Unlocking an LDAP User in the MRS Cluster

To unlock a user who has been locked out due to excessive incorrect password attempts, log in to the MRS cluster node and run commands to unlock the user, or use Manager to unlock the user if they were created on Manager.

If the service is abnormal, the internal user of the system may be locked. Unlock the user promptly, or the cluster cannot run properly. For the internal user list, see MRS Cluster User Accounts. Internal users cannot be unlocked on Manager.

Unlocking a User Created on Manager

For MRS 3.x and later versions:

Log in to FusionInsight Manager.
Choose System > Permission > User.
Locate the row that contains the target user and click Unlock in the Operation column.
In the window that is displayed, select I have read the information and understand the impact. Click OK.

For MRS 2.x and earlier:

On MRS Manager, click System.
In the Permission area, click Manage User.

Figure 1 User management
In the row of a user to be unlocked, click Unlock User.

Figure 2 Unlocking a user
In the window that is displayed, click OK to unlock the user.

Unlocking an Internal User

This function is available in MRS 3.x and later only.

Use the following method to confirm whether the internal system username is locked:
1. OLdap port number obtaining method:
  1. Log in to Manager, choose System > OMS > oldap > Modify Configuration.
  2. The LDAP Listening Port parameter value is oldap port.
2. Domain name obtaining method:
  1. Log in to Manager, choose System > Permission > Domain and Mutual Trust.
  2. The Local Domain parameter value is the domain name.
    For example, the domain name of the current system is 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM.
3. Run the following command on each node in the cluster as user omm to query the number of password authentication failures:
  ldapsearch -H ldaps://OMS Floating IP Address:OLdap port -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=Internal system username@Domain name,cn=Domain name,cn=krbcontainer,dc=hadoop,dc=com -w Password of LDAP administrator -e ppolicy | grep krbLoginFailedCount
  - To obtain the floating IP address of OMS, log in to the Master2 node remotely, and run the ifconfig command. In the command output, eth0:wsom indicates the floating IP address of OMS. Record the value of inet. If the floating IP address of OMS cannot be queried on the Master2 node, switch to the Master1 node to query and record the floating IP address. If there is only one Master node, query and record the cluster manager IP address of the Master node.
  - LDAP administrator password: Obtain the default password of LDAP administrator cn=root,dc=hadoop,dc=com by referring to MRS Cluster User Accounts.
  For example, run the following command to check the number of password authentication failures for user oms/manager:
  
  ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=9427068F-6EFA-4833-B43E-60CB641E5B6C.COM,cn=krbcontainer,dc=hadoop,dc=com -w Password of user cn=root,dc=hadoop,dc=com -e ppolicy | grep krbLoginFailedCount
```
krbLoginFailedCount: 5
```
4. Log in to Manager, choose System > Permission > Security Policy > Password Policy.
5. Check the value of the Password Retries parameter. If the value is less than or equal to the value of krbLoginFailedCount, the user is locked.
  
  You can also check whether internal users are locked by viewing operations logs.
Log in to the active management node as user omm and run the following command to unlock the user:

sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName Internal system username

Example: sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager