mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 15:11:07 +02:00
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
71 lines
2.8 KiB
Plaintext
---
layout: docs
page_title: User lockout - Configuration
description: >-
  Configure the user_lockout stanza to customize lockout behavior for failed
  logins in vault.
---

> [!IMPORTANT]
> **Documentation Update:** Product documentation, which was located in this repository under `/website`, is now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# User lockout

@include 'user-lockout.mdx'

## `user_lockout` stanza

The `user_lockout` stanza specifies the user lockout behaviour for failed logins
in Vault. Lockout can be configured for all supported auth methods (userpass,
ldap and approle) using the `all` stanza name, or for a specific auth method
using that auth method's name as the stanza name.

Supported `user_lockout` stanza names are `all`, `userpass`, `ldap` and `approle`.

The configuration for a specific auth method takes precedence over the
configuration specified for all auth methods using the `all` stanza name in the
config file.

## Configuration

User lockout configuration is done through the Vault configuration file using
the `user_lockout` stanza:

```hcl
user_lockout [NAME] {
  [PARAMETERS...]
}
```

For example:

```hcl
user_lockout "all" {
  lockout_duration      = "10m"
  lockout_counter_reset = "10m"
}

user_lockout "userpass" {
  lockout_threshold = "25"
  lockout_duration  = "5m"
}

user_lockout "ldap" {
  disable_lockout = "true"
}
```

Here, the user lockout feature is disabled for ldap auth methods. Userpass auth methods have a lockout threshold of 25,
a lockout duration of 5 minutes and a lockout counter reset of 10 minutes. Approle auth methods have a lockout threshold of
5 (the default, since this value is not configured), a lockout duration of 10 minutes and a lockout counter reset of 10 minutes.

The user lockout configuration for the auth method at a given path can be tuned using auth tune. See the [auth tune command](/vault/docs/commands/auth/tune)
or the [auth tune API](/vault/api-docs/system/auth#tune-auth-method) for more details.

## `user_lockout` parameters

The following options are available on all `user_lockout` configurations.

- `lockout_threshold` `(string: "")` - Specifies the number of failed login attempts after which the user is locked out.
- `lockout_duration` `(string: "")` - Specifies the duration for which a user will be locked out.
- `lockout_counter_reset` `(string: "")` - Specifies the duration with no failed login attempts after which the lockout counter is reset.
- `disable_lockout` `(bool: false)` - Disables the user lockout feature if set to true.
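To show how the stanzas in the example config combine and how the parameters above interact, here is an added Python model (not Vault's own code): `effective_config` applies the precedence rules (method stanza over `all` over defaults) and `LockoutTracker` implements the threshold, duration and counter-reset semantics as the parameter list describes them. The 15m defaults for `lockout_duration` and `lockout_counter_reset` are an assumption; the page only states the threshold default of 5.

```python
from dataclasses import dataclass, field
# Threshold default 5 is from the page; 15m durations are an assumed default.
DEFAULTS = {"lockout_threshold": 5, "lockout_duration": 15 * 60,
            "lockout_counter_reset": 15 * 60, "disable_lockout": False}
AUTH_METHODS = ("userpass", "ldap", "approle")

def parse_duration(s):
    """Convert a duration string such as "10m" or "5s" into seconds."""
    return int(s[:-1]) * {"s": 1, "m": 60, "h": 3600}[s[-1]]

def effective_config(stanzas):
    """Per method: defaults, overridden by "all", overridden by the method's own stanza."""
    result = {}
    for method in AUTH_METHODS:
        cfg = dict(DEFAULTS)
        for name in ("all", method):
            for key, value in stanzas.get(name, {}).items():
                if key == "lockout_threshold":
                    cfg[key] = int(value)
                elif key == "disable_lockout":
                    cfg[key] = str(value).lower() == "true"
                else:
                    cfg[key] = parse_duration(value)
        result[method] = cfg
    return result

@dataclass
class LockoutTracker:
    cfg: dict
    failures: dict = field(default_factory=dict)      # user -> (count, last failure time in s)
    locked_until: dict = field(default_factory=dict)  # user -> lockout expiry time in s
    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)
    def record_failure(self, user, now):
        if self.cfg["disable_lockout"] or self.is_locked(user, now):
            return
        count, last = self.failures.get(user, (0, now))
        if now - last >= self.cfg["lockout_counter_reset"]:
            count = 0  # no failures inside the reset window: counter restarts
        count += 1
        if count >= self.cfg["lockout_threshold"]:
            self.locked_until[user] = now + self.cfg["lockout_duration"]
            count = 0  # the lockout consumes the counter
        self.failures[user] = (count, now)

# Constructed input: the three stanzas from the example config on this page.
STANZAS = {"all": {"lockout_duration": "10m", "lockout_counter_reset": "10m"},
           "userpass": {"lockout_threshold": "25", "lockout_duration": "5m"},
           "ldap": {"disable_lockout": "true"}}
```

Feeding `STANZAS` to `effective_config` reproduces the per-method values described under the example: userpass 25/5m/10m, approle 5/10m/10m, ldap disabled.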