Manual backport of user lock updates to 1.13.x branch (#21766)

CHANGELOG.md

@@ -25,6 +25,7 @@ Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString.
 
 FEATURES:
 
+* **User lockout**: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default.
 * **New PKI UI**: Add beta support for new and improved PKI UI [[GH-18842](https://github.com/hashicorp/vault/pull/18842)]
 * **Server UDS Listener**: Adding listener to Vault server to serve http request via unix domain socket [[GH-18227](https://github.com/hashicorp/vault/pull/18227)]
 * **Transit managed keys**: The transit secrets engine now supports configuring and using managed keys

website/content/docs/upgrading/upgrade-to-1.13.x.mdx

@@ -15,7 +15,20 @@ for Vault 1.13.x compared to 1.12. Please read it carefully.
 
 @include 'consul-dataplane-upgrade-note.mdx'
 
-### Active Directory Secrets Engine Deprecation
+### User lockout
+
+As of version 1.13, Vault will stop trying to validate user credentials if the
+user submits multiple invalid credentials in quick succession. During lockout,
+Vault ignores requests from the barred user rather than responding with a 
+permission denied error.
+
+User lockout is enabled by default with a lockout threshold of 5 attempt, a
+lockout duration of 15 minutes, and a counter reset window of 15 minutes.
+
+For more information, refer to the [User lockout](/vault/docs/concepts/user-lockout)
+overview.
+
+### Active directory secrets engine deprecation
 
 The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release.
 We will continue to support the AD secrets engine in maintenance mode for six major Vault