Help Desk password reset tool?

Mike Schlenk
Veteran Member
Posts: 71
    I'm digging deep into the SSO servlets looking for a way to enter a call in a pflow to force the LDAP sync. If anyone has any ideas, it would be much appreciated.
    jojo.serquina
    Veteran Member
    Posts: 63
      newbie question: where are the SSO servlets located?
      John Desmarais
      Basic Member
      Posts: 20

        We did the scripted ssoconfig thing during the time in between implementing LSF9 and doing the ldapbind.  In our case, we use an enterprise-wide password maintenance tool (Entact), but the basic idea would work without it, as all it did in our case was deliver an xml file.  I won't claim it was elegant, but it worked.  The biggest downside is that you're passing passwords around as plain text.  What you would need to create is a program that the help desk would use that would let them enter an id and password, then create and deliver the xml file.

        The xml file looked like the attachment (where cdh034 is the user id and newpawd is the password):



        We then had a cron driven script executing ssoconfig (where ???????? is your ssoconfig password):

        #  Script to look through the directory FTPHub drops Entact requests
        #  into and process them through ssoconfig.
        . cv lawprod
        ENTACTDIR=/lawson/lawprod/law/entact
        LISTFILE=$ENTACTDIR/list
        LOGFILE=/lawson/lawprod/law/system/ChangeSSOPassword.log
        DATESTAMP=$(date '+%D %r')
        # Check to see if there is a lase process (the grep itself counts as one match)
        if (( $(ps -ef | grep lase | wc -l) >= 2 )); then
           ls "$ENTACTDIR"/UserID*.xml > "$LISTFILE" 2> /dev/null
           if [[ -s $LISTFILE ]]
           then
              exec 0<"$LISTFILE"
              while read -r NAME
              do
                 print "$DATESTAMP  Updating password" >> "$LOGFILE"
                 fgrep "" "$NAME" >> "$LOGFILE"
                 ssoconfig -l ???????? "$NAME" >> "$LOGFILE"
                 rm -f "$NAME" >> "$LOGFILE"
              done
           fi
           rm "$LISTFILE"
        fi
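
A drop directory that carries plain-text passwords is only as safe as the files allowed into it. The following is an added example, not part of the original post or the poster's script: a shell guard that accepts a request file only if it is a regular file owned by the processing account with no group/other access, and that never copies request contents into the log. The function names and `APPLY_CMD` (a stand-in for the site's own ssoconfig invocation) are assumptions; the `UserID*.xml` pattern is taken from the post.

```shell
#!/bin/sh
# Added example: vet password-request files before they are processed.
# APPLY_CMD is a hypothetical stand-in for the site's real command (for
# instance the ssoconfig call); it defaults to "true" so this runs anywhere.
APPLY_CMD=${APPLY_CMD:-true}

# Succeeds only for a regular file (not a symlink) that is owned by the
# current user and has no group or other permission bits set.
request_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -O "$1" ] || return 1
    # Columns 5-10 of "ls -ld" are the group and other permission bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# process_requests DIR LOG
# Applies every acceptable UserID*.xml in DIR and deletes it afterwards.
# Only file names are logged; request contents and tool output are not.
# Runs in a subshell so the umask change does not leak to the caller.
process_requests() (
    dir=$1
    log=$2
    umask 077                                  # new log file is owner-only
    for f in "$dir"/UserID*.xml; do
        [ -e "$f" ] || [ -L "$f" ] || continue # pattern matched nothing
        stamp=$(date '+%Y-%m-%d %H:%M:%S')
        if request_file_ok "$f"; then
            if $APPLY_CMD "$f" >/dev/null 2>&1; then
                echo "$stamp applied ${f##*/}" >> "$log"
            else
                echo "$stamp FAILED ${f##*/}" >> "$log"
            fi
            rm -f -- "$f"                      # password leaves disk either way
        else
            # Left in place for inspection; never handed to APPLY_CMD.
            echo "$stamp REJECTED ${f##*/} (type, owner or mode)" >> "$log"
        fi
    done
)

# Usage from cron (paths are placeholders):
#   process_requests /path/to/dropdir /path/to/ChangeSSOPassword.log
```

The drop directory itself should be writable only by the delivering account, otherwise the per-file checks can be raced.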

        Kwane McNeal
        Veteran Member
        Posts: 479
          Sorry, I hadn't been watching this list actively lately. I missed a few questions out here.

          John Desmarais is a really bright guy, and his solution would work well. As he said, NOT OPTIMAL, but it does work. I'm with him on the plain-text passwords. Lawson (if you're reading), give us a command line tool to encrypt the passwords for ssoconfig, like with BPM config.

          The other major method would be to emulate the LSGate calls the Security Client uses internally.

          Kwane
          Mike Schlenk
          Veteran Member
          Posts: 71
            I found ssoconfig to be unreliable with the -l tag.

            I ended up using processflow with a custom service that picks up a csv. This csv is populated from another web site that authenticates either by helpdesk assigned temporary password or Novell authentication. Since Lawson ids always begin with the Novell ID, it works kind of like a self-help.

            I'd really like to utilize the same Bouncy Castle routines to encrypt the password in order to get past the (up to) 15-minute delay. At least until we do the LDAP bind.

            Thanks for all of the input.