Users cannot login to OneClick because their account is locked

Document ID : KB000014629
Last Modified Date : 14/02/2018
Show Technical Document Details

We have OneClick integrated with LDAP for single sign-on authentication. However, after adding several new users to OneClick, I am attempting to login and change their passwords to their actual LDAP passwords. But I am getting the following message returned:

Connect to CA Spectrum OneClick on <hostname.FQDN> 
SPC-OCA-10502: Your account has been locked out.

I have set user up with unlimited login attempts and deleted and recreated users several time, but cannot find a way to unlock their accounts.

How do you unlock an account in Spectrum?


Spectrum does not provide any mechanism to lock out a user account after x number of failed attempts. The "Maximum Logins unlimited" setting found in the OneClick User Editor is setting a limit on the maximum number of concurrent OneClick sessions a user can have open at any moment in time, and is not related to the maximum number of unsuccessful authentication attempts.

The message you are seeing is directly related to LDAP, and is informing the user that their LDAP account has been locked out.

In a typical LDAP integration we do not store the user's LDAP password in the Spectrum database. So there is not reason to log into OneClick and change the password to match the LDAP password. The only reason you would want to set the password in OneClick is if you have enabled the "Allow User to Log In if either the LDAP Password is Invalid or the User does not exist in LDAP" or if the LDAP Integration Configuration page on the OneClick Web Server has the "Save LDAP passwords to CA Spectrum database" set to yes.

 if you see that a user account has been locked out, notify the LDAP Admin and have the account unlocked.