{"id":1110,"date":"2023-02-17T08:58:00","date_gmt":"2023-02-17T08:58:00","guid":{"rendered":"https:\/\/marketaylor.synology.me\/?p=1110"},"modified":"2023-02-19T11:16:09","modified_gmt":"2023-02-19T11:16:09","slug":"active-directory-with-mq-on-linux","status":"publish","type":"post","link":"https:\/\/marketaylor.synology.me\/?p=1110","title":{"rendered":"More on Active Directory with MQ on Linux"},"content":{"rendered":"\n

Several years ago I wrote about using Active Directory<\/a> (AD) with MQ-specific authentication and authorisation options on a Unix queue manager. In that scenario, AD serves as an LDAP server. The MQ CONNAUTH<\/code> attribute points at an IDPWLDAP<\/code> format of AuthInfo object. <\/p>\n\n\n\n

There is another approach to using Active Directory with MQ on Linux, where the directory is much more integrated with the operating system. I have seen enough confusion between these two options that I thought it was worth writing something to explain. I’ve had several apparently independent streams of notes on this topic in the last month alone (not to mention the person who seems to have asked everyone they know in the hope of at least one of them giving the answer they want to hear even if it’s wrong).<\/p>\n\n\n\n\n\n\n\n

Where the confusion starts<\/h3>\n\n\n\n

A typical question that comes in starts something like “My Linux queue manager is using AD …”. From that introduction, I have seen support teams assume that that means the queue manager is using the IDPWLDAP<\/code> configuration described in my older post. Because that really is the only situation where AD or LDAP is directly relevant to MQ. In turn, that understandably leads to providing information about the attributes such as BASEDNU<\/code> or SEARCHGRP<\/code>. Which might be completely irrelevant to the question.<\/p>\n\n\n\n

But quite frequently these days, AD is used as a provider of identities to the whole operating system, not something that is specific to MQ. So you should not expect anything about this approach in any MQ documentation. Here, MQ will use the IDPWOS<\/code> mechanism for authentication and authorisation. It’s very similar to having NIS as a centralised identity mechanism. The AD component uses interfaces like NSS and PAM to fill in responses to the standard library calls such as getpwent <\/em>or getgroups <\/em>that MQ calls to find out about “local” users and groups.<\/p>\n\n\n\n

So whenever a question or support ticket mentions using AD with MQ on a Linux queue manager, the first requirement is to clarify the meaning. Do you mean “as an LDAP server” or do you mean “as an integrated OS identity provider”?<\/p>\n\n\n\n

Using sssd with Active Directory<\/h3>\n\n\n\n

Simple integration of identities with AD at a Linux operating system level originally came only with 3rd-party commercial products. And there was Samba which did something, but was more about file\/printer sharing. Although some of these tools still exist, and can offer additional flexibility, I’m mostly going to talk about the “free” option available with Linux today.<\/p>\n\n\n\n

The sssd<\/code>service<\/a> is the key piece. It provides a link between Linux applications requesting security services and a variety of backend providers. In our case, what we are interested in is the Active Directory module. When configured, AD gives a transparent extension to the local lists of users and groups. It’s as if additional lines were added to \/etc\/passwd<\/em> and \/etc\/group<\/em>.<\/p>\n\n\n\n

Most of the time that you will be working in this environment, the configuration of both Windows AD services and Linux will already have been done, or is someone else’s responsibility. But I’m going to write a few notes here on what I had to do for a test environment in case you want to try it yourself.<\/p>\n\n\n\n

Configuration of Active Directory<\/h4>\n\n\n\n

There is not really much to do in the AD configuration. I provisioned a Windows Server 2019 machine, and made it a domain controller for a new forest\/domain. The Windows machine knows nothing about Linux or sssd<\/code>; it is just a standard AD environment. I then created a few users and groups that could be used for running MQ applications:<\/p>\n\n\n\n

\"Defining
Defining users and groups<\/figcaption><\/figure>\n\n\n\n

The only thing that I had to be careful about when defining the domain was to NOT change the machine’s fully-qualified hostname so that networking and certificates would have the cloud-assigned names, resolvable in DNS by other machines.<\/p>\n\n\n\n

\"DNS
Do not modify the DNS names<\/figcaption><\/figure>\n\n\n\n

In a real environment, I would expect that all of the AD setup has already been done – the whole point is that the Linux machine is integrating with an existing enterprise directory.<\/p>\n\n\n\n

