WebSphere Message Brokers
Writer: Stephanie J Strugnell

Task topic

This build: July 31, 2007 21:34:50

Creating a security profile for LDAP

Before you start:

Ensure that you have an LDAP Version 3 server, for example:
  • IBM Tivoli Directory Server
  • Microsoft Active Directory
  • OpenLDAP.

You can use the mqsicreateconfigurableservice command to create a new security profile for use with LDAP.

  1. To create a security profile that ensures that each message has an authenticated ID and is authorized for the flow, enter the mqsicreateconfigurableservice command on the command line. For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP 
    -n authentication,authenticationConfig,authorization,authorizationConfig 
    -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,
    \"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\""

    As shown in the example above, you must enclose each LDAP URL (which contains commas) in escaped double quotes, \" and \", so that the commas in the URL are not confused with the comma separator of the -v parameter of mqsicreateconfigurableservice.

    If an LDAP URL includes an element whose name contains a space (in this example, cn=All Sales), the whole set of values after the -v flag must be surrounded by double quotes (") so that the command interpreter treats it as a single parameter rather than treating the space as a parameter separator.

    For more information about the structure of the command, refer to the mqsicreateconfigurableservice command.

    You define the security-specific parts of the command in the following way:

    1. Set authentication to LDAP. This ensures that the incoming identity is validated against the directory.
    2. Set authorization to LDAP. This ensures that the incoming identity is checked for group membership in LDAP.
    3. Set the authenticationConfig using the following syntax:
      ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]

      For example:

      ldap://ldap.acme.com:389/ou=sales,o=acme.com
      ldaps://localhost:636/ou=sales,o=acme?cn?base
      ldap:
      Required. Fixed protocol string.
      s:
      Optional. Specifies whether SSL should be used. The default is not to use SSL.
      server:
      Required. The name or IP address of the LDAP server to contact.
      port:
      Optional. The port to connect to. The default is 389 (non-SSL). For LDAP servers with SSL enabled, the port is typically 636.
      baseDN:
      Required. String defining the base distinguished name of all users in the directory.
      uid_attr:
      Optional. String defining the attribute to which the incoming user name is mapped, typically uid, CN, or email address. The default is uid.
      base|sub:
      Optional. Defines whether to perform a base or subtree search. If base is specified, authentication is faster because the DN of the user can be constructed from uid_attr, the user name, and baseDN without a search. If sub is selected, a search must be performed before the DN can be resolved. The default is sub.
    4. Set the authorizationConfig using the following syntax:
      ldap[s]://server[:port]/groupDN[?[member_attr][?[base|sub][?[x-userBaseDN=baseDN,x-uid_attr=uid_attr]]]]

      For example:

      ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
      ldap:
      Required. Fixed protocol string.
      s:
      Optional. Specifies whether SSL should be used. The default is not to use SSL.
      server:
      Required. The name or IP address of the LDAP server to contact.
      port:
      Optional. The port to connect to. The default is 389 (non-SSL). For LDAP servers with SSL enabled, the port is typically 636.
      groupDN:
      Required. Fully qualified distinguished name of the group of which users must be members to be granted access.
      member_attr:
      Optional. The attribute of the group used to filter the search. The default is to look for both the member and uniquemember attributes.
      The following options are required only if authorization is not preceded by authentication, that is, if no authentication configuration string has been specified. If an authentication configuration string has been specified, the following parameters are ignored and the baseDN, uid_attr, and [base|sub] values provided for authentication are used instead:
      base|sub:
      Optional. Defines whether to perform a base or subtree search. If base is specified, authentication is faster because the DN of the user can be constructed from uid_attr, the user name, and baseDN without a search. If sub is selected, a search must be performed before the DN can be resolved. The default is sub.
      x-userBaseDN:
      Optional. String defining the base distinguished name of all users in the directory. Must be preceded by the string x-userBaseDN=. Any commas in the baseDN must be rendered as %2c.
      x-uid_attr:
      Optional. String defining the attribute to which the incoming user name is mapped, typically uid, CN, or email address. The default is uid. Must be preceded by the string x-uid_attr=.
    When you submit the command from a batch (.bat) file or command (.cmd) file, and the LDAP URL includes an extension containing LDAP URL percent-encoded characters (for example, a comma replaced by %2c, or a space replaced by %20), each percent sign must be escaped from the batch interpreter with an extra percent sign (%%). For example:
    mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN -n
    authentication,authenticationConfig,authorization,authorizationConfig -v
    "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\",LDAP,
    \"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,
    o=acme.com?report?base?x-userBaseDN=ou=sales%%2co=acme.com,x-uid_attr=emailaddress\""

    The selected group must be defined on the LDAP server, and all of the required users must be members of the group.

  2. If you need to reconfigure the security profile after it has been created, use the mqsichangeproperties command.
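To make the two configuration string syntaxes above concrete, the following added Python example (not product code) parses an authenticationConfig or authorizationConfig string, shows how the base and sub scopes differ when resolving a user DN, and applies the default member/uniquemember rule for group membership. Defaulting ldaps to port 636 and the RFC 4515/4514 escaping helpers are assumptions of this example, not documented broker behaviour.

```python
import re
from urllib.parse import unquote
# Matches ldap[s]://server[:port]/<rest>; <rest> is split on "?" below.
_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<rest>.*)$")

def parse_ldap_config(url):
    """Parse an authenticationConfig or authorizationConfig string into a dict."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP configuration URL: %r" % url)
    ssl = m.group("scheme") == "ldaps"
    parts = m.group("rest").split("?")
    cfg = {
        "ssl": ssl,
        "server": m.group("host"),
        # 389 is the documented default; defaulting ldaps to 636 is an assumption.
        "port": int(m.group("port") or (636 if ssl else 389)),
        "dn": parts[0],  # baseDN (authentication) or groupDN (authorization)
        "attr": parts[1] if len(parts) > 1 and parts[1] else None,  # uid_attr / member_attr
        "scope": parts[2] if len(parts) > 2 and parts[2] else "sub",
    }
    if cfg["scope"] not in ("base", "sub"):
        raise ValueError("scope must be base or sub, got %r" % cfg["scope"])
    # Authorization-only extensions: commas inside the DN arrive as %2c, so real
    # commas separate the x-... pairs and unquote() restores the DN afterwards.
    if len(parts) > 3 and parts[3]:
        for ext in parts[3].split(","):
            key, _, value = ext.partition("=")
            cfg[key] = unquote(value)
    return cfg

def _escape_filter(value):
    # RFC 4515 escaping so a user name cannot change the meaning of the search filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _escape_dn(value):
    # RFC 4514 escaping of the characters that are special in a DN attribute value.
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)

def resolve_user(auth_cfg, username):
    """base scope: the DN is constructed directly; sub scope: a search comes first."""
    attr = auth_cfg["attr"] or "uid"
    if auth_cfg["scope"] == "base":
        return ("bind", "%s=%s,%s" % (attr, _escape_dn(username), auth_cfg["dn"]))
    return ("search", auth_cfg["dn"], "(%s=%s)" % (attr, _escape_filter(username)))

def is_member(authz_cfg, group_entry, user_dn):
    """Without member_attr, both member and uniquemember are consulted (the default)."""
    attrs = [authz_cfg["attr"]] if authz_cfg["attr"] else ["member", "uniquemember"]
    return any(user_dn in group_entry.get(a, []) for a in attrs)
```

The group_entry passed to is_member stands in for the attributes read from the group object on the directory server; in a real check the user DN compared against it is the one resolved through resolve_user.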
Copyright IBM Corporation 1999, 2007. All Rights Reserved.