content/operate/rs/7.4/security/access-control/manage-users/login-lockout.md
Redis Enterprise Software secures user access in a few different ways, including automatically:

- Locking user accounts after a series of authentication failures (invalid passwords)
- Signing sessions out after a period of inactivity

Here, you learn how to configure the relevant settings.
By default, after 5 failed login attempts within 15 minutes, the user account is locked for 30 minutes. You can change the user login lockout settings in the Cluster Manager UI or with [rladmin]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin" >}}).
You can view the cluster's user login lockout settings from Cluster > Security > Preferences > Lockout threshold in the Cluster Manager UI or with [rladmin info cluster]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/info#info-cluster" >}}):
```sh
$ rladmin info cluster | grep login_lockout
login_lockout_counter_reset_after: 900
login_lockout_duration: 1800
login_lockout_threshold: 5
```
To change the user login lockout settings using the Cluster Manager UI:

1. Go to Cluster > Security > Preferences, then select Edit.

2. In the Lockout threshold section, make sure the checkbox is selected.

    {{<image filename="images/rs/screenshots/cluster/security-preferences-lockout-threshold.png" alt="The Lockout threshold configuration section" >}}

3. Configure the following Lockout threshold settings:

    - Log-in attempts until user is revoked - The number of failed login attempts allowed before the user account is locked.
    - Time between failed login attempts in seconds, minutes, or hours - The amount of time during which failed login attempts are counted.

4. For Unlock method, select one of the following:

    - Locked duration to set how long the user account is locked after excessive failed login attempts.
    - Only Admin can unlock the user by resetting the password.

5. Select Save.

To change the number of failed login attempts allowed before the user account is locked, use one of the following methods:

- [rladmin tune cluster]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/tune#tune-cluster" >}}):

    ```sh
    rladmin tune cluster login_lockout_threshold <integer>
    ```

    For example, to set the lockout threshold to 10 failed login attempts, run:

    ```sh
    rladmin tune cluster login_lockout_threshold 10
    ```

    If you set the lockout threshold to 0, it turns off account lockout, and the cluster settings show `login_lockout_threshold: disabled`.

    ```sh
    rladmin tune cluster login_lockout_threshold 0
    ```

To change the amount of time during which failed login attempts are counted, use one of the following methods:

- [rladmin tune cluster]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/tune#tune-cluster" >}}):

    ```sh
    rladmin tune cluster login_lockout_counter_reset_after <seconds>
    ```

    For example, to set the lockout reset to 1 hour, run:

    ```sh
    rladmin tune cluster login_lockout_counter_reset_after 3600
    ```

To change the amount of time that the user account is locked after excessive failed login attempts, use one of the following methods:

- [rladmin tune cluster]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/tune#tune-cluster" >}}):

    ```sh
    rladmin tune cluster login_lockout_duration <login_lockout_duration>
    ```

    For example, to set the lockout duration to 1 hour, run:

    ```sh
    rladmin tune cluster login_lockout_duration 3600
    ```

    If you set the lockout duration to 0, then the account can be unlocked only when an administrator changes the account's password.

    ```sh
    rladmin tune cluster login_lockout_duration 0
    ```

    The cluster settings now show `login_lockout_duration: admin-release`.

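The three lockout settings can be checked against a baseline automatically. The following script is an added example, not part of the Redis documentation or tooling: it parses the `login_lockout_*` lines printed by `rladmin info cluster`, including the `disabled` and `admin-release` values. The baseline limits, the function names, and the sample inputs are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit login lockout settings against a local baseline.
# The three limits below are assumed policy values, not Redis recommendations.
MAX_THRESHOLD=10   # most failed attempts tolerated before lockout
MIN_WINDOW=900     # shortest acceptable counting window, in seconds
MIN_DURATION=1800  # shortest acceptable timed lock, in seconds

# Reads `rladmin info cluster` output on stdin, prints one finding per line,
# and returns non-zero when a setting is weaker than the baseline or missing.
audit_lockout() {
    awk -v max_t="$MAX_THRESHOLD" -v min_w="$MIN_WINDOW" -v min_d="$MIN_DURATION" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        /login_lockout_/ {
            key = $1; sub(/:$/, "", key); val = $2; seen[key] = 1
            if (key == "login_lockout_threshold") {
                if (val == "disabled") fail("threshold disabled, unlimited login attempts")
                else if (val + 0 > max_t + 0) fail("threshold " val " is above " max_t)
            } else if (key == "login_lockout_counter_reset_after") {
                if (val + 0 < min_w + 0) fail("counter window " val "s is below " min_w "s")
            } else if (key == "login_lockout_duration") {
                if (val == "admin-release") print "OK: unlock requires an admin password reset"
                else if (val + 0 < min_d + 0) fail("lock duration " val "s is below " min_d "s")
            }
        }
        END {
            n = split("threshold counter_reset_after duration", req, " ")
            for (i = 1; i <= n; i++) {
                k = "login_lockout_" req[i]
                if (!(k in seen)) fail(k " not reported")
            }
            exit bad + 0
        }'
}

# Constructed sample: the default values shown on this page.
sample_default() {
    printf '%s\n' 'login_lockout_counter_reset_after: 900' \
        'login_lockout_duration: 1800' 'login_lockout_threshold: 5'
}
# Constructed sample: lockout off, 60-second window, admin-only unlock.
sample_weak() {
    printf '%s\n' 'login_lockout_counter_reset_after: 60' \
        'login_lockout_duration: admin-release' 'login_lockout_threshold: disabled'
}

# On a cluster node, run: rladmin info cluster | audit_lockout
sample_default | audit_lockout && echo "PASS: default settings meet the baseline"
sample_weak | audit_lockout || echo "weak sample rejected"
```
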
To unlock a user account in the Cluster Manager UI:

1. Go to Access Control > Users. Locked users have a "User is locked out" label:

    {{<image filename="images/rs/screenshots/access-control/users-locked-out.png" alt="The Access Control > Users configuration screen in the Cluster Manager UI" >}}

2. Point to the user you want to unlock, then click Reset to unlock:

    {{<image filename="images/rs/screenshots/access-control/users-reset-to-unlock.png" alt="Reset to unlock button appears when you point to a locked user in the list" >}}

3. In the Reset user password dialog, enter a new password for the user:

    {{<image filename="images/rs/screenshots/access-control/users-reset-user-password-dialog.png" alt="Reset user password dialog" >}}

4. Select Save to reset the user's password and unlock their account.

To unlock a user account or reset a user password with `rladmin`, run:

```sh
rladmin cluster reset_password <user_email>
```

To unlock a user account or reset a user password with the REST API, use [PUT /v1/users]({{< relref "/operate/rs/7.4/references/rest-api/requests/users#put-user" >}}):

```sh
PUT /v1/users
{"password": "<new_password>"}
```

To turn off user login lockout and allow unlimited login attempts, use one of the following methods:

- Cluster Manager UI:

    1. Go to Cluster > Security > Preferences, then select Edit.

    2. Clear the Lockout threshold checkbox.

    3. Select Save.

- [rladmin tune cluster]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/tune#tune-cluster" >}}):

    ```sh
    rladmin tune cluster login_lockout_threshold 0
    ```

The cluster settings show `login_lockout_threshold: disabled`.

The Redis Enterprise Cluster Manager UI supports session timeouts. By default, users are automatically logged out after 15 minutes of inactivity.
To customize the session timeout, use one of the following methods:

- Cluster Manager UI:

    1. Go to Cluster > Security > Preferences, then select Edit.

    2. For Session timeout, select minutes or hours from the list and enter the timeout value.

    3. Select Save.

- [rladmin cluster config]({{< relref "/operate/rs/7.4/references/cli-utilities/rladmin/cluster/config" >}}):

    ```sh
    rladmin cluster config cm_session_timeout_minutes <number_of_min>
    ```

    The `<number_of_min>` is the number of minutes after which sessions will time out.