This topic describes the scenarios in which OCP logon is restricted and how to troubleshoot them.
OCP applies two kinds of logon restriction: the account-based restriction and the IP address-based restriction.
Account-based logon restriction
Symptom
The following message is displayed when you attempt to log on: "The current account has been temporarily disabled. Please wait and try again later or contact the administrator."
Possible causes
The number of consecutive logon attempts has exceeded the limit.
Solutions
This restriction is imposed to prevent brute-force cracking of the user password.
You can modify the following parameters in the config_properties file. A change takes effect automatically three minutes later.
ocp.iam.login.max-attempts: the maximum number of logon attempts allowed. Default value: 5.
ocp.iam.login.lockout-minutes: how long the account stays locked after the maximum number of logon attempts allowed is exceeded. Default value: 30 minutes.
The account is locked based on the logon records. To unlock the account, clear the logon records in the iam_user_login_record table. After the account is unlocked, you can log on with it again.
IP address-based logon restriction
Symptom
The following message is displayed when you attempt to log on or call an API: "The request from IP address xxx is restricted. Please try again later."
Possible causes
The number of consecutive logon failures from the IP address has exceeded the limit.
The number of failed API authorizations from the IP address has exceeded the limit.
Solutions
The restriction is imposed to prevent cracking of the user password by repeatedly calling the logon API from a specific IP address, and to prevent brute-force cracking of the user password by calling an API. You can modify the logon settings in the GUI, or modify the following parameters in the config_properties file:
ocp.iam.login.client.max-attempts: the maximum number of logon attempts allowed from an IP address through the logon API. If the number of logon attempts exceeds this limit, subsequent logon requests from this IP address are temporarily blocked. Default value: 10.
ocp.iam.login.client.lockout-minutes: how long an IP address stays locked after the logon attempts from it exceed the maximum number allowed. Default value: 10 minutes.
ocp.iam.login.client.white-list: the whitelist of IP addresses that are not subject to the IP address-based restriction. This feature is available in OCP V2.5.2 and later. This parameter is hidden. You must manually insert it into the config_properties file, for example:
REPLACE INTO config_properties(`key`, `value`) VALUES ('ocp.iam.login.client.white-list', '127.0.0.1,127.0.0.2');
Note
This restriction is stored in memory. You can restart OCP to remove this restriction.
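Because every address in ocp.iam.login.client.white-list is exempt from the IP address-based restriction, it is worth reviewing a proposed value before writing it. The following is an added example, not OCP code: the function names are hypothetical, and it assumes the value is a comma-separated list of single IP addresses, as in the example above.

```python
import ipaddress

WHITE_LIST_KEY = "ocp.iam.login.client.white-list"  # parameter name from this topic


def review_white_list(raw):
    """Split a proposed white-list value into accepted addresses and rejected entries.

    Assumption: entries are single IP addresses. Ranges, wildcards and host
    names are rejected because this topic does not say they are supported.
    """
    accepted, rejected = [], []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not a single IP address"))
            continue
        if addr.is_unspecified or addr.is_multicast:
            rejected.append((entry, "not a usable client address"))
        elif str(addr) in accepted:
            rejected.append((entry, "duplicate"))
        else:
            accepted.append(str(addr))
    return accepted, rejected


def build_statement(accepted):
    """Return the REPLACE statement in parameterized form (%s placeholders,
    the style used by common Python MySQL drivers) plus its parameters."""
    if not accepted:
        # This example's choice: the topic does not describe an empty value.
        raise ValueError("refusing to write an empty white-list")
    sql = "REPLACE INTO config_properties(`key`, `value`) VALUES (%s, %s)"
    return sql, (WHITE_LIST_KEY, ",".join(accepted))


if __name__ == "__main__":
    # Constructed sample: two valid addresses, a CIDR range, a wildcard,
    # a duplicate and the unspecified address.
    proposed = "127.0.0.1, 127.0.0.2,10.0.0.0/8,*,127.0.0.1,0.0.0.0"
    ok, bad = review_white_list(proposed)
    print(build_statement(ok))
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
```

Pass the returned statement and parameters to the driver's execute call so that the value is never concatenated into the SQL text.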