How to configure IBM MQ v9 to use Microsoft AD for user authentication

2

I'm trying to set up Microsoft AD as the user repository for an IBM MQ v9 Queue Manager, but without success. I read the document https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q085490_.htm, but it's very unclear with all those diagrams, dashes and arrows. My final goal is to have the ability to grant or revoke authorizations based on AD groups. Can someone give me a complete command example of how to configure the queue manager to use AD as the user repository?

IBM MQ is v9.0.0.0 and runs on CentOS v7. Active Directory is on Windows Server 2019 machine.

I tried to set AUTHINFO with MQSC commands. All commands are executed without problems. After that I refreshed security and tried to grant authorizations with the setmqaut command, but unsuccessfully.

I tried with the MQSC commands below:

DEFINE AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP) AUTHORMD(SEARCHGRP) FINDGRP(member) CONNAME('192.168.100.100') BASEDNG('OU=Groups,OU=MyCompany,DC=mycompany,DC=us') SHORTUSR('sAMAccountName') LDAPUSER('mybinduser') LDAPPWD('mypassword')

ALTER QMGR CONNAUTH(MY.AD.CONFIGURATION)

REFRESH SECURITY TYPE(CONNAUTH)

setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all

After I execute the command: setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all

This error is displayed in the console: AMQ7026: A principal or group name was invalid.

And these lines below are recorded in the queue manager log:

AMQ5531: Error locating user or group in LDAP

EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'myadgroup '. Returned count is 0.
Additional context is 'rc = 87 (Bad search filter)
[(&(objectClass=groupOfNames)(=myadgroup ))]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
----- amqzfula.c : 2489 -------------------------------------------------------

On the Active Directory side these lines are recorded in the log:

An account failed to log on.
Subject:
    Security ID:        SYSTEM
    Account Name:       MYADSERVER$
    Account Domain:     MYDOMAINNAME
    Logon ID:       0x3E7
Logon Type:         3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       mybinduser
    Account Domain:     MYDOMAINNAME
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC000006A
Process Information:
    Caller Process ID:  0x280
    Caller Process Name:    C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name:   MYADSERVER
    Source Network Address: 192.168.100.101
    Source Port:        55592
Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Here below is the output of the command DIS AUTHINFO(MY.AD.CONFIGURATION) ALL

AMQ8566: Display authentication information details.
   AUTHINFO(MY.AD.CONFIGURATION)          AUTHTYPE(IDPWLDAP)
   ADOPTCTX(NO)                            DESCR( )
   CONNAME(192.168.100.100)                CHCKCLNT(REQUIRED)
   CHCKLOCL(OPTIONAL)                      CLASSGRP( )
   CLASSUSR( )                             FAILDLAY(1)
   FINDGRP(MEMBER)                         BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
   BASEDNU( )
   LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
   LDAPPWD( )                              SHORTUSR(sAMAccountName)
   GRPFIELD( )                             USRFIELD( )
   AUTHORMD(SEARCHGRP)                     NESTGRP(NO)
   SECCOMM(NO)                             ALTDATE(2019-07-25)
   ALTTIME(08.14.20)

Here below is the output from the LdapAuthentication.jar tool:

java -jar LdapAuthentication.jar ldap://192.168.100.100:389 CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword OU=MyCompany,DC=mycompany,DC=us sAMAccountName adminusername adminpassword

@WMBL3: successful bind
@WMBL3: successfull search Starting Authentication Found the user, DN is CN=adminusername,OU=MyCompany,OU=Users,OU=MyCompany,DC=mycompany,DC=us
@WMBL3 : check if the password is correct
@WMBL3: successful authentication
@WMBL3 : Commands for WebUI ldap authentication :

1. mqsisetdbparms <INodeName> -n ldap::LDAP -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword

                                 Or

 mqsisetdbparms <INodeName> -n ldap::192.168.100.100 -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword

2. mqsichangeproperties <INodeName> -b webadmin -o server -n ldapAuthenticationUri -v \"ldap://192.168.100.100:389/OU=MyCompany,DC=mycompany,DC=us?sAMAccountName\"

3. mqsiwebuseradmin <INodeName> -c -u adminusername -x -r <sysrole  for eg: local userid >

Here below is the qmanager log after I applied the changes to my AUTHINFO that you suggested on Jul 25.

AMQ5531: Error locating user or group in LDAP

EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'wasadmin'. Returned count is 0.
Additional context is 'rc = 1 (Operations error)
[(&(objectClass=GROUP)(SAMACCOUNTNAME=wasadmin))]'.
ACTION: Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.

This is myadgroup full DN: CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us

This is the output of the setmqaut command with the full group DN:

setmqaut -m MY.QUEUE.MANAGER -t qmgr -g 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us' +all
AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.

And this is the qmanager log after that command was executed:

AMQ5531: Error locating user or group in LDAP

EXPLANATION: The LDAP authentication and authorization service has failed in the ldap_search call while trying to find user or group 'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=groupOfNames)]'. 
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.

If I try with CLASSGRP(GROUP), the output of setmqaut is:

AMQ7047: An unexpected error was encountered by a command. Reason code is 2063.

And the qmanager log is:

AMQ5531: Error locating user or group in LDAP

EXPLANATION: The LDAP authentication and authorization service has failed in the
ldap_search call while trying to find user or group
'CN=myadgroup,OU=System,OU=Groups,OU=MyCompany,DC=mycompany,DC=us'.
Returned count is 0.
Additional context is 'rc = 1 (Operations error) [(objectClass=GROUP)]'.

ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.

Below is my last configured authinfo object:

AMQ8566: Display authentication information details.   
AUTHINFO(MY.AD.CONFIGURATION)           AUTHTYPE(IDPWLDAP)   
ADOPTCTX(YES)                           DESCR( )   
CONNAME(192.168.100.100)                CHCKCLNT(OPTIONAL)   
CHCKLOCL(OPTIONAL)                      CLASSGRP(group)   
CLASSUSR(USER)                          FAILDLAY(1)
FINDGRP(member)
BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)   
BASEDNU(OU=Users,OU=MyCompany,DC=mycompany,DC=us)   
LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
LDAPPWD( )                              SHORTUSR(sAMAccountName)   
GRPFIELD(sAMAccountName)                USRFIELD(sAMAccountName)   
AUTHORMD(SEARCHGRP)                     NESTGRP(NO)
SECCOMM(NO)                             ALTDATE(2019-08-07)
ALTTIME(08.44.40)
authentication
active-directory
ldap
ibm-mq
asked on Stack Overflow Jul 23, 2019 by asmoljo • edited Aug 7, 2019 by JoshMc

1 Answer

0

Based on your output I noted that you did not set LDAPPWD, which is used by MQ to authenticate the LDAPUSER that you specified.

This is supported by the Windows error you provided:

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       mybinduser
    Account Domain:     MYDOMAINNAME
Failure Information:
    Failure Reason:     Unknown user name or bad password.

In the output of LdapAuthentication.jar it appears that you have the correct password available:

CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword

You can either specify the LDAPPWD or you can blank out your LDAPUSER and see if your AD allows anonymous bind (this is rare).

I noted that you have some other fields left blank that probably need to be filled in. I also suggest you always use ADOPTCTX(YES).

Below are my suggested updates to your AUTHINFO object:

ALTER AUTHINFO(MY.AD.CONFIGURATION) +
      AUTHTYPE(IDPWLDAP) +
      AUTHORMD(SEARCHGRP) +
      FINDGRP('member') +
      ADOPTCTX(YES) +
      CONNAME(192.168.100.100) +
      CHCKCLNT(REQUIRED) +
      CHCKLOCL(OPTIONAL) +
      CLASSGRP(GROUP) +
      CLASSUSR(USER) +
      FAILDLAY(1) +
      BASEDNG('OU=MyCompany,DC=mycompany,DC=us') +
      BASEDNU('OU=MyCompany,DC=mycompany,DC=us') +
      LDAPUSER('CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us') +
      LDAPPWD(mybinduserpassword) +
      SHORTUSR(sAMAccountName) +
      GRPFIELD(sAMAccountName) +
      USRFIELD(sAMAccountName) +
      NESTGRP(NO) +
      SECCOMM(NO)

*Note: I have not tested this against AD, but I have set up IIB to authenticate the WebUI/REST calls against AD and also took inspiration from two presentations/write-ups from Mark Taylor from IBM:

answered on Stack Overflow Jul 25, 2019 by JoshMc
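The two failure modes visible in this thread, a blank LDAPPWD that makes the bind as LDAPUSER fail, and a blank GRPFIELD that makes MQ build the group filter `(&(objectClass=groupOfNames)(=myadgroup ))` which AD rejects with `rc = 87 (Bad search filter)`, can be checked before touching the queue manager. The script below is an added example, not code from the question, the answer or IBM. It reconstructs the SEARCHGRP lookup filter in the shape the queue manager log in the question shows, runs a minimal LDAP filter syntax check over it, and flags the AUTHINFO settings that caused the quoted errors. The function names, the finding codes, the `groupOfNames` fallback for a blank CLASSGRP (inferred from the question's log) and the sample configurations (built from the first DIS AUTHINFO output and from the answer's ALTER) are assumptions of this example.

```python
import re

# Innermost "(attr=value)" terms of an LDAP filter, and the RFC 4512
# attribute-description syntax (letters, digits, '.', ';', '-'; OID form omitted).
_TERM = re.compile(r"\(([^()]*)\)")
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*=")

# Assumed fallback when CLASSGRP is blank; the question's first log line
# "(&(objectClass=groupOfNames)(=myadgroup ))" shows it in use.
DEFAULT_CLASSGRP = "groupOfNames"


def group_search_filter(authinfo: dict, group_name: str) -> str:
    """Build the SEARCHGRP lookup filter in the shape the question's log shows:
    (&(objectClass=<CLASSGRP>)(<GRPFIELD>=<name>)). Values are inserted verbatim,
    without escaping, because the point is to see what a blank attribute produces."""
    classgrp = authinfo.get("CLASSGRP", "") or DEFAULT_CLASSGRP
    grpfield = authinfo.get("GRPFIELD", "")
    return f"(&(objectClass={classgrp})({grpfield}={group_name}))"


def filter_problems(ldap_filter: str) -> list[str]:
    """Syntax problems an LDAP server would reject as 'Bad search filter' (rc=87)."""
    problems = []
    if ldap_filter.count("(") != ldap_filter.count(")"):
        problems.append("unbalanced parentheses")
    for term in _TERM.findall(ldap_filter):
        if not _ATTR.match(term):
            problems.append(f"term '({term})' has no attribute name")
    return problems


def check_authinfo(authinfo: dict, group_name: str) -> list[str]:
    """Return finding codes for the AUTHINFO settings behind the errors in the thread.
    Works on the values you would pass to DEFINE/ALTER AUTHINFO, not on DISPLAY output."""
    findings = []
    if authinfo.get("LDAPUSER") and not authinfo.get("LDAPPWD"):
        # Bind as LDAPUSER fails; AD logs "Unknown user name or bad password".
        findings.append("LDAPPWD_BLANK")
    if not authinfo.get("GRPFIELD"):
        # Produces "(=name)" in the filter -> rc = 87 (Bad search filter).
        findings.append("GRPFIELD_BLANK")
    if not authinfo.get("USRFIELD"):
        # One of the blank fields the answer's ALTER fills in (sAMAccountName).
        findings.append("USRFIELD_BLANK")
    if (authinfo.get("CLASSGRP") or DEFAULT_CLASSGRP).lower() != "group":
        # AD group objects carry objectClass=group, not groupOfNames.
        findings.append("CLASSGRP_NOT_AD_GROUP")
    if group_name != group_name.strip():
        # The question's log shows 'myadgroup ' with a trailing space.
        findings.append("GROUP_NAME_WHITESPACE")
    return findings


# Constructed sample configurations: the question's first DIS AUTHINFO output
# and the answer's suggested ALTER (password replaced by a placeholder).
QUESTION_FIRST = {
    "CLASSGRP": "", "GRPFIELD": "", "USRFIELD": "",
    "LDAPUSER": "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us",
    "LDAPPWD": "",
}
ANSWER_SUGGESTED = {
    "CLASSGRP": "GROUP", "GRPFIELD": "sAMAccountName", "USRFIELD": "sAMAccountName",
    "LDAPUSER": "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us",
    "LDAPPWD": "<bind-password-placeholder>",
}

if __name__ == "__main__":
    for label, cfg, name in (("question", QUESTION_FIRST, "myadgroup "),
                             ("answer", ANSWER_SUGGESTED, "myadgroup")):
        flt = group_search_filter(cfg, name)
        print(f"{label}: {flt}")
        print(f"  filter problems: {filter_problems(flt)}")
        print(f"  authinfo findings: {check_authinfo(cfg, name)}")
```

Run against the first configuration it reproduces the exact filter from the question's log and reports the empty attribute name; against the answer's configuration both checks come back clean. The `rc = 1 (Operations error)` seen after the later changes is not a filter syntax problem and is not modelled here; it is the bind side (LDAPUSER/LDAPPWD) that the answer addresses.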

User contributions licensed under CC BY-SA 3.0