
Document user lock due to failed sign-in attempts

We have user lockout console reset instructions documented at https://docs.gitlab.com/ee/security/unlock_user.html. However, we don't seem to have more general user lockout documentation.

I suspect we should create a new page within doc/administration/, explaining what leads to a lockout (10 failed sign-in attempts) and that the lock will automatically reset in 10 minutes. There is also an email sent to the user explaining this, as well as a link to unlock immediately.


Original description

Problem

I'm using GitLab Community Edition Omnibus. After using GitLab for over 6 years, this is the first time I've encountered a locked user. There is no indication of this state in the Admin UI (we are on 13.12.5), nor is there a path to resolution.

I found this page on unlocking a user via the console. That resolves the issue for the user, but it's not intuitive.

Proposal

There are 2 issues to be addressed:

  • Under the Admin UI (probably under /admin/users) there should be some indication that a user is locked. One may argue that it isn't necessary because the user will alert an administrator to get the lock resolved. But for the following proposal, it would be necessary.
    • Add (Locked) after the user's name
  • A means to unlock a locked user via the UI, rather than the console.
    • This does exist, but the documentation needs to be updated. Update docs to make note of the Unlock action. (Screenshot: Screen_Shot_2021-08-12_at_7.57.45_AM)

From the documentation, this state is triggered by 10 failed login attempts. Does it self-correct after some grace period? The documentation doesn't say, so I assume it doesn't. For someone not versed in Ruby on Rails, the console method is obtuse, and it isn't obvious whether it worked.

It self-corrects after 10 minutes. This should be added to the documentation.

Implementation plan

  1. Add (Locked) after the name of any locked user (Screenshot: Screen_Shot_2021-08-12_at_1.20.48_PM)
  2. Document the Unlock action that exists in the User administration dropdown
  3. Document that a locked account self-corrects after 10 minutes
Edited by Peter Hegman
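The lockout rule this issue asks to document (10 failed sign-in attempts lock the account, the lock expires on its own after 10 minutes, and an administrator can clear it earlier) is easier to reason about as a small state model. The following is an added example written for this page, not GitLab's code: it does not model the unlock e-mail or its link, and the class, method and constant names (`LockableAccount`, `sign_in`, `unlock!`, `MAX_ATTEMPTS`, `UNLOCK_IN`) are assumptions chosen for illustration. The time argument is passed in explicitly so the 10-minute expiry can be exercised without waiting.

```ruby
# Added example: a minimal model of the lockout behaviour described in the
# issue. NOT GitLab's implementation; names and structure are assumptions.

MAX_ATTEMPTS = 10       # failed sign-ins before the account is locked
UNLOCK_IN    = 10 * 60  # lock lifetime in seconds (10 minutes)

class LockableAccount
  attr_reader :failed_attempts, :locked_at

  def initialize(password)
    @password = password
    @failed_attempts = 0
    @locked_at = nil
  end

  # A lock is active only while it is younger than UNLOCK_IN. Once it is
  # older, the account is treated as unlocked without any administrator
  # action, which is the "self-corrects after 10 minutes" behaviour.
  def locked?(now = Time.now)
    return false if @locked_at.nil?
    (now - @locked_at) < UNLOCK_IN
  end

  # Returns :ok, :bad_password or :locked. Presenting the correct password
  # while the lock is active still fails with :locked, which is the state
  # the reporter ran into without any indication in the Admin UI.
  def sign_in(password, now = Time.now)
    return :locked if locked?(now)

    # An expired lock is cleared lazily on the next attempt, so the counter
    # starts again from zero rather than locking on the very next failure.
    unlock! if @locked_at

    if password == @password
      @failed_attempts = 0
      :ok
    else
      @failed_attempts += 1
      if @failed_attempts >= MAX_ATTEMPTS
        @locked_at = now
        :locked
      else
        :bad_password
      end
    end
  end

  # Counterpart of the admin Unlock action / console unlock: clears the lock
  # and the attempt counter immediately, before the 10 minutes are up.
  def unlock!
    @failed_attempts = 0
    @locked_at = nil
  end
end
```

Run through the lifecycle: nine wrong passwords return `:bad_password`, the tenth locks the account, the correct password is rejected for the next 600 seconds, and after that (or after `unlock!`) it is accepted again. The same boundaries are what the requested documentation should spell out.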