Unlock user account from failed login attempts


Article ID: 368002


Products

VMware Avi Load Balancer

Issue/Introduction

The GSLB Follower Site password cannot be updated via the GUI because the user account is locked.

 

Environment

Affects Versions: 21.1.x, 22.1.x, 30.1.x, 30.2.x

Cause

If the user password is changed on the GSLB Follower Site controller and is not updated on the GSLB Leader site, the high volume of API requests from the Leader site will lock the account, leading to GSLB site sync failure.

Resolution

The following script can be run on the affected controller to unlock the user.

#!/usr/bin/python3
import sys, os, django

# Make the controller's portal code importable and select its Django settings.
sys.path.append('/opt/avi/python/bin/portal')
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'portal.settings_full')

# Initialise Django before importing any model modules.
django.setup()

from api.models import UserActivity, UserAccountProfile
from permission.models import User
from avi.rest.pb2model import protobuf2model
from django.core.exceptions import ObjectDoesNotExist
from django.db import transaction

@transaction.atomic
def update_user_settings(profile_uuid):
  # Lock the profile row for the duration of the transaction, then edit it.
  # This changes the UserAccountProfile the user references, not a per-user record.
  try:
    prof_pb = UserAccountProfile.objects.select_for_update().get(uuid=profile_uuid).protobuf()
  except ObjectDoesNotExist:
    raise Exception('UserAccountProfile %s not found' % profile_uuid)
  prof_pb.max_login_failure_count = 0
  print("Setting max_login_failure_count in %s to 0" % prof_pb.name)
  # Write the modified profile back to the database.
  protobuf2model(prof_pb, None, True)

def unlock_user(user):
  user_obj = User.objects.get(name=user)
  user_activity_obj = UserActivity.objects.get(name=user)
  ua_pb = user_activity_obj.protobuf()
  # Print the recorded login activity before changing the profile.
  print("User: %s" % user)
  print("Failed login attempts : %s" % ua_pb.failed_login_attempts)
  print("Last login request from : %s" % ua_pb.last_login_ip)
  print("Last login attempted at : %s" % ua_pb.last_login_timestamp)
  update_user_settings(user_obj.user_profile_ref.uuid)

if __name__ == '__main__':
  # Replace 'admin' with the locked username.
  unlock_user('admin')

Steps to unlock the user account on the affected controller:

  1. SSH to the controller with the locked account
  2. scp the file "unlock_user_account.py" to the /tmp directory
  3. Change the file permissions
    sudo chmod 777 unlock_user_account.py
  4. Run the script
    sudo python3 unlock_user_account.py

NOTE:
Replace the username passed to unlock_user at the end of the script ('admin' in the listing) with the username of the locked account.

Now you will be able to update the correct password in the GSLB leader controller site configuration for the Follower site.
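The script above edits the UserAccountProfile that the user references, so every other user referencing the same profile picks up the new max_login_failure_count as well. The following added example (not part of the original article and not Avi code) reports that scope from a constructed list of users and profiles; the dict layout, the sample names and the function names are assumptions for illustration.

```python
# Constructed sample data, not an export from a real controller. The keys
# mirror the fields the unlock script touches; the layout is an assumption.
SAMPLE_PROFILES = [
    {"uuid": "useraccountprofile-1111", "name": "example-default-profile",
     "max_login_failure_count": 3},
    {"uuid": "useraccountprofile-2222", "name": "example-gslb-profile",
     "max_login_failure_count": 0},
]
SAMPLE_USERS = [
    {"name": "admin",
     "user_profile_ref": "/api/useraccountprofile/useraccountprofile-1111"},
    {"name": "operator1",
     "user_profile_ref": "/api/useraccountprofile/useraccountprofile-1111"},
    {"name": "gslb-svc", "user_profile_ref": "useraccountprofile-2222"},
]


def _ref_uuid(ref):
    """Accept a bare uuid or a URL-style reference and return the uuid."""
    return ref.rstrip("/").rsplit("/", 1)[-1].split("#", 1)[0]


def profile_change_impact(username, users, profiles):
    """Report which profile the unlock script would edit for `username`
    and which other users reference that same profile."""
    by_uuid = {p["uuid"]: p for p in profiles}
    target = next((u for u in users if u["name"] == username), None)
    if target is None:
        raise LookupError("user %s not found" % username)
    uuid = _ref_uuid(target["user_profile_ref"])
    profile = by_uuid.get(uuid)
    if profile is None:
        raise LookupError("profile %s not found" % uuid)
    shared = sorted(u["name"] for u in users
                    if u["name"] != username
                    and _ref_uuid(u["user_profile_ref"]) == uuid)
    return {
        "profile": profile["name"],
        "current_max_login_failure_count": profile["max_login_failure_count"],
        "already_zero": profile["max_login_failure_count"] == 0,
        "also_affected": shared,
    }


if __name__ == "__main__":
    for name in ("admin", "gslb-svc"):
        print(name, profile_change_impact(name, SAMPLE_USERS, SAMPLE_PROFILES))
```

A non-empty also_affected list means the profile is shared, which is the case the dedicated GSLB user described under Additional Information avoids.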

Additional Information

In GSLB deployments, it is highly advised to create a user with a no-lockout account profile to prevent this kind of scenario.

Configure No-Lockout-User-Account-Profile on NSX Advanced Load Balancer