MQAUSX and Microsoft Active Directory

Centralized authentication is a great thing. Many customers use MQAUSX on AIX, HP-UX, IBM i (OS/400), Linux and Solaris and authenticate against Microsoft Active Directory (AD) as a remote LDAP server. Since AD conforms to LDAP v3, this generally works very well.

Some companies configure their AD such that the sAMAccountName attribute holds the user's UserID (i.e. jdoe) while the naming attribute of the user object (the CN that forms its DN) holds the user's full name (i.e. John Doe). This makes authentication very difficult for MQAUSX over an LDAP session: a Login DN built from the UserID (the sAMAccountName value) does not name the user object, whose DN is built from the full name, so AD rejects the bind. Normally, we recommend that the customer use the MQAUSX LDAP ANR (Ambiguous Name Resolution) feature, as it works very well with AD.

Recently, we had a customer go down that path using MQAUSX LDAP ANR for authentication, but for them it was not a workable solution (sAMAccountName had truncated values, they put the country code in the UPN, etc.).

They requested that the MQAUSX LDAP and LDAP SSL components be changed to support the following logic when authenticating against AD:

  • Connect and bind to the LDAP server using the service account credentials (LDAPBindDN and LDAPBindPwd).
  • With the incoming UserID, run an LDAP search to discover the DN of the user object associated with that UserID.
  • The search should return the DN (i.e. “cn=John Doe, cn=Users, dc=corp, dc=acme, dc=com”) of a user object; if no user object is found, the connection is rejected.
  • Attempt an LDAP bind operation using the returned DN along with the incoming Password.
  • If the bind succeeds, the user is authenticated; otherwise the connection is rejected.

The MQAUSX LDAP and LDAP SSL components have been updated to handle the above logic, and the following MQAUSX IniFile keywords have been added:

  • UseLDAPUserIDSearch specifies that an LDAP UserID Search is to be performed
  • LDAPUserIDSearchBase specifies a search base for the LDAP UserID Search
  • LDAPUserIDSearchFilter specifies a search filter for the LDAP UserID Search
  • LDAPUserIDSearchScope specifies a search scope for the LDAP UserID Search

Example:

UseLDAPUserIDSearch=Y
LDAPUserIDSearchBase="dc=corp,dc=acme,dc=com"
LDAPUserIDSearchFilter="(&(objectCategory=user)(samaccountname=%USERID%))"
LDAPUserIDSearchScope=2
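The five steps above, driven by the IniFile keywords from this example, look like the following when written out. This is an added example in Python, not Capitalware's code and not the C of the real MQ exit: FakeLdap is an in-memory stand-in for AD with constructed entries (the first DN is the one quoted above; the service account DN and all passwords are made up), and a real LDAP client would take its place with the same bind/search/bind sequence. Scope 2 is treated as a subtree search, the standard LDAP API value. The example also adds three checks the post does not spell out and that the page does not say MQAUSX performs, so treat them as this example's own: the UserID is escaped per RFC 4515 before it replaces %USERID% (otherwise a UserID such as "jdoe)(cn=*" rewrites the search filter), the search must return exactly one entry rather than "at least one", and an empty password is rejected before any bind, because a DN with an empty password is an unauthenticated bind under RFC 4513 that AD accepts by default and reports as success.

```python
"""Search-then-bind against an LDAP directory, as requested of MQAUSX for AD. Added
example, not Capitalware's code: FakeLdap is an in-memory stand-in with constructed
entries; a real client (python-ldap, ldap3) would take its place, same call sequence."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = 0, 1, 2  # standard LDAP API values

# RFC 4515 s.3: escape these inside a filter value, otherwise a UserID such as
# "jdoe)(cn=*" rewrites the search filter itself (LDAP filter injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template: str, userid: str) -> str:
    """Substitute %USERID% into LDAPUserIDSearchFilter with the value escaped."""
    return template.replace("%USERID%", escape_filter_value(userid))

def _norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()

@dataclass
class FakeLdap:
    """Tiny directory: DN -> (attributes with lower-cased names, password)."""
    entries: Dict[str, Tuple[Dict[str, str], str]]
    bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 s.5.1.2: a DN plus an empty password is an *unauthenticated*
        # bind. AD accepts it by default and reports success, so the fake does
        # too; the caller must reject empty passwords before ever binding.
        if password == "":
            self.bound_as = None
            return True
        ok = any(_norm_dn(d) == _norm_dn(dn) and pw == password
                 for d, (_, pw) in self.entries.items())
        self.bound_as = _norm_dn(dn) if ok else None
        return ok

    def search(self, base: str, scope: int, filt: str) -> List[str]:
        """Evaluate an AND of equality assertions; a bare '*' value is a presence test."""
        if self.bound_as is None:
            raise PermissionError("AD does not allow anonymous searches by default")
        # An escaped \2a is a literal asterisk, only an unescaped '*' means "present".
        wanted = [(a.lower(), None if v == "*" else unescape_filter_value(v))
                  for a, v in re.findall(r"\(([\w-]+)=([^()]*)\)", filt)]
        return [dn for dn, (attrs, _) in self.entries.items()
                if self._in_scope(dn, base, scope)
                and all(self._matches(attrs.get(a), v) for a, v in wanted)]

    @staticmethod
    def _in_scope(dn: str, base: str, scope: int) -> bool:
        d, b = _norm_dn(dn), _norm_dn(base)
        if scope == LDAP_SCOPE_BASE:
            return d == b
        if scope == LDAP_SCOPE_ONELEVEL:
            return d.split(",", 1)[1] == b
        return d == b or d.endswith("," + b)

    @staticmethod
    def _matches(actual: Optional[str], want: Optional[str]) -> bool:
        return actual is not None and (want is None or actual.lower() == want.lower())

def authenticate(ldap: FakeLdap, cfg: Dict[str, object], userid: str,
                 password: str) -> Tuple[bool, str]:
    """The five steps from the post; returns (authenticated, detail)."""
    if password == "":              # extra check, see FakeLdap.bind()
        return False, "empty password rejected (would be an unauthenticated bind)"
    if not ldap.bind(cfg["LDAPBindDN"], cfg["LDAPBindPwd"]):
        return False, "service account bind failed"
    filt = build_filter(cfg["LDAPUserIDSearchFilter"], userid)
    hits = ldap.search(cfg["LDAPUserIDSearchBase"], cfg["LDAPUserIDSearchScope"], filt)
    if len(hits) != 1:              # exactly one entry: 0 or 2+ is a rejection
        return False, f"search matched {len(hits)} entries"
    if not ldap.bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]

# Constructed sample directory; the first DN is the one quoted in the post.
SAMPLE_ENTRIES = {
    "cn=John Doe,cn=Users,dc=corp,dc=acme,dc=com": ({"objectcategory": "user", "samaccountname": "jdoe"}, "correct-horse"),
    "cn=Jane Roe,ou=Staff,dc=corp,dc=acme,dc=com": ({"objectcategory": "user", "samaccountname": "jroe"}, "battery-staple"),
    "cn=svc-mqausx,cn=Users,dc=corp,dc=acme,dc=com": ({"objectcategory": "user", "samaccountname": "svc-mqausx"}, "svc-secret"),
}
CONFIG = {  # the IniFile keywords from the post; service account DN/password are assumed
    "LDAPBindDN": "cn=svc-mqausx,cn=Users,dc=corp,dc=acme,dc=com",
    "LDAPBindPwd": "svc-secret",
    "LDAPUserIDSearchBase": "dc=corp,dc=acme,dc=com",
    "LDAPUserIDSearchFilter": "(&(objectCategory=user)(samaccountname=%USERID%))",
    "LDAPUserIDSearchScope": LDAP_SCOPE_SUBTREE,
}

def make_directory() -> FakeLdap:
    return FakeLdap(dict(SAMPLE_ENTRIES))
```

Two things to keep in mind when moving this onto a real connection. After the user bind succeeds the connection is bound as that user, not as the service account, so a long-lived connection must be re-bound with LDAPBindDN/LDAPBindPwd before it serves the next UserID search. And the reason the search result is required to be exactly one entry is that a filter matching several objects leaves it to the server's return order which DN gets the password; rejecting the ambiguity is safer than binding against the first hit.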

To keep confusion to a minimum and to follow a consistent naming standard, the following LDAP Group Search keywords have been renamed:

  • UseLDAPSearch to UseLDAPGroupSearch
  • LDAPSearchBase to LDAPGroupSearchBase
  • LDAPSearchFilter to LDAPGroupSearchFilter
  • LDAPSearchScope to LDAPGroupSearchScope

So far, the new feature is working very well for this customer. If anyone would like to try out this new MQAUSX feature, send an email to support@capitalware.com requesting the latest release of MQAUSX.

Regards,
Roger Lacroix
Capitalware Inc.