Configuration of Linux and sssd<\/h4>\n\n\n\n

Connecting my Linux system to the domain was mostly a matter of running the realm<\/code> command. <\/p>\n\n\n\n

The only unexpected aspect was I had to use the hostname of the controller, not the Windows domain in the join<\/code>sub-command. That wasn’t obvious from the documentation which seems to assume the Windows domain and the machine’s DNS name are the same. Perhaps additional discovery probes might have found it.<\/p>\n\n\n\n

[root@rh9]# realm join autotype1.fyre.ibm.com \nPassword for Administrator:\n\n[root@rh9]# realm list\nmq.met.com\n  type: kerberos\n  realm-name: MQ.MET.COM\n  domain-name: mq.met.com\n  configured: kerberos-member\n  server-software: active-directory\n  client-software: sssd\n  required-package: oddjob\n  required-package: oddjob-mkhomedir\n  required-package: sssd\n  required-package: adcli\n  required-package: samba-common-tools\n  login-formats: %U@mq.met.com\n  login-policy: allow-realm-logins<\/pre>\n\n\n\n
The main problem I had was ensuring the secure communication worked: update-crypto-policies DEFAULT:AD-SUPPORT<\/code> seemed to be the key to solving that. <\/p>\n\n\n\n
There are a bunch of other commands that can be useful in looking at status or doing debug: sssctl domain-status<\/code>, systemctl status sssd<\/code>, adcli<\/code> all had their place. The only other configuration I made was in \/etc\/sssd\/sssd.conf<\/em>, followed by restarting the sssd<\/code> service:<\/p>\n\n\n\n
use_fully_qualified_names = false<\/pre>\n\n\n\n
This option tells Linux to use the base name everywhere instead of the name+domain. So I can choose to refer to user1<\/code> intead of user1@mq.met.com<\/code> although the fully-qualified version still works in the OS:<\/p>\n\n\n\n
[root@rh9]# id user1\nuid=456201110(user1) gid=456200513(domain users) groups=456200513(domain users),456201106(group1),456201108(group0)\n[root@rh9]# id user1@mq.met.com\nuid=456201110(user1) gid=456200513(domain users) groups=456200513(domain users),456201106(group1),456201108(group0)<\/pre>\n\n\n\n
All the MQ controls like setmqaut<\/code> will assume (require) use of this short unqualified format. There are a number of other configuration options for the security service, but I only made the minimum changes to get a working environment.<\/p>\n\n\n\n
MQ Installation and Configuration<\/h3>\n\n\n\n
Where this all becomes important for MQ is in the installation process and using privileged identities. Note that anything in the product documentation referring to Active Directory<\/a> is going to be related to running on Windows – the queue manager there is aware of things like domains and SIDs. So you can ignore all of that for a Linux environment.<\/p>\n\n\n\n
Installing MQ on a Linux system from rpm<\/code> or deb<\/code>format files requires that there must be an mqm<\/code> user and group available. You cannot change those identities; they own resources such as the binary programs and files making up a queue manager. Scripts execute during the installation that check for the existence of the user and group. If they do not already exist, then the installation automatically creates them. <\/p>\n\n\n\n
The container images for MQ use a different mechanism; the MQ code comes in a simple tar image unpacked into an arbitrary directory and has a different security and resource ownership model. I’m not going to consider that further here as it is not at all affected by, or relevant to, the AD integration.<\/p>\n\n\n\n
If I have not already created the ids, I see them being defined when I run the MQ install process:<\/p>\n\n\n\n
[root@rh9]#.\/mqlicense.sh -accept\n\nLicensed Materials - Property of IBM\n 5724-H72\n (C) Copyright IBM Corporation 1993, 2023\nUS Government Users Restricted Rights - Use, duplication or disclosure\nrestricted by GSA ADP Schedule Contract with IBM Corp.\n\nAgreement accepted:  Proceed with install.\n\n[root@rh9]# rpm -i *.rpm \nCreating group mqm\nCreating user mqm\n<\/strong><\/span>\nLicensed entitlement 'advanced' set for installation at '\/opt\/mqm'.\n\n[root@rh9]# grep mqm \/etc\/passwd\nmqm:x:983:1000::\/var\/mqm:\/bin\/bash\n[root@rh9]# grep mqm \/etc\/group\nmqm:x:1000:\n<\/pre>\n\n\n\n
You can see the local definition of the user and group. But what if we do not want to have them local?<\/p>\n\n\n\n
One fundamental problem with using AD is that you are unable to have users and groups of the same name in the directory. So you cannot have both the mqm<\/code> user and the mqm<\/code> group defined in AD. You MUST<\/strong> define at least one of them locally. <\/p>\n\n\n\n
