Unlock a locked out account.
Posted: Mon Mar 18, 2013 11:01 pm
by tjbenator
Been searching the web trying to figure out how to unlock an account. We are using PAM for authentication. I thought maybe it was locking the Unix account, but it isn't. How do I unlock an account to allow the user to log in again?
Thanks,
Travis
Re: Unlock a locked out account.
Posted: Fri May 17, 2013 1:10 pm
by alexb
I've searched for this a few times now and haven't found any information on it.
There is nothing in the web UI that I can see. I suspect that restarting openvpnas would fix it, but that seems pretty hardcore.
We are also using PAM authentication but had the same issue when using Radius.
If anyone knows an elegant way of unlocking a user account that has failed too many password attempts that would be great to hear.
Thanks
Alex
Re: Unlock a locked out account.
Posted: Fri May 24, 2013 2:41 pm
by alexb
I haven't had a chance to try this yet, but I noticed this in the CLI readme file:
Ban a user from logging into the VPN or Web server
(doesn't affect a user who is already logged in -- for this,
use DisconnectUser below):
./sacli --user <USER> --key prop_deny --value true UserPropPut
Re-admit a user who was previously banned:
./sacli --user <USER> --key prop_deny --value false UserPropPut
I'm wondering if that would work to unlock an account immediately.
Will give that a go next time someone is locked out and let you know.
Re: Unlock a locked out account.
Posted: Thu Nov 21, 2013 11:28 pm
by sthenral
Not worked... Any solution ...
Re: Unlock a locked out account.
Posted: Thu Jan 16, 2014 2:34 pm
by def
I found that running "/etc/init.d/openvpnas restart" will reset all lockouts. I haven't found a way to do it for a specific user though.
Re: Unlock a locked out account.
Posted: Mon Jul 04, 2016 6:58 pm
by ameenibrahim
The easiest method I've found is to toggle the User Authentication method in the admin web portal.
1. Log into the web portal at "https://[your-url-or-ip]:943/admin"
2. Click on "General" under the "Authentication" section.
3. Change the authentication method.
Note: It doesn't matter what you change the authentication method to, just that you change the method. For example, I use an LDAP server. So I'll change the method to "Local".
4. Click "Save Settings", then click "Update Running Server".
5. Now immediately change the authentication method back to its original setting.
6. Click "Save Settings", then click "Update Running Server".
At this point, all lockouts are now reset and previously locked out users can attempt to log in. In my experience, this trick does NOT affect currently logged in users. It will, however, affect anyone who tries to log in while you're performing this toggle. But seeing as how this toggle takes all of 10 seconds, I've never experienced someone trying to log in while I was performing this reset.
Re: Unlock a locked out account.
Posted: Wed Jul 06, 2016 6:03 pm
by novaflash
There is no way to reset the lockout for a specific user, sorry.
If you have a user that is locked out now and you need a fast way to unlock the user, run this command in an SSH or console session on the Access Server. Note, this is one line, just copy and paste it. It will reset the lock out of all currently locked out users:
/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 1;/usr/local/openvpn_as/scripts/sacli start;sleep 2;/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 900;/usr/local/openvpn_as/scripts/sacli start
What this will do is simply set the lockout period to 1 second, then wait 2 seconds, and put it back to the default of 900 seconds.
If you run into the problem a lot, consider simply changing the threshold for when lockout triggers.
Re: Unlock a locked out account.
Posted: Tue Jan 24, 2017 4:57 pm
by mbelcherit
have to be sudo
cd /usr/local/openvpn_as/scripts/
./sacli -u username GoogleAuthRegen
Re: Unlock a locked out account.
Posted: Tue Jan 24, 2017 5:03 pm
by novaflash
mbelcherit; that's something different than a password lockout, but okay, thanks for the contribution.