Create a security profile for use with Lightweight Directory Access Protocol (LDAP) or Secure LDAP (LDAPS), by using either the mqsicreateconfigurableservice command or an editor in the IBM® Integration Explorer.
Before you start:
If your LDAP directory does not permit login by unrecognized user IDs, and does not grant search access rights on the subtree, you must also set up a separate authorized login ID that the broker can use for the search. For information on how to do this, see Configuring authorization with LDAP or Authenticating incoming requests with LDAP.
You can use the mqsicreateconfigurableservice command to create a security profile that uses LDAP for authentication, authorization, or both. The security profile ensures that each message has an authenticated ID and is authorized for the message flow.
The following example, shown on several lines for readability but entered as a single command, creates a profile named LDAP that authenticates user IDs found under the ou=sales subtree, authorizes members of the group cn=All Sales, propagates the identity, and rejects blank passwords:
mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP
-n authentication,authenticationConfig,authorization,authorizationConfig,propagation,rejectBlankpassword
-v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,
\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE,TRUE"
Enclose each LDAP URL in escaped double quotation marks (\" ... \"), because the URL contains commas and the comma is also the separator between the values of the -v parameter of mqsicreateconfigurableservice. If an LDAP URL contains an element whose name includes a space, as cn=All Sales does here, the whole set of values after the -v flag must also be enclosed in double quotation marks (").
For more information about the structure of the command, refer to the mqsicreateconfigurableservice command.
You can define the security-specific parts of the command as follows. The authenticationConfig value is an LDAP URL that names the subtree in which the broker searches for the incoming user ID; uid_attr is the attribute that holds the user ID, and base or sub is the search scope:
ldap[s]://server[:port]/baseDN[?[uid_attr][?[base|sub]]]
For example:
ldap://ldap.acme.com:389/ou=sales,o=acme.com
ldaps://localhost:636/ou=sales,o=acme?cn?base
The authorizationConfig value is an LDAP URL that names the group whose members are authorized; member_attr is the attribute of the group entry that lists its members, and the optional x-userBaseDN and x-uid_attr extensions tell the broker where to find the user entries and which attribute holds the user ID when they differ from the authentication settings:
ldap[s]://server[:port]/groupDN[?[member_attr][?[base|sub][?[x-userBaseDN=baseDN,x-uid_attr=uid_attr]]]]
For example:
ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com?uniquemember?sub?x-userBaseDN=ou=sales%2co=ibm.com,x-uid_attr=emailaddress
The comma inside the x-userBaseDN value is written as %2c, because a literal comma would be read as the separator between the x-userBaseDN and x-uid_attr extensions.
The following example uses the emailaddress attribute as the user ID, uses report as the group membership attribute with base scope, and locates the user entries under the subtree given by x-userBaseDN, whose comma is percent-encoded as %2c (in a Windows batch file, write %%2c, because the command interpreter treats a single % as the start of a variable reference):
mqsicreateconfigurableservice WBRK_BROKER -c SecurityProfiles -o LDAP_URI_FUN
-n authentication,authenticationConfig,authorization,authorizationConfig -v
"LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com?emailaddress?sub\",
LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,
o=acme.com?report?base?x-userBaseDN=ou=sales%2co=acme.com,
x-uid_attr=emailaddress\""
The selected group must be defined on the LDAP server, and all of the required users must be members of the group.
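The quoting and encoding rules above (escaped quotation marks around each URL, outer double quotation marks when a DN contains a space, %2c for a comma inside an extension value) are easy to get wrong by hand. The following script is an added example, not part of the IBM documentation or product: it assembles the authenticationConfig and authorizationConfig URLs from their parts, builds the -v value and the full mqsicreateconfigurableservice command line, and flags two settings a reviewer would push back on (a plain ldap:// URL, which sends the user's bind password in cleartext, and rejectBlankpassword not set to TRUE, since many directories treat a simple bind with an empty password as an anonymous bind). The broker name, profile name, host name and DNs are constructed sample values.

```shell
#!/bin/sh
# Added example, not IBM's code: assemble and sanity-check the -v value of an
# LDAP security profile for mqsicreateconfigurableservice. Broker name,
# profile name, host and DNs are constructed sample values.

# Percent-encode the characters that an LDAP URL parser treats as separators,
# so that a DN can be carried inside an extension value such as x-userBaseDN.
url_encode_dn() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/,/%2c/g' -e 's/?/%3f/g'
}

# authenticationConfig: ldap[s]://server:port/baseDN[?uid_attr[?base|sub]]
auth_url() {   # scheme host port baseDN [uid_attr] [scope]
    printf '%s://%s:%s/%s' "$1" "$2" "$3" "$4"
    if [ -n "${5:-}" ]; then printf '?%s' "$5"; fi
    if [ -n "${6:-}" ]; then printf '?%s' "$6"; fi
}

# authorizationConfig: ldap[s]://server:port/groupDN?member_attr?scope
#                      ?x-userBaseDN=baseDN,x-uid_attr=uid_attr
# The comma inside the x-userBaseDN value is encoded, because a bare comma
# would be read as the separator between the two extensions.
authz_url() {  # scheme host port groupDN member_attr scope userBaseDN uid_attr
    printf '%s://%s:%s/%s?%s?%s?x-userBaseDN=%s,x-uid_attr=%s' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$(url_encode_dn "$7")" "$8"
}

# The -v value matching -n authentication,authenticationConfig,authorization,
# authorizationConfig,propagation,rejectBlankpassword. Each URL is wrapped in
# \"...\" so that the commas of its DN are not taken as -v separators.
profile_value() {  # auth_url authz_url propagation rejectBlankpassword
    printf 'LDAP,\\"%s\\",LDAP,\\"%s\\",%s,%s' "$1" "$2" "$3" "$4"
}

# Full command line. The whole -v value sits in double quotation marks, which
# is what lets a group name containing a space (cn=All Sales) survive.
PROPERTIES='authentication,authenticationConfig,authorization,authorizationConfig,propagation,rejectBlankpassword'
build_command() {  # broker profile value
    printf 'mqsicreateconfigurableservice %s -c SecurityProfiles -o %s ' "$1" "$2"
    printf '%s %s ' '-n' "$PROPERTIES"
    printf '%s"%s"' '-v ' "$3"
}

# Findings a reviewer would raise; written to stderr, count echoed to stdout.
lint_profile() {  # auth_url authz_url rejectBlankpassword
    n=0
    case "$1" in
        ldap://*) echo "WARN: authentication binds over plain ldap://, so user passwords cross the network in cleartext; use ldaps://" >&2; n=$((n+1)) ;;
    esac
    case "$2" in
        ldap://*) echo "WARN: authorization search runs over plain ldap://; use ldaps://" >&2; n=$((n+1)) ;;
    esac
    if [ "$3" != "TRUE" ]; then
        echo "WARN: rejectBlankpassword is not TRUE; directories commonly treat a simple bind with an empty password as an anonymous bind, so a blank password would pass authentication" >&2
        n=$((n+1))
    fi
    echo "$n"
}

# Sample run with constructed values: print the command for review before
# pasting it into the broker's command console.
AUTH=$(auth_url ldaps ldap.acme.com 636 'ou=sales,o=acme.com' emailaddress sub)
AUTHZ=$(authz_url ldaps ldap.acme.com 636 'cn=All Sales,ou=acmegroups,o=acme.com' \
        uniquemember sub 'ou=sales,o=acme.com' emailaddress)
lint_profile "$AUTH" "$AUTHZ" TRUE >/dev/null
build_command WBRK_BROKER LDAP_SALES "$(profile_value "$AUTH" "$AUTHZ" TRUE TRUE)"
echo
```

The script only prints the command; run it, check the warnings on stderr, and then execute the printed line yourself. If you feed an ldap://...:389 URL into lint_profile you get the cleartext warning, which is the point: the page's own examples use plain LDAP, and on a production broker the authentication URL should be ldaps.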
If you create the profile with the security profile editor in the IBM Integration Explorer instead, the values that you enter in the LDAP Parameters fields for authentication are assembled into a configuration string, which is displayed in the Authentication Config field, and the values that you enter in the LDAP Parameters fields for authorization are assembled into a configuration string, which is displayed in the Authorization Config field. Likewise, the value that you specify in the TFIM Configuration field produces the configuration string displayed in the Mapping Config field. The valid values for these parameters are the same as for the mqsicreateconfigurableservice command described earlier in this topic.
To delete an existing security profile, select the profile in the list and then click Delete.