Who's On?

	Membership:
	Latest: Zac Shields
	Past 24 Hours: 0
	Prev. 24 Hours: 1
	Overall: 5210

	People Online:
	Visitors: 169
	Members: 0
	Total: 169

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3291
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1372
Roger French	1315
mark.cook	1244

Deny LID Use

10 Replies

0 Subscribed to this topic

13 Subscribed to this forum

Sort:

Author

Messages

DianaE

Basic Member

Posts: 10

4/29/2009 5:26 PM

We are in the process of moving to Apps. 9 and in that process moving our LID users to Portal. We are still on LAUA security and will not be turning on CheckLS = yes within Lawson Security for a while yet. Is there a file I could adjust that would deny users access to all application forms via lapm in LID? Essentially, I want to mimic what Lawson Security does.

Greg Moeller

Veteran Member

Posts: 1498

4/29/2009 5:41 PM

You didn't indicate which platform you are on, but if it's Unix, you can give all of the users a fake shell.
usermod -s /usr/bin/none

That way you can still have LID available for the people (by not changing their shell to an invalid one) that will probably still need to access it once in a while. Yes, LID is still needed/more convenient for some tasks.

Greg Moeller

Veteran Member

Posts: 1498

4/29/2009 6:07 PM

Let's try that again...

usermod -s /usr/bin/none login-id

or

usermod -s /usr/bin/false login-id

DianaE

Basic Member

Posts: 10

4/29/2009 7:06 PM

Thanks for the information Greg. We are on the Windows platform.

Ben Coonfield

Veteran Member

Posts: 146

4/30/2009 12:28 AM

In my case if I altered the OS password and left the SSOP password, a user would still be able to log on to portal (using the SSOP password), but would not be able to log on to LID which would use the OS password (because they wouldn't know the new value).

DianaE

Basic Member

Posts: 10

4/30/2009 2:02 PM

Thanks Ben. I changed the OS password with Lawson Security but my system is still allowing the user to access Desktop Client Logon with the old password. I did clear the Cache under Server Management. Is there something I might be missing?

Ben Coonfield

Veteran Member

Posts: 146

4/30/2009 2:46 PM

Change it in Windows rather than Security Administrator. For Windows, assuming you have not done an ldap bind you can just log on to Windows with that userid, hit ctl-alt-delete, & select "Change Password". There are of course other tools to achive the same thing, depending on which tools you have access to, and whether this is a domain or a local account.

If this is a domain account, this will affect that userid accross the domain, not just in Lawson.

On Unix at least, LID uses the password defined to the operating system, not any of the passwords defined in Security Administrator. I assume the same is true in Windows although I have not tested it.

DianaE

Basic Member

Posts: 10

5/4/2009 3:29 PM

Great tip Ben, thank you. According to Lawson's KB article 2007012226996 Lawson's software never challenges the OS (Windows) user's password (except for execjob - which I have set up to run as a Privileged Identity). I ran a few tests and everything appears to work well.

Jimmy Chiu

Veteran Member

Posts: 641

5/6/2009 10:35 PM

Turn on the firewall on the LID Port. block it. (you can unblock it and then connect, leaving yourself a backdoor)

Or change the LID port to something else that no one know.

afterall, i wouldn't want to sit down and guess between a number 1 to 65535 to connect thru LID.

DianaE

Basic Member

Posts: 10

5/7/2009 3:11 PM

If I change the lalogin (LID) Port number within laconfig - are there any other areas I need to reconfigure for this port change?

Jimmy Chiu

Veteran Member

Posts: 641

5/16/2009 7:02 PM

laconfig is the only modification you need to change LID port.

once it's changed, only you or people with access to laconfig can see the changed lid port.