Tasked to find out why accounts lock out for approx 1 hour (403 responses to users)

#1

Good Afternoon all, hope you’re well.

We’re running Gitlab Community Edition in our environment (self hosted) and I have been tasked with determining a root cause and a possible workaround or solution to an issue users are experiencing seemingly at random.

What users are reporting in their experience is that they use the system as normal and then, out of the blue, they are redirected to “https://server.domain.tld/users/auth/ldapmain/callback”:
Access was denied
You don’t have authorization to view this page.

Of course, they previously have had permissions and have been working just fine. (able to log in to access the web GUI, push and pull requests), but once they experience this, they can do none of the former.

At the moment, the only solid workaround we have is for the users to wait for an hour and then this lock out appears to resolve itself. Though admittedly, telling users to simply “wait it out” isn’t really the preferred best option.

I’ve spent a lot of time reading up on what could have caused this, scoured the production logs, api_json, application and more logs but cannot find anything that strikes me as out of the ordinary.

I found the following that does appear to meet the general symptoms however and it seems as though it’s possibly a known issue with no current workaround? I’ll need to wait for this to be fixed.

I checked out gitlab.rb and the rack_attack section is commented out, so I don’t believe it’s enabled. There are also no rack_attack logs in the production logs either.

I’ve been asked if there is a means to maybe adjust the amount of time a user is locked out for. So we could drop it down from an hour to something less.
Or, if we are aware a user is “locked out”, if there is a file we could purge to remove the lock out from the user.

Apologies for the lengthy post, this is however driving me a bit crazy! :thinking:

Specs of the configuration setup.

System information
System: RedHatEnterpriseServer 7.6
Current User: git
Using RVM: no
Ruby Version: 2.5.3p105
Gem Version: 2.7.6
Bundler Version: 1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version: 5.2.5
Go Version: unknown

GitLab information
Version: 11.10.4
Revision: 62c464651d2
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 9.6.11
URL: [removed from post]
HTTP Clone URL: [removed from post]
SSH Clone URL: [removed from post]
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 9.0.0
Repository storage paths:

- default: /srv/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
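One way to turn the "it clears up after about an hour" observation into hard numbers, as an added example that is not part of the original post: scan production_json.log for 403 responses on the /users/auth/ldapmain/callback path, group them per user, and measure the time from the first denial to that user's next successful request. The log lines below are constructed, and the field names "time", "status", "path" and "username" are assumed to be present in each JSON entry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample entries in the shape of GitLab's production_json.log
# (only the assumed fields "time", "status", "path", "username" are kept).
SAMPLE_LOG = """\
{"time":"2019-05-20T09:00:01.000Z","status":200,"path":"/group/project","username":"alice"}
{"time":"2019-05-20T09:02:00.000Z","status":403,"path":"/users/auth/ldapmain/callback","username":"alice"}
{"time":"2019-05-20T09:15:00.000Z","status":403,"path":"/users/auth/ldapmain/callback","username":"alice"}
{"time":"2019-05-20T09:30:00.000Z","status":200,"path":"/dashboard","username":"bob"}
{"time":"2019-05-20T10:03:00.000Z","status":200,"path":"/dashboard","username":"alice"}
{"time":"2019-05-20T11:00:00.000Z","status":403,"path":"/users/auth/ldapmain/callback","username":"carol"}
{"time":"2019-05-20T11:20:00.000Z","status":403,"path":"/users/auth/ldapmain/callback","username":"carol"}
{"time":"2019-05-20T12:40:00.000Z","status":403,"path":"/users/auth/ldapmain/callback","username":"carol"}
"""

CALLBACK = "/users/auth/ldapmain/callback"  # path users are redirected to when denied

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def lockout_report(log_text, gap=timedelta(hours=1)):
    """Per user: windows of 403s on the LDAP callback, plus the time until the
    next successful (non-4xx/5xx) request. Denials more than `gap` apart are
    treated as separate lockout episodes."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for e in events:
        e["t"] = parse_time(e["time"])
    events.sort(key=lambda e: e["t"])
    report = {}
    for user in sorted({e.get("username") for e in events}):
        mine = [e for e in events if e.get("username") == user]
        denials = [e["t"] for e in mine if e["status"] == 403 and e["path"] == CALLBACK]
        if not denials:
            continue
        windows, start, prev = [], denials[0], denials[0]
        for t in denials[1:]:
            if t - prev > gap:          # long silence: start a new episode
                windows.append((start, prev))
                start = t
            prev = t
        windows.append((start, prev))
        rows = []
        for first, last in windows:
            ok = next((x["t"] for x in mine if x["t"] > last and x["status"] < 400), None)
            rows.append({"first_denied": first, "last_denied": last, "recovered": ok,
                         "minutes_to_recover": (ok - first).total_seconds() / 60 if ok else None})
        report[user] = rows
    return report
```

Run it against the real log with `lockout_report(open("/var/log/gitlab/gitlab-rails/production_json.log").read())`; a cluster of users all recovering after close to 60 minutes points at a time-based lock rather than a permissions change.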