You are quite correct that the SHORTUSR field in an AUTHINFO definition does indeed need to be set to an attribute where the values used will be 12 or less. If LDAP admins are not doing so, then user ID retrieval across systems may not function as expected. They may be getting away with it because using the authority of the user ID carried in the message is not a common pattern.
Original Message:
Sent: Wed April 03, 2024 07:29 PM
From: Riaan Jonker
Subject: MQMD.UserIdentifier field length
Sorry I was not clear earlier. Nothing missing. You've answered the question. There is currently no roadmap to extend the 12-character limitation.
From what I understand the "LDAP User Repository - Equivalent short user" needs to be set to an attribute where the value is 12 or less characters.
I'm only commenting that many Directory administrators often reference this to the "sAMAccountName" attribute which is limited to 20 characters. If they do reference this to another attribute, the company needs to take care to not use it for another purpose where it may exceed 12 characters.
------------------------------
Riaan Jonker
Original Message:
Sent: Wed April 03, 2024 06:28 PM
From: Morag Hughson
Subject: MQMD.UserIdentifier field length
I think that future proofing might have already been done. I'm afraid I didn't understand from your response what it was you thought was missing.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Wed April 03, 2024 06:20 PM
From: Riaan Jonker
Subject: MQMD.UserIdentifier field length
Hi Morag,
This is more a question of future proofing. With more cloud services being adopted, I've found that many "useful" directory attributes often exceed 12 characters or are deliberately left empty for security reasons.
On top of that I've found that as time goes by, if a directory attribute is agreed to be limited to 12 characters, time and ignorance often lead to this self-imposed limitation being forgotten.
Regards,
------------------------------
Riaan Jonker
Original Message:
Sent: Tue April 02, 2024 05:38 PM
From: Morag Hughson
Subject: MQMD.UserIdentifier field length
IBM MQ already allowed you to authenticate and authorise users with longer than 12 characters. When user ids need to be stored in the message the short form of the user id is used so the long equivalent can be retrieved on another system.
As a result of the above I do not believe the MQMD field will ever be increased.
What is it that you find you cannot do that leads you to ask this question?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Mon April 01, 2024 10:40 PM
From: Riaan Jonker
Subject: MQMD.UserIdentifier field length
Original Post: Limits on LDAP user / group names when used with MQ? | MQ (ibm.com)
Now I know that we can limit access by various other methods (Example: IP, Certificate, etc.). Yet it's not ideal when you want to lock down the specific access an account has on the Queue Manager. Yet, I believe it may become more relevant with time.
Does anybody know if IBM is planning on increasing the MQMD.UserIdentifier field length in future releases of IBM MQ?
It's currently limited to 12 characters. I've seen many backend service accounts and system administrator accounts with user id lengths exceeding 12 characters.
------------------------------
Riaan Jonker
------------------------------
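One way to check the point discussed in this thread before choosing a directory attribute for SHORTUSR: the sketch below is an added example, not code from any poster or from IBM MQ. It audits an LDIF export for entries whose candidate attribute is empty or longer than 12 characters. The function names and the sample directory entries are constructed for illustration, and it assumes the directory can be exported as LDIF.

```python
import base64

MQ_SHORT_USER_MAX = 12  # MQMD.UserIdentifier length stated in the thread

# Constructed sample LDIF export; all entries and values are made up.
SAMPLE_LDIF = """\
dn: cn=Pay Svc,ou=svc,dc=example,dc=com
sAMAccountName: svc-payments-batch
uid: paysvc

dn: cn=Ops Admin,ou=people,dc=example,dc=com
sAMAccountName: opsadmin
uid:: b3BzYWRtaW4=

dn: cn=Cloud Sync,ou=svc,dc=example,dc=com
sAMAccountName: cloudsync
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folding and base64."""
    # LDIF folds long lines: a continuation line starts with a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def audit_short_user(ldif_text, attribute):
    """Return [(dn, problem)] for entries that cannot supply a short user ID."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        values = [v for v in entry.get(attribute.lower(), []) if v]
        if not values:
            findings.append((dn, "missing or empty"))
        for v in values:
            if len(v) > MQ_SHORT_USER_MAX:
                findings.append((dn, f"{len(v)} chars: {v}"))
    return findings
```

Running `audit_short_user(SAMPLE_LDIF, "sAMAccountName")` flags the 18-character service account, while `"uid"` flags the entry where the attribute was left empty; re-running the audit periodically catches the case where the agreed 12-character convention is later forgotten.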