Locked users
DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed, GitLab Dedicated
Self-managed users
- Configurable locked user policy introduced in GitLab 16.5.
By default, users are locked after 10 failed sign-in attempts. These users remain locked:
- For 10 minutes, after which time they are automatically unlocked.
- Until an administrator unlocks them from the Admin area or the command line in under 10 minutes.
In GitLab 16.5 and later, administrators can use the API to configure:
- The number of failed sign-in attempts that locks a user (
max_login_attempts
). - The time period in minutes that the locked user is locked for, after the maximum number of failed sign-in attempts is reached (
failed_login_attempts_unlock_period_in_minutes
).
For example, an administrator can configure that five failed sign-in attempts locks a user, and that user will be locked for 60 minutes, with the following API call:
curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/application/settings?max_login_attempts=5&failed_login_attempts_unlock_period_in_minutes=60"
GitLab.com users
If 2FA is not enabled users are locked after three failed sign-in attempts within 24 hours. These users remain locked until:
- Their next successful sign-in, at which point they are sent an email with a six-digit unlock code and redirected to a verification page where they can unlock their account by entering the code.
- GitLab Support manually unlock the account after account ownership is verified.
If 2FA is enabled, users are locked after three failed sign-in attempts. Accounts are unlocked automatically after 30 minutes.
Unlock a user from the Admin area
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- Use the search bar to find the locked user.
- From the User administration dropdown list, select Unlock.
Unlock a user from the command line
To unlock a locked user:
-
SSH into your GitLab server.
-
Start a Ruby on Rails console:
## For Omnibus GitLab sudo gitlab-rails console -e production ## For installations from source sudo -u git -H bundle exec rails console -e production
-
Find the user to unlock. You can search by email:
user = User.find_by(email: 'admin@local.host')
Or you can search by ID:
user = User.where(id: 1).first
-
Unlock the user:
user.unlock_access!
-
Exit the console with Control+d.
The user should now be able to sign in.