Enter the mqsicreateconfigurableservice command
on the command line. For example: mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP
-n authentication,authenticationConfig,authorization,authorizationConfig,propagation,rejectBlankpassword
-v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,
\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE,TRUE
You must enclose the LDAP URL (which contains commas)
with escaped double quotation marks (\" and \")
so that the URL commas are not confused with the comma separator of
the value parameter of mqsicreateconfigurableservice.
If
the LDAP URL includes an element name with a space, in this case cn=All
Sales, the set of values after the -v flag must be enclosed
by double quotation marks, (")
For more information
about the structure of the command, refer to the mqsicreateconfigurableservice command.
You can define the security-specific
parts of the command in the following way:
- Set the authentication to LDAP. This ensures that the incoming identity is validated.
- Set the authenticationConfig using
the following syntax:
ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]
For
example:
ldap://ldap.acme.com:389/ou=sales,o=acme.com
ldaps://localhost:636/ou=sales,o=acme?cn?base
- ldap:
- (Required) Fixed protocol string.
- s:
- (Optional) Specifies whether SSL should be used. Default is not
to use SSL.
- server:
- (Required) The name or IP address of the LDAP server to contact.
- port:
- (Optional) The port to connect to. Default is 389 (non-SSL). For
LDAP servers with SSL enabled, the port is typically 636.
- baseDN
- (Required) String defining the base distinguished name (DN) of
all users in the directory. If users exist in different subtrees,
specify a common subtree under which a search on the username uniquely
resolves to the required user entry, and set the sub attribute.
- uid_attr:
- (Optional) String defining the attribute to which the incoming
username maps, typically uid, CN, or email address. Default is uid.
- base|sub:
- (Optional) Defines whether to perform a base or subtree search.
If base is defined, the authentication is faster
because the DN of the user can be constructed from the uid_att, username,
and baseDN values. If sub is selected, a
search must be performed before the DN can be resolved. Default is sub.
- Set the authorization to LDAP. This ensures that the incoming identity is checked for group
membership in LDAP.
- Set the authorizationConfig using
the following syntax:
ldap[s]://server[:port]/groupDN[?[member_attr]
[?[base|sub][?[x-userBaseDN=baseDN,
x-uid_attr=uid_attr]]]]
For example:
ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,
o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,
x-uid_attr=emailaddress
- ldap:
- (Required) Fixed protocol string
- s:
- (Optional) Specifies whether SSL is used. Default is not to use
SSL.
- server:
- (Required) The name or IP address of the LDAP server to contact.
- port:
- (Optional) The port to connect to. Default is 389 (non-SSL). For
LDAP servers with SSL enabled, the port is typically 636.
- groupDN
- (Required) Fully defined distinguished name of the group in which
users must be members to be granted access.
- member_attr:
- (Optional) The attribute of the group used to filter the search.
Default is to look for both member and uniquemember attributes.
The following options are required only if authentication
has not preceded the authorization, and if the authentication configuration
string has not been specified. If the authentication configuration
string has been specified, the following parameters are ignored and
those provided by the
baseDN,
uid_attr,
and
[base|sub] for authentication are used instead:
- base|sub:
- Defines whether to perform a base or subtree search. If base is
defined, the authentication is faster because the DN of the user can
be constructed from uid_att + username + baseDN. If sub is
selected, a search must be performed before the DN can be resolved.
Default is sub.
- baseDN
- String defining the base distinguished name of all users in the
directory. Must be preceded by the string x-userBaseDN.
Any commas in the BaseDN must be rendered as %2c.
- x-uid_attr:
- String defining the attribute to which the incoming username should
map, typically uid, CN, or email address. Default is uid. Must be
preceded by the string x-uid_attr.
When you submit the command from a batch (.bat) file or command
(.cmd) file, if the LDAP URL includes an extension with LDAP URL "percent
hex hex" escaped characters (for example, a comma replaced by
%2c,
or a space replaced by
%20), the percent signs must
be escaped from the batch interpreter with an extra percent sign (
%%).
For example:
mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN
-n authentication,authenticationConfig,authorization,authorizationConfig -v
"LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\",
LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,
o=acme.com?report?base?x-BaseDN=ou=sales%%2co=acme.com,
x-uid_attr=emailaddress\""
The selected group must
be defined on the LDAP server, and all of the required users must
be members of the group.