[V8.0.0.2 Feb 2015]

LDAP administration

An overview of how each platform administers LDAP.

When using LDAP authorization, membership of the mqm group (or its equivalent) in the operating system matters little. Membership of that group only controls whether certain commands can be issued from the command line.

In particular, you must be in that group to issue the strmqm and endmqm commands.

Once the queue manager is running, the privileges of the fully-privileged account are limited. Apart from the user ID of the person who issued the strmqm command, other users belonging to the OS mqm (or equivalent) group receive no special privileges.

Authorizations of other users are based on which LDAP groups they belong to. An unqualified use of the mqm group name in commands such as setmqaut is not allowed to map to any LDAP group.

UNIX platforms

Once the queue manager is running, the only automatically fully-privileged account is the real user who started the queue manager.

The mqm ID still exists and is used as the owner of OS resources, such as files, because mqm is the effective ID under which the queue manager runs. However, the mqm user is not automatically able to perform administrative tasks controlled by the OAM.

IBM i

On IBM® i, the automatically-privileged accounts are the one that starts the queue manager and the QMQM ID.

You need both IDs, because the user ID that starts the queue manager is required only to start the system. Once running, the queue manager processes have QMQM authority only.

Sample script

As it is useful to have a group able to do full administration on a queue manager, a sample script is shipped on UNIX platforms as:

<install dir>/samp/bin/amqauthg.sh
This sample takes two parameters:
  • A queue manager name
  • An LDAP group name
The sample processes setmqaut commands, granting full authority for all objects. This is the same script that is generated by the MQ Explorer OAM Wizard for administrative roles. For example, the code starts:

setmqaut -t q -m <qmgr> -n "**" +alladm +allmqi -g <groupname>
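The following is an added example, not the shipped amqauthg.sh: a POSIX shell function that grants the same full administrative and MQI authority to one LDAP group across every object type of a queue manager, treating the qmgr object (which takes no profile name) separately. The object-type list, the MQ_DRY_RUN variable and the script name are this example's own choices; the setmqaut flags are the standard ones shown above.

```shell
#!/bin/sh
# Added example (not IBM's amqauthg.sh): give one LDAP group full authority
# on a queue manager that uses LDAP authorization. With LDAP authorization,
# the name passed to -g is an LDAP group, and an unqualified "mqm" is not
# accepted as a group name, so pass a real LDAP group.
# Set MQ_DRY_RUN=1 to print the setmqaut commands instead of running them.

# Object types that take a generic "**" profile name (assumed list).
OBJECT_TYPES="queue topic process namelist authinfo channel clntconn listener service comminfo"

run_cmd() {
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_full_admin <qmgr> <ldap-group>
# Returns 2 on bad arguments, 1 if any setmqaut call fails, 0 on success.
grant_full_admin() {
    qmgr=$1
    group=$2
    if [ -z "$qmgr" ] || [ -z "$group" ]; then
        echo "usage: grant_full_admin <qmgr> <ldap-group>" >&2
        return 2
    fi
    # The queue manager object itself: no -n profile name is used.
    run_cmd setmqaut -m "$qmgr" -t qmgr +alladm +allmqi -g "$group" || return 1
    # Every other object type: the "**" profile covers all current and future objects.
    for t in $OBJECT_TYPES; do
        run_cmd setmqaut -m "$qmgr" -t "$t" -n '**' +alladm +allmqi -g "$group" || return 1
    done
}

# Command-line entry point when saved as grant_full_admin.sh:
#   MQ_DRY_RUN=1 ./grant_full_admin.sh QM1 mqadmins
if [ "${0##*/}" = "grant_full_admin.sh" ]; then
    grant_full_admin "$@"
fi
```

Because +alladm +allmqi on "**" is equivalent to full administrative control of the queue manager, the dry-run output is worth reviewing (and keeping with the change record) before the commands are run against a production queue manager.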