Users cannot log in to OneClick because their account is locked

Document ID : KB000014629
Last Modified Date : 19/07/2018
Question:

We have OneClick integrated with LDAP for single sign-on authentication. However, after adding several new users to OneClick, I am attempting to log in and change their passwords to their actual LDAP passwords. But I am getting the following message returned:

Connect to CA Spectrum OneClick on <hostname.FQDN> 
SPC-OCA-10502: Your account has been locked out.

I have set the user up with unlimited login attempts and deleted and recreated the users several times, as well as changing the user's password in OneClick to match their LDAP password, but cannot find a way to unlock their accounts.

How do you unlock an account in Spectrum?

Answer:

Spectrum does not provide a mechanism to lock out a user account after a given number of failed attempts. The "Maximum Logins unlimited" setting, found in the OneClick User Editor, sets a limit on the maximum number of concurrent OneClick sessions a user can have open at any moment in time, and is not related to the maximum number of unsuccessful authentication attempts.

The message you are seeing is directly related to LDAP, and is informing the user that their LDAP account has been locked out.


In a typical LDAP integration we do not store the user's LDAP password in the Spectrum database, so there is no reason to log into OneClick and change the password to match the LDAP password. The only reason you would want to set the password in OneClick is if you have enabled "Allow User to Log In if either the LDAP Password is Invalid or the User does not exist in LDAP", or if the LDAP Integration Configuration page on the OneClick Web Server has "Save LDAP passwords to CA Spectrum database" set to yes.

If you see that a user account has been locked out, notify the LDAP Admin and have the account unlocked.

Additional Information:
If for any reason, this article does not help resolve the problem, please open a Support case with the CA Spectrum Support team. The CA Support team will need the following debug set up on the OneClick Server in order to help further troubleshoot the LDAP integration. 

Please enable the following debug from the OneClick Web server:
  1. Open a web browser and navigate to the Spectrum OneClick home page.
  2. Select the Administration Tab
  3. Select the "Debugging" link in the small gray header beneath the Tabs
  4. Select the "Web Server Debug Page (Runtime)" link on the left-hand side of the page.
  5. Scroll down near the bottom and enable the "Single Sign-On Integration" debug and the "SSORB Security SP" debug.
  6. Go to the bottom of the page and ensure the log level is set to MAX and click Apply.
 
The debug output will be written to $SPECROOT/tomcat/logs/catalina.out. Recreate the failure, and upload a copy of catalina.out and a copy of $SPECROOT/tomcat/conf/server.xml to the Support case.
 
Make sure the user name you are testing is also a user in Spectrum. We must be able to match up the username in LDAP with a user model in Spectrum. Also remember that the user names in Spectrum are case sensitive, so the case must also match.
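The two pre-checks above (every LDAP user has a Spectrum user model, and the names match with exact case) and the lockout message from the Question can be triaged from a script. The following is an added example, not part of this article or of Spectrum; the user lists and the catalina.out-style log lines are constructed, and the real debug output format may differ.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (assumption): these are not Spectrum's real user lists.
LDAP_USERS = ["jsmith", "ALee", "mjones", "rgarcia"]
SPECTRUM_USER_MODELS = ["jsmith", "alee", "rgarcia"]

# Constructed catalina.out-style lines (assumption): the real SSO debug format may differ.
SAMPLE_CATALINA_LINES = [
    "Jul 19, 2018 10:01:12 INFO SSO: authenticating user jsmith via LDAP",
    "Jul 19, 2018 10:01:13 WARN SSO: user mjones: SPC-OCA-10502: Your account has been locked out.",
    "Jul 19, 2018 10:02:40 INFO SSO: authenticating user ALee via LDAP",
]

# SPC-OCA-10502 is the OneClick message quoted in the article; the "user <name>:" prefix is assumed.
LOCKOUT_RE = re.compile(r"user (\S+?): SPC-OCA-10502")


@dataclass
class UserCheck:
    missing: list = field(default_factory=list)        # in LDAP, but no Spectrum user model at all
    case_mismatch: dict = field(default_factory=dict)  # LDAP name -> Spectrum model differing only in case
    locked_in_ldap: list = field(default_factory=list)  # users the log reports as locked (an LDAP-side state)


def check_users(ldap_users, spectrum_models, log_lines):
    """Report LDAP users that cannot be matched to a Spectrum user model, and users reported locked."""
    result = UserCheck()
    exact = set(spectrum_models)                       # Spectrum matches names case-sensitively
    by_lower = {m.lower(): m for m in spectrum_models}
    for name in ldap_users:
        if name in exact:
            continue
        if name.lower() in by_lower:
            result.case_mismatch[name] = by_lower[name.lower()]
        else:
            result.missing.append(name)
    for line in log_lines:
        hit = LOCKOUT_RE.search(line)
        if hit:
            result.locked_in_ldap.append(hit.group(1))
    return result


if __name__ == "__main__":
    report = check_users(LDAP_USERS, SPECTRUM_USER_MODELS, SAMPLE_CATALINA_LINES)
    print("no Spectrum user model:", report.missing)
    print("case mismatch (fix in Spectrum or LDAP):", report.case_mismatch)
    print("locked out in LDAP (ask the LDAP admin to unlock):", report.locked_in_ldap)
```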
 
If possible, get a packet capture from the OneClick Web server during the recreation of the issue. If OneClick is running on Windows, Wireshark is an easy way to get the capture. If OneClick is running on Linux, you will need to use tcpdump. Have the packet capture running during the test so that we capture the packets sent to and from the OneClick server; it will provide more information about why the test fails. The command for tcpdump is as follows: tcpdump -s 0 -w <capture_file.pcap>. You may have to run tcpdump as root. Note that a capture taken while a user authenticates contains the LDAP bind traffic, so if the bind is not protected by TLS the file can contain the user's credentials in cleartext; handle and share it accordingly.
 
Please upload a copy of the packet capture file (capture_file.pcap) to the case, if you are able to get one.