Deny LID Use

DianaE

We are in the process of moving to Apps. 9 and in that process moving our LID users to Portal. We are still on LAUA security and will not be turning on CheckLS = yes within Lawson Security for a while yet. Is there a file I could adjust that would deny users access to all application forms via lapm in LID? Essentially, I want to mimic what Lawson Security does.

Greg Moeller
You didn't indicate which platform you are on, but if it's Unix, you can give all of the users a fake shell.
usermod -s /usr/bin/none

That way you can still have LID available for the people (by not changing their shell to an invalid one) that will probably still need to access it once in a while. Yes, LID is still needed/more convenient for some tasks.
Greg Moeller
Let's try that again...

usermod -s /usr/bin/none login-id

or

usermod -s /usr/bin/false login-id
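
As an added example (not part of any post in this thread): a dry-run sketch of the fake-shell approach described above, which reads passwd-format lines and prints the `usermod -s` command for each account that would lose its login shell, skipping the login IDs that should keep LID. The UID cutoff, the `plan_lid_lockout` and `sample_passwd` names, and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the "fake shell" approach.
# Reads passwd(5)-format lines on stdin and prints one usermod command per
# account whose shell would be replaced. Nothing on the system is changed.
#
# Assumptions (not from the thread): accounts with UID >= MIN_UID are the
# application users; arguments are the login IDs that still need LID.

MIN_UID=${MIN_UID:-1000}
DENY_SHELL=${DENY_SHELL:-/usr/bin/false}

plan_lid_lockout() {
    keep=" $* "    # login IDs that keep their current shell
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        # Skip blank lines and comments.
        case "$name" in ''|\#*) continue ;; esac
        # Skip system/service accounts and malformed UIDs.
        [ "$uid" -ge "$MIN_UID" ] 2>/dev/null || continue
        # Skip accounts that already have a non-interactive shell.
        case "$shell" in
            "$DENY_SHELL"|*/false|*/nologin|*/none) continue ;;
        esac
        # Skip the people who still need LID once in a while.
        case "$keep" in *" $name "*) continue ;; esac
        printf 'usermod -s %s %s\n' "$DENY_SHELL" "$name"
    done
}

# Constructed sample input (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
lawson:x:501:501:Lawson owner:/home/lawson:/bin/ksh
jsmith:x:1001:1001:J Smith:/home/jsmith:/bin/ksh
mjones:x:1002:1001:M Jones:/home/mjones:/bin/ksh
apclerk:x:1003:1001:AP clerk:/home/apclerk:/usr/bin/false
EOF
}

# Plan the change for everyone except mjones, who keeps LID access.
sample_passwd | plan_lid_lockout mjones
```

Review the printed commands before running any of them as root; on a real host, feed the function `getent passwd` output instead of the sample.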
DianaE
Thanks for the information Greg. We are on the Windows platform.
Ben Coonfield
In my case if I altered the OS password and left the SSOP password, a user would still be able to log on to portal (using the SSOP password), but would not be able to log on to LID which would use the OS password (because they wouldn't know the new value).
DianaE
Thanks Ben. I changed the OS password with Lawson Security but my system is still allowing the user to access Desktop Client Logon with the old password. I did clear the Cache under Server Management. Is there something I might be missing?
Ben Coonfield
Change it in Windows rather than Security Administrator. For Windows, assuming you have not done an LDAP bind, you can just log on to Windows with that userid, hit Ctrl-Alt-Delete, and select "Change Password". There are of course other tools to achieve the same thing, depending on which tools you have access to, and whether this is a domain or a local account.

If this is a domain account, this will affect that userid across the domain, not just in Lawson.

On Unix at least, LID uses the password defined to the operating system, not any of the passwords defined in Security Administrator. I assume the same is true in Windows although I have not tested it.
DianaE
Great tip Ben, thank you. According to Lawson's KB article 2007012226996, Lawson's software never challenges the OS (Windows) user's password (except for execjob, which I have set up to run as a Privileged Identity). I ran a few tests and everything appears to work well.
Jimmy Chiu
Turn on the firewall on the LID port. Block it. (You can unblock it and then connect, leaving yourself a backdoor.)

Or change the LID port to something else that no one knows.

After all, I wouldn't want to sit down and guess between a number 1 to 65535 to connect through LID.
DianaE
If I change the lalogin (LID) port number within laconfig, are there any other areas I need to reconfigure for this port change?
Jimmy Chiu
laconfig is the only modification you need to change the LID port.

Once it's changed, only you or people with access to laconfig can see the changed LID port.