Who's On?

	Membership:
	Latest: Hitman
	Past 24 Hours: 0
	Prev. 24 Hours: 1
	Overall: 5208

	People Online:
	Visitors: 248
	Members: 0
	Total: 248

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3291
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1372
Roger French	1315
mark.cook	1244

Can the Domain_User password in LSA be Synced with Active Directory?

12 Replies

0 Subscribed to this topic

15 Subscribed to this forum

Sort:

Author

Messages

bobc

Basic Member

Posts: 10

12/16/2020 3:58 PM

We are migrating from the HP-UX version of Lawson to the Windows version. During testing we were getting a "user could not be logged in" error when running batch jobs and found out that their Domain_User password needed to be manually inputted in Manage Identities/Prod service in LSA in order to run batch jobs. This wasn't required in the HP-UX version.

It isn't practical to have to manually input over 100 network passwords in LSA every 90 days, and users aren't allowed to give up their password anyway. Is there a way to have the user's network password automatically updated in LSA when they change their password? Apparently the LDAP bind doesn't do that. Or is there possibly something wrong with the setup? It doesn't seem it would be intended to work this way. Thanks.

John Henley

Posts: 3353

12/16/2020 4:06 PM

Bob, that is not necessary. LDAP bind is used for the SSOP user for Portal login. In order to satisfy the batch user requirement, you just need to set up a single privileged identity called BATCH in LSA, and that will be used on behalf of all batch users. Their password for the DOMAIN_USER can be anything, it is never used.

bobc

Basic Member

Posts: 10

12/16/2020 5:33 PM

Thanks, John. I don't see a BATCH identity under Manage Identities. I'll contact the person who installed this environment. I'm not sure he knows about this BATCH identity. Thanks for your help!

Greg Moeller

Veteran Member

Posts: 1498

12/16/2020 5:43 PM

we actually have ours running under an id called 'lawbatch' -- but I'm not sure where that gets associated with all batch jobs at.

John Henley

Posts: 3353

12/16/2020 5:45 PM

User management | Manage Privileged Identities
select the service for your LSF environment
you might see on for ONLINE and/or BATCH
if you don't you can add it and map it to a DOMAIN_USER (I usually create one called lawbatch for BATCH and lawonline for ONLINE).

John Henley

Posts: 3353

12/16/2020 5:50 PM

also need to add a line in LAWDIR/system/lajs.cfg
RUNUSERKEY BATCH

John Henley

Posts: 3353

12/16/2020 5:51 PM

RUNUSERKEY BATCH is what instructs the job queue engine to look up the BATCH privileged identity as a fallback if logon fails for the DOMAIN_USER.

John Henley

Posts: 3353

12/16/2020 5:53 PM

adding the RUNUSERKEY BATCH line to lajs.cfg is a (manual) step in the LSF installation process.

bobc

Basic Member

Posts: 10

12/16/2020 5:57 PM

I checked in Manage Privileged Identities and there is an ONLINE and BATCH identity. The BATCH identity does have a domain user and password. I'll have to check to see if the password is good. That could be the problem. Thanks, guys.

bobc

Basic Member

Posts: 10

12/16/2020 8:17 PM

RUNUSERKEY is commented out in lajs.cfg. Do we need BATCH IdentityRUNUSERKEY BATCH and BATCH Identity to be uncommented as well? This is what we have in lajs.cfg.
*/RUNUSERKEY BATCH /* BATCH IdentityRUNUSERKEY BATCH /* BATCH Identity

John Henley

Posts: 3353

12/16/2020 8:53 PM

not sure why it's commented out nor why it appears to be in there twice, but it only needs to be a single line:
RUNUSERKEY BATCH

Once you put that in, restart your environment.

bobc

Basic Member

Posts: 10

12/16/2020 9:34 PM

Thanks, John. I added the line and restarted everything and it's now working. We're very grateful.

John Henley

Posts: 3353

12/17/2020 3:14 PM

moving to sys admin / security forum