Last Post 12/17/2020 10:14 AM by  John Henley
Can the Domain_User password in LSA be Synced with Active Directory?
 12 Replies
bobc
Systems Administrator
12/16/2020 10:58 AM

    We are migrating from the HP-UX version of Lawson to the Windows version. During testing we were getting a "user could not be logged in" error when running batch jobs and found out that their Domain_User password needed to be manually inputted in Manage Identities/Prod service in LSA in order to run batch jobs. This wasn't required in the HP-UX version.

    It isn't practical to have to manually input over 100 network passwords in LSA every 90 days, and users aren't allowed to give up their password anyway. Is there a way to have the user's network password automatically updated in LSA when they change their password? Apparently the LDAP bind doesn't do that.  Or is there possibly something wrong with the setup?  It doesn't seem it would be intended to work this way.  Thanks.

    John Henley
    12/16/2020 11:06 AM
    Bob, that is not necessary. LDAP bind is used for the SSOP user for Portal login. In order to satisfy the batch user requirement, you just need to set up a single privileged identity called BATCH in LSA, and that will be used on behalf of all batch users. Their password for the DOMAIN_USER can be anything, it is never used.
    Thanks for using the LawsonGuru.com forums!
    John
    bobc
    12/16/2020 12:33 PM

    Thanks, John.  I don't see a BATCH identity under Manage Identities.  I'll contact the person who installed this environment.  I'm not sure he knows about this BATCH identity.  Thanks for your help!

    Greg Moeller
    12/16/2020 12:43 PM
    We actually have ours running under an id called 'lawbatch' -- but I'm not sure where that gets associated with all batch jobs at.
    John Henley
    12/16/2020 12:45 PM
    User management | Manage Privileged Identities
    select the service for your LSF environment
    you might see one for ONLINE and/or BATCH
    if you don't, you can add it and map it to a DOMAIN_USER (I usually create one called lawbatch for BATCH and lawonline for ONLINE).
    John Henley
    12/16/2020 12:50 PM
    also need to add a line in LAWDIR/system/lajs.cfg
    RUNUSERKEY BATCH
    John Henley
    12/16/2020 12:51 PM
    RUNUSERKEY BATCH is what instructs the job queue engine to look up the BATCH privileged identity as a fallback if logon fails for the DOMAIN_USER.
    John Henley
    12/16/2020 12:53 PM
    adding the RUNUSERKEY BATCH line to lajs.cfg is a (manual) step in the LSF installation process.
    bobc
    12/16/2020 12:57 PM
    I checked in Manage Privileged Identities and there is an ONLINE and BATCH identity. The BATCH identity does have a domain user and password. I'll have to check to see if the password is good. That could be the problem. Thanks, guys.
    bobc
    12/16/2020 3:17 PM
    RUNUSERKEY is commented out in lajs.cfg. Do we need BATCH IdentityRUNUSERKEY BATCH and BATCH Identity to be uncommented as well? This is what we have in lajs.cfg.
    */RUNUSERKEY BATCH /* BATCH IdentityRUNUSERKEY BATCH /* BATCH Identity
    John Henley
    12/16/2020 3:53 PM
    not sure why it's commented out nor why it appears to be in there twice, but it only needs to be a single line:
    RUNUSERKEY BATCH

    Once you put that in, restart your environment.
    bobc
    12/16/2020 4:34 PM
    Thanks, John. I added the line and restarted everything and it's now working. We're very grateful.
    John Henley
    12/17/2020 10:14 AM
    moving to sys admin / security forum