I have 14 lpars of IBM i.  On all of them I went into https://myserver.mycorp.com:2003/Navigator/login 

@Erik Aasland

------------------------------
Robert Berendt IBMChampion
------------------------------

Found the lock file by using https://www.ibm.com/support/pages/node/666487

Still working on the other part...

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message:
Sent: Fri April 05, 2024 01:10 PM
From: Robert Berendt
Subject: IBM i Directory Server (LDAP): GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired.

I have 14 lpars of IBM i.  On all of them I went into https://myserver.mycorp.com:2003/Navigator/login 

Then I went into Network, Servers, TCP/IP Servers 

From there I clicked on Directory Server (LDAP).  Then I selected Actions, Properties.

On the General tab I ensured that my Server administration URL was set to https://myserver.mycorp.com:2005/IDSWebApp/IDSjsp/Login.jsp

This was after using the Web Administrator to assign a certificate, enable TLS and start the right port.  If SSL ain't your thing try http://myserver.mycorp.com:2004/IDSWebApp/IDSjsp/Login.jsp

On that same General tab I made sure my Administrator name: was set to cn=Administrator and I clicked the password and set that.

Then I clicked on OK.  I got back into ldap properties.  Selected the More tab and then clicked Server Administration.  I could log in if I entered cn=administrator for the User ID: and the password I set that to.

 

This worked fine for 10 of my 14 lpars.  They are all at IBM i 7.5 and have the same cume and group level.

 

The other 4 will not let me sign on as cn=Administrator.  I get:

The following error has occurred while logging in:

GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired. 

I am not entering it in wrong.

 

After several tries I end up with 

Account locked out

User has reached to maximum number of failed login attempts.

Then it suggests:  Delete ids_acc.lck file and try login again. The ids_acc.lck file can be found in <WAS_Home>/profiles/<PROFILE_Name&> directory. Login page.

Question 1:  Why did cn=Administrator not work on this lpar when it worked on so many others?

Question 2:  Where is this ids_acc.lck file?  I could not find it with

select path_name, object_type, data_size, object_owner

  from table(qsys2.IFS_OBJECT_STATISTICS( 

                   start_path_name => '/',

                   subtree_directories => 'YES'))

   where path_name like '%ids_acc.lck%';

   

select path_name, object_type, data_size, object_owner

  from table(qsys2.IFS_OBJECT_STATISTICS( 

                   start_path_name => '/',

                   subtree_directories => 'YES'))

   where upper(path_name) like '%IDS_ACC.LCK%';

@Erik Aasland

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message:
Sent: 4/5/2024 3:35:00 PM
From: Robert Berendt
Subject: RE: IBM i Directory Server (LDAP): GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired.

Found the lock file by using https://www.ibm.com/support/pages/node/666487

Still working on the other part...

------------------------------
Robert Berendt IBMChampion
------------------------------

Original Message:
Sent: Fri April 05, 2024 01:10 PM
From: Robert Berendt
Subject: IBM i Directory Server (LDAP): GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired.

I have 14 lpars of IBM i.  On all of them I went into https://myserver.mycorp.com:2003/Navigator/login 

Then I went into Network, Servers, TCP/IP Servers 

From there I clicked on Directory Server (LDAP).  Then I selected Actions, Properties.

On the General tab I ensured that my Server administration URL was set to https://myserver.mycorp.com:2005/IDSWebApp/IDSjsp/Login.jsp

This was after using the Web Administrator to assign a certificate, enable TLS and start the right port.  If SSL ain't your thing try http://myserver.mycorp.com:2004/IDSWebApp/IDSjsp/Login.jsp

On that same General tab I made sure my Administrator name: was set to cn=Administrator and I clicked the password and set that.

Then I clicked on OK.  I got back into ldap properties.  Selected the More tab and then clicked Server Administration.  I could log in if I entered cn=administrator for the User ID: and the password I set that to.

 

This worked fine for 10 of my 14 lpars.  They are all at IBM i 7.5 and have the same cume and group level.

 

The other 4 will not let me sign on as cn=Administrator.  I get:

The following error has occurred while logging in:

GLPWCO010E Authentication error: Either the user name or password (or both) is incorrect, or the password has expired. 

I am not entering it in wrong.

 

After several tries I end up with 

Account locked out

User has reached to maximum number of failed login attempts.

Then it suggests:  Delete ids_acc.lck file and try login again. The ids_acc.lck file can be found in <WAS_Home>/profiles/<PROFILE_Name&> directory. Login page.

Question 1:  Why did cn=Administrator not work on this lpar when it worked on so many others?

Question 2:  Where is this ids_acc.lck file?  I could not find it with

select path_name, object_type, data_size, object_owner

  from table(qsys2.IFS_OBJECT_STATISTICS( 

                   start_path_name => '/',

                   subtree_directories => 'YES'))

   where path_name like '%ids_acc.lck%';

   

select path_name, object_type, data_size, object_owner

  from table(qsys2.IFS_OBJECT_STATISTICS( 

                   start_path_name => '/',

                   subtree_directories => 'YES'))

   where upper(path_name) like '%IDS_ACC.LCK%';

@Erik Aasland

------------------------------
Robert Berendt IBMChampion
------------------------------