Vault User Lockout in Vault 1.13.4

Hi,
We are planning an upgrade to Vault 1.13.4 from Vault 1.12.6. Initially we want to disable the new user lockout feature via Vault configuration file to ensure a smooth upgrade. We will then enable user lock after providing documentation to our Vault users on the change.

When setting the user lockout settings for our auth methods (ldap, approle) in the Vault configuration file, the state of the user lockout configuration isn't reflected at the /sys/auth/ldap/tune or /sys/auth/approle/tune API endpoints. Thus we have no way of knowing the status of the user lockout feature.

Any guidance on how best to disable the user lockout feature and validate the feature's current settings would be appreciated.

Thanks in advance,
-Rory

Hi @rory.chapman , You can disable it on all auth methods by adding the below config to your Vault configuration file.

user_lockout "all" {
  disable_lockout = "true"
}

While it won't show on your /sys/auth/ldap/tune and /sys/auth/approle/tune, it will disable it. You can always try it in your dev.
Ref. User Lockout - Configuration | Vault | HashiCorp Developer

However, since you are using ldap auth, I just want to share with you that there is currently a bug, Vault LDAP Auth Method vulnerable to account fuzzing via response. · Issue #20923 · hashicorp/vault · GitHub, that you might want to consider before upgrading. It will be fixed in the 1.13.5 release.
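As an added illustration (not from the reply above or from HashiCorp's docs), here is a constructed user_lockout configuration that disables lockout globally for the upgrade window while keeping it enforced for one auth type; it assumes the documented precedence where a per-auth-type stanza overrides the "all" stanza, and the threshold and duration values are illustrative only.

```hcl
# Constructed example: disable lockout for every auth method during the
# upgrade window. The threshold/duration values are illustrative; keeping
# them in place means re-enabling lockout later is a one-line change.
user_lockout "all" {
  lockout_threshold     = "5"
  lockout_duration      = "15m"
  lockout_counter_reset = "15m"
  disable_lockout       = "true"
}

# A per-auth-type stanza overrides "all" for that method only. Here approle
# keeps lockout enforced (with the "all" thresholds), while ldap stays
# disabled because it has no stanza of its own.
user_lockout "approle" {
  disable_lockout = "false"
}
```

Because these file-based values are not surfaced by the /sys/auth/<path>/tune endpoints, the only way to confirm the effective state is to exercise the auth method in a dev or staging cluster after the change.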

Hi,
Thanks for the response. Yes, we can use the Vault configuration file to disable user lockout and test the auth method to validate that we are not locked out. However, what would be most helpful is to disable user lockout via the configuration file and validate that it's disabled by querying the auth method for its configuration.

Sounds like Vault doesn’t support this behavior.

As for the open LDAP fuzzing issue, thanks for the reminder and link, we push Vault updates with a frequent and regular cadence and will catch that update as soon as it’s released.
Best,
