
LAWSON authentication with LDAP

Integrating LDAP/AD login names and passwords with our UNIX environment was not implemented without its challenges, but they all pale next to the benefits. One of these benefits is the ability to use long login names (AIX allows up to 255 characters).

It came as a surprise to discover that the LAWSON application's own authentication mechanism does not accept logins longer than 10 characters, oops. For a moment we felt doomed. But thanks to the splendid LAWSON administrator we have, we discovered that the long login names used by the operating system can be mapped to the shorter ones LAWSON allows. To LAWSON, a user is any login that has an entry in /etc/passwd. It does not matter whether there is a corresponding entry in /etc/group, /etc/security/user and so forth; there must be an entry in /etc/passwd for LAWSON to treat a login account as a legitimate one.

So somewhere, in a place only the LAWSON administrator knows, there is a file that maps each UNIX login name to the corresponding LAWSON application login name. LAWSON user authentication then proceeds along these lines:

    a. the user logs into the UNIX host with his or her long login name;
       LDAP authenticates the user

    b. AIX passes the flow of control to /etc/profile

    c. inside this file there is a call to a script that, based on the user's
       group membership, invokes the LAWSON authentication procedure

    d. this procedure maps the OS login name to the shorter LAWSON login, which is
       looked up in /etc/passwd; if a match is found the user is handed over
       to LAWSON

    e. the user is asked for the LAWSON password and, if a valid response is
       provided, can proceed into the LAWSON realm.
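As an added illustration (this is not code from the post, and the real map file lives wherever the Lawson administrator keeps it), here is a self-contained sketch of the /etc/profile hook from steps b to d. The map-file format, the group name `lawson`, the Lawson login command and the sample users are assumptions; the passwd file is a constructed copy so the script can run offline without touching /etc/passwd:

```shell
#!/bin/sh
# Added example, not code from the original post: a self-contained model of the
# /etc/profile hook described in steps b-d. The map-file location and its
# "os_login lawson_login" format, the Lawson group name and the Lawson login
# command are all assumptions; the real map file lives wherever the Lawson
# administrator keeps it.

# Constructed sample data so the script runs offline. In production
# LAWSON_MAP is the admin's map file and PASSWD_FILE is /etc/passwd.
LAWSON_MAP="${TMPDIR:-/tmp}/lawson_map.$$"
PASSWD_FILE="${TMPDIR:-/tmp}/lawson_passwd.$$"
trap 'rm -f "$LAWSON_MAP" "$PASSWD_FILE"' EXIT

cat > "$LAWSON_MAP" <<'EOF'
# os_login            lawson_login
waldemar.duszyk       wduszyk
ramon.the.awk.guy     ramon
too.long.mapping      toolongname
mapped.but.missing    ghost
EOF

cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
wduszyk:!:205:1::/home/wduszyk:/usr/bin/ksh
ramon:!:206:1::/home/ramon:/usr/bin/ksh
toolongname:!:207:1::/home/toolongname:/usr/bin/ksh
EOF

LAWSON_MAX_LOGIN=10

# map_lawson_login OS_LOGIN MAPFILE
# Prints the Lawson login for OS_LOGIN; returns 1 if there is no mapping.
# Comment lines and short lines in the map are ignored; first match wins.
map_lawson_login() {
    awk -v os="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == os { print $2; found = 1; exit }
        END { exit !found }' "$2"
}

# in_passwd LOGIN PASSWDFILE
# Returns 0 if LOGIN has an entry in PASSWDFILE: the only check Lawson itself
# makes, since a Lawson user is whoever has an /etc/passwd entry.
in_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1; exit } END { exit !found }' "$2"
}

# lawson_gate OS_LOGIN MAPFILE PASSWDFILE
# Prints the Lawson login and returns 0 when the user may go on to the Lawson
# password prompt. Return codes: 1 no mapping, 2 mapped name longer than
# LAWSON_MAX_LOGIN, 3 mapped name has no passwd entry.
lawson_gate() {
    os_login=$1 map_file=$2 passwd=$3
    lawson_login=$(map_lawson_login "$os_login" "$map_file") || return 1
    [ "${#lawson_login}" -le "$LAWSON_MAX_LOGIN" ] || return 2
    in_passwd "$lawson_login" "$passwd" || return 3
    printf '%s\n' "$lawson_login"
}

# What /etc/profile would do (step c): only members of the Lawson group are
# gated. `id -Gn` lists the invoking user's groups; the group name is assumed.
profile_hook() {
    user=$(id -un)
    case " $(id -Gn) " in
        *" lawson "*) ;;
        *) return 0 ;;   # not a Lawson user, ordinary login continues
    esac
    if lawson_login=$(lawson_gate "$user" "$LAWSON_MAP" "$PASSWD_FILE"); then
        printf 'Entering Lawson as %s\n' "$lawson_login"
        # step e: hand over to Lawson's own login, which prompts for the
        # Lawson password (command name assumed, so left commented out):
        # exec lawson_login "$lawson_login"
    else
        printf 'No valid Lawson login for %s (code %s)\n' "$user" "$?" >&2
    fi
}

# Stand-alone demonstration on the constructed data:
lawson_gate waldemar.duszyk "$LAWSON_MAP" "$PASSWD_FILE"
lawson_gate too.long.mapping "$LAWSON_MAP" "$PASSWD_FILE" || echo "rejected, code $?"
```

The point of separating `lawson_gate` from `profile_hook` is that the three failure modes (no mapping, mapped name still too long, mapped name missing from /etc/passwd) are distinguishable, which is what you want when a user calls to say "Lawson won't let me in".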

Sometimes the system administrator who "owns" the LAWSON servers needs to know which logins are longer than the 10 characters this application allows. On the next page you will find a simple script that does exactly that: pulling this information out of the LDAP repository.
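Since the script itself is on the next page, here is an added example of the same idea written for this post (it is not the author's script). The query function assumes an OpenLDAP-style ldapsearch and a base DN; the parser only needs LDIF on standard input, so it is exercised here on constructed sample entries. One thing to watch for: LDIF folds long attribute values onto continuation lines that begin with a single space, and a login of 255 characters is exactly the kind of value that gets folded, so the lines must be unfolded before measuring them:

```shell
#!/bin/sh
# Added example, not the script the post refers to: list LDAP logins longer
# than the 10 characters Lawson accepts. long_ldap_logins assumes an
# OpenLDAP-style ldapsearch and a base DN; long_logins only needs LDIF on
# stdin, so it is run here on constructed sample data.

# long_logins [MAX]
# Reads LDIF from stdin and prints "uid length" for every uid longer than MAX
# (default 10). Folded continuation lines (leading space) are joined back onto
# the value before it is measured. Base64-encoded values (uid::) are reported
# on stderr rather than silently measured as text.
long_logins() {
    awk -v max="${1:-10}" '
        function flush() {
            if (attr == "uid" && length(val) > max) print val, length(val)
            if (attr == "b64") print "warning: base64 uid in " dn " not checked" | "cat 1>&2"
            attr = ""; val = ""
        }
        /^ /      { val = val substr($0, 2); next }   # folded continuation line
                  { flush() }                          # any other line ends the previous attribute
        /^dn:/    { dn = $0 }
        /^uid: /  { attr = "uid"; val = substr($0, 6) }
        /^uid:: / { attr = "b64"; val = substr($0, 7) }
        END       { flush() }'
}

# long_ldap_logins [MAX]
# The real query. Base DN and filter are assumptions for this site; adjust
# LDAP_BASE to the directory the users actually live in.
long_ldap_logins() {
    ldapsearch -LLL -x -b "${LDAP_BASE:-ou=People,dc=example,dc=com}" \
        '(objectClass=posixAccount)' uid | long_logins "${1:-10}"
}

# Constructed sample directory output. The last entry is folded the way LDIF
# folds long values; the uid:: entry is the base64 form of a non-ASCII name.
SAMPLE_LDIF=$(cat <<'EOF'
dn: uid=waldemar.duszyk,ou=People,dc=example,dc=com
uid: waldemar.duszyk
uidNumber: 205

dn: uid=ramon,ou=People,dc=example,dc=com
uid: ramon

dn: uid=tencharsxx,ou=People,dc=example,dc=com
uid: tencharsxx

dn: uid=elevenchars,ou=People,dc=example,dc=com
uid: elevenchars

dn: uid=maria,ou=People,dc=example,dc=com
uid:: bWFyw61h

dn: uid=a.very.long.login.name.that.the.server.wrapped,ou=People,dc=example,dc=com
uid: a.very.long.login.name.that.the.serve
 r.wrapped
EOF
)

# Stand-alone demonstration on the constructed data:
printf '%s\n' "$SAMPLE_LDIF" | long_logins 10
```

Run against the live directory with `LDAP_BASE="ou=People,dc=yourdomain" long_ldap_logins 10`. The unfolding matters more than it looks: a naive `awk '/^uid:/ && length($2) > 10'` over folded output reports the truncated first chunk and its length, not the real login.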

Posted in AIX, Linux, Real life AIX, scripts.

2 Responses


  1. Ramon says

    You can also use
    lsldap -a group cn=lawson | awk '/member/ && length($2) >10 { print $2, length($2) }'

    AWK has automatic loops!

  2. MarkD:-) says

    Ramon, I hoped you would respond! Your "awk" knowledge is amazing.



Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved.