此命令里有很多内容值得一看。
https://www.ibm.com/docs/en/ibm-mq/8.0?topic=commands-define-authinfo#q085490___6
一,CHCKCLNT
CHCKCLNT
This attribute determines the authentication requirements for client applications, and is valid only for an AUTHTYPE of IDPWOS or IDPWLDAP . The possible values are:
NONE
No user ID and password checks are made. If any user ID or password is supplied by a client application, the credentials are ignored.
OPTIONAL
Client applications are not required to provide a user ID and password.
Any applications that do provide a user ID and password in the MQCSP structure have them authenticated by the queue manager against the password store indicated by the AUTHTYPE.
The connection will only be allowed to continue if the user ID and password are valid.
This option might be useful during migration, for example.
REQUIRED
All client applications must provide a user ID and password in the MQCSP structure. This user ID and password is authenticated by the queue manager against the password store indicated by the AUTHTYPE.
The connection will only be allowed to continue if the user ID and password are valid.
REQDADM
All client applications using a privileged user ID must provide a user ID and password in the MQCSP structure. Any locally bound applications using a non-privileged user ID are not required to provide a user ID and password and are treated as with the OPTIONAL setting.Any provided user ID and password will be authenticated by the queue manager against the password store indicated by the AUTHTYPE. The connection will only be allowed to continue if the user ID and password are valid.
Note: The REQDADM value for the CHCKCLNT attribute is irrelevant if the authentication type is LDAP. This is because there is no concept of privileged user id when using LDAP user accounts. LDAP user accounts and groups must be assigned permission explicitly.
A privileged user is one that has full administrative authorities for IBM MQ. See Privileged users for more information.
(This setting is not allowed on z/OS systems.)
Important:
- This attribute can be overridden by the CHCKCLNT attribute of the CHLAUTH rule that matches the client connection. The CONNAUTH AUTHINFO CHCKCLNT attribute on the queue manager therefore determines the default client checking behavior for client connections that do not match a CHLAUTH rule, or where the CHLAUTH rule matched has CHCKCLNT ASQMGR.
- If you select NONE and the client connection matches a CHLAUTH record with CHCKCLNT REQUIRED (or REQDADM on platforms other than z/OS), the connection fails. You receive message AMQ9793 on platforms other than z/OS, and message CSQX793E on z/OS.
- This parameter is valid only with TYPE (USERMAP), TYPE (ADDRESSMAP) and TYPE (SSLPEERMAP), and only when USERSRC is not set to NOACCESS.
- This parameter applies only to inbound connections that are server-connection channels.
二,ADOPTCTX
ADOPTCTX
Whether to use the presented credentials as the context for this application. This means that they are used for authorization checks, shown on administrative displays, and appear in messages.
YES
The user ID presented in the MQCSP structure, which has been successfully validated by password, is adopted as the context to use for this application. Therefore, this user ID will be the credentials checked for authorization to use IBM MQ resources.
If the user ID presented is an LDAP user ID, and authorization checks are done using operating system user IDs, the SHORTUSR associated with the user entry in LDAP will be adopted as the credentials for authorization checks to be done against.
NO
Authentication will be performed on the user ID and password presented in the MQCSP structure, but then the credentials will not be adopted for further use. Authorization will be performed using the user ID the application is running under.
This attribute is only valid for an AUTHTYPE of IDPWOS and IDPWLDAP.