I reset from the previous test where the installation created both accounts. What I chose to do this time was to have a local user definition but to have a central AD mqm<\/code> group. Having the group makes it easier to add other users to the group globally. So I let the MQ installation process create the mqm<\/code> user. But I also created an mqadmin<\/code> user in AD that will be useful later on. <\/p>\n\n\n\n
\"Defining
Defining the mqm group and a global administrator<\/figcaption><\/figure>\n\n\n\n
This time, only the user gets created by the installation:<\/p>\n\n\n\n
[root@rh9]#.\/mqlicense.sh -accept\n\nLicensed Materials - Property of IBM\n 5724-H72\n (C) Copyright IBM Corporation 1993, 2023\nUS Government Users Restricted Rights - Use, duplication or disclosure\nrestricted by GSA ADP Schedule Contract with IBM Corp.\n\nAgreement accepted:  Proceed with install.\n\n[root@rh9]# rpm -i *.rpm \nCreating user mqm\n<\/strong><\/span>\nLicensed entitlement 'advanced' set for installation at '\/opt\/mqm'.\n\n[root@rh9]# grep mqm \/etc\/passwd\nmqm:x:983:1000::\/var\/mqm:\/bin\/bash\n[root@rh9]# grep mqm \/etc\/group\n[root@rh9]#<\/pre>\n\n\n\n
There should never need to be a need to logon as the mqm<\/code> user provided you have other users with the right group membership. So you can set that installation-created id to not be available for login and any other disabling that you want. This might be an acceptable compromise in organisations that would otherwise like to prohibit any local definitions.<\/p>\n\n\n\n
One thing to be careful of is the group membership. In particular, the primary group associated with any users. By default, AD reports the primary group as “Domain Users” which is not suitable for Unix systems – the space in the name is a problem. And that led at first to a bunch of security issues producing FDCs when I wanted to create a queue manager. Instead I explicitly set the primary group for the mqadmin<\/code> user to be mqm<\/code>:<\/p>\n\n\n\n
\"Setting
Setting a primary group<\/figcaption><\/figure>\n\n\n\n
Once all of that was in place, I was able to switch to the mqadmin<\/code>user and create a queue manager:<\/p>\n\n\n\n
[root@rh9]# su - mqadmin\nLast login: Thu Feb 16 11:02:06 GMT 2023 on pts\/0\n[mqadmin@rh9]$ id\nuid=456201121(mqadmin) gid=456201120(mqm) groups=456201120(mqm),456200513(domain users)\n[mqadmin@rh9]$ crtmqm QM1\nIBM MQ queue manager 'QM1' created.\nDirectory '\/var\/mqm\/qmgrs\/QM1' created.\nThe queue manager is associated with installation 'Installation1'.\nCreating or replacing default objects for queue manager 'QM1'.\nDefault objects statistics : 83 created. 0 replaced. 0 failed.\nCompleting setup.\nSetup completed.<\/pre>\n\n\n\n
You can see the gid<\/code> entry for primary group now refers to mqm<\/code>. <\/p>\n\n\n\n
I also needed to do similar group membership settings for “application” users. If the primary group does not look like a Unix groupname, then commands such as setmqaut<\/code> will fail. If a user is never going to need to use the account on a Windows machine, it might be convenient to explicitly remove the id from the “Domain Users” group and any other similarly-named groups.<\/p>\n\n\n\n
Changes to users and group membership sometimes took a little while to propagate from the server. Running sssctl cache-expire -E<\/code> helped to bring the updates down faster.<\/p>\n\n\n\n
Is there any way to have both mqm user and group defined in AD?<\/h4>\n\n\n\n
Not with the sssd<\/code> service that I could find. The constraint of users and groups sharing the same namespace is fundamental in AD. And sssd<\/code> doesn’t seem to have any documented mapping options. <\/p>\n\n\n\n
There are additional paid-for products that might give further configuration. For example, the Safeguard (originally Vintela) documentation<\/a> suggests that you might be able to apply a more complex mapping between AD names and local names. So you might have an AD definition of mqmGroup<\/code> and mqmUser<\/code> and then apply a local mapping. But it’s not something I’ve been able to try.<\/p>\n\n\n\n
Queue manager configuration<\/h4>\n\n\n\n
You do not need any special queue manager configuration. All of the authentication and authorisation controls behave as if the users and groups are local to the OS. Password checking is delegated via PAM to the AD server; group membership for authorisations is delegated via NSS<\/a>. So the CONNAUTH<\/code> configuration points at an Authentication Object of type IDPWOS<\/code> with AUTHENMD(PAM)<\/code>. We do not need to setup for LDAP checking. We could choose to do that, and treat the AD server as a general LDAP server, but it’s not necessary.<\/p>\n\n\n\n
