open-vault/website/content/docs/configuration/user-lockout.mdx

---
layout: docs
page_title: User Lockout - Configuration
description: |-
  The user_lockout stanza specifies various configurations for user lockout behaviour for
  failed logins in vault. 
---
# User Lockout

@include 'user-lockout.mdx'

## `user_lockout` Stanza

The `user_lockout` stanza specifies various configurations for user lockout 
behaviour for failed logins in vault. They can be configured for all supported auth methods
(userpass, ldap and approle) using "all" user_lockout stanza name or for a specific auth method 
using the auth method name in stanza. 

Supported user_lockout stanza names are all, userpass, ldap and approle.

The configurations for a specific auth method takes precedence over the configurations specified 
for all auth methods using "all" user_lockout stanza name in the config file.

## Configuration

User lockouts configuration is done through the Vault configuration file using
the `user_lockout` stanza:

```hcl
user_lockout [NAME] {
  [PARAMETERS...]
}
```

For example:

```hcl
user_lockout "all" {
  lockout_duration = "10m"
  lockout_counter_reset = "10m"
}

user_lockout "userpass" {
  lockout_threshold = "25"
  lockout_duration = "5m"
}

user_lockout "ldap" {
 disable_lockout = "true"
}
```

Here, user lockout feature will be disabled for ldap auth methods. Userpass auth methods will have lockout threshold of 25, 
lockout duration of 5 minutes, lockout counter reset of 10 minutes. Approle auth methods will have a lockout threshold of 
5 (considers default as this value is not configured), lockout duration of 10 minutes and lockout counter reset of 10 minutes.

The user lockout configuration for the auth method at a given path can be tuned using auth tune. Please see [auth tune command](/vault/docs/commands/auth/tune)
or [auth tune api](/vault/api-docs/system/auth#tune-auth-method) for more details. 

## `user_lockout` Parameters

The following options are available on all telemetry configurations.

- `lockout_threshold` `(string: "")` - Specifies the number of failed login attempts after which the user is locked out.
- `lockout_duration` `(string: "")` - Specifies the duration for which an user will be locked out.
- `lockout_counter_reset` `(string: "")` - Specifies the duration after which the lockout counter is reset with no failed login attempts.
- `disable_lockout` `(bool: false)` - Disables the user lockout feature if set to true.
user-lockout documentation changes (#18478) * added user-lockout documentation changes * add changelog * remove new lines * changing method name * changing lockedusers to locked-users * Update website/content/docs/concepts/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * adding suggested changes * adding bullet points to disable * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update website/content/docs/commands/auth/tune.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> * Update website/content/docs/commands/auth/tune.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> * Update website/content/docs/concepts/user-lockout.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> Co-authored-by: Meggie <meggie@hashicorp.com> Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> 2023-01-17 23:12:16 +00:00			`---`
			`layout: docs`
			`page_title: User Lockout - Configuration`
			`description: \|-`
			`The user_lockout stanza specifies various configurations for user lockout behaviour for`
			`failed logins in vault.`
			`---`
			`# User Lockout`

			`@include 'user-lockout.mdx'`

			## `user_lockout` Stanza

			The `user_lockout` stanza specifies various configurations for user lockout
			`behaviour for failed logins in vault. They can be configured for all supported auth methods`
			`(userpass, ldap and approle) using "all" user_lockout stanza name or for a specific auth method`
			`using the auth method name in stanza.`

			`Supported user_lockout stanza names are all, userpass, ldap and approle.`

			`The configurations for a specific auth method takes precedence over the configurations specified`
			`for all auth methods using "all" user_lockout stanza name in the config file.`

			`## Configuration`

			`User lockouts configuration is done through the Vault configuration file using`
			the `user_lockout` stanza:

			```hcl
			`user_lockout [NAME] {`
			`[PARAMETERS...]`
			`}`
			```

			`For example:`

			```hcl
			`user_lockout "all" {`
			`lockout_duration = "10m"`
			`lockout_counter_reset = "10m"`
			`}`

			`user_lockout "userpass" {`
			`lockout_threshold = "25"`
			`lockout_duration = "5m"`
			`}`

			`user_lockout "ldap" {`
			`disable_lockout = "true"`
			`}`
			```

			`Here, user lockout feature will be disabled for ldap auth methods. Userpass auth methods will have lockout threshold of 25,`
			`lockout duration of 5 minutes, lockout counter reset of 10 minutes. Approle auth methods will have a lockout threshold of`
			`5 (considers default as this value is not configured), lockout duration of 10 minutes and lockout counter reset of 10 minutes.`

docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`The user lockout configuration for the auth method at a given path can be tuned using auth tune. Please see [auth tune command](/vault/docs/commands/auth/tune)`
			`or [auth tune api](/vault/api-docs/system/auth#tune-auth-method) for more details.`
user-lockout documentation changes (#18478) * added user-lockout documentation changes * add changelog * remove new lines * changing method name * changing lockedusers to locked-users * Update website/content/docs/concepts/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Meggie <meggie@hashicorp.com> * adding suggested changes * adding bullet points to disable * Update website/content/api-docs/system/user-lockout.mdx Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update website/content/partials/user-lockout.mdx Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update website/content/docs/commands/auth/tune.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> * Update website/content/docs/commands/auth/tune.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> * Update website/content/docs/concepts/user-lockout.mdx Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> Co-authored-by: Meggie <meggie@hashicorp.com> Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> 2023-01-17 23:12:16 +00:00
			## `user_lockout` Parameters

			`The following options are available on all telemetry configurations.`

			- `lockout_threshold` `(string: "")` - Specifies the number of failed login attempts after which the user is locked out.
			- `lockout_duration` `(string: "")` - Specifies the duration for which an user will be locked out.
			- `lockout_counter_reset` `(string: "")` - Specifies the duration after which the lockout counter is reset with no failed login attempts.
			- `disable_lockout` `(bool: false)` - Disables the user lockout feature if set to true.