
Title: Identity Mgmt And Listing Users
Description: LSF9 Security


jph826 - November 12, 2007 05:48 PM (GMT)
We have just migrated from env 8.0.3 to 9.0.0.3. It appears that in LSA [1] some of the users are missing and [2] some of the users that are there are missing an attribute for Company. I'm using Lawson Security Administration, clicking on User Management, then clicking on PROD_EMPLOYEE. It is my understanding that each user must have an attribute for company and employee. Does anyone know how I can extract a list of all users and their attributes to help me unravel this puzzle? I tried using Lawson RM Administrator, but there is no query field for company. I also tried ssoconfig -c. It was ugly and only brought back 999 records. We have over 8,000. Are there any tables I could query? (I miss rd30 records!)

Any assistance would be much appreciated. Thanks!

Keith_G_Thompson - November 12, 2007 06:15 PM (GMT)
Welcome to the (honestly) short-sightedness of Lawson. In LSF9 it appears that the development team designed Lawson user management to really only be for a few users at a time, maybe say 50. Anything more than that and you have to branch out on your own.

We manage about 4000 users and had a similar set of challenges. I found the reporting in the security admin client very lacking, and although I was able to get the information to show up in their reports, it was impossible to meaningfully manipulate the resulting reports to find these types of errors.

What I would suggest is a direct export of the LDAP entries. Hopefully you are a techie, or have access to one. You can find the employee self-service identities in two places:

CN=PROD_EMPLOYEE, lwsnsooRMId=<employee login>, OU=idxref,O=lwsnSecData,<BASE DN>

- and -

lwsnssoLoginIds=COMPANY:9999::EMPLOYEE:999999999,CN=PROD_EMPLOYEE,OU=svcxref,O=lwsnSecData,<BASE DN>

Note that these two entries are a cross reference of each other. The 1st shows you their employee entry if you know their login ID and the other shows their login ID if you know their company / employee number.

If you're not familiar with LDAP commands, reference Google. There are definitely some good articles out there with examples (but I do not have a favorite). Here's an example for ADAM to help you get started. Tivoli will be similar, but has different syntax.

ldifde -m -f EMPLOYEE.ldif
-b <ldap user> <user domain> *
-s <ldap server> -t <ldap port>
-d "CN=PROD_EMPLOYEE,OU=svcxref,o=lwsnSecData,O=lwsn,DC=mts,DC=net" -j .


Good hunting! They don't cover this stuff in class, so it'll be up to you to find where this information is within the LDAP. Get a hold of an LDAP browser (free on the internet) and take a look around...
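
Added example (not part of the thread and not Lawson code): once the svcxref container has been exported to LDIF as described in the post above, a short Python script can list the identities whose lwsnssoLoginIds value lacks a COMPANY or EMPLOYEE part. The NAME:value::NAME:value layout is inferred from the single DN quoted in the post; the base DN, the sample values and the two "missing company" shapes are constructed assumptions.

```python
import base64
import re

BASE = "CN=PROD_EMPLOYEE,OU=svcxref,O=lwsnSecData,DC=example,DC=test"  # made-up base DN
# Constructed sample export; values and the "missing company" shapes are assumptions.
SAMPLE_LDIF = "\n".join([
    f"dn: {BASE}", "changetype: add", "",                    # container entry
    f"dn: lwsnssoLoginIds=COMPANY:100::EMPLOYEE:4711,{BASE}", "changetype: add", "",
    "dn: lwsnssoLoginIds=COMPANY:::EMPLOYEE:4712,CN=PROD_EMPLOYEE,",  # empty company,
    " OU=svcxref,O=lwsnSecData,DC=example,DC=test", "changetype: add", "",  # folded DN
    "dn:: " + base64.b64encode(f"lwsnssoLoginIds=EMPLOYEE:4713,{BASE}".encode()).decode(),
    "changetype: add", "",                                   # company part absent
])

def read_dns(ldif_text):
    """Yield each entry's DN, undoing LDIF line folding and base64 ('dn::') encoding."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def parse_identity(dn):
    """Return the NAME -> value parts of the first RDN, or None for other entries."""
    m = re.match(r"lwsnssoLoginIds=([^,]*),CN=PROD_EMPLOYEE,OU=svcxref,", dn, re.I)
    if not m:
        return None
    # Each part looks like NAME:value; parts are separated by '::'.
    return {k.upper(): v for k, v in re.findall(r"([A-Za-z_]+):([^:]*)", m.group(1))}

def audit(ldif_text, required=("COMPANY", "EMPLOYEE")):
    """Return (complete, incomplete): identity dicts, and (dn, missing_parts) pairs."""
    complete, incomplete = [], []
    for dn in read_dns(ldif_text):
        fields = parse_identity(dn)
        if fields is None:
            continue  # container or unrelated entry
        missing = [k for k in required if not fields.get(k)]
        if missing:
            incomplete.append((dn, missing))
        else:
            complete.append(fields)
    return complete, incomplete

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LDIF)
    print(f"{len(ok)} complete identities, {len(bad)} incomplete")
    for dn, missing in bad:
        print("missing", ",".join(missing), "->", dn)
```

To run it against a real export, read the file written by ldifde (EMPLOYEE.ldif in the command above) and pass its text to audit().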

jph826 - November 12, 2007 08:59 PM (GMT)
Thanks for your response.

Today, I'm waiting on Lawson to answer the same question that I posted here. So far, they are telling me there is a known problem with the LSA query not working when you enter criteria company !=. There is a PT (171483) scheduled to be released by the end of March 2008. They said for me to run a query that would return all correct entries. I'm guessing I would have to figure out a way to move that data into something else, then figure out a way to compare it to other employee data to find out who's missing what. Very painful.

Thanks again. You've saved me many additional hours of research trying to fit a square peg into a round hole. You have pointed me in another direction that sounds much more feasible. I'll talk to my LDAP expert and try to get an export of the data.