Summary<\/h3>\n\n\n\n
Using Active Directory as an identity provider on Linux is mostly transparent to MQ. But you do have to decide about where to define the mqm<\/code>user and group. Once you have done that, MQ just considers the centralised accounts to be part of the operating system. Which is of course the goal.<\/p>\n\n\n\n
I hope this helps to sort out any confusion about using AD with MQ.<\/p>\n
This post was last updated on February 19th, 2023 at 11:16 am<\/p>","protected":false},"excerpt":{"rendered":"
Several years ago I wrote about using Active Directory (AD) with MQ-specific authentication and authorisation options on a Unix queue manager. In that scenario, AD serves as an LDAP server. The MQ CONNAUTH attribute points at an IDPWLDAP format of AuthInfo object. There is another approach to using Active Directory with MQ on Linux, where … Continue reading “More on Active Directory with MQ on Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1450,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5],"tags":[78,79,20],"class_list":["post-1110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mq","tag-active-directory","tag-ldap","tag-mqseries"],"yoast_head":"\nMore on Active Directory with MQ on Linux - Mark Taylor's Blog<\/title>\n<meta name=\"description\" content=\"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/marketaylor.synology.me\/?p=1110\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"More on Active Directory with MQ on Linux - Mark Taylor's Blog\" \/>\n<meta property=\"og:description\" content=\"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ\" \/>\n<meta property=\"og:url\" content=\"https:\/\/marketaylor.synology.me\/?p=1110\" \/>\n<meta property=\"og:site_name\" content=\"Mark Taylor's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-17T08:58:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-19T11:16:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png\" \/>\n\t<meta property=\"og:image:width\" content=\"309\" \/>\n\t<meta property=\"og:image:height\" content=\"163\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Mark\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@marketaylor\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110\"},\"author\":{\"name\":\"Mark\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/#\\\/schema\\\/person\\\/2d6f4113ff54187023e20c20186bbb3c\"},\"headline\":\"More on Active Directory with MQ on Linux\",\"datePublished\":\"2023-02-17T08:58:00+00:00\",\"dateModified\":\"2023-02-19T11:16:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110\"},\"wordCount\":1780,\"commentCount\":1,\"image\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/marketaylor.synology.me\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/ad_logo.png\",\"keywords\":[\"active directory\",\"ldap\",\"mqseries\"],\"articleSection\":[\"IBM MQ\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110\",\"url\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110\",\"name\":\"More on Active Directory with MQ on Linux - Mark Taylor's Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/marketaylor.synology.me\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/ad_logo.png\",\"datePublished\":\"2023-02-17T08:58:00+00:00\",\"dateModified\":\"2023-02-19T11:16:09+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/#\\\/schema\\\/person\\\/2d6f4113ff54187023e20c20186bbb3c\"},\"description\":\"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#primaryimage\",\"url\":\"https:\\\/\\\/marketaylor.synology.me\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/ad_logo.png\",\"contentUrl\":\"https:\\\/\\\/marketaylor.synology.me\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/ad_logo.png\",\"width\":309,\"height\":163},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/?p=1110#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/marketaylor.synology.me\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"More on Active Directory with MQ on Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/#website\",\"url\":\"https:\\\/\\\/marketaylor.synology.me\\\/\",\"name\":\"Mark Taylor's Blog\",\"description\":\"Messaging, Music and Moving Around\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/marketaylor.synology.me\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/marketaylor.synology.me\\\/#\\\/schema\\\/person\\\/2d6f4113ff54187023e20c20186bbb3c\",\"name\":\"Mark\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g\",\"caption\":\"Mark\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/marketaylor\"],\"url\":\"https:\\\/\\\/marketaylor.synology.me\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"More