backport of commit f0fb07b0b2762a1f6df987b75e78c67ac6e323d2 (#23071)

Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>

website/content/docs/auth/approle.mdx

@@ -239,6 +239,10 @@ Refer to the [AppRole Pull
 Authentication](/vault/tutorials/auth-methods/approle)
 tutorial to learn how to use the AppRole method to generate tokens for machines or apps.
 
+## User lockout
+
+@include 'user-lockout.mdx'
+
 ## API
 
 The AppRole auth method has a full HTTP API. Please see the

website/content/docs/auth/ldap.mdx

@@ -270,6 +270,10 @@ default, foobar, zoobar
 
 It should be noted that user -> policy mapping happens at token creation time. And changes in group membership on the LDAP server will not affect tokens that have already been provisioned. To see these changes, old tokens should be revoked and the user should be asked to reauthenticate.
 
+## User lockout
+
+@include 'user-lockout.mdx'
+
 ## API
 
 The LDAP auth method has a full HTTP API. Please see the

website/content/docs/auth/userpass.mdx

@@ -68,9 +68,9 @@ management tool.
    ```shell-session
    $ vault auth enable userpass
    ```
-   
+
    This enables the userpass auth method at `auth/userpass`. To enable it at a different path, use the `-path` flag:
-   
+
    ```shell-session
    $ vault auth enable -path=<path> userpass
    ```
@@ -87,6 +87,9 @@ management tool.
    associated with the "admins" policy. This is the only configuration
    necessary.
 
+## User lockout
+
+@include 'user-lockout.mdx'
 
 ## API
 

website/content/partials/user-lockout.mdx

@@ -1,23 +1,22 @@
-If a user provides bad credentials several times in quick succession, 
-Vault will stop trying to validate their credentials for a while, instead returning immediately 
-with a permission denied error. We call this behavior "user lockout". The time for which 
-a user will be locked out is called “lockout duration”. The user will be able to login after the lockout 
-duration has passed. The number of failed login attempts after which the user is locked out is called 
-“lockout threshold”. The lockout threshold counter is reset to zero after a few minutes without login attempts, 
+If a user provides bad credentials several times in quick succession,
+Vault will stop trying to validate their credentials for a while, instead returning immediately
+with a permission denied error. We call this behavior "user lockout". The time for which
+a user will be locked out is called “lockout duration”. The user will be able to login after the lockout
+duration has passed. The number of failed login attempts after which the user is locked out is called
+“lockout threshold”. The lockout threshold counter is reset to zero after a few minutes without login attempts,
 or upon a successful login attempt. The duration after which the counter will be reset to zero
-after no login attempts is called "lockout counter reset". This can defeat both automated and targeted requests 
-i.e, user-based password guessing attacks as well as automated attacks. 
+after no login attempts is called "lockout counter reset". This can defeat both automated and targeted requests
+i.e, user-based password guessing attacks as well as automated attacks.
 
-The user lockout feature is enabled by default. The default values for "lockout threshold" is 5 attempts, 
+The user lockout feature is enabled by default. The default values for "lockout threshold" is 5 attempts,
 "lockout duration" is 15 minutes, "lockout counter reset" is 15 minutes.
 
-The user lockout feature can disabled as follows: 
-- It can be disabled globally using environment variable VAULT_DISABLE_USER_LOCKOUT.
-- It can be disabled for all supported auth methods (ldap, userpass and approle) or a specific supported auth method using "disable_lockout"
- parameter within user_lockout stanza in configuration file. 
- Please see [user lockout configuration](/vault/docs/configuration/user-lockout#user_lockout-stanza) for more details. 
+The user lockout feature can be disabled as follows:
+- It can be disabled globally using environment variable `VAULT_DISABLE_USER_LOCKOUT`.
+- It can be disabled for all supported auth methods (ldap, userpass and approle) or a specific supported auth method using the `disable_lockout`
+  parameter within `user_lockout` stanza in configuration file.
+  Please see [user lockout configuration](/vault/docs/configuration/user-lockout#user_lockout-stanza) for more details.
 - It can be disabled for a specific auth mount using "auth tune". Please see [auth tune command](/vault/docs/commands/auth/tune)
-or [auth tune api](/vault/api-docs/system/auth#tune-auth-method) for more details. 
+  or [auth tune api](/vault/api-docs/system/auth#tune-auth-method) for more details.
 
-
-~> **NOTE**: This feature is available from  Vault version 1.13 and is only supported by userpass, ldap and approle auth methods.
+~> **NOTE**: This feature is available from Vault version 1.13 and is only supported by the userpass, ldap, and approle auth methods.