Manage Account Lockout
The Account Lockout feature provides security controls to automatically lock user accounts after multiple failed login attempts. This feature helps protect against brute-force attacks and unauthorized access attempts.
Account Lockout is a security mechanism that:
- Tracks failed login attempts
- Automatically locks accounts after exceeding configured thresholds
- Temporarily prevents access to locked accounts
- Helps protect against brute-force password attacks
Account lockout applies to internal users only. External users (LDAP/SSO) are managed by their respective authentication systems.
For external user management, see Configure User Settings.

Configuration
Backend Configuration
Account Lockout is configured via the xl-release.conf file and requires a server restart to take effect.
Add the following configuration block to your xl-release.conf file:
xl {
  security {
    account-lockout {
      enabled=true
      max-login-failed-attempts=5
      lockout-duration="3 minutes"
      whitelist-username=["admin"]
    }
  }
}
Configuration Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | Boolean | false | Enables or disables the account lockout feature |
| max-login-failed-attempts | Integer | 5 | Maximum number of failed login attempts before account is locked |
| lockout-duration | Duration | 3 minutes | How long an account remains locked after exceeding max attempts |
| whitelist-username | Array | [] | List of usernames that are exempt from account lockout |
Login Failure When Locked
When a user exceeds the maximum failed login attempts, they will see an error message indicating their account has been locked.

Disable Account Lockout:
xl {
  security {
    account-lockout {
      enabled=false
    }
  }
}
Whitelist Multiple Users:
xl {
  security {
    account-lockout {
      enabled=true
      max-login-failed-attempts=5
      lockout-duration="30 minutes"
      whitelist-username=["admin", "service-account", "backup-user"]
    }
  }
}
- Configuration changes require a server restart to take effect
- The Account Lockout settings are not available in the System Settings UI
- This is a config-file-only feature
Manage Locked Users
Navigate to Settings > Users and permissions to view user account status.
Sort by Locked Status
Click on the Locked column header to sort and display locked accounts at the top of the list.
This helps administrators:
- Quickly identify locked accounts
- Take immediate action on security incidents
- Monitor failed login patterns
Unlocking Accounts
Administrators can manually unlock user accounts before the configured lockout-duration expires.
Manual Unlock
To unlock a user account:
- Navigate to Settings > Users and permissions
- Click the Edit Icon under the Action column of the locked user

- A banner will display indicating the account is locked with an Unlock user button
- Click Unlock user to immediately restore access

The account will be unlocked immediately, and the user can log in with valid credentials.
Automatic Unlock
If no manual action is taken, locked accounts will automatically unlock after the configured lockout-duration expires.
Recommended settings for most environments:
max-login-failed-attempts=5
lockout-duration="30 minutes"
whitelist-username=["admin"]
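
The following is an added example, not part of the product or its documentation: a small Python check that reads the account-lockout block from xl-release.conf text and compares it with the recommended settings above. It uses regexes rather than a full configuration parser and assumes one key per line and durations written like "3 minutes"; the function names are hypothetical.

```python
import re

RECOMMENDED_MAX_ATTEMPTS = 5       # from this page's recommended settings
RECOMMENDED_LOCKOUT_MINUTES = 30   # from this page's recommended settings
UNIT_MINUTES = {"second": 1 / 60, "minute": 1, "hour": 60, "day": 1440}

# First configuration block shown on this page.
SAMPLE = """xl {
  security {
    account-lockout {
      enabled=true
      max-login-failed-attempts=5
      lockout-duration="3 minutes"
      whitelist-username=["admin"]
    }
  }
}
"""

def parse_lockout(conf_text):
    """Read the account-lockout keys with regexes (assumption: one key per line)."""
    block = re.search(r"account-lockout\s*\{([^}]*)\}", conf_text)
    if block is None:
        return None
    def value(key, default):  # missing keys fall back to the documented defaults
        m = re.search(rf"^\s*{re.escape(key)}\s*[=:]\s*(.+?)\s*$", block.group(1), re.M)
        return m.group(1) if m else default
    raw = value("lockout-duration", '"3 minutes"')
    dur = re.fullmatch(r'"?(\d+)\s*([a-z]+?)s?"?', raw)
    if dur is None or dur.group(2) not in UNIT_MINUTES:
        raise ValueError(f"unsupported lockout-duration: {raw}")
    return {"enabled": value("enabled", "false") == "true",
            "max_attempts": int(value("max-login-failed-attempts", "5")),
            "lockout_minutes": int(dur.group(1)) * UNIT_MINUTES[dur.group(2)],
            "whitelist": re.findall(r'"([^"]+)"', value("whitelist-username", "[]"))}

def audit(conf_text):
    """Return findings that compare the block with the recommended settings."""
    cfg = parse_lockout(conf_text)
    if cfg is None or not cfg["enabled"]:
        return ["account lockout is disabled: failed logins never lock an account"]
    findings = []
    if cfg["max_attempts"] > RECOMMENDED_MAX_ATTEMPTS:
        findings.append(f"max-login-failed-attempts={cfg['max_attempts']} is above {RECOMMENDED_MAX_ATTEMPTS}")
    if cfg["lockout_minutes"] < RECOMMENDED_LOCKOUT_MINUTES:
        findings.append(f"lockout-duration is {cfg['lockout_minutes']:g} min, below {RECOMMENDED_LOCKOUT_MINUTES}")
    findings += [f"'{u}' is whitelisted and exempt from lockout" for u in cfg["whitelist"]]
    return findings

print("\n".join(audit(SAMPLE)))
```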
Troubleshooting
Account Locked Unexpectedly
If a user account is locked unexpectedly:
- Verify the user is using correct credentials
- Review if thresholds are too strict
- Manually unlock the account via Settings > Users and permissions > Edit User
- Or wait for lockout-duration to expire for automatic unlock
Configuration Not Taking Effect
If configuration changes don't work:
- Verify configuration syntax in xl-release.conf
- Restart the Release server (required)
- Check server logs for configuration errors
- Verify file permissions