Can the Domain_User password in LSA be Synced with Active Directory?

bobc
Basic Member
Posts: 10
We are migrating from the HP-UX version of Lawson to the Windows version. During testing we were getting a "user could not be logged in" error when running batch jobs and found out that their Domain_User password needed to be manually inputted in Manage Identities/Prod service in LSA in order to run batch jobs. This wasn't required in the HP-UX version.

It isn't practical to have to manually input over 100 network passwords in LSA every 90 days, and users aren't allowed to give up their password anyway. Is there a way to have the user's network password automatically updated in LSA when they change their password? Apparently the LDAP bind doesn't do that. Or is there possibly something wrong with the setup? It doesn't seem it would be intended to work this way. Thanks.

John Henley
Senior Member
Posts: 3348

Bob, that is not necessary. LDAP bind is used for the SSOP user for Portal login. In order to satisfy the batch user requirement, you just need to set up a single privileged identity called BATCH in LSA, and that will be used on behalf of all batch users. Their password for the DOMAIN_USER can be anything; it is never used.

Thanks for using the LawsonGuru.com forums!
John
bobc
Basic Member
Posts: 10

Thanks, John. I don't see a BATCH identity under Manage Identities. I'll contact the person who installed this environment. I'm not sure he knows about this BATCH identity. Thanks for your help!

Greg Moeller
Veteran Member
Posts: 1498

We actually have ours running under an id called 'lawbatch', but I'm not sure where that gets associated with all batch jobs.
John Henley
Senior Member
Posts: 3348

User management | Manage Privileged Identities
Select the service for your LSF environment.
You might see one for ONLINE and/or BATCH.
If you don't, you can add it and map it to a DOMAIN_USER (I usually create one called lawbatch for BATCH and lawonline for ONLINE).

Thanks for using the LawsonGuru.com forums!
John
John Henley
Senior Member
Posts: 3348

You also need to add a line in LAWDIR/system/lajs.cfg:
RUNUSERKEY BATCH

Thanks for using the LawsonGuru.com forums!
John
John Henley
Senior Member
Posts: 3348

RUNUSERKEY BATCH is what instructs the job queue engine to look up the BATCH privileged identity as a fallback if logon fails for the DOMAIN_USER.

Thanks for using the LawsonGuru.com forums!
John
John Henley
Senior Member
Posts: 3348

Adding the RUNUSERKEY BATCH line to lajs.cfg is a (manual) step in the LSF installation process.

Thanks for using the LawsonGuru.com forums!
John
bobc
Basic Member
Posts: 10

I checked in Manage Privileged Identities and there is an ONLINE and BATCH identity. The BATCH identity does have a domain user and password. I'll have to check to see if the password is good. That could be the problem. Thanks, guys.
bobc
Basic Member
Posts: 10

RUNUSERKEY is commented out in lajs.cfg. Do we need RUNUSERKEY BATCH and BATCH Identity to be uncommented as well? This is what we have in lajs.cfg:
*/RUNUSERKEY BATCH /* BATCH Identity
RUNUSERKEY BATCH /* BATCH Identity
John Henley
Senior Member
Posts: 3348

Not sure why it's commented out nor why it appears to be in there twice, but it only needs to be a single line:
RUNUSERKEY BATCH

Once you put that in, restart your environment.

Thanks for using the LawsonGuru.com forums!
John
bobc
Basic Member
Posts: 10

Thanks, John. I added the line and restarted everything and it's now working. We're very grateful.
John Henley
Senior Member
Posts: 3348

Moving to sys admin / security forum.

Thanks for using the LawsonGuru.com forums!
John