Troubleshooting
Problem
You have created a WebSphere MQ queue manager and set the authorities for a number of groups on a Linux server running RedHat 6. All logins are controlled via LDAP. When a user in a group tries to connect, authorization errors are reported:
AMQ8077: Entity 'aaaaaa ' has insufficient authority to access object 'QM1'.
EXPLANATION: The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect
Cause
The OS calls that MQ uses are the standard Unix getpwnam, getgrgid, setgrent/getgrent calls. MQ uses the _r threadsafe versions of those calls.
The version of Linux in question, RHEL v6 with SSSD, sets "directory enumeration" to OFF.
This is specific to the System Security Services Daemon (SSSD): the getgrent/getpwent calls are treated as enumeration functions and are disabled by that option. The getgrouplist() call is treated separately, which is why that function returns the correct data.
Diagnosing The Problem
The MQ utility dmpmqcfg shows the group has the proper authorities.
The Unix commands “id” and “groups” return the correct information.
A trace shows that the call WMQ uses to get this data, getgrent, finds all the groups, but does not find the user in any of the groups.
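The same discrepancy can be checked outside MQ. The C program below is an added example, not IBM or WebSphere MQ code; its function names are illustrative, and it uses the plain calls rather than the _r variants for brevity. It counts a user's groups once by getgrent enumeration and once by getgrouplist().

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Enumeration path (the call the trace shows): walk every group and
 * count those whose member list names the user. */
int groups_via_getgrent(const char *user)
{
    struct group *g;
    int hits = 0;
    setgrent();
    while ((g = getgrent()) != NULL)
        for (char **m = g->gr_mem; m != NULL && *m != NULL; m++)
            if (strcmp(*m, user) == 0) { hits++; break; }
    endgrent();
    return hits;
}

/* Direct path: count the user's groups (primary group included) without
 * enumerating. Returns -1 if the user is unknown or on error. */
int groups_via_getgrouplist(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    int n = 32;
    gid_t *gids = malloc((size_t)n * sizeof(gid_t));
    if (gids == NULL) return -1;
    if (getgrouplist(user, pw->pw_gid, gids, &n) == -1) {
        /* Buffer too small: n now holds the required size, so retry once. */
        gid_t *bigger = realloc(gids, (size_t)n * sizeof(gid_t));
        if (bigger == NULL) { free(gids); return -1; }
        gids = bigger;
        if (getgrouplist(user, pw->pw_gid, gids, &n) == -1) n = -1;
    }
    free(gids);
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s USER\n", argv[0]); return 2; }
    printf("getgrent enumeration: %d group(s) list %s\n",
           groups_via_getgrent(argv[1]), argv[1]);
    printf("getgrouplist():       %d group(s)\n", groups_via_getgrouplist(argv[1]));
    return 0;
}
```

On a host with the problem described here, an LDAP user's LDAP groups are missing from the first count but present in the second. The primary group normally appears only in the getgrouplist() count, so a difference of one is expected even on a healthy host.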
Resolving The Problem
The default setting for enumerate is False.
You need to change this to True; otherwise, any application that uses getgrent will not return the users in the group when using LDAP.
Contact IBM WebSphere Support for more information and a possible workaround.
Product Synonym
MQ WMQ MQSeries WebSphere MQ
Document Information
Modified date:
15 June 2018
UID
swg21694347