Enterprise IBM MQ estates rarely maintain a separate password file per queue manager. Instead ALTER QMGR CONNAUTH references an AUTHINFO object of AUTHTYPE(IDPWLDAP) that points at Active Directory, OpenLDAP, or other LDAP-compatible directories. When a client application calls MQCONNX with a userid and password, the queue manager uses its LDAPUSER service bind to search the directory and validate credentials—or perform a direct user bind depending on attribute configuration documented for your release. Lockout after failed attempts, password expiry, and group membership remain directory concerns, which centralizes identity lifecycle for HR joiners and leavers. This tutorial walks through DEFINE AUTHINFO IDPWLDAP attributes—CONNAME, BASEDN, CLASSUSR, LDAPUSER, LDAPPWD, SECCOMM for TLS to directory—network and certificate requirements, userid format pitfalls between platforms, high availability for directory replicas, monitoring and troubleshooting connection storms during directory outages, and pairing LDAP authentication with OAM grants on service accounts versus human users.
CONNAME specifies host and port of the LDAP server—often ldap.corp.example.com(636) for LDAPS. BASEDN sets the search base such as ou=users,dc=corp,dc=com. CLASSUSR identifies the object class filter for user entries. LDAPUSER and LDAPPWD are the queue manager's bind identity with read permission to locate users—protect LDAPPWD rotation in secrets management. CHCKCLNT on the same or related AUTHINFO may still require TLS client certificates for MQ connections even when passwords go to LDAP. Mis-set BASEDN produces “user not found” for valid employees who exist in a different organizational unit.
| Attribute | Purpose | Common mistake |
|---|---|---|
| CONNAME | Directory host:port | Wrong port 389 vs 636 |
| BASEDN | Search root for users | Too narrow OU |
| LDAPUSER | QM service bind DN | Expired service password |
| LDAPPWD | Service bind password | Stored in clear text scripts |
| SECCOMM | TLS to LDAP | Plaintext 389 on untrusted network |
| CLASSUSR | User object class filter | Wrong for AD schema |
```
DEFINE AUTHINFO('CORP.LDAP') AUTHTYPE(IDPWLDAP) +
       CONNAME('ldap.corp.example.com(636)') SECCOMM(YES) +
       LDAPUSER('cn=mqbind,ou=svc,dc=corp,dc=com') +
       LDAPPWD('secret') BASEDN('ou=apps,dc=corp,dc=com') +
       CLASSUSR('user')
ALTER QMGR CONNAUTH(CORP.LDAP)
* A CONNAUTH change is not used for new connections until it is refreshed
REFRESH SECURITY TYPE(CONNAUTH)
DISPLAY AUTHINFO('CORP.LDAP') CONNAME LDAPUSER BASEDN
```
Replace example DN syntax with your directory team's standards. LDAPPWD in MQSC commands enters the repository—use secure command channels and rotate after bootstrap. Many sites define AUTHINFO once in automation and never type passwords in interactive runmqsc. Test ldap connectivity from the MQ host with vendor tools before blaming MQ.
Applications may present DOMAIN\user, user@domain.com, or sAMAccountName. MQ and AUTHINFO must align with the format the directory expects for bind. Directory teams often provide a dedicated OU for MQ application accounts separate from interactive users. Group-based authorization still requires OAM grants to groups mirrored from LDAP groups or manual group objects on the MQ host. Single sign-on with certificates may replace password LDAP for some channels while LDAP remains for others.
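The search-then-bind sequence the queue manager performs, and the userid-format and BASEDN pitfalls above, are easier to diagnose with a pre-flight check run from the MQ host before the AUTHINFO goes live. The Python below is an added example, not IBM MQ's or this page's own code; it assumes USRFIELD (a real AUTHINFO attribute the page does not list) is set to sAMAccountName and that OpenLDAP's ldapsearch and ldapwhoami are installed on the MQ host.

```python
# Added pre-flight helper (not IBM MQ's own code): mirrors the search-then-bind
# sequence an IDPWLDAP AUTHINFO performs, so mismatches show up in ldapsearch first.
import re
from dataclasses import dataclass

@dataclass
class AuthInfo:
    conname: str                      # "host(port)" exactly as in DEFINE AUTHINFO
    basedn: str
    ldapuser: str                     # service bind DN; its password is prompted for
    classusr: str = "user"            # AD object class; inetOrgPerson for OpenLDAP
    usrfield: str = "sAMAccountName"  # real AUTHINFO attribute, not shown on the page
    seccomm: str = "YES"              # NO means plaintext 389 (table: common mistake)

def parse_conname(conname: str) -> tuple[str, int]:
    """Split MQ's host(port) form; MQ defaults a bare host to port 389."""
    m = re.fullmatch(r"\s*([^()\s]+)(?:\((\d+)\))?\s*", conname)
    if not m:
        raise ValueError(f"bad CONNAME: {conname!r}")
    return m.group(1), int(m.group(2) or 389)

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a userid like 'a)(b' cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def short_name(userid: str) -> str:
    """Short form for DOMAIN\\user or user@domain (MQ itself sends the userid unchanged)."""
    if "\\" in userid:
        userid = userid.rsplit("\\", 1)[1]
    return userid.split("@", 1)[0]

def search_filter(ai: AuthInfo, userid: str) -> str:
    return (f"(&(objectClass={escape_filter(ai.classusr)})"
            f"({ai.usrfield}={escape_filter(short_name(userid))}))")

def dn_under_base(user_dn: str, basedn: str) -> bool:
    """'User not found' for a real employee usually means the entry lies outside
    BASEDN; compare case-insensitively, ignoring spacing between RDNs."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    u, b = norm(user_dn), norm(basedn)
    return u == b or u.endswith("," + b)

def preflight_commands(ai: AuthInfo, userid: str) -> list[str]:
    """Step 1: LDAPUSER bind + search, as the queue manager does. Step 2: bind as
    the located entry with the client password. -W prompts so LDAPPWD stays out of ps."""
    host, port = parse_conname(ai.conname)
    url = f"{'ldap' if ai.seccomm == 'NO' else 'ldaps'}://{host}:{port}"
    return [f"ldapsearch -H {url} -D '{ai.ldapuser}' -W -b '{ai.basedn}' "
            f"'{search_filter(ai, userid)}' dn",
            f"ldapwhoami -H {url} -D '<dn returned by step 1>' -W"]
```

If step 1 returns no DN, run the same search against the directory root and feed the DN it finds to dn_under_base to confirm whether BASEDN is simply too narrow.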
Point CONNAME at a directory VIP or DNS round robin with health checks. Directory outage during peak batch windows can stall thousands of MQCONNX attempts—implement connection retry in apps with backoff, and monitor directory latency from MQ hosts. Read-only domain controller placement near data centers reduces cross-WAN LDAP. Firewall deny rules between DMZ MQ and corporate LDAP are a frequent go-live blocker discovered on Friday evening.
Many B2B integrations drop passwords entirely: mutual TLS, CHLAUTH SSLPEERMAP to MCAUSER, OAM grants on MCAUSER. LDAP remains valuable for internal fat clients and legacy APIs that already use directory passwords. Hybrid estates use LDAP CONNAUTH on internal SVRCONN and certificates on external listeners—document per listener and channel.
LDAP authentication is the guard calling the central employee database to confirm your password before you enter. IDPWOS was the guard's local notebook instead.
Before you climb into the treehouse, the guard calls mom's phone list in the kitchen to check your secret word is right.
List five AUTHINFO attributes to document in a connection spec.
The directory is up but MQ authentication fails: list three userid-format or BASEDN checks.
Design DR when LDAP is unavailable: break-glass options.
1. IDPWLDAP AUTHTYPE uses:
2. LDAPUSER is:
3. Client password checked:
4. LDAPS typically uses port: