Last Post 5/16/2009 7:02 PM by  Jimmy Chiu
Deny LID Use
DianaE
4/29/2009 5:26 PM

    We are in the process of moving to Apps. 9 and in that process moving our LID users to Portal.  We are still on LAUA security and will not be turning on CheckLS = yes within Lawson Security for a while yet.  Is there a file I could adjust that would deny users access to all application forms via lapm in LID?  Essentially, I want to mimic what Lawson Security does.

    Greg Moeller
    4/29/2009 5:41 PM
    You didn't indicate which platform you are on, but if it's Unix, you can give all of the users a fake shell.
    usermod -s /usr/bin/none

    That way you can still have LID available for the people (by not changing their shell to an invalid one) that will probably still need to access it once in a while. Yes, LID is still needed/more convenient for some tasks.
    Greg Moeller
    4/29/2009 6:07 PM
    Let's try that again...

    usermod -s /usr/bin/none login-id

    or

    usermod -s /usr/bin/false login-id
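
A way to check the result of the shell change suggested in the post above, added here as an example and not part of the original thread: it reads passwd-format lines and flags accounts that still have an interactive shell but are not on the list meant to keep LID. The function names, the sample accounts, the UID cutoff of 1000 and the keep-list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can still get a login shell.
# Shells that refuse a login: the two paths from the thread plus common equivalents.
DENY_SHELLS="/usr/bin/none /usr/bin/false /bin/false /sbin/nologin /usr/sbin/nologin"

# Constructed sample in passwd(5) format; every account here is made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
lawson:x:1000:1000:Lawson admin:/home/lawson:/bin/ksh
jsmith:x:1001:1001:J Smith:/home/jsmith:/usr/bin/false
adoe:x:1002:1002:A Doe:/home/adoe:/bin/ksh
bjones:x:1003:1003:B Jones:/home/bjones:/usr/bin/none
cwu:x:1004:1004:C Wu:/home/cwu:
EOF
}

# lid_shell_audit MIN_UID KEEP_LIST   (passwd-format lines on stdin)
#   MIN_UID   lowest UID treated as a human account (site-specific assumption)
#   KEEP_LIST space-separated login-ids that are meant to keep LID access
# Prints "<login> <shell> <status>" where status is:
#   denied = fake shell set, kept = on the keep-list, REVIEW = still interactive
lid_shell_audit() {
    awk -F: -v min="$1" -v keep="$2" -v deny="$DENY_SHELLS" '
        BEGIN {
            n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1
            n = split(deny, d, " "); for (i = 1; i <= n; i++) denyset[d[i]] = 1
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        $3 + 0 < min + 0 { next }        # skip system accounts
        {
            shell = ($7 == "" ? "/bin/sh" : $7)   # empty field means /bin/sh
            if (shell in denyset)      status = "denied"
            else if ($1 in keepset)    status = "kept"
            else                       status = "REVIEW"
            print $1, shell, status
        }'
}

# On a real host feed it the account database instead, e.g.  < /etc/passwd
sample_passwd | lid_shell_audit 1000 "lawson"
```

Accounts reported as REVIEW are the ones the usermod change has not reached yet.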
    DianaE
    4/29/2009 7:06 PM
    Thanks for the information Greg. We are on the Windows platform.
    Ben Coonfield
    4/30/2009 12:28 AM
    In my case if I altered the OS password and left the SSOP password, a user would still be able to log on to portal (using the SSOP password), but would not be able to log on to LID which would use the OS password (because they wouldn't know the new value).
    DianaE
    4/30/2009 2:02 PM
    Thanks Ben. I changed the OS password with Lawson Security but my system is still allowing the user to access Desktop Client Logon with the old password. I did clear the Cache under Server Management. Is there something I might be missing?
    Ben Coonfield
    4/30/2009 2:46 PM
    Change it in Windows rather than Security Administrator. For Windows, assuming you have not done an LDAP bind, you can just log on to Windows with that userid, hit Ctrl-Alt-Delete, & select "Change Password". There are of course other tools to achieve the same thing, depending on which tools you have access to, and whether this is a domain or a local account.

    If this is a domain account, this will affect that userid across the domain, not just in Lawson.

    On Unix at least, LID uses the password defined to the operating system, not any of the passwords defined in Security Administrator. I assume the same is true in Windows although I have not tested it.
    DianaE
    5/4/2009 3:29 PM
    Great tip Ben, thank you. According to Lawson's KB article 2007012226996, Lawson's software never challenges the OS (Windows) user's password (except for execjob - which I have set up to run as a Privileged Identity). I ran a few tests and everything appears to work well.
    Jimmy Chiu
    System Analyst
    Federal Government
    5/6/2009 10:35 PM
    Turn on the firewall on the LID port. Block it. (You can unblock it and then connect, leaving yourself a backdoor.)

    Or change the LID port to something else that no one knows.

    After all, I wouldn't want to sit down and guess between a number 1 to 65535 to connect through LID.
    DianaE
    5/7/2009 3:11 PM
    If I change the lalogin (LID) Port number within laconfig - are there any other areas I need to reconfigure for this port change?
    Jimmy Chiu
    5/16/2009 7:02 PM
    laconfig is the only modification you need to change LID port.

    Once it's changed, only you or people with access to laconfig can see the changed LID port.