Unlock User Fails

From Swivel Knowledgebase


Overview

Unable to unlock users marked as inactive.


Prerequisites

PINsafe 3.5-7, HA pair active-active appliances.


Symptoms

A user (or several users) has been marked as inactive on an HA pair of PINsafe appliances, but clicking the Unlock button under User Administration has no effect.


Solution

This problem can occur only in an active-active HA pair of appliances, and only if a user has not previously been marked as inactive. It happens because both servers simultaneously set the user as inactive, and the database replication results in the user having two inactive flags. This problem should not happen in PINsafe 3.8, but may occur if a server has been upgraded from an earlier version to 3.8.

There are two parts to this solution: unlocking the problem user, and preventing it from happening (again).

To unlock the user(s), you will need to modify the PINsafe database directly. Take great care when doing this that you apply only the changes listed here.

First of all, you need to access Webmin on the appliance console. In a web browser, go to the URL https://<pinsafe_ip>:10000, where <pinsafe_ip> is the IP address of the primary PINsafe appliance. It is recommended that you use the actual appliance IP address, rather than the virtual IP or host name. For security reasons, the credentials you need to enter to access Webmin are not listed here (it is recommended that they should be changed from the default anyway). If you are uncertain of the credentials, please contact Swivel Secure support.

Now in the menu select "Servers" and then "MySQL Database Server". From the database list, select pinsafe_rep. On the next page, click "Execute SQL".

First of all, you need to identify the user number of the problem user. Enter the following command in the text box:

SELECT G, C FROM PINSAFEJ WHERE C='username';

Replace 'username' with the name of the problem user. You must include the single quotes. Click Execute. You should see the username preceded by a number. Make a note of that number.

Now click "Return to Execute SQL form" and enter the following command:

SELECT * FROM PINSAFEN WHERE A=NNN AND C=12;

Here, replace NNN with the user number identified in the previous statement (no quotes this time). You will probably see two entries listed. If you don't, then your problem cannot be resolved by this solution. Contact Swivel support or your reseller for further help.

Assuming that you do see two entries, you now need to delete them, as follows:

Click "Return to Execute SQL form" and enter the following command:

DELETE FROM PINSAFEN WHERE A=NNN AND C=12;

Again, replace NNN with the user number identified in the previous statement. This command modifies the database, so check that you have entered it correctly before executing it.

The user should now be reactivated. You will need to refresh the User Administration page in PINsafe, if you have it open, to see the result. If the user was locked as well as inactive, you will still need to click Unlock, but this time it should work.

Note that, unless the user logs in successfully before the next check for inactive users, they will become inactive again, so advise the user to log in as soon as possible.
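
When several users are affected, the username lookup and the flag check above can be combined into one read-only query that lists every user holding more than one inactive flag. This is an added example, not part of the original Swivel article; it assumes that PINSAFEN.A holds the user number returned as PINSAFEJ.G, as the steps above imply, and the column aliases are illustrative.

```sql
-- Added example (read-only): find every user with duplicate inactive flags.
-- Assumption: PINSAFEN.A refers to the user number in PINSAFEJ.G, and C = 12
-- is the inactive flag, as used in the article's own statements.
SELECT J.G      AS user_number,
       J.C      AS username,
       COUNT(*) AS inactive_rows
FROM PINSAFEJ J
JOIN PINSAFEN N ON N.A = J.G
WHERE N.C = 12
GROUP BY J.G, J.C
HAVING COUNT(*) > 1
ORDER BY J.C;

-- After running the article's DELETE for one user number, confirm that no
-- inactive flag rows remain for it. Replace NNN with the user number, as in
-- the statements above; the expected count is 0.
SELECT COUNT(*) AS remaining_inactive_rows
FROM PINSAFEN
WHERE A = NNN AND C = 12;
```

Users that appear in the first result are the ones to which the DELETE procedure applies; a user who is inactive but absent from it has a single flag and is not affected by this problem.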

To prevent this problem from recurring, ensure that the Inactive User Check runs at different times on the two servers or, preferably, does not run at all on the secondary server.

Go to Server -> Jobs on the primary server and note the schedule for Inactive User Check. Now go to the same page on the secondary server. Set Inactive User Check to Never, or to a time at least 30 minutes different from the primary.