Account Still Locked After Password Resetting

Symptom

When a user connects to the cluster, the system displays a message indicating that the user is locked. After the user password is reset and the customer logs in again, the system still displays the message.

    
         FATAL: The account has been locked.

Possible Causes

By default, a user will be locked if the user enters incorrect passwords for 10 consecutive times. The maximum number of incorrect password attempts is specified by the failed_login_attempts parameter. To modify the parameter, see Setting the Number of Times of Failed Login.

After the password is reset, the user is still locked. This may be caused by another user or application that has made 10 times of incorrect password attempts after the password is reset.

Handling Procedure

Connect to the database as the system administrator dbadmin and run the following SQL statement to check the system time:
1

SELECT now();
The command output shows that the default system time on GaussDB(DWS) is the UTC time, that is, Beijing time - 8 hours.

Run the following SQL statement to query the client connection: In the preceding command:

username should be replaced with the name of the locked user.
The time period should be changed base actual requirements. For example, if you want to query the connection status from 09:00 to 10:00 (Beijing time), you need to convert the Beijing time to the UTC time, which is 01:00 to 02:00.

      
           SELECT * FROM pgxc_query_audit('2022-10-27 01:00:00','2022-10-27 02:00:00') where username='username';

The preceding command output shows that the client whose IP address is x.x.x.x has made many attempts for connection using incorrect passwords.

Perform either of the following operations based on the actual service situation:
- If the IP address obtained in step 2 belongs to a job, stop the job connection, connect to the database as the system administrator dbadmin, run the following SQL statement to unlock the user, then configure the job with the correct password.
  1
  
  ALTER USER username ACCOUNT UNLOCK;
- If you are not sure which job the IP address belongs to, change the value of failed_login_attempts to 0 by referring to Setting the Number of Times of Failed Login, and then run the following SQL statement to reset a new password. In this way, incorrect password attempts will no longer cause the account to be locked.
```
ALTER USER username IDENTIFIED BY '{Password}';
```
  Setting the value of failed_login_attempts to 0 is only a temporary solution. To ensure database security, you are advised not to set failed_login_attempts to 0. After locating the job and changing incorrect password, you are advised to set failed_login_attempts to 10.

Parent topic: Account/Permission/Password

Previous topic: How Do I Unlock an Account?

Next topic: After the Permission for Querying Tables in a Schema Is Granted to a User, the User Still Cannot Query the Tables

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot