Some updates (sorry for the delay, it's been a busy couple of weeks for
other projects).
I've rebuilt my user test system on zLinux. I can set up authority
records (using MQ explorer or the SETMQAUT command) that use AD group
names for the profile. MQ does properly enumerate the group membership
to determine the authority granted to a particular queue or object. BUT
- there are some limitations - see the bottom of the note for a
discussion of the limitations. Here are my basic steps:
1 - Dedicate a zLinux image to MQ Server.
2 - Modify /etc/ldap.conf, /etc/nsswitch.conf, /etc/samba/smb.conf, and
/etc/pam.d/system-auth to send authentication requests to Windows AD.
Success in this will be evident with the 'getent group' command. I'll
provide details on request.
3 - Install MQ with the latest fixpacks. I used MQ 7.0.1.1. The
pre-fixpack version that I used (7.0.0.1) was missing some fixes to make
MQ properly enumerate LDAP group membership. There may be patches
available for other versions. My version was addressed by APAR IZ56282.
4 - Add new authority records as needed. I find SETMQAUT easier, but
you may prefer MQ Explorer. Here's a sample:
setmqaut -m QMTSTonLinux -n TEST.QUEUE.** -t queue -g "adgroupname"
+browse +clr +dsp +get +inq
That's it!
BUT - there are some problems (here's the promised limitation section).
MQ on Linux seems to abide by Linux group name rules. No names over 12
characters in length, no spaces in the names. Uh-oh - this is a
problem for me because many of the Windows AD names that I need to build
authorization records for fall into one of those categories. So the
command 'setmqaut -g "shortname"' will work, but 'setmqaut -g
"long_____Name"' will fail.
I've just been speaking to my Windows AD guy, and he assures me that
the solution isn't terribly difficult. I can identify those AD group
names that fall outside of Unix naming standards (say "tim test" for
example), and create a second AD group that fits ("tim_test"). Make
the single entry in "tim_test" the ad group "tim test". I haven't yet
done this to verify that MQ does properly enumerate all members in "tim
test", but that's my next task.
I welcome any comments or suggestions about the kludgy second AD group
solution.
Tim
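An added example, not from the thread or from IBM: a small POSIX shell script with sanity checks for the steps above. It assumes the group naming rules are exactly the two reported in the post (12 characters maximum, no whitespace), that an AD-backed NSS group source appears in nsswitch.conf as "ldap" or "winbind", and it never runs setmqaut itself; it only builds the command line from the post's sample so the group name is checked before the command is reviewed or piped to sh. The nsswitch.conf content and the getent line in the usage at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Helpers for the AD-group-to-MQ-authority procedure:
#   nss_has_ad_source   - step 2 check: does the "group:" line of the given
#                         nsswitch.conf text name an AD-backed source
#                         (assumption: the source is called ldap or winbind)?
#   check_group_resolves - step 2 check: given one line of "getent group NAME"
#                         output, confirm it resolved and print its members.
#   mq_group_name_ok    - the naming limit reported in the post (assumption:
#                         at most 12 characters and no whitespace).
#   setmqaut_cmd        - build the setmqaut command from step 4, refusing a
#                         group that would fail the naming check.

nss_has_ad_source() {   # $1 = contents of nsswitch.conf
    printf '%s\n' "$1" | awk '
        $1 == "group:" { for (i = 2; i <= NF; i++)
                             if ($i == "ldap" || $i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

check_group_resolves() {   # $1 = "name:x:gid:member,member" or empty
    line=$1
    [ -n "$line" ] || return 1            # getent printed nothing: not resolved
    members=$(printf '%s' "$line" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | sed '/^$/d'
}

mq_group_name_ok() {   # $1 = candidate group name; 0 = usable, 1 = not
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 12 ] || return 1
    case $name in *[[:space:]]*) return 1 ;; esac
    return 0
}

setmqaut_cmd() {   # $1=qmgr $2=profile $3=object type $4=group $5..=authorities
    qm=$1; profile=$2; type=$3; group=$4; shift 4
    if ! mq_group_name_ok "$group"; then
        echo "refusing: group '$group' breaks the 12-char/no-space rule" >&2
        return 1
    fi
    printf 'setmqaut -m %s -n "%s" -t %s -g "%s"' "$qm" "$profile" "$type" "$group"
    for auth in "$@"; do printf ' %s' "$auth"; done
    printf '\n'
}

# Usage with constructed input (the real checks would use the live files):
#   nss_has_ad_source "$(cat /etc/nsswitch.conf)" && echo "group: has an AD source"
#   check_group_resolves "$(getent group tim_test)"
#   setmqaut_cmd QMTSTonLinux 'TEST.QUEUE.**' queue adgroupname +browse +clr +dsp +get +inq
#   setmqaut_cmd QMTSTonLinux 'TEST.QUEUE.**' queue "tim test" +get   # refused
```

The refusal happens before anything touches the queue manager, so the nested-group workaround (create "tim_test" containing "tim test") can be applied to exactly the names that fail, and the generated command can be confirmed afterwards with dspmqaut using the same -m, -n, -t and -g arguments.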
-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
Moeur Tim C
Sent: Wednesday, April 14, 2010 3:41 PM
To: [email protected]
Subject: Re: MQ on zLinux authenticated to AD?
OK, I'll keep it here on the forum. Hopefully, at the end, I'll have a
nice summary of the required steps. Here is my latest note to Lee:
Hello Lee,
Yes, I've done this but only in a proof of concept mode about 6 months
ago. I'm just starting to do the process again for what will become
our QA environment of MQ and I'll get some of our developers to direct
their MQ traffic here for more extensive testing.
Also, I feel compelled to point out, it's MQ authorization I'm using AD
for, not authentication. Without some third party software, MQ isn't
built to authenticate - it takes users at their word as far as who they
are. MQ does have nice authentication, to determine what queues and
resources you have access to.
As my proof of concept is 6 months old, and I'm doing this again but
with more attention to the exact process, I don't have all of the
details. I hope to have this working by this week so I'll give you
details then. But, if you are anxious here's a quick summary:
1. Turn on LDAP checking to use the AD directory. You'll need to
modify /etc/ldap.conf, nsswitch, pam.d/system-auth.
2. Maybe, you have to turn on SMB and winbind. I did in my POC
but I hope to determine if that is necessary with my QA installation.
3. There were some IBM delivered patches to MQ that I had to
install to get it to enumerate the group membership. I'm fuzzy on the
details, but I'll see if I can find you more info.
Lee responded with:
Thanks Tim...
And yes, I did get tangled up in the authorization/authentication...
If it does the authorization, that's what we needed back then (and it
didn't work, at least for that customer)... I'll have to talk to them
and see if they want to revisit it now... (Of course who knows if it
was a code issue or a user issue back then...)
I'm curious, does your setup end up leaving the Linux system open to
have any AD user log on?
Thanks!
Lee
And my response to Lee:
Yes, my POC system does allow any AD user to log on, but without any
potent authority or even a home directory. I'm certain that I could
tweak the nsswitch.conf and/or pam.d/system-auth to prevent that, but it
hasn't been a priority for me. My first goal was to get MQ running on
zLinux to properly enumerate group membership through AD to determine an
individual user's authority to MQ objects.
Now our short off-line correspondence is back to the forum.
-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
Gibney, Dave
Sent: Tuesday, April 13, 2010 9:42 AM
To: [email protected]
Subject: Re: MQ on zLinux authenticated to AD?
Please don't go private on this, there may be (are) others interested.
Dave Gibney
Information Technology Services
Washington State University
> -----Original Message-----
> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
> Moeur Tim C
> Sent: Tuesday, April 13, 2010 9:03 AM
> To: [email protected]
> Subject: Re: MQ on zLinux authenticated to AD?
>
> Sure, I'll contact you offline and spare the forum the gory details.
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
> Lee Stewart
> Sent: Monday, April 12, 2010 4:31 PM
> To: [email protected]
> Subject: Re: MQ on zLinux authenticated to AD?
>
> If you don't mind, could you share your steps? We had a customer that
> tried a year+ ago and their experience wasn't pretty...
> Thanks,
> Lee
>
> On 4/9/2010 12:16 PM, Moeur Tim C wrote:
> > I am in the process of rolling that out. I've done it successfully on
> > a proof-of-concept machine several months ago, and I'm now replicating
> > those steps to deploy a test machine that my real users will hit.
> >
> > -----Original Message-----
> > From: Linux on 390 Port [mailto:[email protected]] On Behalf Of
> > Lee Stewart
> > Sent: Wednesday, April 07, 2010 10:22 AM
> > To: [email protected]
> > Subject: MQ on zLinux authenticated to AD?
> >
> > Is anyone running MQ on Linux on Z, but getting it to authenticate
> > against Windows Active Directory?
> >
> > If so, how?
> >
> > Lee
> > --
> >
> > Lee Stewart, Senior SE
> > Sirius Computer Solutions
> > Phone: (303) 996-7122
> > Email: [email protected]
> > Web: www.siriuscom.com
> >
> >
> > ----------------------------------------------------------------------
> > For LINUX-390 subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO LINUX-390 or
> > visit
> > http://www.marist.edu/htbin/wlvindex?LINUX-390
> >
> >
> >
>
> --
>
> Lee Stewart, Senior SE
> Sirius Computer Solutions
> Phone: (303) 996-7122
> Email: [email protected]
> Web: www.siriuscom.com
>