LDAP administration
An overview of how each platform administers LDAP.
When using LDAP authorization, membership of the mqm group (or equivalent) in the operating system is not that important. Being a member of that group only controls whether certain command-line commands can be processed. In particular, you must be in that group to issue the strmqm and endmqm commands.
Once the queue manager is running, there are limits on the fully-privileged account. Apart from the user ID of the person who issued the strmqm command, other users belonging to the OS mqm (or equivalent) group do not get special privileges.
Authorizations of other users are based on which LDAP groups they belong to. An unqualified use of the mqm group name in commands such as setmqaut is not allowed to map to any LDAP group.
UNIX platforms
Once the queue manager is running, the only automatically fully-privileged account is the real user who started the queue manager.
The mqm ID still exists and is used as the owner of OS resources, such as files, because mqm is the effective ID under which the queue manager is running. However, the mqm user will not automatically be able to do administrative tasks controlled by the OAM.
IBM i
On IBM® i, the automatically-privileged accounts are the one that starts the queue manager and the QMQM ID.
You need both IDs, because the user ID that starts the queue manager is required only to start the system. Once running, the queue manager processes have QMQM authority only.
Sample script
<install dir>/samp/bin/amqauthg.sh
The script takes two parameters:
- A queue manager name
- An LDAP group name
It issues the command:
setmqaut -t q -m <qmgr> -n "**" +alladm +allmqi -g <groupname>
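The following is an added example (not IBM's amqauthg.sh) that wraps the same setmqaut call with parameter validation, goes one step further by also granting the group connect and admin authority on the queue manager object, and then verifies the result with dspmqaut. It assumes setmqaut and dspmqaut are on PATH when MQ_DRY_RUN is unset, and that the queue manager is already configured for LDAP authorization; the queue manager and group names used in comments are constructed.

```shell
#!/bin/sh
# Added example: grant an LDAP group full admin and MQI authority on a queue
# manager's queues, plus access to the queue manager object, then verify it.
# Assumption: MQ_DRY_RUN=1 prints the commands instead of running them, which
# lets the script be checked on a host without IBM MQ installed.

# Validate a queue manager name: 1-48 characters from A-Z a-z 0-9 . / _ %
valid_qmgr_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./_%]{1,48}$'
}

# Run an MQ command, or echo it when MQ_DRY_RUN=1.
mq_run() {
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_ldap_group <qmgr> <ldap-group>
# Mirrors the sample script (all admin and MQI authorities on every queue via
# the generic profile "**") and additionally lets the group connect to and
# administer the queue manager object itself, which the sample does not cover.
grant_ldap_group() {
    qmgr=$1
    group=$2
    if [ -z "$group" ] || ! valid_qmgr_name "$qmgr"; then
        echo "usage: grant_ldap_group <qmgr> <ldap-group>" >&2
        return 2
    fi
    mq_run setmqaut -m "$qmgr" -t qmgr +connect +inq +alladm -g "$group" || return 1
    mq_run setmqaut -m "$qmgr" -t q -n '**' +alladm +allmqi -g "$group" || return 1
    # Verification: display what the LDAP group now holds on the queue manager.
    mq_run dspmqaut -m "$qmgr" -t qmgr -g "$group"
}
```

Run it as `grant_ldap_group QM1 mqadmins` (constructed names); set MQ_DRY_RUN=1 first to review the commands before they are applied.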