OK, I'll keep it here on the forum. Hopefully, at the end, I'll have a nice summary of the required steps. Here is my latest note to Lee:

Hello Lee,

Yes, I've done this but only in a proof of concept mode about 6 months ago. I'm just starting to do the process again for what will become our QA environment of MQ and I'll get some of our developers to direct their MQ traffic here for more extensive testing.

Also, I feel compelled to point out, it's MQ authorization I'm using AD for, not authentication. Without some third party software, MQ isn't built to authenticate - it takes users at their word as far as who they are. MQ does have nice authentication, to determine what queues and resources you have access to.

As my proof of concept is 6 months old, and I'm doing this again but with more attention to the exact process, I don't have all of the details. I hope to have this working by this week so I'll give you details then. But, if you are anxious, here's a quick summary:

1. Turn on LDAP checking to use the AD directory. You'll need to modify /etc/ldap.conf, nsswitch, pam.d/system-auth.
2. Maybe, you have to turn on SMB and winbind. I did in my POC but I hope to determine if that is necessary with my QA installation.
3. There were some IBM delivered patches to MQ that I had to install to get it to enumerate the group membership. I'm fuzzy on the details, but I'll see if I can find you more info.

Lee responded with:

Thanks Tim...
And yes, I did get tangled up in the authorization/authentication... If it does the authorization, that's what we needed back then (and it didn't work, at least for that customer)... I'll have to talk to them and see if they want to revisit it now... (Of course who knows if it was a code issue or a user issue back then...)

I'm curious, does your setup end up leaving the Linux system open to have any AD user logon?

Thanks!
Lee

And my response to Lee:

Yes, my POC system does allow any AD user to logon, but without any potent authority or even a home directory.
I'm certain that I could tweak the nsswitch.conf and/or pam.d/system-auth to prevent that, but it hasn't been a priority for me. My first goal was to get MQ running on zLinux to properly enumerate group membership through AD to determine an individual user's authority to MQ objects.

Now our short off-line correspondence is back to the forum.

-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Gibney, Dave
Sent: Tuesday, April 13, 2010 9:42 AM
To: [email protected]
Subject: Re: MQ on zLinux authenticated to AD?

Please don't go private on this, there may be (are) others interested.

Dave Gibney
Information Technology Services
Washington State University

> -----Original Message-----
> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Moeur Tim C
> Sent: Tuesday, April 13, 2010 9:03 AM
> To: [email protected]
> Subject: Re: MQ on zLinux authenticated to AD?
>
> Sure, I'll contact you offline and spare the forum the gory details.
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Lee Stewart
> Sent: Monday, April 12, 2010 4:31 PM
> To: [email protected]
> Subject: Re: MQ on zLinux authenticated to AD?
>
> If you don't mind, could you share your steps? We had a customer that
> tried a year+ ago and their experience wasn't pretty...
> Thanks,
> Lee
>
> On 4/9/2010 12:16 PM, Moeur Tim C wrote:
> > I am in the process of rolling that out. I've done it successfully on
> > a proof-of-concept machine several months ago, and I'm now replicating
> > those steps to deploy a test machine that my real users will hit.
> >
> > -----Original Message-----
> > From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Lee Stewart
> > Sent: Wednesday, April 07, 2010 10:22 AM
> > To: [email protected]
> > Subject: MQ on zLinux authenticated to AD?
> >
> > Is anyone running MQ on Linux on Z, but getting it to authenticate
> > against Windows Active Directory?
> >
> > If so, how?
> >
> > Lee
> > --
> >
> > Lee Stewart, Senior SE
> > Sirius Computer Solutions
> > Phone: (303) 996-7122
> > Email: [email protected]
> > Web: www.siriuscom.com
> >
> > ----------------------------------------------------------------------
> > For LINUX-390 subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO LINUX-390 or visit
> > http://www.marist.edu/htbin/wlvindex?LINUX-390
>
> --
> Lee Stewart, Senior SE
> Sirius Computer Solutions
> Phone: (303) 996-7122
> Email: [email protected]
> Web: www.siriuscom.com
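
Added example, not part of the original thread or of any poster's setup: a small check for step 1 of the summary above, confirming that an nsswitch.conf-style file sends both `passwd` and `group` lookups to a directory source, since the stated goal is enumerating group membership through AD. The function names and the sample file contents are constructed for illustration; only `ldap` and `winbind` are treated as directory sources because those are the two mechanisms the thread names.

```shell
#!/bin/sh
# Added example: report whether an nsswitch.conf-style file resolves users and
# groups through a directory source (ldap or winbind, as named in the thread).

# Print the sources listed for database $2 in file $1, one per line.
# Comments and bracketed actions such as [NOTFOUND=return] are dropped.
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
        awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed when database $2 in file $1 lists ldap or winbind.
uses_directory() {
    nss_sources "$1" "$2" | grep -Eqx 'ldap|winbind'
}

# Check passwd and group; return 1 if either is served by local sources only.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        srcs=$(nss_sources "$1" "$db" | xargs)
        if uses_directory "$1" "$db"; then
            echo "$db: directory source present ($srcs)"
        else
            echo "$db: no directory source ($srcs)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not from the thread): users come from LDAP, but the
# group line was left at its default, so group lookups stay local.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: files ldap
shadow: files
group:  files            # ldap not added here
hosts:  files dns
EOF
check_nsswitch "$sample" || echo "result: group membership is not coming from the directory"
rm -f "$sample"
```

To check a live system, call `check_nsswitch /etc/nsswitch.conf` in place of the constructed sample.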
