Microsoft is hardening their security with LDAP channeling and LDAP signing in an update coming soon. Any applications that rely on LDAP connections to Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) need to be converted to LDAPS. LDAPS is a secure connection protocol used between applications like Lawson and the Network Directory or Domain Controller. Below are the potential impacted Lawson applications mentioned by Infor in a recent KB Article.
Impacted Lawson applications:
- Lawson System Foundation (LSF) environments using AD LDS instances for Authentication Data Store (RM Configuration).
- Lawson System Foundation (LSF) environments using an LDAP Bind to Windows Active Directory for authentication.
- Landmark Environments using an LDAP Bind to Windows Active Directory for authentication.
- Infor Federated Services (IFS) synchronization connections to Active Directory.
Infor has recommended that on-premise clients configure the impacted applications and have provided KB Articles on how to perform these tasks.
Some important things to note:
- This change does affect you, even if you have implemented AD FS
- If you are using Microsoft Add-ins for LSF and Lawson Process Administrator for Landmark, you will have a Thick Client installed that used LDAP Bind.
- If your networking team takes the Microsoft LDAPS update and enforces LDAPS connections before these changes have been configured, your Lawson applications will fail in the following ways:
- The LASE process on LSF will fail to start.
- Login to services that rely on LDAP bind will be unable to login (Landmark Rich Client, MSCM Handheld Devices, IPA Flows to LSF).
- IFS will be unable to sync users from Active Directory.
- This change will NOT impact DSP applications
- DSP application include Infor Business Intelligence (IBI or LBI), Lawson Smart Office (LSO), Mobile Supply Chain Management (MSCM), etc.
- These applications use Infor Lawson for authentication. They are not bound to LDAP, nor do they have their own instance of AD LDS.
- You can update your configuration at any time
- The changes recommended by Infor can be completed before LDAPS connections are enforced, and there will be no negative impact to your system.