APAR status
Closed as program error.
Error description
The queue manager is started by the 'mqm' user and configured with CONNAUTH to use an LDAP user repository. Channel authentication is enabled and a mapping rule is used to adopt MCAUSER('mqm'). A client application connects without providing a userid/password; this matches the mapping rule and the connection is successful. However, during the connect an AMQ5531 error message is written to the queue manager error log:

----------------------------------------------------------------
AMQ5531E: Error locating user or group in LDAP
EXPLANATION:
The LDAP authentication and authorization service has failed in the ldap_search call while trying to find user or group 'mqm'. Returned count is 0. Additional context is '(&(objectClass=user)(sAMAccountName=mqm))'.
----------------------------------------------------------------

The 'mqm' user is known to the local OS, but it doesn't exist in the LDAP repository.
Local fix
To eliminate the AMQ5531 message in the queue manager error logs, specify a user identifier known to the LDAP repository in MCAUSER.
Problem summary
****************************************************************
USERS AFFECTED:
Queue managers that use LDAP authentication and authorization may be affected if channels are configured to adopt the security context of a local OS user id in MCAUSER, for example via the channel definition or CHLAUTH mapping rules.

Platforms affected: AIX, IBM iSeries, Linux on Power, Linux on x86-64, Linux on zSeries, Solaris SPARC, Solaris x86-64
****************************************************************
PROBLEM DESCRIPTION:
When using CONNAUTH with AUTHTYPE(IDPWLDAP) and an authorization method that doesn't use the OS user repository, for example AUTHORMD(SEARCHGRP), AUTHORMD(SEARCHUSR) or AUTHORMD(SEARCHGRPSN), the MQ object authority manager (OAM) attempts to find the short user id in LDAP by matching the user id specified in MCAUSER. The user id search fails if a channel attempts to adopt a user id not known to the LDAP repository, and this causes an AMQ5531 error message to be written to the queue manager error log. The OAM then continues to check that the user id has appropriate authority to the queue manager.

The only local OS user id that is permitted to have any authority to the queue manager when using an LDAP user repository is the user that started the queue manager. In the case where the channel MCA user id had been resolved to the user that started the queue manager, this was not honored correctly: the lookup was still made to the LDAP server, resulting in the AMQ5531 error message in the queue manager's error log.
Problem conclusion
The MQ queue manager logic has been updated so that the code path that looks up a short user id in LDAP is avoided if the MCAUSER for a channel matches the OS user id that started the queue manager.

Adopting, via MCAUSER mapping, the local OS user identifier that started the queue manager when using LDAP authorization is not recommended: it grants full administrative access control to a remote user.

The AMQ5531 error message will continue to be correctly reported in the queue manager's error log in the case where the channel MCA user is resolved to a user who is NOT the user that started the queue manager, and this user cannot be found in the LDAP repository.
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v9.1 CD    9.1.3
v9.1 LTS   9.1.0.3

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
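As an added illustration, not MQSC from the APAR or from IBM, the following shows the configuration pattern the problem description refers to (a CHLAUTH mapping rule adopting the queue manager's own OS user under LDAP authorization) followed by the alternative the local fix suggests. The LDAP host, base DNs, channel name, address range, queue name and the 'mqapp' identity are assumed values; the CLASSUSR/SHORTUSR settings are chosen to match the search filter quoted in the AMQ5531 message.

```mqsc
* Added example (assumed names throughout, not from the APAR).
* CONNAUTH object: LDAP user repository, authorization resolved in LDAP, not the OS.
* CLASSUSR/SHORTUSR produce the filter seen in AMQ5531: (&(objectClass=user)(sAMAccountName=...))
DEFINE AUTHINFO(LDAP.AUTHINFO) AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.example.internal(389)') +
       BASEDNU('ou=users,dc=example,dc=internal') +
       CLASSUSR('user') SHORTUSR('sAMAccountName') +
       AUTHORMD(SEARCHGRP) +
       BASEDNG('ou=groups,dc=example,dc=internal') +
       CLASSGRP('group') GRPFIELD('cn') FINDGRP('member') +
       CHCKCLNT(OPTIONAL) REPLACE
ALTER QMGR CONNAUTH(LDAP.AUTHINFO)
REFRESH SECURITY TYPE(CONNAUTH)

* Pattern described in the APAR (not recommended): the mapping rule adopts the OS user
* that started the queue manager. Before the fix this logs AMQ5531 because 'mqm' is not
* in LDAP; with or without the fix it gives every client matching the rule full
* administrative authority over the queue manager.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('mqm') ACTION(ADD)

* Alternative per the local fix: adopt an identity that exists in the LDAP repository
* and grant it only the authority the application needs. No LDAP lookup fails, so no
* AMQ5531 is logged, and the remote client is not an MQ administrator.
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(REPLACE)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqapp') AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('APP.REQUEST') OBJTYPE(QUEUE) PRINCIPAL('mqapp') +
    AUTHADD(PUT,GET,INQ)
```

After applying the alternative, a remaining AMQ5531 in the error log points at a mapped or asserted user id that genuinely does not exist in LDAP, which is the case the fixed queue manager still reports.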
Temporary fix
Comments
APAR Information
APAR number
IT29401
Reported component name
IBM MQ BASE MP
Reported component ID
5724H7271
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-06-11
Closed date
2019-07-09
Last modified date
2019-07-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM MQ BASE MP
Fixed component ID
5724H7271
Applicable component levels
Business Unit: Cloud & Data Platform (BU053)
Product: IBM MQ (SSYHRD)
Platform: Platform Independent (PF025)
Version: 910
Line of Business: Automation (LOB45)
Document Information
Modified date:
09 July 2019