on Active Directory with MQ on Linux - Mark Taylor's Blog","description":"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/marketaylor.synology.me\/?p=1110","og_locale":"en_GB","og_type":"article","og_title":"More on Active Directory with MQ on Linux - Mark Taylor's Blog","og_description":"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ","og_url":"https:\/\/marketaylor.synology.me\/?p=1110","og_site_name":"Mark Taylor's Blog","article_published_time":"2023-02-17T08:58:00+00:00","article_modified_time":"2023-02-19T11:16:09+00:00","og_image":[{"width":309,"height":163,"url":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","type":"image\/png"}],"author":"Mark","twitter_card":"summary_large_image","twitter_creator":"@marketaylor","twitter_misc":{"Written by":"Mark","Estimated reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/marketaylor.synology.me\/?p=1110#article","isPartOf":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110"},"author":{"name":"Mark","@id":"https:\/\/marketaylor.synology.me\/#\/schema\/person\/2d6f4113ff54187023e20c20186bbb3c"},"headline":"More on Active Directory with MQ on Linux","datePublished":"2023-02-17T08:58:00+00:00","dateModified":"2023-02-19T11:16:09+00:00","mainEntityOfPage":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110"},"wordCount":1780,"commentCount":1,"image":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110#primaryimage"},"thumbnailUrl":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","keywords":["active directory","ldap","mqseries"],"articleSection":["IBM MQ"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/marketaylor.synology.me\/?p=1110#respond"]}]},{"@type":"WebPage","@id":"https:\/\/marketaylor.synology.me\/?p=1110","url":"https:\/\/marketaylor.synology.me\/?p=1110","name":"More on Active Directory with MQ on Linux - Mark Taylor's Blog","isPartOf":{"@id":"https:\/\/marketaylor.synology.me\/#website"},"primaryImageOfPage":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110#primaryimage"},"image":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110#primaryimage"},"thumbnailUrl":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","datePublished":"2023-02-17T08:58:00+00:00","dateModified":"2023-02-19T11:16:09+00:00","author":{"@id":"https:\/\/marketaylor.synology.me\/#\/schema\/person\/2d6f4113ff54187023e20c20186bbb3c"},"description":"This post talks about using Active Directory as an integrated provider for operating system identities, and how it relates to MQ","breadcrumb":{"@id":"https:\/\/marketaylor.synology.me\/?p=1110#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/marketaylor.synology.me\/?p=1110"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/marketaylor.synology.me\/?p=1110#primaryimage","url":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","contentUrl":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","width":309,"height":163},{"@type":"BreadcrumbList","@id":"https:\/\/marketaylor.synology.me\/?p=1110#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/marketaylor.synology.me\/"},{"@type":"ListItem","position":2,"name":"More on Active Directory with MQ on Linux"}]},{"@type":"WebSite","@id":"https:\/\/marketaylor.synology.me\/#website","url":"https:\/\/marketaylor.synology.me\/","name":"Mark Taylor's Blog","description":"Messaging, Music and Moving Around","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/marketaylor.synology.me\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/marketaylor.synology.me\/#\/schema\/person\/2d6f4113ff54187023e20c20186bbb3c","name":"Mark","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9a5ae091c43730194cba7cabb5d65c1dc3f48d05caaddec6ff2319a1ce66376f?s=96&d=mm&r=g","caption":"Mark"},"sameAs":["https:\/\/x.com\/marketaylor"],"url":"https:\/\/marketaylor.synology.me\/?author=1"}]}},"jetpack_featured_media_url":"https:\/\/marketaylor.synology.me\/wp-content\/uploads\/2023\/02\/ad_logo.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/posts\/1110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1110"}],"version-history":[{"count":18,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/posts\/1110\/revisions"}],"predecessor-version":[{"id":1471,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/posts\/1110\/revisions\/1471"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=\/wp\/v2\/media\/1450"}],"wp:attachment":[{"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/marketaylor.synology.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}