Deny LID Use

DianaE
Basic Member
Posts: 10

    We are in the process of moving to Apps. 9 and in that process moving our LID users to Portal.  We are still on LAUA security and will not be turning on CheckLS = yes within Lawson Security for a while yet.  Is there a file I could adjust that would deny users access to all application forms via lapm in LID?  Essentially, I want to mimic what Lawson Security does.

    Greg Moeller
    Veteran Member
    Posts: 1498
      You didn't indicate which platform you are on, but if it's Unix, you can give all of the users a fake shell.
      usermod -s /usr/bin/none

      That way you can still have LID available for the people (by not changing their shell to an invalid one) that will probably still need to access it once in a while. Yes, LID is still needed/more convenient for some tasks.
      Greg Moeller
      Veteran Member
      Posts: 1498
        Let's try that again...

        usermod -s /usr/bin/none login-id

        or

        usermod -s /usr/bin/false login-id
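Greg's approach on Unix, as an added example that is not part of the original posts: it plans the shell change for every ordinary account except an allow-list of users who keep LID, and only prints the `usermod` commands for review. The function names, the sample accounts and the UID cutoff of 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (does not run) the
# usermod commands that give every non-exempt account a non-login shell.

# plan_lid_lockout KEEP_LIST [MIN_UID]   (hypothetical helper)
#   stdin      passwd(5)-format lines, e.g. from /etc/passwd
#   KEEP_LIST  space-separated login IDs that keep their current shell
#   MIN_UID    accounts below this UID are skipped (assumed default: 1000)
plan_lid_lockout() {
    awk -F: -v keep="$1" -v min="${2:-1000}" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) allow[k[i]] = 1
        }
        $3 + 0 < min              { next }  # system/service account
        $1 in allow               { next }  # still needs LID
        $7 ~ /\/(false|nologin)$/ { next }  # already has a non-login shell
        { printf "usermod -s /usr/bin/false %s\n", $1 }
    '
}

# Constructed sample data standing in for /etc/passwd.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
lawson:x:1000:1000:Lawson admin:/home/lawson:/bin/ksh
jsmith:x:1001:1001:J Smith:/home/jsmith:/bin/ksh
mjones:x:1002:1002:M Jones:/home/mjones:/usr/bin/false
akhan:x:1003:1003:A Khan:/home/akhan:/bin/sh
EOF
}

# Keep LID for the "lawson" account only; review the output before
# running any of it as root.
sample_passwd | plan_lid_lockout "lawson"
```

Against a live system, feed it `/etc/passwd` on stdin and check that service accounts used for batch jobs are either below the UID cutoff or on the keep list before applying anything.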
        DianaE
        Basic Member
        Posts: 10
          Thanks for the information Greg. We are on the Windows platform.
          Ben Coonfield
          Veteran Member
          Posts: 146
            In my case if I altered the OS password and left the SSOP password, a user would still be able to log on to portal (using the SSOP password), but would not be able to log on to LID which would use the OS password (because they wouldn't know the new value).
            DianaE
            Basic Member
            Posts: 10
              Thanks Ben. I changed the OS password with Lawson Security but my system is still allowing the user to access Desktop Client Logon with the old password. I did clear the Cache under Server Management. Is there something I might be missing?
              Ben Coonfield
              Veteran Member
              Posts: 146
                Change it in Windows rather than Security Administrator. For Windows, assuming you have not done an LDAP bind, you can just log on to Windows with that userid, hit Ctrl-Alt-Delete, & select "Change Password". There are of course other tools to achieve the same thing, depending on which tools you have access to, and whether this is a domain or a local account.

                If this is a domain account, this will affect that userid across the domain, not just in Lawson.

                On Unix at least, LID uses the password defined to the operating system, not any of the passwords defined in Security Administrator. I assume the same is true in Windows although I have not tested it.
                DianaE
                Basic Member
                Posts: 10
                  Great tip Ben, thank you. According to Lawson's KB article 2007012226996, Lawson's software never challenges the OS (Windows) user's password (except for execjob - which I have set up to run as a Privileged Identity). I ran a few tests and everything appears to work well.
                  Jimmy Chiu
                  Veteran Member
                  Posts: 641
                    Turn on the firewall on the LID port. Block it. (You can unblock it and then connect, leaving yourself a backdoor.)

                    Or change the LID port to something else that no one knows.

                    After all, I wouldn't want to sit down and guess a number between 1 and 65535 to connect thru LID.
                    DianaE
                    Basic Member
                    Posts: 10
                      If I change the lalogin (LID) Port number within laconfig - are there any other areas I need to reconfigure for this port change?
                      Jimmy Chiu
                      Veteran Member
                      Posts: 641
                        laconfig is the only modification you need to change the LID port.

                        Once it's changed, only you or people with access to laconfig can see the changed LID port.