP for IIB 10.0.0.23
@Emile Kearns
did this help?
------------------------------
Regards
Matthias Blomme
Original Message:
Sent: Fri January 20, 2023 08:37 AM
From: Matthias Blomme
Subject: enable LDAP for IIB 10.0.0.23
After running the command you can choose to generate code for ACE or IIB.
Example:
> java -jar .\LdapAuthenticator.jar -h ....
LMT5600I: successful bind
LMT5601I: successfull search
LMT2516I*: Starting Authentication
LMT2517I: Found the user, xxxx
LMT2518I: checking if the user password is correct
LMT8004E: Incorrect LDAP user password provided. Please correct the password and try again.
LMT2519I: LDAP user password is correct
LMT5602I**: successful authentication
Select a product to generate configuration settings:
Products Available:
1. IIB 2. ACE 3. EXIT
Enter a number or a product name from available options :
** LDAP Authentication Settings for IIB **
1. mqsisetdbparms <IIBNODE> -n ldap::LDAP -u "xxxx" -p xxxx
2. mqsichangeproperties <IIBNODE> -b webadmin -o server -n ldapAuthenticationUri -v \"xxxx"
3. mqsiwebuseradmin <IIBNODE> -c -u xxxx -x -r <sysrole for eg: local userid>
** IMPORTANT NOTE: **
If any username is more than one word or any password contains special character, it must be enclosed in single or double quotes based on your OS.
Information provided here may change over time. Please, review products documentation for updated configuration settings.
Program terminated. Status code 0.
------------------------------
Regards
Matthias Blomme
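As an added illustration (not from the thread or from IBM's tool), a small Python helper that splits an ldapAuthenticationUri-style LDAP URL into its search base, attribute, scope and filter, and builds the user search filter from them. The URL layout follows RFC 4516 (scheme://host:port/baseDN?attribute?scope?filter); the sample URL is constructed, and the assumption that the broker searches on attribute=username combined with the URL's own filter is mine, not something the thread confirms.

```python
import re
from urllib.parse import unquote

# Constructed sample in the RFC 4516 LDAP URL layout (assumed to match what
# ldapAuthenticationUri expects): scheme://host:port/baseDN?attribute?scope?filter
SAMPLE_URI = "ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"

# RFC 4515 escaping for values placed inside a search filter, so a user name such
# as  admin)(uid=*  cannot change the filter the directory server evaluates.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_uri(uri: str) -> dict:
    """Split an LDAP URL into the parts a user search needs (RFC 4516 layout)."""
    m = re.fullmatch(r"(ldaps?)://([^/:]+)(?::(\d+))?(?:/([^?]*))?(?:\?(.*))?", uri)
    if not m:
        raise ValueError(f"not an LDAP URL: {uri!r}")
    scheme, host, port, base, rest = m.groups()
    extras = (rest or "").split("?")
    extras += [""] * (3 - len(extras))  # attribute, scope and filter may be omitted
    attribute, scope, flt = extras[0], extras[1], extras[2]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": unquote(base or ""),   # DN and filter parts are percent-encoded
        "attribute": attribute,
        "scope": scope or "base",         # RFC 4516 default when the scope is omitted
        "filter": unquote(flt) if flt else "",
    }


def user_search_filter(uri: str, username: str) -> str:
    """Filter assumed to be sent for a logon: (attribute=username) AND the URL's filter."""
    p = parse_ldap_uri(uri)
    term = f"({p['attribute']}={escape_filter_value(username)})"
    return f"(&{term}{p['filter']})" if p["filter"] else term


if __name__ == "__main__":
    print(parse_ldap_uri(SAMPLE_URI))
    print(user_search_filter(SAMPLE_URI, "fjvr"))
```

Printing the parsed parts next to the search base and filter you expect is a quick way to spot a base DN or attribute that does not match the directory before retrying the logon.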
Original Message:
Sent: Thu January 19, 2023 03:10 AM
From: Matthias Blomme
Subject: enable LDAP for IIB 10.0.0.23
Hi Emile,
Not sure this helps you (or maybe you have tried it before) but there is an ldap test tool,
I noted down the following from somewhere (forgot what the source was)
--------------------------------------------------------
My suggestion would be to use non-SSL for the testing tool, since you already have the cert path configured correctly.
Usage is the following:
-----------------------
Usage: java -jar LdapAuthenticator.jar OPTIONS
Options Available:
-h FQDN or IP address of the LDAP server(required).
LDAP server URI in the following format:
schema://host:port
schema is either ldap (for LDAP/Active Directory) or
ldaps (for secure LDAP/Active Directory).
-bd LDAP binding DN (required).
The bind name of a user that allows you to bind as
a certain privileged user to be able to query the userPassword
or authPassword field. For example cn=Manager,dc=domain,dc=com.
-bp LDAP binding password (required)
-d Base search DN (required).
This field sets where in the schema the query should start searching.
-a Search attribute (required).
Attribute to search for on the LDAP server.
For example: cn, uid, or samAccountName.
-u LDAP username (required).
This field sets the username to be authenticated by the LDAP server.
-p LDAP user password (required).
This field sets the password for the username to be authenticated
by the LDAP server.
-t Truststore path (optional).
This field sets the absolute path to the truststore where you upload
the LDAP server certificate. The truststore name MUST be cacerts.
The tool will use the default path of the cacerts truststore, which
comes with JRE install, if not set.
-tp Truststore password (optional).
This field sets the password for the cacerts truststore.
The default cacerts password is used if not set.
-----------------
Example:
java -jar LdapAuthenticator.jar -h ldap://ldap.xxxx.com:389 -bd <your binding DN> -bp <binding password> -d DC=xxxx,DC=xxxx,DC=com -a userPrincipalName -u <ldap user> -p <ldap user password>
--------------------------------------------------------
This might help test and tweak your ldap string
#####
# edit
#####
It's from IBM support: https://www.ibm.com/support/pages/stand-alone-tool-authenticating-ldap-users-and-groups
------------------------------
Regards
Matthias Blomme
Original Message:
Sent: Fri January 13, 2023 07:56 AM
From: Emile Kearns
Subject: enable LDAP for IIB 10.0.0.23
Hi all,
I have an issue with activating LDAP for IIB 10 Web GUI.
I am suspecting my search string within LDAP is incorrect.
This is the error: "BIP2774W: A user 'xxxxxxxx' attempted to authenticate, and was rejected by the LDAP server."
How can I determine what IIB uses as its search string for ldap.userSearchBase, and ldap.userSearchFilter?
------------------------------
Emile Kearns
------------------------------