mirror of
https://github.com/gitlabhq/gitlabhq.git
synced 2025-08-03 16:37:48 +00:00
102 lines
2.9 KiB
Markdown
102 lines
2.9 KiB
Markdown
---
|
|
stage: Software Supply Chain Security
|
|
group: Authentication
|
|
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
|
|
title: Locked user accounts
|
|
---
|
|
|
|
GitLab locks a user account after the user unsuccessfully attempts to sign in several times.
|
|
|
|
## GitLab.com users
|
|
|
|
{{< details >}}
|
|
|
|
- Tier: Free, Premium, Ultimate
|
|
- Offering: GitLab.com
|
|
|
|
{{< /details >}}
|
|
|
|
If two-factor authentication (2FA) is enabled, accounts are locked after three failed sign-in attempts. Accounts are unlocked automatically after 30 minutes.
|
|
|
|
If 2FA is not enabled user accounts are locked after three failed sign-in attempts within 24 hours. Accounts remain locked until:
|
|
|
|
- The next successful sign-in, at which point the user must verify their identity with a code sent to their email.
|
|
- GitLab Support verifies the identity of the user and [manually unlocks](https://handbook.gitlab.com/handbook/support/workflows/reinstating-blocked-accounts/#manual-unlock) the account.
|
|
|
|
## GitLab Self-Managed and GitLab Dedicated users
|
|
|
|
{{< details >}}
|
|
|
|
- Tier: Free, Premium, Ultimate
|
|
- Offering: GitLab Self-Managed, GitLab Dedicated
|
|
|
|
{{< /details >}}
|
|
|
|
{{< history >}}
|
|
|
|
- Configurable locked user policy [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/27048) in GitLab 16.5.
|
|
|
|
{{< /history >}}
|
|
|
|
By default, user accounts are locked after 10 failed sign-in attempts. Accounts are unlocked automatically after 10 minutes.
|
|
|
|
In GitLab 16.5 and later, administrators can use the [Application settings API](../api/settings.md#update-application-settings) to modify the `max_login_attempts` or `failed_login_attempts_unlock_period_in_minutes` settings.
|
|
|
|
Administrators can unlock accounts immediately by using the following tasks:
|
|
|
|
### Unlock user accounts from the Admin area
|
|
|
|
Prerequisites
|
|
|
|
- You must be an administrator of GitLab Self-Managed.
|
|
|
|
To unlock an account from the Admin area:
|
|
|
|
1. On the left sidebar, at the bottom, select **Admin**.
|
|
1. Select **Overview > Users**.
|
|
1. Use the search bar to find the locked user.
|
|
1. From the **User administration** dropdown list, select **Unlock**.
|
|
|
|
The user can now sign in.
|
|
|
|
### Unlock user accounts from the command line
|
|
|
|
Prerequisites
|
|
|
|
- You must be an administrator of GitLab Self-Managed.
|
|
|
|
To unlock an account from the command line:
|
|
|
|
1. SSH into your GitLab server.
|
|
1. Start a Ruby on Rails console:
|
|
|
|
```shell
|
|
## For Omnibus GitLab
|
|
sudo gitlab-rails console -e production
|
|
|
|
## For installations from source
|
|
sudo -u git -H bundle exec rails console -e production
|
|
```
|
|
|
|
1. Find the user to unlock. You can search by email:
|
|
|
|
```ruby
|
|
user = User.find_by(email: 'admin@local.host')
|
|
```
|
|
|
|
Or you can search by ID:
|
|
|
|
```ruby
|
|
user = User.where(id: 1).first
|
|
```
|
|
|
|
1. Unlock the user:
|
|
|
|
```ruby
|
|
user.unlock_access!
|
|
```
|
|
|
|
1. Exit the console with <kbd>Control</kbd>+<kbd>d</kbd>.
|
|
|
|
The user can now sign in.
|