How do I configure IBM MQ v9 to use Microsoft AD for user authentication?

Time: 2019-07-23 11:21:24

Tags: authentication active-directory ldap ibm-mq

I am trying to set up Microsoft AD as the user repository for an IBM MQ v9 queue manager, without success. I read the documentation at https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q085490_.htm, but with all those diagrams, dashes and arrows it is still very unclear. My end goal is to be able to grant or revoke authorizations based on AD groups. Can someone give me a complete command example of how to configure a queue manager to use AD as its user repository?

IBM MQ is v9.0.0.0 running on CentOS v7. Active Directory is on a Windows Server 2019 machine.

I tried setting up AUTHINFO with MQSC commands. All commands ran without problems. After that I refreshed security and tried to grant authorizations with the setmqaut command, without success.

These are the MQSC commands I tried:

DEFINE AUTHINFO(MY.AD.CONFIGURATION) AUTHTYPE(IDPWLDAP) AUTHORMD(SEARCHGRP) FINDGRP(member) CONNAME('192.168.100.100') BASEDNG('OU=Groups,OU=MyCompany,DC=mycompany,DC=us') SHORTUSR('sAMAccountName') LDAPUSER('mybinduser') LDAPPWD('mypassword')

ALTER QMGR CONNAUTH(MY.AD.CONFIGURATION)

REFRESH SECURITY TYPE(CONNAUTH)

setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all

After running the command: setmqaut -m MY.QUEUE.MANAGER -t qmgr -g myadgroup +all

this error was displayed on the console: AMQ7026: A principal or group name was invalid.

The following lines were written to the queue manager log:

AMQ5531: Error locating user or group in LDAP

EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search
call while trying to find user or group 'myadgroup '. Returned count is 0.
Additional context is 'rc = 87 (Bad search filter)
[(&(objectClass=groupOfNames)(=myadgroup ))]'.
ACTION:
Specify the correct name, or fix the directory configuration. There may be
additional information in the LDAP server error logs.
----- amqzfula.c : 2489 -------------------------------------------------------

On the Active Directory side, these lines were logged:

An account failed to log on.
Subject:
    Security ID:        SYSTEM
    Account Name:       MYADSERVER$
    Account Domain:     MYDOMAINNAME
    Logon ID:       0x3E7
Logon Type:         3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       mybinduser
    Account Domain:     MYDOMAINNAME
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC000006A
Process Information:
    Caller Process ID:  0x280
    Caller Process Name:    C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name:   MYADSERVER
    Source Network Address: 192.168.100.101
    Source Port:        55592
Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Here is the output of the command DIS AUTHINFO(MY.AD.CONFIGURATION) ALL

AMQ8566: Display authentication information details.
   AUTHINFO(MY.AD.CONFIGURATION)          AUTHTYPE(IDPWLDAP)
   ADOPTCTX(NO)                            DESCR( )
   CONNAME(192.168.100.100)                CHCKCLNT(REQUIRED)
   CHCKLOCL(OPTIONAL)                      CLASSGRP( )
   CLASSUSR( )                             FAILDLAY(1)
   FINDGRP(MEMBER)                         BASEDNG(OU=Groups,OU=MyCompany,DC=mycompany,DC=us)
   BASEDNU( )
   LDAPUSER(CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us)
   LDAPPWD( )                              SHORTUSR(sAMAccountName)
   GRPFIELD( )                             USRFIELD( )
   AUTHORMD(SEARCHGRP)                     NESTGRP(NO)
   SECCOMM(NO)                             ALTDATE(2019-07-25)
   ALTTIME(08.14.20)

Here is the output of the LdapAuthentication.jar tool:

java -jar LdapAuthentication.jar ldap://192.168.100.100:389 CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword OU=MyCompany,DC=mycompany,DC=us sAMAccountName adminusername adminpassword

@WMBL3: successful bind
@WMBL3: successfull search Starting Authentication Found the user, DN is CN=adminusername,OU=MyCompany,OU=Users,OU=MyCompany,DC=mycompany,DC=us
@WMBL3 : check if the password is correct
@WMBL3: successful authentication
@WMBL3 : Commands for WebUI ldap authentication :

1. mqsisetdbparms <INodeName> -n ldap::LDAP -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword

                                 Or

 mqsisetdbparms <INodeName> -n ldap::192.168.100.100 -u "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us" -p mybinduserpassword

2. mqsichangeproperties <INodeName> -b webadmin -o server -n ldapAuthenticationUri -v \"ldap://192.168.100.100:389/OU=MyCompany,DC=mycompany,DC=us?sAMAccountName\"

3. mqsiwebuseradmin <INodeName> -c -u adminusername -x -r <sysrole  for eg: local userid >

1 answer:

Answer 0 (score: 0)

From your output I notice that you have not set LDAPPWD, which MQ uses to authenticate the LDAPUSER you specified.

The Windows error you provided supports this:

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       mybinduser
    Account Domain:     MYDOMAINNAME
Failure Information:
    Failure Reason:     Unknown user name or bad password.

From the output of LdapAuthentication.jar it appears you have a working password available:

CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us mybinduserpassword

You can either specify LDAPPWD, or clear LDAPUSER and see whether your AD allows anonymous binds (which is rare).

I notice there are a few other fields you may need to fill in. I would also recommend always using ADOPTCTX(YES).

Here is my suggested update to the AUTHINFO object:

ALTER AUTHINFO(MY.AD.CONFIGURATION) +
      AUTHTYPE(IDPWLDAP) +
      AUTHORMD(SEARCHGRP) +
      FINDGRP('member') +
      ADOPTCTX(YES) +
      CONNAME(192.168.100.100) +
      CHCKCLNT(REQUIRED) +
      CHCKLOCL(OPTIONAL) +
      CLASSGRP(GROUP) +
      CLASSUSR(USER) +
      FAILDLAY(1) +
      BASEDNG('OU=MyCompany,DC=mycompany,DC=us') +
      BASEDNU('OU=MyCompany,DC=mycompany,DC=us') +
      LDAPUSER('CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us') +
      LDAPPWD(mybinduserpassword) +
      SHORTUSR(sAMAccountName) +
      GRPFIELD(sAMAccountName) +
      USRFIELD(sAMAccountName) +
      NESTGRP(NO) +
      SECCOMM(NO)

*Note, I have not tested this against AD, but I have set up IIB to authenticate WebUI/REST calls against AD, and I also drew on two presentations/write-ups by IBM's Mark Taylor:
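As an added example for this page (not code from the question, the answer, IBM, or any MQ tool), the following Python script checks an IDPWLDAP AUTHINFO definition offline: it reproduces the group lookup that failed in the question, the corrected lookup from the answer, and renders the corrected definition as MQSC. It is Python rather than MQSC because the real commands only run against a live queue manager and domain controller. Its assumptions, repeated in the comments: the filter shapes (&(objectClass=CLASSGRP)(GRPFIELD=name)) and (&(objectClass=CLASSUSR)(USRFIELD=shortname)) are inferred from the AMQ5531 message; AD groups and users carry objectClass group and user; SECCOMM(YES) with LDAPS on port 636 goes one step beyond the answer's definition; <bind-password> is a placeholder; POSTED_CFG is transcribed from the DIS AUTHINFO output with LDAPPWD blank as displayed there.

```python
"""Offline sanity check for an IBM MQ IDPWLDAP AUTHINFO aimed at Active
Directory.  Added example for this page; not code from the post, IBM or any
MQ tool.  Assumption: MQ resolves a group with
    (&(objectClass=CLASSGRP)(GRPFIELD=name))
and a user with (&(objectClass=CLASSUSR)(USRFIELD=shortname)), the shape seen
in the log line "[(&(objectClass=groupOfNames)(=myadgroup ))]".
"""

# RFC 4515 escapes: a principal name must never be able to change the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# AUTHINFO attributes whose values are MQSC keywords and must stay unquoted.
_KEYWORD_ATTRS = {"ADOPTCTX", "CHCKCLNT", "CHCKLOCL", "AUTHORMD", "NESTGRP", "SECCOMM"}

# Transcribed from the DIS AUTHINFO output in the question (LDAPPWD blank as shown).
POSTED_CFG = {
    "ADOPTCTX": "NO", "CONNAME": "192.168.100.100", "CHCKCLNT": "REQUIRED",
    "CHCKLOCL": "OPTIONAL", "CLASSGRP": "", "CLASSUSR": "", "FAILDLAY": "1",
    "FINDGRP": "MEMBER", "BASEDNG": "OU=Groups,OU=MyCompany,DC=mycompany,DC=us",
    "BASEDNU": "", "SHORTUSR": "sAMAccountName", "GRPFIELD": "", "USRFIELD": "",
    "LDAPUSER": "CN=mybinduser,OU=System,OU=Users,OU=MyCompany,DC=mycompany,DC=us",
    "LDAPPWD": "", "AUTHORMD": "SEARCHGRP", "NESTGRP": "NO", "SECCOMM": "NO",
}

# Corrected definition.  Beyond the answer: TLS to AD on the LDAPS port
# (assumed 636; the queue manager key repository must trust the AD issuing CA)
# and a bind password (placeholder value, not a real secret).
HARDENED_CFG = dict(
    POSTED_CFG, ADOPTCTX="YES", CONNAME="192.168.100.100(636)", CLASSGRP="group",
    CLASSUSR="user", FINDGRP="member", BASEDNU="OU=MyCompany,DC=mycompany,DC=us",
    GRPFIELD="sAMAccountName", USRFIELD="sAMAccountName",
    LDAPPWD="<bind-password>", SECCOMM="YES",
)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _lookup_filter(object_class: str, attribute: str, value: str) -> str:
    if not object_class.strip():
        raise ValueError("objectClass is blank; the default class does not match AD objects")
    if not attribute.strip():
        # Reproduces the '(=myadgroup )' filter that AD rejected with rc=87.
        raise ValueError("attribute is blank; filter would be '(=%s)', which the "
                         "LDAP server rejects with rc=87 (Bad search filter)" % value)
    return "(&(objectClass=%s)(%s=%s))" % (object_class, attribute,
                                           escape_filter_value(value))


def group_filter(cfg: dict, group: str) -> str:
    """Filter MQ is assumed to send under BASEDNG when resolving a group name."""
    return _lookup_filter(cfg.get("CLASSGRP", ""), cfg.get("GRPFIELD", ""), group)


def user_filter(cfg: dict, short_user: str) -> str:
    """Filter MQ is assumed to send under BASEDNU when resolving a short user ID."""
    return _lookup_filter(cfg.get("CLASSUSR", ""), cfg.get("USRFIELD", ""), short_user)


def lint_authinfo(cfg: dict) -> list:
    """Findings for settings that break the lookups or weaken the setup."""
    findings = []
    if cfg.get("LDAPUSER") and not cfg.get("LDAPPWD"):
        findings.append("LDAPPWD blank while LDAPUSER is set: the bind carries an empty "
                        "password, matching sub-status 0xC000006A (wrong password) in the AD log")
    for key, ad_class in (("CLASSGRP", "group"), ("CLASSUSR", "user")):
        if cfg.get(key, "").lower() != ad_class:
            findings.append("%s should be '%s' for Active Directory" % (key, ad_class))
    for key in ("GRPFIELD", "USRFIELD", "BASEDNU"):
        if not cfg.get(key, "").strip():
            findings.append("%s blank: lookups have no attribute or no search base" % key)
    if cfg.get("FINDGRP", "").lower() != "member":
        findings.append("FINDGRP should be 'member' for AD group objects")
    if cfg.get("ADOPTCTX", "NO").upper() != "YES":
        findings.append("ADOPTCTX(NO): authorization checks run against the ID the "
                        "client presents, not the ID AD just authenticated")
    if cfg.get("SECCOMM", "NO").upper() == "NO":
        findings.append("SECCOMM(NO): the bind password and every client password cross "
                        "the network in clear text; use SECCOMM(YES) with LDAPS")
    return findings


def render_mqsc(name: str, cfg: dict) -> str:
    """Emit ALTER AUTHINFO with string values quoted: MQSC upper-cases unquoted
    values (the question's FINDGRP(member) came back as FINDGRP(MEMBER))."""
    parts = ["ALTER AUTHINFO(%s) AUTHTYPE(IDPWLDAP)" % name]
    for key, value in cfg.items():
        if key in _KEYWORD_ATTRS or value.isdigit():
            parts.append("%s(%s)" % (key, value))
        else:
            parts.append("%s('%s')" % (key, value.replace("'", "''")))
    return " +\n      ".join(parts)


if __name__ == "__main__":
    for finding in lint_authinfo(POSTED_CFG):
        print("posted config:", finding)
    print(group_filter(HARDENED_CFG, "myadgroup"))
    print(render_mqsc("MY.AD.CONFIGURATION", HARDENED_CFG))
```

Run it as a script to see the findings for the posted definition and the MQSC for the corrected one. The RFC 4515 escaping is there because the group or user name passed to setmqaut or presented at connect time ends up inside a filter sent to the domain controller, so a name such as x)(cn=* must not be able to widen the search; the SECCOMM finding matters because CHCKCLNT(REQUIRED) makes every client password travel to AD over the same connection.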