We have OneClick integrated with LDAP for single sign-on authentication. However, after adding several new users to OneClick, I am attempting to login and change their passwords to their actual LDAP passwords. But I am getting the following message returned:
Connect to CA Spectrum OneClick on <hostname.FQDN>
SPC-OCA-10502: Your account has been locked out.
I have set user up with unlimited login attempts and deleted and recreated users several time, as well as changing the user's password in OneClick to match their LDAP password, but cannot find a way to unlock their accounts.
How do you unlock an account in Spectrum?
Spectrum does not provide a mechanism to lock out a user account after x number of failed attempts. The "Maximum Logins unlimited" setting, found in the OneClick User Editor, is setting a limit on the maximum number of concurrent OneClick sessions a user can have open at any moment in time, and is not related to the maximum number of unsuccessful authentication attempts.
The message you are seeing is directly related to LDAP, and is informing the user that their LDAP account has been locked out.
In a typical LDAP integration we do not store the user's LDAP password in the Spectrum database. So, there is not a reason to log into OneClick and change the password to match the LDAP password. The only reason you would want to set the password in OneClick is if you have enabled the "Allow User to Log In if either the LDAP Password is Invalid or the User does not exist in LDAP" or if the LDAP Integration Configuration page on the OneClick Web Server has the "Save LDAP passwords to CA Spectrum database" set to yes.
If you see that a user account has been locked out, notify the LDAP Admin and have the account unlocked.
If for any reason, this article does not help resolve the problem, please open a Support case with the CA Spectrum Support team. The CA Support team will need the following debug set up on the OneClick Server in order to help further troubleshoot the LDAP integration.
Please enable the following debug from the OneClick Web server: